To keep the service stable and avoid the situation where a single server outage leaves no DNS service at all, DNS is deployed in a master/slave (primary/secondary) server architecture.
Master/slave (primary/secondary) DNS server architecture:
Details to note:
1. Primary and secondary are zone (domain)-level concepts;
2. Network communication between the primary and secondary servers must be reliable, and their clocks must be synchronized;
3. For every name server to be discoverable and usable, each name server needs an NS resource record in the zone database;
4. Every NS resource record in the zone database must have a corresponding A record;
5. By default the slave saves the zone database files it copies from the master in the /var/named/slaves directory;
6. The master must apply access control to which slaves may transfer the zone (allow-transfer); at the same time, the slave must specify its master server (masters);
Before building the master/slave architecture, make sure the servers' clocks are synchronized:
1. Both servers can synchronize to a network time server;
Example:
~]# ntpdate cn.pool.ntp.org
2. Set the master server as the time server of the master/slave setup, and let the slave synchronize to the master
Example:
Master: ~]# vim /etc/ntp.conf
Add: server 127.127.1.0 iburst
Master: ~]# systemctl start ntpd.service
Slave: ~]# ntpdate 172.16.72.1
// 172.16.72.1 (master server)
Example master/slave server architecture:
1. Edit the main configuration file (/etc/named.conf) of the BIND program on the master server (172.16.72.1)
zone "qhdlink.com" IN {
type master;
file "qhdlink.zone";
allow-update { none; };
allow-transfer { 172.16.69.1; };
// allow the slave server (172.16.69.1) to perform zone transfers from this server
};
zone "16.172.in-addr.arpa" IN {
type master;
file "172.16.local";
allow-transfer { 172.16.69.1; };
// allow the slave server (172.16.69.1) to perform zone transfers from this server
};
zone "188.168.192.in-addr.arpa" IN {
type master;
file "192.168.188.local";
allow-transfer { 172.16.69.1; };
// allow the slave server (172.16.69.1) to perform zone transfers from this server
};
2. On the master server (172.16.72.1), edit the file corresponding to each zone configuration section: qhdlink.zone, 172.16.local, 192.168.188.local
1)
named]# touch qhdlink.zone
named]# chmod 640 qhdlink.zone
named]# chgrp named qhdlink.zone
named]# vim qhdlink.zone
$ORIGIN qhdlink.com.
$TTL 86400
@ IN SOA ns1.qhdlink.com. root.qhdlink.com. (
2018040701;Serial
1H;Refresh
15M;Retry
1W;Expire
1D);Minimal TTL
IN NS ns1.qhdlink.com.
IN MX 10 mail.qhdlink.com.
ns1 IN A 172.16.72.1
mail IN A 172.16.72.1
www IN A 172.16.100.100
www IN A 172.16.100.101
www IN A 172.16.100.102
web IN CNAME www
ftp.qhdlink.com. IN CNAME web.qhdlink.com.
* IN A 172.16.200.1
qhdlink.com. IN A 172.16.200.2
bbs IN A 192.168.100.101
2)
named]# touch 172.16.local
named]# chmod 640 172.16.local
named]# chgrp named 172.16.local
named]# vim 172.16.local
$ORIGIN 16.172.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.qhdlink.com. root.qhdlink.com. (
2018040701;
1H;
15M;
1W;
6H);
IN NS ns1.qhdlink.com.
1.72 IN PTR ns1.qhdlink.com.
1.72 IN PTR mail.qhdlink.com.
100.100 IN PTR www.qhdlink.com.
101.100 IN PTR www.qhdlink.com.
102.100 IN PTR www.qhdlink.com.
1.200 IN PTR qhdlink.com.
3)
named]# cp -p 172.16.local 192.168.188.local
named]# vim 192.168.188.local
$ORIGIN 188.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA ns1.qhdlink.com. root.qhdlink.com. (
2018040701;
1H;
15M;
1W;
6H);
IN NS ns1.qhdlink.com.
101 IN PTR bbs.qhdlink.com.
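Rules 3 and 4 at the top of these notes (every name server has an NS record, every NS target has an A record) are easy to get wrong by hand, and a delegation whose NS target has no A record is the classic cause of a lame delegation. The following is an added example, not code from the original post and not part of BIND: a small parser for exactly the zone-file layout used above ($ORIGIN, $TTL, ';' comments, the '(' ... ')' SOA continuation, '@', relative owners and owner-less lines), followed by the rule 4 check. The two sample zones are constructed here; the first copies the qhdlink.com zone above, the second is a parent zone that delegates bj.qhdlink.org without a glue record.

```python
# Minimal parser for the zone-file layout used on this page, plus the NS/A glue
# check from rule 4 above. Added example, not the post's own code and not BIND.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


def absolutize(name, origin):
    """Expand '@' and relative names to fully qualified names under origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError(f"relative name {name!r} needs $ORIGIN or a zone name")
    return f"{name}.{origin}"


def parse_zone(text, origin=None):
    """Return [(owner, rtype, rdata_tokens)] with all names made absolute.
    origin is the zone name from named.conf; a $ORIGIN line overrides it."""
    records, last_owner, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop the comment part
        if not line:
            continue
        buf = f"{buf} {line}".strip()
        if buf.count("(") > buf.count(")"):
            continue                               # still inside a multi-line record
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "IN":                      # owner omitted: inherit previous
            owner = last_owner
        else:
            owner, tokens = tokens[0], tokens[1:]
        if tokens[0] == "IN":
            tokens = tokens[1:]
        rtype, rdata = tokens[0], tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):       # name-valued rdata fields
            rdata[i] = absolutize(rdata[i], origin)
        owner = absolutize(owner, origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def check_ns_glue(records):
    """Rule 4: every NS target inside the zone needs an A record in the zone.
    Returns the in-zone NS targets that have none."""
    apex = next(owner for owner, rtype, _ in records if rtype == "SOA")
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    missing = []
    for _, rtype, rdata in records:
        if rtype != "NS":
            continue
        target = rdata[0]
        in_zone = target == apex or target.endswith("." + apex)
        if in_zone and target not in a_owners:
            missing.append(target)
    return missing


# Constructed sample 1: the qhdlink.com zone as written above (consistent).
QHDLINK_COM = """\
$ORIGIN qhdlink.com.
$TTL 86400
@ IN SOA ns1.qhdlink.com. root.qhdlink.com. (
2018040701;Serial
1H;Refresh
15M;Retry
1W;Expire
1D);Minimal TTL
IN NS ns1.qhdlink.com.
IN MX 10 mail.qhdlink.com.
ns1 IN A 172.16.72.1
www IN A 172.16.100.100
web IN CNAME www
"""

# Constructed sample 2: a parent zone without $ORIGIN (like qhdlink.org.zone below)
# that delegates bj.qhdlink.org but has no glue A record for its name server.
LAME_PARENT = """\
$TTL 86400
qhdlink.org. IN SOA ns1.qhdlink.org. root.qhdlink.org. (
2018040701 ; serial
1H ; refresh
10M ; retry
3D ; expire
4H ) ; minimum
IN NS ns1
bj.qhdlink.org. IN NS ns1.bj.qhdlink.org.
ns1 IN A 172.16.72.1
"""

if __name__ == "__main__":
    print(check_ns_glue(parse_zone(QHDLINK_COM)))                   # []
    print(check_ns_glue(parse_zone(LAME_PARENT, "qhdlink.org.")))   # ['ns1.bj.qhdlink.org.']
```

Run it against a real zone file with `check_ns_glue(parse_zone(open(path).read(), "zone.name."))`; named-checkzone validates syntax but does not complain about an in-zone NS target without an address record, which is what this check catches.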
3. Edit the main configuration file (/etc/named.conf) of the BIND program on the slave server (172.16.69.1)
options {
listen-on port 53 { 127.0.0.1; 172.16.69.1; };
// the socket 172.16.69.1:53 that the named process listens on when the DNS service starts
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 172.16.72.1; };
// allow this server to process resolution queries sent by the master server (172.16.72.1)
// "172.16.72.1" can also be changed to "any", allowing this server to process resolution queries sent by any host
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
zone "qhdlink.com" IN {
type slave;
masters { 172.16.72.1; };
file "slaves/qhdlink.slave.zone";
allow-transfer { none; };
};
zone "16.172.in-addr.arpa" IN {
type slave;
masters { 172.16.72.1; };
file "slaves/172.16.slave.zone";
allow-transfer { none; };
};
zone "188.168.192.in-addr.arpa" IN {
type slave;
masters { 172.16.72.1; };
file "slaves/172.168.188.slave.zone";
allow-transfer { none; };
};
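The allow-transfer lines in the two configurations above are the only thing standing between a zone and a full AXFR dump of it by an arbitrary host, so they are worth auditing mechanically. The following is an added example, not code from the original post and not part of BIND: it scans zone stanzas in a named.conf fragment and reports authoritative zones whose transfer ACL is missing, set to "any", or (on a slave) re-opens transfers. The sample configuration is constructed here from the stanzas above plus two deliberately misconfigured zones; the zone names example-open.test and example-default.test are placeholders.

```python
# Audit allow-transfer in a named.conf fragment. Added example for this page;
# not the post's own code and not part of BIND.
import re

AUTHORITATIVE = {"master", "primary", "slave", "secondary"}


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a directive."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def zone_blocks(conf):
    """Yield (zone_name, body) for each zone stanza, matching braces by depth
    (a plain regex would stop at the first '};' inside a nested ACL)."""
    text = strip_comments(conf)
    for m in re.finditer(r'\bzone\s+"([^"]+)"', text):
        start = text.index("{", m.end())
        depth = 0
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(1), text[start + 1:i]
                    break


def audit_transfers(conf):
    """Return [(zone, problem)] for authoritative zones with a risky transfer ACL."""
    findings = []
    for name, body in zone_blocks(conf):
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = t.group(1).lower() if t else ""
        if ztype not in AUTHORITATIVE:
            continue                  # forward/hint/stub zones hold no zone data to leak
        m = re.search(r"\ballow-transfer\s*\{([^}]*)\}", body)
        acl = [x.strip().lower() for x in m.group(1).split(";") if x.strip()] if m else None
        if acl is None:
            findings.append((name, "no allow-transfer: inherits the global/default ACL"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; } lets every host AXFR the zone"))
        elif ztype in ("slave", "secondary") and acl != ["none"]:
            findings.append((name, "slave re-serves transfers; use { none; } unless it feeds other slaves"))
    return findings


# Constructed sample: the stanzas from the notes above plus one zone with an open
# transfer ACL and one that omits allow-transfer entirely.
SAMPLE_CONF = """
zone "qhdlink.com" IN {
    type master;
    file "qhdlink.zone";
    allow-update { none; };
    allow-transfer { 172.16.69.1; };   // only the slave may pull the zone
};
zone "16.172.in-addr.arpa" IN {
    type slave;
    masters { 172.16.72.1; };
    file "slaves/172.16.slave.zone";
    allow-transfer { none; };
};
zone "qhdlink.com.cn" IN {
    type forward;
    forward only;
    forwarders { 172.16.72.1; };
};
zone "example-open.test" IN {
    type master;
    file "example-open.test.zone";
    allow-transfer { any; };   /* exposed: anyone can dump the zone */
};
zone "example-default.test" IN {
    type master;
    file "example-default.test.zone";
};
"""

if __name__ == "__main__":
    for zone, problem in audit_transfers(SAMPLE_CONF):
        print(f"{zone}: {problem}")
```

A zone stanza without allow-transfer is reported rather than silently accepted: BIND falls back to the allow-transfer in options and, failing that, to its built-in default, which on the BIND 9 releases these notes target is "any". Pair this static check with a live one from an unauthorized host (`dig @172.16.72.1 qhdlink.com AXFR` should be refused).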
4. Check the syntax of the configuration files, and disable the firewall and SELinux:
named]# named-checkconf
named]# iptables -F
named]# setenforce 0
5. Changes to the main configuration file or zone database files do not take effect immediately; they take effect only after the configuration and zone files are reloaded. Ways to reload the configuration file:
1. systemctl reload named.service (CentOS 7.x)
2. rndc reload
3. systemctl restart named.service (not recommended)
4. service named reload (CentOS 6.x)
Note: when an application service process needs to reload its configuration, use reload whenever it is available; do not casually run restart;
6. Test after the configuration is complete
named]# dig @172.16.69.1 -x 192.168.188.101
named]# dig @172.16.69.1 -t A www.qhdlink.com
named]# dig @172.16.69.1 -x 172.16.100.100
Lessons learned:
For two servers A and B to both perform DNS resolution for the same IP/FQDN:
1. If server A's BIND main configuration file (/etc/named.conf) has a zone configuration section and the corresponding database file (XXX.zone) that performs the resolution;
2. then server B's BIND main configuration file (/etc/named.conf) (B being a slave of A) must have a matching zone configuration section in order to perform the resolution;
3. Ensure that in the zone configuration section of A's BIND main configuration file (/etc/named.conf), "allow-transfer { XXX.XXX.XXX.XXX; }" grants zone transfer permission to server B;
4. At the same time, in the global configuration section (options) of B's BIND main configuration file (/etc/named.conf), "listen-on port 53" must include server B's listening address, and "allow-query" must allow B (the local server) to process resolution query requests sent by server A
For C as a client to be able to obtain DNS resolution:
1. Firewall rules
2. In the global configuration section (options) of the corresponding server, "allow-query" must allow the server to process resolution query requests sent by client C
DNS forwarders:
Global forwarding:
1. Definition: all requests for zones that this server is not responsible for (does not manage) are forwarded to a specified server, which performs the recursive query;
2. Configuration location: the global configuration section (options) of BIND's main configuration file (/etc/named.conf)
Zone forwarding:
1. Definition: specifically for requests for one particular domain; if an authoritative answer cannot be given, the request is forwarded to the specified server for recursive query;
2. Configuration location: the zone configuration section (zone) of BIND's main configuration file (/etc/named.conf)
Forwarding methods:
forward first: forward first; if the servers specified in forwarders do not respond, perform the iterative lookup itself;
forward only: only use the servers specified in forwarders for recursive query; if no answer can be obtained, return a negative answer directly and do not perform an iterative lookup itself;
Notes:
1. Any form of request forwarding depends on the designated server allowing this server to perform recursive queries through it;
2. Root servers only perform iterative queries and will not perform recursive queries for any server
Why use a DNS forwarder:
1. Suppose there are two name servers A and B, where A is the master (primary name server) and B is the slave (secondary name server), and there is a client C
2. On A there is a zone configuration section and database file (test.zone) that resolves the FQDN www.test.com; C can point at A and obtain a positive answer for the DNS resolution;
3. Although B is a slave of A, B's /etc/named.conf has no zone configuration section covering www.test.com, and the zone's database file (test.zone) is not in /var/named/slaves on B; this may be because B has not yet had time to transfer the zone from A and update its configuration file and database contents;
4. At this point, if C points at B for DNS resolution, then even if "allow-query" in the global configuration section (options) of B's /etc/named.conf is set to "{ any; }" (B processes resolution queries sent by any host), C cannot obtain a positive answer; B can only return a negative answer (cannot resolve) to C
5. To keep the service efficiently available, when B cannot resolve a request it can pass the DNS resolution request to A for processing; this can be implemented with a DNS forwarder;
Testing with three virtual machines:
A: server side (172.16.72.1)
B: forwarder (172.16.69.1)
C: client (172.16.69.2)
Global forwarding example:
1. Edit the BIND main configuration file (/etc/named.conf) on server A (172.16.72.1) to define the qhdlink.org zone
named]# vim /etc/named.conf
zone "qhdlink.org" IN {
type master;
file "qhdlink.org.zone";
allow-transfer { none; };
};
2. Create the database file, set its permissions and add the resource records; edit the file corresponding to the zone configuration section in the main configuration file on server A (172.16.72.1): qhdlink.org.zone
named]# touch qhdlink.org.zone
named]# chgrp named qhdlink.org.zone
named]# chmod 640 qhdlink.org.zone
named]# vim qhdlink.org.zone
$TTL 86400
qhdlink.org. IN SOA ns1.qhdlink.org. root.qhdlink.org. (
2018040701;
1H;
10M;
3D;
4H);
IN NS ns1
ns1 IN A 172.16.72.1
www IN A 11.22.33.44
3. Edit the global configuration section (options) of the main configuration file (/etc/named.conf) on server B (172.16.69.1)
named]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 172.16.72.1; 172.16.69.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes;
forward first;
// forwarding method
forwarders { 172.16.72.1; };
// forward to 172.16.72.1
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
4. Check the configuration file and the corresponding database file
A:
named]# named-checkconf
named]# named-checkzone qhdlink.org qhdlink.org.zone
zone qhdlink.org/IN: loaded serial 2018040701
OK
B:
named]# named-checkconf
5. Changes to the main configuration file or zone database files do not take effect immediately; they take effect only after the configuration and zone files are reloaded. Ways to reload the configuration file:
1. systemctl reload named.service (CentOS 7.x)
2. rndc reload
3. systemctl restart named.service (not recommended)
4. service named reload (CentOS 6.x)
Note: when an application service process needs to reload its configuration, use reload whenever it is available; do not casually run restart;
6. Test after the configuration is complete
On client C:
~]# dig @172.16.72.1 -t A www.qhdlink.org
~]# dig @172.16.69.1 -t A www.qhdlink.org
// compare the two results; if the answers obtained are identical, the forwarder is working
On client C:
~]# nslookup
> set q=a
> server 172.16.69.1
Default server: 172.16.69.1
Address: 172.16.69.1#53
> www.qhdlink.org
Server: 172.16.69.1
Address: 172.16.69.1#53
Non-authoritative answer:
// a non-authoritative answer shows that it was obtained through forwarding, so the forwarder is working
Name: www.qhdlink.org
Address: 11.22.33.44
After the global forwarding test succeeds, comment out the global forwarding definition with "/* ... */" so that it does not distort the accuracy and validity of the zone forwarding test results;
Zone forwarding example:
1. Edit the BIND main configuration file (/etc/named.conf) on server A (172.16.72.1) to define the qhdlink.com.cn zone
named]# vim /etc/named.conf
zone "qhdlink.com.cn" IN {
type master;
file "qhdlink.com.cn.zone";
allow-transfer { none; };
};
2. Create the database file, set its permissions and add the resource records; edit the file corresponding to the zone configuration section in the main configuration file on server A (172.16.72.1): qhdlink.com.cn.zone
named]# touch qhdlink.com.cn.zone
named]# chgrp named qhdlink.com.cn.zone
named]# chmod 640 qhdlink.com.cn.zone
named]# vim qhdlink.com.cn.zone
$ORIGIN qhdlink.com.cn.
$TTL 86400
qhdlink.com.cn. IN SOA ns1.qhdlink.com.cn. root.qhdlink.com.cn. (
2018040701;
1H;
10M;
3D;
4H);
IN NS ns1
ns1 IN A 172.16.72.1
www IN A 1.2.3.4
3. Edit the global configuration section (options) and the zone configuration section (zone) of the main configuration file (/etc/named.conf) on server B (172.16.69.1)
named]# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 172.16.72.1; 172.16.69.1; };
// add listening on port 53 for the client C side (172.16.69.1)
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
// allow this server to process resolution queries sent by any host
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
zone "qhdlink.com.cn" IN {
type forward;
forward only;
forwarders { 172.16.72.1; };
};
4. Check the syntax of the configuration files
A:
named]# named-checkconf
named]# named-checkzone qhdlink.com.cn qhdlink.com.cn.zone
zone qhdlink.com.cn/IN: loaded serial 2018040701
OK
B:
named]# named-checkconf
5. Changes to the main configuration file or zone database files do not take effect immediately; they take effect only after the configuration and zone files are reloaded. Ways to reload the configuration file:
1. systemctl reload named.service (CentOS 7.x)
2. rndc reload
3. systemctl restart named.service (not recommended)
4. service named reload (CentOS 6.x)
Note: when an application service process needs to reload its configuration, use reload whenever it is available; do not casually run restart;
6. Test after the configuration is complete
On client C:
~]# dig @172.16.72.1 -t A www.qhdlink.com.cn
~]# dig @172.16.69.1 -t A www.qhdlink.com.cn
// compare the resolution results from A and B; if the answers are identical, the test succeeded
On client C:
~]# nslookup
> server 172.16.69.1
Default server: 172.16.69.1
Address: 172.16.69.1#53
> www.qhdlink.com.cn
Server: 172.16.69.1
Address: 172.16.69.1#53
Non-authoritative answer:
// a non-authoritative answer shows that it was obtained through forwarding, so the forwarder is working
Name: www.qhdlink.com.cn
Address: 1.2.3.4
Subdomain delegation:
Delegates the management authority over a subdomain to the subdomain's own name server; the parent domain stores none of the subdomain's database resource records, but for the delegation to succeed an NS record pointing to the subdomain's name server must be added in the parent;
Comparing subdomain delegation with forwarders:
1. Subdomain delegation actually provides the client with an iterative query mechanism;
2. A forwarder actually provides the client with a recursive query mechanism;
3. Because in neither case does the queried server return the DNS resolution result to the client directly from its own data, but completes the resolution with the "assistance" of a third party, the answer is non-authoritative;
Testing with three servers:
A: server side (172.16.72.1)
B: forwarder (172.16.69.1)
C: client (172.16.69.2)
Subdomain delegation example:
1. Configure the qhdlink.org domain on A; the bj.qhdlink.org domain is not configured on A
named]# vim /etc/named.conf
zone "qhdlink.org" IN {
type master;
file "qhdlink.org.zone";
allow-transfer { none; };
};
named]# vim qhdlink.org.zone
$TTL 86400
qhdlink.org. IN SOA ns1.qhdlink.org. root.qhdlink.org. (
2018040701;
1H;
10M;
3D;
4H);
IN NS ns1
bj.qhdlink.org. IN NS ns1.bj.qhdlink.org.
ns1 IN A 172.16.72.1
ns1.bj.qhdlink.org. IN A 172.16.69.1
www IN A 11.22.33.44
2. Configure the bj.qhdlink.org domain on B
named]# vim /etc/named.conf
zone "bj.qhdlink.org" IN {
type master;
file "bj.qhdlink.org.zone";
allow-transfer { none; };
};
named]# touch bj.qhdlink.org.zone
named]# chgrp named bj.qhdlink.org.zone
named]# chmod 640 bj.qhdlink.org.zone
named]# vim bj.qhdlink.org.zone
$ORIGIN bj.qhdlink.org.
$TTL 86400
@ IN SOA ns1.bj.qhdlink.org. root.bj.qhdlink.org. (
2018040701;
3H;
30M;
10D;
8H);
IN NS ns1
ns1 IN A 172.16.69.1 ; B's own address, matching the glue record for ns1.bj.qhdlink.org in the parent zone on A
www IN A 55.66.77.88
3. Check the syntax of the zone files
A:
named]# named-checkconf
named]# named-checkzone qhdlink.org qhdlink.org.zone
B:
named]# named-checkconf
named]# named-checkzone bj.qhdlink.org bj.qhdlink.org.zone
4. Changes to the main configuration file or zone database files do not take effect immediately; they take effect only after the configuration and zone files are reloaded. Ways to reload the configuration file:
1. systemctl reload named.service (CentOS 7.x)
2. rndc reload
3. systemctl restart named.service (not recommended)
4. service named reload (CentOS 6.x)
Note: when an application service process needs to reload its configuration, use reload whenever it is available; do not casually run restart;
5. Test after the configuration is complete
C:
~]# dig @172.16.72.1 -t A www.bj.qhdlink.org
// obtaining a positive answer means the test succeeded
From the subdomain delegation example it can be seen that:
1. A is configured with qhdlink.org only and resolves only the contents of that domain;
2. B is configured with bj.qhdlink.org only and resolves only the contents of that domain;
3. But only by adding these two RRs to the database file of the qhdlink.org domain on A:
bj.qhdlink.org. IN NS ns1.bj.qhdlink.org.
ns1.bj.qhdlink.org. IN A 172.16.69.1
4. can A reach B: for a DNS resolution query sent by client C, although A cannot answer the query from its own server, it can delegate to B, let B provide the DNS resolution service for C, and have the result returned to C
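The four points above describe a referral chain: A answers from its own data only up to the delegation point, and the two RRs (NS plus glue A) are what let the query continue to B. The following is an added example, not code from the original post and not part of BIND: a constructed model of the A/B/C setup in which each server holds only the zones it is authoritative for, with recursion off, and a client that resolves iteratively by following referrals through the glue address. In the notes, A recurses on C's behalf after finding the delegation; the client loop here does the same hops explicitly. The `with_glue=False` variant shows what happens when the glue record is left out, and querying B for a name outside its zone reproduces the "B cannot answer" case from the forwarder section. All addresses and names are taken from the notes above; the dictionaries are constructed sample data.

```python
# Iterative resolution across a subdomain delegation, modelled on the A/B/C
# setup in the notes. Added example; constructed data, not the post's or BIND's code.


def build_servers(with_glue=True):
    """Constructed data for A and B; with_glue=False drops the glue A record.
    Layout: {server_ip: {zone_name: {owner: {rtype: [rdata, ...]}}}}."""
    parent = {
        "qhdlink.org": {"NS": ["ns1.qhdlink.org"]},
        "ns1.qhdlink.org": {"A": ["172.16.72.1"]},
        "www.qhdlink.org": {"A": ["11.22.33.44"]},
        "bj.qhdlink.org": {"NS": ["ns1.bj.qhdlink.org"]},      # delegation NS
    }
    if with_glue:
        parent["ns1.bj.qhdlink.org"] = {"A": ["172.16.69.1"]}   # glue record
    child = {
        "bj.qhdlink.org": {"NS": ["ns1.bj.qhdlink.org"]},
        "ns1.bj.qhdlink.org": {"A": ["172.16.69.1"]},
        "www.bj.qhdlink.org": {"A": ["55.66.77.88"]},
    }
    return {"172.16.72.1": {"qhdlink.org": parent},     # A serves the parent only
            "172.16.69.1": {"bj.qhdlink.org": child}}   # B serves the child only


def lookup(zones, qname, qtype):
    """One non-recursive authoritative server answering one query.
    Returns ("answer", rdata), ("referral", ns_name, glue_ip_or_None),
    ("nxdomain",) or ("refused",) when no served zone encloses qname."""
    zone = max((z for z in zones if qname == z or qname.endswith("." + z)),
               key=len, default=None)
    if zone is None:
        return ("refused",)
    records = zones[zone]
    labels = qname.split(".")
    # Look for a delegation point strictly below the apex, closest to qname first.
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name == zone:
            break
        if "NS" in records.get(name, {}):
            ns = records[name]["NS"][0]
            glue = records.get(ns, {}).get("A", [None])[0]
            return ("referral", ns, glue)
    rdata = records.get(qname, {}).get(qtype)
    return ("answer", rdata) if rdata else ("nxdomain",)


def resolve(servers, start_ip, qname, qtype="A", max_hops=5):
    """Iterative resolution as the client does it: query, follow referrals
    via the glue address, stop on an answer or when the referral is lame."""
    path, ip = [], start_ip
    for _ in range(max_hops):
        path.append(ip)
        reply = lookup(servers[ip], qname, qtype)
        if reply[0] != "referral":
            rdata = reply[1] if reply[0] == "answer" else None
            return {"status": reply[0], "rdata": rdata, "path": path}
        ns, glue = reply[1], reply[2]
        if glue is None or glue not in servers:
            # Without glue the client has no address for the child's server
            # (asking the parent for it would only loop): lame delegation.
            return {"status": "lame", "ns": ns, "rdata": None, "path": path}
        ip = glue
    return {"status": "loop", "rdata": None, "path": path}


if __name__ == "__main__":
    print(resolve(build_servers(), "172.16.72.1", "www.bj.qhdlink.org"))
    print(resolve(build_servers(with_glue=False), "172.16.72.1", "www.bj.qhdlink.org"))
    print(resolve(build_servers(), "172.16.69.1", "www.qhdlink.org"))
```

The first call follows the path A then B and returns 55.66.77.88, which is what `dig @172.16.72.1 -t A www.bj.qhdlink.org` in step 5 relies on; the second stops at A with a lame delegation, and the third shows B refusing a name it does not serve, the situation the forwarder section solves with forward first.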