服务管理——DNS

一 DNS相关知识

什么是DNS服务器

DNS，即Domain Name System，域比如名服务器，实现域名和IP地址对应的解析。将 转换成某个IP地址，或者将某个IP映射成。

这里有个小疑问，没有域名服务器是否可以可以正常上网？答案是当然可以。我们可以使用IP地址，但是输入域名无法访问。根域是一个点（.），下面还有子域，比如熟知的com、net、cn、net、org，某个子域，比如com之下，又有163、baidu……，baidu下又有zhidao、wenku……。根域服务器，全球有13台，亚洲有一台在日本。DNS是怎么解析的呢？有两种方式，第一是递归查询：本级不知道，上一级知道，然后沿路返回；第二是迭代查询：上一级给你信息，自己查询。本机配置DNS成功后不被认可，即不能在公网上跑，需要被上一级管理才行。

sql

常用的DNS服务器

bind：最流行的DNS服务器 （公司用）

mydns：和数据库进行集成（域名提供商，发便用户注册），写到数据库里

下面我们讲解DNS的用法，包括DNS正解配置、DNS配置mail服务器、DNS——配置别名、DNS——通配符、DNS做负载均衡、DNS配置——反解、DNS转发、DNS主从服务器、子域授权、DNS高级视图、/etc/named.conf:41: open: /etc/named.acl.dx:file not found解决。

