[服務(wù)搭建]bind正反向配置主從配置子域配置基本安全設(shè)置

實(shí)驗(yàn)環(huán)境

創(chuàng)新互聯(lián)公司是一家集網(wǎng)站建設(shè),運(yùn)城企業(yè)網(wǎng)站建設(shè),運(yùn)城品牌網(wǎng)站建設(shè),網(wǎng)站定制,運(yùn)城網(wǎng)站建設(shè)報(bào)價(jià),網(wǎng)絡(luò)營銷,網(wǎng)絡(luò)優(yōu)化,運(yùn)城網(wǎng)站推廣為一體的創(chuàng)新建站企業(yè)，幫助傳統(tǒng)企業(yè)提升企業(yè)形象加強(qiáng)企業(yè)競爭力。可充分滿足這一群體相比中小企業(yè)更為豐富、高端、多元的互聯(lián)網(wǎng)需求。同時(shí)我們時(shí)刻保持專業(yè)、時(shí)尚、前沿，時(shí)刻以成就客戶成長自我，堅(jiān)持不斷學(xué)習(xí)、思考、沉淀、凈化自己，讓我們?yōu)楦嗟钠髽I(yè)打造出實(shí)用型網(wǎng)站。

系統(tǒng) 主機(jī)名 IP 備注

Centos6.8 nod1.wupeng.com 10.208.131.222 主服務(wù)器

Centos6.8 nod2.wupeng.com 10.208.131.228 從服務(wù)器

Centos6.8 nod3.wupeng.com 10.208.131.229 子域服務(wù)器

bind程序包：

bind：提供的DNS server程序、以及幾個(gè)常用的測試程序；

bind-libs：被bind和bind-utils包中的程序共同用到的庫文件；

bind-utils：bind客戶端程序集，例如dig, host, nslookup等；

bind-chroot：選裝，讓named運(yùn)行于jail模式下；

對(duì)三臺(tái)主機(jī)分別更改主機(jī)名關(guān)閉防火墻以及關(guān)閉selinux （iptables和selinux保存配置后需要重啟服務(wù)才能生效）

nod1更改主機(jī)

[root@nod1 ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod1.wupeng.com

nod2更改主機(jī)

[root@nod2 ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod2.wupeng.com

nod3更改主機(jī)

[root@nod3 ~]# vim /etc/sysconfig/network    
NETWORKING=yes
HOSTNAME=nod3.wupeng.com

nod1清空防火墻規(guī)則

[root@nod1 ~]# iptables -F 
[root@nod1 ~]# service iptables save

nod2清空防火墻規(guī)則

[root@nod2 ~]# iptables -F 
[root@nod2 ~]# service iptables save

nod3清空防火墻規(guī)則

[root@nod3 ~]# iptables -F 
[root@nod3 ~]# service iptables save

nod1關(guān)閉selinux安全機(jī)制

[root@nod1 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled

nod2關(guān)閉selinux安全機(jī)制

[root@nod2 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled

nod3關(guān)閉selinux安全機(jī)制

[root@nod3 ~]# vim /etc/sysconfig/selinux 或者 vim /etc/selinux/config
SELINUX=disabled

三臺(tái)主機(jī)分別同步時(shí)間為一致可以使用ntpdate命令來進(jìn)行時(shí)間同步

[root@nod1 ~]# yum install ntpdate -y

[root@nod2 ~]# yum install ntpdate -y

[root@nod3 ~]# yum install ntpdate -y

[root@nod1 ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1598]: step time server 17.253.84.125 offset 856096.191423 sec

[root@nod2 ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1577]: step time server 17.253.84.125 offset 854843.947376 sec

[root@nod3 ~]# ntpdate ntp.api.bz

28 Jun 15:42:08 ntpdate[1593]: step time server 17.253.84.125 offset 599540.432080 sec

正向配置

在nod1主機(jī)上安裝bind的相關(guān)軟件

[root@nod1 ~]# yum install bind bind-utils -y //bind-libs 這個(gè)庫文件會(huì)進(jìn)行依賴安裝

