http://zhang789.blog.51cto.com/11045979/1858610 https://segmentfault.com/a/1190000010332312
Global configuration section: options { ... }
Logging subsystem section: logging { ... }
Zone definition section: zone "ZONE_NAME" IN { ... }
Zone definitions: a zone must be defined for every zone this host is to resolve.
Note: every configuration statement must end with a semicolon.
Any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with those hosts.

Listen on an address that can communicate with external hosts:
    listen-on port 53 { 172.16.252.245; };
dnssec: it is recommended to turn dnssec off (set it to no) when doing these experiments yourself:
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;
Turn off the "local queries only" restriction by commenting it out:
    //allow-query { localhost; };
Check the main configuration file for syntax errors:
    named-checkconf /etc/named.conf
Check a zone file for errors:
    named-checkzone "rookie.com" /var/named/rookie.com.zone
Example:
    [root@localhost ~]# vim /etc/named.conf
dig [-t type] name [@SERVER] [query options]
dig only tests the DNS system; it never consults the hosts file.
Query options:
    +[no]trace: trace the resolution process, e.g. dig +trace rookie.com
    +[no]recurse: perform recursive resolution
    [root@localhost ~]# dig -t A www.baidu.com @172.16.252.254 +trace
Reverse lookup: dig -x IP is equivalent to dig -t ptr reverseip.in-addr.arpa
Zone transfer: dig -t axfr ZONE_NAME @SERVER
    dig -t axfr rookie.com @10.10.10.11
    dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1
Root servers: dig -t NS . @114.114.114.114
    dig -t NS . @a.root-servers.net
[root@localhost ~]# dig -t NS baidu.com @172.16.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35043
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com.                     IN      NS

;; ANSWER SECTION:
baidu.com.              54644   IN      NS      ns7.baidu.com.
baidu.com.              54644   IN      NS      ns3.baidu.com.
baidu.com.              54644   IN      NS      ns4.baidu.com.
baidu.com.              54644   IN      NS      dns.baidu.com.
baidu.com.              54644   IN      NS      ns2.baidu.com.

;; ADDITIONAL SECTION:
ns2.baidu.com.          140982  IN      A       61.135.165.235
ns4.baidu.com.          140982  IN      A       220.181.38.10
dns.baidu.com.          140982  IN      A       202.108.22.220
ns3.baidu.com.          140982  IN      A       220.181.37.10
ns7.baidu.com.          140982  IN      A       119.75.219.82

;; Query time: 2 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:38 EDT 2017
;; MSG SIZE  rcvd: 208

[root@localhost ~]# dig -t NS baidu.com @172.16.0.1 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1 +nocomments
;; global options: +cmd
;baidu.com.                     IN      NS
baidu.com.              54627   IN      NS      dns.baidu.com.
baidu.com.              54627   IN      NS      ns3.baidu.com.
baidu.com.              54627   IN      NS      ns2.baidu.com.
baidu.com.              54627   IN      NS      ns4.baidu.com.
baidu.com.              54627   IN      NS      ns7.baidu.com.
ns2.baidu.com.          140965  IN      A       61.135.165.235
ns4.baidu.com.          140965  IN      A       220.181.38.10
dns.baidu.com.          140965  IN      A       202.108.22.220
ns3.baidu.com.          140965  IN      A       220.181.37.10
ns7.baidu.com.          140965  IN      A       119.75.219.82
;; Query time: 1 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:56 EDT 2017
;; MSG SIZE  rcvd: 208
host [-t type] name [SERVER]
    host -t NS rookie.com 172.16.0.1
    host -t soa rookie.com
    host -t mx rookie.com
    host -t axfr rookie.com
    host 1.2.3.4
nslookup command: nslookup [-option] [name | -] [server]
Interactive mode (at the nslookup> prompt):
    server IP: specify which DNS server to query
    set q=RR_TYPE: specify the resource record type to query
    name: the name to look up

[root@localhost ~]# nslookup
> server 172.16.0.1
Default server: 172.16.0.1
Address: 172.16.0.1#53
> set q=a
> www.tencent.com
Server:         172.16.0.1
Address:        172.16.0.1#53

Non-authoritative answer:
www.tencent.com canonical name = upfile.wj.qq.com.cloud.tc.qq.com.
upfile.wj.qq.com.cloud.tc.qq.com        canonical name = ssd.tcdn.qq.com.
Name:   ssd.tcdn.qq.com
Address: 111.202.99.24
Name:   ssd.tcdn.qq.com
Address: 111.202.99.25
Name:   ssd.tcdn.qq.com
Address: 111.202.99.23
Name:   ssd.tcdn.qq.com
Address: 123.125.110.21
Name:   ssd.tcdn.qq.com
Address: 123.125.110.12
Name:   ssd.tcdn.qq.com
Address: 123.125.110.11
Name:   ssd.tcdn.qq.com
Address: 123.125.110.22
rndc: remote name domain controller
It uses 953/tcp, but by default named listens for it only on 127.0.0.1, so rndc can only be used locally.
    rndc client -> rndc port (953/tcp)
rndc COMMAND
Commands:
    reload: reload the main configuration file and the zone files
    reload zonename: reload one zone file
    retransfer zonename: start a zone transfer manually, whether or not the serial has increased
    notify zonename: resend the zone transfer notification
    reconfig: reload the main configuration file only
    querylog: turn the query log (/var/log/message) on or off
    trace: raise the debug level by one
    trace LEVEL: set the debug level to LEVEL
    notrace: set the debug level to 0
    flush: flush the DNS cache

[root@localhost ~]# rndc status
version: 9.9.4-RedHat-9.9.4-37.el7 <id:8f9657aa>
CPUs found: 4
CPU worker threads: 4
UDP listeners per interface: 4
number of zones: 101
debug level: 0
xfers running: 0                (zone transfers running)
xfers deferred: 0               (zone transfers deferred)
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
zone "ZONE_NAME" IN {
    type {master|slave|hint|forward};
    file "ZONE_NAME.zone";
};
A zone file contains macro definitions (such as $TTL) and resource records.
Main configuration file syntax check: named-checkconf
Zone file syntax check: named-checkzone "rookie.com" /var/named/rookie.com.zone
Reload: rndc status, rndc reload, or service named reload
Note: pay particular attention to three points before configuring the experiment:
    turn off the firewall
    turn off SELinux
    the clocks must be synchronised
Taking the rookie.com domain as the example:
Define the zone
Do this in the main configuration file (/etc/named.conf) or in its auxiliary configuration file (/etc/named.rfc1912.zones):
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "rookie.com" IN {
    type master;
    file "rookie.com.zone";
};
Note: the zone name is the domain name.
Create the zone data file (mainly A or AAAA records)
Create the zone data file under /var/named; the file is /var/named/rookie.com.zone
[root@localhost /var/named]# vim rookie.com.zone
$TTL 600                                             ; global variable: cache for 600 seconds
rookie.com.  IN SOA rookie.com. admin.rookie.com. (  ; domain name, administrator mailbox
             2017060101    ; serial number
             1H            ; refresh interval: one hour
             5M            ; retry interval: five minutes
             1W            ; expire: one week
             6H )          ; TTL of negative answers: six hours
             IN NS dns1.rookie.com.
             IN NS dns2.rookie.com.
dns1.rookie.com.  IN A 172.16.250.149
dns2.rookie.com.  IN A 172.16.252.245
www.rookie.com.   IN A 172.16.0.1
web               IN CNAME www
Fix the permissions and group:
[root@localhost /var/named]# chgrp named /var/named/rookie.com.zone
[root@localhost /var/named]# chmod o= /var/named/rookie.com.zone
[root@localhost /var/named]# ll
總用量 20
drwxrwx--- 2 named named    6 11月 12 2016 data
drwxrwx--- 2 named named    6 11月 12 2016 dynamic
-rw-r----- 1 root  named 2076 1月  28 2013 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
-rw-r----- 1 root  named  301 6月   1 00:22 rookie.com.zone
Check for syntax errors:
[root@localhost /var/named]# named-checkconf
[root@localhost /var/named]# named-checkzone "rookie.com" /var/named/rookie.com.zone
zone rookie.com/IN: loaded serial 2017060101
OK
Have the server reload the configuration file and zone data file
[root@localhost /var/named]# rndc reload
[root@localhost ~]# systemctl restart named.service
Verify
[root@localhost /var/named]# dig -t A www.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.                IN      A

;; ANSWER SECTION:
www.rookie.com.         600     IN      A       172.16.252.125

;; AUTHORITY SECTION:
rookie.com.             600     IN      NS      dns1.rookie.com.
rookie.com.             600     IN      NS      dns2.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.        600     IN      A       172.16.250.149
dns2.rookie.com.        600     IN      A       172.16.252.245

;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: 四 6月 01 01:02:13 CST 2017
;; MSG SIZE  rcvd: 129

The server IP can also be omitted by editing the resolver configuration in /etc/resolv.conf:
[root@localhost /var/named]# vim /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
search magedu.com
#nameserver 172.16.0.1
[root@localhost /var/named]# dig -t A www.rookie.com

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.                IN      A

;; ANSWER SECTION:
www.rookie.com.         600     IN      A       172.16.252.125

;; AUTHORITY SECTION:
rookie.com.             600     IN      NS      dns2.rookie.com.
rookie.com.             600     IN      NS      dns1.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.        600     IN      A       172.16.250.149
dns2.rookie.com.        600     IN      A       172.16.252.245

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:08:08 CST 2017
;; MSG SIZE  rcvd: 129
Define the reverse zone
Do this in the main configuration file or in its auxiliary configuration file:
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
    type master;
    file "172.16.zone";
};
Note: the name of a reverse zone is the network address written backwards, followed by .in-addr.arpa; for 172.16 it is 16.172.in-addr.arpa.
Define the zone file (mainly PTR records)
[root@localhost ~]# vim /var/named/172.16.zone
$TTL 600
@        IN SOA rookie.com. admin.rookie.com. (
         2017060101
         1H
         5M
         2W
         1D )
@        IN NS dns1.rookie.com.
@        IN NS dns2.rookie.com.
149.250  IN PTR dns1.rookie.com.
245.252  IN PTR dns2.rookie.com.
125.252  IN PTR www.rookie.com.
Fix the permissions and group:
[root@localhost /var/named]# chgrp named /var/named/172.16.zone
[root@localhost /var/named]# chmod o= /var/named/172.16.zone
Check for syntax errors (named-checkzone takes the zone origin as its first argument, so passing the real origin 16.172.in-addr.arpa makes relative owner names such as 149.250 expand the same way named will expand them):
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone "172.16" /var/named/172.16.zone
zone 172.16/IN: loaded serial 2017060101
Have the server reload the configuration file and zone data file
[root@localhost ~]# rndc reload
[root@localhost ~]# systemctl restart named.service
Verify
[root@localhost /var/named]# dig -x 172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 172.16.259.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;149.259.16.172.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
149.259.16.172.in-addr.arpa. 600 IN     PTR     dns1.rookie.com.

;; AUTHORITY SECTION:
16.172.in-addr.arpa.    600     IN      NS      dns1.rookie.com.
16.172.in-addr.arpa.    600     IN      NS      dns2.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.        600     IN      A       172.16.250.149
dns2.rookie.com.        600     IN      A       172.16.252.245

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:44:45 CST 2017
;; MSG SIZE  rcvd: 150
Note: a slave server is a zone-level concept.
Master zone configuration: refer to the forward and reverse zone configuration above.
Slave zone configuration:
On the slave
Define the slave zone (on a second virtual machine):
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "rookie.com." IN {
    type slave;
    file "slaves/rookie.com.zone";
    masters { 172.16.250.149; };    # the master node
};
[root@localhost ~]# vim /etc/named.conf
options {
    //listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;
[root@localhost ~]# named-checkconf
Both master and slave must reload their configuration:
[root@localhost ~]# rndc reload
[root@localhost ~]# systemctl restart named.service
[root@localhost ~]# ll /var/named/slaves/        (the zone file has already been transferred)
total 4
-rw-r--r-- 1 named named 414 Jun  1 03:01 rookie.com.zone
Verify on the slave
[root@localhost ~]# dig -t A www.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.                IN      A

;; ANSWER SECTION:
www.rookie.com.         600     IN      A       172.16.252.125

;; AUTHORITY SECTION:
rookie.com.             600     IN      NS      dns1.rookie.com.
rookie.com.             600     IN      NS      dns2.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.        600     IN      A       172.16.250.149
dns2.rookie.com.        600     IN      A       172.16.252.245

;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:41:02 EDT 2017
;; MSG SIZE  rcvd: 129
Modify the zone file on the master and test again:
[root@localhost /var/named]# vim rookie.com.zone
$TTL 600
rookie.com.  IN SOA rookie.com. admin.rookie.com. (
             2017060102
             1H
             5M
             1W
             6D )
             IN NS dns1.rookie.com.
             IN NS dns2.rookie.com.
dns1.rookie.com.  IN A 172.16.250.149
dns2.rookie.com.  IN A 172.16.252.245
www.rookie.com.   IN A 172.16.252.125
web               IN CNAME www
ftp               IN CNAME www
[root@localhost ~]# dig -t A ftp.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A ftp.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.rookie.com.                IN      A

;; ANSWER SECTION:
ftp.rookie.com.         600     IN      CNAME   WWW.rookie.com.
WWW.rookie.com.         600     IN      A       172.16.252.125

;; AUTHORITY SECTION:
rookie.com.             600     IN      NS      dns1.rookie.com.
rookie.com.             600     IN      NS      dns2.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.        600     IN      A       172.16.250.149
dns2.rookie.com.        600     IN      A       172.16.252.245

;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:46:11 EDT 2017
;; MSG SIZE  rcvd: 147
Make sure the zone data file has an NS record for every slave server, and that the forward zone file has an A record for the hostname in each slave's NS record, with the address in that A record being the real IP address of the slave server.
Note: the clocks must be synchronised (ntpdate command).
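As an added example (not code from the original post), a shell/awk check for the two conditions above that a slave depends on: an SOA serial in YYYYMMDDNN form that is higher than the serial the slave already holds (the post bumps 2017060101 to 2017060102), and an A record for every in-zone NS name. The zone file, the function zone_check and the "slave serial" argument are constructed for this example; the zone deliberately lists dns3 without an A record.

```shell
# Constructed zone in the same layout as the post's rookie.com.zone
# (blank owner fields inherit the previous owner, serial on its own line).
ZONE_FILE="${TMPDIR:-/tmp}/rookie.com.zone.sample"
cat > "$ZONE_FILE" <<'EOF'
$TTL 600
@    IN SOA rookie.com. admin.rookie.com. (
         2017060102   ; serial, bumped from the 2017060101 the slave holds
         1H 5M 1W 6H )
     IN NS dns1.rookie.com.
     IN NS dns2.rookie.com.
     IN NS dns3.rookie.com.   ; new slave listed, but it has no A record below
dns1 IN A 172.16.250.149
dns2.rookie.com. IN A 172.16.252.245
www  IN A 172.16.252.125
web  IN CNAME www
EOF
zone_check() {
    # $1: zone file, $2: origin with trailing dot, $3: serial the slave holds.
    # Prints one finding per line and nothing when the zone is consistent.
    awk -v origin="$2" -v old="$3" '
        function fqdn(n) { return (n ~ /\.$/) ? n : (n == "@" ? origin : n "." origin) }
        /^\$/ { next }                               # $TTL and other directives
        { sub(/;.*/, "") }                           # strip comments
        NF == 0 { next }
        want_serial { serial = $1; want_serial = 0; next }    # serial on its own line
        {
            if ($0 ~ /^[ \t]/) $0 = owner " " $0; else owner = $1   # blank owner = previous
            for (i = 2; i <= NF; i++) if ($i == "IN") break
            type = $(i + 1); rdata = $(i + 2)
            if (type == "SOA") {                     # serial may also follow "(" on this line
                want_serial = 1
                for (j = i + 2; j <= NF; j++) if ($j ~ /^[0-9]+$/) { serial = $j; want_serial = 0; break }
            } else if (type == "NS") ns[fqdn(rdata)] = 1
            else if (type == "A") a[fqdn($1)] = rdata
        }
        END {
            if (length(serial) != 10 || serial !~ /^[0-9]+$/)
                print "serial " serial " is not in YYYYMMDDNN form"
            else if (serial + 0 <= old + 0)
                print "serial " serial " is not above the slave copy " old ": no transfer will happen"
            for (h in ns)                            # only in-zone NS names need an A record here
                if (substr(h, length(h) - length(origin) + 1) == origin && !(h in a))
                    print "NS " h " has no A record in this zone (missing glue)"
        }' "$1"
}
zone_check "$ZONE_FILE" rookie.com. 2017060101   # reports only the dns3 glue gap
```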
Subdomain delegation:
How to delegate a subdomain from a forward zone:
    ops.rookie.com. IN NS ns1.ops.rookie.com.
    ops.rookie.com. IN NS ns2.ops.rookie.com.
    ns1.ops.rookie.com. IN A IP.AD.DR.ESS
    ns2.ops.rookie.com. IN A IP.AD.DR.ESS
Defining forwarding:
Note: the server being forwarded to must be willing to recurse for the current server; otherwise the forwarded request is not carried out.
Per-zone forwarding:
zone "ZONE_NAME" IN {
    type forward;
    forward {first|only};
    forwarders { SERVER_IP; };
};
Global forwarding, in the options section:
options {
    ...
    forward {only|first};
    forwarders { SERVER_IP; };
    ...
};
first: forward first; if the forwarder does not respond, perform the iterative query yourself
only: forward only
Note: turn off dnssec:
    dnssec-enable no;
    dnssec-validation no;
acl: access control list; groups one or more addresses into a named set, after which every host in the set can be referenced uniformly through that name.
Format: acl acl_name { ip; net/prelen; ... };
Example: acl mynet { 172.16.0.0/16; 10.10.10.10; };
Built-in acls:
    none: no host at all
    any: any host
    localhost: this machine
    localnets: the network addresses obtained by ANDing this machine's IP addresses with their netmasks
Note: an acl can only be used after it has been defined, so it is usually placed in the configuration file before options.
Directives that take an address list:
    allow-query {}; hosts allowed to query; a whitelist
    allow-transfer {}; hosts allowed to receive zone transfers; the default allows all hosts, so it should be restricted to the slave servers only
    allow-recursion {}; hosts allowed to send recursive queries to this DNS server
    allow-update {}; DDNS, hosts allowed to dynamically update the contents of the zone data file
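As an added example (not the post's own code), a small sed/awk audit of the directives just listed, run over two constructed named.conf files: the first mirrors the open slave configuration shown earlier (recursion yes, allow-query any, no allow-transfer, dnssec-validation no), the second adds the access control that the comment block in that file demands. normalise_conf, audit_named_conf, the acl name mynet and both sample files are assumptions of this example.

```shell
WEAK_CONF="${TMPDIR:-/tmp}/weak-named.conf"
cat > "$WEAK_CONF" <<'EOF'
options {
    //listen-on port 53 { 127.0.0.1; };
    listen-on port 53 { 172.16.252.245; };
    allow-query { any; };
    /* recursion is fine for a cache, but then it must be access-controlled */
    recursion yes;
    dnssec-validation no;
};
zone "rookie.com" IN { type slave; file "slaves/rookie.com.zone"; masters { 172.16.250.149; }; };
EOF
FIXED_CONF="${TMPDIR:-/tmp}/fixed-named.conf"
cat > "$FIXED_CONF" <<'EOF'
acl mynet { 172.16.0.0/16; };
options {
    listen-on port 53 { 172.16.252.245; };
    allow-query { any; };
    recursion yes;
    allow-recursion { mynet; };          # recursion only for our own clients
    allow-transfer { 172.16.250.149; };  # AXFR only with the other name server
    dnssec-validation yes;
};
zone "rookie.com" IN { type slave; file "slaves/rookie.com.zone"; masters { 172.16.250.149; }; };
EOF
normalise_conf() {
    # Drop // and # comments, join lines, drop /* */ blocks, then emit one
    # statement per line so every check in audit_named_conf is a line match.
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' \
      | sed -E 's:/\*([^*]|\*[^/])*\*/::g' | tr ';' '\n' | sed -E 's/[[:space:]]+/ /g'
}
audit_named_conf() {   # prints one finding per line, nothing when clean
    normalise_conf "$1" | awk '
        /recursion yes/        { recursion = 1 }
        /allow-query.*any/     { any_query = 1 }
        /allow-recursion/      { allow_rec = 1 }
        /allow-transfer/       { xfr = 1; if ($0 ~ /any/) xfr_any = 1 }
        /dnssec-validation no/ { no_dnssec = 1 }
        END {
            if (recursion && any_query && !allow_rec)
                print "open resolver: recursion yes, allow-query any, no allow-recursion"
            if (!xfr)      print "no allow-transfer: by default any host may AXFR the zones"
            if (xfr_any)   print "allow-transfer any: zone contents readable by anyone"
            if (no_dnssec) print "dnssec-validation no: forged answers are accepted"
        }'
}
audit_named_conf "$WEAK_CONF"    # three findings; the fixed config prints nothing
```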
view: a BIND server can define multiple views, and each view can contain one or more zones.
Each view matches one group of clients.
Several views may need to resolve the same zone, but using different zone files.
Views are matched from top to bottom, so the more specific internal view must come before the catch-all external one, and once views are used every zone must be placed inside a view.
view VIEW_NAME {
    zone ...
    zone ...
};
view internal {
    match-clients { 172.16.0.0/8; };
    zone "rookie.com" IN {
        type master;
        file "rookie.com/internal";
    };
};
view external {
    match-clients { any; };
    zone "rookie.com" IN {
        type master;
        file "rookie.com/external";
    };
};