二 DNS配置——正解

#DNS配置——正解（域名转换成IP地址）#Serv01：DNS服务器#Serv02：测试用--第一步，serv01安装bind#安装bind[root@serv01~]# yum install bind* -y--第二步，修改配置文件named.conf[root@serv01~]# /etc/named.conf#查询[root@serv01~]# rpm -qa|grep bind[root@serv01~]# rpm -ql bind|less#编辑文件[root@serv01~]# vim /etc/named.confoptions {#监听端口 IP地址#listen-onport 53 { 127.0.0.1; };#监听任何IP地址listen-on port 53 { any; };listen-on-v6 port 53 { ::1; };#指定根目录directory "/var/named";#对Cache进行备份dump-file"/var/named/data/cache_dump.db";#静态文件statistics-file"/var/named/data/named_stats.txt";#内存静态文件memstatistics-file"/var/named/data/named_mem_stats.txt";#允许查询的IP地址#allow-query{ localhost; };#允许查询所有的IP地址进行查询allow-query{ any; };#默认递归查询recursion yes;#安全相关的dnssec-enable yes;dnssec-validation yes;dnssec-lookaside auto;/* Path to ISC DLV key */bindkeys-file "/etc/named.iscdlv.key";};#根域服务器zone "." IN {type hint;file "named.ca";};#区域文件include"/etc/named.rfc1912.zones";[root@serv01~]# ls /var/named/chroot data dynamic named.ca named.empty named.localhost named.loopback slaves#根域服务器的相关信息[root@serv01~]# cat /var/named/named.ca;<<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS .@a.root-;; globaloptions: printcmd;; Gotanswer:;;->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34420;; flags:qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20;; OPTPSEUDOSECTION:; EDNS:version: 0, flags:; udp: 4096;;QUESTION SECTION:;.IN NS;; ANSWERSECTION:.518400 IN NS M.ROOT-..518400 IN NS A.ROOT-..518400 IN NS B.ROOT-..518400 IN NS C.ROOT-..518400 IN NS D.ROOT-..518400 IN NS E.ROOT-..518400 IN NS F.ROOT-..518400 IN NS G.ROOT-..518400 IN NS H.ROOT-..518400 IN NS I.ROOT-..518400 IN NS J.ROOT-..518400 IN NS K.ROOT-..518400 IN NS L.ROOT-.;;ADDITIONAL SECTION:#13台根域服务器A.ROOT-.3600000 IN A198.41.0.4A.ROOT-.3600000 IN AAAA2001:503:ba3e::2:30B.ROOT-.3600000 IN A192.228.79.201C.ROOT-.3600000 IN A192.33.4.12D.ROOT-.3600000 IN A128.8.10.90E.ROOT-.3600000 IN A192.203.230.10F.ROOT-. 3600000 IN A192.5.5.241F.ROOT-. 3600000 IN AAAA2001:500:2f::fG.ROOT-.3600000 IN A192.112.36.4H.ROOT-.3600000 IN A128.63.2.53H.ROOT-.3600000 IN AAAA2001:500:1::803f:235I.ROOT-. 3600000 IN A192.36.148.17J.ROOT-. 3600000 IN A192.58.128.30J.ROOT-. 3600000 IN AAAA2001:503:c27::2:30K.ROOT-.3600000 IN A193.0.14.129K.ROOT-.3600000 IN AAAA2001:7fd::1L.ROOT-.3600000 IN A199.7.83.42M.ROOT-. 3600000 IN A202.12.27.33M.ROOT-. 3600000 IN AAAA2001:dc3::35;; Querytime: 147 msec;;SERVER: 198.41.0.4#53(198.41.0.4);; WHEN:Mon Feb 18 13:29:18 ;; MSGSIZE rcvd: 615#本地域名的解析[root@larrywen0808]# ping localhost.localdomainPINGlocalhost (127.0.0.1) 56(84) bytes of data.64 bytesfrom localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.024 ms64 bytesfrom localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.026 ms64 bytesfrom localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.025 ms64 bytesfrom localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.027 ms64 bytesfrom localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.026 ms64 bytesfrom localhost (127.0.0.1): icmp_seq=6 ttl=64 time=0.026 ms^C---localhost ping statistics ---6 packetstransmitted, 6 received, 0% packet loss, time 5624msrttmin/avg/max/mdev = 0.024/0.025/0.027/0.005 ms--第三步，修改配置文件named.rfc1912.zones[root@serv01~]# tail -n5 /etc/named.rfc1912.zoneszone"" IN {typemaster;#域名和IP地址的对应关系的存放文件file".zone";#不允许更新allow-update{none;};};#保持属性保持一致（所属组）[root@serv01named]# cp named.localhost .zone -a[root@serv01named]# ll named.localhost .zone-rw-r-----.1 root named 152 Jun 21 .zone-rw-r-----.1 root named 152 Jun 21 named.localhost--第四步，拷贝文件，修改.zone文件$TTL 1D#注意后面有点@ IN SOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H ) ; minimum#和前面的DNS保持一致NS .dns IN A 192.168.1.11wwwIN A 192.168.1.88#文件配置项解析[root@serv01~]# cat /var/named/named.localhost$TTL 1D#@：域名 #rname.invalid：出了问题，发送邮件地址@ IN SOA @rname.invalid. (#序列号，主从服务器更新需要。版本号，文件修改的次数0 ;serial#从服务器更新刷新的时间1D ; refresh#没有刷新成功，重试时间1H ; retry#如果还没成功，失效的时间1W ; expire#有效时间：三个小时3H) ; minimum#和前面保持一致NS @A127.0.0.1AAAA::1#最终配置结果#/etc/named.conf配置文件options {listen-on port 53 { any; };listen-on-v6 port 53 { ::1; };directory "/var/named";dump-file"/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };recursion yes;dnssec-enable yes;dnssec-validation yes;dnssec-lookaside auto;/* Path to ISC DLV key */bindkeys-file "/etc/named.iscdlv.key";};#/etc/named.rfc1912.zones配置zone "" IN {type master;file ".zone";allow-update {none;};};#/var/named/.zone 配置$TTL 1D#注意后面有点@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimum#和前面的DNS保持一致NS .dns INA 192.168.1.11wwwINA 192.168.1.88--第五步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: [ OK ]Starting named: [ OK ]--第六步，使用dig测试，查看是否配置成功[root@serv01 named]# dig ; <<>> DiG9.7.3-RedHat-9.7.3-2.el6 <<>> ;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY,status: NOERROR, id: 61132;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1,AUTHORITY: 1, ADDITIONAL: 1;; QUESTION SECTION:;. IN A;; ANSWER SECTION:. 86400 IN A192.168.1.88;; AUTHORITY SECTION:. 86400 IN NS .;; ADDITIONAL SECTION:. 86400 IN A192.168.1.11;; Query time: 0 msec;; SERVER: 127.0.0.1#53(127.0.0.1);; WHEN: Thu Aug 8 18:40:12 ;; MSG SIZE rcvd: 82#查看简短的信息[root@serv01 named]# dig +short192.168.1.88--第七步，serv01能ping通域名#不能ping通[root@serv01 named]# ping ping: unknown host #不能ping通[root@serv01 named]# ping ping: unknown host #在resolv.conf文件中加入nameserver[root@serv01 ~]# vim /etc/resolv.conf[root@serv01 ~]# cat /etc/resolv.confnameserver 192.168.1.11#现在可以ping了，可以解析对应的IP地址[root@serv01 ~]# ping PING (192.168.1.88) 56(84)bytes of data.^C--- ping statistics ---2 packets transmitted, 0 received, 100%packet loss, time 1161ms#可以ping通dns服务器[root@serv01 ~]# ping PING (192.168.1.11) 56(84)bytes of data.64 bytes from 192.168.1.11: icmp_seq=1 ttl=64time=0.020 ms64 bytes from 192.168.1.11: icmp_seq=2 ttl=64time=0.071 ms64 bytes from 192.168.1.11: icmp_seq=3 ttl=64time=0.039 ms64 bytes from 192.168.1.11: icmp_seq=4 ttl=64time=0.041 ms^C--- ping statistics ---4 packets transmitted, 4 received, 0% packetloss, time 3316msrtt min/avg/max/mdev = 0.020/0.042/0.071/0.019ms--第八步，server02测试[root@serv02 ~]# echo "nameserver192.168.1.11" > /etc/resolv.conf[root@serv02 ~]# cat /etc/resolv.confnameserver 192.168.1.11[root@serv02 ~]# yum install bind-utils -y[root@serv02 ~]# dig +short192.168.1.88[root@serv02 ~]# nslookup Server:192.168.1.11Address: 192.168.1.11#53Name: Address: 192.168.1.88--第九步，增加其他的解析[root@serv01 named]# vim/var/named/.zone[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ][root@serv01 named]# cat/var/named/.zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns INA 192.168.1.11wwwINA 192.168.1.88ftp INA 192.168.1.89#或者这样. IN A 192.168.. INMX 5 mailmail IN A192.168.1.90[root@serv01 named]# dig +short192.168.1.89

