测试环境:
rhel1.rusky.com | 192.168.100.1 | RHEL7(辅DNS) |
rhel2.rusky.com | 192.168.100.2 | RHEL7(主DNS) |
rhdl3.rusky.com | 192.168.100.3 | RHEL6 |
一、搭建主DNS服务器
在安装前先停止系统自带的dnsmasq服务,因为该服务也用53端口,并且已经启动。否则 unbound服务无法启动。
[[email protected] ~]# netstat -antulp | grep 53 tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1403/dnsmasq udp 0 0 192.168.122.1:53 0.0.0.0:* 1403/dnsmasq udp 0 0 0.0.0.0:5353 0.0.0.0:* 678/avahi-daemon: r [[email protected] ~]# ps -ef | grep dnsmasq nobody 1403 1 0 16:12 ? 00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper root 1404 1403 0 16:12 ? 00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper root 2210 1642 0 16:32 pts/0 00:00:00 grep --color=auto dnsmasq [[email protected] ~]# kill -9 1403
然后执行#systemctl disable dnsmasq禁止开机启动。
1、安装 unbound服务
#yum install unbound -y # netstat -antulp | grep unbound --查看监听端口53 tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 10478/unbound tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 10478/unbound tcp6 0 0 ::1:53 :::* LISTEN 10478/unbound tcp6 0 0 ::1:8953 :::* LISTEN 10478/unbound udp 0 0 0.0.0.0:28416 0.0.0.0:* 10478/unbound udp 0 0 127.0.0.1:53 0.0.0.0:* 10478/unbound udp6 0 0 ::1:53 :::* 10478/unbound
2、修改主配置文件
# vi /etc/unbound/unbound.conf interface: 0.0.0.0 access-control: 0.0.0.0/0 allow username: ""
3、重启unbound服务
# systemctl restart unbound # netstat -antulp | grep unbound tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 11234/unbound tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 11234/unbound tcp6 0 0 ::1:8953 :::* LISTEN 11234/unbound udp 0 0 0.0.0.0:16314 0.0.0.0:* 11234/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 11234/unbound
4、新增配置文件
# vi /etc/unbound/local.d/rusky.com.conf local-zone:"rusky.com." static local-data:"rusky.com. 86400 IN SOA ns.rusky.com. root.rusk.com. 120000 86400 3600 10800 86400" local-data:"rusky.com. IN NS ns.rusky.com." local-data:"rusky.com. IN MX 10 mail.rusky.com." local-data:"rusky.com. IN MX 20 smtp.rusky.com." local-data:"rusky.com. IN A 192.168.100.2" local-data:"ns.rusky.com. IN A 192.168.100.2" local-data:"mail.rusky.com. IN A 192.168.100.2" local-data:"smtp.rusky.com. IN A 192.168.100.2" local-data:"ftp.rusky.com. IN A 192.168.100.2" local-data:"www.rusky.com. IN A 192.168.100.2" local-data:"rhel1.rusky.com. IN A 192.168.100.1" local-data:"rhel2.rusky.com. IN A 192.168.100.2" local-data:"rhel3.rusky.com. IN A 192.168.100.3" #lookback反向解析 local-data-ptr:"192.168.100.2 ns.rusky.com." local-data-ptr:"192.168.100.2 mail.rusky.com." local-data-ptr:"192.168.100.2 smtp.rusky.com." local-data-ptr:"192.168.100.2 ftp.ns.rusky.com." local-data-ptr:"192.168.100.2 www.ns.rusky.com." local-data-ptr:"192.168.100.1 rhel1.rusky.com." local-data-ptr:"192.168.100.2 rhel2.rusky.com." local-data-ptr:"192.168.100.3 rhel3.rusky.com."
