文章目录
一、DNS相关概念概述
1.1、什么是RFC?
Request For Comments(RFC),是一系列以编号排定的文件。文件收集了有关互联网相关信息,以及UNIX和互联网社区的软件文件。目前RFC文件是由Internet Society(ISOC)赞助发行。基本的互联网通信协议都有在RFC文件内详细说明。RFC文件还额外加入许多的论题在标准内,例如对于互联网新开发的协议及发展中所有的记录。因此几乎所有的互联网标准都有收录在RFC文件之中。
以后学习服务,建议深入学习以读RFC文档为准。互联网常见的服务器和协议标准,在RFC中都有其相关定义,比如我们今天讲解的DNS协议在RFC中就有相关标准定义。dns的rfc相关链接如下:
https://tools.ietf.org/html/rfc2181 #DNS规范说明
https://tools.ietf.org/html/rfc2136 #对DNS的动态更新进行说明
https://tools.ietf.org/html/rfc2308 #对DNS查询的反向缓存进行说明
1.2、何为DNS?
DNS(Domain Name System,域名系统,有时候也称为Domain Name Service,域名服务),万维网上作为域名和IP地址相互映射的一个分布式数据库,能够使用户更方便的访问互联网,而不用去记住能够被机器直接读取的IP数串。通过域名,最终得到该域名对应的IP地址的过程叫做域名解析(或主机名解析)。DNS协议运行在UDP协议之上,使用端口号53。
DNS在TCP/IP或者OSI/ISO参考模型中的层面属于应用程序,即dns是一种应用程序协议。可以抽象成C/S模型,RFC中定义的标准是使用udp的53号端口,不过tcp的53号端口有时候也被dns所使用。上面说的域名也是是一种规范的定义叫法。那么互联网通信,或者叫主机之间的进程间的通信,域名一定是必须的吗?答案是否定的,在C/S模型中,套接字通信是一套标准。进程间通信的根本是ip和端口,ip可以标识一台主机,端口可以标识一个服务进程向内核注册的细节,因为进程间通信以及网络功能都是内核实现的。那么为什么有了ip,人们还需要域名呢?
其实在互联网引入的早期时刻,其实没有域名这个东西的,世界上的计算机也就几台,每一台主机是什么ip,都一清二楚。但是随着后来的发展,计算机的数量增加,一串串数字(以ipv4为例)让人不易记住,所以人们根据生活中的模型,抽象(当然,这里只是简单这么一说),比如人从出生开始就要起名字,并且去派出所上户口,后面到了一定的年龄要办理身份证。那么为什么有身份证可以识别身份,还要起名字呢。答案,为了方便。数字一大串总是会让人记不住,但是名字不一样。那么我们的互联网通信亦是如此,随着主机数量的增加,ip这种东西对于人来说简直就是折磨,于是IANA肯定会想办法啦。早期时候,是用的一种叫做本地文本映射关系记录文件实现,即为我们常说的"hosts"文件,把ip和名字的对应映射关系写入这个hosts文件,然后有更新,需要去IANA申请以及下载最新的hosts文件。不过呢,你用今天的思维去考虑问题,你会发现这种设计挺蠢的,世界上计算机这么多,而且还有更新问题,不得把IANA机构累死。不过呢,hosts这一机制在早些年刚引入的时候可是盛行了一段时间。不过,好景不长,随着时间的演变,互联网技术的成熟化以及全世界的通信爆炸式增长,这种hosts机制不得不慢慢的被后来引入的DNS所替代。
上面有提到IANA,那么IANA是什么呢?IANA(The Internet Assigned Numbers Authority,互联网数字分配机构)是一个组织机构,它主要负责"数字资源分配(即我们说的ip地址,端口等这些和数字相关的公共互联网资源)",“协议分配”,"域名"等。其官方站点为:https://www.iana.org/
Root Zone Database(根域下的所有的顶级域链接)
https://www.iana.org/domains/root/db
二、与DNS相关的一些基本知识
2.1、根域和常见顶级域说明
我们以www.baidu.com这个域名来简单说明一下,这个是一个二级域名,其二级域名严格表示位"baidu.com."(末尾那个点要注意),然后www这个是这个二级域下的主机解析记录。二级域"baidu.com.“的上级是一级域名”.com.“也叫顶级域,.com顶级域是根域”."下的一种。
可以看到,这是一种分层思想,dns就是用这种抽象的模型,借助现实生活中化整为零的思路来分层解决问题的。我们一起来看看其相关概念。
根域(rd,root domain),简称为符号点号".";
顶级域(tld,top level domain),从右往左书写的规则,比如 .com.,末尾的那个"."就是根域。顶级域有很多,比如早期时候:
(1) 按组织划分
.com:商业机构;
.net:网络服务机构
.org:非盈利组织;
.gov:政府部门;
.edu:教育机构;
.mil:军事机构
等
(2) 按国家划分
.iq
.tw
.hk
.jp
.cn
等
如下图所示:
现在IANA那边登记的顶级域,非常多,相关链接:
https://www.iana.org/domains/root/db
我们现在申请的一般都是二级域。比如yanhui.com,我可以去申请这个二级域,DNS语法那边应该为"yanhui.com."。如下图所示:
假设yanhui.com.这个二级域下面有web业务的主机,web1,web2,有论坛一个bbs,还有其他主机等。那么其树状结构大抵是:
上面的树状结构是一个正向树,正向树只负责从名称到IP的解析。而从IP到名称的解析,是由反向树来负责解析的。如下图所示:
反向解析书,ip地址反转过来,书写,后面跟一个in-addr.arpa.
全球的根域服务器只有13组,分别是:(https://www.iana.org/domains/root/servers)
2.2、域名和区域的概念
说了这么多域和区域,二者到底有什么区别,二者是否具有可比性,二者本质又是什么?
其实域是逻辑的概念,我们申请的都是一个域,比如申请二级域。顶级域的申请要找根域去授权。一般企业使用和个人使用都是从二级域开始。而我们的区域是个什么概念呢,上面有提到过把域名(FQDN)解析成ip的过程需要走正向解析树,而把ip解析成域名的过程需要走反向解析树。这个所谓的解析的本质是,通过解析库来实现,正向解析和反向解析的解析库肯定不一样,所以从域名到ip解析的过程属于正向解析区域,而反之属于反向解析区域。它的根本是正向解析区域的库文件以及反向解析区域的库文件。请看下面图解:
上面有提到DNS名称解析方式:
名称 --> IP:正向解析
IP --> 名称:反向解析
注意:二者的名称空间,非为同一个空间,即非为同一棵树;因此,也不是同一个解析库;
那么比如我有一个客户端就像识别例如www.yanhui.com这个域名,它背后的机理是什么,简单理解如下:
不过,解析库对于一个域独占使用,有时候显得比较浪费而且成本有限,所以大多数的提供这种解析进制的渠道商,会使用一台解析库给多个域解析使用。对用户而言,没有直接操作解析库服务器的权限,而是渠道商提供的一个前段web的页面接口,这样相较于用户而言,是不可知的。比如:
2.3、dns递归和dns迭代
上面从根域开始,下面有顶级域,假设顶级域com下申请了一个yanhui的二级域,顶级域org下面申请了一个xiaotang的二级域,那么有可能yanhui和xiaotang这两个二级域就有可能使用同一台解析库。上面有提到客户端请求某个具体域名,对于本地host文件无法找到解析,而且本地缓存中也查找不到,它就会去找配置的dns服务器,由dns服务器代劳,这个从客户端到dns服务器的过程,属于递归的查找的过程,我把查找交由给你,递归给你去查找。但是呢,dns服务器有可能只是一个缓存名称服务器,它本身不负责域的解析,不过它会去找根域,有根域告知下一个要找的人,依次类推,知道这个dns服务器(缓存的名称服务器)找到结果为止,后面这个反复依次来回查找的过程属于迭代查找过程。请看下面的图解:
那么,一次完整的查询请求经过的流程是怎样的呢?
