1. Explain how a DNS server works, and build a master/slave pair.

A user reaches a website by domain name, but the connection is ultimately made to an IP address; translating the name into that address is the job of DNS (Domain Name System). When networks were small, the name-to-address mapping was kept in a hosts file: one static record per name, maintained separately on every host.

Local name resolution file: hosts
Linux hosts file: /etc/hosts
Windows hosts file: %WINDIR%\system32\drivers\etc\hosts
# every host carries its own address-to-name records
122.10.117.2 www.magedu.com
93.46.8.89 www.google.com
With the record 122.10.117.2 www.magedu.com in place, a browser asked for www.magedu.com connects straight to the web service on 122.10.117.2 without asking any server. The hosts file is consulted before DNS on both systems, which is also why malware and phishing kits like to edit it: treat unexpected entries there as an indicator of compromise.

Once the network grew to Internet scale, per-host files could not keep up, and DNS replaced them: a distributed, hierarchical database. Common server implementations are bind, powerdns and unbound. Before configuring a server it helps to look at the structure of the namespace:

Every DNS server knows its "ancestors": the root zone, served by the 13 root server identities a.root-servers.net through m.root-servers.net. Each letter is an anycast service run from many physical instances worldwide, so "13 root servers" means 13 names and addresses, not 13 machines.
# the root hints file shipped with bind lists the root servers; the file itself is a captured dig of the root NS set
[root@c7-37-102-mini ~]# cat /var/named/named.ca
; <<>> DiG 9.11.3-RedHat-9.11.3-3.fc27 <<>> +bufsize=1200 +norec @a.root-servers.net
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46900
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 199.9.14.201
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2001:500:200::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
;; Query time: 24 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Apr 05 15:57:34 CEST 2018
;; MSG SIZE rcvd: 811
So a resolver that does not already know an answer starts at the root. The root servers do not hold the answer; they refer the query to the servers for the top-level domain (com.), which refer it to the servers for magedu.com, and so on down the tree until an authoritative server returns the address. This iterative walk is done by the recursive resolver on behalf of the client, and every answer is cached for its TTL, so the root is rarely asked twice about the same name.

Types of DNS server:
Master (primary) server
Holds and maintains the zone data (the "resolution database") for the domains it is authoritative for.
Slave (secondary) server
Obtains a copy of the zone data from the master, or from another slave, by zone transfer (AXFR/IXFR), and answers authoritatively from that copy.
Caching-only server / forwarder
Holds no zone data of its own. A caching-only server resolves queries by walking down from the root hints; a forwarder instead hands every query to another configured server. Both cache the answers they obtain for the record TTL.
bind: implementing a DNS master/slave pair
Plan: three virtual machines

| Address | Role |
|---|---|
| 192.168.37.102 | DNS master server |
| 192.168.37.100 | DNS slave server |
| 192.168.37.101 | test client |

Goals:
192.168.37.102 is the master, authoritative for the zone magedu.com;
192.168.37.100 is the slave: a change on the master is pushed to it (NOTIFY followed by a zone transfer), and if the master goes down the slave keeps answering for the zone;
192.168.37.101 is the client used to test the service.
1. Installing and configuring the master: bind
# install the bind package on 192.168.37.102
[root@c7-37-102-mini ~]# yum install bind -y
Installed:
bind.x86_64 32:9.11.4-16.P2.el7_8.3
Dependency Installed:
GeoIP.x86_64 0:1.5.0-14.el7
audit-libs-python.x86_64 0:2.8.5-4.el7
bind-libs.x86_64 32:9.11.4-16.P2.el7_8.3
bind-libs-lite.x86_64 32:9.11.4-16.P2.el7_8.3
bind-license.noarch 32:9.11.4-16.P2.el7_8.3
checkpolicy.x86_64 0:2.5-8.el7
geoipupdate.x86_64 0:2.5.0-1.el7
libcgroup.x86_64 0:0.41-21.el7
libsemanage-python.x86_64 0:2.5-14.el7
policycoreutils-python.x86_64 0:2.5-34.el7
python-IPy.noarch 0:0.75-6.el7
python-ply.noarch 0:3.4-11.el7
setools-libs.x86_64 0:3.3.8-4.el7
Dependency Updated:
policycoreutils.x86_64 0:2.5-34.el7
Complete!
#A. Configure the master DNS server
# main configuration file /etc/named.conf on 192.168.37.102
# goal: a master server authoritative for the magedu.com zone
[root@c7-37-102-mini network-scripts]# vim /etc/named.conf
# three settings matter here: the listening address and port (default 53), the hosts allowed to query, and the zone declaration
options {
listen-on port 53 { localhost; };
# "localhost" is a built-in ACL matching every address of this host, so this listens on all local IPs (the stock file has 127.0.0.1 here)
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
# any host may query (the stock file restricts this to localhost). With recursion left at its default of yes this also lets anyone who can reach the server use it as a resolver; add allow-recursion { 192.168.37.0/24; } if that is not intended
# (remaining stock options unchanged)
};
#B. Declare the magedu.com zone. It can go in the main file or in /etc/named.rfc1912.zones, which named.conf includes
zone "magedu.com" IN {
type master;
# this server is the master for the zone
file "magedu.com.zone";
# zone file, relative to the directory option, i.e. /var/named/magedu.com.zone
};
#C. Create the zone file /var/named/magedu.com.zone
[root@c7-37-102-mini ~]# vim /var/named/magedu.com.zone
# the lines starting with # below are explanations, not zone-file syntax: remove them in the real file (zone-file comments start with ;)
$TTL 86400
# default TTL for records that carry none: 1 day
magedu.com. IN SOA @ adim.magedu.com. (
# SOA: @ names the primary master (expands to magedu.com.); the second field is the zone admin's mailbox with the @ written as a dot
0 ; serial
# zone version number; it must increase on every edit, otherwise slaves never notice the change
1D ; refresh
# how often a slave checks the master's serial: 1 day
1H ; retry
# retry interval after a failed refresh: 1 hour
1W ; expire
# how long a slave keeps serving the zone without reaching the master: 1 week
3H ) ; minimum
# negative-cache TTL: how long "no such record" answers are cached
NS master
NS slave
# a line with no owner name inherits the previous owner (magedu.com.); in the real file such lines must be indented
master A 192.168.37.102
# address of the master name server
slave A 192.168.37.100
# address of the slave name server
# every name used in an NS record needs an A (or AAAA) record so resolvers can reach the server (glue)
ftp A 192.168.37.201
# ftp server
www CNAME websrv
websrv A 192.168.37.2
# www is an alias for the web server websrv
* A 4.4.4.4
# wildcard: any otherwise undefined name under magedu.com resolves to 4.4.4.4
------------------------------------------------------------------------------
# the complete file again (serial 1), with a few extra records used in the tests below
[root@c7-37-102-mini ~]# cat /var/named/magedu.com.zone
$TTL 86400
magedu.com. IN SOA @ adim.magedu.com. (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 192.168.37.102
slave A 192.168.37.100
ftp A 192.168.37.200
www CNAME websrv
baba A 9.9.9.9
websrv A 192.168.37.2
* A 4.4.4.4
@ A 2.2.2.2
------------------------------------------------------------------------------
# with the file in place, start the service
[root@c7-37-102-mini ~]# systemctl start named
# test from a client whose /etc/resolv.conf points at the master
[root@C7-37-100-destop ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.37.102
[root@c7-37-103-mini ~]# dig baba.magedu.com @192.168.37.102
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> baba.magedu.com @192.168.37.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27424
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baba.magedu.com. IN A
;; ANSWER SECTION:
baba.magedu.com. 86400 IN A 9.9.9.9
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS slave.magedu.com.
magedu.com. 86400 IN NS master.magedu.com.
;; ADDITIONAL SECTION:
master.magedu.com. 86400 IN A 192.168.37.102
slave.magedu.com. 86400 IN A 192.168.37.100
;; Query time: 0 msec
;; SERVER: 192.168.37.102#53(192.168.37.102)
;; WHEN: Tue Jun 02 15:34:25 CST 2020
;; MSG SIZE rcvd: 133
# test the ftp record
[root@C7-37-100-destop ~]# ping ftp.magedu.com
PING ftp.magedu.com (192.168.37.201) 56(84) bytes of data.
^C
--- ftp.magedu.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
# the name resolved to 192.168.37.201; the packet loss only means nothing answers at that address, the resolution itself worked
[root@C7-37-100-destop ~]# ping www.magedu.com
PING websrv.magedu.com (192.168.37.2) 56(84) bytes of data.
64 bytes from 192.168.37.2 (192.168.37.2): icmp_seq=1 ttl=128 time=0.618 ms
[root@C7-37-100-destop ~]# ping www.baidu.com
# this exercises recursion: www.baidu.com is in no local zone, so named walks down from the root hints (named.ca) and caches the result. Because allow-query is any and recursion defaults to yes, anyone who can reach this server can use it as a resolver, including for amplification attacks; add allow-recursion { 192.168.37.0/24; } unless that is intended
PING www.a.shifen.com (180.101.49.11) 56(84) bytes of data.
^C64 bytes from 180.101.49.11: icmp_seq=1 ttl=54 time=4.87 ms
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.872/4.872/4.872/0.000 ms
# host and dig give a clearer picture than ping
[root@c7-37-103-mini ~]# host baba.magedu.com 192.168.37.102
Using domain server:
Name: 192.168.37.102
Address: 192.168.37.102#53
Aliases:
baba.magedu.com has address 9.9.9.9
# the address for baba.magedu.com
[root@c7-37-103-mini ~]# dig baba.magedu.com @192.168.37.102
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> baba.magedu.com @192.168.37.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47269
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baba.magedu.com. IN A
;; ANSWER SECTION:
baba.magedu.com. 86400 IN A 9.9.9.9
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS slave.magedu.com.
magedu.com. 86400 IN NS master.magedu.com.
;; ADDITIONAL SECTION:
master.magedu.com. 86400 IN A 192.168.37.102
slave.magedu.com. 86400 IN A 192.168.37.100
;; Query time: 1 msec
;; SERVER: 192.168.37.102#53(192.168.37.102)
;; WHEN: Tue Jun 02 15:37:21 CST 2020
;; MSG SIZE rcvd: 133
2. Configuring the slave DNS server
#A. Make the slave pull the zone from the master
# bind is installed as above
# edit the main configuration file
[root@C7-37-100-destop ~]# vim /etc/named.conf
options {
// listen-on port 53 { 127.0.0.1; };
# commented out: with no listen-on statement named listens on every IPv4 address
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
# commented out: the built-in default for allow-query is any, so every host may query
forward only;
forwarders { 192.168.37.102; };
# optional: hand every query the slave is not authoritative for to the master instead of resolving from the root; this makes the slave's recursive service depend on the master
# (remaining stock options unchanged)
};
zone "magedu.com" {
type slave;
masters { 192.168.37.102; };
# where to transfer the zone from
file "slaves/magedu.com.zone.slave";
# local copy; slaves/ is one of the few directories under /var/named that named can write to
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@C7-37-100-destop ~]# systemctl start named
[root@C7-37-100-destop ~]# ls /var/named/slaves/
# as soon as the service starts the zone is transferred from the master. The copy is stored in BIND's binary "raw" master-file format (it is not encrypted), which is why cat shows gibberish
magedu.com.zone.slave
[root@C7-37-100-destop ~]# cat /var/named/slaves/magedu.com.zone.slave
??^?/S???Q?
?magedu?com1?magedu?com?adim?magedu?com?Q? :05???Q?
?magedu?com??master?magedu?com(???Q??*?+aged+?c-+?????*???Q
# to read it, convert with named-compilezone -f raw -F text -o - magedu.com /var/named/slaves/magedu.com.zone.slave, or put masterfile-format text; in the zone statement
# the transfer from the master works
# test with dig from the client (dig ships in bind-utils)
[root@c7-37-103-mini ~]# dig www.magedu.com @192.168.37.100
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> www.magedu.com @192.168.37.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23158
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN CNAME websrv.magedu.com.
websrv.magedu.com. 86400 IN A 192.168.37.2
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS slave.magedu.com.
magedu.com. 86400 IN NS master.magedu.com.
;; ADDITIONAL SECTION:
master.magedu.com. 86400 IN A 192.168.37.102
slave.magedu.com. 86400 IN A 192.168.37.100
;; Query time: 1 msec
;; SERVER: 192.168.37.100#53(192.168.37.100)
;; WHEN: Tue Jun 02 15:39:31 CST 2020
;; MSG SIZE rcvd: 153
#B. Edit the zone on the master and bump the serial, then check that the slave picks up the change
[root@c7-37-102-mini ~]# vim /var/named/magedu.com.zone
# serial changed to 3
# a mama record added, to be looked up on the slave (.100)
$TTL 86400
magedu.com. IN SOA @ adim.magedu.com. (
3 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 192.168.37.102
slave A 192.168.37.100
ftp A 192.168.37.200
www CNAME websrv
baba A 9.9.9.9
websrv A 192.168.37.2
mama A 8.8.8.8
* A 4.4.4.4
@ A 2.2.2.2
# rndc reload (or rndc reload magedu.com) makes named re-read the file; with the higher serial it sends NOTIFY to the NS hosts and the slave transfers the new zone
# look the new record up on the slave
[root@c7-37-103-mini ~]# host mama.magedu.com 192.168.37.100
Using domain server:
Name: 192.168.37.100
Address: 192.168.37.100#53
Aliases:
mama.magedu.com has address 8.8.8.8
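The two steps just shown, writing the zone file and then bumping the serial before `rndc reload`, are where most zone breakage happens: a forgotten serial bump silently leaves the slave on the old data, and an NS or CNAME that points at nothing passes unnoticed until a resolver complains. The Python below is an added example, not part of the original page or of BIND: it parses a zone file in the format used above and reports those mistakes before the reload. `ZONE_V1` and `ZONE_V3` are constructed from the two listings above; `ZONE_BAD` is an invented broken edit.

```python
"""Pre-reload checks for a BIND zone file: serial bumped, NS names have
address records, CNAMEs do not coexist with other data or dangle."""

ORIGIN = "magedu.com."
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}

# Constructed from the magedu.com.zone listing above (serial 1).
ZONE_V1 = """\
$TTL 86400
magedu.com.   IN SOA @ adim.magedu.com. (
              1      ; serial
              1D     ; refresh
              1H     ; retry
              1W     ; expire
              3H )   ; minimum
              NS     master
              NS     slave
master        A      192.168.37.102
slave         A      192.168.37.100
ftp           A      192.168.37.200
www           CNAME  websrv
baba          A      9.9.9.9
websrv        A      192.168.37.2
*             A      4.4.4.4
@             A      2.2.2.2
"""
# The edit made above: serial 3 plus the new mama record.
ZONE_V3 = ZONE_V1.replace("1      ; serial", "3      ; serial").replace(
    "websrv ", "mama          A      8.8.8.8\nwebsrv ")
# Invented broken edit: serial left at 3, an NS with no address record,
# and an A record added next to the www CNAME.
ZONE_BAD = ZONE_V3.replace(
    "NS     slave\n", "NS     slave\n              NS     ns3\n").replace(
    "CNAME  websrv\n", "CNAME  websrv\nwww           A      1.2.3.4\n")


def _logical_lines(text):
    """Drop ; comments and join ( ... ) continuations into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []


def fqdn(name, origin=ORIGIN):
    """Absolute form of a zone-file name (@ is the origin, relative names get it appended)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (serial, [(owner, type, rdata_tokens), ...])."""
    serial, records, owner = None, [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):            # $TTL / $ORIGIN directives
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        # An indented line (or one that starts with a type) keeps the previous owner.
        if not line[0].isspace() and tokens[0] not in (TYPES | {"IN"}):
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0] == "IN" or tokens[0].isdigit()):
            tokens.pop(0)                   # optional class and TTL
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SOA":                  # mname rname serial refresh retry expire minimum
            serial = int(rdata[2])
        records.append((owner, rtype, rdata))
    return serial, records


def check_zone(old_text, new_text, origin=ORIGIN):
    """Return a list of problems; an empty list means the edit is safe to reload."""
    problems = []
    old_serial, _ = parse_zone(old_text, origin)
    new_serial, records = parse_zone(new_text, origin)
    if new_serial <= old_serial:
        problems.append(f"serial {new_serial} is not above {old_serial}: slaves will not transfer")
    owners = {r[0] for r in records}
    with_addr = {r[0] for r in records if r[1] in ("A", "AAAA")}
    wildcard = f"*.{origin}" in owners     # a wildcard satisfies any in-zone CNAME target
    for owner, rtype, rdata in records:
        target = fqdn(rdata[0], origin) if rtype in ("NS", "CNAME") else None
        if rtype == "NS" and target.endswith(origin) and target not in with_addr:
            problems.append(f"NS {target} has no A/AAAA record (missing glue)")
        if rtype == "CNAME":
            if target.endswith(origin) and target not in owners and not wildcard:
                problems.append(f"CNAME {owner} -> {target} points at nothing")
            if any(r[0] == owner and r[1] != "CNAME" for r in records):
                problems.append(f"{owner} has a CNAME and other data, which BIND rejects")
    return problems
```

`named-checkzone magedu.com /var/named/magedu.com.zone` catches the syntax-level errors (the CNAME-plus-data case among them); the serial comparison against the previous copy is the part it cannot do for you.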
3. Restricting zone transfers
With the configuration above any host can ask either server for the whole zone (dig axfr magedu.com @192.168.37.102), which hands an attacker a complete host inventory. Add the following to the corresponding /etc/named.conf, either in options or inside the zone statement:
# on the master: only the slave may transfer the zone
allow-transfer { 192.168.37.100; };
# on the slave: nobody may transfer it further
allow-transfer { none; };
# run rndc reconfig afterwards and verify with dig axfr from a host that is not listed: it should now report "Transfer failed."
# an address-based ACL is only as strong as the network between the two servers; for a stronger check sign transfers with a TSIG key (key and server statements on both sides) instead of trusting the source address alone
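What the two allow-transfer lines protect against is easy to check mechanically. The script below is an added example, not part of the original page or of BIND: it reads a named.conf and flags master/slave zones that any host may AXFR, and an options block that makes the server an open recursive resolver. (BIND derives the effective allow-recursion from allow-query-cache, then allow-query, then localhost/localnets, so the master's allow-query { any; } above opens recursion as well.) `CONF_WEAK` is constructed from this page's master configuration and `CONF_HARDENED` is the same with the restrictions added; only statements of the form `name { ...; };` and `name value;` are parsed, so feed it the output of `named-checkconf -p` to have includes and views expanded.

```python
"""Lint a named.conf for two classic exposures: zones any host can AXFR,
and recursion open to the world."""
import re
import sys

_COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)

# Constructed from this page's master configuration: allow-query any, no
# allow-transfer anywhere; recursion yes is what the stock CentOS file carries.
CONF_WEAK = """
options {
    listen-on port 53 { localhost; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
};
"""
# The same server with transfers limited to the slave and recursion to the LAN.
CONF_HARDENED = CONF_WEAK.replace(
    "    recursion yes;\n",
    "    recursion yes;\n"
    "    allow-recursion { 192.168.37.0/24; };   // who may use us as a resolver\n"
    "    allow-transfer { 192.168.37.100; };     // only the slave may AXFR\n")


def blocks(text, keyword):
    """Yield (header, body) for every `keyword header { body }` statement, nested or not."""
    for m in re.finditer(rf"\b{keyword}\b([^{{;]*)\{{", text):
        depth, i = 1, m.end()
        while depth:                       # find the matching closing brace
            depth += (text[i] == "{") - (text[i] == "}")
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]


def addr_list(body, name):
    """Elements of `name { a; b; };`, or None when the statement is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}", body)
    return [x.strip() for x in m.group(1).split(";") if x.strip()] if m else None


def scalar(body, name):
    """Value of `name value;`, or None."""
    m = re.search(rf"\b{name}\s+([^;{{]+);", body)
    return m.group(1).strip() if m else None


def lint(conf):
    conf = _COMMENT.sub("", conf)
    findings = []
    opts = next((body for _, body in blocks(conf, "options")), "")
    # BIND's effective allow-recursion: allow-recursion, else allow-query-cache,
    # else allow-query, else localhost/localnets.
    if (scalar(opts, "recursion") or "yes") == "yes":
        effective = (addr_list(opts, "allow-recursion")
                     or addr_list(opts, "allow-query-cache")
                     or addr_list(opts, "allow-query")
                     or ["localhost", "localnets"])
        if "any" in effective:
            findings.append("options: recursion allowed for any client (open resolver)")
    global_xfer = addr_list(opts, "allow-transfer")
    for header, body in blocks(conf, "zone"):
        if scalar(body, "type") not in ("master", "slave"):
            continue                       # hint/forward zones have nothing to transfer
        name = header.split()[0].strip('"')
        xfer = addr_list(body, "allow-transfer") or global_xfer
        if xfer is None or "any" in xfer:
            findings.append(f"zone {name}: AXFR allowed from any host (set allow-transfer)")
    return findings


if __name__ == "__main__":               # usage: named-checkconf -p | python3 lint.py
    for line in lint(sys.stdin.read()):
        print(line)
```

A zone-level allow-transfer overrides the one in options, which is why the check looks at the zone first and falls back to the global setting; a slave zone with no allow-transfer of its own is flagged for the same reason the page tells you to set `allow-transfer { none; }` on the slave.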
4. Testing from the client
[root@c7-37-101-mini ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
IPADDR=192.168.37.101
PREFIX=24
# NETMASK expects a dotted mask (255.255.255.0); a CIDR length belongs in PREFIX
GATEWAY=192.168.37.2
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=eth0
DEVICE=eth0
ONBOOT=yes
DNS1=192.168.37.102
DNS2=192.168.37.100
# DNS1/DNS2 are written into /etc/resolv.conf by NetworkManager: the master first, the slave as fallback
[root@c7-37-101-mini ~]# systemctl restart network
Job for network.service failed because the control process exited with error code. See "systemctl status network.service" and "journalctl -xe" for details.
# the restart failed in the captured run (the file at that point had NETMASK=24, which is not a valid mask); the resolv.conf below was regenerated all the same
[root@c7-37-101-mini ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.37.102
nameserver 192.168.37.100
[root@c7-37-103-mini ~]# ping www.magedu.com
# the master answers: www resolves to 192.168.37.2 via the CNAME target websrv
PING websrv.magedu.com (192.168.37.2) 56(84) bytes of data.
64 bytes from gateway (192.168.37.2): icmp_seq=1 ttl=128 time=0.314 ms
64 bytes from gateway (192.168.37.2): icmp_seq=2 ttl=128 time=0.209 ms
64 bytes from gateway (192.168.37.2): icmp_seq=3 ttl=128 time=0.359 ms
^C
--- websrv.magedu.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2005ms
rtt min/avg/max/mdev = 0.209/0.294/0.359/0.062 ms
[root@c7-37-103-mini ~]# ping baba.magedu.com
PING baba.magedu.com (9.9.9.9) 56(84) bytes of data.
^C64 bytes from 9.9.9.9: icmp_seq=1 ttl=128 time=225 ms
--- baba.magedu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 225.250/225.250/225.250/0.000 ms
# now disconnect 192.168.37.102 from the network: resolution still works, after a pause while the resolver times out on the master (resolv.conf default: 5 s per attempt) and falls over to the slave
[root@c7-37-103-mini ~]# ping baba.magedu.com
PING baba.magedu.com (9.9.9.9) 56(84) bytes of data.
^C64 bytes from 9.9.9.9: icmp_seq=1 ttl=128 time=225 ms
--- baba.magedu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 225.915/225.915/225.915/0.000 ms
[root@c7-37-101-mini ~]# ping www.magedu.com
PING websrv.magedu.com (192.168.37.2) 56(84) bytes of data.
^C64 bytes from 192.168.37.2: icmp_seq=1 ttl=128 time=0.172 ms
--- websrv.magedu.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.172/0.172/0.172/0.000 ms
[root@c7-37-101-mini ~]# dig www.magedu.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36597
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN CNAME websrv.magedu.com.
websrv.magedu.com. 86400 IN A 192.168.37.2
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS slave.magedu.com.
magedu.com. 86400 IN NS master.magedu.com.
;; ADDITIONAL SECTION:
master.magedu.com. 86400 IN A 192.168.37.102
slave.magedu.com. 86400 IN A 192.168.37.100
;; Query time: 0 msec
;; SERVER: 192.168.37.100#53(192.168.37.100)
;; WHEN: Tue Jun 02 15:58:49 CST 2020
;; MSG SIZE rcvd: 153
2鼻疮、搭建并實現(xiàn)智能DNS怯伊。
模擬bind實現(xiàn)智能DNS,即根據(jù)訪問用戶的ip的不同,返回不同的域名所對應(yīng)的ip判沟。
以192.168.37.102 作為DNS主服務(wù)器耿芹,實現(xiàn)智能DNS的邏輯,需要定義ACL,并配合view視圖來完成挪哄;具體過程如下:
#named.conf主文件的配置
[root@c7-37-102-mini named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl beijingnet {
192.168.37.0/24;
192.168.38.0/24;
};
acl shanghainet {
172.16.0.0/16;
172.18.0.0/16;
};
acl othernet {
any;
};
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view view_beijing {
match-clients {beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view view_shanghai {
match-clients {shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
view view_other {
match-clients {othernet;};
include "/etc/named.rfc1912.zones.other";
};
include "/etc/named.root.key";
# note the syntax: include "/etc/named.rfc1912.zones.bj"; once any view statement exists, every zone (including the default localhost and root-hint zones) must live inside a view, so the original top-level include of /etc/named.rfc1912.zones is replaced by one include per view
# each view gets its own zone configuration file
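Which view answers is decided only by the client's source address against the match-clients lists, in the order the views appear. The Python below is an added example, not part of the page or of BIND: it reproduces that selection for the ACLs and views above so the rule can be exercised without a server. `any`, `none`, addresses, prefixes, `!` negation and nested acl names are handled with BIND's first-match semantics; TSIG keys in match-clients are not. The ACL and view tables are copied from the configuration above; the client addresses in the `__main__` block are the ones used in the tests that follow plus an invented 10.9.8.7.

```python
"""Reproduce BIND view selection: the first view whose match-clients list
covers the client's source address answers; a catch-all must therefore be last."""
import ipaddress

# Copied from the acl and view statements above (view order matters).
ACLS = {
    "beijingnet": ["192.168.37.0/24", "192.168.38.0/24"],
    "shanghainet": ["172.16.0.0/16", "172.18.0.0/16"],
    "othernet": ["any"],
}
VIEWS = [
    ("view_beijing", ["beijingnet"]),
    ("view_shanghai", ["shanghainet"]),
    ("view_other", ["othernet"]),
]


def element_covers(client, element, acls):
    """Does one positive element (any, none, address/prefix, acl name) cover client?"""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:                      # nested acl: its own first-match result
        return match_list(client, acls[element], acls)
    return client in ipaddress.ip_network(element, strict=False)


def match_list(client, elements, acls=ACLS):
    """BIND address-match-list rule: the first element that covers the client
    decides, and a `!`-prefixed element decides 'no match'."""
    if isinstance(client, str):
        client = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        if element_covers(client, element.lstrip("!"), acls):
            return not negated
    return False


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Name of the view that would answer client_ip, or None (BIND then answers REFUSED)."""
    for name, match_clients in views:
        if match_list(client_ip, match_clients, acls):
            return name
    return None


if __name__ == "__main__":
    for ip in ("192.168.37.103", "172.16.0.16", "127.0.0.1", "10.9.8.7"):
        print(ip, "->", select_view(ip))
    # Put the catch-all view first and it swallows every client:
    print("misordered:", select_view("192.168.37.103", views=VIEWS[2:] + VIEWS[:2]))
```

The last line of the `__main__` block is the mistake to watch for when views are added later: a new view appended after view_other is never reached, because othernet matches everything first.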
#A.beijing
[root@c7-37-102-mini named]# cat /etc/named.rfc1912.zones.bj
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.com" {
type master;
file "magedu.com.zone.bj";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
#B.shanghai
[root@c7-37-102-mini named]# cat /etc/named.rfc1912.zones.sh
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.com" {
type master;
file "magedu.com.zone.sh";
};
#C.other
[root@c7-37-102-mini named]# vim /etc/named.rfc1912.zones.other
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "magedu.com" IN {
type master;
file "magedu.com.zone.other";
};
# the file statement needs its terminating semicolon; run named-checkconf after editing to catch this kind of slip before restarting
# file permissions: the new include files were created root:root 0640, so named cannot read them; give them the named group like the original
[root@c7-37-102-mini named]# ll /etc/named.rfc1912.zones*
-rw-r----- 1 root named 1057 Jun 1 17:04 /etc/named.rfc1912.zones
-rw-r----- 1 root root 1057 Jun 1 17:04 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root root 1060 Jun 1 17:05 /etc/named.rfc1912.zones.other
-rw-r----- 1 root root 1057 Jun 1 17:05 /etc/named.rfc1912.zones.sh
[root@c7-37-102-mini named]# chgrp named /etc/named.rfc1912.zones.*
[root@c7-37-102-mini named]# ll /etc/named.rfc1912.zones*
-rw-r----- 1 root named 1057 Jun 1 17:04 /etc/named.rfc1912.zones
-rw-r----- 1 root named 1057 Jun 1 17:04 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 1060 Jun 1 17:05 /etc/named.rfc1912.zones.other
-rw-r----- 1 root named 1057 Jun 1 17:05 /etc/named.rfc1912.zones.sh
# create the zone file for each view
#A. beijing
[root@c7-37-102-mini named]# vim /var/named/magedu.com.zone.bj
# clients matching beijingnet (192.168.37.0/24, 192.168.38.0/24) get the address from this file: 192.168.37.103
$TTL 1D
@ IN SOA ns1 admin ( 1 1H 1H 1D 3H )
NS ns1
ns1 A 192.168.37.102
www A 192.168.37.103
#B. shanghai
[root@c7-37-102-mini named]# vim /var/named/magedu.com.zone.sh
# clients matching shanghainet (172.16.0.0/16, 172.18.0.0/16) get 172.16.0.103
$TTL 1D
@ IN SOA ns1 admin ( 1 1H 1H 1D 3H )
NS ns1
ns1 A 192.168.37.102
www A 172.16.0.103
#C. other
[root@c7-37-102-mini named]# vim /var/named/magedu.com.zone.other
# every other client gets 8.8.8.8
$TTL 1D
@ IN SOA ns1 admin ( 1 1H 1H 1D 3H )
NS ns1
ns1 A 192.168.37.102
www A 8.8.8.8
# the one-line SOA reads: ns1 is the primary, admin the contact mailbox, then serial, refresh, retry, expire, minimum
# start the service (run named-checkconf first) and test
systemctl start named
# client tests
[root@c7-37-103-mini ~]# ip addr add 172.16.0.16/16 dev eth1
# give the client a 172.16 address, so that a query it sends to a 172.16 address on the server is sourced from it and matches shanghainet
[root@c7-37-103-mini ~]# ip a show eth1
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:2b:f1:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.1.5/24 brd 192.168.1.255 scope global noprefixroute dynamic eth1
valid_lft 68729sec preferred_lft 68729sec
inet 172.16.0.16/16 scope global eth1
valid_lft forever preferred_lft forever
inet6 240e:3a1:101f:62d0:27d0:885f:4784:4a13/64 scope global noprefixroute dynamic
valid_lft 259160sec preferred_lft 172760sec
inet6 fe80::69b6:5097:3274:c8b3/64 scope link noprefixroute
valid_lft forever preferred_lft forever
[root@c7-37-103-mini ~]# dig www.magedu.com @192.168.37.102
# query from the 192.168.37 network: answered by the beijing view (the address in this capture differs from the zone file listed above; what matters is which view answered)
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> www.magedu.com @192.168.37.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48370
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION:
www.magedu.com. 86400 IN A 192.168.37.100
;; AUTHORITY SECTION:
magedu.com. 86400 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 86400 IN A 192.168.37.102
;; Query time: 3 msec
;; SERVER: 192.168.37.102#53(192.168.37.102)
;; WHEN: Tue Jun 02 20:12:17 CST 2020
;; MSG SIZE rcvd: 93
[root@c7-37-103-mini ~]# host www.magedu.com 172.16.0.102
# query via the 172.16 network: the server must also hold the 172.16.0.102 address (not shown above); the client sources the query from 172.16.0.16 and matches shanghainet. Again the captured address differs from the listed zone file
Using domain server:
Name: 172.16.0.102
Address: 172.16.0.102#53
Aliases:
www.magedu.com has address 172.16.0.100
[root@c7-37-102-mini named]# host www.magedu.com 127.0.0.1
# from the server itself: 127.0.0.1 matches neither ACL, so the catch-all "other" view answers (captured address differs from the listed zone file)
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
www.magedu.com has address 9.9.9.9
3. Compile and install MariaDB from source, start it and log in.
1. Get the MariaDB source
Source is published at www.mariadb.com
Source package directory:
https://downloads.mariadb.com/MariaDB/mariadb-10.2.32/source/
Tarball (can also be fetched with wget):
https://downloads.mariadb.com/MariaDB/mariadb-10.2.32/source/mariadb-10.2.32.tar.gz
# verify the download against the published checksum or signature before building; it is the one artifact in this procedure that does not come from the distribution's signed repositories
2. Building mariadb-10.2.32 from source
Prepare the service user and the data directory
[root@C7-37-100-destop ~]# mkdir /data/mysql
# data directory
[root@C7-37-100-destop data]# mkdir app
[root@C7-37-100-destop data]# cd app/
[root@C7-37-100-destop app]# rz
# upload the tarball (zmodem)
rz waiting to receive.
Starting zmodem transfer. Press Ctrl+C to cancel.
Transferring mariadb-10.2.32.tar.gz...
100% 71920 KB 23973 KB/sec 00:00:03 0 Errors
[root@C7-37-100-destop app]# useradd -r -s /sbin/nologin -d /data/mysql/ mysql
# system user and group mysql, with no login shell
[root@C7-37-100-destop app]# chown mysql.mysql -R /data/mysql/
# hand the data directory to the mysql user and group
[root@C7-37-100-destop app]# tar xvf mariadb-10.2.32.tar.gz
# unpack
Install the build dependencies
yum install bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libavent-devel libaio-devel
.......
Dependency Updated:
e2fsprogs.x86_64 0:1.42.9-17.el7
e2fsprogs-libs.x86_64 0:1.42.9-17.el7
glibc.x86_64 0:2.17-307.el7.1
glibc-common.x86_64 0:2.17-307.el7.1
libcom_err.x86_64 0:1.42.9-17.el7
libselinux.x86_64 0:2.5-15.el7
libselinux-python.x86_64 0:2.5-15.el7
libselinux-utils.x86_64 0:2.5-15.el7
libss.x86_64 0:1.42.9-17.el7
Complete!
The build itself takes a long time. Two things to note in the cmake line below: -DMYSQL_DATADIR=/data/mysqldb/ does not match the /data/mysql directory prepared above (the datadir passed to mysql_install_db and set in my.cnf later is what actually counts), and -DENABLED_LOCAL_INFILE=1 turns on LOAD DATA LOCAL INFILE in the client by default, which lets any server the client connects to request readable files from the client host; set it to 0 unless you need it.
[root@C7-37-100-destop app]# cd mariadb-10.2.32/
[root@C7-37-100-destop mariadb-10.2.32]# cmake . \
-DCMAKE_INSTALL_PREFIX=/app/mysql \
-DMYSQL_DATADIR=/data/mysqldb/ \
-DSYSCONFDIR=/etc \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/tmp/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci
-- Generating done
-- Build files have been written to: /data/app/mariadb-10.2.32
#make && make install
[root@centos7 mariadb-10.2.32]# make && make install
Scanning dependencies of target INFO_BIN
[ 0%] Built target INFO_BIN
Scanning dependencies of target INFO_SRC
[ 0%] Built target INFO_SRC
Scanning dependencies of target abi_check
[ 0%] Built target abi_check
Scanning dependencies of target readline
Post-install configuration
# PATH
echo 'PATH=/app/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
. /etc/profile.d/mysql.sh
# create the system tables; --datadir here overrides the -DMYSQL_DATADIR given to cmake
[root@C7-37-100-destop mariadb-10.2.32]# cd /app/mysql/
[root@C7-37-100-destop mysql]# scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
2020-06-05 13:49:04 139869397948544 [Warning] 'THREAD_CONCURRENCY' is deprecated and will be removed in a future release.
2020-06-05 13:49:08 139869253547776 [Warning] Failed to load slave replication state from table mysql.gtid_slave_pos: 1146: Table 'mysql.gtid_slave_pos' doesn't exist
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h C7-37-100-destop password 'new-password'
Alternatively you can run:
'./bin/mysql_secure_installation'
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'
You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
# configuration file
cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
[root@C7-37-100-destop mysql]# vim /etc/my.cnf
[mysqld]
port = 3306
# the data directory must match the one given to mysql_install_db
datadir=/data/mysql
# init script
cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
Start the service
# register and start
chkconfig --add mysqld ; service mysqld start
[root@C7-37-100-destop mysql]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.2.32-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
# the server is usable at this point, but root has no password and the anonymous accounts exist, so anyone with a shell on the box (and, through root@<hostname>, anyone on the network) can log in
# finally run the hardening script. In the session below "Remove anonymous users?" and "Disallow root login remotely?" were both answered n; on anything but a throwaway lab answer Y to both
[root@C7-37-100-destop bin]# /app/mysql/bin/mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] n
... skipping.
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n] n
... skipping.
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n] y
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n] y
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
# log in with the new password. Passing it with -p on the command line exposes it to ps and to the shell history; prefer mysql -uroot -p and type it, or a ~/.my.cnf with mode 600
[root@C7-37-100-destop bin]# mysql -uroot -pcentos
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.2.32-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
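mysql_secure_installation only fixes what it is allowed to fix, and the run above declined two of its four changes. The Python below is an added example, not MariaDB's code or the page's: it audits the rows of mysql.user, as returned by `SELECT User, Host, Password FROM mysql.user`, for the accounts the script exists to remove and emits the matching SQL. `USERS_AFTER_PAGE` is an assumption of what mysql_install_db creates on this host (hostname C7-37-100-destop) after the session above; the hash strings are placeholders, not captured values.

```python
"""Audit mysql.user rows for what mysql_secure_installation is meant to remove:
anonymous accounts, root usable from off-host, and accounts with no password."""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed (User, Host, Password) rows: assumed state of this host after the
# session above, where "Remove anonymous users?" and "Disallow root login
# remotely?" were both answered n. Hashes are placeholders, not captured values.
USERS_AFTER_PAGE = [
    ("root", "localhost", "*PLACEHOLDER_HASH"),
    ("root", "c7-37-100-destop", "*PLACEHOLDER_HASH"),
    ("root", "127.0.0.1", "*PLACEHOLDER_HASH"),
    ("root", "::1", "*PLACEHOLDER_HASH"),
    ("", "localhost", ""),
    ("", "c7-37-100-destop", ""),
]
# The same server after answering Y to both questions.
USERS_HARDENED = USERS_AFTER_PAGE[:1] + USERS_AFTER_PAGE[2:4]


def audit_users(rows):
    """Return [(finding, fix_sql), ...]; an empty list means nothing to do."""
    findings = []
    for user, host, password in rows:
        account = f"'{user}'@'{host}'"
        if user == "":
            findings.append((f"anonymous account {account}", f"DROP USER {account};"))
            continue                          # dropping it makes the other checks moot
        if user == "root" and host not in LOCAL_HOSTS:
            # same rows mysql_secure_installation deletes for "Disallow root login remotely"
            findings.append((f"root login allowed from {host}", f"DROP USER {account};"))
        if password == "":
            findings.append((f"{account} has no password",
                             f"SET PASSWORD FOR {account} = PASSWORD('<new password>');"))
        if host == "%":
            findings.append((f"{account} may connect from any host",
                             f"RENAME USER {account} TO '{user}'@'<specific host>';"))
    return findings


if __name__ == "__main__":
    for finding, fix in audit_users(USERS_AFTER_PAGE):
        print(f"{finding:45}  {fix}")
    print("FLUSH PRIVILEGES;")
```

Run it against the real table by pasting the query output into the row list; the DROP USER statements it prints are the same cleanup the script would have done had the two questions been answered Y.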