我们知道相同网段内各网络设备之间是基于mac通信,而跨网络的不同主机之间是基于IP地址通信。随着世界主机数量爆炸式的增长,对于记住数目众多IP和想访问未知对方IP的主机成为一个痛点。通过基于人们熟知的文字访问主机应运而生。
DNS(Domain Name System,域名系统),因特网上作为域名和IP地址相互映射的一个分布式数据库,能够使用户更方便的访问互联网,而不用去记住能够被机器直接读取的IP数串。通过主机名,最终得到该主机名对应的IP地址的过程叫做域名解析(或主机名解析)。
DNS是一项十分基础服务,今天我们实现在linux下安装bind,DNS主从复制,view视图,转发,子域授权等功能。
安装包
bind-9.8.2-0.37.rc1.el6.x86_64.rpm
bind-libs-9.8.2-0.37.rc1.el6.x86_64.rpm
bind-utils-9.8.2-0.37.rc1.el6.x86_64.rpm
可直接使用 yum install -y bind安装自动解决依赖关系或者使用rpm分别安装各个包。
编辑/etc/named.conf配置文件
[root@test-2 ~]# cp /etc/named.conf /etc/named.conf_bak #先备份 [root@test-2 ~]# vi /etc/named.conf #先简单配置下 options { listen-on port 53 { 10.0.0.7; }; #监听IP及端口 directory "/var/named"; allow-query { any; }; #允许所有IP查询 recursion yes; #允许递归 }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "magedu.com" IN { #配置正向解析domain为magedu type master; #模式为master file "magedu/magedu.zone"; #区域文件存放地点 }; zone "0.0.10.a.in-addr.arpa" IN { #配置反像解析 type master; #模式为master file "magedu/10.0.0.zone"; }; #include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@test-2 magedu]# named-checkconf #检查配置文件
创建目录magedu,用于存放magedu域正向,反向解析文件
[root@test-2 ~]# cd /var/named/ [root@test-2 named]# mkdir magedu [root@test-2 named]# chown -R root:named magedu #设置属主和数组 [root@test-2 named]# chmod -R 750 magedu #设置权限为750,否则会提示权限问题 [root@test-2 named]# ls data dynamic magedu named.ca named.empty named.localhost named.loopback slaves
创建正向解析和反向解析文件
[root@test-2 named]# cd magedu/ [root@test-2 magedu]# vi magedu.zone #创建正向解析文件 $TTL 600 @ IN SOA magedu.com. dnsadmin.magedu.com. ( 20150915001 3m 3m 3d 1d) IN NS ns1.magedu.com. ns1 IN A 10.0.0.7 www IN A 10.0.0.11 bao IN A 10.0.0.12 [root@test-2 magedu]# vi 10.0.0.zone #创建反向解析文件 $TTL 600 @ IN SOA magedu.com. dnsadmin.magedu.com. ( 20150915001 3m 3m 3d 1d) IN NS ns1.magedu.com. 7 IN PTR ns1.magedu.com. 11 IN PTR www.magedu.com. 12 IN PTR bao.magedu.com. ~ [root@test-2 magedu]# chmod 640 10.0.0.zone magedu.zone #设置权限 [root@test-2 magedu]# named-checkzone magedu.com magedu.zone #检查配置文件是否正确 zone magedu.com/IN: loaded serial 2971045817 OK [root@test-2 magedu]# named-checkzone 0.0.10.a.in-addr.arpa 10.0.0.zone zone 0.0.10.a.in-addr.arpa/IN: loaded serial 2971045817 OK
启动named,验证DNS是否能够正解,反解
[root@test-2 magedu]# /etc/init.d/named start #启动配置named Starting named: [ OK ] [root@test-2 magedu]# dig -t A www.magedu.com @10.0.0.7 #正解www.magedu.com ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -t A www.magedu.com @10.0.0.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19681 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.magedu.com. IN A ;; ANSWER SECTION: www.magedu.com. 600 IN A 10.0.0.11 ;; AUTHORITY SECTION: magedu.com. 600 IN NS ns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com. 600 IN A 10.0.0.7 ;; Query time: 4 msec ;; SERVER: 10.0.0.7#53(10.0.0.7) ;; WHEN: Tue Sep 15 21:06:12 2015 ;; MSG SIZE rcvd: 82 [root@test-2 magedu]# dig -x 10.0.0.11 @10.0.0.7 #反解10.0.0.11 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> -x 10.0.0.11 @10.0.0.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9952 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;11.0.0.10.in-addr.arpa. IN PTR ;; ANSWER SECTION: 11.0.0.10.in-addr.arpa. 600 IN PTR www.magedu.com. ;; AUTHORITY SECTION: 0.0.10.in-addr.arpa. 600 IN NS ns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com. 600 IN A 10.0.0.7 ;; Query time: 1 msec ;; SERVER: 10.0.0.7#53(10.0.0.7) ;; WHEN: Tue Sep 15 21:24:41 2015 ;; MSG SIZE rcvd: 102
经验证,DNS已OK
view视图,可以实现,不同客户端IP解析域名时得到不同解析,而相同IP每次解析IP相同,模拟智能DNS实现区域负载的目的。
下面搭建view视图
修改配置文件/etc/named.conf
options { listen-on port 53 { 10.0.0.7; }; #由于没有加路由,只有让不同网段使用不同的DNS listen-on port 53 { 192.168.0.106; }; directory "/var/named"; allow-query { any; }; recursion yes; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; view "lan" { #配置一个叫lan的视图 match-clients { 192.168.0.0/24; }; #设置不同网段使用不同的解析文件 zone "." IN { type hint; file "named.ca"; }; zone "magedu.com" IN { type master; file "magedu/magedu.zone"; }; zone "0.0.10.in-addr.arpa" IN { type master; file "magedu/10.0.0.zone"; }; }; view "wlan" { #配置一个叫wlan的视图 match-clients { 10.0.0.0/24; }; zone "." IN { type hint; file "named.ca"; }; zone "magedu.com" IN { type master; file "magedu/magedu.zone.wlan"; }; zone "0.0.10.in-addr.arpa" IN { type master; file "magedu/10.0.0.zone.wlan"; }; }; #include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
