1. Installing and configuring the DNS service
DNS is implemented by BIND (Berkeley Internet Name Domain), which was later handed over to ISC for maintenance (www.isc.org).
The DNS service package is named bind; the daemon program is named.
The packages required are:
- bind
- bind-libs
- bind-utils
- bind-chroot: /var/named/chroot/, optional
1.1 Installing bind
On CentOS it can be installed directly with yum, or built from source.
# install with yum
~]# yum install bind bind-libs bind-utils bind-chroot
# for building from source, see the README
1.2 bind configuration files
bind service scripts: CentOS 6 (/etc/rc.d/init.d/named); CentOS 7 (/usr/lib/systemd/system/named.service)
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Zone database files: /var/named/ZONE_NAME.zone
NOTE:
- rndc (remote named domain controller) is installed on the same host as bind by default and can only connect to the named process via 127.0.0.1; it provides auxiliary management functions.
- One physical server can provide resolution for several zones at the same time
- There must be a root zone file
- There should be two zone databases (more if IPv6 addresses are included) resolving localhost and the loopback address
The main configuration file defines the listening addresses, port numbers, security policy, logging, zone configuration and so on.
# /etc/named.conf
# global configuration: options {};
# logging subsystem configuration: logging {};
# /etc/named.rfc1912.zones
# zone definitions: every zone this host should resolve must be defined here
# zone "zone_name" IN {};
NOTE: any service program that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with external hosts.
1.3 Configuring bind
Caching name server configuration:
# change the external listening address
listen-on port 53 {192.168.123.132; 127.0.0.1; };
# turn off dnssec
dnssec-enable no;
dnssec-validation no;
# change allow-query
allow-query { any; };
# sample configuration file:
[root@docker-package etc]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.123.132; 127.0.0.1; };
// listen-on-v6 port 53 { ::1; }; # can be commented out if no IPv6 address is in use
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
// bindkeys-file "/etc/named.iscdlv.key";
// managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@leistudy yum.repos.d]# systemctl start named
[root@leistudy yum.repos.d]# ss -tunl | grep ":53\b"
udp UNCONN 0 0 192.168.123.100:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 10 192.168.123.100:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
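The sample above combines recursion yes with allow-query { any; } and no allow-recursion, which is exactly the open-resolver situation the comment block in named.conf warns about. The following is an added example (not part of the original post) that checks an options block for this combination before it is put into service. It is plain POSIX sh and awk, so it runs without bind installed; the sample configurations embedded in it are constructed, and the rule it applies is BIND 9's documented defaults: recursion is on unless "recursion no;" is set, and allow-recursion falls back to allow-query-cache, then allow-query, then "localnets; localhost;".

```shell
#!/bin/sh
# Added example, not part of the original post: detect an "open resolver"
# options{} block (recursion on, and recursion allowed from any) before it
# goes live. Pure POSIX sh + awk, so it runs without bind installed.

# Remove /* ... */ blocks and // or # line comments from named.conf text on
# stdin, so commented-out directives are not mistaken for active ones.
# (Assumption: no "//" or "#" inside quoted strings, which holds for the
# configuration above.)
strip_named_comments() {
  awk '
    {
      line = $0; out = ""
      while (length(line) > 0) {
        if (inblock) {
          e = index(line, "*/")
          if (e == 0) { line = ""; break }
          line = substr(line, e + 2); inblock = 0
        } else {
          s = index(line, "/*")
          if (s == 0) { out = out line; break }
          out = out substr(line, 1, s - 1)
          line = substr(line, s + 2); inblock = 1
        }
      }
      sub(/(\/\/|#).*$/, "", out)
      print out
    }'
}

# acl_state NAME FILE: print "any", "restricted" or "unset" for an
# address-list directive such as allow-recursion in a comment-free file.
acl_state() {
  if grep -Eq "(^|[[:space:]])$1[[:space:]]*\\{" "$2"; then
    if grep -Eq "(^|[[:space:]])$1[[:space:]]*\\{[[:space:]]*any[[:space:]]*;" "$2"; then
      echo any
    else
      echo restricted
    fi
  else
    echo unset
  fi
}

# is_open_resolver < named.conf: exit 0 when the server would recurse for
# anyone. BIND 9 defaults: recursion is on unless "recursion no;" is set, and
# allow-recursion falls back to allow-query-cache, then allow-query, then
# "localnets; localhost;".
is_open_resolver() {
  stripped=$(mktemp) || return 2
  strip_named_comments > "$stripped"
  result=1
  if ! grep -Eq '(^|[[:space:]])recursion[[:space:]]+no[[:space:]]*;' "$stripped"; then
    for acl in allow-recursion allow-query-cache allow-query; do
      case $(acl_state "$acl" "$stripped") in
        any)        result=0; break ;;
        restricted) result=1; break ;;
      esac
    done
  fi
  rm -f "$stripped"
  return $result
}

# Constructed sample: the options block from the post, comments included.
OPEN_CONF='options {
    listen-on port 53 { 192.168.123.132; 127.0.0.1; };
    // listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    /*
     - If your recursive DNS server has a public IP address, you MUST enable
       access control to limit queries to your legitimate users.
    */
    recursion yes;
    /* allow-recursion { any; }; */
};'

# Constructed sample: same server, recursion limited to the LAN and loopback.
RESTRICTED_CONF='options {
    listen-on port 53 { 192.168.123.132; 127.0.0.1; };
    allow-query { any; };
    allow-recursion { 127.0.0.1; 192.168.123.0/24; };
    recursion yes;
};'

# Constructed sample: authoritative-only server, recursion switched off.
AUTH_CONF='options {
    allow-query { any; };
    recursion no;
};'

check() {
  if printf '%s\n' "$2" | is_open_resolver; then
    echo "$1: OPEN resolver - restrict allow-recursion or set recursion no"
  else
    echo "$1: ok"
  fi
}
check open "$OPEN_CONF"
check restricted "$RESTRICTED_CONF"
check authoritative "$AUTH_CONF"
```

Run it against a real file with `is_open_resolver < /etc/named.conf`. The comment stripper matters: the stock named.conf carries the long /* */ block and commented-out directives seen above, and a naive grep would report them as active.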
Primary DNS server forward zone configuration:
# add zone files on top of the caching DNS server
# define the zone in /etc/named.rfc1912.zones
# example:
[root@leistudy yum.repos.d]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
type master;
file "leistudy.com.zone";
};
# define the zone database file
# macro definitions
# resource records
# example:
[root@leistudy ~]# cd /var/named/
[root@leistudy named]# ls
chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@leistudy named]# vim leistudy.com.zone
$TTL 86400
$ORIGIN leistudy.com.
@ IN SOA ns1.leistudy.com. admin.leistudy.com. (
2018032901
1H
5M
7D
1D
)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 192.168.123.100
ns2 IN A 192.168.123.101
mx1 IN A 192.168.123.100
mx2 IN A 192.168.123.101
www IN A 192.168.123.100
web IN CNAME www
# check the zone file for errors
[root@leistudy named]# named-checkzone "leistudy.com" /var/named/leistudy.com.zone
zone leistudy.com/IN: loaded serial 2018032901
OK
# reload the configuration
[root@leistudy named]# rndc reload
server reload successful
# test
[root@leistudy named]# dig -t A www.leistudy.com @192.168.123.100
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.leistudy.com @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29655
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leistudy.com. IN A
;; ANSWER SECTION:
www.leistudy.com. 86400 IN A 192.168.123.100
;; AUTHORITY SECTION:
leistudy.com. 86400 IN NS ns2.leistudy.com.
leistudy.com. 86400 IN NS ns1.leistudy.com.
;; ADDITIONAL SECTION:
ns1.leistudy.com. 86400 IN A 192.168.123.100
ns2.leistudy.com. 86400 IN A 192.168.123.101
;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Thu Mar 29 17:11:04 CST 2018
;; MSG SIZE rcvd: 129
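Each edit to the zone file above has to be followed by a serial increase before rndc reload, otherwise slaves compare serials, see no change and keep serving the old data. The following is an added example (not part of the original post) that implements the YYYYMMDDNN convention used by the serial 2018032901: a helper that computes the next serial, and a wrapper that rewrites it in a zone file laid out like the one above (serial alone on the first digit-only line inside the SOA parentheses, which is an assumption about the layout). The zone file it bumps is a constructed copy.

```shell
#!/bin/sh
# Added example, not part of the original post: every edit to a zone file
# must raise the SOA serial or slaves keep the old data. These helpers follow
# the YYYYMMDDNN convention used above (2018032901).

# next_serial CURRENT [YYYYMMDD]: print a serial strictly greater than CURRENT.
next_serial() {
  cur=$1
  today=${2:-$(date +%Y%m%d)}
  case $cur in
    ''|*[!0-9]*) echo "next_serial: not a numeric serial: '$cur'" >&2; return 1 ;;
  esac
  first_today="${today}01"
  if [ "$cur" -lt "$first_today" ]; then
    echo "$first_today"           # first change today (or an older serial)
  else
    echo $((cur + 1))             # same day, NN=99, or a serial already past today
  fi
}

# bump_zone_serial ZONEFILE [YYYYMMDD]: rewrite the serial in place and print
# the new value. Assumes the layout above: the serial is the first line that
# consists of digits only (inside the SOA parentheses).
bump_zone_serial() {
  f=$1; today=$2
  cur=$(awk '/^[[:space:]]*[0-9]+[[:space:]]*$/ { print $1; exit }' "$f")
  [ -n "$cur" ] || { echo "bump_zone_serial: no serial line in $f" >&2; return 1; }
  new=$(next_serial "$cur" ${today:+"$today"}) || return 1
  awk -v old="$cur" -v new="$new" '
    !done && $0 ~ ("^[[:space:]]*" old "[[:space:]]*$") { sub(old, new); done = 1 }
    { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  echo "$new"
}

# Constructed demo: a copy of the zone file layout above in a temp file.
demo_zone=$(mktemp)
cat > "$demo_zone" <<'EOF'
$TTL 86400
$ORIGIN leistudy.com.
@ IN SOA ns1.leistudy.com. admin.leistudy.com. (
    2018032901
    1H
    5M
    7D
    1D
)
    IN NS ns1
ns1 IN A 192.168.123.100
EOF
echo "before: $(awk '/^[[:space:]]*[0-9]+[[:space:]]*$/ { print $1; exit }' "$demo_zone")"
echo "after:  $(bump_zone_serial "$demo_zone" 20180330)"
rm -f "$demo_zone"
```

A typical workflow is `bump_zone_serial /var/named/leistudy.com.zone && named-checkzone leistudy.com /var/named/leistudy.com.zone && rndc reload leistudy.com`. Because the serial only ever grows, a serial that was accidentally set in the future is handled by simply adding one rather than jumping backwards to today's date, which slaves would reject as a decrease.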
Primary DNS server reverse zone configuration:
# zone name: network address written in reverse, followed by .in-addr.arpa
192.168.123. --> 123.168.192.in-addr.arpa
# define the zone: /etc/named.rfc1912.zones
[root@leistudy ~]# vim /etc/named.rfc1912.zones
zone "123.168.192.in-addr.arpa" IN {
type master;
file "123.168.192.in-addr.arpa.zone";
};
# define the reverse zone database file
[root@leistudy ~]# vim /var/named/123.168.192.in-addr.arpa.zone
$TTL 86400
$ORIGIN 123.168.192.in-addr.arpa.
@ IN SOA ns1.leistudy.com. admin.leistudy.com. (
2018032901
1H
5M
7D
1D
)
IN NS ns1.leistudy.com.
IN NS ns2.leistudy.com.
100 IN PTR ns1.leistudy.com.
101 IN PTR ns2.leistudy.com.
100 IN PTR mx1.leistudy.com.
101 IN PTR mx2.leistudy.com.
100 IN PTR www.leistudy.com.
# test the zone database file
[root@leistudy ~]# named-checkzone "123.168.192.in-addr.arpa" /var/named/123.168.192.in-addr.arpa.zone
zone 123.168.192.in-addr.arpa/IN: loaded serial 2018032901
OK
# reload the configuration
[root@leistudy ~]# rndc reload
server reload successful
# reverse lookup test
[root@leistudy ~]# host -t PTR 192.168.123.100 192.168.123.100
Using domain server:
Name: 192.168.123.100
Address: 192.168.123.100#53
Aliases:
100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
[root@leistudy ~]# dig -x 192.168.123.100 @192.168.123.100
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.123.100 @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.123.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.123.168.192.in-addr.arpa. 86400 IN PTR www.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN PTR ns1.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN PTR mx1.leistudy.com.
;; AUTHORITY SECTION:
123.168.192.in-addr.arpa. 86400 IN NS ns2.leistudy.com.
123.168.192.in-addr.arpa. 86400 IN NS ns1.leistudy.com.
;; ADDITIONAL SECTION:
ns1.leistudy.com. 86400 IN A 192.168.123.100
ns2.leistudy.com. 86400 IN A 192.168.123.101
;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Fri Mar 30 10:06:13 CST 2018
;; MSG SIZE rcvd: 187
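The reverse zone above was typed by hand from the forward zone, which is how forward and reverse data drift apart over time. As an added example (not part of the original post), the script below derives the in-addr.arpa name for a prefix and generates the PTR records, and a complete reverse zone in the same layout as the one above, from the forward zone's A records. It goes slightly beyond the /24 case in the text: reverse_zone_name handles any dotted prefix length. The forward zone it reads is a constructed copy of the one above plus one out-of-prefix record to show the filtering; the SOA contact and timers are copied from the post.

```shell
#!/bin/sh
# Added example, not part of the original post: derive the in-addr.arpa name
# for a prefix and generate its PTR records from the forward zone's A records,
# so the reverse zone above cannot drift away from the forward zone.

# reverse_zone_name 192.168.123 -> 123.168.192.in-addr.arpa
# (works for any dotted prefix length: 10 -> 10.in-addr.arpa)
reverse_zone_name() {
  printf '%s\n' "$1" | awk -F. '{ for (i = NF; i > 0; i--) printf "%s.", $i; print "in-addr.arpa" }'
}

# ptr_records ORIGIN PREFIX < forward.zone
# For every "name IN A a.b.c.d" inside PREFIX emit "d IN PTR name.ORIGIN."
ptr_records() {
  awk -v origin="$1" -v prefix="$2." '
    $2 == "IN" && $3 == "A" && index($4, prefix) == 1 {
      name = $1
      if (name == "@") name = origin "."                   # apex record
      else if (name !~ /\.$/) name = name "." origin "."   # relative name
      n = split($4, octet, ".")
      print octet[n], "IN PTR", name
    }'
}

# reverse_zone_file ORIGIN PREFIX SERIAL NS_FQDN... < forward.zone
# Print a complete reverse zone in the same layout as the forward zone above;
# the first NS given is also used as the SOA MNAME.
reverse_zone_file() {
  origin=$1 prefix=$2 serial=$3; shift 3
  rzone=$(reverse_zone_name "$prefix")
  printf '$TTL 86400\n$ORIGIN %s.\n' "$rzone"
  printf '@ IN SOA %s admin.%s. (\n    %s\n    1H\n    5M\n    7D\n    1D\n)\n' "$1" "$origin" "$serial"
  for ns in "$@"; do printf '    IN NS %s\n' "$ns"; done
  ptr_records "$origin" "$prefix"
}

# Constructed forward zone: the records from the post plus one host outside
# the 192.168.123.0/24 prefix, which must not produce a PTR.
FORWARD_ZONE='$TTL 86400
$ORIGIN leistudy.com.
@ IN SOA ns1.leistudy.com. admin.leistudy.com. (
    2018032901
    1H
    5M
    7D
    1D
)
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 192.168.123.100
ns2 IN A 192.168.123.101
mx1 IN A 192.168.123.100
mx2 IN A 192.168.123.101
www IN A 192.168.123.100
web IN CNAME www
other IN A 10.0.0.5'

printf '%s\n' "$FORWARD_ZONE" | reverse_zone_file leistudy.com 192.168.123 2018032901 ns1.leistudy.com. ns2.leistudy.com.
```

With a real file the call is `reverse_zone_file leistudy.com 192.168.123 2018032901 ns1.leistudy.com. ns2.leistudy.com. < /var/named/leistudy.com.zone > /var/named/123.168.192.in-addr.arpa.zone`, followed by the same named-checkzone and rndc reload steps shown above. CNAME records are skipped on purpose: only addresses get PTRs, so www gets one and web does not.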
Master/slave replication:
# 1. The slave should be an independent name server
# 2. The master's zone database file must contain an NS record pointing to the slave
# 3. The slave only needs to define the zone; it does not provide the database file, which is placed in /var/named/slaves
# 4. The master must allow the slave to perform zone transfers
# 5. The clocks of master and slave should be synchronised, which can be done with ntp
# 6. The bind versions should match; otherwise the slave should run the higher version and the master the lower
# define the slave zones:
[root@ns2 ~]# ip add sh | grep ens33 | tail -1
inet 192.168.123.101/24 brd 192.168.123.255 scope global ens33
[root@ns2 slaves]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
type slave;
masters { 192.168.123.100; };
file "slaves/leistudy.com.zone";
};
zone "123.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.123.100; };
file "slaves/123.168.192.in-addr.arpa.zone";
};
# check whether the zone files have been synchronised
[root@ns2 slaves]# cd /var/named/slaves/
[root@ns2 slaves]# ll
total 8
-rw-r--r--. 1 named named 416 Mar 30 10:44 123.168.192.in-addr.arpa.zone
-rw-r--r--. 1 named named 561 Mar 30 10:46 leistudy.com.zone
# test
[root@ns2 slaves]# host -t A www.leistudy.com 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases:
www.leistudy.com has address 192.168.123.100
[root@ns2 slaves]# host -t PTR 192.168.123.100 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases:
100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
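Point 4 above says the master must allow transfers to the slave; the master configuration shown earlier does not say to whom, and older BIND releases, including the 9.9 in this post, default allow-transfer to any, so the whole zone can be pulled by any host that can reach port 53. The following added example (not part of the original post) emits a master stanza whose allow-transfer and also-notify lists contain only the named slaves, the matching slave stanza, and a small check that compares the serials reported by the master and the slave so you can confirm replication instead of inferring it from the file listing. The dig output it parses is constructed; the stanza spelling is the "type slave"/"masters" form used above (BIND 9.16+ also accepts "type secondary"/"primaries").

```shell
#!/bin/sh
# Added example, not part of the original post: generate a matching pair of
# zone stanzas in which the master hands the zone only to its listed slaves
# (point 4 above, tightened to an explicit allow-transfer list rather than
# the "any" default of older BIND releases), and compare SOA serials to
# confirm the slave has caught up.

# master_zone_stanza ZONE FILE SLAVE_IP... -> text for named.rfc1912.zones
master_zone_stanza() {
  zone=$1 file=$2; shift 2
  acl=""
  for ip in "$@"; do acl="$acl $ip;"; done
  cat <<EOF
zone "$zone" IN {
    type master;
    file "$file";
    allow-transfer {$acl };
    also-notify {$acl };
};
EOF
}

# slave_zone_stanza ZONE FILE MASTER_IP -> text for the slave's named.rfc1912.zones
slave_zone_stanza() {
  cat <<EOF
zone "$1" IN {
    type slave;
    masters { $3; };
    file "slaves/$2";
};
EOF
}

# soa_serial: print the serial from "dig +short SOA ZONE @SERVER" output
# (mname rname serial refresh retry expire minimum).
soa_serial() { awk 'NF >= 7 { print $3; exit }'; }

# slave_in_sync MASTER_SOA_LINE SLAVE_SOA_LINE -> 0 when the serials match
slave_in_sync() {
  m=$(printf '%s\n' "$1" | soa_serial)
  s=$(printf '%s\n' "$2" | soa_serial)
  [ -n "$m" ] && [ "$m" = "$s" ]
}

# Demo on the addresses from the post, with constructed dig output.
master_zone_stanza leistudy.com leistudy.com.zone 192.168.123.101
slave_zone_stanza leistudy.com leistudy.com.zone 192.168.123.100

MASTER_SOA='ns1.leistudy.com. admin.leistudy.com. 2018032901 3600 300 604800 86400'
SLAVE_SOA='ns1.leistudy.com. admin.leistudy.com. 2018032901 3600 300 604800 86400'
STALE_SOA='ns1.leistudy.com. admin.leistudy.com. 2018032801 3600 300 604800 86400'
if slave_in_sync "$MASTER_SOA" "$SLAVE_SOA"; then
  echo "ns2: in sync"
fi
if ! slave_in_sync "$MASTER_SOA" "$STALE_SOA"; then
  echo "ns2: stale, try: rndc retransfer leistudy.com (on the slave)"
fi
```

In production the two SOA lines come from `dig +short SOA leistudy.com @192.168.123.100` and `dig +short SOA leistudy.com @192.168.123.101`. Restricting allow-transfer does not stop ordinary queries, so the host and dig tests above keep working; it only stops AXFR/IXFR from hosts other than the listed slaves, and also-notify makes the master push a NOTIFY to them as soon as the serial changes.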
2. The rndc command
rndc connects to the rndc server, which starts together with named and listens on TCP port 953.
[root@ns2 slaves]# ss -tnl | grep ":953\b"
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 128 ::1:953 :::*
# usage: rndc COMMAND
# COMMAND:
# reload: reload the main configuration file and the zone database files
# reload zone: reload only the zone database file, not the main configuration file
# retransfer zone: start a zone transfer by hand, regardless of whether the serial has increased
# notify zone: resend the zone transfer notification
# reconfig: reload the main configuration file
# querylog: turn query logging on or off
# trace: increase the debug level by one
# trace [LEVEL]: set the debug level explicitly