文章目录
一、域名的解析过程
HOSTS文件→→本地缓存(操作系统/浏览器)→→本机配置的递归DNS服务器(先查其缓存)→→根域服务器(13组根服务器地址，通过anycast部署了大量实例)→→顶级域(TLD)服务器→→该域名的权威DNS服务器
#任何一步中查询到对应结果直接返回；递归DNS服务器拿到权威应答后，在把记录返回给客户端的同时会按记录的TTL在本地缓存一份。注意：hosts文件优先级最高，整条链路默认是明文UDP/53，容易被劫持或投毒，需要时用DNSSEC做校验、DoT/DoH做加密。
二、DNS服务器相关信息
类型 | 说明 |
---|---|
软件包名称 | bind |
服务名称 | named |
端口号 | TCP/UDP:53（普通查询以UDP为主，区域传送和超过UDP长度的应答走TCP）；另外rndc控制通道953/tcp只应监听127.0.0.1 |
配置文件-主配置文件(服务器运行参数) | /etc/named.conf |
配置文件-区域配置文件(服务器解析的区域配置、正反向区域定义) | /etc/named.rfc1912.zones |
配置文件-数据配置文件(主机名和IP的对应关系及主从同步信息) | /var/named/xx.xx |
三、DNS服务器的记录类型
类型 | 说明 |
---|---|
A | 地址记录用来指定域名的IPV4地址 |
CNAME | 别名记录，将域名指向另一个域名，再由另一个域名提供IP地址 |
TXT | 文本记录，每个字符串段最长255字节(一条记录可由多段拼接)，常用于SPF/DKIM/DMARC反垃圾邮件策略以及域名所有权验证 |
NS | 域名服务器记录,把子域名交给其他DNS服务商解析 |
AAAA | 地址记录用来指定域名的IPV6地址 |
MX | 邮件交换记录 |
四、搭建DNS服务器
关闭iptables及selinux（仅为实验环境省事，生产环境不要这样做：保留firewalld，只放行53/tcp和53/udp，例如 firewall-cmd --permanent --add-service=dns && firewall-cmd --reload；SELinux对bind有现成策略(named_t)，保持enforcing即可，区域文件放在/var/named下并用 restorecon -Rv /var/named 修正上下文）
[root@centos-01 ~]# systemctl stop firewalld
[root@centos-01 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-01 ~]# sudo setenforce 0
[root@centos-01 ~]# getenforce
Permissive
[root@centos-01 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos-01 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
4.1 搭建DNS服务器
[root@centos-01 ~]# yum -y install bind
[root@centos-01 ~]# rpm -qa |grep bind
bind-libs-9.11.4-16.P2.el7_8.6.x86_64
bind-export-libs-9.11.4-16.P2.el7.x86_64
bind-license-9.11.4-16.P2.el7_8.6.noarch
bind-libs-lite-9.11.4-16.P2.el7_8.6.x86_64
bind-9.11.4-16.P2.el7_8.6.x86_64
[root@centos-01 ~]# cat /etc/named.conf
options {
listen-on port 53 { any; }; #127.0.0.1修改为any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; #localhost修改为any
allow-recursion { localhost; 192.168.64.0/24; }; #只允许本机和内网客户端递归查询。allow-query any + recursion yes 而不限制递归 = 开放递归解析器，会被用作DNS放大/反射攻击跳板（下面netstat可见53端口也监听在外网地址10.10.19.154上）
allow-transfer { 192.168.64.30; }; #只允许4.2节的从服务器做区域传送(AXFR)；BIND默认allow-transfer为any，任何人都能用 dig axfr 把整个区域拖走
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
#正向解析
zone "ygxxs.com" IN {
type master;
file "ygxxs.com.zone";
allow-update { none; };
};
#反向解析
zone "64.168.192.in-addr.arpa" IN {
type master;
file "192.168.64.arpa";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#检查配置
[root@centos-01 ~]# named-checkconf
[root@centos-01 ~]#
#添加正向解析及反向解析区域
[root@centos-01 ~]# vi /etc/named.rfc1912.zones
zone "ygxxs.com" IN {
type master;
file "ygxxs.com.zone";
allow-update { none; };
};
zone "64.168.192.in-addr.arpa" IN {
type master;
file "192.168.64.arpa";
allow-update { none; };
};
#配置正向解析
[root@centos-01 ~]# cp /var/named/named.localhost /var/named/ygxxs.com.zone
[root@centos-01 ~]# chown root:named /var/named/ygxxs.com.zone
[root@centos-01 ~]# cat /var/named/ygxxs.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial，每次修改区域文件后必须递增(惯例用YYYYMMDDnn)，否则从服务器不会重新同步
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (否定应答缓存时间)
NS @
@ A 192.168.64.1 ; 域名本身(apex)的地址记录，4.3节测试中 ygxxs.com 解析到的就是它；NS @ 因此也指向该地址而不是DNS服务器本机(192.168.64.128)，生产环境应写成 NS ns1 并为 ns1 单独加A记录指向DNS服务器
www A 192.168.64.1
ftp CNAME www ; 与下文客户机验证输出一致(ftp.ygxxs.com canonical name = www.ygxxs.com.)
