DNS 总揽
权威名称服务器
存储并提供某区域 ( 整个 DNS 域或 DNS 域的一部分 ) 的实际数据。
权威名称服务器的类型包括
Master : 包含原始区域数据。有时称作 “主要 ”名称服务器
Slave : 备份服务器 , 通过区域传送从 Master 服务器获得的区域数据的副本。有时称作 “次要 ”名称服务器
非权威 / 递归名称服务器
– 客户端通过其查找来自权威名称服务器的数据。递归名称服务器的类型包括
存名称服务器 : 仅用于查找 , 对于非重要数据之外的任何内容都不具有权威性
DNS 查找
客户端上的 Stub 解析器 将查询发送至 /etc/resolv.conf 中的名称服务器,如果名称服务器对于请求的信息具有权威性 , 会将权威答案发送至客户端,否则 , 如果名称服务器在其缓存中有请求的信息 , 则会将非权威答案发送至客户端,如果缓存中没有信息 , 名称服务器将搜索权威名称服务器以查找信息 , 从根区域开始 , 按照DNS 层次结构向下搜索, 直至对于信息有具有权威性的名称服务器 , 以此为客户端获得答案。在此情况中,名称服务器将信息传递至客户端并在自己的缓存中保留一个副本 , 以备以后查找。
DNS资源记录
• DNS 区域采用资源记录的形式存储信息。每条资源记录均具有一个类型 , 表明其保留的数据类型。
– A : 名称至 IPv4 地址
– AAAA : 名称至 IPv6 地址
– CNAME : 名称至 ”规范名称 “ ( 包含 A/AAAA 记录的另一个名称 )
– PTR : IPv4/IPv6 地址至名称
– MX : 用于名称的邮件交换器 ( 向何处发送其电子邮件 )
– NS : 域名的名称服务器
– SOA :” 授权起始 “ , DNS 区域的信息 ( 管理信息 )
DNS排错
• 它显示来自 DNS 查找的详细信息 , 其中包括为什么查询失败 :
– NOERROR : 查询成功
– NXDOMAIN : DNS 服务器提示不存在这样的名称
– SERVFAIL : DNS 服务器停机或 DNSSEC 响应验证失败
– REFUSED : DNS 服务器拒绝回答 ( 也许是出于访问控制原因 )
dig输出的部分内容
• 标题指出关于查询和答案的信息 , 其中包括响应状态和设置的任何特殊标记 ( aa 表示权威答案 , 等等 )
– QUESTION : 提出实际的 DNS 查询
– ANSWER : 响应 ( 如果有 )
– AUTHORITY : 负责域 / 区域的名称服务器
– ADDITIONAL : 提供的其他信息 , 通常是关于名称服务器
– 底部的注释指出发送查询的递归名称服务器以及获得响应所花费的时间
缓存 DNS 服务器
BIND 是最广泛使用的开源名称服务器,在 RHEL 中 , 通过 bind 软件包提供防火墙开启端口 53/TCP 和 53/UDP。BIND 的主配置文件是 /etc/named.conf 。/var/named 目录包含名称服务器所使用的其他数据文件
/etc/named.conf 的语法
• // 或 # 至行末尾是注释 ; /* 与 */ 之间的文本也是注释 ( 可以跨越多行 )
• 指令以分号结束 (;)
• 许多指令认为地址匹配列表放在大括号中、以CIDR 表示法表示的 IP 地址或子网列表中 , 或者命名的 ACL 中 ( 例如 any; [ 所有主机 ] 和none; [ 无主机 ] )。
• 文件以 options 块开始 , 其中包含控制 named如何运作的指令。
• zone 块控制 named 如何查对于其具有权威性的根名称服务器和区域。
一些重要的 options 指令
isten-on 控制 named 侦听的 IPv4 地址
listen-on-v6 控制 named 侦听的 IPv6 地址
allow-query 控制哪些客户端可以向 DNS 服务器询问信息
forwarders 包含 DNS 查询将转发至的名称服务器的列表
( 而不是直接联系外部名称服务器 ; 在设有防火 墙的情况中
很有用 )
• 所有这些指令会将打括号中以分号分隔的元素视为地址匹配
列表 . 如
– listen-on { any; };
– allow-query { 127.0.0.1; 10.0.0.0/8 };
配置名称服务器
• 安装 bind 软件包
– yum install -y bind
• vim /etc/named.conf
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
allow-query { any; };
forwarders { 172.25.254.254; };
• 启动并启用 DNS 服务器
• systemctl start named
• systemctl enable named #开机自动启动
• 从 desktopX 进行测试
– dig classroom.example.com
配置高速缓存dns服务器
[root@dns-server ~]# yum search dns
[root@dns-server ~]# yum install bind.x86_64 -y
[root@dns-server ~]# systemctl stop firewalld.service
[root@dns-server ~]# vim /etc/named.conf
修改如下:
options {
listen-on port 53 { any; }; 修改
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; 修改
forwarders {172.25.254.250; }; 添加
[root@dns-server ~]# systemctl restart named
[root@dns-server ~]# netstat -antlpe | grep named 查看端口是否开启
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 98952 4590/named
tcp 0 0 172.25.254.220:53 0.0.0.0:* LISTEN 25 98947 4590/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 98945 4590/named
tcp6 0 0 ::1:953 :::* LISTEN 25 98953 4590/named
tcp6 0 0 ::1:53 :::* LISTEN 25 98949 4590/named
[root@dns-server ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22693
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 697 IN CNAME www.a.shifen.com.
