rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound
通过bind实现正向,反向,转发,主从,各种资源记录
7> 部署反向解析 从ip解析到fqdn
vim /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone
[root@serverb ~]# chown root:named /var/named/172.25.250.zone
[root@serverb ~]# chmod 640 /var/named/172.25.250.zone
[root@serverb ~]# vim /var/named/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
~
[root@serverb ~]# systemctl restart named
8> 测试
[root@servera ~]# host serverb.example.com
serverb.example.com has address 172.25.250.11
[root@servera ~]# host 172.25.250.10
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]# host 172.25.250.11
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]# host 172.25.250.12
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]# host 172.25.250.13
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]#
[root@servera ~]# nslookup
> set type=ptr
> 172.25.250.10
Server: 172.25.250.11
Address: 172.25.250.11#53
10.250.25.172.in-addr.arpa name = servera.example.com.
> set type=NS
> example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
example.com nameserver = serverb.example.com.
> set type=A
> servera.example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
Name: servera.example.com
Address: 172.25.250.10
>
也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x<ptr>
9> 主从同步:
修改配置文件在主DNS上配置
[root@serverc ~]# vim /etc/named.conf
zone "example.com" IN {
type master ;
file "example.com";
allow-transfer { 172.25.250.12; };
};
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12; };
};
[root@serverb ~]# systemctl restart named
在从DNS上<slave>
[root@serverc ~]# yum install -y bind
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
zone "example.com" IN {
type slave ; 类型是从DNS服务器
file "slaves/example.com";
masters { 172.25.250.11; };
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
file "slaves/172.25.250.zone";
masters { 172.25.250.11; };
};
[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverc ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
确认:
[root@serverc ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 490 Sep 3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep 3 22:29 example.com
[root@serverc ~]#
针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1,只有当序列号增加才会同步
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com. 从的DNS
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
[root@servera ~]# dig @serverb.example.com -x 172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN PTR serverb.example.com.
;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800 IN NS serverc.example.com.
250.25.172.in-addr.arpa. 10800 IN NS serverb.example.com.
;; ADDITIONAL SECTION:
serverb.example.com. 10800 IN A 172.25.250.11
serverc.example.com. 10800 IN A 172.25.250.12
;; Query time: 2 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE rcvd: 184
[root@servera ~]#
同步后,可以使用dig,发现有两个dns权威地址了。那么就是配置文件更改后,同步成功
10> 对于一个转发的DNS服务器来说,在正常情况下,如果我们没有配置转发,当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverd ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverd ~]# firewall-cmd --reload
success
[root@serverd ~]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
forwarders { 172.25.250.12 ;};
dnssec-enable no;
dnssec-validation no;
这两个可以删掉,也是zone地址。用不上
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
[root@serverd ~]# nslookup
> set type=A
> servera.example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer: 这里做了转发所以不一样。非授权机构
Name: servera.example.com
Address: 172.25.250.10
>
邮件服务器
邮件服务器要做转发,所以得找到邮件服务器
正
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
反
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
[root@serverb named]# nslookup
> set type=MX
> example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer:
example.com mail exchanger = 10 classroom.example.com.
Authoritative answers can be found from:
example.com nameserver = serverb.example.com.
example.com nameserver = serverc.example.com.
classroom.example.com internet address = 172.25.250.254
serverb.example.com internet address = 172.25.250.11
serverc.example.com internet address = 172.25.250.12
12> 仅缓存的DNS服务器:unbond
删除原来的unbound
[root@workstation ~]# lab dns-unbound start
[root@servera ~]# yum install -y unbound
[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]#
[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"
interface: 172.25.250.10
access-control: 172.25.250.0/24 allow
domain-insecure: "example.com" # 不开启安全域
interface-automatic: no # 如果开启那么监听所有端口,唯独不监听172.25.250.10
forward-zone:
name: .
