Linux下搭建主从DNS服务器并实现智能解析(2)

测试反解(Linux方法)

[Allen@master ~]$ dig -x 123.59.246.200 | grep -A1 "ANSWER SECTION" ;; ANSWER SECTION: 200.246.59.123.in-addr.arpa. 21599 IN PTR mail.ehousechina.com. [Allen@master ~]$ dig -x 111.204.53.64 | grep -A1 "ANSWER SECTION" ;; ANSWER SECTION: 64.53.204.111.in-addr.arpa. 37 IN PTR mail.ybjt.net. 6. 权威答案与非权威答案

权威答案：直接负责这个域的NS服务器返回的答案；

非权威答案：服务器不负责这个域，只是因为之前解析过，所以缓存中有，返回缓存中的答案；将这种答案叫做非权威答案是因为，上级DNS可能随时会更新，而所查询的DNS服务器本地缓存不一定及时更新了，所以这时客户端得到的答案可能是无效的；

7. 主/从DNS服务器

主DNS服务器：维护所负责解析的域的数据库的服务器；读写操作均可进行；主服务器的数据会不断发生改变；

从DNS服务器：从主DNS服务器那里或其它的从DNS服务器那里“复制”一份解析库；但只能进行读操作不能修改；从服务器的数据库要随时同步主服务器的数据；

8. 主/从之间的同步方式

在主DNS服务器上定义数据库的序号，当要改变数据库时，手动将序号增加，从DNS服务器每隔一段时间去同步时，根据这个序号判断是否更新自己的数据库(如果主DNS服务器的序号大，就要更新数据)；
配置文件中要需要定义一下几个计时器：

刷新时间间隔refresh：表示从服务器多长时间去同步一次；

重试时间间隔retry：表示同步不到时等待多长时间以后再尝试同步，重试时间要短于刷新时间；

过期时长expire：表示从服务器始终联系不到主服务器时，多久之后放弃从主服务器同步数据；停止提供服务；

negative answer ttl: 否定答案的缓存时长；

假如在刷新时间为5分钟，从服务器刚刷新完数据库，过1分钟后，主服务器就更新了数据库，那么在后面的4分钟之内，从服务器与主服务器的数据库是不同步的，如果在这段时间主服务器挂了，从服务器将没办法得到数据，也没办法向客户端提供最新数据服务，所以用刷新时间解决数据库更新同步是不完美的；

9. 主实时的通知从更新数据

主服务器数据库有变化，会立即通知从服务器更新数据库；这样数据库同步就有了两种叫法：一种站在从服务器角度是拉取，一种是站在主服务器角度描述推送；

10. 区域传送

当主服务器数据库量很大，有上万个域名解析，从服务器来来取数据库时，主服务器数据库只更新了一条信息，从服务器则不用把整个数据库同步一遍，而只需同步变化的数据即可；当从服务器是新数据库时才同步整个数据库；这个同步的过程也叫区域传送，有两种方式，一种是全量传送axfr，一种是增量传送ixfr；

