#本次实验共需6台主机 # 10.0.0.11 -》DNS 主服务器 noisedu.org | 子域 10.0.0.13 chengdu.noisedu.org # 10.0.0.12 -》DNS 从服务器 noisedu.org | 子域 10.0.0.14 shenzhen.noisedu.org # 10.0.0.22 -》web服务器 # 10.0.0.32 -》客户端client #实验之前,请先关闭所有主机的防火墙设置,否则同步服务器之间会有问题,比如后面同步主从之间的zone文件就会失败 #安装工具包 [09:48:15 root@centos8 ~]#yum -y install bind bind-utils #加上域名在named.conf,注释掉listen和allow [10:00:43 root@centos8 ~]#rpm -ql bind /etc/logrotate.d/named /etc/named /etc/named.conf [10:00:53 root@centos8 ~]#vim /etc/named.conf options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; #编辑zone文件,加上主服务器 [11:18:11 root@centos8 ~]#vim /etc/named.rfc1912.zones zone "noisedu.org" IN { type master; file "noisedu.org.zone"; }; #编辑自身域file [10:03:47 root@centos8 ~]#cp -p /var/named/named.localhost /var/named/noisedu.org.zone [11:23:24 root@centos8 ~]#vim /var/named/noisedu.org.zone $TTL 1D @ IN SOA ns1 noisedu.org.zone. 
( 4 ; serial 1M ; refresh 1M ; retry 1W ; expire 1D ; minimum ) NS ns1 NS ns2 ns1 A 10.0.0.11 ns2 A 10.0.0.12 www A 10.0.0.22 blog A 10.0.0.101 #检查文件是否有错 [10:12:48 root@centos8 ~]#named-checkconf [10:12:56 root@centos8 ~]#named-checkzone noisedu.org /var/named/noisedu.org.zone zone noisedu.org/IN: loaded serial 20210606 OK #启动服务 [10:34:57 root@centos8 ~]#rndc reload server reload successful #或者 [10:13:13 root@centos8 ~]#systemctl restart named #然后查看端口是否打开,tcp953是管理端口,upd53是查询端口,tcp53是主从服务器之间的同步端口 [10:13:26 root@centos8 ~]#ss -ntul Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 10.0.0.11:53 0.0.0.0:* udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* udp UNCONN 0 0 [::]:53 [::]:* udp UNCONN 0 0 [::1]:323 [::]:* tcp LISTEN 0 10 10.0.0.11:53 0.0.0.0:* tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* tcp LISTEN 0 128 127.0.0.1:953 0.0.0.0:* tcp LISTEN 0 10 [::]:53 [::]:* tcp LISTEN 0 128 [::]:22 [::]:* tcp LISTEN 0 128 [::1]:953 [::]:* #在web服务器设置web [10:13:47 root@centos7 ~]#yum install httpd [10:14:17 root@centos7 ~]#echo www.noisedu.org > /var/www/html/index.html [10:14:46 root@centos7 ~]#systemctl start httpd #在client访问 [10:31:01 root@noise ~]#dig www.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4546 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.noisedu.org. IN A ;; ANSWER SECTION: www.noisedu.org. 
86400 IN A 10.0.0.22 ;; Query time: 1 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 10:37:04 CST 2021 ;; MSG SIZE rcvd: 60 #######设置从服务器 #安装软件 [09:49:40 root@centos8 ~]#yum -y install bind bind-utils #配置named.conf [10:41:02 root@centos8 ~]#vim /etc/named.conf options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; #编辑zone文件 [11:24:09 root@centos8 ~]#vim /etc/named.rfc1912.zones zone "noisedu.org" IN { type slave; masters {10.0.0.11;}; file "slaves/noisedu.org.zone.slave"; }; #查看拉取的文件 [10:48:32 root@centos8 ~]#ll /var/named/slaves/ total 0 [10:48:38 root@centos8 ~]#rndc reload server reload successful [10:48:44 root@centos8 ~]#rndc reload server reload successful [10:48:46 root@centos8 ~]#ll /var/named/slaves/ total 4 -rw-r--r--. 1 named named 314 Jun 6 10:48 noisedu.org.zone.slave #在client测试 [10:59:53 root@noise ~]#dig www.noisedu.org @10.0.0.12 ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.noisedu.org @10.0.0.12 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51525 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 99ce5eb2ee17a8289a7f67ff60bc3c7ea3a5a2a6fdfe9536 (good) ;; QUESTION SECTION: ;www.noisedu.org. IN A ;; ANSWER SECTION: www.noisedu.org. 86400 IN A 10.0.0.22 ;; AUTHORITY SECTION: noisedu.org. 86400 IN NS ns1.noisedu.org. noisedu.org. 86400 IN NS ns2.noisedu.org. ;; ADDITIONAL SECTION: ns1.noisedu.org. 86400 IN A 10.0.0.11 ns2.noisedu.org. 
