测试环境:
硬件:一台主DNS服务器 一台从DNS服务器,一台子域DNS服务器 (一个有更改NS解析地址权限的二级域名)
系统:Centos 6.5 x86_64
BIND版本:9.9.5
下面是两台服务器的网络情况
[root@LookBack223 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."92.222.219.223 #DNS主服务器=============================================================================[root@LookBack226 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."92.222.219.226 #DNS从服务器=============================================================================[root@LookBack37 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."37.59.108.37 #DNS子域服务器 |
一、安装bind(由于现在的bind大版本有9和10,这里用9版本来测试。)
(官方下载地址:http://www.isc.org/downloads/)
[root@LookBack223 ~]# groupadd -g 153 -r named[root@LookBack223 ~]# useradd -g named -r -u 153 named#在系统上创建一个GID为153 组名为named的系统组#在系统上穿件一个UID为153 所在组为named 系统用户[root@LookBack223 ~]# yum groupinstall "Development tools" "Server Platform Development" -y#安装开发库包,不然下面是编译不了的(自己安装make等程序也是可以的,这里只是为了取巧。)[root@LookBack223 ~]# wget -4c http://www.05hd.com/wp-content/uploads/2014/08/bind-9.9.5.tar.gz[root@LookBack223 ~]# tar xf bind-9.9.5.tar.gz[root@LookBack223 ~]# cd bind-9.9.5[root@LookBack223 bind-9.9.5]# ./configure --prefix=/usr/local/bind995 --sysconfdir=/etc/named --disable-chroot --enable-threads --enable-ipv6#指定bind安装到/usr/local/bind995目录下,指定配置文件在/etc/bind995目录下,关闭chroot功能,开启threads和ipv6功能,其他用默认,这里的编译选项请根据各自的实际需求来选择。#如果能看到类似下面的信息且没有报错那么就可以继续往下走========================================================================Configuration summary:------------------------------------------------------------------------Optional features enabled: Multiprocessing support (--enable-threads) GSS-API (--with-gssapi) Print backtrace on crash (--enable-backtrace) Use symbol table for backtrace, named only (--enable-symtable) Dynamically loadable zone (DLZ) drivers: NoneFeatures disabled or unavailable on this platform: Response Rate Limiting (--enable-rrl) PKCS#11/Cryptoki support (--with-pkcs11) New statistics (--enable-newstats) Allow 'fixed' rrset-order (--enable-fixed-rrset) Automated Testing Framework (--with-atf) GOST algorithm support (--with-gost) Python tools (--with-python) XML statistics (--with-libxml2)========================================================================#开始编译[root@localhost bind-9.9.5]# make -j $(awk '/processor/{i++}}END{print i}' /proc/cpuinfo) && make install |
[root@LookBack223 ~]# dig -vDiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6[root@LookBack223 ~]# /usr/local/bind995/bin/dig -vDiG 9.9.5#系统上的虽然之前没有安装bind服务端但是客户端是有装的比如bind自带的dig程序,所以这里我们需要设置系统环境变量[root@LookBack223 ~]# echo "export PATH=/usr/local/bind/bin:/usr/local/bind/sbin:$PATH" > /etc/profile.d/bind.sh[root@LookBack223 ~]# ln -sv /usr/local/bind995 /usr/local/bind[root@LookBack223 ~]# . /etc/profile.d/bind.sh[root@LookBack223 ~]# echo $PATH/usr/lib64/qt-3.3/bin:/usr/local/bind/bin:/usr/local/bind/sbin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin[root@LookBack223 ~]# dig -vDiG 9.9.5#这时候就OK了[root@LookBack223 ~]# sed -i "$(awk '$1=="MANPATH"{n=NR}END{print n}' /etc/man.config)a MANPATHt/usr/local/bind/share/man" /etc/man.config#导出帮助手册,是系统可以直接man named命令如果有如下提示awk: 命令行:1: 致命错误: 无法以读模式打开文件“/etc/man.config”(没有那个文件或目录)sed:无法读取 /etc/man.config:没有那个文件或目录那就需要安装man[root@LookBack223 ~]# yum install man -y |
二、开始配置基础的配置文件
