Implementing DNS master/slave synchronization
The BIND version on the master DNS server must not be higher than the version on the slave.
Two key steps for adding a slave server to a zone:
a. Obtain authorization (delegation) from the parent (upper-level) zone
b. In the zone data file, add an NS record for the server together with its matching A record (forward zone) or PTR record (reverse zone)
1. On the master DNS server, add an NS record and its corresponding A record (forward zone file)
# vim /var/named/mageedu.com.zone
$TTL 86400
@       IN  SOA   dsn.mageedu.com. admin.mageedu.com. (
                  2014031901  ; serial
                  1D          ; refresh
                  12H         ; retry
                  1D          ; expire
                  12H )       ; minimum
        ; the RNAME (admin.mageedu.com.) needs its trailing dot; without it $ORIGIN is
        ; appended and the SOA is served as admin.mageedu.com.mageedu.com., as the
        ; AXFR output further down shows
        IN  NS    dns
        IN  NS    ns
        IN  MX    20 mail
dns     IN  A     172.16.19.100
ns      IN  A     172.16.19.1
mail    IN  A     172.16.19.2
www     IN  A     172.16.19.3
pop     IN  CNAME mail
ftp     IN  CNAME www
2. Add an NS record and the corresponding PTR record for the slave DNS server (reverse zone file)
# vim /var/named/172.16.19.zone
$TTL 86400
@       IN  SOA   dsn.mageedu.com. admin.mageedu.com. (
                  2014031902  ; serial
                  1D          ; refresh
                  12H         ; retry
                  1D          ; expire
                  12H )       ; minimum
        ; RNAME written with its trailing dot so $ORIGIN is not appended
        IN  NS    dns.mageedu.com.
        IN  NS    ns.mageedu.com.
100     IN  PTR   dns.mageedu.com.
1       IN  PTR   ns.mageedu.com.
2       IN  PTR   mail.mageedu.com.
3       IN  PTR   www.mageedu.com.
3. Edit the configuration file in the same way as above
4. Add the mageedu.com zone on the slave server
zone "mageedu.com" IN {
    type slave;
    masters { 172.16.19.100; };
    file "slaves/mageedu.com.zone";
};
5. Add the 19.16.172.in-addr.arpa zone on the slave server
zone "19.16.172.in-addr.arpa" IN {
    type slave;
    masters { 172.16.19.100; };   // the master's address; the transfer log below confirms 172.16.19.100
    file "slaves/172.16.19.zone";
};
6. Start the named service
# named -u named
7. Check the log file
# tail /var/log/messages
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: connected using 172.16.19.1#47647
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: transferred serial 2014031902
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 8 records, 255 bytes, 0.003 secs (85000 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: sending notifies (serial 2014031902)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: connected using 172.16.19.1#40334
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: transferred serial 2014031901
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 11 records, 283 bytes, 0.002 secs (141500 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: sending notifies (serial 2014031901)
8. Check the /var/named/slaves/ directory on the slave server
# ls /var/named/slaves/
172.16.19.zone  mageedu.com.zone
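As an added example (not code from the original post), the POSIX shell script below turns the log check in step 7 into something repeatable: it reads the slave's syslog from stdin, reports the serial each zone was transferred at, confirms the transfers came from the configured master, and syntax-checks a zone file with named-checkzone before a reload. The log lines it embeds are a constructed copy of the output above, and the helper names (transferred_serial, zone_in_sync, transfer_sources, check_zone) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: verify from the slave's
# syslog that each zone was transferred at the serial the master publishes,
# and syntax-check a zone file before reloading named.
# Assumed: the syslog line format shown in the post ("zone X/IN: transferred
# serial N"); log text is read from stdin so it can come from
# `tail /var/log/messages` or from the constructed sample below.

# transferred_serial ZONE   (log on stdin)
# Prints the serial from the last "transferred serial" line logged for ZONE,
# or nothing if no completed transfer of ZONE appears in the log.
transferred_serial() {
    awk -v z="$1" '
        index($0, "zone " z "/IN: transferred serial ") > 0 { last = $NF }
        END { if (last != "") print last }
    '
}

# zone_in_sync ZONE EXPECTED_SERIAL   (log on stdin)
# Succeeds only if the slave logged a transfer of ZONE at EXPECTED_SERIAL.
zone_in_sync() {
    got=$(transferred_serial "$1")
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# transfer_sources   (log on stdin)
# Lists the addresses completed transfers were pulled from; anything other
# than the address in masters { } means the zone statement needs a look.
transfer_sources() {
    sed -n "s/.*transfer of '.*' from \([0-9.]*\)#[0-9]*: Transfer completed.*/\1/p" | sort -u
}

# check_zone ZONE FILE
# Syntax-checks a zone file with named-checkzone (shipped with bind) before
# `service named reload`; skipped when the tool is not installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping $2" >&2
    fi
}

# Constructed sample: the slave's log lines from the post, one per line.
SAMPLE_LOG=$(cat <<'EOF'
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: connected using 172.16.19.1#47647
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: transferred serial 2014031902
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 8 records, 255 bytes, 0.003 secs (85000 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: connected using 172.16.19.1#40334
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: transferred serial 2014031901
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 11 records, 283 bytes, 0.002 secs (141500 bytes/sec)
EOF
)

# Report what the sample log says; swap in `tail -200 /var/log/messages`
# on a real slave.
for zone in mageedu.com 19.16.172.in-addr.arpa; do
    printf '%-26s transferred at serial %s\n' "$zone" \
        "$(printf '%s\n' "$SAMPLE_LOG" | transferred_serial "$zone")"
done
printf 'transfers pulled from: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | transfer_sources)"
```

Feeding `tail /var/log/messages | zone_in_sync mageedu.com 2014031901` into a monitoring check catches the common failure of bumping the serial on the master without the slave ever picking it up; `check_zone mageedu.com /var/named/mageedu.com.zone` before the reload catches zone-file mistakes such as a missing trailing dot.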
Zone transfer security control
Improving the security of the DNS server
Add allow-transfer { IP; }; to the zone statements on the master server,
allowing only 127.0.0.1 and 172.16.19.1 to perform zone transfers:
zone "mageedu.com" IN {
    type master;
    file "mageedu.com.zone";
    allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "19.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.19.zone";
    allow-transfer { 127.0.0.1; 172.16.19.1; };
};
Reload the DNS service on the master server
# service named reload
Zone transfer security control configured successfully:
# dig -t axfr mageedu.com @172.16.19.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.100
;; global options: +cmd
; Transfer failed.

# dig -t axfr mageedu.com @172.16.19.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.1
;; global options: +cmd
mageedu.com.            86400   IN      SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
mageedu.com.            86400   IN      MX      20 mail.mageedu.com.
mageedu.com.            86400   IN      NS      dns.mageedu.com.
mageedu.com.            86400   IN      NS      ns.mageedu.com.
dns.mageedu.com.        86400   IN      A       172.16.19.100
ftp.mageedu.com.        86400   IN      CNAME   www.mageedu.com.
mail.mageedu.com.       86400   IN      A       172.16.19.2
ns.mageedu.com.         86400   IN      A       172.16.19.1
pop.mageedu.com.        86400   IN      CNAME   mail.mageedu.com.
www.mageedu.com.        86400   IN      A       172.16.19.3
mageedu.com.            86400   IN      SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
;; Query time: 5 msec
;; SERVER: 172.16.19.1#53(172.16.19.1)
;; WHEN: Sun Mar 16 16:29:23 2014
;; XFR size: 11 records (messages 1, bytes 283)
Configure zone transfer security control on the slave server: do not allow anyone to transfer the zones
zone "mageedu.com" IN {
    type slave;
    masters { 172.16.19.100; };
    file "slaves/mageedu.com.zone";
    allow-transfer { none; };
};
zone "19.16.172.in-addr.arpa" IN {
    type slave;
    masters { 172.16.19.100; };
    file "slaves/172.16.19.zone";
    allow-transfer { none; };
};
Reload the DNS service on the slave server
# service named reload
Test that the zone transfer security control is configured successfully:
[root@stu19 ~]# dig -t axfr mageedu.com @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
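As an added example (not code from the original post), the POSIX shell script below makes the two dig checks above repeatable: it classifies `dig -t axfr` output as refused, unreachable, or a count of records handed out, so the allow-transfer settings on both the master and the slave can be re-verified after every configuration change. The two dig results it embeds are constructed copies of the output shown on this page; the helper names (axfr_status, probe_axfr, expect_refused) and the `--live` switch are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that allow-transfer
# does what the configuration intends by classifying dig's AXFR output.
# Assumed: dig output in the form shown in the post ("; Transfer failed."
# when refused, one resource record per line when the transfer succeeds).

# axfr_status   (dig -t axfr output on stdin)
# Prints "refused" if the server refused the transfer, "unreachable" if dig
# got no answer at all, otherwise the number of resource records handed out.
axfr_status() {
    awk '
        /connection timed out|no servers could be reached/ { unreachable = 1 }
        /^; Transfer failed\./                             { refused = 1 }
        /^[^;]/ && NF >= 4                                 { records++ }   # name TTL class type rdata
        END {
            if (unreachable)  print "unreachable"
            else if (refused) print "refused"
            else              print records + 0
        }
    '
}

# probe_axfr ZONE SERVER
# Runs a real AXFR request against SERVER (needs dig) and prints its status.
probe_axfr() {
    dig +time=3 +tries=1 -t axfr "$1" "@$2" 2>&1 | axfr_status
}

# expect_refused ZONE SERVER
# Succeeds only if SERVER refuses AXFR of ZONE from this host. Run it from a
# host that is not in the master's allow-transfer list, and from any host
# against a slave configured with allow-transfer { none; }.
expect_refused() {
    [ "$(probe_axfr "$1" "$2")" = "refused" ]
}

# Constructed samples: the refused and the successful dig results from the post.
SAMPLE_REFUSED=$(cat <<'EOF'
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
EOF
)
SAMPLE_ALLOWED=$(cat <<'EOF'
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.1
;; global options: +cmd
mageedu.com.      86400 IN SOA   dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
mageedu.com.      86400 IN MX    20 mail.mageedu.com.
mageedu.com.      86400 IN NS    dns.mageedu.com.
mageedu.com.      86400 IN NS    ns.mageedu.com.
dns.mageedu.com.  86400 IN A     172.16.19.100
ftp.mageedu.com.  86400 IN CNAME www.mageedu.com.
mail.mageedu.com. 86400 IN A     172.16.19.2
ns.mageedu.com.   86400 IN A     172.16.19.1
pop.mageedu.com.  86400 IN CNAME mail.mageedu.com.
www.mageedu.com.  86400 IN A     172.16.19.3
mageedu.com.      86400 IN SOA   dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
;; Query time: 5 msec
;; SERVER: 172.16.19.1#53(172.16.19.1)
;; WHEN: Sun Mar 16 16:29:23 2014
;; XFR size: 11 records (messages 1, bytes 283)
EOF
)

printf 'sample 1 (slave after allow-transfer { none; }): %s\n' \
    "$(printf '%s\n' "$SAMPLE_REFUSED" | axfr_status)"
printf 'sample 2 (slave before the restriction): %s records handed out\n' \
    "$(printf '%s\n' "$SAMPLE_ALLOWED" | axfr_status)"

# Live check, only when invoked as `sh check_axfr.sh --live` on a host with
# dig; the addresses are the master and slave from the post.
if [ "${1-}" = "--live" ] && command -v dig >/dev/null 2>&1; then
    for server in 172.16.19.100 172.16.19.1; do
        printf 'AXFR mageedu.com @%s: %s\n' "$server" "$(probe_axfr mageedu.com "$server")"
    done
fi
```

The distinction between "refused" and "unreachable" matters for this check: a firewall dropping port 53/TCP also makes the transfer fail, but it says nothing about whether allow-transfer is set, so only an explicit "Transfer failed." from the server counts as the restriction working.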