
DNS Study Notes: Service Configuration and Basic Concepts

1. Basic DNS knowledge


When browsing the web you could type an IP address directly, but strings are easier for people to remember. That is why DNS was created: DNS is responsible for translating domain names (strings) into IP addresses.

Forward lookup: the most basic lookup, from hostname to IP. Reverse lookup: from IP to hostname.

Iterative query: when you query a DNS server, it does not give you the answer directly but refers you to another host to ask.

Recursive query: whichever server you ask returns the answer to you directly.


You often hear people talk about "smart DNS". Roughly speaking, it means resolving the same hostname to different servers to achieve load balancing.


2. Configuration files used for client-side DNS lookups

/etc/hosts            checked first by default
/etc/resolv.conf      the DNS servers are written here
/etc/nsswitch.conf    the lookup order is set here

3. BIND, the Berkeley Internet Name Domain system

This is the software needed to set up a DNS service. It can be installed directly with yum.

4. The most professional DNS query command: dig

[[email protected] ~]# dig www.xupt.edu.cn

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> www.xupt.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xupt.edu.cn.		IN	A

;; ANSWER SECTION:
www.xupt.edu.cn.	86400	IN	A	222.24.19.47

;; AUTHORITY SECTION:
xupt.edu.cn.		172799	IN	NS	XYU04.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU03.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU02.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU01.xupt.edu.cn.

;; ADDITIONAL SECTION:
XYU04.xupt.edu.cn.	172799	IN	A	221.11.22.35
XYU02.xupt.edu.cn.	172799	IN	A	202.117.128.3
XYU01.xupt.edu.cn.	172799	IN	A	202.117.128.2
XYU03.xupt.edu.cn.	172799	IN	A	222.24.19.2

;; Query time: 1093 msec
;; SERVER: 192.168.1.234#53(192.168.1.234)
;; WHEN: Fri Nov 11 14:44:06 CST 2016
;; MSG SIZE  rcvd: 204

The output has several parts:
1. QUESTION (the question)
2. ANSWER (the answer)
3. AUTHORITY (the authoritative name servers)
Let's look at them one by one.
;; ANSWER SECTION:
www.xupt.edu.cn.	86400	IN	A	222.24.19.47
This is the answer section. What we got here is an A record, that is, an address record. The 222.24.19.47 after it is the IP of this site; typing that IP into the browser also gets you to the site.

OK, next:
;; AUTHORITY SECTION:
xupt.edu.cn.		172799	IN	NS	XYU04.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU03.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU02.xupt.edu.cn.
xupt.edu.cn.		172799	IN	NS	XYU01.xupt.edu.cn.
The records above are NS records (Name Server). These are the addresses of the DNS servers of Xi'an University of Posts and Telecommunications; they are responsible for telling you which hosts exist in the xupt.edu.cn. zone. In fact, the A record 222.24.19.47 was produced by these NS servers. If you want people to reach a website you have set up, building the site is not enough: you must also set up a DNS server to resolve your site's domain name. (Of course you also need to register with the parent DNS server, here with .edu, before others can look up your site. Domain names have to be bought!!)
Next part:
;; ADDITIONAL SECTION:
XYU04.xupt.edu.cn.	172799	IN	A	221.11.22.35
XYU02.xupt.edu.cn.	172799	IN	A	202.117.128.3
XYU01.xupt.edu.cn.	172799	IN	A	202.117.128.2
XYU03.xupt.edu.cn.	172799	IN	A	222.24.19.2
These are the IP addresses of the NS servers. Look, they are still A records; an A record always maps a hostname to an IP address.
This part shows which DNS server provided this query service (this is the DNS server I set up):
;; Query time: 1093 msec
;; SERVER: 192.168.1.234#53(192.168.1.234)
;; WHEN: Fri Nov 11 14:44:06 CST 2016
;; MSG SIZE  rcvd: 204


Before starting the DNS server configuration you need to know some basic concepts. www.xupt.edu.cn. is made up of several parts:
1. "." is the root domain. It is just a dot and is usually omitted.
2. cn is the country domain for China.
3. edu is the next domain.
4. xupt is the domain name you applied for yourself.
5. www at the front is the hostname. It could just as well be news, ftp, mail and many more. For example, Baidu News' site is news.baidu.com, so do not assume every website starts with www.


All of this is to introduce the concept of a zone. Yes, a domain. So what is the zone of the site above? xupt.edu.cn., of course. To let others reach www.xupt.edu.cn you must configure the xupt.edu.cn zone on the DNS server you are about to build; only then can you resolve www.xupt.edu.cn for people on the Internet.
A few more concepts come up in the configuration below. One is hint (the root zone). When your DNS server serves queries for its own clients, it first checks its cache, but the cache is of course limited, so for names it does not know it has to ask the top-level root servers. The root tells you whom to ask to resolve that name.
There is also the local zone.



2. Building the DNS server

1. Installing the related software (set up the yum repository beforehand)

[[email protected] ~]# yum -y install bind-libs bind-utils bind bind-chroot
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.nwsuaf.edu.cn
 * extras: mirrors.nwsuaf.edu.cn
 * updates: mirrors.nwsuaf.edu.cn
Resolving Dependencies   ##the rest of the installation is automatic, so I have omitted it

Let's look at these packages:
[[email protected] ~]# rpm -qa |grep '^bind'
bind-9.9.4-29.el7_2.4.x86_64        ##the main bind program
bind-license-9.9.4-29.el7_2.4.noarch    ##licence-related
bind-utils-9.9.4-29.el7_2.4.x86_64      ##client-side tools for looking up hostnames
bind-chroot-9.9.4-29.el7_2.4.x86_64     ##chroots the named process, for security
bind-libs-9.9.4-29.el7_2.4.x86_64       ##library files bind needs


Some related configuration files:
/etc/named.conf:       main configuration file
/etc/sysconfig/named:  controls whether chroot is enabled and any extra parameters
/var/named:            default location of the database files
/var/run/named:        where named places its pid-file by default at runtime

After installing bind-chroot the corresponding paths become:
/var/named/chroot/etc/named.conf
/var/named/chroot/var/named/ZONE_file
/var/named/chroot/var/run/named/PID_file

First open /etc/named.conf and have a look. It contains a sample configuration (only a sample; it cannot be used as-is and must be changed!!).
options {
        listen-on port 53 { 127.0.0.1; };     ##which host's port 53 to listen on
        listen-on-v6 port 53 { ::1; };        ##the IPv6 version
        directory       "/var/named";         ##default location of the database files
        dump-file       "/var/named/data/cache_dump.db";      ##some statistics
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };    ##who is allowed to query; when configuring, this line of course has to be removed so that anyone can query
        recursion yes;    ##who may recurse. Recurse only for intranet users; recursing for everyone will exhaust the server


        dnssec-enable yes;
        dnssec-validation yes;


        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";


        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};


logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


zone "." IN {      ##the root zone
        type hint;
        file "named.ca";         ##where the file is kept
};


include "/etc/named.rfc1912.zones";      ##more content is in these two files
include "/etc/named.root.key";

2. Start modifying the configuration file

options {
        listen-on port 53 { 192.168.1.192; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-recursion { 192.168.1.0/24; };
        blackhole { 192.168.1.234};
};


zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-transfer { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-transfer { none; };
};
zone "double2.com" IN {
        type master; 
        file "double2.com.zone";
        allow-transfer { 192.168.1.192; };
};




zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-transfer { 192.168.1.192; };
};
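As an added example (not code from the original post), the following Python check reads a named.conf in the layout shown above and flags the two settings the comments warn about: recursion open to everyone (an open resolver) and zone transfers open to everyone. The config fragments are constructed for the example; the 192.168.1.x addresses follow the post.

```python
import re

# Constructed named.conf fragments in the post's layout: WEAK leaves recursion and
# transfers at BIND 9.9 defaults, HARDENED adds the restrictions the post uses.
WEAK_CONF = """options {
        allow-query     { any; };
};
zone "double2.com" IN {
        type master;
};
"""
HARDENED_CONF = """options {
        allow-query     { any; };
        allow-recursion { 192.168.1.0/24; };
};
zone "double2.com" IN {
        type master;
        allow-transfer { 192.168.1.192; };
};
"""
ACL_RE = re.compile(r"(allow-query|allow-recursion|allow-transfer)\s*\{([^}]*)\}")
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s+IN\s*\{(.*?)\n\};', re.S)

def acl_entries(block, name, default):
    """Entries of the named ACL in a config block, or `default` when it is not set."""
    for key, body in ACL_RE.findall(block):
        if key == name:
            return [e.strip() for e in body.split(";") if e.strip()]
    return default

def audit_named_conf(text):
    """Report recursion or zone transfers (AXFR) that are open to any client."""
    m = re.search(r"options\s*\{(.*?)\n\};", text, re.S)
    options = m.group(1) if m else ""
    findings = []
    # named recurses unless 'recursion no'; an absent allow-recursion falls back
    # to allow-query (via allow-query-cache), so allow-query { any; } opens it.
    if not re.search(r"recursion\s+no\s*;", options):
        acl = acl_entries(options, "allow-recursion",
                          acl_entries(options, "allow-query", ["localnets", "localhost"]))
        if "any" in acl:
            findings.append("options: recursion is open to any client (open resolver)")
    # In BIND 9.9 allow-transfer defaults to any unless set globally or per zone.
    for name, body in ZONE_RE.findall(text):
        if not re.search(r"type\s+master\s*;", body):
            continue
        acl = acl_entries(body, "allow-transfer",
                          acl_entries(options, "allow-transfer", ["any"]))
        if "any" in acl:
            findings.append(f"zone {name}: zone transfer (AXFR) allowed from any host")
    return findings
```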

You can use named-checkconf to check the configuration file for errors.
[[email protected] ~]# named-checkconf 
/etc/named.conf:9: missing ';' before '}'
I made a mistake... there is a syntax error on line 9; I forgot the ;

OK. Next configure the database files (under /var/named). Create a file and set its permissions to match named.ca. Look at the permissions:
[[email protected] named]# ll -Z named.ca 
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.ca

OK, create it:
$TTL 600
double2.com.    IN      SOA     ns.double2.com. admin.double2.com. (
                                2016110101
                                1H
                                5M
                                2D
                                6H )

                      NS      ns1 
ns1                   A       192.168.1.192
                      MX   5  mail
mail                  A       192.168.1.239
www                   A       192.168.1.222
www                   A       192.168.1.192
ftp                   CNAME   www 

Change the permissions:
[[email protected] named]# chmod 640 double2.com.zone 
[[email protected] named]# chgrp named double2.com.zone 

Use the command named-checkzone "double2.com." /var/named/double2.com.zone to check for syntax errors:
[[email protected] named]# named-checkzone "double2.com." /var/named/double2.com.zone 
zone double2.com/IN: loaded serial 2016110101
OK

Next write the reverse-lookup zone database file:
[[email protected] named]# vim 192.168.1.zone
[[email protected] named]# chmod 640 192.168.1.zone 
[[email protected] named]# chgrp named 192.168.1.zone 

Contents:
$TTL 600 
@               IN      SOA     ns.double2.com. admin.double2.com. (
                                2016110101
                                1H  
                                5M  
                                2D  
                                6H )

@               IN      NS      ns1.double2.com.
@               IN      MX   5  mail.double2.com.
234             IN      PTR     ns1.double2.com.
239             IN      PTR     mail.double2.com.
222             IN      PTR     www.double2.com.
192             IN      PTR     www.double2.com.
Check for errors:
[[email protected] named]# named-checkzone "192.168.1.zone" /var/named/192.168.1.zone 
zone 192.168.1.zone/IN: 192.168.1.zone/MX 'mail.double2.com' (out of zone) has no addresses records (A or AAAA)
zone 192.168.1.zone/IN: loaded serial 2016110101
OK


3. Start the DNS service

[[email protected] named]# systemctl start named
[[email protected] named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2016-11-11 16:43:50 CST; 5s ago
  Process: 21291 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 21288 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 21294 (named)
   CGroup: /system.slice/named.service
           └─21294 /usr/sbin/named -u named

Nov 11 16:43:50 www named[21294]: managed-keys-zone: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2016110101
Nov 11 16:43:50 www named[21294]: zone localhost/IN: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone double2.com/IN: loaded serial 2016110101
Nov 11 16:43:50 www named[21294]: all zones loaded
Nov 11 16:43:50 www named[21294]: running
Nov 11 16:43:50 www named[21294]: zone double2.com/IN: sending notifies (serial 2016110101)
Nov 11 16:43:50 www named[21294]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2016110101)
Nov 11 16:43:50 www systemd[1]: Started Berkeley Internet Name Domain (DNS).


Query with the DNS server you just configured, again using the mighty dig:
[[email protected] named]# dig www.double2.com @192.168.1.192

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> www.double2.com @192.168.1.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65459
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.double2.com.		IN	A

;; ANSWER SECTION:
www.double2.com.	600	IN	A	192.168.1.192
www.double2.com.	600	IN	A	192.168.1.222

;; AUTHORITY SECTION:
double2.com.		600	IN	NS	ns1.double2.com.
double2.com.		600	IN	NS	ns2.double2.com.

;; ADDITIONAL SECTION:
ns1.double2.com.	600	IN	A	192.168.1.234
ns2.double2.com.	600	IN	A	192.168.1.192

;; Query time: 1 msec
;; SERVER: 192.168.1.192#53(192.168.1.192)
;; WHEN: Fri Nov 11 16:45:22 CST 2016
;; MSG SIZE  rcvd: 144


It resolved.

Next, master and slave DNS. The slave DNS server keeps synchronizing data from the master. Just write this line on the master DNS server:
   allow-transfer { 192.168.1.192; };
and 192 is allowed to act as the slave DNS server.
Host 192 is now the slave and host 234 is the master. Change this section of /etc/named.conf on host 192 to the following; everything else is the same as the configuration file on 234.
zone "double2.com" IN {
        type slave;
        file "slaves/double2.com.zone";
        masters { 192.168.1.234; };
        allow-transfer { none; };
};


zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.1.zone";
        masters { 192.168.1.234; };
        allow-transfer { none; };
};

Note: turn off the firewall on both sides. Afterwards you will find the synchronized data under slaves:
[[email protected] slaves]# ls
192.168.1.zone  double2.com.zone

4. Allowing other hosts to manage the DNS service (rndc)

[[email protected] slaves]# rndc-confgen |tee /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-md5;
	secret "QAoyGs28T9V++cROXrO9xQ==";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "QAoyGs28T9V++cROXrO9xQ==";
# };
# 
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Write the following into the configuration file of the master DNS server:
key "rndc-key" {
        algorithm hmac-md5;
        secret "/S2bPHkqXDX12ttgwTlN1A==";
};
controls {
        inet 192.168.1.234 port 953
        allow { 192.168.1.192; } keys { "rndc-key"; };
};

Write the following into host 192's /etc/rndc.conf:
key "rndc-key" {
        algorithm hmac-md5;
        secret "/S2bPHkqXDX12ttgwTlN1A==";
};

options {
        default-key "rndc-key";
        default-server 192.168.1.234;
        default-port 953;
};

OK. Now the DNS on host 234 can be controlled remotely with the rndc command:
[[email protected] slaves]# rndc -c /etc/rndc.conf status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running


The rndc command is very powerful:
[[email protected] slaves]# rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
	[-k key-file ] [-y key] [-V] command

command is one of the following:

  reload	Reload configuration file and zones.
  reload zone [class [view]]
		Reload a single zone.
  refresh zone [class [view]]
		Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]
		Retransfer a single zone without checking serial number.
  freeze	Suspend updates to all dynamic zones.
  freeze zone [class [view]]
		Suspend updates to a dynamic zone.
  thaw		Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
		Enable updates to a frozen dynamic zone and reload it.
  sync [-clean]	Dump changes to all dynamic zones to disk, and optionally
		remove their journal files.
  sync [-clean] zone [class [view]]
		Dump a single zone's changes to disk, and optionally
		remove its journal file.
  notify zone [class [view]]
		Resend NOTIFY messages for the zone.
  reconfig	Reload configuration file and new zones only.
  sign zone [class [view]]
		Update zone keys, and sign as needed.
  loadkeys zone [class [view]]
		Update keys without signing immediately.
  stats		Write server statistics to the statistics file.
  querylog newstate
		Enable / disable query logging.
  dumpdb [-all|-cache|-zones] [view ...]
		Dump cache(s) to the dump file (named_dump.db).
  secroots [view ...]
		Write security roots to the secroots file.
  stop		Save pending updates to master files and stop the server.
  stop -p	Save pending updates to master files and stop the server
		reporting process id.
  halt		Stop the server without saving pending updates.
  halt -p	Stop the server without saving pending updates reporting
		process id.
  trace		Increment debugging level by one.
  trace level	Change the debugging level.
  notrace	Set debugging level to 0.
  flush 	Flushes all of the server's caches.
  flush [view]	Flushes the server's cache for a view.
  flushname name [view]
		Flush the given name from the server's cache(s)
  flushtree name [view]
		Flush all names under the given name from the server's cache(s)
  status	Display status of the server.
  recursing	Dump the queries that are currently recursing (named.recursing)
  tsig-list	List all currently active TSIG keys, including both statically
		configured and TKEY-negotiated keys.
  tsig-delete keyname [view]	
		Delete a TKEY-negotiated TSIG key.
  validation newstate [view]
		Enable / disable DNSSEC validation.
  addzone ["file"] zone [class [view]] { zone-options }
		Add zone to given view. Requires new-zone-file option.
  delzone ["file"] zone [class [view]]
		Removes zone from given view. Requires new-zone-file option.
  signing -list zone [class [view]]
		List the private records showing the state of DNSSEC
		signing in the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
		Remove the private record that indicating the given key
		has finished signing the given zone.
  signing -clear all zone [class [view]]
		Remove the private records for all keys that have
		finished signing the given zone.
  signing -nsec3param none zone [class [view]]
		Remove NSEC3 chains from zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
		Add NSEC3 chain to zone if already signed.
		Prime zone with NSEC3 chain if not yet signed.
  *restart	Restart the server.

* == not yet implemented
Version: 9.9.4-RedHat-9.9.4-29.el7_2.4