DNS之主從服務器的構建和dig命令的使用

時間 2020-09-23

標籤 dns 主從服務器構建 dig 命令使用欄目系統網絡简体版

原文原文鏈接

通常來講咱們的DNS服務器爲了安全不能對全部用戶（如經過互聯網訪問的用戶）進行遞歸，不然DNS服務器容易受到***，很不安全node

用戶請求有如下幾種：vim

有主機經過互聯網請求本地NS管理的主機（如ns1.fade.com）的權威答案，應該給予響應（此處不是遞歸）安全
有主機從互聯網請求本地沒有的主機（如請求www.baidu.com 此處是遞歸）則不該該給予響應服務器
本地用戶經過本地的NS請求www.baidu.com的解析（此處是遞歸），但應該給予響應ide

#vim /etc/named.confoop

options {google

direcotry "/var/named";spa

allow-recursion{192.168.139.0/24}; 則只容許本地網段用戶進行遞歸.net

};rest

用dig命令進行非遞歸一步步查詢

[root@node1 bind]# dig +norecurse -t A www.sina.com @192.168.139.2

com. 172154 IN NS j.gtld-servers.net.

com. 172154 IN NS m.gtld-servers.net.

顯示的爲com.的解析

[root@node1 bind]# dig +norecurse -t A www.sina.com @m.gtld-servers.net.

sina.com. 172800 IN NS ns1.sina.com.cn.

sina.com. 172800 IN NS ns2.sina.com.cn.

顯示的爲sina.com.的解析

[root@node1 bind]# dig +norecurse -t A www.sina.com @m.ns1.sina.com.cn.

;; QUESTION SECTION:

;www.sina.com. IN A

;; ANSWER SECTION:

www.sina.com. 60 IN CNAME us.sina.com.cn.

us.sina.com.cn. 60 IN CNAME news.sina.com.cn.

news.sina.com.cn. 60 IN CNAME jupiter.sina.com.cn.

jupiter.sina.com.cn. 60 IN CNAME polaris.sina.com.cn.

polaris.sina.com.cn. 60 IN A 202.108.33.107

顯示的爲www.sina.com.的解析，這是一個別名

用dig命令直接進行遞歸查詢www.google.com.hk，則一步就能夠查詢到結果

[root@node1 bind]# dig +recurse -t A www.google.com.hk @192.168.139.2

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> +recurse -t A www.google.com.hk @192.168.139.2

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58042

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 14

;; QUESTION SECTION:

;www.google.com.hk. IN A

;; ANSWER SECTION:

www.google.com.hk. 76 IN A 46.82.174.68

;; AUTHORITY SECTION:

hk. 172797 IN NS z.hkirc.net.hk.

hk. 172797 IN NS u.hkirc.net.hk.

hk. 172797 IN NS v.hkirc.net.hk.

hk. 172797 IN NS x.hkirc.net.hk.

hk. 172797 IN NS c.hkirc.net.hk.

hk. 172797 IN NS w.hkirc.net.hk.

hk. 172797 IN NS d.hkirc.net.hk.

hk. 172797 IN NS y.hkirc.net.hk.

;; ADDITIONAL SECTION:

c.hkirc.net.hk. 172797 IN A 203.119.2.218

c.hkirc.net.hk. 172797 IN AAAA 2001:dca:4000::cb77:2da

d.hkirc.net.hk. 172797 IN A 203.119.87.218

d.hkirc.net.hk. 172797 IN AAAA 2001:dca:2000::cb77:57da

u.hkirc.net.hk. 172797 IN A 210.201.138.58

u.hkirc.net.hk. 172797 IN AAAA 2404:0:10a0::58

v.hkirc.net.hk. 172797 IN A 204.61.216.46

v.hkirc.net.hk. 172797 IN AAAA 2001:500:14:6046:ad::1

w.hkirc.net.hk. 172797 IN A 202.12.28.140

w.hkirc.net.hk. 172797 IN AAAA 2001:dc0:1:0:4777::140

x.hkirc.net.hk. 172797 IN A 202.45.188.39

x.hkirc.net.hk. 172797 IN AAAA 2405:3001:1:3a::27

y.hkirc.net.hk. 172797 IN A 137.189.6.21

y.hkirc.net.hk. 172797 IN AAAA 2405:3000:3:6::15

對任何主機都不給予遞歸的設置

#vim /etc/named.conf

options {

directory "/var/named";

