rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound
通过bind实现正向,反向,转发,主从,各种资源记录
7> 部署反向解析 从ip解析到fqdn
vim /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone
[root@serverb ~]# chown root:named /var/named/172.25.250.zone
[root@serverb ~]# chmod 640 /var/named/172.25.250.zone
[root@serverb ~]# vim /var/named/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
~
[root@serverb ~]# systemctl restart named
8> 测试
[root@servera ~]# host serverb.example.com
serverb.example.com has address 172.25.250.11
[root@servera ~]# host 172.25.250.10
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]# host 172.25.250.11
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]# host 172.25.250.12
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]# host 172.25.250.13
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]#
[root@servera ~]# nslookup
> set type=ptr
> 172.25.250.10
Server: 172.25.250.11
Address: 172.25.250.11#53
10.250.25.172.in-addr.arpa name = servera.example.com.
> set type=NS
> example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
example.com nameserver = serverb.example.com.
> set type=A
> servera.example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
Name: servera.example.com
Address: 172.25.250.10
>
也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x<ptr>
9> 主从同步:
修改配置文件在主DNS上配置
[root@serverc ~]# vim /etc/named.conf
zone "example.com" IN {
type master ;
file "example.com";
allow-transfer { 172.25.250.12; };
};
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12; };
};
[root@serverb ~]# systemctl restart named
在从DNS上<slave>
[root@serverc ~]# yum install -y bind
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
zone "example.com" IN {
type slave ; 类型是从DNS服务器
file "slaves/example.com";
masters { 172.25.250.11; };
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
file "slaves/172.25.250.zone";
masters { 172.25.250.11; };
};
[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverc ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
确认:
[root@serverc ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 490 Sep 3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep 3 22:29 example.com
[root@serverc ~]#
针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1,只有当序列号增加才会同步
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com. 从的DNS
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
[root@servera ~]# dig @serverb.example.com -x 172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN PTR serverb.example.com.
;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800 IN NS serverc.example.com.
250.25.172.in-addr.arpa. 10800 IN NS serverb.example.com.
;; ADDITIONAL SECTION:
serverb.example.com. 10800 IN A 172.25.250.11
serverc.example.com. 10800 IN A 172.25.250.12
;; Query time: 2 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE rcvd: 184
[root@servera ~]#
同步后,可以使用dig,发现有两个dns权威地址了。那么就是配置文件更改后,同步成功
10> 对于一个转发的DNS服务器来说,在正常情况下,如果我们没有配置转发,当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverd ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverd ~]# firewall-cmd --reload
success
[root@serverd ~]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
forwarders { 172.25.250.12 ;};
dnssec-enable no;
dnssec-validation no;
这两个可以删掉,也是zone地址。用不上
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
[root@serverd ~]# nslookup
> set type=A
> servera.example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer: 这里做了转发所以不一样。非授权机构
Name: servera.example.com
Address: 172.25.250.10
>
邮件服务器
邮件服务器要做转发,所以得找到邮件服务器
正
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
反
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
[root@serverb named]# nslookup
> set type=MX
> example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer:
example.com mail exchanger = 10 classroom.example.com.
Authoritative answers can be found from:
example.com nameserver = serverb.example.com.
example.com nameserver = serverc.example.com.
classroom.example.com internet address = 172.25.250.254
serverb.example.com internet address = 172.25.250.11
serverc.example.com internet address = 172.25.250.12
12> 仅缓存的DNS服务器:unbond
删除原来的unbound
[root@workstation ~]# lab dns-unbound start
[root@servera ~]# yum install -y unbound
[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]#
[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"
interface: 172.25.250.10
access-control: 172.25.250.0/24 allow
domain-insecure: "example.com" # 不开启安全域
interface-automatic: no # 如果开启那么监听所有端口,唯独不监听172.25.250.10
forward-zone:
name: .
forward-addr: 172.25.250.254
[root@servera ~]#
[root@servera ~]# unbound-control-setup
[root@servera ~]# ping servera.lab.example.com
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]# ping workstation
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com. 38 IN SOA bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com. 38 IN SOA classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.example.com example.com
#nameserver 172.25.250.254
nameserver 172.25.250.10
[root@servera ~]#
有缓存后,可以不依赖转发
清空缓存
[root@servera ~]# unbound-control flush *
缓存,和forward上的服务器都没了,就无法再ping通了
导出
unbound-control dump_cache > aa
unbound-control load_cache < aa
ansible 部署DNS unbound
[root@workstation ~]# lab dns-automation start
[student@workstation dns-auto]$ cat unbound.yml
---
- name: configure cache dns on servera
hosts: caching_dns
become: true
tasks:
- name: install the unbound package
yum:
name: unbound
state: present
- name: prepare configureation file for unbound
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: root
group: unbound
mode: '0644'
setype: named_conf_t
notify: restart service
- name: start service
service:
name: unbound
state: started
enabled: true
- name: config firewalld for unbond
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: unbond
state: restarted
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
{% for ip in ansible_facts['all_ipv4_addresses'] %}
interface: {{ ip }}
{% endfor %}
interface-automatic: no
access-control: 172.25.250.0/24 allow
domain-insecure: example.com
forward-zone:
name: .
