CentOS 7 DNS服务器部署
项目背景和要求
要保证即能够解析内网域名linuxidc.local的解析,又能解析互联网的域名。
主DNS服务器:ZZYH1.LINUXIDC.LOCAL
辅助DNS服务器:ZZYH2.LINUXIDC.LOCAL
包含以下域的信息:
1、linuxidc.local域的信息:
2、192.168.188.0/24、192.168.189.0/24反向解析域
要求实现chroot功能,以提高安全性
实现到202.102.224.68、202.102.227.68的DNS转发。
防止非授权用户的DNS记录的枚举(防止出现类似上海烟草公司的安全隐患)。仅允许管理员在192.168.188.10上进行操作。
DNS网络配置
除了传统的修改/etc/resolv.conf之外,还有通过在ifcfg文件中添加配置的方式。
Tip: 与Windows在某个网卡中设置DNS服务器的IP地址类似
# vi/etc/sysconfig/network-scripts/ifcfg-eno16777728
# Generated by parse-kickstart IPV6INIT=no
BOOTPROTO=static
DEVICE=eno16777728
ONBOOT=yes
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
NAME="System eno16777728"
IPADDR=192.168.188.15
NETMASK=255.255.255.0
GATEWAY=192.168.188.2
DNS1=192.168.188.15 DNS2=192.168.188.16
这样,当重新启动network服务时,会生成/etc/resolv.conf中的配置
# servicenetwork restart
Restarting network (via systemctl): [ OK ]
# cat/etc/resolv.conf
# Generated by NetworkManager
search linuxidc.local
nameserver 192.168.188.15 nameserver192.168.188.16
配置Yum库
[root@zzyh2 ~]# cd /etc/yum.repos.d/
[root@zzyh2 yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Sources.repo CentOS-Vault.repo
[root@zzyh2 yum.repos.d]#
[root@zzyh1 yum.repos.d]# cpCentOS-Base.repo CentOS-Base.repo.origin
[root@zzyh1 yum.repos.d]# viCentOS-Base.repo
配置内容
[base]
name=CentOS-$releasever - Base
baseurl=file:///media
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
安装DNS支持包
#yum -y installbind bind-util bind-chroot //
[root@zzyh1 ~]# cd /media/Packages/
[root@zzyh1 Packages]# yum -y install bindbind-util bind-chroot
Warning: RPMDB altered outside of yum.
Installing : 32:bind-libs-9.9.4-14.el7.x86_64 1/3
Installing : 32:bind-9.9.4-14.el7.x86_64 2/3
Installing : 32:bind-chroot-9.9.4-14.el7.x86_64 3/3
Verifying :32:bind-9.9.4-14.el7.x86_64 1/3
Verifying : 32:bind-libs-9.9.4-14.el7.x86_64 2/3
Verifying :32:bind-chroot-9.9.4-14.el7.x86_64 3/3
Installed:
bind.x86_64 32:9.9.4-14.el7 bind-chroot.x86_64 32:9.9.4-14.el7
Dependency Installed:
bind-libs.x86_6432:9.9.4-14.el7
Complete!
