Linux-dns basic knowledge and simple configuration of BIND-3 (Master-slave DNS server and forwarding)

Source: Internet
Author: User
Tags: domain, server, subdomain

RNDC related knowledge:
1. What is RNDC:
Remote Name Daemon Control, the administration utility for named.
rndc communicates with the name server over a TCP connection and sends digitally signed commands. Older rndc and named releases supported only HMAC-MD5 with a shared key on both ends of the connection; current BIND 9 also supports hmac-sha1 through hmac-sha512, rndc-confgen generates hmac-sha256 keys by default, and HMAC-MD5 should no longer be used. The key gives TSIG-style authentication of both the command request and the name server's response. Every command sent over the control channel must be signed with a key_id known to the server, and the controls statement in named.conf decides which source addresses and keys are accepted.
Listening port: 953/tcp (by default only on the loopback addresses 127.0.0.1 and ::1)
rndc [-b address] [-c config] [-s server] [-p port] [-k key-file] [-y key] [-V] command
command is one of the following:
reload    Reload the configuration file and zones.
reconfig  Reload the configuration file and newly added zones only.
freeze    Suspend updates to all dynamic zones.
stats     Write server statistics to the statistics file.
stop      Save pending updates to master files and stop the server.
halt      Stop the server without saving pending updates.
flush     Flush all of the server's caches.
status    Display the status of the server.
2. RNDC debugging and logging:
Debug: prints detailed information while named runs (it adds disk I/O, so it is normally kept off)
Debug level: 0, 1, 2, 3 ...
To raise the debug level by one:
rndc trace
To set a specific level: rndc trace level
To turn debugging off: rndc notrace
Query log: rndc querylog toggles recording of every query received (increases disk I/O)
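The control channel is only as strong as the key clause and the controls statement that protect it. The following is an added example, not code from the original article: it audits the key and controls statements in a named.conf fragment for the weak settings discussed above (HMAC-MD5, a short secret, listening on every interface, allow { any; }, no keys clause) and emits a replacement key and controls stanza of the kind rndc-confgen produces. The configuration text, key name, secret and addresses are constructed for the example.

```python
import base64
import re
import secrets

# Constructed named.conf fragment showing the weak settings this example flags.
# The key name, secret and addresses are made up for the example.
WEAK_CONF = """
key "rndc-key" {
    algorithm hmac-md5;
    secret "5kmiJP+1XhHoeEzlEMTdSQ==";
};
controls {
    inet 0.0.0.0 port 953 allow { any; } keys { "rndc-key"; };
};
"""

WEAK_ALGORITHMS = {"hmac-md5"}


def _blocks(text, keyword):
    """Yield (header, body) for each `keyword ... { body };` statement, matching nested braces."""
    for m in re.finditer(r"\b" + keyword + r"\b[^{;]*\{", text):
        depth, start = 1, m.end()
        for i in range(start, len(text)):
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
                if depth == 0:
                    yield m.group(0), text[start:i]
                    break


def audit_control_channel(conf):
    """Return a list of findings for the key and controls statements in conf."""
    findings = []
    for header, body in _blocks(conf, "key"):
        name = re.search(r'key\s+"?([^"\s{]+)', header).group(1)
        alg = re.search(r"algorithm\s+([\w-]+)", body)
        if alg and alg.group(1).lower() in WEAK_ALGORITHMS:
            findings.append(f"key {name}: {alg.group(1)} is deprecated, use hmac-sha256")
        sec = re.search(r'secret\s+"([^"]+)"', body)
        if sec and len(base64.b64decode(sec.group(1))) < 16:
            findings.append(f"key {name}: secret is shorter than 128 bits")
    for _header, body in _blocks(conf, "controls"):
        for inet in re.finditer(r"inet\s+(\S+)", body):
            if inet.group(1) in ("*", "0.0.0.0", "::", "any"):
                findings.append(f"controls: listens on all interfaces ({inet.group(1)}), bind 127.0.0.1")
        allow = re.search(r"allow\s*\{([^}]*)\}", body)
        if allow and "any" in allow.group(1):
            findings.append("controls: allow { any; } accepts connections from every source address")
        if "keys" not in body:
            findings.append("controls: no keys clause, commands would be unauthenticated")
    return findings


def generate_rndc_key(name="rndc-key", bits=256):
    """Key statement with a fresh random secret; hmac-sha256 is what rndc-confgen emits on current BIND."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    return f'key "{name}" {{\n    algorithm hmac-sha256;\n    secret "{secret}";\n}};\n'


def hardened_controls(key_name="rndc-key"):
    """Control channel on loopback only, accepting only the named key."""
    return ("controls {\n    inet 127.0.0.1 port 953 allow { 127.0.0.1; } "
            f'keys {{ "{key_name}"; }};\n}};\n')


if __name__ == "__main__":
    for finding in audit_control_channel(WEAK_CONF):
        print("finding:", finding)
    fixed = generate_rndc_key() + hardened_controls()
    print(fixed)
    print("findings after fix:", audit_control_channel(fixed))
```

The same key statement has to be present in both named.conf (or the file it includes) and rndc.conf; the controls stanza belongs in named.conf only.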

Configuration of the master-slave DNS server
Function: prevents every host under a domain from becoming unresolvable because the primary DNS server is down, and spreads the query load evenly across the servers.
The zone data on the slave must be identical to the master's; the slave synchronizes from the master whenever needed (a zone transfer), and the synchronization is one-way: the slave only pulls the zone file from the master.
How to load-balance resolution requests

If the requests come from hosts that use a local caching DNS server, point half of the hosts at the master's IP as their DNS server and the other half at the slave's;
If the server is authoritative for a domain on the Internet, just write two NS records in the parent (superior) DNS server; BIND rotates the order of the records it returns (round robin), so client hosts spread their queries across both servers.
Configuring the master-slave server
The clocks of the master and slave should be kept in sync.
The zone files on the slave are synchronized from the master DNS server and must not be created or edited by hand. The slave's zone files are kept in the /var/named/slaves directory.
The named process has no write permission to its working directory /var/named, and on the slave the administrator does not hand-create the zone file as on the master, so BIND provides the directory /var/named/slaves specifically to store the transferred zone files; the named process has write access to that directory.

Definition of a zone:
zone "zone name" IN {
    type slave;                  # zone type: slave (secondary) DNS server
    file "slaves/";              # the zone file must be kept under the slaves directory; named has no permission to write it anywhere else
    masters { MASTER_DNS_IP; };  # who the master is: one or more master IP addresses. Note: there must be a space before and after the braces
};
Here we take a forward zone as the example of a master-slave DNS server configuration.
First edit the zone file on the master DNS server and add the corresponding records.

On the slave DNS server, add the corresponding zone statement to /etc/named.rfc1912.zones
zone "" IN {
    type slave;
    file "slaves/";   // the zone name and the zone file name are the same as on the master DNS server
    masters {;};
};
Check the slave's configuration for syntax errors (named-checkconf) and make named reread it.

Now increase the serial number in the zone file on the master DNS server.

rndc reload
In the master's log we can see the zone being reloaded and the NOTIFY sent to the slave.

In /var/named/slaves on the slave DNS server we can also see the transferred zone file.

If the transferred zone file looks garbled, it is because newer BIND versions store slave zones in raw (binary) format by default; specify text format in the zone statement:
zone "" IN {
    type slave;
    file "slaves/";
    masters {;};
    masterfile-format text;
};


1. Each DNS server for the zone must have a corresponding NS resource record;
2. When creating a slave, the zone type in its configuration must be type slave, and the IP address of the master server must be specified;
3. dig -t AXFR zone_name @server_IP pulls all resource records of the zone from the master DNS server; because anyone who can do this can enumerate the whole zone, restrict transfers on the master with allow-transfer { slave_IP; }; (optionally also requiring a TSIG key);
4. When master-slave synchronization completes, a zone file is generated automatically in the slaves/ directory on the slave; these files come from the master, are treated as read-only, and should not be edited on the slave;
5. When the zone file on the master is modified, the serial in the SOA record must be increased (by at least 1), because the slave decides whether to transfer by comparing serial values (Windows DNS does this automatically);
6. By default BIND logs through syslog, so its messages end up in /var/log/messages;
7. DNS resolution depends only on the zone data, so a name that does not exist at all can still be resolved if the zone says so (and the forward and reverse zones are independent of each other). Note that a forward zone has no PTR records, and a reverse zone does not need A, MX or CNAME records.
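Point 5 is the step most often forgotten. The following is an added example, not code from the original article: it bumps the SOA serial of a zone file (following the YYYYMMDDnn convention when the serial already uses it, plain +1 otherwise, wrapping at 2^32) and shows the RFC 1982 comparison a slave applies when it decides whether a transfer is needed, which is why an edit without a serial bump never reaches the slaves. The zone file, example.com and the 192.0.2.0/24 addresses are constructed placeholders.

```python
import re
from datetime import date, datetime

# Constructed sample zone file; example.com and the 192.0.2.0/24 addresses are
# documentation placeholders, not values from the article.
ZONE = """\
$TTL 86400
@   IN SOA ns1.example.com. admin.example.com. (
        2024010105 ; serial (YYYYMMDDnn)
        3600       ; refresh
        900        ; retry
        604800     ; expire
        86400 )    ; minimum
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
www IN A   192.0.2.10
"""

# SOA <mname> <rname> [(] <serial> ...   (works with and without the parenthesised form)
SERIAL_RE = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(?P<serial>\d+)")


def get_serial(zone_text):
    """Return the SOA serial of a zone file as an int."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group("serial"))


def _date_part(serial):
    """date(YYYY, MM, DD) if serial is in YYYYMMDDnn form, else None."""
    try:
        return date(serial // 1000000, (serial // 10000) % 100, (serial // 100) % 100)
    except ValueError:
        return None


def next_serial(current, today=None):
    """Next serial: for a date-based serial whose date is in the past, jump to
    today's YYYYMMDD00; otherwise add 1. Serials are 32-bit, so wrap modulo 2**32.
    `today` is a 'YYYYMMDD' string (defaults to the real date)."""
    today_d = datetime.strptime(today, "%Y%m%d").date() if today else date.today()
    d = _date_part(current)
    if d is not None and d < today_d:
        return int(today_d.strftime("%Y%m%d")) * 100
    return (current + 1) % 2**32


def bump_serial(zone_text, today=None):
    """Return (new_zone_text, new_serial) with only the serial field changed."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    new = next_serial(int(m.group("serial")), today)
    return zone_text[:m.start("serial")] + str(new) + zone_text[m.end("serial"):], new


def serial_is_newer(master, slave):
    """RFC 1982 serial comparison as a slave applies it on NOTIFY or refresh:
    the master's serial counts as newer only if it lies less than 2**31 ahead on
    the 32-bit circle. Equal serials mean no transfer, which is why a slave stays
    stale when the master's zone is edited without bumping the serial."""
    return master != slave and (master - slave) % 2**32 < 2**31


if __name__ == "__main__":
    old = get_serial(ZONE)
    new_zone, new = bump_serial(ZONE, "20240105")
    print(f"serial {old} -> {new}, slave transfers: {serial_is_newer(new, old)}")
    print(f"unchanged serial, slave transfers: {serial_is_newer(old, old)}")
```

After rewriting the file, run named-checkzone on it before rndc reload; a zone that fails to load keeps serving the old data, and the slaves keep the old serial too.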

Create a subdomain
Here we still use the parent domain ( as the master DNS server; the former slave DNS server now acts as the subdomain server (
We create the subdomain zone on the subdomain server by editing /etc/named.rfc1912.zones
zone "" IN {
    type master;
    file "";
};
Create the zone file for the subdomain

On the parent domain server, edit the zone file to add an NS record and an A record for the subdomain


Extra GLUE A means the additional glue A record: the parent must also publish the address of the subdomain's name server, because that server's name lies inside the subdomain it serves and could otherwise never be found
rndc reload


Now we turn off the master-slave function on the subdomain server and clear its cache, then test whether the subdomain server can resolve the parent domain

rndc reload
rndc flush

We find that the subdomain server cannot resolve the parent domain.
Delegation is top-down: the ancestor (parent domain) knows that the subordinate (subdomain) exists, but the subordinate does not know about the ancestor, so the subdomain server can only resolve the parent domain by iterating from the root, which fails for a lab domain that is not delegated from the public root.
We can also let the subdomain server resolve the parent domain by forwarding.
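The glue rule above is easy to get wrong in both directions: an NS name inside the subdomain without a glue address gives a delegation nobody can follow, while glue for a name outside the subdomain is ignored by resolvers (out-of-bailiwick glue, the classic cache-poisoning vector). The following is an added example, not code from the original article: it builds the records a parent zone needs to delegate a subdomain and reports both mistakes. The names example.com, sub.example.com, ns.provider.net and the addresses are constructed placeholders, not the article's elided domains.

```python
def _norm(name):
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()


def in_bailiwick(name, zone):
    """True if name is zone itself or lies below it ('example.com.evil.net' is not below example.com)."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def delegation_records(parent, child, nameservers):
    """Records the parent zone needs in order to delegate child to nameservers,
    a list of (hostname, ip_or_None). Returns (records, problems)."""
    records, problems = [], []
    if _norm(child) == _norm(parent) or not in_bailiwick(child, parent):
        return records, [f"{child} is not a subdomain of {parent}"]
    for host, ip in nameservers:
        records.append(f"{_norm(child)}. IN NS {_norm(host)}.")
        if in_bailiwick(host, child):
            # The NS name lives inside the zone being delegated: without a glue A
            # record a resolver would have to query the child to find the child's
            # own server, so the parent must supply the address.
            if ip is None:
                problems.append(f"NS {host} is inside {child} but has no glue address")
            else:
                records.append(f"{_norm(host)}. IN A {ip}")
        elif ip is not None:
            # Out-of-bailiwick glue is discarded by resolvers; the address must
            # come from the zone that actually owns the host name.
            problems.append(f"glue for {host} dropped: host is outside {child}")
    return records, problems


if __name__ == "__main__":
    # Constructed lab names, not the article's domains.
    recs, probs = delegation_records("example.com", "sub.example.com",
                                     [("ns1.sub.example.com", "192.0.2.53"),
                                      ("ns.provider.net", None)])
    print("\n".join(recs))
    print("problems:", probs)
```

The emitted lines are what goes into the parent zone file before rndc reload; the subdomain server's own zone must still carry matching NS and A records for itself, since the parent's glue is only used to reach it.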

DNS name resolution forwarder:

(1) When the local DNS server (the forwarder) receives a query, it first tries to answer it from the master and slave zones it hosts and from its cache;
(2) If the query cannot be answered from local data, it forwards the query, acting as a client, to the external DNS server;
(3) The local DNS (forwarder) holds the client's request and waits for the reply from the external DNS;
(4) For the external DNS the incoming query is a recursive query, so it must iterate outward itself to find the final answer and return it to the forwarder (the forwarder is a DNS client at this point);
(5) The forwarder returns the result obtained from the external DNS to the client (as a non-authoritative answer), and resolution is complete.
Note: the precondition for forwarding is that the server receiving the forwarded request (here the external DNS) must be willing to perform recursive queries for the requester (here the local DNS, i.e. the forwarder);
3. Types of forwarding:
(1) Unconditional forwarding: forward all requests for zones that are not local;

# In the main configuration file /etc/named.conf, add the following to the global options:
options {
    forwarders { IP; };   # who the forwarder is
    forward only|first;   # only: forward only; first: forward, and if no result comes back, also iterate from the root hints
};


(2) Conditional forwarding: define a forward zone # in the zone configuration file /etc/
zone "zone name" IN {
    type forward;         # zone type: forward
    forwarders { IP; };   # who the forwarder is
    forward only|first;   # only: forward only; first: forward, and if no result comes back, also iterate from the root hints
};


We add the following to the global options on the subdomain server:

Check the configuration file (named-checkconf) and then rndc reload

The subdomain server can now resolve the parent domain normally.
Next we comment out the forwarding we just added to the global configuration, then rndc flush,
and configure conditional forwarding on the subdomain server in /etc/named.rfc1912.zones so that only requests for the parent domain are forwarded:

zone "" IN {
    type forward;
    forwarders {;};
    forward first;
};

Check the configuration file and run rndc reload

Requests for the parent domain can now be resolved through the subdomain server.
