Continued from the exercises in Part 1
III. Exercises:
2. Configure reverse resolution:
Step 1: Write the main configuration file. Make it the same as in the previous experiment, or write a simple configuration file yourself, for example:
[root@localhost tmp]# cat named.conf.new
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
Step 2: Edit the zone configuration file and the zone data file:
Zone configuration file: append the following lines at the end, following the same format (the network part of the IP written in reverse):
zone "1.10.in-addr.arpa" IN {
type master;
file "magedu.com.arpa.zone";
};
Zone data file:
$TTL 600
@ IN SOA ns1.magedu.com. admin.magedu.com. (
2016092301
1H
5M
1W
1D)
IN NS ns1.magedu.com.
250.54 IN PTR ns1.magedu.com.
2.1 IN PTR qq.magedu.com.
Step 3: Test (with the firewall turned off):
[root@centos68 ~]# dig -x 10.1.54.250

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 10.1.54.250
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;250.54.1.10.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
250.54.1.10.in-addr.arpa. 600   IN      PTR     ns1.magedu.com.

;; AUTHORITY SECTION:
1.10.in-addr.arpa.      600     IN      NS      ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com.         600     IN      A       10.1.54.250

;; Query time: 3 msec
;; SERVER: 10.1.54.250#53(10.1.54.250)
;; WHEN: Sat Sep 24 20:37:45 2016
;; MSG SIZE  rcvd: 100
Test with nslookup:
[root@centos68 ~]# nslookup
> 10.1.1.2
Server:         10.1.54.250
Address:        10.1.54.250#53

2.1.1.10.in-addr.arpa   name = qq.magedu.com.
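The reverse zone above is built by hand: the network part of the address is reversed to form the zone name, and each PTR owner is the remaining host part, also reversed. The following Python helpers are an added example (not code from the original post) that construct those names from an IP and a zone, render the PTR lines, and reject a zone name that is not under in-addr.arpa, the kind of misspelling that makes named load a zone nobody will ever query. The sample addresses are the ones from this exercise; the function names are my own.

```python
import ipaddress

# Added example (not from the original post): helpers for building the PTR
# owner names used in a reverse zone, and for checking that a reverse zone
# name really lies under in-addr.arpa.  Sample addresses are the ones from
# the exercise above (10.1.54.250, 10.1.1.2) and the zone 1.10.in-addr.arpa.


def is_valid_reverse_zone(zone: str) -> bool:
    """True when `zone` is a well-formed IPv4 reverse zone such as 1.10.in-addr.arpa."""
    labels = zone.rstrip(".").lower().split(".")
    if len(labels) < 3 or labels[-2:] != ["in-addr", "arpa"]:
        return False  # catches misspellings such as in-addr.apra
    octets = labels[:-2]
    return 1 <= len(octets) <= 4 and all(
        o.isdigit() and 0 <= int(o) <= 255 for o in octets
    )


def reverse_zone_for(cidr: str) -> str:
    """Name of the in-addr.arpa zone covering an octet-aligned IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"


def ptr_owner(ip: str, zone: str) -> tuple:
    """Return (relative_owner, fqdn) for the PTR record of `ip` inside `zone`."""
    if not is_valid_reverse_zone(zone):
        raise ValueError(f"{zone!r} is not an in-addr.arpa zone name")
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only")
    fqdn = addr.reverse_pointer  # e.g. 250.54.1.10.in-addr.arpa
    suffix = "." + zone.rstrip(".").lower()
    if not fqdn.endswith(suffix):
        raise ValueError(f"{ip} is not covered by zone {zone}")
    return fqdn[: -len(suffix)], fqdn + "."


def ptr_records(zone: str, hosts: dict) -> list:
    """Render the PTR lines of a zone data file from {ip: hostname}."""
    lines = []
    for ip, name in hosts.items():
        owner, _ = ptr_owner(ip, zone)
        target = name if name.endswith(".") else name + "."  # PTR targets must be absolute
        lines.append(f"{owner} IN PTR {target}")
    return lines


if __name__ == "__main__":
    zone = reverse_zone_for("10.1.0.0/16")
    print(zone)
    for line in ptr_records(zone, {"10.1.54.250": "ns1.magedu.com",
                                   "10.1.1.2": "qq.magedu.com"}):
        print(line)
```

Running the block prints the zone name 1.10.in-addr.arpa followed by the two PTR lines that appear in the zone data file above; ptr_owner refuses an address outside the zone, so a host from 10.2.0.0/16 cannot be dropped into this file by mistake.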
3. Configure a subdomain DNS server and forwarding (with SELinux disabled):
Step 1: Modify the main configuration file: keep it as above (unchanged); forwarding can be configured afterwards.
Step 2: Modify the zone configuration file and the zone data file, adding the subdomain configuration:
Define the zone in the zone configuration file by adding the following:
zone "game.magedu.com" IN {
type master;
file "game.magedu.com.zone";
};
Subdomain zone data file. No parent-domain information is needed here: when resolving other names the server iterates from the root DNS servers, but this host has no Internet access, so forwarding must be configured. If the host can reach the Internet, the answer is cached after the first lookup and identical later requests are answered directly from the cache (recursion); as long as the host has Internet access and the named service is running, it can provide resolution (forwarding requests to the root and caching the results):
[root@centos68 ~]# cat /var/named/game.magedu.com.zone
$TTL 3600
@ IN SOA ns1.game.magedu.com. admin.game.magedu.com. (
2016092302
1H
30M
1W
1D )
IN NS ns1.game.magedu.com.
ns1 IN A 10.1.252.60
game.magedu.com. IN MX 10 mail.game.magedu.com.
mail.game.magedu.com. IN A 10.1.4.4
www.game.magedu.com. IN A 10.1.5.5
Modify the parent domain's zone data file to delegate the subdomain by adding the following two lines:
game IN NS ns1.game.magedu.com.
ns1.game.magedu.com. IN A 10.1.5.4
Check the file:
[root@localhost named]# named-checkzone "game.magedu.com" game.magedu.com.zone
zone game.magedu.com/IN: loaded serial 2016092302
OK
Step 3: Add forwarding. The server being forwarded to must be able to perform recursion for the requester; otherwise the forwarded request is not answered.
Global forwarding: every request for zones this host is not authoritative for is forwarded to the specified server:
options {
forward first|only;
forwarders { IP; };
};
(first: try the forwarder first, and if it cannot resolve the name, resolve it locally; only: forward only to this IP and never resolve it locally.)
Zone-specific forwarding: only requests for the specified zone are forwarded; a zone-level setting takes precedence over the global one:
zone "ZONE_NAME" IN {
type forward;
forward first|only;
forwarders { IP; };
};
Modify the main configuration file by adding the following two lines inside options (global forwarding):
forward only;
forwarders { 10.1.54.250; };
Or add the following (zone-specific forwarding takes precedence):
zone "magedu.com" IN {
type forward;
forward only;
forwarders { 10.1.54.250; };
};
Step 4: Restart the service and test:
Query the subdomain server directly; it resolves successfully:
[root@centos68 ~]# dig -t A www.game.magedu.com @10.1.252.60

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.game.magedu.com @10.1.252.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3392
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.game.magedu.com.           IN      A

;; ANSWER SECTION:
www.game.magedu.com.    3600    IN      A       10.1.5.5

;; AUTHORITY SECTION:
game.magedu.com.        3600    IN      NS      ns1.game.magedu.com.

;; ADDITIONAL SECTION:
ns1.game.magedu.com.    3600    IN      A       10.1.252.60

;; Query time: 2 msec
;; SERVER: 10.1.252.60#53(10.1.252.60)
;; WHEN: Sat Sep 24 22:51:01 2016
;; MSG SIZE  rcvd: 87
Test the parent domain after setting up global forwarding, querying the parent domain through the subdomain server's IP:
[root@centos68 ~]# dig -t A www.magedu.com @10.1.252.60

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.magedu.com @10.1.252.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12858
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         600     IN      A       10.1.4.2
Test after setting up zone-specific forwarding:
[root@centos68 ~]# dig -t A ns1.magedu.com @10.1.252.60

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A ns1.magedu.com @10.1.252.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54867
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;ns1.magedu.com.                IN      A

;; ANSWER SECTION:
ns1.magedu.com.         600     IN      A       10.1.54.250
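The difference between forward first and forward only, and the requirement that the forwarder perform recursion for the requester, are easy to get wrong when all you see is a SERVFAIL. The following Python model is an added example (not code from the original post, and not how BIND is implemented) that plays through the three cases: a forwarder that recurses, a forwarder that refuses recursion under forward only, and the same forwarder under forward first with and without a local path to the root. The ModelServer class, the resolve function and the 203.0.113.10 address are constructed for the example; the magedu.com records and the 10.1.54.250 forwarder come from the exercise. The model treats any forwarder response other than NOERROR or NXDOMAIN as a forwarder failure, which is a simplification of what named does.

```python
# Added example (not from the original post): a small model of BIND's
# "forward first" versus "forward only" behaviour and of why the forwarder
# must allow recursion for the requester.  The servers below are constructed
# stand-ins, not real hosts; the records mirror the exercise's magedu.com data.


class ModelServer:
    """Toy DNS server: answers names it is authoritative for; for anything
    else it either recurses (modelled as a lookup in a fake 'internet' table)
    or, when recursion is not offered, answers REFUSED."""

    def __init__(self, address, authoritative, recursion=False, internet=None):
        self.address = address
        self.authoritative = authoritative  # {name: ip} this server is master for
        self.recursion = recursion
        self.internet = internet or {}  # what it could learn by recursing

    def query(self, qname):
        if qname in self.authoritative:
            return ("NOERROR", self.authoritative[qname])
        if not self.recursion:
            # same situation as 'status: REFUSED ... recursion requested but not available'
            return ("REFUSED", None)
        if qname in self.internet:
            return ("NOERROR", self.internet[qname])
        return ("NXDOMAIN", None)


def resolve(qname, policy, forwarder, own_recursion=None):
    """Resolve `qname` the way a forwarding server would.

    policy         'first' or 'only' (the `forward` option)
    forwarder      ModelServer named in `forwarders { ... }`
    own_recursion  ModelServer standing in for this host's own iterative
                   resolution via the root hints, or None when the host has
                   no Internet access (the situation in the exercise)
    Returns (status, answer)."""
    if policy not in ("first", "only"):
        raise ValueError("forward must be 'first' or 'only'")
    status, answer = forwarder.query(qname)
    if status in ("NOERROR", "NXDOMAIN"):
        return status, answer  # the forwarder produced a real answer
    if policy == "only":
        return ("SERVFAIL", None)  # 'only' never falls back to local resolution
    # 'first': the forwarder failed, so resolve it ourselves if we can
    if own_recursion is None:
        return ("SERVFAIL", None)
    return own_recursion.query(qname)


# Constructed servers.  The parent-domain server 10.1.54.250 is authoritative
# for magedu.com and, in the exercise, performs recursion for the subdomain host.
PARENT_RECURSIVE = ModelServer(
    "10.1.54.250",
    {"www.magedu.com": "10.1.4.2", "ns1.magedu.com": "10.1.54.250"},
    recursion=True,
    internet={"www.example.test": "203.0.113.10"},  # constructed record
)
# The same server with recursion switched off for this client.
PARENT_NO_RECURSION = ModelServer(
    "10.1.54.250", {"www.magedu.com": "10.1.4.2"}, recursion=False
)
# Stand-in for this host's own iterative resolution through the root hints.
ROOT_HINTS = ModelServer(
    "root", {}, recursion=True, internet={"www.example.test": "203.0.113.10"}
)

if __name__ == "__main__":
    print(resolve("www.magedu.com", "only", PARENT_RECURSIVE))
    print(resolve("www.example.test", "only", PARENT_NO_RECURSION))
    print(resolve("www.example.test", "first", PARENT_NO_RECURSION, ROOT_HINTS))
    print(resolve("www.example.test", "first", PARENT_NO_RECURSION))
```

The last two calls show the practical point of step 3: with forward first a host that can reach the root still gets an answer when the forwarder refuses, while an isolated host gets SERVFAIL under either policy unless the forwarder recurses on its behalf.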
3. Configure a caching DNS server:
Modify the main configuration file:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
allow-query { any; };
datasize 100M;
recursion yes;
dnssec-enable no;
dnssec-validation no;
};
If the host has Internet access, run a command such as dig -t A www.baidu.com @10.1.252.134: the first query goes to the root servers, the result is returned and cached, and the second query is served straight from the cache. Without Internet access the name cannot be resolved, but you can simulate a root server yourself by changing the root hints file; that also works for testing.
4. Configure a root server:
Use two hosts, one as the root DNS server and one for a second-level domain. Configure the root server first: a root server must itself be configured with a zone before others can query it, and that zone is the root, ".".
Step 1: On the root server, edit the main configuration file; apart from the usual lines to comment out and change, also comment out the following:
//zone "." IN {
// type hint;
// file "named.ca";
//};
Step 2: In the root server's zone configuration file, add the root zone:
zone "." IN {
type master;
file "root.zone";
};
Step 3: In the root server's zone data file root.zone, add the delegation; here a subdomain named com is delegated:
$TTL 64300
@ IN SOA ns1. admin.com. (
2016092307
1D
1H
1W
1H )
IN NS ns1.
ns1. IN A 10.1.252.60
com IN NS ns2.com.
ns2.com IN A 10.1.252.134
Step 4: Modify the root hints file named.ca: comment out the other root servers and point only to this host:
. 3600000 NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 10.1.252.60
Step 5: Modify the second-level domain's main configuration file with the usual changes; then modify its zone configuration file, adding:
zone "com" IN {
type master;
file "root.com.zone";
};
Step 6: Modify the second-level domain's zone data file:
$TTL 86200
@ IN SOA ns2.com. admin.mage.com. (
2016092306
1H
5M
1W
1D )
IN NS ns2.com.
ns2.com. IN A 10.1.252.134
www.com. IN A 194.1.2.4
Step 7: Modify the root hints file on the second-level domain host, adding the new root server:
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 10.1.252.60
Step 8: Change the file group and permissions, then restart the service.
Step 9: Test from a test host with the firewall turned off; the test host also needs its root hints file changed to point at the new root:
First look up the second-level domain through the root:
[root@centos68 ~]# dig -t NS com @10.1.252.60

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS com @10.1.252.60
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36809
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;com.                           IN      NS

;; ANSWER SECTION:
com.                    86010   IN      NS      ns2.com.
Then look up the root through the second-level domain:
[root@centos68 ~]# dig -t NS . @10.1.252.134

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS . @10.1.252.134
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48123
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       63579   IN      NS      ns1.
5. ACLs in bind:
ACL: groups one or more addresses into a set that is referred to by a single name. In the main configuration file, add the following lines before options:
acl myhost {
10.1.252.134;
1.2.3.4/24;
};
Add this list to the allow-query directive:
allow-query { myhost; };
Restart the service and test from the host with IP 252.134:
[root@centos68 ~]# dig -t A www.magedu.com @10.1.54.250

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.magedu.com @10.1.54.250
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50166
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         600     IN      A       10.1.4.2
Test from the host 252.28; the query is refused:
[root@localhost ~]# dig -t A www.magedu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.magedu.com
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@localhost ~]# dig -t A www.magedu.com @10.1.54.250

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.magedu.com @10.1.54.250
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 6944
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.magedu.com.                IN      A
Note: there are four access-control directives in the configuration file:
allow-query {}; hosts allowed to query; a whitelist;
allow-transfer {}; hosts allowed to perform zone transfers; a whitelist;
allow-recursion {}; hosts allowed to use recursion; recommended to set globally, any;
allow-update {}; hosts allowed to update the contents of the zone database.
6. Views:
Step 1: Edit the main configuration file and add ACLs as named aliases for the address sets (added for convenience; with only a few IPs they can be omitted).
acl telcom {
10.1.252.134;
192.168.2.6/16;
};
acl unicom {
10.1.54.250;
2.2.4.1/24;
};
Step 2: Edit the zone configuration file and the zone data files:
Zone configuration file named.rfc1912.zones: put every zone into a view, including the default local zones and the root zone from the main configuration file:
view unicom1 {
match-clients { unicom; };
zone "unicom.com" IN {
type master;
file "unicom.com.zone";
};
};
view telcom1 {
match-clients { telcom; };
zone "unicom.com" IN {
type master;
file "telcom.com.zone";
};
};
Use any to match all remaining IPs; since views are matched in order, the any view should come last. It holds all the local zones (omitted here):
view local1 {
match-clients { any; };
zone "magedu.com" IN {
type slave;
masters { 10.1.54.250; };
file "magedu.com.zone";
};
};
Zone data files (www differs, the DNS server is the same):
[root@localhost ~]# cat /var/named/unicom.com.zone
$TTL 43200
@ IN SOA ns1.unicom.com. admin.unicom.com. (
2016092304
1H
5M
1W
1D )
IN NS ns1.unicom.com.
ns1 IN A 10.1.252.28
www IN A 195.26.13.4
[root@localhost ~]# cat /var/named/telcom.com.zone
$TTL 43200
@ IN SOA ns1.unicom.com. admin.unicom.com. (
2016092304
1H
5M
1W
1D )
IN NS ns1.unicom.com.
ns1 IN A 10.1.252.28
www IN A 195.26.120.120
Step 3: Change the permissions and group, then restart the service:
[root@localhost ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]
Step 4: Test:
First test from 252.134, which is defined in the telcom ACL:
[root@centos68 ~]# dig -t A www.unicom.com @10.1.252.28

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.unicom.com @10.1.252.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25877
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.unicom.com.                IN      A

;; ANSWER SECTION:
www.unicom.com.         43200   IN      A       195.26.120.120

;; AUTHORITY SECTION:
unicom.com.             43200   IN      NS      ns1.unicom.com.

;; ADDITIONAL SECTION:
ns1.unicom.com.         43200   IN      A       10.1.252.28

;; Query time: 1 msec
;; SERVER: 10.1.252.28#53(10.1.252.28)
;; WHEN: Sun Sep 25 18:03:50 2016
;; MSG SIZE  rcvd: 82
Then test from 54.250, which is defined in the unicom ACL:
[root@localhost ~]# dig -t A www.unicom.com @10.1.252.28

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.unicom.com @10.1.252.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30278
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.unicom.com.                IN      A

;; ANSWER SECTION:
www.unicom.com.         43200   IN      A       195.26.13.4

;; AUTHORITY SECTION:
unicom.com.             43200   IN      NS      ns1.unicom.com.

;; ADDITIONAL SECTION:
ns1.unicom.com.         43200   IN      A       10.1.252.28

;; Query time: 1 msec
;; SERVER: 10.1.252.28#53(10.1.252.28)
;; WHEN: 日 9月 25 16:02:27 CST 2016
;; MSG SIZE  rcvd: 93
The same name was queried through the same resolver address, 252.28, but different IPs were returned.
Original article by SilencePavilion; if reposting, please credit the source: http://www.178linux.com/51662
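Both the allow-query exercise (5) and the view exercise (6) depend on the same rule: BIND evaluates an address match list element by element and the first element that matches decides, which is why a view with match-clients { any; } must be listed last. The following Python is an added example (not code from the original post, and not BIND's implementation) that reproduces that evaluation, including "!" negation and nested ACL names, then selects the view for each test host and reports which www.unicom.com address it would be told. The ACLs, views and A records are the ones from the exercises; the function names are my own, and nested ACLs are simplified to "a nested list that does not match is treated as no match".

```python
import ipaddress

# Added example (not from the original post): BIND-style address-match-list
# evaluation (first match wins, '!' negates, 'any'/'none', nested ACL names)
# and first-matching-view selection.  The ACLs, views and A records below are
# the ones from exercises 5 and 6; the client addresses are the test hosts.

ACLS = {
    "myhost": ["10.1.252.134", "1.2.3.4/24"],
    "telcom": ["10.1.252.134", "192.168.2.6/16"],
    "unicom": ["10.1.54.250", "2.2.4.1/24"],
}


def acl_allows(client, entries, acls=ACLS):
    """Evaluate an address match list the way BIND does: elements are checked
    in order, the first one that matches decides, and a '!' prefix turns a
    match into a denial.  Falling off the end means not allowed."""
    addr = ipaddress.ip_address(client)
    for raw in entries:
        negate = raw.startswith("!")
        elem = raw.lstrip("!").strip()
        if elem == "any":
            matched = True
        elif elem == "none":
            matched = False
        elif elem in acls:  # nested named ACL (simplified: match or no match)
            matched = acl_allows(str(addr), acls[elem], acls)
        else:
            # strict=False accepts host-style entries such as 1.2.3.4/24
            # (read as 1.2.3.0/24); named accepts them too, with a warning
            matched = addr in ipaddress.ip_network(elem, strict=False)
        if matched:
            return not negate
    return False


def select_view(client, views):
    """views: ordered list of (view_name, match_clients_list).  Returns the
    first view whose match-clients list allows the client, or None.  A view
    with match-clients { any; } shadows every view listed after it."""
    for name, match_clients in views:
        if acl_allows(client, match_clients):
            return name
    return None


VIEWS = [("unicom1", ["unicom"]), ("telcom1", ["telcom"]), ("local1", ["any"])]

# What each view's copy of unicom.com says for www (from the two zone files above);
# local1 does not carry unicom.com at all.
WWW_UNICOM_COM = {"unicom1": "195.26.13.4", "telcom1": "195.26.120.120"}


def answer_www_unicom_com(client, views=VIEWS):
    """A record a client receives for www.unicom.com, or None when the view
    it lands in does not serve that zone."""
    return WWW_UNICOM_COM.get(select_view(client, views))


if __name__ == "__main__":
    for ip in ("10.1.252.134", "10.1.54.250", "10.1.252.28"):
        print(ip, "->", select_view(ip, VIEWS), answer_www_unicom_com(ip))
```

Run as a script it prints 195.26.120.120 for 10.1.252.134 and 195.26.13.4 for 10.1.54.250, matching the two dig outputs above, and None for 10.1.252.28, which falls through to the any view; moving the any view to the front sends every client there, which is the ordering mistake the text warns about.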