DNS.配置

DNS 配置1. 使用bind 来安装DNS# yum install bind 服务器软件包 # yum install bind-chroot 安全考虑 用来将bind 与OS 分离出来 虚拟

DNS 配置

1. 使用bind 来安装DNS

# yum install bind          服务器软件包
# yum install bind-chroot   出于安全考虑: 让 named 运行在 chroot 的虚拟根目录(/var/named/chroot)中, 与操作系统其余部分隔离, 即使 named 进程被攻破, 也只能访问该目录下的文件

2. 建立uplooking.com 的正解与反解

修改主配置文件
[root@stu254 etc]# grep any named.caching-nameserver.conf
listen-on port 53 { any; };
allow-query { any; };
match-clients { any; };
match-destinations { any; };
监听端口, 查询地址, 客户端和查询目的地址 都改成any。注意: allow-query { any; } 若与 options 中的递归查询(recursion)一起对外开放, 这台服务器就会成为任何人都能使用的开放递归解析器, 容易被外部滥用; 只对外提供权威解析时, 应把递归限制在内网客户端或关闭。
[root@stu254 etc]# 建立正反解查询
[root@stu254 etc]# tail named.rfc1912.zones
zone "uplooking.com" IN {
        type master;
        file "uplooking.com.zone.db";
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "uplooking.com.arpa.db";
};
[root@stu254 etc]# 建立正反解区域文件 从localhost.zone 复制 修改
[root@stu254 named]# pwd
/var/named/chroot/var/named
[root@stu254 named]# cat uplooking.com.zone.db
$TTL    86400
@       IN SOA  @ root (
                        2009060401      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
        IN NS   dns.uplooking.com.
        IN MX 5 mail.uplooking.com.
mail    IN A    10.10.10.30
dns     IN A    192.168.1.31
www     IN A    192.168.1.31

解释

NS 授权记录

A ip 地址记录

MX 5(优先级) 邮件交换记录 SOA 起始授权记录 CNAME 别名记录

PTR 反解记录

[root@stu254 named]# cat uplooking.com.arpa.db
$TTL    86400
@       IN SOA  @ root (
                        2009060401      ; serial (d. adams)
                        3H              ; refresh
                        15M             ; retry
                        1W              ; expiry
                        1D )            ; minimum
        IN NS   dns.uplooking.com.
        IN MX 5 mail.uplooking.com.
30      IN PTR  mail.uplooking.com.
31      IN PTR  dns.uplooking.com.
31      IN PTR  www.uplooking.com.
[root@stu254 named]#
修改区域文件的权限
# chown :named /var/named/chroot/var/named/uplooking.com.*
用语法检查工具检查配置
# named-checkconf /var/named/chroot/etc/named.caching-nameserver.conf

# named-checkzone uplooking.com /var/named/chroot/var/named/uplooking.com.*

zone uplooking.com/IN: loaded serial 2009060401
OK
# 没有问题, 重新启动 named
# service named restart

3. 语法检查和测试工具

DNS 客户端修改成本机
[root@stu254 named]# cat /etc/resolv.conf
search uplooking.com
nameserver 192.168.1.31

,

[root@stu254 named]# host www.uplooking.com
www.uplooking.com has address 192.168.1.31
[root@stu254 named]# host mail.uplooking.com
mail.uplooking.com has address 10.10.10.31
mail.uplooking.com mail is handled by 5 mail.uplooking.com.
[root@stu254 named]# host 192.168.1.31
31.1.168.192.in-addr.arpa domain name pointer www.uplooking.com.

[root@stu254 named]# nslookup
> www.uplooking.com
Server:         192.168.1.31
Address:        192.168.1.31#53
Name:   www.uplooking.com
Address: 192.168.1.31
> mail.uplooking.com
Server:         192.168.1.31
Address:        192.168.1.31#53
Name:   mail.uplooking.com
Address: 192.168.1.31
> 192.168.1.31
Server:         192.168.1.31
Address:        192.168.1.31#53
31.1.168.192.in-addr.arpa       name = www.uplooking.com.
31.1.168.192.in-addr.arpa       name = mail.uplooking.com.

