Introduction to DNS Servers (2): Master-Slave Replication and Zone Forwarding

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

Background introduction

To avoid a single point of failure, a production DNS service is made up of a group of servers. Each server hosts several zones, and the same zone on different servers takes one of two roles: master or slave. Because the forward and reverse lookup zones are separate zones, the same zone on multiple servers can be set up as master-slave or as one master with several slaves, as shown in the figure.

Master-slave replication of DNS server

1. Previously, the contoso.com forward and reverse lookup zones were created on the 172.16.10.10/24 host, which was set up as the master server for each of them. For the slave server, you only need to add the zone to its configuration file; the zone name must match the zone name on the master, and the slave will then fetch the zone database file from the master automatically. The masters keyword is fixed here, no matter how many hosts hold the master role.

The zone database files are placed in the /var/named/slaves directory because the bind program runs as the named user, and the named user has no write permission on /var/named itself; bind therefore provides a dedicated slaves directory where the slave host can store the synchronized zone database files.

Note that a slave server that is to synchronize must have an NS record on the master server, together with an A record that maps that name correctly (that is, this is how the master authorizes the slave to synchronize).

After adding the zone and reloading with rndc reload, you can see that it has synchronized.

Master-slave replication does not have to wait for the refresh interval to pick up changes. If you edit the zone database file by hand, also increase the current serial number by 1; after reloading with rndc reload, the slave synchronizes immediately.
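The zone stanzas for the master and the slave described in the steps above, as an added example that is not from the original post. The slave address 172.16.10.20, the zone file names and the reverse zone name (derived from 172.16.10.0/24) are assumptions; the allow-transfer line is an addition the post does not mention, since without it BIND lets any host pull the whole zone.

```conf
// --- On the master, 172.16.10.10 (zone definitions file, e.g. /etc/named.rfc1912.zones) ---
// Constructed example: the slave address 172.16.10.20 is an assumption.
zone "contoso.com" IN {
    type master;
    file "contoso.com.zone";          // stored in /var/named
    allow-transfer { 172.16.10.20; }; // added here: only the slave may transfer (AXFR) the zone
    notify yes;                       // notify the servers in the NS records when the serial changes
};

zone "10.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.10.zone";
    allow-transfer { 172.16.10.20; };
    notify yes;
};

// --- On the slave, 172.16.10.20 (zone definitions file) ---
// The zone names must match the master exactly; "masters" is the keyword
// even when only one master host is listed.
zone "contoso.com" IN {
    type slave;
    masters { 172.16.10.10; };
    file "slaves/contoso.com.zone";   // /var/named/slaves is writable by the named user
};

zone "10.16.172.in-addr.arpa" IN {
    type slave;
    masters { 172.16.10.10; };
    file "slaves/172.16.10.zone";
};
```

After editing, run rndc reload on both hosts; on the master, raise the SOA serial by 1 whenever you edit the zone file so the slave pulls the new copy at once.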

Zone forwarding of DNS

As shown in the following figure: the contoso.com domain has a subdomain blog.contoso.com. When a client in the contoso.com domain wants to reach ark.blog.contoso.com, it first asks the DNS server of its own domain. Because that server holds the delegation record for the blog.contoso.com subdomain, it goes directly to the subdomain's DNS server to obtain the IP address of ark.blog.contoso.com. When a client in the child domain wants to reach www.contoso.com in the parent domain, it likewise asks its local DNS server, but that server has no record pointing to the parent domain's DNS server, so the child-domain DNS server starts at the root and obtains the IP address of www.contoso.com only after iterative queries level by level.

This places unnecessary load on the servers; we want the child domain to use the parent domain's DNS server when resolving parent-domain names, instead of going to the root. The following steps set up DNS forwarding.

1. First, configure the DNS servers of both the contoso.com domain and the blog.contoso.com domain as caching DNS servers. Note that dnssec is a DNS security mechanism that uses keys between servers to prevent DNS cache poisoning. Here it must be changed to no; if the line is commented out, its default value is yes.

2. The parent domain's DNS server only needs to create its own zone and, in the zone database, point to the DNS server of the child domain (that is, delegate the child domain).

3. Because the parent domain holds a delegation to the child domain's DNS server, the parent domain can resolve the child domain's ark.blog.contoso.com address (the child domain's DNS server must be serving normally at this point, otherwise the name cannot be resolved, and /var/log/messages records that the child domain's DNS server cannot be reached).
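The parent zone database with the delegation from steps 2 and 3, as an added example that is not from the original post; it also shows the NS and A records the slave needs from the replication section. Host names, the slave address 172.16.10.20, the child server address 172.16.10.30 and the www address are assumptions.

```conf
; /var/named/contoso.com.zone on the master 172.16.10.10 (constructed example;
; host names and all addresses other than 172.16.10.10 are assumptions)
$TTL 86400
@        IN  SOA  ns1.contoso.com. admin.contoso.com. (
                  2024010102  ; serial: raise by 1 after every edit so slaves resync
                  3600        ; refresh
                  900         ; retry
                  604800      ; expire
                  86400 )     ; negative-cache TTL
; every server allowed to act as a slave needs an NS record plus a matching A record
@        IN  NS   ns1.contoso.com.
@        IN  NS   ns2.contoso.com.
ns1      IN  A    172.16.10.10
ns2      IN  A    172.16.10.20
www      IN  A    172.16.10.100
; delegation of the child zone: an NS record for blog.contoso.com plus a glue A record
; for its name server, so queries for names under blog.contoso.com go to the child server
blog     IN  NS   ns1.blog.contoso.com.
ns1.blog IN  A    172.16.10.30
```

If the child server at 172.16.10.30 is down, names under blog.contoso.com fail to resolve from the parent, which is the condition logged in /var/log/messages.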

5. In the child domain DNS server's configuration file /etc/named.rfc1912.zones, create not only its own zone but also a zone for the parent domain. The forwarding mode can be first or only (first means forward first and fall back to recursion if forwarding fails; only means forward only). Here only is used as the example, and the address of the DNS server to forward to is specified.

6. In the options global section of the child domain DNS server's main configuration file /etc/named.conf, all other queries are forwarded to a DNS server on the Internet; because contoso.com and blog.contoso.com are explicitly defined on the child domain server, the zone-level forwarding takes precedence over the global forwarding.

7. Resolving www.contoso.com through the child domain's DNS server, you can see that it resolves the address by forwarding to the parent domain's DNS server.
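The child-domain server configuration for steps 1, 5 and 6, as an added example that is not from the original post. The child server address 172.16.10.30 and the client network are assumptions, and 8.8.8.8 stands in for "a DNS server on the Internet".

```conf
// /etc/named.conf on the child-domain server 172.16.10.30 (constructed example;
// addresses other than 172.16.10.10 are assumptions)
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { localhost; 172.16.10.0/24; }; // only our own clients may ask
    recursion yes;                  // step 1: a caching server that answers recursive queries
    dnssec-validation no;           // step 1: must be no; leaving the line commented out means yes,
                                    // and then the answers forwarded from the lab servers are rejected
    forwarders { 8.8.8.8; };        // step 6: global forwarding for everything not matched below
};

include "/etc/named.rfc1912.zones";

// --- in /etc/named.rfc1912.zones on the same host (step 5) ---
zone "blog.contoso.com" IN {
    type master;
    file "blog.contoso.com.zone";
};

// Zone-level forwarding for the parent: more specific than the global forwarders,
// so www.contoso.com is sent to 172.16.10.10 instead of being looked up from the root.
zone "contoso.com" IN {
    type forward;
    forward only;                   // "first" would fall back to recursion if 172.16.10.10 fails
    forwarders { 172.16.10.10; };
};
```

With forward only, a query for www.contoso.com fails outright when 172.16.10.10 is unreachable; forward first would instead walk down from the root as in the original figure.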
