Bind安装配置及应用
BIND:Berkeley Internet Name Domain ,ISC.org
DNS服务的实现:
监听端口:53/UDP , 53/TCP
程序包:bind
服务器程序:named
客户端工具程序:dig,host ,nslookup
[root@stu1 ~]# yum repolist
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
repo id repo name status
base CentOS 4,184
epel CentOS 6.6 EPEL 12,922
repolist: 17,106
# yum list bind*
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
base | 3.2 kB 00:00
epel | 3.0 kB 00:00
Installed Packages
bind-libs.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6
共享库
bind-utils.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6
工具包
Available Packages
bind.x86_64 32:9.8.2-0.30.rc1.el6 base
服务器端程序
bind-chroot.x86_64 32:9.8.2-0.30.rc1.el6 base
加强安全性工具
把/var/named/chroot/当根目录使用,限定在这个区域内运行
bind-dyndb-ldap.x86_64 2.3-5.el6 base
bind-libs.i686 32:9.8.2-0.30.rc1.el6 base
# yum info bind
# yum info bind-chroot
# yum install -y bind
# rpm -qc bind
BIND:
设置dns /etc/resolv.conf
服务脚本:/etc/rc.d/init.d/named [start|stop|restart] //启动|关闭|重启 named 服务
主配置文件:/etc/named.conf
/etc/named.rfc1912.zones
区域解析库文件:/var/named/zone_name.zone
RFC:Request For Comments(互联网标准文档)
在DNS安装,配置,应用过程中,遇到错误,我们通常要从以下几个配置文件里慢慢来排查错误
第一步:首先要查看named服务是否开启!!!!!!!!!!!!!!!!!!服务脚本:/etc/rc.d/init.d/named [start|stop|restart] /*启动|关闭|重启 named 服务*/
或是 service named [start|stop|restart]
第二步:查看主配置文件,看看自己的设置:
vim /etc/named.conf
vim /etc/named.rfc1912.zones //(设定主,从区域解析库文件设置)
检查配置文件语法(排查小技巧)
#named-checkconf
#named-checkconf /etc/named.rfc1912.zones
第三步:区域解析库文件的设置:
vim /var/named/zone_name.zone
第四步:如果有错误,就需要查看 /var/log/messages
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named named脚本配置文件
# service named start //开启named 服务
[root@stu1 ~]# ss -tunlp |grep 53
udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",3180,512))
udp UNCONN 0 0 *:53419 *:* users:(("rpc.statd",1307,7))
udp UNCONN 0 0 ::1:53 :::* users:(("named",3180,513))
tcp LISTEN 0 3 ::1:53 :::* users:(("named",3180,21))
tcp LISTEN 0 3 127.0.0.1:53 *:* users:(("named",3180,20))
tcp LISTEN 0 128 ::1:953 :::* users:(("named",3180,23))
tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",3180,22))
启动后没什么异样:named 已在 53 端口(UDP/TCP)监听,953 端口是 rndc 的控制通道
全球13个根服务器地址的存放位置:
# rpm -qc bind
/var/named/named.ca
现在ping本地主机:
# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms
# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
172.16.0.1 server.magelinux.com server
DNS解析告诉主机解析结果是127.0.0.1
区域解析库文件:
/var/named/named.localhost
/var/named/named.loopback
缓存DNS服务器:
1.根服务器:named.ca
2.localhost <----> 127.0.0.1
区域解析库文件:
/var/named/named.localhost
/var/named/named.loopback
#cat /etc/named.conf
//全局配置段:定义named进程的工作特性
options {
//监听端口 地址
//listen-on port 53 { 127.0.0.1; };
listen-on port 53 { 172.16.31.2; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query 限制允许查询的主机;注释掉则使用默认值,允许所有主机查询
//allow-query { localhost; };
//是否递归
recursion yes;
//这几项是DNSSEC相关的安全选项,本实验为了简化配置而关闭(设为no或注释掉);对外提供服务的生产环境不建议关闭验证
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
#定义日志功能
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#定义本DNS服务器负责解析的区域;zone可以有多个
zone "." IN {
type hint;
file "named.ca";
};
将以下文件包含(include)进本配置文件:
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
检查主配置文件语法
#named-checkconf
重启named服务:
# service named restart
如果不更改配置
在客户端去dig一下:
没有成功(状态为 REFUSED,默认配置只允许 localhost 查询):
# dig -t A localhost @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21604
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;localhost. IN A
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 07:43:13 2014
;; MSG SIZE rcvd: 27
解析成功:
# dig -t A localhost @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37731
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
#aa 权威应答
;; QUESTION SECTION:
;localhost. IN A
;; ANSWER SECTION:
localhost. 86400 IN A 127.0.0.1
#应答段
;; AUTHORITY SECTION:
localhost. 86400 IN NS localhost.
