BIND configuration: DNS master/slave synchronization and zone transfer security

Author: 转角昕逸   Published: 2014-03-21 09:36:56

Implementing DNS master/slave synchronization:

The BIND version on the master DNS server must not be higher than the version on the slave.

Adding a slave server to a zone takes two key steps:

a: Obtain delegation from the parent zone

b: In the zone data file, add an NS record for the server together with the corresponding A record or PTR record

1. On the master DNS server, add an NS record and the corresponding A record to the forward zone

# vim /var/named/mageedu.com.zone
$TTL 86400
; the RNAME needs its trailing dot: without it BIND appends the origin,
; which is why the AXFR output below shows admin.mageedu.com.mageedu.com.
@       IN      SOA     dsn.mageedu.com. admin.mageedu.com. (
                        2014031901      ; serial
                        1D              ; refresh
                        12H             ; retry
                        1D              ; expire
                        12H )           ; negative-cache TTL
; two authoritative servers: dns (master) and ns (slave)
@       IN      NS      dns
@       IN      NS      ns
@       IN      MX      20      mail
dns     IN      A       172.16.19.100
ns      IN      A       172.16.19.1
mail    IN      A       172.16.19.2
www     IN      A       172.16.19.3
pop     IN      CNAME   mail
ftp     IN      CNAME   www

2. Add an NS record for the slave DNS server and the corresponding PTR record to the reverse zone

# vim /var/named/172.16.19.zone
$TTL 86400
@       IN      SOA     dsn.mageedu.com. admin.mageedu.com. (
                        2014031902      ; serial
                        1D              ; refresh
                        12H             ; retry
                        1D              ; expire
                        12H )           ; negative-cache TTL
@       IN      NS      dns.mageedu.com.
@       IN      NS      ns.mageedu.com.
; last octet of each address -> fully qualified host name
100     IN      PTR     dns.mageedu.com.
1       IN      PTR     ns.mageedu.com.
2       IN      PTR     mail.mageedu.com.
3       IN      PTR     www.mageedu.com.

3. Edit the configuration file in the same way as above.

4. Add the mageedu.com zone on the slave server

zone "mageedu.com" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
};

5. Add the 19.16.172.in-addr.arpa zone on the slave server

zone "19.16.172.in-addr.arpa" IN {
        type slave;
        // same master as the forward zone; the transfer log below shows 172.16.19.100
        masters { 172.16.19.100; };
        file "slaves/172.16.19.zone";
};

6. Start the named service

# named -u named

7. Check the log file

# tail /var/log/messages
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: connected using 172.16.19.1#47647
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: transferred serial 2014031902
Mar 17 05:44:18 stu19 named[31977]: transfer of '19.16.172.in-addr.arpa/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 8 records, 255 bytes, 0.003 secs (85000 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone 19.16.172.in-addr.arpa/IN: sending notifies (serial 2014031902)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: Transfer started.
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: connected using 172.16.19.1#40334
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: transferred serial 2014031901
Mar 17 05:44:18 stu19 named[31977]: transfer of 'mageedu.com/IN' from 172.16.19.100#53: Transfer completed: 1 messages, 11 records, 283 bytes, 0.002 secs (141500 bytes/sec)
Mar 17 05:44:18 stu19 named[31977]: zone mageedu.com/IN: sending notifies (serial 2014031901)

8. Check the /var/named/slaves/ directory on the slave server

# ls /var/named/slaves/
172.16.19.zone  mageedu.com.zone

Zone transfer security controls

Improving the security of the DNS server

Add allow-transfer { IP; }; to the zone statements on the master server

Only 127.0.0.1 and 172.16.19.1 are allowed to perform zone transfers

zone "mageedu.com" IN {
        type master;
        file "mageedu.com.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "19.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.19.zone";
        allow-transfer { 127.0.0.1; 172.16.19.1; };
};

Reload the DNS service on the master server

# service named reload

The zone transfer security control is configured successfully: the master now refuses the AXFR, while the slave, which has not been restricted yet, still hands out the whole zone

# dig -t axfr mageedu.com @172.16.19.100
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.100
;; global options: +cmd
; Transfer failed.
# dig -t axfr mageedu.com @172.16.19.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @172.16.19.1
;; global options: +cmd
mageedu.com.        86400   IN  SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
mageedu.com.        86400   IN  MX      20 mail.mageedu.com.
mageedu.com.        86400   IN  NS      dns.mageedu.com.
mageedu.com.        86400   IN  NS      ns.mageedu.com.
dns.mageedu.com.    86400   IN  A       172.16.19.100
ftp.mageedu.com.    86400   IN  CNAME   www.mageedu.com.
mail.mageedu.com.   86400   IN  A       172.16.19.2
ns.mageedu.com.     86400   IN  A       172.16.19.1
pop.mageedu.com.    86400   IN  CNAME   mail.mageedu.com.
www.mageedu.com.    86400   IN  A       172.16.19.3
mageedu.com.        86400   IN  SOA     dsn.mageedu.com. admin.mageedu.com.mageedu.com. 2014031901 86400 43200 86400 43200
;; Query time: 5 msec
;; SERVER: 172.16.19.1#53(172.16.19.1)
;; WHEN: Sun Mar 16 16:29:23 2014
;; XFR size: 11 records (messages 1, bytes 283)

Configure zone transfer security control on the slave server: allow no one to transfer the zone

zone "mageedu.com" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/mageedu.com.zone";
        allow-transfer { none; };
};
zone "19.16.172.in-addr.arpa" IN {
        type slave;
        masters { 172.16.19.100; };
        file "slaves/172.16.19.zone";
        allow-transfer { none; };
};

Reload the DNS service on the slave server

# service named reload

Test that the zone transfer security control is configured successfully

[root@stu19 ~]# dig -t axfr mageedu.com @127.0.0.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t axfr mageedu.com @127.0.0.1
;; global options: +cmd
; Transfer failed.
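As an added example (not part of the original post), a small Python audit that parses zone statements like the master and slave ones above and flags the two transfer policies the post fixes: a zone with no allow-transfer, which keeps BIND's default and answers AXFR from any host (what the successful dig against the unrestricted slave showed), and a slave that still answers transfers instead of carrying allow-transfer { none; }. The named.conf text and the example.test slave zone are constructed for the demonstration.

```python
import re

# Constructed sample: the post's two master zones (one still without allow-transfer)
# plus a made-up slave zone, example.test, that was never restricted.
NAMED_CONF = """
zone "mageedu.com" IN {
    type master;
    file "mageedu.com.zone";
};
zone "19.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.19.zone";
    allow-transfer { 127.0.0.1; 172.16.19.1; };
};
zone "example.test" IN {
    type slave;
    masters { 172.16.19.100; };
    file "slaves/example.test.zone";
};
"""

# One zone statement: the quoted name, then the body up to the "};" at column 0.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', re.S)

def parse_zones(conf):
    """Map zone name -> {"type": str, "allow-transfer": ACL entries, or None if absent}."""
    zones = {}
    for name, body in ZONE_RE.findall(conf):
        ztype = re.search(r'\btype\s+(\w+)\s*;', body)
        xfr = re.search(r'allow-transfer\s*\{([^}]*)\}', body)
        acl = [e.strip() for e in xfr.group(1).split(";") if e.strip()] if xfr else None
        zones[name] = {"type": ztype.group(1) if ztype else None, "allow-transfer": acl}
    return zones

def audit_transfers(conf):
    """Return (zone, finding) pairs for zones whose transfer policy lets outsiders AXFR them."""
    findings = []
    for name, z in parse_zones(conf).items():
        acl = z["allow-transfer"]
        if acl is None:
            # No allow-transfer keeps BIND's default, which answers AXFR from any host
            # (that is what the successful dig against the unrestricted slave showed).
            findings.append((name, "no allow-transfer: any host can pull the zone"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; }: any host can pull the zone"))
        elif z["type"] == "slave" and acl != ["none"]:
            # A slave only needs to answer AXFR if it feeds further slaves.
            findings.append((name, "slave allows transfers to %s; prefer { none; }" % ", ".join(acl)))
    return findings
```

Running audit_transfers(NAMED_CONF) reports mageedu.com and example.test; adding the allow-transfer lines from the post clears both findings.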

 
