概述
递归请求:发起一次查询,就会有结果;
迭代查询:发起N次查询,才有结果;
注册域名流程
注册域名:在Top Level Domain的DNS服务器主机的解析库中添加子域(条目);子域指向的主机即为解析 子域 的dns服务器;
子域DNS服务器:需要一个有公网IP的主机;
- 代理商,一个主机解析数万条;
- 自己买;
- dnspod.cn, dns.la
DNS一次完整解析请求:
hosts –> 本地缓存 –> 指向的运营商DNS(recursion)
自己负责的域:返回
自己不负责的域:缓存 –> 出去迭代(iteration)
解析:用给出的键在区域解析库中查找值;
域:无形的,逻辑的概念;正向解域区域 + 反向解析区域
区域:物理,一个一个的解析库对应的主机; 正向解析区域 或 反向解析区域;
正向解析区域对应了一棵正向解析树;
反向解析区域对应了一棵反向解析树;
区域解析库的格式:每行有一条RR(Resource Record)记录;
$TTL 3600 <– 解析的结果可以缓存的时长;
$ORIGIN magedu.com. <– 域名省略时,可以自动补充此后缀
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. ( <– @(域名代替者) IN(关键字) SOA(RR_TYPE:资源记录) ns1.magedu.com(可以主DNS地址或域名) 邮件地址;
2017112902 <– serial, 修改时,此解析库所在主机会自动通知其它主机;
1H <– refresh,刷新时间,间隔多久去主或从dns服务器同步一次数据;
10M <– retry, 同步不成功时,重试时间间隔;如果>=refresh的时间;没有意义;
1W <– expire, 从服务器联系不到主服务器时,从长时间放弃从角色;
1D) <– 否定答案的TTL值;或者“否定答案”的缓存时长;
IN NS ns1 <– 域名 IN RR_TYPE(NS) 主机名
IN NS ns2
IN MX 10 mx1 <– 域名 IN RR_TYPE(MX PRI_NUM) 主机名
IN MX 20 mx2
ns1 IN A 172.16.0.6 <– 主机名 IN A IP
ns2 IN A 172.16.0.7
mx1 IN A 172.16.0.6
mx2 IN A 172.16.0.7
www IN A 172.16.0.7
web IN CNAME www <– 别名 IN CNAME 主机名(正式名称);可以通过此别名访问正式名称;
bbs IN A 172.16.0.6
bbs IN A 172.16.0.7
pop3 IN A 172.16.0.7ops IN NS ns1.ops <– 类似于A记录的格式的子域授权记录
ns1.ops IN A 172.16.0.8 <– 子域DNS的A记录;
配置一个DNS服务器,先决条件是有根域的位置/var/named/{ZONE_NAME.zone} 其名称可以随意:从以上的图中可知:为我们递归的主机,首先需要去找根,迭代出结果:递归返回给我们;
(1) 允许查询:allow-query { IP; }; DNS主机,必须能查询;
(2) 允许递归:allow-recursion { IP; }; DNS主机,仅为自己人递归;因为大量的递归请求会消耗资源;
注意:
如果查询不通过时,即使递归通过;这是自己的DNS;
allow-query { loacalhost; };
recursion yes;
如果查询通过时,递归不通过:此主机仅负责解析自己负责的域;
allow-query { any; };
allow-recursion { localhost; };
如果查询通过时,递归通过;此主机可以作为公共的DNS;
allow-query { any; };
allow-recursion { any; };
如果需要访问控制功能;
allow-query { any; };
allow-recursion { 172.16.0.0/16; };
手动测试DNS解析命令:dig, host, nslookup
RR_TYPE: A, NS, SOA, MX, PTR
格式:
正向解析:dig -t RR_TYPE FQDN @DNS_SERVER_IP
反向解析:dig -x IP @DNS_SERVER_IP
host -t RR_TYPE FQDN DNS_SERVER_IP
nslookup
> server DNS_SERVER_IP
> set q=RR_TYPE
> FQDN|IP
> exit
转发:非我所负责的域,就转发;注意:接收请求的主机,应该为转发的主机递归;
区域转发:解析非我所负责的域的主机,且解析此域内的主机才转发;
全局转发:解析非我所负责的域的主机,统统转发;
配置DNS,为所有主机递归;
[root@localhost ~]# yum -y install bind bind-libs bind-utils
配置dns:
options {
directory “/var/named”;
//allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
};[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# netstat -tunlp | fgrep 53
tcp 0 0 172.16.0.7:53 0.0.0.0:* LISTEN 14513/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 14513/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 14513/named
tcp6 0 0 ::1:953 :::* LISTEN 14513/named
udp 0 0 172.16.0.7:53 0.0.0.0:* 14513/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 14513/named在本机测试或在其他主机测试是否能查询:
[root@localhost ~]# dig -t A www.magedu.com @172.16.0.7; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15524
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 17;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A;; ANSWER SECTION:
www.magedu.com. 600 IN A 101.200.188.230;; AUTHORITY SECTION:
magedu.com. 172800 IN NS ns2.alidns.com.