recursion no; 直接禁止進行遞歸

};

axfr：全區域傳送

ixfr: 增量區域傳送

[root@node1 bind]# dig -t axfr fade.com. 顯示出fade.com這個區域內全部的記錄

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> -t axfr fade.com.

;; global options: +cmd

fade.com. 600 IN SOA ns1.fade.com.fade.com. admin.fade.com. 2017022101 3600 300 86400 21600

fade.com. 600 IN NS ns1.fade.com.

fade.com. 600 IN MX 10 mail.fade.com.

ftp.fade.com. 600 IN CNAME www.fade.com.

mail.fade.com. 600 IN A 192.168.139.14

ns1.fade.com. 600 IN A 192.168.139.11

www.fade.com. 600 IN A 192.168.139.12

www.fade.com. 600 IN A 192.168.139.13

fade.com. 600 IN SOA ns1.fade.com.fade.com. admin.fade.com. 2017022101 3600 300 86400 21600

;; Query time: 16 msec

;; SERVER: 192.168.139.2#53(192.168.139.2)

;; WHEN: Tue Feb 21 17:01:15 2017

;; XFR size: 9 records (messages 1, bytes 242)

[root@node1 bind]# dig -t ixfr=2017022101 fade.com. 顯示出當前版本號爲2017022101時改變的數據

區域傳送時爲了DNS服務器的安全，只容許從服務器進行區域傳送，其餘的都不容許

#vim /etc/named.conf

options {

direcotry "/var/named";

allow-recursion{192.168.139.0/24}; 則只容許本地網段用戶進行遞歸

allow-transfer {192.168.139.4;}; 只容許192.168.139.4主機進行區域傳送（從DNS)，且這是一個全局定義，即全部區域的傳送都只容許192.168.139.4主機進行

};

要想只定義某個區域的區域傳送對象，則在此區域內定義一個allow-transfer即可;none表示誰都不能傳送

如

#vim /etc/named.conf

zone "fade.com" IN {

type master;

file "fade.com.zone";

allow-transfer{192.168.139.4;};

既fade.com區域停止容許 192.168.139.4進行區域傳送

};

構建主從服務器

192.168.139.2 node1 主

192.168.139.4 node2 從

[root@node1 bind]# vim /etc/named.conf //主服務器（node1）的配置

options {

directory "/var/named";

notify yes;

};

zone "." IN {

type hint;

file "named.ca";

};

zone "localhost" IN {

type master;

file "named.localhost";

};

zone "0.0.127.in-addr.arpa" IN {

type master;

file "named.loopback";

};

zone "fade.com" IN { type master;

file "fade.com.zone";

};

zone "139.168.192.in-addr.arpa" IN {

type master;

file "192.168.139.zone

[root@node1 bind]# vim /var/named/fade.com.zone 正向區域資源記錄文件

$TTL 600

fade.com. IN SOA ns1.fade.com admin.fade.com. (

2017022102

6H)

fade.com. IN NS ns1.fade.com.

fade.com. IN NS ns2.fade.com.

IN MX 10 mail

ns1 IN A 192.168.139.2

ns2 IN A 192.168.139.4

mail IN A 192.168.139.14

www IN A 192.168.139.12

www IN A 192.168.139.13

ftp IN CNAME www

[root@node1 bind]# vim /var/named/192.168.139.zone 反向區域資源記錄文件

$TTL 600

@ IN SOA ns1.fade.com admin.fade.com.(

2017022101

6H)

IN NS ns1.fade.com.

