rh358004bind反向，转发，主从，各种资源记录unboundansible部署bindunbound

博客分享

 0  169

优雅殿下 2022-09-04 21:04:11

悬赏：0 积分收藏

rh358 004 bind反向，转发，主从，各种资源记录 unbound ansible部署bind unbound

通过bind实现正向，反向，转发，主从，各种资源记录

7> 部署反向解析 从ip解析到fqdnvim   /etc/named.confzone "250.25.172.in-addr.arpa" IN {    type master;    file "172.25.250.zone"; 指定方向解析的区域配置文件路径};[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone[root@serverb ~]# chown root:named /var/named/172.25.250.zone[root@serverb ~]# chmod 640 /var/named/172.25.250.zone[root@serverb ~]# vim /var/named/172.25.250.zone$TTL 3H@       IN SOA  serverb.example.com.  root.serverb.example.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@    IN         NS   serverb.example.com.10   IN         PTR  servera.example.com.11   IN         PTR  serverb.example.com.12   IN         PTR  serverc.example.com.13   IN         PTR  serverd.example.com.~[root@serverb ~]# systemctl restart  named8> 测试[root@servera ~]# host serverb.example.comserverb.example.com has address 172.25.250.11[root@servera ~]# host 172.25.250.1010.250.25.172.in-addr.arpa domain name pointer servera.example.com.[root@servera ~]# host 172.25.250.1111.250.25.172.in-addr.arpa domain name pointer serverb.example.com.[root@servera ~]# host 172.25.250.1212.250.25.172.in-addr.arpa domain name pointer serverc.example.com.[root@servera ~]# host 172.25.250.1313.250.25.172.in-addr.arpa domain name pointer serverd.example.com.[root@servera ~]# [root@servera ~]# nslookup> set type=ptr> 172.25.250.10Server:		172.25.250.11Address:	172.25.250.11#5310.250.25.172.in-addr.arpa	name = servera.example.com.> set type=NS> example.comServer:		172.25.250.11Address:	172.25.250.11#53example.com	nameserver = serverb.example.com.> set type=A  > servera.example.comServer:		172.25.250.11Address:	172.25.250.11#53Name:	servera.example.comAddress: 172.25.250.10> 也可以通过dig查找-x反向解析@跟着DNS服务器A/NS/SOA/-x<ptr>9> 主从同步：修改配置文件在主DNS上配置[root@serverc ~]# vim /etc/named.confzone "example.com" IN {      type  master ;      file "example.com";      allow-transfer {  172.25.250.12; };};zone "250.25.172.in-addr.arpa" IN {    type master;    file "172.25.250.zone";    allow-transfer {  172.25.250.12; };};[root@serverb ~]# systemctl restart  named在从DNS上<slave>[root@serverc ~]# yum install -y bind        listen-on port 53 { any; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        secroots-file   "/var/named/data/named.secroots";        recursing-file  "/var/named/data/named.recursing";        allow-query     { any; };		recursion yes;        dnssec-enable no;        dnssec-validation no;        zone "example.com" IN {      type  slave ;  类型是从DNS服务器      file "slaves/example.com";      masters { 172.25.250.11; };};zone "250.25.172.in-addr.arpa" IN {    type slave;    file "slaves/172.25.250.zone";    masters { 172.25.250.11; };};[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcpsuccess[root@serverc ~]# firewall-cmd --permanent --add-port=53/udpsuccess[root@serverc ~]# firewall-cmd --reloadsuccess[root@serverc ~]# systemctl enable --now  namedCreated symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.[root@serverc ~]#确认：[root@serverc ~]# ll /var/named/slaves/total 8-rw-r--r--. 1 named named 490 Sep  3 22:29 172.25.250.zone-rw-r--r--. 1 named named 432 Sep  3 22:29 example.com[root@serverc ~]#针对主从服务器做的修改1> 添加从的DNS服务器2> 每一次添加必须要把序列号+1，只有当序列号增加才会同步$TTL 3H@       IN SOA  serverb.example.com.  root.serverb.example.com. (                                        1       ; serial                                         1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@    IN         NS   serverb.example.com.@    IN         NS   serverc.example.com. 从的DNS10   IN         PTR  servera.example.com.11   IN         PTR  serverb.example.com.12   IN         PTR  serverc.example.com.13   IN         PTR  serverd.example.com.[root@servera ~]# dig @serverb.example.com -x 172.25.250.11; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11; (1 server found);; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good);; QUESTION SECTION:;11.250.25.172.in-addr.arpa.	