Previous post: CentOS 6 service management, DNS: building a local DNS server
Let's build a master/slave pair of DNS servers.
Lab environment:
CentOS 6.6 (Final), two machines
IP addresses:
172.16.31.3  DNS1  master DNS server
172.16.31.4  DNS2  slave DNS server
We usually need the following three packages to set up a DNS server:
bind-libs.x86_64   # provides the library files
bind-utils.x86_64  # provides the tools (dig, host, nslookup, ...)
bind.x86_64        # provides the main package (named)
I have not used the security package yet, so I did not install the bind-chroot package.
The chroot environment exists for system security; generally speaking, the major distributions today automatically run your bind-related programs inside a chroot.
In the previous post I already built a local DNS server that does forward and reverse resolution, so all we need to do is add a slave DNS server. Let's start configuring master and slave:
1. Additional configuration on the master DNS server:
[root@dns1 named]# cat oracle.com.zone
$TTL 600
$ORIGIN oracle.com.
@       IN SOA  ns.oracle.com. root.oracle.com. (
                2014121002 ;serial
                1D         ;refresh
                5M         ;retry
                1W         ;expiry
                1H)        ;minimum
@       IN NS   ns.oracle.com.
        IN NS   ns1.oracle.com.
        IN MX 5 mail.oracle.com.
ns      IN A    172.16.31.3
ns1     IN A    172.16.31.4
www     IN A    172.16.31.3
www     IN A    172.16.31.4
mail    IN A    172.16.31.3
pop3    IN A    172.16.31.3
iamp4   IN A    172.16.31.3
2. Configuration of the slave DNS server
Remember to install the bind package!
Main configuration file:
We can simply copy the master's main configuration file /etc/named.conf over to the slave; convenient and lazy -_-!
Test network connectivity between master and slave:
[root@dns2 ~]# ping -c 3 172.16.31.3
PING 172.16.31.3 (172.16.31.3) 56(84) bytes of data.
64 bytes from 172.16.31.3: icmp_seq=1 ttl=64 time=2.16 ms
64 bytes from 172.16.31.3: icmp_seq=2 ttl=64 time=0.519 ms
^C
--- 172.16.31.3 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1306ms
rtt min/avg/max/mdev = 0.519/1.343/2.167/0.824 ms
Copy the master DNS server's main configuration file to the slave:
[root@dns2 ~]# scp root@172.16.31.3:/etc/named.conf /etc/named.conf
The authenticity of host '172.16.31.3 (172.16.31.3)' can't be established.
RSA key fingerprint is b8:a4:da:03:91:67:32:2f:d5:72:0b:77:3b:6f:ba:30.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.31.3' (RSA) to the list of known hosts.
root@172.16.31.3's password:
named.conf                                    100% 1008     1.0KB/s   00:00
Have a look at the configuration file (it is explained in detail in the previous post):
[root@dns2 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        //listen-on port 53 { 127.0.0.1; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside no;

        /* Path to ISC DLV key */
        /*bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic"; */
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Zone configuration file on the slave: /etc/named.rfc1912.zones
Add the slave DNS zones at the bottom of this file:
The /var/named/ directory on the server is owned by root with group named, and the named group has no write permission on it; if named could write to this directory the system would be less secure. For that reason the package provides a slaves/ subdirectory inside it, which is where zone files received from the master are stored.
[root@dns2 named]# vim /etc/named.rfc1912.zones
zone "oracle.com" IN {
        type slave;
        file "slaves/oracle.com.zone";
        masters { 172.16.31.3; };
};
zone "31.16.172.in-addr-arpa" IN {
        type slave;
        file "slaves/172.16.31.zone";
        masters { 172.16.31.3; };
};
Check that the syntax is correct:
[root@dns2 named]# named-checkconf
[root@dns2 named]# named-checkconf /etc/named.rfc1912.zones
3. Starting the slave DNS server and resolving an error
[root@dns2 named]# service named start
Generating /etc/rndc.key:  [  OK  ]
Starting named:            [  OK  ]
I made a mistake in the configuration file, writing 31.16.172.in-addr.arpa as 31.16.172.in-addr-arpa, and debugged it as follows:
Let's look at the slave's log; it shows a transfer error:
[root@dns2 named]# tail /var/log/messages
Dec 10 09:31:30 dns2 named[25953]: zone localhost/IN: loaded serial 0
Dec 10 09:31:30 dns2 named[25953]: managed-keys-zone ./IN: loaded serial 0
Dec 10 09:31:30 dns2 named[25953]: running
Dec 10 09:31:30 dns2 named[25953]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:1::803f:235#53
Dec 10 09:31:30 dns2 named[25953]: error (network unreachable) resolving './NS/IN': 2001:500:1::803f:235#53
Dec 10 09:31:30 dns2 named[25953]: zone 31.16.172.in-addr-arpa/IN: refresh: non-authoritative answer from master 172.16.31.3#53 (source 0.0.0.0#0)
Dec 10 09:31:31 dns2 named[25953]: zone oracle.com/IN: Transfer started.
Dec 10 09:31:31 dns2 named[25953]: transfer of 'oracle.com/IN' from 172.16.31.3#53: connected using 172.16.31.4#55664
Dec 10 09:31:31 dns2 named[25953]: zone oracle.com/IN: transferred serial 2014121001
Dec 10 09:31:31 dns2 named[25953]: transfer of 'oracle.com/IN' from 172.16.31.3#53: Transfer completed: 1 messages, 10 records, 254 bytes, 0.006 secs (42333 bytes/sec)
The slave is supposed to receive both the forward and the reverse zone files from the master into its local slaves/ directory, but only the forward zone was transferred successfully: the master is not authoritative for a zone named "31.16.172.in-addr-arpa", so its SOA reply is non-authoritative and the slave refuses to transfer. Debugging:
Then I restarted the service on the master DNS:
[root@dns1 named]# service named restart
Stopping named:  [  OK  ]
Starting named:  [  OK  ]
[root@dns1 named]# tail /var/log/messages
Dec 10 09:32:57 dns1 named[26720]: zone 31.16.172.in-addr.arpa/IN: loaded serial 2014121001
Dec 10 09:32:57 dns1 named[26720]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Dec 10 09:32:57 dns1 named[26720]: zone oracle.com/IN: loaded serial 2014121002
Dec 10 09:32:57 dns1 named[26720]: zone localhost.localdomain/IN: loaded serial 0
Dec 10 09:32:57 dns1 named[26720]: zone localhost/IN: loaded serial 0
Dec 10 09:32:57 dns1 named[26720]: managed-keys-zone ./IN: loaded serial 6
Dec 10 09:32:57 dns1 named[26720]: running
Dec 10 09:32:57 dns1 named[26720]: zone oracle.com/IN: sending notifies (serial 2014121002)
Dec 10 09:32:57 dns1 named[26720]: client 172.16.31.4#53252: transfer of 'oracle.com/IN': AXFR-style IXFR started
Dec 10 09:32:57 dns1 named[26720]: client 172.16.31.4#53252: transfer of 'oracle.com/IN': AXFR-style IXFR ended
The log above shows that only the oracle.com.zone file was transferred; nothing happens for the "31.16.172.in-addr-arpa" zone. It is the master that actively pushes updates to the slave: it sends notifies for the changed zone and the slave then transfers it.
Fix the error in /etc/named.rfc1912.zones and reload the named service:
[root@dns2 named]# service named reload
Reloading named:  [  OK  ]
[root@dns2 named]# tail /var/log/messages
Dec 10 09:40:53 dns2 named[25953]: using default UDP/IPv6 port range: [1024, 65535]
Dec 10 09:40:53 dns2 named[25953]: sizing zone task pool based on 8 zones
Dec 10 09:40:53 dns2 named[25953]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Dec 10 09:40:53 dns2 named[25953]: zone 31.16.172.in-addr-arpa/IN: (slave) removed
Dec 10 09:40:53 dns2 named[25953]: reloading configuration succeeded
Dec 10 09:40:53 dns2 named[25953]: reloading zones succeeded
Dec 10 09:40:53 dns2 named[25953]: zone 31.16.172.in-addr.arpa/IN: Transfer started.
Dec 10 09:40:53 dns2 named[25953]: transfer of '31.16.172.in-addr.arpa/IN' from 172.16.31.3#53: connected using 172.16.31.4#37022
Dec 10 09:40:53 dns2 named[25953]: zone 31.16.172.in-addr.arpa/IN: transferred serial 2014121001
Dec 10 09:40:53 dns2 named[25953]: transfer of '31.16.172.in-addr.arpa/IN' from 172.16.31.3#53: Transfer completed: 1 messages, 10 records, 268 bytes, 0.001 secs (268000 bytes/sec)
As the log shows, the transfer of our reverse zone file has now succeeded.
Error resolved.
Check whether the zone files have arrived:
[root@dns2 named]# ls slaves/
172.16.31.zone  oracle.com.zone
4. Testing from the slave DNS server
Besides the dig and host commands, the nslookup command can test the state of a DNS server, and Windows ships this tool as well. Let's test from the Windows physical machine first!
It works! But where did ns1.oracle.com go in the reverse lookup? @_@!
Originally we only configured it in the forward zone file on the master; O(∩_∩)O I forgot to configure it in the reverse zone file, haha.
Let's configure it @
[root@dns1 named]# cat 172.16.31.zone
$TTL 600
$ORIGIN 31.16.172.in-addr.arpa.
@       IN SOA  ns.oracle.com. root.oracle.com. (
                2014121002 ;serial
                1D         ;refresh
                5M         ;retry
                1W         ;expiry
                1H)        ;minimum
@       IN NS   ns.oracle.com.
        IN NS   ns1.oracle.com.
        IN MX 5 mail.oracle.com.
3       IN PTR  ns.oracle.com.
4       IN PTR  ns1.oracle.com.
3       IN PTR  www.oracle.com.
4       IN PTR  www.oracle.com.
3       IN PTR  mail.oracle.com.
3       IN PTR  pop3.oracle.com.
3       IN PTR  iamp4.oracle.com.
Note: increment the serial number by 1 @
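Both problems hit in this post (the "in-addr-arpa" typo in the slave zone name, and an A record with no matching PTR) can be caught before reloading named. The following checker is an added example written for this post, not code from the post or from BIND; it parses the zone-file format shown above and assumes a /24 reverse zone, no per-record TTL fields, and a $ORIGIN line before the first record. The sample zones are constructed from the post's files, with ns1 left out of the reverse zone on purpose.

```python
import re
# Constructed samples modelled on the post's zone files; the reverse zone omits ns1 (172.16.31.4) on purpose.
FORWARD_ZONE = """$ORIGIN oracle.com.
@   IN SOA ns.oracle.com. root.oracle.com. ( 2014121002 ;serial
        1D 5M 1W 1H )
@   IN NS ns.oracle.com.
    IN NS ns1.oracle.com.
ns  IN A 172.16.31.3
ns1 IN A 172.16.31.4
www IN A 172.16.31.3
"""
REVERSE_ZONE = """$ORIGIN 31.16.172.in-addr.arpa.
@   IN SOA ns.oracle.com. root.oracle.com. ( 2014121001 ;serial
        1D 5M 1W 1H )
3   IN PTR ns.oracle.com.
3   IN PTR www.oracle.com.
"""

def parse_zone(text):
    """Return (origin, soa_serial, [(fqdn, type, rdata)]); assumes no per-record TTL fields."""
    body = "\n".join(l.split(";")[0].rstrip() for l in text.splitlines())   # drop comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # join ( ... )
    origin, serial, owner, records = None, None, None, []
    for line in body.splitlines():
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if not line.strip() or line.startswith("$"):
            continue
        parts = line.split()
        if not line[0].isspace():          # a leading blank means "same owner as above"
            owner = parts.pop(0)
        rtype, *rdata = [p for p in parts if p != "IN"]
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if rtype == "SOA":
            serial = int(rdata[2])         # MNAME RNAME SERIAL ...
        records.append((fqdn, rtype, rdata))
    return origin, serial, records

def missing_ptrs(fwd_text, rev_text):
    """A records in the forward zone that have no matching PTR in the /24 reverse zone."""
    _, _, fwd = parse_zone(fwd_text)
    rev_origin, _, rev = parse_zone(rev_text)
    ptrs = {(owner, rdata[0]) for owner, rtype, rdata in rev if rtype == "PTR"}
    return [(name, rdata[0]) for name, rtype, rdata in fwd if rtype == "A"
            and (f"{rdata[0].split('.')[-1]}.{rev_origin}", name) not in ptrs]

def valid_reverse_zone_name(zone_name):
    """Reject names such as '31.16.172.in-addr-arpa' (the hyphen typo from this post)."""
    return re.fullmatch(r"(\d{1,3}\.){1,3}in-addr\.arpa\.?", zone_name) is not None
```

Running missing_ptrs on the two samples reports ns1.oracle.com / 172.16.31.4, exactly the record the reverse lookup in the post could not find; the serial returned by parse_zone is also what to compare against the "transferred serial" lines in the slave's log.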
Because the zone file has changed, the service needs to be restarted!
[root@dns1 named]# service named restart
Stopping named:  [  OK  ]
Starting named:  [  OK  ]
[root@dns1 named]# tail /var/log/messages
Dec 10 09:59:39 dns1 named[26814]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Dec 10 09:59:39 dns1 named[26814]: zone oracle.com/IN: loaded serial 2014121002
Dec 10 09:59:39 dns1 named[26814]: zone localhost.localdomain/IN: loaded serial 0
Dec 10 09:59:39 dns1 named[26814]: zone localhost/IN: loaded serial 0
Dec 10 09:59:39 dns1 named[26814]: managed-keys-zone ./IN: loaded serial 6
Dec 10 09:59:39 dns1 named[26814]: running
Dec 10 09:59:39 dns1 named[26814]: zone 31.16.172.in-addr.arpa/IN: sending notifies (serial 2014121002)
Dec 10 09:59:39 dns1 named[26814]: zone oracle.com/IN: sending notifies (serial 2014121002)
Dec 10 09:59:39 dns1 named[26814]: client 172.16.31.4#39152: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR started
Dec 10 09:59:39 dns1 named[26814]: client 172.16.31.4#39152: transfer of '31.16.172.in-addr.arpa/IN': AXFR-style IXFR ended
Let's test reverse resolution again!
As shown above, resolution succeeded!
In fact, you can also test with the commands available on Linux! O(∩_∩)O haha
With this, the master/slave DNS server setup is complete!
Next we will cover RNDC and the security configuration of BIND.