Category: Servers & Storage

2017-04-09 11:34:35

DNS: Domain Name System (often expanded as Domain Name Service)
        Protocol: DNS
             UDP/53 (ordinary queries)
             TCP/53 (zone transfers, and answers too large for a UDP datagram)
        Implementation: BIND

        A distributed database:

        Top-level domains:
               Generic (organizational) domains: .com, .org, .mil, .gov, .edu, .net
               Country-code domains: .cn, .hk, .tw
               Reverse domain: .in-addr.arpa

       FQDN: Fully Qualified Domain Name
               FQDN --> IP: forward resolution
               IP --> FQDN: reverse resolution

               Query types:
                       recursive query
                       iterative query

               The DNS server a client points at must be one that is willing to recurse on behalf of that client (its recursion policy must cover the local hosts).

               Resource Records (RR):

                         Every record has a type, and the type determines what the record is used for

                         SOA: Start Of Authority

                         NS: Name Server

                         MX: Mail Exchanger

                         A: Address, FQDN --> IPv4 address

                         PTR: Pointer, IP --> FQDN

                         AAAA: Address, FQDN --> IPv6 address

                         CNAME: Canonical Name, alias record

                 Forward zones map FQDN --> IP; reverse zones live under .in-addr.arpa

                         Forward and reverse resolution are built differently and should not be kept in the same zone database

                         Domain: a logical concept (the name space below a node)

                         Zone: a physical concept (the part of that space one server actually holds data for)

                         DNS server types:
                                   primary (master) DNS server
                                   secondary (slave) DNS server

                         Zone database file: a plain-text file (the zone data file, named after the zone) that may contain only resource records and directives such as $TTL and $ORIGIN

                           Record format:
                           name               [ttl]        IN                RRtype      Value

                            Examples:
                            www                600       IN                 A             1.2.3.4
                                               600       IN                 A             1.2.3.4
                            (a record whose name column is blank reuses the name of the record above it)

                            SOA: exactly one per zone
                            name: the zone name, normally abbreviated as @
                            value: the FQDN of the primary DNS server, the zone contact's mailbox (with the @ replaced by a dot), and five timers
                            note: the SOA must be the first record in the zone database file

                            @    600      IN       SOA       dns.shamereedwine.com.   dnsadmin.shamereedwine.com.  (
                                                              serial           ; decimal, at most 10 digits (a 32-bit number); conventionally a date such as 2014031001
                                                              refresh time     ; how often a secondary asks the primary whether the serial has changed
                                                              retry time       ; how long to wait after a failed refresh; should be shorter than the refresh time
                                                              expire time      ; how long a secondary keeps answering for the zone without a successful refresh
                                                              negative TTL )   ; how long a negative answer may be cached

                            NS: one or more
                            name: the zone name, normally abbreviated as @
                            value: the FQDN of a DNS server for the zone (a relative name is allowed)

                            example: @     600      IN  NS   ns

                            A:
                            name:  FQDN (a relative name is allowed)
                            value: IPv4 address

                            www           600               IN           A           1.2.3.4
                            www           600               IN           A           1.2.3.5
                            (one name may carry several A records)

                            www           600               IN           A           1.2.3.4
                            www           600               IN           A           1.2.3.5

                                              
                            MX: one or more
                            name: the zone name (mail for that domain is routed to these hosts)
                            value: a preference followed by an FQDN
                            preference: 0-65535 (values such as 10, 20 are customary); the lower the number, the more preferred the host

                            examples: @        600   IN   MX      10        mail
                                      @        600   IN   MX      20        mail2

                            CNAME:
                                  name: FQDN (the alias)
                                  value: FQDN (the canonical name)

                            examples:
                                   ftp     IN   CNAME     www
                                   mail    IN   CNAME     www
                            (an MX target must be a name that has an A or AAAA record, not a CNAME, so a zone whose MX points at mail should not also alias mail as in the second line)
                                                           

                             PTR: IP --> FQDN; defined only in a reverse zone data file
                             name: the host part of the address in reverse order; for 172.16.100.7 in the zone 16.172.in-addr.arpa the name is 7.100, in full 7.100.16.172.in-addr.arpa.
                             value: FQDN

                            example:
                             4.3.2.1.in-addr.arpa.                600        IN   PTR         www.shamereedwine.com.
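The record format and the rules above (name inheritance from the previous line, `@` for the zone name, the parenthesised SOA, a single SOA that comes first, `;` comments) are easiest to see in a parser that applies them. The following is an added example and not code from the original notes; the function names (`parse_zone`, `check_zone`, `parse_ttl`, `fqdn`) and the sample zone text are mine, the sample being a constructed copy of the forward zone built later on this page. It also refuses `#` in a zone file, which BIND's master-file format does not treat as a comment.

```python
"""Minimal parser for BIND's master-file (zone file) format.  Added example,
not code from the original post: it reads `name [ttl] [class] type value`,
honours $TTL/$ORIGIN, '@', blank-owner inheritance, ';' comments and the
multi-line '( ... )' SOA form, and rejects '#', which is not a comment here."""
import re
from collections import namedtuple

RR = namedtuple("RR", "name ttl rrtype rdata")
_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)

def parse_ttl(text):
    """'600', '2H', '10m', '7D' -> seconds (BIND TTL syntax)."""
    m = _TTL_RE.fullmatch(text)
    if not m:
        raise ValueError("bad TTL %r" % text)
    return int(m.group(1)) * _UNIT[m.group(2).lower() or "s"]

def fqdn(name, origin):
    """'@' -> origin; 'www' -> 'www.<origin>'; names ending in '.' are kept."""
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin

def _logical_lines(text):
    """Drop ';' comments, join '(...)' continuations, refuse a bare '#'."""
    depth, cur = 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if "#" in line and '"' not in line:
            raise ValueError("'#' is not a zone-file comment: %r" % raw)
        if not line.strip() and depth == 0:
            continue
        cur = line if cur is None else cur + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield cur
            cur = None

def parse_zone(text, origin):
    """Return the RRs of zone `origin` (the zone name given in named.conf)."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_name, records = None, None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if line[0].isspace():              # blank owner column: reuse previous name
            name = last_name
        else:
            name, tokens = fqdn(tokens[0], origin), tokens[1:]
        ttl = None                         # optional [ttl] and [class], either order
        while tokens and (tokens[0].upper() == "IN" or _TTL_RE.fullmatch(tokens[0])):
            if tokens[0].upper() != "IN":
                ttl = parse_ttl(tokens[0])
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):        # rdata is one domain name
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":                        # preference, then a domain name
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        elif rtype == "SOA":                       # mname rname serial + four timers
            rdata = ([fqdn(rdata[0], origin), fqdn(rdata[1], origin), rdata[2]]
                     + [str(parse_ttl(t)) for t in rdata[3:7]])
        records.append(RR(name, default_ttl if ttl is None else ttl, rtype, " ".join(rdata)))
        last_name = name
    return records

def check_zone(records, origin):
    """SOA first and unique, an NS at the apex, no other data at a CNAME owner."""
    origin = origin if origin.endswith(".") else origin + "."
    problems = []
    if not records or records[0].rrtype != "SOA":
        problems.append("the first record must be the SOA")
    if sum(r.rrtype == "SOA" for r in records) != 1:
        problems.append("exactly one SOA is allowed")
    if not any(r.rrtype == "NS" and r.name == origin for r in records):
        problems.append("no NS record at the zone apex")
    aliases = {r.name for r in records if r.rrtype == "CNAME"}
    problems += ["%s has a CNAME and other data" % r.name
                 for r in records if r.name in aliases and r.rrtype != "CNAME"]
    return problems

# Constructed sample: the forward zone from this page; the MX line has a blank
# owner column and so inherits '@' from the NS line above it.
SAMPLE_ZONE = """\
$TTL 600
@      IN  SOA  dns.shamereedwine.com. admin.shamereedwine.com. (
                20170409  ; serial
                2H        ; refresh
                10M       ; retry
                7D        ; expire
                1D )      ; negative-answer TTL
@      IN  NS   dns
       IN  MX   10 mail
dns    IN  A    192.168.0.114
mail   IN  A    192.168.0.115
www    IN  A    192.168.0.116
ftp    IN  CNAME www
"""
```

`parse_zone(SAMPLE_ZONE, "shamereedwine.com")` yields the same seven records, with the SOA timers expanded to seconds, that the secondary's copy of the zone shows later on this page; `check_zone` returns an empty list for it. Feeding it a zone with `20170411#bumped` in the serial field raises, which is the mistake `named-checkzone` would also catch.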
                                                        

                            Zone transfer:
                            the process by which a secondary DNS server pulls zone data from the primary or from another secondary

                            Full zone transfer: sends the whole zone, AXFR

                            Incremental zone transfer: sends only the part of the zone that changed, IXFR

                                               
                                               
BIND: written and maintained by ISC (isc.org)
       version 4: legacy
       version 9: current

Lab layout (DNS, BIND, named):

mail:    192.168.0.115

www:     192.168.0.116

pop  --> mail (alias)

ftp  --> www  (alias)

dns:  192.168.0.114

Main configuration file: defines the zones, /etc/named.conf

          At least three zones are always present:
                      the root hints zone, localhost, and the reverse zone for 127.0.0.1

           Zone data files: /var/named/

                      named runs as:
                           user:  named
                           group: named

                      Query types:
                            recursive
                            iterative

                 Files:
                       main configuration file: /etc/named.conf
                       zone data files: /var/named/
                            owner root, group named, mode 640 (root edits, named only reads, nobody else can see them)

                 Zone database file: resource records
                        name [ttl]  IN rrtype     value

                 Reverse zone database file: the zone name is the reversed network address with the suffix .in-addr.arpa:
                        the first record must be the SOA
                        it should have NS records, but MX and A records do not belong in it
                        the usual records are PTRs
                              whose names are the reversed host parts of the addresses

                Zone transfer:
                      simulate a full zone transfer with dig
                      # dig -t axfr  ZONE_NAME  @server

                     Primary/secondary synchronisation:

                       /etc/resolv.conf on the clients
                       nameserver MASTER_DNS_IP
                       nameserver SLAVE_DNS_IP

                     Primary/secondary:
                           the primary's BIND version may be older than the secondary's (the secondary has to understand everything the primary sends, not the other way round)

                      Two key steps when adding a secondary to a zone:
                             get the parent zone's delegation to include it
                             add an NS record for the secondary, plus its A (or PTR) record, to the zone data file

                      Access control for zone transfers:
                             allow-transfer { IP; };   (without it, BIND hands the whole zone to anyone who asks)

                   rndc: Remote Name Daemon Control
                        tool for managing BIND remotely (listening on 127.0.0.1 port 953 by default)

                         rndc key:
                              rndc and named share one symmetric (HMAC) secret: rndc reads it from its own configuration file, named from the key file referenced by the main configuration file; the two copies must be identical

                         rndc configuration file: /etc/rndc.conf
                                on CentOS/RHEL the key file is /etc/rndc.key (generated the first time the service starts)
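The `allow-transfer` note above is the one control that decides whether the whole zone can be enumerated by anyone on the network, and it is easy to forget in a hand-written named.conf. The following audit is an added example, not code from the original notes or from ISC: it parses a named.conf text into top-level statements and lists every master or slave zone that BIND would transfer to any client (no `allow-transfer` in the zone or in `options`, or one that contains `any`). The function names, the brace scanner and both sample configurations are mine; the first sample mirrors the configuration built on this page, the second is a hardened version that restricts transfers to the secondary used later (192.168.0.100).

```python
"""Audit of named.conf for zones that anyone can AXFR.  Added example, not
code from the original post.  Without allow-transfer in the zone or in
options, BIND hands the full zone to any client, which is exactly why the
`dig -t axfr` steps on this page succeed from an arbitrary host."""
import re

def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", " ", text)

def top_level_statements(text):
    """(keyword, arguments, body) for each top-level `keyword args { body };`;
    nested blocks such as `masters { ... };` stay inside the body string."""
    out, i = [], 0
    while True:
        m = re.search(r"(\w+)([^{;]*)\{", text[i:])
        if not m:
            return out
        start = i + m.end()                 # first character after the '{'
        depth, j = 1, start
        while depth:                        # walk to the matching '}'
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        out.append((m.group(1), m.group(2).strip(), text[start:j - 1]))
        i = j

def _transfer_acl(body):
    """The allow-transfer address list in a block, or None if it is not set."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def open_transfer_zones(conf_text):
    """Zones (type master or slave) that BIND would transfer to any client:
    no allow-transfer in the zone and none in options, or a list with 'any'."""
    stmts = top_level_statements(_strip_comments(conf_text))
    default = next((_transfer_acl(b) for k, _, b in stmts if k == "options"), None)
    exposed = []
    for kw, args, body in stmts:
        if kw != "zone" or not re.search(r"\btype\s+(master|slave)\s*;", body):
            continue
        acl = _transfer_acl(body)
        effective = default if acl is None else acl
        if effective is None or "any" in effective:
            exposed.append(args.split()[0].strip('"').rstrip(".") or ".")
    return exposed

# Constructed sample 1: the primary's configuration as built on this page.
LAB_CONF = """
options { directory "/var/named"; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost." IN { type master; file "named.localhost"; };
zone "1.0.0.127.in-addr.arpa." IN { type master; file "named.loopback"; };
zone "shamereedwine.com." IN { type master; file "shamereedwine.com.zone"; };
zone "0.168.192.in-addr.arpa" IN { type master; file "192.168.0.zone"; };
"""

# Constructed sample 2: the same, with transfers denied by default and
# allowed only to the secondary (192.168.0.100) for the two real zones.
HARDENED_CONF = """
options {
    directory "/var/named";
    allow-transfer { none; };     // default for every zone
};
zone "." IN { type hint; file "named.ca"; };
zone "localhost." IN { type master; file "named.localhost"; };
zone "1.0.0.127.in-addr.arpa." IN { type master; file "named.loopback"; };
zone "shamereedwine.com." IN {
    type master;
    file "shamereedwine.com.zone";
    allow-transfer { 192.168.0.100; };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    allow-transfer { 192.168.0.100; };
};
"""
```

`open_transfer_zones(LAB_CONF)` names all four master zones; `open_transfer_zones(HARDENED_CONF)` is empty. Putting `allow-transfer { none; };` in `options` and opening it per zone is the safer order, because a zone added later without its own `allow-transfer` then inherits the deny.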
                       


I. Installing and using bind


Install bind

1. yum install bind


2. List the 13 root name servers

[root@localhost ~]# dig -t NS .

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48970
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                IN    NS

;; ANSWER SECTION:
.            197542    IN    NS    d.root-servers.net.
.            197542    IN    NS    a.root-servers.net.
.            197542    IN    NS    b.root-servers.net.
.            197542    IN    NS    i.root-servers.net.
.            197542    IN    NS    e.root-servers.net.
.            197542    IN    NS    g.root-servers.net.
.            197542    IN    NS    h.root-servers.net.
.            197542    IN    NS    l.root-servers.net.
.            197542    IN    NS    m.root-servers.net.
.            197542    IN    NS    j.root-servers.net.
.            197542    IN    NS    k.root-servers.net.
.            197542    IN    NS    f.root-servers.net.
.            197542    IN    NS    c.root-servers.net.

;; Query time: 15 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Apr  8 18:20:26 2017
;; MSG SIZE  rcvd: 228

3. Write a main configuration file

[root@localhost etc]# mv named.conf named.conf.bak   # keep the packaged file as a backup

Write a configuration file of your own:
[root@localhost etc]# cat named.conf
options {
        directory  "/var/named";
};

zone "." IN {
         type hint;
         file "named.ca";
};

zone "localhost." IN {
          type master;
          file "named.localhost";
};

zone "1.0.0.127.in-addr.arpa." IN {
          type master;
          file "named.loopback";
};

Give named.conf the group named:
[root@localhost etc]# chown root:named /etc/named.conf

Set its mode to 640:
[root@localhost etc]# chmod 640 named.conf

Check that the configuration parses:
[root@localhost etc]# named-checkconf

Edit /etc/resolv.conf and point nameserver at this host:
nameserver 192.168.0.114

4. Start the named service

[root@localhost etc]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]


5. Follow the startup in the log

[root@localhost etc]# tail /var/log/messages
Apr  9 07:57:28 localhost named[7797]: automatic empty zone: 9.E.F.IP6.ARPA
Apr  9 07:57:28 localhost named[7797]: automatic empty zone: A.E.F.IP6.ARPA
Apr  9 07:57:28 localhost named[7797]: automatic empty zone: B.E.F.IP6.ARPA
Apr  9 07:57:28 localhost named[7797]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Apr  9 07:57:28 localhost named[7797]: command channel listening on 127.0.0.1#953
Apr  9 07:57:28 localhost named[7797]: command channel listening on ::1#953
Apr  9 07:57:28 localhost named[7797]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr  9 07:57:28 localhost named[7797]: zone localhost/IN: loaded serial 0
Apr  9 07:57:28 localhost named[7797]: managed-keys-zone ./IN: loaded serial 0
Apr  9 07:57:28 localhost named[7797]: running

6. Edit the main configuration file and define a zone by adding the block below

zone "shamereedwine.com." IN {
          type master;
          file "shamereedwine.com.zone";
};

7. Go to BIND's zone directory and create shamereedwine.com.zone by hand
cd  /var/named

vim shamereedwine.com.zone

$TTL  600   
@                IN        SOA         dns.shamereedwine.com.    admin.shamereedwine.com.  (
                                       20170409
                                       2H
                                       10M
                                       7D
                                       1D )

@                 IN        NS         dns
@                 IN        MX    10   mail
dns               IN        A          192.168.0.114
mail              IN        A          192.168.0.115
www               IN        A          192.168.0.116
pop               IN        CNAME      mail
ftp               IN        CNAME      www

8. Set the owner, group and mode of shamereedwine.com.zone

[root@localhost named]# chown root:named shamereedwine.com.zone
[root@localhost named]# chmod 640 shamereedwine.com.zone

9. Check for syntax errors

[root@localhost named]# named-checkconf   # checks the main configuration file

The next two commands check the zone file itself:

[root@localhost named]# named-checkzone "shamereedwine.com" /var/named/shamereedwine.com.zone
zone shamereedwine.com/IN: loaded serial 20170409
OK
[root@localhost named]# service named configtest
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone shamereedwine.com/IN: loaded serial 20170409

10. Restart named

[root@localhost named]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]

11. Resolve pop.shamereedwine.com

Read the SERVER line and the flags before trusting this answer: the query went to 192.168.0.1 rather than to our named (most likely because dhclient rewrote /etc/resolv.conf; its header shows up in a later step), the aa flag is missing and the AUTHORITY section holds the .com servers' SOA, so 220.250.64.225 is whatever shamereedwine.com resolves to on the Internet, not the address from our zone. The next step asks our server explicitly with @192.168.0.114.

[root@localhost named]# dig -t A pop.shamereedwine.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A pop.shamereedwine.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28286
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;pop.shamereedwine.com.        IN    A

;; ANSWER SECTION:
pop.shamereedwine.com.    3600    IN    A    220.250.64.225

;; AUTHORITY SECTION:
com.            900    IN    SOA    a.gtld-servers.net. nstld.verisign-grs.com. 1491698301 1800 900 604800 86400

;; Query time: 53 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Apr  9 08:38:34 2017
;; MSG SIZE  rcvd: 128

12. Use the local host as the resolver for a name in our zone (the aa flag in the reply shows the answer is authoritative)

[root@localhost named]# dig -t A www.shamereedwine.com @192.168.0.114

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.shamereedwine.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35952
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.shamereedwine.com.        IN    A

;; ANSWER SECTION:
www.shamereedwine.com.    600    IN    A    192.168.0.116

;; AUTHORITY SECTION:
shamereedwine.com.    600    IN    NS    dns.shamereedwine.com.

;; ADDITIONAL SECTION:
dns.shamereedwine.com.    600    IN    A    192.168.0.114

;; Query time: 17 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 10:30:50 2017
;; MSG SIZE  rcvd: 89

13. Look up the zone's mail exchanger (mail.shamereedwine.com)

[root@localhost named]# dig -t MX shamereedwine.com @192.168.0.114

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t MX shamereedwine.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3048
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;shamereedwine.com.        IN    MX

;; ANSWER SECTION:
shamereedwine.com.    600    IN    MX    10 mail.shamereedwine.com.

;; AUTHORITY SECTION:
shamereedwine.com.    600    IN    NS    dns.shamereedwine.com.

;; ADDITIONAL SECTION:
mail.shamereedwine.com.    600    IN    A    192.168.0.115
dns.shamereedwine.com.    600    IN    A    192.168.0.114

;; Query time: 0 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 10:35:00 2017
;; MSG SIZE  rcvd: 106

14. Use nslookup to resolve the web server's address

[root@localhost named]# nslookup
> set q=A
> www.shamereedwine.com
Server:        192.168.0.114
Address:    192.168.0.114#53

Name:    www.shamereedwine.com
Address: 192.168.0.116

15. Use nslookup to resolve the mail exchanger

> set q=MX
> shamereedwine.com
Server:        192.168.0.114
Address:    192.168.0.114#53

shamereedwine.com    mail exchanger = 10 mail.shamereedwine.com.      

16. Edit /etc/named.conf and add a reverse zone

vim /etc/named.conf

Add the reverse zone below:

zone "0.168.192.in-addr.arpa" IN {
          type master;
          file "192.168.0.zone";
};

17. In /var/named define the reverse zone file

Copy shamereedwine.com.zone with -p so the owner, group and mode carry over:

[root@localhost named]# cp shamereedwine.com.zone 192.168.0.zone -p

vim 192.168.0.zone

$TTL  600
@                IN        SOA         dns.shamereedwine.com.    dnsadmin.shamereedwine.com.  (
                                       20170409
                                       2H
                                       10M
                                       7D
                                       1D )

                    IN        NS         dns.shamereedwine.com.
114               IN        PTR        dns.shamereedwine.com.
115               IN        PTR        mail.shamereedwine.com.
116               IN        PTR        www.shamereedwine.com.

18. Check the syntax

[root@localhost named]# service named configtest
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone shamereedwine.com/IN: loaded serial 20170409
zone 0.168.192.in-addr.arpa/IN: loaded serial 20170409

19. Reload the configuration

[root@localhost named]# service named reload
Reloading named:                                           [  OK  ]

20. Check the log

[root@localhost named]# tail /var/log/messages
Apr  9 11:16:02 localhost dhclient[977]: bound to 192.168.0.114 -- renewal in 3586 seconds.
Apr  9 11:19:46 localhost named[7997]: received control channel command 'reload'
Apr  9 11:19:46 localhost named[7997]: loading configuration from '/etc/named.conf'
Apr  9 11:19:46 localhost named[7997]: using default UDP/IPv4 port range: [1024, 65535]
Apr  9 11:19:46 localhost named[7997]: using default UDP/IPv6 port range: [1024, 65535]
Apr  9 11:19:46 localhost named[7997]: sizing zone task pool based on 5 zones
Apr  9 11:19:46 localhost named[7997]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr  9 11:19:46 localhost named[7997]: reloading configuration succeeded
Apr  9 11:19:46 localhost named[7997]: zone 0.168.192.in-addr.arpa/IN: loaded serial 20170409
Apr  9 11:19:46 localhost named[7997]: reloading zones succeeded

21. Test reverse resolution of the DNS server's own address

[root@localhost named]# dig -x 192.168.0.114

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41422
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;114.0.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
114.0.168.192.in-addr.arpa. 600    IN    PTR    dns.shamereedwine.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa.    600    IN    NS    dns.shamereedwine.com.

;; ADDITIONAL SECTION:
dns.shamereedwine.com.    600    IN    A    192.168.0.114

;; Query time: 15 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 11:22:14 2017
;; MSG SIZE  rcvd: 109

22. Reverse-resolve the mail server

[root@localhost named]# dig -x 192.168.0.115

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.115
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37802
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;115.0.168.192.in-addr.arpa.    IN    PTR

;; ANSWER SECTION:
115.0.168.192.in-addr.arpa. 600    IN    PTR    mail.shamereedwine.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa.    600    IN    NS    dns.shamereedwine.com.

;; ADDITIONAL SECTION:
dns.shamereedwine.com.    600    IN    A    192.168.0.114

;; Query time: 1 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 11:30:18 2017
;; MSG SIZE  rcvd: 114

23. Resolve 192.168.0.114 with host

[root@localhost named]# host -t PTR 192.168.0.114
114.0.168.192.in-addr.arpa domain name pointer dns.shamereedwine.com.

24. Pull every record of the forward zone with a full zone transfer

This succeeds from any client because the configuration sets no allow-transfer; on a real server restrict it to the secondaries (allow-transfer { 192.168.0.100; };), otherwise this one command gives an attacker the complete host inventory.

[root@localhost named]# dig -t axfr shamereedwine.com @192.168.0.114

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t axfr shamereedwine.com @192.168.0.114
;; global options: +cmd
shamereedwine.com.    600    IN    SOA    dns.shamereedwine.com. admin.shamereedwine.com. 20170409 7200 600 604800 86400
shamereedwine.com.    600    IN    NS    dns.shamereedwine.com.
shamereedwine.com.    600    IN    MX    10 mail.shamereedwine.com.
dns.shamereedwine.com.    600    IN    A    192.168.0.114
ftp.shamereedwine.com.    600    IN    CNAME    www.shamereedwine.com.
mail.shamereedwine.com.    600    IN    A    192.168.0.115
pop.shamereedwine.com.    600    IN    CNAME    mail.shamereedwine.com.
www.shamereedwine.com.    600    IN    A    192.168.0.116
shamereedwine.com.    600    IN    SOA    dns.shamereedwine.com. admin.shamereedwine.com. 20170409 7200 600 604800 86400
;; Query time: 1 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 11:53:33 2017
;; XFR size: 9 records (messages 1, bytes 240)

25. Pull every record of the reverse zone

[root@localhost named]# dig -t axfr 0.168.192.in-addr.arpa @192.168.0.114

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t axfr 0.168.192.in-addr.arpa @192.168.0.114
;; global options: +cmd
0.168.192.in-addr.arpa.    600    IN    SOA    dns.shamereedwine.com. dnsadmin.shamereedwine.com. 20170409 7200 600 604800 86400
0.168.192.in-addr.arpa.    600    IN    NS    dns.shamereedwine.com.
114.0.168.192.in-addr.arpa. 600    IN    PTR    dns.shamereedwine.com.
115.0.168.192.in-addr.arpa. 600    IN    PTR    mail.shamereedwine.com.
116.0.168.192.in-addr.arpa. 600    IN    PTR    www.shamereedwine.com.
0.168.192.in-addr.arpa.    600    IN    SOA    dns.shamereedwine.com. dnsadmin.shamereedwine.com. 20170409 7200 600 604800 86400
;; Query time: 5 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Sun Apr  9 11:55:43 2017
;; XFR size: 6 records (messages 1, bytes 219)
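The reverse zone above was typed by hand, and the two transfers show how easily forward and reverse data drift apart (every later host added to the forward zone needs a matching PTR). The following is an added example, not code from the original post: it computes the PTR owner name that `dig -x` builds, the relative label to write into the reverse zone file, a PTR section generated from the A records, and a forward-confirmed reverse DNS check that reports A records without a PTR pointing back and PTRs that no A record confirms. Function names are mine; the sample data is constructed from the addresses used on this page, plus one stale PTR (192.168.0.117, invented) to show the second kind of mismatch. It goes beyond the /24 case by handling any octet-aligned IPv4 prefix.

```python
"""Forward/reverse consistency for the lab zones.  Added example, not code
from the original post.  Derives the PTR owner name for an address (what
`dig -x` does), the relative label to write in the reverse zone file, a PTR
section generated from the A records, and a forward-confirmed reverse check."""
import ipaddress

def ptr_name(ip):
    """'192.168.0.114' -> '114.0.168.192.in-addr.arpa.' (IPv6 -> ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone_for(network):
    """'192.168.0.0/24' -> '0.168.192.in-addr.arpa.' (octet-aligned IPv4 only)."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 map onto a plain in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def relative_label(ip, zone):
    """Owner name for `ip` relative to the reverse zone `zone` ('114' for .114)."""
    full = ptr_name(ip)
    if not full.endswith("." + zone):
        raise ValueError("%s is not inside %s" % (ip, zone))
    return full[: -len(zone) - 1]

def render_ptr_records(a_records, zone):
    """Zone-file PTR lines, one per A record, ordered by address."""
    rows = sorted(a_records.items(), key=lambda kv: ipaddress.ip_address(kv[1]))
    return ["%s IN PTR %s" % (relative_label(ip, zone), name) for name, ip in rows]

def check_fcrdns(a_records, ptr_records):
    """Forward-confirmed reverse DNS: every A needs a PTR naming it back, and
    every PTR must point at a name whose A record is that address.  Returns
    (names without a confirming PTR, addresses whose PTR is not confirmed)."""
    unconfirmed_a = sorted(n for n, ip in a_records.items() if ptr_records.get(ip) != n)
    unconfirmed_ptr = sorted(ip for ip, n in ptr_records.items() if a_records.get(n) != ip)
    return unconfirmed_a, unconfirmed_ptr

# Constructed sample: the forward zone after the img and ns2 additions, the
# reverse zone as it stood before those PTRs were added, plus one invented
# stale PTR (192.168.0.117) that no A record confirms.
A_RECORDS = {
    "dns.shamereedwine.com.": "192.168.0.114",
    "mail.shamereedwine.com.": "192.168.0.115",
    "www.shamereedwine.com.": "192.168.0.116",
    "ns2.shamereedwine.com.": "192.168.0.100",
    "img.shamereedwine.com.": "192.168.0.128",
}
PTR_RECORDS = {
    "192.168.0.114": "dns.shamereedwine.com.",
    "192.168.0.115": "mail.shamereedwine.com.",
    "192.168.0.116": "www.shamereedwine.com.",
    "192.168.0.117": "old.shamereedwine.com.",
}
REVERSE_ZONE = reverse_zone_for("192.168.0.0/24")
```

`check_fcrdns(A_RECORDS, PTR_RECORDS)` reports img and ns2 as lacking a confirming PTR and 192.168.0.117 as a PTR nobody confirms; `render_ptr_records(A_RECORDS, REVERSE_ZONE)` prints the five lines that belong in 192.168.0.zone. Mail receivers and log tooling apply exactly this forward-confirmation test, so a reverse zone that is merely present is not enough.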


II. bind primary/secondary replication


Primary bind server:   192.168.0.114
Secondary bind server: 192.168.0.100

1. Edit the forward zone file on the primary and add ns2 (an NS record plus its A record)

vim  /var/named/shamereedwine.com.zone

$TTL  600   
@                IN        SOA         dns.shamereedwine.com.    dnsadmin.shamereedwine.com.  (
                                       20170409
                                       2H
                                       10M
                                       7D
                                       1D )

@                 IN        NS         dns
@                 IN        NS         ns2
@                 IN        MX    10   mail
dns               IN        A          192.168.0.114
mail              IN        A          192.168.0.115
ns2               IN        A          192.168.0.100
www               IN        A          192.168.0.116
pop               IN        CNAME      mail
ftp               IN        CNAME      www

2. On the secondary, write the main configuration file

Note: only the forward zone is added here

[root@localhost ~]# mv /etc/named.conf /etc/named.conf.bak   # keep the packaged file as a backup

vim /etc/named.conf and add the slave zone (the last block below):

options {
        directory  "/var/named";
};

zone "." IN {
         type hint;
         file "named.ca";
};

zone "localhost." IN {
          type master;
          file "named.localhost";
};

zone "1.0.0.127.in-addr.arpa." IN {
          type master;
          file "named.loopback";
};

zone "shamereedwine.com." IN {
          type slave;
          masters { 192.168.0.114; };
          file  "slaves/shamereedwine.com.zone";
};

3. Make sure the secondary's /etc/named.conf is owned root:named with mode 640, as on the primary

[root@localhost ~]# ll /etc/named.conf
-rw-r----- 1 root named 435 4月   9 21:33 /etc/named.conf

4. Edit /etc/resolv.conf on both the primary and the secondary

List both servers as nameservers:

[root@localhost named]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.0.114
nameserver 192.168.0.100

5. Start named on the secondary

[root@localhost ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

6. Check the startup log: the zone is transferred from the primary right away

[root@localhost ~]# tail /var/log/messages
Apr  9 21:43:22 localhost named[3747]: command channel listening on 127.0.0.1#953
Apr  9 21:43:22 localhost named[3747]: command channel listening on ::1#953
Apr  9 21:43:22 localhost named[3747]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Apr  9 21:43:22 localhost named[3747]: zone localhost/IN: loaded serial 0
Apr  9 21:43:22 localhost named[3747]: managed-keys-zone ./IN: loaded serial 0
Apr  9 21:43:22 localhost named[3747]: running
Apr  9 21:43:22 localhost named[3747]: zone shamereedwine.com/IN: Transfer started.
Apr  9 21:43:22 localhost named[3747]: transfer of 'shamereedwine.com/IN' from 192.168.0.114#53: connected using 192.168.0.100#55119
Apr  9 21:43:22 localhost named[3747]: zone shamereedwine.com/IN: transferred serial 20170409
Apr  9 21:43:22 localhost named[3747]: transfer of 'shamereedwine.com/IN' from 192.168.0.114#53: Transfer completed: 1 messages, 9 records, 240 bytes,

7. On the secondary, look at shamereedwine.com.zone under /var/named/slaves/ (named writes the transferred zone in its own canonical form)

[root@localhost ~]# cat /var/named/slaves/shamereedwine.com.zone
$ORIGIN .
$TTL 600    ; 10 minutes
shamereedwine.com    IN SOA    dns.shamereedwine.com. admin.shamereedwine.com. (
                20170409   ; serial
                7200       ; refresh (2 hours)
                600        ; retry (10 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS    dns.shamereedwine.com.
            MX    10 mail.shamereedwine.com.
$ORIGIN shamereedwine.com.
dns            A    192.168.0.114
ftp            CNAME    www
mail            A    192.168.0.115
pop            CNAME    mail
www            A    192.168.0.116

8. Resolve the name through the secondary; it answers, and authoritatively (aa flag)

[root@localhost named]# dig -t A www.shamereedwine.com @192.168.0.100


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t A www.shamereedwine.com @192.168.0.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35723
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.shamereedwine.com.        IN    A

;; ANSWER SECTION:
www.shamereedwine.com.    600    IN    A    192.168.0.116

;; AUTHORITY SECTION:
shamereedwine.com.    600    IN    NS    dns.shamereedwine.com.

;; ADDITIONAL SECTION:
dns.shamereedwine.com.    600    IN    A    192.168.0.114

;; Query time: 18 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
;; WHEN: Sun Apr  9 13:55:07 2017
;; MSG SIZE  rcvd: 89

9. On the secondary, list the zone's name servers

[root@localhost ~]# dig -t NS shamereedwine.com @192.168.0.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t NS shamereedwine.com @192.168.0.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9864
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;shamereedwine.com.        IN    NS

;; ANSWER SECTION:
shamereedwine.com.    600    IN    NS    dns.shamereedwine.com.
shamereedwine.com.    600    IN    NS    ns2.shamereedwine.com.

;; ADDITIONAL SECTION:
dns.shamereedwine.com.    600    IN    A    192.168.0.114
ns2.shamereedwine.com.    600    IN    A    192.168.0.100

;; Query time: 1 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
;; WHEN: Sun Apr  9 22:08:07 2017
;; MSG SIZE  rcvd: 103

10. On the primary, add a new resource record to the zone file under /var/named/

[root@localhost named]# vim /var/named/shamereedwine.com.zone   (the new record is the image server's address; the serial must be bumped at the same time)

$TTL  600
@                IN        SOA         dns.shamereedwine.com.    dnsadmin.shamereedwine.com.  (
                                       20170411   ; serial: bumped after the change
                                       2H
                                       10M
                                       7D
                                       1D )

                  IN        NS         dns
                  IN        NS         ns2
                  IN        MX    10   mail
dns               IN        A          192.168.0.114
mail              IN        A          192.168.0.115
ns2               IN        A          192.168.0.100
www               IN        A          192.168.0.116
pop               IN        CNAME      mail
ftp               IN        CNAME      www
img               IN        A          192.168.0.128   ; image server

11. Reload named on the primary

[root@localhost named]# service named reload
Reloading named:                                           [  OK  ]

12. Check the primary's log: it loads the new serial, sends NOTIFY, and the secondary transfers the zone at once

[root@localhost named]# tail /var/log/messages
Apr  9 14:23:10 localhost named[7997]: using default UDP/IPv4 port range: [1024, 65535]
Apr  9 14:23:10 localhost named[7997]: using default UDP/IPv6 port range: [1024, 65535]
Apr  9 14:23:10 localhost named[7997]: sizing zone task pool based on 5 zones
Apr  9 14:23:10 localhost named[7997]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr  9 14:23:10 localhost named[7997]: reloading configuration succeeded
Apr  9 14:23:10 localhost named[7997]: reloading zones succeeded
Apr  9 14:23:10 localhost named[7997]: zone shamereedwine.com/IN: loaded serial 20170411
Apr  9 14:23:10 localhost named[7997]: zone shamereedwine.com/IN: sending notifies (serial 20170411)
Apr  9 14:23:10 localhost named[7997]: client 192.168.0.100#35447: transfer of 'shamereedwine.com/IN': AXFR-style IXFR started
Apr  9 14:23:10 localhost named[7997]: client 192.168.0.100#35447: transfer of 'shamereedwine.com/IN': AXFR-style IXFR ended

13. On the secondary, the zone file now contains the img record

[root@localhost ~]# cat /var/named/slaves/shamereedwine.com.zone
$ORIGIN .
$TTL 600    ; 10 minutes
shamereedwine.com    IN SOA    dns.shamereedwine.com. dnsadmin.shamereedwine.com. (
                20170411   ; serial
                7200       ; refresh (2 hours)
                600        ; retry (10 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS    dns.shamereedwine.com.
            NS    ns2.shamereedwine.com.
            MX    10 mail.shamereedwine.com.
$ORIGIN shamereedwine.com.
dns            A    192.168.0.114
ftp            CNAME    www
img            A    192.168.0.128
mail            A    192.168.0.115
ns2            A    192.168.0.100
pop            CNAME    mail
www            A    192.168.0.116

14. On the secondary, add the reverse zone to /etc/named.conf

Add the block below to the configuration file:

zone "0.168.192.in-addr.arpa" IN {
          type slave;
          masters { 192.168.0.114; };
          file "slaves/192.168.0.zone";
};

15. Check the secondary's configuration for syntax errors

[root@localhost ~]# named-checkconf

16. Reload the configuration on the secondary

[root@localhost ~]# service named reload
Reloading named:                                           [  OK  ]

17. Check the secondary's log

[root@localhost ~]# tail /var/log/messages
Apr  9 22:37:02 localhost named[3747]: using default UDP/IPv4 port range: [1024, 65535]
Apr  9 22:37:02 localhost named[3747]: using default UDP/IPv6 port range: [1024, 65535]
Apr  9 22:37:02 localhost named[3747]: sizing zone task pool based on 5 zones
Apr  9 22:37:02 localhost named[3747]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr  9 22:37:02 localhost named[3747]: reloading configuration succeeded
Apr  9 22:37:02 localhost named[3747]: reloading zones succeeded
Apr  9 22:37:02 localhost named[3747]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
Apr  9 22:37:02 localhost named[3747]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.114#53: connected using 192.168.0.100#34079
Apr  9 22:37:02 localhost named[3747]: zone 0.168.192.in-addr.arpa/IN: transferred serial 20170409
Apr  9 22:37:02 localhost named[3747]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.114#53: Transfer completed: 1 messages, 6 records, 219 bytes, 0.003 secs (73000 bytes/sec)

18. Look at the reverse zone file on the secondary: it has been synchronised from the primary

[root@localhost ~]# cat /var/named/slaves/192.168.0.zone
$ORIGIN .
$TTL 600    ; 10 minutes
0.168.192.in-addr.arpa    IN SOA    dns.shamereedwine.com. dnsadmin.shamereedwine.com. (
                20170409   ; serial
                7200       ; refresh (2 hours)
                600        ; retry (10 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS    dns.shamereedwine.com.
$ORIGIN 0.168.192.in-addr.arpa.
114            PTR    dns.shamereedwine.com.
115            PTR    mail.shamereedwine.com.
116            PTR    .

19. On the primary, edit the reverse zone file 192.168.0.zone: add PTR records for the img server and for ns2, and bump the serial

[root@localhost named]# vim /var/named/192.168.0.zone

$TTL  600
@                IN        SOA         dns.shamereedwine.com.    dnsadmin.shamereedwine.com.  (
                                       20170410   ; serial: bumped after the change
                                       2H
                                       10M
                                       7D
                                       1D )

                    IN        NS         dns.shamereedwine.com.
114               IN        PTR        dns.shamereedwine.com.
115               IN        PTR        mail.shamereedwine.com.
116               IN        PTR        .
128               IN        PTR        img.shamereedwine.com.
100               IN        PTR        ns2.shamereedwine.com.

20. Check the syntax on the primary

[root@localhost named]# service named configtest
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone shamereedwine.com/IN: loaded serial 20170411
zone 0.168.192.in-addr.arpa/IN: loaded serial 20170410

21. Reload named on the primary

[root@localhost named]# service named reload
Reloading named:                                           [  OK  ]

22. Check the primary's log: the new serial is loaded, but no NOTIFY is sent and the secondary does not transfer. BIND sends NOTIFY to the zone's NS records (other than the one named in the SOA MNAME) and to any also-notify list; this reverse zone lists only dns as NS, so there is nobody to notify, and ns2 would not learn of the change until its refresh timer (2 hours) fires.

[root@localhost named]# tail  /var/log/messages
Apr  9 14:40:11 localhost dhclient[977]: bound to 192.168.0.114 -- renewal in 3399 seconds.
Apr  9 14:49:40 localhost named[7997]: received control channel command 'reload'
Apr  9 14:49:40 localhost named[7997]: loading configuration from '/etc/named.conf'
Apr  9 14:49:40 localhost named[7997]: using default UDP/IPv4 port range: [1024, 65535]
Apr  9 14:49:40 localhost named[7997]: using default UDP/IPv6 port range: [1024, 65535]
Apr  9 14:49:40 localhost named[7997]: sizing zone task pool based on 5 zones
Apr  9 14:49:40 localhost named[7997]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr  9 14:49:40 localhost named[7997]: reloading configuration succeeded
Apr  9 14:49:40 localhost named[7997]: reloading zones succeeded
Apr  9 14:49:40 localhost named[7997]: zone 0.168.192.in-addr.arpa/IN: loaded serial 20170410

22. In the master BIND's zone file, add an NS record for ns2 (named only sends NOTIFY to the servers listed in the zone's NS records) and increment the serial by 1.

$TTL  600
@                IN        SOA         dns.shamereedwine.com.    dnsadmin.shamereedwine.com.  (
                                      20170411 ; serial, incremented by 1
                                       2H
                                       10M
                                       7D
                                       1D )

                    IN        NS         dns.shamereedwine.com.
                   IN        NS         ns2.shamereedwine.com.
114               IN        PTR        dns.shamereedwine.com.
115               IN        PTR        mail.shamereedwine.com.
116               IN        PTR        .
128               IN        PTR        img.shamereedwine.com.
100               IN        PTR        ns2.shamereedwine.com.
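As an added example (not part of the original post), a small Python pre-reload check for the two pitfalls seen in steps 19 to 23: a serial that was not increased, and a secondary that is absent from the zone's NS records and therefore never receives a NOTIFY. The zone text is a constructed sample in the post's format.

```python
import re
# Constructed sample (not the post's file): the master's reverse zone after
# step 22, with the "#" annotation replaced by a proper ";" zone-file comment.
SAMPLE_ZONE = """$TTL  600
@       IN  SOA  dns.shamereedwine.com. dnsadmin.shamereedwine.com. (
                 20170411 ; serial
                 2H 10M 7D 1D )
        IN  NS   dns.shamereedwine.com.
        IN  NS   ns2.shamereedwine.com.
114     IN  PTR  dns.shamereedwine.com.
100     IN  PTR  ns2.shamereedwine.com.
"""
def parse_zone(text):
    """Parse zone text into [(owner, rrtype, rdata)]: comments, SOA parens, class, inherited owner."""
    records, owner, buf = [], None, None
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).rstrip()
        if buf is not None:                       # inside SOA "( ... )"
            buf += " " + line.strip()
            if ")" not in line:
                continue
            line, buf = buf, None
        elif not line.strip() or line.startswith("$"):
            continue                              # blank, $TTL, $ORIGIN
        elif "(" in line and ")" not in line:
            buf = line
            continue
        fields = line.split()
        if not line[0].isspace():                 # explicit owner name
            owner, fields = fields[0], fields[1:]
        if fields[0].upper() == "IN":             # optional class
            fields = fields[1:]
        rdata = [f for f in fields[1:] if f not in ("(", ")")]
        records.append((owner, fields[0].upper(), rdata))
    return records

def check_zone(text, previous_serial, secondaries):
    """Return problems that make a reload silently useless (serial not raised, secondary not in NS)."""
    recs = parse_zone(text)
    soa = [r for r in recs if r[1] == "SOA"]
    if len(soa) != 1:
        return ["zone must contain exactly one SOA record"]
    problems, serial = [], int(soa[0][2][2])
    if serial <= previous_serial:
        problems.append("serial %d not above %d" % (serial, previous_serial))
    ns = {r[2][0] for r in recs if r[1] == "NS"}
    for name in secondaries:
        if name not in ns:
            problems.append("%s has no NS record, so no NOTIFY" % name)
    return problems
```

Run it against the real file before `service named reload`; an empty list means the slave will be notified and will accept the new serial.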

23. Reload the configuration and check the log: the notify was sent successfully and the slave at 192.168.0.100 pulled the zone.

[root@localhost named]# service named reload
重新载入named:                                             [确定]

[root@localhost named]# tail /var/log/messages
Apr  9 15:01:21 localhost named[7997]: using default UDP/IPv4 port range: [1024, 65535]
Apr  9 15:01:21 localhost named[7997]: using default UDP/IPv6 port range: [1024, 65535]
Apr  9 15:01:21 localhost named[7997]: sizing zone task pool based on 5 zones
Apr  9 15:01:21 localhost named[7997]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Apr  9 15:01:21 localhost named[7997]: reloading configuration succeeded
Apr  9 15:01:21 localhost named[7997]: reloading zones succeeded
Apr  9 15:01:21 localhost named[7997]: zone 0.168.192.in-addr.arpa/IN: loaded serial 20170411
Apr  9 15:01:21 localhost named[7997]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 20170411)
Apr  9 15:01:21 localhost named[7997]: client 192.168.0.100#56542: transfer of '0.168.192.in-addr.arpa/IN': AXFR-style IXFR started
Apr  9 15:01:21 localhost named[7997]: client 192.168.0.100#56542: transfer of '0.168.192.in-addr.arpa/IN': AXFR-style IXFR ended

24. On the slave, view the reverse zone file: the image server and ns2 records have been added to the reverse zone.

[root@localhost ~]# cat /var/named/slaves/192.168.0.zone
$ORIGIN .
$TTL 600    ; 10 minutes
0.168.192.in-addr.arpa    IN SOA    dns.shamereedwine.com. dnsadmin.shamereedwine.com. (
                20170411   ; serial
                7200       ; refresh (2 hours)
                600        ; retry (10 minutes)
                604800     ; expire (1 week)
                86400      ; minimum (1 day)
                )
            NS    dns.shamereedwine.com.
            NS    ns2.shamereedwine.com.
$ORIGIN 0.168.192.in-addr.arpa.
100            PTR    ns2.shamereedwine.com.
114            PTR    dns.shamereedwine.com.
115            PTR    mail.shamereedwine.com.
116            PTR    .
128            PTR    img.shamereedwine.com.

25. Restrict zone transfers in the master BIND's main configuration file /etc/named.conf so that only the local host and the server at 192.168.0.100 may transfer the zone data: add the two lines marked in red.

zone "shamereedwine.com." IN {
        type master;
        file "shamereedwine.com.zone";
        allow-transfer { 127.0.0.1; 192.168.0.100; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        allow-transfer { 127.0.0.1; 192.168.0.100; };
};

26. Check the configuration file

[root@localhost named]# named-checkconf

27. Reload the configuration

[root@localhost named]# service named reload
重新载入named:                                             [确定]

28. Add the same access control option to the slave BIND's main configuration file /etc/named.conf, as marked in red

zone "shamereedwine.com." IN {
        type slave;
        masters { 192.168.0.114; };
        file "slaves/shamereedwine.com.zone";
        allow-transfer { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.0.114; };
        file "slaves/192.168.0.zone";
        allow-transfer { none; };
};

29. Check the slave BIND's main configuration file

[root@localhost ~]# named-checkconf

30. Reload the main configuration file on the slave BIND

[root@localhost ~]# service named reload
重新载入named:                                             [确定]

31. A zone transfer attempt against the slave is now refused

[root@localhost ~]# dig -t axfr shamereedwine.com @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -t axfr shamereedwine.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
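A defender's audit of /etc/named.conf for the allow-transfer restriction applied in steps 25 and 28, as an added Python example (not the post's own tooling). The configuration text is constructed: it contains the post's restricted forward zone beside two deliberately weak master zones and a root hint zone.

```python
import re
# Constructed sample (not the post's named.conf): the post's restricted
# forward zone plus two deliberately weak master zones and the root hint.
SAMPLE_CONF = """
zone "shamereedwine.com." IN {
    type master;
    file "shamereedwine.com.zone";
    allow-transfer { 127.0.0.1; 192.168.0.100; };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
};
zone "example.test" IN {
    type master;
    file "example.test.zone";
    allow-transfer { any; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
"""
# A zone block runs from 'zone "name"' to the first "};" that starts a line.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)

def audit_transfers(conf, allowed):
    """Return {zone: finding} for every authoritative zone whose allow-transfer
    is absent, is 'any', or lists a peer outside the `allowed` set."""
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        ztype = re.search(r"type\s+(\w+)\s*;", body)
        if not ztype or ztype.group(1) not in ("master", "slave"):
            continue                              # hint/forward zones: no zone data to transfer
        acl = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if not acl:
            findings[name] = "no allow-transfer; BIND 9.8 then defaults to any"
            continue
        peers = [p.strip() for p in acl.group(1).split(";") if p.strip()]
        if "any" in peers:
            findings[name] = "allow-transfer { any; } lets anyone dump the zone"
        else:
            extra = sorted(set(peers) - set(allowed))
            if extra:
                findings[name] = "unexpected transfer peer(s): " + ", ".join(extra)
    return findings
```

The `allowed` set is the list of hosts that are supposed to pull zones (here the local host and the slave); anything else in an allow-transfer list, or no list at all, is reported.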





