CentOS 7 搭建企业内网 DNS 服务器
在大型企业中经常要搭建自己的内部网络,在企业内部搭建内部 web 服务器,文件服务器,邮件发送服务器,大数据集群等,使用默认的路由器所提供的公网 DNS 服务器就达不到想要的效果,就需要在企业内部搭建一台 DNS 服务器,使其能解析内部私有网络地址,又能解析外网的公网地址。
1. DNS 相关概念
Domain Name System, DNS ———— 域名系统,是互联网的一个服务,作为将域名和 IP 地址相互映射的一个分布式数据库,它能够使人更方便地访问互联网。 DNS
使用 TCP/UDP 53 端口提供服务。目前,对于每一级域名长度的限制是 63 个字符,域名总长度则不能超过 253 个字符。
The Internet Domain Name System (DNS) consists of the syntax to specify the names of entities in the Internet in a hierarchical manner, the
rules used for delegating authority over names, and the system implementation that actually maps names to Internet addresses.
DNS data is maintained in a group of distributed hierarchical databases.
DNS 服务一般是基于静态 IP 的,主要是实现 IP 和域名的对应解析。
Dynamic Domain Name Server, DDNS ———— 动态域名服务,实现对域名的动态解析,即实现动态 IP 地址到域名的对应关系,它是 DNS 服务的一种。
DNS 可以为客户端进行域名解析的前提是 DNS 服务器上有相关的记录。 DDNS 是将用户的动态 IP 地址映射到一个固定的域名解析服务上,用户每次连接网络时,
客户端程序就会通过信息传递把该主机的动态 IP 地址传送给位于服务主机的服务器程序。服务器程序负责提供 DNS 服务并实现动态域名解析。也就是说,DDNS
捕获用户每次变化的 IP 地址,然后将其与域名相对应记录下来,这样联网用户就可以通过域名进行交流了。
1.1 DNS 基本概念
---------------------------------------------------------------------------------------------------------------------------------------------
■ DNS 原理: DNS Fundamentals
-----------------------------------------------------------------------------------------------------------------------------------------
The Domain Name System (DNS) is a hierarchical, distributed database. It stores information for mapping Internet host names to IP addresses
and vice versa, mail routing information, and other data used by Internet applications.
Clients look up information in the DNS by calling a resolver library, which sends queries to one or more name servers and interprets the
responses. The BIND 9 software distribution contains a name server, named, and a resolver library, liblwres.
■ 域和域名: Domains and Domain Names
-----------------------------------------------------------------------------------------------------------------------------------------
The data stored in the DNS is identified by domain names that are organized as a tree according to organizational or administrative
boundaries. Each node of the tree, called a domain, is given a label. The domain name of the node is the concatenation of all the labels
on the path from the node to the root node. This is represented in written form as a string of labels listed from right to left and
separated by dots.
A label need only be unique within its parent domain.
For administrative purposes, the name space is partitioned into areas called zones, each starting at a node and extending down to the leaf
nodes or to nodes where other zones start. The data for each zone is stored in a name server, which answers queries about the zone using
the DNS protocol.
The data associated with each domain name is stored in the form of resource records (RRs).
■ 区域: Zones
-----------------------------------------------------------------------------------------------------------------------------------------
As stated previously, a zone is a point of delegation in the DNS tree. A zone consists of those contiguous parts of the domain tree for
which a name server has complete information and over which it has authority. It contains all domain names from a certain point downward
in the domain tree except those which are delegated to other zones. A delegation point is marked by one or more NS records in the parent
zone, which should be matched by equivalent NS records at the root of the delegated zone.
A zone can map exactly to a single domain, but could also include only part of a domain, the rest of which could be delegated to other
name servers. Every name in the DNS tree is a domain, even if it is terminal, that is, has no subdomains. Every subdomain is a domain and
every domain except the root is also a subdomain.
Though BIND is called a "domain name server", it deals primarily in terms of zones. The master and slave declarations in the named.conf
file specify zones, not domains. When you ask some other site if it is willing to be a slave server for your domain, you are actually
asking for slave service for some collection of zones.
1.2 DNS 服务器角色分类
---------------------------------------------------------------------------------------------------------------------------------------------
■ 权威服务器: Authoritative Name Servers
-----------------------------------------------------------------------------------------------------------------------------------------
Each zone is served by at least one authoritative name server, which contains the complete data for the zone. To make the DNS tolerant of
server and network failures, most zones have two or more authoritative servers, on different networks.
Responses from authoritative servers have the "authoritative answer" (AA) bit set in the response packets. This makes them easy to
identify when debugging DNS configurations using tools like dig
■ 主控服务器: The Primary Master
-----------------------------------------------------------------------------------------------------------------------------------------
The authoritative server where the master copy of the zone data is maintained is called the primary master server, or simply the primary.
Typically it loads the zone contents from some local file edited by humans or perhaps generated mechanically from some other local file
which is edited by humans. This file is called the zone file or master file.
In some cases, however, the master file may not be edited by humans at all, but may instead be the result of dynamic update operations.
■ 从服务器: Slave Servers
-----------------------------------------------------------------------------------------------------------------------------------------
The other authoritative servers, the slave servers (also known as secondary servers) load the zone contents from another server using
a replication process known as a zone transfer. Typically the data are transferred directly from the primary master, but it is also
possible to transfer it from another slave. In other words, a slave server may itself act as a master to a subordinate slave server.
Periodically, the slave server must send a refresh query to determine whether the zone contents have been updated. This is done by sending
a query for the zone's SOA record and checking whether the SERIAL field has been updated; if so, a new transfer request is initiated. The
timing of these refresh queries is controlled by the SOA REFRESH and RETRY fields, but can be overrridden with the max-refresh-time,
min-refresh-time, max-retry-time, and min-retry-time options.
■ 隐形服务器: Stealth Servers
-----------------------------------------------------------------------------------------------------------------------------------------
Usually all of the zone's authoritative servers are listed in NS records in the parent zone. These NS records constitute a delegation of
the zone from the parent. The authoritative servers are also listed in the zone file itself, at the top level or apex of the zone. You can
list servers in the zone's top-level NS records that are not in the parent's NS delegation, but you cannot list servers in the parent's
delegation that are not present at the zone's top level.
