2.4. BIND master/slave configuration

Date:

2018-09

2.4.1. Master BIND configuration

The master BIND configuration is exactly the same as in the single-instance BIND deployment (see that section).

Master DNS system environment:

OS version: CentOS release 6.6 (Final)

Hostname: dns_01

Hardware: x86_64

Network: eth0(dhcp):192.168.161.137

BIND packages:

  • bind-libs-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-utils-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-chroot-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-devel-9.8.2-0.68.rc1.el6_10.1.x86_64

2.4.2. Slave BIND configuration

Slave DNS system environment:

OS version: CentOS release 6.6 (Final)

Hostname: dns_02

Hardware: x86_64

Network: eth0(dhcp):192.168.161.134

BIND packages:

  • bind-libs-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-utils-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-chroot-9.8.2-0.68.rc1.el6_10.1.x86_64

  • bind-devel-9.8.2-0.68.rc1.el6_10.1.x86_64

Note

In the /var/named/chroot/etc/view.conf written during the master BIND configuration, remove the leading comment marker from the commented-out lines (the configuration lines prefixed with //).

2.4.3. Backup BIND configuration

Remark

Both the forward-resolution zone files and the reverse-resolution zone files must be included from the main configuration file.

The BIND configuration process consists of the following steps:
  1. rndc configuration, used to manage BIND remotely;

  2. configuration of the BIND main configuration file /etc/named.conf;

  3. the main configuration file usually includes sub-configuration files, so that the configuration is split into layers and managed in pieces; this makes it easier to maintain and reduces its complexity;

  4. configuration of the authoritative zone files;

  5. adding the corresponding resource records to the authoritative zone files;

  6. adding the reverse zone file and its reverse (PTR) records.

2.4.3.1. Checking BIND after installation

Installation:

See: dns-bind-install

Check after installation:

[root@dns_02 ~]# yum install bind bind-devel -y
[root@dns_02 ~]# rpm -qa bind*
bind-libs-9.8.2-0.68.rc1.el6_10.1.x86_64
bind-devel-9.8.2-0.68.rc1.el6_10.1.x86_64
bind-utils-9.8.2-0.68.rc1.el6_10.1.x86_64
bind-chroot-9.8.2-0.68.rc1.el6_10.1.x86_64
bind-9.8.2-0.68.rc1.el6_10.1.x86_64
[root@dns_02 ~]# chkconfig|grep named
named           0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@dns_02 ~]# /etc/init.d/iptables status
iptables: Firewall is not running.

2.4.3.2. rndc configuration on the backup BIND server

Remark

By default neither /etc/rndc.key nor /etc/rndc.conf exists.

[root@dns_02 etc]# pwd
/etc
[root@dns_02 etc]# rndc-confgen >>rndc.conf
[root@dns_02 etc]# grep secret rndc.conf
        secret "TbfqkuoVT/rt2sCxi1/2TQ==";
#       secret "TbfqkuoVT/rt2sCxi1/2TQ==";

2.4.3.3. Modifying the backup BIND main configuration file

[root@dns_02 etc]# cp named.conf named.conf`date +%F`
[root@dns_02 etc]# ll named.conf*
-rw-r-----. 1 root named 984 Nov 20  2015 named.conf
-rw-r----- 1 root root 984 Sep 9 22:49 named.conf2018-10-28

Empty the configuration file named.conf and insert the following into it:

options {
    version "1.1.1";                 // string returned to version.bind queries instead of the real version
    listen-on port 53 {any;};
    directory "/var/named/chroot/etc/";
    pid-file "/var/named/chroot/var/run/named/named.pid";
    allow-query { any; };
    dump-file "/var/named/chroot/var/log/binddump.db";
    statistics-file "/var/named/chroot/var/log/named_stats";
    zone-statistics yes;
    memstatistics-file "log/mem_stats";
    empty-zones-enable no;
    forwarders {                     // upstream resolvers for queries not answered locally
        219.146.0.130;
        8.8.8.8;
    };
};

// same key as generated by rndc-confgen in /etc/rndc.conf above
key "rndc-key" {
    algorithm hmac-md5;
    secret "TbfqkuoVT/rt2sCxi1/2TQ==";
};

// rndc control channel: local connections only, authenticated with rndc-key
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
    channel warning {
        file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel general_dns {
        file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default {
        warning;
    };
    category queries {
        general_dns;
    };
};

// client groups referenced by match-clients in view.conf
acl group1 {
    192.168.161.132;
};

acl group2 {
    192.168.161.136;
};

include "/var/named/chroot/etc/view.conf";

2.4.3.4. The view configuration file included by the backup BIND

Create the configuration file /var/named/chroot/etc/view.conf with the following content:

// Views are evaluated top-down; the first view whose match-clients matches
// the query source address answers the query.
// Clients in acl group1 receive the "hb" copy of display.tk.
view "GROUP1" {
    match-clients { group1; };
    zone "display.tk" {
        type    slave;
        masters {192.168.161.137; };
        file "slave.hb.display.tk.zone";
    };
};

// Clients in acl group2 receive the "sd" copy of display.tk.
view "GROUP2" {
    match-clients { group2; };
    zone "display.tk" {
        type    slave;
        masters {192.168.161.137; };
        file "slave.sd.display.tk.zone";
    };
};
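With two views that each carry a zone named display.tk, the answer a client receives depends only on the first view whose match-clients list matches its source address. The following added example (not from the original page) reproduces that first-match selection over the acl and view definitions above, so that the expected client-to-view mapping can be checked before the configuration is loaded; the ACLS and VIEWS structures and the 192.168.161.140 client address are constructed.

```python
import ipaddress

# Constructed from the acl blocks in named.conf and the views in view.conf above
# (hypothetical data structures, not a BIND config parser).
ACLS = {
    "group1": ["192.168.161.132"],
    "group2": ["192.168.161.136"],
}

# Views in file order: BIND evaluates them top-down and the first view whose
# match-clients list matches the query source address answers the query.
VIEWS = [
    {"name": "GROUP1", "match_clients": ["group1"], "zone_file": "slave.hb.display.tk.zone"},
    {"name": "GROUP2", "match_clients": ["group2"], "zone_file": "slave.sd.display.tk.zone"},
]

def _entry_matches(entry, client):
    """Match one address-match-list element: 'any', 'none', an acl name, or an IP/CIDR.
    Negated ('!') elements are not modelled here."""
    if entry == "any":
        return True
    if entry == "none":
        return False
    if entry in ACLS:
        return any(_entry_matches(e, client) for e in ACLS[entry])
    return client in ipaddress.ip_network(entry, strict=False)

def select_view(client_ip):
    """Return the first view matching client_ip, or None when no view matches
    (BIND then refuses the query instead of answering from any zone)."""
    client = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if any(_entry_matches(e, client) for e in view["match_clients"]):
            return view
    return None

def zone_file_for(client_ip):
    """Zone file that would answer a display.tk query from client_ip, or None."""
    view = select_view(client_ip)
    return view["zone_file"] if view else None

if __name__ == "__main__":
    for ip in ("192.168.161.136", "192.168.161.132", "192.168.161.140"):
        view = select_view(ip)
        print(ip, "->", view["name"] if view else "no matching view (query refused)")
```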

2.4.3.5. Modifying the backup BIND zone files

[root@dns_02 etc]# pwd
/var/named/chroot/etc

[root@dns_02 etc]# vi slave.sd.display.tk.zone

$ORIGIN .
$TTL 3600       ; 1 hour
display.tk                  IN SOA  op.display.tk. dns.display.tk. (
                                2000       ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      op.display.tk.
$ORIGIN display.tk.
shanks              A       1.2.3.4
op                  A       1.2.3.4
www                 A       192.168.161.134

[root@dns_02 etc]# vi slave.hb.display.tk.zone

$ORIGIN .
$TTL 3600       ; 1 hour
display.tk                  IN SOA  op.display.tk. dns.display.tk. (
                                2000       ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      op.display.tk.
$ORIGIN display.tk.
shanks              A       1.2.3.4
op                  A       1.2.3.4
www                 A       192.168.161.138
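A slave accepts a new copy of display.tk only when the master's SOA serial is newer than the serial in the zone file it currently holds, so a change on the master that leaves the serial at 2000 never reaches dns_02. The following added example (not part of the original page) parses the SOA of the zone file shown above and applies the RFC 1982 serial comparison to decide whether a transfer would happen; the master serial values passed in are constructed.

```python
import re

# Constructed sample: the SOA and www record of slave.sd.display.tk.zone from this page.
SLAVE_ZONE = """\
$ORIGIN .
$TTL 3600       ; 1 hour
display.tk                  IN SOA  op.display.tk. dns.display.tk. (
                                2000       ; serial
                                900        ; refresh (15 minutes)
                                600        ; retry (10 minutes)
                                86400      ; expire (1 day)
                                3600       ; minimum (1 hour)
                                )
                        NS      op.display.tk.
$ORIGIN display.tk.
www                 A       192.168.161.134
"""

def parse_soa(zone_text):
    """Return the five SOA values as a dict, handling the parenthesised multi-line form."""
    # Drop ';' comments first so the numbers can be joined across lines.
    stripped = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", stripped)
    if not m:
        raise ValueError("no SOA record found")
    values = [int(tok) for tok in m.group(3).split()]
    if len(values) != 5:
        raise ValueError("SOA must carry serial, refresh, retry, expire, minimum")
    return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), values))

def serial_gt(a, b):
    """RFC 1982 comparison of 32-bit serials: True if a is 'newer' than b, wrap-around aware."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)

def slave_will_transfer(master_serial, slave_zone_text):
    """A slave pulls a new copy only when the master's serial is newer than its own."""
    return serial_gt(master_serial, parse_soa(slave_zone_text)["serial"])

if __name__ == "__main__":
    soa = parse_soa(SLAVE_ZONE)
    print("slave serial:", soa["serial"], "refresh every", soa["refresh"], "s")
    for master in (2000, 2001):
        print("master serial", master, "->", "transfer" if slave_will_transfer(master, SLAVE_ZONE) else "no transfer")
```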

2.4.3.6. Testing

[root@client_sd_01 ~]# ifconfig eth0|awk -F '[ :]+' '{if(NR==2) print $4}'
192.168.161.136
[root@client_sd_01 ~]# dig @192.168.161.134 WWW.display.tk

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> @192.168.161.134 WWW.display.tk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42608
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;WWW.display.tk.                        IN      A

;; ANSWER SECTION:
WWW.display.tk.         3600    IN      A       192.168.161.134

;; AUTHORITY SECTION:
display.tk.             3600    IN      NS      op.display.tk.

;; ADDITIONAL SECTION:
op.display.tk.          3600    IN      A       1.2.3.4

;; Query time: 1 msec
;; SERVER: 192.168.161.134#53(192.168.161.134)
;; WHEN: Mon Oct 15 13:10:05 2018
;; MSG SIZE  rcvd: 81

[root@client_hb_01 ~]# ifconfig eth0|awk -F '[ :]+' '{if(NR==2) print $4}'
192.168.161.132
[root@client_hb_01 ~]# dig @192.168.161.134 WWW.display.tk

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> @192.168.161.134 WWW.display.tk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56745
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;WWW.display.tk.                        IN      A

;; ANSWER SECTION:
WWW.display.tk.         3600    IN      A       192.168.161.138

;; AUTHORITY SECTION:
display.tk.             3600    IN      NS      op.display.tk.

;; ADDITIONAL SECTION:
op.display.tk.          3600    IN      A       1.2.3.4

;; Query time: 1 msec
;; SERVER: 192.168.161.134#53(192.168.161.134)
;; WHEN: Sun Oct 28 11:49:29 2018
;; MSG SIZE  rcvd: 81

2.4.4. named logs

The log file /var/named/chroot/var/log/named_stats does not exist by default; run the following command to generate it.

rndc stats