#################################

####### 配置高速缓存DNS ########

#################################

 

################

### DNS总揽 ###

################

##权威名称服务器

-存储并提供某个区域整个DNS域或DNS域的一部分的实际数据。权威名称服务器的类型包括

*Master：包含原始区域数据，有时称作“主要（primary）”名称服务器

*Slave：备份服务器，通过区域传送（zone transfer）从 Master 服务器获得区域数据的副本，有时称作“次要（secondary）”名称服务器

##非权威/递归名称服务器

-客户端通过其查找来自权威名称服务器的数据。递归名称服务器的类型包括

*仅缓存（caching-only）名称服务器：只负责查找并缓存结果，除本地数据外对任何区域都不具有权威性

##DNS查找

-客户端上的 Stub 解析器将查询发送至 /etc/resolv.conf 中列出的名称服务器

-如果名称服务器对该区域具有权威性，或缓存中已有答案，则直接应答；否则由它代替客户端继续查询（按根提示 → 顶级域 → 权威服务器递归，或转发给 forwarders），并把结果缓存起来供后续查询使用

 

 

#########环境搭建##########

1.client

ip：172.25.254.119

dns（/etc/resolv.conf）：172.25.254.219

 

1)修改主机名为client

[root@localhost ~]# hostnamectl set-hostname client.example.com

[root@localhost ~]# reboot

Connection to 172.25.254.119 closed by remote host.

Connection to 172.25.254.119 closed.

2)配置 client 端的 DNS 服务器地址

[root@client ~]# vim /etc/resolv.conf##注意：这个文件由 NetworkManager 生成，网络重启或 DHCP 续租时手工改动会被覆盖；持久的做法是写到网卡配置里（ifcfg 文件中 DNS1=172.25.254.219，或 nmcli con mod <连接名> ipv4.dns 172.25.254.219）再重载网络

# Generated by NetworkManager

 domain example.com

 search example.com

 nameserver 172.25.254.219

 

 

2.server

ip：172.25.254.219

dns：172.25.254.219

yum 仓库：/etc/yum.repos.d/rhel_dvd.repo，baseurl 写本环境实际可达的软件源（这里笔记写的是 http://172.25.254.250/rhel7，而下面文件里用的是 http://172.25.254.19/rhel7.0，两处应保持一致）

 

1修改主机名为dns-server

[root@localhost ~]# hostnamectl set-hostname dns-server.example.com

[root@localhost ~]# reboot

Connection to 172.25.254.219 closed by remote host.

Connection to 172.25.254.219 closed.

2)配置yum仓库

[root@dns-server ~]# vim /etc/yum.repos.d/rhel_dvd.repo

# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000

[rhel_dvd]

gpgcheck = 0

##注意：gpgcheck = 0 关闭了 RPM 包签名校验，只适合隔离的实验环境；生产环境应设 gpgcheck = 1 并配置 gpgkey，否则软件源被篡改或替换时 yum 不会报错

enabled = 1

baseurl = http://172.25.254.19/rhel7.0

name = Remote classroom copy of dvd

[root@dns-server ~]# yum clean all##注意要刷新yum

3安装bind9DNS服务软件

[root@dns-server ~]# yum install bind -y

4开启DNS服务

[root@dns-server ~]# systemctl status named

named.service - Berkeley Internet Name Domain (DNS)

   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)

   Active: inactive (dead)

 

[root@dns-server ~]# systemctl start named

--------------------------------------------------------------------------

注意：首次启动过程较慢，通常是因为系统刚开机、内核随机数池（熵）不足，启动过程中需要随机数的步骤（如生成 /etc/rndc.key，named 默认从 /dev/random 取熵）会阻塞等待。可以通过在 server 端敲击键盘或移动鼠标（或运行 rngd/haveged）来补充熵。

当前熵池大小可以看 /proc/sys/kernel/random/entropy_avail。不要用 cat /dev/random 来“查看”随机数：它会把本就不足的熵池抽空，反而让 named 启动更慢（下面这一行只是原笔记的演示输出，不建议执行）

