Contents:
I. Service overview
II. Lab: build a forward master DNS server
III. Lab: build a reverse resolution server
IV. Lab: wildcard resolution, so that a mistyped name such as wwww.baidu.com still resolves
Environment

Server   Node name   IP address
dns      node5       192.168.216.198
web1     web1        192.168.216.199
web2     web2        192.168.216.202
I. Service overview
DNS service: package name bind, daemon name named
1. Packages:
bind: the DNS server program plus a few commonly used test tools;
bind-libs: library files shared by the programs in the bind and bind-utils packages;
bind-utils: the client-side tool set, providing dig, host, nslookup and related tools;
bind-chroot: optional; provides a chroot confinement mechanism, usually not needed for an internal company server;
2. bind
Service script: /etc/rc.d/init.d/named
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key (the remote-management key; in practice it is only used locally)
Zone data files: /var/named/ZONE_NAME.ZONE
Notes:
1) One physical server can serve several zones at the same time;
2) The root hints zone file named.ca is required;
3) There should be two zone files (not counting IPv6) that resolve localhost and the loopback address:
forward: named.localhost
reverse: named.loopback
The rndc command (remote name daemon controller) is installed on the same host as bind by default and can only reach the named process through 127.0.0.1; it provides auxiliary management functions and uses port 953/tcp.
II. Building the forward master DNS server
1. Install: yum install bind -y
On node5:
yum install bind -y

Installed:
  bind.x86_64 32:9.9.4-61.el7_5.1

Dependency Updated:
  bind-libs.x86_64 32:9.9.4-61.el7_5.1        bind-libs-lite.x86_64 32:9.9.4-61.el7_5.1
  bind-license.noarch 32:9.9.4-61.el7_5.1     bind-utils.x86_64 32:9.9.4-61.el7_5.1

cat /var/named/named.ca shows the 13 root servers worldwide:
[root@node5 ~]# cat /var/named/named.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17380
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
b.root-servers.net.     3600000 IN      AAAA    2001:500:84::b
c.root-servers.net.     3600000 IN      A       192.33.4.12
c.root-servers.net.     3600000 IN      AAAA    2001:500:2::c
d.root-servers.net.     3600000 IN      A       199.7.91.13
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.     3600000 IN      A       192.203.230.10
e.root-servers.net.     3600000 IN      AAAA    2001:500:a8::e
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
g.root-servers.net.     3600000 IN      AAAA    2001:500:12::d0d
h.root-servers.net.     3600000 IN      A       198.97.190.53
h.root-servers.net.     3600000 IN      AAAA    2001:500:1::53
i.root-servers.net.     3600000 IN      A       192.36.148.17
i.root-servers.net.     3600000 IN      AAAA    2001:7fe::53
j.root-servers.net.     3600000 IN      A       192.58.128.30
j.root-servers.net.     3600000 IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     3600000 IN      A       193.0.14.129
k.root-servers.net.     3600000 IN      AAAA    2001:7fd::1
l.root-servers.net.     3600000 IN      A       199.7.83.42
l.root-servers.net.     3600000 IN      AAAA    2001:500:9f::42
m.root-servers.net.     3600000 IN      A       202.12.27.33
m.root-servers.net.     3600000 IN      AAAA    2001:dc3::35

;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE  rcvd: 811

[root@node5 ~]#
Check whether port 53 is being listened on yet:
[root@node5 ~]# ss -tunlop |grep 53
udp   UNCONN  0  0  *:5353             *:*   users:(("avahi-daemon",pid=603,fd=12))
udp   UNCONN  0  0  192.168.122.1:53   *:*   users:(("dnsmasq",pid=2184,fd=5))
tcp   LISTEN  0  5  192.168.122.1:53   *:*   users:(("dnsmasq",pid=2184,fd=6))
Nothing from named yet; the only port-53 listener is dnsmasq on the libvirt bridge address.
2. Edit the main configuration file:
Global configuration: options {}
Logging subsystem configuration: logging {}
Zone definitions: every zone this host is to serve must be defined here;
zone "ZONE_NAME" IN {}
Note: any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that those hosts can talk to; this is why listen-on is changed from 127.0.0.1 alone to include 192.168.216.198.
Back up the configuration file first:
cp -v /etc/named.conf{,.bak}
Then edit it: vim /etc/named.conf
[root@node5 ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.216.198; 127.0.0.1; };   # add this host's own address; any; also works
        //listen-on-v6 port 53 { ::1; };                        # IPv6 listener commented out
        directory       "/var/named";                           # directory that holds the zone files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                               # allow queries from everyone

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;        # can be set to no while learning
        dnssec-validation yes;    # can also be set to no for now

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";   # this file holds the zone definitions
include "/etc/named.root.key";

"/etc/named.conf" 59L, 1723C written
Restart the service and check how the listening ports change:
[root@node5 ~]# systemctl restart named
[root@node5 ~]# ss -tunlp |grep 53
udp   UNCONN  0  0    *:5353               *:*    users:(("avahi-daemon",pid=603,fd=12))
udp   UNCONN  0  0    192.168.216.198:53   *:*    users:(("named",pid=5349,fd=519),("named",pid=5349,fd=518),("named",pid=5349,fd=517),("named",pid=5349,fd=516))
udp   UNCONN  0  0    127.0.0.1:53         *:*    users:(("named",pid=5349,fd=515),("named",pid=5349,fd=514),("named",pid=5349,fd=513),("named",pid=5349,fd=512))
udp   UNCONN  0  0    192.168.122.1:53     *:*    users:(("dnsmasq",pid=2184,fd=5))
tcp   LISTEN  0  10   192.168.216.198:53   *:*    users:(("named",pid=5349,fd=22))
tcp   LISTEN  0  10   127.0.0.1:53         *:*    users:(("named",pid=5349,fd=21))
tcp   LISTEN  0  5    192.168.122.1:53     *:*    users:(("dnsmasq",pid=2184,fd=6))
tcp   LISTEN  0  128  127.0.0.1:953        *:*    users:(("named",pid=5349,fd=23))
tcp   LISTEN  0  128  ::1:953              :::*   users:(("named",pid=5349,fd=24))
[root@node5 ~]#
named now serves 53/udp and 53/tcp on both 192.168.216.198 and 127.0.0.1, while the rndc control channel on 953/tcp is bound to loopback only, as described in section I.
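The comment block that ships in named.conf above already names the risk: with recursion yes; and allow-query { any; }; and no allow-recursion, named falls back to the allow-query list when deciding who may recurse, so node5 as configured answers recursive queries for anyone who can reach it, which is what turns a server into a DNS amplification reflector. The script below is an added example, not part of the original post and not BIND's own tooling: it pulls the relevant options out of an options {} block, applies the fallback chain documented in the BIND 9 ARM (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets/localhost default) and classifies the server. The two configuration strings are constructed for the demonstration; the hardened one keeps the zone public but limits recursion to the lab network.

```python
import re

# Constructed inputs: WEAK_CONF mirrors the options node5 ends up with in the
# post; HARDENED_CONF keeps the zone public but limits who may recurse.
WEAK_CONF = """\
options {
    listen-on port 53 { 192.168.216.198; 127.0.0.1; };
    allow-query { any; };
    recursion yes;
};
"""
HARDENED_CONF = """\
options {
    listen-on port 53 { 192.168.216.198; 127.0.0.1; };
    allow-query { any; };                               // anyone may ask for our zones
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.216.0/24; };   // only the lab LAN may recurse
};
"""
# Built-in defaults from the BIND 9 ARM for the two options this check relies on.
DEFAULT_RECURSION = "yes"
DEFAULT_RECURSION_ACL = ["localnets", "localhost"]


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def get_acl(text, name):
    """Entries of an address-match-list option (allow-query, ...), or None if absent."""
    m = re.search(rf"(?<![\w-]){name}\s*\{{([^}}]*)\}}\s*;", strip_comments(text))
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]


def get_flag(text, name):
    """Value of a yes/no option such as recursion, or None if absent."""
    m = re.search(rf"(?<![\w-]){name}\s+(yes|no)\s*;", strip_comments(text))
    return m.group(1) if m else None


def effective_recursion_acl(text):
    """Who may recurse. named falls back from allow-recursion to allow-query-cache,
    then to allow-query, then to its built-in default, so a server that only sets
    'allow-query { any; }' also recurses for anyone."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = get_acl(text, name)
        if acl is not None:
            return acl
    return DEFAULT_RECURSION_ACL


def classify(text):
    """'authoritative-only', 'restricted-recursive' or 'open-resolver'."""
    if (get_flag(text, "recursion") or DEFAULT_RECURSION) == "no":
        return "authoritative-only"
    acl = effective_recursion_acl(text)
    if "any" in acl or "0.0.0.0/0" in acl:
        return "open-resolver"
    return "restricted-recursive"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: recursion ACL {effective_recursion_acl(conf)} -> {classify(conf)}")
```

For the lab this distinction matters because web1 points its DNS1 at node5 and relies on it to recurse, so recursion no; is not an option here; allow-recursion restricted to the LAN gives web1 what it needs without offering recursion to the rest of the network.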
3. Edit the zone definition file
[root@node5 ~]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

// added: the lab's forward zone
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};
4. Create the zone data file (the forward zone)
vim /var/named/zhangxingeng.com.zone
[root@node5 named]# cat /var/named/zhangxingeng.com.zone
$TTL 86400
$ORIGIN zhangxingeng.com.
@       IN SOA  dns1.zhangxingeng.com. admin.zhangxingeng.com. (
                2018112002 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
zhangxingeng.com.  IN NS    dns1
                   IN MX 10 mail
web1    IN A     192.168.216.199
dns1    IN A     192.168.216.198
mail    IN A     192.168.216.199
www     IN CNAME web1
The trailing dot belongs on domain names only (dns1.zhangxingeng.com.), never on the IPv4 address of an A record.
5. Use web1 (IP .199) as the client
Install nginx:
yum install nginx -y
echo welcome to web1 >/usr/share/nginx/html/index.html
systemctl start nginx
systemctl enable nginx
ss -tunlp |grep 80
web1's web server is now up.
Point its DNS at the new server:
[root@web1 ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="4f788080-131a-4f10-85a8-179b4f14ab48"
DEVICE="ens33"
ONBOOT="yes"
DNS1=192.168.216.198
[root@web1 ~]#
The DNS1 line takes effect the next time the interface is brought up (ifdown/ifup or a network restart), after which /etc/resolv.conf lists 192.168.216.198 as nameserver.
6. Syntax check
named-checkconf checks the main configuration file
named-checkzone "zhangxingeng.com" /var/named/zhangxingeng.com.zone checks the zone data file
7. Reload the service
systemctl reload named or rndc reload
8. Install nginx (an HTTP server) on node5 (the DNS server) as well
yum -y install nginx
echo welcome to dns1 >/usr/share/nginx/html/index.html
systemctl start nginx
systemctl enable nginx
9. Test from web1
Test with the dig command.
Syntax:
dig [-t RR_TYPE] name [@server] [query options]
Query options:
+[no]trace: trace the resolution process from the root;
+[no]recurse: ask for recursive resolution;
Reverse lookup:
dig -x IPADDR
Full zone transfer (AXFR):
dig -t axfr DOMAIN [@server]
Examples:
Query the NS records of baidu.com:
dig -t NS baidu.com
Trace the resolution of www.baidu.com:
dig +trace www.baidu.com
Resolve the A record of www.baidu.com:
dig -t A www.baidu.com
[root@web1 ~]# dig -t A dns1.zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A dns1.zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34597
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.zhangxingeng.com.         IN      A

;; ANSWER SECTION:
dns1.zhangxingeng.com.  86400   IN      A       192.168.216.198

;; AUTHORITY SECTION:
zhangxingeng.com.       86400   IN      NS      dns1.zhangxingeng.com.

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Thu Nov 22 00:04:12 CST 2018
;; MSG SIZE  rcvd: 80

[root@web1 ~]# dig -t CNAME dns1.zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t CNAME dns1.zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54294
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.zhangxingeng.com.         IN      CNAME

;; AUTHORITY SECTION:
zhangxingeng.com.       10800   IN      SOA     dns1.zhangxingeng.com. admin.zhangxingeng.com. 2018112002 86400 3600 604800 10800

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Thu Nov 22 00:05:06 CST 2018
;; MSG SIZE  rcvd: 92

[root@web1 ~]# curl www.zhangxingeng.com
welcome to web1
[root@web1 ~]#

[root@web1 ~]# dig -t NS dns1.zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS dns1.zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20293
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.zhangxingeng.com.         IN      NS

;; AUTHORITY SECTION:
zhangxingeng.com.       10800   IN      SOA     dns1.zhangxingeng.com. admin.zhangxingeng.com. 2018112002 86400 3600 604800 10800

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Thu Nov 22 00:04:55 CST 2018
;; MSG SIZE  rcvd: 92
The CNAME and NS queries return status NOERROR with ANSWER: 0 and the SOA in the AUTHORITY section: the name dns1.zhangxingeng.com exists but has no record of the requested type (a NODATA answer), which is expected since the zone only gives it an A record. The aa flag on every answer confirms the replies come from the authoritative server rather than from a cache.
Access the HTTP service deployed on the DNS server:
[root@web1 ~]# curl dns1.zhangxingeng.com
welcome to dns1
[root@web1 ~]#
III. Building reverse resolution
1. Define the zone
[root@node5 named]# vim /etc/named.rfc1912.zones
(the zones defined in section II are left as they are; append the reverse zone after the forward zone at the end of the file)
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};
zone "216.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.216.zone";
};
2. Define the zone data file
cd /var/named/
[root@node5 named]# cat 192.168.216.zone
$TTL 3600
$ORIGIN 216.168.192.in-addr.arpa.
@       IN SOA  zhangxingeng.com. admin.zhangxingeng.com. (
                20181120 ; serial
                1D       ; refresh
                1H       ; retry
                1W       ; expire
                3H )     ; minimum
        IN NS   web1.zhangxingeng.com.
        IN NS   dns1.zhangxingeng.com.
199     IN PTR  web1.zhangxingeng.com.
198     IN PTR  dns1.zhangxingeng.com.
128     IN PTR  mail.zhangxingeng.com.
129     IN PTR  www.zhangxingeng.com.
The owner of a PTR record is the host part of the address, written relative to the reversed network in $ORIGIN, and the target is the fully qualified host name with its trailing dot. Note that the .128 and .129 entries do not match the forward zone, where mail resolves to .199 and www is a CNAME for web1 (.199); forward and reverse data should be kept consistent, since a mismatch shows up as a failed round-trip check in anything that validates PTR records.
3. Syntax check
[root@node5 named]# named-checkconf
[root@node5 named]# named-checkzone zhangxingeng.com. zhangxingeng.com.zone
zone zhangxingeng.com/IN: zhangxingeng.com/MX 'mail.zhangxigneng.com' (out of zone) has no addresses records (A or AAAA)
zone zhangxingeng.com/IN: loaded serial 2018112001
OK
[root@node5 named]# named-checkzone 216.168.192.in-addr.arpa. 192.168.216.zone
zone 216.168.192.in-addr.arpa/IN: loaded serial 2018112001
OK
[root@node5 named]#
The warning on the forward zone comes from a misspelled MX target (zhangxigneng instead of zhangxingeng) in the file at the time of the check: named-checkzone treats the name as outside the zone and finds no address record for it. The zone file shown in section II already has the corrected relative name mail, and the serial was bumped afterwards, which is why that file carries 2018112002.
4. Reload the master server configuration
rndc reload
systemctl status named.service
5. Test
Command: dig -x IPADDR
Test on web1:
[root@web1 ~]# dig -x 192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59092
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;198.216.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
198.216.168.192.in-addr.arpa. 3600 IN   PTR     dns1.zhangxingeng.com.

;; AUTHORITY SECTION:
216.168.192.in-addr.arpa. 3600  IN      NS      dns1.zhangxingeng.com.
216.168.192.in-addr.arpa. 3600  IN      NS      web1.zhangxingeng.com.

;; ADDITIONAL SECTION:
web1.zhangxingeng.com.  86400   IN      A       192.168.216.199
dns1.zhangxingeng.com.  86400   IN      A       192.168.216.198

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 23:46:10 CST 2018
;; MSG SIZE  rcvd: 157

[root@web1 ~]#
Both web1 and dns1 resolve in reverse; dig -x turns the address into the PTR query name 198.216.168.192.in-addr.arpa. automatically.
IV. Wildcard resolution, for a friendlier user experience
Even a mistyped host name still reaches the site.
1. Edit the zone data file; one extra A record is enough
[root@node5 named]# vim /var/named/zhangxingeng.com.zone

$TTL 86400
$ORIGIN zhangxingeng.com.
@       IN SOA  dns1.zhangxingeng.com. admin.zhangxingeng.com. (
                2018112002 ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
zhangxingeng.com.  IN NS    dns1
                   IN MX 10 mail
web1    IN A     192.168.216.199
dns1    IN A     192.168.216.198
mail    IN A     192.168.216.199
www     IN CNAME web1
*       IN A     192.168.216.199
The * record only answers for names that do not otherwise exist in the zone; the explicit records above keep their own answers. Two caveats: increase the serial whenever the file changes, otherwise any secondary server will keep its old copy, and remember that a wildcard also makes every name nobody ever intended to publish resolve to web1, so it trades strictness for convenience.
2. Quick test
[root@node5 named]# curl web11.zhangxingeng.com
welcome to web1
[root@node5 named]#
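One way to see what the zone files from sections III and IV actually do, as an added example that is not part of the original post and not BIND's code: a small parser for the subset of zone-file syntax the post uses ($TTL, $ORIGIN, a multi-line SOA in parentheses, relative and absolute names, a blank owner inheriting the previous one, ';' comments and the * wildcard), an authoritative lookup that follows the RFC 4592 wildcard rules (a name that exists but lacks the queried type gets NODATA, a non-existent name directly under the zone gets the * record synthesized, a non-existent name below an existing host does not), and a check that every PTR in the reverse zone round-trips through the forward zone. FORWARD_ZONE and REVERSE_ZONE are the post's two files retyped without the trailing dots on the IPv4 addresses; check_reverse on them reports the two PTR records (.128 and .129) whose targets resolve to .199 in the forward zone.

```python
import ipaddress

# Constructed inputs: the post's zone files, IPv4 trailing dots removed.
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN zhangxingeng.com.
@ IN SOA dns1.zhangxingeng.com. admin.zhangxingeng.com. (
        2018112002 ; serial
        1D 1H 1W 3H ) ; refresh retry expire minimum
zhangxingeng.com. IN NS dns1
                  IN MX 10 mail
web1 IN A 192.168.216.199
dns1 IN A 192.168.216.198
mail IN A 192.168.216.199
www  IN CNAME web1
*    IN A 192.168.216.199
"""
REVERSE_ZONE = """\
$ORIGIN 216.168.192.in-addr.arpa.
@ IN SOA zhangxingeng.com. admin.zhangxingeng.com. ( 20181120 1D 1H 1W 3H )
    IN NS dns1.zhangxingeng.com.
199 IN PTR web1.zhangxingeng.com.
198 IN PTR dns1.zhangxingeng.com.
128 IN PTR mail.zhangxingeng.com.
129 IN PTR www.zhangxingeng.com.
"""
# Index of the domain-name fields inside each record type's rdata.
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def absolute(name, origin):
    """Qualify a relative owner or target under the zone origin."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and merge records continued inside ( ... )."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text):
    """Return (origin, records); each record is (owner, rtype, rdata-list)."""
    origin, last_owner, records = None, None, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
        elif tokens[0] != "$TTL":  # TTLs play no role in this example
            # A line that starts with whitespace inherits the previous owner.
            owner = last_owner if line[0].isspace() else absolute(tokens.pop(0), origin)
            last_owner = owner
            tokens = tokens[1:] if tokens[0] == "IN" else tokens
            rtype, rdata = tokens[0], tokens[1:]
            for i in NAME_FIELDS.get(rtype, []):
                rdata[i] = absolute(rdata[i], origin)
            records.append((owner, rtype, rdata))
    return origin, records


def lookup(zone, qname, qtype):
    """Authoritative answer with RFC 4592 wildcard synthesis:
    (rcode, [(owner, rtype, rdata), ...]); NOERROR with [] is NODATA."""
    origin, records = zone
    qname = absolute(qname, origin)
    owners = {r[0] for r in records}

    def exists(name):  # a name exists if it owns records or has descendants
        return any(o == name or o.endswith("." + name) for o in owners)

    def rrset(name, rtype):
        return [r for r in records if r[0] == name and r[1] == rtype]

    if exists(qname):
        rrs = rrset(qname, qtype)
        cname = rrset(qname, "CNAME")
        if not rrs and cname:  # follow an in-zone alias
            rrs = cname + rrset(cname[0][2][0], qtype)
        return "NOERROR", rrs
    labels = qname.split(".")
    for i in range(1, len(labels)):  # walk up to the closest encloser
        encloser = ".".join(labels[i:])
        if exists(encloser):
            wildcard = "*." + encloser
            if wildcard in owners:  # synthesize under the queried name
                return "NOERROR", [(qname, t, rd) for _, t, rd in rrset(wildcard, qtype)]
            return "NXDOMAIN", []
    return "NXDOMAIN", []


def check_reverse(forward, reverse):
    """(address, PTR target, forward addresses) for every PTR that does not round-trip."""
    mismatches = []
    for owner, rtype, rd in reverse[1]:
        if rtype == "PTR":
            address = ".".join(owner.split(".")[3::-1])  # 199.216.168.192.in-addr.arpa. -> 192.168.216.199
            _, answers = lookup(forward, rd[0], "A")
            addrs = sorted(r[2][0] for r in answers if r[1] == "A")
            if address not in addrs:
                mismatches.append((address, rd[0], addrs))
    return mismatches
```

The NODATA branch is exactly what the dig -t CNAME dns1.zhangxingeng.com output in section II shows (ANSWER: 0 with the SOA in AUTHORITY), and the synthesized branch is the web11 lookup behind the curl test above; lookup(fwd, "a.web1", "A") returns NXDOMAIN because the closest existing ancestor of that name is web1, not the zone apex, so the apex wildcard does not apply. ipaddress.ip_address(addr).reverse_pointer gives the in-addr.arpa owner name if you want to generate PTR records from the forward zone instead of checking them.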
To be continued...
Please credit the source when reposting.