Lab environment
OS          Hostname          IP              Role
CentOS 6.8  nod1.wupeng.com   10.208.131.222  master server
CentOS 6.8  nod2.wupeng.com   10.208.131.228  slave server
CentOS 6.8  nod3.wupeng.com   10.208.131.229  subdomain server
bind packages:
bind: the DNS server program (named) plus a few common test utilities;
bind-libs: library files shared by the programs in the bind and bind-utils packages;
bind-utils: the bind client tools, e.g. dig, host, nslookup;
bind-chroot: optional; runs named inside a chroot jail.
On each of the three hosts set the hostname, flush the firewall rules and disable SELinux (the saved iptables and SELinux settings only take effect after a restart).
Change the hostname on nod1
[root@nod1 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod1.wupeng.com
Change the hostname on nod2
[root@nod2 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod2.wupeng.com
Change the hostname on nod3
[root@nod3 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod3.wupeng.com
Flush the firewall rules on nod1
[root@nod1 ~]# iptables -F
[root@nod1 ~]# service iptables save
Flush the firewall rules on nod2
[root@nod2 ~]# iptables -F
[root@nod2 ~]# service iptables save
Flush the firewall rules on nod3
[root@nod3 ~]# iptables -F
[root@nod3 ~]# service iptables save
Disable SELinux on nod1
[root@nod1 ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled
Disable SELinux on nod2
[root@nod2 ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled
Disable SELinux on nod3
[root@nod3 ~]# vim /etc/sysconfig/selinux    (or: vim /etc/selinux/config)
SELINUX=disabled
Synchronise the clocks of the three hosts; the ntpdate command can be used for this.
[root@nod1 ~]# yum install ntpdate -y
[root@nod2 ~]# yum install ntpdate -y
[root@nod3 ~]# yum install ntpdate -y
[root@nod1 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1598]: step time server 17.253.84.125 offset 856096.191423 sec
[root@nod2 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1577]: step time server 17.253.84.125 offset 854843.947376 sec
[root@nod3 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1593]: step time server 17.253.84.125 offset 599540.432080 sec
Forward zone configuration
Install the bind packages on nod1
[root@nod1 ~]# yum install bind bind-utils -y    // bind-libs is pulled in automatically as a dependency
Edit the main configuration file /etc/named.conf
[root@nod1 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.222; };    // listen addresses
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };    // accept queries from anyone
        recursion yes;
        dnssec-enable no;            // DNSSEC disabled
        dnssec-validation no;        // DNSSEC validation disabled
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
Edit /etc/named.rfc1912.zones and add the forward zone
[root@nod1 ~]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
};
Create the zone data file for wupeng.com from a template; the file must have mode 640 and group named
[root@nod1 ~]# cd /var/named/
Option 1 (cp -p preserves the template's mode, group and timestamp):
[root@nod1 named]# cp -p named.localhost wupeng.com.zone
Option 2 (plain copy, then set the mode and group by hand):
[root@nod1 named]# cp -rf named.localhost wupeng.com.zone
[root@nod1 named]# chmod 640 wupeng.com.zone
[root@nod1 named]# chgrp named wupeng.com.zone
Check the file attributes
[root@nod1 named]# ll wupeng.com.zone
-rw-r----- 1 root named 152 6月 21 2007 wupeng.com.zone
Edit wupeng.com.zone and add the NS and A records
[root@nod1 named]# vim wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
ns1     IN A    10.208.131.222
www     IN A    10.208.131.223
Check the main configuration file and the zone data file for errors
[root@nod1 named]# named-checkconf          // prints nothing when the configuration is correct
[root@nod1 named]# named-checkzone wupeng.com /var/named/wupeng.com.zone
zone wupeng.com/IN: loaded serial 2017062800
OK
Start the bind service and test forward resolution
[root@nod1 named]# service named start
Generating /etc/rndc.key: [确定]
启动 named: [确定]
Test:
[root@nod1 named]# dig -t A www.wupeng.com @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t A www.wupeng.com @10.208.131.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wupeng.com.                        IN      A
;; ANSWER SECTION:
www.wupeng.com.         86400   IN      A       10.208.131.223
;; AUTHORITY SECTION:
wupeng.com.             86400   IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 21:26:24 2017
;; MSG SIZE rcvd: 82
Explanation:
-t A www.wupeng.com    query the A record for this domain name
@10.208.131.222        send the query directly to 10.208.131.222, with no change to /etc/resolv.conf
Edit /etc/named.rfc1912.zones and add the reverse zone
[root@nod1 named]# vim /etc/named.rfc1912.zones
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131.zone";      // must match the file name created below
};
Create the reverse zone data file 10.208.131.zone from a template; again mode 640 and group named
[root@nod1 ~]# cd /var/named/
Option 1:
[root@nod1 named]# cp -p named.loopback 10.208.131.zone
Option 2:
[root@nod1 named]# cp -rf named.loopback 10.208.131.zone
[root@nod1 named]# chmod 640 10.208.131.zone
[root@nod1 named]# chgrp named 10.208.131.zone
Check the file attributes
[root@nod1 named]# ll 10.208.131.zone
-rw-r----- 1 root named 263 6月 28 21:07 10.208.131.zone
Edit 10.208.131.zone and add the NS and PTR records
[root@nod1 named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (   ; trailing dot required, otherwise named appends $ORIGIN to the name
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
222     IN PTR  ns1.wupeng.com.
223     IN PTR  www.wupeng.com.
Reload the bind service and test reverse resolution
[root@nod1 named]# rndc reload
server reload successful
Test:
[root@nod1 named]# dig -x 10.208.131.223 @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54483
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;223.131.208.10.in-addr.arpa.           IN      PTR
;; ANSWER SECTION:
223.131.208.10.in-addr.arpa. 86400 IN   PTR     www.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400  IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 21:19:16 2017
;; MSG SIZE rcvd: 107
Master/slave replication
Add the slave's NS and A records on the master and reload the service
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062802      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
        IN NS   ns2.wupeng.com.
ns1     IN A    10.208.131.222
ns2     IN A    10.208.131.228
www     IN A    10.208.131.223
[root@nod1 named]# rndc reload
server reload successful
Install the bind packages on nod2
[root@nod2 ~]# yum install bind bind-utils -y
Configure the main bind file
[root@nod2 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.228; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
Configure the zones
[root@nod2 ~]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.208.131.zone";    // /var/named/slaves is writable by named, /var/named itself is not
        masters { 10.208.131.222; };
};
Check the configuration for errors
[root@nod2 ~]# named-checkconf
Start the bind service, check that the zone data has been transferred into the slaves directory, and test
[root@nod2 ~]# service named start
启动 named: [确定]
[root@nod2 ~]# ll /var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 390 6月 28 21:55 10.208.131.zone
-rw-r--r-- 1 named named 335 6月 28 21:54 wupeng.com
Test:
[root@nod2 ~]# dig www.wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1634
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wupeng.com.                        IN      A
;; ANSWER SECTION:
www.wupeng.com.         86400   IN      A       10.208.131.223
;; AUTHORITY SECTION:
wupeng.com.             86400   IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 21:56:38 2017
;; MSG SIZE rcvd: 82
[root@nod2 ~]# dig -x 10.208.131.223 @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;223.131.208.10.in-addr.arpa.           IN      PTR
;; ANSWER SECTION:
223.131.208.10.in-addr.arpa. 86400 IN   PTR     www.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400  IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 21:57:05 2017
;; MSG SIZE rcvd: 107
Add a record on the master and test again
[root@nod1 named]# vim /var/named/wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062802      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
        IN NS   ns2.wupeng.com.
ns1     IN A    10.208.131.222
ns2     IN A    10.208.131.228
www     IN A    10.208.131.223
dns     IN A    10.208.131.224
[root@nod1 named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (   ; trailing dot required, otherwise named appends $ORIGIN to the name
                                        2017062802      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
        IN NS   ns2.wupeng.com.
222     IN PTR  ns1.wupeng.com.
228     IN PTR  ns2.wupeng.com.
223     IN PTR  www.wupeng.com.
224     IN PTR  dns.wupeng.com.
Reload the master (a slave only transfers a zone when the master's SOA serial is higher than the serial of the copy it already holds, so increment the serial every time the zone file changes)
[root@nod1 named]# rndc reload
server reload successful
Reload the slave
[root@nod2 ~]# rndc reload wupeng.com
zone refresh queued
[root@nod2 ~]# rndc reload 131.208.10.in-addr.arpa
zone refresh queued
NOTE: rndc reload on its own did not take effect on the slave; after several tries it only worked with the zone name appended.
Test:
[root@nod2 ~]# dig dns.wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> dns.wupeng.com @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dns.wupeng.com.                        IN      A
;; ANSWER SECTION:
dns.wupeng.com.         86400   IN      A       10.208.131.224
;; AUTHORITY SECTION:
wupeng.com.             86400   IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 22:29:46 2017
;; MSG SIZE rcvd: 82
[root@nod2 ~]# dig -x 10.208.131.224 @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.224 @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;224.131.208.10.in-addr.arpa.           IN      PTR
;; ANSWER SECTION:
224.131.208.10.in-addr.arpa. 86400 IN   PTR     dns.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400  IN      NS      ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86400   IN      A       10.208.131.222
;; Query time: 1 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 22:30:07 2017
;; MSG SIZE rcvd: 107
Subdomain configuration
Install the bind packages on nod3 and configure the main file
[root@nod3 ~]# yum install bind bind-utils -y
[root@nod3 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.229; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
[root@nod3 ~]# vim /etc/named.rfc1912.zones
zone "music.wupeng.com" IN {
        type master;
        file "music.wupeng.com.zone";
};
zone "wupeng.com" IN {      // forwarding must be configured before queries for the parent zone (and zone transfers from it) work from this host
        type forward;
        forward only;
        forwarders { 10.208.131.222; 10.208.131.228; };
};
Create the subdomain zone file from the template
[root@nod3 named]# cp -p named.localhost music.wupeng.com.zone
[root@nod3 named]# vim music.wupeng.com.zone
$TTL 1D
$ORIGIN music.wupeng.com.
@       IN SOA  ns3.music.wupeng.com. admin.music.wupeng.com. (
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns3         ; relative to $ORIGIN, i.e. ns3.music.wupeng.com. ("ns3.music" here would expand to ns3.music.music.wupeng.com.)
ns3     IN A    10.208.131.229
www     IN A    10.208.131.230
Check for configuration errors
[root@nod3 named]# named-checkzone music.wupeng.com /var/named/music.wupeng.com.zone
zone music.wupeng.com/IN: loaded serial 2017062800
OK
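named-checkzone reports OK for both the reverse zone whose SOA MNAME lacks its trailing dot and a subdomain zone whose NS target is written "ns3.music", because both are syntactically valid. As an added example (not part of the original post), this small Python checker expands relative names the way named does and reports those two pitfalls plus NS targets inside the zone that have no glue A record; MUSIC_ZONE is a constructed sample mirroring the music.wupeng.com zone above.

```python
import re
# Constructed sample mirroring the subdomain zone: "ns3.music" is relative to $ORIGIN.
MUSIC_ZONE = """$ORIGIN music.wupeng.com.
@ IN SOA ns3.music.wupeng.com. admin.music.wupeng.com. ( 2017062800 ; serial
        1D 1H 1W 3H )
        IN NS ns3.music
ns3.music IN A 10.208.131.229"""
NAME_FIELDS = {"NS": 1, "CNAME": 1, "PTR": 1, "SOA": 2}  # leading rdata fields that are names

def absolute(name, origin):
    """Qualify a name as named does: '@' is the origin, no trailing dot means relative."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=""):
    """Parse $ORIGIN/$TTL, ';' comments, ( ) continuations and owner-less indented records."""
    records, owner, buf, depth, indented = [], origin, [], 0, False
    for raw in text.splitlines():
        indented = raw[:1].isspace() if not buf else indented   # owner omitted: reuse previous
        line = re.sub(r";.*", "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth:
            continue                                            # still inside ( ... )
        toks, buf = " ".join(buf).split(), []
        if not toks or toks[0].startswith("$"):                 # blank line or directive
            origin = toks[1] if toks and toks[0] == "$ORIGIN" else origin
            continue
        if not indented:
            owner = absolute(toks.pop(0), origin)
        while toks[0].upper() == "IN" or re.fullmatch(r"\d+[smhdw]?", toks[0], re.I):
            toks.pop(0)                                         # optional TTL and class
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in range(NAME_FIELDS.get(rtype, 0)):
            rdata[i] = absolute(rdata[i], origin)               # rdata names are relative too
        records.append((owner, rtype, rdata))
    return records

def lint(text):
    """Flag NS/SOA hosts that look like a forgotten trailing dot and in-zone NS targets without glue."""
    records = parse_zone(text)
    zone = next(o for o, t, _ in records if t == "SOA")
    glue = {o for o, t, _ in records if t == "A"}
    issues = []
    for owner, rtype, (host, *_) in [r for r in records if r[1] in ("NS", "SOA")]:
        labels = host.rstrip(".").split(".")
        if host.endswith(".in-addr.arpa.") or any(a == b for a, b in zip(labels, labels[1:])):
            issues.append(f"{rtype} at {owner} names {host}: missing trailing dot?")
        if rtype == "NS" and host.endswith("." + zone) and host not in glue:
            issues.append(f"NS at {owner} points to {host} but the zone has no glue A record")
    return issues
```

Run lint() over each zone file after named-checkzone; the duplicate-label test is a heuristic and will also flag a genuine name such as www.www.example.com.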
Add the delegation NS record and the glue A record for the subdomain on the master
[root@nod1 named]# vim wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062802      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN NS   ns1.wupeng.com.
        IN NS   ns2.wupeng.com.
ns1     IN A    10.208.131.222
ns2     IN A    10.208.131.228
www     IN A    10.208.131.223
dns     IN A    10.208.131.224
music   IN NS   ns3.music       ; delegate music.wupeng.com to ns3.music.wupeng.com (the owner must be the subdomain name, not the server name)
ns3.music IN A  10.208.131.229  ; glue record for the delegated name server
Reload the master configuration and start the bind service on nod3
[root@nod1 named]# rndc reload
server reload successful
Test:
[root@nod3 named]# dig www.music.wupeng.com @10.208.131.229
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.music.wupeng.com @10.208.131.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46119
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.music.wupeng.com.                  IN      A
;; ANSWER SECTION:
www.music.wupeng.com.   86400   IN      A       10.208.131.230
;; AUTHORITY SECTION:
music.wupeng.com.       86400   IN      NS      ns3.music.music.wupeng.com.
;; ADDITIONAL SECTION:
ns3.music.music.wupeng.com. 86400 IN    A       10.208.131.229
;; Query time: 0 msec
;; SERVER: 10.208.131.229#53(10.208.131.229)
;; WHEN: Wed Jun 28 23:28:55 2017
;; MSG SIZE rcvd: 94
[root@nod3 named]# dig www.wupeng.com @10.208.131.229
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25255
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.wupeng.com.                        IN      A
;; ANSWER SECTION:
www.wupeng.com.         86365   IN      A       10.208.131.223
;; AUTHORITY SECTION:
wupeng.com.             86365   IN      NS      ns1.wupeng.com.
wupeng.com.             86365   IN      NS      ns2.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com.         86365   IN      A       10.208.131.222
ns2.wupeng.com.         86365   IN      A       10.208.131.228
;; Query time: 13 msec
;; SERVER: 10.208.131.229#53(10.208.131.229)
;; WHEN: Wed Jun 28 23:29:06 2017
;; MSG SIZE rcvd: 116
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222    // full zone transfer
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222
;; global options: +cmd
wupeng.com.             86400   IN      SOA     ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800
wupeng.com.             86400   IN      NS      ns1.wupeng.com.
wupeng.com.             86400   IN      NS      ns2.wupeng.com.
dns.wupeng.com.         86400   IN      A       10.208.131.224
ns3.music.wupeng.com.   86400   IN      A       10.208.131.229
ns1.wupeng.com.         86400   IN      A       10.208.131.222
ns2.wupeng.com.         86400   IN      A       10.208.131.228
ns3.wupeng.com.         86400   IN      NS      ns3.music.wupeng.com.
www.wupeng.com.         86400   IN      A       10.208.131.223
wupeng.com.             86400   IN      SOA     ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800
;; Query time: 4 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 23:41:31 2017
;; XFR size: 10 records (messages 1, bytes 258)
A full zone transfer succeeds from any host. That is normally not allowed, since it hands the complete zone contents to anyone who asks, so we add access controls. (Note that all three servers also run with recursion yes and allow-query { any; }, which makes them open resolvers for whoever can reach them; in production, restrict recursion to internal clients with allow-recursion.)
On the master nod1 define an acl in the main configuration file, outside the options block (global scope), that permits zone transfers only from the slave
[root@nod1 named]# vim /etc/named.conf
acl slaves { 10.208.131.228; };
[root@nod1 named]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};
Reload the service
[root@nod1 named]# rndc reload
server reload successful
On nod2 configure the zones so that they can be neither transferred nor updated
zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.208.131.zone";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};
Reload the service
[root@nod2 slaves]# rndc reload
server reload successful
Test
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222
;; global options: +cmd
; Transfer failed.
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.228
;; global options: +cmd
; Transfer failed.