CentOS 7 DNS: BIND master/slave installation and configuration
Overview
DNS (Domain Name System) is the service that resolves the mapping between domain names and IP addresses. Functionally it provides forward and reverse resolution:
Forward resolution: look up the IP address for a host name (domain name).
Reverse resolution: look up the host name (domain name) for an IP address.
By role, DNS servers are divided into master servers, slave servers and caching servers.
Master server: unique within a given zone; maintains the authoritative name-to-address mappings for that zone.
Slave server: obtains the mappings from the master and keeps a copy, so that service continues if the master goes down.
Caching server: obtains mappings by querying other name servers and caches them, speeding up repeated queries.
Installing the BIND service
Prerequisites
CentOS 7.x
yum install bind bind-utils -y    # note: the following does not work: # yum -y install bind-chroot
The BIND name service runs as the program named; its main files are:
Main program: /usr/sbin/named
Main configuration file: /etc/named.conf
Zone configuration file: /etc/named.rfc1912.zones
Editing the main configuration file
cp /etc/named.conf{,.ori}
vim /etc/named.conf    # the commented lines are the ones to change
Change 1:
listen-on port 53 { 127.0.0.1; };    // change 127.0.0.1 to any, which makes named listen on every IP address. Result:
listen-on port 53 { any; };
Change 2:
allow-query { localhost; };    // change localhost to any, which allows any host to query. Result:
allow-query { any; };
Note that allow-query { any; } together with the default recursion yes; lets every client that can reach port 53 use this server as a recursive resolver; on a server reachable from outside the LAN, restrict recursion with allow-recursion { ...; }; (the comment block in named.conf itself warns about this).
Forward resolution
Step 1: configure the zone definition
Forward resolution finds the IP address for a host name. The zone file already contains some default entries; they can be left alone, just append the following at the end:
vim /etc/named.rfc1912.zones
zone "music.com" IN {
    type master;
    file "music.com.zone";
    allow-update { none; };
};
Step 2: configure the resolution data. Copy the forward-zone template /var/named/named.localhost, fill in the records and the file can be used directly:
[root@Centos ~]# cd /var/named/
[root@Centos named]# cp -a named.localhost music.com.zone
[root@Centos named]# vim music.com.zone
$TTL 1D
@   IN SOA music.com. scottcho.qq.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
    NS  ns.music.com.
ns  IN A  192.168.0.85
@   IN MX 10 mail.music.com.
mail IN A 192.168.0.85
www  IN A 192.168.0.85
bbs  IN A 192.168.0.95
Restart named so the configuration takes effect immediately:
[root@Centos named]# systemctl restart named
Step 3: verify the resolution.
Set this host's DNS server to its own IP, 192.168.0.85:
[root@Centos named]# cat /etc/resolv.conf
# Generated by NetworkManager
search test
nameserver 192.168.0.85
The nslookup command checks whether the name-to-address records can be queried from the DNS server, i.e. whether named resolves them successfully. Query the DNS server:
[root@Centos named]# nslookup
> www.music.com
Server:   192.168.0.85
Address:  192.168.0.85#53

Name:     www.music.com
Address:  192.168.0.85
> mail.music.com
Server:   192.168.0.85
Address:  192.168.0.85#53

Name:     mail.music.com
Address:  192.168.0.85
> bbs.music.com
Server:   192.168.0.85
Address:  192.168.0.85#53

Name:     bbs.music.com
Address:  192.168.0.95
> ns.music.com
Server:   192.168.0.85
Address:  192.168.0.85#53

Name:     ns.music.com
Address:  192.168.0.85
2.4 Reverse resolution (optional)
Step 1: configure the zone definition.
Reverse resolution finds the host name for an IP address. The zone file (named.rfc1912.zones) already holds some comments and zone definitions by default; there is no need to delete them or the zone from the previous step, just append the following:
[root@Centos named]# vim /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.arpa";
    allow-update { none; };
};
Step 2: configure the resolution data. Copy the loopback template and edit it (zone-file comments start with ";"):
[root@Centos named]# cp -a named.loopback 192.168.0.arpa
[root@Centos named]# vim 192.168.0.arpa
$TTL 1D
@   IN SOA music.com. scottcho.qq.com. (  ; start of authority: the zone name and the administrator's mailbox (written with a dot instead of @)
        0       ; serial   - update serial number
        1D      ; refresh  - refresh interval
        1H      ; retry    - retry delay
        1W      ; expire   - expiry time
        3H )    ; minimum  - cache time for negative answers
    NS  ns.music.com.        ; name server record
ns  A   192.168.0.85         ; address record
85  PTR ns.music.com.        ; PTR is a pointer record, used only in reverse zones
85  PTR mail.music.com.
85  PTR www.music.com.       ; targets must be fully qualified, i.e. end with a dot
95  PTR bbs.music.com.
Step 3: verify the resolution.
Restart named so the configuration takes effect immediately:
[root@Centos named]# systemctl restart named
Run nslookup to check the reverse resolution:
[root@Centos named]# nslookup
> 192.168.0.85
Server:   192.168.0.85
Address:  192.168.0.85#53

85.0.168.192.in-addr.arpa   name = mail.music.com.
85.0.168.192.in-addr.arpa   name = ns.music.com.
85.0.168.192.in-addr.arpa   name = www.music.com.0.168.192.in-addr.arpa.
> 192.168.0.95
Server:   192.168.0.85
Address:  192.168.0.85#53

95.0.168.192.in-addr.arpa   name = bbs.music.com.0.168.192.in-addr.arpa.
The ".0.168.192.in-addr.arpa." suffix on the last two answers is what named produces when a PTR target is written without a trailing dot: the zone origin is appended to the relative name. PTR targets must be fully qualified ("www.music.com.").
2.5 Configuring a forwarding DNS server
[root@Centos named]# vim /etc/named.conf
Set the following parameters:
allow-query { any; };
forwarders { 114.114.114.114; 8.8.8.8; 223.5.5.5; 223.6.6.6; };
The result looks like this:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
forwarders { 114.114.114.114; 8.8.8.8; 223.5.5.5; 223.6.6.6; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
... (remainder omitted) ...
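With allow-query { any; }, recursion yes; and forwarders set as above, named answers recursive queries for every client that can reach port 53, which the comment block in named.conf itself warns makes the server usable in DNS amplification. The following shell script is an added example, not part of the original post: it audits a named.conf for that combination and compares it with a hardened version that keeps allow-query open for authoritative answers but limits recursion to the LAN. Both configuration files are constructed samples written to temporary files.

```sh
#!/bin/sh
# Added example, not from the original post: audit a named.conf for the
# open-resolver combination (recursion yes + allow-query any, no allow-recursion
# restriction) and compare it with a hardened version. Both configs are
# constructed samples written to temporary files.

# Print OPEN-RESOLVER or OK for the named.conf given as $1.
audit_named_conf() {
    # Strip // comments so that commented-out directives are not counted.
    body=$(sed 's#//.*$##' "$1")
    recursion=$(printf '%s\n' "$body" | grep -Ec '^[[:space:]]*recursion[[:space:]]+yes;' || true)
    query_any=$(printf '%s\n' "$body" | grep -Ec '^[[:space:]]*allow-query[[:space:]]*\{[[:space:]]*any;' || true)
    # An allow-recursion list other than "any" limits who may recurse even when allow-query is any.
    restricted=$(printf '%s\n' "$body" | grep -E '^[[:space:]]*allow-recursion' | grep -Evc '\{[[:space:]]*any;' || true)
    if [ "$recursion" -gt 0 ] && [ "$query_any" -gt 0 ] && [ "$restricted" -eq 0 ]; then
        echo OPEN-RESOLVER
    else
        echo OK
    fi
}

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# The options block as configured in the walkthrough above.
cat > "$WEAK_CONF" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };              // anyone may query
    forwarders { 114.114.114.114; 8.8.8.8; };
    recursion yes;                     // and anyone may recurse
};
EOF

# Hardened: still authoritative for everyone, recursive only for the LAN.
cat > "$HARDENED_CONF" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { 127.0.0.1; 192.168.0.0/24; };
    forwarders { 114.114.114.114; 8.8.8.8; };
    recursion yes;
};
EOF

echo "weak:     $(audit_named_conf "$WEAK_CONF")"
echo "hardened: $(audit_named_conf "$HARDENED_CONF")"
```

Run it against /etc/named.conf on the server to check the live file; named-checkconf should additionally be run after any edit to catch syntax errors.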
3 Master/slave replication
Master DNS: 192.168.15.98
Slave DNS: 192.168.15.99
3.1 Master DNS configuration
3.1.1 Main configuration file
Only the lines marked "// changed to" need attention.
[root@szxlkl01-dns-98 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; }; // changed to: any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; // changed to: any; allow queries
forwarders { 114.114.114.114; 8.8.8.8; 223.5.5.5; 223.6.6.6; }; // changed to: external DNS servers; forwarding configuration
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@szxlkl01-dns-98 ~]#
3.1.2 Configuring the zone
Only the part after "// huawei.com" matters. Taking huawei.com as an example, one zone is added after the "// huawei.com" comment:
[root@szxlkl01-dns-98 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
// huawei.com
zone "huawei.com" IN {
type master;
file "huawei.com.zone";
masterfile-format text;
allow-update {none;};
allow-transfer {192.168.15.99;};
notify yes;
also-notify {192.168.15.99;};
};
[root@szxlkl01-dns-98 ~]#
3.1.3 Configuring the zone data
[root@szxlkl01-dns-98 ~]# cat /var/named/huawei.com.zone
$TTL 1D
$ORIGIN huawei.com.
@   IN SOA ns.lalala.com. root.localhost. (
        11      ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H      ; minimum
        )
@   IN NS ns1.huawei.com.
@   IN NS ns2.huawei.com.
ns1 IN A  192.168.15.98
ns2 IN A  192.168.15.99
; vuat environment
vuat.fintech IN A 10.68.8.64
vuat.fintech IN A 10.68.8.65
3.2 Slave DNS configuration
3.2.1 Main configuration file
Identical to the master's.
3.2.2 Configuring the zone
Taking huawei.com as an example, one zone is added after the "// huawei.com" comment:
[root@szxlkl02-dns-99 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
// huawei.com
zone "huawei.com" IN {
type slave;
masters { 192.168.15.98; };
file "huawei.com.zone";
masterfile-format text;
};
[root@szxlkl02-dns-99 ~]#
3.2.3 Zone data
The slave needs no zone data file of its own (/var/named/lakala.com.zone).
Once the zone on the master has been edited, its serial incremented and rndc reload run,
the slave's copy of the zone file /var/named/lakala.com.zone is synchronised automatically.
3.3 Verifying master/slave replication
3.3.1 Requirement: add or remove a record
Add one record to DNS: 10.68.8.65 vuat.fintech.huawei.com
3.3.2 Edit the zone file on the master
vim /var/named/huawei.com.zone
1. Increment the serial by 1.
2. Add the record: vuat.fintech IN A 10.68.8.65
Before reloading, check the file with named-checkzone huawei.com /var/named/huawei.com.zone; a syntax error would otherwise leave the old zone in service. The result:
[root@szxlkl01-dns-98 ~]# vim /var/named/lakala.com.zone
$TTL 1D
$ORIGIN huawei.com.
@   IN SOA ns.huawei.com. root.localhost. (
        12      ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H      ; minimum
        )
@   IN NS ns1.huawei.com.
@   IN NS ns2.huawei.com.
ns1 IN A  192.168.15.98
ns2 IN A  192.168.15.99
; vuat environment
vuat.fintech IN A 10.68.8.64
vuat.fintech IN A 10.68.8.65
Run the reload command on the master:
[root@szxlkl01-dns-98 ~]# rndc reload
server reload successful
[root@szxlkl01-dns-98 ~]#
3.3.3 The slave shows the synchronised zone
[root@szxlkl02-dns-99 ~]# cat /var/named/lakala.com.zone
$ORIGIN .
$TTL 86400      ; 1 day
huawei.com      IN SOA  ns.huawei.com. root.localhost. (
12 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS ns1.huawei.com.
NS ns2.huawei.com.
$ORIGIN huawei.com.
vuat            A       192.168.15.64
                A       192.168.15.65
3.3.4 Checking with dig and nslookup
Configure the Linux client's DNS servers as 192.168.15.98 and 192.168.15.99.
To log queries to a separate file, create a log directory on the master and change the logging block in /etc/named.conf:
[root@szxlkl01-dns-98 ~]# mkdir /var/named/logs/
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
Change it to:
logging {
    channel query_log {
        file "/var/named/logs/bind_query.log" versions 3 size 10M;
        severity dynamic;
        print-category yes;
        print-time yes;       // record the time of each log entry
        print-severity yes;   // record the log level
    };
    category queries { query_log; };   // send all query-category log messages to the query_log channel
};
The log directory must be writable by the user named runs as (chown named:named /var/named/logs), and named must be reloaded afterwards for the new logging block to take effect.