8. Split-horizon resolution (two-way resolution)
Lab environment:
- One DNS server host with two network cards
- Two client hosts
Split-horizon ("two-way") resolution: the same name resolved from the two clients returns different A records, because the server picks a different view depending on the source address the query arrives from.
8.1 Server side
Set up the DNS server as a dual-network-card host:
ens160: 192.168.43.101
ens192: 1.1.1.101
cp -p /var/named/westos.org.zone /var/named/westos.org.zone.inter
: Copy the existing zone file as a template for the second view
vim /var/named/westos.org.zone.inter
: Edit the zone file for the second view
:%s/192.168.43/1.1.1/g   # vim: replace every 192.168.43 address with 1.1.1 in one go
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter.zones
: Copy the zone-definition file for the second view
vim /etc/named.rfc1912.inter.zones
: Edit the zone-definition file
zone "westos.org" IN {
type master;                       # this server is the master for the zone
file "westos.org.zone.inter";      # zone file used by this view
allow-update { none; };            # hosts allowed to send dynamic updates (none)
};
vim /etc/named.conf
: Edit the main configuration file
Comment out lines 52-58 (the default root hint zone "." and the include lines): once named.conf defines views, every zone statement must sit inside a view, so these are re-added inside the views below
view localhost {                    # checked first: the internal network must be listed before the catch-all view
match-clients { 192.168.43.0/24; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
};
view internet {                     # everything that did not match the first view
match-clients { any; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.inter.zones";
};
include "/etc/named.root.key";
systemctl restart named
: Restart service
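The named.conf above works because BIND tries the views in the order they are written and answers from the first one whose match-clients ACL matches the querying address. The following Python model is an added example, not part of the original post: it reproduces that first-match rule for the two views on this page (the view names, networks and zone file names are the page's; the helper names are mine) and shows that listing the catch-all view first would silently hide the internal view from every client.

```python
import ipaddress

# Views exactly as ordered in the named.conf above: (view name, match-clients ACL).
VIEWS = [
    ("localhost", ["192.168.43.0/24"]),
    ("internet", ["any"]),
]

# Zone file each view includes on this page (via its rfc1912 zones file).
VIEW_ZONE_FILES = {
    "localhost": "westos.org.zone",        # answers with 192.168.43.x addresses
    "internet": "westos.org.zone.inter",   # answers with 1.1.1.x addresses
}


def acl_matches(acl_entry, client_ip):
    """Return True if one match-clients entry matches the client address.
    Supports the address-match forms used on this page: 'any', 'none',
    a CIDR network and a single address (treated as a /32)."""
    if acl_entry == "any":
        return True
    if acl_entry == "none":
        return False
    return client_ip in ipaddress.ip_network(acl_entry, strict=False)


def select_view(client, views=VIEWS):
    """Name of the first view whose ACL matches, or None when no view matches
    (BIND then refuses the query)."""
    ip = ipaddress.ip_address(client)
    for name, acl in views:
        if any(acl_matches(entry, ip) for entry in acl):
            return name
    return None


def answered_zone_file(client, views=VIEWS):
    """Which zone file the client's answer will come from."""
    return VIEW_ZONE_FILES.get(select_view(client, views))


if __name__ == "__main__":
    # The two clients from the test below plus an outside address.
    for client in ("192.168.43.121", "1.1.1.111", "10.0.0.5"):
        print(f"{client:16} -> view {select_view(client)!r:12} "
              f"file {answered_zone_file(client)}")
    # Reversing the order puts the 'any' view first: the internal network
    # never reaches its own view.
    print("reversed order:", select_view("192.168.43.121", list(reversed(VIEWS))))
```

The model is also a quick way to sanity-check a real ACL list before restarting named: paste the match-clients entries in the order they appear and confirm that each client network lands in the view you intend.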
8.2 Client test
Test 1: client with IP 192.168.43.121
vim /etc/resolv.conf
: Point the resolver at the DNS server
nameserver 192.168.43.101   # the DNS host's address on the 192.168.43 network
dig www.westos.org
: The query returns 192.168.43.222
Test 2: client with IP 1.1.1.111
vim /etc/resolv.conf
: Point the resolver at the DNS server
nameserver 1.1.1.101   # the DNS host's address on the 1.1.1 network
dig www.westos.org
: The query returns 1.1.1.222
9. DNS cluster (secondary DNS)
In practice a single DNS server may not be able to withstand heavy query traffic. A DNS cluster, in which one or more secondary servers hold copies of the zone, shares that load.
9.1 Server side (primary DNS)
IP: 192.168.43.101
vim /etc/named.conf
: Revert the changes from the previous experiment (remove the two views)
vim /etc/named.rfc1912.zones
: Zone-definition file (add the secondary DNS)
zone "westos.org" IN {
type master;
file "westos.org.zone";
allow-update { none; };
also-notify { 192.168.43.111; };   # secondary DNS host to notify as soon as the zone changes
};
systemctl restart named
: Restart the service
Also restrict zone transfers on the primary with the allow-transfer option, listing only the secondary's address: BIND's historical default allowed any client to pull the whole zone with an AXFR, which hands an attacker a complete inventory of the names in it.
9.2 Secondary DNS configuration
IP: 192.168.43.111
# Point the resolver at the primary server and check that it can be reached
vim /etc/resolv.conf
change to ===> nameserver 192.168.43.101
# Check that dig succeeds; if it does, continue with the steps below
dig www.westos.org
- Install and start the service
dnf install bind -y                              # install the DNS package
systemctl start named.service                    # start the service
firewall-cmd --permanent --add-service=dns       # allow DNS through the firewall
firewall-cmd --reload                            # reload the firewall rules
vim /etc/named.rfc1912.zones
: Zone-definition file
zone "westos.org" IN {
type slave;                        # role: secondary (slave) DNS for this zone
masters { 192.168.43.101; };       # the primary DNS
file "slaves/westos.org.zone";     # file the transferred zone data is written to
};
vim /etc/named.conf
: Edit the main configuration file
listen-on port 53 { any; };     # listen on port 53 on all local interfaces
allow-query { any; };           # clients allowed to query
dnssec-validation no;           # disable DNSSEC validation so the server can cache answers from outside
(Turning off dnssec-validation removes the check that answers cached from outside are authentic; it is done here only to keep the lab simple.)
ls /var/named/slaves/
: Check the directory: no files yet
systemctl restart named
: Restart the service
ls /var/named/slaves/
: The transferred zone data file westos.org.zone now appears
(Deleting the secondary's zone data file and restarting the service would also pull the primary's current data, but doing that after every change is too cumbersome in an enterprise setting.)
9.3 Client test
IP: 192.168.43.121
- Modify the primary DNS server: make primary and secondary data synchronize and update automatically
vim /var/named/westos.org.zone
: When an A record is changed on the primary, the SOA serial must be changed at the same time, or the secondary will not pick up the change (the serial can only be increased, never decreased)
systemctl restart named
: Restart the service
- Client
vim /etc/resolv.conf
: Point the resolver at the secondary DNS IP
nameserver 192.168.43.111   # secondary DNS host IP
dig www.westos.org
: The query resolves with the updated information; success!
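The serial rule above is the step most often forgotten when a zone is edited by hand. As an added example (not from the original post), the Python below bumps the serial of a zone file in the usual YYYYMMDDnn style and checks the result with the comparison rule BIND actually uses (RFC 1982 serial arithmetic, in which a value counts as newer only if it is ahead by less than 2^31 modulo 2^32), so a serial that goes down or jumps too far is caught before the secondary silently keeps its stale copy. The sample zone is a constructed stand-in for /var/named/westos.org.zone; the function names are mine.

```python
import re
from datetime import date

# Constructed sample zone in the layout of the Red Hat template.
SAMPLE_ZONE = """$TTL 1D
@       IN SOA  dns.westos.org. root.westos.org. (
                                        2024051001      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.org.
dns     A       192.168.43.101
www     A       192.168.43.222
"""

# The serial line as written by the template: digits followed by a '; serial' comment.
SERIAL_RE = re.compile(r"^(\s*)(\d+)(\s*;\s*serial\b.*)$", re.MULTILINE)
MOD = 2 ** 32


def serial_is_newer(old, new):
    """RFC 1982: 'new' is newer than 'old' iff 0 < (new - old) mod 2^32 < 2^31.
    This is how a secondary decides whether to transfer the zone again."""
    diff = (new - old) % MOD
    return 0 < diff < 2 ** 31


def next_serial(old, today=None):
    """Next serial in YYYYMMDDnn style. 'today' is an int like 20240511 (defaults
    to the current date). If the old serial is already at or past today's base
    (several edits in one day, or a clock that went backwards), add one instead,
    so the value still moves forward."""
    if today is None:
        today = int(date.today().strftime("%Y%m%d"))
    base = today * 100
    candidate = base if old < base else (old + 1) % MOD
    if not serial_is_newer(old, candidate):
        raise ValueError(f"serial {candidate} would not be seen as newer than {old}")
    return candidate


def bump_serial(zone_text, today=None):
    """Return (new_text, old_serial, new_serial) for a zone file whose serial
    line carries the usual '; serial' comment."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no '; serial' line found in zone file")
    old = int(m.group(2))
    new = next_serial(old, today)
    # Replace only the digits, keeping the surrounding whitespace and comment.
    new_text = zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):]
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, 20240511)
    print(f"serial {old} -> {new}")
    print(text)
    # A serial that went backwards is rejected by secondaries:
    print("2024051001 newer than 2024051100?", serial_is_newer(2024051100, 2024051001))
```

After bumping the serial, rndc reload (or the restart used above) makes the primary send NOTIFY to the hosts in also-notify, and the secondary compares serials exactly as serial_is_newer does before transferring.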
10. DNS update
10.1 Update based on IP address
1 Server side, updates allowed by IP: 192.168.43.101
vim /etc/named.rfc1912.zones
: Zone-definition file
zone "westos.org" IN {
type master;
file "westos.org.zone";
allow-update { 192.168.43.20; };   # only this client address may update the westos.org zone (address-based trust; 10.2 replaces it with a key)
also-notify { 192.168.43.111; };
};
systemctl restart named
: Restart the service
2 DHCP host that performs the IP-based update: 192.168.43.20
vim /etc/dhcp/dhcpd.conf
nsupdate is the dynamic DNS update tool: it submits update requests to the DNS server and adds or deletes resource records in the zone without the zone file being edited by hand.
# Add a record
nsupdate
> server 192.168.43.101
> update add linux.westos.org 86400 A 192.168.43.222   # add an A record
> send
# Delete the A record
nsupdate
> update delete linux.westos.org
> send
3 Client test of the IP-based update:
Enable DHCP so the client is assigned an address; check that it received 192.168.43.70
- Before the DHCP host has added the A record, the client tests
dig linux.westos.org
- After the DHCP host adds linux.westos.org, the client tests
dig linux.westos.org
- After the DHCP host deletes linux.westos.org, the client tests
dig linux.westos.org
10.2 Update based on a key
dnssec-keygen options used below:
Option | Meaning
---|---
-a algorithm | Algorithm used to generate the key
-b keysize | Key size in bits
-n nametype | Owner type of the key (ZONE, HOST, ENTITY, USER, OTHER)
1 Server side, updates allowed by key:
cd /mnt/
: Enter the directory
dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST sdsnzy
: Generate the key
ls
: Two key files are generated
Ksdsnzy.+163+13502.key        # "public" key file
Ksdsnzy.+163+13502.private    # private key file
# Naming: K<key name>.+<algorithm number>+<key id>; 163 is the number for HMAC-SHA256
cat /mnt/Ksdsnzy.+163+13502.key
: View the key file; an HMAC key is symmetric, so the .key file contains the same shared secret as the .private file and must be protected just as carefully
cp -p /etc/rndc.key /etc/sdsnzy.key
: Copy the key file template and rename it
vim /etc/sdsnzy.key
: Edit the key file
key "sdsnzy" {
algorithm hmac-sha256;                  # algorithm of the key
secret "ILYkvMmYDFhyPpWAKE/jqQ==";      # the secret string from the key file generated above
};
vim /etc/named.conf
: Add the key to the main configuration file
include "/etc/sdsnzy.key";   # include the key file
vim /etc/named.rfc1912.zones
: Zone-definition file
zone "westos.org" IN {
type master;
file "westos.org.zone";
allow-update { key sdsnzy; };   # only updates signed with key "sdsnzy" may change the westos.org zone
};
systemctl restart named
: Restart the service
scp /mnt/Ksdsnzy.+163+13502.* [email protected]:/mnt
: Copy the key files to the DHCP host
2 DHCP host, update signed with the key:
nsupdate -k /mnt/Ksdsnzy.+163+13502.private
: nsupdate reads the key from the file and signs every update with it
> server 192.168.43.101   # DNS host
> update add linux.westos.org 86400 A 172.25.254.33   # change this name's resolution
> send   # the update is applied when sent
> quit
3 Client test of the key-based update:
The client's assigned IP is 192.168.43.70
- Before the DHCP host sends the update, the client tests
dig linux.westos.org
- When the DHCP host sends the update without the key, the update is rejected
- After the DHCP host updates the record with the key, the client tests
dig linux.westos.org
- After the DHCP host deletes linux.westos.org with the key, the client tests
dig linux.westos.org
11. DDNS (Peanut Shell-style dynamic DNS) (dhcp+dns)
DDNS (Dynamic Domain Name Server, dynamic domain name service) maps a user's changing IP address to a fixed domain name. Each time the user connects to the network, a client program sends the host's current IP address to the provider's server program, which runs the DNS service and resolves the domain name dynamically.
In other words, DDNS captures the user's IP address every time it changes and binds it to the domain name, so the name always resolves to a server whose IP is not fixed; Internet users look the name up through their local resolver and reach the site.
11.1 DNS host configuration
rm -fr /var/named/westos.org.zone.jnl
: Remove the .jnl journal file that each dynamic update in the previous experiment created (the cleaner way to hand-edit a dynamically updated zone is rndc freeze, edit, rndc thaw, which writes the journal into the zone file instead of discarding it)
vim /var/named/westos.org.zone
: Delete the A record pointing to the client host (if one was added earlier)
systemctl restart named
: Restart the service
cat /etc/sdsnzy.key
: The key file created in the previous experiment
11.2 DHCP host configuration
- Install dhcp
dnf install dhcp-server.x86_64 -y
cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
: Edit the configuration file and define the addresses to hand out
option domain-name "westos.org";               # domain name
option domain-name-servers 192.168.43.101;     # DNS server
ddns-update-style interim;                     # dynamic DNS update mode
## delete lines 27/28 of the example file
subnet 192.168.43.0 netmask 255.255.255.0 {
range 192.168.43.70 192.168.43.80;
}
## delete everything after line 35 and add the following
key sdsnzy {                        # key name, must match the key in named's /etc/sdsnzy.key
algorithm hmac-sha256;              # algorithm
secret ILYkvMmYDFhyPpWAKE/jqQ==;    # the secret from the key file
}
zone westos.org. {
primary 192.168.43.101;             # DNS host IP; 127.0.0.1 also works when dhcp and dns run on the same host
key sdsnzy;                         # key name
}
systemctl restart dhcpd
: Restart the dhcpd service
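Sections 10.2 and 11.2 both depend on the same TSIG secret appearing byte for byte in three places: the K<name>.+163+<id>.key file written by dnssec-keygen, the key stanza that named.conf includes, and the key stanza in dhcpd.conf. A mismatch in any of name, algorithm or secret makes named refuse the update, which is the usual cause of a DDNS lab "not working". The Python below is an added example (not the post's or BIND's code) serving both sections: it parses the KEY record line as dnssec-keygen writes it (format assumed from the tool's output, e.g. `sdsnzy. IN KEY 512 3 163 <secret>`), renders the named.conf and dhcpd.conf stanzas from one parsed key, and checks that a given pair of stanzas agree and that the secret really is the declared 128 bits. The key name sdsnzy and the secret used in the test are the page's; the algorithm numbers are the ones BIND assigns to its HMAC algorithms; the helper names are mine.

```python
import base64
import binascii
import re
import secrets

# Algorithm numbers BIND's dnssec-keygen uses in the K*.key file name and KEY
# record for TSIG (HMAC) keys; 163 is the one on this page.
HMAC_ALG_NUMBERS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
                    163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

# One line of a K<name>.+<alg>+<id>.key file (assumed format; optional TTL field).
KEY_LINE_RE = re.compile(
    r"^(?P<name>\S+?)\.?\s+(?:\d+\s+)?IN\s+KEY\s+\d+\s+\d+\s+(?P<alg>\d+)\s+(?P<secret>\S+)$")

# A key stanza in named.conf style (quoted values) or dhcpd.conf style (unquoted).
STANZA_RE = re.compile(
    r'key\s+"?(?P<name>[\w.-]+)"?\s*\{[^}]*?'
    r'algorithm\s+(?P<alg>[\w-]+)\s*;[^}]*?'
    r'secret\s+"?(?P<secret>[A-Za-z0-9+/=]+)"?\s*;')


def generate_secret(bits=128):
    """Fresh random secret of the requested size, base64 encoded like dnssec-keygen's."""
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()


def parse_keygen_public(line):
    """Parse the KEY record line of a dnssec-keygen .key file into name/algorithm/secret."""
    m = KEY_LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not a dnssec-keygen KEY line")
    alg = int(m.group("alg"))
    if alg not in HMAC_ALG_NUMBERS:
        raise ValueError(f"algorithm number {alg} is not a TSIG (HMAC) algorithm")
    return {"name": m.group("name"), "algorithm": HMAC_ALG_NUMBERS[alg],
            "secret": m.group("secret")}


def named_key_stanza(key):
    """Stanza for /etc/sdsnzy.key (included from named.conf)."""
    return (f'key "{key["name"]}" {{\n'
            f'    algorithm {key["algorithm"]};\n'
            f'    secret "{key["secret"]}";\n'
            f'}};\n')


def dhcpd_stanzas(key, zone, primary):
    """key and zone stanzas for dhcpd.conf (no quotes, no trailing ';' after '}')."""
    return (f'key {key["name"]} {{\n'
            f'    algorithm {key["algorithm"]};\n'
            f'    secret {key["secret"]};\n'
            f'}}\n'
            f'zone {zone}. {{\n'
            f'    primary {primary};\n'
            f'    key {key["name"]};\n'
            f'}}\n')


def parse_key_stanza(text):
    """Read name/algorithm/secret back out of either stanza style."""
    m = STANZA_RE.search(text)
    if m is None:
        raise ValueError("no key stanza found")
    return {"name": m.group("name"), "algorithm": m.group("alg").lower(),
            "secret": m.group("secret")}


def check_pair(named_text, dhcpd_text, expected_bits=128):
    """List of problems that would make named reject dhcpd's signed updates
    (empty list means the two configurations agree)."""
    a, b = parse_key_stanza(named_text), parse_key_stanza(dhcpd_text)
    problems = []
    for field in ("name", "algorithm", "secret"):
        if a[field] != b[field]:
            problems.append(f"{field} differs: named has {a[field]!r}, dhcpd has {b[field]!r}")
    try:
        raw = base64.b64decode(a["secret"], validate=True)
    except binascii.Error:
        problems.append("secret in named.conf is not valid base64")
    else:
        if len(raw) * 8 != expected_bits:
            problems.append(f"secret is {len(raw) * 8} bits, expected {expected_bits}")
    return problems


if __name__ == "__main__":
    # Fresh key with the page's name; in the lab the secret comes from the K*.key file.
    key = {"name": "sdsnzy", "algorithm": "hmac-sha256", "secret": generate_secret(128)}
    named_text = named_key_stanza(key)
    dhcpd_text = dhcpd_stanzas(key, "westos.org", "192.168.43.101")
    print(named_text)
    print(dhcpd_text)
    print("problems:", check_pair(named_text, dhcpd_text))
```

Run check_pair on the real /etc/sdsnzy.key and /etc/dhcp/dhcpd.conf contents before restarting the services; a stray space or a re-typed secret shows up here rather than as a refused update in the named log.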
11.3 Client configuration
- The client obtains its IP from DHCP, then tests
dig node2.westos.org
: The client's own hostname (node2) resolves successfully!