BIND(Berkeley Internet Name Domain) is an implementation of the DNS(Domain Name System) (Blob 12)

逆神陽 ? ? Linux干貨

正向解析區域、反向解析區域;主/從;子域;基本安全控制;

概述
遞歸請求:發起一次查詢,就會有結果;
迭代查詢:發起N次查詢,才有結果;

注冊域名流程

注冊域名:在Top Level Domain的DNS服務器主機的解析庫中添加子域(條目);子域指向的主機即為解析 子域 的dns服務器;
子域DNS服務器:需要一個有公網IP的主機;

  • ?代理商,一個主機解析數萬條;
  • 自己買;
  • ?dnspod.cn, dns.la

DNS一次完整解析請求:

hosts –> 本地緩存 –> 指向的運營商DNS(recursion)
自己負責的域:返回
自己不負責的域:緩存 –> 出去迭代(iteration)

DNS

解析:用給出的鍵在區域解析庫中查找值;

 

:無形的,邏輯的概念;正向解域區域 + 反向解析區域

區域:物理,一個一個的解析庫對應的主機; 正向解析區域 或 反向解析區域;

正向解析區域對應了一棵正向解析樹;
反向解析區域對應了一棵反向解析樹;

區域解析庫的格式:每行有一條RR(Resource Record)記錄;

$TTL 3600 <– 解析的結果可以緩存的時長;
$ORIGIN magedu.com. <– 域名省略時,可以自動補充此后綴
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. ( <– @(域名代替者) IN(關鍵字) SOA(RR_TYPE:資源記錄) ns1.magedu.com(可以主DNS地址或域名) 郵件地址;
2017112902 <– serial, 修改時,此解析庫所在主機會自動通知其它主機;
1H <– refresh,刷新時間,間隔多久去主或從dns服務器同步一次數據;
10M <– retry, 同步不成功時,重試時間間隔;如果>=refresh的時間;沒有意義;
1W <– expire, 從服務器聯系不到主服務器時,從長時間放棄從角色;
1D) <– 否定答案的TTL值;或者“否定答案”的緩存時長;
IN NS ns1 <– 域名 IN RR_TYPE(NS) 主機名
IN NS ns2
IN MX 10 mx1 <– 域名 IN RR_TYPE(MX PRI_NUM) 主機名
IN MX 20 mx2
ns1 IN A 172.16.0.6 <– 主機名 IN A IP
ns2 IN A 172.16.0.7
mx1 IN A 172.16.0.6
mx2 IN A 172.16.0.7
www IN A 172.16.0.7
web IN CNAME www <– 別名 IN CNAME 主機名(正式名稱);可以通過此別名訪問正式名稱;
bbs IN A 172.16.0.6
bbs IN A 172.16.0.7
pop3 IN A 172.16.0.7

ops IN NS ns1.ops <– 類似于A記錄的格式的子域授權記錄
ns1.ops IN A 172.16.0.8 <– 子域DNS的A記錄;

配置一個DNS服務器,先決條件是有根域的位置/var/named/{ZONE_NAME.zone} 其名稱可以隨意:從以上的圖中可知:為我們遞歸的主機,首先需要去找根,迭代出結果:遞歸返回給我們;
(1) 允許查詢:allow-query { IP; }; DNS主機,必須能查詢;
(2) 允許遞歸:allow-recursion { IP; }; DNS主機,僅為自己人遞歸;因為大量的遞歸請求會消耗資源;

注意:
如果查詢不通過時,即使遞歸通過;這是自己的DNS;
allow-query { loacalhost; };
recursion yes;
如果查詢通過時,遞歸不通過:此主機僅負責解析自己負責的域
allow-query { any; };
allow-recursion { localhost; };
如果查詢通過時,遞歸通過;此主機可以作為公共的DNS;
allow-query { any; };
allow-recursion { any; };
如果需要訪問控制功能;
allow-query { any; };
allow-recursion { 172.16.0.0/16; };

手動測試DNS解析命令:dig, host, nslookup
RR_TYPE: A, NS, SOA, MX, PTR
格式:
正向解析:dig -t RR_TYPE FQDN @DNS_SERVER_IP
反向解析:dig -x IP @DNS_SERVER_IP
host -t RR_TYPE FQDN DNS_SERVER_IP
nslookup
> server DNS_SERVER_IP
> set q=RR_TYPE
> FQDN|IP
> exit

