一、高速缓存器
高速缓存 DNS 服务器:通过向其他域名解析服务器查询获得域名与 IP 地址的对应关系,并将经常查询的域名信息保存到服务器本地,以此来提高重复查询时的效率。
DNS(域名服务器)是进行域名和与之相对应的IP地址转换的服务器。DNS中保存了一张域名和与之相对应的IP地址的表,以解析消息的域名。 域名是Internet上某一台计算机或计算机组的名称,用于在数据传输时标识计算机的电子方位(有时也指地理位置)。域名是由一串用点分隔的名字组成的,通常包含组织名,而且始终包括两到三个字母的后缀,以指明组织的类型或该域所在的国家或地区。DNS是计算机域名系统的缩写,它是由域名解析器和域名服务器组成的。域名服务器是指保存有该网络中所有主机的域名和对应IP地址,并具有将域名转换为IP地址功能的服务器。其中域名必须对应一个IP地址,一个IP地址可以有多个域名,而IP地址不一定有域名。域名系统采用类似目录树的等级结构。域名服务器通常为客户机/服务器模式中的服务器方,它主要有两种形式:主服务器和转发服务器。将域名映射为IP地址的过程就称为“域名解析”。
DNS 服务器主要分为以下三种:
- 主服务器(权威服务器):在特定区域内具有唯一性,负责维护该区域内的域名与 IP 地址之间的对应关系。
- 从服务器:从主服务器中获得域名与 IP 地址的对应关系并进行维护,以防主服务器宕机等情况。
- 缓存服务器:通过向其他域名解析服务器查询获得域名与 IP 地址的对应关系,并将经常查询的域名信息保存到服务器本地,以此来提高重复查询时的效
(1)、配置yum 源:vim /etc/yum.repos.d/rhel_dvd.repo
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.254.60/source7.0
name = Remote classroom copy of dvd
(2)、安装bind安装包:yum install bind -y
(3)、开启named服务 :systemctl start named
(4)、关闭火墙:systemctl stop firewalld
(5)、编辑主配置文件:vim /etc/named.conf
ptions {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders {114.114.114.114; };
dnssec-validation no;6、重新启动服务:systemctl rsetart named
7、dig www.baidu.com
实例:
[root@localhost ~]# yum clean all #清空缓存信息
已加载插件:langpacks
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
正在清理软件源: rhel_dvd
Cleaning up everything
[root@localhost ~]# yum repolist
已加载插件:langpacks
rhel_dvd | 4.1 kB 00:00
(1/2): rhel_dvd/primary_db | 3.4 MB 00:00
(2/2): rhel_dvd/group_gz | 134 kB 00:00
源标识 源名称 状态
rhel_dvd Remote classroom copy of dvd 4,305
repolist: 4,305
[root@localhost ~]# yum install bind -y #安装bind安装包
已加载插件:langpacks
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind.x86_64.32.9.9.4-14.el7 将被 安装
--> 解决依赖关系完成..
..............................省略
Running transaction
正在安装 : 32:bind-9.9.4-14.el7.x86_64 1/1
验证中 : 32:bind-9.9.4-14.el7.x86_64 1/1
已安装:
bind.x86_64 32:9.9.4-14.el7
完毕!
[root@localhost ~]# systemctl start named #开启named服务
[root@localhost ~]# systemctl enable named #开机时自动重启named服务
ln -s '/usr/lib/systemd/system/named.service' '/etc/syste md/system/multi-user.target.wants/named.service'
[root@localhost ~]# systemctl status named #查看named服务的状态
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled)
Active: active (running) since 三 2018-05-23 23:02:56 EDT; 34s ago
Main PID: 2431 (named)
CGroup: /system.slice/named.service
└─2431 /usr/sbin/named -u named
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: error (network unreach...
