DNS service configuration
1. DNS server configuration
Install the service components: yum install bind-libs bind bind-utils
Start the service and enable it at boot:
systemctl start named
systemctl enable named
Edit the /etc/named.conf file:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { any; };        // changed from 127.0.0.1 to any
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };          // changed from 127.0.0.1 to any
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Edit the /etc/host.conf file:
order bind,hosts # host name lookup order: DNS is consulted first, then /etc/hosts (the reverse order is also possible).
multi on # whether a host listed in /etc/hosts may have several addresses; a host with several IP addresses is usually called multi-homed.
nospoof on # reject IP address spoofing against this server. IP spoofing is an attack technique in which an IP address is forged to impersonate another machine and gain the trust of other hosts.
Edit the /etc/named.rfc1912.zones file:
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
// Added content: because the virtual IPs and the heartbeat (private) addresses both fall within
// 192.168.0.0/16, the reverse zone covers the 16-bit prefix; a 24-bit prefix would also work.
zone "whdata-rac.com" IN {
        type master;
        file "whdata-rac.com.zone";
        allow-update { none; };
};
zone "168.192.in-addr.arpa" IN {
        type master;
        file "168.192.zone";
        allow-update { none; };
};
In /var/named/, create the forward and reverse zone files (the file names must match the file names given in the zone definitions above):
Note: pay attention to the owner, group and permissions of the new files. Owner: root, group: named, mode: 644.
Forward zone whdata-rac.com.zone:
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
iscsi           IN A    192.168.0.109
whdatarac-scan  IN A    192.168.0.105
whdatarac-scan  IN A    192.168.0.106
whdatarac-scan  IN A    192.168.0.107
whdatarac1      IN A    192.168.0.101
whdatarac2      IN A    192.168.0.102
whdatarac1-vip  IN A    192.168.0.103
whdatarac2-vip  IN A    192.168.0.104
whdatarac1-priv IN A    192.168.1.11
whdatarac2-priv IN A    192.168.1.12
Reverse zone 168.192.zone:
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.
109.0   IN PTR  iscsi.whdata-rac.com.
105.0   IN PTR  whdatarac-scan.whdata-rac.com.
106.0   IN PTR  whdatarac-scan.whdata-rac.com.
107.0   IN PTR  whdatarac-scan.whdata-rac.com.
101.0   IN PTR  whdatarac1.whdata-rac.com.
102.0   IN PTR  whdatarac2.whdata-rac.com.
103.0   IN PTR  whdatarac1-vip.whdata-rac.com.
104.0   IN PTR  whdatarac2-vip.whdata-rac.com.
11.1    IN PTR  whdatarac1-priv.whdata-rac.com.
12.1    IN PTR  whdatarac2-priv.whdata-rac.com.
Edit the /etc/resolv.conf file:
This file is overwritten every time the network interface or the host is restarted. Running chattr +i /etc/resolv.conf prevents it from being overwritten, but then the Oracle cluster installer's DNS check fails.
Many posts say the setting can be made permanent by editing the interface configuration file /etc/sysconfig/network-scripts/ifcfg-* and adding DOMAIN=whdata-rac.com, but in testing this did not take effect.
# Generated by NetworkManager
search whdata-rac.com
nameserver 192.168.0.109
nameserver 202.*.*.*
Set the DNS server to 192.168.0.109, restart the DNS service and test:
systemctl restart named.service
dig -x 192.168.0.109
nslookup whdatarac-scan
nslookup 192.168.0.102
2. Client configuration
Set the host's DNS server to 192.168.0.109.
Test with the nslookup command: does not work.
Write DOMAIN=whdata-rac.com into the interface configuration file.
Test with the nslookup command: does not work.
Edit the /etc/resolv.conf file and add search whdata-rac.com before the nameserver entries.
Test with the nslookup command: works.
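Why only the third step works comes down to the resolver's search list: a short name such as whdatarac-scan is never sent to the server as-is when a search domain exists; the resolver first appends each search domain and only then tries the name as absolute. The following Python script is an added example, not part of the original post; it re-implements the glibc search-list rule (ndots, search domains, then the absolute name) over a resolv.conf parsed from constructed text and resolves against a constructed set of names taken from the post's forward zone, so it runs offline and sends no DNS query.

```python
"""How a stub resolver turns a short host name into the names it actually queries.

Added example, not part of the original post. The resolv.conf contents and the
set of known names below are constructed from the post's configuration.
"""

# Constructed: resolv.conf before and after the fix from section 2.
RESOLV_NO_SEARCH = """\
# Generated by NetworkManager
nameserver 192.168.0.109
"""
RESOLV_WITH_SEARCH = """\
# Generated by NetworkManager
search whdata-rac.com
nameserver 192.168.0.109
"""

# Constructed: names the authoritative server in the post would answer for.
KNOWN_NAMES = {
    "whdatarac-scan.whdata-rac.com.",
    "whdatarac1.whdata-rac.com.",
    "whdatarac1-vip.whdata-rac.com.",
}


def parse_resolv_conf(text):
    """Return (nameservers, search list, ndots); defaults follow glibc."""
    nameservers, search, ndots = [], [], 1
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "nameserver" and args:
            nameservers.append(args[0])
        elif key in ("domain", "search"):
            search = args  # whichever of 'domain'/'search' comes last wins
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return nameservers, search, ndots


def candidate_fqdns(name, search, ndots=1):
    """Names tried in order: a name with fewer dots than ndots goes through the
    search list first; a name with at least ndots dots is tried absolute first."""
    if name.endswith("."):
        return [name]  # already absolute: the search list is never used
    absolute = name + "."
    via_search = [f"{name}.{d.rstrip('.')}." for d in search]
    if name.count(".") >= ndots:
        return [absolute] + via_search
    return via_search + [absolute]


def resolve(name, resolv_text, known=KNOWN_NAMES):
    """First candidate the server answers for, or None when every candidate is NXDOMAIN."""
    _, search, ndots = parse_resolv_conf(resolv_text)
    for fqdn in candidate_fqdns(name, search, ndots):
        if fqdn in known:
            return fqdn
    return None


if __name__ == "__main__":
    for text in (RESOLV_NO_SEARCH, RESOLV_WITH_SEARCH):
        _, search, ndots = parse_resolv_conf(text)
        print(candidate_fqdns("whdatarac-scan", search, ndots),
              "->", resolve("whdatarac-scan", text))
```

Without the search line the only candidate is the bare whdatarac-scan., which the server does not know; with it the first candidate is whdatarac-scan.whdata-rac.com. and the lookup succeeds. Fully qualified names resolve either way, which is why nslookup 192.168.0.102 and dig -x kept working during the failed steps.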
3. Troubleshooting
The service fails to start; the main error is: named.service: control process exited, code=exited status=1
Check the newly added zone file:
named-checkzone whdata-rac.com /var/named/whdata-rac.com.zone
It reports OK, but the check also finds that the MX target has no A record:
zone whdata-rac.com/IN: whdata-rac.com/MX 'mail.whdata-rac.com' has no address records (A or AAAA)
zone whdata-rac.com/IN: loaded serial 2013073100
OK
named itself accepts this, but systemctl received an error, because /usr/lib/systemd/system/named.service defines this line:
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
Before named starts, named-checkconf -z /etc/named.conf is run; it returned exit status 1, so the start failed.
Approaches to a fix:
- Rewrite the ExecStartPre check so that it exits with status=0.
- Comment out ExecStartPre so that zones are not checked; if named then starts normally, this is the least effort.
The second approach was used here. Note that after editing named.service the unit files must be reloaded: systemctl daemon-reload
Two things worth knowing: the ExecStartPre line above already reads $DISABLE_ZONE_CHECKING, which the unit takes from /etc/sysconfig/named via EnvironmentFile, so setting DISABLE_ZONE_CHECKING=yes there skips the check without touching the unit; and an edit made directly in /usr/lib/systemd/system/named.service is lost on the next package update, whereas a drop-in under /etc/systemd/system/named.service.d/ survives it. Skipping the check also means a genuinely broken zone file will no longer stop the service from starting, so the zone files should still be run through named-checkzone after every change.
After the service starts successfully, check the zone file again:
[root@SCSI ~]# named-checkzone whdata-rac.com /var/named/whdata-rac.com.zone
zone whdata-rac.com/IN: loaded serial 0
OK
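The zone files in section 1 and the failed zone check in section 3 both come down to details that are easy to get wrong by hand: a PTR target without its trailing dot silently becomes a name under the reverse origin, a forward A record without a matching PTR fails the cluster installer's reverse-lookup check, and an MX or NS target without an address record is exactly the warning that turned into the failed start above. The following Python script is an added example, not part of the original post and not a BIND tool; it parses zone-file syntax just far enough (owner inheritance, @, $TTL/$ORIGIN, the multi-line SOA, relative versus absolute names) to run those three checks on constructed samples modelled on the post's files, so it runs offline.

```python
"""Consistency checks for a BIND forward zone and its in-addr.arpa reverse zone.

Added example, not part of the original post. The two zone texts below are
constructed: the forward zone is trimmed and given an MX whose target has no
A record, the reverse zone omits one PTR and drops the trailing dot on another.
"""
import re

FORWARD_ORIGIN = "whdata-rac.com."
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       127.0.0.1
        MX 10   mail
iscsi           IN A    192.168.0.109
whdatarac-scan  IN A    192.168.0.105
whdatarac1-priv IN A    192.168.1.11
whdatarac2-priv IN A    192.168.1.12
"""

REVERSE_ORIGIN = "168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. (
                0 ; serial
                1D ; refresh
                1H ; retry
                1W ; expire
                3H ) ; minimum
        NS      @
109.0   IN PTR  iscsi.whdata-rac.com.
11.1    IN PTR  whdatarac1-priv.whdata-rac.com.
12.1    IN PTR  whdatarac2-priv.whdata-rac.com
"""


def qualify(name, origin):
    """Make a name absolute the way named does: '@' is the origin, and a name
    without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (absolute owner, type, rdata tokens) for every record."""
    records, last_owner = [], origin
    pending, pending_has_owner = "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not pending:
            pending_has_owner = not line[0].isspace()  # blank owner = previous owner
        pending += " " + line
        if pending.count("(") > pending.count(")"):
            continue                               # multi-line record (the SOA)
        tokens = pending.replace("(", " ").replace(")", " ").split()
        pending = ""
        if tokens[0].startswith("$"):
            if tokens[0] == "$ORIGIN":
                origin = tokens[1]
            continue
        if pending_has_owner:
            last_owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0] == "IN" or re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0])):
            tokens.pop(0)                          # optional class and TTL
        records.append((last_owner, tokens[0].upper(), tokens[1:]))
    return records


def reverse_owner(ip, rev_origin):
    """PTR owner name for an IPv4 address, or None if it lies outside the reverse zone."""
    full = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    return full if full.endswith("." + rev_origin) else None


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a sorted list of findings; an empty list means the zones agree."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    findings, ptrs = [], {}
    addr_owners = {o for o, t, _ in fwd if t in ("A", "AAAA")}
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            if not rdata[0].endswith("."):
                findings.append(f"relative PTR target {rdata[0]!r} at {owner} "
                                f"becomes {qualify(rdata[0], rev_origin)}")
            ptrs[owner] = qualify(rdata[0], rev_origin)
    for owner, rtype, rdata in fwd:
        if rtype == "A" and (want := reverse_owner(rdata[0], rev_origin)):
            if ptrs.get(want) != owner:
                findings.append(f"no PTR for {rdata[0]} -> {owner} (found {ptrs.get(want)})")
        if rtype in ("MX", "NS") and qualify(rdata[-1], fwd_origin) not in addr_owners:
            findings.append(f"{rtype} target {qualify(rdata[-1], fwd_origin)} has no A/AAAA record")
    return findings and sorted(findings) or []


if __name__ == "__main__":
    for finding in check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN):
        print(finding)
```

Running it against the constructed samples reports four findings: the MX target without an address record, the missing PTR for 192.168.0.105, the PTR for 192.168.1.12 that points at whdatarac2-priv.whdata-rac.com.168.192.in-addr.arpa. because of the missing dot, and the relative-target warning that explains it. A run that prints nothing is what to aim for before restarting named, since it is cheaper than discovering the problem through the cluster installer's DNS check.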