The Domain Name System (DNS) service


What is DNS?

The Domain Name System (DNS) is the phone book of the whole Internet: it translates human-readable domain names into machine-readable IP addresses, so that Internet users no longer have to deal directly with IP addresses that are hard to read and remember.

DNS matters a great deal on today's Internet because a server's IP address may change frequently. Without DNS, the moment an IP address changed, the server's clients would have no way to reach it. If instead we give the IP address an "alias" and update the mapping between the alias and the IP address whenever it changes, the service a cluster exposes can be reached by clients in a relatively stable way.

DNS is in fact a distributed, tree-structured naming system: it behaves like a decentralized distributed database that stores the mapping from domain names to IP addresses.

Local name resolution configuration file: hosts

Linux: /etc/hosts

Windows: %WINDIR%/system32/drivers/etc/hosts

DNS uses a client/server (C/S) architecture; the server side listens on 53/udp and 53/tcp

FQDN: fully qualified domain name = host name (alias) + domain name (the organization, an independent namespace)

BIND: Berkeley Internet Name Domain, the DNS software implementation provided by ISC


DNS domain name structure


  • Root domain
  • First-level domain: Top Level Domain (TLD)
    • com, edu, mil, gov, org, ...
    • Three kinds: organizational (generic) domains, country domains (.cn, .ca, ...), and the reverse domain
  • Second-level domain: baidu.com
  • Third-level domain: img.baidu.com
  • A name can have at most 127 levels

How DNS works

Put simply: when you enter a domain name, DNS returns an IP address.

Although only one IP address needs to come back, the DNS query process is quite involved and proceeds in several steps.


  1. The DNS client sends the DNS resolver a request to resolve the domain name www.baidu.com
  2. The resolver first asks the nearest root DNS server (for ".") for the address of the top-level domain's DNS server; every DNS server knows the addresses of the root servers
  3. Having obtained the address of the com. servers from the root, the resolver asks the .com name server which name server is responsible for baidu.com., and gets that server's address
  4. Having obtained the address of the baidu.com. name server, the resolver asks it to resolve www.baidu.com. and receives the result
  5. The resolver hands the result to the DNS client
  6. The resolver stores the result in its query cache; later queries for the same name are answered straight from the cache (the local host has a cache as well)
    • Windows: ipconfig /displaydns
    • Linux: no cache by default, only the local hosts file

Full path of a query request

Client -> hosts file -> client DNS service local cache -> DNS server (recursion) -> DNS server cache -> iteration -> root -> TLD DNS -> second-level domain DNS -> ...

# recursion: recursive query
# iteration: iterative query

Once the DNS client has received the IP address, the DNS resolution process is over, and the client then sends its request directly to the server at that IP address.

For the DNS resolver, the query mode used here is iterative: a DNS server does not return the final record directly but returns the location of another DNS server, and the resolver queries the servers at each level in turn until it obtains the expected result. The other query mode is recursive: after receiving the client's request, the DNS server returns the exact answer itself; if it does not hold the record, it queries other servers on the client's behalf and returns the result to the client.
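A small Python model of the two query modes, added here as an example (it is not from the original notes and not BIND code). The server tree, the zone names and the 192.0.2.10 address are constructed; the point is to see that in the iterative mode the resolver follows each referral itself, while a recursive server hides that walk from the client and caches the result:

```python
"""Toy model of iterative vs. recursive resolution over a constructed name tree.

Added example, not part of the original notes. The server names, the zone
tree and the 192.0.2.10 address below are constructed for illustration.
"""
from __future__ import annotations

# Constructed authoritative data. Each server knows either a referral
# ("ask this other server for that zone") or a final answer (an A record).
SERVERS = {
    "root":     {"com.": ("referral", "com-tld")},
    "com-tld":  {"baidu.com.": ("referral", "baidu-ns")},
    "baidu-ns": {"www.baidu.com.": ("answer", "192.0.2.10")},
}


def closest_match(server: str, qname: str) -> tuple[str, str | None]:
    """Find the longest suffix of qname that this server has data for."""
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in SERVERS[server]:
            return SERVERS[server][suffix]
    return ("nodata", None)


def iterative_resolve(qname: str, start: str = "root") -> tuple[str | None, list[str]]:
    """Iterative query: the resolver itself follows each referral from the root
    down until a server returns the final answer. Returns (answer, servers asked)."""
    path: list[str] = []
    server = start
    while True:
        path.append(server)
        kind, value = closest_match(server, qname)
        if kind == "answer":
            return value, path
        if kind == "referral":
            server = value          # referral: go ask the next server down the tree
            continue
        return None, path           # nobody on the path knows the name


class RecursiveResolver:
    """Recursive query as seen by a client: the server returns the final answer
    itself, doing the iterative work on the client's behalf and caching it."""

    def __init__(self) -> None:
        self.cache: dict[str, str] = {}
        self.upstream_queries = 0   # how many servers we had to ask in total

    def query(self, qname: str) -> str | None:
        if qname in self.cache:     # cache hit: no upstream traffic at all
            return self.cache[qname]
        answer, path = iterative_resolve(qname)
        self.upstream_queries += len(path)
        if answer is not None:
            self.cache[qname] = answer
        return answer


if __name__ == "__main__":
    print(iterative_resolve("www.baidu.com."))
    r = RecursiveResolver()
    print(r.query("www.baidu.com."), r.query("www.baidu.com."), r.upstream_queries)
```

The second `query` call is served from the cache, so the upstream counter stays at three; that is exactly what step 6 above describes.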

The Yeti DNS Project (雪人计划)

The root servers are the most important strategic infrastructure of the global Internet, the "hub" of Internet communication. For various reasons, the number of root servers on the existing Internet has always been limited to 13. The Yeti DNS Project is a test and operations experiment for next-generation (IPv6) Internet root servers built on a new technical architecture. It was formally launched on 23 June 2015; Liu Dong, director of China's Next Generation Internet Engineering Center and the project's first executive chairman, said the project would break the root server deadlock and move the global Internet towards multilateral governance.

In November 2017, according to reports, the Yeti project led by the Next Generation Internet National Engineering Center had deployed 25 IPv6 (Internet Protocol version 6) root servers worldwide, 4 of them in China, ending China's previous lack of root servers.

DNS query types

  • Recursive query: the query returns the final result
  • Iterative query: each query returns a partial result; the final answer is reached step by step

Resolution types

  • FQDN -> IP: forward resolution
  • IP -> FQDN: reverse resolution

Note

Forward and reverse resolution are two different namespaces; put plainly, they are two separate resolution trees.

DNS service concepts and techniques

Types of DNS servers

  • Primary (master) DNS server

  • Secondary (slave) DNS server

  • Caching DNS server (forwarder)

    Primary DNS server

    The server that manages and maintains the zone database for the domains it is responsible for

    Secondary DNS server

    "Copies" the zone database from the primary or from another secondary (zone transfer)

    Serial number: the version number of the zone database; when the primary's zone changes, its serial is incremented

    Refresh interval: how often the secondary asks the primary to synchronize the zone

    Retry interval: how long the secondary waits before trying again after a failed synchronization

    Expire time: how long after losing contact with the primary the secondary stops serving the zone

    Notify mechanism: when the primary's zone database changes, it actively notifies the secondaries

Internet domain names

Domain registration:

  • HiChina (万网): acquired by Alibaba
  • Xinnet (新网): acquired by Tencent
  • GoDaddy

Building a DNS server with BIND

DNS server software: bind, powerdns, unbound

BIND-related packages

[root@localhost ~]# yum list all bind*
bind		# the server
bind-libs	# shared libraries
bind-utils	# client tools
bind-chroot	# hardening package: keeps the DNS files under /var/named/chroot

[root@localhost ~]# rpm -qa bind*
bind-libs-lite-9.11.4-9.P2.el7.x86_64
bind-license-9.11.4-9.P2.el7.noarch
bind-export-libs-9.11.4-9.P2.el7.x86_64
bind-utils-9.11.4-9.P2.el7.x86_64
bind-libs-9.11.4-9.P2.el7.x86_64

Install bind and bind-utils

[root@localhost ~]# yum install bind bind-utils -y
[root@localhost ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.

Common client test tools in bind-utils

[root@localhost ~]# rpm -ql bind-utils
/etc/trusted-key.key
/usr/bin/delv
/usr/bin/dig
/usr/bin/host
/usr/bin/mdig
/usr/bin/nslookup
/usr/bin/nsupdate
...

Files in the bind package

[root@localhost ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
# main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/lib/python2.7/site-packages/isc
/usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
/usr/lib/python2.7/site-packages/isc/__init__.py
/usr/lib/python2.7/site-packages/isc/__init__.pyc
/usr/lib/python2.7/site-packages/isc/__init__.pyo
/usr/lib/python2.7/site-packages/isc/checkds.py
/usr/lib/python2.7/site-packages/isc/checkds.pyc
/usr/lib/python2.7/site-packages/isc/checkds.pyo
/usr/lib/python2.7/site-packages/isc/coverage.py
/usr/lib/python2.7/site-packages/isc/coverage.pyc
/usr/lib/python2.7/site-packages/isc/coverage.pyo
/usr/lib/python2.7/site-packages/isc/dnskey.py
/usr/lib/python2.7/site-packages/isc/dnskey.pyc
/usr/lib/python2.7/site-packages/isc/dnskey.pyo
/usr/lib/python2.7/site-packages/isc/eventlist.py
/usr/lib/python2.7/site-packages/isc/eventlist.pyc
/usr/lib/python2.7/site-packages/isc/eventlist.pyo
/usr/lib/python2.7/site-packages/isc/keydict.py
/usr/lib/python2.7/site-packages/isc/keydict.pyc
/usr/lib/python2.7/site-packages/isc/keydict.pyo
/usr/lib/python2.7/site-packages/isc/keyevent.py
/usr/lib/python2.7/site-packages/isc/keyevent.pyc
/usr/lib/python2.7/site-packages/isc/keyevent.pyo
/usr/lib/python2.7/site-packages/isc/keymgr.py
/usr/lib/python2.7/site-packages/isc/keymgr.pyc
/usr/lib/python2.7/site-packages/isc/keymgr.pyo
/usr/lib/python2.7/site-packages/isc/keyseries.py
/usr/lib/python2.7/site-packages/isc/keyseries.pyc
/usr/lib/python2.7/site-packages/isc/keyseries.pyo
/usr/lib/python2.7/site-packages/isc/keyzone.py
/usr/lib/python2.7/site-packages/isc/keyzone.pyc
/usr/lib/python2.7/site-packages/isc/keyzone.pyo
/usr/lib/python2.7/site-packages/isc/parsetab.py
/usr/lib/python2.7/site-packages/isc/parsetab.pyc
/usr/lib/python2.7/site-packages/isc/parsetab.pyo
/usr/lib/python2.7/site-packages/isc/policy.py
/usr/lib/python2.7/site-packages/isc/policy.pyc
/usr/lib/python2.7/site-packages/isc/policy.pyo
/usr/lib/python2.7/site-packages/isc/rndc.py
/usr/lib/python2.7/site-packages/isc/rndc.pyc
/usr/lib/python2.7/site-packages/isc/rndc.pyo
/usr/lib/python2.7/site-packages/isc/utils.py
/usr/lib/python2.7/site-packages/isc/utils.pyc
/usr/lib/python2.7/site-packages/isc/utils.pyo
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
# service unit file
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
# main program
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
# stops or reloads the service
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/usr/share/doc/bind-9.11.4
/usr/share/doc/bind-9.11.4/Bv9ARM.ch01.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch02.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch03.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch04.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch05.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch06.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch07.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch08.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch09.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch10.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch11.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch12.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch13.html
/usr/share/doc/bind-9.11.4/Bv9ARM.html
/usr/share/doc/bind-9.11.4/Bv9ARM.pdf
/usr/share/doc/bind-9.11.4/CHANGES
/usr/share/doc/bind-9.11.4/README
/usr/share/doc/bind-9.11.4/isc-logo.pdf
/usr/share/doc/bind-9.11.4/man.arpaname.html
/usr/share/doc/bind-9.11.4/man.ddns-confgen.html
/usr/share/doc/bind-9.11.4/man.delv.html
/usr/share/doc/bind-9.11.4/man.dig.html
/usr/share/doc/bind-9.11.4/man.dnssec-checkds.html
/usr/share/doc/bind-9.11.4/man.dnssec-coverage.html
/usr/share/doc/bind-9.11.4/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-importkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.11.4/man.dnssec-keygen.html
/usr/share/doc/bind-9.11.4/man.dnssec-keymgr.html
/usr/share/doc/bind-9.11.4/man.dnssec-revoke.html
/usr/share/doc/bind-9.11.4/man.dnssec-settime.html
/usr/share/doc/bind-9.11.4/man.dnssec-signzone.html
/usr/share/doc/bind-9.11.4/man.dnssec-verify.html
/usr/share/doc/bind-9.11.4/man.dnstap-read.html
/usr/share/doc/bind-9.11.4/man.genrandom.html
/usr/share/doc/bind-9.11.4/man.host.html
/usr/share/doc/bind-9.11.4/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.11.4/man.lwresd.html
/usr/share/doc/bind-9.11.4/man.mdig.html
/usr/share/doc/bind-9.11.4/man.named-checkconf.html
/usr/share/doc/bind-9.11.4/man.named-checkzone.html
/usr/share/doc/bind-9.11.4/man.named-journalprint.html
/usr/share/doc/bind-9.11.4/man.named-nzd2nzf.html
/usr/share/doc/bind-9.11.4/man.named-rrchecker.html
/usr/share/doc/bind-9.11.4/man.named.conf.html
/usr/share/doc/bind-9.11.4/man.named.html
/usr/share/doc/bind-9.11.4/man.nsec3hash.html
/usr/share/doc/bind-9.11.4/man.nslookup.html
/usr/share/doc/bind-9.11.4/man.nsupdate.html
/usr/share/doc/bind-9.11.4/man.pkcs11-destroy.html
/usr/share/doc/bind-9.11.4/man.pkcs11-keygen.html
/usr/share/doc/bind-9.11.4/man.pkcs11-list.html
/usr/share/doc/bind-9.11.4/man.pkcs11-tokens.html
/usr/share/doc/bind-9.11.4/man.rndc-confgen.html
/usr/share/doc/bind-9.11.4/man.rndc.conf.html
/usr/share/doc/bind-9.11.4/man.rndc.html
/usr/share/doc/bind-9.11.4/named.conf.default
/usr/share/doc/bind-9.11.4/notes.html
/usr/share/doc/bind-9.11.4/notes.pdf
/usr/share/doc/bind-9.11.4/sample
/usr/share/doc/bind-9.11.4/sample/etc
/usr/share/doc/bind-9.11.4/sample/etc/named.conf
/usr/share/doc/bind-9.11.4/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.11.4/sample/var
/usr/share/doc/bind-9.11.4/sample/var/named
/usr/share/doc/bind-9.11.4/sample/var/named/data
/usr/share/doc/bind-9.11.4/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/named.ca
/usr/share/doc/bind-9.11.4/sample/var/named/named.empty
/usr/share/doc/bind-9.11.4/sample/var/named/named.localhost
/usr/share/doc/bind-9.11.4/sample/var/named/named.loopback
/usr/share/doc/bind-9.11.4/sample/var/named/slaves
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man1/named-rrchecker.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-checkds.8.gz
/usr/share/man/man8/dnssec-coverage.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-importkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-keymgr.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/dnssec-verify.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/usr/share/man/man8/tsig-keygen.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves

Start the service

[root@localhost ~]# systemctl start named
[root@localhost ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Check the listening ports

[root@localhost ~]# ss -nutlp
Netid  State      Recv-Q Send-Q    Local Address:Port                   Peer Address:Port
udp    UNCONN     0      0                 [::1]:53                             [::]:*                   users:(("named",pid=67617,fd=513))
tcp    LISTEN     0      128               [::1]:953                            [::]:*                   users:(("named",pid=67617,fd=24))
tcp    LISTEN     0      10                [::1]:53                             [::]:*                   users:(("named",pid=67617,fd=22))

Building a primary DNS server

Preparation

Two hosts: one acts as the DNS server, the other as the client

Configure the DNS server's /etc/resolv.conf so that DNS points at its own IP

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=fc4d728c-858c-41f2-9a0f-8bcbcdfdb804
DEVICE=ens33
ONBOOT=yes
DNS1=127.0.0.1
DNS2=180.76.76.76

After the change, apply it:

nmcli connection reload
nmcli connection up ens33

Once applied, the DNS entries in /etc/resolv.conf have changed

[root@localhost ~]# nmcli connection reload 
[root@localhost ~]# nmcli connection up ens33 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@localhost ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain CentOS8
nameserver 127.0.0.1
nameserver 180.76.76.76

Using the test tools host, dig and nslookup

host www.baidu.com DNSSERVER

dig www.baidu.com @DNSSERVER

nslookup can be used interactively

host

[root@localhost ~]# host www.baidu.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 14.215.177.38
www.a.shifen.com has address 14.215.177.39

dig

[root@localhost ~]# dig www.baidu.com @127.0.0.1

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46479
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 49986308e0fe172f521523215ee786b8e2cf8877826cd9f9 (good)
;; QUESTION SECTION:# the question: resolve www.baidu.com to an A record
;www.baidu.com.			IN	A

;; ANSWER SECTION:# the result
www.baidu.com.		1142	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	244	IN	A	14.215.177.38
www.a.shifen.com.	244	IN	A	14.215.177.39

;; AUTHORITY SECTION:
a.shifen.com.		1143	IN	NS	ns2.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns1.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns5.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns4.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns3.a.shifen.com.

;; ADDITIONAL SECTION:
ns1.a.shifen.com.	1143	IN	A	61.135.165.224
ns4.a.shifen.com.	1143	IN	A	14.215.177.229
ns5.a.shifen.com.	1143	IN	A	180.76.76.95
ns3.a.shifen.com.	1143	IN	A	112.80.255.253
ns2.a.shifen.com.	1143	IN	A	220.181.33.32

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 10:33:28 EDT 2020
;; MSG SIZE  rcvd: 299

nslookup: supported on both Windows and Linux, and interactive

[root@localhost ~]# nslookup 
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.baidu.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:# not an authoritative result
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39

Is the returned content an authoritative result?

[root@localhost ~]# dig www.baidu.com @106.11.211.61

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.baidu.com @106.11.211.61
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 675
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
			# the aa flag here means the answer is authoritative
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; AUTHORITY SECTION:
baidu.com.		600	IN	SOA	ns1.alidns.com. hostmaster.hichina.com. 2019090319 3600 1200 86400 360

;; Query time: 34 msec
;; SERVER: 106.11.211.61#53(106.11.211.61)
;; WHEN: Mon Jun 15 10:43:10 EDT 2020
;; MSG SIZE  rcvd: 114

[root@localhost ~]# nslookup 
> server 106.11.211.61
Default server: 106.11.211.61
Address: 106.11.211.61#53
> www.baidu.com
Server:		106.11.211.61
Address:	106.11.211.61#53

www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39
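To pick the aa flag and the negative-caching TTL out of such output automatically, here is a small Python parser, added as an example (not from the original notes). The two transcripts embedded in it are constructed, shortened copies of the dig runs above:

```python
"""Parse dig output and decide whether the answer is authoritative.

Added example, not from the original notes. The two transcripts below are
constructed, shortened copies of the dig runs shown in the notes.
"""
import re
from dataclasses import dataclass, field

# Constructed sample 1: answer from the local caching server (no aa flag).
CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46479
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		1142	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	244	IN	A	14.215.177.38
www.a.shifen.com.	244	IN	A	14.215.177.39

;; AUTHORITY SECTION:
a.shifen.com.		1143	IN	NS	ns2.a.shifen.com.
"""

# Constructed sample 2: answer straight from baidu.com's authoritative server.
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 675
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; AUTHORITY SECTION:
baidu.com.		600	IN	SOA	ns1.alidns.com. hostmaster.hichina.com. 2019090319 3600 1200 86400 360
"""


@dataclass
class DigResult:
    status: str
    flags: set
    answers: list = field(default_factory=list)    # (owner, ttl, type, rdata)
    authority: list = field(default_factory=list)

    @property
    def authoritative(self) -> bool:
        return "aa" in self.flags        # aa = the responding server owns the zone

    @property
    def recursion_available(self) -> bool:
        return "ra" in self.flags        # ra = the server will recurse for you


def parse_dig(text: str) -> DigResult:
    status, flags, section = "UNKNOWN", set(), None
    answers, authority = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else status
        elif line.startswith(";; flags:"):
            flags = set(line.split(";")[2].replace("flags:", "").split())
        elif line.startswith(";;"):
            # section headers; any other ';;' line (warning, stats) ends the section
            section = ("answer" if "ANSWER SECTION" in line
                       else "authority" if "AUTHORITY SECTION" in line else None)
        elif line.startswith(";"):
            continue                      # question line / OPT pseudosection
        elif section:
            owner, ttl, _cls, rtype, *rdata = line.split()
            (answers if section == "answer" else authority).append(
                (owner, int(ttl), rtype, " ".join(rdata)))
    return DigResult(status, flags, answers, authority)


def negative_cache_ttl(result: DigResult):
    """For NXDOMAIN, how long a resolver may cache the negative answer:
    min(SOA record TTL, SOA minimum field), per RFC 2308. None if no SOA."""
    for _owner, ttl, rtype, rdata in result.authority:
        if rtype == "SOA":
            return min(ttl, int(rdata.split()[-1]))
    return None
```

The NXDOMAIN answer carries no A record, so the only thing a resolver can cache is the negative result, and for how long is governed by the SOA minimum field (360 here) rather than the 600-second TTL on the SOA itself.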

Make the DNS service listen on all addresses

Edit the configuration file

[root@localhost ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback

# /etc/named.conf


[root@localhost ~]# vim /etc/named.conf

//
// named.conf
//
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
        listen-on port 53 { 127.0.0.1; };// change to localhost or 0.0.0.0; commenting this line out has the same effect
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";// default directory for zone files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; };// who may query; can be changed to any, or comment the line out for the same effect

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes; // DNSSEC options; best changed to no
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";// the addresses of the 13 IPv4 root servers on the Internet; the file lives under the directory "/var/named" set above
};
// include other zones' configuration files; use the same include approach when adding our own zones
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Check the syntax

[root@localhost ~]# named-checkconf 
[root@localhost ~]# rndc reload
server reload successful

At this point the server already works as a DNS forwarder (caching resolver)

Inspect the contents of named.ca

[root@localhost ~]# cat /var/named/named.ca 

; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:# the 13 root servers
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
# IPv4 addresses
a.root-servers.net.	518400	IN	A	198.41.0.4
b.root-servers.net.	518400	IN	A	199.9.14.201
c.root-servers.net.	518400	IN	A	192.33.4.12
d.root-servers.net.	518400	IN	A	199.7.91.13
e.root-servers.net.	518400	IN	A	192.203.230.10
f.root-servers.net.	518400	IN	A	192.5.5.241
g.root-servers.net.	518400	IN	A	192.112.36.4
h.root-servers.net.	518400	IN	A	198.97.190.53
i.root-servers.net.	518400	IN	A	192.36.148.17
j.root-servers.net.	518400	IN	A	192.58.128.30
k.root-servers.net.	518400	IN	A	193.0.14.129
l.root-servers.net.	518400	IN	A	199.7.83.42
m.root-servers.net.	518400	IN	A	202.12.27.33
# IPv6 addresses		  the cache time 518400 is in seconds
a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	518400	IN	AAAA	2001:500:200::b
c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
m.root-servers.net.	518400	IN	AAAA	2001:dc3::35

;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE  rcvd: 811

After changing the configuration, prefer reload over restarting the service

  • Restarting changes the PID and disconnects users who are currently being served
rndc reload

Implementing forward resolution

Resolve flamenca.com to an IP

Primary forward-resolution DNS server

type: master

type: hint

Primary DNS server configuration

// in /etc/named.conf
// comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query     { localhost; };

// the zone this server resolves
zone "ZONE_NAME" IN {
        type {hint|master|slave|forward};
        file "ZONE_NAME.zone";
};

// import the zone data configuration via include
include "/etc/named.XXX.zones";
// for example
include "/etc/named.rfc1912.zones";

Look at the included file /etc/named.rfc1912.zones

[root@localhost ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "flamenca.com" IN {
    type master;
    file "flamenca.com.zone"; // this file still has to be created
};
    
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

Set the zone file's permissions and owning group

When creating your own zone file, make sure the permissions match: the mode is normally 640 and the owning group is named

[root@localhost named]# cd /var/named/
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named   23 Jun 15 10:31 data
drwxrwx---. 2 named named   60 Jun 17 06:50 dynamic
-rw-r-----. 1 root  named 2253 Apr 24 09:54 named.ca
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.empty
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.localhost
-rw-r-----. 1 root  named  168 Apr 24 09:54 named.loopback
drwxrwx---. 2 named named    6 Apr 24 09:54 slaves

Why give no permissions to other users? If "other" could read the zone data, an attacker could learn the company's network architecture from it and use that to plan an attack.

Create my zone file

[root@localhost named]# pwd
/var/named
[root@localhost named]# touch flamenca.com.zone
[root@localhost named]# id named
uid=25(named) gid=25(named) groups=25(named)
# change the owning group
[root@localhost named]# chgrp named flamenca.com.zone 
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named   23 Jun 15 10:31 data
drwxrwx---. 2 named named   60 Jun 17 06:50 dynamic
# the file I just created
-rw-r--r--  1 root  named    0 Jun 17 07:41 flamenca.com.zone
-rw-r-----. 1 root  named 2253 Apr 24 09:54 named.ca
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.empty
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.localhost
-rw-r-----. 1 root  named  168 Apr 24 09:54 named.loopback
drwxrwx---. 2 named named    6 Apr 24 09:54 slaves

[root@localhost named]# chmod o= flamenca.com.zone 
[root@localhost named]# ll flamenca.com.zone 
-rw-r----- 1 root named 0 Jun 17 07:41 flamenca.com.zone

Zone file reference

# named.localhost can be used as a template
[root@localhost named]# pwd
/var/named
[root@localhost named]# cat named.localhost  
###############   SOA   #######################

$TTL 1D # 1D = 1 day
# the zone this file manages
@	IN SOA	@ rname.invalid. (
					0	; serial # serial number
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum # TTL for negative answers
# when the owner name in front is left blank it is inherited from the previous record, i.e. @
	NS	@
	A	127.0.0.1
	AAAA	::1


###############################################

Resource record types

Zone database: made up of many RRs:

Resource record: Resource Record, RR

Record types: A, AAAA, PTR, SOA, NS, CNAME, MX

  • SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone

  • A: Internet Address; maps FQDN -> IPv4 address

  • AAAA: FQDN -> IPv6 address

  • PTR: PoinTeR; IP -> FQDN

  • NS: Name Server; names the DNS servers for the current zone

  • CNAME: Canonical Name; alias record

  • MX: Mail eXchange; mail exchanger

  • TXT: a way to label and annotate a domain name, generally used for verification records, e.g. SPF (anti-spam) records and HTTPS certificate validation, as in this example:

    _dnsauth TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    

Format of a resource record (RR) definition

name		[TTL]		IN		rr_type		value
#domain name	cache time	fixed value	one of the types above	IP

Notes:

  • TTL can be inherited from the global setting
  • The "@" symbol refers to the name of the current zone
  • One name can be defined by several records with different values; the DNS server then answers in round-robin fashion
  • One value may also be defined under several different names, i.e. several names pointing at the same value; this only means the same host can be reached through several different names

Primary/secondary synchronization

Push:

The primary pushes its data to the secondary to synchronize

Pull:

The secondary pulls the primary's data to itself to synchronize; this happens at intervals

Secondary server serial mechanism

  • Zone database version: when the zone database changes on the primary, its serial is incremented
  • Refresh interval: how often the secondary asks the primary to synchronize the zone
  • Retry interval: how long the secondary waits before trying again after a failed synchronization
  • Expire time: how long after losing contact with the primary the secondary stops serving the zone
  • Notify mechanism (push): when the primary's zone database changes, it actively notifies the secondaries

The condition for deciding whether data has changed: the zone's serial number
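The serial comparison and the refresh/retry/expire cycle, as a Python model added here as an example (not from the original notes and not BIND's code). The timers are the ones from the SOA examples in this section; the timeline, the serials and the YYYYMMDDnn serial convention are assumptions for illustration:

```python
"""SOA serial comparison (RFC 1982) and the refresh/retry/expire cycle of a
secondary server.

Added example, not from the original notes. The timer values are the ones from
the SOA examples in this section; the timeline and serials are constructed.
"""
from dataclasses import dataclass

HALF = 1 << 31   # serials live on a 32-bit circle


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is 'newer' than b under RFC 1982 serial arithmetic,
    so a zone whose serial wrapped past 2**32 is still seen as an update."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def next_serial(current: int, today: str) -> int:
    """Common YYYYMMDDnn convention (an assumption, not something the notes
    prescribe): restart the counter on a new day, otherwise bump it."""
    if str(current)[:8] == today:
        return current + 1
    return int(today) * 100


@dataclass
class Secondary:
    refresh: int
    retry: int
    expire: int
    serial: int
    last_success: int = 0     # when we last reached the primary
    next_check: int = 0       # when the next SOA check is due

    def step(self, now: int, primary_serial):
        """One SOA check. primary_serial is None when the primary is unreachable.
        Returns (action, still_serving)."""
        if now < self.next_check:
            action = "wait"
        elif primary_serial is None:
            self.next_check = now + self.retry       # failed: try again after retry
            action = "retry"
        else:
            self.last_success = now
            self.next_check = now + self.refresh     # ok: next check after refresh
            if serial_gt(primary_serial, self.serial):
                self.serial = primary_serial         # newer serial -> zone transfer
                action = "transfer"
            else:
                action = "up_to_date"
        return action, self.serving(now)

    def serving(self, now: int) -> bool:
        """After 'expire' seconds without contact the zone is dropped, so the
        secondary stops answering for it rather than serving stale data."""
        return now - self.last_success < self.expire


if __name__ == "__main__":
    s = Secondary(refresh=2 * 3600, retry=10 * 60, expire=7 * 86400, serial=1234)
    for t, primary in [(0, 1234), (7200, None), (7800, 1235)]:
        print(t, s.step(t, primary), s.serial)
```

Forgetting to bump the serial is the classic failure here: the primary may hold new data, but `serial_gt` returns False and the secondaries never transfer it.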

SOA record

  • name: the name of the current zone, e.g. "flamenca.com."
  • value: made up of several parts

Notes:

  • The FQDN of the zone's primary DNS server; the zone name itself may also be used

  • The zone administrator's e-mail address; the @ sign cannot be used in it and is normally replaced by a dot, e.g. admin.flamenca.com

  • The zone transfer parameters for the secondary, plus the common TTL for negative answers

Example:


# 									primary DNS server name		admin e-mail
flamenca.com.	86400	IN	SOA		ns.flamenca.com.	admin.flamenca.com.	(
		1234	;# serial number
		2H		;# refresh interval
		10M		;# retry interval
		1W		;# expire time, in weeks
		1D		;# TTL for negative answers: how long non-existent or erroneous lookups are cached
	)	

Now write our own, modelled on the above

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

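To make the RR format rules above concrete (TTL inheritance, the @ shorthand, blank owner names, relative names under the origin, round-robin for a name with several records, CNAME chasing), here is a minimal Python zone parser, added as an example; it is not from the original notes and not BIND's own loader. It reads the zone just written, with a second webserv A record added so that round-robin shows:

```python
"""Minimal zone-file parser for the record layout used in these notes.
Added example, not from the original notes. ZONE is the zone written above,
plus a second webserv A record to show round-robin answers."""
import re

ZONE = """\
$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
webserv A       192.168.33.131
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}
NAME_RDATA = {"NS", "CNAME", "PTR"}   # rdata that is itself a domain name


def ttl_seconds(text: str) -> int:
    """'1D' -> 86400, '10M' -> 600, '3600' -> 3600."""
    return sum(int(n) * UNITS.get(u.upper(), 1)
               for n, u in re.findall(r"(\d+)([a-zA-Z]?)", text))


def qualify(name: str, origin: str) -> str:
    """Turn '@' and relative names into fully qualified ones."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text: str):
    """Strip ';' comments and join records that span several lines inside ( )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text: str, origin: str):
    """Return (default_ttl, [(owner, ttl, type, [rdata...]), ...])."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, records, last_owner = None, [], origin
    for line in logical_lines(text):
        if line.startswith("$TTL"):
            default_ttl = ttl_seconds(line.split()[1])
            continue
        inherited = line[0].isspace()          # blank owner = same as previous record
        tokens = line.split()
        owner = last_owner if inherited else qualify(tokens.pop(0), origin)
        ttl = default_ttl                      # TTL inherited from $TTL unless given
        if tokens[0] != "IN" and tokens[0] not in TYPES:
            ttl = ttl_seconds(tokens.pop(0))
        if tokens[0] == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in NAME_RDATA:
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":                   # mname, rname, serial, four timers
            rdata = ([qualify(rdata[0], origin), qualify(rdata[1], origin), rdata[2]]
                     + [str(ttl_seconds(t)) for t in rdata[3:]])
        records.append((owner, ttl, rtype, rdata))
        last_owner = owner
    return default_ttl, records


class Zone:
    def __init__(self, text: str, origin: str):
        self.origin = origin if origin.endswith(".") else origin + "."
        self.default_ttl, self.records = parse_zone(text, self.origin)
        self.index = {}
        for owner, _ttl, rtype, rdata in self.records:
            self.index.setdefault((owner, rtype), []).append(rdata)
        self.rotation = {}                     # per-name round-robin offset

    def lookup(self, name: str, rtype: str):
        """Return (cname_chain, values); values rotate on each call."""
        name, chain = qualify(name, self.origin), []
        for _ in range(8):                     # bound the CNAME chain
            if (name, rtype) in self.index:
                values = [r[0] for r in self.index[(name, rtype)]]
                k = self.rotation.get(name, 0) % len(values)
                self.rotation[name] = k + 1
                return chain, values[k:] + values[:k]
            cname = self.index.get((name, "CNAME"))
            if not cname:
                return chain, []
            chain.append((name, cname[0][0]))
            name = cname[0][0]
        raise ValueError("CNAME chain too long")
```

Two successive `lookup("www", "A")` calls return the two webserv addresses in rotated order, which is the round-robin behaviour the notes describe; the CNAME hop from www to webserv is reported in the chain.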

Check that the configuration file and the zone file are well-formed

[root@localhost named]# named-checkconf 


[root@localhost named]# named-checkzone flamenca.com /var/named/flamenca.com.zone 
zone flamenca.com/IN: loaded serial 20200618
OK

Configuration done; reload

[root@localhost named]# rndc reload
server reload successful

Test www.flamenca.com with dig

[root@localhost named]# dig www.flamenca.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;;	aa is shown
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 92156a57011b8a24f1b619f95eeb77481eedcaa191394c91 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:				;; CNAME resolved successfully
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	192.168.33.130

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 10:16:40 EDT 2020
;; MSG SIZE  rcvd: 148

Bring up the other virtual machine, 192.168.33.130

# with the httpd service already installed
[root@localhost ~]# echo www.flamenca.com > /var/www/html/index.html
[root@localhost ~]# systemctl start httpd

Fetch the site content with curl


[root@localhost named]# curl www.flamenca.com
www.flamenca.com

Forward resolution is now complete.

A records

name: the FQDN of some host

value: the IP address of the host with that name

To avoid giving a wrong answer when users mistype a name, a wildcard record can resolve such names to a particular address

www.flamenca.com.		IN		A		192.168.33.129
$GENERATE 1-254 HOST$	IN		A		1.2.3.$
*.flamenca.com.			IN		A		192.168.33.129

Allowing dynamic updates

Dynamic update: the resource records of a zone database can be updated remotely. This carries a security risk.

To enable dynamic updates, add the following inside the relevant zone block:

allow-update { any; };
# IP addresses can be listed inside the braces instead, to restrict which hosts may change the database remotely


Implementing a reverse zone

The ARPA top-level domain

Map IP -> FQDN

# 192.168.33.130 -> www.flamenca.com

# resolved in the reversed form: 130.33.168.192

	# the zone name is: 33.168.192.in-addr.arpa

Create the reverse zone

[root@localhost named]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
...
// an example reverse zone
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
// our own, modelled on it
zone "33.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.33.zone";
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "flamenca.com" IN {
        type master;
        file "flamenca.com.zone";
};

Create the matching 192.168.33.zone file

[root@localhost named]# cd /var/named
[root@localhost named]# vim 192.168.33.zone 

$TTL 1D
@       IN SOA  master.flamenca.com. admin.flamenca.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        NS      master.flamenca.com.          ; master.flamenca.com
master.flamenca.com.    A       192.168.33.129  ; DNS server IP
130                     PTR     www.flamenca.com.       ; 130=192.168.33.130
129                     PTR     master.flamenca.com.
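The reverse-name construction (130 under 33.168.192.in-addr.arpa) and the PTR lines in this zone, worked in Python as an added example (not from the original notes). It goes beyond the notes by also covering ip6.arpa names; the addresses are the ones used here:

```python
"""Build reverse-lookup names, reverse zone origins and PTR owner names from
IP addresses. Added example, not from the original notes; it goes beyond them
by also handling ip6.arpa. Addresses are the ones used in the notes.
"""
import ipaddress


def reverse_name(ip: str) -> str:
    """192.168.33.130 -> 130.33.168.192.in-addr.arpa. ; IPv6 reverses the nibbles."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")        # 32 hex digits, fully expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_for(network: str) -> str:
    """Origin of the reverse zone for an octet-aligned IPv4 prefix:
    192.168.33.0/24 -> 33.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip: str, zone_origin: str) -> str:
    """The owner name as written in the zone file, relative to the origin
    ('130' for 192.168.33.130 in 33.168.192.in-addr.arpa.)."""
    full = reverse_name(ip)
    if not full.endswith("." + zone_origin):
        raise ValueError(f"{ip} does not belong to zone {zone_origin}")
    return full[: -len(zone_origin) - 1]


def ptr_records(hosts: dict, network: str) -> list:
    """Render the PTR lines of a reverse zone from an ip -> fqdn mapping."""
    origin = reverse_zone_for(network)
    return [f"{ptr_owner(ip, origin):<8}PTR     {fqdn}" for ip, fqdn in hosts.items()]


if __name__ == "__main__":
    print("\n".join(ptr_records({"192.168.33.129": "master.flamenca.com.",
                                 "192.168.33.130": "www.flamenca.com."},
                                "192.168.33.0/24")))
```

`ptr_owner` refuses an address outside the zone, which is the mistake that silently produces a wrong PTR when a relative owner like `130` is written into the wrong reverse zone file.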

Test with dig -t ptr

[root@localhost named]# dig -t ptr 130.33.168.192.in-addr.arpa

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> -t ptr 130.33.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57764
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4144c2e7128bcbfe71b5ddc85eeb903f2aff58e8dfc42c99 (good)
;; QUESTION SECTION:
;130.33.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
130.33.168.192.in-addr.arpa. 86400 IN	PTR	www.flamenca.com.

;; AUTHORITY SECTION:
33.168.192.in-addr.arpa. 86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 12:03:11 EDT 2020
;; MSG SIZE  rcvd: 151

The dig -x reverse lookup command

[root@localhost named]# dig -x 192.168.33.130

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> -x 192.168.33.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48564
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 89904e21ae5e908c7364f7c45eeb90b72b27912d58d0fa0c (good)
;; QUESTION SECTION:
;130.33.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
130.33.168.192.in-addr.arpa. 86400 IN	PTR	www.flamenca.com.

;; AUTHORITY SECTION:
33.168.192.in-addr.arpa. 86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 12:05:11 EDT 2020
;; MSG SIZE  rcvd: 151

Mail systems can use reverse resolution to check whether a sending host is legitimate and so filter out spam

Multiple hosts

Deploy multiple DNS servers for fault tolerance

One name pointing at several IPs

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
########## one name pointing at several IPs for fault tolerance ###########
webserv A       192.168.33.130
webserv A       192.168.33.131
webserv A       192.168.33.132
##### one domain name to the outside, several servers behind it: load balancing #####
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

Fault tolerance

When users mistype a name, a wildcard points them at a host prepared for that

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2
########泛域名##############
*		CNAME	webserv
###########################
# 输入其他内容,则指向webserv主机

Note: * does not match an empty label

* does not match the bare flamenca.com (the zone apex), and, per RFC 4592, it does not match any name that already exists in the zone (app, db, ...) nor names below such a name (x.app.flamenca.com)

Solution

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2
;;;;;;;; wildcard ;;;;;;;;;;;;;;
*		CNAME	webserv
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; any other name under flamenca.com resolves to the webserv host

;;;;;;;;; A record for the apex (@) ;;;;;;;;;;;;
@		A		192.168.33.129
;;;;;;;;; @ cannot be a CNAME: the apex already owns SOA and NS records, and a CNAME may not coexist with other data ;;;;;;


Setting up a slave server

Its job is to keep a copy of the zone data in sync with the master

The VM 192.168.33.130 is the slave

[root@localhost ~]# yum install bind -y

Edit the configuration file

[root@localhost ~]# vim /etc/named.conf 

//
// named.conf
//

options {
//      listen-on port 53 { 127.0.0.1; };
        ...
//      allow-query     { localhost; };
};
# comment out these two lines so the server listens on all addresses and answers any client

Edit named.rfc1912.zones and define the same zone as on the master


[root@localhost ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
//

zone "flamenca.com" IN {
        type slave;
        masters {192.168.33.129;};               # the master's address
        file "slaves/flamecna.com.zone.slave";   # relative to the directory option (/var/named)
};

...

The slave's zone data is stored under /var/named/slaves

Restart named

[root@localhost ~]# systemctl restart named

[root@localhost ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 422 Jun 19 09:00 flamecna.com.zone.slave
# transfer succeeded
# the file is not readable as text: since BIND 9.9 slaves store transferred zones in raw format by default;
# add masterfile-format text; to the zone stanza, or convert it with named-compilezone -f raw -F text, to read it

Register the slave on the master

Add an NS record for the slave to the master's zone: named sends NOTIFY to every name server listed in the zone's NS records (other than itself), so the slave learns of changes immediately, and resolvers learn that both servers are authoritative

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;
        
        NS      master
        NS      slave           ; the name is arbitrary, but an NS record pointing at the slave is required
master  A       192.168.33.129
slave   A       192.168.33.130  ; the slave's address
webserv A       192.168.33.130
webserv A       192.168.33.129
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

Making the slave pick up changes

# Quick and dirty: delete the transferred file on the slave and restart named there (forces a full transfer)

# The proper way: a slave only transfers when the master's SOA serial is newer than the copy it holds, so increase the serial on every edit and reload the master (rndc reload); the NOTIFY it sends triggers the transfer at once
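The serial comparison that decides whether a slave transfers is RFC 1982 serial-number arithmetic, and forgetting to bump the serial is the most common reason a slave stays stale. The following added example, not from the page, implements that comparison, a YYYYMMDDnn serial bump, and a helper that rewrites the serial in a zone file of the shape shown above; the function names and the YYYYMMDDnn convention are this example's own.

```python
"""Added example (not from the page): the serial arithmetic behind master/slave
sync. A slave transfers only when the master's SOA serial is newer under RFC 1982
serial-number comparison, so the serial must be bumped on every edit. The helper
names and the YYYYMMDDnn serial convention are this example's own choices."""
from __future__ import annotations

import re
from datetime import date

MASK = 0xFFFFFFFF
HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is newer than b' for 32-bit serials (handles wrap-around)."""
    a &= MASK
    b &= MASK
    return a != b and ((a < b and b - a > HALF) or (a > b and a - b < HALF))


def slave_would_transfer(master_serial: int, slave_serial: int) -> bool:
    """What a slave decides after the SOA query of its refresh cycle (or on NOTIFY)."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current: int, today: date) -> int:
    """YYYYMMDDnn: the first change of the day gives YYYYMMDD00; if the current
    serial is already at or past that (several edits today, or a clock that
    went backwards), simply add one so the new serial is still newer."""
    candidate = int(today.strftime("%Y%m%d")) * 100
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) & MASK


# The serial is the first number after "SOA ... (" in the page's zone files.
SOA_SERIAL = re.compile(r"(\bSOA\b[^()]*\(\s*)(\d+)")


def bump_zone_serial(zone_text: str, today: date) -> tuple[str, int]:
    """Return the zone text with its SOA serial replaced, plus the new serial."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone file")
    new = next_serial(int(m.group(2)), today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


if __name__ == "__main__":
    import sys
    # usage: python bump_serial.py /var/named/flamenca.com.zone   (then: rndc reload)
    path = sys.argv[1]
    with open(path) as f:
        text, serial = bump_zone_serial(f.read(), date.today())
    with open(path, "w") as f:
        f.write(text)
    print("new serial", serial)
```

Resetting a serial to a smaller value (for instance going from 2020061900 back to 1) is the classic trap: slave_would_transfer returns False, the slaves keep serving the old data, and the only way out is to walk the serial forward through the 2^31 wrap or delete the slave copies.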

Check the log for the transfer

[root@localhost ~]# tail /var/log/messages 

Test from .129

[root@localhost named]# dig www.flamenca.com @192.168.33.130

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com @192.168.33.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37118
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d486ed5b13c2f6b138aafd7d5eec0f245ea686e6c545bf36 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	192.168.33.130

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.130#53(192.168.33.130)
;; WHEN: Thu Jun 18 13:04:39 EDT 2020
;; MSG SIZE  rcvd: 148

The slave resolves the name

Security of the master server

How do you restrict who may act as a slave?

BIND's traditional default is to answer zone-transfer (AXFR) requests from any host; on CentOS 6 the stock configuration let anyone download the complete zone, which hands an attacker an inventory of every host name and address in the domain:

dig -t axfr flamenca.com @192.168.33.129

Allow transfers only from the slave's address, in /etc/named.conf:

allow-transfer	{192.168.33.130;};

# The slave needs the matching setting, otherwise it serves the whole zone to anyone itself
allow-transfer	{none;};

Check the setting by repeating the dig -t axfr from a host that is not listed: it must report "Transfer failed."
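To verify the allow-transfer setting from any host, without dig, the following added example (not code from the page) does at the wire level what dig -t axfr does: it builds one AXFR query, sends it over TCP, and classifies the first reply. The server and zone names in the usage line are the page's lab values; the two canned replies at the bottom are constructed so the parser can be checked offline.

```python
"""Added example (not from the page): a zone-transfer probe that does at the wire
level what `dig -t axfr` does, so allow-transfer can be verified from any host.
It builds one AXFR query, sends it over TCP (each DNS-over-TCP message is prefixed
with a 2-byte length) and classifies the first reply. The server/zone values in
the usage note are the page's lab values; the two canned replies are constructed."""
import socket
import struct

TYPE_AXFR, TYPE_SOA, CLASS_IN = 252, 6, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels terminated by a zero byte."""
    labels = [lab for lab in name.strip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    # Header: id, flags (no RD: a transfer is never a recursive query), QD=1, AN=NS=AR=0
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def classify_axfr_response(msg: bytes) -> dict:
    """Look at the first message of the stream: a permitted AXFR opens with the
    zone's SOA in the answer section; a denied one carries no answers and
    usually rcode REFUSED (BIND) or NOTAUTH."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "txid": txid,
        "rcode": RCODES.get(rcode, str(rcode)),
        "answers": an,
        "transfer_allowed": rcode == 0 and an > 0,
    }


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection during AXFR")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, port: int = 53, timeout: float = 5.0) -> dict:
    """One TCP round trip (not exercised offline): send the query, read the first reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify_axfr_response(recv_exact(s, length))


# Constructed replies, shaped like what named sends, for checking the parser offline.
def _question(zone: str) -> bytes:
    return encode_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def _soa_rr(mname: str, rname: str, serial: int) -> bytes:
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", serial, 86400, 600, 259200, 7200)
    # the owner is a compression pointer (0xC00C) back to the question name
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 86400, len(rdata)) + rdata


REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _question("flamenca.com")  # QR, rcode 5
ALLOWED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)                         # QR, AA
                 + _question("flamenca.com")
                 + _soa_rr("master.flamenca.com", "admin.flamenca.com", 20200618))

if __name__ == "__main__":
    import sys
    # usage: python axfr_probe.py 192.168.33.129 flamenca.com
    print(probe_axfr(sys.argv[1], sys.argv[2]))
```

Run it from the slave (192.168.33.130) and from any other host: with the allow-transfer line in place only the slave should get transfer_allowed True. The probe reads just the first message, which is enough to classify; a full transfer would keep reading length-prefixed messages until the closing SOA.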

Subdomains

Add the subdomain's records to the parent zone file /var/named/flamenca.com.zone (no delegation: the parent's servers answer for the subdomain themselves)

[root@localhost named]# vim flamenca.com.zone 

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
        NS      slave
www.ziyu01.flamenca.com.    A       1.1.1.2
blog.ziyu01.flamenca.com.   A       1.1.1.3

master  A       192.168.33.129
slave   A       192.168.33.130
webserv A       192.168.33.130
webserv A       192.168.33.129
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

Restart the service after editing

systemctl restart named

Test with dig

[root@localhost named]# dig www.ziyu01.flamenca.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.ziyu01.flamenca.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bdfe8b341c9306586f9e1aae5eec4993aef5ff24ca69e188 (good)
;; QUESTION SECTION:
;www.ziyu01.flamenca.com.	IN	A

;; ANSWER SECTION:
www.ziyu01.flamenca.com. 86400	IN	A	1.1.1.2

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.
flamenca.com.		86400	IN	NS	slave.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129
slave.flamenca.com.	86400	IN	A	192.168.33.130

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 19 01:13:55 EDT 2020
;; MSG SIZE  rcvd: 169

Success

A separate DNS server for the subdomain

Parent and child zones on different servers (delegation)

# Delegate the subdomain ziyu02 to a server at 192.168.33.131
[root@localhost named]# vim flamenca.com.zone 

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
        NS      slave
ziyu02  NS      ziyu02serv                      ; delegation: ziyu02.flamenca.com is served elsewhere
www.ziyu01.flamenca.com.        A       1.1.1.2
blog.ziyu02.flamenca.com.       A       1.1.1.3 ; below the delegation point, so named ignores it here: put it in the child zone
ziyu02serv                      A       192.168.33.131 ; glue record for the delegated name server
master  A       192.168.33.129
slave   A       192.168.33.130
webserv A       192.168.33.130

Set up the subdomain's DNS server on 192.168.33.131

[root@centos8 named]# vim /etc/named.conf 

//
  
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };
        allow-transfer  {none;};

Add the child zone to /etc/named.rfc1912.zones

zone "ziyu02.flamenca.com" IN {
        type master;
        file "ziyu02.flamenca.com.zone";

};

In /var/named/ create ziyu02.flamenca.com.zone

[root@centos8 named]# vim ziyu02.flamenca.com.zone

$TTL 1D
@       IN      SOA     ziyu02  admin   (
                1
                1H
                5M
                1D
                3H

);
; "ziyu02" is relative to this zone's origin, so it expands to ziyu02.ziyu02.flamenca.com.;
; that is consistent inside the zone, but it is not the ziyu02serv.flamenca.com. name used in
; the parent's delegation; writing ziyu02serv.flamenca.com. (absolute) here keeps the two in step
                NS      ziyu02
ziyu02          A       192.168.33.131
www             A       192.33.33.33

### permissions: the file must be readable by the named group ###
[root@centos8 named]# chmod 640 ziyu02.flamenca.com.zone 
[root@centos8 named]# chgrp named ziyu02.flamenca.com.zone 

### start the service ###
[root@centos8 named]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.

### check the syntax (better done before starting: a broken zone is simply not loaded) ###
[root@centos8 named]# named-checkconf
[root@centos8 named]# named-checkzone ziyu02.flamenca.com ziyu02.flamenca.com.zone 
zone ziyu02.flamenca.com/IN: loaded serial 1
OK


Test with dig

[root@centos8 named]# dig www.ziyu02.flamenca.com @192.168.33.129

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.ziyu02.flamenca.com @192.168.33.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7516
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8c25356f918d2b2e5f6f471d5eec62c946fc6fc46dc582d5 (good)
;; QUESTION SECTION:
;www.ziyu02.flamenca.com.	IN	A

;; ANSWER SECTION:
www.ziyu02.flamenca.com. 86400	IN	A	192.33.33.33

;; AUTHORITY SECTION:
ziyu02.flamenca.com.	86400	IN	NS	ziyu02serv.flamenca.com.

;; ADDITIONAL SECTION:
ziyu02serv.flamenca.com. 86400	IN	A	192.168.33.131

;; Query time: 1 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Fri Jun 19 03:01:29 EDT 2020
;; MSG SIZE  rcvd: 137

Success. Note that the flags line has no aa: 192.168.33.129 is not authoritative for ziyu02.flamenca.com, it followed its own delegation to 192.168.33.131 and returned the answer recursively

Forwarding

DNS forwarding

With forwarding, a server passes the queries it cannot answer itself to a specified DNS server instead of iterating from the root servers, and caches the results it gets back, which speeds up repeated lookups

Notes:

  • The server you forward to must be willing to recurse for you; if it refuses, the forwarded query fails
  • In this lab the forwarders and the private root are unsigned, so DNSSEC validation has to be switched off in the options block; on a resolver that forwards to the real Internet leave validation on (dnssec-enable is obsolete in current BIND releases, dnssec-validation is the setting that matters)
 dnssec-enable no; 
 dnssec-validation no;

Forwarding modes

Global forwarding

Every query for a zone this server is not authoritative for is forwarded to the specified server

Set in the options block:

// named.conf

//

options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
    	
    	forward first|only;  // first: ask the forwarders, and iterate from the root yourself if they cannot answer
    					 // only:  use the forwarders exclusively; if they cannot answer, return an error
    	forwarders	{ ip; };  // address(es) of the server(s) to forward to
};

Per-zone forwarding

The same forward and forwarders options placed inside a zone stanza of type forward apply to that zone only, while everything else is resolved normally.

Smart DNS

Bringing the site to the user's doorstep: servers are placed in every city

GSLB: Global Server Load Balancing

GSLB decides, from the state of the servers and of the links, which site should serve a given user, so that geographically distributed server farms keep service quality up; large operators let DNS spread most of their traffic this way

The main purpose of GSLB is to direct each user's request to the nearest node (or region) anywhere in the network

GSLB can be implemented through DNS, through HTTP redirection, or through routing protocols; the DNS-based approach is the common one, and it is the logic behind smart DNS

[root@localhost named]# dig www.taobao.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.taobao.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19239
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.taobao.com.			IN	A

;; ANSWER SECTION:
www.taobao.com.		5	IN	CNAME	www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 5 IN A	182.106.155.238
www.taobao.com.danuoyi.tbcache.com. 5 IN A	182.106.155.237

;; Query time: 11 msec
;; SERVER: 192.168.33.2#53(192.168.33.2)
;; WHEN: Fri Jun 19 12:01:41 EDT 2020
;; MSG SIZE  rcvd: 120

Taking taobao as the example: asking for www.taobao.com returns a CNAME to another name, www.taobao.com.danuoyi.tbcache.com., whose A records (with a 5-second TTL) are chosen by the CDN's DNS for the querying client

CDN (content delivery network)

CDN providers bill by traffic: serving a 1 KB image costs 1 KB worth, a 1 MB image 1 MB worth, so compressing assets matters; that is covered later

How a CDN works

  • The user types www.taobao.com into the browser; on the first visit there is no local DNS cache (in BIND the cache is cleared with rndc flush), so the resolver goes to the DNS servers for the taobao domain
  • Taobao's authoritative DNS holds a CNAME pointing at www.taobao.com.danuoyi.tbcache.com., which hands the request to the CDN's smart DNS load-balancing system
  • The smart DNS system resolves that name to the IP of the node that will respond fastest for this user
  • The user sends the request to that node (a CDN edge server)
  • On a first request the CDN server resolves the origin site's IP through its own internal DNS, fetches the content from the origin and caches it
  • The result is returned to the user

Implementing smart DNS

ACLs in bind

An acl groups one or more addresses into a set that can be referred to by a single name

Note: an acl must be defined before it is used, so acls normally go near the top of the configuration file, before the options block

Format:

acl acl_name {
	ip;
	net/prefixlen;
	...

};

Example

acl shanghai {
	172.16.0.0/16;   # suppose this is the Shanghai network (the original read 127.16.0.0/16, which lies inside the 127/8 loopback range)
	10.10.10.10;     # a single address; more entries can be added

};

bind has four built-in acls (access lists)

  • none: no host at all
  • any: any host
  • localhost: the server itself (all of its own addresses)
  • localnet: every network that one of the server's own interfaces belongs to

Access control directives

allow-query {}      # hosts allowed to query: a whitelist
allow-transfer {}   # hosts allowed to pull a zone transfer: a whitelist
allow-recursion {}  # hosts for which this server will recurse (go out to the Internet and chase the answer); set it globally and limit it to your own networks, an open recursive resolver gets abused for reflection attacks
allow-update {}     # hosts allowed to dynamically update the zone's contents

Views

A view ties an ACL to a zone database; this is how smart DNS is implemented

  • One bind server can define several views, each containing one or more zones
  • Each view serves the clients that match its match-clients list
  • Several views may need to answer for the same zone, but each can use a different zone file

Notes

  • Once views are used, every zone must be defined inside a view
  • Define the root (hint) zone only in the view whose clients are allowed to recurse
  • When a request arrives, the views' client lists are checked top to bottom and the first match wins
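The two rules that bite in practice are that an address match list is evaluated first-match and that views are tried top to bottom, so a catch-all view placed first silently shadows everything below it. The following added example, not code from the page, reproduces that selection logic in Python using the page's acl and view names; the "!" negation element and nested acl references are standard BIND address-match-list syntax, included so the general algorithm is shown rather than just the three-view case.

```python
"""Added example (not from the page): how named chooses a view. An address match
list is evaluated first-match, and views are tried top to bottom, so a catch-all
view placed first shadows every view below it. ACL/view names mirror the page's
config; the "!" negation element and nested ACL references are standard BIND
address-match-list syntax, included to show the general algorithm."""
import ipaddress

BUILTIN = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": ["127.0.0.0/8", "::1/128"],
}


def match_list(elements, client, acls, localnets=()):
    """BIND address-match-list semantics: the first element that matches decides.
    A leading "!" negates: a matching negated element makes the whole list say no.
    An element that is neither an address, a built-in nor a defined acl is a
    configuration error (named refuses to start), raised here as KeyError."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        elem = elem.lstrip("! ")
        if elem == "localnet":
            hit = any(ip in ipaddress.ip_network(n, strict=False) for n in localnets)
        elif elem in BUILTIN:
            hit = any(ip in ipaddress.ip_network(n) for n in BUILTIN[elem])
        elif elem in acls:
            hit = match_list(acls[elem], client, acls, localnets)
        else:
            try:
                hit = ip in ipaddress.ip_network(elem, strict=False)
            except ValueError:
                raise KeyError(f"undefined acl or bad address: {elem!r}") from None
        if hit:
            return not negate
    return False


def select_view(views, client, acls, localnets=()):
    """views: ordered list of (view name, match-clients list). First match wins."""
    for name, clients in views:
        if match_list(clients, client, acls, localnets):
            return name
    return None


# The page's configuration, as data.
ACLS = {
    "beijingnet": ["192.168.33.0/24"],
    "shanghainet": ["192.168.0.0/24"],
    "other": ["any"],
}
VIEWS = [
    ("beijingVIEW", ["beijingnet"]),
    ("shanghaiVIEW", ["shanghainet"]),
    ("otherVIEW", ["other"]),
]

if __name__ == "__main__":
    for client in ("192.168.33.130", "192.168.0.6", "127.0.0.1"):
        print(client, "->", select_view(VIEWS, client, ACLS))
    # the same views with the catch-all first: everything lands in otherVIEW
    print("reversed:", select_view(VIEWS[::-1], "192.168.33.130", ACLS))
```

Reversing the view order sends every client to otherVIEW, and a match-clients entry that names an undefined acl (for instance shanghai instead of shanghainet) is an error rather than a silent non-match.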

view syntax

# Beijing view
view VIEW_NAME {
	match-clients { beijingnet; };
	zone "flamenca.com" {
		type master;
		file "flamenca.com.zone.bj";
	};
	include "/etc/named.rfc1912.zones";

};

# Shanghai view
view VIEW_NAME {
	match-clients { shanghainet; };
	zone "flamenca.com" {
		type master;
		file "flamenca.com.zone.sh";   # a different zone file for the same zone
	};
	include "/etc/named.rfc1912.zones";

};

Lab steps

Configure one domain so that clients in the beijing network get 1.1.1.1, clients in the shanghai network get 2.2.2.2 and everyone else gets 3.3.3.3

Define three acls in /etc/named.conf: beijingnet, shanghainet, other

acl beijingnet {

};

acl shanghainet {

};

acl other {

};


options {
        //listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        //allow-query     { any; };

Prepare two VMs on two different subnets

# done by adding a second address to the existing NIC
# 192.168.0.3/24 on the DNS server
[root@localhost ~]# ip a a 192.168.0.3/24 dev ens33
[root@localhost ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:9a:35:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.129/24 brd 192.168.33.255 scope global dynamic noprefixroute ens33
       valid_lft 1643sec preferred_lft 1643sec
    inet 192.168.0.3/24 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f95:77de:7cad:df9e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever


On the CentOS 7 machine add the address 192.168.0.6/24

[root@localhost ~]# ip a a 192.168.0.6/24 dev eth0
[root@localhost ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b6:94:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.130/24 brd 192.168.33.255 scope global noprefixroute dynamic eth0
       valid_lft 1013sec preferred_lft 1013sec
    inet 192.168.0.6/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::28d1:a712:6021:917a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Assume:

  • 192.168.33.0/24 is the beijing network
  • 192.168.0.0/24 is the shanghai network
  • 127.0.0.0/8 (loopback) counts as other

Now define the acls in /etc/named.conf on the DNS server

acl beijingnet {
        192.168.33.0/24;

};

acl shanghainet {
        192.168.0.0/24;


};

acl other {
        any;

};

options {
        //listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        //allow-query     { any; };
...

Prepare three zone files

[root@localhost ~]# vim /etc/named.conf 
[root@localhost ~]# cd /var/named/
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.bj 
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.sh
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.other

Zone file flamenca.com.zone.bj

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       1.1.1.1
www     CNAME   webserv

Zone file flamenca.com.zone.sh

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (
        
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       2.2.2.2
www     CNAME   webserv


Zone file flamenca.com.zone.other

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       3.3.3.3
www     CNAME   webserv

Link the zone files into /etc/named.conf



acl beijingnet {
        192.168.33.0/24;

};

acl shanghainet {
        192.168.0.0/24;


};

acl other {
        any;

};

###################################

...

###################################
view beijingVIEW {
        match-clients { beijingnet; };
        include "/etc/named.rfc1912.zones.bj";

};

view shanghaiVIEW {
        match-clients { shanghainet; };
        include "/etc/named.rfc1912.zones.sh";

};

view otherVIEW {
        match-clients { other; };
        include "/etc/named.rfc1912.zones.other";

};

Note: once a view exists, every zone must be defined inside a view, and the views are matched top to bottom, so the catch-all view (other = any) has to come last

So the zone definitions that used to live in /etc/named.rfc1912.zones are moved into the views:

Copy /etc/named.rfc1912.zones three times, with the suffixes .bj .sh .other

[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.sh
[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.other

Edit each copy

[root@localhost named]# vim /etc/named.rfc1912.zones.bj 


zone "." IN {
        type hint;
        file "named.ca";
};


...

zone "flamenca.com" IN {
        type master;
        file "flamenca.com.zone.bj";   # point each copy at its own zone file: .sh and .other likewise
};
          

Restart the service once everything is in place

[root@localhost named]# systemctl restart named

Testing

The view is chosen by the source address of the query. Use dig against 192.168.33.129 (the query leaves the client from 192.168.33.130, so it matches beijingnet), against 192.168.0.3 (it leaves from 192.168.0.6, so it matches shanghainet), and against 127.0.0.1 (matches neither, so it falls into other):

[root@localhost ~]# dig www.flamenca.com @192.168.33.129

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.flamenca.com @192.168.33.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8069
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	1.1.1.1
# 1.1.1.1 as expected
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Sun Jun 21 09:24:11 CST 2020
;; MSG SIZE  rcvd: 120

[root@localhost ~]# dig www.flamenca.com @192.168.0.3

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.flamenca.com @192.168.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	2.2.2.2
# 2.2.2.2 as expected
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Jun 21 09:24:41 CST 2020
;; MSG SIZE  rcvd: 120

[root@localhost named]# dig www.flamenca.com @127.0.0.1

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53370
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 57b53af9b14534f9083ddf865eee47ff9a65289e3c32efd0 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	3.3.3.3
# 3.3.3.3 as expected; 127.0.0.1 is the loopback address, so this case can only be tested on the DNS server itself
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 20 13:31:43 EDT 2020
;; MSG SIZE  rcvd: 148

Building an Internet-style DNS architecture


Lab preparation

Install 8 VMs with cobbler and configure the yum repositories

The 8 machines

For easier testing the servers are built in this order:

# Client
192.168.33.6
# WEB SERVER
192.168.33.68
# MASTER DNS
192.168.33.48
# SLAVE DNS
192.168.33.58
# COM DNS
192.168.33.38
# ROOT DNS
192.168.33.28
# FORWARD DNS
192.168.33.18
# LOCAL DNS
192.168.33.8
  • webserv 192.168.33.68: install httpd and bind
  • client 192.168.33.6: install bind-utils
  • all others: install bind

Configuration

webserv

[root@webserv ~]# curl 192.168.33.68
www.coralloveme.com
# httpd installed, with a one-line home page for www.coralloveme.com, just enough for the test

named.conf

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };



dnssec-enable no;
dnssec-validation no;

Client

# point the client's DNS at the LOCAL DNS
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 

TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.33.6
NETMASK=255.255.255.0
ONBOOT=yes
DNS1=192.168.33.8
####
[root@client ~]# systemctl restart network
[root@client ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.33.8
####
[root@client ~]# curl 192.168.33.68
www.coralloveme.com

With DNS pointing at the LOCAL DNS, test name resolution

[root@client ~]# dig www.coralloveme.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12868
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	85918	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	85918	IN	NS	slave.com.
coralloveme.com.	85918	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		85918	IN	A	192.168.33.48
slave.com.		85918	IN	A	192.169.33.58

;; Query time: 0 msec
;; SERVER: 192.168.33.8#53(192.168.33.8)
;; WHEN: Sun Jun 21 17:20:51 CST 2020
;; MSG SIZE  rcvd: 137

Test with curl

[root@client ~]# curl www.coralloveme.com
www.coralloveme.com

MASTER DNS

# named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
   ...
//      allow-query     { localhost; };
        allow-transfer  {192.168.33.58; };

		dnssec-enable no;
        dnssec-validation no;

[root@master-dns ~]# vim /etc/named.rfc1912.zones 
zone "coralloveme.com" IN {
        type master;
        file "coralloveme.com.zone";
};

[root@master-dns ~]# cd /var/named/
[root@master-dns named]# cp named.localhost coralloveme.com.zone
[root@master-dns named]# ll coralloveme.com.zone 
-rw-r----- 1 root root 152 Jun 21 15:37 coralloveme.com.zone
################

[root@master-dns named]# vim coralloveme.com.zone 

$TTL 1D
@       IN SOA  master admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.33.48
slave   A       192.168.33.58
www     A       192.168.33.68
#####
# make sure the file's group is named (the cp as root created it root:root above), otherwise named cannot read it
#####
[root@master-dns named]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.48

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23461
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.coralloveme.com.
coralloveme.com.	86400	IN	NS	master.coralloveme.com.

;; ADDITIONAL SECTION:
master.coralloveme.com.	86400	IN	A	192.168.33.48
slave.coralloveme.com.	86400	IN	A	192.168.33.58

;; Query time: 2 msec
;; SERVER: 192.168.33.48#53(192.168.33.48)
;; WHEN: Sun Jun 21 16:10:37 CST 2020
;; MSG SIZE  rcvd: 137

SLAVE DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
        allow-transfer  {none;};


        dnssec-enable no;
        dnssec-validation no;

// named.rfc1912.zones:
//
//
zone "coralloveme.com" IN {
        type slave;
        masters {192.168.33.48;};
        file "slaves/coralloveme.com.zone.bak";
};
# the name given here is the name of the transferred copy


[root@slave-dns ~]# systemctl restart named

Check that the zone was copied over

[root@slave-dns ~]# ll /var/named/slaves
total 4
-rw-r--r-- 1 named named 364 Jun 21 16:19 coralloveme.com.zone.bak

Test the slave from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.58

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.coralloveme.com.
coralloveme.com.	86400	IN	NS	master.coralloveme.com.

;; ADDITIONAL SECTION:
master.coralloveme.com.	86400	IN	A	192.168.33.48
slave.coralloveme.com.	86400	IN	A	192.168.33.58

;; Query time: 0 msec
;; SERVER: 192.168.33.58#53(192.168.33.58)
;; WHEN: Sun Jun 21 16:21:17 CST 2020
;; MSG SIZE  rcvd: 137

Note: the slave only re-transfers when the master's zone has changed and its serial has been increased

COM DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

        dnssec-enable no;
        dnssec-validation no;

// named.rfc1912.zones:
//
//
zone "com" IN {
        type master;
        file "com.zone";
};

Zone file

[root@com-dns named]# vim com.zone 

$TTL 1D
@       IN SOA  com admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      com
coralloveme     NS      master          ; delegation of coralloveme.com to master.com. and slave.com.
coralloveme     NS      slave
com     A       192.168.33.38
master  A       192.168.33.48
slave   A       192.168.33.58           ; glue; the original file had the typo 192.169.33.58, which the dig outputs below still show
; The parent delegates to master.com./slave.com. while the child zone names its servers
; master.coralloveme.com./slave.coralloveme.com.; the lab works because the addresses match,
; but the NS names published by parent and child should be the same.

####
[root@com-dns named]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.38

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50700
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	master.com.
coralloveme.com.	86400	IN	NS	slave.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 3 msec
;; SERVER: 192.168.33.38#53(192.168.33.38)
;; WHEN: Sun Jun 21 16:44:47 CST 2020
;; MSG SIZE  rcvd: 137

ROOT DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

        dnssec-enable no;
        dnssec-validation no;
        
        
 #### note: this is the root server, so the stock hint zone for "." is replaced by a master zone
 zone "." IN {
        type master;
        file "root.zone";
};

[root@root-dns named]# vim root.zone 

$TTL 1D
@       IN SOA  master admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
com     NS      com
master  A       192.168.33.28
com     A       192.168.33.38


Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.28

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22151
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.com.
coralloveme.com.	86400	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 2 msec
;; SERVER: 192.168.33.28#53(192.168.33.28)
;; WHEN: Sun Jun 21 17:04:01 CST 2020
;; MSG SIZE  rcvd: 137
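With the root, com and coralloveme.com zones in place, the FORWARD DNS box built next resolves names by iterating through them. The following added example, which is not code from the page, simulates that walk: each authoritative server answers non-recursively (an answer, a referral with glue, or a negative reply) and the resolver follows referrals from the root down. The zone data is transcribed from the three zone files above (with the slave's glue written as 192.168.33.58); the server-to-zone map and the trace format are this example's own.

```python
"""Added example (not from the page): a simulated iterative resolver that walks the
lab's delegation chain root -> com -> coralloveme.com, which is what the FORWARD DNS
box does for the LOCAL DNS. Zone data is transcribed from the three zone files above
(slave's glue written as 192.168.33.58, the page's original has a typo); the
server-to-zone map and the trace format are this example's own."""

# (owner, type, rdata) with absolute names, keyed by zone apex
ZONES = {
    ".": [
        (".", "NS", "master."), ("master.", "A", "192.168.33.28"),
        ("com.", "NS", "com."), ("com.", "A", "192.168.33.38"),
    ],
    "com.": [
        ("com.", "NS", "com."), ("com.", "A", "192.168.33.38"),
        ("coralloveme.com.", "NS", "master.com."),
        ("coralloveme.com.", "NS", "slave.com."),
        ("master.com.", "A", "192.168.33.48"), ("slave.com.", "A", "192.168.33.58"),
    ],
    "coralloveme.com.": [
        ("coralloveme.com.", "NS", "master.coralloveme.com."),
        ("coralloveme.com.", "NS", "slave.coralloveme.com."),
        ("master.coralloveme.com.", "A", "192.168.33.48"),
        ("slave.coralloveme.com.", "A", "192.168.33.58"),
        ("www.coralloveme.com.", "A", "192.168.33.68"),
    ],
}
# Which lab host is authoritative for which zone (the page's address plan).
SERVERS = {"192.168.33.28": ".", "192.168.33.38": "com.",
           "192.168.33.48": "coralloveme.com.", "192.168.33.58": "coralloveme.com."}


def ancestors(name: str):
    """Deepest first: www.coralloveme.com. -> [itself, coralloveme.com., com., .]"""
    labels = [] if name == "." else name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def authoritative_reply(zone: str, qname: str, qtype: str):
    """(rcode, answer, authority, additional) from a non-recursive server for `zone`."""
    rrs = ZONES[zone]
    if zone not in ancestors(qname):
        return "REFUSED", [], [], []
    for cut in ancestors(qname):
        if cut == zone:
            break                      # reached our own apex: no delegation in the way
        ns = [r for r in rrs if r[0] == cut and r[1] == "NS"]
        if ns:                         # a delegation: refer the client, with glue
            targets = {r[2] for r in ns}
            glue = [r for r in rrs if r[1] == "A" and r[0] in targets]
            return "REFERRAL", [], ns, glue
    answer = [r for r in rrs if r[0] == qname and r[1] == qtype]
    exists = any(r[0] == qname for r in rrs)
    return ("NOERROR" if exists else "NXDOMAIN"), answer, [], []


def resolve(qname: str, qtype: str, root: str = "192.168.33.28", trace=None):
    """Iterate from the root, following referrals by their glue, until an
    authoritative answer or a negative reply. `trace` collects (server, zone, rcode)."""
    trace = [] if trace is None else trace
    server = root
    for _ in range(10):                # referral-loop guard
        zone = SERVERS[server]
        rcode, answer, authority, additional = authoritative_reply(zone, qname, qtype)
        trace.append((server, zone, rcode))
        if rcode != "REFERRAL":
            return rcode, answer
        next_server = None
        for _owner, _type, nsname in authority:   # first NS we have glue for
            addr = next((g[2] for g in additional if g[0] == nsname), None)
            if addr in SERVERS:
                next_server = addr
                break
        if next_server is None:        # no usable glue: would have to resolve the NS name first
            return "SERVFAIL", []
        server = next_server
    return "SERVFAIL", []


if __name__ == "__main__":
    steps = []
    print(resolve("www.coralloveme.com.", "A", trace=steps))
    for step in steps:
        print("  asked", *step)
```

The trace for www.coralloveme.com is exactly the three hops the dig tests above show one at a time: the root refers to com (192.168.33.38), com refers to master.com (192.168.33.48), and the master answers. The resolver trusts the glue the parent hands out, which is why the lab works even though the parent names the servers master.com. and the child names them master.coralloveme.com.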

FORWARD DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
#########
# a forwarding server must also have these set to no (the lab's root is unsigned)
#########
		dnssec-enable no;
        dnssec-validation no;

The FORWARD DNS box recurses from the root itself, so all it needs is a root hints file (named.ca) that points at the lab's root server instead of the real ones

[root@forward-dns ~]# vim /var/named/named.ca 


; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       192.168.33.28

;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE  rcvd: 811


#####
[root@forward-dns ~]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.18

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25600
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	master.com.
coralloveme.com.	86400	IN	NS	slave.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 3 msec
;; SERVER: 192.168.33.18#53(192.168.33.18)
;; WHEN: Sun Jun 21 17:12:48 CST 2020
;; MSG SIZE  rcvd: 137

LOCAL DNS

The local DNS only needs a forwarder configured.

[root@local-dns ~]# vi /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
###########
# Add the forward options
###########
        forward only;
        forwarders      { 192.168.33.18;};
  ...
#########
# Note: for the forwarding setup these two must be changed to no
#########
        dnssec-enable no;
        dnssec-validation no;
        
# 
[root@forward-dns ~]# systemctl restart named
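As an added check (my own example, not part of the original post and not BIND's code), the following shell functions audit an options{} block for the three things the tutorial's config leaves open: validation switched off, allow-query commented out and listen-on commented out. Function names and both sample configs are mine; the hardened sample assumes a forwarder that reaches the public root rather than the tutorial's private root, which is the only reason it can leave validation on.

```shell
#!/bin/sh
# Added example (not from the original post): audit a BIND options{} block for the
# settings the tutorial comments out or switches off. Function names are my own; the
# two configs are constructed samples modelled on the tutorial's LOCAL DNS options.

# Constructed: the tutorial-style forwarder, with DNSSEC validation switched off and
# the listen-on / allow-query lines commented out.
WEAK_CONF='options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
//      allow-query     { localhost; };
        forward only;
        forwarders      { 192.168.33.18; };
        dnssec-enable no;
        dnssec-validation no;
};'

# Constructed: the same forwarder bound only to the addresses it should serve, queries
# and recursion limited to the lab subnet, validation left on. Assumes the upstream
# forwarder reaches the public root (not the tutorial's private root).
HARDENED_CONF='options {
        listen-on port 53 { 127.0.0.1; 192.168.33.8; };
        directory       "/var/named";
        allow-query     { localhost; 192.168.33.0/24; };
        allow-recursion { localhost; 192.168.33.0/24; };
        forward only;
        forwarders      { 192.168.33.18; };
        dnssec-validation auto;
};'

active_lines() {
    # Drop lines BIND treats as comments (// and # styles) so a commented-out
    # statement is not mistaken for an active one.
    printf '%s\n' "$1" | awk '!/^[ \t]*(\/\/|#)/'
}

conf_value() {
    # $1: config text, $2: statement name. Prints the statement's value without the
    # trailing ';', or nothing if the statement is absent or commented out.
    active_lines "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" | head -n 1
}

audit_conf() {
    # $1: config text. Prints one finding per line; returns 0 only when clean.
    n=0
    if [ "$(conf_value "$1" dnssec-validation)" = "no" ]; then
        echo "dnssec-validation no: upstream answers are accepted unvalidated (only defensible for a private-root lab)"
        n=$((n + 1))
    fi
    if [ -z "$(conf_value "$1" allow-query)" ]; then
        echo "allow-query not set: BIND defaults to any, so every host reaching port 53 may query"
        n=$((n + 1))
    fi
    if [ -z "$(conf_value "$1" listen-on)" ]; then
        echo "listen-on not set: named binds port 53 on every IPv4 interface"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

audit_count() {
    # Prints the number of findings for $1 (0 when clean).
    audit_conf "$1" | awk 'END { print NR }'
}

echo "== weak =="; audit_conf "$WEAK_CONF" || true
echo "== hardened =="; audit_conf "$HARDENED_CONF" && echo "no findings"
```

Run it against the real file with `audit_conf "$(cat /etc/named.conf)"` after editing; the `dnssec-validation no` finding is expected in this lab because the root in named.ca is a private one, but the other two are worth fixing even here.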

Client test

[root@client ~]# dig www.coralloveme.com @192.168.33.8

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42512
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86019	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86019	IN	NS	slave.com.
coralloveme.com.	86019	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		86019	IN	A	192.168.33.48
slave.com.		86019	IN	A	192.169.33.58

;; Query time: 1 msec
;; SERVER: 192.168.33.8#53(192.168.33.8)
;; WHEN: Sun Jun 21 17:19:10 CST 2020
;; MSG SIZE  rcvd: 137

At this point the whole DNS architecture is in place; the client's DNS server can now be set to the LOCAL DNS IP.
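To check the chain end to end without reading three dig dumps by hand, here is an added shell example (mine, not from the original post) that parses dig output, compares the A answer returned by the forward DNS and by the local forwarder, reports whether the forwarder served the answer from cache (the lower TTL, 86019 versus 86400 above, shows exactly that) and whether the ad flag is present. The two sample outputs are constructed from the tutorial's runs and trimmed to the relevant sections; function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse dig output and compare what the
# forward DNS (192.168.33.18) and the local forwarder (192.168.33.8) answer for the
# same name. Function names are my own; the two outputs below are constructed
# samples modelled on the tutorial's dig runs.

UPSTREAM_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25600
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;www.coralloveme.com.           IN      A

;; ANSWER SECTION:
www.coralloveme.com.    86400   IN      A       192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.        86400   IN      NS      master.com.
coralloveme.com.        86400   IN      NS      slave.com.

;; SERVER: 192.168.33.18#53(192.168.33.18)'

FORWARDER_OUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42512
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;www.coralloveme.com.           IN      A

;; ANSWER SECTION:
www.coralloveme.com.    86019   IN      A       192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.        86019   IN      NS      slave.com.
coralloveme.com.        86019   IN      NS      master.com.

;; SERVER: 192.168.33.8#53(192.168.33.8)'

dig_section() {
    # $1: dig output, $2: section name (ANSWER, AUTHORITY or ADDITIONAL).
    # Prints the resource records of that section, one per line.
    printf '%s\n' "$1" | awk -v sec=";; $2 SECTION:" '
        index($0, sec) == 1 { insec = 1; next }
        insec && /^$/       { insec = 0 }
        insec && !/^;/      { print }'
}

dig_rdata() {
    # $1: dig output, $2: section, $3: record type. Prints the rdata of matching records.
    dig_section "$1" "$2" | awk -v t="$3" '$4 == t { print $5 }'
}

dig_ttl() {
    # Prints the TTL of the first answer record.
    dig_section "$1" ANSWER | awk 'NR == 1 { print $2 }'
}

dig_server() {
    # Prints the address of the server that answered (from the ";; SERVER:" line).
    printf '%s\n' "$1" | awk '/^;; SERVER:/ { sub(/#.*/, "", $3); print $3 }'
}

dig_has_flag() {
    # $1: dig output, $2: flag (qr, aa, rd, ra, ad ...). Exit 0 if the flag is set.
    printf '%s\n' "$1" | awk -v f="$2" '
        /^;; flags:/ {
            sub(/;; flags: */, ""); sub(/;.*/, "")
            n = split($0, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == f) found = 1
        }
        END { exit found ? 0 : 1 }'
}

check_forwarding() {
    # $1: dig output from the upstream (forward DNS), $2: from the local forwarder.
    # Returns 0 when both return the same A RRset; also reports whether the forwarder
    # served a cached copy (lower TTL) and whether it validated the answer (ad flag).
    a=$(dig_rdata "$1" ANSWER A | sort)
    b=$(dig_rdata "$2" ANSWER A | sort)
    if [ -z "$a" ] || [ "$a" != "$b" ]; then
        echo "MISMATCH: $(dig_server "$1") says [$a], $(dig_server "$2") says [$b]"
        return 1
    fi
    ta=$(dig_ttl "$1"); tb=$(dig_ttl "$2")
    if [ "$tb" -lt "$ta" ]; then
        echo "OK: $(dig_server "$2") relayed [$a] from cache (TTL $tb < $ta)"
    else
        echo "OK: $(dig_server "$2") relayed [$a] (TTL $tb)"
    fi
    if ! dig_has_flag "$2" ad; then
        echo "NOTE: no 'ad' flag, so the forwarder did not DNSSEC-validate this answer"
    fi
    return 0
}

check_forwarding "$UPSTREAM_OUT" "$FORWARDER_OUT"
```

On a live system, feed it real output with `check_forwarding "$(dig www.coralloveme.com @192.168.33.18)" "$(dig www.coralloveme.com @192.168.33.8)"`; a MISMATCH means the forwarder is answering from a different source than the forward DNS, which is exactly what you want to notice before pointing clients at it.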

DNS troubleshooting

A Windows DNS verification walkthrough

I had already configured the DNS records for the domain flamenca.com on the Linux host,

but on the Windows machine that domain resolved to a different IP.

I checked the hosts file; there was nothing relevant in it either.

I later found the cause:

  • The NIC's IP was obtained automatically and was not on the same subnet as the VM, so on the NAT-mode adapter VM8 I added the DNS 192.168.33.129, i.e. the Linux host's address
  • I set the NIC's DNS to 192.168.33.129
  • After that, pinging 192.168.33.129 brings up my own test page


Reprinted from blog.csdn.net/FlamencaH/article/details/106888256