BIND installation, configuration and use
BIND: Berkeley Internet Name Domain, maintained by ISC (isc.org)
The DNS service as implemented by BIND:
Listening ports: 53/UDP and 53/TCP (UDP for ordinary queries; TCP for zone transfers and for answers too large for UDP)
Package: bind
Server daemon: named
Client tools: dig, host, nslookup (package bind-utils)
[root@stu1 ~]# yum repolist
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
repo id repo name status
base CentOS 4,184
epel CentOS 6.6 EPEL 12,922
repolist: 17,106
# yum list bind*
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
base | 3.2 kB 00:00
epel | 3.0 kB 00:00
Installed Packages
bind-libs.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6
shared libraries
bind-utils.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6
client tools (dig, host, nslookup)
Available Packages
bind.x86_64 32:9.8.2-0.30.rc1.el6 base
the server itself (named)
bind-chroot.x86_64 32:9.8.2-0.30.rc1.el6 base
hardening add-on: runs named with /var/named/chroot/ as its root directory, so a compromised named can reach only the files inside that tree
bind-dyndb-ldap.x86_64 2.3-5.el6 base
bind-libs.i686 32:9.8.2-0.30.rc1.el6 base
# yum info bind
# yum info bind-chroot
# yum install -y bind
# rpm -qc bind
BIND file layout:
Resolver configuration on the client side: /etc/resolv.conf
Service script: /etc/rc.d/init.d/named [start|stop|restart] // start | stop | restart the named service
Main configuration file: /etc/named.conf
Zone declarations included from it: /etc/named.rfc1912.zones
Zone data files: /var/named/zone_name.zone
RFC: Request for Comments (RFC 1912 is the one on common DNS configuration errors)
When something goes wrong during installation, configuration or use, work through the configuration files in this order:
Step 1: make sure the named service is running. Service script: /etc/rc.d/init.d/named [start|stop|restart] /* start | stop | restart the named service */
or: service named [start|stop|restart]
Step 2: check the main configuration file and your own settings:
vim /etc/named.conf
vim /etc/named.rfc1912.zones //(where master and slave zones are declared)
Check the configuration syntax (a troubleshooting shortcut):
#named-checkconf
#named-checkconf /etc/named.rfc1912.zones
Step 3: check the zone data file:
vim /var/named/zone_name.zone
(named-checkzone zone_name /var/named/zone_name.zone catches most zone file mistakes before you reload.)
Step 4: if there is still an error, read /var/log/messages; named logs there why the configuration or a zone failed to load.
Configuration files owned by the package (output of rpm -qc bind):
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named environment file read by the init script
# service named start //start the named service
[root@stu1 ~]# ss -tunlp |grep 53
udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",3180,512))
udp UNCONN 0 0 *:53419 *:* users:(("rpc.statd",1307,7))
udp UNCONN 0 0 ::1:53 :::* users:(("named",3180,513))
tcp LISTEN 0 3 ::1:53 :::* users:(("named",3180,21))
tcp LISTEN 0 3 127.0.0.1:53 *:* users:(("named",3180,20))
tcp LISTEN 0 128 ::1:953 :::* users:(("named",3180,23))
tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",3180,22))
Started cleanly: with the stock configuration named listens on 53/TCP and 53/UDP on the loopback addresses only, plus 953 for the rndc control channel.
The root hints file, which holds the addresses of the 13 root name servers, is one of the package's configuration files too (the last line of rpm -qc bind):
# rpm -qc bind
/var/named/named.ca
Now ping the local host:
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.1 server.magelinux.com server
Here localhost was resolved to 127.0.0.1 from /etc/hosts, not by named: the resolver consults files before dns (the hosts line in /etc/nsswitch.conf). To exercise named itself, ask it directly with dig ... @server, as done below.
Zone data files shipped with the package:
/var/named/named.localhost
/var/named/named.loopback
A caching-only DNS server therefore knows just two things out of the box:
1. the root servers: named.ca (the hints from which everything else is found by recursion)
2. localhost <----> 127.0.0.1 (forward in named.localhost, reverse in named.loopback)
#cat /etc/named.conf
//Global options: how the named process behaves
options {
//Address and port to listen on
//listen-on port 53 { 127.0.0.1; };
listen-on port 53 { 172.16.31.2; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//Who may query. The stock default is localhost only; commented out, it means any host may query
//allow-query { localhost; };
//Whether to answer recursive queries
recursion yes;
//DNSSEC. Switched off here only to keep the lab simple: an authoritative-only server does not need validation, but a resolver that serves real clients should leave dnssec-validation on
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
#Logging
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#Zones this server is responsible for; there can be any number of zone statements
zone "." IN {
type hint;
file "named.ca";
};
#Pull further files into this one
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Check the syntax of the main configuration file:
#named-checkconf
Restart named:
# service named restart
With the stock configuration unchanged, a dig from a client host gets no data: named answers, but with REFUSED, because the default allow-query { localhost; } rejects every other client:
# dig -t A localhost @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21604
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;localhost. IN A
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 07:43:13 2014
;; MSG SIZE rcvd: 27
After the edit the same query succeeds:
# dig -t A localhost @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37731
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
#aa: authoritative answer, i.e. this server serves the zone itself rather than from cache
;; QUESTION SECTION:
;localhost. IN A
;; ANSWER SECTION:
localhost. 86400 IN A 127.0.0.1
#answer section
;; AUTHORITY SECTION:
localhost. 86400 IN NS localhost.
#additional section: records the server volunteers beyond what was asked, e.g. the A records of the mail hosts on a dig -t MX google.com @172.16.0.1
;; ADDITIONAL SECTION:
localhost. 86400 IN AAAA ::1
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 07:47:33 2014
;; MSG SIZE rcvd: 85
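The two dig runs above differ in the status line and the flags line, and that is where troubleshooting starts. The following Python script is an added example, not part of the original page or of BIND: it parses dig's text output into status, flags, answering server and per-section records, then maps the result to the named.conf setting to check first. The two sample outputs embedded in it are constructed copies of the answers shown above; the mapping in diagnose() is the troubleshooting order of this page, not anything dig itself reports.

```python
import re


def parse_dig(output):
    """Parse dig's text output into status, flags, the answering server and the
    records of each section (ANSWER, AUTHORITY, ADDITIONAL)."""
    result = {"status": None, "flags": set(), "server": None, "sections": {}}
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            result["flags"] = set(re.match(r";; flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split()[2].split("#")[0]
        elif line.startswith(";"):
            # ";; ANSWER SECTION:" opens a section; other comment lines (including the
            # ";name IN A" question line) carry nothing we need
            section = line.split()[1] if line.endswith("SECTION:") else section
        elif line.strip():
            owner, ttl, _cls, rtype, *rdata = line.split()
            result["sections"].setdefault(section, []).append((owner, int(ttl), rtype, " ".join(rdata)))
        else:
            section = None  # a blank line ends the section
    return result


def diagnose(parsed, zone_expected=True):
    """Map what dig reported to the first thing to look at on the server."""
    status, flags = parsed["status"], parsed["flags"]
    answers = parsed["sections"].get("ANSWER", [])
    if status == "REFUSED":
        return "REFUSED: named was reached but this client is not allowed; check allow-query (stock default: localhost only)"
    if status == "SERVFAIL":
        return "SERVFAIL: the zone is not loaded (syntax error, or file unreadable for named); read /var/log/messages"
    if status == "NXDOMAIN":
        return "NXDOMAIN: the zone is loaded but the name is missing; check the record, $ORIGIN and trailing dots"
    if status != "NOERROR":
        return f"{status}: unexpected rcode"
    if zone_expected and "aa" not in flags:
        return "NOERROR without aa: answered from cache or by recursion, not from a zone this server holds"
    if not answers:
        return "NOERROR with an empty answer: the name exists but has no record of the requested type"
    return "OK: authoritative answer"


# Constructed samples, copied from the two dig runs shown above
REFUSED_OUTPUT = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21604
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;localhost.                     IN      A

;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
"""

OK_OUTPUT = """\
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37731
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;localhost.                     IN      A

;; ANSWER SECTION:
localhost.              86400   IN      A       127.0.0.1

;; AUTHORITY SECTION:
localhost.              86400   IN      NS      localhost.

;; ADDITIONAL SECTION:
localhost.              86400   IN      AAAA    ::1

;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
"""

if __name__ == "__main__":
    for sample in (REFUSED_OUTPUT, OK_OUTPUT):
        print(diagnose(parse_dig(sample)))
```

The same parser works on the output of a dig you pipe in from a monitoring job; the point of diagnose() is that REFUSED, SERVFAIL, NXDOMAIN and a missing aa flag each point at a different file.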
Configuring the server as master for a zone:
1. Declare the zone in the configuration
zone "zone_name" IN {
type master;
file "/path/to/zone_file.zone";
};
zone_name:
forward zone: google.com
reverse zone: the network address reversed, under in-addr.arpa
Check the configuration file:
#named-checkconf /etc/named.rfc1912.zones //(where master and slave zones are declared)
# ls /etc/named.rfc1912.zones
/etc/named.rfc1912.zones
For example (the zone name must be the full domain name and must match the $ORIGIN of the zone file):
zone "google.com" IN {
type master;
file "google.com.zone";
};
2. Write the zone data file that the zone statement refers to
It holds resource records and may begin with directives:
$TTL default TTL for records that carry none
$ORIGIN the name appended to every relative name in the file
# pwd
/var/named
#vim google.com.zone
$TTL 600
$ORIGIN google.com.
@ IN SOA ns1.google.com. nsadmin.google.com. (
        2014120901 ; serial: version number of the zone data; bump it on every change or slaves never notice
        1H         ; refresh: how often a slave checks the master for a newer serial
        5M         ; retry: how long a slave waits after a failed refresh; must be shorter than refresh
        3D         ; expire: how long a slave keeps serving the zone when it cannot reach the master at all
        3H )       ; minimum: negative-caching TTL, i.e. how long "no such record" answers may be cached
 IN NS ns1
 IN MX 10 mail1
ns1 IN A 172.16.31.2
mail1 IN A 172.16.31.2
www IN A 172.16.31.2
pop3 IN A 172.16.31.2
iamp4 IN A 172.16.31.2
(Comments in a zone file start with ';', not '//'. The host name iamp4 is a typo for imap4 that carries through the outputs below until the zone is corrected at the end.)
Set the file permissions:
#chmod 640 google.com.zone
Set the owning group:
#chown :named google.com.zone /* only root and the named group can read the file */
Check the zone file's syntax:
#named-checkzone "google.com" /var/named/google.com.zone
Reload the service:
#service named reload
Test:
#dig -t SOA google.com @172.16.31.2
#dig -t MX google.com @172.16.31.2
Client tools: dig, host, nslookup
dig:
Usage: dig [-t type] name [@SERVER] [queryoptions]
[-t type] record type to ask for
[queryoptions]
+[no]tcp use TCP instead of UDP
+[no]trace follow the whole iterative resolution from the root down
#dig -t A www.baidu.com @172.16.0.1 +trace
+[no]recurse ask for recursion or not (the RD bit)
#dig -t A www.google.com @172.16.0.1 +recurse
[-x IP] reverse lookup: resolve an IP address to a name
#dig -x 172.16.31.2 @172.16.31.2
host:
Usage: host [-t type] name [SERVER]
#host -t A www.google.com 172.16.31.2
#host -t MX google.com 172.16.31.2
nslookup:
Usage: nslookup [options] [name | - ] [server]
#nslookup
>server 172.16.31.2 server to send the queries to
>set q=a query type (case does not matter)
>www.google.com the name to look up
>set q=MX
>mail1.google.com
3. Reverse zones carry a fixed suffix, .in-addr.arpa., preceded by the network octets in reverse order
4. A reverse zone file holds SOA, NS and PTR records; it does not hold MX or A records
Building the reverse zone:
in
#vi /etc/named.rfc1912.zones
zone "31.16.172.in-addr.arpa" IN {
type master;
file "172.16.31.zone";
};
[root@stu1 named]# cat 172.16.31.zone
$TTL 600
$ORIGIN 31.16.172.in-addr.arpa.
@ IN SOA ns1.google.com. nsadmin.google.com. (
2014120901
1H
5H
3D
3H)
/* SOA record anatomy:
name: the zone name; @ stands for the current $ORIGIN
[ttl]: the TTL of the SOA record itself (optional, $TTL applies otherwise). The negative-caching TTL is the last of the five numbers, the "minimum", not this slot.
value: two names followed by the five timers:
the FQDN of the primary name server (the zone name itself is also accepted);
the zone administrator's mailbox, written with a dot in place of the @ sign, so nsadmin.google.com. means nsadmin@google.com, because @ in a zone file means the current zone name.
The retry of 5H here is longer than the 1H refresh, which defeats its purpose; retry should be the shorter of the two. */
 IN NS ns1.google.com.
2 IN PTR ns1.google.com.
2 IN PTR mail1.google.com.
2 IN PTR pop3.google.com.
2 IN PTR www.google.com.
2 IN PTR iamp4.google.com.
/* the leading 2 is the host part of 172.16.31.2 relative to $ORIGIN 31.16.172.in-addr.arpa. Several PTRs for one address are legal, but most software only uses one of them, so one PTR per address is the usual choice */
# chmod 640 172.16.31.zone
# chown :named 172.16.31.zone
# service named reload
# dig -t axfr 31.16.172.in-addr.arpa @172.16.31.2 // AXFR = full zone transfer; it dumps the whole zone, which is why allow-transfer gets restricted later on
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr 31.16.172.in-addr.arpa @172.16.31.2
;; global options: +cmd
31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800
31.16.172.in-addr.arpa. 600 IN NS ns1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR ns1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR mail1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR pop3.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR www.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR iamp4.google.com.
31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800
;; Query time: 2 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 09:20:08 2014
;; XFR size: 8 records (messages 1, bytes 241)
[root@CA ~]# host -t ptr 172.16.31.2 172.16.31.2
Using domain server:
Name: 172.16.31.2
Address: 172.16.31.2#53
Aliases:
2.31.16.172.in-addr.arpa domain name pointer www.google.com.
2.31.16.172.in-addr.arpa domain name pointer iamp4.google.com.
2.31.16.172.in-addr.arpa domain name pointer ns1.google.com.
2.31.16.172.in-addr.arpa domain name pointer mail1.google.com.
2.31.16.172.in-addr.arpa domain name pointer pop3.google.com.
[root@CA ~]# nslookup
> server 172.16.31.2
Default server: 172.16.31.2
Address: 172.16.31.2#53
> set q=ptr
> 172.16.31.2
Server: 172.16.31.2
Address: 172.16.31.2#53
2.31.16.172.in-addr.arpa name = iamp4.google.com.
2.31.16.172.in-addr.arpa name = ns1.google.com.
2.31.16.172.in-addr.arpa name = mail1.google.com.
2.31.16.172.in-addr.arpa name = pop3.google.com.
2.31.16.172.in-addr.arpa name = www.google.com.
Building a slave server:
On the master (add the NS record and the address of the slave, and bump the serial):
# vim google.com.zone
$TTL 600
$ORIGIN google.com.
@ IN SOA ns1.google.com. nsadmin.google.com. (
2014120902
1H
5H
3D
3H)
IN NS ns1
IN NS ns2
IN MX 10 mail1
ns1 IN A 172.16.31.2
ns2 IN A 172.16.31.3
mail1 IN A 172.16.31.2
www IN A 172.16.31.2
pop3 IN A 172.16.31.2
iamp4 IN A 172.16.31.2
(or iamp4 IN CNAME pop3 in place of the A record. A name may own either a CNAME or other records, never both; the "CNAME and other data" error further down is what happens when it does.)
Slave configuration: switch to the second host and copy the configuration file from 172.16.31.2.
[root@CA ~]# scp root@172.16.31.2:/etc/named.conf /etc/named.conf
root@172.16.31.2's password:
named.conf 100% 1051 1.0KB/s 00:00
[root@CA ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { 172.16.31.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@CA named]# service named reload
Reloading named: [ OK ]
[root@CA named]# ss -tunl |grep :53
udp UNCONN 0 0 172.16.31.3:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 ::1:53 :::*
tcp LISTEN 0 3 172.16.31.3:53 *:*
tcp LISTEN 0 3 127.0.0.1:53 *:*
tcp LISTEN 0 3 ::1:53 :::*
[root@CA named]# vim /etc/named.rfc1912.zones
zone "google.com" IN {
type slave;
file "slaves/google.com.zone";
masters { 172.16.31.2; };
};
On the slave, /var/named is owned by root with group named, and the group has no write permission; giving the group write permission on that directory would weaken the system, so the package provides the subdirectory slaves/ (owned by named) for the zone files received from the master.
Check the syntax:
[root@CA named]# named-checkconf
Reload the service:
# service named reload
[root@CA named]# tail /var/log/messages
Dec 9 09:31:05 CA named[3688]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 09:31:05 CA named[3688]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 09:31:05 CA named[3688]: sizing zone task pool based on 7 zones
Dec 9 09:31:05 CA named[3688]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 09:31:05 CA named[3688]: reloading configuration succeeded
Dec 9 09:31:05 CA named[3688]: reloading zones succeeded
Dec 9 09:31:05 CA named[3688]: zone google.com/IN: Transfer started.
Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: connected using 172.16.31.3#38254
Dec 9 09:31:05 CA named[3688]: zone google.com/IN: transferred serial 2014120901
Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: Transfer completed: 1 messages, 9 records, 243 bytes, 0.001 secs (243000 bytes/sec)
Only ns1 shows up, no ns2: the master's zone file was edited but never reloaded, so the slave pulled the old serial 2014120901.
[root@CA named]# ll slaves/google.com.zone
-rw-r--r-- 1 named named 428 Dec 9 09:31 slaves/google.com.zone
[root@CA named]# cat slaves/google.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
google.com IN SOA ns1.google.com. nsadmin.google.com. (
2014120901 ; serial
3600 ; refresh (1 hour)
18000 ; retry (5 hours)
259200 ; expire (3 days)
10800 ; minimum (3 hours)
)
NS ns1.google.com.
MX 10 mail1.google.com.
$ORIGIN google.com.
iamp4 A 172.16.31.2
mail1 A 172.16.31.2
ns1 A 172.16.31.2
pop3 A 172.16.31.2
www A 172.16.31.2
The master's zone file was changed but not reloaded; reload it on the master:
[root@stu1 named]# service named reload
Reloading named: [ OK ]
[root@stu1 named]# tail /var/log/messages
Dec 9 09:32:36 stu1 named[3336]: received control channel command 'reload'
Dec 9 09:32:36 stu1 named[3336]: loading configuration from '/etc/named.conf'
Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 09:32:36 stu1 named[3336]: sizing zone task pool based on 8 zones
Dec 9 09:32:36 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 09:32:36 stu1 named[3336]: reloading configuration succeeded
Dec 9 09:32:36 stu1 named[3336]: reloading zones succeeded
Dec 9 09:32:36 stu1 named[3336]: zone google.com/IN: loaded serial 2014120902
Dec 9 09:32:36 stu1 named[3336]: zone google.com/IN: sending notifies (serial 2014120902)
The log above comes from a lab that had been edited several times, so it is not a clean picture of an update. The log below, after another edit and reload, shows what a normal update looks like, and at the same time what a zone that fails to load looks like:
[root@stu1 named]# tail /var/log/messages
Dec 9 20:39:41 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 20:39:41 stu1 named[3336]: reloading configuration succeeded
Dec 9 20:39:41 stu1 named[3336]: reloading zones succeeded
Dec 9 20:39:41 stu1 named[3336]: zone 31.16.172.in-addr.arpa/IN: loaded serial 2014120903
Dec 9 20:39:41 stu1 named[3336]: dns_master_load: google.com.zone:18: imap4.google.com: CNAME and other data
Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: loading from master file google.com.zone failed: CNAME and other data
Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: not loaded due to errors.
Dec 9 20:39:41 stu1 named[3336]: zone 31.16.172.in-addr.arpa/IN: sending notifies (serial 2014120903)
Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR started
Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR ended
Two things happened there. The reverse zone loaded serial 2014120903, named sent NOTIFY, and the slave fetched it at once (logged as AXFR-style IXFR: the slave asked for an incremental transfer, but the master keeps no journal for a zone edited by hand, so it sent the full zone). The forward zone google.com did not load at all, because imap4 owned both a CNAME and an A record, so named kept serving the previously loaded serial 2014120902; the zone file has to be fixed and reloaded before the slave can pick anything new up. On the slave, google.com is at the serial from the earlier reload:
[root@CA named]# cat slaves/google.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
google.com IN SOA ns1.google.com. nsadmin.google.com. (
2014120902 ; serial
3600 ; refresh (1 hour)
18000 ; retry (5 hours)
259200 ; expire (3 days)
10800 ; minimum (3 hours)
)
NS ns1.google.com.
NS ns2.google.com.
MX 10 mail1.google.com.
$ORIGIN google.com.
iamp4 A 172.16.31.2
mail1 A 172.16.31.2
ns1 A 172.16.31.2
ns2 A 172.16.31.3
pop3 A 172.16.31.2
www A 172.16.31.2
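The zone file rules used on this page (serial, refresh/retry/expire/minimum, one CNAME per name, every in-zone NS needing an address) can be checked before a reload. The following Python script is an added example, not part of the original page or of BIND, and not a replacement for named-checkzone: it parses the subset of zone file syntax used here ($TTL, $ORIGIN, a parenthesised SOA, relative owner names, '; ' comments) and reports the mistakes that named logged above. The zone embedded in it is a constructed copy of the google.com.zone above with three mistakes built in: retry longer than refresh, an NS record (ns3) without an address, and imap4 owning both an A record and a CNAME.

```python
import re
from collections import defaultdict

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
# rdata fields that hold domain names; they are made absolute against $ORIGIN like the owner
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def parse_ttl(token):
    """BIND TTL syntax: '600', '1H', '3D' -> seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", token.lower())
    if not m:
        raise ValueError(f"not a TTL: {token!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def absolutize(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations (the multi-line SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata-tokens) tuples with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if not line[0].isspace():  # text in column 1 is a new owner; whitespace repeats the last one
            owner = absolutize(toks.pop(0), origin)
        ttl = default_ttl
        if re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):
            ttl = parse_ttl(toks.pop(0))
        if toks[0].upper() == "IN":
            toks.pop(0)
        rtype = toks.pop(0).upper()
        for i in NAME_FIELDS.get(rtype, ()):
            toks[i] = absolutize(toks[i], origin)
        records.append((owner, ttl, rtype, toks))
    return records


def lint_zone(text, origin):
    """The checks from this page that named-checkzone / named would flag."""
    apex = origin if origin.endswith(".") else origin + "."
    records, problems = parse_zone(text, origin), []
    types_at = defaultdict(set)
    for owner, _, rtype, _ in records:
        types_at[owner].add(rtype)
    for owner, types in sorted(types_at.items()):  # named: "CNAME and other data"
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME and other data ({', '.join(sorted(types - {'CNAME'}))})")
    soas = [r for r in records if r[2] == "SOA" and r[0] == apex]
    if len(soas) != 1:
        problems.append(f"{apex}: expected one SOA at the apex, found {len(soas)}")
    else:
        refresh, retry, expire = (parse_ttl(t) for t in soas[0][3][3:6])
        if retry >= refresh:
            problems.append(f"{apex}: SOA retry ({retry}s) should be shorter than refresh ({refresh}s)")
        if expire <= refresh:
            problems.append(f"{apex}: SOA expire ({expire}s) should be longer than refresh ({refresh}s)")
    has_address = {owner for owner, _, rtype, _ in records if rtype in ("A", "AAAA")}
    for owner, _, rtype, rdata in records:  # an NS inside the zone needs an address record
        if rtype == "NS" and rdata[0].endswith("." + apex) and rdata[0] not in has_address:
            problems.append(f"{owner}: NS {rdata[0]} has no address record in the zone")
    return problems


# Constructed zone modelled on google.com.zone above, with three mistakes built in
BROKEN_ZONE = """\
$TTL 600
$ORIGIN google.com.
@ IN SOA ns1.google.com. nsadmin.google.com. (
        2014120903 ; serial
        1H         ; refresh
        5H         ; retry (longer than refresh)
        3D         ; expire
        3H )       ; minimum = negative-caching TTL
  IN NS ns1
  IN NS ns2
  IN NS ns3
  IN MX 10 mail1
ns1   IN A     172.16.31.2
ns2   IN A     172.16.31.3
mail1 IN A     172.16.31.2
www   IN A     172.16.31.2
pop3  IN A     172.16.31.2
imap4 IN A     172.16.31.2
imap4 IN CNAME pop3   ; a name may not own a CNAME and anything else
"""
# The same zone with the three mistakes taken out
FIXED_ZONE = BROKEN_ZONE.replace("5H ", "5M ").replace("  IN NS ns3\n", "").replace("imap4 IN CNAME pop3", "")

if __name__ == "__main__":
    for problem in lint_zone(BROKEN_ZONE, "google.com"):
        print(problem)
```

Run it on a real file with lint_zone(open(path).read(), "google.com") before service named reload; anything it prints is something named would refuse to load or a slave would misbehave on.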
Resolving from a Windows machine:
rndc: Remote Name Daemon Control
It talks to named over a socket (TCP port 953 by default) and makes it carry out specific operations: reload, status, flush and so on
The key that authorises control of named:
[root@stu1 named]# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "X203BQ+6bQVPKfBLHXpiDw==";
};
Whoever holds this secret and can reach port 953 can reload, reconfigure or stop the server, so keep the file root:named mode 640 and treat the secrets printed on this page as lab values to be replaced.
#rndc-confgen #generates an rndc configuration: a key plus the matching named.conf stanzas
It may appear to hang:
it reads random bytes from /dev/random or /dev/urandom to make the key
#/dev/random: draws on the kernel entropy pool and blocks the process when the pool is exhausted
#/dev/urandom: draws on the same pool but never blocks; when entropy is short it keeps producing output from the kernel's pseudo-random generator
#rndc-confgen -r /dev/urandom
generates the key from /dev/urandom instead. The same secret has to appear in rndc.conf and in named.conf; the two halves are printed together so that they match
# rndc-confgen -r /dev/urandom
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "YvgyyouB/CHTCUokRe4gbw==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "YvgyyouB/CHTCUokRe4gbw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
#rndc-confgen -r /dev/urandom >/etc/rndc.conf
#vim /etc/rndc.conf
Copy the commented-out second half of the file into named.conf, uncommented, to enable management of the DNS server through rndc:
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "YvgyyouB/CHTCUokRe4gbw==";
};
controls {
inet 127.0.0.1 port 953 #only this host may control named
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
Then restart:
[root@stu1 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@stu1 named]# rndc stats #dump statistics to the statistics-file
[root@stu1 named]# rndc status #show the current status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000 #recursive clients: in use / soft limit / hard limit
tcp clients: 0/100
server is up and running
The master can now be managed with rndc locally, but the rndc client on the slave has not been set up yet. Configure it:
On the master:
controls {
inet 0.0.0.0 port 953
allow { 127.0.0.1; 172.16.31.3; 172.16.31.4; } keys { "rndc-key"; };
};
Add the slave's IP address to the allow list and make the control channel listen on all addresses (0.0.0.0). Binding to the specific interface address instead of 0.0.0.0 would expose port 953 only where it is needed; the key and the allow list still gate every command either way.
On the slave:
Copy the following part of the master's /etc/rndc.conf into /etc/rndc.conf on the slave:
key "rndc-key" {
algorithm hmac-md5;
secret "5xhClxlukK5HSJxmZ4ZV8w==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
Then change the options section in the slave's rndc.conf so that default-server points at the master (in this second lab the master is dns1 at 172.16.31.3):
key "rndc-key" {
algorithm hmac-md5;
secret "5xhClxlukK5HSJxmZ4ZV8w==";
};
options {
default-key "rndc-key";
default-server 172.16.31.3;
default-port 953;
};
Restart named:
[root@dns1 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
Check the listening sockets:
[root@dns1 named]# ss -tunl |grep 53
udp UNCONN 0 0 172.16.31.3:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 3 172.16.31.3:53 *:*
tcp LISTEN 0 3 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:953 *:*
Port 953 is now open, on every address (*:953), because the controls statement binds to 0.0.0.0.
[root@dns1 named]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Restart on the slave:
[root@dns2 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
Test that the slave can manage the master over the control channel:
[root@dns2 named]# rndc -s 172.16.31.3 status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
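What rndc-confgen produces, and why the client and server halves must carry the same secret, can be shown in a few lines of Python. This is an added example, not part of the original page or of BIND: it draws a 128-bit key from the operating system's CSPRNG (the pool /dev/urandom serves, so it never blocks, which is what rndc-confgen -r /dev/urandom achieves), renders the client-side rndc.conf and the server-side key/controls stanzas for the first lab's layout (master 172.16.31.2 accepting rndc from itself and from the slave 172.16.31.3; those addresses and the key name are taken from the page), and models the shared-secret check with a plain HMAC. The real control channel wraps each message with a nonce and a timestamp before the MAC, which is not reproduced here. hmac-md5 is kept because that is what this BIND 9.8 lab uses; newer BIND releases default to hmac-sha256.

```python
import base64
import hmac
import secrets
import textwrap


def make_rndc_secret(nbytes=16):
    """A fresh 128-bit shared secret, base64-encoded as rndc-confgen prints it.
    secrets.token_bytes reads the OS CSPRNG, the same source /dev/urandom exposes."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def render_rndc_conf(secret, server="127.0.0.1", key_name="rndc-key", algorithm="hmac-md5"):
    """Client side: /etc/rndc.conf. 'server' is where rndc connects when -s is not given."""
    return textwrap.dedent(f"""\
        key "{key_name}" {{
            algorithm {algorithm};
            secret "{secret}";
        }};
        options {{
            default-key "{key_name}";
            default-server {server};
            default-port 953;
        }};
    """)


def render_controls(secret, listen="127.0.0.1", allow=("127.0.0.1",), key_name="rndc-key", algorithm="hmac-md5"):
    """Server side: the key and controls stanzas for named.conf. Bind the control channel
    to one address rather than 0.0.0.0, and list only the hosts that may use it."""
    allow_list = " ".join(f"{a};" for a in allow)
    return textwrap.dedent(f"""\
        key "{key_name}" {{
            algorithm {algorithm};
            secret "{secret}";
        }};
        controls {{
            inet {listen} port 953
                allow {{ {allow_list} }} keys {{ "{key_name}"; }};
        }};
    """)


def control_mac(secret_b64, message, digest="md5"):
    """HMAC over a control message with the decoded shared secret: the principle behind the
    rndc channel (the real wire format also covers a nonce and a timestamp)."""
    return hmac.new(base64.b64decode(secret_b64), message, digest).digest()


def server_accepts(server_secret, client_secret, message):
    """named acts on a command only if the MAC the client sent equals the one it computes
    with its own copy of the key; a mismatched rndc.conf is rejected here."""
    return hmac.compare_digest(control_mac(server_secret, message), control_mac(client_secret, message))


if __name__ == "__main__":
    secret = make_rndc_secret()
    # master 172.16.31.2: accept rndc from itself and from the slave, on its own address only
    print(render_controls(secret, listen="172.16.31.2", allow=("127.0.0.1", "172.16.31.3")))
    # slave: rndc.conf pointing at the master with the same key
    print(render_rndc_conf(secret, server="172.16.31.2"))
```

The two rendered fragments are what the page copies by hand between the hosts; generating both from one secret in one step removes the copy-and-paste mismatch that makes rndc fail with an authentication error.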
rndc usage and commands:
#man rndc for the full manual
Syntax: rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
[-p port] {command}
#rndc -h short help
reload: reload the configuration file and all zone files
reload zone: reload only the given zone's data file
refresh zone: schedule immediate maintenance for a slave zone (an SOA check against the master)
retransfer zone: transfer the zone from the master now, without comparing serial numbers
notify zone: resend NOTIFY messages for the zone to its slaves
reconfig: reload the configuration file and load newly added zones only; existing zones are left alone
querylog: toggle query logging (off by default); queries then go to syslog
#rndc querylog
#rndc status
#tail /var/log/messages
stop: write any pending dynamic updates to the zone files, then shut named down
trace level: set the debug level; without a number it goes up by one per call, or give the level explicitly (e.g. trace 3)
notrace: set the debug level back to 0
flush: flush the server's cache
Notes:
1. In any zone that has slaves, every name server for the zone must have an NS record in the zone file.
2. The servers' clocks should agree. Zone transfers themselves do not depend on it, but rndc messages and TSIG-signed transfers carry timestamps and are rejected outside a small skew window, so keep time in sync:
#crontab -e
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
[root@stu1 named]# ntpdate 172.16.0.1
9 Dec 18:14:26 ntpdate[3844]: step time server 172.16.0.1 offset 28998.955058 sec
[root@stu1 named]# date
Tue Dec 9 18:14:28 CST 2014
[root@CA named]# ntpdate 172.16.0.1
9 Dec 18:14:04 ntpdate[3868]: step time server 172.16.0.1 offset 28999.587173 sec
[root@CA named]# date
Tue Dec 9 18:14:09 CST 2014
3. BIND versions: keep them identical where possible; if that is not possible, an older master with newer slaves works.
4. Open zone transfers to the slaves only. The slaves need to transfer, so they must be permitted explicitly, and everybody else must be refused, because a zone transfer lists every host in the zone, i.e. your network topology. With no restriction in place, any host can pull the zone:
[root@CA named]# dig -t axfr google.com @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2
;; global options: +cmd
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800
google.com. 600 IN NS ns1.google.com.
google.com. 600 IN NS ns2.google.com.
google.com. 600 IN MX 10 mail1.google.com.
iamp4.google.com. 600 IN A 172.16.31.2
mail1.google.com. 600 IN A 172.16.31.2
ns1.google.com. 600 IN A 172.16.31.2
ns2.google.com. 600 IN A 172.16.31.3
pop3.google.com. 600 IN A 172.16.31.2
www.google.com. 600 IN A 172.16.31.2
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 18:18:56 2014
;; XFR size: 11 records (messages 1, bytes 277)
Hardening BIND:
1. ACLs (access control lists):
#vi /etc/named.conf
acl acl_name {
IP;
NETWORK/PREFIXLEN;
};
Built-in ACLs:
none: matches no host
any: matches every host
localhost: every address of the server's own interfaces
localnets: every network the server has an interface on
Example:
1. Edit named.conf and add the acl statements (an acl must be defined before the first statement that uses it):
acl mynet {
172.16.31.0/24;
127.0.0.0/8;
};
acl slaveservers {
172.16.31.3;
127.0.0.1;
};
(A bare address such as 127.0.0.0 without a prefix length matches exactly that one address, not the loopback network; write 127.0.0.0/8, or use the built-in localhost.)
2. Use them in /etc/named.rfc1912.zones:
zone "google.com" IN {
type master;
file "google.com.zone";
allow-query { any; };
allow-transfer { slaveservers; };
};
zone "31.16.172.in-addr.arpa" IN {
type master;
file "172.16.31.zone";
allow-query { any; };
allow-transfer { slaveservers; };
};
[root@stu1 named]# rndc reload
server reload successful
[root@stu1 named]# tail /var/log/messages
Dec 9 21:40:14 stu1 named[4735]: received control channel command 'stats'
Dec 9 21:40:14 stu1 named[4735]: dumpstats complete
Dec 9 22:01:09 stu1 named[4735]: received control channel command 'reload'
Dec 9 22:01:09 stu1 named[4735]: loading configuration from '/etc/named.conf'
Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 22:01:09 stu1 named[4735]: sizing zone task pool based on 8 zones
Dec 9 22:01:09 stu1 named[4735]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 22:01:09 stu1 named[4735]: reloading configuration succeeded
Dec 9 22:01:09 stu1 named[4735]: reloading zones succeeded
Test from the slave, which is in the slaveservers ACL, that transfers still work (any other host now gets a transfer refused):
[root@CA named]# dig -t axfr google.com @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2
;; global options: +cmd
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800
google.com. 600 IN NS ns1.google.com.
google.com. 600 IN NS ns2.google.com.
google.com. 600 IN MX 10 mail1.google.com.
ftp.google.com. 600 IN A 172.16.31.2
imap4.google.com. 600 IN A 172.16.31.2
mail1.google.com. 600 IN A 172.16.31.2
ns1.google.com. 600 IN A 172.16.31.2
ns2.google.com. 600 IN A 172.16.31.3
pop3.google.com. 600 IN A 172.16.31.2
www.google.com. 600 IN A 172.16.31.2
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 22:05:56 2014
;; XFR size: 12 records (messages 1, bytes 297)
The same options can also be set globally in the options block of named.conf. Each takes an address match list (ACL names, addresses, networks, any, none), and an empty list means nobody:
#vi /etc/named.conf
allow-query { };
allow-transfer { };
allow-recursion { };
By default the server answers recursive queries for anyone. An authoritative server that also recurses for the whole Internet is an open resolver, which gets abused for amplification attacks and is exposed to cache poisoning, so either turn recursion off or limit it to the local networks:
#vi /etc/named.conf
//recursion yes;
allow-recursion { mynet; };
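To see how named evaluates these lists, here is an added Python model (not the page's or BIND's code) of address_match_list semantics: the first element that matches decides, a '!' element denies, no match denies, and the built-ins any/none/localhost/localnets behave as described above. The ACLs, interface addresses and allow-* settings in it are the lab's, with a bare 127.0.0.0 entry kept in mynet to show that it matches a single address rather than the loopback network; for nested acl names it is assumed here, following BIND's rule, that only a positive hit inside the nested list counts and the search otherwise continues.

```python
import ipaddress


def _element_matches(token, ip, interfaces):
    """One plain (non-nested) element of an address_match_list."""
    if token == "any":
        return True
    if token == "none":
        return False
    if token == "localhost":  # any address the server itself has
        return any(ip == iface.ip for iface in interfaces)
    if token == "localnets":  # any network the server has an interface on
        return any(ip in iface.network for iface in interfaces)
    # "172.16.31.0/24" is a prefix; a bare "127.0.0.0" is one host (/32), not a network
    return ip in ipaddress.ip_network(token, strict=False)


def _match(elements, ip, acls, interfaces):
    """First-match walk: True = positive match, False = negated match, None = no match.
    For a nested acl only a positive hit counts; anything else continues the search."""
    for element in elements:
        negated = element.startswith("!")
        token = element.lstrip("!").strip()
        if token in acls:
            if _match(acls[token], ip, acls, interfaces) is True:
                return not negated
            continue
        if _element_matches(token, ip, interfaces):
            return not negated
    return None


def allowed(elements, client, acls=None, interfaces=()):
    """Access-control reading of a match list: permitted only on a positive match."""
    return _match(elements, ipaddress.ip_address(client), acls or {}, list(interfaces)) is True


# Constructed lab data: the ACLs written above (bare 127.0.0.0 kept on purpose) and the
# interfaces of the master, 172.16.31.2
ACLS = {
    "mynet": ["172.16.31.0/24", "127.0.0.0"],
    "slaveservers": ["172.16.31.3", "127.0.0.1"],
}
INTERFACES = [ipaddress.ip_interface("127.0.0.1/8"), ipaddress.ip_interface("172.16.31.2/24")]
POLICY = {  # what the zone statements and the options block set
    "allow-query": ["any"],
    "allow-transfer": ["slaveservers"],
    "allow-recursion": ["mynet"],
}


def decide(option, client, policy=POLICY):
    """Would named grant this client the given allow-* option under POLICY?"""
    return allowed(policy[option], client, ACLS, INTERFACES)


if __name__ == "__main__":
    for option in POLICY:
        for client in ("172.16.31.3", "172.16.31.50", "127.0.0.1", "8.8.8.8"):
            print(f"{option:16} {client:14} {'allow' if decide(option, client) else 'deny'}")
```

The two negation cases in the test are the ones that bite in practice: "!172.16.31.3; 172.16.31.0/24;" excludes that host, while "172.16.31.0/24; !172.16.31.3;" does not, because the broader element matches first.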