写在前面
- 分享一些 使用 bind9 配置
主从权威名称服务器的笔记 - 理解不足小伙伴帮忙指正
对每个人而言,真正的职责只有一个:找到自我。然后在心中坚守其一生,全心全意,永不停息。所有其它的路都是不完整的,是人的逃避方式,是对大众理想的懦弱回归,是随波逐流,是对内心的恐惧 ——赫尔曼·黑塞《德米安》
DNS 架构
向供应商注册新的域名时,必须提供该域的公共权威名称服务器的名称和IP地址。注册服务商将该信息放在父域的区域文件中(如NS,A和AAAA记录),以便DNS解析器可以找到您的名称服务器。为了帮助确保可靠性,应该至少有两个公共DNS服务器,并且它们应位于不同的站点,以避免由于网络故障而造成的中断。
外部主机如何通过缓存名称服务器和权威名称服务器进行 DNS 解析,对记录执行DNS查找。假设还没有缓存的记录:
外部访问
客户的缓存名称服务器首先查询一个根名称服务器。它被定向到负责 com域的名称服务器池。其中一个服务器响应 example.com域的NS记录,因此 缓存的名称服务器查询一个面向公共的次要名称服务器。
主名称服务器实际上不是公共的,但是辅助名称服务器可以从主名称服务器执行区域传输,以便它们拥有关于 example.com 区域的最新数据。下图说明了对于example.com 域内的内部仅缓存名称服务器,该过程是相同的:
内部访问
更好的方法是提供内部名称服务器可以查询的内部授权辅助服务器。当本地域存在问题时,这消除了外部查询,这更安全。
内部访问
为此,需要配置内部缓存名称服务器来转发对记录的请求。Com 到内部辅助服务器。(例如,使用Unbound时,您需要配置适当的forward-zone块。)
# forward-zone:
# name: "example.com"
# forward-addr: 192.0.2.68
# forward-addr: 192.0.2.73@5355 # forward to port 5355.
# forward-first: no
# forward-tls-upstream: no
# forward-zone:
# name: "example.org"
# forward-host: fwd.example.com
主从权威 DNS 部署
配置主 DNS 服务器
安装 bind9
[root@serverb ~]# yum install bind -y
一些准备工作
[root@serverb ~]# vim /etc/named.conf
[root@serverb ~]# chmod 640 /etc/named.conf
[root@serverb ~]# chgrp named /etc/named.conf
[root@serverb ~]# firewall-cmd --add-service=dns --permanent
success
[root@serverb ~]# firewall-cmd --reload
success
[root@serverb ~]# systemctl enable named.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverb ~]#
在serverb配置主 DNS,并且添加几条记录
- 配置正向解析
servera.blog.liruilong.com.,serverc.blog.liruilong.com.地址分别为172.25.250.10,172.25.250.12 - 配置反向解析
servera,serverc
编辑配置文件 /etc/named.conf
options {listen-on port 53 { any; };listen-on-v6 port 53 { any; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";secroots-file "/var/named/data/named.secroots";recursing-file "/var/named/data/named.recursing";allow-query { any; };.....添加对应的 zone
zone "blog.liruilong.com" IN {type master;file "blog.liruilong.com.zone";forwarders {};
};
添加对应的 zone 数据
[root@serverb ~]# cat /var/named/blog.liruilong.com.zone
$TTL 300
@ IN SOA serverb.blog.liruilong.com. dnslab.example.com. (2023072900 ; serial1H ; refresh5M ; retry1W ; expire1M ) ; minimum600 IN NS serverb.blog.liruilong.com.serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
servera IN A 172.25.250.10[root@serverb ~]#
检测 zone 文件
[root@serverb ~]# vim /var/named/blog.liruilong.com.zone
[root@serverb ~]# named-checkzone blog.liruilong.com.zone /var/named/blog.liruilong.com.zone
zone blog.liruilong.com.zone/IN: loaded serial 2023072900
OK
确认无误后,重启服务,测试
[root@serverb ~]# systemctl restart named
[root@serverb ~]# dig serverc.blog.liruilong.com. @serverb; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverc.blog.liruilong.com. @serverb
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9608
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 196c643e805924a3ea772e3264c649cef6a873b5c3803907 (good)
;; QUESTION SECTION:
;serverc.blog.liruilong.com. IN A;; ANSWER SECTION:
serverc.blog.liruilong.com. 300 IN A 172.25.250.12;; AUTHORITY SECTION:
blog.liruilong.com. 600 IN NS serverb.blog.liruilong.com.;; ADDITIONAL SECTION:
serverb.blog.liruilong.com. 300 IN A 172.25.250.11;; Query time: 0 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Jul 30 19:30:22 CST 2023
;; MSG SIZE rcvd: 137
[root@serverb ~]# dig servera.blog.liruilong.com. @172.25.250.11; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> servera.blog.liruilong.com. @172.25.250.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37549
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 7e67c9a9f9d30b3df695a33864c64a1bb0d653a623775fd6 (good)
;; QUESTION SECTION:
