#################################
####### 配置高速緩存DNS ########
#################################
################
### DNS總攬 ###
################
##權威名稱服務器
-存儲並提供某個區域整個DNS域或DNS域的一部分的實際數據。權威名稱服務器的類型包括
*Master包含原始區域數據。有時稱作“主要”名稱服務器
*Slave（備份服務器）通過區域傳送從Master服務器獲得區域數據的副本。有時稱作“次要”名稱服務器
##非權威/遞歸名稱服務器
-客戶端通過其查找來自權威名稱服務器的數據。遞歸名稱服務器的類型包括
*僅緩存名稱服務器：只用於查找，對於其緩存數據之外的任何內容都不具有權威性
##DNS查找
-客戶端上的Stub解析器將查詢發送至/etc/resolv.conf中的名稱服務器
-如果名稱服務器
#########環境搭建##########
1.client端
ip：172.25.254.119
dns（/etc/resolv.conf）：172.25.254.219
1)修改主機名爲client
[root@localhost ~]# hostnamectl set-hostname client.example.com
[root@localhost ~]# reboot
Connection to 172.25.254.119 closed by remote host.
Connection to 172.25.254.119 closed.
2)配置client端的DNS服務器的地址
[root@client ~]# vim /etc/resolv.conf
# Generated by NetworkManager
domain example.com
search example.com
nameserver 172.25.254.219
2.server端
ip：172.25.254.219
dns：172.25.254.219
yum倉庫（/etc/yum.repos.d/rhel_dvd.repo）：http://172.25.254.250/rhel7
1)修改主機名爲dns-server
[root@localhost ~]# hostnamectl set-hostname dns-server.example.com
[root@localhost ~]# reboot
Connection to 172.25.254.219 closed by remote host.
Connection to 172.25.254.219 closed.
2)配置yum倉庫
[root@dns-server ~]# vim /etc/yum.repos.d/rhel_dvd.repo
# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.254.19/rhel7.0
name = Remote classroom copy of dvd
[root@dns-server ~]# yum clean all##注意要刷新yum源
3)安裝bind9（DNS服務軟件）
[root@dns-server ~]# yum install bind -y
4)開啓DNS服務
[root@dns-server ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: inactive (dead)
[root@dns-server ~]# systemctl start named
--------------------------------------------------------------------------
注意：啓動過程太慢也許是因爲系統剛開機，熵池中的無序（隨機）字符不夠導致的。可以通過在server端上敲擊鍵盤或移動鼠標來增加無序字符來解決該問題。
系統會將無序字符存儲在/dev/random中，可以用cat /dev/random查看
[root@dns-server ~]# cat /dev/random
3:HxYK)T
rndc密鑰（即上面所說的加密字符）存放在/etc/rndc.key中，可以cat /etc/rndc.key查看。該密鑰用於控制named，屬於機密信息，不應公開或貼到文檔裏。
[root@dns-server ~]# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "SriFRo71w6fL0Gf8tAeapA==";
};
---------------------------------------------------------------------------
5)配置防火牆
[root@dns-server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@dns-server ~]# firewall-cmd --permanent --add-service=dns
success
[root@dns-server ~]# firewall-cmd --reload
success
[root@dns-server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
6)修改selinux爲警告模式（非必要：setenforce 0只在本次開機內臨時生效，並且會使SELinux不再對named進行強制限制；named在enforcing模式下本身就能正常工作）
[root@dns-server ~]# setenforce 0
#########DNS本地高速緩存服務器##########
1)讓named在所有接口地址上監聽53端口
[root@client ~]# dig www.baidu.com
connection timed out; no servers could be reached
##此時顯示沒有dns server可達，是因爲DNS server的53端口只在環回地址上監聽，沒有在對外的地址上開啓
[root@dns-server ~]# netstat -antuple | grep named
##此處顯示named的tcp-53端口只在127.0.0.1環回口開啓了。
[root@dns-server ~]# rpm -qc bind##查看bind的配置文件都有哪些
/etc/logrotate.d/named
/etc/named.conf##此文件爲主配置文件
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
[root@dns-server ~]# vim /etc/named.conf
11 listen-on port 53 { 127.0.0.1; };
||
\/
11 listen-on port 53 { any; };
[root@dns-server ~]# systemctl restart named##重啓服務後生效
2)配置DNS server回答所有人的dns請求
[root@client ~]# dig www.baidu.com
status: REFUSED
