第21章,DNS服务

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了第21章,DNS服务相关的知识,希望对你有一定的参考价值。

更多内容请点击:

Linux学习从入门到打死也不放弃,完全笔记整理(持续更新,求收藏,求点赞~~~~) 

http://blog.51cto.com/13683480/2095439


第21章,DNS服务

 

本章内容:

               名字解析

               DNS服务

               实现主从服务器

               实现子域

               实现view

               编译安装bind

               压力测试

               DNS排错

               

 

DNS服务:-----------------------------------------------------------------------

               DNS:Domain Name Service     应用层协议

                     使用C/S结构,使用端口为 udp:53,tcp:53

                     其中,名字解析服务使用udp53,主从同步传输使用tcp53和udp53

               

               BIND:Bekerley Internet Name Domin     dns解析服务器端实现软件

                     ISC维护的服务之一(www.isc.org)

 

               本地名称解析配置文件:hosts

                     linux:     /etc/hosts

                     windows: %WINDIR%/system32/dvivers/etc/hosts

                     格式为:

                                   IPADDR FQDN1  FQDN2..

                                   122.10.117.2  www.test2.com www.test2.com ...

                                    ...

               

DNS解析:

               一次完整的查询请求过程:

                            clint--—>  本地host文件 ---> DNS Service  local cache ---> DNS Server(recursion)

                            ---> server cache  ---> iteration(迭代) ---> 根  --->顶级域名dns---> 二级域名dns...

                            --->  结果返回,本地local将结果缓存至本地

               

               DNS查询类型:

                     递归查询:recursion

                                    客户机只一次申请,返回结果。需要请求的dns服务器开启递归查询。

                    

                     迭代查询:iteration

                                    支持递归查询的dns服务器,在收到解析请求之后,如果请求的解析地址

                                    非自己提供,会从根域自顶而下,依次寻找解析服务器,得到结果之后返回

                                    给申请主机。

                                    此查询过程就称为迭代

               

               名称服务器:域内负责解析本域内的名称的主机

               

               根服务器:全球共13组,美国10  欧洲2 日本1

               

               解析类型:

                            正向解析: FQDN ---> IP

                            反向解析: IP----> FQDN

                             

                             注意:正反向解析是两个不同的名称空间,是两颗不同的解析树

                             

 

                             

DNS服务器类型:

               主DNS服务器: 

                             管理和维护所负责解析的域内解析库的服务器

               从DNS服务器:

                             从主服务器或另一台从服务器‘复制’(区域传送)解析库文件

                             

               缓存DNS服务器:

                             转发器,自己不负责任何区域解析,但是收到解析请求之后,会从根域开始自上而下

                             寻找解析,一旦找到,提交给用户,且会将结果暂时缓存起来,供其他用户查询

                            必须支持递归

 

名词解释:

               区域传送:    从服务器从主服务器同步解析库

                             完全传送:传送整个解析库

                             增量传送:传递解析库变化的那部分内容

                             

               序列号:

                             解析库版本号,主服务器解析库修改时,递增其序列号

               

               刷新时间间隔:

                             从服务器从主服务器请求同步解析的时间间隔

               

               重试时间间隔:

                             从服务器同步失败时,再次尝试时间间隔

               

               过期时长:

                             从服务器联系不到主服务器时,多久后停止服务

               

               通知机制:

                            notify  ,主服务器解析库发生变化时,会主动通知从服务器

               

               解析答案:

                            肯定答案:dns服务器通过迭代或者本地缓存得到肯定结果返回给用户

                             否定答案:请求的条目不存在等原因导致无法返回结果

                             权威答案:由负责所查询区域的区域解析服务器返回的结果

                             非权威答案:通过缓存返回的结果

 

               区域解析库:由众多解析记录(RR)组成

                            资源记录:Resource Record

                             

记录类型:

               SOA:      Start Of  Authority,起始授权记录,用于标记自己,一个区域解析库有且仅能有一个

                                    SOA记录,必须位于解析库的第一条记录

               A:          将 FQDN---> IP

               AAAA:    FQDN--->  IPv6

               PTR:       PoinTeR, IP -->  FQDN

               NS: Name  Server,专用于标明当前区域的DNS服务器

               CNAME:  Canonical Name,  别名记录 FQDN ---> FQDN

               MX:      Mail eXchanger, 邮件交换器

                             

资源记录定义的格式:

