DNS总览
权威名称服务器
存储并提供某区域(整个DNS域或DNS域的一部分)的实际数据。
权威名称服务器的类型包括:
Master:包含原始区域数据。有时称作“主要”名称服务器
Slave:备份服务器,通过区域传送(zone transfer)从Master服务器获得区域数据的副本。有时称作“次要”名称服务器
非权威/递归名称服务器
客户端通过它查找来自权威名称服务器的数据。递归名称服务器的类型包括仅缓存名称服务器:仅用于查找,除少量本地数据之外对任何内容都不具有权威性
一些重要的options指令
listen-on 控制named侦听的IPv4地址
listen-on-v6 控制named侦听IPv6地址
allow-query控制哪些客户端可以向DNS服务器询问信息
forwarders包含DNS查询将转发至的名称服务器的列表(而不是直接联系外部名称服务器;在设有防火墙的情况中很有用)
所有这些指令都会将大括号中以分号分隔的元素视为地址匹配列表
回环接口:仅供系统内部服务访问的地址,无法与外界通信
1.安装部署dns
先设置IP、网关和yum源,再执行下面的命令
[root@station Desktop]# yum install bind
[root@station Desktop]# systemctl start named #首次启动时可能需要敲击键盘提供随机数,以生成/etc/rndc.key文件
[root@station Desktop]# systemctl stop firewalld
[root@station Desktop]# systemctl disable firewalld
yum install bind
主配置文件:/etc/named.conf
子配置文件:/etc/named.rfc1912.zones
2.高速缓存
服务端:
[root@station Desktop]# vim /etc/named.conf
listen-on port 53 { any; }; #侦听所有ip4地址
listen-on-v6 port 53 { ::1; }; #允许DNS侦听的ip6地址
allow-query { any; }; #允许所有客户端向DNS服务器询问信息
forwarders { 114.114.114.114; }; #DNS查询将转发至114.114.114.114,元素之间需要用分号分隔
dnssec-validation no; #关闭DNSSEC验证
[root@station Desktop]# systemctl restart named #重启
在客户端:
[root@localhost ~]# vim /etc/resolv.conf
nameserver 172.25.254.152 #服务端ip
[root@localhost ~]# dig www.baidu.com
服务端:
vim /etc/named.conf
重启服务
客户端:vim /etc/resolv.conf
dig www.baidu.com
第一次查询耗时较长,需要经转发器114.114.114.114获取
dig www.baidu.com
第二次查询耗时短,结果已被高速缓存,直接从172.25.254.152获得
3.正向解析
服务端:
[root@localhost ~]# vim /etc/resolv.conf
nameserver 172.25.254.152 #服务端自己的ip
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "linux.com" IN {
    type master;
    file "linux.com.zone";
    allow-update { none; };
};
[root@localhost ~]# cd /var/named/
[root@localhost named]# cp -p named.localhost linux.com.zone
[root@localhost named]# vim linux.com.zone
$TTL 1D
@ IN SOA dns.linux.com. li.linux.com. (
        0  ; serial
        1D ; refresh #重新刷新
        1H ; retry #重新尝试
        1W ; expire #最长有效期
        3H ) ; minimum #最短有效期
  NS dns.linux.com.
dns A 172.25.254.152
jk A 172.25.254.180
[root@localhost named]# systemctl restart named
测试:
dig www.linux.com
dig dns.linux.com
dig jk.linux.com
服务端:
vim /etc/resolv.conf
vim /etc/named.rfc1912.zones
/var/named/linux.com.zone内容
客户端测试:
dig www.linux.com
dig dns.linux.com
dig jk.linux.com
[root@localhost named]# vim linux.com.zone
$TTL 1D
@ IN SOA dns.linux.com. lin.linux.com. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
  NS dns.linux.com.
dns A 172.25.254.152
jk A 172.25.254.180
www CNAME node1.linux.com. #将别名www指向规范名称node1.linux.com.