5月 23 23:02:56 localhost named[2431]: managed-keys-zone: Una...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# vim /etc/named.conf #编辑主配置文件
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders {114.114.114.114; };
dnssec-validation no;
[root@localhost ~]# systemctl restart named #重新启动服务
[root@localhost ~]# systemctl stop firewalld #关闭防火墙
[root@localhost ~]# systemctl disable firewalld #永久关闭防火墙
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
根据dig解析并观察速度
二、dns正向解析
在 DNS 域名解析服务中,正向解析是指根据域名(主机名)查找到对应的 IP 地址。也就是说,当用户输入了一个域名后,bind 服务程序会自动进行查找,并将匹配到的 IP 地址返给用户。这也是最常用的 DNS 工作模式。
正向解析:通过域名查找ip,即通过主机名获取其对应的广域网IP地址;
Bind的主配置文件是etc/name.conf,该文件是文本文件,一般需手动生成。
10 options {
11 listen-on port 53 { any; }; #设置named监听端口及ip地址
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named"; #设置区域文件数据库存放的位置
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; }; #设置允许DNS查询的客户端
18 forwarders { 172.25.254.160; };
区域配置文件
24 zone "westos.com" IN { #定义正向DNS区域
25 type master; #设置区域类型
26 file "westos.com.zone"; #设置对应的正向区域地址数据库文件
27 allow-update { none; }; #设置允许动态显示的客户端地址(none为禁止)
28 };
查找bind下的相关配置文件
将named.localhost复制到westos.com.zone下
注意此时必须加参数-p
正向域名解析数据库文件
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial 版本号,同步一次加1,在企业当中,表示为201503122
1D ; refresh 更新时间
1H ; retry 更新失败,重试更新时间
1W ; expire #更新多少次后,此时DNS服务将失效
3H ) ; minimum 解析请求不到多少时间不予恢复
NS dns.westos.com. 域名服务器
dns A 172.25.254.160 dns域名服务器的ip地址
www A 172.25.254.150 www域名服务器的ip地址
bbs A 172.25.254.140 bbs域名服务器的ip
该文件用来指定系统中DNS服务器的IP地址和一些相关信息,格式如下
# Generated by NetworkManager
domain example.com
search example.com ilt.example.com
nameserver 172.25.254.160
dig测试(可以看到www的A记录)
三、dns反向解析
反向域名解析系统(Reverse DNS)的功能确保适当的邮件交换记录是生效的。反向域名解析与通常的正向域名解析相反,提供IP地址到域名的对应
反向解析:通过ip查找域名;
配置辅助文件/etc/named.rfc1912.zones
31 zone "254.25.172.in-addr.arpa" IN { #定义反向解析的ip
32 type master; #设置区域类型
33 file "westos.com.ptr"; #设置反向DNS区域的数据库
34 allow-update { none; };#设置允许动态显示的客户端地址(none为禁止)
35 };
$TTL 1D
@ IN SOA dns.westos.com root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com. 域名服务器
dns A 172.25.254.160
110 PTR www.westos.com. 反向解析的域名ip地址
120 PTR hello.westos.com.
查看westos.com.ptr文件信息
.