[root@dns-server ~]# cat /dev/random

3:HxYK)T

rndc 控制通道（默认只监听 127.0.0.1:953）的认证密钥存放在 /etc/rndc.key 中，可以 cat /etc/rndc.key 查看

[root@dns-server ~]# cat /etc/rndc.key

key "rndc-key" {

algorithm hmac-md5;

secret "SriFRo71w6fL0Gf8tAeapA==";

};

##安全提示：secret 是凭据——拿到它并能连上 953 端口的人就可以用 rndc 停止/重载 named、刷新缓存，不要把它贴进笔记或版本库；若已泄露，用 rndc-confgen -a 重新生成并重启 named。hmac-md5 是这个版本 rndc-confgen 的默认算法，较新的 BIND 默认改用 hmac-sha256

---------------------------------------------------------------------------

5配置防火墙

[root@dns-server ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client ftp ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

[root@dns-server ~]# firewall-cmd --permanent --add-service=dns##在 public 区对所有来源开放 53/udp 和 53/tcp；真正的访问控制要靠下文 named.conf 里的 allow-query，或者改用 rich rule 只放行本地网段

success

[root@dns-server ~]# firewall-cmd --reload

success

[root@dns-server ~]# firewall-cmd --list-all

public (default, active)

  interfaces: eth0

  sources:

  services: dhcpv6-client dns ftp ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:

6)修改 selinux 为警告模式（非必要，且不推荐）

[root@dns-server ~]# setenforce 0##仅临时生效，重启后恢复。bind 自带的 SELinux 策略一般足以让 named 正常工作，后文的配置都可以在 enforcing 下完成；若确实遇到拒绝，应查 /var/log/audit/audit.log 并用 restorecon -Rv /var/named 修正文件上下文，而不是关闭 SELinux

 

 

#########DNS本地高速缓存服务器##########

1)让 named 在所有接口上监听 53 端口（UDP 与 TCP）

[root@client ~]# dig www.baidu.com

connection timed out; no servers could be reached

##此时显示没有 DNS server 可达，是因为 named 的 53 端口（dig 默认走 UDP，大应答和区域传送走 TCP）只绑定在 127.0.0.1，客户端的查询根本到不了服务

[root@dns-server ~]# netstat -antuple | grep named##新系统上可用 ss -antulp | grep named

##此处显示 named 的 53 端口只在 127.0.0.1 环回口开启了

[root@dns-server ~]# rpm -qc bind##查看bind的配置文件都有哪些

/etc/logrotate.d/named

/etc/named.conf##此文件为主配置文件

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/rndc.conf

/etc/rndc.key

/etc/sysconfig/named

/var/named/named.ca

/var/named/named.empty

/var/named/named.localhost

/var/named/named.loopback

[root@dns-server ~]# vim /etc/named.conf

 11         listen-on port 53 { 127.0.0.1; };

  ||

  \/

 11         listen-on port 53 { any; };##也可以只列出需要对外提供服务的那块网卡地址；IPv6 由同文件的 listen-on-v6 控制

[root@dns-server ~]# named-checkconf##改完 named.conf 先检查语法，有错误时 restart 会直接失败

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

2)配置 DNS server 响应客户端（而不是任何人）的 dns 请求

[root@client ~]# dig www.baidu.com

status: REFUSED

##此时 client 的 dns 请求被拒绝了，是因为 allow-query 默认只允许 localhost 查询

[root@dns-server ~]# vim /etc/named.conf

 17         allow-query     { localhost; };

||

\/

 17         allow-query     { localhost; 172.25.254.0/24; };

##安全提示：教程里常见的写法是 allow-query { any; };，但这台服务器同时启用了递归（recursion 默认 yes）和 forwarders，对 any 放开查询就成了谁都能用的“开放递归解析器”——会被拿去做 DNS 放大攻击，也更容易被缓存投毒。把 allow-query（必要时再加 allow-recursion）限制到本地网段即可满足后文所有测试（client 是 172.25.254.119）。只有在完全隔离的实验网里才可以图省事写 any

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

3)配置本地高速缓存DNS server获取dns的途径

[root@client ~]# dig www.baidu.com

status: SERVFAIL

##此时 DNS server 提供服务失败了（SERVFAIL），是因为这台缓存 DNS 既没有本地区域数据，也无法自己从根服务器递归到外网，需要把查询转发给另一台能解析的 DNS 服务器

