DNS: Domain Name Service

Listening port: UDP/TCP port 53

Implementations: BIND (Berkeley Internet Name Domain), PowerDNS, dnsmasq

FQDN: Fully Qualified Domain Name

Forward resolution: FQDN --> IP
Reverse resolution: IP --> FQDN

Queries:
Recursive query (recursion): used between a client and its local DNS server (the DNS server a client points at must be one that permits recursion for that local host).
Iterative query (iteration): used between the local DNS server and the root servers and other DNS servers.

Resource Record (RR):
Resource records have a type, which states what the record is for.

SOA (Start Of Authority)    start of authority          who the zone is delegated to
NS (Name Server)            name server                 designates the NS servers
MX (Mail eXchanger)         mail exchanger              designates the MX servers
A (Address)                 FQDN --> IP
PTR (PoinTeR)               IP --> FQDN
CNAME (Canonical Name)      alias record

DNS server types:
Master DNS server
Slave DNS server
Caching name server (has only three zones: root, localhost and 127.0.0.1; it is not responsible for resolving any particular domain and only caches the answers it resolves locally)

Forward and reverse resolution are different techniques and should not be kept in the same database file.

The DNS database file (zone data file; the zone itself has a name) is a text file that may contain only resource records or macro definitions.

Resource record format:

name        [ttl]        IN        RRtype        Value

ttl: cache time

SOA: exactly one (it must be the first record in the zone database file)
name    the zone name, e.g. kaiyuandiantang.com., usually abbreviated as @
value   the FQDN of the master DNS server

@    600    IN    SOA    ns1.kaiyuandiantang.com.  admin.kaiyuandiantang.com. (
        serial number        ; serial: a decimal number of at most 10 digits, usually date-based, e.g. 2017090601
        refresh time         ; refresh interval: how often the slave checks the master for changes
        retry time           ; retry interval: should be shorter than the refresh time
        expire time          ; expiry: how long to keep serving once the master is unreachable; after that the slave stops answering too
        negative answer ttl  ; TTL for negative answers
)

NS: one or more
name    the zone name, usually abbreviated as @
value   the FQDN of a DNS server (a relative name may be used)

@    600     IN    NS    ns1

MX: one or more
name    the zone name; marks the SMTP servers for the zone
value   a priority followed by the FQDN (priority: 0-99; the lower the number, the higher the preference)

@    600     IN     MX  10  mail

A: may only be defined in a forward zone database file
name    FQDN (a relative name may be used)
value   IP

www    600    IN     A     192.168.130.1

CNAME:
name    FQDN
value   FQDN

ftp     600    IN     CNAME      www

PTR: IP --> FQDN; may only be defined in a reverse zone data file. The reverse zone name is the reversed network address followed by the suffix .in-addr.arpa.
name    the reversed host address, e.g. for 192.168.130.1 the name is 1 and the full form is 1.130.168.192.in-addr.arpa.
value   FQDN

3    600  IN  PTR  www.kaiyuandiantang.com.

Every resource record whose value is an FQDN should be accompanied by an A record for that FQDN.

The main configuration file /etc/named.conf defines the zones (at least three: root, localhost and 127.0.0.1).
The zone data directory /var/named/ holds the zone database files (owner, group, mode: root, named, 640).

type {hint|master|slave|forward}
      hint = root zone, master = master zone, slave = slave zone, forward = forwarding zone

Reverse zone database file: the zone name is the reversed network address with the suffix .in-addr.arpa;
the first record must be the SOA;
it should contain NS records, but must not contain MX or A records;
the most common record is the PTR record, whose name is the reversed host address.
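As an added example (not part of the original notes), a small Python linter for zone files in the layout this page uses: it parses $TTL, @, omitted owner names, relative names and the parenthesised multi-line SOA, then checks the rules above (SOA first and unique, serial of at most 10 digits, retry shorter than refresh, NS present, no A or MX in a reverse zone, and an A record for every in-zone name used as a value). The sample zone text is constructed from the page's records; reverse_zone_name implements the in-addr.arpa naming rule.

```python
import re

# Zone text constructed for this example in the layout the page's files use.
FORWARD_ZONE = """\
$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.  admin.kaiyuandiantang.com. (
        2017090601
        1H
        5M
        3D
        12H
)
        IN      NS      ns1
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
"""
TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_ttl(token):
    """'600' -> 600, '5M' -> 300, '3D' -> 259200."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    return int(m.group(1)) * TTL_UNITS.get(m.group(2), 1)

def reverse_zone_name(network):
    """Reverse zone for a network: '192.168.130' -> '130.168.192.in-addr.arpa.'."""
    return ".".join(reversed(network.split("."))) + ".in-addr.arpa."

def absolute(name, origin):
    """Expand '@' and relative names against the zone origin (which ends in '.')."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Return (owner, ttl, type, value) tuples with absolute owner names."""
    origin = origin.lower()
    lines, buf = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop ';' comments
        if not line.strip():
            continue
        if buf is not None:                             # inside a "( ... )" SOA
            buf += " " + line.strip()
            if ")" in line:
                lines.append(buf)
                buf = None
        elif "(" in line and ")" not in line:
            buf = line
        else:
            lines.append(line)
    records, default_ttl, owner = [], None, origin
    for line in lines:
        fields = line.replace("(", " ").replace(")", " ").split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if not line[0].isspace() and fields[0].upper() != "IN":
            owner = absolute(fields.pop(0), origin)     # explicit owner column
        ttl = default_ttl                               # blank owner: inherit previous
        if re.fullmatch(r"\d+[smhdwSMHDW]?", fields[0]):
            ttl = parse_ttl(fields.pop(0))              # optional per-record TTL
        if fields[0].upper() == "IN":
            fields.pop(0)
        records.append((owner, ttl, fields[0].upper(), " ".join(fields[1:])))
    return records

def lint(records, origin, reverse=False):
    """Apply the zone-file rules listed on this page; an empty list means OK."""
    problems, targets = [], []                          # targets: values that are FQDNs
    types = [r[2] for r in records]
    if not records or types[0] != "SOA":
        problems.append("first record must be the SOA")
    if types.count("SOA") != 1:
        problems.append("zone must have exactly one SOA")
    if "NS" not in types:
        problems.append("zone has no NS record")
    for owner, _ttl, rtype, value in records:
        v = value.split()
        if rtype == "SOA":          # mname rname serial refresh retry expire negative-ttl
            serial, refresh, retry = v[2], parse_ttl(v[3]), parse_ttl(v[4])
            if not (serial.isdigit() and len(serial) <= 10):
                problems.append("SOA serial must be a decimal number of at most 10 digits")
            if retry >= refresh:
                problems.append("SOA retry time must be shorter than the refresh time")
            targets.append(v[0])
        elif rtype in ("NS", "CNAME"):
            targets.append(v[0])
        elif rtype == "MX":
            targets.append(v[1])                        # value is "priority fqdn"
        if reverse and rtype in ("A", "MX"):
            problems.append(f"{rtype} record for {owner} does not belong in a reverse zone")
    have_a = {r[0] for r in records if r[2] == "A"}
    for name in (absolute(t, origin) for t in targets):
        if name.endswith(origin) and name not in have_a:   # out-of-zone names are not ours to check
            problems.append(f"{name} is used as a value but has no A record")
    return problems
```

Run lint on a forward zone with reverse=False and on an in-addr.arpa zone with reverse=True; named-checkzone remains the authoritative syntax check, this only enforces the conventions listed above.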

dig command:

# dig [-t type] [-x addr] [name] [@server]
        +[no]trace
        +[no]recurse
        +[no]tcp

host command:

# host [-t type] {name} [server]

nslookup command:

nslookup>
        server DNS_SERVER_IP
        set q=TYPE
        {name}

=========================================================================================

Forward and reverse resolution example (ns1: 192.168.130.117)

=========================================================================================

1. Install bind

[root@localhost ~]# yum -y install bind

2. Configure the main configuration file

[root@localhost ~]# sed "/^\//d" /etc/named.conf

options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        /* Path to ISC DLV key */
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

3. Configure the forward zone

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
};

4. Configure the forward zone database file

[root@localhost named]# cat kaiyuandiantang.com.zone

$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                2017090601
                1H
                5M
                3D
                12H
)
        IN      NS      ns1
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
web     IN      CNAME   www

5. Fix permissions and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named kaiyuandiantang.com.zone

[root@localhost named]# chmod 640 kaiyuandiantang.com.zone

[root@localhost named]# named-checkconf

[root@localhost named]# named-checkzone "kaiyuandiantang.com" kaiyuandiantang.com.zone

zone kaiyuandiantang.com/IN: loaded serial 2017090601

OK

[root@localhost named]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages

Aug 31 16:51:23 localhost named[20996]: managed-keys-zone ./IN: loaded serial 0

Aug 31 16:51:23 localhost named[20996]: running

Aug 31 16:51:29 localhost named[20996]: received control channel command 'reload'

Aug 31 16:51:29 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: sizing zone task pool based on 7 zones

Aug 31 16:51:29 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 16:51:29 localhost named[20996]: reloading configuration succeeded

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded

6. Test

[root@localhost named]# dig -t NS kaiyuandiantang.com @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3470

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS

;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:46 2017

;; MSG SIZE  rcvd: 71

[root@localhost named]#

[root@localhost named]# dig -t MX kaiyuandiantang.com @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38626

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX

;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:53 2017

;; MSG SIZE  rcvd: 108

[root@localhost named]#

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46757

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A

;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:54:09 2017

;; MSG SIZE  rcvd: 91

[root@localhost named]#

7. Configure the reverse zone

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
};

zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
};

8. Configure the reverse zone database file

[root@localhost named]# cat 130.168.192.zone

$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                2017090601
                1H
                5M
                3D
                12H
)
        IN      NS      ns1.kaiyuandiantang.com.
117     IN      PTR     ns1.kaiyuandiantang.com.
10      IN      PTR     mail.kaiyuandiantang.com.
20      IN      PTR     www.kaiyuandiantang.com.

9. Fix permissions and start the service

[root@localhost named]# chown root:named 130.168.192.zone

[root@localhost named]# chmod 640 130.168.192.zone

[root@localhost named]# named-checkconf

[root@localhost named]# named-checkzone "130.168.192.in-addr.arpa" 130.168.192.zone

zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

OK

[root@localhost named]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded

Aug 31 17:08:42 localhost named[20996]: received control channel command 'reload'

Aug 31 17:08:42 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: sizing zone task pool based on 8 zones

Aug 31 17:08:42 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 17:08:42 localhost named[20996]: reloading configuration succeeded

Aug 31 17:08:42 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Aug 31 17:08:42 localhost named[20996]: reloading zones succeeded

10. Test

[root@localhost named]# dig -x 192.168.130.117 @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6475

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:09:56 2017

;; MSG SIZE  rcvd: 113

[root@localhost named]#

[root@localhost named]# dig -x 192.168.130.10 @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63381

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:01 2017

;; MSG SIZE  rcvd: 117

[root@localhost named]#

[root@localhost named]# dig -x 192.168.130.20 @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:08 2017

;; MSG SIZE  rcvd: 116

[root@localhost named]#

Zone transfer:
The process by which a slave DNS server requests zone data from the master DNS server or from another slave DNS server.
Full zone transfer: transfers all of the zone's data, AXFR
Incremental zone transfer: transfers only the part of the zone that changed, IXFR

Simulating a full zone transfer with dig:
# dig -t axfr ZONE_NAME @server
dig -t axfr kaiyuandiantang.com @192.168.130.117

Master/slave:
Master: its bind version may be lower than the slave's;
The two key steps for adding a slave server to a zone:
obtain delegation from the parent zone;
in the zone data file on the master, add an NS record for the slave together with the matching A or PTR record;

zone "kaiyuandiantang.com" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/kaiyuandiantang.com.zone";
};

Zone transfer access control:
allow-transfer { IP; };
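Added example (not from the original notes): allow-transfer applied to the ns1/ns2 pair used in the examples on this page, as a default deny in options that each master zone then opens for the slave only. On the BIND version shown here the default is to transfer to any host, which is what the dig -t axfr test later on this page demonstrates. The allow-recursion network is an assumption; set it to the clients this server should actually recurse for.

```conf
// ns1 (master, 192.168.130.117) and ns2 (slave, 192.168.130.118): /etc/named.conf
options {
        // ... directory, dump-file, statistics-file etc. as on this page ...
        allow-query     { any; };
        recursion yes;
        // The page's file recurses for any client; restrict that to local clients
        // (assumed network, adjust to the site) so the server is not an open resolver.
        allow-recursion { 127.0.0.1; 192.168.130.0/24; };
        // Nobody may pull a zone unless a zone statement says otherwise.
        allow-transfer  { none; };
};

// ns1 only: /etc/named.rfc1912.zones, the slave (and nobody else) may transfer
zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
        allow-transfer { 192.168.130.118; };
};

zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
        allow-transfer { 192.168.130.118; };
};

// ns2 only: /etc/named.rfc1912.zones, the slave serves the zone but hands it to nobody
// (it inherits allow-transfer { none; } from options)
zone "kaiyuandiantang.com" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/kaiyuandiantang.com.zone";
};

zone "130.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/130.168.192.zone";
};
```

After named-checkconf and a reload, dig -t axfr from any host other than 192.168.130.118 answers "; Transfer failed." against both servers, while ns2's own transfers from ns1 keep working.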

=========================================================================================

Master/slave replication example (ns1: 192.168.130.117, ns2: 192.168.130.118)

=========================================================================================

1. Modify the forward zone database file on ns1, adding the NS record and A record for ns2

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                2017090601
                1H
                5M
                3D
                12H
)
        IN      NS      ns1
        IN      NS      ns2
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
ns2     IN      A       192.168.130.118
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
web     IN      CNAME   www

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  1 08:48:47 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 08:48:47 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 08:48:47 localhost named[20996]: reloading configuration succeeded

Sep  1 08:48:47 localhost named[20996]: reloading zones succeeded

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)
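The reload log above warns "zone serial (2017090601) unchanged. zone may fail to transfer to slaves". No slave exists yet at this step, so nothing is lost, but once ns2 holds a copy it re-transfers only when the master's serial is higher than the one it has, so every later edit on ns1 has to raise the serial. As an added example (not from the original notes), a Python helper that finds these warnings in BIND's syslog lines (constructed after the ones shown) and computes the next serial in the page's YYYYMMDDnn convention.

```python
import re

# Syslog lines constructed after the BIND reload output shown on this page.
LOG_LINES = [
    "Sep  1 08:48:47 localhost named[20996]: reloading zones succeeded",
    "Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: "
    "zone serial (2017090601) unchanged. zone may fail to transfer to slaves.",
    "Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601",
    "Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: "
    "zone serial (2017090601) unchanged. zone may fail to transfer to slaves.",
    "Sep  1 09:35:39 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)",
]

UNCHANGED = re.compile(r"zone (?P<zone>\S+)/IN: zone serial \((?P<serial>\d+)\) unchanged")

def zones_needing_serial_bump(lines):
    """Return {zone: serial} for every zone BIND reloaded with an unchanged serial.
    A slave transfers the zone again only when the master's serial is larger than
    its own copy, so edits to these zones will not reach the slave as they stand."""
    found = {}
    for line in lines:
        m = UNCHANGED.search(line)
        if m:
            found[m.group("zone")] = int(m.group("serial"))
    return found

def next_serial(current, today_yyyymmdd):
    """Next serial in the YYYYMMDDnn convention used on this page: on the same day the
    two-digit counter grows, on a later day it restarts at 01. The result is always
    larger than the current value and must fit the 32-bit SOA serial field."""
    new = max(today_yyyymmdd * 100 + 1, current + 1)
    if new > 0xFFFFFFFF:
        raise ValueError("SOA serial does not fit in 32 bits")
    return new

def bump_plan(lines, today_yyyymmdd):
    """Map each zone with an unchanged-serial warning to its (old, new) serial."""
    return {zone: (serial, next_serial(serial, today_yyyymmdd))
            for zone, serial in zones_needing_serial_bump(lines).items()}
```

Run bump_plan over the output of tail /var/log/messages after a reload, write the new serial into the SOA of each listed zone file, and reload again; the "sending notifies" line then carries the new serial to the slaves.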

2. Install bind on ns2

yum -y install bind

3. Configure the main configuration file on ns2

[root@localhost ~]# sed "/^\//d" /etc/named.conf

options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        /* Path to ISC DLV key */
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

4. Configure the forward zone on ns2

[root@localhost ~]# tail -5 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/kaiyuandiantang.com.zone";
};

5. Start the service on ns2

[root@localhost ~]# named-checkconf

[root@localhost ~]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail -20 /var/log/messages

Sep  2 14:20:56 localhost named[22632]: zone 0.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost.localdomain/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: managed-keys-zone ./IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: running

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: Transfer started.

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: connected using 192.168.130.118#43804

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: transferred serial 2017090601

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 11 records, 276 bytes, 0.001 secs (276000 bytes/sec)

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

Sep  2 14:21:00 localhost named[22632]: received control channel command 'reload'

Sep  2 14:21:00 localhost named[22632]: loading configuration from '/etc/named.conf'

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: sizing zone task pool based on 7 zones

Sep  2 14:21:00 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:21:00 localhost named[22632]: reloading configuration succeeded

Sep  2 14:21:00 localhost named[22632]: reloading zones succeeded

6. Verify and test

[root@localhost ~]# cat /var/named/slaves/kaiyuandiantang.com.zone

$ORIGIN .
$TTL 600        ; 10 minutes
kaiyuandiantang.com     IN SOA  ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
                                2017090601 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                259200     ; expire (3 days)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns1.kaiyuandiantang.com.
                        NS      ns2.kaiyuandiantang.com.
                        MX      10 mail.kaiyuandiantang.com.
$ORIGIN kaiyuandiantang.com.
mail                    A       192.168.130.10
ns1                     A       192.168.130.117
ns2                     A       192.168.130.118
pop                     CNAME   mail
web                     CNAME   www
www                     A       192.168.130.20

[root@localhost ~]# dig -t NS kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS

;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:08 2017

;; MSG SIZE  rcvd: 105

[root@localhost ~]#

[root@localhost ~]# dig -t MX kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27789

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX

;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:29 2017

;; MSG SIZE  rcvd: 142

[root@localhost ~]#

[root@localhost ~]# dig -t A mail.kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7090

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;mail.kaiyuandiantang.com.      IN      A

;; ANSWER SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:56 2017

;; MSG SIZE  rcvd: 126

[root@localhost ~]#

[root@localhost ~]# dig -t A www.kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2339

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A

;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:25:05 2017

;; MSG SIZE  rcvd: 125

7. Modify the reverse zone database file on ns1, adding the NS record and PTR record for ns2

[root@localhost ~]# cat /var/named/130.168.192.zone

$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                2017090601
                1H
                5M
                3D
                12H
)
        IN      NS      ns1.kaiyuandiantang.com.
        IN      NS      ns2.kaiyuandiantang.com.
117     IN      PTR     ns1.kaiyuandiantang.com.
118     IN      PTR     ns2.kaiyuandiantang.com.
10      IN      PTR     mail.kaiyuandiantang.com.
20      IN      PTR     www.kaiyuandiantang.com.

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  1 09:35:38 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 09:35:38 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 09:35:38 localhost named[20996]: reloading configuration succeeded

Sep  1 09:35:38 localhost named[20996]: reloading zones succeeded

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Sep  1 09:35:39 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)

8. Configure the reverse zone on ns2

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/kaiyuandiantang.com.zone";
};

zone "130.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.130.117; };
        file "slaves/130.168.192.zone";
};

9. Start the service on ns2

[root@localhost ~]# named-checkconf

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  2 14:43:39 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:43:39 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 14:43:39 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:43:39 localhost named[22632]: reloading configuration succeeded

Sep  2 14:43:39 localhost named[22632]: reloading zones succeeded

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: Transfer started.

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: connected using 192.168.130.118#51094

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: transferred serial 2017090601

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 8 records, 254 bytes, 0.001 secs (254000 bytes/sec)

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)

10. Verify and test

[root@localhost ~]# cat /var/named/slaves/130.168.192.zone

$ORIGIN .
$TTL 600        ; 10 minutes
130.168.192.in-addr.arpa IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
                                2017090601 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                259200     ; expire (3 days)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns1.kaiyuandiantang.com.
                        NS      ns2.kaiyuandiantang.com.
$ORIGIN 130.168.192.in-addr.arpa.
10                      PTR     mail.kaiyuandiantang.com.
117                     PTR     ns1.kaiyuandiantang.com.
118                     PTR     ns2.kaiyuandiantang.com.
20                      PTR     www.kaiyuandiantang.com.

[root@localhost ~]# dig -x 192.168.130.117 @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25446

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:07:54 2017

;; MSG SIZE  rcvd: 147

[root@localhost ~]#

[root@localhost ~]# dig -x 192.168.130.118 @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.118 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37094

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;118.130.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:01 2017

;; MSG SIZE  rcvd: 147

[root@localhost ~]#

[root@localhost ~]# dig -x 192.168.130.10 @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11469

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:10 2017

;; MSG SIZE  rcvd: 151

[root@localhost ~]#

[root@localhost ~]# dig -x 192.168.130.20 @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64194

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:14 2017

;; MSG SIZE  rcvd: 150

11. At this point zone transfer has a security problem: any machine that knows the zone name and the IP address of the DNS server can obtain the full contents of the zone database file. This can be controlled by adding allow-transfer.

Before adding allow-transfer (tested from 192.168.130.119):

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 6 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:49:50 2017

;; XFR size: 11 records (messages 1, bytes 276)

[root@localhost ~]#

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 4 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:49:56 2017

;; XFR size: 11 records (messages 1, bytes 276)

[root@localhost ~]#

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:50:26 2017

;; XFR size: 8 records (messages 1, bytes 254)

[root@localhost ~]#

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 9 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:50:38 2017

;; XFR size: 8 records (messages 1, bytes 254)

[root@localhost ~]#

Adding allow-transfer on ns1

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

type master;

file "kaiyuandiantang.com.zone";

allow-transfer { 127.0.0.1; 192.168.130.117; };

};

zone "130.168.192.in-addr.arpa" IN {

type master;

file "130.168.192.zone";

allow-transfer { 127.0.0.1; 192.168.130.117; };

};

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  1 10:45:45 localhost named[20996]: /etc/named.rfc1912.zones:52: missing ';' before '}'

Sep  1 10:45:45 localhost named[20996]: reloading configuration failed: failure

Sep  1 10:46:48 localhost named[20996]: received control channel command 'reload'

Sep  1 10:46:48 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 10:46:48 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 10:46:48 localhost named[20996]: reloading configuration succeeded

Sep  1 10:46:48 localhost named[20996]: reloading zones succeeded

Adding allow-transfer on ns2

[root@localhost ~]# tail -13 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

type slave;

masters { 192.168.130.117; };

file "slaves/kaiyuandiantang.com.zone";

allow-transfer { none; };

};

zone "130.168.192.in-addr.arpa" IN {

type slave;

masters { 192.168.130.117; };

file "slaves/130.168.192.zone";

allow-transfer { none; };

};

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR started

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR ended

Sep  2 15:48:52 localhost named[22632]: received control channel command 'reload'

Sep  2 15:48:52 localhost named[22632]: loading configuration from '/etc/named.conf'

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 15:48:52 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 15:48:52 localhost named[22632]: reloading configuration succeeded

Sep  2 15:48:52 localhost named[22632]: reloading zones succeeded

After adding allow-transfer (tested from 192.168.130.119)

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]#
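The two allow-transfer lists above and the four refused transfers that follow are a natural place for an automated check. Note that the master's stanzas list 192.168.130.117 (ns1 itself) rather than the secondary 192.168.130.118, so the secondary would be refused in the same way when it next pulls the zone. The following Python is an added example, not the page's or BIND's own code: it parses zone stanzas from named.conf text and reports master zones whose allow-transfer is absent or `any`, is missing a secondary, or lists an unexpected host, and slave zones that do not set allow-transfer { none; }. The two configuration fragments are constructed to mirror ns1 and ns2 above, with the master's second zone deliberately repeating that mistake.

```python
import re
from ipaddress import ip_address

# Constructed sample, not copied from the page: ns1's two master zones, the
# second of which lists the master's own address instead of the secondary's,
# and ns2's two slave zones, the second of which omits allow-transfer.
NS1_CONF = """
zone "kaiyuandiantang.com" IN {
    type master;
    file "kaiyuandiantang.com.zone";
    allow-transfer { 127.0.0.1; 192.168.130.118; };
};
zone "130.168.192.in-addr.arpa" IN {
    type master;
    file "130.168.192.zone";
    allow-transfer { 127.0.0.1; 192.168.130.117; };
};
"""

NS2_CONF = """
zone "kaiyuandiantang.com" IN {
    type slave;
    masters { 192.168.130.117; };
    file "slaves/kaiyuandiantang.com.zone";
    allow-transfer { none; };
};
zone "130.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.130.117; };
    file "slaves/130.168.192.zone";
};
"""

# A zone stanza ends with "};" at the start of a line; inner lists such as
# allow-transfer { ...; }; end with "};" mid-line, so they do not terminate it.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)^\};', re.S | re.M)


def _addr_list(body, key):
    """Address-match list for `key` in a zone body, or None when absent."""
    m = re.search(key + r'\s*\{([^}]*)\}\s*;', body)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(';') if t.strip()]


def _is_loopback(host):
    if host == 'localhost':
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:          # an acl name or other keyword
        return False


def parse_zones(conf):
    """Map zone name -> {'type', 'allow_transfer', 'masters'} from named.conf text."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        t = re.search(r'type\s+(\w+)\s*;', body)
        zones[name] = {
            'type': t.group(1) if t else None,
            'allow_transfer': _addr_list(body, 'allow-transfer'),
            'masters': _addr_list(body, 'masters'),
        }
    return zones


def audit_transfers(conf, secondaries):
    """Return sorted findings about AXFR exposure in `conf`.

    `secondaries` is the set of hosts that legitimately pull zones from this
    master. A master zone should allow exactly loopback plus those hosts
    (with no allow-transfer at all, BIND 9.8 serves AXFR to any host, which
    is what the first dig -t axfr tests above relied on); a slave zone should
    not re-serve the zone, i.e. allow-transfer { none; }.
    """
    findings = []
    for name, z in parse_zones(conf).items():
        acl = z['allow_transfer']
        if z['type'] == 'master':
            if acl is None or 'any' in acl:
                findings.append(f"{name}: master allows AXFR from any host")
                continue
            allowed = {a for a in acl if a != 'none'}
            for sec in sorted(secondaries):
                if sec not in allowed:
                    findings.append(f"{name}: secondary {sec} is not in allow-transfer")
            for host in sorted(allowed):
                if host not in secondaries and not _is_loopback(host):
                    findings.append(f"{name}: unexpected host {host} may pull the zone")
        elif z['type'] == 'slave':
            if not z['masters']:
                findings.append(f"{name}: slave has no masters")
            if acl != ['none']:
                findings.append(f"{name}: slave should set allow-transfer {{ none; }}")
    return sorted(findings)


if __name__ == "__main__":
    for host, conf in (("ns1", NS1_CONF), ("ns2", NS2_CONF)):
        for line in audit_transfers(conf, {"192.168.130.118"}):
            print(host, line)
```

Run against a real /etc/named.rfc1912.zones, the same function takes the file's text and the set of secondary addresses; a clean run returns an empty list.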

Implementing sub-domain delegation in BIND: glue records

Add the following entries to the parent zone's data file:

the name of the delegated sub-zone

the sub-zone's name server (an NS record)

the IP address of that name server (an A record; this is the glue record)
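The glue requirement stated above can be checked mechanically. The following is an added example, not code from the original post: a minimal zone-file parser and a check that, for every delegation in a parent zone, flags in-bailiwick name servers with no A/AAAA record in the parent. The parent zone it runs on is constructed here to mirror the delegation configured in the example that follows; the dev and ops delegations are hypothetical additions, one lacking glue and one pointing outside the zone.

```python
# Constructed parent zone file, modelled on the delegation shown later in
# this section but not copied from it: linux.kaiyuandiantang.com is delegated
# to ns1.linux together with its A record (the glue). The dev and ops
# delegations are hypothetical additions: dev's name server lacks glue,
# ops's name server lies outside the zone and needs none.
PARENT_ZONE = """\
$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
        2017090601 1H 5M 3D 12H )
        IN      NS      ns1
        IN      NS      ns2
ns1     IN      A       192.168.130.117
ns2     IN      A       192.168.130.118
www     IN      A       192.168.130.20
linux   IN      NS      ns1.linux
ns1.linux IN    A       192.168.130.119
dev     IN      NS      ns1.dev
ops     IN      NS      ns.example.net.
"""


def fqdn(name, origin):
    """Expand a zone-file name relative to `origin` (`@` is the origin itself)."""
    if name == '@':
        return origin
    return name if name.endswith('.') else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file parser: returns [(owner_fqdn, type, rdata_tokens)].

    Handles $-directives (skipped), blank-owner inheritance, the optional TTL
    and class fields, comments, and the parenthesised SOA continuation.
    """
    records, owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()
        if depth:                           # inside an unclosed "( ... )"
            depth += line.count('(') - line.count(')')
            continue
        if not line.strip() or line.startswith('$'):
            continue
        tokens = line.split()
        if not raw[0].isspace():            # a leading blank keeps the last owner
            owner = fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == 'IN':
            tokens.pop(0)
        rtype = tokens[0].upper()
        rdata = [t for t in tokens[1:] if t not in ('(', ')')]
        records.append((owner, rtype, rdata))
        depth += line.count('(') - line.count(')')
    return records


def check_glue(text, origin):
    """Delegations whose in-bailiwick name servers have no A/AAAA glue.

    Returns {delegated_zone: [name server names missing glue]}. An NS target
    inside the delegated zone can only be reached through that zone, so the
    parent must carry its address; a target outside it is resolved normally.
    """
    records = parse_zone(text, origin)
    addrs = {owner for owner, rtype, _ in records if rtype in ('A', 'AAAA')}
    missing = {}
    for owner, rtype, rdata in records:
        if rtype != 'NS' or owner == origin:   # apex NS records are not delegations
            continue
        ns = fqdn(rdata[0], origin)
        if ns.endswith('.' + owner) and ns not in addrs:
            missing.setdefault(owner, []).append(ns)
    return missing


if __name__ == "__main__":
    print(check_glue(PARENT_ZONE, "kaiyuandiantang.com."))
```

named-checkzone loads such a file without complaint, because a missing glue record is not a syntax error; it only shows up when a resolver following the delegation cannot find the name server's address.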

=========================================================================================

Example of forward sub-domain delegation (parent domain: 192.168.130.117, sub-domain: 192.168.130.119)

=========================================================================================

1. Delegate the sub-domain in the parent zone

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

2017090601

1H

5M

3D

12H

)

IN      NS      ns1

IN      NS      ns2

IN      MX  10  mail

ns1     IN      A       192.168.130.117

ns2     IN      A       192.168.130.118

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www

linux           IN      NS      ns1.linux

ns1.linux       IN      A       192.168.130.119

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages

Sep  1 16:29:00 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 16:29:00 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 16:29:00 localhost named[20996]: reloading configuration succeeded

Sep  1 16:29:00 localhost named[20996]: reloading zones succeeded

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

[root@localhost ~]#

2. Configure the sub-domain server's main configuration file

[root@localhost ~]# sed "/^\//d" /etc/named.conf

options {

directory       "/var/named";

dump-file       "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query     { any; };

recursion yes;

/* Path to ISC DLV key */

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

3. Define the zone in the sub-domain server's zone configuration

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "linux.kaiyuandiantang.com" IN {

type master;

file "linux.kaiyuandiantang.com.zone";

};

4. Configure the sub-domain server's zone database file

[root@localhost ~]# cat /var/named/linux.kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.linux.kaiyuandiantang.com.        admin.linux.kaiyuandiantang.com. (

2017090701

1H

5M

3D

12H

)

IN      NS      ns1

IN      MX  10  mail

ns1     IN      A       192.168.130.119

mail    IN      A       192.168.130.30

www     IN      A       192.168.130.40

pop     IN      CNAME   mail

web     IN      CNAME   www

[root@localhost ~]#

5. Fix the file permissions on the sub-domain server and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named linux.kaiyuandiantang.com.zone

[root@localhost named]# chmod 640 linux.kaiyuandiantang.com.zone

[root@localhost named]# named-checkconf

[root@localhost named]# named-checkzone linux.kaiyuandiantang.com linux.kaiyuandiantang.com.zone

zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

OK

[root@localhost named]# service named start

Starting named:                                            [  OK  ]

[root@localhost named]# tail /var/log/messages

Aug 31 18:30:52 localhost named[20903]: command channel listening on 127.0.0.1#953

Aug 31 18:30:52 localhost named[20903]: command channel listening on ::1#953

Aug 31 18:30:52 localhost named[20903]: zone 0.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

Aug 31 18:30:52 localhost named[20903]: zone localhost.localdomain/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone localhost/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: managed-keys-zone ./IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: running

[root@localhost named]#

6. Test

[root@localhost named]# dig -t NS linux.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63108

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      NS

;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119

;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:28 2017

;; MSG SIZE  rcvd: 77

[root@localhost named]# dig -t MX linux.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42605

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      MX

;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      MX      10 mail.linux.kaiyuandiantang.com.

;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119

;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:40 2017

;; MSG SIZE  rcvd: 114

[root@localhost named]#

[root@localhost named]# dig -t A  www.linux.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56396

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;www.linux.kaiyuandiantang.com. IN      A

;; ANSWER SECTION:

www.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.40

;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119

;; Query time: 1 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:01 2017

;; MSG SIZE  rcvd: 97

[root@localhost named]# dig -t A  ns1.linux.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A ns1.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3947

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;ns1.linux.kaiyuandiantang.com. IN      A

;; ANSWER SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119

;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.

;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:08 2017

;; MSG SIZE  rcvd: 77

[root@localhost named]# dig -t A  mail.linux.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50725

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;mail.linux.kaiyuandiantang.com.        IN      A

;; ANSWER SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30

;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119

;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:14 2017

;; MSG SIZE  rcvd: 98

[root@localhost named]#

7. Problem

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59745

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A

;; AUTHORITY SECTION:

com.                    829     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1504779223 1800 900 604800 86400

;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:46:52 2017

;; MSG SIZE  rcvd: 114

At this point, because kaiyuandiantang.com is not a zone this sub-domain DNS server is responsible for, it queries the root; the root refers it to the com zone, and since no kaiyuandiantang.com sub-domain exists under com, the resolution fails. Zone forwarding is introduced to solve this.

Configuring zone forwarding: forward zones

When a name in a zone this server is not responsible for is resolved, the query is not sent to the root but to the designated host instead;

Ways to configure forwarding:

Forward all zones this server is not responsible for resolving:

options {

forward only|first;

forwarders { IP; };

};

Forward one specific zone:

zone "特定区域" IN {

type forward;

forwarders { IP; };

forward only|first;

};

Prerequisite for using forwarding: this host must be in the forwarder's list of hosts allowed to recurse (its allow-recursion list);
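The difference between forward only and forward first, and the allow-recursion prerequisite just stated, can be seen in a small decision model. The following Python is an added example, not the page's or BIND's code: it replays the lookup order a BIND server follows (authoritative zone, per-zone forward, global forward, iteration from the root) for the sub-domain server at 192.168.130.119 from this section. The forwarders' allow-recursion lists and the set of publicly resolvable names are assumptions constructed for the model.

```python
from ipaddress import ip_address, ip_network

# Constructed model of this section's setup, not the page's own code: the
# sub-domain server 192.168.130.119 is authoritative for
# linux.kaiyuandiantang.com and may forward kaiyuandiantang.com to ns1
# (192.168.130.117). Each forwarder's allow-recursion list is an assumption
# made here so that the "must be in the forwarder's recursion list" rule
# can be exercised; ns2 is given a list that excludes the sub-domain server.
FORWARDERS = {
    # forwarder IP -> (zones it can resolve, allow-recursion networks)
    "192.168.130.117": ({"kaiyuandiantang.com."}, ["192.168.130.0/24"]),
    "192.168.130.118": ({"kaiyuandiantang.com."}, ["127.0.0.0/8"]),
}

# Names reachable by iterating from the root. The private kaiyuandiantang.com
# is not delegated under com, so the root path ends in NXDOMAIN for it.
PUBLIC_NAMES = {"www.example.com."}


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def forwarder_answers(fwd_ip, client_ip, name):
    """True if the forwarder permits recursion for the client and can resolve the name."""
    zones, acl = FORWARDERS[fwd_ip]
    permitted = any(ip_address(client_ip) in ip_network(n) for n in acl)
    return permitted and any(in_zone(name, z) for z in zones)


def _iterate(name):
    return "answer-via-root" if name in PUBLIC_NAMES else "NXDOMAIN-via-root"


def _forward(mode, fwds, client_ip, name):
    for fwd in fwds:
        if forwarder_answers(fwd, client_ip, name):
            return f"answer-via-{fwd}"
    # No forwarder answered: 'only' gives up, 'first' falls back to iteration.
    return "SERVFAIL" if mode == "only" else _iterate(name)


def resolve(server, client_ip, name):
    """How `server` (whose address towards forwarders is `client_ip`) handles a query.

    server = {"local": {zones}, "forward": {zone: (mode, [forwarder IPs])},
              "global": (mode, [forwarder IPs]) or None}
    Lookup order mirrors BIND: authoritative zone, per-zone forward, global
    forward, then ordinary iteration from the root.
    """
    if any(in_zone(name, z) for z in server["local"]):
        return "authoritative"
    for zone, (mode, fwds) in server["forward"].items():
        if in_zone(name, zone):
            return _forward(mode, fwds, client_ip, name)
    if server["global"]:
        mode, fwds = server["global"]
        return _forward(mode, fwds, client_ip, name)
    return _iterate(name)


def subdomain_server(mode=None, forwarders=()):
    """The 192.168.130.119 server, optionally with a forward zone for the parent."""
    forward = {"kaiyuandiantang.com.": (mode, list(forwarders))} if mode else {}
    return {"local": {"linux.kaiyuandiantang.com."}, "forward": forward, "global": None}


if __name__ == "__main__":
    me = "192.168.130.119"
    print(resolve(subdomain_server(), me, "www.kaiyuandiantang.com."))
    print(resolve(subdomain_server("only", ["192.168.130.117"]), me, "www.kaiyuandiantang.com."))
```

With no forward zone the model reproduces the NXDOMAIN of step 7; with forward only towards a forwarder that refuses recursion to this host, the query fails outright, while forward first silently falls back to the root and again yields NXDOMAIN, which is why the prerequisite above matters in both modes.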

8. Enable zone forwarding on the sub-domain server

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

type master;

file "linux.kaiyuandiantang.com.zone";

};

zone "kaiyuandiantang.com" IN {

type forward;

forwarders { 192.168.130.117; };

forward only;

};

[root@localhost named]# service named restart

Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47012

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A

;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

;; ADDITIONAL SECTION:

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

;; Query time: 3 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:57:19 2017

;; MSG SIZE  rcvd: 125

[root@localhost named]#

Security control options:

allow-transfer {};

Usually needs to be enabled (restricting who may pull the zone);

allow-query {};

Usually used only when the server is a caching name server, to open query access to local clients only;

allow-recursion {  };

Defines the recursion whitelist;

allow-update { none; };

Defines the whitelist of hosts allowed to dynamically update the zone data file

ACL: BIND supports access control lists

acl ACL_NAME {

172.16.0.0/16;

192.168.0.0/24;

127.0.0.0/8;

};

An access control list can only be used after it has been defined; acls are therefore usually placed at the very top of named.conf;

BIND has four built-in acls:

any: any host

none: no host

localhost: the server itself

localnets: the networks the server's interfaces are attached to;
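An added example, not from the page, showing how BIND evaluates these lists: it parses acl definitions and the allow-* options from a constructed named.conf fragment and applies first-match-wins evaluation, including negated (!) entries and nested acl names. The localhost and localnets built-ins depend on the server's interfaces, so the addresses used for them here are assumptions for the 192.168.130.119 host of this section.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed named.conf fragment, not from the page: one acl defined before
# the options block that references it, as the text advises. The negated
# entry is listed before the /24 that contains it because BIND evaluates an
# address match list first-match-wins.
CONF = """
acl trusted {
    !192.168.0.13;      # excluded host; must precede the broader network
    172.16.0.0/16;
    192.168.0.0/24;
    127.0.0.0/8;
};
options {
    allow-query     { any; };
    allow-recursion { trusted; localnets; };
    allow-transfer  { none; };
    allow-update    { none; };
};
"""

# Built-in lists. localhost/localnets depend on the server's interfaces; the
# addresses assumed here are those of the 192.168.130.119 host in this section.
SELF_ADDRS = {ip_address("127.0.0.1"), ip_address("192.168.130.119")}
SELF_NETS = [ip_network("127.0.0.0/8"), ip_network("192.168.130.0/24")]
BUILTIN = {
    "any": lambda ip: True,
    "none": lambda ip: False,
    "localhost": lambda ip: ip in SELF_ADDRS,
    "localnets": lambda ip: any(ip in n for n in SELF_NETS),
}


def _elements(body):
    return [t.strip() for t in body.split(';') if t.strip()]


def parse_conf(text):
    """Return (acls, options): named acl bodies and the allow-* lists found in options."""
    text = re.sub(r'#.*|//.*', '', text)            # line comments
    acls = {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'acl\s+(\S+)\s*\{([^}]*)\};', text)}
    opts = {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'(allow-\w+)\s*\{([^}]*)\};', text)}
    return acls, opts


def _match(ip, elements, acls):
    """First-match evaluation: 1 = positive match, -1 = negated match, 0 = no match.

    A nested acl reports its own result; a negated match inside it denies the
    outer list, just as BIND treats a negated nested match.
    """
    for elem in elements:
        negate = elem.startswith('!')
        name = elem.lstrip('!').strip()
        if name in BUILTIN:
            r = 1 if BUILTIN[name](ip) else 0
        elif name in acls:
            r = _match(ip, acls[name], acls)
        else:
            r = 1 if ip in ip_network(name, strict=False) else 0
        if r:
            return -r if negate else r
    return 0


def allowed(client_ip, option, conf=CONF):
    """Would BIND grant `option` (e.g. allow-recursion) to `client_ip` under `conf`?"""
    acls, opts = parse_conf(conf)
    return _match(ip_address(client_ip), opts.get(option, ["none"]), acls) > 0


if __name__ == "__main__":
    for ip in ("192.168.0.13", "192.168.0.20", "192.168.130.50", "10.0.0.1"):
        print(ip, {o: allowed(ip, o) for o in ("allow-query", "allow-recursion", "allow-transfer")})
```

Because evaluation stops at the first matching element, an entry meant to carve a host out of a larger network has to come before that network; placed after it, the negation is never reached and the host is allowed.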

Reposted from: https://blog.51cto.com/kaiyuandiantang/1964390
