1. 基本场景


某单位需要配置两台DNS服务器来实现域名解析。要求如下:


DNS试验_DNS

主机名          IP地址
ns1.abc.local   192.168.188.9
ns2.abc.local   192.168.188.10

需要完成以下域名的解析:


 


ftp.abc.local       10.0.0.1
mailsrv1.abc.local  10.0.0.2
smtp.abc.local      10.0.0.2
pop3.abc.local      10.0.0.2
www.abc.local       10.0.0.3、10.0.0.4(两个主机,以平衡负荷)

smtp及pop3需要使用CNAME来进行解析。同时,需要实现反向地址解析。      

         

2. 实验环境


2.1.服务器安装


根据《01 RHEL安装-文本最小化安装.docx》进行的最小化安装。

安装了core及base两个组。


# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 6.4 (Santiago)




# uname -a

Linux localhost.localdomain 2.6.32-358.el6.x86_64 #1 SMP Tue Jan 29 11:47:41 EST 2013 x86_64 x86_64 x86_64 GNU/Linux



2.2.服务器基本配置



ns1.abc.local的配置。

修改IP地址。

# cd /etc/sysconfig/network-scripts/

# ls

ifcfg-eth1   ifdown-isdn    ifup-aliases  ifup-plusb     init.ipv6-global

ifcfg-lo     ifdown-post    ifup-bnep     ifup-post      net.hotplug

ifdown       ifdown-ppp     ifup-eth      ifup-ppp       network-functions

ifdown-bnep  ifdown-routes  ifup-ippp     ifup-routes    network-functions-ipv6

ifdown-eth   ifdown-sit     ifup-ipv6     ifup-sit

ifdown-ippp  ifdown-tunnel  ifup-isdn     ifup-tunnel

ifdown-ipv6  ifup           ifup-plip     ifup-wireless

注:上面列出的文件中,原文以红色字体标出的 ifcfg-eth1 即为网络配置文件


# ifconfig

eth2      Link encap:Ethernet  HWaddr 00:0C:29:A2:91:B3

          inet addr:192.168.188.9  Bcast:192.168.188.255  Mask:255.255.255.0

          inet6 addr: fe80::20c:29ff:fea2:91b3/64 Scope:Link

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:171 errors:0 dropped:0 overruns:0 frame:0

          TX packets:141 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:1000

          RX bytes:15078 (14.7 KiB)  TX bytes:21731 (21.2 KiB)


lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          inet6 addr: ::1/128 Scope:Host

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

注:记着网卡名字eth2配置的时候要用到


# vi ifcfg-eth1

删除原有内容,写入以下内容

DEVICE=eth2    注:为刚才查看的网卡名,此处如果填错的话网卡服务会启动失败

TYPE=Ethernet

ONBOOT=yes

NM_CONTROLLED=yes

BOOTPROTO=static

IPADDR=192.168.188.9

NETMASK=255.255.255.0

GATEWAY=192.168.188.2



修改主机名

# vi /etc/sysconfig/network


NETWORKING=yes

HOSTNAME=ns1.abc.local


为了方便实验,将防火墙关闭(仅限实验环境)

# service iptables stop     关闭防火墙

# chkconfig iptables off    永久生效



为了排除SELinux对实验的干扰,同时关闭SELinux(仅限实验环境)

# vi /etc/sysconfig/selinux


# This file controls the state of SELinux on the system.

# SELINUX= can take one of these three values:

# enforcing - SELinux security policy is enforced.

# permissive - SELinux prints warnings instead of enforcing.

# disabled - No SELinux policy is loaded.

SELINUX=enforcing    改为     disabled

# SELINUXTYPE= can take one of these two values:

# targeted - Targeted processes are protected,

# mls - Multi Level Security protection.

SELINUXTYPE=targeted


重启以便生效

#reboot


3. DNS客户机配置


# vi /etc/resolv.conf

nameserver 192.168.188.9


测试解析域名www.sina.com.cn

# nslookup www.sina.com.cn

;; connection timed out; trying next origin

;; connection timed out; no servers could be reached


出现超时,原因是DNS服务器没有启动,启动服务需要安装DNS服务器组件


4. DNS服务器组件安装


4.1.通过yum来进行安装


# mkdir /mnt/cdrom

# mount /dev/cdrom /mnt/cdrom/   挂载光盘

mount: block device /dev/sr0 is write-protected, mounting read-only


# yum -y install bind

注释:   Bind是最知名的域名服务器软件,它完整地实现了DNS协议规定的各种功能,可以在各种主流的操作系统平台上运行,并且被作为许多供应商的UNIX标准配置封装在产品中。