               语法:   name  [TTL] IN      rr_tpye           value

               注意:

                     1     TTL(time to live  )生存时间,可从全局继承

                     2     @ 可用于引用当前区域的名字

                     3     同一个名字可以通过多条记录定义多个不同的值,此时DNS服务器会以

                            轮询方式相应

                     4      同一个值也可能有多个不同的定义名字,通过多个不同的名字指向同一个值

                             进行定义,此仅表示通过多个不同的名字可以找到同一个主机

                    

                    

               SOA记录:

                            name:  当前区域的名字,例如"alitaobao.com"

                             value:由多部分组成

                                   1     当前区域的主dns服务器的fqdn,也可以使用当前区域的名字

                                   2     当前区域管理员的邮箱地址;但地址中不能使用@符号,用‘.’替换

                                   3     主从服务区域相关定义以及否定答案的统一TTL

                            例如:

                            @    IN     SOA       ns1.alitaobao.com.  admin.alitaobao.com. (

                                                         20180060201  ;序列号

                                                         2H                  ;刷新时间

                                                         10M               ;重试时间

                                                         1W                ;过期时间

                                                         1D   )           ;否定答案的TTL值

                             

                            其中";" 表示注释

                              

               NS记录:

                             name:当前区域的名字

                             value:当前区域的某dns服务器的名字,例如ns.alitaobao.com.

                             一个区域可以有多个NS记录

                                    例如:     

                                           alitaobao.com.      IN    NS    ns1.alitaobao.com.

                                           alitaobao.com.      IN    NS    ns2.alitaobao.com.        

                            注意:

                                   1     相邻的两个资源记录的name相同时,后续的可省略

                                   2     对NS记录而言,任何一个ns记录后面的服务器名字,都应该有一个A记录

                                    

               MX记录:

                             name:当前区域的名字

                             value:当前区域的某邮件服务器(smtp服务器)的主机名

                            一个区域内,MX记录可以有多个,但每个记录的value之前应该有一个数字

                            (0-99,并且是5的倍数),表示此服务器的优先级,数字越小优先级越高

                                    例如:

                                           alitaobao.com.      IN    MX 5       mx1.alitaobao.com.

                                                                       IN    MX 10     mx2.alitaobao.com.

                            注意:

                                   对MX记录而言,任何一个MX记录后面的服务器名字,都应该在后续有一个A记录

                                    

               A记录:

                            name:     某主机的FQDN,例如www.alitaobao.com.

                            value:     主机名对应主机的IP地址

                                    例如:

                                           www.alitaobao.com.     IN    A      1.1.1.1

                                           ops.alitaobao.com.       IN    A      2.2.2.2

                                           mx1.alitaobao.com.      IN    A      3.3.3.3

                                           mx2.alitaobao.com.      IN    A      4.4.4.4

                                           $GENERATE 1-254 HOST$  A     1.2.3.$

                                           *.alitaobao.com.    IN    A      5.5.5.5

                                           alitaobao.com.             IN    A     6.6.6.6

                                           

                            *     泛域名解析,代表任意字段,

                                    避免用户写错名称时给错误答案,可通过泛域名解析至某特定地址

                                    

               AAAA:

                            name: FQDN

                            value:IPv6

                    

               PTR:

                            name: IP,有特定格式,把IP地址反过来写,加上特定后缀 in-addr.arpa.

                            value:     FQDN

                                    例如:

                                           4.3.2.1.in-addr.apra.     IN  PTR     a.alitaobao.com.

                                   如1.2.3为网络地址,可简写成:

                                          4     IN     PTR         a.alitaobao.com.

                             注意:网络地址及后缀可省略,主机地址依然需要反着写如:

                                           4.3   IN    PTR         a.alitaobao.com.

 

               别名记录CNAME:

                            name:     别名的FQDN

                            value:   真正名字的FQDN

                                    例如:

                                           www.alitaobao.     IN   CNAME  webserver.alitaobao.com.

                                           

                             

子域:

               子域授权:

                             每个域的名称服务器,都是通过其上级名称服务器在解析库进行授权

               类似根域授权tld:

                            .com.      IN     NS   ns1.com.

                            .com.      IN     NS   ns2.com.

                            ns1.com. IN     A     2.2.2.1

                            ns2.com. IN     A     2.2.2.2

               在.com的名称服务器上,授权alitaobao.com.,需要在解析库中增加如下资源记录

                            alitaobao.com.             IN    NS    ns1.alitaobao.com.

