BIND: Berkeley Internet Name Domain
DNS: Domain Name Service
Domain name: www.centos.com (a host name; FQDN: Fully Qualified Domain Name)
DNS: name resolving (the lookup process behind it is a database query)
FQDN <--> IP: two-way conversion
nsswitch: the local name service switch
Configuration file: /etc/nsswitch.conf
hosts: file dns
"file" means the record is looked up in the /etc/hosts file
"dns" means the record is looked up through the DNS service
stub resolver: the resolver on the local host (a local service)
Example:
When the host pings www.baidu.com:
1. The stub resolver is called first; it consults the "hosts" entry of nsswitch
2. The "file" source is tried first, i.e. /etc/hosts; if there is no matching record there, DNS is queried
ICANN: the organization that manages the top-level domains
TLD: Top Level Domain. .com, .org, .net and so on are top-level domains
Three common classes of TLD:
1. Generic (organizational) domains: .com, .org, .net, .cc
2. Country-code domains: .cn, .tw, .hk, .iq, .jp, etc.
3. Reverse domain: maps IP addresses back to host names
IP --> FQDN (reverse resolution)
FQDN --> IP (forward resolution)
Forward and reverse resolution do not share a database; they are two independent databases queried separately
DNS query types:
1. Recursive query
Path: A --> B --> C; C --> B --> A
2. Iterative query
Path: A --> B (B has no answer and returns a referral: C may know); A --> C; C --> A
Two-stage lookup:
The client queries recursively; the name server resolves iteratively (against the Internet)
DNS: a distributed database
An upper level knows only its direct subordinates
A subordinate by default knows only the location of the root
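The two-stage lookup above (recursive on the client side, iterative on the name server side), as an added Python example that is not part of the original notes: a toy recursive resolver starts at the root and follows referrals, restarting at the root when it receives a CNAME. The authoritative data is constructed to mirror the www.baidu.com delegation chain that dig +trace shows later in these notes; the addresses are documentation placeholders.

```python
# Toy authoritative data, constructed for this example. Each zone knows only its
# own records and its direct child delegations (the "upper level knows only its
# direct subordinates" rule). Addresses are documentation placeholders.
AUTH = {
    ".":             {"delegations": {"com.": "a.gtld-servers.net."}, "records": {}},
    "com.":          {"delegations": {"baidu.com.": "dns.baidu.com.",
                                      "shifen.com.": "ns1.shifen.com."}, "records": {}},
    "baidu.com.":    {"delegations": {},
                      "records": {"www.baidu.com.": ("CNAME", "www.a.shifen.com.")}},
    "shifen.com.":   {"delegations": {"a.shifen.com.": "ns1.a.shifen.com."}, "records": {}},
    "a.shifen.com.": {"delegations": {},
                      "records": {"www.a.shifen.com.": ("A", "192.0.2.10")}},
}

def ask_authoritative(zone, qname, qtype):
    """One iterative step. The authoritative server for `zone` never recurses:
    it returns an answer, a referral to the child zone it delegated, or NXDOMAIN."""
    data = AUTH[zone]
    rr = data["records"].get(qname)
    if rr and rr[0] in (qtype, "CNAME"):
        return "ANSWER", rr
    for child, ns in data["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", (child, ns)
    return "NXDOMAIN", None

def resolve(qname, qtype="A", max_steps=20):
    """Recursive-resolver side of the two-stage lookup: the stub asked us for a
    final answer, so we iterate from the root through referrals, restarting at
    the root when a CNAME is returned. Returns (answer_or_None, trace)."""
    trace, cname_chain, zone = [], [], "."
    for _ in range(max_steps):
        status, payload = ask_authoritative(zone, qname, qtype)
        trace.append((zone, qname, status))
        if status == "REFERRAL":
            zone = payload[0]                      # follow the referral downwards
        elif status == "ANSWER" and payload[0] == "CNAME" and qtype != "CNAME":
            cname_chain.append((qname, payload[1]))
            qname, zone = payload[1], "."          # resolve the target from the root
        elif status == "ANSWER":
            return {"name": qname, "type": payload[0], "value": payload[1],
                    "cname_chain": cname_chain}, trace
        else:
            return None, trace
    raise RuntimeError("too many referrals (delegation loop?)")

if __name__ == "__main__":
    answer, trace = resolve("www.baidu.com.")
    for step in trace:
        print("%-15s asked for %-20s -> %s" % step)
    print(answer)
```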
How a DNS server works:
Accepts query requests from local clients, usually recursive ones
External clients request authoritative answers:
positive answer: with a TTL
negative answer: with a TTL
External clients request non-authoritative answers
Master/slave structure:
Master DNS server: where the data is modified
Slave (secondary) DNS server: requests data synchronization
1. Master DNS: the serial number of the zone is incremented by 1 on every data change
2. Slave DNS: refresh defines how often it polls the master for data; retry defines how long to wait before polling again after a failure; finally, expire defines when the slave's copy is considered expired and the master is treated as dead
3. Negative answer duration: negative answer TTL
Caching DNS server:
Not responsible for authoritative answers; only caches DNS records
Forwarder:
Does not cache; only forwards DNS requests
Every entry in the database is called a resource record (RR)
Resource record types:
A (address): FQDN --> IPv4
AAAA: FQDN --> IPv6
PTR (pointer): IP --> FQDN
NS (Name Server): zone name --> FQDN
MX (Mail Exchanger): zone name --> FQDN
SOA (Start of Authority): marks the start of the zone and tells the zone's master and slave servers how to keep their data in sync
CNAME (Canonical Name): FQDN --> FQDN
TXT
CHAOS
SRV
Resource record format:
NAME [TTL] IN RRTYPE VALUE
www.btsbox.com. IN A 1.1.1.1
1.1.1.1.in-addr.arpa. IN PTR www.btsbox.com.
NS example:
btsbox.com. 600 IN NS ns1.btsbox.com.
btsbox.com. 600 IN NS ns2.btsbox.com.
ns1.btsbox.com. 600 IN A 1.1.1.2
ns2.btsbox.com. 600 IN A 1.1.1.4
MX example:
Zone Name TTL IN MX pri VALUE
btsbox.com. 600 IN MX 10 mail.btsbox.com.
mail.btsbox.com. 600 IN A 1.1.1.3
MX priority: 0-99; the lower the number, the higher the priority
SOA example:
zone name TTL IN SOA FQDN ADMINISTRATOR_MAILBOX (
serial number
refresh
retry
expire
negative-answer TTL )
Time units: H (hours), M (minutes), D (days), W (weeks); the default unit is seconds
Mailbox format: admin.btsbox.com (the "@" of the address is written as a dot)
"@" has a special meaning: it stands for the zone name, i.e. btsbox.com
@ 600 IN SOA ns1.btsbox.com. admin.btsbox.com. (
        2015060801 ; serial number
        1H         ; refresh
        5M         ; retry
        1W         ; expire
        1D )       ; negative-answer TTL
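The SOA fields and the serial rule for master/slave synchronization, as an added Python example that is not part of the original notes: it parses the SOA record of a zone file (expanding "@" to the origin and the H/M/D/W time units to seconds) and applies the serial comparison a slave uses to decide whether it needs a transfer. The sample zone text is constructed from the SOA example above.

```python
import re

# Time-unit multipliers accepted in BIND zone files; a bare number is seconds.
UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def ttl_to_seconds(value: str) -> int:
    """Convert '1H', '5M', '1W', '1D' or '600' into seconds."""
    m = re.fullmatch(r"(\d+)([SMHDWsmhdw]?)", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[(m.group(2) or "S").upper()]

def parse_soa(zone_text: str, origin: str) -> dict:
    """Parse the SOA record of a zone file: '@' stands for the origin, ';' starts
    a comment, and the five timer fields may be spread over several lines."""
    lines = [ln.split(";", 1)[0] for ln in zone_text.splitlines()]  # drop comments
    text = " ".join(lines)                                          # join the ( ... ) form
    m = re.search(r"(\S+)\s+(?:\d+\w?\s+)?IN\s+SOA\s+(\S+)\s+(\S+)\s*\((.*?)\)", text)
    if not m:
        raise ValueError("no SOA record found")
    owner, mname, rname, fields = m.groups()
    owner = origin if owner == "@" else owner
    serial, refresh, retry, expire, neg_ttl = fields.split()
    # the first '.' of the RNAME stands for the '@' of the mailbox address
    local, _, domain = rname.rstrip(".").partition(".")
    return {
        "owner": owner, "mname": mname, "admin": f"{local}@{domain}",
        "serial": int(serial), "refresh": ttl_to_seconds(refresh),
        "retry": ttl_to_seconds(retry), "expire": ttl_to_seconds(expire),
        "negative_ttl": ttl_to_seconds(neg_ttl),
    }

def slave_needs_transfer(master_serial: int, slave_serial: int) -> bool:
    """A slave transfers only when the master's serial is newer than its own,
    using RFC 1982 serial arithmetic (32-bit wrap-around)."""
    return 0 < (master_serial - slave_serial) % (1 << 32) < (1 << 31)

# Constructed sample zone using the SOA values from the notes.
SAMPLE_ZONE = """\
$TTL 600
@ 600 IN SOA ns1.btsbox.com. admin.btsbox.com. (
        2015060801 ; serial number
        1H         ; refresh
        5M         ; retry
        1W         ; expire
        1D )       ; negative-answer TTL
      IN NS ns1.btsbox.com.
"""

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE, "btsbox.com.")
    print(soa)
    print("slave at serial 2015060800 needs transfer:",
          slave_needs_transfer(soa["serial"], 2015060800))
```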
CNAME example:
www2.btsbox.com. IN CNAME www.btsbox.com.
The TTL value may be omitted
The difference between a domain and a zone:
Domain: Domain
Zone: Zone
DNS records held in the .com zone (the delegation of btsbox.com):
btsbox.com. IN NS ns.btsbox.com.
ns.btsbox.com. IN A 116.228.3.99
Local zone records (btsbox.com., 192.168.0.0/24):
First create two zone files:
Forward zone:
btsbox.com. IN SOA ns.btsbox.com. admin.btsbox.com. (
        2015060801 1H 5M 1W 1D )
www IN A 192.168.0.1
Reverse zone file:
0.168.192.in-addr.arpa. IN SOA ns.btsbox.com. admin.btsbox.com. (
        2015060801 1H 5M 1W 1D )
1.0.168.192.in-addr.arpa. IN PTR www.btsbox.com.
1 IN PTR www.btsbox.com.    (shorthand for the line above: the owner is relative to the zone origin)
Zone transfer types:
Full zone transfer: axfr
Incremental zone transfer: ixfr
Zone types:
Master zone: master
Slave zone: slave
Hint zone: hint, i.e. it defines where the root servers are
Forward zone: forward
BIND configuration files and tools:
/etc/named.conf
working properties of the BIND process
zone definitions
/etc/rndc.key
rndc: Remote Name Domain Controller; the key file that lets BIND be controlled remotely
its configuration: /etc/rndc.conf
/var/named/
zone data files
/etc/rc.d/init.d/named
service script {start|stop|restart|status|reload|configtest}
Binary program: named
bind-chroot:
by default named works under /
User: named
Group: named
caching-nameserver package:
turns the bind service into a caching server
named-checkconf
named-checkzone
dig: Domain Information Groper
[root@Centos6 named]# dig -t NS .    # query the NS records of the root zone; -t selects the query type

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2049
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       86321   IN      NS      l.root-servers.net.
.                       86321   IN      NS      j.root-servers.net.
.                       86321   IN      NS      b.root-servers.net.
.                       86321   IN      NS      k.root-servers.net.
.                       86321   IN      NS      d.root-servers.net.
.                       86321   IN      NS      a.root-servers.net.
.                       86321   IN      NS      m.root-servers.net.
.                       86321   IN      NS      f.root-servers.net.
.                       86321   IN      NS      c.root-servers.net.
.                       86321   IN      NS      e.root-servers.net.
.                       86321   IN      NS      i.root-servers.net.
.                       86321   IN      NS      h.root-servers.net.
.                       86321   IN      NS      g.root-servers.net.

;; Query time: 2 msec
;; SERVER: 202.96.209.5#53(202.96.209.5)
;; WHEN: Mon Jun 8 15:34:39 2015
;; MSG SIZE  rcvd: 228
Protocols and ports DNS listens on:
UDP and TCP port 53
953/TCP: the port rndc listens on
Socket: IP:PORT
named.conf zone statement format:
zone "ZONE NAME" {
        type {master|slave|hint|forward};
};
Master zone:
        file "zone data file";
Slave zone:
        file "zone data file";
        masters { master_IP; };
[root@Centos6 named]# vim /etc/named.conf    # create named.conf by hand; this is the basic format
options {
        directory "/var/named";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};
[root@Centos6 named]# chown root:named /etc/named.conf    # set the file's owner and group
[root@Centos6 named]# chmod 640 /etc/named.conf    # set the file permissions
[root@Centos6 named]# named-checkconf    # check the syntax with bind's built-in named-checkconf command
[root@Centos6 named]# named-checkzone "." /var/named/named.ca    # check the root hints file
zone ./IN: has 0 SOA records
zone ./IN: not loaded due to errors.
[root@Centos6 named]# named-checkzone "localhost" /var/named/named.localhost
zone localhost/IN: loaded serial 0
OK
[root@Centos6 named]# named-checkzone "0.0.127.in-addr.arpa" /var/named/named.loopback
zone 0.0.127.in-addr.arpa/IN: loaded serial 0
OK
# the syntax is: named-checkzone "ZONE" ZONE_DATA_FILE; checking the root hints file this way reports the error shown above by default (a hints file carries no SOA record)
[root@Centos6 named]# service named start
启动 named:named:正在运行 [确定]
[root@Centos6 named]# tail /var/log/messages    # by default named logs to /var/log/messages
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: A.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: B.E.F.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 8 16:49:38 Centos6 named[20760]: command channel listening on 127.0.0.1#953
Jun 8 16:49:38 Centos6 named[20760]: command channel listening on ::1#953
Jun 8 16:49:38 Centos6 named[20760]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Jun 8 16:49:38 Centos6 named[20760]: zone localhost/IN: loaded serial 0
Jun 8 16:49:38 Centos6 named[20760]: managed-keys-zone ./IN: loaded serial 3
Jun 8 16:49:38 Centos6 named[20760]: running
Adding the btsbox.com zone:
[root@Centos6 named]# cat /etc/named.conf
options {
        directory "/var/named";
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};
zone "btsbox.com" IN {    # add the btsbox.com zone
        type master;
        file "btsbox.com.zone";
};
[root@Centos6 named]# cat /var/named/btsbox.com.zone    # forward zone data for btsbox.com
$TTL 600    ; the $ prefix marks a directive; $TTL must be present
@       IN SOA  ns1.btsbox.com. admin.btsbox.com. (
                20150608    ; serial
                10M         ; refresh
                2M          ; retry
                2D          ; expire
                1W )        ; negative-answer TTL
        IN NS   ns1
        IN MX   10 mail
ns1     IN A    10.189.9.202
mail    IN A    10.189.9.202
www     IN A    10.189.9.202
www     IN A    10.189.9.203
ftp     IN CNAME www
[root@Centos6 named]# named-checkzone "btsbox.com" /var/named/btsbox.com.zone
zone btsbox.com/IN: loaded serial 20150608
OK
[root@Centos6 named]# chmod 640 /var/named/btsbox.com.zone
[root@Centos6 named]# chown root:named /var/named/btsbox.com.zone
dig -t RRTYPE NAME    # general form of a dig query
dig -t NS btsbox.com
[root@Centos6 ~]# dig +trace -t A www.baidu.com @10.189.9.202    # trace the delegation path from the root with dig

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A www.baidu.com @10.189.9.202
;; global options: +cmd
.                       518384  IN      NS      f.root-servers.net.
.                       518384  IN      NS      k.root-servers.net.
.                       518384  IN      NS      m.root-servers.net.
.                       518384  IN      NS      h.root-servers.net.
.                       518384  IN      NS      i.root-servers.net.
.                       518384  IN      NS      g.root-servers.net.
.                       518384  IN      NS      j.root-servers.net.
.                       518384  IN      NS      d.root-servers.net.
.                       518384  IN      NS      c.root-servers.net.
.                       518384  IN      NS      e.root-servers.net.
.                       518384  IN      NS      b.root-servers.net.
.                       518384  IN      NS      l.root-servers.net.
.                       518384  IN      NS      a.root-servers.net.
;; Received 492 bytes from 10.189.9.202#53(10.189.9.202) in 114240 ms

com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
;; Received 491 bytes from 128.63.2.53#53(128.63.2.53) in 101272 ms

baidu.com.              172800  IN      NS      dns.baidu.com.
baidu.com.              172800  IN      NS      ns2.baidu.com.
baidu.com.              172800  IN      NS      ns3.baidu.com.
baidu.com.              172800  IN      NS      ns4.baidu.com.
baidu.com.              172800  IN      NS      ns7.baidu.com.
;; Received 201 bytes from 192.41.162.30#53(192.41.162.30) in 491 ms

www.baidu.com.          1200    IN      CNAME   www.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns1.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns5.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns4.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns2.a.shifen.com.
a.shifen.com.           1200    IN      NS      ns3.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(220.181.38.10) in 27 ms

[root@Centos6 ~]# dig +recurse -t A www.baidu.com @10.189.9.202    # query the DNS record recursively with dig

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +recurse -t A www.baidu.com @10.189.9.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22798
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          688     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       300     IN      A       115.239.211.112
www.a.shifen.com.       300     IN      A       115.239.210.27

;; AUTHORITY SECTION:
a.shifen.com.           691     IN      NS      ns2.a.shifen.com.
a.shifen.com.           691     IN      NS      ns4.a.shifen.com.
a.shifen.com.           691     IN      NS      ns1.a.shifen.com.
a.shifen.com.           691     IN      NS      ns5.a.shifen.com.
a.shifen.com.           691     IN      NS      ns3.a.shifen.com.

;; ADDITIONAL SECTION:
ns1.a.shifen.com.       691     IN      A       61.135.165.224
ns3.a.shifen.com.       691     IN      A       61.135.162.215
ns2.a.shifen.com.       691     IN      A       180.149.133.241
ns4.a.shifen.com.       691     IN      A       115.239.210.176
ns5.a.shifen.com.       691     IN      A       119.75.222.17

;; Query time: 33 msec
;; SERVER: 10.189.9.202#53(10.189.9.202)
;; WHEN: Wed Jun 10 12:55:09 2015
;; MSG SIZE  rcvd: 260

[root@Centos6 named]# dig -t axfr mageedua.com    # axfr: full zone transfer

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t axfr mageedua.com
;; global options: +cmd
mageedua.com.           86400   IN      SOA     ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
mageedua.com.           86400   IN      NS      ns1.mageedua.com.
mageedua.com.           86400   IN      MX      10 mail.mageedua.com.
ftp.mageedua.com.       86400   IN      CNAME   www.mageedua.com.
mail.mageedua.com.      86400   IN      A       10.189.9.202
ns1.mageedua.com.       86400   IN      A       10.189.9.202
www.mageedua.com.       86400   IN      A       10.189.9.202
www.mageedua.com.       86400   IN      A       10.189.9.203
mageedua.com.           86400   IN      SOA     ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 10 13:12:58 2015
;; XFR size: 9 records (messages 1, bytes 233)

[root@Centos6 named]# dig -t ixfr=201506092 mageedua.com    # ixfr: incremental zone transfer. After adding new records the serial must be incremented by 1: above it was 201506090, after the change it is 201506091

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t ixfr=201506092 mageedua.com
;; global options: +cmd
mageedua.com.           86400   IN      SOA     ns1.mageedua.com. admin.mageedua.com. 201506090 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jun 10 13:13:52 2015
;; XFR size: 1 records (messages 1, bytes 76)
# indicates that one incremental zone record was transferred
Wildcard resolution:
Add A records in the forward zone:
btsbox.com.     IN A    10.189.9.201
*.btsbox.com.   IN A    10.189.9.201    ; the address can be the www server's, so every name lands on the www.btsbox.com host
Allowing DNS recursion:
options {
        directory "/var/named";
        recursion yes;                       # allow recursive queries; on its own this lets any host on the Internet use this server for recursion
        allow-recursion { 10.189.9.0/24; };  # only hosts in the 10.189.9.0/24 network may recurse
        allow-query { localhost; };          # only the local host may send queries
        allow-transfer { 10.189.9.203; };    # only host .203 may do zone transfers; written in options it applies to all zones, normally it goes into the zone statement
        allow-transfer { none; };            # no zone transfers at all, for zones that have no slave, e.g. the localhost zone
        notify yes;                          # enable notify: the slave servers are told when the data changes
        dnssec-enable no;
        dnssec-validation no;
};
masters { 10.189.9.202; };    # used inside a slave zone statement: specifies which server is the master
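An added check for the access-control settings above (not part of the original notes): a small Python audit reads a named.conf, flags recursion that is enabled without a restrictive allow-recursion (an open resolver) and master/slave zones whose allow-transfer is missing or "any". The parser handles only the statement shapes used in these notes; the sample configuration is constructed.

```python
import re

def strip_comments(text):
    """Drop the three named.conf comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)

def top_level_blocks(text):
    """Split named.conf into (header, body) pairs such as ('options', '...')
    or ('zone "x" IN', '...'); nested braces stay inside the body."""
    blocks, depth, body_start, header_start, header = [], 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, body_start = text[header_start:i].strip("; \t\r\n"), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, text[body_start:i]))
                header_start = i + 1
    return blocks

def address_list(body, name):
    """Entries of `name { a; b; };` inside a block body, or None if absent."""
    m = re.search(r"\b" + name + r"\s*\{([^}]*)\}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def audit(conf_text):
    """Findings for an open resolver and for unrestricted zone transfers."""
    findings = []
    blocks = top_level_blocks(strip_comments(conf_text))
    options = dict(blocks).get("options", "")
    recursion = re.search(r"\brecursion\s+(yes|no)\b", options)  # BIND default is yes
    allowed = address_list(options, "allow-recursion")
    if (recursion is None or recursion.group(1) == "yes") and (allowed is None or "any" in allowed):
        findings.append("options: recursion is open to any client (open resolver); "
                        "restrict allow-recursion to your own networks")
    global_xfer = address_list(options, "allow-transfer")
    for header, body in blocks:
        zone = re.match(r'zone\s+"([^"]+)"', header)
        ztype = re.search(r"\btype\s+(\w+)", body)
        if not zone or not ztype or ztype.group(1) not in ("master", "slave"):
            continue                           # hint/forward zones hold no zone data
        xfer = address_list(body, "allow-transfer")
        if xfer is None:
            xfer = global_xfer                 # the zone inherits the options{} setting
        if xfer is None or "any" in xfer:
            findings.append('zone "%s": allow-transfer is not restricted; '
                            'any host can pull the whole zone with AXFR' % zone.group(1))
    return findings

# Constructed sample modelled on the master-server configuration in the notes.
SAMPLE_CONF = """
options { directory "/var/named"; recursion yes;
          allow-recursion { 10.189.9.0/24; 127.0.0.1; }; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "named.localhost"; allow-transfer { none; }; };
zone "mageedua.com" IN { type master; file "mageedua.com.zone";
                         allow-transfer { 10.189.9.201; }; };  // only the slave may pull it
zone "btsbox.com" IN { type master; file "btsbox.com.zone"; };  // no allow-transfer at all
"""
# The same file with recursion opened to the whole Internet.
OPEN_CONF = SAMPLE_CONF.replace("allow-recursion { 10.189.9.0/24; 127.0.0.1; };",
                                "allow-recursion { any; };")
```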
axfr: full zone transfer
ixfr: incremental zone transfer
Master/slave zone structure:
When adding a slave DNS server, add its NS record to both the forward and the reverse zone, plus the reverse (PTR) record for the NS host; otherwise synchronization will not succeed
[root@Centos6 named]# cat mageedua.com.zone    # first add the NS record for ns2 and its A record
$TTL 86400
@       IN SOA  ns1.mageedua.com. admin.mageedua.com. (
                201506092   ; serial
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
        IN NS   ns1
        IN NS   ns2
        IN MX   10 mail
ns1     IN A    10.189.9.202
ns2     IN A    10.189.9.201
[root@Centos6 named]# cat 9.189.10.zone    # then add the reverse pointer for ns2
$TTL 86400
@       IN SOA  ns1.mageedua.com. admin.mageedua.com. (
                201506092   ; serial
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
        IN NS   ns1.mageedua.com.
        IN NS   ns2.mageedua.com.
201     IN PTR  ns2.mageedua.com.
202     IN PTR  ns1.mageedua.com.
[root@Centos6 named]# cat /etc/named.mageedua.com.zons    # configuration on the master DNS server
zone "mageedua.com" IN {
        type master;
        file "mageedua.com.zone";
        allow-transfer { 10.189.9.201; };    # the host allowed to synchronize via axfr/ixfr
};
zone "9.189.10.in-addr.arpa" IN {
        type master;
        file "9.189.10.zone";
        allow-transfer { 10.189.9.201; };    # the host allowed to synchronize via axfr/ixfr
};
# configuration on the slave server
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
};
zone "." IN {
        file "named.ca";
        type hint;
};
zone "localhost" IN {
        file "named.localhost";
        type master;
        allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        file "named.loopback";
        type master;
        allow-transfer { none; };
};
zone "mageedua.com" IN {
        file "slaves/mageedua.com.zone";
        type slave;                      # this is a slave zone
        masters { 10.189.9.202; };       # the master server
        allow-transfer { none; };        # nobody may request AXFR/IXFR from this slave
};
zone "9.189.10.in-addr.arpa" IN {
        file "slaves/9.189.10.zone";
        type slave;
        masters { 10.189.9.202; };
        allow-transfer { none; };
};
Controlling the DNS service with rndc:
[root@Centos6 named]# rndc-confgen >> /etc/rndc.conf
[root@Centos6 named]# vim /etc/rndc.conf    # installing the bind service creates /etc/rndc.key by default; it has to be removed
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "vAv9U7k+jaHYI0gwdru1dA==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "vAv9U7k+jaHYI0gwdru1dA==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
# copy the commented-out lines into /etc/named.conf and remove the leading "#"
[root@Centos6 named]# cat /etc/named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "vAv9U7k+jaHYI0gwdru1dA==";
};
controls {
        inet 10.189.9.202 port 953
                allow { 10.189.9.202; } keys { "rndc-key"; };
};
[root@Centos6 named]# rndc -c /etc/rndc.conf flush
[root@Centos6 named]# rndc -c /etc/rndc.conf notify "mageedua.com"
zone notify queued
[root@Centos6 named]# rndc -c /etc/rndc.conf stop
[root@Centos6 named]# rndc -c /etc/rndc.conf status    # rndc subcommands; run rndc -h to list the available options
Subdomain delegation:
btsbox.com.: the parent domain
Format:
fin.btsbox.com. IN NS ns1.fin.btsbox.com.
fin.btsbox.com. IN NS ns2.fin.btsbox.com.
ns1.fin.btsbox.com. IN A 10.189.9.11
ns2.fin.btsbox.com. IN A 10.189.9.12
market.btsbox.com. IN NS ns1.market.btsbox.com.
ns1.market.btsbox.com. IN A 10.189.10.11
# define the subdomains' NS records and names in the parent zone
[root@Centos6 named]# cat /var/named/mageedua.com.zone
$TTL 86400
@       IN SOA  ns1.mageedua.com. admin.mageedua.com. (
                201506093   ; serial
                1D          ; refresh
                1H          ; retry
                1W          ; expire
                3H )        ; minimum
        IN NS   ns1
        IN NS   ns2
        IN MX   10 mail
ns1     IN A    10.189.9.202
ns2     IN A    10.189.9.201
mail    IN A    10.189.9.202
www     IN A    10.189.9.202
www     IN A    10.189.9.203
ftp     IN CNAME www
pop     IN A    10.189.9.204
imap    IN A    10.189.9.205
fin         IN NS   ns1.fin         ; delegate the fin subdomain: its NS record ...
ns1.fin     IN A    10.189.9.110    ; ... and the glue A record of the subdomain's name server
market      IN NS   ns1.market      ; delegate the market subdomain and its NS record
ns1.market  IN A    10.189.9.111
# set up the bind service on the subdomain's NS server, with its own main configuration file and zone file
[root@localhost ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
};
zone "fin.mageedua.com" IN {
        file "fin.mageedua.com.zone";
        type master;
};
[root@localhost ~]# cat /var/named/fin.mageedua.com.zone
$TTL 86400
@       IN SOA  ns1.fin.mageedua.com. admin.fin.mageedua.com. (
                2015060901  ; serial
                1D          ; refresh
                1H          ; retry
                30M         ; expire
                1D )        ; minimum
        IN NS   ns1
ns1     IN A    10.189.9.110
# the subdomain's NS records can only be looked up through the parent's NS server while the subdomain's NS server is up and working
[root@Centos6 named]# dig -t NS fin.mageedua.com @10.189.9.202

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS fin.mageedua.com @10.189.9.202
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13505
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;fin.mageedua.com.              IN      NS

;; ANSWER SECTION:
fin.mageedua.com.       86400   IN      NS      ns1.fin.mageedua.com.

;; Query time: 2614 msec
;; SERVER: 10.189.9.202#53(10.189.9.202)
;; WHEN: Wed Jun 10 17:05:05 2015
;; MSG SIZE  rcvd: 52
Forwarding the subdomain's query requests to the parent domain:
Defined in /etc/named.conf:
options {
        forward {only|first};    # only: forward solely to the designated NS servers; first: try the designated NS first and, if that fails, recurse from the root
        forwarders { 10.189.9.202; };    # the NS address to forward to
};
[root@localhost ~]# cat /etc/named.conf
options {
        directory "/var/named";
        allow-recursion { 10.189.9.0/24; 127.0.0.1; };
        forward only;
        forwarders { 10.189.9.202; };
};
zone "fin.mageedua.com" IN {
        file "fin.mageedua.com.zone";
        type master;
};
# the above is global forwarding on the subdomain server
zone "mageedua.com" IN {
        type forward;
        forward first;
        forwarders { 10.189.9.202; };
};
# alternatively, define a forward zone and configure forwarding inside that zone only
Referencing a group of addresses with the same properties in named.conf (acl):
acl ACL_NAME {
        IP;
};
Example:
acl innet {
        10.189.9.0/24;
        127.0.0.0/8;
        192.168.0.0/24;
};
options {
        directory "/var/named";
        allow-recursion { innet; };
};
DNS views:
Points to note:
Once a view is defined, every zone must be defined inside a view
If a domain does not need to be resolved differently per network, add a zone for it in both the telecom view and the unicom view
Format:
view VIEW_NAME {
};
[root@localhost named]# cat /etc/named.conf
acl telecom { 10.189.9.0/24; };
acl unicom { 10.189.8.0/24; };
options {
        directory "/var/named";
        allow-recursion { 127.0.0.1; };
        allow-query { any; };
};
view telecom {
        match-clients { telecom; };
        zone "mageedua.com" IN {
                type master;
                file "telecom.mageedua.com.zone";
        };
};
view unicom {
        match-clients { unicom; };
        zone "mageedua.com" IN {
                type master;
                file "unicom.mageedua.com.zone";
        };
};
# In named.conf, configure the view blocks; inside each view set match-clients to reference an acl list (the acl can be the telecom IP list or the unicom IP list). Then define the zones that need split-horizon ("smart") DNS inside each view. Typically the views fall into three classes:
# 1. internal-network view
# 2. telecom view
# 3. unicom view
[root@localhost named]# cat telecom.mageedua.com.zone
$TTL 86400
@       IN SOA  ns1.mageedua.com. admin.mageedua.com. (
                2015061101  ; serial
                1D          ; refresh
                1H          ; retry
                7D          ; expire
                1D )        ; minimum
        IN NS   ns1
        IN MX   10 mail
ns1     IN A    10.189.9.110
mail    IN A    10.189.9.111
www     IN A    10.189.9.112    ; the www server for telecom clients is .112
[root@localhost named]# cat unicom.mageedua.com.zone
$TTL 86400
@       IN SOA  ns1.mageedua.com. admin.mageedua.com. (
                2015061101  ; serial
                1D          ; refresh
                1H          ; retry
                7D          ; expire
                1D )        ; minimum
        IN NS   ns1
        IN MX   10 mail
ns1     IN A    10.189.9.110
mail    IN A    10.189.9.111
www     IN A    10.189.9.113    ; the www server for unicom clients is .113
[root@localhost slaves]# dig -t A www.mageedua.com @10.189.9.110    # result seen by a telecom client

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7_0.1 <<>> -t A www.mageedua.com @10.189.9.110
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58349
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mageedua.com.              IN      A

;; ANSWER SECTION:
www.mageedua.com.       86400   IN      A       10.189.9.112

;; AUTHORITY SECTION:
mageedua.com.           86400   IN      NS      ns1.mageedua.com.

;; ADDITIONAL SECTION:
ns1.mageedua.com.       86400   IN      A       10.189.9.110

;; Query time: 1 msec
;; SERVER: 10.189.9.110#53(10.189.9.110)
;; WHEN: 四 6月 11 10:26:21 CST 2015
;; MSG SIZE  rcvd: 95
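How match-clients picks a view, as an added Python example that is not part of the original notes: it implements BIND's first-match evaluation of address match lists (acl names, prefixes, "any", "none" and "!" negation) over constructed ACLs and views mirroring the telecom/unicom configuration above. The internal view and its zone file name are assumptions added for the example.

```python
import ipaddress

# Constructed ACLs and views modelled on the named.conf in the notes. BIND tries
# the views in file order and uses the first whose match-clients matches.
ACLS = {
    "telecom": ["10.189.9.0/24"],
    "unicom":  ["10.189.8.0/24"],
    "innet":   ["192.168.0.0/24", "127.0.0.0/8"],   # assumed internal networks
}
VIEWS = [
    ("internal", ["innet"],   {"mageedua.com": "internal.mageedua.com.zone"}),  # assumed
    ("telecom",  ["telecom"], {"mageedua.com": "telecom.mageedua.com.zone"}),
    ("unicom",   ["unicom"],  {"mageedua.com": "unicom.mageedua.com.zone"}),
]

def match_list(entries, ip, acls):
    """Evaluate a BIND address match list. Elements are tested in order and the
    first one that matches decides: a plain element means 'match', a negated
    ('!') element means 'no match'. Elements may be 'any', 'none', an acl name
    or an address/prefix. Falls through to False if nothing matches."""
    for entry in entries:
        negated = entry.startswith("!")
        elem = entry.lstrip("!")
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls:
            hit = match_list(acls[elem], ip, acls)   # nested acl reference
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negated
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Pick the view a client lands in, like BIND's match-clients processing.
    Returns (view_name, zones), or (None, {}) when no view matches."""
    ip = ipaddress.ip_address(client_ip)
    for name, match_clients, zones in views:
        if match_list(match_clients, ip, acls):
            return name, zones
    return None, {}

def zone_file_for(client_ip, zone):
    """Which zone file answers `zone` for this client; None if the client's
    view lacks the zone (with views, every zone must live inside a view)."""
    return select_view(client_ip)[1].get(zone)

if __name__ == "__main__":
    for client in ("10.189.9.55", "10.189.8.3", "192.168.0.7", "203.0.113.9"):
        print(client, "->", select_view(client)[0], zone_file_for(client, "mageedua.com"))
```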
bind logging:
category: defines the log source
queries
zone transfers
...
channel: where the log messages are stored
channel types:
syslog
file: a custom file in which to store the log messages; the log level can be set
Log levels:
critical
error
warning
notice
info
debug [level]
dynamic
category sources:
default
general
client
config
dispatch
dnssec
lame-servers
network
notify
queries
resolver
security
update
xfer-in
xfer-out
logging {                                        # logging options
        channel query_log {                      # define a channel
                file "/var/log/named/bind_query.log" versions 5 size 10M;    # where the messages are stored
                severity dynamic;                # log level
                print-category yes;              # record the category of each message
                print-time yes;                  # record the time
                print-severity yes;              # record the severity
        };
        channel xfr_out {
                file "/var/log/named/xfr_out.log";
                severity debug;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category xfer-out { xfr_out; };
        category queries { query_log; };         # select the log source and write it through the query_log channel
};
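Reading back the query and xfer-out logs that channels like the ones above produce, as an added Python example that is not part of the original notes: it parses BIND 9.8-style query-log lines (print-time, print-category and print-severity on), counts queries per client and type, and flags recursion requested from outside the allowed network, ANY/AXFR query types and denied zone transfers. The log lines are constructed samples and the allowed network is assumed from the allow-recursion setting in the notes.

```python
import re
import ipaddress
from collections import Counter

# Query-log line as written by a channel with print-time, print-category and
# print-severity on (BIND 9.8 format; a leading "+" in the flags = recursion desired).
QUERY_RE = re.compile(
    r"^(?P<time>\S+ \S+) queries: (?P<sev>\w+): client (?P<ip>[^#]+)#\d+: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$")
# Zone-transfer lines from the xfer-out and security categories.
XFER_RE = re.compile(
    r"client (?P<ip>[^#]+)#\d+: (?:transfer of|zone transfer) '(?P<zone>[^']+)':? "
    r"(?P<what>AXFR started|IXFR started|AXFR ended|IXFR ended|denied)")

# Networks that allow-recursion permits (assumed, taken from the notes).
RECURSION_ALLOWED = [ipaddress.ip_network("10.189.9.0/24"), ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample log: two local queries, one outside host asking for recursion
# and an ANY record, one legitimate AXFR by the slave and one denied AXFR attempt.
SAMPLE_LOG = """\
08-Jun-2015 16:50:01.112 queries: info: client 10.189.9.5#41230: query: www.mageedua.com IN A + (10.189.9.202)
08-Jun-2015 16:50:02.004 queries: info: client 10.189.9.5#41231: query: mail.mageedua.com IN MX + (10.189.9.202)
08-Jun-2015 16:50:03.871 queries: info: client 203.0.113.9#53122: query: www.baidu.com IN A + (10.189.9.202)
08-Jun-2015 16:50:04.220 queries: info: client 203.0.113.9#53123: query: mageedua.com IN ANY +E (10.189.9.202)
08-Jun-2015 16:50:05.530 xfer-out: info: client 10.189.9.201#36125: transfer of 'mageedua.com/IN': AXFR started
08-Jun-2015 16:50:05.540 xfer-out: info: client 10.189.9.201#36125: transfer of 'mageedua.com/IN': AXFR ended
08-Jun-2015 16:50:09.002 security: error: client 203.0.113.9#53190: zone transfer 'mageedua.com/IN' denied
"""

def analyse(lines):
    """Tally queries per client and type, record started zone transfers, and flag
    recursion requested from outside the allowed networks, ANY/AXFR/IXFR query
    types, and denied zone transfers."""
    report = {"by_client": Counter(), "by_type": Counter(), "transfers": [], "findings": []}
    for line in lines:
        q = QUERY_RE.match(line)
        if q:
            ip = ipaddress.ip_address(q["ip"])
            report["by_client"][q["ip"]] += 1
            report["by_type"][q["type"]] += 1
            if q["flags"].startswith("+") and not any(ip in n for n in RECURSION_ALLOWED):
                report["findings"].append(("recursion-from-outside", q["ip"], q["name"]))
            if q["type"] in ("ANY", "AXFR", "IXFR"):
                report["findings"].append(("suspicious-qtype", q["ip"], q["type"]))
            continue
        x = XFER_RE.search(line)
        if x and x["what"] == "denied":
            report["findings"].append(("transfer-denied", x["ip"], x["zone"]))
        elif x and x["what"].endswith("started"):
            report["transfers"].append((x["ip"], x["zone"], x["what"].split()[0]))
    return report

if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print(result["by_client"].most_common())
    for finding in result["findings"]:
        print("FINDING", *finding)
```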
DNS load testing:
Use the queryperf tool for query load testing (queryperf ships with the bind source code and has to be compiled and installed by hand)
[root@localhost ~]# queryperf -h    # show the help
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]
                 [-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
                 [-i interval] [-r arraysize] [-u unit] [-H histfile]
                 [-T qps] [-e] [-D] [-R] [-c] [-v] [-h]
  -d specifies the input data file (default: stdin)
  -s sets the server to query (default: 127.0.0.1)
  -p sets the port on which to query the server (default: 53)
  -q specifies the maximum number of queries outstanding (default: 20)
  -t specifies the timeout for query completion in seconds (default: 5)
  -n causes configuration changes to be ignored
  -l specifies how a limit for how long to run tests in seconds (no default)
  -1 run through input only once (default: multiple iff limit given)
  -b set input/output buffer size in kilobytes (default: 32 k)
  -i specifies interval of intermediate outputs in seconds (default: 0=none)
  -f specify address family of DNS transport, inet or inet6 (default: any)
  -r set RTT statistics array size (default: 50000)
  -u set RTT statistics time unit in usec (default: 100)
  -H specifies RTT histogram data file (default: none)
  -T specify the target qps (default: 0=unspecified)
  -e enable EDNS 0
  -D set the DNSSEC OK bit (implies EDNS)
  -R disable recursion
  -c print the number of packets with each rcode
  -v verbose: report the RCODE of each response on stdout
  -h print this usage
[root@localhost ~]# queryperf -d test -s 10.189.9.202    # command usage: -d the query data file, -s the server under test
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 10.189.9.202)
[Status] Testing complete

Statistics:

  Parse input file:     once
  Ended due to:         reaching end of file

  Queries sent:         651690 queries
  Queries completed:    651690 queries
  Queries lost:         0 queries
  Queries delayed(?):   0 queries

  RTT max:              0.633849 sec
  RTT min:              0.000249 sec
  RTT average:          0.000831 sec
  RTT std deviation:    0.001287 sec
  RTT out of range:     0 queries

  Percentage completed: 100.00%
  Percentage lost:        0.00%

  Started at:           Thu Jun 11 14:59:14 2015
  Finished at:          Thu Jun 11 14:59:41 2015
  Ran for:              27.499620 seconds

  Queries per second:   23698.145647 qps
Note: the dnstop tool can be used to capture packets on the server and analyse the traffic
Well-known free DNS hosting providers on the Internet:
dnspod
www.dns.la
Temporarily disabling SELinux:
# getenforce
enforcing
# setenforce 0
# setenforce 1
Disabling it permanently:
vim /etc/selinux/config
change SELINUX=enforcing to disabled or permissive