[root@LookBack223 ~]# cat > /etc/named/named.conf << EOFoptions { directory "/var/named"; //定义工作目录 recursion yes; //允许递归};zone "." IN { type hint; file "named.ca";};zone "localhost" IN { type master; //定义为主DNS master file "localhost.zone"; allow-update { none; }; //不允许任何人更新};zone "0.0.127.in-addr.arpa" IN {//把127.0.0反向解析 type master; file "127.0.0.zone"; allow-update { none; };};EOF[root@LookBack223 ~]# chown root:named /etc/named/named.conf[root@LookBack223 ~]# chmod 640 /etc/named/named.conf[root@LookBack223 ~]# mkdir -p /var/named/slaves[root@LookBack223 ~]# chown root:named /var/named/[root@LookBack223 ~]# chown named:named /var/named/slaves/[root@LookBack223 ~]# chmod 750 /var/named/[root@LookBack223 ~]# chmod 770 /var/named/slaves/#制作相关配置文件和设置文件对应的权限 |
下面开始来配置实现正向解析
[root@LookBack223 named]# for i in $(grep 'file' /etc/named/named.conf | awk -F'"' '{print$2}'); do touch /var/named/$i;chgrp named /var/named/$i;chmod 640 /var/named/$i;done[root@LookBack223 named]# pwd/var/named[root@LookBack223 named]# tree.├── 127.0.0.zone├── localhost.zone├── named.ca└── slaves1 directory, 3 files#到这里 几个基础的文件就都创建好了,现在需要不足文件里面的配置信息[root@LookBack223 named]# dig -t NS . @a.root-servers.net. > /var/named/named.ca#获取13台根服务器的配置文件,我们上面已经配置了将跟解析放在/var/named/named.cd,所以我么直接用dig命令将结果重定向过去就好了 |
####下面是3个文件的配置内容####[root@LookBack223 named]# cat named.ca ; > DiG 9.9.5 > -t NS . @a.root-servers.net.;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18948;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 25;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;. IN NS ;; ANSWER SECTION:. 518400 IN NS b.root-servers.net.. 518400 IN NS h.root-servers.net.. 518400 IN NS i.root-servers.net.. 518400 IN NS l.root-servers.net.. 518400 IN NS f.root-servers.net.. 518400 IN NS g.root-servers.net.. 518400 IN NS d.root-servers.net.. 518400 IN NS j.root-servers.net.. 518400 IN NS a.root-servers.net.. 518400 IN NS k.root-servers.net.. 518400 IN NS m.root-servers.net.. 518400 IN NS c.root-servers.net.. 518400 IN NS e.root-servers.net. ;; ADDITIONAL SECTION:b.root-servers.net. 3600000 IN A 192.228.79.201b.root-servers.net. 3600000 IN AAAA 2001:500:84::bh.root-servers.net. 3600000 IN A 128.63.2.53h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235i.root-servers.net. 3600000 IN A 192.36.148.17i.root-servers.net. 3600000 IN AAAA 2001:7fe::53l.root-servers.net. 3600000 IN A 199.7.83.42l.root-servers.net. 3600000 IN AAAA 2001:500:3::42f.root-servers.net. 3600000 IN A 192.5.5.241f.root-servers.net. 3600000 IN AAAA 2001:500:2f::fg.root-servers.net. 3600000 IN A 192.112.36.4d.root-servers.net. 3600000 IN A 199.7.91.13d.root-servers.net. 3600000 IN AAAA 2001:500:2d::dj.root-servers.net. 3600000 IN A 192.58.128.30j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30a.root-servers.net. 3600000 IN A 198.41.0.4a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30k.root-servers.net. 3600000 IN A 193.0.14.129k.root-servers.net. 3600000 IN AAAA 2001:7fd::1m.root-servers.net. 3600000 IN A 202.12.27.33m.root-servers.net. 3600000 IN AAAA 2001:dc3::35c.root-servers.net. 3600000 IN A 192.33.4.12c.root-servers.net. 3600000 IN AAAA 2001:500:2::ce.root-servers.net. 3600000 IN A 192.203.230.10 ;; Query time: 65 msec;; SERVER: 198.41.0.4#53(198.41.0.4);; WHEN: Wed Aug 06 05:22:48 UTC 2014;; MSG SIZE rcvd: 755 [root@LookBack223 named]# cat localhost.zone$TTL 86400@ IN SOA localhost. admin.05hd.org. ( 2014080601 3H 15M 7D 1D ) IN NS localhost. IN A 172.0.0.1[root@LookBack223 named]# cat 127.0.0.zone$TTL 86400@ IN SOA localhost. admin.05hd.org. ( 2014080601 3H 15M 7D 1D ) IN NS localhost.1 IN PTR localhost. |