[root@localhost named]# systemctl restart named #重新启动服务
[root@localhost named]# dig -x 172.25.254.110 #测试:反向解析:由ip解析出域名
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.110
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34208 #显示NOERROR时解析正确
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;110.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
110.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; Query time: 0 msec
;; SERVER: 172.25.254.160#53(172.25.254.160)
;; WHEN: 二 5月 22 08:54:03 EDT 2018
;; MSG SIZE rcvd: 102
四、dns双向解析
在DNS的使用中,有时候需要局域网内和网外的IP询问DNS域名解析不同的IP,这时就需要用到双向解析了,双向解析就是使局域网内解析域名得到和局域网外解析域名不同的IP。
1、编辑主配置文件/etc/named.conf
对主配置文件( /etc/named.conf )进行配置
/etc/named.conf named 服务的配置文件。语句用括号括起来,以分号结束。语句中的子句也是分号终止。支持通常的注释样式。
[root@localhost ~]# vim /etc/named.conf
10 options {
11 listen-on port 53 { any; }; #允许任何ip通过53端口进行访问
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; }; #控制任何客户端都可以访问DNS服务询问信息
18
32 dnssec-validation no; #DNS安全扩展验证关闭
将50到58行注释
50 /*
51 zone "." IN {
52 type hint;
53 file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";
57 include "/etc/named.root.key";
58 */
59
60 view localnet { #本地客户访问的DNS服务
61 match-clients {172.25.254.118; }; #允许固定ip或网段的用户访问
62 zone "." IN{
63 type hint;
64 file "named.ca";
65 };
66 include "/etc/named.rfc1912.zones";
67 };
68 view internet { #允许外网客户访问的DNS服务
69 match-clients {any; }; #允许所有用户进行访问
70 zone "." IN{
71 type hint;
72 file "named.ca";
73 };
74 include "/etc/named.rfc1912.zones.inter";
75 };
76
复制named.rfc1912.zones文件到/etc/named.rfc1912.zones.inter
[root@localhost ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter
编辑辅助配置文件/etc/named.rfc1912.zones.inter,将外网用户的DNS解析文件,设置为westos.com.inter
[root@localhost ~]# vim /etc/named.rfc1912.zones.inter
25 zone "westos.com" IN { #域名
26 type master;
27 file "westos.com.inter"; #文件名称
28 allow-update { none; };
29 };
创建外网DNS解析文件
[root@localhost ~]# cp -p /var/named/westos.com.zone /var/named/westos.com.inter
编辑DNS解析文件westos.com.inter
[root@localhost ~]# vim /var/named/westos.com.inter
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
A 192.168.12.160
dns A 192.168.12.120
hu A 192.168.12.140
hao A 192.168.12.139
www CNAME node1.westos.com.
node1 A 192.168.12.100
node1 A 192.168.12.200
重启named服务
[root@localhost ~]# systemctl restart named
测试,内网用户解析时,看到的是172.25.254.0
[root@localhost ~]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47481
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 172.25.254.100
node1.westos.com. 86400 IN A 172.25.254.200
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 01:05:11 EDT 2018
;; MSG SIZE rcvd: 129
在另一台主机上执行以下命令
外网用户看到的是192.168.12.0
[root@localhost ~]# vim /etc/resolv.conf
# Generated by NetworkManager
domain ilt.example.com
search ilt.example.com example.com
nameserver 172.25.254.118
[root@localhost ~]# dig www.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12955
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 192.168.12.200
node1.westos.com. 86400 IN A 192.168.12.100
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 192.168.12.120
五、从属DNS服务器部署:dns集群
serial: 更新序列号。表示配置文件的修改版本,格式是年月日当日修改的次数,每次修改时都应该修改这个数字,要不然所做修改的不会更新到网上的其它DNS服务器的数据库上,即你所做的更新很可能对于不以你你的所配置的DNS服务器数据库上,即你所做的更新很可能对于不以你的所配置的DNS服务器为DNS服务器的客户端来说就不会反映出你的更新,也就对他们来你的更新是没意义的
1、主DNS服务器
部署 DNS 集群前,先将主 DNS 服务器中关于内外网的 DNS 的相关配置去掉
[root@localhost ~]# vim /etc/named.conf #编辑主配置文件
61 /*
62 view localnet {
63 match-clients { 172.25.254.114; };
64 zone "." IN {
65 type hint;
66 file "named.ca";
67 };
68 include "/etc/named.rfc1912.zones";
69 };
70
71 view Anynet {
72 match-clients { any; };
73 zone "." IN {
74 type hint;
75 file "named.ca";
76 };
77 include "/etc/named.rfc1912.inter";
78 };
79 */
打开:
53 zone "." IN {
54 type hint;
55 file "named.ca";
56 };
57
58 include "/etc/named.rfc1912.zones";
59 include "/etc/named.root.key"
[root@localhost ~]# vim /etc/resolv.conf #编辑解析文件
# Generated by NetworkManager
domain example.com
search example.com ilt.example.com
nameserver 172.25.254.118 #从本机中进行解析
[root@localhost named]# vim westos.com.zone #编辑文件
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
2 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
A 172.25.254.160
dns A 172.25.254.120
hu A 172.25.254.140
hao A 172.25.254.139
www CNAME node1.westos.com.