客户端 --> 本地hosts文件 --> 本地的DNS缓存 --> 通过dns服务器递归查找 --> 经过判断:
(1) 如果dns服务器自己负责解析的域名
直接查询数据库并返回答案。
(2) 不是自己解析的域
会去找它的dns服务器的缓存,没有结果,然后再去(dns分布式名称解析系统)迭代查找。
既然上面有查找,那么就可能有多种查找结果,我们把这种查找结果,叫做解析答案,那么解析答案的大概是这样的:
(1) 肯定答案:有结果,返回。
(2) 否定答案:不存在查询的键,因此,不存在与其查询键对应的值。
肯定答案中可能有分为:
(3) 权威答案:由直接负责的DNS服务器返回的答案,比如依次完整的查询请求过程的第(1)步;
(4) 非权威答案:比如依次完整的查询请求过程的第(2)步。有可能返回的结果是非直接负责的dns服务器的缓存结果,有可能这个缓存结果没有失效而实际解析记录已更改了。
2.4、主辅dns
主-辅(从)DNS类型:
(1) 主DNS服务器
维护所负责解析的域数据库的那台服务器;读写操作均可进行;
(2) 从DNS服务器
从主DNS服务器那里或其它的从DNS服务器那里“复制”一份解析库;但只能进行读操作
"复制"操作的实施方式:
序列号:serial,即为数据库的版本号;主服务器数据库内容发生变化时,其版本号要递增;
刷新时间间隔:refresh,从服务器每隔多久到主服务器检查序列号更新状态;
重试时间间隔:retry,从服务器从主服务器请求同步解析库失败时,再次发起尝试请求的时间间隔;(要远小于refresh时间间隔)
过期时长:expire,从服务器始终联系不到主服务器时,多久之后放弃从主服务器同步数据,停止提供服务;
否定答案的缓存时长:
主服务器"通知"从服务器随时更新数据;
区域传送:
(1) 全量传送:axfr,传送整个数据库;
(2) 增量传送:ixfr,仅传送变量的数据;
说明:其实主DNS服务器和辅DNS服务器,从外层来看,都是两个服务器,而且通过实现DNS协议的应用程序实现,可以支持类似于这种主辅或者叫主从同步的概念。站在从dns服务器的角度看,与主dns服务器同步数据就有两个方式,一个是从dns服务器去主dns服务器去拉取(pull),另外一个是主dns服务器直接推送(push)给从dns服务器。如下图所示:
那么有了主从dns服务器,对于大批量的请求,我们就可以把读压力平均分布。比如我有100台,服务器。主dns服务器的ip为172.168.27.221,从服务器的ip为172.168.27.223。我可以随机把这100台平均分为50台,然后50台配置主dns(每个服务器可以配置三条dns记录,第一条dns记录叫主dns,第二条dns记录叫辅dns记录,第三条叫备份dns记录,正常情况,第一条dns记录指向的dns服务器没有异常,后面两条都用不上)记录指向172.168.27.221,后50台的主dns记录指向172.168.27.223。这样一来就可以实现把dns服务器的读压力平均分布到主dns和从dns。上面有提到每个服务器可以配置三条dns记录,比如以红帽系列的系统来讲,dns的配置文件为/etc/resolv.conf,配置格式如下:
nameserver 192.168.2.253
nameserver 114.114.114.114
nameserver 8.8.8.8
上面的主dns记录就是192.168.2.253,这是一个内网的dns服务器,可以是一个缓存dns服务器,也可以是一个解析域的dns服务器。主从dns服务读压力分布图解简析:
2.5、常见资源记录类型和其定义格式模板
在我们正式手动搭建dns服务器之前,还有一些至关重要的概念来解释一下,有些与区域数据文件相关的概念:
-
资源记录(RR,Resource Record)
-
常见的资源记录类型有:
A,AAAA,PTR,SOA,NS,CNAME,MX
(1) SOA记录
起始授权记录(Start Of Authority)
说明:一个区域解析库有且只能有一条SOA记录,而且必须放在解析记录的第一条;
(2) NS记录
域名服务记录(Name Service)
说明:一个区域解析库可以有多个NS记录,其中一个为主;
(3) A记录
地址记录(Address)
说明:把域名解析成IPv4地址。(FQDN–>IPv4)
(4) AAAA记录
(Ipv6)地址记录(Address)
说明:把域名解析成IPv6地址。(FQDN–>IPv6)
#一个ipv4是32位,假设用A表示,那么128位长度的IPv6就用AAAA来表示.
(5) CNAME记录
别名记录,正式名记录(Canonical Name)
说明:原意为 正式名称,比如张三的别名叫傻根,那么张三就是正式名字。
(6) PTR记录
指针(Pointer)
说明:这个一个比较特殊。从IP到FQDN的解析。
(7) MX记录
邮件交换器(Mail Exchanger)
说明:优先级,0-99,数字越小,优先级越高(如果有多条MX记录,要按照优先级来,区别于多条A记录或AAAA记录的轮询方式) -
资源记录定义的语法格式
语法:name [TTL] IN RR_TYPE Value
说明:name不一定是字符串,上面每种不同记录类型的条目,对应name值各有不同,TTL是Time To Live,一条域名解析记录在DNS服务器中的存留时间,可以省略不写使用默认值(下面会讲解)。IN是关键字,不可省略。RR_TYPE表示上面提到的资源记录类型(A,AAAA,PTR,SOA,NS,CNAME,MX)。Value表示这条解析记录的值。
下面分别介绍不同记录类型的定义格式:
(1) SOA记录
name:当前区域的名字。例如"yanhui.com."或"2.3.4.in-addr.arpa"
ttl:域名记录记录在dns服务器中的存留时间;这部分可以省略,使用全局定义的,后边部分就不列出这个条目了
value:由多部分组成
第一部分:当前区域的区域名称(也可以是主DNS服务器名称);
第二部分:当前区域的管理员邮箱地,地址中的"@"符号要替换成".";
第三部分:定义在一个小括号内,(主从服务协调属性的定义以及否定答案的TTL)
示例:
yanhui.com. 86400 IN SOA yanhui.com. admin.yanhui.com. (
2018120101 ; serial
2H ; refresh
10M ; retry
1W ; expire
1D ; negative answer ttl
)
(2) NS记录
name:当前区域的区域名称;
value:当前区域的某DNS服务器名称,例如ns.yanhui.com.;一个区域可以有多个NS记录。
示例:
yanhui.com. 86400 IN NS ns1.yanhui.com.
yanhui.com. 86400 IN NS ns2.yanhui.com.
(3) MX记录
name:当前区域名称;
value:当前区域某邮件交换器的主机名;MX记录可以有多个,但每个记录的value之前应该有一个数字表示其优先级。
示例:
yanhui.com. IN MX 10 mx1.yanhui.com.
yanhui.com. IN MX 20 mx2.yanhui.com.
(4) A记录
name:某FQDN,例如:www.yanhui.com.
value:某IPv4地址;
例如:
www.yanhui.com. IN A 192.168.56.26
www.yanhui.com. IN A 192.168.56.27
bbs.yanhui.com. IN A 192.168.56.112
(5) AAAA记录
name:某FQDN;
value:某IPv6地址;
(6) PTR记录
name:IP地址,有特定格式,IP反过来写,而且加特定后缀;例如1.2.3.4的记录应该写为4.3.2.1.in-addr.arpa.;
value:FQDN
示例:
4.3.2.1.in-addr.arpa. IN PTR www.yanhui.com.
(7) CANME记录
name:FQDN格式的别名;
value:FQDN格式的正式名字;
示例:
web.yanhui.com. IN CNAME www.yanhui.com.
书写说明:
(1) TTL可以从全局继承;
(2) @表示当前区域的名称;
(3) 相邻的两条记录,其name相同时,后面的可以省略;
(4) 对于正向区域来说,各MX,NS等类型的记录的value值为FQDN,此FQDN应该有一条A记录;
三、dns协议实现的应用程序
dns协议实现,centos上默认是bind这个软件包来实现的。
[root@localhost yum.repos.d]# yum info bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cn99.com
* epel: mirrors.aliyun.com
* extras: centos.ustc.edu.cn
* updates: mirrors.aliyun.com
Available Packages
Name : bind
Arch : x86_64
Epoch : 32
Version : 9.9.4
Release : 61.el7_5.1
Size : 1.8 M
Repo : updates/7/x86_64
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL : http://www.isc.org/products/BIND/
License : ISC
Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
: (Domain Name System) protocols. BIND includes a DNS server (named),
: which resolves host names to IP addresses; a resolver library
: (routines for applications to use when interfacing with DNS); and
: tools for verifying that the DNS server is operating properly.
