实验1:在centos7上部署dns实现对magedu.com的正向解析及对192.168.153的反向解析
1.
[root@centos7(nanyibo) ~]# yum -y install bind
2.
[root@centos7(nanyibo) ~]# vim /etc/named.conf
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
allow-query { any; };
……
include "/etc/named.magedu.zones";
3.
[root@centos7(nanyibo) ~]# cp -p /etc/named.rfc1912.zones /etc/named.magedu.zones
[root@centos7(nanyibo) ~]# vim /etc/named.magedu.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
zone "153.168.192.in-addr.arpa" IN {
type master;
file "192.168.153.zone";
};
[root@centos7(nanyibo) ~]# named-checkconf
4.
[root@centos7(nanyibo) ~]# cd /var/named/
[root@centos7(nanyibo) named]# cp -p named.localhost magedu.com.zone
[root@centos7(nanyibo) named]# vim magedu.com.zone
$TTL 1D
@ IN SOA @ admin.magedu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
magedu.com. NS ns1.magedu.com.
ns1.magedu.com. 3600 IN A 192.168.153.7
www A 192.168.153.6
[root@centos7(nanyibo) named]# cp -p magedu.com.zone 192.168.153.zone
[root@centos7(nanyibo) named]# vim 192.168.153.zone
$TTL 1D
@ IN SOA magedu.com. admin.magedu.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1.magedu.com.
7 PTR ns1.magedu.com.
6 PTR www.magedu.com.
5.
[root@centos7(nanyibo) ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 0
OK
[root@centos7(nanyibo) ~]# named-checkzone 153.168.192.in-addr.arpa /var/named/192.168.153.zone
zone 153.168.192.in-addr.arpa/IN: loaded serial 0
OK
[root@centos7(nanyibo) ~]# rndc reload
server reload successful
或
[root@centos7(nanyibo) ~]# systemctl restart named
6.客户端测试
[root@centos6(nanyibo) ~]# vim /etc/resolv.conf
nameserver 192.168.153.7
[root@centos6(nanyibo) ~]# nslookup
> www.magedu.com
Server: 192.168.153.7
Address: 192.168.153.7#53
Name: www.magedu.com
Address: 192.168.153.6
> 192.168.153.6
Server: 192.168.153.7
Address: 192.168.153.7#53
6.153.168.192.in-addr.arpa name = www.magedu.com.
dig测试
[root@centos6(nanyibo) ~]# dig -t ns magedu.com @192.168.153.7
[root@centos6(nanyibo) ~]# dig www.magedu.com @192.168.153.7
[root@centos6(nanyibo) ~]# dig -x 192.168.153.7 @192.168.153.7
实验2:DNS的主从
1.yum -y install bind
2.vim /etc/named.conf
3.vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type slave;
masters { 192.168.153.7; };
file "slaves/magedu.com.ZONE";
};
4.service named restart
在主dns上应该设置allow-transfer,确保只有授权的从dns主机才能进行区域传送(AXFR)
allow-transfer { 192.168.153.6; };
dig -t axfr magedu.com @192.168.153.7
实验三、
client:192.168.153.5
caching-only: 192.168.153.10
.: 192.168.153.9
com: 192.168.153.8
magedu.com: master 192.168.153.7 slave 192.168.153.6
1.除client以外,所有机器安装bind,并都清空防火墙和关闭selinux(仅限实验环境的简化做法)。
所有安装bind的主机配置named.conf,修改2个any(listen-on 与 allow-query,见实验1),2个no,除caching-only以外,都把递归设置为no。
2.除root以外,所有机器修改named.ca,内容如下
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 192.168.153.9
3.配置root
a. named.conf中删除引用named.ca的 zone "." hint 项目(本机自身就是根,不需要根提示文件)
b. rfc1912文件
zone "." IN {
type master;
file "root.zone";
};
c. root.zone
$TTL 1D
@ IN SOA ns. admin. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.
ns. A 192.168.153.9
com. NS ns.com.
ns.com. A 192.168.153.8
d.启动named
4.配置com
a. rfc1912文件
zone "com" IN {
type master;
file "com.zone";
};
b. com.zone
$TTL 1D
@ IN SOA ns.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.com.
ns A 192.168.153.8
magedu.com. NS ns1.magedu.com.
magedu.com. NS ns2.magedu.com.
ns1.magedu.com. A 192.168.153.7
ns2.magedu.com. A 192.168.153.6
c.启动named
5.配置主magedu.com
a. rfc1912文件
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
b. magedu.com.zone
$TTL 1D
@ IN SOA ns1.magedu.com. rname.invalid. (
2018091301 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.magedu.com.
NS ns2.magedu.com.
ns1 A 192.168.153.7
ns2 A 192.168.153.6
www A 1.1.1.1
ftp A 2.2.2.2
* A 10.10.10.10
c.启动named
6.配置从magedu.com
a. rfc1912文件
zone "magedu.com" IN {
type slave;
masters { 192.168.153.7; };
file "slaves/MAGEDU.COM.ZONE";
};
b. 启动named
7.client修改/etc/resolv.conf
nameserver 192.168.153.10 #指向缓存caching-only
测试:可以反复地给主、从增加防火墙策略,验证查询www.magedu.com时能自动在主从之间切换
iptables -A INPUT -p udp --dport 53 -j REJECT
iptables -F 清空上述规则(恢复)
注意:测试时要清空caching-server上的缓存 rndc flush
实验四、
主从同步
解决实验2中主dns仅用 allow-transfer { 192.168.153.6; }; 按来源IP限制区域传送的不足(来源IP可被伪造,缺少身份认证)
在主dns上生成tsig共享密钥(HMAC对称密钥,并非公私钥对;HMAC-MD5仅用于实验,生产环境应改用hmac-sha256等更强算法)
1.在主dns上生成包含密钥字符串的钥匙文件
[root@dns_magedu(nanyibo) ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
2.读取生成的文件,复制其中的加密字符串
[root@dns_magedu(nanyibo) ~]# cat Kmaster-slave.+157+20659.key
master-slave. IN KEY 512 3 157 JSWJNylimpeBp49z5mXhPg==
把JSWJNylimpeBp49z5mXhPg== 复制
3.编写密钥文件
[root@dns_magedu(nanyibo) ~]# vim /etc/transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "JSWJNylimpeBp49z5mXhPg==";
};
设置权限为440,owner为root,group为named(避免密钥被其他用户读取)
4.编写named.conf
include "/etc/transfer.key";
options {
……
allow-transfer { key master-slave; };
……
}
5.将密钥文件发往从dns
[root@dns_magedu(nanyibo) ~]# rsync -pogv /etc/transfer.key [email protected]:/etc/
6.在从dns上配置启用密钥
[root@centos6(nanyibo) ~]# vim /etc/named.conf
include "/etc/transfer.key";
options {
}
server 192.168.153.7 {
keys { master-slave; };
};
7.重启named服务。从dns可以通过带密钥认证的区域传送下载zone文件,但不带密钥的 dig -t axfr 会被拒绝。
注意:主从之间时间要同步(TSIG签名包含时间戳,时间偏差过大会导致验证失败)
实验五、
DNS视图:view 不同的client查询相同的记录返回不同的结果。
named.conf
view bjview {
match-clients { beijing; };
include "/etc/named.bj.zones";
};
view zzview {
match-clients { zhengzhou; };
include "/etc/named.zz.zones";
};
cat /etc/named.bj.zones
zone "example.com" IN {
type master;
file "example.com.zone";
};
cat /etc/named.zz.zones
zone "example.com" IN {
type master;
file "example.com.ZONE";
};
cat /var/named/example.com.zone
$TTL 1D
@ IN SOA ns.example.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.example.com.
ns A 192.168.153.10
www A 100.100.100.100
cat /var/named/example.com.ZONE
$TTL 1D
@ IN SOA ns.example.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.example.com.
ns A 192.168.153.10
www A 200.200.200.200
/etc/nsswitch.conf
hosts: files dns 决定了域名解析的顺序 hosts -> dns
CNAME:
music.magedu.com. CNAME music.qq.com.
实验六、
全局转发:
vim /etc/named.conf
options {
……
forward only|first;默认是first
forwarders { x.x.x.x; };
……
};
only: 本机有的结果优先,本机查不到,则交给转发。转发也查不到,则结束,报告查不到。
first: 本机有的结果优先,本机查不到,则交给转发。转发查不到(包含转发自己的以及转发迭代的),则本机再迭代。
特定区域转发:
zone "alibaba.com" {
type forward;
forwarders { 192.168.153.11; };
};
实验七、
编译dns
1.解压
tar xvf bind-9.12.1.tar.gz -C /usr/local/src/
2.useradd -u 25 -r -m -d /var/named -s /sbin/nologin named
3.yum -y groupinstall "development tools"
4. ./configure --prefix=/app/bind9 --sysconfdir=/etc/bind9 --without-openssl
5.make && make install
6.vim /etc/profile.d/mage.sh
export PATH=/app/bind9/sbin:$PATH
7.vim /etc/bind9/named.conf
options {
directory "/var/named";
};
zone "." {
type hint;
file "named.ca";
};
zone "test.com" {
type master;
file "test.com.zone";
};
8.vim /var/named/named.ca
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 192.168.153.9
9.vim /var/named/test.com.zone
$TTL 1d
@ IN SOA ns.test.com. admin (1 1d 10m 1w 1d)
NS ns.test.com.
ns A 192.168.153.10
www A 123.123.123.123
10.named -u named -f &
11.rndc支持
rndc-confgen -r /dev/urandom > /etc/bind9/rndc.conf
12.tail /etc/bind9/rndc.conf >> /etc/bind9/named.conf,并去掉追加进来的 key/controls 段行首的#
13.killall -SIGHUP named
14.rndc reload
实验八、
dns的压力测试
1.[root@caching-server(nanyibo) ~]# cd /usr/local/src/bind-9.12.1/contrib/queryperf/
2.[root@caching-server(nanyibo) queryperf]# ./configure
3.[root@caching-server(nanyibo) queryperf]# make
4.[root@caching-server(nanyibo) queryperf]# cp queryperf /app/bind9/sbin/
5.写一个测试文件
[root@caching-server(nanyibo) ~]# tail /app/ceshidns.txt
www.aa.com A
test.com NS
test.com A
www.b.com A
a.com NS
www.magedu.com A
www.aa.com A
test.com NS
test.com A
www.b.com A
[root@caching-server(nanyibo) ~]# wc -l /app/ceshidns.txt
210240 /app/ceshidns.txt
6.[root@caching-server(nanyibo) ~]# queryperf -d /app/ceshidns.txt
实验九、