部署主从DNS

发表于 | 分类于
字数统计: 861 | 阅读时长 ≈ 5

1.主DNS服务部署

1.1 yum安装DNS服务和依赖

1
[admin@haifly-bj-dns1 ~]$ sudo yum install bind-chroot

1.2 启动named-chroot服务

1
2
[admin@haifly-bj-dns1 ~]$ sudo systemctl start named
[admin@haifly-bj-dns1 ~]$ sudo systemctl enable named

1.3 修改/etc/named.conf配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
[admin@haifly-bj-dns1 ~]$ sudo cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };

/* 
\- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
\- If you are building a RECURSIVE (caching) DNS server, you need to enable 
recursion. 
\- If your recursive DNS server has a public IP address, you MUST enable access 
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification 
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface 
*/
recursion yes;
allow-recursion { 0.0.0.0/0; };

forward first;
forwarders {
180.76.76.76;
114.114.114.114;
};

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "feiersmart.local" IN {
type master; 
file "feiersmart.local.zone";
allow-transfer { 192.168.1.219; }; 
allow-query { any; }; 
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

2.从DNS服务部署:

2.1 安装同主DNS服务一样

2.2 修改/etc/named.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
[admin@haifly-bj-dns2 ~]$ sudo cat /etc/named.conf
[sudo] password for admin: 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
listen-on port 53 { any; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };

/* 
\- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
\- If you are building a RECURSIVE (caching) DNS server, you need to enable 
recursion. 
\- If your recursive DNS server has a public IP address, you MUST enable access 
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification 
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface 
*/
recursion yes;
allow-recursion { 0.0.0.0/0; };

forward first;
forwarders {
119.29.29.29;
114.114.114.114;
};

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

zone "feiersmart.local" IN {
type slave; 
file "slaves/feiersmart.local.zone";
masters { 192.168.5.244; }; 
allow-query { any; }; 
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

3.使用中的注意事项

3.1 修改 dns 解析

每次修改 DNS 解析,只需要修改主机的配置,一定要修改时间戳,否则会导致配置备机配置不生效。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
[root@haifly-bj-dns1 named]# cat feiersmart.local.zone 
$ORIGIN feiersmart.local.
$TTL 600

@      IN  SOA         dns1.feiersmart.local. root.feiersmart.local. (
                       20190711 //最后修改时间
                       3600
                       3600
                       604800
                       86400
)


@      IN  NS          dns1.feiersmart.local.
       IN  NS          dns2.feiersmart.local.

dns1   IN  A 192.168.5.244
dns2   IN  A 192.168.1.219

hb0.kafka1   IN  A       192.168.6.213
hb0.kafka2   IN  A       192.168.3.94
hb0.kafka3   IN  A       192.168.5.245

3.2 修改 dns 解析完成后,重启服务

1
[admin@haifly-bj-dns1 ~]$ sudo systemctl restart named
-------------本文结束感谢您的阅读-------------
分享到: 收藏夹 复制网址 邮件 微信 QQ空间 腾讯微博 豆瓣 一键分享 更多