linux教程之RHCE(红帽认证工程师)系列(六) DNS配置

luoyjx · 2014-10-02 21:45 · 951次阅读

目录

DNS作用、解析过程

主DNS

辅DNS

委派

视图

动态DNS更新(DDNS)

a)       DNS作用、解析过程     解析域名<->IP

    DNS共分成四级:根、顶级域、二级域、主机

    主机的完全合格域名(FQDN):www.redhat.com.

DNS查询方式:

递归

    客户端发送查询请求到本地dns服务器,本地dns服务器给出肯定或否定性答复

迭代

    客户端发送查询请求到本地dns服务器,本地dns服务器并不给出肯定或否定性答复,而是指引客户端查询根服务器,根服务器指引查询顶级域服务器,顶级域服务器指引查询二级域服务器,二级域服务器给出肯定或否定性答复

 

b)       主DNS     安装

    #yum -y install bind

    #mount 192.168.0.254:/var/ftp/pub /mnt

    #cp /mnt/namedfiles/named.conf /etc/

    #cp /mnt/namedfiles/domainX.example.com.zone /var/named/domain50.example.com.zone

    #cp /mnt/namedfiles/192.168.0.X.zone /var/named/192.168.0.50.zone

    #vim /etc/named.conf

        options {

            directory "/var/named";                 //DNS解析文件位置

            query-source port 53;                   //监听端口

            query-source-v6 port 53;

            forward only|first;                     //指定转发方式:递归|迭代

            forwarders { 192.168.0.254; };          //转发到上游服务器

            //allow-query { any; };                 //允许任意网段迭代查询

            //allow-recursion { any; };             //允许任意网段递归查询

        };

        acl "myservers" { 192.168.0.51; };          //访问控制列表

        zone "." {

            type hint;                              //根区域

            file "named.ca";                        //区域文件名

        };

        zone "domain50.example.com" {

            type master;                            //主区域

            file "domain50.example.com.zone";       //区域文件名

            allow-update { none; };                 //不允许自动更新

            allow-transfer { myservers; };          //只允许到指定主机的区域复制

        };

        zone "50.0.168.192.in-addr.arpa" {

            type master;

            file "192.168.0.50.zone";

            allow-update { none; };

            allow-transfer { myservers; };

        };

    #cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/named.ca

    #vim /var/named/domain50.example.com.zone

        $TTL 86400                                          ; 记录在缓存中的生存时间

        @ IN SOA station50.domain50.example.com. root.station50.domain50.example.com. (

                                        2010051301  ;序列号<=2^32

                                        1h          ;更新间隔>2*重试间隔

                                        5m          ;重试间隔+更新间隔<最长重试间隔

                                        1w          ;最长重试间隔>=重试间隔*10 & >=7Day

                                        5m)         ;错误缓存时间

        @   IN  NS station50.domain50.example.com.

        @   IN A   192.168.0.50

        @   IN  MX 5 station50.domain50.example.com.

        station50   IN A    192.168.0.50

        www         IN CNAME    station50.domain50.example.com.

    #vim /var/named/192.168.0.50.zone

        $TTL 86400

        @ IN SOA station50.domain50.example.com. root.station50.domain50.example.com. (

                                            2010051301      ;序列号

                                            1h              ;更新间隔

                                            5m              ;重试间隔

                                            1w              ;最长重试间隔

                                            5m)             ;错误缓存时间

        @   IN  NS station50.domain50.example.com.

        50.0.168.192.in-addr.arpa.  IN  PTR station50.domain50.example.com.

    #named-checkconf                            //检查/etc/named.conf语法

    #named-checkzone domain50.example.com /var/named/domain50.example.com.zone

    #named-checkzone 50.0.168.192.in-addr.arpa /var/named/192.168.0.50.zone

    #service named start

    #chkconfig named on

    #vim /etc/sysconfig/network-scripts/ifcfg-eth0

        DEVICE=eth0

        ONBOOT=yes

        BOOTPROTO=dhcp

        PEERDNS=no                                      //不自动更新dns信息

    内置访问控制列表项说明

any 匹配任意网络
none 不匹配任意网络
localhost 当前主机上任意地址
localnet 当前主机直连网段
    #vim /etc/resolv.conf

        nameserver 192.168.0.50

        search domain50.example.com

    测试

    nslookup

    nslookup命令不读取/etc/nsswitch.conf,默认读取/etc/resolv.conf中的nameserver和search参数。输出比较简单。

    #nslookup www.domain50.example.com

    #nslookup

    >set type=mx                                            //查询邮件交换记录

    >domain50.example.com

    dig

    dig命令不读取/etc/nsswitch.conf,默认读取/etc/resolv.conf中的 nameserver参数。输出比较详细。

    #dig station50.domain50.example.com

    #dig @192.168.0.50 www.domain50.example.com             //指定查询服务器

    #dig @192.168.0.50 -t mx domain50.example.com           //查询邮件交换记录

    #dig @192.168.0.50 -x 192.168.0.50                      //查询反向记录

    #dig +trace www.redhat.com                              //强制迭代查询

 

c)       辅DNS         解决主dns宕机,客户端无法进行查询问题

    安装主DNS服务器

    #yum -y erase bind

    #yum -y install bind bind-chroot caching-nameserver     //bind-chroot安全增强包, caching-nameserver缓存dns

    #cd /var/named/chroot

    #mv etc/named.caching-nameserver.conf etc/named.conf

    #vim etc/named.conf

        options {

            listen-on port 53 { any; };

            allow-query { any; };

            directory "/var/named";

            forward only;

            forwarders { 192.168.0.254; };

        };

        view localhost_resolver {

            match-clients { any; };                         //允许查询客户端

            match-destinations { any; };                    //允许查询目标

            recursion yes;                                  //允许递归(上面 match-clients 为 any,等于对任意客户端开放递归,生产环境应限制为可信网段)

            include "/etc/named.rfc1912.zones";             //加载区域数据文件

        };

    #vim etc/named.rfc1912.zones

        acl "myservers" { 192.168.0.51; };

        zone "domain50.example.com" {

            type master;                                    //主区域

            file "domain50.example.com.zone";               //区域文件名

            allow-update { none; };                         //不允许自动更新

            allow-transfer { myservers; };                  //允许区域传输到指定服务器

        };

        zone "0.168.192.in-addr.arpa" {

            type master;

            file "192.168.0.zone";

            allow-update { none; };

            allow-transfer { myservers; };

        };

    #vim var/named/domain50.example.com.zone

        $TTL 86400

        @ IN SOA station50.domain50.example.com. root.station50.domain50.example.com. (

                                        2010051301      ;序列号

                                        1h              ;更新间隔

                                        5m              ;重试间隔

                                        1w              ;最长重试间隔

                                        5m)             ;错误缓存时间

        @   IN  NS station50.domain50.example.com.

        @   IN  NS station51.domain50.example.com.

        @   IN A   192.168.0.50

        @   IN A   192.168.0.51

        @   IN  MX 5 station50.domain50.example.com.

        station50   IN A    192.168.0.50

        station51   IN A    192.168.0.51

        www         IN CNAME    station50.domain50.example.com.

    #vim var/named/192.168.0.zone

        $TTL 86400

        @ IN SOA station50.domain50.example.com. root.station50.domain50.example.com. (

                                        2010051301      ;序列号

                                        1h              ;更新间隔

                                        5m              ;重试间隔

                                        1w              ;最长重试间隔

                                        5m)             ;错误缓存时间

        @   IN  NS station50.domain50.example.com.

        @   IN  NS station51.domain50.example.com.

        50  IN  PTR station50.domain50.example.com.

        51  IN  PTR station51.domain50.example.com.

    #cat /etc/sysconfig/named

        ROOTDIR=/var/named/chroot/

    #rm -f /etc/named.caching-nameserver.conf

    #ln -s /var/named/chroot/etc/named.conf /etc/named.conf

    #ln -s /var/named/chroot/var/named/domain50.example.com.zone /var/named/domain50.example.com.zone

    #ln -s /var/named/chroot/var/named/192.168.0.zone /var/named/192.168.0.zone

    #chgrp named /var/named/chroot/var/named/*

    #named-checkconf                            //检查/etc/named.conf语法

    #named-checkzone domain50.example.com /var/named/domain50.example.com.zone

    #named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone

    #service named start

安装辅助DNS服务器

#yum -y install bind bind-chroot caching-nameserver

    #cd /var/named/chroot

    #mv etc/named.caching-nameserver.conf etc/named.conf

    #vim etc/named.conf

        options {

            listen-on port 53 { any; };

            allow-query { any; };

            directory "/var/named";

            forward only;

            forwarders { 192.168.0.254; };

        };

        view localhost_resolver {

            match-clients { any; };                         //允许查询客户端

            match-destinations { any; };                    //允许查询目标

            recursion yes;                                  //允许递归(上面 match-clients 为 any,等于对任意客户端开放递归,生产环境应限制为可信网段)

            include "/etc/named.rfc1912.zones";             //加载区域数据文件

        };

    #vim etc/named.rfc1912.zones

        zone "domain50.example.com" {

            type slave;                                     //辅助区域

            file "slaves/domain50.example.com.zone";        //区域文件名

            masters { 192.168.0.50; };

        };

        zone "0.168.192.in-addr.arpa" {

            type slave;                                     //辅助区域

            file "slaves/192.168.0.zone";                   //区域文件名(反向区域必须使用单独的文件,不能与上面的正向区域共用同一个文件)

            masters { 192.168.0.50; };

        };

    #rm -f /etc/named.caching-nameserver.conf

    #ln -s /var/named/chroot/etc/named.conf /etc/named.conf

#service named start

#chkconfig named on

#tail -f /var/log/messages

 

d)       委派         当域很大时,可以指定服务器为某个子域的dns服务器,解析某个子域的域名信息

    配置委派(主dns)

    #cd /var/named/chroot/

    #vim var/named/domain50.example.com.zone

        $TTL 86400

        @ IN SOA station50.domain50.example.com. root.station50.domain50.example.com. (

                                        2010051301      ;序列号

                                        1h              ;更新间隔

                                        5m              ;重试间隔

                                        1w              ;最长重试间隔

                                        5m)             ;错误缓存时间

        @   IN  NS station50.domain50.example.com.

        @   IN A   192.168.0.50

        @   IN  MX 5 station50.domain50.example.com.

        station50   IN A    192.168.0.50

        www         IN CNAME    station50.domain50.example.com.

        hr.domain50.example.com.            IN  NS  station51.hr.domain50.example.com.

        station51.hr.domain50.example.com.  IN A    192.168.0.51

    配置委派(委派dns)

    #cd /var/named/chroot

    #vim etc/named.conf

        zone "hr.domain50.example.com" {

            type master;

            file "hr.zone";

            allow-update { none; };

            allow-transfer { none; };

        };

    #cp var/named/localhost.zone var/named/hr.zone

    #vim var/named/hr.zone

    $TTL 86400

    @ IN SOA station51.hr.domain50.example.com. root.station51.hr.domain50.example.com.(

                                                    2010051301      ;序列号

                                                    1h              ;更新间隔

                                                    5m              ;重试间隔

                                                    1w              ;最长重试间隔

                                                    5m)             ;错误缓存时间

    @   IN  NS station51.hr.domain50.example.com.

    @   IN A   192.168.0.51

    @   IN  MX 5 station51.hr.domain50.example.com.

    station51   IN A    192.168.0.51

    www         IN CNAME    station51.hr.domain50.example.com.

 

e)       视图     利用视图可实现客户端查询分类

配置

#yum -y erase bind bind-chroot caching-nameserver

#rm -rf /var/named/

#rm -f /etc/named.conf /etc/named.rfc1912.zones

#yum -y install bind

#vim /etc/named.conf

    options {

        directory "/var/named/";

        forward only;

        forwarders { 192.168.0.254; };

    };

    acl "dianxin" { 192.168.0.0/24; };

    acl "wangtong" { 192.168.1.0/24; };

    view "dianxin" {

        match-clients { dianxin; };

        include "/etc/dianxin.zones";

    };

    view "wangtong" {

        match-clients { wangtong; };

        include "/etc/wangtong.zones";

    };

#vim /etc/dianxin.zones

    zone "yangbang.com" {

        type master;

        file "yangbang.dianxin.zone";

    };

#vim /etc/wangtong.zones

    zone "yangbang.com" {

        type master;

        file "yangbang.wangtong.zone";

    };

#vim /var/named/yangbang.dianxin.zone

$TTL 86400

 @ IN SOA   station51.yangbang.com. root.station51.yangbang.com. (

                                                    2010051301      ;序列号

                                                    1h              ;更新间隔

                                                    5m              ;重试间隔

                                                    1w              ;最长重试间隔

                                                    5m)             ;错误缓存时间

@   IN  NS station51.yangbang.com.

@   IN A   192.168.0.51

station51   IN A    192.168.0.51

www         IN A    192.168.0.200

#vim /var/named/yangbang.wangtong.zone

$TTL 86400

 @ IN SOA   station51.yangbang.com. root.station51.yangbang.com. (

                                                    2010051301      ;序列号

                                                    1h              ;更新间隔

                                                    5m              ;重试间隔

                                                    1w              ;最长重试间隔

                                                    5m)             ;错误缓存时间

@   IN  NS station51.yangbang.com.

@   IN A   192.168.1.51

station51   IN A    192.168.1.51

www         IN A    192.168.1.200

 

 

 

f)       动态DNS更新(DDNS) DDNS主要适用于小型互联网架站服务,www、ftp等服务器没有固定IP地址,可以委托一台有固定IP的DNS服务器实行动态地址和主机记录更新,即动态DNS更新(DDNS)。

服务器端配置

#yum -y install bind

#mkdir /var/named/keys

#cd /var/named/keys

#dnssec-keygen -a HMAC-MD5 -b 128 -n HOST www           //创建密钥对

//-a 加密算法类型(RSAMD5,RSA,HMAC-MD5) -b 密钥长度 -n 客户端更新类型(HOST:仅更新A记录、ZONE:可更新任意类型记录)。HMAC-MD5 已不再推荐,新版 BIND 支持 HMAC-SHA256 等更强的 TSIG 算法,应优先选用;生成的密钥文件包含共享密钥,必须限制其读取权限。

#cat Kwww.+157+50096.key

www. IN KEY 512 3 157 +j8TSooNNIUPb3OR9Rh53Q==

#vim /etc/named.conf

    options {

        directory "/var/named";

};

    key "www" {

algorithm hmac-md5;

secret "+j8TSooNNIUPb3OR9Rh53Q==";

};

zone "example.com" {

type master;

file "example.com.zone";

update-policy {

    grant www name www.example.com. A;

    #允许叫‘www’的key更新主机‘www.example.com’的A记录

};

};

zone "0.168.192.in-addr.arpa" {

type master;

file "192.168.0.zone";

allow-update { key www; };

#允许叫'www'的key更新任意区域记录

};

#chown named.named /var/named -R                        //一定要设置named

#service named restart

#setsebool -P named_write_master_zones on               //支持ddns的区域更新

 

 

 

 

 

客户端配置

#mkdir /usr/local/ddns

#scp 192.168.0.X:/var/named/keys/* /usr/local/ddns      //复制服务器上的密钥到本地

#cd /usr/local/ddns

#nsupdate -k Kwww.+157+50096.key

>server 192.168.0.X

>update delete www.example.com                          //删除原有记录

>update add www.example.com 86400 A 192.168.0.Y         //更新A记录

>update add Y.0.168.192.in-addr.arpa 600 PTR www.example.com //更新PTR记录

>send

>ctrl+d

实现客户端自动更新

#vim /usr/local/ddns/ddns_update.sh

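    #!/bin/bash
# ddns_update.sh — register this host's current eth0 IPv4 address as the
# A record for DDNS_NAME on SERVERNAME, authenticating with the TSIG key
# in KEYFILE. Meant to run unattended from cron; problems are reported on
# stderr with a non-zero exit status.
set -euo pipefail
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH

# TSIG key file generated on the server with dnssec-keygen.
# NOTE(review): the client setup above copies the key into /usr/local/ddns;
# keep this path in sync with wherever the key was actually placed.
KEYFILE="/usr/local/keys/Kwww.+157+50096.key"
TTL=86400
# Not called HOSTNAME: bash provides a variable of that name, and the
# original script unset it at the end.
DDNS_NAME="www.example.com"
SERVERNAME=192.168.0.X
IFACE=eth0

#######################################
# Print the IPv4 address of an interface from legacy ifconfig output
# ("inet addr:A.B.C.D  Bcast:..."). Prints nothing when no such line
# exists; ifconfig's own errors pass through to stderr.
# Arguments: $1 - interface name
# Outputs:   the address on stdout
#######################################
iface_ipv4() {
  # sub() re-splits $0, so $1 is the address that followed "inet addr:".
  ifconfig "$1" | awk '/inet addr:/ { sub(/^.*inet addr:/, ""); print $1; exit }'
}

#######################################
# Print the nsupdate batch that replaces every record at a name with a
# single A record; the "update delete" clears stale addresses first, as
# the interactive session above does.
# Arguments: $1 - server address, $2 - owner name, $3 - TTL, $4 - IPv4
# Outputs:   nsupdate commands on stdout
#######################################
render_update() {
  printf 'server %s\nupdate delete %s\nupdate add %s %s A %s\nsend\n' \
    "$1" "$2" "$2" "$3" "$4"
}

main() {
  local newip
  # A failed ifconfig (pipefail) is treated like "no address".
  newip=$(iface_ipv4 "$IFACE") || newip=""
  if [[ -z "$newip" ]]; then
    printf 'ddns_update: no IPv4 address found on %s\n' "$IFACE" >&2
    exit 1
  fi
  # Feed the batch to nsupdate on stdin: no fixed-name temp file is left
  # behind next to the key, and -v (TCP) is kept from the original.
  render_update "$SERVERNAME" "$DDNS_NAME" "$TTL" "$newip" \
    | nsupdate -k "$KEYFILE" -v
}

main "$@"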

#chmod 700 /usr/local/ddns/ddns_update.sh

#crontab -e

        MAILTO=root

        0   */2   *   *   *  /bin/bash /usr/local/ddns/ddns_update.sh


