接上一篇:CentOS6服务管理之DNS-本地DNS服务器的搭建
下面我们来搭建主从DNS服务器
实验环境:
CentOS release 6.6(Final) 两台
IP地址:
172.16.31.3 DNS1 主DNS服务器端
172.16.31.4 DNS2 从DNS服务器端
我们要架设一个DNS服务器一般需要下面三个软件程序包:
bind-libs.x86_64 #提供库文件
bind-utils.x86_64 #提供工具包
bind.x86_64 #提供主程序包
我还没使用安全套件,所以没有使用bind-chroot程序包。
chroot 环境为了系统的安全性考虑,一般来说目前各主要 distributions 都已经自动的将你的 bind 相关程序给他 chroot 了。
在上一篇博客中我已经搭建好了一个本地DNS服务器,能够实现正向反向解析,那么我们只需要加入一台从DNS服务器即可完成,我们来开始配置主从服务器:
一.主DNS服务器上面的额外配置:
[root@dns1 named]# cat oracle.com.zone $TTL 600 $ORIGIN oracle.com. @ IN SOA ns.oracle.com. root.oracle.com. ( 2014121002 ;serial 1D ;refresh 5M ;retry 1W ;expiry 1H) ;minimum @ IN NS ns.oracle.com. IN NS ns1.oracle.com. IN MX 5 mail.oracle.com. ns IN A 172.16.31.3 ns1 IN A 172.16.31.4 www IN A 172.16.31.3 www IN A 172.16.31.4 mail IN A 172.16.31.3 pop3 IN A 172.16.31.3 iamp4 IN A 172.16.31.3
二.从DNS服务器的配置
切记需要安装好bind包哦!
主配置文件的配置:
我们可以将主DNS服务器的主配置文件/etc/named.conf复制一份到从DNS服务器上,方便,很偷懒的做法—_—!
测试主从之间的网络连通性:
[root@dns2 ~]# ping -c 3 172.16.31.3 PING 172.16.31.3 (172.16.31.3) 56(84) bytesof data. 64 bytes from 172.16.31.3: icmp_seq=1ttl=64 time=2.16 ms 64 bytes from 172.16.31.3: icmp_seq=2ttl=64 time=0.519 ms ^C --- 172.16.31.3 ping statistics --- 2 packets transmitted, 2 received, 0%packet loss, time 1306ms rtt min/avg/max/mdev = 0.519/1.343/2.167/0.824ms
复制主DNS服务器的主配置文件到从服务器:
[root@dns2 ~]# scproot@172.16.31.3:/etc/named.conf /etc/named.conf The authenticity of host ‘172.16.31.3(172.16.31.3)‘ can‘t be established. RSA key fingerprint isb8:a4:da:03:91:67:32:2f:d5:72:0b:77:3b:6f:ba:30. Are you sure you want to continueconnecting (yes/no)? yes Warning: Permanently added ‘172.16.31.3‘(RSA) to the list of known hosts. root@172.16.31.3‘s password: named.conf 100%1008 1.0KB/s 00:00
查看配置文件,详细说明在上一篇博客:
[root@dns2 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package toconfigure the ISC BIND named(8) DNS
// server as a caching only nameserver (asa localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ forexample named configuration files.
