Installing and configuring BIND

BIND: Berkeley Internet Name Domain

The software is currently maintained by ISC; website: ISC.org

BIND is an implementation of the DNS protocol; its server process is called named

Packages:

  • bind: the DNS server program itself, plus a few commonly used test programs;
  • bind-libs: library files shared by the programs in the bind and bind-utils packages;
  • bind-utils: the BIND client tools, such as dig, host and nslookup;
  • bind-chroot: optional; for security, it runs named in a chroot jail (sandbox);

The main BIND configuration file

/etc/named.conf

Other files it includes:
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key

options {
        listen-on port 53 { 127.0.0.1; }; # address(es) to listen on; set to an IP that external hosts can reach
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";  # directory holding the zone data files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };  # restrict query sources to the local host
        recursion yes;  # whether recursive queries are enabled
        dnssec-enable yes;  # recommended off while learning
        dnssec-validation yes;  # recommended off while learning
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {  # root zone; holds the information for the DNS top-level domains
        type hint; 
        file "named.ca";
};
include "/etc/named.rfc1912.zones";  # pull the contents of the zone-management file into this file
include "/etc/named.root.key";

Format:

Section             Syntax
Global options      options { ... }
Logging             logging { ... }
Zone definition     zone { ... }

zone: the zones this server is authoritative for, or forwards elsewhere

Note: every configuration statement must end with a semicolon

Configuring a caching name server:

Listen on an address that external hosts can reach:

listen-on port 53;
listen-on port 53 { 172.16.100.67; };

While learning, it is recommended to disable DNSSEC:

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;    

Remove the local-only query restriction:
//allow-query { localhost; };    (commented out; // starts a single-line comment)

Check the configuration file for syntax errors:
named-checkconf [/etc/named.conf]

Zone data files: located under /var/named/
Usually named ZONE_NAME.zone

Note:
(1) A single DNS server can serve multiple zones at the same time;
(2) The root zone data file named.ca is required;
Forward: named.localhost
Reverse: named.loopback

BIND helper programs:

rndc: remote name daemon control, the tool for controlling the name server remotely
It works on port 953/tcp but listens on 127.0.0.1 by default, so it can only be used locally;

Once the bind package is installed, it can act as a caching name server by default; if there are no zones of its own to serve, the service can be started directly:

  • CentOS 6: service named start
  • CentOS 7: systemctl start named.service
[root@promote ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-05-13 17:44:41 CST; 15s ago
  Process: 7837 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7834 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 7839 (named)
   CGroup: /system.slice/named.service
           └─7839 /usr/sbin/named -u named -c /etc/named.conf

May 13 17:44:41 promote.cache-dns.local named[7839]: zone 0.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost.localdomain/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: all zones loaded
May 13 17:44:41 promote.cache-dns.local named[7839]: running
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.

Check the ports it listens on:

[root@promote ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7839/named          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6848/sshd           
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      7839/named          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7068/master         
tcp6       0      0 ::1:53                  :::*                    LISTEN      7839/named          
tcp6       0      0 :::22                   :::*                    LISTEN      6848/sshd           
tcp6       0      0 ::1:953                 :::*                    LISTEN      7839/named          
tcp6       0      0 ::1:25                  :::*                    LISTEN      7068/master         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7839/named          
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6652/dhclient       
udp6       0      0 ::1:53                  :::*                                7839/named          

Test tools:

The dig command:

Syntax: dig [-t RR_TYPE] name [@SERVER] [query options]
It is meant for testing the DNS system, so it does not consult the hosts file
If dig is not installed, install it with yum install bind-utils -y

Query options:

+[no]trace: trace the resolution path
+[no]recurse: perform recursive resolution

[root@promote ~]# dig -t A www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43204
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.         IN  A

;; ANSWER SECTION:
www.baidu.com.      8299    IN  CNAME   www.a.shifen.com.
www.a.shifen.com.   8299    IN  A   111.13.100.91
www.a.shifen.com.   8299    IN  A   111.13.100.92

;; Query time: 13 msec
;; SERVER: 221.131.143.69#53(221.131.143.69)
;; WHEN: Mon May 13 17:54:10 CST 2019
;; MSG SIZE  rcvd: 101

Note: reverse lookup test
dig -x IP

[root@promote ~]# dig -x 121.51.36.46

Simulate a full zone transfer (AXFR); this is also how to verify that allow-transfer really limits transfers to the slave servers:
dig -t axfr DOMAIN [@server]

The host command:

Syntax: host [-t RR_TYPE] name SERVER_IP

[root@promote ~]# host -t A www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 111.13.100.92
www.a.shifen.com has address 111.13.100.91
[root@promote ~]# host -t NS baidu.com
baidu.com name server ns4.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns3.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns2.baidu.com.
[root@promote ~]# host -t MX baidu.com
baidu.com mail is handled by 15 mx.n.shifen.com.
baidu.com mail is handled by 20 mx1.baidu.com.
baidu.com mail is handled by 20 jpmx.baidu.com.
baidu.com mail is handled by 20 mx50.baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.

The nslookup command:

Syntax: nslookup [-options] [name] [server]

Interactive mode:
nslookup>
server IP: use the given IP as the DNS server for subsequent queries
set q=RR_TYPE: the resource record type to query
name: the name to query

[root@promote ~]# nslookup
> server 192.168.0.105
Default server: 192.168.0.105
Address: 192.168.0.105#53
> set q=A
> www.sohu.com

The rndc command:

Control command for the named service

[root@promote ~]# rndc status
version: 9.9.4-RedHat-9.9.4-73.el7_6 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Flush the cache:
rndc flush

Configuring forward and reverse zones

Configuring a forward zone:

Using the magedu.com domain as the example:

(1) Define the zone
This is done in the main configuration file or in one of the files it includes

zone  "ZONE_NAME"  IN  {
    type  {master|slave|hint|forward};
    file  "ZONE_NAME.zone"; 
};  
vim /etc/named.rfc1912.zones 
zone  "magedu.com" IN {
        type master;
        file "magedu.com.zone";
};

Note: the zone name is the domain name

(2) Create the zone data file (the main records are A or AAAA records)

Create the zone data file under /var/named

File: /var/named/magedu.com.zone

[root@promote named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@       IN      SOA     ns1.magedu.com.   dnsadmin.magedu.com. (
                2017010801
                1H
                10M
                3D
                1D )
        IN      NS      ns1
        IN      MX   10 mx1
        IN      MX   20 mx2
ns1     IN      A       172.16.100.67
mx1     IN      A       172.16.100.68
mx2     IN      A       172.16.100.69
www     IN      A       172.16.100.67
web     IN      CNAME   www
bbs     IN      A       172.16.100.70
bbs     IN      A       172.16.100.71                       

Fix the group and permissions:
chgrp named /var/named/magedu.com.zone
chmod o= /var/named/magedu.com.zone

Check for syntax errors:
named-checkzone ZONE_NAME ZONE_FILE
named-checkconf

(3) Have the server reload the configuration and zone data files
rndc reload
systemctl reload named.service

Example:
First, edit the global options in the main configuration file /etc/named.conf: the listening IP address, which DNS queries are allowed, and so on:

[root@localhost named]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query     { any; };
recursion no;
dnssec-enable no;
dnssec-validation no;

Then edit /etc/named.rfc1912.zones to define the forward zone:

[root@localhost named]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-update { none; };
};

Next, create the zone data file magedu.com.zone under /var/named/:

[root@localhost named]# vim /var/named/magedu.com.zone
$TTL 3600
@       IN      SOA     ns.magedu.com.  10XXXXXX83.qq.com. (
        20180421
        1D
        1H
        1W
        3H
)
@       IN      NS      ns.magedu.com.
magedu.com.     IN      MX      10      mx1.magedu.com.
magedu.com.     IN      MX      20      mx2.magedu.com.
mx1     IN      A       192.168.0.1
mx2     IN      A       192.168.0.2
ns      IN      A       192.168.0.188
qq      IN      A       114.114.114.114
www     IN      A       199.247.21.135
web     IN      CNAME   www

Finally, check the relevant configuration files for errors:

[root@localhost named]# named-checkconf /etc/named.conf 
[root@localhost named]# named-checkzone magedu.com /var/named/magedu.com.zone 
zone magedu.com/IN: loaded serial 20180421
OK

If nothing is reported, restart named so it loads the new configuration:

[root@localhost named]# systemctl restart named

Verify the resolution results from another host:

[root@localhost ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A     
> www.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   www.magedu.com
Address: 199.247.21.135
> mx1.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   mx1.magedu.com
Address: 192.168.0.1
> web.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

web.magedu.com  canonical name = www.magedu.com.
Name:   www.magedu.com
Address: 199.247.21.135
> qq.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   qq.magedu.com
Address: 114.114.114.114
> www.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   www.magedu.com
Address: 199.247.21.135

Resolution succeeded.

Configuring a reverse zone

(1) Define the zone
This is done in the main configuration file or in one of the files it includes

zone  "ZONE_NAME"  IN  {
   type  {master|slave|hint|forward};
   file  "ZONE_NAME.zone"; 
};  
vim /etc/named.rfc1912.zones 
zone  "100.16.172.in-addr.arpa" IN {
         type master;
         file "172.16.100.zone";
};

Note: the name of a reverse zone is
the network address written in reverse, followed by .in-addr.arpa
100.16.172.in-addr.arpa

(2) Define the zone data file (the main records are PTR records)

Example: the zone name is 100.16.172.in-addr.arpa;

$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@       IN      SOA     ns1.magedu.com.  nsadmin.magedu.com. (
        2017010801
        1H
        10M
        3D
        12H )
        IN      NS      ns1.magedu.com.
67      IN      PTR     ns1.magedu.com.
68      IN      PTR     mx1.magedu.com.
69      IN      PTR     mx2.magedu.com.
70      IN      PTR     bbs.magedu.com.
71      IN      PTR     bbs.magedu.com.
67      IN      PTR     www.magedu.com.                 

Fix the group and permissions:
chgrp named /var/named/172.16.100.zone
chmod o= /var/named/172.16.100.zone

Check for syntax errors:
named-checkzone ZONE_NAME ZONE_FILE
named-checkconf

(3) Have the server reload the configuration and zone data files
rndc reload
systemctl reload named.service
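The naming rule above and the PTR file it produces, as an added example that is not part of the original post: a Python script that derives the in-addr.arpa zone name from a network and builds the PTR records of 100.16.172.in-addr.arpa from the A records in the magedu.com zone file above. It goes slightly beyond the page by also handling /8 and /16 prefixes; the function and variable names are my own.

```python
"""Derive in-addr.arpa zone names and PTR records from forward A records.

Automates the reverse-zone naming rule above (network octets reversed, then
.in-addr.arpa) and builds the PTR records for 100.16.172.in-addr.arpa from
the A records of the magedu.com zone file shown earlier. Besides /24 it also
handles /8 and /16 networks; classless prefixes are rejected rather than
silently mis-named, since they need RFC 2317-style delegation.
"""
import ipaddress


def reverse_zone_name(network):
    """'172.16.100.0/24' -> '100.16.172.in-addr.arpa' (also /8 and /16)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 prefixes (/8, /16, /24) are supported")
    fixed = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(fixed)) + ".in-addr.arpa"


def ptr_owner(address, network):
    """Owner name of the PTR record for address, relative to the zone origin.

    '172.16.100.67' in 172.16.100.0/24 -> '67'
    '172.16.100.67' in 172.16.0.0/16   -> '67.100'
    """
    net = ipaddress.ip_network(network, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError(f"{address} is not inside {network}")
    host_part = str(addr).split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_part))


def ptr_records(a_records, network, origin):
    """Turn (name, ip) A records into (owner, target) PTR pairs.

    Relative names are qualified with origin (e.g. 'magedu.com.'). Two names
    on one address yield two PTRs for the same owner, exactly as the reverse
    zone on this page lists 67 twice (ns1 and www).
    """
    pairs = []
    for name, ip in a_records:
        fqdn = name if name.endswith(".") else f"{name}.{origin}"
        pairs.append((ptr_owner(ip, network), fqdn))
    return pairs


def render_zone(network, a_records, origin, ns, admin, serial):
    """Render the reverse zone file in the same layout the page uses."""
    lines = [
        "$TTL 3600",
        f"$ORIGIN {reverse_zone_name(network)}.",
        f"@\tIN\tSOA\t{ns}\t{admin} (",
        f"\t{serial}", "\t1H", "\t10M", "\t3D", "\t12H )",
        f"\tIN\tNS\t{ns}",
    ]
    lines += [f"{owner}\tIN\tPTR\t{target}"
              for owner, target in ptr_records(a_records, network, origin)]
    return "\n".join(lines) + "\n"


# Constructed input: the A records from the magedu.com.zone example above.
MAGEDU_A_RECORDS = [
    ("ns1", "172.16.100.67"),
    ("mx1", "172.16.100.68"),
    ("mx2", "172.16.100.69"),
    ("www", "172.16.100.67"),
    ("bbs", "172.16.100.70"),
    ("bbs", "172.16.100.71"),
]

if __name__ == "__main__":
    print(render_zone("172.16.100.0/24", MAGEDU_A_RECORDS, "magedu.com.",
                      "ns1.magedu.com.", "nsadmin.magedu.com.", 2017010801))
```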

Example:
Building on example 1 above, first add the reverse zone to /etc/named.rfc1912.zones:

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        allow-update { none; };
};

Then create the reverse zone file 192.168.0.zone under /var/named:

[root@localhost named]# vim /var/named/192.168.0.zone
$TTL 3600
@       IN      SOA     ns.magedu.com.  10XXXXXXX3.qq.com. (
        20180421
        1D
        1H
        1W
        3H
)
@       IN      NS      ns.magedu.com.
ns      IN      A       192.168.0.188
1       IN      PTR     mx1.magdu.com.
2       IN      PTR     mx2.magdu.com.
188     IN      PTR     ns.magedu.com.

Next, check the configuration files with the following commands:

[root@localhost named]# named-checkconf /etc/named.conf 
[root@localhost named]# named-checkconf /etc/named.rfc1912.zones 
[root@localhost named]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone 
zone 0.168.192.in-addr.arpa/IN: loaded serial 20180421
OK

If nothing is reported, restart the named service:

[root@localhost named]# systemctl restart named

Test the results from another host:

[root@localhost ~]# nslookup 
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=NS   
> 192.168.0.1
Server:     192.168.0.188
Address:    192.168.0.188#53

1.0.168.192.in-addr.arpa    name = mx1.magdu.com.
> 192.168.0.188
Server:     192.168.0.188
Address:    192.168.0.188#53

188.0.168.192.in-addr.arpa  name = ns.magedu.com.
> 192.168.0.2
Server:     192.168.0.188
Address:    192.168.0.188#53

2.0.168.192.in-addr.arpa    name = mx2.magdu.com.
> 

Reverse resolution succeeded.

Master and slave servers:

Configuring a slave zone:

Note: "slave" is a per-zone concept, not a per-server one

On the slave server:

(1) Define the zone
Define a slave zone:

zone "ZONE_NAME"  IN {
    type  slave;
    file  "slaves/ZONE_NAME.zone";
    masters  { MASTER_IP; };
};

Note: the type is slave, and the path after file is relative to the /var/named/ directory
Check the configuration syntax: named-checkconf

(2) Reload the configuration
rndc reload
systemctl reload named.service

On the master server:

Make sure the zone data file contains an NS record for every slave server, and that the forward zone file has an A record for the hostname in each slave's NS record, pointing at the slave's real IP address; also increase the serial number by 1

Note: the clocks must be synchronized; use the ntpdate command;

Example:

Configuring the DNS master server

Edit /etc/named.conf:

[root@Master ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.0.188; };  # listen on this host's IP
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.0.0/24; };    # accept resolution requests from the 192.168.0.0/24 network;
        recursion yes;    # enable recursive queries
        forward only;    # enable forwarding: requests this server cannot answer from its own zones are only forwarded;
        forwarders { 114.114.114.114; };    # the DNS server to forward to;
        dnssec-enable no;    # disable the DNS security extensions;
        dnssec-validation no;    # disable DNSSEC validation;
};
.....

Edit /etc/named.rfc1912.zones:

[root@Master ~]# vim /etc/named.rfc1912.zones
zone "magedu.com." IN {    # define the forward zone
        type master;
        file "magedu.com.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.189;192.168.0.190; };  # IPs of the secondary servers allowed to transfer the zone;
        notify yes;  # enable change notification: when the zone file on the master changes, the slaves are told to compare and synchronize;
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.189;192.168.0.190;};
        notify yes;
};

Create /var/named/magedu.com.zone:

$TTL 3600
@       IN      SOA     ns1.magedu.com. 1XXXXXX3.qq.com.      (
        2018042101
        1D
        1H
        1W
        3H
)
magedu.com.     IN      NS      ns1.magedu.com.
magedu.com.     IN      NS      ns2.magedu.com.
magedu.com.     IN      NS      ns3.magedu.com.
magedu.com.     IN      MX      10      mx1.magedu.com.
magedu.com.     IN      MX      20      mx2.magedu.com.
mx1     IN      A       192.168.0.1
mx2     IN      A       192.168.0.2
ns1     IN      A       192.168.0.188
ns2     IN      A       192.168.0.189
ns3     IN      A       192.168.0.190
www     IN      A       199.247.21.135
web     IN      CNAME   www
qq      IN      A       59.37.96.63
master  IN      A       192.168.0.188
slave1  IN      A       192.168.0.189
slave2  IN      A       192.168.0.190

Create /var/named/192.168.0.zone:

$TTL 3600
@       IN      SOA     ns1.magedu.com.  1XXXXXXX3.qq.com. (
        2018042101
        1D
        1H
        1W
        3H
)
@       IN      NS      ns1.magedu.com.
@       IN      NS      ns2.magedu.com.  ; in the reverse zone file the NS records for the slave servers are required, otherwise zone synchronization breaks
@       IN      NS      ns3.magedu.com.
1       IN      PTR     mx1.magdu.com.
2       IN      PTR     mx2.magdu.com.
188     IN      PTR     ns1.magedu.com.
189     IN      PTR     ns2.magedu.com.
190     IN      PTR     ns3.magedu.com.
188     IN      PTR     master.magedu.com.
189     IN      PTR     slave1.magedu.com.
190     IN      PTR     slave2.magedu.com.

Check the relevant configuration files:

[root@Master ~]# named-checkconf /etc/named.conf 
[root@Master ~]# named-checkzone magedu.com /var/named/magedu.com.zone 
zone magedu.com/IN: loaded serial 2018042101
OK
[root@Master ~]# named-checkzone 0.168.192.ip-addr.arpa /var/named/192.168.0.zone 
zone 0.168.192.ip-addr.arpa/IN: loaded serial 2018042101
OK

If there are no errors, start the named service:

[root@Master ~]# systemctl status named

Setting up the DNS slave servers
On slave server 1, edit /etc/named.conf:

[root@Slave1 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.0.189; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { 192.168.0.0/24; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
....
};
.....

Then edit /etc/named.rfc1912.zones:

[root@Slave1 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
        type slave;    # the zone type is slave;
        file "slaves/magedu.com.zone";  # path and name of the file the transferred zone is stored in;
        masters { 192.168.0.188; };  # IP of the master server;
        masterfile-format text;  # store the zone file as text; without this it may be written in raw format and look like garbage
};
zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.0.zone";
        masters { 192.168.0.188; };
        masterfile-format text;
};

After editing, check the configuration file:

[root@Slave1 ~]# named-checkconf /etc/named.conf

If nothing is reported, start the named service:

[root@Slave1 ~]# systemctl start named
[root@localhost ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since 六 2018-04-21 18:05:47 CST; 5s ago
  Process: 11084 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 11081 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 11087 (named)
   CGroup: /system.slice/named.service
           └─11087 /usr/sbin/named -u named -c /etc/named.conf

4月 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
4月 21 18:05:47 localhost.localdomain named[11087]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.188#53: conn...42852
4月 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: transferred serial 2018042101
4月 21 18:05:47 localhost.localdomain named[11087]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.188#53: Tran.../sec)
4月 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2018042101)
4月 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: Transfer started.
4月 21 18:05:47 localhost.localdomain named[11087]: transfer of 'magedu.com/IN' from 192.168.0.188#53: connected using ...41953
4月 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: transferred serial 2018042101
4月 21 18:05:47 localhost.localdomain named[11087]: transfer of 'magedu.com/IN' from 192.168.0.188#53: Transfer complet.../sec)
4月 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: sending notifies (serial 2018042101)
Hint: Some lines were ellipsized, use -l to show in full.

As the output above shows, the slave server synchronizes the master's forward and reverse zone files correctly.

Testing resolution against the DNS master and slave servers
Forward resolution on the master:

[root@Slave2 ~]# dig -t A www.magedu.com @192.168.188

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55749
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.            IN  A

;; ANSWER SECTION:      # forward lookup answered successfully
www.magedu.com.     3600    IN  A   199.247.21.135

;; AUTHORITY SECTION:
magedu.com.     3600    IN  NS  ns1.magedu.com.
magedu.com.     3600    IN  NS  ns2.magedu.com.
magedu.com.     3600    IN  NS  ns3.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.     3600    IN  A   192.168.0.188
ns2.magedu.com.     3600    IN  A   192.168.0.189
ns3.magedu.com.     3600    IN  A   192.168.0.190

;; Query time: 2 msec
;; SERVER: 192.168.0.188#53(192.168.0.188)
;; WHEN: Sat Apr 21 05:13:05 EDT 2018
;; MSG SIZE  rcvd: 161

Forward resolution on the slave:

[root@Slave2 ~]# dig -t A www.magedu.com @192.168.189

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.189
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.            IN  A

;; ANSWER SECTION:    # forward lookup answered successfully
www.magedu.com.     3600    IN  A   199.247.21.135

;; AUTHORITY SECTION:
magedu.com.     3600    IN  NS  ns1.magedu.com.
magedu.com.     3600    IN  NS  ns3.magedu.com.
magedu.com.     3600    IN  NS  ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.     3600    IN  A   192.168.0.188
ns2.magedu.com.     3600    IN  A   192.168.0.189
ns3.magedu.com.     3600    IN  A   192.168.0.190

;; Query time: 1 msec
;; SERVER: 192.168.0.189#53(192.168.0.189)
;; WHEN: Sat Apr 21 05:13:02 EDT 2018
;; MSG SIZE  rcvd: 161

Reverse resolution on the master:

[root@Slave2 ~]# dig -x 192.168.0.1 @192.168.0.188

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.0.1 @192.168.0.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64876
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa.  IN  PTR

;; ANSWER SECTION:     # reverse lookup answered successfully
1.0.168.192.in-addr.arpa. 3600  IN  PTR mx1.magdu.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600    IN  NS  ns2.magedu.com.
0.168.192.in-addr.arpa. 3600    IN  NS  ns3.magedu.com.
0.168.192.in-addr.arpa. 3600    IN  NS  ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.     3600    IN  A   192.168.0.188
ns2.magedu.com.     3600    IN  A   192.168.0.189
ns3.magedu.com.     3600    IN  A   192.168.0.190

;; Query time: 2 msec
;; SERVER: 192.168.0.188#53(192.168.0.188)
;; WHEN: Sat Apr 21 05:19:32 EDT 2018
;; MSG SIZE  rcvd: 189

Reverse resolution on the slave:

[root@Slave2 ~]# dig -x 192.168.0.188 @192.168.0.189

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.0.188 @192.168.0.189
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58662
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;188.0.168.192.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:    # reverse lookup answered successfully
188.0.168.192.in-addr.arpa. 3600 IN PTR ns1.magedu.com.
188.0.168.192.in-addr.arpa. 3600 IN PTR master.magedu.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600    IN  NS  ns2.magedu.com.
0.168.192.in-addr.arpa. 3600    IN  NS  ns3.magedu.com.
0.168.192.in-addr.arpa. 3600    IN  NS  ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.     3600    IN  A   192.168.0.188
ns2.magedu.com.     3600    IN  A   192.168.0.189
ns3.magedu.com.     3600    IN  A   192.168.0.190

;; Query time: 2 msec
;; SERVER: 192.168.0.189#53(192.168.0.189)
;; WHEN: Sat Apr 21 05:20:18 EDT 2018
;; MSG SIZE  rcvd: 202

Subdomain delegation:

Delegating a subdomain from a forward zone:

ops.magedu.com.         IN  NS      ns1.ops.magedu.com.
ops.magedu.com.         IN  NS      ns2.ops.magedu.com.
ns1.ops.magedu.com.     IN  A   IP.AD.DR.ESS
ns2.ops.magedu.com.     IN  A   IP.AD.DR.ESS

Defining forwarding:
Note: the server being forwarded to must allow recursion for the current server;

(1) Zone forwarding: forwards only resolution requests for one specific zone;

zone  "ZONE_NAME"  IN {
    type  forward;
    forward  {first|only};
    forwarders  { SERVER_IP; };
};

first: forward first; if the forwarder does not respond, resolve iteratively itself;
only: forward only;

(2) Global forwarding: every query for a zone that is not defined locally with a zone statement is handed to the forwarder;

vim /etc/named.conf
options {
... ...
forward  {only|first};
forwarders  { SERVER_IP; };
... ...
};

Security-related configuration in BIND:

acl: access control list; groups one or more addresses into a named set so that the name can then be used to refer to every host in the set at once;

acl  acl_name  {
     ip;
     net/prelen;
};

Example:

acl  mynet {
      172.16.0.0/16;
      127.0.0.0/8;
};

BIND has four built-in ACLs:

  • none: no host at all
  • any: any host
  • localhost: this host
  • localnets: the networks this host's IP addresses belong to

Access control directive   Purpose
allow-query {};            hosts allowed to query; a whitelist;
allow-transfer {};         hosts allowed to receive zone transfers; defaults to all hosts; should be set to allow only the slave servers;
allow-recursion {};        hosts allowed to send recursive queries to this DNS server;
allow-update {};           DDNS; hosts allowed to dynamically update the contents of the zone database file;
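The directives above as an automated check, added here and not taken from the original post: a constructed Python audit (not BIND's own parser) that reads a named.conf and reports an open resolver, master zones whose allow-transfer is missing or any, and allow-update that is not none. The two sample configurations are modelled on the ones shown earlier on this page, and the function names are my own.

```python
"""Audit a named.conf for the access-control mistakes the table above warns about.

Constructed checker, not BIND's own parser. It strips comments, extracts the
options block and every zone block (zones inside views included) and reports:
  - an open resolver: recursion on while the effective recursion ACL contains
    any (BIND falls back from allow-recursion to allow-query-cache, then to
    allow-query, then to its built-in default of localnets plus localhost);
  - master zones whose allow-transfer is absent (BIND's default is any) or any;
  - allow-update set to anything other than none.
"""
import re

_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)


def strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    return _COMMENT_RE.sub("", text)


def _block_after(text, pos):
    """Body of the {...} block whose opening brace is the first at/after pos."""
    start = text.index("{", pos)
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in configuration")


def _acl(body, name):
    """Address list of `name { ... };` inside body, or None when not set."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), body)
    if not m:
        return None
    return [t for t in re.split(r"[;\s]+", _block_after(body, m.start())) if t]


def _zones(text):
    """Yield (zone name, zone body) for every zone statement in the file."""
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        yield m.group(1), _block_after(text, m.end())


def audit(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    text = strip_comments(conf_text)
    findings = []
    m = re.search(r"\boptions\s*\{", text)
    opts = _block_after(text, m.start()) if m else ""

    recursion_off = re.search(r"\brecursion\s+no\s*;", opts) is not None
    effective = (_acl(opts, "allow-recursion") or _acl(opts, "allow-query-cache")
                 or _acl(opts, "allow-query") or ["localnets", "localhost"])
    if not recursion_off and "any" in effective:
        findings.append("open resolver: recursion is on and the recursion ACL is 'any'")

    global_transfer = _acl(opts, "allow-transfer")
    for name, body in _zones(text):
        if not re.search(r"\btype\s+master\s*;", body):
            continue                    # only master zones are checked here
        transfer = _acl(body, "allow-transfer")
        if transfer is None:
            transfer = global_transfer  # the zone inherits the options-level setting
        if transfer is None or "any" in transfer:
            findings.append(f"zone {name}: transfers allowed to any host; "
                            "restrict allow-transfer to the slave servers")
        update = _acl(body, "allow-update")
        if update is not None and update != ["none"]:
            findings.append(f"zone {name}: dynamic updates allowed from {' '.join(update)}")
    return findings


# Constructed samples modelled on the configurations shown earlier on this page.
WEAK_CONF = """
options {
        allow-query     { any; };
        recursion yes;    // with allow-query { any; } this is an open resolver
};
zone "magedu.com" IN {
        type master;
        allow-update { none; };    /* no allow-transfer: BIND defaults to any */
};
"""

HARDENED_CONF = """
options {
        allow-query     { 192.168.0.0/24; };
        allow-recursion { 192.168.0.0/24; };
        recursion yes;
};
zone "magedu.com." IN {
        type master;
        allow-update { none; };
        allow-transfer { 192.168.0.189;192.168.0.190; };  # the two slaves only
};
"""
```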

BIND views (split-horizon, "smart" DNS)

A view lets queries arriving from different IP address ranges receive different DNS answers.

Example

For this simulated test, 192.168.0.189/32 stands in for the China Telecom network and 192.168.0.190/32 for the China Unicom network

Modify named.conf on the DNS master server from the previous example:

acl "telecom"{
        192.168.0.189;
};
acl "unicom"{
        192.168.0.190;
};
options{
...
};
logging{
...
};
view  telecom {
        match-clients { telecom;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "charlie.com" IN {
                type master;
                file "charlie.com.zone.telecom";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};

view unicom {
        match-clients { unicom;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "charlie.com" IN {
                type master;
                file "charlie.com.zone.unicom";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};

view others {
        match-clients { any;};
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";
};

Create charlie.com.zone.telecom:

[root@Master ~]# vim /var/named/charlie.com.zone.telecom 
$TTL 3600
@       IN      SOA     ns.charlie.com. 1XXXXXX3.qq.com (
        00
        1D
        1H
        1W
        3H
)
@       IN      NS      ns.charlie.com.
ns      IN      A       192.168.0.188
@       IN      MX      10      mx.charlie.com.
mx      IN      A       192.168.0.188
www     IN      A       1.1.1.1
blog    IN      A       1.1.1.2

Create charlie.com.zone.unicom:

[root@Master ~]# vim /var/named/charlie.com.zone.unicom
$TTL 3600
@       IN      SOA     ns.charlie.com. 1XXXXX3.qq.com. (
        00
        1D
        1H
        1W
        3H
)
@       IN      NS      ns.charlie.com.
ns      IN      A       192.168.0.188
@       IN      MX      10      mx.charlie.com.
mx      IN      A       192.168.0.188
www     IN      A       2.2.2.1
blog    IN      A       2.2.2.2

Check the configuration files:

[root@Master ~]# named-checkconf /etc/named.conf 
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.telecom 
zone charlie.com/IN: loaded serial 0
OK
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.unicom 
zone charlie.com/IN: loaded serial 0
OK

Restart or reload the named service:

[root@Master ~]# systemctl restart named

Verify the resolution results from the 192.168.0.189 slave server:

[root@slave1 ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A
> www.charlie.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   www.charlie.com
Address: 1.1.1.1    # resolves to the telecom IP as configured;
> blog.charlie.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   blog.charlie.com
Address: 1.1.1.2     # resolves to the telecom IP as configured;
> ns1.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   ns1.magedu.com
Address: 192.168.0.188

Verify the resolution results from the 192.168.0.190 slave server:

[root@slave2 ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A
> www.charlie.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   www.charlie.com
Address: 2.2.2.1     # resolves to the unicom IP as configured;
> blog.charlie.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   blog.charlie.com
Address: 2.2.2.2     # resolves to the unicom IP as configured;
> ns1.magedu.com
Server:     192.168.0.188
Address:    192.168.0.188#53

Name:   ns1.magedu.com
Address: 192.168.0.188
> 

At this point a smart-DNS setup is complete. If the public IP ranges of China Telecom and China Unicom were written into the two ACLs, and this server were connected to lines from several carriers so that it could provide DNS resolution on the public Internet, it would return carrier-specific answers to clients coming from the different carriers' IP ranges.
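How BIND chooses among these views, as an added example that is not part of the original post: a Python simulation of the match-clients logic for the telecom, unicom and others views above, with the two charlie.com zone files reduced to their A records. It also shows why the catch-all view has to come last; the ACL, view and zone names are the page's, the function names are assumptions.

```python
"""Simulate how BIND picks a view for a client and answers from that view.

Views are tried in configuration order and the first one whose match-clients
list accepts the client's address wins, so the catch-all view with
match-clients { any; } must come last. The ACLs, views and charlie.com zone
data below are the ones from this page, written as Python data; only the
A records of the two zone files are modelled.
"""
import ipaddress

# Named ACLs as on the page: one /32 stands in for each carrier's address space.
ACLS = {
    "telecom": ["192.168.0.189"],
    "unicom": ["192.168.0.190"],
}

# Views in the order they appear in named.conf; "others" must stay last.
VIEWS = [
    {"name": "telecom", "match": ["telecom"], "zones": {"charlie.com": "charlie.com.zone.telecom"}},
    {"name": "unicom", "match": ["unicom"], "zones": {"charlie.com": "charlie.com.zone.unicom"}},
    {"name": "others", "match": ["any"], "zones": {}},
]

# A records from charlie.com.zone.telecom and charlie.com.zone.unicom.
ZONE_DATA = {
    "charlie.com.zone.telecom": {"www.charlie.com": "1.1.1.1", "blog.charlie.com": "1.1.1.2"},
    "charlie.com.zone.unicom": {"www.charlie.com": "2.2.2.1", "blog.charlie.com": "2.2.2.2"},
}


def acl_allows(elements, client, acls=ACLS):
    """BIND address-match-list semantics: the first element that matches decides.

    A matching element prefixed with "!" rejects the client outright; if no
    element matches, the client is rejected. Elements may be any, none, a
    named ACL, a bare address or a CIDR prefix.
    """
    for element in elements:
        negate = element.startswith("!")
        name = element[1:] if negate else element
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = acl_allows(acls[name], client, acls)   # nested ACL
        else:
            hit = ipaddress.ip_address(client) in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client, views=VIEWS):
    """Return the first view whose match-clients accepts client, or None."""
    for view in views:
        if acl_allows(view["match"], client):
            return view
    return None


def resolve_a(client, qname, views=VIEWS):
    """Answer an A query the way the view-aware server would: (view name, address).

    The address is None when the chosen view has no matching zone or record.
    """
    view = select_view(client, views)
    if view is None:
        return None, None                     # no view matched the client
    for zone, zone_file in view["zones"].items():
        if qname == zone or qname.endswith("." + zone):
            return view["name"], ZONE_DATA[zone_file].get(qname)
    return view["name"], None
```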
