Preparation: I am using the 192.168.141.xx subnet. A CentOS 6 host acts as the local DNS and a CentOS 7 host serves www.magedu.com. Seven machines are needed: client, ldns, rootdns, comdns, magedumasterdns, mageduslavedns and webserver (www.magedu.com). To stay safe we verify each step as we go. Order of work: build the services from the bottom up, from master to slave, then comdns, rootdns and finally ldns.

A. Build the CentOS 7 website and record each machine's IP address:

    [root@centos7 ~]# yum install httpd
    [root@centos7 ~]# vim /var/www/html/index.html
    welcome to magedu.com
    [root@centos7 ~]# systemctl restart httpd
    [root@centos7 ~]#

    [root@master ~]# ip a
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:89:2c:05 brd ff:ff:ff:ff:ff:ff
        inet 192.168.141.27/24 brd 192.168.141.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fe89:2c05/64 scope link
           valid_lft forever preferred_lft forever

    [root@slave ~]# ip a
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
        link/ether 00:0c:29:e2:dd:28 brd ff:ff:ff:ff:ff:ff
        inet 192.168.141.37/24 brd 192.168.141.255 scope global noprefixroute ens33
           valid_lft forever preferred_lft forever
        inet6 fe80::20c:29ff:fee2:dd28/64 scope link
           valid_lft forever preferred_lft forever

    [root@comdns ~]# ip a
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:40:40:73 brd ff:ff:ff:ff:ff:ff
        inet 192.168.141.17/24 brd 192.168.141.255 scope global eth0
        inet6 fe80::20c:29ff:fe40:4073/64 scope link
           valid_lft forever preferred_lft forever

    [root@rootdns ~]# ip a
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:43:c8:a8 brd ff:ff:ff:ff:ff:ff
        inet 192.168.141.7/24 brd 192.168.141.255 scope global eth0
        inet6 fe80::20c:29ff:fe43:c8a8/64 scope link
           valid_lft forever preferred_lft forever

    [root@LocalDNS ~]# ip a
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
        link/ether 00:0c:29:83:dd:6c brd ff:ff:ff:ff:ff:ff
        inet 192.168.141.6/24 brd 192.168.141.255 scope global eth0
        inet6 fe80::20c:29ff:fe83:dd6c/64 scope link
           valid_lft forever preferred_lft forever

B. Edit the relevant configuration files:

    [root@master ~]# vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            recursing-file  "/var/named/data/named.recursing";
            secroots-file   "/var/named/data/named.secroots";
    //      allow-query     { localhost; };
            allow-transfer {192.168.141.37;};

Comment out those two lines and add "allow-transfer {192.168.141.37;};", which allows only the slave server to pull (transfer) the zone.

    [root@master ~]# rndc reload
    server reload successful

The service must be reloaded at this point.

    [root@master ~]# vim /etc/named.rfc1912.zones
    // named.rfc1912.zones:
    zone "magedu.com" {
            type master;
            file "magedu.com.zone";
    };

Add the "zone ... };" block.

    [root@master ~]# vim /var/named/magedu.com.zone

    $TTL 1D
    @       IN SOA  master admin.magedu.com. (   ; RNAME needs the trailing dot, or the origin is appended
                    1       ; serial
                    1D      ; refresh
                    1H      ; retry
                    1W      ; expire
                    3H )    ; minimum
            NS      master
            NS      slave
    master  A       192.168.141.27
    slave   A       192.168.141.37
    www     A       192.168.141.254

This step edits the zone file and writes in the records for the website's domain. Then fix the permissions and the owning group:

    [root@master ~]# chmod 640 /var/named/magedu.com.zone
    [root@master ~]# chgrp named /var/named/magedu.com.zone
    [root@master ~]# systemctl start named
    [root@master ~]# systemctl enable named
    Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

Because I restored a snapshot and the data was lost, I re-edited the zone database; its contents are given here again:

    [root@master ~]# vim magedu.com.zone
    $TTL 1D
    @       IN SOA  master admin.magedu.com. (   ; trailing dot on the RNAME
                    1 1D 1H 1W 3H )
            NS      master
            NS      slave
    master  A       192.168.141.27
    slave   A       192.168.141.37
    www     A       192.168.141.254
Now restart the service. As shown below, there is no error message, so it started successfully.

    [root@master ~]# systemctl restart named
    [root@master ~]# systemctl status named
    ● named.service - Berkeley Internet Name Domain (DNS)
       Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
       Active: active (running) since Thu 2019-02-14 14:22:29 CST; 21s ago
      Process: 21030 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
      Process: 21045 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
      Process: 21042 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
     Main PID: 21047 (named)
        Tasks: 7
       CGroup: /system.slice/named.service
               └─21047 /usr/sbin/named -u named -c /etc/named.conf

    Feb 14 14:22:29 master named[21047]: command channel listening on ::1#953
    Feb 14 14:22:29 master named[21047]: managed-keys-zone: journal file is out of date: removing journal file
    Feb 14 14:22:29 master named[21047]: managed-keys-zone: loaded serial 2
    Feb 14 14:22:29 master named[21047]: zone localhost/IN: loaded serial 0
    Feb 14 14:22:29 master named[21047]: zone magedu.com/IN: loaded serial 1
    Feb 14 14:22:29 master named[21047]: zone localhost.localdomain/IN: loaded serial 0
    Feb 14 14:22:29 master named[21047]: all zones loaded
    Feb 14 14:22:29 master named[21047]: running
    Feb 14 14:22:29 master named[21047]: zone magedu.com/IN: sending notifies (serial 1)
    Feb 14 14:22:29 master systemd[1]: Started Berkeley Internet Name Domain (DNS).

Now query the master from the local DNS with dig:

    [root@LocalDNS ~]# dig www.magedu.com @192.168.141.27

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.magedu.com @192.168.141.27
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63810
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.                IN      A

    ;; ANSWER SECTION:
    www.magedu.com.         86400   IN      A       192.168.141.254

    ;; AUTHORITY SECTION:
    magedu.com.             86400   IN      NS      slave.magedu.com.
    magedu.com.             86400   IN      NS      master.magedu.com.

    ;; ADDITIONAL SECTION:
    master.magedu.com.      86400   IN      A       192.168.141.27
    slave.magedu.com.       86400   IN      A       192.168.141.37

    ;; Query time: 8 msec
    ;; SERVER: 192.168.141.27#53(192.168.141.27)
    ;; WHEN: Fri Feb 8 13:18:01 2019
    ;; MSG SIZE  rcvd: 121

With this, our master DNS server is complete.

C. Now build the slave server:

    [root@slave ~]# vim /etc/named.conf
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            recursing-file  "/var/named/data/named.recursing";
            secroots-file   "/var/named/data/named.secroots";
    //      allow-query     { localhost; };
            allow-transfer {none;};

As before, comment out those two lines. For safety, add "allow-transfer {none;};": the slave must not let anyone pull the zone from it.

    [root@slave ~]# vim /etc/named.rfc1912.zones

    // named.rfc1912.zones:
    //
    // Provided by Red Hat caching-nameserver package
    //
    // ISC BIND named zone configuration for zones recommended by
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    zone "magedu.com" {
            type slave;
            masters {192.168.141.27;};
            file "slaves/magedu.com.zone";
    };
    zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };

We fill in zone "magedu.com" { type slave; masters {192.168.141.27;}; file "slaves/magedu.com.zone"; }.

    [root@slave ~]# systemctl start named
    [root@slave ~]# ll /var/named/slaves/
    total 4
    -rw-r--r-- 1 named named 330 Feb 14 14:51 magedu.com.zone

As the listing shows, the zone database has been copied over, so master-to-slave replication is working. Now query the slave from the local DNS:

    [root@LocalDNS ~]# dig www.magedu.com @192.168.141.37

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.magedu.com @192.168.141.37
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7460
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.                IN      A

    ;; ANSWER SECTION:
    www.magedu.com.         86400   IN      A       192.168.141.254

    ;; AUTHORITY SECTION:
    magedu.com.             86400   IN      NS      slave.magedu.com.
    magedu.com.             86400   IN      NS      master.magedu.com.

    ;; ADDITIONAL SECTION:
    master.magedu.com.      86400   IN      A       192.168.141.27
    slave.magedu.com.       86400   IN      A       192.168.141.37

    ;; Query time: 4 msec
    ;; SERVER: 192.168.141.37#53(192.168.141.37)
    ;; WHEN: Fri Feb 8 14:02:32 2019
    ;; MSG SIZE  rcvd: 121

This shows the slave is working. To see master-slave synchronisation in action, add a record to the zone file: add "blog A 192.168.141.154". Note that the serial number must now be "2".

    [root@master ~]# vim magedu.com.zone
    $TTL 1D
    @       IN SOA  master admin.magedu.com. (
                    2       ; serial bumped so the slave notices the change
                    1D 1H 1W 3H )
            NS      master
            NS      slave
    master  A       192.168.141.27
    slave   A       192.168.141.37
    www     A       192.168.141.254
    blog    A       192.168.141.154

    [root@LocalDNS ~]# dig blog.magedu.com @192.168.141.37

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> blog.magedu.com @192.168.141.37
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56467
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;blog.magedu.com.               IN      A

    ;; AUTHORITY SECTION:
    magedu.com.             10800   IN      SOA     master.magedu.com. admin.magedu.com.magedu.com. 1 86400 3600 604800 10800

    ;; Query time: 1 msec
    ;; SERVER: 192.168.141.37#53(192.168.141.37)
    ;; WHEN: Fri Feb 8 14:06:13 2019
    ;; MSG SIZE  rcvd: 93

Now even a dig for blog shows the synchronised query result. Check the serial in the authority section before trusting it: the capture above still shows serial 1 and NXDOMAIN, so the slave had not yet pulled serial 2 when this query ran; once it has, the SOA shows 2 and blog resolves.

D. Build comdns.

    [root@comdns ~]# vim /etc/named.conf
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    options {
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };

As before, comment out these two lines.

    [root@comdns ~]# vim /etc/named.rfc1912.zones
    // named.rfc1912.zones:
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    zone "com" {
            type master;
            file "com.zone";
    };

Fill in this block.

    [root@comdns named]# vim com.zone

    $TTL 1D
    @       IN SOA  master admin.magedu.com. (
                    2 1D 1H 1W 3H )
            NS      master
    magedu  NS      dns1    ; the magedu.com subdomain is delegated to .27 and .37
    magedu  NS      dns2

    master  A       192.168.141.17
    dns1    A       192.168.141.27  ; glue records for the delegated name servers
    dns2    A       192.168.141.37

comdns delegates magedu.com to 141.37 and 141.27.

    [root@comdns named]# service named start
    Starting named:                                            [  OK  ]

Now query comdns from the local DNS. 192.168.141.17 holds no blog record itself; that name is delegated to .27 and .37. If dig returns a result, the delegation works, as shown:

    [root@LocalDNS ~]# dig blog.magedu.com @192.168.141.17

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> blog.magedu.com @192.168.141.17
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54859
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;blog.magedu.com.               IN      A

    ;; AUTHORITY SECTION:
    magedu.com.             10800   IN      SOA     master.magedu.com. admin.magedu.com.magedu.com. 1 86400 3600 604800 10800

    ;; Query time: 8 msec
    ;; SERVER: 192.168.141.17#53(192.168.141.17)
    ;; WHEN: Fri Feb 8 15:34:11 2019
    ;; MSG SIZE  rcvd: 93

    [root@LocalDNS ~]# dig www.magedu.com @192.168.141.17

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.magedu.com @192.168.141.17
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33362
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.                IN      A

    ;; ANSWER SECTION:
    www.magedu.com.         86400   IN      A       192.168.141.254

    ;; AUTHORITY SECTION:
    magedu.com.             86400   IN      NS      dns2.com.
    magedu.com.             86400   IN      NS      dns1.com.

    ;; ADDITIONAL SECTION:
    dns1.com.               86400   IN      A       192.168.141.27
    dns2.com.               86400   IN      A       192.168.141.37

    ;; Query time: 7 msec
    ;; SERVER: 192.168.141.17#53(192.168.141.17)
    ;; WHEN: Fri Feb 8 15:37:07 2019
    ;; MSG SIZE  rcvd: 118

Both blog and www resolve without problems.
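As an added check that is not part of the original lab, the following Python audits a zone file written the way magedu.com.zone (section B) and com.zone (section D) are: it expands relative names against the origin, flags an SOA mail name that lacks the trailing dot (the cause of the admin.magedu.com.magedu.com. visible in the dig output above), and flags a delegation whose name server has no glue A record in the parent zone. The zone texts embedded in it are constructed for the example.

```python
"""Audit a small BIND zone file for two pitfalls seen in this lab: an SOA mail
name without a trailing dot (the origin gets appended) and a delegation whose
name servers have no glue A record. Sample zones below are constructed."""
import re

def fqdn(name, origin):
    """Expand a relative name against the zone origin ('@' is the origin itself)."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Yield (owner, type, rdata) tuples; a blank owner inherits the previous one."""
    text = re.sub(r";[^\n]*", "", text)                       # strip ; comments
    text = re.sub(r"\([^)]*\)", lambda m: m.group().replace("\n", " "), text)
    owner = origin
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):           # blank line or $TTL
            continue
        if not line[0].isspace():                             # explicit owner name
            owner, tokens = fqdn(tokens[0], origin), tokens[1:]
        if tokens[0] == "IN":
            tokens = tokens[1:]
        yield owner, tokens[0], tokens[1:]

def audit(text, origin):
    """Return human-readable findings; an empty list means the zone looks sane."""
    recs = list(parse_zone(text, origin))
    glue = {o for o, t, _ in recs if t == "A"}
    findings = []
    for owner, rtype, rdata in recs:
        if rtype == "SOA" and "." in rdata[1] and not rdata[1].endswith("."):
            findings.append(f"SOA RNAME {rdata[1]} lacks a trailing dot; "
                            f"it becomes {fqdn(rdata[1], origin)}")
        if rtype == "NS" and owner != origin:                 # a delegation
            target = fqdn(rdata[0], origin)
            if target.endswith("." + origin) and target not in glue:
                findings.append(f"delegation {owner} -> {target} has no glue A record")
    return findings

# Constructed copies of the lab's zones, with the mistakes left in on purpose.
MAGEDU_ZONE = """$TTL 1D
@ IN SOA master admin.magedu.com ( 1 1D 1H 1W 3H )
www     A 192.168.141.254
"""
COM_ZONE = """$TTL 1D
@ IN SOA master admin.magedu.com. ( 2
        1D 1H 1W 3H )
magedu  NS dns1   ; delegation of magedu.com to dns1/dns2
magedu  NS dns2
dns1    A 192.168.141.27  ; dns2 has no glue record
"""
```

Run audit() on the real files with origin "magedu.com." or "com." before reloading named; a clean result is an empty list.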

Master-slave replication is said to be fault tolerant. We shut down the master at 192.168.141.27: a dig against .27 gets no response, but .37 answers normally, and a dig against .17 still returns results as well. This demonstrates the fault tolerance.
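The fault-tolerance test above and the serial-1 capture in section C both come down to reading dig output carefully. The following Python, added here and not part of the original lab, pulls the status, the aa flag and the SOA serial out of a capture and compares master and slave; the captures embedded in it are constructed in the lab's format.

```python
"""Read captured `dig` output the way the lab's checks do by eye: status, whether
the answer was authoritative (aa flag), and the SOA serial. Comparing the serial
on master and slave tells you whether the slave has actually pulled the change.
All sample captures below are constructed in the lab's format."""
import re

SOA_RE = re.compile(r"^\S+\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)", re.M)

def summarize(dig_output):
    """Return {'status', 'authoritative', 'serial'} from one dig capture."""
    status = re.search(r"status: (\w+)", dig_output)
    flags = re.search(r"flags: ([^;]*);", dig_output)
    serial = SOA_RE.search(dig_output)
    return {
        "status": status.group(1) if status else None,
        "authoritative": bool(flags) and "aa" in flags.group(1).split(),
        "serial": int(serial.group(1)) if serial else None,
    }

def replication_state(master_out, slave_out):
    """Compare SOA serials; the slave is current only when the serials match."""
    m, s = summarize(master_out)["serial"], summarize(slave_out)["serial"]
    if m is None or s is None:
        return "unknown"
    return "in sync" if s == m else "slave behind"

# Constructed: master answering `dig magedu.com SOA @192.168.141.27` after the
# serial was bumped to 2 and blog was added.
MASTER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; ANSWER SECTION:
magedu.com.  86400 IN SOA master.magedu.com. admin.magedu.com. 2 86400 3600 604800 10800
"""
# Constructed: the slave still on serial 1, so blog.magedu.com is NXDOMAIN
# (the same picture as the capture in section C above).
SLAVE = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
magedu.com.  10800 IN SOA master.magedu.com. admin.magedu.com. 1 86400 3600 604800 10800
"""
```

Feed it the text of `dig magedu.com SOA @192.168.141.27` and `@192.168.141.37`; an answer without aa, like the ones comdns at .17 returns above, came via recursion rather than from the authoritative server.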

E. Now build rootdns.

    [root@rootdns yum.repos.d]# vim /etc/named.conf
    // named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };
            recursion yes;

Comment out the two lines. Now query rootdns from the local DNS:

    [root@LocalDNS ~]# dig www.magedu.com @192.168.141.7

    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.magedu.com @192.168.141.7
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8006
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;www.magedu.com.                IN      A

    ;; ANSWER SECTION:
    www.magedu.com.         86020   IN      A       192.168.141.254

    ;; AUTHORITY SECTION:
    magedu.com.             86020   IN      NS      dns1.com.
    magedu.com.             86020   IN      NS      dns2.com.

    ;; ADDITIONAL SECTION:
    dns2.com.               86020   IN      A       192.168.141.37
    dns1.com.               86020   IN      A       192.168.141.27

    ;; Query time: 5 msec
    ;; SERVER: 192.168.141.7#53(192.168.141.7)
    ;; WHEN: Fri Feb 8 17:33:28 2019
    ;; MSG SIZE  rcvd: 118

At this point .7, .17, .27 and .37 can all be queried successfully.

F. Build the local DNS:

    [root@LocalDNS yum.repos.d]# vim /etc/named.conf
    //      listen-on port 53 { 127.0.0.1; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };
            recursion yes;

Comment out these two lines as before.

            dnssec-enable no;
            dnssec-validation no;

Both DNSSEC settings here are switched off ("no"): the private root built above is not signed, so validation cannot succeed in this lab hierarchy.

            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";

    [root@LocalDNS yum.repos.d]# vim /var/named/named.ca

    .                        3600000      NS    A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.      3600000      A     192.168.141.7    ; rootdns address from section A

Explanation: because we built our own root, /var/named/named.ca must be edited so that the root hint points at the IP of the root server we built (rootdns, 192.168.141.7 in the addresses listed in section A).

    [root@LocalDNS yum.repos.d]# service named restart
    Stopping named:                                            [  OK  ]
    Generating /etc/rndc.key:                                  [  OK  ]
    Starting named:                                            [  OK  ]

With this, the DNS configuration is complete. Test it from Windows: the screenshot shows that Windows can ping the site at 192.168.141.254. After adjusting the Windows machine's IP settings, the site can be reached by the name www.magedu.com. This concludes the lab.