
案例3 授权与转发

2014-05-09 23:48 295 查看

父域 DNS 对子域 DNS 实现授权(委派)。
子域要解析父域中的名称,有两种办法:
1. 改变根提示,把父域 DNS 视为根服务器;
2. 配置转发器,把对父域的查询转发给父域 DNS。
[root@host2 ~]# cd /media/cdrom
[root@host2 cdrom]# ll
[root@host2 cdrom]# cd Packages/
[root@host2 Packages]# ll bind*
-r--r--r--. 2 root root 4173752 Aug 282013 bind-9.8.2-0.17.rc1.el6
-r--r--r--. 2 root root72540 Aug 282013 bind-chroot-9.8.2-0.17.
-r--r--r--. 2 root root70488 Nov 25 03:29 bind-dyndb-ldap-2.3-5.e
-r--r--r--. 2 root root910676 Aug 282013 bind-libs-9.8.2-0.17.rc
-r--r--r--. 2 root root185116 Aug 282013 bind-utils-9.8.2-0.17.r
[root@host2 Packages]# yum --disablerepo --enablerepo=c6-media install bind bind-chroot bind-utils -y
Loaded plugins: fastestmirror, refresh-packagekit
Error getting repository data for --enablerepo=c6-media, repository not found
[root@host2 Packages]# yum --disablerepo=\* --enablerepo=c6-media install bind bind-chroot bind-utils -y
Loaded plugins: fastestmirror, refresh-packagekit
Loading mirror speeds from cached hostfile
* c6-media:
file:///media/CentOS/repodata/repomd.xml: [Errno 14] Could not open/read file:///media/CentOS/repodata/repomd.xml
Trying other mirror.
file:///media/cdrecorder/repodata/repomd.xml: [Errno 14] Could not open/read file:///media/cdrecorder/repodata/repomd.xml
Trying other mirror.
c6-media| 4.0 kB00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.i686 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-0.17.rc1.el6_4.6 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: liblwres.so.80 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: libisccfg.so.82 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: libisccc.so.80 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: libisc.so.83 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: libdns.so.81 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
--> Processing Dependency: libbind9.so.80 for package: 32:bind-9.8.2-0.17.rc1.el6_4.6.i686
---> Package bind-chroot.i686 32:9.8.2-0.17.rc1.el6_4.6 will be installed
---> Package bind-utils.i686 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Running transaction check
---> Package bind-libs.i686 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
======================================================================================================================
PackageArchVersionRepositorySize
======================================================================================================================
Installing:
bindi68632:9.8.2-0.17.rc1.el6_4.6c6-media4.0 M
bind-chrooti68632:9.8.2-0.17.rc1.el6_4.6 c6-media71 k
bind-utilsi68632:9.8.2-0.17.rc1.el6_4.6c6-media181 k
Installing for dependencies:
bind-libsi68632:9.8.2-0.17.rc1.el6_4.6c6-media889 k
Transaction Summary
======================================================================================================================
Install4 Package(s)
Total download size: 5.1 M
Installed size: 10 M
Downloading Packages:
----------------------------------------------------------------------------------------------------------------------
Total32 MB/s | 5.1 MB00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.i6861/4
Installing : 32:bind-9.8.2-0.17.rc1.el6_4.6.i6862/4
Installing : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.i6863/4
Installing : 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.i6864/4
Verifying: 32:bind-libs-9.8.2-0.17.rc1.el6_4.6.i6861/4
Verifying: 32:bind-9.8.2-0.17.rc1.el6_4.6.i6862/4
Verifying: 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.i6863/4
Verifying: 32:bind-utils-9.8.2-0.17.rc1.el6_4.6.i6864/4
Installed:
bind.i686 32:9.8.2-0.17.rc1.el6_4.6bind-chroot.i686 32:9.8.2-0.17.rc1.el6_4.6
bind-utils.i686 32:9.8.2-0.17.rc1.el6_4.6
Dependency Installed:
bind-libs.i686 32:9.8.2-0.17.rc1.el6_4.6
Complete!
在本地终端生成 rndc 密钥文件(rndc 与 named 之间的控制通道靠它做认证,只应让 root 和 named 可读):
[root@host2 ~]# rndc-confgen -a
密钥文件生成后,重启 named 并确认 53 端口已在监听:
[root@host2 ~]# service named restart
[root@host2 ~]# netstat -tupln | grep 53




监控日志,同时重新加载配置:
[root@host2 ~]# rndc reload
server reload successful
编辑主配置文件 named.conf:监听所有地址,允许任意客户端查询并开启递归。这样的组合等于开放解析器,只适合隔离的实验环境;正式环境应使用 allow-recursion 等选项把递归查询限制在内网客户端。
[root@host2 chroot]# tail -f /var/log/messages
May9 23:35:27 host2 named[1712]: reloading configuration succeeded
May9 23:35:27 host2 named[1712]: reloading zones succeeded
[root@host2 chroot]# cd etc/
[root@host2 etc]# vim named.conf
10 options {
11listen-on port 53 { any; };
12listen-on-v6 port 53 { ::1; };
13directory"/var/named";
14dump-file"/var/named/data/cache_dump.db";
15statistics-file "/var/named/data/named_stats.txt";
16memstatistics-file "/var/named/data/named_mem_stats.txt";
17allow-query{ any; };
18recursion yes;
[root@host2 etc]# vim named.rfc1912.zones



[root@host2 etc]# cd /var/named/chroot/var/named/
[root@host2 named]# ll
total 32
drwxr-x---. 6 rootnamed 4096 May9 23:23 chroot
drwxrwx---. 2 named named 4096 May9 23:30 data
drwxrwx---. 2 named named 4096 May9 23:31 dynamic
-rw-r-----. 1 rootnamed 1892 Feb 182008 named.ca
-rw-r-----. 1 rootnamed152 Dec 152009 named.empty
-rw-r-----. 1 rootnamed152 Jun 212007 named.localhost
-rw-r-----. 1 rootnamed168 Dec 152009 named.loopback
drwxrwx---. 2 named named 4096 Aug 272013 slaves
[root@host2 named]# cp -p named.localhost abc.com.zone
[root@host2 named]# vim abc.com.zone



编辑 named.rfc1912.zones,添加指向父域的转发区域:
[root@host2 ~]# cd /var/named/chroot/etc
[root@host2 etc]# vim named.rfc1912.zones
zone "b.com" IN {
type forward;
forwarders { 192.168.10.9; };
};
以下是父域 b.com 的 DNS 服务器(192.168.10.9)上的配置:
1.[root@host2 ~]# cd /var/named/chroot/etc
声明2个区域 b.com 和bj.b.com
[root@centos etc]# vim named.rfc1912.zones
zone "b.com" IN {
type master;
file "b.com.zone";
allow-update { none; };
};
zone "bj.b.com" IN {
type master;
file "bj.b.com.zone";
allow-update { none; };
};
2. 在父域 b.com 的区域文件中给子域 sh.b.com 授权(委派给 192.168.10.10):
[root@host2 ~]# cd /var/named/chroot
[root@centos chroot]# cd var/named/
[root@centos named]# cp -p named.localhost b.com.zone
[root@centos named]# vim b.com.zone
$TTL 1D
@               IN SOA  ns.b.com. rname.invalid. (
                        2       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@               IN NS   ns.b.com.
ns              IN A    192.168.10.9
www             IN A    1.1.1.1
sh.b.com.       IN NS   ns.sh.b.com.
ns.sh.b.com.    IN A    192.168.10.10
3.北京子域
[root@host2 ~]# cd /var/named/chroot
[root@centos chroot]# cd var/named/
[root@centos named]# cp -p named.localhost bj.b.com.zone
[root@centos named]# vim bj.b.com.zone
$TTL 1D
@               IN SOA  ns.bj.b.com. rname.invalid. (
                        1       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@               IN NS   ns.bj.b.com.
ns              IN A    192.168.10.9
www             IN A    2.2.2.2

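测试:转发成功
PC 的 DNS 指向 192.168.10.10。输出中的 "DNS request timed out" 和 "Can't find server name" 是 nslookup 对服务器地址做反向查询时超时(应是没有为 192.168.10.10 配置 PTR 记录),不影响下面的正向解析结果。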

C:\Documents and Settings\Administrator>nslookup www.sh.b.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.10.10: Timed ou
Server:UnKnown
Address:192.168.10.10
Name:www.sh.b.com
Address:3.3.3.3
C:\Documents and Settings\Administrator>nslookup www.b.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.10.10: Timed ou
Server:UnKnown
Address:192.168.10.10
Non-authoritative answer:
Name:www.b.com
Address:1.1.1.1
C:\Documents and Settings\Administrator>nslookup www.bj.b.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 192.168.10.10: Timed ou
Server:UnKnown
Address:192.168.10.10
Non-authoritative answer:
Name:www.bj.b.com
Address:2.2.2.2


标签:  DNS 授权 转发 linux