DNS(Domain Name System)是把域名解析成 IP 地址、从而定位主机的服务。它使用 53 端口:普通查询通常走 UDP,但区域传送(AXFR)以及应答超过 UDP 大小被截断后的重试走 TCP,因此防火墙要同时放行 UDP/53 和 TCP/53。
DNS解析流程图
BIND 有 4 和 9 两个主要版本:BIND 4 早已停止维护、不再有安全更新,不应再使用;现在发行版默认安装的是 BIND 9。
协议:DNS
软件: BIND
进程名: named
安装
[root@marvin ~]
# yum install bind -y
实验环境:
域名 marvin.com,网段 192.168.1.0/24:
dns  192.168.1.220 (权威 DNS,本机 marvin)
www  192.168.1.221
mail 192.168.1.223
pop  --> mail (CNAME)
ftp  --> www  (CNAME)
主配置文件:/etc/named.conf,定义全局选项(options)和各个区域(zone)
至少要有三个区域:根区域(type hint)、localhost 正向区域、以及 127.0.0.1 的反向区域(1.0.0.127.in-addr.arpa)
区域数据文件:
/var/named/
named 进程以 named 用户 / named 组运行,而不是 root;因此配置文件和区域文件设为 root:named 属主、640 权限即可:named 能读取,但即使进程被攻破也改不了配置。
根域名服务器查找:
[root@marvin ~]
# dig -t NS . [@dnsServer 指定服务器查找]
; <<>> DiG 9.8.2rc1--9.8.2-0.47.rc1.el6 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 36810
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 276268 IN NS c.root-servers.net.
. 276268 IN NS l.root-servers.net.
. 276268 IN NS f.root-servers.net.
. 276268 IN NS m.root-servers.net.
. 276268 IN NS d.root-servers.net.
. 276268 IN NS a.root-servers.net.
. 276268 IN NS e.root-servers.net.
. 276268 IN NS g.root-servers.net.
. 276268 IN NS i.root-servers.net.
. 276268 IN NS k.root-servers.net.
. 276268 IN NS j.root-servers.net.
. 276268 IN NS b.root-servers.net.
. 276268 IN NS h.root-servers.net.
;; Query
time
: 69 msec
;; SERVER: 114.114.114.114
#53(114.114.114.114)
;; WHEN: Sun Jun 5 10:42:33 2016
;; MSG SIZE rcvd: 228
主配置文件:
[root@marvin ~]
# mv /etc/named.conf /etc/named.conf.bak
[root@marvin ~]
# vim /etc/named.conf
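options {
	// Global options.
	// Listen only on loopback and the lab address; if listen-on is omitted,
	// named binds every address on the box.
	listen-on port 53 { 127.0.0.1; 192.168.1.220; };
	listen-on-v6 port 53 { ::1; };
	// Cache dump and statistics output paths; not security relevant.
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	// Who may query at all. Leaving this unset (or "any") answers every host.
	// allow-recursion below can only whitelist clients that allow-query
	// admits, so the LAN is listed here as well; with "localhost" alone the
	// recursion whitelist could never take effect.
	allow-query { localhost; 192.168.1.0/24; };
	// Recursion stays enabled for the LAN only. A recursive resolver that is
	// reachable from the Internet is an open resolver and an amplification
	// source, so never widen allow-recursion to "any".
	recursion yes;
	// Each address-match-list element needs its own ';' — the original
	// listing showed none after the prefix, which named-checkconf rejects.
	allow-recursion { 192.168.1.0/24; };
	// DNSSEC: validate upstream answers against the trust anchors below.
	dnssec-enable yes;
	dnssec-validation yes;
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
	// Working directory; relative zone file names are resolved against it.
	directory "/var/named";
};
// Zone types: hint = root hints, master = primary, slave = secondary,
// forward = forwarding zone.
zone "." {
	type hint;
	file "named.ca";
};
zone "localhost." IN {
	type master;
	file "named.localhost";
};
zone "1.0.0.127.in-addr.arpa." IN {
	type master;
	file "named.loopback";
};
// Authoritative zones. Zone transfers (AXFR) default to "any" in BIND 9,
// which would hand the whole host list to anyone; restrict them to the
// server itself (the slave is added here later).
zone "marvin.com." IN {
	type master;
	file "marvin.com.zone";
	allow-transfer { 127.0.0.1; 192.168.1.220; };
};
zone "1.168.192.in-addr.arpa." IN {
	type master;
	file "192.168.1.zone";
	allow-transfer { 127.0.0.1; 192.168.1.220; };
};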
[root@marvin ~]
# chown root.named /etc/named.conf
[root@marvin ~]
# chmod 640 /etc/named.conf
正向解析数据库文件:
[root@marvin named]
# vim marvin.com.zone
$TTL 600                 ; default TTL for every record below
; Forward zone for marvin.com; the origin (@) comes from the zone statement in named.conf.
; SOA: primary server dns.marvin.com, contact admin@marvin.com (the '@' is written as '.').
@ IN SOA dns.marvin.com. admin.marvin.com. (
2016060511               ; serial (YYYYMMDDnn); must increase on every edit
2H                       ; refresh
10M                      ; retry
7D                       ; expire
1D)                      ; negative-caching TTL
@ IN NS dns              ; relative name, expands to dns.marvin.com.
@ IN MX 10 mail
dns IN A 192.168.1.220
mail IN A 192.168.1.223
www IN A 192.168.1.221
pop IN CNAME mail
ftp IN CNAME www
[root@marvin named]
# chown root.named marvin.com.zone
[root@marvin named]
# chmod 640 marvin.com.zone
反向解析数据库文件:
[root@marvin named]
# vim 192.168.1.zone
$TTL 600                 ; default TTL for every record below
; Reverse zone for 192.168.1.0/24 (origin 1.168.192.in-addr.arpa from named.conf).
; Owner names are the last octet; they are completed with the origin.
@ IN SOA dns.marvin.com. admin.marvin.com. (
2016060511               ; serial; keep in step with the forward zone
2H                       ; refresh
10M                      ; retry
7D                       ; expire
1D)                      ; negative-caching TTL
@ IN NS dns.marvin.com.  ; fully qualified (trailing dot), unlike the forward file
220 IN PTR dns.marvin.com.
223 IN PTR mail.marvin.com.
221 IN PTR www.marvin.com.
[root@marvin named]
# chown root.named 192.168.1.zone
[root@marvin named]
# chmod 640 192.168.1.zone
语法检测(named-checkconf 检查主配置,named-checkzone 逐个检查区域文件——反向区域文件同样要检查):
[root@marvin ~]
# /etc/init.d/named configtest
zone localhost
/IN
: loaded serial 0
zone 1.0.0.127.
in
-addr.arpa
/IN
: loaded serial 0
[root@marvin ~]
# named-checkconf
[root@marvin named]
# named-checkzone "marvin.com" /var/named/marvin.com.zone
zone marvin.com
/IN
: loaded serial 2016060511
OK
启动:
[root@marvin ~]
# /etc/init.d/named start
Generating
/etc/rndc
.key: [ OK ]
Starting named: [ OK ]
[root@marvin named]
# vim /etc/resolv.conf
search localdomain
#nameserver 114.114.114.114
nameserver 192.168.1.220
正向解析测试:
[root@marvin named]
# dig -t A www.marvin.com @marvin
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.marvin.com @marvin
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 10468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.marvin.com. IN A
;; ANSWER SECTION:
www.marvin.com. 600 IN A 192.168.1.221
;; AUTHORITY SECTION:
marvin.com. 600 IN NS dns.marvin.com.
;; ADDITIONAL SECTION:
dns.marvin.com. 600 IN A 192.168.1.220
;; Query
time
: 0 msec
;; SERVER: 192.168.1.220
#53(192.168.1.220)
;; WHEN: Sun Jun 5 11:43:06 2016
;; MSG SIZE rcvd: 82
反向解析测试:
[root@marvin named]
# dig -x 192.168.1.221 @marvin
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.221 @marvin
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 33871
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;221.1.168.192.
in
-addr.arpa. IN PTR
;; ANSWER SECTION:
221.1.168.192.
in
-addr.arpa. 600 IN PTR www.marvin.com.
;; AUTHORITY SECTION:
1.168.192.
in
-addr.arpa. 600 IN NS dns.marvin.com.
;; ADDITIONAL SECTION:
dns.marvin.com. 600 IN A 192.168.1.220
;; Query
time
: 0 msec
;; SERVER: 192.168.1.220
#53(192.168.1.220)
;; WHEN: Mon Jun 6 09:02:04 2016
;; MSG SIZE rcvd: 106
区域传送测试(受 allow-transfer 控制):AXFR 一次返回区域内的全部记录。只有 allow-transfer 列出的地址才能传送;如果不写这一项,BIND 默认允许任何主机传送,等于把整个内网主机清单公开。
[root@marvin ~]
# dig -t axfr marvin.com @marvin
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t axfr marvin.com @marvin
;; global options: +cmd
marvin.com. 600 IN SOA dns.marvin.com. admin.marvin.com. 2016060512 7200 600 604800 86400
marvin.com. 600 IN NS dns.marvin.com.
marvin.com. 600 IN NS dns2.marvin.com.
marvin.com. 600 IN MX 10 mail.marvin.com.
dns.marvin.com. 600 IN A 192.168.1.220
dns2.marvin.com. 600 IN A 192.168.1.221
ftp
.marvin.com. 600 IN CNAME www.marvin.com.
mail.marvin.com. 600 IN A 192.168.1.223
pop.marvin.com. 600 IN CNAME mail.marvin.com.
www.marvin.com. 600 IN A 192.168.1.221
marvin.com. 600 IN SOA dns.marvin.com. admin.marvin.com. 2016060512 7200 600 604800 86400
;; Query
time
: 0 msec
;; SERVER: 192.168.1.220
#53(192.168.1.220)
;; WHEN: Mon Jun 6 10:56:34 2016
;; XFR size: 11 records (messages 1, bytes 268)
主从配置:
主服务器配置:
[root@marvin ~]
# vim /etc/named.conf
options {
	// Listen only on loopback and the lab address.
	listen-on port 53 { 127.0.0.1; 192.168.1.220; } ;
	// Working directory; relative zone file names are resolved against it.
	directory "/var/named";
	// NOTE(review): allow-query and recursion are left at their defaults here
	// (allow-query any, recursion yes). Per the BIND 9.8 ARM the default
	// allow-recursion is "localnets; localhost", so this is not an open
	// resolver, but a server that only needs to be authoritative should say
	// "recursion no;" explicitly rather than rely on the default.
};
zone "." IN {
	// Root hints.
	type hint;
	file "named.ca";
};
zone "localhost." IN {
	type master;
	file "named.localhost";
};
zone "1.0.0.127.in-addr.arpa." IN {
	type master;
	file "named.loopback";
};
zone "marvin.com." IN {
	type master;
	file "marvin.com.zone";
	// Hosts allowed to pull the whole zone (AXFR): the master itself and the
	// slave at 192.168.1.221. Without this line BIND allows transfers to any host.
	allow-transfer { 127.0.0.1;192.168.1.220;192.168.1.221; };
	#IPs allowed to sync (transfer) the zone
};
zone "1.168.192.in-addr.arpa." IN {
	type master;
	file "192.168.1.zone";
	// Same transfer ACL for the reverse zone.
	allow-transfer { 127.0.0.1;192.168.1.220;192.168.1.221; };
	#IPs allowed to sync (transfer) the zone
};
[root@marvin named]
# vim marvin.com.zone
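$TTL 600                 ; default TTL for every record below
; Comments in a zone file start with ';'. The '#' annotations in the original
; listing are not comment syntax and would make named-checkzone fail to load
; the file, so they are rewritten here.
; Serial 2016060512 is 2016060511 + 1: slaves only re-pull the zone when the
; serial grows, so bump it on every edit.
@ IN SOA dns.marvin.com. admin.marvin.com. (
2016060512               ; serial, +1 per change
2H                       ; refresh
10M                      ; retry
7D                       ; expire
1D)                      ; negative-caching TTL
@ IN NS dns              ; primary; matches the SOA MNAME
@ IN NS dns2             ; secondary; listed so the master notifies it
@ IN MX 10 mail
dns IN A 192.168.1.220
dns2 IN A 192.168.1.221  ; slave address
mail IN A 192.168.1.223
www IN A 192.168.1.221
pop IN CNAME mail
ftp IN CNAME www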
[root@marvin named]
# vim 192.168.1.zone
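$TTL 600                 ; default TTL for every record below
; Reverse zone for 192.168.1.0/24. Zone-file comments use ';', not '#' —
; the '#' annotations in the original listing would break zone loading.
@ IN SOA dns.marvin.com. admin.marvin.com. (
2016060512               ; serial, bumped together with the forward zone
2H                       ; refresh
10M                      ; retry
7D                       ; expire
1D)                      ; negative-caching TTL
@ IN NS dns.marvin.com.  ; primary; matches the SOA MNAME
@ IN NS dns2.marvin.com. ; secondary (slave)
220 IN PTR dns.marvin.com.
; 192.168.1.221 carries two PTRs (dns2 and www) because the slave runs on the
; www host. That is legal, but a reverse lookup returns both names in no
; defined order; keep a single PTR if anything relies on one canonical name.
221 IN PTR dns2.marvin.com.
223 IN PTR mail.marvin.com.
221 IN PTR www.marvin.com.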
从服务器配置:
[root@sherry ~]
# vim /etc/named.conf
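options {
	// Working directory. Slave copies are written to the package-provided
	// "slaves/" subdirectory, which must be writable by the named user.
	directory "/var/named";
};
zone "." IN {
	type hint;
	file "named.ca";
};
zone "localhost." IN {
	type master;
	file "named.localhost";
};
zone "1.0.0.127.in-addr.arpa." IN {
	type master;
	file "named.loopback";
};
// Secondary copies pulled from the master by AXFR. The original listing had
// "type salve;" on the reverse zone — a typo BIND rejects; the type is
// "slave". allow-transfer defaults to "any", so without the explicit "none"
// the slave would re-expose the whole zone that the master's allow-transfer
// just locked down.
zone "marvin.com." IN {
	type slave;
	masters { 192.168.1.220; };
	file "slaves/marvin.com.zone";
	allow-transfer { none; };
};
zone "1.168.192.in-addr.arpa." IN {
	type slave;
	masters { 192.168.1.220; };
	file "slaves/192.168.1.zone";
	allow-transfer { none; };
};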
启动:
从服务器
[root@sherry named]
# /etc/init.d/named start
主服务器
[root@marvin named]
# /etc/init.d/named reload
从服务器解析:
[root@sherry slaves]
# dig -t NS marvin.com @sherry
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS marvin.com @sherry
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR,
id
: 56301
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;marvin.com. IN NS
;; ANSWER SECTION:
marvin.com. 600 IN NS dns2.marvin.com.
marvin.com. 600 IN NS dns.marvin.com.
;; ADDITIONAL SECTION:
dns.marvin.com. 600 IN A 192.168.1.220
dns2.marvin.com. 600 IN A 192.168.1.221
;; Query
time
: 0 msec
;; SERVER: 192.168.1.221
#53(192.168.1.221)
;; WHEN: Mon Jun 6 10:38:35 2016
;; MSG SIZE rcvd: 97