dns 後續（dns叢集，“花生殼”，“遠程IP密碼更改dns”）

最後更新：2016-11-29 來源：互聯網

上載者：User

創建阿里雲帳戶，並獲得超過 40 款產品的免費試用版；而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊！

標籤：dns叢集 “花生殼” “遠程ip密碼更改dns

dns叢集（多台伺服器同步一個主dns資訊，緩解了主dns的壓力）

配置輔助dnf伺服器(使它能同步主dns，分擔主dns的壓力：)
修改設定檔 /etc/named.rfc1912.zone
zone "dd.com" IN {
   type slave;
   masters {172.25.254.131 ;}; //同步誰的dns資訊
   file "slaves /dd.com.zone"; //將主dns的資訊同步到 /var/named/slaves目錄下
   allow-update {none;};
}

650) this.width=650;" src="http://s3.51cto.com/wyfs02/M02/8A/CA/wKioL1g8Q8qCqQuHAAE0GWzNR-w274.png-wh_500x0-wm_3-wmp_4-s_4252872765.png" style="float:none;" title="1.png" alt="wKioL1g8Q8qCqQuHAAE0GWzNR-w274.png-wh_50" />

650) this.width=650;" src="http://s4.51cto.com/wyfs02/M01/8A/CE/wKiom1g8Q83h6WSvAABUgl7-bwI286.png-wh_500x0-wm_3-wmp_4-s_3868026994.png" style="float:none;" title="2.png" alt="wKiom1g8Q83h6WSvAABUgl7-bwI286.png-wh_50" />

650) this.width=650;" src="http://s1.51cto.com/wyfs02/M00/8A/CE/wKiom1g8Q-GzP_JXAAGxO0QkwrU964.png-wh_500x0-wm_3-wmp_4-s_2400274747.png" style="float:none;" title="3.png" alt="wKiom1g8Q-GzP_JXAAGxO0QkwrU964.png-wh_50" />

在主dns伺服器裡面修改設定檔/etc/named.rfc1912.zone

zone "dd.com" IN {
   type master;
   file "dd.com.zone";
   allow-update {none;};
   allow-transfer {172.25.254.231;}; //讓誰同步自己的dns資訊
}
650) this.width=650;" src="http://s2.51cto.com/wyfs02/M01/8A/CA/wKioL1g8RAKzDWYgAAFTyscAfKE063.png-wh_500x0-wm_3-wmp_4-s_1444115638.png" title="4.png" alt="wKioL1g8RAKzDWYgAAFTyscAfKE063.png-wh_50" />

自動同步主dns伺服器修改過的資訊
zone "dd.com" IN {
   type master;
   file "dd.com.zone";
   allow-update {none;};
   allow-transfer {172.25.254.231;}; //讓誰同步自己的dns資訊
   also-notify {172.25.254.231 ;}; // 通知誰“我”改變了數值
}

650) this.width=650;" src="http://s5.51cto.com/wyfs02/M02/8A/CE/wKiom1g8RCOAQ9cnAAFdn2b2BwM386.png-wh_500x0-wm_3-wmp_4-s_2190352168.png" title="5.png" alt="wKiom1g8RCOAQ9cnAAFdn2b2BwM386.png-wh_50" />

修改 serial 值（兩個檔案只有發現兩者有不同的時候才會做更改，但全文去檢索會浪費時間，所以我們在主dns裡做一次更改就更改一次serial數值所以只需要比較兩個檔案裡的serial數值就知道是否主dns做了改變）

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RGPjka4TAACqHoc4ZTQ802.png-wh_500x0-wm_3-wmp_4-s_590546843.png" style="float:none;" title="6.png" alt="wKioL1g8RGPjka4TAACqHoc4ZTQ802.png-wh_50" />

650) this.width=650;" src="http://s4.51cto.com/wyfs02/M00/8A/CE/wKiom1g8RHPS2bO1AAG264I6Fws371.png-wh_500x0-wm_3-wmp_4-s_4079769316.png" style="float:none;" title="7.png" alt="wKiom1g8RHPS2bO1AAG264I6Fws371.png-wh_50" />

650) this.width=650;" src="http://s3.51cto.com/wyfs02/M01/8A/CE/wKiom1g8RHShs0XYAAC699DD5yc957.png-wh_500x0-wm_3-wmp_4-s_1843084315.png" style="float:none;" title="8.png" alt="wKiom1g8RHShs0XYAAC699DD5yc957.png-wh_50" />

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M01/8A/CA/wKioL1g8RHiDZflhAAGyQSsH5bM113.png-wh_500x0-wm_3-wmp_4-s_2267947668.png" style="float:none;" title="9.png" alt="wKioL1g8RHiDZflhAAGyQSsH5bM113.png-wh_50" />

遠程更改主dns

主dns(修改/var/named許可權 chmod 770 /var/named 關閉selinux)

