域名系统(英文:Domain Name System,缩写:DNS)是internet的一项服务。它作为将域名和IP地址相互映射服务,能够使人更方便地访问互联网。DNS使用TCP和UDP端口53。当前,对于每一级域名长度的限制是63个字符,域名总长度则不能超过253个字符。
讲解内容:
DNS名称解析方式
DNS查询类型
DNS服务器类型
区域数据库文件详解
Centos7安装配置BIND
BIND主从服务器配置
BIND安全相关配置
BIND view视图配置
一、DNS名称解析方式
DNS名称解析方式分为两种:
名称 ---> IP
例如:此处命令会在后面工具中具体详解
# 可以看出“名称”www.magedu.com对应的ip是101.200.188.230
# dig -t A www.magedu.com ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17179 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 10 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.magedu.com.INA ;; ANSWER SECTION: www.magedu.com.589INA101.200.188.230 ;; AUTHORITY SECTION: magedu.com.159640INNSv2s1.xundns.com. magedu.com.159640INNSv2s2.xundns.com.
例如:此处命令会在后面工具中具体详解
# 可以看出“IP"172.16.0.1对应的名称是server.mageliunx.com.
IP ---> 名称
# dig -x 172.16.0.1 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 172.16.0.1 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1126 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;1.0.16.172.in-addr.arpa.INPTR ;; ANSWER SECTION: 1.0.16.172.in-addr.arpa. 86400INPTRserver.magelinux.com. ;; AUTHORITY SECTION: 16.172.in-addr.arpa.86400INNSserver.magelinux.com. ;; ADDITIONAL SECTION: server.magelinux.com.86400INA172.16.0.1 ;; Query time: 2 msec ;; SERVER: 172.18.0.1#53(172.18.0.1) ;; WHEN: Fri Apr 08 21:47:00 CST 2016 ;; MSG SIZE rcvd: 116
二、DNS查询类型
DNS查询类型分为:
递归查询
迭代查询
下图是本人对dns查询过程的理解
三、DNS服务器类型
主DNS服务器:维护所负责解析的域数据库的那台服务器:读写操作均可进行;
从DNS服务器:从主DNS服务器那里或其他的从DNS服务器那里“复制”一份解析库;但只能进行读操作
“复制”操作的实施方式
序列号:serial,也即是数据库版本号;主服务器数据库内容发生变化时,其版本号递增;
刷新时间间隔:refresh,从服务器每多久到从服务器检查序列号更新情况;
重试时间间隔:retry,从服务器从主服务器请求同步解析失败时,再次发起请求尝试的时间间隔
过期时长:expire,从服务器始终联系不到主服务器时,多久之后放弃主服务器同步;停止提供服务。
否定答案的缓存时长:缓存错误的地址的时间此内容在BIND中的区域文件中配置
例如:
$TTL 33600 @ IN SOA ns1.magedu.com. admin.magedu.com. ( 2016040801 ;seria 2H ;refresh 10M ;retry 1W ;expire 1D ;negative answer ttl )
四、区域数据库文件详解
区域文件一般存于/var/named/下,以ZONE_NAME.zone命名,其中包含了很多参数。
资源记录:Resource Record,简称rr
记录类型有:A,AAAA,PTR,SOA,NS,CNAME,MX
语法:
name [TTL] IN RR_TYPE value
SOA:Start Of Authority,其实授权记录()额区域解析库有且只能有一个SOA记录,而且必须放在第一条
NS:Name Service,域名服务记录;一个区域解析库可以有多个NS记录;其中一个为主的
A:Address,地址记录,FQDN --> IPV4
AAAA:地址记录, FQDN --> IPv6
CNAME:Canonical Name,别名记录
PTR:Pointer,反向指针记录:IP --> FQDN
MX:Mail eXchanger,邮件交换器
优先级:0-99,数字越小优先级越高
使用方法及格式:
SOA:
name: 当前区域的名字;例如”mageud.com.”,或者“2.3.4.in-addr.arpa.”;
value:有多部分组成
(1) 当前区域的区域名称(也可以使用主DNS服务器名称);
(2) 当前区域管理员的邮箱地址;但地址中不能使用@符号,一般使用点号来替代;
(3) (主从服务协调属性的定义以及否定答案的TTL)
例如:
$TTL 33600 @ IN SOA ns1.magedu.com. admin.magedu.com. ( 2016040801 ;seria 2H ;refresh 10M ;retry 1W ;expire 1D ;negative answer ttl )
NS:
name:当前区域的区域名称
value:当前区域的某DNS服务器的名字,例如ns.magedu.com.
