Copyright notice: reposting is welcome, please credit the source! https://blog.csdn.net/miss1181248983/article/details/90779267
Introduction to DNS configuration
Main configuration file /etc/named.conf
options {...}; global settings for the DNS server
listen-on port 53 {...;}; port and IP addresses the named service listens on
directory directory holding the database files, i.e. where the zone files live
dump-file/statistics-file/memstatistics-file
files that receive the cache dump and the statistics of the named service
allow-query {...;}; hosts allowed to send queries to this DNS server
allow-transfer {...;}; hosts allowed to pull a complete copy of a zone (an AXFR/IXFR zone transfer, which is what a slave does); it has nothing to do with forwarding, and left unrestricted it hands your whole host list to anyone who asks
allow-update {...;}; hosts allowed to send dynamic DNS updates
recursion whether the server resolves names it is not authoritative for on behalf of clients; with no it only answers for its own zones and never walks out to the root servers. recursion yes combined with allow-query { any; } makes an open resolver, so pair it with allow-recursion { localnets; } (or similar) on any server reachable from outside
forward whether to hand queries to forwarders
only only forward, never resolve iteratively
first ask the forwarders first and fall back to iterative resolution if they do not answer
default is first
forwarders {ip1;ip2;....;}; the upstream DNS servers to forward to
zone "xxx" IN {...}; zone declaration
type zone type
hint the root hints zone (the list of root servers)
master this server is the primary (master) for the zone
slave this server is a secondary (slave) for the zone
file where the zone's database file is
view " " {...}; view declaration (serve different answers to different clients)
acl "xxx" {...;}; define an access control list named xxx
built-in ACLs: localhost/localnets/any/none: every address of this host/every network this host is attached to/any address/no address at all
include " "; put the many zone declarations in a separate file so the main configuration stays manageable
Database files /var/named/*
the DNS server's zone data (resource records)
$TTL default time the zone's records may live in a client's cache
SOA start of authority for the zone; required
format: zone IN SOA primary-DNS-server-name admin-mailbox (
serial; serial number; a slave only re-transfers the zone when the master's serial is larger than the one it holds
refresh; how often the slave checks the master for a newer serial
retry; how long the slave waits before trying again after a failed refresh
expire; how long after its last successful contact with the master the slave's copy of the zone is discarded (the slave then stops answering for the zone)
minimum; negative-cache TTL: how long a resolver may cache a "no such record" answer for this zone
)
The second name in the SOA is not a mail server: it is the administrator's mailbox with the @ written as a dot, so hostmaster.lzxlinux.com. stands for hostmaster@lzxlinux.com.
NS name of a DNS server that is authoritative for the zone; every zone has its own NS records; required
A IPv4 address for a host name; required
AAAA IPv6 address
MX the zone's mail server (preceded by a preference number; lower wins)
CNAME alias for a host name, used to point several names at one host; when the host's IP changes only the target's A record needs editing, not each alias
format: alias IN CNAME canonical-host-name
PTR short for PoinTeR; the reverse-lookup record whose data is the host name an IP address resolves back to; required in reverse zone files
For the SOA timers, for example:
1804170045
5
5
2592000
3600
meaning: serial 1804170045 (the 45th change on 2018/4/17, YYMMDDnnnn form), the slave refreshes from the master every 5 seconds, retries 5 seconds after a failure, gives up the zone after 2592000 seconds (30 days) without contact, and a failed lookup is cached by other DNS servers for 3600 seconds. Refresh and retry values this low only make sense in a lab; the zone files below use 1D and 1H.
Common DNS lookup commands
Look up the IP of a host name
host [option] <FQDN> [server]
-a list all records in detail
-l list every host in the domain (this performs a zone transfer, so it only works where allow-transfer permits it, which makes it a quick test of that setting)
nslookup <FQDN> [server]
supports forward and reverse lookups
dig [option] <FQDN> [@server]
+trace follow the delegation chain down from the root servers
-t <type> query a specific record type
-x reverse lookup
whois <domain>
look up the registration information of a domain
the command comes from the jwhois package
rndc reload re-read named.conf and reload the zones
named-checkconf check the syntax of the main configuration file named.conf
named-checkzone <zone> <file> check a zone file before loading it; named logs an error and does not serve a zone whose file has a syntax error
Installing DNS
- Plan:
1. the zone is lzxlinux.com; the DNS server's name is master.lzxlinux.com, and the zone also has a host named www.lzxlinux.com;
2. www.lzxlinux.com has an alias (CNAME) ftp.lzxlinux.com;
3. the zone's mail server is www.lzxlinux.com;
4. the DNS server's IP is 192.168.30.254, and another machine on the same subnet, 192.168.30.131, is used for testing;
5. the server provides both forward and reverse resolution.
One IP can carry several host names, and one host name can map to several IPs.
- Install:
yum install -y bind bind-utils
- Edit the configuration:
vim /etc/named.conf
options {
listen-on port 53 { 192.168.30.254; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-recursion { localnets; }; // authoritative answers for our zones stay open to all; recursion only for attached networks, so this is not an open resolver
recursion yes;
dnssec-enable no;
dnssec-validation no; // validation off: only acceptable in an isolated lab
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "lzxlinux.com" IN {
type master;
file "named.lzxlinux.com";
};
zone "30.168.192.in-addr.arpa" IN { // reverse zone: the network part of the IP written backwards under in-addr.arpa
type master;
file "named.192.168.30";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
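The options explained at the top of the page and the named.conf above combine allow-query { any; } with recursion yes and switch DNSSEC validation off. The following added example (not from the original post) is a small parser for named.conf's `keyword args { nested; };` syntax plus an audit that flags exactly those combinations: an open resolver, validation off, and zone transfers left unrestricted. The two configurations embedded in it are constructed for the example, the first cut down from this page's named.conf and the second a hardened variant of the same server; nothing else is assumed.

```python
"""Audit a BIND named.conf for the option combinations that turn an authoritative
lab server into an open resolver or leak its zones."""
import re

def tokenize(text):
    """Drop /* */, // and # comments, then split into words, quoted strings, { } ;"""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse(tokens, i=0):
    """Parse `keyword args... [{ nested }];` statements into (keyword, args, nested) tuples."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i].strip('"'))
            i += 1
        nested = None
        if i < len(tokens) and tokens[i] == "{":
            nested, i = parse(tokens, i + 1)      # comes back with i on the closing '}'
            i += 1
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        if words:
            stmts.append((words[0], words[1:], nested))
    return stmts, i

def parse_named_conf(text):
    return parse(tokenize(text))[0]

def get(block, keyword):
    """(args, [entries of the nested block]) of the first statement with that keyword, else None."""
    for kw, args, nested in block or []:
        if kw == keyword:
            return args, [entry[0] for entry in (nested or [])]
    return None

def audit(stmts):
    findings = []
    opts = next((nested for kw, _, nested in stmts if kw == "options"), [])
    recursion = get(opts, "recursion")
    recursive = recursion is None or recursion[0][0] == "yes"      # BIND default: yes
    query = get(opts, "allow-query")
    query_any = query is not None and "any" in query[1]
    # allow-recursion falls back to allow-query-cache, then to allow-query, then localnets
    limiter = get(opts, "allow-recursion") or get(opts, "allow-query-cache")
    limited = limiter is not None and "any" not in limiter[1]
    if recursive and query_any and not limited:
        findings.append("open-resolver: recursion yes + allow-query any, no allow-recursion limit")
    validation = get(opts, "dnssec-validation")
    if validation is not None and validation[0][0] == "no":
        findings.append("dnssec-validation no: forged upstream answers are accepted as-is")
    transfer = get(opts, "allow-transfer")
    if transfer is None or "any" in transfer[1]:
        findings.append("allow-transfer: not restricted in options (default lets any host AXFR)")
    for kw, args, nested in stmts:
        ztype = get(nested, "type") if kw == "zone" else None
        if ztype and ztype[0][0] in ("master", "primary"):
            zx = get(nested, "allow-transfer")
            if zx is not None and "any" in zx[1]:
                findings.append(f"zone {args[0]}: allow-transfer any")
    return findings

# Constructed configs: this page's first named.conf reduced to its security-relevant
# options, and a hardened variant of the same server.
PAGE_CONF = """
options {
    listen-on port 53 { 192.168.30.254; };
    allow-query { any; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
zone "." IN { type hint; file "named.ca"; };
zone "lzxlinux.com" IN { type master; file "named.lzxlinux.com"; };
zone "30.168.192.in-addr.arpa" IN { type master; file "named.192.168.30"; }; # reverse zone
"""
HARDENED_CONF = """
options {
    listen-on port 53 { 192.168.30.254; };
    allow-query { any; };            // anyone may ask for our authoritative data
    allow-recursion { localnets; };  // only attached networks may use us as a resolver
    allow-transfer { none; };        // no zone transfers unless a zone says otherwise
    recursion yes;
    dnssec-validation yes;
};
zone "lzxlinux.com" IN { type master; file "named.lzxlinux.com"; allow-transfer { 192.168.30.253; }; };
"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_named_conf(conf)) or ["no findings"])
```

To audit a real server, feed it `open("/etc/named.conf").read()`; include files are not followed, so run it on each included file as well.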
- Edit the forward zone file:
A forward zone file must contain $TTL, SOA, NS and A records
vim /var/named/named.lzxlinux.com
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. ( ; primary server, then the admin mailbox (www@lzxlinux.com; this is not the mail-server record)
2019053101 ; serial, YYYYMMDDnn: increment it on every edit or slaves never re-transfer
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-cache TTL)
@ IN NS master.lzxlinux.com.
@ IN MX 10 www.lzxlinux.com. ; 10 is the preference
master.lzxlinux.com. IN A 192.168.30.254
www.lzxlinux.com. IN A 192.168.30.254
ftp.lzxlinux.com. IN CNAME www.lzxlinux.com. ; alias; resolvers follow it to the A record of www
- Edit the reverse zone file:
A reverse zone file must contain $TTL, SOA, NS and PTR records
vim /var/named/named.192.168.30
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. ( ; same SOA layout as the forward zone
2019053101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS master.lzxlinux.com.
254 IN PTR master.lzxlinux.com. ; owner 254 is relative to the origin 30.168.192.in-addr.arpa.
254 IN PTR www.lzxlinux.com. ; a second PTR for the same address is legal, but most software only uses the first one returned, so one canonical name per address is the norm
- Start named:
Run named-checkconf, and named-checkzone with the zone name followed by the file, on both zone files first; named logs an error and does not serve a zone whose file has a syntax error.
systemctl start named
- Resolution test:
On 192.168.30.131:
vim /etc/sysconfig/network-scripts/ifcfg-ens33
#DNS1="8.8.8.8" #disable the external DNS
DNS1="192.168.30.254"
Then restart the network service (or bring ens33 down and up) so the change is written to /etc/resolv.conf, and install the client tools:
yum install -y bind-utils
dig master.lzxlinux.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> master.lzxlinux.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.lzxlinux.com. IN A
;; ANSWER SECTION:
master.lzxlinux.com. 86400 IN A 192.168.30.254
;; AUTHORITY SECTION:
lzxlinux.com. 86400 IN NS master.lzxlinux.com.
;; Query time: 2 msec
;; SERVER: 192.168.30.254#53(192.168.30.254)
;; WHEN: Sun Jun 02 21:45:20 EDT 2019
;; MSG SIZE rcvd: 78
Forward lookup succeeded. The aa flag in the header shows this is an authoritative answer from our own zone, and the AUTHORITY section lists the zone's NS.
dig -x 192.168.30.254
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 192.168.30.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7803
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;254.30.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
254.30.168.192.in-addr.arpa. 86400 IN PTR www.lzxlinux.com.
254.30.168.192.in-addr.arpa. 86400 IN PTR master.lzxlinux.com.
;; AUTHORITY SECTION:
30.168.192.in-addr.arpa. 86400 IN NS master.lzxlinux.com.
;; ADDITIONAL SECTION:
master.lzxlinux.com. 86400 IN A 192.168.30.254
;; Query time: 1 msec
;; SERVER: 192.168.30.254#53(192.168.30.254)
;; WHEN: Sun Jun 02 21:50:03 EDT 2019
;; MSG SIZE rcvd: 137
Reverse lookup succeeded; both PTR records for 254 came back.
dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29209
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1083 IN CNAME www.a.shifen.com.
www.a.shifen.com. 212 IN A 115.239.211.112
www.a.shifen.com. 212 IN A 115.239.210.27
;; Query time: 7 msec
;; SERVER: 192.168.30.254#53(192.168.30.254)
;; WHEN: Sun Jun 02 21:50:47 EDT 2019
;; MSG SIZE rcvd: 101
External resolution works too. This answer carries no aa flag and its TTLs are counting down: the server resolved it recursively and serves it from cache. That is exactly the service an open resolver offers the whole internet (a cache-poisoning and amplification target), which is why recursion must be limited to the LAN with allow-recursion whenever the server is reachable from outside.
Configuring master and slave DNS
Every zone should have at least two DNS servers so that lookups keep working when one is down: a master and a slave. The slave has no zone file of its own to edit; it pulls a copy from the master by zone transfer, which the master must explicitly allow (newer BIND documentation calls the pair primary and secondary).
- Plan:
192.168.30.254 is the master, named master.lzxlinux.com; 192.168.30.253 is the slave, named slave.lzxlinux.com; together they serve the zone lzxlinux.com.
- Edit the master's configuration:
vim /etc/named.conf
options {
listen-on port 53 { 192.168.30.254; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-transfer { none; }; // global default: nobody may transfer; zones re-open it for the slave only
allow-recursion { localnets; }; // recursion for attached networks only; authoritative answers stay open
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "lzxlinux.com" IN {
type master;
file "named.lzxlinux.com";
allow-transfer { 192.168.30.253; }; // only the slave may AXFR this zone; an IP ACL trusts the source address, a TSIG key would tie the transfer to a shared secret
};
zone "30.168.192.in-addr.arpa" IN {
type master;
file "named.192.168.30";
allow-transfer { 192.168.30.253; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
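With allow-transfer set per zone as above, the check to run from a host that is not the slave (192.168.30.131, say) is `dig axfr lzxlinux.com @192.168.30.254`, which must come back with "Transfer failed." The following added example (not from the original post) does the same at the wire level with nothing but the standard library, so it also documents what an AXFR request looks like on the network: a TCP connection, a two-byte length prefix, a 12-byte header and one question of type AXFR (252), as laid out in RFC 1035 and RFC 5936. The server address and zone name passed on the command line are assumptions for this lab; the response bytes checked below are constructed, not captured.

```python
"""Probe whether a DNS server lets this client perform a zone transfer (AXFR)."""
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}

def encode_name(name):
    """Wire-format name: each label prefixed by its length, terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, qid):
    """12-byte header (flags 0: RD clear, AXFR asks the authority, not a resolver)
    followed by a single question for the zone name, type AXFR, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)

def classify_response(msg, qid):
    """Verdict from the first response message: an allowed transfer answers NOERROR
    with records (the SOA comes first); allow-transfer denies with REFUSED."""
    if len(msg) < 12:
        return "ERROR: short response"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        return "ERROR: transaction ID mismatch"
    rcode = RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}")
    if rcode == "NOERROR" and ancount > 0:
        return f"OPEN: server sent {ancount} records in the first message; allow-transfer is too permissive"
    return f"{rcode}: transfer denied or zone unknown"

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def probe_axfr(server, zone, qid=0x1234, timeout=5):
    """Zone transfers run over TCP with a two-byte length prefix on every message."""
    query = build_axfr_query(zone, qid)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            return classify_response(recv_exact(s, length), qid)
    except OSError as e:          # timeout, connection refused, reset by peer
        return f"ERROR: {e}"

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1:3]      # e.g. 192.168.30.254 lzxlinux.com (assumed lab values)
    print(probe_axfr(server, zone))
```

Run it once from the slave (expect OPEN) and once from any other host (expect REFUSED); anything else from an unauthorised host means the ACL is not doing what the configuration suggests.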
- Edit the master's forward zone file:
vim /var/named/named.lzxlinux.com
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. (
2019053101 ; serial: the slave compares this with its own copy, so raise it on every edit
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS master.lzxlinux.com.
@ IN NS slave.lzxlinux.com. ; the master sends NOTIFY to every NS listed here
@ IN MX 10 www.lzxlinux.com.
master.lzxlinux.com. IN A 192.168.30.254
slave.lzxlinux.com. IN A 192.168.30.253
www.lzxlinux.com. IN A 192.168.30.254
ftp.lzxlinux.com. IN CNAME www.lzxlinux.com.
- Edit the master's reverse zone file:
vim /var/named/named.192.168.30
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. (
2019053101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS master.lzxlinux.com.
@ IN NS slave.lzxlinux.com.
254 IN PTR master.lzxlinux.com.
254 IN PTR www.lzxlinux.com.
253 IN PTR slave.lzxlinux.com.
- Edit the slave's configuration:
vim /etc/named.conf
options {
listen-on port 53 { localhost; }; // the built-in localhost ACL matches every address of this host, so this listens on 192.168.30.253 as well, not only on 127.0.0.1
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-transfer { none; }; // the slave holds the full zone as well, so it must refuse AXFR too
allow-recursion { localnets; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "lzxlinux.com" IN {
type slave;
file "slaves/named.lzxlinux.com"; // written by named itself; /var/named/slaves is the directory named may write to
masters { 192.168.30.254; };
};
zone "30.168.192.in-addr.arpa" IN {
type slave;
file "slaves/named.192.168.30";
masters { 192.168.30.254; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Restart named on master and slave:
systemctl restart named
On the slave, /var/named/slaves/ now holds two new files: the copies of the master's zones pulled by zone transfer.
ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 383 Jun 3 10:51 named.192.168.30
-rw-r--r-- 1 named named 449 Jun 3 10:51 named.lzxlinux.com
- Look in /var/log/messages; the transfer is logged. The './NS/IN' FORMERR and 'network unreachable' lines in between are named priming its root hints for the recursive side (this lab has no IPv6 route) and have nothing to do with the transfer:
vim /var/log/messages
Jun 3 10:51:02 test6 named[6660]: zone 30.168.192.in-addr.arpa/IN: Transfer started.
Jun 3 10:51:02 test6 named[6660]: transfer of '30.168.192.in-addr.arpa/IN' from 192.168.30.254#53: connected using 192.168.30.253#44120
Jun 3 10:51:02 test6 named[6660]: zone 30.168.192.in-addr.arpa/IN: transferred serial 2019053101
Jun 3 10:51:02 test6 named[6660]: transfer of '30.168.192.in-addr.arpa/IN' from 192.168.30.254#53: Transfer completed: 1 messages, 7 records, 220 bytes, 0.005 secs (44000 bytes/sec)
Jun 3 10:51:02 test6 named[6660]: zone 30.168.192.in-addr.arpa/IN: sending notifies (serial 2019053101)
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.203.230.10#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.33.4.12#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.58.128.30#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:500:84::b#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.36.148.17#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 193.0.14.129#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 198.41.0.4#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 199.7.91.13#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.5.5.241#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 199.7.83.42#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 202.12.27.33#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.228.79.201#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 192.112.36.4#53
Jun 3 10:51:02 test6 named[6660]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Jun 3 10:51:02 test6 named[6660]: FORMERR resolving './NS/IN': 198.97.190.53#53
Jun 3 10:51:02 test6 named[6660]: zone lzxlinux.com/IN: Transfer started.
Jun 3 10:51:02 test6 named[6660]: transfer of 'lzxlinux.com/IN' from 192.168.30.254#53: connected using 192.168.30.253#56074
Jun 3 10:51:02 test6 named[6660]: zone lzxlinux.com/IN: transferred serial 2019053101
Jun 3 10:51:02 test6 named[6660]: transfer of 'lzxlinux.com/IN' from 192.168.30.254#53: Transfer completed: 1 messages, 9 records, 229 bytes, 0.033 secs (6939 bytes/sec)
Jun 3 10:51:02 test6 named[6660]: zone lzxlinux.com/IN: sending notifies (serial 2019053101)
Configuring a delegated subdomain DNS
- Plan:
192.168.30.254 is the master, named master.lzxlinux.com; 192.168.30.253 is the slave, named slave.lzxlinux.com; together they serve the zone lzxlinux.com.
Under lzxlinux.com. the subdomain centos.lzxlinux.com. is delegated to 192.168.30.128, whose name is dns.centos.lzxlinux.com.
- Edit the parent master's forward zone file:
vim /var/named/named.lzxlinux.com
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. (
2019053102 ; serial: incremented, otherwise the slave keeps its old copy and never learns about the delegation
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS master.lzxlinux.com.
@ IN NS slave.lzxlinux.com.
@ IN MX 10 www.lzxlinux.com.
centos.lzxlinux.com. IN NS dns.centos.lzxlinux.com. ; delegation: the child's name server
dns.centos.lzxlinux.com. IN A 192.168.30.128 ; glue: the NS lives inside the child zone, so the parent must supply its address
master.lzxlinux.com. IN A 192.168.30.254
slave.lzxlinux.com. IN A 192.168.30.253
www.lzxlinux.com. IN A 192.168.30.254
ftp.lzxlinux.com. IN CNAME www.lzxlinux.com.
- Configure the child DNS server:
Note: the child server must forward. It only knows its own zone and the root hints, and lzxlinux.com does not exist on the public internet, so without forwarders { 192.168.30.254; } the parent can resolve the child but the child cannot resolve the parent. forward first still falls back to iterative resolution through the roots when the forwarder does not answer; for a purely private parent, forward only keeps internal names from leaking to the root servers.
yum install -y bind bind-utils
vim /etc/named.conf
options {
listen-on port 53 { 192.168.30.128; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-recursion { localnets; };
forward first; // ask the forwarder first, then resolve via the root hints if it fails
forwarders { 192.168.30.254; }; // the parent zone's master
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "centos.lzxlinux.com" IN {
type master;
file "named.centos.lzxlinux.com";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Edit the child's forward zone file:
Note: the second SOA field is the zone administrator's mailbox (www@centos.lzxlinux.com here), not a mail server; the MX record is what names the mail server.
vim /var/named/named.centos.lzxlinux.com
$TTL 600
@ IN SOA dns.centos.lzxlinux.com. www.centos.lzxlinux.com. (
2019053101 ; serial
3600 ; refresh
3600 ; retry, should be shorter than refresh
3600 ; expire, must be far larger than refresh (1W against 1D in the parent) or a slave would drop the zone after one missed refresh; harmless here only because this zone has no slave
3600 ) ; minimum
@ IN NS dns.centos.lzxlinux.com.
@ IN MX 10 www.centos.lzxlinux.com.
dns IN A 192.168.30.128 ; relative names: dns means dns.centos.lzxlinux.com.
www IN A 192.168.30.128
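The zone-file rules from the start of the page (SOA timers, serial, name servers needing address records) and the delegation just configured can be checked mechanically before restarting anything. The following added example (not from the original post) parses zone files in the layout used on this page and flags SOA timers that would break a slave, a serial that was not incremented, name servers without an address record, and a delegation whose NS set or glue disagrees with the child; it also computes the next serial in the YYYYMMDDnn convention. The two zones embedded in it are constructed copies of this page's parent and child zone files, with the parent's serial deliberately left at the value a slave already holds; the parser is simplified (one record per line, no inherited owner names) and is not BIND's own loader.

```python
"""Sanity-check BIND zone files the way a slave, a resolver and a delegated child see them."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(value):
    """Accept BIND TTL notation: 3600, 1H, 1D, 1W (case-insensitive)."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.lower())
    return int(m.group(1)) * UNITS.get(m.group(2), 1)

def fqdn(name, origin):
    """'@' is the origin; names without a trailing dot are relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, type, rdata tokens)] with all names absolute. Handles $TTL,
    ';' comments, optional TTL/class fields and the parenthesised SOA; one record per line."""
    text = re.sub(r";[^\n]*", "", text)                                   # comments first
    text = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), text)
    records = []
    for line in text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$"):
            continue
        owner, rest = fqdn(toks[0], origin), toks[1:]
        while rest[0].upper() in ("IN", "CH") or rest[0].isdigit():     # skip class / TTL
            rest.pop(0)
        records.append((owner, rest[0].upper(), rest[1:]))
    return records

def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)

def check_zone(records, origin, previous_serial=None):
    """Problems a slave (timers, serial) or a resolver (NS without an address) would hit."""
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        return ["zone must have exactly one SOA"]
    mname, rname = soa[0][2][:2]
    serial, refresh, retry, expire, _minimum = (to_seconds(v) for v in soa[0][2][2:7])
    if "@" in rname:
        problems.append("SOA rname is a mailbox with '@' written as '.', e.g. hostmaster.example.")
    if previous_serial is not None and serial <= previous_serial:
        problems.append(f"serial {serial} not above {previous_serial}: slaves will not re-transfer")
    if retry >= refresh:
        problems.append(f"retry {retry}s should be shorter than refresh {refresh}s")
    if expire <= refresh:
        problems.append(f"expire {expire}s must be far larger than refresh {refresh}s or slaves drop the zone")
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    for target in [mname] + [r[2][0] for r in records if r[1] == "NS" and r[0] == origin]:
        if in_zone(target, origin) and target not in has_addr:
            problems.append(f"{target} is a name server of this zone but has no A/AAAA record")
    return problems

def check_delegation(parent, child, child_origin):
    """Parent NS set for the child must equal the child's apex NS set, and glue the parent
    carries for an in-child NS must match the child's own A record (else the delegation is lame)."""
    problems = []
    p_ns = {r[2][0] for r in parent if r[1] == "NS" and r[0] == child_origin}
    c_ns = {r[2][0] for r in child if r[1] == "NS" and r[0] == child_origin}
    if p_ns != c_ns:
        problems.append(f"parent delegates to {sorted(p_ns)} but child apex NS is {sorted(c_ns)}")
    for ns in p_ns:
        glue = {r[2][0] for r in parent if r[1] == "A" and r[0] == ns}
        real = {r[2][0] for r in child if r[1] == "A" and r[0] == ns}
        if in_zone(ns, child_origin) and not glue:
            problems.append(f"no glue A record for {ns} in the parent")
        elif glue and glue != real:
            problems.append(f"glue {sorted(glue)} for {ns} differs from the child's {sorted(real)}")
    return problems

def next_serial(old, today):
    """Next serial in this page's YYYYMMDDnn convention; today is 'YYYYMMDD'."""
    return max(old + 1, int(today) * 100)

# Constructed sample zones modelled on this page's parent and child zone files.
PARENT = """
$TTL 1D
@ IN SOA master.lzxlinux.com. www.lzxlinux.com. (
        2019053101 ; serial left unchanged after adding the delegation
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
@ IN NS master.lzxlinux.com.
@ IN NS slave.lzxlinux.com.
@ IN MX 10 www.lzxlinux.com.
centos.lzxlinux.com. IN NS dns.centos.lzxlinux.com.
dns.centos.lzxlinux.com. IN A 192.168.30.128
master.lzxlinux.com. IN A 192.168.30.254
slave.lzxlinux.com. IN A 192.168.30.253
www.lzxlinux.com. IN A 192.168.30.254
ftp.lzxlinux.com. IN CNAME www.lzxlinux.com.
"""
CHILD = """
$TTL 600
@ IN SOA dns.centos.lzxlinux.com. www.centos.lzxlinux.com. (
        2019053101 ; serial
        3600 ; refresh
        3600 ; retry
        3600 ; expire
        3600 ) ; minimum
@ IN NS dns.centos.lzxlinux.com.
@ IN MX 10 www.centos.lzxlinux.com.
dns IN A 192.168.30.128
www IN A 192.168.30.128
"""
PARENT_RECORDS = parse_zone(PARENT, "lzxlinux.com.")
CHILD_RECORDS = parse_zone(CHILD, "centos.lzxlinux.com.")

if __name__ == "__main__":
    print("parent:", check_zone(PARENT_RECORDS, "lzxlinux.com.", previous_serial=2019053101))
    print("child:", check_zone(CHILD_RECORDS, "centos.lzxlinux.com."))
    print("delegation:", check_delegation(PARENT_RECORDS, CHILD_RECORDS, "centos.lzxlinux.com."))
    print("next serial:", next_serial(2019053101, "20190603"))
```

For a real deployment, read the slave's current serial with `dig soa lzxlinux.com @192.168.30.253 +short` and pass it as previous_serial before pushing an edited zone; the delegation check is the one to run whenever the child's name server is renamed or readdressed, since the parent's glue does not update itself.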
- Restart named on the parent master and on the child:
systemctl restart named
rndc reload is enough when only zone files changed. Before testing through the slave, confirm with dig soa that it holds the parent zone's new serial, which only happens if the serial was incremented.
- Resolution test:
- From the parent side, query the child's DNS server:
dig dns.centos.lzxlinux.com @192.168.30.128
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> dns.centos.lzxlinux.com @192.168.30.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57592
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.centos.lzxlinux.com. IN A
;; ANSWER SECTION:
dns.centos.lzxlinux.com. 600 IN A 192.168.30.128
;; AUTHORITY SECTION:
centos.lzxlinux.com. 600 IN NS dns.centos.lzxlinux.com.
;; Query time: 2 msec
;; SERVER: 192.168.30.128#53(192.168.30.128)
;; WHEN: Mon Jun 03 13:47:24 CST 2019
;; MSG SIZE rcvd: 82
Resolution succeeded.
- From the child side, query the parent DNS server:
dig master.lzxlinux.com @192.168.30.254
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> master.lzxlinux.com @192.168.30.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.lzxlinux.com. IN A
;; ANSWER SECTION:
master.lzxlinux.com. 86400 IN A 192.168.30.254
;; AUTHORITY SECTION:
lzxlinux.com. 86400 IN NS slave.lzxlinux.com.
lzxlinux.com. 86400 IN NS master.lzxlinux.com.
;; ADDITIONAL SECTION:
slave.lzxlinux.com. 86400 IN A 192.168.30.253
;; Query time: 0 msec
;; SERVER: 192.168.30.254#53(192.168.30.254)
;; WHEN: Mon Jun 03 13:49:39 CST 2019
;; MSG SIZE rcvd: 114
Resolution succeeded. Note this asked the parent directly (@192.168.30.254), so it does not exercise the forwarding just configured; to test that, query the child server for a parent name, dig master.lzxlinux.com @192.168.30.128, and expect the same address without the aa flag, since the child only relays it.
The whole DNS deployment works; this ends the procedure.