目录
动态更新
[root@centos7:named]# pwd
/var/named
[root@centos7:named]# cat baidu.com.zone
$TTL 1D
@ IN SOA dns1 admin.baidu.com. (
1807222001 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1
dns1 A 192.168.31.7
web-nginx01 A 1.1.1.1
web-nginx01 A 1.1.1.2
app-tomcat02 A 2.2.2.2
www CNAME web-nginx01
dns服务
[root@centos7:~]# cat /etc/named.rfc1912.zones
zone "baidu.com" IN {
type master;
file "baidu.com.zone";
};
------------------
[root@client:~ ]# nsupdate
> server 192.168.31.7
> zone baidu.com
> update add ftp.baidu.com 88888 IN A 8.8.8.8
> send
update failed: REFUSED #被拒绝:该区域尚未配置allow-update(默认为none),不接受动态更新
>
[root@centos7:~]# cat /etc/named.rfc1912.zones
zone "baidu.com" IN {
type master;
file "baidu.com.zone";
allow-update { any; }; #把none改为any即可,允许任何主机更新该区域(仅适合实验环境,正式环境应限制允许更新的来源)
};
------
[root@client:~ ]# nsupdate
> server 192.168.31.7
> zone baidu.com
> update add ftp.baidu.com 88888 IN A 8.8.8.8
> send
update failed: SERVFAIL #失败,查看日志
>
[root@centos7:~]# tail /var/log/messages
Jul 23 11:07:57 centos7 named[2518]: client 192.168.31.27#35695: updating zone 'baidu.com/IN': adding an RR at 'ftp.baidu.com' A
Jul 23 11:07:57 centos7 named[2518]: baidu.com.zone.jnl: create: permission denied
#权限问题:named先把动态更新写入日志文件baidu.com.zone.jnl,过一段时间再合并回baidu.com.zone,因此named用户需要对/var/named有写权限
[root@centos7:named]# ps aux | grep named
named 2518 0.0 5.2 310484 106400 ? Ssl 10:28 0:00 /usr/sbin/named -u named -c /etc/named.conf
#named账号以named身份执行
root 3127 0.0 0.0 112708 972 pts/0 S+ 11:11 0:00 grep --color=auto named
[root@centos7:named]# ll /var/named -d
drwxr-x--- 5 root named 172 Jul 22 21:40 /var/named #组没有写权限,named没有权限写,报错
[root@centos7:named]# chmod 770 /var/named
[root@centos7:named]# ll /var/named -d
drwxrwx--- 5 root named 172 Jul 22 21:40 /var/named
#再次在客户端执行命令,服务端的文件如下
[root@centos7:named]# ll
total 28
-rw-r--r-- 1 root root 159 Jul 22 21:24 192.168.31.zone
-rw-r----- 1 root named 278 Jul 22 21:40 baidu.com.zone
-rw-r--r-- 1 named named 713 Jul 23 11:19 baidu.com.zone.jnl #等待同步完成后,named会把baidu.com.zone重写成自动生成的格式,原有排版被打乱,可读性变差
#用cat查看此二进制日志文件,内容不可读,如下
[root@centos7:named]# cat baidu.com.zone.jnl
;BIND LOG V9
k¸ㇸk¸⼫¸분顡iducomQ5dns1baiducomadminbaiducomk¸р :*0JbaiducomQ5dns1baiducomadminbaiducomk¸р :*0ftpbaiduc[root@centos7:named]# XshellXshellXshellXshellXshellXshellXshellXshellXshel
#专门工具查看此类型数据库文件
[root@centos7:named]# named-journalprint baidu.com.zone.jnl
del baidu.com. 86400 IN SOA dns1.baidu.com. admin.baidu.com. 1807222001 86400 3600 604800 10800
add baidu.com. 86400 IN SOA dns1.baidu.com. admin.baidu.com. 1807222002 86400 3600 604800 10800 #SOA记录
add ftp.baidu.com. 88888 IN A 8.8.8.8 #A记录 88888为TTL
[root@client:~ ]# dig ftp.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> ftp.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 295
#客户端动态删除dns记录
[root@client:~ ]# nsupdate
> server 192.168.31.7
> zone baidu.com
> update delete ftp.baidu.com A
> send
>
[root@client:~ ]# dig ftp.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> ftp.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35823 #status,没有此记录
=============================
=============================
=============================
主从服务器
从服务器dns,保障安全,提高容错能力;windows ipv4也有两个dns
环境如下,centos7主dns服务(192.168.31.7)
[root@centos7:etc]# vim /etc/named.conf
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion no;
/etc/named.rfc1912.zones
[root@centos7:etc]# cat /etc/named.rfc1912.zones
zone "baidu.com" IN {
type master;
file "baidu.com.zone";
allow-update { any; };
};
zone "31.168.192.in-addr.arpa" IN {
type master;
file "192.168.31.zone";
};
[root@centos7:~]# cat /var/named/baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1.baidu.com. admin.baidu.com. (
1807222003 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1.baidu.com.