注意:一个区域可以有多个ns记录
例如:
zhaoxin.com. 86400 IN NS ns1.zhaoxin.com.
zhaoxin.com. 86400 IN NS ns2.zhaoxin.com.
MX:
name: 当前区域的区域名称
value:当前区域某邮件交换器的主机名;
注意:MX记录可以有多个;但每个记录的value之前应该有一个数字表示其优先级;
例如:
zhaoxin.com. IN MX 10 mx1.zhaoxin.com.
zhaoxin.com. IN MX 20 mx2.zhaoxin.com.
A:
name:某FQDN,例如www.maged.com.
value:某IPV4地址
例如:
www.zhaoxin.com. IN A 222.145.33.26
www.zhaoxin.com. IN A 222.145.33.26
AAAA:
name:FQDN
value:IPV6
PTR:
name:IP地址,有特定格式,IP反过来写,而且加特定后缀:例如172.16.100.10应该写为10.100.16.172.in-addr.arpa
value:FQDN
例如:
10.100.16.172.in-addr.arpa IN PTR www.zhaoxin.com.
CNAME:
name:FQDN格式的别名;
value:FQDN格式的正式名字;
例如:
web.zhaoxin.com. IN CNAME www.zhaoxin.com.
有以下几点需要注意:
(1) TTL可以从全局继承;
(2) @表示当前区域的名称;
(3) 相邻的两条记录其name相同时,后面的可省略;
(4) 对于正向区域来说,各MX,NS等类型的记录的value为FQDN,此FQDN应该有一个A记录;
五、Centos 7安装配置BIND
主配置文件
介绍配置文件之前先介绍一下BIND
BIND: Berkeley Internet Name Domain(由伯克利学校开发)
dns:协议
bind:dns协议的一种实现
named:bind程序运行的进程名
程序包组成:
bind-libs:被bind和bind-utils包中的程序共同用到的库文件;
bind-utils:bind客户端程序集,例如dig, host, nslookup等;
bind:提供的dns server程序、以及几个常用的测试程序;
bind-chroot:选装,让named运行于jail模式下;
centos 7 bind配置文件:
主配置文件:/etc/named.conf
或包含进来其他文件
/etc/named.iscdly.key
/etc/named.rfc1912.zones
/etc/named.root.key
centos 7中一般配置区域在/etc/rfc1912.zones,全局配置在/etc/named.conf中
1、主配置文件格式:
全局配置段:
options { ... } # 注意内容前后有空格
日志配置端:
logging { ... }
区域配置端:
zone { ... }
配置那些由本机负责解析的区域,或转发的区域
注意:每个语句必须以分号结尾
2、缓存名称服务器的配置:(注意此处的配置应该在使用前操作)
监听能与外部主机通信的地址:
listen-on port 53 { 172.18.4.1; };
学习时,建议关闭dnssec
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
关闭仅允许本地查询:
//allow-query { localhost; }; 单行注释用“//”
解析库文件
/var/named/目录下:
一般名字为:ZONE_NAME.zone
例如:magedu.com.zone
172.16.100.zone
注意:
1、一台DNS服务器可同时为多个区域提供解析
2、必须要有跟区域解析库文件:named.ca
3、还应该有两个区域解析库文件:localhost和127.0.0.1的正反向解析库
正向:named.localhost
反向:named.loopback
检查配置文件语法错误
named-checkconf [/etc/named.conf]
named-checkzone ZONE_NAME ZONE_FILE
# named-checkzone magedu.com. magedu.com.zone zone magedu.com/IN: loaded serial 2016040801 OK # named-checkconf /etc/named.conf #
测试及管理工具
dig命令:
语法:dig [-t RR_TYPE] name [@SERVER] [query options]
# dig -t A ns1.magedu.com @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A ns1.magedu.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6933 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns1.magedu.com.INA ;; ANSWER SECTION: ns1.magedu.com.33600INA172.18.250.108 ;; AUTHORITY SECTION: magedu.com.33600INNSns2.magedu.com. magedu.com.33600INNSns1.magedu.com. ;; ADDITIONAL SECTION: ns2.magedu.com.33600INA172.18.250.108 ;; Query time: 0 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 13:54:42 CST 2016 ;; MSG SIZE rcvd: 107
作用:用于测试dns系统,因此其不会查询hosts文件