IN NS ns2.fade.com.

2 IN PTR ns1.fade.com.

4 IN PTR ns2.fade.com.

12 IN PTR www.fade.com.

13 IN PTR www.fade.com.

14 IN PTR mail.fade.com.

在node2上安裝bind

[root@node2 ~]# yum install bind bind-libs bind-utils

[root@node2 ~]# ls -ld /var/named/

drwxr-x---. 5 root named 4096 Feb 21 17:26 /var/named/

[root@node2 ~]# ls -ld /var/named/slaves/

drwxrwx---. 2 named named 4096 Jan 17 21:04 /var/named/slaves/

能夠看到named對/var/named是沒有寫入權限的，而進行主從區域傳送時是以named用戶身份進行的，沒法將dns主從區域傳送的內容寫入/var/named目錄下；只能寫到/var/named/slaves/目錄下，或者要修改權限

[root@node2 ~]# mv /etc/named.conf /etc/named.conf.bak

[root@node2 ~]# scp 192.168.139.2:/etc/named.conf /etc/

[root@node2 ~]# vim /etc/named.conf

options {

directory "/var/named";

allow-recursion { 192.168.139.0/16;};

};

zone "." IN {

type hint;

file "named.ca";

};

zone "localhost" IN {

type master;

file "named.localhost";

allow-transfer { none;};

};

zone "0.0.127.in-addr.arpa" IN {

type master;

file "named.loopback";

allow-transfer { none;};

};

zone "fade.com" IN { type slave;

file "slaves/fade.com.zone";

masters { 192.168.139.2;};

allow-transfer { none;};

};

zone "139.168.192.in-addr.arpa" IN {

type slave;

file "slaves/192.168.139.zone";

masters { 192.168.139.2;};

allow-transfer { none;};

};

[root@node2 ~]# ll /etc/named.conf 這個目錄屬於root，named用戶沒法讀

-rw-r-----. 1 root root 1212 Feb 21 17:43 /etc/named.conf

[root@node2 ~]# chgrp named /etc/named.conf 將組改成named

[root@node2 ~]# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

返回192.168.139.2（主服務器）

[root@node1 bind]# tail /var/log/messages

Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#41679: transfer of 'fade.com/IN': AXFR started

Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#41679: transfer of 'fade.com/IN': AXFR ended

Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#35693: transfer of '139.168.192.in-addr.arpa/IN': AXFR started //AXFR全區域傳送開始

Feb 21 17:45:11 node1 named[3173]: client 192.168.139.4#35693: transfer of '139.168.192.in-addr.arpa/IN': AXFR ended //AXFR全區域傳送結束

node2上

[root@node2 ~]# tail /var/log/messages

Feb 21 17:45:17 node2 named[2693]: transfer of 'fade.com/IN' from 192.168.139.2#53: connected using 192.168.139.4#41679

Feb 21 17:45:17 node2 named[2693]: zone fade.com/IN: transferred serial 2017022101

Feb 21 17:45:17 node2 named[2693]: transfer of 'fade.com/IN' from 192.168.139.2#53: Transfer completed: 1 messages, 10 records, 264 bytes, 0.007 secs (37714 bytes/sec)

Feb 21 17:45:17 node2 named[2693]: zone fade.com/IN: sending notifies (serial 2017022101)

Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: Transfer started.

Feb 21 17:45:18 node2 named[2693]: transfer of '139.168.192.in-addr.arpa/IN' from 192.168.139.2#53: connected using 192.168.139.4#35693

Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: transferred serial 2017022101

Feb 21 17:45:18 node2 named[2693]: transfer of '139.168.192.in-addr.arpa/IN' from 192.168.139.2#53: Transfer completed: 1 messages, 7 records, 236 bytes, 0.001 secs (236000 bytes/sec)

Feb 21 17:45:18 node2 named[2693]: zone 139.168.192.in-addr.arpa/IN: sending notifies (serial 2017022101)

Feb 21 17:45:18 node2 named[2693]: dumping master file: tmp-oztkOxYEv1: open: permission denied

[root@node2 ~]# cd /var/named/slaves/

[root@node2 slaves]# ls

192.168.139.zone fade.com.zone

[root@node2 slaves]# vim fade.com.zone 正向區域傳送文件

$ORIGIN .

