DNS Server (Part 2)

pingink / 3091 reads


References
http://zhang789.blog.51cto.com/11045979/1858610
https://segmentfault.com/a/1190000010332312
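
Main configuration file format
Global configuration section:

        options { … };

Logging subsystem configuration section:

        logging { … };

Zone definition section:

        zone "ZONE_NAME" IN { … };

Zone definitions: define a zone for every zone this host is able to resolve.

Note:

Every configuration statement must end with a semicolon.

Any service that is expected to be reachable over the network by other hosts must listen on at least one IP that can communicate with external hosts.

Caching name server configuration

Listen on an address that can communicate with external hosts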

listen-on port 53

listen-on port 53 { 172.16.252.245; };

dnssec: disabling dnssec (setting it to no) is recommended (recommended when doing your own experiments)

   dnssec-enable no;

   dnssec-validation no;

   dnssec-lookaside no;

Turn off the local-only query restriction:

   //allow-query  { localhost; };

Check the configuration file for syntax errors:

    named-checkconf /etc/named.conf

Check a zone file for errors:

    named-checkzone "rookie.com" /var/named/rookie.com.zone

Example: [root@localhost ~]#vim /etc/named.conf

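Test command dig:
dig [-t type] name [@SERVER] [query options]

dig is used only to test the DNS system; it does not consult the hosts file for resolution.

Query options:

+[no]trace: trace the resolution process, e.g. dig +trace rookie.com

+[no]recurse: perform recursive resolution

[root@localhost ~]#dig -t A www.baidu.com @172.16.252.254 +trace

Testing reverse resolution: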

dig -x IP = dig -t ptr reverseip.in-addr.arpa

Simulating a zone transfer:
dig  -t  axfr  ZONE_NAME @SERVER

dig  -t  axfr  rookie.com @10.10.10.11

dig  -t  axfr  100.1.10.in-addr.arpa @172.16.1.1

dig  -t  NS  .  @114.114.114.114

dig  -t  NS  .  @a.root-servers.net 
[root@localhost ~]#dig -t NS baidu.com @172.16.0.1
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35043
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 6
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;baidu.com. IN  NS
 
;; ANSWER SECTION:
baidu.com.  54644   IN  NS  ns7.baidu.com.
baidu.com.  54644   IN  NS  ns3.baidu.com.
baidu.com.  54644   IN  NS  ns4.baidu.com.
baidu.com.  54644   IN  NS  dns.baidu.com.
baidu.com.  54644   IN  NS  ns2.baidu.com.
 
;; ADDITIONAL SECTION:
ns2.baidu.com.  140982  IN  A   61.135.165.235
ns4.baidu.com.  140982  IN  A   220.181.38.10
dns.baidu.com.  140982  IN  A   202.108.22.220
ns3.baidu.com.  140982  IN  A   220.181.37.10
ns7.baidu.com.  140982  IN  A   119.75.219.82
 
;; Query time: 2 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:38 EDT 2017
;; MSG SIZE  rcvd: 208

[root@localhost ~]#dig -t NS baidu.com @172.16.0.1 +nocomments
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t NS baidu.com @172.16.0.1 +nocomments
;; global options: +cmd
;baidu.com. IN  NS
baidu.com.  54627   IN  NS  dns.baidu.com.
baidu.com.  54627   IN  NS  ns3.baidu.com.
baidu.com.  54627   IN  NS  ns2.baidu.com.
baidu.com.  54627   IN  NS  ns4.baidu.com.
baidu.com.  54627   IN  NS  ns7.baidu.com.
ns2.baidu.com.  140965  IN  A   61.135.165.235
ns4.baidu.com.  140965  IN  A   220.181.38.10
dns.baidu.com.  140965  IN  A   202.108.22.220
ns3.baidu.com.  140965  IN  A   220.181.37.10
ns7.baidu.com.  140965  IN  A   119.75.219.82
;; Query time: 1 msec
;; SERVER: 172.16.0.1#53(172.16.0.1)
;; WHEN: Thu Jun 01 07:22:56 EDT 2017
;; MSG SIZE  rcvd: 208

Test command host:
host [-t type] name [SERVER]

host   -t   NS   rookie.com 172.16.0.1

host   -t   soa   rookie.com

host   -t   mx   rookie.com

host   -t   axfr   rookie.com

host 1.2.3.4

nslookup command: nslookup [-option] [name | -] [server]

Interactive mode:

nslookup>

server IP: specify which DNS server to use for the query

set q=RR_TYPE: specify the resource record type to query

name: the name to query
[root@localhost ~]#nslookup
> server 172.16.0.1
Default server: 172.16.0.1
Address: 172.16.0.1#53
> set q=a
> www.tencent.com
Server: 172.16.0.1
Address:    172.16.0.1#53
 
Non-authoritative answer:
www.tencent.com canonical name = upfile.wj.qq.com.cloud.tc.qq.com.
upfile.wj.qq.com.cloud.tc.qq.com    canonical name = ssd.tcdn.qq.com.
Name:   ssd.tcdn.qq.com
Address: 111.202.99.24
Name:   ssd.tcdn.qq.com
Address: 111.202.99.25
Name:   ssd.tcdn.qq.com
Address: 111.202.99.23
Name:   ssd.tcdn.qq.com
Address: 123.125.110.21
Name:   ssd.tcdn.qq.com
Address: 123.125.110.12
Name:   ssd.tcdn.qq.com
Address: 123.125.110.11
Name:   ssd.tcdn.qq.com
Address: 123.125.110.22
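
rndc command:

rndc: remote name domain controller

    953/tcp, but it listens on 127.0.0.1 by default, so it can only be used locally

    rndc --> rndc (953/tcp)

rndc COMMAND

Commands:

reload: reload the main configuration file and the zone data files

reload zonename: reload the zone data file of one zone

retransfer zonename: manually start a zone transfer, regardless of whether the serial number has increased

notify zonename: resend zone transfer notifications for the zone

reconfig: reload the main configuration file

querylog: turn query logging on or off (log file /var/log/messages)

trace: increase the debug level by one

trace LEVEL: set the debug level to the given value

notrace: set the debug level to 0

flush: clear the DNS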
[root@localhost ~]#rndc status
version: 9.9.4-RedHat-9.9.4-37.el7
CPUs found: 4
worker threads: 4
UDP listeners per interface: 4
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Configuring a master DNS server: define the zone in the main configuration file

zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};

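Define the zone data file
Contents that appear in it:

Macro definitions

Resource records

Main configuration file syntax check:

named-checkconf

Zone data file syntax check:

named-checkzone "rookie.com" /var/named/rookie.com.zone
rndc status|reload ;service named reload

Note: three points need particular attention before configuring the lab

Disable the firewall

Disable SELinux

Time must be synchronized

Configuring resolution for a forward zone

Using the rookie.com domain as an example:

Define the zone

Do this in the main configuration file (/etc/named.conf) or in its auxiliary configuration file (/etc/named.rfc1912.zones)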
[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "rookie.com" IN {
        type master;
        file "rookie.com.zone";
};
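Note: the zone name is the domain name

Create the zone data file (the main records are A or AAAA records)

Create the zone data file under the /var/named directory;
the file is: /var/named/rookie.com.zone
[root@localhost /var/named]#vim rookie.com.zone
$TTL 600        ; global variable: cache for 600 seconds
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (     ; owner is the domain name; admin.rookie.com. is the administrator mailbox
                        2017060101     ; serial number
                        1H             ; refresh interval: one hour
                        5M             ; retry interval: five minutes
                        1W             ; expire time: one week
                        6H )           ; TTL for negative answers: six hours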
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.0.1
web                     IN      CNAME   www

Change permissions and group ownership:
[root@localhost /var/named]#chgrp named /var/named/rookie.com.zone
[root@localhost /var/named]#chmod o= /var/named/rookie.com.zone
[root@localhost /var/named]#ll
總用量 20
drwxrwx--- 2 named named    6 11月 12 2016 data
drwxrwx--- 2 named named    6 11月 12 2016 dynamic
-rw-r----- 1 root  named 2076 1月  28 2013 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
-rw-r----- 1 root  named  301 6月   1 00:22 rookie.com.zone

Check for syntax errors:
[root@localhost /var/named]#named-checkconf 
[root@localhost /var/named]#named-checkzone "rookie.com" /var/named/rookie.com.zone
zone rookie.com/IN: loaded serial 2017060101
OK

Have the server reload the configuration file and the zone data files

[root@localhost /var/named]#rndc reload
[root@localhost ~]#systemctl restart named.service

Verify

[root@localhost /var/named]#dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38718
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: 四 6月 01 01:02:13 CST 2017
;; MSG SIZE  rcvd: 129

You can also omit the server IP by editing /etc/resolv.conf:
[root@localhost /var/named]#vim /etc/resolv.conf
 
; generated by /usr/sbin/dhclient-script
search magedu.com
#nameserver 172.16.0.1
 
[root@localhost /var/named]#dig -t A www.rookie.com 
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39628
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns2.rookie.com.
rookie.com. 600 IN  NS  dns1.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:08:08 CST 2017
;; MSG SIZE  rcvd: 129

Configuring resolution for a reverse zone

Define the zone

Do this in the main configuration file or in its auxiliary configuration file;
[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
        type master;
        file "172.16.zone";
};
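Note: the name of a reverse zone is
the network address written in reverse, followed by .in-addr.arpa
   16.172.in-addr.arpa

Define the zone data file (the main records are PTR records)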

[root@localhost ~]#vim /var/named/172.16.zone
$TTL 600
@       IN      SOA     rookie.com.     admin.rookie.com. (
                2017060101
                1H
                5M
                2W
                1D )
@               IN      NS      dns1.rookie.com.
@               IN      NS      dns2.rookie.com.
149.250         IN      PTR     dns1.rookie.com.
245.252         IN      PTR     dns2.rookie.com.
125.252         IN      PTR     www.rookie.com.

Change permissions and group ownership:
[root@localhost /var/named]#chgrp named /var/named/172.16.zone
[root@localhost /var/named]#chmod o= /var/named/172.16.zone

Check for syntax errors:
[root@localhost ~]#named-checkconf
[root@localhost ~]#named-checkzone "172.16" /var/named/172.16.zone
zone 172.16/IN: loaded serial 2017060101

Have the server reload the configuration file and the zone data files

[root@localhost ~]#rndc reload
[root@localhost ~]#systemctl restart named.service

Verify

[root@localhost /var/named]#dig -x 172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -x 172.16.259.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8132
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;149.259.16.172.in-addr.arpa.   IN  PTR
 
;; ANSWER SECTION:
149.259.16.172.in-addr.arpa. 600 IN PTR dns1.rookie.com.
 
;; AUTHORITY SECTION:
16.172.in-addr.arpa.    600 IN  NS  dns1.rookie.com.
16.172.in-addr.arpa.    600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 四 6月 01 01:44:45 CST 2017
;; MSG SIZE  rcvd: 150
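
Master and slave servers:

Note: a slave server is a zone-level concept;

Master zone configuration: see the forward and reverse zone configuration above

Slave zone configuration:

On Slave

Define the slave zone (using another virtual machine as an example)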

[root@localhost ~]#vim /etc/named.rfc1912.zones
zone "rookie.com." IN {
        type slave;
        file "slaves/rookie.com.zone";
        masters { 172.16.250.149; };            # specify the master node
};

[root@localhost ~]#vim /etc/named.conf
options {
        //listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
 
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
 
        dnssec-enable no;
        dnssec-validation no;

Configuration file syntax check:

[root@localhost ~]#named-checkconf

Reload the configuration on both master and slave

[root@localhost ~]#rndc reload
[root@localhost ~]#systemctl restart named.service
[root@localhost ~]#ll /var/named/slaves/    (the file has been synchronized)
total 4
-rw-r--r-- 1 named named 414 Jun  1 03:01 rookie.com.zone

Verify on the slave

[root@localhost ~]#dig -t A www.rookie.com @172.16.250.149
 
; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A www.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5639
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.rookie.com.    IN  A
 
;; ANSWER SECTION:
www.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:41:02 EDT 2017
;; MSG SIZE  rcvd: 129

Modify the zone data file on the master and test again

[root@localhost /var/named]#vim rookie.com.zone
$TTL 600
rookie.com.             IN      SOA     rookie.com.     admin.rookie.com. (
                        2017060102
                        1H
                        5M  
                        1W
                        6D )
                        IN      NS      dns1.rookie.com.
                        IN      NS      dns2.rookie.com.
dns1.rookie.com.        IN      A       172.16.250.149
dns2.rookie.com.        IN      A       172.16.252.245
www.rookie.com.         IN      A       172.16.252.125
web                     IN      CNAME   www
ftp                     IN      CNAME   www

[root@localhost ~]#dig -t A ftp.rookie.com @172.16.250.149

; <<>> DiG 9.9.4-RedHat-9.9.4-37.el7 <<>> -t A ftp.rookie.com @172.16.250.149
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.rookie.com.    IN  A
 
;; ANSWER SECTION:
ftp.rookie.com. 600 IN  CNAME   WWW.rookie.com.
WWW.rookie.com. 600 IN  A   172.16.252.125
 
;; AUTHORITY SECTION:
rookie.com. 600 IN  NS  dns1.rookie.com.
rookie.com. 600 IN  NS  dns2.rookie.com.
 
;; ADDITIONAL SECTION:
dns1.rookie.com.    600 IN  A   172.16.250.149
dns2.rookie.com.    600 IN  A   172.16.252.245
 
;; Query time: 0 msec
;; SERVER: 172.16.250.149#53(172.16.250.149)
;; WHEN: Thu Jun 01 03:46:11 EDT 2017
;; MSG SIZE  rcvd: 147
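
On Master

Make sure the zone data file has an NS record for every slave server, and that the forward zone file has an A record for the hostname in each slave server's NS record, with that A record pointing to the slave server's real IP address

Note: time must be synchronized

ntpdate command

Subdomain delegation:

How to delegate a subdomain in a forward zone: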

ops.rookie.com. IN NS ns1.ops.rookie.com.
ops.rookie.com. IN NS ns2.ops.rookie.com.
ns1.ops.rookie.com. IN A IP.AD.DR.ESS
ns2.ops.rookie.com. IN A IP.AD.DR.ESS

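Defining forwarding:

Note: the server being forwarded to must allow recursion for the current server;

Zone forwarding: forward only the resolution requests for one specific zone;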
zone  "ZONE_NAME"  IN {
type  forward;
forward  {first|only};
forwarders  { SERVER_IP; };
};

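first: forward first; if the forwarder does not respond, perform the iterative query itself;

only: forward only

Global forwarding: every query for a zone that is not defined locally through a zone statement is passed to a forwarder;
options {
...
forward  {only|first};
forwarders  { SERVER_IP; };
...
};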
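
Forwarding servers

Note: the server being forwarded to must be able to perform recursion for the requester, otherwise the forwarded request is not carried out

first: forward first; if the forwarder does not respond, perform the iterative query itself

only: forward only

Global forwarding: all requests for zones this host is not responsible for are forwarded to the specified server
options {
forward  {only|first};
forwarders  { SERVER_IP; };
};

Zone-specific forwarding: forward only the requests for a specific zone; takes priority over global forwarding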
zone  "ZONE_NAME"  IN {
type  forward;
forward  {first|only};
forwarders  { SERVER_IP; };
};

Note: disable the dnssec feature:
dnssec-enable no;
dnssec-validation no;
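
Security-related configuration in bind:
acl: access control list; groups one or more addresses into a named set, so that all hosts in the set can then be referenced together by that name

Format:

acl acl_name {
ip;
net/prelen;
...
};

Example: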
acl mynet {
172.16.0.0/16;
10.10.10.10;
};
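
bind has four built-in acls:
none: no hosts

any: any host

localhost: the local host

localnets: the network addresses obtained by applying the netmask to the local host's IPs

Note: an ACL can only be used after it has been defined, so it is generally defined in the configuration file, located at options

Access control directives:

allow-query {}; hosts allowed to query; a whitelist

allow-transfer {}; hosts allowed to receive zone transfers; the default is all hosts; it should be configured to allow only the slave servers

allow-recursion {}; hosts allowed to send recursive queries to this DNS server

allow-update {}; DDNS; allows the contents of the zone data file to be updated dynamically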
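
The access-control directives above can be checked mechanically. The following Python sketch is an added example, not part of the original post: it audits a named.conf text for the two gaps this page's own configuration shows (recursion yes with allow-query { any; } and no allow-recursion, and a master zone with no allow-transfer). The two sample configurations are constructed, the function names blocks and audit are hypothetical, and the check covers top-level zones only and tests whether a directive is present, not what it contains.

```python
import re

# Constructed sample mirroring this page: open queries, recursion on, no transfer ACL.
WEAK = '''
options { allow-query { any; }; recursion yes; };
zone "rookie.com" IN { type master; file "rookie.com.zone"; };
'''

# Constructed hardened variant; the ACL and the slave address are the page's examples.
HARDENED = '''
acl mynet { 172.16.0.0/16; };
options { allow-query { any; }; recursion yes; allow-recursion { mynet; }; };
zone "rookie.com" IN { type master; file "rookie.com.zone";
    allow-transfer { 172.16.252.245; }; };
'''

def blocks(conf):
    """Yield (header, body) for each top-level 'header { body };' statement."""
    conf = re.sub(r'/\*.*?\*/|//[^\n]*|#[^\n]*', '', conf, flags=re.S)  # strip comments
    depth, head_start, header, start = 0, 0, '', 0
    for i, ch in enumerate(conf):
        if ch == '{':
            if depth == 0:
                header, start = conf[head_start:i].strip(), i + 1
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                yield header, conf[start:i]
        elif ch == ';' and depth == 0:
            head_start = i + 1

def audit(conf):
    """Return findings; a directive's presence is checked, not its contents."""
    parsed = list(blocks(conf))
    opts = ' '.join(body for header, body in parsed if header == 'options')
    findings = []
    if (re.search(r'\brecursion\s+yes\b', opts)
            and re.search(r'allow-query\s*\{\s*any\s*;', opts)
            and 'allow-recursion' not in opts):
        findings.append('options: recursion open to any client')
    for header, body in parsed:
        zone = re.match(r'zone\s+"([^"]+)"', header)
        if (zone and re.search(r'\btype\s+master\b', body)
                and 'allow-transfer' not in body + opts):
            findings.append(f'zone {zone.group(1)}: transfers not restricted')
    return findings

print(audit(WEAK), audit(HARDENED))
```

named-checkconf only validates syntax, so a check of this kind complements it rather than replacing it.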

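bind view:

view: a bind server can define multiple views, and each view can define one or more zones

Each view is used to match a group of clients

Several views may need to resolve the same zone while using different zone data files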

view  VIEW_NAME {
zone
zone
zone
};

view internal  {
match-clients { 172.16.0.0/16; };
zone "rookie.com"  IN {
type master;
file  "rookie.com/internal";
};
};

view external {
match-clients { any; };
zone "rookie.com" IN {
type  master;
file  "rookie.com/external";
};
};
