实训第二天-DNS的搭建
1. DNS安装与环境
ps:跟陈总的文档完全不同
#安装bind
yum install -y bind bind-utils
关于环境:
不先处理一些环境问题,后面处理起来,人要疯
环境:必要两台centos7,复数其它任意网段主机(可有可无)
首先是固定自己的ip(是啊,教室到宿舍,在到教室,网络一断,又得重新配)
#主NDS服务器
vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static #改为static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=118af5e5-92de-42b0-a1c6-619c8d9d6c81 #可删
ONBOOT=yes #改为yes
IPADDR=192.168.241.129 #本地ip
PREFIX=24
GATEWAY=192.168.241.2
DNS1=192.168.241.129 #本地ip
#容灾所使用的服务器(由于是主服务器克隆而来,网卡一摸一样)
vim /etc/sysconfig/network-scripts/ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=static
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
IPADDR=192.168.241.134 #自己的ip,注意区分
PREFIX=24
GATEWAY=192.168.241.2
ONBOOT=yes
DNS1=192.168.241.134 #自己的ip,注意区分
#记得更新网络配置
service network restart
其次是关闭防火墙和SELinux
#控制变量,人人有责
[root@localhost ~] systemctl stop firewalld
[root@localhost ~] setenforce 0
2. DNS的配置和部署
#尝试启动DNS
[root@localhost ~] systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: inactive (dead)
没有配置文件,无法启动很正常
主配置文件修改
[root@localhost ~] vim /etc/named.conf
options {
listen-on port 53 { any; }; #ip地址修改成any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; #一样改成any
配置正向解析与反向解析
后面的容灾也需要以下配置
vim /etc/named.rfc1912.zones
#在末尾增加以下
#正向解析
zone "qiye.com" IN {
type master;
file "qiye.com.zone"; #正向解析文件路径
allow-transfer { 192.168.241.134; }; #允许转移数据(容灾)
allow-update { 192.168.241.134; }; #允许这个ip更新数据(容灾)
};
#反向解析
zone "241.168.192.in-addr.arpa" IN {
type master;
file "qiye.com.local"; #反向解析文件路径
allow-transfer { 192.168.241.134; }; #允许转移数据(容灾)
allow-update { 192.168.241.134; }; #允许这个ip更新数据(容灾)
};
#cd到正向解析和反向解析文件所在的文件夹
cd /var/named/
#创建正向解析文件和反向解析文件:
[root@localhost named] ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
#将模板复制过来,即:
[root@localhost named] cp -p named.localhost qiye.com.zone
[root@localhost named] cp -p named.loopback qiye.com.local
ps:假如他们的所属组是root,那么请将他们所属组改成named(我这里不用)
[root@localhost named]# ll
total 24 #所有者 所属组
drwxrwx---. 2 named named 6 Aug 31 07:53 data
drwxrwx---. 2 named named 6 Aug 31 07:53 dynamic
-rw-r-----. 1 root named 2253 Apr 5 2018 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
-rw-r-----. 1 root named 168 Dec 15 2009 qiye.com.local
-rw-r-----. 1 root named 152 Jun 21 2007 qiye.com.zone
drwxrwx---. 2 named named 6 Aug 31 07:53 slaves
#修改所属组语句:
[root@localhost named] chown -R named:named qiye.com.local
[root@localhost named] chown -R named:named qiye.com.zone
对两个文件进行DNS域名解析编辑
[root@localhost named] vim qiye.com.zone
[root@localhost named] vim qiye.com.local
#正向解析文件
$TTL 1D
@ IN SOA qiye.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
NS ns.qiye.com.
ns IN A 192.168.241.129
www IN A 192.168.241.129
email IN A 192.168.241.129
c2 IN A 192.168.241.134
#反向解析文件
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.
NS ns.qiye.com.
ns A 192.168.241.129
129 PTR www.qiye.com.
129 PTR email.qiye.com.
134 PTR c2.qiye.com.
修改DNS配置
[root@localhost named] vim /etc/resolv.conf
nameserver 192.168.241.129
nameserver 114.114.114.114 #可有可无,防止断网
再次启动DNS服务
#没任何返回,则正常运行
[root@localhost named] systemctl start named
#53端口检查状态
[root@localhost named] lsof -i :53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
named 43300 named 21u IPv4 91166 0t0 TCP localhost:domain (LISTEN)
named 43300 named 22u IPv4 91168 0t0 TCP www.qiye.com:domain (LISTEN)
named 43300 named 23u IPv6 91170 0t0 TCP localhost:domain (LISTEN)
named 43300 named 26u IPv4 91426 0t0 TCP 192.168.241.147:domain (LISTEN)
named 43300 named 512u IPv4 91164 0t0 UDP localhost:domain
named 43300 named 513u IPv4 91167 0t0 UDP www.qiye.com:domain
named 43300 named 514u IPv6 91169 0t0 UDP localhost:domain
named 43300 named 515u IPv4 91425 0t0 UDP 192.168.241.147:domain
3.实现DNS域名解析
#成功正反向解析域名和ip,ya*da*ze!