$TTL 600 ; 10 minutes

fade.com IN SOA ns1.fade.com.fade.com. admin.fade.com. (

2017022101 ; serial

3600 ; refresh (1 hour)

300 ; retry (5 minutes)

86400 ; expire (1 day)

21600 ; minimum (6 hours)

)

NS ns1.fade.com.

NS ns2.fade.com.

MX 10 mail.fade.com.

$ORIGIN fade.com.

ftp CNAME www

mail A 192.168.139.14

ns1 A 192.168.139.2

ns2 A 192.168.139.4

www A 192.168.139.12

A 192.168.139.13

[root@node2 slaves]# vim 192.168.139.zone 反向區域傳送文件

$ORIGIN .

$TTL 600 ; 10 minutes

139.168.192.in-addr.arpa IN SOA ns1.fade.com.139.168.192.in-addr.arpa. admin.fade.com. (

2017022101 ; serial

3600 ; refresh (1 hour)

300 ; retry (5 minutes)

86400 ; expire (1 day)

21600 ; minimum (6 hours)

)

NS ns1.fade.com.

NS ns2.fade.com.

$ORIGIN 139.168.192.in-addr.arpa.

12 PTR www.fade.com.

13 PTR www.fade.com.

14 PTR mail.fade.com.

2 PTR ns1.fade.com.

4 PTR ns2.fade.com.

修改node1的正向資源文件記錄和版本號，再從新reload

[root@node1 bind]# vim /var/named/fade.com.zone

添加下面兩個記錄

序列號從2017022101 改成 2017022102

node1 IN A 192.168.139.15

node2 IN A 192.168.139.16

[root@node1 bind]# service named reload

[root@node1 bind]# tail /var/log/messages

Feb 21 18:13:49 node1 named[3173]: reloading configuration succeeded

Feb 21 18:13:49 node1 named[3173]: reloading zones succeeded

Feb 21 18:13:49 node1 named[3173]: zone fade.com/IN: loaded serial 2017022102

Feb 21 18:13:49 node1 named[3173]: zone fade.com/IN: sending notifies (serial 2017022102)

發出了通知，讓192.168.139.4（從）前來同步

Feb 21 18:13:49 node1 named[3173]: client 192.168.139.4#42545: transfer of 'fade.com/IN': AXFR-style IXFR started

Feb 21 18:13:49 node1 named[3173]: client 192.168.139.4#42545: transfer of 'fade.com/IN': AXFR-style IXFR ended

Feb 21 18:13:50 node1 named[3173]: client 192.168.139.4#19213: received notify for zone 'fade.com'

[root@node2 slaves]# vim fade.com.zone 數據已近同步

$ORIGIN .

$TTL 600 ; 10 minutes

fade.com IN SOA ns1.fade.com.fade.com. admin.fade.com. (

2017022102 ; serial

3600 ; refresh (1 hour)

300 ; retry (5 minutes)

86400 ; expire (1 day)

21600 ; minimum (6 hours)

)

NS ns1.fade.com.

NS ns2.fade.com.

MX 10 mail.fade.com.

$ORIGIN fade.com.

ftp CNAME www

mail A 192.168.139.14

node1 A 192.168.139.15

node2 A 192.168.139.16

ns1 A 192.168.139.2

ns2 A 192.168.139.4

www A 192.168.139.12

A 192.168.139.13

這樣一個帶有更新通知和自動同步的DNS主從服務器就構成了

相關標籤/搜索

每日一句

每一个你不满意的现在，都有一个你没有努力的曾经。