app-tomcat02 A 2.2.2.2
dns1 A 192.168.31.7
web-nginx01 A 1.1.1.1
A 1.1.1.2
www CNAME web-nginx01
——————————
#客户端(192.168.31.27)添加主从dns地址
[root@client:~ ]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.31.7
nameserver 192.168.31.17
搭建从服务器centos7(192.168.31.17),关闭selinux,防火墙
#改从服务器主机名为slave
[root@centos7:~]# hostname slave
[root@centos7:~]# exit
[root@slave:~]#
[root@slave:~]# rpm -q bind
package bind is not installed
[root@slave:~]# yum install bind -y
[root@slave:~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; }; #注释掉默认所有ip都可以监听
directory "/var/named"; #区域文件默认相对路径为/var/named
***省略****
// allow-query { localhost; }; #注释掉默认所有人都可以查询
[root@slave:~]# vim /etc/named.rfc1912.zones
zone "baidu.com" IN {
type slave;
masters {192.168.31.7;};
file "slaves/baidu.com.slave.zone"; #相对于/var/named的路径,即/var/named/slaves/baidu.com.slave.zone
};
[root@slave:named]# pwd
/var/named
[root@slave:slaves]# systemctl start named #启动服务会自动从主服务器dns拉取文件
[root@slave:slaves]# ls
baidu.com.slave.zone #启动服务生成的文件
#此文件为二进制(raw)格式的区域数据,cat查看不了
[root@slave:slaves]# file baidu.com.slave.zone
baidu.com.slave.zone: data
[root@slave:slaves]# named-compilezone -f raw -o -zone baidu.com baidu.com.slave.zone
zone baidu.com/IN: loaded serial 1807222003
dump zone to -zone...done
OK
______________
#停止主服务器dns的服务
[root@centos7:~]# systemctl stop named
[root@client:~ ]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 330
****省略*****
;; SERVER: 192.168.31.17#53(192.168.31.17)
#启动主服务dns
[root@centos7:~]# systemctl start named
从客户端dig www.qq.com:主服务器没有该记录,再去问从服务器,也没有,查询结束
#centos6在搭建一个从服务器dns
[root@centos6 ~ ]#yum install bind
其余完全和centos7这个从服务器一样
[root@centos6 ~ ]#yum install bind
[root@centos6 ~ ]#cd /var/named/slaves
[root@centos6 slaves ]#service named restart #文件拉取不过来
[root@centos6 slaves ]#ll
total 0
[root@centos6 slaves ]#tail /var/log/messages
Jul 20 14:45:17 centos6 named[2824]: managed-keys-zone ./IN: loaded serial 2
Jul 20 14:45:17 centos6 named[2824]: running
Jul 20 14:45:17 centos6 named[2824]: zone baidu.com/IN: refresh: unexpected rcode (SERVFAIL) from master 192.168.31.7#53 (source 0.0.0.0#0)
#查看日志:主服务器返回SERVFAIL,原因是主服务器上之前做动态更新实验留下的baidu.com.zone.jnl日志文件,需要删除它
[root@centos7:named]# ll
total 28
-rw-r--r-- 1 root root 159 Jul 22 21:24 192.168.31.zone
-rw-r--r-- 1 named named 355 Jul 23 12:56 baidu.com.zone
-rw-r--r-- 1 named named 914 Jul 23 11:25 baidu.com.zone.jnl #删除此文件(注意:尚未合并回baidu.com.zone的动态更新会随之丢失)
drwxrwx--- 2 named named 23 Jul 21 09:41 data
drwxrwx--- 2 named named 31 Jul 23 10:28 dynamic
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 6 Apr 13 02:48 slaves
[root@centos7:named]# rm -rf baidu.com.zone.jnl
[root@centos7:named]# systemctl restart named
[root@centos6 slaves ]#service named restart
[root@centos6 slaves ]#ll
total 4
-rw-r--r-- 1 named named 392 Jul 20 14:59 baidu.com.slave.zone
#主dns
[root@centos7:~]# vim /etc/named.conf
allow-transfer { 192.168.31.6;192.168.31.17; }; #在options选项中添加一行,表示只允许这两个从服务器拉取数据
