西部开源 Study Notes, Book 3: "DNS Local Caching Server"
#################################
####### Configuring a caching DNS server ########
#################################
################
### DNS overview ###
################
## Authoritative name servers
- Store and serve the actual data for an entire DNS domain or for part of one. Authoritative name servers come in two types:
* Master: holds the original zone data. Sometimes called the "primary" name server.
* Slave: a backup server that obtains a copy of the zone data from the master by zone transfer. Sometimes called the "secondary" name server.
## Non-authoritative / recursive name servers
- Servers through which clients look up data held on authoritative name servers. Recursive name servers include:
* Caching-only name servers: used only for lookups; not authoritative for any zone data.
## DNS lookups
- The stub resolver on the client sends its query to the name server(s) listed in /etc/resolv.conf.
- If the name server
######### Lab setup ##########
1. Client
IP: 172.25.254.119
DNS (/etc/resolv.conf): 172.25.254.219
1) Set the hostname to client
[[email protected] ~]# hostnamectl set-hostname client.example.com
[[email protected] ~]# reboot
Connection to 172.25.254.119 closed by remote host.
Connection to 172.25.254.119 closed.
2) Configure the DNS server address on the client
[[email protected] ~]# vim /etc/resolv.conf
# Generated by NetworkManager
domain example.com
search example.com
nameserver 172.25.254.219
2. Server
IP: 172.25.254.219
DNS: 172.25.254.219
yum repository: /etc/yum.repos.d/rhel_dvd.repo, http://172.25.254.250/rhel7
1) Set the hostname to dns-server
[[email protected] ~]# hostnamectl set-hostname dns-server.example.com
[[email protected] ~]# reboot
Connection to 172.25.254.219 closed by remote host.
Connection to 172.25.254.219 closed.
2) Configure the yum repository
[[email protected] ~]# vim /etc/yum.repos.d/rhel_dvd.repo
# Created by cloud-init on Thu, 10 Jul 2014 22:19:11 +0000
[rhel_dvd]
gpgcheck = 0
enabled = 1
baseurl = http://172.25.254.19/rhel7.0
name = Remote classroom copy of dvd
[[email protected] ~]# yum clean all  ## remember to refresh the yum cache
3) Install bind (the DNS server software)
[[email protected] ~]# yum install bind -y
4) Start the DNS service
[[email protected] ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: inactive (dead)
[[email protected] ~]# systemctl start named
--------------------------------------------------------------------------
Note: if the service is very slow to start, it may be because the system has only just booted and there is not yet enough random data to generate the key. Typing on the keyboard or moving the mouse on the server adds randomness and resolves this.
The system keeps this random data in /dev/random; you can view it with cat /dev/random:
[[email protected] ~]# cat /dev/random
3:HxYK)T
The key is stored in /etc/rndc.key; you can view it with cat /etc/rndc.key:
[[email protected] ~]# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "SriFRo71w6fL0Gf8tAeapA==";
};
---------------------------------------------------------------------------
5) Configure the firewall
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --permanent --add-service=dns
success
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ftp ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
6) Set SELinux to permissive mode (not required)
[[email protected] ~]# setenforce 0
######### Local caching DNS server ##########
1) Open named's port 53 (TCP and UDP) on all interfaces
[[email protected] ~]# dig www.baidu.com
connection timed out; no servers could be reached
## No DNS server is reachable because named's port 53 is not open on the server's external interface
[[email protected] ~]# netstat -antuple | grep named
## This shows that named's TCP port 53 is listening only on the loopback address 127.0.0.1
[[email protected] ~]# rpm -qc bind  ## list bind's configuration files
/etc/logrotate.d/named
/etc/named.conf  ## the main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
[[email protected] ~]# vim /etc/named.conf
11 listen-on port 53 { 127.0.0.1; };
||
\/
11 listen-on port 53 { any; };
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
2) Configure the DNS server to answer queries from everyone
[[email protected] ~]# dig www.baidu.com
status: REFUSED
## The client's query is now refused because the server is not yet configured to answer queries from everyone
[[email protected] ~]# vim /etc/named.conf
17 allow-query { localhost; };
||
\/
17 allow-query { any; };
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
3) Configure where the local caching DNS server obtains its answers
[[email protected] ~]# dig www.baidu.com
status: SERVFAIL
## The server now fails to serve the query because a local caching DNS server has to fetch records from another DNS server
[[email protected] ~]# vim /etc/named.conf
18 forwarders { 172.25.254.250; };  ## add this line at line 18
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
[[email protected] ~]# dig www.baidu.com  ## verify that the lookup now succeeds
Finally, note that because this is a local caching DNS server, which is not registered on the public Internet, DNSSEC validation has to be turned off.
4) Turn off DNSSEC validation (dnssec-validation)
[[email protected] ~]# vim /etc/named.conf
33 dnssec-validation yes;
||
\/
33 dnssec-validation no;
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
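The following Python script is an added example and not part of the original notes. It parses the four options edited in steps 1) to 4), reports what the resulting settings expose, and renders a tighter equivalent. The options text inside it is constructed to mirror the values the walkthrough ends with; the ACL name `localnet` and the 172.25.254.0/24 range are assumptions about the lab network. Two things it makes visible: `listen-on { any; }` together with `allow-query { any; }` and BIND's default `recursion yes` turns the host into an open resolver that anyone who can reach it may use for recursive lookups, so limiting `allow-query` and `allow-recursion` to the lab subnet is the usual fix; and `dnssec-validation no` stops named from checking the answers the forwarder returns, which the audit records rather than silently accepts. The hardened rendering keeps the forwarder and the dnssec-validation choice from the input so the lab still works.

```python
"""Audit the named.conf options this walkthrough edits and render a tighter
equivalent.  Added example, not code from the notes; the options text below is
constructed to mirror the values the walkthrough ends with, and the ACL name
'localnet' plus the 172.25.254.0/24 range are assumptions for this lab."""
import re
from ipaddress import ip_network

# Constructed: the four settings as they stand after steps 1)-4) above.
NAMED_CONF_OPTIONS = """\
options {
    listen-on port 53 { any; };
    allow-query { any; };
    forwarders { 172.25.254.250; };
    dnssec-validation no;
};
"""

LIST_STMT = re.compile(r'^([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\};$')
SINGLE_STMT = re.compile(r'^([\w-]+)\s+([^;{}]+);$')

def parse_options(text):
    """Return {statement: [values]} for the simple one-line statements named uses."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split('//', 1)[0].strip()      # drop trailing // comments
        m = LIST_STMT.match(line)
        if m:
            opts[m.group(1)] = [v.strip() for v in m.group(2).split(';') if v.strip()]
            continue
        m = SINGLE_STMT.match(line)
        if m:
            opts[m.group(1)] = [m.group(2).strip()]
    return opts

def audit(opts):
    """List the exposures a reviewer would flag.  BIND defaults are assumed
    where a statement is absent: listen-on 127.0.0.1, allow-query localhost
    (RHEL's stock named.conf), recursion yes, and allow-recursion falling
    back to allow-query."""
    findings = []
    listen = opts.get('listen-on', ['127.0.0.1'])
    recursion_acl = opts.get('allow-recursion', opts.get('allow-query', ['localhost']))
    recursion = opts.get('recursion', ['yes'])[0]
    if 'any' in listen and 'any' in recursion_acl and recursion == 'yes':
        findings.append('open resolver: recursive queries accepted from any source address')
    if opts.get('dnssec-validation', ['yes'])[0] == 'no':
        findings.append('dnssec-validation no: answers relayed by the forwarder are not validated')
    if opts.get('forwarders') and 'forward' not in opts:
        findings.append("forwarders without 'forward only': named falls back to the root hints "
                        "when the forwarder does not answer")
    return findings

def render_hardened(opts, trusted_nets, acl_name='localnet'):
    """Render the options with recursion limited to trusted_nets; keeps the
    forwarders and the dnssec-validation choice from opts unchanged."""
    nets = ' '.join(str(ip_network(n)) + ';' for n in trusted_nets)
    fwd = ' '.join(f + ';' for f in opts.get('forwarders', []))
    dnssec = opts.get('dnssec-validation', ['yes'])[0]
    return '\n'.join([
        'acl "%s" { %s };' % (acl_name, nets),
        'options {',
        '    listen-on port 53 { any; };',
        '    allow-query { %s; };' % acl_name,
        '    allow-recursion { %s; };' % acl_name,
        '    forwarders { %s };' % fwd,
        '    forward only;',
        '    dnssec-validation %s;' % dnssec,
        '};',
    ])

if __name__ == '__main__':
    opts = parse_options(NAMED_CONF_OPTIONS)
    for finding in audit(opts):
        print('finding:', finding)
    print(render_hardened(opts, ['172.25.254.0/24']))
```

On the real server the rendered block replaces the corresponding lines in /etc/named.conf, after which `named-checkconf` and `systemctl restart named` apply it; the client at 172.25.254.119 still resolves through the forwarder, while hosts outside 172.25.254.0/24 get REFUSED.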
######### DNS forward resolution ##########
[[email protected] ~]# vim /etc/named.conf
51 zone "." IN {
52 type hint;
53 file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";  ## points to this file
57 include "/etc/named.root.key";
[[email protected] ~]# vim /etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone";  ## points to this file
28 allow-update { none; };
29 };
## Lines 25-29 are modeled on the template in lines 19-23
[[email protected] ~]# cd /var/named/
[[email protected] named]# ls
data named.empty slaves
dynamic named.localhost
named.ca named.loopback
[[email protected] named]# cp -p named.localhost tbr.com.zone
## Note: cp must be given -p here so that the file copied from the template keeps named as its group
[[email protected] named]# ll
total 32
drwxrwx---. 2 named named 22 11月 20 01:23 data
drwxrwx---. 2 named named 4096 11月 21 02:55 dynamic
-rw-r-----. 1 root named 2076 1月 28 2013 named.ca
-rw-r-----. 1 root named 152 12月 15 2009 named.empty
-rw-r-----. 1 root named 152 6月 21 2007 named.localhost
-rw-r-----. 1 root named 168 12月 15 2009 named.loopback
drwxrwx---. 2 named named 6 1月 29 2014 slaves
-rw-r-----. 1 root named 210 11月 20 03:15 tbr.com.zone
Otherwise it ends up as
-rw-r-----. 1 root root 210 11月 20 03:15 tbr.com.zone
[[email protected] named]# vim tbr.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
||
\/
$TTL 1D
@       IN SOA  dns.tbr.com. root.tbr.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.tbr.com.
dns     A       172.25.254.219
www     A       172.25.254.19
www     A       172.25.254.18
bbs     CNAME   www.tbr.com.
tbr.com. MX 1   172.25.254.219.
## dns.tbr.com. is the name of the DNS server
## Note that every domain name here ends with a dot; otherwise the system appends the suffix configured in /etc/named.rfc1912.zones, .tbr.com
## Note: when several A records map one name to several IPs, the DNS server round-robins that answer. The effect is as follows:
Running dig www.tbr.com repeatedly, the order of the two IPs keeps rotating, as shown in the figure.
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
Testing
[[email protected] ~]# dig -t mx tbr.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t mx tbr.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41997
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;tbr.com.                       IN      MX

;; ANSWER SECTION:
tbr.com.                86400   IN      MX      1 172.25.254.219.

;; AUTHORITY SECTION:
tbr.com.                86400   IN      NS      dns.tbr.com.

;; ADDITIONAL SECTION:
dns.tbr.com.            86400   IN      A       172.25.254.219

;; Query time: 1 msec
;; SERVER: 172.25.254.219#53(172.25.254.219)
;; WHEN: 一 11月 21 04:06:07 EST 2016
;; MSG SIZE  rcvd: 100
[[email protected] ~]# dig www.tbr.com  ## test the A records
[[email protected] ~]# dig bbs.tbr.com  ## test the CNAME
[[email protected] ~]# mail [email protected]  ## test MX mail resolution
Subject: dawda
fdawda
caw
.
EOT
[[email protected] ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C8A7717E849 462 Sun Nov 20 03:05:10 [email protected]
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
0938717E857 437 Mon Nov 21 04:09:23 [email protected]
(connect to 172.25.254.219[172.25.254.219]:25: No route to host)
-- 1 Kbytes in 2 Requests.
######### DNS reverse resolution ##########
[[email protected] named]# vim /etc/named.rfc1912.zones
37 zone "1.0.0.127.in-addr.arpa" IN {
38 type master;
39 file "named.loopback";
40 allow-update { none; };
41 };
42
43 zone "254.25.172.in-addr.arpa" IN {  ## the 172.25.254.0 network
44 type master;
45 file "tbr.comNaNr";
46 allow-update { none; };
47 };
## Lines 43-47 are modeled on the template in lines 37-41
[[email protected] ~]# cd /var/named/
[[email protected] named]# ls
data named.empty slaves
dynamic named.localhost tbr.com.zone
named.ca named.loopback
[[email protected] named]# cp -p named.localhost tbr.comNaNr  ## -p is required here
[[email protected] named]# vim tbr.com.zone
$TTL 1D
@       IN SOA  dns.tbr.com. root.tbr.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.tbr.com.
        A       172.25.254.219
19      PTR     www.tbr.com.
18      PTR     www.hello.com.
## IP address 172.25.254.19 ----> www.tbr.com
## IP address 172.25.254.18 ----> www.hello.com
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
Testing
[[email protected] ~]# dig -x 172.25.254.19  ## reverse lookup: the name for an address
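As an added example covering both the forward zone above and the reverse zone just configured (not code from the notes), here is a small Python zone-file parser and linter. The zone texts are copied from the notes' tbr.com.zone and the reverse zone, with the indentation a zone file normally has; the parser, the lint rules and the helper names are this example's own. It shows the origin rule the notes warn about (a name without a trailing dot gets the zone name appended, so `dns` becomes `dns.tbr.com.` and `19` becomes `19.254.25.172.in-addr.arpa.`), returns the two A records for www together as named does before rotating them, chases the bbs CNAME, and derives the PTR owner name for 172.25.254.19. The linter also flags the MX record: its target is written as an address with a trailing dot, which named loads as a domain name (its `check-mx` option, default warn, logs the same complaint), but MX rdata must name a host that has an A record, so a real mail server needs a hostname there.

```python
"""Parse and lint the forward and reverse zone files from these notes.
Added example, not code from the notes: the zone texts are copied from the
notes (with ordinary zone-file indentation); parser, lint rules and helper
names are this example's own."""
import re
from ipaddress import ip_address

FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  dns.tbr.com. root.tbr.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns.tbr.com.
dns     A       172.25.254.219
www     A       172.25.254.19
www     A       172.25.254.18
bbs     CNAME   www.tbr.com.
tbr.com. MX 1   172.25.254.219.
"""
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  dns.tbr.com. root.tbr.com. ( 0 1D 1H 1W 3H )
        NS      dns.tbr.com.
        A       172.25.254.219
19      PTR     www.tbr.com.
18      PTR     www.hello.com.
"""
NAME_TYPES = {'NS', 'CNAME', 'MX', 'PTR'}   # rdata ends with a domain name
TTL_TOKEN = re.compile(r'\d+[smhdw]?', re.I)

def absolute(name, origin):
    """Expand '@' and names without a trailing dot the way named applies $ORIGIN."""
    if name == '@':
        return origin
    return name if name.endswith('.') else name + '.' + origin

def parse_zone(text, origin):
    """Return [(owner, type, [rdata tokens])] with every name made absolute."""
    origin = origin if origin.endswith('.') else origin + '.'
    no_comments = '\n'.join(l.split(';', 1)[0] for l in text.splitlines())
    # fold the multi-line SOA '( ... )' onto one line
    joined = re.sub(r'\(([^)]*)\)', lambda m: ' '.join(m.group(1).split()), no_comments)
    records, owner = [], origin
    for line in joined.splitlines():
        if not line.strip() or line.startswith('$'):
            continue                          # blank line or $TTL/$ORIGIN directive
        tokens = line.split()
        if not line[0].isspace():             # a name in column 1 sets the owner
            owner = absolute(tokens.pop(0), origin)
        if tokens and TTL_TOKEN.fullmatch(tokens[0]):
            tokens.pop(0)                     # optional per-record TTL
        if tokens and tokens[0] == 'IN':
            tokens.pop(0)                     # optional class
        rtype = tokens.pop(0)
        if rtype == 'SOA':
            tokens[:2] = [absolute(t, origin) for t in tokens[:2]]
        elif rtype in NAME_TYPES:
            tokens[-1] = absolute(tokens[-1], origin)
        records.append((owner, rtype, tokens))
    return records

def lookup(records, name, rtype, depth=0):
    """Answer like named: rdata strings for name/type, chasing one CNAME if needed."""
    hits = [' '.join(rd) for o, t, rd in records if o == name and t == rtype]
    if hits:
        return hits                           # several A records come back together (round robin)
    cname = [rd[0] for o, t, rd in records if o == name and t == 'CNAME']
    return lookup(records, cname[0], rtype, depth + 1) if cname and depth == 0 else []

def reverse_name(ip):
    """Owner name of the PTR record for an address, e.g. 19.254.25.172.in-addr.arpa."""
    return ip_address(ip).reverse_pointer + '.'

def is_address(name):
    try:
        ip_address(name.rstrip('.'))
        return True
    except ValueError:
        return False

def lint(records, origin):
    """Checks worth running before 'systemctl restart named' (named-checkzone covers syntax)."""
    origin = origin if origin.endswith('.') else origin + '.'
    in_zone = lambda n: n == origin or n.endswith('.' + origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings = []
    for owner, rtype, rd in records:
        target = rd[-1]
        if rtype in ('MX', 'NS') and is_address(target):
            findings.append('%s %s -> %s: rdata must be a hostname, not an address' % (owner, rtype, target))
        elif rtype == 'NS' and in_zone(target) and not types_at.get(target, set()) & {'A', 'AAAA'}:
            findings.append('NS %s has no A/AAAA record in the zone' % target)
        elif rtype == 'CNAME' and in_zone(target) and target not in types_at:
            findings.append('CNAME %s -> %s: target does not exist in the zone' % (owner, target))
    for owner, types in types_at.items():
        if 'CNAME' in types and len(types) > 1:
            findings.append('%s has a CNAME next to other records' % owner)
    return findings

if __name__ == '__main__':
    fwd = parse_zone(FORWARD_ZONE, 'tbr.com')
    print('www A ->', lookup(fwd, 'www.tbr.com.', 'A'))
    print('bbs A ->', lookup(fwd, 'bbs.tbr.com.', 'A'))
    print('lint  ->', lint(fwd, 'tbr.com'))
    rev = parse_zone(REVERSE_ZONE, '254.25.172.in-addr.arpa')
    print('PTR   ->', lookup(rev, reverse_name('172.25.254.19'), 'PTR'))
```

The linter is deliberately about semantics that `named-checkzone` does not reject: a missing glue A record for an in-zone NS, a CNAME pointing nowhere, a CNAME sharing an owner with other records, and an address where a hostname is required. Running `named-checkzone tbr.com /var/named/tbr.com.zone` on the server remains the syntax check to do before each restart.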
######### Split internal and external DNS resolution ##########
Assume 172.25.254.119 is the internal test host and 172.25.254.219 is the external test host.
1. Edit the main configuration file
[[email protected] named]# vim /etc/named.conf
51 /*                                  \
52 zone "." IN {                       |
53 type hint;                          |
54 file "named.ca";                    |
55 };                                  |-> comment out this block
56                                     |
57 include "/etc/named.rfc1912.zones"; |
58 include "/etc/named.root.key";      |
59 */                                  /
==================================================================
60 view localnet {
61 match-clients { 172.25.254.119; };  ## matches clients coming from host 172.25.254.119
62 zone "." IN {            \
63 type hint;               |
64 file "named.ca";         |-> copied from lines 52-55
65 };                       /
66 include "/etc/named.rfc1912.zones";
67 };
68
69
70 view internet {
71 match-clients { 172.25.254.219; };  ## matches clients coming from host 172.25.254.219
72 zone "." IN {
73 type hint;
74 file "named.ca";
75 };
76 include "/etc/named.rfc1912.zones.inter";
77 };
## On lines 61 and 71 a whole network can be written instead: { 172.25.254.0/24; };
## What this part means:  / clients from 172.25.254.119 go and read /etc/named.rfc1912.zones
##                        \ clients from 172.25.254.219 go and read /etc/named.rfc1912.zones.inter
2. Configure /etc/named.rfc1912.zones and /etc/named.rfc1912.zones.inter
[[email protected] named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter  ## -p is required here
## Using /etc/named.rfc1912.zones as the template, create the file that external hosts read
[[email protected] named]# vim /etc/named.rfc1912.zones.inter
25 zone "tbr.com" IN {
26 type master;
27 file "tbr.com.zone.inter";  ## external hosts then go and read this file
28 allow-update { none; };
29 };
3. Configure /var/named/tbr.com.zone.inter
[[email protected] named]# ls
data named.empty slaves
dynamic named.localhost tbr.comNaNr
named.ca named.loopback tbr.com.zone
[[email protected] named]# cp -p tbr.com.zone tbr.com.zone.inter  ## -p is required here
[[email protected] named]# ls
data named.empty slaves tbr.com.zone.inter
dynamic named.localhost tbr.comNaNr
named.ca named.loopback tbr.com.zone
[[email protected] named]# vim tbr.com.zone.inter
$TTL 1D
@       IN SOA  dns.tbr.com. root.tbr.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.tbr.com.
dns     A       172.25.0.219
www     A       172.25.0.19
www     A       172.25.0.18
bbs     CNAME   www.tbr.com.
tbr.com. MX 1   172.25.0.219.
[[email protected] ~]# systemctl restart named  ## takes effect after the restart
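The following Python script is an added example, not code from the notes; it simulates how named chooses a view for a client in the split configuration above. The view table is the mapping the notes set up (view name, match-clients, the included zones file, and the tbr.com zone file that include leads to); the `broad` and `fixed` variants at the bottom are constructed to show the first-match rule. Two points worth knowing when doing this for real: once any `view` statement exists, every zone (including the root hint zone and the includes) must live inside a view, which is why lines 51-59 are commented out; and views are tried top to bottom, so if line 61 is widened to `172.25.254.0/24` as the notes suggest, the external test host 172.25.254.219 also lands in `localnet` unless it is excluded with `!172.25.254.219;` or the `internet` view is listed first. A client matching no view is refused.

```python
"""Simulate named's view selection for the split configuration above.  Added
example, not code from the notes; the view table is the mapping the notes set
up, and the 'broad'/'fixed' variants below are constructed to show the
first-match rule."""
from ipaddress import ip_address, ip_network

# Views in the order they appear in the notes' named.conf: named evaluates
# views top to bottom and uses the first whose match-clients matches.
VIEWS = [
    ('localnet', ['172.25.254.119'], '/etc/named.rfc1912.zones', '/var/named/tbr.com.zone'),
    ('internet', ['172.25.254.219'], '/etc/named.rfc1912.zones.inter', '/var/named/tbr.com.zone.inter'),
]

def acl_matches(addr, entries):
    """BIND address-match-list semantics: the first element that matches decides,
    and a matching '!' element means the whole list does not match."""
    for entry in entries:
        negate = entry.startswith('!')
        target = entry.lstrip('!')
        hit = target == 'any' or addr in ip_network(target, strict=False)
        if hit:
            return not negate
    return False

def select_view(client_ip, views=VIEWS):
    """Return (view, zones include file, tbr.com zone file) for a client, or
    None when no view matches, in which case named refuses the query."""
    addr = ip_address(client_ip)
    for name, match_clients, include_file, zone_file in views:
        if acl_matches(addr, match_clients):
            return name, include_file, zone_file
    return None

if __name__ == '__main__':
    for ip in ('172.25.254.119', '172.25.254.219', '10.0.0.5'):
        print(ip, '->', select_view(ip))
    # Constructed variant: writing the subnet on line 61, as the notes suggest,
    # captures the external host too, because localnet is listed first.
    broad = [('localnet', ['172.25.254.0/24'], VIEWS[0][2], VIEWS[0][3]), VIEWS[1]]
    print('broad:', select_view('172.25.254.219', broad)[0])
    # Excluding the external host explicitly restores the intended split.
    fixed = [('localnet', ['!172.25.254.219', '172.25.254.0/24'], VIEWS[0][2], VIEWS[0][3]), VIEWS[1]]
    print('fixed:', select_view('172.25.254.219', fixed)[0])
```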
《Summary》
The logical relationship between the files:
                      / clients from 172.25.254.119 go and read /etc/named.rfc1912.zones
                      |                                          ||
                      |                                          \/
                      |                                    /var/named/tbr.com.zone
/etc/named.conf   --> |
(main config file)    |                                    /var/named/tbr.com.zone.inter
                      |                                          /\
                      |                                          ||
                      \ clients from 172.25.254.219 go and read /etc/named.rfc1912.zones.inter
Supplement
man 5 named.conf  ## documentation for the named.conf file