                            alitaobao.com.             IN    NS    ns2.alitaobao.com.

                            alitaobao.com.             IN    NS    ns3.alitaobao.com.

                             ns1.alitaobao.com. IN    A      3.3.3.1

                             ns2.alitaobao.com. IN    A      3.3.3.2

                             ns3.alitaobao.com. IN    A      3.3.3.3

               

               glue record:    粘合记录,父域授权子域的记录

               

               

bind:----------------------------------------------------------------------------

               :     dns服务服务器端实现

               

               使用yum安装的服务脚本和名称:

                            centos6:       /etc/rc.d/init.d/named

                            centos7:       /usr/lib/systemd/system/named.service

               主配置文件:

                             /etc/named.conf

                             /etc/named.rfc1912.zones

                             /etc/rndc.key

               解析库文件:

                             /var/named/ZONE_NAME.zone

 

 

               注意:

                     1     一台物理服务器可同时为多个区域提供解析

                     2     必须要有根区域文件;  named.ca

                                    生成named.ca:dig -t NS .  @a.root-servers.net. > /var/named/named.ca

                     3     应该有两个(如果包括ipv6的,应该更多)实现localhost和本地回环地址的解析库

                    

               rndc:     remote name domain controller 远程名称域控制器

                            默认与bind安装在同一主机,且只能通过127.0.0.1连接named进程

                             提供辅助性的管理功能:953/tcp

                             

配置文件:

主配置文件:/etc/named.conf   

                            全局配置:options {};

                            日志子系统配置:logging {};

                            区域定义:    本机能够为哪些zone进行解析,就要定义哪些zone

                                                  zone "zone_name" IN    {};

                                                  一般定义在:/etc/named.rfc1912.zones 中

               特别注意:

                            每一行必须以";"结尾,

                            { ;};   花括号内外结尾都必须加;

                    

               设置监听接口与端口:

                             options{

                                   listen-on  port 53 { IP; };

                            };

                             

                             默认配置为只监听回环地址,可直接修改成需要监听的IP地址

                                           或者localhost

                             也可以删除此行,或使用"//"将此行这注释掉,默认监听全部本地接口

               

               设置zones文件目录:

                            directory       "/var/named"

                             

               访问控制列表:

                            bind内置4个控制列表:

                                           none:    没有一个主机

                                           any:      任意主机

                                           localhost:本机

                                           localnet:本网段,即本机的IP 同掩码运算后得到的网络地址

 

               访问控制指令:

                            allow-query  {};     允许查询的主机;白名单

                                                                一旦定义,名单以外的主机禁止访问

                            allow-transfer  {}; 允许区域传送的主机;白名单

                            allow-recursion  {};允许递归的主机,白名单,建议全局使用

                            allow-update  {};    允许动态更新数据库中的内容

                             

                             访问控制指令可以写在options{};中,表示全局有效

                                           也可以写在zone""{};定义中,针对指定区域

                                           范围越小优先级越高

 

               其他选项:

                            recursion yes|no; 是否开启递归功能

                             

                            dnssec-enable  yes;              此两项为安全选项,如非特别需要,或者非常熟悉此功能配置

                            dnssec-validation  yes;  否则建议关:闭

               

               根区域定义:

                            zone "." IN  {

                                   type  hint;

                                   file  "named.ca";

                             };

               

实验1:配置缓存名称服务器

               步骤:     centos7.5为例

                     1     yum 安装  bind

                     2     修改主配置文件,注释掉listen-on 和 allow-query 两行,修改dnssec 两行值为no

                     3     开启named服务   systemctl start named;systemctl enable named

                     4     使用ss -tunl  查看tcp udp 53端口记忆tcp953端口是否正常开启

                     5     在另外一台虚拟机上测试是否可以正常解析

                                   dig  www.baidu.com @192.168.65.155

 

实验2: 配置主dns服务器,且实现ip地址轮询

               环境配置:

                            还是实验1中的dns服务器,现需要配置区域  alitaobao.com 的正向解析区域

                            服务器ip地址:192.168.65.155 静态ip 另外还一块网卡通过dhcp连接外部网络

                             http服务器两台且处于运行状态

                                           192.168.65.150       页面 web1.alitaobao.com

                                           192.168.65.128       页面 web2.alitaobao.com

               实现步骤:

                     1     在主配置文件中添加区域

                                          vim  /etc/named.rfc1912.zones

                                          zone  "alitaobao.com" IN {

                                                  type master;

                                                  file "alitaobao.zone";

                                           };

                     2     配置区域解析库文件

                                          vim  alitaobao.zone

                                          $TTL  86400

                                          @       IN       SOA     ns1.alitaobao.com.   fun.alitaobao.com. (

                                                                                     2018060201

                                                                                     1H

                                                                                     10M

                                                                                     3D

                                                                                     1D )

                                                         IN      NS      ns1

                                                         IN      NS      ns2

                                           ns1     IN      A        192.168.65.155

                                           ns2     IN      A        192.168.65.160

                                           www     IN      A        192.168.65.128

                                                         IN      A       192.168.65.150

                                          @       IN       A        192.168.65.128

                                                         IN      MX 5    mx1

                                                         IN      MX 10   mx2

                                           mx1     IN      A        192.168.65.155

                                           mx2     IN      A        192.168.65.155

                                          *       IN       A       192.168.65.128      

                    

                     3     修改文件属组和权限

                                          chown  :named /var/named/alitaobao.zone

                                          chmod  640 /var/named/alitaobao.zone

 

                     4     检查配置:

                                           named-checkconf         检查主配置文件语法错误

                                           named-checkzone "alitaobao.com"  /var/named/alitaobao.zone

                                                         检查区域解析库文件语法是否错误

                    

                     5     重读配置文件:

                                           使用rndc reload 命令重读配置文件

                    

                     6     使用dig -t A  www.alitaobao.com @192.168.65.155 测试解析

                    

                     7     在另外一台虚拟机上测试打开www.alitaobao.com 是否轮询

                                           修改/etc/resolv.conf 默认dns为192.168.65.155

                                           使用curl www.alitaobao.com 测试页面

                    

                     结果:随机打开web1 和web2 页面

 

 

测试命令:

               dig:       

                            dig [-t type] name  [@server] [query options]

                                           只用于测试dns系统,不会查询本地hosts文件解析

                            查询选项:

                                           +[no]trace      跟踪解析过程:dig +trace baidu.com

                                                                不管是否制定dns服务器,始终从根开始

                                           +[no]recurse:进行递归解析

                             

                            测试反向解析:

                                          dig -x  IP

                                          dig -t  ptr 反写ip.in-addr.arpa

                            模拟区域传送:

                                          dig -t  axfr zone_name @server

                                          dig -t  axfr alitaobao.com @192.168.65.155

                                          dig -t  axfr 65.168.192.in-addr.arpa @192.168.65.155

                                          dig -t  NS . @a.root-servers.net

        

               host:

                            host [-t tpye] name  [SERVER]

                                    例如:

                                          host  -t NS alitaobao.com 192.168.65.155

                                          host  -t axfr alitaobao.com 192.168.65.155

                                          host  alitaobao.com

                                           

               nslookup:

                            nslookup [-option]  [name|-] [server]

                                    例如:

                                           nslookup www.alitaobao.com [192.168.65.155]

                             

                            交互式命令:

                                   nslookup

                                   >server IP             用于切换dns服务器

                                   >set  q=type 用于切换查询类型

                                   >FQDN                要查询的名称

 

rndc命令使用:

               用法:rndc COMMAND

               COMMAND:

                            reload                           从在主配置文件和区域解析库文件

                            reload  ZONE_NAME     重载指定区域解析库文件

                            retransfer  ZONE_NAME        手动启动区域传送,而不管序列号是否增加

                            notify  ZONE_NAME      重新对区域传送发通知

                            reconfig                重载主配置文件

                            querylog               开启或关闭查询日志文件/var/log/message

                            trace                           递增debug一个级别

                            trace LEVEL                 指定使用的debug级别

                            notrace                        将调试级别设置为0

                            flush                            清空dns服务器的所有缓存记录

 

               

反向区域:

               区域名称:网络地址反写.in-addr.arpa.

                            172.15.100. --->  100.15.172.in-addr.arpa.