关于bind说明:
dns: 协议
bind: dns协议的一种实现
named:bind程序的运行的进程名
bind程序包以及与bind相关的程序包:
(1) bind-libs
被bind和bind-utils包中的程序共同用到的库文件;
(2) bind-utils
bind客户端程序集,例如dig, host, nslookup等;
(3) bind-chroot
让named运行于jail模式下;(这个软件包可以选装,如果不用chroot功能,可以不装)
(4) bind
提供的dns server程序、以及几个常用的测试程序;
安装上面的软件包:
[root@localhost ~]# yum install bind-libs bind-utils bind
省略安装过程。
[root@localhost ~]#yum install bind-chroot
省略安装过程。
[root@localhost ~]# rpm -qa|grep '^bind'
bind-libs-9.9.4-72.el7.x86_64
bind-utils-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
bind-chroot-9.9.4-72.el7.x86_64
#来看看安装的列表文件:
[root@localhost ~]# rpm -ql bind-libs
/usr/lib64/libbind9.so.90
/usr/lib64/libbind9.so.90.0.8
/usr/lib64/libdns.so.100
/usr/lib64/libdns.so.100.1.1
/usr/lib64/libisc.so.95
/usr/lib64/libisc.so.95.2.1
/usr/lib64/libisccc.so.90
/usr/lib64/libisccc.so.90.0.4
/usr/lib64/libisccfg.so.90
/usr/lib64/libisccfg.so.90.0.7
/usr/lib64/liblwres.so.90
/usr/lib64/liblwres.so.90.0.5
/usr/lib/systemd/system/named-chroot-setup.service
/usr/lib/systemd/system/named-chroot.service
/usr/libexec/setup-named-chroot.sh
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/run
/var/named/chroot/run/named
/var/named/chroot/usr
/var/named/chroot/usr/lib64
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/tmp
[root@localhost ~]# rpm -ql bind-utils
/etc/trusted-key.key
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/share/man/man1/dig.1.gz
/usr/share/man/man1/host.1.gz
/usr/share/man/man1/nslookup.1.gz
/usr/share/man/man1/nsupdate.1.gz
[root@localhost ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
中间省略很多......
/usr/share/man/man8/rndc.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
bind的主要安装文件及其说明:
(1) 主配置文件和子配置文件
[root@localhost ~]# rpm -qc bind
/etc/logrotate.d/named #交由rsyslog托管的日志轮询脚本
/etc/named.conf #主配置文件
/etc/named.iscdlv.key #和key相关的配置文件
/etc/named.rfc1912.zones #被主配置文件包含的子配置文件,区域设置配置文件
/etc/named.root.key #被主配置文件包含的子配置文件,和key相关的
/etc/rndc.conf #默认不存在,和rndc这个程序相关的
/etc/rndc.key #默认不存在,和rndc这个程序相关的
/etc/sysconfig/named #配置文件的选项配置文件
/var/named/named.ca #全球根域相关的配置
/var/named/named.empty #一个不包含解析记录的空模板文件
/var/named/named.localhost #另外两个和本地回环地址相关的解析库文件
/var/named/named.loopback
#/var/named/目录下,是解析库文件,一般可以设置为ZONE_NAME.zone
(1) 一台DNS服务器可以同时为多个区域提供解析;
(2) 必须要有根区域解析可文件:named.ca
(3) 还应该有两个区域解析库文件:localhost和127.0.0.1的正反向解析库
bind包的其他软件包列表:
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named #主服务端进程
/usr/sbin/named-checkconf #检查定义区域配置文件语法的工具
/usr/sbin/named-checkzone #检查区域解析的配置文件的语法的工具
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc #远程管控named的控制程序
/usr/sbin/rndc-confgen
bind程序安装完成之后,默认即可做缓存名称服务器使用;如果没有专门负责解析区域,直接启动服务即可:
systemctl start named.service
(2) named程序的主配置文件/etc/named.conf
语法:语句被花括号包含在内,而且语句要以分号结尾,语句中的子句也要以分号结尾。注释语法支持三类:
C语句风格的多行注释:/* */
C++或C风格的单行注释:// 这个是到这行的结尾都为注释部分;
unix风格的单行注释: # 这个是到这行的结尾都为注释部分;
配置文件格式主要分为三段:
(1) 全局配置段
options { … }
(2) 日志配置段
options { … }
(3) 区域配置段(那些由本机负责解析的区域或转发的区域)
zone { … }
(3) 由bind-utils软件包提供的三个工具
dig,host,nslookup
分别看看其简要用法。
a)=========== dig命令=======================
dns 查询组件。用于测试dns系统,不会查询hosts文件。
简要语法格式:
dig [@SERVER] [-t RR_TYPE] name [query options]
查询选项:
+[no]trace:跟踪解析过程;
+[no]recurse:进行递归解析;
反向解析语法格式:
dig -x IP
模拟完全区域传送:
dig -t axfr DOMAIN [@SERVER]
示例:
[root@localhost ~]# dig -t A www.baidu.com.
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8163
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION: #这里显示查询段,我要查询www.baidu.com.的A记录
;www.baidu.com. IN A
;; ANSWER SECTION: #查询结果段落
www.baidu.com. 528 IN CNAME www.a.shifen.com.
www.a.shifen.com. 231 IN A 14.215.177.38
www.a.shifen.com. 231 IN A 14.215.177.39
#www.baidu.com. 是 www.a.shifen.com.的别名。
然后www.a.shifen.com.有两条A记录,一条指向的是服务器14.215.177.38,另外一条是14.215.177.39.(www.a.shifen.com.就是我们常说的FQDN,Fully Qualified Domain Name全限定域名,这里的A记录有两条,默认客户端请求,这两台服务器会以轮询的方式响应)。
;; Query time: 21 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
#这里表明我是通过114.114.114.114这个DNS服务器去查询的(此时当做一个缓存名称服务器来用)
;; WHEN: Tue Dec 04 21:03:38 CST 2018
;; MSG SIZE rcvd: 101
[root@localhost ~]# dig -t MX baidu.com.
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t MX baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42044
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN MX
;; ANSWER SECTION:
baidu.com. 33 IN MX 10 mx.maillb.baidu.com.
baidu.com. 33 IN MX 15 mx.n.shifen.com.
baidu.com. 33 IN MX 20 mx1.baidu.com.
baidu.com. 33 IN MX 20 jpmx.baidu.com.
baidu.com. 33 IN MX 20 mx50.baidu.com.
;; Query time: 21 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:10:01 CST 2018
;; MSG SIZE rcvd: 154
#上面是百度的MX记录,可以到有5台服务器,优先级10最高,也是第一条。
[root@localhost ~]# dig -t SOA baidu.com.
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t SOA baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62937
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;baidu.com. IN SOA
;; ANSWER SECTION:
baidu.com. 7200 IN SOA dns.baidu.com. sa.baidu.com. 2012139419 300 300 2592000 7200
;; Query time: 29 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:
#上面是baidu.com.的SOA记录。
[root@localhost ~]# dig -t ns baidu.com.
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t ns baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN NS
;; ANSWER SECTION:
baidu.com. 72018 IN NS ns3.baidu.com.
baidu.com. 72018 IN NS ns2.baidu.com.
baidu.com. 72018 IN NS dns.baidu.com.
baidu.com. 72018 IN NS ns7.baidu.com.
baidu.com. 72018 IN NS ns4.baidu.com.
;; Query time: 18 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:12:25 CST 2018
;; MSG SIZE rcvd: 128
#baidu.com.的NS记录
[root@localhost ~]# dig -x 14.215.177.38
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -x 14.215.177.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;38.177.215.14.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
215.14.in-addr.arpa. 2100 IN SOA soa. dns.guangzhou.gd.cn. 2016012127 10800 3600 604800 86400
;; Query time: 23 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:14:30 CST 2018
;; MSG SIZE rcvd: 113
#反解,没有结果。(用的是www.a.shifen.com的一个A记录对应的value)
b)=========== host命令=======================
简单语法格式:
host [-t RR_TYPE] name SERVER_IP
例如:
[root@localhost ~]# host -t A www.baidu.com.
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 14.215.177.39
www.a.shifen.com has address 14.215.177.38
[root@localhost ~]# host -t CNAME www.baidu.com.
www.baidu.com is an alias for www.a.shifen.com.
[root@localhost ~]# host -t CNAME www.a.shifen.com.
www.a.shifen.com has no CNAME record
[root@localhost ~]# host -t SOA baidu.com.
baidu.com has SOA record dns.baidu.com. sa.baidu.com. 2012139419 300 300 2592000 7200
[root@localhost ~]# host -t MX baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.
baidu.com mail is handled by 15 mx.n.shifen.com.
baidu.com mail is handled by 20 mx1.baidu.com.
baidu.com mail is handled by 20 jpmx.baidu.com.
baidu.com mail is handled by 20 mx50.baidu.com.
[root@localhost ~]# host -t NS baidu.com. 114.114.114.114
Using domain server:
Name: 114.114.114.114
Address: 114.114.114.114#53
Aliases:
baidu.com name server ns3.baidu.com.
baidu.com name server ns2.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns4.baidu.com.
