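Introduction to DNS Master/Slave
As a critical piece of Internet infrastructure, the DNS resolution service must be kept running normally; only then can it provide stable, fast, and uninterrupted domain name lookups. In DNS, a slave server can obtain the specified zone data files from the master server, which provides both a backup of the resolution records and load balancing. Deploying slave servers therefore reduces the load on the master server and also improves query efficiency for users.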
Installation Environment
Hostname | Operating system | IP |
---|---|---|
Master server | CentOS 7 | 10.1.1.250 |
Slave server | CentOS 7 | 10.1.1.254 |
Modify the configuration
```
// Master server (10.1.1.250): global options
options {
        listen-on port 53 { 10.1.1.250; };
        directory       "/var/named/chroot/etc/";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Queries are accepted from any client
        allow-query     { any; };
        empty-zones-enable no;
        // Upstream resolvers for names this server is not authoritative for
        forwarders { 114.114.114.114; 8.8.8.8; };

        recursion yes;
        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "/var/named/data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
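```
// Master server: zone definition
zone "boysec.cn" IN {
        type master;
        file "boysec.cn.zone";
        // Send NOTIFY to the slave when the zone changes
        also-notify { 10.1.1.254; };
        // Only the slave may request a zone transfer
        allow-transfer { 10.1.1.254; };
        // Dynamic updates are accepted from the slave's address
        allow-update { 10.1.1.254; };
};
```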
```
// Slave server (10.1.1.254): global options
options {
        listen-on port 53 { 10.1.1.254; };
        directory       "/var/named/chroot/etc/";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        forwarders { 202.106.196.115; 8.8.8.8; };
        recursion yes;
        // Store transferred zones as text so they can be read with cat
        masterfile-format text;

        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
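```
// Slave server: zone definition
zone "boysec.cn" IN {
        type slave;
        // Pull the zone from the master server
        masters { 10.1.1.250; };
        // Path is relative to the "directory" option
        file "slave/boysec.cn.zone";
};
```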
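An added example, not part of the original article or of BIND: a small Python check that reads zone stanzas like the ones above and reports how zone transfers and dynamic updates are restricted. The sample input and the `example.test` zone are constructed, and the rules in `audit()` are this example's own policy assumptions.

```python
import re

# Constructed sample: the master zone stanza from this page plus a
# hypothetical zone ("example.test") with no zone-level transfer ACL.
SAMPLE_CONF = '''
zone "boysec.cn" IN { type master; file "boysec.cn.zone";
    also-notify { 10.1.1.254; }; allow-transfer { 10.1.1.254; };
    allow-update { 10.1.1.254; }; };
zone "example.test" IN { type master; file "example.test.zone"; };
'''

def zone_blocks(conf):
    """Yield (name, body) per zone; braces are matched so nested lists work."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)
    for m in re.finditer(r'\bzone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def acl(body, option):
    """Return the entries of `option { a; b; };`, or None if the option is absent."""
    m = re.search(r'\b' + re.escape(option) + r'\s*\{([^}]*)\}', body)
    return None if m is None else [e.strip() for e in m.group(1).split(';') if e.strip()]

def audit(conf):
    """Return (zone, finding) tuples; the rules are this example's own policy."""
    findings = []
    for name, body in zone_blocks(conf):
        t = re.search(r'\btype\s+(\w+)\s*;', body)
        kind = t.group(1) if t else 'unknown'
        if kind == 'master':
            xfer = acl(body, 'allow-transfer')
            if xfer is None:
                findings.append((name, 'allow-transfer not set at zone level'))
            elif 'any' in xfer:
                findings.append((name, 'allow-transfer open to any'))
            upd = acl(body, 'allow-update')
            if upd and not any(e.startswith('key ') for e in upd):
                findings.append((name, 'allow-update is address-based: ' + ', '.join(upd)))
        elif kind == 'slave' and not acl(body, 'masters'):
            findings.append((name, 'slave zone without masters'))
    return findings

if __name__ == '__main__':
    for zone, finding in audit(SAMPLE_CONF):
        print(f'{zone}: {finding}')
```

A zone with no `allow-transfer` of its own inherits the setting from `options` or the BIND default, so that finding means "check the inherited value", not that transfers are necessarily open.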
Check the configuration and restart the master DNS
```
# mkdir /var/named/chroot/etc/slave
# chown -R named.named /var/named/
# named-checkconf
# systemctl restart named
```
Check the synchronized zone database file
```
[root@dns-slave ~]# cat /var/named/chroot/etc/slave/boysec.cn.zone
$ORIGIN .
$TTL 600        ; 10 minutes
boysec.cn               IN SOA  ns1.boysec.cn. dnsadmin.boysec.cn. (
                                2018121602 ; serial
                                10800      ; refresh (3 hours)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      ns1.boysec.cn.
$ORIGIN boysec.cn.
$TTL 60 ; 1 minute
admin                   A       10.1.1.254
bbs                     A       1.2.3.4
www                     A       10.1.1.250
ns1                     A       10.4.7.11
```
Check that resolution is correct
Query A records using the master DNS
```
[root@dns-slave slave]# dig -t A @10.1.1.250 www.boysec.cn +short
10.1.1.250
[root@dns-slave slave]# dig -t A @10.1.1.250 down.boysec.cn +short
1.22.22.3
```
Query A records using the backup DNS
```
[root@dns-slave slave]# dig -t A @10.1.1.254 www.boysec.cn +short
10.1.1.250
[root@dns-slave slave]# dig -t A @10.1.1.254 down.boysec.cn +short
1.22.22.3
```