forward-addr: 172.25.250.254
[root@servera ~]#
[root@servera ~]# unbound-control-setup
[root@servera ~]# ping servera.lab.example.com
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]# ping workstation
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com. 38 IN SOA bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com. 38 IN SOA classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.example.com example.com
#nameserver 172.25.250.254
nameserver 172.25.250.10
[root@servera ~]#
有缓存后,可以不依赖转发
清空缓存
[root@servera ~]# unbound-control flush *
缓存,和forward上的服务器都没了,就无法再ping通了
导出
unbound-control dump_cache > aa
unbound-control load_cache < aa
ansible 部署DNS unbound
[root@workstation ~]# lab dns-automation start
[student@workstation dns-auto]$ cat unbound.yml
---
- name: configure cache dns on servera
hosts: caching_dns
become: true
tasks:
- name: install the unbound package
yum:
name: unbound
state: present
- name: prepare configureation file for unbound
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: root
group: unbound
mode: '0644'
setype: named_conf_t
notify: restart service
- name: start service
service:
name: unbound
state: started
enabled: true
- name: config firewalld for unbond
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: unbond
state: restarted
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
{% for ip in ansible_facts['all_ipv4_addresses'] %}
interface: {{ ip }}
{% endfor %}
interface-automatic: no
access-control: 172.25.250.0/24 allow
domain-insecure: example.com
forward-zone:
name: .
forward-addr: 172.25.250.254
remote-control:
control-enable: yes
[student@workstation dns-auto]$
[student@workstation dns-auto]$ ls
ansible.cfg inventory playbook.yml unbound.conf.j2
ansible 部署bind
bind的YML文件
---
- name: config bind
hosts: primary_dns,secondary_dns
become: true
tasks:
- name: install package
yum:
name: bind
state: present
- name: config for primary
copy:
src: files/primary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverb.lab.example.com"
- name: config
copy:
src: files/secondary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverc.lab.example.com"
- name: zone file
copy:
src: files/example.com
dest: /var/named/example.com
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: zone file re
copy:
src: files/172.25.250.zone
dest: /var/named/172.25.250.zone
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: start service
service:
name: named
state: started
enabled: true
- name: firewalld
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: named
state: restarted
[student@workstation dns-auto]$
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com";
allow-transfer { 172.25.250.12;};
};
zone "250.25.172.in-addr.arpa" {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12;};
};
从named的配置文件
[student@workstation files]$ cat secondary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/example.com";
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/172.25.250.zone";
};
主的区域配置文件(正)
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
servera IN A 172.25.250.10
serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
serverd IN A 172.25.250.13
主的区域配置文件(反)
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
10 IN PTR servera.example.com.
11 IN PTR servera.example.com.
12 IN PTR servera.example.com.
13 IN PTR servera.example.com.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
任何一种服务的自动化配置:
一: 安装包
二: 配置文件 1: jiaj2模板的形式配置:unbound,2: file: bind, 3: notify restart service
三: 要读取数据文件路径: 基本都有
四: 服务
五: 防火墙
六: Handlers : 接收配置的文件改变从而去重新启动服务
rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound的更多相关文章
- rh358 003 ansible部署双网卡绑定 DNS原理 bind正向解析
双网卡绑定 绑定多张网卡成为逻辑口,从而实现链路冗余,以及数据流量的负载均衡 1.创建team口 [root@servera ~]# nmcli connection add type team co ...
- 二.Nginx反向代理和静态资源服务配置
2018年03月31日 10:30:12 麦洛_ 阅读数:1362更多 所属专栏: nginx 版权声明:本文为博主原创文章,未经博主允许不得转载. https://blog.csdn.net/M ...
- 常见资源记录定义(Resource Record)
所有的RRs(Resource Records)都具有相同的顶级字段格式定义:owner TTL CLASS TYPE RDATA owner 指示拥有资源记录的DNS域名 TTL 对大多数资源记录 ...
- DNS解惑之资源记录(2)
1.区域解析库 每个域都要维护一个区域解析库,而区域解析库都是由一条条的记录组成的,而每一条记录就被称为资源记录(resource record RR). 我们知道大多数域名下面都不仅仅有www服 ...
