以前博客写了几篇配置DNS的文章,今天迁移博客,重新配置了DNS主从,用的软件是NSD
目的 | DNS FQDN | IP 地址
主名称服务器 ns1.kaifashuo.com. 192.0.2.1
辅助名称服务器 ns2.kaifashuo.com. 192.0.2.2
网络服务器 www.kaifashuo.com. 192.0.2.3（注：192.0.2.0/24 是 RFC 5737 保留给文档示例的地址段，实际部署时请换成真实 IP）
1、分别在DNS主从服务器上安装NSD软件
###安装EPEL源
[root@mil nsd]# yum install epel-release.noarch
###安装nsd软件
[root@mil nsd]# yum install nsd
###生成 nsd-control 远程控制所用的 TLS 证书和密钥（nsd_server.* 与 nsd_control.*，默认写入 /etc/nsd）
[root@mil nsd]# nsd-control-setup
2、在主 DNS 上生成 TSIG 密钥，用于对主从服务器之间的 NOTIFY 和区域传输（AXFR/IXFR）做签名认证
[root@mil nsd]# dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
1+0 records in
1+0 records out
32 bytes copied, 0.000127191 s, 252 kB/s
hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c=
hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c= 即为主从 DNS 区域传输所需的 TSIG 密钥（32 字节随机数的 base64，适用于 hmac-sha256）。注意：这只是示例输出，文章里公开的密钥绝不能照抄，必须自己生成；另外确认 dd 确实读到了 32 字节（上面的 "32 bytes copied"），读不满时生成的密钥会变短。密钥写入 nsd.conf 后要把该文件权限收紧（例如 chown root:nsd、chmod 640），避免其他本地用户读到。
3、配置主DNS服务器的nsd.conf文件
# Primary nsd.conf (only the parts relevant to this setup are shown).
server:
server-count: 1
# Listen on every IPv4 address (together with do-ip4 below). Narrow this to
# the public address if the host also has management-only interfaces.
ip-address: 0.0.0.0
reuseport: yes
debug-mode: no
do-ip4: yes
port: 53
# Level 3 is chatty for /var/log/nsd.log; lower it once the setup is verified.
verbosity: 3
# nsd drops root privileges to this user after binding port 53.
username: nsd
zonesdir: "/etc/nsd/zone"
zonelistfile: "/var/lib/nsd/zone.list"
database: ""
logfile: "/var/log/nsd.log"
pidfile: "/var/run/nsd/nsd.pid"
xfrdfile: "/var/lib/nsd/ixfr.state"
# Scratch space for incoming zone transfers. /tmp is world-writable; a
# dedicated directory owned by the nsd user is preferable.
xfrdir: "/tmp"
# Do not answer version.bind / version.server CHAOS queries.
hide-version: yes
#round-robin: yes
tcp-count: 10000
tcp-query-count: 0
statistics: 3600
zonefiles-check: yes
# 0 turns Response Rate Limiting off. On an Internet-facing authoritative
# server that makes it a ready amplification source for spoofed-UDP floods;
# keep RRL enabled (200 qps in builds with RRL support) unless there is a
# measured reason not to.
rrl-ratelimit: 0
rrl-whitelist-ratelimit: 0
include: "/etc/nsd/server.d/*.conf"
include: "/etc/nsd/conf.d/*.conf"
# nsd-control is reachable on loopback only, mutually authenticated with the
# certificates created by nsd-control-setup in step 1.
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: "/etc/nsd/nsd_server.key"
server-cert-file: "/etc/nsd/nsd_server.pem"
control-key-file: "/etc/nsd/nsd_control.key"
control-cert-file: "/etc/nsd/nsd_control.pem"
# TSIG key shared with the secondary; the same name and secret must appear in
# the secondary's nsd.conf. The secret is stored in clear text, so keep
# nsd.conf unreadable by other users (e.g. root:nsd, mode 0640). The value
# below is the article's example -- generate your own, never reuse a
# published one.
key:
name: "demokey"
algorithm: hmac-sha256
secret: "hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c="
# Secret generated in step 2.
pattern:
name: "tosecondary"
# Send NOTIFY to the secondary, signed with the key.
notify: 192.0.2.2 demokey
# Allow AXFR/IXFR only from the secondary and only when TSIG-signed with this
# key; transfer requests from any other source are refused.
provide-xfr: 192.0.2.2 demokey
zone:
name: "kaifashuo.com"
# Relative to zonesdir: /etc/nsd/zone/kaifashuo.com.zone (written in step 5).
zonefile: "kaifashuo.com.zone"
include-pattern: "tosecondary"
4、配置从DNS服务器的nsd.conf文件
# Secondary nsd.conf. The server: and remote-control: sections mirror the
# primary; the differences are in the pattern: section.
server:
server-count: 1
# Listen on every IPv4 address (together with do-ip4 below).
ip-address: 0.0.0.0
reuseport: yes
debug-mode: no
do-ip4: yes
port: 53
# Level 3 is chatty for /var/log/nsd.log; lower it once the setup is verified.
verbosity: 3
# nsd drops root privileges to this user after binding port 53.
username: nsd
zonesdir: "/etc/nsd/zone"
zonelistfile: "/var/lib/nsd/zone.list"
database: ""
logfile: "/var/log/nsd.log"
pidfile: "/var/run/nsd/nsd.pid"
xfrdfile: "/var/lib/nsd/ixfr.state"
