1.关于父域服务器配置
用 vim /etc/named.conf 编辑主配置文件，systemctl reload named 载入配置；用 cat /etc/named.conf | grep -v ^$ | grep -v ^\/ 查看去掉空行和 // 注释后的有效配置。用 vim /etc/named.rfc1912.zones 编辑区域配置文件，tail -5 /etc/named.rfc1912.zones 查看新增的父域区域定义，rndc reload 载入配置，tail /var/log/messages 查看日志。用 vim /var/named/example.com.zone 编辑父域解析文件，cat /var/named/example.com.zone 查看，named-checkzone 检查语法后再 rndc reload 载入配置。安全提示：下面的 options 里只有 recursion yes;，没有 allow-query / allow-recursion，区域定义里也没有 allow-transfer，因此任何能访问 53 端口的主机都可以经由该服务器递归查询，也可以整个拉取区域数据（日志中 172.20.0.132 的 AXFR 正说明传送没有受限）。实验环境之外，应在 options 中加上 allow-recursion { 172.20.0.0/24; };（按实际内网网段调整），并在区域定义里加上 allow-transfer { 172.20.0.132; }; 只允许从域服务器传送。另外，区域文件里的通配符 * IN A 会让所有不存在的主机名都解析到 172.20.0.131，拼错的名字不会得到 NXDOMAIN，是否保留请按场景决定。还要注意本节末尾添加的子域委派记录：ns1.ops 写了两条 A 记录（172.20.0.131 和 172.20.0.139），ns2.ops 却没有 A 记录（胶水记录缺失），而且 172.20.0.131 是父域服务器本机，并不是第 2 节中子域的 ns1（172.20.0.132）。委派的 NS 名称和胶水 A 记录必须与子域服务器上实际的 NS/A 记录一致，否则父域无法把查询正确转交给子域。
[root@lab1 ~]# vim /etc/named.conf
[root@lab1 ~]# systemctl reload named
[root@lab1 ~]# cat /etc/named.conf | grep -v ^$ | grep -v ^\/
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/* Path to ISC DLV key */
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lab1 ~]# vim /etc/named.rfc1912.zones
[root@lab1 ~]# tail -5 /etc/named.rfc1912.zones
zone "example.com" IN {
type master;
file "example.com.zone";
};
[root@lab1 ~]# rndc reload
server reload successful
[root@lab1 ~]# tail /var/log/messages
Jan 17 07:07:11 lab1 named[975]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 17 07:07:11 lab1 named[975]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 17 07:07:11 lab1 named[975]: automatic empty zone: A.E.F.IP6.ARPA
Jan 17 07:07:11 lab1 named[975]: automatic empty zone: B.E.F.IP6.ARPA
Jan 17 07:07:11 lab1 named[975]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 17 07:07:11 lab1 named[975]: zone 0.20.172.in-addr.arpa/IN: (master) removed
Jan 17 07:07:11 lab1 named[975]: reloading configuration succeeded
Jan 17 07:07:11 lab1 named[975]: reloading zones succeeded
Jan 17 07:07:11 lab1 named[975]: all zones loaded
Jan 17 07:07:11 lab1 named[975]: running
[root@lab1 ~]# vim /var/named/example.com.zone
[root@lab1 ~]# cat /var/named/example.com.zone
$TTL 86400
$ORIGIN example.com.
