Linux services: DNS name resolution

1 DNS overview

(figure)

Example: (figure)

Domain name levels: (figure)

2 The DNS resolution process

(1) The client accesses a domain name.

(2) The local hosts file is checked.

(3) The local DNS cache is checked.

(4) The DNS server address configured on the network interface is looked up, and that DNS server is asked to resolve the name.

(5) If the local DNS server does not have the name, it performs iterative queries against the root servers, the top-level domain servers and the second-level domain servers.

(6) The DNS server finally finds the resolution record for the name, returns it to the client, and also keeps the record itself so that later requests from other clients can be answered from it.

Note: steps (1) to (4) can be regarded as the recursive query, i.e. the part of the process between the client and its DNS server.

As shown in the figure below: (figure)

3 Distributed DNS servers

When one task is completed by different steps working together, the process is called distributed. (Think of a production line in a workshop: the line consists of many steps, and the division of work between those steps is what "distributed" means.)

  • The root domain holds the IP addresses of all top-level domain servers
  • The top-level domains hold the IP addresses of all second-level domain servers
  • The second-level domain knows the IP addresses of all third-level names; there are no third-level domain servers, and from here on they are all referred to simply as DNS servers
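As an added illustration of sections 2 and 3 (not code from the original post), this Python model walks the client's lookup order and the DNS server's iterative root -> TLD -> second-level query, with the server's cache answering later clients; the server names, addresses and zone data are constructed.

```python
# Added example (not from the original post): a toy model of the client's
# lookup order from section 2 and of the iterative root -> TLD -> second-
# level walk from section 3.  Server names, addresses and zone data are
# constructed for illustration only.

# Each "server" either knows the answer for a name or refers the resolver
# to the server one level down (root knows .com, .com knows atguigu.com).
SERVERS = {
    "root":       {"referral": {"com.": "tld-com"}},
    "tld-com":    {"referral": {"atguigu.com.": "ns-atguigu"}},
    "ns-atguigu": {"answer": {"www.atguigu.com.": "192.168.0.154"}},
}

class LocalDnsServer:
    """The DNS server configured on the client's NIC: answers from its own
    cache if it can, otherwise walks the hierarchy iteratively (step 5)
    and caches the result for later clients (step 6)."""
    def __init__(self):
        self.cache = {}

    def query(self, name):
        """Return (address or None, list of servers consulted)."""
        if name in self.cache:
            return self.cache[name], ["cache"]
        path, server = [], "root"
        while True:
            path.append(server)
            data = SERVERS[server]
            if name in data.get("answer", {}):
                self.cache[name] = data["answer"][name]
                return self.cache[name], path
            # follow the referral for the longest matching suffix, if any
            zones = [z for z in data.get("referral", {}) if name.endswith(z)]
            if not zones:
                return None, path
            server = data["referral"][max(zones, key=len)]

def client_lookup(name, hosts, local_cache, dns):
    """Steps 1-4 on the client: hosts file, then the host's own cache,
    then the DNS server; returns (address, where it came from)."""
    if name in hosts:
        return hosts[name], "hosts"
    if name in local_cache:
        return local_cache[name], "local cache"
    addr, path = dns.query(name)
    if addr is not None:
        local_cache[name] = addr
    return addr, "dns:" + ">".join(path)
```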

4 DNS software

4.1 DNS software information

(figure)

(1) Main configuration file (/etc/named.conf)

[root@]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

The main items to modify are as follows: (figure)

(2) Zone configuration file (/etc/named.rfc1912.zones)

[root@]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

The main places to modify are as follows: (figure)

In the places modified above, change the value of the file directive to suit your needs (for example xiaomi.localhost or xiaomi.loopback); the other zones that are not needed can be removed.

(3) Zone data files

[root@]# ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
[root@]# pwd
/var/named

  • Forward lookup zone data file: **.localhost
  • Reverse lookup zone data file: **.loopback

[root@]# cat named.localhost 
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
[root@]# cat named.loopback 
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.

The fields above are explained as follows:

  • $TTL: default time to live for the records in this zone (1D = one day)
  • SOA (start of authority): the primary name server for the zone (@ here, i.e. the zone itself), the administrator mailbox (rname.invalid., where the first dot stands for @), and the timers: serial (version number of the zone; slaves only transfer it when the number increases), refresh (how often a slave checks the master), retry (how long a slave waits after a failed check), expire (how long a slave keeps serving the zone without reaching the master), minimum (negative-caching TTL)

Record types:

  • NS: name server for the zone
  • A: IPv4 address
  • AAAA: IPv6 address
  • PTR: reverse mapping from an address back to a name

4.2 Basic DNS experiment

Experiment model: (figure)

The experiment procedure is as follows: (figure)

/etc/named.conf configuration file:

[root@vm3 ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/etc/named.rfc1912.zones configuration file:

[root@vm3 ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// forward lookup zone
zone "atguigu.com" IN {
        type master;
        file "atguigu.localhost";
        allow-update { 192.168.0.154; };  // fill in the slave DNS server's IP here; leave it out if there is no slave server
};

// reverse lookup zone
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "atguigu.loopback";
        allow-update { 192.168.0.154; };  // fill in the slave DNS server's IP here; leave it out if there is no slave server
};

/var/named/atguigu.localhost, the forward lookup zone file:

[root@vm3 named]# cat atguigu.localhost
$TTL 1D
@       IN SOA  atguigu.com. rname.invalid. (
                                        20210325        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.atguigu.com.
dns     A       192.168.0.152
www     A       192.168.0.154

/var/named/atguigu.loopback, the reverse lookup zone file:

[root@vm3 named]# cat atguigu.loopback
$TTL 1D
@       IN SOA  atguigu.com. rname.invalid. (
                                        20210325        ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.atguigu.com.
152     PTR     dns.atguigu.com.
154     PTR     www.atguigu.com.
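As an added example (not code from the original post), the Python below parses the forward and reverse zone files shown in 4.1 and 4.2 (the zone texts are copied inline) and checks that every A record has a matching PTR and vice versa, the mismatch that most often breaks reverse lookups after an address change.

```python
import re

# Added example (not from the original post): a small parser for the zone
# files shown in 4.1 and 4.2, plus a check that A and PTR records agree.
# It handles only what appears on this page: $TTL, a parenthesised SOA, NS/A/AAAA/PTR.
FORWARD_ZONE = """$TTL 1D
@       IN SOA  atguigu.com. rname.invalid. ( 20210325 ; serial
                1D 1H 1W 3H )                           ; refresh retry expire minimum
        NS      dns.atguigu.com.
dns     A       192.168.0.152
www     A       192.168.0.154
"""
REVERSE_ZONE = """$TTL 1D
@       IN SOA  atguigu.com. rname.invalid. ( 20210325 1D 1H 1W 3H )
        NS      dns.atguigu.com.
152     PTR     dns.atguigu.com.
154     PTR     www.atguigu.com.
"""
SOA_FIELDS = ["mname", "rname", "serial", "refresh", "retry", "expire", "minimum"]

def parse_zone(text, origin):
    """Return (soa dict, records); records are (fqdn owner, type, rdata)."""
    # fold a parenthesised SOA onto one line, dropping ';' comments inside it
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(
        part.split(";")[0] for part in m.group(1).splitlines()), text)
    soa, records, owner = None, [], origin
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()
        if not line or line.startswith("$"):
            continue
        toks = line.split()
        if not line[0].isspace():           # explicit owner, else reuse the last one
            owner, toks = toks[0], toks[1:]
            owner = origin if owner == "@" else (
                owner if owner.endswith(".") else f"{owner}.{origin}")
        toks = toks[1:] if toks[0] == "IN" else toks
        if toks[0] == "SOA":
            soa = dict(zip(SOA_FIELDS, toks[1:]))
        else:
            records.append((owner, toks[0], toks[1]))
    return soa, records

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."  # 192.168.0.152 -> 152.0.168.192.in-addr.arpa.

def check_forward_reverse(fwd_records, rev_records):
    a = {(reverse_name(rd), owner) for owner, t, rd in fwd_records if t == "A"}
    ptr = {(owner, rd) for owner, t, rd in rev_records if t == "PTR"}
    return ([f"no PTR for {h} ({r})" for r, h in sorted(a - ptr)] +
            [f"PTR {r} -> {h} has no A record" for r, h in sorted(ptr - a)])
```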

 

4.3 DNS master/slave server experiment

The slave server actively synchronises its data from the master server at a fixed time interval.

Experiment model: (figure)

The experiment steps are as follows: (figure)

The master server's DNS configuration is as shown in 4.2; the slave server's DNS configuration is as follows:

/etc/named.conf configuration file:

[root@xuexi ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/etc/named.rfc1912.zones configuration file:

[root@xuexi ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "atguigu.com" IN {
        type slave;
        masters { 192.168.0.152; };
        file "slaves/atguigu.localhost";
        allow-update { none; };
};


zone "0.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.0.152; };
        file "slaves/atguigu.loopback";
        allow-update { none; };
};

After the named service is restarted, the two files atguigu.localhost and atguigu.loopback are synchronised automatically into the /var/named/slaves/ directory.

[root@xuexi slaves]# ls
atguigu.localhost  atguigu.loopback
[root@xuexi slaves]# 
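An added example, not from the original post, of the two things that decide whether the slave actually picks up a change: the SOA serial comparison (RFC 1982 serial arithmetic, as BIND uses) and the refresh/retry/expire timers from the zone files above. All serial values and ages are constructed.

```python
# Added example (not from the original post): how a slave decides whether
# the master's zone is newer, and what the SOA timers from the zone files
# above (refresh 1D, retry 1H, expire 1W) mean for it.  Serial comparison
# follows RFC 1982 serial-number arithmetic; all values are constructed.

MODULUS = 1 << 32          # SOA serials are unsigned 32-bit numbers
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982: True when serial a is 'newer' than serial b, even across
    a wrap-around of the 32-bit space."""
    a, b = a % MODULUS, b % MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def slave_should_transfer(master_serial, slave_serial):
    """The slave only pulls the zone when the master's serial is newer.
    Editing a zone without bumping the serial is the classic reason a
    slave keeps serving the old data."""
    return serial_gt(master_serial, slave_serial)

def next_serial(current, today):
    """Next serial in the YYYYMMDD style used on this page: today's date if
    that is newer than the current serial, otherwise current + 1."""
    return today if serial_gt(today, current) else current + 1

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def ttl_seconds(value):
    """'1D' -> 86400, '1W' -> 604800, '600' -> 600 (BIND time suffixes)."""
    value = value.upper()
    if value[-1] in UNITS:
        return int(value[:-1]) * UNITS[value[-1]]
    return int(value)

def slave_status(age, refresh, retry, expire):
    """What the slave does with a copy that is `age` seconds old."""
    if age >= expire:
        return "expired"        # the slave stops answering for the zone
    if age >= refresh:
        return f"refresh due, retry every {retry}s on failure"
    return "fresh"
```

Which hosts may pull the zone by AXFR is governed by allow-transfer on the master (allow-update governs dynamic updates), so restricting allow-transfer to the slave's address keeps the zone contents from being listed by arbitrary clients.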

4.4 DNS caching server experiment (dnsmasq)

This gives fast DNS resolution and spares the master server the lookup work. The master DNS server is configured as normal; the caching DNS server needs dnsmasq installed. (One problem came up in the experiment: when the master DNS server went down, client resolution failed; this may be related to the configuration on the master server.)

Make the following changes to the configuration file /etc/dnsmasq.conf on the caching server, then restart the dnsmasq service: (figure)

4.5 Intelligent DNS (split resolution)

One domain name resolves to different IP addresses: for example, DNS requests from inside the private network resolve to the intranet IP, while DNS requests from the internet resolve to the public IP. In practice this is rarely used, because most companies hand public domain resolution to a third-party DNS provider such as DNS-POD. The split-resolution model is shown below: (figure)

The main things to work on: views, the zone configuration files, and the zone data files (figure)

Edit /etc/named.conf with vim: add two views and comment out the original include lines: (figure)

Create your own zone configuration files /etc/lan.zones and /etc/wan.zones:

[root@vm3 etc]# cat lan.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "atguigu.com" IN {
        type master;
        file "lan.localhost";
        allow-update { none; };
};


[root@vm3 etc]# cat wan.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "atguigu.com" IN {
        type master;
        file "wan.localhost";
        allow-update { none; };
};

Zone data file configuration: (figure)

Configure wan.localhost in the same way. Finally restart the service and you can test from a client.
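An added example, not from the original post, modelling how named chooses between the two views: the match-clients ACLs, the view names and the public address are assumptions (the page's figure with the view definitions is not reproduced here); the zone file names lan.localhost and wan.localhost are the page's own.

```python
import ipaddress

# Added example (not from the original post): a model of how BIND chooses a
# view.  Views are tried in named.conf order and the first match-clients ACL
# that accepts the client wins, so the narrow "lan" view must come before a
# catch-all "wan" view.  The ACLs and addresses are assumptions; the page
# only says that two views each load their own atguigu.com zone file.

VIEWS = [  # (view name, match-clients ACL, zone file for atguigu.com)
    ("lan", ["192.168.0.0/24", "127.0.0.1/32"], "lan.localhost"),
    ("wan", ["any"], "wan.localhost"),
]

# constructed zone data: the same name answers differently in each view
ZONE_DATA = {
    "lan.localhost": {"www.atguigu.com.": "192.168.0.154"},
    "wan.localhost": {"www.atguigu.com.": "203.0.113.10"},  # RFC 5737 doc range
}

def acl_matches(acl, client_ip):
    """BIND ACL semantics: elements are tested in order, the first one that
    matches decides, and a leading '!' makes that element a denial."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        deny, element = element.startswith("!"), element.lstrip("!")
        if element == "any" or ip in ipaddress.ip_network(element, strict=False):
            return not deny
    return False

def select_view(views, client_ip):
    """Name of the first view whose match-clients accepts the client."""
    for name, acl, _ in views:
        if acl_matches(acl, client_ip):
            return name
    return None

def resolve(views, client_ip, qname):
    """(view, answer) the client would get for qname, or (None, None)
    when no view accepts it (named then refuses the query)."""
    for name, acl, zone_file in views:
        if acl_matches(acl, client_ip):
            return name, ZONE_DATA[zone_file].get(qname)
    return None, None
```

Reversing the order of VIEWS shows the pitfall: with the catch-all view first, intranet clients are handed the public address.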
