西部開源學習筆記BOOK3《DNS本地高速緩存服務器》

#################################

####### 配置高速緩存DNS ########

#################################

 

################

### DNS總攬 ###

################

##權威名稱服務器

-存儲並提供某個區域整個DNS域或DNS域的一部分的實際數據。權威名稱服務器的類型包括

*Master包含原始區域數據。有時稱作“主要”名稱服務器

*Slaver備份服務器通過區域傳送從Master服務器獲得的區域數據的副本。有時稱作“次要”名稱服務器

##非權威/遞歸名稱服務器

-客戶端通過其查找來自權威名稱服務器的數據。遞歸名稱服務器的類型包括

*僅緩存名稱服務器僅用於查找對於非數據之外的任何內容都不具有權威性

##DNS查找

-客戶端上的Stub解析器將查詢發送至/etc/resolv.conf中的名稱服務器

-如果名稱服務器

 

 

#########環境搭建##########

1.client端

ip172.25.254.119

dns/etc/resolv.conf172.25.254.219

 

1)修改主機名爲client

[root@localhost ~]# hostnamectl set-hostname client.example.com

[root@localhost ~]# reboot

Connection to 172.25.254.119 closed by remote host.

Connection to 172.25.254.119 closed.

2配置client端的DNS服務器的地址

[root@client ~]# vim /etc/resolv.conf

# Generated by NetworkManager

 domain example.com

 search example.com

 nameserver 172.25.254.219

 

 

2.server端

ip172.25.254.219

dhs172.25.254.219

yum倉庫/etc/yum.repos.d/rhel_dvd.repohttp://172.25.254.250/rhel7

 

1修改主機名爲dns-server

[root@localhost ~]# hostnamectl set-hostname dns-server.example.com

[root@localhost ~]# reboot

Connection to 172.25.254.219 closed by remote host.

Connection to 172.25.254.219 closed.

2)配置yum倉庫

[root@dns-server ~]# vim /etc/yum.repos.d/rhel_dvd.repo

# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000

[rhel_dvd]

gpgcheck = 0

enabled = 1

baseurl = http://172.25.254.19/rhel7.0

name = Remote cla***oom copy of dvd

[root@dns-server ~]# yum clean all##注意要刷新yum源

3安裝bind9DNS服務軟件

[root@dns-server ~]# yum install bind -y

4開啓DNS服務

[root@dns-server ~]# systemctl status named

named.service - Berkeley Internet Name Domain (DNS)

   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)

   Active: inactive (dead)

 

[root@dns-server ~]# systemctl start named

--------------------------------------------------------------------------

注意啓動過程太慢也許是因爲系統剛開機所以加密字符不夠導致的。可以通過在server端上敲擊鍵盤或移動鼠標來增加無序字符來解決該問題。

系統會將無序字符存儲在/dev/ramdom中可以cat /dev.random查看

[root@dns-server ~]# cat /dev/random

3:HxYK)T

加密字符存放在/etc/rndc.key中可以cat /etc/rndc.key查看

[root@dns-server ~]# cat /etc/rndc.key

key "rndc-key" {

algorithm hmac-md5;

secret "SriFRo71w6fL0Gf8tAeapA==";

};

---------------------------------------------------------------------------

5配置防火牆

[root@dns-server ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client ftp ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

[root@dns-server ~]# firewall-cmd --permanent --add-service=dns

success

[root@dns-server ~]# firewall-cmd --reload

success

[root@dns-server ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client dns ftp ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

6)修改selinux爲警告模式非必要

[root@dns-server ~]# setenforce 0

 

 

#########DNS本地高速緩存服務器##########

1開啓dns在所有端口上的tcp-53端口

[root@client ~]# dig www.baidu.com

connection timed out; no servers could be reached

##此時顯示沒有dns server可達是因爲DNS server的tcp端口未開啓

[root@dns-server ~]# netstat -antuple | grep named

##此處顯示named的tcp-53端口只在127.0.0.1環回口開啓了。

[root@dns-server ~]# rpm -qc bind##查看bind的配置文件都有哪些

/etc/logrotate.d/named

/etc/named.conf##此文件爲主配置文件

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/rndc.conf

/etc/rndc.key

/etc/sysconfig/named

/var/named/named.ca

/var/named/named.empty

/var/named/named.localhost

/var/named/named.loopback

[root@dns-server ~]# vim /etc/named.conf

 11         listen-on port 53 { 127.0.0.1; };

  ||

  \/

 11         listen-on port 53 { any; };

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

2)配置DNS server回答所有人的dns請求

[root@client ~]# dig www.baidu.com

status: REFUSED

##此時client的dns請求被拒絕了是因爲DNS server的配置未設置爲響應所有人的dns請求

[root@dns-server ~]# vim /etc/named.conf

 17         allow-query     { localhost; };

||

\/

 17         allow-query     { any; };