##此時client的dns請求被拒絕了，是因爲DNS server的配置未設置爲響應所有人的dns請求。注意：對只服務內網的緩存DNS，allow-query宜限制爲內網網段（如{ 172.25.254.0/24; }），設爲any會使它成爲對外開放的遞歸解析器，可能被濫用於DNS放大攻擊
[root@dns-server ~]# vim /etc/named.conf
17 allow-query { localhost; };
||
\/
17 allow-query { any; };
[root@dns-server ~]# systemctl restart named##重啓服務後生效
3)配置本地高速緩存DNS server獲取dns的途徑
[root@client ~]# dig www.baidu.com
status: SERVFAIL
##此時DNS server提供服務失敗了是因爲本地高速緩存DNS需要從其他DNS服務器上獲取dns信息
[root@dns-server ~]# vim /etc/named.conf
18 forwarders { 172.25.254.250; };##在18行添加該信息
[root@dns-server ~]# systemctl restart named##重啓服務後生效
[root@client ~]# dig www.baidu.com##驗證成功獲取到dns解析
最後注意：因爲是本地高速緩存DNS，在公網上未註冊，所以這裏要關閉dns安全認證。關閉dnssec-validation後，本服務器不再驗證上游應答的DNSSEC簽名，無法發現被篡改的應答，只建議在實驗環境中這樣做
4)關閉DNS安全認證(dnssec-validation)
[root@dns-server ~]# vim /etc/named.conf
33 dnssec-validation yes;
||
\/
33 dnssec-validation no;
[root@dns-server ~]# systemctl restart named##重啓服務後生效
#########DNS正向解析##########
[root@dns-server ~]# vim /etc/named.conf
51 zone "." IN {
52 type hint;
53 file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";##指向了該文件
57 include "/etc/named.root.key";
[root@dns-server ~]# vim /etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";##指向了該文件
28 allow-update { none; };
29 };
##25-29行是模仿19-23行的模板而來的
[root@dns-server ~]# cd /var/named/
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost
named.ca named.loopback
[root@dns-server named]# cp -p named.localhost tbr.com.zone
##注意此處cp一定要加-p保證通過模板複製的文件的所屬組爲named
[root@dns-server named]# ll
total 32
drwxrwx---. 2 named named 22 11月 20 01:23 data
drwxrwx---. 2 named named 4096 11月 21 02:55 dynamic
-rw-r-----. 1 root named 2076 1月 28 2013 named.ca
-rw-r-----. 1 root named 152 12月 15 2009 named.empty
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
-rw-r-----. 1 root named 168 12月 15 2009 named.loopback
drwxrwx---. 2 named named 6 1月 29 2014 slaves
-rw-r-----. 1 root named 210 11月 20 03:15 tbr.com.zone
否則的話會變成
-rw-r-----. 1 root root 210 11月 20 03:15 tbr.com.zone
[root@dns-server named]# vim tbr.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
||
\/
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
dns A 172.25.254.219
www A 172.25.254.19
www A 172.25.254.18
bbs CNAME www.tbr.com.
tbr.com. MX 1 172.25.254.219.
##dns.tbr.com.指的是dns server的名稱
##注意：按DNS規範MX記錄的目標應爲主機名（例如dns.tbr.com.），而不是IP地址；上面直接寫IP的做法不符合規範
##注意此處的域名都是以.結尾的否則的話系統會自動加上/etc/named.rfc1912.zones文件中配置的後綴.tbr.com
##注意：當一個域名有多條A記錄對應多個ip時，DNS server會對該條dns解析進行輪詢機制（round-robin）。現象如下
當頻繁地執行dig www.tbr.com時兩個ip的先後順序會不斷輪詢變換。如圖
[root@dns-server ~]# systemctl restart named##重啓服務後生效
測試
[root@client ~]# dig -t mx tbr.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx tbr.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tbr.com. IN MX
;; ANSWER SECTION:
tbr.com. 86400 IN MX 1 172.25.254.219.
;; AUTHORITY SECTION:
tbr.com. 86400 IN NS dns.tbr.com.
;; ADDITIONAL SECTION:
dns.tbr.com. 86400 IN A 172.25.254.219
;; Query time: 1 msec
;; SERVER: 172.25.254.219#53(172.25.254.219)
;; WHEN: 一 11月 21 04:06:07 EST 2016
;; MSG SIZE rcvd: 100
[root@client ~]# dig www.tbr.com ##測試A記錄（多條A記錄的輪詢）
[root@client ~]# dig bbs.tbr.com##測試CNAME
[root@client ~]# mail [email protected] ##測試MX郵件解析（下方mailq顯示目標已解析爲172.25.254.219，連接25端口失敗可能是該主機未提供SMTP服務或被防火牆阻擋，不屬於DNS解析問題）
Subject: dawda
fdawda
caw
.
