- Base environment: Red Hat 7.3
master 10.8.10.30
slave 10.8.10.204
0 Install bind
yum install -y bind bind-utils
1 MASTER configuration
1.1 Edit /etc/named.conf
a. Edit the configuration file /etc/named.conf, find the listen-on line and change it to:
listen-on port 53 { any; }; # any matches all addresses
b. Find the allow-query line and change it to:
allow-query { any; };
c. Set dnssec to no
dnssec-enable no;
dnssec-validation no;
1.2 Edit /etc/named.rfc1912.zones
a. Add the forward and reverse zone configuration
zone "example.com" IN {
type master;
file "example.com.zone";
allow-transfer { 10.8.10.204; };
allow-query { any; };
notify yes;
also-notify { 10.8.10.204; };
};
zone "10.8.10.in-addr.arpa" IN {
type master;
file "10.8.10.arpa";
allow-transfer { 10.8.10.204; };
allow-query { any; };
notify yes;
also-notify { 10.8.10.204; };
};
1.3 Add the forward and reverse zone files
1.3.1 Forward zone
cd /var/named/
cp -a named.localhost example.com.zone
vim example.com.zone
a. Configure as follows (note: comments start with ;, unlike other scripts)
$TTL 1D
@ IN SOA @ example.com. (
20200812 ; serial (zone serial number, update it on every change)
1D ; refresh (refresh interval)
1H ; retry (retry interval)
1W ; expire (expiry time)
3H ) ; minimum (cache time for negative answers)
@ IN NS dns1.example.com.
@ IN NS dns2.example.com.
dns1 IN A 10.8.10.30
dns2 IN A 10.8.10.204
@ IN MX 20 mail2.example.com.
@ IN MX 10 mail1.example.com.
mail1 IN A 10.8.10.30
mail2 IN A 10.8.10.204
www IN CNAME servs.example.com.
ftp IN CNAME servs.example.com.
servs IN A 10.8.10.20
; NS ns.example.com.
;ns A 10.8.10.130
;www A 10.8.10.130
;mail A 10.8.10.120
; MX 10 mail.example.com.
;example.com. A 10.8.10.129
$GENERATE 1-245 server$ A 1.1.1.$
;bbs CNAME www
* A 10.8.10.30
1.3.2 Reverse zone
cp -a /var/named/named.loopback /var/named/10.8.10.arpa
a. Configure as follows
$TTL 1D
@ IN SOA @ example.com. (
20200812 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns1.example.com.
@ IN NS dns2.example.com.
30 IN PTR dns1.example.com.
204 IN PTR dns2.example.com.
1.4 Check the configuration
a. Main configuration
named-checkconf
b. Zone files (the first argument is the zone origin, so the reverse zone is checked under its in-addr.arpa name)
named-checkzone example.com /var/named/example.com.zone
named-checkzone 10.8.10.in-addr.arpa /var/named/10.8.10.arpa
c. Restart the service
systemctl restart named
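named-checkzone only validates each zone file's syntax; it does not tell you whether the forward and reverse zones agree with each other. The Python script below is an added example, not code from the original post: it embeds constructed, trimmed copies of the two zones above (MX and $GENERATE omitted), parses them, and reports NS names without glue A records, CNAMEs pointing at names that do not exist, PTRs whose target has no matching A record, and hosts in 10.8.10.0/24 that have no PTR.

```python
import re

# Constructed, trimmed copies of the two zones above (MX and $GENERATE omitted).
FORWARD = """$TTL 1D
@ IN SOA @ example.com. ( 20200812 1D 1H 1W 3H )
@ IN NS dns1.example.com.
@ IN NS dns2.example.com.
dns1 IN A 10.8.10.30
dns2 IN A 10.8.10.204
mail1 IN A 10.8.10.30
www IN CNAME servs.example.com.
servs IN A 10.8.10.20
* A 10.8.10.30
"""
REVERSE = """$TTL 1D
@ IN SOA @ example.com. ( 20200812 1D 1H 1W 3H )
30 IN PTR dns1.example.com.
204 IN PTR dns2.example.com.
"""

def parse_zone(text, origin):
    """Yield (owner, rtype, rdata) with names fully qualified; $-directives are skipped."""
    def fq(n):  # '@' is the origin, a trailing dot is absolute, anything else is relative
        return origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    text = re.sub(r";[^\n]*", "", text)                                  # drop ; comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join ( ) lines
    for tok in (line.split() for line in text.splitlines()):
        if not tok or tok[0].startswith("$"):
            continue
        owner, rest = fq(tok[0]), tok[1:]
        while rest and (rest[0] == "IN" or re.fullmatch(r"\d+[smhdwSMHDW]?", rest[0])):
            rest.pop(0)                                                  # optional TTL / class
        rdata = " ".join(rest[1:])
        yield owner, rest[0], fq(rdata) if rest[0] in ("NS", "CNAME", "PTR") else rdata

def check(fwd, rev, origin="example.com.", rev_origin="10.8.10.in-addr.arpa."):
    """Return the list of forward/reverse mismatches (an empty list means consistent)."""
    def rev_ip(name):  # 30.10.8.10.in-addr.arpa. -> 10.8.10.30
        return ".".join(name[: -len(".in-addr.arpa.")].split(".")[::-1])
    recs = list(parse_zone(fwd, origin))
    owners = {o for o, _, _ in recs}
    a = {o: {x for oo, tt, x in recs if (oo, tt) == (o, "A")} for o, t, _ in recs if t == "A"}
    ptr = {rev_ip(o): d for o, t, d in parse_zone(rev, rev_origin) if t == "PTR"}
    net = rev_ip(rev_origin) + "."                                       # "10.8.10."
    issues = [f"NS {d} has no A record (missing glue)" for _, t, d in recs if t == "NS" and d not in a]
    issues += [f"CNAME {o} points to missing {d}" for o, t, d in recs if t == "CNAME" and d not in owners]
    issues += [f"PTR {ip} -> {n} has no matching A record" for ip, n in ptr.items() if ip not in a.get(n, ())]
    issues += [f"no PTR for {n} ({ip})" for n, ips in a.items() for ip in sorted(ips)
               if not n.startswith("*") and ip.startswith(net) and ip not in ptr]
    return issues
```

Calling check(FORWARD, REVERSE) on the page's zones yields one finding: servs.example.com. (10.8.10.20) has no PTR, which the reverse zone above indeed omits.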
2 SLAVE configuration
2.1 Edit /etc/named.conf
a. Edit the configuration file /etc/named.conf, find the listen-on line and change it to:
listen-on port 53 { any; }; # any matches all addresses
b. Find the allow-query line and change it to:
allow-query { any; };
c. Set dnssec to no
dnssec-enable no;
dnssec-validation no;
d. Add one line inside options so that the zone files transferred from the master are stored on the slave in the same text format
masterfile-format text;
2.2 Edit /etc/named.rfc1912.zones
a. Add the forward and reverse zone configuration (note: the file directory must not be directly under /var/named/; either /var/named/data/ or /var/named/slaves/ works)
zone "example.com" IN {
type slave;
file "slaves/example.com.zone";
masters { 10.8.10.30; };
};
zone "10.8.10.in-addr.arpa" IN {
type slave;
file "slaves/10.8.10.arpa";
masters { 10.8.10.30; };
};
2.3 Check the configuration
a. Main configuration
named-checkconf
3 Restart and test
3.1 On both master and slave, change the ownership of /var/named/ and every file in it
chown -R named:named /var/named/
3.2 Restart master and slave
a. Restart
systemctl restart named
b. Check /var/log/messages for errors
Common errors
- 1> dumping master file: tmp-Jf88DjE6Zl: open: permission denied
chown -R named:named /var/named/ (changing the ownership of /var/named/ did not seem to help)
file "slaves/example.com.zone"; (changing the directory the transferred zone file is written to worked)
- 2> error (no valid KEY) resolving './DNSKEY/IN': 192.228.79.201#53
The original /etc/named.conf had the DNS security extensions (DNSSEC) parameters enabled. A non-authoritative DNS server must not enable them; otherwise DNS requests end up in an untrusted chain and resolution ultimately fails.
c. Check whether the transferred zone files have appeared in the slaves directory
d. Edit /etc/resolv.conf
nameserver 10.8.10.30
e. Test with dig / nslookup
dig -t A www.example.com @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.example.com @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 86400 IN CNAME servs.example.com.
servs.example.com. 86400 IN A 10.8.10.20
;; AUTHORITY SECTION:
example.com. 86400 IN NS dns1.example.com.
example.com. 86400 IN NS dns2.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 86400 IN A 10.8.10.30
dns2.example.com. 86400 IN A 10.8.10.204
;; Query time: 0 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:12:29 CST 2020
;; MSG SIZE rcvd: 150
dig -x 10.8.10.30 @10.8.10.30
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 10.8.10.30 @10.8.10.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.10.8.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
30.10.8.10.in-addr.arpa. 86400 IN PTR dns1.example.com.
;; AUTHORITY SECTION:
10.8.10.in-addr.arpa. 86400 IN NS dns1.example.com.
10.8.10.in-addr.arpa. 86400 IN NS dns2.example.com.
;; ADDITIONAL SECTION:
dns1.example.com. 86400 IN A 10.8.10.30
dns2.example.com. 86400 IN A 10.8.10.204
;; Query time: 1 msec
;; SERVER: 10.8.10.30#53(10.8.10.30)
;; WHEN: Thu Aug 13 16:13:55 CST 2020
;; MSG SIZE rcvd: 147