rh358 004 bind反向，转发，主从，各种资源记录 unbound ansible部署bind unbound

通过bind实现正向，反向，转发，主从，各种资源记录

7> 部署反向解析 从ip解析到fqdn

vim   /etc/named.conf
zone "250.25.172.in-addr.arpa" IN {
    type master;
    file "172.25.250.zone"; 指定方向解析的区域配置文件路径
};
[root@serverb ~]# cp /var/named/named.empty /var/named/172.25.250.zone
[root@serverb ~]# chown root:named /var/named/172.25.250.zone
[root@serverb ~]# chmod 640 /var/named/172.25.250.zone
[root@serverb ~]# vim /var/named/172.25.250.zone
$TTL 3H
@       IN SOA  serverb.example.com.  root.serverb.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@    IN         NS   serverb.example.com.
10   IN         PTR  servera.example.com.
11   IN         PTR  serverb.example.com.
12   IN         PTR  serverc.example.com.
13   IN         PTR  serverd.example.com.
~
[root@serverb ~]# systemctl restart  named

8> 测试
[root@servera ~]# host serverb.example.com
serverb.example.com has address 172.25.250.11
[root@servera ~]# host 172.25.250.10
10.250.25.172.in-addr.arpa domain name pointer servera.example.com.
[root@servera ~]# host 172.25.250.11
11.250.25.172.in-addr.arpa domain name pointer serverb.example.com.
[root@servera ~]# host 172.25.250.12
12.250.25.172.in-addr.arpa domain name pointer serverc.example.com.
[root@servera ~]# host 172.25.250.13
13.250.25.172.in-addr.arpa domain name pointer serverd.example.com.
[root@servera ~]# 

[root@servera ~]# nslookup
> set type=ptr
> 172.25.250.10
Server:		172.25.250.11
Address:	172.25.250.11#53

10.250.25.172.in-addr.arpa	name = servera.example.com.
> set type=NS
> example.com
Server:		172.25.250.11
Address:	172.25.250.11#53

example.com	nameserver = serverb.example.com.
> set type=A  
> servera.example.com
Server:		172.25.250.11
Address:	172.25.250.11#53

Name:	servera.example.com
Address: 172.25.250.10
> 

也可以通过dig查找
-x反向解析
@跟着DNS服务器
A/NS/SOA/-x

9> 主从同步：
修改配置文件在主DNS上配置

[root@serverc ~]# vim /etc/named.conf
zone "example.com" IN {
      type  master ;
      file "example.com";
      allow-transfer {  172.25.250.12; };
};

zone "250.25.172.in-addr.arpa" IN {
    type master;
    file "172.25.250.zone";
    allow-transfer {  172.25.250.12; };
};
[root@serverb ~]# systemctl restart  named

在从DNS上
[root@serverc ~]# yum install -y bind


        listen-on port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
		recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        
zone "example.com" IN {
      type  slave ;  类型是从DNS服务器
      file "slaves/example.com";
      masters { 172.25.250.11; };
};

zone "250.25.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.25.250.zone";
    masters { 172.25.250.11; };
};
[root@serverc ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverc ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverc ~]# firewall-cmd --reload
success
[root@serverc ~]# systemctl enable --now  named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@serverc ~]#
确认：
[root@serverc ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 490 Sep  3 22:29 172.25.250.zone
-rw-r--r--. 1 named named 432 Sep  3 22:29 example.com
[root@serverc ~]#

针对主从服务器做的修改
1> 添加从的DNS服务器
2> 每一次添加必须要把序列号+1，只有当序列号增加才会同步
$TTL 3H
@       IN SOA  serverb.example.com.  root.serverb.example.com. (
                                        1       ; serial 
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@    IN         NS   serverb.example.com.
@    IN         NS   serverc.example.com. 从的DNS
10   IN         PTR  servera.example.com.
11   IN         PTR  serverb.example.com.
12   IN         PTR  serverc.example.com.
13   IN         PTR  serverd.example.com.

[root@servera ~]# dig @serverb.example.com -x 172.25.250.11

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> @serverb.example.com -x 172.25.250.11
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18840
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2cf3b75f384904d1905d5fd16314985b59d1176e48d0a6b3 (good)
;; QUESTION SECTION:
;11.250.25.172.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
11.250.25.172.in-addr.arpa. 10800 IN	PTR	serverb.example.com.

;; AUTHORITY SECTION:
250.25.172.in-addr.arpa. 10800	IN	NS	serverc.example.com.
250.25.172.in-addr.arpa. 10800	IN	NS	serverb.example.com.