node1 A 172.25.254.222
node1 A 172.25.254.111
[root@localhost named]# systemctl restart named #重启named服务
[root@localhost named]# vim /etc/named.rfc1912.zones #编辑辅助配置文件
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 also-notify {172.25.254.218; };
30 };
[root@localhost named]# systemctl restart named #重新启动named服务
[root@localhost named]# dig www.westos.com #修改前利用dig进行验证
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 172.25.254.222
node1.westos.com. 86400 IN A 172.25.254.111
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 02:26:14 EDT 2018
;; MSG SIZE rcvd: 129
[root@localhost named]# vim westos.com.zone #编辑域名文件westos.com.zone
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
3 ; serial #每修改一次这里数字就要加1,企业级201532411
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
A 172.25.254.160
dns A 172.25.254.120
hu A 172.25.254.140
hao A 172.25.254.139
www CNAME node1.westos.com.
node1 A 172.25.254.100 #修改id
node1 A 172.25.254.233
[root@localhost named]# systemctl restart named #重新启动named服务
[root@localhost named]# dig www.westos.com #修改后进行dig验证
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62903
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 172.25.254.100
node1.westos.com. 86400 IN A 172.25.254.233
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 02:27:27 EDT 2018
;; MSG SIZE rcvd: 129
(2)辅助DNS服务器
[root@localhost ~]# vim /etc/yum.repos.d/rhel_dvd.repo #配置yum源
[root@localhost ~]# yum clean all #清空缓存
已加载插件:langpacks
正在清理软件源: rhel_dvd
Cleaning up everything
[root@localhost ~]# yum repolist #yum源信息
已加载插件:langpacks
rhel_dvd | 4.1 kB 00:00
(1/2): rhel_dvd/group_gz | 134 kB 00:00
(2/2): rhel_dvd/primary_db | 3.4 MB 00:00
源标识 源名称 状态
rhel_dvd Remote classroom copy of dvd 4,305
repolist: 4,305
[root@localhost ~]# yum install bind -y #安装bind安装包
已加载插件:langpacks
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind.x86_64.32.9.9.4-14.el7 将被 安装
--> 解决依赖关系完成
依赖关系解决
====================================================================
Package 架构 版本 源 大小
====================================================================
正在安装:
bind x86_64 32:9.9.4-14.el7 rhel_dvd 1.8 M
事务概要
====================================================================
安装 1 软件包
总下载量:1.8 M
安装大小:4.3 M
Downloading packages:
bind-9.9.4-14.el7.x86_64.rpm | 1.8 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在安装 : 32:bind-9.9.4-14.el7.x86_64 1/1
验证中 : 32:bind-9.9.4-14.el7.x86_64 1/1
已安装:
bind.x86_64 32:9.9.4-14.el7
完毕!
[root@localhost ~]# systemctl start named #开启named服务
[root@localhost ~]# systemctl enable named #开机时启动named服务
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
[root@localhost ~]# systemctl stop firewalld #关闭防火墙
[root@localhost ~]# systemctl disable firewalld #开机时关闭防火墙
[root@localhost ~]# vim /etc/named.conf #编辑主配置文件
[root@localhost ~]# vim /etc/named.rfc1912.zones #编辑辅助配置文件
[root@localhost ~]# systemctl restart named #重新启动named服务
[root@localhost ~]# vim /etc/resolv.conf #编辑解析文件
[root@localhost ~]# dig www.westos.com #执行dig命令进行验证
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19261
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 172.25.254.111
node1.westos.com. 86400 IN A 172.25.254.222
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 1 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 02:26:18 EDT 2018
;; MSG SIZE rcvd: 129
辅助DNS服务器的第二次验证
[root@localhost ~]# dig www.westos.com #修改后westos.com.zones文件后,利用dig进行验证
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12571
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A
;; ANSWER SECTION:
www.westos.com. 86400 IN CNAME node1.westos.com.
