I. Explain how a DNS server works, and set up a master/slave (primary/secondary) pair.
Devices on a TCP/IP network talk to each other by IP address. Numeric addresses are hard to remember, and with many devices on a network, memorising every one of them is a hopeless task. The fix is to give each device a friendly name such as www.abc.com; a name made of words is obviously easier to remember. Computers do not understand such names, so a name-resolution service translates (resolves) the name into an IP address, and we can then reach devices on the network by name. Name resolution has a second important job: it decouples a host from its IP address. When the host's address changes, only the name service needs updating, and users keep reaching it under the old name.
How DNS resolution works:
Step 1: The client sends a name-resolution request to its local (recursive) DNS server.
Step 2: The local server first checks its cache; if the record is there, it returns the cached answer directly.
Step 3: If the record is not cached, the local server asks a root name server. The root does not hold the answer; it refers the local server to the servers authoritative for the top-level domain (the child of the root, here .le).
Step 4: The local server asks the server it was referred to. That server either answers from its own zone data or refers the query down to the next-level authoritative servers.
Step 5: Step 4 repeats until an authoritative server returns the record.
Step 6: The local server caches the result (for the TTL set by the authoritative server) for later queries, and returns it to the client.
To build the master/slave pair, we assume a domain wjwj.le, with the master (ns1) at 10.0.0.78 and the slave (ns2) at 10.0.0.88.
1. Two servers are needed. Install the DNS packages on both and start the service.
[root@centos8 ~]#dnf -y install bind bind-utils
[root@centos8 ~]#systemctl enable --now named
Configure the master server first.
2. Edit the configuration so the service listens on all of the server's addresses and serves all clients.
[root@centos8 ~]#vim /etc/named.conf
#Comment out the following two lines. Without listen-on, named listens on port 53 on every IPv4 address of the server; without allow-query, it answers queries from any client.
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#Under options, add the slave's address so that only the slave may pull a zone transfer (AXFR/IXFR); a transfer request from any other host is refused. The stock file also sets recursion yes; if this authoritative server is reachable from untrusted networks, set recursion no (or restrict allow-recursion to internal clients) so it cannot be abused as an open resolver.
allow-transfer {10.0.0.88;};
3. Create the zone file and set its permissions.
[root@centos8 /var/named]#vim /var/named/wjwj.le.zone
$TTL 1D
@ IN SOA ns1 admin.wjwj.le. (
20201201 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1
@ NS ns2
ns1 A 10.0.0.78
ns2 A 10.0.0.88
www A 10.0.0.7
www2 CNAME websrv
websrv A 10.0.0.6
websrv A 10.0.0.7
[root@centos8 ~]#chmod 640 /var/named/wjwj.le.zone;chgrp named /var/named/wjwj.le.zone
4. Edit /etc/named.rfc1912.zones and add a zone block that points at the zone file (the path is relative to the directory option, /var/named).
[root@centos8 ~]#vim /etc/named.rfc1912.zones
zone "wjwj.le" IN {
type master;
file "wjwj.le.zone";
};
5. Check the main configuration and the zone file for errors.
[root@centos8 ~]#named-checkconf
[root@centos8 ~]#named-checkzone "wjwj.le" /var/named/wjwj.le.zone
zone wjwj.le/IN: loaded serial 20201201
OK
6. Apply the configuration.
[root@centos8 ~]#rndc reload
Now the slave server.
7. Before touching the slave, confirm on the master that step 2 is in place: the two default lines are commented out and allow-transfer lists only the slave. This step changes nothing that step 2 did not already do.
[root@centos8 ~]#vim /etc/named.conf
#These two lines stay commented out
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#Under options, only the slave's address is allowed to transfer the zone
allow-transfer {10.0.0.88;};
8. Edit /etc/named.rfc1912.zones on the slave and add the slave zone. The slave needs no hand-written zone file: it transfers the zone from the master and writes it to the file named here. By default (BIND 9.9 and later) a transferred zone is stored in BIND's raw binary format, so the file cannot be read directly; it is not encrypted, just binary. Convert it with named-compilezone, or add masterfile-format text; to the zone block to keep a readable copy.
[root@centos88 ~]#vim /etc/named.rfc1912.zones
zone "wjwj.le" IN {
type slave;
masters { 10.0.0.78; };
file "slaves/wjwj.le.zone.slave";
};
#Every address inside masters ends with its own semicolon. The file goes under slaves/, the directory the bind package creates in /var/named and that the named user can write to; naming a directory that does not exist makes the transfer fail.
9. Edit the slave's named.conf so it also listens on all addresses and serves all clients.
[root@centos8 ~]#vim /etc/named.conf
#Comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#Under options, forbid zone transfers from the slave altogether: nobody should be able to pull the whole zone from it. Check it from a third host: an AXFR request for wjwj.le sent to 10.0.0.88 must come back as "Transfer failed."
allow-transfer {none;};
10. Apply the configuration.
[root@centos88 ~]#rndc reload
11. Test that both servers answer.
#Test the master
[root@centos76 ~]#host www2.wjwj.le 10.0.0.78
Using domain server:
Name: 10.0.0.78
Address: 10.0.0.78#53
Aliases:
www2.wjwj.le is an alias for websrv.wjwj.le.
websrv.wjwj.le has address 10.0.0.6
websrv.wjwj.le has address 10.0.0.7
#Test the slave
[root@centos76 ~]#host www2.wjwj.le 10.0.0.88
Using domain server:
Name: 10.0.0.88
Address: 10.0.0.88#53
Aliases:
www2.wjwj.le is an alias for websrv.wjwj.le.
websrv.wjwj.le has address 10.0.0.6
websrv.wjwj.le has address 10.0.0.7
12. Add a record to the master's zone file and check that the slave picks it up on its own.
[root@centos8 ~]#vim /var/named/wjwj.le.zone
#add one record
ftp A 10.0.0.111
#The serial in the SOA record must be raised as well (any larger number will do; YYYYMMDDNN is the usual convention). The slave compares serials and transfers only when the master's is higher, so a forgotten bump means the slave silently keeps the old data.
#apply the change
[root@centos8 ~]#rndc reload
server reload successful
#From a third host, query the slave to confirm it has the new record. The aa flag in the answer shows the slave is answering authoritatively from its own copy of the zone.
[root@centos76 ~]#dig ftp.wjwj.le @10.0.0.88
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.3 <<>> ftp.wjwj.le @10.0.0.88
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46485
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.wjwj.le. IN A
;; ANSWER SECTION:
ftp.wjwj.le. 86400 IN A 10.0.0.111
;; AUTHORITY SECTION:
wjwj.le. 86400 IN NS ns2.wjwj.le.
wjwj.le. 86400 IN NS ns1.wjwj.le.
;; ADDITIONAL SECTION:
ns1.wjwj.le. 86400 IN A 10.0.0.78
ns2.wjwj.le. 86400 IN A 10.0.0.88
;; Query time: 1 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Fri Dec 25 17:28:48 CST 2020
;; MSG SIZE rcvd: 124
13. The master/slave pair is complete.
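Step 12 hinges on the serial bump, which is easy to forget when editing by hand. The script below is an added example, not code from the original page or from BIND: it raises the SOA serial of a zone file in place, keeping the file's mode and owner, and runs named-checkzone when it is installed. It assumes the page's zone layout (the serial on its own line as the first field, followed by "; serial"); the sample zone it writes is a copy of the page's wjwj.le zone so the demo runs offline.

```shell
#!/bin/sh
# Added example, not code from the original page: bump the SOA serial of a
# zone file in place. A slave transfers the zone only when the master's
# serial is higher than the one it holds, so forgetting the bump is the
# classic reason a change "does not replicate". Assumed zone layout (the
# page's): the serial on its own line as the first field, then "; serial".

# bump_serial ZONEFILE [TODAY]
# TODAY (YYYYMMDD) defaults to the current date; it is a parameter so the
# result can be checked deterministically. Prints the new serial on success.
bump_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    cur=$(awk '/;[[:space:]]*serial/ { print $1; exit }' "$zone")
    case $cur in
        ''|*[!0-9]*) echo "bump_serial: no numeric serial line in $zone" >&2; return 1 ;;
    esac
    # Use today's date-based serial (YYYYMMDD00) unless the file is already
    # at or beyond it (second change on the same day), then just add one.
    # Either way the new value is strictly greater than the old one.
    if [ "$cur" -ge "${today}00" ]; then
        new=$((cur + 1))
    else
        new="${today}00"
    fi
    tmp=$(mktemp) || return 1
    # Rewrite through cat rather than mv so the 640 root:named mode and
    # ownership set in step 3 survive.
    awk -v old="$cur" -v new="$new" '
        !done && /;[[:space:]]*serial/ { sub(old, new); done = 1 }
        { print }' "$zone" > "$tmp" && cat "$tmp" > "$zone"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 1
    echo "$new"
}

# check_zone ZONENAME ZONEFILE: syntax-check with named-checkzone when BIND
# is installed (it is on the page's servers; skipped elsewhere so the
# example still runs).
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
    fi
}

# sample_zone prints the page's wjwj.le zone so the demo below runs offline.
sample_zone() {
    cat <<'EOF'
$TTL 1D
@ IN SOA ns1 admin.wjwj.le. (
20201201 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1
@ NS ns2
ns1 A 10.0.0.78
ns2 A 10.0.0.88
www A 10.0.0.7
www2 CNAME websrv
websrv A 10.0.0.6
websrv A 10.0.0.7
EOF
}

# Demo on a temporary copy. On the master the real call would be
# bump_serial /var/named/wjwj.le.zone && rndc reload wjwj.le
work=$(mktemp -d)
sample_zone > "$work/wjwj.le.zone"
echo "new serial: $(bump_serial "$work/wjwj.le.zone")"
grep '; serial' "$work/wjwj.le.zone"
check_zone wjwj.le "$work/wjwj.le.zone"
rm -rf "$work"
```

After the bump, rndc reload on the master re-reads the zone and sends NOTIFY to the slave, which then compares serials and pulls the change; the dig against 10.0.0.88 in step 12 is the check that it did.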
II. Build and test intelligent (split-horizon) DNS.
Intelligent DNS looks at the client's source address to work out which region or carrier network it is on and hands back the server address closest to it, speeding up access. BIND does this with views: each view has its own match-clients ACL and its own copy of the zone, and a query is answered from the first view whose ACL matches its source address. To simulate it we assume Beijing is the 192.168.0.0/24 network and Shanghai is 10.0.0.0/24.
1. Install the DNS packages and start the service.
[root@centos8 ~]#yum install bind bind-utils -y;systemctl enable --now named
2. Add the address 192.168.0.100/24 to the server (this ip command is not persistent; the address is gone after a reboot).
[root@centos8 ~]#ip a a 192.168.0.100/24 dev bond0 label bond0:1
3. Edit the configuration.
[root@centos8 ~]#vim /etc/named.conf
#At the very top of the file add the ACLs. Views are tried in the order they appear and the first match wins, so the catch-all ACL other (any) must be used by the last view; put it first and every client would land in it.
acl beijing {
192.168.0.0/24;
};
acl shanghai {
10.0.0.0/24;
};
acl other {
any;
};
#Comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Create the views. Once any view is defined, every zone must sit inside a view, including the root hints; that is why the top-level root zone and the include of named.rfc1912.zones are removed below and re-created per view.
view beijingview {
match-clients { beijing;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghai;};
include "/etc/named.rfc1912.zones.sh";
};
view otherview {
match-clients { other;};
include "/etc/named.rfc1912.zones.other";
};
#Delete the following two items from the top level of named.conf
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
4. Create one zone configuration file per view and set permissions.
[root@centos8 ~]#vim /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "wjwj.le" {
type master;
file "wjwj.le.zone.bj";
};
[root@centos8 ~]#vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "wjwj.le" {
type master;
file "wjwj.le.zone.sh";
};
[root@centos8 ~]#vim /etc/named.rfc1912.zones.other
zone "." IN {
type hint;
file "named.ca";
};
zone "wjwj.le" {
type master;
file "wjwj.le.zone.other";
};
[root@centos8 ~]#chmod 640 /etc/named.rfc1912.zones*;chgrp named /etc/named.rfc1912.zones*
[root@centos8 ~]#ll /etc/named.rfc1912.zones*
-rw-r----- 1 root named 1219 Dec 25 18:39 /etc/named.rfc1912.zones
-rw-r----- 1 root named 118 Dec 25 21:13 /etc/named.rfc1912.zones.bj
-rw-r----- 1 root named 121 Dec 25 21:14 /etc/named.rfc1912.zones.other
-rw-r----- 1 root named 118 Dec 25 21:13 /etc/named.rfc1912.zones.sh
5. Create one zone data file per region (copy an existing one and edit). Each view serves its own copy, so a record change must be made in every file and every serial bumped.
[root@centos8 ~]#vim /var/named/wjwj.le.zone.bj
$TTL 1D
@ IN SOA ns1 admin.wjwj.le. (
20201203 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1
@ NS ns2
ns1 A 10.0.0.78
ns2 A 10.0.0.88
www A 192.168.0.100
[root@centos8 ~]#vim /var/named/wjwj.le.zone.sh
$TTL 1D
@ IN SOA ns1 admin.wjwj.le. (
20201203 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1
@ NS ns2
ns1 A 10.0.0.78
ns2 A 10.0.0.88
www A 10.0.0.100
[root@centos8 ~]#vim /var/named/wjwj.le.zone.other
$TTL 1D
@ IN SOA ns1 admin.wjwj.le. (
20201203 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS ns1
@ NS ns2
ns1 A 10.0.0.78
ns2 A 10.0.0.88
www A 127.0.0.1
6. Apply the configuration.
[root@centos8 ~]#rndc reload
server reload successful
7. Query from different addresses to see that each client gets its own answer. A view is chosen by the query's source address, not by the server address the client sends to; the three answers below show which view each query landed in (Beijing, Shanghai, and the catch-all view for the loopback query).
[root@centos76 ~]#host www.wjwj.le 192.168.0.100
Using domain server:
Name: 192.168.0.100
Address: 192.168.0.100#53
Aliases:
www.wjwj.le has address 192.168.0.100
[root@centos76 ~]#host www.wjwj.le 10.0.0.88
Using domain server:
Name: 10.0.0.88
Address: 10.0.0.88#53
Aliases:
www.wjwj.le has address 10.0.0.100
[root@centos8 ~]#host www.wjwj.le 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:
www.wjwj.le has address 127.0.0.1
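The order of the view blocks is the part of this setup that fails silently: a catch-all view placed above a regional one shadows it and every client below gets the wrong answer, without any error from named-checkconf. The script below is an added example, not code from the original page or from BIND: it parses the view order out of a named.conf, flags a catch-all view (match-clients any, an ACL that expands to any, or a view with no match-clients at all, which BIND treats as any) that is not last, and runs on constructed copies of the page's ACL and view layout. It assumes the one-directive-per-line layout the page uses.

```shell
#!/bin/sh
# Added example, not code from the original page: check the order of views in
# a BIND named.conf. BIND tries views top to bottom and answers from the first
# one whose match-clients covers the query's source address, so a catch-all
# view that is not last shadows every view below it. Parsing is line-based
# and assumes the one-directive-per-line layout the page uses.

# check_view_order FILE
# Prints "view-name match-clients" in file order; returns 1 if a catch-all
# view is not the last view.
check_view_order() {
    awk '
        # A view with no match-clients is implicitly "any" in BIND.
        function record_missing() {
            if (pending) { n++; names[n] = name; shown[n] = "(none, implies any)"; is_any[n] = 1; pending = 0 }
        }
        /^[[:space:]]*acl[[:space:]]/ { acl = $2; gsub(/[^A-Za-z0-9_.-]/, "", acl); in_acl = 1 }
        in_acl { t = $0; gsub(/[[:space:]]/, "", t); if (t ~ /(^|[{;])any;/) any_acl[acl] = 1 }
        in_acl && /\};/ { in_acl = 0 }
        /^[[:space:]]*view[[:space:]]/ { record_missing(); name = $2; gsub(/[^A-Za-z0-9_.-]/, "", name); pending = 1 }
        pending && /match-clients/ {
            m = $0
            sub(/.*match-clients[[:space:]]*\{/, "", m)
            sub(/\}.*/, "", m)
            gsub(/[[:space:]]/, "", m)
            k = split(m, parts, ";")
            c = 0
            for (j = 1; j <= k; j++) if (parts[j] == "any" || (parts[j] in any_acl)) c = 1
            n++; names[n] = name; shown[n] = m; sub(/;$/, "", shown[n]); is_any[n] = c
            pending = 0
        }
        END {
            record_missing()
            rc = 0
            for (i = 1; i <= n; i++) {
                print names[i], shown[i]
                if (is_any[i] && i < n) rc = 1
            }
            exit rc
        }' "$1"
}

# sample_conf GOOD|BAD writes a constructed named.conf fragment with this
# page's ACLs and views; BAD puts the catch-all view first.
sample_conf() {
    cat <<'EOF'
acl beijing {
192.168.0.0/24;
};
acl shanghai {
10.0.0.0/24;
};
acl other {
any;
};
EOF
    if [ "$1" = BAD ]; then
        printf 'view otherview {\nmatch-clients { other;};\n};\n'
    fi
    printf 'view beijingview {\nmatch-clients { beijing;};\n};\n'
    printf 'view shanghaiview {\nmatch-clients { shanghai;};\n};\n'
    if [ "$1" != BAD ]; then
        printf 'view otherview {\nmatch-clients { other;};\n};\n'
    fi
}

# Demo on both layouts; on the server the call is check_view_order /etc/named.conf
work=$(mktemp -d)
sample_conf GOOD > "$work/good.conf"
sample_conf BAD > "$work/bad.conf"
for f in good bad; do
    if check_view_order "$work/$f.conf"; then
        echo "$f.conf: view order OK"
    else
        echo "$f.conf: a catch-all view is not last, later views are unreachable"
    fi
done
rm -rf "$work"
```

Run it against /etc/named.conf after step 3 and again after any later edit; named-checkconf only validates syntax and will not catch a view that has become unreachable.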
III. Compile and install MariaDB from source, start it, and log in.
1. Install the build dependencies.
[root@centos8 ~]#yum -y install bison zlib-devel libcurl-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel
2. Create the service user (a system account with no login shell).
[root@centos8 ~]#useradd -r -s /sbin/nologin -d /data/mysql mysql
3. Prepare the data directory.
[root@centos8 ~]#mkdir /data/mysql
[root@centos8 ~]#chown mysql.mysql /data/mysql
4. Unpack the source tarball (assumed already downloaded into /data).
[root@centos8 /data]#tar xf mariadb-10.2.31.tar.gz
5. Configure with cmake, then build and install.
[root@centos8 /data]#cd mariadb-10.2.31/
[root@centos8 /data/mariadb-10.2.31]#cmake . \
-DCMAKE_INSTALL_PREFIX=/app/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/ \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci
[root@centos8 /data/mariadb-10.2.31]#make -j 4 && make install
6. Initialise the system tables in the data directory.
[root@centos8 /data/mariadb-10.2.31]#cd /app/mysql/
[root@centos8 /app/mysql]#scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h centos88.wj3721.top password 'new-password'
Alternatively you can run:
'./bin/mysql_secure_installation'
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'
You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
7. Copy in a config file and the init script, then start the service.
[root@centos8 /app/mysql]#cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
[root@centos8 /app/mysql]#cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@centos8 /app/mysql]#chkconfig --add mysqld
[root@centos8 /app/mysql]#service mysqld start
Starting mysqld (via systemctl): [ OK ]
8. Run the security initialisation. Set a root password and answer y to everything else (Enter accepts the default Y). Without it root logs in with no password, the anonymous accounts created at install time remain, root may log in over the network, and the test database that anyone can access stays.
[root@centos8 ~]#mysql_secure_installation
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
Enter current password for root (enter for none):
OK, successfully used password, moving on...
Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.
Set root password? [Y/n] y
New password:
Re-enter new password:
Password updated successfully!
Reloading privilege tables..
... Success!
By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!
Normally, root should only be allowed to connect from 'localhost'. This
ensures that someone cannot guess at the root password from the network.
Disallow root login remotely? [Y/n]
... Success!
By default, MariaDB comes with a database named 'test' that anyone can
access. This is also intended only for testing, and should be removed
before moving into a production environment.
Remove test database and access to it? [Y/n]
- Dropping test database...
... Success!
- Removing privileges on test database...
... Success!
Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.
Reload privilege tables now? [Y/n]
... Success!
Cleaning up...
All done! If you've completed all of the above steps, your MariaDB
installation should now be secure.
Thanks for using MariaDB!
9. Log in. Without a password access is denied; with the password set above it works. The client binary is /app/mysql/bin/mysql, so that directory is assumed to be on PATH (or use the full path).
[root@centos88 ~]#mysql
ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: NO)
[root@centos88 ~]#mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 19
Server version: 10.2.31-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
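Step 8 takes mysql_secure_installation at its word. The script below is an added example, not code from the original page or from MariaDB: it re-checks the three things the wizard promises (no anonymous accounts, root only from the local host, no password-authenticated account with an empty password) from the rows of mysql.user. It assumes the MariaDB 10.2 column names (Password and plugin; newer releases moved hashes to authentication_string) and the tab-separated output of mysql -N. The before/after rows are constructed to mirror what mysql_install_db creates on a host named centos88 and what the page's answers leave behind; the hash is a placeholder, not a real credential.

```shell
#!/bin/sh
# Added example, not code from the original page: audit mysql.user rows
# after mysql_secure_installation. Input rows are "User<TAB>Host<TAB>Password<TAB>plugin",
# which is what
#   mysql -N -e "SELECT User, Host, Password, plugin FROM mysql.user"
# prints on MariaDB 10.2 (column names assumed for that release).

# audit_mysql_accounts < rows
# Prints one finding per line; returns 1 if there is at least one finding.
# An empty Password is only a finding when no auth plugin is set, since
# plugin-authenticated accounts (unix_socket, pam) legitimately have none.
audit_mysql_accounts() {
    awk '
        BEGIN { FS = "\t"; bad = 0 }
        $1 == "" { print "anonymous account @" $2; bad = 1; next }
        {
            if ($1 == "root" && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1") {
                print "root can log in from " $2; bad = 1
            }
            if ($3 == "" && $4 == "") {
                print "empty password for " $1 "@" $2; bad = 1
            }
        }
        END { exit bad }'
}

# Constructed rows: what a fresh mysql_install_db leaves on host centos88
# (four root accounts, two anonymous ones, all without a password) ...
sample_before() {
    printf 'root\tlocalhost\t\t\n'
    printf 'root\tcentos88\t\t\n'
    printf 'root\t127.0.0.1\t\t\n'
    printf 'root\t::1\t\t\n'
    printf '\tlocalhost\t\t\n'
    printf '\tcentos88\t\t\n'
}

# ... and what remains after answering y to every mysql_secure_installation
# prompt (root only from local addresses, with a password hash; the hash here
# is a placeholder value, not a real credential).
sample_after() {
    h='*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19'
    printf 'root\tlocalhost\t%s\t\n' "$h"
    printf 'root\t127.0.0.1\t%s\t\n' "$h"
    printf 'root\t::1\t%s\t\n' "$h"
}

# Demo on the constructed rows. On the server, feed the real table instead:
# mysql -uroot -p -N -e "SELECT User, Host, Password, plugin FROM mysql.user" | audit_mysql_accounts
echo "== before mysql_secure_installation =="
sample_before | audit_mysql_accounts || echo "-> findings, harden before exposing the server"
echo "== after =="
sample_after | audit_mysql_accounts && echo "-> clean"
```

The remote-root rule mirrors what the wizard itself deletes (root rows whose Host is not localhost, 127.0.0.1 or ::1), so a clean result means step 8 did what the transcript claims; re-run it after any later GRANT, which the wizard cannot see.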