BIND installation, configuration and use

BIND: Berkeley Internet Name Domain, ISC.org

Implementing the DNS service:

Listening ports: 53/UDP, 53/TCP

Package: bind

Server program: named

Client tools: dig, host, nslookup

[root@stu1 ~]# yum repolist

Loaded plugins: fastestmirror, refresh-packagekit, security

Loading mirror speeds from cached hostfile

repo id repo name status

base CentOS 4,184

epel CentOS 6.6 EPEL 12,922

repolist: 17,106

 
 

# yum list bind*

Loaded plugins: fastestmirror, refresh-packagekit, security

Loading mirror speeds from cached hostfile

base | 3.2 kB 00:00

epel | 3.0 kB 00:00

Installed Packages

bind-libs.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6

(shared libraries)

bind-utils.x86_64 32:9.8.2-0.30.rc1.el6 @anaconda-CentOS-201410241409.x86_64/6.6

(client utilities)

Available Packages

bind.x86_64 32:9.8.2-0.30.rc1.el6 base

(the server program)

bind-chroot.x86_64 32:9.8.2-0.30.rc1.el6 base

(hardening add-on: runs named with /var/named/chroot/ as its root directory, so the process is confined to that tree)

bind-dyndb-ldap.x86_64 2.3-5.el6 base

bind-libs.i686 32:9.8.2-0.30.rc1.el6 base

# yum info bind

# yum info bind-chroot

# yum install -y bind

# rpm -qc bind

BIND:

Resolver configuration: /etc/resolv.conf

Service script: /etc/rc.d/init.d/named [start|stop|restart] // start|stop|restart the named service

Main configuration file: /etc/named.conf

/etc/named.rfc1912.zones

Zone data files: /var/named/zone_name.zone

RFC: Request for Comments

When errors come up while installing, configuring or using DNS, work through the following configuration files one at a time:

Step 1: first check whether the named service is running. Service script: /etc/rc.d/init.d/named [start|stop|restart] /* start|stop|restart the named service */

or: service named [start|stop|restart]

Step 2: check your settings in the main configuration files:

vim /etc/named.conf

vim /etc/named.rfc1912.zones // (declares the master and slave zones and their zone files)

Check the configuration syntax (a handy troubleshooting trick):

# named-checkconf

# named-checkconf /etc/named.rfc1912.zones

Step 3: the zone data file settings:

vim /var/named/zone_name.zone

Step 4: if there are still errors, look at /var/log/messages


/etc/named

/etc/named.conf

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/portreserve/named

/etc/rc.d/init.d/named

/etc/rndc.conf

/etc/rndc.key

/etc/sysconfig/named (configuration file for the named init script)

# service named start // start the named service

[root@stu1 ~]# ss -tunlp |grep 53

udp UNCONN 0 0 127.0.0.1:53 *:* users:(("named",3180,512))

udp UNCONN 0 0 *:53419 *:* users:(("rpc.statd",1307,7))

udp UNCONN 0 0 ::1:53 :::* users:(("named",3180,513))

tcp LISTEN 0 3 ::1:53 :::* users:(("named",3180,21))

tcp LISTEN 0 3 127.0.0.1:53 *:* users:(("named",3180,20))

tcp LISTEN 0 128 ::1:953 :::* users:(("named",3180,23))

tcp LISTEN 0 128 127.0.0.1:953 *:* users:(("named",3180,22))

It started and nothing looks out of the ordinary; with the stock configuration named only listens on the loopback addresses.

Where the 13 root servers are listed (the root hints file):

# rpm -qc bind

/var/named/named.ca

Now ping the local host:

# ping localhost

PING localhost (127.0.0.1) 56(84) bytes of data.

64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.023 ms

# cat /etc/hosts

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

172.16.0.1 server.magelinux.com server

DNS resolution tells the host that the answer is 127.0.0.1

Zone data files:

/var/named/named.localhost

/var/named/named.loopback

Caching DNS server:

1. Root servers: named.ca

2. localhost <----> 127.0.0.1, served from the two zone files above


# cat /etc/named.conf

// Global options: define how the named process behaves
options {
        // Listening port and address
        //listen-on port 53 { 127.0.0.1; };
        listen-on port 53 { 172.16.31.2; };
        //listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // To allow every host to query, comment this line out
        //allow-query { localhost; };
        // Whether to recurse
        recursion yes;
        // DNSSEC-related settings; for this setup set them to no or comment them out
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

        /* Path to ISC DLV key */
        /*bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
        */
};

# Logging
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

# Zones this DNS server is responsible for; there can be several zone statements
zone "." IN {
        type hint;
        file "named.ca";
};

// Pull these files into this one
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Check the main configuration file syntax:

# named-checkconf

Restart the named service:

# service named restart


If the configuration is left unchanged, a dig from a client does not succeed:

# dig -t A localhost @172.16.31.2

 
 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21604

;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; WARNING: recursion requested but not available

 
 

;; QUESTION SECTION:

;localhost. IN A

 
 

;; Query time: 1 msec

;; SERVER: 172.16.31.2#53(172.16.31.2)

;; WHEN: Tue Dec 9 07:43:13 2014

;; MSG SIZE rcvd: 27

Resolution succeeds:

# dig -t A localhost @172.16.31.2

 
 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t A localhost @172.16.31.2

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37731

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

# aa: authoritative answer

;; QUESTION SECTION:

;localhost. IN A

 
 

;; ANSWER SECTION:

localhost. 86400 IN A 127.0.0.1

# answer section

;; AUTHORITY SECTION:

localhost. 86400 IN NS localhost.

# additional section, e.g. for dig -t MX google.com @172.16.0.1

;; ADDITIONAL SECTION:

localhost. 86400 IN AAAA ::1

 
 

;; Query time: 1 msec

;; SERVER: 172.16.31.2#53(172.16.31.2)

;; WHEN: Tue Dec 9 07:47:33 2014

;; MSG SIZE rcvd: 85

 
 

 
 

Configuring the DNS server as the master for a zone:

1. Define the zone in the main configuration file

zone "zone_name" IN {
        type master;
        file "/path/to/zone_file.zone";
};

zone_name:

Forward zone: google.com

Reverse zone: the network address reversed, under in-addr.arpa

Check the configuration file:

# named-checkconf /etc/named.rfc1912.zones // (master and slave zone configuration file)

# ls /etc/named.rfc1912.zones

/etc/named.rfc1912.zones

For example:

zone "google.com" IN {
        type master;
        file "google.com.zone";
};

2. Define the zone database file that the zone statement refers to

It contains resource records and may also contain macro definitions:

$TTL

$ORIGIN


# pwd

/var/named

# vim google.com.zone

$TTL 600
$ORIGIN google.com.
@       IN SOA ns1.google.com. nsadmin.google.com. (
                2014120901  ; serial: version number of the zone data
                1H          ; refresh: how often slaves check for a newer serial
                5M          ; retry: wait after a failed refresh (retry < refresh)
                3D          ; expire: how long slaves keep serving the zone without a successful refresh
                3H )        ; negative-answer TTL
        IN NS ns1
        IN MX 10 mail1
ns1     IN A 172.16.31.2
mail1   IN A 172.16.31.2
www     IN A 172.16.31.2
pop3    IN A 172.16.31.2
iamp4   IN A 172.16.31.2


Set the file permissions:

# chmod 640 google.com.zone

Set the file's group:

# chown :named google.com.zone /* only the named group may read it */

Check the zone file syntax:

# named-checkzone "google.com" /var/named/google.com.zone

Reload the service:

# service named reload

Test the service:

# dig -t SOA google.com @172.16.31.2

# dig -t MX google.com @172.16.31.2


Client test tools: dig, host, nslookup

dig:

Usage: dig -t type name @SERVER [queryoptions]

[-t type] record type

[queryoptions]

+[no]tcp

+[no]trace trace the whole iterative resolution process

# dig -t A www.baidu.com @172.16.0.1 +trace

+[no]recurse query recursively or not

# dig -t A www.google.com @172.16.0.1 +recurse

[-x IP] resolve an IP address to a host name (reverse lookup)

# dig -x 172.16.31.2 @172.16.31.2

host:

Usage: host [-t type] name [SERVER]

# host -t A www.google.com 172.16.31.2

# host -t MX google.com 172.16.31.2

nslookup:

Usage: nslookup [options] [name | - ] [server]

# nslookup

> server 172.16.32.2 the server to use for queries

> set q=a set the query type (upper or lower case both work)

> www.google.com the name to look up

> set q=MX

> mail1.google.com


3. Reverse zone names have a fixed suffix: .in-addr.arpa. // fixed format for reverse resolution

4. The zone file of a reverse zone contains SOA, NS and PTR records, but no MX or A records

Building the reverse zone:

# vi /etc/named.rfc1912.zones

zone "31.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.31.zone";
};


[root@stu1 named]# cat 172.16.31.zone

$TTL 600
$ORIGIN 31.16.172.in-addr.arpa.
@       IN SOA ns1.google.com. nsadmin.google.com. (
                2014120901
                1H
                5H
                3D
                3H )
        IN NS ns1.google.com.
2       IN PTR ns1.google.com.
2       IN PTR mail1.google.com.
2       IN PTR pop3.google.com.
2       IN PTR www.google.com.
2       IN PTR iamp4.google.com.
; the leading 2 above is the host part of the address (172.16.31.2)

The SOA record:

name: the zone name

[ttl]: the TTL used for negative answers

value (two parts):

the FQDN of the master DNS server (the name of the current zone can also be used);

the mailbox of the zone's administrator;

@ stands for the name of the current zone, so the mailbox must not contain an @ sign (nsadmin.google.com. stands for nsadmin@google.com).

# chmod 640 172.16.31.zone

# chown :named 172.16.31.zone

# service named reload

# dig -t axfr 31.16.172.in-addr.arpa @172.16.31.2 // axfr: full zone transfer


; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr 31.16.172.in-addr.arpa @172.16.31.2

;; global options: +cmd

31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800

31.16.172.in-addr.arpa. 600 IN NS ns1.google.com.

2.31.16.172.in-addr.arpa. 600 IN PTR ns1.google.com.

2.31.16.172.in-addr.arpa. 600 IN PTR mail1.google.com.

2.31.16.172.in-addr.arpa. 600 IN PTR pop3.google.com.

2.31.16.172.in-addr.arpa. 600 IN PTR www.google.com.

2.31.16.172.in-addr.arpa. 600 IN PTR iamp4.google.com.

31.16.172.in-addr.arpa. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120901 3600 18000 259200 10800

;; Query time: 2 msec

;; SERVER: 172.16.31.2#53(172.16.31.2)

;; WHEN: Tue Dec 9 09:20:08 2014

;; XFR size: 8 records (messages 1, bytes 241)

 
 

[root@CA ~]# host -t ptr 172.16.31.2 172.16.31.2

Using domain server:

Name: 172.16.31.2

Address: 172.16.31.2#53

Aliases:

 
 

2.31.16.172.in-addr.arpa domain name pointer www.google.com.

2.31.16.172.in-addr.arpa domain name pointer iamp4.google.com.

2.31.16.172.in-addr.arpa domain name pointer ns1.google.com.

2.31.16.172.in-addr.arpa domain name pointer mail1.google.com.

2.31.16.172.in-addr.arpa domain name pointer pop3.google.com.

[root@CA ~]# nslookup

> server 172.16.31.2

Default server: 172.16.31.2

Address: 172.16.31.2#53

> set q=ptr

> 172.16.31.2

Server: 172.16.31.2

Address: 172.16.31.2#53

 
 

2.31.16.172.in-addr.arpa name = iamp4.google.com.

2.31.16.172.in-addr.arpa name = ns1.google.com.

2.31.16.172.in-addr.arpa name = mail1.google.com.

2.31.16.172.in-addr.arpa name = pop3.google.com.

2.31.16.172.in-addr.arpa name = www.google.com.

 
 

 
 

 
 

 
 

Building a slave server:

On the master:

# vim google.com.zone

$TTL 600
$ORIGIN google.com.
@       IN SOA ns1.google.com. nsadmin.google.com. (
                2014120902  ; serial, increased so that the slaves notice the change
                1H
                5H
                3D
                3H )
        IN NS ns1
        IN NS ns2
        IN MX 10 mail1
ns1     IN A 172.16.31.2
ns2     IN A 172.16.31.3
mail1   IN A 172.16.31.2
www     IN A 172.16.31.2
pop3    IN A 172.16.31.2
iamp4   IN A 172.16.31.2

or, in place of that last A record: iamp4 IN CNAME pop3 (a name that owns a CNAME may not own any other record)

Slave server configuration:
First switch to the other host, then copy the file from the 172.16.31.2 host over the network.

[root@CA ~]# scp root@172.16.31.2:/etc/named.conf /etc/named.conf

root@172.16.31.2's password:

named.conf 100% 1051 1.0KB/s 00:00

[root@CA ~]# cat /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

 
 

options {

//listen-on port 53 { 127.0.0.1; };

//listen-on port 53 { 172.16.31.2; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

//allow-query { localhost; };

recursion yes;

 
 

dnssec-enable no;

dnssec-validation no;

dnssec-lookaside no;

 
 

/* Path to ISC DLV key */

/*bindkeys-file "/etc/named.iscdlv.key";

 
 

managed-keys-directory "/var/named/dynamic";

*/

};

 
 

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

 
 

zone "." IN {

type hint;

file "named.ca";

};

 
 

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

 
 

[root@CA named]# service named reload

Reloading named: [ OK ]

 
 

[root@CA named]# ss -tunl |grep :53

udp UNCONN 0 0 172.16.31.3:53 *:*

udp UNCONN 0 0 127.0.0.1:53 *:*

udp UNCONN 0 0 ::1:53 :::*

tcp LISTEN 0 3 172.16.31.3:53 *:*

tcp LISTEN 0 3 127.0.0.1:53 *:*

tcp LISTEN 0 3 ::1:53 :::*

 
 

[root@CA named]# vim /etc/named.rfc1912.zones

zone "google.com" IN {
        type slave;
        file "slaves/google.com.zone";
        masters { 172.16.31.2; };
};

On the slave, /var/named/ is owned by root with group named, and the named group has no write permission on it; giving the group write access to that directory would make the system less secure, so the package provides the slaves/ subdirectory under it for the zone files received from the master.

 
 

Check the syntax:

[root@CA named]# named-checkconf

Reload the service:

# service named reload

 
 

[root@CA named]# tail /var/log/messages

Dec 9 09:31:05 CA named[3688]: using default UDP/IPv4 port range: [1024, 65535]

Dec 9 09:31:05 CA named[3688]: using default UDP/IPv6 port range: [1024, 65535]

Dec 9 09:31:05 CA named[3688]: sizing zone task pool based on 7 zones

Dec 9 09:31:05 CA named[3688]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Dec 9 09:31:05 CA named[3688]: reloading configuration succeeded

Dec 9 09:31:05 CA named[3688]: reloading zones succeeded

Dec 9 09:31:05 CA named[3688]: zone google.com/IN: Transfer started.

Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: connected using 172.16.31.3#38254

Dec 9 09:31:05 CA named[3688]: transfer of 'google.com/IN' from 172.16.31.2#53: Transfer completed: 1 messages, 9 records, 243 bytes, 0.001 secs (243000 bytes/sec)

 
 

Only ns1 shows up here, not ns2, because the master's configuration has not been reloaded yet.

[root@CA named]# ll slaves/google.com.zone

-rw-r--r-- 1 named named 428 Dec 9 09:31 slaves/google.com.zone

[root@CA named]# cat slaves/google.com.zone

$ORIGIN .

$TTL 600 ; 10 minutes

google.com IN SOA ns1.google.com. nsadmin.google.com. (

2014120901 ; serial

3600 ; refresh (1 hour)

18000 ; retry (5 hours)

259200 ; expire (3 days)

10800 ; minimum (3 hours)

)

NS ns1.google.com.

MX 10 mail1.google.com.

$ORIGIN google.com.

iamp4 A 172.16.31.2

mail1 A 172.16.31.2

ns1 A 172.16.31.2

pop3 A 172.16.31.2

www A 172.16.31.2

 
 

The master's configuration was changed but not reloaded, so reload it on the master:

[root@stu1 named]# service named reload

Reloading named: [ OK ]

[root@stu1 named]# tail /var/log/messages

Dec 9 09:32:36 stu1 named[3336]: received control channel command 'reload'

Dec 9 09:32:36 stu1 named[3336]: loading configuration from '/etc/named.conf'

Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv4 port range: [1024, 65535]

Dec 9 09:32:36 stu1 named[3336]: using default UDP/IPv6 port range: [1024, 65535]

Dec 9 09:32:36 stu1 named[3336]: sizing zone task pool based on 8 zones

Dec 9 09:32:36 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Dec 9 09:32:36 stu1 named[3336]: reloading configuration succeeded

Dec 9 09:32:36 stu1 named[3336]: reloading zones succeeded

Dec 9 09:32:36 stu1 named[3336]: zone google.com/IN: sending notifies (serial 2014120902)

 
 

The experiment above had been altered in between, so its update status is unclear; I changed a few things and loaded again. What follows is the normal behaviour of an incremental update:

[root@stu1 named]# tail /var/log/messages

Dec 9 20:39:41 stu1 named[3336]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Dec 9 20:39:41 stu1 named[3336]: reloading configuration succeeded

Dec 9 20:39:41 stu1 named[3336]: reloading zones succeeded

Dec 9 20:39:41 stu1 named[3336]: zone 31.16.172.in-addr.arpa/IN: loaded serial 2014120903

Dec 9 20:39:41 stu1 named[3336]: dns_master_load: google.com.zone:18: imap4.google.com: CNAME and other data

Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: loading from master file google.com.zone failed: CNAME and other data

Dec 9 20:39:41 stu1 named[3336]: zone google.com/IN: not loaded due to errors.

Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR started

Dec 9 20:39:41 stu1 named[3336]: client 172.16.31.3#37586: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR ended
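A checker for the zone-file layout used above and for the "CNAME and other data" error in the log just shown, added here as an example (it is not code from the page or from BIND): it parses the master-file format, then reports an SOA with the wrong number of values, a retry longer than the refresh (the reverse zone above uses 1H/5H), and a name that owns a CNAME plus other data. The sample zone is constructed from the page's records; imap4 is spelled as named logs it.

```python
import re

# Constructed sample in the page's master-file layout, with the CNAME clash
# that named reports as "CNAME and other data".
SAMPLE_ZONE = """\
$TTL 600
$ORIGIN google.com.
@       IN SOA ns1.google.com. nsadmin.google.com. (
                2014120902  ; serial
                1H          ; refresh
                5M          ; retry
                3D          ; expire
                3H )        ; negative-answer TTL
        IN NS ns1
        IN MX 10 mail1
ns1     IN A 172.16.31.2
mail1   IN A 172.16.31.2
pop3    IN A 172.16.31.2
imap4   IN A 172.16.31.2
imap4   IN CNAME pop3
"""

UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
RRTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}

def ttl_seconds(tok):
    """Convert a BIND time value such as 1H, 5M or 3600 to seconds."""
    num, unit = re.fullmatch(r"(\d+)([SMHDW]?)", tok.upper()).groups()
    return int(num) * UNITS[unit]

def parse_zone(text):
    """Return (records, problems); a record is (owner FQDN, type, rdata)."""
    origin, owner, records, problems, buf, depth = ".", "@", [], [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip():
            continue
        if not buf:                                 # first line of a record
            has_owner = not line[0].isspace()       # indented = owner omitted
        toks = line.replace("(", " ( ").replace(")", " ) ").split()
        depth += toks.count("(") - toks.count(")")
        buf += [t for t in toks if t not in ("(", ")")]
        if depth > 0:                               # still inside ( ... )
            continue
        toks, buf = buf, []
        if toks[0].startswith("$"):                 # $ORIGIN, $TTL or a typo
            if toks[0] == "$ORIGIN":
                origin = toks[1]
            elif toks[0] != "$TTL":
                problems.append("unknown directive " + toks[0])
            continue
        if has_owner:
            owner = toks.pop(0)
        name = origin if owner == "@" else owner
        if not name.endswith("."):
            name += "." + origin.lstrip(".")
        idx = next((i for i, t in enumerate(toks) if t.upper() in RRTYPES), None)
        if idx is None:
            problems.append("no record type for " + name)
        else:
            records.append((name, toks[idx].upper(), toks[idx + 1:]))
    return records, problems

def check_zone(text):
    """Run the checks; an empty list means the zone file passes."""
    records, problems = parse_zone(text)
    soa = [r[2][2:] for r in records if r[1] == "SOA"]   # values after MNAME, RNAME
    fields = soa[0] if len(soa) == 1 else []
    if len(fields) != 5:
        problems.append("SOA needs serial/refresh/retry/expire/minimum, got %d" % len(fields))
    elif ttl_seconds(fields[2]) >= ttl_seconds(fields[1]):
        problems.append("SOA retry %s must be shorter than refresh %s" % (fields[2], fields[1]))
    types_at = {}
    for name, rtype, _ in records:
        types_at.setdefault(name, set()).add(rtype)
    for name in sorted(types_at):                   # the error named logged above
        if "CNAME" in types_at[name] and len(types_at[name]) > 1:
            problems.append(name + ": CNAME and other data")
    return problems
```

Running check_zone on the page's first forward zone listing (SOA values 1H 5M 3D 3H, no serial) reports the missing field, and on the reverse zone it reports the 5H retry.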

 
 

 
 

Then look on the slave again; the synchronisation succeeded:

[root@CA named]# cat slaves/google.com.zone

$ORIGIN .

$TTL 600 ; 10 minutes

google.com IN SOA ns1.google.com. nsadmin.google.com. (

; serial

3600 ; refresh (1 hour)

18000 ; retry (5 hours)

259200 ; expire (3 days)

10800 ; minimum (3 hours)

)

NS ns1.google.com.

NS ns2.google.com.

MX 10 mail1.google.com.

$ORIGIN google.com.

iamp4 A 172.16.31.2

mail1 A 172.16.31.2

ns1 A 172.16.31.2

ns2 A 172.16.31.3

pop3 A 172.16.31.2

www A 172.16.31.2

 
 

Resolving from a Windows machine:

 
 

 
 

rndc: Remote Name Daemon Control

It talks to the named service over a socket and makes named carry out specific operations.

The key that controls the named service:

[root@stu1 named]# cat /etc/rndc.key

key "rndc-key" {
        algorithm hmac-md5;
        secret "X203BQ+6bQVPKfBLHXpiDw==";
};

# rndc-confgen # generates the rndc configuration file

It may hang:

it reads random numbers from /dev/random or /dev/urandom to generate the key

# /dev/random: draws random numbers from the entropy pool and blocks the calling process when the pool is exhausted

# /dev/urandom: draws random numbers from the entropy pool and falls back to software-generated pseudo-random numbers when the pool is exhausted

# rndc-confgen -r /dev/urandom

Generates a random key; the same key is printed for both the rndc.conf half and the named.conf half of the output

# rndc-confgen -r /dev/urandom

# Start of rndc.conf

key "rndc-key" {

algorithm hmac-md5;

secret "YvgyyouB/CHTCUokRe4gbw==";

};

 
 

options {

default-key "rndc-key";

default-server 127.0.0.1;

default-port 953;

};

# End of rndc.conf

 
 

# Use with the following in named.conf, adjusting the allow list as needed:

# key "rndc-key" {

# algorithm hmac-md5;

# secret "YvgyyouB/CHTCUokRe4gbw==";

# };

#

# controls {

# inet 127.0.0.1 port 953

# allow { 127.0.0.1; } keys { "rndc-key"; };

# };

# End of named.conf

 
 

# rndc-confgen -r /dev/urandom > /etc/rndc.conf

# vim /etc/rndc.conf

Copy the following part of the file into named.conf to enable remote management of the DNS server:

# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
        algorithm hmac-md5;
        secret "YvgyyouB/CHTCUokRe4gbw==";
};

controls {
        inet 127.0.0.1 port 953 # only the local machine may control named
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# End of named.conf

Then:

[root@stu1 named]# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

[root@stu1 named]# rndc stats

[root@stu1 named]# rndc status # show the current status

version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 21

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000 # recursive clients

tcp clients: 0/100

server is up and running

 
 

 
 

 
 

 
 

The master DNS server can now be managed locally with rndc, but the rndc client on the slave DNS server is not configured yet, so let's configure it:

Master DNS server configuration:

controls {
        inet 0.0.0.0 port 953
        allow { 127.0.0.1; 172.16.31.3; 172.16.31.4; } keys { "rndc-key"; };
};

Add the slave servers' IP addresses to the allow list and set the listening address to 0.0.0.0; with the control port reachable from the network, the allow list and the key are what keep it restricted.

Slave DNS server configuration:

Copy the following section of the master's /etc/rndc.conf into /etc/rndc.conf on the slave:

key "rndc-key" {

algorithm hmac-md5;

secret "5xhClxlukK5HSJxmZ4ZV8w==";

};

 
 

options {

default-key "rndc-key";

default-server 127.0.0.1;

default-port 953;

};

Change the options section on the slave to the following:

key "rndc-key" {

algorithm hmac-md5;

secret "5xhClxlukK5HSJxmZ4ZV8w==";

};

 
 

options {

default-key "rndc-key";

default-server 172.16.31.3;

default-port 953;

};

 
 

Restart the named service:

[root@dns1 named]# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

Check the listening sockets:

[root@dns1 named]# ss -tunl |grep 53

udp UNCONN 0 0 172.16.31.3:53 *:*

udp UNCONN 0 0 127.0.0.1:53 *:*

tcp LISTEN 0 3 172.16.31.3:53 *:*

tcp LISTEN 0 3 127.0.0.1:53 *:*

tcp LISTEN 0 128 *:953 *:*

 
 

Port 953 is now open.

[root@dns1 named]# rndc status

version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 21

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running

 
 

Restart on the slave DNS server:

[root@dns2 named]# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

 
 

Test that the slave DNS server can manage the master DNS server:

[root@dns2 named]# rndc -s 172.16.31.3 status

version: 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 21

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running

 
 

 
 

 
 

 
 

rndc usage and commands:

# man rndc look up the manual page

Syntax: rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] {command}

# rndc -h get help

reload: reload the configuration file and the zone files

reload zone: reload only the given zone's file

refresh zone: schedule maintenance for the zone

retransfer zone: transfer the zone from the master without checking the serial number

notify zone: resend NOTIFY messages for the zone

reconfig: reload only the configuration file and any newly added zones

querylog: turn query logging on or off (off by default)

# rndc querylog

# rndc status

# tail /var/log/messages

stop: save pending updates to disk and then shut the DNS server down

trace level: set the debug level; without a number it goes up one level, or give the level explicitly (e.g. trace 3)

notrace: turn debugging off

flush: flush the server's cache

Notes:

1. In the zone file of any zone that has slave servers, an NS record must be defined for every DNS server.

2. For data synchronisation the clocks of the servers must agree:

# crontab -e

*/3 * * * * /usr/sbin/ntpdate 172.16.0.1 &> /dev/null

[root@stu1 named]# ntpdate 172.16.0.1

9 Dec 18:14:26 ntpdate[3844]: step time server 172.16.0.1 offset 28998.955058 sec

[root@stu1 named]# date

Tue Dec 9 18:14:28 CST 2014

[root@CA named]# ntpdate 172.16.0.1

9 Dec 18:14:04 ntpdate[3868]: step time server 172.16.0.1 offset 28999.587173 sec

[root@CA named]# date

Tue Dec 9 18:14:09 CST 2014

3. BIND version differences: keep the versions the same where possible; when that cannot be done, an older master with a newer slave is acceptable.

4. Open zone transfers only to the slave servers and close them off otherwise; since the slaves have to synchronise, a restriction has to be configured.

Anyone who can pull the zone data can read off the network topology, which is unsafe!

[root@CA named]# dig -t axfr google.com @172.16.31.2

 
 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2

;; global options: +cmd

google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800

google.com. 600 IN NS ns1.google.com.

google.com. 600 IN NS ns2.google.com.

google.com. 600 IN MX 10 mail1.google.com.

iamp4.google.com. 600 IN A 172.16.31.2

mail1.google.com. 600 IN A 172.16.31.2

ns1.google.com. 600 IN A 172.16.31.2

ns2.google.com. 600 IN A 172.16.31.3

pop3.google.com. 600 IN A 172.16.31.2

www.google.com. 600 IN A 172.16.31.2

google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120902 3600 18000 259200 10800

;; Query time: 1 msec

;; SERVER: 172.16.31.2#53(172.16.31.2)

;; WHEN: Tue Dec 9 18:18:56 2014

;; XFR size: 11 records (messages 1, bytes 277)

 
 

 
 

BIND security configuration:

1. ACLs (access control lists):

# vi /etc/named.conf

acl acl_name {
        IP;
        NETWORK/PREFIXLEN;
};

ACLs built into BIND:

none: no host at all

any: any host

localhost: the local machine

localnets: the local networks

Example:

1. Edit named.conf and add the acl statements:

acl mynet {
        172.16.31.0/24;
        127.0.0.0/8;
};

acl slaveservers {
        172.16.31.3;
        127.0.0.1;
};

2. Use them in /etc/named.rfc1912.zones:

zone "google.com" IN {
        type master;
        file "google.com.zone";
        allow-query { any; };
        allow-transfer { slaveservers; };
};

zone "31.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.31.zone";
        allow-query { any; };
        allow-transfer { slaveservers; };
};


 
 

[root@stu1 named]# rndc reload

server reload successful

[root@stu1 named]# tail /var/log/messages

Dec 9 21:40:14 stu1 named[4735]: received control channel command 'stats'

Dec 9 21:40:14 stu1 named[4735]: dumpstats complete

Dec 9 22:01:09 stu1 named[4735]: received control channel command 'reload'

Dec 9 22:01:09 stu1 named[4735]: loading configuration from '/etc/named.conf'

Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv4 port range: [1024, 65535]

Dec 9 22:01:09 stu1 named[4735]: using default UDP/IPv6 port range: [1024, 65535]

Dec 9 22:01:09 stu1 named[4735]: sizing zone task pool based on 8 zones

Dec 9 22:01:09 stu1 named[4735]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones

Dec 9 22:01:09 stu1 named[4735]: reloading configuration succeeded

Dec 9 22:01:09 stu1 named[4735]: reloading zones succeeded

 
 

On the slave, test whether the zone can still be transferred:

[root@CA named]# dig -t axfr google.com @172.16.31.2

 
 

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t axfr google.com @172.16.31.2

;; global options: +cmd

google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800

google.com. 600 IN NS ns1.google.com.

google.com. 600 IN NS ns2.google.com.

google.com. 600 IN MX 10 mail1.google.com.

ftp.google.com. 600 IN A 172.16.31.2

imap4.google.com. 600 IN A 172.16.31.2

mail1.google.com. 600 IN A 172.16.31.2

ns1.google.com. 600 IN A 172.16.31.2

ns2.google.com. 600 IN A 172.16.31.3

pop3.google.com. 600 IN A 172.16.31.2

www.google.com. 600 IN A 172.16.31.2

google.com. 600 IN SOA ns1.google.com. nsadmin.google.com. 2014120903 3600 18000 259200 10800

;; Query time: 1 msec

;; SERVER: 172.16.31.2#53(172.16.31.2)

;; WHEN: Tue Dec 9 22:05:56 2014

;; XFR size: 12 records (messages 1, bytes 297)

 
 

 
 

 
 

The allow lists can also be set in the main configuration file, where they apply to all zones:

# vi /etc/named.conf

allow-query { ... };

allow-transfer { ... };

allow-recursion { ... };

By default the server allows recursive queries,

but we want to stop recursing for everyone else and only recurse for the local network:

# vi /etc/named.conf

//recursion yes;

allow-recursion { mynet; };
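As an added example (not from the page or from BIND), a small auditor for the allow-transfer and allow-recursion settings discussed in this section: it parses the named.conf statement syntax and flags master zones that any client can AXFR, plus a recursion setting that is not tied to an explicit ACL. The configuration it reads is constructed from the page's ACLs and zones, and the comments state the assumptions about BIND's defaults it relies on.

```python
import re

# Constructed named.conf in the page's layout: options, the two ACLs and the
# two master zones, the reverse one without allow-transfer.
SAMPLE_CONF = """\
options {
    recursion yes;
    allow-recursion { mynet; };
};
acl mynet { 172.16.31.0/24; 127.0.0.0/8; };
acl slaveservers { 172.16.31.3; 127.0.0.1; };
zone "google.com" IN {
    type master;
    file "google.com.zone";
    allow-query { any; };
    allow-transfer { slaveservers; };   // only the slaves may pull the zone
};
zone "31.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.31.zone";
    allow-query { any; };
};
"""

# Tokens: the three comment styles, quoted strings, punctuation, bare words.
TOKEN = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def tokenize(text):
    """Split named.conf text into tokens, dropping comments."""
    return [t for t in TOKEN.findall(text) if not t.startswith(("//", "#", "/*"))]

def parse_block(toks, i=0):
    """Parse statements up to '}' or end of input -> ([(words, block)], next index)."""
    stmts, words, block = [], [], None
    while i < len(toks):
        t, i = toks[i], i + 1
        if t == "}":
            break
        if t == "{":
            block, i = parse_block(toks, i)          # nested { ... }
        elif t == ";":
            stmts.append((words, block))             # statement complete
            words, block = [], None
        else:
            words.append(t.strip('"'))
    return stmts, i

def stmt(stmts, keyword):  # first statement led by keyword, else None
    return next((s for s in stmts if s[0][:1] == [keyword]), None)

def addr_list(block):  # words of an address-match list such as { any; }
    return [w for words, _ in (block or []) for w in words]

def audit(text):
    """Return findings as strings; an empty list means the config passes."""
    top, _ = parse_block(tokenize(text))
    opts = (stmt(top, "options") or (None, None))[1] or []
    findings = []
    rec = stmt(opts, "recursion")
    if rec is None or rec[0][1:2] == ["yes"]:       # BIND recurses by default
        allow = stmt(opts, "allow-recursion")
        if allow is None:
            findings.append("options: recursion yes without an explicit allow-recursion list")
        elif "any" in addr_list(allow[1]):
            findings.append("options: allow-recursion { any; } makes this an open resolver")
    for words, block in top:
        if words[:1] != ["zone"] or block is None:
            continue
        ztype = stmt(block, "type")
        if ztype is None or ztype[0][1:2] != ["master"]:
            continue
        # Zone-level allow-transfer wins over the global one; with neither set,
        # BIND's default is allow-transfer { any; }, so anyone can pull the zone.
        xfer = stmt(block, "allow-transfer") or stmt(opts, "allow-transfer")
        if xfer is None:
            findings.append(words[1] + ": no allow-transfer, AXFR is open to any client")
        elif "any" in addr_list(xfer[1]):
            findings.append(words[1] + ": allow-transfer { any; } hands the zone to anyone")
    return findings
```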

 
 