#附加段 如:dig -t MX google.com @172.16.0.1
;; ADDITIONAL SECTION:
localhost. 86400 IN AAAA ::1
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 07:47:33 2014
;; MSG SIZE rcvd: 85
配置DNS服务器成为某区域的主服务器:
1.在主配置文件中定义zone
zone "zone_name" IN {
type master;
file "/path/to/zone_file.zone";
};
zone_name:
正向区域:google.com
反向区域:逆向网络地址,in-addr.arpa
检查配置文件:
#named-checkconf /etc/named.rfc1912.zones // (主,从区域配置文件)
# ls /etc/named.rfc1912.zones
/etc/named.rfc1912.zones
例如:
zone "google.com" IN {
type master;
file "google.com.zone";
};
2.定义zone用到的区域数据库文件
包含资源记录,也可以包含宏定义
$TTL
$ORIGIN
# pwd
/var/named
#vim google.com.zone
$TTL 600
$ORIGIN google.com.
@ IN SOA ns1.google.com. nsadmin.google.com. (
2014120901 ; 区域数据文件的版本号(序列号):serial
1H ; 刷新时间(检查周期):refresh
5M ; 重试时间(重试周期):retry,要求 重试时间 < 刷新时间
3D ; 过期时间(失效时长):expire
3H ) ; 否定应答的TTL(最小TTL):minimum
(区域解析库文件中的注释以 ; 开头,不是 //)
IN NS ns1
IN MX 10 mail1
ns1 IN A 172.16.31.2
mail1 IN A 172.16.31.2
www IN A 172.16.31.2
pop3 IN A 172.16.31.2
iamp4 IN A 172.16.31.2
设置文件权限
#chmod 640 google.com.zone
设置文件所属用户组
#chown :named google.com.zone /* 只许named 用户组可以查看 */
检测解析库配置文件语法:
#named-checkzone "google.com" /var/named/google.com.zone
重新载入服务:
#service named reload
测试服务状态:
#dig -t SOA google.com @172.16.31.2
#dig -t MX google.com @172.16.31.2
客户端测试工具:dig,host,nslookup
dig命令:
用法:dig -t type name @SERVER [queryoptions]
[-t type] 资源类型
[queryoptions]
+[no]tcp
+[no]trace 跟踪整个名称解析迭代过程
#dig -t A @172.16.0.1 +trace
+[no]recurse 以递归方式查询与否
#dig -t A @172.16.0.1 +recurse
[-x IP] 将ip解析成主机名
#dig -x 172.16.31.2 @172.16.31.2
host命令:
用法:host [-t type] name [SERVER]
#host -t A 172.16.31.2
#host -t MX google.com 172.16.31.2
nslookup命令:
用法:nslookup [options] [name | - ] [server]
#nslookup
>server 172.16.32.2 查询时使用的服务器
>set q=a 设定查询类型(大小写a都可以)
> 指定要查询的名字
>set q=MX
>mail1.google.com
3.反向区域名称有特定后缀:.in-addr.arpa.; //反向解析的固定格式
4.反向区域的区域解析库文件包含SOA,NS及PTR记录,不包含MX,A记录
构建反向区域:
在下面的文件中添加反向区域的 zone 定义:
#vi /etc/named.rfc1912.zones
zone "31.16.172.in-addr.arpa" IN {
type master;
file "172.16.31.zone";
};
[root@stu1 named]# cat 172.16.31.zone
$TTL 600
$ORIGIN 31.16.172.in-addr.arpa.
@ IN SOA ns1.google.com. nsadmin.google.com. (
2014120901
1H
5H
3D
3H) /*
SOA:
name: 区域名称
[ ttl ] :否定应答的TTL值
value:(有两部分)
主DNS服务器的FQDN,也可以当前区域的名称;
当前区域的管理员邮箱;
@用于表示当前区域的名字,所以管理员邮箱地址中不能出现@符号,要写成点:nsadmin.google.com. 即表示 nsadmin@google.com;
*/
IN NS ns1.google.com.
