(1)确认本机的网络地址、主机映射、默认 DNS 服务器地址
网卡:（原文此处为网卡配置截图,已缺失。需确认 ns1 的实际 IP 地址与下文 named.conf 中 listen-on 所写的地址一致,否则 named 不会在预期地址上监听。）
更改主机映射文件
[root@ns1
~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10  ns1.linuxli.com
192.168.100.20  ns2.linuxli.com
查看 DNS 客户端配置: cat /etc/resolv.conf（原文截图缺失）
(2)修改主配置文件 /etc/named.conf
[root@ns1
~]# rpm -qa |grep bind
bind-libs-lite-9.9.4-61.el7.x86_64
bind-license-9.9.4-61.el7.noarch
[root@ns1
~]# yum -y install bind
bind-utils bind-chroot
[root@ns1
~]# cd /etc/
[root@ns1
etc]# cp named.conf
named.conf.$(date +%Y%m%d%H%M)
[root@ns1
etc]# vim named.conf
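options {
	// Listen only on the LAN address.  The loopback is not listed, so local
	// tools must query 192.168.100.10 explicitly (or add 127.0.0.1 here).
	listen-on port 53 { 192.168.100.10; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Anyone may ask for the authoritative zones declared below ...
	allow-query { any; };
	// ... but recursive lookups are answered only for local clients.
	// "recursion yes" combined with "allow-query { any; }" and no
	// allow-recursion makes this an open resolver, abusable for cache
	// poisoning and DNS amplification as soon as the listener is reachable
	// from an untrusted network.
	recursion yes;
	allow-recursion { localhost; localnets; };
	dnssec-enable yes;
	// The include of /etc/named.root.key is commented out below, so no
	// trust anchor is loaded and "dnssec-validation yes" validates nothing;
	// "auto" uses the root key built into BIND.
	dnssec-validation auto;
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
// The root-hint zone and the stock includes were disabled for this lab
// (named is expected to fall back to its built-in root hints for recursion).
//zone "." IN {
//	type hint;
//	file "named.ca";
//};
//include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";
zone "linuxli.com" IN {
	type master;
	file "linuxli.com.zone";
	// Restrict zone transfers (AXFR/IXFR) to the secondary; the default is
	// "any", which lets anybody enumerate the whole zone.  The address must
	// be the one ns2 actually transfers from (its listen-on address).  An
	// address ACL trusts whoever can reach the server from that address;
	// a TSIG key on the transfer is the stronger control.
	allow-transfer { 192.168.100.20; };
};
zone "100.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.100.arpa";
	allow-transfer { 192.168.100.20; };
};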
检查配置文件（无任何输出即表示语法正确；加 -z 参数 named-checkconf -z 会同时装载并检查各区域文件）
[root@ns1
etc]# named-checkconf
/etc/named.conf
(3)建立正、反向区域数据文件
1>建立正向区域数据文件
[root@ns1
etc]# cd /var/named/
[root@ns1
named]# ls
chroot data
dynamic named.ca named.empty
named.localhost
named.loopback slaves
[root@ns1
named]# cp -p named.empty
linuxli.com.zone
[root@ns1
named]# vim
linuxli.com.zone
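$TTL 1D                 ; default TTL: cached answers live one day
; Zone-file comments use ";".  "//" is named.conf syntax and makes
; named-checkzone reject the file.
; SOA: MNAME is the primary server's host name (used by DNS UPDATE and
; NOTIFY logic), RNAME is the contact mailbox with "@" written as "."
; (root.ns1.linuxli.com. = root@ns1.linuxli.com).
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122501  ; serial  - YYYYMMDDnn; must increase on every change
                    ;           or secondaries never re-transfer the zone
        1D          ; refresh - how often secondaries poll the SOA
        1H          ; retry   - retry interval after a failed refresh
        1W          ; expire  - secondaries stop answering after this long
                    ;           without reaching the primary
        3H )        ; minimum - negative-cache TTL for NXDOMAIN answers
; A record whose owner field is empty MUST start with whitespace, otherwise
; the first token ("NS", "MX") is parsed as the owner name.
    NS  ns1.linuxli.com.
    NS  ns2.linuxli.com.
    MX  10 mail.linuxli.com.
; Addresses of the name servers: these must be the addresses named really
; listens on (compare listen-on in named.conf on each server).
ns1     A       192.168.100.100
ns2     A       192.168.100.110
www     A       192.168.100.10
mail    A       192.168.100.1
news    A       192.168.100.12
bbs     CNAME   news
; Wildcard: every otherwise-undefined name below linuxli.com resolves to the
; web server.  Convenient, but it also hides typos in client configs.
*       A       192.168.100.10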
2>建立反向区域数据文件
[root@ns1 named]# cp -p linuxli.com.zone 192.168.100.arpa
[root@ns1
named]# vim
192.168.100.arpa
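$TTL 1D                 ; default TTL: cached answers live one day
; Reverse zone for 192.168.100.0/24.  Owner names are the last octet only;
; named appends the origin 100.168.192.in-addr.arpa. taken from named.conf.
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122501  ; serial  - keep in step with the forward zone, and
                    ;           increase on every change
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum - negative-cache TTL
; Empty owner field => the line must start with whitespace.
    NS  ns1.linuxli.com.
    NS  ns2.linuxli.com.
100     PTR     ns1.linuxli.com.
110     PTR     ns2.linuxli.com.
10      PTR     www.linuxli.com.
1       PTR     mail.linuxli.com.
; Two PTRs for .12 is legal; resolvers may return either.  bbs is only a
; CNAME alias for news in the forward zone, so one PTR (news) is usually
; enough.
12      PTR     news.linuxli.com.
12      PTR     bbs.linuxli.com.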
3>测试配置文件
[root@ns1
named]# named-checkzone
linuxli.com linuxli.com.zone
zone linuxli.com/IN:
loaded serial 2018122501
OK
[root@ns1
named]# named-checkzone 100.168.192.in-addr.arpa 192.168.100.arpa
zone 100.168.192.in-addr.arpa/IN: loaded serial 2018122501
OK
（第一个参数必须是 named.conf 中声明的区域名 100.168.192.in-addr.arpa；原文写成 1.168.192-addr.arpa 时,文件中的相对名称会按错误的 origin 补全,检查结果并不能说明 named 实际装载的区域是正确的。）
[root@ns1
named]#
更改区域文件的属主属组（可选：用 cp -p 从 named.empty 复制得到的文件通常已是 root:named 且组可读,主区域文件只需要 named 可读即可；改为 named 所有会让 named 进程获得写权限,按最小权限原则可以不改,只有 slaves/、data/ 等目录才需要 named 可写）
chown named:named /var/named/linuxli.com.zone
chown named:named /var/named/192.168.100.arpa
(4)启动
named 服务或重载配置（若要使用前面安装的 bind-chroot 提供的隔离,应启动 named-chroot.service 而非 named.service；两者不要同时运行,会争抢 53 端口）
[root@ns1
named]# systemctl restart
named
(5)客户机测试（原文为截图,已缺失）。例如在客户机上执行 dig @192.168.100.10 www.linuxli.com A 和 dig @192.168.100.10 -x 192.168.100.10 分别验证正、反向解析；再用 dig @192.168.100.10 www.example.com 确认外部域名的递归查询只对允许的客户端开放。
二、构建从 DNS 域名解析服务器
1、从域名解析服务器概述
与主域名解析服务器提供完全相同的 DNS 解析服务,通常用于 DNS 服务器的热备份。从服务器通过区域传送（AXFR/IXFR）从主服务器取得区域数据,因此主服务器必须在 allow-transfer 中允许从服务器的地址；主服务器失联后,从服务器仍可用本地副本继续应答,直到 SOA 中的 expire 时间到期。对客户机来说,无论使用主域名服务器还是从域名服务器,查询结果都是一样的。
2、构建从域名服务器步骤及示例
实验环境:
- 主、从域名服务器均位于 Internet 中,所负责的 DNS 区域为“linuxli.com”
- 主服务器 IP 地址 192.168.100.10/24,主机名为 ns1.linuxli.com
- 从服务器 IP 地址 192.168.100.20/24,主机名为 ns2.linuxli.com
- 客户机将首选、备用 DNS 服务器分别设为 192.168.100.10 和 192.168.100.20
（注意：下文的区域文件、ns2 的 listen-on/masters、also-notify 以及客户机的 resolv.conf 使用的是 192.168.100.100 和 192.168.100.110,与此处描述不一致。主服务器 listen-on、allow-transfer 中的地址必须与从服务器的 listen-on、masters 以及区域文件中 ns1/ns2 的 A 记录互相对应,否则区域传送会被拒绝。）
(1)确认本机的网络地址、主机映射、默认 DNS 服务器地址
网卡:（原文此处为网卡配置截图,已缺失。需确认 ns2 的实际 IP 地址与下文 named.conf 中 listen-on 所写的地址一致。）
更改主机映射文件
[root@ns2
~]# vim /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10  ns1.linuxli.com
192.168.100.20  ns2.linuxli.com
查看DNS
[root@ns2
~]# cat /etc/resolv.conf
# Generated by NetworkManager
search linuxli.com
nameserver 192.168.100.10
nameserver 192.168.100.20
(2)修改主配置文件/etc/named.conf
[root@ns2
~]# rpm -qa |grep bind
bind-libs-lite-9.9.4-61.el7.x86_64
bind-license-9.9.4-61.el7.noarch
[root@ns2
~]# yum -y install bind
bind-utils bind-chroot
[root@ns2
~]# cd /etc/
[root@ns2
etc]# cp named.conf
named.conf.$(date +%Y%m%d%H%M)
[root@ns2
etc]# vim named.conf
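options {
	// NOTE(review): the lab description gives ns2 as 192.168.100.20 and
	// ns1 as 192.168.100.10, while this listing uses .110 and .100.  The
	// address listened on here, the "masters" address below and the
	// primary's allow-transfer list must all agree or transfers are refused.
	listen-on port 53 { 192.168.100.110; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query { any; };
	// Same open-resolver caveat as on the primary: without allow-recursion,
	// "recursion yes" + "allow-query { any; }" answers recursive queries
	// for anyone who can reach the listener.
	recursion yes;
	allow-recursion { localhost; localnets; };
	dnssec-enable yes;
	// The named.root.key include is commented out below; "auto" loads
	// BIND's built-in root trust anchor instead of validating with none.
	dnssec-validation auto;
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
//zone "." IN {
//	type hint;
//	file "named.ca";
//};
//include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";
zone "linuxli.com" IN {
	type slave;
	masters { 192.168.100.100; };
	// Transferred copies are written below /var/named/slaves, the
	// directory named can write to.
	file "slaves/linuxli.com.zone";
	// The primary restricts transfers, but a secondary still serves
	// AXFR to "any" by default, so the zone could be dumped from ns2.
	allow-transfer { none; };
};
zone "100.168.192.in-addr.arpa" IN {
	type slave;
	masters { 192.168.100.100; };
	file "slaves/192.168.100.arpa";
	allow-transfer { none; };
};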
检查配置文件
[root@ns2
etc]# named-checkconf
/etc/named.conf
(3)启动
named 服务,查看区域数据文件是否下载成功（若重启后 /var/named/slaves/ 仍为空,查看 /var/log/messages 中 named 的 transfer 相关日志；常见原因是主服务器的 allow-transfer 未包含从服务器实际使用的源地址,或 masters 地址写错）
[root@ns2
etc]# ll
/var/named/slaves/
总用量 0
[root@ns2
etc]# systemctl restart
named
[root@ns2
etc]# ll
/var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 573 12月 26
14:04 192.168.100.arpa
-rw-r--r-- 1 named named 555 12月 26
14:04 linuxli.com.zone
(4)客户机测试（原文为截图,已缺失；可用 dig @192.168.100.110 www.linuxli.com 验证从服务器能独立应答,答案应与主服务器一致）
(5)将主域名服务器增加地址解析记录,修改序列号+1（序列号必须大于从服务器已保存副本中的序列号,从服务器比较 SOA 序列号后才会重新传送；只改记录不改序列号,从服务器永远不会更新）
查看从域名服务器/var/named/slaves/下文件的时间
[root@ns2
etc]# ll
/var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 573 12月 26
14:04 192.168.100.arpa
-rw-r--r-- 1 named named 555 12月 26
14:04 linuxli.com.zone
更新主域名服务器的区域配置文件
[root@ns1
~]# cd /var/named/
[root@ns1
named]# vim
linuxli.com.zone
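$TTL 86400              ; default TTL in seconds (= 1D)
; Updated copy of the forward zone: the "money" record is added and the
; serial is raised from 2018122501 to 2018122602 so that secondaries
; detect the change and re-transfer.
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122602  ; serial  - YYYYMMDDnn, must increase on every edit
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum - negative-cache TTL
; Empty owner field => the line must start with whitespace.
    NS  ns1.linuxli.com.
    NS  ns2.linuxli.com.
    MX  10 mail.linuxli.com.
; Name-server addresses must match the listen-on addresses in named.conf.
ns1     A       192.168.100.100
ns2     A       192.168.100.110
www     A       192.168.100.10
mail    A       192.168.100.1
news    A       192.168.100.12
bbs     CNAME   news
; Wildcard: any undefined name resolves to the web server.
*       A       192.168.100.10
money   A       192.168.100.13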
[root@ns1
named]# named-checkzone
linuxli.com linuxli.com.zone
zone linuxli.com/IN: loaded serial 2018122602
OK
[root@ns1
named]# vim
192.168.100.arpa
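$TTL 1D                 ; default TTL: cached answers live one day
; Updated reverse zone: PTR for .13 (money) added, serial raised to
; 2018122602 in step with the forward zone.
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122602  ; serial  - must increase on every edit
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum - negative-cache TTL
; Empty owner field => the line must start with whitespace.
    NS  ns1.linuxli.com.
    NS  ns2.linuxli.com.
; Owner names are the last octet; the origin 100.168.192.in-addr.arpa.
; comes from the zone statement in named.conf.
100     PTR     ns1.linuxli.com.
110     PTR     ns2.linuxli.com.
10      PTR     www.linuxli.com.
1       PTR     mail.linuxli.com.
; Two PTRs for .12 is legal but resolvers may return either one; bbs is
; only a CNAME alias of news in the forward zone.
12      PTR     news.linuxli.com.
12      PTR     bbs.linuxli.com.
13      PTR     money.linuxli.com.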
[root@ns1
named]# named-checkzone
100.168.192.in-addr.arpa 192.168.100.arpa
zone 100.168.192.in-addr.arpa/IN: loaded serial 2018122602
OK
(6)修改主域名解析服务器的主配置文件,添加
also-notify { 192.168.100.110; }; 观察从域名解析服务器区域数据文件是否更新（说明：BIND 默认 notify yes,区域变更后会向区域中除自身以外的所有 NS 记录发送 NOTIFY；also-notify 用于通知未列入 NS 记录的从服务器,或 NS 记录解析出的地址与从服务器实际监听地址不一致的情况。若从服务器已是 NS 记录且地址正确,不加 also-notify 也会自动更新。）
[root@ns1
named]# vim
/etc/named.conf
（在 options { } 块内添加）
also-notify { 192.168.100.110; };
重新加载主域名解析服务器配置文件
[root@ns1
named]# systemctl reload
named.service
发现从域名服务器已自动更新区域配置文件
[root@ns2
etc]# ll
/var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 643 12月 26
14:35 192.168.100.arpa
-rw-r--r-- 1 named named 600 12月 26
14:35 linuxli.com.zone
客户机测试
[root@linuxli
~]# cat /etc/resolv.conf
# Generated by NetworkManager
search com
nameserver 192.168.100.110
nameserver 192.168.100.100
[root@linuxli
~]# nslookup
> money.linuxli.comServer: 192.168.100.110
Address: 192.168.100.110#53
Name: money.linuxli.comAddress: 192.168.100.13
> 192.168.100.13
Server: 192.168.100.110
Address: 192.168.100.110#53
13.100.168.192.in-addr.arpa name
= money.linuxli.com.
> exit
三、构建分离解析的 DNS 域名解析服务器
1、分离解析的域名解析服务器概述 分离解析的域名解析服务器实际也是主域名服务器,这里所说的分离解析(Split DNS),
主要是指根据不同的客户端提供不同的域名解析记录。来自不同地址的客户机请求解析同一 域名时,为其提供不同的解析结果。在 BIND 中通过 view 实现：named 按 view 在配置文件中出现的顺序,用 match-clients 匹配请求的源地址,第一个匹配的 view 生效,因此范围小的 view（内网）必须写在范围大的 view（any）前面。面向外网的 view 中只能放公网地址,否则内网拓扑会泄露到 Internet。
2、构建分离解析的域名服务器步骤及示例
实验环境:
- 域名服务器架设在企业网关服务器中,网卡 ens32 的 IP 地址为 192.168.100.100/24;网卡 eth1 的 IP 地址为 192.168.60.34/24(桥接网络)模拟外网。由于 named 同时监听外网接口,必须限制递归查询只对内网客户端开放,否则就是一台暴露在外网的开放递归服务器。
- 在Internet中的公共域名 www.linuxli.com和mail.linuxli.com均解析为 192.168.60.34
- 在内网中 www.linuxli.com和mail.linuxli.com分别解析为 192.168.100.10 和 192.168.100.20
- 分别用两台客户机模拟内网与外网进行测试
(1)在/etc/named.conf 主配置文件中为不同的客户机地址启用不同的 zone 区域设置, 各自使用独立的数据文件
[root@linuxli ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat
bind package to configure the ISC BIND named(8) DNS
// server as a caching
only nameserver (as a localhost DNS resolver only).
//
// See
/usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND
Administrator's Reference Manual (ARM) for details about the
// configuration located
in /usr/share/doc/bind-{version}/Bv9ARM.html
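// ACLs must be declared before they are referenced, so they come first.
acl "lan" { 192.168.100.0/24; };   // internal clients (ens32 side)
acl "wan" { any; };                // everyone else (eth1, simulated Internet)
options {
	// Listen on both the internal and the external interface.
	listen-on port 53 { 192.168.100.100; 192.168.60.34; };
	directory "/var/named";
	// Authoritative answers for linuxli.com are public; which answer a
	// client gets is decided by the views below.
	allow-query { any; };
	// dnssec-enable / dnssec-validation, dump-file, statistics-file,
	// bindkeys-file and managed-keys-directory were commented out in the
	// original lab configuration and are omitted here.
};
// Views are matched in order: "LAN" must precede "WAN", because "wan" is
// "any" and would otherwise catch internal clients as well.
// NOTE(review): once views are used, BIND expects every zone statement to
// live inside a view; zones left at top level are rejected.
view "LAN" {
	match-clients { lan; };
	// Internal clients may use this server as their recursive resolver.
	recursion yes;
	zone "linuxli.com" IN {
		type master;
		file "linuxli.com.zone.lan";
		// No secondary in this setup; without this any LAN host could
		// AXFR the internal zone.
		allow-transfer { none; };
	};
};
view "WAN" {
	match-clients { wan; };
	// Authoritative only towards the Internet.  The original configuration
	// left recursion at its default (yes) with allow-query { any; }, which
	// makes the external interface an open resolver usable for cache
	// poisoning and DNS amplification.
	recursion no;
	zone "linuxli.com" IN {
		type master;
		// Must contain public addresses only; anything internal listed
		// in this file is visible to the whole Internet.
		file "linuxli.com.zone.wan";
		allow-transfer { none; };
	};
};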
检查配置文件
[root@linuxli
~]# named-checkconf
/etc/named.conf
(2)分别建立不同的区域数据文件
[root@linuxli
~]# cd /var/named/
[root@linuxli
named]# cp -p named.empty
linuxli.com.zone.lan
[root@linuxli
named]# vim
linuxli.com.zone.lan
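$TTL 1D                 ; default TTL: cached answers live one day
; Internal view of linuxli.com: answers handed only to clients matched by
; the "LAN" view.  Comments use ";" -- "//" is not valid zone-file syntax.
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122601  ; serial  - each view's file keeps its own serial;
                    ;           increase it on every change
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum - negative-cache TTL
; Empty owner field => the line must start with whitespace.
    NS  ns1.linuxli.com.
    MX  10 mail.linuxli.com.
; Internal addresses: the name server on ens32, web and mail on the LAN.
ns1     A       192.168.100.100
www     A       192.168.100.10
mail    A       192.168.100.20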
[root@linuxli
named]# cp -p
linuxli.com.zone.lan linuxli.com.zone.wan
[root@linuxli
named]# vim
linuxli.com.zone.wan
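$TTL 1D                 ; default TTL: cached answers live one day
; External view of linuxli.com, served to every client not matched by the
; "LAN" view.  Only the public (eth1) address may appear in this file;
; any internal address written here is disclosed to the whole Internet.
@   IN  SOA ns1.linuxli.com. root.ns1.linuxli.com. (
        2018122601  ; serial  - independent of the LAN file's serial;
                    ;           increase it on every change
        1D          ; refresh
        1H          ; retry
        1W          ; expire
        3H )        ; minimum - negative-cache TTL
; Empty owner field => the line must start with whitespace.
    NS  ns1.linuxli.com.
    MX  10 mail.linuxli.com.
; Everything maps to the gateway's external address; port forwarding on
; the gateway is what actually reaches the internal hosts.
ns1     A       192.168.60.34
www     A       192.168.60.34
mail    A       192.168.60.34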
检查区域配置文件
[root@linuxli
named]# named-checkzone
linuxli.com linuxli.com.zone.lan
zone linuxli.com/IN: loaded serial 2018122601
OK
[root@linuxli named]# named-checkzone linuxli.com linuxli.com.zone.wan
zone linuxli.com/IN: loaded serial 2018122601
OK
(3)启动或重新加载
named 服务程序
[root@linuxli
named]# systemctl restart
named
(4)内网及模拟外网的两台客户机进行测试（原文为截图,已缺失）
1>内网测试：在 192.168.100.0/24 内的客户机上执行 dig @192.168.100.100 www.linuxli.com +short,应返回 192.168.100.10（mail.linuxli.com 应返回 192.168.100.20）
2>外网测试：在模拟外网（192.168.60.0/24）的客户机上执行 dig @192.168.60.34 www.linuxli.com +short,应返回 192.168.60.34；再执行 dig @192.168.60.34 www.example.com,外网客户机不应得到递归解析结果,以确认没有把开放递归暴露到外网
来自 <http://blog.linuxli.com/2018/12/linux_network_service_6/>