rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound
通过bind实现正向,反向,转发,主从,各种资源记录
7> 部署反向解析 从ip解析到fqdn
vim /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone
[root@serverb ~]# chown root:named /var/named/172.25.250.zone
[root@serverb ~]# chmod 640 /var/named/172.25.250.zone
[root@serverb ~]# vim /var/named/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
~
[root@serverb ~]# systemctl restart named
8> 测试
[root@servera ~]# host serverb.example.com
serverb.example.com has address 172.25.250.11
[root@servera ~]# host 172.25.250.10
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]# host 172.25.250.11
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]# host 172.25.250.12
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]# host 172.25.250.13
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]#
[root@servera ~]# nslookup
> set type=ptr
> 172.25.250.10
Server: 172.25.250.11
Address: 172.25.250.11#53
10.250.25.172.in-addr.arpa name = servera.example.com.
> set type=NS
> example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
example.com nameserver = serverb.example.com.
> set type=A
> servera.example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
Name: servera.example.com
Address: 172.25.250.10
>
也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x<ptr>
9> 主从同步:
修改配置文件在主DNS上配置
[root@serverc ~]# vim /etc/named.conf
zone "example.com" IN {
type master ;
file "example.com";
allow-transfer { 172.25.250.12; };
};
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12; };
};
[root@serverb ~]# systemctl restart named
在从DNS上<slave>
[root@serverc ~]# yum install -y bind
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
zone "example.com" IN {
type slave ; 类型是从DNS服务器
file "slaves/example.com";
masters { 172.25.250.11; };
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
file "slaves/172.25.250.zone";
masters { 172.25.250.11; };
};
[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverc ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
确认:
[root@serverc ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 490 Sep 3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep 3 22:29 example.com
[root@serverc ~]#
针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1,只有当序列号增加才会同步
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com. 从的DNS
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
[root@servera ~]# dig @serverb.example.com -x 172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN PTR serverb.example.com.
;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800 IN NS serverc.example.com.
250.25.172.in-addr.arpa. 10800 IN NS serverb.example.com.
;; ADDITIONAL SECTION:
serverb.example.com. 10800 IN A 172.25.250.11
serverc.example.com. 10800 IN A 172.25.250.12
;; Query time: 2 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE rcvd: 184
[root@servera ~]#
同步后,可以使用dig,发现有两个dns权威地址了。那么就是配置文件更改后,同步成功
10> 对于一个转发的DNS服务器来说,在正常情况下,如果我们没有配置转发,当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverd ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverd ~]# firewall-cmd --reload
success
[root@serverd ~]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
forwarders { 172.25.250.12 ;};
dnssec-enable no;
dnssec-validation no;
这两个可以删掉,也是zone地址。用不上
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
[root@serverd ~]# nslookup
> set type=A
> servera.example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer: 这里做了转发所以不一样。非授权机构
Name: servera.example.com
Address: 172.25.250.10
>
邮件服务器
邮件服务器要做转发,所以得找到邮件服务器
正
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
反
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
[root@serverb named]# nslookup
> set type=MX
> example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer:
example.com mail exchanger = 10 classroom.example.com.
Authoritative answers can be found from:
example.com nameserver = serverb.example.com.
example.com nameserver = serverc.example.com.
classroom.example.com internet address = 172.25.250.254
serverb.example.com internet address = 172.25.250.11
serverc.example.com internet address = 172.25.250.12
12> 仅缓存的DNS服务器:unbond
删除原来的unbound
[root@workstation ~]# lab dns-unbound start
[root@servera ~]# yum install -y unbound
[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]#
[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"
interface: 172.25.250.10
access-control: 172.25.250.0/24 allow
domain-insecure: "example.com" # 不开启安全域
interface-automatic: no # 如果开启那么监听所有端口,唯独不监听172.25.250.10
forward-zone:
name: .