A stealth server is a server that is authoritative for a zone but is not listed in that zone's NS records. Stealth servers can be used for
keeping a local copy of a zone to speed up access to the zone's records or to make sure that the zone is available even if all the
"official" servers for the zone are inaccessible.
A configuration where the primary master server itself is a stealth server is often referred to as a "hidden primary" configuration. One
use for this configuration is when the primary master is behind a firewall and therefore unable to communicate directly with the outside
world.
■ 缓存服务器: Caching Name Servers
-----------------------------------------------------------------------------------------------------------------------------------------
The resolver libraries provided by most operating systems are stub resolvers, meaning that they are not capable of performing the full DNS
resolution process by themselves by talking directly to the authoritative servers. Instead, they rely on a local name server to perform the
resolution on their behalf. Such a server is called a recursive name server; it performs recursive lookups for local clients.
To improve performance, recursive servers cache the results of the lookups they perform. Since the processes of recursion and caching are
intimately connected, the terms recursive server and caching server are often used synonymously.
The length of time for which a record may be retained in the cache of a caching name server is controlled by the Time To Live (TTL) field
■ 多角色名称服务器: Name Servers in Multiple Roles
-----------------------------------------------------------------------------------------------------------------------------------------
The BIND name server can simultaneously act as a master for some zones, a slave for other zones, and as a caching (recursive) server for
a set of local clients.
However, since the functions of authoritative name service and caching/recursive name service are logically separate, it is often
advantageous to run them on separate server machines. A server that only provides authoritative name service (an authoritative-only server)
can run with recursion disabled, improving reliability and security. A server that is not authoritative for any zones and only provides
recursive service to local clients (a caching-only server) does not need to be reachable from the Internet at large and can be placed
inside a firewall.
1.3 DNS 运行概念
---------------------------------------------------------------------------------------------------------------------------------------------
■ DNS 组成
-----------------------------------------------------------------------------------------------------------------------------------------
根域(root domain . )
顶级域(.com, .net, .org, .gov, .edu, .mil,.ac)
二级域(baidu.com,google.com ... ...)
■ DNS 查询
-----------------------------------------------------------------------------------------------------------------------------------------
迭代查询:一般DNS服务器之间属迭代查询,如:若 DNS2 不能响应 DNS1 的请求,则它会将 DNS3 的IP给 DNS2,以便其再向 DNS3 发出请求;
递归查询:一般客户机和服务器之间属递归查询,即当客户机向 DNS 服务器发出请求后,若 DNS 服务器本身不能解析,则会向另外的 DNS 服务器发出查询请求,
得到结果后转交给客户机;
从客户端到本地 DNS 服务器是属于递归查询,而 DNS 服务器之间的交互查询就是迭代查询。
■ DNS 解析
-----------------------------------------------------------------------------------------------------------------------------------------
正向解析区域和反向解析区域
正向解析是将域名映射为IP地址
www.baidu.com --> 202.108.22.5
反向解析是将IP地址映射为域名
202.108.22.5 --> www.baidu.com
注意:二者的名称空间,非为同一个空间,即非为同一棵树;因此,也不是同一个解析库;
■ 主-从 DNS 服务器
-----------------------------------------------------------------------------------------------------------------------------------------
主 DNS 服务器:维护所负责解析的域数据库的那台服务器;读写操作均可进行;
从 DNS 服务器:从主 DNS 服务器那里或其它的从 DNS 服务器那里“复制”一份解析库;但只能进行读操作;
“复制” 操作的实施方式:
序列号:serial, 也即是数据库的版本号;主服务器数据库内容发生变化时,其版本号递增;
刷新时间间隔:refresh, 从服务器每多久到主服务器检查序列号更新状况;
重试时间间隔:retry, 从服务器从主服务器请求同步解析库失败时,再次发起尝试请求的时间间隔;
过期时长:expire,从服务器始终联系不到主服务器时,多久之后放弃从主服务器同步数据;停止提供服务;
否定答案的缓存时长:主服务器 “通知”从服务器随时更新数据;
区域传送:
全量传送:axfr, 传送整个数据库;
增量传送:ixfr, 仅传送变量的数据;
■ 区域 (zone)和域 (domain):
-----------------------------------------------------------------------------------------------------------------------------------------
baidu.com 域:
FQDN --> IP
正向解析库;区域
IP --> FQDN
反向解析库;区域
1.4 DNS 数据库文件
---------------------------------------------------------------------------------------------------------------------------------------------
■ 区域 (zone) 数据库文件:
-----------------------------------------------------------------------------------------------------------------------------------------
资源记录: Resource Record, 简称rr;
记录类型: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA :Start Of Authority,起始授权记录;一个区域解析库有且只能有一个 SOA 记录,而且必须放在第一条;这个域由哪部 DNS 作为 Primary DNS;
NS :Name Service,域名服务记录;一个区域解析库可以有多个 NS 记录;其中一个为主的;
A :Address, 地址记录,FQDN --> IPv4;
AAAA:地址记录, FQDN --> IPv6;
CNAME:Canonical Name,别名记录;
PTR :Pointer,IP --> FQDN
MX :Mail eXchanger,邮件交换器
优先级:0-99,数字越小优先级越高;
■ 资源记录的定义格式:
-----------------------------------------------------------------------------------------------------------------------------------------
语法: name [TTL] IN RR_TYPE value
常见的正向区域 zone 文件 RR 相关信息:
[domain] IN [[RR type] [RR data]]
主机名. IN A IPv4 的 IP 地址
主机名. IN AAAA IPv6 的 IP 地址
域名. IN NS 管理这个领域名的服务器主机名.
域名. IN SOA 管理这个领域名的七个重要参数(后面说明)
域名. IN MX 顺序数字 接收邮件的服务器主机名
主机别名. IN CNAME 实际代表这个主机别名的主机名.