三 DNS——配置mail服务器

--第一步，修改配置文件.zone[root@serv01 named]# vim .zone[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns INA 192.168.1.11#第一种配置，指定全名. INMX 5 mailmail IN A192.168.1.90--第二步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第三步，检测是否配置成功[root@serv01 named]# dig -t mx .+short5 .--第四步，查看第二种配置[root@serv01 named]# cat .zone$TTL 1D@ IN . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .#继承自根INMX 5 .. IN A192.168.1.90[root@serv01 named]# dig -t mx .+short5 .

四 DNS——配置别名

--第一步，修改配置文件[root@serv01 named]# cat .zone $TTL 1D@IN SOA . . (0; serial1D; refresh1H; retry1W; expire3H ); .IN MX 5 .dnsIN A192.168.1.11wwwIN A192.168.1.88ftpIN A192.168.1.. IN A192.168.1...--第二步，重启服务[root@serv01 named]# /etc/init.d/named restartStopping named: . [ OK ]Starting named: [ OK ]--第三步，测试[root@serv01 named]# dig -t mx . +short5 .[root@serv01 named]# dig +.192.168.1.90[root@serv01 named]# dig +.192.168.1.90

五 DNS——通配符

#通配符（其他的不受影响）--第一步，修改配置文件[root@serv01 named]# vim .zone[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns INA 192.168.1.11*INA192.168.1.88--第二步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第三步，测试。只要不在DNS配置项里域名都被解析成192.168.1.88192.168.1.88[root@serv01 named]# dig +short192.168.1.88[root@serv01 named]# dig +short192.168.1.88#这个不能检测处IP[root@serv01 named]# dig +short[root@serv01 named]##把.加上[root@serv01 named]# vim .zone[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns INA 192.168.. IN A 192.168.1.88*INA192.168.1.88#重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]#可以正常匹配出IP[root@serv01 named]# dig +short192.168.1.88[root@serv01 named]# vim .zone[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .INMX 5 . IN A 192.168.0.90dns INA 192.168.. IN A 192.168.1.88*INA192.168.1.88[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ][root@serv01 named]# dig -t mx .+short5 .[root@serv01 named]# dig .+short192.168.1.88#本机有效，不循环查找[root@serv01 named]# ping -c PING (192.168.1.11) 56(84)bytes of data.64 bytes from (192.168.1.11): icmp_seq=1 ttl=64 time=0.023 ms64 bytes from (192.168.1.11): icmp_seq=2 ttl=64 time=0.039 ms--- ping statistics ---2 packets transmitted, 2 received, 0% packetloss, time 999msrtt min/avg/max/mdev =0.023/0.031/0.039/0.008 ms[root@serv01 named]# vim /etc/hosts[root@serv01 named]# tail -n1 /etc/hosts192.168.1.11

