- Base environment: redhat 7.3
master 10.8.10.30
slave 10.8.10.204
0 Install bind
yum install -y bind bind-utils
1 MASTER configuration
1.1 Edit /etc/named.conf
a. Edit the config file /etc/named.conf, find the listen-on line and change it to:
listen-on port 53 { any; }; # any means match all addresses
b. Find the allow-query line and change it to:
allow-query { any; };
c. Set dnssec to no
dnssec-enable no;
dnssec-validation no;
1.2 Edit /etc/named.rfc1912.zones
a. Add the forward and reverse zone definitions
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { 10.8.10.204; };
allow-query { any; };
notify yes;
also-notify { 10.8.10.204; };
};
zone "10.8.10.in-addr.arpa" IN {
type master;
file "10.8.10.arpa";
allow-transfer { 10.8.10.204; };
allow-query { any; };
notify yes;
also-notify { 10.8.10.204; };
};
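The allow-transfer { 10.8.10.204; }; lines above are what stop anyone other than the slave from pulling the whole zone with an AXFR, so it is worth checking that every master zone in the config carries such a restriction. The shell function below is an added example (it is not part of these notes and not a BIND tool): it parses a named.conf-style file with awk and flags master zones whose allow-transfer is any or missing. The example.com zone in the demo is the one above; leaky.test and unset.test are constructed to show the other verdicts.

```shell
#!/bin/sh
# Added example: audit allow-transfer on master zones in a BIND config file.
# Prints one line per zone: "<zone> <verdict>", where the verdict is
#   ok    - master zone, allow-transfer lists specific hosts
#   open  - master zone, allow-transfer contains "any" (anyone can AXFR it)
#   unset - master zone, no allow-transfer at all (falls back to the
#           options-level default, which on the BIND 9.9 shipped with
#           RHEL 7 is "any")
#   slave - slave zone, nothing to check here
audit_transfers() {
    awk '
    /^[[:space:]]*zone[[:space:]]+"[^"]+"/ {
        match($0, /"[^"]+"/)
        name = substr($0, RSTART + 1, RLENGTH - 2)
        inzone = 1; depth = 0; type = ""; xfer = ""
    }
    inzone {
        if ($0 ~ /^[[:space:]]*type[[:space:]]/) { type = $2; sub(/;.*/, "", type) }
        if ($0 ~ /allow-transfer/) {
            # keep only what sits between the braces, with ";" turned into spaces
            xfer = $0
            sub(/^.*allow-transfer[[:space:]]*[{][[:space:]]*/, "", xfer)
            sub(/[[:space:]]*[}].*$/, "", xfer)
            gsub(/;/, " ", xfer)
        }
        # track brace depth so nested blocks (also-notify, masters) do not
        # end the zone early
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        depth += opens - closes
        if (depth == 0 && closes > 0) {
            if (type == "master" || type == "primary") {
                if (xfer == "")                    verdict = "unset"
                else if ((" " xfer " ") ~ / any /) verdict = "open"
                else                               verdict = "ok"
            } else verdict = type
            print name " " verdict
            inzone = 0
        }
    }' "$1"
}

# Stand-alone demo on a constructed config: the first zone is the one from
# the notes above, the others are made up to exercise the other verdicts.
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { 10.8.10.204; };
allow-query { any; };
notify yes;
also-notify { 10.8.10.204; };
};
zone "leaky.test" IN {
    type master;
    file "leaky.test.zone";
    allow-transfer { any; };
};
zone "unset.test" IN {
    type master;
    file "unset.test.zone";
};
zone "10.8.10.in-addr.arpa" IN {
    type slave;
    file "slaves/10.8.10.arpa";
    masters { 10.8.10.30; };
};
EOF
    audit_transfers "$tmp"
    rm -f "$tmp"
}

demo_audit
```

Run it against the real file with audit_transfers /etc/named.rfc1912.zones (and /etc/named.conf if zones are defined there too); any line ending in open or unset is a zone whose full contents can be fetched by any client that can reach port 53.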
1.3 Add the forward and reverse zone files
1.3.1 Forward zone
cd /var/named/
cp -a named.localhost example.com.zone
vim example.com.zone
a. Contents as follows (note: comments use ; here, unlike other scripts; a line that starts with whitespace reuses the owner name of the previous record)
$TTL 1D
@       IN SOA  @ example.com. (
                20200812    ; serial  (serial number, bump it on every change)
                1D          ; refresh (refresh interval)
                1H          ; retry   (retry interval)
                1W          ; expire  (expire time)
                3H )        ; minimum (cache time for negative answers)
@       IN NS   dns1.example.com.
        IN NS   dns2.example.com.
dns1    IN A    10.8.10.30
dns2    IN A    10.8.10.204
@       IN MX   20 mail2.example.com.
        IN MX   10 mail1.example.com.
mail1   IN A    10.8.10.30
mail2   IN A    10.8.10.204
www     IN CNAME servs.example.com.
ftp     IN CNAME servs.example.com.
servs   IN A    10.8.10.20
;       NS ns.example.com.
;ns     A 10.8.10.130
;www    A 10.8.10.130
;mail   A 10.8.10.120
;       MX 10 mail.example.com.
;example.com. A 10.8.10.129
$GENERATE 1-245 server$ A 1.1.1.$
;bbs    CNAME www
*       A 10.8.10.30
1.3.2 Reverse zone
cp -a /var/named/named.loopback /var/named/10.8.10.arpa
a. Contents as follows
$TTL 1D
@       IN SOA  @ example.com. (
                20200812    ; serial
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
@       IN NS   dns1.example.com.
        IN NS   dns2.example.com.
30      IN PTR  dns1.example.com.
204     IN PTR  dns2.example.com.
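A slave only transfers a zone again when the master's serial has gone up, so every edit to either zone file above has to be followed by a serial bump before the restart in 1.4, or the slave keeps serving the old data. The helper below is an added example, not part of these notes and not a BIND tool: it reads the serial as the first all-digit token after the SOA keyword (which is how both zone files above are laid out) and bumps it in the YYYYMMDDnn form. The zone it builds for the demo is a constructed copy of the forward zone above; the optional date argument exists so the result is reproducible.

```shell
#!/bin/sh
# Added example (not from the notes above, not a BIND tool): read and bump
# the SOA serial of a zone file. The notes use a date-based serial
# (20200812); this keeps that idea in the YYYYMMDDnn form: the first change
# on a day gets YYYYMMDD00, further changes that day get the next number,
# and a serial that is already ahead of today is simply incremented.

# Print the serial of zone file $1: the first all-digit token after the SOA
# keyword, stopping at a ';' comment.
zone_serial() {
    awk '
    {
        from = 1
        if (!insoa) {
            for (i = 1; i <= NF; i++)
                if (toupper($i) == "SOA") { insoa = 1; from = i + 1; break }
            if (!insoa) next
        }
        for (i = from; i <= NF; i++) {
            if ($i ~ /^;/) break
            if ($i ~ /^[0-9]+$/) { print $i; exit }
        }
    }' "$1"
}

# bump_serial FILE [YYYYMMDD]: rewrite the serial in place and print the new
# value. The date defaults to today; DNS serials are 32-bit unsigned, so the
# new value is range-checked before anything is written.
bump_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    case $today in *[!0-9]*|'') echo "bad date: $today" >&2; return 1;; esac
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    base=$((today * 100))
    if [ "$((old < base))" -eq 1 ]; then new=$base; else new=$((old + 1)); fi
    if [ "$((new > 4294967295))" -eq 1 ]; then
        echo "serial $new would exceed 32 bits" >&2; return 1
    fi
    tmp=$(mktemp)
    awk -v new="$new" '
    {
        line = $0; from = 1
        if (!insoa)
            for (i = 1; i <= NF; i++)
                if (toupper($i) == "SOA") { insoa = 1; from = i + 1; break }
        if (insoa && !done)
            for (i = from; i <= NF; i++) {
                if ($i ~ /^;/) break
                if ($i ~ /^[0-9]+$/) {
                    # swap just this token; awk rejoins the line with single
                    # spaces, so put the original leading whitespace back
                    $i = new
                    match(line, /^[[:space:]]*/)
                    $0 = substr(line, 1, RLENGTH) $0
                    done = 1
                    break
                }
            }
        print
    }' "$file" > "$tmp"
    # write back through the existing file so its owner and mode (named:named
    # from step 3.1) survive; mv would replace them with mktemp's 0600 file
    cat "$tmp" > "$file" && rm -f "$tmp"
    echo "$new"
}

# Stand-alone demo on a constructed copy of the forward zone above.
demo_bump() {
    zf=$(mktemp)
    cat > "$zf" <<'EOF'
$TTL 1D
@       IN SOA  @ example.com. (
                20200812    ; serial
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
@       IN NS   dns1.example.com.
        IN NS   dns2.example.com.
dns1    IN A    10.8.10.30
dns2    IN A    10.8.10.204
EOF
    echo "before: $(zone_serial "$zf")"
    echo "after:  $(bump_serial "$zf" 20200813)"   # 2020081300
    echo "again:  $(bump_serial "$zf" 20200813)"   # 2020081301
    rm -f "$zf"
}
demo_bump
```

On the master the sequence per change is: edit the zone file, bump_serial /var/named/example.com.zone, named-checkzone, then reload; the slave picks the change up on the next NOTIFY or refresh.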
1.4 Check the configuration
a. Main configuration
named-checkconf
b. Zone files (the first argument is the zone name as written in named.rfc1912.zones)
named-checkzone example.com /var/named/example.com.zone
named-checkzone 10.8.10.in-addr.arpa /var/named/10.8.10.arpa
c. Restart the service
systemctl restart named
2 SLAVE configuration
2.1 Edit /etc/named.conf
a. Edit the config file /etc/named.conf, find the listen-on line and change it to:
listen-on port 53 { any; }; # any means match all addresses
b. Find the allow-query line and change it to:
allow-query { any; };
c. Set dnssec to no
dnssec-enable no;
dnssec-validation no;
d. Add one line in options so that the zone files synced from the master are stored on the slave in the same (text) format
masterfile-format text;
2.2 Edit /etc/named.rfc1912.zones
a. Add the forward and reverse zone definitions (note: the file path must not be directly under /var/named/; either /var/named/data/ or /var/named/slaves/ works)
zone "example.com" IN {
type slave;
file "slaves/example.com.zone";
masters { 10.8.10.30; };
};
zone "10.8.10.in-addr.arpa" IN {
type slave;
file "slaves/10.8.10.arpa";
masters { 10.8.10.30; };
};
2.3 Check the configuration
a. Main configuration
named-checkconf
3 Restart and test
3.1 On both master and slave, change the ownership of the /var/named/ directory and everything in it
chown -R named:named /var/named/
3.2 Restart master and slave
a. Restart
systemctl restart named
b. Check /var/log/messages for errors
Common errors
- 1> dumping master file: tmp-Jf88DjE6Zl: open: permission denied
chown -R named:named /var/named/  (changing the ownership of /var/named/ did not seem to help)
file "slaves/example.com.zone";  (changing the directory the transferred zone file is written to works)
- 2> error (no valid KEY) resolving './DNSKEY/IN': 192.228.79.201#53
The original /etc/named.conf had the DNS Security Extensions (DNSSEC) options enabled; a non-authoritative DNS server must not enable them, otherwise DNS requests end up in an untrusted chain and resolution ultimately fails.
c. Check whether the transferred zone files are present in the slaves directory
d. Edit /etc/resolv.conf
nameserver 10.8.10.30
e. Test with dig / nslookup
dig -t A www.example.com @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.example.com @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 86400 IN CNAME servs.example.com.
servs.example.com. 86400 IN A 10.8.10.20
;; AUTHORITY SECTION:
example.com. 86400 IN NS dns1.example.com.
example.com. 86400 IN NS dns2.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 86400 IN A 10.8.10.30
dns2.example.com. 86400 IN A 10.8.10.204
;; Query time: 0 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:12:29 CST 2020
;; MSG SIZE rcvd: 150
dig -x 10.8.10.30 @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 10.8.10.30 @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.10.8.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
30.10.8.10.in-addr.arpa. 86400 IN PTR dns1.example.com.
;; AUTHORITY SECTION:
10.8.10.in-addr.arpa. 86400 IN NS dns1.example.com.
10.8.10.in-addr.arpa. 86400 IN NS dns2.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 86400 IN A 10.8.10.30
dns2.example.com. 86400 IN A 10.8.10.204
;; Query time: 1 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:13:55 CST 2020
;; MSG SIZE rcvd: 147
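Step c above only proves that a transfer happened at some point; the dig queries prove the master answers. A tighter check of the pair is to ask both servers for the zone's SOA and compare serials. The helpers below are an added example (not from these notes): compare_soa works on dig +short SOA answer lines so it can be demonstrated offline with constructed answers, and zone_in_sync wraps it with live dig queries against the master and slave addresses from these notes; dig comes from the bind-utils package installed in step 0.

```shell
#!/bin/sh
# Added example (not from the notes above): confirm that the slave holds the
# same copy of a zone as the master by comparing SOA serials.

# Print the serial (3rd field) of a "dig +short SOA" answer line such as
#   example.com. example.com. 20200812 86400 3600 604800 10800
# Prints nothing for an empty or malformed line.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3 }'
}

# Compare two SOA answer lines (master first, slave second). Prints
# "in-sync", "slave-behind (...)" or "no-answer"; returns 0 only on a match.
compare_soa() {
    m=$(soa_serial "$1"); s=$(soa_serial "$2")
    if [ -z "$m" ] || [ -z "$s" ]; then echo "no-answer"; return 2; fi
    if [ "$m" = "$s" ]; then echo "in-sync"; return 0; fi
    echo "slave-behind (master $m, slave $s)"; return 1
}

# Live check: zone_in_sync ZONE MASTER SLAVE. +norecurse makes sure each
# server answers from its own copy rather than going to ask someone else.
zone_in_sync() {
    zone=$1; master=$2; slave=$3
    compare_soa "$(dig +short +norecurse SOA "$zone" "@$master")" \
                "$(dig +short +norecurse SOA "$zone" "@$slave")"
}

# Stand-alone demo on constructed answers (no network needed); the second
# pair is deliberately out of sync, so its status is non-zero.
demo_compare() {
    compare_soa "example.com. example.com. 20200812 86400 3600 604800 10800" \
                "example.com. example.com. 20200812 86400 3600 604800 10800"
    compare_soa "example.com. example.com. 20200813 86400 3600 604800 10800" \
                "example.com. example.com. 20200812 86400 3600 604800 10800" || :
}
demo_compare

# Against the servers from the notes:
#   zone_in_sync example.com 10.8.10.30 10.8.10.204
#   zone_in_sync 10.8.10.in-addr.arpa 10.8.10.30 10.8.10.204
```

A persistent slave-behind after the refresh interval (1D in the zones above) means the transfer is failing: check allow-transfer on the master, the masters line on the slave, and /var/log/messages on both, as in step b.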