(i) Introduction
The company's DNS server runs on Windows, and the frequent patching has caused several outages, so the service needs to be migrated to Linux. Because a large number of records has accumulated, Windows stays the master, where resolution records are added and modified, and the Linux server synchronizes from it as a slave and answers the business query traffic.
Serial number | IP             | Function | System
1             | 10.128.105.171 | Master   | Windows
2             | 172.20.66.132  | Slave    | Linux
(ii) Specific steps
(1) The Windows installation and configuration are omitted.
(2) The specific steps on Linux are as follows:
2.1 Install BIND
[root@dns-slave slaves]# yum install bind-chroot bind-utils -y
2.2 Modify the configuration file
[root@dns-slave etc]# vim named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details about the
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/

options
{
        /* Put files that named is allowed to write in the data/ directory: */
        directory               "/var/named";           // "Working" directory
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        /*
          Specify listening interfaces. You can use a list of addresses (';' is
          the delimiter) or the keywords "any"/"none"
        */
        //listen-on port 53     { any; };
        listen-on port 53       { 127.0.0.1; };

        //listen-on-v6 port 53  { any; };
        listen-on-v6 port 53    { ::1; };

        /*
          Access restrictions

          There are two important options:
            allow-query { argument; };
              - allow queries for authoritative data

            allow-query-cache { argument; };
              - allow queries for non-authoritative data (mostly cached data)

          You can use an address, a network address or the keywords
          "any"/"localhost"/"none" as argument.
          Examples:
            allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
            allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
        */
        allow-query             { any; };
        allow-query-cache       { localhost; };

        /* Enable/disable recursion - recursion yes/no;

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        /* DNSSEC related options. See information about keys ("Trusted keys", below) */

        /* Enable serving of DNSSEC related data - enable on both authoritative
           and recursive servers DNSSEC aware servers */
        dnssec-enable yes;

        /* Enable DNSSEC validation on recursive servers */
        dnssec-validation yes;

        /* In RHEL-7 we use /run/named instead of the default /var/run/named,
           so we have to configure the paths properly. */
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        managed-keys-directory "/var/named/dynamic";
};

logging          // logging-related configuration
{
        /* If you want to enable debugging, eg. using the 'rndc trace' command,
         * named will try to write the 'named.run' file in the $directory (/var/named).
         * By default, SELinux policy does not allow named to modify the /var/named directory,
         * so put the default debug log file in data/ :
         */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        channel gsquery {
                file "data/query.log" versions 3 size 20m;
                severity info;
                print-time yes;
                print-category yes;
                print-severity yes;
        };
        category queries { gsquery; };
};

// Configure the zones to synchronize from the master server. If several zones
// are to be synchronized, more zone blocks can be added here, or all zones can
// be put in a separate file that is pulled in with include:
include "/etc/named.lqb.com.zones";

zone "lqb.com" IN {
        type slave;
        file "slaves/lqb.com.zone";
        masters { 10.128.105.171; };
};

Note that with listen-on { 127.0.0.1; } and listen-on-v6 { ::1; } named only answers on loopback; for the slave to serve clients on the network, listen-on has to name the server's own address (or any). Because recursion yes is combined with allow-query { any; }, the warning in the sample file applies: restrict recursive service to the internal clients (for example with allow-recursion) so that the server cannot be used as an open resolver.
2.3 Check that the configuration and zone files are correct
[root@dns-slave named]# named-checkzone lqb.com /var/named/chroot/var/named/lqb.com.zone
zone lqb.com/IN: loaded serial 2
OK
[root@dns-slave named]# named-checkconf /var/named/chroot/etc/named.conf
2.4 Restart the service and check for errors
[root@dns-slave slaves]# systemctl restart named-chroot
[root@dns-slave slaves]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-06-14 18:46:55 CST; 16h ago
  Process: 4090 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 4378 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 4375 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 4380 (named)
   CGroup: /system.slice/named-chroot.service
           └─4380 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: vm_win7_7.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: vm_win7_8.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: vm_win7_9.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: win7_1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: win7_vm1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: win7_vm2.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: win7_vm_1.corp.ppdai.com/A: bad owner name (check-names)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: transferred serial 2045499
Jun 15 11:42:28 dns-slave named[4380]: transfer of 'corp.ppdai.com/IN' from 10.128.105.171#53: Transfer completed: 19 messages...es/sec)
Jun 15 11:42:28 dns-slave named[4380]: zone corp.ppdai.com/IN: sending notifies (serial 2045499)
Hint: Some lines were ellipsized, use -l to show in full.

The "bad owner name (check-names)" lines are warnings, not errors: Windows DNS accepts an underscore in a host name, but it is not a valid hostname character, so BIND's check-names flags these A records. For a slave zone check-names defaults to warn, so the transfer still completes, as the "transferred serial 2045499" line shows; on a master zone the default is fail, and the same records would refuse to load.
2.5 Check that the zone file synchronized from the master has appeared
[root@dns-slave slaves]# ll /var/named/chroot/var/named/slaves/lqb.com.zon
-rw-r--r-- 1 named named 381 Jun 14 16:52 /var/named/chroot/var/named/slaves/lqb.com.zon
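Steps 2.1 to 2.5 end with a visual check of the service status and the zone file. The following shell script is an added example, not part of the original post, that turns that check into something repeatable: it compares the SOA serial served by the Windows master with the one served by the Linux slave, and it scans a transferred zone file for the owner names that BIND's check-names flags (letters, digits and hyphens only in a hostname label, no leading or trailing hyphen). The addresses 10.128.105.171 and 172.20.66.132, the zone lqb.com and the chroot path come from the page; the function names, the environment variables and the sample zone file in the comments are constructed for this example. The live check needs dig from bind-utils and network access, so it only runs when RUN_CHECKS=yes is set.

```shell
#!/bin/sh
# Added example (not from the original post): post-migration checks for a BIND
# slave that transfers its zone from a Windows master.
# Assumptions (constructed for this example): master 10.128.105.171,
# slave 172.20.66.132, zone lqb.com, chroot at /var/named/chroot.

MASTER=${MASTER:-10.128.105.171}
SLAVE=${SLAVE:-172.20.66.132}
ZONE=${ZONE:-lqb.com}
ZONEFILE=${ZONEFILE:-/var/named/chroot/var/named/slaves/$ZONE.zone}

# `dig +short <zone> SOA` prints one line:
#   mname rname serial refresh retry expire minimum
# soa_serial extracts the third field, the serial.
soa_serial() {
    printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# serial_state prints in-sync / lagging / ahead / invalid and returns 0/1/2/3.
# Plain integer comparison is used; SOA serials formally use serial-number
# arithmetic (RFC 1982), which only matters near the 2^32 wrap-around.
serial_state() {
    master=$1
    slave=$2
    case "${master:-x}${slave:-x}" in
        *[!0-9]*) echo invalid; return 3 ;;
    esac
    if [ "$master" -eq "$slave" ]; then
        echo in-sync; return 0
    elif [ "$slave" -lt "$master" ]; then
        echo lagging; return 1          # slave has not picked up the latest transfer
    else
        echo ahead; return 2            # slave newer than master: wrong master or stale file
    fi
}

# check_sync queries both servers (needs dig and network access).
check_sync() {
    m=$(dig +short @"$MASTER" "$ZONE" SOA)
    s=$(dig +short @"$SLAVE" "$ZONE" SOA)
    serial_state "$(soa_serial "$m")" "$(soa_serial "$s")"
}

# find_bad_owner_names prints, once each, the owner names of A/AAAA/MX records
# in a text zone file whose owner contains a character outside [A-Za-z0-9.-]
# or a label that starts or ends with a hyphen. Windows DNS accepts such names
# (underscores are common); BIND logs "bad owner name (check-names)" for them,
# warning on a slave zone and refusing to load a master zone. Owners of other
# record types (SRV, TXT, CNAME, ...) are not hostname-checked by BIND and are
# therefore skipped here, so _ldap._tcp SRV records are not reported.
find_bad_owner_names() {
    awk '
        /^[[:space:]]*$/ { next }          # blank line
        /^[[:space:]]*;/ { next }          # comment line
        $1 ~ /^\$/       { next }          # $ORIGIN / $TTL directives
        {
            # a line starting with whitespace reuses the previous owner name
            if ($0 ~ /^[[:space:]]/) { owner = last; start = 1 }
            else                     { owner = $1; last = owner; start = 2 }
            for (i = start; i <= NF; i++) {
                if ($i == "IN" || $i ~ /^[0-9]+$/) continue     # class or TTL
                if ($i == "A" || $i == "AAAA" || $i == "MX") {
                    if (owner != "@" && (owner ~ /[^A-Za-z0-9.-]/ || owner ~ /^-/ ||
                                         owner ~ /\.-/ || owner ~ /-\./ || owner ~ /-$/))
                        print owner
                }
                break
            }
        }' "$1" | LC_ALL=C sort -u
}

# Live run on the slave itself: RUN_CHECKS=yes ./dns-slave-check.sh
if [ "${RUN_CHECKS:-no}" = yes ]; then
    check_sync
    find_bad_owner_names "$ZONEFILE"
fi
```

Run on the slave, a result of lagging means the slave has not yet refreshed (check the master's NOTIFY reaches the slave and that the SOA refresh timer has passed), while ahead usually means the slave file was edited by hand or the masters statement points at the wrong server. The name scan is most useful on the Windows side before the migration, exported with named-compilezone or dnscmd, so the records can be renamed instead of living with the warnings.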
DNS server master/slave synchronization: Windows master + Linux slave (iii)