BIND: Berkeley Internet Name Domain
BIND is currently maintained by ISC (Internet Systems Consortium), site: ISC.org
BIND is an implementation of the DNS protocol; the server process is called named.
Packages:
- bind: the DNS server itself plus a few commonly used test programs;
- bind-libs: library files shared by the programs in the bind and bind-utils packages;
- bind-utils: the BIND client tools, e.g. dig, host, nslookup;
- bind-chroot: optional; for security it runs named in a chroot jail (sandbox), so a compromised named can only reach the files under /var/named/chroot;
BIND main configuration file
/etc/named.conf
Other files it includes:
/etc/named.iscdlv.key (DLV trust anchor; ISC retired the DLV registry in 2017, so this file no longer serves a purpose)
/etc/named.rfc1912.zones
/etc/named.root.key (root zone trust anchor used for DNSSEC validation)
options {
    listen-on port 53 { 127.0.0.1; }; # addresses named listens on; only these can be reached by other hosts
    listen-on-v6 port 53 { ::1; };
    directory "/var/named"; # directory holding the zone data files
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; }; # restrict query sources to the local host
    recursion yes; # whether recursive queries are answered
    dnssec-enable yes; # commonly turned off while learning; see the caveat in the caching-server section
    dnssec-validation yes; # validate answers against the root trust anchor; turning it off removes protection against forged answers
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN { # root hint zone: the addresses of the root servers, which know the top-level domains
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones"; # pulls the zone definitions from that file into this one
include "/etc/named.root.key";
Format:
Section | Syntax |
---|---|
Global options | options { ... } |
Logging | logging { ... } |
Zone definition | zone { ... } |
zone: the zones this server answers for itself, or forwards;
Note: every statement must end with a semicolon.
Configuring a caching name server:
Listen on an address other hosts can reach (the default 127.0.0.1 only serves the local host):
listen-on port 53 { any; };
listen-on port 53 { 172.16.100.67; };
Lab setups usually turn DNSSEC off so that validation failures do not get in the way:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
(dnssec-lookaside and dnssec-enable are obsolete in current BIND 9 releases and should simply be left out. In production keep dnssec-validation on: without it the cache accepts any answer it is sent.)
Remove the local-only query restriction:
//allow-query { localhost; };
(// is a single-line comment; # and /* ... */ also work in named.conf)
Caveat: a caching server that answers recursive queries from any source is an open resolver, usable for cache-poisoning attempts and DNS amplification attacks. Replace the restriction with the real client range instead of deleting it, e.g. allow-query { 172.16.0.0/16; localhost; }; together with allow-recursion { 172.16.0.0/16; localhost; };
Check the configuration file for syntax errors:
named-checkconf [/etc/named.conf]
Zone data files: under /var/named/
Usually named ZONE_NAME.zone
Notes:
(1) One DNS server can serve several zones at the same time;
(2) The root hint file named.ca must be present;
Forward zone for localhost: named.localhost
Reverse zone for the loopback address: named.loopback
BIND helper program:
rndc: remote name daemon control, the remote control tool for named
It works on port 953/tcp but listens on 127.0.0.1 by default, so only local use is allowed; it authenticates with the shared secret in /etc/rndc.key (generate it with rndc-confgen -a if the file is missing).
Once the bind package is installed it can be used as a caching name server right away; if there are no zones of its own to serve, just start the service:
- CentOS 6: service named start
- CentOS 7: systemctl start named.service
[root@promote ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2019-05-13 17:44:41 CST; 15s ago
Process: 7837 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 7834 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 7839 (named)
CGroup: /system.slice/named.service
└─7839 /usr/sbin/named -u named -c /etc/named.conf
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 0.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost.localdomain/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: all zones loaded
May 13 17:44:41 promote.cache-dns.local named[7839]: running
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
Check the ports it listens on (ss -tunlp gives the same view on systems without netstat):
[root@promote ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 7839/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6848/sshd
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 7839/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 7068/master
tcp6 0 0 ::1:53 :::* LISTEN 7839/named
tcp6 0 0 :::22 :::* LISTEN 6848/sshd
tcp6 0 0 ::1:953 :::* LISTEN 7839/named
tcp6 0 0 ::1:25 :::* LISTEN 7068/master
udp 0 0 127.0.0.1:53 0.0.0.0:* 7839/named
udp 0 0 0.0.0.0:68 0.0.0.0:* 6652/dhclient
udp6 0 0 ::1:53 :::* 7839/named
Test tools:
dig:
Syntax: dig [-t RR_TYPE] name [@SERVER] [query options]
It is made for testing the DNS system, so it never consults /etc/hosts
If dig is missing, install it with: yum install bind-utils -y
Query options:
+[no]trace: trace the resolution path from the root servers down
+[no]recurse: set (or clear) the RD flag, i.e. ask the server to resolve recursively
[root@promote ~]# dig -t A www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43204
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 8299 IN CNAME www.a.shifen.com.
www.a.shifen.com. 8299 IN A 111.13.100.91
www.a.shifen.com. 8299 IN A 111.13.100.92
;; Query time: 13 msec
;; SERVER: 221.131.143.69#53(221.131.143.69)
;; WHEN: Mon May 13 17:54:10 CST 2019
;; MSG SIZE rcvd: 101
Note: testing reverse resolution
dig -x IP
[root@promote ~]# dig -x 121.51.36.46
Simulating a full zone transfer (AXFR, carried over TCP):
dig -t axfr DOMAIN [@server]
If this succeeds against a server you do not control, its allow-transfer is too permissive: one query hands an attacker the complete host list of the zone. Authoritative servers should restrict allow-transfer to their secondaries (see the security section below).
host:
Syntax: host [-t RR_TYPE] name SERVER_IP
[root@promote ~]# host -t A www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 111.13.100.92
www.a.shifen.com has address 111.13.100.91
[root@promote ~]# host -t NS baidu.com
baidu.com name server ns4.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns3.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns2.baidu.com.
[root@promote ~]# host -t MX baidu.com
baidu.com mail is handled by 15 mx.n.shifen.com.
baidu.com mail is handled by 20 mx1.baidu.com.
baidu.com mail is handled by 20 jpmx.baidu.com.
baidu.com mail is handled by 20 mx50.baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.
nslookup:
Syntax: nslookup [-options] [name] [server]
Interactive mode:
nslookup>
server IP: use the given IP as the DNS server for the following queries
set q=RR_TYPE: resource record type to query
name: the name to look up
[root@promote ~]# nslookup
> server 192.168.0.105
Default server: 192.168.0.105
Address: 192.168.0.105#53
> set q=A
> www.sohu.com
rndc:
control command for the named service
[root@promote ~]# rndc status
version: 9.9.4-RedHat-9.9.4-73.el7_6 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Flush the cache:
rndc flush
Configuring forward and reverse zones
Configuring a forward zone:
Using the magedu.com domain as the example
(1) Define the zone
In the main configuration file or in one of the files it includes
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
};
Note: the zone name is the domain name
(2) Create the zone data file (mostly A or AAAA records)
Create it under /var/named
File: /var/named/magedu.com.zone
[root@promote named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2017010801 ; serial
1H ; refresh
10M ; retry
3D ; expire
1D ) ; negative-answer TTL
@ IN NS ns1
@ IN MX 10 mx1
@ IN MX 20 mx2
ns1 IN A 172.16.100.67
mx1 IN A 172.16.100.68
mx2 IN A 172.16.100.69
www IN A 172.16.100.67
web IN CNAME www
bbs IN A 172.16.100.70
bbs IN A 172.16.100.71
(A record line that omits the owner name inherits the previous owner only if it starts with whitespace; writing @ explicitly avoids that trap. Names without a trailing dot get $ORIGIN appended, so ns1 here means ns1.magedu.com.)
Fix group ownership and permissions so that only root and the named group can read the file:
chgrp named /var/named/magedu.com.zone
chmod o= /var/named/magedu.com.zone
Check for syntax errors:
named-checkzone ZONE_NAME ZONE_FILE
named-checkconf
(3) Make the server reload the configuration and zone data
rndc reload
or systemctl reload named.service
Example:
First edit the global options in /etc/named.conf: the address to listen on, who may query, and so on:
[root@localhost named]# vim /etc/named.conf
listen-on port 53 { any; };
allow-query { any; };
recursion no;
dnssec-enable no;
dnssec-validation no;
(With recursion no the server only answers for zones it is authoritative for, so allow-query { any; } does not turn it into an open resolver; that is the right combination for a public authoritative server.)
Then edit /etc/named.rfc1912.zones and add the forward zone:
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type master;
file "magedu.com.zone";
allow-update { none; };
};
Then create the zone data file magedu.com.zone under /var/named/:
[root@localhost named]# vim /var/named/magedu.com.zone
$TTL 3600
@ IN SOA ns.magedu.com. 10XXXXXX83.qq.com. (
20180421
1D
1H
1W
3H
)
@ IN NS ns.magedu.com.
magedu.com. IN MX 10 mx1.magedu.com.
magedu.com. IN MX 20 mx2.magedu.com.
mx1 IN A 192.168.0.1
mx2 IN A 192.168.0.2
ns IN A 192.168.0.188
qq IN A 114.114.114.114
www IN A 199.247.21.135
web IN CNAME www
Finally check the configuration files for errors:
[root@localhost named]# named-checkconf /etc/named.conf
[root@localhost named]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 20180421
OK
If nothing is reported, restart named so that it loads the new zone:
[root@localhost named]# systemctl restart named
Verify resolution from another host:
[root@localhost ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A
> www.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: www.magedu.com
Address: 199.247.21.135
> mx1.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: mx1.magedu.com
Address: 192.168.0.1
> web.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
web.magedu.com canonical name = www.magedu.com.
Name: www.magedu.com
Address: 199.247.21.135
> qq.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: qq.magedu.com
Address: 114.114.114.114
> www.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: www.magedu.com
Address: 199.247.21.135
Resolution works.
Configuring a reverse zone
(1) Define the zone
In the main configuration file or in one of the files it includes
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
vim /etc/named.rfc1912.zones
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
Note: the name of a reverse zone is
the network part of the address with its octets reversed, followed by .in-addr.arpa
172.16.100.0/24 -> 100.16.172.in-addr.arpa
(2) Create the zone data file (mostly PTR records)
Example: zone name 100.16.172.in-addr.arpa;
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. (
2017010801
1H
10M
3D
12H )
@ IN NS ns1.magedu.com.
67 IN PTR ns1.magedu.com.
68 IN PTR mx1.magedu.com.
69 IN PTR mx2.magedu.com.
70 IN PTR bbs.magedu.com.
71 IN PTR bbs.magedu.com.
67 IN PTR www.magedu.com.
(Every PTR target must end with a dot, otherwise $ORIGIN is appended and the answer becomes ns1.magedu.com.100.16.172.in-addr.arpa. An address may carry several PTR records, as 67 does here, but many applications only look at the first one returned.)
Fix group ownership and permissions:
chgrp named /var/named/172.16.100.zone
chmod o= /var/named/172.16.100.zone
Check for syntax errors:
named-checkzone ZONE_NAME ZONE_FILE
named-checkconf
(3) Make the server reload the configuration and zone data
rndc reload
or systemctl reload named.service
Example:
Building on example 1 above, first add the reverse zone to /etc/named.rfc1912.zones:
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
allow-update { none; };
};
Then create the reverse zone file 192.168.0.zone under /var/named:
[root@localhost named]# vim /var/named/192.168.0.zone
$TTL 3600
@ IN SOA ns.magedu.com. 10XXXXXXX3.qq.com. (
20180421
1D
1H
1W
3H
)
@ IN NS ns.magedu.com.
ns IN A 192.168.0.188 ; not needed here: it defines ns.0.168.192.in-addr.arpa, not ns.magedu.com
1 IN PTR mx1.magedu.com.
2 IN PTR mx2.magedu.com.
188 IN PTR ns.magedu.com.
Then check the configuration files:
[root@localhost named]# named-checkconf /etc/named.conf
[root@localhost named]# named-checkconf /etc/named.rfc1912.zones
[root@localhost named]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 20180421
OK
If nothing is reported, restart named:
[root@localhost named]# systemctl restart named
Test from another host:
[root@localhost ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=PTR
> 192.168.0.1
Server: 192.168.0.188
Address: 192.168.0.188#53
1.0.168.192.in-addr.arpa name = mx1.magedu.com.
> 192.168.0.188
Server: 192.168.0.188
Address: 192.168.0.188#53
188.0.168.192.in-addr.arpa name = ns.magedu.com.
> 192.168.0.2
Server: 192.168.0.188
Address: 192.168.0.188#53
2.0.168.192.in-addr.arpa name = mx2.magedu.com.
>
Reverse resolution works.
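The forward and reverse procedures above are written by hand, which is where the usual mistakes come from: a PTR target without its trailing dot, a reverse zone name with the octets in the wrong order, a serial that was not increased (the "+1" the primary/secondary section below depends on). The script that follows is an added example, not code from this page: it derives both zone files from a single host list so they cannot disagree, computes the in-addr.arpa name and the next YYYYMMDDNN serial, and runs named-checkzone when it is installed. The host list, the dnsadmin mailbox and the 192.168.0.0/24 prefix are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): build a forward zone and its
# reverse zone from one host list. Needs only POSIX sh, awk and date;
# named-checkzone is used when present. Assumes a /24 reverse zone.

# reverse_zone_name PREFIX: 192.168.0 -> 0.168.192.in-addr.arpa
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ s = ""; for (i = NF; i >= 1; i--) s = s $i "."; print s "in-addr.arpa" }'
}

# next_serial CURRENT [TODAY]: YYYYMMDDNN convention. If the stored serial is
# from an earlier day use today with NN=00, otherwise add 1. The serial must
# always grow, or secondaries decide they already have the newest copy.
next_serial() {
    today=${2:-$(date +%Y%m%d)}
    if [ "${1%??}" -lt "$today" ]; then
        echo "${today}00"
    else
        echo $(( $1 + 1 ))
    fi
}

# Constructed host list: "<host> <ip>" per line.
HOSTS='ns 192.168.0.188
mx1 192.168.0.1
mx2 192.168.0.2
www 192.168.0.10'

# gen_zones DOMAIN PREFIX SERIAL OUTDIR: writes OUTDIR/DOMAIN.zone and
# OUTDIR/<reverse>.zone, prints the reverse zone name.
gen_zones() {
    domain=$1; net=$2; serial=$3; out=$4
    rev=$(reverse_zone_name "$net")
    fwd="$out/$domain.zone"; rvf="$out/$rev.zone"
    {
        echo '$TTL 3600'
        echo "\$ORIGIN $domain."
        echo "@ IN SOA ns.$domain. dnsadmin.$domain. ( $serial 1D 1H 1W 3H )"
        echo "@ IN NS ns.$domain."
        echo "@ IN MX 10 mx1.$domain."
        echo "@ IN MX 20 mx2.$domain."
        printf '%s\n' "$HOSTS" | awk '{ printf "%-8s IN A %s\n", $1, $2 }'
    } > "$fwd"
    {
        echo '$TTL 3600'
        echo "\$ORIGIN $rev."
        echo "@ IN SOA ns.$domain. dnsadmin.$domain. ( $serial 1D 1H 1W 3H )"
        echo "@ IN NS ns.$domain."
        # owner is the last octet (a /24 zone); the trailing dot on the target is mandatory
        printf '%s\n' "$HOSTS" | awk -v d="$domain" '{ n = split($2, o, "."); printf "%-8s IN PTR %s.%s.\n", o[n], $1, d }'
    } > "$rvf"
    echo "$rev"
}

# check_zone NAME FILE: syntax check with named-checkzone if it is installed
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check of $2"
    fi
}

# Demo: regenerate the lab zones with a bumped serial and check both files.
work=$(mktemp -d)
rev=$(gen_zones magedu.com 192.168.0 "$(next_serial 2018042101)" "$work")
check_zone magedu.com "$work/magedu.com.zone"
check_zone "$rev" "$work/$rev.zone"
cat "$work/$rev.zone"
```

Because each PTR is generated from the same line as its A record, an address that appears in the forward zone is guaranteed a matching reverse entry, which is what mail servers and SSH reverse checks look for.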
Primary and secondary (master/slave) servers:
Configuring a secondary zone:
Note: "secondary" is a per-zone property; one server can be primary for some zones and secondary for others
On the secondary server:
(1) Define the zone
Define a slave zone:
zone "ZONE_NAME" IN {
type slave;
file "slaves/ZONE_NAME.zone";
masters { MASTER_IP; };
};
Note: the type is slave, and the file path is relative to /var/named/ (the slaves/ subdirectory is writable by the named user, /var/named itself is not). Newer BIND 9 releases also accept type secondary; and primaries { ... }; as synonyms.
Configuration syntax check: named-checkconf
(2) Reload the configuration
rndc reload
systemctl reload named.service
On the primary server:
Make sure the zone data has an NS record for every secondary, and that the forward zone has an A record for each of those NS names pointing at the secondary's real IP address; increase the serial number whenever the zone changes, otherwise the secondaries see nothing new and never transfer. Restrict allow-transfer to the secondaries' addresses.
Note: keep the clocks in sync (ntpdate, or chronyd/ntpd on CentOS 7); TSIG-signed transfers reject messages whose timestamp is off by more than a few minutes.
Example:
Configuring the DNS primary server
Edit /etc/named.conf:
[root@Master ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.0.188; }; # listen on this host's LAN address
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.0.0/24; }; # accept queries only from the 192.168.0.0/24 network
recursion yes; # answer recursive queries for those LAN clients (a public authoritative server would set recursion no)
forward only; # anything not answerable from the local zones is only forwarded, never resolved by iteration
forwarders { 114.114.114.114; }; # the DNS server to forward to
dnssec-enable no; # DNSSEC turned off for the lab
dnssec-validation no; # no validation of forwarded answers: the server then trusts whatever the forwarder returns
};
.....
Edit /etc/named.rfc1912.zones:
[root@Master ~]# vim /etc/named.rfc1912.zones
zone "magedu.com." IN { # forward zone
type master;
file "magedu.com.zone";
allow-update { none; };
allow-transfer { 192.168.0.189; 192.168.0.190; }; # only these secondaries may pull the zone (AXFR/IXFR); older BIND defaults to any
notify yes; # send NOTIFY to the zone's NS records when the zone changes, so secondaries refresh immediately instead of waiting for the SOA refresh timer
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
allow-update { none; };
allow-transfer { 192.168.0.189; 192.168.0.190; };
notify yes;
};
Create /var/named/magedu.com.zone:
$TTL 3600
@ IN SOA ns1.magedu.com. 1XXXXXX3.qq.com. (
2018042101
1D
1H
1W
3H
)
magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.
magedu.com. IN NS ns3.magedu.com.
magedu.com. IN MX 10 mx1.magedu.com.
magedu.com. IN MX 20 mx2.magedu.com.
mx1 IN A 192.168.0.1
mx2 IN A 192.168.0.2
ns1 IN A 192.168.0.188
ns2 IN A 192.168.0.189
ns3 IN A 192.168.0.190
www IN A 199.247.21.135
web IN CNAME www
qq IN A 59.37.96.63
master IN A 192.168.0.188
slave1 IN A 192.168.0.189
slave2 IN A 192.168.0.190
Create /var/named/192.168.0.zone:
$TTL 3600
@ IN SOA ns1.magedu.com. 1XXXXXXX3.qq.com. (
2018042101
1D
1H
1W
3H
)
@ IN NS ns1.magedu.com.
@ IN NS ns2.magedu.com. ; list the secondaries as NS in the reverse zone too: NOTIFY is sent to the NS set, so without them this zone would only refresh on the SOA timer
@ IN NS ns3.magedu.com.
1 IN PTR mx1.magedu.com.
2 IN PTR mx2.magedu.com.
188 IN PTR ns1.magedu.com.
189 IN PTR ns2.magedu.com.
190 IN PTR ns3.magedu.com.
188 IN PTR master.magedu.com.
189 IN PTR slave1.magedu.com.
190 IN PTR slave2.magedu.com.
Check the configuration files:
[root@Master ~]# named-checkconf /etc/named.conf
[root@Master ~]# named-checkzone magedu.com /var/named/magedu.com.zone
zone magedu.com/IN: loaded serial 2018042101
OK
[root@Master ~]# named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2018042101
OK
(named-checkzone takes the zone name from the command line and does not compare it with the zone statement in named.conf, so a misspelled name such as 0.168.192.ip-addr.arpa still prints OK; the mismatch only shows up when named loads the zone.)
If nothing is reported, start (or restart) named:
[root@Master ~]# systemctl restart named
Setting up the DNS secondary servers
On Slave server 1 edit /etc/named.conf:
[root@Slave1 ~]# vim /etc/named.conf
options {
listen-on port 53 { 192.168.0.189; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { 192.168.0.0/24; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
....
};
.....
Then edit /etc/named.rfc1912.zones:
[root@Slave1 ~]# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
type slave; # this server is a secondary for the zone
file "slaves/magedu.com.zone"; # where the transferred zone is written, relative to /var/named
masters { 192.168.0.188; }; # the primary's IP
masterfile-format text; # write the transferred zone as text; since BIND 9.9 secondaries default to the binary raw format, which looks like garbage in an editor
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.0.zone";
masters { 192.168.0.188; };
masterfile-format text;
};
After editing, check the configuration file:
[root@Slave1 ~]# named-checkconf /etc/named.conf
If nothing is reported, start named:
[root@Slave1 ~]# systemctl start named
[root@localhost ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Sat 2018-04-21 18:05:47 CST; 5s ago
Process: 11084 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 11081 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 11087 (named)
CGroup: /system.slice/named.service
└─11087 /usr/sbin/named -u named -c /etc/named.conf
Apr 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
Apr 21 18:05:47 localhost.localdomain named[11087]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.188#53: conn...42852
Apr 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: transferred serial 2018042101
Apr 21 18:05:47 localhost.localdomain named[11087]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.188#53: Tran.../sec)
Apr 21 18:05:47 localhost.localdomain named[11087]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2018042101)
Apr 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: Transfer started.
Apr 21 18:05:47 localhost.localdomain named[11087]: transfer of 'magedu.com/IN' from 192.168.0.188#53: connected using ...41953
Apr 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: transferred serial 2018042101
Apr 21 18:05:47 localhost.localdomain named[11087]: transfer of 'magedu.com/IN' from 192.168.0.188#53: Transfer complet.../sec)
Apr 21 18:05:47 localhost.localdomain named[11087]: zone magedu.com/IN: sending notifies (serial 2018042101)
Hint: Some lines were ellipsized, use -l to show in full.
As the log shows ("transferred serial 2018042101"), the secondary pulled both the forward and the reverse zone from the primary. The "sending notifies" lines are normal: after a successful transfer a secondary notifies the other NS records of the zone as well.
Testing resolution on the primary and secondary servers
Forward lookup on the primary:
[root@Slave2 ~]# dig -t A www.magedu.com @192.168.0.188
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.0.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55749
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION: # forward lookup succeeded; the aa flag above marks the answer as authoritative
www.magedu.com. 3600 IN A 199.247.21.135
;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns2.magedu.com.
magedu.com. 3600 IN NS ns3.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.188
ns2.magedu.com. 3600 IN A 192.168.0.189
ns3.magedu.com. 3600 IN A 192.168.0.190
;; Query time: 2 msec
;; SERVER: 192.168.0.188#53(192.168.0.188)
;; WHEN: Sat Apr 21 05:13:05 EDT 2018
;; MSG SIZE rcvd: 161
Forward lookup on the secondary:
[root@Slave2 ~]# dig -t A www.magedu.com @192.168.0.189
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.magedu.com @192.168.0.189
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36011
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A
;; ANSWER SECTION: # forward lookup succeeded, also authoritative (aa) because the secondary holds a full copy of the zone
www.magedu.com. 3600 IN A 199.247.21.135
;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns3.magedu.com.
magedu.com. 3600 IN NS ns2.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.188
ns2.magedu.com. 3600 IN A 192.168.0.189
ns3.magedu.com. 3600 IN A 192.168.0.190
;; Query time: 1 msec
;; SERVER: 192.168.0.189#53(192.168.0.189)
;; WHEN: Sat Apr 21 05:13:02 EDT 2018
;; MSG SIZE rcvd: 161
Reverse lookup on the primary:
[root@Slave2 ~]# dig -x 192.168.0.1 @192.168.0.188
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.0.1 @192.168.0.188
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64876
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION: # reverse lookup succeeded
1.0.168.192.in-addr.arpa. 3600 IN PTR mx1.magedu.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS ns2.magedu.com.
0.168.192.in-addr.arpa. 3600 IN NS ns3.magedu.com.
0.168.192.in-addr.arpa. 3600 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.188
ns2.magedu.com. 3600 IN A 192.168.0.189
ns3.magedu.com. 3600 IN A 192.168.0.190
;; Query time: 2 msec
;; SERVER: 192.168.0.188#53(192.168.0.188)
;; WHEN: Sat Apr 21 05:19:32 EDT 2018
;; MSG SIZE rcvd: 189
Reverse lookup on the secondary:
[root@Slave2 ~]# dig -x 192.168.0.188 @192.168.0.189
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.0.188 @192.168.0.189
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58662
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 4
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;188.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION: # reverse lookup succeeded; both PTR records for 192.168.0.188 are returned
188.0.168.192.in-addr.arpa. 3600 IN PTR ns1.magedu.com.
188.0.168.192.in-addr.arpa. 3600 IN PTR master.magedu.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 3600 IN NS ns2.magedu.com.
0.168.192.in-addr.arpa. 3600 IN NS ns3.magedu.com.
0.168.192.in-addr.arpa. 3600 IN NS ns1.magedu.com.
;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 192.168.0.188
ns2.magedu.com. 3600 IN A 192.168.0.189
ns3.magedu.com. 3600 IN A 192.168.0.190
;; Query time: 2 msec
;; SERVER: 192.168.0.189#53(192.168.0.189)
;; WHEN: Sat Apr 21 05:20:18 EDT 2018
;; MSG SIZE rcvd: 202
Subdomain delegation:
Delegating a subdomain in a forward zone:
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A IP.AD.DR.ESS
ns2.ops.magedu.com. IN A IP.AD.DR.ESS
The A records are glue: the name servers live inside the delegated zone, so the parent must hand out their addresses or the delegation can never be followed.
Defining forwarding:
Note: the server being forwarded to must allow recursion for the forwarding server, otherwise forwarding only produces REFUSED answers;
(1) Zone forwarding: forward only the queries for one particular zone;
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { SERVER_IP; };
};
first: try the forwarders first; if they do not answer, resolve by iteration;
only: forward only, never iterate;
(2) Global forwarding: every query for a zone not defined locally is handed to the forwarder;
vim /etc/named.conf
options {
... ...
forward {only|first};
forwarders { SERVER_IP; };
... ...
};
Forwarding means trusting the forwarder's answers; with dnssec-validation on, named still checks the signatures itself.
Security-related configuration in BIND:
acl: access control list; groups one or more addresses under a name, which can then be used wherever an address list is expected;
acl acl_name {
ip;
net/prefixlen;
};
Example:
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
BIND has four built-in ACLs
- none: no host at all
- any: any host
- localhost: the addresses of this host's own interfaces
- localnets: the networks this host's interfaces are directly attached to
(acl definitions are top-level statements in named.conf and must appear before they are used.)
Access control directive | Effect |
---|---|
allow-query {}; | hosts allowed to query (whitelist); |
allow-transfer {}; | hosts allowed to pull zone transfers; older BIND defaults to any, so set it explicitly to the secondaries only (or none); |
allow-recursion {}; | hosts allowed to send recursive queries to this server; this is the setting that separates an internal resolver from an open resolver; |
allow-update {}; | DDNS: hosts allowed to update the zone dynamically; keep it at none unless updates are TSIG-authenticated; |
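The caching-server section earlier on the page (listen on any address, allow-query any, DNSSEC off) and the table above describe the same four directives from opposite sides. The script below is an added example, not configuration from this page: it writes the lab's permissive options block next to a hardened one and runs a small grep-based audit over each, so the difference can be checked mechanically before a config goes live. The acl names and addresses (lan, secondaries, 192.168.0.0/24) are assumptions; named-checkconf is only invoked when it is installed.

```shell
#!/bin/sh
# Added example (not from the original page): the open-resolver options block
# used in the lab beside a hardened one, plus a small audit that flags the
# risky combinations. Needs only POSIX sh, grep and sed; the acl names and
# addresses below are assumptions for illustration.

write_weak_conf() {   # $1 = output path; the lab settings from this page
    cat > "$1" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    dnssec-validation no;
};
EOF
}

write_hardened_conf() {   # $1 = output path; same server, locked down
    cat > "$1" <<'EOF'
acl "lan"         { 192.168.0.0/24; 127.0.0.0/8; };   /* assumed client range */
acl "secondaries" { 192.168.0.189; 192.168.0.190; };   /* assumed secondaries */
options {
    listen-on port 53 { 192.168.0.188; };
    directory "/var/named";
    allow-query { lan; };
    recursion yes;                      /* set to no on a purely authoritative server */
    allow-recursion { lan; };           /* recursion only for our own clients */
    allow-transfer { secondaries; };    /* AXFR/IXFR only to the listed secondaries */
    allow-update { none; };
    version "not disclosed";            /* hide the version from CH TXT version.bind */
    dnssec-validation auto;             /* validate with the built-in root trust anchor */
};
EOF
}

# audit_named_conf FILE: prints one finding per line and returns 0 only when
# there are none. Comments are stripped first so that a commented-out
# directive does not count as present.
audit_named_conf() {
    cfg=$(sed -e 's|#.*||' -e 's|//.*||' -e 's|/\*.*\*/||' "$1")
    findings=0
    if printf '%s\n' "$cfg" | grep -Eq 'recursion[[:space:]]+yes' \
       && printf '%s\n' "$cfg" | grep -Eq 'allow-query[[:space:]]*\{[[:space:]]*any' \
       && ! printf '%s\n' "$cfg" | grep -q 'allow-recursion'; then
        echo "open resolver: recursion yes + allow-query any without allow-recursion"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$cfg" | grep -q 'allow-transfer'; then
        echo "zone transfers unrestricted: no allow-transfer (older BIND defaults to any)"
        findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$cfg" | grep -Eq 'version[[:space:]]+"'; then
        echo "version string exposed: no version option"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Demo: write both fragments to a scratch directory and audit them.
workdir=$(mktemp -d)
write_weak_conf "$workdir/weak.conf"
write_hardened_conf "$workdir/hardened.conf"
for f in "$workdir/weak.conf" "$workdir/hardened.conf"; do
    echo "== $f"
    if audit_named_conf "$f"; then echo "no findings"; fi
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f" || echo "named-checkconf reported errors"
    fi
done
```

The audit is deliberately a grep, not a parser: it is the kind of check that runs in a pre-commit hook or CI job on named.conf, and it catches exactly the three settings an Internet-facing scan would find first (recursion for everyone, AXFR for everyone, and a version banner).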
BIND views (split-horizon, so-called "smart" DNS)
A view returns different answers for the same name depending on where the query comes from. Views are tried in the order they are written and the first one whose match-clients list matches the client wins, so the catch-all view must come last; once any view is defined, every zone (including the root hint and the rfc1912 zones) has to be placed inside a view.
Example
192.168.0.189/32 stands in for the China Telecom network and 192.168.0.190/32 for the China Unicom network, to simulate the setup
Modify named.conf on the primary server from the previous example:
acl "telecom"{
192.168.0.189;
};
acl "unicom"{
192.168.0.190;
};
options{
...
};
logging{
...
};
view telecom {
match-clients { telecom;};
zone "." IN {
type hint;
file "named.ca";
};
zone "charlie.com" IN {
type master;
file "charlie.com.zone.telecom";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view unicom {
match-clients { unicom;};
zone "." IN {
type hint;
file "named.ca";
};
zone "charlie.com" IN {
type master;
file "charlie.com.zone.unicom";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
view others {
match-clients { any;};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
Create charlie.com.zone.telecom:
[root@Master ~]# vim /var/named/charlie.com.zone.telecom
$TTL 3600
@ IN SOA ns.charlie.com. 1XXXXXX3.qq.com. (
00
1D
1H
1W
3H
)
@ IN NS ns.charlie.com.
ns IN A 192.168.0.188
@ IN MX 10 mx.charlie.com.
mx IN A 192.168.0.188
www IN A 1.1.1.1
blog IN A 1.1.1.2
Create charlie.com.zone.unicom:
[root@Master ~]# vim /var/named/charlie.com.zone.unicom
$TTL 3600
@ IN SOA ns.charlie.com. 1XXXXX3.qq.com. (
00
1D
1H
1W
3H
)
@ IN NS ns.charlie.com.
ns IN A 192.168.0.188
@ IN MX 10 mx.charlie.com.
mx IN A 192.168.0.188
www IN A 2.2.2.1
blog IN A 2.2.2.2
Check the configuration files:
[root@Master ~]# named-checkconf /etc/named.conf
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.telecom
zone charlie.com/IN: loaded serial 0
OK
[root@Master ~]# named-checkzone charlie.com /var/named/charlie.com.zone.unicom
zone charlie.com/IN: loaded serial 0
OK
Restart or reload named:
[root@Master ~]# systemctl restart named
Verify the answers from the 192.168.0.189 secondary (the "telecom" client):
[root@slave1 ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A
> www.charlie.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: www.charlie.com
Address: 1.1.1.1 # the address from the telecom view
> blog.charlie.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: blog.charlie.com
Address: 1.1.1.2 # the address from the telecom view
> ns1.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: ns1.magedu.com
Address: 192.168.0.188
Verify the answers from the 192.168.0.190 secondary (the "unicom" client):
[root@slave2 ~]# nslookup
> server 192.168.0.188
Default server: 192.168.0.188
Address: 192.168.0.188#53
> set q=A
> www.charlie.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: www.charlie.com
Address: 2.2.2.1 # the address from the unicom view
> blog.charlie.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: blog.charlie.com
Address: 2.2.2.2 # the address from the unicom view
> ns1.magedu.com
Server: 192.168.0.188
Address: 192.168.0.188#53
Name: ns1.magedu.com
Address: 192.168.0.188
>
This completes a split-horizon DNS setup. With the real China Telecom and China Unicom address ranges loaded into the ACLs, and the server connected to several carrier links so that it can answer on the public Internet, it would return carrier-specific answers to clients from each carrier.