編輯/etc/bind.conf主配置文件

[root@nod1 ~]# vim /etc/named.conf

options {
        listen-on port 53 { 127.0.0.1; 10.208.131.222; };        //監(jiān)聽地址
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                   //允許的請求方式為所有人
        recursion yes;
        dnssec-enable no;                          //安全機(jī)制為NO
        dnssec-validation no;                        //安全機(jī)制為NO
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

編輯/etc/named.rfc1912.zones創(chuàng)建正向區(qū)域文件

[root@nod1 ~]# vim /etc/named.rfc1912.zones

zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
};

利用模板創(chuàng)建一個(gè)wupeng.com域的區(qū)域數(shù)據(jù)文件文件權(quán)限為640 屬組為named

[root@nod1 ~]# cd /var/named/

第一種：
[root@nod1 named]# cp -p named.localhost wupeng.com.zone
第二種：
[root@nod1 named]# cp -rf named.localhost wupeng.com.zone
[root@nod1 named]# chmod 640 wupeng.com.zone 
[root@nod1 named]# chgrp named wupeng.com.zone

查看文件屬性

[root@nod1 named]# ll wupeng.com.zone 
-rw-r----- 1 root named 152 6月  21 2007 wupeng.com.zone

編輯wupeng.com.zone文件記錄 NS和A記錄

[root@nod1 named]# vim wupeng.com.zone

$TTL 1D
$ORIGIN wupeng.com.
@       IN SOA  ns1.wupeng.com. admin.wupeng.com. (
                                        2017062800      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      ns1.wupeng.com.
ns1     IN      A       10.208.131.222
www     IN      A       10.208.131.223

檢測主配置文件和區(qū)域數(shù)據(jù)文件是否有錯(cuò)誤

[root@nod1 named]# named-checkconf                        //正確是沒有任何提示
[root@nod1 named]# named-checkzone wupeng.com /var/named/wupeng.com.zone 
zone wupeng.com/IN: loaded serial 2017062800
OK

啟動(dòng)bind服務(wù) 并測試正向解析是否成功

[root@nod1 named]# service named start

Generating /etc/rndc.key: [確定]

啟動(dòng) named： [確定]

測試:

[root@nod1 named]# dig -t A www.wupeng.com @10.208.131.222

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t A www.wupeng.com @10.208.131.222

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33056

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;www.wupeng.com. INA

;; ANSWER SECTION:

www.wupeng.com. 86400INA10.208.131.223

;; AUTHORITY SECTION:

wupeng.com. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 0 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 21:26:24 2017

;; MSG SIZE rcvd: 82

解釋:

-t A www.wupeng.com 類型為A記錄的域名

@10.208.131.222 以10.208.131.222的IP進(jìn)行解析無需在/etc/resolv.conf里進(jìn)行設(shè)置

編輯/etc/named.rfc1912.zones創(chuàng)建反向區(qū)域文件

[root@nod1 named]# vim /etc/named.rfc1912.zones
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131";
};

利用模板創(chuàng)建一個(gè)10.208.131.zone的區(qū)域數(shù)據(jù)文件文件權(quán)限為640 屬組為named

[root@nod1 ~]# cd /var/named/

第一種：
[root@nod1 named]# cp -p named.loopback 10.208.131.zone
第二種：
[root@nod1 named]# cp -rf named.loopback 10.208.131.zone
[root@nod1 named]# chmod 640 wupeng.com.zone 
[root@nod1 named]# chgrp named wupeng.com.zone

查看文件屬性

[root@nod1 named]# ll 10.208.131.zone

-rw-r----- 1 root named 263 6月 28 21:07 10.208.131.zone

編輯wupeng.com.zone文件記錄 NS和PTR記錄

[root@nod1 named]# vim 10.208.131.zone
$TTL 1D
$ORIGIN 131.208.10.in-addr.arpa.
@       IN SOA  ns1.wupeng.com  admin.wupeng.com. (
                                        2017062800        ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )             ; minimum
      IN       NS     ns1.wupeng.com.
222     IN      PTR     ns1.wupeng.com.
223     IN      PTR     www.wupeng.com.

