DNS
一. DNS安装部署
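yum install -y bind
systemctl start named
systemctl enable named
# The original notes had "enable named" and "stop firewalld" fused on one line, and then
# disabled the firewall entirely. Do not turn the host firewall off just to reach named;
# open only the DNS service (53/tcp + 53/udp) instead.
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload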
dns主配置文件:/etc/named.conf
dns子配置文件:/etc/named.rfc1912.zones
dns数据目录:/var/named
二. DNS高速缓存
vim /etc/named.conf
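listen-on port 53 { any; };
allow-query { any; };
# Only the lab network may use this server for recursive (cached / forwarded) lookups.
# Without this line the server is an "open resolver" that anyone on the internet can use
# for DNS amplification attacks and cache-poisoning attempts. Adjust the prefix to your network.
allow-recursion { 172.25.254.0/24; localhost; };
# Queries this server cannot answer itself are forwarded to 172.25.254.70, which must be able
# to reach the internet. This is forwarding, not an "authoritative" pointer.
forwarders { 172.25.254.70; };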
systemctl restart named
测试主机:vim /etc/resolv.conf #nameserver 172.25.254.170
测试:
三. DNS权威解析
1. 正向解析
vim /etc/named.rfc1912.zones
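zone "sky.com" IN {
    type master;
    file "sky.com.zone";        # relative to /var/named (the "directory" option in named.conf)
    allow-update { none; };     # no dynamic updates to this zone
    # No secondary exists at this point, so refuse zone transfers: an unrestricted AXFR lets
    # anyone dump every record in the zone.
    allow-transfer { none; };
};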
cd /var/named/
cp -p named.localhost sky.com.zone
vim sky.com.zone #配置正向解析子文件
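$TTL 1D
@ IN SOA dns.sky.com. root.sky.com. (
        0   ; serial  - must be increased after every change, or secondaries will keep the old zone
        1D  ; refresh
        1H  ; retry
        1W  ; expire
        3H ) ; minimum (negative-caching TTL)
; Records below use ';' for comments: '#' is NOT a comment in a zone file and makes named reject it.
; The NS line must be indented - a line starting at column 0 would be read as a record for an owner named "NS".
    NS  dns.sky.com.
dns A 172.25.254.170 ; address of the DNS server itself (the NS target needs this A record)
www A 172.25.254.111 ; the host that clients look up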
systemctl restart named
测试:dig www.sky.com
2. 反向解析
vim /etc/named.rfc1912.zones
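zone "254.25.172.in-addr.arpa" IN {
    type master;
    file "sky.com.ptr";         # reverse-mapping data for 172.25.254.0/24, relative to /var/named
    allow-update { none; };
    # No secondary for this zone: refuse AXFR so the full address inventory cannot be dumped.
    allow-transfer { none; };
};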
cp -p named.loopback sky.com.ptr
vim sky.com.ptr #配置反向解析子文件
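$TTL 1D
@ IN SOA dns.sky.com. root.sky.com. (
        0   ; serial - bump after every edit
        1D  ; refresh
        1H  ; retry
        1W  ; expire
        3H ) ; minimum
; The NS line must be indented (blank owner = same owner as the previous record, here "@").
    NS  dns.sky.com.
; Reverse mapping: the owner is the last octet of 172.25.254.x, the type is PTR (not A), and the
; target is a fully qualified name WITH a trailing dot. The original "111 A www.sky.com" is not
; valid rdata for an A record and named will refuse to load the zone.
; An A record for "dns" does not belong in an in-addr.arpa zone; the NS target's address lives in sky.com.zone.
111 PTR www.sky.com.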
systemctl restart named
测试:dig -x 172.25.254.111
3. 双向解析
vim /etc/named.conf
# Split-horizon ("two-way") resolution: clients are assigned to the first view whose match-clients
# matches them, so the more specific internal view must stay above the catch-all "any" view.
# NOTE(review): once views are used, every zone (including the ones in named.rfc1912.zones)
# must be declared inside a view; a zone left at top level makes named refuse to start.
view localnet { # internal clients
match-clients { 172.25.254.150; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones"; # internal zone definitions (sky.com.zone etc.)
include "/etc/named.root.key";
};
view any { # everyone else
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones.inter"; # external zone definitions (sky.com.inter etc.)
include "/etc/named.root.key";
};
cp -p sky.com.zone sky.com.inter
vim sky.com.inter #建立一个对外部的数据文件
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter #建立对外的子配置文件
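zone "sky.com" IN {
    type master;
    file "sky.com.inter";       # the externally visible copy of the zone
    allow-update { none; };
    # This view is reachable by anyone; refuse zone transfers so outsiders cannot enumerate the zone.
    allow-transfer { none; };
};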
systemctl restart named
测试------内部:
测试------外部:
四. 辅助DNS
主机:
vim /etc/named.rfc1912.zones.inter
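zone "sky.com" IN {
    type master;
    file "sky.com.inter";
    allow-update { none; };
    # Only the secondary (150) may pull the zone; an unrestricted AXFR exposes every record to anyone who asks.
    allow-transfer { 172.25.254.150; };
    # Tell 150 to refresh immediately when the serial changes instead of waiting for the SOA refresh interval.
    also-notify { 172.25.254.150; };
};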
systemctl restart named
辅机:
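yum install -y bind
systemctl start named
# Open only the DNS service on the secondary instead of stopping firewalld (the original did the latter).
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload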
vim /etc/named.conf
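listen-on port 53 { any; };
allow-query { any; };
# The secondary also answers recursive queries by default; keep that to the lab network so it
# does not become an open resolver. Adjust the prefix to your network.
allow-recursion { 172.25.254.0/24; localhost; };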
vim /etc/named.rfc1912.zones
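zone "sky.com" IN {
    type slave;
    masters { 172.25.254.170; };    # the primary (170) this zone is transferred from
    file "slaves/sky.com.zone";     # /var/named/slaves is writable by named, so the transferred copy can be stored there
    allow-update { none; };
    # A secondary serves AXFR too; do not let arbitrary clients dump the zone from here.
    allow-transfer { none; };
};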
systemctl restart named
测试:vim /etc/resolv.conf
注:每次更改zone文件后必须增大serial的数值,否则辅机不会拉取新数据。serial是32位无符号整数(最大4294967295,即10位数但不是任意10位数都可用),常用日期+序号的写法,如2017091001
五. DNS的远程更新
基于ip:
vim /etc/named.rfc1912.zones.inter
zone "sky.com" IN {
type master;
file "sky.com.inter";
# Dynamic updates are authorized purely by source address. nsupdate normally talks UDP, so a
# spoofed source address can pass this check; prefer the TSIG-key-based allow-update shown in
# the "基于key" section for anything beyond a lab. There is also no allow-transfer here, so the
# zone can be pulled by anyone unless restricted.
allow-update { 172.25.254.150; };
also-notify{ 172.25.254.150; };
};
# named needs write access to create the journal (.jnl) of a dynamically updated zone. Making the
# whole of /var/named group-writable is the blunt way to get it; a narrower option is to keep
# dynamic zones under /var/named/dynamic/, which already belongs to named.
chmod g+w /var/named/
systemctl restart named
注:使用view时,nsupdate的来源ip先按/etc/named.conf中各view的match-clients匹配。要让150的更新落到.inter数据文件,150不能被内部view(localnet)的match-clients匹配到,否则更新会进入内部zone文件或被拒绝
基于150主机:
六. 远程主机恢复更新状态
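# Restoring the zone file after dynamic updates. Freeze the zone first so pending updates are
# flushed into the file and no new ones arrive while the journal (.jnl) is removed; deleting the
# journal under a running named risks losing updates. If the zone lives in a view, add the view
# name: rndc freeze sky.com IN localnet
rndc freeze sky.com
cp -p /var/named/sky.com.zone /mnt/
rm -f /var/named/sky.com.zone*   # mainly removes the .jnl journal (plain files, -r is not needed)
cp -p /mnt/sky.com.zone /var/named/
rndc thaw sky.com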
基于key:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST sky #生成一个TSIG钥匙(文件名Ksky.+157+NNNNN.key/.private中的157即HMAC-MD5)。HMAC-MD5已不推荐,生产环境应使用 -a HMAC-SHA256 -b 256(算法号变为165)或直接用tsig-keygen生成
cp -p /etc/rndc.key /etc/sky.key #复制一个钥匙文件模版
cat Ksky.+157+27973.key #查看钥匙
cat Ksky.+157+27973.private
vim /etc/sky.key #编辑钥匙文件
# TSIG key used by allow-update { key sky; } and by nsupdate. The key name must match the one
# given to dnssec-keygen (-n HOST sky).
key "sky" { # key name
algorithm hmac-md5;
# The secret is copied from the generated Ksky.+157+NNNNN.private file. The value below is only
# the example from these notes - never reuse it; anyone holding it can rewrite the zone.
# Keep this file readable by root and the named group only (e.g. chmod 640, chown root:named).
secret "6GaHlzdiysYn+xUaD0KpKQ=="; # replace with your own generated secret
};
vim /etc/named.conf #主配置文件
include "/etc/westos.key"; #放在42行左右,读取优先级
vim /etc/named.rfc1912.zones #子配置文件
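zone "sky.com" IN {
    type master;
    file "sky.com.zone";
    # Key-based dynamic updates: only requests signed with the TSIG key "sky" (from /etc/sky.key)
    # are accepted. The original still had "allow-update { none; };", which rejects every update
    # and contradicts the troubleshooting note that the update method is "key sky".
    allow-update { key sky; };
    allow-transfer { 172.25.254.150; };   # only the secondary may pull the zone
    also-notify { 172.25.254.150; };
};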
systemctl restart named
scp Ksky.+157+27973* [email protected]:/mnt/
测试:150主机
nsupdate -k Ksky.+157+27973.key #利用**进行更新
七. ddns
服务主机:
yum install -y dhcp
# Start from the packaged example configuration.
cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
# Per the troubleshooting note below, dhcpd.conf needs DDNS enabled in "interim" style and must
# reference the same TSIG key / zone as named; the exact stanza is not shown in these notes.
vim /etc/dhcp/dhcpd.conf
# Remove the static www record so the address is supplied by DDNS instead of a hand-written A record.
vim /var/named/sky.com.zone
systemctl restart dhcpd
systemctl restart named
远程辅机:
hostnamectl set-hostname www.sky.com #建立与dhcp获取方的关系
vim /etc/sysconfig/network-scripts/ifcfg-eth0 #配置为dhcp
systemctl restart network
ifconfig
dig www.sky.com
注:ip需与dig解析保持一致
易出现的问题:ip可以获取,但与dig解析不能保持一致
解决方案:
1. 查看主配置文件/etc/named.conf中是否有问题
2. 查看子配置文件/etc/named.rfc1912.zones中是否有问题,更新方式为“key sky”
3. 查看/var/named/sky.com.zone文件是否有问题,需要删除手写的www记录以及残留的.jnl日志文件(删除前先rndc freeze,改完再rndc thaw)
4. 查看dhcp配置文件/etc/dhcp/dhcpd.conf是否有问题,包括ddns开启以及方式为interim;dig的获取文件等
5. 注意权限问题(/var/named或dynamic目录对named可写、钥匙文件对named可读)及selinux布尔值,用setsebool -P 开启所需布尔值(允许named写主zone文件的通常是named_write_master_zones)