linux系统DNS主从+密钥认证

uytr · 发表于 2016-8-4 09:00:56

服务端 duwers60  192.168.20.60 主DNS
服务端 duwers61  192.168.20.61 从DNS
客户端 duwers62  192.168.20.62
目标

给公司配置一个内网DNS服务器，可以解析域名 xuegod.cn为IP：192.168.20.60。另外，为保证服务器稳定，你还要把duwers61搭建成一个从DNS服务器。
测试：配置PC客户端的DNS服务器地址为：192.168.20.60和192.168.20.61. 当把192.168.20.60网卡关闭时，ping xuegod.cn  还可以通过duwers61正常解析。

一、服务端操作
1、配置主DNS
1）安装程序

1	[iyunv@duwers60 ~]# yum install bindbind-chroot bind-utils -y

2）启动服务

1
2
3
4
5

[iyunv@duwers60 ~]# /etc/init.d/namedrestart
Stopping named:                            [  OK  ]
Generating /etc/rndc.key:                         [  OK  ]
Starting named:                            [  OK  ]
[iyunv@duwers60 ~]#

3）查看挂载项

4）修改本地网络配置重启服务

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

[iyunv@duwers60 ~]# service network restart
Shutting down interface eth0:                      [  OK  ]
Shutting down loopback interface:                   [  OK  ]
Bringing up loopback interface:                   [  OK  ]
Bringing up interface eth0:  Determining if ip address 192.168.20.60 isalready in use for device eth0...
                                                      [  OK  ]
[iyunv@duwers60 ~]# grep DNS1/etc/sysconfig/network-scripts/ifcfg-eth0
#DNS1=114.114.114.114
DNS1=192.168.20.60
[iyunv@duwers60 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search duwers.space
#nameserver 114.114.114.114
#nameserver 8.8.8.8
nameserver 192.168.20.60
[iyunv@duwers60 ~]#

5）修改DNS配置文件（//注释在上方）

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

[iyunv@duwers60 ~]# grep -v '^#'/var/named/chroot/etc/named.conf
options {
listen-onport 53 { any; };          #监听来自所有网段的请求
listen-on-v6port 53 { any; };       #监听来自所有网段的请求
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
      memstatistics-file"/var/named/data/named_mem_stats.txt";
allow-query    { any; };             #监听来自所有网段的请求
recursionyes;
//指向上层服务器
forwardonly;
forwarders{ 114.114.114.114;};
/*Path to ISC DLV key */
bindkeys-file"/etc/named.iscdlv.key";

managed-keys-directory"/var/named/dynamic";
};

logging {
   channel default_debug {
            file"data/named.run";
            severity dynamic;
   };
};

zone "xuegod.cn." IN {
typemaster;
file"xuegod.cn.zone";
allow-transfer{192.168.20.0/24;};       #限定从DNS网段
};

include"/etc/named.rfc1912.zones";
include "/etc/named.root.key";

6）重启服务

1
2
3
4

[iyunv@duwers60 ~]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[iyunv@duwers60 ~]#

2、配置从DNS服务器
1）安装DNS服务

1	[iyunv@duwers61 ~]# yum install bindbind-chroot bind-utils -y

2）启动服务

1
2
3
4

[iyunv@duwers61 ~]# service named start
Generating /etc/rndc.key: [确定]
启动 named： [确定]
[iyunv@duwers61 ~]#

3）修改本地网络配置，重启网络服务

1
2
3
4
5
6
7
8
9
10
11
12
13

[iyunv@duwers61 ~]# service network restart
正在关闭接口 eth0：                                     [确定]
关闭环回接口：                                           [确定]
弹出环回接口：                                           [确定]
弹出界面 eth0：Determining if ip address 192.168.20.61 is already in use for device eth0...
                                                      [确定]
[iyunv@duwers61 ~]# grep DNS1/etc/sysconfig/network-scripts/ifcfg-eth0
#DNS1=114.114.114.114
DNS1=192.168.20.61
[iyunv@duwers61 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.20.61
[iyunv@duwers61 ~]#

4）修改DNS配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

[iyunv@duwers61 ~]# grep -v '^#'/var/named/chroot/etc/named.conf

options {
listen-onport 53 { any; };
listen-on-v6port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query    { any; };
recursionyes;

/*Path to ISC DLV key */
bindkeys-file"/etc/named.iscdlv.key";

managed-keys-directory"/var/named/dynamic";
};

logging {
   channel default_debug {
            file"data/named.run";
            severity dynamic;
   };
};

zone "xuegod.cn" IN {
typeslave;
file"slaves/xuegod.cn.zone.file";
masters{ 192.168.20.60;};
};

include"/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[iyunv@duwers61 ~]#

5）重启DNS 服务

1
2
3
4

[iyunv@duwers61 ~]# service named restart
停止 named：. [确定]
启动 named： [确定]
[iyunv@duwers61 ~]#