[root@LookBack223 named]# chgrp named 127.0.0.zone localhost.zone named.ca[root@LookBack223 named]# chmod 640 127.0.0.zone localhost.zone named.ca[root@LookBack223 named]# lltotal 16-rw-r----- 1 root named 128 Aug 6 06:24 127.0.0.zone-rw-r----- 1 root named 124 Aug 6 06:23 localhost.zone-rw-r----- 1 root named 2177 Aug 6 06:11 named.cadrwxrwx--- 2 named named 4096 Aug 6 05:04 slaves#修改3个文件的属主属组和权限 |
[root@LookBack223 named]# named-checkconf[root@LookBack223 named]# named-checkconf /etc/named/named.conf[root@LookBack223 named]# named-checkzone "localhost" /var/named/localhost.zonezone localhost/IN: loaded serial 2014080601OK[root@LookBack223 named]# named-checkzone "0.0.127.in-addr.arpa" /var/named/127.0.0.zonezone 0.0.127.in-addr.arpa/IN: loaded serial 2014080601OK##检测配置文件如下图 |
到了这里我们就可以启动服务来测试了,但是这里的bind是我们编译安装的,编译安装是没有启动脚本的,下面制作启动脚本
将下面的内容保存为/etc/rc.d/init.d/named (注意下面的高亮的两行中的bind安装目录,我这里安装在/usr/local/bind995就用这,其安装在其他目录请根据情况做修改)
[root@LookBack223 named]# wget -c4 http://www.05hd.com/named.sh -O /etc/rc.d/init.d/named##可以用上面的命令下载启动脚本 也可以用下面的源码自建 更可以自己手写启动脚本#!/bin/bash## description: named daemon# chkconfig: - 25 80#pidFile=/usr/local/bind995/var/run/named.pidlockFile=/var/lock/subsys/namedconfFile=/etc/named/named.conf[ -r /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functionsstart() {if [ -e $lockFile ]; thenecho "named is already running..."exit 0fiecho -n "Starting named:"daemon --pidfile "$pidFile" /usr/local/bind995/sbin/named -u named -c "$confFile"RETVAL=$?echoif [ $RETVAL -eq 0 ]; thentouch $lockFilereturn $RETVALelserm -f $lockFile $pidFilereturn 1fi}stop() {if [ ! -e $lockFile ]; thenecho "named is stopped."# exit 0fiecho -n "Stopping named:"killproc namedRETVAL=$?echoif [ $RETVAL -eq 0 ];thenrm -f $lockFile $pidFilereturn 0elseecho "Cannot stop named."failurereturn 1fi}restart() {stopsleep 2start}reload() {echo -n "Reloading named: "killproc named -HUP#killall -HUP namedRETVAL=$?echoreturn $RETVAL}status() {if pidof named &> /dev/null; thenecho -n "named is running..."successechoelseecho -n "named is stopped..."successechofi}usage() {echo "Usage: named {start|stop|restart|status|reload}"}case $1 instart)start ;;stop)stop ;;restart)restart ;;status)status ;;reload)reload ;;*)usageexit 4;;esac<a href="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解45.png"><img class="attachment-medium" src="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解45.png" alt="bind使用详解45" /></a> |
[root@LookBack223 named]# chmod +x /etc/rc.d/init.d/named[root@LookBack223 named]# chkconfig --add named[root@LookBack223 named]# chkconfig named on[root@LookBack223 named]# chkconfig --list namednamed 0:off 1:off 2:on 3:on 4:on 5:on 6:off |
下面来测试启动脚本的正常与否 开始来启动named服务
[root@LookBack223 named]# service named startStarting named: [ OK ][root@LookBack223 named]# service named restartStopping named: [ OK ]Starting named: [ OK ][root@LookBack223 named]# service named stopStopping named: [ OK ][root@LookBack223 named]# service named startStarting named: [ OK ][root@LookBack223 named]# service named statusnamed is running... [ OK ] |
来看下服务器启动情况和端口监听正常不
下面两图可以看出 服务器上的dns服务器已经OK了。
三、现在来开始做域名正反向解析了
先来看看用于测试域名的为zeaxion.com
1、正向域解析配置
在/etc/named/named.conf配置文件里面追加下面的内容
