Deploying Common Network Services

1. Introduction

As an ops engineer you sometimes need to set up common services to make your own work easier: FTP, DNS, VPN and the like. Here I am going to write up the services I use day to day. As the saying goes, the palest ink beats the best memory, so when I need one of them I can come straight here and look it up. Every service below is one I have tested myself and found to work.

2. Deployment

2.1. Deploying vsftpd

This tool gets used fairly often; it is one way to keep a shared store of files. Below I deploy it with two login modes.

2.1.1. Anonymous login

First, the environment used:
OS: cat /etc/centos-release
CentOS Linux release 7.5.1804 (Core)
Docker: docker version
Version: 18.03.1-ce

  • Write the docker-compose.yml file
    cat docker-compose.yml
ftp_linuxwt:
   restart: always
   image: fauria/vsftpd
   container_name: ftp_linuxwt
   volumes:
      - /data/vsftpd/vsftpd:/var/ftp
      - $PWD/vsftpd.conf:/etc/vsftpd/vsftpd.conf
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
   ports:
      - "21:21"
      - "20:20"
      - "3000-3050:3000-3050"
   environment:
      - FTP_USER=ftp
      - FTP_PASS=
      - PASV_ADDRESS=172.168.1.26
      - PASV_MIN_PORT=3000
      - PASV_MAX_PORT=3050
  • Write vsftpd.conf
    cat vsftpd.conf
background=NO
anonymous_enable=YES
local_enable=YES
guest_enable=YES
virtual_use_local_privs=YES
#anon_upload_enable=YES
#anon_mkdir_write_enable=YES
#anon_other_write_enable=YES
write_enable=YES
pam_service_name=vsftpd_virtual
user_sub_token=$USER
local_root=/home/vsftpd/$USER
chroot_local_user=YES
allow_writeable_chroot=YES
hide_ids=YES
pasv_addr_resolve=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
port_enable=YES
connect_from_port_20=YES
ftp_data_port=20
seccomp_sandbox=NO
pasv_enable=YES
pasv_address=172.168.1.26
pasv_max_port=3050
pasv_min_port=3000

Start the container with docker-compose up.
Any FTP client can now reach the server; for example, install an ftp client on a Linux box and run
ftp 172.168.1.26, then log in as anonymous or ftp with an empty password. In this state clients can only download; files can only be added on the server side.
To let clients upload, create directories, modify files and so on, do the following:

  • Edit vsftpd.conf
    cat vsftpd.conf
background=NO
anonymous_enable=YES
local_enable=YES
guest_enable=YES
virtual_use_local_privs=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
write_enable=YES
pam_service_name=vsftpd_virtual
user_sub_token=$USER
local_root=/home/vsftpd/$USER
chroot_local_user=YES
allow_writeable_chroot=YES
hide_ids=YES
pasv_addr_resolve=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
port_enable=YES
connect_from_port_20=YES
ftp_data_port=20
seccomp_sandbox=NO
pasv_enable=YES
pasv_address=172.168.1.26
pasv_max_port=3050
pasv_min_port=3000
  • Create the upload directory
    docker exec -it ftp_linuxwt bash
    mkdir -p /var/ftp/ftp
    chown -Rf ftp /var/ftp/ftp
    docker restart ftp_linuxwt
    Clients can now upload files. Note that anon_upload_enable together with anon_other_write_enable lets anyone who can reach port 21 create, rename and delete files in that directory without any credentials, so keep this mode on a trusted LAN.

2.1.2. Single-user authenticated login

This mode needs changes to the related config files; make the following edits in order.
cat docker-compose.yml

ftp_linuxwt:
   restart: always
   image: fauria/vsftpd
   container_name: ftp_linuxwt
   volumes:
      - /data/vsftpd/vsftpd:/home/vsftpd
      - $PWD/vsftpd.conf:/etc/vsftpd/vsftpd.conf
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
   ports:
      - "21:21"
      - "20:20"
      - "3000-3050:3000-3050"
   environment:
      - FTP_USER=ftpuser
      - FTP_PASS=ftppassword
      - PASV_ADDRESS=172.168.1.26
      - PASV_MIN_PORT=3000
      - PASV_MAX_PORT=3050

vsftpd.conf needs changes as well
cat vsftpd.conf

background=NO
anonymous_enable=NO
local_enable=YES
guest_enable=YES
virtual_use_local_privs=YES
write_enable=YES
pam_service_name=vsftpd_virtual
user_sub_token=$USER
local_root=/home/vsftpd/$USER
chroot_local_user=YES
allow_writeable_chroot=YES
hide_ids=YES
pasv_addr_resolve=NO
xferlog_enable=YES
xferlog_file=/var/log/vsftpd/vsftpd.log
port_enable=YES
connect_from_port_20=YES
ftp_data_port=20
seccomp_sandbox=NO
pasv_enable=YES
pasv_address=172.168.1.26
pasv_max_port=3050
pasv_min_port=3000

Start the container: docker-compose up -d
Enter the container: docker exec -it ftp_linuxwt bash
/usr/bin/db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
Now we can access the FTP server.

2.1.3. Multi-user authenticated login

Edit docker-compose.yml
cat docker-compose.yml

ftp_linuxwt:
   restart: always
   image: fauria/vsftpd
   container_name: ftp_linuxwt
   volumes:
      - /data/vsftpd/vsftpd:/home/vsftpd
      - $PWD/vsftpd.conf:/etc/vsftpd/vsftpd.conf
      - /etc/localtime:/etc/localtime
      - /etc/timezone:/etc/timezone
   ports:
      - "21:21"
      - "20:20"
      - "3000-3050:3000-3050"
   environment:
      - PASV_ADDRESS=172.168.1.26
      - PASV_MIN_PORT=3000
      - PASV_MAX_PORT=3050

Start the container: docker-compose up -d
Enter the container: docker exec -it ftp_linuxwt bash
Inside the container: vi /etc/vsftpd/virtual_users.txt
Here we enter two test accounts, as shown below
admin
KfjGTPnoRuZfEyeD
ftpuser1
ftppassword1
ftpuser2
ftppassword2
Note that admin is the default account in this mode; above it you can see the two FTP accounts we created
After filling in the users, the user directories must also exist before the users are written to the database
mkdir -p /home/vsftpd/ftpuser1
mkdir -p /home/vsftpd/ftpuser2
Write the user information into the database
/usr/bin/db_load -T -t hash -f /etc/vsftpd/virtual_users.txt /etc/vsftpd/virtual_users.db
Exit the container and restart it: docker restart ftp_linuxwt
Now we can access the FTP server.
Note: once the container is taken down the users disappear, but their storage directories remain; all we need to do is recreate the users.
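The recreate-the-users step is easy to get wrong by hand, so here is an added helper script (it is not part of the original post and not the fauria/vsftpd image's own tooling) that rebuilds virtual_users.txt, the per-user home directories and virtual_users.db from a user:password list kept on the host; the --apply flag, the users.list file name and the default ETC/ROOT paths are assumptions.

```shell
#!/bin/bash
# Added example, not from the original post: rebuild the vsftpd virtual-user
# database from a "user:password" list kept outside the container. The post
# notes that the accounts vanish when the container is recreated while the
# home directories survive; keeping the list on the host and re-running this
# turns recovery into one command. Assumed paths: ETC is the directory holding
# virtual_users.txt/.db (/etc/vsftpd in the fauria/vsftpd image) and ROOT is
# the home root (/home/vsftpd). db_load is only called when it is installed.
set -eu

# write_virtual_users LIST OUT -> prints the number of accounts written.
# LIST holds one "user:password" per line; blank lines and '#' comments are
# skipped. OUT gets the alternating user/password layout that db_load expects.
write_virtual_users() {
    list="$1"; out="$2"; count=0
    : > "$out"
    chmod 600 "$out"                      # the file holds cleartext passwords
    while IFS=: read -r user pass; do
        case "$user" in ''|\#*) continue ;; esac
        case "$user" in                   # reject names that could escape ROOT
            *[!A-Za-z0-9_.-]*|.|..) echo "bad username: $user" >&2; return 1 ;;
        esac
        [ -n "$pass" ] || { echo "empty password for $user" >&2; return 1; }
        printf '%s\n%s\n' "$user" "$pass" >> "$out"
        count=$((count + 1))
    done < "$list"
    echo "$count"
}

# make_home_dirs LIST ROOT -> one directory per user. vsftpd runs virtual
# users as the guest account (ftp), so hand ownership to it when it exists.
make_home_dirs() {
    list="$1"; root="$2"
    while IFS=: read -r user _; do
        case "$user" in ''|\#*) continue ;; esac
        mkdir -p "$root/$user"
        chmod 755 "$root/$user"
        if id ftp >/dev/null 2>&1; then
            chown ftp "$root/$user" 2>/dev/null || echo "chown $root/$user needs root" >&2
        fi
    done < "$list"
}

# build_db ETC -> compile virtual_users.txt into the Berkeley DB file that
# pam_userdb reads (the same db_load call as in the post). Returns 2 when
# db_load is not installed so a dry run on a workstation does not abort.
build_db() {
    etc="$1"
    command -v db_load >/dev/null 2>&1 || { echo "db_load not found" >&2; return 2; }
    db_load -T -t hash -f "$etc/virtual_users.txt" "$etc/virtual_users.db"
    chmod 600 "$etc/virtual_users.db"
}

# Usage inside the container (after docker cp of the list), followed by
# docker restart ftp_linuxwt on the host so vsftpd re-reads the database.
if [ "${1:-}" = "--apply" ]; then
    etc="${2:-/etc/vsftpd}"; root="${3:-/home/vsftpd}"; list="${4:-$etc/users.list}"
    n=$(write_virtual_users "$list" "$etc/virtual_users.txt")
    make_home_dirs "$list" "$root"
    build_db "$etc" && echo "rebuilt $n virtual users"
fi
```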

2.1.4. Client transfer test

The above covers roughly how to deploy vsftpd, but how do you actually transfer files from a client? Here I use lftp as the client tool.
First install lftp on another CentOS 7 machine.
Connect to the anonymous server: lftp 172.168.1.26
Connect to an authenticated server: lftp username:password@172.168.1.26
(A password on the command line shows up in the process list and in shell history; lftp also reads credentials from ~/.netrc, which should be readable only by its owner.)
Sometimes we want to upload files or directories automatically; a script can do that.

  • Upload a directory
    cat lftp.sh1
#!/bin/bash

lftp ftpuser:ftppassword@172.168.1.26<<EOF
mirror -R $1
bye
EOF
  • Upload a file
    cat lftp.sh2
#!/bin/bash

lftp ftpuser:ftppassword@172.168.1.26<<EOF
put $1
bye
EOF

Having two scripts is sometimes inconvenient, so we merge them into one
cat lftp.sh

#!/bin/bash

# Upload a directory (mirror -R) or a single file (put), depending on what $1 is.
# The heredoc terminator must start at column 0, otherwise bash never finds it.
if [ -d "$1" ]; then
    lftp ftpuser:ftppassword@172.168.1.26 <<EOF
mirror -R $1
bye
EOF
elif [ -f "$1" ]; then
    lftp ftpuser:ftppassword@172.168.1.26 <<EOF
put $1
bye
EOF
else
    echo "usage: $0 <file-or-directory>"
    exit 1
fi

Sometimes the requirement is to create a directory and upload a file into it; here is an example
cat lftp.sh3

#!/bin/bash

# $1 is the remote directory to create, $2 the local file to upload into it.
# mkdir -p keeps the script reusable when the directory already exists.
lftp ftpuser:ftppassword@172.168.1.26 <<EOF
mkdir -p $1
cd $1 && put $2
bye
EOF

2.1.5. Problems encountered

Problem 1:
There are three FTP users, ftpuser1, ftpuser2 and ftpuser3, and each can only upload into its own directory. Now ftpuser1 must also be able to upload into the other two users' root directories; a symbolic link pointing there can do this. Keep in mind that with chroot_local_user=YES the link target has to resolve inside ftpuser1's chroot, so a link to a path outside it will not work; a bind mount of the other directory into ftpuser1's tree is the reliable alternative.

2.2. Deploying NTP

Usually we can just sync against public NTP servers on the internet, but sometimes several machines on a LAN need to stay in sync with each other, which is more stable; then we have to set up our own NTP server.
Three machines as the example:

  • Server: 172.168.1.26
  • Client 1: 172.168.1.25
  • Client 2: 172.168.1.27

2.2.1. Server deployment

yum -y install ntp ntpdate
First sync the server itself against Alibaba Cloud's time servers
ntpdate ntp1.aliyun.com
ntpdate ntp2.aliyun.com
Then edit the ntp config file
cat /etc/ntp.conf

restrict default nomodify notrap noquery
 
restrict 127.0.0.1
restrict 172.168.1.0 mask 255.255.255.0 nomodify    
# Only allow clients in the 172.168.1.0/24 network to sync time. To let clients from any IP sync, change this to "restrict default nomodify"
 
server ntp1.aliyun.com
server ntp2.aliyun.com
server time1.aliyun.com
server time2.aliyun.com

server time-a.nist.gov
server time-b.nist.gov
 
server  127.127.1.0     
# local clock
fudge   127.127.1.0 stratum 10
 
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
keys            /etc/ntp/keys

systemctl restart ntpd
systemctl enable ntpd
systemctl daemon-reload
Scheduled sync on the server
crontab -e
0 0,6,12,18 * * * /usr/sbin/ntpdate ntp1.aliyun.com; /sbin/hwclock -w
Sync at 00:00, 06:00, 12:00 and 18:00 every day. Note that ntpdate refuses to run while ntpd holds UDP port 123 (it reports that the NTP socket is in use), so with ntpd running either drop this cron job and let ntpd discipline the clock on its own, or call ntpdate -u, which uses an unprivileged port.

2.2.2. Client configuration

Using 172.168.1.25 as the example, run a sync once by hand to check that it works
ntpdate 172.168.1.26
Scheduled sync on the client
crontab -e
*/5 * * * * /usr/sbin/ntpdate 172.168.1.26;/sbin/hwclock -w
Sync every five minutes

2.3. Deploying NFS

2.3.1. Installing client and server

Assume the client IP is 192.168.167.24 and the server IP is 192.168.167.25
Install nfs
yum -y install nfs-utils
Start nfs
systemctl enable rpcbind.service
systemctl enable nfs-server.service
systemctl daemon-reload
systemctl start rpcbind.service
systemctl start nfs-server.service

2.3.2. Server configuration

vi /etc/exports

/data/gooalgene 192.168.167.24(rw,no_root_squash,no_subtree_check,no_all_squash,sync,anonuid=501,anongid=501)

After editing, apply the exports with exportfs -r (no_root_squash lets root on 192.168.167.24 act as root on the share, so use it only for a client you fully trust), then verify:
showmount -e
Export list for agent2:
/data/gooalgene 192.168.167.24
The effective export options are listed in /var/lib/nfs/etab, which exportfs generates (view it, do not edit it by hand):
cat /var/lib/nfs/etab

/data/gooalgene/load/report   192.168.167.24(rw,sync,wdelay,hide,nocrossmnt,secure,no_root_squash,no_all_squash,no_subtree_check,secure_locks,acl,no_pnfs,anonuid=501,anongid=501,sec=sys,secure,no_root_squash,no_all_squash)  

2.3.3. Client configuration

vi /etc/fstab

192.168.167.25:/data/gooalgene/load/report /data/gooalgene/ga/report nfs4      hard,intr,sync,tcp,rsize=32768,wsize=32768,vers=4.1,clientaddr=192.168.167.24,addr=192.168.167.25  0  0   

Mount everything listed in fstab (fstab is data, not a shell script, so it cannot be sourced):
mount -a

2.3.4. Mounting

Mount on the client
mount -t nfs 192.168.167.25:/data/gooalgene/load/report /data/gooalgene/ga/report

2.4. Deploying Sendmail

sendmail is a common mail server on Linux; below is a brief look at installing and configuring it.

2.4.1. Installing sendmail

yum install -y sendmail
yum install -y sendmail-cf
yum -y install mailx
The saslauthd daemon is shipped in the cyrus-sasl package:
yum -y install cyrus-sasl
systemctl start saslauthd

2.4.2. Authentication configuration

2.4.2.1. SMTP configuration

vi /etc/mail/sendmail.mc and change the corresponding lines to the following

TRUST_AUTH_MECH(`EXTERNAL DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl 
define(`confAUTH_MECHANISMS', `EXTERNAL GSSAPI DIGEST-MD5 CRAM-MD5 LOGIN PLAIN')dnl  

2.4.2.2. Network access configuration

vi /etc/mail/sendmail.mc and change the corresponding line to the following. Addr=0.0.0.0 makes sendmail accept connections on every interface instead of only loopback; leave it at 127.0.0.1 unless other hosts must relay through this machine, and if you do open it, offer LOGIN and PLAIN only over STARTTLS.

DAEMON_OPTIONS(`Port=smtp,Addr=0.0.0.0, Name=MTA')dnl

2.4.3. Generating the config file

m4 /etc/mail/sendmail.mc > /etc/mail/sendmail.cf

2.4.4. Configuring the sending mailbox

In theory mail can already be sent after the previous step, but mail sent that way is often caught by spam filters, so we configure a common third-party mailbox to send through; 126 Mail is the example here
vi /etc/mail.rc

set from=<your mailbox address>
set smtp=smtp.126.com
set smtp-auth-user=<your mailbox address>
set smtp-auth-password=<authorisation code>
set smtp-auth=login

Test
echo "test" | mail -s "东北农林研究所服务器192.168.5.204" 439757183@qq.com

2.4.5. Sending mail over SSL

Alibaba Cloud blocks port 25 by default (opening it in the security group does not help), but SSL-encrypted delivery over port 465 still works.
The steps are as follows

mkdir -p /data/.certs  
echo -n | openssl s_client -connect smtp.126.com:465 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /data/.certs/126.crt  
certutil -A -n "GeoTrust SSL CA" -t "C,," -d /data/.certs -i /data/.certs/126.crt
certutil -A -n "GeoTrust Global CA" -t "C,," -d /data/.certs -i /data/.certs/126.crt
certutil -A -n "GeoTrust SSL CA - G3" -t "Pu,Pu,Pu" -d /data/.certs/./ -i /data/.certs/126.crt
certutil -L -d /data/.certs

vi /etc/mail.rc

set from=<your mailbox address>
set smtp="smtps://smtp.126.com:465"
set smtp-auth-user=<your mailbox address>
set smtp-auth-password=<authorisation code>
set smtp-auth=login
set ssl-verify=ignore
set nss-config-dir=/data/.certs

systemctl start sendmail
Test: success. Note that ssl-verify=ignore switches certificate verification off, so the certificates imported into /data/.certs above are never actually checked; once the chain imports cleanly, set ssl-verify=strict so the TLS connection is really authenticated.

2.5. Deploying shadowsocks

When we need to reach Google we have to get past the firewall. There are many proxy tools; here I describe deploying shadowsocks. I happen to have a cloud server in Hong Kong, so I first install from a binary package on the host and, once that works, try installing with docker.

2.5.1. Installing the Python environment

yum -y install python-setuptools
wget https://pypi.python.org/packages/source/p/pip/pip-1.3.1.tar.gz --no-check-certificate
tar -xzvf pip-1.3.1.tar.gz
cd pip-1.3.1
python setup.py install
This step may report an error about a wrong number of arguments; it does not affect the pip install and can be ignored. (--no-check-certificate means the download itself is not authenticated, so check the archive's hash against a trusted source before installing it.)

2.5.2. Installing shadowsocks

pip install shadowsocks
cat /etc/shadowsocks.json

{
    "server":"0.0.0.0",
    "server_port":188,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}

Start in the background: ssserver -c /etc/shadowsocks.json -d start
Stop: ssserver -c /etc/shadowsocks.json -d stop
Add shadowsocks to the system startup
cat /etc/systemd/system/shadowsocks.service

[Unit]
Description=Shadowsocks
After=network.target

[Service]
Type=forking
PermissionsStartOnly=true
ExecStartPre=/bin/mkdir -p /run/shadowsocks
ExecStartPre=/bin/chown root:root /run/shadowsocks
ExecStart=/usr/bin/ssserver  -c /etc/shadowsocks.json -d start
Restart=on-abort
User=root
Group=root
UMask=0027

[Install]
WantedBy=multi-user.target

systemctl enable shadowsocks
systemctl daemon-reload

2.5.3. Deploying shadowsocks with docker

2.5.3.1. Server side

cat Dockerfile

FROM centos
MAINTAINER <tengwanginit@gmail.com>

RUN yum -y install wget \
&& cd /etc/yum.repos.d \
&&  mv CentOS-Base.repo CentOS-Base.repo.bak \
&& wget  http://mirrors.163.com/.help/CentOS7-Base-163.repo \
&& mv CentOS7-Base-163.repo CentOS-Base.repo \
&& yum makecache && yum -y update \
&& yum -y install python-setuptools \
&& wget https://pypi.python.org/packages/source/p/pip/pip-1.3.1.tar.gz --no-check-certificate \
&& tar -xzvf pip-1.3.1.tar.gz  \
&& cd pip-1.3.1 \
&& python setup.py install

RUN pip install shadowsocks

CMD ["/usr/bin/ssserver","-c","/etc/shadowsocks.json"]

cat shadowsocks.json

{
    "server":"0.0.0.0",
    "server_port":8388,
    "local_address": "127.0.0.1",
    "local_port":1080,
    "password":"password",
    "timeout":300,
    "method":"aes-256-cfb",
    "fast_open": false,
    "workers": 1
}

docker build -t linuxwt/shadowsocks .

cat docker-compose.yml

shadowsocks_linuxwt:
    image: linuxwt/shadowsocks
    restart: always
    container_name: shadowsocks_linuxwt
    volumes:
        - /etc/localtime:/etc/localtime
        - /etc/timezone:/etc/timezone
        - ./shadowsocks.json:/etc/shadowsocks.json
    privileged: true
    ports:
        - "8388:8388"

docker-compose up -d

2.5.3.2. Client configuration

Windows as the example
Chrome with the Proxy SwitchyOmega extension proxies access to Google; the steps are:

  • First configure two profiles
  • Under the second profile configure the rule list
  • Configure the shadowsocks client
    Download the client

2.6. Building and sharing a local yum repository

Sometimes the work environment has no internet access, and we need to build some tooling to make our work easier. Here is a simple walkthrough of building a local yum repository. Environment:

  • OS: freshly installed CentOS 7.5
  • Server IP: 10.8.8.3

Since we have no ISO image, we use createrepo to build a custom repository and share it with nginx. nginx and createrepo themselves must be installed beforehand from RPM packages, which may run into missing dependencies, so the usual approach is to install the packages we need with yum on a machine that is online and keep the downloaded packages; to make yum keep them, set keepcache=1 in /etc/yum.conf.

2.6.1. Custom local yum repository

  • Install createrepo
  • Configure the yum source
    mkdir -p /etc/yum.repos.d/bakrepo
    mkdir -p /www/html/myshare
    mv <original .repo files> bakrepo
    cat local.repo
[local]
name=local
baseurl=file:///www/html/myshare
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
  • Refresh the cache
    cp lrzsz*.rpm /www/html/myshare
    createrepo /www/html/myshare
    yum makecache
    yum -y install lrzsz
    A successful install means the yum source was built correctly

Finally, run yum makecache; put the packages you commonly use into /www/html/myshare and they can be installed from the local yum source. Since the RPMs come from yum's cache of signed CentOS packages, the repository can use gpgcheck=1 with the key named above instead of gpgcheck=0, so a tampered RPM in the share is refused.
The precondition is that nginx and createrepo are already installed on the server that hosts the yum repository.

2.6.2. Sharing the custom yum repository

Use nginx's web serving to share the repository address. First we need nginx itself: copy all the nginx-related RPMs from elsewhere (normally a machine that is online and has installed nginx through yum) into /www/html/myshare, clear the yum cache, and yum can then install nginx. Assume nginx is installed and its document root is set to /www/html.
Start nginx
systemctl start nginx
Edit the yum source
cat /etc/yum.repos.d/local.repo

[local]
name=local
baseurl=http://10.8.8.3/myshare
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

createrepo /www/html/myshare
yum makecache
Now every machine on the same LAN as 10.8.8.3 can install software from this repository by pointing its yum source at it
TIP:

  • Always back up the original yum sources before changing them
  • Packages installed by yum are normally kept under /var/cache/yum/x86_64/7/base/packages, /var/cache/yum/x86_64/7/updates/packages, /var/cache/yum/x86_64/7/epel/packages and /var/cache/yum/x86_64/7/extras/packages

2.7. Deploying DNS

A quick word on how DNS works: when an application wants to map a domain name to an IP, it calls the resolver and becomes a client of the local name server; the name is put into a DNS request message and sent over UDP; the name server receives it, looks up the IP matching the name and puts it into the response; the application then uses that IP to talk to the host. In short, DNS turns names into IPs.
Resolution is either forward (name to IP) or reverse (IP to name).

2.7.1. Servers

Layout:

  • Master DNS server: 192.168.0.112
  • Slave DNS server: 192.168.0.113
  • Subdomain DNS server: 192.168.0.114

For ease of testing, disable SELinux and the firewall (on all three machines); this is a lab shortcut, on a real server open only UDP and TCP port 53 instead
sed -i 's/enforcing/disabled/g' /etc/selinux/config
sed -i 's/enforcing/disabled/g' /etc/sysconfig/selinux
systemctl stop firewalld && systemctl disable firewalld && systemctl daemon-reload
Change the yum source
Sync the time

2.7.2. Master server

Holds the zone database and can read and write it
Install the required software
yum -y install bind-utils bind bind-devel
cp /etc/named.conf /etc/named.conf-bak
Main config file
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.0.112;127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.root.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Edit the zone config file to add the forward zone. One thing about named.conf above first: recursion yes together with allow-query { any; } makes this an open resolver for anyone who can reach it, exactly what the comment in the file warns about; on an authoritative server set recursion no, or at least add allow-recursion { 192.168.0.0/24; }.
cat zone_mz.sh

cat <<EOF>> /etc/named.rfc1912.zones
zone "tengwang.com" IN {
        type master;
        file "tengwang.com.zone";
        allow-update { none; };
};
EOF

Note that tengwang.com here is a made-up domain name
cd /var/named
vi tengwang.com.zone

$TTL 86400
$ORIGIN tengwang.com.
@    IN    SOA    ns1.tengwang.com. admin.tengwang.com (
            2017112601
            1H
            5M
            7D
            1D )
       IN    NS    ns1    
       IN    NS    ns2
       IN    MX 10    mx1
ns1    IN    A    192.168.0.112
ns2    IN    A    192.168.0.113
mx1    IN    A    192.168.0.114
www    IN    A    192.168.0.112
www    IN    A    192.168.0.113
ftp    IN    CNAME    www

Check the configuration
named-checkconf
named-checkzone "tengwang.com" /var/named/tengwang.com.zone

zone tengwang.com/IN: loaded serial 2017112601
OK

Output like the above means the configuration is correct. One detail the check does not flag: the SOA mailbox field admin.tengwang.com has no trailing dot, so BIND appends $ORIGIN and stores it as admin.tengwang.com.tengwang.com., which is what the transfer and zone listings further down show; write it as admin.tengwang.com. to get the intended hostmaster address.
Set permissions
chown :named tengwang.com.zone
chmod 640 tengwang.com.zone
Start the service
systemctl start named
Confirm the service is listening
netstat -ntlpu | grep 53
Check the status
rndc status
Output

version: BIND 9.11.4-P2-RedHat-9.11.4-9.P2.el7 (Extended Support Version) <id:7107deb>
running on master1: Linux x86_64 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018
boot time: Sun, 20 Oct 2019 20:39:39 GMT
last configured: Sun, 20 Oct 2019 20:39:42 GMT
configuration file: /etc/named.conf
CPUs found: 2
worker threads: 2
UDP listeners per interface: 1
number of zones: 104 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 3/150
server is up and running   

Test
dig -t A www.tengwang.com @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.tengwang.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33783
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tengwang.com.              IN      A

;; ANSWER SECTION:
www.tengwang.com.       86400   IN      A       192.168.0.112 # resolved addresses
www.tengwang.com.       86400   IN      A       192.168.0.113

;; AUTHORITY SECTION:
tengwang.com.           86400   IN      NS      ns1.tengwang.com.
tengwang.com.           86400   IN      NS      ns2.tengwang.com.

;; ADDITIONAL SECTION:
ns1.tengwang.com.       86400   IN      A       192.168.0.112
ns2.tengwang.com.       86400   IN      A       192.168.0.113

;; Query time: 0 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Mon Oct 21 04:46:45 CST 2019
;; MSG SIZE  rcvd: 145   

Configure the reverse zone
cat zone_mf.sh

cat <<EOF>> /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        allow-update { none; };
};
EOF

vi 192.168.0.zone

$TTL 86400
$ORIGIN 0.168.192.in-addr.arpa.
@    IN    SOA    ns1.tengwang.com. admin.tengwang.com (
            2017112601
            1H
            5M
            7D
            1D )
      IN    NS     ns1.tengwang.com.
      IN    NS     ns2.tengwang.com.
112    IN    PTR    ns1.tengwang.com.
112    IN    PTR    www.tengwang.com.
113    IN    PTR    mx1.tengwang.com.
113    IN    PTR    www.tengwang.com.
113    IN    PTR    ns2.tengwang.com.

Set the permissions the same way as for the forward zone
...

Test
host -t ptr 192.168.0.112 192.168.0.112
Output

Using domain server:
Name: 192.168.0.112
Address: 192.168.0.112#53
Aliases: 

Host 112.0.168.192.in-addr.arpa. not found: 3(NXDOMAIN) 

dig -x 192.168.0.113 @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.113 @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44509
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;113.0.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
113.0.168.192.in-addr.arpa. 86400 IN    PTR     mx1.tengwang.com.
113.0.168.192.in-addr.arpa. 86400 IN    PTR     www.tengwang.com.
113.0.168.192.in-addr.arpa. 86400 IN    PTR     ns2.tengwang.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      ns2.tengwang.com.
0.168.192.in-addr.arpa. 86400   IN      NS      ns1.tengwang.com.

;; ADDITIONAL SECTION:
ns1.tengwang.com.       86400   IN      A       192.168.0.112
ns2.tengwang.com.       86400   IN      A       192.168.0.113

;; Query time: 0 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Mon Oct 21 05:29:21 CST 2019
;; MSG SIZE  rcvd: 185   

2.7.3. Slave server

Install the same packages
yum install bind-utils bind bind-devel -y
Check whether the master allows a full zone transfer (AXFR) to the slave. The master zone above sets no allow-transfer, so it hands the whole zone to anyone who asks, as this test itself shows; restrict it with allow-transfer { 192.168.0.113; }; in the zone statement on the master.
dig -t axfr tengwang.com @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t axfr tengwang.com @192.168.0.112
;; global options: +cmd
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112601 3600 300 604800 86400
tengwang.com.           86400   IN      NS      ns1.tengwang.com.
tengwang.com.           86400   IN      NS      ns2.tengwang.com.
tengwang.com.           86400   IN      MX      10 mx1.tengwang.com.
ftp.tengwang.com.       86400   IN      CNAME   www.tengwang.com.
mx1.tengwang.com.       86400   IN      A       192.168.0.114
ns1.tengwang.com.       86400   IN      A       192.168.0.112
ns2.tengwang.com.       86400   IN      A       192.168.0.113
www.tengwang.com.       86400   IN      A       192.168.0.112
www.tengwang.com.       86400   IN      A       192.168.0.113
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112601 3600 300 604800 86400
;; Query time: 17 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Mon Oct 21 14:35:40 CST 2019
;; XFR size: 11 records (messages 1, bytes 290)

Edit the main config file
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.0.113;127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

//      dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Edit the zone config file
cat zone_sz.sh

cat <<EOF>> /etc/named.rfc1912.zones
zone "tengwang.com" IN {
        type slave;
        masters { 192.168.0.112;};
        file "slaves/tengwang.com.zone";
//        allow-update { none; };
};
EOF

The allow-update option must not appear in the slave's zone definition
Check whether the forward zone file has been transferred
cd /var/named/slaves && ll shows that tengwang.com.zone has arrived
cat tengwang.com.zone shows unreadable binary content (BIND stores transferred zones in its raw format by default)
Add the following to the options block of /etc/named.conf
masterfile-format text;
Look again
cat tengwang.com.zone

$ORIGIN .
$TTL 86400      ; 1 day
tengwang.com            IN SOA  ns1.tengwang.com. admin.tengwang.com.tengwang.com. (
                                2017112601 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tengwang.com.
                        NS      ns2.tengwang.com.
                        MX      10 mx1.tengwang.com.
$ORIGIN tengwang.com.
ftp                     CNAME   www
mx1                     A       192.168.0.114
ns1                     A       192.168.0.112
ns2                     A       192.168.0.113
www                     A       192.168.0.112
                        A       192.168.0.113

Let's test whether a change on the master is also synced to the slave
Delete one record on the master and add one, as shown below

$TTL 86400
$ORIGIN tengwang.com.
@    IN    SOA    ns1.tengwang.com. admin.tengwang.com (
            2017112602
            1H
            5M
            7D
            1D )
       IN    NS    ns1
       IN    NS    ns2
       IN    MX 10    mx1
ns1    IN    A    192.168.0.112
ns2    IN    A    192.168.0.113
mx1    IN    A    192.168.0.114
www    IN    A    192.168.0.112
pop3    IN    A    192.168.0.113
ftp    IN    CNAME    www

Change the www record that mapped to 192.168.0.113 into pop3, and remember to update the serial as well
Reload the service; do not restart it
named-checkconf
rndc reload
Check the log
tail -f /var/log/messages

Oct 21 14:59:23 master1 named[11454]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Oct 21 14:59:23 master1 named[11454]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Oct 21 14:59:23 master1 named[11454]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Oct 21 14:59:23 master1 named[11454]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Oct 21 14:59:23 master1 named[11454]: resolver priming query complete
Oct 21 14:59:24 master1 named[11454]: client @0x7f6e800d49a0 192.168.0.113#39532 (tengwang.com): transfer of 'tengwang.com/IN': AXFR-style IXFR started (serial 2017112602)
Oct 21 14:59:24 master1 named[11454]: client @0x7f6e800d49a0 192.168.0.113#39532 (tengwang.com): transfer of 'tengwang.com/IN': AXFR-style IXFR ended

Check on the slave whether it synced
cat /var/named/slaves/tengwang.com.zone

$ORIGIN .
$TTL 86400      ; 1 day
tengwang.com            IN SOA  ns1.tengwang.com. admin.tengwang.com.tengwang.com. (
                                2017112602 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.tengwang.com.
                        NS      ns2.tengwang.com.
                        MX      10 mx1.tengwang.com.
$ORIGIN tengwang.com.
ftp                     CNAME   www
mx1                     A       192.168.0.114
ns1                     A       192.168.0.112
ns2                     A       192.168.0.113
pop3                    A       192.168.0.113
www                     A       192.168.0.112

The sync succeeded
That was forward zone sync; now the reverse zone
Configure the reverse zone
cat zone_sf.sh

cat <<EOF>> /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.0.112;};
        file "slaves/192.168.0.zone";
//      allow-update { none; };
};
EOF

Reload the service and check that the reverse zone data has been transferred

Points to note when setting up master and slave DNS:

  • The master's NS records must include one that points at the slave
  • The slave only defines the zone; it does not need its own zone data file
  • Keep the master's and slave's clocks in sync
  • To have a change on the master reach the slave immediately, bump the serial number by one by hand
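Because the last point above (bump the serial or nothing propagates) is the one most often forgotten, here is an added script, not from the original post, that bumps the SOA serial of a zone file in place, validates and reloads it, and compares the serial the master and slave answer with; the zone-file layout it parses is the one used on this page, and named-checkzone, rndc and dig are assumed to exist only on the real servers.

```shell
#!/bin/bash
# Added example, not from the original post: bump the SOA serial of a BIND
# zone file in place and then check that master and slave agree on it. The
# post's rule is that a change on the master only reaches the slave after the
# serial goes up, which is easy to forget when editing by hand. Assumptions:
# the serial is the first all-digit token after "SOA", on the SOA line or on
# the next one, as in the tengwang.com.zone files above; named-checkzone, rndc
# and dig are only used when installed.
set -eu

# current_serial ZONEFILE -> prints the SOA serial
current_serial() {
    awk '
        !pending && $0 ~ /SOA/ { pending = 1 }
        pending { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }
    ' "$1"
}

# bump_serial ZONEFILE -> increments the serial in place, prints the new value.
# Leading indentation is kept; the rest of the serial line is re-spaced.
bump_serial() {
    zonefile="$1"; tmp="$zonefile.tmp"
    awk '
        !pending && !done && $0 ~ /SOA/ { pending = 1 }
        pending && !done {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9]+$/) {
                    match($0, /^[ \t]*/); lead = substr($0, 1, RLENGTH)
                    $i = sprintf("%.0f", $i + 1)   # assigning a field rebuilds $0
                    $0 = lead $0
                    done = 1
                    break
                }
            }
        }
        { print }
    ' "$zonefile" > "$tmp"
    mv "$tmp" "$zonefile"
    current_serial "$zonefile"
}

# check_sync ZONE MASTER SLAVE -> succeeds when both servers answer the same
# serial; prints both so a lagging slave is obvious (needs dig on the PATH).
check_sync() {
    zone="$1"; master="$2"; slave="$3"
    m=$(dig +short SOA "$zone" "@$master" | awk '{ print $3 }')
    s=$(dig +short SOA "$zone" "@$slave"  | awk '{ print $3 }')
    echo "master=$m slave=$s"
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# publish ZONE ZONEFILE -> bump, validate, reload (the post's named-checkconf
# plus rndc reload step), so an edit is never reloaded with a stale serial.
publish() {
    zone="$1"; zonefile="$2"
    new=$(bump_serial "$zonefile")
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$zonefile"
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$zone"
    fi
    echo "$zone now at serial $new"
}

# make_sample_zone FILE -> constructed zone file in the same layout as the post's
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
$ORIGIN example.test.
@    IN    SOA    ns1.example.test. admin.example.test. (
            2017112601
            1H
            5M
            7D
            1D )
       IN    NS    ns1
       IN    NS    ns2
ns1    IN    A    192.0.2.1
ns2    IN    A    192.0.2.2
www    IN    A    192.0.2.10
EOF
}

# Stand-alone demo on a throwaway file; real use on the master would be
# publish tengwang.com /var/named/tengwang.com.zone, then
# check_sync tengwang.com 192.168.0.112 192.168.0.113
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); make_sample_zone "$f"
    echo "before: $(current_serial "$f")"; bump_serial "$f" >/dev/null
    echo "after:  $(current_serial "$f")"; rm -f "$f"
fi
```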

2.7.4. Subdomain configuration

On the master, configure the subdomain and delegate it; here we add a subdomain ops.tengwang.com. The delegation is the two records at the end of the zone file: an NS record for ops and a glue A record for ns1.ops (bump the serial as well, as noted above, or ns2 will never pick the delegation up)
vi /var/named/tengwang.com.zone

$TTL 86400
$ORIGIN tengwang.com.
@    IN    SOA    ns1.tengwang.com. admin.tengwang.com (
            2017112602
            1H
            5M
            7D
            1D )
       IN    NS    ns1
       IN    NS    ns2
       IN    MX 10    mx1
ns1    IN    A    192.168.0.112
ns2    IN    A    192.168.0.113
mx1    IN    A    192.168.0.114
www    IN    A    192.168.0.112
pop3    IN    A    192.168.0.113
ftp    IN    CNAME    www

ops    IN    NS    ns1.ops  
ns1.ops IN    A    192.168.0.114

On the subdomain server, install the packages
yum install bind-utils bind bind-devel -y
Configure it as a master; this means the subdomain server is the master for its own zone
Edit its main config file
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.0.114;127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.root.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Edit the zone config file
cat sub_sz.sh

cat <<EOF>> /etc/named.rfc1912.zones
zone "ops.tengwang.com" IN {
        type master;
        file "ops.tengwang.com.zone";
        allow-update { none; };
};
EOF

Edit the zone data file
vi /var/named/ops.tengwang.com.zone

$TTL 1D
$ORIGIN ops.tengwang.com.
@       IN    SOA      ns1.ops.tengwang.com.    admin.ops.tengwang.com. (
                       2017112701
                       1H
                       10M
                       7D    
                       1D)

        IN    NS   ns1
ns1     IN    A    192.168.0.114
www     IN    A    192.168.0.100
*       IN    A    192.168.0.100

Set the permissions here as well
chmod 640 ops.tengwang.com.zone
chown :named ops.tengwang.com.zone
named-checkconf
systemctl start named

Testing
Test A-record resolution in this zone
dig -t A www.ops.tengwang.com @192.168.0.114
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.ops.tengwang.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.tengwang.com.          IN      A

;; ANSWER SECTION:
www.ops.tengwang.com.   86400   IN      A       192.168.0.100

;; AUTHORITY SECTION:
ops.tengwang.com.       86400   IN      NS      ns1.ops.tengwang.com.

;; ADDITIONAL SECTION:
ns1.ops.tengwang.com.   86400   IN      A       192.168.0.114

;; Query time: 0 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Wed Oct 23 04:29:34 CST 2019
;; MSG SIZE  rcvd: 99

Test the NS record of the current zone
dig -t NS ops.tengwang.com @192.168.0.114
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t NS ops.tengwang.com @192.168.0.114
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ops.tengwang.com.              IN      NS

;; ANSWER SECTION:
ops.tengwang.com.       86400   IN      NS      ns1.ops.tengwang.com.

;; ADDITIONAL SECTION:
ns1.ops.tengwang.com.   86400   IN      A       192.168.0.114

;; Query time: 0 msec
;; SERVER: 192.168.0.114#53(192.168.0.114)
;; WHEN: Wed Oct 23 04:32:23 CST 2019
;; MSG SIZE  rcvd: 79

Test resolving the subdomain through the parent domain
dig -t A www.ops.tengwang.com @192.168.0.112 +norecurse
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.ops.tengwang.com @192.168.0.112 +norecurse
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4892
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.tengwang.com.          IN      A

;; AUTHORITY SECTION:
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112602 3600 300 604800 86400

;; Query time: 6 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Wed Oct 23 04:36:06 CST 2019
;; MSG SIZE  rcvd: 108

Resolution fails

How do we fix this? Make the following configuration on the parent domain server
vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
//      listen-on port 53 { 192.168.0.112;127.0.0.1; };
        listen-on port 53 { any; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.root.key";

//      managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Test again
dig -t A www.ops.tengwang.com @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.ops.tengwang.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.tengwang.com.          IN      A

;; ANSWER SECTION:
www.ops.tengwang.com.   86161   IN      A       192.168.0.100

;; AUTHORITY SECTION:
ops.tengwang.com.       86242   IN      NS      ns1.ops.tengwang.com.

;; ADDITIONAL SECTION:
ns1.ops.tengwang.com.   86242   IN      A       192.168.0.114

;; Query time: 0 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Wed Oct 23 04:45:12 CST 2019
;; MSG SIZE  rcvd: 99

The subdomain can now be resolved successfully through the parent
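
The three dig runs above differ in the status code and in the `aa` flag, and those two fields say which server actually produced the answer. Below is an added Python example (not from the original post) that parses dig's text output and classifies the answer the way the tests above were read by eye; the sample outputs are trimmed copies of the runs shown on this page.

```python
"""Parse dig's text output and classify the answer, so the checks done by
hand above can be scripted. Added example, not from the original post;
the sample outputs are trimmed copies of the dig runs shown on this page."""
import re
from dataclasses import dataclass, field


@dataclass
class DigResult:
    status: str                 # NOERROR, NXDOMAIN, REFUSED, ...
    flags: set                  # header flags, e.g. {"qr", "aa", "rd", "ra"}
    answers: list = field(default_factory=list)    # (name, ttl, class, type, rdata)
    authority: list = field(default_factory=list)


def parse_dig(output: str) -> DigResult:
    """Pull status, header flags and the ANSWER/AUTHORITY records out of
    the text dig prints."""
    status, flags, section = None, set(), None
    sections = {"ANSWER": [], "AUTHORITY": []}
    for line in output.splitlines():
        line = line.rstrip()
        if "->>HEADER<<-" in line:
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line.startswith(";; ") and line.endswith(" SECTION:"):
            section = line[3:-len(" SECTION:")]
        elif line and not line.startswith(";") and section in sections:
            parts = line.split(None, 4)      # owner ttl class type rdata
            if len(parts) == 5:
                sections[section].append(tuple(parts))
    if status is None:
        raise ValueError("no dig header found in output")
    return DigResult(status, flags, sections["ANSWER"], sections["AUTHORITY"])


def a_records(result: DigResult, name: str) -> list:
    """IPv4 addresses answered for `name` (absolute, with trailing dot)."""
    return [rr[4] for rr in result.answers if rr[0] == name and rr[3] == "A"]


def diagnose(result: DigResult) -> str:
    """Explain the answer in the terms used on this page."""
    if result.status == "REFUSED":
        return "refused: the client is outside allow-query (or allow-transfer for AXFR)"
    if result.status == "NXDOMAIN":
        soa = [rr for rr in result.authority if rr[3] == "SOA"]
        zone = soa[0][0] if soa else "an unknown zone"
        return f"nxdomain: answered from the server's own data for {zone}, name not found there"
    if result.status == "NOERROR" and "aa" in result.flags:
        return "authoritative answer"
    if result.status == "NOERROR":
        return "non-authoritative answer (obtained by recursion or served from cache)"
    return f"unexpected status {result.status}"


# trimmed copies of the three dig runs shown above
SUB_SERVER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15632
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ops.tengwang.com.          IN      A

;; ANSWER SECTION:
www.ops.tengwang.com.   86400   IN      A       192.168.0.100

;; AUTHORITY SECTION:
ops.tengwang.com.       86400   IN      NS      ns1.ops.tengwang.com.
"""

PARENT_BEFORE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4892
;; flags: qr aa ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112602 3600 300 604800 86400
"""

PARENT_AFTER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30141
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; ANSWER SECTION:
www.ops.tengwang.com.   86161   IN      A       192.168.0.100

;; AUTHORITY SECTION:
ops.tengwang.com.       86242   IN      NS      ns1.ops.tengwang.com.
"""

if __name__ == "__main__":
    for label, text in (("sub", SUB_SERVER), ("parent before", PARENT_BEFORE), ("parent after", PARENT_AFTER)):
        r = parse_dig(text)
        print(f"{label}: {diagnose(r)}; A = {a_records(r, 'www.ops.tengwang.com.')}")
```

Reading the three cases: the first answer carries `aa` because 192.168.0.114 is authoritative for ops.tengwang.com. The second is NXDOMAIN with `aa` and the parent's SOA, which means the parent answered from its own tengwang.com zone data and found no delegation covering the name; a parent that holds the `ops.tengwang.com. NS` delegation answers a `+norecurse` query with a referral instead (NOERROR, no `aa`, the NS records in the AUTHORITY section). The third answer has no `aa` and a TTL below 86400, so the parent fetched it by recursion and served it from cache; turning off `dnssec-validation` changes how that recursive lookup is validated, not the parent's own zone data. The AXFR listing in the access-control section further down shows that the parent zone does carry the NS and glue records for ops.tengwang.com.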

2.7.5. Access control

There are four main acl directives:

  • allow-query # hosts allowed to query
  • allow-transfer # hosts allowed to transfer the zone
  • allow-update # hosts allowed to update the zone data
  • allow-recursion # hosts allowed to use recursion

Test on the master server
Add an acl rule to the forward zone configuration

zone "tengwang.com" IN {
        type master;
        file "tengwang.com.zone";
        allow-update { none; };
        allow-query { 127.0.0.1; };
};

rndc reload
Run the command
dig -t A www.tengwang.com @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.tengwang.com @192.168.0.112
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 34921
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tengwang.com.              IN      A

;; Query time: 0 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Wed Oct 23 13:53:29 CST 2019
;; MSG SIZE  rcvd: 45

Resolution clearly fails
dig -t A www.tengwang.com @127.0.0.1
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t A www.tengwang.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31112
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tengwang.com.              IN      A

;; ANSWER SECTION:
www.tengwang.com.       86400   IN      A       192.168.0.112

;; AUTHORITY SECTION:
tengwang.com.           86400   IN      NS      ns1.tengwang.com.
tengwang.com.           86400   IN      NS      ns2.tengwang.com.

;; ADDITIONAL SECTION:
ns1.tengwang.com.       86400   IN      A       192.168.0.112
ns2.tengwang.com.       86400   IN      A       192.168.0.113

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 23 13:54:22 CST 2019
;; MSG SIZE  rcvd: 129

Resolution succeeds

An acl rule in the options block of named.conf applies to the whole server; inside a zone it affects only that zone.
By default any host can perform a zone transfer. Above we changed the rule so that only the master itself could resolve names; in practice we normally only allow the slave defined for synchronization to transfer the zone, which is the safe setting.
On the master server

zone "tengwang.com" IN {
        type master;
        file "tengwang.com.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.113; };   // only the slave may pull the zone
};

rndc reload
Test
dig -t AXFR tengwang.com @192.168.0.112
Transfer fails
On the slave server
dig -t AXFR tengwang.com @192.168.0.112
Output

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t AXFR tengwang.com @192.168.0.112
;; global options: +cmd
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112602 3600 300 604800 86400
tengwang.com.           86400   IN      NS      ns1.tengwang.com.
tengwang.com.           86400   IN      NS      ns2.tengwang.com.
tengwang.com.           86400   IN      MX      10 mx1.tengwang.com.
ftp.tengwang.com.       86400   IN      CNAME   www.tengwang.com.
mx1.tengwang.com.       86400   IN      A       192.168.0.114
ns1.tengwang.com.       86400   IN      A       192.168.0.112
ns2.tengwang.com.       86400   IN      A       192.168.0.113
ops.tengwang.com.       86400   IN      NS      ns1.ops.tengwang.com.
ns1.ops.tengwang.com.   86400   IN      A       192.168.0.114
pop3.tengwang.com.      86400   IN      A       192.168.0.113
www.tengwang.com.       86400   IN      A       192.168.0.112
tengwang.com.           86400   IN      SOA     ns1.tengwang.com. admin.tengwang.com.tengwang.com. 2017112602 3600 300 604800 86400
;; Query time: 0 msec
;; SERVER: 192.168.0.112#53(192.168.0.112)
;; WHEN: Thu Oct 31 15:32:09 CST 2019
;; XFR size: 13 records (messages 1, bytes 333)

Transfer succeeds

On the subdomain server
dig -t AXFR tengwang.com @192.168.0.112
Transfer fails

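The AXFR listing above is the reason `allow-transfer` matters: one query hands out the whole zone, every host record, the MX, the delegation and its glue, so transfers belong only to the hosts that replicate the zone. The script below is an added example, not from the original post or from BIND; it audits zone stanzas in a named.conf-style file and reports those that still allow transfers from any host. The sample configuration is constructed from the stanzas on this page plus placeholder zones (hardened.example, open.example, secondary.example are hypothetical names).

```python
"""Audit zone stanzas in a named.conf-style file for zone transfers that
are open to any host. Added example, not from the original post or from
BIND; SAMPLE_CONF is constructed from the stanzas shown on this page."""
import re

# one stanza: zone "name" [class] { ... }; closed by a '};' at the start of a line
ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\s*\};', re.S)


def parse_zones(conf: str) -> dict:
    """Map zone name -> {option: raw value} for every zone stanza.
    Only the one-option-per-line layout used on this page is handled;
    nested blocks such as masters { ...; } keep their braces in the value."""
    zones = {}
    for m in ZONE_RE.finditer(conf):
        opts = {}
        for line in m.group(2).splitlines():
            line = line.split("//", 1)[0].strip().rstrip(";").strip()
            if line:
                key, _, value = line.partition(" ")
                opts[key] = value.strip()
        zones[m.group(1)] = opts
    return zones


def acl_members(value: str) -> list:
    """'{ 192.168.0.113; any; }' -> ['192.168.0.113', 'any']"""
    return re.findall(r"[^{}\s;]+", value)


def audit_transfers(conf: str, trusted=()) -> list:
    """Return (zone, finding) for each master or slave zone whose
    allow-transfer is absent (the default then permits any host, as the
    text above says), is 'any', or lists a host outside `trusted`.
    Assumption: transfers are restricted per zone; a global allow-transfer
    inside options {} is not inspected here."""
    findings = []
    for name, opts in parse_zones(conf).items():
        if opts.get("type") not in ("master", "slave"):   # slaves answer AXFR too
            continue
        raw = opts.get("allow-transfer")
        if raw is None:
            findings.append((name, "no allow-transfer: defaults to any host"))
            continue
        members = acl_members(raw)
        if "any" in members:
            findings.append((name, "allow-transfer { any; }"))
            continue
        extra = [h for h in members if h not in trusted and h != "none"]
        if extra:
            findings.append((name, f"allow-transfer includes untrusted {extra}"))
    return findings


SAMPLE_CONF = """\
// weak: the stanza as it stood before this section (no allow-transfer)
zone "tengwang.com" IN {
        type master;
        file "tengwang.com.zone";
        allow-update { none; };
};

// hardened: only the slave may pull it (placeholder name)
zone "hardened.example" IN {
        type master;
        file "hardened.example.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.113; };
};

// explicitly open, no better than the default (placeholder name)
zone "open.example" IN {
        type master;
        file "open.example.zone";
        allow-transfer { any; };
};

// a slave that refuses to pass the data on (placeholder name)
zone "secondary.example" IN {
        type slave;
        masters { 192.168.0.112; };
        file "slaves/secondary.example.zone";
        allow-transfer { none; };
};
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    for zone, finding in audit_transfers(text, trusted=("192.168.0.113",)):
        print(f"{zone}: {finding}")
```

Run it against `/etc/named.rfc1912.zones` or any other included file after `rndc reload`; the `dig -t AXFR` from a host outside the list, as done above, is the live confirmation that the rule is in effect.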