node1.westos.com. 86400 IN A 172.25.254.100
node1.westos.com. 86400 IN A 172.25.254.233
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 02:27:31 EDT 2018
;; MSG SIZE rcvd: 129
六、普通模式 DNS 更新
在主DNS服务器中执行的命令
(1)在主服务器中编辑配置文件 /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.218; };
29 also-notify {172.25.254.218; };
30 };
(2)更新后修改 /var/named/ 目录的权限,让 “组权限” 可写,否则从属服务器无法上传信息到主服务器
chmod 770 /var/named
(3)重新启动named服务:systemctl restart named
在从属DNS服务器中执行的命令进行更新
nsupdate #动态域名更新程序
>server 主DNS服务器的id #要上传的目的地
>update add test.westos.com 86400 A 172.25.254.40 #添加需要上传的DNS服务的Id
>send #发送当前的消息
如果此时出现refuse,那么首先应该检查服务是否重启,配置文件是否写的正确,然后还是被拒绝的话,应考虑SELINUX的状态
更新成功后就会出现如下的文件 :westos.com.zone.jnl;
可以利用dig在主DNS服务器进行验证:dig test.westos.com
主DNS服务器:
[root@localhost ~]# vim /etc/named.rfc1912.zones #编辑配置文件
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.218; }; #允许172.25.254.218这台主机进行更新
29 also-notify {172.25.254.218; };
30 };
[root@localhost named]# chmod 770 /var/named/ 修改/var/named的权限
[root@localhost ~]# ls -ld /var/named
drwxrwx--- 5 root named 4096 5月 24 03:30 /var/named
[root@localhost ~]# systemctl restart named #重启服务
从属DNS服务器
[root@localhost named]# nsupdate
> server 172.25.254.118
> update add test.westos.com 86400 A 172.25.254.50
> send
在主DNS服务器中查看是否更新成功
[root@localhost named]# ls
data named.localhost westos.com.ptr
dynamic named.loopback westos.com.zone
named.ca slaves westos.com.zone.jnl
[root@localhost named]# dig test.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> test.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58647
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.westos.com. IN A
;; ANSWER SECTION:
test.westos.com. 86400 IN A 172.25.254.50
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: 四 5月 24 03:31:36 EDT 2018
;; MSG SIZE rcvd: 94
七、DNS 加密传输更新
上述通过指定子服务器 IP 来更新 DNS 不够安全,可以通过密钥的方式来进行
在主DNS服务器中执行的命令
[root@dns-server ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos #获取密钥
Kwestos.+157+32336
[root@dns-server ~]# ls #查看是否有生成的密钥文件
anaconda-ks.cfg Documents Kwestos.+157+32336.key Music Public Videos
Desktop Downloads Kwestos.+157+32336.private Pictures Templates
[root@dns-server ~]# cat Kwestos.+157+32336.private #查看私有钥匙的文件
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: T3X0lrVfee5jWvWbPlpuCA==
Bits: AAA=
Created: 20180520063741
Publish: 20180520063741
Activate: 20180520063741
[root@dns-server ~]# cat Kwestos.+157+32336.key #查看公钥匙文件
westos. IN KEY 512 3 157 T3X0lrVfee5jWvWbPlpuCA==
[root@dns-server ~]# vim /etc/named.rfc1912.zones #编辑配置文件
19 zone "westos.com" IN {
20 type master;
21 file "westos.com.zone";
22 allow-update { key westos; }; #拥有钥匙的主机才可以更新
23 also-notify { 172.25.254.218; };
24 };
[root@dns-server ~]# vim /etc/named.conf #编辑主配置文件
43 include "/etc/westos.key";
[root@dns-server ~]# vim /etc/westos.key #编辑钥匙的文件
key "westos" {
algorithm hmac-md5;
secret "T3X0lrVfee5jWvWbPlpuCA==";
};
~
[root@dns-server ~]# scp Kwestos.+157+32336.* [email protected]:/mnt/ #将钥匙送给218这台主机到/mnt目录下
[email protected]'s password: #输入密码
Kwestos.+157+32336.key 100% 50 0.1KB/s 00:00
