配置文件
DNS的配置文件主要分为三种,/etc/named.conf、/etc/named.rfc1912.zones、/var/named/区域数据文件。
在主配置文件/etc/named.conf中包含了许多设置参数,/etc/named.rfc1912.zones包含了需要被解析的域名等配置,区域数据文件包含了域名解析的一些参数和数据。
在/etc/named.conf中能找到 include "/etc/named.rfc1912.zones"; 语句,说明/etc/named.conf包含了/etc/named.rfc1912.zones的配置。
执行named-checkconf对主配置文件named.conf进行语法检查,如果文件中没有语法错误,则命令将不给任何提示;反之,则会给出相应的提示。加-z参数可以尝试加载主配置文件中对应的区域数据库文件,并检查该文件是否存在问题。
主配置文件:/etc/named.conf
options {
listen-on port 53 { 192.168.218.4; }; # 监听地址和端口,为any时监听主机所有网卡
directory "/var/named"; # 区域数据文件的默认存放位置
allow-query { any; }; # 允许使用本DNS服务的网段
};
zone "." IN {
type hint;
file "named.ca"; #记录了根服务器的IP地址
};
include "/etc/named.rfc1912.zones"; # 区域配置文件
include "/etc/named.root.key";
其他的区域配置文件将结合下面的配置实例来解析。
正向和反向解析配置
正向解析:域名–>IP地址,大多数使用
反向解析:IP地址–>域名,一般仅在测试维护中使用
区域配置
服务器的/etc/named.rfc1912.zones文件(下面的区域未写allow-transfer,许多BIND版本此时默认允许任意地址进行区域传送,生产环境应按后文主从一节用allow-transfer加以限制)
# 添加正向解析区域
zone "dnstest.com" IN {
type master;
# 指定区域数据文件
file "dnstest.com.zone";
allow-update { none; };
};
# 添加反向解析区域,网段为10.0.0.0/24
zone "0.0.10.in-addr.arpa" IN {
type master;
# 指定区域数据文件
file "dnstest.com.arpa";
allow-update { none; };
};
区域数据文件配置
正向解析
服务器的/var/named/dnstest.com.zone文件
# 以named.localhost区域文件为模板,-p参数保留原文件权限
[root@localhost ~]# cp -p /var/named/named.localhost /var/named/dnstest.com.zone
# 做修改
$TTL 1D ; 有效解析记录的生存周期(区域数据文件中的注释以“;”开头,“#”会导致named-checkzone报错)
@ IN SOA @ admin.dnstest.com. ( ; SOA标记、域名、管理邮箱
0 ; serial # 更新序列号,可以是10以内整数
1D ; refresh # 刷新时间
1H ; retry # 重试延迟,下载失败后的重试间隔
1W ; expire # 失效时间,超过该时间则不再重试下载
3H ) ; minimum # 无效解析记录的生存周期
@ IN NS abc.dnstest.com.
IN NS def.dnstest.com.
abc IN A 10.0.0.1 ; abc.dnstest.com.-->10.0.0.1
def IN A 10.0.0.2
www IN A 10.0.0.3
ftp IN CNAME www ; ftp.dnstest.com. = www.dnstest.com.
反向解析
服务器的/var/named/dnstest.com.arpa文件
[root@localhost ~]# cp -p /var/named/dnstest.com.zone /var/named/dnstest.com.arpa
$TTL 1D
@ IN SOA @ admin.dnstest.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS abc.dnstest.com.
IN NS def.dnstest.com.
1 IN PTR abc.dnstest.com. ; abc.dnstest.com. --> 10.0.0.1
2 IN PTR def.dnstest.com.
3 IN PTR www.dnstest.com.
验证
使用nslookup命令,向主机的DNS服务器请求解析,这里的测试机IP地址为192.168.218.5。
正向解析
[root@localhost named]# nslookup abc.dnstest.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Name: abc.dnstest.com
Address: 10.0.0.1
[root@localhost named]# nslookup def.dnstest.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Name: def.dnstest.com
Address: 10.0.0.2
[root@localhost named]# nslookup www.dnstest.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Name: www.dnstest.com
Address: 10.0.0.3
反向解析
[root@localhost named]# nslookup 10.0.0.1
Server: 192.168.218.4
Address: 192.168.218.4#53
1.0.0.10.in-addr.arpa name = abc.dnstest.com.
[root@localhost named]# nslookup 10.0.0.2
Server: 192.168.218.4
Address: 192.168.218.4#53
2.0.0.10.in-addr.arpa name = def.dnstest.com.
[root@localhost named]# nslookup 10.0.0.3
Server: 192.168.218.4
Address: 192.168.218.4#53
3.0.0.10.in-addr.arpa name = www.dnstest.com.