正向解析的时候还可以这样:
local-data:"www.rusky.com. IN A 192.168.100.2" local-data:"www.rusky.com. IN A 192.168.100.3" local-data:"www.rusky.com. IN A 192.168.100.4" local-data:"www.rusky.com. IN A 192.168.100.5"
一个域名指向多个主机IP,这样每次解析都会指向不同的主机,实现一个简单的负载均衡功能。
========================================================
说明:
local-zone:"rusky.com." static //定义一个域 local-data:"rusky.com. 86400 IN SOA ns.rusky.com. root.rusk.com. 120000 86400 3600 10800 86400" //主辅DNS服务器进行数据同步的控制参数 86400 //TTL资源记录的生存时间。 IN //表示标准DNS的internet类。 SOA //起始授权(Start Of Authority)记录,每个区域都有一条SOA记录,用于指定本区域内负责解析的DNS服务器中哪个是主授权服务器,以及管理区域的负责人的邮箱地址和主、辅授权DNS服务器之间实现数据同步的控制参数。 ns.rusky.com. //定义域内主DNS服务器。ns.rusky.com不是主机名,ns表示所有的域名,比如mail.rusky.com,www.rusky.com,bbs.rusky.com等。 root.rusk.com. //邮箱地址,不需要带@符号 120000 //每次修改区域记录时,都会增加序列号的值,它是辅授权DNS服务器更新数据的依据。 辅助DNS服务器跟主DNS服务器同步时才用到。当master服务器DNS信息有变化时,该值加1,而辅助DNS服务器检查到该值有变化时,就会进行数据同步。这个数不是固定的。生产尽量设置6位数以上。 86400 //(1天) 刷新时间。每隔一天跟主DNS服务器同步一次数据。 辅授权DNS服务器根据此时间间隔周期性地检查主授权DNS服务器的序列号是否改变,若有改变则更新自己的区域记录(以秒为单位) 3600 //(1小时)重试延时。如果前一次同步失败,则隔1小时候再去同步。 10800 //(3小时) 如果同步三次都失败,则不再同步。 86400 //DNS缓存时间。因为前边几次都同步失败了,所以86400秒后,辅助DNS服务器将失效。 MX 10 MX 20 //这两行是优先级别,值越小,优先级越高。 (邮件交换(Mail Exchange)记录,用于将属于该区域的邮件域(即邮箱地址@后面的字符串)映射到邮件服务器的域名。 ) |
重启unbound服务。
# systemctl restart unbound
5、修改网卡DNS配置指向rhel2
修改三台服务器的DNS都指向192.168.100.2
6、测试DNS解析
[[email protected] ~]# ping rhel2.rusky.com -c 2 PING rhel2.rusky.com (192.168.100.2) 56(84) bytes of data. 64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.193 ms 64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.350 ms --- rhel2.rusky.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1001ms rtt min/avg/max/mdev = 0.193/0.271/0.350/0.080 ms [[email protected] ~]# ping www.rusky.com -c 2 PING www.rusky.com (192.168.100.2) 56(84) bytes of data. 64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.278 ms 64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.357 ms --- www.rusky.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1002ms rtt min/avg/max/mdev = 0.278/0.317/0.357/0.043 ms [[email protected] ~]# nslookup > mail.rusky.com Server: 192.168.100.2 Address: 192.168.100.2#53 Name: mail.rusky.com Address: 192.168.100.2 > 192.168.100.3 Server: 192.168.100.2 Address: 192.168.100.2#53 3.100.168.192.in-addr.arpa name = rhel3.rusky.com. > rhel2.rusky.com Server: 192.168.100.2 Address: 192.168.100.2#53 Name: rhel2.rusky.com Address: 192.168.100.2 > 192.168.100.1 Server: 192.168.100.2 Address: 192.168.100.2#53 1.100.168.192.in-addr.arpa name = rhel1.rusky.com. >
二、搭建辅DNS服务器
同上,先停止并禁用dnsmasq服务,再安装unbound服务,然后修改主配置文件的三个参数。
#yum install unbound -y
# vi /etc/unbound/unbound.conf
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
username: "“
然后新增配置文件rusky.com.conf,修改内容如下:
# vi /etc/unbound/local.d/rusky.com.conf
[[email protected] ~]# cat /etc/unbound/local.d/rusky.com.conf domain-insecure:"rusky.com." forward-zone: name:"." forward-addr:"192.168.100.2"
说明:
当客户机到192.168.100.1来请求DNS解析时,则转发到192.168.100.2服务器进行解析,如果解析成功,则缓存一份到本地。以后其它机器再到192.168.100.2来请求DNS解析时,则不需要转发了,直接使用本地缓存的数据。
再加上一句:
domain-insecure:"rusky.com"
表示不需要进行安全检测。
同时,主DNS 192.168.100.2 服务器上的该配置文件里也需要加上这行参数。
然后都重启unbound服务。
测试:
rtt min/avg/max/mdev = 0.196/0.196/0.196/0.000 ms [[email protected] ~]# hostname rhel3.rusky.com [[email protected] ~]# cat /etc/resolv.conf # Generated by NetworkManager search rusky.com nameserver 192.168.100.1
[[email protected] ~]# ping rhel1.rusky.com PING rhel1.rusky.com (192.168.100.1) 56(84) bytes of data. 64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.275 ms ^C --- rhel1.rusky.com ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 713ms rtt min/avg/max/mdev = 0.275/0.275/0.275/0.000 ms [[email protected] ~]# ping www.rusky.com -c 2 PING www.rusky.com (192.168.100.2) 56(84) bytes of data. 64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=1.22 ms 64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.677 ms --- www.rusky.com ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time 1003ms rtt min/avg/max/mdev = 0.677/0.949/1.221/0.272 ms [[email protected] ~]# nslookup > rhel1.rusky.com Server: 192.168.100.1 Address: 192.168.100.1#53 Non-authoritative answer: Name: rhel1.rusky.com Address: 192.168.100.1 >
停止rhel2上的unbound服务后,再到rhel3来测试DNS解析:
[[email protected] ~]# nslookup > mail.rusky.com Server: 192.168.100.1 Address: 192.168.100.1#53 ** server can‘t find mail.rusky.com.rusky.com: SERVFAIL > rhel2.rusky.com ;; connection timed out; trying next origin Server: 192.168.100.1 Address: 192.168.100.1#53 ** server can‘t find rhel2.rusky.com.rusky.com: SERVFAIL > www.rusky.com Server: 192.168.100.1 Address: 192.168.100.1#53 Non-authoritative answer: Name: www.rusky.com Address: 192.168.100.2 >
说明,当主DNS服务rhel2停止后,从rhel3服务器到rhel1进行DNS解析时,只能解析已缓存到本地的记录。而之前未解析过的,也就是未缓存到rhel1的,则解析失败。