2 IN PTR ns1.google.com.
2 IN PTR mail1.google.com.
2 IN PTR pop3.google.com.
2 IN PTR .
2 IN PTR iamp4.google.com.
/* 上面的 2 表示主机号 */
# chmod 640 172.16.31.zone
# chown :named 172.16.31.zone
# service named reload
# dig -t axfr 31.16.172.in-addr.arpa @172.16.31.2 // 拓展axfr
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr 31.16.172.in-addr.arpa @172.16.31.2
;; global options: +cmd
31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800
31.16.172.in-addr.arpa. 600 IN NS ns1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR ns1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR mail1.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR pop3.google.com.
2.31.16.172.in-addr.arpa. 600 IN PTR .
2.31.16.172.in-addr.arpa. 600 IN PTR iamp4.google.com.
31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800
;; Query time: 2 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 09:20:08 2014
;; XFR size: 8 records (messages 1, bytes 241)
[root@CA ~]# host -t ptr 172.16.31.2 172.16.31.2
Using domain server:
Name: 172.16.31.2
Address: 172.16.31.2#53
Aliases:
2.31.16.172.in-addr.arpa domain name pointer .
2.31.16.172.in-addr.arpa domain name pointer iamp4.google.com.
2.31.16.172.in-addr.arpa domain name pointer ns1.google.com.
2.31.16.172.in-addr.arpa domain name pointer mail1.google.com.
2.31.16.172.in-addr.arpa domain name pointer pop3.google.com.
[root@CA ~]# nslookup
> server 172.16.31.2
Default server: 172.16.31.2
Address: 172.16.31.2#53
> set q=ptr
> 172.16.31.2
Server: 172.16.31.2
Address: 172.16.31.2#53
2.31.16.172.in-addr.arpa name = iamp4.google.com.
2.31.16.172.in-addr.arpa name = ns1.google.com.
2.31.16.172.in-addr.arpa name = mail1.google.com.
2.31.16.172.in-addr.arpa name = pop3.google.com.
2.31.16.172.in-addr.arpa name = .
构建从服务器:
主服务器:
# vim google.com.zone
$TTL 600
$ORIGIN google.com.
@ IN SOA ns1.google.com. nsadmin.google.com. (
2014120902
1H
5H
3D
3H)
IN NS ns1
IN NS ns2
IN MX 10 mail1
ns1 IN A 172.16.31.2
ns2 IN A 172.16.31.3
mail1 IN A 172.16.31.2
www IN A 172.16.31.2
pop3 IN A 172.16.31.2
iamp4 IN A 172.16.31.2
或者(iamp4 IN CNAME pop3)
从服务器配置: 首先切换到另一台主机上,再远程复制172.16.31.2主机上的文件。
[root@CA ~]# scp root@172.16.31.2:/etc/named.conf /etc/named.conf
root@172.16.31.2's password:
named.conf 100% 1051 1.0KB/s 00:00
[root@CA ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
//listen-on port 53 { 127.0.0.1; };
//listen-on port 53 { 172.16.31.2; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
//allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
/*bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
*/
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@CA named]# service named reload
Reloading named: [ OK ]
[root@CA named]# ss -tunl |grep :53
udp UNCONN 0 0 172.16.31.3:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 ::1:53 :::*
tcp LISTEN 0 3 172.16.31.3:53 *:*
tcp LISTEN 0 3 127.0.0.1:53 *:*
tcp LISTEN 0 3 ::1:53 :::*
[root@CA named]# vim /etc/named.rfc1912.zones
zone "google.com" IN {
type slave;
file "slaves/google.com.zone";
masters { 172.16.31.2; };
};
由于从服务器上/var/named/目录的属主是root、属组是named,且属组named没有写权限;如果给这个目录加写权限会降低系统安全性;所以软件包在该目录下预先创建了named可写的slaves子目录,用来保存从主服务器传送过来的区域文件
检查语法:
[root@CA named]# named-checkconf
重新载入服务:
# service named reload
[root@CA named]# tail /var/log/messages
Dec 9 09:31:05 CA named[3688]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 09:31:05 CA named[3688]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 09:31:05 CA named[3688]: sizing zone task pool based on 7 zones
Dec 9 09:31:05 CA named[3688]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 09:31:05 CA named[3688]: reloading configuration succeeded
Dec 9 09:31:05 CA named[3688]: reloading zones succeeded
Dec 9 09:31:05 CA named[3688]: zone google.com/IN: Transfer started.
Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: connected using 172.16.31.3#38254
Dec 9 09:31:05 CA named[3688]: zone google.com/IN: transferred serial 2014120901
Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: Transfer completed: 1 messages, 9 records, 243 bytes, 0.001 secs (243000 bytes/sec)
这里只存在ns1没有ns2;因为主服务器配置文件没有reload
[root@CA named]# ll slaves/google.com.zone
-rw-r--r-- 1 named named 428 Dec 9 09:31 slaves/google.com.zone
[root@CA named]# cat slaves/google.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
google.com IN SOA ns1.google.com. nsadmin.google.com. (
2014120901 ; serial
3600 ; refresh (1 hour)
18000 ; retry (5 hours)
259200 ; expire (3 days)
10800 ; minimum (3 hours)
)
NS ns1.google.com.
MX 10 mail1.google.com.
$ORIGIN google.com.
iamp4 A 172.16.31.2
mail1 A 172.16.31.2
ns1 A 172.16.31.2
pop3 A 172.16.31.2
www A 172.16.31.2
我们的主服务器配置更改后没有重新载入,我们在主服务器上reload一下:
[root@stu1 named]# service named reload
Reloading named: [ OK ]
[root@stu1 named]# tail /var/log/messages
Dec 9 09:32:36 stu1 named[3336]: received control channel command 'reload'
Dec 9 09:32:36 stu1 named[3336]: loading configuration from '/etc/named.conf'
Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 09:32:36 stu1 named[3336]: sizing zone task pool based on 8 zones
Dec 9 09:32:36 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 09:32:36 stu1 named[3336]: reloading configuration succeeded
Dec 9 09:32:36 stu1 named[3336]: reloading zones succeeded
Dec 9 09:32:36 stu1 named[3336]: zone google.com/IN: loaded serial 2014120902
Dec 9 09:32:36 stu1 named[3336]: zone google.com/IN: sending notifies (serial 2014120902)
上面的实验是更改过的,更新状况不清楚,我修改了一些再次载入,下面的是增量更新正常表现(注意这段日志里 google.com 区域因 "CNAME and other data"——同一个名字既有 CNAME 又有 A 记录——未能加载,真正完成 AXFR-style IXFR 的是反向区域 31.16.172.in-addr.arpa):
[root@stu1 named]# tail /var/log/messages
Dec 9 20:39:41 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 20:39:41 stu1 named[3336]: reloading configuration succeeded
Dec 9 20:39:41 stu1 named[3336]: reloading zones succeeded
Dec 9 20:39:41 stu1 named[3336]: zone 31.16.172.in-addr.arpa/IN: loaded serial 2014120903
Dec 9 20:39:41 stu1 named[3336]: dns_master_load: google.com.zone:18: imap4.google.com: CNAME and other data
Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: loading from master file google.com.zone failed: CNAME and other data
Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: not loaded due to errors.
Dec 9 20:39:41 stu1 named[3336]: zone 31.16.172.in-addr.arpa/IN: sending notifies (serial 2014120903)
Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR started
Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR ended
然后再在从服务器上查看,同步成功了:
[root@CA named]# cat slaves/google.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
google.com IN SOA ns1.google.com. nsadmin.google.com. (
2014120902 ; serial
3600 ; refresh (1 hour)
18000 ; retry (5 hours)
259200 ; expire (3 days)
10800 ; minimum (3 hours)
)
NS ns1.google.com.
NS ns2.google.com.
MX 10 mail1.google.com.
