
In-depth DNS: DNS clusters and DNS remote updates

DNS clusters

To spread the DNS load, we configure a second DNS server that forms a cluster with the existing DNS server (172.25.254.202): the new host becomes a secondary (slave) authoritative server for the zone, so either machine can answer queries for it. One of my virtual machines is already a caching DNS server; now we set up the other one and make the two work as a pair.

Configuration on the second virtual machine

1. > Configure the network

[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0   
DEVICE=eth0
BOOTPROTO=none
IPADDR=172.25.254.102
NETMASK=255.255.255.0
[[email protected] ~]# systemctl restart network

2. > Set up the yum repository and install the bind package

[[email protected] ~]# cd /etc/yum.repos.d/
[[email protected] yum.repos.d]# ls
yum.repo
[[email protected] yum.repos.d]# vim yum.repo

[rhel7.0]
name=rhel7.0
baseurl=file:///rhel7.0
gpgcheck=0
[[email protected] yum.repos.d]# yum repolist
Loaded plugins: langpacks
rhel7.0                                                  | 4.1 kB     00:00     
(1/2): rhel7.0/group_gz                                    | 134 kB   00:00     
(2/2): rhel7.0/primary_db                                  | 3.4 MB   00:00     
repo id                              repo name                            status
rhel7.0                              rhel7.0                              4,305
repolist: 4,305
[[email protected] yum.repos.d]# yum install bind -y      # install the bind package

3. > Firewall policy

[[email protected] yum.repos.d]# firewall-cmd --add-service=dns
success
[[email protected] yum.repos.d]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Note: without --permanent this rule only lives until the next firewalld reload or reboot. Run `firewall-cmd --permanent --add-service=dns` as well (or `firewall-cmd --runtime-to-permanent` afterwards) so the opening survives.

4. > Configure the named service

[[email protected] yum.repos.d]# systemctl start named
[[email protected] yum.repos.d]# vim /etc/resolv.conf


[[email protected] yum.repos.d]# vim /etc/named.conf

Changes to make inside the options { } block:

        listen-on port 53 { any; };
        allow-query     { any; };
        dnssec-validation no;

Caveat: `allow-query { any; }` is fine for an authoritative server, but the RHEL 7 default named.conf also has `recursion yes;`, and the two together turn the host into an open resolver that anyone can use for amplification attacks. Limit recursion to your own clients with `allow-recursion { 172.25.254.0/24; };`, or set `recursion no;` on a purely authoritative server. `dnssec-validation no;` switches off validation of signed answers; the lab does this because it has no reachable trust anchor, but in production leave it at the default (`yes` or `auto`).

[[email protected] yum.repos.d]# vim /etc/named.rfc1912.zones

zone "westos.com" IN {
        type slave;
        masters { 172.25.254.202; };
        file "slaves/westos.com.zone";
        allow-update { none; };
};

Note: /var/named is named's working directory (the `directory` option in named.conf), where the zone files holding the A records live, so `file "slaves/..."` is relative to it. The file name is arbitrary and does not have to match the name used on the master: named creates the file itself in /var/named/slaves (a subdirectory writable by the named user) after the first successful zone transfer.

[[email protected] yum.repos.d]# systemctl restart named
[[email protected] yum.repos.d]# cd /var/named/slaves/
[[email protected] slaves]# ls
westos.com.zone

[[email protected] slaves]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com.            IN    A

;; ANSWER SECTION:
www.westos.com.        86400    IN    A    172.25.254.68

With the configuration above the slave does not learn about changes on the master right away: it only re-checks the SOA serial when the refresh timer expires (1D in the zone file below). To have changes pushed to the slave immediately, and to control who may copy the zone at all, configure the master as follows:

Configure the master DNS
[[email protected] named]# vim /etc/named.conf  
Restore the environment


[[email protected] ~]# vim /etc/named.rfc1912.zones       edit the zone definition
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-transfer { 172.25.254.102; };         added: only 102 may pull zone transfers (AXFR/IXFR)
        also-notify { 172.25.254.102; };            added: notify 102 whenever the zone changes
};

Always keep the allow-transfer line. The BIND 9.9 shipped with RHEL 7 defaults to `allow-transfer { any; }`, so without it anyone on the network can download the whole zone with `dig @172.25.254.202 westos.com AXFR`. also-notify is needed because 102 is not listed in the zone's NS records, which are the hosts BIND notifies by default.


[[email protected] named]# vim westos.com.zone
$TTL 1D
@       IN SOA  westos.westos.com. root.westos.com. (
                                2018111801      ; serial: bump this on every edit (YYYYMMDDnn is the usual scheme); the slave transfers only when the master's serial is newer than its own, not merely different
                                1D              ; refresh
                                1H              ; retry
                                1W              ; expire
                                3H )            ; minimum
        NS      dns.westos.com.
       

[[email protected] named]# systemctl restart named
Then check on the slave whether it synced: `dig @172.25.254.102 westos.com SOA +short` should report the new serial, and `journalctl -u named` on the slave should show a "Transfer completed" message for westos.com/IN.
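As an added example (not code from the original post), the following bash script automates that check. It reads the SOA serial from `dig +noall +answer` output on the master and on the slave, decides whether the slave is behind using RFC 1982 serial arithmetic (the rule BIND applies, which is stricter than "the serials differ"), and tells from a `dig ... AXFR` response whether the master is still handing the whole zone to a host that is not in allow-transfer. The IPs and the zone are the post's; the sample dig answers are constructed inline so the functions can be exercised offline, and `check_live` is the only part that touches the network.

```bash
#!/bin/bash
# Added example: is the secondary in sync, and is AXFR locked down?
# Assumes BIND's dig is installed. Primary 172.25.254.202, secondary
# 172.25.254.102 and zone westos.com are the values used in the post.

PRIMARY=172.25.254.202
SECONDARY=172.25.254.102
ZONE=westos.com

# Pull the serial out of a "dig +noall +answer ZONE SOA" answer line:
#   westos.com. 86400 IN SOA mname rname SERIAL refresh retry expire minimum
soa_serial() {
  printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'
}

# RFC 1982 comparison: succeed if $2 is newer than $1 modulo 2^32.
# A secondary transfers only when the primary's serial is NEWER, so lowering
# the serial (or forgetting to bump it) after an edit silently stops replication.
serial_newer() {
  old=$1; new=$2
  if [ "$old" -eq "$new" ]; then return 1; fi
  if { [ "$old" -lt "$new" ] && [ $((new - old)) -lt 2147483648 ]; } ||
     { [ "$old" -gt "$new" ] && [ $((old - new)) -gt 2147483648 ]; }; then
    return 0
  fi
  return 1
}

# Given the two dig answers, succeed if the secondary must transfer.
needs_transfer() {  # $1 primary answer, $2 secondary answer
  m=$(soa_serial "$1"); s=$(soa_serial "$2")
  [ -n "$m" ] && [ -n "$s" ] && serial_newer "$s" "$m"
}

# Succeed if a "dig @host ZONE AXFR" response actually contains zone records,
# i.e. allow-transfer did not refuse this client. dig prints
# "; Transfer failed." when the server says REFUSED.
axfr_served() {
  if printf '%s\n' "$1" | grep -q 'Transfer failed'; then return 1; fi
  printf '%s\n' "$1" | awk '$1 !~ /^;/ && $3 == "IN" { found = 1 } END { exit !found }'
}

# Constructed sample answers (what dig would print), used by the offline checks.
PRIMARY_SOA='westos.com. 86400 IN SOA westos.westos.com. root.westos.com. 2018111802 86400 3600 604800 10800'
SECONDARY_SOA='westos.com. 86400 IN SOA westos.westos.com. root.westos.com. 2018111801 86400 3600 604800 10800'
AXFR_REFUSED='; Transfer failed.'
AXFR_OPEN='westos.com. 86400 IN SOA westos.westos.com. root.westos.com. 2018111802 86400 3600 604800 10800
www.westos.com. 86400 IN A 172.25.254.68'

# Live check against the lab servers (needs network): ./sync_check.sh --live
check_live() {
  p=$(dig +noall +answer @"$PRIMARY" "$ZONE" SOA)
  s=$(dig +noall +answer @"$SECONDARY" "$ZONE" SOA)
  echo "primary serial:   $(soa_serial "$p")"
  echo "secondary serial: $(soa_serial "$s")"
  if needs_transfer "$p" "$s"; then echo "secondary is BEHIND"; else echo "in sync"; fi
  # An AXFR from this host should be refused unless it is listed in allow-transfer.
  if axfr_served "$(dig @"$PRIMARY" "$ZONE" AXFR)"; then
    echo "WARNING: $PRIMARY serves AXFR of $ZONE to this host"
  fi
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` from a third host that is not in allow-transfer: the serial lines tell you whether NOTIFY and the refresh timer are doing their job, and the WARNING line fires only if the zone transfer ACL is missing.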

DNS remote (dynamic) updates

Configure the master DNS (server)

1. > Back up the zone file

[[email protected] named]# mkdir /westos
[[email protected] named]# cp -p westos.com.zone /westos/   

2. > Configure the DNS server to allow the client host to modify westos.com.zone

[[email protected] named]# vim /etc/named.rfc1912.zones

zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.102; };
        also-notify { 172.25.254.102; };
};

[[email protected] named]# systemctl restart named        restart the service so the change takes effect
3. > Change the permissions of /var/named so the named group can write to it

[[email protected] named]# chmod 770 /var/named/

The directory is owned root:named, so 770 gives the named user write access, which it needs to create the journal westos.com.zone.jnl and rewrite the zone file. A tidier alternative is to keep the dynamically updated zone under /var/named/dynamic/, which is already writable by named, and leave /var/named at its default mode.
4. > 開啟核心對 named 服務的寫功能。


若為Disabled 則不用處理
Enforcing
[[email protected] named]getsebool -a | grep named

named_tcp_bind_http_port --> off
named_write_master_zones --> off
[[email protected] named]setsebool - P named_write_master_zones on

5. > Perform the remote update from the slave

[[email protected] slaves]# nsupdate
> server 172.25.254.202
> update add test.westos.com 86400 A 172.25.254.90
> send
> quit

The update succeeds and nsupdate exits.

6. > Check on the master whether the update succeeded

[[email protected] named]# systemctl restart named
[[email protected] named]# vim westos.com.zone

The new test record is there; the update succeeded!

The restart is only there to make the change visible in the zone file: named first records dynamic updates in the journal westos.com.zone.jnl and writes them back into westos.com.zone on shutdown or when you run `rndc sync westos.com`. Never edit the zone file by hand while a journal exists; use `rndc freeze westos.com` first and `rndc thaw westos.com` afterwards.

[[email protected] named]# dig test.westos.com


This way of updating is insecure: authorization rests on the client's source IP address alone, which is trivially spoofed in a UDP update packet, and any process on 172.25.254.102 can rewrite the zone. Next we set up a different update method, key-based (TSIG) updates.

DNS remote updates with a key (TSIG)

First configure the master DNS
1. > Restore the experiment environment first

2. > Generate the key
[[email protected] named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey

HMAC-MD5 is deprecated; on this BIND 9.9 you can instead run `dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST westoskey`, and newer BIND releases ship `tsig-keygen`, which prints a ready-made key clause. The generated file names Kwestoskey.+157+54500.key / .private encode the algorithm number (157 is HMAC-MD5) and a key id.

3. > Write the key file

[[email protected] named]# vim /etc/westos.key

key "westoskey" {                 key name
        algorithm hmac-md5;
        secret "<the Key: value from Kwestoskey.+157+54500.private>";
};

The file holds the shared secret, so it must not be world-readable: `chown root:named /etc/westos.key; chmod 640 /etc/westos.key`.

4. > Change the service configuration files

Edit /etc/named.conf

[[email protected] named]# vim /etc/named.conf

寫入:
include "/etc/westos.key";

Edit /etc/named.rfc1912.zones

zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westoskey; };
        also-notify { 172.25.254.102; };
};

Restart the service

[[email protected] named]# systemctl restart named

5. > Distribute the key to the client

[[email protected] named]# scp Kwestoskey.+157+54500.* [email protected]:/var/named

Only the client that will run nsupdate needs the secret; keep the copied files mode 600 on the client, because anyone who can read them can rewrite the zone.

6. > Test

[[email protected] named]# ls
data     Kwestoskey.+157+54500.key      named.ca     named.localhost  slaves
dynamic  Kwestoskey.+157+54500.private  named.empty  named.loopback

[[email protected] named]# nsupdate -k Kwestoskey.+157+54500.private
> server 172.25.254.202
> update delete test.westos.com
> send
> quit

The remote update succeeds and nsupdate exits.

Confirm on the master DNS

The remote update succeeded: the test record has been deleted.
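The IP-based allow-update in the previous section and the TSIG version here differ in a single line of the zone block, and the interactive nsupdate sessions above are hard to repeat reliably. The bash helpers below are an added example, not code from the post: they classify a zone block's allow-update setting (key, none, or the weak IP form), build the add and delete batches from the post as non-interactive nsupdate input, emit a key clause for named.conf, and check that a key file is not readable by other users. The key name, zone, server and record values are the post's; hmac-sha256 instead of hmac-md5, the `prereq nxdomain` guard and the `run_update` wrapper are this example's additions. The sample zone blocks are constructed inline so everything except `run_update` runs offline.

```bash
#!/bin/bash
# Added example: TSIG-driven nsupdate without the interactive prompt, plus
# an audit of the allow-update ACL. Assumes BIND's nsupdate is installed.

# Print a key {} clause for named.conf.  $1 key name, $2 algorithm, $3 base64 secret
tsig_key_clause() {
  printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$2" "$3"
}

# Fresh 256-bit secret for hmac-sha256 (the .private file from dnssec-keygen
# carries the same value on its "Key:" line).
new_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Batch for "update add": $1 server, $2 zone, $3 ttl, $4 name, $5 type, $6 rdata.
# "zone" pins the update to the intended zone and "prereq nxdomain" makes the
# add fail instead of silently stacking a second RR if the name already exists.
nsupdate_add_batch() {
  printf 'server %s\nzone %s\nprereq nxdomain %s\nupdate add %s %s %s %s\nsend\n' \
    "$1" "$2" "$4" "$4" "$3" "$5" "$6"
}

# Batch for "update delete": $1 server, $2 zone, $3 name (all RRs of that name).
nsupdate_delete_batch() {
  printf 'server %s\nzone %s\nupdate delete %s\nsend\n' "$1" "$2" "$3"
}

# Succeed if the key file grants nothing to "others" (group may be named).
key_file_private() {
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Classify the allow-update statement of a zone block passed as text:
#   key  -> TSIG-protected (what this section configures)
#   none -> updates disabled (also BIND's default when the statement is absent)
#   ip   -> address-based, spoofable: the weak form from the previous section
allow_update_policy() {
  acl=$(printf '%s\n' "$1" | sed -n 's/.*allow-update[[:space:]]*{\([^}]*\)}.*/\1/p')
  case "$acl" in
    *key*)  echo key ;;
    *none*) echo none ;;
    "")     echo none ;;
    *)      echo ip ;;
  esac
}

# Live helper (needs network): feed a batch to nsupdate signed with a key file.
run_update() {  # $1 path to Kwestoskey.+157+54500.private, $2 batch text
  printf '%s' "$2" | nsupdate -k "$1"
}

# Constructed sample zone blocks, copied from the two variants in the post.
WEAK_ZONE='zone "westos.com" IN { type master; file "westos.com.zone"; allow-update { 172.25.254.102; }; also-notify { 172.25.254.102; }; };'
TSIG_ZONE='zone "westos.com" IN { type master; file "westos.com.zone"; allow-update { key westoskey; }; also-notify { 172.25.254.102; }; };'

# Example session (comment out run_update when there is no lab server):
#   run_update /var/named/Kwestoskey.+157+54500.private \
#     "$(nsupdate_add_batch 172.25.254.202 westos.com 86400 test.westos.com A 172.25.254.90)"
#   run_update /var/named/Kwestoskey.+157+54500.private \
#     "$(nsupdate_delete_batch 172.25.254.202 westos.com test.westos.com)"
```

Feed `allow_update_policy` the output of `named-checkconf -p` on the master and anything that comes back as `ip` is a zone that still trusts source addresses; the same `nsupdate -k` call works unchanged with an hmac-sha256 key generated by `new_secret`, as long as the clause on the server and the file on the client carry the same algorithm and secret.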