[root@dns-server ~]# vim /etc/named.conf

 18         forwarders      { 172.25.254.250; };##在第 18 行添加该信息。forwarders 必须是你信任的服务器——它返回什么，这台缓存 DNS 就缓存什么；若希望转发失败时不再自行递归，可再加一行 forward only;

[root@dns-server ~]# systemctl restart named##重启服务后生效

[root@client ~]# dig www.baidu.com##验证成功获取到dns解析

 

最后注意：dnssec-validation 决定的是这台服务器是否校验“收到的”应答上的 DNSSEC 签名，与本机域名有没有在公网注册无关。实验环境里上游 forwarders 往往不提供 DNSSEC 数据，也够不到根信任锚，开启校验时可能拿到 SERVFAIL，所以这里关闭它。关闭后就失去了对缓存投毒的签名保护，只应在隔离的实验网里这样做；生产环境保持 dnssec-validation auto 或 yes

4)关闭 DNS 安全认证(dnssec-validation)（仅限实验环境）

[root@dns-server ~]# vim /etc/named.conf

 33         dnssec-validation yes;

       ||

       \/

 33         dnssec-validation no;

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

#########DNS正向解析##########

[root@dns-server ~]# vim /etc/named.conf

 51 zone "." IN {

 52         type hint;

 53         file "named.ca";

 54 };

 55

 56 include "/etc/named.rfc1912.zones";##指向了该文件

 57 include "/etc/named.root.key";

[root@dns-server ~]# vim /etc/named.rfc1912.zones

 19 zone "localhost" IN {

 20         type master;

 21         file "named.localhost";

 22         allow-update { none; };

 23 };

 24

 25 zone "tbr.com" IN {

 26         type master;

 27         file "tbr.com.zone";##指向了该文件

 28         allow-update { none; };##禁止动态更新（DDNS）。这本来就是默认值，但显式写上，以免以后有人误开放成 any 让任何客户端都能改区域数据

 29 };

##25-29行是模仿19-23行的模板而来的

 

[root@dns-server ~]# cd /var/named/

[root@dns-server named]# ls

data      named.empty      slaves        

dynamic   named.localhost  

named.ca  named.loopback   

[root@dns-server named]# cp -p named.localhost tbr.com.zone

##注意此处 cp 一定要加 -p，保证通过模板复制出来的文件保持 root:named、权限 640；named 以 named 用户运行，文件属组若变成 root，它就读不到区域文件，该 zone 会加载失败

[root@dns-server named]# ll

total 32

drwxrwx---. 2 named named   22 1120 01:23 data

drwxrwx---. 2 named named 4096 1121 02:55 dynamic

-rw-r-----. 1 root  named 2076 1月  28 2013 named.ca

-rw-r-----. 1 root  named  152 1215 2009 named.empty

-rw-r-----. 1 root  named  152 6月  21 2007 named.localhost

-rw-r-----. 1 root  named  168 1215 2009 named.loopback

drwxrwx---. 2 named named    6 1月  29 2014 slaves

-rw-r-----. 1 root  named  210 1120 03:15 tbr.com.zone

否则的话会变成

-rw-r-----. 1 root  root   210 1120 03:15 tbr.com.zone

 

[root@dns-server named]# vim tbr.com.zone

$TTL 1D

@       IN SOA  @ rname.invalid. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      @

        A       127.0.0.1

        AAAA    ::1

||

\/

 

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

                NS      dns.tbr.com.

dns             A       172.25.254.219

www             A       172.25.254.19

www             A       172.25.254.18

bbs             CNAME   www.tbr.com.

tbr.com.        MX 1    172.25.254.219.

##dns.tbr.com. 指的是 dns server 的名称

##注意：此处的完整域名都要以 . 结尾，否则系统会自动加上 /etc/named.rfc1912.zones 中配置的区域后缀 .tbr.com

##注意：MX 记录的目标应当是主机名而不是 IP 地址（RFC 5321）。上面这一行 BIND 虽然会接受（它把 172.25.254.219. 当成一个名字，见下文 dig 输出），但规范写法是先给邮件服务器一条 A 记录，再让 MX 指向它，例如：

##mail            A       172.25.254.219

##tbr.com.        MX 1    mail.tbr.com.

