Environment:
node1.cn: slave
node2.cn: master
1. Package installation
[root@node2 ~]# yum -y install bind
[root@node2 ~]# rpm -ivh /mnt/Packages/bind-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm
[root@node2 ~]# rpm -ivh /mnt/Packages/bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64.rp
2. Starting the service
[root@node2 ~]# service named restart
Mount information after the DNS service has started:
[root@node2 ~]# mount
/dev/sda2 on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
/dev/sr0 on /mnt type iso9660 (ro)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
3. Local NIC eth0 configuration
DEVICE=eth0
TYPE=Ethernet
ONBOOT=yes
NM_CONTROLLED=yes
BOOTPROTO=none
HWADDR=00:0c:29:47:1b:4A
IPADDR=192.168.31.102
PREFIX=24
GATEWAY=192.168.31.1
DNS1=192.168.31.102
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
DNS1 points at the host's own address, so this machine resolves through the named instance configured below.
4. Service configuration files
[root@node2 ~]# ls /etc/named.conf        # main configuration file
With bind-chroot installed, named runs under /var/named/chroot, so the copy edited here is the one inside the chroot:
[root@node2 ~]# vim /var/named/chroot/etc/named.conf
The options block holds the global configuration:
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "node2.cn" IN {            // declare the zone
        type master;
        file "node2.cn.zone";   // zone data file, relative to the "directory" option
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Caveat: listen-on { any; } together with allow-query { any; } and recursion yes, with no allow-recursion statement, makes this an open recursive resolver for every host that can reach port 53 (BIND derives allow-recursion from allow-query when neither allow-recursion nor allow-query-cache is set). On a server that should only recurse for the LAN, add allow-recursion { 192.168.31.0/24; localhost; }; or, on a purely authoritative server, set recursion no.
Creating a new zone file
[root@node2 named]# cp -rp named.localhost node2.cn.zone   # -p keeps owner and mode, so named can read the copy as it reads named.localhost
[root@node2 named]# vim node2.cn.zone
Original file contents:
$TTL 1D
@       IN SOA  @ rname.invalid. (      ; SOA (start of authority) record
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
Contents after editing:
$TTL 1D                                         ; default TTL (cache time) for records without their own
@       IN SOA  ns.node2.cn. root.node2.cn. (   ; SOA record; each zone has exactly one
                                0       ; serial, set by hand (bump it on every change or slaves will not re-transfer)
                                1D      ; refresh interval
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum (negative-caching TTL)
        NS      ns.node2.cn.
ns      A       192.168.31.102                  ; A record for the name server
www     A       192.168.31.102                  ; A record for the web server
mail    A       192.168.31.101                  ; mail host
www.zabbix.lexue.cc     CNAME   jiankong.lexue.cc.      ; alias
Note on trailing dots: in a zone file a name without a trailing dot is relative to the zone origin. The original text wrote the SOA contact as root.node2.cn, which named expands to root.node2.cn.node2.cn.; the trailing dot is added above. The same applies to the CNAME owner www.zabbix.lexue.cc, which in this zone becomes www.zabbix.lexue.cc.node2.cn., not the lexue.cc name it appears to be. Run named-checkzone node2.cn node2.cn.zone before reloading.
Restart the named service:
[root@node2 named]# /etc/init.d/named restart
Verification
[root@node2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.31.102
Basic configuration of the local DNS server is complete.
Enabling forwarding so that names this server is not authoritative for can be resolved
[root@node2 ~]# vim /var/named/chroot/etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        #dnssec-enable yes;
        #dnssec-validation yes;
        #dnssec-lookaside auto;         // commented out in the original; this switches DNSSEC validation off (see below)
        forward only;                   // forward every non-authoritative query instead of iterating from the root hints
        forwarders { 114.114.114.114; };        // upstream resolver to forward to
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
Two corrections to the original description. First, recursion yes is what lets this server answer for names it does not hold, and with the root hints zone "." it already does so by iterating from the root servers; nothing has to be switched on for iterative lookups. What forward only changes is that every non-authoritative query goes to 114.114.114.114 instead, and the server answers SERVFAIL when the forwarder does not reply. Second, commenting out the dnssec-* options does not enable anything: it disables DNSSEC validation, so answers relayed by the forwarder are accepted without any signature check. The usual reason for doing this is that a forwarder which does not return DNSSEC records makes validation fail; the better fix is a DNSSEC-capable forwarder (or recursion without forwarding) with dnssec-validation left at yes.
Master/slave DNS configuration
On the master, allow the zone to be transferred to the slave:
zone "node2.cn" IN {
        type master;
        file "node2.cn.zone";
        allow-transfer { 192.168.31.0/24; };    // network the slave lives on
};
allow-transfer { 192.168.31.0/24; } lets every host on that subnet pull the whole zone with AXFR, which hands anyone on the LAN the complete host list. Name only the slave's address (for example allow-transfer { 192.168.31.101; }; if the slave is node1 at that address) or, better, require a TSIG key as in the key-authentication section further down. Without any allow-transfer statement BIND's default allows transfers from anywhere.
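The three named.conf points raised above (open recursion in the options block, DNSSEC validation commented out for forwarding, and allow-transfer open to a whole subnet) are the kind of thing worth checking mechanically before a restart. The following is an added example written for this page, not part of BIND or of the original post: a small audit script with its own constructed named.conf sample modelled on the fragments above. The parser handles only the top-level `options`/`zone` statements and the settings it looks for; the hardening thresholds (a `/` prefix in allow-transfer, `any` in the effective recursion ACL) are this example's own choices.

```python
"""Audit a BIND named.conf for the settings discussed above (open recursion,
DNSSEC validation, zone transfer ACLs). Constructed example, not BIND's own tooling."""
import re

# Constructed sample modelled on the options/zone fragments above; not a real server's file.
SAMPLE_CONF = """
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    #dnssec-validation yes;        // commented out, as in the forwarding step above
    forward only;
    forwarders { 114.114.114.114; };
};
zone "node2.cn" IN {
    type master;
    file "node2.cn.zone";
    allow-transfer { 192.168.31.0/24; };
};
zone "node1.cn" IN {
    type master;
    file "node1.cn.zone";
};
"""


def strip_comments(text):
    """named.conf accepts C (/* */), C++ (//) and shell (#) comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    i = 0
    while True:
        j = text.find("{", i)
        if j < 0:
            return
        header = text[i:j].strip().lstrip(";").strip()
        depth, k = 0, j
        while k < len(text):
            if text[k] == "{":
                depth += 1
            elif text[k] == "}":
                depth -= 1
                if depth == 0:
                    break
            k += 1
        yield header, text[j + 1:k]
        i = k + 1


def setting(body, name):
    """Value of `name value;` (string) or `name { a; b; };` (list) directly inside body, else None."""
    m = re.search(r"(?<![\w-])%s\b\s*(\{[^}]*\}|[^;{]*);" % re.escape(name), body)
    if not m:
        return None
    value = m.group(1).strip()
    if value.startswith("{"):
        return [e.strip() for e in value[1:-1].split(";") if e.strip()]
    return value


def audit(conf_text):
    """Return a list of findings (strings) for the config text."""
    findings = []
    for header, body in top_level_blocks(strip_comments(conf_text)):
        if header == "options":
            recursion = setting(body, "recursion") or "yes"   # BIND default is yes
            # BIND derives allow-recursion from allow-query-cache, then allow-query,
            # then localnets/localhost; allow-query { any; } alone therefore opens recursion.
            allow_rec = (setting(body, "allow-recursion") or setting(body, "allow-query-cache")
                         or setting(body, "allow-query") or ["localnets", "localhost"])
            if recursion == "yes" and "any" in allow_rec:
                findings.append("options: open resolver (recursion yes and recursion allowed from any)")
            if setting(body, "dnssec-validation") != "yes":
                findings.append("options: dnssec-validation is not explicitly yes; "
                                "forwarded answers are accepted without validation")
        elif header.startswith("zone"):
            zone = header.split()[1].strip('"')
            if setting(body, "type") != "master":
                continue
            xfer = setting(body, "allow-transfer")
            if xfer is None:
                findings.append("zone %s: no allow-transfer; BIND's default allows AXFR from any host" % zone)
            elif "any" in xfer or any("/" in e for e in xfer):
                findings.append("zone %s: allow-transfer %s permits AXFR from a whole network; "
                                "restrict it to the slave address or a TSIG key" % (zone, xfer))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Run against the sample it reports all four problems; feed it the real file (after `named-checkconf -p`, which prints the parsed configuration with includes expanded) to check a live server.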
Configuring the slave DNS server
[root@node1 ~]# yum -y install bind*
[root@node1 ~]# /etc/init.d/named restart       # start the service
Add the slave zone to named.conf on the slave:
zone "node2.cn" IN {
        type slave;
        file "slaves/node2.cn.zone.file";       // transferred copy; the path is relative to the "directory" option and must be writable by named
        masters { 192.168.31.102; };            // master to pull the zone from
};
Adding host records
Zone file for node1.cn (declared as a master zone in the key-authentication section below):
$TTL 1D
@       IN SOA  ns.node1.cn. root.node1.cn. (
                                0       ; serial
                                1D      ; refresh, the default interval at which slaves re-check the serial
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      ns.node1.cn.
ns      A       192.168.31.101
www     A       192.168.31.101
www.node1.cn    CNAME   jiankong.lexue.cc.
As in the node2.cn zone, the contact name needs its trailing dot (added here). The CNAME owner www.node1.cn has no trailing dot either, so it defines www.node1.cn.node1.cn.; if www.node1.cn. was intended, that name already carries an A record, and a CNAME cannot share a name with other records.
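The trailing-dot mistakes in both zone files above (the SOA contact and the CNAME owners) are easiest to see by expanding names the way named does. The block below is an added example for this page, not code from BIND or the original post; it parses a constructed copy of the node2.cn zone as originally written and prints every record with absolute names plus a warning for each multi-label name that lacks a trailing dot. It covers the record types used on this page (SOA, NS, A, AAAA, CNAME) plus MX and PTR, handles the parenthesised SOA and `$ORIGIN`, and ignores other directives.

```python
"""Expand the names in a zone file the way named does: a name without a trailing dot
is relative to the zone origin. Added example (not BIND code) for the node2.cn and
node1.cn zone files above."""
import re

# Constructed zone text modelled on the node2.cn example above, as originally written
# (i.e. with the missing trailing dots).
ZONE_TEXT = """\
$TTL 1D
@   IN SOA ns.node2.cn. root.node2.cn (
        0   ; serial
        1D  ; refresh
        1H  ; retry
        1W  ; expire
        3H ) ; minimum
    NS  ns.node2.cn.
ns  A   192.168.31.102
www A   192.168.31.102
mail A  192.168.31.101
www.zabbix.lexue.cc CNAME jiankong.lexue.cc.
"""

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)
# rdata fields that hold domain names, by record type (index into the rdata token list)
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def logical_lines(text):
    """Strip ';' comments and join lines enclosed in ( ... ) into one record line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def fqdn(name, origin):
    """Absolute form of a zone-file name: '@' is the origin, 'x.' stays, 'x' gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return "%s.%s" % (name, origin)


def parse_zone(text, origin):
    """Return (records, warnings). records = [(owner, TYPE, [rdata...])] with every name absolute;
    warnings flag multi-label names without a trailing dot, the usual sign of a forgotten dot."""
    if not origin.endswith("."):
        origin += "."
    records, warnings, owner = [], [], origin

    def absolute(name, where):
        if name != "@" and not name.endswith(".") and "." in name:
            warnings.append("%s: '%s' has no trailing dot, so named reads it as %s"
                            % (where, name, fqdn(name, origin)))
        return fqdn(name, origin)

    for line in logical_lines(text):
        if line.startswith("$"):
            if line.startswith("$ORIGIN"):
                origin = fqdn(line.split()[1], origin)
            continue                      # $TTL and other directives carry no names
        tokens = line.split()
        if not line[0].isspace():         # a new owner; otherwise the previous owner is reused
            owner = absolute(tokens.pop(0), "owner")
        if tokens and TTL_RE.match(tokens[0]):
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):
            tokens.pop(0)
        if tokens and TTL_RE.match(tokens[0]):    # the TTL may also follow the class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = absolute(rdata[i], "%s %s rdata" % (owner, rtype))
        records.append((owner, rtype, rdata))
    return records, warnings


if __name__ == "__main__":
    recs, warns = parse_zone(ZONE_TEXT, "node2.cn")
    for rec in recs:
        print(rec)
    for warn in warns:
        print("WARNING", warn)
```

For the sample it reports root.node2.cn becoming root.node2.cn.node2.cn. and www.zabbix.lexue.cc becoming www.zabbix.lexue.cc.node2.cn.; named-checkzone accepts both silently because they are syntactically valid, which is why this kind of lint is worth keeping next to it.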
Key-authenticated DNS master/slave (TSIG)
1. Synchronise the servers' clocks
A TSIG signature carries a timestamp, and BIND rejects a signed request whose time differs from its own clock by more than the key's fudge (300 seconds by default), so master and slave must agree on the time.
[root@node1 ~]# yum -y install ntpdate
[root@node1 ~]# ntpdate 0.rhel.pool.ntp.org      # one-off sync; ntpdate takes the server name directly ("server ..." is ntp.conf syntax, not an ntpdate argument)
[root@node1 ~]# /etc/init.d/ntpd restart
[root@node1 ~]# crontab -e
no crontab for root - using an empty one
0 5 * * * /usr/sbin/ntpdate 192.168.31.102       # re-sync against the master daily at 05:00
2. Generate the key for master/slave authentication (run on the master)
[root@node2 ~]# dnssec-keygen -a hmac-md5 -b 128 -n HOST xyz
-a algorithm; -b key length in bits; -n name type; xyz is the key name
[root@node2 ~]# ls
Kxyz.+157+02502.key
Kxyz.+157+02502.private
The original calls these the public and private key, but a TSIG key is a shared secret: both files contain the same base64 string (the Key: line of the .private file and the KEY record data of the .key file), and that string is what goes into the secret field of the key statement on both servers. Treat both files as secrets and delete them once the value is in named.conf. HMAC-MD5 is deprecated; the same command with -a HMAC-SHA256 -b 256 produces a key that BIND 9.8 also accepts (algorithm hmac-sha256; in the key statement).
Edit the master's main configuration file:
key xyzkey {
        algorithm hmac-md5;
        secret "OWH6FbG9P2Op5CTEqi5muQ==";
};
zone "node1.cn" IN {
        type master;
        file "node1.cn.zone";
        allow-transfer { key xyzkey; };     // only requests signed with this key may transfer the zone
};
Two fixes relative to the original: the key statement was missing its closing };, and allow-transfer referred to abckey, a key that is never defined, which named-checkconf rejects as an unknown key. The dnssec-enable, dnssec-validation and dnssec-lookaside options the original listed here belong to DNSSEC validation and have no bearing on TSIG-authenticated transfers.
Changes on the slave DNS server
key xyzkey {
        algorithm hmac-md5;
        secret "OWH6FbG9P2Op5CTEqi5muQ==";    // must be identical to the master's
};
zone "node2.cn" IN {
        type slave;
        file "slaves/node2.cn.zone.file";
        masters { 192.168.31.102 key xyzkey; };   // sign transfer requests to this master with xyzkey
};
Note that the master excerpt above protects zone node1.cn while the slave here pulls node2.cn; the allow-transfer { key xyzkey; } statement has to sit on whichever master zone the slave actually transfers.
Restart named on both servers and check that the transfer succeeds with the key.
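What the key statement on both servers actually buys is shown below: an added example for this page, written in plain Python and not taken from BIND or the original post, that computes and checks a TSIG MAC (RFC 2845, with the HMAC-SHA256 name from RFC 4635) over a constructed AXFR request for node2.cn. It demonstrates that the .key and .private files hold one shared secret (`make_key_config` generates a fresh one and prints the key statement to paste into both named.conf files), that the HMAC covers the DNS message plus the key name, algorithm, timestamp and fudge, and why the clocks had to be synchronised first: a valid signature outside the 300 s fudge window is answered with BADTIME. The message layout is simplified (the TSIG RR is not appended to the packet; only its MAC is computed), and the constructed secret `SAMPLE_SECRET` is this example's own.

```python
"""TSIG (RFC 2845) request signing and verification, as used for the key-authenticated
zone transfer above. Added example in pure Python, not BIND code; the message layout is
simplified (the TSIG RR itself is not appended to the packet, only its MAC is computed)."""
import base64
import hashlib
import hmac
import os
import struct
import time

# Hash function and the algorithm name that goes into the TSIG RR, per RFC 2845 / RFC 4635.
ALGORITHMS = {"hmac-md5": (hashlib.md5, "hmac-md5.sig-alg.reg.int."),
              "hmac-sha256": (hashlib.sha256, "hmac-sha256.")}

# Constructed secret (bytes 0x00..0x0f); a real one comes from dnssec-keygen or make_key_config().
SAMPLE_SECRET = "AAECAwQFBgcICQoLDA0ODw=="


def make_key_config(name, alg="hmac-sha256", nbytes=32):
    """Generate a fresh shared secret and the key statement to paste into BOTH servers' named.conf."""
    secret = base64.b64encode(os.urandom(nbytes)).decode("ascii")
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' % (name, alg, secret)


def wire_name(name):
    """Canonical (lowercase, uncompressed) wire form of a domain name."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.lower().rstrip(".").split(".") if label)
    return out + b"\x00"


def build_axfr_query(zone, qid=0x1234):
    """Minimal DNS message: 12-byte header plus one question, <zone> AXFR (type 252) class IN."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + wire_name(zone) + struct.pack("!HH", 252, 1)


def tsig_digest_input(message, keyname, alg, time_signed, fudge, error=0, other=b""):
    """Bytes the HMAC covers: the unsigned message followed by the TSIG variables."""
    _, alg_name = ALGORITHMS[alg]
    return (message
            + wire_name(keyname) + struct.pack("!HI", 255, 0)       # key name, class ANY, TTL 0
            + wire_name(alg_name)
            + struct.pack("!Q", time_signed)[2:]                     # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_mac(secret_b64, alg, message, keyname, time_signed, fudge):
    digestmod, _ = ALGORITHMS[alg]
    key = base64.b64decode(secret_b64)
    data = tsig_digest_input(message, keyname, alg, time_signed, fudge)
    return hmac.new(key, data, digestmod).digest()


def sign(message, keyname, secret_b64, alg="hmac-sha256", now=None, fudge=300):
    """Slave side: compute the MAC a transfer request would carry in its TSIG RR."""
    time_signed = int(time.time()) if now is None else now
    return {"message": message, "keyname": keyname, "alg": alg,
            "time_signed": time_signed, "fudge": fudge,
            "mac": tsig_mac(secret_b64, alg, message, keyname, time_signed, fudge)}


def verify(req, keys, now=None):
    """Master side. keys maps key name -> (secret_b64, alg). Returns (ok, reason), where reason
    is the TSIG error the server would answer with: BADKEY, BADSIG or BADTIME (RFC 2845 4.5)."""
    now = int(time.time()) if now is None else now
    if req["keyname"] not in keys or keys[req["keyname"]][1] != req["alg"]:
        return False, "BADKEY"
    secret, alg = keys[req["keyname"]]
    expected = tsig_mac(secret, alg, req["message"], req["keyname"], req["time_signed"], req["fudge"])
    if not hmac.compare_digest(expected, req["mac"]):
        return False, "BADSIG"
    if abs(now - req["time_signed"]) > req["fudge"]:   # the fudge window is why the clocks must agree
        return False, "BADTIME"
    return True, "ok"


if __name__ == "__main__":
    print(make_key_config("xyzkey"))
    keys = {"xyzkey": (SAMPLE_SECRET, "hmac-sha256")}
    req = sign(build_axfr_query("node2.cn."), "xyzkey", SAMPLE_SECRET)
    print(verify(req, keys))                                                     # (True, 'ok')
    print(verify(req, {"xyzkey": ("AAAAAAAAAAAAAAAAAAAAAA==", "hmac-sha256")}))  # (False, 'BADSIG')
    print(verify(req, keys, now=req["time_signed"] + 600))                       # (False, 'BADTIME')
```

The same check against the real master is one dig call: dig @192.168.31.102 node2.cn AXFR -y hmac-md5:xyzkey:OWH6FbG9P2Op5CTEqi5muQ== (dig's -y takes [hmac:]keyname:secret) returns the zone when the key and clocks are right and a TSIG error otherwise; running it without -y from a host on the LAN is the quickest way to confirm that unsigned transfers are now refused.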
Test commands
nslookup: interactive resolution
dig: lets you choose which DNS server to query (@server)
Resolve the same name through different DNS servers and compare the results:
[root@node1 ~]# dig @192.168.31.102 www.node1.cn
[root@node1 ~]# dig @114.114.114.114 www.node1.cn
Date: 2024-10-24 08:28:45