Deploying DNS on CentOS 7
Contents:
I. Service overview
II. Lab: building a primary forward DNS server
III. Lab: building a reverse-resolution server
IV. Lab: wildcard resolution, so that a mistyped name such as wwww.baidu.com still resolves
I. Service overview
DNS service: the package is called bind, the daemon is called named.
1. Packages:
bind: provides the DNS server program plus several commonly used test tools;
bind-libs: library files shared by the programs in the bind and bind-utils packages;
bind-utils: the client-side tool set for bind, providing dig, host, nslookup and related tools;
bind-chroot: optional; provides a security mechanism (running named inside a chroot); usually not needed for internal company use;
2. bind
Service script: /etc/rc.d/init.d/named
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key (the remote-management key; in practice it is only used locally)
Zone database files: /var/named/ZONE_NAME.ZONE
Note:
1) One physical server can serve multiple zones at the same time;
2) There must be a root zone file: named.ca;
3) There should be two zone databases (not counting IPv6) that resolve localhost and the loopback address:
Forward: named.localhost
Reverse: named.loopback
rndc command: remote name domain controller; by default it is installed on the same host as bind and can only connect to the named process via 127.0.0.1; it provides auxiliary management functions; port 953/tcp
II. Building the primary forward DNS server
1. Install: yum install bind -y
Installed:
  bind.x86_64 32:9.9.4-61.el7_5.1

Dependency Updated:
  bind-libs.x86_64 32:9.9.4-61.el7_5.1    bind-libs-lite.x86_64 32:9.9.4-61.el7_5.1
  bind-license.noarch 32:9.9.4-61.el7_5.1  bind-utils.x86_64 32:9.9.4-61.el7_5.1
cat /var/named/named.ca to look at the 13 global root name servers
[[email protected] ~]# cat /var/named/named.ca
; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3.2 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17380
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.
.                       518400  IN      NS      b.root-servers.net.
.                       518400  IN      NS      c.root-servers.net.
.                       518400  IN      NS      d.root-servers.net.
.                       518400  IN      NS      e.root-servers.net.
.                       518400  IN      NS      f.root-servers.net.
.                       518400  IN      NS      g.root-servers.net.
.                       518400  IN      NS      h.root-servers.net.
.                       518400  IN      NS      i.root-servers.net.
.                       518400  IN      NS      j.root-servers.net.
.                       518400  IN      NS      k.root-servers.net.
.                       518400  IN      NS      l.root-servers.net.
.                       518400  IN      NS      m.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     3600000 IN      A       198.41.0.4
a.root-servers.net.     3600000 IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     3600000 IN      A       192.228.79.201
b.root-servers.net.     3600000 IN      AAAA    2001:500:84::b
c.root-servers.net.     3600000 IN      A       192.33.4.12
c.root-servers.net.     3600000 IN      AAAA    2001:500:2::c
d.root-servers.net.     3600000 IN      A       199.7.91.13
d.root-servers.net.     3600000 IN      AAAA    2001:500:2d::d
e.root-servers.net.     3600000 IN      A       192.203.230.10
e.root-servers.net.     3600000 IN      AAAA    2001:500:a8::e
f.root-servers.net.     3600000 IN      A       192.5.5.241
f.root-servers.net.     3600000 IN      AAAA    2001:500:2f::f
g.root-servers.net.     3600000 IN      A       192.112.36.4
g.root-servers.net.     3600000 IN      AAAA    2001:500:12::d0d
h.root-servers.net.     3600000 IN      A       198.97.190.53
h.root-servers.net.     3600000 IN      AAAA    2001:500:1::53
i.root-servers.net.     3600000 IN      A       192.36.148.17
i.root-servers.net.     3600000 IN      AAAA    2001:7fe::53
j.root-servers.net.     3600000 IN      A       192.58.128.30
j.root-servers.net.     3600000 IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     3600000 IN      A       193.0.14.129
k.root-servers.net.     3600000 IN      AAAA    2001:7fd::1
l.root-servers.net.     3600000 IN      A       199.7.83.42
l.root-servers.net.     3600000 IN      AAAA    2001:500:9f::42
m.root-servers.net.     3600000 IN      A       202.12.27.33
m.root-servers.net.     3600000 IN      AAAA    2001:dc3::35

;; Query time: 18 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Po kvě 22 10:14:44 CEST 2017
;; MSG SIZE  rcvd: 811

[[email protected] ~]#
Check whether port 53 is being listened on (before named is started, only dnsmasq listens on it)
[[email protected] ~]# ss -tunlop |grep 53
udp   UNCONN  0  0    *:5353              *:*   users:(("avahi-daemon",pid=603,fd=12))
udp   UNCONN  0  0    192.168.122.1:53    *:*   users:(("dnsmasq",pid=2184,fd=5))
tcp   LISTEN  0  5    192.168.122.1:53    *:*   users:(("dnsmasq",pid=2184,fd=6))
2. Edit the main configuration file:
Global configuration: options{}
Logging subsystem configuration: logging{}
Zone definitions: every zone this host is to resolve must be defined here;
zone "ZONE_NAME" IN {}
Note: any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with those hosts;
Back up the configuration file first
cp -v /etc/named.conf{,.bak}
Then edit it: vim /etc/named.conf
[[email protected] ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.216.198; 127.0.0.1; };   # add this host's LAN address
        //listen-on-v6 port 53 { ::1; };                     # IPv6 listener commented out
        directory       "/var/named";                        # directory holding the zone files
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;        # can be turned off while learning
        dnssec-validation yes;    # can be turned off for now

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";   # this file holds the zone definitions
include "/etc/named.root.key";
Restart the service and check how the listening ports have changed (named now listens on 53/udp and 53/tcp on both addresses, and rndc on 953/tcp on loopback only)
[[email protected] ~]# systemctl restart named
[[email protected] ~]# ss -tunlp |grep 53
udp   UNCONN  0  0    *:5353                *:*    users:(("avahi-daemon",pid=603,fd=12))
udp   UNCONN  0  0    192.168.216.198:53    *:*    users:(("named",pid=5349,fd=519),("named",pid=5349,fd=518),("named",pid=5349,fd=517),("named",pid=5349,fd=516))
udp   UNCONN  0  0    127.0.0.1:53          *:*    users:(("named",pid=5349,fd=515),("named",pid=5349,fd=514),("named",pid=5349,fd=513),("named",pid=5349,fd=512))
udp   UNCONN  0  0    192.168.122.1:53      *:*    users:(("dnsmasq",pid=2184,fd=5))
tcp   LISTEN  0  10   192.168.216.198:53    *:*    users:(("named",pid=5349,fd=22))
tcp   LISTEN  0  10   127.0.0.1:53          *:*    users:(("named",pid=5349,fd=21))
tcp   LISTEN  0  5    192.168.122.1:53      *:*    users:(("dnsmasq",pid=2184,fd=6))
tcp   LISTEN  0  128  127.0.0.1:953         *:*    users:(("named",pid=5349,fd=23))
tcp   LISTEN  0  128  ::1:953               :::*   users:(("named",pid=5349,fd=24))
[[email protected] ~]#
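As an added check, not part of the original post: a small Python auditor for a named.conf in the shape shown above. It flags the two settings a defender cares about here, recursion open to any client (the amplification risk the file's own comment describes) and master zones with no allow-transfer (which is why dig -t axfr succeeds from any host later in this post). Both configs are constructed samples, and the regex parser covers only the statement forms used in this post, not the full named.conf grammar.

```python
import re
# Constructed sample shaped like the tutorial's named.conf (comments trimmed): recurses for anyone, no allow-transfer.
WEAK_CONF = """
options {
    listen-on port 53 { 192.168.216.198; 127.0.0.1; };
    allow-query { any; };      // fine on its own: the zone is meant to be public
    recursion yes;
};
zone "zhangxingeng.com" IN { type master; file "zhangxingeng.com.zone"; };
"""
# The same server with recursion limited to the LAN and zone transfers locked down.
HARDENED_CONF = """
options {
    listen-on port 53 { 192.168.216.198; 127.0.0.1; };
    allow-query { any; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.216.0/24; };
    allow-transfer { none; };
};
zone "zhangxingeng.com" IN { type master; file "zhangxingeng.com.zone";
    allow-transfer { 192.168.216.199; }; };
"""

def _blocks(conf, header):  # yield (name, body) for each top-level `header ["name"] ... { body };`
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)     # strip /* */ comments
    conf = re.sub(r"(//|#).*", "", conf)                   # strip // and # comments
    for m in re.finditer(r'(?m)^\s*%s\b(?:\s*"([^"]*)")?[^{]*\{' % header, conf):
        depth, start = 1, m.end()
        for j in range(start, len(conf)):
            depth += (conf[j] == "{") - (conf[j] == "}")
            if depth == 0:
                yield m.group(1), conf[start:j]
                break

def _acl(body, name):  # address list of `name { ... };` in body, None if absent
    m = re.search(r"\b%s\s*\{([^}]*)\}" % name, body)
    return [t.strip() for t in m.group(1).split(";") if t.strip()] if m else None

def audit_named_conf(conf):
    """Return the findings a defender would act on; an empty list means none."""
    findings = []
    opts = next((body for _, body in _blocks(conf, "options")), "")
    rec = _acl(opts, "allow-recursion")
    if re.search(r"\brecursion\s+yes\s*;", opts) and (rec is None or "any" in rec):
        findings.append("open resolver: recursion yes without a restrictive allow-recursion")
    global_xfr = _acl(opts, "allow-transfer")
    for name, body in _blocks(conf, "zone"):
        if "master" in body and _acl(body, "allow-transfer") is None and global_xfr is None:
            findings.append("zone %s: no allow-transfer, any host can pull it with AXFR" % name)
    return findings
```

Running audit_named_conf(open("/etc/named.conf").read()) on the server itself gives the same two findings for the configuration built in this post and none for the hardened variant.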
3. Add the zone definition to the zone configuration file
[[email protected] ~]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};
4. Create the zone database file (the forward zone)
vim /var/named/zhangxingeng.com.zone
[[email protected] ~]# cat /var/named/zhangxingeng.com.zone
$TTL 1D
@       IN SOA  zhangxingeng.com. admin.zhangxingeng.com. (
                                20181120   ; serial
                                1D         ; refresh
                                1H         ; retry
                                1W         ; expire
                                3H )       ; minimum
        IN NS   web1.zhangxingeng.com.
        IN MX   10 mail.zhangxigneng.com.
        IN NS   dns1.zhangxingeng.com.
web1    IN A    192.168.216.199
dns1    IN A    192.168.216.198
mail    IN A    192.168.216.128
www     IN A    192.168.216.129
[[email protected] ~]#
5. Test
named-checkconf checks the syntax of the main configuration file
named-checkzone "zhangxingeng.com" /var/named/zhangxingeng.com.zone checks the syntax of the zone database file
6. Reload the service
systemctl reload named or rndc reload
7. Install nginx (an HTTP server) on node5 (the DNS server)
yum -y install nginx
systemctl start nginx
systemctl enable nginx
8. Test from web1, which gets nginx installed the same way
Test with the dig command
Format
dig [-t RR_TYPE] name [@server] [query options]
Query options
+[no]trace: trace the resolution process step by step from the root;
+[no]recurse: ask the server to resolve recursively;
Reverse lookup
dig -x IPADDR
Full zone transfer (AXFR)
dig -t axfr DOMAIN [@server]
For example:
Query the NS records of baidu.com
dig -t NS baidu.com
Trace the resolution of www.baidu.com
dig +trace www.baidu.com
Resolve the A record of www.baidu.com
dig -t A www.baidu.com
[[email protected] ~]# dig -t A dns1.zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A dns1.zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57945
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.zhangxingeng.com.         IN      A

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 17:04:35 CST 2018
;; MSG SIZE  rcvd: 50
Note the status: REFUSED and ANSWER: 0 in this run: the server did not answer from the zone. An authoritative server answers its own zone regardless of recursion, so before going on, confirm that named actually loaded the zone (named-checkconf, rndc reload, systemctl status named and /var/log/messages).
Install nginx on web1
yum install nginx -y
echo welcome to web1 >/usr/share/nginx/html/index.html
systemctl start nginx
systemctl enable nginx
ss -tunlp |grep 80
The web server on web1 is now set up
Point web1's DNS setting at the new server
[[email protected] ~]# cat /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE="Ethernet"
BOOTPROTO="dhcp"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="4f788080-131a-4f10-85a8-179b4f14ab48"
DEVICE="ens33"
ONBOOT="yes"
DNS1=192.168.216.198
[[email protected] ~]#
After editing, restart networking (systemctl restart network) and confirm that nameserver 192.168.216.198 appears in /etc/resolv.conf.
9. Test web1 from node5
[[email protected] ~]# curl web1.zhangxingeng.com
welcome to web1
III. Building reverse resolution
1. Define the reverse zone
[[email protected] named]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "zhangxingeng.com" IN {
        type master;
        file "zhangxingeng.com.zone";
};
zone "216.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.216.zone";
};
2. Define the reverse zone database
cd /var/named/
[[email protected] named]# cat 192.168.216.zone
$TTL 3600
$ORIGIN 216.168.192.in-addr.arpa.
@       IN SOA  zhangxingeng.com. admin.zhangxingeng.com. (
                        20181120   ; serial
                        1D         ; refresh
                        1H         ; retry
                        1W         ; expire
                        3H )       ; minimum
        IN NS   web1.zhangxingeng.com.
        IN NS   dns1.zhangxingeng.com.
199     IN PTR  web1.zhangxingeng.com.
198     IN PTR  dns1.zhangxingeng.com.
128     IN PTR  mail.zhangxingeng.com.
129     IN PTR  www.zhangxingeng.com.
3. Syntax check
[[email protected] named]# named-checkconf
[[email protected] named]# named-checkzone zhangxingeng.com. zhangxingeng.com.zone
zone zhangxingeng.com/IN: zhangxingeng.com/MX 'mail.zhangxigneng.com' (out of zone) has no addresses records (A or AAAA)
zone zhangxingeng.com/IN: loaded serial 2018112001
OK
[[email protected] named]# named-checkzone 216.168.192.in-addr.arpa. 192.168.216.zone
zone 216.168.192.in-addr.arpa/IN: loaded serial 2018112001
OK
[[email protected] named]#
The MX warning is caused by the misspelt target mail.zhangxigneng.com. in the forward zone (the host defined there is mail.zhangxingeng.com.); correct the spelling, bump the serial and run the check again.
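As an added example, not code from the original post: a Python cross-check of the forward and reverse zone files. It reproduces the MX warning named-checkzone prints above and also catches A and PTR records that disagree, which named-checkzone cannot do because it checks one zone at a time. The embedded zone data is a constructed copy of the shapes used in this post; it deliberately keeps the mail.zhangxigneng.com. typo and the www CNAME from section IV, whose PTR record still points at 192.168.216.129.

```python
import re
# Constructed zone data shaped like the tutorial's files; the MX keeps the "zhangxigneng" typo.
FORWARD = """\
$ORIGIN zhangxingeng.com.
@    IN SOA web1.zhangxingeng.com. admin.zhangxingeng.com. (
         2018112001 1D 1H 1W 3H )   ; serial refresh retry expire minimum
     IN MX  10 mail.zhangxigneng.com.
web1 IN A   192.168.216.199
www  IN CNAME web1
*    IN A   192.168.216.199
"""
REVERSE = """\
$ORIGIN 216.168.192.in-addr.arpa.
@   IN SOA zhangxingeng.com. admin.zhangxingeng.com. ( 2018112001 1D 1H 1W 3H )
199 IN PTR web1.zhangxingeng.com.
129 IN PTR www.zhangxingeng.com.
"""

def parse_zone(text):
    # Subset of zone syntax the tutorial uses: $ORIGIN, ';' comments, blank owners, ( ) groups.
    text = "\n".join(l.split(";")[0] for l in text.splitlines())
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), text)
    origin, owner, records = ".", "@", []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("$"):
            origin = parts[1] if parts and parts[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():               # explicit owner, else inherit the previous one
            owner = parts.pop(0)
        if parts[0] == "IN":                    # class is optional
            parts.pop(0)
        fq = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((fq, parts[0], " ".join(parts[1:])))
    return origin, records

def check_zones(fwd_text, rev_text):
    # NS/MX targets without address records (named-checkzone's warning) plus A/PTR mismatches.
    (_, fwd), (rev_origin, rev) = parse_zone(fwd_text), parse_zone(rev_text)
    addressed = {o for o, t, _ in fwd if t in ("A", "AAAA", "CNAME")}
    problems = [f"{t} target {rd.split()[-1]} has no address record"
                for _, t, rd in fwd if t in ("NS", "MX") and rd.split()[-1] not in addressed]
    base = ".".join(reversed(rev_origin.split(".")[:-3]))   # 216.168.192.in-addr.arpa. -> 192.168.216
    ptr = {f"{base}.{o.split('.')[0]}": rd for o, t, rd in rev if t == "PTR"}
    fwd_a = {rd: o for o, t, rd in fwd if t == "A" and not o.startswith("*")}   # wildcard has no PTR
    for ip in sorted(set(ptr) | set(fwd_a)):
        if ptr.get(ip) != fwd_a.get(ip):
            problems.append(f"{ip}: A record says {fwd_a.get(ip)}, PTR says {ptr.get(ip)}")
    return problems
```

Feeding it the real files (open("/var/named/zhangxingeng.com.zone").read() and the reverse file) reports the same two problems for the zones built in this post.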
4. Reload the primary server configuration
rndc reload
systemctl status named.service
5. Test
[[email protected] ~]# dig -t axfr zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t axfr zhangxingeng.com @192.168.216.198
;; global options: +cmd
zhangxingeng.com.       86400   IN      SOA     web1.zhangxingeng.com. admin.zhangxingeng.com. 2018112001 86400 3600 604800 10800
zhangxingeng.com.       86400   IN      NS      web1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      NS      dns1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      MX      10 mail.zhangxigneng.com.
*.zhangxingeng.com.     86400   IN      A       192.168.216.199
dns1.zhangxingeng.com.  86400   IN      A       192.168.216.198
mail.zhangxingeng.com.  86400   IN      A       192.168.216.128
web1.zhangxingeng.com.  86400   IN      A       192.168.216.199
www.zhangxingeng.com.   86400   IN      CNAME   web1.zhangxingeng.com.
zhangxingeng.com.       86400   IN      SOA     web1.zhangxingeng.com. admin.zhangxingeng.com. 2018112001 86400 3600 604800 10800
;; Query time: 2 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:09 CST 2018
;; XFR size: 10 records (messages 1, bytes 273)

[[email protected] ~]# dig -t A zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 57290
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zhangxingeng.com.              IN      A

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:27 CST 2018
;; MSG SIZE  rcvd: 45

[[email protected] ~]# dig -t NS zhangxingeng.com @192.168.216.198

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS zhangxingeng.com @192.168.216.198
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 44575
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zhangxingeng.com.              IN      NS

;; Query time: 1 msec
;; SERVER: 192.168.216.198#53(192.168.216.198)
;; WHEN: Wed Nov 21 20:31:37 CST 2018
;; MSG SIZE  rcvd: 45
The zone transfer succeeded from web1 because no allow-transfer is configured anywhere, so any host that can reach port 53/tcp can pull the whole zone; restrict it with allow-transfer { none; } in options (or the secondaries' addresses in the zone statement). The two plain queries that follow came back REFUSED with no answer, so the status of the zone should be checked as in the earlier dig test.
IV. Wildcard resolution, for a friendlier user experience
Even a mistyped hostname still resolves to the web server
1. Edit the zone database and add a single wildcard A record
[[email protected] named]# vim /var/named/zhangxingeng.com.zone

$TTL 86400
$ORIGIN zhangxingeng.com.
@       IN SOA  web1.zhangxingeng.com. admin.zhangxingeng.com. (
                        2018112001 ; serial
                        1D         ; refresh
                        1H         ; retry
                        1W         ; expire
                        3H )       ; minimum
        IN NS   web1.zhangxingeng.com.
        IN NS   dns1.zhangxingeng.com.
        IN MX   10 mail.zhangxigneng.com.
web1    IN A    192.168.216.199
dns1    IN A    192.168.216.198
mail    IN A    192.168.216.128
www     IN CNAME web1
*       IN A    192.168.216.199
2. A quick test
[[email protected] named]# curl web11.zhangxingeng.com
welcome to web1
[[email protected] named]#
To be continued...