Linux Advanced: DNS services and BIND

The hands-on lab that accompanies this chapter is published separately as a step-by-step DNS/BIND experiment.

DNS

The Domain Name System (DNS) is an Internet service. It acts as a distributed database that maps domain names and IP addresses to each other, which makes accessing the Internet easier. DNS uses TCP and UDP port 53. Each label (level) of a domain name is currently limited to 63 characters, and the total length of a domain name cannot exceed 253 characters.

BIND: Berkeley Internet Name Domain, currently the most widely used DNS server software.

Every computer has a local name resolution file, hosts. On Windows it is stored at C:\Windows\System32\drivers\etc\hosts; on CentOS it is /etc/hosts. Its format looks like this:

122.10.117.2 www.magedu.com
93.46.8.89 www.google.com

Port 53/tcp: synchronization (zone transfer) between DNS servers.
Port 53/udp: name queries from clients (it is also used during synchronization between DNS servers).

DNS domain name

A domain name is divided into these levels:

  1. Root zone

  2. Top Level Domain (TLD)
    for example: .com, .edu, .mil, .gov, .net
    there are three categories: organizational domains, country domains (.cn, .ca, .hk, .tw), and reverse domains

  3. Second-level domain
    for example: baidu

  4. Third-level domain
    ...

  5. A domain name can have up to 127 levels

Global root servers: a group of 13 servers
The root servers manage the Internet's master directory. There are only 13 IPv4 root name servers in the world (named "A" to "M"): one primary root server in the United States and 12 secondary root servers, of which nine are in the United States, two in Europe (the UK and Sweden) and one in Asia (Japan).

ICANN (The Internet Corporation for Assigned Names and Numbers) is responsible, on a global scale, for managing the generic top-level domain (gTLD) and country-code top-level domain (ccTLD) systems and for managing the root server system.

DNS domain structure

(figure: DNS domain structure diagram, not reproduced here)

DNS resolution

  1. DNS query types:
    Recursive query: the client sends its request to the DNS server it is configured to use. The query is recursive, meaning that the server must return a definitive result: either the answer, or "not found".

    Iterative query: when the client's request reaches the specified DNS server and that server has no matching cache entry, it asks a root server, which returns the address of the top-level domain's DNS server; it then asks that TLD server, which returns the address of the second-level domain's DNS server; and so on, until an authoritative answer is returned to the DNS server. Because the server follows each referral itself, one level at a time, this process is an iterative query.

DNS server type

  • DNS server types:

    1. Primary (master) DNS server: responsible for managing and maintaining the zone's database (the parsing library)
    2. Secondary (slave) DNS server: obtains a copy of the zone database from the master or from another slave (zone transfer)
    3. Caching DNS server (forwarder)
  • "Notify" mechanism: when the zone database on the primary server changes, the primary actively notifies the secondary servers

Zone transfer

  • Zone transfer:
    full transfer: transfers the whole zone database
    incremental transfer: transfers only the part of the zone database that changed
  • Domain name: FQDN (Fully Qualified Domain Name)
    Forward: FQDN -> IP
    Reverse: IP -> FQDN
  • The zone databases responsible for forward and reverse resolution of a local domain:
    forward zone
    reverse zone

DNS resolution

  • Domain name: FQDN (Fully Qualified Domain Name)
    1. Forward resolution: FQDN -> IP
    2. Reverse resolution: IP -> FQDN
  • The complete path of a query:
    Client -> hosts file -> local DNS cache -> DNS server (recursive query) -> server cache -> iteration -> root -> top-level domain DNS -> second-level domain DNS ...
  • Types of answer:
    1. Positive answer: a result was resolved
    2. Negative answer: the requested entry does not exist, or no result can be returned for some other reason
    3. Authoritative answer: an answer given directly by the DNS server responsible for the zone, i.e. the server answers from its own zone database
    4. Non-authoritative answer: an answer served from a cached entry; the cache entry is still valid, so the server answers with it even though the real back-end record may have changed; such an answer is non-authoritative

Resource Record

Zone database: made up of many RRs (Resource Records)

  • Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
    1. SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone file
    2. A: Internet Address; FQDN -> IPv4
    3. AAAA: FQDN -> IPv6
    4. PTR: PoinTeR; IP -> FQDN
    5. NS: Name Server; names the DNS servers of the current zone
    6. CNAME: Canonical Name; alias record
    7. MX: Mail eXchanger; mail exchanger
    8. TXT: free-form text attached to a name, generally used for verification records, such as SPF (anti-spam) records and HTTPS certificate validation
      example: _dnsauth TXT 2012011200000051qgs69bwoh4h6nht4n1h0lr038x

Resource Record Format

Look at an example first; each record type is described in detail further below.

  • Resource record format: name [TTL] IN rr_type value

SOA fields:
serial number: version number of the zone database; it is incremented every time the zone on the primary server changes
refresh interval: how often a secondary server asks the primary for synchronization
retry interval: how long a secondary waits before trying again after a synchronization request fails
expire duration: how long after losing contact with the primary the secondary stops serving the zone

$TTL 1D    ; cache lifetime for records that exist
; "@" stands for the zone "mage.com."; "IN" is the class and "SOA" the type;
; "master" is the primary DNS server; in the mailbox the "@" is written as "."
@   IN SOA  master.mage.com. admin.mage.com. (
                    0   ; serial
                    1D  ; refresh interval
                    1H  ; retry interval (when a secondary fails to update)
                    1W  ; expire (the zone becomes invalid if it is never refreshed)
                    3H )    ; minimum: cache lifetime for names that do not exist
    NS  master          ; NS: names the name server for the zone
    A   127.0.0.1
    AAAA    ::1
master A 192.168.99.10
@ MX 10 mailsrv     ; mail exchanger mailsrv, priority 10
mailsrv A 192.168.88.111   ; the mailsrv record
ftp  A  1.1.1.1
db A 2.2.2.2
mail 86400 IN A 1.1.1.2
www CNAME websrv
websrv A 192.168.99.10
websrv A 192.168.99.11
$GENERATE 1-100 yourname$ A 10.0.0.$
; the line above means that yourname88.mage.com resolves to 10.0.0.88

Note:
(1) the TTL can be inherited from the global $TTL
(2) @ refers to the current zone (the origin)
(3) the same name can have several records with different values; in that case the DNS server answers in round-robin (polling) fashion
(4) several different names can have the same value; this just means that the same host can be found under several different host names
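To make the zone-file rules above concrete, here is a small Python parser written for this page as an added example (it is not part of the original post and not BIND's own code). It implements $TTL inheritance, "@" and relative names under $ORIGIN, owner names omitted on indented lines, the multi-line SOA record, $GENERATE expansion, round-robin lookups (several A records for one name) and the rule from the notes that every NS or MX target inside the zone needs an A or AAAA record. The zone text is constructed for the example and modelled on the mage.com. file above; it assumes plain class-IN records and ";" comments, which is the only comment syntax BIND accepts in zone files.

```python
import re

# Record types this toy parser understands (assumption: class IN only, no TXT).
RR_TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "PTR", "SOA"}
TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")

# Constructed zone file, modelled on the mage.com. example above.
ZONE_TEXT = """\
$TTL 1D                ; default TTL for records that exist
$ORIGIN mage.com.
@   IN SOA  master.mage.com. admin.mage.com. (
                    0   ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H ) ; minimum (negative-answer TTL)
    NS  master
    A   127.0.0.1
master A 192.168.99.10
@ MX 10 mailsrv
mailsrv A 192.168.88.111
mail 86400 IN A 1.1.1.2
www CNAME websrv
websrv A 192.168.99.10
websrv A 192.168.99.11
$GENERATE 1-100 yourname$ A 10.0.0.$
"""


def _fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if origin is None:
        raise ValueError("a name was used before $ORIGIN was set")
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Yield (tokens, owner_omitted): strips ';' comments and joins the
    physical lines inside '( ... )', as the SOA record needs."""
    buf, depth, first_raw = [], 0, None
    for raw in text.splitlines():
        if first_raw is None:
            first_raw = raw
        code = raw.split(";", 1)[0]
        depth += code.count("(") - code.count(")")
        buf.append(code.replace("(", " ").replace(")", " "))
        if depth == 0:
            tokens = " ".join(buf).split()
            if tokens:
                yield tokens, first_raw[:1].isspace()
            buf, first_raw = [], None


def _make_rr(tokens, owner_omitted, origin, default_ttl, prev_owner):
    """Build one record from 'owner [TTL] [IN] type rdata' tokens."""
    i = 0
    if owner_omitted:
        owner = prev_owner          # indented line: reuse the previous owner name
    else:
        owner, i = _fqdn(tokens[0], origin), 1
    ttl = default_ttl               # inherited from $TTL unless given explicitly
    if TTL_RE.fullmatch(tokens[i]):
        ttl, i = tokens[i], i + 1
    if tokens[i].upper() == "IN":
        i += 1
    rtype, rdata = tokens[i].upper(), tokens[i + 1:]
    if rtype not in RR_TYPES:
        raise ValueError(f"unsupported record type {rtype!r}")
    # Domain names inside rdata are relative to $ORIGIN as well.
    if rtype in ("NS", "CNAME", "PTR"):
        rdata = [_fqdn(rdata[0], origin)]
    elif rtype == "MX":
        rdata = [rdata[0], _fqdn(rdata[1], origin)]
    elif rtype == "SOA":
        rdata = [_fqdn(rdata[0], origin), _fqdn(rdata[1], origin)] + rdata[2:]
    return {"name": owner, "ttl": ttl, "type": rtype, "rdata": rdata}


def parse_zone(text, origin=None):
    """Parse zone-file text into a list of record dicts."""
    records, default_ttl, prev_owner = [], None, origin
    for tokens, owner_omitted in _logical_lines(text):
        if tokens[0] == "$TTL":
            default_ttl = tokens[1]
        elif tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens[0] == "$GENERATE":          # expand yourname$ -> yourname1 ...
            lo, hi = (int(x) for x in tokens[1].split("-"))
            for n in range(lo, hi + 1):
                expanded = [t.replace("$", str(n)) for t in tokens[2:]]
                records.append(_make_rr(expanded, False, origin, default_ttl, prev_owner))
        else:
            rr = _make_rr(tokens, owner_omitted, origin, default_ttl, prev_owner)
            prev_owner = rr["name"]
            records.append(rr)
    return records


def lookup(records, name, rtype):
    """All rdata values for (name, type); several A values means round-robin."""
    return [" ".join(r["rdata"]) for r in records
            if r["name"] == name and r["type"] == rtype]


def check_glue(records):
    """The page's rule: every in-zone NS/MX target needs an A or AAAA record."""
    zone = next(r["name"] for r in records if r["type"] == "SOA")
    has_addr = {r["name"] for r in records if r["type"] in ("A", "AAAA")}
    problems = []
    for r in records:
        if r["type"] in ("NS", "MX"):
            target = r["rdata"][-1]
            if target.endswith(zone) and target not in has_addr:
                problems.append(f"{r['type']} target {target} has no A/AAAA record")
    return problems
```

Running parse_zone(ZONE_TEXT) and then lookup(records, "yourname88.mage.com.", "A") returns ["10.0.0.88"], which is what the $GENERATE comment in the file promises, and lookup(records, "websrv.mage.com.", "A") returns both addresses that the server would hand out in turn. check_glue returns an empty list for this zone; delete the "master A" line and it reports the NS target without an address, the mistake the notes on NS and MX records warn about.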

SOA Record

  • name: the name of the current zone, for example magedu.com.
  • value: several components
    (1) the FQDN of the primary DNS server of the current zone; the name of the current zone may also be used
    (2) the e-mail address of the zone administrator; the @ symbol cannot be used in it, so it is replaced by "."
    for example: admin.magedu.com (i.e. admin@magedu.com)
    (3) the timing parameters for zone transfers from the primary, and the negative-answer TTL
    For example:
    For example:
magedu.com. 86400 IN SOA ns.magedu.com. nsadmin.magedu.com. (
2015042201 ; serial
2H ; refresh 
10M ; retry
1W ; expire 
1D ) ; minimum 

NS records

  • name: the name of the current zone
  • value: the name of one DNS server of the current zone, e.g. ns.magedu.com.
    Note: a zone may have several NS records
    example:
magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.

Note:
(1) the TTL can be inherited from the global $TTL: write $TTL 1D at the top of the file and the TTL can be omitted on the records that follow (the same applies below)
(2) when two adjacent resource records have the same name, the name can be omitted on the second one
(3) for NS records, every name server that appears behind NS should also have an A record

MX records

  • name: the name of the current zone
  • value: the host name of one mail server (SMTP server) of the current zone
  • A zone may have several MX records; each record carries a number (0-99) in front of the value that gives the priority of that server; the lower the number, the higher the priority
    for example:
magedu.com. IN MX 10 mx1.magedu.com.
            IN MX 20 mx2.magedu.com.

Note: for MX records, every mail server that appears behind MX should also have an A record

A record

  • name: the FQDN of a host, for example www.magedu.com.
  • value: the IPv4 address corresponding to that host name
    for example:
www.magedu.com.  IN  A  1.1.1.1
www.magedu.com.  IN  A  2.2.2.2
mx1.magedu.com.  IN  A  3.3.3.3
mx2.magedu.com.  IN  A  4.4.4.4
*.magedu.com. IN A 5.5.5.5
magedu.com. IN A 6.6.6.6

Note: so that a mistyped host name does not produce a wrong answer, the wildcard name (*.magedu.com) can be resolved to a specific address

AAAA records

  1. AAAA:
    • name: FQDN
    • value: IPv6 address

PTR record

  1. PTR:
    • name: the IP address, in a specific format: the address is written in reverse order (1.2.3.4 becomes 4.3.2.1) and gets the suffix in-addr.arpa, so the complete name is 4.3.2.1.in-addr.arpa.
    • value: FQDN

E.g:

4.3.2.1.in-addr.arpa. IN PTR www.magedu.com.

Inside the reverse zone for the network 1.2.3 this can be abbreviated to:

4 IN PTR www.magedu.com.

Note: the network part and the suffix can be omitted; the host part still has to be written in reverse order
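The reversal rule for PTR names is easy to get wrong by hand, so here is an added Python example (written for this page, not from the original post) that computes the full PTR owner name for an address, the name of the reverse zone for a network, and the abbreviated owner name used inside that zone, which the text above writes as "4" for 1.2.3.4 or "11" for 172.16.100.11. It goes a little beyond the text by also handling IPv6, whose reverse names are the 32 hex nibbles in reverse order under ip6.arpa. Only the standard library ipaddress module is used, and only for address parsing; the reversal itself is spelled out.

```python
import ipaddress


def reverse_name(ip):
    """Owner name of the PTR record for an address: IPv4 octets reversed under
    in-addr.arpa., IPv6 as 32 hex nibbles reversed under ip6.arpa."""
    addr = ipaddress.ip_address(str(ip))
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    # exploded form pads every group to four hex digits, e.g. 2001:0db8:0000:...
    return ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."


def reverse_zone(network):
    """Name of the reverse zone covering a network, e.g. 172.16.100.0/24 ->
    100.16.172.in-addr.arpa.  The prefix must end on an octet (IPv4) or
    nibble (IPv6) boundary; anything else needs a classless delegation."""
    net = ipaddress.ip_network(network, strict=True)
    bits = 8 if net.version == 4 else 4              # address bits per reverse label
    if net.prefixlen % bits:
        raise ValueError(f"/{net.prefixlen} does not end on a {bits}-bit label boundary")
    labels = reverse_name(net.network_address).split(".")
    host_labels = net.max_prefixlen // bits - net.prefixlen // bits
    return ".".join(labels[host_labels:])            # drop the host part, keep the rest


def relative_owner(ip, zone):
    """Abbreviated owner name usable inside the given reverse zone file
    (the page's '4' inside 3.2.1.in-addr.arpa. or '11' inside 100.16.172.in-addr.arpa.)."""
    full, suffix = reverse_name(ip), "." + zone.strip(".") + "."
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not covered by the reverse zone {zone}")
    return full[: -len(suffix)]
```

For a /24 the abbreviated owner is a single label, which is why the example reverse zone below can list its hosts simply as 11, 12 and 13; for a /16 it would be two labels such as 11.100.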

CNAME alias record

  1. CNAME:
    • name: alias FQDN
    • value: real name FQDN

E.g:

www.magedu.com. IN CNAME websrv.magedu.com.

Subdomains

Subdomain delegation: every domain's name servers are delegated authority through the zone of the parent domain's name server, just as the root zone delegates the TLDs (top-level domains):

; this is the root zone's database
.com. IN NS ns1.com.
.com. IN NS ns2.com.
ns1.com. IN A 2.2.2.1
ns2.com. IN A 2.2.2.2

This says: any name ending in .com can be looked up at the DNS servers 2.2.2.1 or 2.2.2.2. For the address magedu.com, for example, you go to the .com DNS servers, and in the .com zone on those name servers there are resource records like these:

magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.
               NS ns3.magedu.com.
ns1.magedu.com. IN A 3.3.3.1
ns2.magedu.com. IN A 3.3.3.2
ns3.magedu.com. IN A 3.3.3.3

This means that to resolve names under magedu.com you next go to 3.3.3.1, 3.3.3.2 or 3.3.3.3.
Glue records: the A records that the parent zone carries for the name servers of the subdomain it delegates

BIND

  1. DNS server software: bind (the most common), powerdns, unbound
  2. BIND-related packages: yum list all bind*
    bind: the server
    bind-libs: the shared libraries
    bind-utils: the client tools
    bind-chroot: runs named inside /var/named/chroot/
  3. BIND program name: named

bind server

Service script and unit: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Zone databases: /var/named/ZONE_NAME.ZONE
Note:
(1) a single physical server can serve several zones
(2) the root zone file named.ca must be present
(3) there should be two zone databases (more if IPv6 is included) for localhost and the local loopback address
rndc: remote name domain controller;
installed by default on the same host as bind, and by default it can only connect to the named process via 127.0.0.1;
provides auxiliary management functions; listens on 953/tcp

Configuration files

Main configuration file:
global configuration: options {};
logging subsystem configuration: logging {};
zone definitions: every zone this machine is able to resolve must be defined as
zone "ZONE_NAME" IN {};
NOTE: if a service program is to be reachable by other hosts on the network, it must listen on at least one IP address through which it can communicate with external hosts
Configuring a caching name server:
listen on an external address
dnssec: it is suggested to turn dnssec off, i.e. set it to no

Configure the primary DNS server

Primary DNS name server:
(1) define the zone in the main configuration file

zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};

(2) define the zone database file, whose contents are:
the macro definitions
the resource records
Syntax check of the main configuration file:
named-checkconf
Syntax check of a zone database file:
named-checkzone "magedu.com" /var/named/magedu.com.zone
Make the configuration take effect:
rndc reload or service named reload

Example of a primary zone

$TTL 86400
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2015042201
        1H
        5M
        7D
        1D )
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 172.16.100.11
ns2 IN A 172.16.100.12
mx1 IN A 172.16.100.13
mx2 IN A 172.16.100.14
websrv IN A 172.16.100.11
websrv IN A 172.16.100.12
www IN CNAME websrv

Test Command: dig

dig [-t type] name [@SERVER] [query options]
dig tests the DNS system only; it does not consult the hosts file

  1. Query options:
    +[no]trace: trace the resolution process: dig +trace magedu.com
    +[no]recurse: perform a recursive query

  2. Test a reverse lookup:

dig -x IP is equivalent to dig -t ptr reverseip.in-addr.arpa

  3. Simulate a zone transfer:
dig -t axfr ZONE_NAME @SERVER
dig -t axfr magedu.com @10.10.10.11
dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1
dig -t NS . @114.114.114.114
dig -t NS . @a.root-servers.net

Test command: host

host [-t type] name [SERVER]
host -t NS magedu.com 172.16.0.1
host -t soa magedu.com
host -t mx magedu.com
host -t axfr magedu.com
host 1.2.3.4

nslookup command: nslookup [-option] [name | -] [server]

• Interactive mode:
nslookup>
server IP: specify which DNS server to query
set q=RR_TYPE: specify the resource record type to query
NAME: the name to look up

Reverse zone

Reverse zones:
Zone name: the network address written in reverse, followed by .in-addr.arpa
172.16.100. --> 100.16.172.in-addr.arpa.
(1) define the zone

zone "ZONE_NAME" IN {
type {master|slave|forward};
file "NETWORK_ADDRESS.zone";
};

(2) define the zone database
Note: no MX records; mainly PTR records

  • Example reverse zone
$TTL 86400
$ORIGIN 100.16.172.in-addr.arpa.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2015042201
        1H
        5M
        7D
        1D )
    IN NS ns1.magedu.com.
    IN NS ns2.magedu.com.
11 IN PTR ns1.magedu.com.
11 IN PTR www.magedu.com.
12 IN PTR mx1.magedu.com.
12 IN PTR www.magedu.com.
13 IN PTR mx2.magedu.com.

rndc command

rndc:
rndc COMMAND

COMMAND: meaning
reload: reload the main configuration file and the zone databases
reload zonename: reload the database file of one zone
retransfer zonename: manually start a zone transfer, whether or not the serial number has increased
notify zonename: re-send a notify for the zone
reconfig: reload the main configuration file
querylog: turn the query log (written to /var/log/messages) on or off
trace: increase the debug level by one
trace LEVEL: set the debug level to LEVEL
notrace: set the debug level to 0
flush: flush all cached records on the DNS server

Subdomains

Subdomain delegation: a distributed database
Defining subzones (in the parent zone):

ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A 1.1.1.1
ns2.ops.magedu.com. IN A 1.1.1.2
fin.magedu.com. IN NS ns1.fin.magedu.com.
fin.magedu.com. IN NS ns2.fin.magedu.com.
ns1.fin.magedu.com. IN A 3.1.1.1
ns2.fin.magedu.com. IN A 3.1.1.2

Forwarding server

(figure: forwarding server diagram, not reproduced here)
Note: the server that requests are forwarded to must allow recursion for the forwarding server, otherwise the requests cannot be forwarded
(1) global forwarding: every resolution request for zones this server is not responsible for is forwarded to the specified server

options {
forward first|only;  # first: forward first, and go to the root servers itself if the forwarder finds nothing; only: forward only
forwarders { ip; };   # where to forward to
};

(2) zone-specific forwarding: forwards requests for one specific zone only; it takes priority over global forwarding

zone "ZONE_NAME" IN {
type forward;
forward first|only;
forwarders { ip;};
};

Note: turning the dnssec function off:

dnssec-enable no;
dnssec-validation no;

(3) ACLs in bind
bind's security-related configuration is based on ACLs:
acl: merges one or more addresses into a set that can then be referenced by name
format:

acl acl_name {
ip;
net/prelen;
...
};

Example:

acl mynet {
172.16.0.0/16;
10.10.10.10;
};

bind has four built-in ACLs:

none: no host
any: any host
localhost: this host itself
localnet: the networks obtained from this host's IP addresses and their netmasks

NOTE: an ACL can only be used after it has been defined; it is therefore usually placed near the top of the configuration file, before the options block

(4) Access control
allow-query {}: hosts allowed to query; a white list
allow-transfer {}: hosts allowed to perform zone transfers; a white list
allow-recursion {}: hosts allowed to make recursive queries; recommended to set globally
allow-update {}: hosts allowed to dynamically update the zone database
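Zone transfers, recursion and dynamic updates are the three settings above most often left open by accident, so here is an added example (written for this page; not the lab's own files and not BIND code) of a small named.conf checker in Python. It parses the brace-and-semicolon syntax, then reports master zones whose allow-transfer is missing or "any", an allow-recursion of "any" while recursion is on, and allow-update of "any", and notes dnssec-validation no for review. The two configuration fragments are constructed for the example: the first leaves the controls open, the second restricts them with the mynet ACL from the text and an assumed "slaves" ACL for the secondary server. Treating a missing allow-transfer as open is an assumption based on BIND's traditional default; check the ARM of the version you run.

```python
import re

# Constructed named.conf fragments for the example (not the lab's real files).
WEAK_CONF = """
options {
    listen-on port 53 { any; };
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };    // open resolver
    dnssec-validation no;
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-update { any; };       // anyone may rewrite the zone
};
"""

HARDENED_CONF = """
acl mynet  { 172.16.0.0/16; 10.10.10.10; };
acl slaves { 172.16.100.12; };       # assumed address of the secondary server
options {
    listen-on port 53 { any; };
    recursion yes;
    allow-query { any; };
    allow-recursion { mynet; };      # only our own clients may recurse
    allow-transfer { slaves; };      # only the secondary may pull the zone
    dnssec-validation auto;
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-update { none; };
};
"""


def _tokenize(text):
    """Split named.conf text into tokens after removing //, # and /* */ comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", "", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)


def parse_conf(tokens):
    """Return statements as (words, body); body is a nested list for { } blocks, else None."""
    stmts, words, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "{":
            depth, j = 1, i + 1
            while depth:                                  # find the matching '}'
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            stmts.append((words, parse_conf(tokens[i + 1:j - 1])))
            words, i = [], j
        elif tokens[i] == ";":
            if words:
                stmts.append((words, None))
            words, i = [], i + 1
        else:
            words.append(tokens[i].strip('"'))
            i += 1
    return stmts


def _get(body, key):
    """First statement in body whose first word is key, or None."""
    return next(((w, b) for w, b in body if w and w[0] == key), None)


def _allows_any(stmt):
    """True if the address-match list is missing or contains 'any'."""
    return stmt is None or any(w == ["any"] for w, _ in (stmt[1] or []))


def audit(conf_text):
    """Findings for the access controls listed above (transfer, recursion, update)."""
    top = parse_conf(_tokenize(conf_text))
    opts = (_get(top, "options") or ([], []))[1]
    findings = []
    rec = _get(opts, "recursion")
    if rec is None or rec[0][1] == "yes":                 # BIND default: recursion yes
        ar = _get(opts, "allow-recursion")
        if ar is None:
            findings.append("info: allow-recursion not set, relying on BIND's default (localnets; localhost)")
        elif _allows_any(ar):
            findings.append("open resolver: allow-recursion { any; } with recursion yes")
    global_xfer = _get(opts, "allow-transfer")
    for words, body in top:
        if words and words[0] == "zone" and body is not None:
            ztype = _get(body, "type")
            if ztype is None or ztype[0][1] != "master":
                continue
            # Assumption: a master zone with no allow-transfer anywhere is treated as
            # open, BIND's traditional default; confirm against your version's ARM.
            if _allows_any(_get(body, "allow-transfer") or global_xfer):
                findings.append(f"zone {words[1]}: zone transfer allowed to any host")
            upd = _get(body, "allow-update")
            if upd is not None and _allows_any(upd):
                findings.append(f"zone {words[1]}: dynamic updates accepted from any host")
    dv = _get(opts, "dnssec-validation")
    if dv is not None and dv[0][1] == "no":
        findings.append("info: dnssec-validation is disabled")
    return findings
```

audit(WEAK_CONF) returns four findings (open resolver, open zone transfer, open dynamic update, and the dnssec note), while audit(HARDENED_CONF) returns none. The checker only understands the subset of named.conf syntax shown here; named-checkconf from the bind package remains the tool for validating the real file.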


CDN (Content Delivery Network)

(figure: CDN diagram, not reproduced here)

  • GSLB: Global Server Load Balance
    (1) GSLB evaluates servers and links together to decide which site's servers should serve a request, guaranteeing service quality across geographically distributed server farms
    (2) The main purpose of GSLB is to direct user requests, across the whole network, to the nearest node (or region)
    (3) GSLB can be implemented on top of DNS, on top of redirection, or on top of routing protocols; the DNS-based approach is the most common

  • GSLB and CDN
    (figure: GSLB and CDN diagram, not reproduced here)

bind view

  • CDN: Content Delivery Network
  • Providers: 蓝汛 (ChinaCache), 网宿 (ChinaNetCenter), 帝联 (Dnion), and others
  • Intelligent DNS: dnspod, dns.la
  • view: implements intelligent DNS
    1. One bind server can define several views, and each view can define one or more zones
    2. Each view matches one group of clients
    3. Several views may need to resolve the same zone, but with different zone database files
  • Notes:
    (1) Once views are enabled, all zones must be defined inside views
    (2) Define the root zone only in the view that serves clients allowed to make recursive queries
    (3) When a client request arrives, the client lists served by the views are checked from top to bottom
  • Format:
view VIEW_NAME {
match-clients { testacl; };
zone "magedu.com" {
type master;
file "magedu.com.zone";
};
include "/etc/named.rfc1912.zones";
};

DNS troubleshooting

  1. Use dig +trace to troubleshoot; the cause may be the network or a firewall
    NXDOMAIN: The queried name does not exist in the zone.
  2. The cause may be that the A record a CNAME points to does not exist
    REFUSED: The nameserver refused the client's DNS request due to policy restrictions.
  3. The cause may be DNS policy
  4. NOERROR does not mean there is no problem; the answer may also be a stale record
  5. Check whether the answer is authoritative: look for the aa flag in the flags: line
  6. A deleted record can still be returned, possibly because a record like this exists:
    .example.com. IN A 172.25.254.254
  7. Pay attention to the use of "."
  8. Avoid a CNAME that points to another CNAME; it may create a loop:
    test.example.com. IN CNAME lab.example.com.
    lab.example.com. IN CNAME test.example.com.
  9. Configure PTR records correctly; many services rely on PTR, such as sshd and the MTA
  10. Configure round-robin records correctly
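Several items in this list (NXDOMAIN versus REFUSED, a NOERROR that is stale, the aa flag, CNAME loops) can be read straight off a dig reply, so here is an added Python example, written for this page rather than taken from the original post, that parses dig's text output into status, flags and answer records, reports whether the answer is authoritative, and checks the answer records for a CNAME loop of the kind shown in item 8. The dig outputs are constructed and shortened for the example; the record data in them is illustrative, not captured from the lab.

```python
import re

# Constructed dig outputs (shortened; not captured from the lab in this post).
DIG_AUTHORITATIVE = """\
; <<>> DiG 9.11.4 <<>> www.magedu.com @172.16.100.11
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.magedu.com.            IN  A

;; ANSWER SECTION:
www.magedu.com.     86400   IN  CNAME   websrv.magedu.com.
websrv.magedu.com.  86400   IN  A       172.16.100.11
websrv.magedu.com.  86400   IN  A       172.16.100.12

;; AUTHORITY SECTION:
magedu.com.         86400   IN  NS      ns1.magedu.com.
"""

DIG_CACHED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
www.magedu.com.     312     IN  A       172.16.100.11
"""

DIG_NXDOMAIN = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
"""


def parse_dig(output):
    """Pull status, header flags and the ANSWER SECTION records out of dig's text output."""
    status = re.search(r"status: (\w+)", output).group(1)
    m = re.search(r";; flags: ([^;]*);", output)
    flags = set(m.group(1).split()) if m else set()
    answers, in_answer = [], False
    for line in output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False            # another header or a blank line ends the section
        elif in_answer:
            name, ttl, _cls, rtype, *rdata = line.split()
            answers.append((name, int(ttl), rtype, " ".join(rdata)))
    return {"status": status, "authoritative": "aa" in flags, "answers": answers}


def cname_loop(records):
    """Return the names forming a CNAME loop in (name, ttl, type, rdata) records, or None."""
    cnames = {n.lower(): r.lower() for n, _, t, r in records if t == "CNAME"}
    for start in cnames:
        seen, cur = [], start
        while cur in cnames and cur not in seen:   # follow the alias chain
            seen.append(cur)
            cur = cnames[cur]
        if cur in seen:                            # chain came back to a name already visited
            return seen[seen.index(cur):] + [cur]
    return None


def diagnose(parsed):
    """Map a parsed dig result onto the troubleshooting list above."""
    status = parsed["status"]
    if status == "NXDOMAIN":
        return "NXDOMAIN: the name does not exist in the zone (check the record and its trailing dots)"
    if status == "REFUSED":
        return "REFUSED: server policy (allow-query / allow-recursion / view match) rejected the query"
    if status != "NOERROR":
        return f"{status}: unexpected status, check the server log"
    loop = cname_loop(parsed["answers"])
    if loop:
        return "CNAME loop: " + " -> ".join(loop)
    if not parsed["answers"]:
        return "NOERROR with an empty answer: the name exists but has no record of the queried type"
    if not parsed["authoritative"]:
        return "non-authoritative answer (no aa flag): served from a cache and possibly stale"
    return "authoritative answer"
```

The function works on text pasted from a terminal, so it can be pointed at the output of the dig commands listed earlier without any network access from the script itself; item 4 of the list is exactly the case where diagnose() reports a non-authoritative answer even though the status is NOERROR.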


Origin blog.csdn.net/weixin_42758707/article/details/94739356