DNS concepts:
Simply put, DNS is a service on the system that listens on port 53 and translates between domain names and IP addresses. For example, when you visit ip.gs, a router cannot know that address on its own; you first contact a DNS server, which returns the IP address of ip.gs, and only then can the traffic be routed normally across the network. Reverse resolution is used to prove that an IP address is recognised as legitimate, and is especially useful for fending off the flood of forged mail servers.
I. Install and start the BIND server software
1. Install bind:
yum install bind bind-chroot nslookup -y
After BIND is installed, the system has an additional user, named.
2. Start the DNS service
systemctl start named.service
3. Check that the named process started correctly:
[root@test-node2 named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since 二 2018-05-29 22:19:41 CST; 12min ago
Process: 1422 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1420 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1425 (named)
CGroup: /system.slice/named.service
└─1425 /usr/sbin/named -u named -c /etc/named.conf
4. DNS uses UDP and listens on port 53; verify further that named is working:
ss -anpu |grep name
5. Open TCP and UDP port 53 in the firewall:
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
6. Test:
[root@test-node2 named]# dig www.baidu.com @192.168.1.92
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.baidu.com @192.168.1.92
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 375
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 321 msec
;; SERVER: 192.168.1.92#53(192.168.1.92)
;; WHEN: 二 5月 29 22:37:38 CST 2018
;; MSG SIZE rcvd: 42
The server returns a response; the initial configuration is complete!
II. Configuration files for the DNS service
For BIND, the main file to configure is /etc/named.conf. Two other files matter: /etc/named.isc-dlv.key holds a cryptographic key, and /etc/named.rfc1912.zones is the extended configuration file.
1. Edit the main configuration file /etc/named.conf
Back it up before editing, with cp -p /etc/named.conf /etc/named.conf.bak; the -p flag makes the backup keep the same attributes as the source file.
Edit the file with vim /etc/named.conf:
options {
        listen-on port 53 { any; };        // listen on every IPv4 address
        listen-on-v6 port 53 { any; };     // and every IPv6 address
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };              // with "recursion yes" this is an open resolver; restrict to trusted client networks in production
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
2. Edit /etc/named.rfc1912.zones
// forward zone configuration
zone "hello.com" IN {
        type master;
        file "hello.com.zone";
        allow-update { none; };
};
// reverse zone configuration
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "hello.com.local";
        allow-update { none; };
};
3. Add /var/named/hello.com.zone
Copy the template file and then modify it:
cp -p /var/named/named.localhost /var/named/hello.com.zone
Then open hello.com.zone and configure it:
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       192.168.1.92
www     A       192.168.1.92
4. Add /var/named/hello.com.local
$TTL 1D
@       IN SOA  hello.com. root (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       192.168.1.92
        AAAA    ::1
92      IN PTR  www.hello.com.
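As an added example (not part of the original post), the Python script below parses the two zone files above in the master-file format they use ($TTL, a parenthesised multi-line SOA, ';' comments, '@' for the origin, indented lines inheriting the previous owner) and cross-checks that every A record has a matching PTR and vice versa. The zone contents are embedded as constructed copies of the files shown above.

```python
import ipaddress
import re
# Constructed copies of the post's /var/named/hello.com.zone and hello.com.local
# (the reverse zone's SOA is written on one line to save space).
HELLO_COM_ZONE = """$TTL 1D
@       IN SOA  @ rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      @
        A       192.168.1.92
www     A       192.168.1.92
"""
HELLO_COM_LOCAL = """$TTL 1D
@       IN SOA  hello.com. root ( 0 1D 1H 1W 3H )
        NS      @
        A       192.168.1.92
92      IN PTR  www.hello.com.
"""

def parse_zone(text, origin):
    """Minimal master-file parser: $ directives, ';' comments, '( )' continuation, '@', owner inheritance."""
    text = "\n".join(line.split(";")[0] for line in text.splitlines())           # drop comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join ( ... ) records
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():       # explicit owner; indented lines inherit the previous one
            name = fields.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if fields[0] == "IN":           # the class field is optional
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))   # (owner, type, rdata)
    return records

def ptr_owner_to_ip(owner):
    """'92.1.168.192.in-addr.arpa.' -> '192.168.1.92'."""
    labels = owner.rstrip(".").split(".")[:-2]                   # strip in-addr.arpa
    return str(ipaddress.ip_address(".".join(reversed(labels))))

def check_forward_reverse(forward, reverse):
    """Return A records with no PTR, and PTRs whose target has no matching A record."""
    a_set = {(rdata, owner) for owner, rtype, rdata in forward if rtype == "A"}
    ptr_set = {(ptr_owner_to_ip(o), rdata) for o, rtype, rdata in reverse if rtype == "PTR"}
    return {"a_without_ptr": sorted(a_set - ptr_set), "ptr_without_a": sorted(ptr_set - a_set)}
```

On the post's data it reports the apex A record for hello.com. as lacking a PTR, since only www.hello.com. has one; a useful pre-flight check before running named-checkzone on the real files.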
III. Configuring and testing a DNS client on Linux
Configure the /etc/resolv.conf file:
nameserver 192.168.1.92
The BIND package itself provides the test tool nslookup:
[root@test-node2 named]# nslookup hello.com
Server: 192.168.1.92
Address: 192.168.1.92#53
Name: hello.com
Address: 192.168.1.92
IV. Add another DNS entry (node1, 192.168.1.91)
vim /etc/named.rfc1912.zones
// add a zone for the name node1
zone "node1" IN {
        type master;
        file "data/node1.zone";
        allow-update { none; };
};
cd /var/named/
cp -p named.localhost data/node1.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       192.168.1.91
[root@test-node2 named]# nslookup node1
Server: 192.168.1.92
Address: 192.168.1.92#53
Name: node1
Address: 192.168.1.91