每天一个新知识之Linux(CentOS7)下的DNS服务器部署(主从、DNS缓存、分离解析)

一、域名的解析过程

HOST→→本地缓存→→DNS服务器|DNS服务器缓存→→全球13个根域服务器

#任何一步中查询到对应结果直接返回,DNS服务器收到返回信息后会将解析记录返回的同时在本地缓存一份对应记录。

二、DNS服务器相关信息

类型说明
软件包名称bind
服务名称named
端口号TCP/UDP:53
配置文件-主配置文件(服务器运行参数)/etc/named.conf
配置文件-区域配置文件(服务器解析的区域配置、正反向区域定义)/etc/named.rfc1912.zones
配置文件-数据配置文件(主机名和IP的对应关系及主从同步信息)/var/named/xx.xx

三、DNS服务器的记录类型

类型说明
A地址记录用来指定域名的IPV4地址
CNAME将域名指向另一个域名,再由另一个域名提供IP地址
TXT文本,长度255,主要用来做SPF反垃圾邮件
NS域名服务器记录,把子域名交给其他DNS服务商解析
AAAA地址记录用来指定域名的IPV6地址
MX邮件交换记录

四、搭建DNS服务器

关闭iptables及selinux(仅适用于实验环境;生产环境应保留防火墙并只放行TCP/UDP 53端口,SELinux通常也无需关闭,named自带策略可在enforcing下正常运行)

[root@centos-01 ~]# systemctl stop firewalld
[root@centos-01 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-01 ~]# sudo setenforce 0
[root@centos-01 ~]# getenforce
Permissive
[root@centos-01 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config 
[root@centos-01 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled

4.1 搭建DNS服务器

[root@centos-01 ~]# yum -y install bind
[root@centos-01 ~]# rpm -qa |grep bind
bind-libs-9.11.4-16.P2.el7_8.6.x86_64
bind-export-libs-9.11.4-16.P2.el7.x86_64
bind-license-9.11.4-16.P2.el7_8.6.noarch
bind-libs-lite-9.11.4-16.P2.el7_8.6.x86_64
bind-9.11.4-16.P2.el7_8.6.x86_64
[root@centos-01 ~]# cat /etc/named.conf 
options {
	listen-on port 53 { any; };					#127.0.0.1修改为any
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };					#localhost修改为any
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};
#正向解析
zone "ygxxs.com" IN {
        type master;
        file "ygxxs.com.zone";
        allow-update { none; };
};
#反向解析
zone "64.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.64.arpa";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#检查配置
[root@centos-01 ~]# named-checkconf 		
[root@centos-01 ~]# 
#添加正向解析及反向解析区域
[root@centos-01 ~]# vi /etc/named.rfc1912.zones 
zone "ygxxs.com" IN {
        type master;
        file "ygxxs.com.zone";
        allow-update { none; };
};
zone "64.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.64.arpa";
        allow-update { none; };
};

#配置正向解析
[root@centos-01 ~]# cp /var/named/named.localhost /var/named/ygxxs.com.zone
[root@centos-01 ~]# chown root:named /var/named/ygxxs.com.zone 
[root@centos-01 ~]# cat /var/named/ygxxs.com.zone 
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
       NS      @
www    A       192.168.64.1
ftp    A       192.168.64.1
mail   CNAME   www                     
#配置反向解析(PTR记录的目标名应以"."结尾,如 www.ygxxs.com.,否则named会自动在其后追加区域名,见下方客户机验证中的 name = www.ygxxs.com.64.168.192.in-addr.arpa.)
[root@centos-01 ~]# cp /var/named/named.localhost /var/named/192.168.64.arpa
[root@centos-01 ~]# chown root:named /var/named/192.168.64.arpa 
[root@centos-01 ~]# vi /var/named/192.168.64.arpa 
$TTL 1D
@       IN SOA  ygxxs.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ygxxs.com.
1       PTR     www.ygxxs.com
1       PTR     ftp.ygxxs.com
1       PTR     mail.ygxxs.com

#检查配置是否正确(注意反向区域名应为 64.168.192.in-addr.arpa,与named.conf中一致;下面命令写成 192.168.64.in-addr.arpa 时检查虽能通过,但校验所用的origin与实际加载的区域并不相同)
[root@centos-01 ~]# named-checkzone "ygxxs.com" /var/named/ygxxs.com.zone 
zone ygxxs.com/IN: loaded serial 0
OK
[root@centos-01 ~]# named-checkzone "192.168.64.in-addr.arpa" /var/named/192.168.64.arpa 
zone 192.168.64.in-addr.arpa/IN: loaded serial 0
OK
[root@centos-01 ~]# named-checkconf -z
#启动服务
[root@centos-01 ~]#systemctl start named
[root@centos-01 ~]# netstat -tlun |grep 53
tcp        0      0 10.10.19.154:53         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN     
tcp6       0      0 ::1:53                  :::*                    LISTEN     
tcp6       0      0 ::1:953                 :::*                    LISTEN     
udp        0      0 10.10.19.154:53         0.0.0.0:*                          
udp        0      0 127.0.0.1:53            0.0.0.0:*                          
udp6       0      0 ::1:53                  :::*    