magedu.com. 172800 IN NS ns1.alidns.com.;; ADDITIONAL SECTION:
ns1.alidns.com. 172800 IN A 140.205.81.21
ns1.alidns.com. 172800 IN A 106.11.141.111
ns1.alidns.com. 172800 IN A 106.11.141.121
ns1.alidns.com. 172800 IN A 106.11.211.51
ns1.alidns.com. 172800 IN A 106.11.211.61
ns1.alidns.com. 172800 IN A 140.205.41.11
ns1.alidns.com. 172800 IN A 140.205.41.21
ns1.alidns.com. 172800 IN A 140.205.81.11
ns2.alidns.com. 172800 IN A 106.11.141.112
ns2.alidns.com. 172800 IN A 106.11.141.122
ns2.alidns.com. 172800 IN A 106.11.211.52
ns2.alidns.com. 172800 IN A 106.11.211.62
ns2.alidns.com. 172800 IN A 140.205.41.12
ns2.alidns.com. 172800 IN A 140.205.41.22
ns2.alidns.com. 172800 IN A 140.205.81.12
ns2.alidns.com. 172800 IN A 140.205.81.22;; Query time: 1584 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 21:00:35 CST 2017
;; MSG SIZE rcvd: 358[root@localhost ~]# host -t A www.magedu.com 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:www.magedu.com has address 101.200.188.230
[root@localhost ~]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=SOA
> magedu.com
Server: 172.16.0.7
Address: 172.16.0.7#53Non-authoritative answer:
magedu.com
origin = dns9.hichina.com
mail addr = hostmaster.hichina.com
serial = 2016112113
refresh = 3600
retry = 1200
expire = 3600
minimum = 360Authoritative answers can be found from:
magedu.com nameserver = ns2.alidns.com.
magedu.com nameserver = ns1.alidns.com.
ns1.alidns.com internet address = 140.205.81.11
ns1.alidns.com internet address = 140.205.81.21
ns1.alidns.com internet address = 106.11.141.111
ns1.alidns.com internet address = 106.11.141.121
ns1.alidns.com internet address = 106.11.211.51
ns1.alidns.com internet address = 106.11.211.61
ns1.alidns.com internet address = 140.205.41.11
ns1.alidns.com internet address = 140.205.41.21
ns2.alidns.com internet address = 140.205.81.22
ns2.alidns.com internet address = 106.11.141.112
ns2.alidns.com internet address = 106.11.141.122
ns2.alidns.com internet address = 106.11.211.52
ns2.alidns.com internet address = 106.11.211.62
ns2.alidns.com internet address = 140.205.41.12
ns2.alidns.com internet address = 140.205.41.22
ns2.alidns.com internet address = 140.205.81.12
> exit
配置主DNS:
(1) 正向
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
};
[root@localhost ~]# cd /var/named
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# vim magedu.com.zone <– 编辑后退出有语法着色;
[root@localhost named]# vim magedu.com.zone
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171129
1H
10M
1W
1D)
IN NS ns1
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6[root@localhost named]# ll <– 注意权限;root.named 且为640
总用量 20
drwxrwx— 2 named named 22 11月 29 20:58 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r–r– 1 root root 269 11月 29 21:12 magedu.com.zone
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
drwxrwx— 2 named named 6 3月 6 2015 slaves[root@localhost named]# chown :named magedu.com.zone
[root@localhost named]# chmod o= magedu.com.zone[root@localhost named]# named-checkconf <– 编辑配置,没有检查语法
[root@localhost named]# named-checkzone magedu.com magedu.com.zone <– 检查区域解析库语法
zone magedu.com/IN: loaded serial 20171129
OK[root@localhost named]# rndc status <– 装载前的zones数据 101
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running[root@localhost named]# rndc reload <–装载
server reload successful[root@localhost named]# rndc status <– 装载后的数据:102
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running本机测试或其它主机测试
[root@localhost named]# dig -t A www.magedu.com @172.16.0.7; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58114
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A;; ANSWER SECTION:
www.magedu.com. 3600 IN A 172.16.0.7;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 21:16:38 CST 2017
;; MSG SIZE rcvd: 93[root@localhost ~]# host -t SOA magedu.com 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:magedu.com has SOA record magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400
[root@localhost ~]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=MX
> magedu.com
Server: 172.16.0.7
Address: 172.16.0.7#53magedu.com mail exchanger = 20 mx2.magedu.com.
