1. 高速缓存dns服务器
修改server的配置文件/etc/named.conf 10options { 11 listen-on port 53 { any; }; #监听所有端口的bind服务 12 listen-on-v6 port 53 { ::1; }; 13 directory "/var/named"; 14 dump-file "/var/named/data/cache_dump.db"; 15 statistics-file "/var/named/data/named_stats.txt"; 16 memstatistics-file "/var/named/data/named_mem_stats.txt"; 17 allow-query { any; }; #允许任何人询问此台服务器 18 forwarders { 172.25.254.250;};#主机不知道的域名则去询问172.25.254.250这台主机。 此时只需要将client的机器的dns解析修改为server的ip,这时server就为client的DNS的服务器。
2. dns正向解析和反向解析
1》正向解析
从/etc/named.conf 中可以看到:include "/etc/named.rfc1912.zones"; 包含的配置文件/etc/named.rfc1912.zones,在这个配置文件中可以添加正向解析的文件,同样反向解析的配置文件也在这里。
vim /etc/named.rfc1912.zoneszone "feitian.com" IN { #主机域 type master; file "fengkai.com"; #包含本地DNS高速缓存的文件 allow-update { none; }; #不允许任何人更新DNS解析文件};[root@server ~]# cd /var/named/[root@server named]# lsdata dynamic named.ca named.empty named.localhost named.loopback slaves[root@server named]# cp -p named.localhost fengkai.com[root@server named]# vim fengkai.com $TTL 1D@ IN SOA dns.feitian.com. root.feitian.com. (#分别为DNS服务器的主机名dns.feitian.com和管理员的邮箱root.feitian.com#@代表域名也就是feitian.com.最后有个点,在此文件中要以'.'结尾,不然会加上本机的域名#2015080901表示你是2015年08月09日第一次修改,此处的数字在主从同步DNS服务器时,如果不同主从会开始做主从同步。也就是版本号。 2015080901 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H) ; minimum NS dns.feitian.com.dns A 172.25.254.231feng A 172.25.254.111feng A 172.25.254.112bbs CNAME hui.feitian.com.#这里就是重命名,访问bbs.feitian.com是,他会解析出hui.feitian.com.#这里是轮换解析,一次是111,下一次就是112hui A 172.25.254.222 2》反向解析
vim /etc/named.rfc1912.zoneszone "254.25.172.in-addr.arpa" IN{ type master; file "fengkai.com"; allow-update { none; };};[root@server named]#cp -p var/named/named.loopback fengkaiNaNr[root@server named]# vim /var/named/fengkai.com$TTL 1D@ IN SOA dns.feitian.com.root.feitian.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS dns.feitian.com.dns A 172.25.254.231101 PTR fengkai.com.202 PTR kaikai.com. 3. DNS 双向解析
DNS双向解析指的是让一台服务器有两个DNS解析文件,一般分为内网和外网,在/etc/named.conf
中添加如下内容:
[root@server ~]# vim /etc/named.conf/*zone "." IN { type hint; file "named.ca";}; include"/etc/named.rfc1912.zones";include "/etc/named.root.key";*/#将其注释,分别添加到下面的标签中view localnet {match-clients {172.25.254.231;};zone "." IN { type hint; file "named.ca";};include"/etc/named.rfc1912.zones";}; view any {match-clients {any;};zone "." IN { type hint; file "named.ca";};include"/etc/named.rfc1913.zones";}; 将/etc/named.rfc1912.zons拷一份名称为named.rfc1913.zons,分别让其指向不同的解析文件
cp /etc/named.rfc1912.zones /etc/named.rfc1913.zonesvim /etc/named.rfc1912.zoneszone "feitian.com.in" IN { type master; file "fengkai.com.out"; allow-update { none; };};vim /etc/named.rfc1913.zoneszone "feitian.com.out" IN { type master; file "fengkai.com.zone"; allow-update { none; };}; 然后在/var/named/下做如下操作