踩坑:配置文件中对单引号、双引号敏感,统一使用英文双引号,不要使用单引号或中文全角引号。(python的习惯单双引号混用出问题查了好久)另外,`allow-query { any; };` 与 `recursion yes;` 同时开启会让这台服务器成为对任意客户端开放的递归解析器,容易被用于DNS放大攻击;非实验环境建议加上 `allow-recursion { 192.168.64.0/24; };` 把递归限制在内网网段。

客户机验证

[root@centos-03 ~]# nslookup
> server 192.168.64.128    
Default server: 192.168.64.128
Address: 192.168.64.128#53
> www.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

Name:	www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

mail.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

ftp.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa	name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = www.ygxxs.com.64.168.192.in-addr.arpa.

4.2 主从DNS服务器

#关闭防火墙和SELinux
[root@centos-02 ~]# systemctl stop firewalld
[root@centos-02 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-02 ~]# sudo setenforce 0
[root@centos-02 ~]# getenforce
Permissive
[root@centos-02 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config 
[root@centos-02 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
#安装bind
[root@centos-02 ~]# yum -y install bind*
#修改主配置文件/etc/named.conf
[root@centos-02 ~]# vi /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#修改区域配置文件/etc/named.rfc1912.zones(主从同步依赖区域传送AXFR,主服务器的区域中建议显式加上 `allow-transfer { 192.168.64.30; };` 只允许从服务器拉取,否则这个版本的BIND默认可能允许任意主机下载整个区域数据)
[root@centos-02 ~]# vi /etc/named.rfc1912.zones 
#正向解析区域
zone "ygxxs.com" IN {
        type slave;
        masters { 192.168.64.128; };
        file "slaves/ygxxs.com";
};
#反向解析区域
zone "64.168.192.in-addr.arpa." IN {
        type slave;
        masters { 192.168.64.128; };
        file "slaves/64.168.192.zone";
};
#启动从机named服务
[root@centos-02 ~]# systemctl start named	#无报错则启动正常
#测试
[root@centos-03 ~]# nslookup
> server 192.168.64.30
Default server: 192.168.64.30
Address: 192.168.64.30#53
> 
> www.ygxxs.com
Server:		192.168.64.30
Address:	192.168.64.30#53

Name:	www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server:		192.168.64.30
Address:	192.168.64.30#53

ftp.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server:		192.168.64.30
Address:	192.168.64.30#53

ftp.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server:		192.168.64.30
Address:	192.168.64.30#53

mail.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa	name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = www.ygxxs.com.64.168.192.in-addr.arpa.

4.3 DNS缓存服务器

#关闭防火墙和SELinux
[root@centos-04 ~]# systemctl stop firewalld
[root@centos-04 ~]# sudo systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@centos-04 ~]# sudo setenforce 0
[root@centos-04 ~]# getenforce
Permissive
[root@centos-04 ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config 
[root@centos-04 ~]# grep SELINUX=disabled /etc/selinux/config
SELINUX=disabled
#安装dnsmasq
[root@centos-04 ~]# yum -y install dnsmasq*
#编辑配置文件
[root@centos-04 ~]# vi /etc/dnsmasq.conf 
domain="ygxxs.com"			#域名
server=192.168.64.30		#服务器IP地址
cache-size=15000			#缓存条数
#重启dnsmasq服务
[root@centos-04 ~]# systemctl restart dnsmasq
#客户机验证
[root@centos-01 ~]# nslookup
> server 192.168.64.129
Default server: 192.168.64.129
Address: 192.168.64.129#53
> 
> ygxxs.com
Server:		192.168.64.129
Address:	192.168.64.129#53

Name:	ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server:		192.168.64.129
Address:	192.168.64.129#53

ftp.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server:		192.168.64.129
Address:	192.168.64.129#53

mail.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa	name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = www.ygxxs.com.64.168.192.in-addr.arpa.
> 

4.4 DNS分离解析(智能解析)

在DNS服务器上添加一块网卡,模拟服务器内网外网连接,其中eth0接外网,eth1接内网。

[root@centos-01 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.19.154  netmask 255.255.255.0  broadcast 10.10.19.255
        inet6 fe80::20c:29ff:fe43:41d9  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:43:41:d9  txqueuelen 1000  (Ethernet)
        RX packets 209095  bytes 43746244 (41.7 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 23705  bytes 2604037 (2.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.64.128  netmask 255.255.255.0  broadcast 192.168.64.255
        inet6 fe80::1535:4d36:1713:8e26  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:43:41:e3  txqueuelen 1000  (Ethernet)
        RX packets 263  bytes 30755 (30.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 136  bytes 20277 (19.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