六 DNS做负载均衡

#一个域名解析成多个IP地址--第一步，修改配置文件[root@serv01 named]# vim .zone[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns INA 192.168.1.11wwwINA 192.168.1.88wwwINA 192.168.1.188--第二步，启动服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第三步，测试[root@serv01 named]# dig +short192.168.1.88192.168.1.188#不建议这样使用，因为会出现Session不一致的问题

七 DNS配置——反解

反解：IP地址解析成域名，比如192.168.1.88解析成.反解邮件服务器用得较多。

--第一步，修改配置文件named.conf，和正解保持不变[root@serv01 named]# cat /etc/named.conf#搭建DNS——正解 反解都配置options {listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};--第二步，修改配置文件/etc/named.rfc1912.zones[root@serv01 named]# vim/etc/named.rfc1912.zones[root@serv01 named]# tail -n5/etc/named.rfc1912.zoneszone "1.168.192.in-addr.arpa" IN {type master;file ".rev";allow-update { none; };};[root@serv01 named]# tail -n5/etc/named.rfc1912.zoneszone "1.168.192.in-addr.arpa" IN {type master;file ".rev";allow-update { none;};};--第三步，拷贝模板文件，并修改--#记住一定要有-a或者-p参数，保持属性不变[root@serv01 named]# cp .rev -a[root@serv01 named]# ll hongyi..zone named.localhost-rw-r-----. 1 root named212 Aug 8 21:52 .rev-rw-r-----. 1 root named203 Aug 8 21:47 .zone-rw-r-----. 1 root named152 Jun 21 named.localhost#如果组不是named，使用chgrp改变文件所属组[root@serv01 named]# chgrp .rev[root@serv03 named]# cat .rev$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .11 IN PTR .88 IN PTR .--第四步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第五步，dig命令检查[root@serv01 named]# dig -x 192.168.1.88+.

八 DNS转发

DNS转发网络拓扑结构图，如图一：

图一DNS转发网络拓扑结构图

serv01配置

--第一步，查看本机IP，通过yum源安装bind[root@serv01 named]# yum install bind* -y--第二步，修改named.conf文件，修改如下[root@serv01 named]# vim /etc/named.conf[root@serv01 named]# cat /etc/named.confoptions {listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };forwarders {192.168.1.12;};recursionyes;#dnssec-enableyes;#dnssec-validationyes;#dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};[root@serv01 named]# tail -n5/etc/named.rfc1912.zoneszone "" IN {typemaster;file".zone";allow-update{ none; };};--第三步，拷贝文件，注意加上-a或者-p参数[root@serv01 named]# cp .zone -a--第四步，编辑.zone文件[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11wwwIN A192.168.1.66[root@serv01 named]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:07:DD:3B inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:2823 errors:0 dropped:0 overruns:0 frame:0TX packets:1618 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:257429 (251.3 KiB) TXbytes:252898 (246.9 KiB)--第五步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第六步，测试本机[root@serv01 named]# dig +short192.168.1.66

serv02配置

--第一步，查看本机IP，通过yum源安装bind[root@serv02 named]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:6A:EC:97 inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe6a:ec97/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:2943 errors:0 dropped:0overruns:0 frame:0TX packets:1728 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:265863 (259.6 KiB) TXbytes:279067 (272.5 KiB)[root@serv01 named]# yum install bind* -y--第二步，修改named.conf文件，修改如下root@serv02 named]# vim /etc/named.conf[root@serv02 named]# cat /etc/named.confoptions {listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};[root@serv02 named]# tail -n6/etc/named.rfc1912.zoneszone "" IN {type master;file ".zone";allow-update { none; };};--第三步，拷贝文件，注意加上-a或者-p参数[root@serv02 named]# cp .zone -a--第四步，编辑.zone文件[root@serv02 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.12wwwIN A192.168.1.88--第五步，重启服务[root@serv02 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]--第六步，测试本机[root@serv02 named]# dig +short192.168.1.88

serv03 测试机配置

--第一步，安装bind-util[root@serv03 ~]# yum install bind-util* -y--第二步，配置默认的dns[root@serv03 ~]# cat /etc/resolv.confnameserver 192.168.1.11--第三步，测试[root@serv03 ~]# dig +short192.168.1.66--第四步，测试[root@serv03 ~]# dig +short192.168.1.88

