Introduction to DNS: DNS (Domain Name System) is a distributed, hierarchical naming architecture for hosts. By configuring a DNS server address, a host can resolve domain names to IP addresses and thereby reach services on the network. DNS is an inverted tree: at the top are the root servers, which delegate the top-level domains; each top-level domain's servers delegate the second-level domains beneath it, and so on down the tree. Its structure is shown in the figure below (figure not reproduced in this text).
DNS resolution process: how a host name is resolved to an IP address, assuming the name being queried is www.enterda.com:
- The client checks its local hosts file first. If it contains a matching entry, that answer is used; otherwise continue with the next step.
- The client sends the query to its configured DNS server (NS1). NS1 looks in its cache and, if it holds a matching record, returns it to the client; otherwise continue with the next step.
- NS1 queries a root server. The root server does not know www.enterda.com, but refers NS1 to the .com servers and supplies their addresses.
- NS1 queries a .com server, which refers NS1 to the enterda.com name servers and supplies their addresses.
- NS1 queries the enterda.com server, which looks up its own zone data and returns the IP address of www.enterda.com to NS1.
- NS1 caches the answer locally (for as long as the record's TTL allows) and returns it to the client. Two kinds of query appear in this flow: the query from the client to NS1 is recursive (the client asks for a final answer and leaves the work to NS1), while NS1's queries to the root, .com and enterda.com servers are iterative (each server either answers or refers NS1 to the next server). The query process is shown in the figure below (figure source: DNS解析过程; not reproduced in this text).
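The messages exchanged in the flow above, as an added example that is not part of the original page: build_query() produces the packet the client sends to NS1, parse_response() decodes a reply, and interpret() decides whether the reply is a final answer or a referral (NS records in the AUTHORITY section plus their glue A records in ADDITIONAL) to the next server. build_sample_referral() constructs, rather than captures, the .com server's referral for www.enterda.com; the names and the address 192.168.52.100 are taken from this page, the TTL of 172800 and the transaction id are assumptions. The parser rejects forward-pointing compression pointers and out-of-bounds rdata, which is what keeps a hostile reply from looping or over-reading the decoder, and interpret() only trusts glue that lies inside the delegated zone.

```python
# Added example (not the page's own code): the wire format behind the resolution
# flow above. build_sample_referral() is a constructed .com referral, not a capture;
# ns1.enterda.com / 192.168.52.100 are the values used elsewhere on this page.
import socket
import struct

TYPE_A, TYPE_NS, TYPE_CNAME = 1, 2, 5

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=TYPE_A, txid=0x1234, rd=True):
    """12-byte header plus question; RD=1 asks NS1 to recurse, NS1 itself sends RD=0."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    labels = []
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off:  # RFC 1035 pointers point backwards; this also rules out loops
                raise ValueError("forward compression pointer at offset %d" % off)
            tail, _ = decode_name(msg, ptr)
            return ((".".join(labels) + "." + tail) if labels else tail), off + 2
        off += 1
        if ln == 0:
            return ".".join(labels) + ".", off
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln

def decode_rr(msg, off):
    name, off = decode_name(msg, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    if off + rdlen > len(msg):
        raise ValueError("rdata runs past end of message")
    value = msg[off:off + rdlen].hex()  # unknown types: raw rdata
    if rtype == TYPE_A and rdlen == 4:
        value = socket.inet_ntoa(msg[off:off + 4])
    elif rtype in (TYPE_NS, TYPE_CNAME):
        value, _ = decode_name(msg, off)  # names in rdata may point back into msg
    return (name, rtype, ttl, value), off + rdlen

def parse_response(msg):
    """{'rcode', 'aa', 'answer', 'authority', 'additional'}; each RR is (name, type, ttl, value)."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    resp = {"rcode": flags & 0xF, "aa": bool(flags & 0x0400)}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        resp[section] = []
        for _ in range(count):
            rr, off = decode_rr(msg, off)
            resp[section].append(rr)
    return resp

def interpret(resp):
    """('answer', ips) | ('referral', server ips) | ('referral_needs_lookup', ns names) | ('none', [])"""
    ips = [v for _, t, _, v in resp["answer"] if t == TYPE_A]
    if ips:
        return "answer", ips
    ns = [(zone, v) for zone, t, _, v in resp["authority"] if t == TYPE_NS]
    # in-bailiwick only: glue for names outside the delegated zone is how forged replies plant addresses
    glue = {name: v for name, t, _, v in resp["additional"]
            if t == TYPE_A and any(name.endswith("." + zone) for zone, _ in ns)}
    servers = [glue[name] for _, name in ns if name in glue]
    if servers:
        return "referral", servers
    return ("referral_needs_lookup", [name for _, name in ns]) if ns else ("none", [])

def build_sample_referral():
    """Constructed .com reply: NS for enterda.com in AUTHORITY, its glue A in ADDITIONAL."""
    question = build_query("www.enterda.com")[12:]  # question name starts at offset 12
    header = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, 1, 1)  # QR=1, 1 authority, 1 additional
    p_enterda = struct.pack("!H", 0xC000 | 16)  # "enterda.com" begins at 12 + len(b"\x03www")
    auth = p_enterda + struct.pack("!HHIH", TYPE_NS, 1, 172800, 6) + b"\x03ns1" + p_enterda
    ns1_off = 12 + len(question) + 12  # offset of "ns1.enterda.com" written in auth above
    extra = struct.pack("!H", 0xC000 | ns1_off) + struct.pack("!HHIH", TYPE_A, 1, 172800, 4)
    return header + question + auth + extra + socket.inet_aton("192.168.52.100")

def query_server(name, server, qtype=TYPE_A, timeout=3.0):
    # live use: one iterative (RD=0) UDP query; replies with a different txid are dropped
    q = build_query(name, qtype, rd=False)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data = s.recv(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return parse_response(data)
```

interpret(parse_response(build_sample_referral())) yields ('referral', ['192.168.52.100']), i.e. the next server NS1 has to ask. To watch the real walk, call query_server('www.enterda.com', <address of a root or .com server>) and feed each reply to interpret(): every ('referral', [...]) result names the servers for the next iteration, which is exactly the loop NS1 runs; dig +trace prints the same sequence.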
DNS resource records: DNS uses port 53 over both UDP and TCP (UDP for ordinary queries; TCP for zone transfers and for answers too large for a UDP datagram). During resolution the server looks up resolution records, which together form the DNS database; lookups run in two directions. Forward lookup: domain name to IP address. Reverse lookup: IP address to domain name. The set of records belonging to one domain is called a zone. A zone holds many resource records (RRs) of types such as A, AAAA, PTR, SOA, NS, CNAME and MX:
SOA: start of authority, the record that opens every zone.
NS: a name server for the zone.
A: address, followed by an IPv4 address.
AAAA: IPv6 address.
PTR: pointer, the reverse mapping from an address back to a host name.
CNAME: canonical name, i.e. a host alias.
MX: mail exchanger, the zone's mail server(s).
Resource record (RR) format:
name [TTL] IN rr_type value
SOA:
enterda.com. 86400 IN SOA ns.enterda.com. nsadmin.enterda.com. (
    2019070301 ; serial number
    2H         ; refresh interval
    10M        ; retry interval
    1W         ; expire time
    1D         ; negative-answer TTL (how long a "no such name" answer is cached)
)
Field meanings:
enterda.com.: name of the current zone
86400: TTL
ns.enterda.com.: the zone's primary name server
nsadmin.enterda.com.: the administrator's e-mail address, with the @ written as a dot (nsadmin@enterda.com)
NS:
enterda.com. IN NS ns1.enterda.com.
enterda.com. IN NS ns2.enterda.com.
MX (the number is the preference; lower values are tried first):
enterda.com. IN MX 10 mx1.enterda.com.
enterda.com. IN MX 20 mx2.enterda.com.
A:
www.enterda.com. IN A 1.1.1.1
linux.enterda.com. IN A 1.1.1.2
PTR:
4.3.2.1.in-addr.arpa. IN PTR oa.enterda.com.
which, inside the 3.2.1.in-addr.arpa zone file, can be abbreviated to:
4 IN PTR oa.enterda.com.
CNAME:
web.enterda.com. IN CNAME www.enterda.com.
(Names without a trailing dot are relative to the zone origin, so web written without the dot means web.enterda.com. inside the enterda.com zone but web.enterda.com.enterda.com. if the full name is given without the final dot.)
Installing and deploying a DNS server:
1. Install the DNS server packages: bind, bind-libs, bind-utils
2. Relevant configuration files
Main configuration files: /etc/named.conf and /etc/named.rfc1912.zones
Zone database directory: /var/named
Unit file: /usr/lib/systemd/system/named.service
Daemon binary: /usr/sbin/named
Edit the main configuration file, /etc/named.conf:
vi /etc/named.conf
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query {any; };
recursion yes;
//forward only;
//forwarders {
//8.8.8.8;
//114.114.114.114;
//};  // the closing brace must be commented out as well, otherwise it ends the options block here
//dnssec-enable yes;
//dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
With allow-query { any; }; and recursion yes; this server answers recursive queries from any address, i.e. it is an open resolver; the comment in the stock named.conf (reproduced in the master/slave section) explains why that turns a publicly reachable server into a DNS amplification reflector. If the server has to recurse, limit recursion to your own clients with allow-recursion { 192.168.52.0/24; }; (or an acl), and set recursion no; on a server that is purely authoritative.
Add the following to /etc/named.rfc1912.zones:
zone "enterda.com" IN {
    type master;
    file "enterda.com";
};
zone "52.168.192.in-addr.arpa" IN {
    type master;
    file "named.192.168.52";
};
Forward zone file (/var/named/enterda.com):
$TTL 1D
$ORIGIN enterda.com.
enterda.com.        IN SOA   ns1.enterda.com. nsadmin.enterda.com. (
                             2015040101 1H 10M 1W 1D )
enterda.com.        IN NS    ns1.enterda.com.
ns1.enterda.com.    IN A     192.168.52.100
www                 IN A     192.168.52.101
enterda.com.        IN MX    10 mail.enterda.com.
mail.enterda.com.   IN A     192.168.52.234
web                 IN CNAME www
Reverse zone file (/var/named/named.192.168.52):
$TTL 1D
@       IN SOA  ns1.enterda.com. nsadmin.enterda.com. ( 2015040101 1H 10M 1W 1D )
@       IN NS   ns1.enterda.com.
100     IN PTR  ns1.enterda.com.
101     IN PTR  www.enterda.com.
234     IN PTR  mail.enterda.com.
Testing the DNS server: check the syntax before (re)starting named, because a bad zone file makes named refuse to load that zone and a bad named.conf keeps it from starting at all:
named-checkconf /etc/named.conf
named-checkzone enterda.com /var/named/enterda.com
named-checkzone 52.168.192.in-addr.arpa /var/named/named.192.168.52
Then query it:
dig [-t type] name @SERVER        # forward lookup
dig -x IP @SERVER                 # reverse lookup
dig -t axfr ZONE_NAME @SERVER     # simulate a zone transfer
host -a name SERVER
nslookup name SERVER
The zone statements above carry no allow-transfer, and older BIND 9 releases (the 9.9 and 9.11 series among them) then allow transfers to any host, so the axfr query succeeds from anywhere and lists the whole zone. The master/slave section below restricts it; once it is restricted, the same query from an address that is not listed ends with "; Transfer failed.".
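The record format from the resource-record section and the zone files just shown, parsed and cross-checked by an added example that is not part of the original page: parse_zone() reads the BIND zone-file syntax used throughout this page ($TTL and $ORIGIN, the @ shorthand, relative owner names such as www or 100, an optional TTL field, time units like 1D and 10M, and a multi-line SOA in parentheses), and lint() reports three things a practitioner checks before reloading: A records without a matching PTR, PTR records without a matching A, and NS or MX targets inside the zone that have no A record (the glue that the delegation section further down depends on). The embedded zone text is copied from the two files above; it is not read from /var/named.

```python
# Added example, not the page's own code: parser and linter for the RR format above.
# FORWARD_ZONE / REVERSE_ZONE are copied from this page's enterda.com zone files.
import ipaddress
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX"}
TTL_RE = re.compile(r"(\d+)([smhdwSMHDW]?)")

def parse_ttl(text):
    """'1D' -> 86400, '2H' -> 7200, '3600' -> 3600 (also parses the SOA serial)."""
    m = TTL_RE.fullmatch(text)
    if not m:
        raise ValueError("bad TTL %r" % text)
    return int(m.group(1)) * UNITS[m.group(2).lower() or "s"]

def absolute(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to the origin
    return origin if name == "@" else name if name.endswith(".") else "%s.%s" % (name, origin)

def logical_lines(text):
    # drop ';' comments and fold '( ... )' continuation lines into one logical line
    out, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out

def parse_zone(text, origin):
    """Return [(owner, ttl, type, rdata)] with every name made absolute."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, origin, []
    for line in logical_lines(text):
        f = line.split()
        if not f:
            continue
        if f[0] == "$TTL":
            default_ttl = parse_ttl(f[1])
            continue
        if f[0] == "$ORIGIN":
            origin = absolute(f[1], origin)
            continue
        # a line that starts with whitespace omits the owner and reuses the previous one
        owner = last_owner if line[0].isspace() else absolute(f.pop(0), origin)
        last_owner = owner
        ttl = parse_ttl(f.pop(0)) if f and TTL_RE.fullmatch(f[0]) else default_ttl
        if f and f[0] == "IN":
            f.pop(0)
        if not f or f[0] not in TYPES:
            raise ValueError("unsupported record %r" % line)
        rtype, rd = f[0], f[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rd = [absolute(rd[0], origin)]
        elif rtype == "MX":
            rd = [int(rd[0]), absolute(rd[1], origin)]
        elif rtype == "SOA":  # mname rname serial refresh retry expire negative-ttl
            rd = [absolute(rd[0], origin), absolute(rd[1], origin)] + [parse_ttl(x) for x in rd[2:7]]
        records.append((owner, ttl, rtype, rd))
    return records

def ptr_owner(ip):
    # '192.168.52.101' -> '101.52.168.192.in-addr.arpa.'
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lint(forward, reverse):
    """A without PTR, PTR without A, and in-zone NS/MX targets lacking an A (glue) record."""
    apex = next(o for o, _, t, _ in forward if t == "SOA")
    a = {(o, rd[0]) for o, _, t, rd in forward if t == "A"}
    ptr = {(rd[0], o) for o, _, t, rd in reverse if t == "PTR"}
    problems = []
    for host, ip in sorted(a):
        if (host, ptr_owner(ip)) not in ptr:
            problems.append("A %s %s has no PTR" % (host, ip))
    for host, rev in sorted(ptr):
        if not any(h == host and ptr_owner(ip) == rev for h, ip in a):
            problems.append("PTR %s -> %s has no matching A" % (rev, host))
    for _, _, t, rd in forward:
        if t in ("NS", "MX") and rd[-1].endswith("." + apex) and rd[-1] not in {h for h, _ in a}:
            problems.append("%s target %s needs an A (glue) record" % (t, rd[-1]))
    return problems

FORWARD_ZONE = """\
$TTL 1D
$ORIGIN enterda.com.
enterda.com.        IN SOA ns1.enterda.com. nsadmin.enterda.com. (
                    2015040101 1H 10M 1W 1D )
enterda.com.        IN NS  ns1.enterda.com.
ns1.enterda.com.    IN A   192.168.52.100
www                 IN A   192.168.52.101
enterda.com.        IN MX  10 mail.enterda.com.
mail.enterda.com.   IN A   192.168.52.234
web                 IN CNAME www
"""
REVERSE_ZONE = """\
$TTL 1D
@   IN SOA ns1.enterda.com. nsadmin.enterda.com. ( 2015040101 1H 10M 1W 1D )
@   IN NS  ns1.enterda.com.
100 IN PTR ns1.enterda.com.
101 IN PTR www.enterda.com.
234 IN PTR mail.enterda.com.
"""
```

lint(parse_zone(FORWARD_ZONE, "enterda.com"), parse_zone(REVERSE_ZONE, "52.168.192.in-addr.arpa")) returns an empty list for the files above; change one address in only one of the two files and it reports the mismatch from both sides, and deleting the A record of ns1.enterda.com makes it flag the NS target as missing glue. Run it over the real files with open("/var/named/enterda.com").read() before named-checkzone and the reload.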
DNS master/slave replication:
Master server configuration:
vi /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the following to /etc/named.rfc1912.zones. allow-transfer restricts zone transfers (AXFR/IXFR) to the slave's address; without it, older BIND 9 releases hand the whole zone to any host that asks for it:
zone "enterda.com" IN {
    type master;
    file "enterda.com";
    allow-transfer { 192.168.52.101; };
};
zone "52.168.192.in-addr.arpa" IN {
    type master;
    file "named.192.168.52";
    allow-transfer { 192.168.52.101; };
};
Forward zone file changes (the slave becomes a second NS for the zone and gets an A record):
$TTL 1D
$ORIGIN enterda.com.
enterda.com.        IN SOA   ns1.enterda.com. nsadmin.enterda.com. (
                             2015040101 1H 10M 1W 1D )
enterda.com.        IN NS    ns1.enterda.com.
enterda.com.        IN NS    slave.enterda.com.
ns1.enterda.com.    IN A     192.168.52.100
slave.enterda.com.  IN A     192.168.52.101
www                 IN A     192.168.52.101
enterda.com.        IN MX    10 mail.enterda.com.
mail.enterda.com.   IN A     192.168.52.100
web                 IN CNAME www
Reverse zone file changes:
$TTL 86400
@       IN SOA  ns1.enterda.com. nsadmin.enterda.com. ( 2015040101 1H 10M 1W 1D )
@       IN NS   ns1.enterda.com.
@       IN NS   slave.enterda.com.
100     IN PTR  ns1.enterda.com.
101     IN PTR  slave.enterda.com.
101     IN PTR  www.enterda.com.
A slave transfers a zone only when the master's SOA serial is higher than the serial in its own copy, so increase the serial (2015040101 above) every time a zone file is edited; with an unchanged serial the slave keeps answering from its stale copy. Where the slave is reached over an untrusted network, BIND can additionally authenticate transfers with a TSIG key (a key statement plus allow-transfer { key ...; }).
Slave server configuration:
vi /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the following to /etc/named.rfc1912.zones. The slave's copies are written under /var/named/slaves, the directory named is allowed to write to (on SELinux systems it carries the named_cache_t context, whereas /var/named itself is named_zone_t and read-only for the daemon):
zone "enterda.com" IN {
    type slave;
    file "slaves/enterda.com";
    masters { 192.168.52.100; };
};
zone "52.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/named.192.168.52";
    masters { 192.168.52.100; };
};
After restarting named on the slave, check that the transferred files appear under /var/named/slaves and that dig -t soa enterda.com @192.168.52.101 returns the same serial as the master.
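Two checks a practitioner runs after the master/slave setup above, as an added example that is not part of the original page: whether the slave actually holds the master's serial (compared with RFC 1982 serial arithmetic, the same wrap-around-safe comparison a slave uses to decide that a transfer is needed), and whether a zone transfer is refused from a host that allow-transfer does not list. The parsing and comparison functions work on dig output and run offline; the check_* functions run dig (from bind-utils, assumed to be in PATH) against live servers. The SAMPLE_* strings are constructed dig output for the enterda.com zone, not captures from a real server.

```python
# Added example (not the page's own code): checks for the master/slave setup
# above. serial_gt/parse_soa_serial/axfr_allowed work on dig output; the
# check_* functions run dig (bind-utils) via subprocess against live servers.
# The SAMPLE_* strings are constructed dig output, not real captures.
import subprocess

def serial_gt(a, b):
    """RFC 1982 serial arithmetic: True when 32-bit serial a is newer than b.
    This is the comparison a slave makes; it survives the wrap from 4294967295 to 0."""
    return 0 < (a - b) % (1 << 32) < (1 << 31)

def parse_soa_serial(dig_short_output):
    """Serial from `dig +short SOA zone @server` (mname rname serial refresh retry expire minimum)."""
    for line in dig_short_output.splitlines():
        fields = line.split()
        if len(fields) == 7:
            return int(fields[2])
    raise ValueError("no SOA record in dig output: %r" % dig_short_output)

def axfr_allowed(dig_axfr_output):
    """True if `dig axfr zone @server` listed records, False if the server refused the transfer."""
    if "Transfer failed" in dig_axfr_output:
        return False
    return any(line and not line.startswith(";") for line in dig_axfr_output.splitlines())

def replication_state(master_serial, slave_serial):
    """'in sync', 'slave behind' (transfer pending or failing) or 'slave ahead'
    (someone edited the slave's copy, or the master's serial went backwards)."""
    if master_serial == slave_serial:
        return "in sync"
    return "slave behind" if serial_gt(master_serial, slave_serial) else "slave ahead"

def dig(*args):
    """Run dig with a short timeout and return its stdout (empty when the server is unreachable)."""
    cmd = ["dig", "+time=3", "+tries=1", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout

def check_replication(zone, master, slave):
    """Live: compare the SOA serial the master and the slave currently serve."""
    m = parse_soa_serial(dig("+short", "SOA", zone, "@" + master))
    s = parse_soa_serial(dig("+short", "SOA", zone, "@" + slave))
    return {"master": m, "slave": s, "state": replication_state(m, s)}

def check_transfer_acl(zone, server):
    """Live: attempt a zone transfer from this host; it should succeed only from addresses in allow-transfer."""
    return axfr_allowed(dig("axfr", zone, "@" + server))

# Constructed samples of dig output for the zone used on this page.
SAMPLE_SOA_MASTER = "ns1.enterda.com. nsadmin.enterda.com. 2015040102 3600 600 604800 86400\n"
SAMPLE_SOA_SLAVE = "ns1.enterda.com. nsadmin.enterda.com. 2015040101 3600 600 604800 86400\n"
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.11 <<>> axfr enterda.com @192.168.52.100
;; global options: +cmd
; Transfer failed.
"""
SAMPLE_AXFR_OK = """\
; <<>> DiG 9.11 <<>> axfr enterda.com @192.168.52.100
;; global options: +cmd
enterda.com.\t86400\tIN\tSOA\tns1.enterda.com. nsadmin.enterda.com. 2015040102 3600 600 604800 86400
enterda.com.\t86400\tIN\tNS\tns1.enterda.com.
www.enterda.com.\t86400\tIN\tA\t192.168.52.101
enterda.com.\t86400\tIN\tSOA\tns1.enterda.com. nsadmin.enterda.com. 2015040102 3600 600 604800 86400
"""

if __name__ == "__main__":
    import sys
    zone, master, slave = sys.argv[1:4]  # e.g. enterda.com 192.168.52.100 192.168.52.101
    print(check_replication(zone, master, slave))
    print("AXFR from this host allowed:", check_transfer_acl(zone, master))
```

Save it as, say, check_sync.py and run python3 check_sync.py enterda.com 192.168.52.100 192.168.52.101 twice: from the slave itself, where the transfer check should print True, and from any other host, where it should print False. A state of "slave behind" that does not clear within the SOA refresh interval usually means the serial was not increased or the transfer is being refused; the master's log names which.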
Subdomain delegation
Parent zone configuration: ops.enterda.com is delegated to its own name server. The NS record hands the subdomain over, and the A record for ns1.ops.enterda.com is the glue record: the server's name lies inside the very zone it serves, so without the glue a resolver would have no way to find its address. Increase the serial as well so that the slave picks up the delegation.
$TTL 1D
$ORIGIN enterda.com.
enterda.com.            IN SOA   ns1.enterda.com. nsadmin.enterda.com. (
                                 2015040101 1H 10M 1W 1D )
enterda.com.            IN NS    ns1.enterda.com.
enterda.com.            IN NS    slave.enterda.com.
ops.enterda.com.        IN NS    ns1.ops.enterda.com.
ns1.enterda.com.        IN A     192.168.52.100
slave.enterda.com.      IN A     192.168.52.101
www                     IN A     192.168.52.101
enterda.com.            IN MX    10 mail.enterda.com.
mail.enterda.com.       IN A     192.168.52.100
web                     IN CNAME www
ns1.ops.enterda.com.    IN A     192.168.50.100
Child (subdomain) name server configuration:
vi /etc/named.conf
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query {any; };
recursion yes;
//forward only;
//forwarders {
//8.8.8.8;
//114.114.114.114;
//};  // the closing brace must be commented out as well, otherwise it ends the options block here
//dnssec-enable yes;
//dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the following to /etc/named.rfc1912.zones:
zone "ops.enterda.com" IN {
    type master;
    file "ops.enterda.com";
};
zone "50.168.192.in-addr.arpa" IN {
    type master;
    file "named.ops.192.168.50";
};
Forward zone file ops.enterda.com (www lives in the subdomain's own subnet, 192.168.50.101, matching the PTR record below):
$TTL 1D
$ORIGIN ops.enterda.com.
ops.enterda.com.        IN SOA   ns1.ops.enterda.com. nsadmin.ops.enterda.com. (
                                 2015040101 1H 10M 1W 1D )
ops.enterda.com.        IN NS    ns1.ops.enterda.com.
ns1.ops.enterda.com.    IN A     192.168.50.100
www                     IN A     192.168.50.101
ops.enterda.com.        IN MX    10 mail.ops.enterda.com.
mail.ops.enterda.com.   IN A     192.168.50.234
web                     IN CNAME www
Reverse zone file named.ops.192.168.50:
$TTL 1D
@       IN SOA  ns1.ops.enterda.com. nsadmin.ops.enterda.com. ( 2015040101 1H 10M 1W 1D )
@       IN NS   ns1.ops.enterda.com.
100     IN PTR  ns1.ops.enterda.com.
101     IN PTR  www.ops.enterda.com.
234     IN PTR  mail.ops.enterda.com.
Starting, stopping and restarting the DNS server:
systemctl start|stop|restart named.service
To verify the delegation, ask the parent server for a name in the subdomain, e.g. dig www.ops.enterda.com @192.168.52.100: with recursion enabled the parent follows its own delegation and returns the answer; with recursion disabled it returns a referral to ns1.ops.enterda.com in the AUTHORITY section instead.
This completes the DNS service, master/slave replication and subdomain delegation.
Notes: while configuring and testing it is tempting to turn off the firewall, iptables and SELinux:
systemctl stop firewalld
systemctl stop iptables
setenforce 0
Do that only on a lab machine. On any server other hosts can reach, leave both on: permit DNS through firewalld instead (firewall-cmd --permanent --add-service=dns; firewall-cmd --reload), which opens 53/udp and 53/tcp, and keep SELinux enforcing, which works with the layout above as long as the zone files keep their default contexts under /var/named (run restorecon -Rv /var/named after copying files in from elsewhere). When named refuses to start, named-checkconf and journalctl -u named point at the offending line.