● SOA 记录:表明此 DNS 名称服务器是为该 DNS 域中的数据的信息的来源。
-------------------------------------------------------------------------------------------------------------------------------------
记录格式:
ZONE NAME TTL IN SOA FQDN ADMINISTRATOR_MAILBOX (
serial number
refresh
retry
expire
na ttl )
时间单位:M(分钟)、H(小时)、D(天)、W(周),默认单位是秒
邮箱格式:[email protected] -写为-> admin.toxingwang.com
name : 当前区域的名字;例如 ”sansovo.org.” ,或者 “1.168.192.in-addr.arpa.” ;
value : 有多部分组成
① 当前区域的区域名称(也可以使用主DNS服务器名称);
② 当前区域管理员的邮箱地址;但地址中不能使用@符号,一般使用点号来替代;
③ 主从服务协调属性的定义以及否定答案的 TTL 。
范例:
baidu.com. 86400 IN SOA baidu.com. admin.magedu.com. (
2017010801 ; serial 序号
2H ; refresh 刷新时间为 2 小时
10M ; retry 重试时间为 10分钟
1W ; expire 缓存失效时间为 1 周
1D ; negative answer ttl 解析失败缓存保留时间为 1 天
)
● NS 记录: 域名服务器记录,用来指定某域名由哪个 DNS 服务器来进行解析。
-------------------------------------------------------------------------------------------------------------------------------------
NS(Name Server): ZONE NAME --> FQDN
name : 当前区域的区域名称
value :当前区域的某DNS服务器的名字,例如 ns.magedu.com.;
注意:一个区域可以有多个ns记录;
范例:
baidu.com. 86400 IN NS ns1.baidu.com.
baidu.com. 86400 IN NS ns2.baidu.com.
toxingwang.com. 600 IN NS ns1.toxingwang.com.
toxingwang.com. 600 IN NS ns2.toxingwang.com.
ns1.toxingwang.com. 600 IN A 192.168.8.100
ns2.toxingwang.com. 600 IN A 192.168.8.101
注:NS记录除了NS记录本身,还应该包含 NS 对应 A 记录
● MX 记录: 邮件交换记录,用于电子邮件程序发送邮件时根据收信人的地址后缀来定位邮件服务器。
-------------------------------------------------------------------------------------------------------------------------------------
MX(Mail eXchanger): ZONE NAME --> FQDN
记录格式:
ZONE NAME TTL IN MX pri VALUE
name : 当前区域的区域名称
value :当前区域某邮件交换器的主机名;
优先级:0-99,数字越小级别越高
注意:MX记录可以有多个;但每个记录的 value 之前应该有一个数字表示其优先级;
范例:
baidu.com. IN MX 10 mx1.baidu.com.
baidu.com. IN MX 20 mx2.baidu.com.
toxingwang.com. 600 IN MX 10 mail.toxingwang.com.
mail.toxingwang.com. 600 IN A 192.168.8.3
● A 记录: 主机记录,A 记录是用于名称解析的重要记录,它将特定的主机名映射到对应主机的IP地址上。
-------------------------------------------------------------------------------------------------------------------------------------
A(address): FQDN-->IPv4
name :某FQDN,例如 www.baidu.com.
value :某 IPv4 地址;
范例:
www.baidu.com. IN A 1.1.1.1
www.baidu.com. IN A 1.1.1.2
bbs.baidu.com. IN A 1.1.1.1
● AAAA 记录: IPv6 主机记录,与 A 记录对应,用于将特定的主机名映射到一个主机的IPv6地址。
-------------------------------------------------------------------------------------------------------------------------------------
name :FQDN
value : IPv6 地址
● PTR 记录:反向解析记录,用于将一个IP地址映射到对应的域名,也可以看成是 A 记录的反向,IP 地址的反向解析。
-------------------------------------------------------------------------------------------------------------------------------------
name :IP地址,有特定格式,IP反过来写,而且加特定后缀;例如 1.2.3.4 的记录应该写为 4.3.2.1.in-addr.arpa.;
value :FQND
范例:
4.3.2.1.in-addr.arpa. IN PTR www.baidu.com.
● CNAME 记录:别名记录,用于将某个别名指向到某个 A 记录上,这样就不需要再为某个新名字另外创建一条新的 A 记录。
-------------------------------------------------------------------------------------------------------------------------------------
CNAME(Canonical NAME): FQDN-->FQDN
name :FQDN格式的别名;
value :FQDN格式的正式名字;
范例:
web.baidu.com. IN CNAME www.baidu.com.
www2.toxingwang.com. IN CNAME www.toxingwang.com.
● SRV 记录:服务位置记录,用于定义提供特定服务的服务器的位置,如主机(hostname),端口(port number)等。
-------------------------------------------------------------------------------------------------------------------------------------
● NAPTR 记录: 它提供了正则表达式方式去映射一个域名。NAPTR 记录非常著名的一个应用是用于 ENUM 查询。
-------------------------------------------------------------------------------------------------------------------------------------
注释:
---------------------------------------------------------------------------------------------------------------------------------------------
(1) 一定从行首开始,所有配置数据一定要从行首开始,前面不可有空格符。若有空格符,代表延续前一个 domain 的意思。非常重要!
