Note: this article does not start by building the complete lab (master/slave under views plus subdomain delegation plus forwarding zones) in one go; we build it up step by step, from the easy parts to the hard ones.
=============================== Hands-on ===============================
Plan:
Master DNS: 192.168.0.10
Slave DNS: 192.168.0.11 (additional addresses: 192.168.0.13, 192.168.0.14)
Subdomain DNS: 192.168.0.12
Note: before any of the work below, apply the following settings on every host:
[root@localhost ~]# setenforce 0   # put SELinux into permissive mode
[root@localhost ~]# systemctl stop firewalld.service   # stop the firewall
Experiment 1: create the zones and their zone data files (performed on the master server, 192.168.0.10)
1. Edit the main configuration file:
[root@localhost ~]# vim /etc/named.conf
Change the following lines:
listen-on port 53 { any; };   # changed from listen-on port 53 { 127.0.0.1; };
allow-query { any; };         # changed from allow-query { localhost; };
After editing, check the main configuration file for syntax errors:
[root@localhost ~]# named-checkconf
Edit the zone configuration file:
[root@localhost ~]# vim /etc/named.rfc1912.zones
Append the zones you want at the end of the file. In this example we create one forward zone and the corresponding reverse zone: ljzlinux.com and 0.168.192.in-addr.arpa.
zone "ljzlinux.com" IN {
    type master;
    file "ljzlinux.com.zone";
    allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "0.168.192.zone";
    allow-update { none; };
};
2. Create the zone data files for the two zones above:
[root@localhost named]# vim /var/named/ljzlinux.com.zone   # create the forward zone data file
$TTL 600
@       IN SOA  ns1.ljzlinux.com. admin.ljzlinux.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   ns1.ljzlinux.com.
        IN NS   ns2.ljzlinux.com.
        IN MX   10 mail
ns1     IN A    192.168.0.10
ns2     IN A    192.168.0.11
mail    IN A    192.168.0.101
www.ljzlinux.com.  IN A  192.168.0.102   ; the fully qualified name is used here
www     IN A    192.168.0.103
ftp     IN CNAME www
After editing, check the zone data file for syntax errors:
[root@localhost ~]# named-checkzone ljzlinux.com /var/named/ljzlinux.com.zone
zone ljzlinux.com.zone/IN: loaded serial 0
OK
[root@localhost named]# vim /var/named/0.168.192.zone   # create the reverse zone data file
Note: the reverse zone data file can be derived from the forward zone data file; copy it with cp -a and edit. The reverse file keeps only the SOA and NS records; the A records are converted into PTR records, and the CNAME records must also be converted into PTR records.
$TTL 600
@       IN SOA  ns1.ljzlinux.com. admin.ljzlinux.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   ns1.ljzlinux.com.   ; note (common mistake): in the reverse zone the FQDN in the value must be written in full
        IN NS   ns2.ljzlinux.com.
10      IN PTR  ns1.ljzlinux.com.
11      IN PTR  ns2.ljzlinux.com.
101     IN PTR  mail.ljzlinux.com.
102     IN PTR  www.ljzlinux.com.
103     IN PTR  www.ljzlinux.com.
102     IN PTR  ftp.ljzlinux.com.
;102.0.168.192.in-addr.arpa. IN PTR ftp.ljzlinux.com.   ; this is the fully qualified form of the address owner name
After editing, check the zone data file for syntax errors:
[root@localhost named]# named-checkzone 0.168.192.in-addr.arpa /var/named/0.168.192.zone
Zone data files you create yourself must have their owner and group set to root:named and their mode set to 640:
[root@localhost named]# chown root:named ljzlinux.com.zone 0.168.192.zone
[root@localhost named]# chmod 640 ljzlinux.com.zone 0.168.192.zone
# With the steps above done, the zones and their zone data files are in place.
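As an added example (not part of the original post), the following Python derives the PTR records of 0.168.192.in-addr.arpa from the forward zone above by the rules in the note: A records become PTR records, the CNAME is followed to its target's addresses so the alias gets PTR records of its own, and every right-hand name is emitted as a FQDN. It goes one step further than the post's hand-written file: because www has two A records, ftp receives a PTR at both 102 and 103. The zone text is a constructed copy of the forward zone without its SOA header.

```python
# Constructed sample: the forward zone from experiment 1 without its $TTL/SOA header,
# using the ';' comment syntax that zone files require.
FORWARD_ZONE = """\
@       IN NS    ns1.ljzlinux.com.
        IN NS    ns2.ljzlinux.com.
        IN MX    10 mail
ns1     IN A     192.168.0.10
ns2     IN A     192.168.0.11
mail    IN A     192.168.0.101
www.ljzlinux.com.  IN A  192.168.0.102   ; fully qualified owner name
www     IN A     192.168.0.103
ftp     IN CNAME www
"""

def fqdn(name, origin):
    """Qualify a relative name against the zone origin; '@' is the origin itself."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."

def parse_forward(text, origin):
    """Return (a_records, cnames): owner FQDN -> list of IPs, alias FQDN -> target FQDN.
    A line starting with whitespace inherits the previous owner (as the NS/MX lines above do)."""
    a_records, cnames, owner = {}, {}, None
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()          # ';' starts a comment in zone files
        if not line.strip():
            continue
        fields = line.split()
        if not line[0].isspace():
            owner = fields.pop(0)
        if fields and fields[0] == "IN":           # the class field is optional
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype == "A":
            a_records.setdefault(fqdn(owner, origin), []).append(rdata[0])
        elif rtype == "CNAME":
            cnames[fqdn(owner, origin)] = fqdn(rdata[0], origin)
    return a_records, cnames

def reverse_records(a_records, cnames, prefix):
    """PTR data for one /24 (prefix like '192.168.0'): last octet -> sorted owner FQDNs.
    Addresses outside the prefix belong to another reverse zone and are skipped."""
    ptr = {}
    def add(ip, name):
        if ip.startswith(prefix + "."):
            ptr.setdefault(int(ip.rsplit(".", 1)[1]), set()).add(name)
    for name, ips in a_records.items():
        for ip in ips:
            add(ip, name)                          # A -> PTR
    for alias, target in cnames.items():           # a CNAME has no address: follow it to the
        for ip in a_records.get(target, []):       # target's A records and emit the alias
            add(ip, alias)
    return {octet: sorted(names) for octet, names in sorted(ptr.items())}

def render_reverse_zone(text, origin, prefix):
    """Body lines of the reverse zone (the $TTL/SOA/NS header is still written by hand)."""
    a_records, cnames = parse_forward(text, origin)
    ptr = reverse_records(a_records, cnames, prefix)
    return [f"{octet}\tIN PTR\t{name}" for octet, names in ptr.items() for name in names]

if __name__ == "__main__":
    print("\n".join(render_reverse_zone(FORWARD_ZONE, "ljzlinux.com", "192.168.0")))
```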
Experiment 2: building on experiment 1, implement split resolution with views:
What a view is: DNS servers have an advanced feature that lets different users who query the same domain name receive different IP addresses, so that each user is sent to the server closest to them. This is the view feature of the DNS server, and it can improve a site's response time. For example, when our site's data is mirrored on two web servers, one on a China Telecom line and one on a China Unicom line, we want users across the country to be directed automatically: Telecom users to the Telecom server and Unicom users to the Unicom server. The precondition is that the web site must have both a Telecom IP address and a Unicom IP address. This kind of resolution is often called intelligent resolution.
How views are implemented: the match-clients statement inside a view controls which client sources the view serves, and that is what produces split resolution. The basic form of a view is:
view "VIEW_NAME" {
    match-clients { IP; ACL; };   # the key statement of a view: controls access by client IP; a predefined ACL (access control list) may be used
    zone ....
};
View characteristics: all zones must be placed inside views. Views are matched top to bottom in the order they appear in the configuration file, so the zones and record files you want to be matched first should be placed as early as possible.
1. Edit the main configuration file:
Copy the root zone from /etc/named.conf into /etc/named.rfc1912.zones so that the views can cover every zone:
zone "." IN { type hint; file "named.ca"; };
Divide all zones into views: unicom, telecom and default. Each view includes all zones.
[root@localhost named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
# custom ACLs
acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };

# The view "unicom" is defined below. Note: the same zone must point to a different zone data file (file) in each view; this is how split resolution is achieved (for example, the zone data file for ljzlinux.com is ljzlinux.com.zone.unicom in the unicom view and ljzlinux.com.zone.telecom in the telecom view, and the two files give the same server different addresses).
view "unicom" {
    match-clients { unicom; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
};
# The view "telecom" is defined below.
view "telecom" {
    match-clients { telecom; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; };
    zone "1.1.1.in-addr.arpa" IN {          # changed from 0.168.192.in-addr.arpa to 1.1.1.in-addr.arpa
        type master;
        file "1.1.1.zone.telecom";          # note the changed file name
        allow-update { none; };
    };
};
# The default view is defined below; clients that match neither unicom nor telecom end up here.
view "default" {
    match-clients { any; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
};
2. Edit the zone data files:
Create the forward zone data file ljzlinux.com.zone.unicom: # this file keeps the original content, so nothing changes except the file name
[root@localhost named]# cp -a ljzlinux.com.zone ljzlinux.com.zone.unicom
Create the forward zone data file ljzlinux.com.zone.telecom:
[root@localhost named]# cp -a ljzlinux.com.zone ljzlinux.com.zone.telecom
[root@localhost named]# vim ljzlinux.com.zone.telecom
$TTL 600
@       IN SOA  ns1.ljzlinux.com. admin.ljzlinux.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   ns1.ljzlinux.com.
        IN NS   ns2.ljzlinux.com.
        IN MX   10 mail
ns1     IN A    1.1.1.10
ns2     IN A    1.1.1.11
mail    IN A    1.1.1.101
www.ljzlinux.com.  IN A  1.1.1.102
www     IN A    1.1.1.103
ftp     IN CNAME www
Create the reverse zone data file 0.168.192.zone.unicom:
[root@localhost named]# cp -a 0.168.192.zone 0.168.192.zone.unicom
Create the reverse zone data file 1.1.1.zone.telecom:
[root@localhost named]# cp -a 0.168.192.zone 1.1.1.zone.telecom
[root@localhost named]# vim 1.1.1.zone.telecom
# Because my reverse zone data file uses the short (last-octet) form of the addresses, and I changed the zone name in the configuration to 1.1.1.in-addr.arpa, the completed addresses are exactly the ones we need, so nothing has to be changed.
# If your addresses are not written in the short form, change them to the addresses that correspond to the forward zone.
The view configuration is now complete.
Run the following tests:
[root@localhost named]# ifconfig eno16777736:0 1.1.1.10/24   # add an address in 1.1.1.0/24, making this server also the DNS server at 1.1.1.10
[root@localhost named]# ifconfig eno16777736:1 11.11.11.10/24   # add an address in 11.11.11.0/24
[root@localhost named]# dig -t A www.ljzlinux.com @192.168.0.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15217
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 192.168.0.103
www.ljzlinux.com. 600 IN A 192.168.0.102
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 8 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Wed Jan 18 08:44:17 EST 2017
;; MSG SIZE rcvd: 145
Reverse resolution:
[root@localhost ~]# dig -x 192.168.0.103 @192.168.0.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.103 @192.168.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9916
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Thu Jan 19 07:17:54 EST 2017
;; MSG SIZE rcvd: 153
[root@localhost named]# dig -t A www.ljzlinux.com @1.1.1.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @1.1.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57698
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 1.1.1.102
www.ljzlinux.com. 600 IN A 1.1.1.103
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 1.1.1.10
ns2.ljzlinux.com. 600 IN A 1.1.1.11
;; Query time: 0 msec
;; SERVER: 1.1.1.10#53(1.1.1.10)
;; WHEN: Wed Jan 18 08:40:33 EST 2017
;; MSG SIZE rcvd: 145
Reverse resolution test:
[root@localhost ~]# dig -x 1.1.1.103 @1.1.1.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.103 @1.1.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56412
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.1.1.1.in-addr.arpa. 600 IN PTR www.ljzlinux.com.
;; AUTHORITY SECTION:
1.1.1.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
1.1.1.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 1.1.1.10
ns2.ljzlinux.com. 600 IN A 1.1.1.11
;; Query time: 0 msec
;; SERVER: 1.1.1.10#53(1.1.1.10)
;; WHEN: Thu Jan 19 07:16:07 EST 2017
;; MSG SIZE rcvd: 149
[root@localhost named]# dig -t A www.ljzlinux.com @11.11.11.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @11.11.11.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49483
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 192.168.0.102
www.ljzlinux.com. 600 IN A 192.168.0.103
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 11.11.11.10#53(11.11.11.10)
;; WHEN: Wed Jan 18 08:45:36 EST 2017
;; MSG SIZE rcvd: 145
[root@localhost ~]# dig -x 192.168.0.103 @11.11.11.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.103 @11.11.11.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10269
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 11.11.11.10#53(11.11.11.10)
;; WHEN: Thu Jan 19 07:19:41 EST 2017
;; MSG SIZE rcvd: 153
As you can see, querying the same nameserver through different source addresses yields different resolution results.
Experiment 3: master/slave DNS server configuration (built on the above):
Purpose: if only one DNS server is running and it goes down, service is lost. Master/slave DNS exists so that when one server fails, the other can still serve normally. The master's and the slave's zone data (zone data files) are identical: the slave's copy is transferred in full from the master. For both servers to be able to answer queries, both nameservers must be defined in the master's zone data (for example ns1 and ns2 in experiment 1).
How it is done: in the master's zone, use allow-transfer { IP; }; to specify the slave address that is allowed to transfer the zone, and in the same zone on the slave use masters { IP; }; to specify which master to transfer from. So for master/slave replication every zone needs both settings, allow-transfer on the master and masters on the slave; neither can be omitted.
1. In the master's configuration, edit the zones that are to be transferred (in this example ljzlinux.com and its reverse zone 0.168.192.in-addr.arpa):
[root@localhost named]# vim /etc/named.rfc1912.zones
# add the statement allow-transfer { 192.168.0.11; }; to each zone that needs it
..... earlier part omitted .....
zone "ljzlinux.com" IN {
    type master;
    file "ljzlinux.com.zone";
    allow-update { none; };
    allow-transfer { 192.168.0.11; };   # newly added (note the closing semicolon after the braces)
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "0.168.192.zone";
    allow-update { none; };
    allow-transfer { 192.168.0.11; };   # newly added
};
2. Edit the corresponding zones in the slave's configuration:
The slave's configuration can be copied from the master and then edited:
[root@localhost named]# scp -p 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones
[root@localhost named]# vim /etc/named.rfc1912.zones
..... earlier part omitted .....
zone "ljzlinux.com" IN {
    type slave;                          # changed from type master;
    file "slaves/ljzlinux.com.zone";     # changed from file "ljzlinux.com.zone";
    allow-update { none; };
    masters { 192.168.0.10; };           # newly added
    masterfile-format text;              # use this if the file transferred into the slaves directory looks garbled
};
zone "0.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/0.168.192.zone";
    allow-update { none; };
    masters { 192.168.0.10; };           # newly added
    masterfile-format text;
};
The simple master/slave DNS setup is now complete.
Experiment 4: master/slave DNS servers under views:
Difference from the simple master/slave setup: with views, each view on the master must be transferred from a different address on the slave; the same address cannot be used to transfer several views, so the slave needs as many addresses as the master has views.
How it is done: the master is configured as in the simple case, with allow-transfer { IP; }; in each view (or zone) naming the slave address allowed to transfer, except that every view must use a different slave address, with no repeats. On the slave, on top of the simple configuration, add transfer-source IP; to specify which of the slave's addresses this view uses for its transfers; note that this address is not enclosed in braces. Also, for the same view on master and slave, the master's allow-transfer { IP; } and the slave's transfer-source IP; must agree, otherwise the transfer connection cannot be established. So for master/slave replication under views, every zone needs allow-transfer, transfer-source and masters, all three specified; none can be omitted.
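As an added example (not part of the original post), this Python script cross-checks a master and a slave configuration for the three rules stated above: the allow-transfer address of each view on the master must equal the slave's transfer-source for that view, that address must fall into the same view on the master (the first match-clients that covers it wins, with `!` excluding), and every view must contain every zone, which is the cause of the SERVFAIL seen later in this experiment. The two configurations are constructed, abbreviated copies of the ones in this experiment with two faults planted on purpose; named ACLs are expanded, while BIND's built-in localhost/localnets ACLs are not modelled.

```python
import re
import ipaddress

# Constructed, abbreviated master and slave configs in the layout used above (boilerplate
# localhost zones left out). Two faults are planted on purpose: the slave's "telecom" view
# reuses transfer-source 192.168.0.11, and the master's "unicom" view lacks 1.1.1.in-addr.arpa.
MASTER_CONF = """
acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };
view "unicom" {
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };
    allow-transfer { 192.168.0.11; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; };
};
view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };
    allow-transfer { 192.168.0.13; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; };
    zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; };
};
"""
SLAVE_CONF = """
view "unicom" {
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };
    transfer-source 192.168.0.11;
    zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.unicom"; masters { 192.168.0.10; }; };
};
view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };
    transfer-source 192.168.0.11;   # planted fault: the master's allow-transfer for this view is 192.168.0.13
    zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.telecom"; masters { 192.168.0.10; }; };
};
"""

def parse(text):
    """Strip comments and tokenize; a statement becomes a word list, with any { } block nested last."""
    text = re.sub(r"(//|#)[^\n]*", " ", re.sub(r"/\*.*?\*/", " ", text, flags=re.S))
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
    stack, stmts, cur = [], [], []
    for tok in tokens:
        if tok == "{":                      # open block: shelve the statement being built
            stack.append((stmts, cur))
            stmts, cur = [], []
        elif tok == "}":                    # close block: it becomes that statement's last element
            block, (stmts, cur) = stmts, stack.pop()
            cur.append(block)
        elif tok == ";":
            if cur:
                stmts.append(cur)
            cur = []
        else:
            cur.append(tok.strip('"'))
    return stmts

def load(conf):
    """acl name -> elements; view name -> {match, transfer, zones}; transfer is allow-transfer (master) or transfer-source (slave)."""
    stmts = parse(conf)
    acls = {s[1]: [e[0] for e in s[-1]] for s in stmts if s[0] == "acl"}
    views = {}
    for s in (s for s in stmts if s[0] == "view"):
        v = views[s[1]] = {"match": [], "transfer": None, "zones": set()}
        for st in s[-1]:
            if st[0] == "match-clients":
                v["match"] = [e[0] for e in st[-1]]
            elif st[0] == "allow-transfer":
                v["transfer"] = st[-1][0][0]
            elif st[0] == "transfer-source":
                v["transfer"] = st[1]
            elif st[0] == "zone":
                v["zones"].add(st[1])
    return acls, views

def matches(ip, elements, acls):
    """Address-match-list semantics: the first covering element decides, '!' rejects, no match rejects."""
    addr = ipaddress.ip_address(ip)
    for elem in elements:
        neg, e = elem.startswith("!"), elem.lstrip("!")
        if e in acls:
            hit = matches(ip, acls[e], acls)   # named ACL: expand recursively
        else:
            hit = e == "any" or addr in ipaddress.ip_network(e, strict=False)
        if hit:
            return not neg
    return False

def check(master_conf, slave_conf):
    """Per view: allow-transfer == transfer-source, that address must select the same view on the master, every view carries every zone."""
    acls, master = load(master_conf)
    slave = load(slave_conf)[1]
    all_zones = set().union(*(v["zones"] for v in master.values()))
    problems = []
    for name, mv in master.items():
        src = slave.get(name, {}).get("transfer")
        if mv["transfer"] != src:
            problems.append(f"{name}: allow-transfer {mv['transfer']} != transfer-source {src}")
        landing = next((n for n, v in master.items() if src and matches(src, v["match"], acls)), None)
        if landing != name:
            problems.append(f"{name}: transfer-source {src} would land in view {landing} on the master")
        missing = sorted(all_zones - mv["zones"])
        if missing:
            problems.append(f"{name}: zones missing from this view: {', '.join(missing)}")
    return problems

if __name__ == "__main__":
    print("\n".join(check(MASTER_CONF, SLAVE_CONF)))
```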
Note: this experiment is performed on top of the view setup:
1. Edit the master DNS server's main configuration file:
[root@localhost named]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };
view "unicom" {
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };   # the slave address that synchronises this view must be added to match-clients; !192.168.0.13 means that address is excluded
    allow-transfer { 192.168.0.11; };   # added: allow-transfer permits the slave address that may synchronise this view (note that allow-transfer has a different scope depending on where it is placed)
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
};
view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };   # changed
    allow-transfer { 192.168.0.13; };   # newly added
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; };
    zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; };
};
view "default" {
    match-clients { !192.168.0.11; !192.168.0.13; 192.168.0.14; any; };   # changed
    allow-transfer { 192.168.0.14; };   # newly added
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
};
2. Edit the slave server's main configuration file:
We copy the master's configuration files over and edit them:
[root@localhost ~]# scp -p 192.168.0.10:/etc/named.conf /etc/named.conf
[root@localhost ~]# scp -p 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones
[root@localhost ~]# vim /etc/named.rfc1912.zones
[root@localhost slaves]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };
view "unicom" {
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };
    transfer-source 192.168.0.11;   # changed from allow-transfer to transfer-source; the address stays the same and the braces are removed (the other views are changed the same way)
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN {
        type slave;
        file "slaves/ljzlinux.com.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;   # use this option when the file transferred from the master looks garbled; it may appear only once per zone
    };
    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/0.168.192.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
};
view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };
    transfer-source 192.168.0.13;
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; };
    zone "1.1.1.in-addr.arpa" IN { type slave; file "slaves/1.1.1.zone.telecom"; masters { 192.168.0.10; }; masterfile-format text; };
};
view "default" {
    match-clients { !192.168.0.11; !192.168.0.13; 192.168.0.14; any; };
    transfer-source 192.168.0.14;
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type slave; file "slaves/ljzlinux.com.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; };
    zone "0.168.192.in-addr.arpa" IN { type slave; file "slaves/0.168.192.zone.unicom"; masters { 192.168.0.10; }; masterfile-format text; };
};
Because the file was copied from the master, its owner and group need to be changed:
[root@localhost ~]# chown root:named /etc/named.rfc1912.zones
3. Add two IP addresses to the slave server:
[root@localhost slaves]# cd /etc/sysconfig/network-scripts/
[root@localhost network-scripts]# cp ifcfg-eno16777736 ifcfg-eno16777736:0
[root@localhost network-scripts]# vim ifcfg-eno16777736:0
Change the following lines:
NAME=eno16777736:0
DEVICE=eno16777736:0
IPADDR=192.168.0.13
[root@localhost network-scripts]# cp ifcfg-eno16777736 ifcfg-eno16777736:1
[root@localhost network-scripts]# vim ifcfg-eno16777736:1
Change the following lines:
NAME=eno16777736:1
DEVICE=eno16777736:1
IPADDR=192.168.0.14
Restart the network service:
[root@localhost network-scripts]# systemctl restart network.service
Restart the named service:
[root@localhost slaves]# systemctl restart named.service
4. Test resolution against the slave DNS server:
First shut down the master DNS server.
Then add two more addresses in different subnets to the slave, to test requests arriving from different subnets:
[root@localhost slaves]# ifconfig eno16777736:2 1.1.1.11/24
[root@localhost slaves]# ifconfig eno16777736:3 11.11.11.11/24
Restart the named service:
[root@localhost slaves]# systemctl restart named
Now the actual tests:
[root@localhost slaves]# dig -t A www.ljzlinux.com @192.168.0.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55341
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 192.168.0.102
www.ljzlinux.com. 600 IN A 192.168.0.103
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Thu Jan 19 09:56:02 EST 2017
;; MSG SIZE rcvd: 145
Resolution succeeded!
[root@localhost slaves]# dig -x 192.168.0.103 @192.168.0.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x192.168.0.103 @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62294
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;103.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
103.0.168.192.in-addr.arpa. 600 IN PTR www.ljzlinux.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Thu Jan 19 09:56:31 EST 2017
;; MSG SIZE rcvd: 153
Resolution succeeded!
[root@localhost named]# dig -x 1.1.1.102 @192.168.0.10
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.102 @192.168.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1686
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;102.1.1.1.in-addr.arpa. IN PTR
;; Query time: 1060 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Fri Jan 20 08:58:56 EST 2017
;; MSG SIZE rcvd: 51
Resolution failed! Why is that? Recall that, under views, to achieve split resolution and improve the site's response time we gave one host addresses in two different subnets: for example www.ljzlinux.com has 192.168.0.103 (which we take to be the Unicom address) and 1.1.1.103 (which we take to be the Telecom address), so that Unicom users reach it through the Unicom address and Telecom users through the Telecom address. But a request coming from the nameserver 192.168.0.10 itself is also subject to the view rules, and with the configuration above reverse resolution from that address can only resolve hosts in 192.168.0.0/24, not hosts in 1.1.1.0/24, because in view "unicom" we configured only zone "0.168.192.in-addr.arpa" and not zone "1.1.1.in-addr.arpa".
Summary: as the example shows, for a Unicom user (192.168.0.10) to reverse-resolve both the Unicom address (192.168.0.103) and the Telecom address (1.1.1.103), the Unicom view must contain the reverse zone data for all subnets.
[root@localhost slaves]# dig -t A www.ljzlinux.com @1.1.1.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @1.1.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9442
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 1.1.1.102
www.ljzlinux.com. 600 IN A 1.1.1.103
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 1.1.1.10
ns2.ljzlinux.com. 600 IN A 1.1.1.11
;; Query time: 0 msec
;; SERVER: 1.1.1.11#53(1.1.1.11)
;; WHEN: Thu Jan 19 09:56:59 EST 2017
;; MSG SIZE rcvd: 145
[root@localhost slaves]# dig -x 1.1.1.101 @1.1.1.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 1.1.1.101 @1.1.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12199
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;101.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
101.1.1.1.in-addr.arpa. 600 IN PTR mail.ljzlinux.com.
;; AUTHORITY SECTION:
1.1.1.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
1.1.1.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 1.1.1.10
ns2.ljzlinux.com. 600 IN A 1.1.1.11
;; Query time: 0 msec
;; SERVER: 1.1.1.11#53(1.1.1.11)
;; WHEN: Thu Jan 19 09:57:37 EST 2017
;; MSG SIZE rcvd: 150
[root@localhost slaves]# dig -t A www.ljzlinux.com @11.11.11.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @11.11.11.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7303
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com. IN A
;; ANSWER SECTION:
www.ljzlinux.com. 600 IN A 192.168.0.103
www.ljzlinux.com. 600 IN A 192.168.0.102
;; AUTHORITY SECTION:
ljzlinux.com. 600 IN NS ns2.ljzlinux.com.
ljzlinux.com. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 11.11.11.11#53(11.11.11.11)
;; WHEN: Thu Jan 19 09:57:50 EST 2017
;; MSG SIZE rcvd: 145
[root@localhost slaves]# dig -x 192.168.0.101 @11.11.11.11
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -x 192.168.0.101 @11.11.11.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58867
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;101.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
101.0.168.192.in-addr.arpa. 600 IN PTR mail.ljzlinux.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns2.ljzlinux.com.
0.168.192.in-addr.arpa. 600 IN NS ns1.ljzlinux.com.
;; ADDITIONAL SECTION:
ns1.ljzlinux.com. 600 IN A 192.168.0.10
ns2.ljzlinux.com. 600 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: 11.11.11.11#53(11.11.11.11)
;; WHEN: Thu Jan 19 09:58:09 EST 2017
;; MSG SIZE rcvd: 154
Extension: for clients in every view to be able to reverse-resolve the addresses belonging to every view, each view must contain all the reverse zones. In the example above that means both zone "1.1.1.in-addr.arpa" and zone "0.168.192.in-addr.arpa", so the configuration files become the following:
Master server's main configuration file:
[root@localhost slaves]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };
view "unicom" {
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };
    allow-transfer { 192.168.0.11; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    # zone "ljzlinux.com" lets Unicom users resolve only the addresses in the Unicom subnet
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
    zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; };
    # the two reverse zones above let Unicom users reverse-resolve both Unicom-subnet and Telecom-subnet addresses; with only zone "0.168.192.in-addr.arpa", a reverse lookup of a 1.1.1.x address from a 192.168.0.x client cannot be completed
};
view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };
    allow-transfer { 192.168.0.13; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.telecom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
    zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; };
};
view "default" {
    match-clients { !192.168.0.11; !192.168.0.13; 192.168.0.14; any; };
    allow-transfer { 192.168.0.14; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; };
    zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; };
    zone "ljzlinux.com" IN { type master; file "ljzlinux.com.zone.unicom"; allow-update { none; }; };
    zone "0.168.192.in-addr.arpa" IN { type master; file "0.168.192.zone.unicom"; allow-update { none; }; };
    zone "1.1.1.in-addr.arpa" IN { type master; file "1.1.1.zone.telecom"; allow-update { none; }; };
};
The slave server's main configuration file:
[root@localhost slaves]# scp 192.168.0.10:/etc/named.rfc1912.zones /etc/named.rfc1912.zones
[root@localhost slaves]# vim /etc/named.rfc1912.zones
# Main changes: transfer-source; type slave; file "slaves/ljzlinux.com.zone.unicom"; masters { 192.168.0.10; };
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl "unicom" { 192.168.0.0/24; };
acl "telecom" { 1.1.1.0/24; };

view "unicom" {
    # The IP address the slave uses to sync this view must be listed in match-clients.
    # !192.168.0.13 means that IP is excluded. (The other views are modified the same way.)
    match-clients { 192.168.0.11; !192.168.0.13; !192.168.0.14; unicom; };
    # Added: the source address that allow-transfer on the master permits to sync. (The other views are modified the same way.)
    transfer-source 192.168.0.11;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };
    # All the other zones are modified following this template
    zone "ljzlinux.com" IN {
        type slave;                               # change the type to slave
        file "slaves/ljzlinux.com.zone.unicom";   # note the changed location of the zone file on the slave
        masters { 192.168.0.10; };                # add this line and remove allow-update
        masterfile-format text;
    };
    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/0.168.192.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
    zone "1.1.1.in-addr.arpa" IN {
        type slave;
        file "slaves/1.1.1.zone.telecom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
};

view "telecom" {
    match-clients { !192.168.0.11; 192.168.0.13; !192.168.0.14; telecom; };
    transfer-source 192.168.0.13;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };
    zone "ljzlinux.com" IN {
        type slave;
        file "slaves/ljzlinux.com.zone.telecom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/0.168.192.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
    zone "1.1.1.in-addr.arpa" IN {
        type slave;
        file "slaves/1.1.1.zone.telecom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
};

view "default" {
    match-clients { !192.168.0.11; !192.168.0.13; 192.168.0.14; any; };
    transfer-source 192.168.0.14;
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };
    zone "ljzlinux.com" IN {
        type slave;
        file "slaves/ljzlinux.com.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
    zone "0.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/0.168.192.zone.unicom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
    zone "1.1.1.in-addr.arpa" IN {
        type slave;
        file "slaves/1.1.1.zone.telecom";
        masters { 192.168.0.10; };
        masterfile-format text;
    };
};
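The master and slave configurations above only work because BIND evaluates match-clients with first-match semantics: the slave's three transfer-source addresses all fall inside the unicom ACL (192.168.0.0/24), so each view has to exclude the other two with "!" before the ACL name is consulted. The following Python script is an added example, not part of the original post; it models that rule with the ACLs and match-clients lists copied from the master's file, plus a stripped-down variant without the negations (NAIVE_VIEWS) and a set of constructed client addresses, to show which view each client lands in.

```python
"""Model BIND's first-match address-match-list rule to see which view a client lands in.

Added example, not part of the original post. ACLS and VIEWS are copied from the
master's named.rfc1912.zones; NAIVE_VIEWS and the client addresses are constructed.
"""
import ipaddress

# Named ACLs as defined on the master.
ACLS = {
    "unicom": ["192.168.0.0/24"],
    "telecom": ["1.1.1.0/24"],
}

# Views in configuration order (named tests them top to bottom and uses the first hit).
VIEWS = [
    ("unicom", ["192.168.0.11", "!192.168.0.13", "!192.168.0.14", "unicom"]),
    ("telecom", ["!192.168.0.11", "192.168.0.13", "!192.168.0.14", "telecom"]),
    ("default", ["!192.168.0.11", "!192.168.0.13", "192.168.0.14", "any"]),
]

# Constructed comparison: the same views without the negated slave addresses.
NAIVE_VIEWS = [
    ("unicom", ["unicom"]),
    ("telecom", ["telecom"]),
    ("default", ["any"]),
]


def element_matches(element, ip, acls):
    """True if one non-negated element (address, prefix, ACL name, any/none) covers ip."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        # Nested ACL: counts as a hit when the nested list matches positively.
        # (Negated entries inside nested ACLs are not modelled; the page's ACLs have none.)
        return match_list(acls[element], ip, acls) is True
    return ip in ipaddress.ip_network(element, strict=False)


def match_list(elements, ip, acls):
    """First-match semantics of a BIND address match list.

    Returns True on a positive hit, False when the first hit is a negated ("!")
    element, and None when no element matches at all.
    """
    for element in elements:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!"), ip, acls):
            return not negated
    return None


def select_view(client, views=VIEWS, acls=ACLS):
    """Return the name of the first view whose match-clients accepts client, or None."""
    ip = ipaddress.ip_address(client)
    for name, match_clients in views:
        if match_list(match_clients, ip, acls) is True:
            return name
    return None  # no view matched: named refuses the query


if __name__ == "__main__":
    for client in ["192.168.0.11", "192.168.0.13", "192.168.0.14",
                   "192.168.0.50", "1.1.1.7", "8.8.8.8"]:
        print(f"{client:>14}  full config -> {select_view(client):<8} "
              f"without negations -> {select_view(client, NAIVE_VIEWS)}")
```

With the full lists, 192.168.0.11, .13 and .14 land in unicom, telecom and default respectively, which is exactly what the per-view transfer-source on the slave relies on; with NAIVE_VIEWS all three fall into unicom and the telecom and default zone copies would never transfer. Note that both view selection and allow-transfer here rest entirely on the source address; BIND also accepts key "name"; elements in match-clients and allow-transfer, which ties view selection and zone transfers to a TSIG secret instead of an IP.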
Experiment 5: Subdomain delegation and forward zone (192.168.0.13)
Subdomain delegation: put simply, the NS and A records of an already created subdomain are written into the parent domain's zone data file, so the server knows the subdomain exists. When a client asks the parent domain to resolve a name in this smaller zone (the subdomain), the parent only needs to find the subdomain's DNS server and hand the request over to it. This reduces the load on the parent DNS server and also makes management easier.
1. Create the subdomain tech.ljzlinux.com
[root@localhost named]# vim /etc/named.rfc1912.zones
# Append the tech.ljzlinux.com zone to the configuration file
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
# Add the subdomain
zone "tech.ljzlinux.com." IN {
    type master;
    file "tech.ljzlinux.com.zone";
    allow-update { none; };
};
2. Create the zone data file for tech.ljzlinux.com
[root@localhost named]# vim tech.ljzlinux.com.zone
$TTL 600
@ IN SOA ns1.tech.ljzlinux.com. dnsadmin.tech.ljzlinux.com. ( 20170115 2H 10M 3D 12H )
@    IN NS ns1
     IN MX 10 mail
ns1  IN A 192.168.0.12
mail IN A 192.168.0.121
www  IN A 192.168.0.122
At this point the subdomain on server 192.168.0.12 is complete.
3. Implementing the delegation: add the subdomain's NS and A records to the parent zone's data file (reverse-lookup delegation of a subdomain is more involved and is outside the scope of this experiment)
Host: 192.168.0.10
[root@localhost named]# vim ljzlinux.com.zone.unicom
$TTL 600
@ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. (
        0  ; serial (slaves only transfer the zone when this value increases, so raise it after editing)
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
@    IN NS ns1.ljzlinux.com.
     IN NS ns2.ljzlinux.com.
     IN MX 10 mail
ns1  IN A 192.168.0.10
ns2  IN A 192.168.0.11
mail IN A 192.168.0.101
www.ljzlinux.com. IN A 192.168.0.102
www  IN A 192.168.0.103
ftp  IN CNAME www
; delegation of tech.ljzlinux.com: the relative name ns1 expands to ns1.ljzlinux.com.,
; so ns1.ljzlinux.com. now has two A records (192.168.0.10 and 192.168.0.12)
tech IN NS ns1
ns1  IN A 192.168.0.12
4. Test the subdomain delegation:
[root@localhost named]# dig -t A www.tech.ljzlinux.com @192.168.0.10

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.tech.ljzlinux.com @192.168.0.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51406
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tech.ljzlinux.com.		IN	A

;; ANSWER SECTION:
www.tech.ljzlinux.com.	600	IN	A	192.168.0.122

;; AUTHORITY SECTION:
tech.ljzlinux.com.	600	IN	NS	ns1.tech.ljzlinux.com.

;; ADDITIONAL SECTION:
ns1.tech.ljzlinux.com.	600	IN	A	192.168.0.12

;; Query time: 6 msec
;; SERVER: 192.168.0.10#53(192.168.0.10)
;; WHEN: Sat Jan 21 08:01:14 EST 2017
;; MSG SIZE  rcvd: 100
Resolution succeeded!
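Steps 2 and 3 hand-edit two zone files, and the delegation in step 3 reuses the parent's own name server name (tech IN NS ns1 plus a second A record for ns1), which is why the later forward-zone test shows ns1.ljzlinux.com. with both 192.168.0.10 and 192.168.0.12. The script below is an added example, not from the original post: a small parser for the zone-file syntax these files use ($TTL, @, relative names, inherited owners, ";" comments, the parenthesised SOA) and a delegation check run over a constructed copy of the parent zone, beside a constructed variant (PARENT_ZONE_FIXED) that delegates to a dedicated name inside the child zone.

```python
"""Parse the experiment's parent zone file and lint its subdomain delegation.

Added example, not part of the original post. PARENT_ZONE is a constructed copy of
ljzlinux.com.zone.unicom after step 3; PARENT_ZONE_FIXED is a constructed alternative.
parse_zone() covers only the syntax those files use, not the full master-file format.
"""
import re

ORIGIN = "ljzlinux.com."

# Constructed: the parent zone after step 3 (delegation appended at the end).
PARENT_ZONE = """\
$TTL 600
@ IN SOA ns1.ljzlinux.com. admin.ljzlinux.com. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
@ IN NS ns1.ljzlinux.com.
  IN NS ns2.ljzlinux.com.
  IN MX 10 mail
ns1 IN A 192.168.0.10
ns2 IN A 192.168.0.11
mail IN A 192.168.0.101
www.ljzlinux.com. IN A 192.168.0.102
www IN A 192.168.0.103
ftp IN CNAME www
tech IN NS ns1
ns1 IN A 192.168.0.12
"""

# Constructed alternative: the delegation points at a name inside the child zone.
PARENT_ZONE_FIXED = PARENT_ZONE.replace(
    "tech IN NS ns1\nns1 IN A 192.168.0.12\n",
    "tech IN NS ns1.tech\nns1.tech IN A 192.168.0.12\n",
)

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(token):
    """'600' -> 600, '1D' -> 86400."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", token.upper())
    return int(m.group(1)) * TTL_UNITS.get(m.group(2), 1)


def fqdn(name, origin):
    """Expand @ and relative names the way named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, ttl, type, rdata) with all names made absolute."""
    text = re.sub(r";[^\n]*", "", text)  # strip comments (no quoted TXT data here)
    # Join physical lines until parentheses balance, so the SOA becomes one logical line.
    logical, buf, depth = [], "", 0
    for line in text.splitlines():
        buf = f"{buf} {line}" if depth else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    records, default_ttl, owner = [], None, origin
    for line in logical:
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():  # a leading blank means "same owner as the previous record"
            owner = fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        if re.fullmatch(r"\d+[SMHDWsmhdw]?", tokens[0]):
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = (fqdn(tokens[0], origin),)
        elif rtype == "MX":
            rdata = (int(tokens[0]), fqdn(tokens[1], origin))
        else:
            rdata = tuple(tokens)
        records.append((owner, ttl, rtype, rdata))
    return records


def check_delegation(records, origin):
    """Lint NS records that delegate a child of origin; return a list of findings."""
    addresses = {}
    for owner, _, rtype, rdata in records:
        if rtype == "A":
            addresses.setdefault(owner, []).append(rdata[0])
    findings = []
    for owner, _, rtype, rdata in records:
        if rtype != "NS" or owner == origin:
            continue  # only delegations, not the zone's own NS set
        target = rdata[0]
        glue = addresses.get(target, [])
        if target.endswith("." + origin) and not glue:
            findings.append(f"{owner} -> {target}: in-zone name server has no glue A record")
        elif len(glue) > 1:
            findings.append(f"{owner} -> {target}: name has {len(glue)} A records {sorted(glue)}; "
                            f"use a dedicated name such as ns1.{owner}")
    return findings


if __name__ == "__main__":
    for label, text in (("as written", PARENT_ZONE), ("fixed", PARENT_ZONE_FIXED)):
        print(label, check_delegation(parse_zone(text, ORIGIN), ORIGIN) or ["no findings"])
```

The check flags the page's delegation because ns1.ljzlinux.com. now carries two addresses, so a resolver following the referral may pick the parent's own 192.168.0.10 instead of the child server; the fixed variant yields no findings. Whichever form is used, the SOA serial has to be raised after the edit for the slaves to pick the new records up.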
5. Create a forward zone: requests to resolve the parent domain are forwarded to the parent domain's DNS servers. (If the forward zone cannot resolve, comment out include "/etc/named.root.key"; in the main configuration file: that include loads the root DNSSEC trust anchor, and the validator cannot prove this private, unsigned zone insecure, so it rejects the forwarded answers.)
Append a forward zone for ljzlinux.com to the subdomain server's main configuration file
# Create a forward zone for the parent domain (ljzlinux.com): all requests to resolve the parent domain are forwarded to the parent domain's DNS servers
zone "ljzlinux.com" IN {
    type forward;
    # forward first: forward first, and if that fails resolve via the root servers
    # forward only: forward only; if that fails, never fall back to the root servers
    forward first;
    # With zone type forward, only requests for the parent domain ljzlinux.com are forwarded to 192.168.0.10.
    # Defined under options instead, forwarding is global: every zone this server is not responsible for is forwarded to 192.168.0.10.
    forwarders { 192.168.0.10; 192.168.0.11; };
};
Test:
[root@localhost named]# dig -t A www.ljzlinux.com @192.168.0.12

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> -t A www.ljzlinux.com @192.168.0.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11232
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ljzlinux.com.		IN	A

;; ANSWER SECTION:
www.ljzlinux.com.	443	IN	A	192.168.0.103
www.ljzlinux.com.	443	IN	A	192.168.0.102

;; AUTHORITY SECTION:
ljzlinux.com.		443	IN	NS	ns1.ljzlinux.com.
ljzlinux.com.		443	IN	NS	ns2.ljzlinux.com.

;; ADDITIONAL SECTION:
ns2.ljzlinux.com.	443	IN	A	192.168.0.11
ns1.ljzlinux.com.	443	IN	A	192.168.0.10
ns1.ljzlinux.com.	443	IN	A	192.168.0.12

;; Query time: 0 msec
;; SERVER: 192.168.0.12#53(192.168.0.12)
;; WHEN: Sat Jan 21 09:41:49 EST 2017
;; MSG SIZE  rcvd: 161
Resolution succeeded!
All configuration files used in this article will be shared as attachments.