本节中将详细介绍下DNS服务器的子域授权和辅助DNS的配置,在公网上根域服务器都是将cn.;edu.;hk.这样的顶级域名授权
给相应的DNS服务器管理,而这些子域的DNS服务器的反向区域需要传送给根域名服务器,这是通过辅助DNS的区域传送来实现的。在下列的配置中
server模拟根域名服务器的工作机制;client则模拟子域服务器。server IP:192.168.100.254/24,client IP:192.168.100.20/24
一:子域的授权
[root@server ~]# cat /var/named/chroot/var/named/666.zone
//在server服务器上指定子域的授权
$TTL 86400
@ IN SOA 666.com. root.666.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS 666.com.
@ IN MX 10 666.com.
dodo.666.com. IN NS dodo.666.com.
//指定dodo.666.com为该域的NS权威
dodo.666.com. IN A 192.168.100.20
//指定dodo.666.com.权威DNS服务器的IP
www IN A 192.168.100.254
ftp IN CNAME www
[root@server ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client ~]# grep -v '^//' /etc/named.conf |grep -v '//'
//client服务器主配置文件
options {
listen-on port 53 { 192.168.100.20; };
directory "/var/named";
allow-query { any; };
};
include "/etc/named.rfc1912.zones";
zone "dodo.666.com" IN {
type master;
file "dodo.666.com";
allow-update {none;};
};
zone "1.1.1.in-addr.arpa" IN {
type master;
file "1.1.1.zone";
allow-update {none;};
};
[root@client ~]# cat /var/named/chroot/var/named/dodo.666.com
//client服务器的正向区域文件
$TTL 86400
@ IN SOA dodo.666.com. root.dodo.666.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS dodo.666.com.
@ IN A 192.168.100.20
www IN A 1.1.1.1
ftp IN A 1.1.1.2
[root@client ~]# cat /var/named/chroot/var/named/1.1.1.zone
//client服务器的反向区域文件
$TTL 86400
@ IN SOA dodo.666.com. root.dodo.666.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS dodo.666.com.
20 IN PTR dodo.666.com.
1 IN PTR www.dodo.666.com.
2 IN PTR ftp.dodo.666.com.
[root@client ~]# service named configtest //测试配置文件
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone dodo.666.com/IN: loaded serial 42
zone 1.1.1.in-addr.arpa/IN: loaded serial 1997022700
[root@client ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
测试,这里的测试都指向server进行
[root@client ~]# dig dodo.666.com @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
dodo.666.com @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53530
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;dodo.666.com. IN A
;; ANSWER SECTION:
dodo.666.com. 86400 IN A 192.168.100.20
;; AUTHORITY SECTION:
dodo.666.com. 86400 IN NS dodo.666.com.
;; Query time: 23 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:54:43 2010
;; MSG SIZE rcvd: 69
[root@client ~]# dig ftp.dodo.666.com @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
ftp.dodo.666.com @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3741
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.dodo.666.com. IN A
;; ANSWER SECTION:
ftp.dodo.666.com. 86400 IN A 1.1.1.2
;; AUTHORITY SECTION:
dodo.666.com. 86400 IN NS dodo.666.com.
;; Query time: 14 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:36:33 2010
;; MSG SIZE rcvd: 73
[root@client ~]# dig www.dodo.666.com @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
www.dodo.666.com @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.dodo.666.com. IN A
;; ANSWER SECTION:
www.dodo.666.com. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
dodo.666.com. 86400 IN NS dodo.666.com.
;; Query time: 15 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:37:20 2010
;; MSG SIZE rcvd: 73
二:辅助DNS服务器的配置
[root@client ~]# grep -A 1 -B 1 'allow-transfer' /etc/named.conf
//在client服务器主配置文件的全局配置(options)中加入allow-transfer参数,只允许指定的辅助DNS进行区域传送;不加的话默认允许任何IP进行传送,很不安全
allow-query { any; };
allow-transfer {192.168.100.254;};
};
[root@client ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@server ~]# tail -5 /etc/named.conf
//在server主配置文件中加入辅助DNS服务器的配置,辅助DNS服务器也可以配置正向区域
zone "1.1.1.in-addr.arpa" IN {
type slave; //指定类型为slave
master 192.168.100.20; //指定主服务器的IP
file "slaves/1.1.1.zone"; //传送后的文件保存位置
};
[root@server ~]# ls /var/named/chroot/var/named/slaves/
//从主服务器传送过来的区域文件默认保存在这个位置,如果修改到其他位置,则需要注意修改selinux的布尔值
[root@server ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@server ~]# tail -f /var/log/messages //查看日志,测试区域传送可以使用 dig -t axfr 命令
Mar 14 08:09:28 server named[4350]: starting BIND
9.3.6-P1-RedHat-9.3.6-4.P1.el5 -u named -t /var/named/chroot
Mar 14 08:09:28 server named[4350]: adjusted limit on open files from
1024 to 1048576
Mar 14 08:09:28 server named[4350]: found 2 CPUs, using 2 worker threads
Mar 14 08:09:28 server named[4350]: using up to 4096 sockets
Mar 14 08:09:28 server named[4350]: loading configuration from
'/etc/named.conf'
Mar 14 08:09:28 server named[4350]: using default UDP/IPv4 port range:
[1024, 65535]
Mar 14 08:09:28 server named[4350]: using default UDP/IPv6 port range:
[1024, 65535]
Mar 14 08:09:28 server named[4350]: listening on IPv4 interface eth1,
192.168.100.254#53
Mar 14 08:09:28 server named[4350]: command channel listening on
127.0.0.1#953
Mar 14 08:09:28 server named[4350]: command channel listening on ::1#953
Mar 14 08:09:28 server named[4350]: the working directory is not
writable
Mar 14 08:09:28 server named[4350]: zone 0.in-addr.arpa/IN: loaded
serial 42
Mar 14 08:09:28 server named[4350]: zone 0.0.127.in-addr.arpa/IN: loaded
serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 100.168.192.in-addr.arpa/IN:
loaded serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 255.in-addr.arpa/IN: loaded
serial 42
Mar 14 08:09:28 server named[4350]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 666.com/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: zone localdomain/IN: loaded serial
42
Mar 14 08:09:28 server named[4350]: zone localhost/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: running
Mar 14 08:09:28 server named[4350]: zone 1.1.1.in-addr.arpa/IN: Transfer started. //开始区域传送
Mar 14 08:09:28 server named[4350]: transfer of '1.1.1.in-addr.arpa/IN'
from 192.168.100.20#53: connected using 192.168.100.254#38446
//连接到client服务器的53端口
Mar 14 08:09:29 server named[4350]: zone 1.1.1.in-addr.arpa/IN:
transferred serial 1997022700 //传送序列号,在区域文件中定义
Mar 14 08:09:29 server named[4350]: transfer of '1.1.1.in-addr.arpa/IN'
from 192.168.100.20#53: end of transfer //结束传送
[root@server ~]# cat /var/named/chroot/var/named/slaves/1.1.1.zone
//查看传送好的区域文件
$ORIGIN .
$TTL 86400 ; 1 day
1.1.1.in-addr.arpa IN SOA dodo.666.com. root.dodo.666.com. (
1997022700 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
NS dodo.666.com.
$ORIGIN 1.1.1.in-addr.arpa.
1 PTR www.dodo.666.com.
2 PTR ftp.dodo.666.com.
20 PTR dodo.666.com.