(2) 这个点 (.) 很重要,他代表一个完整主机名 (FQDN) 而不是仅有 hostname 而已。
(3) #/; 代表注释符号,两个符号都能使用
(4) TTL可以从全局继承;
(5) @表示当前区域的名称;
(6) 相邻的两条记录其 name 相同时,后面的可省略;
(7) 对于正向区域来说,各 MX,NS 等类型的记录的 value 为 FQDN,此 FQDN 应该有一个 A 记录;
(8) $TTL : 为了简化每笔 RR 记录是设置,可以将 TTL 放到最前面统一设置;
(9) $ORIGIN : 这个值可以重新指定 zone 的定义。在默认的情况下,这个正反向数据库文件中的 zone 是由 named.conf 所指定的,就是 zone 那个参数的
功能。不过,这个 zone 是可以改的,就是用 $ORIGIN 来修改。通常这个设置值很少用到。
*
*
*
2. 实践部署
---------------------------------------------------------------------------------------------------------------------------------------------
部署环境:
操作系统 :CentOS 7.4
DNS 服务器 IP : 192.168.1.10
内网域名 :sansovo.org
2.1 安装 DNS 服务器 : BIND
---------------------------------------------------------------------------------------------------------------------------------------------
■ 安装
-----------------------------------------------------------------------------------------------------------------------------------------
[devalone@online ~]$ sudo yum install bind
查看服务是否开机运行, DNS 服务名称为 named
[root@online ~]# sudo systemctl list-unit-files | grep 'named'
named-setup-rndc.service static
named.service disabled
由输出可知 named.service 是关闭的。
设置 named.service 开机运行:
[root@online ~]# systemctl enable named.service
启动 named.service:
[root@online ~]# systemctl start named.service
■ 防火墙设置: 设置防火墙放行 dns 服务端口:53/tcp 和 53/udp
-----------------------------------------------------------------------------------------------------------------------------------------
CentOS 7 默认使用 firewalld 防火墙,使用如下指令设置:
● 查看firewalld服务当前所使用的区域:
[root@online ~]# firewall-cmd --get-default-zone
public
[root@online ~]# firewall-cmd --zone=public --query-service=dns
no
● 设置 firewalld 服务中 dns 服务为永久允许,并立即生效:
[root@online ~]# firewall-cmd --permanent --zone=public --add-service=dns
success
[root@online ~]# firewall-cmd --reload
success
再次查询验证:
[root@online ~]# firewall-cmd --zone=public --query-service=dns
yes
防火墙设置完成。
2.2 配置 BIND:
---------------------------------------------------------------------------------------------------------------------------------------------
主配置文件:
/etc/named.conf
或其包含的文件:
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
解析库文件:
/var/named/目录下;
[root@online ~]# ll /var/named
drwxrwx---. 2 named named 23 4月 24 17:02 data
drwxrwx---. 2 named named 60 4月 24 17:03 dynamic
-rw-r-----. 1 root named 2281 5月 22 2017 named.ca
-rw-r-----. 1 root named 152 12月 15 2009 named.empty
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
-rw-r-----. 1 root named 168 12月 15 2009 named.loopback
drwxrwx---. 2 named named 6 1月 22 21:30 slaves
一般命名为:ZONE_NAME.zone
注意: (1) 一台 DNS 服务器可同时为多个区域提供解析;
(2) 必须要有根区域解析库文件: named.ca;
(3) 还应该有两个区域解析库文件:localhost 和 127.0.0.1 的正反向解析库;
正向:named.localhost
反向:named.loopback
■ 主配置文件格式:
-----------------------------------------------------------------------------------------------------------------------------------------
全局配置段:
options { ... }
日志配置段:
logging { ... }
区域配置段:
zone { ... }
那些由本机负责解析的区域,或转发的区域;
注意:每个配置语句必须以分号结尾;
associated with each resource record.
缓存服务器配置:
-----------------------------------------------------------------------------------------------------------------------------------------
监听能与外部主机通信的地址;
listen-on port 53;
listen-on port 53 { 192.168.1.10; };
测试时,建议关闭dnssec
/*
这两个值改为 no, 不需要安全策略,否则无法解析外网
*/
dnssec-enable no;
dnssec-validation no;
关闭仅允许本地查询:
□ allow-query
-------------------------------------------------------------------------------------------------------------------------------------
Specifies which hosts are allowed to ask ordinary DNS questions. allow-query may also be specified in the zone statement, in which case
it overrides the options allow-query statement. If not specified, the default is to allow queries from all hosts.
/*
allow-query { localhost; };
或改成内网网段,只为内网用户提供解析
*/
allow-query { 192.168.1.0/24; };
打开递归查询:
/*
打开递归查询,可递归查询到公网 DNS 服务器并缓存本地,查询外网服务器信息,如 www.baidu.com
默认为 no , 即 DNS 服务器使用迭代方式查询。
这里为 yes, 这是客户端的查询模式。意思是本身解析不了,转发给上级路由解析,递归查询。
缓存服务器设为 yes; 权威服务器为 no
*/
recursion yes;
■ 工具
-----------------------------------------------------------------------------------------------------------------------------------------
● 管理工具:
-------------------------------------------------------------------------------------------------------------------------------------
named-checkconf :检查配置文件语法错误:
named-checkconf [/etc/named.conf]
named-checkzone :The named-checkzone program checks a master file for syntax and consistency.
rndc:The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server.
端口 953/tcp,但默认监听于 127.0.0.1 地址,因此仅允许本地使用;
重新载入配置信息:
rndc reload
● 诊断工具:Diagnostic Tools
------------------------------------------------------------------------------------------------------------------------------------
The dig, host, and nslookup programs are all command line tools for manually querying name servers. They differ in style and output
format.
dig, host, nslookup 等
■ 配置解析正向区域
-----------------------------------------------------------------------------------------------------------------------------------------
步骤:
① 定义区域(在/etc/named.conf或/etc/named.rfc1912.zones)
allow-update: 是实现 DDNS 的重要配置。
---------------------------------------------------------------------------------------------------------------------------------
Specifies which hosts are allowed to submit Dynamic DNS updates for master zones. The default is to deny updates from all hosts.
Note that allowing updates based on the requestor's IP address is insecure
② 定义数据文件(/var/named/xxx.zone)
权限及属组修改:
修改该文件的权限为 640,属主属组为 root:named
检查语法错误
# named-checkzone ZONE_NAME ZONE_FILE
# named-checkconf
③ 重载配置文件:
rndc reload
详细配置:
----------------------------------------------------------------------------------------------------------------------------------------
① 定义区域
zone "sansovo.org" IN {
type master;
file "sansovo.org.zone";
allow-update { 192.168.1.0/24; };
};
注意:区域名称即为域名;
② 定义数据文件(编辑一个名为 sansovo.org.zone 的文件与第一步的 file 所指的相同)
文件为:/var/named/sansovo.org.zone
内容:
------------------------------------------------------------------------------------------------------------------------------------
$TTL 1D
$ORIGIN sansovo.org.