@ IN SOA ns1.example.com. admin.example.com. (
2019011701
1H
5M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 172.20.0.131
ns2 IN A 172.20.0.132
www IN A 172.20.0.131
* IN A 172.20.0.131
[root@lab1 ~]# named-checkzone "example.com" /var/named/example.com.zone
zone example.com/IN: loaded serial 2019011701
OK
[root@lab1 ~]# ll /var/named/example.com.zone
-rw-r-----. 1 root named 459 Jan 17 07:09 /var/named/example.com.zone
[root@lab1 ~]# rndc reload
server reload successful
[root@lab1 ~]# tail /var/log/messages
Jan 17 07:11:26 lab1 named[975]: automatic empty zone: B.E.F.IP6.ARPA
Jan 17 07:11:26 lab1 named[975]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 17 07:11:26 lab1 named[975]: reloading configuration succeeded
Jan 17 07:11:26 lab1 named[975]: reloading zones succeeded
Jan 17 07:11:26 lab1 named[975]: zone example.com/IN: loaded serial 2019011701
Jan 17 07:11:26 lab1 named[975]: all zones loaded
Jan 17 07:11:26 lab1 named[975]: running
Jan 17 07:11:26 lab1 named[975]: zone example.com/IN: sending notifies (serial 2019011701)
Jan 17 07:11:26 lab1 named[975]: client 172.20.0.132#41389 (example.com): transfer of 'example.com/IN': AXFR-style IXFR started
Jan 17 07:11:26 lab1 named[975]: client 172.20.0.132#41389 (example.com): transfer of 'example.com/IN': AXFR-style IXFR ended
[root@lab1 ~]# dig -t A www.example.com @172.20.0.131 | grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
; EDNS: version: 0, flags:; udp: 4096
[root@lab1 ~]# dig -t A ftp.example.com @172.20.0.131 | grep flags
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
; EDNS: version: 0, flags:; udp: 4096
[root@lab1 ~]# vim /var/named/example.com.zone
[root@lab1 ~]# cat /var/named/example.com.zone
$TTL 86400
$ORIGIN example.com.
@ IN SOA ns1.example.com. admin.example.com. (
2019011701
1H
5M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 172.20.0.131
ns2 IN A 172.20.0.132
www IN A 172.20.0.131
* IN A 172.20.0.131
ops IN NS ns1.ops
ops IN NS ns2.ops
ns1.ops IN A 172.20.0.131
ns1.ops IN A 172.20.0.139
[root@lab1 ~]# rndc reload
server reload successful
2.关于子域服务器配置
用 vim /etc/named.conf 编辑子域服务器的主配置文件，cat /etc/named.conf | grep -v ^$ | grep -v ^\/ 查看有效配置，systemctl reload named 载入配置，ss -tunl | grep :53 查看监听状态（可见 named 在 172.20.0.132:53 和 127.0.0.1:53 上监听；它同样是 recursion yes 且没有 allow-recursion 限制，与父域服务器有同样的开放递归问题）。用 vim /etc/named.rfc1912.zones 编辑区域配置文件，tail -5 /etc/named.rfc1912.zones 查看新增的子域区域定义，rndc reload 载入配置。用 vim /var/named/ops.example.com.zone 编辑子域解析文件，cat /var/named/ops.example.com.zone 查看。注意该文件 SOA 记录中的主服务器名 ns1.ops.example.com 末尾缺少点号，在 $ORIGIN ops.example.com. 下会被当作相对名称补全为 ns1.ops.example.com.ops.example.com.；named 仍能正常加载（日志显示 loaded serial 2019011701），所以这类错误不会在日志里暴露，应改为 ns1.ops.example.com. 并把序列号递增。用 ll /var/named/ops.example.com.zone 查看权限和属主：新建文件默认是 root:root 0644，用 chmod 640 和 chown :named 改成与父域一致的 root:named 0640，这样 named 进程只能读取而不能修改区域文件，其它本地用户也读不到。rndc reload 载入配置。dig -t A www.ops.example.com @172.20.0.132 | grep ANSWER -A1 尝试正向解析；dig -t NS ops.example.com @172.20.0.132 | grep ANSWER -A1 尝试名称服务器解析（应答头显示 ANSWER: 2，输出里只有一条是因为 -A1 只打印一行）。
[root@lab2 ~]# vim /etc/named.conf
[root@lab2 ~]# cat /etc/named.conf | grep -v ^$ | grep -v ^\/
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
/* Path to ISC DLV key */
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@lab2 ~]# systemctl reload named
[root@lab2 ~]# ss -tunl | grep :53
udp UNCONN 0 0 172.20.0.132:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 10 172.20.0.132:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
[root@lab2 ~]# vim /etc/named.rfc1912.zones
[root@lab2 ~]# tail -5 /etc/named.rfc1912.zones
zone "ops.example.com" IN {
type master;
file "ops.example.com.zone";
};
[root@lab2 ~]# rndc reload
server reload successful
[root@lab2 ~]# vim /var/named/ops.example.com.zone
[root@lab2 ~]# cat /var/named/ops.example.com.zone
$TTL 1d
$ORIGIN ops.example.com.