轉發非我所負責的域,就轉發;注意:接收請求的主機,應該為轉發的主機遞歸
區域轉發:解析非我所負責的域的主機,且解析此域內的主機才轉發;
全局轉發:解析非我所負責的域的主機,統統轉發;

配置DNS,為所有主機遞歸;

[root@localhost ~]# yum -y install bind bind-libs bind-utils
配置dns:
options {
directory “/var/named”;
//allow-query { localhost; };
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
};

[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# netstat -tunlp | fgrep 53
tcp 0 0 172.16.0.7:53 0.0.0.0:* LISTEN 14513/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 14513/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 14513/named
tcp6 0 0 ::1:953 :::* LISTEN 14513/named
udp 0 0 172.16.0.7:53 0.0.0.0:* 14513/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 14513/named

在本機測試或在其他主機測試是否能查詢:
[root@localhost ~]# dig -t A www.magedu.com @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15524
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 600 IN A 101.200.188.230

;; AUTHORITY SECTION:
magedu.com. 172800 IN NS ns2.alidns.com.
magedu.com. 172800 IN NS ns1.alidns.com.

;; ADDITIONAL SECTION:
ns1.alidns.com. 172800 IN A 140.205.81.21
ns1.alidns.com. 172800 IN A 106.11.141.111
ns1.alidns.com. 172800 IN A 106.11.141.121
ns1.alidns.com. 172800 IN A 106.11.211.51
ns1.alidns.com. 172800 IN A 106.11.211.61
ns1.alidns.com. 172800 IN A 140.205.41.11
ns1.alidns.com. 172800 IN A 140.205.41.21
ns1.alidns.com. 172800 IN A 140.205.81.11
ns2.alidns.com. 172800 IN A 106.11.141.112
ns2.alidns.com. 172800 IN A 106.11.141.122
ns2.alidns.com. 172800 IN A 106.11.211.52
ns2.alidns.com. 172800 IN A 106.11.211.62
ns2.alidns.com. 172800 IN A 140.205.41.12
ns2.alidns.com. 172800 IN A 140.205.41.22
ns2.alidns.com. 172800 IN A 140.205.81.12
ns2.alidns.com. 172800 IN A 140.205.81.22

;; Query time: 1584 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 21:00:35 CST 2017
;; MSG SIZE rcvd: 358

[root@localhost ~]# host -t A www.magedu.com 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:

www.magedu.com has address 101.200.188.230
[root@localhost ~]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=SOA
> magedu.com
Server: 172.16.0.7
Address: 172.16.0.7#53

Non-authoritative answer:
magedu.com
origin = dns9.hichina.com
mail addr = hostmaster.hichina.com
serial = 2016112113
refresh = 3600
retry = 1200
expire = 3600
minimum = 360

Authoritative answers can be found from:
magedu.com nameserver = ns2.alidns.com.
magedu.com nameserver = ns1.alidns.com.
ns1.alidns.com internet address = 140.205.81.11
ns1.alidns.com internet address = 140.205.81.21
ns1.alidns.com internet address = 106.11.141.111
ns1.alidns.com internet address = 106.11.141.121
ns1.alidns.com internet address = 106.11.211.51
ns1.alidns.com internet address = 106.11.211.61
ns1.alidns.com internet address = 140.205.41.11
ns1.alidns.com internet address = 140.205.41.21
ns2.alidns.com internet address = 140.205.81.22
ns2.alidns.com internet address = 106.11.141.112
ns2.alidns.com internet address = 106.11.141.122
ns2.alidns.com internet address = 106.11.211.52
ns2.alidns.com internet address = 106.11.211.62
ns2.alidns.com internet address = 140.205.41.12
ns2.alidns.com internet address = 140.205.41.22
ns2.alidns.com internet address = 140.205.81.12
> exit

配置主DNS:

(1) 正向

[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
};
[root@localhost ~]# cd /var/named
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# vim magedu.com.zone <– 編輯后退出有語法著色;
[root@localhost named]# vim magedu.com.zone
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171129
1H
10M
1W
1D)
IN NS ns1
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6

[root@localhost named]# ll <– 注意權限;root.named 且為640
總用量 20
drwxrwx— 2 named named 22 11月 29 20:58 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r–r– 1 root root 269 11月 29 21:12 magedu.com.zone
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
drwxrwx— 2 named named 6 3月 6 2015 slaves

[root@localhost named]# chown :named magedu.com.zone
[root@localhost named]# chmod o= magedu.com.zone