magedu.com mail exchanger = 10 mx1.magedu.com.
> exit[root@localhost ~]#
(2) 反向
注意反向的域名是IP地址网络段反写;或不变部分反写:例如:使用172.16.0.1-255/16时,可以反写为16.172.in-addr.arpa. 或 0.16.172.in-addr.arpa; 假如第三位变时,则只能使用前者;
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “0.16.172.in-addr.arpa” IN {
type master;
file “172.16.0.zone”;
};[root@localhost named]# vim -O 172.16.0.zone magedu.com.zone
$TTL 3600
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA @ nsadmin.magedu.com. (
20171129
1H
10M
1W
1D)
IN NS ns1.magedu.com.
7 IN PTR ns1.magedu.com.
7 IN PTR mx1.magedu.com.
6 IN PTR mx2.magedu.com.
7 IN PTR www.magedu.com.
6 IN PTR bbs.magedu.com.
7 IN PTR bbs.magedu.com.[root@localhost named]# ll
总用量 24
-rw-r–r– 1 root root 275 11月 29 22:17 172.16.0.zone
drwxrwx— 2 named named 22 11月 29 20:58 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r—– 1 root named 269 11月 29 21:12 magedu.com.zone
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
drwxrwx— 2 named named 6 3月 6 2015 slaves[root@localhost named]# chgrp named 172.16.0.zone
[root@localhost named]# chmod o= 172.16.0.zone[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa 172.16.0.zone
zone 0.16.172.in-addr.arpa/IN: loaded serial 20171129
OK[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running[root@localhost named]# rndc reload
server reload successful[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running测试解析:
[root@localhost named]# dig -x 172.16.0.6 @172.16.0.7; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.0.6 @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;6.0.16.172.in-addr.arpa. IN PTR;; ANSWER SECTION:
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:23:03 CST 2017
;; MSG SIZE rcvd: 132[root@localhost named]# host -t PTR 172.16.0.7 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:7.0.16.172.in-addr.arpa domain name pointer bbs.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer www.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer mx1.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer ns1.magedu.com.[root@localhost named]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=PTR
> 172.16.0.6
Server: 172.16.0.7
Address: 172.16.0.7#536.0.16.172.in-addr.arpa name = bbs.magedu.com.
6.0.16.172.in-addr.arpa name = mx2.magedu.com.
> exit[root@localhost named]#
从DNS配置
配置前准备
- 主、从DNS时间同步,已经配置好了时间服务器: 172.16.0.247
如果需要查看时间服务器如何配置,请移驾: https://www.mykernel.cn/archives/573
[root@localhost named]# ntpdate 172.16.0.247 <– 主DNS: 172.16.0.7
29 Nov 22:27:19 ntpdate[41180]: adjust time server 172.16.0.247 offset -0.051880 sec
[root@localhost ~]# ntpdate 172.16.0.247 <– 从DNS: 172.16.0.6
29 Nov 22:27:28 ntpdate[41204]: adjust time server 172.16.0.247 offset -0.008223 sec - 版本一致:
[root@localhost named]# rpm -q bind <– 主DNS: 172.16.0.7
bind-9.9.4-18.el7.x86_64
[root@localhost ~]# rpm -q bind <– 从DNS: 172.16.0.6
bind-9.9.4-18.el7.x86_64 - 从DNS能从主DNS做区域传送:
[root@localhost ~]# dig -t axfr magedu.com @172.16.0.7
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr magedu.com @172.16.0.7
;; global options: +cmd
magedu.com. 3600 IN SOA magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN MX 10 mx1.magedu.com.
