1. Make serverb the primary name server for backend.lab.example.com and for the reverse zones of 192.168.0/24 and fde2:6494:1e09:2::/64.
Install BIND9 on serverb. Configure BIND according to the following specification:
- Listen for IPv4 and IPv6 queries on any interface.
- Allow localhost, 172.25.250.254 and 192.168.0.0/24 to request resource data.
- Disable recursion.
- Remove the root (.) hints section.
- Add an include statement for /etc/named.backend.conf.
- Configure the zone directives in /etc/named.backend.conf to reference your zone files. You can copy this file from ~/dns-review/files/primary-named.backend.conf on workstation.
- Copy the existing zone files from ~/dns-review/files/zones on workstation to /var/named on serverb and make sure named can read them.
1.8.1 Review the playbook configuration
[student@workstation ~]$ cat ~/dns-review/configure_primary.yml
---
- name: Configure primary nameserver
  hosts: primary_dns
  remote_user: devops
  become: yes
  tasks:
    - name: Install BIND9
      yum:
        name: bind
        state: present
    - name: Copy primary config file
      copy:
        src: files/primary-named.conf
        dest: /etc/named.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy zone files to primary
      copy:
        src: files/zones/
        dest: /var/named
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Copy named.backend conf file
      copy:
        src: files/primary-named.backend.conf
        dest: /etc/named.backend.conf
        owner: root
        group: named
        mode: 0640
      notify:
        - reload_named
    - name: Add dns service on firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes
    - name: Make sure named is running
      service:
        name: named
        state: started
        enabled: yes
  handlers:
    - name: reload_named
      service:
        name: named
        state: reloaded
1.8.2 Files referenced from the playbook's files directory
- src: files/primary-named.conf
- src: files/zones/
- src: files/primary-named.backend.conf
files/primary-named.conf
[student@workstation ~]$ cat ~/dns-review/files/primary-named.conf
# /etc/named.conf (primary/secondary)
#
# Template file for BIND labs.
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    allow-transfer { 192.168.0.12; };
    allow-query { localhost; 172.25.250.254; 192.168.0.0/24; };
    recursion no;
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
files/zones/
[student@workstation ~]$ ls -l ~/dns-review/files/zones/
total 12
-rw-rw-r--. 1 student student 801 Jul 30 2020 192.168.0.zone
-rw-rw-r--. 1 student student 984 Jul 30 2020 backend.lab.example.com.zone
-rw-rw-r--. 1 student student 813 Jul 30 2020 fde2.6494.1e09.2.zone
[student@workstation ~]$ cat ~/dns-review/files/zones/192.168.0.zone
$TTL 300
@   IN  SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805  ; serial number
        1H          ; refresh secondary
        5M          ; retry refresh
        1W          ; expire zone
        1M )        ; cache time-to-live for negative answers
; owner                      TTL  CL  type  RDATA
                             600  IN  NS    serverb.backend.lab.example.com.
10.0.168.192.IN-ADDR.ARPA.        IN  PTR   servera.backend.lab.example.com.
11                                IN  PTR   serverb.backend.lab.example.com.
12                                IN  PTR   serverc.backend.lab.example.com.
13                                IN  PTR   serverd.backend.lab.example.com.
[student@workstation ~]$ cat ~/dns-review/files/zones/backend.lab.example.com.zone
$TTL 300
@   IN  SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041806  ; serial number
        1H          ; refresh secondary
        5m          ; retry refresh
        1w          ; expire zone
        1m )        ; cache time-to-live for negative answers
; owner   TTL  CL  type  RDATA
          600  IN  NS    serverb
servera        IN  A     192.168.0.10
serverb        IN  A     192.168.0.11
serverc        IN  A     192.168.0.12
serverd        IN  A     192.168.0.13
servera        IN  AAAA  fde2:6494:1e09:2::a
serverb        IN  AAAA  fde2:6494:1e09:2::b
serverc        IN  AAAA  fde2:6494:1e09:2::c
serverd        IN  AAAA  fde2:6494:1e09:2::d
[student@workstation ~]$ cat ~/dns-review/files/zones/fde2.6494.1e09.2.zone
$TTL 300
@   IN  SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805  ; serial number
        1H          ; refresh secondary
        5M          ; retry refresh
        1W          ; expire zone
        1M )        ; cache time-to-live for negative answers
; owner                            TTL  CL  type  RDATA
                                   600  IN  NS    serverb.backend.lab.example.com.
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN  PTR   servera.backend.lab.example.com.
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN  PTR   serverb.backend.lab.example.com.
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN  PTR   serverc.backend.lab.example.com.
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN  PTR   serverd.backend.lab.example.com.
files/primary-named.backend.conf
[student@workstation ~]$ cat ~/dns-review/files/primary-named.backend.conf
zone "backend.lab.example.com" IN {
    type master;
    file "backend.lab.example.com.zone";
    forwarders { };
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    forwarders { };
};
zone "2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa" IN {
    type master;
    file "fde2.6494.1e09.2.zone";
    forwarders { };
};
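Before the zone files above are published, it is worth checking that the forward zone and the two reverse zones agree with each other, since a stale or mistyped PTR is a common source of failed reverse lookups and misleading log entries. The following check is an added example and not part of the lab materials: it parses zone text (the multi-line SOA, the inherited owner on the NS record, the fully qualified IN-ADDR.ARPA owner and the ip6.arpa nibble names all appear in the lab files), builds the expected reverse name for every A/AAAA record with Python's ipaddress module, and reports any PTR that is missing, points elsewhere, or has no forward record backing it. The sample zone text is constructed from the files shown, with serverb's IPv6 PTR deliberately pointing at serverc so that the check has a mismatch to report.

```python
import ipaddress, re
# Sample zone text constructed from the lab files; serverb's IPv6 PTR is deliberately wrong.
FWD_ORIGIN = "backend.lab.example.com"
FWD_ZONE = """@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041806 1h 5m 1w 1m )  ; serial refresh retry expire negative-ttl
    600 IN NS serverb
servera IN A 192.168.0.10
servera IN AAAA fde2:6494:1e09:2::a
serverb IN AAAA fde2:6494:1e09:2::b
"""
REV_ZONES = {  # reverse zone origin -> zone text
    "0.168.192.in-addr.arpa": "10.0.168.192.IN-ADDR.ARPA. IN PTR servera.backend.lab.example.com.\n",
    "2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa": """A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR servera.backend.lab.example.com.
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverc.backend.lab.example.com.
""",
}
def fqdn(name, origin):
    # '@' is the origin, a trailing dot means absolute, anything else is relative to origin
    name = name.lower()
    return origin if name == "@" else name[:-1] if name.endswith(".") else f"{name}.{origin}"
def parse_records(text, origin):
    # Yield (owner_fqdn, TYPE, rdata); ';' comments and the '( ... )' SOA block are dropped
    text = re.sub(r"\([^)]*\)", "", re.sub(r";[^\n]*", "", text))
    owner = "@"
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"): continue  # blank line or $TTL directive
        if not line[0].isspace():  # a blank owner column inherits the previous owner
            owner = tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class fields
        if len(tokens) >= 2:
            yield fqdn(owner, origin), tokens[0].upper(), " ".join(tokens[1:])
def check_zones(fwd_text, fwd_origin, rev_zones):
    # Return forward/reverse mismatches as strings; an empty list means the zones agree
    fwd, ptr, problems = {}, {}, []
    for name, rtype, rdata in parse_records(fwd_text, fwd_origin.lower()):
        if rtype in ("A", "AAAA"):
            fwd.setdefault(name, set()).add(ipaddress.ip_address(rdata))
    for origin, text in rev_zones.items():
        for owner, rtype, rdata in parse_records(text, origin.lower()):
            if rtype == "PTR": ptr[owner] = fqdn(rdata, origin.lower())
    for name, addrs in fwd.items():
        for ip in sorted(addrs, key=str):  # ip.reverse_pointer is the expected PTR owner
            if ptr.get(ip.reverse_pointer) != name:
                problems.append(f"{ip}: PTR is {ptr.get(ip.reverse_pointer)}, expected {name}")
    for owner, target in ptr.items():
        if not any(ip.reverse_pointer == owner for ip in fwd.get(target, ())):
            problems.append(f"{owner}: PTR to {target} has no matching A/AAAA record")
    return problems
```

Running check_zones(FWD_ZONE, FWD_ORIGIN, REV_ZONES) on the sample reports two findings for the bad PTR (the AAAA record with the wrong reverse entry, and the PTR target with no forward record); the same functions can be pointed at the real files from ~/dns-review/files/zones.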
1.8.3 Review the inventory host list
[student@workstation ~]$ cat /home/student/dns-review/inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com
2. Configure a caching name server on servera that meets the following requirements:
- Install the unbound package on servera.
- Configure unbound to allow queries from the 172.25.250.0/24 subnet, exempt the example.com zone from DNSSEC validation, and forward all queries to 172.25.250.254.
- Start and enable unbound, and configure the firewall to allow DNS traffic on the server.
The template ~/dns-review/templates/unbound.conf.j2 has the following content:
[student@workstation ~]$ cat ~/dns-review/templates/unbound.conf.j2
server:
    interface-automatic: {{ interface_automatic }}
    access-control: {{ access_control }}
    domain-insecure: "{{ domain_insecure }}"
forward-zone:
    name: "{{ forward_zone_name }}"
    forward-addr: {{ forward_zone_addr }}
The playbook ~/dns-review/configure_caching.yml is shown below:
[student@workstation ~]$ cat ~/dns-review/configure_caching.yml
---
- name: Install cache only nameserver
  hosts: caching_dns
  remote_user: devops
  become: true
  vars:
    interface_automatic: "yes"
    access_control: "172.25.250.0/24 allow"
    domain_insecure: example.com
    forward_zone_name: .
    forward_zone_addr: "172.25.250.254"
  tasks:
    - name: Install cache only nameserver
      yum:
        name: unbound
        state: present
      notify:
        - restart_unbound
    - name: Create configuration file on caching server host
      template:
        src: unbound.conf.j2
        dest: /etc/unbound/conf.d/unbound.conf
      notify:
        - restart_unbound
    - name: Add dns service to firewall
      firewalld:
        service: dns
        state: enabled
        immediate: yes
        permanent: yes
    - name: Make sure unbound is running and enabled
      service:
        name: unbound
        state: started
        enabled: yes
  handlers:
    - name: restart_unbound
      service:
        name: unbound
        state: restarted
        enabled: true
2.8.1 Review the inventory configuration
[student@workstation ~]$ cat ~/dns-review/inventory
[control_node]
workstation.lab.example.com
[caching_dns]
servera.lab.example.com
[primary_dns]
serverb.lab.example.com
[secondary_dns]
serverc.lab.example.com