Topology

Scenario
Router
Hostname             : router.0846101.nasa
IP Address           : 10.113.25.254/24
Primary (Master) DNS Server
Hostname             : ns1.0846101.nasa
IP Address           : 10.113.25.1/24
Secondary (Slave) DNS Server
Hostname             : ns2.0846101.nasa
IP Address           : 10.113.25.2/24
Agent
Hostname             : agent.0846101.nasa
IP Address           : 10.113.25.129/24
ClientPC (proxy)
Hostname             : client-pc.0846101.nasa
IP Address           : 10.113.25.119/24
Router
Hostname
跟hostname有關的兩個檔案: /etc/sysconfig/network and /etc/hosts
vim /etc/sysconfig/network
# Created by anaconda
HOSTNAME=router.0846101.nasa //localhost.localdomain
vim /etc/hosts
加在最後一行
10.113.25.254   router.0846101.nasa
ping 看看有沒有設定成功
ping -c 2 router.0846101.nasa
有的話就可以reboot
重開機後若還是@localhost 可以執行
hostnamectl set-hostname router.0846101.nasa
DHCP Server
# Add ns1 and ns2 to dns
# NOTE(review): 8.8.8.8 is handed out as a third resolver.  Any client that
# falls back to it bypasses the split-horizon views served by ns1/ns2 and sends
# internal names to an external resolver; drop it unless external fallback is
# deliberate.
option domain-name-servers 10.113.25.1, 10.113.25.2, 8.8.8.8;
# Set fixed IP to ns1, ns2, and client-pc
# NOTE(review): fixed-address pins a lease to a MAC, which any host can spoof.
# It is a convenience, not an access control -- the BIND views further down
# select on source IP, so "came from 10.113.25.x" must not be read as
# authenticated.
host ns1 {
        hardware ethernet 08:00:27:00:87:58;
        fixed-address 10.113.25.1;
}
host ns2 {
        hardware ethernet 08:00:27:61:73:ae;
        fixed-address 10.113.25.2;
}
host client-pc {
        hardware ethernet 08:00:27:8b:6c:b7;
        fixed-address 10.113.25.119;
}
Setting Router As a DNS Client
一般name servers會在/etc/resolv.conf設定
但重開機會被NetworkManager覆寫
可以先到網卡設定 (Both enp0s3 and enp0s8)
vim /etc/sysconfig/network-scripts/ifcfg-enp0s3
新增一行
PEERDNS=no
再到/etc/resolv.conf 編輯name servers
vim /etc/resolv.conf
# Domain appended to unqualified names.
search 0846101.nasa
nameserver 10.113.25.1
nameserver 10.113.25.2
# NOTE(review): ns1's allow-recursion (see its named.conf) only lists the
# agent, so the router's lookups of external names are refused by ns1 and end
# up at 8.8.8.8 -- which also bypasses the split-horizon views and leaks
# internal queries to an external resolver.  Either add 10.113.25.254 to
# allow-recursion on ns1/ns2 and remove this line, or accept the leak knowingly.
nameserver 8.8.8.8
改/etc/nsswitch.conf的找尋hosts的順序
把DNS擺第一順位
hosts:      dns files myhostname
Master DNS Server
Install Bind
dnf install bind 
Install Bind-Utils (to enable cmds like dig, nslookup…)
dnf install bind-utils
Configure DNS Server
vim /etc/named.conf
# TSIG keys
# NOTE(review): these key statements (and the live copies in the TSIG section)
# carry the real shared secrets.  Once pasted into a write-up they must be
# treated as compromised and regenerated before any reuse.  Keep key statements
# in a separate file (e.g. include "/etc/named.tsig.keys"; root:named, 0640) so
# named.conf itself can stay world-readable.  hmac-md5 is deprecated for TSIG
# (RFC 8945); prefer hmac-sha256.
#key "dotone-key" {
#       algorithm hmac-md5;
#       secret "OvexY/E9LNONtKlDlPERlg==";
#};
#key "mysub-key" {
#       algorithm hmac-md5;
#       secret "kZC7vN85HAFzLTrjsKX4tw==";
#};
#key "others-key" {
#       algorithm hmac-md5;
#       secret "9ZA6TNRXbaJAimpTsEi2Xw==";
#};
#Global settings
options {
#   Who can listen on your port 53? 
    listen-on port 53   { any; };
#   Who can send DNS query to you?
#   "any" is normal for an authoritative server; the views below decide which
#   data each source is shown.
    allow-query { any; };
#   Allow transfer from Agent
#   (default only -- every zone below carries its own allow-transfer)
    allow-transfer { localhost; 10.113.25.129; };
#   Default bind version query reply
#   NOTE(review): once the CHAOS views further down exist, named no longer
#   builds its own bind/CH zone, so those views -- not this option -- are what
#   answer version.bind.  Verify with dig after the CH views are added.
    version "";
#   Only allow recursion from Agent
#   NOTE(review): the router and client-pc also use this server as their
#   resolver (resolv.conf / DHCP option) but are not listed here, so their
#   recursive queries get REFUSED and fall through to 8.8.8.8.  Add
#   10.113.25.254 and 10.113.25.119 if that is not intended.
    recursion yes;
    allow-recursion { 10.113.25.129; };
#   Return NXDOMAIN if there is no corresponding A record
#   (auth-nxdomain only controls the AA bit on NXDOMAIN answers)
    auth-nxdomain yes;
};
# NOTE(review): the VIEW requirement quoted later in this page says queries from
# 10.113.1.x/25, but this ACL is a /24, so 10.113.1.128-255 would also land in
# view1.  Confirm which prefix is intended.
acl dotone { 10.113.1.0/24; };
acl mysubnet { 10.113.25.0/24; };
# Catch-all.  Views are tried in order, so the view using this must be last.
acl others { any; };
view "view1" {
#       TSIG-based alternative (see the TSIG section); kept for reference.
#       match-clients { !key mysub-key; !key others-key; key dotone-key; dotone; };
#       allow-transfer { key dotone-key; };
#       server 10.113.25.2 { keys dotone-key; };
#       Address-based selection: ns2 sends each view's transfers from a
#       dedicated alias, so exclude the aliases that belong to the other views,
#       accept this view's alias (10.113.25.222), then the client subnet.  The
#       first matching element decides.
#       NOTE(review): source addresses are not authenticated; this keeps the
#       views apart for cooperating hosts, it does not protect them from a
#       host that spoofs an address on the LAN.
        match-clients { !10.113.25.2; !10.113.25.22; 10.113.25.222; dotone; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa.one";
#               Only the agent and ns2's view1 alias may pull this copy.
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.one";
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
#       Reverse zone for the view-specific answer 140.113.235.131.
        zone "235.113.140.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.viewone";
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
#       Parent zone, slaved from the course master; one copy per view.
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.one";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
};
view "viewmine" {
#       TSIG-based alternative (see the TSIG section); kept for reference.
#       match-clients { !key dotone-key; !key others-key; key mysub-key; mysubnet; };
#       allow-transfer { key mysub-key; };
#       server 10.113.25.2 { keys mysub-key; };
#       Same pattern as view1: ns2's viewmine alias is 10.113.25.22; its other
#       aliases are excluded first so they cannot match "mysubnet" by address.
        match-clients { !10.113.25.2; !10.113.25.222; 10.113.25.22; mysubnet; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa.mysub";
                allow-transfer { 10.113.25.129; 10.113.25.22; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.mysub";
                allow-transfer { 10.113.25.129; 10.113.25.22; };
        };
#       Reverse zone for the view-specific answer 140.113.235.151.
        zone "235.113.140.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.viewmysub";
                allow-transfer { 10.113.25.129; 10.113.25.22; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.mysub";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.22; };
        };
};
view "viewothers" {
#       TSIG-based alternative (see the TSIG section); kept for reference.
#       match-clients { !key dotone-key; !key mysub-key; key others-key; others; };
#       allow-transfer { key others-key; };
#       server 10.113.25.2 { keys others-key; };
#       Last view: ns2's primary address 10.113.25.2 and everyone not caught
#       above.  Must stay last because "others" is any.
        match-clients { !10.113.25.22; !10.113.25.222; 10.113.25.2; others; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa";
                allow-transfer { 10.113.25.129; 10.113.25.2; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25";
                allow-transfer { 10.113.25.129; 10.113.25.2; };
        };
#       No 235.113.140.in-addr.arpa here: the "others" answer (10.113.25.87)
#       is covered by the 25.113.10 reverse zone above.
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.2; };
        };
};
Create Zone Files
放在/var/named
| 正查檔 | 反查檔 (10.113.25.0/24) | 反查檔 (140.113.235.0/24，view 專用) | BIND version | 
|---|---|---|---|
| named.0846101.nasa.one | named.10.113.25.one | named.10.113.25.viewone | ver.0846101.nasa | 
| named.0846101.nasa.mysub | named.10.113.25.mysub | named.10.113.25.viewmysub | | 
| named.0846101.nasa | named.10.113.25 | | | 
Create Forward Zone
通用的正查檔
vim /var/named/named.0846101.nasa
$TTL            86400
;
; The 0846101.nasa. domain database
; Generic copy served by "viewothers"; the view1/viewmine copies differ only in
; the "view" A record (see the commented alternatives below).
;
@               IN      SOA     ns1.0846101.nasa. root.0846101.nasa. (
                        2020050604      ; Serial Year,Month,Day,Version -- must grow on every edit or slaves keep the old copy
                        21600           ; Refresh: how often slaves poll for a new serial
                        1800            ; Retry: re-poll interval after a failed refresh
                        604800          ; Expire: slaves stop answering after this long without contact
                        86400           ; Minimum: negative-caching TTL (RFC 2308)
                        )
; Define name servers
                IN      NS      ns1.0846101.nasa.
                IN      NS      ns2.0846101.nasa.
; Define localhost
; NOTE(review): publishing localhost.0846101.nasa -> 127.0.0.1 is a known
; anti-pattern (a name under this zone that resolves to loopback aids DNS
; rebinding / same-site tricks); RFC 6761 expects "localhost" to be resolved
; locally.  Consider dropping it.
localhost       IN      A       127.0.0.1
; Define the static hosts
; Zone apex points at client-pc, the proxy host in the topology.
0846101.nasa.           IN      A       10.113.25.119
ns1             IN      A       10.113.25.1
ns2             IN      A       10.113.25.2
agent           IN      A       10.113.25.129
router          IN      A       10.113.25.254
; for 10.113.1.0/24
;view            IN      A       140.113.235.131
; for 10.113.25.0/24 
;view            IN      A       140.113.235.151
; for others
view            IN      A       10.113.25.87
; Define some aliases
web             IN      CNAME   agent.0846101.nasa.
nasa            IN      CNAME   nasa.cs.nctu.edu.tw.
Create Reverse Zone
通用的反查檔
vim /var/named/named.10.113.25
$TTL    600
$ORIGIN 25.113.10.in-addr.arpa.
; Generic reverse zone for 10.113.25.0/24 (served by "viewothers").
; SOA fields: serial refresh retry expire minimum
@       IN      SOA     ns1.0846101.nasa. root.0846101.nasa. ( 2020050502 10800 1200 3600000 3600 )
;
@       IN      NS      ns1.0846101.nasa.
@       IN      NS      ns2.0846101.nasa.
1       IN      PTR     ns1.0846101.nasa.
2       IN      PTR     ns2.0846101.nasa.
129     IN      PTR     agent.0846101.nasa.
254     IN      PTR     router.0846101.nasa.
; for others
; 10.113.25.87 is the "others" answer for view.0846101.nasa in the forward
; zone; keep this PTR in step with that A record.  client-pc (.119) has no PTR.
87      IN      PTR     view.0846101.nasa.
給10.113.1.0/24的view.0846101.nasa反查
vim /var/named/named.10.113.25.viewone
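$TTL    600
$ORIGIN 235.113.140.in-addr.arpa.
; Reverse zone served only to view1 (10.113.1.0/24 clients): maps the
; view-specific answer 140.113.235.131 back to view.0846101.nasa.
@       IN      SOA     ns1.0846101.nasa. root.0846101.nasa. ( 2020050605 10800 1200 3600000 3600 )
; Every zone needs NS records at its apex.  Without them named-checkzone reports
; "has no NS records" and named refuses to load the zone, so this view would
; have no reverse data at all.
@       IN      NS      ns1.0846101.nasa.
@       IN      NS      ns2.0846101.nasa.
131     IN      PTR     view.0846101.nasa.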
給10.113.25.0/24的view.0846101.nasa反查
vim /var/named/named.10.113.25.viewmysub
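$TTL    600
$ORIGIN 235.113.140.in-addr.arpa.
; Reverse zone served only to viewmine (10.113.25.0/24 clients): maps the
; view-specific answer 140.113.235.151 back to view.0846101.nasa.
@       IN      SOA     ns1.0846101.nasa. root.0846101.nasa. ( 2020050605 10800 1200 3600000 3600 )
; Every zone needs NS records at its apex.  Without them named-checkzone reports
; "has no NS records" and named refuses to load the zone, so this view would
; have no reverse data at all.
@       IN      NS      ns1.0846101.nasa.
@       IN      NS      ns2.0846101.nasa.
151     IN      PTR     view.0846101.nasa.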
Confuse your BIND version number
For ns1, use “Name Server 1”.
For ns2, use “Name Server 2”.
Only allow queries from your internal network.
dig version.bind txt chaos @ns1.0846101.nasa
在/etc/named.conf新增
view "chaos" CH {
#   Only the internal subnet is shown the (fake) version string.
    match-clients { "mysubnet"; };
    zone "bind" CH {
        type master;
        file "ver.0846101.nasa";
#       Dynamic updates are off by default; stated explicitly.
        allow-update { none; };
    };
};
view "chaosrefuse" CH {
#   Everyone else: the zone is declared but all queries are refused, so
#   version.bind returns REFUSED instead of the real BIND version.
#   NOTE(review): a master zone normally needs a file statement; if
#   named-checkconf rejects this stanza, the BIND ARM pattern is a view-level
#   allow-query { none; } with zone "." { type hint; file "/dev/null"; }.
#   Hiding the banner only defeats trivial fingerprinting -- behavioural
#   fingerprinting still identifies BIND, so keep the server patched.
    match-clients { any; };
    zone "bind" CH {
        type master;
        allow-query { none; };
    };
};
vim /var/named/ver.0846101.nasa
$TTL    3600
@       86400       CH   SOA     ns1.0846101.nasa. root.0846101.nasa. (
                    2020050401      ; serial
                    3600            ; refresh
                    3600            ; retry
                    604800          ; expiry
                    86400 )         ; minimum
;
@                   CH  NS  ns1.0846101.nasa.
version             CH  TXT "Name Server 1"
SSHFP Record
Add SSHFP record of your machines’ ssh key fingerprint.
The algorithm ECDSA and ED25519 should be implement.
The hash type SHA-256 should be implement.
Generate SSHFP Records Remotely
Download the script and make it executable. Read it before running it: it necessarily obtains the host keys from the target over the network, so whatever it receives is what ends up published in DNS. Run it over a trusted path, or compare the printed fingerprints with `ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub` on the target itself, otherwise a man-in-the-middle at this step gets its key baked into the zone.
wget https://gist.githubusercontent.com/webernetz/2ca7325555ce7f28f26daf5728386d82/raw/1c18dc43a05478771ac4693401a3c78205a4e710/grabsshfp.sh
chmod u+x grabsshfp.sh
And call it with the DNS name or IP address of the destination:
./grabsshfp.sh 10.113.25.254
會得到
IN  SSHFP   [Algorithm] [Fingerprint Type]  [Fingerprint (in hex)]
Algorithm(第一個數字)
1   -   RSA
2   -   DSA
3   -   ECDSA
4   -   ED25519
Fingerprint Type(第二個數字)
1   -   SHA-1
2   -   SHA-256
Add records to zone files
加到/var/named/named.0846101.nasa*
; SSHFP
; Format: SSHFP <algorithm> <fingerprint type> <hex>; 3 = ECDSA, 4 = Ed25519,
; 2 = SHA-256.  OpenSSH (VerifyHostKeyDNS) trusts these automatically only when
; the resolver marks the answer DNSSEC-secure (AD bit), so they are only
; meaningful once the zone is signed.
; NOTE(review): ns1 and ns2 carry byte-identical fingerprints, i.e. the two VMs
; share the same SSH host keys (typical after cloning an image).  One
; compromised key then impersonates both hosts.  Regenerate on one of them
; (rm /etc/ssh/ssh_host_*; ssh-keygen -A; restart sshd) and re-grab its records.
ns1             IN      SSHFP   3 2 3e7b3a4ddc106ac972a2719c475b496b82248abefe06acca8d2e680def01a06c
ns1             IN      SSHFP   4 2 cb2890ea5649b06c24cf7c22e54a2892fcfb73e169ed684e05697fbcb51cf86d
ns2             IN      SSHFP   3 2 3e7b3a4ddc106ac972a2719c475b496b82248abefe06acca8d2e680def01a06c
ns2             IN      SSHFP   4 2 cb2890ea5649b06c24cf7c22e54a2892fcfb73e169ed684e05697fbcb51cf86d
router          IN      SSHFP   3 2 99557b68b0f2fbe86ec510ebc86af25bb1b6a7ef031093cec559c4a8a5b75d01
router          IN      SSHFP   4 2 bdbff4baf39c4a222107697f69401126cb4ffcf52c1163ae025cf8e340d43ceb
agent           IN      SSHFP   3 2 681fecc886e9433284ce3c9630970028e44e7a779f88940fdfac50999c02ad5e
agent           IN      SSHFP   4 2 e1c0088d8ed2f4ed27c990b46a9f75dad7ad0f7fb45356316a637435d3f57c71
Look up SSHFP records (注意：OpenSSH 只有在設定 `VerifyHostKeyDNS yes` 且回應有通過 DNSSEC 驗證 (AD bit) 時才會自動信任 SSHFP，否則仍會要求手動確認 host key；所以這一步在 zone 簽好並建立 trust chain 之後才真正有用)
dig router.0846101.nasa sshfp
DNSSEC
Domain Name System SECurity Extensions
傳統的DNS沒有安全機制,容易遭受攻擊
- Spoofing
 - Man‐in‐the‐Middle Attack
 - Cache Poisoning Attack
 
在解析網域名稱的過程中加上驗證的機制
驗證端 (validating resolver) 收到帶有 RRSIG 的回應後，會取得該 zone 的 DNSKEY，再用上層 zone 的 DS record 驗證這把 DNSKEY，逐層往上直到 root 的 trust anchor
任一層驗證失敗就把回應視為 bogus（回 SERVFAIL）而不採信；驗證通過才會把資料交給應用程式或用來進行下一步查詢
Based on
- PKI (Public Key Infrastructure) Public Key / Private Key
 - Hashing
 - Signature (數位簽章)
 
三大保證
- 來源驗證性 (Origin Authentication)
 - 資料完整性 (Data Integrity)
 - 受驗證的不存在性 (Authenticated Denial of Existence)
 
Resource Record : DNSKEY, DS, RRSIG, NSEC/NSEC3 (DS 放在上層 zone，指向本 zone 的 KSK)
Generate KSK
Key Signing Key
dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE 0846101.nasa
產生兩個key
K0846101.nasa.+008+29014.key        //public key
K0846101.nasa.+008+29014.private    //private key
Generate ZSK
Zone Signing Key
dnssec-keygen -a RSASHA256 -b 2048 -n ZONE 0846101.nasa
產生兩個key
K0846101.nasa.+008+00945.key        //public key
K0846101.nasa.+008+00945.private    //private key
我把這四個key放在/etc/named/keys（下面的 $INCLUDE 與 dnssec-signzone 都用這個路徑，兩邊要一致）。.private 檔含私鑰，只能讓 root/named 讀取 (chmod 600)；KSK 的 private key 只在重簽或 rollover 時需要，最好離線保存，不要長期留在 DNS server 上。
Signing a Zone
Include keys in zone files /var/named/named.0846101.nasa.one, /var/named/named.0846101.nasa.mysub ,and /var/named/named.0846101.nasa
$INCLUDE        /etc/named/keys/K0846101.nasa.+008+29014.key ;KSK
$INCLUDE        /etc/named/keys/K0846101.nasa.+008+00945.key ;ZSK
NSEC
dnssec-signzone \
-o 0846101.nasa \
-t \
-k /etc/named/keys/K0846101.nasa.+008+29014.key \
/var/named/named.0846101.nasa \
/etc/named/keys/K0846101.nasa.+008+00945.key
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
/var/named/named.0846101.nasa.one.signed
Signatures generated:                       25
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.026
Signatures per second:                 934.928
Runtime in seconds:                      0.041
NSEC3
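# NSEC3 signing.  Flags:
#   -3 <salt>   NSEC3 salt in hex; "-" means no salt
#   -H <n>      extra NSEC3 hash iterations
#   -u          update the existing NSEC/NSEC3 chain
#   -o          zone origin
#   -t          print signing statistics
#   -k          KSK public key; the last argument is the ZSK public key
# The write-up originally used "-3 55844b7f -H 100".  RFC 9276 (BCP 236)
# recommends 0 extra iterations and no salt: iterations only slow validators
# down (several now treat zones with high counts as insecure or fail them),
# and the salt adds nothing because the owner name is already hashed in.
dnssec-signzone \
-3 - \
-H 0 \
-u \
-o 0846101.nasa \
-t \
-k /etc/named/keys/K0846101.nasa.+008+29014.key \
/var/named/named.0846101.nasa \
/etc/named/keys/K0846101.nasa.+008+00945.key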
Verifying the zone using the following algorithms: RSASHA256.
Zone fully signed:
Algorithm: RSASHA256: KSKs: 1 active, 0 stand-by, 0 revoked
                      ZSKs: 1 active, 0 stand-by, 0 revoked
/var/named/named.0846101.nasa.signed               //簽好的zone file
Signatures generated:                       27
Signatures retained:                         0
Signatures dropped:                          0
Signatures successfully verified:            0
Signatures unsuccessfully verified:          0
Signing time in seconds:                 0.030
Signatures per second:                 891.736
Runtime in seconds:                      0.040
Create Trust Chain
dnssec-dsfromkey /etc/named/keys/K0846101.nasa.+008+29014.key   //KSK
Upload DS Record to nasa.
我選擇第二個（dnssec-dsfromkey 預設會印出兩筆 DS：digest type 1 = SHA-1 與 digest type 2 = SHA-256；SHA-1 的 DS 已不建議使用，只上傳 SHA-256 那一筆即可）

Configuration
只列出要新增或修改的地方
把.signed的zone files替換上去
vim /etc/named.conf
#Global settings
options {
#       NOTE(review): dnssec-enable is a deprecated no-op in recent BIND
#       (removed in 9.18); dnssec-validation is the switch that matters.
        dnssec-enable yes;
#       Validate answers this server fetches when recursing for the agent.
#       Note that the .signed files referenced below expire: dnssec-signzone
#       signatures are valid for 30 days by default, so the zone must be
#       re-signed before then (or switch to inline-signing / dnssec-policy).
        dnssec-validation yes;
};
view "view1" {
        zone "0846101.nasa" IN {
                file "/var/named/named.0846101.nasa.one.signed";
        };
};
view "viewmine" {
        zone "0846101.nasa" IN {
                file "/var/named/named.0846101.nasa.mysub.signed";
        };
};
view "viewothers" {
        zone "0846101.nasa" IN {
                file "/var/named/named.0846101.nasa.signed";
        };
};
維護Domain
- RR修改
- 修改原始zone file (rndc freeze)
 - 凍結zone
 - 改完把 SOA serial 加大，否則 slave 不會重新抓
 - 重新用 dnssec-signzone 簽署 zone file（產生新的 .signed）
 - 解凍zone使其生效 (rndc thaw)
 - 沒改 RR 也要定期重簽：dnssec-signzone 產生的簽章預設只有 30 天有效，過期後驗證端會回 SERVFAIL；實際環境建議用 inline-signing / dnssec-policy 讓 named 自動重簽
 
 - 退回DNS
- 要求上層拿掉DS record
 
 
Start the DNS service
Enable and start DNS service:
systemctl enable named
systemctl start named
Firewall Configuration
Firewall預設是關的
將DNS的 TCP, UDP port 53打開
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload
Router的iptables規則也要改
vim /etc/sysconfig/iptables
# Port 53 into the router itself.  Nothing in this write-up runs named on the
# router, so these INPUT rules are presumably only needed if it ever has to
# answer DNS; otherwise they can go.
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
# NOTE(review): FORWARD with no -s/-d lets every LAN host reach any external
# resolver, bypassing the split-horizon views on ns1/ns2 and opening a DNS
# exfiltration path.  Restricting -s to ns1/ns2 (the hosts that must recurse
# upstream) and the agent is tighter.
-A FORWARD -p tcp --dport 53 -j ACCEPT
-A FORWARD -p udp --dport 53 -j ACCEPT
Test DNS
Restart BIND before testing
systemctl restart named
Forward Look up
dig view.0846101.nasa @10.113.25.1
Reverse Look up
dig -x 10.113.25.254 @10.113.25.1
AXFR
dig axfr 0846101.nasa @10.113.25.1
SOA
dig -t soa router.0846101.nasa
Slave DNS Server
General Configuration
/etc/named.conf
options {
        listen-on port 53 { any; };
        allow-query     { any; };
#       Only the agent may pull zones by default; per-zone statements override.
        allow-transfer { localhost; 10.113.25.129; };
        version "";
        recursion yes;
#       NOTE(review): 10.113.254.25 is not in the lab topology -- almost
#       certainly a transposition of the router, 10.113.25.254, which does use
#       this server as a resolver.  As written the router's recursive queries
#       get REFUSED here.
        allow-recursion { 10.113.25.129; 10.113.25.119; 10.113.254.25; };
        auth-nxdomain   yes;
#       dnssec-enable is a deprecated no-op in recent BIND; dnssec-validation
#       is the effective switch.
        dnssec-enable yes;
        dnssec-validation yes;
};
多個 View 同步到 Slave
VIEW
- Add A record for view.{your_domain}.
- For queries from 10.113.1.x/25
- Answer 140.113.235.131
 
 - For queries from 10.113.ID.x/24
- Answer 140.113.235.151
 
 - For other queries
- Answer 10.113.ID.87
 
 
 - For queries from 10.113.1.x/25
 
兩個方法
- TSIG
 - 給 Slave 多個IP
 
TSIG
Transaction Signature
Generate 3 keys in Master DNS
# NOTE(review): HMAC-MD5 is deprecated for TSIG (RFC 8945) and BIND 9.14+
# dropped HMAC support from dnssec-keygen altogether.  The modern equivalent is
#   tsig-keygen -a hmac-sha256 dotone-key
# which prints a ready-to-include key {} statement to stdout.  dnssec-keygen
# writes its K*.key / K*.private files into the current working directory
# (not /etc/ssh); they contain the shared secret, so generate them as root in
# a directory others cannot read.
dnssec-keygen -a HMAC-MD5 -b 128 -n Host dotone-key
dnssec-keygen -a HMAC-MD5 -b 128 -n Host mysub-key
dnssec-keygen -a HMAC-MD5 -b 128 -n Host others-key
會在目前的工作目錄產生三組 Keys（K<name>.+<alg>+<id>.key 與 .private，不是 /etc/ssh）
把 .key 裡的 secret cat 出來，寫成下面的 key {} 區塊放進 Master、Slave 的設定；建議放在獨立檔案（例如 /etc/named.tsig.keys，root:named、0640）再用 include 引入。secret 不要貼進公開的筆記——下面這三組已經公開，實際環境一定要重新產生
# NOTE(review): hmac-md5 is deprecated for TSIG (RFC 8945); generate new keys
# with tsig-keygen -a hmac-sha256 <name>.  These three secrets are public now
# that they appear in the write-up -- regenerate before any reuse.  Both ends
# must hold the identical key name, algorithm and secret, and their clocks must
# agree within the TSIG fudge (300 s default) or signatures fail with BADTIME.
key "dotone-key" {
       algorithm hmac-md5;
       secret "OvexY/E9LNONtKlDlPERlg==";
};
key "mysub-key" {
       algorithm hmac-md5;
       secret "kZC7vN85HAFzLTrjsKX4tw==";
};
key "others-key" {
       algorithm hmac-md5;
       secret "9ZA6TNRXbaJAimpTsEi2Xw==";
};
ns1/etc/named.conf
acl dotone { 10.113.1.0/24; };
acl mysubnet { 10.113.25.0/24; };
acl others { any; };
view "view1" {
#       TSIG selects the view for signed traffic (ns2 pulling zones).  The
#       negated keys come first so a request signed with another view's key
#       cannot fall into this view by address; unsigned clients match by ACL.
        match-clients { !key mysub-key; !key others-key; key dotone-key; dotone; };
#       ns2 must sign its AXFR/IXFR request with dotone-key to get this copy.
        allow-transfer { key dotone-key; 10.113.25.129; };
#       Sign everything sent to ns2 (NOTIFY) with dotone-key so it lands in
#       ns2's matching view.
        server 10.113.25.2 { keys dotone-key; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa.one";
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.one";
        };
        zone "235.113.140.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.viewone";
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.one";
                masters { 10.113.0.254; };
        };
};
view "viewmine" {
        match-clients { !key dotone-key; !key others-key; key mysub-key; mysubnet; };
        allow-transfer { key mysub-key; 10.113.25.129; };
        server 10.113.25.2 { keys mysub-key; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa.mysub";
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.mysub";
        };
        zone "235.113.140.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25.viewmysub";
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.mysub";
                masters { 10.113.0.254; };
        };
};
view "viewothers" {
        match-clients { !key dotone-key; !key mysub-key; key others-key; others; };
        allow-transfer { key others-key; 10.113.25.129; };
        server 10.113.25.2 { keys others-key; };
        zone "0846101.nasa" IN {
                type master;
                file "/var/named/named.0846101.nasa";
        };
        zone "25.113.10.in-addr.arpa" IN {
                type master;
                file "/var/named/named.10.113.25";
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa";
                masters { 10.113.0.254; };
        };
};
ns2 /etc/named.conf
view "view1" {
        match-clients { !key mysub-key; !key others-key; key dotone-key; dotone; };
        server 10.113.25.1 { keys dotone-key; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa.one";
                masters { 10.113.25.1; }; 
                allow-transfer { 10.113.25.129; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.one";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "235.113.140.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.viewone";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.one";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; };
        };
};
view "viewmine" {
        match-clients { !key dotone-key; !key others-key; key mysub-key; mysubnet; };
        server 10.113.25.1 { keys mysub-key; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa.mysub";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.mysub";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "235.113.140.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.viewmysub";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.mysub";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; };
        };
};
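view "viewothers" {
#       Mirror of the other two views: exclude requests signed with the OTHER
#       views' keys, accept others-key, then everyone else by address.
#       The original line read "!key dotone-key; !key others-key; key others-key;"
#       -- the first matching element decides, so a message signed with
#       others-key (ns1's NOTIFYs, sent via server 10.113.25.2 { keys others-key; })
#       was rejected by the negation before "key others-key" was reached and
#       then fell through to no view at all.
        match-clients { !key dotone-key; !key mysub-key; key others-key; others; };
#       Sign our transfer requests to ns1 with others-key so they hit its
#       viewothers.
        server 10.113.25.1 { keys others-key; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25";
                masters { 10.113.25.1; };
                allow-transfer { 10.113.25.129; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; };
        };
};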
給 Slave 多個IP
分配IP
| 10.113.1.0/24 | 10.113.25.0/24 | others | 
|---|---|---|
| 10.113.25.222 | 10.113.25.22 | 10.113.25.2 | 
設定
vim /etc/sysconfig/network-scripts/ifcfg-enp0s3
IPADDR1="10.113.25.22"
IPADDR2="10.113.25.222"
PREFIX1="24"
PREFIX2="24"
view "view1" {
#       Without TSIG the master picks the view from our source address, so each
#       view's transfers must leave from the alias assigned to it
#       (10.113.25.222 for view1) -- hence transfer-source on every zone.
#       NOTE(review): ns1's NOTIFYs come from 10.113.25.1, which matches
#       "mysubnet", so on this server they can only land in viewmine.  view1
#       and viewothers presumably learn of changes only at SOA refresh unless
#       rndc retransfer is run (as the write-up does at the end).
        match-clients { dotone; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa.one";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.222;
#               NOTE(review): 10.113.25.119 is the client PC.  Allowing a
#               workstation to AXFR hands it the complete host list; fine for
#               lab testing, drop it otherwise.
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.222; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.one";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.222;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.222; };
        };
        zone "235.113.140.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.viewone";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.222;
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.one";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.222; };
        };
};
view "viewmine" {
        match-clients { mysubnet; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa.mysub";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.22;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.22; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.mysub";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.22;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.22; };
        };
        zone "235.113.140.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25.viewmysub";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.22;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.22; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa.mysub";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.22; };
        };
};
view "viewothers" {
        match-clients { others; };
        zone "0846101.nasa" IN {
                type slave;
                file "slaves/named.0846101.nasa";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.2;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.2; };
        };
        zone "25.113.10.in-addr.arpa" IN {
                type slave;
                file "slaves/named.10.113.25";
                masters { 10.113.25.1; };
                transfer-source 10.113.25.2;
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.2; };
        };
        zone "nasa" IN {
                type slave;
                file "slaves/named.nasa";
                masters { 10.113.0.254; };
                allow-transfer { 10.113.25.129; 10.113.25.119; 10.113.25.2; };
        };
};
Firewall
Firewall預設是關的
將DNS的 TCP, UDP port 53打開
firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp
firewall-cmd --reload
同步
一般只要Master的zone files有更動
更新好serial 就會自動同步到Slave
但也可以
手動同步Master
rndc retransfer 0846101.nasa IN view1
rndc retransfer 0846101.nasa IN viewmine
rndc retransfer 0846101.nasa IN viewothers