               

               1     定义区域

               

               2     定义区域解析库文件

                     注意:不需要MX 以PTR记录为主

                    

 

实验3:配置反向区域解析:

               1     定义区域

                                   vim  /etc/named.rfc1912.zones

                                   zone  "65.168.192.in-addr.arpa" IN {

                                          type  master;

                                          file  "65.168.192.in-addr.arpa.zone";                                                

                                    };

 

               2     定义区域解析库文件

                                   vim  /var/named/65.168.192.in-addr.arpa.zone

                                   $TTL  86400

                                   @       IN       SOA     ns1.alitaobao.com.  admin.alitaobao.com. (

                                                                              2018060201

                                                                              1H

                                                                              10M

                                                                              3D

                                                                              1D )

                                                  IN      NS      ns1.alitaobao.com.

                                                  IN      NS      ns2.alitaobao.com.

                                   128     IN       PTR      www.alitaobao.com.

                                   150     IN       PTR      www.alitaobao.com.

 

               3     修改权限并重载配置文件

                                   chown :named  /var/named/65.168.192.in-addr.arpa.zone

                                   chmod 640  /var/named/65.168.192.in-addr.arpa.zone

                                   rndc  reload

               

               4     测试:

                                   dig -x  192.168.65.128 @192.168.65.155

                                   dig -t ptr  128.65.168.192.in-addr.arpa @192.168.65.155

                                   host -t ptr  192.168.65.128

                     注意:host命令查询ptr记录可以不用反写ip

                    

允许动态更新:未复现

               ? 指定的zone语句块中:Allow-update {any;};

                            ? chmod 770  /var/named

                            ? setsebool  -P named_write_master_zones on  

                                    此命令需要开启selinux

                                    未复现

                            ?  nsupdate

                            ? >server  127.0.0.1

                            ? >zone  magedu.com

                            ? >update add  ftp.magedu.com 88888 IN A 8.8.8.8

                            ?  >send

                            ? >update delete  www.magedu.com A

                            ? >send  

                            ? 测试:dig ftp.magedu.com @127.0.0.1

                            ll  /var/named/magedu.com.zone.jnl

                            cat  /var/named/magedu.com.zone            

                    

 

从服务器:

               注意事项:

                     1     应该为一台独立的名称服务器

                     2     主服务器的区域解析库文件中必须有一条NS记录指向从服务器

                     3      从服务器只需要定义区域,而无需提供解析库文件,解析库文件应该放置于

                            /var/named/slaves/  目录中

                     4     主服务器得允许从服务器做区域传送

                     5     主从服务器时间应该同步,可通过ntp进行

                     6     bind程序的版本应该保持一致,否则,应该从高主低

                     7     如主服务器down掉之后,过期时间到了过了但是服务器还没上线

                             从服务器将会停止服务

               

               定义从区域的方法:

                            zone "ZONE_NAME" IN  {

                                   type  slave;

                                   masters  { MASTER_IP; };

                                   file  "slaves/ZONE_NAME.zone.slave";

                             };

               

 

实验4:配置正反向从服务器,并实现主从同步             

               1     开启另外一台虚拟机,ip为192.168.65.160 ,作为从dns服务器使用

               2     使用yum  install bind 安装bind

               3      修改主配置文件,监听端口,允许访问的列表,dnssec

               4     定义正向区域zone

                                   vim  /etc/named.rfc1912.zones

                                   zone  "alitaobao.com" IN {

                                                  type slave;

                                                  masters { 192.168.65.155; };

                                                  file "slaves/alitaobao.com.zone.slave";

                                   };                  

               5     定义反向区域zone                                   

                                   zone  "65.168.192.in-addr.arpa." IN {

                                                  type slave;

                                                  masters { 192.168.65.155; };

                                                  file "slaves/65.168.192.in-addr.arpa.zone.slave";

                                    };

               

               6     开启服务,systemctl start named

               

               7     查看区域解析库文件是否已同步

                                    [[email protected] /var/named/slaves]#ls

                                    65.168.192.in-addr.arpa.zone.slave   alitaobao.com.zone.slave

                     还可以通过日志查看:

                                   tail -f  /var/log/messages

                     也可以在主服务器中查看日志

                                    

               8     测试名字解析

                                   dig  www.alitaobao.com @192.168.65.160

                                   dig -t MX  alitaobao.com @192.168.65.160

               

               9      主服务器修改解析,更新序列号之后,查看是否同步

                            使用tail -f /var/log/messages   查看已同步

                    

                      主服务器修改解析,不更新序列号,查看是否同步

                                    未同步

                                    

                      主服务器单独修改序列号,未更新解析记录,查看是否同步

                                    会同步

               

                     主服务器设置allow-transfer { none; }; 且修改解析和序列号:

                                    查看日志:

                                    主服务器端     zone transfer 'alitaobao.com/IXFR/IN' denied

                                    从服务器端     failed while receiving responses: REFUSED

 

 

实验5:实现子域授权

               使用另外一台虚拟机192.168.65.150 作为子域 baidu.alitaobao.com 的dns服务器

               1     在父域上授权子域:

                            vim  /var/named/alitaobao.zone   

                            添加两条记录

                            baidu   IN       NS       ns1.baidu

                            ns1.baidu IN    A        192.168.65.128

               2     子域服务器修改主配置文件选项

               3     子域服务器修改定义区域,增加

                                   zone  "baidu.alitaobao.com" {

                                          type  master;

                                          file  "baidu.alitaobao.com.zone";

                                    };

 

               4     子域服务器定义区域解析库文件:

                                   $TTL  86400

                                   @       IN       SOA     ns1.baidu.alitaobao.com.  fun.baidu.taobao.com. (

                                                                              2018050201

                                                                              1D

                                                                              30M

                                                                              7D

                                                                              1D )

                                                  IN      NS      ns1

                                   ns1     IN       A        192.168.65.150

                                   www     IN       A        192.168.65.128

                                   *       IN       A       192.168.65.128                    

               

               5     启动服务

               

               6     测试:

                            dig  www.baidu.alitaobao.com @192.168.65.150

                             

               7     注意:需关闭dnssec功能

               

 

实验6:实现区域转发和全局转发

               1     在测试机查询       dig ftp.alitaobao.com  @192.168.65.150

                     由于alitaobao.com 这个区域只是私自定义,并未在互联网上注册

                     所以通过baidu.alibaidu.com这个区域解析服务器查询时,由于子域并不知道父域ip

                     所以会从根域开始自上而下搜寻

                     当然找不到

 

               2     子域服务器设置区域转发,在192.168.65.150服务器上将区域alitaobao.com  转向192.168.65.155

                            vim  /etc/named.rfc1912.zones

                            zone "alitaobao.com"  IN {

                                          type  forward;

                                           forward only;

                                           forwarders { 192.168.65.155; };

                             };

                     执行rndc reload

               3     测试机测试dig ftp.alitaobao.com @192.168.65.150

                      会发现依然无法查看,注意此时需要子域服务器执行 rndc flush  清除缓存即可

                    

               4     设置全局转发:

                            在子域dns服务器主配置文件中定义全局配置:

                                           forward only;

                                           forwarders { 114.114.114.114;};

                             同时将上一步中区域转发注释掉或者删除

                            执行rndc reload

                            执行rndc flush

               

               5     测试机上测试       dig www.baidu.com  @192.168.65.150          OK

                                    测试        dig ftp.alitaobao.com @192.168.65.150            NOT OK

                     证明114 无法解析  ftp.alitaobao.com

                             

                     再次开启区域转发,reload flush

                     然后再次测试       dig ftp.alitaobao.com  @192.168.65.150             OK

                    

                     所以:    区域转发优先级高于全局转发

 

 

bind 中的ACL

               ACL: 访问控制列表

                             把一个或多个地址归并为一个集合,并通过一个统一的名称调用

                             

               格式:     

                            acl list_name  {

                                    ip;

                                    net;

                                    ...

                             };

               示例:

                            acl mymet  {

                                    172.20.0.0/16;

                                    10.10.10.10;

                            };

 

               系统自带列表: none,any,localhost,localnet

               

               注意:     只能先定义,后使用

                             因此一般定义在配置文件中,处于options的前面

              

               

bind view:

               view:    视图,用于实现只能DNS

                            一个bind服务器可以定义多个view,每个view中可以定义一个或多个zone

                            每个view用来匹配一组客户端

                            多个view内可能需要对同一个区域进行解析,但使用不同的区域解析库文件

                             

               注意:

                     1     一旦启用了view,所有的zone都只能定义在view中,

                     2     仅在允许递归请求的客户端所在view定义根区域

                     3     客户端请求到达时,是自上而下检查每个view所服务的客户端列表

                    

               格式:

                            view VIEW_NAME  {

                                   match-clients  { LIST ;};

                                   zone  "alitaobao.com" IN {

                                          type  master;

                                          file  "alibaidu.com.zone";

                                    };

                                   include  "/etc/named.rfc1912.zones"

                             };

                             

 