zone "zeaxion.com" IN { type master; file "zeaxion.com.zone";}; |
如下图:
创建/var/named/zeaxion.com.zone文件并写好配置内容
[root@LookBack223 named]# touch /var/named/zeaxion.com.zone[root@LookBack223 named]# chgrp named /var/named/zeaxion.com.zone[root@LookBack223 named]# chmod 640 /var/named/zeaxion.com.zone[root@LookBack223 named]# cat zeaxion.com.zone$TTL 600@ IN SOA ns.zeaxion.com. admin.zeaxion.com. (;\ 上面的admin.zeaxion.com.其实邮箱地址,在这里邮箱地址不能使用@所以要使用. 2014080601 1H 10M 7D 2H ) IN NS ns.zeaxion.com. IN MX 10 mxdomain.qq.com.ns.zeaxion.com. IN A 106.186.17.185www.zeaxion.com. IN A 106.186.17.185manage.zeaxion.com. IN A 106.186.17.185 |
如下图
然后检测下配置文件可有写法格式错误
到了这里我们需要去域名注册商处将域名的ns设置成ns.zeaxion.com和ns2.zeaxion.com,设置好了之后我们来看看在互联网上这个域名的DNS解析是否OK了
[root@LookBack226 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."92.222.219.226[root@LookBack226 ~]# dig +trace -t A www.zeaxion.com; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> +trace -t A www.zeaxion.com;; global options: +cmd. 509310 IN NS e.root-servers.net.. 509310 IN NS a.root-servers.net.. 509310 IN NS l.root-servers.net.. 509310 IN NS d.root-servers.net.. 509310 IN NS b.root-servers.net.. 509310 IN NS m.root-servers.net.. 509310 IN NS h.root-servers.net.. 509310 IN NS f.root-servers.net.. 509310 IN NS g.root-servers.net.. 509310 IN NS j.root-servers.net.. 509310 IN NS c.root-servers.net.. 509310 IN NS k.root-servers.net.. 509310 IN NS i.root-servers.net.;; Received 228 bytes from 127.0.0.1#53(127.0.0.1) in 2151 mscom. 172800 IN NS a.gtld-servers.net.com. 172800 IN NS b.gtld-servers.net.com. 172800 IN NS c.gtld-servers.net.com. 172800 IN NS d.gtld-servers.net.com. 172800 IN NS e.gtld-servers.net.com. 172800 IN NS f.gtld-servers.net.com. 172800 IN NS g.gtld-servers.net.com. 172800 IN NS h.gtld-servers.net.com. 172800 IN NS i.gtld-servers.net.com. 172800 IN NS j.gtld-servers.net.com. 172800 IN NS k.gtld-servers.net.com. 172800 IN NS l.gtld-servers.net.com. 172800 IN NS m.gtld-servers.net.;; Received 493 bytes from 198.41.0.4#53(198.41.0.4) in 1180 mszeaxion.com. 172800 IN NS ns.zeaxion.com.zeaxion.com. 172800 IN NS ns2.zeaxion.com.;; Received 100 bytes from 2001:503:a83e::2:30#53(2001:503:a83e::2:30) in 23 mswww.zeaxion.com. 600 IN A 106.186.17.185zeaxion.com. 600 IN NS ns.zeaxion.com.zeaxion.com. 600 IN NS ns2.zeaxion.com.;; Received 116 bytes from 92.222.219.223#53(92.222.219.223) in 0 ms |
以上可以看出现在我们的基本的域名DNS解析已经搞定了。
2、反向域解析配置
在/etc/named/named.conf文件中加入
[root@LookBack223 named]# zone "219.222.92.in-addr.arpa" { type master; file "92.222.219.zone";}; |
创建一个/var/named/92.222.219.zone的文件,注意文件的属主数组权限,也可以用下面的命令自动生成/etc/named/named.conf配置内容需要的文件了,
[root@LookBack223 named]# for i in $(grep 'file' /etc/named/named.conf | awk -F'"' '{print$2}'); do touch /var/named/$i;chgrp named /var/named/$i;chmod 640 /var/named/$i;done |
来看下/var/named/92.222.219.zone文件怎么做反接配置的
[root@LookBack223 named]# cat !$cat 92.222.219.zone$TTL 600@ IN SOA ns.zeaxion.com. admin.zeaxion.com. ( 2014080601 1H 10M 7D 2H ) IN NS ns.zeaxion.com. IN NS ns2.zeaxion.com.219 IN PTR ns.zeaxion.com.226 IN PTR ns2.zeaxion.com.;106.186.17.185 IN PTR zeaxion.com.;106.186.17.185 IN PTR www.zeaxion.com.;106.186.17.185 IN PTR manage.zeaxion.com.####最后的3行不能用。。。请注意。。 |
接着来检测下配置文件,如果没有错误就让named重新载入下配置文件
