DNS (port 53)
/etc/resolv.conf
In the /etc/resolv.conf configuration file, the keywords domain and search do the same job. search takes several arguments that set the order in which domains are tried: when a host name without a domain is looked up, the host tries it under each domain listed by search in turn. domain and search cannot coexist; if both are present, the one that appears later takes effect.
```
search openstack.local dev.com example.local
nameserver 192.168.122.21
```
Example 1: looking up a bare host name. Because the name contains no dot it is treated as a host name, so each search entry is appended in turn to form an FQDN (fully qualified domain name) and queried; only after all of those fail is the name itself queried as if it were already fully qualified.
```
Trying "centos7-bind-1.openstack.local"
Trying "centos7-bind-1.dev.com"
Trying "centos7-bind-1.example.local"
Trying "centos7-bind-1"
;; connection timed out; no servers could be reached
```
Example 2: the name contains a dot (not at the end), so it is first treated as an FQDN and queried as given; when that fails it is treated as a host name, and each search entry is appended to form an FQDN and queried.
```
Trying "centos7-bind-1.com"
Received 109 bytes from 192.168.122.21
Trying "centos7-bind-1.com.openstack.local"
Trying "centos7-bind-1.com.dev.com"
Trying "centos7-bind-1.com.example.local"
Host centos7-bind-1.com not found: 3(NXDOMAIN)
Received 125 bytes from 192.168.122.21
```
Example 3: the name ends with a dot, so it is treated as an FQDN and only that name is queried (no search entry is appended). The number of attempts still depends on the number of search entries; every attempt is for the same name.
```
Trying "centos7-bind-1"
;; connection timed out; trying next origin
Trying "centos7-bind-1"
;; connection timed out; trying next origin
Trying "centos7-bind-1"
;; connection timed out; trying next origin
Trying "centos7-bind-1"
;; connection timed out; no servers could be reached
```
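As an added illustration (not part of the original notes), the Python below models the candidate-name order the stub resolver follows in the three examples above, using the search list from the resolv.conf shown and glibc's default ndots of 1; for a trailing-dot name it returns the single absolute name that host repeats in example 3. leaked_candidates is a defender's check for which search-generated candidates would be sent to domains the organisation does not control (which suffixes count as internal is a constructed assumption).

```python
# Model of the name-completion order the stub resolver follows in the three
# examples above. Added example, not from the original notes; the search list is
# the one from the resolv.conf shown and NDOTS is glibc's default of 1.
SEARCH = ["openstack.local", "dev.com", "example.local"]
NDOTS = 1  # "options ndots:N" in resolv.conf changes this threshold


def candidate_names(name, search=SEARCH, ndots=NDOTS):
    """Return the names the resolver sends, in the order it tries them."""
    if name.endswith("."):
        # Example 3: a trailing dot makes the name absolute; nothing is appended.
        return [name]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:
        # Example 2: enough dots, so the name is tried as given first, then
        # each search entry is appended.
        return [name] + expanded
    # Example 1: a bare host name, so the search entries go first and the
    # name itself is tried last.
    return expanded + [name]


def leaked_candidates(name, internal_suffixes, search=SEARCH, ndots=NDOTS):
    """Search-generated candidates whose suffix the organisation does not own.

    A short name such as "centos7-bind-1" is sent as "centos7-bind-1.dev.com"
    before the resolver gives up; if dev.com is somebody else's public domain,
    that query, and the internal host name inside it, leaves the network. This
    is the check to run on a search list before deploying it.
    """
    return [
        c for c in candidate_names(name, search, ndots)
        if c != name and not any(c.endswith("." + s) for s in internal_suffixes)
    ]


if __name__ == "__main__":
    for n in ("centos7-bind-1", "centos7-bind-1.com", "centos7-bind-1."):
        print(n, "->", candidate_names(n))
    # Constructed assumption: only the two .local suffixes are internal.
    print(leaked_candidates("centos7-bind-1", ["openstack.local", "example.local"]))
```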
Installation
bind (Berkeley Internet Name Domain): the DNS server software
bind-chroot: companion package for the DNS server that provides a chroot jail (the DNS service runs under its own root directory, so a compromise of the service does not spread to the rest of the system)
bind-utils: DNS client tools, providing the nslookup and host commands, among others
+ `nslookup or host [options] domain [IP address]`: the given IP address serves this query; if it is omitted, the nameserver set in `/etc/resolv.conf` is used
DNS service unit: `/usr/lib/systemd/system/named.service`
DNS configuration file: `/etc/named.conf`
Default parent directory of the zone files: `/var/named`
Zone file template: `/var/named/named.localhost`
+ the named user needs read (r) permission on the zone file
+ in a master/slave setup, the named user on the slave needs rwx permission on the zone file directory (/var/named)
Reference, method 1: `man named.conf`
Reference, method 2: `vim /usr/share/doc/bind/sample/etc/named.conf`, `vim /usr/share/doc/bind/sample/var/named/named.localhost`
Recursive query (recursive resolution, the default): the client sends the request to its preferred DNS server (typically the ISP's); that server talks to other DNS servers and finally returns the result to the client.
Iterative query (iterative resolution): the client sends the request to its preferred DNS server, which tells the client the address of the next DNS server to ask.
+ Usually the preferred DNS server offers recursive resolution to its clients and itself obtains the answer through iterative queries.
Forward resolution: resolve a domain name to an IP address
Reverse resolution: resolve an IP address to a domain name
Forward resolution
DNS server (192.168.88.53):
```
[root@dns ~]
Disabled
[root@dns ~]
未安装软件包 firewalld
[root@dns ~]
[root@dns ~]
```
```
// named.conf
// See /usr/share/doc/bind*/sample/ for example named configuration files.  // template files

options {
//      listen-on port 53 { any; };       // listen on port 53 of every local IPv4 address (default)
//      listen-on-v6 port 53 { any; };    // listen on port 53 of every local IPv6 address (default)
//      allow-query { any; };             // clients allowed to query this server (default); an IP address, a subnet, or any
        directory "/var/named";           // parent directory of the zone files
//      recursion no;                     // disable recursive resolution (iterative only); the default is yes
};

zone "example" IN {                       // the domain name served
        type master;                      // master = primary; slave = secondary; hint = root servers; forward = forwarding
        file "example.zone";              // zone file
};
```
```
[root@dns ~]
-rw-r----- 1 root named 194 11月  6 23:27 /var/named/named.localhost
[root@dns ~]
[root@dns ~]
```
```
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      server
server  A       192.168.88.11
www     A       11.11.11.11
xxx     A       22.22.22.22
yyy     CNAME   www
*       A       33.33.33.33
example A       44.44.44.44
@       A       55.55.55.55
example. A      7.7.7.7
```
```
[root@dns ~]
[root@dns ~]
```
```
[root@client ~]
[root@client ~]
[root@client ~]
Server:         192.168.88.53
Address:        192.168.88.53

Name:   server.example
Address: 192.168.88.11
[root@client ~]
www.example has address 11.11.11.11
[root@client ~]
xxx.example has address 22.22.22.22
[root@client ~]
yyy.example is an alias for xxx.example.
xxx.example has address 22.22.22.22
[root@client ~]
abcd.example has address 33.33.33.33
[root@client ~]
example.example has address 44.44.44.44
[root@client ~]
example has address 55.55.55.55
```
If `example.` comes before `@` in the zone file, the answer is `example has address 7.7.7.7` instead.
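Added example (not from the original notes) showing how named interprets the owner names in the zone file above: a Python parser that applies the `@`, relative-name and absolute-name rules with origin example, then answers the lookups the client ran (wildcard and CNAME included). To stay short it writes the SOA on one line and omits the `xxx` record; both `@ A 55.55.55.55` and `example. A 7.7.7.7` end up under the same owner name `example`.

```python
# Resolve names against the zone file above the way named would. Added example,
# not from the original notes: it covers only what that file uses (SOA/NS/A/CNAME,
# '@', relative vs. absolute owner names, the '*' wildcard); the SOA is on one line.
ORIGIN = "example"
ZONE_TEXT = """\
$TTL 1D
@   IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )  ; serial refresh retry expire minimum
    NS    server
server  A     192.168.88.11
www     A     11.11.11.11
yyy     CNAME www
*       A     33.33.33.33
example A     44.44.44.44
@       A     55.55.55.55
example. A    7.7.7.7
"""

def qualify(name, origin=ORIGIN):
    """'@' is the origin, a trailing dot means absolute, anything else gets '.origin'."""
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin=ORIGIN):
    """Return {owner: [(type, rdata), ...]} with every owner name fully qualified."""
    records, owner = {}, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop ';' comments
        if not line or line.startswith("$"):           # blank line or $TTL directive
            continue
        fields = [f for f in line.split() if f != "IN"]  # drop the class token
        if not raw[0].isspace():                       # line starts with an owner name
            owner = qualify(fields.pop(0), origin)     # else the previous owner applies
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype in ("CNAME", "NS"):                   # targets follow the same rules
            rdata = qualify(rdata, origin)
        records.setdefault(owner, []).append((rtype, rdata))
    return records

def lookup_a(records, qname, origin=ORIGIN):
    """A records for qname, following a CNAME chain and the '*' wildcard."""
    rrs = records.get(qname)
    if rrs is None and qname.endswith("." + origin):
        rrs = records.get("*." + origin)               # unknown label -> wildcard
    for rtype, rdata in rrs or []:
        if rtype == "CNAME":
            return lookup_a(records, rdata, origin)
    return [rdata for rtype, rdata in rrs or [] if rtype == "A"]
```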
Split resolution
Split (split-horizon) DNS resolution: the server distinguishes queries by their source IP address and gives different kinds of clients different answers.
For example, searching a map for the nearest hotel of a chain returns different results from different locations.
DNS server (192.168.88.53):
```
[root@dns ~]
Disabled
[root@dns ~]
未安装软件包 firewalld
[root@dns ~]
[root@dns ~]
```
```
options {
        directory "/var/named";
};

view "class01" {
        match-clients { 192.168.88.104; 192.168.100.0/24; };
        zone "example" IN {
                type master;
                file "example.zone";
        };
};
view "class02" {
        match-clients { any; };
        zone "example" IN {
                type master;
                file "other.zone";
        };
};
```
```
[root@dns ~]
-rw-r----- 1 root named 194 11月  6 23:27 /var/named/named.localhost
[root@dns ~]
[root@dns ~]
```
```
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      server
server  A       192.168.88.53
www     A       11.11.11.11
```
```
[root@dns ~]
[root@dns ~]
```
```
www     A       22.22.22.22
```
```
[root@dns ~]
[root@dns ~]
```
client1 (192.168.88.104):
```
[root@client ~]
[root@client ~]
[root@client ~]
Server:         192.168.88.53
Address:        192.168.88.53

Name:   www.example
Address: 11.11.11.11
[root@client ~]
www.example has address 11.11.11.11
```
client2 (192.168.88.102):
```
[root@client ~]
[root@client ~]
[root@client ~]
Server:         192.168.88.53
Address:        192.168.88.53

Name:   www.example
Address: 22.22.22.22
[root@client ~]
www.example has address 22.22.22.22
```
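Added example, not from the original notes: a Python model of how named picks the view that answers a client, using the match-clients lists from the named.conf above. The first matching view wins, so listing the `any` view first would shadow class01; the `!` negation prefix is BIND ACL syntax this page does not use, and all function names are mine.

```python
# Model of how named chooses the view that answers a client, using the
# match-clients lists from the named.conf above. Added example, not from the
# original notes; it handles address/prefix entries, "any", and BIND's "!"
# negation prefix (which this page does not use).
import ipaddress

# Views in the order they appear in named.conf: the first whose ACL accepts the
# client answers it. Putting the "any" view first would shadow class01.
VIEWS = [
    ("class01", ["192.168.88.104", "192.168.100.0/24"]),
    ("class02", ["any"]),
]


def acl_matches(acl, client):
    """Evaluate a BIND address-match list: entries are checked in order, the
    first hit decides, and a leading '!' turns that hit into a rejection."""
    addr = ipaddress.ip_address(client)
    for entry in acl:
        negate = entry.startswith("!")
        target = entry.lstrip("!").strip()
        hit = target == "any" or addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negate
    return False  # no entry matched: the ACL rejects the client


def select_view(client, views=VIEWS):
    """Name of the first view that accepts the client, or None when no view
    does (named then answers REFUSED)."""
    for name, acl in views:
        if acl_matches(acl, client):
            return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.88.104", "192.168.100.7", "192.168.88.102"):
        print(ip, "->", select_view(ip))
```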
Master/slave architecture
Master server: allows the zone file to be transferred to the slave; server type master
Slave server: server type slave; downloads (synchronizes) the zone file from the master and stores it under a new name (in BIND's binary raw format by default); it can be told to store the downloaded zone file as plain text
Master DNS server (192.168.88.53):
```
[root@dns ~]
Disabled
[root@dns ~]
未安装软件包 firewalld
[root@dns ~]
[root@dns ~]
```
```
options {
        directory "/var/named";
        allow-transfer { 192.168.88.153; };   // allow zone transfers to this address
};
zone "example" IN {
        type master;                          // master (primary) server
        file "example.zone";
};
```
```
[root@dns ~]
-rw-r----- 1 root named 194 11月  6 23:27 /var/named/named.localhost
[root@dns ~]
[root@dns ~]
```
```
$TTL 1D                                 ; cache time (TTL) of the resource records
@       IN SOA  @ rname.invalid. (
                1949100101 ; serial     ; version of the data; by convention ten digits: year, month, day, change count
                1D         ; refresh    ; the slave contacts the master once a day (health check)
                1H         ; retry      ; if that check fails, retry once an hour
                1W         ; expire     ; after repeated failures, keep trying for one week
                3H )       ; minimum    ; cache time for records that have no TTL set
        NS      server
        NS      cong
server  A       192.168.88.53
cong    A       192.168.88.153          ; the second DNS server
www     A       11.11.11.11
```
```
[root@dns ~]
[root@dns ~]
```
Slave DNS server (192.168.88.153):
```
[root@dns2 ~]
Disabled
[root@dns2 ~]
未安装软件包 firewalld
[root@dns2 ~]
[root@dns2 ~]
drwxrwx--T 6 root named 162 11月 12 00:40 /var/named/
[root@dns2 ~]
```
```
options {
        directory "/var/named/";
};
zone "example" IN {
        type slave;                       // slave (secondary) server
        masters { 192.168.88.53; };       // its master server
        file "example.slave";             // zone file downloaded from the master (binary raw format by default), saved under this name
        masterfile-format text;           // store the downloaded zone file as plain text
};
```
```
[root@dns2 ~]
[root@dns2 ~]
[root@dns2 ~]
/var/named/example.slave
```
```
[root@client ~]
[root@client ~]
Server:         192.168.88.53
Address:        192.168.88.53

Name:   www.example
Address: 11.11.11.11
[root@client ~]
www.example has address 11.11.11.11
[root@client ~]
Server:         192.168.88.153
Address:        192.168.88.153

Name:   www.example
Address: 11.11.11.11
[root@client ~]
www.example has address 11.11.11.11
```
```
[root@dns ~]
[root@dns ~]
[root@dns ~]
```
```
[root@client ~]
[root@client ~]
Server:         192.168.88.53
Address:        192.168.88.53

Name:   www.example
Address: 11.11.11.22
[root@client ~]
Server:         192.168.88.153
Address:        192.168.88.153

Name:   www.example
Address: 11.11.11.22
```
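The slave only pulls a fresh copy at its refresh check when the master's serial has grown, so the edit on the master above has to bump the serial before the zone is reloaded. Added example, not from the original notes: next_serial follows the YYYYMMDDnn convention of the zone file, serial_newer is the RFC 1982 comparison a slave applies, and bump_zone_serial rewrites the `; serial` line; SAMPLE_ZONE is a constructed fragment and all function names are mine.

```python
# Serial handling for the master/slave setup above. Added example, not from the
# original notes: next_serial() follows the YYYYMMDDnn convention the zone file
# uses, serial_newer() is the RFC 1982 comparison a slave applies at each refresh,
# and bump_zone_serial() rewrites the "; serial" line before the zone is reloaded.
import re
from datetime import date

MAX32 = 2 ** 32

# Constructed zone fragment in the same layout as the master's example.zone above.
SAMPLE_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. (
                1949100101 ; serial
                1D         ; refresh
                3H )       ; minimum
        NS      server
"""

def next_serial(current, yyyymmdd=None):
    """Serial to write after an edit: today's YYYYMMDD plus a two-digit change
    counter. If the current serial is already at or beyond today's base (more
    than one edit today, or a serial that runs ahead of the calendar), just add
    one, so the result is always greater and the slave will transfer."""
    day = yyyymmdd or int(date.today().strftime("%Y%m%d"))
    base = day * 100
    return base if current < base else (current + 1) % MAX32

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic: candidate is newer when it lies less than 2^31
    ahead of current modulo 2^32. Equal serials are not newer, which is why a
    slave keeps its stale copy when the master was edited without a bump."""
    diff = (candidate - current) % MAX32
    return 0 < diff < 2 ** 31

SERIAL_LINE = re.compile(r"^([ \t]*)(\d+)([ \t]*;[ \t]*serial\b.*)$", re.M)

def bump_zone_serial(zone_text, yyyymmdd=None):
    """Return (new_text, new_serial) with the '<number> ; serial' line updated."""
    m = SERIAL_LINE.search(zone_text)
    if m is None:
        raise ValueError("no '; serial' line found in zone text")
    new = next_serial(int(m.group(2)), yyyymmdd)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], new

if __name__ == "__main__":
    text, new = bump_zone_serial(SAMPLE_ZONE)
    print(new, serial_newer(new, 1949100101))
```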
Caching DNS
Caching DNS: forwards resolution requests to the authoritative server, fetches the answer from it, and caches the result (the cache is lost on restart); this speeds up repeated lookups of the same name.
Authoritative DNS server (192.168.88.53):
```
[root@dns ~]
Disabled
[root@dns ~]
未安装软件包 firewalld
[root@dns ~]
[root@dns ~]
```
```
options {
        directory "/var/named";
        allow-transfer { 192.168.88.153; };   // allow zone transfers to this address
};
zone "example" IN {
        type master;
        file "example.zone";
};
```
```
[root@dns ~]
-rw-r----- 1 root named 194 11月  6 23:27 /var/named/named.localhost
[root@dns ~]
[root@dns ~]
```
```
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        1949100101 ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      server
server  A       192.168.88.53
www     A       11.11.11.11
```
```
[root@dns ~]
[root@dns ~]
```
Caching DNS server (192.168.88.253):
```
[root@dns3 ~]
Disabled
[root@dns3 ~]
未安装软件包 firewalld
[root@dns3 ~]
[root@dns3 ~]
```
```
options {
        directory "/var/named/";
        forwarders { 192.168.88.53; };
};
```
```
[root@dns3 ~]
[root@dns3 ~]
```
```
[root@client ~]
[root@client ~]
Server:         192.168.88.253
Address:        192.168.88.253

Non-authoritative answer:
Name:   www.example
Address: 11.11.11.11
```