DNS是Domain Name System的英文缩写,被翻译为域名系统,是英特网的一项核心服务,它作为可以将域名和IP相互映射的一个数据库,使用户在访问互联网时只需要记住简单的域名(如www.baidu.com),而不需要记住复杂的被机器直接读取的IP数字串,即DNS的工作就是当用户在输入域名时,帮助用户自动找到该域名对应的IP从而使用户在使用互联网时更加方便。
一、DNS的高速缓存
在虚拟机Desktop内操作:
[root@dns ~]# nm-connection-editor ##添加IP:172.25.254.129
[root@dns ~]# vim /etc/yum.repos.d/rhel_dvd.repo ##配置YUM源
[root@dns ~]# yum search dns ##查找相关安装包
[root@dns ~]# yum install bind -y ##下载DNS
[root@dns ~]# systemctl start firewalld
[root@dns ~]# systemctl stop firewalld ##关闭火墙
[root@dns ~]# cat /etc/rndc.key ##查看密钥文件,此时还不存在;启动 named 后会自动生成(生成密钥需要随机熵,若等待较久可在虚拟机里敲键盘产生熵)
cat: /etc/rndc.key: No such file or directory
[root@dns ~]# systemctl start named
[root@dns ~]# cat /etc/rndc.key ##启动 named 后密钥文件已自动生成
key "rndc-key" {
algorithm hmac-md5;
secret "kOP3eM8YWlVv84biS8w3RA==";
};
[root@dns ~]# netstat -antlpe | grep named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 106943 2999/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 106886 2999/named
tcp6 0 0 ::1:953 :::* LISTEN 25 106944 2999/named
tcp6 0 0 ::1:53 :::* LISTEN 25 106888 2999/named
[root@dns ~]# rpm -qc bind ##查看配置文件
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
[root@dns ~]# vim /etc/named.conf ##找到配置文件
内容:
options {
listen-on port 53 { any; }; ##在本机所有 IPv4 地址上监听 53 端口
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; ##允许任意来源的客户端向本服务器查询
forwarders { 114.114.114.114; }; ##本机没有缓存或权威数据时,把查询转发给的上游 DNS
dnssec-validation no; ##关闭 DNSSEC 校验
[root@dns ~]# systemctl restart named ##重启
[root@dns ~]# vim /etc/resolv.conf ##让本机把 DNS 查询发给这台虚拟机
内容:
nameserver 172.25.254.129
[root@dns ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 54214
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 13 msec
;; SERVER: 172.25.254.129#53(172.25.254.129)
;; WHEN: Sat May 19 03:54:58 EDT 2018
;; MSG SIZE rcvd: 42
[kiosk@foundation29 Desktop]$ su - root
Password:
Last login: Sat May 19 15:22:51 CST 2018 on pts/4
[root@foundation29 ~]# vim /etc/resolv.conf ##让真机把 DNS 查询发给这台虚拟机
内容:
nameserver 172.25.254.129
[root@foundation29 ~]# dig www.baidu.com
第二次查询明显比第一次快,因为第一次查询的结果已经被缓存在本地 DNS 服务器中。
二、DNS的正向解析
[root@dns ~]# vim /etc/named.rfc1912.zones ##编写域文件,如下,一定记住注意空格以及符号
内容:
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { none; };
};
[root@dns named]# cd /var/named/ ##DNS的环境
[root@dns named]# ls ##显示
data named.ca named.localhost slaves
dynamic named.empty named.loopback westos.com.zone
[root@dns named]# cp -p named.localhost westos.com.zone ##-p 保留模板的属主、权限和时间戳,避免新文件因权限问题无法被 named 读取
[root@dns named]# vim westos.com.zone ##解析文件,切记空格问题。
内容:
$TTL 1D
2 @ IN SOA dns.westos.com. jane.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.129
