DNS cluster
To share the DNS load, we configure another caching DNS server to form a cluster with the existing DNS server (172.25.254.202). One of my virtual machines is already a caching DNS server; now we set up another one and make the two of them form a cluster.
Configuration of the other virtual machine
1. Configure the network
[root@dns-slave ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
IPADDR=172.25.254.102
NETMASK=255.255.255.0
[root@dns-slave ~]# systemctl restart network
2. Set up a yum repository and install the bind package
[root@dns-slave ~]# cd /etc/yum.repos.d/
[root@dns-slave yum.repos.d]# ls
yum.repo
[root@dns-slave yum.repos.d]# vim yum.repo
[rhel7.0]
name=rhel7.0
baseurl=file:///rhel7.0
gpgcheck=0
[root@dns-slave yum.repos.d]# yum repolist
Loaded plugins: langpacks
rhel7.o | 4.1 kB 00:00
(1/2): rhel7.o/group_gz | 134 kB 00:00
(2/2): rhel7.o/primary_db | 3.4 MB 00:00
repo id repo name status
rhel7.o rhel7.0 4,305
repolist: 4,305
[root@dns-slave yum.repos.d]# yum install bind -y    # install the bind package
3. Firewall policy
[root@dns-slave yum.repos.d]# firewall-cmd --add-service=dns
success
[root@dns-slave yum.repos.d]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
Note: without --permanent this rule exists only in the runtime configuration and is lost after a firewalld reload or a reboot; run the same command again with --permanent to keep it.
4. Configure the named service
[root@dns-slave yum.repos.d]# systemctl start named
[root@dns-slave yum.repos.d]# vim /etc/resolv.conf
[root@dns-slave yum.repos.d]# vim /etc/named.conf
Changes made:
listen-on port 53 { any; };
allow-query { any; };
dnssec-validation no;
[root@dns-slave yum.repos.d]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type slave;
masters { 172.25.254.202; };
file "slaves/westos.com.zone";
allow-update { none; };
};
Note: /var/named is effectively the root directory of the DNS service, the place where the A records (zone files) are stored, so file is set to "slaves/...". The name written here is arbitrary, but the file name that gets created must be the same as on the primary DNS.
[root@dns-slave yum.repos.d]# systemctl restart named
[root@dns-slave yum.repos.d]# cd /var/named/slaves/
[root@dns-slave slaves]# ls
westos.com.zone
[root@dns-slave slaves]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64151
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.68
With the method above, changes made on the primary DNS are not synchronized to the secondary DNS; to synchronize them, the primary server needs the following configuration:
Configure the primary DNS
[root@localhost named]# vim /etc/named.conf
Restore the environment
[root@dns ~]# vim /etc/named.rfc1912.zones    # edit the zone definition
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-transfer { 172.25.254.102; };    // added; needed on RHEL 6 and earlier, no longer needed on RHEL 7 and later
also-notify { 172.25.254.102; };       // added; notifies 102 to synchronize my changes
};
[root@localhost named]# vim westos.com.zone
$TTL 1D
@ IN SOA westos.westos.com. root.westos.com. (
2018111801 ; serial  ## serial number, checked by the secondary when it reads the zone: if the number differs it synchronizes, if it is the same it does not
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
[root@localhost named]# systemctl restart named
Test on the secondary DNS to see whether it synchronized.
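The serial comment above is the whole synchronization mechanism: a secondary transfers the zone only when the serial it sees on the primary is higher than the one it already holds, so a forgotten bump after editing westos.com.zone means the secondary silently keeps the old data. The following shell script is an added example, not part of the original post: it reads and bumps a YYYYMMDDnn serial (the format the post uses, 2018111801) in place and never lets it go backwards. The sample zone file it writes is constructed here; the SOA is the post's, and the A records are made up from the addresses that appear in the post.

```shell
#!/bin/sh
# Added example, not code from the original post: bump the SOA serial of a
# BIND zone file. Secondaries only transfer the zone when the primary's
# serial is higher than their own, so every edit must be followed by a bump.
# Serial format assumed: YYYYMMDDnn, as in the post (2018111801).

# Print the current serial: the first field of the line commented "; serial".
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Rewrite the serial in place and print the new value.
# Usage: bump_serial <zonefile> [today as YYYYMMDD, defaults to the current date]
bump_serial() {
    zone="$1"
    today="${2:-$(date +%Y%m%d)}"
    old=$(zone_serial "$zone")
    case "$old" in
        ''|*[!0-9]*) echo "no numeric serial found in $zone" >&2; return 1 ;;
    esac
    if [ "${old%??}" = "$today" ] || [ "$old" -gt "${today}01" ]; then
        # Same day, or the old serial is already past today's base (clock
        # skew, more than 99 edits in one day): keep counting up, never go
        # backwards, because a lower serial would stop transfers entirely.
        new=$((old + 1))
    else
        new="${today}01"
    fi
    awk -v o="$old" -v n="$new" '
        !done && /; *serial/ && $1 == o { sub(o, n); done = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone" || return 1
    echo "$new"
}

# Constructed sample zone: SOA from the post, A records made up from the
# addresses that appear in the post (primary 172.25.254.202, www 172.25.254.68).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 1D
@       IN SOA  westos.westos.com. root.westos.com. (
                2018111801 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.202
www     A       172.25.254.68
EOF
}

# Stand-alone demo: sh bump_serial.sh --demo
if [ "${1:-}" = "--demo" ]; then
    write_sample_zone ./westos.com.zone.sample
    echo "old serial: $(zone_serial ./westos.com.zone.sample)"
    echo "new serial: $(bump_serial ./westos.com.zone.sample)"
fi
```

After bumping, `systemctl restart named` (or `rndc reload westos.com`) on the primary is what triggers the NOTIFY to 172.25.254.102; a quick check on the secondary is `dig @172.25.254.102 westos.com SOA` and comparing the serial with the primary's.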
Remote DNS updates
Configure the primary DNS (server)
1. Back up the zone file
[root@dns named]# mkdir /westos
[root@dns named]# cp -p westos.com.zone /westos/
2. Configure the DNS server to allow the client host to modify westos.com.zone
[root@dns named]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { 172.25.254.102; };
also-notify { 172.25.254.102; };
};
[root@localhost named]# systemctl restart named    # restart the service so the change takes effect
3. Change the permissions on /var/named so that others have write permission to its files
[root@localhost named]# chmod 770 /var/named/
4. Allow the named service to write zone files (SELinux boolean)
If SELinux is Disabled nothing needs to be done; here it is Enforcing:
Enforcing
[root@dns named]# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> off
[root@dns named]# setsebool -P named_write_master_zones on
5. Perform the remote update from the secondary DNS
[root@dns-slave slaves]# nsupdate
> server 172.25.254.202
> update add test.westos.com 86400 A 172.25.254.90
> send
> quit
The update succeeds and nsupdate exits.
6. Check on the primary DNS whether the update succeeded
[root@dns named]# systemctl restart named
[root@dns named]# vim westos.com.zone
The new test record is there: the update succeeded!
[root@dns named]# dig test.westos.com
Updating this way is not secure; let us set up a different DNS update method, key-based update.
Remote DNS updates with a key
First configure the primary DNS
1. Restore the experiment environment
2. Generate the key
[root@dns named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westoskey
3. Write the key file (/etc/westos.key, which named.conf includes in the next step)
key "westoskey" {    // key name
algorithm hmac-md5;
secret "<secret from the .private file generated above>";
};
4. Change the service configuration
Edit /etc/named.conf:
[root@dns named]# vim /etc/named.conf
Add:
include "/etc/westos.key";
Edit /etc/named.rfc1912.zones:
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { key westoskey; };
also-notify { 172.25.254.102; };
};
Restart the service
[root@dns named]# systemctl restart named
5. Distribute the key to the client
[root@dns named]# scp Kwestoskey.+157+54500.* root@172.25.254.102:/var/named
6. Test
[root@dns-slave named]# ls
data Kwestoskey.+157+54500.key named.ca named.localhost slaves
dynamic Kwestoskey.+157+54500.private named.empty named.loopback
[root@dns-slave named]# nsupdate -k Kwestoskey.+157+54500.private
> server 172.25.254.202
> update delete test.westos.com
> send
> quit
The remote update succeeds and nsupdate exits.
Check on the primary DNS:
the remote update succeeded, test has been deleted.
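The two manual pieces of the key-based procedure above are copying the secret out of Kwestoskey.+157+54500.private into the key stanza (step 3) and typing the nsupdate commands (step 6, and the same commands in the IP-based section before it). The following shell script is an added example, not code from the original post: it parses the Algorithm: and Key: lines that dnssec-keygen writes into the .private file, emits the key stanza for /etc/westos.key, and writes the nsupdate batch file with the record validated before anything is sent. The key name westoskey, the server 172.25.254.202 and the test.westos.com record are the post's; the .private file it writes is a constructed sample with a made-up secret. The algorithm mapping also handles hmac-sha256 keys, which current BIND versions prefer over the hmac-md5 the post uses.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the K*.private file
# that dnssec-keygen produced into the key {} stanza named.conf includes,
# and build the nsupdate batch that authenticates with the same key.

# Read "Key: <base64 secret>" from a dnssec-keygen .private file.
tsig_secret_from_private() {
    awk -F': ' '$1 == "Key" { print $2; exit }' "$1"
}

# Map "Algorithm: 157 (HMAC_MD5)" to the name named.conf expects (hmac-md5);
# "163 (HMAC_SHA256)" becomes hmac-sha256 the same way.
tsig_algorithm_from_private() {
    awk -F': ' '$1 == "Algorithm" { print tolower($2); exit }' "$1" |
        sed 's/^[0-9]* *(//; s/)$//; s/_/-/g'
}

# Emit the key stanza for /etc/westos.key.  Usage: tsig_key_stanza <name> <privatefile>
tsig_key_stanza() {
    name="$1"; priv="$2"
    secret=$(tsig_secret_from_private "$priv")
    alg=$(tsig_algorithm_from_private "$priv")
    [ -n "$secret" ] && [ -n "$alg" ] || { echo "cannot parse $priv" >&2; return 1; }
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Write the nsupdate batch (the commands typed interactively in the post),
# refusing malformed IPv4 addresses before a single packet is sent.
# Usage: nsupdate_batch <server> <fqdn> <ttl> <ipv4>
nsupdate_batch() {
    server="$1"; fqdn="$2"; ttl="$3"; addr="$4"
    echo "$addr" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }' ||
        { echo "invalid IPv4 address: $addr" >&2; return 1; }
    printf 'server %s\nupdate add %s %s A %s\nsend\nquit\n' "$server" "$fqdn" "$ttl" "$addr"
}

# Constructed sample of a dnssec-keygen .private file; the secret is made up.
# The file is the whole credential, so it is created readable by its owner only.
write_sample_private() {
    cat > "$1" <<'EOF'
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2FtcGxlLXNlY3JldC1ub3QtcmVhbA==
Bits: AAA=
Created: 20181118120000
Publish: 20181118120000
Activate: 20181118120000
EOF
    chmod 600 "$1"
}

# Stand-alone demo: sh tsig_update.sh --demo
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_sample_private "$dir/Kwestoskey.+157+54500.private"
    tsig_key_stanza westoskey "$dir/Kwestoskey.+157+54500.private"
    nsupdate_batch 172.25.254.202 test.westos.com 86400 172.25.254.90
    rm -rf "$dir"
fi
```

On the client the batch is fed to nsupdate the same way the post types it, `nsupdate -k Kwestoskey.+157+54500.private < batch`; the .private file should stay readable only by the account that runs nsupdate, since whoever can read it can rewrite the zone. On the primary, accepted updates go first to westos.com.zone.jnl, which is why the post restarts named before looking at westos.com.zone; `rndc freeze westos.com` and `rndc thaw westos.com` are the way to edit the zone file by hand without losing journaled updates.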