mail CNAME www
#配置反向解析
[root@centos-01 ~]# cp /var/named/named.localhost /var/named/192.168.64.arpa
[root@centos-01 ~]# chown root:named /var/named/192.168.64.arpa
[root@centos-01 ~]# vi /var/named/192.168.64.arpa
$TTL 1D
@ IN SOA ygxxs.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ygxxs.com.
; PTR的目标必须写成以"."结尾的完全限定名，否则会被自动追加$ORIGIN(64.168.192.in-addr.arpa)，
; 下文测试输出中的 "www.ygxxs.com.64.168.192.in-addr.arpa." 就是漏写点号的结果。
; 另外一个IP通常只配一条PTR并与正向记录互相对应，多条PTR会让依赖反向校验的邮件服务器/日志系统得到不确定的结果。
1 PTR www.ygxxs.com.
1 PTR ftp.ygxxs.com.
1 PTR mail.ygxxs.com.
#检查配置是否正确
[root@centos-01 ~]# named-checkzone "ygxxs.com" /var/named/ygxxs.com.zone
zone ygxxs.com/IN: loaded serial 0
OK
#区域名必须与named.conf中一致(反向区域是八位组倒序)，写成 192.168.64.in-addr.arpa 检查的其实是另一个origin，检查结果没有意义
[root@centos-01 ~]# named-checkzone "64.168.192.in-addr.arpa" /var/named/192.168.64.arpa
zone 64.168.192.in-addr.arpa/IN: loaded serial 0
OK
[root@centos-01 ~]# named-checkconf -z
#启动服务
[root@centos-01 ~]#systemctl start named
[root@centos-01 ~]# netstat -tlun |grep 53
tcp 0 0 10.10.19.154:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp6 0 0 ::1:53 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
udp 0 0 10.10.19.154:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp6 0 0 ::1:53 :::*
踩坑:named.conf中的字符串必须用ASCII半角双引号 " 包裹，不支持单引号；更常见的坑是从网页/编辑器粘贴进来的全角或弯引号(“ ”)，named-checkconf会直接报语法错误，上文 zone “ygxxs.com” 的写法就是这种情况。统一使用半角双引号。(python的习惯单双引号混用出问题查了好久)
客户机验证
[root@centos-03 ~]# nslookup
> server 192.168.64.128
Default server: 192.168.64.128
Address: 192.168.64.128#53
> www.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
Name: www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
mail.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
ftp.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = www.ygxxs.com.64.168.192.in-addr.arpa.
4.2 主从DNS服务器
#关闭防火墙和SELinux
[root@centos-02 ~]# systemctl stop firewalld
[root@centos-02 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-02 ~]# sudo setenforce 0
[root@centos-02 ~]# getenforce
Permissive
[root@centos-02 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos-02 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
#安装bind
[root@centos-02 ~]# yum -y install bind*
#修改主配置文件/etc/named.conf
[root@centos-02 ~]# vi /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-recursion { localhost; 192.168.64.0/24; }; #从服务器同样不要做开放递归解析器
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#修改区域配置文件/etc/named.rfc1912.zones
[root@centos-02 ~]# vi /etc/named.rfc1912.zones
#正向解析区域（主服务器端需要 allow-transfer 放行本机IP；主服务器每次改区域文件要递增SOA serial，否则这里不会重新拉取；生产环境建议用TSIG密钥签名区域传送）
zone "ygxxs.com" IN {
type slave;
masters { 192.168.64.128; };
file "slaves/ygxxs.com";
allow-transfer { none; }; #从服务器不再向外提供区域传送
};
#反向解析区域
zone "64.168.192.in-addr.arpa." IN {
type slave;
masters { 192.168.64.128; };
file "slaves/64.168.192.zone";
allow-transfer { none; };
};
#启动从机named服务
[root@centos-02 ~]# systemctl start named #无报错则启动正常；再用 ls /var/named/slaves/ 确认区域文件已经传过来，或在 journalctl -u named 里找 "transfer of 'ygxxs.com/IN' ... AXFR ended" 确认同步成功
#测试
[root@centos-03 ~]# nslookup
> server 192.168.64.30
Default server: 192.168.64.30
Address: 192.168.64.30#53
>
> www.ygxxs.com
Server: 192.168.64.30
Address: 192.168.64.30#53
Name: www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server: 192.168.64.30
Address: 192.168.64.30#53
ftp.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server: 192.168.64.30
Address: 192.168.64.30#53
ftp.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server: 192.168.64.30
Address: 192.168.64.30#53
mail.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = www.ygxxs.com.64.168.192.in-addr.arpa.
