BIND: Berkeley Internet Name Domain
DNS: Domain Name Service
Domain name: www.centos.com (a host name; FQDN: Fully Qualified Domain Name)
DNS: name resolution (Name Resolving), i.e. name conversion backed by a lookup process and a database
FQDN <--> IP: conversion in both directions
nsswitch: the local name-switch service
Configuration file: /etc/nsswitch.conf
hosts: files dns
"files" means look the record up in the /etc/hosts file
"dns" means look the record up through the DNS service
stub resolver: the resolver on the local host (a local service; it does not resolve names by itself but hands the query to the configured name servers)
Example:
When the host pings www.baidu.com:
1. The stub resolver is called first; it consults the nsswitch configuration for the hosts entry
2. The "files" source is tried first, i.e. /etc/hosts; if there is no record there, DNS is queried for the record
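The lookup order described in the two steps above, as an added example that is not part of the original notes. The nsswitch.conf and /etc/hosts contents are constructed inline, and a dict stands in for the answers a real DNS query would return, so the script runs offline. The point it makes is that the first source listed wins: an entry in /etc/hosts pre-empts DNS, which is why a tampered hosts file redirects a client without any DNS query being seen.

```python
"""Added example (not from the original notes): how the stub resolver walks the
``hosts:`` sources of /etc/nsswitch.conf.  Sample file contents are constructed;
FAKE_DNS is a stand-in for a real DNS query."""
import ipaddress

# Constructed sample of /etc/nsswitch.conf (only the hosts line matters here).
NSSWITCH = """\
passwd: files
hosts:  files dns
"""

# Constructed sample of /etc/hosts: address, canonical name, optional aliases.
HOSTS_FILE = """\
127.0.0.1   localhost localhost.localdomain
192.168.0.1 www.btsbox.com www    # internal web server
# 10.0.0.9  old.btsbox.com         (commented out, must be ignored)
"""

# Stand-in for the DNS service: the answers a real query would return (constructed).
FAKE_DNS = {"www.baidu.com": "115.239.211.112", "www.btsbox.com": "10.189.9.202"}


def hosts_sources(nsswitch_text):
    """Return the ordered list of sources on the ``hosts:`` line."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["dns"]          # fallback when the line is missing


def parse_hosts(text):
    """Map every name (canonical or alias, lower-cased) to its address."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)                  # raises on a malformed address
        for name in names:
            table.setdefault(name.lower(), addr)    # first entry for a name wins
    return table


def lookup_host(name, nsswitch_text=NSSWITCH, hosts_text=HOSTS_FILE, dns=FAKE_DNS):
    """Walk the sources in nsswitch order; return (address, source) or (None, None)."""
    name = name.lower().rstrip(".")
    for source in hosts_sources(nsswitch_text):
        if source == "files":
            hit = parse_hosts(hosts_text).get(name)
        elif source == "dns":
            hit = dns.get(name)
        else:
            continue                                # nis, ldap, ... are not modelled
        if hit:
            return hit, source
    return None, None


if __name__ == "__main__":
    for host in ("www.btsbox.com", "www.baidu.com", "old.btsbox.com"):
        print(host, "->", lookup_host(host))
```

Swapping the order to `hosts: dns files` makes the same name resolve through DNS instead, which the test below checks.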
ICANN: the body that manages the top-level domains
TLD: Top Level Domain. .com, .org, .net and so on are top-level domains
Three common kinds of TLD:
1. Organizational domains: .com, .org, .net, .cc
2. Country-code domains: .cn, .tw, .hk, .iq, .jp, etc.
3. Reverse domain: converts IP addresses into host names
IP --> FQDN (reverse resolution)
FQDN --> IP (forward resolution)
Forward and reverse resolution do not use the same database; they are served from two separate, independent databases
DNS query types:
1. Recursive query
Query path: A --> B --> C; C --> B --> A
2. Iterative query
Query path: A --> B (B has no answer but returns a referral: C may know); A --> C; C --> A
Two-stage query model:
the client queries recursively, the name server iterates (the Internet-facing part of the lookup)
DNS: a distributed database
A parent level knows only its direct children
A child level by default knows only where the root is
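A runnable model of the two-stage lookup just described, added here as an example; it is not part of the original notes. The authoritative servers are constructed in-memory dicts, each knowing only its own records and the NS delegations of its direct children (root knows .com, .com knows btsbox.com, btsbox.com knows its delegated child fin.btsbox.com); the client-side resolver starts at the root hint, follows referrals iteratively, and caches what it learns. All names and addresses are constructed, and the shape of the trace is what dig +trace prints later in these notes.

```python
"""Added example (not from the original notes): iterative resolution over a
constructed delegation tree.  Every server knows only its own data and the NS
records of its direct children, exactly as the notes describe."""

# Constructed authoritative data: records for owned names + NS delegations of children.
ROOT = {"com.": {"NS": "a.gtld-servers.net."}}
COM = {"btsbox.com.": {"NS": "ns1.btsbox.com."}}
BTSBOX = {
    "www.btsbox.com.": {"A": "10.189.9.202"},
    "ns1.btsbox.com.": {"A": "10.189.9.202"},
    "fin.btsbox.com.": {"NS": "ns1.fin.btsbox.com."},   # delegated subdomain
    "ns1.fin.btsbox.com.": {"A": "10.189.9.110"},        # glue for the child's NS
}
FIN = {"pay.fin.btsbox.com.": {"A": "10.189.9.120"}}

# Which server answers for which data; "." is the root hint the resolver starts from.
SERVERS = {".": ROOT, "a.gtld-servers.net.": COM,
           "ns1.btsbox.com.": BTSBOX, "ns1.fin.btsbox.com.": FIN}


def query(server, name, rtype):
    """One iterative step: ("answer", value), ("referral", ns_host) or ("nxdomain", None)."""
    data = SERVERS[server]
    if name in data and rtype in data[name]:
        return "answer", data[name][rtype]
    # Strip labels from the left: the closest enclosing delegation this server
    # knows about is the referral it hands back.
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if parent in data and "NS" in data[parent]:
            return "referral", data[parent]["NS"]
    return "nxdomain", None


def resolve(name, rtype="A", cache=None, trace=None):
    """Client-side recursion: start at the root hint and follow referrals.

    cache maps (name, rtype) -> value; trace collects (server, name) steps so the
    caller can see the same path dig +trace shows."""
    cache = {} if cache is None else cache
    trace = [] if trace is None else trace
    if (name, rtype) in cache:
        trace.append(("cache", name))
        return cache[(name, rtype)]
    server = "."
    for _ in range(10):          # bound the walk: a referral loop must not hang us
        trace.append((server, name))
        kind, value = query(server, name, rtype)
        if kind == "answer":
            cache[(name, rtype)] = value
            return value
        if kind == "nxdomain":
            return None
        server = value           # follow the referral to the child's name server
    raise RuntimeError("referral loop for " + name)


if __name__ == "__main__":
    steps = []
    print(resolve("pay.fin.btsbox.com.", trace=steps))
    for server, qname in steps:
        print("  asked", server, "for", qname)
```

The trace for pay.fin.btsbox.com. visits four servers (root, the .com server, btsbox.com's server, fin's server), and a second query for an already cached name is answered without asking anyone.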
How the DNS service works:
It accepts queries from local clients, normally recursive ones
External clients requesting an authoritative answer:
positive answer, with a TTL
negative answer, with a TTL
External clients requesting a non-authoritative answer
Master/slave structure:
Master DNS server: where the data is modified
Slave DNS server: requests data synchronization
1. The master's version number: on every data change the serial number is incremented by 1
2. The slave: refresh defines how often it asks the master for data; retry defines the interval at which it retries when that request fails; finally expire defines the expiry time after which the master is considered down
3. Lifetime of negative answers: negative answer TTL
Caching DNS server:
not responsible for authoritative answers, only caches DNS records
Forwarder:
does not cache, only forwards DNS requests
Each entry in the database is called a resource record (RR)
Resource record types:
A (address): FQDN --> IPv4
AAAA: FQDN --> IPv6
PTR (pointer): IP --> FQDN
NS (Name Server): Zone Name --> FQDN
MX (Mail Exchanger): Zone Name --> FQDN
SOA (Start of Authority): marks how the master and slave DNS servers of this zone synchronize data
CNAME (Canonical Name): FQDN --> FQDN
TXT
CHAOS
SRV
Resource record format:
NAME [TTL] IN RRT(record type) VALUE
www.btsbox.com. IN A 1.1.1.1
1.1.1.1.in-addr.arpa. IN PTR www.btsbox.com.   (PTR owner names live in the in-addr.arpa reverse tree)
NS example:
btsbox.com. 600 IN NS ns1.btsbox.com.
btsbox.com. 600 IN NS ns2.btsbox.com.
ns1.btsbox.com. 600 IN A 1.1.1.2
ns2.btsbox.com. 600 IN A 1.1.1.4
MX example:
Zone Name TTL IN MX pri VALUE
btsbox.com. 600 IN MX 10 mail.btsbox.com.
mail.btsbox.com. 600 IN A 1.1.1.3
MX priority: 0-99; the lower the number, the higher the priority
SOA example:
zone name TTL IN SOA FQDN ADMINISTRATOR_MAILBOX (
serial number
refresh
retry
expire
negative answer TTL )
Time units: H (hours), M (minutes), D (days), W (weeks); the default unit is seconds
Mailbox format: admin.btsbox.com (the @ of the mail address is written as a dot)
@ has a special meaning: it stands for the zone name, i.e. btsbox.com
@ 600 IN SOA ns1.btsbox.com. admin.btsbox.com. (
2015060801 ;serial number
1H
5M
1W
1D )
CNAME example:
www2.btsbox.com. IN CNAME www.btsbox.com.
The TTL value may be omitted (the zone's default TTL is used)
Difference between a domain and a zone:
Domain
Zone
DNS records held in the .com domain (the delegation of btsbox.com):
btsbox.com. IN NS ns.btsbox.com.
ns.btsbox.com. IN A 116.228.3.99
Local domain records (btsbox.com., 192.168.0.0/24):
First create two zone files:
Forward zone:
btsbox.com. IN SOA admin.btsbox.com. (
www IN A 192.168.0.1
Reverse zone file:
0.168.192.in-addr.arpa. IN SOA
1.0.168.192.in-addr.arpa. IN PTR www.btsbox.com.
1 IN PTR www.btsbox.com. (short form: the name is relative to the zone origin)
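The record conventions from the resource-record, SOA, CNAME and reverse-zone sections above (a zone-wide $TTL, @ for the zone name, an omitted TTL, relative owner names such as "www" or "1", the SOA's parenthesised multi-line value, ";" comments and the H/M/D/W time units), together with the serial comparison a slave performs when deciding whether to transfer, in one added example. It is not from the original notes; the sample zone text is constructed in the notation used above, and the parser covers only the syntax that appears in these notes (no $ORIGIN, no quoted TXT strings).

```python
"""Added example (not from the original notes): a minimal zone-file parser for the
conventions shown in these notes, plus RFC 1982 serial comparison."""
import re

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
TYPES = {"A", "AAAA", "NS", "MX", "PTR", "CNAME", "SOA", "TXT", "SRV"}

# Constructed forward zone (origin btsbox.com.).
SAMPLE_ZONE = """\
$TTL 600
@ 600 IN SOA ns1.btsbox.com. admin.btsbox.com. (
        2015060801 ; serial number
        1H         ; refresh
        5M         ; retry
        1W         ; expire
        1D )       ; negative answer TTL
        IN NS ns1
        IN MX 10 mail
ns1     IN A 1.1.1.2
mail    IN A 1.1.1.3
www2    IN CNAME www.btsbox.com.
"""

# Constructed reverse zone using the short form (origin 0.168.192.in-addr.arpa.).
REVERSE_ZONE = """\
$TTL 600
1 IN PTR www.btsbox.com.
"""


def to_seconds(text):
    """'1H' -> 3600, '5M' -> 300, '600' -> 600; the default unit is seconds."""
    m = re.fullmatch(r"(\d+)([SMHDWsmhdw]?)", text)
    if not m:
        raise ValueError("bad time value: " + text)
    return int(m.group(1)) * UNITS[(m.group(2) or "S").upper()]


def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return (default_ttl, [(owner, ttl, type, rdata_fields), ...])."""
    default_ttl, records, last_name = None, [], origin
    # Strip ';' comments, then join lines until the parentheses balance.
    cleaned = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]
    logical, buf = [], []
    for ln in cleaned:
        buf.append(ln)
        joined = " ".join(buf)
        if joined.count("(") == joined.count(")"):
            logical.append((buf[0][:1].isspace(), joined))   # remember leading blank
            buf = []
    for leading_ws, raw in logical:
        line = raw.replace("(", " ").replace(")", " ")
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "$TTL":
            default_ttl = to_seconds(fields[1])
            continue
        # A line that starts with whitespace (or directly with the class) keeps
        # the previous owner name, as in the 'IN NS ns1' lines above.
        if leading_ws or fields[0] == "IN":
            name = last_name
        else:
            name = absolute(fields.pop(0), origin)
        last_name = name
        ttl = default_ttl
        if fields[0] not in TYPES and fields[0] != "IN":
            ttl = to_seconds(fields.pop(0))                 # explicit TTL
        if fields[0] == "IN":
            fields.pop(0)
        rtype = fields.pop(0)
        rdata = fields
        if rtype == "SOA":      # mname rname serial refresh retry expire neg-ttl
            rdata = fields[:2] + [to_seconds(f) for f in fields[2:7]]
        elif rtype in ("NS", "CNAME", "PTR", "MX"):
            rdata[-1] = absolute(rdata[-1], origin)         # relative target name
        records.append((name, ttl, rtype, rdata))
    return default_ttl, records


def serial_newer(master_serial, slave_serial):
    """RFC 1982 serial arithmetic: must the slave transfer the zone?"""
    return 0 < (master_serial - slave_serial) % 2**32 < 2**31


if __name__ == "__main__":
    for rec in parse_zone(SAMPLE_ZONE, "btsbox.com.")[1]:
        print(rec)
    print(parse_zone(REVERSE_ZONE, "0.168.192.in-addr.arpa.")[1])
```

Note that the SOA time fields come back already converted to seconds (1H to 3600, 1W to 604800), and that serial_newer(201506090, 201506092) is false: a master whose serial is behind the slave's never triggers a transfer, which is exactly the situation the IXFR query later in these notes shows.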
Zone transfer types:
full zone transfer: axfr
incremental zone transfer: ixfr
Zone types:
master zone: master
slave zone: slave
hint zone: hint, i.e. defines where the root servers are
forward zone: forward
BIND service configuration:
/etc/named.conf
working properties of the BIND process
zone definitions
/etc/rndc.key
rndc: Remote Name Domain Controller; the key file that lets BIND be controlled remotely
configuration: /etc/rndc.conf
/var/named/
zone data files
/etc/rc.d/init.d/named
service script {start|stop|restart|status|reload|configtest}
binary program: named
bind-chroot:
by default named works under /; this package confines it to a chroot directory
user: named
group: named
caching-nameserver package:
turns the bind service into a caching server
named-checkconf
named-checkzone
dig: Domain Information Groper
[root@Centos6 named]# dig -t NS .   # query the NS records of the root zone; -t specifies the query type
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2049
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 86321 IN NS l.root-servers.net.
. 86321 IN NS j.root-servers.net.
. 86321 IN NS b.root-servers.net.
. 86321 IN NS k.root-servers.net.
. 86321 IN NS d.root-servers.net.
. 86321 IN NS a.root-servers.net.
. 86321 IN NS m.root-servers.net.
. 86321 IN NS f.root-servers.net.
. 86321 IN NS c.root-servers.net.
. 86321 IN NS e.root-servers.net.
. 86321 IN NS i.root-servers.net.
. 86321 IN NS h.root-servers.net.
. 86321 IN NS g.root-servers.net.
;; Query time: 2 msec
;; SERVER: 202.96.209.5#53(202.96.209.5)
;; WHEN: Mon Jun 8 15:34:39 2015
;; MSG SIZE rcvd: 228
Protocols and ports DNS listens on:
UDP and TCP port 53
953/TCP: the port rndc listens on
SOCKET: socket
IP:PORT
named.conf configuration file format:
zone "ZONE NAME" {
type {master|slave|hint|forward};
};
Master zone:
file "zone data file";
Slave zone:
file "zone data file";
masters { master_IP; };
[root@Centos6 named]# vim /etc/named.conf   # create named.conf by hand; this is its basic format
options {
        directory "/var/named";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};
[root@Centos6 named]# chown root:named /etc/named.conf   # set the file's owner and group
[root@Centos6 named]# chmod 640 /etc/named.conf   # set the file permissions
[root@Centos6 named]# named-checkconf   # check the syntax with bind's built-in named-checkconf command
[root@Centos6 named]# named-checkzone "." /var/named/named.ca   # check the root hints file
zone ./IN: has 0 SOA records
zone ./IN: not loaded due to errors.
[root@Centos6 named]# named-checkzone "localhost" /var/named/named.localhost
zone localhost/IN: loaded serial 0
OK
[root@Centos6 named]# named-checkzone "0.0.127.in-addr.arpa" /var/named/named.loopback
zone 0.0.127.in-addr.arpa/IN: loaded serial 0
OK
# The zone check syntax is: named-checkzone "ZONE" zone-data-file. Checking the root hints file this way reports the error above by default.
[root@Centos6 named]# service named start
啓動 named:named:正在運行 [確定]
[root@Centos6 named]# tail /var/log/messages   # by default the log goes to /var/log/messages
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: A.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: B.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: command channel listening on 127.0.0.1#953
Jun 8 16:49:38 Centos6 named[20760]: command channel listening on ::1#953
Jun 8 16:49:38 Centos6 named[20760]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 8 16:49:38 Centos6 named[20760]: zone localhost/IN: loaded serial 0
Jun 8 16:49:38 Centos6 named[20760]: managed-keys-zone ./IN: loaded serial 3
Jun 8 16:49:38 Centos6 named[20760]: running
Adding the btsbox.com zone:
[root@Centos6 named]# cat /etc/named.conf
options {
        directory "/var/named";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};
zone "btsbox.com" IN {
        type master;
        file "btsbox.com.zone";
};   # add the btsbox.com zone
[root@Centos6 named]# cat /var/named/btsbox.com.zone   # forward resolution data for btsbox.com
$TTL 600   # the $ marks a directive (macro); this line must be present
@ IN SOA ns1.btsbox.com. admin.btsbox.com. (
        20150608
        10M
        2M
        2D
        1W )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 10.189.9.202
mail    IN A 10.189.9.202
www     IN A 10.189.9.202
www     IN A 10.189.9.203
ftp     IN CNAME www
[root@Centos6 named]# named-checkzone "btsbox.com" /var/named/btsbox.com.zone
zone btsbox.com/IN: loaded serial 20150608
OK
[root@Centos6 named]# chmod 640 /var/named/btsbox.com.zone
[root@Centos6 named]# chown root:named /var/named/btsbox.com.zone
dig -t RRT NAME   (RRT = the record type to query)
dig -t NS btsbox.com
[root@Centos6 ~]# dig +trace -t A www.baidu.com @10.189.9.202   # use dig to trace the delegation path
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A www.baidu.com @10.189.9.202
;; global options: +cmd
. 518384 IN NS f.root-servers.net.
. 518384 IN NS k.root-servers.net.
. 518384 IN NS m.root-servers.net.
. 518384 IN NS h.root-servers.net.
. 518384 IN NS i.root-servers.net.
. 518384 IN NS g.root-servers.net.
. 518384 IN NS j.root-servers.net.
. 518384 IN NS d.root-servers.net.
. 518384 IN NS c.root-servers.net.
. 518384 IN NS e.root-servers.net.
. 518384 IN NS b.root-servers.net.
. 518384 IN NS l.root-servers.net.
. 518384 IN NS a.root-servers.net.
;; Received 492 bytes from 10.189.9.202#53(10.189.9.202) in 114240 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 491 bytes from 128.63.2.53#53(128.63.2.53) in 101272 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.41.162.30#53(192.41.162.30) in 491 ms
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(220.181.38.10) in 27 ms
[root@Centos6 ~]# dig +recurse -t A www.baidu.com @10.189.9.202   # use dig to query the record recursively
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +recurse -t A www.baidu.com @10.189.9.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22798
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 688 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 115.239.211.112
www.a.shifen.com. 300 IN A 115.239.210.27
;; AUTHORITY SECTION:
a.shifen.com. 691 IN NS ns2.a.shifen.com.
a.shifen.com. 691 IN NS ns4.a.shifen.com.
a.shifen.com. 691 IN NS ns1.a.shifen.com.
a.shifen.com. 691 IN NS ns5.a.shifen.com.
a.shifen.com. 691 IN NS ns3.a.shifen.com.
;; ADDITIONAL SECTION:
ns1.a.shifen.com. 691 IN A 61.135.165.224
ns3.a.shifen.com. 691 IN A 61.135.162.215
ns2.a.shifen.com. 691 IN A 180.149.133.241
ns4.a.shifen.com. 691 IN A 115.239.210.176
ns5.a.shifen.com. 691 IN A 119.75.222.17
;; Query time: 33 msec
;; SERVER: 10.189.9.202#53(10.189.9.202)
;; WHEN: Wed Jun 10 12:55:09 2015
;; MSG SIZE rcvd: 260
[root@Centos6 named]# dig -t axfr mageedua.com   # axfr: full zone transfer
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t axfr mageedua.com
;; global options: +cmd
mageedua.com. 86400 IN SOA ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
mageedua.com. 86400 IN NS ns1.mageedua.com.
mageedua.com. 86400 IN MX 10 mail.mageedua.com.
ftp.mageedua.com. 86400 IN CNAME www.mageedua.com.
mail.mageedua.com. 86400 IN A 10.189.9.202
ns1.mageedua.com. 86400 IN A 10.189.9.202
www.mageedua.com. 86400 IN A 10.189.9.202
www.mageedua.com. 86400 IN A 10.189.9.203
mageedua.com. 86400 IN SOA ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 10 13:12:58 2015
;; XFR size: 9 records (messages 1, bytes 233)
[root@Centos6 named]# dig -t ixfr=201506092 mageedua.com   # ixfr: incremental zone transfer. After adding new records the serial must be incremented; above it is 201506090, after the change 201506091
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t ixfr=201506092 mageedua.com
;; global options: +cmd
mageedua.com. 86400 IN SOA ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 10 13:13:52 2015
;; XFR size: 1 records (messages 1, bytes 76)   # reports that one incremental zone record was transferred
Wildcard resolution
Add A records to the forward zone:
btsbox.com. IN A 10.189.9.201
*.btsbox.com. IN A 10.189.9.201   # the IP can be the web server, i.e. any name under the zone lands on the www.btsbox.com host
Allowing DNS recursion:
options {
        directory "/var/named";
        recursion yes;   # allow recursive queries; on its own this lets any host on the Internet use the server recursively
        allow-recursion { 10.189.9.0/24; };   # allow only hosts on the 10.189.9.0 network to recurse
        allow-query { localhost; };   # allow only the local host to send queries
        allow-transfer { 10.189.9.203; };   # allow only host .203 to do zone transfers; placed in options it applies to all zones, normally it is written inside the zone statement
        allow-transfer { none; };   # (alternative to the line above) disallow zone transfers, for zones without a slave, e.g. the localhost zone
        notify yes;   # enable notifications: tell the slave servers when the data changes
        dnssec-enable no;
        dnssec-validation no;
};
masters { 10.189.9.202; };   # specifies which server is the master (used inside a slave zone statement)
axfr: full zone transfer
ixfr: incremental zone transfer
Master/slave structure of a zone:
When adding a slave DNS server, add its NS record to both the forward and the reverse zone, and its reverse (PTR) record, otherwise synchronization will not succeed
[root@Centos6 named]# cat mageedua.com.zone   # first add the NS record for ns2 and its A record
$TTL 86400
@ IN SOA ns1.mageedua.com. admin.mageedua.com. (
        201506092 ; serial
        1D        ; refresh
        1H        ; retry
        1W        ; expire
        3H )      ; minimum
        IN NS ns1
        IN NS ns2
        IN MX 10 mail
ns1     IN A 10.189.9.202
ns2     IN A 10.189.9.201
[root@Centos6 named]# cat 9.189.10.zone   # then add the reverse pointer for ns2
$TTL 86400
@ IN SOA ns1.mageedua.com. admin.mageedua.com. (
        201506092 ; serial
        1D        ; refresh
        1H        ; retry
        1W        ; expire
        3H )      ; minimum
        IN NS ns1.mageedua.com.
        IN NS ns2.mageedua.com.
201     IN PTR ns2.mageedua.com.
202     IN PTR ns1.mageedua.com.
[root@Centos6 named]# cat /etc/named.mageedua.com.zons   # configuration on the master DNS server
zone "mageedua.com" IN {
        type master;
        file "mageedua.com.zone";
        allow-transfer { 10.189.9.201; };   # the host allowed to synchronize via axfr/ixfr
};
zone "9.189.10.in-addr.arpa" IN {
        type master;
        file "9.189.10.zone";
        allow-transfer { 10.189.9.201; };   # the host allowed to synchronize via axfr/ixfr
};
# configuration on the slave server
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
};
zone "." IN {
        file "named.ca";
        type hint;
};
zone "localhost" IN {
        file "named.localhost";
        type master;
        allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        file "named.loopback";
        type master;
        allow-transfer { none; };
};
zone "mageedua.com" IN {
        file "slaves/mageedua.com.zone";
        type slave;   # this server is a slave for the zone
        masters { 10.189.9.202; };   # the master server's address
        allow-transfer { none; };   # nobody may request AXFR/IXFR from the slave
};
zone "9.189.10.in-addr.arpa" IN {
        file "slaves/9.189.10.zone";
        type slave;
        masters { 10.189.9.202; };
        allow-transfer { none; };
};
Controlling the DNS service with rndc:
[root@Centos6 named]# rndc-confgen >> /etc/rndc.conf
[root@Centos6 named]# vim /etc/rndc.conf   # installing bind creates /etc/rndc.key by default; it has to be deleted
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "vAv9U7k+jaHYI0gwdru1dA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "vAv9U7k+jaHYI0gwdru1dA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
# Copy the commented lines into /etc/named.conf and remove the comment markers
[root@Centos6 named]# cat /etc/named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "vAv9U7k+jaHYI0gwdru1dA==";
};
controls {
        inet 10.189.9.202 port 953
                allow { 10.189.9.202; } keys { "rndc-key"; };
};
[root@Centos6 named]# rndc -c /etc/rndc.conf flush
[root@Centos6 named]# rndc -c /etc/rndc.conf notify "mageedua.com"
zone notify queued
[root@Centos6 named]# rndc -c /etc/rndc.conf stop
[root@Centos6 named]# rndc -c /etc/rndc.conf status   # rndc subcommands; rndc -h lists the options
Subdomain delegation:
btsbox.com.: the parent domain
Format:
fin.btsbox.com. IN NS ns1.fin.btsbox.com.
fin.btsbox.com. IN NS ns2.fin.btsbox.com.
ns1.fin.btsbox.com. IN A 10.189.9.11
ns2.fin.btsbox.com. IN A 10.189.9.12
market.btsbox.com. IN NS ns1.market.btsbox.com.
ns1.market.btsbox.com. IN A 10.189.10.11
# In the parent zone, define the NS records and names of the subdomains
[root@Centos6 named]# cat /var/named/mageedua.com.zone
$TTL 86400
@ IN SOA ns1.mageedua.com. admin.mageedua.com. (
        201506093 ; serial
        1D        ; refresh
        1H        ; retry
        1W        ; expire
        3H )      ; minimum
        IN NS ns1
        IN NS ns2
        IN MX 10 mail
ns1     IN A 10.189.9.202
ns2     IN A 10.189.9.201
mail    IN A 10.189.9.202
www     IN A 10.189.9.202
www     IN A 10.189.9.203
ftp     IN CNAME www
pop     IN A 10.189.9.204
imap    IN A 10.189.9.205
fin     IN NS ns1.fin   # delegate the fin subdomain; a relative target is completed with the origin, so "ns1.fin" means ns1.fin.mageedua.com. (a bare "ns1" would point at the parent's ns1)
ns1.fin IN A 10.189.9.110   # glue record for the child's name server
market  IN NS ns1.market   # delegate the market subdomain and its NS record
ns1.market IN A 10.189.9.111
# On the subdomain's NS server set up bind, and write the main configuration file and the zone file
[root@localhost ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
};
zone "fin.mageedua.com" IN {
        file "fin.mageedua.com.zone";
        type master;
};
[root@localhost ~]# cat /var/named/fin.mageedua.com.zone
$TTL 86400
@ IN SOA ns1.fin.mageedua.com. admin.fin.mageedua.com. (
        2015060901
        1D
        1H
        30M
        1D )
        IN NS ns1
ns1     IN A 10.189.9.110
# The subdomain's NS record can only be looked up through the parent's NS server while the subdomain's NS server is running
[root@Centos6 named]# dig -t NS fin.mageedua.com @10.189.9.202
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS fin.mageedua.com @10.189.9.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13505
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fin.mageedua.com. IN NS
;; ANSWER SECTION:
fin.mageedua.com. 86400 IN NS ns1.fin.mageedua.com.
;; Query time: 2614 msec
;; SERVER: 10.189.9.202#53(10.189.9.202)
;; WHEN: Wed Jun 10 17:05:05 2015
;; MSG SIZE rcvd: 52
Forwarding the subdomain's queries to the parent domain:
defined in /etc/named.conf
options {
        forward {only|first};   # only: forward exclusively to the specified NS server; first: try the specified NS first and, if that fails, resolve from the root
        forwarders { 10.189.9.202; };   # the NS address to forward to
};
[root@localhost ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
        forward only;
        forwarders { 10.189.9.202; };
};
zone "fin.mageedua.com" IN {
        file "fin.mageedua.com.zone";
        type master;
};
# The above forwards globally from the subdomain's server
zone "mageedua.com" IN {
        type forward;
        forward first;
        forwarders { 10.189.9.202; };
};
# Alternatively, create a forward zone and configure forwarding for that zone only
Referring to a shared group of addresses in named.conf (acl):
acl ACL_NAME {
IP;
};
Example:
acl innet { 10.189.9.0/24; 127.0.0.1/8; 192.168.0.0/24; };
options {
        directory "/var/named";
        allow-recursion { innet; };
};
DNS views:
Notes:
Once any view is defined, every zone must be defined inside a view
If a domain does not need to be resolved differently per network, add a zone for it to both the telecom view and the unicom view
Format:
view VIEW_NAME {
};
[root@localhost named]# cat /etc/named.conf
acl telecom { 10.189.9.0/24; };
acl unicom { 10.189.8.0/24; };
options {
        directory "/var/named";
        allow-recursion { 127.0.0.1; };
        allow-query { any; };
};
view telecom {
        match-clients { telecom; };
        zone "mageedua.com" IN {
                type master;
                file "telecom.mageedua.com.zone";
        };
};
view unicom {
        match-clients { unicom; };
        zone "mageedua.com" IN {
                type master;
                file "unicom.mageedua.com.zone";
        };
};
# In named.conf, configure views and set match-clients inside each view so that it references an acl; the acl can be the list of China Telecom addresses or of China Unicom addresses. Finally, define the zones that need split answers ("smart DNS") inside the views. Typically three views are used: 1. internal network, 2. telecom, 3. unicom.
[root@localhost named]# cat telecom.mageedua.com.zone
$TTL 86400
@ IN SOA ns1.mageedua.com. admin.mageedua.com. (
        2015061101
        1D
        1H
        7D
        1D )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 10.189.9.110
mail    IN A 10.189.9.111
www     IN A 10.189.9.112   # the telecom www server is .112
[root@localhost named]# cat unicom.mageedua.com.zone
$TTL 86400
@ IN SOA ns1.mageedua.com. admin.mageedua.com. (
        2015061101
        1D
        1H
        7D
        1D )
        IN NS ns1
        IN MX 10 mail
ns1     IN A 10.189.9.110
mail    IN A 10.189.9.111
www     IN A 10.189.9.113   # the unicom www server is .113
[root@localhost slaves]# dig -t A www.mageedua.com @10.189.9.110   # result seen by a telecom client
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7_0.1 <<>> -t A www.mageedua.com @10.189.9.110
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58349
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mageedua.com. IN A
;; ANSWER SECTION:
www.mageedua.com. 86400 IN A 10.189.9.112
;; AUTHORITY SECTION:
mageedua.com. 86400 IN NS ns1.mageedua.com.
;; ADDITIONAL SECTION:
ns1.mageedua.com. 86400 IN A 10.189.9.110
;; Query time: 1 msec
;; SERVER: 10.189.9.110#53(10.189.9.110)
;; WHEN: 四 6月 11 10:26:21 CST 2015
;; MSG SIZE rcvd: 95
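The address-match lists behind allow-recursion, allow-transfer and allow-query (the "Allowing DNS recursion" section), acl groups, and the match-clients list that picks a view, evaluated in one added example; it is not part of the original notes. The named.conf fragment is constructed in the shape used above, deliberately with the weak `allow-recursion { any; }` setting beside a hardened copy, and the parser only understands the acl/options/view/zone statements these notes use. The audit probe address 203.0.113.7 is a constructed address outside every listed network, standing in for an arbitrary Internet client; the defaults assumed for a missing list (recursion limited to localhost, transfer open to any) approximate BIND 9's own defaults for the release used here.

```python
"""Added example (not from the original notes): evaluate BIND address-match lists
and audit a constructed named.conf for open recursion / open zone transfer."""
import ipaddress
import re

# Constructed fragment: one weak setting (allow-recursion { any; }) on purpose.
NAMED_CONF = """
acl telecom { 10.189.9.0/24; };
acl unicom  { 10.189.8.0/24; };
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };        # weak: any Internet host may recurse through us
    allow-transfer { 10.189.9.203; };
};
view telecom {
    match-clients { telecom; };
    zone "mageedua.com" IN { type master; file "telecom.mageedua.com.zone"; };
};
view unicom {
    match-clients { unicom; };
    zone "mageedua.com" IN { type master; file "unicom.mageedua.com.zone"; };
};
"""
# Hardened copy: recursion only for the two internal acl groups.
HARDENED_CONF = NAMED_CONF.replace("allow-recursion { any; };",
                                   "allow-recursion { telecom; unicom; };")

LIST = re.compile(r"(allow-recursion|allow-transfer|allow-query|match-clients)\s*\{([^}]*)\}")
# Assumed defaults when a list is absent (approximation of BIND 9's behaviour).
DEFAULTS = {"allow-recursion": ["localhost"], "allow-transfer": ["any"]}


def top_level_blocks(text):
    """Split the config into (header, body) pairs by matching braces at depth 0."""
    blocks, depth, start, header_start = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((text[header_start:start].strip(" ;\n\t"), text[start + 1:i]))
                header_start = i + 1
    return blocks


def elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse(text):
    """Return (acls, options_lists, views): acl name -> elements, etc."""
    text = re.sub(r"#.*", "", text)                      # drop '#' annotations
    acls, options, views = {}, {}, {}
    for header, body in top_level_blocks(text):
        words = header.split()
        if words[0] == "acl":
            acls[words[1]] = elements(body)
        elif words[0] == "options":
            options = {k: elements(v) for k, v in LIST.findall(body)}
        elif words[0] == "view":
            views[words[1]] = {k: elements(v) for k, v in LIST.findall(body)}
    return acls, options, views


def matches(client, elems, acls):
    """First matching element decides; '!' negates; any/none/localhost/acl/network."""
    ip = ipaddress.ip_address(client)
    for el in elems:
        negate = el.startswith("!")
        el = el.lstrip("! ")
        if el == "any":
            hit = True
        elif el == "none":
            hit = False
        elif el == "localhost":
            hit = ip.is_loopback
        elif el in acls:
            hit = matches(client, acls[el], acls)        # nested acl reference
        else:
            hit = ip in ipaddress.ip_network(el, strict=False)
        if hit:
            return not negate
    return False


def select_view(client, text=NAMED_CONF):
    """The first view whose match-clients list matches the client answers it."""
    acls, _, views = parse(text)
    for name, lists in views.items():
        if matches(client, lists.get("match-clients", ["any"]), acls):
            return name
    return None


def audit(text, probe="203.0.113.7"):
    """List the exposures an outside client (probe, constructed) would have."""
    acls, options, _ = parse(text)
    findings = []
    for key, label in (("allow-recursion", "open recursion"), ("allow-transfer", "open zone transfer")):
        if matches(probe, options.get(key, DEFAULTS[key]), acls):
            findings.append("%s: %s matches %s" % (label, key, probe))
    return findings


if __name__ == "__main__":
    print("weak config:", audit(NAMED_CONF))
    print("hardened   :", audit(HARDENED_CONF))
    print("10.189.8.5 is served by view", select_view("10.189.8.5"))
```

Removing the allow-transfer line altogether falls back to the assumed default of `any`, which the audit then reports as well; the same check is worth running against the per-zone allow-transfer lists in the master/slave section.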
bind logging:
category: defines the log source
queries
zone transfers
...
channel: where the log is written
channel types:
syslog
file: a user-defined file for the log messages; the log level can be set
Log levels:
critical
error
warning
notice
info
debug [level]
dynamic
category source classes:
default
general
client
config
dispatch
dnssec
lame-servers
network
notify
queries
resolver
security
update
xfer-in
xfer-out
logging {   # logging options
        channel query_log {   # define a channel
                file "/var/log/named/bind_query.log" versions 5 size 10M;   # where the log is stored
                severity dynamic;   # log level
                print-category yes;   # record the category
                print-time yes;   # record the time
                print-severity yes;   # record the severity
        };
        channel xfr_out {
                file "/var/log/named/xfr_out.log";
                severity debug;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category xfer-out { xfr_out; };
        category queries { query_log; };   # the queries source, recorded through the query_log channel
};
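What to do with the query_log channel defined above, as an added example that is not part of the original notes: a parser for the lines BIND 9.8 writes to a query channel with print-time, print-category and print-severity enabled (`client ADDR#PORT: query: NAME CLASS TYPE FLAGS (SERVER)`, where the first flag character is `+` when recursion was requested and `T` marks TCP), plus the summary a defender wants from it: queries per client and per type, and clients asking for AXFR/IXFR/ANY, which are the request types worth correlating with the allow-transfer settings. The log lines are constructed.

```python
"""Added example (not from the original notes): parse and summarise BIND query-log
lines from the query_log channel above.  The sample lines are constructed."""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
11-Jun-2015 10:26:21.103 queries: info: client 10.189.9.50#43210: query: www.mageedua.com IN A + (10.189.9.110)
11-Jun-2015 10:26:21.211 queries: info: client 10.189.9.50#43211: query: mail.mageedua.com IN MX + (10.189.9.110)
11-Jun-2015 10:26:22.005 queries: info: client 203.0.113.9#5353: query: mageedua.com IN AXFR -T (10.189.9.110)
11-Jun-2015 10:26:22.407 queries: info: client 203.0.113.9#5353: query: mageedua.com IN ANY +E (10.189.9.110)
11-Jun-2015 10:26:23.990 queries: info: client 10.189.8.7#40001: query: www.mageedua.com IN A + (10.189.9.110)
this line is not a query log entry and must be skipped
"""

LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): "
    r"client (?P<client>[\d.:a-fA-F]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]*)\)$")


def parse_line(line):
    """Return a dict of the fields, or None for a line that is not a query entry."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["recursion_desired"] = rec["flags"].startswith("+")   # '+' = RD bit set
    rec["tcp"] = "T" in rec["flags"]                          # 'T' = query over TCP
    return rec


def summarise(text, suspicious=("AXFR", "IXFR", "ANY")):
    """Counts per client and per type, plus clients that sent transfer/ANY queries."""
    per_client, per_type = Counter(), Counter()
    flagged, skipped = defaultdict(list), 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        per_client[rec["client"]] += 1
        per_type[rec["qtype"]] += 1
        if rec["qtype"] in suspicious:
            flagged[rec["client"]].append((rec["qtype"], rec["qname"]))
    return {"per_client": per_client, "per_type": per_type,
            "flagged": dict(flagged), "skipped": skipped}


if __name__ == "__main__":
    result = summarise(SAMPLE_LOG)
    print("queries per client:", dict(result["per_client"]))
    print("queries per type  :", dict(result["per_type"]))
    print("transfer/ANY from :", result["flagged"])
```

Feeding the real /var/log/named/bind_query.log through summarise() gives the same counters; a client appearing under "flagged" that is not one of the slaves listed in allow-transfer is the thing to follow up.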
DNS load testing
Use the queryperf tool for query load testing (queryperf ships with the BIND source code and has to be compiled and installed by hand)
[root@localhost ~]# queryperf -h   # show the help
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]
[-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
[-i interval] [-r arraysize] [-u unit] [-H histfile]
[-T qps] [-e] [-D] [-R] [-c] [-v] [-h]
-d specifies the input data file (default: stdin)
-s sets the server to query (default: 127.0.0.1)
-p sets the port on which to query the server (default: 53)
-q specifies the maximum number of queries outstanding (default: 20)
-t specifies the timeout for query completion in seconds (default: 5)
-n causes configuration changes to be ignored
-l specifies how a limit for how long to run tests in seconds (no default)
-1 run through input only once (default: multiple iff limit given)
-b set input/output buffer size in kilobytes (default: 32 k)
-i specifies interval of intermediate outputs in seconds (default: 0=none)
-f specify address family of DNS transport, inet or inet6 (default: any)
-r set RTT statistics array size (default: 50000)
-u set RTT statistics time unit in usec (default: 100)
-H specifies RTT histogram data file (default: none)
-T specify the target qps (default: 0=unspecified)
-e enable EDNS 0
-D set the DNSSEC OK bit (implies EDNS)
-R disable recursion
-c print the number of packets with each rcode
-v verbose: report the RCODE of each response on stdout
-h print this usage
[root@localhost ~]# queryperf -d test -s 10.189.9.202   # command usage: -d input file of queries, -s server to test
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 10.189.9.202)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 651690 queries
Queries completed: 651690 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.633849 sec
RTT min: 0.000249 sec
RTT average: 0.000831 sec
RTT std deviation: 0.001287 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Thu Jun 11 14:59:14 2015
Finished at: Thu Jun 11 14:59:41 2015
Ran for: 27.499620 seconds
Queries per second: 23698.145647 qps
Note: the dnstop tool can capture packets on the server for traffic analysis
Well-known free DNS hosting providers on the Internet:
dnspod
www.dns.la
Temporarily disabling SELinux:
#getenforce
enforcing
#setenforce 0
#setenforce 1
Disabling it permanently:
vim /etc/selinux/config
change SELINUX=enforcing to disabled or permissive