forward-addr: 172.25.250.254
remote-control:
control-enable: yes
[student@workstation dns-auto]$
[student@workstation dns-auto]$ ls
ansible.cfg inventory playbook.yml unbound.conf.j2
ansible 部署bind
bind的YML文件
---
- name: config bind
hosts: primary_dns,secondary_dns
become: true
tasks:
- name: install package
yum:
name: bind
state: present
- name: config for primary
copy:
src: files/primary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverb.lab.example.com"
- name: config
copy:
src: files/secondary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverc.lab.example.com"
- name: zone file
copy:
src: files/example.com
dest: /var/named/example.com
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: zone file re
copy:
src: files/172.25.250.zone
dest: /var/named/172.25.250.zone
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: start service
service:
name: named
state: started
enabled: true
- name: firewalld
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: named
state: restarted
[student@workstation dns-auto]$
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com";
allow-transfer { 172.25.250.12;};
};
zone "250.25.172.in-addr.arpa" {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12;};
};
从named的配置文件
[student@workstation files]$ cat secondary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/example.com";
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/172.25.250.zone";
};
主的区域配置文件(正)
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
servera IN A 172.25.250.10
serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
serverd IN A 172.25.250.13
主的区域配置文件(反)
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
10 IN PTR servera.example.com.
11 IN PTR servera.example.com.
12 IN PTR servera.example.com.
13 IN PTR servera.example.com.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
任何一种服务的自动化配置:
一: 安装包
二: 配置文件 1: jiaj2模板的形式配置:unbound,2: file: bind, 3: notify restart service
三: 要读取数据文件路径: 基本都有
四: 服务
五: 防火墙
六: Handlers : 接收配置的文件改变从而去重新启动服务
rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound的更多相关文章
- rh358 003 ansible部署双网卡绑定 DNS原理 bind正向解析
双网卡绑定 绑定多张网卡成为逻辑口,从而实现链路冗余,以及数据流量的负载均衡 1.创建team口 [root@servera ~]# nmcli connection add type team co ...
- 二.Nginx反向代理和静态资源服务配置
2018年03月31日 10:30:12 麦洛_ 阅读数:1362更多 所属专栏: nginx 版权声明:本文为博主原创文章,未经博主允许不得转载. https://blog.csdn.net/M ...
- 常见资源记录定义(Resource Record)
所有的RRs(Resource Records)都具有相同的顶级字段格式定义:owner TTL CLASS TYPE RDATA owner 指示拥有资源记录的DNS域名 TTL 对大多数资源记录 ...
- DNS解惑之资源记录(2)
1.区域解析库 每个域都要维护一个区域解析库,而区域解析库都是由一条条的记录组成的,而每一条记录就被称为资源记录(resource record RR). 我们知道大多数域名下面都不仅仅有www服 ...
- dns资源记录类型
资源记录的定义格式: 语法:name [TTL] IN RR_TYPE value SOA: name:当前区域的名字,例如"magedu.com.",或者"2.168. ...
- DNS资源记录的七类
在Microsoft产品系列中,ADDS是一个很出色的设计平台,说到AD,那么我们就不得不提起他的合作伙伴--DNS,相信大家都知道,DNS在AD中的重要地位,就如男人和女人一样,要想有所作为,他们2 ...
- 三十三、DNS资源记录类型和请求流程
DNS分布均衡(Load balance)的实现 在上级数据库中写两条记录(同一个名字对应对个IP时),DNS会自动将请求基于轮循方式,分给每个DNS服务器 例如: 第一次将请求给第一个DNS,第二次 ...
- IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript、css、vm文件
IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript.css.vm文件https://blog.csdn.net/feng_pump/article ...
- DNS 资源记录解释
;SOA授权的开始;;SOA或授权的开始记录用来表示区域的启动;每个区域必须只有一个SOA记录;从名字服务器,在不能和主服务器通信的情况下,将提供12小时DNS服务, 在指定的时间后停止为那个区域提供 ...
随机推荐
- Tomcat部署接口环境遇到的问题,有没有人能帮忙解决指导一下
1.在虚拟机中用Tomcat部署一个接口环境:linux+jdk+Tomcat 前提条件:代码包啥的别人都用过,可以部署成功 2.具体部署: a. 利用xftp把所有的代码包war包传送到tomcat ...
- (win环境)使用Electron打造一个桌面应用翻译小工具
初始化项目 npm init 修改package.json {"name": "trans","version": "1.0.0& ...
- NC50965 Largest Rectangle in a Histogram
NC50965 Largest Rectangle in a Histogram 题目 题目描述 A histogram is a polygon composed of a sequence of ...
- 从 1.5 开始搭建一个微服务框架——日志追踪 traceId
你好,我是悟空. 前言 最近在搭一个基础版的项目框架,基于 SpringCloud 微服务框架. 如果把 SpringCloud 这个框架当做 1,那么现在已经有的基础组件比如 swagger/log ...
- Node.js精进(8)——错误处理
在 Node.js 中,提供了 error 模块,并且内置了标准的 JavaScript 错误,常见的有: EvalError:在调用 eval() 函数时出现问题时抛出该错误. SyntaxErro ...
- SDK导入问题 __imp_与__imp__
目前刚刚实习一周,接触的第一个项目是CMake编译的QT项目,需要引入公司的SDK,编译能过去但是程序就是找不到SDK的接口, 排查了半天发现问题在于:公司的SDK是32位的,自己项目的build k ...
- linux 文件名乱码的文件无法删除
1.通过ls -i命令获得文件的节点号 2.通过节点号删除 find -inum 节点号 -delete 这样就可以删除文件名乱码的文件
- java controller 异常捕获
package com.aiyusheng.framework.exception; import lombok.Data; /** * base异常类 * @author :cza * @date ...
- Maven3 入门到入门
Maven3 Core Overview Maven是一个项目管理工具,它包含了一个项目对象模型(Project Object Model,POM) ,一组标准集合,一个项目生命周期(Project ...
- 科学计算库Numpy基础&提升(理解+重要函数讲解)
Intro 对于同样的数值计算任务,使用numpy比直接编写python代码实现 优点: 代码更简洁: numpy直接以数组.矩阵为粒度计算并且支持大量的数学函数,而python需要用for循环从底层 ...