九 DNS主从服务器

从服务器自动成主服务器中同步数据

#serv01：主服务器 IP：192.168.1.11

#serv02：从服务器，主服务器发生变化，从服务器更新 IP 192.168.1.12

#serv03：测试机 IP：192.168.1.13

网络拓扑结构图如图二：

图二DNS主从服务器网络拓扑结构图

server01配置

--第一步，查看本机IP，通过yum源安装bind[root@serv01 named]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:07:DD:3B inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:2823 errors:0 dropped:0 overruns:0 frame:0TX packets:1618 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:257429 (251.3 KiB) TXbytes:252898 (246.9 KiB)[root@serv01 named]# yum install bind* -y--第二步，修改named.conf文件，修改如下[root@serv01 named]# vim /etc/named.conf[root@serv01 named]# cat /etc/named.confoptions {-- listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";--allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};[root@serv01 named]# tail -n7/etc/named.rfc1912.zoneszone "" IN {type master;file ".zone";-- allow-transfer {192.168.1.12;};notify yes;also-notify { 192.168.1.12;};};--第三步，拷贝文件，注意加上-a或者-p参数[root@serv01 named]# cp .zone -a--第四步，编辑.zone文件[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11wwwIN A192.168.1.66--第五步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]

server02配置

--第一步，查看本机IP，通过yum源安装bind[root@serv02 slaves]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:6A:EC:97 inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe6a:ec97/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:1449 errors:0 dropped:0 overruns:0 frame:0TX packets:908 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:133206 (130.0 KiB) TXbytes:148913 (145.4 KiB)[root@serv01 named]# yum install bind* -y--第二步，修改named.conf文件，修改如下[root@serv01 named]# vim /etc/named.conf[root@serv01 named]# cat /etc/named.confoptions {--listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";-- allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};--第三步，修改named.rfc1912.zones 文件，修改如下[root@serv02 slaves]# tail -n5/etc/named.rfc1912.zoneszone "" IN {type slave;file "slaves/.zone";masters {192.168.1.11;};};--第四步，重启服务[root@serv02 slaves]# /etc/init.d/namedrestartStopping named: [ OK ]Starting named: [ OK ]--第五步，进入slaves目录，发现自动生成了文件[root@serv02 named]# cd slaves/[root@serv02 slaves]# lltotal 0[root@serv02 slaves]# lltotal 4-rw-r--r—. 1 named named 330 Aug 8 23:43 .zone[root@serv02 slaves]# cat .zone$ORIGIN .$TTL 86400 ;1 INSOA . . (0; serial86400; refresh (1 day)3600 ; retry (1 hour)604800; expire (1 week)10800; minimum (3 hours))NS .$ORIGIN .dnsA192.168.1.11wwwA192.168.1.66

测试

--第一步，server01加入新的地址，重启服务[root@serv01 named]# vim .zone[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ][root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (-- #注意把serial改成1，不要和以前的保持一致-- 1; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11wwwIN A192.168.1.66ftp IN A192.168.1.88--第二步，server02查看文件，发现更新成功[root@serv02 slaves]# cat .zone$ORIGIN .$TTL 86400 ;1 INSOA . . (1; serial86400; refresh (1 day)3600 ; retry (1 hour)604800; expire (1 week)10800; minimum (3 hours))NS .$ORIGIN .dnsA192.168.1.11--ftp A192.168.1.88wwwA192.168.1.66--#序列号只能改大，不能改小#删除后也可以同步

server03配置

可以使用dig测试双方同步的数据是否一致

十 子域授权

子级DNS服务器（子域授权）

#serv01

192.168.1.11

web.