[root@centos7:~]# systemctl restart named
#另把两个从服务器也添加一行:allow-transfer { none; }; 即从服务器不允许任何人拉取区域数据,然后重启服务
[root@client:~ ]# dig -t axfr baiduc.com @192.168.31.7
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -t axfr baiduc.com @192.168.31.7
;; global options: +cmd
; Transfer failed. #区域传输被拒绝,看不了/var/named/baidu.com.zone的内容(注意:上面命令中域名误写为baiduc.com,对不存在的区域同样会失败;验证allow-transfer是否生效应使用baidu.com)
#主服务dns的区域变化后,从服务器到刷新时间会来拉取数据,但主服务dns无法主动通知(推送)从服务器,需要在主dns的区域文件中把从服务器添加为NS记录,如下
[root@centos7:~]# vim /var/named/baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1.baidu.com. admin.baidu.com. (
1807222004 ; serial #数据库版本调大
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1.baidu.com.
NS dns2.baidu.com. #添加此行
NS dns3.baidu.com. #添加此行
dns2 A 192.168.31.6 #添加此行
dns3 A 192.168.31.17 #添加此行
app-tomcat02 A 2.2.2.2
dns1 A 192.168.31.7
web-nginx01 A 1.1.1.1
A 1.1.1.2
www CNAME web-nginx01
[root@centos7:~]# systemctl restart named
#主根据版本号push到从服务器
[root@centos7:~]# iptables -A INPUT -p udp --dport 53 -j REJECT
udp53端口被防火墙阻挡,会影响客户端查询
[root@centos7:~]# iptables -F
主从复制同时用到tcp和udp(从服务器只有在主服务器的serial大于自己的serial时才会更新)
从服务器dns可以有从服务器dns
==============================
=============================
=============================
===============================
子域
总部北京 分部上海(子域)
#子域中主机少的话,可以直接放到主域的区域文件中,作为一条记录(如下一行)
[root@centos7:~]# vim /var/named/baidu.com.zone
添加 www.shanghai A 10.1.1.1
#也可以为子域单独建立一个区域文件,同一台主机上同时承载主域和子域
[root@centos7:named]# vim /etc/named.rfc1912.zones
zone "shanghai.baidu.com" IN { #域shanghai.baidu.com
type master;
file "shanghai.baidu.com.zone";
};
[root@centos7:~]# cp -p /var/named/baidu.com.zone /var/named/shanghai.baidu.com.zone
[root@centos7:named]# cat shanghai.baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1 admin (
1807222004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1
dns1 A 192.168.31.7
www A 3.3.3.3
mail A 5.5.5.5
[root@centos7:named]# systemctl restart named
[root@client:~ ]# dig www.shanghai.baidu.com @192.168.31.7
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.shanghai.baidu.com @192.168.31.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7089
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.shanghai.baidu.com. IN A
;; ANSWER SECTION:
www.shanghai.baidu.com. 86400 IN A 3.3.3.3
;; AUTHORITY SECTION:
shanghai.baidu.com. 86400 IN NS dns1.shanghai.baidu.com.
;; ADDITIONAL SECTION:
dns1.shanghai.baidu.com. 86400 IN A 192.168.31.7
;; Query time: 0 msec
;; SERVER: 192.168.31.7#53(192.168.31.7)
;; WHEN: Mon Jul 23 15:14:37 CST 2018
;; MSG SIZE rcvd: 102
--------
实验:实现子域的委派
192.168.31.7作为主域,192.168.31.17作为子域,分部杭州
注意:关闭/etc/named.conf中的dnssec功能:
dnssec-enable no;
dnssec-validation no;
[root@slave:~]# cd /var/named/slaves/
[root@slave:slaves]# rm -f baidu.com.slave.zone
[root@slave:slaves]#
#主域
[root@centos7:named]# cat baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1.baidu.com. admin.baidu.com. (
1807222004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1.baidu.com.