重新加載bind服務(wù) 并測試反向解析是否成功

[root@nod1 named]# rndc reload

server reload successful

測試：

[root@nod1 named]# dig -x 10.208.131.223 @10.208.131.222

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.222

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54483

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;223.131.208.10.in-addr.arpa.INPTR

;; ANSWER SECTION:

223.131.208.10.in-addr.arpa. 86400 INPTRwww.wupeng.com.

;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 0 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 21:19:16 2017

;; MSG SIZE rcvd: 107

主從復(fù)制

在主服務(wù)器添加從服務(wù)器的NS和A記錄并重新加載服務(wù)

$TTL 1D

$ORIGIN wupeng.com.

@ IN SOA ns1.wupeng.com. admin.wupeng.com. (

2017062802 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

IN NS ns1.wupeng.com.

IN NS ns2.wupeng.com.

ns1 IN A 10.208.131.222

ns2 IN A 10.208.131.228

www IN A 10.208.131.223

[root@nod1 named]# rndc reload

server reload successful

在主機(jī)nod2上安裝bind相關(guān)文件

[root@nod2 ~]# yum install bind bind-utils -y

配置bind主文件

vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.228; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

配置區(qū)域文件

[root@nod2 ~]# vim /etc/named.rfc1912.zones 
zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "10.208.131.zone";
        masters { 10.208.131.222; };
};

檢查配置是否有錯(cuò)誤

[root@nod2 ~]# named-checkconf

啟動(dòng)bind服務(wù) 查看區(qū)域數(shù)據(jù)是否傳輸?shù)絪laves目錄下并測試

[root@nod2 ~]# service named start

啟動(dòng) named： [確定]

[root@nod2 ~]# ll /var/named/slaves/

總用量 8

-rw-r--r-- 1 named named 390 6月 28 21:55 10.208.131.zone

-rw-r--r-- 1 named named 335 6月 28 21:54 wupeng.com

測試:

[root@nod2 ~]# dig www.wupeng.com @10.208.131.228

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1634

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;www.wupeng.com. INA

;; ANSWER SECTION:

www.wupeng.com. 86400INA10.208.131.223

;; AUTHORITY SECTION:

wupeng.com. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 21:56:38 2017

;; MSG SIZE rcvd: 82

[root@nod2 ~]# dig -x 10.208.131.223 @10.208.131.228

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.223 @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18940

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;223.131.208.10.in-addr.arpa.INPTR

;; ANSWER SECTION:

223.131.208.10.in-addr.arpa. 86400 INPTRwww.wupeng.com.

;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 21:57:05 2017

;; MSG SIZE rcvd: 107

在主服務(wù)器新增一條記錄在進(jìn)行測試

[root@nod1 named]# vim /var/named/wupeng.com.zone

$TTL 1D

$ORIGIN wupeng.com.

@ IN SOA ns1.wupeng.com. admin.wupeng.com. (

2017062802 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

IN NS ns1.wupeng.com.

IN NS ns2.wupeng.com.

ns1 IN A 10.208.131.222

ns2 IN A 10.208.131.228

www IN A 10.208.131.223

dns IN A 10.208.131.224

[root@nod1 named]# vim 10.208.131.zone

$TTL 1D

$ORIGIN 131.208.10.in-addr.arpa.

@ IN SOA ns1.wupeng.com admin.wupeng.com. (

2017062802 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

IN NS ns1.wupeng.com.

IN NS ns2.wupeng.com.

