[服务搭建] bind正反向配置 主从配置 子域配置 基本安全设置
实验环境
系统 主机名 IP 备注
Centos6.8 nod1.wupeng.com 10.208.131.222 主服务器
Centos6.8 nod2.wupeng.com 10.208.131.228 从服务器
Centos6.8 nod3.wupeng.com 10.208.131.229 子域服务器
bind程序包:
bind:提供的dns server程序、以及几个常用的测试程序;
bind-libs:被bind和bind-utils包中的程序共同用到的库文件;
bind-utils:bind客户端程序集,例如dig, host, nslookup等;
bind-chroot:选装,让named运行于jail模式下;
对三台主机分别更改主机名 关闭防火墙以及关闭selinux (iptables 规则保存后需重启 iptables 服务才能生效; selinux 配置修改后需要重启系统才能生效)
nod1更改主机
[root@nod1 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod1.wupeng.com
nod2更改主机
[root@nod2 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod2.wupeng.com
nod3更改主机
[root@nod3 ~]# vim /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=nod3.wupeng.com
nod1清空防火墙规则
[root@nod1 ~]# iptables -F
[root@nod1 ~]# service iptables save
nod2清空防火墙规则
[root@nod2 ~]# iptables -F
[root@nod2 ~]# service iptables save
nod3清空防火墙规则
[root@nod3 ~]# iptables -F
[root@nod3 ~]# service iptables save
nod1关闭selinux安全机制
[root@nod1 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled
nod2关闭selinux安全机制
[root@nod2 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled
nod3关闭selinux安全机制
[root@nod3 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled
三台主机分别同步时间 使之保持一致 可以使用ntpdate命令进行时间同步
[root@nod1 ~]# yum install ntpdate -y
[root@nod2 ~]# yum install ntpdate -y
[root@nod3 ~]# yum install ntpdate -y
[root@nod1 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1598]: step time server 17.253.84.125 offset 856096.191423 sec
[root@nod2 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1577]: step time server 17.253.84.125 offset 854843.947376 sec
[root@nod3 ~]# ntpdate ntp.api.bz
28 Jun 15:42:08 ntpdate[1593]: step time server 17.253.84.125 offset 599540.432080 sec
正向配置
在nod1主机上安装bind的相关软件
[root@nod1 ~]# yum install bind bind-utils -y //bind-libs 会作为依赖自动安装
编辑/etc/named.conf主配置文件 (recursion yes 与 allow-query { any; } 同时设置会使服务器对所有来源开放递归查询 生产环境应改用 allow-recursion 将递归限制为内网地址)
[root@nod1 ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 10.208.131.222; }; //监听地址
//  listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; }; //允许的请求方式为所有人
    recursion yes;
    dnssec-enable no; //安全机制为NO
    dnssec-validation no; //安全机制为NO
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
编辑/etc/named.rfc1912.zones创建正向区域文件
[root@nod1 ~]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN { type master; file "wupeng.com.zone";};
利用模板创建一个wupeng.com域的区域数据文件 文件权限为640 属组为named
[root@nod1 ~]# cd /var/named/
第一种:
[root@nod1 named]# cp -p named.localhost wupeng.com.zone
第二种:
[root@nod1 named]# cp -rf named.localhost wupeng.com.zone
[root@nod1 named]# chmod 640 wupeng.com.zone
[root@nod1 named]# chgrp named wupeng.com.zone
查看文件属性
[root@nod1 named]# ll wupeng.com.zone
-rw-r----- 1 root named 152 6月 21 2007 wupeng.com.zone
编辑wupeng.com.zone文件记录 NS和A记录
[root@nod1 named]# vim wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062800 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
ns1 IN A 10.208.131.222
www IN A 10.208.131.223
检测主配置文件和区域数据文件是否有错误
[root@nod1 named]# named-checkconf //正确是没有任何提示
[root@nod1 named]# named-checkzone wupeng.com /var/named/wupeng.com.zone
zone wupeng.com/IN: loaded serial 2017062800
OK
启动bind服务 并测试正向解析是否成功
[root@nod1 named]# service named start
Generating /etc/rndc.key: [确定]
启动 named: [确定]
测试:
[root@nod1 named]# dig -t A www.wupeng.com @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t A www.wupeng.com @10.208.131.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wupeng.com. IN A
;; ANSWER SECTION:
www.wupeng.com. 86400 IN A 10.208.131.223
;; AUTHORITY SECTION:
wupeng.com. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 21:26:24 2017
