DNS Subdomain Delegation
When a domain is large and has upper and lower levels, what would it look like if every record change had to be handled by a single server? It is like a company's general manager personally handling every matter for 1000 employees: he would be worked to death. So departments are set up under the general manager, and teams under the departments, and managing one layer at a time is far easier.
DNS works the same way: it is split into domains and subdomains, and the DNS servers of the upper-level domain can hand management of a subdomain over to DNS servers inside that subdomain, which then handle that subdomain's record changes. This is called subdomain delegation.
Configuring subdomain delegation
Assume the parent domain is frank.com, served by master.frank.com (192.168.138.200), and the subdomain is mf.frank.com, served by sub.mf.frank.com (192.168.138.201).
Parent domain server configuration
All the parent needs is an NS record for the subdomain plus an A record for the subdomain's name server in its zone file. That A record is a glue record: sub.mf.frank.com lives inside the zone being delegated, so without the glue a resolver could never learn its address (it would have to ask mf.frank.com's servers, whose address is exactly what it is trying to find).
# vi /var/named/frank.com.zone
$TTL 1D
frank.com.          IN SOA master.frank.com. admin.frank.com. (
                        201802002   ; serial
                        3H          ; refresh
                        10M         ; retry
                        1W          ; expire
                        1D )        ; negative-answer TTL (how long a "no such name" answer is cached)
frank.com.          IN NS  master.frank.com.
mf.frank.com.       IN NS  sub.mf.frank.com.     ; delegation of the subdomain
master.frank.com.   IN A   192.168.138.200
sub.mf.frank.com.   IN A   192.168.138.201       ; glue record for the subdomain's name server
frank.com.          IN MX  10 mx1.frank.com.
                    IN MX  20 mx2.frank.com.
mx1.frank.com.      IN A   192.168.138.200
mx2.frank.com.      IN A   192.168.138.200
www                 IN A   192.168.138.200
web                 IN CNAME www.frank.com.
The original file also contained the line "master IN CNAME www.frank.com.". It is dropped here because master.frank.com already owns an A record, and a name that has a CNAME may carry no other data; named-checkzone rejects such a zone with "CNAME and other data". An NS target (master.frank.com here) must also be a name with address records, never a CNAME. Run named-checkzone on the file before loading it so that mistakes of this kind are caught at edit time rather than at the first failed query.
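As an added example (not part of the original post), the Python script below parses a zone file in BIND master format and applies the three delegation checks just described: an NS target inside the delegated zone must have glue, no name may mix a CNAME with other data, and no NS target may be a CNAME. The embedded zone text is the parent zone from this post, constructed inline and deliberately including the original master CNAME line so that the checker has something to report. The parser understands only the subset of master-file syntax used here ($TTL and $ORIGIN, the @ owner, blank owners that repeat the previous one, and a parenthesised SOA).

```python
"""Lint a BIND master-format zone file for delegation mistakes.

Added example (not from the original post).  Checks:
  * a delegated NS whose target lies inside the delegated zone has glue (A/AAAA);
  * no owner name carries a CNAME together with other data;
  * no NS target is a CNAME.
Only the master-file subset used in the post is understood.
"""
import re

# The parent zone from the post, constructed inline; the "master" CNAME line
# is the one BIND rejects ("CNAME and other data").
PARENT_ZONE = """\
$TTL 1D
frank.com.          IN SOA master.frank.com. admin.frank.com. (
                        201802002 ; serial
                        3H        ; refresh
                        10M       ; retry
                        1W        ; expire
                        1D )      ; negative-answer TTL
frank.com.          IN NS master.frank.com.
mf.frank.com.       IN NS sub.mf.frank.com.
master.frank.com.   IN A 192.168.138.200
sub.mf.frank.com.   IN A 192.168.138.201   ; glue for the delegation
frank.com.          IN MX 10 mx1.frank.com.
                    IN MX 20 mx2.frank.com.
mx1.frank.com.      IN A 192.168.138.200
mx2.frank.com.      IN A 192.168.138.200
www                 IN A 192.168.138.200
master              IN CNAME www.frank.com.  ; conflicts with the A record above
web                 IN CNAME www.frank.com.
"""

TTL_RE = re.compile(r'\d+[smhdwSMHDW]?')   # 600, 1D, 3H ...


def qualify(name, origin):
    """Turn a relative owner/target name into a fully qualified one."""
    if name == '@':
        return origin
    return name if name.endswith('.') else f'{name}.{origin}'


def parse_zone(text, origin):
    """Return a list of (owner, rtype, rdata_tokens) from master-file text."""
    origin = origin.rstrip('.') + '.'
    records, pending, depth, last_owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()            # drop comments
        if not line.strip() and not pending:
            continue
        depth += line.count('(') - line.count(')')      # multi-line RR (SOA)
        pending.append(line)
        if depth > 0:
            continue
        first = pending[0]
        stmt = ' '.join(pending).replace('(', ' ').replace(')', ' ')
        pending = []
        tokens = stmt.split()
        if tokens[0].startswith('$'):                   # $TTL, $ORIGIN, ...
            if tokens[0].upper() == '$ORIGIN':
                origin = qualify(tokens[1], origin)
            continue
        # a line starting with whitespace reuses the previous owner name
        owner = last_owner if first[0] in ' \t' else qualify(tokens.pop(0), origin)
        while tokens[0].upper() in ('IN', 'CH', 'HS') or TTL_RE.fullmatch(tokens[0]):
            tokens.pop(0)                               # optional TTL and class
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, tokens))
        last_owner = owner
    return records


def lint_delegations(records, origin):
    """Return human-readable findings; an empty list means the checks passed."""
    origin = origin.rstrip('.') + '.'
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    for name, types in types_at.items():
        if 'CNAME' in types and len(types) > 1:
            findings.append(f'{name}: CNAME coexists with {sorted(types - {"CNAME"})}')
    for owner, rtype, rdata in records:
        if rtype != 'NS':
            continue
        target = qualify(rdata[0], origin)
        if 'CNAME' in types_at.get(target, set()):
            findings.append(f'{owner}: NS target {target} is a CNAME')
        if owner == origin:
            continue                                    # apex NS, not a delegation
        in_bailiwick = target == owner or target.endswith('.' + owner)
        if in_bailiwick and not types_at.get(target, set()) & {'A', 'AAAA'}:
            findings.append(f'{owner}: delegated to {target} but no glue A/AAAA record')
    return findings


def check_zone(text, origin):
    """Parse and lint in one step."""
    return lint_delegations(parse_zone(text, origin), origin)


def drop_lines(text, needle):
    """Variant of a zone with the lines containing needle removed (for experiments)."""
    return '\n'.join(l for l in text.splitlines() if needle not in l) + '\n'


if __name__ == '__main__':
    for finding in check_zone(PARENT_ZONE, 'frank.com') or ['no delegation problems']:
        print(finding)
```

Running it against the zone as originally posted reports the CNAME conflict at master.frank.com and the fact that the apex NS points at that CNAME; with the master CNAME line removed it reports nothing, and removing the sub.mf.frank.com A record instead makes it flag the missing glue.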
Subdomain server configuration
The subdomain server needs a complete zone configuration of its own; its content is the same as for any master (or slave) zone.
- Add the subdomain's zone definition to /etc/named.rfc1912.zones (which /etc/named.conf includes).
# vi /etc/named.rfc1912.zones
...
zone "mf.frank.com" IN {
        type master;
        file "mf.frank.com.zone";
};
- Create the mf.frank.com.zone zone file.
# vi /var/named/mf.frank.com.zone
$TTL 600
@       IN SOA sub.mf.frank.com. admin.sub.mf.frank.com. (
                201802001   ; serial
                2H          ; refresh
                15M         ; retry
                1W          ; expire
                1D )        ; negative-answer TTL
@       IN NS  sub.mf.frank.com.
sub     IN A   192.168.138.201
www     IN A   192.168.138.201
With the configuration in place, reload it:
# rndc reload
server reload successful
On the parent server, query the A record of www.mf.frank.com. Note the flags line in the output: qr rd ra but no aa, and a TTL of 600 (the child's $TTL rather than the parent's 1D). The parent is not authoritative for mf.frank.com; it followed its own delegation and recursed to sub.mf.frank.com to obtain the answer. If recursion were disabled on the parent, the same query would return only a referral: the NS record in the AUTHORITY section plus the glue in ADDITIONAL, and no ANSWER section at all.
# dig -t A www.mf.frank.com @192.168.138.200
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.mf.frank.com @192.168.138.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mf.frank.com. IN A
;; ANSWER SECTION:
www.mf.frank.com. 600 IN A 192.168.138.201
;; AUTHORITY SECTION:
mf.frank.com. 600 IN NS sub.mf.frank.com.
;; ADDITIONAL SECTION:
sub.mf.frank.com. 600 IN A 192.168.138.201
;; Query time: 19 msec
;; SERVER: 192.168.138.200#53(192.168.138.200)
;; WHEN: Sat Feb 24 22:27:22 CST 2018
;; MSG SIZE rcvd: 95
Add a forward zone for the parent domain on the subdomain DNS server
The subdomain server is authoritative only for mf.frank.com. So that it can also resolve names in the parent domain, define frank.com as a forward zone that hands those queries to the parent's server.
# vi /etc/named.rfc1912.zones
...
zone "mf.frank.com" IN {
        type master;
        file "mf.frank.com.zone";
};
// forward queries for the parent domain to the parent DNS server
zone "frank.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.138.200; };
};
With forward only, named never tries to resolve frank.com names itself: if 192.168.138.200 is unreachable those queries fail instead of falling back to normal iterative resolution, and whatever the parent returns is accepted as-is. forward first would fall back to iterative resolution when the forwarder does not answer.
Reload the configuration again:
# rndc reload
server reload successful
On the subdomain server, resolve the A record of www.frank.com using its own DNS. As before, the answer comes back without the aa flag, and its TTL (142) is already counting down: it is a cached answer obtained through the forwarder, not data the subdomain server holds itself.
# dig -t A www.frank.com @192.168.138.201
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.frank.com @192.168.138.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.frank.com. IN A
;; ANSWER SECTION:
www.frank.com. 142 IN A 192.168.138.200
;; AUTHORITY SECTION:
frank.com. 142 IN NS master.frank.com.
;; ADDITIONAL SECTION:
master.frank.com. 142 IN A 192.168.138.200
;; Query time: 0 msec
;; SERVER: 192.168.138.201#53(192.168.138.201)
;; WHEN: Sat Feb 24 22:46:24 CST 2018
;; MSG SIZE rcvd: 95
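Both tests above succeed, yet neither output carries the aa flag, so neither proves that the delegation itself is correct: they only show that the queried server could obtain an answer by recursion or forwarding. As an added example (not from the original post), the Python below parses dig's text output and classifies a response by its flags and sections: an authoritative answer (aa set), a non-authoritative one (answer present, aa absent), or a referral (no answer, NS records in AUTHORITY). The first sample is the parent's output from the first test; the other two are constructed for this example and show what dig +norecurse against the parent and dig NS mf.frank.com against the child are expected to return when the delegation is healthy. delegation_ok compares the NS set the parent hands out in its referral with the NS set the child claims for itself, which is the classic lame-delegation check.

```python
"""Read dig output and say whether an answer is authoritative, was obtained by
recursion/forwarding, or is a referral.  Added example, not from the original post."""
import re

# Output of the post's first test (parent server, recursion on), embedded inline.
PARENT_RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;www.mf.frank.com.              IN      A
;; ANSWER SECTION:
www.mf.frank.com.       600     IN      A       192.168.138.201
;; AUTHORITY SECTION:
mf.frank.com.           600     IN      NS      sub.mf.frank.com.
;; ADDITIONAL SECTION:
sub.mf.frank.com.       600     IN      A       192.168.138.201
;; Query time: 19 msec
"""

# What the parent returns to "dig +norecurse A www.mf.frank.com @192.168.138.200":
# a referral (constructed for this example, not captured from the post's servers).
PARENT_REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
mf.frank.com.           86400   IN      NS      sub.mf.frank.com.
;; ADDITIONAL SECTION:
sub.mf.frank.com.       86400   IN      A       192.168.138.201
"""

# The child's answer to "dig NS mf.frank.com @192.168.138.201" (constructed).
CHILD_NS = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
mf.frank.com.           600     IN      NS      sub.mf.frank.com.
;; ADDITIONAL SECTION:
sub.mf.frank.com.       600     IN      A       192.168.138.201
"""


def parse_dig(text):
    """Return status, flags and the RRs of the ANSWER/AUTHORITY/ADDITIONAL sections."""
    out = {'status': None, 'flags': set(), 'ANSWER': [], 'AUTHORITY': [], 'ADDITIONAL': []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(';; ->>HEADER<<-'):
            out['status'] = re.search(r'status: (\w+)', line).group(1)
            continue
        m = re.match(r';; flags: ([^;]*);', line)
        if m:
            out['flags'] = set(m.group(1).split())
            continue
        m = re.match(r';; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:', line)
        if m:
            section = m.group(1)
            continue
        if not line or line.startswith(';'):
            if line.startswith(';;'):
                section = None                 # any other ";;" line ends a section
            continue
        if section:
            name, ttl, _cls, rtype, *rdata = line.split()
            out[section].append((name, int(ttl), rtype, ' '.join(rdata)))
    return out


def classify(resp):
    """Describe a parsed response from the delegation point of view."""
    if resp['status'] != 'NOERROR':
        return resp['status']
    auth_ns = [rr for rr in resp['AUTHORITY'] if rr[2] == 'NS']
    if resp['ANSWER'] and 'aa' in resp['flags']:
        return 'authoritative answer'
    if resp['ANSWER']:
        return 'non-authoritative answer (recursion or forwarding)'
    if auth_ns and 'aa' not in resp['flags']:
        return 'referral'
    return 'nodata'


def ns_set(resp):
    """Name servers named in the ANSWER and AUTHORITY sections."""
    return {rr[3] for rr in resp['ANSWER'] + resp['AUTHORITY'] if rr[2] == 'NS'}


def delegation_ok(parent, child):
    """Child answers authoritatively and agrees with the parent's delegation NS set."""
    return 'aa' in child['flags'] and bool(ns_set(child)) and ns_set(parent) == ns_set(child)


if __name__ == '__main__':
    for label, text in (('parent, recursive', PARENT_RECURSIVE),
                        ('parent, +norecurse', PARENT_REFERRAL),
                        ('child, NS query', CHILD_NS)):
        print(f'{label}: {classify(parse_dig(text))}')
    print('delegation consistent:', delegation_ok(parse_dig(PARENT_REFERRAL), parse_dig(CHILD_NS)))
```

The practical rule this encodes: test a delegation with dig +norecurse at the parent (expect a referral naming the child) and with an NS query at the child (expect an aa answer naming the same servers); an ordinary recursive query that happens to succeed says nothing about whether the delegation would work for anyone else.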