1. Briefly describe how a DNS server works, and set up a master/slave server pair.
How the DNS service works
1. Resolution by proxy
2. Query along the data link for the HTTP service
3. The server's answer is returned and stored in the DNS cache
4. DNS query cache (queries are either recursive or iterative)
5. The cached result is read and the resolved value returned
Setting up the master/slave servers
[root@centos8 ~]# yum -y install bind
[root@centos8 ~]# cat /etc/named.conf
......
# comment out the two lines below
options {
# listen-on port 53 { 127.0.0.1; };
# allow-query { localhost; };
......
[root@centos8 ~]# vim /etc/named.rfc1912.zones
# add the following
zone "magedu.org" IN {
type master;
file "magedu.org.zone";
};
[root@centos8 ~]# cp -p /var/named/named.localhost /var/named/magedu.org.zone
[root@centos8 ~]# cat /var/named/magedu.org.zone
$TTL 1D
@       IN SOA  master admin.magedu.org. (
                                        20220515   ; serial
                                        1D         ; refresh
                                        1H         ; retry
                                        1W         ; expire
                                        3H )       ; minimum
        NS      master
master  A       10.0.0.28
www     A       10.0.0.27
[root@centos8 ~]# systemctl start named
[root@centos8 ~]# yum -y install httpd
[root@centos8 ~]# echo www.magedu.org > /var/www/html/index.html
[root@centos8 ~]# systemctl start httpd
# test on the client
[root@centos6 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# add one line
DNS1=10.0.0.28
# restart for the change to take effect
[root@centos6 ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
[root@centos6 ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search localdomain leizi
nameserver 10.0.0.28
[root@centos6 ~]# curl www.magedu.org
www.magedu.org
# slave server configuration
[root@centos8 ~]# yum -y install bind
[root@centos8 ~]# cat /etc/named.conf
......
# comment out the two lines below
options {
# listen-on port 53 { 127.0.0.1; };
# allow-query { localhost; };
# add one line: do not allow other hosts to request zone transfers
allow-transfer { none;};
......
[root@centos8 ~]# vim /etc/named.rfc1912.zones
zone "magedu.org" {
type slave;
masters { 10.0.0.28;};
file "slaves/magedu.org.slave";
};
[root@centos8 ~]# systemctl start named
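The following script is an added example, not part of the original notes, for checking the master/slave setup above. It reads a zone file in the same layout as /var/named/magedu.org.zone (a constructed copy of that zone is embedded so it runs offline), extracts the SOA serial, compares serials the way a slave does (RFC 1982 serial arithmetic, so the slave only transfers when the master's serial is newer), and checks that every in-zone NS name has an A record. The two live checks (slave_in_sync, transfer_refused) assume dig from bind-utils and are written for the master 10.0.0.28 and a slave whose address you pass in; they are not exercised offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: offline sanity checks for
# the magedu.org zone and the master/slave relationship described above.
# Assumes bash and awk; slave_in_sync and transfer_refused additionally
# assume dig (bind-utils) and are only meaningful against live servers.
set -u

# Constructed copy of the /var/named/magedu.org.zone shown in the notes.
ZONE_TEXT='$TTL 1D
@       IN SOA  master admin.magedu.org. (
                20220515   ; serial
                1D         ; refresh
                1H         ; retry
                1W         ; expire
                3H )       ; minimum
        NS      master
master  A       10.0.0.28
www     A       10.0.0.27'

# Print the SOA serial of a zone file written in the multi-line SOA style
# above: the first all-digit field after the line containing "SOA".
zone_serial() {
  awk '/SOA/ { in_soa = 1; next }
       in_soa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$1"
}

# RFC 1982 serial-number comparison. Exit 0 when NEW is greater than OLD
# in 32-bit serial arithmetic, which is exactly the condition under which a
# slave holding OLD will transfer the zone. Wrap-around past 2^32-1 is
# handled, so 1 counts as newer than 4294967295.
serial_newer() {
  local new=$1 old=$2 diff
  [ "$new" != "$old" ] || return 1
  diff=$(( (new - old + 4294967296) % 4294967296 ))
  [ "$diff" -lt 2147483648 ]
}

# Every NS target that lives inside the zone (no trailing dot) needs an A
# record in the same file, otherwise resolvers cannot reach the nameserver.
# Prints each NS name lacking one; exits 0 when none are missing.
ns_have_addresses() {
  awk '$1 == "NS" || $2 == "NS" || $3 == "NS" {
         ns = ($1 == "NS") ? $2 : (($2 == "NS") ? $3 : $4)
         if (ns !~ /\.$/) want[ns] = 1
       }
       $2 == "A" || $3 == "A" { have[$1] = 1 }
       END {
         bad = 0
         for (n in want) if (!(n in have)) { print n; bad = 1 }
         exit bad
       }' "$1"
}

# Run all offline checks on one zone file; prints the serial on success.
# On a real server pass /var/named/magedu.org.zone.
check_zone_file() {
  local file=$1 serial
  serial=$(zone_serial "$file")
  [ -n "$serial" ] || { echo "no SOA serial found in $file" >&2; return 1; }
  ns_have_addresses "$file" || return 1
  echo "$serial"
}

# Live check: the slave is in sync when its SOA serial is not older than the
# master's. "dig +short ... SOA" prints: mname rname serial refresh retry expire minimum
slave_in_sync() {
  local master=$1 slave=$2 zone=$3 ms ss
  ms=$(dig +short "@$master" "$zone" SOA | awk '{ print $3 }')
  ss=$(dig +short "@$slave" "$zone" SOA | awk '{ print $3 }')
  { [ -n "$ms" ] && [ -n "$ss" ]; } || return 2
  ! serial_newer "$ms" "$ss"
}

# Live check for the allow-transfer { none; } line on the slave: an AXFR
# request from this host must be refused.
transfer_refused() {
  dig "@$1" "$2" AXFR +time=3 +tries=1 | grep -q 'Transfer failed'
}

# Stand-alone run: check the constructed zone text.
main() {
  local tmp
  tmp=$(mktemp)
  printf '%s\n' "$ZONE_TEXT" > "$tmp"
  check_zone_file "$tmp" && echo "zone checks passed"
  rm -f "$tmp"
}
main
```

After bumping the serial on the master (for example 20220515 to 20220516) and reloading named, `slave_in_sync 10.0.0.28 <slave-ip> magedu.org` should succeed once the slave has refreshed, and `transfer_refused <slave-ip> magedu.org` confirms the allow-transfer restriction is in effect.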
2. Set up and implement intelligent DNS.
3. Use iptables to allow ssh, telnet, ftp and the web service on port 80, and reject every other port and service.
[19:07:07 root@centos7 ~]#iptables -A INPUT -p tcp -m multiport --dport 21,22,23,80 -j ACCEPT
[21:45:08 root@centos7 ~]#iptables -A INPUT -j REJECT
[21:45:29 root@centos7 ~]#iptables -nvl
iptables v1.4.21: unknown option "-nvl"
Try `iptables -h' or 'iptables --help' for more information.
[21:45:36 root@centos7 ~]#iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  139  8088 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 21,22,23,80
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 24 packets, 2144 bytes)
 pkts bytes target     prot opt in     out     source               destination
3. Summary of how NAT works
The basic principle is address translation: when an IP packet travelling between a host on the private network and a host on the public network passes through the NAT gateway, the gateway rewrites the packet's source IP or destination IP, mapping between the private IP and the NAT gateway's public IP.
4. Implement SNAT and DNAT with iptables, and persist the rules.
How to use SNAT
SNAT: a target in the nat table, suited to a fixed public IP
SNAT options:
--to-source [ipaddr[-ipaddr]][:port[-port]]
--random
SNAT syntax:
iptables -t nat -A POSTROUTING -s LocalNET ! -d LocalNet -j SNAT --to-source ExtIP
Implementing SNAT with iptables
# enable IP forwarding
[22:11:34 root@centos7 ~]#cat /etc/sysctl.conf
net.ipv4.ip_forward=1
[22:12:34 root@centos7 ~]#iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j SNAT --to-source 10.0.0.28
How to use DNAT
DNAT: a target in the nat table, used for port mapping. It can redirect to the local host or to a different port on another host, but it does not support multiple targets, i.e. it provides no load balancing.
DNAT options:
--to-destination [ipaddr[-ipaddr]][:port[-port]]
DNAT syntax:
iptables -t nat -A PREROUTING -d ExtIP -p tcp|udp --dport PORT -j DNAT --to-destination InterServerIP[:PORT]
Implementing DNAT with iptables
# enable IP forwarding
[root@centos6 ~]# cat /etc/sysctl.conf
net.ipv4.ip_forward=1
[root@centos6 ~]# iptables -t nat -A PREROUTING -d 192.168.0.8 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.7:8080
Persisting the rules:
CentOS 7, 8
iptables-save > /PATH/TO/SOME_RULES_FILE
CentOS 6
# overwrites the saved rules in /etc/sysconfig/iptables
service iptables save
Loading the rules:
CentOS 7, 8: reload the rules from a saved rules file:
iptables-restore < /PATH/FROM/SOME_RULES_FILE
CentOS 6
service iptables restart # automatically reloads the rules from /etc/sysconfig/iptables
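The following script is an added example, not part of the original notes, that ties question 3 (the filter rules) and question 4 (SNAT, DNAT and persistence) together. It writes one iptables-restore file containing the multiport ACCEPT and catch-all REJECT from question 3 plus the SNAT and DNAT rules in the syntax given above, audits the rule order before loading, and persists with iptables-save as for CentOS 7/8. Two INPUT rules are added that the interactive rules in question 3 do not have: without an ESTABLISHED,RELATED rule the final REJECT also refuses the replies to connections the host opens itself (its own yum or DNS traffic) and the data connections of passive FTP, and without a loopback rule local services cannot talk to each other. The addresses (10.0.0.0/24, 10.0.0.28, 192.168.0.8, 10.0.0.7:8080) are the ones used in the notes; apply_and_persist assumes root with iptables-restore and iptables-save present and is not run offline.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes: generate the rule set for
# question 3 (allow ftp/ssh/telnet/http, reject everything else) together
# with the SNAT/DNAT rules of question 4 as one iptables-restore file, audit
# its ordering, and persist it the CentOS 7/8 way. Assumes bash and awk;
# apply_and_persist assumes root, iptables-restore and iptables-save.
set -u

# Emit an iptables-restore file. Arguments: allowed TCP ports (comma list),
# local network, external IP for SNAT, public IP and internal target for DNAT.
# The loopback and ESTABLISHED,RELATED rules are the ones the interactive
# rules in question 3 lack; they must sit before the catch-all REJECT.
build_rules() {
  local ports=$1 localnet=$2 extip=$3 pubip=$4 target=$5
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ports -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d $pubip -p tcp --dport 80 -j DNAT --to-destination $target
-A POSTROUTING -s $localnet ! -d $localnet -j SNAT --to-source $extip
COMMIT
EOF
}

# Audit a rules file before loading it: the filter table must contain an
# ESTABLISHED,RELATED rule and an unconditional "-A INPUT -j REJECT", and no
# INPUT ACCEPT rule may come after that catch-all (it would never match).
rules_order_ok() {
  awk '/^\*/ { table = substr($0, 2) }
       table == "filter" && $1 == "-A" && $2 == "INPUT" {
         n++
         if ($3 == "-j" && $4 == "REJECT") reject_at = n
         if ($0 ~ /ESTABLISHED,RELATED/) est_at = n
         if ($0 ~ /-j ACCEPT/) last_accept = n
       }
       END {
         if (!est_at)   { print "missing ESTABLISHED,RELATED rule"; exit 1 }
         if (!reject_at) { print "missing catch-all REJECT"; exit 1 }
         if (last_accept > reject_at) { print "ACCEPT after catch-all REJECT"; exit 1 }
         exit 0
       }' "$1"
}

# Turn forwarding on now (writing net.ipv4.ip_forward=1 into /etc/sysctl.conf
# only takes effect after "sysctl -p" or a reboot), load all tables
# atomically, then save the running set to the file iptables-services reads
# at boot on CentOS 7/8. On CentOS 6 use "service iptables save" instead.
apply_and_persist() {
  local file=$1
  sysctl -w net.ipv4.ip_forward=1
  iptables-restore < "$file"
  iptables-save > /etc/sysconfig/iptables
}

main() {
  local tmp
  tmp=$(mktemp)
  build_rules 21,22,23,80 10.0.0.0/24 10.0.0.28 192.168.0.8 10.0.0.7:8080 > "$tmp"
  rules_order_ok "$tmp" && echo "rule order OK, rules written to $tmp"
  # apply_and_persist "$tmp"   # run this line on the gateway host, as root
}
main
```

Loading with iptables-restore replaces the whole table set in one step, so a mistake in the file leaves the previous rules in place rather than a half-applied set; run `rules_order_ok` on the saved file again after any manual `iptables -A` to make sure nothing was appended below the catch-all REJECT.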