#本次實驗共需6台主機 # 10.0.0.11 -》DNS 主服務器 noisedu.org | 子域 10.0.0.13 chengdu.noisedu.org # 10.0.0.12 -》DNS 從服務器 noisedu.org | 子域 10.0.0.14 shenzhen.noisedu.org # 10.0.0.22 -》web服務器 # 10.0.0.32 -》客戶端client #實驗之前,請先關閉所有主機的防火牆設置,否則同步服務器之間會有問題,比如后面同步主從之間的zone文件就會失敗(主從之間的zone同步走的是tcp 53端口,防火牆擋住該端口時從服務器拉不到zone文件) #安裝工具包 [09:48:15 root@centos8 ~]#yum -y install bind bind-utils #加上域名在named.conf,注釋掉listen和allow [10:00:43 root@centos8 ~]#rpm -ql bind /etc/logrotate.d/named /etc/named /etc/named.conf [10:00:53 root@centos8 ~]#vim /etc/named.conf options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; #編輯zone文件,加上主服務器 [11:18:11 root@centos8 ~]#vim /etc/named.rfc1912.zones zone "noisedu.org" IN { type master; file "noisedu.org.zone"; }; #編輯自身域file [10:03:47 root@centos8 ~]#cp -p /var/named/named.localhost /var/named/noisedu.org.zone [11:23:24 root@centos8 ~]#vim /var/named/noisedu.org.zone $TTL 1D @ IN SOA ns1 noisedu.org.zone. 
( 4 ; serial 1M ; refresh 1M ; retry 1W ; expire 1D ; minimum ) NS ns1 NS ns2 ns1 A 10.0.0.11 ns2 A 10.0.0.12 www A 10.0.0.22 blog A 10.0.0.101 #檢查文件是否有錯 [10:12:48 root@centos8 ~]#named-checkconf [10:12:56 root@centos8 ~]#named-checkzone noisedu.org /var/named/noisedu.org.zone zone noisedu.org/IN: loaded serial 20210606 OK #啟動服務 [10:34:57 root@centos8 ~]#rndc reload server reload successful #或者 [10:13:13 root@centos8 ~]#systemctl restart named #然后查看端口是否打開,tcp953是管理端口,upd53是查詢端口,tcp53是主從服務器之間的同步端口 [10:13:26 root@centos8 ~]#ss -ntul Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port udp UNCONN 0 0 10.0.0.11:53 0.0.0.0:* udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:* udp UNCONN 0 0 0.0.0.0:123 0.0.0.0:* udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:* udp UNCONN 0 0 [::]:53 [::]:* udp UNCONN 0 0 [::1]:323 [::]:* tcp LISTEN 0 10 10.0.0.11:53 0.0.0.0:* tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:* tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* tcp LISTEN 0 128 127.0.0.1:953 0.0.0.0:* tcp LISTEN 0 10 [::]:53 [::]:* tcp LISTEN 0 128 [::]:22 [::]:* tcp LISTEN 0 128 [::1]:953 [::]:* #在web服務器設置web [10:13:47 root@centos7 ~]#yum install httpd [10:14:17 root@centos7 ~]#echo www.noisedu.org > /var/www/html/index.html [10:14:46 root@centos7 ~]#systemctl start httpd #在client訪問 [10:31:01 root@noise ~]#dig www.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4546 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.noisedu.org. IN A ;; ANSWER SECTION: www.noisedu.org. 
86400 IN A 10.0.0.22 ;; Query time: 1 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 10:37:04 CST 2021 ;; MSG SIZE rcvd: 60 #######設置從服務器 #安裝軟件 [09:49:40 root@centos8 ~]#yum -y install bind bind-utils #配置named.conf [10:41:02 root@centos8 ~]#vim /etc/named.conf options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; #編輯zone文件 [11:24:09 root@centos8 ~]#vim /etc/named.rfc1912.zones zone "noisedu.org" IN { type slave; masters {10.0.0.11;}; file "slaves/noisedu.org.zone.slave"; }; #查看拉取的文件 [10:48:32 root@centos8 ~]#ll /var/named/slaves/ total 0 [10:48:38 root@centos8 ~]#rndc reload server reload successful [10:48:44 root@centos8 ~]#rndc reload server reload successful [10:48:46 root@centos8 ~]#ll /var/named/slaves/ total 4 -rw-r--r--. 1 named named 314 Jun 6 10:48 noisedu.org.zone.slave #在client測試 [10:59:53 root@noise ~]#dig www.noisedu.org @10.0.0.12 ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.noisedu.org @10.0.0.12 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51525 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 99ce5eb2ee17a8289a7f67ff60bc3c7ea3a5a2a6fdfe9536 (good) ;; QUESTION SECTION: ;www.noisedu.org. IN A ;; ANSWER SECTION: www.noisedu.org. 86400 IN A 10.0.0.22 ;; AUTHORITY SECTION: noisedu.org. 86400 IN NS ns1.noisedu.org. noisedu.org. 86400 IN NS ns2.noisedu.org. ;; ADDITIONAL SECTION: ns1.noisedu.org. 86400 IN A 10.0.0.11 ns2.noisedu.org. 