www.a.shifen.com. 266 IN A 183.232.231.172
www.a.shifen.com. 266 IN A 183.232.231.173
;; AUTHORITY SECTION:
. 513540 IN NS m.root-servers.net.
. 513540 IN NS i.root-servers.net.
. 513540 IN NS d.root-servers.net.
. 513540 IN NS f.root-servers.net.
. 513540 IN NS j.root-servers.net.
. 513540 IN NS h.root-servers.net.
. 513540 IN NS e.root-servers.net.
. 513540 IN NS l.root-servers.net.
. 513540 IN NS a.root-servers.net.
. 513540 IN NS g.root-servers.net.
. 513540 IN NS c.root-servers.net.
. 513540 IN NS b.root-servers.net.
. 513540 IN NS k.root-servers.net.
;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri May 05 22:11:43 EDT 2017
;; MSG SIZE rcvd: 312
在另一台
[root@dns-desktop ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search westos.com
nameserver 172.25.254.220 添加这一行,指向dns缓存
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
~
[root@dns-desktop ~]# dig www.baidu.com
配置DNS
[root@server ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
[root@server ~]# systemctl restart named
[root@server ~]# vim /etc/named.rfc1912.zones
zone "westos.com" IN { ##添加这段
type master;
file "westos.com.zone";
allow-update { none; };
};
[root@server ~]# cd /var/named
[root@server named]# cp -p named.localhost westos.com.zone
[root@server named]# vim westos.com.zone
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.20
www A 172.25.254.10
[root@server named]# systemctl restart named
[root@server named]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63556
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.10
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 08 11:43:28 EDT 2017
;; MSG SIZE rcvd: 93
域名规范与邮件服务器
[root@server named]# cd /var/named/
[root@server named]# vim westos.com.zone
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.20
www A 172.25.254.10
music CNAME music.a.westos.com.
music.a A 172.25.254.111
music.a A 172.25.254.222
westos.com. MX 1 172.25.254.220.
[root@server named]# systemctl restart named
[root@server named]# dig music.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> music.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45216
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;music.westos.com. IN A
;; ANSWER SECTION:
music.westos.com. 86400 IN CNAME music.a.westos.com.
music.a.westos.com. 86400 IN A 172.25.254.222
music.a.westos.com. 86400 IN A 172.25.254.111
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 08 12:01:27 EDT 2017
;; MSG SIZE rcvd: 133
[root@server named]# dig -t mx westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63363
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;westos.com. IN MX
;; ANSWER SECTION:
westos.com. 86400 IN MX 1 172.25.254.220.
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 08 12:01:47 EDT 2017
;; MSG SIZE rcvd: 103
多向解析
[root@server ~]# cd /var/named/
[root@server named]# cp -p westos.com.zone westos.com.inter
[root@server named]# vim westos.com.inter
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.20.20 ##全部修改为20网段
www A 172.25.20.10
music CNAME music.a.westos.com.
music.a A 172.25.20.111
music.a A 172.25.20.222
westos.com. MX 1 172.25.20.220.