web. 192.168.1.12

#客户端192.168.1.13

#nameserver配置成192.168.1.11

#DNS转发：域名之间无关系

#子欲授权：域名之间有关系

网络拓扑结构图如图三：

图三DNS子域授权网络拓扑结构图

serv01配置

--第一步，查看本机IP，通过yum源安装bind[root@serv01 named]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:07:DD:3B inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe07:dd3b/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:2823 errors:0 dropped:0 overruns:0 frame:0TX packets:1618 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:257429 (251.3 KiB) TXbytes:252898 (246.9 KiB)[root@serv01 named]# yum install bind* -y>/dev/null 2>&1--第二步，修改named.conf文件，修改如下[root@serv01 named]# vim /etc/named.conf[root@serv01 named]# cat /etc/named.confoptions {--listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";-- allow-query{ any; };<recursionyes;--#dnssec-enable yes;#dnssec-validationyes;#dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};[root@serv01 named]# tail -n7/etc/named.rfc1912.zoneszone "" IN {type master;file ".zone";allow-update { none; };};zone "" IN {type master;file ".zone";allow-update { none; };};--第三步，拷贝文件，注意加上-a或者-p参数[root@serv01 named]# cp .zone -av[root@serv01 named]# cp named..zone -av--第四步，编辑.zone和.zone文件[root@serv01 named]# cat .zone$TTL 1D@ INSOA . . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11web IN A192.168.1.88[root@serv01 named]# cat .zone$TTL 1D@ INSOA dns..root.. (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS dns..dns IN A192.168.1.11web IN A192.168.1.89--第五步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]

serv02配置

--第一步，查看本机IP，通过yum源安装bind[root@serv02 slaves]# ifconfig eth0eth0Link encap:Ethernet HWaddr00:0C:29:6A:EC:97 inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0inet6 addr: fe80::20c:29ff:fe6a:ec97/64 Scope:LinkUP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:1449 errors:0 dropped:0 overruns:0 frame:0TX packets:908 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:133206 (130.0 KiB) TXbytes:148913 (145.4 KiB)[root@serv01 named]# yum install bind* -y>/dev/null 2>&1--第二步，修改named.conf文件，修改如下[root@serv01 named]# vim /etc/named.conf[root@serv01 named]# cat /etc/named.confoptions {-- listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";--allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};--第三步，修改named.rfc1912.zones 文件，修改如下[root@serv02 named]# tail -n5/etc/named.rfc1912.zoneszone "" IN {typemaster;file".zone";allow-update{ none;};};--第四步，重启服务[root@serv02 slaves]# /etc/init.d/namedrestartStopping named: [ OK ]Starting named: [ OK ]

实现功能

--第一步，serv01修改配置文件。添加如下两行[root@serv01 named]# cat .zone$TTL 1D@ INSOA . (0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11web IN A192.168.1.88--.IN NS dns..dns..IN A192.168.1.12--第二步，serv03安装bind-util[root@serv03 ~]# yum install bind-util* -y> /dev/null 2>&1--第三步，serv03修改resolv配置文件[root@serv03 ~]# echo "nameserver192.168.1.11" > /etc/resolv.conf[root@serv03 ~]# cat /etc/resolv.confnameserver 192.168.1.11--第四步，进行测试[root@serv03 ~]# dig +short192.168.1.88[root@serv03 ~]# dig web. +short192.168.1.89[root@serv03 ~]# dig web. +short192.168.1.90