4.2.基本配置


# ps aux | grep named   查看named是否启动

root 1805 0.0 0.0 103236 856 pts/0 S+ 20:27 0:00 grep named

# service named start 重启named,最好重启两次,一次的话日志会测试不出来


Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]


# ps aux | grep named   查看named是否启动   

named     1512  0.0  3.8 166484 19148 ?        Ssl  04:38   0:01 /usr/sbin/named     -u named

root      1812  0.0  0.1 103244   828 pts/0    S+   17:00   0:00 grep named


# tail -f /var/log/messages      查看日志

Aug 29 23:24:44 ns1 named[1602]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA

Aug 29 23:24:44 ns1 named[1602]: command channel listening on 127.0.0.1#953

Aug 29 23:24:44 ns1 named[1602]: command channel listening on ::1#953

Aug 29 23:24:44 ns1 named[1602]: zone 0.in-addr.arpa/IN: loaded serial 0

Aug 29 23:24:44 ns1 named[1602]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

Aug 29 23:24:44 ns1 named[1602]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

Aug 29 23:24:44 ns1 named[1602]: zone localhost.localdomain/IN: loaded serial 0

Aug 29 23:24:44 ns1 named[1602]: zone localhost/IN: loaded serial 0

Aug 29 23:24:44 ns1 named[1602]: managed-keys-zone ./IN: loaded serial 33

Aug 29 23:24:44 ns1 named[1602]: running



# rpm -qc bind   查看配置文件

/etc/logrotate.d/named

/etc/named.conf       注:为主配置文件

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/rndc.conf

/etc/rndc.key

/etc/sysconfig/named

/var/named/named.ca

/var/named/named.empty

/var/named/named.localhost

/var/named/named.loopback


# cp /etc/named.conf /etc/named.conf.original   备份配置文件


# netstat -an | grep :53  查看当前端口状态

tcp   0   0   127.0.0.1:53 0.0.0.0:*          LISTEN

tcp   0   0   ::1:53 :::*                     LISTEN

udp   0   0   127.0.0.1:53 0.0.0.0:*

udp   0   0   ::1:53


# vi /etc/named.conf    修改配置文件


options {

listen-on port 53 { 127.0.0.1; };

       改为

//listen-on port 53 { 127.0.0.1; };

listen-on port 53 { any; };



dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

     改为

//dnssec-enable yes;

dnssec-enable no;

//dnssec-validation yes;

dnssec-validation no;

dnssec-lookaside auto;



allow-query { localhost; };

     改为

//allow-query { localhost; };

allow-query { any; };


# service named restart   重启服务

Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]


# netstat -an | grep :53  再次查看当前端口状态


tcp        0      0 192.168.188.9:53            0.0.0.0:*                   LISTEN

tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN

tcp        0      0 ::1:53                      :::*                        LISTEN

udp        0      0 192.168.188.9:53            0.0.0.0:*

udp        0      0 127.0.0.1:53                0.0.0.0:*

udp        0      0 ::1:53                      :::*


设置DNS为自动启动。

# chkconfig named on

# chkconfig --list named

named 0:off 1:off 2:on 3:on 4:on 5:on 6:off



5. 主DNS服务器配置

5.1.创建正向ZONE


# vi /etc/named.conf

在配置文件的后面添加如下信息


// Authoritative (master) zone for abc.local, served by ns1.
// NOTE(review): BIND 9.8 permits zone transfers from any client unless
// allow-transfer is set; once ns2 becomes a slave (section 7), restrict
// transfers to it, e.g. allow-transfer { 192.168.188.10; };
zone "abc.local" IN {

type master;

// Path is relative to the "directory" option; the file is created under /var/named/ below.
file "abc.local.zone";

};


# cd /var/named/


# ls

data dynamic named.ca named.empty named.localhost named.loopback slaves

使用空白模板来创建新的zone文件

# cp named.empty abc.local.zone

# vi abc.local.zone


; Forward zone for abc.local (master copy on ns1); default TTL for every record is 3 hours.
$TTL 3H

; NOTE(review): "IN SOA" is written twice on this line; the reverse zone and the copy
; transferred to ns2 (section 7.2) use it once — this looks like a typo.
@       IN SOA  IN SOA ns1.abc.local. admin.abc.local. (

                         

       0     ; serial

       1D    ; refresh - how often secondary servers poll for updated data

       1H    ; retry - how long a secondary waits before retrying a failed refresh

       1W    ; expire - how long a secondary keeps serving its data when it cannot refresh from the master

       3H )  ; minimum - TTL applied to records that do not set their own

; Apex NS record: the leading whitespace makes it inherit the owner "@" from the SOA line.
        NS ns1.abc.local.