magedu.com. 3600 IN MX 20 mx2.magedu.com.
bbs.magedu.com. 3600 IN A 172.16.0.7
bbs.magedu.com. 3600 IN A 172.16.0.6
mx1.magedu.com. 3600 IN A 172.16.0.7
mx2.magedu.com. 3600 IN A 172.16.0.6
ns1.magedu.com. 3600 IN A 172.16.0.7
web.magedu.com. 3600 IN CNAME www.magedu.com.
www.magedu.com. 3600 IN A 172.16.0.7
magedu.com. 3600 IN SOA magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400
;; Query time: 5 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:30:07 CST 2017
;; XFR size: 12 records (messages 1, bytes 299)[root@localhost ~]# dig -t axfr 0.16.172.in-addr.arpa @172.16.0.7
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr 0.16.172.in-addr.arpa @172.16.0.7
;; global options: +cmd
0.16.172.in-addr.arpa. 3600 IN SOA 0.16.172.in-addr.arpa. nsadmin.magedu.com. 20171129 3600 600 604800 86400
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR ns1.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR mx1.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR www.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.
0.16.172.in-addr.arpa. 3600 IN SOA 0.16.172.in-addr.arpa. nsadmin.magedu.com. 20171129 3600 600 604800 86400
;; Query time: 4 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:30:20 CST 2017
;; XFR size: 9 records (messages 1, bytes 251)[root@localhost ~]#
- 在主DNS的解析库中添加ns2记录;ns2 A记录指向从DNS主机;
1 正向的从
[root@localhost named]# vim -O magedu.com.zone 172.16.0.zone
[root@localhost named]# cat magedu.com.zone 172.16.0.zone | fgrep ns2
IN NS ns2
ns2 IN A 172.16.0.6
IN NS ns2.magedu.com.
6 IN PTR ns2.magedu.com.>>>>
[root@localhost ~]# vim /etc/named.confoptions {
directory “/var/named”;
//allow-query { localhost; };
recursion yes;dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
};[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# systemctl status named.service
named.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since 三 2017-11-29 22:39:37 CST; 5s ago
Process: 41274 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 41272 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Main PID: 41276 (named)
CGroup: /system.slice/named.service
└─41276 /usr/sbin/named -u named11月 29 22:39:37 localhost.localdomain named[41276]: managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
11月 29 22:39:37 localhost.localdomain named[41276]: managed-keys-zone: unable to synchronize managed keys: unexpe…rror
11月 29 22:39:37 localhost.localdomain named[41276]: zone 0.in-addr.arpa/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone localhost/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0….al 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone localhost.localdomain/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: all zones loaded
11月 29 22:39:37 localhost.localdomain named[41276]: running
11月 29 22:39:37 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.[root@localhost ~]# netstat -tunlp | fgrep 53
tcp 0 0 172.16.0.6:53 0.0.0.0:* LISTEN 41276/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 41276/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 41276/named
tcp6 0 0 ::1:953 :::* LISTEN 41276/named
udp 0 0 172.16.0.6:53 0.0.0.0:* 41276/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 41276/named[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type slave;
file “slaves/magedu.com.zone”; <— 为什么是slaves目录下?
masters { 172.16.0.7; };
};[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# ls /var/named/slaves/
magedu.com.zone<— 为什么是slaves目录下?