@ IN SOA sansovo.org. devalone.sohu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS online.sansovo.org.
online IN A 192.168.1.10
repo IN A 192.168.1.99
检查语法错误:
[root@online ~]# named-checkconf
[root@online ~]# named-checkzone sansovo.org /var/named/sansovo.org.zone
zone sansovo.org/IN: loaded serial 0
OK
③ 重载配置文件
[root@online ~]# rndc reload
server reload successful
■ 配置解析反向区域
-----------------------------------------------------------------------------------------------------------------------------------------
步骤:
① 定义反向区域(在/etc/named.conf或/etc/named.rfc1912.zones)
② 定义区域解析库文件(/var/named/xxx.zone)
③ 重载配置文件
详细配置:
----------------------------------------------------------------------------------------------------------------------------------------
① 定义反向区域
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.zone";
allow-update { 192.168.1.0/24; };
};
注意:反向区域的名字
反写的网段地址.in-addr.arpa
如:1.168.192.in-addr.arpa
② 定义区域解析库文件(主要记录为PTR)
文件为:/var/named/1.168.192.zone
内容:
$TTL 1D
$ORIGIN 1.168.192.in-addr.arpa.
@ IN SOA 1.168.192.in-addr.arpa. devalone.sohu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS online.sansovo.org.
10 IN PTR online.sansovo.org
99 IN PTR repo.sansovo.org
检查语法错误:
[root@online ~]# named-checkconf
[root@online ~]# named-checkzone 1.168.192.in-addr.arpa /var/named/1.168.192.zone
zone 1.168.192.in-addr.arpa/IN: loaded serial 0
OK
③ 重载配置文件
[root@online ~]# rndc reload
server reload successful
■ 配置主-从 DNS 服务器
-----------------------------------------------------------------------------------------------------------------------------------------
Slave DNS 配置步骤:
① 定义一个从区域(/var/named/slaves)
zone "ZONE_NAME" IN {
type slave;
file "slaves/ZONE_NAME.zone";
masters { MASTER_IP; };
}
配置文件语法检查:named-checkconf
② 重载配置
rndc reload
注意:
-------------------------------------------------------------------------------------------------------------------------------------
确保区域数据文件中为每个从服务配置 NS 记录,并且在正向区域文件需要每个从服务器的 NS 记录的主机名配置一个 A 记录,且此 A 后面的地址为
真正的从服务器的IP地址;
时间要同步: ntpdate
■ DNS 子域授权
-----------------------------------------------------------------------------------------------------------------------------------------
子域授权就相当于是划片管理,是由上至下的授权。由根 "." 开始。
DNS中最重要的就是 NS 记录,其中每个 NS 里面的负责人就是 SOA,在父域上定义一条 NS 记录和一条 A 记录就可以完成子域授权了。
范例:正向解析区域授权子域(/var/named/baidu.com.zone):
-------------------------------------------------------------------------------------------------------------------------------------
zhangsan.baidu.com. IN NS ns1.zhangsan.baidu.com.
s1. zhangsan.baidu.com. IN A IP.AD.DR.ESS(子域服务器ip)
lisi.baidu.com. IN NS ns1.lisi.baidu.com.
ns1.lisi.baidu.com. IN A IP.AD.DR.ESS
此子域就相当于一个域了,可以再给此子域添加正向解析记录。
■ 定义转发 Forwarding
-----------------------------------------------------------------------------------------------------------------------------------------
Even a caching name server does not necessarily perform the complete recursive lookup itself. Instead, it can forward some or all of the
queries that it cannot satisfy from its cache to another caching name server, commonly referred to as a forwarder
There may be one or more forwarders, and they are queried in turn until the list is exhausted or an answer is found. Forwarders are
typically used when you do not wish all the servers at a given site to interact directly with the rest of the Internet servers. A typical
scenario would involve a number of internal DNS servers and an Internet firewall. Servers unable to pass packets through the firewall would
forward to the server that can do it, and that server would query the Internet DNS servers on the internal server's behalf.
注:被转发的服务器必须允许为当前服务做递归;
① 区域转发:仅转发对某特定区域的解析请求;
-------------------------------------------------------------------------------------------------------------------------------------
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { SERVER_IP; };
};
first:首先转发;转发器不响应时,自行去迭代查询;
only:只转发;
② 全局转发:针对凡本地没有通过zone定义的区域查询请求,通通转给某转发器;;
-------------------------------------------------------------------------------------------------------------------------------------
options {
... ...
forward {only|first};
forwarders { SERVER_IP; };
.. ...
};
■ BIND 中的安全相关的配置:
-----------------------------------------------------------------------------------------------------------------------------------------
● acl:访问控制列表;把一个或多个地址归并一个命名的集合,随后通过此名称即可对此集合内的所有主机实现统一调用;
-------------------------------------------------------------------------------------------------------------------------------------
acl acl_name {
ip;
net/prelen;
};
范例:
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
bind 有四个内置的 acl :
-------------------------------------------------------------------------------------------------------------------------------------
none:没有一个主机;
any:任意主机;
local:本机;
localnet:本机所在的IP所属的网络;
● 访问控制指令:
-------------------------------------------------------------------------------------------------------------------------------------
allow-query {}; 允许查询的主机;白名单;
allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器;
allow-recursion {}; 允许哪此主机向当前DNS服务器发起递归查询请求;
allow-update {}; DDNS,允许动态更新区域数据库文件中内容;
● 视图:
-------------------------------------------------------------------------------------------------------------------------------------
view VIEW_NAME {
zone
zone
zone
}
view internal {
match-clients { 172.16.0.0/8; };
zone "magedu.com" IN {
type master;
file "magedu.com/internal";
};
};
view external {
match-clients { any; };
zone "magecdu.com" IN {
type master;
file magedu.com/external";
};
};
3. DNS 高级特性
---------------------------------------------------------------------------------------------------------------------------------------------
■ 通知:Notify
-----------------------------------------------------------------------------------------------------------------------------------------
DNS NOTIFY is a mechanism that allows master servers to notify their slave servers of changes to a zone's data. In response to a NOTIFY
from a master server, the slave will check to see that its version of the zone is the current version and, if not, initiate a zone transfer.
注:
-----------------------------------------------------------------------------------------------------------------------------------------
As a slave zone can also be a master to other slaves, named, by default, sends NOTIFY messages for every zone it loads. Specifying notify
master-only; will cause named to only send NOTIFY for master zones that it loads.