[root@LookBack223 named]# named-checkconf[root@LookBack223 named]# named-checkzone "219.222.92.in-addr.arpa" 92.222.219.zonezone 219.222.92.in-addr.arpa/IN: loaded serial 2014080601OK[root@LookBack223 named]# service named reloadReloading named: [ OK ][root@LookBack223 named]# |
[root@LookBack226 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."92.222.219.226[root@LookBack226 ~]# dig -x 92.222.219.223 @92.222.219.223; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 92.222.219.223 @92.222.219.223;; global options: +cmd;; Got answer:;; ->>HEADER<> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t AXFR 219.222.92.in-addr.arpa @92.222.219.223;; global options: +cmd219.222.92.in-addr.arpa. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080601 3600 600 604800 7200219.222.92.in-addr.arpa. 600 IN NS ns.zeaxion.com.219.222.92.in-addr.arpa. 600 IN NS ns2.zeaxion.com.223.219.222.92.in-addr.arpa. 600 IN PTR ns.zeaxion.com.226.219.222.92.in-addr.arpa. 600 IN PTR ns2.zeaxion.com.219.222.92.in-addr.arpa. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080601 3600 600 604800 7200;; Query time: 1 msec;; SERVER: 92.222.219.223#53(92.222.219.223);; WHEN: Wed Aug 6 15:26:04 2014;; XFR size: 6 records (messages 1, bytes 201) |
到此 反向解析也配置好了。
四、配置多DNS主从复制
做主从复制的时候需要注意的几点的事情
(1)、从服务器的bind版本必须大于等于主服务器的bind版本。因为程序都是采取向下兼容的规则。如果从服务器版本低于主服务器那么很可能因为程序功能的改变导致失败
所以这里我们还是采取编译安装从服务器这样就可以保证主从服务器的bind都为同一版本。因为之前已经编译了一次 这里就不详说从服务器的编译安装过程了。直接使用下面的命令就可以了。
(2)、主从服务器的时间需要相对一致,所以我们这里给主从服务器都做NTP在线时间同步。http://www.pool.ntp.org/en/
[root@LookBack226 ~]# echo "*/3 * * * * `which ntpdate` fr.pool.ntp.org &> /dev/null" /var/spool/cron/root[root@LookBack226 ~]# ntpdate fr.pool.ntp.org 6 Aug 15:58:38 ntpdate[21702]: Can't adjust the time of day: Operation not permitted我这里由于2台测试机都是openvz的虚拟机,被机房设置不能修改时间,因为虚拟机需要和母机做同步时间,那么我这里的时间问题就无需操心了。 |
安装完毕之后还是需要重新启动下shell 或者服务器。因为系统的环境变量有改变。
[root@LookBack226 ~]# groupadd -g 153 -r named[root@LookBack226 ~]# useradd -g named -r -u 153 named[root@LookBack226 ~]# yum groupinstall "Development tools" "Server Platform Development" -y[root@LookBack226 ~]# wget -4c http://www.05hd.com/wp-content/uploads/2014/08/bind-9.9.5.tar.gz[root@LookBack226 ~]# tar xf bind-9.9.5.tar.gz[root@LookBack226 ~]# cd bind-9.9.5[root@LookBack226 bind-9.9.5]# ./configure --prefix=/usr/local/bind995 --sysconfdir=/etc/named --disable-chroot --enable-threads --enable-ipv6[root@LookBack226 bind-9.9.5]# make && make install[root@LookBack226 ~]# echo "export PATH=/usr/local/bind995/bin:/usr/local/bind995/sbin:$PATH" > /etc/profile.d/bind995.sh[root@LookBack226 ~]# sed -i "$(cat /etc/man.config | grep -nE '^MANPATH[[:space:]]+' | tail -1 | awk -F: '{print$1}')a MANPATHt/usr/local/bind995/share/man" /etc/man.config[root@LookBack226 ~]# wget -c4 http://www.05hd.com/named.sh -O /etc/rc.d/init.d/named[root@LookBack226 ~]# chmod +x /etc/rc.d/init.d/named[root@LookBack226 ~]# chkconfig --add named[root@LookBack226 ~]# chkconfig named on[root@LookBack226 ~]# chown root:named /etc/named/named.conf[root@LookBack226 ~]# chmod 640 /etc/named/named.conf[root@LookBack226 ~]# mkdir -p /var/named/slaves[root@LookBack226 ~]# chown root:named /var/named/[root@LookBack226 ~]# chown named:named /var/named/slaves/[root@LookBack226 ~]# chmod 750 /var/named/[root@LookBack226 ~]# chmod 770 /var/named/slaves/#上面的步骤做好了 新建个shell进程进服务器或者直接重启下服务器 |
上图可以看出 bind已经编译安装好了 系统环境变量也做OK了
首先来配置从服务器
