Implementing an Internet DNS architecture


The Internet DNS architecture reproduced in this lab is shown in the figure below: a root server, a server for the com top-level domain, a primary and a secondary authoritative server for mylinuxops.com, a local recursive resolver, a web server and a client.
[Figure: Internet DNS architecture (image not preserved)]

The hosts used in the lab:

Host             OS       IP              Role
www              centos6  192.168.73.2    web server (httpd)
client           centos6  192.168.73.3    test client
mylinuxopsdns1   centos7  192.168.73.10   primary authoritative server for mylinuxops.com
mylinuxopsdns2   centos7  192.168.73.20   secondary authoritative server for mylinuxops.com
comdns           centos7  192.168.73.30   authoritative server for com
rootdns          centos7  192.168.73.40   root server
ldns             centos7  192.168.73.50   local recursive resolver

I. Deploy httpd on the www host

1. Start the httpd service

[root@www ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]

The warning only means that the hostname www does not resolve to an address yet; it is harmless and goes away once DNS resolves www or ServerName is set in httpd.conf.

2. Create a home page on the web host

[root@www ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html

3. Test

[root@www ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>

II. Configure mylinuxopsdns1 (primary authoritative server for mylinuxops.com)

1. Install BIND

[root@mylinuxopsdns1 ~]# yum install bind -y

2. Start the service and enable it at boot

[root@mylinuxopsdns1 ~]# systemctl start named
[root@mylinuxopsdns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main DNS configuration file

Comment out the listen-on and allow-query lines in /etc/named.conf, so that named listens on every IPv4 address and answers queries from any host. This is acceptable in an isolated lab; on a real authoritative server set listen-on to the service address and add recursion no, because the stock named.conf ships with recursion yes, and with allow-query opened up the host would otherwise also be an open recursive resolver.

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file and add the zone

[root@mylinuxopsdns1 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
        type master;
        file "mylinuxops.com.zone";
};

5. Create the zone database file

[root@mylinuxopsdns1 ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[root@mylinuxopsdns1 ~]# vim /var/named/mylinuxops.com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. (   ; mailbox written with a trailing dot
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.73.10
slave   A       192.168.73.20
www     A       192.168.73.2

The SOA mailbox must end with a dot. Written as the relative name admin.mylinuxops.com, BIND appends the origin and stores admin.mylinuxops.com.mylinuxops.com, and named-checkzone does not report it. Note also that this zone names its servers master and slave while the parent com zone (section IV) delegates to ns1.com and ns2.com; the lab works because the addresses match, but in a real deployment the child's NS set should match the parent's delegation.

6. Check for syntax errors

[root@mylinuxopsdns1 ~]# named-checkconf
[root@mylinuxopsdns1 ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone
zone mylinuxops.com/IN: loaded serial 0
OK

7. Reload the configuration

[root@mylinuxopsdns1 ~]# rndc reload

8. Test from the client host

[root@client ~]# dig www.mylinuxops.com @192.168.73.10

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     86400   IN  NS  master.mylinuxops.com.

;; ADDITIONAL SECTION:
master.mylinuxops.com.  86400   IN  A   192.168.73.10

;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE  rcvd: 89

III. Configure the secondary DNS server mylinuxopsdns2

1. Install BIND

[root@mylinuxopsdns2 ~]# yum install bind -y

2. Start the DNS service and enable it at boot

[root@mylinuxopsdns2 ~]# systemctl start named
[root@mylinuxopsdns2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main configuration file

Comment out the listen-on port line and the allow-query line, as on the primary:

[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file

[root@mylinuxopsdns2 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
        type slave;
        masters {192.168.73.10;};
        file "slaves/mylinuxops.zone";
};

5. Check for syntax errors

[root@mylinuxopsdns2 ~]# named-checkconf

6. Reload the configuration

[root@mylinuxopsdns2 ~]# rndc reload

7. Check that the zone database has been transferred to the local host

[root@mylinuxopsdns2 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone

8. Security hardening

Neither the primary nor the secondary currently restricts which hosts may pull the zone database, so anyone who can reach port 53/TCP can run dig axfr mylinuxops.com against either server and obtain the complete list of hosts in the zone. Restrict transfers with allow-transfer on both servers.

8.1 On the secondary, add allow-transfer to the options block of the main configuration file. The secondary has no downstream servers of its own, so it should refuse every transfer request:

[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {none;};
//      allow-query     { localhost; };

[root@mylinuxopsdns2 ~]# rndc reload
server reload successful

8.2 On the primary, add allow-transfer so that only the secondary may pull the zone. Matching on the source address is the minimum; for a stronger check BIND can also authenticate transfers with a TSIG key (a key statement shared by both servers, with allow-transfer { key <name>; } on the primary):

[root@mylinuxopsdns1 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {192.168.73.20;};
//      allow-query     { localhost; };

[root@mylinuxopsdns1 ~]# rndc reload
server reload successful
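To verify the hardening from a host that is not in the allow-transfer list, here is an added example (not from the original tutorial) that sends an AXFR request for a zone to a server over TCP and reports whether the server honoured it. The DNS message is built by hand so the decision logic can be checked on constructed packets; the server and zone arguments (for instance 192.168.73.10 and mylinuxops.com from the host table) are supplied on the command line, and the script file name is an assumption. Python 3, standard library only.

```python
"""Probe whether a DNS server allows a zone transfer (AXFR) of a zone.

Added example, not part of the original tutorial. The query is built on the
wire by hand and only the first reply message is inspected, so the decision
logic can be exercised offline on constructed packets; probe_axfr() is the
only function that touches the network."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPE_AXFR, QCLASS_IN = 252, 1


def encode_name(name):
    """Encode a dotted name as length-prefixed labels: 'a.com' -> b'\\x01a\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """Header (id, flags=0, qdcount=1) followed by one question of type AXFR.
    RD is left clear: a transfer is served from authoritative data, never recursed."""
    header = struct.pack(">HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)


def classify_response(msg, txid=0x1234):
    """'OPEN' if the server started sending the zone, 'REFUSED:<rcode>' if it
    rejected the request, 'EMPTY' for a NOERROR reply that carries no records."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    if rcode != 0:
        return "REFUSED:" + RCODES.get(rcode, str(rcode))
    # A permitted transfer begins with the zone's SOA in the answer section.
    return "OPEN" if ancount > 0 else "EMPTY"


def recv_exact(sock, n):
    """Read exactly n bytes from a TCP socket (DNS over TCP is length-prefixed)."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def probe_axfr(server, zone, timeout=3.0):
    """Send the AXFR over TCP port 53 and classify the first reply message."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack(">H", len(query)) + query)
        (length,) = struct.unpack(">H", recv_exact(sock, 2))
        return classify_response(recv_exact(sock, length))


if __name__ == "__main__":
    # e.g. python3 axfr_probe.py 192.168.73.10 mylinuxops.com
    print(probe_axfr(sys.argv[1], sys.argv[2]))
```

Run it from client against both 192.168.73.10 and 192.168.73.20 after the change: the expected result is REFUSED:REFUSED, whereas an unrestricted server answers OPEN and its first message already carries the zone's SOA. The stock tool gives the same check with dig axfr mylinuxops.com @192.168.73.10, which prints "; Transfer failed." when the transfer is denied. The probe only reads the first message; a complete transfer of a larger zone spans several.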

IV. Build the DNS server for the com zone

1. Install the DNS service

[root@comdns ~]# yum install bind -y

2. Edit the main DNS configuration file

Comment out the listen-on and allow-query lines:

[root@comdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

3. Edit the zone configuration file and add the com zone

[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
        type master;
        file "com.zone";
};

4. Create the zone database file

The two NS records for mylinuxops delegate mylinuxops.com to ns1.com and ns2.com; the A records for ns1 and ns2 are the glue that lets a resolver reach those servers without a second lookup.

[root@comdns ~]# cp -p /var/named/{named.localhost,com.zone}
[root@comdns ~]# vim /var/named/com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com.  (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      master
mylinuxops      NS      ns1
mylinuxops      NS      ns2
master          A       192.168.73.30
ns1             A       192.168.73.10
ns2             A       192.168.73.20

5. Check the configuration syntax

[root@comdns ~]# named-checkconf
[root@comdns ~]# named-checkzone com /var/named/com.zone
zone com/IN: loaded serial 0
OK

6. Start the service

[root@comdns ~]# systemctl restart named

7. Test

Test from the client. Note the flags in the reply below: aa is not set and ra is, so comdns did not answer from its own data; it followed its own delegation to ns1.com and recursed on the client's behalf, which the stock recursion yes setting allows. A real TLD server would return a referral instead; dig +norecurse www.mylinuxops.com @192.168.73.30 shows that referral.

[root@client ~]# dig www.mylinuxops.com @192.168.73.30

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     86400   IN  NS  ns2.com.
mylinuxops.com.     86400   IN  NS  ns1.com.

;; ADDITIONAL SECTION:
ns1.com.        86400   IN  A   192.168.73.10
ns2.com.        86400   IN  A   192.168.73.20

;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE  rcvd: 131

V. Build the root DNS server

1. Install the DNS service

[root@rootdns ~]# yum install bind -y

2. Edit the main configuration file

Comment out the listen-on and allow-query lines, and change the root zone definition at the bottom of the file from the default hint zone (which points at named.ca) to a master zone served from root.zone:

[root@rootdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
zone "." IN {
        type master;
        file "root.zone";
};

3. Create the root zone database

[root@rootdns ~]# cp -p /var/named/{named.localhost,root.zone}
[root@rootdns ~]# vim /var/named/root.zone
$TTL 1D
@       IN SOA  ns1 admin.mylinuxops.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
com     NS      master
ns1     A       192.168.73.40
master  A       192.168.73.30

4. Check for syntax errors

[root@rootdns ~]# named-checkconf
[root@rootdns ~]# named-checkzone . /var/named/root.zone
zone ./IN: loaded serial 0
OK

5. Start the DNS service and enable it at boot

[root@rootdns ~]# systemctl start named
[root@rootdns ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

6. Test

[root@client ~]# dig www.mylinuxops.com @192.168.73.40

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     85104   IN  NS  ns1.com.
mylinuxops.com.     85104   IN  NS  ns2.com.

;; ADDITIONAL SECTION:
ns1.com.        85104   IN  A   192.168.73.10
ns2.com.        85104   IN  A   192.168.73.20

;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE  rcvd: 131

VI. Configure the local DNS server ldns (the recursive resolver)

1. Install the DNS service

[root@ldns ~]# yum install bind -y

2. Edit the main configuration file of the local DNS

Comment out the listen-on and allow-query lines and turn off the two DNSSEC options. Validation has to be off here because the lab's root zone is unsigned while the resolver's built-in trust anchor is the real root key, so every answer would fail validation and return SERVFAIL; on a resolver that uses the real root servers, leave dnssec-validation on. Because allow-query is now open and recursion yes is the default, ldns answers recursive queries from anyone who can reach it; outside an isolated lab restrict that with allow-recursion { 192.168.73.0/24; } or an equivalent ACL.

[root@ldns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
        dnssec-enable no;
        dnssec-validation no;

3. Edit the local root hints file

Point the root hints at rootdns and delete all the other entries (the records of the real root servers), so that every resolution starts at 192.168.73.40:

[root@ldns ~]# vim /var/named/named.ca
.                       518400  IN      NS      a.root-servers.net.
a.root-servers.net.     3600000 IN      A       192.168.73.40

VII. Test from the client

1. Configure the client's network interface so that its DNS points at the local DNS server

[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50

2. Restart the network service and check the generated resolver configuration

[root@client ~]# systemctl restart network
[root@client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.73.50

3. Test access to www.mylinuxops.com. The client only knows about ldns, which resolves the name iteratively through rootdns, comdns and mylinuxopsdns1/mylinuxopsdns2 and returns 192.168.73.2:

[root@client ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>
