DNS
Authoritative name server
Stores and serves the actual data for a zone (a domain, or some portion of the DNS namespace).
Types of authoritative name server:
Master: holds the original copy of the zone data. Also called the 'primary' name server.
Slave: a backup server that obtains its copy of the zone data from the master through a zone transfer. Also called the 'secondary' name server.
Non-authoritative / recursive name server
The server a client sends its queries to; it locates the authoritative name servers and fetches the answer on the client's behalf. A recursive name server holds only a cache: it is used to look up data that lives elsewhere and is authoritative for none of it.
Experimental environment:
Reset the virtual machines so that they can reach the outside network.
DNS cache
When a host visits a web site it first has to resolve the name, querying 114.114.114.114 (or the root servers and the authoritative servers below them) every time. A LAN usually has many hosts but only one uplink; if every host resolves names through its own connection to the outside, the uplink fills up and the same work is repeated over and over. Instead, one host in the LAN is given outside connectivity and the other hosts send their queries to it. When the first host asks for www.baidu.com, that server goes out, obtains baidu's IP address and returns it to the client; when a second host asks for the same name, the server does not go outside again but answers from the information it cached during the first lookup, which is much faster. A host configured this way is a DNS cache (caching name server).
Configure the desktop virtual machine as a DNS cache
1. Install bind, the software that provides the caching DNS service, on the desktop virtual machine
yum install bind -y
2. Start the service
systemctl start named
The first start may hang: on a freshly reset virtual machine named has to generate /etc/rndc.key, and the new system has not yet gathered enough entropy for that. Pressing keys or moving the mouse in the desktop virtual machine feeds the entropy pool and the start completes.
3. Open the firewall
firewall-cmd --list-all
firewall-cmd --permanent --add-service=dns ## allow the dns service (port 53)
firewall-cmd --reload
4. Start another virtual machine (server) and point its DNS at the desktop, 172.25.254.113
vim /etc/resolv.conf ## nameserver 172.25.254.113
5. Test
dig www.baidu.com
dig cannot connect to the server
Solution:
On the desktop virtual machine
netstat -antlupe | grep named ## show the addresses named is listening on
It is listening on the loopback address only, so other hosts cannot reach it
Edit the named configuration file /etc/named.conf
line 13: listen-on port 53 { 127.0.0.1; }; becomes listen-on port 53 { any; }; so the service is open on every interface
systemctl restart named
After the restart dig can connect, but the query is refused
Solution:
line 17 of the named configuration file: allow-query { localhost; }; becomes allow-query { any; }; so hosts other than localhost may query
Because this server only serves the lab network, DNSSEC validation is switched off as well (dnssec-validation no;). Both changes are lab shortcuts: without validation named caches and serves forged answers from upstream, and a recursive server that answers any client and is reachable from the Internet is an open resolver that is abused for amplification attacks, so in production restrict allow-query to the internal subnet and keep validation on.
Test
dig www.baidu.com
Then change /etc/resolv.conf on the physical host to the desktop's IP as well, so that the host also resolves through the desktop's DNS cache
and then
dig www.baidu.com
The lookup is much faster than from the server virtual machine, but still slow, because for every name not in its cache the desktop has to iterate from the root servers itself
Solution
At line 18 (after allow-query) add forwarders { 114.114.114.114; }; ## do not let the desktop iterate itself; hand every query it cannot answer from cache to the public resolver 114.114.114.114
Test again:
on the server: dig www.taobao.com
on the physical host: dig www.taobao.com
The test succeeds; the goal is reached.
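The three edits above collected into one options block, as an added example (this is not the page's own file; the query ACL and the forward only line are my choices). It narrows allow-query to the lab subnet instead of any, because a recursive server that answers everyone and is reachable from outside is an open resolver used for DNS amplification:

```conf
options {
        listen-on port 53 { any; };                  // line 13: was { 127.0.0.1; }
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query { 172.25.254.0/24; localhost; }; // line 17: the lab uses { any; }; an ACL keeps this from being an open resolver
        recursion yes;
        forwarders { 114.114.114.114; };             // line 18: hand every cache miss to the public resolver instead of iterating from the root
        forward only;                                // assumption: never fall back to iterating if the forwarder is unreachable
        dnssec-validation no;                        // lab only: without validation, forged upstream answers are cached and served
};
```

Run named-checkconf /etc/named.conf before restarting; it reports syntax errors that would otherwise only show up as a failed systemctl start.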
Authoritative DNS configuration
Open the DNS configuration file
vim /etc/named.conf
Line 57 shows that it includes the file /etc/named.rfc1912.zones
To keep the main configuration file from growing long and hard to read,
the zones are configured in that file instead
vim /etc/named.rfc1912.zones
In command mode, at line 19 type y6y ## copy six lines (the existing localhost zone stanza)
p ## paste them at line 25
Edit the six pasted lines
to read:
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 };
## names inside the westos.com domain are looked up in the file westos.com.zone
In the /var/named directory
cp -p named.localhost westos.com.zone
Remember -p: it preserves the owner and mode of the template (root:named, 640) so that named can still read the copy
Then edit the file
1 $TTL 1D
2 @ IN SOA dns.westos.com. lee.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.113
10 www A 172.25.254.66
dns.westos.com. is the primary name server for the zone and lee.westos.com. is the mailbox of the person responsible for it (lee@westos.com, with the @ written as a dot).
In this file @ stands for the zone origin (westos.com.), and any name that does not end in '.' has the origin appended automatically,
so www above is not terminated with a dot and is expanded to www.westos.com.
CNAME
Edit westos.com.zone
1 $TTL 1D
2 @ IN SOA dns.westos.com. lee.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.113
10 bbs A 172.25.254.66
11 www CNAME node1.westos.com.
12 node1 A 172.25.254.111
13 node1 A 172.25.254.222
A CNAME record makes a name an alias for another (canonical) name: www.westos.com is resolved by looking up node1.westos.com., and the two A records for node1 are returned in rotation (round-robin). The target is written with a trailing dot because it is already a full name. A name that owns a CNAME must not carry any other record type.
PTR (reverse resolution)
Maps an IP address back to a domain name
Configure: vim /etc/named.rfc1912.zones
Copy lines 37-41 (the existing reverse zone stanza for 127.0.0.1) to the end of the file, then edit the copy:
43 zone "254.25.172.in-addr.arpa" IN {
44 type master;
45 file "172.25.254.ptr";
46 allow-update { none; };
47 };
The zone name is the network part of the address in reverse order with in-addr.arpa appended, so 172.25.254.0/24 becomes 254.25.172.in-addr.arpa
Then create 172.25.254.ptr
in the /var/named directory
cp -p named.loopback 172.25.254.ptr
Edit 172.25.254.ptr
1 $TTL 1D
2 @ IN SOA dns.westos.com. lee.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.113
10 66 PTR hello.westos.com.
The owner 66 is expanded with the zone origin to 66.254.25.172.in-addr.arpa, i.e. 172.25.254.66. Normally the PTR points at the name whose A record carries that address (here that would be bbs.westos.com.); a PTR whose target does not resolve back to the same address fails the forward-confirmed reverse DNS check that mail servers in particular apply. Restart named when done.
Test the PTR record with dig -x 172.25.254.66
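As an added example (not part of the tutorial), a small Python script that applies the rules just described to the zone files above: it strips comments, joins the SOA parentheses, appends the origin to every name without a trailing dot, builds the in-addr.arpa name for an address, and then checks the data the way a careful operator would: a CNAME owner may hold nothing else, an MX target must be a host name with an A record rather than an IP literal, and a PTR should be confirmed by a matching A record. The MX line from the section below is included; on the page's data the script flags that MX entry and the hello.westos.com. PTR, which no A record maps back to 172.25.254.66. $ORIGIN is not handled.

```python
import ipaddress
import re
from collections import defaultdict

# Zone contents reproduced from the tutorial above (layout and comments are mine).
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA dns.westos.com. lee.westos.com. (
        0               ; serial
        1D 1H 1W 3H )   ; refresh retry expire minimum
        NS  dns.westos.com.
dns     A   172.25.254.113
bbs     A   172.25.254.66
www     CNAME node1.westos.com.
node1   A   172.25.254.111
node1   A   172.25.254.222
@       MX  1 172.25.254.113.
"""
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA dns.westos.com. lee.westos.com. ( 0 1D 1H 1W 3H )
        NS  dns.westos.com.
66      PTR hello.westos.com.
"""
_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
_TTL_RE = re.compile(r"(\d+)([SMHDW]?)", re.IGNORECASE)
_NAME_RDATA = {"NS", "CNAME", "PTR", "MX"}   # record types whose last rdata field is a name

def parse_ttl(token):
    """'1D' -> 86400, '3H' -> 10800, '600' -> 600."""
    m = _TTL_RE.fullmatch(token)
    if not m:
        raise ValueError(f"bad TTL {token!r}")
    return int(m.group(1)) * _UNITS.get(m.group(2).upper(), 1)

def qualify(name, origin):
    """The trailing-dot rule: '@' is the origin, 'www' -> 'www.<origin>', an absolute name is kept."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def _logical_lines(text):
    """Strip ';' comments and join the '(' ... ')' continuation lines of an SOA record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []

def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with every owner and name-valued rdata fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if not line[0].isspace():                 # a blank owner field means "same owner as the previous record"
            owner = qualify(tokens.pop(0), origin)
        ttl = parse_ttl(tokens.pop(0)) if _TTL_RE.fullmatch(tokens[0]) else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in _NAME_RDATA:
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records

def reverse_name(ip):
    """'172.25.254.66' -> '66.254.25.172.in-addr.arpa.' (an IPv6 address gives ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lint(forward, reverse):
    """Problems: CNAME owners with other data, MX targets that are not host names with an A record, unconfirmed PTRs."""
    types_by_owner, addrs_by_name, problems = defaultdict(set), defaultdict(set), []
    for owner, _, rtype, rdata in forward:
        types_by_owner[owner].add(rtype)
        if rtype in ("A", "AAAA"):
            addrs_by_name[owner].add(rdata)
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with {sorted(types - {'CNAME'})}")
    for owner, _, rtype, rdata in forward:
        if rtype != "MX":
            continue
        target = rdata.split()[1]
        try:
            ipaddress.ip_address(target.rstrip("."))
            problems.append(f"{owner}: MX target {target} is an IP literal, not a host name")
        except ValueError:
            if target not in addrs_by_name:
                problems.append(f"{owner}: MX target {target} has no A record")
    for owner, _, rtype, rdata in reverse:
        if rtype == "PTR":
            ip = ".".join(reversed(owner.rstrip(".").split(".")[:-2]))   # IPv4 in-addr.arpa only
            if ip not in addrs_by_name.get(rdata, set()):
                problems.append(f"{ip}: PTR -> {rdata}, but no A record maps {rdata} back to {ip}")
    return problems
```

Import the module and call lint(parse_zone(FORWARD_ZONE, "westos.com"), parse_zone(REVERSE_ZONE, "254.25.172.in-addr.arpa")); it returns two problems for the page's data and none once the MX target is a host name and the PTR points at bbs.westos.com. named-checkzone westos.com /var/named/westos.com.zone performs the syntax part of this on a real server.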
MX
Mail Exchanger: names the host that accepts mail for the domain
vim westos.com.zone
1 $TTL 1D
2 @ IN SOA dns.westos.com. lee.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.113
10 bbs A 172.25.254.66
11 www CNAME node1.westos.com.
12 node1 A 172.25.254.111
13 node1 A 172.25.254.222
14 westos.com. MX 1 172.25.254.113. ## MX data must be a host name that has an A record (for example dns.westos.com.); an IP literal is not valid here, and this entry only works because the client's MTA happens to accept it, as the queue output below shows
Then on the client
[root@localhost ~]# > /var/log/maillog
[root@localhost ~]# mail [email protected]
Subject: hahah
hahaha
hahhaha
.
EOT
Type a single '.' on its own line and press Enter to send the message
Check the queue with mailq
[root@localhost ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
D5CFF17E85C 453 Sat May 11 02:55:58 [email protected]
(connect to 172.25.254.113[172.25.254.113]:25: No route to host)
[email protected]
-- 0 Kbytes in 1 Request.
The queue entry shows that the MX lookup worked: the client chose 172.25.254.113 as the mail exchanger for westos.com. The delivery itself fails because port 25 on 172.25.254.113 is not reachable (nothing listens there, or the firewall rejects the connection), which is outside the scope of this DNS test.
Bidirectional (split-horizon) resolution
Clients on the internal network segment get the internal address of a name; clients coming from the external network segment get the external address.
Test idea:
When a client from the internal segment queries, named reads the zone file that belongs to the internal network and resolves the name to the internal IP.
When a client from the external segment queries, named reads the zone file that belongs to the external network and resolves the name to the external IP.
Internal and external data are kept in separate files.
In this case study the same DNS server answers both: the internal segment resolves to 172.25.254.x
and the external segment resolves to 1.1.1.x
Procedure (for convenience in the experiment, the DNS host itself counts as the internal client and any other host counts as external):
in /var/named,
1. vim /etc/named.conf
edit the main named configuration file: wrap the zones in two view statements, one matched by the internal clients and one by everyone else, each including its own zones file. Everything that was at top level, including the root hint zone and the existing include lines, has to move inside the views, because named will not start with zones both inside and outside of views.
2. cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter.zones
edit /etc/named.rfc1912.inter.zones so that zone "westos.com" uses file "westos.inter.com.zone"
3. cp -p westos.com.zone westos.inter.com.zone
edit westos.inter.com.zone:
replace 172.25.254. with 1.1.1.
4. Test
using the desktop itself (the DNS host) as the client: dig node1.westos.com should answer with 172.25.254.x
using the server virtual machine as the client: dig node1.westos.com should answer with 1.1.1.x
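One way to write the named.conf change that step 1 leaves unspecified, as an added example and not the page's file. The acl follows the lab's convention that only the DNS host itself is internal; a real deployment would list the internal subnet instead (172.25.254.0/24 is an assumption here):

```conf
// /etc/named.conf, zones part (assumed shape). Once any view exists, every zone must live
// inside a view: move the root hint zone and the top-level include lines into the views,
// otherwise named refuses to start.
acl "internal" { 127.0.0.1; };                   // lab: only the DNS host counts as internal;
                                                 // a real deployment lists e.g. 172.25.254.0/24

view "lan" {
        match-clients { internal; };             // views are tried in order, the first match wins
        recursion yes;
        zone "." IN { type hint; file "named.ca"; };
        include "/etc/named.rfc1912.zones";      // westos.com -> westos.com.zone (172.25.254.x)
};

view "internet" {
        match-clients { any; };
        recursion no;                            // assumption: outside clients get authoritative answers only
        include "/etc/named.rfc1912.inter.zones"; // westos.com -> westos.inter.com.zone (1.1.1.x)
};
```

Order matters: if the any view came first, every client would match it and the internal data would never be served. Check with named-checkconf and then dig node1.westos.com from both clients.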
Secondary DNS
When query volume is high a single DNS server is no longer enough, so a secondary DNS server is set up to share the load with the master (and to keep answering when the master is down)
Experimental procedure
1. Configure the secondary DNS server
(1) install the bind software
modify the main configuration file /etc/named.conf as on the master (listen on any address, allow queries from any client, validation off):
options {
13 listen-on port 53 { any; };
14 listen-on-v6 port 53 { ::1; };
15 directory "/var/named";
16 dump-file "/var/named/data/cache_dump.db";
17 statistics-file "/var/named/data/named_stats.txt";
18 memstatistics-file "/var/named/data/named_mem_stats.txt";
19 allow-query { any; };
34 dnssec-validation no;
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type slave;
file "slaves/westos.com.zone";
masters {172.25.254.113;};
allow-update { none; };
};
The file is placed under slaves/ because named cannot write to /var/named itself, while /var/named/slaves is owned by named; the transferred copy is written there.
2. On the master DNS server, comment out the view configuration made for bidirectional resolution and restore the earlier single-zone configuration
(1) in /etc/named.rfc1912.zones
Testing
dig bbs.westos.com against both the master and the secondary
Both answer, so the zone was transferred completely
Test after a modification
Modify the zone on the master
test
The change has not reached the secondary
The secondary only transfers the zone again when the serial is larger than the one it holds, so increase the serial value for the change to take effect. The serial is an unsigned 32-bit integer, at most 10 digits; the usual convention is YYYYMMDDNN, which allows 100 changes per day. Restart named after the edit.
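The master-side stanza that the page does not show, added here as an example (172.25.254.213 is the address the page uses for the secondary in the next section; the rest is assumed). It restricts zone transfers to the secondary, because the BIND 9.9 shipped with RHEL 7 defaults allow-transfer to any, which lets anyone who can reach port 53 enumerate the whole zone with dig @172.25.254.113 westos.com AXFR, and it sends NOTIFY so the secondary fetches changes at once instead of waiting for the refresh interval:

```conf
// Master (172.25.254.113), /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-transfer { 172.25.254.213; };      // without this, anyone can AXFR the whole zone
        also-notify    { 172.25.254.213; };      // NOTIFY the secondary on every reload so it checks the serial immediately
        allow-update   { none; };
};

// Secondary (172.25.254.213), /etc/named.rfc1912.zones, as on the page plus a transfer ACL
zone "westos.com" IN {
        type slave;
        file "slaves/westos.com.zone";           // /var/named/slaves is writable by named, /var/named is not
        masters { 172.25.254.113; };
        allow-transfer { none; };                // the secondary must not hand the zone on either
        allow-update { none; };
};
```

Verify from a third host: dig @172.25.254.113 westos.com AXFR now ends with "; Transfer failed.", while dig @172.25.254.213 bbs.westos.com still answers. After bumping the serial and restarting the master, /var/log/messages on the secondary logs the completed transfer of 'westos.com/IN'.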
Remote (dynamic) update
On the desktop, the DNS server
1. cp -p westos.com.zone /opt/ ## keep a backup: dynamic updates rewrite the zone file and add a journal next to it
2. vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 also-notify { 172.25.254.213; };
29 allow-update { 172.25.254.113; };
30 };
After making the changes, restart named
Empty the log
> /var/log/messages
then
[root@dns named]# nsupdate
> server 172.25.254.113
> update add test.westos.com 86400 A 172.25.254.222
> send
update failed: SERVFAIL
> quit
The update failed; look at the log to see why
[root@dns named]# cat /var/log/messages
May 11 05:22:25 localhost named[4349]: client 172.25.254.113#53389: updating zone 'westos.com/IN': adding an RR at 'test.westos.com' A
May 11 05:22:25 localhost named[4349]: westos.com.zone.jnl: create: permission denied
May 11 05:22:25 localhost named[4349]: client 172.25.254.113#53389: updating zone 'westos.com/IN': error: journal open failed: unexpected error
named has to create the journal file westos.com.zone.jnl in /var/named, but that directory belongs to root with group named and is not group-writable, so the create is denied. Give the named group write access to the directory (the alternative is to keep dynamically updated zones in /var/named/dynamic, which the bind package creates writable by named):
[root@dns named]# chmod 770 /var/named
[root@dns named]# nsupdate
> server 172.25.254.113
> update add test.westos.com 86400 A 172.25.254.222
> send
> quit
Test: dig test.westos.com. The record first lives in westos.com.zone.jnl and is merged into the zone file later, so do not hand-edit the zone file while a journal exists without running rndc freeze first.
Updating with a key
In the experiment above the update was authorised by its source IP address, which is insecure (a UDP source address can be spoofed), so the update is now authorised with a shared key (TSIG) instead
1. Remove the state left by the IP-based update
in the /var/named directory
rm -fr westos.com.zone*
then copy the backup in /opt back (with -p)
2. Create the key file, using the rndc key file as a template
cp -p /etc/rndc.key /etc/westos.key
3. Generate a key in the /mnt directory
[root@dns-server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
Kwestos.+157+56402
(157 is the algorithm number of HMAC-MD5. The command writes Kwestos.+157+56402.key and Kwestos.+157+56402.private; the Key: line of the .private file is the secret. HMAC-MD5 is obsolete; -a HMAC-SHA256 -b 256 produces a stronger key and is handled exactly the same way.)
4. Edit the key file /etc/westos.key: set the key name to westos and paste the secret from the .private file
5. Edit the main configuration file so that named reads the key file (include "/etc/westos.key";)
6. vim /etc/named.rfc1912.zones: in zone "westos.com" change allow-update from the IP address to key westos
Test with nsupdate -k /mnt/Kwestos.+157+56402.private and the same server / update add / send commands as before; an unsigned update must now be refused
DDNS
Idea: if the zone file had to be edited by hand every time a host's IP address changes, that would clearly be unrealistic, so the new address should be registered with DNS automatically. The DHCP server is the one that knows about every address change, so it is told how to reach DNS and, after every lease, sends the name/IP mapping to the DNS server as a dynamic update.
Environment: the key from the previous section is in place
1. Delete the files produced by the previous update (zone file and journal)
2. Copy westos.com.zone back from /opt, remember -p
3. On the server, install dhcp and edit its configuration file (/etc/dhcp/dhcpd.conf): enable dynamic updates, include the key, and name the zone and the master DNS server it has to update
4. Set the client's host name to test.westos.com
5. Switch the client's network to DHCP and restart the network so that it obtains an address from DHCP
6. Test: dig test.westos.com and check that the answer matches the address the client obtained dynamically
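The key file, named.conf and dhcpd.conf pieces that steps 4-6 of the key section and step 3 of the DDNS section refer to without showing, written out as an added example (not the page's files). The secret is a placeholder for the Key: line of Kwestos.+157+56402.private; the DHCP subnet, range and the reverse-zone stanza are assumptions:

```conf
// /etc/westos.key  (holds a secret: root:named, mode 640; dhcpd runs on the server, so it gets its own copy)
key "westos" {
        algorithm hmac-md5;                      // what the page generated; HMAC-SHA256 is the better choice today
        secret "REPLACE_WITH_BASE64_FROM_Kwestos.+157+56402.private";
};

// /etc/named.conf on the DNS server: make the key known to named
include "/etc/westos.key";

// /etc/named.rfc1912.zones on the DNS server: accept updates signed with the key, not by source IP
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        also-notify  { 172.25.254.213; };
        allow-update { key westos; };
};

// /etc/dhcp/dhcpd.conf on the DHCP server (subnet and range assumed)
ddns-update-style interim;
ddns-updates on;
ignore client-updates;                           // the DHCP server, not the client, writes the DNS records
include "/etc/westos.key";
zone westos.com. {
        primary 172.25.254.113;
        key westos;
}
zone 254.25.172.in-addr.arpa. {                  // only if the reverse zone also carries allow-update { key westos; }
        primary 172.25.254.113;
        key westos;
}
subnet 172.25.254.0 netmask 255.255.255.0 {
        range 172.25.254.100 172.25.254.200;
        option domain-name "westos.com";
        option domain-name-servers 172.25.254.113;
}
```

For a manual signed update use nsupdate -k /mnt/Kwestos.+157+56402.private followed by the same server / update add / send lines as before; without -k the server now answers REFUSED. dhcpd builds the forward name from the host name the client sends in its request plus option domain-name, which is why step 4 sets the client's host name. The journal permission fix from the remote-update section is still required, since dhcpd's updates are written to westos.com.zone.jnl in the same way.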