Setting up master/slave DNS servers in eight steps:
Step 1: install the DNS server software (bind) with yum
Step 2: configure the main configuration file /etc/named.conf
Step 3: edit the zone configuration file named.rfc1912.zones
Step 4: create the forward zone file (nothing to do on the slave; it syncs automatically from the master)
Step 5: create the reverse zone file (nothing to do on the slave; it syncs automatically from the master)
Step 6: change the owner and group of the forward and reverse zone files to named
Step 7: start the named service on the master and slave and check the logs to verify that it started successfully
Step 8: use query tools to verify the final result
Environment requirements:
Server OS version: CentOS 7.2
DNS software version: bind 9.9.4
Note: the two DNS servers should ideally run the same OS version and the same BIND version; if the BIND versions differ, only the slave's version may be higher than the master's.
Step 1: install the DNS server software (bind) with yum
[root@centos730g ~]# yum install -y bind
Run the same command on both servers.
Step 2: configure the main configuration file /etc/named.conf
[root@centos730g ~]# vim /etc/named.conf
Comment out the two lines marked with //, using // as the comment marker:
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
This part of the configuration is the same on both servers.
On the master DNS server, additionally change yes to no on the following two lines; the slave needs no change here:
dnssec-enable no;
dnssec-validation no;
Step 3: edit the zone configuration file named.rfc1912.zones
[root@centos730g ~]# vim /etc/named.rfc1912.zones
zone "firewall.com" IN {
type master; // written this way on the master
file "firewall.com.zone";
allow-transfer {10.1.42.72;}; // allow the slave to request the zone database file from the master
};
zone "1.10.in-addr.arpa" IN {
type master;
file "10.1.zone";
allow-transfer {10.1.42.72;}; // allow the slave to request the zone database file from the master
};
Run the syntax checker to make sure there are no editing mistakes (this one command checks the syntax of both named.conf and named.rfc1912.zones):
[root@centos730g ~]# named-checkconf
Perform the same step 3 on the slave; its configuration file contents are as follows:
zone "firewall.com" IN {
type slave;
masters {10.1.42.71;};
file "slaves/firewall.com.zone";
};
zone "1.10.in-addr.arpa" IN {
type slave;
masters {10.1.42.71;};
file "slaves/10.1.zone";
};
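The allow-transfer lines are what keep the zone data from being handed to anyone who asks for it: in the BIND 9.9 series a master zone without allow-transfer accepts AXFR requests from any client. The script below is added here as an example and is not part of the original post; it lints a named.conf-style fragment for that and for two related options (recursion and dnssec-validation). The parser is a minimal one written for this example and only understands the statement shapes shown in steps 2 and 3. MASTER_CONFIG is assembled from those two steps; WEAK_CONFIG is constructed to show what the checks report.

```python
"""Lint a BIND named.conf / named.rfc1912.zones fragment for the transfer and
recursion settings that matter on an authoritative master.  Added example, not
from the original post.  MASTER_CONFIG is assembled from the options and zone
statements shown in steps 2 and 3; WEAK_CONFIG is constructed for the demo."""
import re

MASTER_CONFIG = """\
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
dnssec-enable no;
dnssec-validation no;
};
zone "firewall.com" IN {
type master;
file "firewall.com.zone";
allow-transfer {10.1.42.72;};
};
zone "1.10.in-addr.arpa" IN {
type master;
file "10.1.zone";
allow-transfer {10.1.42.72;};
};
"""

# Constructed: one master zone with no allow-transfer at all (BIND 9.9 default:
# any client may transfer it) and one that explicitly allows transfers to any.
WEAK_CONFIG = """\
options { recursion no; };
zone "example.test" IN { type master; file "example.test.zone"; };
zone "open.test" IN { type master; file "open.test.zone"; allow-transfer { any; }; };
"""


def tokenize(text):
    """Drop // comments, then split into quoted strings, braces, semicolons and words."""
    text = re.sub(r"//[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse_block(tokens, i=0):
    """Parse `head ... ;` and `head ... { ... };` statements up to a closing brace.
    Returns (statements, next_index); each statement is (head_tuple, sub_statements_or_None)."""
    stmts, cur = [], []
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            return stmts, i + 1
        if tok == "{":
            sub, i = parse_block(tokens, i + 1)
            stmts.append((tuple(cur), sub))
            cur = []
        elif tok == ";":
            if cur:
                stmts.append((tuple(cur), None))
            cur = []
            i += 1
        else:
            cur.append(tok)
            i += 1
    return stmts, i


def acl_values(sub):
    """Flatten an ACL body such as {10.1.42.72;} to ['10.1.42.72']."""
    return [h[0] for h, _ in sub if h]


def audit_config(text):
    """Return a list of policy findings (empty list = nothing to report)."""
    findings, options = [], {}
    stmts, _ = parse_block(tokenize(text))
    for head, body in stmts:
        if head[:1] == ("options",) and body is not None:
            options = {h[0]: (h[1:], b) for h, b in body if h}
        elif head[:1] == ("zone",) and body is not None:
            name = head[1].strip('"')
            zone = {h[0]: (h[1:], b) for h, b in body if h}
            if zone.get("type", ((),))[0] != ("master",):
                continue  # slave zones are checked on the master, not here
            xfer = zone.get("allow-transfer")
            if xfer is None:
                findings.append(f"zone {name}: no allow-transfer; BIND 9.9 then allows AXFR from any client")
            elif "any" in acl_values(xfer[1]):
                findings.append(f"zone {name}: allow-transfer {{ any; }} exposes the whole zone to anyone")
    if options.get("recursion", ((),))[0] != ("no",):
        findings.append("options: recursion not disabled; set 'recursion no;' on an authoritative-only server")
    if options.get("dnssec-validation", ((),))[0] == ("no",):
        findings.append("options: dnssec-validation no; any recursive answers this server gives are unvalidated")
    return findings


if __name__ == "__main__":
    for label, cfg in (("master", MASTER_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"--- {label} ---")
        print("\n".join(audit_config(cfg) or ["no findings"]))
```

Against the master's configuration from steps 2 and 3 the script reports only the two options-level notes (recursion not explicitly disabled, DNSSEC validation off) and nothing about the zones, because both carry allow-transfer restricted to the slave; against the constructed weak configuration it flags both zones. named-checkconf verifies syntax, not policy, so a check like this complements it rather than replacing it.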
Step 4: create the forward zone file (nothing to do on the slave; it syncs automatically from the master)
[root@centos730g ~]# cd /var/named
[root@centos730g named]# ll
total 28
drwxrwx---. 2 named named 4096 Nov 20 2015 data
drwxrwx---. 2 named named 4096 Nov 20 2015 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Nov 20 2015 slaves
[root@centos730g named]# vim firewall.com.zone
$TTL 1D
@ IN SOA ns1.firewall.com. admin.firewall.com. (
2016092501
1D
1H
1W
1D
)
@ IN NS ns1.firewall.com.
@ IN NS ns2.firewall.com.
ns1 IN A 10.1.42.71
ns2 IN A 10.1.42.72
www IN A 10.1.42.73
* IN A 10.1.42.73
[root@centos730g named]# ll
total 32
drwxrwx---. 2 named named 4096 Nov 20 2015 data
drwxrwx---. 2 named named 4096 Nov 20 2015 dynamic
-rw-r--r--. 1 root root 220 Sep 25 16:29 firewall.com.zone
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Nov 20 2015 slaves
Check that the zone declared in the configuration matches the zone file:
[root@centos730g named]# named-checkzone firewall.com firewall.com.zone
zone firewall.com/IN: loaded serial 2016092501
OK
[root@centos730g named]#
Step 5: create the reverse zone file (nothing to do on the slave; it syncs automatically from the master)
[root@centos730g named]# vim 10.1.zone
$TTL 1D
@ IN SOA ns1.firewall.com. admin.firewall.com. (
2016092503
1D
1H
1W
1D
)
@ IN NS ns1.firewall.com.
@ IN NS ns2.firewall.com.
71.42 IN PTR ns1.firewall.com.
72.42 IN PTR ns2.firewall.com.
73.42 IN PTR www.firewall.com.
[root@centos730g named]# ll
total 36
-rw-r--r--. 1 root root 200 Sep 25 17:02 10.1.zone
drwxrwx---. 2 named named 4096 Nov 20 2015 data
drwxrwx---. 2 named named 4096 Nov 20 2015 dynamic
-rw-r--r--. 1 root root 220 Sep 25 16:29 firewall.com.zone
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Nov 20 2015 slaves
Check that the zone declared in the configuration matches the zone file:
[root@centos730g named]# named-checkzone 1.10.in-addr.arpa 10.1.zone
zone 1.10.in-addr.arpa/IN: loaded serial 2016092501
OK
[root@centos730g named]#
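named-checkzone only checks that each file parses and loads; it does not check that the forward and reverse zones agree with each other, nor that the SOA serial will actually make the slave pull a new copy after an edit. The script below is added here as an example and is not the post's own code. It reads the two zone files from steps 4 and 5 (copied inline so it runs offline), checks that every NS has an A record, that every A record has a matching PTR and vice versa, and shows the YYYYMMDDnn serial bump the post's numbering implies. The parser only handles the record shapes the post uses.

```python
"""Consistency checks for the forward and reverse zone files from steps 4 and 5.
Added example, not code from the original post; the two zone texts are copied
from the post so the checks run offline."""
import re

FORWARD_ZONE = """\
$TTL 1D
@ IN SOA ns1.firewall.com. admin.firewall.com. (
2016092501
1D
1H
1W
1D
)
@ IN NS ns1.firewall.com.
@ IN NS ns2.firewall.com.
ns1 IN A 10.1.42.71
ns2 IN A 10.1.42.72
www IN A 10.1.42.73
* IN A 10.1.42.73
"""

REVERSE_ZONE = """\
$TTL 1D
@ IN SOA ns1.firewall.com. admin.firewall.com. (
2016092503
1D
1H
1W
1D
)
@ IN NS ns1.firewall.com.
@ IN NS ns2.firewall.com.
71.42 IN PTR ns1.firewall.com.
72.42 IN PTR ns2.firewall.com.
73.42 IN PTR www.firewall.com.
"""


def parse_zone(text, origin):
    """Parse the record shapes the post uses ($TTL, a parenthesised SOA, and
    one-line 'owner IN TYPE rdata' records).  Returns (serial, records) with
    records as (owner_fqdn, type, rdata); owners are expanded relative to origin."""
    # Fold the multi-line SOA onto one line so it splits like any other record.
    flat = re.sub(r"\(([^)]*)\)", lambda m: " " + " ".join(m.group(1).split()) + " ", text)
    serial, records = None, []
    for line in flat.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a comment in zone files
        if not line or line.startswith("$"):
            continue
        parts = line.split()
        owner, rtype = parts[0], parts[2]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        if rtype == "SOA":
            serial = int(parts[5])   # mname rname serial refresh retry expire minimum
        else:
            records.append((fqdn, rtype, parts[3]))
    return serial, records


def ptr_owner_to_ip(owner):
    """'73.42.1.10.in-addr.arpa.' -> '10.1.42.73'."""
    labels = owner.rstrip(".").split(".")[:-2]   # drop 'in-addr', 'arpa'
    return ".".join(reversed(labels))


def next_serial(current, today):
    """Next YYYYMMDDnn serial for a zone edit; `today` is 'YYYYMMDD'.  Always
    greater than `current`: a slave only re-transfers a zone whose master serial
    exceeds the one it holds, so an unbumped serial leaves the slave stale."""
    return max(int(today + "01"), current + 1)


def check_zones(fwd_text, rev_text, fwd_origin="firewall.com.", rev_origin="1.10.in-addr.arpa."):
    """Return a list of problems; an empty list means the two zones agree."""
    problems = []
    fwd_serial, fwd = parse_zone(fwd_text, fwd_origin)
    rev_serial, rev = parse_zone(rev_text, rev_origin)
    for name, serial in ((fwd_origin, fwd_serial), (rev_origin, rev_serial)):
        if serial is None or not re.fullmatch(r"\d{10}", str(serial)):
            problems.append(f"{name}: SOA serial {serial!r} is not in YYYYMMDDnn form")
    a_records = {(o, r) for o, t, r in fwd if t == "A"}
    a_names = {o for o, _ in a_records}
    # Every in-zone NS name needs an A record, or the NS set is unreachable.
    for o, t, r in fwd:
        if t == "NS" and r.endswith(fwd_origin) and r not in a_names:
            problems.append(f"{fwd_origin}: NS {r} has no A record in the zone")
    # Forward A and reverse PTR must agree in both directions (wildcard excluded).
    ptr_by_ip = {ptr_owner_to_ip(o): r for o, t, r in rev if t == "PTR"}
    for o, ip in sorted(a_records):
        if not o.startswith("*") and ptr_by_ip.get(ip) != o:
            problems.append(f"{o} A {ip} has no matching PTR in {rev_origin}")
    for ip, name in sorted(ptr_by_ip.items()):
        if (name, ip) not in a_records:
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems


if __name__ == "__main__":
    print("\n".join(check_zones(FORWARD_ZONE, REVERSE_ZONE) or ["zones consistent"]))
    print("next serial after 2016092501 on 2016-09-25:", next_serial(2016092501, "20160925"))
```

On the post's two files the checks pass. Adding a host to the forward zone without its PTR, or forgetting to raise the serial after an edit, are the two mistakes this catches that named-checkzone and a successful AXFR in the log will not.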
Step 6: change the owner and group of the forward and reverse zone files to named
[root@centos730g named]# chown named:named firewall.com.zone 10.1.zone
[root@centos730g named]# ll
total 36
-rw-r--r--. 1 named named 200 Sep 25 17:02 10.1.zone
drwxrwx---. 2 named named 4096 Nov 20 2015 data
drwxrwx---. 2 named named 4096 Nov 20 2015 dynamic
-rw-r--r--. 1 named named 220 Sep 25 16:29 firewall.com.zone
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Nov 20 2015 slaves
[root@centos730g named]#
Step 7: start the named service on the master and slave and check the logs to verify that it started successfully
[root@centos730g named]# cat /var/log/messages
Sep 25 17:28:06 centos730g systemd: Reloaded Berkeley Internet Name Domain (DNS).
Sep 25 17:42:25 centos730g named[3112]: client 10.1.42.72#46276 (1.10.in-addr.arpa): transfer of '1.10.in-addr.arpa/IN': AXFR started
Sep 25 17:42:25 centos730g named[3112]: client 10.1.42.72#46276 (1.10.in-addr.arpa): transfer of '1.10.in-addr.arpa/IN': AXFR ended
Sep 25 17:42:26 centos730g named[3112]: client 10.1.42.72#42253 (firewall.com): transfer of 'firewall.com/IN': AXFR started
Sep 25 17:42:26 centos730g named[3112]: client 10.1.42.72#42253 (firewall.com): transfer of 'firewall.com/IN': AXFR ended
When the master's log shows the messages above, the master has started successfully.
[root@centos72-gui slaves]# cat /var/log/messages
Sep 25 17:42:26 centos72-gui systemd: Reloaded Berkeley Internet Name Domain (DNS).
Sep 25 17:42:26 centos72-gui named[4824]: zone firewall.com/IN: Transfer started.
Sep 25 17:42:26 centos72-gui named[4824]: transfer of 'firewall.com/IN' from 10.1.42.71#53: connected using 10.1.42.72#42253
Sep 25 17:42:26 centos72-gui named[4824]: zone firewall.com/IN: transferred serial 2016092501
Sep 25 17:42:26 centos72-gui named[4824]: transfer of 'firewall.com/IN' from 10.1.42.71#53: Transfer completed: 1 messages, 8 records, 214 bytes, 0.005 secs (42800 bytes/sec)
Sep 25 17:42:26 centos72-gui named[4824]: zone firewall.com/IN: sending notifies (serial 2016092501)
When the slave's log shows the messages above, the slave has started successfully.
[root@centos72-gui slaves]# pwd
/var/named/slaves
[root@centos72-gui slaves]# ll
total 8
-rw-r--r--. 1 named named 368 Sep 25 17:42 10.1.zone
-rw-r--r--. 1 named named 366 Sep 25 17:42 firewall.com.zone
[root@centos72-gui slaves]#
Once the slave has started successfully, the zone files are created automatically under /var/named/slaves; they are in fact copies transferred from the master.
If the firewall on the servers is enabled, TCP port 53 and UDP port 53 must be opened on them: the slave needs TCP 53 to synchronize, and queries use UDP 53.
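The master's "AXFR started/ended" lines are the record of who pulled a full copy of each zone, so they are also the place to notice a transfer to a client that is not the slave. The script below is added here as an example and is not part of the original post: it parses such lines from /var/log/messages and compares every completed transfer with the allow-transfer list from step 3. The four transfer lines are copied from the master's log above; the lines from 10.1.42.99, including the "zone transfer ... denied" line, are constructed for the example (the wording of the denied message follows BIND's, but is an assumption here rather than output captured on this setup).

```python
"""Audit BIND /var/log/messages lines for zone transfers (AXFR) that did not
come from the configured slave.  Added example, not from the original post.
The four 10.1.42.72 lines are copied from the post; the 10.1.42.99 lines,
including the 'denied' line, are constructed for this example."""
import re
from collections import defaultdict

# Mirrors the allow-transfer {10.1.42.72;}; statements in named.rfc1912.zones.
ALLOW_TRANSFER = {
    "firewall.com": {"10.1.42.72"},
    "1.10.in-addr.arpa": {"10.1.42.72"},
}

SAMPLE_LOG = """\
Sep 25 17:42:25 centos730g named[3112]: client 10.1.42.72#46276 (1.10.in-addr.arpa): transfer of '1.10.in-addr.arpa/IN': AXFR started
Sep 25 17:42:25 centos730g named[3112]: client 10.1.42.72#46276 (1.10.in-addr.arpa): transfer of '1.10.in-addr.arpa/IN': AXFR ended
Sep 25 17:42:26 centos730g named[3112]: client 10.1.42.72#42253 (firewall.com): transfer of 'firewall.com/IN': AXFR started
Sep 25 17:42:26 centos730g named[3112]: client 10.1.42.72#42253 (firewall.com): transfer of 'firewall.com/IN': AXFR ended
Sep 25 18:01:07 centos730g named[3112]: client 10.1.42.99#51022 (firewall.com): transfer of 'firewall.com/IN': AXFR started
Sep 25 18:01:07 centos730g named[3112]: client 10.1.42.99#51022 (firewall.com): transfer of 'firewall.com/IN': AXFR ended
Sep 25 18:05:40 centos730g named[3112]: client 10.1.42.99#51100 (1.10.in-addr.arpa): zone transfer '1.10.in-addr.arpa/AXFR/IN' denied
"""

# syslog prefix, then BIND's "client ip#port (zone): ..." message.  The
# 'denied' alternative is an assumption about BIND's wording, not page output.
AXFR_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: "
    r"client (?P<ip>[\d.]+)#\d+ \((?P<zone>[^)]+)\): "
    r"(?:transfer of '[^']+': AXFR (?P<phase>started|ended)"
    r"|zone transfer '[^']+' (?P<denied>denied))"
)


def audit_transfers(log_text, allow=ALLOW_TRANSFER):
    """Return (completed, findings).  `completed` counts finished AXFRs per
    (zone, client).  `findings` lists finished transfers to a client outside
    the zone's allow-transfer list (the zone data has already left the server,
    so the ACL is wrong) and denied attempts (the ACL worked, but someone tried)."""
    completed = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = AXFR_RE.match(line)
        if not m:
            continue
        zone, ip, ts = m.group("zone"), m.group("ip"), m.group("ts")
        if m.group("denied"):
            findings.append(f"{ts} {ip} DENIED transfer of {zone}")
        elif m.group("phase") == "ended":
            completed[(zone, ip)] += 1
            if ip not in allow.get(zone, set()):
                findings.append(f"{ts} {ip} UNEXPECTED full transfer of {zone}")
    return dict(completed), findings


if __name__ == "__main__":
    completed, findings = audit_transfers(SAMPLE_LOG)
    for (zone, ip), n in sorted(completed.items()):
        print(f"{zone:<20} {ip:<12} {n} transfer(s)")
    print("\n".join(findings or ["no findings"]))
```

On the page's own four lines the script reports nothing but the two expected transfers to 10.1.42.72. The constructed lines show the two outcomes worth alerting on: a completed transfer to an address outside allow-transfer, which means the ACL in named.rfc1912.zones is not what it should be, and a denied request, which means the ACL held but the attempt is worth correlating with other logs. To use it on a live master, read /var/log/messages instead of SAMPLE_LOG and keep ALLOW_TRANSFER in step with the configuration.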
Step 8: use query tools to verify the final result
[root@centos72-gui slaves]# dig www.firewall.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.firewall.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54677
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.firewall.com.              IN      A
;; ANSWER SECTION:
www.firewall.com.       86400   IN      A       10.1.42.73
;; AUTHORITY SECTION:
firewall.com.           86400   IN      NS      ns2.firewall.com.
firewall.com.           86400   IN      NS      ns1.firewall.com.
;; ADDITIONAL SECTION:
ns1.firewall.com.       86400   IN      A       10.1.42.71
ns2.firewall.com.       86400   IN      A       10.1.42.72
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 25 20:03:52 CST 2016
;; MSG SIZE  rcvd: 129
[root@centos72-gui slaves]#
Getting this result shows that forward resolution is working.
[root@centos72-gui slaves]# dig -x 10.1.42.73
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 10.1.42.73
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64415
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;73.42.1.10.in-addr.arpa.       IN      PTR
;; ANSWER SECTION:
73.42.1.10.in-addr.arpa. 86400  IN      PTR     www.firewall.com.
;; AUTHORITY SECTION:
1.10.in-addr.arpa.      86400   IN      NS      ns2.firewall.com.
1.10.in-addr.arpa.      86400   IN      NS      ns1.firewall.com.
;; ADDITIONAL SECTION:
ns1.firewall.com.       86400   IN      A       10.1.42.71
ns2.firewall.com.       86400   IN      A       10.1.42.72
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Sep 25 20:38:32 CST 2016
;; MSG SIZE  rcvd: 150
[root@centos72-gui slaves]#
Getting this result shows that reverse resolution is working as well.
To provide DNS resolution for clients, simply point the clients' DNS server setting at the IP addresses of the master and slave DNS servers built above.