CentOS 7.6 DNS Server Configuration (Part 1): Configuring Master/Slave DNS Servers with BIND

CentOS 7.6: configuring master/slave DNS servers with BIND

1. Environment

1.1 Goals

  • Serve multiple domains (multiple zone files) from a single server
  • Configure reverse resolution (this is not very important unless you run a mail server; it can be skipped)
  • Point a server at this DNS server for name resolution
  • Set up master/slave data synchronisation between the DNS servers

1.2 Environment details

Hostname          Address        Version         Role           Notes
sysldap-shylf-1   10.116.72.6    CentOS7.6 min   DNS (master)
sysldap-shylf-2   10.116.72.7    CentOS7.6 min   DNS (slave)
systerm-shylf-1   10.116.72.4    CentOS7.6 min   www server     sample business host

Note: for convenience, firewalld was stopped and SELinux disabled on these hosts.
Example domains used in this guide: example.com and demo.com

2. Master DNS server configuration (this is also the single-node configuration)

2.1 Installing the packages

yum -y install bind
rpm -aq |grep bind
	bind-license-9.9.4-73.el7_6.noarch
	bind-utils-9.9.4-73.el7_6.x86_64
	bind-9.9.4-73.el7_6.x86_64
	bind-libs-lite-9.9.4-73.el7_6.x86_64
	bind-libs-9.9.4-73.el7_6.x86_64

# Main configuration file:
/etc/named.conf

# Default file for additional zone definitions: 
/etc/named.rfc1912.zones

# Default directory for custom zone files
/var/named/

# ll /var/named
drwxrwx--- 2 named named   23 Jul 16 16:39 data
drwxrwx--- 2 named named   31 Jul 16 16:41 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Jan 30 01:23 slaves/

2.2 Adding custom zone configuration

As an exercise we configure two forward zones, example.com.zone and demo.com.zone, plus one reverse zone, 72.116.10.in-addr.arpa.
[Note]: the IP range to be resolved in this lab is 10.116.72.0/24

2.2.1 Editing the main configuration file

Change the listen address and the list of addresses allowed to query: allow-query { 127.0.0.1; 10.0.0.0/8; };
Leave everything else unchanged for now; it is revisited when the slave is configured.

vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 10.116.72.6; };
        //No IPv6 in my environment, so it is disabled here
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        /* allow-query     { localhost; }; */
        allow-query     { 127.0.0.1; 10.0.0.0/8; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

  • Disable IPv6 in the named service
vi /etc/sysconfig/named
# change the default OPTIONS="whatever" to the following
OPTIONS="-4"

If IPv6 is not disabled you may see errors like the following

tail -f /var/log/messages
... ...
network unreachable resolving 'xx.xx.xx/DS/IN': 2001:503:ba3e::2:30#53
network unreachable resolving 'xx.xx.xx/DS/IN': 2001:500:84::b#53

2.2.2 Adding the zone definitions

vi /etc/named.rfc1912.zones
//default configuration omitted here
//(do not touch the defaults: by default bind needs three zones configured: root, 127.0.0.1 and the reverse zone for 127.0.0.1)

zone "example.com" IN { 
        type master;
        file "example.com.zone";
        allow-update { none; };
};

zone "demo.com" IN { 
        type master;
        file "demo.com.zone";
        allow-update { none; };
}; 

zone "72.116.10.in-addr.arpa." IN {
        type master;
        file "72.116.10.in-addr.arpa";
        allow-update { none; };
};

[Note]
type: defines the zone type; it takes four values: hint (root), master, slave, forward
file: the zone file name; the default parent directory is /var/named/ and can be changed in /etc/named.conf

2.2.3 Adding the zone files and their records

cd /var/named/

# 1. Add the zone file example.com.zone; the name must match the one configured in /etc/named.rfc1912.zones
vi example.com.zone 
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (   ; trailing dots: absolute names, not relative to $ORIGIN
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
dns             IN      A       10.116.72.6
www             IN      A       10.116.72.4
example.com.    IN      A       10.116.72.4     ; apex record; without the trailing dot this would become example.com.example.com
ntp1            IN      A       10.116.72.9
ntp2            IN      A       10.116.72.10
ldaps1          IN      A       10.116.72.11
ldaps2          IN      A       10.116.72.12
relay           IN      A       10.116.72.13
terminal        IN      A       10.116.72.15

# 2. Add the zone file demo.com.zone; the name must match the one configured in /etc/named.rfc1912.zones
vi demo.com.zone
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (   ; absolute names: this zone's SOA points at the example.com nameserver
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@                       IN      NS      dns.example.com.
dns.example.com.        IN      A       10.116.72.6     ; out-of-zone data: named-checkzone ignores it, the address is served from example.com
www                     IN      A       10.116.72.4
demo.com.               IN      A       10.116.72.4     ; apex record; the trailing dot keeps it absolute

# 3. Add the reverse zone file 72.116.10.in-addr.arpa; the name must match the one configured in /etc/named.rfc1912.zones
# Reverse records for several domains can live in one reverse zone file, whereas forward records for different domains need separate zone files
vi 72.116.10.in-addr.arpa
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (   ; absolute names
                                        2019071601      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
6               IN      PTR     dns.example.com.
4               IN      PTR     www.example.com.
4               IN      PTR     example.com.
4               IN      PTR     www.demo.com.
4               IN      PTR     demo.com.
9               IN      PTR     ntp1.example.com.
10              IN      PTR     ntp2.example.com.
11              IN      PTR     ldaps1.example.com.
12              IN      PTR     ldaps2.example.com.
13              IN      PTR     relay.example.com.
15              IN      PTR     terminal.example.com.

# Fix ownership and permissions of the zone files
chown root:named /var/named/example.com.zone /var/named/demo.com.zone /var/named/72.116.10.in-addr.arpa 
chmod 0640 /var/named/example.com.zone /var/named/demo.com.zone /var/named/72.116.10.in-addr.arpa 

2.2.4 Checking the configuration files

named-checkzone "example.com" /var/named/example.com.zone 
	zone example.com/IN: loaded serial 2019071601
	OK
named-checkzone "demo.com" /var/named/demo.com.zone 
	/var/named/demo.com.zone:9: ignoring out-of-zone data (dns.example.com)
	zone demo.com/IN: loaded serial 2019071601
	OK
# The first argument of named-checkzone is the zone origin, so the reverse zone is checked under its real name
named-checkzone "72.116.10.in-addr.arpa" /var/named/72.116.10.in-addr.arpa 
	zone 72.116.10.in-addr.arpa/IN: loaded serial 2019071601
	OK

2.3 Starting the BIND service (named)

systemctl start named.service
systemctl enable named.service

systemctl status named.service
	● named.service - Berkeley Internet Name Domain (DNS)
	   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
	   Active: active (running) since Tue 2019-07-16 16:41:59 CST; 32min ago
	  Process: 11499 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
	  Process: 11513 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
	  Process: 11510 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
	 Main PID: 11516 (named)
	   CGroup: /system.slice/named.service
	           └─11516 /usr/sbin/named -u named -c /etc/named.conf
	
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone demo.com/IN: loaded serial 2019071601
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone example.com/IN: loaded serial 2019071601
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone localhost/IN: loaded serial 0
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: all zones loaded
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: running
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone demo.com/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone example.com/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 named[11516]: zone 72.116.10.in-addr.arpa/IN: sending notifies (serial 2019071601)
	Jul 16 16:41:59 sysdns-shylf-1 systemd[1]: Started Berkeley Internet Name Domain (DNS).


netstat -pltn |grep named
	tcp        0      0 10.116.72.6:53          0.0.0.0:*               LISTEN      11516/named         
	tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      11516/named

2.4 Configuring a business host to use the DNS server

2.4.1 Configuring name resolution on the host

Business host IP: 10.116.72.4

ssh 10.116.72.4

vi /etc/resolv.conf
nameserver 10.116.72.6

2.4.2 Resolution tests

Commands that can be used for testing include dig, nslookup, host and ping

dig [-t type] [-x addr] [name] [@server]

# 1. Forward lookup test
dig -t A www.example.com
	; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.example.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39410
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
	
	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4096
	;; QUESTION SECTION:
	;www.example.com.               IN      A
	
	;; ANSWER SECTION:
	www.example.com.        600     IN      A       10.116.72.4
	
	;; AUTHORITY SECTION:
	example.com.            600     IN      NS      dns.example.com.
	
	;; ADDITIONAL SECTION:
	dns.example.com.        600     IN      A       10.116.72.6
	
	;; Query time: 2 msec
	;; SERVER: 10.116.72.6#53(10.116.72.6)
	;; WHEN: Tue Jul 16 17:30:01 CST 2019
	;; MSG SIZE  rcvd: 94

# 2. Reverse lookup test
dig -x 10.116.72.4
	; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 10.116.72.4
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53226
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 2
	
	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 4096
	;; QUESTION SECTION:
	;4.72.116.10.in-addr.arpa.      IN      PTR
	
	;; ANSWER SECTION:
	4.72.116.10.in-addr.arpa. 600   IN      PTR     demo.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     www.example.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     example.com.
	4.72.116.10.in-addr.arpa. 600   IN      PTR     www.demo.com.
	
	;; AUTHORITY SECTION:
	72.116.10.in-addr.arpa. 600     IN      NS      dns.example.com.
	
	;; ADDITIONAL SECTION:
	dns.example.com.        600     IN      A       10.116.72.6
	
	;; Query time: 1 msec
	;; SERVER: 10.116.72.6#53(10.116.72.6)
	;; WHEN: Tue Jul 16 17:34:37 CST 2019
	;; MSG SIZE  rcvd: 167

3. Configuring the slave DNS server and data synchronisation

3.1 Installing the packages

yum -y install bind
rpm -aq |grep bind
	bind-license-9.9.4-73.el7_6.noarch
	bind-utils-9.9.4-73.el7_6.x86_64
	bind-9.9.4-73.el7_6.x86_64
	bind-libs-lite-9.9.4-73.el7_6.x86_64
	bind-libs-9.9.4-73.el7_6.x86_64

# Main configuration file:
/etc/named.conf

# Default file for additional zone definitions: 
/etc/named.rfc1912.zones

# Default directory for custom zone files
/var/named/

# ll /var/named
drwxrwx--- 2 named named   23 Jul 16 16:39 data
drwxrwx--- 2 named named   31 Jul 16 16:41 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Jan 30 01:23 slaves/

3.2 Adding the zone information

3.2.1 Editing the main configuration file

Identical to the master's configuration, except that the listen address is this host's own IP (10.116.72.7); the allowed-query list stays allow-query { 127.0.0.1; 10.0.0.0/8; };

3.2.2 Adding the zone definitions

vi /etc/named.rfc1912.zones
//default configuration omitted here
//(do not touch the defaults: by default bind needs three zones configured: root, 127.0.0.1 and the reverse zone for 127.0.0.1)

zone "example.com" IN { 
        type slave;
        masters { 10.116.72.6; };   // the BIND 9 zone statement is "masters" (plural)
        masterfile-format text;
        file "slaves/example.com.zone";
};

zone "demo.com" IN { 
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/demo.com.zone";
}; 

zone "72.116.10.in-addr.arpa." IN {
        type slave;
        masters { 10.116.72.6; };
        masterfile-format text;
        file "slaves/72.116.10.in-addr.arpa";
};

[Note] No zone files need to be created on the slave; they are generated automatically by the zone transfer

3.3 Starting the slave

systemctl start named.service
systemctl enable named.service
netstat -pltn |grep named

# The zone files have now been transferred from the master.
ll /var/named/slaves
-rw-r--r-- 1 named named 818 Jul 16 17:51 72.116.10.in-addr.arpa
-rw-r--r-- 1 named named 264 Jul 16 17:51 demo.com.zone
-rw-r--r-- 1 named named 601 Jul 16 17:51 example.com.zone

3.4 Updating the master DNS server to add the slave's records

vi /var/named/example.com.zone
vi /var/named/demo.com.zone    # same change; in this file write the names fully qualified (dns.example.com., ns2.example.com.)
$TTL 600
@       IN SOA  dns.example.com. admin.example.com. (
                                        2019071602      ; serial
                                        2H              ; refresh
                                        5M              ; retry
                                        1D              ; expire
                                        2D )            ; minimum
@               IN      NS      dns.example.com.
@               IN      NS      ns2.example.com.
dns             IN      A       10.116.72.6
ns2             IN      A       10.116.72.7

# Reload the master's configuration
systemctl restart named.service

# Verify
dig ns2.example.com @10.116.72.7
dig ns2.example.com @10.116.72.6

[Note] The serial must be increased: that is what makes the slave fetch the updated zone file automatically
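The serial bump in this step is easy to forget, and a forgotten bump leaves the slave silently serving stale data. The script below is an added example, not part of the original post: it computes the next YYYYMMDDNN serial, rewrites it in place in a zone file of the layout used above, and (assuming rndc and dig are available on the master, and the /var/named/<zone>.zone naming used here) reloads the zone and compares the SOA serial served by master and slave. The function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post. Bumps the SOA serial of a zone
# file (the step that makes the slave pull the new data), then reloads and
# compares the serial served by master and slave.
# Assumes the zone-file layout used above: the serial is the first field of the
# line ending in "; serial", in YYYYMMDDNN format.
set -eu

# next_serial OLD TODAY  -> prints the new serial (TODAY is YYYYMMDD)
next_serial() {
    old=$1; today=$2
    candidate="${today}01"
    # already at today's date or ahead of it (clock skew, NN=99): just add one;
    # the serial only has to grow, it does not have to match the date
    if [ "$old" -ge "$candidate" ]; then
        echo $((old + 1))
    else
        echo "$candidate"
    fi
}

# bump_zone_serial ZONEFILE  -> rewrites the serial in place, prints the new one
bump_zone_serial() {
    zonefile=$1
    old=$(awk '/; *serial/ { print $1; exit }' "$zonefile")
    case "$old" in
        ''|*[!0-9]*) echo "no numeric serial found in $zonefile" >&2; return 1 ;;
    esac
    new=$(next_serial "$old" "$(date +%Y%m%d)")
    tmp=$(mktemp)
    awk -v o="$old" -v n="$new" \
        '!done && /; *serial/ { sub(o, n); done = 1 } { print }' "$zonefile" > "$tmp"
    cat "$tmp" > "$zonefile"   # overwrite in place so root:named 0640 is preserved
    rm -f "$tmp"
    echo "$new"
}

# reload_and_verify ZONE MASTER SLAVE  -> reload on the master, then check that
# the slave serves the same serial (run on the master; needs rndc and dig)
reload_and_verify() {
    zone=$1; master=$2; slave=$3
    named-checkzone "$zone" "/var/named/$zone.zone" >/dev/null
    rndc reload "$zone"
    sleep 2                    # give NOTIFY and the transfer a moment to complete
    m=$(dig +short SOA "$zone" @"$master" | awk '{ print $3 }')
    s=$(dig +short SOA "$zone" @"$slave"  | awk '{ print $3 }')
    if [ "$m" = "$s" ]; then echo "in sync: serial $m"; else echo "slave lags: $s vs $m" >&2; return 1; fi
}
```

Typical use on the master: bump_zone_serial /var/named/example.com.zone && reload_and_verify example.com 10.116.72.6 10.116.72.7.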

3.5 Updating the business host's resolver configuration

Business host: 10.116.72.4

ssh 10.116.72.4

vi /etc/resolv.conf
nameserver 10.116.72.6
nameserver 10.116.72.7

# Test
dig www.example.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49816
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        600     IN      A       10.116.72.4

;; AUTHORITY SECTION:
example.com.            600     IN      NS      ns2.example.com.
example.com.            600     IN      NS      dns.example.com.

;; ADDITIONAL SECTION:
dns.example.com.        600     IN      A       10.116.72.6
ns2.example.com.        600     IN      A       10.116.72.7

;; Query time: 1 msec
;; SERVER: 10.116.72.6#53(10.116.72.6)
;; WHEN: Tue Jul 16 18:03:36 CST 2019
;; MSG SIZE  rcvd: 128

4. Summary and next steps

DNS master/slave synchronisation is now configured, and resolution works inside the isolated 10.116.72.0/24 segment. What still needs to be configured, or tools that should be used:

  1. From the business host, ping/dig of other public domains such as baidu.com will fail or return no records, because only these two domains are configured and nothing else can be resolved. Completing this requires configuring forwarding (forward).
  2. The zone files were edited directly and the service restarted for the changes to take effect. In real use the files should be updated through a tool and take effect automatically.
  3. An API can be developed to integrate with a domain management platform.