本节将详细介绍DNS服务器的子域授权(delegation)和辅助DNS(slave)的配置。在公网上,根域服务器把cn.、edu.、hk.这样的顶级域授权给相应的DNS服务器管理;上级域只保存指向子域权威服务器的NS记录和glue记录,并不会把子域的区域数据(包括反向区域)传送回来,反向解析的in-addr.arpa.是单独授权的。本文为了演示区域传送(zone transfer)的机制,让server同时充当client反向区域的辅助DNS。在下列的配置中server模拟上级(根)域服务器的工作机制;client则模拟子域服务器。server IP:192.168.100.254/24,client IP:192.168.100.20/24
一:子域的授权
[root@server ~]# cat /var/named/chroot/var/named/6688.zone //server服务器上父域6688.cc的区域文件,其中指定子域的授权。注意:本区域的NS是6688.cc.,但文件里没有6688.cc.自身的A记录,应补上 @ IN A 192.168.100.254,否则这个NS名解析不到地址
$TTL 86400
@ IN SOA 6688.cc. root.6688.cc. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS 6688.cc.
@ IN MX 10 6688.cc.
www.6688.cc. IN NS www.6688.cc. //NS记录把子域www.6688.cc委派给名为www.6688.cc.的权威服务器;由于这个NS名本身位于子域内部,下一行必须提供glue A记录
www.6688.cc. IN A 192.168.100.20 //glue记录:指定子域权威DNS服务器www.6688.cc.的IP。注意下一行 www IN A 192.168.100.254 的所有者同样是www.6688.cc.却指向另一个地址;处于委派点的记录在父域中被遮蔽,不会作为应答返回(下面dig得到的是.20),建议删除那一行以免混淆
www IN A 192.168.100.254
ftp IN CNAME www
[root@server ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client ~]# grep -v '^//' /etc/named.conf |grep -v '//' //client服务器主配置文件(过滤掉注释行)。注意options中没有限制递归,配合allow-query { any; }会让它成为对任何人开放的递归解析器,生产环境应加上 recursion no;(权威服务器)或 allow-recursion { 可信网段; };
options {
listen-on port 53 { 192.168.100.20; };
directory "/var/named";
allow-query { any; };
};
include "/etc/named.rfc1912.zones";
zone "www.6688.cc" IN {
type master;
file "www.6688.cc";
allow-update {none;};
};
zone "1.1.1.in-addr.arpa" IN {
type master;
file "1.1.1.zone";
allow-update {none;};
};
[root@client ~]# cat /var/named/chroot/var/named/www.6688.cc //client服务器的正向区域文件
$TTL 86400
@ IN SOA www.6688.cc. root.www.6688.cc. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS www.6688.cc.
@ IN A 192.168.100.20
www IN A 1.1.1.1
ftp IN A 1.1.1.2
[root@client ~]# cat /var/named/chroot/var/named/1.1.1.zone //client服务器的反向区域文件
$TTL 86400
@ IN SOA www.6688.cc. root.www.6688.cc. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS www.6688.cc.
20 IN PTR www.6688.cc.
1 IN PTR www.www.6688.cc.
2 IN PTR ftp.www.6688.cc.
[root@client ~]# service named configtest //测试配置文件
zone localdomain/IN: loaded serial 42
zone localhost/IN: loaded serial 42
zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
zone 255.in-addr.arpa/IN: loaded serial 42
zone 0.in-addr.arpa/IN: loaded serial 42
zone www.6688.cc/IN: loaded serial 42
zone 1.1.1.in-addr.arpa/IN: loaded serial 1997022700
[root@client ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
测试,这里的测试都指向server进行。注意下面应答的flags只有qr rd ra而没有aa:www.6688.cc已被委派出去,server本身不是权威,它是向子域服务器递归查询后把结果返回的;ra表示server对任意查询者都提供递归服务,生产环境中的权威服务器应配置 recursion no;,否则会成为开放解析器,可能被用于DNS放大攻击
[root@client ~]# dig www.6688.cc @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.6688.cc @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53530
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.6688.cc. IN A
;; ANSWER SECTION:
www.6688.cc. 86400 IN A 192.168.100.20
;; AUTHORITY SECTION:
www.6688.cc. 86400 IN NS www.6688.cc.
;; Query time: 23 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:54:43 2010
;; MSG SIZE rcvd: 69
[root@client ~]# dig ftp.www.6688.cc @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> ftp.www.6688.cc @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3741
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.www.6688.cc. IN A
;; ANSWER SECTION:
ftp.www.6688.cc. 86400 IN A 1.1.1.2
;; AUTHORITY SECTION:
www.6688.cc. 86400 IN NS www.6688.cc.
