How should FQDN be understood?

As the title says.

I. DNS service information:
A: forward record (name to IP)
PTR: reverse record, IP to name
host -l example.com: list all hosts in the domain
dig -t soa example.com: SOA query, used for the secondary DNS
Packages: bind
          bind-chroot
          caching-nameserver
DNS main configuration directory: /var/named/chroot/
DNS main configuration file: /var/named/chroot/etc/named.conf
DNS A record (zone file) directory: /var/named/chroot/var/named
II. How to configure forward DNS resolution:
1. cp -p /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
   # generate the DNS configuration file from the template
2. vi /var/named/chroot/etc/named.conf
   # edit the configuration file
The items to change in the configuration file are as follows.
In options, change the parameters as follows (global settings):
    listen-on port 53 { localhost; };       # listen on local port 53
    // listen-on-v6 port 53 { ::1; };       # IPv6 option commented out
    allow-query { localnets; };             # allow the directly connected local networks to use the DNS
    allow-query-cache { localnets; };
In the view, change the parameters as follows (takes effect for that view only):
    match-clients { localnets; };           # allow the directly connected local networks to use the DNS
    match-destinations { localnets; };
3. vi /var/named/chroot/etc/named.rfc1912.zones
Add the following:
    zone "example.com" IN {                 # the domain to serve
        type master;
        file "example.com.zone";            # name of the A record (zone) file
        allow-update { none; };
    };
4. Write the A record (zone) file:
    cd /var/named/chroot/var/named/
    cp -p localhost.zone example.com.zone
The content of the A record file is as follows (dns: host name of the DNS server):
    $TTL 86400
    ; host names in the SOA and NS records are written fully qualified, with a
    ; trailing dot; without it the zone origin (example.com) is appended again
    @           IN SOA  station62.example.com. root.example.com. (
                        42          ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station62.example.com.   ; the DNS host
                IN A    192.168.0.62             ; IP of the DNS host
    station62   IN A    192.168.0.62             ; A record of the DNS server
    www         IN A    192.168.1.62             ; the A record to add
vim named.rfc1912.zones
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };
cd /var/named/chroot/var/named/
cp -p localhost.zone example.com.zone
cp -p named.local example.com.local
Define the forward resolution database file:
vi example.com.zone
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        42          ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station41.example.com.
                IN A    192.168.0.41
    station41   IN A    192.168.0.41
    www         IN A    192.168.0.41
    www         IN A    192.168.0.42
    www         IN A    192.168.0.43
    bbs         IN CNAME www
    *           IN A    192.168.0.41
Define the reverse resolution database:
vim example.com.local
(zone declaration, in named.rfc1912.zones:)
    zone "0.168.192.in-addr.arpa" IN {      // reverse resolution
        type master;
        file "example.com.local";
        allow-update { none; };
    };
(example.com.local:)
    $TTL 86400
    @       IN SOA  station41.example.com. root.example.com. (
                    1997022700  ; Serial
                    28800       ; Refresh
                    14400       ; Retry
                    3600000     ; Expire
                    86400 )     ; Minimum
            IN NS   station41.example.com.
    41      IN PTR  example.com.
    41      IN PTR  station41.example.com.
/etc/init.d/named restart
Using an acl:
    acl example { 192.168.0.0/24; };
    options {
        listen-on port 53 { example; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        blackhole {} ;                      # blacklist
        allow-query { example; };
        allow-query-cache { example; };
    };
/etc/init.d/named configtest: check the DNS configuration file
Add a gateway:
    route add default gw 192.168.0.254
Cache (forwarding):
Configure on the primary DNS:
vi named.conf
    options {
        // listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Those options should be used carefully because they disable port
        // randomization
        // query-source port 53;
        // query-source-v6 port 53;
        forward only;
        forwarders { 218.30.19.50; };
        allow-query { example; };
        allow-query-cache { example; };
    };
Secondary DNS (copies the data from the primary DNS): (iptables should be turned off)
Primary DNS:
/etc/named.rfc1912.zones
    // allow-query { example; };
    // allow-query-cache { example; };
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.4; };
    };
Secondary DNS: (the primary's zone file will appear under the /var/named/chroot/var/named/slaves directory); at this point this machine's DNS is set to its own address
    options {
        // listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Those options should be used carefully because they disable port
        // randomization
        // query-source port 53;
        // query-source-v6 port 53;
        // allow-query { localhost; };
        // allow-query-cache { localhost; };
    };
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    view localhost_resolver {
        // match-clients { localnets; };
        // match-destinations { localnets; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type slave;
            masters { 192.168.0.41; };
            file "slaves/example.com.zone";
        };
    };
Different machines use different DNS answers (views):
Primary DNS: named.conf
    view localhost_resolver {
        match-clients { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            file "example.com.zone";
        };
    };
    view internal_resolver {
        match-clients { 192.168.0.0/24; };
        match-destinations { 192.168.0.0/24; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            file "example.com.internal";
        };
    };
example.com.zone:
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        42          ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station41.example.com.
                IN A    192.168.0.41
    station41   IN A    192.168.0.41
    www         IN A    192.168.0.41
example.com.internal:
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        42          ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station41.example.com.
                IN A    192.168.0.41
    station41   IN A    192.168.0.41
    www         IN A    192.168.0.49
At this point the secondary machine's DNS is set to the primary DNS address.
DNS file synchronisation:
Primary DNS:
    view localhost_resolver {
        // match-clients { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            also-notify { 192.168.0.4; };
            file "example.com.zone";
        };
    };
example.com.zone: the serial value must be changed after every modification
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        2010042101  ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station41.example.com.
                IN A    192.168.0.41
    station41   IN A    192.168.0.41
    www         IN A    192.168.0.49
Secondary DNS machine: at this point its rules should be set to a mode the primary can reach
    view localhost_resolver {
        // match-clients { localnets; };
        // match-destinations { localnets; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type slave;
            masters { 192.168.0.41; };
            file "slaves/example.com.zone";
        };
    };
(1) SOA resource record
The beginning of every database file contains a Start of Authority record, SOA record for short. The SOA defines the global parameters of the domain and the management settings for the whole domain. A zone file may contain only one SOA record.
(2) NS resource record
Name server (NS) resource records indicate the authoritative servers for the zone: the primary and secondary servers for the zone specified in the SOA resource record, as well as the servers of any delegated zone. Every zone contains at least one NS record at its root.
(3) A resource record
Address (A) resource records map an FQDN to an IP address, so that a resolver can look up the IP address corresponding to an FQDN.
(4) PTR resource record
The reverse of the A resource record: a pointer (PTR) record maps an IP address to an FQDN.
(5) CNAME resource record
Canonical name (CNAME) resource records create an alias for a particular FQDN. Users can reach the host through the alias defined in the CNAME record.
(6) MX resource record
Mail exchange (MX) resource records specify the mail exchange server for a DNS domain name. A mail exchange server is a host that processes or forwards mail for the DNS domain name. Processing mail means delivering it to its destination or handing it to a different kind of mail transport; forwarding mail means sending it on to the final destination server.
(7) Wildcard resolution record
Apart from the resource records defined in the database file, all other domain names can also be resolved by the DNS.
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        221001      ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
                IN NS   station41.example.com.
                IN A    192.168.0.41
    station41   IN A    192.168.0.41
    www         IN A    192.168.0.42
    bbs         IN A    192.168.0.43
    mail        IN A    192.168.0.44
    forum       IN A    192.168.0.45
    web         IN CNAME mail
    @           IN MX 10 mail       ; MX must name a host (mail -> 192.168.0.44), not an IP address
Notes:
Restart the service: /etc/init.d/named restart ; rndc reload; (restart the primary and the secondary at the same time)
Access permissions:
    match-clients { localnets; };
    match-destinations { localnets; };
Change the serial value:
    $TTL 86400
    @           IN SOA  station41.example.com. root.example.com. (
                        2010042101  ; serial (d. adams)
                        3H          ; refresh
                        15M         ; retry
                        1W          ; expiry
                        1D )        ; minimum
CNAME:
    bbs         IN CNAME www
Wildcard resolution record, matches all names:
    *           IN CNAME www       ; an A record needs an IP address; a wildcard that should follow www is a CNAME
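The zone-file mistakes the notes above guard against (SOA or NS names without a trailing dot, a serial that was not increased, an MX or CNAME target written as an IP address, a wildcard A record pointing at a name) can be caught before named loads the zone. The following linter is an added example and is not part of the original answer: it parses the simple zone layout used above (no $ORIGIN or $INCLUDE handling), checks serial progression with RFC 1982 arithmetic, and runs on a constructed sample zone that deliberately carries an undotted SOA MNAME and an MX pointing at an IP.

```python
import ipaddress

# Record types handled by this linter (the ones used in the answer above).
RECORD_TYPES = {"SOA", "NS", "A", "PTR", "CNAME", "MX"}

# Constructed sample zone, modelled on the example.com zone in the answer, with two
# deliberate mistakes: the SOA MNAME lacks its trailing dot and the MX record
# points at an IP address instead of a host name.
SAMPLE_ZONE = """\
$TTL 86400
@           IN SOA  station41.example.com root.example.com. (
                    221001  ; serial
                    3H      ; refresh
                    15M     ; retry
                    1W      ; expiry
                    1D )    ; minimum
            IN NS   station41.example.com.
            IN A    192.168.0.41
station41   IN A    192.168.0.41
www         IN A    192.168.0.42
mail        IN A    192.168.0.44
web         IN CNAME mail
@           IN MX 10 192.168.0.44
"""


def parse_records(text):
    """Return [(owner, rtype, rdata_tokens)], joining parenthesised SOA lines.

    A line starting with whitespace inherits the previous owner; $TTL/$ORIGIN
    directives and ';' comments are skipped.
    """
    records, owner, pending, depth = [], "@", [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]              # drop comments
        if not line.strip():
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                             # still inside ( ... )
        joined, pending = " ".join(pending), []
        if joined.lstrip().startswith("$"):
            continue
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens and not joined[0].isspace():
            owner = tokens.pop(0)                # a new owner name starts the line
        if tokens and tokens[0].isdigit():       # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0] == "IN":
            tokens.pop(0)
        if tokens and tokens[0] in RECORD_TYPES:
            records.append((owner, tokens[0], tokens[1:]))
    return records


def is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def serial_increased(old, new):
    """RFC 1982 serial arithmetic: is `new` later than `old` modulo 2^32?"""
    if old is None:
        return True
    return new != old and (new - old) % 2**32 < 2**31


def lint_zone(text, previous_serial=None):
    """Return a list of findings for the common zone-file mistakes."""
    findings, records = [], parse_records(text)
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        findings.append(f"a zone file needs exactly one SOA record, found {len(soa)}")
    for owner, rtype, rdata in records:
        if rtype == "SOA" and len(rdata) >= 3:
            for field, name in (("MNAME", rdata[0]), ("RNAME", rdata[1])):
                if not name.endswith("."):
                    findings.append(f"SOA {field} '{name}' lacks a trailing dot; "
                                    "the zone origin will be appended to it")
            if not rdata[2].isdigit():
                findings.append(f"SOA serial '{rdata[2]}' is not a number")
            elif not serial_increased(previous_serial, int(rdata[2])):
                findings.append(f"SOA serial {rdata[2]} was not increased (previous "
                                f"{previous_serial}); secondaries will not transfer")
        elif rtype in ("NS", "CNAME", "PTR", "MX"):
            target = rdata[-1] if rdata else ""  # MX rdata is: preference, host
            if is_ip(target):
                findings.append(f"{owner} {rtype} target '{target}' is an IP address; "
                                "it must be a host name")
            elif "." in target and not target.endswith("."):
                findings.append(f"{owner} {rtype} target '{target}' looks fully "
                                "qualified but lacks a trailing dot")
        elif rtype == "A" and not (rdata and is_ip(rdata[0])):
            findings.append(f"{owner} A record needs an IP address, got '{' '.join(rdata)}'")
    return findings


if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE):
        print("WARN:", finding)
```

Pass the serial that is currently published (from dig -t soa) as previous_serial to enforce the "bump the serial on every change" rule from the notes; named-checkzone remains the authoritative syntax check, this linter only catches the semantic slips that named-checkzone accepts.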
SELinux:
Hide the DNS version:
vi named.conf (in options):
    version "no version for you";
Check with: dig version.bind chaos txt @station41.example.com
DNS queries: a client machine remotely manages the DNS records on the DNS host
named.conf on the host:
    view localhost_resolver {
        // match-clients { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        // include "/etc/named.rfc1912.zones";
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            allow-update { 192.168.0.4; };
            file "example.com.zone";
        };
    };
    chmod 775 /var/named/chroot/var/named
Client machine:
    nsupdate
    > server 192.168.0.41
    > update delete www.example.com
    > send
    > update add www.example.com 0 A 192.168.0.44
    > send
Using a key:
vi named.conf:
    view localhost_resolver {
        // match-clients { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            // allow-update { 192.168.0.4; };
            update-policy { grant example.com. name www.example.com. A; };
            file "example.com.zone";
        };
    };
    include "/etc/example.com.key";
Creating and handling the key (example.com.key):
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.    : generate the key file
    cp -p rndc.key example.com.key
    vi example.com.key:
    key "example.com." {
        algorithm hmac-md5;
        secret "H1Oqzvs7jtqsk5zJ/e9gEQ==";
    };
Copy the key to the remote host:
    scp Kexample.com.+157+00308.* 192.168.0.4:/home
Modify the DNS record from the remote host:
    nsupdate -k Kexample.com.+157+00308.private
    > server 192.168.0.41
    > update delete www.example.com
    > send
    host -l example.com
How the DNS host authorises the client machine:
    update-policy { grant example.com. name www.example.com. A; };
This form allows the secondary machine to delete or add only the www.example.com record;
    update-policy { grant example.com. subdomain example.com. ANY; };
This form allows the secondary machine to change all records under the example.com domain (www, mail, bbs).
Using a key to synchronise the DNS database file on the secondary DNS machine:
    view localhost_resolver {
        // match-clients { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        // include "/etc/named.rfc1912.zones";
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            // allow-update { 192.168.0.4; };
            // update-policy { grant example.com. subdomain example.com. ANY; };
            allow-transfer { key example.com.; };
            also-notify { 192.168.0.4; };
            file "example.com.zone";
        };
    };
    include "/etc/example.com.key";
Creating and handling the key (example.com.key):
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.    : generate the key file
    cp -p rndc.key example.com.key
    vi example.com.key:
    key "example.com." {
        algorithm hmac-md5;
        secret "H1Oqzvs7jtqsk5zJ/e9gEQ==";
    };
Copy the key to the remote host:
    scp example.com.key 192.168.0.4:/var/named/chroot/etc/
On the remote host:
    cd /var/named/chroot/etc/
    chgrp named example.com.key
    vi named.conf:
    server 192.168.0.41 {
        keys { example.com.; };
    };
    include "/etc/example.com.key";
Note: if the file cannot be synchronised at this point, delete the *.jnl files under the chroot/var/named/ directory.
configtest checks the syntax.
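The answer moves from address-based control (allow-update { 192.168.0.4; } and allow-transfer { 192.168.0.4; }, which a spoofed source address can satisfy) to TSIG-key-based control (update-policy and allow-transfer { key example.com.; }), and separately hides the version string. The audit below is an added example, not part of the answer or of BIND: it parses a simplified named.conf (statements, nested blocks, quoted strings, // # and /* */ comments) and flags the weaker settings. It runs on two constructed configurations, WEAK_CONF mirroring the answer's starting point and HARDENED_CONF mirroring its key-based end state with hmac-sha256 in place of the deprecated hmac-md5; both secrets are placeholders.

```python
import re

# Constructed named.conf fragments modelled on the primary-DNS configuration in the
# answer above (not the answer's own text). WEAK_CONF mirrors the address-based
# starting point, HARDENED_CONF the key-based end state with a modern HMAC.
# Both secrets are placeholders, not real key material.
WEAK_CONF = """
options { directory "/var/named"; };
key "example.com." { algorithm hmac-md5; secret "PLACEHOLDER_SECRET=="; };
view localhost_resolver {
    recursion yes;
    zone "example.com" IN {
        type master;
        allow-update { 192.168.0.4; };   // address ACL: a spoofed source passes it
        file "example.com.zone";
    };
};
"""
HARDENED_CONF = """
options { directory "/var/named"; version "not disclosed"; };
key "example.com." { algorithm hmac-sha256; secret "PLACEHOLDER_SECRET=="; };
view localhost_resolver {
    recursion yes;
    zone "example.com" IN {
        type master;
        update-policy { grant example.com. name www.example.com. A; };
        allow-transfer { key example.com.; };
        file "example.com.zone";
    };
};
"""


def tokenize(text):
    """Split named.conf text into quoted strings, braces, semicolons and words."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # strip /* */ comments
    text = re.sub(r"(//|#)[^\n]*", "", text)            # strip // and # comments
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse(tokens, pos=0):
    """Return (statements, pos); a statement is (words, block) where block is the
    parsed contents of a trailing { ... } or None for a simple statement."""
    statements, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            block, pos = parse(tokens, pos + 1)
            statements.append((words, block))
            words = []
        elif tok == "}":
            return statements, pos + 1
        elif tok == ";":
            if words:
                statements.append((words, None))
            words, pos = [], pos + 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return statements, pos


def find(statements, keyword):
    """Yield every statement whose first word is keyword, at any nesting depth."""
    for words, block in statements:
        if words and words[0] == keyword:
            yield words, block
        if block:
            yield from find(block, keyword)


def stmt(block, keyword):
    """First statement in block starting with keyword, as (words, inner_block)."""
    return next(((w, b) for w, b in block or [] if w and w[0] == keyword), (None, None))


def audit_named_conf(text):
    """Flag weak zone-transfer, dynamic-update, TSIG-key and version settings."""
    statements, _ = parse(tokenize(text))
    findings = []
    for _, block in find(statements, "options"):
        if stmt(block, "version")[0] is None:
            findings.append("options: no version string; 'dig version.bind chaos txt' reveals the BIND version")
    for words, block in find(statements, "key"):       # key {...} blocks; ACL 'key x' entries have no block
        algo, _ = stmt(block, "algorithm")
        if algo and algo[-1].lower() == "hmac-md5":
            findings.append(f"key {words[-1]}: hmac-md5 is deprecated for TSIG; use hmac-sha256")
    for words, block in find(statements, "zone"):
        name = words[1] if len(words) > 1 else "?"
        ztype, _ = stmt(block, "type")
        if not ztype or ztype[-1] not in ("master", "primary"):
            continue                                    # only authoritative zones are audited
        xfer, xfer_acl = stmt(block, "allow-transfer")
        if xfer is None:
            findings.append(f"zone {name}: no allow-transfer; classic BIND lets any client pull the whole zone (host -l)")
        elif any(w == ["any"] for w, _ in xfer_acl or []):
            findings.append(f"zone {name}: allow-transfer {{ any; }} exposes the whole zone")
        upd, upd_acl = stmt(block, "allow-update")
        if upd and not any(w and w[0] == "key" for w, _ in upd_acl or []):
            findings.append(f"zone {name}: allow-update is an address ACL; use update-policy with a TSIG key")
        _, policy = stmt(block, "update-policy")
        for w, _ in policy or []:
            if "subdomain" in w and w[-1].upper() == "ANY":
                findings.append(f"zone {name}: update-policy grants {w[1]} ANY type under {w[3]}; scope it to the needed names")
    return findings
```

Run audit_named_conf over the text of named.conf (and the files it includes, since the parser does not follow include statements) after each change alongside named-checkconf; the subdomain ... ANY grant is reported because it lets the key holder rewrite every record in the zone, whereas the name www.example.com. A grant limits the blast radius of a leaked key to one record.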