$ORIGIN google.com.
iamp4 A 172.16.31.2
mail1 A 172.16.31.2
ns1 A 172.16.31.2
ns2 A 172.16.31.3
pop3 A 172.16.31.2
www A 172.16.31.2
我们在windows机器上实现解析:
rndc:Remote Name Domain Controller
基于套接字与named服务通信,控制named服务完成特定操作
控制named服务的密钥(rndc 与 named 之间的共享密钥,/etc/rndc.key 只应让 root 和 named 组可读):
[root@stu1 named]# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "X203BQ+6bQVPKfBLHXpiDw==";
};
#rndc-confgen #rndc配置文件生成器
不加参数时可能会卡住(默认从/dev/random取随机数,熵不足时阻塞)
会去/dev/random和/dev/urandom读取随机数生成密钥
#/dev/random:从熵池中取随机数,如果熵池中的随机数被用尽,则阻塞相关进程
#/dev/urandom:从熵池中取随机数,如果熵池中的随机数被用尽,则用软件生成伪随机数
#rndc-confgen -r /dev/urandom
这样生成密钥不会阻塞;注意输出里 rndc.conf 段和 named.conf 段中的 secret 是同一个密钥
# rndc-confgen -r /dev/urandom
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "YvgyyouB/CHTCUokRe4gbw==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "YvgyyouB/CHTCUokRe4gbw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
#rndc-confgen -r /dev/urandom >/etc/rndc.conf
#vim /etc/rndc.conf
将该文件末尾注释中的 key 和 controls 段复制进 named.conf 并去掉注释,就可以启用 rndc 来管理 DNS 了
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
algorithm hmac-md5;
secret "YvgyyouB/CHTCUokRe4gbw==";
};
controls {
inet 127.0.0.1 port 953 #这里是只允许本机控制管理DNS
allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf
然后我们重启 named 服务使配置生效:
[root@stu1 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@stu1 named]# rndc stats
[root@stu1 named]# rndc status #显示当前状态
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000 #递归客户端
tcp clients: 0/100
server is up and running
主DNS服务器本机已经可以使用rndc管理命令,但从DNS服务器作为rndc客户端还没有配置,我们来配置一下:
主DNS服务器配置:
controls {
inet 0.0.0.0 port 953
allow { 127.0.0.1; 172.16.31.3; 172.16.31.4; } keys { "rndc-key"; };
};
在allow字段里加入从服务器的IP地址,并把inet的监听地址改成0.0.0.0(所有IPv4地址);此时控制通道的访问由allow列表和共享密钥共同限制,更稳妥的做法是只监听需要的那个接口地址而不是0.0.0.0
从DNS服务器配置:
将主DNS服务器的/etc/rndc.conf文件的如下段复制到从服务器中的/etc/rndc.conf中:
key "rndc-key" {
algorithm hmac-md5;
secret "5xhClxlukK5HSJxmZ4ZV8w==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
将从服务器中的options字段改成下面的配置:
key "rndc-key" {
algorithm hmac-md5;
secret "5xhClxlukK5HSJxmZ4ZV8w==";
};
options {
default-key "rndc-key";
default-server 172.16.31.3;
default-port 953;
};
重启named服务:
[root@dns1 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
查看链接状态:
[root@dns1 named]# ss -tunl |grep 53
udp UNCONN 0 0 172.16.31.3:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 3 172.16.31.3:53 *:*
tcp LISTEN 0 3 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:953 *:*
可以看出 rndc 控制端口 953 已经在所有地址上监听(*:953)。
[root@dns1 named]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
在从DNS服务器上重启:
[root@dns2 named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
测试从DNS服务器可以管理主DNS服务器:
[root@dns2 named]# rndc -s 172.16.31.3 status
version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
rndc用法与命令:
#man rndc 查找帮助文件
语法:rndc [-b source-address] [-c config-file] [-k key-file] [-s server]
[-p port] {command}
#rndc -h 获取帮助
reload :重新装载配置文件及区域解析库文件
reload zone:只装载指定区域解析库文件
refresh zone :维护
retransfer zone:在不检查序列号的情况下直接传送一个区域数据文件
notify zone :重新通知区域数据文件
reconfig :只重新装载配置文件及新增的区域
querylog:启用或关闭查询日志,默认关闭
#rndc querylog
#rndc status
#
#tail /var/log/messages
stop:将更新信息发送给服务器,然后关闭DNS服务器
trace level:指明调试级别,不跟数字逐级增加,可以明确指定(如trace 3)
notrace :关闭调试
flush:清除服务器缓存
注意:
1.在任何具有从服务器的区域的区域解析库文件中,必须为每个DNS服务器定义一个NS记录。
2.数据同步时,服务器之间的时间必须一致
#crontab -e
*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null
[root@stu1 named]# ntpdate 172.16.0.1
9 Dec 18:14:26 ntpdate[3844]: step time server 172.16.0.1 offset 28998.955058 sec
[root@stu1 named]# date
Tue Dec 9 18:14:28 CST 2014
[root@CA named]# ntpdate 172.16.0.1
9 Dec 18:14:04 ntpdate[3868]: step time server 172.16.0.1 offset 28999.587173 sec
[root@CA named]# date
Tue Dec 9 18:14:09 CST 2014
3.bind程序版本差异:尽可能保持版本相同;不得已时,主低从高是可以的。
4.区域传送尽量只开放给从服务器,不需要时就关闭;但从服务器需要同步数据,所以要通过配置加以限制
因为任何人都能通过区域传送(axfr)拿到整个区域的数据,从中看出网络拓扑,不安全哦!