实验7: 通过view实现智能dns

               192.168.65.160       充当dns服务器,解析区域为baidu.com

               要求:

                            当192.168.65.128访问www.baidu.com时,指向1.1.1.1

                            当192.168.65.150访问www.baidu.com时,指向2.2.2.2

                            当192.168.65.155访问www.baidu.com时,指向3.3.3.3

               

               步骤:

               1     修改配置文件,vim /etc/named.conf 修改 必要选项

                     如:  listen-on allow-query dnssec

                    

               2     定义acl

                            acl list128  {

                             192.168.65.128;

                             };

                            acl list150  {

                                           192.168.65.150;

                             };

                            acl list155  {

                                           192.168.65.155;

                             };

               

               3     定义view,以及各个view中定义的区域"baidu.com"

                             

                            view huazhongnet  {

                                           match-clients { list128; };

                                          zone  "baidu.com" IN {

                                                         type master;

                                                         file "huazhongnet.zone";

                                           };

                                           include "/etc/named.rfc1912.zones";

 

                             };

 

                            view huanannet  {

                                           match-clients { list150; };

                                          zone  "baidu.com" IN {

                                                         type master;

                                                         file "huanannet.zone";

                                           };

                                           include "/etc/named.rfc1912.zones";

                             };

 

                            view huabeinet  {

                                           match-clients { list155; };

                                          zone  "baidu.com" IN {

                                                         type master;

                                                         file "huabeinet.zone";

                                           };

                                           include "/etc/named.rfc1912.zones";

                            };                         

                    

               4     将根域  "." 定义到/etc/named.rfc1912.zones中

                            zone "." IN  {

                                          type  hint;

                                          file  "named.ca";

                            };                         

 

               5     定义区域配置库文件 huazhongnet.zone,以及属组、权限修改

                            vim  /var/named/huazhongnet.zone

                            $TTL  86400

                            @       IN       SOA     ns1.baidu.com.  fun.baidu.com. (

                                                                       2018060201

                                                                       1D

                                                                       1H

                                                                       7D

                                                                       1D )

                                           IN      NS      ns1

                            ns1     IN       A        192.168.65.160

                            @       IN       A        1.1.1.1

                            www     IN       A        1.1.1.1

                            *       IN       A        1.1.1.1

                    

                     定义区域配置库文件 huanannet.zone,以及权限修改

                            $TTL  86400

                            @       IN       SOA     ns1.baidu.com.  fun.baidu.com. (

                                                                       2018060201

                                                                       1D

                                                                       1H

                                                                       7D

                                                                       1D )

                                           IN      NS      ns1

                            ns1     IN       A        192.168.65.160

                            @       IN       A        2.2.2.2

                            www     IN       A        2.2.2.2

                            *       IN       A        2.2.2.2

                    

                     定义区域配置库文件 huanannet.zone,以及权限修改

                            $TTL  86400

                            @       IN       SOA     ns1.baidu.com.  fun.baidu.com. (

                                                                       2018060201

                                                                       1D

                                                                       1H

                                                                       7D

                                                                       1D )

                                           IN      NS      ns1

                            ns1     IN       A        192.168.65.160

                            @       IN       A        3.3.3.3

                            www     IN       A        3.3.3.3

                                          IN      A        3.3.3.3

                                           

                     chgrp named  /var/named/*

                     chmod 640  /var/named/*

 

               6     启动服务并测试

                     在三台测试机上分别执行 host www.baidu.com 192.168.65.160

                     结果OK

               

 

编译安装bind:---------------------------------------------------------------------

 

编译安装步骤:

               1     建立named组和named账号

                            groupadd -g 53 -r  named

                            useradd -r -g named  -u 53 named

               2     安装开发包组

                            group install  "development tools"

        

               3     下载源码包,并解压,cd到解压目录

               4     less README,执行./configure   查看安装选项

               5     执行configure程序

                     ./configure  --prefix=/usr/local/bind9 --without-openssl --without-ipv6  

                             --sysconfdir=/etc/named --enable-threads  --disable-chroot

               

               6     make

               7     make  install

               

通用安装后配置:

               1     添加PATH路径

                     vim  /etc/profile.d/named.sh

                                    PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH

               

               2     添加库文件

                     vim  /etc/ld.so.conf.d/name.conf

                                    /usr/local/bind9/lib

                     ldconfig  -v

                     ln -sv  /usr/local/bind9/include /usr/include/named

               