@ IN SOA ns1.ops.example.com admin.ops.example.com. (
2019011701
1H
10M
3D
1D )
IN NS ns1
IN NS ns2
ns1 IN A 172.20.0.132
ns2 IN A 172.20.0.139
www IN A 172.20.0.140
* IN A 172.20.0.140
[root@lab2 ~]# ll /var/named/ops.example.com.zone
-rw-r--r--. 1 root root 546 Jan 17 07:28 /var/named/ops.example.com.zone
[root@lab2 ~]# chmod 640 /var/named/ops.example.com.zone
[root@lab2 ~]# chown :named /var/named/ops.example.com.zone
[root@lab2 ~]# ll /var/named/ops.example.com.zone
-rw-r-----. 1 root named 546 Jan 17 07:28 /var/named/ops.example.com.zone
[root@lab2 ~]# rndc reload
server reload successful
[root@lab2 ~]# tail /var/log/messages
Jan 17 07:29:05 lab2 named[971]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 17 07:29:05 lab2 named[971]: automatic empty zone: A.E.F.IP6.ARPA
Jan 17 07:29:05 lab2 named[971]: automatic empty zone: B.E.F.IP6.ARPA
Jan 17 07:29:05 lab2 named[971]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 17 07:29:05 lab2 named[971]: reloading configuration succeeded
Jan 17 07:29:05 lab2 named[971]: reloading zones succeeded
Jan 17 07:29:05 lab2 named[971]: zone ops.example.com/IN: loaded serial 2019011701
Jan 17 07:29:05 lab2 named[971]: zone ops.example.com/IN: sending notifies (serial 2019011701)
Jan 17 07:29:05 lab2 named[971]: all zones loaded
Jan 17 07:29:05 lab2 named[971]: running
[root@lab2 ~]# dig -t A www.ops.example.com @172.20.0.132 | grep ANSWER -A1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
--
;; ANSWER SECTION:
www.ops.example.com. 86400 IN A 172.20.0.140
[root@lab2 ~]# dig -t NS ops.example.com @172.20.0.132 | grep ANSWER -A1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 3
--
;; ANSWER SECTION:
ops.example.com. 86400 IN NS ns1.ops.example.com.
3.父域服务器转发的配置
先用 dig -t A www.baidu.com @172.20.0.2 确认网关本身可以解析外网域名。然后 vim /etc/named.conf 编辑父域服务器配置文件，在 options 里 recursion yes; 之后加上 forward first; forwarders { 172.20.0.2; };，用 cat /etc/named.conf | grep recursion[[:space:]] -A2 查看新增的转发定义，rndc reload 重新载入，再用 dig -t A www.baidu.com @172.20.0.131 通过父域服务器解析。说明：forward first 表示先把需要递归的查询交给转发器，转发器不应答时再退回用 named.ca 中的根提示自行迭代解析；这意味着所有外网应答都来自并信任 172.20.0.2，而且这里的 forwarders 写在 options 里是全局生效的，会作用于本机所有需要递归的查询（包括对自己委派出去的子域的查询），这一点在第 4 节会有影响。
[root@lab1 ~]# dig -t A www.baidu.com @172.20.0.2
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.baidu.com @172.20.0.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 926
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0005 , udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
WWW.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 163.177.151.110
www.a.shifen.com. 5 IN A 163.177.151.109
;; Query time: 38 msec
;; SERVER: 172.20.0.2#53(172.20.0.2)
;; WHEN: Thu Jan 17 07:51:18 EST 2019
;; MSG SIZE rcvd: 105
[root@lab1 ~]# vim /etc/named.conf
[root@lab1 ~]# cat /etc/named.conf | grep recursion[[:space:]] -A2
recursion yes;
forward first;
forwarders { 172.20.0.2; };
[root@lab1 ~]# rndc reload
server reload successful
[root@lab1 ~]# dig -t A www.baidu.com @172.20.0.131
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.baidu.com @172.20.0.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42178
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 163.177.151.110
www.a.shifen.com. 5 IN A 163.177.151.109
;; AUTHORITY SECTION:
com. 172799 IN NS h.gtld-servers.net.
