DNS子域授权

当一个域很大时,而且还有上,下层关系,如果所有的记录变更都由某一台服务器来管理的话,那将会是什么样子?就好比一个公司的总经理直接管理公司1000个人的所有事项,恐怕会被累死。所以会在总经理下面设科室,科室下面又分班组,这样一层管理一层会比较好管理些。

同样道理,DNS中也分域和子域,上层DNS可以将子域的管理授权给子域中的DNS服务器来管理记录的变更,这种做法就叫子域授权。

子域授权配置

假设父域为:frank.com,NS地址:master.frank.com 子域为:mf.frank.com,NS地址:sub.mf.frank.com

父域服务器配置

只需在区域解析库文件中添加下层DNS服务器的NS与A记录即可。

# vi /var/named/frank.com.zone
$TTL 1D
frank.com. IN SOA master.frank.com. admin.frank.com. (
201802002 ;序列号
3H ;刷新时间
10M ;重试时间间隔
1W ;过期时间
1D ;无法解析时否定答案的TTL值
)
frank.com. IN NS master.frank.com.
mf.frank.com. IN NS sub.mf.frank.com.
master.frank.com. IN A 192.168.138.200
sub.mf.frank.com. IN A 192.168.138.201
frank.com. IN MX 10 mx1.frank.com.
IN MX 20 mx2.frank.com.
mx1.frank.com. IN A 192.168.138.200
mx2.frank.com. IN A 192.168.138.200
www IN A 192.168.138.200
master IN CNAME www.frank.com.
web IN CNAME www.frank.com.

子域服务器配置

子域需要有完整的区域相关的配置,配置内容和主,从配置相同。

  • 在/etc/named.rfc1912.zones中加入子域区域定义。
# vi /etc/named.conf
...
zone "mf.frank.com" IN {
type master;
file "mf.frank.com.zone";
};
  • 创建mf.frank.com.zone区域解析库文件
# vi /var/named/mf.frank.com.zone
$TTL 600
@ IN SOA sub.mf.frank.com. admin.sub.mf.frank.com. (
201802001
2H
15M
1W
1D )
@ IN NS sub.mf.frank.com.
sub IN A 192.168.138.201
www IN A 192.168.138.201

配置完成重载配置文件

# rndc reload
server reload successful

在父域测试解析子域名www.mf.frank.com的A记录

# dig -t A www.mf.frank.com @192.168.138.200

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.mf.frank.com @192.168.138.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17968
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mf.frank.com. IN A ;; ANSWER SECTION:
www.mf.frank.com. 600 IN A 192.168.138.201 ;; AUTHORITY SECTION:
mf.frank.com. 600 IN NS sub.mf.frank.com. ;; ADDITIONAL SECTION:
sub.mf.frank.com. 600 IN A 192.168.138.201 ;; Query time: 19 msec
;; SERVER: 192.168.138.200#53(192.168.138.200)
;; WHEN: Sat Feb 24 22:27:22 CST 2018
;; MSG SIZE rcvd: 95

在子域DNS服务器添加指向父域的转发器

# vi /etc/named.rfc1912.conf
...
zone "mf.frank.com" IN {
type master;
file "mf.frank.com.zone";
};
//将查询父域的请求转发给父域DNS
zone "frank.com" IN {
type forward;
forward only;
forwarders { 192.168.138.200; };
};

配置完成重载配置文件

# rndc reload
server reload successful

在子域服务器上使用自己的DNS解析父域www.frank.com的A记录

# dig -t A www.frank.com @192.168.138.201

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.frank.com @192.168.138.201
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63485
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.frank.com. IN A ;; ANSWER SECTION:
www.frank.com. 142 IN A 192.168.138.200 ;; AUTHORITY SECTION:
frank.com. 142 IN NS master.frank.com. ;; ADDITIONAL SECTION:
master.frank.com. 142 IN A 192.168.138.200 ;; Query time: 0 msec
;; SERVER: 192.168.138.201#53(192.168.138.201)
;; WHEN: Sat Feb 24 22:46:24 CST 2018
;; MSG SIZE rcvd: 95
05-08 15:35