;; MSG SIZE rcvd: 82
解释:
-t A www.wupeng.com 类型为A记录的域名
@10.208.131.222 以10.208.131.222的IP进行解析 无需在/etc/resolv.conf里进行设置
编辑/etc/named.rfc1912.zones创建反向区域文件
[root@nod1 named]# vim /etc/named.rfc1912.zones
zone "131.208.10.in-addr.arpa" IN {
    type master;
    file "10.208.131.zone";
};
利用模板创建一个10.208.131.zone的区域数据文件 文件权限为640 属组为named
[root@nod1 ~]# cd /var/named/
第一种:
[root@nod1 named]# cp -p named.loopback 10.208.131.zone
第二种:
[root@nod1 named]# cp -rf named.loopback 10.208.131.zone
[root@nod1 named]# chmod 640 10.208.131.zone
[root@nod1 named]# chgrp named 10.208.131.zone
查看文件属性
[root@nod1 named]# ll 10.208.131.zone
-rw-r----- 1 root named 263 6月 28 21:07 10.208.131.zone
编辑10.208.131.zone文件记录 NS和PTR记录
[root@nod1 named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062800 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
222 IN PTR ns1.wupeng.com.
223 IN PTR www.wupeng.com.
重新加载bind服务 并测试反向解析是否成功
[root@nod1 named]# rndc reload
server reload successful
测试:
[root@nod1 named]# dig -x 10.208.131.223 @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54483
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;223.131.208.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
223.131.208.10.in-addr.arpa. 86400 IN PTR www.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 21:19:16 2017
;; MSG SIZE rcvd: 107
主从复制
在主服务器添加从服务器的NS和A记录 并重新加载服务
$TTL 1D
$ORIGIN wupeng.com.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062802 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
IN NS ns2.wupeng.com.
ns1 IN A 10.208.131.222
ns2 IN A 10.208.131.228
www IN A 10.208.131.223
[root@nod1 named]# rndc reload
server reload successful
在主机nod2上安装bind相关文件
[root@nod2 ~]# yum install bind bind-utils -y
配置bind主文件
[root@nod2 ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 10.208.131.228; };
//  listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
配置区域文件
[root@nod2 ~]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN {
    type slave;
    file "slaves/wupeng.com";
    masters { 10.208.131.222; };
};
zone "131.208.10.in-addr.arpa" IN {
    type slave;
    file "slaves/10.208.131.zone";
    masters { 10.208.131.222; };
};
检查配置是否有错误
[root@nod2 ~]# named-checkconf
启动bind服务 查看区域数据是否传输到slaves目录下并测试
[root@nod2 ~]# service named start
启动 named: [确定]
[root@nod2 ~]# ll /var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 390 6月 28 21:55 10.208.131.zone
-rw-r--r-- 1 named named 335 6月 28 21:54 wupeng.com
测试:
[root@nod2 ~]# dig www.wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1634
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wupeng.com. IN A
;; ANSWER SECTION:
www.wupeng.com. 86400 IN A 10.208.131.223
;; AUTHORITY SECTION:
wupeng.com. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 21:56:38 2017
;; MSG SIZE rcvd: 82
[root@nod2 ~]# dig -x 10.208.131.223 @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18940
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;223.131.208.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
223.131.208.10.in-addr.arpa. 86400 IN PTR www.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 21:57:05 2017
;; MSG SIZE rcvd: 107
在主服务器新增一条记录 再进行测试 (每次修改区域文件后应递增SOA的serial 从服务器才会重新传送区域数据)
[root@nod1 named]# vim /var/named/wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062802 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
IN NS ns2.wupeng.com.
ns1 IN A 10.208.131.222
ns2 IN A 10.208.131.228
www IN A 10.208.131.223
dns IN A 10.208.131.224
[root@nod1 named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062802 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
IN NS ns2.wupeng.com.
