What DNS is, and what this BIND walkthrough covers
The Domain Name System (DNS) is an Internet service that maps domain names to IP addresses and back, so that people can reach hosts by name instead of by address. DNS uses TCP and UDP port 53. Each label of a domain name is limited to 63 characters, and a complete domain name may not exceed 253 characters.
Topics covered:
DNS name resolution directions
DNS query types
DNS server types
Zone database files in detail
Installing and configuring BIND on CentOS 7
BIND master/slave server configuration
BIND security-related configuration
BIND view configuration
I. DNS name resolution directions
DNS name resolution works in two directions:
Name ---> IP
For example (the dig command is covered in detail in the tools section below):
# The output shows that the name www.magedu.com maps to the IP 101.200.188.230
# dig -t A www.magedu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17179
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A
;; ANSWER SECTION:
www.magedu.com.         589     IN      A       101.200.188.230
;; AUTHORITY SECTION:
magedu.com.             159640  IN      NS      v2s1.xundns.com.
magedu.com.             159640  IN      NS      v2s2.xundns.com.
IP ---> name
For example (the dig command is covered in detail in the tools section below):
# The output shows that the IP 172.16.0.1 maps to the name server.magelinux.com.
# dig -x 172.16.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 172.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1126
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.16.172.in-addr.arpa.       IN      PTR
;; ANSWER SECTION:
1.0.16.172.in-addr.arpa. 86400  IN      PTR     server.magelinux.com.
;; AUTHORITY SECTION:
16.172.in-addr.arpa.    86400   IN      NS      server.magelinux.com.
;; ADDITIONAL SECTION:
server.magelinux.com.   86400   IN      A       172.16.0.1
;; Query time: 2 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Fri Apr 08 21:47:00 CST 2016
;; MSG SIZE rcvd: 116
II. DNS query types
DNS queries are of two types:
Recursive query
Iterative query
The figure below shows my understanding of the DNS query process.
III. DNS server types
Master DNS server: the server that maintains the database of the zone it is responsible for; both read and write operations are possible.
Slave DNS server: "copies" the zone database from the master DNS server or from another slave DNS server; only read operations are possible.
How the "copy" operation is carried out:
Serial number: serial, the version number of the database; it is incremented whenever the content of the master's database changes.
Refresh interval: refresh, how often the slave contacts the master to check whether the serial number has changed.
Retry interval: retry, how long the slave waits before trying again after a synchronization request to the master fails.
Expire time: expire, how long the slave keeps failing to reach the master before it gives up on the master and stops serving the zone.
Negative-answer cache time: how long a negative answer (a name or record that does not exist) is cached. These values are configured in the zone file in BIND.
For example:
$TTL 33600
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2016040801 ;serial
        2H         ;refresh
        10M        ;retry
        1W         ;expire
        1D         ;negative answer ttl
        )
IV. Zone database files in detail
Zone files are normally stored under /var/named/ and named ZONE_NAME.zone; they contain many parameters.
Resource record: Resource Record, abbreviated RR
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
Syntax:
name [TTL] IN RR_TYPE value
SOA: Start Of Authority, the start-of-authority record. A zone database has exactly one SOA record, and it must be the first record.
NS: Name Server, a name server record; a zone database may have several NS records, one of which is the master.
A: Address, an address record: FQDN --> IPv4
AAAA: address record: FQDN --> IPv6
CNAME: Canonical Name, an alias record
PTR: Pointer, a reverse pointer record: IP --> FQDN
MX: Mail eXchanger, a mail exchanger record
Priority: 0-99; the lower the number, the higher the priority
Usage and format:
SOA:
name: the name of the current zone, for example "magedu.com." or "2.3.4.in-addr.arpa.";
value: consists of several parts:
(1) the zone name of the current zone (the name of the master DNS server may also be used);
(2) the e-mail address of the zone administrator, with the @ sign replaced by a dot since @ may not appear in the address;
(3) (the master/slave coordination attributes and the negative-answer TTL)
For example:
$TTL 33600
@ IN SOA ns1.magedu.com. admin.magedu.com. (
        2016040801 ;serial
        2H         ;refresh
        10M        ;retry
        1W         ;expire
        1D         ;negative answer ttl
        )
NS:
name: the zone name of the current zone
value: the name of one of the zone's DNS servers, for example ns.magedu.com.
Note: a zone may have several NS records
For example:
zhaoxin.com. 86400 IN NS ns1.zhaoxin.com.
zhaoxin.com. 86400 IN NS ns2.zhaoxin.com.
MX:
name: the zone name of the current zone
value: the host name of one of the zone's mail exchangers;
Note: there may be several MX records, but each value must be preceded by a number giving its priority;
For example:
zhaoxin.com. IN MX 10 mx1.zhaoxin.com.
zhaoxin.com. IN MX 20 mx2.zhaoxin.com.
A:
name: an FQDN, for example www.magedu.com.
value: an IPv4 address
For example:
www.zhaoxin.com. IN A 222.145.33.26
AAAA:
name: FQDN
value: IPv6 address
PTR:
name: an IP address in a special format: the octets written in reverse order with a fixed suffix appended; for example 172.16.100.10 is written as 10.100.16.172.in-addr.arpa
value: FQDN
For example:
10.100.16.172.in-addr.arpa IN PTR www.zhaoxin.com.
CNAME:
name: the alias, as an FQDN;
value: the canonical name, as an FQDN;
For example:
web.zhaoxin.com. IN CNAME www.zhaoxin.com.
Points to note:
(1) The TTL may be inherited from the global $TTL;
(2) @ stands for the name of the current zone;
(3) When two adjacent records have the same name, the name may be omitted from the second;
(4) In a forward zone the value of an MX or NS record is an FQDN, and that FQDN should have an A record;
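As an added example (not code from the original post), the following Python script parses the zone-file syntax just described ($TTL, $ORIGIN, @, omitted owner names, time-unit suffixes and the parenthesised SOA) and runs two checks an operator wants before loading a zone: that the SOA timers come out as intended (2H/10M/1W/1D are the 7200/600/604800/86400 seen in the AXFR output later on this page), and that every in-zone NS/MX target has an A record, per point (4). SAMPLE_ZONE is constructed to mirror the zhaoxin.com file used on this page, with the A record for mx2 deliberately left out so the check has something to find.

```python
"""Zone-file parser and pre-load checks (added example, constructed data)."""
import re

# Time-unit suffixes accepted in zone files, in seconds.
UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(text):
    """'2H' -> 7200, '10M' -> 600, '1W' -> 604800, '33600' -> 33600."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", text)
    if not m:
        raise ValueError("bad TTL: " + text)
    return int(m.group(1)) * UNITS[m.group(2).upper() or "S"]


def absolutize(name, origin):
    """Relative name -> FQDN under $ORIGIN; '@' is the origin itself."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Return (default_ttl, origin, records); a record is
    (owner_fqdn, ttl, type, rdata_tokens). ';' comments are stripped and
    multi-line '( ... )' records are joined before the line-by-line pass."""
    no_comments = "\n".join(line.split(";")[0] for line in text.splitlines())
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), no_comments)
    default_ttl, origin, last_owner, records = None, "", None, []
    for line in joined.splitlines():
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # A line starting with whitespace reuses the previous owner name (point 3).
        owner = last_owner if line[0].isspace() else absolutize(tokens.pop(0), origin)
        last_owner = owner
        ttl = default_ttl  # inherited from $TTL unless given explicitly (point 1)
        if re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0]):
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner, ttl, rtype, tokens))
    return default_ttl, origin, records


def soa_timers(records):
    """SOA fields with the timers converted to seconds; also enforces
    'exactly one SOA, and it comes first'."""
    if not records or records[0][2] != "SOA" or sum(r[2] == "SOA" for r in records) != 1:
        raise ValueError("zone must contain exactly one SOA record and it must come first")
    mname, rname, serial, refresh, retry, expire, negative = records[0][3]
    return {"mname": mname, "rname": rname, "serial": int(serial),
            "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
            "expire": parse_ttl(expire), "negative_ttl": parse_ttl(negative)}


def missing_glue(records, origin):
    """In-zone names used as NS or MX targets that have no A/AAAA record here.
    Targets outside the zone are skipped: they are resolved elsewhere."""
    addressed = {owner for owner, _, rtype, _ in records if rtype in ("A", "AAAA")}
    targets = set()
    for _, _, rtype, rdata in records:
        if rtype == "NS":
            targets.add(absolutize(rdata[0], origin))
        elif rtype == "MX":
            targets.add(absolutize(rdata[1], origin))  # rdata is [priority, host]
    in_zone = {t for t in targets if t == origin or t.endswith("." + origin)}
    return sorted(in_zone - addressed)


# Constructed sample modelled on this page's zhaoxin.com.zone; mx2 has no A record.
SAMPLE_ZONE = """\
$TTL 33600
$ORIGIN zhaoxin.com.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016040801 ;serial
        2H         ;refresh
        10M        ;retry
        1W         ;expire
        1D )       ;negative answer ttl
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 15 mx2
ns1     IN A 172.18.250.108
ns2     IN A 172.18.250.28
mx1     IN A 172.18.250.111
www     IN A 172.18.250.108
"""

if __name__ == "__main__":
    ttl, origin, recs = parse_zone(SAMPLE_ZONE)
    print("default TTL:", ttl, "origin:", origin, "records:", len(recs))
    print("SOA:", soa_timers(recs))
    print("NS/MX targets without an A record:", missing_glue(recs, origin))
```

Run it after editing a zone and before named-checkzone: the glue check reports mx2.zhaoxin.com., which is exactly the kind of omission that named-checkzone accepts but that leaves mail for the zone undeliverable through that exchanger.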
V. Installing and configuring BIND on CentOS 7
Main configuration file
Before the configuration files, a word about BIND itself.
BIND: Berkeley Internet Name Domain (developed at the University of California, Berkeley)
dns: the protocol
bind: one implementation of the DNS protocol
named: the process name of the running bind program
Package layout:
bind-libs: library files shared by the programs in the bind and bind-utils packages;
bind-utils: the bind client tools, for example dig, host and nslookup;
bind: the DNS server program itself, plus a few common test programs;
bind-chroot: optional; runs named in a chroot jail;
CentOS 7 bind configuration files:
Main configuration file: /etc/named.conf
It includes these other files:
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
On CentOS 7 zones are usually defined in /etc/named.rfc1912.zones, and the global configuration lives in /etc/named.conf.
1. Main configuration file format:
Global options section:
options { ... }   # note the spaces before and after the contents
Logging section:
logging { ... }
Zone sections:
zone { ... }
These define the zones this host is authoritative for, or forwards.
Note: every statement must end with a semicolon.
2. Caching name server configuration (do this before putting the server into use):
Listen on an address that external hosts can reach:
listen-on port 53 { 172.18.4.1; };
While learning, it is recommended to turn DNSSEC off:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
Remove the restriction that only local queries are allowed:
//allow-query { localhost; };   single-line comments use "//"
Once this line is commented out, any host that can reach port 53 may query the server; the ACL section later on this page shows how to limit that with allow-query.
Zone database files
Under /var/named/:
Normally named ZONE_NAME.zone
For example: magedu.com.zone
172.16.100.zone
Note:
1. One DNS server can serve several zones at the same time
2. The root zone database file, named.ca, must be present
3. There should also be two zone database files for localhost and 127.0.0.1, forward and reverse:
Forward: named.localhost
Reverse: named.loopback
Check the configuration files for syntax errors
named-checkconf [/etc/named.conf]
named-checkzone ZONE_NAME ZONE_FILE
# named-checkzone magedu.com. magedu.com.zone
zone magedu.com/IN: loaded serial 2016040801
OK
# named-checkconf /etc/named.conf
#
Testing and management tools
dig:
Syntax: dig [-t RR_TYPE] name [@SERVER] [query options]
# dig -t A ns1.magedu.com @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A ns1.magedu.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.magedu.com.                IN      A
;; ANSWER SECTION:
ns1.magedu.com.         33600   IN      A       172.18.250.108
;; AUTHORITY SECTION:
magedu.com.             33600   IN      NS      ns2.magedu.com.
magedu.com.             33600   IN      NS      ns1.magedu.com.
;; ADDITIONAL SECTION:
ns2.magedu.com.         33600   IN      A       172.18.250.108
;; Query time: 0 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 13:54:42 CST 2016
;; MSG SIZE rcvd: 107
Purpose: testing the DNS system itself, so it never consults the hosts file
Query options:
+[no]trace: trace the resolution process
+[no]recurse: perform recursive resolution
Reverse lookup:
dig -x IP
# dig -x 202.106.0.20
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -x 202.106.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47349
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;20.0.106.202.in-addr.arpa.     IN      PTR
;; ANSWER SECTION:
20.0.106.202.in-addr.arpa. 5181 IN      PTR     gjjline.bta.net.cn.
;; AUTHORITY SECTION:
106.202.in-addr.arpa.   5179    IN      NS      ns.bta.net.cn.
106.202.in-addr.arpa.   5179    IN      NS      ns2.bta.net.cn.
;; ADDITIONAL SECTION:
ns.bta.net.cn.          74848   IN      A       202.96.0.133
ns2.bta.net.cn.         74848   IN      A       202.106.196.28
;; Query time: 3 msec
;; SERVER: 172.18.0.1#53(172.18.0.1)
;; WHEN: Sat Apr 09 14:01:22 CST 2016
;; MSG SIZE rcvd: 153
Simulate a full zone transfer (this only succeeds if the server's allow-transfer permits the requesting host; see the ACL section later on this page):
dig -t axfr DOMAIN [@server]
# dig -t axfr magedu.com. @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t axfr magedu.com. @172.18.250.108
;; global options: +cmd
magedu.com.             33600   IN      SOA     ns1.magedu.com. admin.magedu.com. 2016040801 7200 600 604800 86400
magedu.com.             33600   IN      NS      ns1.magedu.com.
magedu.com.             33600   IN      NS      ns2.magedu.com.
magedu.com.             33600   IN      MX      10 mx1.magedu.com.
magedu.com.             33600   IN      MX      15 mx2.magedu.com.
mx1.magedu.com.         33600   IN      A       172.18.250.111
mx2.magedu.com.         33600   IN      A       172.18.250.112
ns1.magedu.com.         33600   IN      A       172.18.250.108
ns2.magedu.com.         33600   IN      A       172.18.250.108
www.magedu.com.         33600   IN      A       172.18.250.108
magedu.com.             33600   IN      SOA     ns1.magedu.com. admin.magedu.com. 2016040801 7200 600 604800 86400
;; Query time: 3 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 14:01:58 CST 2016
;; XFR size: 11 records (messages 1, bytes 266)
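As an added example (not code from the original post), here is a parser for the parts of dig's output that the checks on this page are read from, so that a script can verify what the eye verifies above: the status, whether the aa (authoritative answer) flag is present, and which records came back in each section. SAMPLE_AUTH is constructed to mirror the "dig -t A ns1.magedu.com @172.18.250.108" run above; SAMPLE_REFUSED mirrors the REFUSED answer produced by the allow-query test in the ACL section at the end of this page.

```python
"""Parse dig output into status, flags and per-section records (added example)."""
import re


def parse_dig(output):
    """Return a dict with status, id, flags and the records of each section.
    Record tuples are (owner, ttl, type, rdata); rdata keeps its spaces,
    so SOA and MX data stay intact."""
    result = {"status": None, "id": None, "flags": [],
              "answer": [], "authority": [], "additional": []}
    section = None
    for line in output.splitlines():
        m = re.search(r"status: (\w+), id: (\d+)", line)
        if m:
            result["status"], result["id"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r";; flags: ([^;]*);", line)
        if m:
            result["flags"] = m.group(1).split()
            continue
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1).lower()  # question/answer/authority/additional
            continue
        # Question lines, EDNS lines and trailer lines all start with ';'.
        if not line.strip() or line.startswith(";") or section not in result:
            continue
        owner, ttl, _cls, rtype, rdata = line.split(None, 4)
        result[section].append((owner, int(ttl), rtype, rdata))
    return result


def is_authoritative_answer(parsed):
    """True only when the server answered from its own zone data (aa flag set)."""
    return parsed["status"] == "NOERROR" and "aa" in parsed["flags"]


def rdata_of(parsed, section, rtype):
    """rdata values of one record type in one section, in the order returned."""
    return [r[3] for r in parsed[section] if r[2] == rtype]


# Constructed sample modelled on the authoritative answer shown above.
SAMPLE_AUTH = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A ns1.magedu.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.magedu.com.\t\t\tIN\tA

;; ANSWER SECTION:
ns1.magedu.com.\t\t33600\tIN\tA\t172.18.250.108

;; AUTHORITY SECTION:
magedu.com.\t\t33600\tIN\tNS\tns2.magedu.com.
magedu.com.\t\t33600\tIN\tNS\tns1.magedu.com.

;; ADDITIONAL SECTION:
ns2.magedu.com.\t\t33600\tIN\tA\t172.18.250.108

;; Query time: 0 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
"""

# Constructed sample modelled on the REFUSED answer from the ACL test on this page.
SAMPLE_REFUSED = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5215
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.zhaoxin.com.\t\t\tIN\tA
;; Query time: 4 msec
"""

if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_REFUSED):
        p = parse_dig(sample)
        print(p["status"], p["flags"], "authoritative:", is_authoritative_answer(p))
        print("  A records:", rdata_of(p, "answer", "A"))
```

Feeding it the output of the slave and master checks later on this page (dig ... @172.18.250.28 and @172.18.250.108) gives a mechanical way to confirm both servers answer authoritatively with the same data.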
host:
host [-t RR_TYPE] name SERVER_IP
# host 172.16.0.1
1.0.16.172.in-addr.arpa domain name pointer server.magelinux.com.
# host -t A www.magedu.com
www.magedu.com has address 101.200.188.230
nslookup:
nslookup [-options] [name] [server]
# nslookup www.magedu.com
Server:         172.18.0.1
Address:        172.18.0.1#53
Non-authoritative answer:
Name:   www.magedu.com
Address: 101.200.188.230
rndc: the control command for the named service
# rndc status
version: 9.9.4-RedHat-9.9.4-29.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
# rndc flush
# rndc reload
server reload successful
Configuring a forward zone
Using the zhaoxin.com domain as the example:
1. Define the zone
This is done in the main configuration file or in one of the files it includes;
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
        type master;
        file "zhaoxin.com.zone";
};
# Note: the zone name is the domain name
2. Create the zone data file (mainly A or AAAA records)
Create the zone data file under /var/named
The file is /var/named/zhaoxin.com.zone
$TTL 33600
$ORIGIN zhaoxin.com.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016040801
        2H
        10M
        1W
        1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 15 mx2
mx1     IN A 172.18.250.111
mx2     IN A 172.18.250.112
ns1     IN A 172.18.250.108
ns2     IN A 172.18.250.108
www     IN A 172.18.250.108
# named-checkzone zhaoxin.com zhaoxin.com.zone
zone zhaoxin.com/IN: loaded serial 2016040801
OK
# named-checkconf
3. Check the configuration file and the zone file, then fix the group and permissions
# chgrp named /var/named/zhaoxin.com.zone
# chmod o= /var/named/zhaoxin.com.zone
# ll /var/named/zhaoxin.com.zone
-rw-r----- 1 root named 293 Apr  9 14:15 /var/named/zhaoxin.com.zone
4. Have the server reload the configuration file and the zone data file:
# rndc reload   or
# systemctl reload named.service
# rndc reload
server reload successful
# ss -tnl|grep 53
LISTEN 0 10 172.18.250.108:53 *:*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 128 ::1:953 :::*
5. Verify
# Note: 172.18.250.108 here is my own host's IP; after setting the DNS address in /etc/resolv.conf the @IP can be omitted.
# dig -t A www.zhaoxin.com @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.zhaoxin.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39443
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zhaoxin.com.               IN      A
;; ANSWER SECTION:
www.zhaoxin.com.        33600   IN      A       172.18.250.108
;; AUTHORITY SECTION:
zhaoxin.com.            33600   IN      NS      ns2.zhaoxin.com.
zhaoxin.com.            33600   IN      NS      ns1.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.zhaoxin.com.        33600   IN      A       172.18.250.108
ns2.zhaoxin.com.        33600   IN      A       172.18.250.108
;; Query time: 2 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 14:24:01 CST 2016
;; MSG SIZE rcvd: 128
Configuring a reverse zone
1. Define the zone
This is done in the main configuration file or in one of the files it includes;
# vim /etc/named.rfc1912.zones
zone "250.18.172.in-addr.arpa" IN {
        type master;
        file "172.18.250.zone";
};
# Note the form of the reverse zone's name: the network octets in reverse order, followed by in-addr.arpa
2. Create the zone data file (mainly PTR records)
Create the zone data file under /var/named
The file is /var/named/172.18.250.zone
# vim /var/named/172.18.250.zone
$TTL 3600
$ORIGIN 250.18.172.in-addr.arpa.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016010501
        1H
        10M
        3D
        12H )
        IN NS ns1.zhaoxin.com.
108     IN PTR ns1.zhaoxin.com.
111     IN PTR mx1.zhaoxin.com.
112     IN PTR mx2.zhaoxin.com.
108     IN PTR www.zhaoxin.com.
3. Check the configuration file and the zone file, then fix the group and permissions
# named-checkconf
# named-checkzone 250.18.172.in-addr.arpa 172.18.250.zone
zone 250.18.172.in-addr.arpa/IN: loaded serial 2016010501
OK
4. Have the server reload the configuration file and the zone data file:
# rndc reload   or
# systemctl reload named.service
# rndc reload
server reload successful
# ss -tnl|grep 53
LISTEN 0 10 172.18.250.108:53 *:*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 128 ::1:953 :::*
5. Verify
# Note: 172.18.250.108 here is my own host's IP; after setting the DNS address in /etc/resolv.conf the @IP can be omitted.
# dig -x 172.18.250.108 @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 172.18.250.108 @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52168
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;108.250.18.172.in-addr.arpa.   IN      PTR
;; ANSWER SECTION:
108.250.18.172.in-addr.arpa. 3600 IN    PTR     ns1.zhaoxin.com.
108.250.18.172.in-addr.arpa. 3600 IN    PTR     www.zhaoxin.com.
;; AUTHORITY SECTION:
250.18.172.in-addr.arpa. 3600   IN      NS      ns1.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.zhaoxin.com.        33600   IN      A       172.18.250.108
;; Query time: 0 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 14:33:29 CST 2016
;; MSG SIZE rcvd: 133
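As an added example (not code from the original post), the script below builds the in-addr.arpa names the PTR section describes and cross-checks a forward zone against its reverse zone: every A record should have a PTR pointing back to its name, and every PTR target should really own that address. FORWARD_A and REVERSE_PTR are constructed from the zhaoxin.com.zone and 172.18.250.zone files shown above, typed in as dictionaries rather than parsed from the files; the check reports ns2.zhaoxin.com., which indeed has no PTR in the reverse zone above.

```python
"""Reverse-mapping helpers and a forward/reverse consistency check (added example)."""
import ipaddress

IN_ADDR = ".in-addr.arpa."


def reverse_name(ip):
    """'172.16.100.10' -> '10.100.16.172.in-addr.arpa.' (an IPv6 address gives ip6.arpa.)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_origin(network):
    """$ORIGIN of the reverse zone for an octet-aligned IPv4 network:
    '172.18.250.0/24' -> '250.18.172.in-addr.arpa.'."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + IN_ADDR


def ptr_owner(ip, origin):
    """Relative owner name of ip's PTR record inside the zone with this $ORIGIN
    ('172.18.250.108' in 250.18.172.in-addr.arpa. -> '108')."""
    full = reverse_name(ip)
    if not full.endswith("." + origin):
        raise ValueError(f"{ip} does not belong to zone {origin}")
    return full[: -len(origin) - 1]


def ip_of_ptr_owner(owner, origin):
    """Inverse of ptr_owner: ('108', '250.18.172.in-addr.arpa.') -> '172.18.250.108'."""
    labels = (owner + "." + origin)[: -len(IN_ADDR)].split(".")
    return ".".join(reversed(labels))


def check_consistency(forward_a, reverse_ptr, origin):
    """forward_a: {fqdn: ip}; reverse_ptr: {relative_owner: [fqdn, ...]}.
    Returns (names whose address has no PTR back to them,
             (owner, target) PTRs whose target does not own that address)."""
    no_ptr = sorted(name for name, ip in forward_a.items()
                    if name not in reverse_ptr.get(ptr_owner(ip, origin), []))
    dangling = sorted((owner, target) for owner, targets in reverse_ptr.items()
                      for target in targets
                      if forward_a.get(target) != ip_of_ptr_owner(owner, origin))
    return no_ptr, dangling


# Constructed from this page's zhaoxin.com.zone (one address per name).
FORWARD_A = {
    "ns1.zhaoxin.com.": "172.18.250.108",
    "ns2.zhaoxin.com.": "172.18.250.108",
    "mx1.zhaoxin.com.": "172.18.250.111",
    "mx2.zhaoxin.com.": "172.18.250.112",
    "www.zhaoxin.com.": "172.18.250.108",
}
# Constructed from this page's 172.18.250.zone ($ORIGIN 250.18.172.in-addr.arpa.).
REVERSE_PTR = {
    "108": ["ns1.zhaoxin.com.", "www.zhaoxin.com."],
    "111": ["mx1.zhaoxin.com."],
    "112": ["mx2.zhaoxin.com."],
}
REVERSE_ORIGIN = reverse_zone_origin("172.18.250.0/24")

if __name__ == "__main__":
    print("PTR owner for 172.18.250.108:", ptr_owner("172.18.250.108", REVERSE_ORIGIN))
    missing, dangling = check_consistency(FORWARD_A, REVERSE_PTR, REVERSE_ORIGIN)
    print("names without a PTR:", missing)
    print("PTRs whose target lacks that address:", dangling)
```

The master/slave section later on this page adds a PTR for ns2 once it moves to 172.18.250.28; rerunning the check with that record added and the forward entry updated returns an empty list.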
VI. BIND master and slave servers
Note: "slave" is a per-zone concept
Master zone configuration: see the forward and reverse zone configuration above
Configuring a slave zone:
Configuration on the master
Note:
a. Make sure the zone data file has an NS record for every slave server, and that the forward zone has an A record for the host name in each such NS record, with the address of that A record being the slave's real IP address
b. Time must be synchronized
ntpdate command
1. Add the slave DNS server's address
# vim /var/named/zhaoxin.com.zone
$TTL 33600
$ORIGIN zhaoxin.com.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016040801
        2H
        10M
        1W
        1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 15 mx2
ns1     IN A 172.18.250.108
ns2     IN A 172.18.250.28
mx1     IN A 172.18.250.111
mx2     IN A 172.18.250.112
www     IN A 172.18.250.108
# vim /var/named/172.18.250.zone
# cat /var/named/172.18.250.zone
$TTL 3600
$ORIGIN 250.18.172.in-addr.arpa.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016010501
        1H
        10M
        3D
        12H )
        IN NS ns1.zhaoxin.com.
        IN NS ns2.zhaoxin.com.
108     IN PTR ns1.zhaoxin.com.
28      IN PTR ns2.zhaoxin.com.
111     IN PTR mx1.zhaoxin.com.
112     IN PTR mx2.zhaoxin.com.
108     IN PTR www.zhaoxin.com.
2. Synchronize time
# I have a local time server; if you do not, look for a public one. What matters is that the two servers keep the same time.
# ntpdate 172.18.0.1
 9 Apr 15:00:52 ntpdate[3721]: step time server 172.18.0.1 offset -5.768812 sec
3. Reload the configuration
# rndc reload
server reload successful
Configuration on the slave
1. Define the zones
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
        type slave;
        file "slaves/zhaoxin.com.zone";
        masters { 172.18.250.108; };
};
zone "250.18.172.in-addr.arpa" IN {
        type slave;
        file "slaves/172.18.250.zone";
        masters { 172.18.250.108; };
};
2. Synchronize time and edit the configuration file
# ntpdate 172.18.0.1
 9 Apr 15:11:57 ntpdate[1772]: step time server 172.18.0.1 offset -5.583571 sec
# vim /etc/named.conf
listen-on port 53 { 172.18.250.28; };
3. Reload the configuration
# rndc reload
server reload successful
# ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 500 Apr  9 15:09 172.18.250.zone
-rw-r--r-- 1 named named 476 Apr  9 15:09 zhaoxin.com.zone
# The zone files have been transferred; now test.
# Note: on CentOS 7 the transferred zone data is not stored as plain text, so the file contents cannot be read directly.
# dig -t A www.zhaoxin.com @172.18.250.28
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.zhaoxin.com @172.18.250.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35060
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zhaoxin.com.               IN      A
;; ANSWER SECTION:
www.zhaoxin.com.        33600   IN      A       172.18.250.108
;; AUTHORITY SECTION:
zhaoxin.com.            33600   IN      NS      ns2.zhaoxin.com.
zhaoxin.com.            33600   IN      NS      ns1.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.zhaoxin.com.        33600   IN      A       172.18.250.108
ns2.zhaoxin.com.        33600   IN      A       172.18.250.28
;; Query time: 1 msec
;; SERVER: 172.18.250.28#53(172.18.250.28)
;; WHEN: Sat Apr 09 15:15:13 CST 2016
;; MSG SIZE rcvd: 128
4. Add a new record and test
On the master: (add the record to the zone file and increase the serial; the resulting zone file, with bbs added and serial 2016040803, is shown in the next section)
On the slave:
# Note: the slave resolves the new record without any action having been taken on the slave itself.
# dig -t A bbs.zhaoxin.com @172.18.250.28
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A bbs.zhaoxin.com @172.18.250.28
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53442
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.zhaoxin.com.               IN      A
;; ANSWER SECTION:
bbs.zhaoxin.com.        33600   IN      A       172.18.250.66
;; AUTHORITY SECTION:
zhaoxin.com.            33600   IN      NS      ns1.zhaoxin.com.
zhaoxin.com.            33600   IN      NS      ns2.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.zhaoxin.com.        33600   IN      A       172.18.250.108
ns2.zhaoxin.com.        33600   IN      A       172.18.250.28
;; Query time: 1 msec
;; SERVER: 172.18.250.28#53(172.18.250.28)
;; WHEN: Sat Apr 09 15:20:19 CST 2016
;; MSG SIZE rcvd: 128
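As an added example (not code from the original post), here is the serial handling that makes the step above work. A slave transfers the zone only when the master's SOA serial is newer under the serial-number arithmetic of RFC 1982, which is why a record added on the master with the serial increased appears on the slave without any action there, and why a change made without increasing the serial never propagates. serial_is_newer() is that comparison; next_serial() produces the YYYYMMDDnn style serial used in the zone files on this page. All values are constructed.

```python
"""SOA serial comparison (RFC 1982) and YYYYMMDDnn serial generation (added example)."""
from datetime import date

SERIAL_MODULUS = 2 ** 32   # SOA serials are 32-bit unsigned integers
HALF = 2 ** 31


def serial_is_newer(candidate, current):
    """RFC 1982 comparison: candidate is newer than current when
    (candidate - current) mod 2^32 lies strictly between 0 and 2^31.
    Equal serials are not newer; a wrap-around past 2^32 still counts."""
    diff = (candidate - current) % SERIAL_MODULUS
    return 0 < diff < HALF


def next_serial(current, today=None):
    """Next serial in YYYYMMDDnn form. On the same day the two-digit
    counter is bumped; on a later day today's sequence starts at 01.
    A serial already ahead of today's prefix (clock skew or a typo) is
    still incremented, so slaves always see a larger value."""
    today = today or date.today()
    prefix = int(today.strftime("%Y%m%d")) * 100
    if current < prefix:
        return prefix + 1
    if current == prefix + 99:
        raise ValueError("100 changes in one day; switch to a plain counter")
    return current + 1


if __name__ == "__main__":
    master, slave = 2016040803, 2016040801  # serials from this page's zone files
    print("slave transfers at next refresh:", serial_is_newer(master, slave))
    print("edit without bumping the serial propagates:", serial_is_newer(slave, slave))
    print("next serial after", master, "on 2016-04-08:", next_serial(master, date(2016, 4, 8)))
```

The second print line is the common failure mode: after editing the zone on the master and running rndc reload, the slave keeps serving the old data until the serial is increased and the zone is reloaded again.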
VII. Subdomain delegation and DNS forwarding
1. Subdomain configuration
Configuration on the parent domain server:
# vim /var/named/zhaoxin.com.zone
$TTL 33600
$ORIGIN zhaoxin.com.
@ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. (
        2016040803
        2H
        10M
        1W
        1D )
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 15 mx2
ns1     IN A 172.18.250.108
ns2     IN A 172.18.250.28
mx1     IN A 172.18.250.111
mx2     IN A 172.18.250.112
www     IN A 172.18.250.108
bbs     IN A 172.18.250.66
ops     IN NS ns1.ops        ; delegate ops.zhaoxin.com to ns1.ops.zhaoxin.com
ns1.ops IN A 172.18.17.24    ; glue record: the delegated server's address (relative to $ORIGIN, so ns1.ops, not ns1)
# rndc reload
server reload successful
Configuration on the subdomain server:
a. Edit the configuration file
# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; 172.18.17.24; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        #allow-query { localhost; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
# vim /etc/named.rfc1912.zones
zone "ops.zhaoxin.com" IN {
        type master;
        file "ops.zhaoxin.com.zone";
};
b. Edit the zone file
# vim /var/named/ops.zhaoxin.com.zone
$TTL 33600
$ORIGIN ops.zhaoxin.com.
@ IN SOA ns1.ops.zhaoxin.com. admin.ops.zhaoxin.com. (
        2016040803
        2H
        10M
        1W
        1D )
        IN NS ns1
ns1     IN A 172.18.17.24
www     IN A 172.18.17.24
c. Fix the permissions
# chown .named ops.zhaoxin.com.zone
# chmod o= ops.zhaoxin.com.zone
d. Start the service and test
# systemctl start named.service
# ss -tnl|grep 53
LISTEN 0 10 172.18.17.24:53 *:*
LISTEN 0 10 127.0.0.1:53 *:*
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 10 ::1:53 :::*
LISTEN 0 128 ::1:953 :::*
Test through the subdomain server
# dig -t A www.ops.zhaoxin.com @172.18.17.24
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.ops.zhaoxin.com @172.18.17.24
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.zhaoxin.com.           IN      A
;; ANSWER SECTION:
www.ops.zhaoxin.com.    33600   IN      A       172.18.17.24
;; AUTHORITY SECTION:
ops.zhaoxin.com.        33600   IN      NS      ns1.ops.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.ops.zhaoxin.com.    33600   IN      A       172.18.17.24
;; Query time: 0 msec
;; SERVER: 172.18.17.24#53(172.18.17.24)
;; WHEN: Sat Apr 09 16:47:49 CST 2016
;; MSG SIZE rcvd: 98
Test through the parent domain server
# dig -t A www.ops.zhaoxin.com @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.ops.zhaoxin.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3566
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.zhaoxin.com.           IN      A
;; ANSWER SECTION:
www.ops.zhaoxin.com.    33600   IN      A       172.18.17.24
;; AUTHORITY SECTION:
ops.zhaoxin.com.        33600   IN      NS      ns1.ops.zhaoxin.com.
;; ADDITIONAL SECTION:
ns1.ops.zhaoxin.com.    33600   IN      A       172.18.17.24
;; Query time: 3 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 16:50:05 CST 2016
;; MSG SIZE rcvd: 98
2. DNS forwarding
DNS forwarding usually points at an external DNS server: when the local server has no record for a name, it sends the query on to that external server.
Note: the server being forwarded to must allow recursion for this server;
(1) Zone forwarding: forwards only queries for one specific zone;
zone "ZONE_NAME" IN {
        type forward;
        forward only;            // or: forward first;
        forwarders { SERVER_IP; };
};
first: forward first; if the forwarder does not respond, resolve iteratively on its own;
only: forward only;
(2) Global forwarding: every query for a zone that is not defined locally with a zone statement is handed to the forwarder;
options {
        ... ...
        forward only;            // or: forward first;
        forwarders { SERVER_IP; };
        ... ...
};
a. First query www.baidu.com through the local server (no forwarding configured yet)
# dig -t A www.baidu.com @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24127
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A
;; Query time: 1 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 16:53:02 CST 2016
;; MSG SIZE rcvd: 42
b. Configure DNS forwarding
Add the forward settings
# vim /etc/named.conf
options {
        listen-on port 53 { 172.18.250.108; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        forward only;
        forwarders { 172.18.0.1; };
Check the configuration file and reload:
# named-checkconf
# rndc reload
server reload successful
Test:
# dig -t A www.baidu.com @172.18.250.108
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1855
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A
;; ANSWER SECTION:
www.baidu.com.          179     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       128     IN      A       61.135.169.121
www.a.shifen.com.       128     IN      A       61.135.169.125
;; AUTHORITY SECTION:
a.shifen.com.           1028    IN      NS      ns3.a.shifen.com.
a.shifen.com.           1028    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1028    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1028    IN      NS      ns2.a.shifen.com.
a.shifen.com.           1028    IN      NS      ns1.a.shifen.com.
;; ADDITIONAL SECTION:
ns5.a.shifen.com.       1028    IN      A       119.75.222.17
ns4.a.shifen.com.       1028    IN      A       115.239.210.176
ns3.a.shifen.com.       1028    IN      A       61.135.162.215
ns2.a.shifen.com.       1028    IN      A       180.149.133.241
ns1.a.shifen.com.       1028    IN      A       61.135.165.224
;; Query time: 1 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 09 17:02:11 CST 2016
;; MSG SIZE rcvd: 271
VIII. BIND security-related configuration (acl)
acl: access control list: groups one or more addresses under a name, so that the name can then be used to refer to every host in the set at once
acl acl_name {
        ip;
        net/prefixlen;
};
Example:
acl mynet {
        172.18.0.0/16;
        127.0.0.0/8;
};
bind has four built-in acls:
none: no host;
any: any host;
localhost: this host;
localnet: the networks that this host's IP addresses belong to;
Access control directives:
allow-query {};       hosts allowed to query; a whitelist;
allow-transfer {};    hosts allowed to receive zone transfers; the default is every host; it should be restricted to the slave servers only;
allow-recursion {};   hosts allowed to send recursive queries to this DNS server;
allow-update {};      DDNS, hosts allowed to dynamically update the contents of the zone database;
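As an added example (not code from the original post), the following script lints the access-control settings just listed. It pulls the options block and each zone block out of a named.conf-style text and reports the two weak settings a reviewer looks for first: allow-transfer left at its default, so any host can pull the whole zone with AXFR, and recursion left on without a restrictive allow-recursion, which is the open-resolver case the stock named.conf comment above warns about. The brace parser handles only what this needs, not the full named.conf grammar; WEAK_CONF is constructed from the snippets on this page and HARDENED_CONF is the same text with the two settings added.

```python
"""Lint for allow-transfer / allow-recursion in a named.conf-style text (added example)."""
import re


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_blocks(text):
    """List of (header, body) for every top-level 'header { body };' statement."""
    blocks, depth, start, prev_end = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # The header is whatever follows the previous top-level ';' or '}'.
                header = text[prev_end:start].split(";")[-1].strip()
                blocks.append((header, text[start + 1:i]))
                prev_end = i + 1
    return blocks


def setting(body, name):
    """Value of 'name value;' or 'name { ... };' inside a block body, else None."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(\{[^}]*\}|[^;{]+);", body)
    return " ".join(m.group(1).split()) if m else None


def acl_is_open(value):
    """An allow-* clause that is absent or names the builtin 'any' admits every host."""
    return value is None or re.search(r"\bany\b", value) is not None


def lint(config_text):
    """Return a list of findings (empty when both checks pass)."""
    blocks = top_level_blocks(strip_comments(config_text))
    options = next((body for header, body in blocks if header == "options"), "")
    findings = []
    # BIND's default is 'recursion yes', so an absent statement counts as enabled.
    if setting(options, "recursion") in (None, "yes") and acl_is_open(setting(options, "allow-recursion")):
        findings.append("options: recursion is on without a restrictive allow-recursion (open resolver)")
    for header, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', header)
        if not m or setting(body, "type") not in ("master", "slave"):
            continue
        # A zone-level allow-transfer overrides the global one; both absent means 'any'.
        transfer = setting(body, "allow-transfer") or setting(options, "allow-transfer")
        if acl_is_open(transfer):
            findings.append(f"zone {m.group(1)}: allow-transfer is not restricted (any host can AXFR the zone)")
    return findings


# Constructed from this page's snippets (acl defined before it is referenced).
WEAK_CONF = """\
acl mynet { 172.16.0.0/16; 127.0.0.0/8; };
options {
        listen-on port 53 { 172.18.250.108; };
        directory "/var/named";
        #allow-query { localhost; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        forward only;
        forwarders { 172.18.0.1; };
};
zone "zhaoxin.com" IN {
        type master;
        file "zhaoxin.com.zone";
        allow-query { mynet; };
};
"""

# Same text with recursion limited to mynet and transfers limited to the slave.
HARDENED_CONF = WEAK_CONF.replace(
    "recursion yes;",
    "recursion yes;\n        allow-recursion { mynet; };\n        allow-transfer { 172.18.250.28; };")

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label + ":", lint(conf) or ["no findings"])
```

The hardened variant is what the master on this page should carry once the slave at 172.18.250.28 exists: allow-transfer names only that slave, and allow-recursion names only the networks the server is meant to resolve for.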
Test:
1. Edit the file so that only the 172.16.0.0/16 network may query
# vim /etc/named.rfc1912.zones
acl mynet {
        172.16.0.0/16;
        127.0.0.0/8;
};
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
        type master;
        file "zhaoxin.com.zone";
        allow-query { mynet; };
};
# systemctl restart named
Test whether the client can resolve
# ifconfig eth0
eth0      Link encap:Ethernet  HWaddr 00:0C:29:69:45:7B
          inet addr:172.18.4.2  Bcast:172.18.255.255  Mask:255.255.0.0
          inet6 addr: fe80::20c:29ff:fe69:457b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2750 errors:0 dropped:0 overruns:0 frame:0
          TX packets:329 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:467611 (456.6 KiB)  TX bytes:33023 (32.2 KiB)
# dig -t A www.zhaoxin.com @172.18.250.108
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.zhaoxin.com @172.18.250.108
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5215
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.zhaoxin.com.               IN      A
;; Query time: 4 msec
;; SERVER: 172.18.250.108#53(172.18.250.108)
;; WHEN: Sat Apr 9 15:37:15 2016
;; MSG SIZE rcvd: 33
# This client (172.18.4.2) is outside the permitted range, so its query is refused.
2. Change the acl to the 172.18 network and test whether it can resolve