650) this.width=650;" src="http://s3.51cto.com/wyfs02/M02/8A/CA/wKioL1g8RJvRHNOiAAB3SUXxPew348.png-wh_500x0-wm_3-wmp_4-s_2960096082.png" title="10.png" alt="wKioL1g8RJvRHNOiAAB3SUXxPew348.png-wh_50" />
zone "dd.com" IN {
   type master;
   file "dd.com.zone";
   allow-update {172.25.254.231;}; // 允許誰更改我的dns資訊
650) this.width=650;" src="http://s4.51cto.com/wyfs02/M00/8A/CE/wKiom1g8RKbyrWFgAAEyCGs4Dig872.png-wh_500x0-wm_3-wmp_4-s_295611308.png" title="11.png" alt="wKiom1g8RKbyrWFgAAEyCGs4Dig872.png-wh_50" />
輔助dns
(86400s 代表只緩衝一天 A:A記錄檔案)
nsupdate
>server 172.25.254.131
>update delete www.dd.com
>send

650) this.width=650;" src="http://s3.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RLqza65mAABjIMSYaE4823.png-wh_500x0-wm_3-wmp_4-s_2930679251.png" style="float:none;" title="12.png" alt="wKioL1g8RLqza65mAABjIMSYaE4823.png-wh_50" />

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M01/8A/CE/wKiom1g8RLzz-O93AAHuOy1xFmY837.png-wh_500x0-wm_3-wmp_4-s_1547592374.png" style="float:none;" title="13.png" alt="wKiom1g8RLzz-O93AAHuOy1xFmY837.png-wh_50" />

nsupdate
>server 172.25.254.131
>update add www.dd.com86400 A 172.25.254.199
>send

650) this.width=650;" src="http://s4.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RNKiOPrLAACghcOw1fI685.png-wh_500x0-wm_3-wmp_4-s_4019548779.png" style="float:none;" title="14.png" alt="wKioL1g8RNKiOPrLAACghcOw1fI685.png-wh_50" />

650) this.width=650;" src="http://s1.51cto.com/wyfs02/M01/8A/CE/wKiom1g8RNSRSfukAAG3DIwzYf4657.png-wh_500x0-wm_3-wmp_4-s_3902541527.png" style="float:none;" title="15.png" alt="wKiom1g8RNSRSfukAAG3DIwzYf4657.png-wh_50" />

恢複：因為重啟服務後，更新檔案/var/named/dd/com.zone.jnl會匯入原來的/var/named/dd.com.zone，所以在做更改前先將原來的/var/named/dd.com.zone做備份(cp -p /var/named/dd.com.zone /mnt)
rm -f /var/named/dd/com.zone
rm -f /var/named/dd/com.zone.jnl
再將備份檔案同步回來（cp -p）
650) this.width=650;" src="http://s1.51cto.com/wyfs02/M01/8A/CA/wKioL1g8ROyyrzNmAAIO8_HFEFM723.png-wh_500x0-wm_3-wmp_4-s_174160618.png" title="16.png" alt="wKioL1g8ROyyrzNmAAIO8_HFEFM723.png-wh_50" />
加密（只允許有鑰匙的主機來更改我的dns）
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
為什麼用HMAC-MD5加密方式：查看/etc/rndc.key看系統的預設加密方式是什麼，用一樣的就可以了

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M01/8A/CA/wKioL1g8RSfgHyAfAAB-FwbETqM866.png-wh_500x0-wm_3-wmp_4-s_786457602.png" style="float:none;" title="17.png" alt="wKioL1g8RSfgHyAfAAB-FwbETqM866.png-wh_50" />

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M02/8A/CE/wKiom1g8RTCgUMAMAAE8mwUZZc0426.png-wh_500x0-wm_3-wmp_4-s_4121179122.png" style="float:none;" title="18.png" alt="wKiom1g8RTCgUMAMAAE8mwUZZc0426.png-wh_50" />

cp -p /etc/rndc.key /etc/westos.key (複製加密模板修改加密檔案 HMAC-MD5：對稱式加密：公開金鑰，私密金鑰一樣 )
650) this.width=650;" src="http://s1.51cto.com/wyfs02/M02/8A/CE/wKiom1g8RY7xaeblAABwOfNMkbI621.png-wh_500x0-wm_3-wmp_4-s_3221258310.png" title="19.png" alt="wKiom1g8RY7xaeblAABwOfNMkbI621.png-wh_50" />
vim /etc/named.conf
include "/etc/westos.key"
650) this.width=650;" src="http://s1.51cto.com/wyfs02/M00/8A/CE/wKiom1g8Rf_Tnh-kAAGAAq4qw54426.png-wh_500x0-wm_3-wmp_4-s_777075551.png" title="20.png" alt="wKiom1g8Rf_Tnh-kAAGAAq4qw54426.png-wh_50" />
vim /etc/named.rfc1912.zone
zone "dd.com" IN {
   type master;
   file "dd.com.zone";
   allow-update {westos key;}; // 允許誰更改我的dns資訊
650) this.width=650;" src="http://s4.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RhqwXJeNAAFjbFu0sLo710.png-wh_500x0-wm_3-wmp_4-s_1512867462.png" title="21.png" alt="wKioL1g8RhqwXJeNAAFjbFu0sLo710.png-wh_50" />
給輔助dns鑰匙
650) this.width=650;" src="http://s4.51cto.com/wyfs02/M00/8A/CE/wKiom1g8RjCR-SNVAAFbgi3XR0A659.png-wh_500x0-wm_3-wmp_4-s_2198408993.png" title="22.png" alt="wKiom1g8RjCR-SNVAAFbgi3XR0A659.png-wh_50" />