;; ADDITIONAL SECTION:
serverb.example.com.	10800	IN	A	172.25.250.11
serverc.example.com.	10800	IN	A	172.25.250.12

;; Query time: 2 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Sun Sep 04 20:21:47 CST 2022
;; MSG SIZE  rcvd: 184

[root@servera ~]# 
同步后，可以使用dig，发现有两个dns权威地址了。那么就是配置文件更改后，同步成功

10> 对于一个转发的DNS服务器来说，在正常情况下，如果我们没有配置转发，当这个DNS需要解析其他域的FQDN的时候。首先是去根域服务器。可以通过forwders来改变装法对象
[root@serverd ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@serverd ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@serverd ~]# firewall-cmd --reload
success

[root@serverd ~]# vim /etc/named.conf
   listen-on port 53 { any; };
   allow-query     { any; };
   forwarders  { 172.25.250.12 ;};
   dnssec-enable no;
   dnssec-validation no;
   
   这两个可以删掉，也是zone地址。用不上
   include "/etc/named.rfc1912.zones";
   include "/etc/named.root.key";
systemctl restart  named

[root@serverd ~]# nslookup
> set type=A
> servera.example.com   
Server:		172.25.250.13
Address:	172.25.250.13#53

Non-authoritative answer:    这里做了转发所以不一样。非授权机构
Name:	servera.example.com
Address: 172.25.250.10
> 

邮件服务器  
邮件服务器要做转发，所以得找到邮件服务器
正
@    IN         MX   10  classroom.example.com.
254  IN         PTR   classroom.example.com.
反
@    IN         MX   10  classroom.example.com.
254  IN         PTR   classroom.example.com.

[root@serverb named]# nslookup 
> set type=MX
> example.com
Server:		172.25.250.13
Address:	172.25.250.13#53

Non-authoritative answer:
example.com	mail exchanger = 10 classroom.example.com.

Authoritative answers can be found from:
example.com	nameserver = serverb.example.com.
example.com	nameserver = serverc.example.com.
classroom.example.com	internet address = 172.25.250.254
serverb.example.com	internet address = 172.25.250.11
serverc.example.com	internet address = 172.25.250.12




12> 仅缓存的DNS服务器：unbond
删除原来的unbound
[root@workstation ~]# lab dns-unbound start

[root@servera ~]# yum install -y unbound

[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]#

[root@servera ~]# egrep "172.25|domain-insecure:" /etc/unbound/unbound.conf -B 2| egrep -v "#|--"
         interface: 172.25.250.10
         access-control: 172.25.250.0/24 allow
         domain-insecure: "example.com"    # 不开启安全域
         interface-automatic: no    # 如果开启那么监听所有端口，唯独不监听172.25.250.10
forward-zone:
  name: .
  forward-addr: 172.25.250.254
[root@servera ~]#

[root@servera ~]# unbound-control-setup


[root@servera ~]# ping servera.lab.example.com
PING servera.lab.example.com (172.25.250.10) 56(84) bytes of data.
64 bytes from servera.lab.example.com (172.25.250.10): icmp_seq=1 ttl=64 time=0.073 ms
^C
--- servera.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.073/0.073/0.073/0.000 ms
[root@servera ~]# ping workstation
PING workstation.lab.example.com (172.25.250.9) 56(84) bytes of data.
64 bytes from workstation.lab.example.com (172.25.250.9): icmp_seq=1 ttl=64 time=1.17 ms
^C
--- workstation.lab.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.165/1.165/1.165/0.000 ms
[root@servera ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 38 1 0 7 3
lab.example.com.	38	IN	SOA	bastion.lab.example.com. root.bastion.lab.example.com. 2020040800 3600 300 604800 60
;rrset 38 1 0 7 3
example.com.	38	IN	SOA	classroom.example.com. root.classroom.example.com. 2015071700 3600 300 604800 60
END_RRSET_CACHE
START_MSG_CACHE
msg servera.example.com.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com. IN A 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN A 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
msg servera.example.com.lab.example.com. IN AAAA 33155 1 38 3 0 1 0
lab.example.com. IN SOA 4
msg servera.example.com. IN AAAA 33155 1 38 3 0 1 0
example.com. IN SOA 4
END_MSG_CACHE
EOF
[root@servera ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search lab.example.com example.com
#nameserver 172.25.250.254
nameserver 172.25.250.10
[root@servera ~]# 
有缓存后，可以不依赖转发

清空缓存
[root@servera ~]# unbound-control  flush  *
缓存，和forward上的服务器都没了，就无法再ping通了

导出
unbound-control  dump_cache > aa
unbound-control  load_cache < aa

ansible 部署DNS unbound

[root@workstation ~]# lab dns-automation start 

[student@workstation dns-auto]$ cat unbound.yml
---
- name: configure cache dns on servera
  hosts: caching_dns
  become: true
  tasks:
  - name: install the unbound package
    yum:
      name: unbound
      state: present