               3     添加man  文档路径

                     vim  /etc/man.conf   man_db.conf                   分别对应centos6 centos7

                     添加一行路径记录

                     MANPATH             /usr/local/bind9/share/man

               

添加、编辑配置文件:

               1     编辑主配置文件

                     vim  /etc/named/named.conf

                                   options  {

                                                  directory        "/var/named/";

                                                  dnssec-enable no;

                                                  dnssec-validation no;

                                                  recursion yes;

                                    };

 

                                   zone "." IN  {

                                                  type hint;

                                                  file "named.ca";

                                     };

 

                                   zone  "localhost" IN {

                                                  type master;

                                                  file "named.localhost";

                                                  allow-update { none; };

                                    };

 

                                   zone  "1.0.0.127.in-addr.arpa" IN {

                                                  type master;

                                                  file "named.loopback";

                                                  allow-update { none; };

                                    };

 

               2     添加区域解析库文件

                     mkdir  /var/named

                     cd  /var/named

                    

                     生成named.ca

                                   dig +norec  @a.root-servers.net. > named.ca

                     生成named.localhost

                                   vim  named.localhost            

                                   $TTL  86400

                                   @       IN       SOA     ns1.localhost.  fun.localhost. (

                                                                              01

                                                                              1D

                                                                              1H

                                                                              3D

                                                                              1D )

                                                  IN      NS      localhost.

                                    localhost.      IN      A        127.0.0.1

                    

                     生成named.loopback

                                   vim  named.loopback

                                   $TTL  86400

                                   @       IN       SOA     localhost.      fun.localhost. (

                                                                              01

                                                                              1D

                                                                              1H

                                                                              3D

                                                                              1D )

                                                  IN      NS      @

                                                  IN      A       127.0.0.1

                                                  IN      PTR     localhost.

 

               3     修改配置文件权限

                                   chgrp -R  named /etc/named/

                                   chgrp -R  named /var/named/

                                   chmod -R 640  /etc/named/*

                                   chmod -R 640  /var/named/*

                     注意:   

                                    不要修改主目录/etc/named /var/named 权限

                                    如需修改,也必须保持named用户对主目录有rx权限

               

启动和测试服务:

                     man named                获取使用选项

                     named-checkconf       检查配置文件语法是否错误

                      named-checkzone  "zone" /zonefile    检查区域解析库文件语法是否错误

                     named -u named -f -g      前台启动,查看是否正常

                     如无异常使用 named -u named 启动后台执行

                      如没有添加区域,则默认为一台缓存dns服务器

                    

                      注意:编译安装启动的程序无法通过systemctl 控制启动和关闭

                      如通过后台执行,需要关闭程序,需要使用kill命令

                     例如:

                                   killall -1  named    重读配置文件

                                   killall named          关闭服务

                     如果最小化安装,默认没有killall的情况下

                            1     直接使用kill  配合ps命令

                            2     yum install psmisc 安装即可

                    

               

使用rndc:

               生成key:

                            rndc-confgen -r  /dev/urandom > /etc/named/rndc.conf

               写入主配置文件:

                            tail  /etc/named/rndc.conf >> /etc/named/named.conf

               删除注释:

                            vim  /etc/named/named.conf

                            删除写入key文件那几行前面的# 最后一行 #  End of named.conf 保留#

               重读配置文件:

                            killall -1  named

               测试使用rndc

                            rndc status  

                    

        

压力测试:

               编译压力测试工具:

                            cd  contrib/queryperf/

                             ./configure

                             make

                            cp queryperf  /usr/bind9/bin

               编辑测试文件:

                            vim  test.txt

                            www.magege.com  A

                             ....

                             一系列解析操作集合,视机器配置,一般10W行左右即可

               测试:

                            queryperf -d  test.txt -s 192.168.65.155

                             

               打开日志功能测试:

                            rndc  querylog

                            rndc  reload

                            queryperf -d  test.txt -s 192.168.65.155

                            wc -l  /var/log/message

 

笔记整理完成时间:2018年6月5日09:33:19

 

以上是关于第21章,DNS服务的主要内容,如果未能解决你的问题,请参考以下文章

计算机网络自顶向下方法第2章-应用层(application-layer).2

第13章 使用Bind提供域名解析服务

第4章 思科IOS

常见协议和标准

170325 第六章应用层 域名系统 DNS

Dns服务搭建文档