[root@localhost ~]# ps axu | fgrep named <– named进程以普通用户 named 身份运行;
named 41276 0.0 1.6 162652 16740 ? Ssl 22:39 0:00 /usr/sbin/named -u named[root@localhost ~]# ls -ld /var/named <– named组对/var/named目录没有写权限,所以不能修改此目录下的文件;
drwxr-x— 5 root named 120 11月 29 22:28 /var/named[root@localhost ~]# ls -ld /var/named/slaves <– named属主对/var/named/slaves目录有写权限, 则named用户可以修改此目录下的文件,完成创建删除操作;
drwxrwx— 2 named named 28 11月 29 22:42 /var/named/slaves
<– 主从同步,需要从服务从主DNS服务器那里复制一份副本,到从服务器;如果named进程没有写权限,将不能保留复制过来的文件;测试解析:
[root@localhost ~]# dig -t A web.magedu.com @172.16.0.6
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A web.magedu.com @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.magedu.com. IN A;; ANSWER SECTION:
web.magedu.com. 3600 IN CNAME www.magedu.com.
www.magedu.com. 3600 IN A 172.16.0.7;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: 三 11月 29 22:47:42 CST 2017
;; MSG SIZE rcvd: 111[root@localhost ~]# host -t MX magedu.com 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:magedu.com mail is handled by 20 mx2.magedu.com.
magedu.com mail is handled by 10 mx1.magedu.com.[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=A
> www.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53Name: www.magedu.com
Address: 172.16.0.7
> pop3.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53** server can’t find pop3.magedu.com: NXDOMAIN <— 注意 pop3不能解析
> exit[root@localhost ~]#
===================>>>>>>>>>>>修改正向的主DNS解析库(172.16.0.7); 注意: 修改serial
[root@localhost named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171130
1H
10M
1W
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
ns2 IN A 172.16.0.6
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6
pop3 IN A 172.16.0.7 <– 此为新增的条目[root@localhost named]# named-checkzone magedu.com magedu.com.zone
zone magedu.com/IN: loaded serial 20171130
OK[root@localhost named]# rndc reload
server reload successful从服务器再次测试解析pop3.magedu.com
[root@localhost ~]# host -t A pop3.magedu.com 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:pop3.magedu.com has address 172.16.0.7
[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=A
> pop3.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53Name: pop3.magedu.com
Address: 172.16.0.7
> exit[root@localhost ~]#
2 反向的从
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “0.16.172.in-addr.arpa” IN {
type slave;
file “slaves/0.16.172.in-addr.arpa”;
masters { 172.16.0.7; };
};[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl status named.service
11月 29 22:55:45 localhost.localdomain named[41276]: transfer of ‘0.16.172.in-addr.arpa/IN’ from 172.16.0.7#53: co…6344
11月 29 22:55:45 localhost.localdomain named[41276]: zone 0.16.172.in-addr.arpa/IN: transferred serial 20171129
11月 29 22:55:45 localhost.localdomain named[41276]: transfer of ‘0.16.172.in-addr.arpa/IN’ from 172.16.0.7#53: Tr…sec)
11月 29 22:55:45 localhost.localdomain named[41276]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 20171129)测试:
root@localhost ~]# dig -x 172.16.0.6 @172.16.0.6; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.0.6 @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62169
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;6.0.16.172.in-addr.arpa. IN PTR;; ANSWER SECTION:
6.0.16.172.in-addr.arpa. 3600 IN PTR ns2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.
0.16.172.in-addr.arpa. 3600 IN NS ns2.magedu.com.;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7
ns2.magedu.com. 3600 IN A 172.16.0.6;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: 三 11月 29 22:56:38 CST 2017
;; MSG SIZE rcvd: 180[root@localhost ~]# host -t PTR 172.16.0.6 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:6.0.16.172.in-addr.arpa domain name pointer bbs.magedu.com.
6.0.16.172.in-addr.arpa domain name pointer mx2.magedu.com.
6.0.16.172.in-addr.arpa domain name pointer ns2.magedu.com.[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=PTR
> 172.16.0.7
Server: 172.16.0.6
Address: 172.16.0.6#537.0.16.172.in-addr.arpa name = ns1.magedu.com.
7.0.16.172.in-addr.arpa name = bbs.magedu.com.
7.0.16.172.in-addr.arpa name = www.magedu.com.
7.0.16.172.in-addr.arpa name = mx1.magedu.com.
