##### DNS ######
################
## Install BIND, start it now and at boot, open the firewall, then prepare /var/named.
## Order matters: the --permanent firewall rule only takes effect after --reload.
yum install bind -y ##install the bind package
systemctl start named ##start the service now
systemctl enable named ##start the service at boot
firewall-cmd --permanent --add-service=dns ##persistently allow the firewalld 'dns' service
firewall-cmd --reload ##apply the permanent rule
chmod g+s /var/named ##setgid directory: zone files created here inherit the directory's group (root:named on RHEL by default — verify with ls -ld /var/named) so named can read them
### 一、DNS正向解析
將域名解析爲對應IP
服務端配置:
1、vim /etc/named.conf
********
.....
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { none; };
forwarders { 172.25.254.250; }; ##每個 IP 後面都要有 ';'(原文少了分號,named-checkconf 會報錯);forwarders 對 master 區域基本沒有作用,一般放在 options { } 裡給非本區域的查詢用
};
dnssec-validation no; ##關閉 DNSSEC 驗證,要放在 options { } 內;只適合內部測試,正式環境保持 yes,否則遞迴查詢結果無法被驗證
.....
********
注意:zone "hello.com" 只能定義一次。RHEL 預設的 named.conf 會 include /etc/named.rfc1912.zones,若這裡和第 2 步都加了同一個 zone,named 會以 "zone already exists" 啟動失敗;本文後面各節都把 zone 放在 named.rfc1912.zones,所以這裡只需要改 options 即可。改完可用 named-checkconf 檢查語法。
2、vim /etc/named.rfc1912.zones
************
...
添加:
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { none; };
};
...
************
3、cp -p /var/named/named.localhost /var/named/hello.com.zone
4、vim /var/named/hello.com.zone
************
$TTL 1D
@ IN SOA dns.hello.com. root.redhat.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.hello.com.
dns A 172.25.254.67
www A 172.25.254.100
************
*************
(以下是範本 named.localhost 的內容加說明;'#' 開頭的行是本文的說明,不是文件內容,區域文件裡的註解要用 ';')
$TTL 1D #該區域的預設 TTL:沒有單獨指定 TTL 的記錄都用這個值,也就是上面 dig 看到的 86400 秒
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
#域名服務器刷新記錄的時間爲1天,輔助域名服務器每隔1天向主域名服務器發送更新請求
1H ; retry
#當輔DNS 1天后無法與主DNS 通信,則每隔1小時向主DNS發送更新請求。
1W ; expire
#過期時間爲1周。即,輔DNS 1周時間無法與主域名服務器通信,則對應的記錄將失效
3H ) ; minimum
#負向快取 TTL:NXDOMAIN 等「查無此記錄」的否定回應可被快取 3 小時(依 RFC 2308,BIND 9 中這個欄位已不是最小 TTL)
NS @
#NS記錄,表明域名服務器記錄對應的主機域名
A 127.0.0.1
#A記錄,記錄主機與域名的映射關係
AAAA ::1
#IPv6的主機AAAA記錄
***************
客戶端測試:
vim /etc/resolv.conf
**********
search hello.com ##search 網域應與本例的 hello.com 一致(原文為 example.com,與本例無關);dig 用完整域名時不受影響
nameserver 172.25.254.67
**********
[root@localhost ~]# dig www.hello.com
.......
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58134
......
;; ANSWER SECTION:
www.hello.com. 86400 IN A 172.25.254.100
........
;; ADDITIONAL SECTION:
dns.hello.com. 86400 IN A 172.25.254.67
;; SERVER: 172.25.254.67#53(172.25.254.67) ##DNS服務器的IP地址和端口號
.......
### 二、DNS輪詢機制
一個域名對應兩個IP地址,解析的時候會以輪詢的方式解析
服務端:
vim /var/named/hello.com.zone ##區域文件在 /var/named 下(原文路徑 /etc/named/ 有誤);改完記得把 SOA 的 serial 加 1,輔DNS 才會同步
************
.........
添加:
www A 172.25.254.200
************
systemctl restart named
客戶端測試:
[root@localhost ~]# dig www.hello.com
.............
;; ANSWER SECTION:
www.hello.com. 86400 IN A 172.25.254.100
www.hello.com. 86400 IN A 172.25.254.200
............
[root@localhost ~]# dig www.hello.com
...........