IN	PTR;; ANSWER SECTION:11.250.25.172.in-addr.arpa. 10800 IN	PTR	serverb.example.com.;; AUTHORITY SECTION:250.25.172.in-addr.arpa. 10800	IN	NS	serverc.example.com.250.25.172.in-addr.arpa. 10800	IN	NS	serverb.example.com.;; ADDITIONAL SECTION:serverb.example.com.	10800	IN	A	172.25.250.11serverc.example.com.	10800	IN	A	172.25.250.12;; Query time: 2 msec;; SERVER: 172.25.250.11#53(172.25.250.11);; WHEN: Sun Sep 04 20:21:47 CST 2022;; MSG SIZE  rcvd: 184[root@servera ~]# 同步后，可以使用dig，发现有两个dns权威地址了。那么就是配置文件更改后，同步成功10> 对于一个转发的DNS服务器来说，在正常情况下，如果我们没有配置转发，当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcpsuccess[root@serverd ~]# firewall-cmd --permanent --add-port=53/udpsuccess[root@serverd ~]# firewall-cmd --reloadsuccess[root@serverd ~]# vim /etc/named.conf   listen-on port 53 { any; };   allow-query     { any; };   forwarders  { 172.25.250.12 ;};   dnssec-enable no;   dnssec-validation no;      这两个可以删掉，也是zone地址。用不上   include "/etc/named.rfc1912.zones";   include "/etc/named.root.key";systemctl restart  named[root@serverd ~]# nslookup> set type=A> servera.example.com   Server:		172.25.250.13Address:	172.25.250.13#53Non-authoritative answer:    这里做了转发所以不一样。非授权机构Name:	servera.example.comAddress: 172.25.250.10> 邮件服务器  邮件服务器要做转发，所以得找到邮件服务器正@    IN         MX   10  classroom.example.com.254  IN         PTR   classroom.example.com.反@    IN         MX   10  classroom.example.com.254  IN         PTR   classroom.example.com.[root@serverb named]# nslookup > set type=MX> example.comServer:		172.25.250.13Address:	172.25.250.13#53Non-authoritative answer:example.com	mail exchanger = 10 classroom.example.com.Authoritative answers can be found from:example.com	nameserver = serverb.example.com.example.com	nameserver = serverc.example.com.classroom.example.com	internet address = 172.25.250.254serverb.example.com	internet address = 172.25.250.11serverc.example.com	internet address = 172.25.250.1212> 仅缓存的DNS服务器：unbond删除原来的unbound[root@workstation ~]# lab dns-unbound start[root@servera ~]# yum install -y unbound[root@servera ~]# firewall-cmd --permanent --add-service=dnssuccess[root@servera ~]# firewall-cmd --reloadsuccess[root@servera ~]#[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"         interface: 172.25.250.10         access-control: 172.25.250.0/24 allow         domain-insecure: "example.com"    # 不开启安全域         interface-automatic: no    # 如果开启那么监听所有端口，唯独不监听172.25.250.10forward-zone:  name: .  forward-addr: 172.25.250.254[root@servera ~]#[root@servera ~]# unbound-control-setup[root@servera ~]# ping servera.lab.example.comPING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms^C--- servera.lab.example.com ping statistics ---1 packets transmitted, 1 received, 0% packet loss, time 0msrtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms[root@servera ~]# ping workstationPING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms^C--- workstation.lab.example.com ping statistics ---1 packets transmitted, 1 received, 0% packet loss, time 0msrtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms[root@servera ~]# unbound-control dump_cacheSTART_RRSET_CACHE;rrset 38 1 0 7 3lab.example.com.	38	IN	SOA	bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60;rrset 38 1 0 7 3example.com.	38	IN	SOA	classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60END_RRSET_CACHESTART_MSG_CACHEmsg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0example.com. IN SOA 4msg servera.example.com. IN A 33155 1 38 3 0 1 0example.com. IN SOA 4msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0lab.example.com. IN SOA 4msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0example.com. IN SOA 4msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0lab.example.com. IN SOA 4msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0example.com. IN SOA 4END_MSG_CACHEEOF[root@servera ~]# cat /etc/resolv.conf # Generated by NetworkManagersearch lab.example.com example.com#nameserver 172.25.250.254nameserver 172.25.250.10[root@servera ~]# 有缓存后，可以不依赖转发清空缓存[root@servera ~]# unbound-control  flush  *缓存，和forward上的服务器都没了，就无法再ping通了导出unbound-control  dump_cache > aaunbound-control  load_cache < aa