10 hello A 172.25.254.229
[root@dns named]# systemctl restart named ##重启 DNS;如果报错,先检查火墙是否已关闭,再检查配置内容是否写错。
“@”符表示在子配置文件中所设定的那个域名(westos.com),该文件中所有的完整域名如dns.westos.com的结尾都需要添加一个“.”,否则会被视为相对名称而自动追加该域名(westos.com)
第一行的TTL是一种设定,后面的1D表示该记录文件里面的各项记录的预设TTL值为86400秒,即刚好一天
IN定义出目前的记录类型是属于internet class的
SOA表示目前区域的授权记录开始,其后面的值为区域授权主机和管理信箱
serial表示修改的时间及次数,当自己在修改记录文件时需要更改serial的值,否则修改无法被slave识别;
refresh表示数据多久进行一次更新
retry表示如果slave的对数据更新失败后,多久后进行重试
expire记录逾期时间,即超过该时间slave未与master进行联系,系统会放弃retry并标记该数据标识为过期
minimum最小预设TTL的值,如果在文件开头没有设置TTL的值,将以该处的值为准
这里172.25.254.129表示名称服务器dns.westos.com本身的地址;172.25.254.229表示把要维护的域www.westos.com解析为172.25.254.229;
NS表示域名的名称服务器;
A表示名称至ipv4地址。
[root@dns named]# vim /etc/resolv.conf ##编写配置文件,加入虚拟机的IP,使其向虚拟机提问
写进去: nameserver 172.25.254.129
[root@dns named]# dig hello.westos.com ##问一下,记住,这里要写的是解析文件里的名称
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43234 ##成功
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com. IN A
;; ANSWER SECTION:
hello.westos.com. 86400 IN A 172.25.254.229 ##出现了hello后的IP
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.129
;; Query time: 0 msec ##时间很快
;; SERVER: 172.25.254.129#53(172.25.254.129)
;; WHEN: Sat May 19 04:26:29 EDT 2018
;; MSG SIZE rcvd: 95
CNAME解析轮询
[root@dns named]# ls
data named.ca named.localhost slaves
dynamic named.empty named.loopback westos.com.zone
[root@dns named]# vim westos.com.zone
内容是:
1 $TTL 1D
2 @ IN SOA dns.westos.com. jane.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.129
10 hello A 172.25.254.229
11 www CNAME nodel.westos.com. ##CNAME 是别名记录,把一个名称指向另一个规范名称;nodel 对应多条 A 记录时即可实现轮询
12 nodel A 172.25.254.111
13 nodel A 172.25.254.222
[root@dns named]# systemctl restart named ##重启DNS
[root@dns named]# dig www.westos.com
[root@dns named]# dig www.westos.com
##对比两次 dig 的结果会发现,172.25.254.111 和 172.25.254.222 的先后顺序在轮换
三、反向解析
[root@dns ~]# vim /etc/resolv.conf ##确定自己的虚拟机IP在内
[root@dns ~]# vim /etc/named.rfc1912.zones ##编写域文件
内容是:
zone "254.25.172.in-addr.arpa" IN {
type master;
file "westos.com.ptr";
allow-update { none; };
};
[root@dns ~]# cd /var/named ##dns的环境
[root@dns named]# ls
data named.ca named.localhost slaves
dynamic named.empty named.loopback westos.com.zone
[root@dns named]# cp -p named.loopback westos.com.ptr ##以 named.loopback 作为 westos.com.ptr 的模板
[root@dns named]# ls
data named.ca named.localhost slaves westos.com.zone
dynamic named.empty named.loopback westos.com.ptr
[root@dns named]# vim westos.com.ptr
##编写解析文件,PTR 表示地址至名称,为了查看结果明显,将111 222 表示两个不同的域名
内容是:
1 $TTL 1D
2 @ IN SOA dns.westos.com. jane.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.129
10 111 PTR www.westos.com.
11 222 PTR hello.westos.com.