;servera.blog.liruilong.com. IN A;; ANSWER SECTION:
servera.blog.liruilong.com. 300 IN A 172.25.250.10;; AUTHORITY SECTION:
blog.liruilong.com. 600 IN NS serverb.blog.liruilong.com.;; ADDITIONAL SECTION:
serverb.blog.liruilong.com. 300 IN A 172.25.250.11;; Query time: 0 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Jul 30 19:31:39 CST 2023
;; MSG SIZE rcvd: 137[root@serverb ~]#
反向解析配置
zone "25.172.in-addr.arpa" IN {type master;file "25.172.loopback"allow-update { none; };};
这里修改完 配置文件提示上面的报错,缺少; 号
[root@serverb ~]# named-checkconf /etc/named.conf
/etc/named.conf:67: missing ';' before 'allow-update'
[root@serverb ~]# vim /etc/named.conf
[root@serverb ~]# named-checkconf /etc/named.conf
[root@serverb ~]#
重新编辑后测试OK
zone "25.172.in-addr.arpa" IN {type master;file "25.172.loopback";allow-update { none; };};
编写对应的 zone 数据文件
[root@serverb ~]# cat /var/named/25.172.loopback
$TTL 1D
@ IN SOA serverb.blog.liruilong.com rname.invalid. (2023073000 ; serial1D ; refresh1H ; retry1W ; expire3H ) ; minimumNS serverb.blog.liruilong.com.
10.250 PTR servera.blog.liruilong.com.
11.250 PTR serverb.blog.liruilong.com.
12.250 PTR serverc.blog.liruilong.com.
[root@serverb ~]#
重启服务测试
[root@serverb ~]# vim /var/named/25.172.loopback
[root@serverb ~]# systemctl restart named
[root@serverb ~]# host serverc.blog.liruilong.com 172.25.250.11
Using domain server:
Name: 172.25.250.11
Address: 172.25.250.11#53
Aliases:serverc.blog.liruilong.com has address 172.25.250.12
[root@serverb ~]# host servera.blog.liruilong.com 172.25.250.11
Using domain server:
Name: 172.25.250.11
Address: 172.25.250.11#53
Aliases:servera.blog.liruilong.com has address 172.25.250.10
[root@serverb ~]# host 172.25.250.10 172.25.250.11
Using domain server:
Name: 172.25.250.11
Address: 172.25.250.11#53
Aliases:10.250.25.172.in-addr.arpa domain name pointer servera.blog.liruilong.com.
[root@serverb ~]#
配置 DNS从服务器
[root@serverc ~]# yum install bind -y
复制 配置文件
[root@serverc ~]# scp serverb:/etc/named.conf /etc/named.conf
需要修改的部分:
- 将每个主要 (master) 区域条⽬转换为次要 (slave) 区域条⽬。
- 将 type 指令的值更改为 slave。
- 添加 masters 指令,以指向 serverb(主DNS) 后端接⼝ 192.168.0.11
- 为⽂件位置加上前缀,以便在 slaves/ ⼦⽬录中创建区域⽂件。⽣成的⽂件应当包含以下内容:
zone "blog.liruilong.com" IN {type slave;file "slaves/blog.liruilong.com.zone";masters { 192.168.0.11; };
};zone "25.172.in-addr.arpa" IN {type slave;file "slaves/25.172.loopback";masters { 192.168.0.11; };
};修改配置文件,配置防火墙
[root@serverc ~]# vim /etc/named.conf
[root@serverc ~]# chmod 640 /etc/named.conf
[root@serverc ~]# chgrp named /etc/named.conf
[root@serverc ~]# firewall-cmd --add-service=dns --permanent
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable named.service --now
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
查看 zone 数据是否同步
[root@serverc named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@serverc named]# cd slaves/
[root@serverc slaves]# ls
25.172.loopback blog.liruilong.com.zone
[root@serverc slaves]#
这个同步过来的zone数据是乱码的,直接看不了
[root@serverc ~]# host servera.blog.liruilong.com 172.25.250.11
Using domain server:
Name: 172.25.250.11
Address: 172.25.250.11#53
Aliases:servera.blog.liruilong.com has address 172.25.250.10
[root@serverc ~]# host servera.blog.liruilong.com 172.25.250.12
Using domain server:
Name: 172.25.250.12
Address: 172.25.250.12#53
Aliases:servera.blog.liruilong.com has address 172.25.250.10
[root@serverc ~]#
关于 DNS 主从服务器搭建就和小伙伴们分享到这里,简单介绍,更多配置小伙伴们可以查看帮助文档
博文部分内容参考
© 文中涉及参考链接内容版权归原作者所有,如有侵权请告知
https://www.isc.org/bind/
<RH358 授课课堂笔记>
© 2018-2023 liruilonger@gmail.com, All rights reserved. 保持署名-非商用-相同方式共享(CC BY-NC-SA 4.0)