> exit[root@localhost ~]#
============>>>>>>主服务器添加pop3.magedu.com反向解析;注意:修改serial
[root@localhost named]# vim 172.16.0.zone
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA @ nsadmin.magedu.com. (
20171130
1H
10M
1W
1D)
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
7 IN PTR ns1.magedu.com.
6 IN PTR ns2.magedu.com.
7 IN PTR mx1.magedu.com.
6 IN PTR mx2.magedu.com.
7 IN PTR www.magedu.com.
6 IN PTR bbs.magedu.com.
7 IN PTR bbs.magedu.com.
7 IN PTR pop3.magedu.com.[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa 172.16.0.zone
[root@localhost named]# rndc status
[root@localhost named]# rndc reload
[root@localhost named]# rndc status[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=PTR
> 172.16.0.7
Server: 172.16.0.6
Address: 172.16.0.6#537.0.16.172.in-addr.arpa name = ns1.magedu.com.
7.0.16.172.in-addr.arpa name = pop3.magedu.com.
7.0.16.172.in-addr.arpa name = mx1.magedu.com.
7.0.16.172.in-addr.arpa name = bbs.magedu.com.
7.0.16.172.in-addr.arpa name = www.magedu.com.
> exit[root@localhost ~]#
配置子域:
- 仅能修改主DNS服务器,因为从服务器不能修改解析库,从服务器是从主服务器那里同步数据的;
- 修改解析库后需要将serial + 1,否则从服务器无法立即同步数据;
修改主DNS
[root@localhost named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171131
1H
10M
1W
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
ns2 IN A 172.16.0.6
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6
pop3 IN A 172.16.0.7ops IN NS ns1.ops
ns1.ops IN A 172.16.0.8[root@localhost named]# named-checkzone magedu.com magedu.com.zone
zone magedu.com/IN: ops.magedu.com/NS ‘ns1.ops.magedu.com’ extra GLUE A record (172.16.0.8)
zone magedu.com/IN: ops.magedu.com/NS ‘ns1.ops.magedu.com’ missing GLUE A record (218.28.144.39)
zone magedu.com/IN: loaded serial 20171131
OK
[root@localhost named]# rndc reload
server reload successful
配置子域
[root@localhost ~]# rpm -q bind
未安装软件包 bind
[root@localhost ~]# yum -y install bind bind-libs bind-utils
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# netstat -tunl
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “ops.magedu.com” IN {
type mater;
file “ops.magedu.com.zone”;
};
[root@localhost ~]# cd /var/named
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# vim ops.magedu.com.zone
[root@localhost named]# vim ops.magedu.com.zone <– 为了语法着色,第二次进入;
$TTL 3600
$ORIGIN ops.magedu.com.
@ IN SOA @ nsadmin.magedu.com. (
20171129
1H
10M
1W
1D)
IN NS ns1
ns1 IN A 172.16.0.8
www IN A 172.16.0.8
[root@localhost named]#
[root@localhost named]# ll
总用量 20
drwxrwx— 2 named named 22 11月 29 23:19 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
-rw-r–r– 1 root root 146 11月 29 23:22 ops.magedu.com.zone
drwxrwx— 2 named named 6 3月 6 2015 slaves
[root@localhost named]# chgrp named ops.magedu.com.zone
[root@localhost named]# chmod o= ops.magedu.com.zone
[root@localhost named]# vim /etc/named.rfc1912.zones
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone ops.magedu.com ops.magedu.com.zone
zone ops.magedu.com/IN: loaded serial 20171129
OK
[root@localhost named]# rndc status
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# rndc status
[root@localhost named]# dig -t A www.ops.magedu.com @172.16.0.8
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.ops.magedu.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.magedu.com. IN A
;; ANSWER SECTION:
www.ops.magedu.com. 3600 IN A 172.16.0.8
;; AUTHORITY SECTION:
ops.magedu.com. 3600 IN NS ns1.ops.magedu.com.
