rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound
通过bind实现正向,反向,转发,主从,各种资源记录
7> 部署反向解析 从ip解析到fqdn
vim /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone
[root@serverb ~]# chown root:named /var/named/172.25.250.zone
[root@serverb ~]# chmod 640 /var/named/172.25.250.zone
[root@serverb ~]# vim /var/named/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
~
[root@serverb ~]# systemctl restart named
8> 测试
[root@servera ~]# host serverb.example.com
serverb.example.com has address 172.25.250.11
[root@servera ~]# host 172.25.250.10
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]# host 172.25.250.11
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]# host 172.25.250.12
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]# host 172.25.250.13
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]#
[root@servera ~]# nslookup
> set type=ptr
> 172.25.250.10
Server: 172.25.250.11
Address: 172.25.250.11#53
10.250.25.172.in-addr.arpa name = servera.example.com.
> set type=NS
> example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
example.com nameserver = serverb.example.com.
> set type=A
> servera.example.com
Server: 172.25.250.11
Address: 172.25.250.11#53
Name: servera.example.com
Address: 172.25.250.10
>
也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x<ptr>
9> 主从同步:
修改配置文件在主DNS上配置
[root@serverc ~]# vim /etc/named.conf
zone "example.com" IN {
type master ;
file "example.com";
allow-transfer { 172.25.250.12; };
};
zone "250.25.172.in-addr.arpa" IN {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12; };
};
[root@serverb ~]# systemctl restart named
在从DNS上<slave>
[root@serverc ~]# yum install -y bind
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
zone "example.com" IN {
type slave ; 类型是从DNS服务器
file "slaves/example.com";
masters { 172.25.250.11; };
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
file "slaves/172.25.250.zone";
masters { 172.25.250.11; };
};
[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverc ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
确认:
[root@serverc ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 490 Sep 3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep 3 22:29 example.com
[root@serverc ~]#
针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1,只有当序列号增加才会同步
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com. 从的DNS
10 IN PTR servera.example.com.
11 IN PTR serverb.example.com.
12 IN PTR serverc.example.com.
13 IN PTR serverd.example.com.
[root@servera ~]# dig @serverb.example.com -x 172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN PTR serverb.example.com.
;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800 IN NS serverc.example.com.
250.25.172.in-addr.arpa. 10800 IN NS serverb.example.com.
;; ADDITIONAL SECTION:
serverb.example.com. 10800 IN A 172.25.250.11
serverc.example.com. 10800 IN A 172.25.250.12
;; Query time: 2 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE rcvd: 184
[root@servera ~]#
同步后,可以使用dig,发现有两个dns权威地址了。那么就是配置文件更改后,同步成功
10> 对于一个转发的DNS服务器来说,在正常情况下,如果我们没有配置转发,当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverd ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverd ~]# firewall-cmd --reload
success
[root@serverd ~]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
forwarders { 172.25.250.12 ;};
dnssec-enable no;
dnssec-validation no;
这两个可以删掉,也是zone地址。用不上
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
[root@serverd ~]# nslookup
> set type=A
> servera.example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer: 这里做了转发所以不一样。非授权机构
Name: servera.example.com
Address: 172.25.250.10
>
邮件服务器
邮件服务器要做转发,所以得找到邮件服务器
正
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
反
@ IN MX 10 classroom.example.com.
254 IN PTR classroom.example.com.
[root@serverb named]# nslookup
> set type=MX
> example.com
Server: 172.25.250.13
Address: 172.25.250.13#53
Non-authoritative answer:
example.com mail exchanger = 10 classroom.example.com.
Authoritative answers can be found from:
example.com nameserver = serverb.example.com.
example.com nameserver = serverc.example.com.
classroom.example.com internet address = 172.25.250.254
serverb.example.com internet address = 172.25.250.11
serverc.example.com internet address = 172.25.250.12
12> 仅缓存的DNS服务器:unbond
删除原来的unbound
[root@workstation ~]# lab dns-unbound start
[root@servera ~]# yum install -y unbound
[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]#
[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"
interface: 172.25.250.10
access-control: 172.25.250.0/24 allow
domain-insecure: "example.com" # 不开启安全域
interface-automatic: no # 如果开启那么监听所有端口,唯独不监听172.25.250.10
forward-zone:
name: .