forward-addr: 172.25.250.254
[root@servera ~]#
[root@servera ~]# unbound-control-setup
[root@servera ~]# ping servera.lab.example.com
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]# ping workstation
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com. 38 IN SOA bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com. 38 IN SOA classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.example.com example.com
#nameserver 172.25.250.254
nameserver 172.25.250.10
[root@servera ~]#
有缓存后,可以不依赖转发
清空缓存
[root@servera ~]# unbound-control flush *
缓存,和forward上的服务器都没了,就无法再ping通了
导出
unbound-control dump_cache > aa
unbound-control load_cache < aa
ansible 部署DNS unbound
[root@workstation ~]# lab dns-automation start
[student@workstation dns-auto]$ cat unbound.yml
---
- name: configure cache dns on servera
hosts: caching_dns
become: true
tasks:
- name: install the unbound package
yum:
name: unbound
state: present
- name: prepare configureation file for unbound
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: root
group: unbound
mode: '0644'
setype: named_conf_t
notify: restart service
- name: start service
service:
name: unbound
state: started
enabled: true
- name: config firewalld for unbond
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: unbond
state: restarted
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
{% for ip in ansible_facts['all_ipv4_addresses'] %}
interface: {{ ip }}
{% endfor %}
interface-automatic: no
access-control: 172.25.250.0/24 allow
domain-insecure: example.com
forward-zone:
name: .
forward-addr: 172.25.250.254
remote-control:
control-enable: yes
[student@workstation dns-auto]$
[student@workstation dns-auto]$ ls
ansible.cfg inventory playbook.yml unbound.conf.j2
ansible 部署bind
bind的YML文件
---
- name: config bind
hosts: primary_dns,secondary_dns
become: true
tasks:
- name: install package
yum:
name: bind
state: present
- name: config for primary
copy:
src: files/primary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverb.lab.example.com"
- name: config
copy:
src: files/secondary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverc.lab.example.com"
- name: zone file
copy:
src: files/example.com
dest: /var/named/example.com
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: zone file re
copy:
src: files/172.25.250.zone
dest: /var/named/172.25.250.zone
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: start service
service:
name: named
state: started
enabled: true
- name: firewalld
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: named
state: restarted
[student@workstation dns-auto]$
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com";
allow-transfer { 172.25.250.12;};
};
zone "250.25.172.in-addr.arpa" {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12;};
};
从named的配置文件
[student@workstation files]$ cat secondary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/example.com";
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/172.25.250.zone";
};
主的区域配置文件(正)
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
servera IN A 172.25.250.10
serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
serverd IN A 172.25.250.13
主的区域配置文件(反)
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
10 IN PTR servera.example.com.
11 IN PTR servera.example.com.
12 IN PTR servera.example.com.
13 IN PTR servera.example.com.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
任何一种服务的自动化配置:
一: 安装包
二: 配置文件 1: jiaj2模板的形式配置:unbound,2: file: bind, 3: notify restart service
三: 要读取数据文件路径: 基本都有
四: 服务
五: 防火墙
六: Handlers : 接收配置的文件改变从而去重新启动服务
rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound的更多相关文章
- rh358 003 ansible部署双网卡绑定 DNS原理 bind正向解析
双网卡绑定 绑定多张网卡成为逻辑口,从而实现链路冗余,以及数据流量的负载均衡 1.创建team口 [root@servera ~]# nmcli connection add type team co ...
- 二.Nginx反向代理和静态资源服务配置
2018年03月31日 10:30:12 麦洛_ 阅读数:1362更多 所属专栏: nginx 版权声明:本文为博主原创文章,未经博主允许不得转载. https://blog.csdn.net/M ...
- 常见资源记录定义(Resource Record)
所有的RRs(Resource Records)都具有相同的顶级字段格式定义:owner TTL CLASS TYPE RDATA owner 指示拥有资源记录的DNS域名 TTL 对大多数资源记录 ...
- DNS解惑之资源记录(2)
1.区域解析库 每个域都要维护一个区域解析库,而区域解析库都是由一条条的记录组成的,而每一条记录就被称为资源记录(resource record RR). 我们知道大多数域名下面都不仅仅有www服 ...
