DNS Server (Part 2)
References
http://zhang789.blog.51cto.com/11045979/1858610
https://segmentfault.com/a/1190000010332312
Main configuration file format
Global options section:        options { ... }
Logging subsystem section:     logging { ... }
Zone definition section:       zone "ZONE_NAME" IN { ... }
Zone definitions: a zone statement must be defined for every zone this host is supposed to answer for.
Notes:
  Every configuration statement must end with a semicolon.
  Any service that is supposed to be reachable from other hosts over the network must listen on at least one IP address that can communicate with those hosts.
Configuring a caching name server
Listen on an address that external hosts can reach. The stock named.conf only listens on loopback (listen-on port 53 { 127.0.0.1; };), so change it to the server's real address:

    listen-on port 53 { 172.16.252.245; };

Each address inside the braces is one element of an address list and ends with its own semicolon; the statement itself ends with another one.
dnssec: for a lab server it is simplest to turn DNSSEC off (recommended only when experimenting on your own):

    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;

Caveat: with dnssec-validation off the server accepts whatever answers it receives without checking signatures, so this is a lab setting only; a resolver that serves real users should keep validation on. dnssec-lookaside refers to the DLV registry, which ISC has shut down, and both it and dnssec-enable have been deprecated or removed in newer BIND releases, so check the named-checkconf output after adding them.

Allow queries from more than localhost. The stock file restricts queries with allow-query { localhost; }; commenting it out makes the default (any) apply:

    //allow-query { localhost; };

For a recursive server this is only acceptable behind a firewall: a caching server that answers anyone on a public IP is an open resolver and gets abused for amplification attacks (the comment block in named.conf itself warns about this). The safer change is to list your own networks in allow-query or allow-recursion instead of opening it to everyone.
Check the configuration file for syntax errors:
    named-checkconf /etc/named.conf
Check a zone file for errors:
    named-checkzone "rookie.com" /var/named/rookie.com.zone
Example: [root@localhost ~]# vim /etc/named.conf
Test command: dig
    dig [-t type] name [@SERVER] [query options]

dig only tests the DNS system; it never consults /etc/hosts.
Query options:
  +[no]trace     trace the resolution process from the root servers down:  dig +trace rookie.com
  +[no]recurse   ask for recursive resolution (sets the RD bit; on by default)

    [root@localhost ~]# dig -t A www.baidu.com @172.16.252.254 +trace
Testing reverse resolution:
    dig -x IP        is equivalent to        dig -t PTR reversed-ip.in-addr.arpa
e.g. dig -x 172.16.250.149 queries 149.250.16.172.in-addr.arpa.
Simulating a zone transfer:
    dig -t axfr ZONE_NAME @SERVER
    dig -t axfr rookie.com @10.10.10.11
    dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1

Querying for the root name servers (plain NS queries, not transfers):
    dig -t NS . @114.114.114.114
    dig -t NS . @a.root-servers.net

An AXFR dumps the entire zone, so a transfer that succeeds from an arbitrary client means the server's allow-transfer is not restricted (see the access control section below); against a properly configured server dig reports "; Transfer failed.".
    [root@localhost ~]# dig -t NS baidu.com @172.16.0.1

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35043
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;baidu.com.                     IN      NS

    ;; ANSWER SECTION:
    baidu.com.              54644   IN      NS      ns7.baidu.com.
    baidu.com.              54644   IN      NS      ns3.baidu.com.
    baidu.com.              54644   IN      NS      ns4.baidu.com.
    baidu.com.              54644   IN      NS      dns.baidu.com.
    baidu.com.              54644   IN      NS      ns2.baidu.com.

    ;; ADDITIONAL SECTION:
    ns2.baidu.com.          140982  IN      A       61.135.165.235
    ns4.baidu.com.          140982  IN      A       220.181.38.10
    dns.baidu.com.          140982  IN      A       202.108.22.220
    ns3.baidu.com.          140982  IN      A       220.181.37.10
    ns7.baidu.com.          140982  IN      A       119.75.219.82

    ;; Query time: 2 msec
    ;; SERVER: 172.16.0.1#53(172.16.0.1)
    ;; WHEN: Thu Jun 01 07:22:38 EDT 2017
    ;; MSG SIZE  rcvd: 208

The flags line is worth reading: qr rd ra without aa means 172.16.0.1 answered from its cache (the TTLs that shrink between the two runs confirm it), not as an authority for baidu.com. +nocomments strips the section headers and comment lines:

    [root@localhost ~]# dig -t NS baidu.com @172.16.0.1 +nocomments

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1 +nocomments
    ;; global options: +cmd
    ;baidu.com.                     IN      NS
    baidu.com.              54627   IN      NS      dns.baidu.com.
    baidu.com.              54627   IN      NS      ns3.baidu.com.
    baidu.com.              54627   IN      NS      ns2.baidu.com.
    baidu.com.              54627   IN      NS      ns4.baidu.com.
    baidu.com.              54627   IN      NS      ns7.baidu.com.
    ns2.baidu.com.          140965  IN      A       61.135.165.235
    ns4.baidu.com.          140965  IN      A       220.181.38.10
    dns.baidu.com.          140965  IN      A       202.108.22.220
    ns3.baidu.com.          140965  IN      A       220.181.37.10
    ns7.baidu.com.          140965  IN      A       119.75.219.82
    ;; Query time: 1 msec
    ;; SERVER: 172.16.0.1#53(172.16.0.1)
    ;; WHEN: Thu Jun 01 07:22:56 EDT 2017
    ;; MSG SIZE  rcvd: 208
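When the verification steps on this page are scripted rather than read by eye, the things to check in dig's output are the status, the aa flag (answer came from zone data, not from a cache) and the ANSWER section. The parser below is an added example, not code from the original post; the sample output it parses is constructed to mirror the page's later `dig -t A www.rookie.com @172.16.250.149` result, and the `verify` function is the author's manual check expressed as code.

```python
import re

# Constructed sample, modelled on this page's verification output for the lab master.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.\t\tIN\tA

;; ANSWER SECTION:
www.rookie.com.\t\t600\tIN\tA\t172.16.252.125

;; AUTHORITY SECTION:
rookie.com.\t\t600\tIN\tNS\tdns1.rookie.com.
rookie.com.\t\t600\tIN\tNS\tdns2.rookie.com.

;; ADDITIONAL SECTION:
dns1.rookie.com.\t600\tIN\tA\t172.16.250.149
dns2.rookie.com.\t600\tIN\tA\t172.16.252.245

;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 01:02:13 CST 2017
;; MSG SIZE  rcvd: 129
"""

HEADER_RE = re.compile(r"status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return the status, the header flags and the records of each section."""
    result = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result["status"] = m.group(1)
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        if section is None or not line or line.startswith(";"):
            continue  # comments, blank lines and the ';name IN A' question line
        fields = line.split()
        if len(fields) >= 5:  # owner ttl class type rdata...
            owner, ttl, rclass, rtype = fields[:4]
            rdata = " ".join(fields[4:])
            result["sections"][section].append((owner, int(ttl), rclass, rtype, rdata))
    return result


def answer_rdata(parsed, rtype):
    """The rdata of every ANSWER record of the given type, in answer order."""
    return [rr[4] for rr in parsed["sections"].get("ANSWER", []) if rr[3] == rtype]


def verify(parsed, rtype, expected_rdata):
    """The manual check from this page: NOERROR, the aa flag, and the expected data.
    A cached answer (no aa) fails even when the address is right."""
    return (
        parsed["status"] == "NOERROR"
        and "aa" in parsed["flags"]
        and sorted(answer_rdata(parsed, rtype)) == sorted(expected_rdata)
    )


if __name__ == "__main__":
    parsed = parse_dig(SAMPLE_DIG_OUTPUT)
    print(parsed["flags"], answer_rdata(parsed, "A"))
    print("authoritative and correct:", verify(parsed, "A", ["172.16.252.125"]))
```

Feed it `subprocess.run(["dig", ...], capture_output=True, text=True).stdout` to check a real server; the same parser works for the `dig -x` output later on this page, where the ANSWER section carries PTR records.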
Test command: host
    host [-t type] name [SERVER]
    host -t NS rookie.com 172.16.0.1
    host -t soa rookie.com
    host -t mx rookie.com
    host -t axfr rookie.com
    host 1.2.3.4

The nslookup command:
    nslookup [-option] [name | -] [server]
Interactive mode (nslookup> prompt):
  server IP        select the DNS server to query
  set q=RR_TYPE    set the resource record type to query
  name             the name to look up

    [root@localhost ~]# nslookup
    > server 172.16.0.1
    Default server: 172.16.0.1
    Address: 172.16.0.1#53
    > set q=a
    > www.tencent.com
    Server:         172.16.0.1
    Address:        172.16.0.1#53

    Non-authoritative answer:
    www.tencent.com canonical name = upfile.wj.qq.com.cloud.tc.qq.com.
    upfile.wj.qq.com.cloud.tc.qq.com        canonical name = ssd.tcdn.qq.com.
    Name:   ssd.tcdn.qq.com
    Address: 111.202.99.24
    Name:   ssd.tcdn.qq.com
    Address: 111.202.99.25
    Name:   ssd.tcdn.qq.com
    Address: 111.202.99.23
    Name:   ssd.tcdn.qq.com
    Address: 123.125.110.21
    Name:   ssd.tcdn.qq.com
    Address: 123.125.110.12
    Name:   ssd.tcdn.qq.com
    Address: 123.125.110.11
    Name:   ssd.tcdn.qq.com
    Address: 123.125.110.22
The rndc command:
rndc: remote name daemon control
It talks to named on 953/tcp, but named binds the control channel to 127.0.0.1 by default, so it can only be used locally: rndc client -> named (953/tcp). The client authenticates with the shared secret in /etc/rndc.key (created with rndc-confgen -a), so that key file must stay readable by root and named only.
rndc COMMAND
Commands:
    reload                reload the main configuration file and all zone files
    reload zonename       reload one zone's data file
    retransfer zonename   start a zone transfer for the zone right away, whether or not the serial has increased
    notify zonename       resend NOTIFY messages for the zone to its slaves
    reconfig              reload the main configuration file only (and load any newly added zones)
    querylog              toggle query logging (written to /var/log/messages through syslog)
    trace                 increase the debug level by one
    trace LEVEL           set the debug level explicitly
    notrace               set the debug level to 0
    flush                 flush the server's cache

    [root@localhost ~]# rndc status
    version: 9.9.4-RedHat-9.9.4-37.el7 <id:8f9657aa>
    CPUs found: 4
    CPU worker threads: 4
    UDP listeners per interface: 4
    number of zones: 101
    debug level: 0
    xfers running: 0
    xfers deferred: 0
    soa queries in progress: 0
    query logging is OFF
    recursive clients: 0/0/1000
    tcp clients: 0/100
    server is up and running

"number of zones" includes the automatic empty zones BIND creates for RFC 1918 and similar reverse ranges, which is why a server with a handful of configured zones reports 101. "recursive clients: 0/0/1000" is current / soft limit / hard limit (the recursive-clients option); "tcp clients: 0/100" is current / maximum (tcp-clients).
Configuring a primary (master) DNS server:
Define the zone in the main configuration file
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
Define the zone data file
What goes into it: macro definitions ($TTL, $ORIGIN) and resource records.
Main configuration syntax check:     named-checkconf
Zone file syntax check:              named-checkzone "rookie.com" /var/named/rookie.com.zone
Then:                                rndc status | rndc reload   (or: service named reload)
Note: three things need attention before starting the lab configuration:
  disable the firewall
  disable SELinux
  the clocks must be synchronized
(Disabling the firewall and SELinux is a lab shortcut only. On a real server keep both, open 53/udp and 53/tcp for the name server, and make sure zone files under /var/named carry the named_zone_t SELinux context so named can read them.)
Configuring a forward zone
Using the rookie.com domain as the example:
Define the zone
Done in the main configuration file (/etc/named.conf) or in its auxiliary file (/etc/named.rfc1912.zones):

    [root@localhost ~]# vim /etc/named.rfc1912.zones
    zone "rookie.com" IN {
        type master;
        file "rookie.com.zone";
    };

Note: the zone name is the domain name.
Create the zone data file (mostly A or AAAA records)
The zone data file lives under /var/named; here it is /var/named/rookie.com.zone:

    [root@localhost /var/named]# vim rookie.com.zone
    $TTL 600                                  ; zone-wide default TTL: cache for 600 seconds
    rookie.com.   IN SOA  rookie.com. admin.rookie.com. (   ; zone name, primary server, admin mailbox (admin@rookie.com)
                          2017060101    ; serial
                          1H            ; refresh interval: one hour
                          5M            ; retry interval: five minutes
                          1W            ; expire: one week
                          6H )          ; TTL for negative answers: six hours
                  IN NS   dns1.rookie.com.
                  IN NS   dns2.rookie.com.
    dns1.rookie.com.  IN A     172.16.250.149
    dns2.rookie.com.  IN A     172.16.252.245
    www.rookie.com.   IN A     172.16.252.125
    web               IN CNAME www

Lines that start with whitespace inherit the previous owner name, so the two NS records belong to rookie.com.; names without a trailing dot (web, www) are relative to the zone origin.

Fix ownership and permissions so that named can read the file while other users cannot:

    [root@localhost /var/named]# chgrp named /var/named/rookie.com.zone
    [root@localhost /var/named]# chmod o= /var/named/rookie.com.zone
    [root@localhost /var/named]# ll
    total 20
    drwxrwx--- 2 named named    6 Nov 12  2016 data
    drwxrwx--- 2 named named    6 Nov 12  2016 dynamic
    -rw-r----- 1 root  named 2076 Jan 28  2013 named.ca
    -rw-r----- 1 root  named  152 Dec 15  2009 named.empty
    -rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
    -rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
    -rw-r----- 1 root  named  301 Jun  1 00:22 rookie.com.zone

Check for syntax errors:

    [root@localhost /var/named]# named-checkconf
    [root@localhost /var/named]# named-checkzone "rookie.com" /var/named/rookie.com.zone
    zone rookie.com/IN: loaded serial 2017060101
    OK
Have the server reload the configuration and zone data

    [root@localhost /var/named]# rndc reload
or
    [root@localhost ~]# systemctl restart named.service

rndc reload is preferable: it picks up the new zone without dropping the cache or interrupting service.
Verify

    [root@localhost /var/named]# dig -t A www.rookie.com @172.16.250.149

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.rookie.com.                IN      A

    ;; ANSWER SECTION:
    www.rookie.com.         600     IN      A       172.16.252.125

    ;; AUTHORITY SECTION:
    rookie.com.             600     IN      NS      dns1.rookie.com.
    rookie.com.             600     IN      NS      dns2.rookie.com.

    ;; ADDITIONAL SECTION:
    dns1.rookie.com.        600     IN      A       172.16.250.149
    dns2.rookie.com.        600     IN      A       172.16.252.245

    ;; Query time: 0 msec
    ;; SERVER: 172.16.250.149#53(172.16.250.149)
    ;; WHEN: Thu Jun 01 01:02:13 CST 2017
    ;; MSG SIZE  rcvd: 129

The aa flag shows the answer came from the server's own zone data. The @SERVER argument can be left out by pointing /etc/resolv.conf at the server (not /etc/hosts, which dig ignores):

    [root@localhost /var/named]# vim /etc/resolv.conf
    ; generated by /usr/sbin/dhclient-script
    search magedu.com
    #nameserver 172.16.0.1

With the nameserver line commented out the resolver falls back to 127.0.0.1, i.e. the named running on this host, as the SERVER line of the next output shows:

    [root@localhost /var/named]# dig -t A www.rookie.com

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39628
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.rookie.com.                IN      A

    ;; ANSWER SECTION:
    www.rookie.com.         600     IN      A       172.16.252.125

    ;; AUTHORITY SECTION:
    rookie.com.             600     IN      NS      dns2.rookie.com.
    rookie.com.             600     IN      NS      dns1.rookie.com.

    ;; ADDITIONAL SECTION:
    dns1.rookie.com.        600     IN      A       172.16.250.149
    dns2.rookie.com.        600     IN      A       172.16.252.245

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Jun 01 01:08:08 CST 2017
    ;; MSG SIZE  rcvd: 129
Configuring a reverse zone
Define the zone
Done in the main configuration file or in its auxiliary file:

    [root@localhost ~]# vim /etc/named.rfc1912.zones
    zone "16.172.in-addr.arpa" IN {
        type master;
        file "172.16.zone";
    };

Note: a reverse zone is named after the network address written backwards, followed by .in-addr.arpa: 172.16.0.0/16 becomes 16.172.in-addr.arpa.
Define the zone data file (mostly PTR records)

    [root@localhost ~]# vim /var/named/172.16.zone
    $TTL 600
    @       IN SOA   rookie.com. admin.rookie.com. (
                     2017060101
                     1H
                     5M
                     2W
                     1D )
    @       IN NS    dns1.rookie.com.
    @       IN NS    dns2.rookie.com.
    149.250     IN PTR   dns1.rookie.com.
    245.252     IN PTR   dns2.rookie.com.
    125.252     IN PTR   www.rookie.com.

@ stands for the zone origin, 16.172.in-addr.arpa.; owner names without a trailing dot are relative to it, so 149.250 means 149.250.16.172.in-addr.arpa., the PTR name for 172.16.250.149 (the host part of the address, reversed).

Fix ownership and permissions, this time on the reverse zone file:

    [root@localhost /var/named]# chgrp named /var/named/172.16.zone
    [root@localhost /var/named]# chmod o= /var/named/172.16.zone

Check for syntax errors. named-checkzone takes the zone name, not the file name, as its first argument, so that relative names are checked against the right origin:

    [root@localhost ~]# named-checkconf
    [root@localhost ~]# named-checkzone "16.172.in-addr.arpa" /var/named/172.16.zone
    zone 16.172.in-addr.arpa/IN: loaded serial 2017060101
    OK
Have the server reload the configuration and zone data

    [root@localhost ~]# rndc reload
or
    [root@localhost ~]# systemctl restart named.service
Verify

    [root@localhost /var/named]# dig -x 172.16.250.149

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 172.16.250.149
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;149.250.16.172.in-addr.arpa.   IN      PTR

    ;; ANSWER SECTION:
    149.250.16.172.in-addr.arpa. 600 IN     PTR     dns1.rookie.com.

    ;; AUTHORITY SECTION:
    16.172.in-addr.arpa.    600     IN      NS      dns1.rookie.com.
    16.172.in-addr.arpa.    600     IN      NS      dns2.rookie.com.

    ;; ADDITIONAL SECTION:
    dns1.rookie.com.        600     IN      A       172.16.250.149
    dns2.rookie.com.        600     IN      A       172.16.252.245

    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Thu Jun 01 01:44:45 CST 2017
    ;; MSG SIZE  rcvd: 150
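The mapping between an address, the name `dig -x` queries for, the reverse zone's origin and the relative owner names in the PTR file (the "reversed network" rule above and the `dig -x` equivalence in the testing section) is mechanical, and getting it wrong is the usual reason a reverse lookup returns NXDOMAIN. The helpers below are an added example, not code from the original page; the addresses and names are the page's own, and the IPv6 case goes beyond the page (ip6.arpa uses reversed nibbles, which Python's `ipaddress` module produces directly).

```python
import ipaddress


def reverse_name(addr):
    """The name `dig -x ADDR` actually queries: in-addr.arpa for IPv4, ip6.arpa for IPv6."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone_origin(network):
    """Name of the reverse zone covering an IPv4 network aligned on an octet boundary,
    e.g. 172.16.0.0/16 -> 16.172.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 networks map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(addr, network):
    """Owner name relative to that zone's origin, as written in the zone file:
    149.250 for 172.16.250.149 inside 16.172.in-addr.arpa."""
    net = ipaddress.ip_network(network)
    ip = ipaddress.ip_address(addr)
    if ip not in net:
        raise ValueError(f"{addr} is not inside {network}")
    host_octets = str(ip).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_octets))


def reverse_zone_records(network, hosts):
    """Render the PTR lines of a reverse zone from a {ip: fqdn} mapping."""
    return [f"{ptr_owner(ip, network):<12} IN PTR {name}" for ip, name in hosts.items()]


if __name__ == "__main__":
    # The page's three hosts in its 16.172.in-addr.arpa zone.
    hosts = {
        "172.16.250.149": "dns1.rookie.com.",
        "172.16.252.245": "dns2.rookie.com.",
        "172.16.252.125": "www.rookie.com.",
    }
    print("zone", reverse_zone_origin("172.16.0.0/16"))
    for line in reverse_zone_records("172.16.0.0/16", hosts):
        print(line)
    print("dig -x 172.16.250.149 asks for", reverse_name("172.16.250.149"))
```

Networks that are not on an octet boundary (a /27, say) cannot be expressed as one in-addr.arpa zone; they need the RFC 2317 CNAME delegation trick, which the function refuses rather than guessing.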
Master/slave servers:
Note: "slave" is a per-zone concept; a server can be master for some zones and slave for others.
Master zone configuration: as in the forward and reverse zone configuration above.
Slave zone configuration:
On Slave
Define the slave zone (on a second virtual machine):

    [root@localhost ~]# vim /etc/named.rfc1912.zones
    zone "rookie.com." IN {
        type slave;
        file "slaves/rookie.com.zone";
        masters { 172.16.250.149; };    // the master server
    };

    [root@localhost ~]# vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };

            /*
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable
               recursion.
             - If your recursive DNS server has a public IP address, you MUST enable access
               control to limit queries to your legitimate users. Failing to do so will
               cause your server to become part of large scale DNS amplification
               attacks. Implementing BCP38 within your network would greatly
               reduce such attack surface
            */
            recursion yes;

            dnssec-enable no;
            dnssec-validation no;
    (rest of the file not shown)

Commenting out listen-on makes named listen on every IPv4 address of the host. Note that this slave ends up with allow-query { any; } and recursion yes; at the same time, exactly the combination the comment block warns against: an authoritative slave should run with recursion no, or at least with an allow-recursion list limited to the internal network.
Configuration syntax check:
    [root@localhost ~]# named-checkconf
Reload the configuration on both master and slave

    [root@localhost ~]# rndc reload
    [root@localhost ~]# systemctl restart named.service
    [root@localhost ~]# ll /var/named/slaves/        (the zone file has already been transferred)
    total 4
    -rw-r--r-- 1 named named 414 Jun  1 03:01 rookie.com.zone

named writes the transferred zone itself, which is why the file is owned by named and why /var/named/slaves/ must be writable by the named user.
Verify on the slave

    [root@localhost ~]# dig -t A www.rookie.com @172.16.250.149

    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5639
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.rookie.com.                IN      A

    ;; ANSWER SECTION:
    www.rookie.com.         600     IN      A       172.16.252.125

    ;; AUTHORITY SECTION:
    rookie.com.             600     IN      NS      dns1.rookie.com.
    rookie.com.             600     IN      NS      dns2.rookie.com.

    ;; ADDITIONAL SECTION:
    dns1.rookie.com.        600     IN      A       172.16.250.149
    dns2.rookie.com.        600     IN      A       172.16.252.245

    ;; Query time: 0 msec
    ;; SERVER: 172.16.250.149#53(172.16.250.149)
    ;; WHEN: Thu Jun 01 03:41:02 EDT 2017
    ;; MSG SIZE  rcvd: 129

This query is addressed to the master (172.16.250.149). To check that the slave itself serves the transferred zone, query the slave's own address (@172.16.252.245, dns2) and expect the same answer with the aa flag set.
Modify the zone file on the master and test again

    [root@localhost /var/named]# vim rookie.com.zone
    $TTL 600
    rookie.com.   IN SOA  rookie.com. admin.rookie.com. (
                          2017060102    ; serial increased, otherwise the slave ignores the change
                          1H
                          5M
                          1W
                          6D )
                  IN NS   dns1.rookie.com.
                  IN NS   dns2.rookie.com.
    dns1.rookie.com.  IN A     172.16.250.149
    dns2.rookie.com.  IN A     172.16.252.245
    www.rookie.com.   IN A     172.16.252.125
    web               IN CNAME www
    ftp               IN CNAME www

After rndc reload the master sends NOTIFY to the name servers listed in the zone; the slave compares serials and pulls the new copy only if the serial went up.
[root@localhost ~]#dig -t A ftp.rookie.com @172.16.250.149
    ; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A ftp.rookie.com @172.16.250.149
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30068
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;ftp.rookie.com.                IN      A

    ;; ANSWER SECTION:
    ftp.rookie.com.         600     IN      CNAME   WWW.rookie.com.
    WWW.rookie.com.         600     IN      A       172.16.252.125

    ;; AUTHORITY SECTION:
    rookie.com.             600     IN      NS      dns1.rookie.com.
    rookie.com.             600     IN      NS      dns2.rookie.com.

    ;; ADDITIONAL SECTION:
    dns1.rookie.com.        600     IN      A       172.16.250.149
    dns2.rookie.com.        600     IN      A       172.16.252.245

    ;; Query time: 0 msec
    ;; SERVER: 172.16.250.149#53(172.16.250.149)
    ;; WHEN: Thu Jun 01 03:46:11 EDT 2017
    ;; MSG SIZE  rcvd: 147
On Master
Make sure the zone data file contains an NS record for every slave server, and that the forward zone has an A record for the host name in each of those NS records, pointing at the slave's real IP address. Without the NS record the master does not send NOTIFY to that slave, and with this BIND version's default of allow-transfer { any; } every host can pull the zone, so also restrict allow-transfer to the slaves' addresses (see the access control section below).
Note: the clocks must be synchronized.
ntpdate command (or run chronyd/ntpd for continuous synchronization).
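Two of the master-side rules above are checkable before `rndc reload`: the SOA serial must be higher than the one the slaves already hold (the bump from 2017060101 to 2017060102 in the edit above), and every NS host inside the zone needs an A or AAAA record. The checker below is an added example, not code from the page or from BIND; it reads the page's rookie.com zone (embedded here as constructed text) plus a second copy with dns2's A record removed, and it understands only the subset of zone-file syntax the page uses ($TTL, parenthesised SOA, inherited owner names, `;` comments).

```python
import re

# The page's rookie.com zone after the edit that bumps the serial (constructed copy).
ZONE_OK = """\
$TTL 600
rookie.com.   IN SOA  rookie.com. admin.rookie.com. (
                      2017060102  ; serial
                      1H          ; refresh
                      5M          ; retry
                      1W          ; expire
                      6H )        ; negative-answer TTL
              IN NS   dns1.rookie.com.
              IN NS   dns2.rookie.com.
dns1.rookie.com.  IN A  172.16.250.149
dns2.rookie.com.  IN A  172.16.252.245
www.rookie.com.   IN A  172.16.252.125
web               IN CNAME www
ftp               IN CNAME www
"""

# Same zone with dns2's glue missing: named still loads it, but the slave is unreachable by name.
ZONE_MISSING_GLUE = ZONE_OK.replace("dns2.rookie.com.  IN A  172.16.252.245\n", "")


def parse_zone(text, origin):
    """Minimal zone-file reader: strips comments, joins the SOA parentheses, expands
    relative names against origin, returns a list of (owner, type, rdata_fields)."""
    clean = re.sub(r";[^\n]*", "", text)
    clean = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), clean)
    records = []
    last_owner = origin
    for line in clean.splitlines():
        if not line.strip() or line.startswith("$"):
            continue  # blank line or $TTL / $ORIGIN directive
        fields = line.split()
        if line[0].isspace():
            owner = last_owner  # leading whitespace: inherit the previous owner
        else:
            owner = fields.pop(0)
            if not owner.endswith("."):
                owner = owner + "." + origin
            last_owner = owner
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("CNAME", "NS") and not rdata[0].endswith("."):
            rdata[0] = rdata[0] + "." + origin
        records.append((owner, rtype, rdata))
    return records


def soa_serial(records):
    for _, rtype, rdata in records:
        if rtype == "SOA":
            return int(rdata[2])  # mname rname serial refresh retry expire minimum
    raise ValueError("no SOA record")


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def check_zone(text, origin, previous_serial=None):
    """Return a list of problems (empty means the zone passes the checks)."""
    problems = []
    records = parse_zone(text, origin)
    serial = soa_serial(records)
    if previous_serial is not None and serial <= previous_serial:
        problems.append(f"serial {serial} not greater than {previous_serial}: slaves will not transfer")
    address_owners = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    cname_owners = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    for owner, rtype, rdata in records:
        if rtype != "NS" or not in_zone(rdata[0], origin):
            continue  # out-of-zone name servers need no glue here
        if rdata[0] in cname_owners:
            problems.append(f"NS {rdata[0]} points at a CNAME, which is not allowed")
        elif rdata[0] not in address_owners:
            problems.append(f"NS {rdata[0]} has no A/AAAA record in the zone")
    return problems


if __name__ == "__main__":
    print(check_zone(ZONE_OK, "rookie.com.", previous_serial=2017060101))
    print(check_zone(ZONE_MISSING_GLUE, "rookie.com."))
```

Run it against the real file with `check_zone(open("/var/named/rookie.com.zone").read(), "rookie.com.", previous_serial=...)` where the previous serial comes from `dig -t SOA rookie.com @<slave>`; named-checkzone still remains the authoritative syntax check, this only adds the operational rules the page states.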
Subdomain delegation:
How to delegate a subdomain from the forward zone (records placed in the parent zone file):

    ops.rookie.com.     IN NS   ns1.ops.rookie.com.
    ops.rookie.com.     IN NS   ns2.ops.rookie.com.
    ns1.ops.rookie.com. IN A    IP.AD.DR.ESS
    ns2.ops.rookie.com. IN A    IP.AD.DR.ESS

The two A records are glue: because the subdomain's name servers live inside the subdomain being delegated, a resolver could never find their addresses without them.
Defining forwarding:
Note: the server being forwarded to must be willing to do recursion on behalf of this server; otherwise forwarded queries go nowhere.

Zone forwarding: forward only the queries for one particular zone. It takes precedence over global forwarding.

    zone "ZONE_NAME" IN {
        type forward;
        forward {first|only};
        forwarders { SERVER_IP; };
    };

    first: forward first; if the forwarder does not respond, resolve iteratively on our own
    only:  forward only; if the forwarder does not respond, the query fails

Global forwarding: every query for a zone that is not defined locally is handed to the forwarder.

    options {
        ...
        forward {only|first};
        forwarders { SERVER_IP; };
        ...
    };

Note: the lab setup turns DNSSEC off on the forwarding server as well; with validation enabled, a forwarder that does not pass DNSSEC records through would make validation fail and answers come back as SERVFAIL:
    dnssec-enable no;
    dnssec-validation no;
Security-related configuration in BIND:
acl: access control list; groups one or more addresses into a named set, which can then be referenced by that name wherever an address match list is expected.
Format:
    acl acl_name { ip; net/prefixlen; ... };
Example:
    acl mynet { 172.16.0.0/16; 10.10.10.10; };
BIND has four built-in ACLs:
    none        no host at all
    any         any host
    localhost   the addresses of this host itself
    localnets   the networks this host is directly attached to (each interface address ANDed with its netmask)
Note: an ACL must be defined before it is referenced, so acl statements normally go at the top of the configuration file, before the options block.
Access control directives:
allow-query { };       hosts allowed to query this server (a whitelist)
allow-transfer { };    hosts allowed to request a zone transfer; the default on this BIND version is any, so set it to the slave servers only (and to none on a slave)
allow-recursion { };   hosts allowed to send recursive queries to this server; limit it to your own networks, otherwise the server is an open resolver
allow-update { };      DDNS: hosts allowed to update the zone data dynamically; leave it at the default (none) unless needed, and prefer a key-based update-policy over address lists, since the source address of a UDP update is easily spoofed
BIND views:
view: a BIND server can define several views, and each view contains one or more zones.
Each view matches one group of clients (match-clients).
Several views may need to answer for the same zone but from different zone files, e.g. internal addresses for internal clients and public addresses for everyone else.

    view VIEW_NAME {
        match-clients { ... };
        zone ... { ... };
        zone ... { ... };
    };

    view internal {
        match-clients { 172.16.0.0/16; };
        zone "rookie.com" IN {
            type master;
            file "rookie.com/internal";
        };
    };
    view external {
        match-clients { any; };
        zone "rookie.com" IN {
            type master;
            file "rookie.com/external";
        };
    };

Views are tried in the order they are written and the first match-clients that matches wins, so the narrow internal view has to come before the catch-all external one. Once a single view is defined, every zone, including the root hints and the zones in named.rfc1912.zones, must be placed inside some view.
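The access-control directives and the view selection above are both address match lists with the same rules: elements are scanned in order, the first one that matches decides, a `!` prefix turns a match into a denial, a list that matches nothing denies, and a nested ACL that only matched negatively counts as no match at all. The model below is an added example, not code from the page or from BIND itself; the `mynet` ACL and the view names come from the page, while the `slaves` ACL (the page's dns2 address) and the WEAK/HARDENED policies are assumptions made to show the `allow-transfer { any; }` default beside the restricted form.

```python
import ipaddress

# ACLs: 'mynet' as on the page; 'slaves' is an assumption (the page's dns2 address).
ACLS = {
    "mynet": ["172.16.0.0/16", "10.10.10.10"],
    "slaves": ["172.16.252.245"],
}


def _element(ip, element, acls, local_addrs, local_nets):
    """Evaluate one element: True = matched/allow, False = matched/deny, None = no match."""
    negate = element.startswith("!")
    if negate:
        element = element[1:].strip()
    if element == "any":
        hit = True
    elif element == "none":
        hit = False
    elif element == "localhost":
        hit = ip in local_addrs
    elif element == "localnets":
        hit = any(ip in net for net in local_nets)
    elif element in acls:
        # Nested ACL: a negative match inside it is treated as "no match" (as named does),
        # so a negated entry in a nested list can never turn into an allow by double negation.
        hit = _scan(ip, acls[element], acls, local_addrs, local_nets) is True
    else:
        hit = ip in ipaddress.ip_network(element, strict=False)  # host or CIDR
    if not hit:
        return None
    return not negate


def _scan(ip, elements, acls, local_addrs, local_nets):
    for element in elements:
        verdict = _element(ip, element, acls, local_addrs, local_nets)
        if verdict is not None:
            return verdict
    return None


def match_list(ip, elements, acls=ACLS, local_addrs=("127.0.0.1",), local_nets=()):
    """True only if the first matching element is a positive one; no match means deny."""
    ip = ipaddress.ip_address(ip)
    addrs = {ipaddress.ip_address(a) for a in local_addrs}
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]
    return _scan(ip, elements, acls, addrs, nets) is True


def select_view(ip, views, acls=ACLS):
    """Views are tried in the order written; the first match-clients hit wins."""
    for name, clients in views:
        if match_list(ip, clients, acls):
            return name
    return None


# The weak settings (allow-transfer and allow-recursion left at 'any') beside a hardened
# policy for the page's master: answer anyone, transfer only to slaves, recurse only for mynet.
WEAK = {"allow-query": ["any"], "allow-transfer": ["any"], "allow-recursion": ["any"]}
HARDENED = {"allow-query": ["any"], "allow-transfer": ["slaves"], "allow-recursion": ["mynet"]}

# The page's two views, in the order that makes the internal view reachable.
VIEWS = [("internal", ["mynet"]), ("external", ["any"])]


def allowed(policy, directive, ip):
    return match_list(ip, policy[directive])


if __name__ == "__main__":
    stranger, slave, insider = "203.0.113.7", "172.16.252.245", "172.16.250.1"
    for name, policy in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, "AXFR from stranger:", allowed(policy, "allow-transfer", stranger),
              "AXFR from slave:", allowed(policy, "allow-transfer", slave),
              "recursion for stranger:", allowed(policy, "allow-recursion", stranger))
    print("view for", insider, "->", select_view(insider, VIEWS))
    print("view for", stranger, "->", select_view(stranger, VIEWS))
    print("views reversed, view for", insider, "->", select_view(insider, list(reversed(VIEWS))))
```

The last line of the demo is the mistake to watch for: with the external view written first, `match-clients { any; }` swallows every client and the internal zone file is never served.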