I. How a DNS server resolves a name
1. The client sends a resolution request for the domain name to its local name server (recursive query).
2. The local name server first checks its own cache. If the record is there, it returns the result directly; if not, it sends the query to a root name server (iterative query).
3. The root name server replies with the IP address of a server responsible for the top-level domain (.com, .net and so on, which are children of the root) and hands it back to the local name server.
4. The local name server then queries the TLD server returned in the previous step. That server checks its own cache and, if the record is not there, returns the address of the next name server down (the second-level domain's name server).
5. The second-level name server checks its local cache; if the record is not there, it queries other second-level name servers, until either a result or an error is returned to the local name server.
6. The local name server caches the returned result so that it can answer the client directly next time.
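The walk in the six steps above, as a runnable model. This is an added example and not part of the original post: the hierarchy (a root server, a .net TLD server and the learn.net authoritative server), the zone contents and the client queries are all constructed here, the server addresses are illustrative, and nothing touches the network. The point it shows that the prose does not is how the local name server's cache turns three iterative queries into zero on the second request.

```python
"""Toy model of the resolution walk described in the six steps above.

Added example, not part of the original post. The name-server hierarchy
(a root server, a .net TLD server and the learn.net authoritative server),
their zone contents and the client queries are all constructed here and
nothing touches the network; the server addresses are illustrative.
"""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """An authoritative server: the names it answers for and the child zones
    it delegates (zone name -> address of that zone's name server)."""
    name: str
    answers: dict = field(default_factory=dict)
    delegations: dict = field(default_factory=dict)


# Constructed hierarchy. The root knows where .net lives, the .net server
# knows where learn.net lives, and the learn.net server holds the A record.
SERVERS = {
    "198.41.0.4": AuthServer("root", delegations={"net.": "192.5.6.30"}),
    "192.5.6.30": AuthServer("net-tld", delegations={"learn.net.": "192.168.100.7"}),
    "192.168.100.7": AuthServer("learn.net", answers={"www.learn.net.": "192.168.100.8"}),
}
ROOT_HINT = "198.41.0.4"   # the local server's root hint (named.ca in BIND)


def in_zone(qname, zone):
    """True if qname is zone itself or a name below it (label boundary respected)."""
    return qname == zone or qname.endswith("." + zone)


def ask(server_addr, qname):
    """One iterative query. The server either answers, refers the asker to a
    more specific server (steps 3-5), or reports that the name does not exist."""
    srv = SERVERS[server_addr]
    if qname in srv.answers:
        return "answer", srv.answers[qname]
    # The most specific delegation wins when several zones would match.
    for zone in sorted(srv.delegations, key=len, reverse=True):
        if in_zone(qname, zone):
            return "referral", srv.delegations[zone]
    return "nxdomain", None


class LocalResolver:
    """The 'local name server' of step 1: recursive towards its clients,
    iterative towards the rest of the hierarchy, with a cache."""

    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0   # how many iterative queries were sent

    def resolve(self, name, max_hops=10):
        qname = name if name.endswith(".") else name + "."
        if qname in self.cache:                 # step 2: answer from cache
            return self.cache[qname]
        next_server = ROOT_HINT                 # step 2: otherwise start at the root
        for _ in range(max_hops):               # bound the referral chain
            self.upstream_queries += 1
            kind, value = ask(next_server, qname)
            if kind == "answer":                # step 6: cache, then return
                self.cache[qname] = value
                return value
            if kind == "referral":              # steps 3-5: follow the delegation
                next_server = value
                continue
            return None                         # no such name (negative caching omitted)
        raise RuntimeError("referral chain too long")


if __name__ == "__main__":
    r = LocalResolver()
    print(r.resolve("www.learn.net"), r.upstream_queries)   # first lookup: 3 queries
    print(r.resolve("www.learn.net"), r.upstream_queries)   # cache hit: still 3
```

Real resolvers also cache negative answers and follow the glue records returned with a referral; both are left out here so that the three-hop walk of the steps above stays visible.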
II. Building a master/slave server pair
- Environment

IP | Service | Role
---|---|---
192.168.100.7 | bind | DNS master server
192.168.100.17 | bind | DNS slave server
192.168.100.6 | client | 
192.168.100.8 | httpd | web server

- Steps
Configure the master DNS server
- Install the bind service
# yum -y install bind
# systemctl start named
# systemctl enable named
# netstat -lntup | grep named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 18394/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 18394/named
tcp6 0 0 ::1:953 :::* LISTEN 18394/named
tcp6 0 0 ::1:53 :::* LISTEN 18394/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 18394/named
udp6 0 0 ::1:53 :::* 18394/named
Port 53 is where the named service listens.
Port 953 is the rndc control port; rndc can only connect to the named process via 127.0.0.1.
The main configuration files are:
Main configuration files:
/etc/named.conf
/etc/named.rfc1912.zones
/etc/rndc.key
Zone data files:
/var/named/xxx.ZONE # the file name is defined in the main configuration file
- Configure DNS
# vim /etc/named.conf
listen-on port 53 { 192.168.100.7; }; ### change the listen address
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; ### allow anyone to query
dnssec-enable no; ### DNSSEC (DNS Security Extensions); for this lab it is recommended to turn it off, otherwise it can cause resolution failures
dnssec-validation no;
- Configure forward resolution
# vim /etc/named.rfc1912.zones
Add the following configuration:
zone "learn.net" IN {
type master;
file "learn.net.zone"; # name of the zone data file, stored under /var/named/
};
- Define the zone data file
# cd /var/named
# ll
total 16
drwxrwx--- 2 named named 23 Aug 8 17:16 data
drwxrwx--- 2 named named 60 Aug 8 17:16 dynamic
-rw-r----- 1 root named 2253 Apr 5 2018 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Aug 8 2019 slaves
Create it from the existing template:
# cp -p named.localhost learn.net.zone # the name is the one defined in /etc/named.rfc1912.zones
# if cp did not preserve the permissions, fix the group of learn.net.zone
# chown :named learn.net.zone
# vim learn.net.zone
$TTL 1D
@ IN SOA master admin.learn.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 192.168.100.7
slave A 192.168.100.17
www A 192.168.100.8
- Check that the configuration is correct
# named-checkconf
# named-checkzone learn.net /var/named/learn.net.zone
zone learn.net/IN: loaded serial 0
OK
# systemctl restart named
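What named-checkzone is looking for in the zone file above, spelled out as code. This is an added example, not part of the post and not BIND's own code: it parses the RFC 1035 text format of the learn.net zone (a copy is embedded as sample input), resolves relative names against the zone origin, and applies the checks a zone must pass before named will load it: a $TTL, exactly one SOA at the apex with a numeric serial, at least one NS at the apex, and an A record for every NS target that lives inside the zone. Only SOA, NS and A records are understood, and per-record TTL fields are not parsed.

```python
"""Minimal zone-file sanity check, in the spirit of the named-checkzone run above.

Added example; not part of the post and not BIND's own code. Only SOA, NS and
A records (the types the post uses) are understood.
"""

# Constructed copy of /var/named/learn.net.zone as written above.
SAMPLE_ZONE = """\
$TTL 1D
@ IN SOA master admin.learn.com. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        NS master
        NS slave
master  A 192.168.100.7
slave   A 192.168.100.17
www     A 192.168.100.8
"""


def _logical_lines(text):
    """Yield (first_raw_line, fields) per record, folding ( ... ) continuations
    into one record and dropping ';' comments."""
    buf, first, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue            # blank or comment-only line
            first = raw
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield first, " ".join(buf).split()
            buf = []


def _qualify(name, origin):
    """Make a zone-file name absolute: '@' is the origin, names without a
    trailing dot get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return ($TTL value or None, [(owner, type, rdata fields), ...])."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, owner, records = None, origin, []
    for first, fields in _logical_lines(text):
        if fields[0] == "$TTL":
            ttl = fields[1]
            continue
        if first[0] not in " \t":               # owner present; else reuse previous
            owner = _qualify(fields[0], origin)
            fields = fields[1:]
        if fields and fields[0] == "IN":        # class is optional in this file
            fields = fields[1:]
        records.append((owner, fields[0], fields[1:]))
    return ttl, records


def check_zone(text, origin):
    """Return a list of problems; an empty list means the checks all passed."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, records = parse_zone(text, origin)
    problems = []
    if ttl is None:
        problems.append("no $TTL directive")
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA at the apex, found {len(soa)}")
    elif len(soa[0][2]) != 7:                   # mname rname serial refresh retry expire minimum
        problems.append("SOA must have 7 fields")
    elif not soa[0][2][2].isdigit():
        problems.append(f"SOA serial {soa[0][2][2]!r} is not numeric")
    a_owners = {r[0] for r in records if r[1] == "A"}
    ns = [r for r in records if r[0] == origin and r[1] == "NS"]
    if not ns:
        problems.append("no NS record at the apex")
    for _, _, rdata in ns:
        target = _qualify(rdata[0], origin)
        # An NS that lives inside the zone needs an address record in the zone.
        if (target == origin or target.endswith("." + origin)) and target not in a_owners:
            problems.append(f"NS {target} has no A record in the zone")
    return problems


if __name__ == "__main__":
    print(check_zone(SAMPLE_ZONE, "learn.net") or "OK")
```

Dropping the `slave A 192.168.100.17` line from the sample while keeping `NS slave` is the kind of mistake this catches: the zone still parses, but one of its advertised name servers has no address.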
- Verify that the master DNS server can resolve names
The web server serves the page
On 192.168.100.8:
# yum -y install httpd
# vim /var/www/html/index.html
Welcome to www.learn.net
# systemctl start httpd
Change the client's network interface configuration
On 192.168.100.6:
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# point DNS at the master DNS server
DNS1=192.168.100.7
# systemctl restart network
# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.7
Access test
# test with curl
# curl www.learn.net
Welcome to www.learn.net
# test with dig (the intended option is `-t A`; dig warns that `-A` is not a valid type and falls back to its default A query, so the output below is still an A lookup)
# dig -t -A www.learn.net
;; Warning, ignoring invalid type -A
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t -A www.learn.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56551
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.learn.net. IN A
;; ANSWER SECTION:
www.learn.net. 86400 IN A 192.168.100.8
;; AUTHORITY SECTION:
learn.net. 86400 IN NS slave.learn.net.
learn.net. 86400 IN NS master.learn.net.
;; ADDITIONAL SECTION:
master.learn.net. 86400 IN A 192.168.100.7
slave.learn.net. 86400 IN A 192.168.100.17
;; Query time: 0 msec
;; SERVER: 192.168.100.7#53(192.168.100.7)
;; WHEN: Sat Aug 08 19:17:49 CST 2020
;; MSG SIZE rcvd: 131
# The ANSWER SECTION shows the result: the name resolves correctly to 192.168.100.8
Configure the slave DNS server
- Install the bind service
# yum -y install bind
- Configure DNS
# vim /etc/named.conf
# the main items to change are:
listen-on port 53 { 192.168.100.17; };
allow-query { any; };
dnssec-enable no;
dnssec-validation no;
# vim /etc/named.rfc1912.zones
# add the following:
zone "learn.net" IN {
type slave;
masters { 192.168.100.7; }; # address of the master DNS server
file "slaves/learn.net.zone.slave"; # the zone data is transferred from the master and stored locally under /var/named/slaves
};
# systemctl start named
# systemctl enable named
# at this point the slave should have transferred the zone file from the master into /var/named/slaves
# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 310 Jun 29 00:13 learn.net.zone.slave
- Verify that resolution still works
Change the client's network interface configuration
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS2=192.168.100.17
# systemctl restart network
# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.7
nameserver 192.168.100.17
# stop the master DNS server
On 192.168.100.7:
# systemctl stop named
On 192.168.100.6:
# access test
# curl www.learn.net
Welcome to www.learn.net
# test with dig (same `-A` typo as above; dig falls back to an A query)
# dig -t -A www.learn.net
;; Warning, ignoring invalid type -A
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t -A www.learn.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51373
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.learn.net. IN A
;; ANSWER SECTION:
www.learn.net. 86400 IN A 192.168.100.8
;; AUTHORITY SECTION:
learn.net. 86400 IN NS master.learn.net.
learn.net. 86400 IN NS slave.learn.net.
;; ADDITIONAL SECTION:
master.learn.net. 86400 IN A 192.168.100.7
slave.learn.net. 86400 IN A 192.168.100.17
;; Query time: 0 msec
;; SERVER: 192.168.100.17#53(192.168.100.17)
;; WHEN: Sat Aug 08 19:40:18 CST 2020
;; MSG SIZE rcvd: 131
# SERVER: 192.168.100.17#53(192.168.100.17) shows that the answer came from 192.168.100.17
Prevent the zone data from being pulled
# at this point any client can pull the full contents of the DNS zone
On 192.168.100.6:
# dig -t axfr learn.net @192.168.100.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t axfr learn.net @192.168.100.7
;; global options: +cmd
learn.net. 86400 IN SOA master.learn.net. admin.learn.com. 0 86400 3600 604800 10800
learn.net. 86400 IN NS master.learn.net.
learn.net. 86400 IN NS slave.learn.net.
master.learn.net. 86400 IN A 192.168.100.7
slave.learn.net. 86400 IN A 192.168.100.17
www.learn.net. 86400 IN A 192.168.100.8
learn.net. 86400 IN SOA master.learn.net. admin.learn.com. 0 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 192.168.100.7#53(192.168.100.7)
;; WHEN: Sat Aug 08 19:45:24 CST 2020
;; XFR size: 7 records (messages 1, bytes 218)
The client can retrieve the entire zone from the master DNS server, and with it the IP address behind every name. That is not very secure, so either disallow zone transfers entirely or allow them only to the slave DNS server.
Change on 192.168.100.7 (the master DNS server):
# vim /etc/named.conf
# add the following inside the options block
allow-transfer { 192.168.100.17; };
# reload the configuration
# rndc reload
server reload successful
Change on 192.168.100.17 (the slave DNS server):
# vim /etc/named.conf
allow-transfer { none; };
# reload the configuration
# rndc reload
server reload successful
Test from 192.168.100.6:
# dig -t axfr learn.net @192.168.100.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t axfr learn.net @192.168.100.7
;; global options: +cmd
; Transfer failed.
# dig -t axfr learn.net @192.168.100.17
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -t axfr learn.net @192.168.100.17
;; global options: +cmd
; Transfer failed.
The zone data of the master and slave DNS servers can no longer be retrieved with dig.
III. Building "intelligent" DNS: answers that depend on the client's region
Suppose the www.learn.net site is reachable from the public Internet. A user in Beijing should get the Beijing IP back from resolution, a user in Shanghai the Shanghai IP, and a user in Shenzhen the Shenzhen IP: the answer is chosen according to the client's region.
Simulated client networks for each region:
10.0.0.0/24 Beijing
10.0.10.0/24 Shanghai
10.0.20.0/24 Shenzhen
IP address of www.learn.net in each region:
1.1.1.1 Beijing
2.2.2.2 Shanghai
3.3.3.3 Shenzhen
Configure the master DNS server
- Modify /etc/named.conf
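A way to audit the hardening step above rather than trust it, as an added example that is not part of the post and not BIND's own tooling. It takes a named.conf text (two constructed samples follow: the post's initial configuration with no allow-transfer, and a restricted one with an extra zone that overrides it), strips the comment styles named.conf accepts, and reports the effective zone-transfer (AXFR) address list for the options block and for each zone. In BIND 9.11, the version in the dig output above, an options block with no allow-transfer statement allows transfers to any host, and a zone-level allow-transfer overrides the global one; both cases are flagged.

```python
"""Audit the allow-transfer policy in a named.conf.

Added example; not part of the post and not BIND's own tooling. The two
configurations below are constructed samples.
"""
import re

# Constructed: the master's named.conf as it stands before the hardening step.
OPEN_CONF = """\
options {
        listen-on port 53 { 192.168.100.7; };
        directory "/var/named";
        allow-query { any; };     // anyone may query
        dnssec-enable no;
};
zone "learn.net" IN {
        type master;
        file "learn.net.zone";
};
"""

# Constructed: after adding allow-transfer, plus a second zone that overrides it.
RESTRICTED_CONF = """\
options {
        listen-on port 53 { 192.168.100.7; };
        allow-query { any; };
        allow-transfer { 192.168.100.17; };   # only the slave may pull the zone
};
zone "learn.net" IN {
        type master;
        file "learn.net.zone";
};
zone "other.example" IN {
        type master;
        file "other.example.zone";
        allow-transfer { any; };   /* zone-level setting reopens transfers */
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #.
    (Naive: a '#' or '//' inside a quoted string would also be cut.)"""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_blocks(text):
    """Yield (header, body) for every top-level `header { body };` statement,
    matching braces so nested lists such as listen-on stay inside the body."""
    i = 0
    while (open_brace := text.find("{", i)) != -1:
        header = text[i:open_brace].strip().lstrip(";").strip()
        depth, j = 0, open_brace
        for j in range(open_brace, len(text)):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            if depth == 0:
                break
        yield header, text[open_brace + 1:j]
        i = j + 1


def transfer_acl(body):
    """The allow-transfer address list of one block, or None if not set."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else m.group(1).replace(";", " ").split()


def audit_transfers(conf):
    """Return (effective ACL per scope, findings for scopes open to any host)."""
    options_acl, zones = None, []
    for header, body in top_level_blocks(strip_comments(conf)):
        if header == "options":
            options_acl = transfer_acl(body)
        elif header.startswith("zone"):
            zones.append((header.split('"')[1], transfer_acl(body)))
    effective, findings = {}, []
    if options_acl is None:
        options_acl = ["any"]                 # BIND 9.11 default when unset
        findings.append("options: allow-transfer not set, defaults to any")
    elif "any" in options_acl:
        findings.append("options: allow-transfer is any")
    effective["options"] = options_acl
    for name, acl in zones:
        acl = options_acl if acl is None else acl    # zone inherits the global list
        effective[f"zone:{name}"] = acl
        if "any" in acl:
            findings.append(f"zone {name}: transfers open to any host")
    return effective, findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("restricted", RESTRICTED_CONF)):
        print(label, audit_transfers(conf))
```

The `dig -t axfr` test above checks one server from one client; reading the configuration catches the case that test misses, a zone added later with its own `allow-transfer { any; }` or a rewrite of named.conf that drops the statement again.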
# vim /etc/named.conf
acl beijing {
10.0.0.0/24; # simulated Beijing user network
};
acl shanghai {
10.0.10.0/24; # simulated Shanghai user network
};
acl shenzhen {
10.0.20.0/24; # simulated Shenzhen user network
};
options {
//listen-on port 53 { 192.168.100.7; }; # comment out this line
listen-on-v6 port 53 { ::1; };
//allow-query { any; }; # comment out this line
//allow-transfer { 192.168.100.17; }; # comment out this line
...
};
view view_beijing {
match-clients { beijing; }; # the acl name defined above
zone "." IN { # the default root hint zone; once views are used, no zone may be defined outside a view
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones.bj"; # separate zone definition file for this view
include "/etc/named.root.key";
};
view view_shanghai {
match-clients { shanghai; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones.sh";
include "/etc/named.root.key";
};
view view_shenzhen {
match-clients { shenzhen; };
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones.sz";
include "/etc/named.root.key";
};
- Create the zone definition files for each region
# cp -p /etc/named.rfc1912.zones{,.bj}
# cp -p /etc/named.rfc1912.zones{,.sh}
# cp -p /etc/named.rfc1912.zones{,.sz}
# vim /etc/named.rfc1912.zones.bj
zone "learn.net" IN {
type master;
file "learn.net.zone.bj"; # path and name of the zone data file
};
# vim /etc/named.rfc1912.zones.sh
zone "learn.net" IN {
type master;
file "learn.net.zone.sh";
};
# vim /etc/named.rfc1912.zones.sz
zone "learn.net" IN {
type master;
file "learn.net.zone.sz";
};
- Create the corresponding zone data files
# cp -p /var/named/learn.net.zone{,.bj}
# cp -p /var/named/learn.net.zone{,.sh}
# cp -p /var/named/learn.net.zone{,.sz}
# vim /var/named/learn.net.zone.bj
$TTL 1D
@ IN SOA master admin.learn.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 192.168.100.7
www A 1.1.1.1 # assumed Beijing IP
# vim /var/named/learn.net.zone.sh
$TTL 1D
@ IN SOA master admin.learn.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 192.168.100.7
www A 2.2.2.2 # assumed Shanghai IP
# vim /var/named/learn.net.zone.sz
$TTL 1D
@ IN SOA master admin.learn.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 192.168.100.7
www A 3.3.3.3 # assumed Shenzhen IP
After making the changes, restart the DNS service
# systemctl restart named
- Add the three network addresses on the DNS server
# ip a a 10.0.0.7/24 dev eth0 # simulated Beijing network
# ip a a 10.0.10.7/24 dev eth0 # simulated Shanghai network
# ip a a 10.0.20.7/24 dev eth0 # simulated Shenzhen network
- Add the three network addresses on the client
# ip a a 10.0.0.6/24 dev eth0 # simulated Beijing network
# ip a a 10.0.10.6/24 dev eth0 # simulated Shanghai network
# ip a a 10.0.20.6/24 dev eth0 # simulated Shenzhen network
- Access test
Client simulating access from the Beijing network
# dig www.learn.net @10.0.0.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.learn.net @10.0.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30916
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.learn.net. IN A
;; ANSWER SECTION:
www.learn.net. 86400 IN A **1.1.1.1**
;; AUTHORITY SECTION:
learn.net. 86400 IN NS master.learn.net.
;; ADDITIONAL SECTION:
master.learn.net. 86400 IN A 192.168.100.7
;; Query time: 0 msec
;; SERVER: 10.0.0.7#53(10.0.0.7)
;; WHEN: Sun Aug 09 00:19:34 CST 2020
;; MSG SIZE rcvd: 95
Client simulating access from the Shanghai network
# dig www.learn.net @10.0.10.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.learn.net @10.0.10.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43209
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.learn.net. IN A
;; ANSWER SECTION:
www.learn.net. 86400 IN A **2.2.2.2**
;; AUTHORITY SECTION:
learn.net. 86400 IN NS master.learn.net.
;; ADDITIONAL SECTION:
master.learn.net. 86400 IN A 192.168.100.7
;; Query time: 0 msec
;; SERVER: 10.0.10.7#53(10.0.10.7)
;; WHEN: Sun Aug 09 00:19:28 CST 2020
;; MSG SIZE rcvd: 95
Client simulating access from the Shenzhen network
# dig www.learn.net @10.0.20.7
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.learn.net @10.0.20.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1066
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.learn.net. IN A
;; ANSWER SECTION:
www.learn.net. 86400 IN A **3.3.3.3**
;; AUTHORITY SECTION:
learn.net. 86400 IN NS master.learn.net.
;; ADDITIONAL SECTION:
master.learn.net. 86400 IN A 192.168.100.7
;; Query time: 0 msec
;; SERVER: 10.0.20.7#53(10.0.20.7)
;; WHEN: Sun Aug 09 00:19:31 CST 2020
;; MSG SIZE rcvd: 95
Simulating access from the different regional networks returns different resolution results: a simple form of intelligent (split-horizon) resolution.
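The view selection behind the three dig results above, as an added example that is not part of the post and not BIND's code. The acl networks and the www.learn.net address each view's zone file returns are copied from the configuration above; the selection rule modelled is the one named applies: views are tried in configuration order, the first whose match-clients list matches the source address answers, and a client that matches no view has its query refused. That last case matters for this configuration, because a client such as 192.168.100.6 asking on its original address is in none of the three acls. The catch-all view appended in `VIEWS_WITH_DEFAULT` is a constructed addition showing how such clients would be served; its 192.168.100.8 answer is the address from the plain learn.net zone in section II.

```python
"""Which view answers a client? A model of BIND's match-clients view selection
for the acl / view configuration above.

Added example; not part of the post and not BIND's code. VIEWS_WITH_DEFAULT is
a constructed variant, not something the post configures.
"""
import ipaddress

ACLS = {
    "beijing":  ["10.0.0.0/24"],
    "shanghai": ["10.0.10.0/24"],
    "shenzhen": ["10.0.20.0/24"],
}

# (view name, match-clients list, records its zone file holds), in named.conf order.
VIEWS = [
    ("view_beijing",  ["beijing"],  {"www.learn.net.": "1.1.1.1"}),
    ("view_shanghai", ["shanghai"], {"www.learn.net.": "2.2.2.2"}),
    ("view_shenzhen", ["shenzhen"], {"www.learn.net.": "3.3.3.3"}),
]

# Constructed variant: a final view for everyone else (not in the post).
VIEWS_WITH_DEFAULT = VIEWS + [
    ("view_default", ["any"], {"www.learn.net.": "192.168.100.8"}),
]


def match_list(entries, addr):
    """BIND address-match-list semantics: elements are tried in order, the first
    one that matches decides, and a matching negated element (!x) means no match.
    A nested acl counts as one element that either matched or did not."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for entry in entries:
        negated = entry.startswith("!")
        name = entry.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in ACLS:
            hit = match_list(ACLS[name], addr)
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients matches, or None (query refused)."""
    addr = ipaddress.ip_address(client_ip)
    for name, clients, _ in views:
        if match_list(clients, addr):
            return name
    return None


def answer(client_ip, qname, views=VIEWS):
    """The A record the client would receive, 'NXDOMAIN', or 'REFUSED'."""
    view = select_view(client_ip, views)
    if view is None:
        return "REFUSED"
    zone = next(records for name, _, records in views if name == view)
    q = qname if qname.endswith(".") else qname + "."
    return zone.get(q, "NXDOMAIN")


if __name__ == "__main__":
    for ip in ("10.0.0.6", "10.0.10.6", "10.0.20.6", "192.168.100.6"):
        print(ip, select_view(ip), answer(ip, "www.learn.net"))
```

Because the first matching view wins, the order of the view blocks in named.conf is part of the policy: a broad view placed before a narrow one would shadow it, which is why a catch-all `match-clients { any; }` view belongs last.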