86400 IN A 10.0.0.12 ;; Query time: 0 msec ;; SERVER: 10.0.0.12#53(10.0.0.12) ;; WHEN: Sun Jun 06 11:09:52 CST 2021 ;; MSG SIZE rcvd: 156 ### 到這個地方,我們的主從DNS服務器搭建完畢,開始搭建子域 #子域A: chengdu.noisedu.org 10.0.0.13 #子域B: shenzhen.noisedu.org 10.0.0.14 #把子域加入父域的zone文件,並且修改版本號,使其能夠同步到從服務器 [15:11:00 root@centos8 ~]#cat /var/named/noisedu.org.zone $TTL 1D @ IN SOA ns1 noisedu.org.zone. ( 5 ; serial 1M ; refresh 1M ; retry 1W ; expire 1D ; minimum ) NS ns1 NS ns2 chengdu NS ns3 shenzhen NS ns4 ns1 A 10.0.0.11 ns2 A 10.0.0.12 ns3 A 10.0.0.13 ns4 A 10.0.0.14 www A 10.0.0.22 blog A 10.0.0.101 [15:12:54 root@centos8 ~]#systemctl restart named # 查看從服務器是否更新 [15:13:00 root@centos8 ~]#ll /var/named/slaves/ total 4 -rw-r--r--. 1 named named 565 Jun 6 15:12 noisedu.org.zone.slave #開始設置子域chengdu.noisedu.org #首先關掉防火牆設置,安裝包 # 編輯配置文件named.conf,除了注釋掉listen和allow,還是把dnssec那兩行改為no options { // listen-on port 53 { 127.0.0.1; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. 
Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ include "/etc/crypto-policies/back-ends/bind.config"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; "/etc/named.conf" 59L, 1709C written # 加上自己的zone [15:30:07 root@centos8 ~]#cat /etc/named.rfc1912.zones zone "chengdu.noisedu.org" IN { type master; file "chengdu.noisedu.org.zone"; }; #編輯自己的zone [15:18:40 root@centos8 ~]#cp -p /var/named/named.localhost /var/named/chengdu.noisedu.org.zone [15:31:06 root@centos8 ~]#vim /var/named/chengdu.noisedu.org.zone $TTL 1D @ IN SOA master admin.chengdu.noisedu.org ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS master master A 10.0.0.13 www A 1.1.1.1 www A 2.2.2.2 [15:23:38 root@centos8 ~]#systemctl restart named # 在客戶機上查詢 [15:25:56 root@noise ~]#dig www.chengdu.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.chengdu.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2921 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.chengdu.noisedu.org. IN A ;; ANSWER SECTION: www.chengdu.noisedu.org. 6992 IN A 1.1.1.1 www.chengdu.noisedu.org. 
6992 IN A 2.2.2.2 ;; Query time: 0 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 15:27:43 CST 2021 ;; MSG SIZE rcvd: 84 #同理子域B shenzhen.noisedu.org [15:38:02 root@noise ~]#dig www.shenzhen.noisedu.org ; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> www.shenzhen.noisedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36605 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;www.shenzhen.noisedu.org. IN A ;; ANSWER SECTION: www.shenzhen.noisedu.org. 86400 IN A 11.11.11.11 www.shenzhen.noisedu.org. 86400 IN A 22.22.22.22 ;; Query time: 351 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) ;; WHEN: Sun Jun 06 15:40:42 CST 2021 ;; MSG SIZE rcvd: 85 ########## 上述兩個子域都實現了負載均衡 # 子域A: web1 1.1.1.1 web2 2.2.2.2
# 子域B: web1 11.11.11.11 web2 22.22.22.22 # 為避免子域從互聯網找尋根服務器等,最好加上轉發到主服務器, 在從服務器上編輯配置文件/etc/named.conf,加上forward
options {
// listen-on port 53 { 127.0.0.1; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
// allow-query { localhost; };
forward first;
forwarders {10.0.0.11;};