[root@server named]# cp -p named.localhost fengkai.com.out[root@server named]# cp -p named.localhost fengkai.com.in[root@server named]# vim fengkai.com.in $TTL 1D@ IN SOA dns.feitian.com.root.feitian.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H) ; minimum NS dns.feitian.com.dns A 172.25.254.231feng A 172.25.254.112bbs CNAME hui.feitian.com.hui A 172.25.254.222[root@server named]# vim fengkai.com.out $TTL 1D@ IN SOA dns.feitian.com.root.feitian.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H) ; minimum NS dns.feitian.com.dns A 1.1.1.231feng A 1.1.1.112bbs CNAME hui.feitian.com.hui A 1.1.1.222
4. DNS主从同步
#修改server的配置文件[root@localhost ~]# vim /etc/named.confoptions { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; };#修改客户端client[root@localhost ~]# vim/etc/named.rfc1912.zoneszone "feitian.com" IN { type slave; masters {172.25.254.231;}; file "slaves/feitian.com"; allow-update { any; };};[root@localhost ~]# systemctl restart named[root@localhost ~]# ls /var/named/slaves/feitian.com 5.花生壳
将你的防火墙和selinux开启namd和dhcp服务,或者关闭,修改你的client的DNS为你主机的IP。
1》生成秘钥
dnssec-keygen -a HMAC-MD5 -b 128 -n HOSTwestos ##生成密匙[root@server named]# dnssec-keygen -aHMAC-MD5 -b 128 -n HOST westosKwestos.+157+53107ll | gerp Kwestos-rw-------. 1 root root 50 Aug 9 04:25Kwestos.+157+53107.key-rw-------. 1 root root 165 Aug 9 04:25Kwestos.+157+53107.private[root@server named]# catKwestos.+157+53107.keywestos. IN KEY 512 3 157 MyuqKKel9qE2kj0CZ1NzUw==[root@server named]# cp /etc/rndc.key /etc/westos.key -pvim /etc/westos.keykey "westos" { ##key名称 algorithmhmac-md5; secret"MyuqKKel9qE2kj0CZ1NzUw=="; ##key的加密字符};[root@server named] chmod g+x /var/named/ #保证named服务可修改你的解析文件 2》 配置服务dhcp服务
编辑dhcp的配置文件/etc/dhcp/dhcp.conf
dhcpoption domain-name"feitian.com";option domain-name-servers 172.25.254.231; #你的DNS解析ddns-update-style interim; #开启dhcp的更新服务。subnet 172.25.254.0 netmask 255.255.255.0 {range 172.25.254.80 172.25.254.90;option routers 172.25.254.250;}#37行以后全部删掉后加上如下内容:key westos {algorithm hmac-md5;secret MyuqKKel9qE2kj0CZ1NzUw==; #就是你生成的钥匙文件,key的加密字符};zone feitian.com. {primary 127.0.0.1;key westos;}; 3》修改named.conf文件
在options标签的外边加一个包含你钥匙的路径 :include "/etc/westos.key";
修改option标签的前几行
options {listen-on port 53 { any; };//listen-on-v6 port 53 { ::1; }; #注释掉等于全部开启directory "/var/named";dump-file "/var/named/data/cache_dump.db";statistics-file "/var/named/data/named_stats.txt";memstatistics-file "/var/named/data/named_mem_stats.txt";allow-query { any; }; 4》修该/etc/named.rfc1912.zones文件
在/etc/named.rfc1912.zones中复制一个修改成正向解析模式,反向解析也可以,这里以正向解析为例
zone "westos.com" IN { #域名,与/etc/dhcp/dhcpd.conf和你的测试机器的域名结尾保持一致type master;file "westos.com.zone"; allow-update { key westos; }; #钥匙的名字}; 5》测试
将你的钥匙发给从机随便哪个目录,以/var/named/目录为例
在你的client上执行如下命令测试你的秘钥有没有生效
usupdate -k Kwestos.+157+53107.private server 172.25.254.231update add www.westos.com 86400 A 172.25.254.88 send#这时你是用dig 就会出现 172.25.254.88的解析结果
在你的client端修改你的主机域名,与你server上的weston.com保持一致,但是解析文件中没有解析。
比如:feitain.westos.com,然后设置你的主机的网络为dhcp,这是你如果dig 你client的域名解析结果会根你client的IP变化说明你的花生壳就做好了。