Implementing DNS master/slave synchronization:
The BIND version on the master DNS server must not be higher than the version on the slave DNS server.
The two key steps for adding a slave server to a zone:
a: obtain delegation from the parent zone
b: in the zone data file, add an NS record for the server together with its corresponding A record (forward zone) or PTR record (reverse zone)
1. Add an NS record and the corresponding A record for the master DNS server
# vim /var/named/mageedu.com.zone
$TTL 86400
; RNAME needs the trailing dot; the page omitted it, which is why the AXFR output
; further down shows admin.mageedu.com.mageedu.com. (MNAME "dsn" kept as on the page)
@       IN SOA  dsn.mageedu.com. admin.mageedu.com. (
                2014031901      ; serial
                1D              ; refresh
                12H             ; retry
                1D              ; expire
                12H )           ; negative TTL
        IN NS   dns
        IN NS   ns
        IN MX   20 mail
dns     IN A    172.16.19.100
ns      IN A    172.16.19.1
mail    IN A    172.16.19.2
www     IN A    172.16.19.3
pop     IN CNAME mail
ftp     IN CNAME www
2. Add an NS record and the corresponding PTR record for the slave DNS server
# vim /var/named/172.16.19.zone
$TTL 86400
; RNAME given the trailing dot it needs (omitted on the page); MNAME "dsn" kept as on the page
@       IN SOA  dsn.mageedu.com. admin.mageedu.com. (
                2014031902      ; serial
                1D              ; refresh
                12H             ; retry
                1D              ; expire
                12H )           ; negative TTL
        IN NS   dns.mageedu.com.
        IN NS   ns.mageedu.com.
100     IN PTR  dns.mageedu.com.
1       IN PTR  ns.mageedu.com.
2       IN PTR  mail.mageedu.com.
3       IN PTR  www.mageedu.com.
3. Edit the configuration file in the same way as above.
4. Add the mageedu.com zone on the slave server
zone "mageedu.com" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
};
5. Add the 19.16.172.in-addr.arpa zone on the slave server
// masters must point at the master's address, 172.16.19.100 (the page had a typo, 172.16.29.100)
zone "19.16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/172.16.19.zone";
};
6. Start the named service
# named -u named
7. Check the log file
# tail /var/log/messages
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: connected using 172.16.19.1#47647
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: transferred serial 2014031902
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 8 records, 255 bytes, 0.003 secs (85000 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: sending notifies (serial 2014031902)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: connected using 172.16.19.1#40334
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: transferred serial 2014031901
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 11 records, 283 bytes, 0.002 secs (141500 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: sending notifies (serial 2014031901)
8. Check the /var/named/slaves/ directory on the slave server
# ls /var/named/slaves/
172.16.19.zone  mageedu.com.zone
Zone transfer access control
Improving the security of the DNS server
In the zone statements of the master server's configuration, add allow-transfer { IP; };
Only allow 127.0.0.1 and 172.16.19.1 to perform zone transfers
zone "mageedu.com" IN {
        type master;
        file "mageedu.com.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "19.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.19.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};
Reload the DNS service on the master server
# service named reload
Zone transfer access control configured successfully
# dig -t axfr mageedu.com @172.16.19.100

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.100
;; global options: +cmd
; Transfer failed.

# dig -t axfr mageedu.com @172.16.19.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.1
;; global options: +cmd
mageedu.com.            86400   IN      SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
mageedu.com.            86400   IN      MX      20 mail.mageedu.com.
mageedu.com.            86400   IN      NS      dns.mageedu.com.
mageedu.com.            86400   IN      NS      ns.mageedu.com.
dns.mageedu.com.        86400   IN      A       172.16.19.100
ftp.mageedu.com.        86400   IN      CNAME   www.mageedu.com.
mail.mageedu.com.       86400   IN      A       172.16.19.2
ns.mageedu.com.         86400   IN      A       172.16.19.1
pop.mageedu.com.        86400   IN      CNAME   mail.mageedu.com.
www.mageedu.com.        86400   IN      A       172.16.19.3
mageedu.com.            86400   IN      SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
;; Query time: 5 msec
;; SERVER: 172.16.19.1#53(172.16.19.1)
;; WHEN: Sun Mar 16 16:29:23 2014
;; XFR size: 11 records (messages 1, bytes 283)
Configure zone transfer access control on the slave server: allow no one to transfer the zones from it
zone "mageedu.com" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
        allow-transfer { none; };
};
zone "19.16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/172.16.19.zone";
        allow-transfer { none; };
};
Reload the DNS service on the slave server
# service named reload
Test that the zone transfer access control is configured successfully
[root@stu19 ~]# dig -t axfr mageedu.com @127.0.0.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
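A small audit of named.conf zone statements for the two controls configured above: allow-transfer on the master and slave zones, and the masters address each slave zone pulls from. This is an added example, not code from the page; it assumes the one-level zone-statement syntax shown on this page and the BIND 9.8 behaviour of answering AXFR for any host when allow-transfer is absent, and the sample configuration (including the slave.test zone) is constructed.

```python
import re

# Constructed sample (not from the page): the page's two master zones, with
# allow-transfer deliberately dropped from the reverse zone, plus a hypothetical
# slave zone whose masters address carries a typo.
SAMPLE_CONF = '''
zone "mageedu.com" IN { type master; file "mageedu.com.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; }; };
zone "19.16.172.in-addr.arpa" IN { type master; file "172.16.19.zone"; };
zone "slave.test" IN { type slave; masters { 172.16.29.100; };
        file "slaves/slave.test.zone"; allow-transfer { none; }; };
'''

# A zone statement whose body may hold one level of nested { } blocks.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}\s*;')
# Either "key { a; b; };" (block value) or "key value;" (scalar value).
OPT_RE = re.compile(r'([\w-]+)\s*(?:\{([^}]*)\}|([^;{}]+))\s*;')

def parse_zones(conf):
    """Map each zone name to its options; block options become lists."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        opts = {}
        for m in OPT_RE.finditer(body):
            key, block, scalar = m.groups()
            if block is not None:
                opts[key] = [e.strip() for e in block.split(";") if e.strip()]
            else:
                opts[key] = scalar.strip().strip('"')
        zones[name] = opts
    return zones

def audit(conf, known_masters=()):
    """Return (zone, problem) pairs for zones that hand out AXFR too freely
    or (for slaves) pull from a masters address not in known_masters."""
    findings = []
    for name, o in parse_zones(conf).items():
        acl = o.get("allow-transfer")
        if acl is None:  # BIND 9.8, as on this page, then answers AXFR for anyone
            findings.append((name, "no allow-transfer: AXFR open to any host"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; }: AXFR open to any host"))
        if o.get("type") == "slave":
            for ip in o.get("masters", []):
                if known_masters and ip not in known_masters:
                    findings.append((name, f"masters lists unknown address {ip}"))
    return findings

if __name__ == "__main__":
    for zone, problem in audit(SAMPLE_CONF, known_masters=("172.16.19.100",)):
        print(f"{zone}: {problem}")
```

Run it against a copy of the real named.conf with known_masters set to the master's addresses; an empty result means every zone has an explicit, non-any allow-transfer and every slave pulls from an expected master.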