DNS Study Notes: Service Configuration and Basic Concepts
阿新 • Published: 2018-11-11
1. DNS basics
Strictly speaking you could reach a site by typing its IP address, but what people remember easily is a string. That is why DNS was born: DNS is responsible for translating domain names (strings) into IP addresses.
Forward lookup: the most basic kind, resolving a hostname to an IP.
Reverse lookup: using an IP to find the hostname.
Iterative query: when you query a DNS server, it does not give you the answer directly but refers you to another server to ask.
Recursive query: whichever server you ask gives you the final answer directly.
You often hear people talk about "smart DNS". Roughly, it means resolving the same hostname to different servers to achieve load balancing.
2. The client-side configuration file used for DNS queries
3. BIND: Berkeley Internet Name Domain
This is the software needed to provide a DNS service; it can be installed directly with yum.
4. The most professional DNS query command: dig
[root@www ~]# dig www.xupt.edu.cn
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> www.xupt.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33124
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xupt.edu.cn. IN A
;; ANSWER SECTION:
www.xupt.edu.cn. 86400 IN A 222.24.19.47
;; AUTHORITY SECTION:
xupt.edu.cn. 172799 IN NS XYU04.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU03.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU02.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU01.xupt.edu.cn.
;; ADDITIONAL SECTION:
XYU04.xupt.edu.cn. 172799 IN A 221.11.22.35
XYU02.xupt.edu.cn. 172799 IN A 202.117.128.3
XYU01.xupt.edu.cn. 172799 IN A 202.117.128.2
XYU03.xupt.edu.cn. 172799 IN A 222.24.19.2
;; Query time: 1093 msec
;; SERVER: 192.168.1.234#53(192.168.1.234)
;; WHEN: Fri Nov 11 14:44:06 CST 2016
;; MSG SIZE rcvd: 204
The output has these parts: 1. QUESTION 2. ANSWER 3. AUTHORITY 4. ADDITIONAL
Let's go through them one at a time.
;; ANSWER SECTION:
www.xupt.edu.cn. 86400 IN A 222.24.19.47
This is the answer section.
What was found here is an A record (A for address). The 222.24.19.47 after it is the IP of this site; typing that IP also gets you to the site.
OK, next:
;; AUTHORITY SECTION:
xupt.edu.cn. 172799 IN NS XYU04.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU03.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU02.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU01.xupt.edu.cn.
The records above are NS (name server) records. These are the DNS servers of Xi'an University of Posts and Telecommunications; they are responsible for saying which hosts exist in the xupt.edu.cn. zone. In fact, the A record 222.24.19.47 was served by these NS servers. If you want people to reach a website you set up, building the website is not enough: you must also set up a DNS server to resolve your site's domain name. (Of course you also have to register with the parent DNS server, here the .edu one, before others can find your site. Domain names have to be bought!)
Next part:
;; ADDITIONAL SECTION:
XYU04.xupt.edu.cn. 172799 IN A 221.11.22.35
XYU02.xupt.edu.cn. 172799 IN A 202.117.128.3
XYU01.xupt.edu.cn. 172799 IN A 202.117.128.2
XYU03.xupt.edu.cn. 172799 IN A 222.24.19.2
This records the IP addresses of the NS servers. Notice these are A records again: an A record always maps a hostname to an IP address.
This last part says which DNS server served this query. (This one is the DNS server I set up.)
;; Query time: 1093 msec
;; SERVER: 192.168.1.234#53(192.168.1.234)
;; WHEN: Fri Nov 11 14:44:06 CST 2016
;; MSG SIZE rcvd: 204
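To make the section layout concrete, here is an added example (not from the original notes) in Python that splits the dig output above into its sections and checks that every NS server listed in AUTHORITY has a matching A record in ADDITIONAL, the glue a resolver needs to contact those servers:

```python
# Added example (not from the notes): split dig output into its sections and
# check that every NS in AUTHORITY has glue (an A/AAAA record) in ADDITIONAL.
import re

DIG_OUTPUT = """\
;; QUESTION SECTION:
;www.xupt.edu.cn. IN A

;; ANSWER SECTION:
www.xupt.edu.cn. 86400 IN A 222.24.19.47
;; AUTHORITY SECTION:
xupt.edu.cn. 172799 IN NS XYU04.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU03.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU02.xupt.edu.cn.
xupt.edu.cn. 172799 IN NS XYU01.xupt.edu.cn.
;; ADDITIONAL SECTION:
XYU04.xupt.edu.cn. 172799 IN A 221.11.22.35
XYU02.xupt.edu.cn. 172799 IN A 202.117.128.3
XYU01.xupt.edu.cn. 172799 IN A 202.117.128.2
XYU03.xupt.edu.cn. 172799 IN A 222.24.19.2
;; Query time: 1093 msec
;; SERVER: 192.168.1.234#53(192.168.1.234)
"""  # the www.xupt.edu.cn answer shown above, trimmed to its sections

SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")

def parse_dig(text):
    """Return {section: [(name, ttl, type, rdata)]}; ttl is None for QUESTION."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is None or not line.strip() or line.startswith(";;"):
            continue                      # preamble, blank, or ";; Query time"-style lines
        elif line.startswith(";"):        # QUESTION line ";name IN TYPE" carries no TTL
            name, _cls, rtype = line[1:].split()
            sections[current].append((name.lower(), None, rtype, ""))
        else:                             # "name TTL IN TYPE RDATA"
            name, ttl, _cls, rtype, rdata = line.split(None, 4)
            sections[current].append((name.lower(), int(ttl), rtype, rdata.lower()))
    return sections

def missing_glue(sections):
    """NS targets from AUTHORITY that have no A/AAAA record in ADDITIONAL."""
    glue = {r[0] for r in sections.get("ADDITIONAL", []) if r[2] in ("A", "AAAA")}
    return sorted(r[3] for r in sections.get("AUTHORITY", [])
                  if r[2] == "NS" and r[3] not in glue)
```

On the answer above every NS has glue, so missing_glue returns an empty list; remove one ADDITIONAL line and the corresponding server name is reported.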
Before starting on the DNS server configuration, a few basic concepts are needed. www.xupt.edu.cn. breaks down into several parts:
1. "." is the root domain. It is just a dot, and is usually omitted.
2. cn is the country domain for China.
3. edu is the education domain.
4. xupt is the domain name you applied for yourself.
5. The www at the front is the hostname; it could just as well be news, ftp, mail and countless others. For example, Baidu News's site is news.baidu.com, so never assume every website starts with www.
All of this was to introduce the concept of a zone. Yes, a domain. So what is the zone of the site above? xupt.edu.cn., of course. If you want others to reach www.xupt.edu.cn, you need to configure the xupt.edu.cn zone on the DNS server you are about to build; only then can it resolve www.xupt.edu.cn for friends on the Internet.
The configuration coming up involves a few more concepts. One is hint (the root zone). When your DNS server answers queries for its own clients, it first checks its own cache. The cache is limited, of course, so for domain names it does not know it has to ask the top-level root servers. The root servers tell you whom to ask to resolve that name.
There is also the local zone.
2. Setting up a DNS server
1. Installing the software (set up a yum repository beforehand)
[root@www ~]# yum -y install bind-libs bind-utils bind bind-chroot
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.nwsuaf.edu.cn
* extras: mirrors.nwsuaf.edu.cn
* updates: mirrors.nwsuaf.edu.cn
Resolving Dependencies ## the installation that follows is automatic, so I have omitted it
Let's look at these packages:
[root@www ~]# rpm -qa |grep '^bind'
bind-9.9.4-29.el7_2.4.x86_64 ## the main bind program
bind-license-9.9.4-29.el7_2.4.noarch ## license-related
bind-utils-9.9.4-29.el7_2.4.x86_64 ## client-side tools for looking up hostnames
bind-chroot-9.9.4-29.el7_2.4.x86_64 ## chroots the named process, for security
bind-libs-9.9.4-29.el7_2.4.x86_64 ## libraries bind needs
Some configuration-related files:
/etc/named.conf: the configuration file
/etc/sysconfig/named: controls whether chroot is enabled and any extra arguments
/var/named: default location of the zone database files
/var/run/named: where named puts its pid-file by default while running
After installing bind-chroot the corresponding paths become:
/var/named/chroot/etc/named.conf
/var/named/chroot/var/named/ZONE_file
/var/named/chroot/var/run/named/PID_file
First open /etc/named.conf and take a look. It contains a template configuration (only a template; it cannot be used as-is and must be modified!):
options {
        listen-on port 53 { 127.0.0.1; };                   ## which address to listen on, port 53
        listen-on-v6 port 53 { ::1; };                      ## the IPv6 version
        directory "/var/named";                             ## default location of the zone database files
        dump-file "/var/named/data/cache_dump.db";          ## some statistics
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };                         ## who may query; when configuring, this line of course has to go so that anyone can query
        recursion yes;                                      ## who gets recursion; recurse only for intranet users, recursing for everyone would wear the server out
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {                                               ## the root zone
        type hint;
        file "named.ca";                                    ## where the file lives
};
include "/etc/named.rfc1912.zones";                         ## more content is in these two files
include "/etc/named.root.key";
2. Start modifying the configuration file
options {
        listen-on port 53 { 192.168.1.192; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        allow-recursion { 192.168.1.0/24; };
        blackhole { 192.168.1.234};
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-transfer { none; };
};
zone "double2.com" IN {
        type master;
        file "double2.com.zone";
        allow-transfer { 192.168.1.192; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-transfer { 192.168.1.192; };
};
You can check the configuration file for errors with named-checkconf.
[root@www ~]# named-checkconf
/etc/named.conf:9: missing ';' before '}'
I made a mistake... there is a syntax error on line 9: I forgot the ;
OK. Now configure the zone database file (under /var/named). Create a file and give it the same permissions as named.ca. Let's look at those permissions:
[root@www named]# ll -Z named.ca
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.ca
Good, now create it:
$TTL 600
double2.com. IN SOA ns.double2.com. admin.double2.com. (
        2016110101
        1H
        5M
        2D
        6H )
        NS ns1
ns1     A 192.168.1.192
        MX 5 mail
mail    A 192.168.1.239
www     A 192.168.1.222
www     A 192.168.1.192
ftp     CNAME www
Change the permissions:
[root@www named]# chmod 640 double2.com.zone
[root@www named]# chgrp named double2.com.zone
Use named-checkzone "double2.com." /var/named/double2.com.zone to check for syntax errors:
[root@www named]# named-checkzone "double2.com." /var/named/double2.com.zone
zone double2.com/IN: loaded serial 2016110101
OK
Next, write the zone database file for reverse lookups:
[root@www named]# vim 192.168.1.zone
[root@www named]# chmod 640 192.168.1.zone
[root@www named]# chgrp named 192.168.1.zone
Contents:
$TTL 600
@ IN SOA ns.double2.com. admin.double2.com. (
        2016110101
        1H
        5M
        2D
        6H )
@ IN NS ns1.double2.com.
@ IN MX 5 mail.double2.com.
234 IN PTR ns1.double2.com.
239 IN PTR mail.double2.com.
222 IN PTR www.double2.com.
192 IN PTR www.double2.com.
Check for errors:
[root@www named]# named-checkzone "192.168.1.zone" /var/named/192.168.1.zone
zone 192.168.1.zone/IN: 192.168.1.zone/MX 'mail.double2.com' (out of zone) has no addresses records (A or AAAA)
zone 192.168.1.zone/IN: loaded serial 2016110101
OK
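As an added example (not from the original notes, and not BIND's own checker), the following Python script parses zone files in the format used above with a small toy parser and cross-checks A records against PTR records. It is fed the forward zone as written and a trimmed copy of the reverse zone (the PTR for mail left out on purpose), so it reports both kinds of mismatch: the reverse zone maps 192.168.1.234 to ns1.double2.com. while the forward zone gives ns1 the address 192.168.1.192, and 192.168.1.239 has no PTR at all.

```python
# Added example (toy parser, not BIND's checker): parse the forward and reverse
# zone files from these notes and compare their A records with the PTR records.
import re

FORWARD = """$TTL 600
double2.com. IN SOA ns.double2.com. admin.double2.com. (
        2016110101 1H 5M 2D 6H )
        NS ns1
ns1     A 192.168.1.192
mail    A 192.168.1.239
www     A 192.168.1.222
www     A 192.168.1.192
"""
REVERSE = """@ IN SOA ns.double2.com. admin.double2.com. ( 2016110101 1H 5M 2D 6H )
234 IN PTR ns1.double2.com.
222 IN PTR www.double2.com.
192 IN PTR www.double2.com.
"""

def parse_zone(text, origin):
    """Return [(owner, type, [rdata, ...])] with every owner name made absolute."""
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    records, owner = [], origin                  # blank owner field = previous owner
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()       # strip comments, keep leading space
        if not line or line.startswith("$"):     # skip blanks and $TTL / $ORIGIN
            continue
        tokens = line.split()
        if not line[0].isspace():                # a leading name sets the owner
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if tokens[0] == "IN":                    # class field is optional
            tokens.pop(0)
        records.append((owner, tokens[0], tokens[1:]))
    return records

def check_ptr_consistency(forward, reverse, rev_origin):
    """Return A/PTR mismatches; rev_origin is a /24 like '1.168.192.in-addr.arpa.'."""
    prefix = ".".join(reversed(rev_origin.rstrip(".").split(".")[:-2]))  # 192.168.1
    a_by_ip, ptr_by_ip = {}, {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_by_ip.setdefault(rdata[0], set()).add(owner)
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":                       # owner is "234.1.168.192.in-addr.arpa."
            ptr_by_ip.setdefault(f"{prefix}.{owner.split('.')[0]}", set()).add(rdata[0])
    problems = [f"no PTR for {ip}" for ip in a_by_ip if ip not in ptr_by_ip]
    problems += [f"PTR {ip} -> {name} has no matching A record"
                 for ip, names in ptr_by_ip.items() for name in sorted(names)
                 if name not in a_by_ip.get(ip, ())]
    return sorted(problems)
```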
3. Start the DNS service
[root@www named]# systemctl start named
[root@www named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2016-11-11 16:43:50 CST; 5s ago
Process: 21291 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 21288 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 21294 (named)
CGroup: /system.slice/named.service
└─21294 /usr/sbin/named -u named
Nov 11 16:43:50 www named[21294]: managed-keys-zone: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2016110101
Nov 11 16:43:50 www named[21294]: zone localhost/IN: loaded serial 0
Nov 11 16:43:50 www named[21294]: zone double2.com/IN: loaded serial 2016110101
Nov 11 16:43:50 www named[21294]: all zones loaded
Nov 11 16:43:50 www named[21294]: running
Nov 11 16:43:50 www named[21294]: zone double2.com/IN: sending notifies (serial 2016110101)
Nov 11 16:43:50 www named[21294]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2016110101)
Nov 11 16:43:50 www systemd[1]: Started Berkeley Internet Name Domain (DNS).
Now query through the DNS server we just configured, again with the mighty dig:
[root@www named]# dig www.double2.com @192.168.1.192
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> www.double2.com @192.168.1.192
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65459
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.double2.com. IN A
;; ANSWER SECTION:
www.double2.com. 600 IN A 192.168.1.192
www.double2.com. 600 IN A 192.168.1.222
;; AUTHORITY SECTION:
double2.com. 600 IN NS ns1.double2.com.
double2.com. 600 IN NS ns2.double2.com.
;; ADDITIONAL SECTION:
ns1.double2.com. 600 IN A 192.168.1.234
ns2.double2.com. 600 IN A 192.168.1.192
;; Query time: 1 msec
;; SERVER: 192.168.1.192#53(192.168.1.192)
;; WHEN: Fri Nov 11 16:45:22 CST 2016
;; MSG SIZE rcvd: 144
It resolves.
Next, master and slave DNS. A slave DNS server keeps synchronising its data from the master. Just add this line on the master DNS server:
allow-transfer { 192.168.1.192; };
and 192 is allowed to act as a slave DNS server.
Host 192 is now the slave and host 234 the master. Change this part of /etc/named.conf on host 192 as follows; everything else is the same as the configuration file on 234.
zone "double2.com" IN {
        type slave;
        file "slaves/double2.com.zone";
        masters { 192.168.1.234; };
        allow-transfer { none; };
};
zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.1.zone";
        masters { 192.168.1.234; };
        allow-transfer { none; };
};
Note: turn off the firewall on both sides. Afterwards, the synchronised data shows up under slaves:
[root@www slaves]# ls
192.168.1.zone double2.com.zone
4. Allowing other hosts to manage the DNS service (rndc)
[root@www slaves]# rndc-confgen |tee /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "QAoyGs28T9V++cROXrO9xQ==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "QAoyGs28T9V++cROXrO9xQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
Write the following into the master DNS server's configuration file:
key "rndc-key" {
        algorithm hmac-md5;
        secret "/S2bPHkqXDX12ttgwTlN1A==";
};
controls {
        inet 192.168.1.234 port 953
                allow { 192.168.1.192; } keys { "rndc-key"; };
};
On host 192, write the following into the /etc/rndc.conf configuration file:
key "rndc-key" {
        algorithm hmac-md5;
        secret "/S2bPHkqXDX12ttgwTlN1A==";
};
options {
        default-key "rndc-key";
        default-server 192.168.1.234;
        default-port 953;
};
Done. The DNS service on host 234 can now be controlled remotely, using the rndc command:
[root@www slaves]# rndc -c /etc/rndc.conf status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
The rndc command is very powerful:
[root@www slaves]# rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
sync [-clean] Dump changes to all dynamic zones to disk, and optionally
remove their journal files.
sync [-clean] zone [class [view]]
Dump a single zone's changes to disk, and optionally
remove its journal file.
notify zone [class [view]]
Resend NOTIFY messages for the zone.
reconfig Reload configuration file and new zones only.
sign zone [class [view]]
Update zone keys, and sign as needed.
loadkeys zone [class [view]]
Update keys without signing immediately.
stats Write server statistics to the statistics file.
querylog newstate
Enable / disable query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
secroots [view ...]
Write security roots to the secroots file.
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
flushtree name [view]
Flush all names under the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
tsig-list List all currently active TSIG keys, including both statically
configured and TKEY-negotiated keys.
tsig-delete keyname [view]
Delete a TKEY-negotiated TSIG key.
validation newstate [view]
Enable / disable DNSSEC validation.
addzone ["file"] zone [class [view]] { zone-options }
Add zone to given view. Requires new-zone-file option.
delzone ["file"] zone [class [view]]
Removes zone from given view. Requires new-zone-file option.
signing -list zone [class [view]]
List the private records showing the state of DNSSEC
signing in the given zone.
signing -clear <keyid>/<algorithm> zone [class [view]]
Remove the private record that indicating the given key
has finished signing the given zone.
signing -clear all zone [class [view]]
Remove the private records for all keys that have
finished signing the given zone.
signing -nsec3param none zone [class [view]]
Remove NSEC3 chains from zone.
signing -nsec3param hash flags iterations salt zone [class [view]]
Add NSEC3 chain to zone if already signed.
Prime zone with NSEC3 chain if not yet signed.
*restart Restart the server.
* == not yet implemented
Version: 9.9.4-RedHat-9.9.4-29.el7_2.4