; NOTE(review): section 1 lists ns1 as 192.168.188.9, and the copy that reaches ns2
; in section 7.2 shows 192.168.188.9 as well — 192.168.1.241 appears inconsistent
; (the ns2 record added in section 7.2 shows the same 192.168.1.x pattern).
ns1 A 192.168.1.241

ftp A 10.0.0.1

mailsrv1 A 10.0.0.2

; Two A records for www: the resolver hands out both addresses, giving the
; round-robin load sharing asked for in section 1.
www A 10.0.0.3

www A 10.0.0.4

; smtp and pop3 are aliases of the mail host, as required in section 1.
smtp CNAME mailsrv1.abc.local.

pop3 CNAME mailsrv1.abc.local.


修改新创建配置文件的属主。

# chown root:named /var/named/abc.local.zone

# rndc status   查看配置文件状态


version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 19     注:记录当前zone的数量

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running



# service named restart

Stopping named: [ OK ]

Starting named: [ OK ]


测试一下:

# nslookup ns1.abc.local

# nslookup mailsrv1.abc.local

# nslookup smtp.abc.local

# nslookup pop3.abc.local

# nslookup www.abc.local

# nslookup www.abc.local

# rndc status    再次查看配置文件状态

version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 20    注:比刚才增加了1个zone

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running


5.2.创建反向ZONE

# vi /etc/named.conf

在配置文件的后面添加如下信息


// Reverse zone for 10.0.0.0/24 (PTR records for ftp, mailsrv1 and www).
// NOTE(review): ns1 and ns2 sit in 192.168.188.0/24 (section 1), for which no
// reverse zone is configured here; add one if reverse lookups of the name
// servers themselves are required.
zone "0.0.10.in-addr.arpa" IN {

type master;

// Path is relative to the "directory" option; created under /var/named/ below.
file "10.0.0.zone";

};



# cd /var/named/

# cp abc.local.zone 10.0.0.zone

# vi 10.0.0.zone

修改配置文件,内容如下:


; Reverse zone for 10.0.0.0/24; the owner names below are relative to the zone
; origin 0.0.10.in-addr.arpa, so "1" is 1.0.0.10.in-addr.arpa, i.e. 10.0.0.1.
$TTL 3H

@ IN SOA ns1.abc.local. admin.abc.local. (

0 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

; NOTE(review): an NS record at column 0 is read as owner name "NS" with an
; unknown record type; the line needs leading whitespace (or an explicit "@"
; owner) — indentation may have been lost in this copy. The same applies to
; the NS lines shown in section 7.2.
NS ns1.abc.local.

1 PTR ftp.abc.local.

2 PTR mailsrv1.abc.local.

3 PTR www.abc.local.

; DNS names are case-insensitive, so this resolves, but lower-case "www"
; keeps it consistent with the record above.
4 PTR WWW.abc.local.


修改新创建配置文件的属主。

# chown root:named /var/named/10.0.0.zone


# service named restart

Stopping named: .                                          [  OK  ]

Starting named:                                            [  OK  ]


# rndc status

version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 21    注:又增加了一个zone

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running



反向解析验证

# nslookup 10.0.0.1

Server:         192.168.188.9

Address:        192.168.188.9#53

再分别反向解析其他三个地址

# nslookup 10.0.0.2

# nslookup 10.0.0.3

# nslookup 10.0.0.4


6. 配置转发器


场景:

缺省情况下,DNS服务器为会为不在本机所管理的域信息通过迭代的方式从根服务器查起。由于多数根服务器主要在国外,速度比较慢。现在希望通过配置转发器,将查询发给本地ISP的DNS服务器以提高效率。

以郑州为例,可以使用:

网通:202.102.224.68、202.102.227.68

电信:219.150.150.150

操作:

修改DNS主配置文件

# vi /etc/named.conf

在全局配置语句option中添加forwarders配置,注意分号


// Global options; "……" stands for the settings already present
// (listen-on, allow-query, dnssec-*, ...).
options {

……

……

……

// Queries for names outside the local zones are sent to these ISP resolvers
// instead of being iterated from the root servers.
// NOTE(review): allow-query { any; } was set in section 4.2 and no
// allow-recursion is given; BIND derives the recursion ACL from allow-query
// in that case, so this server forwards recursive queries for any client
// that can reach it (an open resolver). Limit it to the lab network, e.g.
// allow-recursion { 192.168.188.0/24; }; — also note dnssec-validation was
// turned off in section 4.2, so forwarded answers are not validated.
forwarders {202.102.224.68; 202.102.227.68; 219.150.150.150; };

};

# service named restart   重启named服务



7. 辅助DNS服务器配置

场景:

为了提高域名服务可靠性,防止单点失败,企业新添加一个DNS服务器。由它作为abc.local的辅助DNS服务器。

辅助名称服务主机为ns2,IP地址为192.168.188.10


注:在辅助服务器上先完成上面 1.—4. 节的步骤(服务器名字和IP不同,其他步骤相同)



7.1.DNS组件安装

与主DNS安装类似.

