综合案例,实现 Internet 的 DNS 服务架构
0. 架构图
1. 环境规划
| 节点名称 | ip地址 | 节点信息 |
| --- | --- | --- |
| client | 10.0.0.6 | DNS客户端 |
| ldns | 10.0.0.8 | 本地DNS服务器(只缓存) |
| zdns | 10.0.0.18 | 转发目标DNS服务器 |
| rdns | 10.0.0.28 | 根DNS服务器 |
| odns | 10.0.0.38 | org域DNS服务器 |
| mdns | 10.0.0.48 | lec.org域主DNS服务器 |
| sdns | 10.0.0.58 | lec.org域从DNS服务器 |
| wdns | 10.0.0.68 | www.lec.org的WEB服务器 |
3.前提准备
关闭SElinux
关闭防火墙
ufw disable
root@master1:~
Status: inactive
时间同步
apt -y install chrony; chronyc sources -v ; timedatectl set-timezone Asia/Shanghai
apt update ; apt upgrade
4.实现步骤
4.1 在客户端配置DNS服务器地址
root@client:~
network:
  ethernets:
    ens33:
      dhcp4: no
      addresses: [10.0.0.6/24]
      gateway4: 10.0.0.3
      nameservers:
        addresses: [10.0.0.8]
  version: 2
root@client:~
nameserver 10.0.0.8
options edns0 trust-ad
apt -y install bind9-utils
4.2 实现WEB服务
apt -y install nginx ; systemctl enable --now nginx; echo "www.lec.org is 10.0.0.68 " >> /var/www/html/index.html
root@client:~
www.lec.org is 10.0.0.68
4.3 实现lec.org域的主DNS服务器
在 10.0.0.48 机器上操作。从服务器通过 SOA 记录中的序列号(Serial,即版本号标识)判断主服务器的区域数据是否有更新,从而决定是否重新复制。
apt -y install bind9-utils bind9
root@mdns:/etc/bind
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        allow-transfer { 10.0.0.58; };
        listen-on-v6 { any; };
};
vi /etc/bind/named.conf.default-zones
zone "lec.org" {
        type master;
        file "/etc/bind/db.lec.org";
};
cp -p /etc/bind/db.local /etc/bind/db.lec.org
root@mdns:/etc/bind
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     master admin.lec.org. (
                              2         ; Serial 序列号(版本号标识),从服务器据此判断区域是否更新,每次修改区域文件后必须递增
                         604800         ; Refresh 从服务器刷新时间
                          86400         ; Retry 重试时间
                        2419200         ; Expire 过期时间
                         604800 )       ; Negative Cache TTL 否定答案的TTL值
;
        NS      master
        NS      slave
master  IN      A       10.0.0.48
slave   IN      A       10.0.0.58
www     IN      A       10.0.0.68
named-checkconf
named-checkzone "lec.org" /etc/bind/db.lec.org
systemctl start bind9.service
rndc reload
4.4 实现lec.org域的从DNS服务器
4.4.1 实现lec.org域的从DNS服务器
apt -y install bind9-utils bind9
root@sdns:/etc/bind
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        allow-transfer { none; };
        listen-on-v6 { any; };
};
vi /etc/bind/named.conf.default-zones
zone "lec.org" {
        type slave;
        masters { 10.0.0.48; };
        file "db.lec.org.slave";
};
named-checkconf
systemctl start bind9.service
rndc reload
root@sdns:/etc/bind
options {
directory "/var/cache/bind" ;
root@sdns:/etc/bind
root@sdns:/var/cache/bind
total 12
-rw-r--r-- 1 bind bind 2237 Mar 21 10:17 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind  221 Mar 21 10:17 managed-keys.bind
-rw-r--r-- 1 bind bind  369 Mar 21 11:13 db.lec.org.slave
root@client:~
Server:   10.0.0.48
Address:  10.0.0.48
Name:     www.lec.org
Address:  10.0.0.68
root@client:~
Server:   10.0.0.58
Address:  10.0.0.58
Name:     www.lec.org
Address:  10.0.0.68
root@client:~
Server:   10.0.0.58
Address:  10.0.0.58
Name:     www.lec.org
Address:  10.0.0.68
root@client:~
;; communications error to 10.0.0.48
;; communications error to 10.0.0.48
;; communications error to 10.0.0.48
;; no servers could be reached
4.4.2 zone里的file写绝对路径报错
4.4.2.1 zone文件配置
cat /etc/bind/named.conf.default-zones
zone "lec.org" {
        type slave;
        masters { 10.0.0.48; };
        file "/etc/bind/slave/lec.org.slave";
};
4.4.2.2 报错内容
Mar 21 11:07:54 sdns named[12349]: dumping master file: /etc/bind/slaves/tmp-dLxYrqkUR6: open: permission denied
4.4.2.3 解决方法一
修改 /etc/apparmor.d/usr.sbin.named,加上一行 `/etc/bind/slave/** rw,`。必须设定为 rw 才表示「可读可写」:从服务器要把复制来的区域数据写入该目录,只有 r 权限会导致上面的 permission denied。修改 AppArmor 配置文件后需重新加载该配置(例如 apparmor_parser -r /etc/apparmor.d/usr.sbin.named)才会生效。