[root@localhost ~]# host -t NS baidu.com. 218.85.157.99
Using domain server:
Name: 218.85.157.99
Address: 218.85.157.99#53
Aliases:
baidu.com name server ns2.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns4.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns3.baidu.com.
[root@localhost ~]# host -t PTR 14.215.177.38
Host 38.177.215.14.in-addr.arpa. not found: 3(NXDOMAIN)
[root@localhost ~]# host -t PTR 14.215.177.39
Host 39.177.215.14.in-addr.arpa. not found: 3(NXDOMAIN)
#host命令的结果要比dig命令的结果简要,含义都差不多。
c)=========== nslookup命令=======================
非交互式模式简要语法格式:
nslookup [-options] [name] [server]
交互式模式:
nslookup>
server IP:以指定的IP为DNS服务器进行查询;
set q=RR_TYPE:要查询的资源记录类型;
name:要查询的名称;
例如:
[root@localhost ~]# nslookup www.baidu.com
Server: 114.114.114.114
Address: 114.114.114.114#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 14.215.177.39
Name: www.a.shifen.com
Address: 14.215.177.38
交互式模式:
[root@localhost ~]# nslookup
> set q=A
> www.baidu.com
Server: 114.114.114.114
Address: 114.114.114.114#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 14.215.177.39
Name: www.a.shifen.com
Address: 14.215.177.38
> set q=SOA
> baidu.com.
Server: 114.114.114.114
Address: 114.114.114.114#53
Non-authoritative answer:
baidu.com
origin = dns.baidu.com
mail addr = sa.baidu.com
serial = 2012139419
refresh = 300
retry = 300
expire = 2592000
minimum = 7200
Authoritative answers can be found from:
> server 218.85.157.99
Default server: 218.85.157.99 #先设置默认查询的dns服务器
Address: 218.85.157.99#53
> set q=MX
> baidu.com.
Server: 218.85.157.99
Address: 218.85.157.99#53
Non-authoritative answer:
baidu.com mail exchanger = 10 mx.maillb.baidu.com.
baidu.com mail exchanger = 20 jpmx.baidu.com.
baidu.com mail exchanger = 20 mx50.baidu.com.
baidu.com mail exchanger = 20 mx1.baidu.com.
baidu.com mail exchanger = 15 mx.n.shifen.com.
Authoritative answers can be found from:
baidu.com nameserver = ns2.baidu.com.
baidu.com nameserver = ns7.baidu.com.
baidu.com nameserver = ns4.baidu.com.
baidu.com nameserver = dns.baidu.com.
baidu.com nameserver = ns3.baidu.com.
mx1.baidu.com internet address = 61.135.165.120
mx1.baidu.com internet address = 220.181.50.185
jpmx.baidu.com internet address = 61.208.132.13
dns.baidu.com internet address = 202.108.22.220
ns2.baidu.com internet address = 220.181.37.10
ns3.baidu.com internet address = 112.80.248.64
ns4.baidu.com internet address = 14.215.178.80
ns7.baidu.com internet address = 180.76.76.92
另外几个与配置文件语法检测以及服务重载有关的:
named-checkconf [/etc/named.conf] #检测配置文件语法
named-checkzone ZONE_NAME ZONE_FILE #检测区域解析配置文件语法
rndc reload #重载named的服务,等效于:
systemctl reload named.service
四、实际配置
4.1、缓存名称服务器的配置
1、先来看看主配置文件默认的配置:
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@localhost ~]#
说明:
(1) 默认监听先关的配置
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
表示监听到本地回环和默认的ipv6本地回环。我们以ipv4为准进行说明。
如果要监听所有地址或者固定地址,可以这样写:
listen-on port 53; #监听到所有
或
listen-on port 53 { 192.168.56.5 ; }; #监听到指定的接口,我这里的内外ip是192.168.56.5
这里的语法要注意,花括号两边要有有空隔,如果花括号内有多条记录,要以分号隔开,语句结尾也要有分号。
学习配置,建议关闭的选项(与dnssec有关的选项):
默认值:
dnssec-enable yes;
dnssec-validation yes;
#dnssec-lookaside yes; #这个配置有些版本没有,比如我的就没有
可以设置关闭,其值为:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
配置主从的时候,进本地查询要设置为非localhost等:
默认配置:
allow-query { localhost; };
可以设置为:
//allow-query { localhost; }; #直接注释掉了。默认是允许所有,还要看签名的监听
修改后,我的named.conf配置文件为:
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; 192.168.56.5; }; #修改处,加上来我的内网地址
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
//allow-query { localhost; }; #修改处,下面有新增
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
#dnssec-enable yes; #修改处
#dnssec-validation yes; #修改处
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@localhost ~]#
2、配置解析一个正向区域
假定二级域名为:yanhui.com (顶级域名com下的二级域,yanhui为注册的字符串)
(1) 定义区域
#在主配置文件或主配置文件包含的辅助配置文件中实现
定义模板类似于:
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
#注意语句结束时候的分号。
我添加的内容如下:
[root@localhost named]# vim /etc/named.rfc1912.zones
[root@localhost named]# tail -n 4 /etc/named.rfc1912.zones
zone "yanhui.com" IN {
type master;
file "yanhui.com.zone";
};
#可以使用named-checkconf检测一下配置文件语法是否有问题
[root@localhost named]# named-checkconf
[root@localhost named]# echo $?
0
[root@localhost named]# named-checkconf /etc/named.rfc1912.zones
[root@localhost named]# echo $?
0
(2) 建立区域数据文件
#第一步的区域定义时候指定的区域数据文件名叫yanhui.com.zone,指向的是一个相对路径,默认相对的是/var/named,即区域数据文件应该为/var/named/yanhui.com.zone
[root@localhost named]# vim /var/named/yanhui.com.zone
[root@localhost named]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com. IN SOA ns1.yanhui.com. dnsadmin.yanhui.com. (
2018120401
1H
10M
1D
6M
)
yanhui.com. IN NS ns1.yanhui.com.
yanhui.com. IN NS ns2.yanhui.com.
yanhui.com. IN MX 10 mx1.yanhui.com.
yanhui.com. IN MX 20 mx2.yanhui.com.
yanhui.com. IN MX 21 bpmx.yanhui.com.
ns1.yanhui.com. IN A 192.168.56.5
ns2.yanhui.com. IN A 192.168.56.5
mx1.yanhui.com. IN A 192.168.56.11
mx2.yanhui.com. IN A 192.168.56.12
bpmx.yanhui.com. IN A 192.168.56.13
www.yanhui.com. IN A 192.168.56.5
web.yanhui.com. IN CNAME www.yanhui.com.
bbs.yanhui.com. IN A 192.168.56.20
bbs.yanhui.com. IN A 192.168.56.21
要修改一下权限:
[root@localhost named]# ls -l
total 20
drwxr-x--- 7 root named 61 Dec 4 20:17 chroot
drwxrwx--- 2 named named 6 Oct 31 08:29 data
drwxrwx--- 2 named named 6 Oct 31 08:29 dynamic
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Oct 31 08:29 slaves
-rw-r--r-- 1 root root 598 Dec 4 22:04 yanhui.com.zone
[root@localhost named]# chgrp named yanhui.com.zone
[root@localhost named]# chmod 640 yanhui.com.zone
[root@localhost named]# ls -l yanhui.com.zone
-rw-r----- 1 root named 598 Dec 4 22:04 yanhui.com.zone
#用named-checkzone 检测一下区域数据文件语法:
[root@localhost named]# named-checkzone yanhui.com. /var/named/yanhui.com.zone
zone yanhui.com/IN: loaded serial 2018120401
OK
#上面表示没有问题,载入序列号为2018120401
(3) 重载配置文件和区域数据文件
rndc reload或
systemctl reload named.service
#因为我这里之前没有启动过,所以要先启动
[root@localhost named]# systemctl start named.service
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-12-04 22:08:16 CST; 4s ago
Process: 12740 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 12737 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 12743 (named)
CGroup: /system.slice/named.service
└─12743 /usr/sbin/named -u named -c /etc/named.conf
Dec 04 22:08:16 localhost.localdomain named[12743]: all zones loaded
Dec 04 22:08:16 localhost.localdomain named[12743]: running
Dec 04 22:08:16 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Dec 04 22:08:16 localhost.localdomain named[12743]: zone yanhui.com/IN: sending notifies (serial 2018120401)
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
[root@localhost named]# ps aux|grep named
root 12690 0.0 0.3 126352 1904 pts/3 S+ 21:51 0:00 vi /etc/named.conf
named 12743 0.0 12.0 166756 58468 ? Ssl 22:08 0:00 /usr/sbin/named -u named -c /etc/named.conf
root 12901 0.0 0.1 112648 960 pts/1 R+ 22:11 0:00 grep --color=auto named
[root@localhost named]# ss -nltu
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 127.0.0.1:323 *:*
udp UNCONN 0 0 ::1:53 :::*
udp UNCONN 0 0 ::1:323 :::*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 10 ::1:53 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:953 :::*
tcp LISTEN 0 100 ::1:25 :::*
#如果要重载,可以这样做
[root@localhost ~]# rndc reload
server reload successful
(4) 测试
#这里就以简单工具host来测试
1> 走我本地的DNS服务器去查询 yanhui.com.的SOA记录
[root@localhost ~]# host -t SOA yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com has SOA record ns1.yanhui.com. dnsadmin.yanhui.com. 2018120401 3600 600 86400 360
2> NS记录查询
[root@localhost ~]# host -t NS yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com name server ns2.yanhui.com.
yanhui.com name server ns1.yanhui.com.