#服务器开启IP路由转发(打通10.10.19.0/24与192.168.64.0/24两个网段)
[root@centos-01 ~]# echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf 
[root@centos-01 ~]# sysctl -p
net.ipv4.ip_forward = 1
#备份/etc/named.conf
[root@centos-01 ~]# cp -a /etc/named.conf /etc/named.conf.bak
#编辑/etc/named.conf
[root@centos-01 ~]# vi /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
/*
#注释掉这部分
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
*/
view lan {
        match-clients { 192.168.64.0/24; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/lan.zones";
};
view wan {
        match-clients { any; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/wan.zones";
};
include "/etc/named.root.key";
#生成自定义区域配置文件
[root@centos-01 ~]# cp -a /etc/named.rfc1912.zones /etc/lan.zones
[root@centos-01 ~]# vi /etc/lan.zones 
zone "ygxxs.com" IN {
        type master;
        file "ygxxs.com.zone";
        allow-update { any; };
};
zone "64.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.64.arpa";
        allow-update { any; };
};
#这里lan的数据配置文件与之前相同无需更改。注意:上面及下面wan.zones中的 `allow-update { any; };` 允许任意客户端不经认证地动态修改区域记录,应与4.1保持一致改回 `allow-update { none; };`。
[root@centos-01 ~]# cp -a /etc/named.rfc1912.zones /etc/wan.zones
[root@centos-01 ~]# vi /etc/wan.zones 
zone "ygxxs.com" IN {
        type master;
        file "wan.ygxxs.com.zone";
        allow-update { any; };
};
zone "19.77.10.in-addr.arpa" IN {
        type master;
        file "19.77.10.arpa";
        allow-update { any; };
};
#配置wan的数据配置文件
#正向解析
[root@centos-01 ~]# cp -a /var/named/ygxxs.com.zone /var/named/wan.ygxxs.zone
[root@centos-01 ~]# vi /var/named/wan.ygxxs.com.zone 
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      @
        A       10.10.19.154
www     A       10.10.19.154
ftp     CNAME   www
mail    CNAME   www
#反向解析(PTR目标名同样应以"."结尾,如 www.ygxxs.com.,否则外网测试中会看到 mail.ygxxs.com.19.10.10.in-addr.arpa 这样被追加了区域名的结果)
[root@centos-01 ~]# cp -a /var/named/192.168.64.arpa /var/named/19.10.10.arpa
[root@centos-01 ~]# vi /var/named/19.10.10.arpa 
$TTL 1D
@       IN SOA  ygxxs.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ygxxs.com.
154     PTR     www.ygxxs.com
154     PTR     ftp.ygxxs.com
154     PTR     mail.ygxxs.com
#检查下配置
[root@centos-01 ~]# named-checkconf -z
zone ygxxs.com/IN: loaded serial 0
zone 64.168.192.in-addr.arpa/IN: loaded serial 0
zone ygxxs.com/IN: loaded serial 0
zone 19.77.10.in-addr.arpa/IN: loaded serial 0
#重启named服务
[root@centos-01 ~]# systemctl restart named
#外网主机测试
C:\Users\86186>nslookup
默认服务器:  XiaoQiang
Address:  10.10.19.253

> server 10.10.19.154
默认服务器:  [10.10.19.154]
Address:  10.10.19.154

> www.ygxxs.com
服务器:  [10.10.19.154]
Address:  10.10.19.154

名称:    www.ygxxs.com
Address:  10.10.19.154

> ftp.ygxxs.com
服务器:  [10.10.19.154]
Address:  10.10.19.154

名称:    www.ygxxs.com
Address:  10.10.19.154
Aliases:  ftp.ygxxs.com

> mail.ygxxs.com
服务器:  [10.10.19.154]
Address:  10.10.19.154

名称:    www.ygxxs.com
Address:  10.10.19.154
Aliases:  mail.ygxxs.com

> 10.10.19.154
服务器:  [10.10.19.154]
Address:  10.10.19.154

名称:    mail.ygxxs.com.19.10.10.in-addr.arpa
Address:  10.10.19.154
#内网主机测试
[root@centos-03 ~]# nslookup
> server 192.168.64.128
Default server: 192.168.64.128
Address: 192.168.64.128#53
> www.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

Name:	www.ygxxs.com
Address: 192.168.64.1
> ftp.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

ftp.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> mail.ygxxs.com
Server:		192.168.64.128
Address:	192.168.64.128#53

mail.ygxxs.com	canonical name = www.ygxxs.com.
Name:	www.ygxxs.com
Address: 192.168.64.1
> 192.168.64.1
1.64.168.192.in-addr.arpa	name = mail.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = www.ygxxs.com.64.168.192.in-addr.arpa.
1.64.168.192.in-addr.arpa	name = ftp.ygxxs.com.64.168.192.in-addr.arpa.