forward-addr: 172.25.250.254
[root@servera ~]#
[root@servera ~]# unbound-control-setup
[root@servera ~]# ping servera.lab.example.com
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]# ping workstation
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com. 38 IN SOA bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com. 38 IN SOA classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search lab.example.com example.com
#nameserver 172.25.250.254
nameserver 172.25.250.10
[root@servera ~]#
有缓存后,可以不依赖转发
清空缓存
[root@servera ~]# unbound-control flush *
缓存,和forward上的服务器都没了,就无法再ping通了
导出
unbound-control dump_cache > aa
unbound-control load_cache < aa
ansible 部署DNS unbound
[root@workstation ~]# lab dns-automation start
[student@workstation dns-auto]$ cat unbound.yml
---
- name: configure cache dns on servera
hosts: caching_dns
become: true
tasks:
- name: install the unbound package
yum:
name: unbound
state: present
- name: prepare configureation file for unbound
template:
src: unbound.conf.j2
dest: /etc/unbound/unbound.conf
owner: root
group: unbound
mode: '0644'
setype: named_conf_t
notify: restart service
- name: start service
service:
name: unbound
state: started
enabled: true
- name: config firewalld for unbond
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: unbond
state: restarted
[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
{% for ip in ansible_facts['all_ipv4_addresses'] %}
interface: {{ ip }}
{% endfor %}
interface-automatic: no
access-control: 172.25.250.0/24 allow
domain-insecure: example.com
forward-zone:
name: .
forward-addr: 172.25.250.254
remote-control:
control-enable: yes
[student@workstation dns-auto]$
[student@workstation dns-auto]$ ls
ansible.cfg inventory playbook.yml unbound.conf.j2
ansible 部署bind
bind的YML文件
---
- name: config bind
hosts: primary_dns,secondary_dns
become: true
tasks:
- name: install package
yum:
name: bind
state: present
- name: config for primary
copy:
src: files/primary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverb.lab.example.com"
- name: config
copy:
src: files/secondary_dns.conf
dest: /etc/named.conf
notify: restart service
when: inventory_hostname == "serverc.lab.example.com"
- name: zone file
copy:
src: files/example.com
dest: /var/named/example.com
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: zone file re
copy:
src: files/172.25.250.zone
dest: /var/named/172.25.250.zone
owner: root
group: named
when: inventory_hostname == "serverb.lab.example.com"
- name: start service
service:
name: named
state: started
enabled: true
- name: firewalld
firewalld:
service: dns
state: enabled
immediate: yes
permanent: yes
handlers:
- name: restart service
service:
name: named
state: restarted
[student@workstation dns-auto]$
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type master;
file "example.com";
allow-transfer { 172.25.250.12;};
};
zone "250.25.172.in-addr.arpa" {
type master;
file "172.25.250.zone";
allow-transfer { 172.25.250.12;};
};
从named的配置文件
[student@workstation files]$ cat secondary_dns.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.com" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/example.com";
};
zone "250.25.172.in-addr.arpa" IN {
type slave;
masters { 172.25.250.11; };
file "slaves/172.25.250.zone";
};
主的区域配置文件(正)
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
servera IN A 172.25.250.10
serverb IN A 172.25.250.11
serverc IN A 172.25.250.12
serverd IN A 172.25.250.13
主的区域配置文件(反)
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@ IN SOA serverb.example.com. root.serverb.example.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS serverb.example.com.
@ IN NS serverc.example.com.
10 IN PTR servera.example.com.
11 IN PTR servera.example.com.
12 IN PTR servera.example.com.
13 IN PTR servera.example.com.
[student@workstation dns-auto]$ cat inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
任何一种服务的自动化配置:
一: 安装包
二: 配置文件 1: jiaj2模板的形式配置:unbound,2: file: bind, 3: notify restart service
三: 要读取数据文件路径: 基本都有
四: 服务
五: 防火墙
六: Handlers : 接收配置的文件改变从而去重新启动服务
rh358 004 bind反向,转发,主从,各种资源记录 unbound ansible部署bind unbound的更多相关文章
- rh358 003 ansible部署双网卡绑定 DNS原理 bind正向解析
双网卡绑定 绑定多张网卡成为逻辑口,从而实现链路冗余,以及数据流量的负载均衡 1.创建team口 [root@servera ~]# nmcli connection add type team co ...
- 二.Nginx反向代理和静态资源服务配置
2018年03月31日 10:30:12 麦洛_ 阅读数:1362更多 所属专栏: nginx 版权声明:本文为博主原创文章,未经博主允许不得转载. https://blog.csdn.net/M ...