4.3 DNS缓存服务器
#关闭防火墙和SELinux
[root@centos-04 ~]# systemctl stop firewalld
[root@centos-04 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-04 ~]# sudo setenforce 0
[root@centos-04 ~]# getenforce
Permissive
[root@centos-04 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
[root@centos-04 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
#安装dnsmasq
[root@centos-04 ~]# yum -y install dnsmasq*
#编辑配置文件（dnsmasq默认监听所有接口，并且会把/etc/resolv.conf里的上游也当作转发目标，对外提供缓存服务前先收紧）
[root@centos-04 ~]# vi /etc/dnsmasq.conf
listen-address=127.0.0.1,192.168.64.129 #只在本机和内网地址上监听，避免成为开放解析器
bind-interfaces
no-resolv #不再读取/etc/resolv.conf，上游只用下面server=指定的
domain=ygxxs.com #该选项只影响DHCP下发的搜索域，对DNS转发/缓存没有作用，可以不配
server=192.168.64.30 #上游服务器IP地址(这里是4.2节的从服务器)
cache-size=15000 #缓存条数
#重启dnsmasq服务
[root@centos-04 ~]# systemctl restart dnsmasq
#客户机验证
[root@centos-01 ~]# nslookup
> server 192.168.64.129
Default server: 192.168.64.129
Address: 192.168.64.129#53
>
> ygxxs.com
Server: 192.168.64.129
Address: 192.168.64.129#53
Name: ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server: 192.168.64.129
Address: 192.168.64.129#53
ftp.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server: 192.168.64.129
Address: 192.168.64.129#53
mail.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = www.ygxxs.com.64.168.192.in-addr.arpa.
>
4.4 DNS分离解析(智能解析)
在DNS服务器上添加一块网卡,模拟服务器内网外网连接,其中eth0接外网,eth1接内网。
[root@centos-01 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.19.154 netmask 255.255.255.0 broadcast 10.10.19.255
inet6 fe80::20c:29ff:fe43:41d9 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:43:41:d9 txqueuelen 1000 (Ethernet)
RX packets 209095 bytes 43746244 (41.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23705 bytes 2604037 (2.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.64.128 netmask 255.255.255.0 broadcast 192.168.64.255
inet6 fe80::1535:4d36:1713:8e26 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:43:41:e3 txqueuelen 1000 (Ethernet)
RX packets 263 bytes 30755 (30.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 136 bytes 20277 (19.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#服务器开启IP转发，让10.10.19.0/24与192.168.64.0/24之间可以互相路由。注意：DNS分离解析本身不需要转发，开启后这台机器就成了内外网之间的路由器，生产环境应由专门的网关/防火墙承担并做访问控制，DNS服务器不要兼任
[root@centos-01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
[root@centos-01 ~]# sysctl -p
net.ipv4.ip_forward = 1
#备份/etc/named.conf
[root@centos-01 ~]# cp -a /etc/named.conf /etc/named.conf.bak
#编辑/etc/named.conf
[root@centos-01 ~]# vi /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
/*
#注释掉这部分
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
*/
view lan {
match-clients { 192.168.64.0/24; }; #view按书写顺序自上而下匹配，内网view必须放在match any的view之前
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/lan.zones";
};
view wan {
match-clients { any; };
recursion no; #外网view只提供权威应答。不加这一行，全局 recursion yes + allow-query any 会让这台机器对整个互联网开放递归，成为DNS放大攻击跳板
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/wan.zones";
};
