(一)DNS简介:
DNS,全称Domain Name System,即域名解析系统。域名是通过DNS来实现的,每个域名代表一个IP,DNS就是用来在ip地址与域名之间进行转换的服务。
DNS帮助用户在互联网上寻找路径。在互联网上的每一个计算机都拥有一个唯一的地址,称作“IP地址”(即互联网协议地址)
由于IP地址难以记忆,一般用域名来进行管理(ip地址偏重底层,而DNS则偏重于应用层)
1,DNS功能
每个IP地址都可以有一个主机名,主机名由一个或多个字符串组成,字符串之间用小数点隔开。有了主机名,就不要死记硬背每台IP设备的IP地址,只要记住相对直观有意义的主机名就行了。这就是DNS协议所要完成的功能。
主机名到IP地址的映射有两种方式:
1)静态映射,每台设备上都配置主机到IP地址的映射,各设备独立维护自己的映射表,而且只供本设备使用;
2)动态映射,建立一套域名解析系统(DNS),只在专门的DNS服务器上配置主机到IP地址的映射,网络上需要使用主机名通信的设备,首先需要到DNS服务器查询主机所对应的IP地址。
通过主机名,最终得到该主机名对应的IP地址的过程叫做域名解析(或主机名解析)。在解析域名时,可以首先采用静态域名解析的方法,如果静态域名解析不成功,再采用动态域名解析的方法。可以将一些常用的域名放入静态域名解析表中,这样可以大大提高域名解析效率。
2,DNS组成:dns由类型,域名,和主机名三部分构成
1).类型:标识此域名的类型,一般常见的有.com,.org,.net,.gov等等
2)域名:域的名称 如baidu ppdai google等等
3)主机名:该域中某台主机的名称,eg:www,ftp,ntp,mail等等
3,DNS的工作原理
以访问www.为例说明(主机为Windows系统)
客户端首先检查本地c:\windows\system32\drivers\etc\host文件,是否有对应的IP地址,若有,则直接访问WEB站点,若无
客户端检查本地缓存信息,若有,则直接访问WEB站点,若无
本地DNS检查缓存信息,若有,将IP地址返回给客户端,客户端可直接访问WEB站点,若无
本地DNS检查区域文件是否有对应的IP,若有,将IP地址返回给客户端,客户端可直接访问WEB站点,若无,
本地DNS根据cache.dns文件中指定的根DNS服务器的IP地址,转向根DNS查询。
根DNS收到查询请求后,查看区域文件记录,若无,则将其管辖范围内.com服务器的IP地址告诉本地DNS服务器
.com服务器收到查询请求后,查看区域文件记录,若无,则将其管辖范围内.xxx服务器的IP地址告诉本地DNS服务器
.xxx服务器收到查询请求后,分析需要解析的域名,若无,则查询失败,若有,返回www.的IP地址给本地服务器
本地DNS服务器将www.的IP地址返回给客户端,客户端通过这个IP地址与WEB站点建立连接
4,DNS客户端
日常使用支持网络的计算机一般都是作为dns客户端使用,应用程序,服务,进程等通过OS底层功能发起对DNS服务器查询对指定的域名进行解析。解析以下几种方式来进行:
1). 文件:/etc/hosts,/etc/networks
2). DNS: /etc/resolv.conf
3). NIS:现已被淘汰了
可以通过配置文件/etc/nsswitch.conf控制查询的顺序,hosts: files dns myhostname
5,DNS查询命令:
- 使用host命令用于dns查询。host www.baidu.com
[root@localhost ~]# host www.baidu.com www.baidu.com is an alias for www.a.shifen.com. www.a.shifen.com has address 115.239.210.27 www.a.shifen.com has address 115.239.211.112
-
使用nslookup命令进行查询。 nslookup www.baidu.com
[root@localhost ~]# nslookup www.baidu.com Server: 192.168.1.218 Address: 192.168.1.218#53 Non-authoritative answer: www.baidu.com canonical name = www.a.shifen.com. Name: www.a.shifen.com Address: 115.239.211.112 Name: www.a.shifen.com Address: 115.239.210.27
- 使用dig命令进行查询(推荐)。dig www.baidu.com
[root@localhost ~]# dig www.baidu.com ; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.baidu.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,status: NOERROR,id: 7129 ;; flags: qr rd ra; QUERY: 1,ANSWER: 3,AUTHORITY: 5,ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; ednS: version: 0,flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 545 IN CNAME www.a.shifen.com. www.a.shifen.com. 248 IN A 61.135.169.125 www.a.shifen.com. 248 IN A 61.135.169.121 ;; AUTHORITY SECTION: a.shifen.com. 545 IN NS ns3.a.shifen.com. a.shifen.com. 545 IN NS ns2.a.shifen.com. a.shifen.com. 545 IN NS ns4.a.shifen.com. a.shifen.com. 545 IN NS ns5.a.shifen.com. a.shifen.com. 545 IN NS ns1.a.shifen.com. ;; ADDITIONAL SECTION: ns1.a.shifen.com. 545 IN A 61.135.165.224 ns5.a.shifen.com. 545 IN A 119.75.222.17 ns2.a.shifen.com. 545 IN A 180.149.133.241 ns4.a.shifen.com. 545 IN A 115.239.210.176 ns3.a.shifen.com. 545 IN A 61.135.162.215 ;; Query time: 0 msec ;; SERVER: 172.20.66.112#53(172.20.66.112) ;; WHEN: Fri Mar 30 17:26:26 CST 2018 ;; MSG SIZE rcvd: 271
(二)安装配置DNS软件BIND
| 序号 | IP | 功能 |
|---|---|---|
| 1 | 172.20.66.112 | 主DNS服务器 |
| 2 | 172.20.66.108 | 从DNS服务器 |
1,安装bind-chroot DNS服务器