node1 A 172.25.254.111
node1 A 172.25.254.222
[root@localhost named]# systemctl restart named
测试:
dig www.linux.com
dig www.linux.com
vim /var/named/linux.com.zone
dig www.linux.com
dig www.linux.com
4.反向解析
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {
    type master;
    file "linux.com.ptr";
    allow-update { none; };
};
[root@localhost ~]# cd /var/named/
[root@localhost named]# cp -p named.loopback linux.com.ptr
[root@localhost named]# vim linux.com.ptr
[root@localhost named]# systemctl restart named
$TTL 1D
@ IN SOA dns.linux.com. lin.linux.com. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
  NS dns.linux.com.
dns A 172.25.254.140
101 PTR www.linux.com.
202 PTR hello.linux.com.
测试:
dig -x 172.25.254.101
dig -x 172.25.254.202
vim /etc/named.rfc1912.zones
/var/named/linux.com.ptr内容
测试:
dig -x 172.25.254.101
dig -x 172.25.254.202
5.搭建内外网DNS服务器
[root@localhost named]# cp -p westos.com.zone westos.com.inter #创建外网文件
[root@localhost named]# vim westos.com.inter
$TTL 1D
@ IN SOA dns.linux.com. lin.linux.com. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
  NS dns.linux.com.
dns A 192.168.1.152
jk A 192.168.1.180
www CNAME node1.linux.com.
node1 A 192.168.1.111
node1 A 192.168.1.222
[root@localhost named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter #创建外网子配置文件
[root@localhost named]# vim /etc/named.rfc1912.inter
zone "linux.com" IN {
    type master;
    file "linux.com.inter"; #zone文件改为inter
    allow-update { none; };
};
[root@localhost named]# vim /etc/named.conf
/* #注释掉
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
*/
view localnet { #编写view
    match-clients { 172.25.254.152; };
    zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
};
view inter {
    match-clients { any; };
    zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.inter";
};
[root@localhost named]# systemctl restart named
测试:
dig www.westos.com #内网
dig www.westos.com #外网
/var/named/westos.com.inter内容
/etc/named.rfc1912.inter内容
/etc/named.conf 内容
内网测试:
外网测试:
6.DNS集群
为了分担主DNS服务器的压力,需要设置辅助DNS
主DNS的设定:
[root@localhost named]# vim /etc/named.conf
注释掉之前的
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "linux.com" IN {
    type master;
    file "linux.com.zone";
    allow-update { none; };
    also-notify { 172.25.254.252; }; #区域变更时主动通知172.25.254.252
};
辅助DNS的设定:
[root@localhost ~]# vim /etc/resolv.conf
nameserver 172.25.254.252
[root@localhost ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "westos.com" IN {
    type slave;
    masters { 172.25.254.152; };
    file "slaves/westos.com.zone";
    allow-update { none; };
};
测试:
主DNS
[root@localhost named]# vim westos.com.zone
更改ip和serial值
辅助DNS
dig www.westos.com
主DNS:
/etc/named.conf内容:
/etc/named.rfc1912.zones内容:
辅助DNS里:
/etc/resolv.conf内容:
/etc/named.conf内容:
etc/named.rfc1912.zones内容:
在主DNS的/var/named/linux.com.zone里更改ip和serial值(辅助DNS通过比较SOA中的serial判断区域是否有更新,serial不增大就不会重新传送,因此不改serial值,辅助DNS则同步不到主DNS更改的ip)
辅助DNS :dig www.linux.com
ip已同步
7.DNS远程更新
服务端:
[root@localhost named]# cp -p linux.com.zone /mnt #先拷贝文件到/mnt备用,方便恢复
