Deploying DNS on CentOS 7

Contents:

    I. Introduction to the service

    II. Lab: build a forward (master) DNS server

    III. Lab: build a reverse-resolution server

    IV. Lab: wildcard resolution, so that a mistyped name such as wwww.baidu.com still works

I. Introduction to the service

  The DNS service: package name bind, program name named

  1. Packages:

  bind: provides the DNS server program and a few commonly used test programs;

  bind-libs: library files shared by the programs in the bind and bind-utils packages;

  bind-utils: the bind client-side tool set, providing dig, host, nslookup and related tools;

  bind-chroot: optional; confines named to a chroot as an extra safety measure; usually not needed for internal company use;

  2. bind

  Service script: /etc/rc.d/init.d/named

  Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key (the key for remote management, though in practice it is only used locally)

  Zone data files: /var/named/ZONE_NAME.ZONE

  Notes:

    1) One physical server can serve several zones at the same time;

    2) There must be a root hints file: named.ca

    3) There should be two zone files (not counting IPv6) that resolve localhost and the loopback address:

    forward: named.localhost

    reverse: named.loopback

  The rndc command (remote name domain controller) is installed on the same host as bind by default and can only connect to the named process via 127.0.0.1; it provides auxiliary management functions; port 953/tcp

II. Building a forward master DNS server

  1. Install: yum install bind -y

Installed:
  bind.x86_64 32:9.9.4-61.el7_5.1

Dependency Updated:
  bind-libs.x86_64 32:9.9.4-61.el7_5.1                    bind-libs-lite.x86_64 32:9.9.4-61.el7_5.1
  bind-license.noarch 32:9.9.4-61.el7_5.1                 bind-utils.x86_64 32:9.9.4-61.el7_5.1

  Run cat /var/named/named.ca to see the 13 root servers worldwide

[root@node5 ~]# cat /var/named/named.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17380
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
b.root-servers.net.     3600000 IN      AAAA    2001:500:84::b
c.root-servers.net.     3600000 IN      A       192.33.4.12
c.root-servers.net.     3600000 IN      AAAA    2001:500:2::c
d.root-servers.net.     3600000 IN      A       199.7.91.13
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.     3600000 IN      A       192.203.230.10
e.root-servers.net.     3600000 IN      AAAA    2001:500:a8::e
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
g.root-servers.net.     3600000 IN      AAAA    2001:500:12::d0d
h.root-servers.net.     3600000 IN      A       198.97.190.53
h.root-servers.net.     3600000 IN      AAAA    2001:500:1::53
i.root-servers.net.     3600000 IN      A       192.36.148.17
i.root-servers.net.     3600000 IN      AAAA    2001:7fe::53
j.root-servers.net.     3600000 IN      A       192.58.128.30
j.root-servers.net.     3600000 IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     3600000 IN      A       193.0.14.129
k.root-servers.net.     3600000 IN      AAAA    2001:7fd::1
l.root-servers.net.     3600000 IN      A       199.7.83.42
l.root-servers.net.     3600000 IN      AAAA    2001:500:9f::42
m.root-servers.net.     3600000 IN      A       202.12.27.33
m.root-servers.net.     3600000 IN      AAAA    2001:dc3::35

;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE  rcvd: 811

[root@node5 ~]# 

  Check whether anything is listening on port 53 yet

[root@node5 ~]# ss -tunlop |grep 53
udp    UNCONN     0      0         *:5353                  *:*                   users:(("avahi-daemon",pid=603,fd=12))
udp    UNCONN     0      0      192.168.122.1:53                    *:*                   users:(("dnsmasq",pid=2184,fd=5))
tcp    LISTEN     0      5      192.168.122.1:53                    *:*                   users:(("dnsmasq",pid=2184,fd=6))

  2. Edit the main configuration file:

    Global configuration: options{}

    Logging subsystem configuration: logging{}

    Zone definitions: every zone this host is expected to resolve must be defined;

    zone "ZONE_NAME" IN {}

    Note: any service that is expected to be reachable over the network by other hosts must listen on at least one IP address that can communicate with external hosts; with recursion yes; and allow-query { any; } as configured below, the server also answers recursive queries from every host that can reach it, so restrict that with allow-recursion { <internal networks>; } unless an open resolver is really intended.

    Back up the configuration file

      cp -v /etc/named.conf{,.bak}

    Edit with vim /etc/named.conf

[root@node5 ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 {192.168.216.198; 127.0.0.1; };   # add this host's address
        //listen-on-v6 port 53 { ::1; };            # IPv6 listener commented out
        directory       "/var/named";              # directory holding the zone files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;                # can be turned off while learning
        dnssec-validation yes;            # can be turned off at first

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";  # this file holds the zone definitions
include "/etc/named.root.key";

  Restart the service and check how the listening ports change

[root@node5 ~]# systemctl restart named
[root@node5 ~]# ss -tunlp |grep 53
udp    UNCONN     0      0         *:5353                  *:*                   users:(("avahi-daemon",pid=603,fd=12))
udp    UNCONN     0      0      192.168.216.198:53                    *:*                   users:(("named",pid=5349,fd=519),("named",pid=5349,fd=518),("named",pid=5349,fd=517),("named",pid=5349,fd=516))
udp    UNCONN     0      0      127.0.0.1:53                    *:*                   users:(("named",pid=5349,fd=515),("named",pid=5349,fd=514),("named",pid=5349,fd=513),("named",pid=5349,fd=512))
udp    UNCONN     0      0      192.168.122.1:53                    *:*                   users:(("dnsmasq",pid=2184,fd=5))
tcp    LISTEN     0      10     192.168.216.198:53                    *:*                   users:(("named",pid=5349,fd=22))
tcp    LISTEN     0      10     127.0.0.1:53                    *:*                   users:(("named",pid=5349,fd=21))
tcp    LISTEN     0      5      192.168.122.1:53                    *:*                   users:(("dnsmasq",pid=2184,fd=6))
tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=5349,fd=23))
tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=5349,fd=24))
[root@node5 ~]# 

  3. Edit the zone definitions file

[root@node5 ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};

   4. Create the zone data file (this is the forward zone)

    vim /var/named/zhangxingeng.com.zone

[root@node5 ~]# cat /var/named/zhangxingeng.com.zone 
$TTL 1D
@       IN SOA  zhangxingeng.com.     admin.zhangxingeng.com. (
                                        20181120        ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      web1.zhangxingeng.com.
        IN      MX  10    mail.zhangxigneng.com.
        IN      NS      dns1.zhangxingeng.com.
web1    IN      A       192.168.216.199
dns1    IN      A       192.168.216.198
mail    IN      A       192.168.216.128
www     IN      A       192.168.216.129
[root@node5 ~]# 

  5. Test

  named-checkconf checks the syntax of the main configuration file

  named-checkzone "zhangxingeng.com" /var/named/zhangxingeng.com.zone checks the syntax of the zone data file

  6. Reload the service

  systemctl reload named or rndc reload

    7. Install nginx (an HTTP server) on node5 (the DNS server)

    yum -y install nginx

   systemctl start nginx

   systemctl enable nginx

   8. Test from web1 (nginx is installed there the same way)

    Test with the dig command

    Format

      dig [-t RR_TYPE]   name  [@server]  [query options]

    Query options

     +[no]trace: trace the resolution process;

     +[no]recurse: request recursive resolution;

     Reverse lookup

      dig -x IPADDR

    Full zone transfer (AXFR); a master hands the whole zone to any client that asks unless the zone restricts this with allow-transfer

      dig -t axfr  DOMAIN  [@server]

    For example:

      query the NS records of baidu.com

      dig -t NS baidu.com

      trace the resolution of www.baidu.com

      dig +trace www.baidu.com

      resolve the A record of www.baidu.com

      dig -t A  www.baidu.com

[root@web1 ~]# dig -t A dns1.zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A dns1.zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57945
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.zhangxingeng.com.         IN      A

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 17:04:35 CST 2018
;; MSG SIZE  rcvd: 50

   

   

   Install nginx

   yum install nginx -y

   echo welcome to web1 >/usr/share/nginx/html/index.html

   systemctl start nginx

   systemctl enable nginx 

   ss -tunlp |grep 80

   web1's web server is now up

   Point web1's DNS at node5

[root@web1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="4f788080-131a-4f10-85a8-179b4f14ab48"
DEVICE="ens33"
ONBOOT="yes"
DNS1=192.168.216.198
[root@web1 ~]# 

  9. Test web1 from node5

[root@node5 ~]# curl web1.zhangxingeng.com
welcome to web1

   

III. Building reverse resolution

  1. Define the zone

[root@node5 named]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};
zone "216.168.192.in-addr.arpa" IN {
        type    master;
        file "192.168.216.zone";
};

  2. Define the zone data file

      cd /var/named/

[root@node5 named]# cat 192.168.216.zone 
$TTL 3600
$ORIGIN 216.168.192.in-addr.arpa.
@       IN SOA   zhangxingeng.com.      admin.zhangxingeng.com. (
                                        20181120        ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      web1.zhangxingeng.com.
        IN      NS      dns1.zhangxingeng.com.
199     IN      PTR     web1.zhangxingeng.com.
198     IN      PTR     dns1.zhangxingeng.com.
128     IN      PTR     mail.zhangxingeng.com.
129     IN      PTR     www.zhangxingeng.com.
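A small checker and generator for the two hand-written zones above, added here as an example (it is not part of the original post or of BIND): it parses a forward zone in the format of section II step 4, lists NS/MX targets that have no address record in the zone (the condition named-checkzone warns about in the next step, caused here by the misspelled MX target), and derives the 216.168.192.in-addr.arpa PTR zone from the A records instead of typing it by hand. It assumes the subset of zone-file syntax used on this page ($TTL, $ORIGIN, one parenthesised SOA, and one NS/MX/A/CNAME record per line); the embedded zone text is a constructed copy of the page's forward zone.

```python
import re

# Constructed copy of the page's forward zone, misspelled MX target included.
FORWARD_ZONE = """\
$TTL 1D
@   IN SOA zhangxingeng.com. admin.zhangxingeng.com. (
            20181120 ; serial
            1D 1H 1W 3H )
    IN NS web1.zhangxingeng.com.
    IN MX 10 mail.zhangxigneng.com.
    IN NS dns1.zhangxingeng.com.
web1 IN A 192.168.216.199
dns1 IN A 192.168.216.198
mail IN A 192.168.216.128
www  IN A 192.168.216.129
"""

def parse_zone(text, origin):
    """Return (owner_fqdn, type, rdata) tuples; a parenthesised SOA becomes one record."""
    buf, logical = "", []
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)              # drop ';' comments
        buf = buf + " " + line if buf else line
        if "(" in buf and ")" not in buf:            # still inside the SOA parentheses
            continue
        logical.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    records, owner = [], "@"
    for line in logical:
        toks = line.split()
        if line.startswith("$ORIGIN"):
            origin = toks[1]
        if not toks or line.startswith("$"):         # blank line or directive: no record
            continue
        if not line[0].isspace():                    # explicit owner, else inherited
            owner = toks.pop(0)
        if toks[0] == "IN":
            toks.pop(0)
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((name, toks[0], " ".join(toks[1:])))
    return records

def missing_targets(records):
    """NS/MX targets with no A/AAAA record in this zone: what named-checkzone warned about."""
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    origin = next(o for o, t, _ in records if t == "SOA")
    return [(t, r.split()[-1], "in-zone" if r.split()[-1].endswith("." + origin) else "out-of-zone")
            for _, t, r in records if t in ("NS", "MX") and r.split()[-1] not in have_addr]

def reverse_zone(records, prefix, ttl="3600"):
    """Derive the in-addr.arpa zone for the /24 'prefix' (e.g. "192.168.216") from the A records."""
    rev_origin = ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."
    soa = next(r for o, t, r in records if t == "SOA")
    out = [f"$TTL {ttl}", f"$ORIGIN {rev_origin}", f"@ IN SOA {soa}"]
    out += [f"  IN NS {r}" for o, t, r in records if t == "NS"]
    out += [f"{r.rsplit('.', 1)[1]} IN PTR {o}" for o, t, r in records
            if t == "A" and r.startswith(prefix + ".")]
    return "\n".join(out) + "\n"
```

Run `print(reverse_zone(parse_zone(FORWARD_ZONE, "zhangxingeng.com."), "192.168.216"))` to get a PTR zone matching the one typed above, and `missing_targets(...)` to see the misspelled MX target reported as out of zone.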

  3. Syntax check

[root@node5 named]# named-checkconf 
[root@node5 named]# named-checkzone zhangxingeng.com. zhangxingeng.com.zone
zone zhangxingeng.com/IN: zhangxingeng.com/MX 'mail.zhangxigneng.com' (out of zone) has no addresses records (A or AAAA)
zone zhangxingeng.com/IN: loaded serial 2018112001
OK
[root@node5 named]# named-checkzone 216.168.192.in-addr.arpa. 192.168.216.zone        
zone 216.168.192.in-addr.arpa/IN: loaded serial 2018112001
OK
[root@node5 named]# 

  The warning on the MX record comes from the misspelled target mail.zhangxigneng.com (it lies outside the zone and has no address record); correct it to mail.zhangxingeng.com in the zone file.

  4. Reload the master server configuration

  rndc reload

  systemctl status named.service

  5. Test

[root@web1 ~]# dig -t axfr zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t axfr zhangxingeng.com @192.168.216.198
;; global options: +cmd
zhangxingeng.com.       86400   IN      SOA     web1.zhangxingeng.com. admin.zhangxingeng.com. 2018112001 86400 3600 604800 10800
zhangxingeng.com.       86400   IN      NS      web1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      NS      dns1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      MX      10 mail.zhangxigneng.com.
*.zhangxingeng.com.     86400   IN      A       192.168.216.199
dns1.zhangxingeng.com.  86400   IN      A       192.168.216.198
mail.zhangxingeng.com.  86400   IN      A       192.168.216.128
web1.zhangxingeng.com.  86400   IN      A       192.168.216.199
www.zhangxingeng.com.   86400   IN      CNAME   web1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      SOA     web1.zhangxingeng.com. admin.zhangxingeng.com. 2018112001 86400 3600 604800 10800
;; Query time: 2 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:09 CST 2018
;; XFR size: 10 records (messages 1, bytes 273)

[root@web1 ~]# dig -t A zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57290
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zhangxingeng.com.              IN      A

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:27 CST 2018
;; MSG SIZE  rcvd: 45

[root@web1 ~]# dig -t NS zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44575
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zhangxingeng.com.              IN      NS

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:37 CST 2018
;; MSG SIZE  rcvd: 45

IV. Wildcard resolution, to make access more forgiving

  Even if the hostname is mistyped, access still works

  1. Edit the zone data file; adding one A record is enough

[root@node5 named]# vim /var/named/zhangxingeng.com.zone 

$TTL 86400
$ORIGIN zhangxingeng.com.
@       IN SOA   web1.zhangxingeng.com. admin.zhangxingeng.com. (
                                        2018112001      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
        IN      NS      web1.zhangxingeng.com.
        IN      NS      dns1.zhangxingeng.com.
        IN      MX 10   mail.zhangxigneng.com.
web1    IN      A       192.168.216.199
dns1    IN      A       192.168.216.198
mail    IN      A       192.168.216.128
www     IN      CNAME   web1
*       IN      A       192.168.216.199

  2. A quick test

[root@node5 named]# curl web11.zhangxingeng.com
welcome to web1
[root@node5 named]# 
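How the server decides between the explicit records and the new * record, as an added example (not from the post or from BIND): an in-memory lookup over a constructed copy of the final zone (the MX record left out) that follows the RFC 4592 wildcard rules. A wildcard only covers names that do not exist at all, so web11 is synthesised from *, www still follows its own CNAME, and a name below an existing one such as a.www.zhangxingeng.com gets NXDOMAIN rather than the wildcard address.

```python
# Constructed copy of the final zhangxingeng.com zone from the post, as a map of
# owner name -> {type: [rdata, ...]}.  Names are fully qualified (trailing dot).
ZONE = {
    "zhangxingeng.com.":      {"NS": ["web1.zhangxingeng.com.", "dns1.zhangxingeng.com."]},
    "web1.zhangxingeng.com.": {"A": ["192.168.216.199"]},
    "dns1.zhangxingeng.com.": {"A": ["192.168.216.198"]},
    "mail.zhangxingeng.com.": {"A": ["192.168.216.128"]},
    "www.zhangxingeng.com.":  {"CNAME": ["web1.zhangxingeng.com."]},
    "*.zhangxingeng.com.":    {"A": ["192.168.216.199"]},
}

def node_exists(zone, name):
    """A name exists if it owns records or has descendants that do (an empty non-terminal)."""
    return name in zone or any(k.endswith("." + name) for k in zone)

def lookup(zone, qname, qtype):
    """Answer qname/qtype from the zone with RFC 4592 wildcard semantics.
    Returns (status, rrset); status is NOERROR, NODATA (NOERROR with an empty
    answer) or NXDOMAIN.  qname must lie inside the zone."""
    owner = qname
    if not node_exists(zone, qname):
        # Closest encloser: the nearest ancestor of qname that exists in the zone.
        labels = qname.split(".")
        encloser = next(n for n in (".".join(labels[i:]) for i in range(1, len(labels)))
                        if node_exists(zone, n))
        owner = "*." + encloser
        if owner not in zone:                  # no wildcard directly below the encloser
            return "NXDOMAIN", []
    rrsets = zone.get(owner, {})               # empty non-terminals own no records
    if qtype != "CNAME" and "CNAME" in rrsets:
        target = rrsets["CNAME"][0]            # follow an in-zone alias
        status, rrs = lookup(zone, target, qtype)
        return status, [(qname, "CNAME", target)] + rrs
    rrs = [(qname, qtype, rd) for rd in rrsets.get(qtype, [])]
    return ("NOERROR" if rrs else "NODATA"), rrs

if __name__ == "__main__":
    for q in ("web11", "www", "a.www", "x.y", "@"):
        name = "zhangxingeng.com." if q == "@" else f"{q}.zhangxingeng.com."
        print(name, lookup(ZONE, name, "A"))
```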

To be continued...

  

  

    


Source: www.cnblogs.com/zhangxingeng/p/9983944.html