1、简述DNS服务器原理,并搭建主-辅服务器。
###主DNS配置
#安装包
#修改配置文件
[root@master-dns ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost;};
allow-transfer { 172.17.8.27; }; // 从服务器的IP：只允许从服务器进行区域传输
#添加区域
[root@master-dns ~]# vim /etc/named.rfc1912.zones
zone "magedu.org" IN {
type master;
file "magedu.org.zone";
};
#创建区域库资源解析库
[root@master-dns ~]#cp -p /var/named/named.localhost /var/named/magedu.org.zone
[root@master-dns ~]# cat /var/named/magedu.org.zone
$TTL 1D
@ IN SOA master admin.magedu.org. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 172.17.8.17
slave A 172.17.8.27
www A 172.17.8.47
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
####从DNS的配置
#安装相关的包
#修改/etc/named.conf配置文件
[root@dns-slave ~]#vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
allow-transfer { none; }; // 不允许其他主机进行区域传输
#添加区域文件
[root@dns-slave ~]# vim /etc/named.rfc1912.zones
zone "magedu.org" IN {
type slave;
masters { 172.17.8.17; }; // 主服务器的IP
file "slaves/magedu.org.slave";
};
###客户端验证
#主DNS没有关闭
[root@centos7 ~]# nslookup www.magedu.org
Server: 172.17.8.17
Address: 172.17.8.17#53
Name: www.magedu.org
Address: 172.17.8.47
[root@centos7 ~]# curl www.magedu.org
hello,world
#关闭主DNS
[root@master-dns ~]# systemctl stop named
[root@master-dns ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: inactive (dead)
Nov 23 13:21:12 master-dns named[2583]: zone magedu.org/IN: loaded serial 1
Nov 23 13:21:12 master-dns named[2583]: all zones loaded
Nov 23 13:21:12 master-dns named[2583]: running
Nov 23 13:21:12 master-dns named[2583]: zone magedu.org/IN: sending notifies (serial 1)
Nov 23 13:21:12 master-dns named[2583]: client 172.17.8.27#59144 (magedu.org): transfer of 'magedu.org/IN': AXFR started
Nov 23 13:21:12 master-dns named[2583]: client 172.17.8.27#59144 (magedu.org): transfer of 'magedu.org/IN': AXFR ended
Nov 23 13:23:37 master-dns systemd[1]: Stopping Berkeley Internet Name Domain (DNS)...
Nov 23 13:23:37 master-dns named[2583]: received control channel command 'stop'
Nov 23 13:23:37 master-dns systemd[1]: Stopped Berkeley Internet Name Domain (DNS).
Nov 23 14:19:44 master-dns systemd[1]: Stopped Berkeley Internet Name Domain (DNS).
[root@centos7 ~]# nslookup www.magedu.org
Server: 172.17.8.27
Address: 172.17.8.27#53
Name: www.magedu.org
Address: 172.17.8.47
2、搭建并实现智能DNS。
####主DNS服务端配置文件实现 view
vim /etc/named.conf
#在文件最前面加下面行
acl beijingnet {
10.0.0.0/24;
};
acl shanghainet {
172.16.0.0/16;
};
acl othernet {
any;
};
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#其它略
# 创建view
view beijingview {
match-clients { beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients { othernet;};
include "/etc/named.rfc1912.zones.other";
};
include "/etc/named.root.key";
#######实现区域配置文件
vim /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.bj";
};
vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.sh";
};
vim /etc/named.rfc1912.zones.other
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.other";
};
chgrp named /etc/named.rfc1912.zones.bj
chgrp named /etc/named.rfc1912.zones.sh
chgrp named /etc/named.rfc1912.zones.other
#####创建区域数据库文件
vim /var/named/magedu.org.zone.bj
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 10.0.0.7
www CNAME websrv
vim /var/named/magedu.org.zone.sh
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 172.16.0.7
www CNAME websrv
vim /var/named/magedu.org.zone.other
$TTL 1D
@ IN SOA master admin.magedu.org. (
2019042214 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
websrv A 127.0.0.1
www CNAME websrv
chgrp named /var/named/magedu.org.zone.bj
chgrp named /var/named/magedu.org.zone.sh
chgrp named /var/named/magedu.org.zone.other
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
#分别在三台主机上安装http服务
#在web服务器1:10.0.0.8/24实现
yum install httpd
echo www.magedu.org in Other > /var/www/html/index.html
systemctl start httpd
#在web服务器2:10.0.0.7/16
echo www.magedu.org in Beijing > /var/www/html/index.html
systemctl start httpd
#在web服务器3:172.16.0.7/16
yum install httpd
echo www.magedu.org in Shanghai > /var/www/html/index.html
systemctl start httpd
####客户端测试
#DNS客户端1:10.0.0.6/24 实现,确保DNS指向10.0.0.8
curl www.magedu.org
www.magedu.org in Beijing
#DNS客户端2:172.16.0.6/16 实现,确保DNS指向172.16.0.8
curl www.magedu.org
www.magedu.org in Shanghai
#DNS客户端3:10.0.0.8 实现,确保DNS指向127.0.0.1
curl www.magedu.org
www.magedu.org in Other
3、使用iptable实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝
[root@centos7 ~]# iptables -A INPUT -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
[root@centos7 ~]# iptables -A INPUT -j REJECT
# 注意：规则按顺序匹配，末尾的 REJECT 同样会拒绝回环(lo)和 ICMP 等流量，如需保留应在其之前先放行 -i lo；FTP 的数据连接只有在加载 FTP 连接跟踪模块(nf_conntrack_ftp)后才能被 RELATED 规则匹配。
3、NAT原理总结
1、NAT表适用于PREROUTING、INPUT、OUTPUT、POSTROUTING四个链
2、SNAT:支持POSTROUTING,INPUT,让本地网络中的主机通过某一特定地址访问外部网络,实现地址伪装,请求报文:修改源IP
3、DNAT:支持PREROUTING,OUTPUT,把本地网络中的主机上的某服务开放给外部网络访问(发布服务和端口映射)但隐藏真实IP;请求报文:修改目标IP
4、iptables实现SNAT和DNAT,并对规则持久保存
[root@firewall ~]#cat /etc/sysctl.conf
net.ipv4.ip_forward=1