一、 准备工作
1、 实验拓扑
节点 | IP地址 | 说明 |
---|---|---|
centos1 | 192.168.0.100 | dns_master |
centos2 | 192.168.0.101 | dns_client |
centos3 | 192.168.0.102 | dns_slave |
2、安装bind软件
# Installs the named daemon. The dig tests in the last section run on the
# client and need bind-utils, which this line does not necessarily pull in.
yum -y install bind
3、防火墙配置
# firewalld's "dns" service opens 53/udp and 53/tcp. Zone transfers (AXFR)
# from the slave run over TCP, so this is needed on the master as well as on
# the slave; the client node does not serve DNS and does not need it.
firewall-cmd --add-service=dns --permanent
firewall-cmd --reload
二、主服务器配置
1、 编辑配置文件/etc/named.conf
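# Make named listen on the master's LAN address instead of loopback only
# (the stock named.conf listens on 127.0.0.1). Dots are escaped so the
# pattern matches the literal address rather than any four characters.
sed -i 's/127\.0\.0\.1;/192.168.0.100;/' /etc/named.conf
# Accept queries from the lab subnet only (192.168.0.0/24 covers the three
# nodes in the topology table). The original substituted "any;", which
# together with the stock "recursion yes;" turns this host into an open
# recursive resolver for every address the firewall admits. The address
# prefix limits the edit to the allow-query line.
sed -i '/allow-query/s/localhost;/192.168.0.0\/24;/' /etc/named.conf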
# 末尾加入如下条目
# Forward zone: this node (192.168.0.100) is the primary for mmx.com.
zone "mmx.com" IN {
type master;
file "mmx.com.zone";
# The difference from a single-server setup is the next two lines: only the
# slave (192.168.0.102) may pull the zone (AXFR), and it gets a NOTIFY on
# changes. This is an address-based ACL only; a TSIG key would additionally
# authenticate the peer rather than trusting the source address.
allow-transfer { 192.168.0.102; };
also-notify { 192.168.0.102;};
};
# Reverse zone for 192.168.0.0/24, same transfer/notify settings as above.
zone "0.168.192.in-addr.arpa" IN {
type master;
file "mmx.com.local";
# Same as above: the two lines below let the slave transfer and be notified.
allow-transfer { 192.168.0.102; };
also-notify { 192.168.0.102;};
};
# Reverse zone for 1.1.1.0/24 (lab placeholder address of www.mmx.com).
zone "1.1.1.in-addr.arpa" IN {
type master;
file "mmx.com.local1";
# Same as above: the two lines below let the slave transfer and be notified.
allow-transfer { 192.168.0.102; };
also-notify { 192.168.0.102;};
};
# Reverse zone for 2.2.2.0/24 (lab placeholder address of ftp.mmx.com).
zone "2.2.2.in-addr.arpa" IN {
type master;
file "mmx.com.local2";
# Same as above: the two lines below let the slave transfer and be notified.
allow-transfer { 192.168.0.102; };
also-notify { 192.168.0.102;};
};
2、 编辑/var/named目录下的文件
需要添加文件
[root@dns_master /var/named]# ls mmx.com.*
mmx.com.local mmx.com.local1 mmx.com.local2 mmx.com.zone
# 正向解析文件
[root@dns_master /var/named]# cat mmx.com.zone
$TTL 3h ; default TTL for records without one (the dig output below shows 10800)
mmx.com. IN SOA ns.mmx.com. root.mmx.com.(
1    ; serial - increment on every edit, otherwise the slave never re-transfers
1h   ; refresh - how often the slave compares serials with the master
2h   ; retry - wait after a failed refresh; usually set shorter than refresh
24h  ; expire - the slave stops answering once the master has been unreachable this long
1h)  ; negative-cache TTL
; Only the master is published as NS; the slave is not advertised, so the
; failover test later works only because the client lists 192.168.0.102
; directly in resolv.conf. Add an NS plus A record for the slave if resolvers
; should discover it on their own.
mmx.com. IN NS ns.mmx.com.
ns.mmx.com. IN A 192.168.0.100
; Lab placeholder addresses; 1.1.1.1 / 2.2.2.2 / 3.3.3.3 are public addresses
; owned by third parties and only resolve this way inside this lab.
www.mmx.com. IN A 1.1.1.1
ftp.mmx.com. IN A 2.2.2.2
mmx.com. IN MX 0 mail.mmx.com.
mail.mmx.com. IN A 3.3.3.3
www1.mmx.com. IN CNAME www.mmx.com.
ftp1.mmx.com. IN CNAME ftp.mmx.com.
# 反向解析文件
[root@dns_master /var/named]# cat mmx.com.local
$TTL 3h
; Reverse zone for 192.168.0.0/24.
0.168.192.in-addr.arpa. IN SOA ns.mmx.com. root.mmx.com.(
1    ; serial - increment on every edit so the slave re-transfers
1h   ; refresh
2h   ; retry - usually set shorter than refresh
24h  ; expire - slave discards the zone after this long without reaching the master
1h)  ; negative-cache TTL
0.168.192.in-addr.arpa. IN NS ns.mmx.com.
; Only the master has a PTR; the slave (192.168.0.102) and client (192.168.0.101) do not.
100.0.168.192.in-addr.arpa. IN PTR ns.mmx.com.
[root@dns_master /var/named]# cat mmx.com.local1
$TTL 3h
; Reverse zone for the lab placeholder address 1.1.1.1 (www.mmx.com).
1.1.1.in-addr.arpa. IN SOA ns.mmx.com. root.mmx.com.(
1    ; serial - increment on every edit so the slave re-transfers
1h   ; refresh
2h   ; retry - usually set shorter than refresh
24h  ; expire - slave discards the zone after this long without reaching the master
1h)  ; negative-cache TTL
1.1.1.in-addr.arpa. IN NS ns.mmx.com.
1.1.1.1.in-addr.arpa. IN PTR www.mmx.com.
[root@dns_master /var/named]# cat mmx.com.local2
$TTL 3h
; Reverse zone for the lab placeholder address 2.2.2.2 (ftp.mmx.com).
2.2.2.in-addr.arpa. IN SOA ns.mmx.com. root.mmx.com.(
1    ; serial - increment on every edit so the slave re-transfers
1h   ; refresh
2h   ; retry - usually set shorter than refresh
24h  ; expire - slave discards the zone after this long without reaching the master
1h)  ; negative-cache TTL
2.2.2.in-addr.arpa. IN NS ns.mmx.com.
2.2.2.2.in-addr.arpa. IN PTR ftp.mmx.com.
3、 重启DNS
[root@dns_master ~]# systemctl enable named.service --now
[root@dns_master ~]# systemctl restart named.service
[root@dns_master ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2023-01-19 21:42:17 CST; 1s ago
Process: 56144 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, stat>
Process: 56141 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /us>
Main PID: 56146 (named)
Tasks: 7 (limit: 23656)
Memory: 23.3M
CGroup: /system.slice/named.service
└─56146 /usr/sbin/named -u named -c /etc/named.conf
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './DNSKEY/IN': 2001:500:>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './NS/IN': 2001:500:200:>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './DNSKEY/IN': 2001:503:>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './NS/IN': 2001:503:ba3e>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './DNSKEY/IN': 2001:7fe:>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './NS/IN': 2001:7fe::53#>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './DNSKEY/IN': 2001:500:>
Jan 19 21:42:17 dns_master named[56146]: network unreachable resolving './NS/IN': 2001:500:9f::>
Jan 19 21:42:18 dns_master named[56146]: managed-keys-zone: Key 20326 for zone . acceptance tim>
Jan 19 21:42:18 dns_master named[56146]: resolver priming query complete
三、 从服务器配置
1、 编辑配置文件/etc/named.conf
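# Accept queries from the lab subnet only (192.168.0.0/24 covers the three
# nodes in the topology table). The original substituted "any;", which
# together with the stock "recursion yes;" makes the slave an open recursive
# resolver for every address the firewall admits. The address prefix limits
# the edit to the allow-query line.
sed -i '/allow-query/s/localhost;/192.168.0.0\/24;/' /etc/named.conf
# Make named listen on the slave's LAN address instead of loopback only.
# Dots are escaped so the pattern matches the literal address.
sed -i 's/127\.0\.0\.1;/192.168.0.102;/' /etc/named.conf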
# 末尾添加如下
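# Secondary copy of the forward zone, pulled from the master (192.168.0.100).
zone "mmx.com" IN {
  # Type becomes slave; masters names the primary to transfer from.
  type slave;
  file "mmx.com.zone";
  masters { 192.168.0.100; };
  # The stock named.conf sets no allow-transfer, and the default in this
  # BIND release is to allow transfers to any host, so without this line
  # every address the firewall admits could pull a full copy of the zone
  # from the slave. Nothing in this lab needs AXFR from the slave.
  allow-transfer { none; };
  # Kept from the original. NOTIFY from the slave back to the master is not
  # needed for master->slave replication and may be dropped.
  also-notify { 192.168.0.100; };
};
# Secondary copy of the 192.168.0.0/24 reverse zone.
zone "0.168.192.in-addr.arpa" IN {
  type slave;
  file "mmx.com.local";
  masters { 192.168.0.100; };
  # Same reasoning as above: no one needs to transfer zones from the slave.
  allow-transfer { none; };
  also-notify { 192.168.0.100; };
};
# Secondary copy of the 1.1.1.0/24 reverse zone.
zone "1.1.1.in-addr.arpa" IN {
  type slave;
  file "mmx.com.local1";
  masters { 192.168.0.100; };
  allow-transfer { none; };
  also-notify { 192.168.0.100; };
};
# Secondary copy of the 2.2.2.0/24 reverse zone.
zone "2.2.2.in-addr.arpa" IN {
  type slave;
  file "mmx.com.local2";
  masters { 192.168.0.100; };
  allow-transfer { none; };
  also-notify { 192.168.0.100; };
};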
2、 重启DNS
[root@dns_slave ~]# systemctl enable named.service --now
[root@dns_slave ~]# systemctl enable named.service
[root@dns_slave ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2023-01-19 21:09:02 CST; 32min ago
Process: 33935 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID >
Process: 33950 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SU>
Process: 33947 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/>
Main PID: 33952 (named)
Tasks: 7 (limit: 23656)
Memory: 25.7M
CGroup: /system.slice/named.service
└─33952 /usr/sbin/named -u named -c /etc/named.conf
Jan 19 21:10:48 dns_slave named[33952]: network unreachable resolving 'arpa/DS/IN': 2001:dc3::35#53
Jan 19 21:10:48 dns_slave named[33952]: network unreachable resolving 'arpa/DS/IN': 2001:503:ba3e::2:3>
Jan 19 21:10:48 dns_slave named[33952]: network unreachable resolving 'arpa/DS/IN': 2001:500:9f::42#53
Jan 19 21:10:48 dns_slave named[33952]: network unreachable resolving 'arpa/DS/IN': 2001:500:2d::d#53
Jan 19 21:10:48 dns_slave named[33952]: no valid RRSIG resolving 'arpa/DS/IN': 192.203.230.10#53
Jan 19 21:10:48 dns_slave named[33952]: network unreachable resolving 'arpa/DS/IN': 2001:503:c27::2:30>
Jan 19 21:10:48 dns_slave named[33952]: no valid RRSIG resolving 'arpa/DS/IN': 198.97.190.53#53
Jan 19 21:10:48 dns_slave named[33952]: no valid DS resolving '3.3.3.3.in-addr.arpa/PTR/IN': 192.5.5.2>
Jan 19 21:10:48 dns_slave named[33952]: validating 3.3.3.3.in-addr.arpa/PTR: bad cache hit (arpa/DS)
Jan 19 21:10:48 dns_slave named[33952]: broken trust chain resolving '3.3.3.3.in-addr.arpa/PTR/IN': 19>
四、 测试
1、 临时设置DNS地址
[root@dns_client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search nice
nameserver 192.168.0.100
nameserver 192.168.0.102
2、 测试
1、 使用dig测试（注意：`dig 1.1.1.1` 查询的是名字 "1.1.1.1" 的 A 记录，所以下面第二次查询返回 SERVFAIL；测试反向解析应使用 `dig -x 1.1.1.1`）
[root@dns_client ~]# dig www.mmx.com
; <<>> DiG 9.11.36-RedHat-9.11.36-7.el8 <<>> www.mmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41749
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9893378e0884d733c3cec6a163c94cad6f232d76ea797e34 (good)
;; QUESTION SECTION:
;www.mmx.com. IN A
;; ANSWER SECTION:
www.mmx.com. 10800 IN A 1.1.1.1
;; AUTHORITY SECTION:
mmx.com. 10800 IN NS ns.mmx.com.
;; ADDITIONAL SECTION:
ns.mmx.com. 10800 IN A 192.168.0.100
;; Query time: 1 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
;; WHEN: Thu Jan 19 21:59:09 CST 2023
;; MSG SIZE rcvd: 117
[root@dns_client ~]# dig 1.1.1.1
; <<>> DiG 9.11.36-RedHat-9.11.36-7.el8 <<>> 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41599
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f5a59b8fcbd4ccd672e3efc163c94cb409fa1b64e30afda9 (good)
;; QUESTION SECTION:
;1.1.1.1. IN A
;; Query time: 11 msec
;; SERVER: 192.168.0.100#53(192.168.0.100)
;; WHEN: Thu Jan 19 21:59:17 CST 2023
;; MSG SIZE rcvd: 64
2、 测试从服务器
[root@dns_client ~]# dig @192.168.0.102 mail.mmx.com
; <<>> DiG 9.11.36-RedHat-9.11.36-7.el8 <<>> @192.168.0.102 mail.mmx.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19510
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9371aeaf449192ba2377369263c94d0c5a5a71213fd58327 (good)
;; QUESTION SECTION:
;mail.mmx.com. IN A
;; ANSWER SECTION:
mail.mmx.com. 10800 IN A 3.3.3.3
;; AUTHORITY SECTION:
mmx.com. 10800 IN NS ns.mmx.com.
;; ADDITIONAL SECTION:
ns.mmx.com. 10800 IN A 192.168.0.100
;; Query time: 0 msec
;; SERVER: 192.168.0.102#53(192.168.0.102)
;; WHEN: Thu Jan 19 22:00:45 CST 2023
;; MSG SIZE rcvd: 118
3、 模拟故障测试
1、关闭主服务器DNS服务
[root@dns_master ~]# systemctl stop named.service
2、 在客户端测试解析是否能成功
# 发现客户端使用从服务器地址成功解析（主服务器超时后 resolv.conf 中的第二个 nameserver 生效；从服务器只在 SOA 的 expire（24h）期限内继续应答）
[root@dns_client ~]# dig www.mmx.com
; <<>> DiG 9.11.36-RedHat-9.11.36-7.el8 <<>> www.mmx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14469
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 881b733bbefa34f831743abf63c94dc5e1ef328b27848515 (good)
;; QUESTION SECTION:
;www.mmx.com. IN A
;; ANSWER SECTION:
www.mmx.com. 10800 IN A 1.1.1.1
;; AUTHORITY SECTION:
mmx.com. 10800 IN NS ns.mmx.com.
;; ADDITIONAL SECTION:
ns.mmx.com. 10800 IN A 192.168.0.100
;; Query time: 0 msec
;; SERVER: 192.168.0.102#53(192.168.0.102)
;; WHEN: Thu Jan 19 22:03:50 CST 2023
;; MSG SIZE rcvd: 117
From: https://blog.51cto.com/mmx123/6020180