[root@localhost named]# named-checkconf <– 編輯配置,沒有檢查語法

[root@localhost named]# named-checkzone magedu.com magedu.com.zone <– 檢查區域解析庫語法
zone magedu.com/IN: loaded serial 20171129
OK

[root@localhost named]# rndc status <– 裝載前的zones數據 101
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

[root@localhost named]# rndc reload <–裝載
server reload successful

[root@localhost named]# rndc status <– 裝載后的數據:102
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

本機測試或其它主機測試
[root@localhost named]# dig -t A www.magedu.com @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58114
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 3600 IN A 172.16.0.7

;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7

;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 21:16:38 CST 2017
;; MSG SIZE rcvd: 93

[root@localhost ~]# host -t SOA magedu.com 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:

magedu.com has SOA record magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400

[root@localhost ~]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=MX
> magedu.com
Server: 172.16.0.7
Address: 172.16.0.7#53

magedu.com mail exchanger = 20 mx2.magedu.com.
magedu.com mail exchanger = 10 mx1.magedu.com.
> exit

[root@localhost ~]#

(2) 反向

 

注意反向的域名是IP地址網絡段反寫;或不變部分反寫:例如:使用172.16.0.1-255/16時,可以反寫為16.172.in-addr.arpa. 或 0.16.172.in-addr.arpa; 假如第三位變時,則只能使用前者;
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “0.16.172.in-addr.arpa” IN {
type master;
file “172.16.0.zone”;
};

[root@localhost named]# vim -O 172.16.0.zone magedu.com.zone
$TTL 3600
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA @ nsadmin.magedu.com. (
20171129
1H
10M
1W
1D)
IN NS ns1.magedu.com.
7 IN PTR ns1.magedu.com.
7 IN PTR mx1.magedu.com.
6 IN PTR mx2.magedu.com.
7 IN PTR www.magedu.com.
6 IN PTR bbs.magedu.com.
7 IN PTR bbs.magedu.com.

[root@localhost named]# ll
總用量 24
-rw-r–r– 1 root root 275 11月 29 22:17 172.16.0.zone
drwxrwx— 2 named named 22 11月 29 20:58 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r—– 1 root named 269 11月 29 21:12 magedu.com.zone
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
drwxrwx— 2 named named 6 3月 6 2015 slaves

[root@localhost named]# chgrp named 172.16.0.zone
[root@localhost named]# chmod o= 172.16.0.zone

[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa 172.16.0.zone
zone 0.16.172.in-addr.arpa/IN: loaded serial 20171129
OK

[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 102
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

[root@localhost named]# rndc reload
server reload successful

[root@localhost named]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

測試解析:
[root@localhost named]# dig -x 172.16.0.6 @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.0.6 @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53414
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;6.0.16.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7

;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:23:03 CST 2017
;; MSG SIZE rcvd: 132

[root@localhost named]# host -t PTR 172.16.0.7 172.16.0.7
Using domain server:
Name: 172.16.0.7
Address: 172.16.0.7#53
Aliases:

7.0.16.172.in-addr.arpa domain name pointer bbs.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer www.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer mx1.magedu.com.
7.0.16.172.in-addr.arpa domain name pointer ns1.magedu.com.

[root@localhost named]# nslookup
> server 172.16.0.7
Default server: 172.16.0.7
Address: 172.16.0.7#53
> set q=PTR
> 172.16.0.6
Server: 172.16.0.7
Address: 172.16.0.7#53

6.0.16.172.in-addr.arpa name = bbs.magedu.com.
6.0.16.172.in-addr.arpa name = mx2.magedu.com.
> exit

