Test environment: CentOS 7 64-bit (machine 2), IP 192.168.128.137
1. Types of DNS server
(1) Primary DNS server (master)
The primary server for a domain holds that domain's zone file; all configuration and every change for the domain is made on this server. This post covers how to set up a domain's primary DNS server.
(2) Secondary DNS server (slave)
A secondary server is used for redundancy and to share the query load. It fetches the zone file from the domain's primary (a zone transfer) and never edits it: changes to the zone are made only on the primary, and every change is synchronized from there.
(3) Caching-only server
A caching-only server holds no zone files of its own. It resolves queries on behalf of clients and serves repeat answers from its cache, which spreads load and speeds up lookups.
2. Installing BIND
There are many DNS server programs to choose from, but the most widely used by far is still BIND (Berkeley Internet Name Domain). It was originally written by graduate students at the University of California, Berkeley, and is now developed and maintained by ISC; the current major version is 9 (CentOS 7 ships 9.11).
BIND runs on all mainstream operating systems, including Linux, Windows and macOS.
CentOS does not install BIND by default, so we install it by hand, here with yum:
2.1 Install bind with yum
[root@CentOS7-2 yum.repos.d]# yum install -y bind bind-chroot bind-utils
Loaded plugins: fastestmirror, langpacks
base | 3.6 kB 00:00:01
epel/x86_64/metalink | 9.5 kB 00:00:00
epel | 5.4 kB 00:00:04
extras | 2.9 kB 00:00:00
mariadb-org | 2.9 kB 00:00:00
nginx-stable | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/9): base/7/x86_64/group_gz | 165 kB 00:00:09
(2/9): extras/7/x86_64/primary_db | 159 kB 00:00:05
(3/9): epel/x86_64/group_gz | 90 kB 00:00:38
(4/9): mariadb-org/primary_db | 53 kB 00:00:28
(5/9): epel/x86_64/updateinfo | 1.0 MB 00:00:46
(6/9): nginx-stable/x86_64/primary_db | 51 kB 00:00:08
(7/9): base/7/x86_64/primary_db | 6.0 MB 00:01:00
(8/9): updates/7/x86_64/primary_db | 6.7 MB 00:00:58
(9/9): epel/x86_64/primary_db | 6.7 MB 00:05:59
Determining fastest mirrors
* base: mirrors.ustc.edu.cn
* epel: mirrors.njupt.edu.cn
* extras: mirrors.zju.edu.cn
* updates: mirrors.nju.edu.cn
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.11.4-9.P2.el7 will be installed
--> Processing Dependency: bind-libs-lite(x86-64) = 32:9.11.4-9.P2.el7 for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: bind-libs(x86-64) = 32:9.11.4-9.P2.el7 for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: python-ply for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: liblwres.so.160()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: libisccfg.so.160()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: libisccc.so.160()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: libisc.so.169()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: libdns.so.1102()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
--> Processing Dependency: libbind9.so.160()(64bit) for package: 32:bind-9.11.4-9.P2.el7.x86_64
---> Package bind-chroot.x86_64 32:9.11.4-9.P2.el7 will be installed
---> Package bind-utils.x86_64 32:9.9.4-50.el7 will be updated
---> Package bind-utils.x86_64 32:9.11.4-9.P2.el7 will be an update
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-50.el7 will be updated
---> Package bind-libs.x86_64 32:9.11.4-9.P2.el7 will be an update
--> Processing Dependency: bind-license = 32:9.11.4-9.P2.el7 for package: 32:bind-libs-9.11.4-9.P2.el7.x86_64
---> Package bind-libs-lite.x86_64 32:9.9.4-50.el7 will be updated
--> Processing Dependency: libdns-export.so.100()(64bit) for package: 12:dhclient-4.2.5-58.el7.centos.x86_64
--> Processing Dependency: libisc-export.so.95()(64bit) for package: 12:dhclient-4.2.5-58.el7.centos.x86_64
---> Package bind-libs-lite.x86_64 32:9.11.4-9.P2.el7 will be an update
---> Package python-ply.noarch 0:3.4-11.el7 will be installed
--> Running transaction check
---> Package bind-license.noarch 32:9.9.4-50.el7 will be updated
---> Package bind-license.noarch 32:9.11.4-9.P2.el7 will be an update
---> Package dhclient.x86_64 12:4.2.5-58.el7.centos will be updated
---> Package dhclient.x86_64 12:4.2.5-77.el7.centos will be an update
--> Processing Dependency: dhcp-libs(x86-64) = 12:4.2.5-77.el7.centos for package: 12:dhclient-4.2.5-77.el7.centos.x86_64
--> Processing Dependency: dhcp-common = 12:4.2.5-77.el7.centos for package: 12:dhclient-4.2.5-77.el7.centos.x86_64
--> Processing Dependency: libisc-export.so.169()(64bit) for package: 12:dhclient-4.2.5-77.el7.centos.x86_64
--> Processing Dependency: libdns-export.so.1102()(64bit) for package: 12:dhclient-4.2.5-77.el7.centos.x86_64
--> Running transaction check
---> Package bind-export-libs.x86_64 32:9.11.4-9.P2.el7 will be installed
---> Package dhcp-common.x86_64 12:4.2.5-58.el7.centos will be updated
---> Package dhcp-common.x86_64 12:4.2.5-77.el7.centos will be an update
---> Package dhcp-libs.x86_64 12:4.2.5-58.el7.centos will be updated
---> Package dhcp-libs.x86_64 12:4.2.5-77.el7.centos will be an update
--> Finished Dependency Resolution
Dependencies Resolved
=======================================================================================
Package Arch Version Repository Size
=======================================================================================
Installing:
bind x86_64 32:9.11.4-9.P2.el7 base 2.3 M
bind-chroot x86_64 32:9.11.4-9.P2.el7 base 90 k
Updating:
bind-utils x86_64 32:9.11.4-9.P2.el7 base 258 k
Installing for dependencies:
bind-export-libs x86_64 32:9.11.4-9.P2.el7 base 1.1 M
python-ply noarch 3.4-11.el7 base 123 k
Updating for dependencies:
bind-libs x86_64 32:9.11.4-9.P2.el7 base 154 k
bind-libs-lite x86_64 32:9.11.4-9.P2.el7 base 1.1 M
bind-license noarch 32:9.11.4-9.P2.el7 base 88 k
dhclient x86_64 12:4.2.5-77.el7.centos base 285 k
dhcp-common x86_64 12:4.2.5-77.el7.centos base 176 k
dhcp-libs x86_64 12:4.2.5-77.el7.centos base 133 k
Transaction Summary
=======================================================================================
Install 2 Packages (+2 Dependent packages)
Upgrade 1 Package (+6 Dependent packages)
Total download size: 5.8 M
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for base
(1/11): bind-chroot-9.11.4-9.P2.el7.x86_64.rpm | 90 kB 00:00:07
(2/11): bind-export-libs-9.11.4-9.P2.el7.x86_64.rpm | 1.1 MB 00:00:42
(3/11): bind-libs-9.11.4-9.P2.el7.x86_64.rpm | 154 kB 00:00:06
(4/11): bind-utils-9.11.4-9.P2.el7.x86_64.rpm | 258 kB 00:00:03
(5/11): bind-license-9.11.4-9.P2.el7.noarch.rpm | 88 kB 00:00:11
(6/11): dhclient-4.2.5-77.el7.centos.x86_64.rpm | 285 kB 00:00:02
(7/11): dhcp-libs-4.2.5-77.el7.centos.x86_64.rpm | 133 kB 00:00:04
(8/11): bind-9.11.4-9.P2.el7.x86_64.rpm | 2.3 MB 00:01:05
(9/11): python-ply-3.4-11.el7.noarch.rpm | 123 kB 00:00:03
(10/11): bind-libs-lite-9.11.4-9.P2.el7.x86_64.rpm | 1.1 MB 00:00:31
dhcp-common-4.2.5-77.el7.cento FAILED
http://mirrors.ustc.edu.cn/centos/7.7.1908/os/x86_64/Packages/dhcp-common-4.2.5-77.el7.centos.x86_64.rpm: [Errno 12] Timeout on http://mirrors.ustc.edu.cn/centos/7.7.1908/os/x86_64/Packages/dhcp-common-4.2.5-77.el7.centos.x86_64.rpm: (28, 'Operation too slow. Less than 1000 bytes/sec transferred the last 30 seconds')
Trying other mirror.
(11/11): dhcp-common-4.2.5-77.el7.centos.x86_64.rpm | 176 kB 00:00:01
---------------------------------------------------------------------------------------
Total 68 kB/s | 5.8 MB 01:26
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Updating : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64 1/18
Updating : 32:bind-license-9.11.4-9.P2.el7.noarch 2/18
Updating : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64 3/18
Updating : 32:bind-libs-9.11.4-9.P2.el7.x86_64 4/18
Updating : 12:dhcp-common-4.2.5-77.el7.centos.x86_64 5/18
Installing : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64 6/18
Installing : python-ply-3.4-11.el7.noarch 7/18
Installing : 32:bind-9.11.4-9.P2.el7.x86_64 8/18
Installing : 32:bind-chroot-9.11.4-9.P2.el7.x86_64 9/18
Updating : 12:dhclient-4.2.5-77.el7.centos.x86_64 10/18
Updating : 32:bind-utils-9.11.4-9.P2.el7.x86_64 11/18
Cleanup : 12:dhclient-4.2.5-58.el7.centos.x86_64 12/18
Cleanup : 12:dhcp-common-4.2.5-58.el7.centos.x86_64 13/18
Cleanup : 32:bind-libs-lite-9.9.4-50.el7.x86_64 14/18
Cleanup : 32:bind-utils-9.9.4-50.el7.x86_64 15/18
Cleanup : 12:dhcp-libs-4.2.5-58.el7.centos.x86_64 16/18
Cleanup : 32:bind-libs-9.9.4-50.el7.x86_64 17/18
Cleanup : 32:bind-license-9.9.4-50.el7.noarch 18/18
Verifying : python-ply-3.4-11.el7.noarch 1/18
Verifying : 32:bind-chroot-9.11.4-9.P2.el7.x86_64 2/18
Verifying : 32:bind-license-9.11.4-9.P2.el7.noarch 3/18
Verifying : 32:bind-libs-9.11.4-9.P2.el7.x86_64 4/18
Verifying : 12:dhcp-common-4.2.5-77.el7.centos.x86_64 5/18
Verifying : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64 6/18
Verifying : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64 7/18
Verifying : 32:bind-utils-9.11.4-9.P2.el7.x86_64 8/18
Verifying : 32:bind-9.11.4-9.P2.el7.x86_64 9/18
Verifying : 12:dhclient-4.2.5-77.el7.centos.x86_64 10/18
Verifying : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64 11/18
Verifying : 12:dhcp-libs-4.2.5-58.el7.centos.x86_64 12/18
Verifying : 12:dhcp-common-4.2.5-58.el7.centos.x86_64 13/18
Verifying : 32:bind-license-9.9.4-50.el7.noarch 14/18
Verifying : 32:bind-libs-lite-9.9.4-50.el7.x86_64 15/18
Verifying : 32:bind-utils-9.9.4-50.el7.x86_64 16/18
Verifying : 32:bind-libs-9.9.4-50.el7.x86_64 17/18
Verifying : 12:dhclient-4.2.5-58.el7.centos.x86_64 18/18
Installed:
bind.x86_64 32:9.11.4-9.P2.el7 bind-chroot.x86_64 32:9.11.4-9.P2.el7
Dependency Installed:
bind-export-libs.x86_64 32:9.11.4-9.P2.el7 python-ply.noarch 0:3.4-11.el7
Updated:
bind-utils.x86_64 32:9.11.4-9.P2.el7
Dependency Updated:
bind-libs.x86_64 32:9.11.4-9.P2.el7 bind-libs-lite.x86_64 32:9.11.4-9.P2.el7
bind-license.noarch 32:9.11.4-9.P2.el7 dhclient.x86_64 12:4.2.5-77.el7.centos
dhcp-common.x86_64 12:4.2.5-77.el7.centos dhcp-libs.x86_64 12:4.2.5-77.el7.centos
Complete!
[root@CentOS7-2 yum.repos.d]# rpm -qa | grep bind
bind-export-libs-9.11.4-9.P2.el7.x86_64
bind-chroot-9.11.4-9.P2.el7.x86_64
bind-utils-9.11.4-9.P2.el7.x86_64
bind-libs-9.11.4-9.P2.el7.x86_64
bind-9.11.4-9.P2.el7.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-lite-9.11.4-9.P2.el7.x86_64
rpcbind-0.2.0-42.el7.x86_64
bind-license-9.11.4-9.P2.el7.noarch
Three packages were installed here: bind, the server itself; bind-chroot, which lets named run inside a chroot jail; and bind-utils, which provides the dig, host and nslookup tools used later to test the server. The latter two are normally installed together with bind, which is why we pulled all three in at once.
BIND's service name is named. DNS runs over both UDP and TCP, so once started named listens on port 53 (domain) on both transports; it also opens TCP port 953 for the rndc control channel, bound to 127.0.0.1 by default.
2.2 Start the named service
[root@CentOS7-2 named]# systemctl start named
[root@CentOS7-2 named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2020-02-26 11:12:21 CST; 9s ago
Process: 11307 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 11305 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 11310 (named)
CGroup: /system.slice/named.service
└─11310 /usr/sbin/named -u named -c /etc/named.conf
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './DNSKEY/IN...53
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './NS/IN': 2...53
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './DNSKEY/IN...53
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './NS/IN': 2...53
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './DNSKEY/IN...53
Feb 26 11:12:21 CentOS7-2 named[11310]: network unreachable resolving './NS/IN': 2...53
Feb 26 11:12:22 CentOS7-2 named[11310]: network unreachable resolving './DNSKEY/IN...53
Feb 26 11:12:22 CentOS7-2 named[11310]: network unreachable resolving './DNSKEY/IN...53
Feb 26 11:12:22 CentOS7-2 named[11310]: managed-keys-zone: Key 20326 for zone . ac...ed
Feb 26 11:12:24 CentOS7-2 named[11310]: resolver priming query complete
Hint: Some lines were ellipsized, use -l to show in full.
[root@CentOS7-2 named]#
2.3 Back up the main configuration file
Once BIND is installed, its configuration normally lives in two places:
/etc/named.conf - the main BIND configuration file
/var/named/ - the zone files for the domains served
If bind-chroot is installed and named runs inside its jail, the configuration is instead found under a fake root directory:
/var/named/chroot/etc/named.conf - the main BIND configuration file
/var/named/chroot/var/named - the zone files
Why does bind-chroot change where the configuration lives? This is the idea of a chroot, or jail: the files the program needs are placed under one directory, and the process is made to treat that directory as its root. If the program is compromised, the attacker can reach only what is inside the jail, not the real filesystem. The real root of a Linux system is /; a jailed service has its configuration installed inside the jail, in a directory tree that mirrors the normal layout. /var/named/chroot is obviously not the system root, but once the service is chrooted it treats /var/named/chroot as its root, which shields the real one. It is therefore good practice to install the chroot package alongside a network service. Two practical notes: on CentOS 7 the jail is used only when the service is started as named-chroot (systemctl start named-chroot), which bind-mounts /etc/named.conf and /var/named into /var/named/chroot; starting named as above runs outside the jail and reads /etc/named.conf directly. And named drops privileges to the unprivileged named user (the -u named in the status output above), which limits the damage from a compromise at least as much as the jail does. For more on chroot,
On older CentOS releases the bind package did not ship a named.conf (unlike samba or httpd, which come with configuration files in place), and guides for those releases point to templates under /usr/share/doc, e.g. /usr/share/doc/bind-9.8.2/, to be copied into the jail. That no longer applies here: the CentOS 7 bind package installs /etc/named.conf (a caching-only configuration listening on localhost) and keeps sample files under /usr/share/doc/bind-9.11.4/sample/, as the rpm -ql output below shows.
Here the main configuration file actually in use is /etc/named.conf (see the -c /etc/named.conf in the process list below), which we back up before editing:
[root@CentOS7-2 named]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/lib/python2.7/site-packages/isc
/usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
/usr/lib/python2.7/site-packages/isc/__init__.py
/usr/lib/python2.7/site-packages/isc/__init__.pyc
/usr/lib/python2.7/site-packages/isc/__init__.pyo
/usr/lib/python2.7/site-packages/isc/checkds.py
/usr/lib/python2.7/site-packages/isc/checkds.pyc
/usr/lib/python2.7/site-packages/isc/checkds.pyo
/usr/lib/python2.7/site-packages/isc/coverage.py
/usr/lib/python2.7/site-packages/isc/coverage.pyc
/usr/lib/python2.7/site-packages/isc/coverage.pyo
/usr/lib/python2.7/site-packages/isc/dnskey.py
/usr/lib/python2.7/site-packages/isc/dnskey.pyc
/usr/lib/python2.7/site-packages/isc/dnskey.pyo
/usr/lib/python2.7/site-packages/isc/eventlist.py
/usr/lib/python2.7/site-packages/isc/eventlist.pyc
/usr/lib/python2.7/site-packages/isc/eventlist.pyo
/usr/lib/python2.7/site-packages/isc/keydict.py
/usr/lib/python2.7/site-packages/isc/keydict.pyc
/usr/lib/python2.7/site-packages/isc/keydict.pyo
/usr/lib/python2.7/site-packages/isc/keyevent.py
/usr/lib/python2.7/site-packages/isc/keyevent.pyc
/usr/lib/python2.7/site-packages/isc/keyevent.pyo
/usr/lib/python2.7/site-packages/isc/keymgr.py
/usr/lib/python2.7/site-packages/isc/keymgr.pyc
/usr/lib/python2.7/site-packages/isc/keymgr.pyo
/usr/lib/python2.7/site-packages/isc/keyseries.py
/usr/lib/python2.7/site-packages/isc/keyseries.pyc
/usr/lib/python2.7/site-packages/isc/keyseries.pyo
/usr/lib/python2.7/site-packages/isc/keyzone.py
/usr/lib/python2.7/site-packages/isc/keyzone.pyc
/usr/lib/python2.7/site-packages/isc/keyzone.pyo
/usr/lib/python2.7/site-packages/isc/parsetab.py
/usr/lib/python2.7/site-packages/isc/parsetab.pyc
/usr/lib/python2.7/site-packages/isc/parsetab.pyo
/usr/lib/python2.7/site-packages/isc/policy.py
/usr/lib/python2.7/site-packages/isc/policy.pyc
/usr/lib/python2.7/site-packages/isc/policy.pyo
/usr/lib/python2.7/site-packages/isc/rndc.py
/usr/lib/python2.7/site-packages/isc/rndc.pyc
/usr/lib/python2.7/site-packages/isc/rndc.pyo
/usr/lib/python2.7/site-packages/isc/utils.py
/usr/lib/python2.7/site-packages/isc/utils.pyc
/usr/lib/python2.7/site-packages/isc/utils.pyo
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/usr/share/doc/bind-9.11.4
/usr/share/doc/bind-9.11.4/Bv9ARM.ch01.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch02.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch03.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch04.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch05.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch06.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch07.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch08.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch09.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch10.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch11.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch12.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch13.html
/usr/share/doc/bind-9.11.4/Bv9ARM.html
/usr/share/doc/bind-9.11.4/Bv9ARM.pdf
/usr/share/doc/bind-9.11.4/CHANGES
/usr/share/doc/bind-9.11.4/README
/usr/share/doc/bind-9.11.4/isc-logo.pdf
/usr/share/doc/bind-9.11.4/man.arpaname.html
/usr/share/doc/bind-9.11.4/man.ddns-confgen.html
/usr/share/doc/bind-9.11.4/man.delv.html
/usr/share/doc/bind-9.11.4/man.dig.html
/usr/share/doc/bind-9.11.4/man.dnssec-checkds.html
/usr/share/doc/bind-9.11.4/man.dnssec-coverage.html
/usr/share/doc/bind-9.11.4/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-importkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.11.4/man.dnssec-keygen.html
/usr/share/doc/bind-9.11.4/man.dnssec-keymgr.html
/usr/share/doc/bind-9.11.4/man.dnssec-revoke.html
/usr/share/doc/bind-9.11.4/man.dnssec-settime.html
/usr/share/doc/bind-9.11.4/man.dnssec-signzone.html
/usr/share/doc/bind-9.11.4/man.dnssec-verify.html
/usr/share/doc/bind-9.11.4/man.dnstap-read.html
/usr/share/doc/bind-9.11.4/man.genrandom.html
/usr/share/doc/bind-9.11.4/man.host.html
/usr/share/doc/bind-9.11.4/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.11.4/man.lwresd.html
/usr/share/doc/bind-9.11.4/man.mdig.html
/usr/share/doc/bind-9.11.4/man.named-checkconf.html
/usr/share/doc/bind-9.11.4/man.named-checkzone.html
/usr/share/doc/bind-9.11.4/man.named-journalprint.html
/usr/share/doc/bind-9.11.4/man.named-nzd2nzf.html
/usr/share/doc/bind-9.11.4/man.named-rrchecker.html
/usr/share/doc/bind-9.11.4/man.named.conf.html
/usr/share/doc/bind-9.11.4/man.named.html
/usr/share/doc/bind-9.11.4/man.nsec3hash.html
/usr/share/doc/bind-9.11.4/man.nslookup.html
/usr/share/doc/bind-9.11.4/man.nsupdate.html
/usr/share/doc/bind-9.11.4/man.pkcs11-destroy.html
/usr/share/doc/bind-9.11.4/man.pkcs11-keygen.html
/usr/share/doc/bind-9.11.4/man.pkcs11-list.html
/usr/share/doc/bind-9.11.4/man.pkcs11-tokens.html
/usr/share/doc/bind-9.11.4/man.rndc-confgen.html
/usr/share/doc/bind-9.11.4/man.rndc.conf.html
/usr/share/doc/bind-9.11.4/man.rndc.html
/usr/share/doc/bind-9.11.4/named.conf.default
/usr/share/doc/bind-9.11.4/notes.html
/usr/share/doc/bind-9.11.4/notes.pdf
/usr/share/doc/bind-9.11.4/sample
/usr/share/doc/bind-9.11.4/sample/etc
/usr/share/doc/bind-9.11.4/sample/etc/named.conf
/usr/share/doc/bind-9.11.4/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.11.4/sample/var
/usr/share/doc/bind-9.11.4/sample/var/named
/usr/share/doc/bind-9.11.4/sample/var/named/data
/usr/share/doc/bind-9.11.4/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/named.ca
/usr/share/doc/bind-9.11.4/sample/var/named/named.empty
/usr/share/doc/bind-9.11.4/sample/var/named/named.localhost
/usr/share/doc/bind-9.11.4/sample/var/named/named.loopback
/usr/share/doc/bind-9.11.4/sample/var/named/slaves
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man1/named-rrchecker.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-checkds.8.gz
/usr/share/man/man8/dnssec-coverage.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-importkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-keymgr.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/dnssec-verify.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/usr/share/man/man8/tsig-keygen.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@CentOS7-2 named]#
[root@CentOS7-2 named]# ps -aux |grep named
named 11310 0.0 3.0 243108 57556 ? Ssl 11:56 0:03 /usr/sbin/named -u named -c /etc/named.conf
root 18813 0.0 0.0 112712 964 pts/0 S+ 14:12 0:00 grep --color=auto named
[root@CentOS7-2 named]# cp /etc/named.conf /etc/named.conf_default
3. Configuration and testing
3.1 Zone types
The type of a zone is one of master, slave, forward or hint (stub also exists): master and slave are the primary and secondary roles from section 1, forward hands queries for the zone to other servers, and hint holds the list of root servers.
3.2 Edit the main configuration file, here with type master
[root@CentOS7-2 etc]# cat /etc/named.conf
options {
    directory "/var/named"; // absolute path of the directory holding the zone files
};
zone "imooc.com" { // the domain name this zone serves
    type master; // this server is the primary for the zone
    file "imooc.com.zone"; // zone file for imooc.com, relative to the directory set in options; conventionally named <domain>.zone
};
zone "iaskjob.com" {
    type master;
    file "iaskjob.com.zone";
};
[root@CentOS7-2 etc]#
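The named.conf above is the minimum needed for the two zones and leaves everything else at BIND 9.11's defaults: queries are accepted from any address, allow-transfer is unrestricted (anyone who can reach port 53 can copy the whole zone with dig @192.168.128.137 imooc.com AXFR), and recursion is enabled for localhost and the local networks, so the same box also acts as a resolver for the LAN. Below is an added, hardened version of the same file for an authoritative-only server. It is example configuration, not the post's own, and 192.168.128.138 is an assumed address for a future secondary (this lab has none).

```conf
// Hardened named.conf for an authoritative-only server (added example).
// 192.168.128.138 is an assumed address for a secondary that does not exist in this lab yet.
acl "secondaries" { 192.168.128.138; };

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.168.128.137; };
    listen-on-v6 { none; };
    recursion no;                 // authoritative only: never resolve on behalf of clients
    allow-query { any; };         // the zones are meant to be public; use { localnets; } for a lab-only server
    allow-transfer { none; };     // the default is any; opened per zone below
    allow-update { none; };
    version "not disclosed";      // stop "dig CH TXT version.bind" from reporting the exact build
};

include "/etc/rndc.key";          // shipped by the package (see /etc/rndc.key in the rpm -ql output)
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

zone "imooc.com" {
    type master;
    file "imooc.com.zone";
    allow-transfer { secondaries; };
    notify yes;
};
zone "iaskjob.com" {
    type master;
    file "iaskjob.com.zone";
    allow-transfer { secondaries; };
    notify yes;
};
```

Check the file with named-checkconf /etc/named.conf (and named-checkzone for each zone file), restart named, then verify from another host: dig @192.168.128.137 imooc.com AXFR should end in "Transfer failed.", and a query for a name outside the two zones should come back REFUSED rather than be resolved.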
3.3 Edit the zone files
[root@CentOS7-2 named]# vim /var/named/imooc.com.zone
$TTL 7200
imooc.com. IN SOA imooc.com. jeson.imooc.com. (222 1H 15M 1W 1D)
imooc.com. IN NS dns1.imooc.com.
dns1.imooc.com. IN A 192.168.128.137
www.imooc.com. IN A 115.182.41.180
or, equivalently, using @ for the zone apex and names relative to the origin:
[root@CentOS7-2 named]# vim /var/named/imooc.com.zone
$TTL 7200
@ IN SOA imooc.com. jeson.imooc.com. (222 1H 15M 1W 1D)
imooc.com. IN NS dns1.imooc.com.
dns1 IN A 192.168.128.137
www IN A 115.182.41.180
[root@CentOS7-2 named]#
[root@CentOS7-2 named]# vim /var/named/iaskjob.com.zone
$TTL 7200
iaskjob.com. IN SOA iaskjob.com. iaskjob.163.com. (4012100 1H 15M 1W 1D)
iaskjob.com. IN NS dns1.iaskjob.com.
dns1.iaskjob.com. IN A 192.168.128.137
www.iaskjob.com. IN CNAME www.imooc.com.
[root@CentOS7-2 named]#
Note: named runs as the unprivileged named user (the -u named above), so after writing the zone files make sure that user can read them. Giving other users read permission (chmod o+r) works; tighter is chown root:named and chmod 640, so that only root and the named group can read them. Also run named-checkconf /etc/named.conf and named-checkzone imooc.com /var/named/imooc.com.zone before restarting: the ExecStartPre shown in the status output above runs named-checkconf -z, so a syntax error in either file keeps the whole service from starting.
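As an added check (example code, not from the original post), the following Python script parses zone files in the exact style used above and reports problems named-checkzone does not complain about. In particular, both zone files above put the domain itself (imooc.com., iaskjob.com.) in the SOA MNAME field; named loads that without complaint, but MNAME is meant to name the primary nameserver (dns1 here), and secondaries and dynamic-update clients use it to find the primary. The sample zone in the script is a copy of the second imooc.com.zone above; the "fixed" variant is the same zone with the MNAME corrected.

```python
"""Sanity checks for zone files written in the one-record-per-line style used above.
Added example, not from the original post. It understands $TTL, $ORIGIN, the @ apex
shorthand, names relative to the origin and an SOA with its numbers in parentheses on
one line (every record must carry an explicit owner name). Besides missing glue it
flags two things named-checkzone accepts silently: an SOA MNAME that is not one of
the apex NS names, and SOA timers in the wrong order."""
import re

_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def seconds(token):
    """'15M' -> 900; a bare number is already seconds (BIND's TTL syntax)."""
    m = re.fullmatch(r"(\d+)([SMHDW]?)", token.upper())
    if not m:
        raise ValueError(f"bad time value {token!r}")
    return int(m.group(1)) * _UNITS.get(m.group(2), 1)

def fqdn(name, origin):
    """Apply the origin: '@' is the apex, a name without a trailing dot is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, type, rdata_tokens), ...]) with all names absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, records = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = seconds(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        owner, rest = fqdn(tokens[0], origin), tokens[1:]
        if rest and rest[0].upper() == "IN":  # the class is optional
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        names = {"SOA": 2, "NS": 1, "CNAME": 1}.get(rtype, 0)  # leading rdata fields that are names
        rdata = [fqdn(t, origin) if i < names else t for i, t in enumerate(rdata)]
        records.append((owner, rtype, rdata))
    return default_ttl, records

def check_zone(text, origin):
    """Return a list of problems; an empty list means every check passed."""
    origin = origin if origin.endswith(".") else origin + "."
    _, records = parse_zone(text, origin)
    soa = [(o, rd) for o, t, rd in records if t == "SOA"]
    if len(soa) != 1 or len(soa[0][1]) != 7:
        return [f"expected exactly one SOA record with 7 fields, found {soa}"]
    owner, (mname, _rname, _serial, refresh, retry, expire, _minimum) = soa[0]
    problems = []
    if owner != origin:
        problems.append(f"SOA owner {owner} is not the zone apex {origin}")
    ns_targets = {rd[0] for o, t, rd in records if t == "NS" and o == origin}
    if not ns_targets:
        problems.append("no NS record at the zone apex")
    if mname not in ns_targets:
        problems.append(f"SOA MNAME {mname} is not one of the apex NS names {sorted(ns_targets)}")
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    for ns in sorted(ns_targets):
        if ns.endswith("." + origin) and ns not in has_address:
            problems.append(f"in-zone nameserver {ns} has no A/AAAA record (missing glue)")
    if seconds(retry) >= seconds(refresh):
        problems.append("SOA retry must be shorter than refresh")
    if seconds(expire) <= seconds(refresh):
        problems.append("SOA expire must be longer than refresh")
    return problems

# The second form of imooc.com.zone from above, copied verbatim, and a copy with the SOA
# MNAME corrected to the actual primary nameserver.
IMOOC_ZONE = """\
$TTL 7200
@ IN SOA imooc.com. jeson.imooc.com. (222 1H 15M 1W 1D)
imooc.com. IN NS dns1.imooc.com.
dns1 IN A 192.168.128.137
www IN A 115.182.41.180
"""
IMOOC_ZONE_FIXED = IMOOC_ZONE.replace("SOA imooc.com.", "SOA dns1.imooc.com.")

if __name__ == "__main__":
    for label, zone in (("as posted", IMOOC_ZONE), ("fixed", IMOOC_ZONE_FIXED)):
        print(label + ":", check_zone(zone, "imooc.com") or "OK")
```

Run it after named-checkzone, not instead of it: named-checkzone is the authority on syntax, this script only adds the consistency checks listed in its docstring.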
3.4 Restart the named service
[root@CentOS7-2 named]# systemctl restart named
3.5 Test whether the configuration works
[root@CentOS7-2 named]# dig @192.168.128.137 www.imooc.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @192.168.128.137 www.imooc.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5396
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.imooc.com. IN A
;; ANSWER SECTION:
www.imooc.com. 7200 IN A 115.182.41.180
;; AUTHORITY SECTION:
imooc.com. 7200 IN NS dns1.imooc.com.
;; ADDITIONAL SECTION:
dns1.imooc.com. 7200 IN A 192.168.128.137
;; Query time: 0 msec
;; SERVER: 192.168.128.137#53(192.168.128.137)
;; WHEN: Wed Feb 26 15:15:05 CST 2020
;; MSG SIZE rcvd: 93
[root@CentOS7-2 named]#
[root@CentOS7-2 named]# dig www.imooc.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.imooc.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25725
;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.imooc.com. IN A
;; ANSWER SECTION:
www.imooc.com. 30 IN A 115.182.41.103
www.imooc.com. 30 IN A 115.182.41.163
www.imooc.com. 30 IN A 117.121.101.134
www.imooc.com. 30 IN A 117.121.101.40
www.imooc.com. 30 IN A 117.121.101.144
www.imooc.com. 30 IN A 117.121.101.41
www.imooc.com. 30 IN A 115.182.41.180
;; Query time: 131 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Wed Feb 26 15:15:39 CST 2020
;; MSG SIZE rcvd: 154
[root@CentOS7-2 named]# dig @192.168.128.137 www.iaskjob.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> @192.168.128.137 www.iaskjob.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24878
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.iaskjob.com. IN A
;; ANSWER SECTION:
www.iaskjob.com. 7200 IN CNAME www.imooc.com.
www.imooc.com. 7200 IN A 115.182.41.180
;; AUTHORITY SECTION:
imooc.com. 7200 IN NS dns1.imooc.com.
;; ADDITIONAL SECTION:
dns1.imooc.com. 7200 IN A 192.168.128.137
;; Query time: 2 msec
;; SERVER: 192.168.128.137#53(192.168.128.137)
;; WHEN: Wed Feb 26 15:16:18 CST 2020
;; MSG SIZE rcvd: 119
[root@CentOS7-2 named]#
4. Configure the DNS server address on this machine
[root@CentOS7-2 named]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
#BOOTPROTO=dhcp
BOOTPROTO=static
IPADDR=192.168.128.137
NAME=ens33
DEVICE=ens33
ONBOOT=yes
GATEWAY=192.168.128.2
#DNS1=10.1.1.2
DNS2=8.8.8.8
DNS3=114.114.114.114
DNS4=115.115.115.115
[root@CentOS7-2 named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 8.8.8.8
nameserver 114.114.114.114
nameserver 115.115.115.115
[root@CentOS7-2 named]#
Note: the DNS addresses must be set in /etc/sysconfig/network-scripts/ifcfg-ens33; otherwise /etc/resolv.conf is regenerated, and the entries lost, after the network service restarts. The configuration shown still points this host only at public resolvers; to have it use the server just built, set DNS1=192.168.128.137 here and restart the network service.
5. Notes on DNS ports
It is well known that DNS uses port 53 over both UDP and TCP; one application protocol running over two transports is something of an oddity in the TCP/IP stack. Less well known is when DNS uses which.
A quick recap of TCP and UDP first.
TCP is a connection-oriented protocol that provides reliable delivery and is used where the quality of service matters. UDP, the User Datagram Protocol, is a connectionless transport protocol offering a simple, unreliable, transaction-oriented delivery service.
Differences between TCP and UDP:
The main difference is how reliable delivery is achieved. TCP has a delivery guarantee built in: the receiver acknowledges the data it gets, and the sender retransmits anything that is not acknowledged in time. UDP has no such mechanism: if a datagram is lost between sender and receiver, the protocol itself neither detects nor reports it, which is why UDP is called an unreliable transport. A second difference is ordering: TCP delivers bytes in the order they were sent, while UDP does not guarantee that datagrams arrive in order. In practice reordering is rare and mostly happens when the network is heavily congested.
If UDP is unreliable, what is it good for? Speed. TCP's reliability machinery (connection setup, acknowledgements, retransmission, ordering) costs round trips and per-connection state on both ends. UDP drops all of that and leaves reliability and ordering to the application, so a single request and reply complete in one round trip.
DNS uses TCP for zone transfers and for any response that does not fit in a UDP message (see below); everything else uses UDP.
The DNS specification defines two kinds of authoritative server for a zone: the primary, which reads the zone data from its own files, and the secondary, which obtains it from the primary. When a secondary starts (and whenever the zone changes on the primary), it contacts the primary and loads the zone data. This is a zone transfer (AXFR, or IXFR for an incremental one).
Why both TCP and UDP?
First, the message size limits:
Classic DNS (RFC 1035) limits a message carried over UDP to 512 bytes; that is a DNS limit, not a UDP one. When a response does not fit, the server truncates it and sets the TC (truncated) bit in the header, and the client repeats the query over TCP, which has no such limit. With EDNS0 the client can advertise a larger UDP buffer (the dig output above advertises udp: 4096), so most ordinary answers fit in UDP today, but large responses (DNSSEC signatures, many records) still fall back to TCP.
Zone transfers use TCP for two reasons:
1. A secondary polls the primary at the SOA refresh interval (1H in the zone files above; the primary can also push a NOTIFY) to learn whether the serial has changed. If it has, the secondary performs a zone transfer to synchronize. The transfer carries far more data than a single query and reply, so TCP rather than UDP is used.
2. TCP is a reliable connection, so the zone arrives complete and in order.
Name resolution uses UDP:
A client query to a DNS server normally gets a response well under 512 bytes, so UDP suffices: no three-way handshake, lower load on the server, faster answers. A client may also ask over TCP (dig +tcp), and servers are required to support TCP as well (RFC 7766); a firewall that opens only UDP/53 to a DNS server breaks the truncated-response fallback and zone transfers.
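The UDP-then-TCP behaviour described above, as an added example that is not part of the original post: a small Python client that builds a query (advertising an EDNS0 buffer of 4096 like the dig output above), checks the reply's transaction id before trusting it, and, when the server sets TC, repeats the query over TCP with the 2-byte length prefix DNS-over-TCP uses. The transports are passed in as functions, so the script is exercised here against a constructed fake that truncates over UDP; udp_transport and tcp_transport point it at a real server such as the lab server at 192.168.128.137, which is also a quick way to confirm that TCP/53 is reachable (the equivalent of dig +tcp in section 3.5).

```python
"""UDP-first DNS lookup that falls back to TCP when the reply has the TC bit set.
Added example, not from the original post. Transports are plain functions, so the same
code runs against the lab server or the in-memory fake at the bottom; a reply whose
transaction id does not match the query is rejected rather than trusted."""
import random
import socket
import struct

QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080  # DNS header flag bits

def encode_name(name):
    labels = [l for l in name.rstrip(".").split(".") if l]  # www.imooc.com -> 3www5imooc3com0
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qtype=1, txid=None, udp_size=4096):
    """Standard query (RD set) plus an EDNS0 OPT record advertising udp_size."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)  # root name, TYPE OPT, class = buffer size
    return header + question + opt

def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in the stream)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def parse_header(msg, expected_id):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id or not flags & QR:
        raise ValueError("reply does not match our query (wrong id or not a response)")
    return {"tc": bool(flags & TC), "aa": bool(flags & AA), "rcode": flags & 0xF, "counts": (qd, an, ns, ar)}

def parse_response(msg, expected_id):
    info = parse_header(msg, expected_id)
    qd, an, ns, ar = info["counts"]
    off, records = 12, []
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):  # collect every A record, whichever section it is in
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, socket.inet_ntoa(msg[off:off + 4])))
        off += rdlen
    info["answers"] = records
    return info

def resolve(name, udp_send, tcp_send, qtype=1):
    """udp_send(query) -> reply; tcp_send(length-prefixed query) -> length-prefixed reply."""
    txid = random.randrange(0x10000)
    query = build_query(name, qtype, txid)
    reply, transport = udp_send(query), "udp"
    if parse_header(reply, txid)["tc"]:  # truncated: repeat the same query over TCP
        framed = tcp_send(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", framed[:2])
        reply, transport = framed[2:2 + length], "tcp"
    return dict(parse_response(reply, txid), transport=transport)

def udp_transport(server, port=53, timeout=3.0):
    def send(query):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, port))
            return s.recv(4096)
    return send

def tcp_transport(server, port=53, timeout=3.0):
    def send(framed):
        with socket.create_connection((server, port), timeout) as s:
            s.sendall(framed)
            head = s.recv(2, socket.MSG_WAITALL)
            return head + s.recv(struct.unpack("!H", head)[0], socket.MSG_WAITALL)
    return send

# Constructed stand-in for the lab server: answers www.imooc.com with the A record from the
# zone above; when asked to truncate it returns header and question only, with TC set.
def fake_server(query, truncate):
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    flags = QR | AA | RD | RA | (TC if truncate else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0 if truncate else 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 7200, 4) + socket.inet_aton("115.182.41.180")
    return header + query[12:qend + 4] + (b"" if truncate else answer)

def fake_tcp(framed):
    reply = fake_server(framed[2:], truncate=False)
    return struct.pack("!H", len(reply)) + reply

if __name__ == "__main__":
    print(resolve("www.imooc.com", lambda q: fake_server(q, truncate=True), fake_tcp))
```

Against the real lab server the call is resolve("www.imooc.com", udp_transport("192.168.128.137"), tcp_transport("192.168.128.137")); the returned transport field tells you whether the answer came back over UDP or needed the TCP retry.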