■ 动态更新:Dynamic Update
-----------------------------------------------------------------------------------------------------------------------------------------
Dynamic Update is a method for adding, replacing or deleting records in a master server by sending it a special form of DNS messages.
The format and meaning of these messages is specified in RFC 2136.
Dynamic update is enabled by including an allow-update or an update-policy clause in the zone statement.
If the zone's update-policy is set to local, updates to the zone will be permitted for the key local-ddns, which will be generated by named
at startup.
Dynamic updates using Kerberos signed requests can be made using the TKEY/GSS protocol by setting either the tkey-gssapi-keytab option,
or alternatively by setting both the tkey-gssapi-credential and tkey-domain options. Once enabled, Kerberos signed requests will be matched
against the update policies for the zone, using the Kerberos principal as the signer for the request.
Updating of secure zones (zones using DNSSEC) follows RFC 3007: RRSIG, NSEC and NSEC3 records affected by updates are automatically
regenerated by the server using an online zone key. Update authorization is based on transaction signatures and an explicit server policy.
★ 动态更新策略:Dynamic Update Policies ★
-------------------------------------------------------------------------------------------------------------------------------------
BIND 9 supports two alternative methods of granting clients the right to perform dynamic updates to a zone, configured by the
allow-update and update-policy option, respectively.
The allow-update clause works the same way as in previous versions of BIND. It grants given clients the permission to update any record
of any name in the zone.
The update-policy clause allows more fine-grained control over what updates are allowed. A set of rules is specified, where each rule
either grants or denies permissions for one or more names to be updated by one or more identities. If the dynamic update request message
is signed (that is, it includes either a TSIG or SIG(0) record), the identity of the signer can be determined.
Rules are specified in the update-policy zone option, and are only meaningful for master zones. When the update-policy statement is
present, it is a configuration error for the allow-update statement to be present. The update-policy statement (except when set to
local) only examines the signer of a message; the source address is not relevant.
A pre-defined update-policy rule can be switched on with the command update-policy local;. Switching on this rule in a zone causes named
to generate a TSIG session key and place it in a file. That key will then be allowed to update the zone, if the update request is sent
from localhost. By default, the session key is stored in the file /var/run/named/session.key; the key name is "local-ddns" and the key
algorithm is HMAC-SHA256. These values are configurable with the session-keyfile, session-keyname and session-keyalg options, respectively).
A client on the local system, if it is run with appropriate permissions, may read the session key from the key file and use the key to
sign update requests. The zone's update policy will be set to allow that key to change any record within the zone. Assuming the key name
is "local-ddns", this policy is:
update-policy { grant local-ddns zonesub any; };
...with an additional restriction that only clients connecting from the local system will be permitted to send updates.
Note that only one session key is generated; all zones configured to use update-policy local will accept the same key.
The command nsupdate -l implements this feature, sending requests to localhost and signing them using the key retrieved from the session
key file.
Other rule definitions look like this:
( grant | deny ) identity nametype [ name ] [ types ]
■ 日志文件: The journal file
-----------------------------------------------------------------------------------------------------------------------------------------
All changes made to a zone using dynamic update are stored in the zone's journal file. This file is automatically created by the server
when the first dynamic update takes place. The name of the journal file is formed by appending the extension .jnl to the name of the
corresponding zone file unless specifically overridden. The journal file is in a binary format and should not be edited manually.
4. 服务器实践配置
---------------------------------------------------------------------------------------------------------------------------------------------
4.1 主配置文件 /etc/named.conf 内容:配置为权威服务器 AUTHORITATIVE DNS server
-----------------------------------------------------------------------------------------------------------------------------------------
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 192.168.1.10; }; // 默认为 127.0.0.1 即本机,只有本机可访问。指定明确的本机 IP 地址或 any 使网内其他机器可访问
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.1.0/24; }; // 默认为 127.0.0.1 即本机,只有本机可访问。指定明确的 IP 地址、网段、或 any 使网内其他机器可访问
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
/*
打开递归查询,可递归查询到公网 DNS 服务器并缓存本地,查询外网服务器信息,如 www.baidu.com
默认为 no , 即 DNS 服务器使用迭代方式查询。
这里为 yes, 这是客户端的查询模式。意思是本身解析不了,转发给上级路由解析,递归查询。
缓存服务器设为 yes; 权威服务器为 no
*/
recursion yes;
/*
关闭 dnssec-* 安全策略,本机在内网私有环境下使用,暂不考虑安全问题
*/
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run"; // 服务器运行日志文件
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
4.2 区域配置文件 /etc/named.rfc1912.zones 添加如下内容:为私有网络配置 正向-反向 两个区域 zone
-----------------------------------------------------------------------------------------------------------------------------------------
zone "sansovo.org" IN {
type master;
file "sansovo.org.zone";
allow-update { 192.168.1.0/24; }; // 在不考虑安全情况下,允许私有网络内 DHCP 动态更新客户主机 IP , 即 A 记录
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.zone";
allow-update { 192.168.1.0/24; }; // 同上
};
4.3 为两个区域数据文件设置内容:
-----------------------------------------------------------------------------------------------------------------------------------------
正向 zone :/var/named/sansovo.org.zone
$TTL 1D
$ORIGIN sansovo.org.
@ IN SOA sansovo.org. devalone.sohu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS online.sansovo.org.
online IN A 192.168.1.10
repo IN A 192.168.1.99
反向 zone :/var/named/1.168.192.zone
$TTL 1D
$ORIGIN 1.168.192.in-addr.arpa.
@ IN SOA 1.168.192.in-addr.arpa. devalone.sohu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS online.sansovo.org.
10 IN PTR online.sansovo.org
99 IN PTR repo.sansovo.org
4.4 配置一个 cache-only DNS server (可选)
-----------------------------------------------------------------------------------------------------------------------------------------
有个只需要 . 这个 zone file 的简单 DNS 服务器,称这种没有自己公开的 DNS 数据库的服务器为 cache-only (仅缓存) DNS server, 也就是最开始
服务器角色定义中的缓存服务器:Caching Name Servers 。
这个 DNS server 只有缓存搜寻结果的功能,也就是说,他本身并没有主机名与 IP 正反向区域的数据库文件,完全是由对外的查询来提供他的数据源。
那如果连 . 都不想要呢?那就要指定一个上层 DNS 服务器作为此服务器的 forwarding (转递) 目标,将原本自己要往 . 查询的任务,丢给上层 DNS 服务器
去查询即可。 如此一来,我们这部具有 forwarding 功能的 DNS 服务器,甚至连 . 都不需要了。
cache only 的 DNS 并不存在数据库 (其实还是存在 . 这个 root 域的 zone file), 因此不论是谁来查询数据,此 DNS 便开始从自己的缓存以及 . 查起。
如果具有 forwarding 功能,那即使此 DNS 具有 . 这个 zone file,这部 DNS 还是会将查询权委托给上层 DNS 查询,此 DNS 服务器即成为 DNS 客户端。
cache-only 只要加上个 forwarders 的设置即可指定 forwarding 的数据。
通常架设 cache only DNS 服务器大都是为了系统安全。
options {
listen-on port 53 { 192.168.1.10; }; // 默认为 127.0.0.1 即本机,只有本机可访问。指定明确的本机 IP 地址或 any 使网内其他机器可访问
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.1.0/24; }; // 默认为 127.0.0.1 即本机,只有本机可访问。指定明确的 IP 地址、网段、或 any 使网内其他机器可访问
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
/*
打开递归查询,可递归查询到公网 DNS 服务器并缓存本地,查询外网服务器信息,如 www.baidu.com
默认为 no , 即 DNS 服务器使用迭代方式查询。
这里为 yes, 这是客户端的查询模式。意思是本身解析不了,转发给上级路由解析,递归查询。
缓存服务器设为 yes; 权威服务器为 no
*/
recursion yes; //将自己视为客户端的一种查询模式
/*
这个设置可以让此 DNS 服务器仅进行 forward,即使有 . 这个 zone file 的设置,也不会使用 . 的数据,
只会将查询权交给上层 DNS 服务器,是 cache only DNS 最常见的设置
*/
forward only;
forwarders {
202.99.96.68; /* 转发到上层目标 DNS 服务器的 IP 地址,避免服务器挂掉,可设多个 DNS , 这里用了两个联通的 DNS 服务器 */
202.99.104.68;
};
/*
关闭 dnssec-* 安全策略,本机在内网私有环境下使用,暂不考虑安全问题
*/
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run"; // 服务器运行日志文件
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
注:
----------------------------------------------------------------------------------------
/etc/named.rfc1912.zones 文件中不需要定义区域, /var/named/目录下也不需要 zone 数据库文件
5. 客户端配置
---------------------------------------------------------------------------------------------------------------------------------------------
对于客户端配置主要是添加域名服务器,把刚配置好的 DNS 服务器 IP 地址添加到域名解析 DNS 列表中。
Linux 客户机:
-----------------------------------------------------------------------------------------------------------------------------------------
[root@online ~]# vi /etc/resolv.conf
search sansovo.org
nameserver 192.168.1.10
nameserver 192.168.1.1 # 用于备用 DNS , 当主 DNS 服务器关闭使用此 DNS 仍可以访问公网
Window 客户机:
-----------------------------------------------------------------------------------------------------------------------------------------
打开网络和共享中心->网络属性-> IP 属性,添加 DNS IP 地址
配置 DHCP 服务器
-----------------------------------------------------------------------------------------------------------------------------------------
内网路由器通常带有 DHCP 服务器,配置后启动即可。
缺省域名 : sansovo.org
主DNS服务器 : 192.168.1.10
备用DNS服务器 :192.168.1.1 # 当主 DNS 服务器关闭使用此 DNS 仍可以访问公网
Linux 客户机可能遇到的问题处理:
-----------------------------------------------------------------------------------------------------------------------------------------
Linux 主机使用 DHCP 取得 IP, 当我修改过 /etc/resolv.conf 之后,隔不多久这个文件又会恢复成原本的样子,这是什么原因?该如何处理?
使用 DHCP 时,系统会主动的使用 DHCP 服务器传来的数据进行系统配置文件的修改。要保持 nameserver 信息正确,可采取三种种方法:
第一种方法,配置 DHCP 服务器使用正确的 DNS 地址信息;
第二种方法,应该告知系统,不要使用 DHCP 传来的服务器设定值。需要在 /etc/sysconfig/network-scripts/ifcfg-enp6s0f0 等相关文件内,增加一行:
“PEERDNS=no”
然后重新启动网络即可。
第三种方法,其实质是由 NetworkManager 服务控制,直接关闭掉该服务即可:此方法是静态 IP 地址的唯一方法。
[root@online ~]# systemctl stop NetworkManager
[root@online ~]# systemctl disable NetworkManager.service
6. 工具使用
---------------------------------------------------------------------------------------------------------------------------------------------
■ 客户端工具安装:
-----------------------------------------------------------------------------------------------------------------------------------------
yum install bind-utils
■ 查看服务器运行日志:
-----------------------------------------------------------------------------------------------------------------------------------------
[root@online etc]# cat /var/log/messages | grep named
[root@online etc]# cat /var/named/data/named.run
■ host - 使用域名服务器查询主机名字
-----------------------------------------------------------------------------------------------------------------------------------------
用法: host [ -l ] [ -v ] [ -w ] [ -r ] [ -d ] [ -t querytype ] [ -a ] host [ server ]
[root@www ~]# host [-a] FQDN [server]
[root@www ~]# host -l domain [server]
选项与参数:
-a :代表列出该主机所有的相关信息,包括 IP、TTL 与错误信息等
-l :若后面接的那个 domain 设定允许 allow-transfer 时,则列出该 domain 所管理的所有主机名对应数据
server:这个参数为可选项,如果要利用非 /etc/resolv.conf 内的 DNS 主机 来查询主机名与 IP 的对应时,就可以利用这个参数。
范例:
● [root@online ~]# host namenode.sansovo.org
namenode.sansovo.org has address 192.168.1.103
● [root@online ~]# host -a namenode.sansovo.org
Trying "namenode.sansovo.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51520
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;namenode.sansovo.org. IN ANY
;; ANSWER SECTION:
namenode.sansovo.org. 86400 IN A 192.168.1.103
;; AUTHORITY SECTION:
sansovo.org. 86400 IN NS online.sansovo.org.