[root@dns named]# systemctl restart named ##重启
[root@dns named]# dig -x 172.25.254.111
##111 对应的 www.westos.com
[root@dns named]# dig -x 172.25.254.222
##222 对应 hello.westos.com
四、双向解析
[root@dns named]# cp -p westos.com.zone westos.com.inter
[root@dns named]# ls
data named.ca named.localhost slaves westos.com.ptr
dynamic named.empty named.loopback westos.com.inter westos.com.zone
[root@dns named]# vim westos.com.inter
:%s/172.25.254/192.168.0/g
[root@dns named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter
[root@dns named]# vim /etc/named.rfc1912.inter
内容是:
zone "westos.com" IN {
type master;
file "westos.com.inter"; ##改zone为inter
allow-update { none; };
};
[root@dns named]# vim /etc/named.conf ## 注释/* */ 掉原来的写入新的
[root@dns named]# systemctl restart named
localnet 视图表示内网,这里匹配的用户只有本机(用 IP 表示即 172.25.254.129),其 include 指向上面创建好的内网区域文件
inter 视图表示外网,匹配其余所有用户(用 IP 表示,稍后用客户端测试),其 include 指向上面创建好的外网区域文件
[root@dns named]# dig www.westos.com ##虚拟机dig 对应的是172
[root@foundation66 ~]# vim /etc/resolv.conf ##一定写 nameserver 172.25.254.129 到第一行
[root@foundation66 ~]# dig www.westos.com ##真机dig 对应的192
五、解析辅助
[root@dns named]# vim /etc/named.conf ##打开之前注释掉的,注释掉之前写的
[root@dns named]# systemctl restart named
这里需要再打开一台虚拟机,重置网络(IP 配置为 172.25.254.229),DNS 解析(nameserver=172.25.254.229),完成后重启网络;配置好 yum 源;将其主机名改为 dns-slave。下面在 229 这台主机上
打开server操作:
[root@dns-slave ~]# yum install bind -y ##下载DNS
[root@dns-slave ~]# vim /etc/named.conf ##打开主配置文件
内容是:
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
dnssec-validation no;
[root@dns-slave ~]# vim /etc/named.rfc1912.zones
内容是:
zone "westos.com" IN {
type slave;
masters { 172.25.254.129; };
file "slaves/westos.com.zone";
allow-update { none; };
};
[root@dns-slave ~]# systemctl restart named
在desktop里操作:
[root@dns named]# vim /etc/named.rfc1912.zones
内容是:
zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 also-notify { 172.25.254.229; };
30
31 };
[root@dns named]# vim westos.com.zone
[root@dns named]# systemctl restart named
在server操作:
[root@dns-slave ~]# systemctl stop firewalld
[root@dns-slave ~]# systemctl disable firewalld
[root@dns-slave ~]# dig www.westos.com
六、DNS远程更新
在desktop操作:
[root@dns named]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.66; }; ##这里写的是真机IP
29 also-notify { 172.25.254.229; };
30
31 };
[root@dns named]# systemctl restart named
[root@dns named]# > /var/log/messages
[root@dns named]# cd /var/named
[root@dns named]# ls
data named.ca named.localhost slaves westos.com.ptr
dynamic named.empty named.loopback westos.com.inter westos.com.zone
[root@dns named]# cp -p westos.com.zone /mnt/ ##用来还原备用
[root@dns named]# chmod 770 /var/named/ ##给 named 组写权限(g+w),named 才能在该目录下写入动态更新产生的 .jnl 日志文件
[root@dns named]# ll -d
drwxrwx--- 5 root named 4096 May 20 00:57 .
在真机里操作:
[kiosk@foundation66 Desktop]$ nsupdate
> server 172.25.254.129
> update add test.westos.com 86400 A 172.25.254.111
> send
>
在真机里重新打开一个shell测试(或者在server里测试也可以)
[kiosk@foundation66 Desktop]$ dig test.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> test.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29845
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.westos.com. IN A
;; ANSWER SECTION:
test.westos.com. 86400 IN A 172.25.254.111 ##测试成功
在desktop里操作:
[root@dns named]#systemctl restart named
[root@dns named]# vim westos.com.zone ##就可以看到被改变
在真机里操作:
[kiosk@foundation29 Desktop]$ nsupdate
> server 172.25.254.129
> update add test.westos.com 86400 A 172.25.254.111
> send
> update delete test.westos.com ##删除
> send
在desktop里操作:为了还原之前的westos.com.zone,前提是有 cp -p westos.com.zone /mnt/
[root@dns named]# ll
[root@dns named]# rm -fr westos.com.zone*
[root@dns named]# ll
[root@dns named]# cp -p /mnt/westos.com.zone .