[root@CA named]# dig -t axfr google.com @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2
;; global options: +cmd
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800
google.com. 600 IN NS ns1.google.com.
google.com. 600 IN NS ns2.google.com.
google.com. 600 IN MX 10 mail1.google.com.
iamp4.google.com. 600 IN A 172.16.31.2
mail1.google.com. 600 IN A 172.16.31.2
ns1.google.com. 600 IN A 172.16.31.2
ns2.google.com. 600 IN A 172.16.31.3
pop3.google.com. 600 IN A 172.16.31.2
. 600 IN A 172.16.31.2
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 18:18:56 2014
;; XFR size: 11 records (messages 1, bytes 277)
bind的安全配置:
1.acl控制列表:
#vi /etc/named.conf
acl acl_name {
IP;
NETWORK/PREFIXLEN;
};
BIND内置的acl:
none:表示没有任意主机
any:表示任意主机
localhost:表示本机
localnets:表示本地网络
实例:
1.编辑named.conf文件,添加acl控制语句
acl mynet {
172.16.31.0/24;
127.0.0.0;
};
acl slaveservers {
172.16.31.3;
127.0.0.1;
};
2.在/etc/named.rfc1912.zones中调用:
zone "google.com" IN {
type master;
file "google.com.zone";
allow-query { any; };
allow-transfer { slaveservers; };
};
zone "31.16.172.in-addr.arpa" IN {
type master;
file "172.16.31.zone";
allow-query { any; };
allow-transfer { slaveservers; };
};
[root@stu1 named]# rndc reload
server reload successful
[root@stu1 named]# tail /var/log/messages
Dec 9 21:40:14 stu1 named[4735]: received control channel command 'stats'
Dec 9 21:40:14 stu1 named[4735]: dumpstats complete
Dec 9 22:01:09 stu1 named[4735]: received control channel command 'reload'
Dec 9 22:01:09 stu1 named[4735]: loading configuration from '/etc/named.conf'
Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv4 port range: [1024, 65535]
Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv6 port range: [1024, 65535]
Dec 9 22:01:09 stu1 named[4735]: sizing zone task pool based on 8 zones
Dec 9 22:01:09 stu1 named[4735]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 9 22:01:09 stu1 named[4735]: reloading configuration succeeded
Dec 9 22:01:09 stu1 named[4735]: reloading zones succeeded
在从服务器上测试是否能够同步数据:
[root@CA named]# dig -t axfr google.com @172.16.31.2
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2
;; global options: +cmd
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800
google.com. 600 IN NS ns1.google.com.
google.com. 600 IN NS ns2.google.com.
google.com. 600 IN MX 10 mail1.google.com.
. 600 IN A 172.16.31.2
imap4.google.com. 600 IN A 172.16.31.2
mail1.google.com. 600 IN A 172.16.31.2
ns1.google.com. 600 IN A 172.16.31.2
ns2.google.com. 600 IN A 172.16.31.3
pop3.google.com. 600 IN A 172.16.31.2
. 600 IN A 172.16.31.2
google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800
;; Query time: 1 msec
;; SERVER: 172.16.31.2#53(172.16.31.2)
;; WHEN: Tue Dec 9 22:05:56 2014
;; XFR size: 12 records (messages 1, bytes 297)
配置文件中设置允许也可以:
#vi /etc/named.conf
allow-query {};
allow-transfer {};
allow-recursion {};
默认情况下服务器允许任何客户端递归查询,
但我们只想对本地网络提供递归(allow-recursion 是全局/视图级别的选项,写在 options 段中):
#vi /etc/named.conf
//recursion yes;
allow-recursion {mynet; };