Domain Name System (DNS) Service


What is DNS?

The Domain Name System (DNS) is the phone book of the whole Internet: it translates human-readable domain names into machine-readable IP addresses, so that Internet users no longer have to deal directly with IP addresses, which are hard to read and remember.

DNS is very important in today's Internet because a server's IP address may change frequently. Without DNS, as soon as an IP address changed, the clients of that server would have no way to reach it. If we give the IP address an "alias" and update the mapping between the alias and the IP address whenever it changes, we can guarantee that the service a cluster exposes stays reachable by other clients in a relatively stable way.

DNS is really a distributed, tree-structured naming system. It works like a decentralized, distributed database that stores the mapping from domain names to IP addresses.

Local name resolution configuration file: hosts

Linux: /etc/hosts

Windows: %WINDIR%/system32/drivers/etc/hosts

DNS uses a client/server (C/S) architecture; the server side listens on 53/udp and 53/tcp

FQDN: Fully Qualified Domain Name = hostname (alias) + domain name (an organization, i.e. an independent namespace)

BIND: Berkeley Internet Name Domain, the DNS software implementation provided by ISC


DNS domain name structure


  • Root domain
  • First-level domain: Top Level Domain (TLD)
    • com, edu, mil, gov, org, ...
    • Three categories: organizational domains, country domains (.cn, .ca, ...), reverse domains
  • Second-level domain: baidu.com
  • Third-level domain: img.baidu.com
  • Up to 127 levels are possible

How DNS works

In short: when you enter a domain name, DNS returns an IP address.

Although only an IP address has to be returned, the DNS lookup process is quite complex and consists of several steps.


  1. The DNS client sends the DNS resolver a request to resolve the domain name www.baidu.com
  2. The DNS resolver first asks a nearby root DNS server (.) for the address of the top-level domain DNS server; every DNS server knows the root server addresses
  3. With the address of the com. name server obtained from the root, it asks the .com name server for the name server responsible for baidu.com. and gets the address information of baidu.com.
  4. With the address of the baidu.com. name server, it asks that server to resolve www.baidu.com. and returns the result to the DNS resolver
  5. The DNS resolver hands the result to the DNS client
  6. The DNS resolver stores the result in its DNS query cache; if the same domain name is queried again later, the cached content is returned directly (the local machine also has a cache)
    • Windows: ipconfig /displaydns
    • Linux: no cache by default, only the local hosts file

The full path of a query request

Client -> hosts file -> client DNS service local cache -> DNS server (recursion) -> DNS server cache -> iteration -> root -> TLD DNS -> second-level domain DNS -> ...

# recursion: recursive query
# iteration: iterative query

Once the DNS client has received the IP address, the whole DNS resolution process is finished, and the client then sends its request directly to the server at that IP address.

For the DNS resolver, the query method used here is iterative: each DNS server does not return the DNS record itself but the location of another DNS server, and the client asks the DNS servers of each level in turn until it gets the expected result. The other query method is called recursive: after receiving the client's request, the DNS server returns the exact result directly; if the current server does not hold the DNS record, it queries the other servers itself and then returns the result to the client.
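The six steps and the iterative/recursive distinction above, as an added Python simulation that is not part of the original post: the Resolver plays the recursive server the client talks to, and each Server answers iteratively with either a final record or a referral to the next server down. The delegation tree and its single placeholder address are constructed for illustration.

```python
"""Simulate the iterative resolution of www.baidu.com described above.

Added example; not part of the original post. The Resolver plays the
recursive DNS server: it takes the client's single question and walks the
root -> com. -> baidu.com. chain itself, caching the answer. Each Server
answers the way an authoritative server does in an iterative query: a final
record if it owns the name, otherwise a referral to the next server down.
The server tree is constructed for illustration; the IP address in it is a
documentation placeholder, not the real one.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    zone: str                                      # zone this server is authoritative for
    referrals: dict = field(default_factory=dict)  # child zone -> Server (NS delegation)
    answers: dict = field(default_factory=dict)    # FQDN -> IP (A record)

    def query(self, name):
        """('answer', ip) | ('referral', Server) | ('nxdomain', None)."""
        if name in self.answers:
            return "answer", self.answers[name]
        # longest matching child zone wins, e.g. baidu.com. over com.
        for child in sorted(self.referrals, key=len, reverse=True):
            if name == child or name.endswith("." + child):
                return "referral", self.referrals[child]
        return "nxdomain", None


class Resolver:
    def __init__(self, root):
        self.root = root
        self.cache = {}

    def resolve(self, name, max_hops=10):
        """Return (ip, path): ip is None on NXDOMAIN; path lists the zones
        asked in order, or ['cache'] when the answer came from the cache."""
        if not name.endswith("."):
            name += "."                  # normalise to an FQDN
        if name in self.cache:
            return self.cache[name], ["cache"]
        server, path = self.root, []
        for _ in range(max_hops):        # bounded so a bad delegation cannot loop forever
            path.append(server.zone)
            kind, data = server.query(name)
            if kind == "answer":
                self.cache[name] = data
                return data, path
            if kind == "referral":
                server = data
                continue
            return None, path
        raise RuntimeError(f"gave up after {max_hops} referrals for {name}")


# Constructed delegation tree: root knows com., com. knows baidu.com.,
# and baidu.com.'s server holds the A record (placeholder address).
BAIDU_NS = Server("baidu.com.", answers={"www.baidu.com.": "203.0.113.10"})
COM_NS = Server("com.", referrals={"baidu.com.": BAIDU_NS})
ROOT_NS = Server(".", referrals={"com.": COM_NS})

if __name__ == "__main__":
    r = Resolver(ROOT_NS)
    print(r.resolve("www.baidu.com"))   # walks ., com., baidu.com.
    print(r.resolve("www.baidu.com"))   # second time served from the cache
```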

Yeti DNS Project ("Snowman Project")

Root servers are the most important strategic infrastructure of the global Internet, the "hub" of Internet communication. For various reasons, the number of root servers on the existing Internet has always been fixed at 13. The Yeti DNS Project is a testing and operations experiment for next-generation Internet (IPv6) root servers based on a new technical architecture. It was officially launched on June 23, 2015. Liu Dong, director of China's Next Generation Internet Engineering Center and the project's first executive chairman, believes the project will break the root server deadlock and make multilateral governance of the global Internet possible.

In November 2017, according to reports, the Yeti project led by the National Engineering Center for Next Generation Internet had deployed 25 IPv6 (Internet Protocol version 6) root servers worldwide, 4 of them in China, ending China's past situation of having no root servers at all.

DNS query types

  • Recursive query: the query returns the final result
  • Iterative query: the query returns a partial result; the lookup proceeds step by step until the result is obtained

Resolution types

  • FQDN -> IP: forward resolution
  • IP -> FQDN: reverse resolution

Note

Forward and reverse resolution are two different namespaces; put simply, they are two different resolution trees

DNS service concepts and technologies

Types of DNS servers

  • Master DNS server

  • Slave DNS server

  • Caching DNS server (forwarder)

    Master DNS server

    The server that manages and maintains the zone database of the domain it is responsible for

    Slave DNS server

    "Copies" (zone transfer) a replica of the zone database from the master or from another slave

    Serial number: the version number of the zone database; it increments whenever the master's zone database changes

    Refresh interval: how often the slave asks the master to synchronize the zone

    Retry interval: how long the slave waits before trying again after a failed synchronization request

    Expire time: how long after losing contact with the master the slave stops serving the zone

    Notify mechanism: when the master's zone database changes, it actively notifies the slaves

Internet domain names

Domain registration:

  • Wanwang (萬網): acquired by Alibaba
  • Xinnet (新網): acquired by Tencent
  • GoDaddy

Building DNS with BIND

DNS server software: bind, powerdns, unbound

BIND-related packages

[root@localhost ~]# yum list all bind*
bind		# server
bind-libs	# related libraries
bind-utils	# client tools
bind-chroot	# security package; places the DNS-related files under /var/named/chroot

[root@localhost ~]# rpm -qa bind*
bind-libs-lite-9.11.4-9.P2.el7.x86_64
bind-license-9.11.4-9.P2.el7.noarch
bind-export-libs-9.11.4-9.P2.el7.x86_64
bind-utils-9.11.4-9.P2.el7.x86_64
bind-libs-9.11.4-9.P2.el7.x86_64

Install bind and bind-utils

[root@localhost ~]# yum install bind bind-utils -y
[root@localhost ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.

Common client test tools in bind-utils

[root@localhost ~]# rpm -ql bind-utils
/etc/trusted-key.key
/usr/bin/delv
/usr/bin/dig
/usr/bin/host
/usr/bin/mdig
/usr/bin/nslookup
/usr/bin/nsupdate
...

File list of the bind package

[root@localhost ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
# main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/lib/python2.7/site-packages/isc
/usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
/usr/lib/python2.7/site-packages/isc/__init__.py
/usr/lib/python2.7/site-packages/isc/__init__.pyc
/usr/lib/python2.7/site-packages/isc/__init__.pyo
/usr/lib/python2.7/site-packages/isc/checkds.py
/usr/lib/python2.7/site-packages/isc/checkds.pyc
/usr/lib/python2.7/site-packages/isc/checkds.pyo
/usr/lib/python2.7/site-packages/isc/coverage.py
/usr/lib/python2.7/site-packages/isc/coverage.pyc
/usr/lib/python2.7/site-packages/isc/coverage.pyo
/usr/lib/python2.7/site-packages/isc/dnskey.py
/usr/lib/python2.7/site-packages/isc/dnskey.pyc
/usr/lib/python2.7/site-packages/isc/dnskey.pyo
/usr/lib/python2.7/site-packages/isc/eventlist.py
/usr/lib/python2.7/site-packages/isc/eventlist.pyc
/usr/lib/python2.7/site-packages/isc/eventlist.pyo
/usr/lib/python2.7/site-packages/isc/keydict.py
/usr/lib/python2.7/site-packages/isc/keydict.pyc
/usr/lib/python2.7/site-packages/isc/keydict.pyo
/usr/lib/python2.7/site-packages/isc/keyevent.py
/usr/lib/python2.7/site-packages/isc/keyevent.pyc
/usr/lib/python2.7/site-packages/isc/keyevent.pyo
/usr/lib/python2.7/site-packages/isc/keymgr.py
/usr/lib/python2.7/site-packages/isc/keymgr.pyc
/usr/lib/python2.7/site-packages/isc/keymgr.pyo
/usr/lib/python2.7/site-packages/isc/keyseries.py
/usr/lib/python2.7/site-packages/isc/keyseries.pyc
/usr/lib/python2.7/site-packages/isc/keyseries.pyo
/usr/lib/python2.7/site-packages/isc/keyzone.py
/usr/lib/python2.7/site-packages/isc/keyzone.pyc
/usr/lib/python2.7/site-packages/isc/keyzone.pyo
/usr/lib/python2.7/site-packages/isc/parsetab.py
/usr/lib/python2.7/site-packages/isc/parsetab.pyc
/usr/lib/python2.7/site-packages/isc/parsetab.pyo
/usr/lib/python2.7/site-packages/isc/policy.py
/usr/lib/python2.7/site-packages/isc/policy.pyc
/usr/lib/python2.7/site-packages/isc/policy.pyo
/usr/lib/python2.7/site-packages/isc/rndc.py
/usr/lib/python2.7/site-packages/isc/rndc.pyc
/usr/lib/python2.7/site-packages/isc/rndc.pyo
/usr/lib/python2.7/site-packages/isc/utils.py
/usr/lib/python2.7/site-packages/isc/utils.pyc
/usr/lib/python2.7/site-packages/isc/utils.pyo
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
# service unit file
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
# main program
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
# used to stop or reload the service
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/usr/share/doc/bind-9.11.4
/usr/share/doc/bind-9.11.4/Bv9ARM.ch01.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch02.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch03.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch04.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch05.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch06.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch07.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch08.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch09.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch10.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch11.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch12.html
/usr/share/doc/bind-9.11.4/Bv9ARM.ch13.html
/usr/share/doc/bind-9.11.4/Bv9ARM.html
/usr/share/doc/bind-9.11.4/Bv9ARM.pdf
/usr/share/doc/bind-9.11.4/CHANGES
/usr/share/doc/bind-9.11.4/README
/usr/share/doc/bind-9.11.4/isc-logo.pdf
/usr/share/doc/bind-9.11.4/man.arpaname.html
/usr/share/doc/bind-9.11.4/man.ddns-confgen.html
/usr/share/doc/bind-9.11.4/man.delv.html
/usr/share/doc/bind-9.11.4/man.dig.html
/usr/share/doc/bind-9.11.4/man.dnssec-checkds.html
/usr/share/doc/bind-9.11.4/man.dnssec-coverage.html
/usr/share/doc/bind-9.11.4/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-importkey.html
/usr/share/doc/bind-9.11.4/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.11.4/man.dnssec-keygen.html
/usr/share/doc/bind-9.11.4/man.dnssec-keymgr.html
/usr/share/doc/bind-9.11.4/man.dnssec-revoke.html
/usr/share/doc/bind-9.11.4/man.dnssec-settime.html
/usr/share/doc/bind-9.11.4/man.dnssec-signzone.html
/usr/share/doc/bind-9.11.4/man.dnssec-verify.html
/usr/share/doc/bind-9.11.4/man.dnstap-read.html
/usr/share/doc/bind-9.11.4/man.genrandom.html
/usr/share/doc/bind-9.11.4/man.host.html
/usr/share/doc/bind-9.11.4/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.11.4/man.lwresd.html
/usr/share/doc/bind-9.11.4/man.mdig.html
/usr/share/doc/bind-9.11.4/man.named-checkconf.html
/usr/share/doc/bind-9.11.4/man.named-checkzone.html
/usr/share/doc/bind-9.11.4/man.named-journalprint.html
/usr/share/doc/bind-9.11.4/man.named-nzd2nzf.html
/usr/share/doc/bind-9.11.4/man.named-rrchecker.html
/usr/share/doc/bind-9.11.4/man.named.conf.html
/usr/share/doc/bind-9.11.4/man.named.html
/usr/share/doc/bind-9.11.4/man.nsec3hash.html
/usr/share/doc/bind-9.11.4/man.nslookup.html
/usr/share/doc/bind-9.11.4/man.nsupdate.html
/usr/share/doc/bind-9.11.4/man.pkcs11-destroy.html
/usr/share/doc/bind-9.11.4/man.pkcs11-keygen.html
/usr/share/doc/bind-9.11.4/man.pkcs11-list.html
/usr/share/doc/bind-9.11.4/man.pkcs11-tokens.html
/usr/share/doc/bind-9.11.4/man.rndc-confgen.html
/usr/share/doc/bind-9.11.4/man.rndc.conf.html
/usr/share/doc/bind-9.11.4/man.rndc.html
/usr/share/doc/bind-9.11.4/named.conf.default
/usr/share/doc/bind-9.11.4/notes.html
/usr/share/doc/bind-9.11.4/notes.pdf
/usr/share/doc/bind-9.11.4/sample
/usr/share/doc/bind-9.11.4/sample/etc
/usr/share/doc/bind-9.11.4/sample/etc/named.conf
/usr/share/doc/bind-9.11.4/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.11.4/sample/var
/usr/share/doc/bind-9.11.4/sample/var/named
/usr/share/doc/bind-9.11.4/sample/var/named/data
/usr/share/doc/bind-9.11.4/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/named.ca
/usr/share/doc/bind-9.11.4/sample/var/named/named.empty
/usr/share/doc/bind-9.11.4/sample/var/named/named.localhost
/usr/share/doc/bind-9.11.4/sample/var/named/named.loopback
/usr/share/doc/bind-9.11.4/sample/var/named/slaves
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man1/named-rrchecker.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-checkds.8.gz
/usr/share/man/man8/dnssec-coverage.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-importkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-keymgr.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/dnssec-verify.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/usr/share/man/man8/tsig-keygen.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves

Start the service

[root@localhost ~]# systemctl start named
[root@localhost ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Check the listening ports

[root@localhost ~]# ss -nutlp
Netid  State      Recv-Q Send-Q    Local Address:Port                   Peer Address:Port
udp    UNCONN     0      0                 [::1]:53                             [::]:*                   users:(("named",pid=67617,fd=513))
tcp    LISTEN     0      128               [::1]:953                            [::]:*                   users:(("named",pid=67617,fd=24))
tcp    LISTEN     0      10                [::1]:53                             [::]:*                   users:(("named",pid=67617,fd=22))

Building a master DNS server

Preparation

Two hosts: one as the DNS server, one as the client

Configure the DNS server's /etc/resolv.conf so that DNS points to its own IP

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=dhcp
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=fc4d728c-858c-41f2-9a0f-8bcbcdfdb804
DEVICE=ens33
ONBOOT=yes
DNS1=127.0.0.1
DNS2=180.76.76.76

After editing, apply the change:

nmcli connection reload
nmcli connection up ens33

Once applied, the DNS entries in /etc/resolv.conf have changed

[root@localhost ~]# nmcli connection reload 
[root@localhost ~]# nmcli connection up ens33 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@localhost ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search localdomain CentOS8
nameserver 127.0.0.1
nameserver 180.76.76.76

Using the test tools host, dig and nslookup

host www.baidu.com DNSSERVER

dig www.baidu.com @DNSSERVER

nslookup can be used interactively

host

[root@localhost ~]# host www.baidu.com 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 14.215.177.38
www.a.shifen.com has address 14.215.177.39

dig

[root@localhost ~]# dig www.baidu.com @127.0.0.1

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46479
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 49986308e0fe172f521523215ee786b8e2cf8877826cd9f9 (good)
;; QUESTION SECTION:  # the question: resolve www.baidu.com to an A record
;www.baidu.com.			IN	A

;; ANSWER SECTION:  # the returned result
www.baidu.com.		1142	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	244	IN	A	14.215.177.38
www.a.shifen.com.	244	IN	A	14.215.177.39

;; AUTHORITY SECTION:
a.shifen.com.		1143	IN	NS	ns2.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns1.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns5.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns4.a.shifen.com.
a.shifen.com.		1143	IN	NS	ns3.a.shifen.com.

;; ADDITIONAL SECTION:
ns1.a.shifen.com.	1143	IN	A	61.135.165.224
ns4.a.shifen.com.	1143	IN	A	14.215.177.229
ns5.a.shifen.com.	1143	IN	A	180.76.76.95
ns3.a.shifen.com.	1143	IN	A	112.80.255.253
ns2.a.shifen.com.	1143	IN	A	220.181.33.32

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jun 15 10:33:28 EDT 2020
;; MSG SIZE  rcvd: 299

nslookup: supported on both Windows and Linux, and interactive

[root@localhost ~]# nslookup 
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.baidu.com
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:  # non-authoritative result
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39

Is the returned content an authoritative result?

[root@localhost ~]# dig www.baidu.com @106.11.211.61

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.baidu.com @106.11.211.61
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 675
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
			# the aa flag here means the result is authoritative
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; AUTHORITY SECTION:
baidu.com.		600	IN	SOA	ns1.alidns.com. hostmaster.hichina.com. 2019090319 3600 1200 86400 360

;; Query time: 34 msec
;; SERVER: 106.11.211.61#53(106.11.211.61)
;; WHEN: Mon Jun 15 10:43:10 EDT 2020
;; MSG SIZE  rcvd: 114

[root@localhost ~]# nslookup 
> server 106.11.211.61
Default server: 106.11.211.61
Address: 106.11.211.61#53
> www.baidu.com
Server:		106.11.211.61
Address:	106.11.211.61#53

www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.38
Name:	www.a.shifen.com
Address: 14.215.177.39

Make the DNS service listen on all addresses

Edit the configuration file

[root@localhost ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback

# /etc/named.conf


[root@localhost ~]# vim /etc/named.conf

//
// named.conf
//
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { 127.0.0.1; };// change to localhost or 0.0.0.0; commenting this line out has the same effect
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";// default directory for zone files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; };// who may query; can be changed to any; commenting this line out has the same effect

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes; // encryption options; these two are best changed to no
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";// the 13 IPv4 root server addresses on the Internet; the path is relative to the directory "/var/named" set above
};
// includes the configuration of other zones; we should use the same include approach when adding our own domain
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";


Check the syntax

[root@localhost ~]# named-checkconf 
[root@localhost ~]# rndc reload
server reload successful

At this point the server can act as a DNS forwarder
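The comment block in named.conf above warns that a recursive server reachable by everyone ends up in DNS amplification attacks. The following added check (not part of the original post and not a BIND tool) reads the options block and applies BIND's documented fallback for who may recurse (allow-recursion, else allow-query-cache, else allow-query, else localnets and localhost) to flag an open resolver; the three configurations are constructed from the options shown above.

```python
"""Flag an open recursive resolver from the options block of named.conf.

Added example; not part of the original post and not a BIND tool. It parses
the options the post shows and applies BIND's documented fallback for who may
recurse: allow-recursion, else allow-query-cache, else allow-query, else
localnets and localhost. The three configurations below are constructed from
the options listed above.
"""
import re


def strip_comments(text):
    """Remove the /* */, // and # comment forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_block(text):
    """Text between the braces of `options { ... };`, nested braces included."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]


def address_list(block, name):
    """['localhost'] for `allow-query { localhost; };`; None if the statement is absent."""
    m = re.search(r"(?<![-\w])" + re.escape(name) + r"(?![-\w])[^{;]*\{([^}]*)\}", block)
    return [a.strip() for a in m.group(1).split(";") if a.strip()] if m else None


def yes_no(block, name, default):
    """'yes' or 'no' for a boolean statement such as `recursion yes;`."""
    m = re.search(r"(?<![-\w])" + re.escape(name) + r"\s+(yes|no)\s*;", block)
    return m.group(1) if m else default


def effective_recursion_acl(block):
    """Who may recurse once BIND's defaults are applied."""
    for stmt in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = address_list(block, stmt)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]


def audit_options(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    block = options_block(strip_comments(conf_text))
    findings = []
    acl = effective_recursion_acl(block)
    if yes_no(block, "recursion", "yes") == "yes" and any(a in ("any", "0.0.0.0/0", "::/0") for a in acl):
        findings.append("open resolver: recursion yes with recursion allowed from "
                        + " ".join(acl) + "; add allow-recursion { <your networks>; }")
    if yes_no(block, "dnssec-validation", "yes") == "no":
        findings.append("dnssec-validation no: answers from upstream are not validated")
    return findings


# The options the stock named.conf above carries (comments omitted).
DEFAULT_CONF = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
zone "." IN { type hint; file "named.ca"; };
"""
# The "listen on all addresses" change from above: listen-on and allow-query opened up.
OPENED_CONF = DEFAULT_CONF.replace("{ 127.0.0.1; }", "{ any; }").replace("{ localhost; }", "{ any; }")
# Same listeners, but recursion restricted to the server's own networks.
HARDENED_CONF = OPENED_CONF.replace(
    "recursion yes;", "recursion yes;\n        allow-recursion { localnets; localhost; };")
```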

View the contents of named.ca

[root@localhost ~]# cat /var/named/named.ca 

; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:  # the 13 root servers
.			518400	IN	NS	a.root-servers.net.
.			518400	IN	NS	b.root-servers.net.
.			518400	IN	NS	c.root-servers.net.
.			518400	IN	NS	d.root-servers.net.
.			518400	IN	NS	e.root-servers.net.
.			518400	IN	NS	f.root-servers.net.
.			518400	IN	NS	g.root-servers.net.
.			518400	IN	NS	h.root-servers.net.
.			518400	IN	NS	i.root-servers.net.
.			518400	IN	NS	j.root-servers.net.
.			518400	IN	NS	k.root-servers.net.
.			518400	IN	NS	l.root-servers.net.
.			518400	IN	NS	m.root-servers.net.

;; ADDITIONAL SECTION:
# IPv4 addresses
a.root-servers.net.	518400	IN	A	198.41.0.4
b.root-servers.net.	518400	IN	A	199.9.14.201
c.root-servers.net.	518400	IN	A	192.33.4.12
d.root-servers.net.	518400	IN	A	199.7.91.13
e.root-servers.net.	518400	IN	A	192.203.230.10
f.root-servers.net.	518400	IN	A	192.5.5.241
g.root-servers.net.	518400	IN	A	192.112.36.4
h.root-servers.net.	518400	IN	A	198.97.190.53
i.root-servers.net.	518400	IN	A	192.36.148.17
j.root-servers.net.	518400	IN	A	192.58.128.30
k.root-servers.net.	518400	IN	A	193.0.14.129
l.root-servers.net.	518400	IN	A	199.7.83.42
m.root-servers.net.	518400	IN	A	202.12.27.33
# IPv6 addresses; the cache time 518400 is in seconds
a.root-servers.net.	518400	IN	AAAA	2001:503:ba3e::2:30
b.root-servers.net.	518400	IN	AAAA	2001:500:200::b
c.root-servers.net.	518400	IN	AAAA	2001:500:2::c
d.root-servers.net.	518400	IN	AAAA	2001:500:2d::d
e.root-servers.net.	518400	IN	AAAA	2001:500:a8::e
f.root-servers.net.	518400	IN	AAAA	2001:500:2f::f
g.root-servers.net.	518400	IN	AAAA	2001:500:12::d0d
h.root-servers.net.	518400	IN	AAAA	2001:500:1::53
i.root-servers.net.	518400	IN	AAAA	2001:7fe::53
j.root-servers.net.	518400	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	518400	IN	AAAA	2001:7fd::1
l.root-servers.net.	518400	IN	AAAA	2001:500:9f::42
m.root-servers.net.	518400	IN	AAAA	2001:dc3::35

;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE  rcvd: 811

After changing the configuration, prefer reload to restarting the service

  • Restarting the service changes the PID and disconnects the users currently being served
rndc reload

Implementing forward resolution

Resolve flamenca.com to an IP

Master forward-resolution DNS server

type: master

type: hint

Master DNS server configuration

// in /etc/named.conf
// comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query     { localhost; };

// a zone: the range of names this server resolves
zone "ZONE_NAME" IN {
        type {hint|master|slave|forward};
        file "ZONE_NAME.zone";
};

// import zone definitions with include
include "/etc/named.XXX.zones";
// e.g.
include "/etc/named.rfc1912.zones";

Look at the included file /etc/named.rfc1912.zones

[root@localhost ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "flamenca.com" IN {
    type master;
    file "flamenca.com.zone"; // this zone file still has to be created
};

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

Setting zone file permissions and group ownership

When creating your own zone file, make sure its permissions match: normally 640, with group named

[root@localhost named]# cd /var/named/
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named   23 Jun 15 10:31 data
drwxrwx---. 2 named named   60 Jun 17 06:50 dynamic
-rw-r-----. 1 root  named 2253 Apr 24 09:54 named.ca
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.empty
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.localhost
-rw-r-----. 1 root  named  168 Apr 24 09:54 named.loopback
drwxrwx---. 2 named named    6 Apr 24 09:54 slaves

Why not grant permissions to other users? If "other" had access, an attacker could learn the company's network layout from the zone data and use it to attack

Create my zone file

[root@localhost named]# pwd
/var/named
[root@localhost named]# touch flamenca.com.zone
[root@localhost named]# id named
uid=25(named) gid=25(named) groups=25(named)
# change the group
[root@localhost named]# chgrp named flamenca.com.zone 
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named   23 Jun 15 10:31 data
drwxrwx---. 2 named named   60 Jun 17 06:50 dynamic
# the file I just created
-rw-r--r--  1 root  named    0 Jun 17 07:41 flamenca.com.zone
-rw-r-----. 1 root  named 2253 Apr 24 09:54 named.ca
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.empty
-rw-r-----. 1 root  named  152 Apr 24 09:54 named.localhost
-rw-r-----. 1 root  named  168 Apr 24 09:54 named.loopback
drwxrwx---. 2 named named    6 Apr 24 09:54 slaves

[root@localhost named]# chmod o= flamenca.com.zone 
[root@localhost named]# ll flamenca.com.zone 
-rw-r----- 1 root named 0 Jun 17 07:41 flamenca.com.zone

Reference zone file contents

# you can use named.localhost as a reference
[root@localhost named]# pwd
/var/named
[root@localhost named]# cat named.localhost  
;;;;;;;;;;;;;;;   SOA   ;;;;;;;;;;;;;;;;;;;;;;;

$TTL 1D ; 1D = 1 day
; the zone being managed (@ = the current origin)
@	IN SOA	@ rname.invalid. (
					0	; serial: serial number
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum: TTL for negative answers
; a blank owner name at the front is inherited from the previous record, i.e. @
	NS	@
	A	127.0.0.1
	AAAA	::1


;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

Resource record types

A zone database is made up of many RRs:

Resource Record (RR)

Record types: A, AAAA, PTR, SOA, NS, CNAME, MX

  • SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone

  • A: Internet Address; maps FQDN -> IP

  • AAAA: FQDN -> IPv6

  • PTR: PoinTeR; maps IP -> FQDN

  • NS: Name Server; names the DNS servers of the current zone

  • CNAME: Canonical Name; an alias record

  • MX: Mail eXchange; the mail exchanger

  • TXT: a way to label and describe a domain name; commonly used for verification records such as SPF (anti-spam) and HTTPS certificate validation, for example:

    _dnsauth TXT XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    

Format of a resource record (RR) definition

name		[TTL]		IN		rr_type		value
#domain name	cache time	fixed value	one of the types above	IP or other value

Note:

  • TTL can be inherited from the global $TTL
  • The "@" symbol refers to the name of the current zone
  • The same name can be given several different values through multiple records; the DNS server then answers in round-robin fashion
  • The same value may also be defined under several different names (several names pointing to one value); this only means that the same host can be reached through several names

Master/slave synchronization

Push:

The master pushes its data to the slave for synchronization

Pull:

The slave pulls the master's data to itself for synchronization; this happens at a time interval

The slave's serial number mechanism

  • Zone database version number: when the master's zone database changes, its serial number increments
  • Refresh interval: how often the slave asks the master to synchronize the zone
  • Retry interval: how long the slave waits before trying again after a failed synchronization request
  • Expire time: how long after losing contact with the master the slave stops serving the zone
  • Notify mechanism (push): when the master's zone database changes, it actively notifies the slaves

The condition for deciding that data has been updated: the zone database's serial number
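An added example, not from the original post or BIND, of the decision the slave makes at refresh time: it reads the five SOA numbers from the post's own zone text and compares serials in the 32-bit wrap-around arithmetic of RFC 1982, which is why a serial that wraps past 4294967295 still counts as newer. The slave serials passed in are constructed values.

```python
"""Serial-number logic behind master/slave synchronisation.

Added example; not from the original post or BIND. A slave transfers the
zone only when the master's SOA serial is newer, and "newer" is decided in
32-bit serial-number arithmetic (RFC 1982), so a serial that wraps past
4294967295 still counts as an increase. MASTER_ZONE is the post's own
example; the slave serials used with it are constructed.
"""
import re

SERIAL_MOD = 1 << 32
HALF = 1 << 31
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(tok):
    """Expand BIND time shorthand: '1D' -> 86400, '10M' -> 600, '300' -> 300."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", tok)
    if not m:
        raise ValueError(f"not a time value: {tok!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower() or "s"]


def parse_soa(zone_text):
    """Read mname, rname and the five SOA numbers from a zone written in the
    multi-line '( ... )' form the post uses; ';' comments are ignored."""
    body = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\b(.*?)\((.*?)\)", body, flags=re.S)
    if not m:
        raise ValueError("no SOA record found")
    mname, rname = m.group(1).split()
    fields = m.group(2).split()
    if len(fields) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    soa = dict(zip(("serial", "refresh", "retry", "expire", "minimum"),
                   (ttl_seconds(f) for f in fields)))
    soa.update(mname=mname, rname=rname)
    return soa


def serial_gt(a, b):
    """True if serial a is 'greater than' b under RFC 1982 arithmetic."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < HALF) or (b > a and b - a > HALF)


def slave_action(master_zone, slave_serial):
    """What a slave does at refresh time: 'transfer' if the master is newer
    (or the slave has no copy yet), 'up-to-date' if equal, 'master-older' if
    the master went backwards, the usual symptom of an edit that forgot to
    bump the serial."""
    master = parse_soa(master_zone)["serial"]
    if slave_serial is None or serial_gt(master, slave_serial):
        return "transfer"
    if master == slave_serial % SERIAL_MOD:
        return "up-to-date"
    return "master-older"


# The post's own master zone header.
MASTER_ZONE = """\
$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;
        NS      ns1
ns1     A       192.168.33.129
"""
```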

SOA record

  • name: the name of the current zone, e.g. "flamenca.com."
  • value: consists of several parts

Note:

  • The FQDN of the current zone's master DNS server; the zone name itself can also be used

  • The mailbox of the current zone's administrator; the address cannot contain the @ symbol, which is usually replaced by a dot, e.g. admin.flamenca.com

  • The parameters for master/slave zone transfer, and the uniform TTL for negative answers

Example:


# 									master DNS server name	administrator mailbox
flamenca.com.	86400	IN	SOA		ns.flamenca.com.	admin.flamenca.com.	(
		1234	; serial number
		2H		; refresh time
		10M		; retry time
		1W		; expire time (1 week)
		1D		; TTL for negative answers: caches nonexistent or erroneous lookups
	)	

Now write our own version

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2


Check that the configuration file and the zone file are well-formed

[root@localhost named]# named-checkconf 


[root@localhost named]# named-checkzone flamenca.com /var/named/flamenca.com.zone 
zone flamenca.com/IN: loaded serial 20200618
OK

Configuration done; reload

[root@localhost named]# rndc reload
server reload successful

Test www.flamenca.com with dig

[root@localhost named]# dig www.flamenca.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45146
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;;	note the aa flag
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 92156a57011b8a24f1b619f95eeb77481eedcaa191394c91 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:				;; CNAME resolved successfully
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	192.168.33.130

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 10:16:40 EDT 2020
;; MSG SIZE  rcvd: 148

Start the other VM, 192.168.33.130

# with the httpd service already installed
[root@localhost ~]# echo www.flamenca.com > /var/www/html/index.html
[root@localhost ~]# systemctl start httpd

Access the site content with curl


[root@localhost named]# curl www.flamenca.com
www.flamenca.com

Forward resolution is complete.

A records

name: the FQDN of a host

value: the IP address of that host

To avoid answering with an error when a user mistypes a name, wildcard resolution can send such names to a specific address

www.flamenca.com.		IN		A		192.168.33.129
$GENERATE 1-254 HOST$	IN		A		1.2.3.$
*.flamenca.com.			IN		A		192.168.33.129

Allowing dynamic updates

Dynamic update: resource records in the zone database can be updated remotely. This carries a security risk

To enable dynamic updates, add the following to the zone statement block in question

allow-update { any; };
# list specific IPs inside the braces instead of any to limit which hosts may change the zone remotely


Implementing a reverse resolution zone

The ARPA top-level domain

Maps IP -> FQDN

# 192.168.33.130 -> www.flamenca.com

# resolved in the reversed form 130.33.168.192

# the zone name is 33.168.192.in-addr.arpa
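The reversal above is mechanical, so here is an added helper (not part of the original post) that derives the PTR owner name, the zone name for a prefix, and a ready-to-paste PTR line; it generalises to IPv6, reproducing the ip6.arpa zone for ::1 that named.rfc1912.zones lists, and rejects prefixes that do not sit on an octet or nibble boundary. The input addresses are the post's own.

```python
"""Build in-addr.arpa / ip6.arpa names for the reverse zone above.

Added example; not from the original post. It generalises the post's
130.33.168.192.in-addr.arpa case to any prefix, including the ip6.arpa
zone for ::1 that named.rfc1912.zones carries. The addresses used are
the post's own; nothing else is assumed.
"""
import ipaddress


def reverse_name(ip):
    """Full PTR owner name: '192.168.33.130' -> '130.33.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone(network):
    """Zone name for a prefix: '192.168.33.0/24' -> '33.168.192.in-addr.arpa'.
    IPv4 needs an octet boundary and IPv6 a nibble boundary; anything else
    (e.g. a /25) needs the RFC 2317 delegation trick and is rejected here."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{network}: IPv4 reverse zones need /8, /16, /24 or /32")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError(f"{network}: IPv6 reverse zones need a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_owner(ip, network):
    """Relative owner to write inside that zone: ('192.168.33.130', '192.168.33.0/24') -> '130'.
    For a single-address zone (/32, /128) the owner is the apex, '@'."""
    full, zone = reverse_name(ip), reverse_zone(network)
    if full == zone:
        return "@"
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {network}")
    return full[: -len(zone) - 1]


def ptr_record(ip, network, fqdn):
    """One PTR line for the zone file, e.g. '130\\tPTR\\twww.flamenca.com.'"""
    if not fqdn.endswith("."):
        fqdn += "."  # a PTR target must be absolute, or the origin gets appended to it
    return f"{ptr_owner(ip, network)}\tPTR\t{fqdn}"
```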

Creating the reverse zone

[root@localhost named]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
...
// example of a reverse zone
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
// our own version
zone "33.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.33.zone";
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "flamenca.com" IN {
        type master;
        file "flamenca.com.zone";
};

Create the corresponding 192.168.33.zone file

[root@localhost named]# cd /var/named
[root@localhost named]# vim 192.168.33.zone 

$TTL 1D
@       IN SOA  master.flamenca.com. admin.flamenca.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                        NS      master.flamenca.com.          ; master.flamenca.com
master.flamenca.com.    A       192.168.33.129  ; DNS server IP
130                     PTR     www.flamenca.com.       ; 130=192.168.33.130
129                     PTR     master.flamenca.com.

Test with dig -t ptr

[root@localhost named]# dig -t ptr 130.33.168.192.in-addr.arpa

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> -t ptr 130.33.168.192.in-addr.arpa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57764
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4144c2e7128bcbfe71b5ddc85eeb903f2aff58e8dfc42c99 (good)
;; QUESTION SECTION:
;130.33.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
130.33.168.192.in-addr.arpa. 86400 IN	PTR	www.flamenca.com.

;; AUTHORITY SECTION:
33.168.192.in-addr.arpa. 86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 12:03:11 EDT 2020
;; MSG SIZE  rcvd: 151

The dig -x reverse lookup command

[root@localhost named]# dig -x 192.168.33.130

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> -x 192.168.33.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48564
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 89904e21ae5e908c7364f7c45eeb90b72b27912d58d0fa0c (good)
;; QUESTION SECTION:
;130.33.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
130.33.168.192.in-addr.arpa. 86400 IN	PTR	www.flamenca.com.

;; AUTHORITY SECTION:
33.168.192.in-addr.arpa. 86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Thu Jun 18 12:05:11 EDT 2020
;; MSG SIZE  rcvd: 151

Mail systems use reverse resolution to check whether a sending host is legitimate and filter out spam

Multiple hosts

Deploy multiple DNS servers for fault tolerance

One hostname pointing to several IPs

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
;;;;;;;;;; one hostname pointing to several IPs for fault tolerance ;;;;;;;;;;
webserv A       192.168.33.130
webserv A       192.168.33.131
webserv A       192.168.33.132
;;;;; one domain name externally, several servers behind it: load balancing ;;;;;
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

Fault tolerance

When a user mistypes a domain name, a wildcard points it at a prepared host

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2
;######## wildcard ##############
*		CNAME	webserv
;###############################
; any name not listed above is sent to the webserv host

Note: * does not match an empty label

* does not match the bare flamenca.com (no prefix)

Solution

$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
 
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;


        NS      ns1
ns1     A       192.168.33.129
webserv A       192.168.33.130
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2
;######## wildcard ##############
*		CNAME	webserv
;###############################
; any name not listed above is sent to the webserv host

;######## apex (@) A record ############
@		A		192.168.33.129
;######## the apex cannot be a CNAME ####
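To show how BIND actually applies the records above, here is an added Python example (my own code, not from the page and not BIND's) that parses a zone file in the page's format and answers queries the way the server would: CNAME chasing, round-robin rotation of the three webserv A records, the RFC 4592 wildcard rule that * only covers names whose closest existing ancestor is its parent (so it never answers for the apex, which always exists, nor for names under an existing name), and the check that a CNAME may not share its owner with other records, which is why @ cannot be a CNAME. The zone text is constructed from the records shown on the page.

```python
import re
from collections import defaultdict

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed from the records shown above (SOA field comments added)
ZONE_TEXT = """\
$TTL 1D
@       IN      SOA     ns1.flamenca.com.       admin.flamenca.com.(
        20200618        ; serial
        1D              ; refresh
        10M             ; retry
        3D              ; expire
        2H)             ; minimum
        NS      ns1
webserv A       192.168.33.130
webserv A       192.168.33.131
webserv A       192.168.33.132
www     CNAME   webserv
app     A       1.1.1.1
*       CNAME   webserv
@       A       192.168.33.129
"""


def parse_ttl(token):
    """BIND TTL syntax: plain seconds or units such as 1D, 10M, 2H, 1W."""
    return sum(int(n) * UNITS.get(u, 1) for n, u in re.findall(r"(\d+)([smhdw]?)", token.lower()))


class Zone:
    """Minimal master-file parser plus the query logic of an authoritative server."""

    def __init__(self, origin, text):
        self.origin = origin.lower().rstrip(".") + "."
        self.rrsets = defaultdict(lambda: defaultdict(list))   # owner -> type -> [(ttl, rdata)]
        self.rotation = defaultdict(int)                         # round-robin offset per RRset
        self._parse(text)

    def _absolute(self, name):
        name = name.lower()
        return self.origin if name == "@" else name if name.endswith(".") else f"{name}.{self.origin}"

    def _parse(self, text):
        default_ttl, owner, buf, inherit = 86400, self.origin, [], False
        for raw in text.splitlines():
            line = raw.split(";", 1)[0].rstrip()                 # ';' starts a comment
            if not line.strip():
                continue
            if not buf:
                inherit = line[0].isspace()                      # leading blank: same owner as before
            buf.append(line)
            joined = " ".join(buf)
            if joined.count("(") != joined.count(")"):
                continue                                         # record continues (multi-line SOA)
            buf = []
            toks = joined.replace("(", " ").replace(")", " ").split()
            if toks[0] == "$TTL":
                default_ttl = parse_ttl(toks[1])
                continue
            if not inherit:
                owner = self._absolute(toks.pop(0))
            ttl = parse_ttl(toks.pop(0)) if re.fullmatch(r"\d+[smhdw]?", toks[0], re.I) else default_ttl
            if toks[0].upper() == "IN":
                toks.pop(0)
            rtype, rdata = toks[0].upper(), toks[1:]
            if rtype in ("CNAME", "NS"):
                rdata = [self._absolute(rdata[0])]
            self.rrsets[owner][rtype].append((ttl, rdata if rtype == "SOA" else rdata[0]))

    def closest_encloser(self, qname):
        """Longest existing ancestor of qname (RFC 4592), or None."""
        labels = qname.split(".")
        return next((".".join(labels[i:]) for i in range(len(labels)) if ".".join(labels[i:]) in self.rrsets), None)

    def problems(self):
        """What named-checkzone rejects: a CNAME sharing its owner with other data (so never at @)."""
        return [n for n, rrs in self.rrsets.items() if "CNAME" in rrs and len(rrs) > 1]

    def resolve(self, qname, qtype):
        """Answer like BIND would: (status, [(owner, type, rdata), ...])."""
        qname, answers = self._absolute(qname), []
        for _ in range(8):                                       # bounded CNAME chase
            if qname in self.rrsets:
                rrs = self.rrsets[qname]
            else:
                # the wildcard only stands in when the closest existing ancestor is its parent;
                # the apex always exists (SOA/NS), so '*' never answers for flamenca.com. itself
                wild = "*." + (self.closest_encloser(qname) or "")
                if wild not in self.rrsets:
                    return "NXDOMAIN", answers
                rrs = self.rrsets[wild]
            if "CNAME" in rrs and qtype != "CNAME":
                target = rrs["CNAME"][0][1]
                answers.append((qname, "CNAME", target))
                qname = target
                continue
            rdatas = [rd for _, rd in rrs.get(qtype, [])]
            k = self.rotation[(qname, qtype)] % len(rdatas) if rdatas else 0
            self.rotation[(qname, qtype)] += 1                   # rotate for the next client
            return "NOERROR", answers + [(qname, qtype, rd) for rd in rdatas[k:] + rdatas[:k]]
        return "SERVFAIL", answers
```

`Zone("flamenca.com", ZONE_TEXT).resolve("oops", "A")` returns the wildcard CNAME followed by the rotated webserv addresses, `resolve("x.app", "A")` is NXDOMAIN because app already exists, and `resolve("@", "A")` on a copy without the apex A record returns NOERROR with no data, which is the behaviour the note above describes. Replacing the apex A record with a CNAME makes `problems()` report flamenca.com., just as named-checkzone would.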


Setting up a slave server

Its main job is to keep a synchronized copy of the master's zone data

VM 192.168.33.130 will be the slave server

[root@localhost ~]# yum install bind -y

Edit the configuration file

[root@localhost ~]# vim /etc/named.conf 

//
// named.conf
//

options {
//      listen-on port 53 { 127.0.0.1; };
        ...
//      allow-query     { localhost; };
};
# comment out these two lines

Edit named.rfc1912.zones and define the same zone as on the master


[root@localhost ~]# vim /etc/named.rfc1912.zones 

// named.rfc1912.zones:
//
//

zone "flamenca.com" IN {
        type slave;
        masters { 192.168.33.129; };            // master server address
        file "slaves/flamecna.com.zone.slave";  // relative to the directory option (/var/named)
};

...

Slave zone data is stored under /var/named/slaves

Restart named

[root@localhost ~]# systemctl restart named

[root@localhost ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 422 Jun 19 09:00 flamecna.com.zone.slave
# success
# the file is not plain text: the slave stores it in BIND's raw (binary) zone format

Add the slave server to the master's zone configuration

So that the master pushes updates (NOTIFY) to the slave, add an NS record pointing at it

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;
        
        NS      master
        NS      slave	; the name does not matter, but there must be an NS record pointing at the slave
master  A       192.168.33.129
slave   A       192.168.33.130	; slave server IP
webserv A       192.168.33.130
webserv A       192.168.33.129
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

How to make the slave sync immediately

# delete the previously transferred slave file and restart named

# for the slave to pick up changes, the serial number in the master's zone must be increased first
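An added Python example (not from the page) of the rule behind this note: a slave only transfers the zone when the master's SOA serial is newer under RFC 1982 serial arithmetic, so a serial that is left unchanged, or lowered, after an edit silently leaves the slave stale. The next_serial helper bumps a date-based serial such as the page's 20200618 into the common YYYYMMDDnn form; the function names are my own.

```python
MODULUS = 1 << 32       # SOA serials are unsigned 32-bit numbers
HALF = 1 << 31


def serial_newer(a, b):
    """RFC 1982: True if serial a is 'greater than' serial b in wraparound space."""
    a, b = a % MODULUS, b % MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_should_transfer(master_serial, slave_serial):
    """The refresh check (or a NOTIFY) only triggers a zone transfer when the master is newer."""
    return serial_newer(master_serial, slave_serial)


def next_serial(current, today):
    """Next YYYYMMDDnn serial. If today's base would not count as newer than the
    current serial (several edits on one day), increment instead."""
    base = int(today) * 100
    return base if serial_newer(base, current) else (current + 1) % MODULUS


if __name__ == "__main__":
    s = 20200618                      # serial used in the page's zone files
    for _ in range(3):
        s = next_serial(s, "20200619")
        print(s, "slave transfers:", slave_should_transfer(s, 20200618))
```

Note the last assertion in the test: if the master's serial is ever set lower than what the slave already holds, the slave never transfers again until the master's serial overtakes it, which is the failure mode that "delete the slave file and restart" works around.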

Check the log file

[root@localhost ~]# tail /var/log/messages 

Query the slave from .129

[root@localhost named]# dig www.flamenca.com @192.168.33.130

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com @192.168.33.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37118
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d486ed5b13c2f6b138aafd7d5eec0f245ea686e6c545bf36 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	192.168.33.130

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.130#53(192.168.33.130)
;; WHEN: Thu Jun 18 13:04:39 EDT 2020
;; MSG SIZE  rcvd: 148

Resolution succeeded

Security on the master server

How to restrict who may act as a slave?

On CentOS 6 the whole zone could be pulled directly with a zone transfer:

dig -t axfr flamenca.com @192.168.33.129

Allow only the designated slave host to transfer the zone

vim /etc/named.conf

allow-transfer	{192.168.33.130;};

# the slave should have a matching setting
allow-transfer	{none;};

Subdomains

Add the subdomain records to the parent zone file /var/named/flamenca.com.zone

[root@localhost named]# vim flamenca.com.zone 

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
        NS      slave
www.ziyu01.flamenca.com.    A       1.1.1.2
blog.ziyu01.flamenca.com.   A       1.1.1.3

master  A       192.168.33.129
slave   A       192.168.33.130
webserv A       192.168.33.130
webserv A       192.168.33.129
www     CNAME   webserv
app     A       1.1.1.1
db      A       2.2.2.2

Restart the service after adding the records

systemctl restart named

Test with dig

[root@localhost named]# dig www.ziyu01.flamenca.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.ziyu01.flamenca.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: bdfe8b341c9306586f9e1aae5eec4993aef5ff24ca69e188 (good)
;; QUESTION SECTION:
;www.ziyu01.flamenca.com.	IN	A

;; ANSWER SECTION:
www.ziyu01.flamenca.com. 86400	IN	A	1.1.1.2

;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.
flamenca.com.		86400	IN	NS	slave.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129
slave.flamenca.com.	86400	IN	A	192.168.33.130

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jun 19 01:13:55 EDT 2020
;; MSG SIZE  rcvd: 169

Success

A dedicated DNS server for the subdomain

Parent and child zones on separate servers

# define a subdomain named ziyu02 whose server is 192.168.33.131
[root@localhost named]# vim flamenca.com.zone 

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
        NS      slave
ziyu02  NS      ziyu02serv
www.ziyu01.flamenca.com.        A       1.1.1.2
blog.ziyu02.flamenca.com.       A       1.1.1.3
ziyu02serv                      A       192.168.33.131
master  A       192.168.33.129
slave   A       192.168.33.130
webserv A       192.168.33.130

Set up the subdomain DNS server on 192.168.33.131

[root@centos8 named]# vim /etc/named.conf 

//
  
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };
        allow-transfer  {none;};

Add the subdomain zone to /etc/named.rfc1912.zones

zone "ziyu02.flamenca.com" IN {
        type master;
        file "ziyu02.flamenca.com.zone";

};

Go to /var/named/ and create ziyu02.flamenca.com.zone

[root@centos8 named]# vim ziyu02.flamenca.com.zone

$TTL 1D
@       IN      SOA     ziyu02  admin   (
                1       ; serial
                1H      ; refresh
                5M      ; retry
                1D      ; expire
                3H )    ; minimum

                NS      ziyu02
ziyu02          A       192.168.33.131
www             A       192.33.33.33

### set permissions so that named can read the zone file ###
[root@centos8 named]# chmod 640 ziyu02.flamenca.com.zone 
[root@centos8 named]# chgrp named ziyu02.flamenca.com.zone 

### start the service ###
[root@centos8 named]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.

### check syntax ###
[root@centos8 named]# named-checkconf
[root@centos8 named]# named-checkzone ziyu02.flamenca.com ziyu02.flamenca.com.zone 
zone ziyu02.flamenca.com/IN: loaded serial 1
OK


Test with dig

[root@centos8 named]# dig www.ziyu02.flamenca.com @192.168.33.129

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.ziyu02.flamenca.com @192.168.33.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7516
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8c25356f918d2b2e5f6f471d5eec62c946fc6fc46dc582d5 (good)
;; QUESTION SECTION:
;www.ziyu02.flamenca.com.	IN	A

;; ANSWER SECTION:
www.ziyu02.flamenca.com. 86400	IN	A	192.33.33.33

;; AUTHORITY SECTION:
ziyu02.flamenca.com.	86400	IN	NS	ziyu02serv.flamenca.com.

;; ADDITIONAL SECTION:
ziyu02serv.flamenca.com. 86400	IN	A	192.168.33.131

;; Query time: 1 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Fri Jun 19 03:01:29 EDT 2020
;; MSG SIZE  rcvd: 137

Success

Forwarding

DNS forwarding

With forwarding, clients' DNS queries are sent to a designated DNS server instead of being resolved from the root servers, and the answers that server returns are cached, which improves efficiency

Note:

  • The server being forwarded to must be willing to recurse for the requester; otherwise the forwarded query is not served
  • In the global options block, turn off DNSSEC:
 dnssec-enable no; 
 dnssec-validation no;

Forwarding modes

Global forwarding

Queries for any zone this server is not authoritative for are all forwarded to the designated server

Configured in the global options block:

// named.conf
//

options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };

        forward first|only;  // first: ask the listed forwarders, and if they cannot answer, go to the root servers itself
                             // only: send everything to the forwarders, and if they cannot answer, return an error
        forwarders { ip; };  // address of the upstream (forwarding) server
};

Per-zone forwarding

Smart DNS

Bring the site to the user's doorstep: place hosts in every city

GSLB: Global Server Load Balancing

GSLB weighs server and link conditions to decide which site's servers should answer a request, using geographically distributed server farms to maintain service quality; large companies typically spread much of this traffic steering across their DNS servers to keep response times low

The main goal of GSLB is to direct each user's request to the nearest node (or region) anywhere on the network

GSLB can be implemented with DNS, with redirects, or with routing protocols; the common approach is DNS-based resolution, and that is the logic behind smart DNS

[root@localhost named]# dig www.taobao.com

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.taobao.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19239
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.taobao.com.			IN	A

;; ANSWER SECTION:
www.taobao.com.		5	IN	CNAME	www.taobao.com.danuoyi.tbcache.com.
www.taobao.com.danuoyi.tbcache.com. 5 IN A	182.106.155.238
www.taobao.com.danuoyi.tbcache.com. 5 IN A	182.106.155.237

;; Query time: 11 msec
;; SERVER: 192.168.33.2#53(192.168.33.2)
;; WHEN: Fri Jun 19 12:01:41 EDT 2020
;; MSG SIZE  rcvd: 120

Taking Taobao as the example: when www.taobao.com is queried, the DNS server returns a different server name, www.taobao.com.danuoyi.tbcache.com.

CDN (Content Delivery Network)

CDN providers charge by traffic: for example, every hit on a 1K image is billed for 1K and every hit on a 1M image for 1M, so compressing resources matters; we will cover that later

How a CDN works

  • The user enters www.taobao.com in the browser; on the first visit there is no local DNS cache (the BIND command to flush its cache is rndc flush), so the browser queries Taobao's DNS
  • Taobao's DNS has a CNAME pointing to www.taobao.com.danuoyi.tbcache.com., which hands the request to the smart DNS load-balancing system of the CDN
  • The smart DNS load balancer resolves the name and returns the IP of the node that responds fastest for that user
  • The user sends the request to the returned node (a CDN server)
  • Since this is the first visit, the CDN server resolves the origin web site's IP through the cache's internal DNS, fetches the content from the origin server, and caches it
  • The result is returned to the user

Implementing smart DNS

ACLs in BIND

An acl groups one or more addresses into a named set that can then be referenced by that single name

Note: an acl must be defined before it is used, so acls are usually defined in the configuration file ahead of the options block

Syntax:

acl acl_name {
	ip;
	net/prefixlen;
	...
};

Example

acl shanghai {
	127.16.0.0/16;  # assume this subnet is the Shanghai network
	10.10.10.10;    # a single address; further IPs can be added
};

BIND has four built-in acls (access lists):

  • none: no host
  • any: any host
  • localhost: this machine
  • localnet: the networks obtained by applying this machine's interface netmasks to its addresses

Access-control directives

allow-query {}       # hosts allowed to query: a whitelist
allow-transfer {}    # hosts allowed to perform zone transfers: a whitelist
allow-recursion {}   # hosts allowed recursive service, i.e. whether the server will go out to the Internet to find the answer for them; recommended in the global options
allow-update {}      # hosts allowed to update the contents of the zone database

Views

Views map ACLs to zone databases, which is how smart DNS is implemented

  • One BIND server can define multiple views, and each view can define one or more zones
  • Each view matches one group of clients
  • Several views may need to resolve the same zone, but each uses a different zone database file

Note

  • Once views are enabled, every zone must be defined inside a view
  • Define the root zone only in the view serving clients that are allowed recursion
  • When a request arrives, the views' client lists are checked from top to bottom

View syntax

# Beijing view (each view needs a unique name)
view beijing {
	match-clients { beijingnet; };
	zone "flamenca.com" {
		type master;
		file "flamenca.com.zone.bj";
	};
	include "/etc/named.rfc1912.zones";
};

# Shanghai view
view shanghai {
	match-clients { shanghainet; };
	zone "flamenca.com" {
		type master;
		file "flamenca.com.zone.sh";
	};
	include "/etc/named.rfc1912.zones";
};
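As an added example that is not part of the page, the following Python evaluates BIND-style address match lists the way named does (elements checked in order, first match wins, a leading ! negates, acl names nest, plus the four built-ins) and selects a view top-down. The same evaluation is what match-clients and allow-transfer perform, so the block also answers the earlier question of which client may pull the zone. The acl and view names reuse the lab that follows; LOCAL_IFACES is my assumption about the DNS server's interfaces.

```python
import ipaddress

# Constructed from the lab below; the interface list is an assumption
ACLS = {
    "beijingnet": ["192.168.33.0/24"],
    "shanghainet": ["192.168.0.0/24"],
    "other": ["any"],
}
VIEWS = [("beijingVIEW", ["beijingnet"]),
         ("shanghaiVIEW", ["shanghainet"]),
         ("otherVIEW", ["other"])]
LOCAL_IFACES = ["192.168.33.129/24", "192.168.0.3/24", "127.0.0.1/8"]


def match_list(elements, client, acls=ACLS, ifaces=LOCAL_IFACES, depth=0):
    """Evaluate a BIND address_match_list for one client address.
    Elements are checked in order; the first that matches decides, and a leading
    '!' turns that match into a rejection. Returns True when the client is accepted."""
    if depth > 10:
        raise ValueError("acl nesting too deep (probable reference loop)")
    ip = ipaddress.ip_address(client)
    local = [ipaddress.ip_interface(i) for i in ifaces]
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":                       # any address of this server
            hit = ip.is_loopback or any(ip == i.ip for i in local)
        elif name == "localnet":                        # networks of its interfaces
            hit = any(ip in i.network for i in local)
        elif name in acls:                              # nested acl referenced by name
            hit = match_list(acls[name], str(ip), acls, ifaces, depth + 1)
        else:                                           # literal address or prefix
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client, views=VIEWS, acls=ACLS, ifaces=LOCAL_IFACES):
    """Views are tried from top to bottom; the first match-clients that accepts wins."""
    for view_name, match_clients in views:
        if match_list(match_clients, client, acls, ifaces):
            return view_name
    return None


def transfer_allowed(client, allow_transfer, acls=ACLS, ifaces=LOCAL_IFACES):
    """allow-transfer check: a client outside the list gets REFUSED on AXFR."""
    return match_list(allow_transfer, client, acls, ifaces)


if __name__ == "__main__":
    for client in ("192.168.33.130", "192.168.0.6", "127.0.0.1"):
        print(client, "->", select_view(client),
              "| AXFR allowed:", transfer_allowed(client, ["192.168.33.130"]))
```

Because the "other" view matches any, its position matters: placed first it would swallow every client, which is why the catch-all view goes last in the lab configuration.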

Lab steps

Configure one domain so that clients from the beijing subnet get 1.1.1.1, clients from shanghai get 2.2.2.2, and everyone else gets 3.3.3.3

Define three acls in /etc/named.conf: beijingnet, shanghainet and other

acl beijingnet {

};

acl shanghainet {

};

acl other {

};


options {
        //listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        //allow-query     { any; };

Prepare two VMs and create two different subnets

# add a second address to the existing NIC
# 192.168.0.8/24
[root@localhost ~]# ip a a 192.168.0.3/24 dev ens33
[root@localhost ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:9a:35:c7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.129/24 brd 192.168.33.255 scope global dynamic noprefixroute ens33
       valid_lft 1643sec preferred_lft 1643sec
    inet 192.168.0.3/24 scope global ens33
       valid_lft forever preferred_lft forever
    inet6 fe80::5f95:77de:7cad:df9e/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever


On the CentOS 7 VM, add the address 192.168.0.6/24

[root@localhost ~]# ip a a 192.168.0.6/24 dev eth0
[root@localhost ~]# ip a 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:b6:94:7d brd ff:ff:ff:ff:ff:ff
    inet 192.168.33.130/24 brd 192.168.33.255 scope global noprefixroute dynamic eth0
       valid_lft 1013sec preferred_lft 1013sec
    inet 192.168.0.6/24 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::28d1:a712:6021:917a/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

Assume:

  • 192.168.33.130/24 is the beijing subnet
  • 192.168.0.6/27 is the shanghai subnet
  • 127.0.0.1/8 is other

Now configure the acls in /etc/named.conf on the DNS server

acl beijingnet {
        192.168.33.0/24;

};

acl shanghainet {
        192.168.0.0/24;


};

acl other {
        any;

};

options {
        //listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        //allow-query     { any; };
...

Create three zone files

[root@localhost ~]# vim /etc/named.conf 
[root@localhost ~]# cd /var/named/
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.bj 
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.sh
[root@localhost named]# cp -p flamenca.com.zone flamenca.com.zone.other

Zone file flamenca.com.zone.bj

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       1.1.1.1
www     CNAME   webserv

Zone file flamenca.com.zone.sh

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (
        
        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       2.2.2.2
www     CNAME   webserv


Zone file flamenca.com.zone.other

$TTL 1D
@       IN      SOA     master.flamenca.com.    admin.flamenca.com. (

        20200618        ;
        1D              ;
        10M             ;
        3D              ;
        2H)             ;

        NS      master
master  A       192.168.33.129
webserv A       3.3.3.3
www     CNAME   webserv

Wire the zone databases into /etc/named.conf



acl beijingnet {
        192.168.33.0/24;

};

acl shanghainet {
        192.168.0.0/24;


};

acl other {
        any;

};

###################################

...

###################################
view beijingVIEW {
        match-clients { beijingnet; };
        include "/etc/named.rfc1912.zones.bj";
};

view shanghaiVIEW {
        match-clients { shanghainet; };
        include "/etc/named.rfc1912.zones.sh";
};

view otherVIEW {
        match-clients { other; };
        include "/etc/named.rfc1912.zones.other";
};

Note: once views exist, all other zone configuration must live inside a view

So we move every zone definition from the main configuration file into /etc/named.rfc1912.zones

Copy /etc/named.rfc1912.zones three times, adding the suffixes .bj, .sh and .other

[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.sh
[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.other

Edit each copy

[root@localhost named]# vim /etc/named.rfc1912.zones.bj 


zone "." IN {
        type hint;
        file "named.ca";
};


...

zone "flamenca.com" IN {
        type master;
        file "flamenca.com.zone.bj";  # point each copy at its own zone database; likewise for .sh and .other
};
          

Restart the service once everything is configured

[root@localhost named]# systemctl restart named

Testing

Use dig against 192.168.33.129 (the query leaves through the 192.168.33.130 interface), 192.168.0.3 (the query leaves through the 192.168.0.3 interface) and 127.0.0.1:

[root@localhost ~]# dig www.flamenca.com @192.168.33.129

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.flamenca.com @192.168.33.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8069
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	1.1.1.1
# 1.1.1.1 is returned as expected
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.33.129#53(192.168.33.129)
;; WHEN: Sun Jun 21 09:24:11 CST 2020
;; MSG SIZE  rcvd: 120

[root@localhost ~]# dig www.flamenca.com @192.168.0.3

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.flamenca.com @192.168.0.3
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13911
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	2.2.2.2
# 2.2.2.2 is returned as expected
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 192.168.0.3#53(192.168.0.3)
;; WHEN: Sun Jun 21 09:24:41 CST 2020
;; MSG SIZE  rcvd: 120

[root@localhost named]# dig www.flamenca.com @127.0.0.1

; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.flamenca.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53370
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 57b53af9b14534f9083ddf865eee47ff9a65289e3c32efd0 (good)
;; QUESTION SECTION:
;www.flamenca.com.		IN	A

;; ANSWER SECTION:
www.flamenca.com.	86400	IN	CNAME	webserv.flamenca.com.
webserv.flamenca.com.	86400	IN	A	3.3.3.3
# 3.3.3.3 is returned as expected; since this is the loopback address, the test only works on the DNS server itself
;; AUTHORITY SECTION:
flamenca.com.		86400	IN	NS	master.flamenca.com.

;; ADDITIONAL SECTION:
master.flamenca.com.	86400	IN	A	192.168.33.129

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun 20 13:31:43 EDT 2020
;; MSG SIZE  rcvd: 148

Building an Internet-style DNS hierarchy

Lab preparation

Use cobbler to install 8 VMs and configure their yum repositories

Prepare 8 VMs

For convenience of testing, the servers are set up in the following order

# Client
192.168.33.6
# WEB SERVER
192.168.33.68
# MASTER DNS
192.168.33.48
# SLAVE DNS
192.168.33.58
# COM DNS
192.168.33.38
# ROOT DNS
192.168.33.28
# FORWARD DNS
192.168.33.18
# LOCAL DNS
192.168.33.8
  • webserv 192.168.33.68: install the http service and bind
  • client 192.168.33.6: install bind-utils
  • all other machines: install bind
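Before the per-server configuration, here is an added Python model of the eight-VM lab (my own code, not the page's and not BIND) that answers queries the way the chain does: the LOCAL DNS forwards, the FORWARD DNS iterates from the root hint, the root and com servers return referrals with glue, and the master or slave answers. It also shows forward only versus forward first when the forwarder is down, why a forwarder that refuses recursion is useless, and that the slave keeps the zone answering while the master is down. Zone contents are copied from the lab's zone files; the model assumes each server is reachable at its lab address and that the com zone's glue for the slave is 192.168.33.58.

```python
def zone(records):
    """[(owner, type, rdata)] -> {owner: {type: [rdata, ...]}}; all names written absolute."""
    z = {}
    for owner, rtype, rdata in records:
        z.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    return z

# Constructed copies of the lab zones (root.zone, com.zone, coralloveme.com.zone)
ROOT = zone([(".", "NS", "master."), ("master.", "A", "192.168.33.28"),
             ("com.", "NS", "com."), ("com.", "A", "192.168.33.38")])
COM = zone([("com.", "NS", "com."), ("com.", "A", "192.168.33.38"),
            ("coralloveme.com.", "NS", "master.com."), ("coralloveme.com.", "NS", "slave.com."),
            ("master.com.", "A", "192.168.33.48"),
            ("slave.com.", "A", "192.168.33.58")])     # assumption: slave glue = its lab address
CORAL = zone([("coralloveme.com.", "NS", "master.coralloveme.com."),
              ("coralloveme.com.", "NS", "slave.coralloveme.com."),
              ("master.coralloveme.com.", "A", "192.168.33.48"),
              ("slave.coralloveme.com.", "A", "192.168.33.58"),
              ("www.coralloveme.com.", "A", "192.168.33.68")])


def server(zones=None, recursion=True, forward=None, hints=("192.168.33.28",)):
    """One named instance: loaded zones, recursion yes/no, optional (mode, forwarders), root hints."""
    return {"zones": zones or {}, "recursion": recursion, "forward": forward, "hints": list(hints)}


LAB = {
    "192.168.33.28": server({".": ROOT}),                          # ROOT DNS
    "192.168.33.38": server({"com.": COM}),                        # COM DNS
    "192.168.33.48": server({"coralloveme.com.": CORAL}),          # MASTER DNS
    "192.168.33.58": server({"coralloveme.com.": CORAL}),          # SLAVE DNS (transferred copy)
    "192.168.33.18": server(),                                     # FORWARD DNS: iterates from the root
    "192.168.33.8": server(forward=("only", ["192.168.33.18"])),   # LOCAL DNS: forward only
}


def ancestors(name):
    """'www.coralloveme.com.' -> [itself, 'coralloveme.com.', 'com.', '.']"""
    labels = name.rstrip(".").split(".") if name != "." else []
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def authoritative_answer(srv, qname, qtype):
    """Non-recursive reply from loaded zones: ANSWER, REFERRAL (with glue), NXDOMAIN or NOZONE."""
    anc = ancestors(qname)
    apex = next((a for a in anc if a in srv["zones"]), None)
    if apex is None:
        return "NOZONE", [], []
    z = srv["zones"][apex]
    for cut in reversed(anc[:anc.index(apex)]):                   # delegation nearest the apex wins
        if "NS" in z.get(cut, {}):
            glue = [ip for ns in z[cut]["NS"] for ip in z.get(ns, {}).get("A", [])]
            return "REFERRAL", z[cut]["NS"], glue
    if qname in z:
        return "ANSWER", [(qname, qtype, rd) for rd in z[qname].get(qtype, [])], []
    return "NXDOMAIN", [], []


def iterate(net, qname, qtype, ips, depth=0):
    """What the FORWARD DNS does: follow referrals from the root hint down to the authority."""
    if depth > 8:
        return "SERVFAIL", []
    for ip in ips:
        if ip not in net:
            continue                                              # server down: try the next NS
        status, answers, glue = authoritative_answer(net[ip], qname, qtype)
        if status == "ANSWER":
            return "NOERROR", answers
        if status == "REFERRAL" and glue:
            return iterate(net, qname, qtype, glue, depth + 1)
        if status == "NXDOMAIN":
            return "NXDOMAIN", []
    return "SERVFAIL", []


def resolve(net, dns_ip, qname, qtype, depth=0):
    """A client's recursive query to dns_ip: own zones, then forwarders, then iteration."""
    if depth > 8:
        return "SERVFAIL", []
    srv = net[dns_ip]
    status, answers, _ = authoritative_answer(srv, qname, qtype)
    if status == "ANSWER":
        return "NOERROR", answers
    if status == "NXDOMAIN":
        return "NXDOMAIN", []
    if srv["forward"]:
        mode, forwarders = srv["forward"]
        for fwd in forwarders:
            if fwd in net and net[fwd]["recursion"]:              # forwarder must recurse for us
                return resolve(net, fwd, qname, qtype, depth + 1)
        if mode == "only":
            return "SERVFAIL", []                                 # forward only: no fallback
    if not srv["recursion"]:
        return "REFUSED", []
    return iterate(net, qname, qtype, srv["hints"])


if __name__ == "__main__":
    print(resolve(LAB, "192.168.33.8", "www.coralloveme.com.", "A"))
```

`resolve(LAB, "192.168.33.8", "www.coralloveme.com.", "A")` walks client, LOCAL, FORWARD, root, com, master and returns 192.168.33.68, which is the path the dig outputs below confirm one hop at a time.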

Configuration

webserv

[root@webserv ~]# curl 192.168.33.68
www.coralloveme.com
# install the http service and create a token www.coralloveme.com home page

Configure named.conf

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };



dnssec-enable no;
dnssec-validation no;

Client

# point the client's DNS at the LOCAL DNS
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 

TYPE=Ethernet
DEVICE=eth0
BOOTPROTO=static
IPADDR=192.168.33.6
NETMASK=255.255.255.0
ONBOOT=yes
DNS1=192.168.33.8
####
[root@client ~]# systemctl restart network
[root@client ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.33.8
####
[root@client ~]# curl 192.168.33.68
www.coralloveme.com

With the client's DNS set to the LOCAL DNS, test name resolution

[root@client ~]# dig www.coralloveme.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12868
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	85918	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	85918	IN	NS	slave.com.
coralloveme.com.	85918	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		85918	IN	A	192.168.33.48
slave.com.		85918	IN	A	192.169.33.58

;; Query time: 0 msec
;; SERVER: 192.168.33.8#53(192.168.33.8)
;; WHEN: Sun Jun 21 17:20:51 CST 2020
;; MSG SIZE  rcvd: 137

Test with curl

[root@client ~]# curl www.coralloveme.com
www.coralloveme.com

MASTER DNS

# configure named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
   ...
//      allow-query     { localhost; };
        allow-transfer  {192.168.33.58; };

		dnssec-enable no;
        dnssec-validation no;

[root@master-dns ~]# vim /etc/named.rfc1912.zones 
zone "coralloveme.com" IN {
        type master;
        file "coralloveme.com.zone";
};

[root@master-dns ~]# cd /var/named/
[root@master-dns named]# cp named.localhost coralloveme.com.zone
[root@master-dns named]# ll coralloveme.com.zone 
-rw-r----- 1 root root 152 Jun 21 15:37 coralloveme.com.zone
################

[root@master-dns named]# vim coralloveme.com.zone 

$TTL 1D
@       IN SOA  master admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.33.48
slave   A       192.168.33.58
www     A       192.168.33.68
#####
# remember to set the file's group to named
#####
[root@master-dns named]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.48

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23461
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.coralloveme.com.
coralloveme.com.	86400	IN	NS	master.coralloveme.com.

;; ADDITIONAL SECTION:
master.coralloveme.com.	86400	IN	A	192.168.33.48
slave.coralloveme.com.	86400	IN	A	192.168.33.58

;; Query time: 2 msec
;; SERVER: 192.168.33.48#53(192.168.33.48)
;; WHEN: Sun Jun 21 16:10:37 CST 2020
;; MSG SIZE  rcvd: 137

SLAVE DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
        allow-transfer  {none;};


        dnssec-enable no;
        dnssec-validation no;

// named.rfc1912.zones:
//
//
zone "coralloveme.com" IN {
        type slave;
        masters {192.168.33.48;};
        file "slaves/coralloveme.com.zone.bak";
};
# the transferred copy is saved under whatever file name is given here


[root@slave-dns ~]# systemctl restart named

Check that the zone database has been copied over

[root@slave-dns ~]# ll /var/named/slaves
total 4
-rw-r--r-- 1 named named 364 Jun 21 16:19 coralloveme.com.zone.bak

Test the slave from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.58

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.58
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13335
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.coralloveme.com.
coralloveme.com.	86400	IN	NS	master.coralloveme.com.

;; ADDITIONAL SECTION:
master.coralloveme.com.	86400	IN	A	192.168.33.48
slave.coralloveme.com.	86400	IN	A	192.168.33.58

;; Query time: 0 msec
;; SERVER: 192.168.33.58#53(192.168.33.58)
;; WHEN: Sun Jun 21 16:21:17 CST 2020
;; MSG SIZE  rcvd: 137

Note: the zone is only transferred to the slave when the master's data changes and its serial number increases

COM DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

        dnssec-enable no;
        dnssec-validation no;

// named.rfc1912.zones:
//
//
zone "com" IN {
        type master;
        file "com.zone";
};

Zone database file

[root@com-dns named]# vim com.zone 

$TTL 1D
@       IN SOA  com admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      com
coralloveme     NS      master
coralloveme     NS      slave
com     A       192.168.33.38
master  A       192.168.33.48
slave   A       192.169.33.58


####
[root@com-dns named]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.38

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50700
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	master.com.
coralloveme.com.	86400	IN	NS	slave.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 3 msec
;; SERVER: 192.168.33.38#53(192.168.33.38)
;; WHEN: Sun Jun 21 16:44:47 CST 2020
;; MSG SIZE  rcvd: 137

ROOT DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

        dnssec-enable no;
        dnssec-validation no;
        
        
 #### note: the root zone "." is defined as a master zone here ####
 zone "." IN {
        type master;
        file "root.zone";
};

[root@root-dns named]# vim root.zone 

$TTL 1D
@       IN SOA  master admin (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
com     NS      com
master  A       192.168.33.28
com     A       192.168.33.38


Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.28

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22151
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	slave.com.
coralloveme.com.	86400	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 2 msec
;; SERVER: 192.168.33.28#53(192.168.33.28)
;; WHEN: Sun Jun 21 17:04:01 CST 2020
;; MSG SIZE  rcvd: 137

FORWARD DNS

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
#########
# note: for forwarding to work, these must be set to no
#########
		dnssec-enable no;
        dnssec-validation no;

The FORWARD DNS queries recursively starting from the root itself, so it is enough to edit named.ca and change the root server address there

[root@forward-dns ~]# vim /var/named/named.ca 


; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       192.168.33.28

;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE  rcvd: 811


#####
[root@forward-dns ~]# systemctl restart named

Test from the client

[root@client ~]# dig www.coralloveme.com @192.168.33.18

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25600
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86400	IN	NS	master.com.
coralloveme.com.	86400	IN	NS	slave.com.

;; ADDITIONAL SECTION:
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58

;; Query time: 3 msec
;; SERVER: 192.168.33.18#53(192.168.33.18)
;; WHEN: Sun Jun 21 17:12:48 CST 2020
;; MSG SIZE  rcvd: 137

LOCAL DNS

The LOCAL DNS server only needs a forwarder configured.

[root@local-dns ~]# vi /etc/named.conf 

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
###########
# Add the forward options
###########
        forward only;
        forwarders      { 192.168.33.18;};
  ...
#########
# Note: for a forwarding setup these two options must be set to no
#########
        dnssec-enable no;
        dnssec-validation no;
        
# 
[root@forward-dns ~]# systemctl restart named

Client test

[root@client ~]# dig www.coralloveme.com @192.168.33.8

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.coralloveme.com @192.168.33.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42512
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.coralloveme.com.		IN	A

;; ANSWER SECTION:
www.coralloveme.com.	86019	IN	A	192.168.33.68

;; AUTHORITY SECTION:
coralloveme.com.	86019	IN	NS	slave.com.
coralloveme.com.	86019	IN	NS	master.com.

;; ADDITIONAL SECTION:
master.com.		86019	IN	A	192.168.33.48
slave.com.		86019	IN	A	192.169.33.58

;; Query time: 1 msec
;; SERVER: 192.168.33.8#53(192.168.33.8)
;; WHEN: Sun Jun 21 17:19:10 CST 2020
;; MSG SIZE  rcvd: 137

The DNS architecture is now fully built; the client's DNS server can be pointed at the LOCAL DNS IP.
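As an added example (not part of the original post), a small Python check over the dig outputs above: it compares the records answered directly by the authoritative side with those served through the LOCAL DNS forwarder, uses the lower TTL (86019 against 86400) to confirm the forwarder answered from cache, and flags any A record outside the lab subnet, which catches the slave.com glue address on this page sitting in 192.169.33.0/24 rather than 192.168.33.0/24. The record lines are trimmed copies of the outputs shown above; the lab subnet 192.168.33.0/24 is an assumption.

```python
"""Consistency check over dig output from two resolvers (added example)."""
import ipaddress
import re

# Trimmed copies of the dig outputs shown on this page: the answer obtained
# directly, and the same query served through the LOCAL DNS forwarder.
DIRECT = """\
;; ANSWER SECTION:
www.coralloveme.com.	86400	IN	A	192.168.33.68
coralloveme.com.	86400	IN	NS	slave.com.
coralloveme.com.	86400	IN	NS	master.com.
master.com.		86400	IN	A	192.168.33.48
slave.com.		86400	IN	A	192.169.33.58
"""
FORWARDED = """\
;; ANSWER SECTION:
www.coralloveme.com.	86019	IN	A	192.168.33.68
coralloveme.com.	86019	IN	NS	slave.com.
coralloveme.com.	86019	IN	NS	master.com.
master.com.		86019	IN	A	192.168.33.48
slave.com.		86019	IN	A	192.169.33.58
"""

# name  ttl  IN  type  rdata  (comment and section-header lines do not match)
RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_rrs(text):
    """Return {(name, type, rdata): ttl} for every resource record line."""
    rrs = {}
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            rrs[(name, rtype, rdata)] = int(ttl)
    return rrs


def check_chain(direct_text, forwarded_text, lab_net="192.168.33.0/24"):
    """Compare the two answers; lab_net is an assumed expected subnet."""
    direct, fwd = parse_rrs(direct_text), parse_rrs(forwarded_text)
    net = ipaddress.ip_network(lab_net)
    return {
        "missing_in_forwarded": sorted(k for k in direct if k not in fwd),
        "extra_in_forwarded": sorted(k for k in fwd if k not in direct),
        # a TTL lower than the authoritative one means the forwarder
        # answered from its cache rather than re-resolving
        "cached": [k for k in fwd if k in direct and fwd[k] < direct[k]],
        "a_outside_lab_net": sorted(
            k for k in fwd
            if k[1] == "A" and ipaddress.ip_address(k[2]) not in net),
    }
```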

DNS troubleshooting

A DNS verification session on Windows

I had already configured the DNS records for the domain flamenca.com on a Linux host,

but on the Windows machine that domain resolved to a different IP.

I checked the hosts file; there was nothing relevant there either.

Afterwards I found the cause:

  • The NIC's IP was obtained automatically and was not on the same subnet as the VM's IP, so I added the DNS server 192.168.33.129 (the Linux host's address) to the NAT-mode adapter VM8
  • Set the NIC's DNS to 192.168.33.129
  • Now pinging 192.168.33.129 brings up my own test page