DNS主从复制+正向反向解析实现
一、环境准备
192.168.100.9:master
192.168.100.10:slave
192.168.100.5:测试机
关闭防火墙以及selinux(仅限实验环境; 生产环境建议保留SELinux为enforcing, 防火墙只放行53/tcp与53/udp)
时间同步
二、master配置
2.1、正向解析主配置
1、查看本机是否有bind,如果没有就下载
[root@centos_9 ~]# rpm -ql bind && echo -e "OK" || yum install -y bind
2、配置DNS数据库
[root@centos_9 named]# cat xzcdc.com.zone
$TTL 1D
@ IN SOA master admin.ns1. ( 1 1D 1H 1W 3D )
NS master
NS slave
master A 192.168.100.9
slave A 192.168.100.10
ftp A 192.168.100.120
www CNAME web
web A 192.168.100.121
web A 192.168.100.122
mao A 192.168.100.123
3、检查DNS数据库是否正确(named-checkzone的第一个参数是区域名, 第二个参数才是文件名, 即 named-checkzone xzcdc.com xzcdc.com.zone; 下面把文件名当作区域名也能通过语法检查, 但输出中显示的区域名会是xzcdc.com.zone)
[root@centos_9 named]# named-checkzone xzcdc.com.zone xzcdc.com.zone
zone xzcdc.com.zone/IN: loaded serial 1
OK
4、配置xzcdc.com域
zone "xzcdc.com" {
type master;
file "xzcdc.com.zone";
};
5、检查域配置文件
[root@centos_9 named]# named-checkconf /etc/named.rfc1912.zones
6、修改主配置文件
[root@centos_9 named]# vim /etc/named.conf
options {
listen-on port 53 { localhost; }; # 表示监听端口,可以写多个IP,或者是用localhost代替
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # 允许哪个IP主机访问; 对只做权威解析的服务器建议同时加上 recursion no; 否则对外开放查询时就成了开放递归解析器(4.2的应答flags里的ra表示当前递归是开启的)
allow-transfer { 192.168.100.10; }; # 表示允许slave在master上抓取数据,其他人不允许
};
2.2、配置反向解析
1、配置区域
vim /etc/named.rfc1912.zones
zone "100.168.192.in-addr.arpa"{
type master;
file "192.168.100.zone";
};
2、配置数据库
[root@centos_9 named]# cat 192.168.100.zone
$TTL 1D
@ IN SOA master admin.ns1. ( 4 1D 1H 1W 3D )
NS master
NS slave
master A 192.168.100.9
slave A 192.168.100.10
122 PTR web.xzcdc.com
120 PTR ftp.xzcdc.com
121 PTR web.xzcdc.com
123 PTR mao.xzcdc.com
[root@centos_9 named]# named-checkzone 192.168.100.zone 192.168.100.zone
zone 192.168.100.zone/IN: loaded serial 4
OK
1、启动
[root@centos_9 named]# systemctl start named && systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Sun 2021-11-28 19:29:08 CST; 7s ago
Process: 3002 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3000 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of
zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 3004 (named)
Tasks: 5
CGroup: /system.slice/named.service
└─3004 /usr/sbin/named -u named -c /etc/named.conf
Nov 28 19:29:08 centos_9 named[3004]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 28 19:29:08 centos_9 named[3004]: zone localhost.localdomain/IN: loaded serial 0
Nov 28 19:29:08 centos_9 named[3004]: zone localhost/IN: loaded serial 0
Nov 28 19:29:08 centos_9 named[3004]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Nov 28 19:29:08 centos_9 named[3004]: zone xzcdc.com/IN: loaded serial 1
Nov 28 19:29:08 centos_9 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 28 19:29:08 centos_9 named[3004]: all zones loaded
Nov 28 19:29:08 centos_9 named[3004]: running
Nov 28 19:29:08 centos_9 named[3004]: zone xzcdc.com/IN: sending notifies (serial 1)
Nov 28 19:29:09 centos_9 named[3004]: error (network unreachable) resolving './NS/IN': 2001:500:12::d0d#53
(上面这条日志表示named尝试通过IPv6访问根服务器但本机没有IPv6出口, 不影响对xzcdc.com的权威解析)
三、slave配置
3.1、正向解析从配置
1、修改配置文件
[root@centos_9 named]# vim /etc/named.conf
