欢迎加入王导的VIP学习qq群：==>932194668<==

DNS主辅同步架构

IP	主机名	功能
10.4.7.11	HDSS7-11.host.com	DNS主
10.4.7.12	HDSS7-12.host.com	DNS辅
注意：所有资源记录的增、删、改的操作，均在主DNS上进行，辅助DNS仅提供查询功能

辅助DNS主机上安装部署BIND9

安装BIND9软件


#yum install bind
=============================================================================================================================================================
 Package                                       Arch                          Version                                    Repository                      Size
=============================================================================================================================================================
Installing:
 bind                                          x86_64                        32:9.9.4-73.el7_6                          updates                        1.8 M

注意：辅助DNS的BIND9软件版本应小于等于主DNS的BIND9软件版本

修改辅助DNS主配置文件

修改主配置文件，并加入masterfile-format text;

/etc/named.conf

options {
  listen-on port 53 { 10.4.7.12; };
  directory 	"/var/named";
  dump-file 	"/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query     { any; };
  masterfile-format text;
  /* 
   - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
   - If you are building a RECURSIVE (caching) DNS server, you need to enable 
     recursion. 
   - If your recursive DNS server has a public IP address, you MUST enable access 
     control to limit queries to your legitimate users. Failing to do so will
     cause your server to become part of large scale DNS amplification 
     attacks. Implementing BCP38 within your network would greatly
     reduce such attack surface 
  */
  recursion yes;

  dnssec-enable no;
  dnssec-validation no;

  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";

  managed-keys-directory "/var/named/dynamic";

  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};


logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};

zone "." IN {
  type hint;
  file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

修改主DNS主配置文件

加入以下配置

/etc/named.conf

1 2	allow-transfer { 10.4.7.12; }; also-notify { 10.4.7.12; };

检查配置并重启主DNS

1 2	# named-checkconf # systemctl restart named

检查完全区域数据传送

[root@hdss7-12 ~]# dig -t axfr host.com @10.4.7.11

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t axfr host.com @10.4.7.11
;; global options: +cmd
host.com.		600	IN	SOA	dns.host.com. dnsadmin.host.com. 2018121601 10800 900 604800 86400
host.com.		600	IN	NS	ns1.host.com.
HDSS7-11.host.com.	60	IN	A	10.4.7.11
HDSS7-12.host.com.	60	IN	A	10.4.7.12
ns1.host.com.		60	IN	A	10.4.7.11
host.com.		600	IN	SOA	dns.host.com. dnsadmin.host.com. 2018121601 10800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 10.4.7.11#53(10.4.7.11)
;; WHEN: Sun Dec 16 14:16:01 CST 2018
;; XFR size: 6 records (messages 1, bytes 220)

辅助DNS上创建自定义正解区域配置

/etc/named.rfc1912.zones

zone "host.com" IN {
  type  slave;
  masters { 10.4.7.11; };
  file  "slaves/host.com.zone";
};

检查配置并启动辅助DNS

1 2	# named-checkconf # systemctl start named

检查同步过来的区域数据库文件

/var/named/slaves/host.com.zone

[root@hdss7-12 slaves]# ll
-rw-r--r-- 1 named named 392 Feb 10 21:08 host.com.zone
[root@hdss7-12 slaves]# cat host.com.zone 
$ORIGIN .
$TTL 600	; 10 minutes
host.com		IN SOA	dns.host.com. dnsadmin.host.com. (
				2018121601 ; serial
				10800      ; refresh (3 hours)
				900        ; retry (15 minutes)
				604800     ; expire (1 week)
				86400      ; minimum (1 day)
				)
			NS	ns1.host.com.
$ORIGIN host.com.
$TTL 60	; 1 minute
HDSS7-11		A	10.4.7.11
HDSS7-12		A	10.4.7.12
ns1			A	10.4.7.11

检查解析是否正确

使用主DNS查询一个A记录

1 2	# dig -t A HDSS7-11.host.com @10.4.7.11 +short 10.4.7.11

使用辅助DNS查询一个A记录

1 2	# dig -t A HDSS7-11.host.com @10.4.7.12 +short 10.4.7.11

辅助DNS上创建自定义反解区域配置

略

增加、删除、修改记录，并验证同步

注意：一定要手动修改主DNS上SOA记录里的serial值！

增加记录

删除记录

修改记录

再增加一个od.com的业务域，并验证主辅同步（复习）

主DNS上增加自定义区域

主DNS上增加自定义区域数据库文件

主DNS上增加自定义区域资源记录

检查配置并重启主DNS服务

辅助DNS上增加自定义区域

检查完全区域数据传送

检查配置并重启辅助DNS服务

验证主辅同步

分别使用主DNS和辅助DNS查询新业务域的A记录

在主DNS上新增一条A记录，并验证主辅同步

在主DNS上修改一条A记录，并验证主辅同步

在主DNS上删除一条A记录，并验证主辅同步

客户端配置DNS解析高可用

在客户端主机（以Linux主机为例，Windows和Mac操作系统略）配置主、辅DNS

/etc/resolv.conf

#cat /etc/resolv.conf 
# Generated by NetworkManager
search host.com od.com
nameserver 10.4.7.11
nameserver 10.4.7.12

这样客户端高可用就配置好了，任意一个DNS服务器宕机也不会影响正常解析