1實戰(zhàn)案例-DNS服務(wù)與管理

第3章Linux系統(tǒng)與服務(wù)構(gòu)建運維3.11實戰(zhàn)案例——DNS服務(wù)與管理目錄2010203案例目標(biāo)案例分析案例實施301案例目標(biāo)學(xué)習(xí)目標(biāo)

配置DNS服務(wù)的正反向解析

了解BIND服務(wù)的安裝配置

使用bind-chroot搭建DNS服務(wù)使用4（1）了解BIND服務(wù)的安裝配置（2）使用bind-chroot搭建DNS服務(wù)（3）配置DNS服務(wù)的正反向解析01案例目標(biāo)502案例分析學(xué)習(xí)目標(biāo)規(guī)劃節(jié)點基礎(chǔ)準(zhǔn)備61.規(guī)劃節(jié)點部署主從節(jié)點DNS服務(wù)的節(jié)點規(guī)劃IP主機名節(jié)點masterslaver主DNS服務(wù)器從DNS服務(wù)器12.基礎(chǔ)準(zhǔn)備使用VMWareWorkstation軟件安裝CentOS7.2操作系統(tǒng)，鏡像使用提供的CentOS-7-x86_64-DVD-1511.iso，最小化CentOS7.2虛擬機兩臺。YUM源使用本地CetnOS7.2系統(tǒng)源。02案例分析703案例實施學(xué)習(xí)目標(biāo)配置主從DNS配置YUM源（兩個節(jié)點）