options {
listen-on port 53 { localhost; }; # 表示监听端口,可以写多个IP,或者是用localhost代替,可以注释
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # 允许哪个IP主机访问
allow-transfer {none;}; # slave不对任何主机提供区域传送
};
2、配置域
zone "xzcdc.com" {
type slave;
masters { 192.168.100.9; };
file "slaves/xzcdc.com.zone.slave";
};
3、检查配置文件
[root@centos_10 ~]# named-checkconf /etc/named.rfc1912.zones
4、当启动的时候会自动生成从数据库,但是master得先启动
[root@centos_10 ~]# systemctl start named
[root@centos_10 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 403 Nov 28 19:49 xzcdc.com.zone.slave
3.2、从的反向解析配置
vim /etc/named.rfc1912.zones
zone "100.168.192.in-addr.arpa"{ # 这个名字一定要和master一样
type slave;
masters {192.168.100.17;}; # 必须填写真实的master地址(本实验中master为192.168.100.9), 否则slave永远拿不到区域数据
file "slaves/192.168.100.zone.slave"; # 启动生成
};
四、注意事项以及测试
4.1、测试主从是否复制
1、修改master数据库的编号(即SOA记录括号内的第一个数字serial),一定要比现有的大,并让配置文件生效,再次查看slave上的从数据库文件是否增大
[root@centos_10 slaves]# ll
total 4
-rw-r--r-- 1 named named 403 Nov 28 19:52 xzcdc.com.zone.slave
[root@centos_10 slaves]# ll
total 4
-rw-r--r-- 1 named named 444 Nov 28 19:55 xzcdc.com.zone.slave
4.2、测试正向解析
[root@centos_5 ~]# dig ftp.xzcdc.com @192.168.100.9
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> ftp.xzcdc.com @192.168.100.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58860
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.xzcdc.com. IN A
;; ANSWER SECTION:
ftp.xzcdc.com. 86400 IN A 192.168.100.120
;; AUTHORITY SECTION:
xzcdc.com. 86400 IN NS master.xzcdc.com.
xzcdc.com. 86400 IN NS slave.xzcdc.com.
;; ADDITIONAL SECTION:
master.xzcdc.com. 86400 IN A 192.168.100.9
slave.xzcdc.com. 86400 IN A 192.168.100.10
;; Query time: 2 msec
;; SERVER: 192.168.100.9#53(192.168.100.9)
;; WHEN: Sun Nov 28 20:42:32 CST 2021
;; MSG SIZE rcvd: 131
4.3、测试反向解析
注意: 下面应答中的PTR指向mao.xzcdc.com.100.168.192.in-addr.arpa., 是因为反向库里PTR右侧的主机名没有以"."结尾, 被当作相对名追加了$ORIGIN; 应写成 123 PTR mao.xzcdc.com. (NS记录同理)
[root@centos_5 ~]# dig -x 192.168.100.123 @192.168.100.9
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -x 192.168.100.123 @192.168.100.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 980
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;123.100.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
123.100.168.192.in-addr.arpa. 86400 IN PTR mao.xzcdc.com.100.168.192.in-addr.arpa.
;; AUTHORITY SECTION:
100.168.192.in-addr.arpa. 86400 IN NS slave.100.168.192.in-addr.arpa.
100.168.192.in-addr.arpa. 86400 IN NS master.100.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
master.100.168.192.in-addr.arpa. 86400 IN A 192.168.100.9
slave.100.168.192.in-addr.arpa. 86400 IN A 192.168.100.10
;; Query time: 1 msec
;; SERVER: 192.168.100.9#53(192.168.100.9)
;; WHEN: Sun Nov 28 20:40:49 CST 2021
;; MSG SIZE rcvd: 158
[root@centos_5 ~]# dig -x 192.168.100.120 @192.168.100.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -x 192.168.100.120 @192.168.100.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17647
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;120.100.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
120.100.168.192.in-addr.arpa. 86400 IN PTR ftp.xzcdc.com.100.168.192.in-addr.arpa.