十一 DNS高级视图

应用场景：不同的IP访问相同的域名，转到各自运营商的服务器

网络拓扑结构图如图四

图四DNS高级视图网络拓扑结构图

serv01配置

--第一步，IP地址配置如下[root@serv01 ~]# ifconfig eth0|grep"inet addr"inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0[root@serv01 ~]# ifconfig eth1|grep"inet addr"inet addr:172.16.1.11 Bcast:172.16.1.255 Mask:255.255.255.0[root@serv01 ~]# ifconfig |grep -A 1 etheth0Link encap:Ethernet HWaddr00:0C:29:07:DD:3B inet addr:192.168.1.11 Bcast:192.168.1.255 Mask:255.255.255.0--eth1Link encap:Ethernet HWaddr00:0C:29:07:DD:45 inet addr:172.16.1.11 Bcast:172.16.1.255 Mask:255.255.255.0[root@serv02 ~]# man named.conf--第二步，安装bind[root@serv01 named]# yum install bind* -y[root@serv01 named]# cat /etc/named.conf//// named.conf//// Provided by Red Hat bind package toconfigure the ISC BIND named(8) DNS// server as a caching only nameserver (as alocalhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ forexample named configuration files.//options {listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};logging {channel default_debug {file"data/named.run";severity dynamic;};};#注释或者删除以下几行内容#zone "." IN {#typehint;#file"named.ca";#};#如果这几行存在，重启服务会报如下错误：Error in named configuration:/etc/named.conf:35: when using 'view'statements, all zones must be in views[FAILED]#注释此行#include"/etc/named.rfc1912.zones";acl dx {192.168.1.10;192.168.1.11;192.168.1.12;192.168.1.13;192.168.1.14;};acl wt {172.16.1.10;172.16.1.11;172.16.1.12;172.16.1.13;172.16.1.14;};view dianxin {match-clients{"dx";};zone "." IN {type hint;file "named.ca";};#在此处进入命令模式，执行以下命令，将文件里的内容拷贝过来。r !cat /etc/named.rfc1912.zoneszone "localhost.localdomain" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "localhost" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"IN {typemaster;file"named.loopback";allow-update{ none; };};zone "1.0.0.127.in-addr.arpa" IN {typemaster;file"named.loopback";allow-update{ none; };};zone "0.in-addr.arpa" IN {typemaster;file"named.empty";allow-update{ none; };};zone "" {typemaster;file".zone.dx";allow-update{ none;};};};view wangtong {match-clients{"wt";};zone "." IN {type hint;file "named.ca";};zone "localhost.localdomain" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "localhost" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"IN {typemaster;file"named.loopback";allow-update{ none; };};zone "1.0.0.127.in-addr.arpa" IN {typemaster;file"named.loopback";allow-update{ none; };};zone "0.in-addr.arpa" IN {typemaster;file"named.empty";allow-update{ none; };};zone "" {typemaster;file".zone.wt";allow-update{ none;};};};--第三步，拷贝并编辑.zone.dx文件[root@serv01 named]# cp named.localhost .zone.dx-a[root@serv01 named]# .zone.dx[root@serv01 named]# .zone.dx$TTL 1D@ INSOA . .(0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A192.168.1.11wwwIN A192.168.1.88--第四步，拷贝并编辑.zone.wt 文件[root@serv01 named]# cp .zone.wt-a[root@serv01 named]# vim .zone.wt[root@serv01 named]# cat .zone.wt$TTL 1D@ INSOA . .(0; serial1D ; refresh1H ; retry1W ; expire3H) ; minimumNS .dns IN A172.16.1.11wwwIN A172.16.1.88--第五步，重启服务[root@serv01 named]# /etc/init.d/namedrestartStopping named: . [ OK ]Starting named: [ OK ]

serv02 测试

--第一步，配置IP[root@serv02 ~]# ifconfig eth0|grep"inet addr"inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0--第二步，安装bind-utils工具[root@serv02 ~]# yum install bind-utils-y--第三步，配置DNS[root@serv02 ~]# echo "nameserver192.168.1.11" > /etc/resolv.conf--第四步，检测[root@serv02 ~]# dig +short192.168.1.88[root@serv02 ~]# ifconfig|grep -A 1 etheth0Link encap:Ethernet HWaddr00:0C:29:6A:EC:97 inet addr:192.168.1.12 Bcast:192.168.1.255 Mask:255.255.255.0

serv03测试

--第一步，配置IP[root@serv03 ~]# ifconfig eth0|grep"inet addr"inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0[root@serv03 ~]# ifconfig eth1|grep"inet addr"inet addr:172.16.1.12 Bcast:172.16.1.255 Mask:255.255.255.0[root@serv03 ~]# ifconfig|grep -A 1 etheth0Link encap:Ethernet HWaddr00:0C:29:BD:08:05 inet addr:192.168.1.13 Bcast:192.168.1.255 Mask:255.255.255.0--eth1Link encap:Ethernet HWaddr00:0C:29:BD:08:0F inet addr:172.16.1.12 Bcast:172.16.1.255 Mask:255.255.255.0--第二步，安装bind-utils工具[root@serv02 ~]# yum install bind-utils-y--第三步，配置DNS[root@serv03 ~]# echo "nameserver172.16.1.11" > /etc/resolv.conf--第四步，检测[root@serv03 ~]# dig +short172.16.1.88