- 常见资源记录定义(Resource Record)
所有的RRs(Resource Records)都具有相同的顶级字段格式定义:owner TTL CLASS TYPE RDATA owner 指示拥有资源记录的DNS域名 TTL 对大多数资源记录 ...
- DNS解惑之资源记录(2)
1.区域解析库 每个域都要维护一个区域解析库,而区域解析库都是由一条条的记录组成的,而每一条记录就被称为资源记录(resource record RR). 我们知道大多数域名下面都不仅仅有www服 ...
- dns资源记录类型
资源记录的定义格式: 语法:name [TTL] IN RR_TYPE value SOA: name:当前区域的名字,例如"magedu.com.",或者"2.168. ...
- DNS资源记录的七类
在Microsoft产品系列中,ADDS是一个很出色的设计平台,说到AD,那么我们就不得不提起他的合作伙伴--DNS,相信大家都知道,DNS在AD中的重要地位,就如男人和女人一样,要想有所作为,他们2 ...
- 三十三、DNS资源记录类型和请求流程
DNS分布均衡(Load balance)的实现 在上级数据库中写两条记录(同一个名字对应对个IP时),DNS会自动将请求基于轮循方式,分给每个DNS服务器 例如: 第一次将请求给第一个DNS,第二次 ...
- IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript、css、vm文件
IntelliJ IDEA - 热部署插件JRebel ,对静态资源文件进行热部署?javascript.css.vm文件https://blog.csdn.net/feng_pump/article ...
- DNS 资源记录解释
;SOA授权的开始;;SOA或授权的开始记录用来表示区域的启动;每个区域必须只有一个SOA记录;从名字服务器,在不能和主服务器通信的情况下,将提供12小时DNS服务, 在指定的时间后停止为那个区域提供 ...
随机推荐
- BUUCTF-[BJDCTF2020]你猜我是个啥
[BJDCTF2020]你猜我是个啥 下载压缩包提示打不开,16进制直接拉最下方可以查看到flag flag{i_am_fl@g}
- 关于升级最新版本node.js你知道多少?
1.先检查版本 node -v 2.清除缓存 npm cache clean -f 3.全局安装管理node.js版本工具 npm install -g n 4.确认安装最新版本 n stable 5 ...
- MOEAD实现、基于分解的多目标进化、 切比雪夫方法-(python完整代码)
确定某点附近的点 答:每个解对应的是一组权重,即子问题,红点附近的四个点,也就是它的邻居怎么确定呢?由权重来确定,算法初始化阶段就确定了每个权重对应的邻居,也就是每个子问题的邻居子问题.权重的邻居通过 ...
- python小题目练习(十)
题目:根据生日判断星座 需求:实现如下图所示结果 代码展示: """Author:mllContent:根据生日判断星座Date:2020-11-23"&quo ...
- MySQL 锁常见知识点&面试题总结
节选自 <MySQL 常见知识点&面试题总结> 表级锁和行级锁了解吗?有什么区别? MyISAM 仅仅支持表级锁(table-level locking),一锁就锁整张表,这在并发 ...
- TypeScript ReadonlyArray(只读数组类型) 详细介绍
1.ReadonlyArray 简介 在TypeScript中,除了Array<T>类型,还有一个ReadonlyArray<T>类型,ReadonlyArray类型和Arra ...
- MyBatis关联查询和懒加载错误
MyBatis关联查询和懒加载错误 今天在写项目时遇到了个BUG.先说一下背景,前端请求更新生产订单状态,后端从前端接收到生产订单ID进行查询,然后就有问题了. 先看控制台报错: org.apache ...
- CMU15445 (Fall 2019) 之 Project#2 - Hash Table 详解
前言 该实验要求实现一个基于线性探测法的哈希表,但是与直接放在内存中的哈希表不同的是,该实验假设哈希表非常大,无法整个放入内存中,因此需要将哈希表进行分割,将多个键值对放在一个 Page 中,然后搭配 ...
- java-数据输入,分支结构
数据输入 1.Scanner使用的基本步骤" 导包:import java.util.Scanner;(导包的动作必须出现在类定义的上边) 创建对象:Scanner sc = new Sca ...
- java--运算符和表达式
运算符:就是对常量或者遍历进行操作的符号: 表达式:用运算符把常量或者变量连接起来符合java语法的式子称为表达式,不同运算符连接的表达式体现的是不同类型的表达式. 一.算术运算符 1.使用%运算符: ...