Kwestos.+157+32336.private 100% 165 0.2KB/s 00:00
[root@dns-server ~]# systemctl restart named #重新启动服务
在172.25.254.218这台主机上进行更新
[root@localhost ~]# nsupdate -k /mnt/Kwestos.+157+50874.private
> server 172.25.254.118
> update add sweet.westos.com 86400 A 172.25.254.11
> send
若是没有任何显示的话说明更新成功
在真机中进行验证时,被拒绝
[kiosk@foundation60 Desktop]$ nsupdate
> server 172.25.254.118
> update add book.westos.com 86400 A 172.25.254.112
> send
update failed: REFUSED
>
在主DNS服务器上进行验证
[root@dns-server named]# dig sweet.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> sweet.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6099
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;sweet.westos.com. IN A
;; ANSWER SECTION:
sweet.westos.com. 86400 IN A 172.25.254.11
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.120
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 5月 24 04:03:41 EDT 2018
;; MSG SIZE rcvd: 95
八、DHCP 更新DNS 动态域名服务部署
首先在主dnc服务器中,安装dhcp服务
[root@dns-server Desktop]# yum install dhcp -y #安装dhcp服务
安装dhcp服务时,编辑dhcp配置文件
root@dns-server Desktop] vim /etc/dhcp/dhcpd.conf #编辑dhcp配置文件
6 # option definitions common to all supported networks...
7 option domain-name "westos.com"; #备选域名
8 option domain-name-servers 172.25.254.118; #备选域名服务器
13 # Use this to enble / disable dynamic dns updates globally. #使用此功能可以在全局范围内禁用/禁用动态dns更新
14 ddns-update-style interim; #启用
28 # This is a very basic subnet declaration.
29
30 subnet 172.25.254.0 netmask 255.255.255.0 { #设置动态分配的网段和子网掩码
31 range 172.25.254.110 172.25.254.130; #设置动态分配的ip范围
32 option routers 172.25.254.118; #分配的网关
33 }
34
35 key westos { #dns 服务密钥
36 algorithm hmac-md5;
37 secret T3X0lrVfee5jWvWbPlpuCA==;
38 };
39
40 zone westos.com. { #dns服务区域
41 primary 127.0.0.1; #允许哪个主机进行动态同步
42 key westos; #通过密钥进行
43 }
[root@dns-server Desktop]# systemctl restart dhcpd.service # 重新启动dhcp 服务
[root@dns-server Desktop]# systemctl status dhcpd.service #查看dhcp服务的状态
dhcpd.service - DHCPv4 Server Daemon
Loaded: loaded (/usr/lib/systemd/system/dhcpd.service; disabled)
Active: active (running) since Sun 2018-05-20 04:35:23 EDT; 18s ago
Docs: man:dhcpd(8)
man:dhcpd.conf(5)
Main PID: 11706 (dhcpd)
CGroup: /system.slice/dhcpd.service
└─11706 /usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group.
在从属服务器端
[root@localhost~] hostnamectl set-hostname linux.westos.com #修改主机名称
ot@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0 #编辑网络配置文件
DEVICE=eth0 #设备名称
TYPE=Ethernet #网络类型
BOOTPROTO=dhcp #设置网络为dhcp类型
USERCTL=yes
PEERDNS=yes
IPV6INIT=no
ONBOOT=yes
PERSISTENT_DHCLIENT=1
[root@localhost~]#systemctl restart network #重新启动服务
ot@localhost ~]# dig linux.westos.com #进行测试
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> linux.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24936
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;linux.westos.com. IN A
;; ANSWER SECTION:
linux.westos.com. 300 IN A 172.25.254.110
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.118
;; Query time: 0 msec
;; SERVER: 172.25.254.118#53(172.25.254.118)
;; WHEN: Sun May 20 04:56:07 EDT 2018
;; MSG SIZE rcvd: 95