ansible 部署DNS unbound

[root@workstation ~]# lab dns-automation start [student@workstation dns-auto]$ cat unbound.yml---- name: configure cache dns on servera  hosts: caching_dns  become: true  tasks:  - name: install the unbound package    yum:      name: unbound      state: present  - name: prepare configureation file for unbound    template:      src: unbound.conf.j2      dest: /etc/unbound/unbound.conf      owner: root      group: unbound      mode: '0644'      setype: named_conf_t    notify: restart service  - name: start service    service:      name: unbound      state: started      enabled: true  - name: config firewalld for unbond    firewalld:      service: dns      state: enabled      immediate: yes      permanent: yes  handlers:  - name: restart service    service:      name: unbond      state: restarted[student@workstation dns-auto]$ cat templates/unbound.conf.j2server: {% for ip in ansible_facts['all_ipv4_addresses'] %}  interface: {{ ip }} {% endfor %}  interface-automatic: no  access-control: 172.25.250.0/24 allow  domain-insecure: example.comforward-zone:  name: .  forward-addr: 172.25.250.254remote-control:  control-enable: yes[student@workstation dns-auto]$[student@workstation dns-auto]$ lsansible.cfg   inventory  playbook.yml  unbound.conf.j2

ansible 部署bind

bind的YML文件---- name: config bind  hosts: primary_dns,secondary_dns  become: true  tasks:  - name: install package    yum:      name: bind      state: present  - name: config  for primary    copy:      src: files/primary_dns.conf      dest: /etc/named.conf    notify:  restart service    when: inventory_hostname == "serverb.lab.example.com"     - name: config    copy:      src: files/secondary_dns.conf      dest: /etc/named.conf    notify:  restart service    when: inventory_hostname == "serverc.lab.example.com"  - name: zone file    copy:      src: files/example.com      dest: /var/named/example.com      owner: root      group: named    when: inventory_hostname == "serverb.lab.example.com"  - name: zone file re    copy:      src: files/172.25.250.zone      dest: /var/named/172.25.250.zone      owner: root      group: named    when: inventory_hostname == "serverb.lab.example.com"  - name: start service    service:      name: named      state: started      enabled: true  - name: firewalld    firewalld:      service: dns      state: enabled      immediate: yes      permanent: yes  handlers:  - name: restart service    service:      name: named      state: restarted[student@workstation dns-auto]$          主named的配置文件[student@workstation dns-auto]$ cat files/primary_dns.conf//// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//options {        listen-on port 53 { any; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        secroots-file   "/var/named/data/named.secroots";        recursing-file  "/var/named/data/named.recursing";        allow-query     { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        recursion yes;        dnssec-enable no;        dnssec-validation no;        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */        include "/etc/crypto-policies/back-ends/bind.config";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {        type hint;        file "named.ca";};zone "example.com" IN {      type master;      file "example.com";      