Master/slave and intelligent (split-horizon) DNS based on BIND

Disclaimer: this is the blogger's original article, released under the CC 4.0 BY-SA license; if you reproduce it, include the original source link and this statement.
Original link: https://blog.csdn.net/qq_42298432/article/details/98637676

DNS and BIND

Theoretical basis of DNS

DNS: Domain Name Service, an application-layer protocol
C/S model:
    Client: the program that initiates the query request;
    Server: the program that answers the request (provides the service);
    ports: 53/UDP and 53/TCP
DNS query types:
  recursive query: for a domain the server is itself responsible for, it reads its own database directly and returns the answer;
  iterative query: for a domain the server is not responsible for, it first checks its cache and then iterates (queries other servers in turn);
Primary and secondary (master/slave) DNS servers:
  primary DNS server: maintains the zone database; both read and write operations are possible;
  secondary DNS server: copies the zone database from the primary server or from another secondary server; it can only read;

How the copy operation works (SOA fields):
   serial: the serial number, i.e. the version number of the database; whenever the master database content changes, the serial must be incremented by 1;
   refresh: the refresh interval, how often the secondary checks the serial on the primary for updates;
   retry: the retry interval, how long the secondary waits before trying again after a synchronization request to the primary fails;
   expire: the expiry time, how long the secondary keeps trying to reach an unreachable primary before it gives up on synchronization and stops serving the zone;
   minimum: how long negative answers are cached;
   notify: when the master's data changes, it notifies the secondaries so they can update at any time instead of waiting for the refresh interval;

Master-to-slave zone transfer:
   full transfer (AXFR): the entire database is transmitted;
   incremental transfer (IXFR): only the changed data is transmitted;
Zones:
  for the ityunn.com domain:
      FQDN -> IP
           forward resolution zone database;
      IP -> FQDN
           reverse resolution zone database;
Zone database file:
  resource record, abbreviated rr;
  record types: A, AAAA, PTR, SOA, NS, CNAME, MX

SOA    Start of Authority record; a zone database has exactly one SOA record, and it must come first;
NS     Name Server record; a zone database can have multiple NS records, one of them being the primary;
A      Address record, FQDN -> IPv4
AAAA   Address record, FQDN -> IPv6
CNAME  Canonical name (alias) record
MX     Mail exchanger record; priority 0-99, the smaller the number the higher the priority

Precautions
(1) the TTL can be inherited from the global $TTL;
(2) @ represents the name of the current zone;
(3) when two adjacent records have the same owner name, the name can be omitted on the second; $ORIGIN ityunn.com. can be added on the second line to specify the origin explicitly;
(4) in the forward zone, the value of each MX, NS and similar record is an FQDN, and that FQDN should have an A record;

BIND Installation and Configuration

BIND: Berkeley Internet Name Domain:
    dns: the protocol
    bind: an implementation of the dns protocol
    named: the process name of the running bind program
Packages:
    bind-libs: library files shared by the bind and bind-utils packages;
    bind-utils: client tools such as dig, nslookup, host and the like;
    bind: the DNS server program;
    bind-chroot: optional, runs named in a chroot jail;
bind configuration files
Main configuration file: /etc/named.conf
  it may also include other files:
      /etc/named.iscdlv.key
      /etc/named.rfc1912.zones
      /etc/named.root.key
Zone database files:
  under the /var/named/ directory;
       usually named ZONE_NAME.zone
Note:
(1) one DNS server can provide resolution for several zones at the same time;
(2) it must have the root zone database: named.ca;
(3) it should also have two zone databases for localhost and 127.0.0.1, the forward and the reverse one:
      forward: named.localhost
      reverse: named.loopback

Test tools:
dig, host, nslookup
dig command:
dig [-t RR_TYPE] name [@server] [query options]
reverse resolution test:
dig -x IP
simulate a full zone transfer:
dig -t AXFR DOMAIN [@server]
host command:
host [-t RR_TYPE] name SERVER_IP
nslookup command
interactive mode:
nslookup>
   server IP: query the specified DNS server;
   set q=RR_TYPE: the resource record type to query;
   name: the name to query;
rndc command: the named service control command
   rndc status   show the running configuration and status
   rndc flush    clear the cache
   rndc reload   reload the configuration file and zones

Primary DNS server deployment

(1) define the zone in the main configuration file or in a secondary configuration file that it includes;
(2) create the zone data file (mainly A or AAAA records) in the /var/named/ directory;
(3) have the server reload the configuration file or the zone data file;

Note:
1. Be sure to set in the main configuration file which hosts the service resolves for; by default it only resolves for the local machine, and "any" stands for all hosts
2. For every zone configured in the zone file, the corresponding zone data file must exist, otherwise the service cannot start
3. Domain names in the zone data file must end with a dot ".", otherwise the service cannot start
4. The administrator mailbox in the zone data file cannot use "@"; use "." instead, otherwise the service fails to start
5. The domain's name server (NS) must have a corresponding A record, otherwise the service fails to start
6. When copying the zone template, be sure to add -a to keep the original owner and permissions, otherwise resolution fails
1. Install the BIND DNS service program with yum

yum -y install bind*   # install the bind packages

2. Edit the main configuration file so that resolution is provided to all hosts

vim /etc/named.conf   # edit the main configuration file

options {
        listen-on port 53 { any; };      // listen on all local addresses, i.e. which hosts can reach the service
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        rrset-order { order cyclic; };   // round-robin order for answers with several records
        allow-query { any; };            // which hosts may send queries to this server
};

3. Edit the zone configuration file to set up the forward and reverse lookup zones

vim /etc/named.rfc1912.zones
Forward zone:
zone "ityunn.com" IN {       // domain name of the forward zone
        type master;         // zone type: master for primary, slave for secondary, hint for root, forward for a forwarding zone
        file "ityunn.com.zone";  // zone data file name; by default relative to /var/named/, a different path can be given in front
        allow-update { none; };  // who may dynamically update the zone database file
};
Reverse zone:
zone "10.168.192.in-addr.arpa" IN {  // reverse zone for the 192.168.10. network
        type master;
        file "192.168.10.zone";
        allow-update { none; };
};

4. Create the forward zone data file: it can be copied from the template or written by hand with the same name (but the file permissions then need changing);

cd /var/named   # switch to the zone data file directory
cp -a named.localhost ityunn.com.zone   # copy the template to create a forward zone data file
vim ityunn.com.zone   # edit the zone file
$TTL 1D                 ; default TTL of one day
$ORIGIN ityunn.com.
@       IN SOA  ns1.ityunn.com. admin.ityunn.com. (
                                        20190806        ; serial, update sequence number
                                        1D      ; refresh interval
                                        1H      ; retry interval
                                        1W      ; expire time
                                        3H )    ; minimum, negative answer cache time
        IN NS   ns1             ; name server records
        IN NS   ns2
        IN MX   10      mail1   ; mail exchanger record
ns1     IN A    192.168.10.101  ; dns server address (the A record matching the NS)
ns2     IN A    192.168.10.104
www     IN A    192.168.10.101  ; address record
mail1   IN A    192.168.10.50   ; address record
web     IN CNAME www            ; alias record
bbs     IN A    192.168.10.10   ; two A records for one name, answered round-robin
bbs     IN A    192.168.10.11


5. Create the reverse zone data file: it can be copied from the template or written by hand with the same name (but the file permissions then need changing);

cd /var/named   # switch to the zone data file directory
cp -a named.loopback 192.168.10.zone   # copy the template to create a reverse zone data file
vim 192.168.10.zone   # edit the zone file
$TTL 1D
$ORIGIN 10.168.192.in-addr.arpa.
@       IN SOA  ns1.ityunn.com. admin.ityunn.com. (
                                        20190806        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns1.ityunn.com.
        IN NS   ns2.ityunn.com.
101     IN PTR  ns1.ityunn.com.
104     IN PTR  ns2.ityunn.com.
101     IN PTR  www.ityunn.com.
50      IN PTR  mail1.ityunn.com.
10      IN PTR  bbs.ityunn.com.
11      IN PTR  bbs.ityunn.com.

6. Restart the dns service and verify the result with nslookup

systemctl restart named   # start the dns service
rndc reload               # reload the configuration file
If the service fails to start, check the configuration files with the following commands:
named-checkconf   # check the main configuration file for syntax and parameter errors
named-checkzone ityunn.com /var/named/ityunn.com.zone   # check a zone data file for syntax and parameter errors
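To catch the zone-file mistakes listed in the notes above (names without a trailing dot, "@" in the SOA mailbox, an NS or MX target with no A record) before named refuses to start, here is an added Python checker; it is not part of the original post, the function names are mine, and the embedded zone is a constructed copy of the ityunn.com.zone file from step 4.

```python
import re
# Constructed sample modelled on the ityunn.com.zone file above.
SAMPLE_ZONE = """$TTL 1D
$ORIGIN ityunn.com.
@       IN SOA  ns1.ityunn.com. admin.ityunn.com. (
                20190806 ; serial
                1D 1H 1W 3H )  ; refresh retry expire minimum
        IN NS   ns1
        IN NS   ns2
ns1     IN A    192.168.10.101
ns2     IN A    192.168.10.104
"""

def parse_zone(text):
    """Return (origin, [(owner, type, rdata)]), folding '(...)' continuations."""
    origin, records, owner = None, [], "@"
    body = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())  # drop comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):   # blank, $TTL or $ORIGIN
            if line.startswith("$ORIGIN"):
                origin = line.split()[1]
            continue
        fields = line.split()
        if not line[0].isspace():           # explicit owner; otherwise inherit
            owner = fields.pop(0)
        if fields[0] == "IN":               # class is optional
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return origin, records

def fqdn(name, origin):
    # Qualify a relative name against $ORIGIN; names ending in '.' are absolute.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text):
    """Return the list of problems found; an empty list means the file passes."""
    origin, records = parse_zone(text)
    problems = [] if origin and origin.endswith(".") else ["$ORIGIN missing or lacks trailing '.'"]
    if not records or records[0][1] != "SOA" or sum(r[1] == "SOA" for r in records) != 1:
        return problems + ["exactly one SOA record is required and it must come first"]
    mname, rname = records[0][2][:2]
    if "@" in rname:
        problems.append(f"SOA mailbox {rname!r} must use '.' instead of '@'")
    problems += [f"SOA name {n!r} lacks the trailing '.'" for n in (mname, rname) if not n.endswith(".")]
    have_a = {fqdn(o, origin) for o, t, _ in records if t in ("A", "AAAA")}
    for o, t, rdata in records:                 # every NS/MX target needs an A record
        if t in ("NS", "MX") and fqdn(rdata[-1], origin) not in have_a:
            problems.append(f"{t} target {fqdn(rdata[-1], origin)} has no A/AAAA record")
    return problems
```

named-checkzone remains the authoritative check; this script only covers the rules the notes call out.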

Deploying the secondary (slave) DNS server

Note:
1. If the service does not start, check that the parameters in the configuration file are correct
2. If the slave dns does not synchronize the files after a service restart, check that the master's ip address in the slave's zone definition is correct
3. If resolution works locally but clients cannot resolve, turn off the firewall and selinux, and check that the main configuration file allows dns queries from all clients
4. To have the slave synchronize data from the master's file in real time, add an NS record for the slave dns server in the master's zone data file; after the master's zone data file changes, add 1 to the serial on the primary server and restart the service, and the slave will then update its data file from the primary automatically
5. The master and slave servers should keep their time synchronized, otherwise errors may occur

(1) Define the zone on the slave:
zone "ZONE_NAME" IN {
         type slave;
         file "slaves/ZONE_NAME.zone";
         masters { MASTER_IP; };
};
         check the configuration file syntax: named-checkconf
(2) reload the configuration
          rndc reload
          systemctl restart named
Master side:

zone "ityunn.com" IN {
        type master;
        file "ityunn.com.zone";
        allow-update { 192.168.10.104; };   // allow updates from the slave's IP address
        notify yes;
        also-notify { 192.168.10.104; };    // when the master's data changes, actively notify the slave to update its data
};

Note: make sure the zone data file on the master has an NS record for each slave server, and that the host name in each of those NS records has an A record in the forward zone with the real IP address of that slave; otherwise synchronization to that slave will not happen;

Subdomain delegation:

Delegating a subdomain in the forward zone:
1. Add the following in the parent zone data file

vim /var/named/ityunn.com.zone   # edit the forward zone data file
ops     IN NS   ns1.ops
ns1.ops IN A    192.168.10.102

2. Add the subdomain zone on the subdomain's master server (ops)

zone "ops.ityunn.com" IN {   // name of the subdomain zone under the main domain
        type master;
        file "ops.ityunn.com.zone";
};

3. Create the forward zone data file: it can be copied from the template or written by hand with the same name (but the file permissions then need changing);

cd /var/named   # switch to the zone data file directory
cp -a named.localhost ops.ityunn.com.zone   # copy the template to create a forward zone data file
vim ops.ityunn.com.zone   # edit the zone file
$TTL 3600
$ORIGIN ops.ityunn.com.
@       IN SOA  ns1.ops.ityunn.com. admin.ityunn.com. (
                                        20190801        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns1
ns1     IN A    192.168.10.102
www     IN A    192.168.10.102
bbs     IN A    192.168.10.103

Defining forwarding
Note: the server being forwarded to must allow recursion for the current server;
(1) forwarding zone: only forwards resolution requests for a particular zone;
zone "ZONE_NAME" IN {
        type forward;
        forward first|only;
        forwarders { SERVER_IP; };
};

first: forward first; if the forwarder does not respond, perform the iterative query itself;
only: forward only;

(2) global forwarding: every query for a zone not defined locally is handed to the forwarder;
options {
        ... ...
        forward first|only;
        forwarders { SERVER_IP; };
        ... ...
};
BIND security-related configuration:
acl: access control list; merges one or more addresses into a named set, so that the name can later refer to all the hosts in the set at once;

acl acl_name {
        ip;
        net/prefixlen;
};
Example:
vim /etc/named.rfc1912.zones
zone "ityunn.com" IN {
        type master;
        file "ityunn.com.zone";
        allow-update { none; };
        allow-transfer { slaves; };   // define which hosts may do zone transfers; the default is all hosts
};
Write the following into /etc/named.conf (not inside the global options block, but above it):
acl slaves {
        192.168.10.104;
        127.0.0.1;
};

BIND has four built-in ACLs:
none: no host;
any: any host;
localhost: the local machine itself;
localnets: the networks the local machine's interfaces belong to;

Access control directives:
allow-query {};       which hosts may query; a whitelist;
allow-transfer {};    which hosts may do zone transfers; the default is all hosts; it should be configured to allow only the slave servers;
allow-recursion {};   which hosts may send recursive query requests to this DNS server;
allow-update {};      DDNS, which hosts may dynamically update the contents of the zone database file;

Split resolution with BIND views

Views:
view VIEW_NAME {
        zone ...
        zone ...
        zone ...
};
acl internal {   // network segment that is matched by the internal view
        172.16.0.0/12;   // host bits must be zero: 172.16.0.0/8 is an address/prefix length mismatch
};
acl external {   // network segment that is matched by the external view
        192.168.10.0/24;
};

view internal {   // view
        match-clients { "internal"; };   // clients matched through the acl
        zone "fenli.com" IN {
                type master;
                file "fenli.com/internal";   // zone data file
        };
};

view external {   // view
        match-clients { "external"; };   // clients matched through the acl
        zone "fenli.com" IN {
                type master;
                file "fenli.com/external";   // zone data file
        };
};

Note: if split resolution with views is used, then all zones must be placed inside views; otherwise named reports an error;
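To see how named chooses a view for a client, here is an added Python model, not part of the original post: the ACL and view names and zone file paths are the ones above, the client addresses are constructed, the "localhost" entry is a stand-in for BIND's built-in ACL, and the function names are mine. It rejects an address/prefix entry with host bits set the way named does, then walks the views in configuration order.

```python
import ipaddress

# Constructed ACLs and views modelled on the fenli.com split-horizon config above.
ACLS = {
    "internal": ["172.16.0.0/12", "localhost"],
    "external": ["192.168.10.0/24"],
    "localhost": ["127.0.0.1", "::1"],      # stand-in for the built-in localhost ACL
}
VIEWS = [  # named tries views in configuration order; the first match-clients hit wins
    {"name": "internal", "match-clients": ["internal"], "file": "fenli.com/internal"},
    {"name": "external", "match-clients": ["external"], "file": "fenli.com/external"},
]

def check_acl_entry(entry):
    """Return an error string for an address/prefix whose host bits are set
    (named rejects these as 'address/prefix length mismatch'), else None."""
    try:
        ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        return f"bad ACL entry {entry!r}: {exc}"
    return None

def acl_matches(name, client_ip, acls=ACLS):
    """True if client_ip is covered by the ACL: 'any', 'none', a nested ACL
    name, a single address or a net/prefix entry."""
    ip = ipaddress.ip_address(client_ip)
    for entry in acls[name]:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if entry in acls:                          # nested acl reference
            if acl_matches(entry, client_ip, acls):
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return (view name, zone file) served to this client, or None when no
    view matches, in which case named answers REFUSED."""
    for view in views:
        if any(acl_matches(a, client_ip, acls) for a in view["match-clients"]):
            return view["name"], view["file"]
    return None

if __name__ == "__main__":
    for ip in ("172.20.1.5", "192.168.10.104", "127.0.0.1", "10.0.0.1"):
        print(ip, "->", select_view(ip))
    print(check_acl_entry("172.16.0.0/8"))
```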