測試：
nsupdate -k Kwestos.+157+51429.private

650) this.width=650;" src="http://s5.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RluS7HUwAACKRNvIug8606.png-wh_500x0-wm_3-wmp_4-s_1599330183.png" style="float:none;" title="23.png" alt="wKioL1g8RluS7HUwAACKRNvIug8606.png-wh_50" />

650) this.width=650;" src="http://s1.51cto.com/wyfs02/M01/8A/CE/wKiom1g8RmTyKMdrAAGlOunzj10466.png-wh_500x0-wm_3-wmp_4-s_1277928494.png" style="float:none;" title="24.png" alt="wKiom1g8RmTyKMdrAAGlOunzj10466.png-wh_50" />

650) this.width=650;" src="http://s2.51cto.com/wyfs02/M01/8A/CE/wKiom1g8RmWDTxNyAADHVZWM8lw391.png-wh_500x0-wm_3-wmp_4-s_1678071267.png" style="float:none;" title="25.png" alt="wKiom1g8RmWDTxNyAADHVZWM8lw391.png-wh_50" />

650) this.width=650;" src="http://s5.51cto.com/wyfs02/M01/8A/CA/wKioL1g8RmeiCJdpAAF6ThcEf5E507.png-wh_500x0-wm_3-wmp_4-s_3795168805.png" style="float:none;" title="26.png" alt="wKioL1g8RmeiCJdpAAF6ThcEf5E507.png-wh_50" />

dns的動態綁定

配置dhcp 伺服器（用戶端每改一次ip，dns伺服器就會同步新的ip）

650) this.width=650;" src="http://s5.51cto.com/wyfs02/M02/8A/CE/wKiom1g8RqfRI9y3AAG_PvgXGEU283.png-wh_500x0-wm_3-wmp_4-s_3950690448.png" style="float:none;" title="27.png" alt="wKiom1g8RqfRI9y3AAG_PvgXGEU283.png-wh_50" />

650) this.width=650;" src="http://s4.51cto.com/wyfs02/M02/8A/CA/wKioL1g8RqmS2BVjAAExw3uexKI780.png-wh_500x0-wm_3-wmp_4-s_2937116077.png" style="float:none;" title="28.png" alt="wKioL1g8RqmS2BVjAAExw3uexKI780.png-wh_50" />

ddns-update-style interim
primary 127.0.0.1 (本應該dns所在的伺服器的IP 但用原生迴環介面速度快)

測試：更改dhcp伺服器動態ip範圍
ifconfig

dig lucky.dd.com (本機動態擷取的ip有時是不同的，測試看dns伺服器有沒有更新 )
650) this.width=650;" src="http://s2.51cto.com/wyfs02/M00/8A/CE/wKiom1g8Rs7CYqCKAAG1j9luti4318.png-wh_500x0-wm_3-wmp_4-s_699301584.png" title="29.png" alt="wKiom1g8Rs7CYqCKAAG1j9luti4318.png-wh_50" />
改變動態ip範圍

650) this.width=650;" src="http://s1.51cto.com/wyfs02/M00/8A/CA/wKioL1g8RwGzLHMpAAKAuB8lEgI531.png-wh_500x0-wm_3-wmp_4-s_2383546287.png" title="30.png" alt="wKioL1g8RwGzLHMpAAKAuB8lEgI531.png-wh_50" />650) this.width=650;" src="http://s2.51cto.com/wyfs02/M02/8A/CE/wKiom1g8Ry2Dh2qSAAHDRjqcL_s640.png-wh_500x0-wm_3-wmp_4-s_3392571095.png" title="31.png" alt="wKiom1g8Ry2Dh2qSAAHDRjqcL_s640.png-wh_50" />

dns 後續（dns叢集，“花生殼”，“遠程IP密碼更改dns”）

本文章原先以中文撰寫並發佈於 aliyun.com，亦設英文版本，僅作資訊用途。本網站不對文章的準確性，完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴，請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡，一經驗證之後，即會刪除該侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More