11. 创建主/从DNS，实现智能解析实验 11.1. 基础信息说明

二级域名：linuxidc.com、linuxmi.com

linuxidc.com主DNS服务器：10.207.51.40：master.linuxidc.com

linuxidc.com从DNS服务器：10.207.51.30; 10.207.51.31：slave.linuxidc.com

linuxmi.com主DNS服务器：10.207.51.32：master.linuxmi.com

web服务器：10.207.51.41：>

web服务器：10.207.51.42：>

client1：10.207.51.61

client2：10.207.51.81

实现效果：当client1访问时解析到10.207.51.41；当client2访问是解析到10.207.51.42；

11.2. 配置主DNS服务器 [root@master ~]# yum install -y bind 11.2.1. 修改主配置文件 [root@master ~]# vim /etc/named.conf ##区域配置保持默认即可 options { listen-on port 53 { 10.207.51.40; }; allow-query { any; }; forward first; forwarders { 10.207.51.32; }; recursion yes; allow-recursion { 10.0.0.0/8;172.16.0.0/15;192.168.0.0/16; }; dnssec-enable no; dnssec-validation no; forward first; forwarders { 8.8.8.8; }; //zone "." IN { // type hint; // file "named.ca"; //}; [root@master ~]# vim /etc/named.rfc1912.zones acl client1 { 10.207.51.61;10.207.51.30; }; acl client2 { 10.207.51.81;10.207.51.31; }; view "client1" { match-clients { "client1"; }; zone "." IN { type hint; file "named.ca"; }; zone "linuxidc.com" IN { type master; file "linuxidc.com.zone.c1"; allow-transfer { 10.207.51.30; }; allow-update { none; }; }; zone "51.207.10.in-addr.arpa" IN { type master; file "10.207.51.zone.c1"; allow-transfer { 10.207.51.30; }; allow-update { none; }; }; zone "linuxmi.com" IN { type forward; forward only; forwarders { 10.207.51.32; }; }; }; view "client2" { match-clients { "client2"; }; zone "." IN { type hint; file "named.ca"; }; zone "linuxidc.com" IN { type master; file "linuxidc.com.zone.c2"; allow-transfer { 10.207.51.31; }; allow-update { none; }; }; zone "51.207.10.in-addr.arpa" IN { type master; file "10.207.51.zone.c2"; allow-transfer { 10.207.51.31; }; allow-update { none; }; }; zone "linuxmi.com" IN { type forward; forward only; forwarders { 10.207.51.32; }; }; }; 11.2.2. 创建zonefile [root@master ~]# vim /var/named/linuxidc.com.zone.c1 $TTL 3600 $ORIGIN linuxidc.com. @ IN SOA master.linuxidc.com. admin.linuxidc.com. ( 2018111601 1H 30M 5H 1H ) IN NS master IN NS slave master IN A 10.207.51.40 slave IN A 10.207.51.31 www IN CNAME [root@master ~]# vim /var/named/linuxidc.com.zone.c2 $TTL 3600 $ORIGIN linuxidc.com. @ IN SOA master.linuxidc.com. admin.linuxidc.com. ( 2018111601 1H 30M 5H 1H ) IN NS master IN NS slave master IN A 10.207.51.40 slave IN A 10.207.51.31 www IN CNAME [root@master ~]# vim /var/named/10.207.51.zone.c1 $TTL 3600 $ORIGIN 51.207.10.in-addr.arpa. @ IN SOA master.linuxidc.com. admin.linuxidc.com. ( 2018111601 1H 30M 5H 1H ) IN NS master.linuxidc.com. IN NS slave.linuxidc.com. 40 IN PTR master.linuxidc.com. 31 IN PTR slave.linuxidc.com. 41 IN PTR [root@master ~]# vim /var/named/10.207.51.zone.c2 $TTL 3600 $ORIGIN 51.207.10.in-addr.arpa. @ IN SOA master.linuxidc.com. admin.linuxidc.com. ( 2018111601 1H 30M 5H 1H ) IN NS master.linuxidc.com. IN NS slave.linuxidc.com. 40 IN PTR master.linuxidc.com. 31 IN PTR slave.linuxidc.com. 42 IN PTR 11.2.3. 修改权限 [root@master ~]# cd /var/named/ [root@master named]# chown :named linuxidc.com.zone.c1 linuxidc.com.zone.c2 10.207.51.zone.c1 10.207.51.zone.c2 [root@master named]# chmod 640 linuxidc.com.zone.c1 linuxidc.com.zone.c2 10.207.51.zone.c1 10.207.51.zone.c2 11.2.4. 启动服务 [root@master named]# systemctl start named [root@master named]# ss -antu | grep "\<53" udp UNCONN 0 0 10.207.51.40:53 *:* tcp LISTEN 0 10 10.207.51.40:53 *:* 11.3. 配置备DNS服务器 [root@slave ~]# yum install -y bind 10.3.1. 