##另外，每次修改区域文件后应把 SOA 的 serial 加 1（本例没有 slave 所以暂不影响，但要养成习惯），并在重启前用 named-checkzone tbr.com /var/named/tbr.com.zone 检查语法

 

##注意：当同一个名字有多条 A 记录（一个域名对应多个 ip）时，DNS server 默认会对这些地址做轮询（round-robin）。现象如下：

当频繁地执行 dig www.tbr.com 时，两个 ip 的先后顺序会不断轮换。如图

 

 

[root@dns-server ~]# named-checkconf && named-checkzone tbr.com /var/named/tbr.com.zone##先检查主配置和区域文件语法，有问题时这里就能看到出错行

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

 

测试

[root@client ~]# dig -t mx tbr.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx tbr.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

 

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;tbr.com.INMX

 

;; ANSWER SECTION:

tbr.com.86400INMX1 172.25.254.219.

 

;; AUTHORITY SECTION:

tbr.com.86400INNSdns.tbr.com.

 

;; ADDITIONAL SECTION:

dns.tbr.com.86400INA172.25.254.219

 

;; Query time: 1 msec

;; SERVER: 172.25.254.219#53(172.25.254.219)

;; WHEN: 1121 04:06:07 EST 2016

;; MSG SIZE  rcvd: 100

 

[root@client ~]# dig www.tbr.com ##测试 A 记录（多条 A 记录会轮询）

 

[root@client ~]# dig bbs.tbr.com##测试CNAME

 

[root@client ~]# mail root@tbr.com##测试MX邮件解析

Subject: dawda

fdawda

caw

.

EOT

[root@client ~]# mailq

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------

C8A7717E849      462 Sun Nov 20 03:05:10  root@localhost.localdomain

              (connect to 172.25.254.219[172.25.254.219]:25: No route to host)

                                         root@tbr.com

 

0938717E857      437 Mon Nov 21 04:09:23  root@client.example.com

              (connect to 172.25.254.219[172.25.254.219]:25: No route to host)

                                         root@tbr.com

 

-- 1 Kbytes in 2 Requests.

##说明：队列里的 "connect to 172.25.254.219:25: No route to host" 表示 MX 解析本身已经成功（邮件被投往 172.25.254.219），失败发生在 SMTP 连接阶段——多半是 219 上没有监听 25 端口的邮件服务或被防火墙拦住，与 DNS 配置无关

 

 

 

 

#########DNS反向解析##########

[root@dns-server named]# vim /etc/named.rfc1912.zones

 37 zone "1.0.0.127.in-addr.arpa" IN {

 38         type master;

 39         file "named.loopback";

 40         allow-update { none; };

 41 };

 42

 43 zone "254.25.172.in-addr.arpa" IN {

##表示 172.25.254.0/24 网段（IP 的前三段倒过来写）

 44         type master;

 45         file "tbr.com.ptr";##原文此处显示为乱码 "tbr.comNaNr"，这里按常见命名补为 .ptr；文件名本身随意，但必须与下面在 /var/named/ 中创建的文件同名

 46         allow-update { none; };##反向区同样禁止动态更新

 47 };

##43-47 行是模仿 37-41 行的模板而来的

 

[root@dns-server ~]# cd /var/named/

[root@dns-server named]# ls

data      named.empty      slaves        

dynamic   named.localhost  tbr.com.zone

named.ca  named.loopback   

[root@dns-server named]# cp -p named.localhost tbr.com.ptr##注意此处一定要加 -p 以保持 root:named 640；文件名要与 named.rfc1912.zones 里 file 指定的一致（原文此处显示为乱码 tbr.comNaNr）。反向区用 37-41 行引用的 named.loopback 做模板也可以，它本身就带 PTR 记录

[root@dns-server named]# vim tbr.com.ptr##编辑刚创建的反向区文件，而不是正向区的 tbr.com.zone

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      dns.tbr.com.