allow-transfer { 172.25.250.12;};};zone "250.25.172.in-addr.arpa" {      type master;      file "172.25.250.zone";      allow-transfer { 172.25.250.12;};};从named的配置文件[student@workstation files]$ cat secondary_dns.conf //// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//options {	listen-on port 53 { any; };	listen-on-v6 port 53 { ::1; };	directory 	"/var/named";	dump-file 	"/var/named/data/cache_dump.db";	statistics-file "/var/named/data/named_stats.txt";	memstatistics-file "/var/named/data/named_mem_stats.txt";	secroots-file	"/var/named/data/named.secroots";	recursing-file	"/var/named/data/named.recursing";	allow-query     { any; };	/* 	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 	   recursion. 	 - If your recursive DNS server has a public IP address, you MUST enable access 	   control to limit queries to your legitimate users. Failing to do so will	   cause your server to become part of large scale DNS amplification 	   attacks. Implementing BCP38 within your network would greatly	   reduce such attack surface 	*/	recursion yes;	dnssec-enable no;	dnssec-validation no;	managed-keys-directory "/var/named/dynamic";	pid-file "/run/named/named.pid";	session-keyfile "/run/named/session.key";	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */	include "/etc/crypto-policies/back-ends/bind.config";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {	type hint;	file "named.ca";};zone "example.com" IN {	type slave;	masters { 172.25.250.11; };	file "slaves/example.com";};zone "250.25.172.in-addr.arpa" IN  {	type slave;	masters { 172.25.250.11; };	file "slaves/172.25.250.zone";};主的区域配置文件（正）[student@workstation dns-auto]$ cat files/example.com$TTL 3H@       IN SOA serverb.example.com. root.serverb.example.com. (                                        1       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@      IN   NS     serverb.example.com.@      IN   NS     serverc.example.com.servera   IN  A  172.25.250.10serverb   IN  A  172.25.250.11serverc   IN  A  172.25.250.12serverd   IN  A  172.25.250.13主的区域配置文件（反）[student@workstation dns-auto]$ cat files/172.25.250.zone$TTL 3H@       IN SOA serverb.example.com. root.serverb.example.com. (                                        1       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@      IN   NS     serverb.example.com.@      IN   NS     serverc.example.com.10   IN  PTR  servera.example.com.11  IN  PTR  servera.example.com.12   IN  PTR  servera.example.com.13   IN  PTR  servera.example.com.[student@workstation dns-auto]$ cat inventory [control_node]workstation.lab.example.com[caching_dns]servera.lab.example.com[primary_dns]serverb.lab.example.com[secondary_dns]serverc.lab.example.com任何一种服务的自动化配置：一： 安装包二： 配置文件  1： jiaj2模板的形式配置：unbound，2： file: bind, 3: notify restart service三： 要读取数据文件路径： 基本都有四： 服务五： 防火墙六： Handlers : 接收配置的文件改变从而去重新启动服务

posted @ 2022-09-04 20:13 supermao12 阅读(0) 评论(0) 编辑收藏举报

上一篇：学习ASP.NETCoreBlazor编程系列二——第一个Blazor应用程序（中）

下一篇：day32-线程基础02

回帖

优雅殿下（王者段位）

2018 积分 (2)粉丝 (47)源码

小小码农，大大世界

温馨提示

您可以通过每日签到获得积分；
您也可以通过发布源码或者分享技术获得积分；

亦奇源码

rh358004bind反向，转发，主从，各种资源记录unboundansible部署bindunbound

rh358 004 bind反向，转发，主从，各种资源记录 unbound ansible部署bind unbound

通过bind实现正向，反向，转发，主从，各种资源记录

ansible 部署DNS unbound

ansible 部署bind

优雅殿下 （王者 段位）

温馨提示

最新会员

优雅殿下（王者段位）