222 IN PTR ns1.wupeng.com.
228 IN PTR ns2.wupeng.com.
223 IN PTR www.wupeng.com.
224 IN PTR dns.wupeng.com.
重新加载主服务器
[root@nod1 named]# rndc reload
server reload successful
重新加载从服务器
[root@nod2 ~]# rndc reload wupeng.com
zone refresh queued
[root@nod2 ~]# rndc reload 131.208.10.in-addr.arpa
zone refresh queued
NOTE: 在从服务器上不带区域名的 rndc reload 不生效 尝试多次后只有在后面加上区域名才生效
测试:
[root@nod2 ~]# dig dns.wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> dns.wupeng.com @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30389
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;dns.wupeng.com. IN A
;; ANSWER SECTION:
dns.wupeng.com. 86400 IN A 10.208.131.224
;; AUTHORITY SECTION:
wupeng.com. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 0 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 22:29:46 2017
;; MSG SIZE rcvd: 82
[root@nod2 ~]# dig -x 10.208.131.224 @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.224 @10.208.131.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20995
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;224.131.208.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
224.131.208.10.in-addr.arpa. 86400 IN PTR dns.wupeng.com.
;; AUTHORITY SECTION:
131.208.10.in-addr.arpa. 86400 IN NS ns1.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86400 IN A 10.208.131.222
;; Query time: 1 msec
;; SERVER: 10.208.131.228#53(10.208.131.228)
;; WHEN: Wed Jun 28 22:30:07 2017
;; MSG SIZE rcvd: 107
子域配置
在主机nod3上安装bind相关软件 并配置主文件
[root@nod3 ~]# yum install bind bind-utils -y
[root@nod3 ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; 10.208.131.229; };
//  listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
[root@nod3 ~]# vim /etc/named.rfc1912.zones
zone "music.wupeng.com" IN {
    type master;
    file "music.wupeng.com.zone";
};
zone "wupeng.com" IN { //设置了转发功能才能进行查询和传输区域文件
    type forward;
    forward only;
    forwarders { 10.208.131.222; 10.208.131.228; };
};
复制模板创建子域区域配置文件
[root@nod3 named]# cp -p named.localhost music.wupeng.com.zone
[root@nod3 named]# vim music.wupeng.com.zone
$TTL 1D
$ORIGIN music.wupeng.com.
@ IN SOA ns3.music.wupeng.com. admin.music.wupeng.com. (
2017062800 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns3.music
ns3.music IN A 10.208.131.229
www IN A 10.208.131.230
检测是否有配置错误 (named-checkzone 只检查语法 在 $ORIGIN music.wupeng.com. 下相对名称 ns3.music 会展开为 ns3.music.music.wupeng.com. 见后面 dig 输出的 AUTHORITY 部分)
[root@nod3 named]# named-checkzone music.wupeng.com /var/named/music.wupeng.com.zone
zone music.wupeng.com/IN: loaded serial 2017062800
OK
在主服务器添加子域的NS和A记录 (子域委派记录的左侧名称应为子域名本身 即 music IN NS ns3.music.wupeng.com. 下文按 ns3 的写法 在后面的区域传送输出里可以看到生成的是 ns3.wupeng.com. 的NS记录)
[root@nod1 named]# vim /var/named/wupeng.com.zone
$TTL 1D
$ORIGIN wupeng.com.
@ IN SOA ns1.wupeng.com. admin.wupeng.com. (
2017062802 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.wupeng.com.