# Scratch space for incoming zone transfers. /tmp is world-writable; a
# dedicated directory owned by the nsd user is preferable.
xfrdir: "/tmp"
# Do not answer version.bind / version.server CHAOS queries.
hide-version: yes
#round-robin: yes
tcp-count: 10000
tcp-query-count: 0
statistics: 3600
zonefiles-check: yes
# 0 turns Response Rate Limiting off; on an Internet-facing authoritative
# server keep RRL enabled (200 qps in builds with RRL support) so the host
# cannot be used as an amplification source.
rrl-ratelimit: 0
rrl-whitelist-ratelimit: 0
include: "/etc/nsd/server.d/*.conf"
include: "/etc/nsd/conf.d/*.conf"
# nsd-control is reachable on loopback only, mutually authenticated with the
# certificates created by nsd-control-setup in step 1.
remote-control:
control-enable: yes
control-interface: 127.0.0.1
control-port: 8952
server-key-file: "/etc/nsd/nsd_server.key"
server-cert-file: "/etc/nsd/nsd_server.pem"
control-key-file: "/etc/nsd/nsd_control.key"
control-cert-file: "/etc/nsd/nsd_control.pem"
# Same TSIG key name and secret as on the primary. Keep nsd.conf unreadable
# by other users (e.g. root:nsd, mode 0640) and use your own generated
# secret, not the article's example.
key:
name: "demokey"
algorithm: hmac-sha256
secret: "hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c="
pattern:
name: "fromprimary"
# Accept NOTIFY only from the primary and only when signed with the key.
allow-notify: 192.0.2.1 demokey
# Pull the zone from the primary, TSIG-signed. The AXFR keyword forces a
# full transfer every time; without it nsd tries IXFR first and falls back
# to AXFR.
request-xfr: AXFR 192.0.2.1 demokey
zone:
name: "kaifashuo.com"
# Nothing needs to be written here by hand: the zone arrives via transfer
# and nsd writes it back to this file under zonesdir, so that directory
# should be writable by the nsd user (verify on your build).
zonefile: "kaifashuo.com.zone"
include-pattern: "fromprimary"
5、在主 DNS 服务器上编写域名 zone 文件：/etc/nsd/zone/kaifashuo.com.zone（由 nsd.conf 的 zonesdir 和 zonefile 拼出）。从服务器不需要手写 zone 文件，区域数据会通过区域传输同步过去
; Primary zone file for kaifashuo.com: /etc/nsd/zone/kaifashuo.com.zone
; (zonesdir + zonefile from nsd.conf). 192.0.2.0/24 is the RFC 5737
; documentation range; replace with real addresses when deploying.
$ORIGIN kaifashuo.com.
$TTL 1800
; RNAME admin.kaifashuo.com. means the contact mailbox admin@kaifashuo.com.
; Bump the serial (YYYYMMDDnn) on every edit, otherwise the secondary sees no
; change and never transfers the updated zone; reload with nsd-control afterwards.
@ IN SOA ns1.kaifashuo.com. admin.kaifashuo.com. (
2020062701 ; serial number
3600 ; refresh
900 ; retry
1209600 ; expire
1800 ; negative-caching TTL (SOA minimum)
)
; Name servers (owner name inherited from @ above)
IN NS ns1.kaifashuo.com.
IN NS ns2.kaifashuo.com.
; A records for name servers (glue for ns1/ns2)
ns1 IN A 192.0.2.1
ns2 IN A 192.0.2.2
; Additional A records
@ IN A 192.0.2.3
www IN A 192.0.2.3
6、把 nsd 加入开机启动并启动nsd
[root@decdn1 nsd]# systemctl enable nsd
[root@decdn1 nsd]# systemctl restart nsd
7、查看nsd日志:tail -f /var/log/nsd.log
[root@decdn1 nsd]# tail -f /var/log/nsd.log
[2020-06-27 17:20:30.317] nsd[11590]: notice: nsd starting (NSD 4.2.4)
[2020-06-27 17:20:30.503] nsd[11592]: notice: nsd started (NSD 4.2.4), pid 11590
[2020-06-27 17:22:41.700] nsd[11592]: warning: signal received, shutting down...
[2020-06-27 17:23:59.680] nsd[11749]: info: XSTATS 1593249839 1593249761 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=5 SFwdQ=0 SDupQ=0 SErr=0 RQ=3 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=1 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
[2020-06-27 17:23:59.685] nsd[11746]: info: zone kaifashuo.com serial 2020062705 is updated to 2020062706
8、报错处理
### 报错1:error: query: bad tsig (Bad Time) for key demokey. from 192.0.2.1
解决办法：TSIG 签名里带有时间戳，主从两边时钟偏差超过允许窗口（一般约 5 分钟）校验就会失败，用 chrony/ntpd 让两台服务器与同一时间源同步即可。
### 报错2:error: SSL handshake failed
139840491858240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
解决办法：重新生成 key 文件。这个错误通常是 nsd-control 的客户端证书与 nsd 的服务端证书不匹配（例如只重做了其中一对）。下面的命令要在 /etc/nsd 目录下执行（或用 nsd-control-setup -d /etc/nsd），两对证书一起重新生成，然后重启 nsd 让它加载新的服务端证书。
[root@decdn1 nsd]# rm -rf nsd_control.*
[root@decdn1 nsd]# rm -rf nsd_server.*
[root@decdn1 nsd]# nsd-control-setup