[root@localhost ~]# yum install bind-chroot bind-utils -y Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * epel: ftp.cuhk.edu.hk Resolving Dependencies --> Running transaction check ---> Package bind-chroot.x86_64 32:9.9.4-51.el7_4.2 will be installed
备注: CentOS7不同于6,只需要安装bind-chroot,就会自动安装主程序包bind和库bind-libs。同时安装bind-utils(包含host和dig程序的包) CentOS7下安装了bind-chroot之后,若要使用named-chroot.service,则需要关闭named.service。两者只能运行一个
2,通过rpm -ql bind-chroot查询所安装的文件[root@localhost ~]# rpm -ql bind-chroot
3,拷贝bind相关文件,准备bind-chroot环境
[root@localhost chroot]# cp -R /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/ [root@localhost chroot]# cp -R /usr/share/doc/bind-9.9.4/sample/var/* /var/named/chroot/var/ [root@localhost chroot]# ls /var/named/chroot/etc/ named named.conf named.rfc1912.zones pki [root@localhost chroot]# ls /var/named/chroot/var/ log named run tmp
备注:由于安装了bind-chroot,BIND会被封装到一个伪根目录内,原先的文件配置文件的路径位置变为: /var/named/chroot/etc/named.conf ---------BIND服务主配置文件 /var/named/chroot/var/named/ ----------zone文件 直接安装bind配置文件在: /etc/named.conf -BIND服务主配置文件 /var/named/ -zone文件
4,在bind chroot的目录中创建相关文件,由于默认是没有配置文件,拷贝模板配置文件/usr/share/doc/bind-9.9.4/sample/在这个目录下
[root@server98 chroot]# cp -rv /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/ "/usr/share/doc/bind-9.9.4/sample/etc/named.conf" -> "/var/named/chroot/etc/named.conf" "/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones" -> "/var/named/chroot/etc/named.rfc1912.zones" [root@server98 chroot]# cp -rv /usr/share/doc/bind-9.9.4/sample/var/* /var/named/chroot/var/ "/usr/share/doc/bind-9.9.4/sample/var/named/data" -> "/var/named/chroot/var/named/data" "/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db" -> "/var/named/chroot/var/named/my.external.zone.db" "/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db" -> "/var/named/chroot/var/named/my.internal.zone.db" "/usr/share/doc/bind-9.9.4/sample/var/named/named.ca" -> "/var/named/chroot/var/named/named.ca" "/usr/share/doc/bind-9.9.4/sample/var/named/named.empty" -> "/var/named/chroot/var/named/named.empty" "/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost" -> "/var/named/chroot/var/named/named.localhost" "/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback" -> "/var/named/chroot/var/named/named.loopback" "/usr/share/doc/bind-9.9.4/sample/var/named/slaves" -> "/var/named/chroot/var/named/slaves" "/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db" -> "/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db" "/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db" -> "/var/named/chroot/var/named/slaves/my.slave.internal.zone.db"
5,将bind锁定文件设置为可写。
[root@localhost named]# chmod -R 777 /var/named/chroot/var/named/data/ [root@localhost named]# chmod -R 777 /var/named/chroot/var/named/dynamic/
6,将/etc/named.conf文件拷贝到bind-chroot目录里,并进行编辑最简配置
[root@localhost named]# cp /etc/named.conf /var/named/chroot/etc/named.conf
[root@localhost etc]# vim /var/named/chroot/etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
allow-query { any; };
directory "/var/named";
recursion yes;
};
zone "lqb.com" {
type master;
file "lqb.com.zon";
};
7,创建转发域
[root@localhost named]#cp /var/named/named.localhost /var/named/chroot/var/named/lqb.zone
[root@localhost named]# vim /var/named/chroot/var/named/lqb.com.zon
$TTL 1D
$ORIGIN lqb.com.