[root@localhost named]#

從DNS配置

配置前準備

  • 主、從DNS時間同步,已經配置好了時間服務器: 172.16.0.247
    如果需要查看時間服務器如何配置,請移駕: https://www.mykernel.cn/archives/573
    [root@localhost named]# ntpdate 172.16.0.247 <– 主DNS: 172.16.0.7
    29 Nov 22:27:19 ntpdate[41180]: adjust time server 172.16.0.247 offset -0.051880 sec
    [root@localhost ~]# ntpdate 172.16.0.247 <– 從DNS: 172.16.0.6
    29 Nov 22:27:28 ntpdate[41204]: adjust time server 172.16.0.247 offset -0.008223 sec
  • 版本一致:
    [root@localhost named]# rpm -q bind <– 主DNS: 172.16.0.7
    bind-9.9.4-18.el7.x86_64
    [root@localhost ~]# rpm -q bind <– 從DNS: 172.16.0.6
    bind-9.9.4-18.el7.x86_64
  • 從DNS能從主DNS做區域傳送:
    [root@localhost ~]# dig -t axfr magedu.com @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr magedu.com @172.16.0.7
;; global options: +cmd
magedu.com. 3600 IN SOA magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN MX 10 mx1.magedu.com.
magedu.com. 3600 IN MX 20 mx2.magedu.com.
bbs.magedu.com. 3600 IN A 172.16.0.7
bbs.magedu.com. 3600 IN A 172.16.0.6
mx1.magedu.com. 3600 IN A 172.16.0.7
mx2.magedu.com. 3600 IN A 172.16.0.6
ns1.magedu.com. 3600 IN A 172.16.0.7
web.magedu.com. 3600 IN CNAME www.magedu.com.
www.magedu.com. 3600 IN A 172.16.0.7
magedu.com. 3600 IN SOA magedu.com. nsadmin.magedu.com.magedu.com. 20171129 3600 600 604800 86400
;; Query time: 5 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:30:07 CST 2017
;; XFR size: 12 records (messages 1, bytes 299)

[root@localhost ~]# dig -t axfr 0.16.172.in-addr.arpa @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr 0.16.172.in-addr.arpa @172.16.0.7
;; global options: +cmd
0.16.172.in-addr.arpa. 3600 IN SOA 0.16.172.in-addr.arpa. nsadmin.magedu.com. 20171129 3600 600 604800 86400
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR ns1.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR mx1.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR www.magedu.com.
7.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.
0.16.172.in-addr.arpa. 3600 IN SOA 0.16.172.in-addr.arpa. nsadmin.magedu.com. 20171129 3600 600 604800 86400
;; Query time: 4 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 22:30:20 CST 2017
;; XFR size: 9 records (messages 1, bytes 251)

[root@localhost ~]#

  • 在主DNS的解析庫中添加ns2記錄;ns2 A記錄指向從DNS主機;

 

1 正向的從

[root@localhost named]# vim -O magedu.com.zone 172.16.0.zone
[root@localhost named]# cat magedu.com.zone 172.16.0.zone | fgrep ns2
IN NS ns2
ns2 IN A 172.16.0.6
IN NS ns2.magedu.com.
6 IN PTR ns2.magedu.com.

>>>>
[root@localhost ~]# vim /etc/named.conf

options {
directory “/var/named”;
//allow-query { localhost; };
recursion yes;

dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
};

[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# systemctl status named.service
named.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since 三 2017-11-29 22:39:37 CST; 5s ago
Process: 41274 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 41272 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Main PID: 41276 (named)
CGroup: /system.slice/named.service
└─41276 /usr/sbin/named -u named

11月 29 22:39:37 localhost.localdomain named[41276]: managed-keys-zone: sync_keyzone:dns_journal_open -> unexpected error
11月 29 22:39:37 localhost.localdomain named[41276]: managed-keys-zone: unable to synchronize managed keys: unexpe…rror
11月 29 22:39:37 localhost.localdomain named[41276]: zone 0.in-addr.arpa/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone localhost/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0….al 0
11月 29 22:39:37 localhost.localdomain named[41276]: zone localhost.localdomain/IN: loaded serial 0
11月 29 22:39:37 localhost.localdomain named[41276]: all zones loaded
11月 29 22:39:37 localhost.localdomain named[41276]: running
11月 29 22:39:37 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.

[root@localhost ~]# netstat -tunlp | fgrep 53
tcp 0 0 172.16.0.6:53 0.0.0.0:* LISTEN 41276/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 41276/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 41276/named
tcp6 0 0 ::1:953 :::* LISTEN 41276/named
udp 0 0 172.16.0.6:53 0.0.0.0:* 41276/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 41276/named

[root@localhost ~]# vim + /etc/named.rfc1912.zones

zone “magedu.com” IN {
type slave;
file “slaves/magedu.com.zone”; <— 為什么是slaves目錄下?
masters { 172.16.0.7; };
};

[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# ls /var/named/slaves/
magedu.com.zone

<— 為什么是slaves目錄下?
[root@localhost ~]# ps axu | fgrep named <– named進程以普通用戶 named 身份運行;
named 41276 0.0 1.6 162652 16740 ? Ssl 22:39 0:00 /usr/sbin/named -u named