查询选项:
+[no]trace:跟踪解析过程
+[no]recurse:进行递归解析
反向解析:
dig -x IP
# dig -x 202.106.0.20 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -x 202.106.0.20 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47349 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;20.0.106.202.in-addr.arpa.INPTR ;; ANSWER SECTION: 20.0.106.202.in-addr.arpa. 5181INPTRgjjline.bta.net.cn. ;; AUTHORITY SECTION: 106.202.in-addr.arpa.5179INNSns.bta.net.cn. 106.202.in-addr.arpa.5179INNSns2.bta.net.cn. ;; ADDITIONAL SECTION: ns.bta.net.cn.74848INA202.96.0.133 ns2.bta.net.cn.74848INA202.106.196.28 ;; Query time: 3 msec ;; SERVER: 172.18.0.1#53(172.18.0.1) ;; WHEN: Sat Apr 09 14:01:22 CST 2016 ;; MSG SIZE rcvd: 153
模拟完全区域传送:
dig -t axfr DOMAIN [@server]
# dig -t axfr magedu.com. @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t axfr magedu.com. @172.18.250.108 ;; global options: +cmd magedu.com.33600INSOAns1.magedu.com. admin.magedu.com. 2016040801 7200 600 604800 86400 magedu.com.33600INNSns1.magedu.com. magedu.com.33600INNSns2.magedu.com. magedu.com.33600INMX10 mx1.magedu.com. magedu.com.33600INMX15 mx2.magedu.com. mx1.magedu.com.33600INA172.18.250.111 mx2.magedu.com.33600INA172.18.250.112 ns1.magedu.com.33600INA172.18.250.108 ns2.magedu.com.33600INA172.18.250.108 www.magedu.com.33600INA172.18.250.108 magedu.com.33600INSOAns1.magedu.com. admin.magedu.com. 2016040801 7200 600 604800 86400 ;; Query time: 3 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 14:01:58 CST 2016 ;; XFR size: 11 records (messages 1, bytes 266)
host命令:
host [-t RR_TYPE] name SERVER_IP
# host 172.16.0.1 1.0.16.172.in-addr.arpa domain name pointer server.magelinux.com. # host -t A www.magedu.com www.magedu.com has address 101.200.188.230
nslookup命令:
nslookup [-options] [name] [server]
# nslookup www.magedu.com Server:172.18.0.1 Address:172.18.0.1#53 Non-authoritative answer: Name:www.magedu.com Address: 101.200.188.230
rndc命令:named服务控制命令
# rndc status version: 9.9.4-RedHat-9.9.4-29.el7 <id:8f9657aa> CPUs found: 1 worker threads: 1 UDP listeners per interface: 1 number of zones: 102 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is OFF recursive clients: 0/0/1000 tcp clients: 0/100 server is up and running # rndc flush # rndc reload server reload successful
配置一个正向区域
