DNS Forward and Reverse Resolution, Forwarding Server, and Master/Slave Service
1. Forward and reverse resolution
| Host | Role | OS | IP |
|---|---|---|---|
| client | client | redhat 9.6 | 192.168.72.7 |
| server | DNS server | redhat 9.6 | 192.168.72.18 |
1.1 Configure the server
1) Set the hostname and IP address
```
[root@localhost ~]# hostnamectl hostname server

[root@server ~]# nmcli c m ens160 ipv4.addresses 192.168.72.18/24
[root@server ~]# nmcli c up ens160
```
2) Install the software
```
[root@server ~]# dnf install bind -y

# configuration files shipped by the package
[root@server ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
```
3) Edit the main configuration file
```
[root@server ~]# vim /etc/named.conf
[root@server ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.18; };   // listen on this host's IP address
    listen-on-v6 port 53 { ::1; };
    directory       "/var/named";           // directory that holds the zone data files
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-query     { any; };   // any host may query; together with recursion yes this is an open resolver
                                // if the server is reachable from untrusted networks, so restrict it outside a lab

    recursion yes;

    dnssec-validation no;       // disabled for this isolated lab; keep the default (auto) on an Internet-facing resolver

    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
4) Edit the zone configuration file
```
[root@server ~]# vim /etc/named.rfc1912.zones
// forward zone
zone "example.com" IN {                 // domain to resolve
    type master;                        // this server is the master (primary) for the zone
    file "example.com.zone";            // forward zone data file, relative to the directory option
    allow-update { none; };             // no dynamic updates
};
// reverse zone
zone "72.168.192.in-addr.arpa" IN {     // reverse zone for 192.168.72.0/24
    type master;
    file "example.com.arpa.zone";       // reverse zone data file
    allow-update { none; };
};
```
5) Create the forward zone data file
```
[root@server ~]# cd /var/named/

[root@server named]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

# copy the forward zone template (cp -a keeps the root:named ownership and mode so named can read it)
[root@server named]# cp -a named.localhost example.com.zone
[root@server named]# vim example.com.zone
[root@server named]# cat example.com.zone
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                                        2025110501      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        NS      ns
        MX 1    mail.example.com.
ns      IN A    192.168.72.18
mail    IN A    192.168.72.19
www     IN A    192.168.72.8
ftp     IN A    192.168.72.20
web     IN CNAME www
```
6) Create the reverse zone data file
```
[root@server named]# cp -a named.loopback example.com.arpa.zone
[root@server named]# vim example.com.arpa.zone
[root@server named]# cat example.com.arpa.zone
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                                        2025110501      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        NS      ns.example.com.
8       IN PTR  www.example.com.
20      IN PTR  ftp.example.com.
```
Any name on the right-hand side that does not end in a dot is relative to this zone's origin. In a reverse zone that matters: a bare `ftp` would expand to ftp.72.168.192.in-addr.arpa., not ftp.example.com., so the NS and PTR targets here are written as fully qualified names with the trailing dot. For the same reason the name server is written as ns.example.com. rather than a relative `ns` with an A record inside the in-addr.arpa zone.
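The relative-name trap above is easy to miss by eye and named-checkzone does not flag it (the expanded name is syntactically valid). The following is an added example, not part of the original article: two helpers for working out what a PTR owner name maps to and a small lint that reports every NS/PTR/CNAME/MX target written without a trailing dot, together with the name named would actually expand it to. It is plain sh + awk so it runs without bind installed; the reverse zone it checks is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight checks for
# hand-written zone files, in plain sh + awk so they run without bind.
# The reverse zone below is constructed for the demonstration.

# ptr_owner IPV4 -> the fully qualified in-addr.arpa name the PTR lives at
#   ptr_owner 192.168.72.8  ->  8.72.168.192.in-addr.arpa.
ptr_owner() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# ptr_label_to_ip ORIGIN LABEL -> the address a short PTR owner label refers to
#   ptr_label_to_ip 72.168.192.in-addr.arpa 20  ->  192.168.72.20
ptr_label_to_ip() {
    printf '%s\n' "${1%.in-addr.arpa}" |
        awk -F. -v label="$2" '{ printf "%s.%s.%s.%s\n", $3, $2, $1, label }'
}

# lint_relative_targets ZONEFILE ORIGIN
# Lists NS/PTR/CNAME/MX targets written without a trailing dot and shows what
# named will expand them to. In a reverse zone "PTR ftp" silently becomes
# ftp.72.168.192.in-addr.arpa., which is almost never what was meant; in a
# forward zone the expansion may be intended, so read the output as a report.
# Output format: "<line>: <type> <target> -> <expanded name>"
lint_relative_targets() {
    awk -v origin="$2" '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }      # comment or blank line
        {
            sub(/;.*$/, "")                                 # strip a trailing comment
            type = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "NS" || $i == "PTR" || $i == "CNAME") { type = $i; target = $(i + 1); break }
                if ($i == "MX")                                 { type = $i; target = $(i + 2); break }
            }
            if (type == "" || target == "" || target == "@") next
            if (target !~ /\.$/)
                printf "%d: %s %s -> %s.%s.\n", NR, type, target, target, origin
        }' "$1"
}

# --- demonstration on a constructed reverse zone -----------------------------
zone=$(mktemp)
cat >"$zone" <<'EOF'
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                2025110501 ; serial
                1D ; refresh
                1H ; retry
                1W ; expire
                3H ) ; minimum
        NS      ns.example.com.
8       IN PTR  www.example.com.
20      IN PTR  ftp                 ; mistake: relative name in a reverse zone
EOF
echo "PTR owner for 192.168.72.8           : $(ptr_owner 192.168.72.8)"
echo "label 20 under 72.168.192.in-addr.arpa: $(ptr_label_to_ip 72.168.192.in-addr.arpa 20)"
echo "findings:"
lint_relative_targets "$zone" 72.168.192.in-addr.arpa
rm -f "$zone"
```

Run it against /var/named/example.com.arpa.zone with the origin 72.168.192.in-addr.arpa before named-checkzone; a PTR finding in a reverse zone is always a bug, whereas `web IN CNAME www` in the forward zone is reported but intended.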
7) Check the configuration syntax (optional; the named unit runs named-checkconf -z itself before starting, as the status output below shows)
```
# 1. check the main configuration file (no output means no errors)
[root@server named]# named-checkconf
[root@server named]#

# 2. check a zone data file (repeat for the reverse zone with its origin, 72.168.192.in-addr.arpa)
[root@server named]# named-checkzone example.com. /var/named/example.com.zone
zone example.com/IN: loaded serial 2025110501
OK
```
8) Start the DNS service
```
[root@server named]# systemctl start named
[root@server named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 15:57:47 CST; 5s ago
    Process: 1778 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 1782 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 1783 (named)
      Tasks: 8 (limit: 12067)
     Memory: 20.6M
        CPU: 72ms
     CGroup: /system.slice/named.service
             └─1783 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 05 15:57:48 server named[1783]: resolver priming query complete
Nov 05 15:57:49 server named[1783]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now t>
Nov 05 15:57:49 server named[1783]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now t>
```
The "network unreachable" lines are named trying the IPv6 addresses of the root servers from a host with no IPv6 connectivity; they are harmless here. Note that the unit is still disabled, so it will not start at boot unless it is enabled.
9) Open the firewall for the service
```
[root@server named]# firewall-cmd --permanent --add-service=dns
success
[root@server named]# firewall-cmd --reload
success
```
1.2 Configure the client
1) Set the hostname and IP address
```
[root@localhost ~]# hostnamectl hostname client

[root@client ~]# nmcli c m ens160 ipv4.addresses 192.168.72.7/24 ipv4.dns 192.168.72.18
[root@client ~]# nmcli c up ens160
```
2) Install the verification tools
```
[root@client ~]# dnf install bind-utils -y
```
3) Verify DNS resolution
```
# 1. verify the NS record
[root@client ~]# dig -t ns example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t ns example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ad3da14d3544cd0401000000690b049569812617735987d9 (good)
;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       192.168.72.18

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 16:02:29 CST 2025
;; MSG SIZE  rcvd: 101


# 2. verify the A record
[root@client ~]# host -t A www.example.com 192.168.72.18
Using domain server:
Name: 192.168.72.18
Address: 192.168.72.18#53
Aliases:

www.example.com has address 192.168.72.8
# or
[root@client ~]# dig -t a www.example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t a www.example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 35f6c7807e26999601000000690b0522acd6fb06cb2839f8 (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 16:04:50 CST 2025
;; MSG SIZE  rcvd: 88


# 3. verify with nslookup
[root@client ~]# nslookup www.example.com
Server:         192.168.72.18
Address:        192.168.72.18#53

Name:   www.example.com
Address: 192.168.72.8

# interactive mode
[root@client ~]# nslookup
> server 192.168.72.18
Default server: 192.168.72.18
Address: 192.168.72.18#53
> set q=A
> www.example.com
Server:         192.168.72.18
Address:        192.168.72.18#53

Name:   www.example.com
Address: 192.168.72.8
>
```
The `aa` flag in both dig headers shows the answers are authoritative: they come from the server's own zone data, not from a cache. The `ra` flag shows the server also offers recursion, which is what the allow-query { any; } caveat in the main configuration refers to.
2. Forwarding server
2.1 DNS service configuration
Use the DNS server configured in section 1 as it is.
2.2 Configure the forwarding server
1. Clone a new machine, then set its hostname and IP address
```
[root@localhost ~]# hostnamectl set-hostname forward
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.28/24 ipv4.gateway 192.168.72.2 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
```
2. Install bind
```
[root@forward ~]# dnf install -y bind
```
3. Edit the main configuration file
```
[root@forward ~]# vim /etc/named.conf
[root@forward ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.28; };
    directory "/var/named";
    forward only;                       // never recurse on its own; every query goes to the forwarders
    forwarders { 192.168.72.18; };      // the DNS server from section 1
    recursion yes;

    dnssec-validation no;
};
```
With `forward only` the server never contacts the root servers itself, so if 192.168.72.18 is unreachable the query fails rather than being resolved another way (`forward first` would fall back to normal recursion). `dnssec-validation no` is required in this lab: the local example.com zone is unsigned and is not the zone delegated from the real root, so a validating resolver would reject its answers. No allow-query or allow-recursion is set, which means BIND falls back to its defaults (recursion for localnets and localhost); set allow-recursion explicitly to the networks that should use this resolver before deploying it anywhere but a lab.
4. Open the firewall for the service
```
[root@forward ~]# firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
success
[root@forward ~]# firewall-cmd --reload
success
```
(Opening 53/tcp and 53/udp by port is equivalent to the `--add-service=dns` used on the server.)
5. Start the service
```
[root@forward ~]# systemctl start named
```
2.3 Configure the client
1) Point the client's DNS at the forwarding server
```
[root@client ~]# nmcli d show ens160
GENERAL.DEVICE:                         ens160
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:16:A2:65
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens160
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/3
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.72.7/24
IP4.GATEWAY:                            192.168.72.2
IP4.ROUTE[1]:                           dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]:                             192.168.72.18
IP6.ADDRESS[1]:                         fe80::20c:29ff:fe16:a265/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024

# change the client's DNS server to the forwarding server's IP address
[root@client ~]# nmcli c m ens160 ipv4.dns 192.168.72.28
[root@client ~]# nmcli c up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

# check the result
[root@client ~]# nmcli d show ens160
GENERAL.DEVICE:                         ens160
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:16:A2:65
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens160
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/4
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.72.7/24
IP4.GATEWAY:                            192.168.72.2
IP4.ROUTE[1]:                           dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]:                             192.168.72.28
IP6.ADDRESS[1]:                         fe80::20c:29ff:fe16:a265/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
```
2) Verify resolution
```
[root@client ~]# dig -t A www.example.com @192.168.72.28

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63583
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b08f8d6c649b078a01000000690b1039ea5171b567ef8342 (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; Query time: 13 msec
;; SERVER: 192.168.72.28#53(192.168.72.28)
;; WHEN: Wed Nov 05 16:52:10 CST 2025
;; MSG SIZE  rcvd: 88
```
Compared with the query sent to 192.168.72.18 earlier, the flags no longer include `aa`: the forwarder returned a non-authoritative answer it obtained from 192.168.72.18, and it now keeps that record in its cache for the record's TTL (86400 seconds).
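When these checks are scripted (a health check after a change, a CI step, a monitoring probe) the three things worth extracting from a dig response are the rcode, whether the answer carried the `aa` flag, and the rdata. The following is an added example, not part of the original article: an awk reducer for dig output and a check that succeeds only for a NOERROR answer containing the expected address. It runs offline on captured text; the three responses embedded below are constructed to match the ones shown on this page (authoritative from 192.168.72.18, forwarded from 192.168.72.28, and the timeout from the last section).

```shell
#!/bin/sh
# Added example (not from the original article): reduce a dig response to the
# three fields worth checking in a script. Runs offline on captured output; the
# samples below are constructed to match the responses shown on this page.

# dig_summary < dig-output  ->  "status=<rcode> aa=<0|1> answer=<rdata,...>"
dig_summary() {
    awk '
        /^;; ->>HEADER<<-/     { status = $6; sub(/,$/, "", status) }   # "status: NOERROR,"
        /^;; flags:/           { aa = ($0 ~ /flags:.* aa[ ;]/) ? 1 : 0 }
        /connection timed out/ { status = "TIMEOUT" }
        /^;; ANSWER SECTION:/  { inans = 1; next }
        inans && NF == 0       { inans = 0 }
        inans && NF > 0        { ans = (ans == "") ? $NF : ans "," $NF }
        END { printf "status=%s aa=%d answer=%s\n", status, aa, ans }
    '
}

# expect_answer EXPECTED_IP < dig-output
# succeeds only for a NOERROR response whose answer section contains EXPECTED_IP
# (exact match on one rdata item, so 192.168.72.8 does not accept 192.168.72.80)
expect_answer() {
    s=$(dig_summary)
    ans=${s##*answer=}
    case "$s" in
        "status=NOERROR "*) case ",$ans," in *",$1,"*) return 0 ;; esac ;;
    esac
    printf 'unexpected response: %s\n' "$s" >&2
    return 1
}

# --- constructed samples, trimmed to the lines that matter --------------------
sample_authoritative() { cat <<'EOF'
; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; SERVER: 192.168.72.18#53(192.168.72.18)
EOF
}
sample_forwarded() { cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63583
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; SERVER: 192.168.72.28#53(192.168.72.28)
EOF
}
sample_timeout() { cat <<'EOF'
; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; global options: +cmd
;; connection timed out; no servers could be reached
EOF
}

echo "authoritative: $(sample_authoritative | dig_summary)"
echo "forwarded    : $(sample_forwarded | dig_summary)"
echo "timeout      : $(sample_timeout | dig_summary)"
sample_forwarded | expect_answer 192.168.72.8 && echo "forwarder check passed"
```

In use, replace the sample functions with a real query, for example `dig -t A www.example.com @192.168.72.28 | expect_answer 192.168.72.8`; a check against the authoritative servers can additionally require `aa=1` in the summary to detect a forwarder or cache answering in their place.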
3. Integrating a web service
3.1 Add a web server
1) Clone a new server, then set its hostname and IP address
```
[root@localhost ~]# hostnamectl hostname web
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.8/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.28 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
```
2) Install nginx
```
[root@web ~]# dnf install -y nginx
```
3) Open the firewall for the service
```
[root@web ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web ~]# firewall-cmd --reload
success
```
4) Change the welcome page
```
[root@web ~]# echo "welcome to nginx $(hostname -I)" > /usr/share/nginx/html/index.html
```
5) Start the service
```
[root@web ~]# systemctl start nginx
[root@web ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:03:57 CST; 6s ago
    Process: 1878 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
    Process: 1879 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 1880 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 1881 (nginx)
      Tasks: 3 (limit: 12067)
     Memory: 3.0M
        CPU: 31ms
     CGroup: /system.slice/nginx.service
             ├─1881 "nginx: master process /usr/sbin/nginx"
             ├─1882 "nginx: worker process"
             └─1883 "nginx: worker process"

Nov 05 17:03:57 web systemd[1]: Starting The nginx HTTP and reverse proxy server...
Nov 05 17:03:57 web nginx[1879]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Nov 05 17:03:57 web nginx[1879]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Nov 05 17:03:57 web systemd[1]: Started The nginx HTTP and reverse proxy server.
```
6) Verify access
```
[root@web ~]# curl localhost
welcome to nginx 192.168.72.8


[root@web ~]# curl 192.168.72.8
welcome to nginx 192.168.72.8


[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8


[root@client ~]# curl www.example.com
welcome to nginx 192.168.72.8
```
Both the web host and the client resolve www.example.com through the forwarder (192.168.72.28), which in turn asks the authoritative server (192.168.72.18).
4. Master/slave service
4.1 Modify the master server
1) Edit the zone configuration file
```
[root@server named]# vim /etc/named.rfc1912.zones
[root@server named]# cat /etc/named.rfc1912.zones
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };                 // dynamic updates stay disabled
    allow-transfer { 192.168.72.38; };      // only the slave may request a zone transfer (AXFR/IXFR)
};

zone "72.168.192.in-addr.arpa" IN {
    type master;
    file "example.com.arpa.zone";
    allow-update { none; };
    allow-transfer { 192.168.72.38; };
};
```
The directive that controls which hosts may copy the zone is allow-transfer, not allow-update. allow-update governs RFC 2136 dynamic updates (what nsupdate sends); pointing it at the slave's address, or at any, lets those hosts rewrite records on the master and does nothing to restrict transfers. BIND 9.16, the version used here, allows transfers from any host when allow-transfer is not set at all, which is why the slave below would synchronise even without this line, and also why the restriction is worth adding: without it anyone who can reach port 53 can download the whole zone with an AXFR.
2) Edit the forward zone data file
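The three ACLs that matter for a BIND server of this kind are allow-recursion (open resolver), allow-update (who may rewrite a zone) and allow-transfer (who may copy it), and the mistakes are easy to make: the forwarder in section 2.2 sets recursion yes without allow-recursion, and the original form of the step above put the slave's address into allow-update. The following is an added example, not part of the original article: a sh + awk audit that reads a named.conf and prints one finding per dangerous setting. Both configurations it runs over are constructed; the first mirrors this page's master with allow-update { 192.168.72.38; } and allow-update { any; } in its two zones, the second is a hardened version. The network ranges and the TSIG hint are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): a small ACL audit for
# named.conf, in sh + awk so it runs without bind. Both configurations below
# are constructed; addresses and key names are placeholders.

# audit_named_conf [FILE]   (reads stdin when no file is given)
# prints one finding per line; no output means nothing was flagged
audit_named_conf() {
    awk '
        { sub(/\/\/.*$/, "") }                                     # strip // comments
        /^[[:space:]]*options[[:space:]]*\{/ { ctx = "options"; next }
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]*"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
            zones[++nz] = zone; ctx = "zone"; next
        }
        /^[[:space:]]*\};/ { ctx = ""; next }
        ctx == "options" {
            if ($0 ~ /recursion[[:space:]]+yes/)                 rec = 1
            if ($0 ~ /allow-(recursion|query-cache)/)            allowrec = 1
            if ($0 ~ /allow-query[[:space:]]*\{[[:space:]]*any/) qany = 1
        }
        ctx == "zone" {
            if ($0 ~ /type[[:space:]]+(master|primary)/) primary[zone] = 1
            if ($0 ~ /allow-update[[:space:]]*\{/)       upd[zone] = $0
            if ($0 ~ /allow-transfer[[:space:]]*\{/)     xfr[zone] = $0
        }
        END {
            # BIND derives allow-recursion from allow-query-cache, then from
            # allow-query, and only then falls back to localnets/localhost.
            if (rec && !allowrec && qany)
                print "options: recursion yes + allow-query { any; } with no allow-recursion -> open resolver; add allow-recursion { <trusted nets>; }"
            else if (rec && !allowrec)
                print "options: recursion yes with no allow-recursion -> inherits allow-query (localnets/localhost when unset); set it explicitly"
            for (i = 1; i <= nz; i++) {
                z = zones[i]
                if (!(z in primary)) continue
                if (upd[z] ~ /any/)
                    print "zone " z ": allow-update { any; } -> any host can rewrite records with nsupdate; use { none; } or a TSIG key"
                else if (upd[z] != "" && upd[z] !~ /none/ && upd[z] !~ /key[[:space:]]/)
                    print "zone " z ": allow-update by IP address -> dynamic updates are unauthenticated UDP, the source IP is spoofable; use a TSIG key"
                if (!(z in xfr))
                    print "zone " z ": no allow-transfer -> BIND 9.16 defaults to any, any host can AXFR the zone; list the secondaries"
                else if (xfr[z] ~ /any/)
                    print "zone " z ": allow-transfer { any; } -> whole zone is downloadable; list the secondaries"
            }
        }' "${1:--}"
}

# --- constructed: the master as this page first configured it in 4.1 ----------
sample_weak() { cat <<'EOF'
options {
    listen-on port 53 { 192.168.72.18; };
    directory "/var/named";
    allow-query { any; };            // anyone may ask
    recursion yes;
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { 192.168.72.38; };   // wrong knob: this is nsupdate, not AXFR
};
zone "72.168.192.in-addr.arpa" IN {
    type master;
    file "example.com.arpa.zone";
    allow-update { any; };
};
EOF
}
# --- constructed: the same server with the ACLs tightened --------------------
sample_hardened() { cat <<'EOF'
options {
    listen-on port 53 { 192.168.72.18; };
    directory "/var/named";
    allow-query { any; };                    // authoritative data is public
    allow-recursion { 192.168.72.0/24; };    // but recursion only for the LAN
    recursion yes;
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { none; };
    allow-transfer { 192.168.72.38; };       // only the secondary may AXFR
};
zone "72.168.192.in-addr.arpa" IN {
    type master;
    file "example.com.arpa.zone";
    allow-update { none; };
    allow-transfer { 192.168.72.38; };
};
EOF
}
echo "== weak ==";     sample_weak | audit_named_conf
echo "== hardened =="; sample_hardened | audit_named_conf
```

Run it as `audit_named_conf /etc/named.conf` (and again on /etc/named.rfc1912.zones, since the zones live in the included file on this page). The parser only understands the one-directive-per-line layout used here; it is a review aid, not a replacement for reading the configuration.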
```
[root@server named]# vim /var/named/example.com.zone
[root@server named]# cat /var/named/example.com.zone
$TTL 1D
@       IN SOA  ns1.example.com. admin.example.com. (
                                        2025110501      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        NS      ns1
        NS      ns2
        MX 1    mail.example.com.
ns1     IN A    192.168.72.18
ns2     IN A    192.168.72.38
mail    IN A    192.168.72.19
www     IN A    192.168.72.8
ftp     IN A    192.168.72.20
web     IN CNAME www
```
The first SOA parameter (MNAME) names the primary master, ns1.example.com., not the bare domain. Note that the serial is still 2025110501 although the zone has changed: that works here only because the slave configured below has never transferred this zone and always performs the first transfer. On every later edit the serial must be increased; the slave compares serials on NOTIFY and at each refresh interval and keeps its copy when the master's serial is not higher.
3) Edit the reverse zone data file
```
[root@server named]# vim /var/named/example.com.arpa.zone
[root@server named]# cat /var/named/example.com.arpa.zone
$TTL 1D
@       IN SOA  ns1.example.com. admin.example.com. (
                                        2025110501      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        NS      ns1.example.com.
        NS      ns2.example.com.
8       IN PTR  www.example.com.
20      IN PTR  ftp.example.com.
```
As in section 1, NS and PTR targets in the reverse zone are fully qualified; with the name servers written as ns1.example.com. and ns2.example.com. no A records are needed inside the in-addr.arpa zone. The same remark about the unchanged serial applies to this file.
4) Restart the service
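Because the slave only pulls a new copy when the master's serial has gone up, forgetting to bump the serial after an edit (as happened with the zone files above) is the classic way to end up with two authoritative servers giving different answers. The following is an added example, not part of the original article: helpers that read the serial from a zone file, compute the next serial in the YYYYMMDDnn convention these files use, and apply the RFC 1982 comparison a secondary uses to decide whether a serial is newer. The date is passed as an argument so the results are reproducible; the zone snippet is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): SOA serial hygiene for the
# YYYYMMDDnn convention used in the zone files above. The date is an argument
# so results are reproducible; the zone snippet is constructed.

# soa_serial ZONEFILE -> the serial number from the SOA record
soa_serial() {
    awk '
        /^[[:space:]]*;/ { next }
        { sub(/;.*$/, "") }
        /SOA/ { insoa = 1 }
        insoa {
            start = 1
            for (i = 1; i <= NF; i++) if ($i == "SOA") start = i + 1     # skip a leading TTL
            for (i = start; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }
        }' "$1"
}

# next_serial OLD TODAY(YYYYMMDD) -> the serial to write for this edit
#   same day as OLD      : increment the two-digit edit counter
#   later day            : TODAY01
#   OLD ahead of the clock (typo, skew): OLD + 1, a serial must never go backwards
next_serial() {
    old=$1; today=$2
    old_day=$(printf '%s' "$old" | cut -c1-8)
    if [ "$old_day" = "$today" ]; then
        nn=$(printf '%s' "$old" | cut -c9-10)
        nn=$(( ${nn#0} + 1 ))                     # strip a leading zero before arithmetic
        if [ "$nn" -gt 99 ]; then
            echo "next_serial: more than 99 edits on $today, using $((old + 1))" >&2
            printf '%s\n' $((old + 1))
        else
            printf '%s%02d\n' "$today" "$nn"
        fi
    elif [ "$old_day" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        printf '%s\n' $((old + 1))
    fi
}

# serial_advances OLD NEW : true if a secondary holding OLD will transfer NEW
# (RFC 1982 serial arithmetic: NEW is newer when 0 < (NEW - OLD) mod 2^32 < 2^31)
serial_advances() {
    d=$(( ($2 - $1) % 4294967296 ))
    [ "$d" -lt 0 ] && d=$(( d + 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# --- demonstration on a constructed zone file ----------------------------------
zone=$(mktemp)
cat >"$zone" <<'EOF'
$TTL 1D
@   IN SOA ns1.example.com. admin.example.com. (
        2025110501 ; serial
        1D 1H 1W 3H )
    NS  ns1.example.com.
EOF
cur=$(soa_serial "$zone")
new=$(next_serial "$cur" 20251105)
echo "current serial     : $cur"
echo "next, same day     : $new"
echo "next, a later day  : $(next_serial "$cur" 20251107)"
if serial_advances "$cur" "$new"; then echo "secondaries will transfer $new"; fi
if ! serial_advances "$cur" "$cur"; then echo "unchanged serial $cur: secondaries keep their old copy"; fi
rm -f "$zone"
```

A pre-commit or deploy hook can combine these: read the serial of the file about to be installed and of the copy currently served, and refuse the change unless serial_advances holds. The RFC 1982 check also explains a failure mode of switching serial schemes: moving from a Unix-epoch serial (about 1.7 billion) to a date serial (about 2.0 billion) is a jump of more than 2^31 and is therefore seen as going backwards.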
```
[root@server named]# systemctl stop named
[root@server named]# systemctl start named
[root@server named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:37:24 CST; 4s ago
    Process: 2169 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 2172 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2173 (named)
      Tasks: 8 (limit: 12067)
     Memory: 20.6M
        CPU: 66ms
     CGroup: /system.slice/named.service
             └─2173 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 05 17:37:24 server systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 05 17:37:25 server named[2173]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 05 17:37:25 server named[2173]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
Nov 05 17:37:25 server named[2173]: resolver priming query complete
```
4.2 Configure the slave server
1) Clone a slave server, then set its hostname and IP address
```
[root@localhost ~]# hostnamectl hostname slave

[root@localhost ~]# nmcli connection modify ens160 ipv4.method manual ipv4.addresses 192.168.72.38/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
```
2) Install the software
```
[root@slave ~]# dnf install bind -y
```
3) Edit the main configuration file
```
[root@slave ~]# vim /etc/named.conf
[root@slave ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.38; };   // listen on this host's IP address
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
    allow-query     { any; };   // any host may query (same open-resolver caveat as on the master)

    recursion yes;

    dnssec-validation no;       // disabled for this isolated lab

    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
4) Edit the zone configuration file
```
[root@slave ~]# vim /etc/named.rfc1912.zones
[root@slave ~]# cat /etc/named.rfc1912.zones
zone "example.com" IN {
    type slave;                         // this server is a slave (secondary) for the zone
    masters { 192.168.72.18; };         // list of master servers to transfer the zone from
    file "slaves/example.com.zone";     // where the transferred zone data is stored
};

zone "72.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.72.18; };
    file "slaves/example.com.arpa.zone";
};
```
`masters` and `type slave` are the BIND 9.16 keywords; newer releases call them `primaries` and `type secondary` and still accept the old names. The slave holds a complete copy of the zone, so the allow-transfer restriction discussed for the master applies to it as well: in 9.16 a zone without allow-transfer can be copied by any host.
5) Open the firewall for the service
```
[root@slave ~]# firewall-cmd --permanent --add-service=dns
success
[root@slave ~]# firewall-cmd --reload
success
```
6) Start the service
```
[root@slave ~]# systemctl start named
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xeu named.service" for details.
```
The service fails to start. Look at the error:
```
[root@slave ~]# journalctl -xeu named.service
░░
░░ A start job for unit named.service has begun execution.
░░
░░ The job identifier is 1915.
Nov 05 17:25:04 slave bash[2086]: /etc/named.rfc1912.zones:5: option 'allow-update' is not allowed in 'slave' zone 'example.com'
Nov 05 17:25:04 slave bash[2086]: /etc/named.rfc1912.zones:12: option 'allow-update' is not allowed in 'slave' zone '72.168.192.in-addr.arpa'
Nov 05 17:25:04 slave systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ An ExecStartPre= process belonging to unit named.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 05 17:25:04 slave systemd[1]: named.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit named.service has entered the 'failed' state with result 'exit-code'.
Nov 05 17:25:04 slave systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
░░ Subject: A start job for unit named.service has failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit named.service has finished with a failure.
░░
░░ The job identifier is 1915 and the job result is failed.
```
The zone file was copied from the master, so both slave zones still carried `allow-update { none; };`, which is only valid in a master zone (a slave cannot accept updates; it only receives transfers). Remove those lines from the slave's zone definitions; the configuration shown in step 4 is the corrected one. This is the pre-start named-checkconf -z run by the unit catching the mistake before named itself starts.
7) Start the slave service again
```
[root@slave ~]# systemctl start named
[root@slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:45:35 CST; 1min 20s ago
    Process: 2191 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 2194 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2195 (named)
      Tasks: 10 (limit: 12067)
     Memory: 29.0M
        CPU: 74ms
     CGroup: /system.slice/named.service
             └─2195 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 17:45:35 slave named[2195]: zone 72.168.192.in-addr.arpa/IN: sending notifies (serial 2025110501)
Nov 05 17:45:35 slave named[2195]: resolver priming query complete
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: Transfer started.
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: connected using 192.168.72.38#42815
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: transferred serial 2025110501
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: Transfer status: success
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: Transfer completed: 1 messages, 11 records, 270 bytes>
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: sending notifies (serial 2025110501)
Nov 05 17:45:35 slave named[2195]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now tr>
Nov 05 17:45:35 slave named[2195]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now tr>
```
The journal shows the transfer of example.com from 192.168.72.18 completing with serial 2025110501 (11 records: the zone's ten records plus the SOA repeated at the end of the AXFR).
8) Check that the slave's zone data files have been synchronised
```
[root@slave ~]# cd /var/named/slaves/
[root@slave slaves]# ls
example.com.arpa.zone  example.com.zone
```
Both zone files are present, so the transfer succeeded. If they look like binary data rather than text, that is BIND's raw master-file format for transferred zones; named-compilezone can convert them to text, and the transferred serial is in any case visible in the journal above.
9) Verify name resolution
```
[root@slave ~]# dig -t A www.example.com @192.168.72.38

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cc217a4fc217ee6f01000000690b1d81bf5afbd038daefbf (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.38#53(192.168.72.38)
;; WHEN: Wed Nov 05 17:48:49 CST 2025
;; MSG SIZE  rcvd: 88


[root@slave ~]# dig -t A www.example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9ed63089a1921cee01000000690b1d98289ae5b3978b1364 (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 17:49:12 CST 2025
;; MSG SIZE  rcvd: 88
```
Both servers answer with the `aa` flag set: the slave is authoritative for the zone in its own right once the transfer has completed.
4.3 Modify the web server
Change the web server's DNS settings as follows:
```
[root@web ~]# nmcli d show ens160
GENERAL.DEVICE:                         ens160
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:AB:A3:7A
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens160
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/3
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.72.8/24
IP4.GATEWAY:                            192.168.72.2
IP4.ROUTE[1]:                           dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]:                             192.168.72.28
IP6.ADDRESS[1]:                         fe80::20c:29ff:feab:a37a/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
[root@web ~]# nmcli c m ens160 ipv4.dns "192.168.72.28 192.168.72.38"
[root@web ~]# nmcli c up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@web ~]# nmcli d show ens160
GENERAL.DEVICE:                         ens160
GENERAL.TYPE:                           ethernet
GENERAL.HWADDR:                         00:0C:29:AB:A3:7A
GENERAL.MTU:                            1500
GENERAL.STATE:                          100 (connected)
GENERAL.CONNECTION:                     ens160
GENERAL.CON-PATH:                       /org/freedesktop/NetworkManager/ActiveConnection/4
WIRED-PROPERTIES.CARRIER:               on
IP4.ADDRESS[1]:                         192.168.72.8/24
IP4.GATEWAY:                            192.168.72.2
IP4.ROUTE[1]:                           dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]:                           dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]:                             192.168.72.28
IP4.DNS[2]:                             192.168.72.38
IP6.ADDRESS[1]:                         fe80::20c:29ff:feab:a37a/64
IP6.GATEWAY:                            --
IP6.ROUTE[1]:                           dst = fe80::/64, nh = ::, mt = 1024
```
The web host now has two resolvers: the forwarder first, the slave second.
4.4 Verify the configuration
1) Master and slave both running
```
[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
```
2) Stop the master, then test again
```
[root@server named]# systemctl stop named

[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
```
Resolution still works for two reasons: the forwarder (192.168.72.28, the web host's first resolver) already holds www.example.com in its cache from the earlier lookups, and the web host now lists the slave (192.168.72.38) as a second resolver, which it tries when the first returns an error or does not answer.
3) Stop the slave, start the master, then test again
```
[root@server named]# systemctl start named

[root@slave ~]# systemctl stop named

[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
```
4) Stop both master and slave, then test again
```
[root@slave ~]# dig -t A www.example.com @192.168.72.38
^C

[root@slave ~]# dig -t A www.example.com @192.168.72.18
^X
; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; global options: +cmd
;; connection timed out; no servers could be reached
```
Queries sent directly to the two authoritative servers now time out. A curl from the web host would still succeed for as long as the forwarder's cached copy of www.example.com is within its TTL (1D), because a `forward only` server keeps serving its cache even when its forwarders are unreachable, and would fail once that entry expires.
"DNS Forward and Reverse Resolution, Forwarding Server, and Master/Slave Service" is a reposted article.