[root@localhost named]# vim /etc/named.rfc1912.zones
allow-update { 172.25.254.240; }; #仅允许来自172.25.254.240的更新请求
[root@localhost named]# systemctl restart named
客户端:上传
[root@localhost ~]# nsupdate
> server 172.25.254.152
> update add test.westos.com 86400 A 172.25.254.111 #添加A记录
> send
测试:dig test.westos.com
服务端重启
[root@localhost named]# systemctl restart named
/var/named/westos.com.zone -->配置文件被更新
客户端:删除
[root@localhost ~]# nsupdate
> server 172.25.254.152
> update delete test.westos.com #删除该记录
> send
服务端:
[root@localhost named]# rm -fr westos.com.zone* #删掉被更新的文件
[root@localhost named]# cp -p /mnt/westos.com.zone . #恢复文件
服务端:vim /etc/named.rfc1912.zones
客户端上传DNS:
服务端重启,/var/named/westos.com.zone配置文件被更新
dig www.linux.com —->已上传
客户端删除DNS:
服务端恢复文件
如果更新失败,检查一下防火墙是否关闭、selinux的状态,以及/var/named/目录的权限,是否对其所属组可写
8.DNS密钥
服务端设置:
[root@localhost named]# cd /mnt
[root@localhost mnt]# ls
linux.com.zone
[root@localhost mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST linux #生成密钥
Klinux.+157+62860
[root@localhost mnt]# ls
Klinux.+157+62860.key Klinux.+157+62860.private linux.com.zone
[root@localhost mnt]# cat Klinux.+157+62860.key
linux. IN KEY 512 3 157 eNGcsO4kfoRec4RyB2WDeQ==
[root@localhost mnt]# cp -p /etc/rndc.key /etc/linux.key
[root@localhost mnt]# vim /etc/linux.key
key "linux" {
    algorithm hmac-md5;
    secret "eNGcsO4kfoRec4RyB2WDeQ=="; #共享密钥,与Klinux.+157+62860.key中的值相同
};
[root@localhost mnt]# cd /var/named/
[root@localhost named]# systemctl restart named
[root@localhost named]# vim /etc/named.conf
include "/etc/linux.key";
[root@localhost named]# vim /etc/named.rfc1912.zones
allow-update { key linux; }; #只允许持有该密钥的客户端更新
[root@localhost named]# systemctl restart named
[root@localhost named]# cd /mnt/
[root@localhost mnt]# scp Klinux.+157+62860.* root@172.25.254.252:/mnt/ #把密钥传给客户端
客户端:
[root@localhost mnt]# nsupdate -k Klinux.+157+62860.private
> server 172.25.254.152
> update add hello.linux.com 86400 A 172.25.254.111
> send
服务端:
把密钥传给客户端
/etc/linux.key内容:
/etc/named.conf内容:
/etc/named.rfc1912.zones内容:
客户端:更新DNS
服务端:dig hello.linux.com —>已上传
9.动态域名服务
服务端:
先恢复/var/named/linux.com.zone
安装dhcp
[root@localhost named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
[root@localhost named]# vim /etc/dhcp/dhcpd.conf
7  option domain-name "linux.com";
8  option domain-name-servers 172.25.254.152;
14 ddns-update-style interim;
29 subnet 172.25.254.0 netmask 255.255.255.0 {
30     range 172.25.254.250 172.25.254.252;
31     option routers 172.25.254.152;
32 }
33 key linux {
34     algorithm hmac-md5;
35     secret eNGcsO4kfoRec4RyB2WDeQ==;
36 };
37
38 zone linux.com. {
39     primary 127.0.0.1;
40     key linux;
41 }
[root@localhost named]# systemctl restart dhcpd
客户端:
[root@localhost Desktop]# hostnamectl set-hostname lin.linux.com
[root@lin Desktop]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
BOOTPROTO=dhcp
[root@lin Desktop]# systemctl restart network
[root@lin Desktop]# dig lin.linux.com
服务端:
/etc/dhcp/dhcpd.conf内容:
重启dhcp服务
客户端:
/etc/sysconfig/network-scripts/ifcfg-eth0内容: