DNS正反向解析转发服务器主从服务
DNS正反向解析&转发服务器&主从服务
1. 正反向解析
| 主机 | 角色 | 系统 | IP |
|---|---|---|---|
| client | 客户端 | redhat 9.6 | 192.168.72.7 |
| server | 域名解析服务器 | redhat 9.6 | 192.168.72.18 |
1.1 配置服务端
1)修改主机名和IP地址
[root@localhost ~]# hostnamectl hostname server
[root@server ~]# nmcli c m ens160 ipv4.addresses 192.168.72.18/24
[root@server ~]# nmcli c up ens160
2)安装软件
[root@server ~]# dnf install bind -y
# 软件的配置文件
[root@server ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
3)修改主配置文件（说明：allow-query { any; } 和 recursion yes 同时开启，意味着任何能访问到 53 端口的主机都可以通过这台服务器做递归查询，dnssec-validation no 又关闭了 DNSSEC 校验；这两项只适用于本文这种隔离的实验环境，正式环境应通过 allow-recursion 限制递归来源，并保留 dnssec-validation）
[root@server ~]# vim /etc/named.conf
[root@server ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.18; }; // 将监听的IP修改为本机的IP地址
    listen-on-v6 port 53 { ::1; };
    directory "/var/named"; // 这是区域数据文件所在目录
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; }; //修改为any表示任何主机都可以查询
    recursion yes;
    dnssec-validation no; // 将值改为 no,关闭外网校验
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
4)修改区域配置文件
[root@server ~]# vim /etc/named.rfc1912.zones
// 正向解析
zone "example.com" IN { // 正向解析的域名
    type master; // 表示主服务
    file "example.com.zone"; // 正向解析区域数据文件的路径
    allow-update { none; }; // 不允许动态更新
};
// 反向解析
zone "72.168.192.in-addr.arpa" IN { // 反向解析的IP
    type master;
    file "example.com.arpa.zone"; // 反向解析区域数据文件
    allow-update { none; };
};
5)创建正向解析区域数据文件
[root@server ~]# cd /var/named/
[root@server named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
# 复制正向解析的模板
[root@server named]# cp -a named.localhost example.com.zone
[root@server named]# vim example.com.zone
[root@server named]# vim example.com.zone
[root@server named]# cat example.com.zone
$TTL 1D
@ IN SOA ns.example.com. admin.example.com. (
                                        2025110501 ; serial
                                        1D ; refresh
                                        1H ; retry
                                        1W ; expire
                                        3H ) ; minimum
        NS ns
        MX 1 mail.example.com.
ns IN A 192.168.72.18
mail IN A 192.168.72.19
www IN A 192.168.72.8
ftp IN A 192.168.72.20
web IN CNAME www
6)创建反向解析区域数据文件（说明：PTR 记录的目标要写成带结尾点的完整域名，如下面的 www.example.com.；像 20 IN PTR ftp 这样的相对名会被补全成 ftp.72.168.192.in-addr.arpa.，反查得不到正确的主机名。另外 SOA 里的 amdin.example.com. 应为 admin.example.com.）
[root@server named]# cp -a named.loopback example.com.arpa.zone
[root@server named]# vim example.com.arpa.zone
[root@server named]# cat example.com.arpa.zone
$TTL 1D
@ IN SOA ns.example.com. amdin.example.com. (
                                        2025110501 ; serial
                                        1D ; refresh
                                        1H ; retry
                                        1W ; expire
                                        3H ) ; minimum
        NS ns
ns IN A 192.168.72.18
8 IN PTR www.example.com.
20 IN PTR ftp
7)校验配置文件的语法(可选，建议对反向区域也执行一次 named-checkzone 72.168.192.in-addr.arpa /var/named/example.com.arpa.zone)
# 1. 校验主配置文件
[root@server named]# named-checkconf
[root@server named]# # 2. 校验区域数据文件
[root@server named]# named-checkzone example.com. /var/named/example.com.zone
zone example.com/IN: loaded serial 2025110501
OK
8)启动DNS服务（下面 status 中 Loaded 一行显示 disabled，说明服务没有设为开机自启，需要的话用 systemctl enable --now named）
[root@server named]# systemctl start named
[root@server named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 15:57:47 CST; 5s ago
    Process: 1778 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 1782 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 1783 (named)
      Tasks: 8 (limit: 12067)
     Memory: 20.6M
        CPU: 72ms
     CGroup: /system.slice/named.service
             └─1783 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 05 15:57:47 server named[1783]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 05 15:57:48 server named[1783]: resolver priming query complete
Nov 05 15:57:49 server named[1783]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now t>
Nov 05 15:57:49 server named[1783]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now t>
9)防火墙放行服务
[root@server named]# firewall-cmd --permanent --add-service=dns
success
[root@server named]# firewall-cmd --reload
success
1.2 配置客户端
1)修改主机名和IP地址
[root@localhost ~]# hostnamectl hostname client
[root@client ~]# nmcli c m ens160 ipv4.addresses 192.168.72.7/24 ipv4.dns 192.168.72.18
[root@client ~]# nmcli c up ens160
2)安装验证工具
[root@client ~]# dnf install bind-utils -y
3)验证DNS解析
# 1. 验证NS记录解析
[root@client ~]# dig -t ns example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t ns example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: ad3da14d3544cd0401000000690b049569812617735987d9 (good)
;; QUESTION SECTION:
;example.com. IN NS

;; ANSWER SECTION:
example.com. 86400 IN NS ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com. 86400 IN A 192.168.72.18

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 16:02:29 CST 2025
;; MSG SIZE rcvd: 101

# 2. 验证A记录解析
[root@client ~]# host -t A www.example.com 192.168.72.18
Using domain server:
Name: 192.168.72.18
Address: 192.168.72.18#53
Aliases:

www.example.com has address 192.179.82.8
# 或者
[root@client ~]# dig -t a www.example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t a www.example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 35f6c7807e26999601000000690b0522acd6fb06cb2839f8 (good)
;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 86400 IN A 192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 16:04:50 CST 2025
;; MSG SIZE rcvd: 88

# 3. 使用nslookup 来验证
[root@client ~]# nslookup www.example.com
Server: 192.168.72.18
Address: 192.168.72.18#53

Name: www.example.com
Address: 192.179.82.8

# 交互式
[root@client ~]# nslookup
> server 192.168.72.18
Default server: 192.168.72.18
Address: 192.168.72.18#53
> set q=A
> www.example.com
Server: 192.168.72.18
Address: 192.168.72.18#53

Name: www.example.com
Address: 192.168.72.8
>
2. 转发服务器
2.1 DNS服务配置
使用前面案例的配置
2.2 配置转发服务器
1、首先新克隆一台机然后修改主机名和IP地址
[root@localhost ~]# hostnamectl set-hostname forward
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.28/24 ipv4.gateway 192.168.72.2 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
2、安装bind软件
[root@forward ~]# dnf install -y bind
3、修改主配置文件（forward only 表示所有查询都只交给 forwarders 列表里的服务器，自己不再向根服务器递归；这里 forwarders 只有 192.168.72.18 一个，它一旦停掉，转发服务器就无法解析任何名字）
[root@forward ~]# vim /etc/named.conf
[root@forward ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.28; };
    directory "/var/named";
    forward only;
    forwarders { 192.168.72.18; };
    recursion yes;
    dnssec-validation no;
};
4、防火墙放行服务
[root@forward ~]# firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
success
[root@forward ~]# firewall-cmd --reload
success
5、启动服务
[root@forward ~]# systemctl start named
2.3 配置客户端
1)修改客户端的DNS地址为转发服务器IP地址
[root@client ~]# nmcli d show ens160
GENERAL.DEVICE: ens160
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:16:A2:65
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: ens160
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/3
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.72.7/24
IP4.GATEWAY: 192.168.72.2
IP4.ROUTE[1]: dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]: 192.168.72.18
IP6.ADDRESS[1]: fe80::20c:29ff:fe16:a265/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 1024
# 将客户端的dns地址修改为转发服务器的IP地址
[root@client ~]# nmcli c m ens160 ipv4.dns 192.168.72.28
[root@client ~]# nmcli c up ens160 # 修改好后查看
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@client ~]# nmcli d show ens160
GENERAL.DEVICE: ens160
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:16:A2:65
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: ens160
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/4
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.72.7/24
IP4.GATEWAY: 192.168.72.2
IP4.ROUTE[1]: dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]: 192.168.72.28
IP6.ADDRESS[1]: fe80::20c:29ff:fe16:a265/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 1024
2)验证解析（注意下面 flags 里没有 aa，说明这个应答是转发服务器从 192.168.72.18 取回后给出的，不是它自己的权威数据）
[root@client ~]# dig -t A www.example.com @192.168.72.28

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63583
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b08f8d6c649b078a01000000690b1039ea5171b567ef8342 (good)
;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 86400 IN A 192.168.72.8

;; Query time: 13 msec
;; SERVER: 192.168.72.28#53(192.168.72.28)
;; WHEN: Wed Nov 05 16:52:10 CST 2025
;; MSG SIZE rcvd: 88
3. 整合Web服务
3.1 增加Web服务器
1)克隆一台新的服务器, 然后修改主机名和IP
[root@localhost ~]# hostnamectl hostname web
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.8/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.28 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
2)安装nginx服务
[root@web ~]# dnf install -y nginx
3)防火墙放行服务
[root@web ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web ~]# firewall-cmd --reload
success
4)修改欢迎页
[root@web ~]# echo "welcome to nginx $(hostname -I)" > /usr/share/nginx/html/index.html
5)启动服务
[root@web ~]# systemctl start nginx
[root@web ~]# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
     Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:03:57 CST; 6s ago
    Process: 1878 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
    Process: 1879 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
    Process: 1880 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
   Main PID: 1881 (nginx)
      Tasks: 3 (limit: 12067)
     Memory: 3.0M
        CPU: 31ms
     CGroup: /system.slice/nginx.service
             ├─1881 "nginx: master process /usr/sbin/nginx"
             ├─1882 "nginx: worker process"
             └─1883 "nginx: worker process"

Nov 05 17:03:57 web systemd[1]: Starting The nginx HTTP and reverse proxy server...
Nov 05 17:03:57 web nginx[1879]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Nov 05 17:03:57 web nginx[1879]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Nov 05 17:03:57 web systemd[1]: Started The nginx HTTP and reverse proxy server.
6)访问验证
[root@web ~]# curl localhost
welcome to nginx 192.168.72.8
[root@web ~]# curl 192.168.72.8
welcome to nginx 192.168.72.8
[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
[root@client ~]# curl www.example.com
welcome to nginx 192.168.72.8
4. 主从服务
4.1 修改主服务器
1)修改区域配置文件（说明：从服务器是通过区域传送(AXFR/IXFR)同步数据的，受 allow-transfer 控制，并不需要放开 allow-update；allow-update { any; } 会允许任意主机不经认证就动态修改反向区域，实验环境之外应保持 allow-update { none; }，改用 allow-transfer { 192.168.72.38; }; 限制只有从服务器能拉取区域数据）
[root@server named]# vim /etc/named.rfc1912.zones
[root@server named]# cat /etc/named.rfc1912.zones
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { 192.168.72.38; };
};
zone "72.168.192.in-addr.arpa" IN {
    type master;
    file "example.com.arpa.zone";
    allow-update { any; };
};
2)修改正向解析区域数据文件（注意：这里 serial 仍是 2025110501，以后每次修改区域数据都要递增 serial，从服务器是靠比较 serial 来决定要不要重新传送的）
[root@server named]# vim /var/named/example.com.zone
[root@server named]# cat /var/named/example.com.zone
$TTL 1D
@ IN SOA example.com. admin.example.com. (
                                        2025110501 ; serial
                                        1D ; refresh
                                        1H ; retry
                                        1W ; expire
                                        3H ) ; minimum
        NS ns1
        NS ns2
        MX 1 mail.example.com.
ns1 IN A 192.168.72.18
ns2 IN A 192.168.72.38
mail IN A 192.168.72.19
www IN A 192.168.72.8
ftp IN A 192.168.72.20
web IN CNAME www
3)修改反向解析区域数据文件（说明：8 IN PTR www 和 20 IN PTR ftp 是相对名，会被补全成 www.72.168.192.in-addr.arpa. 这样的名字；反向解析要返回正确的主机名应写成 www.example.com. 这种带结尾点的完整域名）
[root@server named]# vim /var/named/example.com.arpa.zone
[root@server named]# cat /var/named/example.com.arpa.zone
$TTL 1D
@ IN SOA example.com. amdin.example.com. (
                                        2025110501 ; serial
                                        1D ; refresh
                                        1H ; retry
                                        1W ; expire
                                        3H ) ; minimum
        NS ns1
        NS ns2
ns1 IN A 192.168.72.18
ns2 IN A 192.168.72.38
8 IN PTR www
20 IN PTR ftp
4)重启服务（也可以直接 systemctl restart named）
[root@server named]# systemctl stop named
[root@server named]# systemctl start named
[root@server named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:37:24 CST; 4s ago
    Process: 2169 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 2172 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2173 (named)
      Tasks: 8 (limit: 12067)
     Memory: 20.6M
        CPU: 66ms
     CGroup: /system.slice/named.service
             └─2173 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 05 17:37:24 server systemd[1]: Started Berkeley Internet Name Domain (DNS).
Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 05 17:37:24 server named[2173]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 05 17:37:25 server named[2173]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Nov 05 17:37:25 server named[2173]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
Nov 05 17:37:25 server named[2173]: resolver priming query complete
4.2 配置从服务器
1)克隆一台从服务器,修改主机名和IP
[root@localhost ~]# hostnamectl hostname slave
[root@localhost ~]# nmcli connection modify
[root@localhost ~]# nmcli connection modify ens160 ipv4.method manual ipv4.addresses 192.168.72.38/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
2)安装软件
[root@slave ~]# dnf install bind -y
3)修改主配置文件（与主服务器一样，allow-query { any; } 加 recursion yes 会对任何能访问到它的主机开放递归查询，只适合实验环境）
[root@slave ~]# vim /etc/named.conf
[root@slave ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.38; }; //指定监听的IP地址为本机IP
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; }; //设置为any
    recursion yes;
    dnssec-validation no; //修改为no
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
4)修改区域配置文件
[root@slave ~]# vim /etc/named.rfc1912.zones
[root@slave ~]# cat /etc/named.rfc1912.zones
zone "example.com" IN {
    type slave; //从服务的配置类型为slave
    masters { 192.168.72.18; }; // 指定主服务的IP列表
    file "slaves/example.com.zone"; // 从服务的区域数据文件存放路径
};
zone "72.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.72.18; };
    file "slaves/example.com.arpa.zone";
};
5)防火墙放行服务
[root@slave ~]# firewall-cmd --permanent --add-service=dns
success
[root@slave ~]# firewall-cmd --reload
success
6)启动服务
[root@slave ~]# systemctl start named
Job for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xeu named.service" for details.
启动服务时报错,我们查看错误信息:
[root@slave ~]# journalctl -xeu named.service
░░
░░ A start job for unit named.service has begun execution.
░░
░░ The job identifier is 1915.
Nov 05 17:25:04 slave bash[2086]: /etc/named.rfc1912.zones:5: option 'allow-update' is not allowed in 'slave' zone 'example.com'
Nov 05 17:25:04 slave bash[2086]: /etc/named.rfc1912.zones:12: option 'allow-update' is not allowed in 'slave' zone '72.168.192.in-addr.arpa'
Nov 05 17:25:04 slave systemd[1]: named.service: Control process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ An ExecStartPre= process belonging to unit named.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 05 17:25:04 slave systemd[1]: named.service: Failed with result 'exit-code'.
░░ Subject: Unit failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ The unit named.service has entered the 'failed' state with result 'exit-code'.
Nov 05 17:25:04 slave systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
░░ Subject: A start job for unit named.service has failed
░░ Defined-By: systemd
░░ Support: https://access.redhat.com/support
░░
░░ A start job for unit named.service has finished with a failure.
░░
░░ The job identifier is 1915 and the job result is failed.
从服务器的区域配置文件 /etc/named.rfc1912.zones 中两个 zone 里的 allow-update 语句都要删掉（即上面日志中报错的第 5 行和第 12 行），slave 类型的区域不允许这个选项。
7)再启动从服务
[root@slave ~]# systemctl start named
[root@slave ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
     Active: active (running) since Wed 2025-11-05 17:45:35 CST; 1min 20s ago
    Process: 2191 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else>
    Process: 2194 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
   Main PID: 2195 (named)
      Tasks: 10 (limit: 12067)
     Memory: 29.0M
        CPU: 74ms
     CGroup: /system.slice/named.service
             └─2195 /usr/sbin/named -u named -c /etc/named.conf

