(一)简介 由于公司DNS服务器是以windows为主,由于经常打补丁,造成几次故障,故需要迁移到Linux,由于添加的记录过多,故采用以windows为主负责添加,修改解析记录,而Linux同步后进行接受业务请求的访问。
| 序号 | IP | 功能 |系统| | -------- | -------- | | |1 | 10.128.105.171 | Master | Windows | | 2 | 172.20.66.132 |Slave- | Linux |
(二)具体的步骤 (1),windows安装配置省略
(2)Linux的具体步骤如下:
2.1安装bind
[root@DNS-Slave slaves]# yum install bind-chroot bind-utils -y
2.2修改配置文件
[root@DNS-Slave etc]# vim named.conf
/*
Sample named.conf BIND DNS server 'named' configuration file
for the Red Hat BIND distribution.
See the BIND Administrator's Reference Manual (ARM) for details about the
configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/
options
{
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // "Working" directory
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
/*
Specify listenning interfaces. You can use list of addresses (';' is
delimiter) or keywords "any"/"none"
*/
listen-on port 53 { any; };
//listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { any; };
//listen-on-v6 port 53 { ::1; };
/*
Access restrictions
There are two important options:
allow-query { argument; };
- allow queries for authoritative data
allow-query-cache { argument; };
- allow queries for non-authoritative data (mostly cached data)
You can use address, network address or keywords "any"/"localhost"/"none" as argument
Examples:
allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
*/
allow-query { any; };
//allow-query-cache { localhost; };
/* Enable/disable recursion - recursion yes/no;
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/* DNSSEC related options. See information about keys ("Trusted keys", bellow) */
/* Enable serving of DNSSEC related data - enable on both authoritative
and recursive servers DNSSEC aware servers */
dnssec-enable yes;
/* Enable DNSSEC validation on recursive servers */
dnssec-validation yes;
/* In RHEL-7 we use /run/named instead of default /var/run/named
so we have to configure paths properly. */
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
managed-keys-directory "/var/named/dynamic";
};
logging //配置相关的日志信息
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel gsquery {
file "data/query.log" versions 3 size 20m;
severity info;
print-time yes;
print-category yes;
print-severity yes;
};
category queries { gsquery; };
};
//配置同步的主服务器的某个域,如果有多个域同步可以继续添加,也可以使用include 引用某个文件把所有的域添加到文件中
include "/etc/named.lqb.com.zones";
zone "lqb.com" IN {
type slave;
file "slaves/lqb.com.zone";
masters { 10.128.105.171; };
};
2.3 检查相关配置文件是否配置正确
[root@DNS-Master named]# named-checkzone lqb.com /var/named/chroot/var/named/lqb.com.zone
zone lqb.com/IN: loaded serial 2
OK
[root@DNS-Master named]# named-checkconf /var/named/chroot/etc/named.conf
2.4 重启服务,并查看是否有报错
[root@DNS-Slave slaves]# systemctl restart named-chroot
[root@DNS-Slave slaves]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2018-06-14 18:46:55 CST; 16h ago
Process: 4090 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 4378 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 4375 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 4380 (named)
CGroup: /system.slice/named-chroot.service
└─4380 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: vm_win7_7.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: vm_win7_8.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: vm_win7_9.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: WIN7_1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: WIN7_VM1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: WIN7_VM2.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: win7_vm_1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: transferred serial 2045499
Jun 15 11:42:28 DNS-Slave named[4380]: transfer of 'corp.ppdai.com/IN' from 10.128.105.171#53: Transfer completed: 19 messages...es/sec)
Jun 15 11:42:28 DNS-Slave named[4380]: zone corp.ppdai.com/IN: sending notifies (serial 2045499)
Hint: Some lines were ellipsized, use -l to show in full.
2.5 查看从服务器是否有同步的文件出现
[root@DNS-Slave slaves]# ll /var/named/chroot/var/named/slaves/lqb.com.zon
-rw-r--r-- 1 named named 381 Jun 14 16:52 /var/named/chroot/var/named/slaves/lqb.com.zon
