Configure a BIND DNS Server with Failover and Dynamic Updates on CentOS 7
We will set up DNS failover using a master/slave configuration and configure dynamic updates.
This article is part of the Homelab Project with KVM, Katello and Puppet series.
Test Environment
We have two CentOS 7 (minimal) servers installed which we want to configure as follows:
admin1.hl.local (10.11.1.2) will be configured as the DNS master server
admin2.hl.local (10.11.1.3) will be configured as the DNS slave server
Both servers have SELinux set to enforcing mode.
Refer to the image below to identify the part of the homelab this article applies to.
Software
Software used in this article:
- CentOS 7
- bind 9.9
Configure the Master DNS Server
Installation and Firewall
Install the packages and make sure the service is enabled:
[admin1]# yum install bind bind-utils
[admin1]# systemctl enable named
Configure the firewall to allow incoming DNS traffic from the homelab LAN (we use iptables):
[admin1]# iptables -A INPUT -s 10.11.1.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
[admin1]# iptables -A INPUT -s 10.11.1.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT
If using firewalld, do the following instead:
[admin1]# firewall-cmd --add-service=dns
[admin1]# firewall-cmd --add-service=dns --permanent
Log Directory
Configure a custom log directory:
[admin1]# mkdir -m0700 /var/log/named
[admin1]# chown named:named /var/log/named
RNDC Key Configuration
Generate the rndc configuration automatically, using a 512-bit authentication key.
Note that the default key name is rndc-key.
[admin1]# rndc-confgen -a -b 512 -r /dev/urandom
wrote key file "/etc/rndc.key"
Harden file ownership and permissions:
[admin1]# chown root:named /etc/rndc.key
[admin1]# chmod 0640 /etc/rndc.key
Master named.conf Configuration and Internal Zones
The content of the master configuration file /etc/named.conf is shown below.
Note that dynamic updates to the internal zones are only accepted from hosts that know the key.

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";

# Allow rndc management
controls {
  inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

# Limit access to local network and homelab LAN
acl "clients" {
  127.0.0.0/8;
  10.11.1.0/24;
};

options {
  listen-on port 53 { 127.0.0.1; 10.11.1.2; }; ## MASTER
  listen-on-v6 { none; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  tcp-clients 50;
  # Disable built-in server information zones
  version none;
  hostname none;
  server-id none;
  recursion yes;
  recursive-clients 50;
  allow-recursion { clients; };
  allow-query { clients; };
  allow-transfer { localhost; 10.11.1.3; }; ## SLAVE
  auth-nxdomain no;
  notify no;
  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

# Specifications of what to log, and where the log messages are sent
logging {
  channel "common_log" {
    file "/var/log/named/named.log" versions 10 size 5m;
    severity dynamic;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { "common_log"; };
  category general { "common_log"; };
  category queries { "common_log"; };
  category client { "common_log"; };
  category security { "common_log"; };
  category query-errors { "common_log"; };
  category lame-servers { null; };
};

zone "." IN {
  type hint;
  file "named.ca";
};

# Internal zone definitions
zone "hl.local" {
  type master;
  file "data/db.hl.local";
  allow-update { key rndc-key; };
  notify yes;
};

zone "1.11.10.in-addr.arpa" {
  type master;
  file "data/db.1.11.10";
  allow-update { key rndc-key; };
  notify yes;
};
The content of the internal zone file /var/named/data/db.hl.local:

$TTL 86400      ; 1 day
@       IN SOA  dns1.hl.local. root.hl.local. (
                2016010700 ; Serial
                3600       ; Refresh (1 hour)
                3600       ; Retry (1 hour)
                604800     ; Expire (1 week)
                3600       ; Minimum (1 hour)
                )
@         NS    dns1.hl.local.
@         NS    dns2.hl.local.
@         A     10.11.1.2
@         A     10.11.1.3
dns1      A     10.11.1.2
dns2      A     10.11.1.3
admin1    A     10.11.1.2
admin2    A     10.11.1.3
katello   A     10.11.1.4
mikrotik  A     10.11.1.1
pve       A     10.11.1.5

The content of the internal reverse zone file /var/named/data/db.1.11.10:

$TTL 86400      ; 1 day
@       IN SOA  dns1.hl.local. root.hl.local. (
                2016010700 ; Serial
                3600       ; Refresh (1 hour)
                3600       ; Retry (1 hour)
                604800     ; Expire (1 week)
                3600       ; Minimum (1 hour)
                )
@         NS    dns1.hl.local.
@         NS    dns2.hl.local.
@         PTR   hl.local.
dns1      A     10.11.1.2
dns2      A     10.11.1.3
2         PTR   dns1.hl.local.
3         PTR   dns2.hl.local.
1         PTR   mikrotik.hl.local.
2         PTR   admin1.hl.local.
3         PTR   admin2.hl.local.
4         PTR   katello.hl.local.
5         PTR   pve.hl.local.
Make sure the file ownership is correct and the SELinux file contexts are applied:
[admin1]# chown named:named /var/named/data/db.hl.local /var/named/data/db.1.11.10
[admin1]# semanage fcontext -a -t named_zone_t /var/named/data/db.hl.local
[admin1]# semanage fcontext -a -t named_zone_t /var/named/data/db.1.11.10
[admin1]# restorecon -Rv /var/named/
Allow named to write master zones:
[admin1]# setsebool -P named_write_master_zones=1
Check the syntax of the master configuration file:
[admin1]# named-checkconf /etc/named.conf
Check the zone files:
[admin1]# named-checkzone hl.local /var/named/data/db.hl.local
zone hl.local/IN: loaded serial 2016010700
OK
[admin1]# named-checkzone 1.11.10.in-addr.arpa /var/named/data/db.1.11.10
zone 1.11.10.in-addr.arpa/IN: loaded serial 2016010700
OK
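named-checkzone validates each zone on its own but does not cross-check the forward zone against the reverse zone. The following added example (not part of the article) does that for the hl.local data above: record text is excerpted from the two zone files ($TTL, SOA and NS lines omitted), the zone parser is deliberately minimal, and on this data it reports the apex A records that have no PTR and the two addresses that carry more than one PTR.

```python
# Constructed from the article's db.hl.local / db.1.11.10 ($TTL, SOA, NS omitted).
FORWARD_ZONE = """
@ A 10.11.1.2
@ A 10.11.1.3
dns1 A 10.11.1.2
dns2 A 10.11.1.3
admin1 A 10.11.1.2
admin2 A 10.11.1.3
katello A 10.11.1.4
"""
REVERSE_ZONE = """
@ PTR hl.local.
2 PTR dns1.hl.local.
3 PTR dns2.hl.local.
2 PTR admin1.hl.local.
3 PTR admin2.hl.local.
4 PTR katello.hl.local.
"""

def parse_records(zone_text, origin):
    """(owner_fqdn, type, rdata) per one-line record; '@', relative/absolute owners,
    optional TTL and 'IN' class handled; $directives and comments skipped."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields or fields[0].startswith("$"):
            continue
        while fields[1].isdigit() or fields[1] == "IN":  # drop TTL / class
            del fields[1]
        owner = origin if fields[0] == "@" else fields[0]
        if not owner.endswith("."):
            owner += "." + origin
        out.append((owner, fields[1], " ".join(fields[2:])))
    return out

def ptr_owner_to_ip(owner):
    """'2.1.11.10.in-addr.arpa.' -> '10.11.1.2'; None unless the owner is a full /32."""
    labels = owner.split(".")
    return ".".join(labels[3::-1]) if len(labels) == 7 and labels[4:] == ["in-addr", "arpa", ""] else None

def check_consistency(forward_text, reverse_text, fwd_origin, rev_origin):
    """Report A records lacking a PTR, PTRs lacking an A, and IPs with more than one PTR."""
    forward = {(r, o) for o, t, r in parse_records(forward_text, fwd_origin) if t == "A"}
    ptrs = {}
    for owner, rtype, target in parse_records(reverse_text, rev_origin):
        if rtype == "PTR" and (ip := ptr_owner_to_ip(owner)):
            ptrs.setdefault(ip, set()).add(target)
    reverse = {(ip, name) for ip, names in ptrs.items() for name in names}
    return {"a_without_ptr": sorted(forward - reverse),
            "ptr_without_a": sorted(reverse - forward),
            "multiple_ptr": {ip: sorted(n) for ip, n in ptrs.items() if len(n) > 1}}
```

Run it with check_consistency(FORWARD_ZONE, REVERSE_ZONE, "hl.local.", "1.11.10.in-addr.arpa."); an empty report means every A record has a matching PTR and vice versa.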
The content of /etc/resolv.conf is shown below:
nameserver 10.11.1.2
Restart the service:
[admin1]# systemctl restart named
Show the server status:
[admin1]# rndc status
version: 9.9.4-RedHat-9.9.4-51.el7 (version.bind/txt/ch disabled)
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/50
tcp clients: 0/50
server is up and running
Dig the zone:
[admin1]# dig @10.11.1.2 ns hl.local

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @10.11.1.2 ns hl.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22854
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hl.local.                      IN      NS

;; ANSWER SECTION:
hl.local.               86400   IN      NS      dns2.hl.local.
hl.local.               86400   IN      NS      dns1.hl.local.

;; ADDITIONAL SECTION:
dns1.hl.local.          86400   IN      A       10.11.1.2
dns2.hl.local.          86400   IN      A       10.11.1.3

;; Query time: 0 msec
;; SERVER: 10.11.1.2#53(10.11.1.2)
;; WHEN: Sun Jan 07 16:20:28 GMT 2016
;; MSG SIZE  rcvd: 107
Configure the Slave DNS Server
Installation and Firewall
This part is identical to the master server.
Install the packages and make sure the service is enabled:
[admin2]# yum install bind bind-utils
[admin2]# systemctl enable named
Configure the firewall to allow incoming DNS traffic from the homelab LAN (we use iptables):
[admin2]# iptables -A INPUT -s 10.11.1.0/24 -p tcp -m state --state NEW --dport 53 -j ACCEPT
[admin2]# iptables -A INPUT -s 10.11.1.0/24 -p udp -m state --state NEW --dport 53 -j ACCEPT
Log Directory
Configure a custom log directory:
[admin2]# mkdir -m0700 /var/log/named
[admin2]# chown named:named /var/log/named
Slave named.conf Configuration
The content of the slave configuration file /etc/named.conf is shown below.

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

acl "clients" {
  127.0.0.0/8;
  10.11.1.0/24;
};

options {
  listen-on port 53 { 127.0.0.1; 10.11.1.3; }; ## SLAVE
  listen-on-v6 { none; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  tcp-clients 50;
  # Disable built-in server information zones
  version none;
  hostname none;
  server-id none;
  recursion yes;
  recursive-clients 50;
  allow-recursion { clients; };
  allow-query { clients; };
  allow-transfer { none; };
  auth-nxdomain no;
  notify no;
  dnssec-enable yes;
  dnssec-validation auto;
  dnssec-lookaside auto;
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};

# Specifications of what to log, and where the log messages are sent
logging {
  channel "common_log" {
    file "/var/log/named/named.log" versions 10 size 5m;
    severity dynamic;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { "common_log"; };
  category general { "common_log"; };
  category queries { "common_log"; };
  category client { "common_log"; };
  category security { "common_log"; };
  category query-errors { "common_log"; };
  category lame-servers { null; };
};

zone "." IN {
  type hint;
  file "named.ca";
};

# Internal zone definitions
zone "hl.local" {
  type slave;
  file "data/db.hl.local";
  masters { 10.11.1.2; };
  allow-notify { 10.11.1.2; };
};

zone "1.11.10.in-addr.arpa" {
  type slave;
  file "data/db.1.11.10";
  masters { 10.11.1.2; };
  allow-notify { 10.11.1.2; };
};
Check the syntax of the slave configuration file:
[admin2]# named-checkconf /etc/named.conf
The content of /etc/resolv.conf is shown below:
nameserver 10.11.1.3
nameserver 10.11.1.2
Allow named to write master zones:
[admin2]# setsebool -P named_write_master_zones=1
Restart the service:
[admin2]# systemctl restart named
Dig the zone:
[admin2]# dig @10.11.1.3 ns hl.local

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> @10.11.1.3 ns hl.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37134
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hl.local.                      IN      NS

;; ANSWER SECTION:
hl.local.               86400   IN      NS      dns2.hl.local.
hl.local.               86400   IN      NS      dns1.hl.local.

;; ADDITIONAL SECTION:
dns1.hl.local.          86400   IN      A       10.11.1.2
dns2.hl.local.          86400   IN      A       10.11.1.3

;; Query time: 0 msec
;; SERVER: 10.11.1.3#53(10.11.1.3)
;; WHEN: Sun Jan 07 16:20:07 GMT 2016
;; MSG SIZE  rcvd: 107
How to Edit Dynamic DNS
The dynamic DNS update utility nsupdate is used to make changes to a dynamic zone without editing the zone file and restarting the DNS server.
Since we have declared our zones dynamic, this is how we should make our edits.
For example, to delete all records of any type that were added for a name, we can do the following:
# nsupdate -k /etc/rndc.key
> update delete example.hl.local
> send
> quit
Note that rndc does not allow us to reload a dynamic zone:
# rndc reload hl.local
rndc: 'reload' failed: dynamic zone
To do that, we first need to suspend dynamic updates:
# rndc freeze hl.local
Now we can edit the zone file if needed.
Once done, we reload the zone and allow dynamic updates again:
# rndc reload hl.local
# rndc thaw hl.local