Nov 05 17:45:35 slave named[2195]: zone 72.168.192.in-addr.arpa/IN: sending notifies (serial 2025110501)
Nov 05 17:45:35 slave named[2195]: resolver priming query complete
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: Transfer started.
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: connected using 192.168.72.38#42815
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: transferred serial 2025110501
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: Transfer status: success
Nov 05 17:45:35 slave named[2195]: transfer of 'example.com/IN' from 192.168.72.18#53: Transfer completed: 1 messages, 11 records, 270 bytes>
Nov 05 17:45:35 slave named[2195]: zone example.com/IN: sending notifies (serial 2025110501)
Nov 05 17:45:35 slave named[2195]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now tr>
Nov 05 17:45:35 slave named[2195]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now tr>
8)查看从服务器的区域数据文件是否已经同步
[root@slave ~]# cd /var/named/slaves/
[root@slave slaves]# ls
example.com.arpa.zone example.com.zone
可以发现已经同步。
9)验证域名解析
[root@slave ~]# dig -t A www.example.com @192.168.72.38

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22453
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: cc217a4fc217ee6f01000000690b1d81bf5afbd038daefbf (good)
;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 86400 IN A 192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.38#53(192.168.72.38)
;; WHEN: Wed Nov 05 17:48:49 CST 2025
;; MSG SIZE rcvd: 88

[root@slave ~]# dig -t A www.example.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16437
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 9ed63089a1921cee01000000690b1d98289ae5b3978b1364 (good)
;; QUESTION SECTION:
;www.example.com. IN A

;; ANSWER SECTION:
www.example.com. 86400 IN A 192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Wed Nov 05 17:49:12 CST 2025
;; MSG SIZE rcvd: 88
4.3 修改web服务
将web服务的dns修改如下:
[root@web ~]# nmcli d show ens160
GENERAL.DEVICE: ens160
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:AB:A3:7A
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: ens160
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/3
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.72.8/24
IP4.GATEWAY: 192.168.72.2
IP4.ROUTE[1]: dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]: 192.168.72.28
IP6.ADDRESS[1]: fe80::20c:29ff:feab:a37a/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 1024
[root@web ~]# nmcli c m ens160 ipv4.dns "192.168.72.28 192.168.72.38"
[root@web ~]# nmcli c up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@web ~]# nmcli d show ens160
GENERAL.DEVICE: ens160
GENERAL.TYPE: ethernet
GENERAL.HWADDR: 00:0C:29:AB:A3:7A
GENERAL.MTU: 1500
GENERAL.STATE: 100 (connected)
GENERAL.CONNECTION: ens160
GENERAL.CON-PATH: /org/freedesktop/NetworkManager/ActiveConnection/4
WIRED-PROPERTIES.CARRIER: on
IP4.ADDRESS[1]: 192.168.72.8/24
IP4.GATEWAY: 192.168.72.2
IP4.ROUTE[1]: dst = 192.168.72.0/24, nh = 0.0.0.0, mt = 100
IP4.ROUTE[2]: dst = 0.0.0.0/0, nh = 192.168.72.2, mt = 100
IP4.DNS[1]: 192.168.72.28
IP4.DNS[2]: 192.168.72.38
IP6.ADDRESS[1]: fe80::20c:29ff:feab:a37a/64
IP6.GATEWAY: --
IP6.ROUTE[1]: dst = fe80::/64, nh = ::, mt = 1024
4.4 配置验证
1)主从服务都存在
[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
2)将主服务器关闭,然后再测试
[root@server named]# systemctl stop named
[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
3)将从服务器关闭,主服务打开,然后再测试
[root@server named]# systemctl start named
[root@slave ~]# systemctl stop named
[root@web ~]# curl www.example.com
welcome to nginx 192.168.72.8
4)将主从服务器都关闭,然后再测试
[root@slave ~]# dig -t A www.example.com @192.168.72.38
^C
[root@slave ~]# dig -t A www.example.com @192.168.72.18
^X
; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.72.18
;; global options: +cmd
;; connection timed out; no servers could be reached
