Introduction
- DNS servers are involved everywhere: homes, enterprises, companies, whole countries. Anything that uses the Internet depends on them.
- DNS (Domain Name System) is the system that maps domain names to their corresponding IP addresses; a DNS server (name server) is the host that answers those lookups.
- A DNS server holds a table of domain names and their corresponding IP addresses and uses it to resolve the names carried in the queries it receives.
- This article demonstrates how to build a DNS server.
- The second article covers building a root server and a COM server and shows them communicating with other DNS servers.
- Let's begin.
DNS domain names and the DNS name structure

| Name | Meaning |
| --- | --- |
| com | companies, firms, enterprises |
| org | organizations, institutions |
| edu | educational institutions |
| gov | government bodies |
| net | network and communications providers |
| mil | military |
- The root domain
- The root servers manage the top of the Internet's name tree. There are 13 root server names, "A" through "M" (a.root-servers.net through m.root-servers.net). Each name is not a single machine: every root operator serves its name from many anycast instances around the world, so there are hundreds of physical root servers. None of the 13 is a "master" that the others copy from; the root zone is maintained by IANA and all root operators serve identical copies of it.
- The familiar "10 + 2 + 1" description refers to where the operating organizations are based: ten in the United States, two in Europe (the United Kingdom and Sweden) and one in Asia (Japan). Anycast instances of each name are now hosted on every continent.
- First-level domains: top-level domains (TLDs)
- com, edu, mil, gov, net, org, int, arpa
- A top-level domain is the rightmost label of a name, the part after the last dot (com in baidu.com). Later in this article the author follows the usage common among Chinese registrars, calling baidu.com a "first-level domain" and www.baidu.com a "second-level domain"; in RFC terminology com is the top-level domain, baidu.com the second-level domain and www.baidu.com a third-level name. Keep that difference in mind when reading other documentation.
- Three classes: generic (organizational) domains, country-code domains (.cn, .ca, .hk, .tw), and the reverse domain (arpa)
- Second-level domains
- A second-level domain carries more weight than a second-level directory: a second-level domain appears on the Internet as an independent domain name, whereas a second-level directory is just a sub-page of a site. Many people assume the two carry the same weight; that assumption is wrong.
- Many people also mistake the www name for the first-level domain and names with other prefixes for second-level domains. That is wrong. The correct division (in the author's scheme) is:
- .com: top-level domain
- baidu.com: first-level domain
- www.baidu.com: second-level domain
- bbs.baidu.com: second-level domain
- tieba.baidu.com: second-level domain
- Third-level domains
- A third-level domain is a name like "www.beiji.baidu.com". It can be regarded as a subdomain of the second-level domain; its distinguishing feature is that the name contains three dots. Third-level domains are generally free.
- A name may have at most 127 labels (levels), and the whole name may be at most 255 octets long.
- The reverse domain (in-addr.arpa for IPv4, ip6.arpa for IPv6) is used for reverse resolution, mapping an IP address back to a name.
How DNS works
- Suppose I want to visit a website. Your network interface has DNS servers configured; usually the technician from your ISP (China Telecom, China Unicom, Tietong and so on) sets the interface to use the ISP's DNS servers.
- Your computer sends a query to the DNS server you configured; the query carries the name of the website you want to reach.
- If that DNS server happens not to have the record in its cache, it goes to the root servers.
- The root servers hold the addresses of all the top-level-domain name servers, for example those for .com and .cn.
- The root does not have the address you asked for either, but it refers your DNS server to the name servers for the matching top-level domain, for example the .com servers.
- So your DNS server next asks the .com servers. If you are looking up a name directly under .com (a "second-level domain" in the author's terms) the .com servers know which name servers are authoritative for it; for a deeper name the chain of referrals continues one level at a time.
- The .com servers do not know the website's IP address; they only know the name servers responsible for the domain. Your DNS server follows that referral to the domain's own authoritative name server.
- That authoritative server definitely knows the address of the web server, so the answer comes back, your computer can complete the handshake with the web server and communication begins.
- Most computers have two DNS server addresses configured, so if one server fails the other can still be queried.
DNS resolution
- DNS query types:
- Recursive query: put simply, one server takes responsibility for the whole job and returns the final result to you.
- Iterative query: you ask a server a question and, instead of answering, it refers you to someone else to ask next.
- Name server: the host within a domain that is responsible for resolving the names of that domain (authoritative for its zone).
- Root servers: 13 named groups of servers (A through M), each served from many anycast instances
- The operators of ten of them are based in the United States,
- two in Europe, in the United Kingdom and Sweden,
- one in Asia, in Japan
- Resolution types:
- FQDN --> IP (forward resolution)
- IP --> FQDN (reverse resolution)
- Note: forward and reverse resolution live in two different namespaces and are two different resolution trees (the reverse tree hangs under in-addr.arpa and ip6.arpa), so creating a forward record does not automatically produce the matching reverse record.
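The referral chain described in the "How DNS works" section (root, then TLD servers, then the domain's authoritative server) and the recursive-versus-iterative distinction listed above, shown as an added example that is not part of the original article: a small POSIX shell script that walks a constructed, offline delegation table the way a recursive resolver walks the real tree on behalf of a stub client. The zone data, the server names a.gtld-servers.net, a.dns.cn and ns1.example.com, and the 192.0.2.x addresses are all constructed for the demo.

```shell
#!/bin/sh
# Iterative walk down the DNS delegation tree, the way a recursive resolver
# works on behalf of a stub client. Added example, not code from the original
# article. The zone data is constructed for the demo (example.com and
# RFC 5737 test addresses), not live DNS.

# One record per line: zone|type|owner|value.
#   NS lines are referrals: "ask the server for this child zone".
#   A  lines are answers the zone is authoritative for.
# ns1.example.com. gets an A record of its own: that is the glue a real
# referral carries; without it the resolver could never reach the child.
ZONE_DATA='
.|NS|com.|a.gtld-servers.net.
.|NS|cn.|a.dns.cn.
com.|NS|example.com.|ns1.example.com.
example.com.|A|ns1.example.com.|192.0.2.53
example.com.|A|www.example.com.|192.0.2.10
'

# lookup ZONE TYPE OWNER: print the record value, or nothing if absent.
lookup() {
    printf '%s\n' "$ZONE_DATA" |
        awk -F'|' -v z="$1" -v t="$2" -v o="$3" \
            '$1 == z && $2 == t && $3 == o { print $4; exit }'
}

# referral ZONE QNAME: print "child-zone|nameserver" for the longest
# delegation in ZONE that covers QNAME, or nothing if there is none.
referral() {
    printf '%s\n' "$ZONE_DATA" |
        awk -F'|' -v z="$1" -v q="$2" '
            BEGIN { best = 0 }
            $1 == z && $2 == "NS" {
                o = $3; lq = length(q); lo = length(o); m = 0
                if (lq == lo && q == o) m = 1
                else if (lq > lo && substr(q, lq - lo + 1) == o && substr(q, lq - lo, 1) == ".") m = 1
                if (m && lo > best) { best = lo; bz = o; ns = $4 }
            }
            END { if (best) print bz "|" ns }'
}

# resolve QNAME: print the referral chain and the final answer.
# Exit status 0 = answer, 1 = no zone knows the name (NXDOMAIN),
# 2 = too many referrals (a looping or bogus delegation; real resolvers
# cap the chain for the same reason).
resolve() {
    qname=$1
    zone=.
    hops=0
    while [ "$hops" -lt 8 ]; do
        hops=$((hops + 1))
        # Is the server for this zone authoritative for the answer?
        addr=$(lookup "$zone" A "$qname")
        if [ -n "$addr" ]; then
            printf 'answer %s -> %s (authoritative zone: %s)\n' "$qname" "$addr" "$zone"
            return 0
        fi
        # No: take the referral to the closest enclosing child zone.
        next=$(referral "$zone" "$qname")
        if [ -z "$next" ]; then
            printf 'NXDOMAIN: %s has no delegation covering %s\n' "$zone" "$qname"
            return 1
        fi
        prev=$zone
        zone=${next%%|*}
        printf 'referral from %s: ask %s, authoritative for %s\n' "$prev" "${next#*|}" "$zone"
    done
    printf 'too many referrals while resolving %s\n' "$qname"
    return 2
}

resolve www.example.com.
```

Running the script prints the two referrals (root to com., com. to example.com.) followed by the answer from the authoritative zone; `resolve www.example.org.` stops at the root with NXDOMAIN because the table has no .org delegation. Against the real tree the same walk is `dig +trace www.example.com`, which shows the root hints, the .com referral with its glue and the final answer from the domain's own server. The hop cap is not decoration: a delegation that points back at itself, or a referral whose glue is missing, would otherwise keep the loop going forever.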
BIND and other DNS software
- Many software packages provide DNS service
- The most widely used is still BIND
- BIND was originally developed at the University of California, Berkeley, and is now maintained by ISC
- A newer alternative is Unbound, a validating, recursive, caching resolver. Note that it replaces only the recursive (resolver) role of BIND; it is not an authoritative server
- Here we still install BIND. First let's look at the package
[root@localhost ~]# yum info bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name : bind
Arch : x86_64
Epoch : 32
Version : 9.9.4 <<< version
Release : 37.el7
Size : 1.8 M
Repo : bash
Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server
URL : http://www.isc.org/products/BIND/ << official website
License : ISC
Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS
: (Domain Name System) protocols. BIND includes a DNS server (named),
: which resolves host names to IP addresses; a resolver library
: (routines for applications to use when interfacing with DNS); and
: tools for verifying that the DNS server is operating properly.
- Let's also look at unbound; it came out more recently and market uptake still seems small, because it is too
[root@localhost ~]# yum info unbound
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Available Packages
Name : unbound
Arch : x86_64
Version : 1.4.20 << version
Release : 28.el7
Size : 473 k
Repo : bash
Summary : Validating, recursive, and caching DNS(SEC) resolver
URL : http://www.nlnetlabs.nl/unbound/ << official website
License : BSD
Description : Unbound is a validating, recursive, and caching DNS(SEC) resolver.
:
: The C implementation of Unbound is developed and maintained by NLnet
: Labs. It is based on ideas and algorithms taken from a java prototype
: developed by Verisign labs, Nominet, Kirei and ep.net.
:
: Unbound is designed as a set of modular components, so that also
: DNSSEC (secure DNS) validation and stub-resolvers (that do not run
: as a server, but are linked into an application) are easily possible.
- dnsmasq also provides a simple DNS service together with a DHCP service
[root@localhost ~]# yum info dnsmasq
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Installed Packages
Name : dnsmasq
Arch : x86_64
Version : 2.66
Release : 21.el7
Size : 464 k
Repo : installed
From repo : anaconda
Summary : A lightweight DHCP/caching DNS server
URL : http://www.thekelleys.org.uk/dnsmasq/
License : GPLv2
Description : Dnsmasq is lightweight, easy to configure DNS forwarder and DHCP server.
: It is designed to provide DNS and, optionally, DHCP, to a small network.
: It can serve the names of local machines which are not in the global
: DNS. The DHCP server integrates with the DNS server and allows machines
: with DHCP-allocated addresses to appear in the DNS with names configured
: either in each host or in a central configuration file. Dnsmasq supports
: static and dynamic DHCP leases and BOOTP for network booting of diskless
: machines.
Building the DNS server
- Next I'll configure the DNS server.
- I'm demonstrating on `CentOS 7.3`; let's begin.
- Before starting, run `yum repolist` to check that the yum repositories are working.
- Before the experiment I also turn off the firewall and SELinux to avoid trouble. Do this only in a throwaway lab. On a real server keep SELinux enforcing (named ships with its own SELinux policy and runs fine under it) and open just the DNS ports instead, for example `firewall-cmd --permanent --add-service=dns && firewall-cmd --reload`.
- First install `bind` by running `yum -y install bind`
[root@localhost ~]# yum -y install bind
Total 20 MB/s | 2.8 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-37.el7.x86_64 1/2
Installing : 32:bind-9.9.4-37.el7.x86_64 2/2
Verifying : 32:bind-9.9.4-37.el7.x86_64 1/2
Verifying : 32:bind-libs-9.9.4-37.el7.x86_64 2/2
Installed:
bind.x86_64 32:9.9.4-37.el7
Dependency Installed:
bind-libs.x86_64 32:9.9.4-37.el7
Complete!
- Then run `rpm -ql bind` to see the list of files it installed
[root@localhost ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf << main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/var/log/named.log << log file
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca << root hints: the addresses of the 13 root server names
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
- Let's look inside with `cat /var/named/named.ca`. This file is the root hints, a static copy of the root server addresses shipped with the package. named only needs it to reach one root server and fetch the current root NS set at startup, but root addresses do change occasionally (b.root-servers.net moved to 199.9.14.201 in 2017), so when an entry goes stale refresh the file from https://www.internic.net/domain/named.root or update the bind package.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A 198.41.0.4 << IPv4 address; the operator is in the United States (you can look the IP up in any geolocation database), but the address is anycast, so your query actually reaches the nearest instance
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30 << IPv6 address
b.root-servers.net. 3600000 IN A 192.228.79.201
c.root-servers.net. 3600000 IN A 192.33.4.12
d.root-servers.net. 3600000 IN A 199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
e.root-servers.net. 3600000 IN A 192.203.230.10
f.root-servers.net. 3600000 IN A 192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A 192.112.36.4
h.root-servers.net. 3600000 IN A 128.63.2.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 3600000 IN A 192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A 192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A 193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A 199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
m.root-servers.net. 3600000 IN A 202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35
- The package is installed. Next I start the DNS server by running `systemctl start named`
- Then run `systemctl enable named` to make it start at boot
[root@localhost ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
- Now that the service is running, let's check whether its port, 53, is open, by running `ss -nutl`. named uses two ports, TCP 53 and UDP 53; the extra listener on 953 is the rndc control channel.
[root@localhost ~]# ss -nutl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:15562 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 ::1:53 :::*
udp UNCONN 0 0 :::10338 :::*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 10 ::1:53 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:953 :::*
tcp LISTEN 0 100 ::1:25 :::*
- The service is running, but its listening address is a problem: it is bound only to the loopback address of my CentOS 7.3 host, so no other machine can reach my DNS server.
- I'll use the client I prepared, `CentOS 6.9`, to try to reach my DNS server.
- You can use the command `telnet 172.16.253.8 53`; `telnet` is missing on a minimal install and has to be installed first.
- `172.16.253.8` is the IP of my CentOS 7.3 host and `53` is the port to test. Keep in mind that telnet only proves that TCP port 53 accepts connections; whether the server will actually answer a query is governed by `allow-query` in named.conf, which a real query such as `dig @172.16.253.8 www.example.com` from the client would reveal.
[root@localhost ~]# telnet 172.16.253.8 53
Trying 172.16.253.8...
telnet: connect to address 172.16.253.8: Connection refused << the connection is refused
- Next I'll open the port. To do that I have to edit the configuration file `/etc/named.conf`.
- Before editing, note the file's owner and group, or things will break: named runs as the `named` user and reads the file through its group, so the group must keep read permission. When you back the file up, make sure the copy you leave in place keeps this ownership and mode.
[root@localhost ~]# ll /etc/named.conf
-rw-r-----. 1 root named 1705 Mar 22 2016 /etc/named.conf
- Now edit the configuration file by running `vim /etc/named.conf`
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; }; << the line to change, or comment it out
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
- Replace the `127.0.0.1` in that line with `localhost`; commenting the line out also works. In BIND's address match lists `localhost` means every IP address configured on this host, not only the loopback address, which is why this change makes named listen on 172.16.253.8 as well. Leaving `allow-query { localhost; };` unchanged, however, still refuses queries from other hosts, so change that line to the networks you actually serve (for example `allow-query { localnets; };`) and pair it with an equally narrow `allow-recursion`; otherwise, as the comment in the file warns, the server becomes an open resolver usable for amplification attacks.
- After editing, run `systemctl reload named` to reload the configuration. Run `named-checkconf` first: if the new file has a syntax error, named keeps running with the old configuration and only logs the failure.
- Now run `ss -nutl` again to see whether it worked
[root@localhost ~]# ss -nutl
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:15562 *:*
udp UNCONN 0 0 172.16.253.8:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 ::1:53 :::*
udp UNCONN 0 0 :::10338 :::*
tcp LISTEN 0 10 172.16.253.8:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 10 ::1:53 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:953 :::*
tcp LISTEN 0 100 ::1:25 :::*
- Success. Let's connect again from my `CentOS6.9-1` machine
[root@localhost ~]# telnet 172.16.253.8 53
Trying 172.16.253.8...
Connected to 172.16.253.8.
Escape character is '^]'.
- The connection succeeds, so my `CentOS 7.3` server is now reachable from other hosts
- The DNS service is configured, but so far it is only a caching or forwarding server: it is authoritative for nothing yet, and until `allow-query` is widened it answers only the local host
- In the second article I'll build the root server, a slave server and so on
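The `options` block this tutorial ends with, shown next to a tightened version, as an added example that is not from the original article or from the bind package. It assumes the server address 172.16.253.8 used in the article and a client network of 172.16.0.0/16 (an assumption; substitute your own), and it uses the BIND 9.9 syntax of the package installed above. A named.conf may contain only one `options` block, so the second block replaces the first rather than sitting next to it.

```conf
// ---- BEFORE: what the tutorial leaves behind ----
// Reachable from the network, but the access-control line still admits
// only the host itself, so other clients get status: REFUSED; once
// allow-query is widened, recursion would be open to every such client.
options {
    listen-on port 53 { localhost; };   // "localhost" = every address on this host
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { localhost; };         // refuses 172.16.x clients
    recursion yes;                      // unrestricted once allow-query is widened
    dnssec-enable yes;
    dnssec-validation yes;
};

// ---- AFTER: explicit listener, explicit client ACL, recursion only for
// ---- that ACL, no zone transfers (use this block instead of the one above)
acl "trusted" {
    127.0.0.1;
    172.16.0.0/16;      // assumed client network; replace with your own
};

options {
    listen-on port 53 { 127.0.0.1; 172.16.253.8; };  // the server's own address
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { trusted; };       // who may ask at all
    allow-recursion { trusted; };   // who may use this box as a resolver
    allow-transfer { none; };       // no slaves yet, so nobody may AXFR
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    version "not disclosed";        // hides the BIND version from CHAOS queries
};
```

Validate with `named-checkconf /etc/named.conf`, then `systemctl reload named`. From the CentOS 6.9 client, `dig @172.16.253.8 www.example.com` should now return `status: NOERROR`; with the original `allow-query { localhost; };` the same query returns `status: REFUSED` even though `telnet 172.16.253.8 53` connects, which is why the telnet check alone is not proof of a working server. A query from any address outside 172.16.0.0/16 should still be refused, confirming the resolver is not open to the Internet.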