#################################
####### 配置高速缓存DNS ########
#################################
################
### DNS总揽 ###
################
##权威名称服务器
-存储并提供某个区域整个DNS域或DNS域的一部分的实际数据。权威名称服务器的类型包括
*Master包含原始区域数据。有时称作“主要”名称服务器
*Slave备份服务器通过区域传送从Master服务器获得区域数据的副本。有时称作“次要”名称服务器
##非权威/递归名称服务器
-客户端通过其查找来自权威名称服务器的数据。递归名称服务器的类型包括
*仅缓存名称服务器只负责查找并缓存结果，对任何区域数据都不具有权威性
##DNS查找
-客户端上的Stub解析器将查询发送至/etc/resolv.conf中的名称服务器
-如果名称服务器
#########环境搭建##########
1.client端
ip：172.25.254.119
dns（/etc/resolv.conf）：172.25.254.219
1)修改主机名为client
[root@localhost ~]# hostnamectl set-hostname client.example.com
[root@localhost ~]# reboot
Connection to 172.25.254.119 closed by remote host.
Connection to 172.25.254.119 closed.
2)配置client端的DNS服务器的地址
[root@client ~]# vim /etc/resolv.conf
# Generated by NetworkManager
domain example.com
search example.com
nameserver 172.25.254.219
2.server端
ip：172.25.254.219
dns：172.25.254.219
yum仓库（/etc/yum.repos.d/rhel_dvd.repo）：http://172.25.254.250/rhel7
1)修改主机名为dns-server
[root@localhost ~]# hostnamectl set-hostname dns-server.example.com
[root@localhost ~]# reboot
Connection to 172.25.254.219 closed by remote host.
Connection to 172.25.254.219 closed.
2)配置yum仓库
[root@dns-server ~]# vim /etc/yum.repos.d/rhel_dvd.repo
# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.254.19/rhel7.0
name = Remote classroom copy of dvd
[root@dns-server ~]# yum clean all##注意要刷新yum源
3)安装bind9（DNS服务软件）
[root@dns-server ~]# yum install bind -y
4)开启DNS服务
[root@dns-server ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: inactive (dead)
[root@dns-server ~]# systemctl start named
--------------------------------------------------------------------------
注意：启动过程太慢，也许是因为系统刚开机、随机数（熵）不够导致的。可以通过在server端敲击键盘或移动鼠标来增加无序字符解决该问题。
系统会将无序字符存储在/dev/random中，可以cat /dev/random查看
[root@dns-server ~]# cat /dev/random
3:HxYK)T
生成的密钥存放在/etc/rndc.key中（它是rndc控制通道的共享密钥，通常在服务首次启动时生成，生成时会读取/dev/random），可以cat /etc/rndc.key查看。该文件应只有root和named组可读，不要把它复制到别的主机上
[root@dns-server ~]# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "SriFRo71w6fL0Gf8tAeapA==";
};
---------------------------------------------------------------------------
5)配置防火墙
[root@dns-server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@dns-server ~]# firewall-cmd --permanent --add-service=dns
success
[root@dns-server ~]# firewall-cmd --reload
success
[root@dns-server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
6)修改selinux为警告模式（非必要：setenforce 0 只对本次运行有效，重启后恢复；区域文件放在默认的/var/named下时named在enforcing模式下也能正常工作，通常无需关闭）
[root@dns-server ~]# setenforce 0
#########DNS本地高速缓存服务器##########
1)让named在所有接口上监听53端口（listen-on）
[root@client ~]# dig www.baidu.com
connection timed out; no servers could be reached
##此时显示没有dns server可达，是因为named只在本机环回地址上监听，外部主机连不上它的53端口
[root@dns-server ~]# netstat -antuple | grep named
##此处显示named的53端口只在127.0.0.1环回口上监听。
[root@dns-server ~]# rpm -qc bind##查看bind的配置文件都有哪些
/etc/logrotate.d/named
/etc/named.conf##此文件为主配置文件
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
[root@dns-server ~]# vim /etc/named.conf
11 listen-on port 53 { 127.0.0.1; };
||
\/
11 listen-on port 53 { any; };
[root@dns-server ~]# systemctl restart named##重启服务后生效
2)配置DNS server回答所有人的dns请求
[root@client ~]# dig www.baidu.com
status: REFUSED