[root@localhost ~]# host -t NS yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com name server ns1.yanhui.com.
yanhui.com name server ns2.yanhui.com.
3> MX记录查询
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com mail is handled by 20 mx2.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 21 bpmx.yanhui.com.
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com mail is handled by 21 bpmx.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 20 mx2.yanhui.com.
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
yanhui.com mail is handled by 21 bpmx.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 20 mx2.yanhui.com.
4> A记录查询
[root@localhost ~]# host -t A www.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
www.yanhui.com has address 192.168.56.5
[root@localhost ~]# host -t A bbs.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
bbs.yanhui.com has address 192.168.56.20
bbs.yanhui.com has address 192.168.56.21
[root@localhost ~]# host -t A ns1.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
ns1.yanhui.com has address 192.168.56.5
5> CNAME记录查询
[root@localhost ~]# host -t CNAME web.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
web.yanhui.com is an alias for www.yanhui.com.
[root@localhost ~]# host -t A web.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases:
web.yanhui.com is an alias for www.yanhui.com.
www.yanhui.com has address 192.168.56.5
3、配置解析一个反向区域
(1) 定义区域
[root@localhost ~]# vim /etc/named.rfc1912.zones
[root@localhost ~]# tail -4 /etc/named.rfc1912.zones
zone "56.168.192.in-addr.arpa" IN {
type master;
file "56.168.192.zone";
};
#检测语法
[root@localhost ~]# named-checkconf
[root@localhost ~]# echo $?
0
(2) 定义区域解析库文件
[root@localhost named]# cat /var/named/56.168.192.zone
$TTL 600
$ORIGIN 56.168.192.in-addr.arpa.
@ IN SOA ns1.yanhui.com. dnsadmin.yanhui.com.(
2018120401
1H
10M
1D
6M
)
@ IN NS ns1.yanhui.com.
@ IN NS ns2.yanhui.com.
5.56.168.192.in-addr.arpa. IN PTR ns1.yanhui.com.
5.@ IN PTR ns2.yanhui.com.
88.56.168.192.in-addr.arpa. IN PTR mx1.yanhui.com.
89.56.168.192.in-addr.arpa. IN PTR mx2.yanhui.com.
90.56.168.192.in-addr.arpa. IN PTR bpmx.yanhui.com.
20.56.168.192.in-addr.arpa. IN PTR bbs.yanhui.com.
21.56.168.192.in-addr.arpa. IN PTR bbs.yanhui.com.
5.56.168.192.in-addr.arpa. IN PTR www.yanhui.com.
[root@localhost named]#
#修改权限并检测语法
[root@localhost named]# ls -l
total 24
-rw-r--r-- 1 root root 552 Dec 4 22:42 56.168.192.zone
drwxr-x--- 7 root named 61 Dec 4 20:17 chroot
drwxrwx--- 2 named named 23 Dec 4 22:08 data
drwxrwx--- 2 named named 60 Dec 4 22:08 dynamic
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Oct 31 08:29 slaves
-rw-r----- 1 root named 598 Dec 4 22:04 yanhui.com.zone
[root@localhost named]# chgrp named 56.168.192.zone
[root@localhost named]# chmod 640 56.168.192.zone
[root@localhost named]# ls -l 56.168.192.zone
-rw-r----- 1 root named 552 Dec 4 22:42 56.168.192.zone
[root@localhost named]# named-checkzone 56.168.192.in-addr.arpa. /var/named/56.168.192.zone
zone 56.168.192.in-addr.arpa/IN: loaded serial 2018120401
OK
(3) 重载配置文件和区域数据文件
[root@localhost named]# rndc reload
server reload successful
(4) 测试
[root@localhost named]# dig @192.168.56.5 -x 192.168.56.5
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.56.5 -x 192.168.56.5
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.56.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
5.56.168.192.in-addr.arpa. 600 IN PTR www.yanhui.com.
5.56.168.192.in-addr.arpa. 600 IN PTR ns1.yanhui.com.
;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 600 IN NS ns2.yanhui.com.
56.168.192.in-addr.arpa. 600 IN NS ns1.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 192.168.56.5
ns2.yanhui.com. 600 IN A 192.168.56.5
;; Query time: 0 msec
;; SERVER: 192.168.56.5#53(192.168.56.5)
;; WHEN: Tue Dec 04 22:45:49 CST 2018
;; MSG SIZE rcvd: 164
[root@localhost named]# dig @192.168.56.5 -x 192.168.56.20
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.56.5 -x 192.168.56.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20.56.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.56.168.192.in-addr.arpa. 600 IN PTR bbs.yanhui.com.
;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 600 IN NS ns2.yanhui.com.
56.168.192.in-addr.arpa. 600 IN NS ns1.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 192.168.56.5
ns2.yanhui.com. 600 IN A 192.168.56.5
;; Query time: 0 msec
;; SERVER: 192.168.56.5#53(192.168.56.5)
;; WHEN: Tue Dec 04 22:45:57 CST 2018
;; MSG SIZE rcvd: 151
[root@localhost named]#
4.2、主从服务器配置
#这里测试的时候,我换了一个实验环境,所以ip有所变化,差异不大。单机配置就不贴出配置文件了。
1、从dns服务器区域配置说明
(1) 定义一个从区域
配置模板:
zone "ZONE_NAME" IN {
type slave;
file "slaves/ZONE_NAME.zone";
masters { MASTER_IP; };
};
说明:type类型定义的时候要选择为slave。
file指定的区域解析配置文件要放在提前准备好的slaves目录下,主dns服务器那边会有这个目录。
到时候会自行同步,如果权限、访问控制和防火墙等无异常的话。
需要使用masters指令指明主dns服务器ip
实际从区域配置定义为:
zone "yanhui.com." IN {
type slave;
file "slaves/yanhui.com.zone";
masters { 172.16.0.4; };
};
2、主dns服务器正向区域配置同步和测试
#正向区域配置文件,要至少保证有一条NS解析记录,且这个NS解析记录要添加一条A记录,并且A记录的目标IP指向的是
从服务器的IP
[root@localhost named]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com. IN SOA ns1.yanhui.com. dnsadmin.yanhui.com. (
2018120402
1H
10M
1D
6M
)
yanhui.com. IN NS ns1.yanhui.com.
yanhui.com. IN NS ns2.yanhui.com.
yanhui.com. IN MX 10 mx1.yanhui.com.
yanhui.com. IN MX 20 mx2.yanhui.com.
yanhui.com. IN MX 21 bpmx.yanhui.com.
ns1.yanhui.com. IN A 172.16.0.4
ns2.yanhui.com. IN A 172.16.0.6 #这一步很关键
mx1.yanhui.com. IN A 172.16.0.11
mx2.yanhui.com. IN A 172.16.0.12
bpmx.yanhui.com. IN A 172.16.0.13
www.yanhui.com. IN A 172.16.0.4
web.yanhui.com. IN CNAME www.yanhui.com.
bbs.yanhui.com. IN A 172.16.0.20
bbs.yanhui.com. IN A 172.16.0.21
如果此时从服务配置文件已经是同步状态,记得修改主dns服务器的这个SOA中的序列编号,给它加1,我上面贴出的是已经加1的。
此刻,先使用检查主dns服务器的区域配置文件语法,然后重载主dns服务器的配置。
[root@localhost named]# named-checkzone yanhui.com. /var/named/yanhui.com.zone
zone yanhui.com/IN: loaded serial 2018120402
OK
[root@localhost named]# rndc reload
server reload successful
然后去从dns服务器重载配置,然后查看状态:
[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2018-12-05 23:53:44 CST; 4min 12s ago
Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 13597 (named)
CGroup: /system.slice/named.service
└─13597 /usr/sbin/named -u named -c /etc/named.conf
Dec 05 23:57:46 localhost.localdomain named[13597]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 05 23:57:46 localhost.localdomain named[13597]: reloading configuration succeeded
Dec 05 23:57:46 localhost.localdomain named[13597]: reloading zones succeeded
Dec 05 23:57:46 localhost.localdomain named[13597]: all zones loaded
Dec 05 23:57:46 localhost.localdomain named[13597]: running
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: Transfer started.
