CentOS 7 DNS 服务器部署
项目背景和要求
要保证既能够解析内网域名 linuxidc.local,又能解析互联网的域名。
主 DNS 服务器:ZZYH1.LINUXIDC.LOCAL
辅助 DNS 服务器:ZZYH2.LINUXIDC.LOCAL
包含以下域的信息:
1、linuxidc.local 域的信息:
FQDN | IP 地址 | 备注 |
zzyh1.linuxidc.local | 192.168.188.15 | DNS1 服务器 |
zzyh2.linuxidc.local | 192.168.188.16 | DNS2 服务器 |
ftp.linuxidc.local | 192.168.188.15 | |
mailyh1.linuxidc.local | 192.168.188.22 | |
smtp.linuxidc.local | 192.168.188.22 | |
pop3.linuxidc.local | 192.168.188.22 | |
www.linuxidc.local | 192.168.188.15 | |
crm.linuxidc.local | 192.168.188.15 |
2、192.168.188.0/24、192.168.189.0/24 反向解析域
要求实现 chroot 功能,以提高安全性
实现到 202.102.224.68、202.102.227.68 的 DNS 转发。
防止非授权用户通过区域传送(AXFR/IXFR)等方式枚举 DNS 记录(避免出现类似上海烟草公司的安全隐患)。仅允许管理员在 192.168.188.10 上进行管理操作。
DNS 网络配置
除了传统的修改 /etc/resolv.conf 之外,还有通过在 ifcfg 文件中添加配置的方式。
Tip: 与 Windows 在某个网卡中设置 DNS 服务器的 IP 地址类似
# vi /etc/sysconfig/network-scripts/ifcfg-eno16777728
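# Generated by parse-kickstart
# Static addressing for zzyh1 (primary DNS).  DNS1/DNS2 below are what
# NetworkManager writes into /etc/resolv.conf when the network service
# is restarted.
IPV6INIT=no
BOOTPROTO=static
DEVICE=eno16777728
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
# PEERDNS=yes lets NetworkManager manage resolv.conf from DNS1/DNS2.
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
# Plain ASCII double quotes: the typographic quotes in the original turn
# this line into a syntax error when the ifcfg file is sourced.
NAME="System eno16777728"
IPADDR=192.168.188.15
NETMASK=255.255.255.0
GATEWAY=192.168.188.2
# Resolve through this host first, then the secondary zzyh2.
DNS1=192.168.188.15
DNS2=192.168.188.16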
这样,当重新启动 network 服务时,会生成 /etc/resolv.conf 中的配置
# service network restart
Restarting network (via systemctl): [OK]
# cat /etc/resolv.conf
# Generated by NetworkManager
search linuxidc.local
nameserver 192.168.188.15
nameserver 192.168.188.16
配置 Yum 库
[root@zzyh2 ~]# cd /etc/yum.repos.d/
[root@zzyh2 yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Sources.repo CentOS-Vault.repo
[root@zzyh2 yum.repos.d]#
[root@zzyh1 yum.repos.d]# cp CentOS-Base.repo CentOS-Base.repo.origin
[root@zzyh1 yum.repos.d]# vi CentOS-Base.repo
配置内容
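# Local install-media repository (the ISO mounted on /media).
[base]
name=CentOS-$releasever - Base
baseurl=file:///media
# Keep signature checking on even for local media: every package is still
# verified against the CentOS-7 release key before it is installed.
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7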
安装 DNS 支持包
# yum -y install bind bind-utils bind-chroot
注意:提供 nslookup、dig 等工具的软件包名是 bind-utils(不是 bind-util)。下面的安装输出中没有出现 bind-utils,很可能就是包名写错导致没有装上,后文"补充一下"一节也提到了这一点。
[root@zzyh1 ~]# cd /media/Packages/
[root@zzyh1 Packages]# yum -y install bind bind-util bind-chroot
Warning: RPMDB altered outside of yum.
Installing : 32:bind-libs-9.9.4-14.el7.x86_64 1/3
Installing : 32:bind-9.9.4-14.el7.x86_64 2/3
Installing : 32:bind-chroot-9.9.4-14.el7.x86_64 3/3
Verifying :32:bind-9.9.4-14.el7.x86_64 1/3
Verifying : 32:bind-libs-9.9.4-14.el7.x86_64 2/3
Verifying :32:bind-chroot-9.9.4-14.el7.x86_64 3/3
Installed:
bind.x86_64 32:9.9.4-14.el7 bind-chroot.x86_64 32:9.9.4-14.el7
Dependency Installed:
bind-libs.x86_64 32:9.9.4-14.el7
Complete!
查看 bind 的生成包
[root@zzyh2 ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
配置文件
[root@zzyh1 ~]# cd /etc
[root@zzyh1 etc]# cp named.conf named.conf.origin
[root@zzyh1 etc]# vi /etc/named.conf
[root@zzyh1 etc]# cat /etc/named.conf
(以下只列出相对默认配置改动过的行,它们都位于 options { } 块内;修改后可用 named-checkconf /etc/named.conf 检查语法)
// Stock default: answer only on the loopback interface.
//listen-on port 53 {127.0.0.1;};
// Listen on every interface so LAN clients can reach the server.  On its
// own this exposes the daemon to anything that can route to it, so
// allow-query / allow-recursion must be limited to the internal networks;
// otherwise this is an open resolver recursing via the forwarders.
listen-on port 53 {any;};
// Stock defaults: DNSSEC enabled and validating.
//dnssec-enable yes;
//dnssec-validation yes;
// Validation is switched off, so answers relayed from the forwarders are
// accepted unverified and a forged/poisoned upstream answer is not
// detected.  The usual reason for this is a forwarder that does not pass
// DNSSEC records through - confirm that is the case here before accepting
// the trade-off; otherwise re-enable validation.
dnssec-enable no;
dnssec-validation no;
配置转发地址与区域传送限制(allow-transfer 中应填写辅助服务器 zzyh2 的地址 192.168.188.16;原文中的 192.168.188.12 在本环境中并不存在,而后文的传送日志显示来拉取区域的正是 192.168.188.16):
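// Upstream resolvers that receive every query this server cannot answer
// from its own zones (requirement: resolve Internet names for the LAN).
forwarders { 202.102.224.68; 202.102.227.68; };
// Only the secondary zzyh2 (192.168.188.16) may pull zones by AXFR/IXFR.
// The original listed 192.168.188.12, a host that appears nowhere in this
// deployment, and omitted the secondary, which the transfer log later
// shows connecting from .16.  Everything else is refused, which is what
// blocks bulk enumeration of the records.
allow-transfer { 192.168.188.16; };
// With "listen-on port 53 { any; }" the daemon is reachable on every
// interface, so restrict who may query at all and who may use recursion
// to the two internal networks.  Replace the stock
// "allow-query { localhost; };" line with this one - a duplicated
// statement is a configuration error.
allow-query { localhost; 192.168.188.0/24; 192.168.189.0/24; };
allow-recursion { localhost; 192.168.188.0/24; 192.168.189.0/24; };
// Management (rndc) from the admin workstation 192.168.188.10 is a stated
// requirement but is not configured in this excerpt; by default the
// control channel listens on 127.0.0.1 only.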
查看状态
[root@zzyh1 etc]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
测试一下解析
补充一下
# find / -name nslookup
/usr/bin/nslookup
# rpm -qf /usr/bin/nslookup // 查询这个命令属于哪个软件包
bind-utils-9.9.4-14.el7.x86_64
执行
# nslookup // 如果找不到 nslookup,是因为没有安装 bind-utils 软件包(yum -y install bind-utils)
> server 192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
> g.cn // 尝试解析 g.cn
Server: 192.168.188.15
Address: 192.168.188.15#53
Non-authoritative answer:
Name: g.cn
Address: 203.208.36.17
Name: g.cn
Address: 203.208.36.18
Name: g.cn
Address: 203.208.36.16
Name: g.cn
Address: 203.208.36.20
Name: g.cn
Address: 203.208.36.19
// 解析成功
添加自定义 zone
自定义,修改配置文件
[root@zzyh1 ~]# vi /etc/named.conf
在文件末尾添加以下 zone 定义(每个 zone 语句必须以 `};` 结束,type 应为 master;改完后用 `named-checkconf /etc/named.conf` 检查语法):
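// Authoritative zones for the internal network.  Every zone statement must
// end with "};" (the original ended in a bare "}") and the type is
// "master" (the original had "mester"); either typo makes named reject the
// file - run named-checkconf /etc/named.conf after editing.
zone "linuxidc.local" IN {
    type master;
    file "linuxidc.local.zone";
    // Only the secondary zzyh2 may pull this zone; anyone else asking for
    // AXFR/IXFR is refused, which is what stops bulk record enumeration.
    allow-transfer { 192.168.188.16; };
};
zone "188.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.188.zone";
    allow-transfer { 192.168.188.16; };
};
zone "189.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.189.zone";
    allow-transfer { 192.168.188.16; };
};
// Stock includes: loopback/localhost zones and the root trust anchor.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";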
[root@zzyh1 named]# cp named.empty linuxidc.local.zone // 以 named.empty 为模板创建区域文件
[root@zzyh1 named]# ls
linuxidc.local.zone data named.ca named.localhost slaves
chroot dynamic named.empty named.loopback
配置文件
[root@zzyh1 named]# vi linuxidc.local.zone
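$TTL 3H
; Forward zone for linuxidc.local, served by zzyh1 (primary) and zzyh2
; (secondary).  Created from the named.empty template.
;
; SOA: MNAME is the primary server; RNAME is the contact mailbox with the
; first "." standing for "@".  Both must end in a dot, otherwise the zone
; origin is appended - the original RNAME lacked the dot and would have
; read as chenzhou312.blog.51cto.com.linuxidc.local.  A mailbox inside the
; served domain (e.g. hostmaster.linuxidc.local.) is the usual choice.
; Increase the serial on every change or the secondary will not transfer.
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-caching TTL)
; Leading whitespace means "same owner as the previous record" (@).
        IN NS   zzyh1.linuxidc.local.
        IN NS   zzyh2.linuxidc.local.
; Hosts (unqualified owners get .linuxidc.local appended).
zzyh1   IN A    192.168.188.15
zzyh2   IN A    192.168.188.16
ftp     IN A    192.168.188.15
mailyh1 IN A    192.168.188.22
; Mail aliases point at the mail host instead of duplicating its address.
smtp    IN CNAME mailyh1.linuxidc.local.
pop3    IN CNAME mailyh1.linuxidc.local.
www     IN A    192.168.188.15
crm     IN A    192.168.188.15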
# vi 192.168.188.zone
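$TTL 3H
; Reverse zone for 192.168.188.0/24 (188.168.192.in-addr.arpa).
; RNAME carries a trailing dot so the origin is not appended to it; the
; original also had stray vi keystrokes ("expiredgG") in the expire comment.
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.linuxidc.local.
        IN NS   zzyh2.linuxidc.local.
; Owner is the last octet; the origin supplies 188.168.192.in-addr.arpa.
; More than one PTR per address is legal, but resolvers return them in
; arbitrary order, so one canonical name per address is the usual practice.
15      IN PTR  zzyh1.linuxidc.local.
15      IN PTR  ftp.linuxidc.local.
16      IN PTR  zzyh2.linuxidc.local.
; mailyh1 is 192.168.188.22 in the forward zone; the original placed its
; PTR on 16, which is zzyh2's address.
22      IN PTR  mailyh1.linuxidc.local.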
# vi 192.168.189.zone
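$TTL 3H
; Reverse zone for 192.168.189.0/24 (189.168.192.in-addr.arpa).
; RNAME carries a trailing dot so the origin is not appended to it.
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.linuxidc.local.
        IN NS   zzyh2.linuxidc.local.
; No hosts in 192.168.189.0/24 are defined for this deployment.  The
; original ended with "www IN NS 192.168.188.15", which is not a valid
; record here: NS data must be a host name (an address is read as a
; relative name and gets the origin appended) and "www" is not a reverse
; owner.  Add hosts as "<last-octet> IN PTR host.linuxidc.local." as needed.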
重启服务
[root@zzyh1 named]# systemctl restart named.service
[root@zzyh1 named]# service named restart
Redirecting to /bin/systemctl restart named.service
[root@zzyh1 named]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 104
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
设置为自动启动
# systemctl enable named
注意:本文要求启用 chroot(并已安装 bind-chroot),但这里启用和启动的都是 named.service;下方 systemctl status 中的进程为 `/usr/sbin/named -u named`,没有 `-t /var/named/chroot` 参数,说明 named 并没有运行在 chroot 中。CentOS 7 的 bind-chroot 通过单独的 named-chroot.service 提供 chroot,应改为 `systemctl disable named; systemctl enable named-chroot; systemctl start named-chroot`(zzyh2 同理)。
[root@zzyh1 named]# systemctl status named
named.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
Active: active (running) since Mon 2014-08-25 00:36:59 CST; 3min 47s ago
MainPID: 2807 (named)
CGroup: /system.slice/named.service
└─2807 /usr/sbin/named -u named
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 189.168.192.in-addr.ar…
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 189.168.192.in-addr.ar…
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 1.0.0.127.in-addr.arpa…
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 1.0.0.0.0.0.0.0.0.0.0….
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: all zones loaded
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: running
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 188.168.192.in-addr.ar…
Aug 25 00:36:59 zzyh1.linuxidc.local named[2807]: zone 189.168.192.in-addr.ar…
Aug 25 00:36:59 zzyh1.linuxidc.local systemd[1]: Started Berkeley Internet N….
Aug 25 00:37:00 zzyh1.linuxidc.local named[2807]: managed-keys-zone: No DNSKE…
Hint: Some lines were ellipsized, use -l to show in full.
测试
# nslookup
> server 192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
>www.linuxidc.local.
Server: 192.168.188.15
Address: 192.168.188.15#53
Name: www.linuxidc.local
Address: 192.168.188.15
>smtp.linuxidc.local.
Server: 192.168.188.15
Address: 192.168.188.15#53
smtp.linuxidc.local canonical name = mailyh1.linuxidc.local.
Name: mailyh1.linuxidc.local
Address: 192.168.188.22
>192.168.188.15
Server: 192.168.188.15
Address: 192.168.188.15#53
15.188.168.192.in-addr.arpa name = ftp.linuxidc.local.
15.188.168.192.in-addr.arpa name = zzsrv1.linuxidc.local.
> exit
zzyh2 上的 DNS 配置
安装 BIND
与 zzyh1 上主 DNS 的安装过程相同。
操作略。
配置
Cache Only Server
options 部分(listen-on、dnssec、forwarders 等)的配置与 zzyh1 上的主 DNS 相同。
操作略。
添加辅助 Zone
# vi /etc/named.conf
添加如下 zone 信息
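// Secondary (slave) copies of the zones mastered on zzyh1 (192.168.188.15).
zone "linuxidc.local" IN {
    type slave;
    masters { 192.168.188.15; };
    // Keep the transferred copies under slaves/, which the bind package
    // ships owned by and writable for the named user.  This removes the
    // need to chmod g+w /var/named itself, which would let a compromised
    // named process rewrite every other file in that directory.
    file "slaves/linuxidc.local.zone";
    // A secondary hands out the whole zone to anyone unless transfers are
    // refused here too (this BIND version's default transfer ACL is open).
    allow-transfer { none; };
};
zone "188.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.188.15; };
    file "slaves/192.168.188.zone";
    allow-transfer { none; };
};
zone "189.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.188.15; };
    file "slaves/192.168.189.zone";
    allow-transfer { none; };
};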
修改目录权限(不推荐这样放开 /var/named 的写权限:bind 包自带的 /var/named/slaves/ 目录已经属于 named 用户且可写,把辅助区域的 file 指到 "slaves/xxx.zone" 即可;否则 named 进程一旦被攻破,就能改写 /var/named 下的 named.ca 等其他文件)
[root@zzyh2 named]# ll /var/named/ -d
drwxr-x— 6 root named 133 Aug 15 14:06/var/named/
[root@zzyh2 named]# chmod g+w /var/named/
[root@zzyh2 named]# ll /var/named/ -d
drwxrwx— 6 root named 133 Aug 15 14:06/var/named/
启动服务
[root@zzyh2 ~]# systemctl start named.service
Redirecting to /bin/systemctl restart named.service
设置为自动启动
[root@zzyh2 ~]# systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
查看日志,检查是否有报错信息(建议在启动服务之前,先在另一个会话中打开日志跟踪):
# tail -f /var/log/messages
测试 BIND
在 zzyh2 上已经生成了从 zzyh1 传送过来的 zone 文件
[root@zzyh2 ~]# ll /var/named/
total 28
-rw-r–r– 1 named named 451 Aug 15 14:58 192.168.188.zone
-rw-r–r– 1 named named 254 Aug 15 15:05 192.168.189.zone
-rw-r–r– 1 named named 647 Aug 15 15:16 linuxidc.local.zone
drwxr-x— 7 root named 56 Aug 15 14:06 chroot
drwxrwx— 2 named named 22 Aug 15 14:19 data
drwxrwx— 2 named named 58 Aug 15 16:20 dynamic
-rw-r—– 1 root named 2076 Jan 28 2013 named.ca
-rw-r—– 1 root named 152 Dec 15 2009 named.empty
-rw-r—– 1 root named 152 Jun 21 2007 named.localhost
-rw-r—– 1 root named 168 Dec 15 2009 named.loopback
drwxrwx— 2 named named 6 Jun 10 16:13 slaves
[root@zzyh1 ~]# vi /var/named/linuxidc.local.zone
添加一个 A 记录
test IN A 10.0.0.1
并将 zone 的 SOA 序列号(serial)增大——否则辅助服务器收到 notify 后比较序列号发现没有变化,不会拉取更新
[root@zzyh1 ~]# rndc reload
server reload successful
在 zzyh1 的日志中会看到
zone linuxidc.local/IN: sending notifies (serial 15)
client 192.168.188.16#41658 (linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR started
client 192.168.188.16#41658 (linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR ended
(只有 allow-transfer 中允许的主机才会出现这样的传送记录,其他来源的传送请求会被拒绝并记入日志)
在 zzyh2 的日志中会看到
client 192.168.188.15#33856: received notify for zone 'linuxidc.local'
zone linuxidc.local/IN: Transfer started.
transfer of 'linuxidc.local/IN' from 192.168.188.15#53: connected using 192.168.188.16#41658
zone linuxidc.local/IN: transferred serial 15
transfer of 'linuxidc.local/IN' from 192.168.188.15#53: Transfer completed: 1 messages, 13 records, 339 bytes, 0.005 secs (67800 bytes/sec)
zone linuxidc.local/IN: sending notifies(serial 15)
测试
# nslookup
> server 192.168.188.16
Default server: 192.168.188.16
Address: 192.168.188.16#53
> test.linuxidc.local.
Server: 192.168.188.16
Address: 192.168.188.16#53
Name: test.linuxidc.local
Address: 10.0.0.1
> exit