NS dns2.baidu.com.
hangzhou NS dns4 #添加
dns1 A 192.168.31.7
dns2 A 192.168.31.6
dns4 A 192.168.31.17 #添加
web-nginx01 A 1.1.1.1
A 1.1.1.2
www CNAME web-nginx01
mail A 9.9.9.9
[root@subdomain:~]# vim /etc/named.rfc1912.zones
zone "hangzhou.baidu.com" IN {
type master;
file "hangzhou.baidu.com.zone";
};
[root@subdomain:~]# cat /var/named/hangzhou.baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1 admin (
1807222004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1
dns1 A 192.168.31.17
www A 7.7.7.7
[root@centos7:named]# systemctl restart named
[root@subdomain:~]# rndc reload
server reload successful
[root@client:~ ]# dig www.hangzhou.baidu.com @192.168.31.17
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.hangzhou.baidu.com @192.168.31.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53823
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 #aa权威记录
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hangzhou.baidu.com. IN A
;; ANSWER SECTION:
www.hangzhou.baidu.com. 86400 IN A 7.7.7.7
;; AUTHORITY SECTION:
hangzhou.baidu.com. 86400 IN NS dns1.hangzhou.baidu.com.
;; ADDITIONAL SECTION:
dns1.hangzhou.baidu.com. 86400 IN A 192.168.31.17
;; Query time: 0 msec
;; SERVER: 192.168.31.17#53(192.168.31.17)
;; WHEN: Mon Jul 23 15:34:55 CST 2018
;; MSG SIZE rcvd: 102
[root@client:~ ]# dig www.hangzhou.baidu.com @192.168.31.7
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.hangzhou.baidu.com @192.168.31.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60565 #status没有错误
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 #没有aa标志,说明是主域向子域服务器查询后得到的非权威应答
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.hangzhou.baidu.com. IN A
;; ANSWER SECTION:
www.hangzhou.baidu.com. 86400 IN A 7.7.7.7
;; AUTHORITY SECTION:
hangzhou.baidu.com. 86400 IN NS dns4.baidu.com.
;; ADDITIONAL SECTION:
dns4.baidu.com. 86400 IN A 192.168.31.17
;; Query time: 1351 msec
;; SERVER: 192.168.31.7#53(192.168.31.7)
;; WHEN: Mon Jul 23 15:35:26 CST 2018
;; MSG SIZE rcvd: 102
--------
dns转发:
把dns收到的、本机无法解析的请求,由默认去根域迭代查询,改为转发到其它dns服务器
条件转发:把特定域转到一个dns
#centos6恢复快照后
[root@centos6 network-scripts ]#vim ifcfg-Auto_eth1
HWADDR=00:0C:29:37:0C:A3
TYPE=Ethernet
BOOTPROTO=none
IPADDR=192.168.31.6
DNS1=192.168.31.7
[root@centos6 network-scripts ]#service network restart
[root@centos6 network-scripts ]#cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.31.7
---------
[root@centos7:named]# rm -rf shanghai.baidu.com.zone
[root@centos7:named]# cat baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1.baidu.com. admin.baidu.com. (
1807222004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1.baidu.com.
dns1 A 192.168.31.7
web-nginx01 A 1.1.1.1
www CNAME web-nginx01
mail A 9.9.9.9
[root@centos7:named]# systemctl restart named
Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
[root@centos7:named]# vim /etc/named.rfc1912.zones
#区域文件已删而/etc/named.rfc1912.zones中的shanghai.baidu.com区域定义仍在,导致启动失败;删除上海区域定义后再重启
[root@centos7:named]# systemctl restart named
[root@subdomain:named]# mv hangzhou.baidu.com.zone wange.com.zone
[root@subdomain:named]# vim /etc/named.rfc1912.zones
zone "wange.com" IN {
type master;
file "wange.com.zone";
};
[root@subdomain:named]# systemctl restart named
[root@centos6 slaves ]#dig www.wange.com @192.168.31.17
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.wange.com @192.168.31.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16052
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wange.com. IN A
;; ANSWER SECTION:
www.wange.com. 86400 IN A 7.7.7.7
;; AUTHORITY SECTION:
wange.com. 86400 IN NS dns1.wange.com.
