Lab topology:
The domain is yqc.com, and the hosts in the domain are on 192.168.43.0/24.
The domain has a subdomain, ops.yqc.com, which must be delegated from the forward zone.
Outline of the steps
- 192.168.43.101: set up the forward-resolution master for yqc.com
- 192.168.43.102: set up the reverse-resolution master for 43.168.192.in-addr.arpa
- 192.168.43.101: set up the reverse-resolution slave
- 192.168.43.102: set up the forward-resolution slave
- 192.168.43.103: set up forward resolution for the subdomain ops.yqc.com and delegate the subdomain on the primary DNS server
- 192.168.43.103: configure forwarding on the subdomain DNS server
- apply basic security settings to the DNS servers
Preparation
First, install the packages the DNS service needs on each server:
~]# yum -y install bind bind-libs bind-utils bind-chroot
After installation, turn off the options that are not needed in the main configuration file /etc/named.conf:
Disable DNSSEC
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
Comment out the line that limits queries to localhost
//allow-query { localhost; }
Add a crontab entry that periodically syncs the clock with NTP (the master and slave servers need their time in sync).
I. Set up the forward-resolution master DNS server for yqc.com on 192.168.43.101
First, add the listen address 192.168.43.101 to the main configuration file /etc/named.conf:
options {
        listen-on port 53 { 127.0.0.1; 192.168.43.101; };
        ...
};
1. Define the zone
/etc/named.rfc1912.zones
zone "yqc.com" IN {
        type master;
        file "yqc.com.zone";
};
2. Create the zone data file
/var/named/yqc.com.zone
$TTL 3600
$ORIGIN yqc.com.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN NS ns1.yqc.com.
        IN MX 10 mx1
ns1     IN A 192.168.43.101
mx1     IN A 192.168.43.101
CentOS7-node-01 IN A 192.168.43.71
CentOS7-node-02 IN A 192.168.43.72
node1   IN CNAME CentOS7-node-01
node2   IN CNAME CentOS7-node-02
3. Change the group and permissions of the zone data file
~]# chown root.named /var/named/yqc.com.zone
~]# chmod o= /var/named/yqc.com.zone
4. Check the configuration, then reload it or start the service
~]# named-checkconf
~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload
If the named service is not running yet, start it instead:
~]# systemctl start named.service
5. Test from a client with dig
~]# dig -t A node1.yqc.com @192.168.43.101
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40545
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com. IN A
;; ANSWER SECTION:
node1.yqc.com. 3600 IN CNAME CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600 IN A 192.168.43.71
;; AUTHORITY SECTION:
yqc.com. 3600 IN NS ns1.yqc.com.
;; ADDITIONAL SECTION:
ns1.yqc.com. 3600 IN A 192.168.43.101
;; Query time: 2 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 11:58:06 CST 2018
;; MSG SIZE rcvd: 122
II. Set up the reverse-resolution master DNS server for 43.168.192.in-addr.arpa on 192.168.43.102
First, add the listen address 192.168.43.102 to the main configuration file /etc/named.conf:
options {
        listen-on port 53 { 127.0.0.1; 192.168.43.102; };
        ...
};
1. Define the reverse zone
/etc/named.rfc1912.zones
zone "43.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.43.zone";
};
2. Create the zone data file
/var/named/192.168.43.zone
$TTL 3600
$ORIGIN 43.168.192.in-addr.arpa.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN NS ns1.yqc.com.
101     IN PTR ns1.yqc.com.
        IN PTR mx1.yqc.com.
71      IN PTR CentOS7-node-01.yqc.com.
        IN PTR node1.yqc.com.
72      IN PTR CentOS7-node-02.yqc.com.
        IN PTR node2.yqc.com.
3. Change the group and permissions of the zone data file
~]# chown root.named /var/named/192.168.43.zone
~]# chmod o= /var/named/192.168.43.zone
4. Check the configuration, then reload it or start the service
~]# named-checkconf
~]# named-checkzone 43.168.192.in-addr.arpa /var/named/192.168.43.zone
~]# rndc reload
If the named service is not running yet, start it instead:
~]# systemctl start named.service
5. Test from a client with dig
~]# dig -x 192.168.43.72 @192.168.43.102
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.43.72 @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16357
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;72.43.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
72.43.168.192.in-addr.arpa. 3600 IN PTR node2.yqc.com.
72.43.168.192.in-addr.arpa. 3600 IN PTR CentOS7-node-02.yqc.com.
;; AUTHORITY SECTION:
43.168.192.in-addr.arpa. 3600 IN NS ns1.yqc.com.
;; Query time: 1 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 17:53:46 CST 2018
;; MSG SIZE rcvd: 130
III. Set up the reverse-resolution slave DNS server for 43.168.192.in-addr.arpa on 192.168.43.101
Configuration on the slave (192.168.43.101)
1. Define a slave zone
/etc/named.rfc1912.zones
zone "43.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.43.zone";
        masters { 192.168.43.102; };
};
2. Check and reload the configuration
~]# named-checkconf
~]# rndc reload
Configuration on the master (192.168.43.102)
1. Add the NS and PTR records for the slave to the zone data file (remember to increment the serial number)
$TTL 3600
$ORIGIN 43.168.192.in-addr.arpa.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111302
                1H
                10M
                3D
                1D )
        IN NS ns1.yqc.com.
        IN NS ns2.yqc.com.
101     IN PTR ns1.yqc.com.
        IN PTR mx1.yqc.com.
102     IN PTR ns2.yqc.com.
        IN PTR mx2.yqc.com.
71      IN PTR CentOS7-node-01.yqc.com.
        IN PTR node1.yqc.com.
72      IN PTR CentOS7-node-02.yqc.com.
        IN PTR node2.yqc.com.
The changes are as follows:
...
                2018111302
...
        IN NS ns2.yqc.com.
...
102     IN PTR ns2.yqc.com.
        IN PTR mx2.yqc.com.
...
2. Check and reload the configuration
~]# named-checkzone 43.168.192.in-addr.arpa /var/named/192.168.43.zone
~]# rndc reload
Test from a client with dig
Check whether the reverse-resolution slave 192.168.43.101 can answer reverse queries:
~]# dig -x 192.168.43.71 @192.168.43.101
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.43.71 @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1910
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;71.43.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
71.43.168.192.in-addr.arpa. 3600 IN PTR node1.yqc.com.
71.43.168.192.in-addr.arpa. 3600 IN PTR CentOS7-node-01.yqc.com.
;; AUTHORITY SECTION:
43.168.192.in-addr.arpa. 3600 IN NS ns1.yqc.com.
;; ADDITIONAL SECTION:
ns1.yqc.com. 3600 IN A 192.168.43.101
;; Query time: 2 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 13:45:18 CST 2018
;; MSG SIZE rcvd: 146
IV. Set up the forward-resolution slave DNS server for yqc.com on 192.168.43.102
Configuration on the slave (192.168.43.102)
1. Define a slave zone
/etc/named.rfc1912.zones
zone "yqc.com" IN {
        type slave;
        file "slaves/yqc.com.zone";
        masters { 192.168.43.101; };
};
2. Check and reload the configuration
~]# named-checkconf
~]# rndc reload
Configuration on the master (192.168.43.101)
1. Add the NS and A records for the slave to the zone data file (remember to increment the serial number)
$TTL 3600
$ORIGIN yqc.com.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111302
                1H
                10M
                3D
                1D )
        IN NS ns1.yqc.com.
        IN NS ns2.yqc.com.
        IN MX 10 mx1
ns1     IN A 192.168.43.101
mx1     IN A 192.168.43.101
ns2     IN A 192.168.43.102
CentOS7-node-01 IN A 192.168.43.71
CentOS7-node-02 IN A 192.168.43.72
node1   IN CNAME CentOS7-node-01
node2   IN CNAME CentOS7-node-02
The changes are as follows:
...
                2018111302
...
        IN NS ns2.yqc.com.
...
ns2     IN A 192.168.43.102
...
2. Check and reload the configuration
~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload
Test from a client with dig
Check whether the forward-resolution slave 192.168.43.102 can answer forward queries:
~]# dig -t A node1.yqc.com @192.168.43.102
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44717
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com. IN A
;; ANSWER SECTION:
node1.yqc.com. 3600 IN CNAME CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600 IN A 192.168.43.71
;; AUTHORITY SECTION:
yqc.com. 3600 IN NS ns1.yqc.com.
yqc.com. 3600 IN NS ns2.yqc.com.
;; ADDITIONAL SECTION:
ns1.yqc.com. 3600 IN A 192.168.43.101
ns2.yqc.com. 3600 IN A 192.168.43.102
;; Query time: 2 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 14:07:20 CST 2018
;; MSG SIZE rcvd: 156
At this point the two DNS servers are in place, each the master of one zone and the slave of the other.
V. Set up the forward-resolution DNS server for the subdomain ops.yqc.com on 192.168.43.103 and delegate it from the primary DNS server
Subdomain DNS server configuration
First, add the listen address 192.168.43.103 to the main configuration file /etc/named.conf:
options {
        listen-on port 53 { 127.0.0.1; 192.168.43.103; };
        ...
};
1. Define the subdomain zone
/etc/named.rfc1912.zones
zone "ops.yqc.com" IN {
        type master;
        file "ops.yqc.com.zone";
};
2. Create the zone data file for the subdomain
/var/named/ops.yqc.com.zone
$TTL 3600
$ORIGIN ops.yqc.com.
@       IN SOA ns1.ops.yqc.com. dnsadmin.ops.yqc.com. (
                2018111301
                1H
                10M
                3D
                1D )
        IN NS ns1.ops.yqc.com.
        IN MX 10 mx1
ns1     IN A 192.168.43.103
mx1     IN A 192.168.43.103
node1   IN A 192.168.43.251
node2   IN A 192.168.43.252
3. Change the group and permissions of the zone data file
~]# chgrp named /var/named/ops.yqc.com.zone
~]# chmod o= /var/named/ops.yqc.com.zone
4. Check the configuration, then reload it or start the service
~]# named-checkconf
~]# systemctl start named.service
Configuration on the primary DNS server 192.168.43.101
1. Delegate the subdomain ops.yqc.com in the zone data file /var/named/yqc.com.zone
$TTL 3600
$ORIGIN yqc.com.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111303
                1H
                10M
                3D
                1D )
        IN NS ns1.yqc.com.
        IN NS ns2.yqc.com.
ops.yqc.com.    IN NS ns1.ops.yqc.com.
        IN MX 10 mx1
ns1     IN A 192.168.43.101
mx1     IN A 192.168.43.101
ns2     IN A 192.168.43.102
ns1.ops.yqc.com.        IN A 192.168.43.103
CentOS7-node-01 IN A 192.168.43.71
CentOS7-node-02 IN A 192.168.43.72
node1   IN CNAME CentOS7-node-01
node2   IN CNAME CentOS7-node-02
The main changes are:
...
                2018111303
...
ops.yqc.com.    IN NS ns1.ops.yqc.com.
...
ns1.ops.yqc.com.        IN A 192.168.43.103
...
2. Check and reload the configuration
~]# named-checkzone yqc.com /var/named/yqc.com.zone
~]# rndc reload
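named-checkzone validates syntax, but it will not tell you that the serial was left unchanged (so the slaves never transfer the new version) or that a delegation NS points at a name with no glue A record. The following Python script is an added example, not part of the original post; the zone text inside it is a constructed sample modelled on /var/named/yqc.com.zone above, and it parses the zone and performs both checks:

```python
# Constructed zone snapshots modelled on the post's yqc.com.zone (assumed samples).
ZONE_BEFORE = """\
$TTL 3600
$ORIGIN yqc.com.
@       IN SOA ns1.yqc.com. dnsadmin.yqc.com. (
                2018111302 1H 10M 3D 1D )
        IN NS ns1.yqc.com.
ns1     IN A 192.168.43.101
"""
# Delegation added and serial bumped, but the glue A record was forgotten.
ZONE_AFTER = ZONE_BEFORE.replace("2018111302", "2018111303") + "ops.yqc.com. IN NS ns1.ops.yqc.com.\n"
ZONE_FIXED = ZONE_AFTER + "ns1.ops.yqc.com. IN A 192.168.43.103\n"

def parse_zone(text):
    """Return (origin, serial, records); records are (owner, type, rdata) with
    fully qualified owners. Joins the parenthesised multi-line SOA first."""
    origin, serial, records, owner, buf = "", None, [], "", ""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        buf = (buf + " " + raw.strip()) if buf else raw
        if buf.count("(") > buf.count(")"):
            continue                  # still inside the SOA parentheses
        line, buf = buf, ""
        tok = line.split()
        if tok[0].startswith("$"):    # $ORIGIN, $TTL
            origin = tok[1] if tok[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():     # explicit owner, else inherit the last one
            owner = tok.pop(0)
        if tok[0] == "IN":
            tok.pop(0)
        rtype, rdata = tok[0], tok[1:]
        name = origin if owner == "@" else owner if owner.endswith(".") else owner + "." + origin
        if rtype == "SOA":
            serial = int(rdata[rdata.index("(") + 1])
        records.append((name, rtype, rdata))
    return origin, serial, records

def serial_was_bumped(before, after):
    # Slaves only transfer when the new serial is strictly larger than theirs
    return parse_zone(after)[1] > parse_zone(before)[1]

def missing_glue(text):
    # NS targets inside this zone (or a delegated subzone) that have no A record
    origin, _, records = parse_zone(text)
    a_owners = {n for n, t, _ in records if t == "A"}
    return sorted({r[0] for _, t, r in records if t == "NS"
                   and r[0].endswith("." + origin) and r[0] not in a_owners})
```

Run it against the saved copy of the previous zone version and the edited file before rndc reload; an empty list from missing_glue and True from serial_was_bumped mean the delegation will actually be reachable and replicated.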
Test from a client with dig
Check whether 192.168.43.101 and 192.168.43.102 can resolve hosts in the subdomain:
~]# dig -t A node1.ops.yqc.com @192.168.43.101
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.ops.yqc.com @192.168.43.101
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.ops.yqc.com. IN A
;; ANSWER SECTION:
node1.ops.yqc.com. 3600 IN A 192.168.43.251
;; AUTHORITY SECTION:
ops.yqc.com. 3600 IN NS ns1.ops.yqc.com.
;; ADDITIONAL SECTION:
ns1.ops.yqc.com. 3600 IN A 192.168.43.103
;; Query time: 8 msec
;; SERVER: 192.168.43.101#53(192.168.43.101)
;; WHEN: Thu Nov 08 14:28:07 CST 2018
;; MSG SIZE rcvd: 96
~]# dig -t A node1.ops.yqc.com @192.168.43.102
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.ops.yqc.com @192.168.43.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32676
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.ops.yqc.com. IN A
;; ANSWER SECTION:
node1.ops.yqc.com. 3600 IN A 192.168.43.251
;; AUTHORITY SECTION:
ops.yqc.com. 3600 IN NS ns1.ops.yqc.com.
;; ADDITIONAL SECTION:
ns1.ops.yqc.com. 3600 IN A 192.168.43.103
;; Query time: 12 msec
;; SERVER: 192.168.43.102#53(192.168.43.102)
;; WHEN: Thu Nov 08 14:28:13 CST 2018
;; MSG SIZE rcvd: 96
At this point both master/slave DNS servers can resolve hosts in the subdomain, but the subdomain DNS server still cannot resolve hosts in yqc.com.
VI. Configure forwarding on the subdomain DNS server
There are two kinds of forwarding on the subdomain server: zone forwarding and global forwarding.
Zone forwarding
Only requests for one particular zone are forwarded to the designated servers.
In this lab, for example, requests for the yqc.com zone need to be forwarded to 192.168.43.101 and 192.168.43.102 for resolution.
Global forwarding
Every request other than those for zones defined locally with zone statements is forwarded to the designated servers.
In this lab, for example, every request except those for ops.yqc.com would be forwarded to 192.168.43.101 and 192.168.43.102.
Because every server in the lab has Internet access, the subdomain DNS server can resolve everything other than yqc.com on its own, so only zone forwarding is configured here.
Define zone forwarding for yqc.com on the ops.yqc.com subdomain DNS server
Define the forward zone in /etc/named.rfc1912.zones:
zone "yqc.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.43.101; 192.168.43.102; };
};
Check and reload the configuration
~]# named-checkconf
~]# rndc reload
Test from a client with dig whether 192.168.43.103 can resolve hosts in yqc.com:
~]# dig -t A node1.yqc.com @192.168.43.103
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A node1.yqc.com @192.168.43.103
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55272
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;node1.yqc.com. IN A
;; ANSWER SECTION:
node1.yqc.com. 3600 IN CNAME CentOS7-node-01.yqc.com.
CentOS7-node-01.yqc.com. 3600 IN A 192.168.43.71
;; AUTHORITY SECTION:
yqc.com. 3600 IN NS ns2.yqc.com.
yqc.com. 3600 IN NS ns1.yqc.com.
;; ADDITIONAL SECTION:
ns1.yqc.com. 3600 IN A 192.168.43.101
ns2.yqc.com. 3600 IN A 192.168.43.102
;; Query time: 10 msec
;; SERVER: 192.168.43.103#53(192.168.43.103)
;; WHEN: Thu Nov 08 14:53:22 CST 2018
;; MSG SIZE rcvd: 156
VII. Basic security settings
First, in the main configuration file /etc/named.conf on all three DNS servers, define an acl for the hosts in 192.168.43.0/24:
acl mynet {
        192.168.43.0/24;
};
Then define the access-control directives on each server.
Access-control directives have either global or per-zone scope:
- defined in /etc/named.conf, they apply globally;
- defined inside a zone statement in /etc/named.rfc1912.zones, they apply to that zone only.
This lab uses the global configuration.
192.168.43.101:
- allow queries only from hosts on this network
- allow zone transfers only to 192.168.43.102
- allow recursive queries only from hosts on this network
- do not allow dynamic updates to the zone data
/etc/named.conf
options {
        ...
        allow-query { mynet; };
        allow-transfer { 192.168.43.102; };
        allow-recursion { mynet; };
        allow-update { none; };
        ...
};
Check and reload the configuration:
~]# named-checkconf
~]# rndc reload
192.168.43.102:
- allow queries only from hosts on this network
- allow zone transfers only to 192.168.43.101
- allow recursive queries only from hosts on this network
- do not allow dynamic updates to the zone data
/etc/named.conf
options {
        ...
        allow-query { mynet; };
        allow-transfer { 192.168.43.101; };
        allow-recursion { mynet; };
        allow-update { none; };
        ...
};
Check and reload the configuration:
~]# named-checkconf
~]# rndc reload
192.168.43.103:
- allow queries only from hosts on this network
- do not allow zone transfers
- allow recursive queries only from hosts on this network
- do not allow dynamic updates to the zone data
/etc/named.conf
options {
        ...
        allow-query { mynet; };
        allow-transfer { none; };
        allow-recursion { mynet; };
        allow-update { none; };
        ...
};
Check and reload the configuration:
~]# named-checkconf
~]# rndc reload
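To verify the intent of this section mechanically rather than by eye, here is an added Python checker (not from the original post) that pulls the allow-* directives out of a named.conf options block and reports settings that leave the server exposed or that would break transfers to the intended slave. The two configuration excerpts are constructed samples: one weak, one matching the settings applied on 192.168.43.101 above; it assumes BIND 9.9's default of allow-transfer { any; } when the directive is absent, and it does not expand acl names.

```python
import re

# Constructed /etc/named.conf excerpts (assumed samples, not the post's files).
# WEAK keeps BIND 9.9's default for transfers and lets anyone recurse through it.
WEAK = """
options {
    listen-on port 53 { 127.0.0.1; 192.168.43.101; };
    allow-query { any; };
    allow-recursion { any; };
};
"""
# HARDENED mirrors the settings the post applies on 192.168.43.101.
HARDENED = """
acl mynet { 192.168.43.0/24; };
options {
    listen-on port 53 { 127.0.0.1; 192.168.43.101; };
    allow-query { mynet; };
    allow-transfer { 192.168.43.102; };
    allow-recursion { mynet; };
    allow-update { none; };
};
"""
DIRECTIVE = re.compile(
    r"^\s*(allow-(?:query|transfer|recursion|update))\s*\{([^}]*)\}\s*;", re.M)

def parse_acls(conf):
    """Map each allow-* directive to the tokens of its address-match list.
    ACL names such as 'mynet' are kept as names, not expanded."""
    return {name: body.replace(";", " ").split()
            for name, body in DIRECTIVE.findall(conf)}

def audit(conf, slaves=()):
    """Return findings for settings that expose the server or break replication.
    An absent allow-transfer is treated as BIND 9.9's default of 'any'."""
    acls, findings = parse_acls(conf), []
    transfer = acls.get("allow-transfer", ["any"])
    if "any" in transfer:
        findings.append("allow-transfer: any host can pull the whole zone with AXFR")
    for s in slaves:
        if s not in transfer and "any" not in transfer:
            findings.append(f"allow-transfer: slave {s} is not listed, its transfers will fail")
    if "any" in acls.get("allow-recursion", []):
        findings.append("allow-recursion: open resolver, a common reflection target")
    if "any" in acls.get("allow-update", []):
        findings.append("allow-update: any host can rewrite the zone data")
    if "any" in acls.get("allow-query", []):
        findings.append("allow-query: not restricted to the local network as intended")
    return findings
```

After editing each server, read the file and pass the address of that server's slave (or nothing for 192.168.43.103); an empty list confirms the four directives match the bullet points above.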
This lab is only a DNS architecture built from my own shallow understanding of the DNS service; it is certainly some distance from a production environment, and its purpose is to organise my own knowledge.