222 IN PTR ns1.wupeng.com.

228 IN PTR ns2.wupeng.com.

223 IN PTR www.wupeng.com.

224 IN PTR dns.wupeng.com.

重新加載主服務(wù)器

[root@nod1 named]# rndc reload

server reload successful

重新加載從服務(wù)器

[root@nod2 ~]# rndc reload wupeng.com

zone refresh queued

[root@nod2 ~]# rndc reload 131.208.10.in-addr.arpa

zone refresh queued

NOTE:rndc reload 在從服務(wù)器不生效嘗試過多次只能在后邊加區(qū)域才生效

測試：

[root@nod2 ~]# dig dns.wupeng.com @10.208.131.228

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> dns.wupeng.com @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30389

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;dns.wupeng.com. INA

;; ANSWER SECTION:

dns.wupeng.com. 86400INA10.208.131.224

;; AUTHORITY SECTION:

wupeng.com. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 0 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 22:29:46 2017

;; MSG SIZE rcvd: 82

[root@nod2 ~]# dig -x 10.208.131.224 @10.208.131.228

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -x 10.208.131.224 @10.208.131.228

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20995

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;224.131.208.10.in-addr.arpa.INPTR

;; ANSWER SECTION:

224.131.208.10.in-addr.arpa. 86400 INPTRdns.wupeng.com.

;; AUTHORITY SECTION:

131.208.10.in-addr.arpa. 86400INNSns1.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86400INA10.208.131.222

;; Query time: 1 msec

;; SERVER: 10.208.131.228#53(10.208.131.228)

;; WHEN: Wed Jun 28 22:30:07 2017

;; MSG SIZE rcvd: 107

子域配置

在主機(jī)nod3上安裝bind相關(guān)軟件并配置主文件

[root@nod3 ~]# yum install bind bind-utils -y
[root@nod3 ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 10.208.131.229; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
[root@nod3 ~]# vim /etc/named.rfc1912.zones 
zone "music.wupeng.com" IN {
        type master;
        file "music.wupeng.com.zone";
};
zone "wupeng.com" IN {                                    //設(shè)置了轉(zhuǎn)發(fā)功能才能進(jìn)行查詢和傳輸區(qū)域文件
        type forward;
        forward only;
        forwarders { 10.208.131.222; 10.208.131.228; };
};

復(fù)制模板創(chuàng)建子域區(qū)域配置文件

[root@nod3 named]# cp -p named.localhost music.wupeng.com.zone

[root@nod3 named]# vim music.wupeng.com.zone

$TTL 1D

$ORIGIN music.wupeng.com.

@ IN SOA ns3.music.wupeng.com. admin.music.wupeng.com. (

2017062800 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

IN NS ns3.music

ns3.music IN A 10.208.131.229

www IN A 10.208.131.230

檢測是否有配置錯(cuò)誤

[root@nod3 named]# named-checkzone music.wupeng.com /var/named/music.wupeng.com.zone

zone music.wupeng.com/IN: loaded serial 2017062800

在主服務(wù)器添加子域的NS和A記錄

[root@nod1 named]# vim /etc/named.conf

$TTL 1D

$ORIGIN wupeng.com.

@ IN SOA ns1.wupeng.com. admin.wupeng.com. (

2017062802 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

IN NS ns1.wupeng.com.

IN NS ns2.wupeng.com.

ns1 IN A 10.208.131.222

ns2 IN A 10.208.131.228

www IN A 10.208.131.223

dns IN A 10.208.131.224

ns3 IN NS ns3.music

ns3.music IN A 10.208.131.229

重新加載主配置文件啟動(dòng)nod3的bind的服務(wù)

[root@nod1 named]# rndc reload

server reload successful

測試:

[root@nod3 named]# dig www.music.wupeng.com @10.208.131.229

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.music.wupeng.com @10.208.131.229

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46119

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:

;www.music.wupeng.com. INA

;; ANSWER SECTION:

www.music.wupeng.com.86400INA10.208.131.230

;; AUTHORITY SECTION:

music.wupeng.com.86400INNSns3.music.music.wupeng.com.

;; ADDITIONAL SECTION:

ns3.music.music.wupeng.com. 86400 INA10.208.131.229

;; Query time: 0 msec

;; SERVER: 10.208.131.229#53(10.208.131.229)

;; WHEN: Wed Jun 28 23:28:55 2017

;; MSG SIZE rcvd: 94

[root@nod3 named]# dig www.wupeng.com @10.208.131.229

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> www.wupeng.com @10.208.131.229

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25255

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:

;www.wupeng.com. INA

;; ANSWER SECTION:

www.wupeng.com. 86365INA10.208.131.223

;; AUTHORITY SECTION:

wupeng.com. 86365INNSns1.wupeng.com.

wupeng.com. 86365INNSns2.wupeng.com.

