DNS and Bind

I. Installing and configuring BIND

1. BIND: Berkeley Internet Name Domain; now maintained by ISC.org, which also provides the DHCPD server

1. dns: a protocol
2. bind: one implementation of the DNS protocol
3. named: the process name of the running BIND program

2. The bind packages: list them with yum list all bind*

Packages installed by default:
1. bind-libs: library files shared by the programs in the bind and bind-utils packages
2. bind-utils: the BIND client tools, such as dig, host and nslookup
Packages not installed by default:
1. bind: the DNS server program, plus several commonly used test programs
2. bind-chroot: optional; runs named in jail mode, i.e. under a temporary root directory, so that a hijacked named process stays confined to it

3. bind: install it with yum -y install bind

1. Main configuration file: /etc/named.conf, plus the files it includes:
   1) /etc/named.iscdlv.key
   2) /etc/named.rfc1912.zones
   3) /etc/named.root.key
2. Zone data files: located under /var/named; usually named ZONE_NAME.zone
  Note:
     1) One DNS server can serve several zones at the same time
     2) The root zone hint file named.ca is mandatory
     3) There should also be two zone files for the forward and reverse resolution of localhost and 127.0.0.1: the forward file named.localhost and the reverse file named.loopback
[root@sakura ~]# ls /var/named/
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
Note: the root domain is served by 13 root name servers worldwide (13 server names, each anycast to many instances)

4. rndc: remote name daemon controller

953/tcp: rndc listens on TCP port 953, but by default only on 127.0.0.1, so only local use is allowed

5. Once the bind package is installed it can be used as a caching name server as-is; if there are no zones of its own to serve, the service can simply be started

1. CentOS 6: service named start
2. CentOS 7: systemctl start named.service

6. Main configuration file format

"Main configuration file format"
   1. Global options section: options {...}
   2. Logging section: logging {...}
   3. Zone section: zone {...}; the zones this host is responsible for resolving, or forwards
   Note: every configuration statement must end with a semicolon, and the closing } of each block must also be followed by a semicolon, otherwise there is a syntax error
"Configuring a caching name server"
   1. Listen on an address that external hosts can reach
      1) listen-on port 53
      2) listen-on port 53 { 192.168.3.100; };
   2. For testing, it is recommended to turn off DNSSEC (DNS security)
      1) dnssec-enable no;
      2) dnssec-validation no;
      3) dnssec-lookaside no;
      4) In this test the third option was not present in the named configuration file
   3. Remove the restriction to local-only queries
      1) //allow-query  { localhost; };
"Checking the configuration file for syntax errors"
   1. named-checkconf [/etc/named.conf]
   [root@sakura ~]# named-checkconf /etc/named.conf
"Once the check passes, start named"
[root@sakura ~]# systemctl start named.service 
[root@sakura ~]# systemctl status named.service 
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2019-06-14 23:32:00 CST; 5s ago
"Check the ports: both tcp/53 and udp/53 are now listening"
Note:
   1. Port 953 on 127.0.0.1, used by rndc, is listening as well
   2. The DNS service listens on tcp/53, used for zone transfers (and for queries whose answers do not fit in UDP), and on udp/53, used for name resolution
[root@sakura ~]# netstat -tunlp | grep ".*named"
tcp        0      0 192.168.3.100:53        0.0.0.0:*               LISTEN      10225/named         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10225/named         
tcp6       0      0 ::1:53                  :::*                    LISTEN      10225/named         
tcp6       0      0 ::1:953                 :::*                    LISTEN      10225/named         
udp        0      0 192.168.3.100:53        0.0.0.0:*                           10225/named         
udp6       0      0 ::1:53                  :::*                                10225/named   
"Point the host's own resolver at this server"
[root@sakura ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.3.100
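The post comments out allow-query for lab convenience. On a host that is reachable from outside the lab network, a practitioner would instead keep queries and recursion limited to an ACL, because a resolver that recurses for anyone is an open resolver that can be abused for amplification. The following shell script is an added example, not part of the original post or of BIND itself: it writes a hardened options block (with the weak open variant beside it for comparison) and checks that recursion is restricted. The listen address 192.168.3.100, the trusted prefix 192.168.3.0/24, the output path and the function names are assumptions of this example; the DNSSEC option names are the ones the post's BIND 9.9 uses.

```shell
#!/bin/sh
# Added example, not from the original post: generate the options block for a
# caching resolver that serves only a trusted network, next to the open variant
# it should replace. Assumed values: listen address 192.168.3.100 and trusted
# prefix 192.168.3.0/24, the lab network used in the post.

# Hardened options. Arguments: listen address, trusted client prefix.
gen_hardened_options() {
    listen_ip="$1"
    trusted_net="$2"
    cat <<EOF
// Clients allowed to use this server as a recursive resolver.
acl "trusted" { 127.0.0.1; ::1; ${trusted_net}; };

options {
    listen-on port 53 { 127.0.0.1; ${listen_ip}; };
    directory "/var/named";

    // Queries and recursion only for the trusted ACL: an Internet-facing
    // resolver that recurses for anyone is an open resolver that can be
    // abused for amplification.
    allow-query     { trusted; };
    allow-recursion { trusted; };

    // Keep validation on outside of test setups (option names as used by
    // the post's BIND 9.9).
    dnssec-enable yes;
    dnssec-validation yes;

    // No zone transfers from a pure caching server.
    allow-transfer { none; };
};
EOF
}

# The open variant: recursion for any source. Kept only as the "before"
# that the checker below must reject.
gen_open_options() {
    listen_ip="$1"
    cat <<EOF
options {
    listen-on port 53 { ${listen_ip}; };
    directory "/var/named";
    allow-query     { any; };
    allow-recursion { any; };
};
EOF
}

# Read a config on stdin; succeed only if allow-recursion is present and is
# not "any". A missing statement is reported as not restricted so that the
# reviewer looks at it explicitly instead of relying on BIND's default.
restricts_recursion() {
    awk '
        /^[[:space:]]*allow-recursion/ { found = 1; if ($0 ~ /any/) open = 1 }
        END { exit ((found && !open) ? 0 : 1) }
    '
}

# Syntax-check a written file with named-checkconf when BIND is installed.
validate_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not found; skipping syntax check of $1" >&2
    fi
}

# Usage: write the hardened block to a file that named.conf can include
# (the path is an assumption of this example).
gen_hardened_options 192.168.3.100 192.168.3.0/24 > "${TMPDIR:-/tmp}/named.options"
validate_conf "${TMPDIR:-/tmp}/named.options"
```

The checker deliberately treats a missing allow-recursion as "not restricted": on a server that has had allow-query opened up, the safe habit is to state the recursion ACL explicitly rather than remember what the installed BIND version defaults to.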

7. Test tools: dig, host, nslookup, etc.
1) dig syntax: dig [-t RR_TYPE] name [@SERVER] [query options]

dig is meant for testing the DNS system, so it does not consult the hosts file
1. Query options
   1) +[no]trace: trace the resolution process step by step
   2) +[no]recurse: ask for recursive resolution
2. Reverse lookup
   1) dig -x IP
3. Simulate a full zone transfer
   1) dig -t axfr DOMAIN [@server]
Forward lookup test with dig
[root@sakura ~]# dig -t A www.apple.com @192.168.3.100

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.apple.com @192.168.3.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:  "the question part"
;www.apple.com.			IN	A

;; ANSWER SECTION:  "the answer part; the alias chain is finally resolved to an IP"
www.apple.com.		1520	IN	CNAME	www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 21321 IN	CNAME	www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 3322 IN CNAME	e6858.e19.s.tl88.net.
e6858.e19.s.tl88.net.	20	IN	A	221.230.146.237

;; AUTHORITY SECTION: "the authority part, i.e. which servers are authoritative for the answer; several DNS servers are listed"
e19.s.tl88.net.		3722	IN	NS	n7e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n4e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n2e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n5e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n6e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n3e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n0e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n1e19.s.tl88.net.

;; ADDITIONAL SECTION: "the name servers from the authority section resolved to IPs"
n3e19.s.tl88.net.	3722	IN	A	58.222.30.53
n1e19.s.tl88.net.	3722	IN	A	210.192.116.4
n0e19.s.tl88.net.	3722	IN	A	88.221.81.192
n0e19.s.tl88.net.	3722	IN	AAAA	2600:1480:e800::c0
n6e19.s.tl88.net.	3722	IN	A	122.224.10.167
n4e19.s.tl88.net.	3722	IN	A	58.222.30.47
n5e19.s.tl88.net.	3722	IN	A	58.222.30.61
n2e19.s.tl88.net.	3722	IN	A	58.222.30.45
n7e19.s.tl88.net.	3722	IN	A	58.222.30.55

;; Query time: 63 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 六 6月 15 00:20:47 CST 2019
;; MSG SIZE  rcvd: 503
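When dig is used from scripts rather than by eye, the pieces worth extracting from its output are the status, the header flags and the address at the end of the CNAME chain. The following shell script is an added example, not part of the original post: it parses a constructed dig transcript modelled on the www.apple.com lookup above (not a live capture) and, in particular, reports whether the server set the ra flag, which is the quick way to notice that a resolver offers recursion to a client that should not get it. The function names and the sample text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: parse the text dig prints into
# the pieces a script usually needs. SAMPLE_DIG is constructed to mirror the
# post's lookup of www.apple.com; it is not a live capture.

SAMPLE_DIG='; <<>> DiG 9.9.4 <<>> -t A www.apple.com @192.168.3.100
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 10

;; QUESTION SECTION:
;www.apple.com.                 IN      A

;; ANSWER SECTION:
www.apple.com.          1520    IN      CNAME   www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 21321 IN     CNAME   www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 3322 IN CNAME e6858.e19.s.tl88.net.
e6858.e19.s.tl88.net.   20      IN      A       221.230.146.237

;; AUTHORITY SECTION:
e19.s.tl88.net.         3722    IN      NS      n7e19.s.tl88.net.

;; Query time: 63 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)'

# Print the status field of the header line, e.g. NOERROR or NXDOMAIN.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'
}

# Print the header flags (qr rd ra ...) as a space-separated list.
dig_flags() {
    printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p'
}

# Succeed when the server set "ra" (recursion available). If a server sets
# it when queried from outside the trusted network, it is acting as an open
# resolver and its allow-recursion ACL needs tightening.
dig_offers_recursion() {
    for f in $(dig_flags "$1"); do
        [ "$f" = "ra" ] && return 0
    done
    return 1
}

# Print only the records of the ANSWER SECTION as "owner type rdata" lines.
dig_answer_records() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/        { in_ans = 0 }
        in_ans && NF >= 5    { print $1, $4, $5 }
    '
}

# Follow the CNAME chain from the first answer owner to the final A record
# and print that address; prints nothing if the chain does not end in an A.
dig_final_address() {
    dig_answer_records "$1" | awk '
        NR == 1       { start = $1 }
        $2 == "CNAME" { target[$1] = $3 }
        $2 == "A"     { addr[$1] = $3 }
        END {
            name = start
            # Bounded walk so a malformed CNAME loop cannot spin forever.
            for (i = 0; i < 16 && (name in target); i++) name = target[name]
            if (name in addr) print addr[name]
        }'
}

# Usage on the embedded sample (a live run would pipe dig into a variable).
echo "status:   $(dig_status "$SAMPLE_DIG")"
echo "flags:    $(dig_flags "$SAMPLE_DIG")"
echo "final A:  $(dig_final_address "$SAMPLE_DIG")"
```

The CNAME walk is bounded to 16 hops on purpose: a resolver that accepts unbounded alias chains is a resource-exhaustion risk, and the same cap keeps the parser from looping on a malformed answer.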

2) host syntax: host [-t RR_TYPE] name SERVER_IP

[root@sakura ~]# host -t A www.apple.com 192.168.3.100
Using domain server:
Name: 192.168.3.100
Address: 192.168.3.100#53
Aliases: 

www.apple.com is an alias for www.apple.com.edgekey.net.
www.apple.com.edgekey.net is an alias for www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net is an alias for e6858.e19.s.tl88.net.
e6858.e19.s.tl88.net has address 221.230.146.237

3) nslookup syntax: nslookup [-options] [name] [server]

Interactive mode
1. nslookup>
   1) server IP: query using the given IP as the DNS server
   2) set q=RR_TYPE: the resource record type to query
   3) name: the name to query
[root@sakura ~]# nslookup
> server 192.168.3.100   "enter the DNS server to use; if none is given, the address from the resolver configuration file is used"
Default server: 192.168.3.100
Address: 192.168.3.100#53
> set q=A    "query the A type"
> lol.qq.com   "the name to query"
Server:		192.168.3.100
Address:	192.168.3.100#53

Non-authoritative answer:
lol.qq.com	canonical name = lol.tc.qq.com.
lol.tc.qq.com	canonical name = others.x2.tc.qq.com.
others.x2.tc.qq.com	canonical name = tdns.x2.sched.dcloudstc.com.
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.142
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.144
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.153.105.195
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.145
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.143
> 

4) rndc: the control command for the named service

1. rndc status: show the status of named
2. rndc flush: clear the cache
[root@sakura ~]# rndc status
version: 9.9.4-RedHat-9.9.4-74.el7_6.1 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 101  "number of zones currently loaded"
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 2/150
server is up and running

II. Configuring zones

1. Configuring a forward zone

1. Using the kasumi.com domain as an example, first define the zone

Do this in the main configuration file or in the auxiliary file it includes: /etc/named.rfc1912.zones
Note: RFC stands for Request for Comments, the official documents that specify each protocol
[root@sakura ~]# vim /etc/named.rfc1912.zones 
zone "kasumi.com" IN {
    type master;
    file "kasumi.com.zone";
 };
Configuration format
zone  "ZONE_NAME"  IN  {
     type  {master|slave|hint|forward};   // zone type: master | slave | hint (root hints) | forward
     file  "ZONE_NAME.zone";
};
Note: the zone name is the domain name

2. Create the zone data file (mainly A or AAAA records)

"The file is /var/named/kasumi.com.zone"
[root@sakura ~]# cat /var/named/kasumi.com.zone 
$TTL 3600
$ORIGIN kasumi.com.

@   IN   SOA   ns1.kasumi.com.  dnsadmin.kasumi.com. (
		2019061501
		1H
		10M
		1D	
		2D )
	IN NS ns1
	IN MX 10 mx1
	IN MX 30 mx2
ns1 IN A 192.168.3.200
www IN A 192.168.3.200
mx1 IN A 192.168.3.201
mx2 IN A 192.168.3.202
web IN CNAME www
bbs IN A 192.168.3.205
bbs IN A 192.168.3.206
"Change the group and permissions"
[root@sakura named]# chown .named /var/named/kasumi.com.zone
[root@sakura named]# chmod o= /var/named/kasumi.com.zone
"Check for syntax errors"
[root@sakura named]# named-checkzone kasumi.com /var/named/kasumi.com.zone
zone kasumi.com/IN: loaded serial 2019061501
OK
[root@sakura named]# named-checkconf 

3. Make the server reload the configuration file and the zone data files

[root@sakura named]# systemctl reload named.service 
[root@sakura named]# rndc reload

4. Forward resolution tests

"Test www.kasumi.com"
[root@sakura ~]# dig -t A www.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;www.kasumi.com.			IN	A

;; ANSWER SECTION:
www.kasumi.com.		3600	IN	A	192.168.3.200

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Test web.kasumi.com"
[root@sakura ~]# dig -t A web.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;web.kasumi.com.			IN	A

;; ANSWER SECTION:
web.kasumi.com.		3600	IN	CNAME	www.kasumi.com.
www.kasumi.com.		3600	IN	A	192.168.3.200

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Resolve bbs.kasumi.com"
[root@sakura ~]# dig -t A bbs.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;bbs.kasumi.com.			IN	A

;; ANSWER SECTION:
bbs.kasumi.com.		3600	IN	A	192.168.3.205
bbs.kasumi.com.		3600	IN	A	192.168.3.206

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Test with the host command"
[root@sakura ~]# host -t A bbs.kasumi.com
bbs.kasumi.com has address 192.168.3.206
bbs.kasumi.com has address 192.168.3.205
[root@sakura ~]# host -t A web.kasumi.com
web.kasumi.com is an alias for www.kasumi.com.
www.kasumi.com has address 192.168.3.200
"Test the NS type"
[root@sakura ~]# dig -t NS kasumi.com
;; QUESTION SECTION:
;kasumi.com.			IN	NS

;; ANSWER SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200

"Test the MX type"
[root@sakura ~]# dig -t MX kasumi.com
;; QUESTION SECTION:
;kasumi.com.			IN	MX

;; ANSWER SECTION:
kasumi.com.		3600	IN	MX	30 mx2.kasumi.com.
kasumi.com.		3600	IN	MX	10 mx1.kasumi.com.

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
mx1.kasumi.com.		3600	IN	A	192.168.3.201
mx2.kasumi.com.		3600	IN	A	192.168.3.202
ns1.kasumi.com.		3600	IN	A	192.168.3.200

2. Configuring a reverse zone

1. Define the zone

Do this in the main configuration file or in the auxiliary configuration file it includes
[root@sakura ~]# vim /etc/named.rfc1912.zones 
 zone "3.168.192.in-addr.arpa" IN {
     type master;
     file "192.168.3.zone";
 };
Configuration format
zone  "ZONE_NAME"  IN  {
     type  {master|slave|hint|forward};   // zone type: master | slave | hint (root hints) | forward
     file  "ZONE_NAME.zone";
};
Note: the name of a reverse zone is the network address written in reverse, followed by .in-addr.arpa

2. Define the zone data file (mainly PTR records)

For this test the zone name is 3.168.192.in-addr.arpa
[root@sakura named]# cat /var/named/192.168.3.zone 
$TTL 3600
$ORIGIN 3.168.192.in-addr.arpa.

@ IN SOA ns1.kasumi.com. nsadmin.kasumi.com. (
		2019061502
		1H
		10M
		1D
		12H )
	IN NS ns1.kasumi.com.
200 IN PTR ns1.kasumi.com.
201	IN PTR mx1.kasumi.com.
202	IN PTR mx2.kasumi.com.
205	IN PTR bbs.kasumi.com.	; trailing dot required, otherwise $ORIGIN is appended
206 IN PTR bbs.kasumi.com.
200 IN PTR www.kasumi.com.
"Change the group and permissions"
[root@sakura named]# chown .named /var/named/192.168.3.zone 
[root@sakura named]# chmod o= /var/named/192.168.3.zone
[root@sakura named]# ll /var/named/192.168.3.zone
-rw-r-----. 1 root named 311 6月  15 01:33 /var/named/192.168.3.zone
"Check for syntax errors"
[root@sakura named]# named-checkzone 3.168.192.in-addr.arpa /var/named/192.168.3.zone
zone 3.168.192.in-addr.arpa/IN: loaded serial 2019061502
OK
[root@sakura named]# named-checkconf 

3. Make the server reload the configuration file and the zone data files

[root@sakura named]# systemctl reload named.service 
[root@sakura named]# rndc reload

4. Tests

"Reverse lookup of 192.168.3.200"
[root@sakura named]# dig -x 192.168.3.200
;; QUESTION SECTION:
;200.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
200.3.168.192.in-addr.arpa. 3600 IN	PTR	ns1.kasumi.com.
200.3.168.192.in-addr.arpa. 3600 IN	PTR	www.kasumi.com.
;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Reverse lookup of 192.168.3.205; the answer below shows the zone origin appended to the PTR target, which is what happens when the target in the zone file lacks its trailing dot"
[root@sakura named]# dig -x 192.168.3.205
;; QUESTION SECTION:
;205.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
205.3.168.192.in-addr.arpa. 3600 IN	PTR	bbs.kasumi.com.3.168.192.in-addr.arpa.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Lookup with the host command; the first answer shows the same appended-origin symptom for www.kasumi.com"
[root@sakura named]# host -t PTR 192.168.3.200
200.3.168.192.in-addr.arpa domain name pointer www.kasumi.com.3.168.192.in-addr.arpa.
200.3.168.192.in-addr.arpa domain name pointer ns1.kasumi.com.
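The two zone files above were written by hand, which is how a forward A record and its reverse PTR drift apart and how a target loses its trailing dot. The following shell script is an added example, not part of the original post or of BIND: it generates both the kasumi.com forward zone and the 3.168.192.in-addr.arpa reverse zone from one host list, makes every off-zone target absolute, bumps the serial in the YYYYMMDDNN convention the post uses, and validates the result with named-checkzone when BIND is installed. The host list, the function names, the serial-bump rule and the output paths are assumptions of this example; the zone, host names and addresses mirror the post.

```shell
#!/bin/sh
# Added example, not from the original post: build the forward zone for
# kasumi.com and the matching reverse zone for 192.168.3.0/24 from one host
# list, so the two files always agree and every PTR target is absolute.

# Constructed host list: "short-name address", one per line.
HOSTS='ns1 192.168.3.200
www 192.168.3.200
mx1 192.168.3.201
mx2 192.168.3.202
bbs 192.168.3.205
bbs 192.168.3.206'

# Make a name absolute: append ".ZONE." unless it already ends in a dot.
# Without the trailing dot BIND appends $ORIGIN, which is exactly how a PTR
# target ends up as "bbs.kasumi.com.3.168.192.in-addr.arpa.".
fqdn() {
    case "$1" in
        *.) printf '%s\n' "$1" ;;
        *)  printf '%s.%s.\n' "$1" "$2" ;;
    esac
}

# Reverse-zone name for a /24 prefix given as three octets, e.g. 192.168.3.
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# Next serial in the YYYYMMDDNN convention used by the post. Arguments:
# current serial, today's date as YYYYMMDD. Same day: bump NN; new day: 01.
next_serial() {
    old="$1"; today="$2"
    case "$old" in
        "$today"??) printf '%d\n' $((old + 1)) ;;
        *)          printf '%s01\n' "$today" ;;
    esac
}

# Shared SOA header; ns and admin must already be absolute names.
soa_header() {
    origin="$1"; ns="$2"; admin="$3"; serial="$4"
    printf '$TTL 3600\n$ORIGIN %s\n\n' "$origin"
    printf '@ IN SOA %s %s (\n' "$ns" "$admin"
    printf '\t%s\t; serial\n\t1H\t; refresh\n\t10M\t; retry\n\t1D\t; expire\n\t2D )\t; negative caching TTL\n' "$serial"
    printf '\tIN NS %s\n' "$ns"
}

# Forward zone: A records from the host list plus the MX and CNAME entries.
gen_forward_zone() {
    zone="$1"; serial="$2"
    soa_header "$zone." "$(fqdn ns1 "$zone")" "$(fqdn dnsadmin "$zone")" "$serial"
    printf '\tIN MX 10 mx1\n\tIN MX 30 mx2\n'
    printf '%s\n' "$HOSTS" | awk '{ printf "%-4s IN A %s\n", $1, $2 }'
    printf 'web  IN CNAME www\n'
}

# Reverse zone: one PTR per address, every target absolute (trailing dot).
gen_reverse_zone() {
    zone="$1"; prefix="$2"; serial="$3"
    rzone="$(reverse_zone_name "$prefix")"
    soa_header "$rzone." "$(fqdn ns1 "$zone")" "$(fqdn dnsadmin "$zone")" "$serial"
    printf '%s\n' "$HOSTS" | awk -v zone="$zone" '{
        split($2, o, ".")
        printf "%-4s IN PTR %s.%s.\n", o[4], $1, zone
    }'
}

# Count PTR targets on stdin that are not absolute; a correct file gives 0.
count_relative_ptrs() {
    awk '$3 == "PTR" && $4 !~ /\.$/ { n++ } END { print n + 0 }'
}

# Validate a written file with named-checkzone when BIND is installed.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not found; skipping check of $2" >&2
    fi
}

# Usage: write both files (paths are assumptions of this example), then
# copy them into /var/named with the ownership and mode the post sets.
OUT="${TMPDIR:-/tmp}"
SERIAL="$(next_serial 2019061502 "$(date +%Y%m%d)")"
gen_forward_zone kasumi.com "$SERIAL" > "$OUT/kasumi.com.zone"
gen_reverse_zone kasumi.com 192.168.3 "$SERIAL" > "$OUT/192.168.3.zone"
check_zone kasumi.com "$OUT/kasumi.com.zone"
check_zone "$(reverse_zone_name 192.168.3)" "$OUT/192.168.3.zone"
```

Generating both zones from the same list is the simplest defence against the mismatch seen above, where 192.168.3.205 answered with a name that does not exist; the count_relative_ptrs check is the one to run before every rndc reload.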