[root@localhost ~]# ls -ld /var/named <– named組對/var/named目錄沒有寫權限,所以不能修改此目錄下的文件;
drwxr-x— 5 root named 120 11月 29 22:28 /var/named

[root@localhost ~]# ls -ld /var/named/slaves <– named屬主對/var/named/slaves目錄有寫權限, 則named用戶可以修改此目錄下的文件,完成創建刪除操作;
drwxrwx— 2 named named 28 11月 29 22:42 /var/named/slaves
<– 主從同步,需要從服務從主DNS服務器那里復制一份副本,到從服務器;如果named進程沒有寫權限,將不能保留復制過來的文件;

測試解析:

[root@localhost ~]# dig -t A web.magedu.com @172.16.0.6

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A web.magedu.com @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.magedu.com. IN A

;; ANSWER SECTION:
web.magedu.com. 3600 IN CNAME www.magedu.com.
www.magedu.com. 3600 IN A 172.16.0.7

;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7

;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: 三 11月 29 22:47:42 CST 2017
;; MSG SIZE rcvd: 111

[root@localhost ~]# host -t MX magedu.com 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:

magedu.com mail is handled by 20 mx2.magedu.com.
magedu.com mail is handled by 10 mx1.magedu.com.

[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=A
> www.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53

Name: www.magedu.com
Address: 172.16.0.7
> pop3.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53

** server can’t find pop3.magedu.com: NXDOMAIN <— 注意 pop3不能解析
> exit

[root@localhost ~]#

===================>>>>>>>>>>>修改正向的主DNS解析庫(172.16.0.7); 注意: 修改serial
[root@localhost named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171130
1H
10M
1W
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
ns2 IN A 172.16.0.6
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6
pop3 IN A 172.16.0.7 <– 此為新增的條目

[root@localhost named]# named-checkzone magedu.com magedu.com.zone
zone magedu.com/IN: loaded serial 20171130
OK

[root@localhost named]# rndc reload
server reload successful

從服務器再次測試解析pop3.magedu.com

[root@localhost ~]# host -t A pop3.magedu.com 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:

pop3.magedu.com has address 172.16.0.7

[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=A
> pop3.magedu.com
Server: 172.16.0.6
Address: 172.16.0.6#53

Name: pop3.magedu.com
Address: 172.16.0.7
> exit

[root@localhost ~]#

 

2 反向的從

 

[root@localhost ~]# vim + /etc/named.rfc1912.zones

zone “0.16.172.in-addr.arpa” IN {
type slave;
file “slaves/0.16.172.in-addr.arpa”;
masters { 172.16.0.7; };
};

[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl status named.service
11月 29 22:55:45 localhost.localdomain named[41276]: transfer of ‘0.16.172.in-addr.arpa/IN’ from 172.16.0.7#53: co…6344
11月 29 22:55:45 localhost.localdomain named[41276]: zone 0.16.172.in-addr.arpa/IN: transferred serial 20171129
11月 29 22:55:45 localhost.localdomain named[41276]: transfer of ‘0.16.172.in-addr.arpa/IN’ from 172.16.0.7#53: Tr…sec)
11月 29 22:55:45 localhost.localdomain named[41276]: zone 0.16.172.in-addr.arpa/IN: sending notifies (serial 20171129)

測試:
root@localhost ~]# dig -x 172.16.0.6 @172.16.0.6

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.0.6 @172.16.0.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62169
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;6.0.16.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:
6.0.16.172.in-addr.arpa. 3600 IN PTR ns2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR mx2.magedu.com.
6.0.16.172.in-addr.arpa. 3600 IN PTR bbs.magedu.com.

;; AUTHORITY SECTION:
0.16.172.in-addr.arpa. 3600 IN NS ns1.magedu.com.
0.16.172.in-addr.arpa. 3600 IN NS ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7
ns2.magedu.com. 3600 IN A 172.16.0.6

;; Query time: 0 msec
;; SERVER: 172.16.0.6#53(172.16.0.6)
;; WHEN: 三 11月 29 22:56:38 CST 2017
;; MSG SIZE rcvd: 180

[root@localhost ~]# host -t PTR 172.16.0.6 172.16.0.6
Using domain server:
Name: 172.16.0.6
Address: 172.16.0.6#53
Aliases:

6.0.16.172.in-addr.arpa domain name pointer bbs.magedu.com.
6.0.16.172.in-addr.arpa domain name pointer mx2.magedu.com.
6.0.16.172.in-addr.arpa domain name pointer ns2.magedu.com.

