DNS
DNS lookup
The stub resolver on the client sends the query to the name server listed in /etc/resolv.conf.
If the name server is authoritative for the requested information, it sends an authoritative answer to the client; otherwise, if the name server has the requested information in its cache, it sends a non-authoritative answer to the client.
If the cache holds nothing either, the name server searches for the authoritative name server: it starts at the root zone and walks down the DNS hierarchy until it reaches the name server that is authoritative for the information, and obtains the answer for the client from there. In that case the name server passes the information to the client and keeps a copy in its own cache for later lookups.
DNS resource records
A DNS zone stores its information as resource records. Each resource record has a type that indicates what kind of data it holds:
A: name to IPv4 address
AAAA: name to IPv6 address
CNAME: name to "canonical name" (another name that carries the A/AAAA records)
PTR: IPv4/IPv6 address to name
MX: mail exchanger for the name (where to send its email)
NS: name server for the domain
SOA: "start of authority", information about the DNS zone (administrative information)
DNS troubleshooting
The dig tool shows detailed information from a DNS lookup, including why a query failed. The status field takes these values:
NOERROR: the query succeeded
NXDOMAIN: the DNS server reports that no such name exists
SERVFAIL: the DNS server is down, or DNSSEC validation of the response failed
REFUSED: the DNS server refused to answer (possibly for access-control reasons)
Parts of the dig output
The header gives information about the query and the answer, including the response status and any special flags that are set (aa means an authoritative answer, and so on)
QUESTION: the actual DNS query that was sent
ANSWER: the response (if any)
AUTHORITY: the name servers responsible for the domain/zone
ADDITIONAL: other information supplied, usually about the name servers
The notes at the bottom state which recursive name server the query was sent to and how long the response took
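Checking these fields by script rather than by eye is useful when a resolver is monitored from a job. The block below is an added example, not code from the original notes: it parses a constructed dig transcript (modelled on the dig output shown later on this page) and applies the status table above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): pull the status,
# header flags and record sections out of dig output and classify
# the reply the way the troubleshooting notes above describe.
# The transcripts are constructed samples modelled on this page's
# "dig hello.westos.com" output, not captured from a live server.
DIG_SAMPLE='; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9625
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;hello.westos.com.      IN      A
;; ANSWER SECTION:
hello.westos.com.       86400   IN      A       172.25.254.123
;; AUTHORITY SECTION:
westos.com.             86400   IN      NS      dns.westos.com.
;; Query time: 0 msec'
NX_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'
# dig_status TEXT -> NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}
# dig_has_flag TEXT FLAG -> succeeds if FLAG (e.g. aa) is in the header
dig_has_flag() {
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p')
    case " $flags " in *" $2 "*) return 0 ;; esac
    return 1
}
# dig_section TEXT NAME -> records of the ANSWER/AUTHORITY/ADDITIONAL section
dig_section() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^;; [A-Z]+ SECTION:$/ { insec = ($2 == want); next }
        insec && NF > 0 && $1 !~ /^;/ { print }'
}
# answer_ips TEXT -> IPv4 addresses of the A records in the ANSWER section
answer_ips() { dig_section "$1" ANSWER | awk '$4 == "A" { print $5 }'; }
# dig_verdict TEXT -> one-line diagnosis following the status list above
dig_verdict() {
    st=$(dig_status "$1")
    case $st in
        NOERROR)  if dig_has_flag "$1" aa; then echo "authoritative answer"
                  else echo "non-authoritative answer (cache or forwarder)"; fi ;;
        NXDOMAIN) echo "no such name" ;;
        SERVFAIL) echo "server down or DNSSEC validation failed" ;;
        REFUSED)  echo "query refused (check allow-query/access control)" ;;
        *)        echo "unexpected status: $st" ;;
    esac
}
# Stand-alone demo; a live check would pass "$(dig "$name")" instead
dig_verdict "$DIG_SAMPLE"
```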
1. Installing and deploying DNS
1. Install the DNS caching service
yum install bind -y
2. Start the service
systemctl start named
3. Stop the firewall
systemctl stop firewalld.service ## lab shortcut; on a real server keep the firewall and open only port 53 (tcp and udp)
systemctl disable firewalld.service
4. Check the named service
netstat -antlupe | grep named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 47534 4695/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 47539 4695/named
tcp6 0 0 ::1:53 :::* LISTEN 25 47536 4695/named
tcp6 0 0 ::1:953 :::* LISTEN 25 47540 4695/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 25 47533 4695/named
udp6 0 0 ::1:53 :::* 25 47535 4695/named
By default named listens only on 127.0.0.1 and ::1; the listen-on change in step 2 is what makes it reachable from clients.
Related files:
/etc/named.conf ## main configuration file
/etc/named.rfc1912.zones ## sub-configuration file (zone definitions)
/var/named ## data directory (zone files)
2. Caching DNS
vim /etc/named.conf ## edit the named configuration
options {
        listen-on port 53 { any; }; ## which IP addresses the listener is opened on
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; }; ## who is allowed to query; any means everyone (with recursion on this is an open resolver, so outside the lab restrict it to your own networks)
        forwarders { 114.114.114.114; }; ## queries not answered from the cache are forwarded to this upstream resolver
        ... ## unchanged lines omitted
        dnssec-validation no;
        dnssec-lookaside auto;
};
:wq ## save and exit
Test:
On a client host
vim /etc/resolv.conf
# Generated by NetworkManager
search ilt.example.com example.com
nameserver 172.25.254.132
On any other client host
vim /etc/resolv.conf
# Generated by NetworkManager
search ilt.example.com example.com
nameserver 172.25.254.132
dig www.qq.com
dig www.qq.com
The second query takes less time, because the answer is now served from the cache (compare the Query time line of the two outputs)
3. Authoritative DNS, forward resolution
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
};
cd /var/named
cp -p named.localhost westos.com.zone ## copy the template; -p keeps the owner and mode so named can still read the file
vim westos.com.zone
$TTL 1D ; clients may keep the information in their cache for one day
@ IN SOA dns.westos.com. zhang.westos.com. ( ; names must end with ".", otherwise the value of @ (.westos.com.) is appended automatically; the first name is the primary server clients see, the second tells whoever reads the file who maintains it (the admin mailbox)
        0       ; serial
        1D      ; refresh, secondaries re-check the zone within one day
        1H      ; retry, retry after one hour if the refresh fails
        1W      ; expire, the copy expires after one week
        3H )    ; minimum (negative-caching) TTL
        NS      dns.westos.com.
dns     A       172.25.254.100
www     A       172.25.254.111
bbs     A       172.25.254.222
systemctl restart named ## restart the service
Test:
On a client host
vim /etc/resolv.conf
nameserver 172.25.254.180
dig www.westos.com
CNAME alias records
Several IP addresses for the same server (www is an alias for bbs.a, which carries two A records)
vim westos.com.zone
        NS      dns.westos.com.
dns     A       172.25.254.132
www     CNAME   bbs.a.westos.com.
bbs.a   A       172.25.254.111
bbs.a   A       172.25.254.222
dig www.westos.com
MX (Mail Exchanger) records
vim westos.com.zone
        NS      dns.westos.com.
dns     A       172.25.254.132
www     CNAME   bbs.a.westos.com.
bbs.a   A       172.25.254.111
bbs.a   A       172.25.254.222
westos.com.     MX 1    mail.westos.com.
mail    A       172.25.254.100
systemctl restart named
Test:
mail [email protected]
mailq ## inspect the mail queue
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
BE0C519713E5 453 Tue Feb 19 21:48:15 [email protected]
(connect to mail.westos.com[172.25.254.100]:25: No route to host)
[email protected] ## rejected by host 100
-- 0 Kbytes in 1 Request.
The mail sent to 172.25.254.100 was rejected. The queue entry still shows that the MX lookup worked: mail.westos.com resolved to 172.25.254.100, which is what this test checks.
postsuper -d BE0C519713E5 ## delete the queued message
4. Authoritative DNS, reverse resolution
vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {
        type master;
        file "172.25.254.ptr";
        allow-update { none; };
};
cd /var/named
cp -p named.loopback 172.25.254.ptr
vim 172.25.254.ptr
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.180 ; in this zone this only defines dns.254.25.172.in-addr.arpa; it is not needed for the PTR lookups
180     PTR     dns.westos.com.
111     PTR     www.westos.com.
222     PTR     bbs.westos.com.
systemctl restart named
dig -x 172.25.254.111
dig -x 172.25.254.180
dig -x 172.25.254.222
5. Two-way (split-view) DNS resolution
vim /etc/named.conf
## once views are used, every zone must sit inside a view, so the original root hint zone is commented out and repeated in each view; views are matched in order, so the localhost view comes before the catch-all
/*
zone "." IN {
        type hint;
        file "named.ca";
};
*/
view localnet {
        match-clients { localhost; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
};

view internet {
        match-clients { any; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.inters";
};
include "/etc/named.root.key";
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inters
vim /etc/named.rfc1912.inters
zone "westos.com" IN {
        type master;
        file "westos.com.inter"; ## must match the file name created below
        allow-update { none; };
};
cp -p westos.com.zone westos.com.inter
vim westos.com.inter
$TTL 1D
@ IN SOA dns.westos.com. zhang.westos.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      dns.westos.com.
dns     A       192.168.0.180
www     CNAME   bbs.a.westos.com.
bbs.a   A       192.168.0.222
bbs.a   A       192.168.0.111
westos.com.     MX 1    mail.westos.com.
mail    A       192.168.0.100
Test:
dig on the server itself (matches the localnet view, answered from westos.com.zone)
dig www.westos.com
dig on a client host (matches the internet view, answered from westos.com.inter with the 192.168.0.x addresses)
dig www.westos.com
6. Secondary DNS
Settings on the primary DNS
vim /etc/named.conf
To keep the environment clean, first restore the earlier settings
vim /etc/named.rfc1912.inters
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { none; };
        also-notify { 172.25.254.100; }; ## notify the secondary at 172.25.254.100 whenever the zone changes
};
systemctl restart named
Note: every time the record file westos.com.inter is edited, the serial value must be changed; it is at most 10 digits
Suggested format: year + month + day + number of this day's edit
For example: 2019022101
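A small helper that applies this serial scheme automatically and checks the zone before the restart, as an added example that is not part of the original notes. It assumes the zone file keeps the "<number> ; serial" layout shown in section 3; the function names and the sample zone are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): bump a zone file's SOA serial
# with the YYYYMMDDNN scheme recommended above, then validate the file with
# named-checkzone before restarting named. Assumes the serial line reads
# "<number> ; serial" as in the page's westos.com.zone (serial = 32-bit unsigned).
# next_serial CURRENT TODAY(YYYYMMDD) -> prints the next serial; fails when it
# cannot be larger than CURRENT (secondaries only transfer on an increase)
next_serial() {
    cur=$1; today=$2
    case $cur in
        "$today"[0-9][0-9])
            n=${cur#"$today"}; n=${n#0}   # same day: strip the date, bump NN
            n=$((n + 1))
            [ "$n" -le 99 ] || { echo "more than 99 edits on $today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$n" ;;
        *)
            new=${today}01                # new day, or the template's initial 0
            [ "$new" -gt "$cur" ] || { echo "serial $cur is ahead of $new" >&2; return 1; }
            printf '%s\n' "$new" ;;
    esac
}
# bump_zone_serial FILE TODAY -> rewrites the "; serial" line, prints the value
bump_zone_serial() {
    file=$1; today=$2
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$file" | head -n 1)
    [ -n "$cur" ] || { echo "no '; serial' line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    tmp=$(mktemp) || return 1
    { sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$file" > "$tmp" \
        && cat "$tmp" > "$file"; } || { rm -f "$tmp"; return 1; }  # cat keeps owner/mode
    rm -f "$tmp"; printf '%s\n' "$new"
}
# check_zone ORIGIN FILE -> named-checkzone (part of the bind package)
check_zone() {
    command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not installed" >&2; return 1; }
    named-checkzone "$1" "$2"
}
# Constructed sample zone in the page's layout. Real use would be:
#   bump_zone_serial /var/named/westos.com.zone "$(date +%Y%m%d)" \
#     && check_zone westos.com /var/named/westos.com.zone && systemctl restart named
SAMPLE_ZONE=$(mktemp)
cat > "$SAMPLE_ZONE" <<'EOF'
$TTL 1D
@ IN SOA dns.westos.com. zhang.westos.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
EOF
```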
Changes on the secondary DNS
yum install bind -y
systemctl start named
systemctl stop firewalld
vim /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        ... ## unchanged lines omitted
        dnssec-validation no;
        dnssec-lookaside auto;
};
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type slave;
        masters { 172.25.254.180; };
        file "slaves/westos.com.inter"; ## /var/named/slaves is writable by named, so the transferred zone is stored there
        allow-update { none; };
};
systemctl restart named
Test: on the client
vim /etc/resolv.conf
nameserver 172.25.254.100
dig www.westos.com
vim /var/named/westos.com.inter ## change a record on the primary DNS and raise the serial
systemctl restart named
dig www.westos.com ## query the secondary again; it now returns the updated record
7. Remote (dynamic) DNS updates
Based on IP address
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { 172.25.254.100; }; ## only this address may send dynamic updates; an address check alone is not authentication, so prefer the key-based form below outside the lab
        also-notify { 172.25.254.100; };
};
chmod 770 /var/named/ ## let named write the journal (.jnl) file next to the zone file
systemctl restart named
Test:
On host 100
[root@dns2_server etc]# nsupdate
> server 172.25.254.180
> update add hello.westos.com 86400 A 172.25.254.123
> send
> quit
[root@dns2-server named]# nsupdate
> server 172.25.254.180
> update delete hello.westos.com ## delete the record
> send
> quit
Caution:
In this exercise, check which SELinux mode the host being updated remotely is in, using getenforce
If it is Disabled, the update works normally
If it is Enforcing, the update is refused
getsebool -a | grep named ## list the SELinux booleans for named
[root@dns-server named]# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> off
setsebool -P named_write_master_zones on ## turn the boolean on (-P makes it persistent across reboots)
[root@dns_server named]# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> on
Query:
dig hello.westos.com
The primary DNS now creates the journal westos.com.zone.jnl (the zone file name with .jnl appended)
When the service is restarted, the changes are written permanently into westos.com.zone
Based on a key
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos ## the lab uses HMAC-MD5; dnssec-keygen also accepts -a HMAC-SHA256 -b 256, the better choice outside the lab
cat Kwestos.+157+07152.key
westos. IN KEY 512 3 157 36/QGH4u/kOYbzXxeW2iSQ==
vim /etc/named.conf
include "/etc/westos.key";
cp -p /etc/rndc.key /etc/westos.key ## use rndc.key as a template; -p keeps its root:named owner and 0640 mode, so the secret is not world-readable
vim /etc/westos.key
key "westos" {
        algorithm hmac-md5;
        secret "36/QGH4u/kOYbzXxeW2iSQ==";
};
vim /etc/named.rfc1912.inters
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { key westos; };
        also-notify { 172.25.254.232; };
};
systemctl restart named
Test:
scp Kwestos.+157+07152.* [email protected]:/mnt/
[root@dns2-server mnt]# nsupdate -k Kwestos.+157+07152.private
> server 172.25.254.132
> update add hello.westos.com 86400 A 172.25.254.123
> send
> quit
On host 132
[root@dns-server named]# dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9625
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com. IN A
;; ANSWER SECTION:
hello.westos.com. 86400 IN A 172.25.254.123
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 192.168.0.100
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Feb 16 03:17:50 EST 2019
;; MSG SIZE rcvd: 95
8. DDNS (花生壳 / Peanut Shell style dynamic DNS)
vim /etc/dhcp/dhcpd.conf
ddns-update-style interim;
key testdns { ## the same key must also be defined on the named side, with allow-update { key testdns; } on the testdns.com zone, as in section 7
        algorithm hmac-md5;
        secret SJV/CnorS9NqoG0eZOYkag==;
};
zone testdns.com. {
        primary 127.0.0.1;
        key testdns;
}
systemctl restart dhcpd
systemctl restart named
## Test
Set one host's network interface to obtain its address by DHCP
Set that host's hostname to news.testdns.com, a name that the existing service does not yet resolve
Restart the network and check that the IP address and the host name now resolve