include "/etc/named.root.key";
#生成自定义区域配置文件
[root@centos-01 ~]# cp -a /etc/named.rfc1912.zones /etc/lan.zones
[root@centos-01 ~]# vi /etc/lan.zones
zone "ygxxs.com" IN {
type master;
file "ygxxs.com.zone";
allow-update { none; }; #不要写any：allow-update { any; } 允许任何客户端用nsupdate动态改写区域，等于把整个域名交给任意内网主机
};
zone "64.168.192.in-addr.arpa" IN {
type master;
file "192.168.64.arpa";
allow-update { none; };
};
#这里lan的数据配置文件与之前相同无需更改。
[root@centos-01 ~]# cp -a /etc/named.rfc1912.zones /etc/wan.zones
[root@centos-01 ~]# vi /etc/wan.zones
zone "ygxxs.com" IN {
type master;
file "wan.ygxxs.com.zone";
allow-update { none; }; #外网view里写 allow-update { any; } 意味着互联网上任何人都能改写公网解析记录，必须是none(确实需要动态更新时用 update-policy + TSIG密钥)
};
zone "19.10.10.in-addr.arpa" IN { #外网网段是10.10.19.0/24，反向区域名是八位组倒序 19.10.10；原文的 19.77.10 与后面创建的 19.10.10.arpa 文件对不上
type master;
file "19.10.10.arpa";
allow-update { none; };
};
#配置wan的数据配置文件
#正向解析
[root@centos-01 ~]# cp -a /var/named/ygxxs.com.zone /var/named/wan.ygxxs.com.zone #目标文件名要与wan.zones里的file以及下一行vi的文件名一致
[root@centos-01 ~]# vi /var/named/wan.ygxxs.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS @
A 10.10.19.154
www A 10.10.19.154
ftp CNAME www
mail CNAME www
#反向解析
[root@centos-01 ~]# cp -a /var/named/192.168.64.arpa /var/named/19.10.10.arpa
[root@centos-01 ~]# vi /var/named/19.10.10.arpa
$TTL 1D
@ IN SOA ygxxs.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ygxxs.com.
; PTR目标同样要以"."结尾，否则会被追加$ORIGIN，下文外网主机测试中 "mail.ygxxs.com.19.10.10.in-addr.arpa" 就是漏写点号的结果；一个IP通常只保留一条PTR
154 PTR www.ygxxs.com.
154 PTR ftp.ygxxs.com.
154 PTR mail.ygxxs.com.
#检查下配置
[root@centos-01 ~]# named-checkconf -z
zone ygxxs.com/IN: loaded serial 0
zone 64.168.192.in-addr.arpa/IN: loaded serial 0
zone ygxxs.com/IN: loaded serial 0
zone 19.10.10.in-addr.arpa/IN: loaded serial 0
#重启named服务
[root@centos-01 ~]# systemctl restart named
#外网主机测试
C:\Users\86186>nslookup
默认服务器: XiaoQiang
Address: 10.10.19.253
> server 10.10.19.154
默认服务器: [10.10.19.154]
Address: 10.10.19.154
> www.ygxxs.com
服务器: [10.10.19.154]
Address: 10.10.19.154
名称: www.ygxxs.com
Address: 10.10.19.154
> ftp.ygxxs.com
服务器: [10.10.19.154]
Address: 10.10.19.154
名称: www.ygxxs.com
Address: 10.10.19.154
Aliases: ftp.ygxxs.com
> mail.ygxxs.com
服务器: [10.10.19.154]
Address: 10.10.19.154
名称: www.ygxxs.com
Address: 10.10.19.154
Aliases: mail.ygxxs.com
> 10.10.19.154
服务器: [10.10.19.154]
Address: 10.10.19.154
名称: mail.ygxxs.com.19.10.10.in-addr.arpa
Address: 10.10.19.154
#内网主机测试
[root@centos-03 ~]# nslookup
> server 192.168.64.128
Default server: 192.168.64.128
Address: 192.168.64.128#53
> www.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
Name: www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
ftp.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server: 192.168.64.128
Address: 192.168.64.128#53
mail.ygxxs.com canonical name = www.ygxxs.com.
Name: www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = www.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa name = ftp.ygxxs.com.64.168.192.in-addr.arpa.