1. Experiment environment
1.1 Requirements
- Configure BIND for forward resolution
- Configure BIND for reverse resolution
- Configure BIND on the secondary DNS
- Implement zone transfer between the primary and secondary DNS
1.2 Environment planning
Primary DNS:       centos6.8-01  172.24.8.10  linuxmaster.aliyun.com
Secondary DNS:     centos6.8-02  172.24.8.11  linuxslave.aliyun.com
Yum + WWW server:  CentOS7-03    172.24.8.30  mirrors.aliyun.com
Client:            centos6.8-03  172.24.8.20
Domain name:       aliyun.com
2. Configure forward resolution
- Step 1: Install the DNS software package (BIND) with yum
- Step 2: Create or modify the main configuration file (/etc/named.conf)
- Step 3: Create a zone data file (/var/named/*.zone)
- Step 4: Use named-checkconf and named-checkzone to test the configuration file and the zone file for syntax errors
- Step 5: Make sure the main configuration file and every zone database file have mode 640, owner root and group named
- Step 6: Restart the service or reload the configuration file
- Step 7: Adjust the iptables and SELinux settings (if you are not familiar with these two, you can disable them temporarily)
- Step 8: Query DNS resource records from Linux/Windows hosts with dig/nslookup
2.1 Install bind
[root@linuxmaster ~]# yum -y install bind
2.2 Configure the main configuration file
[root@linuxmaster ~]# cat /etc/named.conf
......
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";      # root directory for zone files; the relative paths below are relative to it
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };    # which hosts are allowed to query
        recursion yes;                     # whether recursive queries are allowed

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {                                  # log definition
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {                              # the root zone (hint file)
        type hint;
        file "named.ca";                   # relative path, i.e. /var/named/named.ca
};

include "/etc/named.rfc1912.zones";        # zone configuration file; further zone files can also be pulled in with include
include "/etc/named.root.key";             # key file of the root zone, used for transaction signatures

Comment out the following three lines (so the server is no longer limited to localhost):
        // listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        // allow-query     { localhost; };
[root@linuxmaster ~]# service named start    # start the named service
Validation:
Run ss -taunl | grep ":53" or netstat -tlun to verify that the service has started and is listening on port 53.
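Commenting out allow-query { localhost; } while keeping recursion yes means any host that can reach the server can use it as a recursive resolver, and a master or slave zone with no allow-transfer can be pulled whole with dig -t axfr (as section 4.7 does) by anyone. The following is an added example, not part of the tutorial: a small audit of named.conf for those two settings, with a constructed copy of the page's weakened options block and a hardened variant that uses BIND's allow-recursion and allow-transfer directives restricted to the lab network from 1.2. The same audit can be run on the secondary's configuration.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit named.conf for an open recursive
# resolver and for authoritative zones that anyone may transfer.

# audit_named_conf FILE: print one line per finding; exit status = number of findings
audit_named_conf() {
    awk '
    function strip(s) {
        sub(/(\/\/|#).*/, "", s)            # // and # comments to end of line
        gsub(/\/\*[^*]*\*\//, "", s)        # single-line /* ... */ comments
        return s
    }
    {
        line = strip($0)
        if (depth == 0 && line ~ /^[ \t]*(options|zone)[ \t]/) {
            stanza = line
            sub(/^[ \t]*/, "", stanza); sub(/[ \t]*\{.*$/, "", stanza)
            sub(/[ \t]+IN$/, "", stanza); gsub(/"/, "", stanza)   # -> "options" or "zone aliyun.com"
            rec = ""; restrict = ""; ztype = ""; xfer = ""
        }
        if (stanza ~ /^options/) {
            if (line ~ /recursion[ \t]+yes/) rec = "yes"
            if (line ~ /allow-recursion/ || (line ~ /allow-query/ && line !~ /[ \t{]any[ \t;]/)) restrict = "yes"
            if (line ~ /allow-transfer/ && line !~ /[ \t{]any[ \t;]/) global_xfer = "yes"
        } else if (stanza ~ /^zone/) {
            if (line ~ /type[ \t]+(master|slave)/) ztype = "auth"
            if (line ~ /allow-transfer/) xfer = "yes"
        }
        depth += gsub(/\{/, "{", line) - gsub(/\}/, "}", line)
        if (depth == 0 && stanza != "") {           # stanza closed: evaluate it
            if (stanza ~ /^options/ && rec == "yes" && restrict == "") {
                findings++
                print "options: recursion yes without allow-recursion/allow-query restriction (open recursive resolver)"
            }
            if (stanza ~ /^zone/ && ztype == "auth" && xfer == "") noxfer[++nz] = stanza
            stanza = ""
        }
    }
    END {
        if (global_xfer == "")                       # no global allow-transfer either
            for (i = 1; i <= nz; i++) { findings++; print noxfer[i] ": no allow-transfer, any host can AXFR the whole zone" }
        exit findings + 0
    }' "$1"
}

# Constructed configs: the page's options block after its lines are commented out, and a hardened variant.
weak_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/var/named";
        // listen-on port 53 { 127.0.0.1; };
        // allow-query     { localhost; };
        recursion yes;
};
zone "." IN { type hint; file "named.ca"; };
zone "aliyun.com" IN {
        type master;
        file "aliyun.com.zone";
};
zone "8.24.172.in-addr.arpa" IN {
        type master;
        file "8.24.172.zone";
};
EOF
}
hardened_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/var/named";
        recursion yes;
        allow-recursion { 172.24.8.0/24; };   # only the lab network may recurse through this server
        allow-transfer  { 172.24.8.11; };     # only the secondary (linuxslave) may pull zones
};
zone "aliyun.com" IN { type master; file "aliyun.com.zone"; };
zone "8.24.172.in-addr.arpa" IN { type master; file "8.24.172.zone"; };
EOF
}

# Demo: the weak config yields 3 findings, the hardened one none
for name in weak hardened; do
    f=$(mktemp); "${name}_conf" "$f"
    printf '%s:\n' "$name"; audit_named_conf "$f" || printf '  %s finding(s)\n' "$?"
    rm -f "$f"
done
```

The parser is deliberately line-oriented (one directive per line, braces counted per line), which matches the layout of the page's named.conf; it is a check to run before and after editing the file, not a replacement for named-checkconf.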
2.3 Add a zone to the zone configuration file
[root@linuxmaster ~]# vi /etc/named.conf    # add the zone
......
zone "aliyun.com" IN {
        type master;
        file "aliyun.com.zone";
};
......
2.4 Create a zone file
[root@linuxmaster ~]# cd /var/named/
[root@linuxmaster named]# cp /var/named/named.localhost /var/named/aliyun.com.zone
[root@linuxmaster named]# vi /var/named/aliyun.com.zone
$TTL 300
@       IN SOA  linuxmaster.aliyun.com. admin.aliyun.com. (
                2017051720
                1H
                5M
                7D
                3D )
        IN NS   linuxmaster
        IN MX 20 mx
linuxmaster  IN A     172.24.8.10
mx           IN A     172.24.8.10    ; target of the MX record
www          IN A     172.24.8.30
mirrors      IN A     172.24.8.30
ftp          IN CNAME www
[root@linuxmaster named]# named-checkconf                                   # check the configuration file
[root@linuxmaster named]# named-checkzone aliyun.com /var/named/aliyun.com.zone
zone aliyun.com/IN: loaded serial 2017051720
OK
2.5 Modify permissions
[root@linuxmaster ~]# chmod 640 /var/named/aliyun.com.zone
[root@linuxmaster ~]# chown root:named /var/named/aliyun.com.zone
Note: make sure the main configuration file and every zone file have mode 640, owner root and group named.
[root@linuxmaster ~]# service named restart
2.6 Disable the firewall and SELinux
[root@linuxmaster ~]# service iptables stop
[root@linuxmaster ~]# setenforce 0
[root@linuxmaster ~]# service named restart
2.7 Test resolution
On the client, set the DNS server address to the address of the primary DNS server, then ping linuxmaster.aliyun.com to test resolution.
3. Configure reverse resolution
Forward and reverse resolution use separate zone databases. A DNS server may hold only a forward zone, only a reverse zone, or both, in which case it provides forward and reverse resolution at the same time.
Zone name format of a reverse zone:
    <reversed network address>.in-addr.arpa.
For example, for the network address 172.16.100.1 the reverse zone is named 100.16.172.in-addr.arpa.
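The naming rule above, as an added example that is not part of the tutorial: shell functions that derive the reverse zone name and the relative owner names written into a reverse zone file. It goes beyond the page's /24 case to /8, /16 and /24 (whole-octet prefix lengths, the only ones handled; IPv4 only), and shows that the owner name depends on which zone the record lives in, since named appends the zone origin automatically. Host names and addresses are the ones from section 1.2.

```shell
#!/bin/sh
# Added example (not from the tutorial): reverse-zone names and relative PTR owners.

# reverse_zone IP PREFIXLEN -> zone name, e.g. 172.16.100.1 24 -> 100.16.172.in-addr.arpa
reverse_zone() {
    _ip=$1
    _plen=${2:-24}
    case $_plen in
        8|16|24) ;;
        *) printf 'prefix length must be 8, 16 or 24\n' >&2; return 1 ;;
    esac
    set -- $(printf '%s\n' "$_ip" | tr '.' ' ')    # $1..$4 = the four octets
    case $_plen in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
    esac
}

# full_reverse IP -> the complete reverse name of one host, e.g. 10.8.24.172.in-addr.arpa
full_reverse() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    printf '%s.%s.%s.%s.in-addr.arpa\n' "$4" "$3" "$2" "$1"
}

# ptr_owner IP ZONE -> the owner name to write in the zone file, relative to ZONE.
# The reverse name is read right to left, so 172.24.8.10 is "10" in 8.24.172.in-addr.arpa
# but "10.8" (not "8.10") in 24.172.in-addr.arpa. Fails if IP is not inside ZONE.
ptr_owner() {
    _full=$(full_reverse "$1")
    case $_full in
        *.$2) printf '%s\n' "${_full%.$2}" ;;
        *)    printf '%s is not inside zone %s\n' "$1" "$2" >&2; return 1 ;;
    esac
}

# ptr_record IP FQDN ZONE -> one PTR line for the zone file (trailing dot on the name)
ptr_record() {
    _owner=$(ptr_owner "$1" "$3") || return 1
    _name=${2%.}
    printf '%s IN PTR %s.\n' "$_owner" "$_name"
}

# Demo with the page's addresses: the zone for 172.24.8.0/24 and the PTR lines of section 3.2
demo() {
    zone=$(reverse_zone 172.24.8.0 24)
    printf 'zone "%s" IN { type master; file "8.24.172.zone"; };\n' "$zone"
    for entry in 172.24.8.10=linuxmaster.aliyun.com 172.24.8.30=www.aliyun.com \
                 172.24.8.30=mirrors.aliyun.com 172.24.8.10=mx.aliyun.com; do
        ptr_record "${entry%%=*}" "${entry#*=}" "$zone"
    done
}
demo
```

The ptr_owner check that the address really lies inside the zone is the one to keep: a PTR written under the wrong origin still loads without error but is never found by a reverse lookup.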
3.1 Add a reverse zone to the zone configuration file
[root@linuxmaster ~]# vi /etc/named.conf
......
zone "8.24.172.in-addr.arpa" IN {
        type master;
        file "8.24.172.zone";
};
......
3.2 Create a reverse zone file
[root@linuxmaster ~]# vi /var/named/8.24.172.zone
$TTL 300
@       IN SOA  linuxmaster.aliyun.com. admin.aliyun.com. (
                2017051720
                1H
                5M
                7D
                3D )
        IN NS   linuxmaster.aliyun.com.
10      IN PTR  linuxmaster.aliyun.com.
30      IN PTR  www.aliyun.com.
30      IN PTR  mirrors.aliyun.com.
10      IN PTR  mx.aliyun.com.
Note:
No CNAME record is needed in reverse resolution, and MX records must not appear in a reverse zone file;
The PTR owner names are written relative to the zone: the zone name defined in the main configuration file (8.24.172.in-addr.arpa) is appended automatically, so the owner "10" stands for 10.8.24.172.in-addr.arpa, i.e. the address 172.24.8.10.
[root@linuxmaster ~]# named-checkconf                                   # check the configuration file
[root@linuxmaster ~]# named-checkzone aliyun.com /var/named/aliyun.com.zone
zone aliyun.com/IN: loaded serial 2017051720
OK
[root@linuxmaster ~]# named-checkzone 8.24.172.in-addr.arpa /var/named/8.24.172.zone
zone 8.24.172.in-addr.arpa/IN: loaded serial 2017051720
OK
3.3 Modify permissions
[root@linuxmaster ~]# chmod 640 /var/named/8.24.172.zone
[root@linuxmaster ~]# chown root:named /var/named/8.24.172.zone
Note: make sure the main configuration file and every zone file have mode 640, owner root and group named.
[root@linuxmaster ~]# service named restart
3.4 Disable the firewall and SELinux
[root@linuxmaster ~]# service iptables stop
[root@linuxmaster ~]# setenforce 0
[root@linuxmaster ~]# service named restart
3.5 Test resolution
On the Windows client, set the DNS server address to the address of the primary DNS server, then test with nslookup.
4. Secondary DNS configuration
A secondary DNS is defined per zone. If a zone has multiple DNS servers, an NS record must be created for each of them; otherwise the primary DNS will not send notifications (NOTIFY) to that server.
4.1 Define a zone
zone "zone name" IN {
        type slave;                      # the zone type is secondary (slave)
        file "slaves/zone_name.zone";    # the zone file must be stored in the slaves directory; named has no write permission in other directories
        masters {                        # which servers are the masters; note: there must be a space before and after each curly bracket
                master_dns_ip;
                master_dns2_ip;
        };
};
4.2 Install bind on the secondary DNS
[root@linuxslave ~]# yum -y install bind
4.3 Add the secondary zones to the zone configuration file
[root@linuxslave ~]# vi /etc/named.rfc1912.zones    # it is recommended to add them in named.rfc1912.zones
......
zone "aliyun.com" IN {
        type slave;
        file "slaves/aliyun.com.zone";
        masters { 172.24.8.10; };        # address of the master DNS
};
zone "8.24.172.in-addr.arpa" IN {
        type slave;
        file "slaves/8.24.172.zone";
        masters { 172.24.8.10; };
};
[root@linuxslave ~]# named-checkconf                  # check the configuration
4.3 Disable the firewall and SELinux on the secondary DNS
[root@linuxslave ~]# service iptables stop
[root@linuxslave ~]# setenforce 0
[root@linuxslave ~]# service named restart
4.4 Add the secondary DNS records to the forward zone on the primary DNS
[root@linuxmaster ~]# vi /var/named/aliyun.com.zone
$TTL 300
@       IN SOA  linuxmaster.aliyun.com. admin.aliyun.com. (
                2017051720
                1H
                5M
                7D
                3D )
        IN NS   linuxmaster
        IN NS   linuxslave
        IN MX 20 mx
linuxmaster  IN A     172.24.8.10
linuxslave   IN A     172.24.8.11
www          IN A     172.24.8.30
mirrors      IN A     172.24.8.30
mx           IN A     172.24.8.10
ftp          IN CNAME www
4.5 Add the secondary DNS records to the reverse zone on the primary DNS
[root@linuxmaster ~]# vi /var/named/8.24.172.zone
$TTL 300
@       IN SOA  linuxmaster.aliyun.com. admin.aliyun.com. (
                2017051720
                1H
                5M
                7D
                3D )
        IN NS   linuxmaster.aliyun.com.
        IN NS   linuxslave.aliyun.com.
10      IN PTR  linuxmaster.aliyun.com.
11      IN PTR  linuxslave.aliyun.com.
30      IN PTR  www.aliyun.com.
30      IN PTR  mirrors.aliyun.com.
10      IN PTR  mx.aliyun.com.
4.6 Check the configuration
[root@linuxmaster ~]# named-checkconf                                   # check the configuration file
[root@linuxmaster ~]# named-checkzone aliyun.com /var/named/aliyun.com.zone
zone aliyun.com/IN: loaded serial 2017051720
OK
[root@linuxmaster ~]# named-checkzone 8.24.172.in-addr.arpa /var/named/8.24.172.zone
zone 8.24.172.in-addr.arpa/IN: loaded serial 2017051720
OK
[root@linuxmaster ~]# service named restart
Check that the data has been synchronised from the primary DNS to the secondary DNS
4.7 View the secondary DNS
[root@linuxslave ~]# yum -y install bind-utils              # install the client tools (dig)
[root@linuxslave ~]# dig -t axfr aliyun.com @172.24.8.10     # pull the zone from the primary to check that the transfer works
[root@linuxslave ~]# cat /var/named/slaves/aliyun.com.zone
Note: the resource records on the secondary DNS are synchronised from the primary DNS and must not be edited by hand.
Test from the Windows client.
Summary:
- 1. Every DNS server must have a corresponding NS resource record;
- 2. When setting up the secondary (slave) server, the zone type in the configuration file must be "type slave" and the IP address of the master server must be specified;
- 3. dig -t axfr test.com @server_ip pulls all resource records of the zone database from the primary DNS server;
- 4. After master/slave synchronisation completes, the zone files are generated automatically under the slaves/ directory on the slave server. They are synchronised from the primary DNS and are effectively read-only; do not edit the slave zone files;
- 5. When modifying a zone file on the primary DNS, you must increase the SOA serial by 1, because the slave decides whether to update by comparing the serial value (on Windows this is done automatically);
- 6. DNS logs are written to /var/log/messages by default;
- 7. DNS resolution depends only on the DNS database, so a name resolves even if the configured host does not exist at all (and the forward and reverse databases are independent of each other). Note that there is no PTR record in forward resolution, and A, MX and CNAME records are not needed in reverse resolution.
003. DNS-master-slave server configuration Experiment