  - name: prepare configureation file for unbound
    template:
      src: unbound.conf.j2
      dest: /etc/unbound/unbound.conf
      owner: root
      group: unbound
      mode: '0644'
      setype: named_conf_t
    notify: restart service

  - name: start service
    service:
      name: unbound
      state: started
      enabled: true

  - name: config firewalld for unbond
    firewalld:
      service: dns
      state: enabled
      immediate: yes
      permanent: yes
  handlers:
  - name: restart service
    service:
      name: unbond
      state: restarted


[student@workstation dns-auto]$ cat templates/unbound.conf.j2
server:
 {% for ip in ansible_facts['all_ipv4_addresses'] %}
  interface: {{ ip }}
 {% endfor %}
  interface-automatic: no
  access-control: 172.25.250.0/24 allow
  domain-insecure: example.com
forward-zone:
  name: .
  forward-addr: 172.25.250.254
remote-control:
  control-enable: yes

[student@workstation dns-auto]$

[student@workstation dns-auto]$ ls
ansible.cfg   inventory  playbook.yml  unbound.conf.j2

ansible 部署bind

bind的YML文件
---
- name: config bind
  hosts: primary_dns,secondary_dns
  become: true
  tasks:
  - name: install package
    yum:
      name: bind
      state: present

  - name: config  for primary
    copy:
      src: files/primary_dns.conf
      dest: /etc/named.conf
    notify:  restart service
    when: inventory_hostname == "serverb.lab.example.com"   

  - name: config
    copy:
      src: files/secondary_dns.conf
      dest: /etc/named.conf
    notify:  restart service
    when: inventory_hostname == "serverc.lab.example.com"

  - name: zone file
    copy:
      src: files/example.com
      dest: /var/named/example.com
      owner: root
      group: named
    when: inventory_hostname == "serverb.lab.example.com"

  - name: zone file re
    copy:
      src: files/172.25.250.zone
      dest: /var/named/172.25.250.zone
      owner: root
      group: named
    when: inventory_hostname == "serverb.lab.example.com"

  - name: start service
    service:
      name: named
      state: started
      enabled: true

  - name: firewalld
    firewalld:
      service: dns
      state: enabled
      immediate: yes
      permanent: yes

  handlers:
  - name: restart service
    service:
      name: named
      state: restarted
[student@workstation dns-auto]$

          
主named的配置文件
[student@workstation dns-auto]$ cat files/primary_dns.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.com" IN {
      type master;
      file "example.com";
      allow-transfer { 172.25.250.12;};
};

zone "250.25.172.in-addr.arpa" {
      type master;
      file "172.25.250.zone";
      allow-transfer { 172.25.250.12;};
};


从named的配置文件
[student@workstation files]$ cat secondary_dns.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable no;
	dnssec-validation no;

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.com" IN {
	type slave;
	masters { 172.25.250.11; };
	file "slaves/example.com";
};


zone "250.25.172.in-addr.arpa" IN  {
	type slave;
	masters { 172.25.250.11; };
	file "slaves/172.25.250.zone";
};


主的区域配置文件（正）
[student@workstation dns-auto]$ cat files/example.com
$TTL 3H
@       IN SOA serverb.example.com. root.serverb.example.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@      IN   NS     serverb.example.com.
@      IN   NS     serverc.example.com.
servera   IN  A  172.25.250.10
serverb   IN  A  172.25.250.11
serverc   IN  A  172.25.250.12
serverd   IN  A  172.25.250.13

主的区域配置文件（反）
[student@workstation dns-auto]$ cat files/172.25.250.zone
$TTL 3H
@       IN SOA serverb.example.com. root.serverb.example.com. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@      IN   NS     serverb.example.com.
@      IN   NS     serverc.example.com.
10   IN  PTR  servera.example.com.
11  IN  PTR  servera.example.com.
12   IN  PTR  servera.example.com.
13   IN  PTR  servera.example.com.




[student@workstation dns-auto]$ cat inventory 
[control_node]
workstation.lab.example.com

[caching_dns]
servera.lab.example.com

[primary_dns]
serverb.lab.example.com

[secondary_dns]
serverc.lab.example.com



任何一种服务的自动化配置：
一： 安装包
二： 配置文件  1： jiaj2模板的形式配置：unbound，2： file: bind, 3: notify restart service
三： 要读取数据文件路径： 基本都有
四： 服务
五： 防火墙
六： Handlers : 接收配置的文件改变从而去重新启动服务