;; ANSWER SECTION:
www.hello.com. 86400 IN A 172.25.254.200
www.hello.com. 86400 IN A 172.25.254.100
............
### 三、CNAME解析
域名的別名,例如:www.aa.com,又叫www.bb.com,都對應一個IP
服務端配置:
1、vim /var/named/hello.com.zone ##區域文件在 /var/named 下(原文路徑 /etc/named/ 有誤);改完記得把 SOA 的 serial 加 1
************
.........
添加:
what CNAME www.hello.com.
************
2、systemctl restart named
客戶端測試:
[root@localhost ~]# dig what.hello.com
**********
.............
;; ANSWER SECTION:
what.hello.com. 86400 IN CNAME www.hello.com.
www.hello.com. 86400 IN A 172.25.254.100
www.hello.com. 86400 IN A 172.25.254.200
;; AUTHORITY SECTION:
hello.com. 86400 IN NS dns.hello.com.
;; ADDITIONAL SECTION:
dns.hello.com. 86400 IN A 172.25.254.67
..........
**********
#### 四、MX
域裏面的郵件服務器
服務端:
vim /var/named/hello.com.zone ##區域文件在 /var/named 下(原文路徑 /etc/named/ 有誤);改完記得把 SOA 的 serial 加 1
************
.........
添加:
hello.com. MX 1 dns.hello.com. ##MX 的目標必須是主機名(且該主機要有 A 記錄),不能直接寫 IP;寫 IP 會被當成相對名稱補成 172.25.254.67.hello.com.,郵件無法投遞
************
systemctl restart named
客戶端測試:
[root@localhost ~]# dig -t mx hello.com
***********
.........
;; QUESTION SECTION:
;hello.com. IN MX
;; ANSWER SECTION:
hello.com. 86400 IN MX 1 dns.hello.com. ##若 MX 誤寫成 IP,這裡會看到 172.25.254.67.hello.com. 這種無法解析的目標
.........
***********
[root@localhost ~]# mail [email protected]
Subject: hello
123
.
EOT
[root@localhost ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
48C7FEAEE9 442 Wed Mar 1 04:28:00 [email protected]
(connect to www.hello.com[172.25.254.200]:25: No route to host)
[email protected]
-- 0 Kbytes in 1 Request.
#### 五、反向解析
將IP解析爲域名
# !它和正向解析沒有關係!
1、vim /etc/named.rfc1912.zones
*********
添加
...........
zone "254.25.172.in-addr.arpa" IN {
type master;
file "hello.com.ptr";
allow-update { none; };
};
..........
*********
2、cp -p /var/named/named.localhost /var/named/hello.com.ptr ##用絕對路徑,不必先 cd 到 /var/named;-p 保留 root:named 的擁有者與權限
3、vim /var/named/hello.com.ptr
************
...........
$TTL 1D
@ IN SOA dns.hello.com. root.hello.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.hello.com.
A 172.25.254.67
67 PTR www.hello.com.
111 PTR www.redhat.com.
222 PTR www.linux.com.
.............
# 注意:以上域名必須以‘.’結尾,否則會默認在它們後面加上‘.hello.com’後綴
************
4、systemctl restart named
客戶端測試:
[root@localhost ~]# dig -x 172.25.254.222
*********
.......
;; ANSWER SECTION:
222.254.25.172.in-addr.arpa. 86400 IN PTR www.linux.com.
.......
*********
################
#### DNS集羣 ####
################
#### 一、輔助DNS
輔DNS:
1、yum install bind
2、vim /etc/named.conf
************
.............
listen-on port 53 { any; }; ##在所有介面監聽(預設只有 127.0.0.1)
..............
allow-query { any; }; ##允許任何來源查詢。若 options 仍是預設的 recursion yes,這台就成了開放遞迴解析器,可被拿來做 DNS 放大攻擊;
                      ##只做權威解析請加 recursion no;,或用 allow-recursion { localnets; }; 把遞迴限制在內網
............
************
3、vim /etc/named.rfc1912.zones
************
..........
zone "hello.com" IN {
type slave;
masters { 172.25.254.67; }; ##關鍵字是 masters(複數),原文的 master 會讓 named-checkconf 報錯
file "slaves/hello.com.zone";
allow-update { none; };
};
.........
************
4、systemctl restart named
主:
1、vim /etc/named.rfc1912.zones
************
..........