修改主配置文件 [root@slave ~]# vim /etc/named.conf ##区域配置保持默认即可 options { listen-on port 53 { 10.207.51.31; }; allow-query { any; }; forward first; forwarders { 10.207.51.32; }; recursion yes; allow-recursion { 10.0.0.0/8;172.16.0.0/8;192.168.0.0/8; }; dnssec-enable no; dnssec-validation no; forward first; forwarders { 8.8.8.8; }; //zone "." IN { // type hint; // file "named.ca"; //}; [root@slave ~]# vim /etc/named.rfc1912.zones acl client1 { 10.207.51.61; }; acl client2 { 10.207.51.81; }; view "client1" { match-clients { "client1"; }; zone "linuxidc.com" IN { type slave; file "slaves/linuxidc.com.zone.c1"; masters { 10.207.51.40; }; transfer-source 10.207.51.31; }; zone "51.207.10.in-addr.arpa" IN { type slave; file "slaves/10.207.51.zone.c1"; masters { 10.207.51.40; }; transfer-source 10.207.51.31; }; zone "linuxmi.com" IN { type forward; forward only; forwarders { 10.207.51.32; }; }; }; view "client2" { match-clients { "client2"; }; zone "." IN { type hint; file "named.ca"; }; zone "linuxidc.com" IN { type slave; file "slaves/linuxidc.com.zone.c2"; masters { 10.207.51.40; }; transfer-source 10.207.51.31; }; zone "51.207.10.in-addr.arpa" IN { type slave; file "slaves/10.207.51.zone.c2"; masters { 10.207.51.40; }; transfer-source 10.207.51.31; }; zone "linuxmi.com" IN { type forward; forward only; forwarders { 10.207.51.32; }; }; }; 11.3.2. 修改权限 [root@slave ~]# cd /var/named/ [root@slave named]# chown named:named slaves [root@slave named]# chmod 770 slaves 11.3.3. 启动服务 [root@slave ~]# systemctl start named [root@slaves ~]# ss -antu | grep "\<53" udp UNCONN 0 0 10.207.51.31:53 *:* tcp LISTEN 0 10 10.207.51.30:53 *:* 11.4. 测试效果 [root@client ~]# dig -b 10.207.51.61 @10.207.51.40 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -b 10.207.51.61 @10.207.51.40 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18485 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: 3600 IN CNAME 3600 IN A 10.207.51.41 ##测试主DNS，客户端10.207.51.61解析，IP地址为10.207.51.41，解析成功； ;; AUTHORITY SECTION: linuxmi.com. 3600 IN NS master.linuxmi.com. ;; ADDITIONAL SECTION: master.linuxmi.com. 3600 IN A 10.207.51.32 ;; Query time: 5 msec ;; SERVER: 10.207.51.40#53(10.207.51.40) ;; WHEN: Fri Nov 16 18:28:07 CST 2018 ;; MSG SIZE rcvd: 122 [root@client ~]# dig -b 10.207.51.81 @10.207.51.40 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -b 10.207.51.81 @10.207.51.40 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21173 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: 3600 IN CNAME 3600 IN A 10.207.51.42 ##测试主DNS，客户端10.207.51.81解析，IP地址为10.207.51.42，解析成功； ;; AUTHORITY SECTION: linuxmi.com. 3600 IN NS master.linuxmi.com. ;; ADDITIONAL SECTION: master.linuxmi.com. 3600 IN A 10.207.51.32 ;; Query time: 5 msec ;; SERVER: 10.207.51.40#53(10.207.51.40) ;; WHEN: Fri Nov 16 18:28:32 CST 2018 ;; MSG SIZE rcvd: 122 [root@client ~]# dig -b 10.207.51.61 @10.207.51.31 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -b 10.207.51.61 @10.207.51.31 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36254 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: 3600 IN CNAME 3600 IN A 10.207.51.41 ##测试从DNS，客户端10.207.51.61解析，IP地址为10.207.51.41，解析成功； ;; AUTHORITY SECTION: linuxmi.com. 3600 IN NS master.linuxmi.com. ;; ADDITIONAL SECTION: master.linuxmi.com. 3600 IN A 10.207.51.32 ;; Query time: 1 msec ;; SERVER: 10.207.51.31#53(10.207.51.31) ;; WHEN: Sun Nov 18 20:40:35 CST 2018 ;; MSG SIZE rcvd: 122 [root@client ~]# dig -b 10.207.51.81 @10.207.51.31 ; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -b 10.207.51.81 @10.207.51.31 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4116 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ; IN A ;; ANSWER SECTION: 3600 IN CNAME 2921 IN A 10.207.51.42 ##测试从DNS，客户端10.207.51.81解析，IP地址为10.207.51.42，解析成功； ;; AUTHORITY SECTION: linuxmi.com. 2921 IN NS master.linuxmi.com. ;; ADDITIONAL SECTION: master.linuxmi.com. 2921 IN A 10.207.51.32 ;; Query time: 0 msec ;; SERVER: 10.207.51.31#53(10.207.51.31) ;; WHEN: Sun Nov 18 20:40:50 CST 2018 ;; MSG SIZE rcvd: 122

Linux公社的RSS地址：https://www.linuxidc.com/rssFeed.aspx