IN NS ns2.wupeng.com.
ns1 IN A 10.208.131.222
ns2 IN A 10.208.131.228
www IN A 10.208.131.223
dns IN A 10.208.131.224
ns3 IN NS ns3.music
ns3.music IN A 10.208.131.229
重新加载主服务器的区域数据 并启动nod3的bind服务
[root@nod1 named]# rndc reload
server reload successful
测试:
[root@nod3 named]# dig www.music.wupeng.com @10.208.131.229
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.music.wupeng.com @10.208.131.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46119
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.music.wupeng.com. IN A
;; ANSWER SECTION:
www.music.wupeng.com. 86400 IN A 10.208.131.230
;; AUTHORITY SECTION:
music.wupeng.com. 86400 IN NS ns3.music.music.wupeng.com.
;; ADDITIONAL SECTION:
ns3.music.music.wupeng.com. 86400 IN A 10.208.131.229
;; Query time: 0 msec
;; SERVER: 10.208.131.229#53(10.208.131.229)
;; WHEN: Wed Jun 28 23:28:55 2017
;; MSG SIZE rcvd: 94
[root@nod3 named]# dig www.wupeng.com @10.208.131.229
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.229
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25255
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.wupeng.com. IN A
;; ANSWER SECTION:
www.wupeng.com. 86365 IN A 10.208.131.223
;; AUTHORITY SECTION:
wupeng.com. 86365 IN NS ns1.wupeng.com.
wupeng.com. 86365 IN NS ns2.wupeng.com.
;; ADDITIONAL SECTION:
ns1.wupeng.com. 86365 IN A 10.208.131.222
ns2.wupeng.com. 86365 IN A 10.208.131.228
;; Query time: 13 msec
;; SERVER: 10.208.131.229#53(10.208.131.229)
;; WHEN: Wed Jun 28 23:29:06 2017
;; MSG SIZE rcvd: 116
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222 //全量区域传送
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222
;; global options: +cmd
wupeng.com. 86400 IN SOA ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800
wupeng.com. 86400 IN NS ns1.wupeng.com.
wupeng.com. 86400 IN NS ns2.wupeng.com.
dns.wupeng.com. 86400 IN A 10.208.131.224
ns3.music.wupeng.com. 86400 IN A 10.208.131.229
ns1.wupeng.com. 86400 IN A 10.208.131.222
ns2.wupeng.com. 86400 IN A 10.208.131.228
ns3.wupeng.com. 86400 IN NS ns3.music.wupeng.com.
www.wupeng.com. 86400 IN A 10.208.131.223
wupeng.com. 86400 IN SOA ns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600 604800 10800
;; Query time: 4 msec
;; SERVER: 10.208.131.222#53(10.208.131.222)
;; WHEN: Wed Jun 28 23:41:31 2017
;; XFR size: 10 records (messages 1, bytes 258)
任意主机都可以对区域数据进行全量传送(AXFR) 这会暴露整个区域的全部记录 一般是不允许的 所以我们要进行安全配置
在主机nod1的主配置文件中定义acl (需放在options块之外的全局位置) 并在区域配置中只允许从服务器进行区域传送
[root@nod1 named]# vim /etc/named.conf
acl slaves {
    10.208.131.228;
};
[root@nod1 named]# vim /etc/named.rfc1912.zones
zone "wupeng.com" IN {
    type master;
    file "wupeng.com.zone";
    allow-transfer { slaves; };
    allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
    type master;
    file "10.208.131.zone";
    allow-transfer { slaves; };
    allow-update { none; };
};
重新加载服务
[root@nod1 named]# rndc reload
server reload successful
在主机nod2的区域配置中禁止区域传送和动态更新
zone "wupeng.com" IN {
    type slave;
    file "slaves/wupeng.com";
    masters { 10.208.131.222; };
    allow-transfer { none; };
    allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
    type slave;
    file "slaves/10.208.131.zone";
    masters { 10.208.131.222; };
    allow-transfer { none; };
    allow-update { none; };
};
重新加载服务
[root@nod2 slaves]# rndc reload
server reload successful
测试
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222
;; global options: +cmd
; Transfer failed.
[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.228
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.228
;; global options: +cmd
; Transfer failed.