;; ADDITIONAL SECTION:
online.sansovo.org. 86400 IN A 192.168.1.10
Received 91 bytes from 192.168.1.10#53 in 0 ms
● [root@online ~]# host -l sansovo.org
sansovo.org name server online.sansovo.org.
namenode.sansovo.org has address 192.168.1.103
online.sansovo.org has address 192.168.1.10
repo.sansovo.org has address 192.168.1.99
■ nslookup - query Internet name servers interactively
-----------------------------------------------------------------------------------------------------------------------------------------
用法: nslookup [-option] [name | -] [server]
[root@www ~]# nslookup [FQDN] [server]
[root@www ~]# nslookup
选项与参数:
① 可以直接在 nslookup 加上待查询的主机名或者是 IP ,[server] 可有
② 如果在 nslookup 后面没有加上任何主机名或 IP ,那将进入 nslookup 的查询功能
在 nslookup 的查询功能当中,可以输入其他参数来进行特殊查询,例如: set type=any :列出所有的信息 “正向区域方面配置文件”
set type=mx :列出与 mx 相关的信息!
范例:
直接搜索 repo.sansovo.org 的地址信息:
---------------------------------------------------------------------------------
[devalone@online ~]$ nslookup repo.sansovo.org
Server: 192.168.1.10
Address: 192.168.1.10#53
Name: repo.sansovo.org
Address: 192.168.1.99
进入 nslookup 查询界面:
--------------------------------------------------------------------------------
[devalone@online ~]$ nslookup
> 192.168.1.99
Server: 192.168.1.10
Address: 192.168.1.10#53
99.1.168.192.in-addr.arpa name = repo.sansovo.org.1.168.192.in-addr.arpa.
> set type=any
> repo.sansovo.org
Server: 192.168.1.10
Address: 192.168.1.10#53
Name: repo.sansovo.org
Address: 192.168.1.99
> www.baidu.com # 查询外网服务器信息,递归到公网 DNS 服务器
Server: 192.168.1.10
Address: 192.168.1.10#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Authoritative answers can be found from:
baidu.com nameserver = ns2.baidu.com.
baidu.com nameserver = ns7.baidu.com.
baidu.com nameserver = ns3.baidu.com.
baidu.com nameserver = dns.baidu.com.
baidu.com nameserver = ns4.baidu.com.
ns3.baidu.com internet address = 220.181.37.10
ns4.baidu.com internet address = 220.181.38.10
dns.baidu.com internet address = 202.108.22.220
ns2.baidu.com internet address = 61.135.165.235
ns7.baidu.com internet address = 119.75.219.82
>exit
退出
■ dig — 发送域名查询信息包到域名服务器
-----------------------------------------------------------------------------------------------------------------------------------------
Dig (domain information groper 域名信息搜索)是一个灵活的 命令行工具, 它可以用来从域名系统服务器中收集信息. Dig 有两种模式:简单交互模式
用于简单的查询,而批处理模式则可以对 包含多个查询条目的列表执行查询. 所有查询选项都可以从命令行输入.
用法: dig [@server] domain [〈query-type〉] [〈query-class〉] [+〈query-option〉] [-〈dig-option〉] [%comment]
[root@www ~]# dig [options] FQDN [@server]
通常简单的 dig 用法为下列格式:
dig @server domain query-type query-class
选项与参数:
@server :如果不以 /etc/resolv.conf 的设定来作为 DNS 查询,可在此填入其他的 IP
+trace :就是从 . 开始追踪
-t type :查询的数据主要有 mx, ns, soa 等类型
-x :查询反向信息
范例:
使用默认选项查询主机:
-----------------------------------------------------------------------------------------------------------------
[root@online ~]# dig online.sansovo.org
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> online.sansovo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45026
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;online.sansovo.org. IN A
;; ANSWER SECTION:
online.sansovo.org. 86400 IN A 192.168.1.10
;; AUTHORITY SECTION:
sansovo.org. 86400 IN NS online.sansovo.org.
查询 soa 信息:
-----------------------------------------------------------------------------------------------------------------
[root@online ~]# dig -t soa online.sansovo.org
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t soa online.sansovo.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52268
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;online.sansovo.org. IN SOA
;; AUTHORITY SECTION:
sansovo.org. 10800 IN SOA sansovo.org. devalone.sohu.com. 0 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: 四 4月 26 10:34:26 CST 2018
;; MSG SIZE rcvd: 100
■ whois - client for the whois directory service
-----------------------------------------------------------------------------------------------------------------------------------------
查询域名注册信息,用于公网 DNS 注册信息查询。
用法:
[root@www ~]# whois [domainname] <==注意啊!是 domain 而不是 hostname
范例:
[root@online ~]# whois centos.org
Domain Name: CENTOS.ORG
Registry Domain ID: D103409469-LROR
Registrar WHOIS Server: whois.comlaude.com
Registrar URL: https://comlaude.com/whois
Updated Date: 2017-11-04T23:05:08Z
Creation Date: 2003-12-04T12:28:30Z
Registry Expiry Date: 2018-12-04T12:28:30Z
Registrar Registration Expiration Date:
.....................
■ rndc - name server control utility
-----------------------------------------------------------------------------------------------------------------------------------------
用法:
rndc [-b source-address] [-c config-file] [-k key-file] [-s server] [-p port] [-V] [-y key_id] {command}
command:
reload : Reload configuration file and zones.
reload zone [class [view]] : Reload the given zone.
stats : Write server statistics to the statistics file.
dumpdb [-all|-cache|-zone] [view ...] : Dump the server's caches (default) and/or zones to the dump file for the specified views.
If no view is specified, all views are dumped.
flush : Flushes the server's cache.
status : Display status of the server. Note that the number of zones includes the internal bind/CH zone and the default ./IN hint zone
if there is not an explicit root zone configured.
----------------------------------------------------------------------------------------------------------------------------------------------
参考: https://www.isc.org/downloads/bind/
https://www.isc.org/downloads/bind/doc/
http://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/Bv9ARM.html