[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=PTR
> 172.16.0.7
Server: 172.16.0.6
Address: 172.16.0.6#53

7.0.16.172.in-addr.arpa name = ns1.magedu.com.
7.0.16.172.in-addr.arpa name = bbs.magedu.com.
7.0.16.172.in-addr.arpa name = www.magedu.com.
7.0.16.172.in-addr.arpa name = mx1.magedu.com.
> exit

[root@localhost ~]#

============>>>>>>主服務器添加pop3.magedu.com反向解析;注意:修改serial
[root@localhost named]# vim 172.16.0.zone
$ORIGIN 0.16.172.in-addr.arpa.
@ IN SOA @ nsadmin.magedu.com. (
20171130
1H
10M
1W
1D)
IN NS ns1.magedu.com.
IN NS ns2.magedu.com.
7 IN PTR ns1.magedu.com.
6 IN PTR ns2.magedu.com.
7 IN PTR mx1.magedu.com.
6 IN PTR mx2.magedu.com.
7 IN PTR www.magedu.com.
6 IN PTR bbs.magedu.com.
7 IN PTR bbs.magedu.com.
7 IN PTR pop3.magedu.com.

[root@localhost named]# named-checkzone 0.16.172.in-addr.arpa 172.16.0.zone
[root@localhost named]# rndc status
[root@localhost named]# rndc reload
[root@localhost named]# rndc status

[root@localhost ~]# nslookup
> server 172.16.0.6
Default server: 172.16.0.6
Address: 172.16.0.6#53
> set q=PTR
> 172.16.0.7
Server: 172.16.0.6
Address: 172.16.0.6#53

7.0.16.172.in-addr.arpa name = ns1.magedu.com.
7.0.16.172.in-addr.arpa name = pop3.magedu.com.
7.0.16.172.in-addr.arpa name = mx1.magedu.com.
7.0.16.172.in-addr.arpa name = bbs.magedu.com.
7.0.16.172.in-addr.arpa name = www.magedu.com.
> exit

[root@localhost ~]#

配置子域:

  • 僅能修改主DNS服務器,因為從服務器不能修改解析庫,從服務器是從主服務器那里同步數據的;
  • 修改解析庫后需要將serial + 1,否則從服務器無法立即同步數據;

 

修改主DNS

[root@localhost named]# vim magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA @ nsadmin.magedu.com (
20171131
1H
10M
1W
1D)
IN NS ns1
IN NS ns2
IN MX 10 mx1
IN MX 20 mx2
ns1 IN A 172.16.0.7
ns2 IN A 172.16.0.6
mx1 IN A 172.16.0.7
mx2 IN A 172.16.0.6
www IN A 172.16.0.7
web IN CNAME www
bbs IN A 172.16.0.7
bbs IN A 172.16.0.6
pop3 IN A 172.16.0.7

ops IN NS ns1.ops
ns1.ops IN A 172.16.0.8

[root@localhost named]# named-checkzone magedu.com magedu.com.zone
zone magedu.com/IN: ops.magedu.com/NS ‘ns1.ops.magedu.com’ extra GLUE A record (172.16.0.8)
zone magedu.com/IN: ops.magedu.com/NS ‘ns1.ops.magedu.com’ missing GLUE A record (218.28.144.39)
zone magedu.com/IN: loaded serial 20171131
OK
[root@localhost named]# rndc reload
server reload successful

配置子域

[root@localhost ~]# rpm -q bind
未安裝軟件包 bind
[root@localhost ~]# yum -y install bind bind-libs bind-utils
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# netstat -tunl

[root@localhost ~]# vim + /etc/named.rfc1912.zones

zone “ops.magedu.com” IN {
type mater;
file “ops.magedu.com.zone”;
};