# mount /dev/cdrom /mnt/cdrom/

# cd /mnt/cdrom/Packages/

# rpm -ivh bind-9.8.2-0.17.rc1.el6.x86_64.rpm bind-libs-9.8.2-0.17.rc1.el6.x86_64.rpm 

portreserve-0.0.4-9.el6.x86_64.rpm  (安装所需依赖组件)




7.2.配置Zone传递

在NS1上修改abc.local的zone文件,添加ns2的NS及A记录。

[root@ns1 ~]# vi /var/named/abc.local.zone


$TTL 3H

@ IN SOA ns1.abc.local. admin.abc.local. (

                         0    ; serial

                        1D    ; refresh

                        1H    ; retry

                        1W    ; expire

                        3H  ) ; minimum

NS ns1.abc.local.

NS ns2.abc.local.    ; 新增

ns1 A 192.168.1.241

ns2 A 192.168.1.242    ; 新增

ftp A 10.0.0.1

mailsrv1 A 10.0.0.2

www A 10.0.0.3

www A 10.0.0.4

smtp CNAME mailsrv1.abc.local.

pop3 CNAME mailsrv1.abc.local.

在NS2上先查看当前的zone数目,再修改主配置文件,将abc.local添加为slave zone。

[root@ns2 ~]# rndc status


version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 19    注意此zone数目

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running


[root@ns2 ~]# vi /etc/named.conf

在最后添加如下信息: 

// Secondary (slave) copy of abc.local on ns2, obtained from the master by zone transfer.
zone "abc.local" IN {

type slave;

// NOTE(review): writing the transferred file directly into /var/named/ is why
// chmod g+w is applied to that directory below; the slaves/ subdirectory is
// already owned by named, so file "slaves/abc.local.zone"; would avoid
// widening permissions on /var/named itself.
file "abc.local.zone";

// NOTE(review): 192.168.188.10 is ns2's own address (section 1); the master
// ns1 is 192.168.188.9 — confirm which address was actually used, since a
// slave cannot transfer the zone from itself.
masters {192.168.188.10; };

};

修改/var/named/目录许可,允许named组有写的权限       

[root@ns2 ~]# ll -d /var/named/

drwxr-x---. 5 root named 4096 Jul 29 14:02 /var/named/

[root@ns2 ~]# chmod g+w /var/named/

[root@ns2 ~]# ll -d /var/named/

drwxrwx--- 5 root named 4096 Jul 29 18:19 /var/named/

[root@ns2 ~]# service named restart

Stopping named: . [ OK ]

Starting named: [ OK ]

         

[root@ns2 ~]# rndc status

version: 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6

CPUs found: 1

worker threads: 1

number of zones: 20   多出一个

debug level: 0

xfers running: 0

xfers deferred: 0

soa queries in progress: 0

query logging is OFF

recursive clients: 0/0/1000

tcp clients: 0/100

server is up and running


[root@ns2 ~]# ls /var/named/ -l

total 32

-rw-r--r-- 1 named named  465 Sep  2 02:57 abc.local.zone  同步文件

drwxrwx--- 2 named named 4096 Aug 30 20:00 data

drwxrwx--- 2 named named 4096 Sep  2 04:29 dynamic

-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca

-rw-r----- 1 root  named  152 Dec 15  2009 named.empty

-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost

-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback

drwxrwx--- 2 named named 4096 Dec  5  2012 slaves


查看生成文件

[root@ns2 ~]# cat /var/named/abc.local.zone

$ORIGIN .

$TTL 10800      ; 3 hours

abc.local               IN SOA  ns1.abc.local. admin.abc.local. (

                                0          ; serial

                                86400      ; refresh (1 day)

                                3600       ; retry (1 hour)

                                604800     ; expire (1 week)

                                10800      ; minimum (3 hours)

                                )

                        NS      ns1.abc.local.

                        NS      ns2.abc.local.

$ORIGIN abc.local.

ftp                     A       10.0.0.1

mailsrv1                A       10.0.0.2

ns1                     A       192.168.188.9

ns2                     A       192.168.188.10

pop3                    CNAME   mailsrv1

smtp                    CNAME   mailsrv1

www                     A       10.0.0.3

                        A       10.0.0.4


测试一下

[root@ns2 ~]# nslookup

> server 192.168.188.10

Default server: 192.168.188.10

Address: 192.168.188.10#53

> www.abc.local

Server:         192.168.188.10

Address:        192.168.188.10#53


Name:   www.abc.local

Address: 10.0.0.4

Name:   www.abc.local

Address: 10.0.0.3

> exit