;; AUTHORITY SECTION:
100.168.192.in-addr.arpa. 86400 IN NS slave.100.168.192.in-addr.arpa.
100.168.192.in-addr.arpa. 86400 IN NS master.100.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
master.100.168.192.in-addr.arpa. 86400 IN A 192.168.100.9
slave.100.168.192.in-addr.arpa. 86400 IN A 192.168.100.10
;; Query time: 1 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Sun Nov 28 20:41:41 CST 2021
;; MSG SIZE rcvd: 158
4.4、因为我们在前面配置了安全加固(master只允许slave做区域传送, slave不允许任何主机), 所以从测试机上对master和slave都抓取不了整个区域的数据
安全加固代码如下:
master:
vim /etc/named.conf
options{
allow-transfer {192.168.100.16;}; # 谁是从就把数据传给谁,只让从来抓取数据(这里应填slave的实际地址, 本实验中slave为192.168.100.10)
};
slave:
vim /etc/named.conf
options{
allow-transfer {none;};
};
[root@centos_5 ~]# dig -t axfr xzcdc.com @192.168.100.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t axfr xzcdc.com @192.168.100.10
;; global options: +cmd
; Transfer failed.
[root@centos_5 ~]# dig -t axfr xzcdc.com @192.168.100.9
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t axfr xzcdc.com @192.168.100.9
;; global options: +cmd
; Transfer failed.
4.5、如果取消安全加固, 结果如下(任何主机都能用axfr一次拿到整个区域的全部记录, 这正是需要限制allow-transfer的原因):
[root@centos_5 ~]# dig -t axfr xzcdc.com @192.168.100.9
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t axfr xzcdc.com @192.168.100.9
;; global options: +cmd
xzcdc.com. 86400 IN SOA master.xzcdc.com. admin.ns1. 4 86400 3600 604800 259200
xzcdc.com. 86400 IN NS master.xzcdc.com.
xzcdc.com. 86400 IN NS slave.xzcdc.com.
ftp.xzcdc.com. 86400 IN A 1.1.1.1
mao.xzcdc.com. 86400 IN A 4.4.4.3
master.xzcdc.com. 86400 IN A 192.168.100.9
slave.xzcdc.com. 86400 IN A 192.168.100.10
web.xzcdc.com. 86400 IN A 3.3.3.3
web.xzcdc.com. 86400 IN A 4.4.4.4
www.xzcdc.com. 86400 IN CNAME web.xzcdc.com.
xzcdc.com. 86400 IN SOA master.xzcdc.com. admin.ns1. 4 86400 3600 604800 259200
;; Query time: 0 msec
;; SERVER: 192.168.100.9#53(192.168.100.9)
;; WHEN: Sun Nov 28 20:08:09 CST 2021
;; XFR size: 11 records (messages 1, bytes 275)
[root@centos_5 ~]# dig -t axfr xzcdc.com @192.168.100.10
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> -t axfr xzcdc.com @192.168.100.10
;; global options: +cmd
xzcdc.com. 86400 IN SOA master.xzcdc.com. admin.ns1. 4 86400 3600 604800 259200
xzcdc.com. 86400 IN NS master.xzcdc.com.
xzcdc.com. 86400 IN NS slave.xzcdc.com.
ftp.xzcdc.com. 86400 IN A 1.1.1.1
mao.xzcdc.com. 86400 IN A 4.4.4.3
master.xzcdc.com. 86400 IN A 192.168.100.9
slave.xzcdc.com. 86400 IN A 192.168.100.10
web.xzcdc.com. 86400 IN A 3.3.3.3
web.xzcdc.com. 86400 IN A 4.4.4.4
www.xzcdc.com. 86400 IN CNAME web.xzcdc.com.
xzcdc.com. 86400 IN SOA master.xzcdc.com. admin.ns1. 4 86400 3600 604800 259200
;; Query time: 1 msec
;; SERVER: 192.168.100.10#53(192.168.100.10)
;; WHEN: Sun Nov 28 20:08:29 CST 2021
;; XFR size: 11 records (messages 1, bytes 275)