1. DNS服务 安装: yum -y install bind* caching-nameserver
BIND 提供DNS服务
libnss_file.so
libnss_dns.so
系统调用这两个库文件来解析
配置文件在/etc/nsswitch.conf 根据这个配置文件的先后顺序来解析
. 根域
.com. / .cn. 顶级域
组织域:.com .org .net .cc
国家域:.cn .tw .hk .iq .ir .jp
反向域:IP-->FQDN
查询:
递归:只发出一次请求
迭代:发出多次请求
互联网查询 先递归,后迭代,
递归客户端,非递归客户端
主DNS服务器负责数据的修改
辅助DNS服务器负责数据的同步
nameserver 必须递归,因为客户端直接需要答案
serial number 数据版本号
refresh 刷新时间
retry 重试时间
expire 过期时间: 联系不上主服务器多长时间后认为区域数据过期
negative answer TTL 否定回答的緩存時間
缓存DNS服务器
转发器
数据库中的每一个条目就叫一个资源记录,资源记录中必须指明谁是DNS服务器(NS),谁是mail服务器(MX)
资源记录格式:
TTL 600 默认;
NAME TTL(更新過期時間) IN(類別) RRT(资源记录类型) VALUE(资源值)
nginx.vmware.xx. IN A 1.1.1.1
vmware.xx. IN NS ns01.vmware.xx.
ns01.vmware.xx. IN A 1.1.1.2
mail01.vmware.xx. IN A 1.1.1.1
资源记录类型:
SOA(Start Of Authority):起始授權記錄
ZONE NAME TTL IN SOA FQDN ADMINISTRATOR_MAILBOX(
serial number
refresh
retry
expire
negative answer TTL)
nginx.com. 600 IN SOA ns1.vmware.xx. admin.vmware.xx.(
2015010501
1H
5M
1W
1D)
時間單位:M(分鐘)、H(小時)、D(天)、W(週),默認為秒
MX(Mail eXchange):ZONE NAME -----> FQDN
vmware.xx. IN MX 10 mail01.vmware.xx.
需要加优先级(0-99),数字越小级别越高,针对邮件服务器
NS(name Server) :DOMAIN NAME----->FQDN
A(address):FQDN---->IP
AAAA :FQDN---->ipv6
PTR(pointer)反向:IP----->FQDN
1.1.1.1 IN PTR nginx.vmware.xx.
CNAME(Canonical Name):FQDN--->FQDN 別名記錄
www2.vmware.xx. IN CNAME www.vmware.xx.
查詢類型:
正向區域文件
vmware.xx. IN SOA
反向區域文件
0.168.192.in-addr.arpa. IN SOA
1.168.192.in-addr.arpa. IN PTR www.vmware.xx.
2 IN PTR nginx.vmware.xx.
區域傳送:
完全區域傳送(第一次複製數據)axfr
增量區域傳送 ixfr
區域類型:
主區域:master
從區域:slave
提示區域:hint
轉發區域:forward
bind:
/etc/named.conf
BIND進程的工作屬性
/etc/rndc.key
rndc:Remote Name Daemon Control
密鑰文件
配置信息:
/etc/rndc.conf
/var/named/
區域數據文件
/etc/rc.d/init.d/named
{start|stop|restart|status|reload|configtest}
yum info caching-nameserver
安裝後可以使其成為緩存服務器
DNS監聽的端口
53/udp
53/tcp 區域傳送(從服務器從主服務器複製數據)時使用
953/tcp rndc
// Stock loopback zones: the forward "localhost" zone and the reverse zone
// for 127.0.0.x, each served from the file named below (relative to the
// options { directory } setting).
zone "localhost" IN {
type master;
file "named.localhost";
};
// in-addr.arpa names list the octets in reverse, so 0.0.127 covers 127.0.0.x.
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
啟動時使用
rndc-confgen -r /dev/urandom > /etc/rndc.conf
rndc-confgen -r /dev/urandom -a
手動生成rndc.key
dig > named.root
dig -t RT NAME @DNSSERVER
dig -t NS(A,NS,MX,PTR) vmware.xx
dig -x IP 反向查詢
dig +recurse +trace -t A vmware.xx @10.207.237.110
dig -t axfr vmware.xx 完全区域传送
dig -t ixfr vmware.xx 增量区域传送
nslookup>
server IP 設定DNS服務器
set q=RT(資源記錄類型)
NAME
named.conf
directory "/var/named"
recursion yes; 開啟递归查询; 若不加限制,外部用户也可以通过本服务器递归查询(开放递归);
allow-recursion { 10.207.237.0/24; }; 只允许10.207.237.0/24网段的用户递归
allow-query { any; };允许那些用户进行查询;
allow-transfer { 10.207.237.112; }; 只允许10.207.237.112进行区域传送,写在zone区域中
allow-transfer { none; }; 不允许区域传送;
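// Root hints: where the server finds the root name servers when it has to
// resolve names it is not authoritative for.
zone "." IN {
type hint;
file "named.ca";
};
// Loopback zones are never transferred to anyone.
// Fixed: the original read `all-transfer`, which is not a named.conf option
// (named-checkconf reports it as unknown); the option is `allow-transfer`.
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
// Authoritative forward zone; AXFR/IXFR only to the single listed host.
// NOTE(review): in the china_zz zone file further down this page
// 10.207.237.110 is ns01 (this primary) and ns02, the secondary, is
// 10.207.237.111 — confirm which host is meant to pull transfers.
zone "vmware.xx" IN {
type master;
file "vmware.xx.zone";
allow-transfer { 10.207.237.110; };
};
// Matching reverse zone for 10.207.237.0/24.
zone "237.207.10.in-addr.arpa" IN {
type master;
file "237.207.10.zone";
allow-transfer { 10.207.237.110; };
};
// Named address lists, reusable in match-clients / allow-* options.
acl china_zz {
10.207.237.0/24;
};
acl china_cd {
10.244.0.0/16;
};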
DNS视图(view)配置文档
named.conf
// Global server options. listen-on { any; } binds every IPv4 address; IPv6
// service is limited to loopback (::1).
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// NOTE(review): allow-query { any; } plus recursion yes, with no
// allow-recursion and a final view that matches any client, means every host
// that can reach port 53 gets recursive service (an open resolver). Restrict
// recursion to the internal ACLs (china_zz / china_cd) unless the server is
// only reachable from those networks.
allow-query { any; };
recursion yes;
// Send NOTIFY to the zone's NS hosts when a zone changes.
notify yes;
};
// Two log channels, each rotated at 10 MB keeping a few old versions:
// client queries, and outbound zone transfers.
logging {
channel query_log {
file "/var/log/named/query_log.log" versions 3 size 10M;
print-time yes;
print-severity yes;
print-category yes;
severity dynamic;
};
channel axfr_log {
file "/var/log/named/transfer_log.log" versions 5 size 10M;
print-time yes;
print-severity yes;
print-category yes;
severity dynamic;
};
category queries { query_log; };
// xfer-out records which client pulled which zone — the place to look for
// unexpected AXFR/IXFR activity.
category xfer-out { axfr_log; };
};
// Client ACLs consumed by the views below.
acl china_zz {
10.207.237.0/24;
};
acl china_cd {
10.244.0.0/16;
};
// Views are matched in order: a client is served by the first view whose
// match-clients matches it, so the catch-all "any" view must stay last.
view china_zz{
match-clients { china_zz; };
zone "vmware.xx" IN {
type master;
file "china_zz.vmware.xx.zone";
// NOTE(review): { any; } lets every host in 10.207.237.0/24 pull the whole
// zone by AXFR; the other views restrict transfers to 10.207.237.111.
allow-transfer { any; };
};
// NOTE(review): this zone is "207.10.in-addr.arpa" (10.207.0.0/16), but the
// reverse file shown later on this page (237.207.10.zone) uses single-octet
// owner names such as 113, which only map to 10.207.237.113 under a
// 237.207.10.in-addr.arpa zone. Confirm the zone name / file pairing.
zone "207.10.in-addr.arpa" IN {
type master;
file "237.10.zone";
allow-transfer { 10.207.237.111; };
};
};
view china_cd{
match-clients { china_cd; };
zone "vmware.xx" IN {
type master;
file "china_cd.vmware.xx.zone";
allow-transfer { 10.207.237.111; };
};
// Reverse zone for 10.244.0.0/16; owner names in 244.10.zone need two
// octets (e.g. 235.235 for 10.244.235.235). That file is not on this page.
zone "244.10.in-addr.arpa" IN {
type master;
file "244.10.zone";
allow-transfer { 10.207.237.111; };
};
};
// Catch-all view for clients outside both ACLs. The root hints and loopback
// zones are defined only here; each view has its own zone set, so the two
// internal views presumably rely on BIND's built-in root hints — confirm.
view any{
match-clients { any; };
zone "vmware.xx" IN {
type master;
file "other.vmware.xx.zone";
allow-transfer { 10.207.237.111; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
};
// In named.conf a leading '#' starts a comment, so this include is inactive.
// That is required here: once view statements are used every zone must be
// inside a view, and a top-level include of zone definitions would make the
// configuration fail to load. Include the file inside a view if it is wanted.
#include "/etc/named.rfc1912.zones";
china_zz.vmware.xx.zone
; Zone file served to the china_zz view for vmware.xx. $ORIGIN comes from
; the zone statement in named.conf, so @ = vmware.xx.
; NOTE(review): records without an owner (the NS and MX lines) inherit the
; previous owner only when the line starts with whitespace; as copied here
; they sit at column 0, where "NS" would be read as an owner name. The
; indentation was presumably lost in this copy — confirm against the file.
$TTL 600
@ IN SOA ns01.vmware.xx. admin.vmware.xx. (
2015010701 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
; Two authoritative servers; their A records below provide the glue.
NS ns01.vmware.xx.
NS ns02.vmware.xx.
; Mail for vmware.xx is delivered to mail.vmware.xx. (preference 10).
MX 10 mail.vmware.xx.
mail A 10.207.237.113
ns02 A 10.207.237.111
ns01 A 10.207.237.110
; www has two A records, so clients receive both addresses.
www A 10.207.237.112
www A 10.207.237.109
china_cd.vmware.xx.zone
; Zone file served to the china_cd view for vmware.xx (@ = vmware.xx.).
; Same SOA/NS/MX data as the china_zz copy; only the www addresses differ,
; pointing clients in 10.244.0.0/16 at servers inside their own network.
; NOTE(review): the owner-less NS and MX lines need leading whitespace to
; inherit @ — presumably lost in this copy, confirm against the file.
$TTL 600
@ IN SOA ns01.vmware.xx. admin.vmware.xx. (
2015010701 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns01.vmware.xx.
NS ns02.vmware.xx.
MX 10 mail.vmware.xx.
mail A 10.207.237.113
ns01 A 10.207.237.110
ns02 A 10.207.237.111
; Two A records for www: both addresses are returned to the client.
www A 10.244.235.235
www A 10.244.235.236
237.207.10.zone
; Reverse zone file for 10.207.237.0/24; owner names are the last octet only,
; which is correct when the zone is named 237.207.10.in-addr.arpa (as in the
; non-view named.conf on this page).
; NOTE(review): the view-based named.conf instead names the zone
; "207.10.in-addr.arpa" with file "237.10.zone"; under that origin "113"
; would mean 10.207.113.x, not 10.207.237.113 — confirm which pairing is live.
; The owner-less NS lines need leading whitespace to inherit @.
$TTL 600
@ IN SOA ns01.vmware.xx. admin.vmware.xx. (
2015010701 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns01.vmware.xx.
NS ns02.vmware.xx.
; PTR targets match the A records in china_zz.vmware.xx.zone.
113 PTR mail.vmware.xx.
111 PTR ns02.vmware.xx.
110 PTR ns01.vmware.xx.
112 PTR www.vmware.xx.
109 PTR www.vmware.xx.
主从区域传送时,必须在区域文件中指明辅助DNS的NS记录,才可以进行区域传送,如上所示;
rndc 远程管理DNS服务器
子域授权
SUB_ZONE_NAME IN NS NSSERVER_SUB_ZONE_NAME
NSSERVER_SUB_ZONE_NAME IN A IP
DNS 视图定义;
view china_zz {
match-clients { china_zz; };
zone "vmware.xx" IN {
type master;
file "china_zz.vmware.xx.zone";
allow-transfer
};
};
linux bind DNS配置: 以下为所有配置文件
named.conf
// Global options for a BIND install rooted under /usr/local/named
// (presumably built from source — paths differ from the packaged layout).
options {
listen-on port 53 { any; };
directory "/usr/local/named/etc";
pid-file "/usr/local/named/var/run/named.pid";
dump-file "/usr/local/named/data/cache_dump.db";
statistics-file "/usr/local/named/data/named_stats.txt";
memstatistics-file "/usr/local/named/data/named_mem_stats.txt";
// Queries this server is not authoritative for go to this upstream resolver.
forwarders { 10.207.238.100; };
// NOTE(review): allow-query { any; } with recursion yes and no
// allow-recursion makes this a forwarding open resolver for every client
// that can reach port 53. Add allow-recursion { <internal nets>; } (the
// earlier notes on this page show the syntax) or tighten allow-query.
allow-query { any; };
recursion yes;
notify yes;
};
// Query log and outbound-transfer log, each rotated at 10 MB.
logging {
channel query_log {
file "/var/log/named/query_log.log" versions 3 size 10M;
print-time yes;
print-severity yes;
print-category yes;
severity dynamic;
};
channel axfr_log {
file "/var/log/named/transfer_log.log" versions 5 size 10M;
print-time yes;
print-severity yes;
print-category yes;
severity dynamic;
};
category queries { query_log; };
category xfer-out { axfr_log; };
};
// Root hints, captured with dig (see the named.root listing below).
zone "." IN {
type hint;
file "named.root";
};
// Loopback zones; never transferred.
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
// Authoritative zones; transfers only to 10.207.237.200.
// NOTE(review): vmware.xx.zone on this page lists only ns01 as NS, so
// 10.207.237.200 gets no NOTIFY for this zone unless it is added as an NS
// record or via also-notify — it will only pick up changes at refresh time.
zone "vmware.xx" IN {
type master;
file "vmware.xx.zone";
allow-transfer { 10.207.237.200; };
};
// Zone served from a database instead of a file (a "database" clause,
// presumably the DLZ MySQL driver — confirm). The argument string contains
// what appears to be the MySQL user "root" and its password in cleartext
// inside named.conf: use a dedicated read-only DB account, keep this file
// readable only by the named user, and rotate the password now that it has
// been copied into these notes.
zone "vmware.zz" {
type master;
database "mysqldb vmware sc 127.0.0.1 root cisco1989";
allow-transfer { 10.207.237.200; };
};
// Reverse zones for 10.207.237.0/24 and 10.207.238.0/24.
zone "237.207.10.in-addr.arpa" IN {
type master;
file "10.207.237.zone";
allow-transfer { 10.207.237.200; };
};
zone "238.207.10.in-addr.arpa" IN {
type master;
file "10.207.238.zone";
allow-transfer { 10.207.237.200; };
};
// Shared secret rndc uses to authenticate to the control channel.
// NOTE(review): this secret is now published in these notes and must be
// regenerated (rndc-confgen -a, as shown earlier on this page). hmac-md5 is
// the legacy choice; prefer hmac-sha256 where the BIND version supports it.
key "rndc-key" {
algorithm hmac-md5;
secret "PESyIEZ6P7LE6D1v0MFQBA==";
};
// rndc control channel: loopback only, port 953, key required — this keeps
// remote management off the network even though port 53 listens on any.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
named.localhost 本地正向解析
; Forward zone for "localhost". rname.invalid. is a placeholder SOA contact
; and serial 0 is fine for a zone that is never transferred.
; NOTE(review): the NS/A/AAAA lines need leading whitespace to inherit the
; owner @ — presumably lost in this copy, confirm against the file.
$TTL 1D
@ IN SOA @ rname.invalid. (
0; serial
1D; refresh
1H; retry
1W; expire
3H ); minimum
NS @
A 127.0.0.1
AAAA ::1
named.loopback 本地反向解析
; Reverse zone for 127.0.0.x (@ = 0.0.127.in-addr.arpa.). The A/AAAA records
; are unusual in a reverse zone but harmless; as written the PTR is at the
; zone apex rather than at 1.0.0.127 — presumably the stock distribution
; file, confirm. Owner-less lines need leading whitespace to inherit @.
$TTL 1D
@ IN SOA @ rname.invalid. (
0; serial
1D; refresh
1H; retry
1W; expire
3H ); minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.
named.root 顶级域解析
; Root hints file (named.root) captured with `dig` from a recursive resolver
; (flags rd ra, SERVER 10.191.131.131) rather than from a root server, so the
; TTLs are cache remainders. Lines starting with ';' are comments; named only
; reads the NS and A/AAAA records below.
; NOTE(review): e and g root servers appear without AAAA glue in this capture,
; and root server addresses change over time (this is from 2015) — refresh the
; hints from an authoritative source rather than a cache.
; <<>> DiG 9.9.7 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56849
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 25
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 11055 IN NS k.root-servers.net.
. 11055 IN NS i.root-servers.net.
. 11055 IN NS c.root-servers.net.
. 11055 IN NS e.root-servers.net.
. 11055 IN NS a.root-servers.net.
. 11055 IN NS m.root-servers.net.
. 11055 IN NS g.root-servers.net.
. 11055 IN NS d.root-servers.net.
. 11055 IN NS f.root-servers.net.
. 11055 IN NS h.root-servers.net.
. 11055 IN NS j.root-servers.net.
. 11055 IN NS l.root-servers.net.
. 11055 IN NS b.root-servers.net.
;; ADDITIONAL SECTION:
k.root-servers.net. 8316 IN A 193.0.14.129
k.root-servers.net. 8978 IN AAAA 2001:7fd::1
i.root-servers.net. 8323 IN A 192.36.148.17
i.root-servers.net. 8244 IN AAAA 2001:7fe::53
c.root-servers.net. 8153 IN A 192.33.4.12
c.root-servers.net. 8422 IN AAAA 2001:500:2::c
e.root-servers.net. 8253 IN A 192.203.230.10
a.root-servers.net. 14310 IN A 198.41.0.4
a.root-servers.net. 8316 IN AAAA 2001:503:ba3e::2:30
m.root-servers.net. 8323 IN A 202.12.27.33
m.root-servers.net. 9520 IN AAAA 2001:dc3::35
g.root-servers.net. 8253 IN A 192.112.36.4
d.root-servers.net. 8253 IN A 199.7.91.13
d.root-servers.net. 8258 IN AAAA 2001:500:2d::d
f.root-servers.net. 8253 IN A 192.5.5.241
f.root-servers.net. 8275 IN AAAA 2001:500:2f::f
h.root-servers.net. 8323 IN A 128.63.2.53
h.root-servers.net. 8623 IN AAAA 2001:500:1::803f:235
j.root-servers.net. 8323 IN A 192.58.128.30
j.root-servers.net. 8518 IN AAAA 2001:503:c27::2:30
l.root-servers.net. 8279 IN A 199.7.83.42
l.root-servers.net. 8244 IN AAAA 2001:500:3::42
b.root-servers.net. 8151 IN A 192.228.79.201
b.root-servers.net. 8153 IN AAAA 2001:500:84::b
;; Query time: 34 msec
;; SERVER: 10.191.131.131#53(10.191.131.131)
;; WHEN: Thu Apr 02 13:52:18 CST 2015
;; MSG SIZE rcvd: 768
rndc.conf
# rndc client configuration: the key, server and port rndc uses by default.
# The key must match the key/controls statements in named.conf (shown above
# on this page).
# NOTE(review): the secret below is now exposed in these notes — regenerate
# it with rndc-confgen -a and keep this file readable only by root.
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "PESyIEZ6P7LE6D1v0MFQBA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# The block below is rndc-confgen's suggested named.conf snippet; it is
# commented out here and already present in named.conf.
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "PESyIEZ6P7LE6D1v0MFQBA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of rndc.conf
vmware.xx.zone 正向解析
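; Forward zone for vmware.xx (file vmware.xx.zone, referenced from named.conf;
; @ = vmware.xx.).
; Fixed: `CNAM` -> `CNAME` (an unknown record type makes the zone fail to
; load) and the SOA contact typo `jason.cahng` -> `jason.chang`, matching the
; two reverse zones on this page. Owner-less records are indented so they
; inherit the owner of the previous record (@).
; NOTE(review): in an SOA contact the first dot stands for '@', so
; jason.chang.vmware.xx. encodes jason@chang.vmware.xx; if the mailbox is
; jason.chang@vmware.xx the dot must be escaped: jason\.chang.vmware.xx.
$TTL 600
@ IN SOA ns01.vmware.xx. jason.chang.vmware.xx. (
        2015040201; serial
        1D; refresh
        1H; retry
        1W; expire
        3H ); minimum
        NS ns01.vmware.xx.
        MX 10 mail.vmware.xx.
; Apex A record: vmware.xx itself resolves to the name server's address.
        A 10.207.237.122
mail A 10.207.238.199
nessus01 A 10.207.238.93
nessus02 A 10.207.238.94
nessus03 A 10.207.238.95
nessus04 A 10.207.238.96
; NOTE(review): no record named Email exists in this zone, so this alias
; currently dangles — confirm where Email.vmware.xx is defined.
symantec CNAME Email.vmware.xx.
ns01 A 10.207.237.122
ubuntu A 10.207.237.124
rd A 10.207.237.123
nessus A 10.207.237.121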
10.207.237.zone 反向解析配置
; Reverse zone for 10.207.237.0/24 (named.conf: zone "237.207.10.in-addr.arpa",
; file "10.207.237.zone"); owner names are the last octet only.
; The PTR targets match the A records in vmware.xx.zone above.
; NOTE(review): the NS line needs leading whitespace to inherit @ —
; presumably lost in this copy, confirm against the file.
$TTL 600
@ IN SOA ns01.vmware.xx. jason.chang.vmware.xx. (
2015040201; serial
1D; refresh
1H; retry
1W; expire
3H ); minimum
NS ns01.vmware.xx.
122 PTR ns01.vmware.xx.
124 PTR ubuntu.vmware.xx.
123 PTR rd.vmware.xx.
121 PTR nessus.vmware.xx.
10.207.238.zone 反向解析文件
; Reverse zone for 10.207.238.0/24 (named.conf: zone "238.207.10.in-addr.arpa",
; file "10.207.238.zone").
; NOTE(review): "122 PTR ns01.vmware.xx." maps 10.207.238.122 to ns01, but
; ns01's A record in vmware.xx.zone is 10.207.237.122 — this line looks
; copied from the 237 zone. mail.vmware.xx (10.207.238.199) has no PTR here.
; The NS line needs leading whitespace to inherit @ — presumably lost in copy.
$TTL 600
@ IN SOA ns01.vmware.xx. jason.chang.vmware.xx. (
2015040201; serial
1D; refresh
1H; retry
1W; expire
3H ); minimum
NS ns01.vmware.xx.
122 PTR ns01.vmware.xx.
; nessus01..04 match the A records in vmware.xx.zone.
93 PTR nessus01.vmware.xx.
94 PTR nessus02.vmware.xx.
95 PTR nessus03.vmware.xx.
96 PTR nessus04.vmware.xx.