以zhaoxin.com域为例:
1、定义区域
在主配置文件中或主配置文件辅助配置文件中实现;
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
type master;
file "zhaoxin.com.zone";
}; # 注意:区域名字即为域名
2、建立区域数据文件(主要记录为A或AAAA记录等)
在/var/named目录下建立区域数据文件
文件为:/var/named/zhaoxin.com.zone
$TTL 33600 $ORIGIN zhaoxin.com. @ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. ( 2016040801 2H 10M 1W 1D ) IN NS ns1 IN NS ns2 IN MX 10 mx1 IN MX 15 mx2 mx1 IN A 172.18.250.111 mx2 IN A 172.18.250.112 ns1 IN A 172.18.250.108 ns2 IN A 172.18.250.108 www IN A 172.18.250.108
# named-checkzone zhaoxin.com zhaoxin.com.zone zone zhaoxin.com/IN: loaded serial 2016040801 OK # named-checkconf
3、检查配置文件及区域配置文件,修改属组和权限
# chgrp named /var/named/zhaoxin.com.zone # chmod o= /var/named/zhaoxin.com.zone # ll /var/named/zhaoxin.com.zone -rw-r----- 1 root named 293 Apr 9 14:15 /var/named/zhaoxin.com.zone
4、让服务器重载配置文件和区域数据文件:
# rndc reload 或者
# systemctl reload named.service
# rndc reload server reload successful # ss -tnl|grep 53 LISTEN 0 10 172.18.250.108:53 *:* LISTEN 0 128 127.0.0.1:953 *:* LISTEN 0 128 ::1:953 :::*
5、验证
# 注意:此处的172.18.250.108是我本机ip,可以再/etc/resolv.conf中修改dns地址后就可以省略次ip;
# dig -t A www.zhaoxin.com @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.zhaoxin.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39443 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.zhaoxin.com.INA ;; ANSWER SECTION: www.zhaoxin.com.33600INA172.18.250.108 ;; AUTHORITY SECTION: zhaoxin.com.33600INNSns2.zhaoxin.com. zhaoxin.com.33600INNSns1.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.zhaoxin.com.33600INA172.18.250.108 ns2.zhaoxin.com.33600INA172.18.250.108 ;; Query time: 2 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 14:24:01 CST 2016 ;; MSG SIZE rcvd: 128
配置一个反向区域
1、定义区域
在主配置文件中或主配置文件辅助配置文件中实现;
# vim /etc/named.rfc1912.zones
zone "250.18.172.in-addr.arpa" IN {
type master;
file "172.18.250.zone";
}; # 注意:反向区域的名字
2、建立区域数据文件(主要记录为PTR)
在/var/named目录下建立区域数据文件
文件为:/var/named/172.18.250.zone
# vim /var/named/172.18.250.zone $TTL 3600 $ORIGIN 250.18.172.in-addr.arpa. @ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. ( 2016010501 1H 10M 3D 12H ) IN NS ns1.zhaoxin.com. 108 IN PTR ns1.zhaoxin.com. 111 IN PTR mx1.zhaoxin.com. 112 IN PTR mx2.zhaoxin.com. 108 IN PTR www.zhaoxin.com.
