Primary and secondary DNS refers to the servers on the Internet that resolve the mapping between domain names and IP addresses. The primary DNS server holds the domain-name-to-IP mapping records, while the secondary DNS server takes over when the primary fails or becomes unavailable, keeping network services continuous and stable.
The roles of a primary/secondary DNS setup include:
- Name resolution: translating the domain name a user enters into the corresponding IP address so that traffic is routed to the right server.
- Higher reliability: with a primary/secondary architecture the secondary server keeps answering queries even if the primary fails, so connectivity is preserved.
- Load balancing: queries can be spread across several DNS servers, relieving any single server and improving overall performance.
- Security: different security policies can be applied to the primary and secondary servers, hardening the service against attacks such as DNS hijacking.
Combining primary and secondary DNS servers improves the reliability, stability and security of the system and is an important part of a robust network infrastructure.
In this walkthrough the two virtual machines have the IP addresses 192.168.1.220 (primary) and 192.168.1.36 (secondary).
Primary DNS server
Install the software
yum install -y bind bind-utils bind-chroot
bind: the main package
bind-utils: client test tools (host, dig, nslookup)
bind-chroot: chroot environment that confines the DNS server's working directory
caching-nameserver: template files and caching service shipped with RHEL 5; not needed on RHEL 6
Disable the firewall and SELinux enforcement
systemctl stop firewalld && setenforce 0
Start the service
# systemctl start named
If the working-directory folders do not exist after the service is started:
Working directories
/var/named/chroot/etc holds the main configuration file
/var/named/chroot/var/named holds the zone data
Configuration files
Back up the configuration file
cp /etc/named.conf /etc/named.conf.backup
Edit the configuration file:
[root@wing etc]# vim /etc/named.conf
options {
    # listen on port 53 of the host; any means every local address
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    # when zone files for forward/reverse lookups are referenced below, this is the
    # directory their file names are resolved against by default
    directory "/var/named";
    # the next three entries are the server's dump and statistics files
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    # who may send queries to this DNS server; any means everyone
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    forwarders {
        # upstream DNS server (the gateway)
        192.168.1.1;
    };
    // can be left out on Rocky 9
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the zone definition
vim /etc/named.rfc1912.zones
zone "baidu.com" IN {
    # the domain this server is authoritative for
    type master;
    # the zone data lives in /var/named/baidu.com.zone (relative to the directory option)
    file "baidu.com.zone";
    # allow-update permits RFC 2136 dynamic updates from this host; it does not control
    # zone transfers, which are governed by allow-transfer (default: any), so restrict
    # transfers to the secondary with allow-transfer { 192.168.1.36; }; if required
    allow-update { 192.168.1.36; };
};
Edit the zone file
vim /var/named/baidu.com.zone
$TTL 1D
; @ is the zone apex (baidu.com.); indented records inherit the previous owner name
@       IN SOA  baidu.com. root (
                1       ; serial: increase it on every change, otherwise the secondary never transfers the update
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                0 )     ; minimum
        IN NS   baidu.com.
        IN A    192.168.101.1
www     IN A    192.168.101.244
test    IN A    192.168.101.129
Set the file ownership and start the service
chown root:named /var/named/baidu.com.zone
systemctl restart named
systemctl enable named
Secondary DNS server
Install the software
yum install -y bind bind-utils bind-chroot
bind: the main package
bind-utils: client test tools (host, dig, nslookup)
bind-chroot: chroot environment that confines the DNS server's working directory
caching-nameserver: template files and caching service shipped with RHEL 5; not needed on RHEL 6
Disable the firewall and SELinux enforcement
systemctl stop firewalld && setenforce 0
Start the service
# systemctl start named
If the working-directory folders do not exist after the service is started:
Working directories
/var/named/chroot/etc holds the main configuration file
/var/named/chroot/var/named holds the zone data
Configuration files
Back up the configuration file
cp /etc/named.conf /etc/named.conf.backup
Edit the configuration file:
[root@wing etc]# vim /etc/named.conf
options {
    # listen on port 53 of the host; any means every local address
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    # when zone files for forward/reverse lookups are referenced below, this is the
    # directory their file names are resolved against by default
    directory "/var/named";
    # the next three entries are the server's dump and statistics files
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    # who may send queries to this DNS server; any means everyone
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    forwarders {
        # upstream DNS server (the gateway)
        192.168.1.1;
    };
    // can be left out on Rocky 9
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the zone definition
vim /etc/named.rfc1912.zones
zone "baidu.com" IN {
    # the domain this server serves a copy of
    type slave;
    # the transferred copy is written to /var/named/slaves/baidu.com.zone
    file "slaves/baidu.com.zone";
    # the primary server to transfer the zone from
    masters { 192.168.1.220; };
};
Edit the zone file
vim /var/named/slaves/baidu.com.zone
This file does not need to be created on the secondary: its contents are pulled from the primary DNS server by zone transfer, so the file is created automatically.
Start the service
systemctl restart named
systemctl enable named
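To confirm that the secondary has actually pulled the zone, compare the SOA serial each server returns; the following is an added example, not code from the original post, that queries both servers with a hand-built DNS packet using only Python's standard library. It assumes the addresses 192.168.1.220 / 192.168.1.36 and the zone baidu.com from the walkthrough, and that UDP port 53 on both servers is reachable from where it runs.

```python
import socket
import struct

def build_soa_query(zone: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags RD=1, QDCOUNT=1; question: QNAME labels, QTYPE=SOA (6), QCLASS=IN (1).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in zone.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)

def _skip_name(buf: bytes, off: int) -> int:
    # Advance past a domain name; a compression pointer (top two bits set) is 2 bytes and ends it.
    while buf[off] and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)

def parse_soa_serial(resp: bytes) -> int:
    # Skip the question section, then scan answers; SOA RDATA = MNAME, RNAME, SERIAL (uint32), ...
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 6:
            p = _skip_name(resp, _skip_name(resp, off))
            return struct.unpack("!I", resp[p:p + 4])[0]
        off += rdlen
    raise ValueError("no SOA record in answer section")

def serial_gt(a: int, b: int) -> bool:
    # RFC 1982 serial arithmetic, so the comparison survives the 32-bit wrap-around.
    return a != b and (a - b) % (1 << 32) < (1 << 31)

def replication_status(primary_serial: int, secondary_serial: int) -> str:
    if primary_serial == secondary_serial:
        return "in sync"
    return "secondary lagging" if serial_gt(primary_serial, secondary_serial) else "secondary ahead"

def query_serial(server: str, zone: str, timeout: float = 2.0) -> int:
    # Plain UDP/53 SOA query; a timeout means the server is down, filtered, or not answering for the zone.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        return parse_soa_serial(s.recv(512))

if __name__ == "__main__":  # primary/secondary addresses and zone name taken from the walkthrough
    p, s = (query_serial(ip, "baidu.com") for ip in ("192.168.1.220", "192.168.1.36"))
    print(f"primary serial={p} secondary serial={s}: {replication_status(p, s)}")
```

A secondary whose serial never changes after you edit the primary's zone usually means the serial in the zone file was not incremented.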