Reference: "Building a DNS service on CentOS 7 (complete edition)"
Configuring the DNS service on CentOS 7
CentOS 7 DNS server configuration steps
1. DNS service types
| Host record | Record type | Record value |
| --- | --- | --- |
| ns1 | A | 192.168.1.1 |
| ns2 | A | 192.168.1.2 |
| www | A | 192.168.1.100 |
| bbs | CNAME | www |
| ftp | A | 192.168.1.110 |
| mail | MX 10 | 192.168.1.120 |
1.1 Service configuration notes:
// Forward zone file
[root@localhost ~]# vim /var/named/ssx.com.hosts
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns.ssx.com.
@ IN A 10.11.0.133 ; lets the bare domain ssx.com itself resolve (";" starts a comment in zone files, so this line can stay as is)
dns IN A 10.11.0.133
www IN A 10.11.0.133
smb IN A 10.11.0.133
ftp IN A 10.11.0.133
# =========================================== #
# or (wildcard variant):
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns.ssx.com.
@ IN A 10.11.0.133 ; lets the bare domain ssx.com itself resolve (";" starts a comment in zone files, so this line can stay as is)
* IN A 10.11.0.133
# ================================================================== #
// Reverse zone file
[root@localhost ~]# vi /var/named/ssx.com.back
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.ssx.com.
100 IN PTR dns.ssx.com. ; PTR targets need the trailing dot, otherwise the zone origin is appended
101 IN PTR www.ssx.com.
102 IN PTR smb.ssx.com.
103 IN PTR ftp.ssx.com.
# =========================================== #
# or:
[root@vm ~]# vi /var/named/openshift.hosts.arpa
$TTL 1D
@ IN SOA @ root. (
2019070700 ; serial
3H ; refresh
30M ; retry
2W ; expiry
1W ) ; minimum
@ IN NS ns1.my-ocp-cluster.com.
10 IN PTR api.my-ocp-cluster.com. ; PTR targets need the trailing dot, otherwise the zone origin is appended
11 IN PTR api-int.my-ocp-cluster.com.
12 IN PTR bootstrap.my-ocp-cluster.com.
100 IN PTR master0.my-ocp-cluster.com.
101 IN PTR master1.my-ocp-cluster.com.
102 IN PTR master2.my-ocp-cluster.com.
103 IN PTR worker0.my-ocp-cluster.com.
104 IN PTR worker1.my-ocp-cluster.com.
1.2 Field descriptions:
# Notes
$TTL        cache time-to-live for the records in this zone
@           = zone name = ssx.com, the current domain
IN          Internet class
SOA         Start of Authority
NS          name server
A           IPv4 forward record; maps a name to its IP address
AAAA        IPv6 address record
CNAME       alias
MX          mail exchange record
5           the number is the preference; the lower the number, the higher the priority
PTR         maps an IP address back to its name
0  ; serial   -- update serial number, an integer of up to 10 digits
1D ; refresh  -- refresh interval at which secondaries re-fetch the zone data
1H ; retry    -- retry delay after a failed transfer
3D ; expire   -- expiry time; if the zone still cannot be fetched after this, the secondary gives up
1D ) ; minimum -- TTL for negative (record does not exist) answers
@ stands for the zone; here @ means ssx.com.;
SOA means this resource record is the Start of Authority record;
root.ssx.com. is the administrator's mailbox (root@ssx.com) to contact when there is a problem;
0 is the serial number;
1D means the refresh interval is 1 day;
1H means the retry interval after a failure is 1 hour;
1W means the expire time is 1 week;
3H means the (negative) cache time is 3 hours
dns.ssx.com. is your hostname plus the domain (mind the detail: the trailing dot after com)
Then add the host records:
- NS dns.ssx.com.  the domain name of this server
- dns A 192.168.10.100  dns is the host prefix under ssx.com, mapped to 192.168.10.100
- www A 192.168.10.101  www is the host prefix under ssx.com, mapped to 192.168.10.101
- ftp A 192.168.10.103  ftp is the host prefix under ssx.com, mapped to 192.168.10.103
1.3 DNS record types in detail
1. A record
The A record is the most common and most used record type; it maps a hostname to an IP (IPv4) address.
By adding an A record the site operator binds the domain name to the web server's address.
2. AAAA record
The counterpart of the A record, the AAAA record resolves a domain name to an IPv6 address.
Many domestic (Chinese) resolution providers do not support AAAA records; to use them,
the domain's NS records have to be pointed at a specialised DNS provider.
3. CNAME record
The CNAME record is also a commonly used type; it maps a hostname to another hostname.
When a name should point to another domain name rather than an IP address, a CNAME record is added.
CNAME records are frequently used for CDNs, hosted corporate mail, global traffic management and similar scenarios.
4. NS record
NS records are used to hand a subdomain to another DNS provider for resolution.
In a sense an NS record acts like the A record of the subdomain's name server:
it lets the resolver determine which server answers for that subdomain during a lookup.
Most registrars use their own NS records to resolve customers' domains by default,
but the owner can point the NS records at a more specialised, more secure DNS provider.
5. MX record
The MX (mail exchange) record is used for mail: when a message is sent,
the mail server is located from the domain part of the recipient's address.
The MX preference value matters a great deal: the sender resolves the domain, looks up its MX records,
and contacts the servers in order of preference from the lowest value to the highest.
6. TXT record
TXT records generally carry identifying or descriptive text for a hostname, which makes it easier for others to contact you.
TXT records are also commonly used for SPF anti-spam policy and for DNS validation when issuing SSL certificates.
7. PTR record
The PTR record can be seen as the inverse of the A record: it points an IP address at its hostname,
so that a name can be looked up from an IP address.
8. SOA record
The SOA (Start of Authority) record: while NS records list several name servers,
the SOA record indicates which of those NS servers is the primary.
When a queried name is not cached on any recursive resolver,
the resolver goes to the source and requests the domain's SOA record to find the authoritative server.
9. SRV record
The SRV (service locator) resource record defines the location of servers providing a specific service,
such as the hostname and port number.
10. URL forwarding
URL forwarding points the visited domain at another web address; it comes in explicit and implicit forms.
Explicit URL: visiting the domain redirects to the target address and the address bar shows the target site's URL.
Implicit URL: visiting the domain loads the target site but the address bar keeps the original site's URL.
1.4 Common configuration-check commands
# Check the main configuration file and load every zone it references (-z); the unit file passes "$NAMEDCONF", interactively give the path
[root@localhost ~]# named-checkconf -z /etc/named.conf
# Check only the main configuration file
[root@localhost ~]# named-checkconf
2. Quick installation and configuration examples
2.1 Quick example 1:
# Temporarily disable SELinux and the firewall
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
# Disable permanently (the article's shortcut; on a production host, opening only port 53 in firewalld is preferable)
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# systemctl disable firewalld
# Check the SELinux and firewalld status
[root@localhost ~]# getenforce
Permissive
[root@localhost ~]# systemctl status firewalld
# 1. Install the DNS service
[root@vm ~]# yum -y install bind bind-utils
# 2. Start the DNS service
[root@vm ~]# systemctl enable named --now
[root@vm ~]# systemctl status named
[root@vm ~]# systemctl stop named
[root@vm ~]# systemctl start named
[root@vm ~]# systemctl restart named
# 3. Set the nameserver and edit the ifcfg file
[root@vm ~]# vi /etc/resolv.conf
nameserver 127.0.0.1
[root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3
# Add or change the following (192.168.0.134 is the IP of the machine running this DNS server)
DNS1=192.168.0.134
# Restart the network service
[root@vm ~]# systemctl restart network
# 4. Edit the named.conf configuration file
[root@vm ~]# cp /etc/named.conf{,_bak}
# Notes:
# listen-on port 53 { 192.168.80.150; };  set to this host's own IP address.
# listen-on port 53 { any; };             listen on all IP addresses.
# allow-query { any; };                   allow queries from everyone.
[root@Centos7-1 ~]# vi /etc/named.conf
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
# listen on all IP addresses
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow queries from everyone
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
# recursion, forward and forwarders
recursion yes;
forward first;
forwarders { 8.8.8.8; };
# dnssec-enable and dnssec-validation
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
// include the zone definition files
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
# 5. Edit the zones file and the zone data files
5.1 Edit the zone definitions
[root@vm ~]# cp /etc/named.rfc1912.zones{,_bak}
[root@vm ~]# cat >> /etc/named.rfc1912.zones << EOF
zone "my-ocp-cluster.com" IN {
type master;
file "openshift.hosts";
allow-update { none; };
};
zone "134.0.11.10.in-addr.arpa" IN {
type master;
file "openshift.hosts.arpa";
allow-update { none; };
};
EOF
5.2 Edit the forward zone file
[root@vm ~]# vi /var/named/openshift.hosts
$TTL 1D
@ IN SOA @ root. (
2019070700 ; serial
3H ; refresh
30M ; retry
2W ; expiry
1W ) ; minimum
@ NS ns1.my-ocp-cluster.com.
ns1 IN A 192.168.0.134
helper IN A 192.168.0.134
api IN A 192.168.0.134
api-int IN A 192.168.0.134
*.apps IN A 192.168.0.134
bootstrap IN A 192.168.0.134
master0 IN A 192.168.0.120
master1 IN A 192.168.0.122
master2 IN A 192.168.0.123
worker0 IN A 192.168.0.124
worker1 IN A 192.168.0.125
# 5.3 Edit the reverse zone file
[root@vm ~]# vi /var/named/openshift.hosts.arpa
$TTL 1D
@ IN SOA @ root. (
2019070700 ; serial
3H ; refresh
30M ; retry
2W ; expiry
1W ) ; minimum
@ IN NS ns1.my-ocp-cluster.com.
10 IN PTR api.my-ocp-cluster.com. ; PTR targets need the trailing dot, otherwise the zone origin is appended
11 IN PTR api-int.my-ocp-cluster.com.
12 IN PTR bootstrap.my-ocp-cluster.com.
100 IN PTR master0.my-ocp-cluster.com.
101 IN PTR master1.my-ocp-cluster.com.
102 IN PTR master2.my-ocp-cluster.com.
103 IN PTR worker0.my-ocp-cluster.com.
104 IN PTR worker1.my-ocp-cluster.com.
# After creating the files, set the group ownership so that named can read them
[root@vm ~]# chown :named /var/named/openshift*
# 6. Restart the DNS service
[root@vm ~]# systemctl restart named
# Check the configuration (the main file includes named.rfc1912.zones; -z also loads every zone)
[root@vm ~]# named-checkconf -z /etc/named.conf
# Check the forward zone file
[root@vm ~]# named-checkzone my-ocp-cluster.com /var/named/openshift.hosts
# Check the reverse zone file (the zone name given here must match the one declared in named.rfc1912.zones)
[root@vm ~]# named-checkzone 134.0.168.192.in-addr.arpa /var/named/openshift.hosts.arpa
# 7. Point the other cluster nodes at this DNS server
[root@vm ~]# vi /etc/resolv.conf
[root@openshift-base ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.0.133
[root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3
# Add or change the following (192.168.0.134 is the IP of the machine running this DNS server)
DNS1=192.168.0.134
# Restart the network service
[root@vm ~]# systemctl restart network
# 8. Test forward resolution
# Test the other names the same way
[root@centos7 ~]# nslookup master0.my-ocp-cluster.com
Server: 192.168.0.134
Address: 192.168.0.134#53
Name: master0.my-ocp-cluster.com
Address: 192.168.0.120
# 9. Test reverse resolution
[root@openshift-base ocp]# nslookup 192.168.0.134
120.0.11.10.in-addr.arpa name = master0.my-ocp-cluster.com.
2.2 Minimal installation and configuration example 2
The detailed configuration is covered in the sections that follow:
# 1. Install the DNS service
[root@vm ~]# yum -y install bind bind-utils
# 2. Start the DNS service
[root@vm ~]# systemctl enable named --now
[root@vm ~]# systemctl status named
[root@vm ~]# systemctl stop named
[root@vm ~]# systemctl start named
[root@vm ~]# systemctl restart named
# 3. Set the nameserver
[root@vm ~]# vi /etc/resolv.conf
nameserver 127.0.0.1
# 4. Edit the named.conf configuration file
[root@vm ~]# cp /etc/named.conf{,_bak}
[root@vm ~]# sed -i -e "s/listen-on port.*/listen-on port 53 { any; };/" /etc/named.conf
[root@vm ~]# sed -i -e "s/allow-query.*/allow-query { any; };/" /etc/named.conf
[root@vm ~]# sed -i '/recursion yes;/a \
forward first; \
forwarders { 8.8.8.8; };' /etc/named.conf
[root@vm ~]# sed -i -e "s/dnssec-enable.*/dnssec-enable no;/" /etc/named.conf
[root@vm ~]# sed -i -e "s/dnssec-validation.*/dnssec-validation no;/" /etc/named.conf
# 5. Edit the zones file
[root@vm ~]# cat >> /etc/named.rfc1912.zones << EOF
zone "crc.testing" IN {
type master;
file "crc.testing.zone";
allow-update { none; };
};
zone "apps-crc.testing" IN {
type master;
file "apps-crc.testing.zone";
allow-update { none; };
};
EOF
# NAME_SERVER must hold this DNS server's IP; the heredocs below expand it into the wildcard A records
[root@vm ~]# NAME_SERVER=<this server's IP>
[root@vm ~]# cat > /var/named/crc.testing.zone << EOF
\$TTL 1D
@ IN SOA crc.testing. admin.crc.testing. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.crc.testing.
* IN A ${NAME_SERVER}
EOF
[root@vm ~]# cat > /var/named/apps-crc.testing.zone << EOF
\$TTL 1D
@ IN SOA apps-crc.testing. admin.apps-crc.testing. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.apps-crc.testing.
* IN A ${NAME_SERVER}
EOF
# 6. Restart the DNS service
[root@vm ~]# systemctl restart named
3. Detailed installation steps
3.1 Disable SELinux and the firewall
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
# Disable permanently
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# systemctl disable firewalld
3.2 Configure the network interface
Configure the interface so that it uses the local DNS server; for details see: "CentOS 7: changing the DNS server"
For changing the DNS settings on Windows, see: "Windows 10: changing the DNS configuration"
[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eno16777736
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.1.1
NETMASK=255.255.255.0
DNS1=114.114.114.114
DNS2=127.0.0.1 # use the local DNS service
3.3 Install the DNS service with yum
Install the bind and vim packages:
[root@localhost ~]# yum install -y bind* vim*
# Verify that bind was installed
[root@localhost yum.repos.d]# rpm -aq |grep bind
# Service management
systemctl enable named --now
systemctl status named
systemctl stop named
systemctl start named
systemctl restart named
# Set the local nameserver
[root@localhost yum.repos.d]# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
3.3.1 /etc/named.conf explained:
...... // omitted
options {
listen-on port 53 { 127.0.0.1; }; // local IP address and port on which BIND listens for DNS queries
// listen-on port 53 { any; }; // listen on all IP addresses
listen-on-v6 port 53 { ::1; }; // IPv6, loopback only
directory "/var/named"; // directory holding the zone data files
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; }; // clients allowed to send queries
// allow-query { any; }; // allow queries from everyone
recursion yes;
dnssec-enable yes;
dnssec-validation yes; // set to no to ignore the effect of SELinux
dnssec-lookaside auto;
forwarders { 192.168.1.1; }; // the forwarder(s) to use
// first: ask the forwarders first and fall back to local resolution if they do not answer;
// only: use the forwarders exclusively and return failure to the client if they cannot resolve
forward first;
.....
};
// the following specifies the logging parameters of the BIND service
logging {
channel default_debug {
file "data/named.run"; // log file directory: /var/named/data
severity dynamic;
};
};
zone "." IN { // root server hints; normally not modified
type hint;
file "named.ca";
};
include "/etc/named.zones"; // zone definition file; adjust to your actual setup
include "/etc/named.root.key";
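The allow-query, recursion and forwarders settings explained above interact: recursion yes together with allow-query { any; } and no allow-recursion ACL turns the server into an open resolver, which is exactly what the BIND comment quoted earlier (large-scale DNS amplification) warns about. As an added example (not from the original article), the shell below audits a named.conf for that combination and shows the article's options block beside a restricted one; the acl name "trusted" and the 192.168.10.0/24 range are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_named_conf FILE: exit 1 if FILE configures an open resolver
# (recursion yes + allow-query { any; } with no allow-recursion ACL),
# and warn when DNSSEC validation is off. Comments (#, //, /* */) are removed
# first so that commented-out directives are not counted.

strip_comments() {
    awk '
        {
            line = $0; out = ""
            while (line != "") {
                if (inc) {                          # inside a /* ... */ block
                    p = index(line, "*/")
                    if (p == 0) break
                    line = substr(line, p + 2); inc = 0
                    continue
                }
                a = index(line, "/*"); b = index(line, "//"); c = index(line, "#")
                m = 0                                # earliest comment opener, if any
                if (a) m = a
                if (b && (!m || b < m)) m = b
                if (c && (!m || c < m)) m = c
                if (!m) { out = out line; break }
                out = out substr(line, 1, m - 1)
                if (m == a) { inc = 1; line = substr(line, m + 2) } else break
            }
            print out
        }
    ' "$1"
}

# Normalise to one space-separated token stream: "allow-query {any;};" -> "allow-query { any ; } ;"
tokens() { strip_comments "$1" | sed 's/[{};]/ & /g' | tr -s ' \t\n' ' '; }

audit_named_conf() {
    t=$(tokens "$1")
    rc=0
    if printf '%s' "$t" | grep -Fq 'recursion yes ;' &&
       printf '%s' "$t" | grep -Fq 'allow-query { any ; }' &&
       ! printf '%s' "$t" | grep -Fq 'allow-recursion {'; then
        echo "$1: OPEN RESOLVER: recursion yes + allow-query { any; } without allow-recursion"
        rc=1
    fi
    if ! printf '%s' "$t" | grep -Eq 'dnssec-validation (yes|auto) ;'; then
        echo "$1: warning: dnssec-validation is not yes/auto; answers from forwarders are accepted unverified"
    fi
    return $rc
}

# The options block as configured in this article (weak) ...
weak_options='options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
    forward first;
    forwarders { 8.8.8.8; };
    dnssec-enable no;
    dnssec-validation no;
};'
# ... and a restricted variant: authoritative data for anyone, recursion only for
# our own clients. "trusted" and 192.168.10.0/24 are placeholders.
hardened_options='acl "trusted" { 127.0.0.1; 192.168.10.0/24; };
options {
    listen-on port 53 { any; };
    allow-query { any; };          # authoritative answers may go to anyone
    recursion yes;
    allow-recursion { trusted; };  # recursive service only for our networks
    forward first;
    forwarders { 8.8.8.8; };
    dnssec-validation auto;        # validate what the forwarders return
};'

# Demo: write both variants to temporary files and audit them.
weak=$(mktemp); hard=$(mktemp)
printf '%s\n' "$weak_options" > "$weak"
printf '%s\n' "$hardened_options" > "$hard"
audit_named_conf "$weak" || echo "weak: flagged"
audit_named_conf "$hard" && echo "hardened: ok"
rm -f "$weak" "$hard"
```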
3.3.2 /etc/named.rfc1912.zones explained:
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "ocp4.my-ocp-cluster.com" IN { // forward zone: the base domain to serve; e.g. to resolve *.ssx.com, write ssx.com here
type master;
file "openshift.hosts";
allow-update { none; };
};
zone "134.0.11.10.in-addr.arpa" IN { // reverse zone: the leading octets of the address range (as many as needed), written in reverse order
type master;
file "openshift.hosts.arpa";
allow-update { none; };
};
zone "ssx.com" IN { // forward zone definition, i.e. the domain name; usage example: ping www.ssx.com
type master; // this server is the master for the zone
file "ssx.com.hosts"; // forward zone data file
};
zone "10.168.192.in-addr.arpa" IN { // reverse zone definition; 10.168.192 is the network prefix 192.168.10 (as many leading octets as needed) reversed
type master; // this server is the master for the zone
file "ssx.com.back"; // reverse zone data file
};
Check the DNS server's IP address settings:
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=9f92031e-cb20-4cde-b796-6935a082ba86
DEVICE=ens33
# items to check
BOOTPROTO=static
ONBOOT=yes
IPADDR=192.168.10.1
NETMASK=255.255.255.0
GATEWAY=192.168.10.254
DNS1=192.168.10.1
Verify the configured network:
[root@localhost ~]# ip add
4. Service configuration
4.1 Configuration example 1
4.1.1 Edit the DNS configuration file
[root@Centos7-1 ~]# cp /etc/named.conf /etc/named.conf-bak
# or
[root@Centos7-1 ~]# cp /etc/named.conf{,_bak}
a. Edit /etc/named.conf:
# listen-on port 53 { 192.168.80.150; };  set to this host's own IP address.
# listen-on port 53 { any; };             listen on all IP addresses.
# allow-query { any; };                   allow queries from everyone.
[root@Centos7-1 ~]# vi /etc/named.conf
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
# listen on all IP addresses
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow queries from everyone
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
# recursion, forward and forwarders
recursion yes;
forward first;
forwarders { 114.114.114.114; 8.8.8.8; };
# dnssec-enable and dnssec-validation
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
# include the zone definition files
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
b. Create the corresponding zones file:
[root@Centos7-1 ~]#cp -p /etc/named.rfc1912.zones /etc/named.zones
c. Edit named.zones:
[root@localhost ~]# vim /etc/named.zones
# named.zones contents:
zone "ssx.com" IN { // forward zone definition, i.e. the domain name; usage example: ping www.ssx.com
type master; // this server is the master for the zone
file "ssx.com.hosts"; // forward zone data file
};
zone "10.168.192.in-addr.arpa" IN { // reverse zone definition; 10.168.192 is the network prefix 192.168.10 (as many leading octets as needed) reversed
type master; // this server is the master for the zone
file "ssx.com.back"; // reverse zone data file
};
d. Check the main configuration file:
[root@localhost ~]# named-checkconf
4.1.2 Configure the forward zone file
First copy /var/named/named.localhost to /var/named/ssx.com.hosts to keep the file format (cp -p also keeps ownership and permissions):
[root@localhost ~]#cp -p /var/named/named.localhost /var/named/ssx.com.hosts
a. Edit ssx.com.hosts:
[root@localhost ~]# vim /var/named/ssx.com.hosts
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns.ssx.com.
@ IN A 10.11.0.133 ; lets the bare domain ssx.com itself resolve (";" starts a comment in zone files, so this line can stay as is)
dns IN A 10.11.0.133
www IN A 10.11.0.133
smb IN A 10.11.0.133
ftp IN A 10.11.0.133
# =========================================== #
# or (wildcard variant):
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns.ssx.com.
@ IN A 10.11.0.133 ; lets the bare domain ssx.com itself resolve (";" starts a comment in zone files, so this line can stay as is)
* IN A 10.11.0.133
b. Check the forward zone file
[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hosts
zone ssx.com/IN: loaded serial 0
OK
4.1.3 Configure the reverse zone file
First copy the forward zone file to /var/named/ssx.com.back
[root@localhost ~]#cp -p /var/named/ssx.com.hosts /var/named/ssx.com.back
[root@localhost ~]# vi /var/named/ssx.com.back
$TTL 1D
@ IN SOA @ root.ssx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.ssx.com.
100 IN PTR dns.ssx.com. ; PTR targets need the trailing dot, otherwise the zone origin is appended
101 IN PTR www.ssx.com.
102 IN PTR smb.ssx.com.
103 IN PTR ftp.ssx.com.
Check the reverse zone file:
[root@localhost ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/ssx.com.back
zone 10.168.192.in-addr.arpa/IN: loaded serial 0
OK
4.1.4 Start the named service
[root@localhost ~]# systemctl start named
[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2019-06-02 14:03:52 CST; 5s ago
Process: 4860 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
Process: 3348 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Process: 4872 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 4870 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 4874 (named)
Tasks: 4
CGroup: /system.slice/named.service
└─4874 /usr/sbin/named -u named -c /etc/named.conf
6月 02 14:03:52 www.ssx.com named[4874]: zone 10.168.192.in-addr.arpa/IN: loaded ... 0
6月 02 14:03:52 www.ssx.com named[4874]: zone 1.0.0.127.in-addr.arpa/IN: loaded s... 0
6月 02 14:03:52 www.ssx.com named[4874]: zone localhost.localdomain/IN: loaded se... 0
6月 02 14:03:52 www.ssx.com named[4874]: zone ssx.com/IN: loaded serial 0
6月 02 14:03:52 www.ssx.com named[4874]: zone localhost/IN: loaded serial 0
6月 02 14:03:52 www.ssx.com named[4874]: all zones loaded
6月 02 14:03:52 www.ssx.com named[4874]: running
6月 02 14:03:52 www.ssx.com systemd[1]: Started Berkeley Internet Name Domain (DNS).
6月 02 14:03:52 www.ssx.com named[4874]: zone ssx.com/IN: sending notifies (serial 0)
6月 02 14:03:52 www.ssx.com named[4874]: zone 10.168.192.in-addr.arpa/IN: sending...0)
Hint: Some lines were ellipsized, use -l to show in full.
4.1.5 Test forward resolution
[root@centos7 ~]# nslookup smb.ssx.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: smb.ssx.com
Address: 192.168.10.102
4.1.6 Test reverse resolution
[root@localhost ~]# nslookup 192.168.10.101
Server: 192.168.10.200
Address: 192.168.10.200#53
101.10.168.192.in-addr.arpa name = www.ssx.com.
4.1.7 Linux client test
Client1 can reach the DNS server
a. On the client:
[root@Client1 ~]# vim /etc/resolv.conf
nameserver 192.168.10.100
search ssx.com
b. Disable the firewall on the Linux client
[root@Client1 ~]#systemctl stop firewalld
c. Verify from the client
[root@client1 ~]# nslookup
> server          // shows the DNS server actually in use
> www.ssx.com     // shows the configured forward record
> 192.168.10.102  // shows the configured reverse record
4.2 Configuration example 4
4.2.1 Edit the main configuration file (named.conf)
[root@localhost ~]# vim /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursion yes;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
4.2.2 Edit the zone configuration file (named.rfc1912.zones)
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
type master;
file "infanx.com.loopback";
allow-update { none; };
};
zone "infanx.com" IN {
type master;
file "infanx.com.empty";
allow-update { none; };
};
4.2.3 Edit the forward and reverse zone files
[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost infanx.com.empty
[root@localhost named]# cp -p named.loopback infanx.com.loopback
Forward file:
$TTL 1D
@ IN SOA ns1.infanx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1
IN NS ns2
ns1 IN A 192.168.1.1
ns2 IN A 192.168.1.2
www IN A 192.168.1.100
bbs IN CNAME www
ftp IN A 192.168.1.110
@ IN MX 10 mail.infanx.com. ; an MX target must be a host name, not an address
mail IN A 192.168.1.120
Reverse file:
$TTL 1D
@ IN SOA ns1.infanx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.infanx.com.
IN NS ns2.infanx.com.
1 IN PTR ns1.infanx.com.
2 IN PTR ns2.infanx.com.
100 IN PTR www.infanx.com.
100 IN PTR bbs.infanx.com.
110 IN PTR ftp.infanx.com.
120 IN PTR mail.infanx.com.
4.4 Configuration example 5
4.4.1 Edit the main configuration file (named.conf)
The default configuration is sufficient:
[root@localhost ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
forward first;
forwarders { 114.114.114.114; 8.8.8.8; };
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
4.4.2 Edit the zone configuration file (named.rfc1912.zones)
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "api.crc.testing" IN {
type master;
file "api.crc.testing.zone";
allow-update { none; };
};
zone "console-openshift-console.apps-crc.testing" IN {
type master;
file "console-openshift-console.apps-crc.testing.zone";
allow-update { none; };
};
4.4.3 Edit the forward and reverse zone files
[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost console-openshift-console.apps-crc.testing.zone
[root@localhost named]# cp -p named.loopback api.crc.testing.zone
Forward file:
vi api.crc.testing.zone
$TTL 1D
@ IN SOA ns1.infanx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1
IN NS ns2
ns1 IN A 192.168.1.1
ns2 IN A 192.168.1.2
www IN A 192.168.1.100
bbs IN CNAME www
ftp IN A 192.168.1.110
@ IN MX 10 mail.infanx.com. ; an MX target must be a host name, not an address
mail IN A 192.168.1.120
Reverse file:
$TTL 1D
@ IN SOA ns1.infanx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.infanx.com.
IN NS ns2.infanx.com.
1 IN PTR ns1.infanx.com.
2 IN PTR ns2.infanx.com.
100 IN PTR www.infanx.com.
100 IN PTR bbs.infanx.com.
110 IN PTR ftp.infanx.com.
120 IN PTR mail.infanx.com.
4.4.4 Check the forward zone file
[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hosts
4.5 Restart the DNS service
[root@localhost named]# systemctl restart named
4.6 Test the resolution records
Configured according to the result of section 2.2:
[root@localhost named]# nslookup
> ns1.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: ns1.infanx.com
Address: 192.168.1.1
> ns2.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: ns2.infanx.com
Address: 192.168.1.2
> www.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: www.infanx.com
Address: 192.168.1.100
> bbs.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
bbs.infanx.com canonical name = www.infanx.com.
Name: www.infanx.com
Address: 192.168.1.100
> ftp.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: ftp.infanx.com
Address: 192.168.1.110
> mail.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Name: ftp.infanx.com
Address: 192.168.1.120
> 192.168.1.1
Server: 192.168.100.100
Address: 192.168.100.100#53
1.1.168.192.in-addr.arpa name = ns1.infanx.com.
> 192.168.1.2
Server: 192.168.100.100
Address: 192.168.100.100#53
2.1.168.192.in-addr.arpa name = ns2.infanx.com.
> 192.168.1.100
Server: 192.168.100.100
Address: 192.168.100.100#53
100.1.168.192.in-addr.arpa name = bbs.infanx.com.
100.1.168.192.in-addr.arpa name = www.infanx.com.
> 192.168.1.110
Server: 192.168.100.100
Address: 192.168.100.100#53
110.1.168.192.in-addr.arpa name = ftp.infanx.com.
> 192.168.1.120
Server: 192.168.100.100
Address: 192.168.100.100#53
120.1.168.192.in-addr.arpa name = mail.infanx.com.
5. Caching DNS (forwarder) (optional)
Install the DNS service on a second server to act as a caching DNS for the primary DNS server
5.1 Service configuration
Install the DNS service
Edit the main configuration file
[root@localhost ~]# vim /etc/named.conf
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursion yes;
// the forwarder(s) to use
forwarders { 192.168.1.1; };
// first: ask the forwarders first and fall back to local resolution if they do not answer;
// only: use the forwarders exclusively and return failure to the client if they cannot resolve
forward first;
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside auto;
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
Alternatively, edit the zone configuration file to configure a per-zone forwarder; the principle is the same as above
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "infanx.com" IN {
type forward;
forwarders { 192.168.1.1; };
forward first;
};
Restart the DNS service
Verify by looking into the slaves directory
[root@localhost ~]# cd /var/named/slaves
[root@localhost slaves]# ll
总用量 8
-rw-r--r--. 1 named named 466 2月 17 00:00 infanx.com.empty
-rw-r--r--. 1 named named 466 2月 17 00:00 infanx.com.loopback
6. Secondary DNS (DNS cluster) (optional)
6.1 Requirements
Add NS and A records for the secondary DNS server to the primary's forward and reverse zone files.
6.2 Service configuration
Install the DNS service and edit the zone configuration file
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
type slave;
file "slaves/infanx.com.loopback";
masters { 192.168.1.1; };
};
zone "infanx.com" IN {
type slave;
file "slaves/infanx.com.empty";
masters { 192.168.1.1; };
};
zone "<zone name>" IN {
type slave; // zone type: secondary
file "slaves/<file name>"; // the file must live under slaves/; named has no write permission elsewhere
masters { IP1; IP2; }; // the primary server(s)
};
Whenever the zone file is changed on the primary, the SOA serial must be incremented, because the slave decides whether to transfer the zone by comparing serial values.
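Forgetting that increment is the classic reason a slave keeps serving stale data after the master was edited. As an added example (not from the original article), the shell function below bumps the serial in place; it assumes the "; serial" comment that every zone file on this page carries next to the number, and the zone file it runs on is constructed.

```shell
#!/bin/sh
# Added example, not from the original article.
# get_serial FILE  : print the SOA serial (the number tagged "; serial", as in all zone files above)
# bump_serial FILE : replace it with serial+1, preserving the line's layout, and print old -> new.
# Run bump_serial before "rndc reload <zone>" on the master so that slaves transfer the new zone.
get_serial() {
    awk 'match($0, /[0-9]+[ \t]*;[ \t]*serial/) {
             s = substr($0, RSTART, RLENGTH); sub(/[^0-9].*/, "", s); print s; exit
         }' "$1"
}

bump_serial() {
    zone="$1"
    old=$(get_serial "$zone")
    if [ -z "$old" ]; then
        echo "$zone: no '<number> ; serial' line found" >&2
        return 1
    fi
    # awk arithmetic avoids the shell treating a zero-padded serial as octal
    new=$(awk -v s="$old" 'BEGIN { printf "%d", s + 1 }')
    tmp="$zone.tmp.$$"
    # rewrite only the first serial line; copying back over the original keeps its owner/mode
    awk -v new="$new" '
        !done && match($0, /[0-9]+[ \t]*;[ \t]*serial/) {
            rest = substr($0, RSTART); sub(/^[0-9]+/, new, rest)
            $0 = substr($0, 1, RSTART - 1) rest; done = 1
        }
        { print }' "$zone" > "$tmp" && cat "$tmp" > "$zone" && rm -f "$tmp" || return 1
    echo "$zone: serial $old -> $new"
}

# Demo on a constructed copy of the infanx.com forward zone from this article.
demo=$(mktemp)
cat > "$demo" <<'EOF'
$TTL 1D
@ IN SOA ns1.infanx.com. rname.invalid. (
        2019070700 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        IN NS ns1
ns1 IN A 192.168.1.1
EOF
bump_serial "$demo"
rm -f "$demo"
```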
7. Child DNS (subdomain delegation) (optional)
The parent DNS already has its basic forward zone file configured.
The parent DNS delegates the subdomain frp.infanx.com.
7.1 Add an NS record to the parent's forward zone pointing to the child's primary DNS
Install the DNS service on the subdomain server.
In the parent's forward zone file, add the NS record for the child zone together with its glue A record:
frp IN NS ns1.frp
ns1.frp IN A 192.168.1.200
7.2 On the child server, edit the zone configuration file
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "frp.infanx.com" IN {
type master;
file "frp.infanx.com.empty";
allow-update { none; };
};
7.3 Create the child's forward zone file and add its records
[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost frp.infanx.com.empty
[root@localhost named]# vim frp.infanx.com.empty
$TTL 1D
@ IN SOA ns1.frp.infanx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1
ns1 IN A 192.168.1.200
nj IN A 192.168.1.201
hz IN A 192.168.1.202
sh IN A 192.168.1.203
7.4 Restart the service and test
[root@localhost named]# systemctl restart named
[root@localhost named]# nslookup
> ns1.frp.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: ns1.frp.infanx.com
Address: 192.168.100.200
> nj.frp.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: nj.frp.infanx.com
Address: 192.168.1.201
> hz.frp.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: hz.frp.infanx.com
Address: 192.168.1.202
> sh.frp.infanx.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: sh.frp.infanx.com
Address: 192.168.1.203