3、检查配置文件及区域配置文件,修改属组和权限
# named-checkconf # named-checkzone 250.18.172.in-addr.arpa 172.18.250.zone zone 250.18.172.in-addr.arpa/IN: loaded serial 2016010501 OK
4、让服务器重载配置文件和区域数据文件:
# rndc reload 或者
# systemctl reload named.service
# rndc reload server reload successful # ss -tnl|grep 53 LISTEN 0 10 172.18.250.108:53 *:* LISTEN 0 128 127.0.0.1:953 *:* LISTEN 0 128 ::1:953 :::*
5、验证
# 注意:此处的172.18.250.108是我本机ip,可以再/etc/resolv.conf中修改dns地址后就可以省略次ip;
# dig -x 172.18.250.108 @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 172.18.250.108 @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52168 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;108.250.18.172.in-addr.arpa.INPTR ;; ANSWER SECTION: 108.250.18.172.in-addr.arpa. 3600 INPTRns1.zhaoxin.com. 108.250.18.172.in-addr.arpa. 3600 INPTRwww.zhaoxin.com. ;; AUTHORITY SECTION: 250.18.172.in-addr.arpa. 3600INNSns1.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.zhaoxin.com.33600INA172.18.250.108 ;; Query time: 0 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 14:33:29 CST 2016 ;; MSG SIZE rcvd: 133
六、BIND主从服务器
注意:从服务器是区域级别的概念
主区域配置:可以参照上面的正向区域配置和反向区域配置
配置一个从区域:
On Master配置
注意:
a、确保区域数据文件中为每个从服务配置NS记录,并且在正向区域文件需要每个从服务器的NS记录的主机名配置一个A记录,且此A后面的地址为真正的从服务器的IP地址
b、时间要同步
ntpdate命令
1、添加从dns服务器地址
# vim /var/named/zhaoxin.com.zone $TTL 33600 $ORIGIN zhaoxin.com. @ INSOAns1.zhaoxin.com.admin.zhaoxin.com. ( 2016040801 2H 10M 1W 1D ) INNSns1 IN NSns2 INMX 10 mx1 INMX 15 mx2 ns1INA172.18.250.108 ns2INA172.18.250.28 mx1INA172.18.250.111 mx2INA172.18.250.112 wwwINA172.18.250.108 # vim /var/named/172.18.250.zone # cat /var/named/172.18.250.zone $TTL 3600 $ORIGIN 250.18.172.in-addr.arpa. @ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. ( 2016010501 1H 10M 3D 12H ) IN NS ns1.zhaoxin.com. IN NS ns2.zhaoxin.com. 108 IN PTR ns1.zhaoxin.com. 28 IN PTR ns2.zhaoxin.com. 111 IN PTR mx1.zhaoxin.com. 112 IN PTR mx2.zhaoxin.com. 108 IN PTR www.zhaoxin.com.
2、同步时间
# 我本地有时间服务器,如果没有时间服务器的可以去网络上搜一下,保证两台服务器时间一直就好
# ntpdate 172.18.0.19 Apr 15:00:52 ntpdate[3721]: step time server 172.18.0.1 offset -5.768812 sec
3、重载配置
# rndc reload server reload successful
On Slav配置
1、定义区域
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
type slave;
file "slaves/zhaoxin.com.zone";
masters { 172.18.250.108; };
};
zone "250.18.172.in-addr.arpa" IN {
type slave;
file "slaves/172.18.250.zone";
masters { 172.18.250.108; };
};2、同步时间并修改配置文件
# ntpdate 172.18.0.1
9 Apr 15:11:57 ntpdate[1772]: step time server 172.18.0.1 offset -5.583571 sec
# vim /etc/named.conf
listen-on port 53 { 172.18.250.28; };3、重载配置
# rndc reload server reload successful # ll /var/named/slaves/ total 8 -rw-r--r-- 1 named named 500 Apr 9 15:09 172.18.250.zone -rw-r--r-- 1 named named 476 Apr 9 15:09 zhaoxin.com.zone
# 此处可以看到,文件已经同步过来,下面进行测试
# 注意,在Centos 7中同步数据是加密的,所以不能查看文件内容
# dig -t A www.zhaoxin.com @172.18.250.28 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.zhaoxin.com @172.18.250.28 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35060 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.zhaoxin.com.INA ;; ANSWER SECTION: www.zhaoxin.com.33600INA172.18.250.108 ;; AUTHORITY SECTION: zhaoxin.com.33600INNSns2.zhaoxin.com. zhaoxin.com.33600INNSns1.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.zhaoxin.com.33600INA172.18.250.108 ns2.zhaoxin.com.33600INA172.18.250.28 ;; Query time: 1 msec ;; SERVER: 172.18.250.28#53(172.18.250.28) ;; WHEN: Sat Apr 09 15:15:13 CST 2016 ;; MSG SIZE rcvd: 128
4、添加新记录并测试测试