十二 /etc/named.conf:41: open: /etc/named.acl.dx: file not found解决

chroot：笼环境，阻止因软件的漏洞而任意切换根目录

chroot：虚拟根目录

[root@serv01 etc]# ls -l /etc/named.conf/var/named/chroot/etc/named.conf -i131137 -rw-r-----. 1 root named 2563 Aug 1219:37 /etc/named.conf131137 -rw-r-----. 1 root named 2563 Aug 1219:37 /var/named/chroot/etc/named.conf--第一步，写到配置文件（named.conf）中[root@serv01 etc]# cat named.conf//// named.conf//// Provided by Red Hat bind package toconfigure the ISC BIND named(8) DNS// server as a caching only nameserver (as alocalhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ forexample named configuration files.//options {listen-onport 53 { any; };listen-on-v6port 53 { ::1; };directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query{ any; };recursionyes;dnssec-enableyes;dnssec-validationyes;dnssec-lookasideauto;/*Path to ISC DLV key */bindkeys-file"/etc/named.iscdlv.key";};logging {channel default_debug {file"data/named.run";severity dynamic;};};#zone "." IN {#typehint;#file"named.ca";#};#include "/etc/named.rfc1912.zones";include"/etc/named.acl.dx";include"/etc/named.acl.wt";view dianxin {match-clients{"dx";};zone "." IN {type hint;file "named.ca";};zone "localhost.localdomain" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "localhost" IN {typemaster;file"named.localhost";allow-update{ none; };};zone"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"IN {typemaster;file"named.loopback";allow-update{ none; };};zone "1.0.0.127.in-addr.arpa" IN {typemaster;file"named.loopback";allow-update{ none; };};zone "0.in-addr.arpa" IN {typemaster;file"named.empty";allow-update{ none; };};zone "" {typemaster;file".zone.dx";allow-update{ none;};};};view wangtong {match-clients{"wt";};zone "." IN {type hint;file "named.ca";};zone "localhost.localdomain" IN {typemaster;file"named.localhost";allow-update{ none; };};zone "localhost" IN {typemaster;file"named.localhost";allow-update{ none; };};zone"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"IN {typemaster;file"named.loopback";allow-update{ none; };};zone "1.0.0.127.in-addr.arpa" IN {typemaster;file"named.loopback";allow-update{ none; };};zone "0.in-addr.arpa" IN {typemaster;file"named.empty";allow-update{ none; };};zone "" {typemaster;file".zone.wt";allow-update{ none;};};};--第二步，查看配置文件[root@serv01 etc]# vim /etc/named.acl.dx[root@serv01 etc]# cat /etc/named.acl.dxacl dx {192.168.1.10;192.168.1.11;192.168.1.12;192.168.1.13;192.168.1.14;};[root@serv01 etc]# vim /etc/named.acl.wt[root@serv01 etc]# cat /etc/named.acl.wtacl wt {172.16.1.10;172.16.1.11;172.16.1.12;172.16.1.13;172.16.1.14;};--第三步，重启服务，发生错误[root@serv01 etc]# /etc/init.d/namedrestartStopping named: [ OK ]Starting named:Error in named configuration:/etc/named.conf:41: open: /etc/named.acl.dx:file not found[FAILED]--第四步，解决问题（将etc目录下的named文件拷贝到 /var/named/chroot/etc/）[root@serv01 etc]# cd /var/named/chroot/dynamic/ .zone.wt named.empty named.loopback data/ .zone.dx named.ca named.localhost slaves/ [root@serv01 etc]# cd /var/named/chroot/etc/[root@serv01 etc]# lltotal 12-rw-r--r--. 1 root root 389 Jul 23 00:57 localtimedrwxr-x---. 2 root named 4096 Mar 28 nameddrwxr-xr-x. 3 root root 4096 Aug 12 18:27 pki[root@serv01 etc]# cp /etc/named* ./ -a[root@serv01 etc]# lltotal 36-rw-r--r--. 1 root root 389 Jul 23 00:57 localtimedrwxr-x---. 2 root named 4096 Mar 28 named-rw-r-----. 1 root named 123 Aug 12 19:49 named.acl.dx-rw-r-----. 1 root named 118 Aug 12 19:50 named.acl.wt-rw-r-----. 1 root named 2450 Aug 12 19:54named.conf-rw-r--r--. 1 root named 2544 Mar 28 named.iscdlv.key-rw-r-----. 1 root named 931 Jun 21 named.rfc1912.zones-rw-r--r--. 1 root named 487 Mar 28 named.root.keydrwxr-xr-x. 3 root root 4096 Aug 12 18:27 pki[root@serv01 etc]# /etc/init.d/named restartStopping named: [ OK ]Starting named: [ OK ]

我的邮箱：wgbno27@ 新浪微博：@Wentasy27 微信公众平台：JustOracle（微信号：justoracle）数据库技术交流群：336882565（加群时验证 From CSDN XXX）By Larry Wen

如果觉得《服务管理——DNS》对你有帮助，请点赞、收藏，并留下你的观点哦！