4. 负载均衡

修改正解文件:
www 0 IN A 192.168.1.31
www 0 IN A 192.168.1.30
www 0 IN A 192.168.1.32
用 ping www 测试, 会每次显示不同 IP。其中 0 是生存时间(TTL): 设为 0 表示应答不被客户端缓存, 每次查询都会重新轮询到下一个 IP, 因此可以当做权值来使用。

5. 直接解析域名和连续域名解析和泛域名解析

在正解文件中添加 uplooking.com. IN A 192.168.1.31 # host uplooking.com uplooking.com has address 192.168.1.31

,

连续域名解析, 需要用$GENERATE函数 比如要解析1-254个循环的变量

stu$ 是主机名 192.168.1.$ 是对应地址

$GENERATE 1-254 stu$ IN A 192.168.1.$

$GENERATE 1-254 $ IN PTR stu$.uplooking.com.

泛域名解析 一定要写在最后

* IN A 192.168.1.31

6. 搭建主从服务器

修改主机配置文件 (用 allow-transfer 把区域传送限制为从机地址, 避免任意主机拿到整个区域数据; 仅凭来源 IP 的 ACL 可被伪造, 第 7 节的 TSIG 签名更可靠)

[root@stu31 named]# tail -n 12 /var/named/chroot/etc/named.rfc1912.zones
zone "uplooking.com" IN {
        type master;
        file "uplooking.com.zone.db";
        allow-transfer {192.168.1.32;};
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "uplooking.com.arpa.db";
        allow-transfer {192.168.1.32;};
};
[root@stu31 named]#
在主机的zone 文件中加入从机做NS
正解:           IN NS   dns.uplooking.com.
        dns     IN A    192.168.1.32

反解:           IN NS   dns.uplooking.com.
        32      IN PTR  dns.uplooking.com.

如不修改, 则从机只能在启动或 SOA refresh 到期时自己去拉取 zone 文件; 主机的 NOTIFY 默认只发给区域中登记为 NS 的服务器, 所以从机不会在主机更新正解反解文件后随之更新

修改从机配置文件 无需建立zone 文件
[root@stu32 named]# tail -n 12 /var/named/chroot/etc/named.rfc1912.zones
zone "uplooking.com" IN {
        type slave;
        file "slaves/uplooking.com.zone.db";
        masters {192.168.1.31;};
};
zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/uplooking.com.arpa.db";
        masters {192.168.1.31;};
};
[root@stu32 named]#
测试: 重新启动主从服务器, zone 文件会自动复制过去; 再向主服务器中添加新的正反记录并修改版本号(serial), 重新启动主后, 从即可更新记录

7. DNS 主从数据transfer 的TSIG 方法

TSIG (事务签名) 方式: 主从双方共享同一个 Key, 用它对区域传送请求进行签名和校验

生成密钥: dnssec-keygen -a hmac-md5 -b 128 -n HOST 名字. (注: hmac-md5 已被视为弱算法, 较新的 BIND 建议改用 hmac-sha256 并把 -b 提高到 256; 生成的密钥文件含明文 secret, 应妥善保管)

master dns:

key pgkey {

algorithm hmac-md5;

,

secret "BmGdrEJzYDFegy4wM8TBdQ=="; };

zone "uplooking.com" IN {

type master;

file "uplooking.com.zone";

allow-transfer { key pgkey; };

};

slave dns: (key 名称与 secret 必须和主机完全一致; 含 secret 的配置文件应限制为仅 named 用户可读)

key pgkey {

algorithm hmac-md5;

secret "BmGdrEJzYDFegy4wM8TBdQ=="; };

zone "uplooking.com" IN {

type slave;

file "slaves/uplooking.com.slave.zone"; masters { 192.168.1.254 key pgkey; }; };

8. 转发域服务器 (forward first: 先把查询转给 forwarders 中列出的服务器, 它们无应答时再自行递归; forward only 则不回退)

options {

allow-query { 192.168.1.0/24; }; forward first;