- dns资源记录类型
资源记录的定义格式: 语法:name [TTL] IN RR_TYPE value SOA: name:当前区域的名字,例如"magedu.com.",或者"2.168. ...
- DNS资源记录的七类
在Microsoft产品系列中,ADDS是一个很出色的设计平台,说到AD,那么我们就不得不提起他的合作伙伴--DNS,相信大家都知道,DNS在AD中的重要地位,就如男人和女人一样,要想有所作为,他们2 ...
- 三十三、DNS资源记录类型和请求流程
DNS分布均衡(Load balance)的实现 在上级数据库中写两条记录(同一个名字对应对个IP时),DNS会自动将请求基于轮循方式,分给每个DNS服务器 例如: 第一次将请求给第一个DNS,第二次 ...
- IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript、css、vm文件
IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript.css.vm文件https://blog.csdn.net/feng_pump/article ...
- DNS 资源记录解释
;SOA授权的开始;;SOA或授权的开始记录用来表示区域的启动;每个区域必须只有一个SOA记录;从名字服务器,在不能和主服务器通信的情况下,将提供12小时DNS服务, 在指定的时间后停止为那个区域提供 ...
随机推荐
- 《ECMAScript 6 入门》【一、let、const命令】(持续更新中……)
前言: 我们在ES5都使用var来声明常量跟变量,ES6使用了最新的语法,使用let跟const分别声明.一.let命令: let命令是用于声明变量块级作用域 1. { let a = 10; var ...
- JavaScript写倒计时
在网页中,特别是电商网站中,倒计时的出现频率很高,接下来给大家介绍一下怎么用JavaScript写一个倒计时.代码如下: 首先我们通过Date构造函数的方法创建一个倒计时的结束的时间.并将其转换为毫秒 ...
- oracle-安装与访问、卸载
安装oracle 官网(http://oracle.com/ )下载oracle -->Oracle Database -->点击接受Accept --> 下载11g(Downloa ...
- rhel挂载本地光盘为yum源
挂载光盘 mount /dev/sr0 /mnt/cdrom mkdir /mnt/cdrom 临时挂载 mount /dev/sr0 /mnt/cdrom 永久挂载光盘 mount -a 执行挂载 ...
- 一次 Keepalived 高可用的事故,让我重学了一遍它!
原文首发: 你好,我是悟空. 前言 上次我们遇到了一个 MySQL 故障的事故,这次我又遇到了另外一个奇葩的问题: Keepalived 高可用组件的虚拟 IP 持续漂移,导致 MySQL 主从不断切 ...
- Burnside 引理与 Pólya 定理
群 群的定义 在数学中,群是由一种集合以及一个二元运算所组成的,符合"群公理"的代数结构. 一个群是一个集合 \(G\) 加上对 \(G\) 的二元运算.二元运算用 \(\cdot ...
- 注册器机制Registry
在众多深度学习开源库的代码中经常出现Registry代码块,例如OpenMMlab,facebookresearch和BasicSR中都使用了注册器机制.这块的代码经常会让新使用这些库的初学者感到一头 ...
- npm相关资料
npm 源的配置 命令行模式 npm install XXX --registry https://registry.npmmirror.com/ 项目模式 在项目更目录新建.npmrc 文件,内容 ...
- Josephus问题(Ⅱ)
题目描述 n个人排成一圈,按顺时针方向依次编号1,2,3-n.从编号为1的人开始顺时针"一二"报数,报到2的人退出圈子.这样不断循环下去,圈子里的人将不断减少.最终一定会剩下一个人 ...
- 乐观锁和悲观锁在kubernetes中的应用
数据竞争和竞态条件 Go并发中有两个重要的概念:数据竞争(data race)和竞争条件(race condition).在并发程序中,竞争问题可能是程序面临的最难也是最不容易发现的错误之一. 当有两 ...