Problem:
Suppose a company (the domain) has two departments (subdomains) that may be spun off and want to manage their own DNS. Subdomain delegation handles this: a smaller zone is carved out of the existing domain and assigned its own DNS server, and any client request for a name in that zone is answered by the new child DNS server. This takes load off the primary DNS server and makes administration easier.
Prerequisites: a subdomain can only be delegated with the authorization of its parent domain; the parent and child do not have to be on the same network segment, but they must be able to communicate with each other.
Procedure:
1. Define the child's NS records and A (glue) records in the parent zone
1.1 Forward zone file of the parent domain:
[root@localhost named]# cat mageedu.com.zone
$TTL 600
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108
1H
5M
2D
6H )
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 192.168.85.128
ns2 IN A 192.168.85.133
mail IN A 192.168.85.129
www IN A 192.168.85.133
pop IN A 192.168.85.130
ftp IN CNAME www
lw IN A 192.168.85.134
a1 IN NS ns1.a1
ns1.a1 IN A 192.168.85.136
b2 IN NS ns1.b2
ns1.b2 IN A 192.168.85.140
; the four lines above define two subdomains, a1.mageedu.com and b2.mageedu.com
1.2 Reload the named service
[root@localhost named]# service named reload
Reloading named: [ OK ]
1.3 Check the log to see whether the update went out
[root@localhost named]# tail /var/log/messages
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR started
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR ended
Aug 3 01:51:29 localhost named[2482]: received SIGHUP signal to reload zones
Aug 3 01:51:29 localhost named[2482]: loading configuration from '/etc/named.conf'
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv4 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv6 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: sizing zone task pool based on 5 zones
Aug 3 01:51:29 localhost named[2482]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 3 01:51:29 localhost named[2482]: reloading configuration succeeded
Aug 3 01:51:29 localhost named[2482]: reloading zones succeeded
1.4 On the slave server (133), check whether the zone was updated (if it was not, make sure the firewall and SELinux are disabled, or reload the service)
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
a1 NS ns1.a1
$ORIGIN a1.mageedu.com.
ns1 A 192.168.85.136
$ORIGIN mageedu.com.
b2 NS ns1.b2
$ORIGIN b2.mageedu.com.
ns1 A 192.168.85.140
$ORIGIN mageedu.com.
ftp CNAME www
lw A 192.168.85.134
mail A 192.168.85.129
ns1 A 192.168.85.128
ns2 A 192.168.85.133
pop A 192.168.85.130
www A 192.168.85.133
1.5 On the master server (128), check whether the subdomain was created successfully
[root@localhost named]# dig -t NS a1.mageedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS a1.mageedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a1.mageedu.com. IN NS
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 01:58:48 2015
;; MSG SIZE rcvd: 32
Nothing relevant is shown here. Although the records were created successfully, the parent server cannot reach the child server and so cannot communicate with it; the next step is therefore to set up the subdomain and its server.
2. Set up the child domain server
2.1 Bring up a new host and do the basic configuration
IP: 192.168.85.136
Gateway: same as the parent domain server
Netmask: same as the parent domain server
DNS1: 192.168.85.136 (points to itself)
Search domain: a1.mageedu.com
2.2 Install bind and edit the configuration files
(This host was cloned from the master DNS server, so the packages are already installed and the configuration files are still present; it is enough to modify the existing ones.)
Main configuration file:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
Forward zone file (only forward resolution is tested, so the reverse zone is left unchanged)
[root@localhost named]# cat a1.mageedu.com.zone
$TTL 600
@ IN SOA ns1.a1.mageedu.com. admin.a1.mageedu.com. (
2015080301
1H
5M
2D
6H )
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.85.136
mail IN A 192.168.85.137
www IN A 192.168.85.138
Restart the named service
2.3 Test locally on 136
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33477
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 4 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:28:58 2015
;; MSG SIZE rcvd: 86
2.4 Test from the parent domain's DNS server
[root@localhost named]# dig -t A @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 360 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 7 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:34:44 2015
;; MSG SIZE rcvd: 86
So it appears the parent can only resolve subdomain names once the subdomain has been set up and the two servers can communicate; only then does subdomain resolution work.
3. Forwarding DNS
In general, without special configuration, the parent can resolve the child's records, but the child cannot resolve the parent's records.
Parent 128 resolving an A record in child 136:
[root@localhost named]# dig -t A @192.168.85.128
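To catch the kind of mismatch that step 1.5 ran into before it reaches production, here is an added example (not code from the original post) that compares the delegation in the parent zone file from step 1.1 with the child zone file from step 2.2: the NS set must match on both sides, every in-zone NS needs glue in the parent, and that glue must agree with the child's own A record for the name server. The zone text below is constructed to mirror those two files.

```python
# Added example, not code from the original post: check that the delegation the
# parent publishes for a1.mageedu.com (NS + glue A) agrees with the child zone.
# Zone text is constructed here to mirror the files in steps 1.1 and 2.2.
PARENT_ZONE = """\
@ IN SOA ns1.mageedu.com. admin.mageedu.com. ( 2015073108 1H 5M 2D 6H )
IN NS ns1
a1 IN NS ns1.a1
ns1.a1 IN A 192.168.85.136
"""
CHILD_ZONE = """\
@ IN SOA ns1.a1.mageedu.com. admin.a1.mageedu.com. ( 2015080301 1H 5M 2D 6H )
IN NS ns1
ns1 IN A 192.168.85.136
www IN A 192.168.85.138
"""
def fqdn(name, origin):
    """Qualify a relative name against the zone origin ('@' is the origin itself)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """(owner, type, rdata) triples for the simple record forms used in the post's master files."""
    records, owner, in_soa = [], origin, False
    for line in text.splitlines():
        tokens = (data := line.split(";")[0]).split()   # strip ';' comments first
        if in_soa:                                        # still inside a parenthesised SOA
            in_soa = ")" not in data
        elif tokens and not tokens[0].startswith("$"):    # skip $TTL / $ORIGIN directives
            if tokens[0] != "IN":                         # a blank owner repeats the previous one
                owner = fqdn(tokens.pop(0), origin)
            if tokens[1] == "SOA":
                in_soa = ")" not in data
            else:
                records.append((owner, tokens[1], tokens[2:]))
    return records

def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Return the problems found; an empty list means parent and child agree."""
    parent = parse_zone(parent_text, parent_origin)
    child = parse_zone(child_text, child_origin)
    parent_ns = {fqdn(r[0], parent_origin) for o, t, r in parent if t == "NS" and o == child_origin}
    child_ns = {fqdn(r[0], child_origin) for o, t, r in child if t == "NS" and o == child_origin}
    glue = {o: r[0] for o, t, r in parent if t == "A" and o in parent_ns}
    child_a = {o: r[0] for o, t, r in child if t == "A"}
    problems = [] if parent_ns else [f"parent publishes no NS records for {child_origin}"]
    for ns in sorted(parent_ns ^ child_ns):               # NS sets must match on both sides
        problems.append(f"{ns} is listed on only one side (in parent: {ns in parent_ns})")
    for ns in sorted(parent_ns):
        if ns.endswith("." + child_origin) and ns not in glue:
            problems.append(f"in-zone NS {ns} has no glue A record in the parent")
        elif ns in glue and child_a.get(ns, glue[ns]) != glue[ns]:
            problems.append(f"glue for {ns} is {glue[ns]} but the child says {child_a[ns]}")
    return problems
```

Run check_delegation(PARENT_ZONE, "mageedu.com.", CHILD_ZONE, "a1.mageedu.com.") against the two files; the parser only understands the `owner IN TYPE rdata` form with a blank owner meaning "same as the previous line", which is the form the post's master zone files use.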
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8886
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:45:01 2015
;; MSG SIZE rcvd: 86
Child 136 resolving an A record in parent 128:
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49493
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
mageedu.com. 600 IN SOA f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1425539659 3600 180 1209600 180
;; Query time: 32 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:46:20 2015
;; MSG SIZE rcvd: 107
Solution:
Configure forwarding on the child so that it hands every request it cannot answer to the parent to resolve, instead of resolving it itself.
3.1 Forwarding via global forwarders
3.1.1 Edit the child's main configuration file as follows (unchanged parts are omitted):
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
forward first;
forwarders { 192.168.85.128; };
};
forward takes two values, only and first. When the child cannot resolve a name itself: with forward only it forwards only to the listed servers, and if those servers do not respond or cannot resolve the name, resolution fails; with forward first it forwards to the listed servers first and, if that fails, falls back to resolving from the root servers itself.
Note that forward is placed in the global options here: requests for names inside the child's own zone are answered directly, while requests for any other domain, whatever network segment they belong to, are all forwarded.
3.1.2 Restart the service and test
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35719
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
# an answer is indeed returned here, but it is not authoritative
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:14:34 2015
;; MSG SIZE rcvd: 117
3.2 Forwarding via a forward zone
3.2.1 On the child server 136, test a name in another domain:
[root@localhost named]# dig +trace -t A />
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 512769 IN NS l.root-servers.net.
. 512769 IN NS e.root-servers.net.
. 512769 IN NS i.root-servers.net.
. 512769 IN NS f.root-servers.net.
. 512769 IN NS k.root-servers.net.
. 512769 IN NS a.root-servers.net.
. 512769 IN NS j.root-servers.net.
. 512769 IN NS b.root-servers.net.
. 512769 IN NS h.root-servers.net.
. 512769 IN NS c.root-servers.net.
. 512769 IN NS d.root-servers.net.
. 512769 IN NS m.root-servers.net.
. 512769 IN NS g.root-servers.net.
;; Received 508 bytes from 192.168.85.128#53(192.168.85.128) in 5163 ms # this step was completed by the parent
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 491 bytes from 192.112.36.4#53(192.112.36.4) in 17567 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.31.80.30#53(192.31.80.30) in 388 ms
. 1200 IN CNAME />
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
;; Received 228 bytes from 202.108.22.220#53(202.108.22.220) in 23 ms
Here the child traces the resolution of an A record in a domain it is not responsible for; it cannot resolve it itself, so it hands the request to the parent (the parent's processing is not shown). The parent is not authoritative for the baidu domain either, so forwarding to it gains little. In fact, for the child, we can forward only requests for the parent domain to the parent and handle everything else ourselves (the child has Internet connectivity).
3.2.2 Edit the child's main configuration file as follows:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
zone "mageedu.com" IN { # the domain whose requests are forwarded
type forward;
forward first;
forwarders { 192.168.85.128; };
};
This way, only requests for this one domain are forwarded; requests for other domains are not.
3.2.3 Restart the service and test
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:35:25 2015
;; MSG SIZE rcvd: 117
3.2.4 Test with another domain
[root@localhost named]# dig +trace -t A />
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 518283 IN NS e.root-servers.net.
. 518283 IN NS k.root-servers.net.
. 518283 IN NS l.root-servers.net.
. 518283 IN NS m.root-servers.net.
. 518283 IN NS j.root-servers.net.
. 518283 IN NS a.root-servers.net.
. 518283 IN NS h.root-servers.net.
. 518283 IN NS f.root-servers.net.
. 518283 IN NS i.root-servers.net.
. 518283 IN NS g.root-servers.net.
. 518283 IN NS d.root-servers.net.
. 518283 IN NS b.root-servers.net.
. 518283 IN NS c.root-servers.net.
;; Received 496 bytes from 192.168.85.136#53(192.168.85.136) in 63 ms # no longer completed by the parent, but by the child server itself
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 503 bytes from 192.5.5.241#53(192.5.5.241) in 4117 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.12.94.30#53(192.12.94.30) in 979 ms
. 1200 IN CNAME />
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(220.181.38.10) in 29 ms
4. Supplement
Continuing from the configuration above: resolving the same name from the parent server shows that the parent is not responsible for that domain, so it passes the request to the root, the root refers it to the .com servers, .com refers it to the baidu servers, and only then is the record found.
We can configure the parent to forward all requests for .com directly to the .com servers.
The following is tested on the parent domain server:
4.1 First obtain the NS records for .com, then find the corresponding A records
[root@localhost named]# dig -t NS com @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS com @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19117
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 164836 IN NS l.gtld-servers.net.
com. 164836 IN NS m.gtld-servers.net.
com. 164836 IN NS e.gtld-servers.net.
com. 164836 IN NS b.gtld-servers.net.
com. 164836 IN NS h.gtld-servers.net.
com. 164836 IN NS d.gtld-servers.net.
com. 164836 IN NS f.gtld-servers.net.
com. 164836 IN NS k.gtld-servers.net.
com. 164836 IN NS c.gtld-servers.net.
com. 164836 IN NS j.gtld-servers.net.
com. 164836 IN NS g.gtld-servers.net.
com. 164836 IN NS i.gtld-servers.net.
com. 164836 IN NS a.gtld-servers.net.
;; ADDITIONAL SECTION:
i.gtld-servers.net. 170482 IN A 192.43.172.30
l.gtld-servers.net. 170476 IN A 192.41.162.30
j.gtld-servers.net. 170479 IN A 192.48.79.30
k.gtld-servers.net. 170475 IN A 192.52.178.30
a.gtld-servers.net. 170478 IN A 192.5.6.30
a.gtld-servers.net. 170478 IN AAAA 2001:503:a83e::2:30
h.gtld-servers.net. 170479 IN A 192.54.112.30
b.gtld-servers.net. 170477 IN A 192.33.14.30
b.gtld-servers.net. 170477 IN AAAA 2001:503:231d::2:30
g.gtld-servers.net. 170482 IN A 192.42.93.30
e.gtld-servers.net. 170481 IN A 192.12.94.30
f.gtld-servers.net. 170479 IN A 192.35.51.30
d.gtld-servers.net. 170491 IN A 192.31.80.30
m.gtld-servers.net. 170484 IN A 192.55.83.30
c.gtld-servers.net. 170489 IN A 192.26.92.30
;; Query time: 262 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 03:57:10 2015
;; MSG SIZE rcvd: 509
4.2 Put the corresponding A records into forwarders, and that is all.
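The forwarding set-ups in section 3 (global forward first, a forward zone for mageedu.com, and the only/first distinction) and the .com forwarding of section 4 all come down to one rule: BIND finds the closest enclosing configured zone for the query name and then either answers from its own zone file, forwards, or iterates from the root hints. The following is an added example, not code from the original post, that models that rule; the config dictionaries and the forwarder_up flag are constructions of this example, while the zone names and addresses are the ones used in the post.

```python
# Added example, not code from the original post: a small model of how a BIND
# server picks what to do with a query under the configurations in sections 3
# and 4. Config dicts and the forwarder_up flag are constructions of this example;
# zone names and addresses are the ones used in the post.
PARENT = ("192.168.85.128",)
CHILD_AUTH = {"a1.mageedu.com."}
GLOBAL_FORWARD_FIRST = {"auth": CHILD_AUTH, "forward": {".": ("first", PARENT)}}            # 3.1
ZONE_FORWARD_FIRST = {"auth": CHILD_AUTH, "forward": {"mageedu.com.": ("first", PARENT)}}   # 3.2
ZONE_FORWARD_ONLY = {"auth": CHILD_AUTH, "forward": {"mageedu.com.": ("only", PARENT)}}     # variant
PARENT_COM_FORWARD = {"auth": {"mageedu.com."}, "forward": {"com.": ("first", ("192.5.6.30",))}}  # 4.2

def in_zone(name, zone):
    """True if the absolute `name` lies at or below the absolute `zone`."""
    return name == zone or name.endswith("." if zone == "." else "." + zone)

def closest_zone(name, zones):
    """The longest (closest enclosing) configured zone containing `name`, or None."""
    matches = [z for z in zones if in_zone(name, z)]
    return max(matches, key=len) if matches else None

def route(qname, config, forwarder_up=True):
    """Return (action, detail) describing how the server handles `qname`."""
    zone = closest_zone(qname, config["auth"] | set(config["forward"]))
    if zone in config["auth"]:
        return ("authoritative", zone)           # answered from the local zone file (aa flag, as in 2.3)
    if zone is None:
        return ("iterate", "root hints")         # no forwarder applies, so recurse from the root (3.2.4)
    mode, forwarders = config["forward"][zone]
    if forwarder_up:
        return ("forwarded", forwarders)         # non-authoritative answer relayed from the forwarder (3.1.2)
    if mode == "first":
        return ("iterate", "root hints")         # forward first: fall back to recursion when the forwarder fails
    return ("servfail", forwarders)              # forward only: nowhere else to go
```

With ZONE_FORWARD_FIRST a query for a baidu.com name is iterated by the child itself, exactly as the +trace in 3.2.4 shows, while with GLOBAL_FORWARD_FIRST the same query goes to the parent first as in 3.2.1.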