;; ADDITIONAL SECTION:

ns1.wupeng.com. 86365INA10.208.131.222

ns2.wupeng.com. 86365INA10.208.131.228

;; Query time: 13 msec

;; SERVER: 10.208.131.229#53(10.208.131.229)

;; WHEN: Wed Jun 28 23:29:06 2017

;; MSG SIZE rcvd: 116

[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222 //全量區(qū)域傳送

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222

;; global options: +cmd

wupeng.com. 86400INSOAns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600

604800 10800wupeng.com. 86400INNSns1.wupeng.com.

wupeng.com. 86400INNSns2.wupeng.com.

dns.wupeng.com. 86400INA10.208.131.224

ns3.music.wupeng.com.86400INA10.208.131.229

ns1.wupeng.com. 86400INA10.208.131.222

ns2.wupeng.com. 86400INA10.208.131.228

ns3.wupeng.com. 86400INNSns3.music.wupeng.com.

www.wupeng.com. 86400INA10.208.131.223

wupeng.com. 86400INSOAns1.wupeng.com. admin.wupeng.com. 2017062802 86400 3600

604800 10800;; Query time: 4 msec

;; SERVER: 10.208.131.222#53(10.208.131.222)

;; WHEN: Wed Jun 28 23:41:31 2017

;; XFR size: 10 records (messages 1, bytes 258)

可以進(jìn)行全量傳輸區(qū)域數(shù)據(jù) 一般是不允許的所以我們要進(jìn)行安全配置

在主機(jī)nod1主配置文件上配置acl 只允許從服務(wù)器傳輸全局之外定義

[root@nod1 named]# vim /etc/named.conf
acl slaves {
        10.208.131.228;
};
[root@nod1 named]# vim /etc/named.rfc1912.zones 
zone "wupeng.com" IN {
        type master;
        file "wupeng.com.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type master;
        file "10.208.131.zone";
        allow-transfer { slaves; };
        allow-update { none; };
};

重新加載服務(wù)

[root@nod1 named]# rndc reload

server reload successful

在主機(jī)nod2上配置文件不進(jìn)行更新

zone "wupeng.com" IN {
        type slave;
        file "slaves/wupeng.com";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};
zone "131.208.10.in-addr.arpa" IN {
        type slave;
        file "slaves/10.208.131.zone";
        masters { 10.208.131.222; };
        allow-transfer { none; };
        allow-update { none; };
};

重新加載服務(wù)

[root@nod2 slaves]# rndc reload

server reload successful

測試

[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.222

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.222

;; global options: +cmd

; Transfer failed.

[root@nod3 named]# dig -t axfr wupeng.com @10.208.131.228

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>> -t axfr wupeng.com @10.208.131.228

;; global options: +cmd

; Transfer failed.

網(wǎng)站標(biāo)題：[服務(wù)搭建]bind正反向配置主從配置子域配置基本安全設(shè)置
文章出自：http://muchs.cn/article36/picepg.html

成都網(wǎng)站建設(shè)公司_創(chuàng)新互聯(lián)，為您提供響應(yīng)式網(wǎng)站、網(wǎng)站設(shè)計(jì)、軟件開發(fā)、定制開發(fā)、網(wǎng)站營銷、外貿(mào)建站

聲明：本網(wǎng)站發(fā)布的內(nèi)容（圖片、視頻和文字）以用戶投稿、用戶轉(zhuǎn)載內(nèi)容為主，如果涉及侵權(quán)請盡快告知，我們將會(huì)在第一時(shí)間刪除。文章觀點(diǎn)不代表本網(wǎng)站立場，如需處理請聯(lián)系客服。電話：028-86922220；郵箱：631063699@qq.com。內(nèi)容未經(jīng)允許不得轉(zhuǎn)載，或轉(zhuǎn)載時(shí)需注明來源：創(chuàng)新互聯(lián)

猜你還喜歡下面的內(nèi)容