com. 172799 IN NS l.gtld-servers.net.
com. 172799 IN NS a.gtld-servers.net.
com. 172799 IN NS b.gtld-servers.net.
com. 172799 IN NS k.gtld-servers.net.
com. 172799 IN NS i.gtld-servers.net.
com. 172799 IN NS j.gtld-servers.net.
com. 172799 IN NS f.gtld-servers.net.
com. 172799 IN NS e.gtld-servers.net.
com. 172799 IN NS c.gtld-servers.net.
com. 172799 IN NS m.gtld-servers.net.
com. 172799 IN NS g.gtld-servers.net.
com. 172799 IN NS d.gtld-servers.net.
;; ADDITIONAL SECTION:
e.gtld-servers.net. 172799 IN A 192.12.94.30
e.gtld-servers.net. 172799 IN AAAA 2001:502:1ca1::30
b.gtld-servers.net. 172799 IN A 192.33.14.30
b.gtld-servers.net. 172799 IN AAAA 2001:503:231d::2:30
j.gtld-servers.net. 172799 IN A 192.48.79.30
j.gtld-servers.net. 172799 IN AAAA 2001:502:7094::30
m.gtld-servers.net. 172799 IN A 192.55.83.30
m.gtld-servers.net. 172799 IN AAAA 2001:501:b1f9::30
i.gtld-servers.net. 172799 IN A 192.43.172.30
i.gtld-servers.net. 172799 IN AAAA 2001:503:39c1::30
f.gtld-servers.net. 172799 IN A 192.35.51.30
f.gtld-servers.net. 172799 IN AAAA 2001:503:d414::30
a.gtld-servers.net. 172799 IN A 192.5.6.30
a.gtld-servers.net. 172799 IN AAAA 2001:503:a83e::2:30
g.gtld-servers.net. 172799 IN A 192.42.93.30
g.gtld-servers.net. 172799 IN AAAA 2001:503:eea3::30
h.gtld-servers.net. 172799 IN A 192.54.112.30
h.gtld-servers.net. 172799 IN AAAA 2001:502:8cc::30
l.gtld-servers.net. 172799 IN A 192.41.162.30
l.gtld-servers.net. 172799 IN AAAA 2001:500:d937::30
k.gtld-servers.net. 172799 IN A 192.52.178.30
k.gtld-servers.net. 172799 IN AAAA 2001:503:d2d::30
c.gtld-servers.net. 172799 IN A 192.26.92.30
c.gtld-servers.net. 172799 IN AAAA 2001:503:83eb::30
d.gtld-servers.net. 172799 IN A 192.31.80.30
d.gtld-servers.net. 172799 IN AAAA 2001:500:856e::30
;; Query time: 2457 msec
;; SERVER: 172.20.0.131#53(172.20.0.131)
;; WHEN: Thu Jan 17 07:55:50 EST 2019
;; MSG SIZE rcvd: 897
4.子域服务器转发的配置
用 vim /etc/named.rfc1912.zones 编辑子域服务器的区域配置文件，tail -5 /etc/named.rfc1912.zones 查看新增的 example.com 转发区域（type forward; forward only; forwarders { 172.20.0.131; };），rndc reload 重新载入，tail /var/log/messages 查看日志。dig -t A www.ops.example.com @172.20.0.132 | grep "ANSWER SECTION" -A2 在子域服务器上解析子域；dig -t A www.ops.example.com @172.20.0.131 在父域服务器上解析子域，结果是 NXDOMAIN。注意：NXDOMAIN 并不是 DNSSEC 验证失败的表现——验证失败返回的是 SERVFAIL。该应答没有 aa 标志且 AUTHORITY 为 0，更像是父域服务器 options 里的全局 forward first 先把查询转给了 172.20.0.2，由上游按公网上真实的 example.com 回答“不存在”；同时第 1 节里 ops 的委派胶水记录本身也与子域不一致（ns1.ops 指向 172.20.0.131 而子域的 ns1 是 172.20.0.132，ns2.ops 没有 A 记录）。应先修正委派记录，并检查全局转发是否影响了对委派子域的递归（可以改为只对需要的区域做 zone 级转发），再重新测试。随后 vim /etc/named.conf 分别把父域和子域服务器的 dnssec-enable / dnssec-validation 改为 no（不能只注释掉，这两项默认是开启的），用 grep dnssec /etc/named.conf 确认，最后 dig -t A www.example.com @172.20.0.132 用子域服务器解析父域。安全提示：关闭 dnssec-validation 对整个服务器生效，此后它为所有外部域名做的递归解析都不再校验签名，等于放弃了对应答伪造/缓存投毒的防护，不应当作为常规修复手段。子域服务器之所以会遇到验证问题，很可能是因为实验选用的 example.com 在公网上是真实存在且已签名的域名，而内网的 example.com 副本没有签名，验证器会把转发来的应答判为 bogus。更稳妥的做法是改用不会与公网重名的内部域名，或在支持的 BIND 版本上只为该内部区域设置否定信任锚（rndc nta）或 validate-except（本例使用的 9.9.4 较旧，可能不支持这些选项），而不是全局关闭验证。
