1.这里将第一台DNS服务器作为主的DNS
2.安装辅助DNS软件同上
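# Install BIND, its chroot wrapper and the caching-nameserver defaults on the
# secondary (the same packages as on the primary). The package names must be
# separated by spaces; the pasted line had "bind-chroot" and
# "caching-nameserver" run together, which yum would reject as one unknown name.
yum install bind bind-chroot caching-nameserver -y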
3.启动服务
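# Start named now and register it with SysV init so it starts at boot.
# "chkconfig" and "named" are two words; the pasted line ran them together.
service named start ; chkconfig named on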
4.修改配置文件named.conf
// Global options for the secondary (vm202). Several spaces were lost when this
// snippet was pasted (directory "...", dump-file "...", allow-query {...});
// restore them when copying into named.conf.
options {
// Listen on every IPv4 address; narrow this to the interfaces that must serve DNS.
listen-on port 53 { any; };
// IPv6 is loopback only.
listen-on-v6 port 53 { ::1; };
// Working directory; zone "file" paths below are relative to it.
directory"/var/named";
dump-file"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// allow-query { any; } combined with "recursion yes;" in the view below makes
// this an open recursive resolver that anyone on the Internet can use for
// amplification. Restrict the ACL to the client networks this server serves,
// or keep "any" only for the authoritative zones and limit recursion separately.
allow-query{ any; };
allow-query-cache { any; };
};
// Default debug channel; the file is relative to the "directory" option.
logging {
channel default_debug {
// Space lost in paste: file "data/named.run";
file"data/named.run";
// Log level follows the server's current debug level rather than a fixed severity.
severity dynamic;
};
};
// Single view serving every client. match-clients { any; } plus recursion yes
// means any source address may use this server as a recursive resolver (open
// resolver); limit match-clients, or add an allow-recursion ACL, to trusted networks.
view dns1 {
match-clients{ any; };
match-destinations { any; };
recursion yes;
// The slave zones from step 5 are added inside this file, so they belong to this view.
include "/etc/named.rfc1912.zones";
};
5.定义/添加自定义查询域
#在named.rfc1912.zones文件中添加以下内容
// Secondary copy of example.com, pulled from the master listed below.
zone "example.com" IN {
type slave;// type changed to slave: this server replicates the zone instead of holding the authoritative copy
file "slaves/example.com.zone";// where the replicated zone data is stored (relative to "directory"; named must be able to write there)
masters { 192.168.8.201; };// address of the master to replicate from; only IP-based trust until the TSIG key in step 9 is added
};
// Reverse zone for 192.168.8.0/24, replicated from the same master as example.com.
zone "8.168.192.in-addr.arpa" IN{
type slave;
// Replicated data file, relative to "directory".
file "slaves/8.168.192.zone";
// Same master as above; step 9 adds TSIG so this is no longer trusted by address alone.
masters { 192.168.8.201; };
};
6.在主DNS的配置文件named.conf文件中添加以下配置
// Global options for the master (vm201). As in step 4, spaces were lost when the
// snippet was pasted (directory "...", dump-file "...", allow-query {...}).
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory"/var/named";
dump-file"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// If recursion is enabled on this server as well, allow-query { any; } turns it
// into an open resolver; restrict the ACL to the networks it is meant to serve.
allow-query{ any; };
allow-query-cache { any; };
// Only the secondary may request zone transfers (AXFR/IXFR). A source-address
// ACL is a weak control on its own (it is not authenticated); step 9 replaces it
// with a TSIG key. Without any allow-transfer, anyone could dump the whole zone.
allow-transfer { 192.168.8.202; };
};
7.Reload主辅DNS服务。
# /etc/init.d/named reload
8.查看辅助DNS数据库文件是否同步过来
# ls /var/named/chroot/var/named/slaves/
8.168.192.zone  example.com.zone  //同步成功
9.以上使用IP限定DNS的主辅同步不安全,在数据同步传输的过程中都是明文的,下面我们来使用Key同步,以保证同步请求的认证和数据传输的加密,首先在主DNS上生成key文件
[root@vm201 etc]# dnssec-keygen -aHMAC-MD5 -b 128 -n HOST server201-server202
然后利用模板配置key文件
# cp -p rndc.key transfer.key  //保证transfer.key文件的拥有组为named,权限为640
# cat Kserver201-server202.+157+29727.private >> transfer.key
# vim transfer.key
// TSIG key shared by the master (201) and the secondary (202). This file holds a
// secret: keep it owned by the named group with mode 640 (as step 9 says), and
// never commit it to a public repository or paste it into documentation.
// Spaces were lost in the paste: key "server201-server202" {, algorithm hmac-md5;,
// secret "...";.
key"server201-server202" {// key name; must match the name used in allow-transfer and server { keys }
// NOTE(review): hmac-md5 is deprecated for TSIG. New keys should use hmac-sha256
// (dnssec-keygen -a HMAC-SHA256, or tsig-keygen on newer BIND releases).
algorithmhmac-md5;
// Base64 shared secret from the generated .private file. The value shown in this
// tutorial is public knowledge and must not be reused; generate a fresh one per deployment.
secret"ef/zUb+7SVM9vZqaNXzqTQ==";
// NOTE(review): TSIG authenticates and integrity-protects the transfer request and
// response; it does not encrypt the zone data on the wire.
};
在named.conf中配置使用key来更新
include "/etc/transfer.key";//指明key文件位置
// Master options after switching zone transfers to TSIG. The key is defined by
// the include "/etc/transfer.key" placed above this block, so it must appear before
// the allow-transfer line references it. Spaces lost in the paste as in step 4.
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory"/var/named";
dump-file"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// Open to all clients; see the open-resolver note in step 4.
allow-query{ any; };
allow-query-cache { any; };
// Transfers are now granted only to requests signed with this TSIG key; the
// previous address-based entry for 192.168.8.202 is no longer needed. Unsigned
// or wrongly signed transfer requests are refused.
allow-transfer { key server201-server202; };
};
最后重启主DNS服务
辅助DNS使用的key要和主DNS一样,所以将transfer.key文件拷贝到辅助DNS上,同样要保证权限,在named.conf文件中设置key
include "/etc/transfer.key";
// Secondary options; unchanged from step 4 apart from the include of
// /etc/transfer.key above it. The key itself is referenced in the server { }
// block below, not here. Spaces lost in the paste as in step 4.
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory"/var/named";
dump-file"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
// Open to all clients; together with "recursion yes;" in the view this is an
// open resolver (see step 4).
allow-query{ any; };
allow-query-cache { any; };
};
// Per-server settings for the master: every request the secondary sends to
// 192.168.8.201 (SOA checks, AXFR/IXFR) is signed with this TSIG key. The log
// line in step 9, "transferred serial ...: TSIG 'server201-server202'", confirms
// the transfer was accepted under this key.
server 192.168.8.201
{ keys { server201-server202; };// name of the key defined in /etc/transfer.key (included above)
};
重启服务,查看日志
Dec 3 21:08:09 vm202 named[8484]: zone example.com/IN/dns1: transferred serial 2013112601: TSIG 'server201-server202'
Dec 3 21:08:09 vm202 named[8484]: transfer of 'example.com/IN' from 192.168.8.201#53: end of transfer
日志末尾的 TSIG 'server201-server202' 字段(原文中标为红色的部分)说明已经使用key认证加密传输