ON master:
ON Slave:
# 注意:slave上面没有进行任何操作就可以解析到。
# dig -t A bbs.zhaoxin.com @172.18.250.28 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A bbs.zhaoxin.com @172.18.250.28 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53442 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;bbs.zhaoxin.com.INA ;; ANSWER SECTION: bbs.zhaoxin.com.33600INA172.18.250.66 ;; AUTHORITY SECTION: zhaoxin.com.33600INNSns1.zhaoxin.com. zhaoxin.com.33600INNSns2.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.zhaoxin.com.33600INA172.18.250.108 ns2.zhaoxin.com.33600INA172.18.250.28 ;; Query time: 1 msec ;; SERVER: 172.18.250.28#53(172.18.250.28) ;; WHEN: Sat Apr 09 15:20:19 CST 2016 ;; MSG SIZE rcvd: 128
七、子域授权和DNS转发
1、子域配置
主域服务器配置:
# vim /var/named/zhaoxin.com.zone $TTL 33600 $ORIGIN zhaoxin.com. @ IN SOA ns1.zhaoxin.com. admin.zhaoxin.com. ( 2016040803 2H 10M 1W 1D ) IN NS ns1 IN NS ns2 IN MX 10 mx1 IN MX 15 mx2 ns1 IN A 172.18.250.108 ns2 IN A 172.18.250.28 mx1 IN A 172.18.250.111 mx2 IN A 172.18.250.112 www IN A 172.18.250.108 bbs IN A 172.18.250.66 ops IN NS ns1.ops ns1 IN A 172.18.17.24 # rndc reload server reload successful
子域服务器配置:
a、修改配置文件
# vim /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; 172.18.17.24; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
#allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
# vim /etc/named.rfc1912.zones
zone "ops.zhaoxin.com" IN {
type master;
file "ops.zhaoxin.com.zone";
};b、修改区域文件
# vim /var/named/ops.zhaoxin.com.zone $TTL 33600 $ORIGIN ops.zhaoxin.com. @ IN SOA ns1.ops.zhaoxin.com. admin.ops.zhaoxin.com. ( 2016040803 2H 10M 1W 1D ) IN NS ns1 ns1 IN A 172.18.17.24 www IN A 172.18.17.24
c、修改权限
# chown .named ops.zhaoxin.com.zone # chmod o= ops.zhaoxin.com.zone
d、启动服务并测试
# systemctl start named.service # ss -tnl|grep 53 LISTEN 0 10 172.18.17.24:53 *:* LISTEN 0 10 127.0.0.1:53 *:* LISTEN 0 128 127.0.0.1:953 *:* LISTEN 0 10 ::1:53 :::* LISTEN 0 128 ::1:953 :::*
通过子域测试
# dig -t A www.ops.zhaoxin.com @172.18.17.24 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.ops.zhaoxin.com @172.18.17.24 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46104 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.ops.zhaoxin.com.INA ;; ANSWER SECTION: www.ops.zhaoxin.com.33600INA172.18.17.24 ;; AUTHORITY SECTION: ops.zhaoxin.com.33600INNSns1.ops.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.ops.zhaoxin.com.33600INA172.18.17.24 ;; Query time: 0 msec ;; SERVER: 172.18.17.24#53(172.18.17.24) ;; WHEN: Sat Apr 09 16:47:49 CST 2016 ;; MSG SIZE rcvd: 98
通过主域测试
# dig -t A www.ops.zhaoxin.com @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> -t A www.ops.zhaoxin.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3566 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.ops.zhaoxin.com.INA ;; ANSWER SECTION: www.ops.zhaoxin.com.33600INA172.18.17.24 ;; AUTHORITY SECTION: ops.zhaoxin.com.33600INNSns1.ops.zhaoxin.com. ;; ADDITIONAL SECTION: ns1.ops.zhaoxin.com.33600INA172.18.17.24 ;; Query time: 3 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 16:50:05 CST 2016 ;; MSG SIZE rcvd: 98
2、dns转发
dns转发,一般指向外网的dns服务器,当本地没有记录时会向外网dns服务器发起查询请求。
注意:被转发的服务器必须允许为当前服务做递归;
(1) 区域转发:仅转发对某特定区域的解析请求;
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { SERVER_IP; };
};
first:首先转发;转发器不响应时,自行去迭代查询;
only:只转发;
(2) 全局转发:针对凡本地没有通过zone定义的区域查询请求,通通转给某转发器;
options {
... ...
forward {only|first};
forwarders { SERVER_IP; };
.. ...
