4. DNS forward and reverse resolution, master/slave replication, subdomain delegation and zone forwarding: study notes

DNS: Domain Name Service

Listening port: UDP/TCP port 53

Implementations: BIND (Berkeley Internet Name Domain), PowerDNS, dnsmasq


FQDN: Fully Qualified Domain Name

Forward resolution: FQDN --> IP

Reverse resolution: IP --> FQDN


Queries:

Recursive query (recursion): used between a client and its local DNS server (the DNS server a client points at must be one that allows recursion for that host)

Iterative query (iteration): used between the local DNS server and the root servers and other DNS servers


Resource record: Resource Record (RR)

Resource records have types; the type determines what the record is used for

SOA (Start Of Authority)   start of authority    states who is responsible for managing the zone

NS (Name Server)           name server           names an NS server for the zone

MX (Mail eXchanger)        mail exchanger        names an MX server for the zone

A (Address)                FQDN --> IP

PTR (PoinTeR)              IP --> FQDN

CNAME (Canonical Name)     alias record


DNS server types:

Primary (master) DNS server

Secondary (slave) DNS server

Caching name server (has only three zones: root, localhost and 127.0.0.1; it is not authoritative for any domain and only caches the answers it resolves locally)


Forward and reverse resolution work differently and should not be kept in the same zone database file


DNS database files (zone data files; each zone has its own name): text files that may contain only resource records or macro definitions


Resource record format:

name        [ttl]        IN        RRtype        Value

            cache time


SOA: exactly one (must be the first record in the zone database file)

name    zone name, e.g. kaiyuandiantang.com., usually abbreviated as @

value   FQDN of the primary DNS server


@    600    IN    SOA    ns1.kaiyuandiantang.com.  admin.kaiyuandiantang.com.(

serial number ;serial number: a decimal number of at most 10 digits, usually date-based, e.g. 2017090601

refresh time  ;refresh interval: how often the secondary checks the primary for changes

retry time    ;retry interval after a failed refresh; should be less than the refresh time

expire time   ;expire time: how long the secondary keeps serving after the primary becomes unreachable; once it expires, the secondary stops serving the zone too

negative answer ttl  ;TTL for negative answers

)


NS: there may be several

name    zone name, usually abbreviated as @

value   FQDN of a DNS server (a relative name may be used)

@    600     IN    NS    ns1


MX: there may be several

name    zone name; identifies the SMTP server(s) for the domain

value   preference followed by an FQDN (preference: 0-99; the lower the number, the higher the priority)

@    600     IN     MX  10  mail


A: may only be defined in a forward zone database file

name    FQDN (a relative name may be used)

value   IP address

www    600    IN     A     192.168.130.1


CNAME: 

name    FQDN

value   FQDN


ftp     600    IN     CNAME      www


PTR: IP --> FQDN; may only be defined in a reverse zone data file. The reverse zone name is the network address in reverse octet order followed by the .in-addr.arpa. suffix

name    IP, written as the reversed host address; for 192.168.130.1 the name is 1, and its full form is 1.130.168.192.in-addr.arpa.

value   FQDN

3    600  IN  PTR  www.kaiyuandiantang.com.


Any resource record whose value is an FQDN should be accompanied by an A record for that FQDN
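To make the record rules above concrete, here is an added Python example (not code from the original notes) that builds a forward zone and the matching in-addr.arpa reverse zone from one host table: it computes the reversed network and host names for the PTR records, writes the SOA first, and refuses to emit an NS or MX record whose target has no A record. The zone name, network and host addresses are constructed to match the notes' sample setup, and the helper names are the example's own.

```python
"""Build a forward zone and its matching in-addr.arpa reverse zone from one
host table, following the record rules in the notes.  Added example, not
code from the original notes; the zone, network and host addresses are
constructed to match the notes' sample setup."""
import ipaddress

ZONE = "kaiyuandiantang.com"
NETWORK = "192.168.130.0/24"
HOSTS = {"ns1": "192.168.130.117", "mail": "192.168.130.10", "www": "192.168.130.20"}
NS_NAMES = ["ns1"]
MX_RECORDS = [(10, "mail")]          # (preference, relative name)
ALIASES = {"pop": "mail", "web": "www"}


def reverse_zone_name(network):
    """'192.168.130.0/24' -> '130.168.192.in-addr.arpa': the network octets reversed."""
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip, network):
    """Reversed host part used as the PTR owner, e.g. '117' for 192.168.130.117 in a /24."""
    net = ipaddress.ip_network(network)
    octets = ip.split(".")[net.prefixlen // 8:]
    return ".".join(reversed(octets))


def soa_block(serial, ttl=600):
    """$TTL plus the SOA, which must be the first record.  '@' stands for the zone
    name; the admin mailbox is written with '.' in place of '@'."""
    return (f"$TTL {ttl}\n"
            f"@\tIN\tSOA\tns1.{ZONE}.\tadmin.{ZONE}. (\n"
            f"\t\t{serial}\t; serial, YYYYMMDDnn\n"
            f"\t\t1H\t; refresh\n"
            f"\t\t5M\t; retry\n"
            f"\t\t3D\t; expire\n"
            f"\t\t12H\t; negative answer ttl\n"
            f"\t\t)")


def build_forward_zone(serial):
    """Forward zone: SOA, NS, MX, then A and CNAME records.  Every NS/MX target
    must have an A record of its own, as the notes require."""
    needed = set(NS_NAMES) | {name for _, name in MX_RECORDS}
    missing = sorted(needed - set(HOSTS))
    if missing:
        raise ValueError(f"NS/MX targets without an A record: {missing}")
    lines = [soa_block(serial)]
    lines += [f"\tIN\tNS\t{ns}" for ns in NS_NAMES]
    lines += [f"\tIN\tMX\t{pref}\t{name}" for pref, name in MX_RECORDS]
    lines += [f"{name}\tIN\tA\t{ip}" for name, ip in HOSTS.items()]
    lines += [f"{alias}\tIN\tCNAME\t{target}" for alias, target in ALIASES.items()]
    return "\n".join(lines) + "\n"


def build_reverse_zone(serial):
    """Reverse zone: SOA, NS written as absolute FQDNs (here '@' is the
    in-addr.arpa name, so relative names would be wrong), then one PTR per host.
    No A or MX records appear."""
    lines = [soa_block(serial)]
    lines += [f"\tIN\tNS\t{ns}.{ZONE}." for ns in NS_NAMES]
    lines += [f"{ptr_owner(ip, NETWORK)}\tIN\tPTR\t{name}.{ZONE}."
              for name, ip in HOSTS.items()]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(f"; {ZONE}.zone\n" + build_forward_zone(2017090601))
    print(f"; {reverse_zone_name(NETWORK)} zone\n" + build_reverse_zone(2017090601))
```

Generating both files from one table is the simplest way to keep forward and reverse data consistent; a PTR that points at a name with no A record, or an A record with no PTR, cannot happen by construction.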


The main configuration file /etc/named.conf defines the zones (at least three: root, localhost and 127.0.0.1)

The zone data directory /var/named/ holds the zone database files (owner, group, mode: root, named, 640)


type {hint|master|slave|forward}

      root  primary  secondary  forwarding


Reverse zone database file: the zone name is the network address in reverse octet order with the .in-addr.arpa suffix;

the first record must be the SOA

it should have NS records, but MX and A records must not appear

the most common record is PTR, whose name is the reversed host address
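The checks just listed can be automated. The following added Python example (not from the original notes) parses a zone file into (owner, type, rdata) records and lints it: SOA first and only once, an NS record present, A records for every relative NS/MX/CNAME target in a forward zone, and no A or MX records in a reverse zone. The two sample zones are constructed here: one copies the notes' forward zone, the other is a deliberately broken reverse zone.

```python
"""Lint a BIND zone file against the rules in the notes: SOA first and only
once, NS present, A records for every relative NS/MX/CNAME target in a
forward zone, and PTR-only (no A or MX) records in a reverse zone.  Added
example, not code from the original notes; the sample zones below are
constructed to match the notes' data."""
import re

TYPES = {"SOA", "NS", "MX", "A", "AAAA", "PTR", "CNAME", "TXT"}

# Constructed copy of the notes' forward zone for kaiyuandiantang.com.
FORWARD_ZONE = """$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
                        2017090601
                        1H
                        5M
                        3D
                        12H
                        )
        IN      NS      ns1
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
web     IN      CNAME   www
"""

# Constructed reverse zone that breaks two rules: no NS record, and an A record.
BAD_REVERSE_ZONE = """$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (
                        2017090601 1H 5M 3D 12H )
117     IN      PTR     ns1.kaiyuandiantang.com.
www     IN      A       192.168.130.20
"""


def parse_zone(text):
    """Return a list of (owner, type, rdata) tuples.  Handles ';' comments,
    '$' directives, parenthesised multi-line records and indented lines that
    inherit the previous owner name."""
    records, owner, buf, indented = [], None, "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                               # first physical line of a record
            indented = line[0].isspace()
        buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue                              # still inside '( ... )'
        logical, buf = buf.strip(), ""
        if logical.startswith("$"):
            continue                              # $TTL / $ORIGIN directives
        fields = logical.replace("(", " ").replace(")", " ").split()
        if not indented:
            owner = fields.pop(0)
        if fields and fields[0].isdigit():        # optional per-record TTL
            fields.pop(0)
        if fields and fields[0] == "IN":
            fields.pop(0)
        if not fields or fields[0] not in TYPES:
            raise ValueError(f"cannot parse record: {logical!r}")
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records


def lint_zone(text, reverse=False):
    """Return the list of rule violations; an empty list means the zone passes."""
    records = parse_zone(text)
    problems = []
    if not records or records[0][1] != "SOA":
        problems.append("first record must be SOA")
    if sum(1 for _, t, _ in records if t == "SOA") != 1:
        problems.append("exactly one SOA is allowed")
    if not any(t == "NS" for _, t, _ in records):
        problems.append("zone has no NS record")
    if reverse:
        for owner, t, _ in records:
            if t in ("A", "MX"):
                problems.append(f"{t} record not allowed in a reverse zone ({owner})")
            elif t == "PTR" and not re.fullmatch(r"[0-9.]+", owner):
                problems.append(f"PTR owner must be a reversed host address: {owner}")
    else:
        a_names = {o for o, t, _ in records if t == "A"}
        for owner, t, rdata in records:
            if t in ("NS", "MX", "CNAME"):
                target = rdata.split()[-1]
                # Absolute names (trailing '.') may live in another zone; skip them.
                if not target.endswith(".") and target not in a_names:
                    problems.append(f"{t} target {target!r} has no A record")
    return problems


if __name__ == "__main__":
    print("forward:", lint_zone(FORWARD_ZONE) or "ok")
    print("reverse:", lint_zone(BAD_REVERSE_ZONE, reverse=True) or "ok")
```

named-checkzone verifies that a zone loads; it does not enforce these conventions, so a reverse zone with a stray A record or an MX target without an A record loads without complaint, which is why a lint step like this one is worth running before the reload.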


dig command:

# dig [-t type] [-x addr] [name] [@server]

+[no]trace

+[no]recurse

+[no]tcp


host command:

# host [-t type] {name} [server]


nslookup command:

nslookup>

server DNS_SERVER_IP

set q=TYPE

{name}


=========================================================================================

Forward/reverse resolution example (ns1: 192.168.130.117)

=========================================================================================

1. Install bind

[root@localhost ~]# yum -y install bind


2. Configure the main configuration file

[root@localhost ~]# sed "/^\//d" /etc/named.conf 


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


3. Configure the forward zone

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

};


4. Create the forward zone database file

[root@localhost named]# cat kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


5. Fix permissions and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named kaiyuandiantang.com.zone 

[root@localhost named]# chmod 640 kaiyuandiantang.com.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone "kaiyuandiantang.com" kaiyuandiantang.com.zone 

zone kaiyuandiantang.com/IN: loaded serial 2017090601

OK

[root@localhost named]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# service named reload   

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 16:51:23 localhost named[20996]: managed-keys-zone ./IN: loaded serial 0

Aug 31 16:51:23 localhost named[20996]: running

Aug 31 16:51:29 localhost named[20996]: received control channel command 'reload'

Aug 31 16:51:29 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 16:51:29 localhost named[20996]: sizing zone task pool based on 7 zones

Aug 31 16:51:29 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 16:51:29 localhost named[20996]: reloading configuration succeeded

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded



6. Test

[root@localhost named]# dig -t NS kaiyuandiantang.com @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3470

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:46 2017

;; MSG SIZE  rcvd: 71


[root@localhost named]# 

[root@localhost named]# dig -t MX kaiyuandiantang.com @192.168.130.117  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38626

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:53:53 2017

;; MSG SIZE  rcvd: 108


[root@localhost named]# 

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46757

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 16:54:09 2017

;; MSG SIZE  rcvd: 91


[root@localhost named]# 



7. Configure the reverse zone

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

};


zone "130.168.192.in-addr.arpa" IN {

        type master;

        file "130.168.192.zone";

};


8. Create the reverse zone database file

[root@localhost named]# cat 130.168.192.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1.kaiyuandiantang.com.

117     IN      PTR     ns1.kaiyuandiantang.com.

10      IN      PTR     mail.kaiyuandiantang.com.

20      IN      PTR     www.kaiyuandiantang.com.


9. Fix permissions and start the service

[root@localhost named]# chown root:named 130.168.192.zone 

[root@localhost named]# chmod 640 130.168.192.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone "130.168.192.in-addr.arpa" 130.168.192.zone 

zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

OK

[root@localhost named]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 16:51:29 localhost named[20996]: reloading zones succeeded

Aug 31 17:08:42 localhost named[20996]: received control channel command 'reload'

Aug 31 17:08:42 localhost named[20996]: loading configuration from '/etc/named.conf'

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Aug 31 17:08:42 localhost named[20996]: sizing zone task pool based on 8 zones

Aug 31 17:08:42 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Aug 31 17:08:42 localhost named[20996]: reloading configuration succeeded

Aug 31 17:08:42 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Aug 31 17:08:42 localhost named[20996]: reloading zones succeeded


10. Test

[root@localhost named]# dig -x 192.168.130.117 @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6475

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:09:56 2017

;; MSG SIZE  rcvd: 113


[root@localhost named]# 

[root@localhost named]# dig -x 192.168.130.10 @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63381

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:01 2017

;; MSG SIZE  rcvd: 117


[root@localhost named]# 

[root@localhost named]# dig -x 192.168.130.20 @192.168.130.117 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.117

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26960

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 0 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Aug 31 17:10:08 2017

;; MSG SIZE  rcvd: 116


[root@localhost named]# 




Zone transfer:

the process by which a secondary DNS server requests zone data from the primary DNS server or from another secondary;


Full zone transfer: transfers all data in the zone, AXFR

Incremental zone transfer: transfers only the part of the zone that changed, IXFR


Simulating a full zone transfer with dig

# dig -t axfr ZONE_NAME @server

dig -t axfr kaiyuandiantang.com @192.168.130.117


Master/slave:

Master: its bind version may be lower than the slave's;


Two key steps when adding a slave server to a zone:

obtain delegation from the parent zone

in the master's zone data file, add an NS record for the slave together with the matching A or PTR record;


zone "kaiyuandiantang.com" IN {

     type slave;

     masters { 192.168.130.117; };

     file "slaves/kaiyuandiantang.com.zone";

};


Zone transfer security control:

allow-transfer { IP; };
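As an added Python example (not from the original notes), the following audits the zone stanzas of a named.conf for missing or open allow-transfer settings and rewrites them with a restricted ACL, matching the notes' setup where only ns2 (192.168.130.118) should be allowed to pull zones from ns1, and ns2 itself should allow nobody. The configuration text and the address are constructed for the example; on the BIND version used in the notes, a zone with no allow-transfer answers AXFR for anyone, which the later dig -t axfr test from a third host demonstrates.

```python
"""Audit named.conf zone stanzas for open zone transfers and harden them.
Added example, not code from the original notes; the configuration text and
the ns2 address (192.168.130.118) are constructed to match the notes' setup."""
import re

# One 'zone "name" ... { body };' stanza; nested one-line blocks such as
# 'masters { ...; };' stay inside the body because they do not start a line with '}'.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)
TRANSFER_RE = re.compile(r'allow-transfer\s*\{([^}]*)\}\s*;')

# Constructed ns1 configuration in the style of the notes: no allow-transfer at all.
NS1_CONF = '''zone "." IN {
        type hint;
        file "named.ca";
};

zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
};

zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
};
'''


def audit_transfers(conf_text):
    """Return {zone name: verdict} for every master/slave zone in the config."""
    verdicts = {}
    for name, body in ZONE_RE.findall(conf_text):
        ztype = re.search(r'type\s+(\w+)\s*;', body)
        if not ztype or ztype.group(1) not in ("master", "slave"):
            continue                          # hint/forward zones carry no zone data
        match = TRANSFER_RE.search(body)
        if not match:
            verdicts[name] = "OPEN: no allow-transfer, default applies"
            continue
        acl = [a.strip() for a in match.group(1).split(";") if a.strip()]
        if "any" in acl:
            verdicts[name] = "OPEN: allow-transfer { any; }"
        elif acl == ["none"]:
            verdicts[name] = "closed: transfers disabled"
        else:
            verdicts[name] = "restricted to " + ", ".join(acl)
    return verdicts


def harden_stanza(stanza, acl):
    """Set allow-transfer on one zone stanza to the given ACL entries
    (addresses, 'none', or ACL names), replacing any existing setting."""
    acl_text = "allow-transfer { " + " ".join(a + ";" for a in acl) + " };"
    if TRANSFER_RE.search(stanza):
        return TRANSFER_RE.sub(acl_text, stanza)
    return stanza.replace("\n};", "\n        " + acl_text + "\n};", 1)


def harden_config(conf_text, acl):
    """Apply harden_stanza to every master/slave zone stanza in the config."""
    def fix(m):
        if re.search(r'type\s+(master|slave)\s*;', m.group(2)):
            return harden_stanza(m.group(0), acl)
        return m.group(0)
    return ZONE_RE.sub(fix, conf_text)


if __name__ == "__main__":
    for zone, verdict in audit_transfers(NS1_CONF).items():
        print(f"{zone}: {verdict}")
    # ns1 hands the zones only to ns2; ns2 itself should allow nobody.
    print(harden_config(NS1_CONF, ["192.168.130.118"]))
    print(harden_config(NS1_CONF, ["none"]))
```

The slave needs allow-transfer only if something downstream pulls from it; with `none` on ns2, the AXFR that the notes later run against 192.168.130.118 would be refused while ns2 still answers ordinary queries.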


=========================================================================================

Master/slave replication example (ns1: 192.168.130.117, ns2: 192.168.130.118)

=========================================================================================

1. Edit the forward zone database file on ns1 and add an NS record and an A record for ns2

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      NS      ns2

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

ns2     IN      A       192.168.130.118

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 08:48:47 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 08:48:47 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 08:48:47 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 08:48:47 localhost named[20996]: reloading configuration succeeded

Sep  1 08:48:47 localhost named[20996]: reloading zones succeeded

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 08:48:47 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)
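The log line above, "zone serial (2017090601) unchanged. zone may fail to transfer to slaves", is the master warning that the zone file was edited without bumping the SOA serial: a slave compares serials and, seeing no change, keeps its stale copy. As an added Python example (not from the original notes), the code below computes the next YYYYMMDDnn serial, compares serials the way RFC 1982 serial arithmetic does (unsigned 32-bit with wraparound), and reports what a slave would do; the serial values are constructed from the notes' sample serial.

```python
"""SOA serial handling for master/slave zones.  Added example, not code from
the original notes; serial values are constructed from the notes' sample
serial 2017090601."""
import datetime

SERIAL_SPACE = 2 ** 32      # SOA serials are unsigned 32-bit numbers (RFC 1982)
HALF_SPACE = 2 ** 31


def next_serial(current, today=None):
    """Next YYYYMMDDnn serial.  Uses today's date with nn=01 when that is
    larger than the current serial; otherwise returns current + 1, so the
    serial still grows after many same-day edits or if the clock went back.
    'today' may be given as an ISO date string for reproducible results."""
    day = datetime.date.fromisoformat(today) if today else datetime.date.today()
    candidate = int(day.strftime("%Y%m%d")) * 100 + 1
    return candidate if candidate > current else (current + 1) % SERIAL_SPACE


def serial_newer(candidate, current):
    """RFC 1982 comparison: True if candidate is 'after' current in the
    wrapping 32-bit serial space.  This is the test a slave applies to the
    master's SOA serial before deciding to transfer."""
    diff = (candidate - current) % SERIAL_SPACE
    return 0 < diff < HALF_SPACE


def slave_action(master_serial, slave_serial):
    """What the slave does after a NOTIFY or a refresh check."""
    if master_serial == slave_serial:
        return "unchanged"      # the 'zone may fail to transfer to slaves' situation
    if serial_newer(master_serial, slave_serial):
        return "transfer"
    return "ignore"             # master serial older than ours: the edit was not bumped correctly


if __name__ == "__main__":
    current = 2017090601
    print("ns1 edited without a bump:", slave_action(current, current))
    bumped = next_serial(current, "2017-09-01")
    print("bumped serial:", bumped, "->", slave_action(bumped, current))
```

In the notes the slave still ends up with the new records because ns2 is set up for the first time after the edit and pulls the whole zone; an existing slave would have kept the old data until the serial was raised.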


2. Install bind on ns2

yum -y install bind


3. Configure the main configuration file on ns2

[root@localhost ~]# sed "/^\//d" /etc/named.conf


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


4. Configure the forward zone on ns2

[root@localhost ~]# tail -5 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

};


5. Start the service on ns2

[root@localhost ~]# named-checkconf 

[root@localhost ~]# service named start

Generating /etc/rndc.key:                                  [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail -20 /var/log/messages 

Sep  2 14:20:56 localhost named[22632]: zone 0.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost.localdomain/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: zone localhost/IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: managed-keys-zone ./IN: loaded serial 0

Sep  2 14:20:56 localhost named[22632]: running

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: Transfer started.

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: connected using 192.168.130.118#43804

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: transferred serial 2017090601

Sep  2 14:20:56 localhost named[22632]: transfer of 'kaiyuandiantang.com/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 11 records, 276 bytes, 0.001 secs (276000 bytes/sec)

Sep  2 14:20:56 localhost named[22632]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

Sep  2 14:21:00 localhost named[22632]: received control channel command 'reload'

Sep  2 14:21:00 localhost named[22632]: loading configuration from '/etc/named.conf'

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:21:00 localhost named[22632]: sizing zone task pool based on 7 zones

Sep  2 14:21:00 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:21:00 localhost named[22632]: reloading configuration succeeded

Sep  2 14:21:00 localhost named[22632]: reloading zones succeeded


6. Verify and test

[root@localhost ~]# cat /var/named/slaves/kaiyuandiantang.com.zone 

$ORIGIN .

$TTL 600        ; 10 minutes

kaiyuandiantang.com     IN SOA  ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (

                                2017090601 ; serial

                                3600       ; refresh (1 hour)

                                300        ; retry (5 minutes)

                                259200     ; expire (3 days)

                                43200      ; minimum (12 hours)

                                )

                        NS      ns1.kaiyuandiantang.com.

                        NS      ns2.kaiyuandiantang.com.

                        MX      10 mail.kaiyuandiantang.com.

$ORIGIN kaiyuandiantang.com.

mail                    A       192.168.130.10

ns1                     A       192.168.130.117

ns2                     A       192.168.130.118

pop                     CNAME   mail

web                     CNAME   www

www                     A       192.168.130.20


[root@localhost ~]# dig -t NS kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28940

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      NS


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:08 2017

;; MSG SIZE  rcvd: 105


[root@localhost ~]# 

[root@localhost ~]# dig -t MX kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27789

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3


;; QUESTION SECTION:

;kaiyuandiantang.com.           IN      MX


;; ANSWER SECTION:

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 1 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:29 2017

;; MSG SIZE  rcvd: 142


[root@localhost ~]# 

[root@localhost ~]# dig -t A mail.kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7090

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;mail.kaiyuandiantang.com.      IN      A


;; ANSWER SECTION:

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:24:56 2017

;; MSG SIZE  rcvd: 126


[root@localhost ~]# 

[root@localhost ~]# dig -t A www.kaiyuandiantang.com @192.168.130.118    


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2339

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 14:25:05 2017

;; MSG SIZE  rcvd: 125



7. Edit the reverse zone database file on ns1 and add an NS record and a PTR record for ns2

[root@localhost ~]# cat /var/named/130.168.192.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1.kaiyuandiantang.com.

        IN      NS      ns2.kaiyuandiantang.com.

117     IN      PTR     ns1.kaiyuandiantang.com.

118     IN      PTR     ns2.kaiyuandiantang.com.

10      IN      PTR     mail.kaiyuandiantang.com.

20      IN      PTR     www.kaiyuandiantang.com.


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 09:35:38 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 09:35:38 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 09:35:38 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 09:35:38 localhost named[20996]: reloading configuration succeeded

Sep  1 09:35:38 localhost named[20996]: reloading zones succeeded

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 09:35:38 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: loaded serial 2017090601

Sep  1 09:35:39 localhost named[20996]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)


8. Configure the reverse zone on ns2

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

};


zone "130.168.192.in-addr.arpa" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/130.168.192.zone";

};


9. Start the service on ns2

[root@localhost ~]# named-checkconf 

[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  2 14:43:39 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 14:43:39 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 14:43:39 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 14:43:39 localhost named[22632]: reloading configuration succeeded

Sep  2 14:43:39 localhost named[22632]: reloading zones succeeded

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: Transfer started.

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: connected using 192.168.130.118#51094

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: transferred serial 2017090601

Sep  2 14:43:39 localhost named[22632]: transfer of '130.168.192.in-addr.arpa/IN' from 192.168.130.117#53: Transfer completed: 1 messages, 8 records, 254 bytes, 0.001 secs (254000 bytes/sec)

Sep  2 14:43:39 localhost named[22632]: zone 130.168.192.in-addr.arpa/IN: sending notifies (serial 2017090601)


10. Verify and test

[root@localhost ~]# cat /var/named/slaves/130.168.192.zone 

$ORIGIN .

$TTL 600        ; 10 minutes

130.168.192.in-addr.arpa IN SOA ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. (

                                2017090601 ; serial

                                3600       ; refresh (1 hour)

                                300        ; retry (5 minutes)

                                259200     ; expire (3 days)

                                43200      ; minimum (12 hours)

                                )

                        NS      ns1.kaiyuandiantang.com.

                        NS      ns2.kaiyuandiantang.com.

$ORIGIN 130.168.192.in-addr.arpa.

10                      PTR     mail.kaiyuandiantang.com.

117                     PTR     ns1.kaiyuandiantang.com.

118                     PTR     ns2.kaiyuandiantang.com.

20                      PTR     www.kaiyuandiantang.com.


[root@localhost ~]# dig -x 192.168.130.117 @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.117 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25446

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;117.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:07:54 2017

;; MSG SIZE  rcvd: 147


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.118 @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.118 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37094

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;118.130.168.192.in-addr.arpa.  IN      PTR


;; ANSWER SECTION:

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:01 2017

;; MSG SIZE  rcvd: 147


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.10 @192.168.130.118 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.10 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11469

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;10.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:10 2017

;; MSG SIZE  rcvd: 151


[root@localhost ~]# 

[root@localhost ~]# dig -x 192.168.130.20 @192.168.130.118 


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -x 192.168.130.20 @192.168.130.118

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64194

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;20.130.168.192.in-addr.arpa.   IN      PTR


;; ANSWER SECTION:

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.


;; AUTHORITY SECTION:

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118


;; Query time: 0 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Sat Sep  2 15:08:14 2017

;; MSG SIZE  rcvd: 150


11. At this point zone transfer has a security problem: any machine that knows the zone name and the DNS server's IP can obtain the entire contents of the zone database file. This can be controlled by adding allow-transfer.

Before adding allow-transfer (tested from 192.168.130.119)

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 6 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:49:50 2017

;; XFR size: 11 records (messages 1, bytes 276)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

kaiyuandiantang.com.    600     IN      MX      10 mail.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

mail.kaiyuandiantang.com. 600   IN      A       192.168.130.10

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

pop.kaiyuandiantang.com. 600    IN      CNAME   mail.kaiyuandiantang.com.

web.kaiyuandiantang.com. 600    IN      CNAME   www.kaiyuandiantang.com.

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

kaiyuandiantang.com.    600     IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 4 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:49:56 2017

;; XFR size: 11 records (messages 1, bytes 276)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 1 msec

;; SERVER: 192.168.130.117#53(192.168.130.117)

;; WHEN: Thu Sep  7 11:50:26 2017

;; XFR size: 8 records (messages 1, bytes 254)


[root@localhost ~]# 

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

130.168.192.in-addr.arpa. 600   IN      NS      ns1.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      NS      ns2.kaiyuandiantang.com.

10.130.168.192.in-addr.arpa. 600 IN     PTR     mail.kaiyuandiantang.com.

117.130.168.192.in-addr.arpa. 600 IN    PTR     ns1.kaiyuandiantang.com.

118.130.168.192.in-addr.arpa. 600 IN    PTR     ns2.kaiyuandiantang.com.

20.130.168.192.in-addr.arpa. 600 IN     PTR     www.kaiyuandiantang.com.

130.168.192.in-addr.arpa. 600   IN      SOA     ns1.kaiyuandiantang.com. admin.kaiyuandiantang.com. 2017090601 3600 300 259200 43200

;; Query time: 9 msec

;; SERVER: 192.168.130.118#53(192.168.130.118)

;; WHEN: Thu Sep  7 11:50:38 2017

;; XFR size: 8 records (messages 1, bytes 254)


[root@localhost ~]# 



Add allow-transfer on ns1

[root@localhost ~]# tail -11 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type master;

        file "kaiyuandiantang.com.zone";

        allow-transfer { 127.0.0.1; 192.168.130.117; };

};


zone "130.168.192.in-addr.arpa" IN {

        type master;

        file "130.168.192.zone";

        allow-transfer { 127.0.0.1; 192.168.130.117; };

};


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 10:45:45 localhost named[20996]: /etc/named.rfc1912.zones:52: missing ';' before '}'

Sep  1 10:45:45 localhost named[20996]: reloading configuration failed: failure

Sep  1 10:46:48 localhost named[20996]: received control channel command 'reload'

Sep  1 10:46:48 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 10:46:48 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 10:46:48 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 10:46:48 localhost named[20996]: reloading configuration succeeded

Sep  1 10:46:48 localhost named[20996]: reloading zones succeeded



Add allow-transfer on ns2

[root@localhost ~]# tail -13 /etc/named.rfc1912.zones

zone "kaiyuandiantang.com" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/kaiyuandiantang.com.zone";

        allow-transfer { none; };

};


zone "130.168.192.in-addr.arpa" IN {

        type slave;

        masters { 192.168.130.117; };

        file "slaves/130.168.192.zone";

        allow-transfer { none; };

};


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR started

Sep  2 15:42:39 localhost named[22632]: client 192.168.130.119#50309: transfer of '130.168.192.in-addr.arpa/IN': AXFR ended

Sep  2 15:48:52 localhost named[22632]: received control channel command 'reload'

Sep  2 15:48:52 localhost named[22632]: loading configuration from '/etc/named.conf'

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv4 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: using default UDP/IPv6 port range: [1024, 65535]

Sep  2 15:48:52 localhost named[22632]: sizing zone task pool based on 8 zones

Sep  2 15:48:52 localhost named[22632]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  2 15:48:52 localhost named[22632]: reloading configuration succeeded

Sep  2 15:48:52 localhost named[22632]: reloading zones succeeded



After adding allow-transfer (tested from 192.168.130.119)

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.117     


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr kaiyuandiantang.com @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr kaiyuandiantang.com @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.117


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.117

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# dig -t axfr 130.168.192.in-addr.arpa @192.168.130.118


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr 130.168.192.in-addr.arpa @192.168.130.118

;; global options: +cmd

; Transfer failed.

[root@localhost ~]# 



Implementing subdomain delegation in BIND: glue records

Add the following to the parent zone's data file:

the name of the delegated child zone

the child zone's name server (an NS record)

the IP address of that name server (an A record, the glue)


=========================================================================================

Forward subdomain delegation example (parent zone server: 192.168.130.117, child zone server: 192.168.130.119)

=========================================================================================

1. Delegate the child zone in the parent zone

[root@localhost ~]# cat /var/named/kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (

                        2017090601

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      NS      ns2

        IN      MX  10  mail

ns1     IN      A       192.168.130.117

ns2     IN      A       192.168.130.118

mail    IN      A       192.168.130.10

www     IN      A       192.168.130.20

pop     IN      CNAME   mail

web     IN      CNAME   www


linux           IN      NS      ns1.linux

ns1.linux       IN      A       192.168.130.119


[root@localhost ~]# service named reload

Reloading named:                                           [  OK  ]

[root@localhost ~]# tail /var/log/messages 

Sep  1 16:29:00 localhost named[20996]: loading configuration from '/etc/named.conf'

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv4 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: using default UDP/IPv6 port range: [1024, 65535]

Sep  1 16:29:00 localhost named[20996]: sizing zone task pool based on 8 zones

Sep  1 16:29:00 localhost named[20996]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Sep  1 16:29:00 localhost named[20996]: reloading configuration succeeded

Sep  1 16:29:00 localhost named[20996]: reloading zones succeeded

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: zone serial (2017090601) unchanged. zone may fail to transfer to slaves.

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: loaded serial 2017090601

Sep  1 16:29:00 localhost named[20996]: zone kaiyuandiantang.com/IN: sending notifies (serial 2017090601)

[root@localhost ~]# 

2. Configure the main configuration file on the child zone server

[root@localhost ~]# sed "/^\//d" /etc/named.conf


options {

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query     { any; };

        recursion yes;



        /* Path to ISC DLV key */


};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";


3. Define the child zone in the child zone server's zone configuration file

[root@localhost ~]# tail -4 /etc/named.rfc1912.zones

zone "linux.kaiyuandiantang.com" IN {

        type master;

        file "linux.kaiyuandiantang.com.zone";

};


4. Configure the child zone's database file on the child zone server

[root@localhost ~]# cat /var/named/linux.kaiyuandiantang.com.zone

$TTL 600

@       IN      SOA     ns1.linux.kaiyuandiantang.com.        admin.linux.kaiyuandiantang.com. (

                        2017090701

                        1H

                        5M

                        3D

                        12H

                        )

        IN      NS      ns1

        IN      MX  10  mail

ns1     IN      A       192.168.130.119

mail    IN      A       192.168.130.30

www     IN      A       192.168.130.40

pop     IN      CNAME   mail

web     IN      CNAME   www

[root@localhost ~]# 


5. Set file ownership and permissions on the child zone server and start the service

[root@localhost ~]# cd /var/named/

[root@localhost named]# chown root:named linux.kaiyuandiantang.com.zone 

[root@localhost named]# chmod 640 linux.kaiyuandiantang.com.zone 

[root@localhost named]# named-checkconf 

[root@localhost named]# named-checkzone linux.kaiyuandiantang.com linux.kaiyuandiantang.com.zone 

zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

OK

[root@localhost named]# service named start

Starting named:                                            [  OK  ]

[root@localhost named]# tail /var/log/messages 

Aug 31 18:30:52 localhost named[20903]: command channel listening on 127.0.0.1#953

Aug 31 18:30:52 localhost named[20903]: command channel listening on ::1#953

Aug 31 18:30:52 localhost named[20903]: zone 0.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone linux.kaiyuandiantang.com/IN: loaded serial 2017090701

Aug 31 18:30:52 localhost named[20903]: zone localhost.localdomain/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: zone localhost/IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: managed-keys-zone ./IN: loaded serial 0

Aug 31 18:30:52 localhost named[20903]: running

[root@localhost named]# 


6. Test

[root@localhost named]# dig -t NS linux.kaiyuandiantang.com @192.168.130.119    


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63108

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      NS


;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:28 2017

;; MSG SIZE  rcvd: 77


[root@localhost named]# dig -t MX linux.kaiyuandiantang.com @192.168.130.119  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t MX linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42605

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2


;; QUESTION SECTION:

;linux.kaiyuandiantang.com.     IN      MX


;; ANSWER SECTION:

linux.kaiyuandiantang.com. 600  IN      MX      10 mail.linux.kaiyuandiantang.com.


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:32:40 2017

;; MSG SIZE  rcvd: 114


[root@localhost named]# 

[root@localhost named]# dig -t A  www.linux.kaiyuandiantang.com @192.168.130.119  


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56396

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;www.linux.kaiyuandiantang.com. IN      A


;; ANSWER SECTION:

www.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.40


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 1 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:01 2017

;; MSG SIZE  rcvd: 97


[root@localhost named]# dig -t A  ns1.linux.kaiyuandiantang.com @192.168.130.119   


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A ns1.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3947

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:

;ns1.linux.kaiyuandiantang.com. IN      A


;; ANSWER SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:08 2017

;; MSG SIZE  rcvd: 77


[root@localhost named]# dig -t A  mail.linux.kaiyuandiantang.com @192.168.130.119   


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A mail.linux.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50725

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1


;; QUESTION SECTION:

;mail.linux.kaiyuandiantang.com.        IN      A


;; ANSWER SECTION:

mail.linux.kaiyuandiantang.com. 600 IN  A       192.168.130.30


;; AUTHORITY SECTION:

linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns1.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.119


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:33:14 2017

;; MSG SIZE  rcvd: 98


[root@localhost named]# 
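The glue-record rule above (every record whose value is an in-zone FQDN needs an A record, and a delegation NS below the apex needs that A record as glue) can be checked mechanically. The following Python script is an added example and is not part of the original notes or of BIND: it parses the parent zone file from step 1 (embedded inline), lists the delegations it contains with their glue addresses, and reports in-zone NS, MX or CNAME targets that have no matching record. The parser only covers the record types used in these notes; the "broken" zone is a constructed copy with the glue line removed, to show the failure the check is meant to catch.

```python
"""Zone-file consistency check for BIND delegation glue.

Added example (not part of the original notes). PARENT_ZONE_TEXT is the parent
zone file from step 1, embedded inline so the script runs offline; the
"broken" variant drops the glue A record to show what the check catches.
"""
import re

ORIGIN = "kaiyuandiantang.com"

# Copied from the parent zone file shown in step 1 above.
PARENT_ZONE_TEXT = """\
$TTL 600
@       IN      SOA     ns1.kaiyuandiantang.com.        admin.kaiyuandiantang.com. (
                        2017090601
                        1H
                        5M
                        3D
                        12H
                        )
        IN      NS      ns1
        IN      NS      ns2
        IN      MX  10  mail
ns1     IN      A       192.168.130.117
ns2     IN      A       192.168.130.118
mail    IN      A       192.168.130.10
www     IN      A       192.168.130.20
pop     IN      CNAME   mail
web     IN      CNAME   www

linux           IN      NS      ns1.linux
ns1.linux       IN      A       192.168.130.119
"""

# Constructed: the same zone with the glue record for the delegation removed.
BROKEN_ZONE_TEXT = "\n".join(
    line for line in PARENT_ZONE_TEXT.splitlines() if not line.startswith("ns1.linux")) + "\n"


def fqdn(name, origin):
    """Expand '@' or a relative name to an absolute name with a trailing dot."""
    if name == "@":
        return origin + "."
    return name if name.endswith(".") else f"{name}.{origin}."


def parse_zone(text, origin):
    """Return (owner, type, value) tuples with absolute owner and target names.

    Handles $-directives, ';' comments, a blank owner column (inherits the
    previous owner), an optional per-record TTL, and the parenthesised SOA.
    """
    text = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    # Fold "( ... )" continuation lines back into the line that opened them.
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("$"):
            continue
        fields = raw.split()
        if raw[0] not in " \t":            # owner given in the first column
            owner = fqdn(fields.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without an owner: {raw!r}")
        if fields and re.fullmatch(r"\d+[smhdw]?", fields[0], re.I):
            fields.pop(0)                  # optional TTL field
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rrtype, rdata = fields[0].upper(), fields[1:]
        if rrtype == "MX":
            value = (int(rdata[0]), fqdn(rdata[1], origin))
        elif rrtype in ("NS", "CNAME", "PTR", "SOA"):
            value = fqdn(rdata[0], origin)  # for SOA this is the primary master
        else:
            value = rdata[0]
        records.append((owner, rrtype, value))
    return records


def check_zone(records, origin):
    """Return human-readable problems; an empty list means the zone is consistent."""
    apex = origin + "."
    owners = {o for o, _, _ in records}
    a_owners = {o for o, t, _ in records if t == "A"}
    problems = []
    for owner, rrtype, value in records:
        if rrtype == "MX":
            target, needs_a = value[1], True
        elif rrtype == "NS":
            target, needs_a = value, True
        elif rrtype == "CNAME":
            target, needs_a = value, False
        else:
            continue
        if not (target == apex or target.endswith("." + apex)):
            continue                       # out-of-zone target: resolved elsewhere
        if needs_a and target not in a_owners:
            kind = "glue" if owner != apex and rrtype == "NS" else "A record"
            problems.append(f"{rrtype} {owner} -> {target}: missing {kind}")
        elif not needs_a and target not in owners:
            problems.append(f"CNAME {owner} -> {target}: target does not exist")
    return problems


def delegations(records, origin):
    """Map each delegated child zone to its (name server, glue address) pairs."""
    a_by_owner = {o: v for o, t, v in records if t == "A"}
    result = {}
    for owner, rrtype, value in records:
        if rrtype == "NS" and owner != origin + ".":
            result.setdefault(owner, []).append((value, a_by_owner.get(value)))
    return result


if __name__ == "__main__":
    for label, text in (("parent zone", PARENT_ZONE_TEXT), ("broken zone", BROKEN_ZONE_TEXT)):
        recs = parse_zone(text, ORIGIN)
        print(label, "delegations:", delegations(recs, ORIGIN))
        print(label, "problems:", check_zone(recs, ORIGIN) or "none")
```

Run it against your own zone files before a reload: `named-checkzone` catches syntax, but a delegation whose name server has no glue loads fine and only fails when a resolver tries to follow it.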


7. Problem

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59745

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; AUTHORITY SECTION:

com.                    829     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1504779223 1800 900 604800 86400


;; Query time: 0 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:46:52 2017

;; MSG SIZE  rcvd: 114


Because kaiyuandiantang.com is not a zone this child DNS server is responsible for, it sends the query to the root; the root refers it to the com servers, and since the public com zone has no kaiyuandiantang.com delegation, the lookup fails with NXDOMAIN. Zone forwarding is introduced to solve this.


Configuring zone forwarding: forward zones

When a name belongs to a zone this server is not responsible for, the query is handed to a designated host instead of being iterated from the root;


Ways to configure forwarding:

Forward every zone this server is not authoritative for (global, in options):

options {

forward only|first;

forwarders { IP; };

};


Forward one specific zone:

zone "特定區域" IN {

type forward;

forwarders { IP; };

forward only|first;

};


Prerequisite for forwarding to work: this server must be in the forwarder's list of hosts allowed to recurse (its allow-recursion);



8. Enable zone forwarding on the child zone server

[root@localhost named]# tail -9 /etc/named.rfc1912.zones

        type master;

        file "linux.kaiyuandiantang.com.zone";

};


zone "kaiyuandiantang.com" IN {

        type forward;

        forwarders { 192.168.130.117; };

        forward only;

};

[root@localhost named]# service named restart                            

Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]

[root@localhost named]# dig -t A www.kaiyuandiantang.com @192.168.130.119


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t A www.kaiyuandiantang.com @192.168.130.119

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47012

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2


;; QUESTION SECTION:

;www.kaiyuandiantang.com.       IN      A


;; ANSWER SECTION:

www.kaiyuandiantang.com. 600    IN      A       192.168.130.20


;; AUTHORITY SECTION:

kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.

kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.


;; ADDITIONAL SECTION:

ns2.kaiyuandiantang.com. 600    IN      A       192.168.130.118

ns1.kaiyuandiantang.com. 600    IN      A       192.168.130.117


;; Query time: 3 msec

;; SERVER: 192.168.130.119#53(192.168.130.119)

;; WHEN: Thu Aug 31 18:57:19 2017

;; MSG SIZE  rcvd: 125


[root@localhost named]# 
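The difference between the answers in steps 6, 7 and 8 is visible in the dig header: the child server's answers for its own zone carry the aa (authoritative answer) flag, the NXDOMAIN in step 7 carries an SOA for com. in the AUTHORITY section (the public com zone is what denied the name), and the forwarded answer in step 8 has no aa flag because it was fetched from ns1 on the client's behalf. The following Python script is an added example, not part of the original notes: it parses dig's text output (the three responses are copied from the steps above, trimmed to the header and record sections) and classifies each response on that basis, which is a quick way to confirm that a server you expect to be authoritative really is.

```python
"""Read dig output: is the answer authoritative, and who denied a name?

Added example (not part of the original notes). The three responses below are
copied from the dig runs in steps 6, 7 and 8, trimmed to the header and the
record sections.
"""
import re

# Step 6: the child server answering for its own zone (flags include "aa").
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56396
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.linux.kaiyuandiantang.com. IN      A

;; ANSWER SECTION:
www.linux.kaiyuandiantang.com. 600 IN   A       192.168.130.40

;; AUTHORITY SECTION:
linux.kaiyuandiantang.com. 600  IN      NS      ns1.linux.kaiyuandiantang.com.
"""

# Step 7: before forwarding, the parent name was looked up via the root and com.
NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59745
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.kaiyuandiantang.com.       IN      A

;; AUTHORITY SECTION:
com.                    829     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1504779223 1800 900 604800 86400
"""

# Step 8: after forwarding to ns1, the answer arrives but without "aa".
FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47012
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.kaiyuandiantang.com.       IN      A

;; ANSWER SECTION:
www.kaiyuandiantang.com. 600    IN      A       192.168.130.20

;; AUTHORITY SECTION:
kaiyuandiantang.com.    600     IN      NS      ns2.kaiyuandiantang.com.
kaiyuandiantang.com.    600     IN      NS      ns1.kaiyuandiantang.com.
"""


def parse_dig(output):
    """Extract status, header flags and the records of each section."""
    info = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in output.splitlines():
        section_header = re.match(r";; (\w+) SECTION:", line)
        if line.startswith(";; ->>HEADER<<-"):
            info["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            # ";; flags: qr aa rd ra; QUERY: 1, ..." -> {"qr", "aa", "rd", "ra"}
            info["flags"] = set(line.split("flags:")[1].split(";")[0].split())
        elif section_header:
            section = section_header.group(1)
            info["sections"][section] = []
        elif section and line and not line.startswith(";"):
            owner, _ttl, _cls, rrtype, *rdata = line.split()
            info["sections"][section].append((owner, rrtype, " ".join(rdata)))
    return info


def classify(output):
    """Summarise a response the way a DNS operator reads it."""
    d = parse_dig(output)
    if d["status"] == "NOERROR":
        if "aa" in d["flags"]:
            return "authoritative answer"
        return "non-authoritative answer (forwarded or from cache)"
    if d["status"] == "NXDOMAIN":
        # The SOA in AUTHORITY names the zone that denied the name exists.
        soa = [r for r in d["sections"].get("AUTHORITY", []) if r[1] == "SOA"]
        return f"NXDOMAIN from {soa[0][0] if soa else 'unknown zone'}"
    return d["status"]


def answers(output):
    """Return the (owner, address) pairs of the A records in ANSWER."""
    return [(o, v) for o, t, v in parse_dig(output)["sections"].get("ANSWER", []) if t == "A"]


if __name__ == "__main__":
    for label, sample in (("step 6", AUTHORITATIVE), ("step 7", NXDOMAIN), ("step 8", FORWARDED)):
        print(label, "->", classify(sample), answers(sample))
```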



Security control options:

allow-transfer {};

should normally always be set (restricted);

allow-query {};

usually only used when the server is a caching name server, to limit queries to local clients;

allow-recursion {  };

defines the recursion whitelist;

allow-update { none; };

defines the whitelist of hosts allowed to update the zone data file dynamically


ACL: BIND supports access control lists

acl ACL_NAME {

172.16.0.0/16;

192.168.0.0/24;

127.0.0.0/8;

};


An access control list can only be used after it has been defined; acl statements therefore usually go at the top of named.conf.


BIND has four built-in ACLs:

any: any host

none: no host

localhost: the server's own addresses

localnets: the networks the server's interfaces are attached to
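Item 11 and the option list above describe the same handful of settings, and whether they are in place can be checked from the configuration text itself. The following Python script is an added example, not part of the original notes or of BIND: it splits named.conf-style text into stanzas, reads the options and zone statements, and flags master or slave zones whose allow-transfer is unset or any, plus an options block whose effective recursion ACL is any. BIND derives that ACL from allow-recursion, then allow-query-cache, then allow-query, so `allow-query { any; }` with `recursion yes;` and no allow-recursion makes an open resolver, which is exactly the options block shown in step 2. OPEN_CONFIG is constructed from the stanzas shown in this note before allow-transfer was added; HARDENED_CONFIG is a constructed counterpart that names the secondaries and trusted clients in acl statements. Named ACLs also make slips easier to see: the ns1 stanza shown earlier lists 127.0.0.1 and 192.168.130.117 (ns1's own address) in allow-transfer but not 192.168.130.118, the slave, so ns2 would be refused on its next transfer; a single `slaves` ACL reused in every zone is easier to keep right than per-zone address lists.

```python
"""Audit named.conf-style text for open zone transfer and open recursion.

Added example (not BIND's own tooling). OPEN_CONFIG is constructed from the
options block and zone stanzas shown in this note before allow-transfer was
added; HARDENED_CONFIG is a constructed counterpart that uses named ACLs.
"""
import re

OPEN_CONFIG = """\
options {
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        /* Path to ISC DLV key */
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
};
zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
};
"""

HARDENED_CONFIG = """\
acl trusted { 127.0.0.0/8; 192.168.130.0/24; };   // clients allowed to recurse
acl slaves  { 192.168.130.118; };                 // ns2, the only secondary
options {
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
        allow-recursion { trusted; };
        allow-transfer  { slaves; };
        allow-update    { none; };
};
zone "kaiyuandiantang.com" IN {
        type master;
        file "kaiyuandiantang.com.zone";
        allow-transfer { slaves; };
};
zone "130.168.192.in-addr.arpa" IN {
        type master;
        file "130.168.192.zone";
        allow-transfer { slaves; };
};
"""


def stanzas(text):
    """Yield (header, body) for each top-level `header { body };` block."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # block comments
    text = re.sub(r"(//|#).*", "", text)                # line comments
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = (text[i:start].strip().splitlines() or [""])[-1].strip(" ;")
        depth, j = 1, start + 1
        while depth:                       # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def statements(body):
    """Map each `key value;` or `key { a; b; };` statement to its value."""
    out = {}
    for m in re.finditer(r"([\w-]+)\s*(\{[^}]*\}|[^;{}]+);", body):
        key, val = m.group(1), m.group(2).strip()
        out[key] = ([v.strip() for v in val[1:-1].split(";") if v.strip()]
                    if val.startswith("{") else val)
    return out


def recursion_acl(opts):
    """Effective ACL for recursion, following BIND 9's fallback chain."""
    if opts.get("recursion", "yes") == "no":
        return []
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def audit(text):
    """Return findings as strings; an empty list means nothing is left open."""
    blocks = list(stanzas(text))
    opts = next((statements(b) for h, b in blocks if h == "options"), {})
    findings = []
    if "any" in recursion_acl(opts):
        findings.append("options: recursion is open to any client (open resolver); "
                        "set allow-recursion to a trusted ACL or recursion no")
    if "any" in opts.get("allow-update", []):
        findings.append("options: allow-update { any; } lets anyone rewrite zones")
    for header, body in blocks:
        if not header.startswith("zone"):
            continue
        st = statements(body)
        if st.get("type") not in ("master", "slave"):
            continue                       # hint and forward zones hold no data
        name = re.search(r'"([^"]*)"', header).group(1)
        xfer = st.get("allow-transfer", opts.get("allow-transfer"))  # zone overrides global
        if xfer is None or "any" in xfer:
            findings.append(f"zone {name}: allow-transfer is {xfer or 'unset (BIND default: any)'}; "
                            "restrict it to the secondaries or { none; }")
        if "any" in st.get("allow-update", []):
            findings.append(f"zone {name}: allow-update {{ any; }} lets anyone rewrite the zone")
    return findings


if __name__ == "__main__":
    for label, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", audit(cfg) or "no findings")
```

The parser is deliberately small (no `include` following, no views); point it at the output of `named-checkconf -p`, which prints the fully merged configuration, to cover the includes.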
