CentOS 7 DNS Server Deployment

Project background and requirements

The server must resolve the internal domain linuxidc.local and also resolve Internet domain names.

Primary DNS server: ZZYH1.LINUXIDC.LOCAL
Secondary DNS server: ZZYH2.LINUXIDC.LOCAL

It hosts the following zones:
1. The linuxidc.local zone
2. The reverse zones for 192.168.188.0/24 and 192.168.189.0/24

Further requirements: chroot must be used, to improve security. DNS queries are forwarded to 202.102.224.68 and 202.102.227.68. Unauthorized users must be prevented from enumerating DNS records (to avoid the kind of exposure the Shanghai tobacco company suffered). Only the administrator, working from 192.168.188.10, may perform management operations.

DNS network configuration

Besides the traditional method of editing /etc/resolv.conf, the DNS servers can also be configured by adding entries to the interface's ifcfg file. Tip: this is similar to setting the DNS server address on a particular network adapter in Windows.
# vi /etc/sysconfig/network-scripts/ifcfg-eno16777728

# Generated by parse-kickstart
BOOTPROTO=static
DEVICE=eno16777728
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME="System eno16777728"
IPADDR=192.168.188.15
NETMASK=255.255.255.0
GATEWAY=192.168.188.2
DNS1=192.168.188.15

With this in place, restarting the network service regenerates /etc/resolv.conf (PEERDNS=yes is what lets the DNS1 entry be written into it):

# service network restart
Restarting network (via systemctl): [ OK ]
# cat /etc/resolv.conf
search linuxidc.local
nameserver 192.168.188.15

Configure the Yum repository

[root@zzyh2 ~]# cd /etc/yum.repos.d/
[root@zzyh2 yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Sources.repo CentOS-Vault.repo
[root@zzyh2 yum.repos.d]#
[root@zzyh1 yum.repos.d]# cp CentOS-Base.repo CentOS-Base.repo.origin
[root@zzyh1 yum.repos.d]# vi CentOS-Base.repo

Configuration contents (the installation media mounted at /media is used as a local repository):

[base]
name=CentOS-$releasever - Base
baseurl=file:///media
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

Install the DNS packages

# yum -y install bind bind-utils bind-chroot

The package that provides nslookup and dig is called bind-utils. The session below typed bind-util, so only bind, bind-libs and bind-chroot were installed; that is why nslookup has to be tracked down separately further on.

[root@zzyh1 ~]# cd /media/Packages/
[root@zzyh1 Packages]# yum -y install bind bind-util bind-chroot
Warning: RPMDB altered outside of yum.
Installing : 32:bind-libs-9.9.4-14.el7.x86_64 1/3
Installing : 32:bind-9.9.4-14.el7.x86_64 2/3
Installing : 32:bind-chroot-9.9.4-14.el7.x86_64 3/3
Verifying : 32:bind-9.9.4-14.el7.x86_64 1/3
Verifying : 32:bind-libs-9.9.4-14.el7.x86_64 2/3
Verifying : 32:bind-chroot-9.9.4-14.el7.x86_64 3/3

Installed: bind.x86_64 32:9.9.4-14.el7 bind-chroot.x86_64 32:9.9.4-14.el7

Dependency Installed: bind-libs.x86_64 32:9.9.4-14.el7
Complete!

Note that on CentOS 7 the bind-chroot package ships a separate named-chroot.service; the chroot is only in effect when that unit is started instead of named.service (systemctl enable named-chroot). The rest of this article starts named.service, so installing bind-chroot on its own does not yet satisfy the chroot requirement from the background section.

List bind's configuration files

[root@zzyh2 ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback

Configuration file

[root@zzyh1 ~]# cd /etc
[root@zzyh1 etc]# cp named.conf named.conf.origin
[root@zzyh1 etc]# vi /etc/named.conf
[root@zzyh1 etc]# cat /etc/named.conf

Changes in the options block (the original lines are kept as comments):

//listen-on port 53 { 127.0.0.1; };
listen-on port 53 { any; };
//dnssec-enable yes;
//dnssec-validation yes;
dnssec-enable no;
dnssec-validation no;

Configure the forwarders and restrict zone transfers:

forwarders { 202.102.224.68; 202.102.227.68; };
allow-transfer { 192.168.188.15; 192.168.188.12; };

Two things to check here. Turning dnssec-validation off means this resolver will accept unsigned or altered answers from the forwarders; it removes a safeguard rather than adding one. And allow-transfer is the setting that actually enforces the "no enumeration" requirement: it must list exactly the secondaries, so the secondary zzyh2 (192.168.188.16 in the zone file and in the transfer logs later in this article) has to be in it, otherwise its zone transfers are refused.

Check the status

[root@zzyh1 etc]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Test resolution
A supplementary note on /usr/bin/nslookup:

# rpm -qf /usr/bin/nslookup    // find out which package owns this command
# nslookup    // if nslookup is not found, bind-utils-9.9.4-14.el7.x86_64.rpm has not been installed
> server 192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
> g.cn    // try resolving g.cn
Server: 192.168.188.15
Address: 192.168.188.15#53

Non-authoritative answer:
Name: g.cn
Address: 203.208.36.17
Name: g.cn
Address: 203.208.36.18
Name: g.cn
Address: 203.208.36.16
Name: g.cn
Address: 203.208.36.20
Name: g.cn
Address: 203.208.36.19
// resolution succeeded

Add custom zones

Edit the configuration file and append the zone definitions at the end:

[root@zzyh1 ~]# vi /etc/named.conf

zone "linuxidc.local" IN {
    type master;
    file "linuxidc.local.zone";
};
zone "188.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.188.zone";
};
zone "189.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.189.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@zzyh1 named]# cp named.empty linuxidc.local.zone    // copy the template before editing it
[root@zzyh1 named]# ls
linuxidc.local.zone data named.ca named.localhost slaves chroot dynamic named.empty named.loopback

Zone file contents:

[root@zzyh1 named]# vi linuxidc.local.zone
$TTL 3H
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.linuxidc.local.
        IN NS   zzyh2.linuxidc.local.
zzyh1   IN A    192.168.188.15
zzyh2   IN A    192.168.188.16
ftp     IN A    192.168.188.15
mailyh1 IN A    192.168.188.22
smtp    IN CNAME mailyh1.linuxidc.local.
pop3    IN CNAME mailyh1.linuxidc.local.
www     IN A    192.168.188.15
crm     IN A    192.168.188.15
Reverse zone for 192.168.188.0/24. Note that the SOA, NS and PTR targets in both reverse zones use itnetcn.local, whereas the forward zone above is linuxidc.local; in a real deployment the PTR targets must be names that exist in the forward zone. Also compare the PTR records against the A records: mailyh1 has address 192.168.188.22 in the forward zone, so its PTR belongs at 22, not at 16.

# vi 192.168.188.zone
$TTL 3H
@       IN SOA  zzyh1.itnetcn.local. it.net.cn (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.itnetcn.local.
        IN NS   zzyh2.itnetcn.local.
15      IN PTR  zzyh1.itnetcn.local.
15      IN PTR  ftp.itnetcn.local.
16      IN PTR  zzyh2.itnetcn.local.
16      IN PTR  mailyh1.itnetcn.local.
# vi 192.168.189.zone
$TTL 3H
@       IN SOA  zzyh1.itnetcn.local. it.net.cn (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.itnetcn.local.
        IN NS   zzyh2.itnetcn.local.
www     IN NS   192.168.188.15

Restart the service

[root@zzyh1 named]# systemctl restart named.service
[root@zzyh1 named]# service named restart
Redirecting to /bin/systemctl restart named.service
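The reverse zones above were written by hand, which is how the PTR for mailyh1 ended up at the wrong octet. The following script is an added example (not code from the article) that derives the PTR records for a /24 in-addr.arpa zone from the A records of the forward zone, so the two cannot drift apart. The embedded forward zone is a constructed copy of the article's linuxidc.local zone with one extra host outside the /24 to show that it is filtered out; the SOA parameters are the article's.

```python
import ipaddress

# Constructed sample, modelled on the article's linuxidc.local zone file
# ('other' is an added host outside the /24 to show the filtering).
FORWARD_ZONE = """\
$TTL 3H
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.linuxidc.local.
        IN NS   zzyh2.linuxidc.local.
zzyh1   IN A    192.168.188.15
zzyh2   IN A    192.168.188.16
ftp     IN A    192.168.188.15
mailyh1 IN A    192.168.188.22
smtp    IN CNAME mailyh1.linuxidc.local.
pop3    IN CNAME mailyh1.linuxidc.local.
www     IN A    192.168.188.15
other   IN A    10.0.0.1
"""


def fqdn(owner, origin):
    """Expand an owner name the way BIND does: '@' is the origin, a trailing
    dot means absolute, anything else is relative to the origin."""
    if owner == "@":
        return origin
    if owner.endswith("."):
        return owner
    return f"{owner}.{origin}"


def parse_a_records(zone_text, origin):
    """Return [(fqdn, ip), ...] for the A records of a simple master zone file.
    A line starting with whitespace reuses the previous owner name; the lines
    of the multi-line SOA (between '(' and ')') carry no address data."""
    records, last_owner, in_soa = [], None, False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        if in_soa:                                # still inside the SOA parentheses
            in_soa = ")" not in line
            continue
        fields = line.split()
        if not raw[0].isspace():
            last_owner = fields.pop(0)
        if "(" in line:
            in_soa = ")" not in line
            continue
        if len(fields) >= 2 and fields[-2] == "A":   # CNAME/NS/MX are skipped
            records.append((fqdn(last_owner, origin), fields[-1]))
    return records


def reverse_origin(network):
    """'192.168.188.0/24' -> '188.168.192.in-addr.arpa.'"""
    o = str(ipaddress.ip_network(network).network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def ptr_records(a_records, network):
    """PTR records for the /24 `network` as [(last_octet, target), ...].
    Several names on one address (ftp and www on .15 here) simply give
    several PTRs, as in the article's hand-written zone."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 reverse zones are generated here")
    ptrs = []
    for name, ip in a_records:
        addr = ipaddress.ip_address(ip)
        if addr in net:
            ptrs.append((int(str(addr).split(".")[-1]), name))
    return sorted(ptrs)


def build_reverse_zone(a_records, network, mname, rname, serial, nameservers):
    """Render the complete reverse zone file text for `network`."""
    lines = [
        "$TTL 3H",
        f"@\tIN SOA\t{mname} {rname} (",
        f"\t\t{serial}\t; serial",
        "\t\t1D\t; refresh",
        "\t\t1H\t; retry",
        "\t\t1W\t; expire",
        "\t\t3H )\t; minimum",
    ]
    lines += [f"\tIN NS\t{ns}" for ns in nameservers]
    lines += [f"{octet}\tIN PTR\t{name}" for octet, name in ptr_records(a_records, network)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_a_records(FORWARD_ZONE, "linuxidc.local.")
    print(f"; zone {reverse_origin('192.168.188.0/24')}")
    print(build_reverse_zone(recs, "192.168.188.0/24", "zzyh1.linuxidc.local.",
                             "chenzhou312.blog.51cto.com.", 1,
                             ["zzyh1.linuxidc.local.", "zzyh2.linuxidc.local."]))
```

Run against the article's data this produces PTRs at 15 (ftp, www, zzyh1), 16 (zzyh2) and 22 (mailyh1), and nothing at all for 192.168.189.0/24, which matches the fact that the forward zone has no hosts in that range. Validate the generated file with named-checkzone before loading it.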
[root@zzyh1 named]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 104
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

The zone count has gone from 101 to 104, one for each of the three zones just added.

Enable the service at boot

# systemctl enable named
# systemctl status named
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
   Active: active (running) since Mon 2014-08-25 00:36:59 CST; 3min 47s ago
 Main PID: 2807 (named)
   CGroup: /system.slice/named.service
           └─2807 /usr/sbin/named -u named

Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 1.0.0.127.in-addr.arpa...
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 1.0.0.0.0.0.0.0.0.0.0....
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: all zones loaded
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: running
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 188.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.itnetcn.local named[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.itnetcn.local systemd[1]: Started Berkeley Internet N....
Aug 25 00:37:00 zzyh1.itnetcn.local named[2807]: managed-keys-zone: No DNSKE...
Hint: Some lines were ellipsized, use -l to show in full.
# nslookup
> server 192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
> www.itnetcn.local.
Server: 192.168.188.15
Address: 192.168.188.15#53

Name: www.itnetcn.local
Address: 192.168.188.15
> smtp.linuxidc.local.
Server: 192.168.188.15
Address: 192.168.188.15#53

smtp.linuxidc.local canonical name = mailyh1.linuxidc.local.
Name: mailyh1.itnetcn.local
Address: 192.168.188.22
> 192.168.188.15
Server: 192.168.188.15
Address: 192.168.188.15#53

15.188.168.192.in-addr.arpa name = ftp.itnetcn.local.
15.188.168.192.in-addr.arpa name = zzsrv1.itnetcn.local.
> exit
DNS configuration on zzyh2

Install BIND: the same as the primary DNS installation on zzyh1; steps omitted.

Configure a cache-only server: the same options (listen-on, forwarders) as on zzyh1; steps omitted.

Add the secondary zones

# vi /etc/named.conf

Add the following zone definitions:
zone "linuxidc.local" IN {
    type slave;
    masters { 192.168.188.15; };
    file "linuxidc.local.zone";
};

zone "188.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.188.15; };
    file "192.168.188.zone";
};

zone "189.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.188.15; };
    file "192.168.189.zone";
};
Change directory permissions. The slave zone files are written by named itself (running as user named), so the directory they live in must be writable by that user:

[root@zzyh2 named]# ll /var/named/ -d
drwxr-x--- 6 root named 133 Aug 15 14:06 /var/named/
[root@zzyh2 named]# chmod g+w /var/named/
[root@zzyh2 named]# ll /var/named/ -d
drwxrwx--- 6 root named 133 Aug 15 14:06 /var/named/

The listing further down shows that /var/named/slaves is already owned by named and group-writable; pointing the file statements of the slave zones at slaves/... would achieve the same without making the whole of /var/named (and the master zone templates in it) writable by the daemon.

Start the service

[root@zzyh2 ~]# systemctl start named.service
Redirecting to /bin/systemctl restart named.service

Enable the service at boot

[root@zzyh2 ~]# systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'

Watch the log and check for error messages (best opened in a second session before starting the service):

# tail -f /var/log/messages

Test BIND

The zone files transferred from zzyh1 now appear on zzyh2:

[root@zzyh2 ~]# ll /var/named/
total 28
-rw-r--r-- 1 named named  451 Aug 15 14:58 192.168.188.zone
-rw-r--r-- 1 named named  254 Aug 15 15:05 192.168.189.zone
-rw-r--r-- 1 named named  647 Aug 15 15:16 linuxidc.local.zone
drwxr-x--- 7 root  named   56 Aug 15 14:06 chroot
drwxrwx--- 2 named named   22 Aug 15 14:19 data
drwxrwx--- 2 named named   58 Aug 15 16:20 dynamic
-rw-r----- 1 root  named 2076 Jan 28  2013 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Jun 10 16:13 slaves
On zzyh1, edit the zone file, add an A record, and increase the zone's serial number (the secondary only pulls the zone again when it sees a higher serial in the SOA):

[root@zzyh1 ~]# vi /var/named/itnetcn.local.zone
test IN A 10.0.0.1
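Forgetting to raise the serial is the classic reason a secondary keeps serving stale data after an edit. The following helper is an added example (not part of the article) that appends the A record and rewrites the SOA serial in the YYYYMMDDnn style, checking with the RFC 1982 comparison that secondaries use that the new value will actually be seen as newer. The embedded zone text is a constructed copy of the article's SOA; the functions `bump_serial`, `add_a_record` and `is_newer` are mine.

```python
import re
from datetime import date

# The first number after 'SOA ... (' is the serial in the article's layout.
SERIAL_RE = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)")

# Constructed sample: the SOA from the article's forward zone plus one record.
ZONE = """\
$TTL 3H
@       IN SOA  zzyh1.linuxidc.local. chenzhou312.blog.51cto.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        IN NS   zzyh1.linuxidc.local.
zzyh1   IN A    192.168.188.15
"""


def is_newer(new, old):
    """RFC 1982 serial comparison as done by a secondary: `new` is newer only
    if it is ahead of `old` by less than 2**31, modulo 2**32."""
    return 0 < (new - old) % 2**32 < 2**31


def bump_serial(zone_text, today=None):
    """Return (new_zone_text, old_serial, new_serial) using the YYYYMMDDnn
    convention. A plain counter (0 in the article) is moved onto today's date;
    a second change on the same day increments nn; a serial already beyond
    today's range is just incremented so it never goes backwards."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    old = int(m.group(2))
    today = today or date.today()
    base = int(today.strftime("%Y%m%d")) * 100
    if base <= old < base + 99:
        new = old + 1                 # another change today
    elif old < base:
        new = base + 1                # first change today, or migrating from a counter
    else:
        new = (old + 1) % 2**32       # serial already past today's range
    if not is_newer(new, old):
        raise ValueError(f"serial {new} would not be seen as newer than {old}")
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


def add_a_record(zone_text, owner, ip):
    """Append an A record; the article adds 'test IN A 10.0.0.1'."""
    return zone_text.rstrip("\n") + f"\n{owner}\tIN A\t{ip}\n"


if __name__ == "__main__":
    text, old, new = bump_serial(add_a_record(ZONE, "test", "10.0.0.1"), date(2014, 8, 25))
    print(f"serial {old} -> {new}")
    print(text)
```

After writing the file, the article's rndc reload is what makes the primary read the new serial and send NOTIFY to the secondaries; the log lines that follow show the transfer being triggered by exactly that serial change.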
[root@zzyh1 ~]# rndc reload
server reload successful

In zzyh1's log you will see:

zone linuxidc.local/IN: sending notifies (serial 15)
client 192.168.188.16#41658 (linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR started
client 192.168.188.16#41658 (linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR ended

In zzyh2's log you will see:

client 192.168.188.15#33856: received notify for zone 'linuxidc.local'
zone linuxidc.local/IN: Transfer started.
transfer of 'linuxidc.local/IN' from 192.168.188.15#53: connected using 192.168.188.16#41658
zone linuxidc.local/IN: transferred serial 15
transfer of 'linuxidc.local/IN' from 192.168.188.15#53: Transfer completed: 1 messages, 13 records, 339 bytes, 0.005 secs (67800 bytes/sec)
zone linuxidc.local/IN: sending notifies (serial 15)

Test

# nslookup
> server 192.168.188.16
Default server: 192.168.188.16
Address: 192.168.188.16#53
> test.linuxidc.local.
Server: 192.168.188.16
Address: 192.168.188.16#53

Name: test.itnetcn.local
Address: 10.0.0.1
> exit
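The transfer lines in zzyh1's log are also the evidence a defender needs for the "no enumeration" requirement from the background section: every AXFR/IXFR the primary serves is logged with the client address, so the log can be checked against the list of legitimate secondaries. The script below is an added example (not from the article) that does that check. The sample log is constructed: the first two lines follow the article's zzyh1 log for the transfer to zzyh2 (192.168.188.16), the third is a made-up transfer to an unlisted host, and the fourth is a made-up refused transfer written in the wording I recall BIND using for an allow-transfer denial (check it against your own logs). The allow list is passed in as addresses or CIDR blocks.

```python
import ipaddress
import re

# Constructed sample log (syslog prefix as in the article's status output).
SAMPLE_LOG = [
    "Aug 25 00:45:10 zzyh1.itnetcn.local named[2807]: client 192.168.188.16#41658 "
    "(linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR started",
    "Aug 25 00:45:10 zzyh1.itnetcn.local named[2807]: client 192.168.188.16#41658 "
    "(linuxidc.local): transfer of 'linuxidc.local/IN': AXFR-style IXFR ended",
    "Aug 25 01:02:33 zzyh1.itnetcn.local named[2807]: client 192.168.189.77#50211 "
    "(linuxidc.local): transfer of 'linuxidc.local/IN': AXFR started",
    "Aug 25 01:03:01 zzyh1.itnetcn.local named[2807]: client 10.9.8.7#51234 "
    "(linuxidc.local): zone transfer 'linuxidc.local/IN' denied",
]

# Matches a transfer that BIND started serving, or one it refused.
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+)(?: \([^)]*\))?: "
    r"(?:transfer of '(?P<zone>[^']+)': (?P<kind>AXFR(?:-style IXFR)?|IXFR) started"
    r"|zone transfer '(?P<denied>[^']+)' denied)"
)


def audit_transfers(lines, allowed_secondaries):
    """Classify every zone-transfer event in `lines`.

    allowed_secondaries: addresses or CIDR blocks that are meant to pull zones.
    Each event is a dict with ip, zone, kind and status, where status is
    'authorized'  - transfer served to a listed secondary,
    'unexpected'  - transfer served to an unlisted host (allow-transfer too loose),
    'denied'      - BIND refused it (a probe worth noting, but no data left)."""
    allowed = [ipaddress.ip_network(a, strict=False) for a in allowed_secondaries]
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                         # 'ended' lines and unrelated messages
        ip = ipaddress.ip_address(m.group("ip"))
        if m.group("denied"):
            status, zone, kind = "denied", m.group("denied"), "AXFR/IXFR"
        elif any(ip in net for net in allowed):
            status, zone, kind = "authorized", m.group("zone"), m.group("kind")
        else:
            status, zone, kind = "unexpected", m.group("zone"), m.group("kind")
        events.append({"ip": str(ip), "zone": zone, "kind": kind, "status": status})
    return events


def unexpected_sources(events):
    """Addresses that actually received a zone they were not supposed to get."""
    return sorted({e["ip"] for e in events if e["status"] == "unexpected"})


if __name__ == "__main__":
    evs = audit_transfers(SAMPLE_LOG, ["192.168.188.16"])
    for e in evs:
        print(f"{e['status']:<11} {e['ip']:<16} {e['zone']} ({e['kind']})")
    print("addresses that must not be in allow-transfer:", unexpected_sources(evs))
```

Feeding the real /var/log/messages through audit_transfers with the secondary's address as the only allowed entry gives a quick answer to two questions: is allow-transfer as tight as the requirement says, and has anyone been trying. An 'unexpected' hit means the zone contents have already left the server and allow-transfer needs fixing; 'denied' hits mean the ACL held.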