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { none; };
allow-transfer { 172.25.254.105; }; ##拼字是 allow-transfer;只允許輔DNS 做區域傳輸(AXFR),否則任何人都能下載整個區域的記錄
};
.........
************
2、systemctl restart named
測試:
dig dns.hello.com
**********
........
;; ANSWER SECTION:
dns.hello.com. 86400 IN A 172.25.254.67
........
**********
### 二、同步主DNS
當主DNS修改了記錄時,輔助DNS並不會改變,因此輔助DNS就需要同步主DNS的記錄。
主DNS配置:
vim /etc/named.rfc1912.zones
***********
.......
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { none; };
allow-transfer {172.25.254.105;}; ##允許誰同步
also-notify {172.25.254.105;}; ##更新時通知輔DNS
};
..........
**********
測試:
主DNS:
vim /var/named/hello.com.zone
************
$TTL 1D
@ IN SOA dns.hello.com. root.redhat.com. (
2 ; serial
##每次修改域名或者IP都改變該數字,輔DNS纔會知道同步
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.hello.com.
dns A 172.25.254.67
www A 172.25.254.100
www A 172.25.254.233
what CNAME www.hello.com.
hello.com. MX 1 dns.hello.com. ##MX 目標須為主機名而非 IP(見第四節)
************
輔DNS:
每次主DNS修改配置文件 /var/named/hello.com.zone中的‘serial’和IP或域名後
輔DNS執行:dig www.hello.com
#### 三、輔DNS更新主DNS
1)、指定IP更新
vim /etc/named.rfc1912.zones
*********
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { 172.25.254.105; }; ##只以來源 IP 判斷,IP 可被偽造,下一節改用密鑰驗證
allow-transfer {172.25.254.105;};
also-notify {172.25.254.105;};
};
*********
2、systemctl restart named
3、chmod 770 /var/named ##讓 named 能在區域文件所在目錄建立 .jnl 日誌。較安全的做法是不放寬整個目錄,而是把動態區域放到 RHEL 預設就可寫的 /var/named/dynamic/,並把 file 改成 "dynamic/hello.com.zone"
4、cp -p /var/named/hello.com.zone /mnt ##先備份,測試完要還原
測試:
[root@localhost named]# nsupdate
> server 172.25.254.67
> update delete www.hello.com
> send
[root@localhost named]# dig www.hello.com
.........
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 42186
.........
[root@localhost named]# nsupdate
> server 172.25.254.67
> update add www.hello.com 86400 IN A 172.25.254.111
> send
[root@localhost named]# dig www.hello.com
...........
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49266
.........
;; ANSWER SECTION:
www.hello.com. 86400 IN A 172.25.254.111
..........
注意:動態更新先寫入 /var/named/hello.com.zone.jnl 日誌,區域文件本身要等 named 定期回寫、執行 rndc freeze/sync(rndc sync 需 BIND 9.9+)或重啓服務後才會更新,所以直接看文件可能還是舊內容
##Restore: drop the journal and put the backed-up zone file back.
rm -fr /var/named/hello.com.zone.jnl ##the .jnl holds the dynamic updates; if it does not match the restored (older) file, named may refuse to load the zone
cp -p /mnt/hello.com.zone /var/named/hello.com.zone #copy, don't mv: the backup in /mnt is reused by the later restore step
#### 四、加密更新
當其他人的IP和輔DNS的IP一致時,別人也可更新,不安全!於是就需要用密鑰進行身份驗證來更新。
主DNS配置:
1、dnssec-keygen -a HMAC-MD5 -b 128 -n HOST hello
-a:指定 HMAC 演算法 -b:密鑰長度(bit) -n:密鑰用途
##HMAC-MD5 已過時,新版 BIND(9.13+)的 dnssec-keygen 也不再產生 TSIG 密鑰;建議改用 hmac-sha256:
##  tsig-keygen -a hmac-sha256 hello > /etc/hello.key   (若有 tsig-keygen,它直接輸出第 3 步的 key { } 區塊)
生成 Khello.+157+61162.key和Khello.+157+61162.private兩個文件;HMAC 是對稱密鑰,兩個文件裡是同一個共享密鑰,都要當機密保護(chmod 600)
cat Khello.+157+61162.key
*********
hello. IN KEY 512 3 157 2rhbDFQ+fR8h+iGE4au9AA==
*********
2、cp -p /etc/rndc.key /etc/hello.key ##-p 保留 rndc.key 的權限(RHEL 預設 root:named 640),密鑰文件不可讓其他使用者讀
3、vim /etc/hello.key
***********
key "hello" {
algorithm hmac-md5;
secret "2rhbDFQ+fR8h+iGE4au9AA==";
};
***********
4、vim /etc/named.conf
*********
添加:
include "/etc/hello.key";
注意:在其他大括號外添加
*********
#只允許擁有對應key的才能更新
5、vim /etc/named.rfc1912.zones
***********
........