//
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
logging {
channel default_debug {
file"data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include"/etc/named.rfc1912.zones";
include "/etc/named.root.key";
从服务器区域配置文件:/etc/named.rfc1912.zones
在下面添加一个从DNS区域:
由于从服务器上/var/named/目录的权限是属主root属组named,且属组named没有写权限;如果给这个目录写权限就会造成系统的不安全;所以软件定义了目录下有个slaves文件,来保存从主服务器接收的配置文件
[root@dns2 named]# vim/etc/named.rfc1912.zones
zone "oracle.com" IN {
type slave;
file "slaves/oracle.com.zone";
masters { 172.16.31.3; };
};
zone "31.16.172.in-addr-arpa" IN{
type slave;
file "slaves/172.16.31.zone";
masters { 172.16.31.3; };
};
检查一下语法正确与否:
[root@dns2 named]# named-checkconf [root@dns2 named]# named-checkconf/etc/named.rfc1912.zones
三.从DNS服务器启动和错误解析
[root@dns2 named]# service named start Generating /etc/rndc.key: [ OK ] Starting named: [ OK ]
我写错了配置文件将31.16.172.in-addr.arpa写成了31.16.172.in-addr-arpa来进行排错:
我们查看一下从服务器的日志,从日志中可以看出有传输错误:
[root@dns2 named]# tail /var/log/messages Dec 10 09:31:30 dns2 named[25953]: zonelocalhost/IN: loaded serial 0 Dec 10 09:31:30 dns2 named[25953]:managed-keys-zone ./IN: loaded serial 0 Dec 10 09:31:30 dns2 named[25953]: running Dec 10 09:31:30 dns2 named[25953]: error(network unreachable) resolving ‘./DNSKEY/IN‘: 2001:500:1::803f:235#53 Dec 10 09:31:30 dns2 named[25953]: error(network unreachable) resolving ‘./NS/IN‘: 2001:500:1::803f:235#53 Dec 10 09:31:30 dns2 named[25953]: zone31.16.172.in-addr-arpa/IN: refresh: non-authoritative answer from master172.16.31.3#53 (source 0.0.0.0#0) Dec 10 09:31:31 dns2 named[25953]: zoneoracle.com/IN: Transfer started. Dec 10 09:31:31 dns2 named[25953]: transferof ‘oracle.com/IN‘ from 172.16.31.3#53: connected using 172.16.31.4#55664 Dec 10 09:31:31 dns2 named[25953]: zoneoracle.com/IN: transferred serial 2014121001 Dec 10 09:31:31 dns2 named[25953]: transferof ‘oracle.com/IN‘ from 172.16.31.3#53: Transfer completed: 1 messages, 10records, 254 bytes, 0.006 secs (42333 bytes/sec)
从DNS服务器从主DNS服务器接收正向反向区域解析库文件到本地slaves目录,但是传输成功的只有正向区域文件,进行排错。
然后我在主DNS上重启服务了:
[root@dns1 named]# service named restart Stopping named: [ OK ] Starting named: [ OK ] [root@dns1 named]# tail /var/log/messages Dec 10 09:32:57 dns1 named[26720]: zone31.16.172.in-addr.arpa/IN: loaded serial 2014121001 Dec 10 09:32:57 dns1 named[26720]: zone1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:loaded serial 0 Dec 10 09:32:57 dns1 named[26720]: zoneoracle.com/IN: loaded serial 2014121002 Dec 10 09:32:57 dns1 named[26720]: zonelocalhost.localdomain/IN: loaded serial 0 Dec 10 09:32:57 dns1 named[26720]: zonelocalhost/IN: loaded serial 0 Dec 10 09:32:57 dns1 named[26720]:managed-keys-zone ./IN: loaded serial 6 Dec 10 09:32:57 dns1 named[26720]: running Dec 10 09:32:57 dns1 named[26720]: zoneoracle.com/IN: sending notifies (serial 2014121002) Dec 10 09:32:57 dns1 named[26720]: client172.16.31.4#53252: transfer of ‘oracle.com/IN‘: AXFR-style IXFR started Dec 10 09:32:57 dns1 named[26720]: client172.16.31.4#53252: transfer of ‘oracle.com/IN‘: AXFR-style IXFR ended
从上面的日志中看出传输完成的只有“oracle.com.zone”文件,而”31.16.172.in-addr-arpa“这个区域的认证文件没有应答;传输是主DNS主动增量更新文件并推送文件到从服务器的。
