Fedora 35 deploys DNS master-slave and separation resolution -- the way to build a dream
2022-06-25 13:03:00 【The road to dream】
Reference article: Centos7.8 deploys the DNS service, the slave service and split resolution

| Host name | Operating system | IP address |
|---|---|---|
| DNS server | Centos7.8 | 192.168.250.209/24 |
| Application server | CENTOS7.8 | 192.168.250.200/24 |
| Test PC | WINDOWS10 Home Edition | 10.128.40.100/24 |
II. Install the bind service package
BIND (Berkeley Internet Name Domain) is the most widely used, most secure and most efficient domain name resolution service program in the world. As an Internet infrastructure service, DNS carries a heavy responsibility, so in a production environment it is recommended to install the chroot extension package (commonly known as the "cage" mechanism) together with the bind service program. It effectively confines the bind service program to operating on its own configuration files and so protects the security of the whole server.
yum install bind-chroot
There are three key files in the bind service program:
1. Main configuration file
/etc/named.conf
Change these two settings:
listen-on port 53 { any; }; # every IP address on the server provides the DNS resolution service
allow-query { any; }; # anyone may send DNS query requests to this server
2. Zone configuration file
/etc/named.rfc1912.zones
It records where the files that map domain names to IP addresses are kept. This file defines the location of the file that holds the resolution rules for each domain and the service type of the zone; it does not contain the actual domain name to IP address mappings.
There are three service types: hint (root zone), master (primary zone) and slave (secondary zone). The common master and slave are the primary server and the secondary server respectively.
Forward resolution zone:
zone "haopython.com" IN {
type master; # service type
file "haopython.com.zone"; # file holding the domain name to IP address resolution rules
allow-update { none; }; # which clients may dynamically update the resolution data
};
Reverse resolution zone:
zone "250.168.192.in-addr.arpa" IN { # the reverse resolution zone of the 192.168.250.0/24 network segment
type master;
file "192.168.250.arpa";
};
3. Data file directory
/var/named
III. Configure forward resolution
This is the most commonly used DNS working mode.
Forward resolution looks up the IP address that corresponds to a domain name (host name). In other words, when a user enters a domain name, the bind server searches its data automatically and returns the matching IP address to the user.
1. Edit area profile
[[email protected] ~]# vim /etc/named.rfc1912.zones
[[email protected] ~]# cat /etc/named.rfc1912.zones
zone "haopython.com" IN {
type master;
file "haopython.com.zone";
allow-update {none;};
};
2. Edit the data file
First copy the forward resolution template file (named.localhost) from the /var/named directory, then fill the domain name to IP address mappings into the data file and save it.
[[email protected] ~]# cd /var/named/
[[email protected] named]# ls -al named.localhost
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
[[email protected] named]# cp -a named.localhost haopython.com.zone
[[email protected] named]# vim haopython.com.zone
[[email protected] named]# cat haopython.com.zone
$TTL 1D
@       IN SOA  haopython.com. root.haopython.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.haopython.com.
ns      IN A    192.168.250.200
www     IN A    192.168.250.200
        AAAA    ::1     ; left over from the template; with no owner it inherits "www", so www also resolves to ::1 in the test below
After the configuration , restart named service :
systemctl restart named
systemctl status named.service
3. Test the resolution results
First set the DNS server's own DNS address to the local address 192.168.250.209, then restart the network service:
systemctl restart network
Then use nslookup:
nslookup
> www.haopython.com
Server: 192.168.250.209
Address: 192.168.250.209#53
Name: www.haopython.com
Address: 192.168.250.200
Name: www.haopython.com
Address: ::1
On the WIN10 client, set the DNS server to 192.168.250.209, then test.
For this test, open TCP and UDP port 53 on the server:
firewall-cmd --permanent --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports: 53/tcp 53/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
IV. Configure reverse resolution
Reverse resolution maps an IP address submitted by the user back to the corresponding domain name information. It is generally used to screen all the domain names bound to an IP address as a whole, for example to block spam sent from certain domains; reverse-resolving an IP address also gives a rough idea of how many websites are running on it.
1. Edit area profile
[[email protected] ~]# vim /etc/named.rfc1912.zones
[[email protected] ~]# cat /etc/named.rfc1912.zones
zone "haopython.com" IN {
type master;
file "haopython.com.zone";
allow-update {none;};
};
zone "250.168.192.in-addr.arpa" IN {
type master;
file "192.168.250.arpa";
};
2. Edit the data file
First copy the reverse resolution template file (named.loopback) from the /var/named directory, then modify it:
[[email protected] named]# pwd
/var/named
[[email protected] named]#
[[email protected] named]# cp -a named.loopback 192.168.250.arpa
[[email protected] named]# ls -al
Total usage 28
drwxrwx--T.  6 root  named  191 4月  12 11:33 .
drwxr-xr-x. 21 root  root  4096 4月  12 09:13 ..
-rw-r-----.  1 root  named  168 12月 15 2009 192.168.250.arpa
drwxr-x---.  7 root  named   61 4月  12 09:13 chroot
drwxrwx---.  2 named named   23 4月  12 10:42 data
drwxrwx---.  2 named named   60 4月  12 10:42 dynamic
-rw-r-----.  1 root  named  246 4月  12 10:41 haopython.com.zone
-rw-r-----.  1 root  named 2253 4月   5 2018 named.ca
-rw-r-----.  1 root  named  152 12月 15 2009 named.empty
-rw-r-----.  1 root  named  152 6月  21 2007 named.localhost
-rw-r-----.  1 root  named  168 12月 15 2009 named.loopback
drwxrwx---.  2 named named    6 2月  24 01:17 slaves
Modified as follows:
[[email protected] named]# vim 192.168.250.arpa
[[email protected] named]# vim 192.168.250.arpa
$TTL 1D
@       IN SOA  haopython.com. root.haopython.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.haopython.com.
ns      A       192.168.250.200
200     PTR     ns.haopython.com.   ; owner is the last octet of 192.168.250.200, the address queried in the test below
200     PTR     www.haopython.com.
3. Check the resolution results
Restart the service:
systemctl restart named
Test:
[[email protected] named]# nslookup
> www.haopython.com
Server: 192.168.250.209
Address: 192.168.250.209#53
Name: www.haopython.com
Address: 192.168.250.200
> 192.168.250.200
200.250.168.192.in-addr.arpa name = www.haopython.com.
200.250.168.192.in-addr.arpa name = ns.haopython.com.
>
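The forward and reverse zone files above are easy to get subtly wrong: a record line without an owner name inherits the previous owner (which is why www.haopython.com also answers with ::1 in the nslookup output), and the PTR owners in the reverse file must be the last octet of the addresses actually used in the forward file. The following script is an added example, not code from the article: it parses a copy of the article's forward zone (constructed inline, with the leftover AAAA line kept on purpose), reports the checks a practitioner wants before restarting named, and derives the PTR records for 192.168.250.0/24 from the A records. The helper names (parse_records, check_zone, reverse_records) are ours and only cover the zone syntax the article's files use.

```python
"""Sanity-check a BIND forward zone file and derive the matching reverse
(in-addr.arpa) PTR records from its A records.

Added example, not part of the original article. FORWARD_ZONE below is
constructed from the article's haopython.com zone (including the "AAAA ::1"
line left over from the named.localhost template); the helper names are ours.
"""
import ipaddress
import re

FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  haopython.com. root.haopython.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.haopython.com.
ns      IN A    192.168.250.200
www     IN A    192.168.250.200
        AAAA    ::1
"""

RR_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}


def parse_records(zone_text, origin):
    """Return (owner, type, rdata) triples for every resource record in zone_text.

    Handles ';' comments, '$' directives, the parenthesised multi-line SOA,
    the '@' apex shorthand and owner inheritance (a line that starts with
    whitespace belongs to the previous owner). Only the subset of the zone
    syntax used by the article's files is supported.
    """
    lines = [re.sub(r";.*", "", ln) for ln in zone_text.splitlines()]
    logical, buf, depth = [], [], 0
    for ln in lines:                       # join "( ... )" continuation lines
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], None
    for ln in logical:
        if not ln.strip() or ln.startswith("$"):
            continue
        tokens = ln.replace("(", " ").replace(")", " ").split()
        if not ln[0].isspace():            # explicit owner name on this line
            owner = tokens.pop(0)
        if owner is None:
            raise ValueError(f"record without an owner name: {ln!r}")
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype not in RR_TYPES:
            raise ValueError(f"unsupported record type {rtype!r}: {ln!r}")
        if owner == "@":
            full = origin
        elif owner.endswith("."):
            full = owner
        else:
            full = f"{owner}.{origin}"
        records.append((full, rtype, rdata))
    return records


def check_zone(records, origin):
    """Warnings a practitioner wants to see before 'systemctl restart named'."""
    warnings = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != origin:
        warnings.append("zone needs exactly one SOA record at the apex")
    ns_targets = {r[2][0] for r in records if r[1] == "NS" and r[0] == origin}
    if not ns_targets:
        warnings.append("no NS record at the apex")
    address_owners = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for ns in ns_targets:                  # in-zone name servers need an address
        if ns.endswith(origin) and ns not in address_owners:
            warnings.append(f"NS {ns} has no A/AAAA record in the zone")
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and ipaddress.ip_address(rdata[0]).is_loopback:
            warnings.append(f"{owner} {rtype} {rdata[0]}: loopback address left over from the template")
    return warnings


def reverse_records(records, network):
    """Derive the PTR records for `network` (a /24) from the forward A records.

    Returns (reverse_zone_name, [(last_octet, target)]); the octet is the owner
    used inside the 192.168.250.arpa file, e.g. '200 PTR www.haopython.com.'.
    """
    net = ipaddress.ip_network(network)
    octets = str(net.network_address).split(".")[:3]
    zone_name = ".".join(reversed(octets)) + ".in-addr.arpa."
    ptrs = [(rdata[0].split(".")[-1], owner)
            for owner, rtype, rdata in records
            if rtype == "A" and ipaddress.ip_address(rdata[0]) in net]
    return zone_name, ptrs


if __name__ == "__main__":
    recs = parse_records(FORWARD_ZONE, "haopython.com.")
    for w in check_zone(recs, "haopython.com."):
        print("WARNING:", w)
    zone, ptrs = reverse_records(recs, "192.168.250.0/24")
    print(f"; PTR records for {zone}")
    for octet, target in ptrs:
        print(f"{octet}\tPTR\t{target}")
```

Running it flags the inherited loopback AAAA record and prints the two PTR lines for owner 200, which is exactly what the reverse lookup of 192.168.250.200 returns in the article's nslookup session. On a host with bind-utils installed, named-checkzone performs the authoritative version of these checks.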
Part 2: Deploy the slave server
| Host name | Operating system | IP address |
|---|---|---|
| Master DNS server | Centos7.8 | 192.168.250.209 |
| Slave DNS server | Centos7.8 | 192.168.250.219 |
2. Basic framework

II. Configure the slave server
1. Edit the zone configuration file of the master server
In the master server's zone configuration file, allow the slave server to pull the zones. The directive that governs zone transfers is allow-transfer; allow-update only controls dynamic DNS updates and would let the listed host rewrite the zone:
[[email protected] named]# vim /etc/named.rfc1912.zones
[[email protected] named]# cat /etc/named.rfc1912.zones
zone "haopython.com" IN {
type master;
file "haopython.com.zone";
allow-update { none; }; # dynamic updates stay disabled
allow-transfer { 192.168.250.219; }; # only the slave may transfer (AXFR/IXFR) this zone
};
zone "250.168.192.in-addr.arpa" IN {
type master;
file "192.168.250.arpa";
allow-update { none; };
allow-transfer { 192.168.250.219; };
};
[[email protected] named]# systemctl restart named
2. Edit the zone configuration file of the slave server
On the slave server, fill in the IP address of the master server and the zones to fetch, then restart the service.
For convenience, copy the current configuration file from the master server (mybind) to the slave server (mybind2):
[[email protected] named]# scp /etc/named.rfc1912.zones [email protected]:/etc/named.rfc1912.zones
The authenticity of host '192.168.250.219 (192.168.250.219)' can't be established.
ECDSA key fingerprint is SHA256:vThEoRhUOECeD5jhE+m8TZA2+6OoElIoNOQ3XqtopZw.
ECDSA key fingerprint is MD5:97:40:b2:35:6e:07:5a:61:1f:73:f1:b2:6e:54:5b:7d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.250.219' (ECDSA) to the list of known hosts.
[email protected]'s password:
named.rfc1912.zones
Then make the changes on the slave server:
[[email protected] ~]# vim /etc/named.rfc1912.zones
[[email protected] ~]# cat /etc/named.rfc1912.zones
zone "haopython.com" IN {
type slave;
masters { 192.168.250.209; };
file "slaves/haopython.com.zone";
};
zone "250.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.250.209; };
file "slaves/192.168.250.arpa";
};
3. Test the resolution results
Check the following directory; it holds no files yet:
[[email protected] slaves]# pwd
/var/named/slaves
[[email protected] slaves]# ll
Total usage 0
[[email protected] slaves]#
Then start the bind service:
systemctl start named
systemctl status named
Set the slave server's DNS address to 192.168.250.219, then test:
[[email protected] slaves]# nslookup
> www.haopython.com
Server: 192.168.250.219
Address: 192.168.250.219#53
Name: www.haopython.com
Address: 192.168.250.200
> 192.168.250.200
200.250.168.192.in-addr.arpa name = ns.haopython.com.
200.250.168.192.in-addr.arpa name = www.haopython.com.
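The transfer above succeeds because the slave has no copy of the zone yet. From then on the slave re-fetches the zone (at the refresh interval, or when the master sends a NOTIFY) only if the master's SOA serial is newer than the one in its copy, so every edit of the master's zone files must bump the serial; both of the article's files start at serial 0. The following is an added example, not code from the article: it implements RFC 1982 serial comparison, the common YYYYMMDDnn serial convention (which the article's files do not use), and the decision the slave takes at refresh time. The dates and serial values are constructed.

```python
"""SOA serial handling for the master/slave pair: at each refresh interval
(and on NOTIFY) the slave compares the master's SOA serial with its own copy
and transfers the zone only when the master's serial is newer, so every edit
on the master must bump the serial or the slave keeps serving stale data.

Added example, not code from the article. The serial values and dates are
constructed; next_serial() implements the common YYYYMMDDnn convention,
which the article's files (serial 0) do not use.
"""
import datetime

SERIAL_SPACE = 2 ** 32


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if a is newer than b.

    Serials are 32-bit values that wrap, so 'newer' means a is less than 2^31
    steps ahead of b going forward; equal serials are never newer.
    """
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    if a == b:
        return False
    return (a > b and a - b < SERIAL_SPACE // 2) or (a < b and b - a > SERIAL_SPACE // 2)


def next_serial(current, today=None):
    """Next serial in YYYYMMDDnn form (date plus a two-digit revision).

    `today` is an int YYYYMMDD (defaults to the current UTC date). Same-day
    edits increment nn; a new day restarts at 01; if the result would not
    count as newer than `current` (e.g. a bogus future serial already in the
    file), fall back to current + 1 so the slave still picks up the change.
    """
    if today is None:
        today = int(datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%d"))
    day_base = today * 100
    candidate = current + 1 if current // 100 == today else day_base + 1
    if not serial_gt(candidate, current):
        candidate = (current + 1) % SERIAL_SPACE
    return candidate


def slave_refresh(master_serial, slave_serial):
    """The decision a slave makes when its refresh timer fires (or on NOTIFY)."""
    if slave_serial is None:               # no copy yet: /var/named/slaves is empty
        return "transfer"
    return "transfer" if serial_gt(master_serial, slave_serial) else "up-to-date"


if __name__ == "__main__":
    today = 20220625                       # constructed date
    master = 0                             # the article's zone files start at serial 0
    slave = None
    print("first refresh:", slave_refresh(master, slave))
    slave = master                         # the transfer completed
    # The admin edits www's A record on the master but forgets the serial:
    print("edit without bump:", slave_refresh(master, slave))   # up-to-date, so the slave is stale
    master = next_serial(master, today)
    print("after bump to", master, ":", slave_refresh(master, slave))
```

The practical check after every edit on the master is to compare the serial the slave serves (dig SOA against 192.168.250.219) with the one on the master; if they differ after the refresh interval, look at allow-transfer on the master and the masters list on the slave before suspecting anything else.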
Part 3: DNS split resolution
| Host name | Operating system | IP address |
|---|---|---|
| DNS server | Centos7.8 | Beijing network: 172.16.10.17/24; Shanghai network: 10.128.29.177 |
| Beijing user | WIN10 | 172.16.10.200/24 |
| Shanghai user | MAC OS | 10.128.29.200/24 |

II. Configure split resolution
1. Configure the main configuration file
Modify the main configuration file of the bind service program as follows:
[[email protected] ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; # changed to any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; # changed to any
(the rest of the options block is omitted here)
Delete the root zone (hint) definition in the following lines. When view statements are used, every zone must be declared inside a view, so named refuses to start if this top-level zone remains:
zone "." IN {
type hint;
file "named.ca";
};
2. Edit the zone configuration file
Clear the original content of the zone configuration file, then configure the view rules:
[[email protected] ~]# vim /etc/named.rfc1912.zones
[[email protected] ~]# cat /etc/named.rfc1912.zones
acl "beijing" { 172.16.10.0/24; };
acl "shanghai" { 10.128.29.0/24; };
view "beijing" {
match-clients { "beijing"; };
zone "haopython.com" {
type master;
file "haopython.com.beijing";
};
};
view "shanghai" {
match-clients { "shanghai"; }; # each element of the list needs its own terminating semicolon
zone "haopython.com" {
type master;
file "haopython.com.shanghai";
};
};
3. Create the data files
Copy the template file to create two data files with different names:
[[email protected] ~]# cd /var/named
[[email protected] named]# ls
chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
[[email protected] named]# cp -a named.localhost haopython.com.beijing
[[email protected] named]# cp -a named.localhost haopython.com.shanghai
Edit the Beijing data file first:
[[email protected] named]# vim haopython.com.beijing
[[email protected] named]# cat haopython.com.beijing
$TTL 1D
@       IN SOA  haopython.com. root.haopython.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.haopython.com.
ns      IN A    172.16.10.10    ; DNS server address (zone files use ';' for comments, not '#')
www     IN A    172.16.10.17    ; web server address
Then edit the Shanghai data file:
[[email protected] named]# vim haopython.com.shanghai
[[email protected] named]# cat haopython.com.shanghai
$TTL 1D
@       IN SOA  haopython.com. root.haopython.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.haopython.com.
ns      IN A    10.128.29.10
www     IN A    10.128.29.117
4. Verify the results
Restart the named service, then verify on the clients.
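Two things about the view configuration are worth seeing before the restart: named evaluates the views in the order they appear and the first view whose match-clients accepts the client's source address answers, and a client that matches no view is refused outright, which is what the test PC at 10.128.40.100 from Part 1 would get here. The script below is an added example, not code from the article: the ACLs and addresses are taken from the Beijing/Shanghai configuration, while the select_view/resolve helpers and the "default" catch-all view are ours.

```python
"""Simulate BIND view selection for the article's split-horizon setup.

named tests the views in configuration order and the first view whose
match-clients ACL contains the client's source address answers the query;
a client that matches no view is refused. Added example, not code from the
article: the ACLs and address data come from its Beijing/Shanghai
configuration, the helpers and the 'default' catch-all view are ours.
"""
import ipaddress

# acl "beijing" { 172.16.10.0/24; };  acl "shanghai" { 10.128.29.0/24; };
ACLS = {
    "beijing": ["172.16.10.0/24"],
    "shanghai": ["10.128.29.0/24"],
}

# (view name, match-clients list, A records) in the order they appear in the config.
VIEWS = [
    ("beijing", ["beijing"],
     {"ns.haopython.com.": "172.16.10.10", "www.haopython.com.": "172.16.10.17"}),
    ("shanghai", ["shanghai"],
     {"ns.haopython.com.": "10.128.29.10", "www.haopython.com.": "10.128.29.117"}),
]

# Constructed catch-all view for everyone else; it only works if it comes LAST.
CATCH_ALL = ("default", ["any"], {"www.haopython.com.": "192.168.250.200"})


def acl_matches(match_clients, client_ip, acls=ACLS):
    """Evaluate a match-clients list: named ACLs, the 'any' keyword, literal
    prefixes and '!' negation; the first element that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for element in match_clients:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name in acls:
            hit = acl_matches(acls[name], client_ip, acls)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts client_ip, or None."""
    for name, match_clients, _ in views:
        if acl_matches(match_clients, client_ip, acls):
            return name
    return None


def resolve(qname, client_ip, views=VIEWS, acls=ACLS):
    """Answer an A query the way the view-based server would: (view, rcode, address)."""
    for name, match_clients, records in views:
        if acl_matches(match_clients, client_ip, acls):
            addr = records.get(qname)
            return (name, "NOERROR", addr) if addr else (name, "NXDOMAIN", None)
    return (None, "REFUSED", None)


if __name__ == "__main__":
    for client in ("172.16.10.200", "10.128.29.200", "10.128.40.100"):
        print(client, "->", resolve("www.haopython.com.", client))
    # A catch-all view helps the unmatched client only when it is appended after
    # the specific views; placed first, it shadows them for every client.
    print("catch-all last :", select_view("172.16.10.200", VIEWS + [CATCH_ALL]))
    print("catch-all first:", select_view("172.16.10.200", [CATCH_ALL] + VIEWS))
```

The same ACLs are the right place to bound recursion: the main configuration file above sets allow-query { any; }, and if this server also recurses for clients, restricting recursion to the internal networks (allow-recursion with the beijing and shanghai ACLs) keeps it from serving as an open resolver for the rest of the Internet.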