DNS Configuration
1. Installing DNS with BIND

   # yum install bind            the DNS server package
   # yum install bind-chroot     security measure: confines bind to a virtual root (chroot), separating it from the rest of the OS
2. Creating the forward and reverse zones for uplooking.com

Edit the main configuration file. The listen port, the allowed query sources, the client match and the destination match are all changed to any:

   [root@stu254 etc]# grep any named.caching-nameserver.conf
   listen-on port 53 { any; };
   allow-query { any; };
   match-clients { any; };
   match-destinations { any; };
   [root@stu254 etc]#

Create the forward and reverse zone definitions:

   [root@stu254 etc]# tail named.rfc1912.zones
   zone "uplooking.com" IN {
       type master;
       file "uplooking.com.zone.db";
   };
   zone "1.168.192.in-addr.arpa" IN {
       type master;
       file "uplooking.com.arpa.db";
   };
   [root@stu254 etc]#

Create the forward and reverse zone files, copying localhost.zone and editing it:

   [root@stu254 named]# pwd
   /var/named/chroot/var/named
   [root@stu254 named]# cat uplooking.com.zone.db
   $TTL 86400
   @       IN SOA  @ root (
                           2009060401 ; serial (d. adams)
                           3H         ; refresh
                           15M        ; retry
                           1W         ; expiry
                           1D )       ; minimum
           IN NS   dns.uplooking.com.
           IN MX 5 mail.uplooking.com.
   mail    IN A    10.10.10.30
   dns     IN A    192.168.1.31
   www     IN A    192.168.1.31
Record types used above:

   NS      name server (authority/delegation) record
   A       IP address record
   MX 5    mail exchange record (5 is the priority)
   SOA     start of authority record
   CNAME   alias record
   PTR     reverse (pointer) record
   [root@stu254 named]# cat uplooking.com.arpa.db
   $TTL 86400
   @       IN SOA  @ root (
                           2009060401 ; serial (d. adams)
                           3H         ; refresh
                           15M        ; retry
                           1W         ; expiry
                           1D )       ; minimum
           IN NS   dns.uplooking.com.
           IN MX 5 mail.uplooking.com.
   30      IN PTR  mail.uplooking.com.
   31      IN PTR  dns.uplooking.com.
   31      IN PTR  www.uplooking.com.
   [root@stu254 named]#

Fix the ownership of the zone files so named can read them:

   # chown :named /var/named/chroot/var/named/uplooking.com.*

Check the configuration with the syntax-checking tools:

   # named-checkconf /var/named/chroot/etc/named.caching-nameserver.conf
   # named-checkzone uplooking.com /var/named/chroot/var/named/uplooking.com.*
   zone uplooking.com/IN: loaded serial 2009060401
   OK                                  # no problems

Restart named:

   # service named restart
3. Syntax checking and test tools

Point the DNS client at this machine:

   [root@stu254 named]# cat /etc/resolv.conf
   search uplooking.com
   nameserver 192.168.1.31
   [root@stu254 named]#

Query with host:

   [root@stu254 named]# host www.uplooking.com
   www.uplooking.com has address 192.168.1.31
   [root@stu254 named]# host mail.uplooking.com
   mail.uplooking.com has address 10.10.10.31
   mail.uplooking.com mail is handled by 5 mail.uplooking.com.
   [root@stu254 named]# host 192.168.1.31
   31.1.168.192.in-addr.arpa domain name pointer www.uplooking.com.

Query with nslookup:

   [root@stu254 named]# nslookup
   > www.uplooking.com
   Server:         192.168.1.31
   Address:        192.168.1.31#53

   Name:   www.uplooking.com
   Address: 192.168.1.31
   > mail.uplooking.com
   Server:         192.168.1.31
   Address:        192.168.1.31#53

   Name:   mail.uplooking.com
   Address: 192.168.1.31
   > 192.168.1.31
   Server:         192.168.1.31
   Address:        192.168.1.31#53

   31.1.168.192.in-addr.arpa       name = www.uplooking.com.
   31.1.168.192.in-addr.arpa       name = mail.uplooking.com.
   [root@stu254 named]#

4. Load balancing

Add several A records for www to the forward zone file:

   www 0 IN A 192.168.1.31
   www 0 IN A 192.168.1.30
   www 0 IN A 192.168.1.32

Here 0 is the TTL; it can be used as a weight. Testing with ping www shows a different IP each time.
5. Resolving the bare domain, sequential names and wildcard names

Resolving the bare domain name: add to the forward zone file

   uplooking.com.  IN A 192.168.1.31

   # host uplooking.com
   uplooking.com has address 192.168.1.31

Sequential name resolution uses the $GENERATE directive, for example to loop over the values 1-254, where stu$ is the host name and 192.168.1.$ is the corresponding address:

   $GENERATE 1-254 stu$ IN A 192.168.1.$
   $GENERATE 1-254 $ IN PTR stu$.uplooking.com.

Wildcard resolution; this record must be written last:

   * IN A 192.168.1.31
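named-checkzone validates each zone file on its own; it does not cross-check the forward zone of section 2 against the reverse zone, nor the records that $GENERATE in section 5 expands. The following added example (not part of the tutorial) is a small Python checker that parses both files, expands $GENERATE, and reports A records in the reverse zone's network that have no PTR, and PTRs that have no A record. The sample zones are constructed for this example, modelled on the uplooking.com files above, with mail deliberately pointing at 10.10.10.30 while the 192.168.1 reverse zone maps .30 to it, so there is something to report.

```python
from collections import defaultdict

# Constructed sample zones (not the page's own files). One A record lacks a PTR
# and one PTR lacks an A record on purpose so the checker has findings.
FORWARD_ORIGIN = "uplooking.com."
FORWARD_ZONE = """\
$TTL 86400
@       IN SOA  @ root (
                        2009060401 ; serial
                        3H ; refresh
                        15M ; retry
                        1W ; expiry
                        1D ) ; minimum
        IN NS   dns.uplooking.com.
        IN MX 5 mail.uplooking.com.
mail    IN A    10.10.10.30
dns     IN A    192.168.1.31
www     IN A    192.168.1.31
uplooking.com.  IN A 192.168.1.31
$GENERATE 1-3 stu$ IN A 192.168.1.$
*       IN A    192.168.1.31
"""
REVERSE_ORIGIN = "1.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 86400
@       IN SOA  @ root ( 2009060401 3H 15M 1W 1D )
        IN NS   dns.uplooking.com.
30      IN PTR  mail.uplooking.com.
31      IN PTR  dns.uplooking.com.
31      IN PTR  www.uplooking.com.
$GENERATE 1-3 $ IN PTR stu$.uplooking.com.
"""


def _logical_lines(text):
    """Drop ';' comments and blank lines and join a parenthesised record (the
    multi-line SOA) into one line. The first physical line keeps its leading
    whitespace: a blank owner field means 'same owner as the previous record'."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line if not buf else line.strip())
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def fqdn(name, origin):
    """Qualify a zone-file name relative to the zone origin."""
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _expand_generate(line, origin):
    """Expand '$GENERATE start-stop[/step] lhs [ttl] [class] type rdata'.
    Only the plain '$' substitution is handled, which is all the text uses."""
    tokens = line.split()
    span, _, step = tokens[1].partition("/")
    start, stop = (int(x) for x in span.split("-"))
    rest = tokens[2:]
    lhs = rest.pop(0)
    if rest and rest[0].isdigit():
        rest.pop(0)                       # optional TTL
    if rest and rest[0].upper() == "IN":
        rest.pop(0)                       # optional class
    rtype, rdata = rest[0].upper(), " ".join(rest[1:])
    return [(fqdn(lhs.replace("$", str(i)), origin), rtype, rdata.replace("$", str(i)))
            for i in range(start, stop + 1, int(step) if step else 1)]


def parse_zone(text, origin):
    """Return (soa_serial, [(owner_fqdn, type, rdata), ...]) for a zone file."""
    serial, records, prev_owner = None, [], "@"
    for line in _logical_lines(text):
        if line.startswith("$TTL"):
            continue
        if line.startswith("$GENERATE"):
            records.extend(_expand_generate(line, origin))
            continue
        tokens = line.split()
        owner = prev_owner if line[0].isspace() else tokens.pop(0)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # optional TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                 # optional class
        rtype, rdata = tokens[0].upper(), " ".join(tokens[1:])
        if rtype == "SOA":                # mname rname serial refresh retry expire minimum
            fields = [t for t in tokens[1:] if t not in ("(", ")")]
            serial = int(fields[2])
        records.append((fqdn(owner, origin), rtype, rdata))
        prev_owner = owner
    return serial, records


def reverse_prefix(reverse_origin):
    """'1.168.192.in-addr.arpa.' -> '192.168.1.' (the network this zone covers)."""
    labels = reverse_origin.rstrip(".").split(".")[:-2]
    return ".".join(reversed(labels)) + "."


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check A and PTR records. Wildcard owners are skipped and addresses
    outside the reverse zone's network are out of scope."""
    _, fwd = parse_zone(fwd_text, fwd_origin)
    _, rev = parse_zone(rev_text, rev_origin)
    prefix = reverse_prefix(rev_origin)
    a_map, ptr_map = defaultdict(set), defaultdict(set)
    for owner, rtype, rdata in fwd:
        if rtype == "A" and not owner.startswith("*"):
            a_map[rdata].add(owner)
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            ptr_map[prefix + owner.split(".")[0]].add(rdata.lower())
    findings = []
    for ip, names in a_map.items():
        if ip.startswith(prefix):
            for n in sorted(names - ptr_map.get(ip, set())):
                findings.append(f"A {n} -> {ip} has no matching PTR")
    for ip, names in ptr_map.items():
        for n in sorted(names - a_map.get(ip, set())):
            findings.append(f"PTR {ip} -> {n} has no matching A")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN):
        print(finding)
```

Run against the real files by reading them from /var/named/chroot/var/named and passing the zone origins from named.rfc1912.zones. A mismatch such as a PTR that points at a name whose A record lives in another network is exactly what the host and nslookup output in section 3 would otherwise only reveal one query at a time.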
6. Setting up master and slave servers

Edit the master's configuration file:

   [root@stu31 named]# tail -n 12 /var/named/chroot/etc/named.rfc1912.zones
   zone "uplooking.com" IN {
       type master;
       file "uplooking.com.zone.db";
       allow-transfer { 192.168.1.32; };
   };
   zone "1.168.192.in-addr.arpa" IN {
       type master;
       file "uplooking.com.arpa.db";
       allow-transfer { 192.168.1.32; };
   };
   [root@stu31 named]#

Add the slave as an NS in the master's zone files.

Forward zone:

           IN NS   dns.uplooking.com.
   dns     IN A    192.168.1.32

Reverse zone:

           IN NS   dns.uplooking.com.
   32      IN PTR  dns.uplooking.com.

Without this change the zone files can still be transferred to the slave, but the slave will not update when the master's forward and reverse zone files change.

Edit the slave's configuration file; no zone files need to be created on the slave:

   [root@stu32 named]# tail -n 12 /var/named/chroot/etc/named.rfc1912.zones
   zone "uplooking.com" IN {
       type slave;
       file "slaves/uplooking.com.zone.db";
       masters { 192.168.1.31; };
   };
   zone "1.168.192.in-addr.arpa" IN {
       type slave;
       file "slaves/uplooking.com.arpa.db";
       masters { 192.168.1.31; };
   };
   [root@stu32 named]#

Testing: restart the master and the slave, and the zone files are copied to the slave automatically. Then add new forward and reverse records on the master and change the serial number; after restarting the master, the slave picks up the new records.
7. TSIG for master/slave DNS zone transfers

TSIG (transaction signature) authenticates the transfer with a shared key. Generate the key with:

   dnssec-keygen -a hmac-md5 -b 128 -n HOST <name>

master dns:

   key pgkey {
       algorithm hmac-md5;
       secret "BmGdrEJzYDFegy4wM8TBdQ==";
   };
   zone "uplooking.com" IN {
       type master;
       file "uplooking.com.zone";
       allow-transfer { key pgkey; };
   };

slave dns:

   key pgkey {
       algorithm hmac-md5;
       secret "BmGdrEJzYDFegy4wM8TBdQ==";
   };
   zone "uplooking.com" IN {
       type slave;
       file "slaves/uplooking.com.slave.zone";
       masters { 192.168.1.254 key pgkey; };
   };
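The allow-transfer ACL of section 6 and the TSIG key of section 7 are the two settings that decide who can pull a whole zone, which is the usual first step of mapping a network from its DNS. The following added Python script (not part of the tutorial) audits a named.conf fragment for master zones that have no allow-transfer, that allow any, that rely on an address-only ACL, or that reference an undefined key, and flags keys using hmac-md5 or hmac-sha1, which RFC 8945 deprecates in favour of hmac-sha256. It also generates a fresh secret of the length hmac-sha256 expects. The configuration it reads is constructed for the example: the zone names other than uplooking.com and 1.168.192.in-addr.arpa are made up, and the secret is a placeholder, not a real key.

```python
import base64
import re
import secrets

# Constructed named.conf fragment in the style of sections 6 and 7 (not the
# page's own file). The .example zones and the secret are placeholders.
SAMPLE_NAMED_CONF = """
key pgkey {
    algorithm hmac-md5;
    secret "CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY";
};
zone "uplooking.com" IN {
    type master;
    file "uplooking.com.zone.db";
    allow-transfer { key pgkey; };      // keyed transfer
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "uplooking.com.arpa.db";
    allow-transfer { 192.168.1.32; };   // address-only ACL
};
zone "open.example" IN {
    type master;
    file "open.example.zone";
    allow-transfer { any; };            # anyone may pull the zone
};
zone "noacl.example" IN {
    type master;
    file "noacl.example.zone";
};
zone "copy.example" IN {
    type slave;
    file "slaves/copy.example.zone";
    masters { 192.168.1.31 key pgkey; };
};
"""

WEAK_TSIG_ALGORITHMS = ("hmac-md5", "hmac-sha1")


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header_tokens, body) for each top-level `header { body };`
    statement, matching braces so nested ACL blocks stay inside their zone."""
    i = 0
    while True:
        open_brace = text.find("{", i)
        if open_brace < 0:
            return
        header = text[i:open_brace].rsplit(";", 1)[-1].split()
        depth, j = 1, open_brace + 1
        while j < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[open_brace + 1:j - 1]
        i = j


def audit_named_conf(text):
    """Return findings about zone-transfer policy and TSIG key strength."""
    keys, zones, findings = {}, [], []
    for header, body in top_level_blocks(_strip_comments(text)):
        if header and header[0] == "key":
            m = re.search(r"algorithm\s+([\w-]+)\s*;", body)
            keys[header[1].strip('"')] = m.group(1).lower() if m else ""
        elif header and header[0] == "zone":
            zones.append((header[1].strip('"'), body))
    for name, alg in keys.items():
        if alg in WEAK_TSIG_ALGORITHMS:
            findings.append(f"key {name}: {alg} is deprecated for TSIG (RFC 8945); use hmac-sha256")
    for zname, body in zones:
        m = re.search(r"\btype\s+(\w+)\s*;", body)
        if not m or m.group(1) not in ("master", "primary"):
            continue                      # only the zone's source sets transfer policy
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if not m:
            findings.append(f"zone {zname}: no allow-transfer; policy falls back to the server default")
            continue
        entries = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if "any" in entries:
            findings.append(f"zone {zname}: allow-transfer {{ any; }} lets anyone pull the whole zone")
        elif all(e.startswith("key ") for e in entries):
            for kname in (e.split()[1].strip('"') for e in entries):
                if kname not in keys:
                    findings.append(f"zone {zname}: allow-transfer references undefined key {kname}")
        else:
            findings.append(f"zone {zname}: transfers limited by address only; prefer a TSIG key")
    return findings


def new_tsig_secret(bits=256):
    """Fresh random secret in the base64 form named.conf expects
    (256 bits suits hmac-sha256, the equivalent of dnssec-keygen -b 256)."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


if __name__ == "__main__":
    for finding in audit_named_conf(SAMPLE_NAMED_CONF):
        print(finding)
    print("replacement secret:", new_tsig_secret())
```

The parser is deliberately minimal (top-level key and zone statements, one allow-transfer per zone); for a full syntax check still run named-checkconf as in section 2. The zone with no allow-transfer is reported because the effective policy then depends on the server default, which on the BIND releases of this tutorial's era allowed transfers to any host.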
8. Forwarding server

   options {
       allow-query { 192.168.1.0/24; };
       forward first;