6）查看生成的DNS记录文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

[iyunv@duwers61 ~]# ls/var/named/chroot/var/named/slaves/
xuegod.cn.zone.file
[iyunv@duwers61 ~]# cat!$xuegod.cn.zone.file
cat/var/named/chroot/var/named/slaves/xuegod.cn.zone.file
$ORIGIN .
$TTL 86400 ;1 day
xuegod.cn    INSOA dns.xuegod.cn. root.xuegod.cn. (
            0       ; serial
            86400    ; refresh (1 day)
            3600    ; retry (1 hour)
            604800    ; expire (1 week)
            10800    ; minimum (3 hours)
            )
         NS  dns.xuegod.cn.
$ORIGIN xuegod.cn.
dns       A 192.168.20.60
www       A 192.168.20.60
www3       CNAME  www.xuegod.cn
[iyunv@duwers61 ~]#

3、配置主从DNS密钥同步
1）从DNS主服务器60同步时间【忘记说之前已经在60机器上搭建了ntpd服务】

1 2	[iyunv@duwers61 ~]# ntpdate 192.168.20.60 2Aug 05:54:37 ntpdate[2829]: step time server 192.168.20.60 offset -3.443702 sec

2）主DNS服务器生成密钥

1 2	[iyunv@duwers61 ~]# dnssec-keygen -ahmac-md5 -b 128 -n HOST abc Kabc.+157+47348

查看密钥文件

1
2
3
4

[iyunv@duwers61 ~]# ls | grep Kabc
Kabc.+157+47348.key
Kabc.+157+47348.private
[iyunv@duwers61 ~]#

3）查看密钥

1
2
3
4
5
6
7
8
9

[iyunv@duwers61 ~]# catKabc.+157+47348.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: mjENlU7Ef9ggUwBuSQfTKw==
Bits: AAA=
Created: 20160801215638
Publish: 20160801215638
Activate: 20160801215638
[iyunv@duwers61 ~]#

4）主DNS配置
取消下三项注释
   dnssec-enable yes;
   dnssec-validation yes;
   dnssec-lookaside auto;
另外增加

5）从DNS配置
      dnssec-enable yes;
   dnssec-validation yes;
   dnssec-lookaside auto;

6）主从DNS重启服务
主

1
2
3
4

[iyunv@duwers60 ~]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[iyunv@duwers60 ~]#

从

1
2
3
4

[iyunv@duwers61 ~]# service named restart
停止 named：. [确定]
启动 named： [确定]
[iyunv@duwers61 ~]#

7）再次查看zone文件【在61机器上喔】

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

[iyunv@duwers61 ~]# cat/var/named/chroot/var/named/slaves/xuegod.cn.zone.file
$ORIGIN .
$TTL 86400 ;1 day
xuegod.cn    INSOA dns.xuegod.cn. root.xuegod.cn. (
            0       ; serial
            86400    ; refresh (1 day)
            3600    ; retry (1 hour)
            604800    ; expire (1 week)
            10800    ; minimum (3 hours)
            )
         NS  dns.xuegod.cn.
$ORIGIN xuegod.cn.
dns       A 192.168.20.60
www       A 192.168.20.60
www3       CNAME  www.xuegod.cn
[iyunv@duwers61 ~]#

ok，同步成功
4、【测试】
目的：关闭主DNS服务器后，由从DNS负责解析DNS请求
1）客户端PC配置：

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19

[iyunv@duwers ~]# ifconfig eth0
eth0    Link encap:Ethernet  HWaddr00:0C:29:33:6A:98
      inetaddr:192.168.20.62  Bcast:192.168.20.255  Mask:255.255.255.0
      inet6 addr: fe80::20c:29ff:fe33:6a98/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500  Metric:1
      RX packets:480 errors:0 dropped:0 overruns:0 frame:0
      TX packets:312 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:1000
      RX bytes:41830 (40.8 KiB)  TXbytes:39348 (38.4 KiB)

[iyunv@duwers ~]# grep DNS/etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.20.60
DNS2=192.168.20.61
[iyunv@duwers ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search duwers.space
nameserver 192.168.20.60
nameserver 192.168.20.61
[iyunv@duwers ~]#

2）关闭主DNS网卡

3）在客户端PC上验证

账号		自动登录	找回密码
密码			立即注册

winhex数据恢复教程（非常巨大，内容丰富）

VMware vcenter+vSphere 6.5 U2共享

【跟谁学】韩宇极简英语课-技术人员不得不

用Zabbix通过JMX方式监控weblogic

Symantec Backup Exec 2015 2016/2012 BE20

NetScaler VPX部署之：NetScaler Gateway调

zabbix3.4.1安装部署+微信推送信息+大屏显

[经验分享] linux系统DNS主从+密钥认证

相关帖子

浏览过的版块

扫码加入运维网微信交流群