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#44399
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120402
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120402)
Hint: Some lines were ellipsized, use -l to show in full.
#从上面的状态来看,同步已经完成。
[root@localhost named]# ls -l /var/named/slaves/yanhui.com.zone
-rw-r--r-- 1 named named 631 Dec 5 23:57 /var/named/slaves/yanhui.com.zone
[root@localhost named]# file /var/named/slaves/yanhui.com.zone
/var/named/slaves/yanhui.com.zone: data
#正向区域配置文件已经同步过来,所以同步算正常。然后下面简单测试一下:
[root@localhost named]#
[root@localhost named]# dig -t A www.yanhui.com. @172.16.0.6
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.yanhui.com. @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48543
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com. IN A
;; ANSWER SECTION:
www.yanhui.com. 600 IN A 172.16.0.4
;; AUTHORITY SECTION:
yanhui.com. 600 IN NS ns1.yanhui.com.
yanhui.com. 600 IN NS ns2.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 172.16.0.4
ns2.yanhui.com. 600 IN A 172.16.0.6
;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Wed Dec 05 23:59:27 CST 2018
;; MSG SIZE rcvd: 127
#通过从dns服务器解析没有问题。
然后尝试去主dns服务器添加一条解析。主服务器查看信息如下:(注意修改后SOA记录序列号增加,然后查看状态)
[root@localhost named]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com. IN SOA ns1.yanhui.com. dnsadmin.yanhui.com. (
2018120403
1H
10M
1D
6M
)
yanhui.com. IN NS ns1.yanhui.com.
yanhui.com. IN NS ns2.yanhui.com.
yanhui.com. IN MX 10 mx1.yanhui.com.
yanhui.com. IN MX 20 mx2.yanhui.com.
yanhui.com. IN MX 21 bpmx.yanhui.com.
ns1.yanhui.com. IN A 172.16.0.4
ns2.yanhui.com. IN A 172.16.0.6
mx1.yanhui.com. IN A 172.16.0.11
mx2.yanhui.com. IN A 172.16.0.12
bpmx.yanhui.com. IN A 172.16.0.13
www.yanhui.com. IN A 172.16.0.4
web.yanhui.com. IN CNAME www.yanhui.com.
bbs.yanhui.com. IN A 172.16.0.20
bbs.yanhui.com. IN A 172.16.0.21
pop3.yanhui.com. IN A 172.16.0.22
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since Wed 2018-12-05 14:48:51 CST; 9h ago
Process: 2022 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 2035 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2032 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 2037 (named)
CGroup: /system.slice/named.service
└─2037 /usr/sbin/named -u named -c /etc/named.conf
Dec 06 00:10:54 localhost.localdomain named[2037]: automatic empty zone: B.E.F.IP6.ARPA
Dec 06 00:10:54 localhost.localdomain named[2037]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:10:54 localhost.localdomain named[2037]: reloading configuration succeeded
Dec 06 00:10:54 localhost.localdomain named[2037]: reloading zones succeeded
Dec 06 00:10:54 localhost.localdomain named[2037]: zone yanhui.com/IN: loaded serial 2018120403
Dec 06 00:10:54 localhost.localdomain named[2037]: zone yanhui.com/IN: sending notifies (serial 2018120403)
Dec 06 00:10:54 localhost.localdomain named[2037]: all zones loaded
Dec 06 00:10:54 localhost.localdomain named[2037]: running
Dec 06 00:10:54 localhost.localdomain named[2037]: client 172.16.0.6#52665 (yanhui.com): transfer of 'yanhui.com/IN': AXFR-style...tarted
Dec 06 00:10:54 localhost.localdomain named[2037]: client 172.16.0.6#52665 (yanhui.com): transfer of 'yanhui.com/IN': AXFR-style... ended
Hint: Some lines were ellipsized, use -l to show in full.
#从上面状态信息同步可以看出,区域yanhui.com.更新了,主服务器发送通知(徐利好为2018120403)
从dns服务器上查看状态:
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2018-12-05 23:53:44 CST; 19min ago
Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 13597 (named)
CGroup: /system.slice/named.service
└─13597 /usr/sbin/named -u named -c /etc/named.conf
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#44399
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120402
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120402)
Dec 06 00:10:54 localhost.localdomain named[13597]: client 172.16.0.4#35222: received notify for zone 'yanhui.com'
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: Transfer started.
Dec 06 00:10:54 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#52665
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120403
Dec 06 00:10:54 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120403)
Hint: Some lines were ellipsized, use -l to show in full.
#上面状态信息可以看出,状态已经同步了。用工具测试:
[root@localhost named]# dig @172.16.0.6 -t A pop3.yanhui.com
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -t A pop3.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39052
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pop3.yanhui.com. IN A
;; ANSWER SECTION:
pop3.yanhui.com. 600 IN A 172.16.0.22
;; AUTHORITY SECTION:
yanhui.com. 600 IN NS ns1.yanhui.com.
yanhui.com. 600 IN NS ns2.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 172.16.0.4
ns2.yanhui.com. 600 IN A 172.16.0.6
;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:13:52 CST 2018
;; MSG SIZE rcvd: 128
#解析正常。
3、主dns服务器反向区域同步和测试
(1) 从库定义一个区域,并指向主dns,类型为slave,我的实际内容如下
zone "0.16.172.in-addr.arpa" IN {
type slave;
file "slaves/0.16.172.zone";
masters { 172.16.0.4; };
};
检测语法:
[root@localhost named]# named-checkconf
[root@localhost named]# echo $?
0
(2) 主dns服务器的反向解析区域配置文件中配置一条NS记录,并且这个NS记录要设置一条A记录指向从服务器,并把SOA记录序列值增加
[root@localhost named]# cat /var/named/0.16.172.zone
$TTL 600
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA ns1.yanhui.com. dnsadmin.yanhui.com.(
2018120402
1H
10M
1D
6M
)
@ IN NS ns1.yanhui.com.
@ IN NS ns2.yanhui.com. #这一条记录很关键
4.0.16.172.in-addr.arpa. IN PTR ns1.yanhui.com.
68.0.16.172.in-addr.arpa. IN PTR ns2.yanhui.com. #这一条记录很关键
88.0.16.172.in-addr.arpa. IN PTR mx1.yanhui.com.
89.0.16.172.in-addr.arpa. IN PTR mx2.yanhui.com.
90.0.16.172.in-addr.arpa. IN PTR bpmx.yanhui.com.
20.0.16.172.in-addr.arpa. IN PTR bbs.yanhui.com.
21.0.16.172.in-addr.arpa. IN PTR bbs.yanhui.com.
4.0.16.172.in-addr.arpa. IN PTR www.yanhui.com.
检测语法配置:
[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa /var/named/0.16.172.zone
zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120402
OK
(3) 从服务器重新reload配置,并检测状态
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2018-12-05 23:53:44 CST; 30min ago
Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 13597 (named)
CGroup: /system.slice/named.service
└─13597 /usr/sbin/named -u named -c /etc/named.conf
Dec 06 00:23:35 localhost.localdomain named[13597]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:23:35 localhost.localdomain named[13597]: reloading configuration succeeded
Dec 06 00:23:35 localhost.localdomain named[13597]: reloading zones succeeded
Dec 06 00:23:35 localhost.localdomain named[13597]: all zones loaded
Dec 06 00:23:35 localhost.localdomain named[13597]: running
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: Transfer started.
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#54569
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120401
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120401)
Hint: Some lines were ellipsized, use -l to show in full.
#状态同步ok,看看从dns服务器上slaves目录下是否有了反向区域解析的数据文件
[root@localhost named]# ls -l /var/named/slaves/0.16.172.zone
-rw-r--r-- 1 named named 672 Dec 6 00:23 /var/named/slaves/0.16.172.zone
[root@localhost named]# file /var/named/slaves/0.16.172.zone
/var/named/slaves/0.16.172.zone: data
#测试解析
[root@localhost named]# dig @172.16.0.6 -x 172.16.0.20
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -x 172.16.0.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38089
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20.0.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
20.0.16.172.in-addr.arpa. 600 IN PTR bbs.yanhui.com.