[root@localhost ~]# cd /var/named
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# vim ops.magedu.com.zone
[root@localhost named]# vim ops.magedu.com.zone <– 為了語法著色,第二次進入;
$TTL 3600
$ORIGIN ops.magedu.com.
@ IN SOA @ nsadmin.magedu.com. (
20171129
1H
10M
1W
1D)
IN NS ns1
ns1 IN A 172.16.0.8
www IN A 172.16.0.8
[root@localhost named]#
[root@localhost named]# ll
總用量 20
drwxrwx— 2 named named 22 11月 29 23:19 data
drwxrwx— 2 named named 6 3月 6 2015 dynamic
-rw-r—– 1 root named 2076 1月 28 2013 named.ca
-rw-r—– 1 root named 152 12月 15 2009 named.empty
-rw-r—– 1 root named 152 6月 21 2007 named.localhost
-rw-r—– 1 root named 168 12月 15 2009 named.loopback
-rw-r–r– 1 root root 146 11月 29 23:22 ops.magedu.com.zone
drwxrwx— 2 named named 6 3月 6 2015 slaves
[root@localhost named]# chgrp named ops.magedu.com.zone
[root@localhost named]# chmod o= ops.magedu.com.zone

[root@localhost named]# vim /etc/named.rfc1912.zones
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone ops.magedu.com ops.magedu.com.zone
zone ops.magedu.com/IN: loaded serial 20171129
OK
[root@localhost named]# rndc status
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]# rndc status

[root@localhost named]# dig -t A www.ops.magedu.com @172.16.0.8

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.ops.magedu.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.magedu.com. IN A

;; ANSWER SECTION:
www.ops.magedu.com. 3600 IN A 172.16.0.8

;; AUTHORITY SECTION:
ops.magedu.com. 3600 IN NS ns1.ops.magedu.com.

;; ADDITIONAL SECTION:
ns1.ops.magedu.com. 3600 IN A 172.16.0.8

;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:24:33 CST 2017
;; MSG SIZE rcvd: 97

[root@localhost named]# vim /etc/resolv.conf
nameserver 172.16.0.8

[root@localhost named]# host -t NS ops.magedu.com
ops.magedu.com name server ns1.ops.magedu.com.

注意:
子域能否解析父域?

[root@localhost named]# dig -t A www.magedu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15234
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 17

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 383 IN A 101.200.188.230

;; AUTHORITY SECTION:
magedu.com. 172583 IN NS ns1.alidns.com.
magedu.com. 172583 IN NS ns2.alidns.com.

;; ADDITIONAL SECTION:
ns1.alidns.com. 172583 IN A 106.11.211.61
ns1.alidns.com. 172583 IN A 140.205.41.11
ns1.alidns.com. 172583 IN A 140.205.41.21
ns1.alidns.com. 172583 IN A 140.205.81.11
ns1.alidns.com. 172583 IN A 140.205.81.21
ns1.alidns.com. 172583 IN A 106.11.141.111
ns1.alidns.com. 172583 IN A 106.11.141.121
ns1.alidns.com. 172583 IN A 106.11.211.51
ns2.alidns.com. 172583 IN A 140.205.41.12
ns2.alidns.com. 172583 IN A 140.205.41.22
ns2.alidns.com. 172583 IN A 140.205.81.12
ns2.alidns.com. 172583 IN A 140.205.81.22
ns2.alidns.com. 172583 IN A 106.11.141.112
ns2.alidns.com. 172583 IN A 106.11.141.122
ns2.alidns.com. 172583 IN A 106.11.211.52
ns2.alidns.com. 172583 IN A 106.11.211.62

;; Query time: 1 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:32:44 CST 2017
;; MSG SIZE rcvd: 358

不能

父域能否解析子域?

[root@localhost named]# dig -t A www.ops.magedu.com @172.16.0.7

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.ops.magedu.com @172.16.0.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35571
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.ops.magedu.com. IN A

;; ANSWER SECTION:
www.ops.magedu.com. 3600 IN A 172.16.0.8

;; AUTHORITY SECTION:
ops.magedu.com. 3600 IN NS ns1.ops.magedu.com.

;; ADDITIONAL SECTION:
ns1.ops.magedu.com. 3600 IN A 172.16.0.8

;; Query time: 1 msec
;; SERVER: 172.16.0.7#53(172.16.0.7)
;; WHEN: 三 11月 29 23:33:20 CST 2017
;; MSG SIZE rcvd: 97

開啟,子域的區域轉發:在子域主機上定義

[root@localhost named]# vim + /etc/named.rfc1912.zones

zone “magedu.com” IN {
type forward;
forward only;
forwarders { 172.16.0.7; 172.16.0.8; };
};

forward
first: 表示遞歸請求轉發過去后,不響應;自己再出去迭代;
only: 表示遞歸請求后,只等響應;

[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful

在測試子域解析父域:
[root@localhost named]# rndc flush
[root@localhost named]# dig -t A www.magedu.com @172.16.0.8

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.magedu.com @172.16.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5087
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com. IN A

;; ANSWER SECTION:
www.magedu.com. 3600 IN A 172.16.0.7

;; AUTHORITY SECTION:
magedu.com. 3600 IN NS ns1.magedu.com.
magedu.com. 3600 IN NS ns2.magedu.com.