##此时client的dns请求被拒绝了，是因为DNS server的配置未设置为响应所有人的dns请求。实验中直接改为any；正式环境应把allow-query（以及allow-recursion）限制为内网网段（如 { 172.25.254.0/24; }），否则这台递归解析器对任何来源都开放，会被外部当作反射放大源使用
[root@dns-server ~]# vim /etc/named.conf
17 allow-query { localhost; };
||
\/
17 allow-query { any; };
[root@dns-server ~]# systemctl restart named##重启服务后生效
3)配置本地高速缓存DNS server向上游获取解析结果的途径（forwarders）
[root@client ~]# dig www.baidu.com
status: SERVFAIL
##此时DNS server提供服务失败了，是因为本地高速缓存DNS自身没有数据，需要通过forwarders从其他DNS服务器上获取解析结果
[root@dns-server ~]# vim /etc/named.conf
18 forwarders { 172.25.254.250; };##在18行添加该信息
[root@dns-server ~]# systemctl restart named##重启服务后生效
[root@client ~]# dig www.baidu.com##验证成功获取到dns解析
最后注意：这里要关闭DNS安全认证，作者给的理由是本地高速缓存DNS在公网上未注册；更准确地说，是验证失败（经转发器拿到的应答无法建立到根信任锚的DNSSEC信任链）会让named返回SERVFAIL。关闭验证后named会接受未经签名校验的应答，这只适合实验环境
4)关闭DNS安全认证(dnssec-validation)
[root@dns-server ~]# vim /etc/named.conf
33 dnssec-validation yes;
||
\/
33 dnssec-validation no;
[root@dns-server ~]# systemctl restart named##重启服务后生效
#########DNS正向解析##########
[root@dns-server ~]# vim /etc/named.conf
51 zone "." IN {
52 type hint;
53 file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";##指向了该文件
57 include "/etc/named.root.key";
[root@dns-server ~]# vim /etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";##指向了该文件
28 allow-update { none; };
29 };
##25-29行是模仿19-23行的模板而来的
[root@dns-server ~]# cd /var/named/
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost
named.ca named.loopback
[root@dns-server named]# cp -p named.localhost tbr.com.zone
##注意此处cp一定要加-p保证通过模板复制的文件的所属组为named
[root@dns-server named]# ll
total 32
drwxrwx---. 2 named named 22 11月 20 01:23 data
drwxrwx---. 2 named named 4096 11月 21 02:55 dynamic
-rw-r-----. 1 root named 2076 1月 28 2013 named.ca
-rw-r-----. 1 root named 152 12月 15 2009 named.empty
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
-rw-r-----. 1 root named 168 12月 15 2009 named.loopback
drwxrwx---. 2 named named 6 1月 29 2014 slaves
-rw-r-----. 1 root named 210 11月 20 03:15 tbr.com.zone
否则的话会变成
-rw-r-----. 1 root root 210 11月 20 03:15 tbr.com.zone
[root@dns-server named]# vim tbr.com.zone
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
||
\/
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
dns A 172.25.254.219
www A 172.25.254.19
www A 172.25.254.18
bbs CNAME www.tbr.com.
tbr.com. MX 1 172.25.254.219.
##dns.tbr.com.指的是dns server的名称
##注意此处的域名都是以.结尾的（完整域名），否则named会自动在后面补上该区域的名字tbr.com（即/etc/named.rfc1912.zones中zone "tbr.com"配置的区域名）
##注意：MX记录的目标应当是主机名（如 dns.tbr.com.）而不是IP地址，这里写成172.25.254.219.会被当作一个主机名来处理，正式环境请改为主机名
##注意当一个域名有多条A记录对应多个ip时，DNS server会对该条解析进行轮询。现象如下
当频繁地执行dig www.tbr.com时两个ip的先后顺序会不断轮询变换。如图
[root@dns-server ~]# systemctl restart named##重启服务后生效
测试
[root@client ~]# dig -t mx tbr.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx tbr.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tbr.com. IN MX
;; ANSWER SECTION:
tbr.com. 86400 IN MX 1 172.25.254.219.
;; AUTHORITY SECTION:
tbr.com. 86400 IN NS dns.tbr.com.
;; ADDITIONAL SECTION:
dns.tbr.com. 86400 IN A 172.25.254.219
;; Query time: 1 msec
;; SERVER: 172.25.254.219#53(172.25.254.219)
;; WHEN: 一 11月 21 04:06:07 EST 2016
;; MSG SIZE rcvd: 100
[root@client ~]# dig www.tbr.com ##测试A记录轮询
[root@client ~]# dig bbs.tbr.com##测试CNAME
[root@client ~]# mail root@tbr.com##测试MX邮件解析
Subject: dawda
fdawda
caw
.