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

3)配置本地高速緩存DNS server獲取dns的途徑

[root@client ~]# dig www.baidu.com

status: SERVFAIL

##此時DNS server提供服務失敗了是因爲本地高速緩存DNS需要從其他DNS服務器上獲取dns信息

[root@dns-server ~]# vim /etc/named.conf

 18         forwarders      { 172.25.254.250; };##在18行添加該信息

[root@dns-server ~]# systemctl restart named##重啓服務後生效

[root@client ~]# dig www.baidu.com##驗證成功獲取到dns解析

 

最後注意因爲是本地高速緩存DNS所以在公網上未註冊所以要關閉dns安全認證

4)關閉DNS安全認證(dnssec-validation)

[root@dns-server ~]# vim /etc/named.conf

 33         dnssec-validation yes;

       ||

       \/

 33         dnssec-validation no;

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

#########DNS正向解析##########

[root@dns-server ~]# vim /etc/named.conf

 51 zone "." IN {

 52         type hint;

 53         file "named.ca";

 54 };

 55

 56 include "/etc/named.rfc1912.zones";##指向了該文件

 57 include "/etc/named.root.key";

[root@dns-server ~]# vim /etc/named.rfc1912.zones

 19 zone "localhost" IN {

 20         type master;

 21         file "named.localhost";

 22         allow-update { none; };

 23 };

 24

 25 zone "tbr.com" IN {

 26         type master;

 27         file "tbr.com.zone";##指向了該文件

 28         allow-update { none; };

 29 };

##25-29行是模仿19-23行的模板而來的

 

[root@dns-server ~]# cd /var/named/

[root@dns-server named]# ls

data      named.empty      slaves        

dynamic   named.localhost  

named.ca  named.loopback   

[root@dns-server named]# cp -p named.localhost tbr.com.zone

##注意此處cp一定要加-p保證通過模板複製的文件的所屬組爲named

[root@dns-server named]# ll

total 32

drwxrwx---. 2 named named   22 11月 20 01:23 data

drwxrwx---. 2 named named 4096 11月 21 02:55 dynamic

-rw-r-----. 1 root  named 2076 1月  28 2013 named.ca

-rw-r-----. 1 root  named  152 12月 15 2009 named.empty

-rw-r-----. 1 root  named  152 6月  21 2007 named.localhost

-rw-r-----. 1 root  named  168 12月 15 2009 named.loopback

drwxrwx---. 2 named named    6 1月  29 2014 slaves

-rw-r-----. 1 root  named  210 11月 20 03:15 tbr.com.zone

否則的話會變成

-rw-r-----. 1 root  root   210 11月 20 03:15 tbr.com.zone

 

[root@dns-server named]# vim tbr.com.zone

$TTL 1D

@       IN SOA  @ rname.invalid. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      @

        A       127.0.0.1

        AAAA    ::1

||

\/

 

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

                NS      dns.tbr.com.

dns             A       172.25.254.219

www           A       172.25.254.19

wwwA172.25.254.18

bbs             CNAME   www.tbr.com.

tbr.com.        MX 1    172.25.254.219.

##dns.tbr.com.指的是dns server的名稱

##注意此處的域名都是以.結尾的否則的話系統會自動加上/etc/named.rfc1912.zones文件中配置的後綴.tbr.com

 

##注意當多個ANAME的一個域名對應多個ip時此時DNS server會對該條dns解析進行輪詢機制。現象如下

當頻繁地執行dig www.tbr.com時兩個ip的先後順序會不斷輪詢變換。如圖

 

 

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

 

測試

[root@client ~]# dig -t mx tbr.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx tbr.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;tbr.com.INMX

 

;; ANSWER SECTION:

tbr.com.86400INMX1 172.25.254.219.

 

;; AUTHORITY SECTION:

tbr.com.86400INNSdns.tbr.com.

 

;; ADDITIONAL SECTION:

dns.tbr.com.86400INA172.25.254.219

 

;; Query time: 1 msec

;; SERVER: 172.25.254.219#53(172.25.254.219)

;; WHEN: 一 11月 21 04:06:07 EST 2016

;; MSG SIZE  rcvd: 100

 

[root@client ~]# dig www.tbr.com ##測試ANAME

 

[root@client ~]# dig bbs.tbr.com##測試CNAME

 

[root@client ~]# mail [email protected]##測試MX郵件解析

Subject: dawda

fdawda

caw

.

