How DNS servers work, and setting up a primary/secondary pair
- What is DNS
DNS: Domain Name Service, the domain-name resolution service.
The DNS protocol is an application-layer protocol that listens on port 53, TCP (resolution) / UDP (zone transfer).
- DNS server types
Primary DNS server: the server that maintains the database for the zones it is responsible for resolving; both read and write operations are possible.
Secondary DNS server: "copies" a zone database from the primary DNS server or from another secondary; it can only be read.
Caching server: collects the name-to-IP mappings obtained by querying other name servers and keeps frequently queried names locally, to speed up lookups.
- DNS query types:
Recursive query: the query a host sends to its local name server. The result of a recursive query is either the IP address being looked up or an error saying that the IP address cannot be found.
Iterative query: the query the local name server sends to a root name server. When the root server receives the iterative query from the local name server, it either returns the requested IP address or tells the local server "which name server you should ask next".
- The path taken by a complete query:
Client --> local hosts file --> DNS local cache --> DNS server (recursion) -->
zone the server is itself authoritative for: look up its database directly and return the answer
zone the server is not responsible for: server cache --> iteration
- DNS zone database files:
Resource records (Resource Record, RR) come in the following kinds:
SOA: Start of Authority. A zone file has exactly one SOA record, and it must be the first record.
NS: Name Service, the name-server record. A zone file may have several NS records, one of which is the primary.
A: Address, the address record, FQDN --> IPv4.
CNAME: Canonical Name, the alias record.
PTR: Pointer, IP --> FQDN.
MX: Mail exchanger, the mail server.
Priority: 0-99; the smaller the number, the higher the priority.
- Setting up primary and secondary servers
1. Install the software:

```
[root@localhost /]# yum -y install bind
[root@localhost /]# systemctl start named
[root@localhost /]# ss -tan
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128    *:111                           *:*
LISTEN     0      10     127.0.0.1:53                    *:*
LISTEN     0      128    *:22                            *:*
LISTEN     0      128    127.0.0.1:631                   *:*
LISTEN     0      128    127.0.0.1:953                   *:*
LISTEN     0      100    127.0.0.1:25                    *:*
ESTAB      0      52     172.20.10.12:22                 172.20.10.6:57589
LISTEN     0      128    :::111                          :::*
LISTEN     0      10     ::1:53                          :::*
LISTEN     0      128    :::22                           :::*
LISTEN     0      128    ::1:631                         :::*
LISTEN     0      128    ::1:953                         :::*
LISTEN     0      100    ::1:25                          :::*
```
2. Configure the environment:

```
[root@localhost /]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.20.10.12
[root@localhost /]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 172.20.10.12; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.tx";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
3. Configure a forward zone:

```
[root@localhost /]# vim /etc/named.rfc1912.zones
zone "ww.com" IN {
        type master;
        file "ww.com.zone";
};
[root@localhost /]# vim /var/named/ww.com.zone
$TTL 3600
$ORIGIN ww.com.
@       IN SOA  ns1.ww.com. admin.ww.com. ( 2019080401 1H 10M 3D 1D )
        IN NS   ns1
        IN NS   ns2
ns1     IN A    172.20.10.12
ns2     IN A    172.20.10.8
www     IN A    172.20.10.12
web     IN CNAME www
[root@localhost /]# chmod o= /var/named/ww.com.zone
[root@localhost /]# chgrp named /var/named/ww.com.zone
[root@localhost /]# named-checkconf
[root@localhost /]# named-checkzone ww.com. /var/named/ww.com.zone
zone ww.com/IN: loaded serial 2019080401
OK
```
Forward lookup test on the primary DNS server:

```
[root@localhost /]# dig -t A www.ww.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -t A www.ww.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34753
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL:

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ww.com.                    IN      A

;; ANSWER SECTION:
www.ww.com.             3600    IN      A       172.20.10.12

;; AUTHORITY SECTION:
ww.com.                 3600    IN      NS      ns2.ww.com.
ww.com.                 3600    IN      NS      ns1.ww.com.

;; ADDITIONAL SECTION:
ns1.ww.com.             3600    IN      A       172.20.10.12
ns2.ww.com.             3600    IN      A       172.20.10.8

;; Query time: 0 msec
;; SERVER: 172.20.10.12#53(172.20.10.12)
;; WHEN: Sun Aug 04 18:09:46 CST 2019
;; MSG SIZE  rcvd: 123

[root@localhost /]# dig -t A web.ww.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -t A web.ww.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11743
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.ww.com.                    IN      A

;; ANSWER SECTION:
web.ww.com.             3600    IN      CNAME   www.ww.com.
www.ww.com.             3600    IN      A       172.20.10.12

;; AUTHORITY SECTION:
ww.com.                 3600    IN      NS      ns2.ww.com.
ww.com.                 3600    IN      NS      ns1.ww.com.

;; ADDITIONAL SECTION:
ns1.ww.com.             3600    IN      A       172.20.10.12
ns2.ww.com.             3600    IN      A       172.20.10.8

;; Query time: 0 msec
;; SERVER: 172.20.10.12#53(172.20.10.12)
;; WHEN: Sun Aug 04 18:09:37 CST 2019
;; MSG SIZE  rcvd: 141
```
4. Configure the reverse zone

```
[root@localhost ~]# cat /etc/named.rfc1912.zones
zone "10.20.172.in-addr.arpa" IN {
        type master;
        file "172.20.10.zone";
};
[root@localhost ~]# cat /var/named/172.20.10.zone
$TTL 3600
$ORIGIN 10.20.172.in-addr.arpa.
@       IN SOA  ns1.ww.com. nsadmin.ww.com. ( 2019080406 1H 10M 3D 12H )
@       IN NS   ns1.ww.com.
12      IN PTR  ns1.ww.com.
10      IN PTR  www.ww.com.
12      IN PTR  bbs.ww.com.
[root@localhost /]# chgrp named /var/named/172.20.10.zone
[root@localhost /]# chmod o= /var/named/172.20.10.zone
[root@localhost /]# named-checkconf
[root@localhost /]# named-checkzone 10.20.172.in-addr.arpa /var/named/172.20.10.zone
zone 10.20.172.in-addr.arpa/IN: loaded serial 2019080406
OK
```
Reverse lookup test:

```
[root@localhost /]# dig -x 172.20.10.12

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -x 172.20.10.12
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44674
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;12.10.20.172.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
12.10.20.172.in-addr.arpa. 3600 IN      PTR     bbs.ww.com.
12.10.20.172.in-addr.arpa. 3600 IN      PTR     ns1.ww.com.

;; AUTHORITY SECTION:
10.20.172.in-addr.arpa. 3600    IN      NS      ns1.ww.com.

;; ADDITIONAL SECTION:
ns1.ww.com.             3600    IN      A       172.20.10.12

;; Query time: 2 msec
;; SERVER: 172.20.10.12#53(172.20.10.12)
;; WHEN: Sun Aug 04 22:48:51 CST 2019
;; MSG SIZE  rcvd: 126
```
5. Set up the secondary DNS server

```
[root@localhost ~]# yum -y install bind
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.20.10.14
[root@localhost ~]# cat /etc/named.rfc1912.zones
zone "ww.com" IN {
        type slave;
        file "slaves/ww.com.zone";
        masters { 172.20.10.12; };
};
```
Add the following on the primary. Make sure the zone data file has an NS record for every secondary, and that the forward zone file has an A record for the hostname named in each secondary's NS record, with the address in that A record being the secondary's real IP address:

```
[root@localhost ~]# cat /var/named/ww.com.zone
$TTL 3600
$ORIGIN ww.com.
@       IN SOA  ns1.ww.com. admin.ww.com. ( 2019080401 1H 10M 3D 1D )
@       IN NS   ns1
@       IN NS   ns2
ns1     IN A    172.20.10.12
ns2     IN A    172.20.10.14
www     IN A    172.20.10.12
web     IN CNAME www
```
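A caveat on the edit above: a secondary only re-transfers the zone when the primary's SOA serial is newer than the copy it already holds (compared modulo 2^32, per RFC 1982). Here ns2 moved from 172.20.10.8 to 172.20.10.14 while the serial stayed at 2019080401, so a secondary that had already loaded the first version would keep serving the old address at every refresh. The Python check below is an added example, not part of this post's setup; the zone texts are copied from the two versions of ww.com.zone, and the parser is a minimal one written for exactly this file shape (class IN, no per-record TTL).

```python
import re

# Constructed input: this page's ww.com.zone as first written (ns2 at .8); ZONE_V2 is the later edit (ns2 at .14, serial unchanged).
ZONE_V1 = """$TTL 3600
$ORIGIN ww.com.
@ IN SOA ns1.ww.com. admin.ww.com. ( 2019080401 1H 10M 3D 1D )
@ IN NS ns1
@ IN NS ns2
ns1 IN A 172.20.10.12
ns2 IN A 172.20.10.8
www IN A 172.20.10.12
web IN CNAME www
"""
ZONE_V2 = ZONE_V1.replace("ns2 IN A 172.20.10.8", "ns2 IN A 172.20.10.14")

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def seconds(value):
    """BIND time syntax to seconds: '1H' -> 3600, '10M' -> 600, plain '600' -> 600."""
    return int(value[:-1]) * UNITS[value[-1].upper()] if value[-1].isalpha() else int(value)

def parse_zone(text):
    """Minimal parser for the zone syntax on this page ($TTL, $ORIGIN, '@', relative
    owners, class IN, no per-record TTL). Returns a list of (owner, type, rdata)."""
    text = re.sub(r"\((.*?)\)", lambda m: m.group(1).replace("\n", " "), text, flags=re.S)
    origin, records = "", []
    for line in text.splitlines():
        f = line.split(";")[0].split()          # strip comments, tokenize
        if f and f[0] == "$ORIGIN":
            origin = f[1]
        elif f and not f[0].startswith("$"):    # skip $TTL and other directives
            owner = origin if f[0] == "@" else f[0]
            owner = owner if owner.endswith(".") else f"{owner}.{origin}"
            records.append((owner, f[2], tuple(f[3:])))   # f[1] is the class
    return records

def soa_rdata(records):  # (mname, rname, serial, refresh, retry, expire, minimum)
    return next(r for r in records if r[1] == "SOA")[2]

def serial_newer(new, old):
    """RFC 1982 serial arithmetic: True when `new` is ahead of `old` modulo 2**32."""
    return 0 < (new - old) % 2**32 < 2**31

def secondary_will_refresh(old_text, new_text):
    """Returns (serial_bumped, content_changed, refresh_seconds): the secondary re-reads the
    SOA every refresh_seconds and transfers only if serial_bumped; (False, True, _) is the silently-stale case."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    bumped = serial_newer(int(soa_rdata(new)[2]), int(soa_rdata(old)[2]))
    changed = sorted(r for r in old if r[1] != "SOA") != sorted(r for r in new if r[1] != "SOA")
    return bumped, changed, seconds(soa_rdata(new)[3])
```

For the two zone versions above, `secondary_will_refresh(ZONE_V1, ZONE_V2)` returns `(False, True, 3600)`: the content changed, the serial did not, and the secondary will re-check the SOA in 3600 seconds only to conclude nothing is new.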
Simulate a zone transfer from the primary:

```
[root@localhost ~]# dig -t axfr ww.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -t axfr ww.com.
;; global options: +cmd
ww.com.                 3600    IN      SOA     ns1.ww.com. admin.ww.com. 2019080401 3600 600 259200 86400
ww.com.                 3600    IN      NS      ns1.ww.com.
ww.com.                 3600    IN      NS      ns2.ww.com.
ns1.ww.com.             3600    IN      A       172.20.10.12
ns2.ww.com.             3600    IN      A       172.20.10.14
web.ww.com.             3600    IN      CNAME   www.ww.com.
www.ww.com.             3600    IN      A       172.20.10.12
ww.com.                 3600    IN      SOA     ns1.ww.com. admin.ww.com. 2019080401 3600 600 259200 86400
;; Query time: 1 msec
;; SERVER: 172.20.10.12#53(172.20.10.12)
;; WHEN: Mon Aug 05 14:35:06 CST 2019
;; XFR size: 8 records (messages 1, bytes 208)
```
Test the secondary server:

```
[root@localhost ~]# dig -t A www.ww.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> -t A www.ww.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13297
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ww.com.                    IN      A

;; ANSWER SECTION:
www.ww.com.             3600    IN      A       172.20.10.12

;; AUTHORITY SECTION:
ww.com.                 3600    IN      NS      ns2.ww.com.
ww.com.                 3600    IN      NS      ns1.ww.com.

;; ADDITIONAL SECTION:
ns1.ww.com.             3600    IN      A       172.20.10.12
ns2.ww.com.             3600    IN      A       172.20.10.14

;; Query time: 0 msec
;; SERVER: 172.20.10.14#53(172.20.10.14)
;; WHEN: Mon Aug 05 14:37:03 CST 2019
;; MSG SIZE  rcvd: 123
```
6. Configure subdomain delegation:

Subdomain server configuration:

```
[root@localhost /]# vim /etc/named.rfc1912.zones
zone "ops.ww.com" IN {
        type master;
        file "ops.ww.com.zone";
};
zone "ww.com" IN {
        type forward;
        forward only;
        forwarders { 172.20.10.12; };
};
[root@localhost /]# vim /var/named/ops.ww.com.zone
$TTL 3600
$ORIGIN ops.ww.com.
@       IN SOA  ns1.ops.ww.com. admin.ops.ww.com. ( 201908221 1H 10M 1D 2H )
@       IN NS   ns1
ns1     IN A    172.20.10.2
www     IN A    172.20.10.2
```
Parent domain server configuration:

```
[root@localhost /]# cat /var/named/ww.com.zone
$TTL 3600
$ORIGIN ww.com.
@       IN SOA  ns1.ww.com. admin.ww.com. ( 2019080401 1H 10M 3D 1D )
@       IN NS   ns1
@       IN NS   ns2
ns1     IN A    172.20.10.12
ns2     IN A    172.20.10.14
www     IN A    172.20.10.12
web     IN CNAME www
ops     IN NS   ns1.ops
ns1.ops IN A    172.20.10.2
```
Subdomain test:

```
[root@localhost /]# dig www.ops.ww.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.ops.ww.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57797
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.ww.com.                IN      A

;; ANSWER SECTION:
www.ops.ww.com.         2691    IN      A       172.20.10.2

;; AUTHORITY SECTION:
ops.ww.com.             2686    IN      NS      ns1.ops.ww.com.

;; ADDITIONAL SECTION:
ns1.ops.ww.com.         2686    IN      A       172.20.10.2

;; Query time: 0 msec
;; SERVER: 172.20.10.12#53(172.20.10.12)
;; WHEN: Mon Aug 05 17:16:28 CST 2019
;; MSG SIZE  rcvd: 93

[root@localhost /]# dig www.ww.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.ww.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23872
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ww.com.                    IN      A

;; ANSWER SECTION:
www.ww.com.             2468    IN      A       172.20.10.12

;; AUTHORITY SECTION:
ww.com.                 2468    IN      NS      ns1.ww.com.
ww.com.                 2468    IN      NS      ns2.ww.com.

;; ADDITIONAL SECTION:
ns2.ww.com.             2468    IN      A       172.20.10.14
ns1.ww.com.             2468    IN      A       172.20.10.12

;; Query time: 2 msec
;; SERVER: 172.20.10.2#53(172.20.10.2)
;; WHEN: Mon Aug 05 17:17:11 CST 2019
;; MSG SIZE  rcvd: 123
```
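The recursive/iterative distinction described at the start (the client's single recursive question to its local server versus that server's chain of iterative questions) and the delegation configured in step 6 can be walked through offline. The Python model below is an added example, not part of this post; every server, the RFC 5737 addresses for the root and com. servers and the ns.tld.example. name are constructed, while the ww.com. and ops.ww.com. data mirror the zone files above, so a lookup of www.ops.ww.com. follows referrals from the root through com. and the ww.com. primary to ns1.ops, exactly the path the parent zone's `ops IN NS ns1.ops` and glue A record set up.

```python
# Constructed toy namespace modelled on this page: a root server delegating com., a com.
# server delegating ww.com. to ns1/ns2 (172.20.10.12/.14), and the ww.com. primary
# delegating ops.ww.com. to ns1.ops (172.20.10.2) as in the parent zone file above.
# Each server: (zone apexes it is authoritative for, {owner: [(type, rdata), ...]}).
ROOT, COM = "192.0.2.1", "192.0.2.53"  # constructed RFC 5737 addresses, not real servers
NS_WW = [("NS", "ns1.ww.com."), ("NS", "ns2.ww.com.")]
GLUE_WW = {"ns1.ww.com.": [("A", "172.20.10.12")], "ns2.ww.com.": [("A", "172.20.10.14")]}
NS_OPS = {"ops.ww.com.": [("NS", "ns1.ops.ww.com.")], "ns1.ops.ww.com.": [("A", "172.20.10.2")]}
SERVERS = {
    ROOT: ({"."}, {"com.": [("NS", "ns.tld.example.")], "ns.tld.example.": [("A", COM)]}),
    COM: ({"com."}, {"ww.com.": NS_WW, **GLUE_WW}),
    "172.20.10.12": ({"ww.com."}, {"ww.com.": NS_WW, **GLUE_WW, **NS_OPS,
                     "www.ww.com.": [("A", "172.20.10.12")], "web.ww.com.": [("CNAME", "www.ww.com.")]}),
    "172.20.10.2": ({"ops.ww.com."}, {**NS_OPS, "www.ops.ww.com.": [("A", "172.20.10.2")]}),
}

def query(server, qname):
    """One non-recursive (iterative) query for an address: an authoritative answer, a
    referral to a delegation below this server's apex (NS names -> glue), or NXDOMAIN."""
    apexes, rrs = SERVERS[server]
    if qname in rrs and any(t in ("A", "CNAME") for t, _ in rrs[qname]):
        return "answer", rrs[qname]
    labels = qname.split(".")
    for i in range(1, len(labels)):                 # ancestors, closest first
        zone = ".".join(labels[i:]) or "."
        if zone in rrs and zone not in apexes:      # a delegation, not our own apex
            return "referral", {ns: rrs[ns][0][1] for _, ns in rrs[zone]}
    return "nxdomain", None

def resolve(qname, server=ROOT, hops=0):
    """What a recursive resolver does on the client's behalf: walk referrals from the
    root, then restart for a CNAME target. Returns (address or None, servers asked)."""
    path = []
    while hops < 16:                                # hop bound against referral loops
        path.append(server)
        hops += 1
        kind, data = query(server, qname)
        if kind == "referral":
            server = next(iter(data.values()))      # ask the first listed NS via its glue
        elif kind == "answer" and data[0][0] == "CNAME":
            addr, more = resolve(data[0][1], ROOT, hops)
            return addr, path + more
        else:
            return (data[0][1] if kind == "answer" else None), path
    raise RuntimeError("referral loop")
```

`resolve("www.ops.ww.com.")` returns `("172.20.10.2", [ROOT, COM, "172.20.10.12", "172.20.10.2"])`: four iterative queries behind the one recursive question the client asked, the last hop being the delegation the parent zone publishes for ops.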