1. Problem scenario
Consider two servers, Server A and Server B.
Server A and Server B are on the same intranet, but Server A reaches Server B through a domain name.
You do not want traffic from Server A to Server B to go over the public network. One feasible solution is to resolve that domain name not to Server B's public address but to its intranet address. How can this be done?
2. Modify /etc/hosts
Modifying /etc/hosts is one approach, but in practice it turns out that tools such as ping consult /etc/hosts first and only go to DNS if there is no match there.
In the actual resolution path, however, only DNS is queried. For the entries in hosts to take effect there, they must be loaded into the corresponding DNS service.
It turns out that CentOS 7 has no local DNS service, so its hosts entries cannot take effect in DNS; CentOS 8 adds the dnsmasq service, which acts as a DNS caching layer and can load the entries from hosts into DNS.
Since Ubuntu 16, systemd-resolved is installed by default, and it can likewise publish the entries from hosts through DNS.
So queries with host, nslookup and dig may return different results on different systems.
Next, we modify /etc/hosts on CentOS and Ubuntu respectively, adding a record for Server B:
192.168.0.168 <Server B>
Then we test the difference between the systems.
2.1 Modify /etc/hosts on CentOS 7
The following figure is a sample result of dig.
You can see that the DNS query is not affected by /etc/hosts.
2.2 Modify /etc/hosts on Ubuntu 20
The following figure is a sample result of dig.
3. Custom nameserver
You can use unbound to build a custom nameserver; the unbound package can be installed directly on CentOS or Ubuntu.
CentOS installation:
yum install unbound
Ubuntu installation:
apt install unbound
The default configuration file is /etc/unbound/unbound.conf.
After installing unbound, you can start it directly with the unbound command or through the system service.
The following starts it from the command line:
unbound -v -d
In the default configuration the unbound log is written to syslog. To redirect it to another file, modify the following setting in unbound.conf.
In the example, the log is redirected to /tmp/unbound.log.
If you want the log printed to standard output at startup instead, follow the instructions in the configuration comments and leave the logfile setting empty.
By default unbound runs in the background, so when it is started from the command line only part of the log is written before the command returns; to keep the log in the foreground, add the -d parameter to the start command.
3.1 Common startup errors
Following the steps above to send the unbound log to standard output lets you see the exception at startup; the error reported here is related to "remote-control".
Turning off remote-control in the configuration file resolves this problem.
Sample log of a normal startup, with log level -v:
Suggested way to configure a custom domain name
Put the domain names that need to be proxied (answered locally by unbound) in the /etc/unbound/local.d folder rather than in the main configuration file.
3.2 Debug unbound
Use dig or nslookup to test the unbound service.
If dig is not installed, on CentOS it can be installed with the following command:
yum install bind-utils
On Ubuntu the package is named dnsutils:
apt install dnsutils
The dig command is as follows:
dig @<unbound server address> <test domain name>
The @ symbol tells dig which DNS server to send the query to. Without @, dig uses the servers listed in /etc/resolv.conf, so you would have to modify that file instead.
Configure the IP addresses that are allowed to query the service (access-control). To open it fully, configure 0.0.0.0/0 allow; otherwise configure it according to your actual situation. Note that a fully open access-control turns the host into an open resolver for anyone who can reach port 53, so restrict it to the intranet range whenever possible.
At this point a custom nameserver is built. On Server A, modify /etc/resolv.conf to point the DNS address at it.
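As an added example (not from the original post or the unbound project), the following shell script builds the local.d fragment suggested above from /etc/hosts-style records like the one added in section 2, and emits the access-control line discussed in the dig test step. The zone name corp.internal, the host name serverb, the client range 192.168.0.0/24 and the file name corp.internal.conf are assumed example values.

```shell
#!/bin/sh
# Added example, not part of the original post: build the unbound local.d
# fragment that answers an intranet name with its private address, from the
# same "IP NAME" records you would put in /etc/hosts.
# Assumptions: the zone "corp.internal", the host "serverb", the client
# network 192.168.0.0/24 and the output file name are example values only.

# hosts_to_local_data ZONE: read "IP NAME" lines on stdin (comments and
# blank lines are skipped, aliases after the first name are ignored) and
# print an unbound local-data entry plus its reverse (PTR) entry per record.
# IPv6 addresses (containing ':') become AAAA records.
hosts_to_local_data() {
    zone=$1
    awk -v zone="$zone" '
        /^[ \t]*#/ { next }                 # comment line
        NF == 0    { next }                 # blank line
        {
            sub(/#.*/, "")                  # trailing comment, re-splits $0
            ip = $1; name = $2
            if (name == "") next
            rr = (ip ~ /:/) ? "AAAA" : "A"
            printf "    local-data: \"%s.%s. IN %s %s\"\n", name, zone, rr, ip
            printf "    local-data-ptr: \"%s %s.%s.\"\n", ip, name, zone
        }'
}

# access_control_line CIDR: print the access-control entry for the clients
# allowed to query. 0.0.0.0/0 makes this an open resolver reachable by
# anyone who can hit port 53, so the function flags it on stderr.
access_control_line() {
    cidr=$1
    if [ "$cidr" = "0.0.0.0/0" ]; then
        echo "warning: 'access-control: 0.0.0.0/0 allow' exposes an open resolver" >&2
    fi
    printf '    access-control: %s allow\n' "$cidr"
}

# make_zone_config ZONE CIDR: assemble a complete server: fragment from the
# records on stdin. The zone is "transparent": names listed here are
# overridden, every other name under the zone still resolves normally.
make_zone_config() {
    zone=$1; cidr=$2
    printf 'server:\n'
    access_control_line "$cidr"
    printf '    local-zone: "%s." transparent\n' "$zone"
    hosts_to_local_data "$zone"
}

# Constructed input: the record the post adds to /etc/hosts, with a name
# filled in for <Server B>.
SAMPLE_HOSTS='# intranet records (constructed sample)
192.168.0.168 serverb
'

# Demo: print the fragment. For real use redirect it, e.g.
#   ... | make_zone_config corp.internal 192.168.0.0/24 > /etc/unbound/local.d/corp.internal.conf
printf '%s' "$SAMPLE_HOSTS" | make_zone_config corp.internal 192.168.0.0/24
```

After writing the file, run unbound-checkconf to validate the syntax and then restart the service; with transparent, only serverb is answered from local-data, so the public names under the same domain keep resolving through normal recursion, which is what the scenario in section 1 needs. Use static instead if the whole zone should be answered locally and unknown names should get NXDOMAIN.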
Common problems
Port 53 occupation problem
On Ubuntu, port 53 is occupied by the system service **/lib/systemd/systemd-resolved**.
It is in fact a DNS service, but it only resolves local names, including the entries in /etc/hosts, which is why Ubuntu and CentOS differ in local name resolution as shown in section 2.
On CentOS 8, port 53 is likewise occupied by the system service dnsmasq. Like systemd-resolved, it acts as a proxy for local domains. (Note: CentOS 7 has no such service.)
Both systems therefore already have a local name resolution solution, so if the problem is only local name resolution, you can use either of these two services without building an unbound service yourself.
The CentOS 8 dnsmasq service does not pick up changes in hosts immediately
Unlike systemd-resolved on Ubuntu, which updates in real time, dnsmasq on CentOS 8 must be restarted (or reloaded) before it loads the changes in hosts.
To reload it you can use the following command, which signals dnsmasq to re-read its hosts file:
killall -HUP dnsmasq
Then try again.
Of course, one thing is required: if you want to use systemd-resolved or dnsmasq, you must add the IP of the local service to /etc/resolv.conf on the local machine.
How do you find that IP?
Run the following command:
netstat -nulp | grep ":53 "
An example of the result is as follows.
Then add the address it shows to /etc/resolv.conf.
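As an added example (not from the original post), the following shell script automates the last two steps: it reads `netstat -nulp` output, reports which process owns UDP port 53, and derives the resolv.conf line for that listener. The netstat lines embedded in it are a constructed sample; the PIDs and program names are made up.

```shell
#!/bin/sh
# Added example, not from the original post: find which process already owns
# UDP port 53 in `netstat -nulp` output and derive the /etc/resolv.conf line
# that points the machine at that local resolver.
# On a real host run:  netstat -nulp | port53_listeners

# port53_listeners: read netstat -nulp output on stdin and print one line per
# UDP socket bound to port 53 as "<local address> <pid> <program>".
# Without root, netstat prints "-" instead of PID/Program name.
port53_listeners() {
    awk '$1 ~ /^udp/ && $4 ~ /:53$/ {
        split($NF, owner, "/")
        if (owner[1] == "-") { pid = "?"; prog = "(re-run as root to see it)" }
        else { pid = owner[1]; prog = owner[2] }
        print $4, pid, prog
    }'
}

# nameserver_line LOCAL_ADDRESS: convert a listener address such as
# "127.0.0.53:53" or ":::53" into the resolv.conf entry for it. A wildcard
# bind (0.0.0.0 or ::) is reachable on loopback, so loopback is used there.
nameserver_line() {
    addr=${1%:*}                       # drop the trailing ":53"
    case "$addr" in
        0.0.0.0) addr=127.0.0.1 ;;
        ::)      addr=::1 ;;
    esac
    printf 'nameserver %s\n' "$addr"
}

# Constructed sample of `netstat -nulp` on an Ubuntu host where
# systemd-resolved holds the IPv4 stub listener and unbound listens on IPv6.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 127.0.0.53:53           0.0.0.0:*                           612/systemd-resolve
udp        0      0 0.0.0.0:68              0.0.0.0:*                           540/dhclient
udp6       0      0 :::53                   :::*                                1201/unbound'

# Demo over the constructed sample: one report line per port-53 owner.
printf '%s\n' "$SAMPLE_NETSTAT" | port53_listeners | while read -r addr pid prog; do
    echo "port 53 owned by $prog (pid $pid) on $addr -> $(nameserver_line "$addr")"
done
```

Two owners for the same port, as in the sample, is exactly the conflict described above: unbound cannot bind 127.0.0.53:53 while systemd-resolved holds it, so either point resolv.conf at the existing local service or move one of them to a different address before starting the other.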