;; Query time: 14 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:36:33 2010
;; MSG SIZE rcvd: 73
[root@client ~]# dig www.www.6688.cc @192.168.100.254
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> www.www.6688.cc @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.www.6688.cc. IN A
;; ANSWER SECTION:
www.www.6688.cc. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
www.6688.cc. 86400 IN NS www.6688.cc.
;; Query time: 15 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 07:37:20 2010
;; MSG SIZE rcvd: 73
二:辅助DNS服务器的配置
[root@client ~]# grep -A 1 -B 1 'allow-transfer' /etc/named.conf //在client服务器主配置文件的options(全局)中加入allow-transfer参数;不加的话默认允许任何IP进行区域传送,任何人都能用AXFR拿到整个区域的全部记录,很不安全。只按来源IP限制是最基本的防护,更稳妥的做法是再用TSIG密钥对区域传送做认证
allow-query { any; };
allow-transfer {192.168.100.254;};
};
[root@client ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@server ~]# tail -5 /etc/named.conf //在server主配置文件中加入辅助DNS服务器(slave)的区域配置,辅助DNS服务器也可以配置正向区域。server自身的区域同样应该配置allow-transfer,只允许真正的辅助服务器传送
zone "1.1.1.in-addr.arpa" IN {
type slave; //指定类型为slave
masters { 192.168.100.20; }; //指定主服务器的IP(BIND 9的关键字是masters,后面跟大括号括起的地址列表)
file "slaves/1.1.1.zone"; //传送后的文件保存位置
};
[root@server ~]# ls /var/named/chroot/var/named/slaves/ //从主服务器传送过来的区域文件默认保存在这个位置,该目录必须能被named用户写入;如果修改到其他位置,则需要注意同时修改目录权限和selinux的布尔值
[root@server ~]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@server ~]# tail -f /var/log/messages //查看日志。测试区域传送可以使用 dig @192.168.100.20 1.1.1.in-addr.arpa -t axfr;从192.168.100.254以外的主机执行应得到 Transfer failed.,以此确认allow-transfer确实生效
Mar 14 08:09:28 server named[4350]: starting BIND 9.3.6-P1-RedHat-9.3.6-4.P1.el5 -u named -t /var/named/chroot
Mar 14 08:09:28 server named[4350]: adjusted limit on open files from 1024 to 1048576
Mar 14 08:09:28 server named[4350]: found 2 CPUs, using 2 worker threads
Mar 14 08:09:28 server named[4350]: using up to 4096 sockets
Mar 14 08:09:28 server named[4350]: loading configuration from '/etc/named.conf'
Mar 14 08:09:28 server named[4350]: using default UDP/IPv4 port range: [1024, 65535]
Mar 14 08:09:28 server named[4350]: using default UDP/IPv6 port range: [1024, 65535]
Mar 14 08:09:28 server named[4350]: listening on IPv4 interface eth1, 192.168.100.254#53
Mar 14 08:09:28 server named[4350]: command channel listening on 127.0.0.1#953
Mar 14 08:09:28 server named[4350]: command channel listening on ::1#953
Mar 14 08:09:28 server named[4350]: the working directory is not writable
Mar 14 08:09:28 server named[4350]: zone 0.in-addr.arpa/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 100.168.192.in-addr.arpa/IN: loaded serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 255.in-addr.arpa/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 1997022700
Mar 14 08:09:28 server named[4350]: zone 6688.cc/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: zone localdomain/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: zone localhost/IN: loaded serial 42
Mar 14 08:09:28 server named[4350]: running
Mar 14 08:09:28 server named[4350]: zone 1.1.1.in-addr.arpa/IN: Transfer started. //开始区域传送
Mar 14 08:09:28 server named[4350]: transfer of '1.1.1.in-addr.arpa/IN' from 192.168.100.20#53: connected using 192.168.100.254#38446 //通过TCP连接到client服务器的53端口(区域传送使用TCP,本端使用临时端口38446)
Mar 14 08:09:29 server named[4350]: zone 1.1.1.in-addr.arpa/IN: transferred serial 1997022700 //传送序列号,在区域文件中定义
Mar 14 08:09:29 server named[4350]: transfer of '1.1.1.in-addr.arpa/IN' from 192.168.100.20#53: end of transfer //结束传送
[root@server ~]# cat /var/named/chroot/var/named/slaves/1.1.1.zone //查看传送好的区域文件
$ORIGIN .
$TTL 86400 ; 1 day
1.1.1.in-addr.arpa IN SOA www.6688.cc. root.www.6688.cc. (
1997022700 ; serial
28800 ; refresh (8 hours)
14400 ; retry (4 hours)
3600000 ; expire (5 weeks 6 days 16 hours)
86400 ; minimum (1 day)
)
NS www.6688.cc.
$ORIGIN 1.1.1.in-addr.arpa.
1 PTR www.www.6688.cc.
2 PTR ftp.www.6688.cc.
20 PTR www.6688.cc.