Master/Slave and Split-Horizon ("Intelligent") DNS with BIND in One Article
2020-05-11
Stone_説
1. Setting up a master/slave DNS pair
Master DNS server centos7min: 192.168.43.141
Slave DNS server centos7min: 192.168.43.111
Test node node1: 192.168.43.128
Contents:
1.1 Master DNS server configuration
1.2 Slave DNS server configuration
1.3 Verify resolution on the master and the slave
1.4 Test the master/slave synchronisation mechanism
1.5 Tighten master/slave security
1.6 Verify master/slave high availability
1.1 Master server configuration
[root@centos7min ~]# vim /var/named/stone.com.zone
$TTL 1D
@ IN SOA ns1 admin( 2 3H 10M 12H 1H )   ; serial: must be bumped by hand after every change to the zone data, otherwise slaves will not pick the change up
    NS ns1
    NS ns2   ; more than one NS record is needed here for automatic synchronisation
ns1 A 192.168.43.141
ns2 A 192.168.43.111
ftp A 192.168.43.111
websrv A 192.168.43.128
websrv A 192.168.43.159
www CNAME websrv
@ MX 10 mailsrv
mailsrv A 1.1.1.1
[root@centos7min ~]# rndc reload   # load the configuration after editing
server reload successful
[root@centos7min slaves]# ll
-rw-r--r--. 1 named named 420 May 10 01:57 stone.com.zone.slave
[root@centos7min slaves]# ll   # the slave's zone file timestamp is refreshed immediately
-rw-r--r--. 1 named named 501 May 10 02:24 stone.com.zone.slave
[root@node1 ~]# dig -t mx stone.com @192.168.43.111   # the MX record now resolves from the slave as well
;; QUESTION SECTION:
;stone.com. IN MX
;; ANSWER SECTION:
stone.com. 86400 IN MX 10 mailsrv.stone.com.
;; AUTHORITY SECTION:
stone.com. 86400 IN NS ns1.stone.com.
stone.com. 86400 IN NS ns2.stone.com.
;; ADDITIONAL SECTION:
mailsrv.stone.com. 86400 IN A 1.1.1.1
ns1.stone.com. 86400 IN A 192.168.43.141
ns2.stone.com. 86400 IN A 192.168.43.111
1.2 Slave server setup
[root@centos7min ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
[root@centos7min ~]# vim /etc/named.rfc1912.zones
zone "stone.com" {
type slave;
masters {192.168.43.141;};
file "slaves/stone.com.zone.slave";   // relative path, resolved under /var/named
};
[root@centos7min ~]# systemctl restart named   # after the restart, stone.com.zone.slave is created automatically; its contents are transferred from the master
[root@centos7min slaves]# pwd   # the file is not a text file; the sync is one-way, so editing it on the slave does not change the master
/var/named/slaves
[root@centos7min slaves]# ls
stone.com.zone.slave
1.3 Testing
[root@centos7min ~]# iptables -F   # flush iptables on the slave; this step is mandatory, do not forget it
[root@node1 ~]# dig www.stone.com @192.168.43.141   # query the master
;; QUESTION SECTION:
;www.stone.com. IN A
;; ANSWER SECTION:
www.stone.com. 86400 IN CNAME websrv.stone.com.
websrv.stone.com. 86400 IN A 192.168.43.159
websrv.stone.com. 86400 IN A 192.168.43.128
;; AUTHORITY SECTION:
stone.com. 86400 IN NS ns1.stone.com.
;; ADDITIONAL SECTION:
ns1.stone.com. 86400 IN A 192.168.43.141
[root@node1 ~]# dig www.stone.com @192.168.43.111   # query the slave
;; QUESTION SECTION:
;www.stone.com. IN A
;; ANSWER SECTION:
www.stone.com. 86400 IN CNAME websrv.stone.com.
websrv.stone.com. 86400 IN A 192.168.43.128
websrv.stone.com. 86400 IN A 192.168.43.159
;; AUTHORITY SECTION:
stone.com. 86400 IN NS ns1.stone.com.
;; ADDITIONAL SECTION:
ns1.stone.com. 86400 IN A 192.168.43.141
1.4 Edit the master's zone file and verify the synchronisation mechanism
[root@centos7min named]# vim /var/named/stone.com.zone
[root@centos7min named]# cat /var/named/stone.com.zone
$TTL 1D
@ IN SOA ns1 admin( 1 3H 10M 12H 1H )
    NS ns1
ns1 A 192.168.43.141
ftp A 192.168.43.111
websrv A 192.168.43.128
websrv A 192.168.43.159
www CNAME websrv
@ MX 10 mailsrv
mailsrv A 1.1.1.1
[root@centos7min named]# rndc reload
server reload successful
**Now query the newly added MX record against both the master (192.168.43.141) and the slave (192.168.43.111).**
**The master resolves it but the slave does not, which means the data has not been synchronised: the MX record was added but the SOA serial was left at 1, so the slave sees no newer version to transfer.**
[root@node1 ~]# dig -t mx stone.com @192.168.43.141   # the master resolves the MX record
;; QUESTION SECTION:
;stone.com. IN MX
;; ANSWER SECTION:
stone.com. 86400 IN MX 10 mailsrv.stone.com.
;; AUTHORITY SECTION:
stone.com. 86400 IN NS ns1.stone.com.
;; ADDITIONAL SECTION:
mailsrv.stone.com. 86400 IN A 1.1.1.1
ns1.stone.com. 86400 IN A 192.168.43.141
[root@node1 ~]# dig -t mx stone.com @192.168.43.111   # the slave does not return the MX record
;; QUESTION SECTION:
;stone.com. IN MX
;; AUTHORITY SECTION:
stone.com. 3600 IN SOA ns1.stone.com. admin.stone.com. 1 10800 600 43200 3600
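As an added example (not from the original post), the following Python checks the two things this section turns on: whether a slave's SOA serial lags the master's, and whether a zone file was edited without bumping the serial. The `dig +short` answer lines and zone texts are constructed here to mirror the post; the script queries nothing.

```python
import re

# One answer line of `dig +short -t soa <zone> @<server>`:
# mname rname serial refresh retry expire minimum
DIG_SOA_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+$")
# The SOA record of a zone file, e.g. "@ IN SOA ns1 admin( 2 3H 10M 12H 1H )"
ZONE_SOA_RE = re.compile(r"\bSOA\s+\S+\s+[^\s(]+\s*\(\s*(\d+)")


def dig_soa_serial(line: str) -> int:
    """Serial from a `dig +short` SOA answer line; raises if the line is not one."""
    m = DIG_SOA_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a dig +short SOA line: {line!r}")
    return int(m.group(3))


def zone_file_serial(zone_text: str) -> int:
    """Serial from the SOA record of a BIND zone file."""
    m = ZONE_SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record found in zone text")
    return int(m.group(1))


def slave_status(master_line: str, slave_line: str) -> str:
    """'in sync' when serials match, 'stale' when the slave lags, 'ahead' otherwise."""
    master, slave = dig_soa_serial(master_line), dig_soa_serial(slave_line)
    if master == slave:
        return "in sync"
    return "stale" if slave < master else "ahead"


def edit_needs_serial_bump(old_zone: str, new_zone: str) -> bool:
    """True when the records changed but the serial did not: slaves will never transfer it."""
    def records(text):  # every non-empty line except the SOA, whitespace-normalised
        return [l.split() for l in text.splitlines() if l.strip() and "SOA" not in l]
    changed = records(old_zone) != records(new_zone)
    return changed and zone_file_serial(old_zone) == zone_file_serial(new_zone)


# Constructed samples mirroring the post: master at serial 2, slave still at serial 1
MASTER_SOA = "ns1.stone.com. admin.stone.com. 2 10800 600 43200 3600"
SLAVE_SOA = "ns1.stone.com. admin.stone.com. 1 10800 600 43200 3600"
OLD_ZONE = "$TTL 1D\n@ IN SOA ns1 admin( 1 3H 10M 12H 1H )\n    NS ns1\nns1 A 192.168.43.141\n"
NEW_ZONE = OLD_ZONE + "@ MX 10 mailsrv\nmailsrv A 1.1.1.1\n"  # MX added, serial untouched

if __name__ == "__main__":
    print("slave is", slave_status(MASTER_SOA, SLAVE_SOA))
    print("edit needs serial bump:", edit_needs_serial_bump(OLD_ZONE, NEW_ZONE))
```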
1.5 Edit the master and slave configuration to tighten security
[root@centos7min ~]# vim /etc/named.conf
options {   // on the master, add this line to the options block: the slave's IP address
allow-transfer {192.168.43.111;};
[root@centos7min slaves]# vim /etc/named.conf
options {
allow-transfer {none;};   // on the slave, change this line so the zone cannot be pulled from it
[root@centos7min slaves]# rndc reload
server reload successful
**Now a zone transfer (AXFR) from the test host fails against both the master and the slave.**
[root@localhost ~]# dig -t axfr stone.com @192.168.43.111
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> -t axfr stone.com @192.168.43.111
;; global options: +cmd
; Transfer failed.
[root@localhost ~]# dig -t axfr stone.com @192.168.43.141
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> -t axfr stone.com @192.168.43.141
;; global options: +cmd
; Transfer failed.
1.6 Verify the high availability of the master/slave pair
[root@node1 ~]# dig www.stone.com
;; QUESTION SECTION:
;www.stone.com. IN A
;; Query time: 1 msec
;; SERVER: 192.168.43.141#53(192.168.43.141)
;; WHEN: Fri Apr 24 06:17:56 2020
;; MSG SIZE rcvd: 152
[root@centos7min ~]# systemctl stop named   # stop the service on the master
[root@node1 ~]# dig www.stone.com
;www.stone.com. IN A
;; Query time: 3 msec
;; SERVER: 192.168.43.111#53(192.168.43.111)
;; WHEN: Fri Apr 24 06:18:30 2020
;; MSG SIZE rcvd: 152
[root@centos7min ~]# systemctl stop named   # stop the service on the slave
[root@node1 ~]# dig www.stone.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> www.stone.com
;; global options: +cmd
;; connection timed out; no servers could be reached
2. Building split-horizon ("intelligent") DNS with views
Contents:
2.1 Edit the master DNS configuration file
2.2 Add the per-view zone configuration files
2.3 Create the zone files for each view
2.4 Verification
2.1 Edit the configuration file on the master DNS server (192.168.43.141)
[root@centos7min etc]# vim /etc/named.conf
acl nanjingnet{
192.168.43.0/24;
192.168.44.0/24;
};
acl suqiannet{
192.168.2.0/24;
};
acl shihezinet{
any;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view view_nanjing {
match-clients { nanjingnet; };
include "/etc/named.rfc1912.zones.nj";
};
view view_suqian {
match-clients { suqiannet; };
include "/etc/named.rfc1912.zones.sq";
};
view view_shihezi {
match-clients { shihezinet; };
include "/etc/named.rfc1912.zones.shz";
};
include "/etc/named.root.key";
2.2 Edit the per-view zone configuration files on the DNS server (IP 192.168.43.141)
NOTE:
Watch the file permissions here. If the configuration itself is correct, the problem is probably group ownership,
which can be fixed with chgrp.
[root@centos7min ~]# chgrp named /etc/named.rfc1912.zones*
[root@centos7min ~]# ll /etc/named.rfc1912.zones*
-rw-r-----. 1 root named 1136 May 11 00:50 /etc/named.rfc1912.zones.nj
-rw-r-----. 1 root named 1137 May 11 00:51 /etc/named.rfc1912.zones.shz
-rw-r-----. 1 root named 1136 May 11 00:50 /etc/named.rfc1912.zones.sq
[root@centos7min ~]# cat /etc/named.rfc1912.zones.nj
zone "stone.com"{
type master;
file "stone.com.zone.nj";
};
zone "." IN {
type hint;
file "named.ca";
};
[root@centos7min ~]# cat /etc/named.rfc1912.zones.sq
zone "stone.com"{
type master;
file "stone.com.zone.sq";
};
zone "." IN {
type hint;
file "named.ca";
};
[root@centos7min ~]# cat /etc/named.rfc1912.zones.shz
zone "stone.com"{
type master;
file "stone.com.zone.shz";
};
zone "." IN {
type hint;
file "named.ca";
};
2.3 Create the zone files for each view
[root@centos7min ~]# cat /var/named/stone.com.zone.nj
$TTL 1D
@ IN SOA ns1 admin( 1 1H 1H 1D 3H )
    NS ns1
ns1 A 192.168.43.141
www A 192.168.43.100
[root@centos7min ~]# cat /var/named/stone.com.zone.sq
$TTL 1D
@ IN SOA ns1 admin( 1 1H 1H 1D 3H )
    NS ns1
ns1 A 192.168.43.141
www A 192.168.2.100
[root@centos7min ~]# cat /var/named/stone.com.zone.shz
$TTL 1D
@ IN SOA ns1 admin( 1 1H 1H 1D 3H )
    NS ns1
ns1 A 192.168.43.141
www A 4.4.4.4
**NOTE: it is best to change the group ownership of these files as well**
[root@centos7min ~]# ll /var/named/stone.com.zone*
-rw-r--r--. 1 root root 235 May 10 18:34 /var/named/stone.com.zone
-rw-r--r--. 1 root root 98 May 10 22:59 /var/named/stone.com.zone.nj
-rw-r--r--. 1 root root 91 May 10 23:01 /var/named/stone.com.zone.shz
-rw-r--r--. 1 root root 97 May 10 23:00 /var/named/stone.com.zone.sq
[root@centos7min ~]# chgrp named /var/named/stone.com.zone*
[root@centos7min ~]# ll /var/named/stone.com.zone*
-rw-r--r--. 1 root named 235 May 10 18:34 /var/named/stone.com.zone
-rw-r--r--. 1 root named 98 May 10 22:59 /var/named/stone.com.zone.nj
-rw-r--r--. 1 root named 91 May 10 23:01 /var/named/stone.com.zone.shz
-rw-r--r--. 1 root named 97 May 10 23:00 /var/named/stone.com.zone.sq
2.4 Verification
[root@node1 ~]# dig www.stone.com @192.168.43.141   # tested from the 192.168.43.0 network: the answer is 192.168.43.100, matching nanjingnet in /etc/named.conf
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> www.stone.com @192.168.43.141
;; ANSWER SECTION:
www.stone.com. 86400 IN A 192.168.43.100
[root@localhost ~]# dig www.stone.com @192.168.2.160   # with an address on the 192.168.2.0 network bridged onto the 192.168.43.141 host, the answer is 192.168.2.100, matching suqiannet in /etc/named.conf
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.stone.com @192.168.2.160
;; ANSWER SECTION:
www.stone.com. 86400 IN A 192.168.2.100
[root@centos7min ~]# dig www.stone.com @127.0.0.1   # only two networks were prepared, so this test runs on 192.168.43.141 itself against 127.0.0.1: the answer is 4.4.4.4, matching shihezinet in /etc/named.conf
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.2 <<>> www.stone.com @127.0.0.1
;; ANSWER SECTION:
www.stone.com. 86400 IN A 4.4.4.4
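Added example, not part of the original post: a small Python model of how BIND picks a view for a query source, using the three ACLs and views from the named.conf above. It reproduces the three answers seen in the verification step and goes slightly beyond the post by handling `!`-negated ACL entries and by reporting views that can never match because an earlier view's ACL is `any` (so the catch-all view must stay last); `shadowed_views` is a helper name made up here.

```python
import ipaddress

# ACLs and views exactly as declared in the post's /etc/named.conf, in file order.
ACLS = {
    "nanjingnet": ["192.168.43.0/24", "192.168.44.0/24"],
    "suqiannet": ["192.168.2.0/24"],
    "shihezinet": ["any"],
}
# (view name, match-clients ACL, A record for www.stone.com in that view's zone file)
VIEWS = [
    ("view_nanjing", "nanjingnet", "192.168.43.100"),
    ("view_suqian", "suqiannet", "192.168.2.100"),
    ("view_shihezi", "shihezinet", "4.4.4.4"),
]


def acl_matches(acl_name: str, client_ip: str, acls=ACLS) -> bool:
    """Evaluate a BIND address match list: entries are tested in order,
    `any`/`none` are keywords, and a matching `!`-prefixed entry makes the list fail."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acls[acl_name]:
        if entry == "any":
            return True
        if entry == "none":
            return False
        negated = entry.startswith("!")
        if ip in ipaddress.ip_network(entry.lstrip("!"), strict=False):
            return not negated
    return False  # nothing matched


def select_view(client_ip: str, views=VIEWS, acls=ACLS):
    """The first view (in named.conf order) whose match-clients ACL matches wins."""
    for name, acl, _ in views:
        if acl_matches(acl, client_ip, acls):
            return name
    return None  # no view matched; BIND would refuse the query


def resolve_www(client_ip: str, views=VIEWS, acls=ACLS):
    """The www.stone.com answer this client would receive, or None."""
    chosen = select_view(client_ip, views, acls)
    return next((answer for name, _, answer in views if name == chosen), None)


def shadowed_views(views=VIEWS, acls=ACLS):
    """Views that can never be selected because an earlier view's ACL contains `any`."""
    for i, (_, acl, _) in enumerate(views):
        if "any" in acls[acl]:
            return [name for name, _, _ in views[i + 1:]]
    return []


if __name__ == "__main__":
    for src in ("192.168.43.128", "192.168.2.160", "127.0.0.1"):
        print(src, "->", select_view(src), resolve_www(src))
```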