查看bind的生成包
[root@zzyh2 ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
配置文件
[root@zzyh1 ~]# cd /etc
[root@zzyh1 etc]# cp named.confnamed.conf.origin
[root@zzyh1 etc]# vi /etc/named.conf
[root@zzyh1 etc]# cat /etc/named.conf、
//listen-on port 53 { 127.0.0.1; };
listen-on port 53 { any; };
//dnssec-enable yes;
//dnssec-validation yes;
dnssec-enable no;
dnssec-validation no;
配置转发地址:
forwarders {202.102.224.68; 202.102.227.68;};
allow-transfer {192.168.188.15; 192.168.188.12;};
查看状态
[root@zzyh1 etc]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
测试一下解析
补充一下
#find / -name nslookup
/usr/bin/nslookup
#rpm -qf/usr/bin/nslookup //查询这个命令依附于那个包 bind-utils-9.9.4-14.el7.x86_64.rpm
执行
#nslookup //如果找不到nslookup那是因为没有安装bind-utils-9.9.4-14.el7.x86_64.rpm
> server 192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
> g.cn //尝试解析g.cn
Server: 192.168.188.15
Address: 192.168.188.15#53
Non-authoritative answer:
Name: g.cn
Address: 203.208.36.17
Name: g.cn
Address: 203.208.36.18
Name: g.cn
Address: 203.208.36.16
Name: g.cn
Address: 203.208.36.20
Name: g.cn
Address: 203.208.36.19
//解析成功
添加自定义zone
自定义,修改配置文件
[root@zzyh1~]# vi /etc/named.conf
在最后添加
zone "linuxidc.local" IN {
type mester;
file "linuxidc.local.zone";
}
zone "188.168.192.in-addr.arpa"IN {
type master;
file "192.168.188.zone";
}
zone "189.168.192.in-addr.arpa"IN {
type master;
file "192.168.189.zone";
}
include"/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@zzyh1named]# cp named.empty linuxidc.local.zone //修改前备份一下
[root@zzyh1 named]# ls
linuxidc.local.zone data named.ca named.localhost slaves
chroot dynamic named.empty named.loopback
配置文件
[root@zzyh1named]# vi linuxidc.local.zone
$TTL 3H
@ IN SOA zzyh1.linuxidc.local. chenzhou312.blog.51cto.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H) ; minimum
IN NS zzyh1.linuxidc.local.
IN NS zzyh2.linuxidc.local.
zzyh1 IN A 192.168.188.15
zzyh2 IN A 192.168.188.16
ftp IN A 192.168.188.15
mailyh1 IN A 192.168.188.22
smtp IN CNAME mailyh1.linuxidc.local.
pop3 IN CNAME mailyh1.linuxidc.local.
www IN A 192.168.188.15
crm IN A 192.168.188.15
#vi192.168.188.zone
$TTL 3H
@ IN SOA zzyh1.linuxidc.local. chenzhou312.blog.51cto.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expiredgG
3H) ; minimum
IN NS zzyh1.linuxidc.local.
IN NS zzyh2.linuxidc.local.
15 IN PTR zzyh1.linuxidc.local.
15 IN PTR ftp.linuxidc.local.
16 IN PTR zzyh2.linuxidc.local.
16 IN PTR mailyh1.linuxidc.local.
#vi192.168.189.zone
$TTL 3H
@ IN SOA zzyh1.linuxidc.local. chenzhou312.blog.51cto.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H) ; minimum
IN NS zzyh1.linuxidc.local.
IN NS zzyh2.linuxidc.local.
www IN NS 192.168.188.15
重启服务
[root@zzyh1 named]# systemctl restartnamed.service
[root@zzyh1 named]# service named restart
Redirecting to /bin/systemctl restart named.service
[root@zzyh1 named]# rndc status
version: 9.9.4-RedHat-9.9.4-14.el7<id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 104
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
设置为自动启动
# systemctl enable named
[root@zzyh1 named]# systemctl status named
named.service - Berkeley Internet NameDomain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
Active: active (running) since Mon 2014-08-25 00:36:59 CST; 3min 47s ago
MainPID: 2807 (named)
CGroup: /system.slice/named.service
a””a”2807 /usr/sbin/named -u named
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 1.0.0.127.in-addr.arpa...
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 1.0.0.0.0.0.0.0.0.0.0....
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: all zones loaded
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: running
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 188.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.linuxidc.localnamed[2807]: zone 189.168.192.in-addr.ar...
Aug 25 00:36:59 zzyh1.linuxidc.localsystemd[1]: Started Berkeley Internet N....
Aug 25 00:37:00 zzyh1.linuxidc.localnamed[2807]: managed-keys-zone: No DNSKE...
Hint: Some lines were ellipsized, use -l toshow in full.
测试
# nslookup
> server192.168.188.15
Default server: 192.168.188.15
Address: 192.168.188.15#53
>www.linuxidc.local.
Server: 192.168.188.15
Address: 192.168.188.15#53
Name: www.linuxidc.local
Address: 192.168.188.15
>smtp.linuxidc.local.