[root@LookBack226 ~]# cat /etc/named/named.confoptions {listen-on port 53 { 127.0.0.1; 92.222.219.226; };//这里记得要换成从服务器的IPV4地址哦listen-on-v6 port 53 { 2001:41d0:52:300::10f8; };//这里记得要换成从服务器的IPV6地址哦directory "/var/named";//定义工作目录recursion yes;//允许递归};zone "." IN {type hint;file "named.ca";};zone "localhost" IN {type master;//设施为主 masterfile "localhost.zone";allow-update { none; };//不允许任何人更新};zone "0.0.127.in-addr.arpa" IN {//把127.0.0反向解析type master;file "127.0.0.zone";allow-update { none; };};zone "zeaxion.com" IN {type slave; //设置为从服务器file "slaves/zeaxion.com.zone"; //设置从服务器配置文件存放路径masters { 92.222.219.223; }; //配置主DNS服务器的IP地址};zone "219.222.92.in-addr.arpa" {type slave;file "slaves/92.222.219.zone";masters { 92.222.219.223; };};配置好了主配置文件后 ,和上面一样创建一个bind的启动脚本,然后启动服务。来看看从服务器上的端口监听状态<a href="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解17.png"><img class="attachment-medium" src="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解17.png" alt="bind使用详解17" /></a>然后来看看从服务器上的文件是否同步成功。。<a href="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解18.png"><img class="attachment-medium" src="http://www.dwhd.org/wp-content/uploads/2015/05/bind使用详解18.png" alt="bind使用详解18" /></a>来做下测试 |
[root@LookBack226 ~]# ifconfig | awk -F'[ :]+' '/inet addr/{print$4}' | grep -vE "^127."92.222.219.226[root@LookBack226 ~]# dig -x 92.222.219.223 @92.222.219.226; <<>> DiG 9.9.5 <<>> -x 92.222.219.223 @92.222.219.226;; global options: +cmd;; Got answer:;; ->>HEADER<> DiG 9.9.5 <<>> -x 92.222.219.226 @92.222.219.223;; global options: +cmd;; Got answer:;; ->>HEADER<> DiG 9.9.5 <<>> -t AXFR 219.222.92.in-addr.arpa @92.222.219.226;; global options: +cmd219.222.92.in-addr.arpa. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080601 3600 600 604800 7200219.222.92.in-addr.arpa. 600 IN NS ns.zeaxion.com.219.222.92.in-addr.arpa. 600 IN NS ns2.zeaxion.com.223.219.222.92.in-addr.arpa. 600 IN PTR ns.zeaxion.com.226.219.222.92.in-addr.arpa. 600 IN PTR ns2.zeaxion.com.219.222.92.in-addr.arpa. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080601 3600 600 604800 7200;; Query time: 0 msec;; SERVER: 92.222.219.226#53(92.222.219.226);; WHEN: Sat Aug 09 06:30:19 CEST 2014;; XFR size: 6 records (messages 1, bytes 201)[root@LookBack226 ~]# dig -t A www.zeaxion.com @92.222.219.223; <<>> DiG 9.9.5 <<>> -t A www.zeaxion.com @92.222.219.223;; global options: +cmd;; Got answer:;; ->>HEADER<> DiG 9.9.5 <<>> -t A www.zeaxion.com @92.222.219.226;; global options: +cmd;; Got answer:;; ->>HEADER< |
可以看出从服务器已经同步OK了。好了 到了这里 主从同步就做好了
五、DNS正向子域授权的配置
其实DNS的子域授权只需要在父域的区域解析库中添加“胶水记录”就OK
下面来说说怎么配置子域授权DNS吧
这里就不说子域授权的DNS服务器编译安装BIND和基础配置文件生成的过程了
[root@LookBack37 ~]# groupadd -g 153 -r named[root@LookBack37 ~]# useradd -g named -r -u 153 named[root@LookBack37 ~]# yum groupinstall "Development tools" "Server Platform Development" -y[root@LookBack37 ~]# wget -4c http://www.05hd.com/wp-content/uploads/2014/08/bind-9.9.5.tar.gz[root@LookBack37 ~]# tar xf bind-9.9.5.tar.gz[root@LookBack37 ~]# cd bind-9.9.5[root@LookBack37 bind-9.9.5]# ./configure --prefix=/usr/local/bind995 --sysconfdir=/etc/named --disable-chroot --enable-threads --enable-ipv6[root@LookBack37 bind-9.9.5]# make && make install[root@LookBack37 ~]# echo "export PATH=/usr/local/bind995/bin:/usr/local/bind995/sbin:$PATH" > /etc/profile.d/bind995.sh[root@LookBack37 ~]# sed -i "$(cat /etc/man.config | grep -nE '^MANPATH[[:space:]]+' | tail -1 | awk -F: '{print$1}')a