====DNS server====
uplooking.com
126.com
sina.com
yahoo.com
===Name space: how hosts on the Internet are named
DNS data is a hierarchical, distributed database.
Authoritative name server:
stores and serves the actual data of a zone. For example, the DNS server for the 126.com zone holds the records of every host in 126.com, such as:
www.126.com. x.x.x.x
ftp.126.com. y.y.y.y
==Types of authoritative name server:
Master: primary DNS server, holds the original zone data
Slave: backup DNS server, obtains a copy of the zone data from the Master through a (zone transfer)
Non-authoritative name server / recursive DNS server:
does (not) store the actual data of any zone
Caching only: caching-only DNS server; it answers queries, but its answers are not authoritative
====DNS query flow (www.126.com)
client:
1. The client checks its own cache (including the entries in hosts), then sends the query to the DNS server listed in /etc/resolv.conf
DNS Server:
2. If the DNS server is authoritative for the requested information, it sends an (authoritative answer) to the client
authoritative answer: positive or negative
3. Otherwise (not authoritative), if the DNS server has the requested information in its cache, it sends a (non-authoritative answer) to the client
4. If the information is not in the cache either, the DNS server searches the authoritative DNS servers for it:
starting at the root zone and walking down the DNS hierarchy until it reaches the name server that is authoritative for the information, and obtains the answer for the client
The DNS server passes the information to the client and keeps a copy in its own cache for later lookups
===Master DNS server
1. Install
[root@station230 ~]# yum -y install bind bind-chroot caching-nameserver
2. Configure
[root@station230 ~]# vim /var/named/chroot/etc/named.conf // main configuration file
options {
directory "/var/named"; // directory holding the zone database files
};
zone "uplooking.com" { // define the zone uplooking.com
type master;
file "uplooking.com.zone";
};
[root@station230 ~]# vim /var/named/chroot/var/named/uplooking.com.zone // zone database file
$TTL 7200
uplooking.com. IN SOA dns.uplooking.com. root.uplooking.com. ( 20121112 1H 15M 1W 1D )
uplooking.com. IN NS dns.uplooking.com.
dns.uplooking.com. IN A 192.168.2.115
www.uplooking.com. IN A 192.168.2.168
======================================
Zone file conventions:
@ stands for the current zone name (the origin)
www.sina.com. = www // a name without a trailing dot is relative: hostname + zone name (inherited from the origin) = FQDN
$TTL 7200
@ IN SOA dns.sina.com. root (
20121113
1H
15M
1W
1D )
IN NS dns
dns IN A 192.168.2.115
www IN A 192.168.2.125
ftp IN A 192.168.2.118
oa IN A 192.168.2.119
$TTL 7200
@ IN SOA ns1.baidu.com. root (
2013032600
1H
15M
1W
1D )
IN NS ns1
ns1 IN A 192.168.2.180
www IN A 192.168.2.95
ftp IN A 192.168.2.3
oa IN A 192.168.2.4
bbs IN CNAME www
@ IN MX 10 mail
mail IN A 192.168.2.10
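To make the shorthand concrete, here is an added Python example (not from the notes) that expands a zone file written with $TTL, @, a blank owner and relative names into fully qualified records. The input is the baidu.com zone above, embedded as a constructed string; $ORIGIN directives are not handled.

```python
import re

# Constructed input: the baidu.com zone from the notes, using the shorthand the
# notes describe ($TTL, @, a blank owner that inherits the previous owner, relative names).
ZONE_TEXT = """$TTL 7200
@ IN SOA ns1.baidu.com. root (
2013032600
1H
15M
1W
1D )
 IN NS ns1
ns1 IN A 192.168.2.180
www IN A 192.168.2.95
bbs IN CNAME www
@ IN MX 10 mail
mail IN A 192.168.2.10
"""

def qualify(name, origin):
    """'@' -> origin; a name without a trailing dot gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Expand zone-file shorthand into (owner, ttl, type, rdata) tuples with FQDNs."""
    # Join parenthesised multi-line records (the SOA) into one logical line.
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    ttl, owner, records = None, origin, []
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        fields = line.split()
        if not line[0].isspace():              # explicit owner; a blank owner inherits the previous one
            owner = qualify(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin), *rdata[2:]]
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return records
```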
=======================================
[root@station230 ~]# service named restart
停止 named: [确定]
启动 named: [确定]
[root@station230 ~]# chkconfig named on
[root@localhost ~]# tail /var/log/messages
Mar 23 03:58:17 localhost named[12542]: using up to 4096 sockets
Mar 23 03:58:17 localhost named[12542]: loading configuration from '/etc/named.conf'
Mar 23 03:58:17 localhost named[12542]: using default UDP/IPv4 port range: [1024, 65535]
Mar 23 03:58:17 localhost named[12542]: using default UDP/IPv6 port range: [1024, 65535]
Mar 23 03:58:17 localhost named[12542]: listening on IPv4 interface lo, 127.0.0.1#53
Mar 23 03:58:17 localhost named[12542]: listening on IPv4 interface eth0, 192.168.2.180#53
Mar 23 03:58:17 localhost named[12542]: command channel listening on 127.0.0.1#953
Mar 23 03:58:17 localhost named[12542]: command channel listening on ::1#953
Mar 23 03:58:17 localhost named[12542]: zone uplooking.com/IN: loaded serial 2013032600
Mar 23 03:58:17 localhost named[12542]: running
===================================================================
On RHEL6, use the sample templates:
[root@station230 ~]# ls /usr/share/doc/bind-9.3.6/sample/
etc var
[root@station230 ~]# cp -rf /usr/share/doc/bind-9.3.6/sample/* /var/named/chroot/
===================================================================
3. Test
[root@station230 ~]# dig @192.168.2.115 www.uplooking.com
==@192.168.2.115: resolve using the DNS server 192.168.2.115
==baidu.com reverse zone
baidu.com 192.168.2.0/24
Must correspond one-to-one with the matching forward zone
Host names (the PTR targets) must be written as full names, with the trailing dot
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
zone "2.168.192.in-addr.arpa" {
type master;
file "192.168.2.zone";
};
[root@station230 named]# cd /var/named/chroot/var/named/
[root@station230 named]# cp baidu.com.zone 192.168.2.zone
$TTL 7200
@ IN SOA ns1.baidu.com. root.baidu.com. (
2013032600
1H
15M
1W
1D )
IN NS ns1.baidu.com.
180 IN PTR ns1.baidu.com.
95 IN PTR www.baidu.com.
3 IN PTR ftp.baidu.com.
4 IN PTR oa.baidu.com.
10 IN PTR mail.baidu.com.
95 IN PTR bbs.baidu.com.
===baidu.com 正向区
$TTL 7200
@ IN SOA ns1.baidu.com. root (
2013032600
1H
15M
1W
1D )
IN NS ns1
ns1 IN A 192.168.2.180
www IN A 192.168.2.95
ftp IN A 192.168.2.3
oa IN A 192.168.2.4
bbs IN CNAME www
@ IN MX 10 mail
mail IN A 192.168.2.10
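An added example (not part of the notes) that checks the one-to-one rule between the baidu.com forward zone and the 2.168.192.in-addr.arpa reverse zone: a subset of the records above is embedded as constructed tuples, already expanded to FQDNs, and the check reports several PTRs for one address, PTRs pointing at a CNAME, PTR targets written without a trailing dot, and A records with no PTR. On the data above it flags the two PTRs for .95, since bbs is a CNAME rather than an A record.

```python
import ipaddress
from collections import defaultdict

# Constructed from the notes above: (owner, type, rdata) of the forward zone and
# (owner, target) of the reverse zone, both already fully qualified.
FORWARD = [
    ("ns1.baidu.com.", "A", "192.168.2.180"),
    ("www.baidu.com.", "A", "192.168.2.95"),
    ("bbs.baidu.com.", "CNAME", "www.baidu.com."),
    ("mail.baidu.com.", "A", "192.168.2.10"),
]
REVERSE = [
    ("180.2.168.192.in-addr.arpa.", "ns1.baidu.com."),
    ("95.2.168.192.in-addr.arpa.", "www.baidu.com."),
    ("10.2.168.192.in-addr.arpa.", "mail.baidu.com."),
    ("95.2.168.192.in-addr.arpa.", "bbs.baidu.com."),
]

def ptr_name(ip):
    """192.168.2.95 -> 95.2.168.192.in-addr.arpa. (the owner the reverse zone must contain)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_consistency(forward, reverse):
    """Report every way the two zones fail to match one-to-one."""
    a_by_ptr = {ptr_name(ip): host for host, rtype, ip in forward if rtype == "A"}
    cnames = {host for host, rtype, _ in forward if rtype == "CNAME"}
    ptr_by_name = defaultdict(list)
    for name, host in reverse:
        ptr_by_name[name].append(host)
    problems = []
    for name, hosts in ptr_by_name.items():
        if len(hosts) > 1:
            problems.append(f"{name}: several PTR targets {hosts}")
        for host in hosts:
            if host.endswith(".in-addr.arpa."):   # origin got appended: trailing dot was forgotten
                problems.append(f"{name}: {host} was written without a trailing dot")
            elif host in cnames:
                problems.append(f"{name}: PTR points at CNAME {host}, not at an A record")
            elif a_by_ptr.get(name) != host:
                problems.append(f"{name}: no matching A record for {host}")
    for name, host in a_by_ptr.items():
        if name not in ptr_by_name:
            problems.append(f"{name}: A record of {host} has no PTR")
    return problems
```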
===============Slave DNS================================
[root@slave ~]# yum -y install bind bind-chroot caching-nameserver
[root@slave ~]# cd /var/named/chroot/etc/
[root@slave etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key
[root@slave etc]# mv named.caching-nameserver.conf named.conf
Forward/reverse zones
[root@localh ~]# vim /var/named/chroot/etc/named.conf // main configuration file
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
};
zone "126.com" {
type slave;
file "slaves/126.com.zone-slave"; // slave copy of the zone database
masters { 192.168.2.115; }; // address of the master DNS server
};
zone "2.168.192.in-addr.arpa" {
type slave;
file "slaves/192.168.zone-slave";
masters { 192.168.2.115; };
};
[root@localh slaves]# service named restart
[root@localh ~]# ls /var/named/chroot/var/named/slaves/ // directory where the slave zone files are stored
126.com.zone-slave 192.168.zone-slave
====================================
How to troubleshoot a failed zone transfer on the slave:
1. The master blocks the transfer
2. A problem on the slave itself, e.g. no write permission on the target directory (the DNS process runs as user named)
[root@slave etc]# tail /var/log/messages
Mar 22 18:08:22 localhost named[8738]: zone baidu.com/IN: Transfer started.
Mar 22 18:08:22 localhost named[8738]: transfer of 'baidu.com/IN' from 192.168.2.180#53: connected using 192.168.2.199#55886
Mar 22 18:08:22 localhost named[8738]: dumping master file: tmp-2hcvlAaZn2: open: permission denied
Mar 22 18:08:22 localhost named[8738]: transfer of 'baidu.com/IN' from 192.168.2.180#53: failed while receiving responses: permission denied
Mar 22 18:08:22 localhost named[8738]: transfer of 'baidu.com/IN' from 192.168.2.180#53: end of transfer
Mar 22 18:08:23 localhost named[8738]: zone 2.168.192.in-addr.arpa/IN: Transfer started.
Mar 22 18:08:23 localhost named[8738]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: connected using 192.168.2.199#53821
Mar 22 18:08:23 localhost named[8738]: dumping master file: tmp-jgjQyPtcoX: open: permission denied
Mar 22 18:08:23 localhost named[8738]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: failed while receiving responses: permission denied
Mar 22 18:08:23 localhost named[8738]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: end of transfer
[root@slave etc]# ps aux |grep named
named 8738 0.0 0.6 38920 3328 ? Ssl 18:08 0:00 /usr/sbin/named -u named -t /var/named/chroot
root 8751 0.0 0.1 4264 704 pts/3 R+ 18:10 0:00 grep named
[root@slave etc]# ll -d /var/named/chroot/var/named/
drwxr-x--- 4 root named 4096 03-22 18:01 /var/named/chroot/var/named/
[root@slave etc]# ll -d /var/named/chroot/var/named/slaves/ // writable by user named
drwxrwx--- 2 named named 4096 2004-07-27 /var/named/chroot/var/named/slaves/
====================================
====Restricting zone transfers between master and slave: the restriction is configured on the master DNS server
Method 1: host-based access control
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
options {
directory "/var/named";
allow-transfer { 192.168.2.2; }; // allow transfers only to this host
};
[root@station230 ~]# service named restart
Test from the slave DNS server:
[root@localh ~]# cd /var/named/chroot/var/named/slaves/
[root@localh slaves]# ls
126.com.zone-slave 192.168.zone-slave
[root@localh slaves]# rm -rf * // delete the previously transferred zone files
[root@localh slaves]# service named restart
停止 named:. [确定]
启动 named: [确定]
[root@localh slaves]# ls // nothing was transferred
[root@slave slaves]# tail /var/log/messages
Mar 22 18:19:55 localhost named[8867]: command channel listening on ::1#953
Mar 22 18:19:55 localhost named[8867]: running
Mar 22 18:19:55 localhost named[8867]: zone baidu.com/IN: Transfer started.
Mar 22 18:19:55 localhost named[8867]: transfer of 'baidu.com/IN' from 192.168.2.180#53: connected using 192.168.2.199#36640
Mar 22 18:19:55 localhost named[8867]: transfer of 'baidu.com/IN' from 192.168.2.180#53: failed while receiving responses: REFUSED
Mar 22 18:19:55 localhost named[8867]: transfer of 'baidu.com/IN' from 192.168.2.180#53: end of transfer
Mar 22 18:19:56 localhost named[8867]: zone 2.168.192.in-addr.arpa/IN: Transfer started.
Mar 22 18:19:56 localhost named[8867]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: connected using 192.168.2.199#57686
Mar 22 18:19:56 localhost named[8867]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: failed while receiving responses: REFUSED
Mar 22 18:19:56 localhost named[8867]: transfer of '2.168.192.in-addr.arpa/IN' from 192.168.2.180#53: end of transfer
Method 2: TSIG transaction signatures
1. Generate a key on the master DNS server and copy it to the slave DNS server
=============================================================================
[root@station230 ~]# cat /var/named/chroot/etc/rndc.key // reference file
key "rndckey" {
algorithm hmac-md5;
secret "hyjFoAfF0zZj6AxB0LMTM0489itQhTFZwf37Eb9iNxRCaGCMaVAc5xqA41wg";
};
=============================================================================
==Generate the key manually
Generate a TSIG key on the master DNS:
[root@station230 ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST tsig-key
-a HMAC-MD5 // algorithm
-b 128 // key length: 128 bits
-n HOST tsig-key // -n HOST: name type HOST; tsig-key is the key name
[root@station230 ~]# cp Ktsig-key.+157+47568.private /var/named/chroot/etc/tsig-key
[root@station230 ~]# vim /var/named/chroot/etc/tsig-key
key "tsig-key" { // key name
Algorithm HMAC-MD5;
secret "mLnb7ujYRTnedlOOENvOmA==";
};
[root@station230 ~]# chmod 644 /var/named/chroot/etc/tsig-key
===Or produce it directly from the rndc.key file
Alternatively:
[root@master ~]# cd /var/named/chroot/etc/
[root@master etc]# cp rndc.key tsig.key
[root@master etc]# chmod 644 tsig.key
Copy it to the slave DNS server:
[root@station230 ~]# rsync -a /var/named/chroot/etc/tsig-key 192.168.2.9:/var/named/chroot/etc/
[root@localh ~]# cat /var/named/chroot/etc/tsig-key
key "tsig-key" {
Algorithm HMAC-MD5;
secret "mLnb7ujYRTnedlOOENvOmA==";
};
2. Restrict zone transfers with the key
Master DNS:
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
options {
directory "/var/named";
allow-transfer { key tsig-key; }; // allow zone transfers only to hosts holding this key
};
include "/etc/tsig-key"; // include the key file
[root@station230 ~]# service named restart
Slave DNS:
options {
directory "/var/named";
};
include "/etc/tsig-key";
server 192.168.2.115 {
keys { tsig-key; };
};
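Added example (not the notes' own tooling) for the key stanza used in steps 1 and 2 above: it parses the stanza, confirms that the secret decodes to the 128 bits requested with -b 128, and writes a fresh stanza in the same format. It goes slightly beyond the notes by also accepting hmac-sha256, which BIND supports as well.

```python
import base64
import re
import secrets

# Constructed: the key stanza shown in the notes above, as copied to the slave.
KEY_FILE = '''key "tsig-key" {
Algorithm HMAC-MD5;
secret "mLnb7ujYRTnedlOOENvOmA==";
};
'''

STANZA_RE = re.compile(
    r'key\s+"(?P<name>[^"]+)"\s*\{\s*algorithm\s+(?P<alg>[\w-]+)\s*;'
    r'\s*secret\s+"(?P<secret>[^"]+)"\s*;\s*\}\s*;',
    re.IGNORECASE,   # named accepts "Algorithm HMAC-MD5" as written in the notes
)

def parse_key(text):
    """Return (name, algorithm, secret bytes); the secret must be valid base64."""
    m = STANZA_RE.search(text)
    if not m:
        raise ValueError("no key stanza found")
    secret = base64.b64decode(m.group("secret"), validate=True)
    return m.group("name"), m.group("alg").lower(), secret

def key_bits(text):
    """Key length in bits, to compare with the -b value given to dnssec-keygen."""
    return len(parse_key(text)[2]) * 8

def make_key_file(name, bits=128, algorithm="hmac-md5"):
    """A fresh stanza in the same format, with a random secret of the requested length."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'
```

The notes set the key file to mode 644; since anyone able to read the secret can sign a transfer request as the slave, mode 640 owned by root with group named (the user named runs as) is the tighter setting.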
========================================================================
Warning: with TSIG-signed zone transfers the master and slave clocks must be synchronized!!!
[root@localh slaves]# tail /var/log/messages
Nov 13 15:38:30 localh named[4470]: zone 126.com/IN: refresh: failure trying master 192.168.2.115#53 (source 0.0.0.0#0): clocks are unsynchronized
Nov 13 15:38:31 localh named[4470]: zone 2.168.192.in-addr.arpa/IN: refresh: failure trying master 192.168.2.115#53 (source 0.0.0.0#0): clocks are unsynchronized
[root@station230 ~]# ssh 192.168.2.9 date 111315502012;date 111315502012
root@192.168.2.9's password:
2012年 11月 13日 星期二 15:50:00 CST
2012年 11月 13日 星期二 15:50:00 CST
========================================================================
[root@localh slaves]# service named restart
停止 named: [确定]
启动 named: [确定]
[root@localh slaves]# tail /var/log/messages
Nov 13 15:50:23 localh named[4552]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 13 15:50:23 localh named[4552]: listening on IPv4 interface eth0, 192.168.2.9#53
Nov 13 15:50:23 localh named[4552]: listening on IPv4 interface vmnet1, 192.168.212.1#53
Nov 13 15:50:23 localh named[4552]: listening on IPv4 interface vmnet8, 192.168.23.1#53
Nov 13 15:50:23 localh named[4552]: command channel listening on 127.0.0.1#953
Nov 13 15:50:23 localh named[4552]: command channel listening on ::1#953
Nov 13 15:50:23 localh named[4552]: zone 2.168.192.in-addr.arpa/IN: loaded serial 2012111300
Nov 13 15:50:23 localh named[4552]: zone 126.com/IN: loaded serial 2012111300
Nov 13 15:50:23 localh named[4552]: zone uplooking.com/IN: loaded serial 20121112
Nov 13 15:50:23 localh named[4552]: running
[root@localh slaves]# ls
126.com.zone-slave 192.168.zone-slave
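Added example, not from the notes: a small log triage that maps the three transfer-failure messages seen in the log excerpts above (permission denied, REFUSED, clocks are unsynchronized) to the cause and the check each one calls for. The sample lines are constructed from those excerpts.

```python
import re

# Constructed sample: lines of the shape shown in the notes (zone names, addresses
# and pids from the excerpts above; the message text is what named itself logs).
LOG_LINES = """Mar 22 18:08:22 localhost named[8738]: dumping master file: tmp-2hcvlAaZn2: open: permission denied
Mar 22 18:08:22 localhost named[8738]: transfer of 'baidu.com/IN' from 192.168.2.180#53: failed while receiving responses: permission denied
Mar 22 18:19:55 localhost named[8867]: transfer of 'baidu.com/IN' from 192.168.2.180#53: failed while receiving responses: REFUSED
Nov 13 15:38:30 localh named[4470]: zone 126.com/IN: refresh: failure trying master 192.168.2.115#53 (source 0.0.0.0#0): clocks are unsynchronized
Nov 13 15:50:23 localh named[4552]: zone 126.com/IN: loaded serial 2012111300
""".splitlines()

# Each failure text maps to the cause and the check the notes walk through.
CAUSES = [
    ("permission denied", "slave: zone directory not writable by user named; check ownership of .../slaves/"),
    ("REFUSED", "master: transfer refused; check allow-transfer (host list or TSIG key) on the master"),
    ("clocks are unsynchronized", "TSIG: master/slave clock skew; synchronize the clocks and restart named"),
]

ZONE_RE = re.compile(r"(?:transfer of '|zone )([^'/]+)/IN")
MASTER_RE = re.compile(r"(?:from|master) (\d+\.\d+\.\d+\.\d+)#\d+")

def classify(line):
    """Return (zone, master, cause) for a transfer-failure line, or None for anything else."""
    for needle, cause in CAUSES:
        if needle in line:
            zone, master = ZONE_RE.search(line), MASTER_RE.search(line)
            return (zone.group(1) if zone else None, master.group(1) if master else None, cause)
    return None

def failures(lines):
    """One entry per (zone, cause) -> master address; lines naming no zone are skipped."""
    seen = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[0]:
            seen.setdefault((hit[0], hit[2]), hit[1])
    return seen
```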
==========Advanced================
Zone transfer notes (after the first full copy):
Method 1:
The zone file (must) contain NS records for the slave DNS:
IN NS dns1 // master DNS
IN NS dns2 // slave DNS
dns1 IN A 192.168.2.115
dns2 IN A 192.168.2.116
In the master's main configuration file:
options {
directory "/var/named";
notify yes; // enable NOTIFY so the slaves are told about zone changes
};
Method 2:
Root hints zone (master/slave):
Purpose: lets the DNS server find the root servers
======================================================================
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
zone "." {
type hint;
file "named.ca"; // named.ca: root hints file (addresses of the 13 root servers worldwide)
};
[root@station230 ~]# ls /var/named/chroot/var/named/named.ca
/var/named/chroot/var/named/named.ca
How to obtain the root hints file:
1. Download it
2. Install caching-nameserver, which generates it automatically
3. # ls /usr/share/doc/bind-9.3.6/sample/var/named/named.root
=======DNS forwarding=============
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
forward first; // try the forwarders first
forwarders { 202.106.0.20;
8.8.8.8; };
};
When both forwarding and root hints are configured, the forward option decides which is used first:
forward only; // only query the forwarders; never resolve iteratively from the root hints
forward first; // query the forwarders first; if they do not answer, fall back to resolving from the root hints
Client-side queries:
nslookup, host, dig
# cat /etc/resolv.conf
nameserver 192.168.2.115
# nslookup www.126.com
[root@station5 ~]# nslookup
> www.126.com
Server: 192.168.2.115
Address: 192.168.2.115#53
> set q=soa // set the query type (not case-sensitive)
> 126.com
Server: 192.168.2.115
Address: 192.168.2.115#53
126.com
origin = dns.126.com
mail addr = root.126.com
serial = 2012111400
refresh = 3600
retry = 900
expire = 604800
minimum = 86400
[root@station5 ~]# nslookup
> server 192.168.2.168 // temporarily select the DNS server to use
Default server: 192.168.2.168
Address: 192.168.2.168#53
> www.sina.com
Server: 192.168.2.168
Address: 192.168.2.168#53
Name: www.sina.com
Address: 192.168.2.120
> 192.168.2.168
Server: 192.168.2.168
Address: 192.168.2.168#53
168.2.168.192.in-addr.arpa name = dns.sina.com.
>
[root@station5 ~]# host www.126.com
www.126.com has address 192.168.2.222
[root@station5 ~]# host 192.168.2.222
[root@station5 ~]# host -t SOA 126.com // record type SOA
126.com has SOA record dns.126.com. root.126.com. 2012111400 3600 900 604800 86400
[root@station5 ~]# host -t NS 126.com // record type NS
126.com name server dns.126.com.
126.com name server dns2.126.com.
[root@station5 ~]# host -t MX 126.com // record type MX
126.com mail is handled by 10 mail.126.com.
[root@station5 ~]# dig www.126.com // uses the DNS server from /etc/resolv.conf
[root@station5 ~]# dig @192.168.2.168 www.126.com // uses the specified DNS server
=====Views (split-horizon / "smart" DNS)=====
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
view cnc {
match-clients { 192.168.2.168; };
zone "126.com" {
type master;
file "126.com.zone-cnc";
};
};
view cmcc {
match-clients { any; };
zone "126.com" {
type master;
file "126.com.zone-cmcc";
};
};
# cat /var/named/chroot/var/named/126.com.zone-cnc
www IN A 1.1.1.1
bbs IN A 1.2.3.8
oa IN CNAME ftp
# cat /var/named/chroot/var/named/126.com.zone-cmcc
www IN A 2.2.2.2
Extensions:
Method 1:
acl cnc { 192.168.2.168; 192.168.3.0/24; }; // define an access control list
acl cmcc { 192.168.4.0/24; };
view cnc {
match-clients { cnc; };
zone "126.com" {
type master;
file "126.com.zone-cnc";
};
};
view cmcc {
match-clients { any; }; // any is built in and needs no definition
zone "126.com" {
type master;
file "126.com.zone-cmcc";
};
};
Method 2:
[root@station230 ~]# cat /var/named/chroot/var/named/cnc.txt
acl cnc {
192.168.2.168;
192.168.3.0/24;
};
[root@station230 ~]# vim /var/named/chroot/etc/named.conf
include "/var/named/cnc.txt";
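Added example, not part of the notes: the view selection BIND performs on match-clients, with the acl/view configuration above embedded as constructed Python data. Views are tested in the order they appear in named.conf and the first match wins, which is why the catch-all any view has to come last.

```python
import ipaddress

# Constructed from the acl and view definitions in the notes above.
ACLS = {
    "cnc": ["192.168.2.168", "192.168.3.0/24"],
    "cmcc": ["192.168.4.0/24"],
    "any": ["0.0.0.0/0"],          # built-in acl, modelled here as the whole IPv4 space
}
# Views in named.conf order: (view name, match-clients entries, zone file for 126.com).
VIEWS = [
    ("cnc", ["cnc"], "126.com.zone-cnc"),
    ("cmcc", ["any"], "126.com.zone-cmcc"),
]

def expand(entries, acls):
    """Resolve acl names (recursively) and literal addresses/prefixes into networks."""
    nets = []
    for entry in entries:
        if entry in acls:
            nets.extend(expand(acls[entry], acls))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return (view name, zone file) served to client_ip, or None if no view matches."""
    ip = ipaddress.ip_address(client_ip)
    for name, clients, zone_file in views:   # first matching view wins
        if any(ip in net for net in expand(clients, acls)):
            return name, zone_file
    return None
```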
==================Subdomain delegation===============
Parent zone 126.com. 192.168.2.115
Child zone it.126.com. 192.168.2.168
===Delegation in the parent zone
[root@station230 ~]# vim /var/named/chroot/var/named/126.com.zone
it.126.com. IN NS dns.it.126.com.
dns.it.126.com. IN A 192.168.2.168
Delegates the subdomain it.126.com to the host dns.it.126.com.
On the child zone's server:
zone "it.126.com" {
type master;
file "it.126.com.zone";
};
Test with the parent's DNS and with the child's DNS separately
Stop the child's DNS
Client resolver tools:
===dig====
# dig @192.168.2.180 www.baidu.com // @ selects the DNS server to query
===host===
[root@station80 ~]# cat /etc/resolv.conf
nameserver 192.168.2.180
[root@station80 ~]# host www.baidu.com
www.baidu.com has address 192.168.2.95
[root@station80 ~]# host 192.168.2.95
95.2.168.192.in-addr.arpa domain name pointer bbs.baidu.com.
95.2.168.192.in-addr.arpa domain name pointer www.baidu.com.
[root@station80 ~]# host -t SOA baidu.com // query the SOA of baidu.com
baidu.com has SOA record ns1.baidu.com. root.baidu.com. 2013032600 3600 900 604800 86400
[root@station80 ~]# host -t NS baidu.com // query the name servers of baidu.com
baidu.com name server ns1.baidu.com.
[root@station80 ~]# host -t MX baidu.com // query the mail servers of baidu.com
baidu.com mail is handled by 10 mail.baidu.com.
===nslookup== available on both Windows and Linux
[root@station80 ~]# cat /etc/resolv.conf
nameserver 192.168.2.180
[root@station80 ~]# nslookup www.baidu.com // non-interactive
Server: 192.168.2.180
Address: 192.168.2.180#53
Name: www.baidu.com
Address: 192.168.2.95
[root@station80 ~]# nslookup // interactive; by default uses the DNS server from /etc/resolv.conf
> www.baidu.com
Server: 192.168.2.180
Address: 192.168.2.180#53
Name: www.baidu.com
Address: 192.168.2.95
[root@localhost named]# nslookup
> server 192.168.2.91 // the server command selects the DNS server to use
Default server: 192.168.2.91
Address: 192.168.2.91#53
>
> www.uplooking.com // forward lookup
Server: 192.168.2.91
Address: 192.168.2.91#53
Name: www.uplooking.com
Address: 192.168.2.98
>
> 192.168.2.98 // reverse lookup
Server: 192.168.2.91
Address: 192.168.2.91#53
98.2.168.192.in-addr.arpa name = www.uplooking.com.
>
[root@station80 ~]# nslookup
> set q=soa // query type SOA
> baidu.com
Server: 192.168.2.180
Address: 192.168.2.180#53
baidu.com
origin = ns1.baidu.com
mail addr = root.baidu.com
serial = 2013032600
refresh = 3600
retry = 900
expire = 604800
minimum = 86400
> set q=mx // query type MX
> baidu.com
Server: 192.168.2.180
Address: 192.168.2.180#53
baidu.com mail exchanger = 10 mail.baidu.com.