DNS domain name resolution and configuration on Linux

DNS concept

In daily life, people are used to accessing servers by domain name, but machines only recognize each other by IP address. There is a many-to-one relationship between domain names and IP addresses: an IP address does not necessarily correspond to a single domain name, while a domain name corresponds to only one IP address. The conversion between the two is called domain name resolution. It is performed by dedicated domain name resolution servers, and the whole process is automatic.

Definition of DNS

  • DNS is the abbreviation of "Domain Name System". It is a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet.
  • The DNS service uses TCP and UDP port 53: TCP port 53 is used to connect to the DNS server, and UDP port 53 is used for DNS resolution.
  • Each level (label) of a domain name is limited to 63 characters, and the total length of a domain name cannot exceed 253 characters.

Domain name structure

http://www.sina.com.cn./
http://hostname.subdomain.second-level-domain.top-level-domain./   (the trailing "." is the root domain)

The top level of the tree structure is called the root domain, which is written as ".". The corresponding server is called the root server. The authority to resolve the entire domain name space belongs to the root server, but the root server cannot bear such a huge load, so a "delegation" mechanism is used: several top-level domains are set up under the root domain, and the authority to resolve each top-level domain is delegated to the corresponding top-level domain server. For example, resolution of the com domain is delegated to the com domain server; afterwards, any resolution request for a domain name ending in com that the root server receives is forwarded to the com domain server. For the same reason, in order to reduce the load on the top-level domains, a number of second-level domains are set up, and under the second-level domains third-level domains or hosts are set up.


  • Root domain: at the top of the domain name space, generally represented by ".".
  • Top-level domains: generally represent a type of organization or a country, such as .net (network provider), .com (business enterprise), .org (group organization), .edu (educational institution), .gov (government department), .cn (China's national domain).
  • Second-level domains: indicate a specific organization within a top-level domain. The second-level domain names under a national top-level domain are managed by that country's network authority. For example, the second-level domain names set up under the .cn top-level domain include .com.cn, .net.cn and .edu.cn.
  • Subdomains: the domains at all levels created under the second-level domains are collectively referred to as subdomains. Each organization or user can freely apply to register its own domain names.
  • Host: the host is at the lowest level of the domain name space and is a specific computer. For example, www and mail are specific computer names, written as www.sina.com.cn. and mail.sina.com.cn. This form is called the FQDN (Fully Qualified Domain Name), the full name of the host in the domain name space.

DNS domain name resolution method

  • Forward resolution: Find the corresponding IP address according to the domain name
  • Reverse resolution: Find the corresponding domain name based on the IP address

DNS server type

  • Primary domain name server: responsible for maintaining all the domain name information of a zone. It is the authoritative source of that information, and its data can be modified. When building a primary domain name server, you need to create the address data file of the zone it is in charge of yourself.

  • Secondary domain name server: when the primary domain name server fails, is shut down, or is overloaded, the secondary domain name server acts as a backup and provides domain name resolution. The resolution results provided by the secondary server are not determined locally; they come from the primary domain name server. When building a secondary domain name server, you need to specify the location of the primary server so that the secondary can automatically synchronize the zone's address database.

  • Caching domain name server: it only caches domain name resolution results to improve query speed and efficiency; it has no domain name database of its own. It obtains the result of each query from a remote server, places it in its cache, and uses the cached result to answer later queries for the same information. A caching domain name server is not an authoritative server, because all the information it provides is indirect. When building a caching domain name server, you must configure the root zone or designate another DNS server as the source of resolution.

  • Forwarding domain name server: responsible for local queries of all non-local domain names. After receiving a query, the forwarding domain name server searches its cache; if the answer is not found there, it forwards the request to the specified domain name servers in turn until a result is found, otherwise it returns a result indicating that the name cannot be mapped.

Steps to construct DNS domain name resolution server

Install the bind package

yum -y install bind


Configure forward resolution (commands)

First check the path of the configuration file that needs to be modified

rpm -qc bind                    # query the paths of the bind package's configuration files
/etc/named.conf                 # main configuration file
/etc/named.rfc1912.zones        # zone configuration file
/var/named/named.localhost      # zone data file (template)

Modify the main configuration file

vim /etc/named.conf
options {
    listen-on port 53 { 192.168.249.10; };  # listen on port 53; use the local IP that provides the service, or any for all addresses
   #listen-on-v6 port 53 { ::1; };          # IPv6 line; comment it out or delete it if not used
    directory       "/var/named";           # default location of the zone data files
    dump-file       "/var/named/data/cache_dump.db";           # location of the domain name cache database file
    statistics-file "/var/named/data/named_stats.txt";         # location of the statistics file
    memstatistics-file "/var/named/data/named_mem_stats.txt";  # location of the memory statistics file
    allow-query     { any; };   # network segments allowed to use this DNS service; any means all
……
};
zone "." IN {                   # the "." root zone for forward resolution
    type hint;                  # type is the root (hint) zone
    file "named.ca";            # zone data file named.ca, which records the names and IP addresses of the 13 root servers
};
include "/etc/named.rfc1912.zones";     # include all the configuration in the zone configuration file

Modify the zone configuration file and add the forward zone configuration

vim /etc/named.rfc1912.zones    # the file contains templates; copy, paste and modify one
zone "xyz.com" IN {             # forward zone "xyz.com"
    type master;                # type is master (primary) zone
    file "xyz.com.zone";        # zone data file is xyz.com.zone
    allow-update { none; };     # can be left at the default
};

Configure the forward zone data file (comments in zone data files start with ";", not "#")

cd /var/named/
cp -p named.localhost xyz.com.zone      # copy while preserving the source file's permissions and owner
vim /var/named/xyz.com.zone
$TTL 1D                                 ; validity time of cached resolution results
@       IN SOA  xyz.com. admin.xyz.com. (   ; do not forget the trailing "." after the domain name and the mailbox
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
        NS      xyz.com.                ; name of the DNS server for this zone (required)
        A       192.168.249.10          ; IP address of that host (required)

        IN   MX    10   mail.xyz.com.   ; MX is the mail exchange record; the larger the number, the lower the priority
www     IN   A     192.168.249.20       ; forward resolution of www.xyz.com
mail    IN   A     192.168.249.21       ; forward resolution of the mail server
ftp     IN   CNAME www                  ; CNAME is an alias record: ftp is an alias of www
*       IN   A     192.168.249.200      ; wildcard resolution, "*" stands for any host name
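To show how BIND reads the file above (owner inheritance on indented lines, "@" and relative names, the multi-line SOA, CNAME chasing and the "*" wildcard), here is a small zone-file parser and lookup written for this article; it is an added example, not code from the post or from BIND. The ZONE string is the post's xyz.com.zone embedded as a constructed sample.

```python
import re

ZONE = """\
$TTL 1D
@       IN SOA  xyz.com. admin.xyz.com. (
                0 1D 1H 1W 3H )    ; serial refresh retry expire minimum
        NS      xyz.com.
        A       192.168.249.10
        IN   MX     10  mail.xyz.com.
www     IN   A      192.168.249.20
mail    IN   A      192.168.249.21
ftp     IN   CNAME  www
*       IN   A      192.168.249.200
"""

def qualify(name, origin):
    # "@" is the origin; a name without a trailing dot is relative to it
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return {owner: [(type, rdata), ...]}; an indented line keeps the
    previous owner, ';' comments and the SOA parentheses are dropped."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0)[1:-1].replace("\n", " "), text)
    records, owner = {}, origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if not line[0].isspace():
            first, line = line.split(None, 1)
            owner = qualify(first, origin)
        fields = line.split()
        if fields[0] == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0], " ".join(fields[1:])
        records.setdefault(owner, []).append(
            (rtype, qualify(rdata, origin) if rtype == "CNAME" else rdata))
    return records

def lookup(records, qname, qtype, origin):
    """Exact owner first, else the '*' wildcard; a CNAME is followed first."""
    qname = qualify(qname, origin)
    rrs = records.get(qname)
    if rrs is None:
        rrs = records.get("*." + qname.split(".", 1)[1], [])
    for rtype, rdata in rrs:
        if rtype == "CNAME" and qtype != "CNAME":
            return lookup(records, rdata, qtype, origin)
    return [rdata for rtype, rdata in rrs if rtype == qtype]

def soa_serial(records, origin):
    """A secondary only re-transfers the zone when this value increases."""
    return int(next(r for t, r in records[origin] if t == "SOA").split()[2])
```

Run `lookup(parse_zone(ZONE, "xyz.com."), "ftp", "A", "xyz.com.")` to see the alias resolve to the www address, and any unknown host name fall through to the wildcard address.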

Start the service, turn off the firewall

systemctl start named
systemctl stop firewalld
setenforce 0
# if the service fails to start, check the log file to find the error
tail -f /var/log/messages
# if the service hangs while starting, run the following command
rndc-confgen -r /dev/urandom -a

Add the DNS server address in the domain name resolution configuration file of the client

vim /etc/resolv.conf            # takes effect immediately after modification
nameserver 192.168.249.10
or
vim /etc/sysconfig/network-scripts/ifcfg-ens33      # the network interface must be restarted after modification
DNS1=192.168.249.10

systemctl restart network

Test DNS resolution

host www.xyz.com
nslookup www.xyz.com

Configure forward resolution (operation)

The steps above (checking the configuration file paths, modifying the main configuration file, modifying the zone configuration file, configuring the forward zone data file, starting the service and turning off the firewall, adding the DNS server address on the client, and testing DNS resolution on the client) were also carried out in practice and recorded as screenshots, which are not reproduced here.

Configure reverse resolution (commands)

Modify zone configuration file, add reverse zone configuration

vim /etc/named.rfc1912.zones            # the file contains templates; copy, paste and modify one
zone "249.168.192.in-addr.arpa" IN {    # the network address written in reverse; resolves the 192.168.249.0/24 addresses
    type master;
    file "xyz.com.zone.local";          # zone data file is xyz.com.zone.local
    allow-update { none; };
};

Configure reverse zone data file

cd /var/named/
cp -p named.localhost xyz.com.zone.local
vim /var/named/xyz.com.zone.local
$TTL 1D
@       IN SOA  xyz.com. admin.xyz.com. (   ; here "@" stands for the 192.168.249 network
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
        NS      xyz.com.
        A       192.168.249.20
20      IN  PTR     www.xyz.com.    ; PTR is the reverse pointer: 192.168.249.20 resolves to www.xyz.com.

Restart the service to test

systemctl restart named
host 192.168.249.20
nslookup 192.168.249.20

Configure reverse resolution (operation)

The steps above (modifying the zone configuration file to add the reverse zone, configuring the reverse zone data file, and restarting the service to test) were also carried out in practice and recorded as screenshots, which are not reproduced here.

Build master-slave domain name server (command)

Using the configuration environment above, modify the zone configuration file of the primary domain name server: edit both the forward and the reverse zone configuration.

vim /etc/named.rfc1912.zones
zone "xyz.com" IN {
    type master;                            # type is master zone
    file "xyz.com.zone";
    allow-transfer { 192.168.249.10; };     # allow the slave server to download the forward zone data; put the slave's IP address here
};

zone "249.168.192.in-addr.arpa" IN {
    type master;
    file "xyz.com.zone.local";
    allow-transfer { 192.168.249.10; };
};

Modify the master configuration file of the slave domain name server

yum -y install bind
vim /etc/named.conf
options {
   listen-on port 53 { 192.168.249.10; };   # listen on port 53; use the local IP that provides the service, or any for all addresses
   #listen-on-v6 port 53 { ::1; };
   directory       "/var/named";
   dump-file       "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   recursing-file  "/var/named/data/named.recursing";
   secroots-file   "/var/named/data/named.secroots";
   allow-query     { any; };                # network segments allowed to use this DNS service; any means all
  ……
};

Modify the zone configuration file of the slave domain name server and add the forward and reverse zone configuration

vim /etc/named.rfc1912.zones
zone "xyz.com" IN {
    type slave;                         # type is slave (secondary) zone
    masters { 192.168.249.20; };        # IP address of the master server
    file "slaves/xyz.com.zone";         # save the downloaded zone data file under the slaves/ directory
};

zone "249.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.249.20; };
    file "slaves/xyz.com.zone.local";
};

Restart the service on both the master and the slave, turn off the firewall, and check whether the zone data files have been downloaded successfully. Note that the slave only re-transfers a zone when the SOA serial on the master is higher than the one it already holds, so increase the serial every time you change a zone data file on the master.

systemctl restart named
systemctl stop firewalld     # turn off the firewall; this is required here
setenforce 0
ls -l /var/named/slaves/

Add the slave DNS server address in the domain name resolution configuration file of the client

echo "nameserver 192.168.249.20" >> /etc/resolv.conf
echo "nameserver 192.168.249.10" >> /etc/resolv.conf

Test

host 192.168.249.20
nslookup 192.168.249.20

# stop the service on the master server to simulate a master failure
systemctl stop named
host 192.168.249.20
nslookup 192.168.249.20

Build master-slave domain name server (operation)

The steps above (modifying the forward and reverse zone configuration on the primary server, turning off the firewall and restarting, installing bind and editing the main and zone configuration files on the secondary server, turning off the firewall and restarting, adding the secondary DNS server address on the client, testing, and simulating a failure of the main server) were also carried out in practice and recorded as screenshots, which are not reproduced here.

Configure the gateway server to build separate DNS resolution

A domain name server that performs split resolution is actually a primary domain name server; "split" means that it provides different domain name resolution records depending on the client. For example, when clients from different network segments, such as the intranet and the extranet, request resolution of the same domain name, they receive different results.

Configure dual network cards for the gateway server: add another network card while the system is shut down, then restart the system.

ifconfig           # first check the name of the added network interface
cd /etc/sysconfig/network-scripts/
cp ifcfg-ens33 ifcfg-ens37

vim ifcfg-ens37
DEVICE=ens37
IPADDR=10.0.0.1
NETMASK=255.255.255.0

ifconfig

Install the bind package

yum install -y bind

Modify the main configuration file

vim /etc/named.conf
options {
    listen-on port 53 { 192.168.249.10; 10.0.0.1; };     # listen on the local addresses, or any
#   listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };                            # allow all hosts to query
    ……
};

include "/etc/named.rfc1912.zones";

Modify the zone configuration file

vim /etc/named.rfc1912.zones
view "lan" {                              # define the intranet view; a view is a separate container
   match-clients { 192.168.249.0/24; };   # match the intranet segment
   zone "lisi.com" IN {                   # the zone to be resolved
      type master;
      file "lisi.com.zone.lan";           # zone data file
   };
   zone "." IN {                          # the root zone configuration can be cut here from the main configuration file (dd then p in vim)
      type hint;                          # hint is the root zone type
      file "named.ca";
   };
};

view "wan" {                              # define the extranet view
   match-clients { any; };                # matches any address other than the intranet segment, because views are tested in order
   zone "lisi.com" IN {
      type master;
      file "lisi.com.zone.wan";
   };
};

Note: once views are enabled, every zone must be inside a view, so the system's default self-check zones must also be moved into a view or deleted.

Modify the zone data files

cd /var/named
cp -p named.localhost lisi.com.zone.lan
cp -p named.localhost lisi.com.zone.wan

vim lisi.com.zone.lan
$TTL 1D
@       IN SOA  lisi.com. admin.lisi.com. (
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
        NS      lisi.com.
        A       192.168.249.10
www     IN  A       192.168.163.100     ; intranet hosts resolving www.lisi.com get this address

vim lisi.com.zone.wan
$TTL 1D
@       IN SOA  lisi.com. admin.lisi.com. (
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
        NS      lisi.com.
        A       10.0.0.1
www     IN  A       10.0.0.100          ; extranet hosts resolving www.lisi.com get 10.0.0.100
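The view selection above depends on order: BIND tests match-clients view by view from the top of the file and answers from the first view that matches, so the "wan" view with `any` must come after "lan". The following is an added example (not code from the post or from BIND) that models that rule; the VIEWS table is constructed from the post's two views with only the www A record of each lisi.com zone.

```python
import ipaddress

# Constructed from the post's view section: (view name, match-clients ACL
# list, the www A record of that view's lisi.com zone), in file order.
VIEWS = [
    ("lan", ["192.168.249.0/24"], {"www.lisi.com.": "192.168.163.100"}),
    ("wan", ["any"],              {"www.lisi.com.": "10.0.0.100"}),
]

def select_view(client_ip, views=VIEWS):
    """Views are tested top to bottom; the first match-clients hit wins."""
    ip = ipaddress.ip_address(client_ip)
    for name, clients, zone in views:
        if any(acl == "any" or ip in ipaddress.ip_network(acl) for acl in clients):
            return name, zone
    return None, {}          # no view matched: the query would be refused

def answer(client_ip, qname, views=VIEWS):
    """The view used and the A record a client at client_ip gets for qname."""
    view, zone = select_view(client_ip, views)
    return view, zone.get(qname)

def swapped_order():
    """Same views with 'wan' (match-clients any) listed first: it now
    captures intranet clients too, which is why 'lan' must be written first."""
    return answer("192.168.249.50", "www.lisi.com.", views=VIEWS[::-1])
```

Calling `answer("192.168.249.50", "www.lisi.com.")` gives the intranet record and `answer("10.0.0.50", "www.lisi.com.")` the extranet one, while `swapped_order()` shows the intranet client wrongly served from "wan".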

Start service

systemctl start named

Add the DNS server address to the domain name resolution configuration file of the client on the internal and external networks

echo "nameserver 192.168.163.15" >> /etc/resolv.conf     # intranet client
The extranet client is replaced by a Windows 10 host.

Test on internal and external network clients

nslookup www.lisi.com

Operation

Operation requirements: Set up separate DNS resolution on the gateway server, so that the local network host resolves www.lisi.com to 192.168.163.20, and the external host resolves www.lisi.com to 10.0.0.1.

Configure dual network cards for the gateway server: add another network card while the system is shut down, then restart the system.

The remaining steps (permanently modifying the network card address and restarting the interface to check it, installing the software, modifying the main configuration file, modifying the zone data files, turning off the firewall and restarting, adding the DNS server address on the intranet and extranet clients, and the extranet and intranet tests) were carried out in practice and recorded as screenshots, which are not reproduced here.

Origin blog.csdn.net/shengmodizu/article/details/113979344