zone "hello.com" IN {
type master;
file "hello.com.zone";
allow-update { key hello; };
allow-transfer {172.25.254.105;};
also-notify {172.25.254.105;};
};
........
***********
#將鑰匙分發給輔DNS
scp Khello.+157+61162.* [email protected]:/mnt
測試:
輔DNS:
nsupdate -k /mnt/Khello.+157+61162.private
> server 172.25.254.67
> update delete www.hello.com
> send
dig www.hello.com
**********
.........
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16551
.....
;www.hello.com. IN A
........
**********
#Restore the zone after the TSIG test: revert the file from the /mnt backup.
rm -f /var/named/hello.com.zone ##named rewrote this in its own format after the dynamic update
rm -f /var/named/hello.com.zone.jnl ##the journal must not outlive the file it belongs to, or the zone may fail to load
cp -p /var/named/hello.com.zone.jnl 2>/dev/null; cp -p /mnt/hello.com.zone /var/named/ ##-p keeps the backup's mode/owner so named can still read it
注意:一定要還原文件。動態更新會讓 named 以自己的格式回寫 hello.com.zone 並產生 .jnl,和手動編輯的文件會衝突;日後若要手動修改動態區域,應先 rndc freeze hello.com,改完再 rndc thaw hello.com,而不是直接覆蓋文件
#### 五、花生殼DDNS
DDNS原理:DNS+DHCP=DDNS
DHCP負責IP解析,給客戶機分配IP
DNS負責域名解析,A記錄裏記錄了每個IP對應的域名
當dns所維護的域裏的主機的IP獲取方式爲dhcp時,每次輔DNS重啓網絡服務時,都有可能會更改IP。DNS服務器裏的A記錄,就可能錯誤,所以需要dhcp分發IP時主動更改DNS服務器裏的A記錄。
1、配置dhcp服務(以前已經做過)。
2、修改dhcp配置
vim /etc/dhcp/dhcpd.conf
**********
該文件所有實質內容:
option domain-name "hello.com";
option domain-name-servers 172.25.254.67;
ddns-update-style interim;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
subnet 172.25.254.0 netmask 255.255.255.0 {
range 172.25.254.100 172.25.254.200;
option routers 172.25.254.67;
filename "pxelinux.0"; #不用寫,這是做pxe的
next-server 172.25.254.67; #不用寫,這是做pxe的
}
key hello {
algorithm hmac-md5;
secret "2rhbDFQ+fR8h+iGE4au9AA=="; ##與 /etc/hello.key 相同的共享密鑰。dhcpd.conf 通常是所有人可讀(644),
                                   ##建議把 key { } 放到獨立文件用 include 引入並限制權限(root 與 dhcpd 的執行帳號可讀即可)
};
zone hello.com {
primary 127.0.0.1; ##named 必須在 127.0.0.1 監聽(預設即是)
key hello;
}
##若也要讓 dhcpd 更新反向解析(PTR),還要再加 zone 254.25.172.in-addr.arpa { primary 127.0.0.1; key hello; },並在 named 端對該反向區域設定 allow-update { key hello; };
*************
3、chmod 770 /var/named ##同前一節:讓 named 能寫 .jnl;更安全的做法是把區域文件放在 /var/named/dynamic/ 而不是放寬整個目錄
4、systemctl restart dhcpd
5、systemctl restart named
測試
測試機修改主機名:wang.hello.com (hostnamectl set-hostname wang.hello.com)
DNS機重啓dhcpd和named;測試機重啓network重新向 dhcpd 取得租約(原文還寫了在測試機重啓 named,但測試機只是 DHCP 客戶端,並不需要 named),之後用 dig wang.hello.com 檢查 A 記錄是否已自動寫入。