[root@server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter
[root@server named]# vim /etc/named.rfc1912.inter
zone "westos.com" IN { ##删除这段
type master;
file "westos.com.zone";
allow-update { none; };
};
zone "westos.com" IN { ##添加这段
type master;
file "westos.com.inter";
allow-update { none; };
};
[root@server named]# vim /etc/named.conf
/*
zone "." IN {
type hint; 把这段注释
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
*/
view localnet{
match-clients { 172.25.254.20/24; }; ##添加视图
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
};
view internet{
match-clients { 172.25.20.20/24; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.inter";
};
[root@server named]# systemctl restart named
检测:
给server加一块无线网卡,并设置 在20 网段
[root@server ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth1
DEVICE=eth1
BOOTPROTO=none
IPADDR=172.25.20.20
NETMASK=255.255.255.0
ONBOOT=yes
[root@server ~]# systemctl restart network
[root@server ~]# ifconfig
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.25.20.20 netmask 255.255.255.0 broadcast 172.25.20.255
inet6 fe80::5054:ff:fe5f:4e96 prefixlen 64 scopeid 0x20<link>
ether 52:54:00:5f:4e:96 txqueuelen 1000 (Ethernet)
RX packets 7681 bytes 945721 (923.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 33 bytes 4387 (4.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@server ~]# vim /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.20.20 ##设置dns指向20网段
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
在server 上检测
[root@server ~]# dig www.westos.com ##
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21593
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.20.10
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.20.20
;; Query time: 0 msec
;; SERVER: 172.25.20.20#53(172.25.20.20)
;; WHEN: Tue May 09 03:18:41 EDT 2017
;; MSG SIZE rcvd: 93
再在client上检测
[root@client ~]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27016
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.10
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 1 msec
;; SERVER: 172.25.254.20#53(172.25.254.20)
;; WHEN: Tue May 09 03:16:54 EDT 2017
;; MSG SIZE rcvd: 93
反向解析
[root@server ~]# vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {
type master;
file "westos.com.ptr";
allow-update { none; };
};
[root@server ~]# cp -p /var/named/named.loopback /var/named/westos.com.ptr
[root@server ~]# vim /var/named/westos.com.ptr
$TTL 1D
@ IN SOA dns.westos.com root.westos.com.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com. ##在修改时一定要注意加点
dns A 172.25.254.20
111 PTR www.westos.com. ##设置www.westos.com的解析为172.25.254.111
[root@server ~]# systemctl restart named
[root@server ~]# vim /etc/resolv.conf
# Generated by NetworkManager
domain lan
search westos.com
nameserver 172.25.254.20 ##必须指向dns服务器的ip,删掉原有的nameserver指向
在client检测
[root@client ~]# dig -x 172.25.254.111
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;111.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 1 msec
;; SERVER: 172.25.254.20#53(172.25.254.20)
;; WHEN: Tue May 09 03:39:08 EDT 2017
;; MSG SIZE rcvd: 118
dns更新
[root@server ~]# cp -p /var/named/westos.com.zone /mnt/
[root@server ~]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { 172.25.254.10; };
};
[root@server ~]# chmod 770 /var/named/
[root@server ~]# setsebool -P named_write_master_zones 1
[root@server ~]# systemctl restart named
在client检测
[root@client ~]# nsupdate ##更新数据
> server 172.25.254.20
> update add hello.westos.com 86400 A 172.25.254.222 ##添加
> send
> quit
[root@client ~]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34366
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com. IN A
;; ANSWER SECTION:
hello.westos.com. 86400 IN A 172.25.254.222
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.20
;; Query time: 0 msec
;; SERVER: 172.25.254.20#53(172.25.254.20)
;; WHEN: Tue May 09 03:46:17 EDT 2017
;; MSG SIZE rcvd: 95
[root@client ~]# nsupdate
> server 172.25.254.20
> update delete hello.westos.com ##进行删除
> send
> quit
[root@client ~]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com. IN A
;; AUTHORITY SECTION:
westos.com. 10800 IN SOA dns.westos.com. root.westos.com. 2 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 172.25.254.20#53(172.25.254.20)
;; WHEN: Tue May 09 03:50:11 EDT 2017
;; MSG SIZE rcvd: 90
因为更新dns会产生一个新的文件 /var/named/westos.com.zone.jnl 做完实验需要将产生的文件删掉,然后将之前拷贝的文件再复制过来,不然的话会对后边的实验产生影响
[root@server named]# rm -fr /var/named/westos.com.zone.jnl /var/named/westos.com.zone
[root@server named]# cp -p /mnt/westos.com.zone /var/named/