[root@dns named]# ll
七、DNS远程更新加密
(上面那种方法只按来源 IP 授权,而来源 IP 并不能证明身份:别人把自己的 IP 改成同一个地址就可以更改你的区域数据,所以比较危险,需要改用密钥(TSIG)来认证更新请求)
[root@dns named]# cd
[root@dns ~]# cd /mnt/
[root@dns mnt]# ls
westos.com.zone
[root@dns mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos ##加密类型为HMAC-MD5,大小为128,名称为westos。
Kwestos.+157+01563
[root@dns mnt]# ls
Kwestos.+157+01563.key Kwestos.+157+01563.private westos.com.zone
##这两个文件里的密钥是一样的;后面 /etc/westos.key 里的 secret 必须与 .private 文件中的 Key 值一致
[root@dns mnt]# cat Kwestos.+157+01563.key
westos. IN KEY 512 3 157 8IAvvrObwVuXlmD5frD0Bg==
[root@dns mnt]# cat Kwestos.+157+01563.private
Key: 8IAvvrObwVuXlmD5frD0Bg==
[root@dns mnt]# cp /etc/rndc.key /etc/westos.key -p
[root@dns mnt]# vim /etc/westos.key
内容是:
1 key "westos" {
2 algorithm hmac-md5;
3 secret "g7MUqB3GbJJVyBeaiBIbFw==";
4 };
~
[root@dns mnt]# vim /etc/named.conf
内容是:
43 include "/etc/westos.key";
[root@dns mnt]# vim /etc/named.rfc1912.zones
内容是:
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { key westos; };
29 also-notify { 172.25.254.229; };
30
31 };
[root@dns mnt]# systemctl restart named
[root@dns mnt]# ls
Kwestos.+157+14557.key Kwestos.+157+14557.private westos.com.zone
[root@dns mnt]# scp Kwestos.+157+14557.* root@172.25.254.229:/mnt/
在server里操作:
[root@dns-slave ~]# cd /mnt/
[root@dns-slave mnt]# ls
Kwestos.+157+14557.key Kwestos.+157+14557.private
[root@dns-slave mnt]# nsupdate -k Kwestos.+157+14557.private
> server 172.25.254.129
> update add hello.westos.com 86400 A 172.25.254.111
> send
; TSIG error with server: tsig indicates error
update failed: NOTAUTH(BADSIG) ##BADSIG 表示服务器校验 TSIG 签名失败,这里是因为修改 /etc/westos.key 后没有在 desktop 内重启 named;同时要确认 secret 与 .private 文件中的 Key 一致
> send ##重启之后就可以了
在desktop(主服务器端)查看:
[root@dns named]# dig hello.westos.com
在server里删除hello
[root@dns-slave mnt]# nsupdate -k Kwestos.+157+01563.private
> server 172.25.254.129
> update add hello.westos.com 86400 A 172.25.254.111
> send
> update delete hello.westos.com
> send
>
在desktop(主服务器端)查看
[root@dns named]# dig hello.westos.com
八、DHCP对DNS进行动态更新
动态域名解析(DDNS,类似花生壳这类服务的原理)
以下步骤就是还原DNS的文件:
[root@dns mnt]# cd /var/named/
[root@dns named]# ls
data named.empty slaves westos.com.zone
dynamic named.localhost westos.com.inter westos.com.zone.jnl
named.ca named.loopback westos.com.ptr
[root@dns named]# rm -fr westos.com.zone*
[root@dns named]# ll
[root@dns named]# cp -p /mnt/westos.com.zone .
[root@dns named]# ll
[root@dns named]# systemctl restart named
在server中:
hostnamectl set-hostname linux.westos.com ##改名字就是为了让DHCP远程操作
再删除网关和IP,即:
vim /etc/sysconfig/network-scripts/ifcfg-eth0
systemctl restart network ##删除静态 IP 后网络暂时起不来,待 DHCP 配置完成后再切换为 dhcp 模式重启
[root@dns named]# yum install dhcp -y
[root@dns named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf ##安装DHCP模板配置文件命令
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@dns named]# vim /etc/westos.key ##查看钥匙
[root@dns named]# vim /etc/dhcp/dhcpd.conf
内容是:
7 option domain-name "westos.com";
8 option domain-name-servers 172.25.254.129;
打开注释掉的14行并改成 14 ddns-update-style interim;
删除27行
30 subnet 172.25.254.0 netmask 255.255.255.0 {
31 range 172.25.254.80 172.25.254.90;
32 option routers 172.25.254.129;
33 }
34 key westos {
35 algorithm hmac-md5;
36 secret g7MUqB3GbJJVyBeaiBIbFw==;
37 };
38 zone westos.com. {
39 primary 127.0.0.1;
40 key westos;
41 }
[root@dns named]# systemctl restart dhcpd
在server(客户端)客户端修改主机名字为
linux.westos.com
将其网络模式设置为dhcp并重启网络服务
dig linux.westos.com ##观测