;; ADDITIONAL SECTION:
dns1.wange.com. 86400 IN A 192.168.31.17
;; Query time: 9 msec
;; SERVER: 192.168.31.17#53(192.168.31.17)
;; WHEN: Fri Jul 20 16:59:48 2018
;; MSG SIZE rcvd: 82
[root@centos7:named]# vim /etc/named.conf
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forward first; #dns没有,就转发,目的dns没有,就到根域查找
forwarders {192.168.31.17;}; #转发目的dns,
dnssec-enable no; #由yes改为no。dnssec是dns的安全机制(对应答做签名验证),实验环境关闭以避免转发结果因验证失败被拒,正式环境不应随意关闭
dnssec-validation no; #由yes改为no
[root@centos7:named]# systemctl restart named
[root@centos6 slaves ]#dig www.wange.com @192.168.31.7
# 改为forward only; 没有的都转发,并且转发的服务器也没有,不会到根域去查找
[root@centos6 ~ ]#dig www.wange.com @192.168.31.7
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.wange.com @192.168.31.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15099
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wange.com. IN A
;; ANSWER SECTION:
www.wange.com. 86400 IN A 7.7.7.7
;; AUTHORITY SECTION:
wange.com. 86400 IN NS dns1.wange.com.
;; ADDITIONAL SECTION:
dns1.wange.com. 86400 IN A 192.168.31.17
;; Query time: 2 msec
;; SERVER: 192.168.31.7#53(192.168.31.7)
;; WHEN: Fri Jul 20 18:21:14 2018
;; MSG SIZE rcvd: 82
删除/etc/named.conf中上述全局转发配置,改为放到/etc/named.rfc1912.zones的区域定义中,这样只有wange.com才转发,其它的不转
[root@centos7:~]# vim /etc/named.rfc1912.zones
zone "wange.com" IN {
type forward;
forward first;
forwarders { 192.168.31.17;};
};
清空服务器dns缓存 rndc flush
===========================
==========================
============================
===========================
实验:智能DNS
智能DNS介绍
- CDN: Content Delivery Network内容分发网络
- 一般来说,阿里,腾讯有自建的机房,但也仅仅是华东地区布局,并没有覆盖全国,此类花费太巨。一般有专门提供CDN的服务商如:蓝汛,网宿,帝联等,
适合稍有规模的企业,另阿里,腾讯也对外提供CDN服务,价格稍贵
示例:如做视频的企业,流量较大,一般购买CDN较为划算,比提高企业带宽花费少,还能提供用户体验,一般把视频推到众多CDN服务器上去,定时更新,如果cdn上的视频没有,则去访问企业服务器的视频,且视频类网站如现在发展的IPTV基于ip的电视节目,都有和联通,电信,移动合作,利用他们的机房和线路,可以做到CDN,另外基于一些其它的策略如广播,单播,组播等技术可以解决视频带宽问题
CDN图
如百度,访问时,给一个别名,用户在搜索别名,根据用户的ip所在地和别名,决策离用户较近的ip地址,最后访问较近的百度服务器。此类DNS称为智能DNS
[root@centos7:~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8879
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 61.135.169.125
www.a.shifen.com. 5 IN A 61.135.169.121
;; Query time: 69 msec
;; SERVER: 192.168.139.2#53(192.168.139.2)
;; WHEN: Mon Jul 23 19:22:47 CST 2018
;; MSG SIZE rcvd: 90
bind有四个内置的acl:
none: 没有一个主机
any: 任意主机
localhost: 本机
localnet: 本机的IP同掩码运算后得到的网络地址
注意:只能先定义,后使用;因此一般定义在配置文件中,处于options的前面
实验环境:假设有北京公司,上海公司,其它公司等,三个地区的主机
[root@centos7:~]# vim /etc/named.conf
acl beijingnet {
192.168.31.0/24;
10.0.0.0/8;
};
acl shanghainet {
172.18.0.0/16;
};
acl othernet {
any;
}; #acl按view的先后顺序匹配,any匹配任何主机,因此othernet要放在最后一个view中使用
options {
li
[root@centos7:named]# cp -p baidu.com.zone baidu.com.zone.bj
[root@centos7:named]# cp -p baidu.com.zone baidu.com.zone.sh
[root@centos7:named]# cp -p baidu.com.zone baidu.com.zone.other
[root@centos7:named]# pwd
/var/named
[root@centos7:named]# cat baidu.com.zone
$TTL 86400 ; 1 day
@ IN SOA dns1.baidu.com. admin.baidu.com. (
1807222004 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns1.baidu.com.
dns1 A 192.168.31.7
web-nginx01 A 192.168.31.1
www CNAME web-nginx01
mail A 9.9.9.9
[root@centos7:named]# cat baidu.com.zone.bj
***省略***
web-nginx01 A 1.1.1.1
***省略***
[root@centos7:named]# cat baidu.com.zone.sh
***省略***
web-nginx01 A 2.2.2.2
***省略***
[root@centos7:named]# cat baidu.com.zone.other
***省略***
web-nginx01 A 3.3.3.3
***省略***
把acl和定义的区域文件连接起来 acl zone、需要用到view
只要用到view,/etc/named.conf文件中的所有zone(包括根提示区域".")都必须放到view内部或view所include的文件中去
[root@centos7:etc]# vim /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
#把上述zone{};放到如下文件中去
[root@centos7:etc]# vim /etc/named.rfc1912.zones
[root@centos7:etc]# vim named.conf
***省略***
view beijingview {
match-clients {beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients {shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients {othernet;};
include "/etc/named.rfc1912.zones.other";
};
include "/etc/named.rfc1912.zones"; #此行删除
include "/etc/named.root.key";
[root@centos7:etc]# cp named.rfc1912.zones named.rfc1912.zones.bj -p
[root@centos7:etc]# cp named.rfc1912.zones named.rfc1912.zones.sh -p
[root@centos7:etc]# cp named.rfc1912.zones named.rfc1912.zones.other -p
[root@centos7:etc]# vim named.rfc1912.zones.bj
zone "baidu.com" IN {
type master;
file "baidu.com.zone.bj";
};
[root@centos7:etc]# vim named.rfc1912.zones.sh
zone "baidu.com" IN {
type master;
file "baidu.com.zone.sh";
};
[root@centos7:etc]# vim named.rfc1912.zones.other
zone "baidu.com" IN {
type master;
file "baidu.com.zone.other";
};
[root@centos7:etc]# ll named.rfc1912.zones*
-rw-r----- 1 root named 1150 Jul 23 19:44 named.rfc1912.zones
-rw-r----- 1 root named 1129 Jul 23 19:56 named.rfc1912.zones.bj
-rw-r----- 1 root named 1132 Jul 23 19:57 named.rfc1912.zones.other
-rw-r----- 1 root named 1129 Jul 23 19:57 named.rfc1912.zones.sh
#检查配置文件语法,没有输出即表示没有错误
[root@centos7:etc]# named-checkconf
[root@centos7:etc]# rndc reload
server reload successful
[root@centos6 ~ ]#dig www.baidu.com @192.168.31.7
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.baidu.com @192.168.31.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33059
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 86400 IN CNAME web-nginx01.baidu.com.
web-nginx01.baidu.com. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
baidu.com. 86400 IN NS dns1.baidu.com.
;; ADDITIONAL SECTION:
dns1.baidu.com. 86400 IN A 192.168.31.7
;; Query time: 0 msec
;; SERVER: 192.168.31.7#53(192.168.31.7)
;; WHEN: Fri Jul 20 20:40:33 2018
;; MSG SIZE rcvd: 108
dns服务器还有一个桥接模式的ip地址为172.18.122.109/16
[root@centos6 ~ ]#dig www.baidu.com @172.18.122.109
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.baidu.com @172.18.122.109
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29423
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 86400 IN CNAME web-nginx01.baidu.com.
web-nginx01.baidu.com. 86400 IN A 2.2.2.2
;; AUTHORITY SECTION:
baidu.com. 86400 IN NS dns1.baidu.com.
;; ADDITIONAL SECTION:
dns1.baidu.com. 86400 IN A 192.168.31.7
;; Query time: 4 msec
;; SERVER: 172.18.122.109#53(172.18.122.109)
;; WHEN: Fri Jul 20 20:45:19 2018
;; MSG SIZE rcvd: 108
[root@centos7:etc]# dig www.baidu.com @127.0.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4462
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 86400 IN CNAME web-nginx01.baidu.com.
web-nginx01.baidu.com. 86400 IN A 3.3.3.3
;; AUTHORITY SECTION:
baidu.com. 86400 IN NS dns1.baidu.com.
;; ADDITIONAL SECTION:
dns1.baidu.com. 86400 IN A 192.168.31.7
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 23 20:10:30 CST 2018
;; MSG SIZE rcvd: 119