今天单位的DNS重新构架,一台主的作主DNS,二台从的作辅助DNS,下面把配置的要求写下,以免在运维中的同志们走弯路和错路(抚琴煮酒),DNS版本采用9.6-P1源码安装(处理问题的过程中得到了netseek的帮助,这里要特别感谢下)
这是在从DNS上出现的问题一:
Mar2616:04:17gdstnamed[18464]:client
115.207.47.199#20601:viewany:query(cache)'112.2.5.221.in-
addr.arpa/PTR/IN'denied
Mar2616:04:17gdstnamed[18464]:client
115.207.47.199#20602:viewany:query(cache)
'dx.3158.com.domain/A/IN'denied
Mar2616:04:17gdstnamed[18464]:client
115.207.47.199#20603:viewany:query(cache)
'dx.3158.com.domain/AAAA/IN'denied
Mar2616:04:17gdstnamed[18464]:client
115.207.47.199#20604:viewany:query(cache)'y163.net/A/IN'
denied
Mar2616:04:17gdstnamed[18464]:client
115.207.47.199#20605:viewany:query(cache)
'y163.net/AAAA/IN'denied
Mar2616:04:18gdstnamed[18464]:client
115.207.47.199#20606:viewany:query(cache)'112.2.5.221.in-
addr.arpa/PTR/IN'denied
Mar2616:04:18gdstnamed[18464]:client
115.207.47.199#20607:viewany:query(cache)
'dx.3158.com.domain/A/IN'denied
Mar2616:04:18gdstnamed[18464]:client
115.207.47.199#20608:viewany:query(cache)
'dx.3158.com.domain/AAAA/IN'denied
Mar2616:04:18gdstnamed[18464]:client
115.207.47.199#20609:viewany:query(cache)'y163.net/A/IN'
denied
Mar2616:04:19gdstnamed[18464]:client
115.207.47.199#20610:viewany:query(cache)
'y163.net/AAAA/IN'denied
Mar2616:04:19gdstnamed[18464]:client
115.207.47.199#20611:viewany:query(cache)'112.2.5.221.in-
addr.arpa/PTR/IN'denied
Mar2616:04:19gdstnamed[18464]:client
115.207.47.199#20612:viewany:query(cache)
'dx.3158.com.domain/A/IN'denied
Mar2616:04:19gdstnamed[18464]:client
115.207.47.199#20613:viewany:query(cache)
'dx.3158.com.domain/AAAA/IN'denied
Mar2616:04:19gdstnamed[18464]:client
115.207.47.199#20614:viewany:query(cache)'y163.net/A/IN'
denied
Mar2616:04:20gdstnamed[18464]:client
115.207.47.199#20615:viewany:query(cache)
'y163.net/AAAA/IN'denied
Mar2616:04:21gdstnamed[18464]:client
60.215.129.103#53455:viewany:query(cache)
''denied
Mar2616:04:49gdstnamed[18464]:client
121.14.128.68#53455:viewCHINANET:query(cache)
''denied
Mar2616:04:59gdstnamed[18464]:client
221.171.1.147#53455:viewCHINANET:query(cache)
''denie
发现新版的对cache的处理有所改变
新版本的BIND对 allow-query 有着不同的处理,新增加了一个
allow-query-cache 的选项。
QUOTE:allow-query Specifies which hosts are allowed to ask
ordinary DNS questions. allow-query may also
be specified in the zone statement, in which case it overrides the
options allow-query statement.
If not specified, the default is to allow queries from all hosts.
QUOTE:allow-query-cache Specifies which hosts are allowed to
get answers from the cache. The default is the
builtin acls localnets and localhost.
The way to set query access to the cache is now via allow-query-
cache. This differs from earlier
versions which used allow-query.
BIND 9.4 的手册上还特别注释了
QUOTE:allow-query-cache is now used to specify access to the
cache.
即在从DNS的options里添加一条:
key "rndc-key" {
algorithm hmac-md5;
secret "Rox3q+3f0gp8MKyQXx2zWw==";
};
controls {
inet 127.0.0.1 port 953
allow { localhost; } keys { "rndc-key"; };
};
options {
version "9.8.12";
directory "/var/named";
pid-file "named.pid";
allow-query { any; }; //此处为添加
};
在维护CDN的bind的服务器时,有以下事项要注意:
一、如果主DNS和从DNS都是用root用户的,不需要考虑权限问题
,即/var/named写权限不需要更改任何地方,即不需要更改为named或给7权限;
二、多使用bind自带的rndc命令,这命令异常方便;配置时多用tail -f /var/log/messages,我就是系统日志来排错的;
三、如果测试bind时发现出现Non-authoritative answer,意即非授权的回答,说明来自其他DNS服务器或缓存;
四、辅DNS服务器主要有两种主要用途,一是作为主NDNS服务器的备份,二是分担主NDS服务器的负载。区域传(Zone transfer)是指辅DNS从master DNS服务器中将区域数据库文件复制来的过程,启动区域传输的机制我也总结了下,有以下三种情况:
①辅DNS服务器刚启动;
②是SOA记录中的刷新间隔到达;
③是master DNS设置了主动通知辅DNS数据有变化。