;; ADDITIONAL SECTION:
ns1.ops.magedu.com. 3600 IN A 172.16.0.8
;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:24:33 CST 2017
;; MSG SIZE rcvd: 97
[root@localhost named]# vim /etc/resolv.conf
nameserver 172.16.0.8
[root@localhost named]# host -t NS ops.magedu.com
ops.magedu.com name server ns1.ops.magedu.com.
注意:
子域能否解析父域?
[root@localhost named]# dig -t A www.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 17;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A;; ANSWER SECTION:
www.magedu.com. 383 IN A 101.200.188.230;; AUTHORITY SECTION:
magedu.com. 172583 IN NS ns1.alidns.com.
magedu.com. 172583 IN NS ns2.alidns.com.;; ADDITIONAL SECTION:
ns1.alidns.com. 172583 IN A 106.11.211.61
ns1.alidns.com. 172583 IN A 140.205.41.11
ns1.alidns.com. 172583 IN A 140.205.41.21
ns1.alidns.com. 172583 IN A 140.205.81.11
ns1.alidns.com. 172583 IN A 140.205.81.21
ns1.alidns.com. 172583 IN A 106.11.141.111
ns1.alidns.com. 172583 IN A 106.11.141.121
ns1.alidns.com. 172583 IN A 106.11.211.51
ns2.alidns.com. 172583 IN A 140.205.41.12
ns2.alidns.com. 172583 IN A 140.205.41.22
ns2.alidns.com. 172583 IN A 140.205.81.12
ns2.alidns.com. 172583 IN A 140.205.81.22
ns2.alidns.com. 172583 IN A 106.11.141.112
ns2.alidns.com. 172583 IN A 106.11.141.122
ns2.alidns.com. 172583 IN A 106.11.211.52
ns2.alidns.com. 172583 IN A 106.11.211.62;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:32:44 CST 2017
;; MSG SIZE rcvd: 358不能
父域能否解析子域?
[root@localhost named]# dig -t A www.ops.magedu.com @172.16.0.7
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.ops.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35571
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.magedu.com. IN A;; ANSWER SECTION:
www.ops.magedu.com. 3600 IN A 172.16.0.8;; AUTHORITY SECTION:
ops.magedu.com. 3600 IN NS ns1.ops.magedu.com.;; ADDITIONAL SECTION:
ns1.ops.magedu.com. 3600 IN A 172.16.0.8;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 23:33:20 CST 2017
;; MSG SIZE rcvd: 97能
开启,子域的区域转发:在子域主机上定义
[root@localhost named]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type forward;
forward only;
forwarders { 172.16.0.7; 172.16.0.8; };
};forward
first: 表示递归请求转发过去后,不响应;自己再出去迭代;
only: 表示递归请求后,只等响应;[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful在测试子域解析父域:
[root@localhost named]# rndc flush
[root@localhost named]# dig -t A www.magedu.com @172.16.0.8; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5087
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A;; ANSWER SECTION:
www.magedu.com. 3600 IN A 172.16.0.7;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns2.magedu.com.;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7
ns2.magedu.com. 3600 IN A 172.16.0.6;; Query time: 1204 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:37:04 CST 2017
;; MSG SIZE rcvd: 127[root@localhost named]#
基本安全配置:
1、可以全量传送仅从服务器:
主DNS服务器修改:
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
allow-transfer { 172.16.0.6; };
};
zone “0.16.172.in-addr.arpa” IN {
type master;
file “172.16.0.zone”;
allow-transfer { 172.16.0.6; };
};[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful从服务修改
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type slave;
file “slaves/magedu.com.zone”;
masters { 172.16.0.7; };
allow-transfer { localhost; }; <– 因为从服务器没有从服务器了呀!
};
zone “0.16.172.in-addr.arpa” IN {
type slave;
file “slaves/0.16.172.in-addr.arpa”;
masters { 172.16.0.7; };
allow-transfer { localhost; };
};[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful子域主,没有从:
[root@localhost named]# vim + /etc/named.rfc1912.zones
zone “ops.magedu.com” IN {
type master;
file “ops.magedu.com.zone”;
allow-transfer { localhost; };
};
[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful不应该允许别人更新解析库:
allow-update { none; };
本文来自投稿,不代表Linux运维部落立场,如若转载,请注明出处:http://www.178linux.com/89092