vi /etc/apparmor.d/usr.sbin.named
/etc/bind/** r,
/etc/bind/slave/** rw,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
如下图
4.4.2.4 解决方法二
写相对路径:文件会保存在 options 中 directory 指定的默认目录 /var/cache/bind 下,AppArmor 默认已允许 named 读写该目录,因此无需改动 AppArmor 配置。
cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
修改 /etc/bind/named.conf.default-zones,把 zone 里的 file 写成相对路径:
cat /etc/bind/named.conf.default-zones
zone "lec.org" {
        type slave;
        masters { 10.0.0.48; };
        file "lec.org.slave";
};
root@sdns:/etc/bind
root@sdns:/var/cache/bind
total 12
-rw-r--r-- 1 bind bind 2237 Mar 21 10:17 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind  221 Mar 21 10:17 managed-keys.bind
-rw-r--r-- 1 bind bind  369 Mar 21 11:13 lec.org.slave
4.5 实现org域的主DNS服务器
apt -y install bind9-utils bind9
vi /etc/bind/named.conf.default-zones
zone "org" {
type master;
file "/etc/bind/db.org" ;
} ;
cp -p /etc/bind/db.local /etc/bind/db.org
root@mdns:/etc/bind
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     master admin.lec.org. (
                              2         ; Serial 序列号(版本号标识),每次修改区域文件后必须递增
                         604800         ; Refresh 从服务器刷新时间
                          86400         ; Retry 重试时间
                        2419200         ; Expire 过期时间
                         604800 )       ; Negative Cache TTL 否定答案的TTL值
;
        NS      master
lec     NS      lecns1
lec     NS      lecns2
master  IN      A       10.0.0.38
lecns1  IN      A       10.0.0.48
lecns2  IN      A       10.0.0.58
named-checkconf
named-checkzone "org" /etc/bind/db.org
systemctl start bind9.service
rndc reload
root@client:~
Server:   10.0.0.38
Address:  10.0.0.38
Non-authoritative answer:
Name:     www.lec.org
Address:  10.0.0.68
4.6 实现根域的主DNS服务器
apt -y install bind9-utils bind9
vi /etc/bind/named.conf.default-zones
zone "." {
type master;
file "/etc/bind/db.root.zone" ;
} ;
cp -p /etc/bind/db.local /etc/bind/db.root.zone
root@mdns:/etc/bind
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     master admin.lec.org. (
                              2         ; Serial 序列号(版本号标识),每次修改区域文件后必须递增
                         604800         ; Refresh 从服务器刷新时间
                          86400         ; Retry 重试时间
                        2419200         ; Expire 过期时间
                         604800 )       ; Negative Cache TTL 否定答案的TTL值
;
        NS      master
org     NS      orgns
master  IN      A       10.0.0.28
orgns   IN      A       10.0.0.38
named-checkconf
named-checkzone "." /etc/bind/db.root.zone
systemctl start bind9.service
rndc reload
root@client:~
Server:   10.0.0.28
Address:  10.0.0.28
Non-authoritative answer:
Name:     www.lec.org
Address:  10.0.0.68
4.7 实现转发目标的DNS服务器
说明:本节用根提示文件(root.hints)把该服务器的递归查询导向实验环境自建的根服务器 10.0.0.28。BIND 中根提示区通常声明为 type hint;若按下文的 type master 写法无法加载区文件,请核对区类型。
apt -y install bind9-utils bind9
vi /etc/bind/named.conf.default-zones
zone "." {
        type master;
        file "/etc/bind/root.hints";
};
root@mdns:/etc/bind
.                       3600000 NS      B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.     3600000 A       10.0.0.28
named-checkconf
systemctl start bind9.service
rndc reload
root@client:~
Server:   10.0.0.18
Address:  10.0.0.18
Non-authoritative answer:
Name:     www.lec.org
Address:  10.0.0.68
4.8 实现本地只缓存DNS服务器
apt -y install bind9-utils bind9
vi /etc/bind/named.conf.options
forwarders {
        10.0.0.18;
};
dnssec-validation no;
说明:实验环境的根区是自建且未签名的,无法用 BIND 内置的根信任锚完成验证,所以这里关闭 DNSSEC 验证;真实联网使用的缓存服务器不应关闭。另外这台只缓存的服务器只应为内网客户端提供递归查询,不要对外开放。
named-checkconf
systemctl start bind9.service
rndc reload
root@client:~
Server:   10.0.0.8
Address:  10.0.0.8
Non-authoritative answer:
Name:     www.lec.org
Address:  10.0.0.68
root@client:~
www.lec.org is 10.0.0.68
4.9 客户端测试
cat /etc/resolv.conf
nameserver 10.0.0.8
root@client:~
www.lec.org is 10.0.0.68