我们将/etc/named.rfc1912.zones文件中的错误修复,再次重置一下named服务:
[root@dns2 named]# service named reload Reloading named: [ OK ] [root@dns2 named]# tail/var/log/messages Dec 10 09:40:53 dns2 named[25953]: usingdefault UDP/IPv6 port range: [1024, 65535] Dec 10 09:40:53 dns2 named[25953]: sizingzone task pool based on 8 zones Dec 10 09:40:53 dns2 named[25953]: Warning:‘empty-zones-enable/disable-empty-zone‘ not set: disabling RFC 1918 empty zones Dec 10 09:40:53 dns2 named[25953]: zone31.16.172.in-addr-arpa/IN: (slave) removed Dec 10 09:40:53 dns2 named[25953]:reloading configuration succeeded Dec 10 09:40:53 dns2 named[25953]:reloading zones succeeded Dec 10 09:40:53 dns2 named[25953]: zone31.16.172.in-addr.arpa/IN: Transfer started. Dec 10 09:40:53 dns2 named[25953]: transferof ‘31.16.172.in-addr.arpa/IN‘ from 172.16.31.3#53: connected using 172.16.31.4#37022 Dec 10 09:40:53 dns2 named[25953]: zone31.16.172.in-addr.arpa/IN: transferred serial 2014121001 Dec 10 09:40:53 dns2 named[25953]: transferof ‘31.16.172.in-addr.arpa/IN‘ from 172.16.31.3#53: Transfer completed: 1messages, 10 records, 268 bytes, 0.001 secs (268000 bytes/sec)
从上面看出我们的反向区域解析库文件传输成功了。
错误解决。
查看一下有米有传过来:
[root@dns2 named]# ls slaves/ 172.16.31.zone oracle.com.zone
四.从DNS服务器测试
除了dig命令和host命令,还有nslookup命令可以测试DNS服务器的状态,并且windows平台也有这个工具,我们就先在windows物理机平台来测试一下哦!
成功是成功了!但是反向解析的时候ns1.oracle.com去哪里了哦@_@!
原来我们在主服务器上只配置了正向区域解析库文件;反向区域解析库文件忘记配置了o(∩_∩)o 哈哈
我们去配置一下哦@
[root@dns1 named]# cat 172.16.31.zone $TTL 600 $ORIGIN 31.16.172.in-addr.arpa. @ IN SOA ns.oracle.com. root.oracle.com. ( 2014121002 ;serial 1D ;refresh 5M ;retry 1W ;expiry 1H) ;minimum @ IN NS ns.oracle.com. IN NS ns1.oracle.com. IN MX 5 mail.oracle.com. 3 IN PTR ns.oracle.com. 4 IN PTR ns1.oracle.com. 3 IN PTR www.oracle.com. 4 IN PTR www.oracle.com. 3 IN PTR mail.oracle.com. 3 IN PTR pop3.oracle.com. 3 IN PTR iamp4.oracle.com.
注意:序列号要加1 哦@
由于更改了配置文件,需要重启服务哦!
[root@dns1 named]# service named restart Stopping named: [ OK ] Starting named: [ OK ] [root@dns1 named]# tail /var/log/messages Dec 10 09:59:39 dns1 named[26814]: zone1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:loaded serial 0 Dec 10 09:59:39 dns1 named[26814]: zoneoracle.com/IN: loaded serial 2014121002 Dec 10 09:59:39 dns1 named[26814]: zonelocalhost.localdomain/IN: loaded serial 0 Dec 10 09:59:39 dns1 named[26814]: zonelocalhost/IN: loaded serial 0 Dec 10 09:59:39 dns1 named[26814]:managed-keys-zone ./IN: loaded serial 6 Dec 10 09:59:39 dns1 named[26814]: running Dec 10 09:59:39 dns1 named[26814]: zone31.16.172.in-addr.arpa/IN: sending notifies (serial 2014121002) Dec 10 09:59:39 dns1 named[26814]: zoneoracle.com/IN: sending notifies (serial 2014121002) Dec 10 09:59:39 dns1 named[26814]: client172.16.31.4#39152: transfer of ‘31.16.172.in-addr.arpa/IN‘: AXFR-style IXFRstarted Dec 10 09:59:39 dns1 named[26814]: client172.16.31.4#39152: transfer of ‘31.16.172.in-addr.arpa/IN‘: AXFR-style IXFRended
我们再次测试一下反向解析哦!
从上面看解析都是成功的哦!
其实也可以使用Linux里面的命令来测试の!o(∩_∩)o 哈哈
到这里我们的构建主从DNS服务器就完成了!
接下来将介绍一下BIND程序中的RNDC和BIND的安全配置
本文出自 “龙之守护” 博客,请务必保留此出处http://sohudrgon.blog.51cto.com/3088108/1588545
原文地址:http://sohudrgon.blog.51cto.com/3088108/1588545