安裝配置DNS軟件BIND（兩個節(jié)點）81.配置YUM源（兩個節(jié)點）（1）YUM源備份[root@master~]#mv/etc/yum.repos.d/*/opt/（2）創(chuàng)建repo文件[root@master~]#vi/etc/yum.repos.d/local.repo[centos]name=centosbaseurl=0/centos7.2gpgcheck=0enabled=103案例實施9（3）測試YUM源配置[root@master~]#yumlist（4）關(guān)閉防火墻和SELinux[root@master~]#setenforce0[root@master~]#systemctlstopfirewalld2.安裝配置DNS軟件BIND（兩個節(jié)點）使用如下命令安裝bind-chrootDNS服務(wù)器，示例結(jié)果如圖所示。[root@master~]#yuminstallbind-chrootbind-utils-y03案例實施10通過rpm-qlbind-chroot查詢所安裝的文件。03案例實施11進入bind-chroot目錄?？截恇ind相關(guān)文件，準(zhǔn)備bind-chroot環(huán)境：[root@masterchroot]#cp-R/usr/share/doc/bind-9.9.4/sample/etc/*/var/named/chroot/etc/[root@masterchroot]#cp-R/usr/share/doc/bind-9.9.4/sample/var/*/var/named/chroot/var/03案例實施12創(chuàng)建dynamic目錄，將bind文件設(shè)置為可寫，如圖所示。[root@masterchroot]#cdvar/named/[root@masternamed]#chmod-R777/var/named/chroot/var/named/data/[root@masternamed]#mkdirdynamic[root@masternamed]#chmod-R777/var/named/chroot/var/named/dynamic03案例實施13將DNS服務(wù)named.conf文件拷貝到bind-chroot目錄中。[root@masterchroot]#cp/etc/named.conf/var/named/chroot/etc/named.conf編輯配置文件named.conf，具體示例代碼如下：-IfyouarebuildinganAUTHORITATIVEDNSserver,doNOTenablerecursion.-IfyouarebuildingaRECURSIVE(caching)DNSserver,youneedtoenable[root@masterchroot]#vi/var/named/chroot/etc/named.confrecursion.//named.conf………..-IfyourrecursiveDNSserverhasapublicIPaddress,youMUSTenableaccesscontroltolimitqueriestoyourlegitimateusers.Failingtodosowilloptions{causeyourservertobecomepartoflargescaleDNSamplificationlisten-onport53{any;};attacks.ImplementingBCP38withinyournetworkwouldgreatly//listen-on-v6port53{::1;};reducesuchattacksurface*/directory"/var/named";dump-file"/var/named/data/cache_dump.db";recursionyes;statistics-file"/var/named/data/named_stats.txt";dnssec-enableyes;memstatistics-file"/var/named/data/named_mem_stats.txt";allow-query{any;};/*dnssec-validationyes;/*PathtoISCDLVkey*/bindkeys-file"/etc/named.iscdlv.key";03案例實施14managed-keys-directory"/var/named/dynamic";pid-file"/run/named/named.pid";session-keyfile"/run/named/session.key";};logging{channeldefault_debug{file"data/named.run";severitydynamic;};};zone""{typemaster;file".zon";};include"/etc/named.rfc1912.zones";include"/etc/named.root.key";設(shè)置named.conf文件的用戶權(quán)限為named，示例代碼如下：[root@masternamed]#chownnamed/var/named/chroot/etc/named.conf03案例實施15創(chuàng)建轉(zhuǎn)發(fā)域拷貝模板文件named.localhost到.zon，示例代碼如下：[root@masternamed]#cp/var/named/named.localhost/var/named/chroot/var/named/.zon編輯.zon文件，示例代碼如下：[root@masternamed]#vi.zon$TTL1D$ORIGIN.@INSOA..(2019001;serial1D;refresh1H;retry1W;expire3H;minimum)INNS.ns1INA0wwwINA1ftpINA03案例實施16賦予.zon所有權(quán)限，命令如下：chmod-R777.zon檢查配置，如圖所示。[root@masternamed]#named-checkconf/var/named/chroot/etc/named.conf[root@masternamed]#named-checkzone.zon03案例實施17配置服務(wù)設(shè)置主機時間，示例代碼如下：[root@masternamed]#date-s15:47:00關(guān)閉named服務(wù)，取消開機啟動，命令如下：[root@masternamed]#systemctlstopnamed[root@masternamed]#systemctldisablenamed設(shè)置bind-chroot服務(wù)開機啟動，并重啟。[root@masternamed]#systemctlenablenamed-chrootln-s'/usr/lib/systemd/system/named-chroot.service''/etc/systemd/system/multi-user.target.wants/named-chroot.service'[root@masternamed]#systemctlrestartnamed-chroot03案例實施18查看bind-chroot服務(wù)狀態(tài)，如圖所示。[root@masternamed]#systemctlstatusnamed-chroot03案例實施19配置主機DNS服務(wù)器。[root@masternamed]#vi/etc/resolv.conf;generatedby/usr/sbin/dhclient-scriptsearchopenstacklocallocaldomain.localdomainnameserver//修改為當(dāng)前主機IP使用bind基本命令重載主配置文件和區(qū)域解析庫文件，如圖所示。[root@masternamed]#rndcreload[root@masternamed]#rndcreload[root@masternamed]#rndcnotify[root@masternamed]#rndcreconfig03案例實施20測試DNS解析是否正常，如圖所示。03案例實施213.配置主從DNS在Master上操作，修改Master的named.conf配置文件[root@masterchroot]#cat/var/named/chroot/etc/named.conf////named.conf…………..//listen-onport53{any;};listen-on-v6port53{::1;};//dump-file"/var/named/data/cache_dump.db";statistics-file"/var/named/data/named_stats.txt";memstatistics-file"/var/named/data/named_mem_stats.txt";allow-query{any;};03案例實施22logging{channeldefault_debug{file"data/named.run";severitydynamic;/*};…………..};zone""{typemaster;recursionyes;dnssec-enableyes;dnssec-validationyes;/*PathtoISCDLVkey*/file".zon";allow-transfer{1;};notifyyes;bindkeys-file"/etc/named.iscdlv.key";managed-keys-directory"/var/named/dynamic";};includesession-keyfile"/run/named/session.key";"/etc/named.rfc1912.zones";include"/etc/named.root.key";};03案例實施23在Master編輯主服務(wù)器解析庫文件，添加解析記錄，示例代碼如下。[root@masterchroot]#catvar/named/.zon$TTL1D@INSOA..(2019002;serial//改值比修改前的要大，才能同步1D;refresh1W;expireINNS.ns1INA0wwwINA1www2INA//添加記錄ftpINA03案例實施24重新加載配置文件。03案例實施25在slave上操作，修改slave服務(wù)器上的named.conf文件，示例代碼如下：[root@slavenamed]#vi/var/named/chroot/etc/named.conf//named.conf//ProvidedbyRedHatbindpackagetoconfiguretheISCBINDnamed(8)DNS////See/usr/share/doc/bind*/sample/forexamplenamedconfigurationfiles.//options{listen-onport53{any;};//listen-on-v6port53{::1;};directory"/var/named";03案例實施26dump-file"/var/named/data/cache_dump.db";statistics-file"/var/named/data/named_stats.txt";memstatistics-file"/var/named/data/named_mem_stats.txt";allow-query{any;};/*…………..*/recursionyes;dnssec-enableyes;dnssec-validationyes;/*PathtoISCDLVkey*/bindkeys-file"/etc/named.iscdlv.key";managed-keys-directory"/v