[root@localhost named] nslookup 192.168.241.129
129.241.168.192.in-addr.arpa name = email.qiye.com.
129.241.168.192.in-addr.arpa name = www.qiye.com.
[root@localhost named] nslookup www.qiye.com
Server: 192.168.241.129
Address: 192.168.241.129#53
Name: www.qiye.com
Address: 192.168.241.129
[root@localhost named] nslookup c2.qiye.com
Server: 192.168.241.129
Address: 192.168.241.129#53
Name: c2.qiye.com
Address: 192.168.241.134
截图为证!
4.容灾处理
在克隆的centos7上的操作(192.168.241.134)
无非是对配置文件的处理
#与前面一样
vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
#注意!!!!!这里变了
[root@localhost ~] vim /etc/named.rfc1912.zones
zone "qiye.com" IN {
type slave; #改成slave
file "slave/qiye.com.zone"; #路径可以变
masters { 192.168.241.129; }; #主DNS服务器的ip地址
};
zone "241.168.192.in-addr.arpa" IN {
type slave; #改成slave
file "slave/qiye.com.local"; #路径变了
masters { 192.168.241.129; }; #主DNS服务器ip地址
};
#DNS修改
[root@localhost ~] vim /etc/resolv.conf
#domain localdomain
search localdomain
#nameserver 192.168.241.2
nameserver 192.168.241.129 #主DNS服务器ip地址
#查看有无正反向解析文件存在
[root@localhost ~] ls /var/named/slaves/ #如果不存在,则把主DNS服务器的两个正反解析文件拷过来到slaves文件夹里(我的是这两个文件 qiye.com.zone,qiye.com.local)
[root@localhost ~] cd /var/named/slaves/
#更新DNS服务
[root@localhost ~] systemctl restart named
#验证是否成功
[root@localhost ~] ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.241.134 netmask 255.255.255.0 broadcast 192.168.241.255
[root@localhost ~] nslookup www.qiye.com
Server: 192.168.241.129
Address: 192.168.241.129#53
Name: www.qiye.com
Address: 192.168.241.129
#ping一下,发现解析成功!
[root@localhost ~] ping www.qiye.com
PING www.qiye.com (192.168.241.129) 56(84) bytes of data.
64 bytes from www.qiye.com (192.168.241.129): icmp_seq=1 ttl=64 time=0.782 ms
64 bytes from email.qiye.com (192.168.241.129): icmp_seq=2 ttl=64 time=0.419 ms
64 bytes from email.qiye.com (192.168.241.129): icmp_seq=3 ttl=64 time=0.711 ms
^C
--- www.qiye.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.419/0.637/0.782/0.158 ms
完成,www.qiye.com正是主DNS服务器的域名,ip地址192.168.241.129
yadaze!
5.智能解析
部署一台DNS智能解析服务器,对 qiye.com 域名做如下智能解析:
广州用户解析 IP 为 1.1.1.1
深圳用户解析 IP 为 2.2.2.2
其他用户解析为 3.3.3.3
#修改主配置文件
vim /etc/named.conf
#新增以下
acl gz { #规则:这个网段ip,返回gz文件的DNS的ip
192.168.247.0/24;
};
acl sz { #规则:这个网段ip,返回sz文件的DNS的ip
192.168.100.0/24;
};
acl ot { #规则:除上述网段ip,返回ot文件的DNS的ip
any;
};
#并且注释zone "."
/*
zone "." IN {
type hint;
file "named.ca";
};
*/
view guangzhou{
match-clients { gz; };
zone "." IN {
type hint;
file "named.ca";
};
zone "qiye.com" IN {
type master;
file "qiye.com.zone.gz";
};
};
view shenzhen {
match-clients { sz; };
zone "." IN {
type hint;
file "named.ca";
};
zone "qiye.com" IN {
type master;
file "qiye.com.zone.gz";
};
};
view other {
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
zone "qiye.com" IN {
type master;
file "qiye.com.zone.ot";
};
};
#还有注释了下面这个
#include "/etc/named.rfc1912.zones";
#把新增的文件补上
cd /var/named/
cp qiye.com.zone qiye.com.zone.gz
cp qiye.com.zone qioye.com.zone.sz
cp qiye.com.zone qiye.com.zone.ot
chgrp named qiye.com.zone.*
并且把每个复制后生成的文件,改一下解析域名解析
vim qiye.com.zone.gz
www A 1.1.1.1
vim qiye.com.zone.se
www A 2.2.2.2
vim qiye.com.zone.ot
www A 3.3.3.3
验证可能
#可以发现我的ip为192.168.241.129的时候,根据上述增加的acl规则,DNS服务器给我返回了other的3.3.3.3
[root@localhost named] ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.241.129 netmask 255.255.255.0 broadcast 192.168.241.255
[root@localhost named]# host www.qiye.com
www.qiye.com has address 3.3.3.3
ya✧da✧ze!
扫一扫
2534
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