[root@lab2 ~]# vim /etc/named.rfc1912.zones
[root@lab2 ~]# tail -5 /etc/named.rfc1912.zones
zone "example.com" IN {
type forward;
forward only;
forwarders { 172.20.0.131; };
};
[root@lab2 ~]# rndc reload
server reload successful
[root@lab2 ~]# tail /var/log/messages
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: D.F.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: 8.E.F.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: 9.E.F.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: A.E.F.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: B.E.F.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jan 18 02:33:34 lab2 named[977]: reloading configuration succeeded
Jan 18 02:33:34 lab2 named[977]: reloading zones succeeded
Jan 18 02:33:34 lab2 named[977]: all zones loaded
Jan 18 02:33:34 lab2 named[977]: running
[root@lab2 ~]# dig -t A www.ops.example.com @172.20.0.132 | grep "ANSWER SECTION" -A2
;; ANSWER SECTION:
www.ops.example.com. 86400 IN A 172.20.0.140
[root@lab1 ~]# dig -t A www.ops.example.com @172.20.0.131
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.ops.example.com @172.20.0.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 46587
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.example.com. IN A
;; Query time: 479 msec
;; SERVER: 172.20.0.131#53(172.20.0.131)
;; WHEN: Fri Jan 18 02:48:59 EST 2019
;; MSG SIZE rcvd: 48
[root@lab1 ~]# vim /etc/named.conf
[root@lab1 ~]# grep dnssec /etc/named.conf
dnssec-enable no;
dnssec-validation no;
[root@lab2 ~]# vim /etc/named.conf
[root@lab2 ~]# grep dnssec /etc/named.conf
dnssec-enable no;
dnssec-validation no;
[root@lab2 ~]# dig -t A www.example.com @172.20.0.132
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> -t A www.example.com @172.20.0.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1635
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.example.com. IN A
;; ANSWER SECTION:
www.example.com. 86400 IN A 172.20.0.131
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns2.example.com.
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns2.example.com. 86400 IN A 172.20.0.132
ns1.example.com. 86400 IN A 172.20.0.131
;; Query time: 1 msec
;; SERVER: 172.20.0.132#53(172.20.0.132)
;; WHEN: Fri Jan 18 03:02:00 EST 2019
;; MSG SIZE rcvd: 128