- dns资源记录类型
资源记录的定义格式: 语法:name [TTL] IN RR_TYPE value SOA: name:当前区域的名字,例如"magedu.com.",或者"2.168. ...
- DNS资源记录的七类
在Microsoft产品系列中,ADDS是一个很出色的设计平台,说到AD,那么我们就不得不提起他的合作伙伴--DNS,相信大家都知道,DNS在AD中的重要地位,就如男人和女人一样,要想有所作为,他们2 ...
- 三十三、DNS资源记录类型和请求流程
DNS分布均衡(Load balance)的实现 在上级数据库中写两条记录(同一个名字对应对个IP时),DNS会自动将请求基于轮循方式,分给每个DNS服务器 例如: 第一次将请求给第一个DNS,第二次 ...
- IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript、css、vm文件
IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript.css.vm文件https://blog.csdn.net/feng_pump/article ...
- DNS 资源记录解释
;SOA授权的开始;;SOA或授权的开始记录用来表示区域的启动;每个区域必须只有一个SOA记录;从名字服务器,在不能和主服务器通信的情况下,将提供12小时DNS服务, 在指定的时间后停止为那个区域提供 ...
随机推荐
- 【主流技术】ElasticSearch 在 Spring 项目中的实践
前言 ElasticSearch简称es,是一个开源的高扩展的分布式全文检索引擎. 它可以近乎实时的存储.检索数据,其扩展性很好,ElasticSearch是企业级应用中较为常见的技术. 下面和大家分 ...
- Redis 切片集群的数据倾斜分析
Redis 中如何应对数据倾斜 什么是数据倾斜 数据量倾斜 bigkey导致倾斜 Slot分配不均衡导致倾斜 Hash Tag导致倾斜 数据访问倾斜 如何发现 Hot Key Hot Key 如何解决 ...
- 不同network中的两个docker容器
1. 创建docker网络 docker network create --subnet 172.18.0.1/16 test docker network ls 2. 创建两个容器指定docker ...
- UiPathExcel读取操作
一.Uipath操作Excel的相关基本概念 1.UiPath操作Excel的两组方法 App Integration > Excel VS System > File > W ...
- static关键字续、继承、重写、多态
static关键字 1.对于实例变量,每个java对象都拥有自己的一份,存储在堆内存当中,在构造方法执行的时候初始化. 2.所有对象都拥有同一个属性时,并且值相同,建议声明为static变量. 3.静 ...
- 初学python常用,python模块安装和卸载的几种方法
兄弟们常常因为遇到模块不会安装,或者遇到报错就懵了,就很耽误学习进度,今天我们就一次性了解Python几种安装模块的方法~不过~ 实在是懒得看 点击此处找管理员小姐姐手把手教你安装 一.命令提示符窗口 ...
- Day01 对前端的初步了解
了解了工作性质以及流程 产品经理+UI+前端程序员+后端程序员+测试人员 了解了工作会做到的项目 pc端项目,后台管理系统,APP,小程序,移动端网页 了解了后续需要学到的课程 HTML+CSS Ja ...
- Tapdata Cloud 2.1.4 来啦:数据连接又上新,PolarDB MySQL、轻流开始接入,可自动标记不支持的字段类型
需求持续更新,优化一刻不停--Tapdata Cloud 2.1.4 来啦! 最新发布的版本中,在新增数据连接之余,默认标记不支持同步的字段类型,避免因此影响任务的正常运行. 更新速览 ① 数 ...
- 【.NET基础】Linq常用语法代码演示
前言:前言不重要,linq入门常用的语法,linq语法可以用来写操作集合.数据库表集合等等几乎所有集合类型的操作.下面就写几个案例(以List集合来做的),看代码和运行结果即可. 本文演示环境:VS2 ...
- webapi <Message>已拒绝为此请求授权。</Message>
webapi <Message>已拒绝为此请求授权.</Message> 原有的调用base.OnAuthorization(actionContext); 换成下面这个 // ...