DNS Server (Part 2)

pingink / 3068 reads

Abstract: layout of the main configuration file (options, logging and zone sections; every statement ends with a semicolon; a service must listen on an address other hosts can reach), caching name server setup, the dig/host/nslookup/rndc tools, master, slave, forward and reverse zones, subdomain delegation, forwarding, and BIND's security-related settings (acl, the allow-* statements, views).

References:
http://zhang789.blog.51cto.com/11045979/1858610
https://segmentfault.com/a/1190000010332312
Main configuration file format

Global options section:

        options { … };

Logging subsystem section:

        logging { … };

Zone definition section:

        zone "ZONE_NAME" IN { … };

Zone definitions: every zone this server is expected to answer for must be defined here.

Notes:

Every configuration statement must end with a semicolon (including the closing brace of a block).

Any service that is meant to be reachable over the network must listen on at least one IP address that external hosts can reach. The stock CentOS named.conf restricts listen-on to 127.0.0.1, so out of the box named answers nobody but the local host.
Caching name server configuration

Listen on an address that external hosts can reach:

    listen-on port 53 { 172.16.252.245; };

(the stock named.conf has listen-on port 53 { 127.0.0.1; }; replace it or comment it out; with no listen-on statement at all named listens on every interface.)

DNSSEC: for the lab the tutorial turns DNSSEC off. On a real recursive server dnssec-validation is what protects clients from forged answers, so only do this on a test box:

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;

(dnssec-enable and dnssec-lookaside are BIND 9.9 options; later releases deprecate both, DLV having been shut down in 2017, so dnssec-validation is the one that matters.)

Stop restricting queries to the local host by commenting out the line below, or better, replace localhost with the client networks this server is meant to serve. A recursive server reachable from the Internet with queries allowed from anywhere is an open resolver and will be used in amplification attacks:

    //allow-query  { localhost; };

Check the main configuration file for syntax errors:

    named-checkconf /etc/named.conf

Check a zone file for errors:

    named-checkzone "rookie.com" /var/named/rookie.com.zone

Example: [root@localhost ~]# vim /etc/named.conf

Test command dig:
dig [-t type] name [@SERVER] [query options]

dig only exercises the DNS; it never consults /etc/hosts.

Query options:

+[no]trace: trace the resolution from the root servers down: dig +trace rookie.com

+[no]recurse: ask the server for recursive resolution (on by default)

[root@localhost ~]# dig -t A www.baidu.com @172.16.252.254 +trace

Test reverse resolution:

dig -x IP is equivalent to dig -t PTR reversed-ip.in-addr.arpa

Simulate a zone transfer:
dig -t axfr ZONE_NAME @SERVER

dig -t axfr rookie.com @10.10.10.11

dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1

A server that answers AXFR for anyone hands its complete zone, every host name and address, to whoever asks; that is why allow-transfer must be limited to the slave servers (see the access-control section below). Run this against your own servers from a non-slave address to confirm the transfer is refused.

dig -t NS . @114.114.114.114

dig -t NS . @a.root-servers.net
[root@localhost ~]#dig -t NS baidu.com @172.16.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35043
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN  NS
 
;; ANSWER SECTION:
baidu.com.  54644   IN  NS  ns7.baidu.com.
baidu.com.  54644   IN  NS  ns3.baidu.com.
baidu.com.  54644   IN  NS  ns4.baidu.com.
baidu.com.  54644   IN  NS  dns.baidu.com.
baidu.com.  54644   IN  NS  ns2.baidu.com.
 
;; ADDITIONAL SECTION:
ns2.baidu.com.  140982  IN  A   61.135.165.235
ns4.baidu.com.  140982  IN  A   220.181.38.10
dns.baidu.com.  140982  IN  A   202.108.22.220
ns3.baidu.com.  140982  IN  A   220.181.37.10
ns7.baidu.com.  140982  IN  A   119.75.219.82
 
;; Query time: 2 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:38 EDT 2017
;; MSG SIZE  rcvd: 208

[root@localhost ~]#dig -t NS baidu.com @172.16.0.1 +nocomments
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1 +nocomments
;; global options: +cmd
;baidu.com. IN  NS
baidu.com.  54627   IN  NS  dns.baidu.com.
baidu.com.  54627   IN  NS  ns3.baidu.com.
baidu.com.  54627   IN  NS  ns2.baidu.com.
baidu.com.  54627   IN  NS  ns4.baidu.com.
baidu.com.  54627   IN  NS  ns7.baidu.com.
ns2.baidu.com.  140965  IN  A   61.135.165.235
ns4.baidu.com.  140965  IN  A   220.181.38.10
dns.baidu.com.  140965  IN  A   202.108.22.220
ns3.baidu.com.  140965  IN  A   220.181.37.10
ns7.baidu.com.  140965  IN  A   119.75.219.82
;; Query time: 1 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:56 EDT 2017
;; MSG SIZE  rcvd: 208
Test command host:
host [-t type] name [SERVER]

host -t NS rookie.com 172.16.0.1

host -t soa rookie.com

host -t mx rookie.com

host -t axfr rookie.com

host 1.2.3.4

The nslookup command: nslookup [-option] [name | -] [server]

Interactive mode:

nslookup>

server IP: select the DNS server to query

set q=RR_TYPE: select the resource record type to query

name: the name to look up
[root@localhost ~]#nslookup
> server 172.16.0.1
Default server: 172.16.0.1
Address: 172.16.0.1#53
> set q=a
> www.tencent.com
Server: 172.16.0.1
Address:    172.16.0.1#53
 
Non-authoritative answer:
www.tencent.com canonical name = upfile.wj.qq.com.cloud.tc.qq.com.
upfile.wj.qq.com.cloud.tc.qq.com    canonical name = ssd.tcdn.qq.com.
Name:   ssd.tcdn.qq.com
Address: 111.202.99.24
Name:   ssd.tcdn.qq.com
Address: 111.202.99.25
Name:   ssd.tcdn.qq.com
Address: 111.202.99.23
Name:   ssd.tcdn.qq.com
Address: 123.125.110.21
Name:   ssd.tcdn.qq.com
Address: 123.125.110.12
Name:   ssd.tcdn.qq.com
Address: 123.125.110.11
Name:   ssd.tcdn.qq.com
Address: 123.125.110.22
The rndc command:

rndc: remote name daemon control

It talks to named on 953/tcp, which by default is bound to 127.0.0.1 only, so it can only be used locally. The client authenticates with the shared HMAC key in /etc/rndc.key; if 953/tcp is ever opened to other hosts, restrict it with a controls statement and a key, because anyone who can reach the port with the key has full control of the server.

    rndc (client) --> named (953/tcp)

rndc COMMAND

Commands:

reload: reload the main configuration file and all zone files

reload zonename: reload one zone's file

retransfer zonename: start a zone transfer right away, whether or not the serial number has increased

notify zonename: resend NOTIFY messages for the zone to its slaves

reconfig: reload the main configuration file only (newly added zones are loaded, existing zone files are not reread)

querylog: toggle query logging on or off; queries go to syslog, on CentOS /var/log/messages

trace: raise the debug level by one

trace LEVEL: set the debug level explicitly

notrace: set the debug level to 0

flush: flush the server's cache
[root@localhost ~]# rndc status
version: 9.9.4-RedHat-9.9.4-37.el7      BIND version
CPUs found: 4                            CPUs detected
worker threads: 4                        worker threads
UDP listeners per interface: 4           UDP listeners per interface
number of zones: 101                     zones loaded
debug level: 0                           debug level
xfers running: 0                         zone transfers running
xfers deferred: 0                        zone transfers deferred
soa queries in progress: 0               SOA queries in progress
query logging is OFF                     query logging state
recursive clients: 0/0/1000              recursive clients (in use / soft limit / maximum)
tcp clients: 0/100                       TCP clients (in use / maximum)
server is up and running                 server is up and running
Configuring a master DNS server: define the zone in the main configuration file

zone "ZONE_NAME" IN {
        type {master|slave|hint|forward};
        file "ZONE_NAME.zone";
};

Define the zone data file. It contains:

Directives ($TTL, $ORIGIN and similar macros)

Resource records

Syntax check of the main configuration file:

named-checkconf

Syntax check of the zone file:

named-checkzone "rookie.com" /var/named/rookie.com.zone
Then rndc status | rndc reload, or service named reload

Note: three things to take care of before the lab

Stop the firewall

Disable SELinux

Time must be in sync between master and slaves

The first two are lab shortcuts. On a production server keep the firewall and SELinux on and instead allow 53/udp and 53/tcp through (TCP is needed for zone transfers and large answers); 953/tcp stays local.

Configuring a forward zone

Using the rookie.com domain as the example:

Define the zone

This goes in the main configuration file (/etc/named.conf) or in its companion file (/etc/named.rfc1912.zones):
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "rookie.com" IN {
        type master;
        file "rookie.com.zone";
};
Note: the zone name is the domain name.

Create the zone data file (the main records are A or AAAA records)

Create the zone data file under /var/named;
the file is /var/named/rookie.com.zone
[root@localhost /var/named]# vim rookie.com.zone
$TTL 600                ; default TTL: records without their own TTL are cached for 600 seconds
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (  ; owner = domain name; MNAME; RNAME = admin@rookie.com
                        2017060101     ; serial number
                        1H             ; refresh interval: one hour
                        5M             ; retry interval: five minutes
                        1W             ; expire: one week
                        6H )           ; negative-answer TTL: six hours
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.252.125
web                     IN      CNAME   www
Records without an owner name inherit the owner of the record before them (the two NS records belong to rookie.com.); names without a trailing dot are relative to the zone, so web and www mean web.rookie.com. and www.rookie.com. In the RNAME the first dot stands for @. The SOA MNAME is conventionally the primary server's host name (dns1.rookie.com.); rookie.com. loads fine but is unusual.
Ownership and permissions:
[root@localhost /var/named]# chgrp named /var/named/rookie.com.zone
[root@localhost /var/named]# chmod o= /var/named/rookie.com.zone
[root@localhost /var/named]# ll
total 20
drwxrwx--- 2 named named    6 Nov 12  2016 data
drwxrwx--- 2 named named    6 Nov 12  2016 dynamic
-rw-r----- 1 root  named 2076 Jan 28  2013 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
-rw-r----- 1 root  named  301 Jun  1 00:22 rookie.com.zone
(root-owned, group named, mode 640: named can read the master zone file but not write it, and other users cannot read it at all.)
Check for syntax errors:
[root@localhost /var/named]# named-checkconf
[root@localhost /var/named]# named-checkzone "rookie.com" /var/named/rookie.com.zone
zone rookie.com/IN: loaded serial 2017060101
OK

Make the server reload the configuration and zone data (either command is enough; rndc reload avoids a restart)

[root@localhost /var/named]# rndc reload
[root@localhost ~]# systemctl restart named.service

Verify (the aa flag in the answer below means this server answered authoritatively from its own zone, not from cache)

[root@localhost /var/named]#dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: 四 6月 01 01:02:13 CST 2017
;; MSG SIZE  rcvd: 129

The @SERVER argument can also be omitted by pointing the local resolver at this server in /etc/resolv.conf (not /etc/hosts, which dig ignores):
[root@localhost /var/named]# vim /etc/resolv.conf

; generated by /usr/sbin/dhclient-script
search magedu.com
#nameserver 172.16.0.1

With the nameserver line commented out the resolver falls back to 127.0.0.1, which here is the server under test:
[root@localhost /var/named]# dig -t A www.rookie.com
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns2.rookie.com.
rookie.com. 600 IN  NS  dns1.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:08:08 CST 2017
;; MSG SIZE  rcvd: 129
Configuring a reverse zone

Define the zone

In the main configuration file or in its companion file:
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
        type master;
        file "172.16.zone";
};
Note: the name of a reverse zone is
the network part of the address with its octets reversed, followed by .in-addr.arpa:
   172.16.0.0/16  ->  16.172.in-addr.arpa

Define the zone data file (the main records are PTR records)

[root@localhost ~]# vim /var/named/172.16.zone
$TTL 600
@       IN      SOA     rookie.com.     admin.rookie.com. (
                2017060101
                1H
                5M
                2W
                1D )
@               IN      NS      dns1.rookie.com.
@               IN      NS      dns2.rookie.com.
149.250         IN      PTR     dns1.rookie.com.
245.252         IN      PTR     dns2.rookie.com.
125.252         IN      PTR     www.rookie.com.
@ stands for the zone origin, 16.172.in-addr.arpa.; the PTR owners are the host octets in reverse order, so 149.250 is 149.250.16.172.in-addr.arpa., i.e. 172.16.250.149.
Ownership and permissions:
[root@localhost /var/named]# chgrp named /var/named/172.16.zone
[root@localhost /var/named]# chmod o= /var/named/172.16.zone
Check for syntax errors (pass the real zone origin to named-checkzone, otherwise the relative owner names and the apex records are checked against the wrong name):
[root@localhost ~]# named-checkconf
[root@localhost ~]# named-checkzone "16.172.in-addr.arpa" /var/named/172.16.zone
zone 16.172.in-addr.arpa/IN: loaded serial 2017060101
OK

Make the server reload the configuration and zone data

[root@localhost ~]# rndc reload
[root@localhost ~]# systemctl restart named.service

Verify

[root@localhost /var/named]# dig -x 172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;149.250.16.172.in-addr.arpa.   IN  PTR
 
;; ANSWER SECTION:
149.250.16.172.in-addr.arpa. 600 IN PTR dns1.rookie.com.
 
;; AUTHORITY SECTION:
16.172.in-addr.arpa.    600 IN  NS  dns1.rookie.com.
16.172.in-addr.arpa.    600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:44:45 CST 2017
;; MSG SIZE  rcvd: 150
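The reverse-name arithmetic is used twice on this page (dig -x asking for reversed-ip.in-addr.arpa, and the 16.172.in-addr.arpa zone whose owners look like 149.250) and is easy to get wrong by hand. The helper below is an added example, not code from the original post: it builds the query name, the zone apex for an octet-aligned network, the owner name relative to that apex, and a complete PTR zone file for the page's 172.16.0.0/16 lab network. The IPv6 branch and the SOA timer values are additions not shown on the page.

```python
"""Reverse-DNS naming helpers.  Added example for this page, not from the
original post: derives the name `dig -x` queries, the reverse zone apex for a
network, the owner names used inside that zone, and renders a PTR zone file.
Only octet-aligned IPv4 (/8, /16, /24) and nibble-aligned IPv6 networks are
handled; classless (RFC 2317) delegation is rejected."""
import ipaddress


def reverse_query_name(ip):
    """What `dig -x 172.16.250.149` asks for: 149.250.16.172.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_name(network):
    """Zone apex: 172.16.0.0/16 -> 16.172.in-addr.arpa,
    2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{network}: classless reverse zones need RFC 2317 naming")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        if net.prefixlen % 4:
            raise ValueError(f"{network}: IPv6 reverse zones must be nibble-aligned")
        labels = list(net.network_address.exploded.replace(":", ""))[: net.prefixlen // 4]
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix


def relative_owner(ip, network):
    """Owner name relative to the zone apex, the `149.250 IN PTR ...` form."""
    addr, net = ipaddress.ip_address(ip), ipaddress.ip_network(network, strict=True)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    apex = reverse_zone_name(network)
    full = reverse_query_name(ip).rstrip(".")
    return full[: -(len(apex) + 1)]


def build_reverse_zone(network, primary_ns, admin_mail, serial, nameservers, hosts, ttl=600):
    """Render a zone like /var/named/172.16.zone.  `hosts` maps IP -> FQDN.
    The SOA timers (1H 5M 2W 1D) are the ones the page uses for its reverse zone."""
    apex = reverse_zone_name(network)
    dot = lambda n: n if n.endswith(".") else n + "."
    lines = [f"$TTL {ttl}", f"$ORIGIN {apex}.",
             f"@\tIN\tSOA\t{dot(primary_ns)} {dot(admin_mail)} ( {serial} 1H 5M 2W 1D )"]
    lines += [f"@\tIN\tNS\t{dot(ns)}" for ns in nameservers]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        lines.append(f"{relative_owner(ip, network)}\tIN\tPTR\t{dot(hosts[ip])}")
    return "\n".join(lines) + "\n"


LAB_HOSTS = {  # the page's lab addresses
    "172.16.250.149": "dns1.rookie.com",
    "172.16.252.245": "dns2.rookie.com",
    "172.16.252.125": "www.rookie.com",
}

if __name__ == "__main__":
    print(reverse_query_name("172.16.250.149"))
    print(build_reverse_zone("172.16.0.0/16", "dns1.rookie.com", "admin.rookie.com",
                             2017060101, ["dns1.rookie.com", "dns2.rookie.com"], LAB_HOSTS))
```

Feed the rendered text to named-checkzone with the apex returned by reverse_zone_name; the $ORIGIN line makes the file self-describing, which is what the tutorial's bare 172.16.zone lacks.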
Master and slave servers:

Note: "slave" is a per-zone concept; one server can be master for some zones and slave for others.

Master zone configuration: as in the forward and reverse zone setups above.

Slave zone configuration:

On Slave

Define the slave zone (on a second virtual machine):

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "rookie.com." IN {
        type slave;
        file "slaves/rookie.com.zone";
        masters { 172.16.250.149; };            # the master server
};
The slaves/ directory is owned by named, so the transferred copy can be written there.

[root@localhost ~]# vim /etc/named.conf
options {
        //listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
 
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
 
        dnssec-enable no;
        dnssec-validation no;
The listen-on line is commented out so named listens on every interface. Note what this options block amounts to: allow-query { any; } together with recursion yes; is an open resolver if the machine has a public address, exactly what the comment inside the file warns about. On a real deployment keep recursion yes only with allow-recursion limited to your own networks, or turn recursion off on a server that is authoritative only.

Configuration syntax check:

[root@localhost ~]# named-checkconf

Reload the configuration on both master and slave

[root@localhost ~]# rndc reload
[root@localhost ~]# systemctl restart named.service
[root@localhost ~]# ll /var/named/slaves/    (the zone file has been transferred)
total 4
-rw-r--r-- 1 named named 414 Jun  1 03:01 rookie.com.zone

Verify the slave

(the query below goes to 172.16.250.149, which is the master, so it only re-tests the master; to confirm the slave itself answers, query its own address, dig -t A www.rookie.com @172.16.252.245, and check that the aa flag is present)

[root@localhost ~]# dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:41:02 EDT 2017
;; MSG SIZE  rcvd: 129

Change the zone file on the master and test again. Bumping the serial (2017060101 -> 2017060102) is what makes the slave pull the change; an edit without a new serial is never transferred.

[root@localhost /var/named]# vim rookie.com.zone
$TTL 600
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (
                        2017060102
                        1H
                        5M  
                        1W
                        6D )
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.252.125
web                     IN      CNAME   www
ftp                     IN      CNAME   www

[root@localhost ~]#dig -t A ftp.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A ftp.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.rookie.com.    IN  A
 
;; ANSWER SECTION:
ftp.rookie.com. 600 IN  CNAME   WWW.rookie.com.
WWW.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:46:11 EDT 2017
;; MSG SIZE  rcvd: 147
On Master

Make sure the zone file has an NS record for every slave server, and that the forward zone has an A record for the host name in each of those NS records pointing at the slave's real IP address. The master sends NOTIFY to the addresses of the listed NS hosts, so a wrong or missing A record means the slave never hears about updates.

Note: clocks must be in sync

ntpdate command
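The conditions this section and the forward-zone setup above depend on (the serial must increase before a slave transfers, every in-zone NS needs an A/AAAA record, CNAME targets should exist and a CNAME owner may carry no other data) can be checked before rndc reload. The script below is an added example, not code from the original post or from BIND: it parses the zone-file layout used on this page (owner inheritance, @, relative names, a parenthesised SOA) and reports the problems named-checkzone also flags (missing glue, CNAME beside other records) plus two it cannot know about, a serial that did not move and a CNAME pointing at a name absent from the zone. It also bumps the serial in the page's YYYYMMDDnn style. The sample zone is constructed from the page's rookie.com records.

```python
"""Pre-reload sanity checks for a BIND master zone file.  Added example for this
page, not code from the original post or from BIND.  Handles the layout used on
this page only: $ORIGIN, $GENERATE and quoted TXT data are not supported."""

# Constructed sample: the page's rookie.com zone after the ftp alias was added.
SAMPLE_ZONE = """\
$TTL 600
rookie.com.      IN SOA  dns1.rookie.com. admin.rookie.com. (
                 2017060102    ; serial
                 1H 5M 1W 6H ) ; refresh retry expire negative-ttl
                 IN NS   dns1.rookie.com.
                 IN NS   dns2.rookie.com.
dns1.rookie.com. IN A    172.16.250.149
dns2.rookie.com. IN A    172.16.252.245
www.rookie.com.  IN A    172.16.252.125
web              IN CNAME www
ftp              IN CNAME www
"""
RR_TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}


def _logical_lines(text):
    """Drop `;` comments and join parenthesised continuation lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text, origin):
    """Records as (owner, TYPE, rdata tokens); owner and the first name in
    NS/CNAME/PTR/SOA rdata are made fully qualified."""
    origin = origin.rstrip(".") + "."
    fqdn = lambda n: origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}")
    records, prev_owner = [], origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        owner = prev_owner if line[0].isspace() else fqdn(tokens.pop(0))  # blank owner: inherit
        while tokens and tokens[0].upper() not in RR_TYPES:  # skip optional TTL and class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"unsupported line: {line.strip()}")
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR", "SOA"):
            rdata[0] = fqdn(rdata[0])
        records.append((owner, rtype, rdata))
        prev_owner = owner
    return records


def serial_is_newer(new, old):
    """RFC 1982 comparison with 32-bit wrap-around, as a slave applies it."""
    return new != old and (new - old) % 2**32 < 2**31


def check_zone(text, origin, previous_serial=None):
    """Return the problems found; an empty list means the zone is safe to load."""
    records = parse_zone(text, origin)
    origin = origin.rstrip(".") + "."
    in_zone = lambda n: n == origin or n.endswith("." + origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or soa[0][0] != origin:
        problems.append("zone needs exactly one SOA record at the apex")
    elif previous_serial is not None and not serial_is_newer(int(soa[0][2][2]), previous_serial):
        problems.append(f"serial {soa[0][2][2]} is not newer than {previous_serial}; "
                        "slaves will not transfer the change")
    for owner, rtype, rdata in records:
        if (rtype == "NS" and owner == origin and in_zone(rdata[0])
                and not types_at.get(rdata[0], set()) & {"A", "AAAA"}):
            problems.append(f"in-zone NS {rdata[0]} has no A/AAAA glue record")
        if rtype == "CNAME" and types_at[owner] - {"CNAME"}:
            problems.append(f"{owner} has a CNAME alongside other records")
        if rtype == "CNAME" and in_zone(rdata[0]) and rdata[0] not in types_at:
            problems.append(f"CNAME {owner} -> {rdata[0]}: target missing from zone")
    return problems


def bump_serial(text, origin, today):
    """Rewrite the SOA serial in YYYYMMDDnn style (`today` is YYYYMMDD); the
    result is always larger than the old serial even if the clock went backwards."""
    old = next(r for r in parse_zone(text, origin) if r[1] == "SOA")[2][2]
    new = max(int(old) + 1, int(today) * 100)
    return text.replace(old, str(new), 1), new


if __name__ == "__main__":
    print("current:", check_zone(SAMPLE_ZONE, "rookie.com", previous_serial=2017060101))
    broken = SAMPLE_ZONE.replace("dns2.rookie.com. IN A    172.16.252.245\n", "")
    print("broken: ", check_zone(broken, "rookie.com", previous_serial=2017060102))
    bumped, serial = bump_serial(SAMPLE_ZONE, "rookie.com", "20170601")
    print("bumped to", serial, check_zone(bumped, "rookie.com", previous_serial=2017060102))
```

Run check_zone with the serial the slave currently reports (dig -t SOA rookie.com @slave) as previous_serial; the script still does not replace named-checkzone, which knows every record type and the full master-file grammar.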

Subdomain delegation:

To delegate a subdomain from a forward zone, add NS records for the child zone and A records for its name servers:

ops.rookie.com. IN NS ns1.ops.rookie.com.
ops.rookie.com. IN NS ns2.ops.rookie.com.
ns1.ops.rookie.com. IN A IP.AD.DR.ESS
ns2.ops.rookie.com. IN A IP.AD.DR.ESS

The A records are glue: the child's name servers have names inside the child zone itself, so without them a resolver could never learn their addresses.

Defining forwarding:

Note: the server being forwarded to must be willing to perform recursion for this server, otherwise the forwarded requests go unanswered.

Zone forwarding: forward only the queries for one particular zone; it takes precedence over global forwarding.
zone "ZONE_NAME" IN {
        type forward;
        forward {first|only};
        forwarders { SERVER_IP; };
};

first: forward first; if the forwarder does not respond, resolve by iterating on our own.

only: forward only; never iterate on our own.

Global forwarding: every query for a zone not defined locally is handed to the forwarder.
options {
        ... ...
        forward {only|first};
        forwarders { SERVER_IP; };
        ... ...
};

Note: the tutorial disables DNSSEC on the forwarding server:
dnssec-enable no;
dnssec-validation no;
A forwarder that does not return DNSSEC data would otherwise make validation fail for signed zones; on a production resolver use a DNSSEC-capable forwarder rather than turning validation off.
Security-related configuration in BIND:
acl: access control list; groups one or more addresses into a named set, after which the name refers to every host in the set.

Format:

acl acl_name {
        ip;
        net/prefixlen;
        ……
};

Example:
acl mynet {
        172.16.0.0/16;
        10.10.10.10;
};
BIND has four built-in acls:
none: no host

any: any host

localhost: the addresses of the server's own interfaces

localnets: the networks the server's interfaces are on (each interface address ANDed with its netmask)

Note: an acl must be defined before it is used, so acls are normally placed in the configuration file above the options block.

Access control statements:

allow-query {}; hosts allowed to query; a whitelist

allow-transfer {}; hosts allowed to request a zone transfer; the default is all hosts, which hands your whole zone to anyone running dig -t axfr, so set it to the slave servers only

allow-recursion {}; hosts allowed to send recursive queries to this server; keep it to your own networks so the server cannot be abused as an open resolver

allow-update {}; DDNS, hosts allowed to change the zone data dynamically; leave it at the default none unless you deploy dynamic updates, and then authenticate them with TSIG keys rather than addresses alone

BIND views:

view: one BIND server may define several views, and each view may hold one or more zones.

Each view matches a group of clients with match-clients; views are evaluated in the order they appear and the first one that matches answers the client.

Several views may need to serve the same zone, each from a different zone file, so that internal clients get internal addresses and everyone else gets the public ones.

view VIEW_NAME {
        zone "..." IN { ... };
        zone "..." IN { ... };
        zone "..." IN { ... };
};

view internal {
        match-clients { 172.16.0.0/16; };
        zone "rookie.com" IN {
                type master;
                file "rookie.com/internal";
        };
};

view external {
        match-clients { any; };
        zone "rookie.com" IN {
                type master;
                file "rookie.com/external";
        };
};

Once any view is defined, every zone (the root hints and the zones from named.rfc1912.zones included) must live inside a view, and the internal view has to come before the catch-all external one or it is never selected.
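To see how the acl, allow-* and match-clients lists above are actually evaluated, the model below is an added example (not BIND's code and not from the original post): it implements BIND's address-match-list rules with Python's ipaddress module, first match wins, a leading ! denies, named acls nest, the four built-ins exist, and uses them to answer "would this client be allowed to transfer, recurse or update, and which view would it land in" for the page's lab policy. The interface addresses that seed localhost and localnets, the slaves acl and the allow-recursion choice are assumptions. One rule worth knowing: BIND treats a negated element that matches inside a referenced acl as "no match" rather than as a deny, so ! entries that must deny belong in the statement itself. TSIG key entries are not modelled.

```python
"""Offline model of BIND address match lists (acl, allow-*, match-clients).
Added example for this page; not BIND code.  The interface addresses are
assumed so that the localhost/localnets built-ins have something to match."""
import ipaddress

INTERFACES = ["172.16.250.149/16", "127.0.0.1/8"]          # assumed server interfaces
BUILTIN = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "localhost": [str(ipaddress.ip_interface(i).ip) for i in INTERFACES],
    "localnets": [str(ipaddress.ip_interface(i).network) for i in INTERFACES],
}


class AddressMatchList:
    """Entries are tested in order; the first entry that matches decides, a
    leading `!` turns that decision into a deny, and no match at all is a deny.
    A referenced acl counts as matched only when it matches positively, which is
    how BIND's matcher treats nested lists.  Prefixes with host bits set
    (172.16.0.0/8) raise ValueError instead of silently widening to 172.0.0.0/8."""

    def __init__(self, acls):
        self.acls = {**BUILTIN, **acls}

    def _match(self, entries, addr):
        for entry in entries:
            negate = entry.startswith("!")
            item = entry.lstrip("!").strip()
            if item in self.acls:
                hit = self._match(self.acls[item], addr) > 0
            else:
                net = ipaddress.ip_network(item, strict=True)
                hit = addr.version == net.version and addr in net
            if hit:
                return -1 if negate else 1
        return 0

    def allows(self, entries, client):
        """True if `client` is granted access by this address match list."""
        return self._match(entries, ipaddress.ip_address(client)) > 0


def check_policy(aml, policy, client):
    """Which of the options{} statements grant access to `client`."""
    return {stmt: aml.allows(entries, client) for stmt, entries in policy.items()}


def select_view(aml, views, client):
    """Views are tried in named.conf order; the first whose match-clients
    matches answers.  None means BIND would refuse the query."""
    for name, match_clients in views:
        if aml.allows(match_clients, client):
            return name
    return None


# The page's lab policy (the slaves acl and the allow-recursion value are assumed).
ACLS = {"mynet": ["172.16.0.0/16", "10.10.10.10"], "slaves": ["172.16.252.245"]}
POLICY = {
    "allow-query": ["any"],
    "allow-recursion": ["mynet"],      # not `any`: that would be an open resolver
    "allow-transfer": ["slaves"],      # BIND's default is any: whole-zone AXFR for everyone
    "allow-update": ["none"],
}
VIEWS = [("internal", ["mynet"]), ("external", ["any"])]

if __name__ == "__main__":
    aml = AddressMatchList(ACLS)
    for client in ["172.16.252.245", "10.10.10.10", "203.0.113.7", "127.0.0.1"]:
        print(client, check_policy(aml, POLICY, client), "view:", select_view(aml, VIEWS, client))
```

Swap ACLS, POLICY and VIEWS for the lists from your own named.conf to see, before reloading, which clients can pull the zone or recurse through you and which view each client lands in.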

Source: https://www.ucloud.cn/yun/39620.html