bind97
dig:
aa: Authority Answer
泛域名解析:
*.mageedu.com. IN A
[root@localhost named]# vim mageedu.com.zone
; /var/named/mageedu.com.zone - forward zone for mageedu.com, first revision.
; A record whose owner name is left blank inherits the previous owner; a name
; without a trailing dot is relative to the zone origin (mageedu.com.).
$TTL 600 ; default TTL (seconds) for records that carry none
; SOA: primary server ns1.mageedu.com., contact mailbox admin@mageedu.com
; (the first dot of admin.mageedu.com. stands for the @).
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial - must grow on every edit; slaves only transfer when it has increased
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1 ; owner inherited from the SOA line: the zone's name server is ns1.mageedu.com.
IN MX 10 mail ; mail exchanger for the domain, preference 10
ns1 IN A 192.168.0.45
mail IN A 192.168.0.15
www IN A 192.168.0.45 ; www has two addresses; both are returned
www IN A 192.168.0.25
mageedu.com. IN A 192.168.0.45 ; address of the bare domain name
ftp IN CNAME www ; ftp is an alias of www
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master (192.168.1.45), BIND 9.7 - first revision.
# Only global options and zone declarations live here; zone data sits in the
# files named below, relative to "directory".
options {
directory "/var/named";
# Recursion is on by default for every client (the default limit of 1000
# concurrent recursive clients keeps the server from being overwhelmed), so
# this line stays commented out.
#recursion yes;
# Address-match list of client sources allowed to recurse through this
# server: only hosts in 192.168.1.0/24. Everyone else still receives
# authoritative answers for the zones declared below.
allow-recursion { 192.168.1.0/24; };
};
# Root hints: the starting point for iterative resolution.
zone "." IN {
type hint;
file "named.ca";
};
# Forward and reverse loopback zones shipped with the package.
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
# Authoritative forward zone; data in /var/named/mageedu.com.zone.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
# Authoritative reverse zone for 192.168.0.0/24; data in /var/named/192.168.0.zone.
zone "0.168.192.in-addr.arpa" IN{
type master;
file "192.168.0.zone";
};
dig 的 +选项 表示启用某种查询方式(例如 +recurse),
+no选项 表示关闭这种方式(例如 +norecurse)
e
[root@localhost named]# man dig
[root@localhost named]# vim /etc/named.conf
[root@localhost named]# dig +recurse -t A www.sohu.com @192.168.1.45
[root@localhost named]# dig -t A www.sohu.com @192.168.1.45 (默认本身就是 +recurse) 所以结果一样
[root@localhost named]# dig +norecurse -t A www.baidu.com @192.168.1.45
不递归,对方让你去查根了,根告诉你这是属于.com的,你去找.com吧
从.com的服务器中找一个出来,再来找
[root@localhost named]# dig +norecurse -t A www.baidu.com @j.gtld-servers.net
此时返回的是 百度dns服务器的A记录,再继续查找,换到百度dns服务器
[root@localhost named]# dig +norecurse -t A www.baidu.com @ns2.baidu.com
此时看到了最终结果 ( cdn 的结果 )
不使用递归,只返回一个参考答案给我们,而不是最终答案给我们
[root@localhost named]# man dig
+trace 追踪解析过程
[root@localhost named]# dig +trace -t A www.baidu.com @192.168.1.45 (没有 @192.168.1.45 也可以,因为在resolv.conf中已经改了)
+trace 追踪解析过程
(从 根 到 .com ,再到 baidu.com ,最后到 www.baidu.com)
[root@localhost named]# vim /etc/named.conf
拒绝给所有人递归看看
[root@localhost named]# service named restart
Stopping named: . [确定]
Starting named: [确定]
[root@localhost named]#
[root@localhost named]# dig +recurse -t A www.baidu.com @192.168.1.45
外网主机无法通过我们递归
因为我们不给它递归,它就不能把我们的服务器当作自己的 dns 服务器来用,把我们设置成它的 dns 服务器也就没有意义了
[root@localhost named]# dig +recurse -t A www.mageedu.com @192.168.1.45
www.mageedu.com 是本机自己负责的区域(内部数据),直接给出权威应答,不涉及递归
给某个网段递归
[root@localhost named]# vim /etc/named.conf
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master - recursion limited to one network.
options {
directory "/var/named";
# "recursion no" was used to refuse recursion to everybody; it is commented
# out again in favour of the source-address ACL below.
#recursion no;
# Uncommented: only 192.168.1.0/24 may recurse through this server.
# 127.0.0.1 is NOT in this list, so a recursive query sent to @127.0.0.1 is
# refused recursion until the loopback address is added.
allow-recursion { 192.168.1.0/24; };
};
# Root hints: the starting point for iterative resolution.
zone "." IN {
type hint;
file "named.ca";
};
# Forward and reverse loopback zones shipped with the package.
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
# Authoritative forward zone; data in /var/named/mageedu.com.zone.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
# Authoritative reverse zone for 192.168.0.0/24.
zone "0.168.192.in-addr.arpa" IN{
type master;
file "192.168.0.zone";
};
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# dig +recurse -t A www.baidu.com @192.168.1.45
这时是可以递归的
[root@localhost named]# dig +recurse -t A www.baidu.com @127.0.0.1
此时不给递归了, 因为只给 192.168.1.0/16 这个网段递归
所以我们再把127.0.0.1放行
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master - loopback added to the recursion ACL.
options {
directory "/var/named";
#recursion no;
# Uncommented. 192.168.1.0/24 is the LAN; 127.0.0.1/32 is this single host,
# so local tests against @127.0.0.1 are allowed to recurse as well.
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
};
# Root hints: the starting point for iterative resolution.
zone "." IN {
type hint;
file "named.ca";
};
# Forward and reverse loopback zones shipped with the package.
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
# Authoritative forward zone; data in /var/named/mageedu.com.zone.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
# Authoritative reverse zone for 192.168.0.0/24.
zone "0.168.192.in-addr.arpa" IN{
type master;
file "192.168.0.zone";
};
[root@localhost named]# dig +recurse -t A www.baidu.com @127.0.0.1
此时可以了
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master - same as before, with a note on allow-query.
options {
directory "/var/named";
#recursion no;
# Uncommented: LAN plus this host may recurse.
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
# allow-query takes the same address-match list as allow-recursion but limits
# who may query at all. With it in place, hosts on the Internet could not
# resolve these zones, so it is rarely used on a public authoritative server.
# allow-query;
};
# Root hints: the starting point for iterative resolution.
zone "." IN {
type hint;
file "named.ca";
};
# Forward and reverse loopback zones shipped with the package.
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
# Authoritative forward zone; data in /var/named/mageedu.com.zone.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
# Authoritative reverse zone for 192.168.0.0/24.
zone "0.168.192.in-addr.arpa" IN{
type master;
file "192.168.0.zone";
};
[root@localhost named]# man dig
axfr : ( a all ) 完全区域传送, 得到对方区域内的所有数据
ixfr : ( i increment ) 增量区域传送, 只传送从指定序列号以来发生变化的部分
[root@localhost named]# dig -t axfr mageedu.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t axfr mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040101 3600 300 172800 21600
mageedu.com. 600 IN A 192.168.0.45
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 192.168.0.15
ns1.mageedu.com. 600 IN A 192.168.0.45
www.mageedu.com. 600 IN A 192.168.0.25
www.mageedu.com. 600 IN A 192.168.0.45
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040101 3600 300 172800 21600
;; Query time: 1 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Jan 25 03:00:33 2019
;; XFR size: 10 records (messages 1, bytes 248)
[root@localhost named]#
[root@localhost named]# vim mageedu.com.zone
; /var/named/mageedu.com.zone - second revision: addresses moved to
; 192.168.1.0/24, "pop" and a wildcard added. Blank owner names inherit the
; previous owner; names without a trailing dot are relative to mageedu.com.
$TTL 600 ; default TTL (seconds) for records that carry none
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040202 ; serial - increased for this edit so slaves notice the change
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1 ; name server of the zone (ns1.mageedu.com.)
IN MX 10 mail ; mail exchanger, preference 10
ns1 IN A 192.168.1.45
mail IN A 192.168.1.15
www IN A 192.168.1.45 ; www has two addresses; both are returned
www IN A 192.168.1.25
ftp IN CNAME www ; ftp is an alias of www
mageedu.com. IN A 192.168.1.45 ; address of the bare domain name
pop IN A 192.168.1.45
*.mageedu.com. IN A 192.168.1.25 ; wildcard: any name under mageedu.com. with no record of its own
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# dig -t IXFR=2013040201 mageedu.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t IXFR=2013040201 mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040202 3600 300 172800 21600
mageedu.com. 600 IN A 192.168.1.45
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 192.168.1.25
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 192.168.1.15
ns1.mageedu.com. 600 IN A 192.168.1.45
pop.mageedu.com. 600 IN A 192.168.1.45
www.mageedu.com. 600 IN A 192.168.1.25
www.mageedu.com. 600 IN A 192.168.1.45
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040202 3600 300 172800 21600
;; Query time: 3 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Jan 25 03:13:04 2019
;; XFR size: 12 records (messages 1, bytes 298)
[root@localhost named]# dig -t IXFR=2013040202 mageedu.com
这里请求的序列号 2013040202 与当前序列号相同,所以增量区域传送只返回一条 SOA,看不到是哪条记录发生了变化
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t IXFR=2013040202 mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 20130402 02 3600 300 172800 21600
;; Query time: 0 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Jan 25 03:13:17 2019
;; XFR size: 1 records (messages 1, bytes 75)
我们可以手动进行区域传送
[root@localhost named]#
区域: (区域传送发生在有主从结构的时候)(是从主dns服务器向从dns服务器传送变化的数据内容)
主,从
区域传送时别人可以看到我们的区域数据文件内容,所以不安全,
所以只能允许从服务器来传送,其它任何主机都不能允许
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master - zone transfers restricted per zone.
options {
directory "/var/named";
# recursion no;
# NOTE(review): the loopback entry is written 127.0.0.1/24 here but
# 127.0.0.1/32 in the other revisions of this file; a single host is /32 -
# confirm which prefix is intended.
allow-recursion { 192.168.1.0/24; 127.0.0.1/24; };
# allow-transfer { ... } lists the hosts allowed to pull a copy of a zone. It
# may be set here (applies to every zone) or inside each zone statement, as
# is done below.
};
zone "." IN {
type hint;
file "named.ca";
# allow-transfer is not accepted in a hint zone: named reports an error when
# this line is present.
allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; }; # no host may transfer this zone
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; }; # no host may transfer this zone
};
# A transfer hands out the complete zone data, so only the slave
# (192.168.1.15) may request one; every other host is refused.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
# Reverse zone for 192.168.1.0/24, same transfer restriction.
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
等下我们建个从dns服务器 (其ip为192.168.1.15)
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# service named restart
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the master - working revision with per-zone transfer ACLs.
options {
directory "/var/named";
#recursion no;
# Uncommented: LAN plus this host may recurse.
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
# allow-transfer is not set globally; each zone below carries its own list.
#allow-transfer
};
zone "." IN {
type hint;
file "named.ca";
# allow-transfer cannot be given for a hint zone (named reports an error), so
# it stays commented out here.
# allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; }; # no host may transfer this zone
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; }; # no host may transfer this zone
};
# Only the slave at 192.168.1.15 may pull these two zones. Note this also
# refuses "dig -t axfr" run on the master itself, since neither 127.0.0.1 nor
# 192.168.1.45 is listed.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
[root@localhost named]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost named]#
[root@localhost named]# dig -t axfr mageedu.com
发觉不能传送了(本机都不能传送了)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t axfr mageedu.com
;; global options: +cmd
; Transfer failed.
[root@localhost named]#
马哥做的另一台主机 改 ip 地址
dns指向自己
我的另一台主机 这里 192.168.1.15 不用改
(只需改下 /etc/resolv.conf 中 的 dns为 192.168.1.15 , search为 mageedu.com )
[root@localhost ~]# service network restart
正在关闭接口 eth0: [确定]
关闭环回接口: [确定]
禁用 IPv4 包转送: net.ipv4.ip_forward = 0
[确定]
弹出环回接口: [确定]
弹出界面 eth0: [确定]
[root@localhost ~]#
[root@localhost ~]# ifconfig
在 192.168.1.15 上
[root@localhost ~]# dig -t axfr mageedu.com @192.168.1.45
这里必须一定要@指向对方的服务器 (因为现在192.168.1.15 的dns指向了自己)
[root@localhost ~]# dig -t axfr mageedu.com @192.168.1.45
;; Connection to 192.168.1.45#53(192.168.1.45) for mageedu.com failed: host unreachable.
报上面的错,多半是防火墙挡住了 53 端口;教程里直接把两台主机(192.168.1.45 192.168.1.15)的防火墙全部关掉,生产环境应只放行 53/tcp 和 53/udp(区域传送走 tcp)
[root@localhost ~]# dig -t axfr mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t axfr mageedu.com @192.168.1.45
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040202 3600 300 172800 21600
mageedu.com. 600 IN A 192.168.1.45
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 192.168.1.25
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 192.168.1.15
ns1.mageedu.com. 600 IN A 192.168.1.45
pop.mageedu.com. 600 IN A 192.168.1.45
www.mageedu.com. 600 IN A 192.168.1.25
www.mageedu.com. 600 IN A 192.168.1.45
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040202 3600 300 172800 21600
;; Query time: 3 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Tue Feb 12 15:04:13 2019
;; XFR size: 12 records (messages 1, bytes 298)
如何来配置dns的从服务器
很简单,dns的从服务器 比主服务器简单,只需要建立主配置文件,连数据文件都不用建立,因为它是从主dns服务器上同步过来的
另一台主机 192.168.1.15 ( dns的从服务器 )
[root@localhost ~]# rpm -e bind-libs bind-utils
马哥把repo文件复制过来,我这边本来就有,所以就不需要了
[root@localhost ~]# yum install bind97-libs bind97-utils -y
省略程序安装执行部分
[root@localhost ~]# yum install bind97 -y
省略程序安装执行部分
[root@localhost ~]# ls /var/named (好多东西与主dns服务器上一模一样)
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost ~]#
有一个目录 slaves 属主属组都是 named
[root@localhost ~]# cd /var/named
[root@localhost named]#
[root@localhost named]# ll
总计 28
drwxrwx--- 2 named named 4096 2014-03-24 data
drwxrwx--- 2 named named 4096 2014-03-24 dynamic
-rw-r----- 1 root named 1892 2008-02-18 named.ca
-rw-r----- 1 root named 152 2009-12-15 named.empty
-rw-r----- 1 root named 152 2007-06-21 named.localhost
-rw-r----- 1 root named 168 2009-12-15 named.loopback
drwxrwx--- 2 named named 4096 2014-03-24 slaves
[root@localhost named]#
[root@localhost named]# ll -d . (/var/named目录 属组没有写权限)
drwxr-x--- 5 root named 4096 02-12 15:26 .
[root@localhost named]#
同步(区域传送)过来的文件是由 named 进程写入的,而 named 以 named 用户、named 组运行,
所以它在 /var/named 目录下没有写权限
同步过来的时候,两种方法
1)给 /var/named 的属组 named 加上写权限
2)把同步过来的数据放在 slaves 目录下 (推荐,这个目录的属主属组本来就是 named)
[root@localhost named]# ls -l
总计 28
drwxrwx--- 2 named named 4096 2014-03-24 data
drwxrwx--- 2 named named 4096 2014-03-24 dynamic
-rw-r----- 1 root named 1892 2008-02-18 named.ca
-rw-r----- 1 root named 152 2009-12-15 named.empty
-rw-r----- 1 root named 152 2007-06-21 named.localhost
-rw-r----- 1 root named 168 2009-12-15 named.loopback
drwxrwx--- 2 named named 4096 2014-03-24 slaves
[root@localhost named]#
[root@localhost named]# getenforce
Disabled
[root@localhost named]#
[root@localhost named]# mv /etc/named.conf /etc/named.conf.orig
从主服务器上复制过来 named.conf (首次 scp 时先核对对方主机的指纹再回答 yes)
[root@localhost named]# scp 192.168.1.45:/etc/named.conf /etc/
The authenticity of host '192.168.1.45 (192.168.1.45)' can't be established.
RSA key fingerprint is cd:38:c5:f6:20:76:32:2d:d3:3a:1b:5c:18:76:e1:de.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.45' (RSA) to the list of known hosts.
root@192.168.1.45's password:
named.conf 100% 729 0.7KB/s 00:00
[root@localhost named]#
左边dns 正向是主,反向是从;右边dns 正向是从,反向是主,这样是可以的
当然 左边全是主 右边全是从 也是可以的
[root@localhost named]# vim /etc/named.conf
# /etc/named.conf on the slave (192.168.1.15), copied from the master. Only the
# two mageedu zone statements differ from the master's file. No zone data
# files are written by hand here; they are pulled from the master.
options {
directory "/var/named";
#recursion no;
# Uncommented: LAN plus this host may recurse.
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
# allow-transfer is set per zone below, not globally.
#allow-transfer
};
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; }; # not accepted in a hint zone
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; }; # no host may transfer this zone
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; }; # no host may transfer this zone
};
# Secondary copy of mageedu.com.
zone "mageedu.com" IN {
type slave; # this server is a slave for the zone
# The transferred zone is written by the named user. /var/named itself is not
# group-writable, but /var/named/slaves is owned by named, so the file goes there.
file "slaves/mageedu.com.zone";
masters { 192.168.1.45; }; # the master to pull the zone from
# Do not hand the zone on to anyone else. (The walkthrough removes this line
# while testing; put it back once transfers work.)
allow-transfer { none; };
};
# Secondary copy of the reverse zone for 192.168.1.0/24.
zone "1.168.192.in-addr.arpa" IN{
type slave; # this server is a slave for the zone
file "slaves/192.168.1.zone"; # zone file path, relative to "directory"
masters { 192.168.1.45; }; # the master to pull the zone from
allow-transfer { none; }; # do not hand the zone on to anyone else
};
在测试的时候 可以先把 allow-transfer { none; }; 去掉 (主服务器上也可以先去掉),尽可能不因为权限问题而出错;但测试通过后务必加回去,否则默认任何主机都可以把整个区域数据传送走
检查配置文件
[root@localhost named]# named-checkconf
没有数据文件,自然就不用检查了
[root@localhost named]#
[root@localhost named]# service named start
Starting named: [失败]
只要出错了,立即看日志
[root@localhost named]#
[root@localhost named]# tail /var/log/messages
[root@localhost ~]# tail /var/log/messages
Feb 13 20:54:12 localhost rhsmd: In order for Subscription Manager to provide your system with updates, your system must be registered with the Customer Portal. Please enter your Red Hat login to ensure your system is up-to-date.
Feb 13 21:01:15 localhost named[9988]: starting BIND 9.7.0-P2-RedHat-9.7.0-21.P2.el5 -u named
Feb 13 21:01:15 localhost named[9988]: built with '--build=x86_64-redhat-linux-gnu' '--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib64' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDIG_SIGCHASE' 'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --
Feb 13 21:01:15 localhost named[9988]: adjusted limit on open files from 1024 to 1048576
Feb 13 21:01:15 localhost named[9988]: found 4 CPUs, using 4 worker threads
Feb 13 21:01:15 localhost named[9988]: using up to 4096 sockets
Feb 13 21:01:15 localhost named[9988]: loading configuration from '/etc/named.conf'
Feb 13 21:01:15 localhost named[9988]: none:0: open: /etc/named.conf: permission denied
Feb 13 21:01:15 localhost named[9988]: loading configuration: permission denied
Feb 13 21:01:15 localhost named[9988]: exiting (due to fatal error)
[root@localhost named]# ll /etc/named.conf
它属于root组,而且其它组的用户没有任何权限,所以named用户读不到
-rw-r----- 1 root root 791 02-12 16:33 /etc/named.conf
[root@localhost named]#
[root@localhost named]# chgrp named /etc/named.conf
[root@localhost named]# ll /etc/named.conf
-rw-r----- 1 root named 791 02-12 16:33 /etc/named.conf
[root@localhost named]#
这里是 从服务器上启动了 named dns服务器
[root@localhost named]# service named start
Starting named: [确定]
[root@localhost named]#
看看 主 dns 服务器
[root@localhost named]# tail /var/log/messages
Jan 25 05:40:47 localhost named[14741]: zone localhost/IN: loaded serial 0
Jan 25 05:40:47 localhost named[14741]: running
Jan 25 05:40:54 localhost named[14741]: client 192.168.1.15#52476: transfer of 'mageedu.com/IN': AXFR started
Jan 25 05:40:54 localhost named[14741]: client 192.168.1.15#52476: transfer of 'mageedu.com/IN': AXFR ended
Jan 25 06:05:22 localhost named[14741]: error (network unreachable) resolving './NS/IN': 2001:503:c27::2:30#53
Jan 25 06:05:22 localhost named[14741]: error (network unreachable) resolving './NS/IN': 2001:7fd::1#53
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#41089: transfer of 'mageedu.com/IN': AXFR started
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#41089: transfer of 'mageedu.com/IN': AXFR ended
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#58880: transfer of '1.168.192.in-addr.arpa/IN': AXFR started
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#58880: transfer of '1.168.192.in-addr.arpa/IN': AXFR ended
看看从dns 服务器
[root@localhost named]# tail /var/log/messages
看下从dns 服务器 有没有 区域数据文件
[root@localhost named]# cd slaves/
[root@localhost slaves]# pwd
/var/named/slaves
[root@localhost slaves]# ls
192.168.1.zone mageedu.com.zone
[root@localhost slaves]#
[root@localhost slaves]# vim mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040202 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
A 192.168.1.45
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 192.168.1.25
ftp CNAME www
mail A 192.168.1.15
ns1 A 192.168.1.45
pop A 192.168.1.45
www A 192.168.1.25
A 192.168.1.45
$ORIGIN 指定后面相对名称(不以点结尾的名称)自动补上的后缀,比如 $ORIGIN mageedu.com. 之后的 * 就是 *.mageedu.com.
$ORIGIN 和 $TTL 的生效范围是它下面的记录,可以多次定义
[root@localhost slaves]# vim 192.168.1.zone
$ORIGIN .
$TTL 600 ; 10 minutes
1.168.192.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
$ORIGIN 1.168.192.in-addr.arpa.
15 PTR www.mageedu.com.
PTR mail.mageedu.com.
45 PTR ns1.mageedu.com.
PTR www.mageedu.com.
看看增量区域传送怎么弄
先改下主服务器上的文件
[root@localhost named]# vim mageedu.com.zone
; /var/named/mageedu.com.zone - third revision: serial bumped and "imap" added
; to trigger an incremental transfer to the slave.
$TTL 600 ; default TTL (seconds) for records that carry none
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040203 ; serial - increased for this edit
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1 ; name server of the zone (ns1.mageedu.com.)
IN MX 10 mail ; mail exchanger, preference 10
ns1 IN A 192.168.1.45
mail IN A 192.168.1.15
www IN A 192.168.1.45 ; www has two addresses; both are returned
www IN A 192.168.1.25
ftp IN CNAME www ; ftp is an alias of www
mageedu.com. IN A 192.168.1.45 ; address of the bare domain name
pop IN A 192.168.1.45
*.mageedu.com. IN A 192.168.1.25 ; wildcard for names with no record of their own
imap IN A 192.168.1.45 ; record added in this edit
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# tail /var/log/messages
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#41089: transfer of 'mageedu.com/IN': AXFR ended
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#58880: transfer of '1.168.192.in-addr.arpa/IN': AXFR started
Jan 25 07:05:07 localhost named[14741]: client 192.168.1.15#58880: transfer of '1.168.192.in-addr.arpa/IN': AXFR ended
Jan 25 07:43:10 localhost named[14741]: received control channel command 'reload'
Jan 25 07:43:10 localhost named[14741]: loading configuration from '/etc/named.conf'
Jan 25 07:43:10 localhost named[14741]: using default UDP/IPv4 port range: [1024, 65535]
Jan 25 07:43:10 localhost named[14741]: using default UDP/IPv6 port range: [1024, 65535]
Jan 25 07:43:10 localhost named[14741]: reloading configuration succeeded
Jan 25 07:43:10 localhost named[14741]: reloading zones succeeded
Jan 25 07:43:10 localhost named[14741]: zone mageedu.com/IN: loaded serial 2013040203
[root@localhost named]#
再来看看从服务器上的文件
[root@localhost slaves]# tail /var/log/messages
Feb 12 16:41:51 localhost named[9896]: zone localhost/IN: loaded serial 0
Feb 12 16:41:51 localhost named[9896]: running
Feb 12 16:41:51 localhost named[9896]: zone mageedu.com/IN: Transfer started.
Feb 12 16:41:51 localhost named[9896]: transfer of 'mageedu.com/IN' from 192.168 #41089
Feb 12 16:41:51 localhost named[9896]: zone mageedu.com/IN: transferred serial 2
Feb 12 16:41:51 localhost named[9896]: transfer of 'mageedu.com/IN' from 192.168 es, 12 records, 286 bytes, 0.004 secs (71500 bytes/sec)
Feb 12 16:41:51 localhost named[9896]: zone 1.168.192.in-addr.arpa/IN: Transfer
Feb 12 16:41:51 localhost named[9896]: transfer of '1.168.192.in-addr.arpa/IN' f 92.168.1.15#58880
Feb 12 16:41:51 localhost named[9896]: zone 1.168.192.in-addr.arpa/IN: transferr
Feb 12 16:41:51 localhost named[9896]: transfer of '1.168.192.in-addr.arpa/IN' f d: 1 messages, 7 records, 218 bytes, 0.001 secs (218000 bytes/sec)
[root@localhost slaves]#
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040202 ; serial ; 数字没变,说明传送没发生
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
A 192.168.1.45
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 192.168.1.25
ftp CNAME www
mail A 192.168.1.15
ns1 A 192.168.1.45
pop A 192.168.1.45
www A 192.168.1.25
A 192.168.1.45
[root@localhost slaves]#
再看看主dns服务器
[root@localhost ~]# vim /etc/named.conf
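# /etc/named.conf on the master - notify enabled.
# Fix: the loopback entry of allow-recursion names a single host, so its prefix
# is /32, as in the earlier revisions of this file; 127.0.0.1/24 carries host
# bits inside the prefix, which named flags as an address/prefix length
# mismatch.
options {
directory "/var/named";
#recursion no;
# Uncommented: LAN plus this host may recurse.
allow-recursion { 192.168.1.0/24; 127.0.0.1/32; };
# allow-transfer is set per zone below, not globally.
#allow-transfer
# 1) Send NOTIFY to the zone's name servers whenever a zone changes, so the
#    slave pulls the update at once instead of waiting for the SOA refresh
#    interval (BIND 9 already defaults to notify yes). The earlier edit may not
#    have reached the slave simply because its refresh timer had not expired.
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; }; # not accepted in a hint zone
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; }; # no host may transfer this zone
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; }; # no host may transfer this zone
};
# Only the slave at 192.168.1.15 may pull these two zones.
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};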
[root@localhost ~]# service named reload
Reloading named: [失败]
[root@localhost ~]# tail /var/log/messages
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/hdd, not found in smartd database.
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/hdd, lacks SMART capability
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/hdd, to proceed anyway, use '-T permissive' Directive.
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/sda, opened
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/sda, [VMware, VMware Virtual S 1.0 ], 128 GB
Feb 10 14:36:29 localhost smartd[4094]: Device: /dev/sda, IE (SMART) not enabled, skip device
Feb 10 14:36:29 localhost smartd[4094]: Try 'smartctl -s on /dev/sda' to turn on SMART features
Feb 10 14:36:29 localhost smartd[4094]: Monitoring 0 ATA and 0 SCSI devices
Feb 10 14:36:30 localhost smartd[4096]: smartd has fork()ed into background mode. New PID=4096.
Feb 10 14:36:30 localhost avahi-daemon[4064]: Server startup complete. Host name is localhost-2.local. Local service cookie is 859771901.
[root@localhost ~]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost ~]#
[root@localhost ~]# tail /var/log/messages 没看到主服务器 named有变化 没看到通知
Feb 10 15:20:29 localhost named[4276]: automatic empty zone: 9.E.F.IP6.ARPA
Feb 10 15:20:29 localhost named[4276]: automatic empty zone: A.E.F.IP6.ARPA
Feb 10 15:20:29 localhost named[4276]: automatic empty zone: B.E.F.IP6.ARPA
Feb 10 15:20:29 localhost named[4276]: command channel listening on 127.0.0.1#953
Feb 10 15:20:29 localhost named[4276]: command channel listening on ::1#953
Feb 10 15:20:29 localhost named[4276]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 10 15:20:29 localhost named[4276]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2013040101
Feb 10 15:20:29 localhost named[4276]: zone mageedu.com/IN: loaded serial 2013040203
Feb 10 15:20:29 localhost named[4276]: zone localhost/IN: loaded serial 0
Feb 10 15:20:29 localhost named[4276]: running
[root@localhost ~]#
看下从服务器
[root@localhost ~]# tail /var/log/messages 没看到从服务器 named有变化 没看到通知
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/hdd, VMware Virtual IDE Hard Drive, S/N:11000000000000000001, WWN:5-000c29-bd261040c, FW:00000001, 21.4 GB
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/hdd, not found in smartd database.
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/hdd, lacks SMART capability
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/hdd, to proceed anyway, use '-T permissive' Directive.
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/sda, opened
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/sda, [VMware, VMware Virtual S 1.0 ], 128 GB
Feb 14 08:08:44 localhost smartd[4867]: Device: /dev/sda, IE (SMART) not enabled, skip device
Feb 14 08:08:44 localhost smartd[4867]: Try 'smartctl -s on /dev/sda' to turn on SMART features
Feb 14 08:08:44 localhost smartd[4867]: Monitoring 0 ATA and 0 SCSI devices
Feb 14 08:08:44 localhost smartd[4869]: smartd has fork()ed into background mode. New PID=4869.
[root@localhost ~]#
不是 notify 不会通知,而是主服务器不知道该通知谁: 通知只发给区域 NS 记录里列出的服务器,而从服务器 ns2 还没有写进区域(上面忘记了加)
2)一个域内有多少台dns服务器 每一个dns服务器在它的域 (区域内)应该有记录的.因此要加上去另一台从dns服务器
切记 当加上一个dns服务器的时候,要加上这个dns的服务记录
下面是主dns服务器,
[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
192.168.1.zone dynamic named.ca named.localhost slaves
data mageedu.com.zone named.empty named.loopback
[root@localhost named]# vim mageedu.com.zone
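; /var/named/mageedu.com.zone on the master - revision that registers the slave
; (ns2) as a name server of the zone.
; Fix: "#" is not a comment character in a zone file; the inline notes on the
; ns2 lines would be read as record data and named would refuse the file.
; Zone-file comments start with ";".
$TTL 600 ; default TTL (seconds) for records that carry none
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040203 ; serial - NOTE: unchanged although records were added; a slave already holding 2013040203 will not refresh (the walkthrough forces a full resync instead)
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1
IN NS ns2 ; added: the slave must be listed as a name server of the zone, otherwise the master has nobody to NOTIFY
IN MX 10 mail ; mail exchanger, preference 10
ns1 IN A 192.168.1.45
ns2 IN A 192.168.1.15 ; added: address of the new name server (the slave)
mail IN A 192.168.1.15
www IN A 192.168.1.45 ; www has two addresses; both are returned
www IN A 192.168.1.25
ftp IN CNAME www ; ftp is an alias of www
mageedu.com. IN A 192.168.1.45 ; address of the bare domain name
pop IN A 192.168.1.45
*.mageedu.com. IN A 192.168.1.25 ; wildcard for names with no record of their own
imap IN A 192.168.1.45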
[root@localhost named]# vim 192.168.1.zone
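; /var/named/192.168.1.zone on the master - reverse zone for 192.168.1.0/24.
; "@" is the zone origin (1.168.192.in-addr.arpa.); a bare number as owner is
; the last octet of the address.
; Fix: ns2 is 192.168.1.15 (its A record in mageedu.com.zone), but its PTR was
; entered under host 45; it now hangs off host 15.
$TTL 600 ; default TTL (seconds) for records that carry none
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial - NOTE: not increased although NS/PTR records were added; a slave compares this value and will not refresh until it grows
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com. ; the slave is a name server of this zone too
45 IN PTR ns1.mageedu.com.
15 IN PTR ns2.mageedu.com.
45 IN PTR www.mageedu.com.
15 IN PTR mail.mageedu.com.
15 IN PTR www.mageedu.com.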
[root@localhost named]# vim 192.168.1.zone #反向记录也加上去
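; /var/named/192.168.1.zone on the master - reverse zone for 192.168.1.0/24,
; with the slave (ns2) added as name server and PTR.
; Fix: "#" is not a comment character in a zone file; the inline notes would be
; read as record data and named would refuse the file. Comments use ";".
$TTL 600 ; default TTL (seconds) for records that carry none
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial - NOTE: not increased for this edit; a slave will not refresh until it grows
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com. ; added: the slave is a name server of the reverse zone too
45 IN PTR ns1.mageedu.com.
15 IN PTR ns2.mageedu.com. ; added: reverse record of the slave (192.168.1.15)
45 IN PTR www.mageedu.com.
15 IN PTR mail.mageedu.com.
15 IN PTR www.mageedu.com.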
3)防火墙关掉 4)重启
[root@localhost named]# service named restart ( 或者 service named reload )
Stopping named: . [确定]
Starting named: [确定]
[root@localhost named]#
到从服务器上把 slaves 目录下已同步的区域文件删掉(rm 之前先用 pwd 确认当前目录是 /var/named/slaves),重新来一次完全同步
[root@localhost ~]# cd /var/named/slaves/
You have new mail in /var/spool/mail/root
[root@localhost slaves]# ls
192.168.1.zone mageedu.com.zone
[root@localhost slaves]# rm -rf *
[root@localhost slaves]#
[root@localhost slaves]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost slaves]#
可能需要 清空下防火墙 然后 重启两个 dns 服务器
在从服务器上
[root@localhost slaves]# ls
192.168.1.zone mageedu.com.zone
[root@localhost slaves]#
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040203 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
A 192.168.1.45
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 192.168.1.25
ftp CNAME www
imap A 192.168.1.45
mail A 192.168.1.15
ns1 A 192.168.1.45
ns2 A 192.168.1.15
pop A 192.168.1.45
www A 192.168.1.25
A 192.168.1.45
[root@localhost slaves]#
[root@localhost slaves]# cat 192.168.1.zone
$ORIGIN .
$TTL 600 ; 10 minutes
1.168.192.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
$ORIGIN 1.168.192.in-addr.arpa.
15 PTR www.mageedu.com.
PTR mail.mageedu.com.
45 PTR ns1.mageedu.com.
15 PTR ns2.mageedu.com.
PTR www.mageedu.com.
[root@localhost slaves]#
到主dns服务器上
[root@localhost named]# vim mageedu.com.zone
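; /var/named/mageedu.com.zone on the master - serial bumped and "hello" added to
; exercise NOTIFY plus transfer to the slave.
; Fix: "#" is not a comment character in a zone file; a "#" note inside the
; SOA parentheses or after a record is read as data and named would refuse
; the file. Comments use ";".
$TTL 600 ; default TTL (seconds) for records that carry none
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040204 ; serial - increased for this edit
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1
IN NS ns2 ; the slave is listed so it receives NOTIFY
IN MX 10 mail ; mail exchanger, preference 10
ns1 IN A 192.168.1.45
ns2 IN A 192.168.1.15
mail IN A 192.168.1.15
www IN A 192.168.1.45 ; www has two addresses; both are returned
www IN A 192.168.1.25
ftp IN CNAME www ; ftp is an alias of www
mageedu.com. IN A 192.168.1.45 ; address of the bare domain name
pop IN A 192.168.1.45
*.mageedu.com. IN A 192.168.1.25 ; wildcard for names with no record of their own
imap IN A 192.168.1.45
hello IN A 192.168.1.45 ; record added in this edit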
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# tail /var/log/messages
Feb 10 15:57:12 localhost named[12803]: received control channel command 'reload'
Feb 10 15:57:12 localhost named[12803]: loading configuration from '/etc/named.conf'
Feb 10 15:57:12 localhost named[12803]: using default UDP/IPv4 port range: [1024, 65535]
Feb 10 15:57:12 localhost named[12803]: using default UDP/IPv6 port range: [1024, 65535]
Feb 10 15:57:12 localhost named[12803]: reloading configuration succeeded
Feb 10 15:57:12 localhost named[12803]: reloading zones succeeded
Feb 10 15:57:12 localhost named[12803]: zone mageedu.com/IN: loaded serial 2013040204
Feb 10 15:57:12 localhost named[12803]: zone mageedu.com/IN: sending notifies (serial 2013040204)
Feb 10 15:57:12 localhost named[12803]: client 192.168.1.15#42549: transfer of 'mageedu.com/IN': AXFR-style IXFR started
Feb 10 15:57:12 localhost named[12803]: client 192.168.1.15#42549: transfer of 'mageedu.com/IN': AXFR-style IXFR ended
[root@localhost named]#
从服务器
[root@localhost slaves]# tail /var/log/messages
Feb 14 09:24:21 localhost named[6066]: zone localhost/IN: loaded serial 0
Feb 14 09:24:21 localhost named[6066]: running
Feb 14 09:24:21 localhost named[6066]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2013040101)
Feb 14 09:24:21 localhost named[6066]: zone mageedu.com/IN: sending notifies (serial 2013040203)
Feb 14 09:29:47 localhost named[6066]: client 192.168.1.45#30728: received notify for zone 'mageedu.com'
Feb 14 09:29:47 localhost named[6066]: zone mageedu.com/IN: Transfer started.
Feb 14 09:29:47 localhost named[6066]: transfer of 'mageedu.com/IN' from 192.168.1.45#53: connected using 192.168.1.15#42549
Feb 14 09:29:47 localhost named[6066]: zone mageedu.com/IN: transferred serial 2013040204
Feb 14 09:29:47 localhost named[6066]: transfer of 'mageedu.com/IN' from 192.168.1.45#53: Transfer completed: 1 messages, 16 records, 363 bytes, 0.001 secs (363000 bytes/sec)
Feb 14 09:29:47 localhost named[6066]: zone mageedu.com/IN: sending notifies (serial 2013040204)
[root@localhost slaves]#
下面可以看到 hello 了
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040204 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
A 192.168.1.45
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 192.168.1.25
ftp CNAME www
hello A 192.168.1.45
imap A 192.168.1.45
mail A 192.168.1.15
ns1 A 192.168.1.45
ns2 A 192.168.1.15
pop A 192.168.1.45
www A 192.168.1.25
A 192.168.1.45
[root@localhost slaves]#
到主dns服务器 测下反向服务器
[root@localhost named]# vim 192.168.1.zone
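; /var/named/192.168.1.zone on the master - serial bumped and the PTR for
; "hello" added, to check that the reverse zone is also transferred.
; Fix: "#" is not a comment character in a zone file; a "#" note inside the
; SOA parentheses or after a record is read as data and named would refuse
; the file. Comments use ";".
$TTL 600 ; default TTL (seconds) for records that carry none
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040104 ; serial - increased together with the record change
1H ; refresh
5M ; retry
2D ; expire
6H ) ; minimum
IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com. ; the slave is listed so it receives NOTIFY
45 IN PTR ns1.mageedu.com.
15 IN PTR ns2.mageedu.com.
45 IN PTR www.mageedu.com.
15 IN PTR mail.mageedu.com.
15 IN PTR www.mageedu.com.
45 IN PTR hello.mageedu.com. ; record added in this edit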
~
[root@localhost named]# service named reload
Reloading named: [确定]
[root@localhost named]#
[root@localhost named]# tail /var/log/messages
Feb 10 17:11:10 localhost named[12803]: received control channel command 'reload'
Feb 10 17:11:10 localhost named[12803]: loading configuration from '/etc/named.conf'
Feb 10 17:11:10 localhost named[12803]: using default UDP/IPv4 port range: [1024, 65535]
Feb 10 17:11:10 localhost named[12803]: using default UDP/IPv6 port range: [1024, 65535]
Feb 10 17:11:10 localhost named[12803]: reloading configuration succeeded
Feb 10 17:11:10 localhost named[12803]: reloading zones succeeded
Feb 10 17:11:10 localhost named[12803]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2013040104
Feb 10 17:11:10 localhost named[12803]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2013040104)
Feb 10 17:11:10 localhost named[12803]: client 192.168.1.15#48656: transfer of '1.168.192.in-addr.arpa/IN': AXFR-style IXFR started
Feb 10 17:11:10 localhost named[12803]: client 192.168.1.15#48656: transfer of '1.168.192.in-addr.arpa/IN': AXFR-style IXFR ended
[root@localhost named]#
到从服务器上看看 看到 hello 了
[root@localhost slaves]# cat 192.168.1.zone
$ORIGIN .
$TTL 600 ; 10 minutes
1.168.192.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040104 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
$ORIGIN 1.168.192.in-addr.arpa.
15 PTR www.mageedu.com.
PTR mail.mageedu.com.
45 PTR ns1.mageedu.com.
15 PTR ns2.mageedu.com.
PTR www.mageedu.com.
PTR hello.mageedu.com.
[root@localhost slaves]#
rndc: (remote name domain controller )dns 的远程控制工具
先在本机上使用rndc看看
[root@localhost named]# rndc -h
-c config 指定配置文件
-s server 指定远程服务器是谁
-p port 以哪个端口进行连接
-k key-file 指定用哪个 key 文件向服务器进行认证 很关键,不然任何人都能把服务停掉,很麻烦,会被攻击
command 是子命令
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones. 直接通知某个服务器让它重读配置文件和区域数据文件
reload zone [class [view]]
Reload a single zone. 只重读区域文件 可以指定某一个区域的
refresh zone [class [view]]
Schedule immediate maintenance for a zone. 作维护的 重新刷新的
retransfer zone [class [view]] 重传的
Retransfer a single zone without checking serial number.
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]] 将一个动态区域冻结了 动态区域以后讲
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
notify zone [class [view]] 手动将某一个区域向外发通知的
Resend NOTIFY messages for the zone.
reconfig Reload configuration file and new zones only. 只重读配置文件和新区域文件
sign zone [class [view]]
Update zone keys, and sign as needed.
stats Write server statistics to the statistics file. 收集 服务器区域统计信息的
querylog Toggle query logging. 打开查询日志的
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server. 停止named, 停止服务器
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches. 清空缓存的
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
validation newstate [view]
Enable / disable DNSSEC validation.
*restart Restart the server. 重启服务器,目前来讲 好像不支持
# 所以看来只能先通过 stop 命令停止,然后再通过 service named start 启动
* == not yet implemented
Version: 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2
[root@localhost named]#
rndc 为了安全,一定要通过key 来控制我们的远程dns服务器
[root@localhost named]# cd
[root@localhost ~]# pwd
/root
[root@localhost ~]# rndc-confgen > /etc/rndc.conf
[root@localhost ~]#
[root@localhost ~]# cat /etc/rndc.conf
# Start of rndc.conf # rndc.conf 的内容的开始
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf # rndc.conf 的内容的结束
把下面的内容放到 named.conf 文件中去,并把每行前面的井号( # )去掉
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Fc3ldG+QkyLiMNT1qH+wOA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@localhost ~]#
[root@localhost ~]# vim /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Fc3ldG+QkyLiMNT1qH+wOA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
~
~
~
:.,$-1w >> /etc/named.conf 把内容追加保存至 /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
# key "rndc-key" { # rndc-key保存的位置
# algorithm hmac-md5; #这是密钥 签名密钥
# secret "Fc3ldG+QkyLiMNT1qH+wOA==";
# };
#
# controls {
# inet 127.0.0.1 port 953 它只监听在 127.0.0.1上
# allow { 127.0.0.1; } keys { "rndc-key"; }; # 而且keys是 rndc-key
# };
:.,$s/^# //g 把当前行到最后一行以#空格开头的部分全部替换为空
[root@localhost ~]# vim /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5; # 这是密钥
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
options {
default-key "rndc-key"; # 默认密钥
default-server 127.0.0.1; # 默认服务器
default-port 953; # 默认端口
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Fc3ldG+QkyLiMNT1qH+wOA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
rndc 指定配置文件,就可以控制 dns 服务器了
[root@localhost ~]# rndc -c /etc/rndc.conf status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
[root@localhost ~]#
装完 bind97以后,会生成 /etc/rndc.key 文件,这个文件用不着,删掉吧
[root@localhost ~]# rm /etc/rndc.key
rm:是否删除 一般文件 “/etc/rndc.key”? y
[root@localhost ~]#
下面的命令仍然有错误
[root@localhost ~]# rndc -c /etc/rndc.conf status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
[root@localhost ~]#
重启下 named 吧
[root@localhost ~]# service named restart
Stopping named: . [确定]
Generating /etc/rndc.key: [确定]
Starting named: [确定]
[root@localhost ~]#
下面的命令现在可以了
[root@localhost ~]# rndc -c /etc/rndc.conf status
version: 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 # 显示版本号
CPUs found: 4 # 显示主机上几个cpu
worker threads: 4 # 有几个named工作进程
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0 # 此时有没有发生区域传送
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running # server 当前的状态
[root@localhost ~]#
这是主服务器 通知一下 mageedu.com 这个区域
[root@localhost ~]# rndc -c /etc/rndc.conf notify "mageedu.com"
zone notify queued
[root@localhost ~]#
[root@localhost ~]# tail /var/log/messages # 此时可以看到 手动发送的通知
Feb 10 22:44:13 localhost named[13605]: command channel listening on 127.0.0.1#953
Feb 10 22:44:13 localhost named[13605]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 10 22:44:13 localhost named[13605]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2013040104
Feb 10 22:44:13 localhost named[13605]: zone mageedu.com/IN: loaded serial 2013040204
Feb 10 22:44:13 localhost named[13605]: zone localhost/IN: loaded serial 0
Feb 10 22:44:13 localhost named[13605]: running
Feb 10 22:44:13 localhost named[13605]: zone mageedu.com/IN: sending notifies (serial 2013040204)
Feb 10 22:44:13 localhost named[13605]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2013040104)
Feb 10 22:49:22 localhost named[13605]: received control channel command 'notify mageedu.com'
Feb 10 22:49:22 localhost named[13605]: zone mageedu.com/IN: sending notifies (serial 2013040204)
[root@localhost ~]#
清空缓存
[root@localhost ~]# rndc -c /etc/rndc.conf flush
[root@localhost ~]#
停止dns服务器
[root@localhost ~]# rndc -c /etc/rndc.conf stop
[root@localhost ~]#
此时 53号端口没有了
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3839/./hpiod
tcp 0 0 0.0.0.0:708 0.0.0.0:* LISTEN 3494/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3444/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3862/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3876/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3917/sendmail
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3844/python
tcp 0 0 :::22 :::* LISTEN 3862/sshd
udp 0 0 0.0.0.0:702 0.0.0.0:* 3494/rpc.statd
udp 0 0 0.0.0.0:705 0.0.0.0:* 3494/rpc.statd
udp 0 0 0.0.0.0:35175 0.0.0.0:* 4064/avahi-daemon
udp 0 0 0.0.0.0:5353 0.0.0.0:* 4064/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 3444/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 3876/cupsd
udp 0 0 :::49946 :::* 4064/avahi-daemon
udp 0 0 :::5353 :::* 4064/avahi-daemon
[root@localhost ~]#
[root@localhost ~]# service named start
Starting named: [确定]
[root@localhost ~]#
[root@localhost ~]# rndc stop
( 其实 -c 可以不用指定,因为 /etc/rndc.conf 就是它默认读取的配置文件 )
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
[root@localhost ~]#
[root@localhost ~]# service named start
Starting named: [确定]
[root@localhost ~]#
rndc 想控制另外一台主机
[root@localhost ~]# vim /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
controls {
inet 127.0.0.1 port 953 # 1)监听的地址要改
allow { 127.0.0.1; } keys { "rndc-key"; }; # 2)允许控制的地址也要来改一改
};
本机是 192.168.1.45
[root@localhost ~]# vim /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
controls {
inet 192.168.1.45 port 953 # 1)监听的地址要改 192.168.1.45 ( 或者 0.0.0.0 )
allow { 192.168.1.15; } keys { "rndc-key"; }; # 2)允许控制的地址也要来改一改 192.168.1.15 ,使用rndc-key来控制
};
重启一下dns服务
[root@localhost ~]# service named restart
Stopping named: . [确定]
Starting named: [确定]
[root@localhost ~]#
[root@localhost ~]# netstat -tnlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3839/./hpiod
tcp 0 0 0.0.0.0:708 0.0.0.0:* LISTEN 3494/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3444/portmap
tcp 0 0 192.168.1.45:53 0.0.0.0:* LISTEN 13771/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 13771/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3862/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3876/cupsd
tcp 0 0 192.168.1.45:953 0.0.0.0:* LISTEN 13771/named #可以看到,监听到这个端口上了,通过远程主机可以连接这个端口了
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3917/sendmail
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3844/python
tcp 0 0 :::22 :::* LISTEN 3862/sshd
[root@localhost ~]#
当然远程主机上还要有这个密钥
[root@localhost ~]# scp /etc/rndc.conf 192.168.1.15:/root 不要覆盖人家以前的,放在/root下吧
rndc.conf 100% 479 0.5KB/s 00:00
[root@localhost ~]#
到另一台主机上 192.168.1.15
[root@localhost ~]# ls
另一台主机上 192.168.1.15
[root@localhost ~]# vim rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1; 默认server 应由127.0.0.1 改成 192.168.1.45
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Fc3ldG+QkyLiMNT1qH+wOA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
另一台主机上 192.168.1.15
[root@localhost ~]# rndc -c rndc.conf status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or # 时间不同步
* the key is invalid.
[root@localhost ~]#
另一台主机上 192.168.1.15
[root@localhost ~]# date
2019年 02月 14日 星期四 16:58:09 CST
[root@localhost ~]#
一台主机上 192.168.1.45
[root@localhost ~]# date
2019年 02月 10日 星期日 23:24:17 CST
[root@localhost ~]#
确实时间不同步
把时间同步一下 应该就没有问题了
一台主机上 192.168.1.45 设置了一下时间
[root@localhost ~]# date -s "2019-02-14 17:00:00"
2019年 02月 14日 星期四 17:00:00 CST
[root@localhost ~]# date
2019年 02月 14日 星期四 17:00:02 CST
[root@localhost ~]#
在另一台主机192.168.1.15上 执行下面的命令就可以了
[root@localhost ~]# rndc -c rndc.conf status
version: 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2
CPUs found: 4
worker threads: 4
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@localhost ~]#
当然了,一般我们不要开放 rndc 给远程主机控制,因为相当危险
所以这种用法不是特别的多,但是在本机上控制是很常用的
所以我们至少要生成一个配置文件,把配置文件的后半段保存在/etc/named.conf中
这样才能在本机上执行 rndc flush 之类的命令