ineternet dns架构的实现
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了ineternet dns架构的实现相关的知识,希望对你有一定的参考价值。
ineternet dns架构的实现互联网中dns的架构为下图所示
主机 | OS | IP |
---|---|---|
www | centos6 | 192.168.73.2 |
client | centos6 | 192.168.73.3 |
mylinuxopsdns1 | centos7 | 192.168.73.10 |
mylinuxopsdns2 | centos7 | 192.168.73.20 |
comdns | centos7 | 192.168.73.30 |
rootdns | centos7 | 192.168.73.40 |
ldns | centos7 | 192.168.73.50 |
一、在www主机上部署httpd服务
1.启动httpd服务
[[email protected] ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server‘s fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
2.为http主机创建一个zhuye
[[email protected] ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html
3.测试
[[email protected] ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>
二、配置mylinuxopsdns1
1.安装bind服务
[[email protected] ~]# yum install bind -y
2.启动服务应设置为开机启动
[[email protected] ~]# systemctl start named
[[email protected] ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
3.修改dns主配置文件
将监听地址和允许访问的主机注释
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
4.修改区域配置文件,添加区域记录
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
type master;
file "mylinuxops.com.zone";
};
5.创建区域数据库文件
[[email protected] ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[[email protected] ~]# vim /var/named/mylinuxops.com.zone
$TTL 1D
@ IN SOA master admin.mylinuxops.com (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 192.168.73.10
slave A 192.168.73.20
www A 192.168.73.2
6.检查语法错误
[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone
zone mylinuxops.com/IN: loaded serial 0
OK
7.重读配置文件
[[email protected] ~]# rndc reload
8.在client主机上测试
[[email protected] ~]# dig www.mylinuxops.com @192.168.73.10
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 86400 IN NS master.mylinuxops.com.
;; ADDITIONAL SECTION:
master.mylinuxops.com. 86400 IN A 192.168.73.10
;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE rcvd: 89
三、配置dns从服务器mylinuxopsdns2
1.安装bind服务
[[email protected] ~]# yum install bind -y
2.启动dns服务设置为开机自动启动
[[email protected] ~]# systemctl start named
[[email protected] ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
3.修改主配置文件
将端口行和允许访问的主机注释
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
4.修改区域配置文件
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
type slave;
masters {192.168.73.10;};
file "slaves/mylinuxops.zone";
};
5.检查语法错误
[[email protected] ~]# named-checkconf
6.重读配置文件
[[email protected] ~]# rndc reload
7.查看区域数据库文件是否已经被拉取到本地
[[email protected] ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone
8.安全加固
由于主从dns服务器都没有对能拉取区域数据库的主机加以限制,这样是非常不安全的,所以需要对主机的安全行进行加固
8.1对从服务器主配置文件修改,添加allow-transfer
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-transfer {none;};
// allow-query { localhost; };
[[email protected] ~]# rndc reload
server reload successful
8.2对主服务器主配置文件修改,添加allow-transfer只允许从服务来拉取数据
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-transfer {192.168.73.20;};
// allow-query { localhost; };
[[email protected] ~]# rndc reload
server reload successful
四、搭建com域dns服务器
1.安装dns服务
[[email protected] ~]# yum install bind -y
2.修改dns主配置文件
将监听的ip和允许访问的主机行注释
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
3.修改区域文件添加com域
[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
type master;
file "com.zone";
};
4.创建区域数据库文件
[[email protected] ~]# cp -p /var/named/{named.localhost,com.zone}
[[email protected] ~]# vim /var/named/com.zone
$TTL 1D
@ IN SOA master admin.mylinuxops.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
mylinuxops NS ns1
mylinuxops NS ns2
master A 192.168.73.30
ns1 A 192.168.73.10
ns2 A 192.168.73.20
5.检查配置文件语法
[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone com /var/named/com.zone
zone com/IN: loaded serial 0
OK
6.启动服务
[[email protected] ~]# systemctl restart named
7.测试
在client端进行测试
[[email protected] ~]# dig www.mylinuxops.com @192.168.73.30
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 86400 IN NS ns2.com.
mylinuxops.com. 86400 IN NS ns1.com.
;; ADDITIONAL SECTION:
ns1.com. 86400 IN A 192.168.73.10
ns2.com. 86400 IN A 192.168.73.20
;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE rcvd: 131
五、搭建root域上的dns服务
1.安装dns服务
[[email protected] ~]# yum install bind -y
2.修改主配置文件
将监听地址和允许访问的主机行注释,修改最底下的根域
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
....
zone "." IN {
type master;
file "root.zone";
};
3.创建根域数据库
[[email protected] ~]# cp -p /var/named/{named.localhost,root.zone}
[[email protected] ~]# vim /var/named/root.zone
$TTL 1D
@ IN SOA ns1 admin.mylinuxops.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1
com NS master
ns1 A 192.168.73.40
master A 192.168.73.30
4.检查语法错误
[[email protected] ~]# named-checkconf
[[email protected] ~]# named-checkzone . /var/named/root.zone
zone ./IN: loaded serial 0
OK
5.启动dns服务
[[email protected] ~]# systemctl start named
[[email protected] ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
6.测试
[[email protected] ~]# dig www.mylinuxops.com @192.168.73.40
; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com. IN A
;; ANSWER SECTION:
www.mylinuxops.com. 86400 IN A 192.168.73.2
;; AUTHORITY SECTION:
mylinuxops.com. 85104 IN NS ns1.com.
mylinuxops.com. 85104 IN NS ns2.com.
;; ADDITIONAL SECTION:
ns1.com. 85104 IN A 192.168.73.10
ns2.com. 85104 IN A 192.168.73.20
;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE rcvd: 131
六、配置本地DNS
1.安装dns服务
[[email protected] ~]# yum install bind -y
2.修改本地DNS的主配置文件
将监听地址和允许访问的主机注释,将dnssec相关的两项关闭
[[email protected] ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
....
dnssec-enable no;
dnssec-validation no;
3.修改本地的根数据文件
将根数据库文件指向rootdns所在的地址,其余的全部删除
[[email protected] ~]# vim /var/named/named.ca
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 192.168.73.40
七、在client进行测试
1.配置client端的网卡将其dns指向本地的dns服务器
[[email protected] ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=on
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50
2.重启服务
[[email protected] ~]# systemctl restart network
[[email protected] ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.73.50
3.测试访问www.mylinuxops.com
[[email protected] ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>
以上是关于ineternet dns架构的实现的主要内容,如果未能解决你的问题,请参考以下文章