CentOS 7.6 DNS server configuration (part 1): configuring master/slave DNS servers with BIND

CentOS 7.6: configuring master/slave DNS servers with BIND

I. Environment

1.1 Scenario

  • Serve multiple domains (multiple zone files) from a single server
  • Configure reverse resolution (not very important unless you run a mail server; can be skipped)
  • Point a server at this DNS server for name resolution
  • Set up master/slave data synchronisation between the DNS servers

1.2 Environment details

Hostname         Address       Version         Role           Note
sysldap-shylf-1  10.116.72.6   CentOS7.6 min   DNS (master)
sysldap-shylf-2  10.116.72.7   CentOS7.6 min   DNS (slave)
systerm-shylf-1  10.116.72.4   CentOS7.6 min   www server     example business host

Note: to keep the setup simple, the firewalld firewall was turned off and SELinux was disabled.
The example domains used here are example.com and demo.com.

II. Master DNS server configuration (i.e. single-node setup)

2.1 Installing the packages

yum -y install bind
rpm -aq |grep bind
	bind-license-9.9.4-73.el7_6.noarch
	bind-utils-9.9.4-73.el7_6.x86_64
	bind-9.9.4-73.el7_6.x86_64
	bind-libs-lite-9.9.4-73.el7_6.x86_64
	bind-libs-9.9.4-73.el7_6.x86_64

# Main configuration file:
/etc/named.conf

# File where zone definitions are added by default:
/etc/named.rfc1912.zones

# Default directory for custom zone files
/var/named/

# ll /var/named
drwxrwx--- 2 named named   23 Jul 16 16:39 data
drwxrwx--- 2 named named   31 Jul 16 16:41 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Jan 30 01:23 slaves/

2.2 Adding custom zone definitions

As an exercise we configure two forward zones, example.com.zone and demo.com.zone, plus one reverse zone, 72.116.10.in-addr.arpa.
[Note]: the address range to be resolved in this exercise is 10.116.72.0/24.

2.2.1 Editing the main configuration file

Change the listen address and the list of addresses allowed to query: allow-query { 127.0.0.1; 10.0.0.0/8; };
Leave everything else as it is for now; it is changed again when the slave is configured.

vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 10.116.72.6; };
        //no IPv6 in my environment, so it is disabled here
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        /* allow-query     { localhost; }; */
        allow-query     { 127.0.0.1; 10.0.0.0/8; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

  • Prevent the named service from using IPv6
vi /etc/sysconfig/named
# change the default OPTIONS="whatever" to the following
OPTIONS="-4"

If IPv6 is not disabled you may see errors like these:

tail -f /var/log/messages
... ...
network unreachable resolving 'xx.xx.xx/DS/IN': 2001:503:ba3e::2:30#53
network unreachable resolving 'xx.xx.xx/DS/IN': 2001:500:84::b#53

2.2.2 Adding the zone definitions

vi /etc/named.rfc1912.zones
//default configuration omitted here
//(do not touch the defaults: bind needs three zones by default: root, 127.0.0.1, and the reverse zone for 127.0.0.1)

zone "example.com" IN { 
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "demo.com" IN { 
        type master;
        file "demo.com.zone";
        allow-update { none; };
}; 

zone "72.116.10.in-addr.arpa." IN {
        type master;
        file "72.116.10.in-addr.arpa";
        allow-update { none; };
};

[Note]
type: the zone type, with four possible values: hint (root), master, slave, forward
file: the zone file name; the parent directory defaults to /var/named/ and can be changed in /etc/named.conf

2.2.3 Creating the zone files and their records

cd /var/named/

# 1. Create the zone file example.com.zone; the name must match the file entry in /etc/named.rfc1912.zones
vi example.com.zone 
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
dns             IN      A       10.116.72.6
www             IN      A       10.116.72.4
example.com.    IN      A       10.116.72.4
ntp1            IN      A       10.116.72.9
ntp2            IN      A       10.116.72.10
ldaps1          IN      A       10.116.72.11
ldaps2          IN      A       10.116.72.12
relay           IN      A       10.116.72.13
terminal        IN      A       10.116.72.15

# 2. Create the zone file demo.com.zone; the name must match the file entry in /etc/named.rfc1912.zones
vi demo.com.zone
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@                       IN      NS      dns.example.com.
dns.example.com.        IN      A       10.116.72.6
www                     IN      A       10.116.72.4
demo.com.               IN      A       10.116.72.4

# 3. Create the reverse zone file 72.116.10.in-addr.arpa; the name must match the file entry in /etc/named.rfc1912.zones
# Reverse records for several domains can live in one zone file, whereas forward records for different domains need separate zone files
vi 72.116.10.in-addr.arpa
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
6               IN      PTR     dns.example.com.
4               IN      PTR     www.example.com.
4               IN      PTR     example.com.
4               IN      PTR     www.demo.com.
4               IN      PTR     demo.com.
9               IN      PTR     ntp1.example.com.
10              IN      PTR     ntp2.example.com.
11              IN      PTR     ldaps1.example.com.
12              IN      PTR     ldaps2.example.com.
13              IN      PTR     relay.example.com.
15              IN      PTR     terminal.example.com.

# Fix ownership and permissions of the zone files
chown root:named /var/named/example.com.zone /var/named/demo.com.zone /var/named/72.116.10.in-addr.arpa 
chmod 0640 /var/named/example.com.zone /var/named/demo.com.zone /var/named/72.116.10.in-addr.arpa 

2.2.4 Checking the configuration files

named-checkzone "example.com" /var/named/example.com.zone 
	zone example.com/IN: loaded serial 2019071601
	OK
named-checkzone "demo.com" /var/named/demo.com.zone 
	/var/named/demo.com.zone:9: ignoring out-of-zone data (dns.example.com)
	zone demo.com/IN: loaded serial 2019071601
	OK
named-checkzone "72.116.10.in-addr.arpa" /var/named/72.116.10.in-addr.arpa 
	zone 72.116.10.in-addr.arpa/IN: loaded serial 2019071601
	OK

2.3 Starting the bind service (named)

systemctl start named.service
systemctl enable named.service

systemctl status named.service
	● named.service - Berkeley Internet Name Domain (DNS)
	   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
	   Active: active (running) since Tue 2019-07-16 16:41:59 CST; 32min ago
	  Process: 11499 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
	  Process: 11513 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
	  Process: 11510 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
	 Main PID: 11516 (named)
	   CGroup: /system.slice/named.service
	           └─11516 /usr/sbin/named -u named -c /etc/named.conf
	
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone demo.com/IN: loaded serial 2019071601
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone example.com/IN: loaded serial 2019071601
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone localhost/IN: loaded serial 0
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: all zones loaded
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: running
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone demo.com/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone example.com/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone 72.116.10.in-addr.arpa/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 systemd[1]: Started Berkeley Internet Name Domain (DNS).


netstat -pltn |grep named
	tcp        0      0 10.116.72.6:53          0.0.0.0:*               LISTEN      11516/named         
	tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11516/named

2.4 Pointing a business host at the DNS server

2.4.1 Configuring the host's resolver

Business host IP: 10.116.72.4

ssh 10.116.72.4

vi /etc/resolv.conf
nameserver 10.116.72.6

2.4.2 Resolution tests

Commands that can be used for testing include dig, nslookup, host and ping.

dig [-t type] [-x addr] [name] [@server]

# 1. Forward lookup test
dig -t A www.example.com
	; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.example.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39410
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
	
	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4096
	;; QUESTION SECTION:
	;www.example.com.               IN      A
	
	;; ANSWER SECTION:
	www.example.com.        600     IN      A       10.116.72.4
	
	;; AUTHORITY SECTION:
	example.com.            600     IN      NS      dns.example.com.
	
	;; ADDITIONAL SECTION:
	dns.example.com.        600     IN      A       10.116.72.6
	
	;; Query time: 2 msec
	;; SERVER: 10.116.72.6#53(10.116.72.6)
	;; WHEN: Tue Jul 16 17:30:01 CST 2019
	;; MSG SIZE  rcvd: 94

# 2. Reverse lookup test
dig -x 10.116.72.4
	; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 10.116.72.4
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53226
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 2
	
	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4096
	;; QUESTION SECTION:
	;4.72.116.10.in-addr.arpa.      IN      PTR
	
	;; ANSWER SECTION:
	4.72.116.10.in-addr.arpa. 600   IN      PTR     demo.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     www.example.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     example.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     www.demo.com.
	
	;; AUTHORITY SECTION:
	72.116.10.in-addr.arpa. 600     IN      NS      dns.example.com.
	
	;; ADDITIONAL SECTION:
	dns.example.com.        600     IN      A       10.116.72.6
	
	;; Query time: 1 msec
	;; SERVER: 10.116.72.6#53(10.116.72.6)
	;; WHEN: Tue Jul 16 17:34:37 CST 2019
	;; MSG SIZE  rcvd: 167

III. Configuring the slave DNS server and data synchronisation

3.1 Installing the packages

yum -y install bind
rpm -aq |grep bind
	bind-license-9.9.4-73.el7_6.noarch
	bind-utils-9.9.4-73.el7_6.x86_64
	bind-9.9.4-73.el7_6.x86_64
	bind-libs-lite-9.9.4-73.el7_6.x86_64
	bind-libs-9.9.4-73.el7_6.x86_64

# Main configuration file:
/etc/named.conf

# File where zone definitions are added by default:
/etc/named.rfc1912.zones

# Default directory for custom zone files
/var/named/

# ll /var/named
drwxrwx--- 2 named named   23 Jul 16 16:39 data
drwxrwx--- 2 named named   31 Jul 16 16:41 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Jan 30 01:23 slaves/

3.2 Adding the zone definitions

3.2.1 Editing the main configuration file

Same as on the master: set the list of addresses allowed to query, allow-query { 127.0.0.1; 10.0.0.0/8; };, and change the listen address to this host's own IP (10.116.72.7).
Everything else stays as on the master.

3.2.2 Adding the zone definitions

vi /etc/named.rfc1912.zones
//default configuration omitted here
//(do not touch the defaults: bind needs three zones by default: root, 127.0.0.1, and the reverse zone for 127.0.0.1)

zone "example.com" IN { 
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/example.com.zone";
};

zone "demo.com" IN { 
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/demo.com.zone";
}; 

zone "72.116.10.in-addr.arpa." IN {
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/72.116.10.in-addr.arpa";
};

[Note] No zone files need to be created on the slave; they are generated automatically by the zone transfer.
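The zone stanzas on this page leave allow-transfer at BIND's default, which lets any host that can reach port 53 pull a full copy of every zone with AXFR, although only the slave needs that. Below is an added example, not from the original post, of the master-side and slave-side stanzas for example.com with transfers restricted to the two servers and an explicit also-notify; the demo.com and reverse zones get the same treatment.

```conf
// Add to the existing options {} block on both servers: a global default so
// that no zone can be transferred unless its own stanza says otherwise.
        allow-transfer  { none; };

// Master side (10.116.72.6), in /etc/named.rfc1912.zones
zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
        // only the slave may pull the whole zone (AXFR/IXFR)
        allow-transfer { 10.116.72.7; };
        // NOTIFY the slave even before its NS record has been added to the zone
        also-notify { 10.116.72.7; };
};

// Slave side (10.116.72.7), in /etc/named.rfc1912.zones
zone "example.com" IN {
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/example.com.zone";
        // the slave's copy is not handed out to third parties either
        allow-transfer { none; };
};
```

Run named-checkconf after editing, then confirm from a host other than 10.116.72.7 that `dig @10.116.72.6 example.com axfr` reports "Transfer failed." while the slave still receives the zone file under /var/named/slaves.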

3.3 啓動從服務器

systemctl start named.service
systemctl enable named.service
netstat -pltn |grep named

# The zone files have already been transferred over.
ll /var/named/slaves
-rw-r--r-- 1 named named 818 Jul 16 17:51 72.116.10.in-addr.arpa
-rw-r--r-- 1 named named 264 Jul 16 17:51 demo.com.zone
-rw-r--r-- 1 named named 601 Jul 16 17:51 example.com.zone

3.4 Updating the master DNS server to add the slave's records

vi /var/named/example.com.zone
vi /var/named/demo.com.zone
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (
                                        2019071602      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
@               IN      NS      ns2.example.com.
dns             IN      A       10.116.72.6
ns2             IN      A       10.116.72.7

# Reload the master DNS server configuration
systemctl restart named.service

# Verify
dig ns2.example.com @10.116.72.7
dig ns2.example.com @10.116.72.6

[Note] The serial must be incremented; that is what makes the slave fetch the updated zone file.
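The serial bump, zone check and reload that the note above describes, as an added example script that is not part of the original post: it assumes the YYYYMMDDnn serial scheme and the "; serial" comment used in this page's zone files, and the zone and host names are this page's examples. The last function also checks that master and slave answer with the same serial, which the page verifies by hand with dig.

```shell
#!/bin/sh
# Bump a zone's SOA serial (YYYYMMDDnn), validate it, reload only that zone
# with rndc, and confirm the slave serves the same serial afterwards.
# Assumption: the serial line carries the "; serial" comment, as on this page.

# Next serial: the first edit on a new day starts at <date>00; later edits
# on the same day add 1, so the serial always grows and the slave transfers.
next_serial() {
    cur="$1"; today="${2:-$(date +%Y%m%d)}"
    curday=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$curday" -lt "$today" ]; then
        printf '%s00\n' "$today"
    else
        printf '%s\n' $((cur + 1))
    fi
}

# Rewrite the serial in place and print the new value (the date can be given
# as a second argument, which the test uses; it defaults to today).
bump_zone_serial() {
    zonefile="$1"; today="$2"
    cur=$(awk '/; *serial/ { print $1; exit }' "$zonefile")
    [ -n "$cur" ] || { echo "no '; serial' line in $zonefile" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v new="$new" '/; *serial/ && !done { sub(/[0-9]+/, new); done = 1 } { print }' \
        "$zonefile" > "$zonefile.tmp" && mv "$zonefile.tmp" "$zonefile"
    printf '%s\n' "$new"
}

# Check the file, then reload just this zone: no service restart needed, the
# master sends NOTIFY and the slave pulls the new version. Needs BIND tools.
check_and_reload() {
    zone="$1"; zonefile="$2"
    named-checkzone "$zone" "$zonefile" >/dev/null || return 1
    rndc reload "$zone"
}

# Master and slave must answer with the same serial (3rd field of the SOA).
serial_in_sync() {
    zone="$1"; master="$2"; slave="$3"
    m=$(dig +short soa "$zone" "@$master" | awk '{ print $3 }')
    s=$(dig +short soa "$zone" "@$slave" | awk '{ print $3 }')
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Typical run on the master (10.116.72.6):
#   bump_zone_serial /var/named/example.com.zone
#   check_and_reload example.com /var/named/example.com.zone
#   serial_in_sync example.com 10.116.72.6 10.116.72.7 && echo in sync
```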

3.5 Updating the business host's resolver configuration

Business host: 10.116.72.4

ssh 10.116.72.4

vi /etc/resolv.conf
nameserver 10.116.72.6
nameserver 10.116.72.7

# Test
dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49816
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        600     IN      A       10.116.72.4

;; AUTHORITY SECTION:
example.com.            600     IN      NS      ns2.example.com.
example.com.            600     IN      NS      dns.example.com.

;; ADDITIONAL SECTION:
dns.example.com.        600     IN      A       10.116.72.6
ns2.example.com.        600     IN      A       10.116.72.7

;; Query time: 1 msec
;; SERVER: 10.116.72.6#53(10.116.72.6)
;; WHEN: Tue Jul 16 18:03:36 CST 2019
;; MSG SIZE  rcvd: 128

IV. Summary and further work

This completes the DNS master/slave setup; names can now be resolved within the isolated 10.116.72.0/24 network. What still needs to be configured, or tooling that is still needed:

  1. Pinging or digging other public domains from the business host, e.g. baidu.com, fails or returns no record, because only these two domains are configured and nothing else can be resolved. Completing this step requires configuring forwarders.
  2. The zone files were edited directly and the service restarted to apply them. In real use the files should be updated through tooling and take effect automatically.
  3. An API can be developed to integrate with a domain management platform.