构建主从DNS服务器
主域名服务器通常架设在外网环境中,提供某些域的主机名与IP地址的查询服务;
从服务器可以分担主服务器的负担,提供区域数据的备份。
主配置文件配置
主DNS服务器
# /etc/named.rfc1912.zones
zone "dnstest.com" IN {
# 类型为master
type master;
file "dnstest.com.zone";
allow-update { none; };
# 只允许以下地址(从服务器)进行区域传送(AXFR),未列出的地址无法下载整个区域数据
allow-transfer { 192.168.218.5; };
};
zone "0.0.10.in-addr.arpa" IN {
type master;
file "dnstest.com.arpa";
allow-update { none; };
allow-transfer { 192.168.218.5; };
};
从DNS服务器
# /etc/named.rfc1912.zones
zone "dnstest.com" IN {
# 类型为slave
type slave;
file "slaves/dnstest.com.zone";
# 指定master,从master下载区域数据
masters { 192.168.218.4; };
};
zone "0.0.10.in-addr.arpa" IN {
type slave;
file "slaves/dnstest.com.arpa";
masters { 192.168.218.4; };
};
区域数据配置文件
主DNS的/var/named/dnstest.com.zone文件
$TTL 1D
@ IN SOA @ admin.dnstest1.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dnstest1.com.
IN A 20.0.0.1
www IN A 20.0.0.2
ftp IN CNAME www
配置完成后主从DNS都重启服务(此后每次修改主服务器的区域数据文件都要增大serial,否则从服务器不会同步更新)
[root@localhost ~]# systemctl restart named
查看同步文件
[root@localhost ~]# ls /var/named/slaves/
dnstest.com.arpa dnstest.com.zone
构建缓存DNS服务器
通常架设在局域网内,主要目的是提高域名解析的速度,减少对互联网访问的出口流量。
当局域网向该DNS发起解析请求时,该DNS会先查本地缓存数据,如查不到则会向其他DNS服务器去请求解析,再将结果返回给局域网。由于开启了recursion yes,allow-query或allow-recursion应只开放给局域网网段,若对any开放递归,该服务器就会成为可被外部滥用的开放解析器(open resolver)。
主配置文件
options {
listen-on port 53 { 192.168.218.4; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db"; # 设置域名缓存数据库文件位置
statistics-file "/var/named/data/named_stats.txt"; # 设置状态统计文件位置
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
query-source port 53; # 固定查询源端口会使BIND失去源端口随机化保护,更容易被缓存投毒;实际部署中应删除此行,让BIND使用随机源端口
recursion yes;
dnssec-enable yes; # 较新版本的BIND已弃用该选项,保留dnssec-validation即可
dnssec-validation yes;
/* Path to ISC DLV key(ISC DLV服务已停止运行,较新版本的BIND不再需要此项)*/
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
# 设置向外网DNS请求
forwarders { 223.5.5.5;223.6.6.6; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
# 用于向根服务器进行迭代查询
# 为了提高效率,可用forwarders向ISP的DNS服务器进行转发查询请求
#zone "." IN {
# type hint;
# file "named.ca";
#};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
验证
# 把测试机的DNS服务器设为192.168.218.4
[root@localhost ~]# nslookup www.baidu.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 183.232.231.174
Name: www.a.shifen.com
Address: 183.232.231.172
构建分离解析DNS
该模式主要应用在内网和外网对同一个域名解析成不同的IP地址,如图,内网只需将域名解析为内网的web server地址即可,而外网则需要解析成外网地址。
主配置文件
# 可将原配置文件进行备份后创建一个新的配置文件
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
};
# 内网
view "lan" {
# 匹配的clients网段
match-clients { 192.168.218.0/24; };
zone "testdns.com" IN {
type master;
file "/var/named/testdns.com.lan";
};
zone "." IN {
type hint;
file "/var/named/named.ca";
};
};
# 外网
view "wan" {
# 匹配的clients网段(view按书写顺序匹配,不属于任何view的客户端会被拒绝应答;实际部署时通常把外网view的match-clients设为any并放在最后)
match-clients { 100.0.0.0/24; };
zone "testdns.com" IN {
type master;
file "/var/named/testdns.com.wan";
};
};
区域数据文件
内网/var/named/testdns.com.lan文件
$TTL 1D
@ IN SOA testdns.com. admin.testdns.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS testdns.com.
IN A 192.168.218.88
www IN A 192.168.218.88
ftp IN A 192.168.218.99
外网/var/named/testdns.com.wan文件
$TTL 1D
@ IN SOA testdns.com. admin.testdns.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS testdns.com.
IN A 100.0.0.1
www IN A 100.0.0.1
ftp IN A 100.0.0.2
验证
内网
[root@localhost ~]# nslookup www.testdns.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Name: www.testdns.com
Address: 192.168.218.88
[root@localhost ~]# nslookup ftp.testdns.com
Server: 192.168.218.4
Address: 192.168.218.4#53
Name: ftp.testdns.com
Address: 192.168.218.99
外网
[root@localhost ~]# nslookup www.testdns.com
Server: 100.0.0.1
Address: 100.0.0.1#53
Name: www.testdns.com
Address: 100.0.0.1
[root@localhost ~]# nslookup ftp.testdns.com
Server: 100.0.0.1
Address: 100.0.0.1#53
Name: ftp.testdns.com
Address: 100.0.0.2