Server: 192.168.188.15
Address: 192.168.188.15#53
smtp.linuxidc.local canonical name = mailyh1.linuxidc.local.
Name: mailyh1.linuxidc.local
Address: 192.168.188.22
>192.168.188.15
Server: 192.168.188.15
Address: 192.168.188.15#53
15.188.168.192.in-addr.arpa name = ftp.linuxidc.local.
15.188.168.192.in-addr.arpa name = zzsrv1.linuxidc.local.
> exit
zzyh2上的DNS配置
安装BIND
与zzyh1上的主DNS配安装一样。
操作略。
配置
Cache Only Server
与zzyh1上的主DNS配安装一样。
操作略。
添加辅助Zone
# vi /etc/named.conf
添加如下zone信息
zone "linuxidc.local" IN {
type slave;
masters {192.168.188.15; };
file "linuxidc.local.zone";
};
zone "188.168.192.in-addr.arpa"IN {
type slave;
masters {192.168.188.15; };
file "192.168.188.zone";
};
zone "189.168.192.in-addr.arpa"IN {
type slave;
masters {192.168.188.15; };
file "192.168.189.zone";
};
修改目录权限
[root@zzyh2 named]# ll /var/named/ -d
drwxr-x--- 6 root named 133 Aug 15 14:06/var/named/
[root@zzyh2 named]# chmod g+w /var/named/
[root@zzyh2 named]# ll /var/named/ -d
drwxrwx--- 6 root named 133 Aug 15 14:06/var/named/
启动服务
[root@zzyh2 ~]# systemctl startnamed.service
Redirecting to /bin/systemctl restart named.service
设置为自动启动
[root@zzyh2 ~]# systemctl enable named
ln -s'/usr/lib/systemd/system/named.service''/etc/systemd/system/multi-user.target.wants/named.service'
查看日志,检查是否有报错信息。(建议在启动时,就在另外一个会话时就打开)
# tail -f /var/log/messages
测试BIND
在zzyh1上生成了相应的zone文件
[root@zzyh2 ~]# ll /var/named/
total 28
-rw-r--r-- 1 named named 451 Aug 15 14:58 192.168.188.zone
-rw-r--r-- 1 named named 254 Aug 15 15:05 192.168.189.zone
-rw-r--r-- 1 named named 647 Aug 15 15:16 linuxidc.local.zone
drwxr-x--- 7 root named 56 Aug 15 14:06 chroot
drwxrwx--- 2 named named 22 Aug 15 14:19 data
drwxrwx--- 2 named named 58 Aug 15 16:20 dynamic
-rw-r----- 1 root named 2076 Jan 28 2013 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Jun 10 16:13 slaves
[root@zzyh1 ~]# vi /var/named/linuxidc.local.zone
添加一个A记录
test IN A 10.0.0.1
并且将,zone的序列号增大
[root@zzyh1 ~]# rndc reload
server reload successful
在zzyh1的日志中会看到
zone linuxidc.local/IN: sending notifiesrial 15)
client 192.168.188.16#41658 (linuxidc.loc:transfer of 'linuxidc.local/IN': AXFR-style IXFR started
client 192.168.188.16#41658 (linuxidc.loc:transfer of 'linuxidc.local/IN': AXFR-style IXFR ended
在zzyh2的日志中会看到
client 192.168.188.15#33856: received notifyfor zone 'linuxidc.local'
zone linuxidc.local/IN: Transfer started.
transfer of 'linuxidc.local/IN' from192.168.188.15#53: connected using 192.168.188.16#41658
zone linuxidc.local/IN: transferred serial15
transfer of 'linuxidc.local/IN' from192.168.188.15#53: Transfer completed: 1 messages, 13 records, 339 bytes, 0.005secs (67800 bytes/sec)
zone linuxidc.local/IN: sending notifies(serial 15)
测试
# nslookup
> server 192.168.188.16
Default server: 192.168.188.16
Address: 192.168.188.16#53
> test.linuxidc.local.
Server: 192.168.188.16
Address: 192.168.188.16#53
Name: test.linuxidc.local
Address: 10.0.0.1
> exit