@ IN SOA lqb.com. admin.lqb.com. (
20170526; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum
)
IN NS ns1.lqb.com.
ns1 IN A 192.168.99.99
www IN A 172.20.66.110
ftp IN A 10.128.105.250
8,设置开机启动bind-chroot服务
[root@localhost named]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@localhost named]# systemctl stop named
[root@localhost named]# systemctl disable named
[root@localhost named]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
[root@localhost named]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-03-30 17:12:55 CST; 4s ago
Process: 3184 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited,status=0/SUCCESS)
Process: 3180 ExecStartPre=/bin/bash -c if [ ! "$disABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited,status=0/SUCCESS)
Main PID: 3185 (named)
CGroup: /system.slice/named-chroot.service
└─3185 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone lqb.com/IN: loaded serial 20170526
Mar 30 17:12:55 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Mar 30 17:12:55 localhost.localdomain named[3185]: zone localhost/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp...rial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone localhost.localdomain/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: all zones loaded
Mar 30 17:12:55 localhost.localdomain named[3185]: running
Mar 30 17:12:55 localhost.localdomain named[3185]: zone lqb.com/IN: sending notifies (serial 20170526)
Hint: Some lines were ellipsized,use -l to show in full.
9.检查配置是否正确。命令named-checkconf named-checkzone
[root@localhost named]#named-checkconf /var/named/chroot/etc/named.conf [root@localhost named]# named-checkzone lqb.com lqb.com.zon
(三)在客户端进行测试使用
(1),在客户端修改dns配置文件/etc/resolv.conf
[root@HTD-CATIT ~]# vim /etc/resolv.conf # Generated by NetworkManager nameserver 172.20.66.110
(2),通过host,nslookup 和dig 进行测试
[root@HTD-CATIT ~]# ping www.lqb.com PING www.lqb.com (172.20.66.110) 56(84) bytes of data. 64 bytes from 172.20.66.110: icmp_seq=1 ttl=64 time=7.16 ms 64 bytes from 172.20.66.110: icmp_seq=2 ttl=64 time=0.733 ms ^C --- www.lqb.com ping statistics --- 2 packets transmitted,2 received,0% packet loss,time 1067ms rtt min/avg/max/mdev = 0.733/3.946/7.160/3.214 ms [root@HTD-CATIT ~]# nslookup www.lqb.com Server: 172.20.66.112 Address: 172.20.66.112#53 Name: www.lqb.com Address: 172.20.66.110 [root@HTD-CATIT ~]# host www.lqb.com www.lqb.com has address 172.20.66.110 [root@HTD-CATIT ~]# dig www.lqb.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> www.lqb.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY,id: 35029 ;; flags: qr aa rd ra; QUERY: 1,ANSWER: 1,AUTHORITY: 1,ADDITIONAL: 1 ;; QUESTION SECTION: ;www.lqb.com. IN A ;; ANSWER SECTION: www.lqb.com. 86400 IN A 172.20.66.110 ;; AUTHORITY SECTION: lqb.com. 86400 IN NS ns1.lqb.com. ;; ADDITIONAL SECTION: ns1.lqb.com. 86400 IN A 192.168.99.99 ;; Query time: 0 msec ;; SERVER: 172.20.66.112#53(172.20.66.112) ;; WHEN: Fri Mar 30 17:22:19 2018 ;; MSG SIZE rcvd: 79
重要:
(一)服务启用的基本命令:由于是在CentOS7.X中,由于安装了伪根chroot,所以首先要把named服务禁用而启用named-chroot服务
[root@localhost named]# systemctl stop named
[root@localhost named]# systemctl disable named
[root@localhost named]# systemctl enable named-chroot
[root@server98 chroot]# systemctl restart named-chroot
(二)检查配置的基本命令:
[root@server98 chroot]# named-checkconf /var/named/chroot/etc/named.conf
[root@server98 chroot]# /usr/sbin/named-checkzone lqb.com /var/named/chroot/var/named/lqb.com.zon
zone lqb.com/IN: loaded serial 20170526
OK
(三)启用bind基本命令
[root@server98 chroot]# rndc reload ###重载主配置文件和区域解析库文件
server reload successful
[root@server98 chroot]# rndc reload lqb.com ###重载区域解析库文件
zone reload up-to-date
[root@server98 chroot]# rndc notify lqb.com ###新对区域传送发通知,当主从同步过程发生意外时
zone notify queued
[root@server98 chroot]# rndc reconfig ###重载主配置文件
[root@server98 chroot]#
备注:
1,测试的大概的步骤如下:
2,完整的named.conf配置文件如下:
[root@localhost named]# cat /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server,do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server,you need to enable
recursion.
- If your recursive DNS server has a public IP address,you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "lqb.com" {
type master;
file "lqb.com.zon";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
3,完整的/var/named/chroot/var/named/lqb.com.zon配置
[root@localhost named]# vim /var/named/chroot/var/named/lqb.com.zon
$TTL 1D
$ORIGIN lqb.com.
@ IN SOA lqb.com. admin.lqb.com. (
20170526; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum
)
IN NS ns1.lqb.com.
ns1 IN A 192.168.99.99
www IN A 172.20.66.110
ftp IN A 10.128.105.250