86400 IN A 10.0.0.12 ;; Query time: 0 msec ;; SERVER: 10.0.0.12#53(10.0.0.12) ;; WHEN: Sun Jun 06 11:09:52 CST 2021 ;; MSG SIZE rcvd: 156 ### 到这个地方,我们的主从DNS服务器搭建完毕,开始搭建子域 #子域A: chengdu.noisedu.org 10.0.0.13 #子域B: shenzhen.noisedu.org 10.0.0.14 #把子域加入父域的zone文件,并且修改版本号,使其能够同步到从服务器 [15:11:00 root@centos8 ~]#cat /var/named/noisedu.org.zone $TTL 1D @ IN SOA ns1 noisedu.org.zone. ( 5 ; serial 1M ; refresh 1M ; retry 1W ; expire 1D ; minimum ) NS ns1 NS ns2 chengdu NS ns3 shenzhen NS ns4 ns1 A 10.0.0.11 ns2 A 10.0.0.12 ns3 A 10.0.0.13 ns4 A 10.0.0.14 www A 10.0.0.22 blog A 10.0.0.101 [15:12:54 root@centos8 ~]#systemctl restart named # 查看从服务器是否更新 [15:13:00 root@centos8 ~]#ll /var/named/slaves/ total 4 -rw-r--r--. 1 named named 565 Jun 6 15:12 noisedu.org.zone.slave #开始设置子域chengdu.noisedu.org #首先关掉防火墙设置,安装包 # 编辑配置文件named.conf,除了注释掉listen和allow,还要把dnssec那两行改为no # 注意: recursion 为 yes 且 allow-query 被注释掉后,该服务器会应答来自任意客户端的递归查询(见下方配置文件中的英文注释),实验环境之外应把 allow-query 限制在内网地址段; dnssec-validation 改为 no 也意味着不再校验上游应答的 DNSSEC 签名 options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. 
Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ include "/etc/crypto-policies/back-ends/bind.config"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; "/etc/named.conf" 59L, 1709C written # 加上自己的zone [15:30:07 root@centos8 ~]#cat /etc/named.rfc1912.zones zone "chengdu.noisedu.org" IN { type master; file "chengdu.noisedu.org.zone"; }; #编辑自己的zone [15:18:40 root@centos8 ~]#cp -p /var/named/named.localhost /var/named/chengdu.noisedu.org.zone [15:31:06 root@centos8 ~]#vim /var/named/chengdu.noisedu.org.zone $TTL 1D @ IN SOA master admin.chengdu.noisedu.org ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS master master A 10.0.0.13 www A 1.1.1.1 www A 2.2.2.2 [15:23:38 root@centos8 ~]#systemctl restart named # 在客户机上查询 [15:25:56 root@noise ~]#dig www.chengdu.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.chengdu.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2921 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.chengdu.noisedu.org. IN A ;; ANSWER SECTION: www.chengdu.noisedu.org. 6992 IN A 1.1.1.1 www.chengdu.noisedu.org. 
6992 IN A 2.2.2.2 ;; Query time: 0 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 15:27:43 CST 2021 ;; MSG SIZE rcvd: 84 #同理子域B shenzhen.noisedu.org [15:38:02 root@noise ~]#dig www.shenzhen.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.shenzhen.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36605 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.shenzhen.noisedu.org. IN A ;; ANSWER SECTION: www.shenzhen.noisedu.org. 86400 IN A 11.11.11.11 www.shenzhen.noisedu.org. 86400 IN A 22.22.22.22 ;; Query time: 351 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 15:40:42 CST 2021 ;; MSG SIZE rcvd: 85 ########## 上述两个子域都实现了负载均衡(同一名字配置多条 A 记录,轮询应答) # 子域A: web1 1.1.1.1 web2 2.2.2.2
# 子域B: web1 11.11.11.11 web2 22.22.22.22 # 为避免子域服务器到互联网上查找根服务器等,最好加上转发到主服务器: 在从服务器上编辑配置文件/etc/named.conf,加上forward
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; };
forward first;
forwarders {10.0.0.11;};