MANPATHt/usr/local/bind995/share/man" /etc/man.config[root@LookBack37 ~]# wget -c4 http://www.05hd.com/named.sh -O /etc/rc.d/init.d/named[root@LookBack37 ~]# chmod +x /etc/rc.d/init.d/named[root@LookBack37 ~]# chkconfig --add named[root@LookBack37 ~]# chkconfig named on[root@LookBack37 ~]# chown root:named /etc/named/named.conf[root@LookBack37 ~]# chmod 640 /etc/named/named.conf[root@LookBack37 ~]# mkdir -p /var/named/slaves[root@LookBack37 ~]# chown root:named /var/named/[root@LookBack37 ~]# chown named:named /var/named/slaves/[root@LookBack37 ~]# chmod 750 /var/named/[root@LookBack37 ~]# chmod 770 /var/named/slaves/#上面的步骤做好了 新建个shell进程进服务器或者直接重启下服务器 |
下面来配置主DNS服务器上的/var/named/zeaxion.com.zone文件
[root@LookBack1 named]# pwd/var/named[root@LookBack1 named]# cat zeaxion.com.zone$TTL 600@ IN SOA ns.zeaxion.com. admin.zeaxion.com. (;;上面的admin.zeaxion.com.其实邮箱地址,在这里邮箱地址不能使用@所以要使用. 2014080711 1H 10M 7D 2H ) IN NS ns.zeaxion.com. IN NS ns2.zeaxion.com. IN MX 10 mxdomain.qq.com.ns.zeaxion.com. IN A 92.222.219.223ns2.zeaxion.com. IN A 92.222.219.226www.zeaxion.com. IN A 106.186.17.185web.zeaxion.com. IN A 106.186.17.185manage.zeaxion.com. IN A 106.186.17.185ops.zeaxion.com. IN NS ns.ops.zeaxion.comnsops.zeaxion.com. IN A 37.59.108.37 |
配置好了来重启下服务
[root@LookBack1 named]# /etc/init.d/named restartStopping named: [ OK ]Starting named: [ OK ] |
然后来看看效果
[root@LookBack1 named]# dig -t NS ops.zeaxion.com @92.222.219.223; <<>> DiG 9.9.5 <<>> -t NS ops.zeaxion.com @92.222.219.223;; global options: +cmd;; Got answer:;; ->>HEADER< |
是不是这时候主DNS服务器就不能解析ops.zeaxion.com的域了
但是看看下面会发现我们的FQDN是有信息的
[root@LookBack1 named]# dig -t AXFR zeaxion.com @92.222.219.226; <<>> DiG 9.9.5 <<>> -t AXFR zeaxion.com @92.222.219.226;; global options: +cmdzeaxion.com. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080713 3600 600 604800 7200zeaxion.com. 600 IN MX 10 mxdomain.qq.com.zeaxion.com. 600 IN NS ns.zeaxion.com.zeaxion.com. 600 IN NS ns2.zeaxion.com.manage.zeaxion.com. 600 IN A 106.186.17.185ns.zeaxion.com. 600 IN A 92.222.219.223ns2.zeaxion.com. 600 IN A 92.222.219.226ops.zeaxion.com. 600 IN NS ns.ops.zeaxion.com.ns.ops.zeaxion.com. 600 IN A 37.59.108.37web.zeaxion.com. 600 IN A 106.186.17.185www.zeaxion.com. 600 IN A 106.186.17.185zeaxion.com. 600 IN SOA ns.zeaxion.com. admin.zeaxion.com. 2014080713 3600 600 604800 7200;; Query time: 0 msec;; SERVER: 92.222.219.226#53(92.222.219.226);; WHEN: Sat Aug 09 11:26:22 CEST 2014;; XFR size: 12 records (messages 1, bytes 302) |
这时候我们就可以得出 虽然我们在主DNS服务器上都建立了解析 但是这时候的ops.zeaxion.com的子域主DNS服务器是不负责解析了
下面来配置子域的/etc/named/named.conf文件
[root@LookBack37 ~]# vi /etc/named/named.conf[root@LookBack37 ~]# cat !$cat /etc/named/named.confoptions { listen-on port 53 { 127.0.0.1; 37.59.108.37; }; listen-on-v6 port 53 { 2001:41d0:51:1::d1c; }; directory "/var/named"; //定义工作目录 recursion yes; //允许递归};zone "." IN { type hint; file "named.ca";};zone "localhost" IN { type master; //设施为主 master file "localhost.zone"; allow-update { none; }; //不允许任何人更新};zone "0.0.127.in-addr.arpa" IN {//把127.0.0反向解析 type master; file "127.0.0.zone"; allow-update { none; };};zone "ops.zeaxion.com" IN { type master; file "ops.zeaxion.com.zone"; //allow-update { 127.0.0.1; };}; |
再去/var/named/下创建需要的文件
