(BIND最佳实践)Linux运维最佳实践

DNS组成:域名服务器、解析器
域名服务器的分类:
1、权威域名服务器、根域名服务器

9967595-7d8b607e6cc00b75.png
image.png

2、顶级域名服务器
9967595-9e100c8eafd195d1.png
image.png

3、二级域名服务器
9967595-9a1b2ce3d98f65c4.png
image.png

4、缓存域名服务器
9967595-e1915049c1ca2543.png
image.png

5、转发域名服务器
9967595-742d46dfe5ea4944.png
image.png

9967595-f4a1951e2ba9a7aa.png
image.png

6、在BIND中要配置禁止递归查询
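// The heading above asks for recursion to be *disabled* on this server, so the
// value has to be "no" rather than "on": an authoritative server that also
// answers recursive queries for anyone becomes an open resolver, which is what
// the hardening step is meant to prevent. If internal clients still need
// recursion, restrict it with allow-recursion to their networks instead.
recursion no;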
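# Install the host/DNS lookup cache daemon (nscd) and open its configuration.
yum -y install nscd
# The configuration file is /etc/nscd.conf; the original listing misspelt it
# as ncsd.conf, which would have opened an empty, unused file.
vi /etc/nscd.conf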
# /etc/nscd.conf — settings for the "hosts" database (name lookup cache).
# Turn caching of host lookups on.
enable-cache hosts yes
# Seconds a successful lookup stays cached.
positive-time-to-live hosts 3600
# Seconds a failed lookup stays cached (kept short so fixes are noticed quickly).
negative-time-to-live hosts 20
# Initial hash table size for the database; nscd expects a prime here.
suggested-size hosts 211
# Invalidate the cache when the backing file (/etc/hosts) changes.
check-files hosts yes
# Keep the cache contents across nscd restarts.
persistent hosts yes
# Let client processes map the cache read-only instead of querying the daemon.
shared hosts yes
# Upper bound, in bytes, on the on-disk database file.
max-db-size hosts 33554432
9967595-f07e5b733801941a.png
image.png

//Windows 中查看 DNS 缓存命中情况:ipconfig /displaydns
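#!/usr/bin/env bash
# Hardening: run named inside the chroot shipped by bind-chroot instead of the
# plain named service. Steps: install, seed the chroot's /var/named from the
# packaged sample tree, create the runtime files named writes to, give them to
# the named user, then switch systemd from named to named-chroot.
set -euo pipefail

readonly CHROOT=/var/named/chroot
readonly RUNTIME_DIRS=("${CHROOT}/var/named/data" "${CHROOT}/var/named/dynamic")

# Install BIND plus the chroot helper package.
install_bind() {
  yum install -y bind bind-utils bind-libs bind-chroot
}

# Seed the chroot and create the files named expects at startup.
populate_chroot() {
  # The doc directory carries the package version, so a glob is needed here;
  # in the original listing it had been lost ("bind- /sample"). Copying "/."
  # takes the directory contents rather than nesting another "named/" level.
  cp -R /usr/share/doc/bind-*/sample/var/named/. "${CHROOT}/var/named/"
  mkdir -p "${RUNTIME_DIRS[@]}"
  touch "${CHROOT}/var/named/data/cache_dump.db" \
        "${CHROOT}/var/named/data/named_stats.txt" \
        "${CHROOT}/var/named/data/named_mem_stats.txt" \
        "${CHROOT}/var/named/data/named.run" \
        "${CHROOT}/var/named/dynamic/managed-keys.bind"
  cp -p /etc/named.conf "${CHROOT}/etc/named.conf"
}

# Restrict write access to the named user. The original used chmod -R 777,
# which lets any local account tamper with the cache dump, statistics and the
# managed-keys journal; named (the user created by the bind package) is the
# only writer these directories need.
set_permissions() {
  chown -R named:named "${RUNTIME_DIRS[@]}"
  chmod -R u+rwX,g+rwX,o-rwx "${RUNTIME_DIRS[@]}"
}

# Prepare the chroot mounts and make named-chroot the service that starts at boot.
switch_to_chroot_service() {
  /usr/libexec/setup-named-chroot.sh "${CHROOT}" on
  systemctl stop named
  systemctl disable named
  systemctl start named-chroot
  # "systemctl enable" creates the multi-user.target.wants symlink itself; the
  # manual ln -s from the original listing is redundant and fails once the link
  # already exists.
  systemctl enable named-chroot
}

main() {
  install_bind
  populate_chroot
  set_permissions
  switch_to_chroot_service
}

main "$@"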
//DNS资源种类:
A记录,把域名解析为IP地址
CNAME,别名
NS记录,授权解析域
负载均衡:在DNS解析中,指定多个A记录,DNS会轮询
DNS视图技术:对同一个资源记录根据DNS的请求来源IP地址不同分配给解析器不同的解析结果
// View answered to clients matching acl "localnet45" (192.168.45.0/24 per its
// acl file). Each view carries its own copy of ljf.com with different records.
// NOTE(review): no allow-transfer or allow-query appears in this view or in the
// visible options; confirm zone transfers are restricted at the options level.
view "view_localnet_45" {
match-clients { # match-clients selects the source addresses this view serves
localnet45; # name of an acl defined in the included acl file
};
zone "ljf.com" {
type master;
file "ljf.com.zone45"; # one zone file per view keeps the variants easy to manage
};

};

// View answered to clients matching acl "localnet141" (192.168.141.0/24 per its
// acl file); same zone name as the other view, different zone file.
view "view_localnet_141" {
match-clients { # match-clients selects the source addresses this view serves
localnet141; # name of an acl defined in the included acl file
};
zone "ljf.com" {
type master;
file "ljf.com.zone141"; # separate data file for this view
};
};

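// Once views are in use every zone must live inside a view; the stock rfc1912
// zones sit outside any view, so including them makes named refuse to start.
// The original listing said to comment this line out but left it active.
// include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";
// acl definitions referenced by match-clients in the views. BIND generally
// expects an acl to be defined before the statement that uses it, so these
// includes are better placed above the view blocks — check with named-checkconf.
include "/etc/named/acl/localnet141.conf";
include "/etc/named/acl/LocalNet45.conf";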
[root@localhost named]# cat /etc/named/acl/localnet141.conf
// acl used by view_localnet_141's match-clients.
acl "localnet141" {
192.168.141.0/24; # the 192.168.141.x network
};
[root@localhost named]# cat /etc/named/acl/LocalNet45.conf
// acl used by view_localnet_45's match-clients; the name here is what
// named.conf references.
acl "localnet45" {     # acl name, referenced from match-clients in named.conf
192.168.45.0/24; # the 192.168.45.x network
};
[root@localhost named]# cat /var/named/ljf.com.zone141
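$TTL 1D
; Zone data for ljf.com as served to clients in 192.168.141.0/24 (view_localnet_141).
; The SOA uses the placeholder RNAME "rname.invalid." from the sample zone;
; replace it with the administrator's mailbox before production use.
@ IN SOA @ rname.invalid. (
0 ; serial - increment on every edit so secondaries pick up the change
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
@ IN NS ns
www IN A 192.168.141.3
; The original listing had 102.168.141.3 here, a typo that pointed the NS
; glue outside the 192.168.141.0/24 network this view serves, so resolvers
; following the NS record would have reached nothing.
ns IN A 192.168.141.3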

[root@localhost named]# cat /var/named/ljf.com.zone45
$TTL 1D
; Zone data for ljf.com as served to clients in 192.168.45.0/24 (view_localnet_45).
; RNAME "rname.invalid." is the sample placeholder; set a real admin mailbox.
@ IN SOA @ rname.invalid. (
0 ; serial - increment on every edit
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
@ IN NS ns
www IN A 192.168.45.128
test IN A 192.168.45.2
ns IN A 192.168.45.129
通过配置日志,来获取IP,进而设定BIND视图
[root@localhost named]# cat /etc/named.conf
'''''
// Logging: keep BIND's default debug channel and add a query log, so the
// source addresses of requests can be collected and used to build the view acls.
// NOTE(review): with named-chroot the log path is resolved inside the chroot;
// make sure /var/log/dns exists there and is writable by the named user, or
// named will fail to open the channel.
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel query_log { # channel that records every query received
file "/var/log/dns/query.log" versions 5 size 30m; # rotate at 30 MB, keep 5 old files
severity info;    
print-time yes;
print-category yes;
};
category queries {
query_log;
};
};
'''''
//持续升级BIND
//BIND监控


转载自blog.csdn.net/weixin_33796205/article/details/87417240