        A       172.25.254.219

19      PTR     www.tbr.com.

18      PTR     www.hello.com.

 

##ip地址172.25.254.19---->www.tbr.com

##ip地址172.25.254.18---->www.hello.com

 

[root@dns-server ~]# named-checkzone 254.25.172.in-addr.arpa /var/named/tbr.com.ptr##先检查反向区文件语法（文件名与前面创建的反向区文件保持一致）

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

测试

[root@client ~]# dig -x 172.25.254.19##反向查询域名

 

 

#########DNS的内网外网解析##########

假设 172.25.254.119 为内网测试主机，172.25.254.219 为外网测试主机

 

1.主配置文件修改

[root@dns-server named]# vim /etc/named.conf

 51 /*\

 52 zone "." IN {

|

 53         type hint;|

 54         file "named.ca";|

 55 };|->这部分注释掉

 56 |

 57 include "/etc/named.rfc1912.zones";|

 58 include "/etc/named.root.key";|

 59 *//

==================================================================

 60 view localnet {

 61         match-clients { 172.25.254.119; };##client 端匹配 172.25.254.119 的主机

 62         zone "." IN {

 63                 type hint;##注意别漏掉分号，否则 named-checkconf 会报错

 64                 file "named.ca";

 65         };##62-65 行由原来的 52-55 行复制而来

 66         include "/etc/named.rfc1912.zones";

 67 };

 68

 69

 70 view internet {

 71         match-clients { 172.25.254.219; };##client 端匹配 172.25.254.219 的主机

 72         zone "." IN {

 73                 type hint;

 74                 file "named.ca";

 75         };

 76         include "/etc/named.rfc1912.zones.inter";

 77 };

##61、71 行中也可以写成网段，如 { 172.25.254.0/24; }。注意 view 按书写顺序取第一个匹配的，所以范围大的 view 要放在后面；来源不匹配任何 view 的客户端一般会被 REFUSED，通常最后再放一个 match-clients { any; } 的兜底 view

##安全提示：match-clients 只看查询报文的来源 IP，而 DNS 主要走 UDP，来源 IP 可以伪造；用 view 做内外网分离只能算访问控制的一层，不能当成保密手段，内网 view 里也不要放真正敏感的信息

##此部分的意义是：client 端是 172.25.254.119 的去查看 /etc/named.rfc1912.zones 文件；client 端是 172.25.254.219 的去查看 /etc/named.rfc1912.zones.inter 文件

 

2./etc/named.rfc1912.zones 与 /etc/named.rfc1912.zones.inter 文件的配置

[root@dns-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter##注意此处一定要加-p

##/etc/named.rfc1912.zones为模板复制出外网主机读取的文件

[root@dns-server named]# vim /etc/named.rfc1912.zones.inter

 25 zone "tbr.com" IN {

 26         type master;

 27         file "tbr.com.zone.inter";##外网主机去查看该文件

 28         allow-update { none; };

 29 };

 

3./var/named/tbr.com.zone.inter文件的配置

[root@dns-server named]# ls

data      named.empty      slaves       

dynamic   named.localhost  tbr.comNaNr

named.ca  named.loopback   tbr.com.zone

[root@dns-server named]# cp -p tbr.com.zone tbr.com.zone.inter##注意此处一定要加-p

[root@dns-server named]# ls

data      named.empty      slaves        tbr.com.zone.inter

dynamic   named.localhost  tbr.comNaNr

named.ca  named.loopback   tbr.com.zone

[root@dns-server named]# vim tbr.com.zone.inter

$TTL 1D

@       IN SOA  dns.tbr.com. root.tbr.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

                NS      dns.tbr.com.

dns             A       172.25.0.219

www            A       172.25.0.19

www            A        172.25.0.18

bbs             CNAME   www.tbr.com.

tbr.com.        MX 1    172.25.0.219.

[root@dns-server ~]# named-checkconf && named-checkzone tbr.com /var/named/tbr.com.zone.inter##先检查语法再重启

[root@dns-server ~]# systemctl restart named##重启服务后生效

 

《总结》

各个文件之间的逻辑关系

                /client端是172.25.254.119的去查看/etc/named.rfc1912.zones文件

               |                                    ||

               |                                    \/

               |                    /var/named/tbr.com.zone

/etc/named.conf -->|

   (主配置文件)  |                                    /var/named/tbr.com.zone.inter

                |                                /\

                |                                ||

                \client端是172.25.254.219的去查看/etc/named.rfc1912.zones.inter文件

 

 

 

补充

man 5 named.conf##查看named.conf文件的信息