DNS and Bind

I. Installing and configuring BIND

1. BIND: Berkeley Internet Name Domain; now maintained by ISC.org, which also provides the DHCPD server

1. dns: a protocol
2. bind: one implementation of the DNS protocol
3. named: the process name of the running bind program

2. bind packages: list them with yum list all bind*

Packages normally installed by default
1. bind-libs: library files shared by the programs in the bind and bind-utils packages
2. bind-utils: the bind client tool set, e.g. dig, host, nslookup
Packages normally not installed by default
1. bind: the DNS server program itself, plus a few commonly used test programs
2. bind-chroot: optional; runs named in jail mode, i.e. inside a temporary root directory, so that a hijacked named process is contained there

3. bind: install it with yum -y install bind

1. Main configuration file: /etc/named.conf, plus the other files it includes
   1) /etc/named.iscdlv.key
   2) /etc/named.rfc1912.zones
   3) /etc/named.root.key
2. Zone data files: located under /var/named; they are usually named ZONE_NAME.zone
  Note:
     1) One DNS server can serve several zones at the same time
     2) The root zone hint file named.ca is mandatory
     3) There should also be two zone files for localhost and 127.0.0.1, the forward and reverse zones of the loopback address: the forward zone file is named.localhost, the reverse zone file is named.loopback
[root@sakura ~]# ls /var/named/
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
ps: note that there are 13 root name servers worldwide

4. rndc: remote name domain controller

953/tcp: it listens on TCP port 953, but by default only on the 127.0.0.1 address, so only local use is allowed

5. Once the bind package is installed it can be used as a caching name server right away; if there is no zone this server is specifically responsible for, the service can simply be started

1. CentOS 6: service named start
2. CentOS 7: systemctl start named.service

6. Main configuration file format

"Main configuration file format"
   1. Global options section: options {...}
   2. Logging section: logging {...}
   3. Zone sections: zone {...}; i.e. the zones this host is responsible for resolving, or forwards
   ps: note that every configuration statement must end with a semicolon, and the closing } of a block must be followed by a semicolon as well, otherwise there is a syntax error
"Configuring a caching name server"
   1. Listen on an address that can communicate with external hosts
      1) the directive is listen-on port 53 { ADDRESS; };
      2) e.g. listen-on port 53 { 192.168.3.100; };
   2. When testing, it is advisable to turn off dnssec (DNS Security)
      1) dnssec-enable no;
      2) dnssec-validation no;
      3) dnssec-lookaside no;
      4) In this test the third item was not found in the named configuration file
   3. Turn off the local-only query restriction
      1) //allow-query  { localhost; };
"Checking the configuration file for syntax errors"
   1. named-checkconf [/etc/named.conf]
   [root@sakura ~]# named-checkconf /etc/named.conf
"Start named once the check passes"
[root@sakura ~]# systemctl start named.service 
[root@sakura ~]# systemctl status named.service 
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2019-06-14 23:32:00 CST; 5s ago
"Check the ports: both the TCP and the UDP port 53 are now in the listening state"
ps: note
   1. the port 953 on 127.0.0.1 that rndc listens on is also in the listening state
   2. the DNS service listens on tcp/53, used for zone transfers, and on udp/53, used for resolution
[root@sakura ~]# netstat -tunlp | grep ".*named"
tcp        0      0 192.168.3.100:53        0.0.0.0:*               LISTEN      10225/named         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10225/named         
tcp6       0      0 ::1:53                  :::*                    LISTEN      10225/named         
tcp6       0      0 ::1:953                 :::*                    LISTEN      10225/named         
udp        0      0 192.168.3.100:53        0.0.0.0:*                           10225/named         
udp6       0      0 ::1:53                  :::*                                10225/named   
"Point the DNS server setting at this host"
[root@sakura ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.3.100
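The settings above are fine for a lab, but a named.conf with DNSSEC validation off and no allow-query restriction is an open, non-validating resolver as soon as the listen address is reachable from untrusted networks. The following Python check is added here and is not from the original post: it parses the options block and reports those two conditions. LAB_CONF is a constructed options block mirroring the settings above, and the defaults it assumes (recursion yes, allow-recursion falling back to allow-query, allow-query defaulting to any) are BIND 9's documented defaults.

```python
import re

def statements(block):
    """Split a named.conf block body into top-level statements, keeping nested { ... } intact."""
    out, depth, cur = [], 0, ""
    for ch in block:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            out.append(" ".join(cur.split()))
            cur = ""
        else:
            cur += ch
    return [s for s in out if s]

def acl_is_any(opts, key):
    """True when an ACL option is absent (named defaults it to any) or is literally { any; }."""
    return key not in opts or re.search(r"\{\s*any;\s*\}", opts[key]) is not None

def audit_options(conf):
    """Findings for the options { ... } block: settings that are acceptable on the lab server
    above but must not remain on a server reachable by untrusted clients."""
    body = re.search(r"options\s*\{(.*?)\n\};", conf, re.S).group(1)
    body = re.sub(r"(//|#).*", "", body)                 # commented-out lines are not in effect
    opts = {s.split()[0]: s for s in statements(body)}
    findings = []
    for key in ("dnssec-enable", "dnssec-validation", "dnssec-lookaside"):
        if opts.get(key, "").endswith(" no"):
            findings.append(f"{key} no: validation is off, forged answers would be accepted")
    # recursion defaults to yes; allow-recursion falls back to allow-query, which defaults to any
    if opts.get("recursion", "recursion yes") == "recursion yes" \
            and acl_is_any(opts, "allow-recursion") and acl_is_any(opts, "allow-query"):
        findings.append("recursion enabled with no client ACL: this is an open resolver")
    return findings

# Constructed options block mirroring the test-time settings from the post above.
LAB_CONF = """options {
\tlisten-on port 53 { 192.168.3.100; };
\tdirectory "/var/named";
\t//allow-query  { localhost; };
\tdnssec-enable no;
\tdnssec-validation no;
};
zone "." IN { type hint; file "named.ca"; };
"""

if __name__ == "__main__":
    for finding in audit_options(LAB_CONF):
        print("finding:", finding)
```

Restricting allow-query to the networks the server is meant to serve (and setting dnssec-validation back to auto) clears both findings.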

7. Test tools: dig, host, nslookup, etc.
1) dig syntax: dig [-t RR_TYPE] name [@SERVER] [query options]

It is meant for testing the DNS system, so it never consults the hosts file
1. Query options
   1) +[no]trace: trace the resolution process
   2) +[no]recurse: perform recursive resolution
2. Reverse resolution
   1) dig -x IP
3. Simulate a full zone transfer
   1) dig -t axfr DOMAIN [@server]
dig forward resolution test
[root@sakura ~]# dig -t A www.apple.com @192.168.3.100

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.1 <<>> -t A www.apple.com @192.168.3.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13951
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 8, ADDITIONAL: 10

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:  "question section"
;www.apple.com.			IN	A

;; ANSWER SECTION:  "answer section: the chain of aliases is finally resolved to an IP"
www.apple.com.		1520	IN	CNAME	www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 21321 IN	CNAME	www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 3322 IN CNAME	e6858.e19.s.tl88.net.
e6858.e19.s.tl88.net.	20	IN	A	221.230.146.237

;; AUTHORITY SECTION: "authority section, i.e. who is responsible for resolving the name; note there are several DNS servers"
e19.s.tl88.net.		3722	IN	NS	n7e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n4e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n2e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n5e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n6e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n3e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n0e19.s.tl88.net.
e19.s.tl88.net.		3722	IN	NS	n1e19.s.tl88.net.

;; ADDITIONAL SECTION: "the DNS servers from the authority section resolved to IPs"
n3e19.s.tl88.net.	3722	IN	A	58.222.30.53
n1e19.s.tl88.net.	3722	IN	A	210.192.116.4
n0e19.s.tl88.net.	3722	IN	A	88.221.81.192
n0e19.s.tl88.net.	3722	IN	AAAA	2600:1480:e800::c0
n6e19.s.tl88.net.	3722	IN	A	122.224.10.167
n4e19.s.tl88.net.	3722	IN	A	58.222.30.47
n5e19.s.tl88.net.	3722	IN	A	58.222.30.61
n2e19.s.tl88.net.	3722	IN	A	58.222.30.45
n7e19.s.tl88.net.	3722	IN	A	58.222.30.55

;; Query time: 63 msec
;; SERVER: 192.168.3.100#53(192.168.3.100)
;; WHEN: 六 6月 15 00:20:47 CST 2019
;; MSG SIZE  rcvd: 503

2) host syntax: host [-t RR_TYPE] name SERVER_IP

[root@sakura ~]# host -t A www.apple.com 192.168.3.100
Using domain server:
Name: 192.168.3.100
Address: 192.168.3.100#53
Aliases: 

www.apple.com is an alias for www.apple.com.edgekey.net.
www.apple.com.edgekey.net is an alias for www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net is an alias for e6858.e19.s.tl88.net.
e6858.e19.s.tl88.net has address 221.230.146.237

3) nslookup syntax: nslookup [-options] [name] [server]

Interactive mode
1. nslookup>
   1) server IP: use the given IP as the DNS server for the queries
   2) set q=RR_TYPE: the resource record type to query
   3) name: the name to look up
[root@sakura ~]# nslookup
> server 192.168.3.100   "enter the DNS server to use; if none is given, the address from the resolver configuration file is used"
Default server: 192.168.3.100
Address: 192.168.3.100#53
> set q=A    "specify query type A"
> lol.qq.com   "the name to look up"
Server:		192.168.3.100
Address:	192.168.3.100#53

Non-authoritative answer:
lol.qq.com	canonical name = lol.tc.qq.com.
lol.tc.qq.com	canonical name = others.x2.tc.qq.com.
others.x2.tc.qq.com	canonical name = tdns.x2.sched.dcloudstc.com.
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.142
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.144
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.153.105.195
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.145
Name:	tdns.x2.sched.dcloudstc.com
Address: 180.97.146.143
> 

4) rndc: control command for the named service

1. rndc status: show the status of the named service
2. rndc flush: clear the cache
[root@sakura ~]# rndc status
version: 9.9.4-RedHat-9.9.4-74.el7_6.1 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 101  "the current number of zones"
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 2/150
server is up and running

II. Configuring zones

1. Configuring a forward zone

1. Taking the kasumi.com domain as the example, first define the zone

This is done in the main configuration file or in its auxiliary configuration file /etc/named.rfc1912.zones
ps: RFC stands for Request for Comments, the official documents describing each protocol specification
[root@sakura ~]# vim /etc/named.rfc1912.zones 
zone "kasumi.com" IN {
    type master;
    file "kasumi.com.zone";
 };
Configuration format
zone  "ZONE_NAME"  IN  {
     type  {master|slave|hint|forward}; "zone type: master server | slave server | root server (hints) | forwarding server"
     file  "ZONE_NAME.zone"; 
};
ps: the zone name is the domain name

2. Create the zone data file (mainly A or AAAA records)

"The file is /var/named/kasumi.com.zone"
[root@sakura ~]# cat /var/named/kasumi.com.zone 
$TTL 3600
$ORIGIN kasumi.com.

@   IN   SOA   ns1.kasumi.com.  dnsadmin.kasumi.com. (
		2019061501
		1H
		10M
		1D	
		2D )
	IN NS ns1
	IN MX 10 mx1
	IN MX 30 mx2
ns1 IN A 192.168.3.200
www IN A 192.168.3.200
mx1 IN A 192.168.3.201
mx2 IN A 192.168.3.202
web IN CNAME www
bbs IN A 192.168.3.205
bbs IN A 192.168.3.206
"Fix the group and the permissions"
[root@sakura named]# chown .named /var/named/kasumi.com.zone
[root@sakura named]# chmod o= /var/named/kasumi.com.zone
"Check for syntax errors"
[root@sakura named]# named-checkzone kasumi.com /var/named/kasumi.com.zone
zone kasumi.com/IN: loaded serial 2019061501
OK
[root@sakura named]# named-checkconf 

3. Make the server reload the configuration file and the zone data files

[root@sakura named]# systemctl reload named.service 
[root@sakura named]# rndc reload

4. Forward resolution tests

"Testing www.kasumi.com"
[root@sakura ~]# dig -t A www.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;www.kasumi.com.			IN	A

;; ANSWER SECTION:
www.kasumi.com.		3600	IN	A	192.168.3.200

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Testing web.kasumi.com"
[root@sakura ~]# dig -t A web.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;web.kasumi.com.			IN	A

;; ANSWER SECTION:
web.kasumi.com.		3600	IN	CNAME	www.kasumi.com.
www.kasumi.com.		3600	IN	A	192.168.3.200

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Resolving bbs.kasumi.com"
[root@sakura ~]# dig -t A bbs.kasumi.com @192.168.3.100
;; QUESTION SECTION:
;bbs.kasumi.com.			IN	A

;; ANSWER SECTION:
bbs.kasumi.com.		3600	IN	A	192.168.3.205
bbs.kasumi.com.		3600	IN	A	192.168.3.206

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Testing with the host command"
[root@sakura ~]# host -t A bbs.kasumi.com
bbs.kasumi.com has address 192.168.3.206
bbs.kasumi.com has address 192.168.3.205
[root@sakura ~]# host -t A web.kasumi.com
web.kasumi.com is an alias for www.kasumi.com.
www.kasumi.com has address 192.168.3.200
"Testing the NS type"
[root@sakura ~]# dig -t NS kasumi.com
;; QUESTION SECTION:
;kasumi.com.			IN	NS

;; ANSWER SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200

"Testing the MX type"
[root@sakura ~]# dig -t MX kasumi.com
;; QUESTION SECTION:
;kasumi.com.			IN	MX

;; ANSWER SECTION:
kasumi.com.		3600	IN	MX	30 mx2.kasumi.com.
kasumi.com.		3600	IN	MX	10 mx1.kasumi.com.

;; AUTHORITY SECTION:
kasumi.com.		3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
mx1.kasumi.com.		3600	IN	A	192.168.3.201
mx2.kasumi.com.		3600	IN	A	192.168.3.202
ns1.kasumi.com.		3600	IN	A	192.168.3.200

2. Configuring a reverse zone

1. Define the zone

This is done in the main configuration file or in its auxiliary configuration file
[root@sakura ~]# vim /etc/named.rfc1912.zones 
 zone "3.168.192.in-addr.arpa" IN {
     type master;
     file "192.168.3.zone";
 };
Configuration format
zone  "ZONE_NAME"  IN  {
     type  {master|slave|hint|forward}; "zone type: master server | slave server | root server (hints) | forwarding server"
     file  "ZONE_NAME.zone"; 
};
ps: the name of a reverse zone is the network address written in reverse, followed by .in-addr.arpa

2. Define the zone data file (mainly PTR records)

For this test the zone name is 3.168.192.in-addr.arpa
[root@sakura named]# cat /var/named/192.168.3.zone 
$TTL 3600
$ORIGIN 3.168.192.in-addr.arpa.

@ IN SOA ns1.kasumi.com. nsadmin.kasumi.com. (
		2019061502
		1H
		10M
		1D
		12H )
	IN NS ns1.kasumi.com.
200 IN PTR ns1.kasumi.com.
201	IN PTR mx1.kasumi.com.
202	IN PTR mx2.kasumi.com.
205	IN PTR bbs.kasumi.com	
206 IN PTR bbs.kasumi.com.
200 IN PTR www.kasumi.com.
"Fix the group and the permissions"
[root@sakura named]# chown .named /var/named/192.168.3.zone 
[root@sakura named]# chmod o= /var/named/192.168.3.zone
[root@sakura named]# ll /var/named/192.168.3.zone
-rw-r-----. 1 root named 311 6月  15 01:33 /var/named/192.168.3.zone
"Check for syntax errors"
[root@sakura named]# named-checkzone 3.168.192.in-addr.arpa /var/named/192.168.3.zone
zone 3.168.192.in-addr.arpa/IN: loaded serial 2019061502
OK
[root@sakura named]# named-checkconf 

3. Make the server reload the configuration file and the zone data files

[root@sakura named]# systemctl reload named.service 
[root@sakura named]# rndc reload

4. Tests

"Reverse resolution of 192.168.3.200"
[root@sakura named]# dig -x 192.168.3.200
;; QUESTION SECTION:
;200.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
200.3.168.192.in-addr.arpa. 3600 IN	PTR	ns1.kasumi.com.
200.3.168.192.in-addr.arpa. 3600 IN	PTR	www.kasumi.com.
;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Reverse resolution of 192.168.3.205"
[root@sakura named]# dig -x 192.168.3.205
;; QUESTION SECTION:
;205.3.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
205.3.168.192.in-addr.arpa. 3600 IN	PTR	bbs.kasumi.com.3.168.192.in-addr.arpa.

;; AUTHORITY SECTION:
3.168.192.in-addr.arpa.	3600	IN	NS	ns1.kasumi.com.

;; ADDITIONAL SECTION:
ns1.kasumi.com.		3600	IN	A	192.168.3.200
"Resolving with the host command"
[root@sakura named]# host -t PTR 192.168.3.200
200.3.168.192.in-addr.arpa domain name pointer www.kasumi.com.3.168.192.in-addr.arpa.
200.3.168.192.in-addr.arpa domain name pointer ns1.kasumi.com.
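The answer for 192.168.3.205 above shows why the trailing dot matters: the PTR target on the 205 line of 192.168.3.zone was written as bbs.kasumi.com without a final dot, so named appended $ORIGIN and loaded bbs.kasumi.com.3.168.192.in-addr.arpa. The following Python checker is added here and is not part of the original post: it applies the same $ORIGIN rule to a zone file, flags such targets, and also reports in-zone NS hosts without an A/AAAA glue record, so it serves both the forward zone of section II.1 and the reverse zone above. REVERSE_ZONE is a constructed, abridged copy of this post's reverse zone.

```python
import re

# Record types whose last rdata token is a domain name, so BIND's $ORIGIN rule applies to it.
NAME_RDATA = {"NS", "CNAME", "PTR", "MX"}

def qualify(name, origin):
    """'@' means the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def check_zone(text, origin=None):
    """Parse a master zone file into fully qualified (owner, type, rdata) triples, as named loads
    them, and warn about an FQDN-looking target without its trailing dot and about an in-zone NS
    host without an A/AAAA glue record. origin is only needed if the file has no $ORIGIN line."""
    text = re.sub(r";.*", "", text)                                                  # drop comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)  # fold ( ... )
    records, warnings, owner = [], [], None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0] not in " \t":                # a blank owner column inherits the previous owner
            owner = qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)                       # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_RDATA:
            target = rdata[-1]
            if "." in target and not target.endswith("."):
                warnings.append(f"{owner} {rtype} {target}: missing trailing dot, loads as {qualify(target, origin)}")
            rdata[-1] = qualify(target, origin)
        records.append((owner, rtype, " ".join(rdata)))
    apex = next(o for o, t, _ in records if t == "SOA")
    glued = {o for o, t, _ in records if t in ("A", "AAAA")}
    for o, t, r in records:
        if t == "NS" and (r == apex or r.endswith("." + apex)) and r not in glued:
            warnings.append(f"{o} NS {r}: in-zone name server has no A/AAAA glue record")
    return records, warnings

# Constructed, abridged copy of this post's reverse zone, keeping the un-dotted target on the 205 line.
REVERSE_ZONE = ("$TTL 3600\n$ORIGIN 3.168.192.in-addr.arpa.\n@ IN SOA ns1.kasumi.com. nsadmin.kasumi.com. ( 2019061502 1H 10M 1D 12H )\n"
                "\tIN NS ns1.kasumi.com.\n200 IN PTR ns1.kasumi.com.\n205\tIN PTR bbs.kasumi.com\n206 IN PTR bbs.kasumi.com.\n")

if __name__ == "__main__":
    for warning in check_zone(REVERSE_ZONE)[1]:
        print("warning:", warning)
```

Running the checker before named-checkzone catches the mistake that named-checkzone accepts as valid, because a relative name is syntactically fine.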