;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 600 IN NS ns2.yanhui.com.
0.16.172.in-addr.arpa. 600 IN NS ns1.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 172.16.0.4
ns2.yanhui.com. 600 IN A 172.16.0.6
;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:25:10 CST 2018
;; MSG SIZE rcvd: 149
#测试ok
#主服务器新增一条记录,测试是否能立即同步(注意序列号要增加)
[root@localhost ~]# vim /var/named/0.16.172.zone
[root@localhost ~]# cat /var/named/0.16.172.zone
$TTL 600
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA ns1.yanhui.com. dnsadmin.yanhui.com.(
2018120403
1H
10M
1D
6M
)
@ IN NS ns1.yanhui.com.
@ IN NS ns2.yanhui.com.
4.0.16.172.in-addr.arpa. IN PTR ns1.yanhui.com.
68.0.16.172.in-addr.arpa. IN PTR ns2.yanhui.com.
88.0.16.172.in-addr.arpa. IN PTR mx1.yanhui.com.
89.0.16.172.in-addr.arpa. IN PTR mx2.yanhui.com.
90.0.16.172.in-addr.arpa. IN PTR bpmx.yanhui.com.
20.0.16.172.in-addr.arpa. IN PTR bbs.yanhui.com.
21.0.16.172.in-addr.arpa. IN PTR bbs.yanhui.com.
4.0.16.172.in-addr.arpa. IN PTR www.yanhui.com.
22.0.16.172.in-addr.arpa. IN PTR pop3.yanhui.com.
检测反向区域解析配置文件语法,并重载
[root@localhost ~]# named-checkzone 0.16.172.in-addr.arpa /var/named/0.16.172.zone
zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120403
OK
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since Wed 2018-12-05 14:48:51 CST; 9h ago
Process: 2022 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 2035 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2032 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 2037 (named)
CGroup: /system.slice/named.service
└─2037 /usr/sbin/named -u named -c /etc/named.conf
Dec 06 00:27:45 localhost.localdomain named[2037]: automatic empty zone: B.E.F.IP6.ARPA
Dec 06 00:27:45 localhost.localdomain named[2037]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:27:45 localhost.localdomain named[2037]: reloading configuration succeeded
Dec 06 00:27:45 localhost.localdomain named[2037]: reloading zones succeeded
Dec 06 00:27:45 localhost.localdomain named[2037]: zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120403
Dec 06 00:27:45 localhost.localdomain named[2037]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120403)
Dec 06 00:27:45 localhost.localdomain named[2037]: all zones loaded
Dec 06 00:27:45 localhost.localdomain named[2037]: running
Dec 06 00:27:45 localhost.localdomain named[2037]: client 172.16.0.6#52017 (0.16.172.in-addr.arpa): transfer of '0.16.172.in-add...tarted
Dec 06 00:27:45 localhost.localdomain named[2037]: client 172.16.0.6#52017 (0.16.172.in-addr.arpa): transfer of '0.16.172.in-add... ended
Hint: Some lines were ellipsized, use -l to show in full.
查看从服务器状态:
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2018-12-05 23:53:44 CST; 34min ago
Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 13597 (named)
CGroup: /system.slice/named.service
└─13597 /usr/sbin/named -u named -c /etc/named.conf
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#54569
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120401
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120401)
Dec 06 00:27:45 localhost.localdomain named[13597]: client 172.16.0.4#27039: received notify for zone '0.16.172.in-addr.arpa'
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: Transfer started.
Dec 06 00:27:45 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#52017
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120403
Dec 06 00:27:45 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120403)
Hint: Some lines were ellipsized, use -l to show in full.
#状态正常,测试解析记录:
[root@localhost named]# dig @172.16.0.6 -x 172.16.0.22
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -x 172.16.0.22
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;22.0.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
22.0.16.172.in-addr.arpa. 600 IN PTR pop3.yanhui.com.
;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 600 IN NS ns1.yanhui.com.
0.16.172.in-addr.arpa. 600 IN NS ns2.yanhui.com.
;; ADDITIONAL SECTION:
ns1.yanhui.com. 600 IN A 172.16.0.4
ns2.yanhui.com. 600 IN A 172.16.0.6
;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:29:04 CST 2018
;; MSG SIZE rcvd: 150
#解析ok,测试大抵通过。
4.3、子域授权配置(只演示子域的单个,而且只演示子域的正向区域解析配置)
1、正向解析区域授权子域的方法
假设正向解析要配置的子域为 ops.yanhui.com.
子域要授权,NS记录要加类似于下面的如此,然后也要有对应A记录
ops.yanhui.com. IN NS ns1.ops.yanhui.com.
ops.yanhui.com. IN NS ns2.ops.yanhui.com
ns1.ops.yanhui.com. IN A IP_ADDRESS
ns2.ops.yanhui.com. IN A IP_ADDRESS
实际yanhui.com.这个二级域的正向区域配置文件添加内容为:(它的子域ops.yanhui.com.)
[root@localhost ~]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com. IN SOA ns1.yanhui.com. dnsadmin.yanhui.com. (
2018120404
1H
10M
1D
6M
)
yanhui.com. IN NS ns1.yanhui.com.
yanhui.com. IN NS ns2.yanhui.com.
yanhui.com. IN MX 10 mx1.yanhui.com.
yanhui.com. IN MX 20 mx2.yanhui.com.
yanhui.com. IN MX 21 bpmx.yanhui.com.
ns1.yanhui.com. IN A 172.16.0.4
ns2.yanhui.com. IN A 172.16.0.6
mx1.yanhui.com. IN A 172.16.0.11
mx2.yanhui.com. IN A 172.16.0.12
bpmx.yanhui.com. IN A 172.16.0.13
www.yanhui.com. IN A 172.16.0.4
web.yanhui.com. IN CNAME www.yanhui.com.
bbs.yanhui.com. IN A 172.16.0.20
bbs.yanhui.com. IN A 172.16.0.21
pop3.yanhui.com. IN A 172.16.0.22
#下面是为了子域设置的(上面的序列号要增加)
ops.yanhui.com. IN NS ns1.ops.yanhui.com.
ns1.ops.yanhui.com. IN A 172.16.0.8
检测语法并重载,这里就不写出过程了。
2、在新服务器上配置子域的区域定义以及子域的正向解析区域配置
子域名的区域定义配置为:
zone "ops.yanhui.com" IN {
type master;
file "ops.yanhui.com.zone";
};
#重载配置并查看状态
[root@localhost ~]# named-checkconf
[root@localhost ~]# echo $?
[root@localhost ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2018-12-06 00:45:12 CST; 10s ago
Process: 14123 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 14119 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 14124 (named)
CGroup: /system.slice/named.service
└─14124 /usr/sbin/named -u named -c /etc/named.conf
Dec 06 00:45:13 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Dec 06 00:45:13 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 193.0.14.129#53
Dec 06 00:45:13 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 199.7.91.13#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 202.12.27.33#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:84::b#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 192.58.128.30#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 192.5.5.241#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 198.97.190.53#53
[root@localhost ~]# ss -tunl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp UNCONN 0 0 172.16.0.8:53 *:*
tcp UNCONN 0 0 127.0.0.1:53 *:*
tcp UNCONN 0 0 ::1:53 :::*
tcp LISTEN 0 10 172.16.0.8:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 10 ::1:53 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:953 :::*
tcp LISTEN 0 100 ::1:25 :::*
PS:子域的主配置文件,设置还是要和之前设置的一样,比如监听要加上本地的内网ip地址。还有允许所有访问。
子域的正向区域解析配置:
[root@localhost ~]# cat /var/named/ops.yanhui.com.zone
$TTL 3600
ops.yanhui.com. IN SOA ns1.ops.yanhui.com. nsadmin.ops.yanhui.com. (
2018120601
1H
10M
1D
2H
)
ops.yanhui.com. IN NS ns1.ops.yanhui.com.
ns1.ops.yanhui.com. IN A 172.16.0.8
www.ops.yanhui.com. IN A 172.16.0.8
#修改属组以及文件的权限
[root@localhost named]# chgrp named ops.yanhui.com.zone
[root@localhost named]# chmod 640 ops.yanhui.com.zone
#检测区域配置语法以及重载
[root@localhost named]# named-checkzone ops.yanhui.com. /var/named/ops.yanhui.com.zone
zone ops.yanhui.com/IN: loaded serial 2018120601
OK
[root@localhost named]# rndc reload
server reload successful
使用dig工具在子域dns服务器和其父域dns服务器分别通过该服务器来解析:
(1) 子域dns服务器上操作
[root@localhost named]# dig -t A www.ops.yanhui.com @172.16.0.8
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.ops.yanhui.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.yanhui.com. IN A
;; ANSWER SECTION:
www.ops.yanhui.com. 3600 IN A 172.16.0.8
;; AUTHORITY SECTION:
ops.yanhui.com. 3600 IN NS ns1.ops.yanhui.com.
