利用NSD配置DNS主从解析域名及报错处理 - 开发说
当前位置: 主页 » DNS » 利用NSD配置DNS主从解析域名及报错处理

利用NSD配置DNS主从解析域名及报错处理

      2020年06月27日   阅读 1,257 次     0 评论   Tags: ·

以前博客写了几篇配置DNS的文章,今天迁移博客,重新配置了DNS主从,用的软件是NSD
使用queryperf对DNS服务器进行压力测试
使用queryperf对DNS服务器进行压力测试
利用powerdns自建DNS服务器

目的 DNS FQDN IP地址
主名称服务器 ns1.kaifashuo.com。 192.0.2.1
辅助名称服务器 ns2.kaifashuo.com。 192.0.2.2
网络服务器 www.kaifashuo.com。 192.0.2.3

1、分别在DNS主从服务器上安装NSD软件



###安装EPEL源
[root@mil nsd]# yum install epel-release.noarch

###安装nsd软件
[root@mil nsd]# yum install  nsd

###生成nsd所需的密钥文件
[root@mil nsd]# nsd-control-setup

2、在主DNS生成NSD用来安全地执行主服务器和辅助服务器之间的区域传输的密钥


[root@mil nsd]# dd if=/dev/random of=/dev/stdout count=1 bs=32 | base64
1+0 records in
1+0 records out
32 bytes copied, 0.000127191 s, 252 kB/s
hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c=

hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c=   即为主从DNS传输所需密钥

3、配置主DNS服务器的nsd.conf文件



server:
	server-count: 1
	ip-address: 0.0.0.0
	reuseport: yes
        debug-mode: no
	do-ip4: yes
	port: 53
	verbosity: 3
	username: nsd
	zonesdir: "/etc/nsd/zone"
	zonelistfile: "/var/lib/nsd/zone.list"
	database: ""
	logfile: "/var/log/nsd.log"
	pidfile: "/var/run/nsd/nsd.pid"
	xfrdfile: "/var/lib/nsd/ixfr.state"
	xfrdir: "/tmp"
	hide-version: yes
	#round-robin: yes
	tcp-count: 10000
	tcp-query-count: 0
	statistics: 3600
	zonefiles-check: yes
	rrl-ratelimit: 0
	rrl-whitelist-ratelimit: 0
	include: "/etc/nsd/server.d/*.conf"
	include: "/etc/nsd/conf.d/*.conf"



remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: "demokey"
    algorithm: hmac-sha256
    secret: "hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c="
#上一步生成的密钥

pattern:
    name: "tosecondary"
    notify: 192.0.2.2 demokey
    provide-xfr: 192.0.2.2 demokey

zone:
    name: "kaifashuo.com"
    zonefile: "kaifashuo.com.zone"
    include-pattern: "tosecondary"


4、配置从DNS服务器的nsd.conf文件



server:
	server-count: 1
	ip-address: 0.0.0.0
	reuseport: yes
        debug-mode: no
	do-ip4: yes
	port: 53
	verbosity: 3
	username: nsd
	zonesdir: "/etc/nsd/zone"
	zonelistfile: "/var/lib/nsd/zone.list"
	database: ""
	logfile: "/var/log/nsd.log"
	pidfile: "/var/run/nsd/nsd.pid"
	xfrdfile: "/var/lib/nsd/ixfr.state"
	xfrdir: "/tmp"
	hide-version: yes
	#round-robin: yes
	tcp-count: 10000
	tcp-query-count: 0
	statistics: 3600
	zonefiles-check: yes
	rrl-ratelimit: 0
	rrl-whitelist-ratelimit: 0
	include: "/etc/nsd/server.d/*.conf"
	include: "/etc/nsd/conf.d/*.conf"


remote-control:
    control-enable: yes
    control-interface: 127.0.0.1
    control-port: 8952
    server-key-file: "/etc/nsd/nsd_server.key"
    server-cert-file: "/etc/nsd/nsd_server.pem"
    control-key-file: "/etc/nsd/nsd_control.key"
    control-cert-file: "/etc/nsd/nsd_control.pem"

key:
    name: "demokey"
    algorithm: hmac-sha256
    secret: "hWNNqU7hv8t3H9qPc+Xguea2fBQpZbPvMumut6Y+x7c="

pattern:
    name: "fromprimary"
    allow-notify: 192.0.2.1 demokey
    request-xfr: AXFR 192.0.2.1 demokey


zone:
    name: "kaifashuo.com"
    zonefile: "kaifashuo.com.zone"
    include-pattern: "fromprimary"

5、在主DNS服务器配置域名zone文件



$ORIGIN kaifashuo.com.
$TTL 1800
@       IN      SOA     ns1.kaifashuo.com.      admin.kaifashuo.com. (
                        2020062701        ; serial number
                        3600                    ; refresh
                        900                     ; retry
                        1209600                 ; expire
                        1800                    ; ttl
                        )
; Name servers
                    IN      NS      ns1.kaifashuo.com.
                    IN      NS      ns2.kaifashuo.com.

; A records for name servers
ns1                 IN      A       192.0.2.1
ns2                 IN      A       192.0.2.2

; Additional A records
@                   IN      A       192.0.2.3
www                 IN      A       192.0.2.3

6、把 nsd 加入开机启动并启动nsd



[root@decdn1 nsd]# systemctl enable nsd
[root@decdn1 nsd]# systemctl restart nsd

7、查看nsd日志:tail -f /var/log/nsd.log



[root@decdn1 nsd]# tail -f /var/log/nsd.log
[2020-06-27 17:20:30.317] nsd[11590]: notice: nsd starting (NSD 4.2.4)
[2020-06-27 17:20:30.503] nsd[11592]: notice: nsd started (NSD 4.2.4), pid 11590
[2020-06-27 17:22:41.700] nsd[11592]: warning: signal received, shutting down...

[2020-06-27 17:23:59.680] nsd[11749]: info: XSTATS 1593249839 1593249761 RR=0 RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0 SSysQ=0 SAns=5 SFwdQ=0 SDupQ=0 SErr=0 RQ=3 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0 SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=1 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
[2020-06-27 17:23:59.685] nsd[11746]: info: zone kaifashuo.com serial 2020062705 is updated to 2020062706

8、报错处理



### 报错1:error: query: bad tsig (Bad Time) for key demokey. from 192.0.2.1
解决办法:重新同步两台服务器的时间

### 报错2:error: SSL handshake failed
139840491858240:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:
解决办法:重新生产key文件

[root@decdn1 nsd]# rm -rf nsd_control.*
[root@decdn1 nsd]# rm -rf nsd_server.*
[root@decdn1 nsd]# nsd-control-setup

  • 版权声明:本文版权归开发说和原作者所有,未经许可不得转载。文章部分来源于网络仅代表作者看法,如有不同观点,欢迎进行交流。除非注明,文章均由 开发说 整理发布,欢迎转载,转载请带版权。

  • 来源:开发说 ( https://www.kaifashuo.com/ ),提供主机优惠信息深度测评和服务器运维编程技术。
  • 链接:https://www.kaifashuo.com/2131.html
  • 评论(0

    1. 还没有任何评论,你来说两句吧

    发表回复

    您的电子邮箱地址不会被公开。 必填项已用*标注