};
a、首先用本地查询www.baidu.com(此时没有做dns转发)
# dig -t A www.baidu.com @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 24127 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com.INA ;; Query time: 1 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 16:53:02 CST 2016 ;; MSG SIZE rcvd: 42
b、配置dns转发
添加forward
# vim /etc/named.conf
options {
listen-on port 53 { 172.18.250.108; };
//listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
forward {only};
forwarders { 172.18.0.1; };检查配置文件并重载配置:
# named-checkconf # rndc reload server reload successful
测试:
# dig -t A www.baidu.com @172.18.250.108 ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1855 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com.INA ;; ANSWER SECTION: www.baidu.com.179INCNAMEwww.a.shifen.com. www.a.shifen.com.128INA61.135.169.121 www.a.shifen.com.128INA61.135.169.125 ;; AUTHORITY SECTION: a.shifen.com.1028INNSns3.a.shifen.com. a.shifen.com.1028INNSns5.a.shifen.com. a.shifen.com.1028INNSns4.a.shifen.com. a.shifen.com.1028INNSns2.a.shifen.com. a.shifen.com.1028INNSns1.a.shifen.com. ;; ADDITIONAL SECTION: ns5.a.shifen.com.1028INA119.75.222.17 ns4.a.shifen.com.1028INA115.239.210.176 ns3.a.shifen.com.1028INA61.135.162.215 ns2.a.shifen.com.1028INA180.149.133.241 ns1.a.shifen.com.1028INA61.135.165.224 ;; Query time: 1 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 09 17:02:11 CST 2016 ;; MSG SIZE rcvd: 271
八、BIND安全相关配置(acl)
acl:访问控制列表:把一个或多个地址归并一个命名的集合,随后通过次名称即可对此集全内的所有主机实现统一调用
acl acl_bame {
ip;
net/prelen;
};
示例:
acl mynet {
172.18.0.0/16;
127.0.0.0/8;
};
bind有四个内置的acl
none:没有一个主机;
any:任意主机;
local:本机;
localnet:本机所在的IP所属的网络;
访问控制指令:
allow-query {}; 允许查询的主机;白名单;
allow-transfer {}; 允许向哪些主机做区域传送;默认为向所有主机;应该配置仅允许从服务器;
allow-recursion {}; 允许哪此主机向当前DNS服务器发起递归查询请求;
allow-update {}; DDNS,允许动态更新区域数据库文件中内容;
测试:
1、修改文件,仅允许172.16.0.0/16网段可查询
# vim /etc/named.rfc1912.zones
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
# vim /etc/named.rfc1912.zones
zone "zhaoxin.com" IN {
type master;
file "zhaoxin.com.zone";
acl-query { mynet; };
};
# systemctl restart named测试是否能解析
# ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:0C:29:69:45:7B inet addr:172.18.4.2 Bcast:172.18.255.255 Mask:255.255.0.0 inet6 addr: fe80::20c:29ff:fe69:457b/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2750 errors:0 dropped:0 overruns:0 frame:0 TX packets:329 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:467611 (456.6 KiB) TX bytes:33023 (32.2 KiB) # dig -t A www.zhaoxin.com @172.18.250.108 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.zhaoxin.com @172.18.250.108 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5215 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.zhaoxin.com.INA ;; Query time: 4 msec ;; SERVER: 172.18.250.108#53(172.18.250.108) ;; WHEN: Sat Apr 9 15:37:15 2016 ;; MSG SIZE rcvd: 33
# 可以看出此服务器不在规定范围内,不能解析
2、修改为18网段测试是否能够解析
