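1. DNS primary and secondary servers
1.1 Overview of primary and secondary servers
Secondary DNS is a disaster-recovery backup service for DNS: a zone data transfer mechanism is set up between the primary DNS and the secondary DNS, so that when the primary DNS fails or its service is interrupted, the secondary DNS can keep answering queries and the business keeps running. One example is the primary and secondary servers 223.5.5.5 and 223.6.6.6 provided by Alibaba Cloud.
Advantages of a secondary DNS:
- Disaster recovery, lowering the risk of a service outage: if the primary DNS system fails, the secondary DNS can continue to resolve names and keep the service available.
- Load balancing, spreading traffic to reduce load: when the secondary DNS and the primary DNS both serve queries, traffic is balanced across them.
The primary/secondary mechanism works as follows:
Note: a secondary server is a zone-level concept;
1.2 Implementing primary/secondary DNS
1.2.1 Key points for primary/secondary DNS
Points to watch when setting up DNS primary and secondary servers:
- Make sure the firewall rules allow the traffic (disabling the firewall is suggested);
- Keep the clocks of the primary and secondary servers in sync;
- The BIND versions should be the same; if they are not, the secondary should run the higher version and the primary the lower one;
Configuration points for the primary and secondary DNS servers:
- In named.conf on the primary DNS, configure the allow-transfer and also-notify options;
- In the options section of the secondary DNS main configuration file, add masterfile-format text; otherwise the transferred zone file is stored in binary (data) format;
- On the secondary DNS, add zone definitions of type slave and point the masters parameter at the primary's address;
- The secondary DNS must not modify the DNS zone data files itself;
- The secondary only needs to define the zone and does not need to provide a zone data file; the zone data files should be placed in the /var/named/slaves/ directory;
- The zone data file on the primary must contain an NS record pointing to the secondary;
- Once primary and secondary are set up, whenever a zone on the primary is modified, the Serial Number must be incremented, otherwise the change is not synchronized immediately;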
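The serial-number rule in the last item above, as an added example (not code from the original page): a secondary pulls a zone only when the primary's SOA serial is newer under RFC 1982 serial arithmetic, so the sketch compares serials taken from `dig +short SOA` output and computes the next value in the YYYYMMDDNN style this page uses. The function names and the sample SOA strings are constructed for illustration.

```python
from datetime import date

MOD = 2 ** 32  # an SOA serial is an unsigned 32-bit number


def soa_serial(soa_rdata: str) -> int:
    """Serial (third field) of SOA rdata as printed by `dig +short SOA <zone>`."""
    fields = soa_rdata.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 SOA fields, got {len(fields)}")
    return int(fields[2])


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b (RFC 1982, wraps at 2**32)."""
    return 0 < (a - b) % MOD < 2 ** 31


def secondary_will_transfer(primary_soa: str, secondary_soa: str) -> bool:
    """The secondary refreshes only if the primary's serial is newer than its copy."""
    return serial_gt(soa_serial(primary_soa), soa_serial(secondary_soa))


def next_serial(current: int, today: date) -> int:
    """Next serial in YYYYMMDDNN style, always newer than `current`."""
    first_of_day = int(today.strftime("%Y%m%d")) * 100 + 1
    if serial_gt(first_of_day, current):
        return first_of_day
    # Already edited today (or the serial runs ahead of the calendar): add one.
    # After revision 99 this spills into the date digits, which is still newer.
    return (current + 1) % MOD


# Constructed sample rdata, modelled on the zone used in this lab.
PRIMARY_EDITED_NOT_BUMPED = "ns1.xuzhichao.com. mail.xuzhichao.com. 2021071601 10800 900 604800 86400"
PRIMARY_BUMPED = "ns1.xuzhichao.com. mail.xuzhichao.com. 2021071602 10800 900 604800 86400"
SECONDARY_COPY = "ns1.xuzhichao.com. mail.xuzhichao.com. 2021071601 10800 900 604800 86400"

if __name__ == "__main__":
    print(secondary_will_transfer(PRIMARY_EDITED_NOT_BUMPED, SECONDARY_COPY))
    print(secondary_will_transfer(PRIMARY_BUMPED, SECONDARY_COPY))
    print(next_serial(2021071601, date(2021, 7, 16)))
```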
Lab environment:
- Primary DNS server: address 192.168.20.70, hostname dns01;
- Secondary DNS server: address 192.168.20.71, hostname dns02;
1.2.2 Primary DNS server configuration
- The configuration files of the primary DNS server are as follows:
[root@dns01 named]# cat /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { localhost; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { any; };
        recursion yes;
        allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
        allow-transfer {192.168.20.71;};   // hosts allowed to transfer this server's zone data
        also-notify {192.168.20.71;};      // hosts to notify so that they sync this server's zone data
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.xuzhichao.com.zone";
# Zone configuration file
[root@dns01 named]# cat /etc/named.xuzhichao.com.zone
zone "xuzhichao.com" IN {
        type master;
        file "xuzhichao.com.zone";
        notify yes;    // send notifications when this zone's data changes
};
zone "20.168.192.in-addr.arpa" IN {
        type master;
        file "20.168.192.in-addr.arpa.zone";
        notify yes;    // send notifications when this zone's data changes
};
- The zone data files on the primary DNS are as follows:
# 1. Forward zone file:
[root@dns01 named]# cat /var/named/xuzhichao.com.zone
$TTL 86400
xuzhichao.com. IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. (
        2021071601
        10800
        900
        604800
        86400
)
xuzhichao.com. IN NS ns1.xuzhichao.com.
xuzhichao.com. IN NS ns2.xuzhichao.com.    ; note: add the secondary's NS record and its matching A record
ns1 IN A 192.168.20.70
ns2 IN A 192.168.20.71
; service records
xuzhichao.com. IN MX 10 mx1.xuzhichao.com.
mx1 IN A 192.168.20.11
www.xuzhichao.com. IN A 192.168.20.31
www.xuzhichao.com. IN A 192.168.20.32
web.xuzhichao.com. IN CNAME www.xuzhichao.com.
; host records
nginx02.xuzhichao.com. IN A 192.168.20.22
ngxin03.xuzhichao.com. IN A 192.168.20.23
nginx-lb01.xuzhichao.com. IN A 192.168.20.19
nginx-lb02.xuzhichao.com. IN A 192.168.20.20
apache01.xuzhichao.com. IN A 192.168.20.21
lvs01.xuzhichao.com. IN A 192.168.20.31
lvs02.xuzhichao.com. IN A 192.168.20.32
mysql01.xuzhichao.com. IN A 192.168.20.50
redis01.xuzhichao.com. IN A 192.168.20.61
nfs01.xuzhichao.com. IN A 192.168.20.30
dns01.xuzhichao.com. IN A 192.168.20.70
# 2. Reverse zone file:
[root@dns01 named]# cat /var/named/20.168.192.in-addr.arpa.zone
$TTL 86400
@ IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. (
        2021071601
        10800
        900
        604800
        86400
)
@ IN NS ns1.xuzhichao.com.
@ IN NS ns2.xuzhichao.com.    ; note: add the secondary's NS record and its matching PTR record
70 IN PTR ns1.xuzhichao.com.
71 IN PTR ns2.xuzhichao.com.
; service records
31 IN PTR www.xuzhichao.com.
32 IN PTR www.xuzhichao.com.
; host records
22 IN PTR nginx02.xuzhichao.com.
23 IN PTR ngxin03.xuzhichao.com.
19 IN PTR nginx-lb01.xuzhichao.com.
20 IN PTR nginx-lb02.xuzhichao.com.
21 IN PTR apache01.xuzhichao.com.
31 IN PTR lvs01.xuzhichao.com.
32 IN PTR lvs02.xuzhichao.com.
50 IN PTR mysql01.xuzhichao.com.
61 IN PTR redis01.xuzhichao.com.
30 IN PTR nfs01.xuzhichao.com.
70 IN PTR dns01.xuzhichao.com.
1.2.3 Secondary DNS server configuration
- The configuration files of the secondary server are as follows:
[root@dns02 ~]# cat /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file "/var/named/data/named.recursing";
        secroots-file "/var/named/data/named.secroots";
        allow-query { any; };
        recursion yes;
        allow-recursion { 192.168.20.0/24; 192.168.50.0/24; };
        masterfile-format text;            // required on the secondary: store transferred zones as text
        allow-transfer {192.168.20.70;};   // hosts allowed to transfer this server's zone data
        also-notify {192.168.20.70;};      // hosts to notify so that they sync this server's zone data
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.xuzhichao.com.zone";
# Zone configuration file:
[root@dns02 ~]# cat /etc/named.xuzhichao.com.zone
zone "xuzhichao.com" IN {
        type slave;
        file "slaves/xuzhichao.com.zone";
        masters {192.168.20.70;};
};
zone "20.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/20.168.192.in-addr.arpa.zone";
        masters {192.168.20.70;};
};
# Change the group and mode of the zone configuration file
[root@dns02 ~]# chgrp named /etc/named.xuzhichao.com.zone
[root@dns02 ~]# chmod 640 /etc/named.xuzhichao.com.zone
- Check the configuration syntax and start the DNS service:
[root@dns02 ~]# named-checkconf
[root@dns02 ~]# systemctl start named.service
# Check the log: the zone data files were synchronized from the primary automatically
[root@dns02 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-17 11:09:06 CST; 39s ago
  Process: 1835 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1833 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1837 (named)
   CGroup: /system.slice/named.service
           └─1837 /usr/sbin/named -u named -c /etc/named.conf
Jul 17 11:09:06 dns02 named[1837]: transfer of '20.168.192.in-addr.arpa/IN' from 192.168.20.70#53: Transfer completed: 1 messages, 19 records, 504 bytes, 0.001 secs (504000 bytes/sec)
Jul 17 11:09:06 dns02 named[1837]: zone 20.168.192.in-addr.arpa/IN: sending notifies (serial 2021071601)
Jul 17 11:09:06 dns02 named[1837]: zone xuzhichao.com/IN: Transfer started.
Jul 17 11:09:06 dns02 named[1837]: transfer of 'xuzhichao.com/IN' from 192.168.20.70#53: connected using 192.168.20.71#47495
Jul 17 11:09:06 dns02 named[1837]: zone xuzhichao.com/IN: transferred serial 2021071601
Jul 17 11:09:06 dns02 named[1837]: transfer of 'xuzhichao.com/IN' from 192.168.20.70#53: Transfer status: success
Jul 17 11:09:06 dns02 named[1837]: transfer of 'xuzhichao.com/IN' from 192.168.20.70#53: Transfer completed: 1 messages, 22 records, 529 bytes, 0.001 secs (529000 bytes/sec)
Jul 17 11:09:06 dns02 named[1837]: zone xuzhichao.com/IN: sending notifies (serial 2021071601)
Jul 17 11:09:06 dns02 named[1837]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Jul 17 11:09:06 dns02 named[1837]: resolver priming query complete
- The zone data files synchronized from the primary DNS:
[root@dns02 ~]# ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 808 Jul 17 11:09 20.168.192.in-addr.arpa.zone
-rw-r--r-- 1 named named 765 Jul 17 11:09 xuzhichao.com.zone
- Test name resolution from a client through the secondary DNS server:
# Test forward resolution:
[root@xuzhichao ~]# dig nginx02.xuzhichao.com @192.168.20.71 +short
192.168.20.22
[root@xuzhichao ~]# dig web.xuzhichao.com @192.168.20.71 +short
www.xuzhichao.com.
192.168.20.32
192.168.20.31
# Test reverse resolution:
[root@xuzhichao ~]# dig -x 192.168.20.21 @192.168.20.71 +short
apache01.xuzhichao.com.
1.2.4 Testing primary/secondary synchronization
Add a record on the primary DNS and change the serial number, then check whether the secondary DNS synchronizes.
- Add an A record on the primary DNS and change the serial number:
# Edit the forward zone file:
[root@dns01 named]# cat /var/named/xuzhichao.com.zone
$TTL 86400
xuzhichao.com. IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. (
        2021071602    ; serial number incremented
        10800
        900
        604800
        86400
)
xuzhichao.com. IN NS ns1.xuzhichao.com.
xuzhichao.com. IN NS ns2.xuzhichao.com.
ns1 IN A 192.168.20.70
ns2 IN A 192.168.20.71
; service records
xuzhichao.com. IN MX 10 mx1.xuzhichao.com.
mx1 IN A 192.168.20.11
www.xuzhichao.com. IN A 192.168.20.31
www.xuzhichao.com. IN A 192.168.20.32
web.xuzhichao.com. IN CNAME www.xuzhichao.com.
; host records
nginx02.xuzhichao.com. IN A 192.168.20.22
ngxin03.xuzhichao.com. IN A 192.168.20.23
nginx-lb01.xuzhichao.com. IN A 192.168.20.19
nginx-lb02.xuzhichao.com. IN A 192.168.20.20
apache01.xuzhichao.com. IN A 192.168.20.21
lvs01.xuzhichao.com. IN A 192.168.20.31
lvs02.xuzhichao.com. IN A 192.168.20.32
mysql01.xuzhichao.com. IN A 192.168.20.50
redis01.xuzhichao.com. IN A 192.168.20.61
nfs01.xuzhichao.com. IN A 192.168.20.30
dns01.xuzhichao.com. IN A 192.168.20.70
dns02.xuzhichao.com. IN A 192.168.20.71    ; A record added
# Edit the reverse zone file:
[root@dns01 named]# cat /var/named/20.168.192.in-addr.arpa.zone
$TTL 86400
@ IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. (
        2021071602    ; serial number incremented
        10800
        900
        604800
        86400
)
@ IN NS ns1.xuzhichao.com.
@ IN NS ns2.xuzhichao.com.
70 IN PTR ns1.xuzhichao.com.
71 IN PTR ns2.xuzhichao.com.
;@ IN MX 10 mx1.xuzhichao.com.
;11 IN PTR mx1.xuzhichao.com.
;mx1.xuzhichao.com. IN A 192.168.20.11
; service records
31 IN PTR www.xuzhichao.com.
32 IN PTR www.xuzhichao.com.
; host records
22 IN PTR nginx02.xuzhichao.com.
23 IN PTR ngxin03.xuzhichao.com.
19 IN PTR nginx-lb01.xuzhichao.com.
20 IN PTR nginx-lb02.xuzhichao.com.
21 IN PTR apache01.xuzhichao.com.
31 IN PTR lvs01.xuzhichao.com.
32 IN PTR lvs02.xuzhichao.com.
50 IN PTR mysql01.xuzhichao.com.
61 IN PTR redis01.xuzhichao.com.
30 IN PTR nfs01.xuzhichao.com.
70 IN PTR dns01.xuzhichao.com.
71 IN PTR dns02.xuzhichao.com.    ; PTR record added
# Reload the DNS service:
[root@dns01 named]# rndc reload
server reload successful
- Check the synchronization on the secondary DNS:
# The log shows that synchronization has completed:
[root@dns02 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2021-07-17 11:09:06 CST; 13min ago
  Process: 1835 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1833 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1837 (named)
   CGroup: /system.slice/named.service
           └─1837 /usr/sbin/named -u named -c /etc/named.conf
Jul 17 11:19:43 dns02 named[1837]: transfer of 'xuzhichao.com/IN' from 192.168.20.70#53: Transfer completed: 1 messages, 23 records, 551 bytes, 0.001 secs (551000 bytes/sec)
Jul 17 11:19:43 dns02 named[1837]: zone xuzhichao.com/IN: sending notifies (serial 2021071602)
Jul 17 11:19:44 dns02 named[1837]: client @0x7f5cd40c6790 192.168.20.70#52480: received notify for zone '20.168.192.in-addr.arpa'
Jul 17 11:19:44 dns02 named[1837]: zone 20.168.192.in-addr.arpa/IN: notify from 192.168.20.70#52480: serial 2021071602
Jul 17 11:19:44 dns02 named[1837]: zone 20.168.192.in-addr.arpa/IN: Transfer started.
Jul 17 11:19:44 dns02 named[1837]: transfer of '20.168.192.in-addr.arpa/IN' from 192.168.20.70#53: connected using 192.168.20.71#58675
Jul 17 11:19:44 dns02 named[1837]: zone 20.168.192.in-addr.arpa/IN: transferred serial 2021071602
Jul 17 11:19:44 dns02 named[1837]: transfer of '20.168.192.in-addr.arpa/IN' from 192.168.20.70#53: Transfer status: success
Jul 17 11:19:44 dns02 named[1837]: transfer of '20.168.192.in-addr.arpa/IN' from 192.168.20.70#53: Transfer completed: 1 messages, 20 records, 524 bytes, 0.001 secs (524000 bytes/sec)
Jul 17 11:19:44 dns02 named[1837]: zone 20.168.192.in-addr.arpa/IN: sending notifies (serial 2021071602)
- Test from a client whether resolution succeeds:
# Test resolution through the primary DNS:
[root@xuzhichao ~]# dig dns02.xuzhichao.com @192.168.20.70 +short
192.168.20.71
[root@xuzhichao ~]# dig -x 192.168.20.71 @192.168.20.70 +short
ns2.xuzhichao.com.
dns02.xuzhichao.com.
# Test resolution through the secondary DNS:
[root@xuzhichao ~]# dig dns02.xuzhichao.com @192.168.20.71 +short
192.168.20.71
[root@xuzhichao ~]# dig -x 192.168.20.71 @192.168.20.71 +short
dns02.xuzhichao.com.
ns2.xuzhichao.com.
1.2.5 Configuring DNS high availability on the client
To get DNS high availability on the client, configure the addresses of both DNS servers:
[root@xuzhichao ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lan
nameserver 192.168.20.70
nameserver 192.168.20.71
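1.2.6 Manually transferring zone data
On the secondary DNS, the dig command can be used to pull the primary DNS zone data manually.
Transfer the zone data of the xuzhichao.com domain from the primary DNS, run on the secondary DNS: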
[root@dns02 ~]# dig -t axfr xuzhichao.com @192.168.20.70
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> -t axfr xuzhichao.com @192.168.20.70
;; global options: +cmd
xuzhichao.com. 86400 IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. 2021071602 10800 900 604800 86400
xuzhichao.com. 86400 IN NS ns1.xuzhichao.com.
xuzhichao.com. 86400 IN NS ns2.xuzhichao.com.
xuzhichao.com. 86400 IN MX 10 mx1.xuzhichao.com.
apache01.xuzhichao.com. 86400 IN A 192.168.20.21
dns01.xuzhichao.com. 86400 IN A 192.168.20.70
dns02.xuzhichao.com. 86400 IN A 192.168.20.71
lvs01.xuzhichao.com. 86400 IN A 192.168.20.31
lvs02.xuzhichao.com. 86400 IN A 192.168.20.32
mx1.xuzhichao.com. 86400 IN A 192.168.20.11
mysql01.xuzhichao.com. 86400 IN A 192.168.20.50
nfs01.xuzhichao.com. 86400 IN A 192.168.20.30
nginx-lb01.xuzhichao.com. 86400 IN A 192.168.20.19
nginx-lb02.xuzhichao.com. 86400 IN A 192.168.20.20
nginx02.xuzhichao.com. 86400 IN A 192.168.20.22
ngxin03.xuzhichao.com. 86400 IN A 192.168.20.23
ns1.xuzhichao.com. 86400 IN A 192.168.20.70
ns2.xuzhichao.com. 86400 IN A 192.168.20.71
redis01.xuzhichao.com. 86400 IN A 192.168.20.61
web.xuzhichao.com. 86400 IN CNAME www.xuzhichao.com.
www.xuzhichao.com. 86400 IN A 192.168.20.31
www.xuzhichao.com. 86400 IN A 192.168.20.32
xuzhichao.com. 86400 IN SOA ns1.xuzhichao.com. mail.xuzhichao.com. 2021071602 10800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.20.70#53(192.168.20.70)
;; WHEN: Sat Jul 17 11:26:59 CST 2021
;; XFR size: 23 records (messages 1, bytes 562)
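Because a zone can be pulled this way, the primary and secondary DNS must state explicitly which hosts are allowed to perform zone transfers; otherwise this is a security risk. The configuration directives are:
allow-transfer {192.168.20.71;};   // hosts allowed to transfer this server's zone data
also-notify {192.168.20.71;};      // hosts to notify so that they sync this server's zone data
With this in place, a zone transfer from the primary DNS attempted from any other host fails: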
[root@xuzhichao ~]# dig -t axfr xuzhichao.com @192.168.20.70
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7 <<>> -t axfr xuzhichao.com @192.168.20.70
;; global options: +cmd
; Transfer failed.
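One way to check a named.conf for the exposure described above, as an added example (not part of the original page): the function reports, for each authoritative zone, whether the effective allow-transfer list restricts AXFR. The function names and both sample configurations are constructed; the parser handles only flat address lists, and a zone with no allow-transfer anywhere is treated as open, which is the default in the BIND 9.11 release used on this page.

```python
import re

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* block comments */
    return re.sub(r"(//|#)[^\n]*", "", text)             # // and # line comments

def _block(text, start):
    """Body of the first {...} block at or after `start`, matching nested braces."""
    open_at = text.index("{", start)
    depth = 0
    for i in range(open_at, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[open_at + 1:i]
    raise ValueError("unbalanced braces in configuration")

def _acl(body):
    """Entries of a flat allow-transfer list, or None when the statement is absent."""
    m = re.search(r"\ballow-transfer\s*\{([^{}]*)\}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def audit_allow_transfer(conf):
    """Map each authoritative zone to ('open' | 'restricted', effective ACL)."""
    conf = _strip_comments(conf)
    opt = re.search(r"\boptions\s*\{", conf)
    global_acl = _acl(_block(conf, opt.start())) if opt else None
    report = {}
    for z in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        body = _block(conf, z.start())
        if not re.search(r"\btype\s+(master|primary|slave|secondary)\s*;", body):
            continue  # hint and forward zones hold no transferable data
        acl = _acl(body)
        acl = global_acl if acl is None else acl   # zone inherits the options block
        acl = ["any"] if acl is None else acl      # assumed default of BIND 9.11
        report[z.group(1)] = ("open" if "any" in acl else "restricted", acl)
    return report

# Constructed samples modelled on this lab; not the page's full configuration.
HARDENED = """
options { directory "/var/named"; allow-transfer {192.168.20.71;}; };
zone "." IN { type hint; file "named.ca"; };
zone "xuzhichao.com" IN { type master; file "xuzhichao.com.zone"; notify yes; };
"""
WEAK = """
options { directory "/var/named"; };   // no allow-transfer at all
zone "xuzhichao.com" IN { type master; file "xuzhichao.com.zone"; };
zone "20.168.192.in-addr.arpa" IN { type master; allow-transfer { any; }; };
"""
```

Run `audit_allow_transfer()` on the text of the real configuration with its include files concatenated, since the zones on this page live in a separate included file.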