;; ADDITIONAL SECTION:
ns1.ops.yanhui.com. 3600 IN A 172.16.0.8
;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: Thu Dec 06 00:52:16 CST 2018
;; MSG SIZE rcvd: 97
(2) 在ops.yanhui.com.的父域dns服务器上测试
[root@localhost ~]# dig -t A www.ops.yanhui.com @172.16.0.4
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.ops.yanhui.com @172.16.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.yanhui.com. IN A
;; ANSWER SECTION:
www.ops.yanhui.com. 3600 IN A 172.16.0.8
;; AUTHORITY SECTION:
ops.yanhui.com. 600 IN NS ns1.ops.yanhui.com.
;; ADDITIONAL SECTION:
ns1.ops.yanhui.com. 3600 IN A 172.16.0.8
;; Query time: 4 msec
;; SERVER: 172.16.0.4#53(172.16.0.4)
;; WHEN: Thu Dec 06 00:52:50 CST 2018
;; MSG SIZE rcvd: 97
#上面结果都OK,表示正常。其实呢,子域dns服务和之前配置yanhui.com.一样,yanhui.com.的父域是全球的顶级域,所以
顶级域的配置文件配置和我们这里差不多。另外子域dns服务器也可以实现其反向区域配置文件解析以及主从。
4.4、智能dns配置和模拟实现
1、智能dns概述
智能DNS是通过DNS的视图(view)功能来实现的。可以理解为view是bind的子容器。
一个bind服务器可定义多个view,每个view中可定义一个或多个zone。每个view用来匹配一组请求的客户端。多个view内可能需要对同一个区域进行解析,但使用不同的区域解析库文件。
一旦启用了view,所有的zone都只能定义在view中(比如我们后边会把配置文件中的根域剪切到view定义语句块中)。仅有必要在匹配到允许递归请求的客户端所在view中定义根区域。客户端请求到达时,是自上而下检查每个view所服务的客户端列表。
智能DNS是域名服务在业界首创的智能解析服务。能自动判断访问者的IP地址并解析出对应的IP地址,使网通用户会访问到网通服务器,电信用户会访问到电信服务器。下面两种场景,就需要dns智能解析:
场景1:
公司局域网有一个站点,对外提供web服务器(不用管它如何对外提供服务),假设站点的域名是 www.yanhui.com,公网有一个DNS服务器(含有内网网卡和外网网卡并分别配置了局域网的ip地址和公网的ip地址),现在就有两种可能性,一种是外网的客户端请求www.yanhui.com,另外一个是内网的客户端请求www.yanhui.com。对于公网客户端请求www.yanhui.com,dns服务器只能解析成公司出口的公网ip上,而对于内网的客户端,两者皆可,但是,如果局域网请求dns服务器,也把它解析到出口公网,这样还要去转到局域网,走了一大圈的弯路,当dns复制知道局域网的时候,更希望的是,对于内网客户端的请求,把解析直接解析成局域网的站点的内网ip上。如下图所示:
场景2:
dns服务器的内网,电信机房和联通机房会同步缓存一份。当属于电信网络的用户和属于联通网络的用户,请求dns服务器的时候,希望能让电信网络的用户请求的是电信机房缓存的DNS,而对于联通网络的用户请求,希望他们请求的是联通机房的缓存的DNS。如下图所示:
现在我们简单来模拟一下这种场景,图解如下:
2、实际简单模拟测试实现dns的view功能
(1) 准备一台服务器,配置两个ip
#这里为了简单,我就配置别名了,一个ip是172.16.0.10,一个ip是192.168.0.24
[root@localhost ~]# ip addr add 192.168.0.24/24 dev eno16777736
[root@localhost ~]# ip addr list eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:85:86:8d brd ff:ff:ff:ff:ff:ff
inet 172.16.0.10/16 brd 172.16.255.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet 192.168.0.24/24 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe85:868d/64 scope link
valid_lft forever preferred_lft forever
(2) 配置view
#bind等软件包安装,省略。
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
//listen-on port 53 { 127.0.0.1; 172.16.0.24; 192.168.0.24; };
listen-on port 53 { any; }; #因为我本地是网卡别名,所以这里为了让它监听到每个ip地址上,就写了any
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; }; #这里如果是多大主机,这里要注意,我这里本地模拟测试,都在一台上,
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
##测试就关掉dnssec功能,因为配置确实有点麻烦
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#原先这里的根域定义,被移到view中去了
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@localhost ~]#
区域配置:
[root@localhost ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
view inner { //定义的第一个视图,里面包含了从主配置那边剪切的根域定义
match-clients { 192.168.0.0/24; }; #匹配192.168.0.0/24网段的
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "yanhui.com." IN {
type master;
file "yanhui.com.inner";
};
};
view outnet { //第二个根域
match-clients { 172.16.0.0/16; }; #匹配172.16.0.0./16网段的
zone "yanhui.com." IN {
type master;
file "yanhui.com.outnet";
};
};
view default {
match-clients { any; }; #如果上面两个视图的网段都没有匹配到,就指向这个默认视图,匹配所有的(视图是从上到下匹配,匹配到就结束)
zone "yanhui.com." IN {
type master;
file "yanhui.com.outnet";
};
};
区域解析文件:
[root@localhost ~]# cat /var/named/yanhui.com.inner
$TTL 60
@ IN SOA dns.yanhui.com. dnsadmin.yanhui.com. (
2018120701
1H
5M
1D
2H
)
IN NS dns
IN MX 10 mail
dns IN A 192.168.0.24
mail IN A 192.168.0.12
www IN A 192.168.0.254
[root@localhost ~]# cat /var/named/yanhui.com.outnet
$TTL 60
@ IN SOA dns.yanhui.com. dnsadmin.yanhui.com. (
2018120701
1H
5M
1D
2H
)
IN NS dns
IN MX 10 mail
dns IN A 172.16.0.10
mail IN A 172.16.0.12
www IN A 172.16.0.28
修改权限并检测配置文件语法:
[root@localhost ~]# chgrp named /var/named/yanhui.com.*
[root@localhost ~]# chmod 640 /var/named/yanhui.com.*
[root@localhost ~]# ls -l /var/named/yanhui.com.*
-rw-r----- 1 root named 181 Dec 7 08:22 /var/named/yanhui.com.inner
-rw-r----- 1 root named 177 Dec 7 08:21 /var/named/yanhui.com.outnet
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone yanhui.com. /var/named/yanhui.com.inner
zone yanhui.com/IN: loaded serial 2018120701
OK
[root@localhost ~]# named-checkzone yanhui.com. /var/named/yanhui.com.outnet
zone yanhui.com/IN: loaded serial 2018120701
OK
重启named服务器, 然后测试:
(1) 走192.168.0.24接口的
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.0.24 -t A www.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com. IN A
;; ANSWER SECTION:
www.yanhui.com. 60 IN A 192.168.0.254
;; AUTHORITY SECTION:
yanhui.com. 60 IN NS dns.yanhui.com.
;; ADDITIONAL SECTION:
dns.yanhui.com. 60 IN A 192.168.0.24
;; Query time: 1 msec
;; SERVER: 192.168.0.24#53(192.168.0.24)
;; WHEN: Fri Dec 07 08:35:08 CST 2018
;; MSG SIZE rcvd: 93
(2) 走172.16.0.10接口的
[root@localhost ~]# dig @172.16.0.10 -t A www.yanhui.com
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.10 -t A www.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8819
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com. IN A
;; ANSWER SECTION:
www.yanhui.com. 60 IN A 172.16.0.28
;; AUTHORITY SECTION:
yanhui.com. 60 IN NS dns.yanhui.com.
;; ADDITIONAL SECTION:
dns.yanhui.com. 60 IN A 172.16.0.10
;; Query time: 0 msec
;; SERVER: 172.16.0.10#53(172.16.0.10)
;; WHEN: Fri Dec 07 08:35:57 CST 2018
;; MSG SIZE rcvd: 93
PS:上面的模拟测试OK了。
参考:
http://blog.51cto.com/longlei/2053983
https://www.cnblogs.com/Finley/p/6831508.html
https://www.jianshu.com/p/e8b5866802d1
包括文中给出的一些外部链接。
567
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
