Domain: demo.com
- Primary (master) DNS server details:
Operating System : CentOS 7 minimal server
Hostname : dns1.demo.com
IP Address : 10.0.1.254/24
- Secondary (slave) DNS server details:
Operating System : CentOS 7 minimal server
Hostname : dns2.demo.com
IP Address : 10.0.1.253/24
Client details:
app1.demo.com : 10.0.1.1
app2.demo.com : 10.0.1.2
app3.demo.com : 10.0.2.1
app4.demo.com : 10.0.2.2
yum install bind bind-utils -y
vi /etc/named.conf
Add or change the lines marked with '###' comments, as shown below:
options {
    listen-on port 53 { 127.0.0.1; 10.0.1.254; }; ### Master DNS IP ###
#   listen-on-v6 port 53 { ::1; }; ### Disable ipv6
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 10.0.1.0/24; 10.0.2.0/24; }; ### IP Range ###
    allow-transfer { localhost; 10.0.1.253; }; ### Slave DNS IP ###

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

####### Add the forward (name to address) zone ###########
zone "demo.com" IN {
    type master;
    file "demo.com.zone";
    allow-update { none; };
};

####### Add the reverse (address to name) zones ###########
zone "1.0.10.in-addr.arpa" IN {
    type master;
    file "10.0.1.zone";
    allow-update { none; };
};

zone "2.0.10.in-addr.arpa" IN {
    type master;
    file "10.0.2.zone";
    allow-update { none; };
};
#####################################

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
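The options block above decides who may query, who may recurse and who may pull a full copy of the zones. As an added example (not part of the original tutorial), the script below reads a named.conf in the syntax shown above and reports the settings a reviewer would flag: an unrestricted allow-query, a missing or `any` allow-transfer, recursion with no restricting ACL, and zones that accept dynamic updates. The two embedded configs are constructed: HARDENED mirrors the statements above, OPEN is a deliberately weakened variant. Assumption: a small regex reader is enough for this file layout; it is not a full named.conf parser.

```python
"""Audit the security-relevant statements of a BIND named.conf."""
import re

# Constructed copy of the options/zone statements above (boilerplate paths omitted).
HARDENED = """
options {
    listen-on port 53 { 127.0.0.1; 10.0.1.254; }; ### Master DNS IP ###
    allow-query { localhost; 10.0.1.0/24; 10.0.2.0/24; }; ### IP Range ###
    allow-transfer { localhost; 10.0.1.253; }; ### Slave DNS IP ###
    recursion yes;
};
zone "demo.com" IN { type master; file "demo.com.zone"; allow-update { none; }; };
"""

# Constructed weak variant: open resolver that also serves AXFR and updates to anyone.
OPEN = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-transfer { any; };
    recursion yes;
};
zone "demo.com" IN { type master; file "demo.com.zone"; allow-update { any; }; };
"""


def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def body_after(text, pos):
    """Return the text between the '{' just before `pos` and its matching '}'."""
    depth = 1
    for i in range(pos, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[pos:i]
    raise ValueError("unbalanced braces")


def acl(body, name):
    """Address-match list of `name { ...; };` inside body, or None if absent."""
    m = re.search(re.escape(name) + r"\s*\{([^}]*)\}", body)
    if m is None:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Return a list of findings; an empty list means every checked ACL is restricted."""
    conf = strip_comments(conf)
    findings = []
    m = re.search(r"\boptions\s*\{", conf)
    opts = body_after(conf, m.end()) if m else ""
    query = acl(opts, "allow-query")
    xfer = acl(opts, "allow-transfer")
    if query is None or "any" in query:
        findings.append("allow-query is missing or 'any'")
    if xfer is None or "any" in xfer:
        findings.append("allow-transfer is missing or 'any': any client can AXFR the zones")
    if re.search(r"\brecursion\s+yes\s*;", opts):
        # BIND derives allow-recursion from allow-query-cache, then allow-query,
        # when it is not set explicitly, so check the effective list.
        effective = acl(opts, "allow-recursion")
        if effective is None:
            effective = acl(opts, "allow-query-cache")
        if effective is None:
            effective = query
        if effective is None or "any" in effective:
            findings.append("open resolver: recursion yes with no restricting ACL")
    for zm in re.finditer(r'\bzone\s+"([^"]+)"[^{]*\{', conf):
        upd = acl(body_after(conf, zm.end()), "allow-update")
        if upd and "none" not in upd:
            findings.append(f"zone {zm.group(1)}: dynamic updates allowed from {' '.join(upd)}")
    return findings


if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED), ("open", OPEN)):
        print(label, audit(conf) or ["no findings"])
```

Run it against /etc/named.conf by reading the file into `audit()`; with the configuration above it reports nothing, because recursion is only reachable from the allow-query networks and transfers are limited to the slave.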
vi /var/named/demo.com.zone
Add the following lines (the master is dns1.demo.com, so its A record must be named dns1, matching the NS records; the indented NS lines inherit the owner "@" from the SOA line):
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
dns1 IN A 10.0.1.254
dns2 IN A 10.0.1.253
app1 IN A 10.0.1.1
app2 IN A 10.0.1.2
app3 IN A 10.0.2.1
app4 IN A 10.0.2.2
vi /var/named/10.0.1.zone
Add the following lines:
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
254 IN PTR dns1.demo.com.
253 IN PTR dns2.demo.com.
1 IN PTR app1.demo.com.
2 IN PTR app2.demo.com.
vi /var/named/10.0.2.zone
Add the following lines (only app3 and app4 live in 10.0.2.0/24; the name servers are in 10.0.1.0/24 and get their PTR records in 10.0.1.zone):
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
1 IN PTR app3.demo.com.
2 IN PTR app4.demo.com.
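Forward and reverse zones drift apart easily when they are typed by hand, and an NS record whose target has no A record leaves the zone without working glue. As an added example (not part of the original tutorial), the script below parses the master-file subset used above ($TTL, a one-line SOA, NS lines that inherit their owner, A and PTR records) and reports missing glue, PTRs that disagree with the forward A records, and A records with no PTR. The embedded zones are constructed copies of the three files above with two defects inserted on purpose so the checker has something to find: the master's A record is named `dns` instead of `dns1`, and 10.0.2.zone carries PTRs for the name servers, which live in 10.0.1.0/24.

```python
"""Cross-check BIND forward and reverse zone files for consistency."""

# Constructed copy of demo.com.zone with the master's A record misnamed "dns".
FORWARD = """\
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
dns IN A 10.0.1.254
dns2 IN A 10.0.1.253
app1 IN A 10.0.1.1
app2 IN A 10.0.1.2
app3 IN A 10.0.2.1
app4 IN A 10.0.2.2
"""

# Constructed copy of 10.0.1.zone (correct).
REV_10_0_1 = """\
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
254 IN PTR dns1.demo.com.
253 IN PTR dns2.demo.com.
1 IN PTR app1.demo.com.
2 IN PTR app2.demo.com.
"""

# Constructed copy of 10.0.2.zone with name-server PTRs copied into the wrong subnet.
REV_10_0_2 = """\
$TTL 86400
@ IN SOA dns1.demo.com. postmaster.demo.com. ( 2007120710 1d 2h 4w 1h )
    IN NS dns1.demo.com.
    IN NS dns2.demo.com.
254 IN PTR dns1.demo.com.
253 IN PTR dns2.demo.com.
1 IN PTR app3.demo.com.
2 IN PTR app4.demo.com.
"""


def parse_zone(text, origin):
    """Parse the master-file subset used above. Returns (owner_fqdn, type, rdata) tuples.
    `origin` must be fully qualified (trailing dot)."""
    records, owner = [], "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip() or line.startswith("$"):
            continue                               # blank line or $TTL/$ORIGIN
        if not line[0].isspace():                  # a new owner name starts the line
            owner, line = line.split(None, 1)
        fields = line.split()
        if fields[0] == "IN":                      # optional class
            fields = fields[1:]
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, fields[0], fields[1:]))
    return records


def arpa_to_ip(fqdn):
    """'254.1.0.10.in-addr.arpa.' -> '10.0.1.254'"""
    labels = fqdn.rstrip(".").split(".")[:-2]      # drop in-addr.arpa
    return ".".join(reversed(labels))


def check_zones(forward, reverse_zones):
    """forward = (origin, text); reverse_zones = [(origin, text), ...].
    Returns a list of problems; an empty list means the zones agree."""
    origin, text = forward
    fwd = parse_zone(text, origin)
    a = {name: rdata[0] for name, rtype, rdata in fwd if rtype == "A"}
    problems = []
    for name, rtype, rdata in fwd:
        if rtype == "NS" and rdata[0] not in a:
            problems.append(f"NS {rdata[0]} has no A record in the zone (missing glue)")
    ptr = {}
    for rorigin, rtext in reverse_zones:
        for name, rtype, rdata in parse_zone(rtext, rorigin):
            if rtype != "PTR":
                continue
            ip, target = arpa_to_ip(name), rdata[0]
            ptr[ip] = target
            if a.get(target) != ip:
                problems.append(f"PTR {ip} -> {target}, but {target} has A {a.get(target)}")
    for name, ip in a.items():
        if ptr.get(ip) != name:
            problems.append(f"A {name} {ip} has PTR {ptr.get(ip)}")
    return problems


if __name__ == "__main__":
    zones = [("1.0.10.in-addr.arpa.", REV_10_0_1), ("2.0.10.in-addr.arpa.", REV_10_0_2)]
    for p in check_zones(("demo.com.", FORWARD), zones):
        print(p)
```

On the constructed input it prints five problems; with the A record renamed to dns1 and the two stray PTRs removed from 10.0.2.zone it prints nothing. Run it on the real files with `open('/var/named/demo.com.zone').read()` in place of the constants, and keep using `named-checkzone` as well, since this script only covers the record types used here.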
systemctl enable named
systemctl start named
We must allow the DNS service's default port 53 through the firewall. Ordinary queries use UDP; zone transfers and large responses use TCP, so open both:
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload
chgrp named -R /var/named
chown -v root:named /etc/named.conf
restorecon -rv /var/named
restorecon /etc/named.conf
vi /etc/resolv.conf
Add the following:
search demo.com
nameserver 10.0.1.254
nameserver 10.0.1.253
Restart the network service (on CentOS 7 NetworkManager may regenerate /etc/resolv.conf at this point; if your entries disappear, set DNS1=/DNS2= or PEERDNS=no in the interface's ifcfg file instead):
systemctl restart network
Verify forward and reverse resolution:
dig dns1.demo.com
dig app2.demo.com
nslookup dns1.demo.com
nslookup app2.demo.com
nslookup 10.0.2.2