EOT
[root@client ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C8A7717E849 462 Sun Nov 20 03:05:10 root@localhost.localdomain
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
root@tbr.com
0938717E857 437 Mon Nov 21 04:09:23 root@client.example.com
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
root@tbr.com
-- 1 Kbytes in 2 Requests.
#########DNS反向解析##########
[root@dns-server named]# vim /etc/named.rfc1912.zones
37 zone "1.0.0.127.in-addr.arpa" IN {
38 type master;
39 file "named.loopback";
40 allow-update { none; };
41 };
42
43 zone "254.25.172.in-addr.arpa" IN { ##表示172.25.254.0网段
44 type master;
45 file "tbr.comNaNr";
46 allow-update { none; };
47 };
##43-47行是模仿37-41行的模板而来的
[root@dns-server ~]# cd /var/named/
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost tbr.com.zone
named.ca named.loopback
[root@dns-server named]# cp -p named.localhost tbr.comNaNr##注意此处一定要加-p
[root@dns-server named]# vim tbr.comNaNr##编辑上面cp出来的反向区域文件（即43-47行file指向的文件），不要改正向的tbr.com.zone
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
A 172.25.254.219
19 PTR www.tbr.com.
18 PTR www.hello.com.
##ip地址172.25.254.19---->www.tbr.com
##ip地址172.25.254.18---->www.hello.com
[root@dns-server ~]# systemctl restart named##重启服务后生效
测试
[root@client ~]# dig -x 172.25.254.19##反向查询域名
#########DNS的内网外网解析##########
假设172.25.254.119为内网测试主机，172.25.254.219为外网测试主机
1.主配置文件修改
[root@dns-server named]# vim /etc/named.conf
51 /*\
52 zone "." IN { |
53 type hint;|
54 file "named.ca";|
55 };|->这部分注释掉
56 |
57 include "/etc/named.rfc1912.zones";|
58 include "/etc/named.root.key";|
59 *//
==================================================================
60 view localnet {
61 match-clients { 172.25.254.119; };##client端匹配172.25.254.119的主机
62 zone "." IN { \
63 type hint;|
64 file "named.ca";|->从52-55行复制而来
65 };/
66 include "/etc/named.rfc1912.zones";
67 };
68
69
70 view internet {
71 match-clients { 172.25.254.219; };##client端匹配172.25.254.219的主机
72 zone "." IN {
73 type hint;
74 file "named.ca";
75 };
76 include "/etc/named.rfc1912.zones.inter";
77 };
##61、71行的match-clients中也可以写成网段{ 172.25.254.0/24; };
/client端是172.25.254.119的去查看/etc/named.rfc1912.zones文件
##此部分的意义是|
\client端是172.25.254.219的去查看/etc/named.rfc1912.zones.inter文件
2./etc/named.rfc1912.zones与/etc/named.rfc1912.zones.inter文件的配置
[root@dns-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter##注意此处一定要加-p
##以/etc/named.rfc1912.zones为模板复制出外网主机读取的文件
[root@dns-server named]# vim /etc/named.rfc1912.zones.inter
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone.inter";##外网主机再去查看该文件
28 allow-update { none; };
29 };
3./var/named/tbr.com.zone.inter文件的配置
[root@dns-server named]# ls
data named.empty slaves
dynamic named.localhost tbr.comNaNr
named.ca named.loopback tbr.com.zone
[root@dns-server named]# cp -p tbr.com.zone tbr.com.zone.inter##注意此处一定要加-p
[root@dns-server named]# ls
data named.empty slaves tbr.com.zone.inter
dynamic named.localhost tbr.comNaNr
named.ca named.loopback tbr.com.zone
[root@dns-server named]# vim tbr.com.zone.inter
$TTL 1D
@ IN SOA dns.tbr.com. root.tbr.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.tbr.com.
dns A 172.25.0.219
www A 172.25.0.19
www A 172.25.0.18
bbs CNAME www.tbr.com.
tbr.com. MX 1 172.25.0.219.
[root@dns-server ~]# systemctl restart named##重启服务后生效
《总结》
各个文件之间的逻辑关系
/client端是172.25.254.119的去查看/etc/named.rfc1912.zones文件
| ||
| \/
| /var/named/tbr.com.zone
/etc/named.conf -->|
(主配置文件) | /var/named/tbr.com.zone.inter
| /\
| ||
\client端是172.25.254.219的去查看/etc/named.rfc1912.zones.inter文件
补充
man 5 named.conf##查看named.conf文件的信息