EOT
[root@client ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C8A7717E849 462 Sun Nov 20 03:05:10 [email protected]
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
0938717E857 437 Mon Nov 21 04:09:23 [email protected]
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
-- 1 Kbytes in 2 Requests.
#########DNS反向解析##########
[root@dns-server named]# vim /etc/named.rfc1912.zones
37 zone "1.0.0.127.in-addr.arpa" IN {
38 type master;
39 file "named.loopback";
40 allow-update { none; };
41 };
42
43 zone "254.25.172.in-addr.arpa" IN {##表示172.25.254.0網段
44 type master;
45 file "tbr.com.ptr";
46 allow-update { none; };
47 };
##43-47行是模仿37-41行的模板而來的
[root@dns-server ~]# cd /var/named/
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost tbr.com.zone
named.ca named.loopback
[root@dns-server named]# cp -p named.localhost tbr.com.ptr ##注意此處一定要加-p
[root@dns-server named]# vim tbr.com.zone ##注意：這裏應編輯上一步複製出來的反向區域文件tbr.com.ptr，而不是正向區域文件tbr.com.zone
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
A 172.25.254.219
19 PTR www.tbr.com.
18 PTR www.hello.com.
##ip地址172.25.254.19---->www.tbr.com
##ip地址172.25.254.18---->www.hello.com
[root@dns-server ~]# systemctl restart named##重啓服務後生效
測試
[root@client ~]# dig -x 172.25.254.19##反向查詢域名
#########DNS的內網外網解析##########
假設172.25.254.119爲內網測試主機172.25.254.219爲外網測試主機
1.主配置文件修改
[root@dns-server named]# vim /etc/named.conf
51 /*\
52 zone "." IN {|
53 type hint;|
54 file "named.ca";|
55 };|->這部分註釋掉
56 |
57 include "/etc/named.rfc1912.zones";|
58 include "/etc/named.root.key";|
59 *//
==================================================================
60 view localnet {
61 match-clients { 172.25.254.119; };##client端匹配172.25.254.119的主機
62 zone "." IN {\
63 type hint;|
64 file "named.ca";|->從52-55行復制而來
65 };/
66 include "/etc/named.rfc1912.zones";
67 };
68
69
70 view internet {
71 match-clients { 172.25.254.219; };##client端匹配172.25.254.219的主機
72 zone "." IN {
73 type hint;
74 file "named.ca";
75 };
76 include "/etc/named.rfc1912.zones.inter";
77 };
##61、71行中也可以寫成網段{ 172.25.254.0/24; };
/client端是172.25.254.119的去查看/etc/named.rfc1912.zones文件
##此部分的意義是|
\client端是172.25.254.219的去查看/etc/named.rfc1912.zones.inter文件
2./etc/named.rfc1912.zones與/etc/named.rfc1912.zones.inter文件的配置
[root@dns-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter##注意此處一定要加-p
##以/etc/named.rfc1912.zones爲模板複製出外網主機讀取的文件
[root@dns-server named]# vim /etc/named.rfc1912.zones.inter
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone.inter";##外網主機再去查看該文件
28 allow-update { none; };
29 };
3./var/named/tbr.com.zone.inter文件的配置
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost tbr.com.ptr
named.ca named.loopback tbr.com.zone
[root@dns-server named]# cp -p tbr.com.zone tbr.com.zone.inter##注意此處一定要加-p
[root@dns-server named]# ls
data named.empty slaves tbr.com.zone.inter
dynamic named.localhost tbr.com.ptr
named.ca named.loopback tbr.com.zone
[root@dns-server named]# vim tbr.com.zone.inter
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
dns A 172.25.0.219
www A 172.25.0.19
www A 172.25.0.18
bbs CNAME www.tbr.com.
tbr.com. MX 1 172.25.0.219.
[root@dns-server ~]# systemctl restart named##重啓服務後生效
《總結》
各個文件之間的邏輯關係
/client端是172.25.254.119的去查看/etc/named.rfc1912.zones文件
| ||
| \/
| /var/named/tbr.com.zone
/etc/named.conf -->|
(主配置文件) | /var/named/tbr.com.zone.inter
| /\
| ||
\client端是172.25.254.219的去查看/etc/named.rfc1912.zones.inter文件
補充
man 5 named.conf##查看named.conf文件的信息