EOT

[root@client ~]# mailq

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------

C8A7717E849      462 Sun Nov 20 03:05:10  [email protected]

              (connect to 172.25.254.219[172.25.254.219]:25: No route to host)

                                         [email protected]

 

0938717E857      437 Mon Nov 21 04:09:23  [email protected]

              (connect to 172.25.254.219[172.25.254.219]:25: No route to host)

                                         [email protected]

 

-- 1 Kbytes in 2 Requests.

 

 

 

 

#########DNS反向解析##########

[root@dns-server named]# vim /etc/named.rfc1912.zones

 37 zone "1.0.0.127.in-addr.arpa" IN {

 38         type master;

 39         file "named.loopback";

 40         allow-update { none; };

 41 };

 42

 43 zone "254.25.172.in-addr.arpa" IN {##表示172.25.254.0網段

 44         type master;

 45         file "tbr.comNaNr";

 46         allow-update { none; };

 47 };

##43-47行是模仿37-41行的模板而來的

 

[root@dns-server ~]# cd /var/named/

[root@dns-server named]# ls

data      named.empty      slaves        

dynamic   named.localhost  tbr.com.zone

named.ca  named.loopback   

[root@dns-server named]# cp -p named.localhost tbr.comNaNr##注意此處一定要加-p

[root@dns-server named]# vim tbr.com.zone

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      dns.tbr.com.

        A       172.25.254.219

19      PTR     www.tbr.com.

18      PTR     www.hello.com.

 

##ip地址172.25.254.19---->www.tbr.com

##ip地址172.25.254.18---->www.hello.com

 

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

測試

[root@client ~]# dig -x 172.25.254.19##反向查詢域名

 

 

#########DNS的內網外網解析##########

假設172.25.254.119爲內網測試主機172.25.254.219爲外網測試主機

 

1.主配置文件修改

[root@dns-server named]# vim /etc/named.conf

 51 /*\

 52 zone "." IN {|

 53         type hint;|

 54         file "named.ca";|

 55 };|->這部分註釋掉

 56 |

 57 include "/etc/named.rfc1912.zones";|

 58 include "/etc/named.root.key";|

 59 *//

==================================================================

 60 view localnet {

 61         match-clients { 172.25.254.119;  };##client端匹配172.25.254.119的主機

 62         zone "." IN {\

 63         type hint|

 64         file "named.ca";|->從52-55行復制而來

 65 };/

 66 include "/etc/named.rfc1912.zones";

 67 };

 68

 69

 70 view internet {

 71         match-clients { 172.25.254.219;  };##client端匹配172.25.254.219的主機

 72         zone "." IN {

 73         type hint;

 74         file "named.ca";

 75 };

 76 include "/etc/named.rfc1912.zones.inter";

 77 };

##6171行中可以寫成網段{ 172.25.254.0/24; };

      /client端是172.25.254.119的區查看/etc/named.rfc1912.zones文件

##此部分的意義是|

     \client端是172.25.254.119的區查看/etc/named.rfc1912.zones.inter文件

 

2./etc/named.rfc1912.zone與etc/named.rfc1912.zone.inter文件的配置

[root@dns-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter##注意此處一定要加-p

##以/etc/named.rfc1912.zones爲模板複製出外網主機讀取的文件

[root@dns-server named]# vim /etc/named.rfc1912.zones.inter

 25 zone "tbr.com" IN {

 26         type master;

 27         file "tbr.com.zone.inter";##外網主機再區查看該文件

 28         allow-update { none; };

 29 };

 

3./var/named/tbr.com.zone.inter文件的配置

[root@dns-server named]# ls

data      named.empty      slaves       

dynamic   named.localhost  tbr.comNaNr

named.ca  named.loopback   tbr.com.zone

[root@dns-server named]# cp -p tbr.com.zone tbr.com.zone.inter##注意此處一定要加-p

[root@dns-server named]# ls

data      named.empty      slaves        tbr.com.zone.inter

dynamic   named.localhost  tbr.comNaNr

named.ca  named.loopback   tbr.com.zone

[root@dns-server named]# vim tbr.com.zone.inter

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

                NS      dns.tbr.com.

dns             A       172.25.0.219

www            A       172.25.0.19

www            A        172.25.0.18

bbs             CNAME   www.tbr.com.

tbr.com.        MX 1    172.25.0.219.

[root@dns-server ~]# systemctl restart named##重啓服務後生效

 

《總結》

各個文件之間的邏輯關係

                /client端是172.25.254.119的區查看/etc/named.rfc1912.zones文件

               |                                    ||

               |                                    \/

               |                    /var/named/tbr.com.zone

/etc/named.conf -->|

   (主配置文件)  |                                    /var/named/tbr.com.zone.inter

                |                                /\

                |                                ||

                \client端是172.25.254.119的區查看/etc/named.rfc1912.zones.inter文件

 

 

 

補充

man 5 named.conf##查看named.conf文件的信息