[Linux study notes 25-2] Enterprise DNS server construction (part 2): two-way (split-view) resolution, DNS cluster, DNS update, dhcp+dns dynamic domain name service

8. Two-way resolution

Lab environment:

  1. One DNS server host with two network cards
  2. Two client hosts

Two-way resolution (split-view DNS): the same name queried from the two clients returns different A records, because named answers each client from the view that matches its source address.

8.1 Server side

The server has two network cards:
ens160: 192.168.43.101
ens192: 1.1.1.101

  1. cp -p /var/named/westos.org.zone /var/named/westos.org.zone.inter: copy the existing zone file as the template for the second view
  2. vim /var/named/westos.org.zone.inter: edit the zone file for the second view
     :%s/192.168.43/1.1.1/g	# vim substitute: rewrite every 192.168.43 address as 1.1.1 in one go


  3. cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter.zones: copy the zone definition file for the second view
  4. vim /etc/named.rfc1912.inter.zones: edit the zone definition file
zone "westos.org" IN {
        type master;	# this server is the master for the zone
        file "westos.org.zone.inter";	# zone file used by the second view
        allow-update { none; };	# hosts allowed to send dynamic updates
};


  5. vim /etc/named.conf: edit the main configuration file
Comment out lines 52-58 and add the two views below. named tries the views in file order and answers from the first one whose match-clients list accepts the client's source address.
view localhost {
        match-clients { 192.168.43.0/24; };	# clients on the 192.168.43 network
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
};

view inetrnet {
        match-clients { any; };	# every other client
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.inter.zones";
};
include "/etc/named.root.key";


  6. systemctl restart named: restart the service
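To see why the two clients below get different answers, here is an added example (not code from the original post) that emulates named's first-match view selection for the two views configured above. The view names and match-clients lists are the ones on the page; the helper functions are constructed for this note.

```shell
# Added example (not from the original post): emulate the first-match view
# selection named applies to the two views above. View names and match-clients
# lists are the ones on the page; the helpers are constructed for this note.

# Dotted IPv4 address -> 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Returns 0 when address $1 lies inside CIDR block $2 (e.g. 192.168.43.0/24).
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# named walks the views in file order and answers from the first one whose
# match-clients accepts the query's source address. Only that address decides,
# which is why the same name gets different answers in the two tests below;
# a view boundary is a routing decision, not authentication of the client.
view_for_client() {
    if in_cidr "$1" 192.168.43.0/24; then
        echo localhost    # view localhost { match-clients { 192.168.43.0/24; }; }
    else
        echo inetrnet     # view inetrnet  { match-clients { any; }; }
    fi
}
```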

8.2 Client test


Test 1: client IP 192.168.43.121

  1. vim /etc/resolv.conf: point the resolver at the DNS host
     nameserver 192.168.43.101	# the DNS host's address on the 192.168.43 network
  2. dig www.westos.org: the answer is 192.168.43.222

Test 2: client IP 1.1.1.111

  1. vim /etc/resolv.conf: point the resolver at the DNS host
     nameserver 1.1.1.101	# the DNS host's address on the 1.1.1 network
  2. dig www.westos.org: the answer is 1.1.1.222



9. DNS cluster (secondary DNS)

In practice a single DNS server may not be able to withstand heavy query traffic, so we build a DNS cluster (a primary plus secondary servers) to share the load.


9.1 Server side (primary DNS side)

IP:192.168.43.101

  1. vim /etc/named.conf: revert the view changes made in the previous experiment
  2. vim /etc/named.rfc1912.zones: zone definition file (add the secondary DNS)
zone "westos.org" IN {
        type master;
        file "westos.org.zone";
        allow-update { none; };
        also-notify { 192.168.43.111; };	# secondary DNS host to notify actively when the zone changes
};


  3. systemctl restart named: restart the service

9.2 Secondary DNS configuration

IP: 192.168.43.111

# Point the resolver at the primary server and check that it can be reached
vim /etc/resolv.conf
    nameserver 192.168.43.101
# Check that dig succeeds; if it does, continue with the experiment
dig www.westos.org
  1. Install and start the service
dnf install bind -y	# install the DNS package
systemctl start named.service	# start the service
firewall-cmd --permanent --add-service=dns	# allow dns through the firewall
firewall-cmd --reload	# reload the firewall rules
  2. vim /etc/named.rfc1912.zones: zone definition file
zone "westos.org" IN {
        type slave;	# role: secondary DNS
        masters { 192.168.43.101; };	# primary DNS
        file "slaves/westos.org.zone";	# file that receives the transferred zone data
};


  3. vim /etc/named.conf: edit the main configuration file
listen-on port 53 { any; };	# listen on port 53 on all local interfaces
allow-query     { any; };	# clients allowed to query A records
dnssec-validation no;	# disable DNSSEC validation so named can cache external answers locally


  4. ls /var/named/slaves/: the directory is still empty
  5. systemctl restart named: restart the service
  6. ls /var/named/slaves/: the transferred zone file westos.org.zone has appeared


(Deleting the secondary's transferred zone file and restarting the service also pulls the primary's current data, but in an enterprise this is more troublesome than letting the serial-driven transfer do it.)


9.3 Client test

IP:192.168.43.121

  • On the primary DNS: make a change and have it synchronise to the secondary automatically
  1. vim /var/named/westos.org.zone: modify the A record on the primary and increase the serial value at the same time; the secondary only transfers the zone when the serial has grown (the serial can only go up, never down)
  2. systemctl restart named: restart the service

  • On the client
  1. vim /etc/resolv.conf: point the resolver at the secondary DNS
     nameserver 192.168.43.111	# secondary DNS host IP
  2. dig www.westos.org.: the query succeeds and the secondary returns the updated record
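The serial step above is easy to forget by hand, so here is an added example (not code from the original post) that raises the SOA serial of a zone file before the restart. It assumes the serial is the first bare number on its own line after the SOA line, as in BIND's named.localhost template; the zone file in the test is constructed.

```shell
# Added example (not from the original post): raise the SOA serial of a zone
# file so the secondary transfers the change. Assumes the serial is the first
# bare number on its own line after the SOA line (named.localhost layout).

# Print the current serial of zone file $1.
get_serial() {
    awk '/SOA/ {s=1; next} s && $1 ~ /^[0-9]+$/ {print $1; exit}' "$1"
}

# Next serial: today's YYYYMMDD00 if that is higher than the current value,
# otherwise current + 1. A secondary only transfers when the serial grows,
# and the value must stay below 2^32.
next_serial() {
    cur=$1
    today=$(date +%Y%m%d)00
    if [ "$today" -gt "$cur" ]; then echo "$today"; else echo $(( cur + 1 )); fi
}

# Rewrite the serial of zone file $1 in place and print the new value.
# The file is overwritten through cat so its owner and mode stay as named expects.
bump_serial() {
    old=$(get_serial "$1")
    [ -n "$old" ] || { echo "no serial found in $1" >&2; return 1; }
    new=$(next_serial "$old")
    awk -v new="$new" \
        '/SOA/ {s=1} s && !done && $1 ~ /^[0-9]+$/ {sub(/[0-9]+/, new); done=1} {print}' \
        "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
    echo "$new"
}
```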




10. DNS update

10.1 Update based on IP address

1) Server side (192.168.43.101), updates allowed by IP:

  1. vim /etc/named.rfc1912.zones: zone definition file
zone "westos.org" IN {
        type master;
        file "westos.org.zone";
        allow-update { 192.168.43.20; };	# only this client may send dynamic updates for westos.org
        also-notify { 192.168.43.111; };
};
allow-update by address trusts only the source address of the update packet, which is why section 10.2 switches to updates signed with a key.


  2. systemctl restart named: restart the service

2) Updating host (the dhcp host, 192.168.43.20), allowed by IP:

vim /etc/dhcp/dhcpd.conf

nsupdate is a dynamic DNS update tool that submits update requests to the DNS server. It can add or delete resource records in a zone without editing the zone file by hand.



# add a record
nsupdate
> server 192.168.43.101
> update add linux.westos.org 86400 A 192.168.43.222	# add an A record with a TTL of 86400 seconds
> send
# delete the A record (without a server line, nsupdate sends to the primary named in the zone's SOA record)
nsupdate
> update delete linux.westos.org
> send

3) Client test, allowed by IP:

Start dhcp so that it assigns an address; the client receives 192.168.43.70

  1. Before the DHCP host has added the A record, the client tests dig linux.westos.org
  2. After the DHCP host adds linux.westos.org, the client tests dig linux.westos.org
  3. After the DHCP host deletes linux.westos.org, the client tests dig linux.westos.org


10.2 Update based on key


dnssec-keygen [options] [parameters] name
  -a algorithm   algorithm used to generate the key
  -b keysize     key size in bits
  -n nametype    owner type of the key (ZONE, HOST, ENTITY, USER, OTHER)

1) Server side, updates allowed by key:

  1. cd /mnt/: enter the working directory
  2. dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST sdsnzy: generate the key
  3. ls: two key files are generated
     Ksdsnzy.+163+13502.key	# "public" part
     Ksdsnzy.+163+13502.private	# private part
     # naming: K<key name>.+<algorithm number>+<key id>
     For an HMAC (TSIG) key both files hold the same shared secret, so the .key file must be protected like the .private one.
  4. cat /mnt/Ksdsnzy.+163+13502.key: view the key file and copy the secret


  5. cp -p /etc/rndc.key /etc/sdsnzy.key: copy the rndc key file as a template and rename it
  6. vim /etc/sdsnzy.key: edit the key file
key "sdsnzy" {
        algorithm hmac-sha256;	# algorithm of the key
        secret "ILYkvMmYDFhyPpWAKE/jqQ==";	# secret string taken from the key file
};


  7. vim /etc/named.conf: add the key to the main configuration file
include "/etc/sdsnzy.key";	# include the key file


  8. vim /etc/named.rfc1912.zones: zone definition file
zone "westos.org" IN {
        type master;
        file "westos.org.zone";
        allow-update { key sdsnzy; };	# only updates signed with key sdsnzy may change westos.org
};


  9. systemctl restart named: restart the service
  10. scp /mnt/Ksdsnzy.+163+13502.* [email protected]:/mnt: send the key files to the DHCP host



2) Updating host (the dhcp host), allowed by key:

nsupdate -k /mnt/Ksdsnzy.+163+13502.private: read the key from the private key file and sign the update with it

> server 192.168.43.101	# DNS host
> update add linux.westos.org 86400 A 172.25.254.33	# add this name's A record
> send	# send the signed update
> quit

3) Client test, allowed by key:

The client's assigned IP is 192.168.43.70

  1. Before the DHCP host sends the update, the client tests dig linux.westos.org
  2. When the DHCP host tries the update without the key, the update is rejected
  3. After the DHCP host updates with the key, the client tests dig linux.westos.org
  4. After the DHCP host deletes linux.westos.org with the key, the client tests dig linux.westos.org



11. DDNS (Peanut Shell) (dhcp+dns)

DDNS (Dynamic Domain Name Server, dynamic domain name service) maps a user's changing IP address to a fixed domain name. Each time the user connects to the network, a client program sends the host's current dynamic IP address to the server program on the service provider's host; the server program provides the DNS service and performs the dynamic domain name resolution.
In other words, DDNS captures the user's IP address every time it changes and binds it to the domain name, so the name always resolves to a server whose IP is not fixed, and Internet users can reach the site's services through their local name server.

11.1 DNS host configuration

  1. rm -fr /var/named/westos.org.zone.jnl: remove the journal file that named created automatically for each dynamic update in the previous experiment (rndc sync -clean is the supported way to fold the journal into the zone file while named is running)
  2. vim /var/named/westos.org.zone: delete the A record pointing to the client host (if one was added earlier)
  3. systemctl restart named: restart the service
  4. cat /etc/sdsnzy.key: the key file created in the previous experiment

11.2 dhcp host configuration

  1. Install dhcp
dnf install dhcp-server.x86_64 -y
cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
  2. vim /etc/dhcp/dhcpd.conf: edit the configuration file and assign addresses
option domain-name "westos.org";	# domain name handed to clients
option domain-name-servers 192.168.43.101;	# DNS server handed to clients
ddns-update-style interim;	# dynamic DNS update style: interim
## delete lines 27/28
subnet 192.168.43.0 netmask 255.255.255.0 {
  range 192.168.43.70 192.168.43.80;
}
## delete everything after line 35 and add the following
key sdsnzy {	# key name
        algorithm hmac-sha256;	# algorithm
        secret ILYkvMmYDFhyPpWAKE/jqQ==;	# secret from the key file
}
zone westos.org. {
        primary 192.168.43.101;	# DNS host IP; if dhcp and dns run on the same host, 127.0.0.1 also works
        key sdsnzy;	# key name
}


  3. systemctl restart dhcpd: restart the dhcpd service
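The same base64 secret has to appear in the dnssec-keygen K*.private file, in named's /etc/sdsnzy.key (section 10.2) and in the key clause of dhcpd.conf (section 11.2); when any copy differs, named rejects the update, which is the "rejected" result seen in the key-based test. Here is an added preflight check (not code from the original post) that compares the three copies and confirms the private key file is readable only by its owner; file paths are arguments and the sample files in the test are constructed.

```shell
# Added example (not from the original post): preflight check for the shared
# TSIG secret across K*.private, named's key file and dhcpd.conf.

# Secret from a named or dhcpd key clause. Both spellings are accepted:
#   secret "base64...";   (named)      secret base64...;   (dhcpd)
clause_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' "$1"
}

# Secret from a dnssec-keygen K*.private file (line "Key: base64...").
private_key_secret() {
    sed -n 's/^Key:[[:space:]]*//p' "$1"
}

# Returns 0 when file $1 is readable by its owner only (mode 600, 400 or 700).
# GNU stat first; the -f form is the BSD/macOS fallback.
owner_only() {
    case $(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1") in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# $1 = K*.private, $2 = named key file, $3 = dhcpd.conf (optional).
# Returns 0 only when every file holds the same secret and $1 is owner-only.
tsig_preflight() {
    ref=$(private_key_secret "$1")
    [ -n "$ref" ] || { echo "no Key: line in $1" >&2; return 1; }
    owner_only "$1" || { echo "$1 is readable by other users; chmod 600 it" >&2; return 1; }
    for f in "$2" ${3:+"$3"}; do
        [ "$(clause_secret "$f")" = "$ref" ] || { echo "secret in $f differs from $1" >&2; return 1; }
    done
    return 0
}
```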

11.3 Client configuration

  • The client obtains an address by DHCP, then tests dig node2.westos.org: it resolves its own name successfully.


Origin blog.csdn.net/weixin_46069582/article/details/110874125