Introduction to DNS

1. Overview of DNS-related concepts

1.1 What is an RFC?

https://baike.baidu.com/item/RFC/1840

Request For Comments (RFC) is a series of numbered documents. They collect information about the Internet, together with software documentation for the UNIX and Internet communities. RFCs are currently published under the sponsorship of the Internet Society (ISOC). All of the basic Internet communication protocols are specified in detail in RFC documents, and the RFC series also covers many topics beyond the standards themselves, such as records of newly developed Internet protocols and of work in progress. Almost every Internet standard is therefore to be found in the RFCs.

When you study a service later on, it is best to read the relevant RFC as the authoritative source. Common Internet servers and protocol standards are all defined in RFCs; the DNS protocol discussed here is one of them. The DNS-related RFCs are:
https://tools.ietf.org/html/rfc2181 # clarifications to the DNS specification
https://tools.ietf.org/html/rfc2136 # dynamic updates in DNS
https://tools.ietf.org/html/rfc2308 # negative caching of DNS queries

1.2 What is DNS?

https://baike.baidu.com/item/dns/427444?fr=aladdin

DNS (Domain Name System, sometimes also called Domain Name Service) is a distributed database on the World Wide Web that maps domain names and IP addresses to each other. It lets users reach the Internet more conveniently without having to remember the numeric IP strings that machines read directly. The process of obtaining the IP address that corresponds to a domain name is called domain name resolution (or host name resolution). The DNS protocol runs over UDP on port 53.
In the TCP/IP and OSI/ISO reference models DNS sits at the application layer: it is an application-layer protocol. It can be abstracted as a client/server (C/S) model; the RFC standard specifies UDP port 53, although TCP port 53 is also used by DNS at times. The "domain name" mentioned above is likewise a formally defined term. So, for communication on the Internet, that is, communication between processes on different hosts, is a domain name strictly necessary? No. In the C/S model, socket communication is the standard. The foundation of inter-process communication is the IP address and the port: the IP address identifies a host, and the port identifies a service process registered with the kernel, since inter-process communication and networking are both implemented by the kernel. So why do people need domain names when they already have IP addresses?
In the early days of the Internet there were no domain names at all. There were only a handful of computers in the world, and everyone knew the IP address of every host. As the number of computers grew, long strings of digits (take IPv4 as an example) became hard for people to remember, so people borrowed an abstraction from everyday life (put simply): a person gets a name at birth and is registered with the local police station, and later, at a certain age, gets an ID card. If the ID card identifies you, why also have a name? The answer is convenience. A long string of digits is hard to remember; a name is not. The same applies to Internet communication: as the number of hosts grew, IP addresses became a torment for humans, so IANA had to find a solution. Early on this was done with a local text file recording the mappings, the familiar "hosts" file: the IP-to-name mappings were written into this hosts file, and when there were updates you had to apply to IANA and download the latest hosts file. Looking at it with today's mindset the design seems rather silly: with so many computers in the world, plus the update problem, it would have worked IANA to death. Still, the hosts mechanism was popular for a while after it was introduced. It did not last: as the Internet matured and communication worldwide grew explosively, the hosts mechanism was gradually replaced by the newly introduced DNS.
IANA was mentioned above; what is it? IANA (The Internet Assigned Numbers Authority) is the organization mainly responsible for "number resource allocation" (IP addresses, port numbers and the other number-related public Internet resources), "protocol assignments" and "domain names". Its official site is https://www.iana.org/
[Figure: IANA home page screenshot]

Root Zone Database (links to all top-level domains under the root):
https://www.iana.org/domains/root/db

2. Basic DNS background

2.1 The root domain and common top-level domains

Take www.baidu.com as a simple example. This is a second-level domain name; strictly written, the second-level domain is "baidu.com." (note the trailing dot), and www is a host record under that second-level domain. The parent of the second-level domain "baidu.com." is the first-level domain ".com.", also called the top-level domain, and the .com top-level domain is one of the domains under the root domain ".".
As you can see, this is a hierarchical design: DNS uses this abstract model, borrowing the everyday idea of breaking a big problem into small pieces, to solve name resolution layer by layer. Let's look at the related concepts.

Root domain (rd, root domain): written simply as the dot symbol ".";
Top-level domain (tld, top level domain): names are written from right to left, for example .com., where the trailing "." is the root domain. There are many top-level domains; the early ones were:
(1) By organization
.com: commercial organizations;
.net: network service providers;
.org: non-profit organizations;
.gov: government departments;
.edu: educational institutions;
.mil: military organizations.

(2) By country
.iq
.tw
.hk
.jp
.cn

As shown in the following figure:
[Figure]

Today a very large number of top-level domains are registered with IANA; see:
https://www.iana.org/domains/root/db

What we apply for nowadays is normally a second-level domain. For example, I can apply for the second-level domain yanhui.com, which in DNS syntax should be written "yanhui.com.". As shown in the following figure:
[Figure]

Suppose the second-level domain yanhui.com. has web hosts web1 and web2, a forum host bbs, and other hosts. Its tree structure is roughly:
[Figure]

The tree above is a forward tree, which only handles resolution from names to IP addresses. Resolution from IP addresses to names is handled by a reverse tree, as shown in the following figure:
[Figure]
In the reverse tree the IP address is written with its octets reversed, followed by in-addr.arpa.

There are only 13 groups of root servers worldwide (https://www.iana.org/domains/root/servers):
[Figure]

2.2 Domains and zones

Having said so much about zones: what is the difference between a domain and a zone, are the two comparable, and what are they fundamentally?
A domain is a logical concept; what we apply for is a domain, for example a second-level domain. Applying for a top-level domain requires authorization from the root. Businesses and individuals generally start at the second level. What, then, is a zone? As mentioned above, resolving a domain name (FQDN) to an IP address walks the forward resolution tree, and resolving an IP address to a domain name walks the reverse resolution tree. Fundamentally this resolution is carried out through a resolution database, and the databases for forward and reverse resolution are necessarily different. Resolution from domain name to IP therefore belongs to the forward zone, and the reverse direction to the reverse zone; at bottom, a zone is the forward-zone database file or the reverse-zone database file. See the following figure:
[Figure]

The DNS name resolution directions mentioned above:
name --> IP: forward resolution
IP --> name: reverse resolution
Note: the two namespaces are not the same space, that is, not the same tree; consequently they are not the same resolution database either.

So when a client wants to resolve a domain name such as www.yanhui.com, what is the mechanism behind it? In simple terms:
[Figure]

However, dedicating a resolution database to a single domain is often wasteful and costly, so most providers of resolution services use one database server for many domains. The user has no direct access to the database server; instead the provider offers a front-end web interface, so from the user's perspective the backend is opaque. For example:
[Figure]

2.3 DNS recursion and iteration

Starting from the root, with top-level domains beneath it, suppose a second-level domain yanhui is registered under the com TLD and a second-level domain xiaotang under the org TLD; the two second-level domains yanhui and xiaotang may well share the same database server. As mentioned above, when a client requests a particular name and finds no answer in the local hosts file or in the local cache, it turns to the configured DNS server and has that server do the work. This step from client to DNS server is a recursive query: I hand the lookup to you, and you go and find it. The DNS server, however, may only be a caching name server that is not itself responsible for resolving the domain; in that case it asks the root, the root tells it whom to ask next, and so on until the DNS server (the caching name server) obtains the result. This back-and-forth sequence of lookups is an iterative query. See the following figure:
[Figure]

What, then, does a complete query go through?
client --> local hosts file --> local DNS cache --> recursive query to the DNS server --> the server decides:
(1) If the DNS server is itself responsible for the queried domain
It looks up its database directly and returns the answer.
(2) If the domain is not one it resolves
It checks its own cache; if there is no result, it then queries the distributed DNS name system iteratively.
Since lookups are involved there can be several kinds of result. We call such a result a resolution answer, and the answers are roughly these:
(1) Positive answer: a result exists and is returned.
(2) Negative answer: the queried key does not exist, so no value corresponding to it exists.
Positive answers can be further divided into:
(3) Authoritative answer: returned by the DNS server directly responsible for the name, as in step (1) of the complete query process above;
(4) Non-authoritative answer: as in step (2) of the complete query process above. The result may come from the cache of a DNS server that is not directly responsible, and that cached result may not have expired even though the actual record has already changed.
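The flow in (1) and (2) above, as an added example that is not part of the original article: a toy hierarchy of root, com TLD and yanhui.com authoritative server, a caching server that accepts the client's recursive query and iterates on its behalf, and a client that consults its hosts file first. Server names and addresses are constructed.

```python
"""Simulation of the lookup flow described above. Added example, not from the
original article; the toy namespace below is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed namespace. Each server knows only its own zone: a "referral" entry
# names the server to ask next, an "answer" entry is an authoritative A record.
SERVERS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "root":           {"com.": ("referral", "tld-com")},
    "tld-com":        {"yanhui.com.": ("referral", "ns1.yanhui.com")},
    "ns1.yanhui.com": {"www.yanhui.com.": ("answer", "192.168.56.5"),
                       "bbs.yanhui.com.": ("answer", "192.168.56.20")},
}

@dataclass
class Answer:
    name: str
    rcode: str            # "NOERROR" = positive answer, "NXDOMAIN" = negative answer
    value: Optional[str]
    authoritative: bool   # came straight from the zone's own server (dig's "aa" flag)
    path: List[str]       # servers asked during iteration; empty for a cache/hosts hit

def longest_match(name: str, table: Dict[str, Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Entry whose owner name is the longest suffix of the query name, if any."""
    best = None
    for owner, entry in table.items():
        if name == owner or name.endswith("." + owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, entry)
    return None if best is None else best[1]

class CachingServer:
    """The DNS server the client is configured with: it accepts a recursive
    query and walks the hierarchy iteratively, caching what it learns."""
    def __init__(self, servers: Dict[str, Dict[str, Tuple[str, str]]]):
        self.servers = servers
        self.cache: Dict[str, Answer] = {}

    def resolve(self, name: str) -> Answer:
        if name in self.cache:                  # non-authoritative: served from cache
            hit = self.cache[name]
            return Answer(name, hit.rcode, hit.value, False, [])
        answer = self.iterate(name)
        self.cache[name] = answer               # negative answers are cached as well
        return answer

    def iterate(self, name: str) -> Answer:
        server, path = "root", []
        while True:
            path.append(server)
            hit = longest_match(name, self.servers[server])
            if hit is None:                     # in this zone, but no record and no delegation
                return Answer(name, "NXDOMAIN", None, True, path)
            kind, target = hit
            if kind == "referral":              # "the next one to ask is ..."
                server = target
                continue
            return Answer(name, "NOERROR", target, True, path)

def client_lookup(name: str, hosts: Dict[str, str], server: CachingServer) -> Answer:
    """Client side of the flow: local hosts file first, then the configured server."""
    if name in hosts:
        return Answer(name, "NOERROR", hosts[name], False, ["hosts"])
    return server.resolve(name)

if __name__ == "__main__":
    srv = CachingServer(SERVERS)
    for q in ("www.yanhui.com.", "www.yanhui.com.", "nope.yanhui.com."):
        a = client_lookup(q, {}, srv)
        print(q, a.rcode, a.value, "aa" if a.authoritative else "cached", " -> ".join(a.path))
```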

2.4 Master and slave DNS

Master and slave (secondary) DNS server types:
(1) Master DNS server
The server that maintains the database of the domain it is responsible for; both reads and writes are possible;
(2) Slave DNS server
"Copies" a replica of the resolution database from the master DNS server or from another slave; read-only.

How the "copy" is carried out:
Serial number: serial, the version number of the database; whenever the master's database changes, its serial must be incremented;
Refresh interval: refresh, how often the slave checks the master for a new serial;
Retry interval: retry, how long the slave waits before trying again after a synchronization request to the master fails (should be much smaller than the refresh interval);
Expiry: expire, how long after losing all contact with the master the slave gives up synchronizing and stops serving the zone;
Negative-answer cache TTL;
The master "notifies" the slaves so that they update immediately.

Zone transfer:
(1) Full transfer: axfr, transfers the whole database;
(2) Incremental transfer: ixfr, transfers only the changed data;

Note: seen from the outside, the master and the slave are simply two servers; the master/slave (or primary/secondary) synchronization concept is supported by the application that implements the DNS protocol. From the slave's point of view there are two ways to synchronize with the master: the slave pulls from the master, or the master pushes to the slave. As shown in the following figure:
[Figure]

With master and slave servers in place, the read load from large volumes of requests can be spread evenly. Suppose I have 100 servers; the master DNS server's IP is 172.168.27.221 and the slave's is 172.168.27.223. I can split the 100 at random into two groups of 50, point the primary DNS entry of the first 50 at 172.168.27.221 and the primary DNS entry of the other 50 at 172.168.27.223 (each server can be configured with three DNS entries: the first is the primary DNS, the second the secondary, the third the backup; normally, as long as the server in the first entry is healthy, the other two are never used). This spreads the read load evenly across master and slave. As mentioned, each server can configure three DNS entries; on Red Hat family systems, for example, the DNS configuration file is /etc/resolv.conf and its format is:

nameserver 192.168.2.253
nameserver 114.114.114.114
nameserver 8.8.8.8

Here the primary DNS entry is 192.168.2.253, an internal DNS server, which may be a caching DNS server or one that resolves its own zones. A simple diagram of read-load distribution between master and slave DNS servers:
[Figure]

2.5 Common resource record types and their definition formats

Before we build a DNS server by hand, a few more essential concepts need explaining, some of them related to zone data files:

  • Resource record (RR, Resource Record)

  • Common resource record types:
    A, AAAA, PTR, SOA, NS, CNAME, MX
    (1) SOA record
    Start Of Authority
    Note: a zone database has exactly one SOA record, and it must be the first record;
    (2) NS record
    Name Server
    Note: a zone database may have several NS records, one of which is the master;
    (3) A record
    Address
    Note: resolves a domain name to an IPv4 address (FQDN --> IPv4).
    (4) AAAA record
    (IPv6) Address
    Note: resolves a domain name to an IPv6 address (FQDN --> IPv6).
    # An IPv4 address is 32 bits; if that is "A", then a 128-bit IPv6 address is "AAAA".
    (5) CNAME record
    Canonical Name (alias record)
    Note: literally the "canonical name": if Zhang San's nickname is Shagen, then Zhang San is the canonical name.
    (6) PTR record
    Pointer
    Note: a special one: resolves an IP address to an FQDN.
    (7) MX record
    Mail Exchanger
    Note: carries a priority from 0 to 99; the smaller the number, the higher the priority (with several MX records the priority order is followed, unlike the round-robin used for several A or AAAA records).

  • Syntax of a resource record definition
    Syntax: name [TTL] IN RR_TYPE Value
    Note: name is not always a plain string; its meaning differs for each record type listed above. TTL is Time To Live, how long a record may remain in a DNS server's cache; it can be omitted to use the default (explained below). IN is a keyword and cannot be omitted. RR_TYPE is one of the resource record types above (A, AAAA, PTR, SOA, NS, CNAME, MX). Value is the value of the record.

The definition formats for each record type:

(1) SOA record
name: the name of the current zone, for example "yanhui.com." or "2.3.4.in-addr.arpa."
ttl: how long the record stays in a DNS server's cache; it can be omitted in favour of the global default, and is left out of the entries below
value: consists of several parts
	part 1: the zone name of the current zone (or the master DNS server's name);
	part 2: the zone administrator's e-mail address, with the "@" replaced by ".";
	part 3: defined inside parentheses (master/slave coordination attributes and the negative-answer TTL)
Example:
yanhui.com. 	86400 	IN 		SOA 	yanhui.com. 	admin.yanhui.com.  (
			2018120101	; serial
			2H 			; refresh
			10M 		; retry
			1W			; expire
			1D			; negative answer ttl
)

(2) NS record
name: the current zone's name;
value: the name of one of the zone's DNS servers, e.g. ns.yanhui.com.; a zone may have several NS records.
Example:
yanhui.com. 	86400 	IN 	NS  	ns1.yanhui.com.
yanhui.com. 	86400 	IN 	NS  	ns2.yanhui.com.

(3) MX record
name: the current zone's name;
value: the host name of one of the zone's mail exchangers; there may be several MX records, but each value must be preceded by a number giving its priority.
Example:
yanhui.com. 		IN 	MX 	10  	mx1.yanhui.com.
yanhui.com. 		IN 	MX 	20  	mx2.yanhui.com.

(4) A record
name: an FQDN, e.g. www.yanhui.com.
value: an IPv4 address;
For example:
www.yanhui.com.		IN 	A	192.168.56.26
www.yanhui.com.		IN 	A	192.168.56.27
bbs.yanhui.com.		IN 	A	192.168.56.112

(5) AAAA record
name: an FQDN;
value: an IPv6 address;

(6) PTR record
name: an IP address in a special format, written reversed and with a specific suffix; for example, the record for 1.2.3.4 is written 4.3.2.1.in-addr.arpa.;
value: an FQDN
Example:
4.3.2.1.in-addr.arpa.  	IN  PTR	www.yanhui.com.

(7) CNAME record
name: the alias, as an FQDN;
value: the canonical name, as an FQDN;
Example:
web.yanhui.com.  	IN  	CNAME  www.yanhui.com.

Writing notes:
(1) TTL can be inherited from the global default;
(2) @ stands for the current zone's name;
(3) when two adjacent records have the same name, the second may omit it;
(4) in a forward zone the values of MX, NS and similar records are FQDNs, and each such FQDN should have an A record;

3. Software implementing the DNS protocol

On CentOS the DNS protocol is implemented by the bind package by default.

[root@localhost yum.repos.d]# yum info bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.cn99.com
 * epel: mirrors.aliyun.com
 * extras: centos.ustc.edu.cn
 * updates: mirrors.aliyun.com
Available Packages
Name        : bind
Arch        : x86_64
Epoch       : 32
Version     : 9.9.4
Release     : 61.el7_5.1
Size        : 1.8 M
Repo        : updates/7/x86_64
Summary     : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL         : http://www.isc.org/products/BIND/
License     : ISC
Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
            : (Domain Name System) protocols. BIND includes a DNS server (named),
            : which resolves host names to IP addresses; a resolver library
            : (routines for applications to use when interfacing with DNS); and
            : tools for verifying that the DNS server is operating properly.

About bind:
dns: the protocol
bind: one implementation of the DNS protocol
named: the process name of the running bind program

The bind package and related packages:
(1) bind-libs
Library files shared by the programs in the bind and bind-utils packages;
(2) bind-utils
bind client programs, such as dig, host and nslookup;
(3) bind-chroot
Runs named in a jail (optional; if you don't need the chroot feature, skip it)
(4) bind
The DNS server program plus several common test tools;

Install the packages above:

[root@localhost ~]# yum install bind-libs bind-utils bind
(installation output omitted)
[root@localhost ~]# yum install bind-chroot
(installation output omitted)

[root@localhost ~]# rpm -qa|grep '^bind'
bind-libs-9.9.4-72.el7.x86_64
bind-utils-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
bind-chroot-9.9.4-72.el7.x86_64

# Let's look at the file lists of the installed packages:
[root@localhost ~]# rpm -ql bind-libs
/usr/lib64/libbind9.so.90
/usr/lib64/libbind9.so.90.0.8
/usr/lib64/libdns.so.100
/usr/lib64/libdns.so.100.1.1
/usr/lib64/libisc.so.95
/usr/lib64/libisc.so.95.2.1
/usr/lib64/libisccc.so.90
/usr/lib64/libisccc.so.90.0.4
/usr/lib64/libisccfg.so.90
/usr/lib64/libisccfg.so.90.0.7
/usr/lib64/liblwres.so.90
/usr/lib64/liblwres.so.90.0.5

[root@localhost ~]# rpm -ql bind-chroot
/usr/lib/systemd/system/named-chroot-setup.service
/usr/lib/systemd/system/named-chroot.service
/usr/libexec/setup-named-chroot.sh
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/run
/var/named/chroot/run/named
/var/named/chroot/usr
/var/named/chroot/usr/lib64
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/tmp

[root@localhost ~]# rpm -ql bind-utils
/etc/trusted-key.key
/usr/bin/dig
/usr/bin/host
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/share/man/man1/dig.1.gz
/usr/share/man/man1/host.1.gz
/usr/share/man/man1/nslookup.1.gz
/usr/share/man/man1/nsupdate.1.gz

[root@localhost ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
(many entries omitted)
/usr/share/man/man8/rndc.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves

The main files installed by bind and what they are for:
(1) Main configuration file and sub-configuration files

[root@localhost ~]# rpm -qc bind
/etc/logrotate.d/named		# log rotation script, handled through rsyslog
/etc/named.conf			# main configuration file
/etc/named.iscdlv.key		# key-related configuration file
/etc/named.rfc1912.zones	# sub-configuration file included by the main one: zone definitions
/etc/named.root.key		# sub-configuration file included by the main one: key-related
/etc/rndc.conf				# absent by default; related to the rndc program
/etc/rndc.key				# absent by default; related to the rndc program
/etc/sysconfig/named		# options file for the service

/var/named/named.ca		# root hints for the global root zone
/var/named/named.empty	# an empty template without resolution records
/var/named/named.localhost # two further zone files for the local loopback address
/var/named/named.loopback

# /var/named/ holds the zone database files, usually named ZONE_NAME.zone
(1) one DNS server can serve several zones at once;
(2) the root zone file named.ca is mandatory;
(3) there should also be two zone files: the forward and reverse zones for localhost and 127.0.0.1

Other files in the bind package:
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named   # the main server daemon
/usr/sbin/named-checkconf  # checks the syntax of the configuration files that define zones
/usr/sbin/named-checkzone  # checks the syntax of a zone data file
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc   # remote control program for named
/usr/sbin/rndc-confgen

Once bind is installed it can be used as a caching name server right away; if it is not responsible for any zone, simply start the service:
systemctl start named.service

(2) named's main configuration file /etc/named.conf
Syntax: statements are enclosed in braces and end with a semicolon, and the clauses inside a statement also end with semicolons. Three comment styles are supported:

C-style multi-line comments: /* */
C++-style single-line comments: //   everything to the end of the line is a comment;
Unix-style single-line comments: #   everything to the end of the line is a comment;

The configuration file has three main sections:
(1) global options section
options { … }
(2) logging section
logging { … }
(3) zone section (the zones this host resolves or forwards)
zone { … }

(3) The three tools provided by bind-utils
dig, host and nslookup
A brief look at each.

a)=========== dig command =======================
DNS query tool. Used to test the DNS system; it does not consult the hosts file.
Brief syntax:
dig [@SERVER]  [-t RR_TYPE] name [query options]

Query options:
	+[no]trace: trace the resolution process;
	+[no]recurse: perform recursive resolution;
Reverse lookup syntax:
 dig -x IP
Simulate a full zone transfer:
dig -t axfr DOMAIN [@SERVER]
Example:
[root@localhost ~]# dig -t A www.baidu.com. 

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8163
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:	# the question section: I asked for the A record of www.baidu.com.
;www.baidu.com.			IN	A

;; ANSWER SECTION:   # the answer section
www.baidu.com.		528	IN	CNAME	www.a.shifen.com.   
www.a.shifen.com.	231	IN	A	14.215.177.38
www.a.shifen.com.	231	IN	A	14.215.177.39
# www.baidu.com. is an alias for www.a.shifen.com.
# www.a.shifen.com. then has two A records, one pointing to the server 14.215.177.38 and the other to 14.215.177.39 (www.a.shifen.com. is what we call the FQDN, Fully Qualified Domain Name; with two A records, the two servers answer client requests in round-robin fashion by default).
;; Query time: 21 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)  
# this shows I queried through the DNS server 114.114.114.114 (used here as a caching name server)
;; WHEN: Tue Dec 04 21:03:38 CST 2018
;; MSG SIZE  rcvd: 101
[root@localhost ~]# dig -t MX baidu.com.


; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t MX baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42044
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.			IN	MX

;; ANSWER SECTION:
baidu.com.		33	IN	MX	10 mx.maillb.baidu.com.
baidu.com.		33	IN	MX	15 mx.n.shifen.com.
baidu.com.		33	IN	MX	20 mx1.baidu.com.
baidu.com.		33	IN	MX	20 jpmx.baidu.com.
baidu.com.		33	IN	MX	20 mx50.baidu.com.

;; Query time: 21 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:10:01 CST 2018
;; MSG SIZE  rcvd: 154
# Above are Baidu's MX records: there are 5 servers, and priority 10, the highest, comes first.

[root@localhost ~]# dig -t SOA baidu.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t SOA baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62937
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;baidu.com.			IN	SOA

;; ANSWER SECTION:
baidu.com.		7200	IN	SOA	dns.baidu.com. sa.baidu.com. 2012139419 300 300 2592000 7200

;; Query time: 29 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:
# Above is the SOA record of baidu.com.

[root@localhost ~]# dig -t ns baidu.com.

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t ns baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19013
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.			IN	NS

;; ANSWER SECTION:
baidu.com.		72018	IN	NS	ns3.baidu.com.
baidu.com.		72018	IN	NS	ns2.baidu.com.
baidu.com.		72018	IN	NS	dns.baidu.com.
baidu.com.		72018	IN	NS	ns7.baidu.com.
baidu.com.		72018	IN	NS	ns4.baidu.com.

;; Query time: 18 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:12:25 CST 2018
;; MSG SIZE  rcvd: 128
# the NS records of baidu.com.

[root@localhost ~]# dig -x 14.215.177.38

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -x 14.215.177.38
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;38.177.215.14.in-addr.arpa.	IN	PTR

;; AUTHORITY SECTION:
215.14.in-addr.arpa.	2100	IN	SOA	soa. dns.guangzhou.gd.cn. 2016012127 10800 3600 604800 86400

;; Query time: 23 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Tue Dec 04 21:14:30 CST 2018
;; MSG SIZE  rcvd: 113
# Reverse lookup: no result (using the value of one of www.a.shifen.com's A records).

b)=========== host command =======================
Brief syntax:
host [-t RR_TYPE] name SERVER_IP

For example:
[root@localhost ~]# host -t A www.baidu.com.
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 14.215.177.39
www.a.shifen.com has address 14.215.177.38
[root@localhost ~]# host -t CNAME www.baidu.com.
www.baidu.com is an alias for www.a.shifen.com.
[root@localhost ~]# host -t CNAME www.a.shifen.com.
www.a.shifen.com has no CNAME record
[root@localhost ~]# host -t SOA baidu.com.
baidu.com has SOA record dns.baidu.com. sa.baidu.com. 2012139419 300 300 2592000 7200
[root@localhost ~]# host -t MX baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.
baidu.com mail is handled by 15 mx.n.shifen.com.
baidu.com mail is handled by 20 mx1.baidu.com.
baidu.com mail is handled by 20 jpmx.baidu.com.
baidu.com mail is handled by 20 mx50.baidu.com.
[root@localhost ~]# host -t NS baidu.com. 114.114.114.114
Using domain server:
Name: 114.114.114.114
Address: 114.114.114.114#53
Aliases: 

baidu.com name server ns3.baidu.com.
baidu.com name server ns2.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns4.baidu.com.
[root@localhost ~]# host -t NS baidu.com. 218.85.157.99
Using domain server:
Name: 218.85.157.99
Address: 218.85.157.99#53
Aliases: 

baidu.com name server ns2.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns4.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns3.baidu.com.
[root@localhost ~]# host -t PTR 14.215.177.38
Host 38.177.215.14.in-addr.arpa. not found: 3(NXDOMAIN)
[root@localhost ~]# host -t PTR 14.215.177.39
Host 39.177.215.14.in-addr.arpa. not found: 3(NXDOMAIN)

# host output is terser than dig output, but the meaning is much the same.

c)=========== nslookup command =======================
Non-interactive mode, brief syntax:
nslookup [-options] [name] [server]


Interactive mode:
nslookup>
	server IP: query using the given IP as the DNS server;
	set q=RR_TYPE: the resource record type to query;
	name: the name to look up;
For example:
[root@localhost ~]# nslookup www.baidu.com
Server:		114.114.114.114
Address:	114.114.114.114#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.39
Name:	www.a.shifen.com
Address: 14.215.177.38
Interactive mode:
[root@localhost ~]# nslookup
> set q=A   
> www.baidu.com
Server:		114.114.114.114
Address:	114.114.114.114#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 14.215.177.39
Name:	www.a.shifen.com
Address: 14.215.177.38
> set q=SOA
> baidu.com.
Server:		114.114.114.114
Address:	114.114.114.114#53

Non-authoritative answer:
baidu.com
	origin = dns.baidu.com
	mail addr = sa.baidu.com
	serial = 2012139419
	refresh = 300
	retry = 300
	expire = 2592000
	minimum = 7200

Authoritative answers can be found from:
> server 218.85.157.99
Default server: 218.85.157.99  # first set the default DNS server to query
Address: 218.85.157.99#53
> set q=MX
> baidu.com.
Server:		218.85.157.99
Address:	218.85.157.99#53

Non-authoritative answer:
baidu.com	mail exchanger = 10 mx.maillb.baidu.com.
baidu.com	mail exchanger = 20 jpmx.baidu.com.
baidu.com	mail exchanger = 20 mx50.baidu.com.
baidu.com	mail exchanger = 20 mx1.baidu.com.
baidu.com	mail exchanger = 15 mx.n.shifen.com.

Authoritative answers can be found from:
baidu.com	nameserver = ns2.baidu.com.
baidu.com	nameserver = ns7.baidu.com.
baidu.com	nameserver = ns4.baidu.com.
baidu.com	nameserver = dns.baidu.com.
baidu.com	nameserver = ns3.baidu.com.
mx1.baidu.com	internet address = 61.135.165.120
mx1.baidu.com	internet address = 220.181.50.185
jpmx.baidu.com	internet address = 61.208.132.13
dns.baidu.com	internet address = 202.108.22.220
ns2.baidu.com	internet address = 220.181.37.10
ns3.baidu.com	internet address = 112.80.248.64
ns4.baidu.com	internet address = 14.215.178.80
ns7.baidu.com	internet address = 180.76.76.92

A few more commands for configuration syntax checking and service reload:
named-checkconf [/etc/named.conf] # check configuration file syntax
named-checkzone ZONE_NAME ZONE_FILE # check zone data file syntax
rndc reload # reload the named service, equivalent to:
	systemctl reload named.service

4. Hands-on configuration

4.1 Configuring a caching name server

1. First, the default main configuration file:

[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { localhost; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@localhost ~]# 

Notes:
(1) The default listen configuration
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
listens on the local loopback and the default IPv6 loopback. The explanation below uses IPv4.
To listen on all addresses, or on a fixed address, write:
listen-on port 53 { any; };  # listen on all addresses
or
listen-on port 53 { 192.168.56.5; };  # listen on the given interface; my internal IP here is 192.168.56.5
Mind the syntax: leave spaces around the braces, separate multiple entries inside the braces with semicolons, and end the statement with a semicolon.

Options I suggest turning off while learning the configuration (the dnssec-related ones):
Defaults:
dnssec-enable yes;
dnssec-validation yes;
#dnssec-lookaside yes; # some versions do not have this option; mine does not

They can be turned off with:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;

When configuring master/slave, queries must be allowed from more than just localhost:
Default:
allow-query     { localhost; };
It can be changed to:
//allow-query     { localhost; };  # simply commented out. The default is then to allow everyone, subject to the listen addresses above

After the changes, my named.conf looks like this:
[root@localhost ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 127.0.0.1; 192.168.56.5; }; # changed: added my internal address
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	//allow-query     { localhost; };	# changed: new line added below
        allow-query { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	#dnssec-enable yes;	# changed
	#dnssec-validation yes;	# changed
        dnssec-enable no;	
        dnssec-validation no;
        dnssec-lookaside no;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@localhost ~]# 
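The stock file's own comment warns against exactly the combination just configured: recursion yes, allow-query { any; } and a listener on a non-loopback address turn named into an open recursive resolver, which is harmless on an isolated lab network but an amplification source anywhere reachable. As an added example (not the article's code, and a simplification of BIND's real grammar and ACL defaults), this lint extracts the options block and flags that combination and disabled DNSSEC validation; DEFAULT_CONF and LAB_CONF are the two options blocks shown above, trimmed.

```python
"""Added example, not the article's code: a lint for the named.conf options block that
flags the combination the stock file's own comment warns about (recursion allowed for
everyone on a non-loopback listener, i.e. an open resolver) and disabled DNSSEC validation.
The parsing and the ACL defaults are a simplification of BIND's real grammar."""
import re
from typing import List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def options_block(conf: str) -> str:
    """Text between the braces of 'options { ... };', nested braces included."""
    m = re.search(r"\boptions\s*\{", conf)
    if not m:
        return ""
    depth, start = 0, m.end() - 1
    for i in range(start, len(conf)):
        depth += (conf[i] == "{") - (conf[i] == "}")
        if depth == 0:
            return conf[start + 1:i]
    return conf[start + 1:]

def acl(opts: str, stmt: str) -> Optional[List[str]]:
    """Elements of an address-match-list statement, e.g. allow-query { any; }; -> ['any']."""
    bodies = re.findall(r"(?<![\w-])" + stmt + r"(?:\s+port\s+\d+)?\s*\{([^}]*)\}", opts)
    if not bodies:
        return None
    return [e.strip() for body in bodies for e in body.split(";") if e.strip()]

def setting(opts: str, stmt: str) -> Optional[str]:
    """Value of a simple 'stmt value;' statement, e.g. recursion yes; -> 'yes'."""
    m = re.search(r"(?<![\w-])" + stmt + r"\s+([^\s;]+)\s*;", opts)
    return m.group(1) if m else None

def audit_named_conf(conf: str) -> List[Tuple[str, str]]:
    opts = options_block(strip_comments(conf))
    findings = []
    recursion = setting(opts, "recursion") or "yes"          # BIND default
    allow_query = acl(opts, "allow-query") or ["any"]        # unset: anyone may query
    allow_rec = acl(opts, "allow-recursion") or allow_query  # simplified fallback chain
    listeners = (acl(opts, "listen-on") or ["any"]) + (acl(opts, "listen-on-v6") or [])
    exposed = any(a not in LOOPBACK for a in listeners)
    if recursion == "yes" and "any" in allow_rec and exposed:
        findings.append(("OPEN-RESOLVER", "recursion yes, recursion allowed for { any; } and a "
                         "non-loopback listener: anyone who can reach port 53 gets recursion"))
    if setting(opts, "dnssec-validation") == "no":
        findings.append(("DNSSEC-OFF", "dnssec-validation no: answers are accepted unvalidated"))
    return findings

# Stock CentOS options block as printed above, trimmed to the statements that matter.
DEFAULT_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    allow-query     { localhost; };
    /* If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
};
zone "." IN { type hint; file "named.ca"; };
"""

# The edited block from this section: lab address added, queries opened, DNSSEC turned off.
LAB_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; 192.168.56.5; }; # changed
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    //allow-query     { localhost; };
    allow-query { any; };
    recursion yes;
    #dnssec-enable yes;
    #dnssec-validation yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;
};
"""

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("lab", LAB_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

Adding `allow-recursion { localnets; };` (or restricting allow-query again) clears the first finding while still serving the lab network.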

2. Configure resolution for a forward zone
Assume the second-level domain is yanhui.com (a second-level domain under the com TLD; yanhui is the registered label)
(1) Define the zone

# done in the main configuration file or in a sub-configuration file it includes
The definition template looks like:
zone "ZONE_NAME" IN {
    type {master|slave|hint|forward};
    file "ZONE_NAME.zone";
};
# note the semicolon that ends each statement.
What I added:
[root@localhost named]# vim /etc/named.rfc1912.zones
[root@localhost named]# tail -n 4 /etc/named.rfc1912.zones
zone "yanhui.com" IN {
    type master;
    file "yanhui.com.zone";
};
# named-checkconf can be used to check the configuration syntax
[root@localhost named]# named-checkconf 
[root@localhost named]# echo $?
0
[root@localhost named]# named-checkconf /etc/named.rfc1912.zones 
[root@localhost named]# echo $?
0

(2) Create the zone data file
# the zone data file specified in step (1) is yanhui.com.zone, a relative path; the default base is /var/named, so the file should be /var/named/yanhui.com.zone

[root@localhost named]# vim /var/named/yanhui.com.zone
[root@localhost named]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com.	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com. (
	2018120401
	1H
	10M
	1D
	6M
)

yanhui.com.	IN	NS	ns1.yanhui.com.
yanhui.com.	IN	NS	ns2.yanhui.com.
yanhui.com.	IN	MX	10 mx1.yanhui.com.
yanhui.com.	IN	MX	20 mx2.yanhui.com.
yanhui.com.	IN	MX	21 bpmx.yanhui.com.
ns1.yanhui.com.	IN	A	192.168.56.5
ns2.yanhui.com. IN	A	192.168.56.5
mx1.yanhui.com.	IN	A	192.168.56.11
mx2.yanhui.com.	IN	A	192.168.56.12
bpmx.yanhui.com.	IN	A	192.168.56.13
www.yanhui.com.	IN	A	192.168.56.5
web.yanhui.com.	IN	CNAME	www.yanhui.com.
bbs.yanhui.com.	IN	A	192.168.56.20
bbs.yanhui.com.	IN	A	192.168.56.21


Fix the permissions:
[root@localhost named]# ls -l 
total 20
drwxr-x--- 7 root  named   61 Dec  4 20:17 chroot
drwxrwx--- 2 named named    6 Oct 31 08:29 data
drwxrwx--- 2 named named    6 Oct 31 08:29 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Oct 31 08:29 slaves
-rw-r--r-- 1 root  root   598 Dec  4 22:04 yanhui.com.zone
[root@localhost named]# chgrp named yanhui.com.zone 
[root@localhost named]# chmod 640 yanhui.com.zone 
[root@localhost named]# ls -l yanhui.com.zone 
-rw-r----- 1 root named 598 Dec  4 22:04 yanhui.com.zone
# check the zone data file syntax with named-checkzone:
[root@localhost named]# named-checkzone yanhui.com. /var/named/yanhui.com.zone 
zone yanhui.com/IN: loaded serial 2018120401
OK
# this means no problems; the loaded serial is 2018120401
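named-checkzone reports OK above. As an added example (not the article's code and not named-checkzone), the following parser applies the writing rules from section 2.5 and the retry/refresh rule from 2.4 to this zone file: $TTL inheritance, "@", omitted names, the parenthesised SOA, and the requirement that in-zone NS/MX targets have an A record. PAGE_ZONE is a trimmed copy of the zone file built above; BAD_ZONE (example.com.) is constructed to trip the checks.

```python
"""Added example (not the article's code, not named-checkzone): parse a master-format zone and
apply section 2.5's writing rules plus 2.4's retry << refresh rule. BAD_ZONE is constructed."""
import re
from typing import List, NamedTuple, Optional

Record = NamedTuple("Record", [("name", str), ("ttl", Optional[int]),
                               ("rtype", str), ("rdata", List[str])])
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TIME_RE = re.compile(r"(\d+)([smhdw]?)", re.I)
HOST_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}  # host-name fields

def parse_time(tok: str) -> int:
    """BIND time value: plain seconds, or digits plus unit (1H=3600, 10M=600, 1D=86400)."""
    m = TIME_RE.fullmatch(tok)
    if not m:
        raise ValueError(f"bad time value {tok!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "s").lower()]

def qualify(name: str, origin: str) -> str:
    """Rule (2): '@' is the zone name; a name without a trailing dot is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text: str):
    """Strip ';' comments, join '( ... )' continuations, flag indented entries (rule (3))."""
    buf, depth, indented = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:
            indented = line[0].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield indented, " ".join(buf).split()
            buf = []

def parse_zone(text: str, origin: str) -> List[Record]:   # origin carries its trailing dot
    default_ttl, last_name, records = None, None, []
    for indented, toks in logical_lines(text):
        if toks[0] == "$TTL":
            default_ttl = parse_time(toks[1])
            continue
        name = last_name if indented else qualify(toks.pop(0), origin)
        ttl = default_ttl                                   # rule (1): inherited from $TTL
        while toks[0].upper() == "IN" or TIME_RE.fullmatch(toks[0]):
            tok = toks.pop(0)                               # optional TTL and class, either order
            if tok.upper() != "IN":
                ttl = parse_time(tok)
        rtype, rdata = toks[0].upper(), toks[1:]
        for i in HOST_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append(Record(name, ttl, rtype, rdata))
        last_name = name
    return records

def soa_timers(soa: Record):
    """(serial, refresh, retry, expire, negative-ttl) with the units expanded."""
    return (int(soa.rdata[2]),) + tuple(parse_time(t) for t in soa.rdata[3:7])

def check_zone(records: List[Record]) -> List[str]:
    """Rule violations; an empty list means the zone passes."""
    if sum(r.rtype == "SOA" for r in records) != 1 or records[0].rtype != "SOA":
        return ["exactly one SOA is required and it must be the first record"]
    problems, apex = [], records[0].name
    _, refresh, retry, _, _ = soa_timers(records[0])
    if retry >= refresh:                                    # 2.4: retry must stay well below refresh
        problems.append(f"retry {retry}s is not below refresh {refresh}s")
    addressed = {r.name for r in records if r.rtype in ("A", "AAAA")}
    for r in records:
        if r.rtype not in ("NS", "MX"):
            continue
        target = r.rdata[0] if r.rtype == "NS" else r.rdata[1]
        if target.endswith("." + apex) and target not in addressed:    # rule (4)
            problems.append(f"{r.rtype} target {target} has no A/AAAA record in this zone")
    return problems

PAGE_ZONE = """\
$TTL 600
yanhui.com.  IN  SOA  ns1.yanhui.com. dnsadmin.yanhui.com. (
    2018120401
    1H
    10M
    1D
    6M
)
yanhui.com.      IN  NS  ns1.yanhui.com.
yanhui.com.      IN  MX  10 mx1.yanhui.com.
ns1.yanhui.com.  IN  A   192.168.56.5
mx1.yanhui.com.  IN  A   192.168.56.11
www.yanhui.com.  IN  A   192.168.56.5
"""

BAD_ZONE = """\
$TTL 1D
@     IN  SOA  ns1 hostmaster.example.com. ( 1 2H 3H 1W 1D )  ; retry >= refresh
      IN  NS   ns1
      IN  MX   10 mail                                        ; mail has no A record
ns1   3600  IN  A  192.0.2.1
"""
```

The expanded SOA timers of PAGE_ZONE (3600 600 86400 360) are the same numbers host prints for the zone in the test section below.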

(3) Reload the configuration and zone data files

rndc reload, or
systemctl reload named.service
# I had not started the service yet, so it has to be started first
[root@localhost named]# systemctl start named.service
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2018-12-04 22:08:16 CST; 4s ago
  Process: 12740 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 12737 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 12743 (named)
   CGroup: /system.slice/named.service
           └─12743 /usr/sbin/named -u named -c /etc/named.conf

Dec 04 22:08:16 localhost.localdomain named[12743]: all zones loaded
Dec 04 22:08:16 localhost.localdomain named[12743]: running
Dec 04 22:08:16 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Dec 04 22:08:16 localhost.localdomain named[12743]: zone yanhui.com/IN: sending notifies (serial 2018120401)
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Dec 04 22:08:16 localhost.localdomain named[12743]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
[root@localhost named]# ps aux|grep named
root      12690  0.0  0.3 126352  1904 pts/3    S+   21:51   0:00 vi /etc/named.conf
named     12743  0.0 12.0 166756 58468 ?        Ssl  22:08   0:00 /usr/sbin/named -u named -c /etc/named.conf
root      12901  0.0  0.1 112648   960 pts/1    R+   22:11   0:00 grep --color=auto named
[root@localhost named]# ss -nltu
Netid State      Recv-Q Send-Q                                  Local Address:Port                                                 Peer Address:Port              
udp   UNCONN     0      0                                           127.0.0.1:53                                                              *:*                  
udp   UNCONN     0      0                                           127.0.0.1:323                                                             *:*                  
udp   UNCONN     0      0                                                 ::1:53                                                             :::*                  
udp   UNCONN     0      0                                                 ::1:323                                                            :::*                  
tcp   LISTEN     0      10                                          127.0.0.1:53                                                              *:*                  
tcp   LISTEN     0      128                                                 *:22                                                              *:*                  
tcp   LISTEN     0      128                                         127.0.0.1:953                                                             *:*                  
tcp   LISTEN     0      100                                         127.0.0.1:25                                                              *:*                  
tcp   LISTEN     0      10                                                ::1:53                                                             :::*                  
tcp   LISTEN     0      128                                                :::22                                                             :::*                  
tcp   LISTEN     0      128                                               ::1:953                                                            :::*                  
tcp   LISTEN     0      100                                               ::1:25                                                             :::*    
# To reload the running server:
[root@localhost ~]# rndc reload
server reload successful

(4) Testing

# The simple host tool is used for the tests here
1> Query the SOA record of yanhui.com. through the local DNS server
[root@localhost ~]# host -t SOA yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com has SOA record ns1.yanhui.com. dnsadmin.yanhui.com. 2018120401 3600 600 86400 360
2> NS record query (the order of the two records changes between queries: BIND rotates records of equal type round-robin by default)
[root@localhost ~]# host -t NS yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com name server ns2.yanhui.com.
yanhui.com name server ns1.yanhui.com.
[root@localhost ~]# host -t NS yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com name server ns1.yanhui.com.
yanhui.com name server ns2.yanhui.com.
3> MX record query (the three records are also returned in rotating order; a mail client must sort them by preference, lowest first, before use)
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com mail is handled by 20 mx2.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 21 bpmx.yanhui.com.
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com mail is handled by 21 bpmx.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 20 mx2.yanhui.com.
[root@localhost ~]# host -t MX yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

yanhui.com mail is handled by 21 bpmx.yanhui.com.
yanhui.com mail is handled by 10 mx1.yanhui.com.
yanhui.com mail is handled by 20 mx2.yanhui.com.
4> A record query
[root@localhost ~]# host -t A www.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

www.yanhui.com has address 192.168.56.5
[root@localhost ~]# host -t A bbs.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

bbs.yanhui.com has address 192.168.56.20
bbs.yanhui.com has address 192.168.56.21
[root@localhost ~]# host -t A ns1.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

ns1.yanhui.com has address 192.168.56.5
5> CNAME record query (an A query for the alias returns the CNAME plus the A record of the canonical name)
[root@localhost ~]# host -t CNAME web.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

web.yanhui.com is an alias for www.yanhui.com.
[root@localhost ~]# host -t A web.yanhui.com. 192.168.56.5
Using domain server:
Name: 192.168.56.5
Address: 192.168.56.5#53
Aliases: 

web.yanhui.com is an alias for www.yanhui.com.
www.yanhui.com has address 192.168.56.5

3. Configuring a reverse zone
(1) Define the zone

[root@localhost ~]# vim /etc/named.rfc1912.zones 
[root@localhost ~]# tail -4 /etc/named.rfc1912.zones
zone "56.168.192.in-addr.arpa" IN {
    type master;
    file "56.168.192.zone";
};
# Check the configuration syntax
[root@localhost ~]# named-checkconf 
[root@localhost ~]# echo $?
0

(2) Create the zone data file

[root@localhost named]# cat /var/named/56.168.192.zone 
$TTL 600
$ORIGIN 56.168.192.in-addr.arpa.
@	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com. (
	2018120401
	1H
	10M
	1D
	6M
)
@	IN	NS	ns1.yanhui.com.
@	IN	NS	ns2.yanhui.com.
5.56.168.192.in-addr.arpa.	IN	PTR	ns1.yanhui.com.
5	IN	PTR	ns2.yanhui.com.	; relative owner name (the original line read "5.@", which BIND does not expand: "@" only stands for $ORIGIN when it is the whole owner name, so that PTR never matched 192.168.56.5)
88.56.168.192.in-addr.arpa.	IN	PTR	mx1.yanhui.com.
89.56.168.192.in-addr.arpa.	IN	PTR	mx2.yanhui.com.
90.56.168.192.in-addr.arpa.	IN	PTR	bpmx.yanhui.com.
20.56.168.192.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
21.56.168.192.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
5.56.168.192.in-addr.arpa.	IN	PTR	www.yanhui.com.

[root@localhost named]# 

# Give the zone file to group named with mode 640 (named runs as user named and only needs to read a master zone file; it should not be writable by it or readable by everyone), then check the zone syntax
[root@localhost named]# ls -l
total 24
-rw-r--r-- 1 root  root   552 Dec  4 22:42 56.168.192.zone
drwxr-x--- 7 root  named   61 Dec  4 20:17 chroot
drwxrwx--- 2 named named   23 Dec  4 22:08 data
drwxrwx--- 2 named named   60 Dec  4 22:08 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Oct 31 08:29 slaves
-rw-r----- 1 root  named  598 Dec  4 22:04 yanhui.com.zone
[root@localhost named]# chgrp named 56.168.192.zone 
[root@localhost named]# chmod 640 56.168.192.zone
[root@localhost named]# ls -l 56.168.192.zone 
-rw-r----- 1 root named 552 Dec  4 22:42 56.168.192.zone
[root@localhost named]# named-checkzone 56.168.192.in-addr.arpa. /var/named/56.168.192.zone 
zone 56.168.192.in-addr.arpa/IN: loaded serial 2018120401
OK

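Writing PTR records by hand is where the owner-name mistakes above come from. The script below is an added example, not code from the original article: it builds the in-addr.arpa zone for a /8, /16 or /24 from the forward A records and then checks that every PTR is forward-confirmed (the PTR target has an A record with that address), the property mail and SSH servers test when they validate reverse DNS. The hostnames and addresses are the article's 192.168.56.0/24 lab data; the SOA timer values, function names and the stale PTR used in the check are this example's own assumptions.

```python
"""Build an in-addr.arpa reverse zone from forward A records and check that
every PTR is forward-confirmed (its target's A record points back at the IP).

Added example, not code from the article. The names and addresses are the
article's lab data; SOA timers, helper names and the stale PTR are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed input: (owner, address) pairs copied from the forward zone file.
FORWARD_A_RECORDS = [
    ("ns1.yanhui.com.", "192.168.56.5"),
    ("ns2.yanhui.com.", "192.168.56.5"),
    ("www.yanhui.com.", "192.168.56.5"),
    ("bbs.yanhui.com.", "192.168.56.20"),
    ("bbs.yanhui.com.", "192.168.56.21"),
    ("mx1.yanhui.com.", "192.168.56.88"),
    ("mx2.yanhui.com.", "192.168.56.89"),
    ("bpmx.yanhui.com.", "192.168.56.90"),
]


def reverse_name(ip):
    """Owner name of the PTR for an IPv4 address, e.g. 5.56.168.192.in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def reverse_zone_origin(network):
    """Origin of the reverse zone for a /8, /16 or /24 (octet-aligned delegations)."""
    net = ipaddress.IPv4Network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classless reverse zones (RFC 2317) are not handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(network, a_records):
    """Map each reverse owner name inside `network` to the names that point at it."""
    net = ipaddress.IPv4Network(network)
    ptrs = defaultdict(list)
    for name, ip in a_records:
        if ipaddress.IPv4Address(ip) in net:
            ptrs[reverse_name(ip)].append(name)
    return dict(ptrs)


def build_reverse_zone(network, a_records, nameservers, hostmaster, serial, ttl=600):
    """Render a zone file in the layout the article uses ($TTL, $ORIGIN, SOA, NS, PTR)."""
    origin = reverse_zone_origin(network)
    lines = [
        f"$TTL {ttl}",
        f"$ORIGIN {origin}",
        f"@\tIN\tSOA\t{nameservers[0]} {hostmaster} ( {serial} 1H 10M 1D 6M )",
    ]
    lines += [f"@\tIN\tNS\t{ns}" for ns in nameservers]
    ptrs = ptr_records(network, a_records)
    # Owners are written relative to $ORIGIN, so only the host octet(s) remain.
    relative = {owner[: -len(origin) - 1]: owner for owner in ptrs}
    for rel in sorted(relative, key=lambda r: [int(o) for o in reversed(r.split("."))]):
        for target in ptrs[relative[rel]]:
            lines.append(f"{rel}\tIN\tPTR\t{target}")
    return "\n".join(lines) + "\n"


def unconfirmed_ptrs(ptrs, a_records):
    """PTRs whose target has no A record with that address (fail forward-confirmed rDNS)."""
    forward = set(map(tuple, a_records))
    bad = []
    for owner, targets in ptrs.items():
        # Rebuild the address from the owner: reverse the octets in front of in-addr.arpa.
        octets = owner.split(".in-addr.arpa.")[0].split(".")
        ip = ".".join(reversed(octets))
        bad += [(owner, t) for t in targets if (t, ip) not in forward]
    return bad


if __name__ == "__main__":
    print(build_reverse_zone("192.168.56.0/24", FORWARD_A_RECORDS,
                             ["ns1.yanhui.com.", "ns2.yanhui.com."],
                             "dnsadmin.yanhui.com.", 2018120401))
    # Constructed stale entry: the host moved but its PTR was never updated.
    stale = ptr_records("192.168.56.0/24", FORWARD_A_RECORDS)
    stale["7.56.168.192.in-addr.arpa."] = ["old.yanhui.com."]
    print(unconfirmed_ptrs(stale, FORWARD_A_RECORDS))
```

Run it and feed the printed zone to named-checkzone as the article does; the unconfirmed_ptrs check is the one to run whenever the forward zone changes, because a PTR that no longer matches an A record is the usual cause of "reverse DNS check failed" rejections.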
(3) Reload the configuration and the zone data

[root@localhost named]# rndc reload
server reload successful

(4) Testing

[root@localhost named]# dig @192.168.56.5 -x 192.168.56.5 

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.56.5 -x 192.168.56.5
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45032
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.56.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
5.56.168.192.in-addr.arpa. 600	IN	PTR	www.yanhui.com.
5.56.168.192.in-addr.arpa. 600	IN	PTR	ns1.yanhui.com.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 600	IN	NS	ns2.yanhui.com.
56.168.192.in-addr.arpa. 600	IN	NS	ns1.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	192.168.56.5
ns2.yanhui.com.		600	IN	A	192.168.56.5

;; Query time: 0 msec
;; SERVER: 192.168.56.5#53(192.168.56.5)
;; WHEN: Tue Dec 04 22:45:49 CST 2018
;; MSG SIZE  rcvd: 164

[root@localhost named]# dig @192.168.56.5 -x 192.168.56.20

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.56.5 -x 192.168.56.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50045
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20.56.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
20.56.168.192.in-addr.arpa. 600	IN	PTR	bbs.yanhui.com.

;; AUTHORITY SECTION:
56.168.192.in-addr.arpa. 600	IN	NS	ns2.yanhui.com.
56.168.192.in-addr.arpa. 600	IN	NS	ns1.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	192.168.56.5
ns2.yanhui.com.		600	IN	A	192.168.56.5

;; Query time: 0 msec
;; SERVER: 192.168.56.5#53(192.168.56.5)
;; WHEN: Tue Dec 04 22:45:57 CST 2018
;; MSG SIZE  rcvd: 151

[root@localhost named]# 

4.2. Master/slave server configuration

# A different lab environment was used for this test, so the IP addresses change; otherwise the setup is the same. The single-server configuration files are not repeated here.

1. Zone configuration on the slave DNS server
(1) Define a slave zone

Configuration template:
zone "ZONE_NAME"  IN {
	type  slave;
	file  "slaves/ZONE_NAME.zone";
	masters  { MASTER_IP; };
};
Notes: the type must be slave.
The file directive points into the slaves directory, which the BIND package creates under /var/named (the master has it as well). It is owned and writable by user named, which is what the transferred copy needs, unlike a master zone file.
The zone is transferred automatically as long as file permissions, access control and the firewall allow it; the transfer itself is a TCP connection to port 53 on the master, so UDP/53 alone is not enough.
masters lists the IP address(es) of the master.

The actual slave zone definition:
zone "yanhui.com." IN {
	type slave;
	file "slaves/yanhui.com.zone";
	masters { 172.16.0.4; };
};

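The "access control" part of the note above is the one that is easy to forget: in the BIND version used here a zone with no allow-transfer statement (and none in options) hands its complete contents to any client that asks for an AXFR, which is a reconnaissance gift. The script below is an added example, not code from the article or from BIND: it parses the zone statements of a named.conf (brace matching, comments stripped), resolves the effective allow-transfer per zone, and reports zones that are open to everyone or slave zones without a masters list. The sample configuration is constructed from the article's zone names and addresses.

```python
"""Audit zone statements in a named.conf for zone-transfer exposure.

Added example, not from the article or from BIND. It assumes the BIND 9.9
default described in the text: a zone without allow-transfer (and without a
global allow-transfer in options) allows AXFR from any client.
"""
import re

# Constructed sample: the article's zones, one of them already restricted.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 172.16.0.4; };
    allow-query { any; };
};

zone "yanhui.com" IN {
    type master;
    file "yanhui.com.zone";
};

zone "0.16.172.in-addr.arpa" IN {
    type master;
    file "0.16.172.zone";
    allow-transfer { 172.16.0.6; };
};

zone "ops.yanhui.com" IN {
    type slave;
    file "slaves/ops.yanhui.com.zone";
    masters { 172.16.0.8; };
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments, the three forms named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def top_level_statements(text):
    """Yield (header, body) for each top-level `keyword [label] { body };` statement."""
    i, n = 0, len(text)
    while i < n:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].split(";")[-1].strip()   # drop brace-less statements (include ...;)
        depth, j = 1, start + 1
        while depth and j < n:                         # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def address_list(body, option):
    """Elements of `option { a; b; };` inside a statement body, or None if absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(option), body)
    if not m:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def audit(conf_text):
    """Return (zone, type, problem) tuples for zones whose transfer policy is unsafe."""
    text = strip_comments(conf_text)
    global_xfer, zones = None, []
    for header, body in top_level_statements(text):
        parts = header.split()
        if parts and parts[0] == "options":
            global_xfer = address_list(body, "allow-transfer")
        elif parts and parts[0] == "zone":
            zones.append((parts[1].strip('"'), body))
    findings = []
    for name, body in zones:
        m = re.search(r"\btype\s+(\S+)\s*;", body)
        ztype = m.group(1) if m else "?"
        xfer = address_list(body, "allow-transfer")
        if xfer is None:
            xfer = global_xfer            # zone-level setting overrides the global one
        if xfer is None or "any" in xfer:
            findings.append((name, ztype, "zone transfer open to any client"))
        if ztype == "slave" and address_list(body, "masters") is None:
            findings.append((name, ztype, "slave zone has no masters list"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NAMED_CONF):
        print("%s (%s): %s" % finding)
```

The fix it points at is `allow-transfer { 172.16.0.6; };` on the master's zones (or a TSIG key name instead of the address) and `allow-transfer { none; };` on the slave, since a slave answers AXFR just as readily as the master. The usual confirmation from another host is `dig @172.16.0.4 yanhui.com AXFR`, which must come back with "Transfer failed."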
2. Synchronising the forward zone from the master and testing

# The forward zone must contain an NS record for the slave together with an A record for that NS name pointing at the slave's IP address. named sends NOTIFY messages to the servers listed in the zone's NS records (apart from the one named in the SOA MNAME), so without this record the slave would only learn about changes when its SOA refresh timer expires. Note also that BIND 9.9 allows zone transfers from any address unless allow-transfer is set: restrict it on the master to the slave's IP (or a TSIG key), otherwise anyone who can reach TCP/53 can pull the whole zone.

[root@localhost named]# cat /var/named/yanhui.com.zone 
$TTL 600
yanhui.com.	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com. (
	2018120402
	1H
	10M
	1D
	6M
)

yanhui.com.	IN	NS	ns1.yanhui.com.
yanhui.com.	IN	NS	ns2.yanhui.com.
yanhui.com.	IN	MX	10 mx1.yanhui.com.
yanhui.com.	IN	MX	20 mx2.yanhui.com.
yanhui.com.	IN	MX	21 bpmx.yanhui.com.
ns1.yanhui.com.	IN	A	172.16.0.4
ns2.yanhui.com.	IN	A	172.16.0.6	; essential: the slave, and the address NOTIFY is sent to
mx1.yanhui.com.	IN	A	172.16.0.11
mx2.yanhui.com.	IN	A	172.16.0.12
bpmx.yanhui.com.	IN	A	172.16.0.13
www.yanhui.com.	IN	A	172.16.0.4
web.yanhui.com.	IN	CNAME	www.yanhui.com.
bbs.yanhui.com.	IN	A	172.16.0.20
bbs.yanhui.com.	IN	A	172.16.0.21

If the slave had already synchronised an earlier copy, remember to increment the serial in the master's SOA record (the file above already has it incremented): a slave only transfers the zone when the master's serial is newer than its own, compared with serial-number arithmetic, so an edit without a serial bump is never propagated.
Next, check the syntax of the master's zone file and reload the master:
[root@localhost named]# named-checkzone yanhui.com. /var/named/yanhui.com.zone 
zone yanhui.com/IN: loaded serial 2018120402
OK
[root@localhost named]# rndc reload
server reload successful

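Because a forgotten or mistyped serial silently leaves every slave stale, it is worth automating the bump. The script below is an added example, not code from the article: it reads the serial out of a parenthesised SOA record like the article's, computes the next YYYYMMDDnn serial (resetting the counter on a new day, incrementing it on the same day), and verifies with RFC 1982 serial-number arithmetic that slaves will actually see the new value as newer. The zone text is an abbreviated, constructed copy of the article's yanhui.com zone; the function names are this example's own.

```python
"""Read, compare and bump the SOA serial of a zone file.

Added example, not from the article. Assumes the multi-line, parenthesised
SOA layout the article uses; serial comparison follows RFC 1982, which is
how a slave decides whether the master's copy is newer.
"""
import re
from datetime import date

# Constructed sample zone (abbreviated from the article's yanhui.com zone).
SAMPLE_ZONE = """$TTL 600
yanhui.com.\tIN\tSOA\tns1.yanhui.com. dnsadmin.yanhui.com. (
\t2018120402
\t1H
\t10M
\t1D
\t6M
)
yanhui.com.\tIN\tNS\tns1.yanhui.com.
"""

# Group 1: everything from "SOA" to the opening parenthesis; group 2: the serial.
SERIAL_RE = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)")


def read_serial(zone_text):
    """Serial field of the first SOA record in the zone text."""
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA record with parenthesised RDATA found")
    return int(m.group(2))


def serial_gt(a, b):
    """RFC 1982: a is newer than b when 0 < (a - b) mod 2^32 < 2^31 (wrap-around safe)."""
    return 0 < (a - b) % 2**32 < 2**31


def next_serial(current, today=None):
    """Next YYYYMMDDnn serial: today's date with nn=01, or current+1 if already today's."""
    today = today or int(date.today().strftime("%Y%m%d"))   # today as an int YYYYMMDD
    base = today * 100
    candidate = current + 1 if current >= base else base + 1
    if not serial_gt(candidate, current):
        raise ValueError("new serial would not be seen as newer by slaves")
    return candidate


def bump_serial(zone_text, today=None):
    """Return (new zone text, old serial, new serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today)
    return SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1), old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE)
    print("serial %d -> %d" % (old, new))
    print(text)
```

After writing the bumped file, compare what the two servers actually serve rather than trusting the files: `dig +short SOA yanhui.com @172.16.0.4` and the same against 172.16.0.6 must show the same serial once the transfer has completed.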
Then reload the configuration on the slave and check its status:
[root@localhost named]# named-checkconf 
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-12-05 23:53:44 CST; 4min 12s ago
  Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13597 (named)
   CGroup: /system.slice/named.service
           └─13597 /usr/sbin/named -u named -c /etc/named.conf

Dec 05 23:57:46 localhost.localdomain named[13597]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 05 23:57:46 localhost.localdomain named[13597]: reloading configuration succeeded
Dec 05 23:57:46 localhost.localdomain named[13597]: reloading zones succeeded
Dec 05 23:57:46 localhost.localdomain named[13597]: all zones loaded
Dec 05 23:57:46 localhost.localdomain named[13597]: running
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: Transfer started.
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#44399
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120402
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120402)
Hint: Some lines were ellipsized, use -l to show in full.
# The log shows the transfer completed (transferred serial 2018120402).

[root@localhost named]# ls -l /var/named/slaves/yanhui.com.zone 
-rw-r--r-- 1 named named 631 Dec  5 23:57 /var/named/slaves/yanhui.com.zone
[root@localhost named]# file /var/named/slaves/yanhui.com.zone
/var/named/slaves/yanhui.com.zone: data
# The forward zone has been transferred into slaves/, so synchronisation works. file reports "data" because BIND 9.9 stores transferred zones in its raw binary format by default; named-compilezone -f raw -F text -o - yanhui.com /var/named/slaves/yanhui.com.zone prints it as text. A quick query test:
[root@localhost named]# 
[root@localhost named]# dig -t A www.yanhui.com. @172.16.0.6

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.yanhui.com. @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48543
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com.			IN	A

;; ANSWER SECTION:
www.yanhui.com.		600	IN	A	172.16.0.4

;; AUTHORITY SECTION:
yanhui.com.		600	IN	NS	ns1.yanhui.com.
yanhui.com.		600	IN	NS	ns2.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	172.16.0.4
ns2.yanhui.com.		600	IN	A	172.16.0.6

;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Wed Dec 05 23:59:27 CST 2018
;; MSG SIZE  rcvd: 127

# Resolving through the slave works.
Now add a record on the master. The master's zone after the change (note that the SOA serial was incremented; then check the status):
[root@localhost named]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com.	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com. (
	2018120403
	1H
	10M
	1D
	6M
)

yanhui.com.	IN	NS	ns1.yanhui.com.
yanhui.com.	IN	NS	ns2.yanhui.com.
yanhui.com.	IN	MX	10 mx1.yanhui.com.
yanhui.com.	IN	MX	20 mx2.yanhui.com.
yanhui.com.	IN	MX	21 bpmx.yanhui.com.
ns1.yanhui.com.	IN	A	172.16.0.4
ns2.yanhui.com. IN	A	172.16.0.6
mx1.yanhui.com.	IN	A	172.16.0.11
mx2.yanhui.com.	IN	A	172.16.0.12
bpmx.yanhui.com.	IN	A	172.16.0.13
www.yanhui.com.	IN	A	172.16.0.4
web.yanhui.com.	IN	CNAME	www.yanhui.com.
bbs.yanhui.com.	IN	A	172.16.0.20
bbs.yanhui.com.	IN	A	172.16.0.21
pop3.yanhui.com. IN	A	172.16.0.22
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Wed 2018-12-05 14:48:51 CST; 9h ago
  Process: 2022 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2035 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2032 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 2037 (named)
   CGroup: /system.slice/named.service
           └─2037 /usr/sbin/named -u named -c /etc/named.conf

Dec 06 00:10:54 localhost.localdomain named[2037]: automatic empty zone: B.E.F.IP6.ARPA
Dec 06 00:10:54 localhost.localdomain named[2037]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:10:54 localhost.localdomain named[2037]: reloading configuration succeeded
Dec 06 00:10:54 localhost.localdomain named[2037]: reloading zones succeeded
Dec 06 00:10:54 localhost.localdomain named[2037]: zone yanhui.com/IN: loaded serial 2018120403
Dec 06 00:10:54 localhost.localdomain named[2037]: zone yanhui.com/IN: sending notifies (serial 2018120403)
Dec 06 00:10:54 localhost.localdomain named[2037]: all zones loaded
Dec 06 00:10:54 localhost.localdomain named[2037]: running
Dec 06 00:10:54 localhost.localdomain named[2037]: client 172.16.0.6#52665 (yanhui.com): transfer of 'yanhui.com/IN': AXFR-style...tarted
Dec 06 00:10:54 localhost.localdomain named[2037]: client 172.16.0.6#52665 (yanhui.com): transfer of 'yanhui.com/IN': AXFR-style... ended
Hint: Some lines were ellipsized, use -l to show in full.
# The log shows that zone yanhui.com. was reloaded, the master sent notifies (serial 2018120403), and the slave immediately pulled the zone (an AXFR-style transfer).

Status on the slave:
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-12-05 23:53:44 CST; 19min ago
  Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13597 (named)
   CGroup: /system.slice/named.service
           └─13597 /usr/sbin/named -u named -c /etc/named.conf

Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#44399
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120402
Dec 05 23:57:46 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 05 23:57:46 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120402)
Dec 06 00:10:54 localhost.localdomain named[13597]: client 172.16.0.4#35222: received notify for zone 'yanhui.com'
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: Transfer started.
Dec 06 00:10:54 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: connected using 172.16.0.6#52665
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: transferred serial 2018120403
Dec 06 00:10:54 localhost.localdomain named[13597]: transfer of 'yanhui.com/IN' from 172.16.0.4#53: Transfer completed: 1 messag...s/sec)
Dec 06 00:10:54 localhost.localdomain named[13597]: zone yanhui.com/IN: sending notifies (serial 2018120403)
Hint: Some lines were ellipsized, use -l to show in full.
# The slave received the NOTIFY and transferred serial 2018120403. Test with dig:
[root@localhost named]# dig @172.16.0.6 -t A pop3.yanhui.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -t A pop3.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39052
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pop3.yanhui.com.		IN	A

;; ANSWER SECTION:
pop3.yanhui.com.	600	IN	A	172.16.0.22

;; AUTHORITY SECTION:
yanhui.com.		600	IN	NS	ns1.yanhui.com.
yanhui.com.		600	IN	NS	ns2.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	172.16.0.4
ns2.yanhui.com.		600	IN	A	172.16.0.6

;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:13:52 CST 2018
;; MSG SIZE  rcvd: 128
# Resolution is correct.

3. Synchronising the reverse zone from the master and testing

(1) On the slave, define the reverse zone with type slave pointing at the master; the actual content:
zone "0.16.172.in-addr.arpa" IN {
	type slave;
	file "slaves/0.16.172.zone";
	masters { 172.16.0.4; };
};
Check the syntax:
[root@localhost named]# named-checkconf 
[root@localhost named]# echo $?
0

(2) In the master's reverse zone file, add an NS record for the slave (its A record lives in the forward zone and is what NOTIFY uses), add a PTR for the slave's address for completeness, and increment the SOA serial. Note that the mx1/mx2/bpmx PTRs below still carry host numbers 88-90 copied from the earlier 192.168.56 lab, while the forward zone has those hosts at 172.16.0.11-13; reverse and forward data should agree, so in a real deployment those three PTRs need correcting.
[root@localhost named]# cat /var/named/0.16.172.zone
$TTL 600
$ORIGIN 0.16.172.in-addr.arpa.
@	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com.(
	2018120402
	1H
	10M
	1D
	6M
)
@	IN	NS	ns1.yanhui.com.
@	IN	NS	ns2.yanhui.com.	; essential: NOTIFY goes to the zone's NS targets
4.0.16.172.in-addr.arpa.	IN	PTR	ns1.yanhui.com.
6.0.16.172.in-addr.arpa.	IN	PTR	ns2.yanhui.com.	; the slave, 172.16.0.6
88.0.16.172.in-addr.arpa.	IN	PTR	mx1.yanhui.com.
89.0.16.172.in-addr.arpa.	IN	PTR	mx2.yanhui.com.
90.0.16.172.in-addr.arpa.	IN	PTR	bpmx.yanhui.com.
20.0.16.172.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
21.0.16.172.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
4.0.16.172.in-addr.arpa.	IN	PTR	www.yanhui.com.
Check the zone syntax:
[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa /var/named/0.16.172.zone 
zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120402
OK

(3) Reload the configuration on the slave and check its status
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-12-05 23:53:44 CST; 30min ago
  Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13597 (named)
   CGroup: /system.slice/named.service
           └─13597 /usr/sbin/named -u named -c /etc/named.conf

Dec 06 00:23:35 localhost.localdomain named[13597]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:23:35 localhost.localdomain named[13597]: reloading configuration succeeded
Dec 06 00:23:35 localhost.localdomain named[13597]: reloading zones succeeded
Dec 06 00:23:35 localhost.localdomain named[13597]: all zones loaded
Dec 06 00:23:35 localhost.localdomain named[13597]: running
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: Transfer started.
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#54569
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120401
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120401)
Hint: Some lines were ellipsized, use -l to show in full.
# The transfer succeeded, but look at the serial: the slave received 2018120401 although the master's file already says 2018120402, because the master had not been reloaded after the edit. named-checkzone reads the file, not the running server, so compare against what the master actually serves (dig +short SOA 0.16.172.in-addr.arpa @172.16.0.4) before concluding that a slave is out of date. Now check that the slaves directory on the slave holds the reverse zone data file
[root@localhost named]# ls -l /var/named/slaves/0.16.172.zone 
-rw-r--r-- 1 named named 672 Dec  6 00:23 /var/named/slaves/0.16.172.zone
[root@localhost named]# file /var/named/slaves/0.16.172.zone
/var/named/slaves/0.16.172.zone: data
# Test resolution
[root@localhost named]# dig @172.16.0.6 -x 172.16.0.20

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -x 172.16.0.20
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38089
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20.0.16.172.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
20.0.16.172.in-addr.arpa. 600	IN	PTR	bbs.yanhui.com.

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.	600	IN	NS	ns2.yanhui.com.
0.16.172.in-addr.arpa.	600	IN	NS	ns1.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	172.16.0.4
ns2.yanhui.com.		600	IN	A	172.16.0.6

;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:25:10 CST 2018
;; MSG SIZE  rcvd: 149
# Test OK

# Add a record on the master and check whether it is synchronised immediately (remember to increment the serial)
[root@localhost ~]# vim /var/named/0.16.172.zone 
[root@localhost ~]# cat /var/named/0.16.172.zone
$TTL 600
$ORIGIN 0.16.172.in-addr.arpa.
@	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com.(
	2018120403
	1H
	10M
	1D
	6M
)
@	IN	NS	ns1.yanhui.com.
@	IN	NS	ns2.yanhui.com.
4.0.16.172.in-addr.arpa.	IN	PTR	ns1.yanhui.com.
6.0.16.172.in-addr.arpa.	IN	PTR	ns2.yanhui.com.
88.0.16.172.in-addr.arpa.	IN	PTR	mx1.yanhui.com.
89.0.16.172.in-addr.arpa.	IN	PTR	mx2.yanhui.com.
90.0.16.172.in-addr.arpa.	IN	PTR	bpmx.yanhui.com.
20.0.16.172.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
21.0.16.172.in-addr.arpa.	IN	PTR	bbs.yanhui.com.
4.0.16.172.in-addr.arpa.	IN	PTR	www.yanhui.com.
22.0.16.172.in-addr.arpa.	IN	PTR	pop3.yanhui.com.
Check the reverse zone file syntax and reload
[root@localhost ~]# named-checkzone 0.16.172.in-addr.arpa /var/named/0.16.172.zone 
zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120403
OK
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Wed 2018-12-05 14:48:51 CST; 9h ago
  Process: 2022 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2035 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2032 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 2037 (named)
   CGroup: /system.slice/named.service
           └─2037 /usr/sbin/named -u named -c /etc/named.conf

Dec 06 00:27:45 localhost.localdomain named[2037]: automatic empty zone: B.E.F.IP6.ARPA
Dec 06 00:27:45 localhost.localdomain named[2037]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Dec 06 00:27:45 localhost.localdomain named[2037]: reloading configuration succeeded
Dec 06 00:27:45 localhost.localdomain named[2037]: reloading zones succeeded
Dec 06 00:27:45 localhost.localdomain named[2037]: zone 0.16.172.in-addr.arpa/IN: loaded serial 2018120403
Dec 06 00:27:45 localhost.localdomain named[2037]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120403)
Dec 06 00:27:45 localhost.localdomain named[2037]: all zones loaded
Dec 06 00:27:45 localhost.localdomain named[2037]: running
Dec 06 00:27:45 localhost.localdomain named[2037]: client 172.16.0.6#52017 (0.16.172.in-addr.arpa): transfer of '0.16.172.in-add...tarted
Dec 06 00:27:45 localhost.localdomain named[2037]: client 172.16.0.6#52017 (0.16.172.in-addr.arpa): transfer of '0.16.172.in-add... ended
Hint: Some lines were ellipsized, use -l to show in full.

Check the slave's status:
[root@localhost named]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2018-12-05 23:53:44 CST; 34min ago
  Process: 13595 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 13592 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 13597 (named)
   CGroup: /system.slice/named.service
           └─13597 /usr/sbin/named -u named -c /etc/named.conf

Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#54569
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120401
Dec 06 00:23:35 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:23:35 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120401)
Dec 06 00:27:45 localhost.localdomain named[13597]: client 172.16.0.4#27039: received notify for zone '0.16.172.in-addr.arpa'
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: Transfer started.
Dec 06 00:27:45 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: connected using 1...#52017
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: transferred serial 2018120403
Dec 06 00:27:45 localhost.localdomain named[13597]: transfer of '0.16.172.in-addr.arpa/IN' from 172.16.0.4#53: Transfer complete...s/sec)
Dec 06 00:27:45 localhost.localdomain named[13597]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 2018120403)
Hint: Some lines were ellipsized, use -l to show in full.
# Status is normal; test the new record:
[root@localhost named]# dig @172.16.0.6 -x 172.16.0.22

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.6 -x 172.16.0.22
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61455
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;22.0.16.172.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
22.0.16.172.in-addr.arpa. 600	IN	PTR	pop3.yanhui.com.

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa.	600	IN	NS	ns1.yanhui.com.
0.16.172.in-addr.arpa.	600	IN	NS	ns2.yanhui.com.

;; ADDITIONAL SECTION:
ns1.yanhui.com.		600	IN	A	172.16.0.4
ns2.yanhui.com.		600	IN	A	172.16.0.6

;; Query time: 1 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: Thu Dec 06 00:29:04 CST 2018
;; MSG SIZE  rcvd: 150
# Resolution OK; the tests pass.

4.3. Subdomain delegation (a single subdomain, forward zone only)

1. Delegating a subdomain in the forward zone
Assume the subdomain to delegate is ops.yanhui.com.
To delegate it, the parent zone needs NS records like the ones below, plus an A record (glue) for each name server: the name servers' own names lie inside the subdomain, so without glue a resolver could never find them.

ops.yanhui.com.	IN	NS	ns1.ops.yanhui.com.
ops.yanhui.com.	IN	NS	ns2.ops.yanhui.com.
ns1.ops.yanhui.com.	IN	A	IP_ADDRESS
ns2.ops.yanhui.com.	IN	A	IP_ADDRESS
What was actually added to the forward zone file of the second-level domain yanhui.com. for its subdomain ops.yanhui.com.:
[root@localhost ~]# cat /var/named/yanhui.com.zone
$TTL 600
yanhui.com.	IN	SOA	ns1.yanhui.com. dnsadmin.yanhui.com. (
	2018120404
	1H
	10M
	1D
	6M
)

yanhui.com.	IN	NS	ns1.yanhui.com.
yanhui.com.	IN	NS	ns2.yanhui.com.
yanhui.com.	IN	MX	10 mx1.yanhui.com.
yanhui.com.	IN	MX	20 mx2.yanhui.com.
yanhui.com.	IN	MX	21 bpmx.yanhui.com.
ns1.yanhui.com.	IN	A	172.16.0.4
ns2.yanhui.com. IN	A	172.16.0.6
mx1.yanhui.com.	IN	A	172.16.0.11
mx2.yanhui.com.	IN	A	172.16.0.12
bpmx.yanhui.com.	IN	A	172.16.0.13
www.yanhui.com.	IN	A	172.16.0.4
web.yanhui.com.	IN	CNAME	www.yanhui.com.
bbs.yanhui.com.	IN	A	172.16.0.20
bbs.yanhui.com.	IN	A	172.16.0.21
pop3.yanhui.com. IN	A	172.16.0.22

; delegation of the subdomain (the SOA serial above was incremented)
ops.yanhui.com.	IN	NS	ns1.ops.yanhui.com.
ns1.ops.yanhui.com.	IN	A	172.16.0.8
Check the syntax and reload (not shown here).

2. On the new server, define the subdomain's zone and its forward zone data

The zone definition for the subdomain:
zone "ops.yanhui.com" IN {
        type master;
        file "ops.yanhui.com.zone";
};
# Check the configuration and look at the service status
[root@localhost ~]# named-checkconf 
[root@localhost ~]# echo $?
[root@localhost ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2018-12-06 00:45:12 CST; 10s ago
  Process: 14123 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 14119 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 14124 (named)
   CGroup: /system.slice/named.service
           └─14124 /usr/sbin/named -u named -c /etc/named.conf

Dec 06 00:45:13 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Dec 06 00:45:13 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 193.0.14.129#53
Dec 06 00:45:13 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 199.7.91.13#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 202.12.27.33#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:84::b#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Dec 06 00:45:14 localhost.localdomain named[14124]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 192.58.128.30#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 192.5.5.241#53
Dec 06 00:45:14 localhost.localdomain named[14124]: FORMERR resolving './NS/IN': 198.97.190.53#53

[root@localhost ~]# ss -tunl
Netid State      Recv-Q Send-Q                                  Local Address:Port                                    Peer Address:Port 
udp   UNCONN     0      0                                          172.16.0.8:53                                                 *:*     
udp   UNCONN     0      0                                           127.0.0.1:53                                                 *:*     
udp   UNCONN     0      0                                                 ::1:53                                                :::*     
tcp   LISTEN     0      10                                         172.16.0.8:53                                                 *:*     
tcp   LISTEN     0      10                                          127.0.0.1:53                                                 *:*     
tcp   LISTEN     0      128                                                 *:22                                                 *:*     
tcp   LISTEN     0      128                                         127.0.0.1:953                                                *:*     
tcp   LISTEN     0      100                                         127.0.0.1:25                                                 *:*     
tcp   LISTEN     0      10                                                ::1:53                                                :::*     
tcp   LISTEN     0      128                                                :::22                                                :::*     
tcp   LISTEN     0      128                                               ::1:953                                               :::*     
tcp   LISTEN     0      100                                               ::1:25                                                :::*   

PS: The main configuration of the subdomain server is set up the same way as before: listen-on must include the server's internal IP address and queries must be allowed. The FORMERR and "network unreachable" lines in the status output come from named trying to prime its root hints, which is resolver behaviour; if this server is only meant to be authoritative for ops.yanhui.com, set recursion no; so it does not also act as an open resolver for whoever can reach it.

Forward zone data for the subdomain:
[root@localhost ~]# cat /var/named/ops.yanhui.com.zone
$TTL 3600
ops.yanhui.com.	IN	SOA	ns1.ops.yanhui.com.	nsadmin.ops.yanhui.com.	(
	2018120601
	1H
	10M
	1D
	2H
)

ops.yanhui.com.	IN	NS	ns1.ops.yanhui.com.
ns1.ops.yanhui.com.	IN	A	172.16.0.8
www.ops.yanhui.com.	IN	A	172.16.0.8
# Set the group and the file mode
[root@localhost named]# chgrp named ops.yanhui.com.zone 
[root@localhost named]# chmod 640 ops.yanhui.com.zone 
# Check the zone syntax and reload
[root@localhost named]# named-checkzone ops.yanhui.com. /var/named/ops.yanhui.com.zone 
zone ops.yanhui.com/IN: loaded serial 2018120601
OK
[root@localhost named]# rndc reload
server reload successful

Use dig to resolve the name through the subdomain's own server and through its parent's server:
(1) On the subdomain DNS server
[root@localhost named]# dig -t A www.ops.yanhui.com @172.16.0.8

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.ops.yanhui.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.yanhui.com.		IN	A

;; ANSWER SECTION:
www.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; AUTHORITY SECTION:
ops.yanhui.com.		3600	IN	NS	ns1.ops.yanhui.com.

;; ADDITIONAL SECTION:
ns1.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: Thu Dec 06 00:52:16 CST 2018
;; MSG SIZE  rcvd: 97

(2) Test on the parent-domain DNS server of ops.yanhui.com.
[root@localhost ~]# dig -t A www.ops.yanhui.com @172.16.0.4

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> -t A www.ops.yanhui.com @172.16.0.4
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.yanhui.com.		IN	A

;; ANSWER SECTION:
www.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; AUTHORITY SECTION:
ops.yanhui.com.		600	IN	NS	ns1.ops.yanhui.com.

;; ADDITIONAL SECTION:
ns1.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; Query time: 4 msec
;; SERVER: 172.16.0.4#53(172.16.0.4)
;; WHEN: Thu Dec 06 00:52:50 CST 2018
;; MSG SIZE  rcvd: 97

# Both results above are OK, so the delegation works. The subdomain DNS server is configured exactly as yanhui.com. was configured earlier; the parent of yanhui.com. is a global top-level domain, so the configuration at the TLD level is much the same as what we did here. A subdomain DNS server can likewise have a reverse zone and master/slave replication.
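The two dig outputs above differ in a way worth checking by hand each time a delegation is created: the child answers with the aa flag (it is authoritative), the parent answers without it (it recursed to the child), and the NS record carries a TTL of 600 at the parent but 3600 at the child, i.e. the two servers hold separate copies of that record. The script below is an added example, not code from the original post: it parses dig's text output and compares what the child and the parent say about the delegated zone (NS set, nameserver addresses, aa flag), which is how a stale or lame delegation is caught after a zone file edit. The two samples are constructed to match the answers shown above; on a real system they would be the captured output of the two dig commands.

```python
"""Check a subdomain delegation for consistency from two dig answers.

Added example, not code from the original post. It parses dig's text output
and compares the child server's and the parent server's view of the delegated
zone: NS set, nameserver A records, and whether the child answered with aa.
"""
import re
from dataclasses import dataclass

# Constructed sample: dig -t A www.ops.yanhui.com @172.16.0.8 (the child).
CHILD_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51727
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ops.yanhui.com.		IN	A

;; ANSWER SECTION:
www.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; AUTHORITY SECTION:
ops.yanhui.com.		3600	IN	NS	ns1.ops.yanhui.com.

;; ADDITIONAL SECTION:
ns1.ops.yanhui.com.	3600	IN	A	172.16.0.8
"""

# Constructed sample: the same query sent to the parent (172.16.0.4), which
# recursed to the child; note the missing aa flag and the NS TTL of 600.
PARENT_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42399
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.ops.yanhui.com.		IN	A

;; ANSWER SECTION:
www.ops.yanhui.com.	3600	IN	A	172.16.0.8

;; AUTHORITY SECTION:
ops.yanhui.com.		600	IN	NS	ns1.ops.yanhui.com.

;; ADDITIONAL SECTION:
ns1.ops.yanhui.com.	3600	IN	A	172.16.0.8
"""


@dataclass(frozen=True)
class RR:
    name: str
    ttl: int
    rtype: str
    rdata: str


# owner  ttl  IN  type  rdata  (dig prints tabs between the fields)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+([A-Z0-9]+)\s+(.+)$")


def parse_dig(text):
    """Return (flags, sections); sections maps e.g. 'ANSWER' -> [RR, ...]."""
    flags, sections, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; flags:"):
            flags = set(line.split("flags:", 1)[1].split(";", 1)[0].split())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            current = line[2:].strip().rsplit(" ", 1)[0]   # 'ANSWER', 'AUTHORITY', ...
            sections.setdefault(current, [])
        elif line and not line.startswith(";") and current is not None:
            m = RR_LINE.match(line)
            if m:
                sections[current].append(
                    RR(m.group(1).lower(), int(m.group(2)), m.group(3), m.group(4).strip().lower()))
    return flags, sections


def _rrs(sections, *names):
    return [rr for n in names for rr in sections.get(n, [])]


def answer_addresses(dig_text, qname):
    """Set of A record data returned for qname in the ANSWER section."""
    _flags, sections = parse_dig(dig_text)
    qname = qname.lower().rstrip(".") + "."
    return {rr.rdata for rr in _rrs(sections, "ANSWER") if rr.rtype == "A" and rr.name == qname}


def check_delegation(child_dig, parent_dig, zone):
    """Compare child and parent answers for `zone`; return a list of findings.

    An empty list means the delegation is consistent. Anything else is what an
    operator wants to alert on: parent and child disagree about the NS set or
    the nameserver addresses, or the child no longer answers authoritatively.
    """
    zone = zone.lower().rstrip(".") + "."
    cflags, csec = parse_dig(child_dig)
    pflags, psec = parse_dig(parent_dig)
    findings = []

    if "aa" not in cflags:
        findings.append("child did not set aa: it is not authoritative for the zone")
    if "aa" in pflags:
        findings.append("parent set aa for a delegated name: it may be serving the subzone itself")

    def ns_set(sections):
        return {rr.rdata for rr in _rrs(sections, "ANSWER", "AUTHORITY")
                if rr.rtype == "NS" and rr.name == zone}

    def ns_addrs(sections):
        return {(rr.name, rr.rdata) for rr in _rrs(sections, "ADDITIONAL") if rr.rtype == "A"}

    child_ns, parent_ns = ns_set(csec), ns_set(psec)
    if not child_ns:
        findings.append(f"child returned no NS records for {zone}")
    elif child_ns != parent_ns:
        findings.append(f"NS sets differ: child={sorted(child_ns)} parent={sorted(parent_ns)}")
    if ns_addrs(csec) != ns_addrs(psec):
        findings.append(f"nameserver addresses differ: child={sorted(ns_addrs(csec))} "
                        f"parent={sorted(ns_addrs(psec))}")
    return findings


if __name__ == "__main__":
    print("answer:", answer_addresses(CHILD_DIG, "www.ops.yanhui.com"))
    print("findings:", check_delegation(CHILD_DIG, PARENT_DIG, "ops.yanhui.com") or "none")
```

The TTL difference on the NS record is deliberately not reported: the parent's delegation NS record and the child's apex NS record are separate records and may legitimately carry different TTLs, as they do above. What must agree is the set of nameserver names and their addresses; when the child zone file is later edited to add or rename a nameserver, the parent's delegation has to be changed too, and this check is the one that reveals when that step was forgotten.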

4.4. Intelligent DNS configuration and a simulated implementation

1. Overview of intelligent DNS

https://baike.baidu.com/item/智能dns/2258801?fr=aladdin

Intelligent DNS is implemented with the DNS view feature. A view can be thought of as a sub-container inside BIND.
One BIND server can define several views, and each view can define one or more zones. Each view serves one group of requesting clients. Several views may have to answer for the same zone, each using a different zone data file.
Once views are enabled, every zone must be defined inside a view (later on we cut the root zone out of the main configuration file and paste it into a view block). The root zone only needs to be defined in the view whose clients are allowed to make recursive queries. When a client request arrives, the client list served by each view is checked from top to bottom.

Intelligent DNS is an intelligent resolution service first introduced by domain name service providers. It determines the visitor's source IP address automatically and returns the matching IP address, so that China Netcom users reach the Netcom server and China Telecom users reach the Telecom server. The following two scenarios call for intelligent DNS resolution:

Scenario 1:
The company LAN hosts a site that provides a web service to the outside (how it is published externally does not matter here); assume the site's domain is www.yanhui.com. A DNS server on the public network has an internal and an external interface, configured with a LAN address and a public address respectively. Two kinds of clients may now query www.yanhui.com: external clients and internal clients. For a public client, the DNS server can only resolve the name to the public IP of the company's egress. For an internal client either address would work, but if a LAN client's query is also answered with the egress public IP, its traffic has to go out and be turned back into the LAN, a long detour. Since the DNS server knows about the LAN, it is preferable to answer internal clients directly with the site's internal LAN IP. As shown in the figure below:
[figure: scenario 1, not reproduced]

Scenario 2:
On the DNS server's internal network, the Telecom datacenter and the Unicom datacenter each keep a synchronized copy of the cache. When users on the Telecom network and users on the Unicom network query the DNS server, Telecom users should be served by the DNS cache in the Telecom datacenter and Unicom users by the DNS cache in the Unicom datacenter. As shown in the figure below:
[figure: scenario 2, not reproduced]

Now let us simulate this scenario in a simple way; the diagram is as follows:
[figure: simulation setup, not reproduced]

2. A simple hands-on simulation of the DNS view feature
(1) Prepare one server with two IP addresses
# for simplicity I just add a secondary address on the same interface: one IP is 172.16.0.10, the other is 192.168.0.24
[root@localhost ~]# ip addr add 192.168.0.24/24 dev eno16777736
[root@localhost ~]# ip addr list eno16777736
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:85:86:8d brd ff:ff:ff:ff:ff:ff
inet 172.16.0.10/16 brd 172.16.255.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet 192.168.0.24/24 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe85:868d/64 scope link
valid_lft forever preferred_lft forever

(2) Configure the views
# installation of the bind packages is omitted.

[root@localhost ~]# cat /etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	//listen-on port 53 { 127.0.0.1; 172.16.0.24; 192.168.0.24; };
	listen-on port 53 { any; };  # my two addresses are aliases on one interface, so I use any to listen on every local address
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { localhost; };  # if clients are on other hosts, adjust this; in my local simulation everything runs on one machine,

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	## DNSSEC is disabled for this test because configuring it is rather involved
	dnssec-enable no;
	dnssec-validation no;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
# the root zone that was originally defined here has been moved into a view

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@localhost ~]# 	

Zone configuration:

[root@localhost ~]# cat /etc/named.rfc1912.zones 
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

view inner {    // the first view; it contains the root zone definition cut from the main configuration
    match-clients { 192.168.0.0/24; };   # matches clients in 192.168.0.0/24

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
    };

    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
    };

    zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
    };

    zone "yanhui.com." IN {
        type master;
        file "yanhui.com.inner";
    };
};

view outnet {  // the second view
    match-clients { 172.16.0.0/16; };  # matches clients in 172.16.0.0/16
    zone "yanhui.com." IN {
        type master;
        file "yanhui.com.outnet";
    };
};

view default {
    match-clients { any; };   # clients matching neither view above fall through to this default view, which matches everything (views are tested top to bottom and the first match wins)
    zone "yanhui.com." IN {
        type master;
        file "yanhui.com.outnet";
    };
};

Zone data files:

[root@localhost ~]# cat /var/named/yanhui.com.inner 
$TTL 60
@	IN	SOA	dns.yanhui.com.		dnsadmin.yanhui.com. (
	2018120701
	1H
	5M
	1D
	2H
)
	IN	NS	dns
	IN	MX	10 mail
dns	IN	A	192.168.0.24
mail	IN	A	192.168.0.12
www	IN	A	192.168.0.254

[root@localhost ~]# cat /var/named/yanhui.com.outnet 
$TTL 60
@	IN	SOA	dns.yanhui.com.		dnsadmin.yanhui.com. (
	2018120701
	1H
	5M
	1D
	2H
)
	IN	NS	dns
	IN	MX	10 mail
dns	IN	A	172.16.0.10
mail	IN	A	172.16.0.12
www	IN	A	172.16.0.28

Fix the permissions and check the configuration syntax:

[root@localhost ~]# chgrp named /var/named/yanhui.com.*
[root@localhost ~]# chmod 640 /var/named/yanhui.com.*
[root@localhost ~]# ls -l /var/named/yanhui.com.*
-rw-r----- 1 root named 181 Dec  7 08:22 /var/named/yanhui.com.inner
-rw-r----- 1 root named 177 Dec  7 08:21 /var/named/yanhui.com.outnet
[root@localhost ~]# named-checkconf 
[root@localhost ~]# named-checkzone yanhui.com. /var/named/yanhui.com.inner 
zone yanhui.com/IN: loaded serial 2018120701
OK
[root@localhost ~]# named-checkzone yanhui.com. /var/named/yanhui.com.outnet 
zone yanhui.com/IN: loaded serial 2018120701
OK

Restart the named service, then test:

(1) Queries arriving via the 192.168.0.24 address
[root@localhost ~]# dig @192.168.0.24 -t A www.yanhui.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @192.168.0.24 -t A www.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com.			IN	A

;; ANSWER SECTION:
www.yanhui.com.		60	IN	A	192.168.0.254

;; AUTHORITY SECTION:
yanhui.com.		60	IN	NS	dns.yanhui.com.

;; ADDITIONAL SECTION:
dns.yanhui.com.		60	IN	A	192.168.0.24

;; Query time: 1 msec
;; SERVER: 192.168.0.24#53(192.168.0.24)
;; WHEN: Fri Dec 07 08:35:08 CST 2018
;; MSG SIZE  rcvd: 93

(2) Queries arriving via the 172.16.0.10 address
[root@localhost ~]# dig @172.16.0.10 -t A www.yanhui.com

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> @172.16.0.10 -t A www.yanhui.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8819
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yanhui.com.			IN	A

;; ANSWER SECTION:
www.yanhui.com.		60	IN	A	172.16.0.28

;; AUTHORITY SECTION:
yanhui.com.		60	IN	NS	dns.yanhui.com.

;; ADDITIONAL SECTION:
dns.yanhui.com.		60	IN	A	172.16.0.10

;; Query time: 0 msec
;; SERVER: 172.16.0.10#53(172.16.0.10)
;; WHEN: Fri Dec 07 08:35:57 CST 2018
;; MSG SIZE  rcvd: 93

PS: the simulation test above works as intended.
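What decides the view is the source address of the query, not the address it was sent to: when dig on this host targets 192.168.0.24 the kernel picks 192.168.0.24 as the source (the destination is a local address), so the first test is matched by view inner and the second, sourced from 172.16.0.10, by view outnet. The block below is an added example, not the post's own code and not BIND's implementation: it models the documented rule that views are tested top to bottom and the first view whose match-clients covers the client answers, using the zone data from yanhui.com.inner and yanhui.com.outnet above. The client addresses in the demo are constructed. It also audits view order, the failure mode the comment on the default view warns about: a view with { any; } placed first would catch every client and silently disable the views after it.

```python
"""Model BIND's view selection for the split configuration above.

Added example, not the post's own code and not BIND's implementation: it
encodes the rule that views are tested top to bottom and the first view whose
match-clients ACL covers the query's source address answers the query.
"""
import ipaddress

# Owner label -> A record, copied from the two zone files above.
INNER_ZONE = {"dns": "192.168.0.24", "mail": "192.168.0.12", "www": "192.168.0.254"}
OUTNET_ZONE = {"dns": "172.16.0.10", "mail": "172.16.0.12", "www": "172.16.0.28"}

# Views in configuration order: (name, match-clients entries, {zone: records}).
VIEWS = [
    ("inner", ["192.168.0.0/24"], {"yanhui.com.": INNER_ZONE}),
    ("outnet", ["172.16.0.0/16"], {"yanhui.com.": OUTNET_ZONE}),
    ("default", ["any"], {"yanhui.com.": OUTNET_ZONE}),
]


def _covers(entry, ip):
    """True when one match-clients entry ('any' or a CIDR prefix) covers ip."""
    if entry == "any":
        return True
    return ip in ipaddress.ip_network(entry, strict=False)


def select_view(views, client_ip):
    """Name of the first view whose match-clients covers client_ip, or None
    when no view matches (named then has no view to answer from)."""
    ip = ipaddress.ip_address(client_ip)
    for name, acl, _zones in views:
        if any(_covers(entry, ip) for entry in acl):
            return name
    return None


def resolve_a(views, client_ip, qname):
    """(view, address) a client gets for an A query; address is None when the
    selected view has no data for the name, None when no view matches."""
    view = select_view(views, client_ip)
    if view is None:
        return None
    zones = next(z for n, _acl, z in views if n == view)
    qname = qname.lower().rstrip(".") + "."
    for zone, records in zones.items():
        if qname == zone:
            return view, records.get("@")
        if qname.endswith("." + zone):
            return view, records.get(qname[: -len(zone) - 1])
    return view, None


def _entry_covered(entry, seen_any, seen_nets):
    """True when earlier views already catch every client this entry would."""
    if seen_any:
        return True
    if entry == "any":
        return False
    net = ipaddress.ip_network(entry, strict=False)
    return any(net.version == s.version and net.subnet_of(s) for s in seen_nets)


def shadowed_views(views):
    """Views that can never be selected because every entry in their
    match-clients is covered by an earlier view (an ordering mistake)."""
    shadowed, seen_any, seen_nets = [], False, []
    for name, acl, _zones in views:
        if acl and all(_entry_covered(e, seen_any, seen_nets) for e in acl):
            shadowed.append(name)
        for entry in acl:
            if entry == "any":
                seen_any = True
            else:
                seen_nets.append(ipaddress.ip_network(entry, strict=False))
    return shadowed


if __name__ == "__main__":
    # constructed client addresses: the two test sources above plus an outsider
    for client in ("192.168.0.24", "172.16.0.10", "10.0.0.5"):
        print(client, "->", resolve_a(VIEWS, client, "www.yanhui.com"))
    print("shadowed in correct order:", shadowed_views(VIEWS))
    print("shadowed with default first:", shadowed_views([VIEWS[2], VIEWS[0], VIEWS[1]]))
```

Running the audit against a candidate named.conf before rndc reload is cheap insurance: named-checkconf validates syntax but says nothing about a view that can never be reached, and the symptom in production is only that the wrong zone file answers.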
References:
http://blog.51cto.com/longlei/2053983
https://www.cnblogs.com/Finley/p/6831508.html
https://www.jianshu.com/p/e8b5866802d1
as well as the external links given in the text.
