Steps for building an intra-enterprise DNS slave server

Source: Internet
Author: User

Slave DNS server setup

The previous article walked through building the primary DNS server; this one covers the slave. The IP addresses and server names of the master and slave DNS servers are unchanged from that article.


Setting up the slave is simple: the master's zone data is already in place, so the slave only needs to be linked to the master, after which we verify that it can read the zone data from the primary server.


The primary server is 172.16.100.1 (named DNS); the slave is 172.16.100.2 (named NS2).


Log in to the slave DNS server and run #yum install bind -y to install bind, then vim /etc/named.conf. This conf must also provide the three functions: the hint to the 13 global root servers, local forward resolution and local reverse resolution.


Then run #scp 172.16.100.1:/var/named/{named.ca,localhost.zone,named.local} /var/named/ to copy these three basic DNS resolution files from the primary server into the slave's /var/named folder.


Then set up rndc: #rndc-confgen > /var/rndc.conf. Copy the key and controls statements that rndc-confgen generates for named.conf into named.conf, then #chown :named /var/named/ and #chown :named /etc/named.conf so the named group can read them.


Now check the syntax and run #dig -t A localhost to see whether the answer is 127.0.0.1. If it is, named.conf as a whole is OK.


named.conf is now OK, but it contains no slave-specific settings, so at this point the server is only a caching server, not a slave. To make it a slave, add the following to named.conf:

    zone "lnsjb.com" IN {
        type slave;                               # this server's role is slave
        masters { 172.16.100.1; };                # its master is 172.16.100.1
        file "/var/named/slave/lnsjb.com.zone";   # zone data fetched from the master is saved at this path
    };


To add reverse resolution as well, for example the reverse zone for the 172.16 network:

    zone "16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.100.1; };
        file "/var/named/slave/172.16.zone";
    };


After adding both the forward and the reverse zone stanzas, save and exit, run #setenforce 0 and #rndc reconfig, then check whether lnsjb.com.zone and 172.16.zone have been transferred into /var/named/slave/. (setenforce 0 puts SELinux into permissive mode for the whole host; the transfer also requires the /var/named/slave directory to exist and be writable by the named user.)


After the setup is complete

The master and slave DNS servers now have an established relationship. Next, manually add a new record to lnsjb.com.zone on the primary DNS server, for example games.lnsjb.com with the IP 172.16.100.9. After adding it, remember to increase the zone serial number by 1, then :wq to save and exit.


Run #rndc reload on the primary DNS server, then #dig -t A games.lnsjb.com on the slave: the new record already resolves. Because the serial number changed, the primary DNS server automatically notified the slave to fetch the latest data.


However, this configuration leaves a serious hidden risk: anyone can set up a DNS server, point it at our IP address, and run #dig -t AXFR <domain name> to pull every record in our zone in one go, which is clearly unsafe. So the master server needs a setting that allows only the slave DNS server's IP to request a full zone transfer and blocks every other address.


This is done with allow-transfer in the master DNS server's named.conf. Placed in the options block, allow-transfer lets every zone be transferred to the listed IPs; placed inside an individual zone stanza, it permits transfer of only that zone to the listed IPs. For example:

    options {
        directory "path to the named folder";
        allow-transfer { 203.56.100.4; 176.24.99.6; };   # all zone data below may be fetched by these two IPs; every other IP is denied
    };


Another way is to define an ACL (access control list) on the primary DNS server. ACLs are declared at the top of named.conf and list specific IP addresses or network ranges, for example:

    acl myslaves {
        127.0.0.1;
        203.56.100.1;
        176.24.99.1;         # these three IP addresses belong to the myslaves ACL
    };

    acl myclients {
        192.168.0.0/24;      # adds the whole 192.168.0.1~192.168.0.254 range to the myclients ACL
        127.0.0.1;           # don't forget that the local host also needs recursion
    };


    options {
        directory "/var/named/";
        allow-transfer { myslaves; };      # only members of myslaves may transfer zones
        allow-recursion { myclients; };    # only members of myclients may make recursive queries
    };
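The allow-transfer and ACL settings above decide which hosts can pull a whole zone, and the effective rule for a zone is its own allow-transfer if present, otherwise the one in options, otherwise BIND 9's historical default of any. The script below is an added example, not code from the original post: it parses a constructed named.conf fragment (assumed, not the blog's file), expands ACL names, and flags every zone whose transfers are open to anyone.

```python
import re

# Constructed sample master named.conf (assumption): one zone inherits the
# options-level allow-transfer, the other overrides it with "any".
SAMPLE_CONF = """
acl myslaves { 127.0.0.1; 203.56.100.1; 176.24.99.1; };
acl myclients { 192.168.0.0/24; 127.0.0.1; };
options {
    directory "/var/named/";
    allow-transfer { myslaves; };      # only slaves may transfer
    allow-recursion { myclients; };
};
zone "lnsjb.com" IN {
    type master;
    file "/var/named/lnsjb.com.zone";
};
zone "16.172.in-addr.arpa" IN {
    type master;
    file "/var/named/172.16.zone";
    allow-transfer { any; };           # zone-level override: open to all
};
"""

def _strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ blocks
    return re.sub(r"(//|#).*", "", text)                 # // and # to end of line

def parse_acls(text):
    """Map each acl name to its list of raw address-list members."""
    return {name: [m.strip() for m in body.split(";") if m.strip()]
            for name, body in re.findall(r"\bacl\s+(\S+)\s*\{([^}]*)\}", text)}

def expand(members, acls, seen=frozenset()):
    """Resolve (possibly nested) ACL names down to addresses and built-ins."""
    out = []
    for m in members:
        if m in acls and m not in seen:
            out.extend(expand(acls[m], acls, seen | {m}))
        else:
            out.append(m)
    return out

def _allow_transfer(block):
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", block)
    return None if m is None else [x.strip() for x in m.group(1).split(";") if x.strip()]

def audit_transfers(conf):
    """Return {zone: (effective allow-transfer list, is_open_to_anyone)}."""
    text = _strip_comments(conf)
    acls = parse_acls(text)
    opts = re.search(r"\boptions\s*\{(.*?)\n\};", text, flags=re.S)
    global_at = _allow_transfer(opts.group(1)) if opts else None
    report = {}
    for name, body in re.findall(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', text, flags=re.S):
        zone_at = _allow_transfer(body)
        effective = zone_at if zone_at is not None else global_at
        if effective is None:        # unset: historical BIND 9 default is "any"
            effective = ["any"]
        addrs = expand(effective, acls)
        report[name] = (addrs, "any" in addrs)
    return report

if __name__ == "__main__":
    for zone, (addrs, is_open) in audit_transfers(SAMPLE_CONF).items():
        print(f"{zone}: transfer allowed to {addrs}{'  <-- OPEN AXFR' if is_open else ''}")
```

The parser assumes the page's layout, where each options and zone block closes with "};" at the start of a line.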


BIND has several built-in ACL names that are commonly used: none (no hosts), any (all hosts) and localnets (the networks the local machine is attached to).


To check whether a query can be resolved recursively, run #dig +recurse -t A <destination domain> @<DNS server IP> against the specified DNS server (that server must be able to reach the Internet).


This article is from the "Life is waiting for Gordo" blog; please keep this source: http://chenx1242.blog.51cto.com/10430133/1752963
