1:环境配置:
服务器:demo1 ip:192.168.75.100
2: 安装dns
[root@demo1 ~]# yum install bind bind-chroot bind-utils -y
bind-9.7.3-8.P3.el6.x86_64.rpm #该包为DNS 服务的主程序包。
bind-chroot-9.7.3-8.P3.el6.x86_64.rpm # 提高安全性。
[root@demo1 ~]# ls /etc/named.conf
/etc/named.conf
named.conf 是BIND 的核心配置文件,它包含了BIND 的基本配置,但其并不包括区域数据。
/var/named/ 目录为 DNS 数据库文件的存放目录，每一个域的区域文件都放在这里。
[root@demo1 ~]# less /etc/named.conf
[root@demo1 ~]# ls /var/named/chroot/
dev etc run usr var
启动:
[root@demo1 ~]# systemctl start named
[root@demo1 ~]# systemctl enable named
[root@demo1 etc]# vim /etc/named.conf
options {
listen-on port 53 { any; }; # "any" is the edited value: listen on every interface
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes; # recursive queries are enabled by default
# NOTE(review): "recursion yes" together with "allow-query { any; }" and
# "listen-on { any; }" makes this an open recursive resolver on every network
# the host is attached to; unless the server is reachable only from the LAN,
# limit recursion to trusted clients with allow-recursion { <internal-nets>; };
dnssec-lookaside auto; # added "for security" by the original author
# NOTE(review): DLV lookaside was retired by ISC and is a no-op or removed on
# newer BIND releases - confirm against the installed version before relying on it.
};
# custom zone
zone "demo1.cn" IN {
type master;
file "demo1.cn.zone"; # relative to "directory" above, i.e. /var/named/demo1.cn.zone
};
创建区域文件:
[root@demo1 etc]# cd /var/named/
[root@demo1 named]# ls
chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@demo1 named]# cp -a named.localhost demo1.cn.zone
[root@demo1 named]# ls
chroot demo1.cn.zone named.ca named.localhost slaves
data dynamic named.empty named.loopback
[root@demo1 named]# vim demo1.cn.zone
[root@demo1 named]# cat /var/named/demo1.cn.zone
$TTL 1D ; default TTL for records that do not carry one
; SOA: authoritative name server and admin mailbox (root@demo1.cn, "@" written as ".")
demo1.cn. IN SOA dns.demo1.cn. root.demo1.cn. (
0 ; serial - increment on every edit, otherwise a slave will not pull the change
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
demo1.cn. NS dns.demo1.cn.
dns.demo1.cn. A 192.168.75.100
www.demo1.cn. A 192.168.75.100
www1.demo1.cn. CNAME www.demo1.cn.
[root@demo1 etc]# systemctl restart named #重启
3:dns主从服务器
1:主服务器配置:
生成密钥:
[root@demo1 named]# cd /var/named/chroot/etc/
[root@demo1 etc]# dnssec-keygen -a hmac-md5 -b 128 -n HOST abc
[root@demo1 etc]# ll
总用量 8
-rw------- 1 root root 47 1月 28 16:21 Kabc.+157+03280.key
-rw------- 1 root root 165 1月 28 16:21 Kabc.+157+03280.private
drwxr-x--- 2 root named 6 4月 13 2018 named
drwxr-x--- 3 root named 25 1月 28 15:56 pki
[root@demo1 etc]# cat Kabc.+157+03280.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: LefeTThm3O7IaXvg6ii3NQ==
Bits: AAA=
Created: 20190128082129
Publish: 20190128082129
Activate: 20190128082129
[root@demo1 etc]# vim /etc/named.conf
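options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
# NOTE(review): with "forward only" and "allow-query { any; }" this host relays
# recursive lookups to 8.8.8.8 for anyone who can reach port 53; add
# allow-recursion { <internal-nets>; }; unless the server is LAN-only.
dnssec-lookaside auto;
/* Path to ISC DLV key */
forward only;
forwarders { 8.8.8.8; };
bindkeys-file "/etc/named.iscdlv.key";
}; # was "}" - every named.conf block must end with ";", otherwise named-checkconf rejects the file
# TSIG key that authenticates zone transfers; the secret is the "Key:" line of
# Kabc.+157+03280.private and must be identical in the slave's named.conf.
# NOTE(review): hmac-md5 is deprecated for TSIG - generate the key with
# hmac-sha256 instead, and keep the key statement in a separate file with
# restrictive permissions pulled in via include rather than inline here.
key abckey{
algorithm hmac-md5;
secret "LefeTThm3O7IaXvg6ii3NQ==";
};
zone "demo1.cn" IN {
type master;
file "demo1.cn.zone";
allow-transfer { key abckey; }; # AXFR/IXFR only for requests signed with abckey
};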
2:从服务器:
服务器: demo2 ip:192.168.75.101
[root@demo2 ~]# yum install bind bind-chroot bind-utils -y
[root@demo2 ~]# vim /etc/named.conf
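options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
# NOTE(review): open recursion (see "allow-query { any; }" above) - restrict it
# with allow-recursion { <internal-nets>; }; if hosts outside the LAN can reach this server.
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
}; # was "}" - the closing ";" is mandatory; named fails to parse the file without it
# Same TSIG key as on the master (demo1): name, algorithm and secret must match exactly.
key abckey{
algorithm hmac-md5;
secret "LefeTThm3O7IaXvg6ii3NQ==";
};
zone "demo1.cn" IN {
type slave;
file "slaves/demo1.cn.zone"; # the transferred copy is written here; slaves/ must be writable by named
masters { 192.168.75.100 key abckey; }; # pull the zone from the master, signing transfer requests with the key
allow-transfer { none; }; # the slave should not hand the zone out itself; do not rely on the version-specific default
};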
[root@demo2 slaves]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@demo2 slaves]# systemctl start named
[root@demo2 named]# cat /etc/resolv.conf
# Generated by NetworkManager
#search demo.cn
nameserver 192.168.75.100
nameserver 192.168.1.1
[root@demo2 named]# nslookup www.demo1.cn
Server: 192.168.75.100
Address: 192.168.75.100#53
Name: www.demo1.cn
Address: 192.168.75.100
[root@demo2 named]# ping www.demo1.cn
PING www.demo1.cn (192.168.75.100) 56(84) bytes of data.
64 bytes from demo1.cn (192.168.75.100): icmp_seq=1 ttl=64 time=0.244 ms
64 bytes from demo1.cn (192.168.75.100): icmp_seq=2 ttl=64 time=0.399 ms