[root@LookBack37 ~]# for i in $(grep 'file' /etc/named/named.conf | awk -F'"' '{print$2}'); do touch /var/named/$i;chgrp named /var/named/$i;chmod 640 /var/named/$i;done[root@LookBack37 ~]# cd /var/named/[root@LookBack37 named]# ls -ltotal 8-rw-r----- 1 root named 0 Aug 9 11:43 127.0.0.zonedrwxrwx--- 2 named named 4096 Jan 20 2014 datadrwxrwx--- 2 named named 4096 Aug 9 09:02 dynamic-rw-r----- 1 root named 0 Aug 9 11:43 localhost.zone-rw-r----- 1 root named 0 Aug 9 11:43 named.ca-rw-r----- 1 root named 0 Aug 9 11:43 ops.zeaxion.com.zone##我这里就直接用命令批量创建好了文件 等下去补充文件内容##127.0.0.zone localhost.zone named.ca 这3个文件和主从DNS服务器上文件内容是一样的 |
下面是 127.0.0.zone localhost.zone named.ca 3个文件的内容
[root@LookBack223 named]# cat 127.0.0.zone$TTL 86400@ IN SOA localhost. admin.05hd.org. ( 2014080601 3H 15M 7D 1D ) IN NS localhost.1 IN PTR localhost.[root@LookBack223 named]# cat localhost.zone$TTL 86400@ IN SOA localhost. admin.05hd.org. ( 2014080601 3H 15M 7D 1D ) IN NS localhost. IN A 127.0.0.1[root@LookBack223 named]# cat named.ca; <<>> DiG 9.9.5 <<>> -t NS . @a.root-servers.net.;; global options: +cmd;; Got answer:;; ->>HEADER< |
下面来开始配置/var/named/ops.zeaxion.com.zone的配置文件
[root@LookBack37 named]# cat ops.zeaxion.com.zone$TTL 600$ORIGIN ops.zeaxion.com.@ IN SOA ns.ops.zeaxion.com. admin.ops.zeaxion.com. ( 2014080701 ;版本号 1H ;刷新时长 5M ;每5分钟做一次重试 3D ;过期时间 3H );否定回答时间) IN NS ns ;这里ns后面不用写全了 因为第二行做了ORIGIN IN MX 10 mailns IN A 37.59.108.37mail IN A 106.186.17.185www IN A 106.186.17.185ftp IN A 106.186.17.185 |
下面来启动子域服务器上DNS服务
[root@LookBack37 named]# service named startStarting named: [ OK ] |
来测试下子域配置
[root@LookBack37 named]# dig -t A www.ops.zeaxion.com @37.59.108.37; <<>> DiG 9.9.5 <<>> -t A www.ops.zeaxion.com @37.59.108.37;; global options: +cmd;; Got answer:;; ->>HEADER<> DiG 9.9.5 <<>> -t A www.ops.zeaxion.com @92.222.219.223;; global options: +cmd;; Got answer:;; ->>HEADER< |
[root@LookBack223 named]# dig -t A www.ops.zeaxion.com; <<>> DiG 9.9.5 <<>> -t A www.ops.zeaxion.com;; global options: +cmd;; Got answer:;; ->>HEADER< |
通过上面可以看出 不论是通过子域服务器查询还是通过父域查询 都可以了,也就是说到了这里 我们的子域服务器也OK了
六、配置转发
转发器顾名思义就是转发不是本机DNS所解析的服务至指定的服务器,这时候本机就是一个转发器了。
下面来看看第一种配置,转发器
[root@LookBack37 named]# pwd/etc/named[root@LookBack37 named]# cat named.confoptions {listen-on port 53 { 127.0.0.1; 37.59.108.37; };listen-on-v6 port 53 { 2001:41d0:51:1::d1c; };directory "/var/named";//定义工作目录recursion yes;//允许递归//forward only;forward first;//only 是先递归给指定服务器,如果没有答案那么结果就是没答案,first 是先递归查询 要是没答案就自己再找一圈forwarders { 8.8.8.8; };//转发到哪个服务器上}; |
下面来看看第二种配置,转发区域(只对指定的区域做转发,其他的任然是去根上查询)
#看zone "zeaxion.com" IN段中的配置,这里做了只转发zeaxion.com域的配置[root@LookBack37 named]# pwd/etc/named[root@LookBack37 named]# cat named.confoptions { listen-on port 53 { 127.0.0.1; 37.59.108.37; }; listen-on-v6 port 53 { 2001:41d0:51:1::d1c; }; directory "/var/named"; //定义工作目录 recursion yes; //允许递归 //forward only; forward first; forwarders { 8.8.8.8; };};zone "." IN { type hint; file "named.ca";};zone "localhost" IN { type master; //设施为主 master file "localhost.zone"; allow-update { none; }; //不允许任何人更新};zone "0.0.127.in-addr.arpa" IN {//把127.0.0反向解析 type master; file "127.0.0.zone"; allow-update { none; };};zone "ops.zeaxion.com" IN { type master; file "ops.zeaxion.com.zone"; //allow-update { 127.0.0.1; };};zone "zeaxion.com" IN { type forward; forward only; forwarders { 92.222.219.223; 92.222.219.226; };}; |
下面来看看效果
[root@LookBack37 named]# dig -t A www.zeaxion.com @37.59.108.37; <<>> DiG 9.9.5 <<>> -t A www.zeaxion.com @37.59.108.37;; global options: +cmd;; Got answer:;; ->>HEADER< |