;; ADDITIONAL SECTION:
ns1.magedu.com. 3600 IN A 172.16.0.7
ns2.magedu.com. 3600 IN A 172.16.0.6

;; Query time: 1204 msec
;; SERVER: 172.16.0.8#53(172.16.0.8)
;; WHEN: 三 11月 29 23:37:04 CST 2017
;; MSG SIZE rcvd: 127

[root@localhost named]#

基本安全配置:

 

1、可以全量傳送僅從服務器:
主DNS服務器修改:
zone “magedu.com” IN {
type master;
file “magedu.com.zone”;
allow-transfer { 172.16.0.6; };
};
zone “0.16.172.in-addr.arpa” IN {
type master;
file “172.16.0.zone”;
allow-transfer { 172.16.0.6; };
};

[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful

從服務修改
[root@localhost ~]# vim + /etc/named.rfc1912.zones
zone “magedu.com” IN {
type slave;
file “slaves/magedu.com.zone”;
masters { 172.16.0.7; };
allow-transfer { localhost; }; <– 因為從服務器沒有從服務器了呀!
};
zone “0.16.172.in-addr.arpa” IN {
type slave;
file “slaves/0.16.172.in-addr.arpa”;
masters { 172.16.0.7; };
allow-transfer { localhost; };
};

[root@localhost ~]# named-checkconf
[root@localhost ~]# rndc reload
server reload successful

子域主,沒有從:
[root@localhost named]# vim + /etc/named.rfc1912.zones
zone “ops.magedu.com” IN {
type master;
file “ops.magedu.com.zone”;
allow-transfer { localhost; };
};
[root@localhost named]# named-checkconf
[root@localhost named]# rndc reload
server reload successful

不應該允許別人更新解析庫:
allow-update { none; };

本文來自投稿,不代表Linux運維部落立場,如若轉載,請注明出處:http://www.www58058.com/89092

(0)
逆神陽逆神陽
上一篇 2017-11-29
下一篇 2017-11-30

相關推薦

  • 在CentOS 6上編譯安裝LAMP

    在CentOS 6上編譯安裝LAMP     在生產中如果需要使用較新的服務,而系統提供的rpm包又較老時該怎么辦呢?其實應用程序的安裝方式有多種,如:使用系統發行商提供rpm包或者下載源碼包手動編譯安裝也是可以的。今天我們編譯的服務不是一個單獨的而是一套。這套黃金搭檔從誕生之初到現在已經經過無數用戶的驗證,各大電商站點、門戶網站、以及各…

    Linux干貨 2017-04-23

  • Linux系統啟動基本流程

    Linux開機流程 如下圖 00×01、BISO自檢     硬件檢查,檢查硬件完整性,之后從開機BIOS開機硬件列表選擇BOOT設備     2. 00×02、MBR引導     從bootloader446…

    2017-07-09

  • Linux 入門基礎 及一些常見命令(下)

    date:                    顯示日期時間:date [OPTION]… [+FORMAT]        &nbsp…

    Linux干貨 2016-09-17

  • Linux基礎(九)-shell編程練習

    1、寫一個腳本,判斷當前系統上所有用戶的shell是否為可登錄shell(即用戶的shell不是/sbin/nologin);分別這兩類用戶的個數;通過字符串比較來實現; #!/bin/bash declare -i nologin=0 declare -i login=0 while read l…

    Linux干貨 2016-11-20

  • Linux Bash Shell練習

    Linux Bash Shell練習 1、寫一個腳本,完成以下功能: 假設某目錄(/etc/rc.d/rc3.d/)下分別有K開頭的文件和S開頭的文件若干 顯示所有以K開頭的文件的文件名,并且給其附加一個stop字符串 顯示所有以S開頭的文件的文件名,并且給其附加一個start字符串 分別統計S開頭和K開頭的文件各有多少 #!/bin/bash # for&…

    Linux干貨 2016-12-17

  • 六步建立yum倉庫

    建立yum倉庫

    Linux干貨 2018-03-26
欧美性久久久久