根据/etc/named.conf配置,需要新加magedu.zone.wlan,10.0.0.zone.wlan配置文件
[root@test-2 magedu]# cp 10.0.0.zone 10.0.0.zone.wlan #嘿嘿,偷个懒,然后再修改下里面内容 [root@test-2 magedu]# cp magedu.zone magedu.zone.wlan [root@test-2 magedu]# chwon :named magedu.zone.wlan 10.0.0.zone.wlan #修改属组 [root@test-2 magedu]# vi 10.0.0.zone.wlan $TTL 600 @ IN SOA magedu.com. dnsadmin.magedu.com. ( 20150915003 3m 3m 3d 1d) IN NS ns1.magedu.com. 7 IN PTR ns1.magedu.com. 111 #原来的11改成了111 IN PTR www.magedu.com. 122 #原来的12改成了122 IN PTR bao.magedu.com. [root@test-2 magedu] vi magedu.zone.wlan $TTL 600 @ IN SOA magedu.com. dnsadmin.magedu.com. ( 20150915003 3m 3m 3d 1d) IN NS ns1.magedu.com. ns1 IN A 10.0.0.7 www IN A 10.0.0.111 #把原来的11改成了111 bao IN A 10.0.0.122 #把原来的12改成了122
根据lan和wlan配置文件,如果是10.0.0.0/24网段的主机去dig -t a www.magedu.com则会返回10.0.0.111。
如果是192.168.0.0/24网段的主机去dig -t a www.magedu.com则会返回10.0.0.11。
下面我们验证是否正确
1: lo:mtu 65536 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4e:f0:1a brd ff:ff:ff:ff:ff:ff inet 192.168.0.105/24 brd 192.168.0.255 scope global eth0 #192.168.0.105 inet6 fe80::20c:29ff:fe4e:f01a/64 scope link valid_lft forever preferred_lft forever 3: eth1: mtu 1500 qdisc pfifo_fast state UP qlen 1000 link/ether 00:0c:29:4e:f0:2e brd ff:ff:ff:ff:ff:ff inet 10.0.0.8/24 brd 10.0.0.255 scope global eth1 #10.0.0.8 inet6 fe80::20c:29ff:fe4e:f02e/64 scope link valid_lft forever preferred_lft forever [root@test-3 ~]# dig -t a www.magedu.com @10.0.0.7 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t a www.magedu.com @10.0.0.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43891 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.magedu.com. IN A ;; ANSWER SECTION: www.magedu.com. 600 IN A 10.0.0.111 #使用10.0.0.7解析的结果 ;; AUTHORITY SECTION: magedu.com. 600 IN NS ns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com. 600 IN A 10.0.0.7 ;; Query time: 8 msec ;; SERVER: 10.0.0.7#53(10.0.0.7) ;; WHEN: Tue Sep 15 22:11:09 2015 ;; MSG SIZE rcvd: 82 [root@test-3 ~]# dig -t a www.magedu.com @192.168.0.106 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t a www.magedu.com @192.168.0.106 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51307 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.magedu.com. IN A ;; ANSWER SECTION: www.magedu.com. 600 IN A 10.0.0.11 #使用192.168.0.106的ip解析的结果 ;; AUTHORITY SECTION: magedu.com. 600 IN NS ns1.magedu.com. ;; ADDITIONAL SECTION: ns1.magedu.com. 600 IN A 10.0.0.7 ;; Query time: 4 msec ;; SERVER: 192.168.0.106#53(192.168.0.106) ;; WHEN: Tue Sep 15 22:16:44 2015 ;; MSG SIZE rcvd: 82
主从复制
在主DNS上/etc/named.conf配置
options { listen-on port 53 { 10.0.0.7; }; // listen-on-v6 port 53 { ::1; }; directory "/var/named"; // dump-file "/var/named/data/cache_dump.db"; // statistics-file "/var/named/data/named_stats.txt"; // memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; allow-transfer { 10.0.0.8; }; #需要添加从配置允许的IP
创建从DNS服务器,配置跟主相似,然后修改/etc/name.conf,在“. zone”区域下面添加从的选项
zone "magedu.com" IN { type slave; #设置成从 file "slaves/magedu.zone"; #设置配置文件保存到slaves masters { 10.0.0.7; }; #配置主dns的ip }; zone "0.0.10.in-addr.arpa" IN { type slave; #设置成从 file "slaves/0.0.10.in-addr.arpa"; #设置配置文件保存到slaves masters { 10.0.0.7; }; #配置主dns的ip [root@test-3 ~]# /etc/init.d/named start [root@test-3 ~]# ls /var/name/slaves/ #已经同步过来 0.0.10.in-addr.arpa magedu.zone
区域授权
前提条件: 1.父域需要对子区域开启递归,
2.在区域记录有需要授权的子区域名称
3.在区域记录有子区域的NS记录和A记录
###主区域/etc/name.conf配置 options { listen-on port 53 { 10.0.0.7; }; directory "/var/named"; allow-query { any; }; recursion yes; #必须开启递归 allow-transfer { 10.0.0.8; }; ##对10.0.0.8开启白名单 }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "magedu.com" IN { type master; file "magedu/magedu.zone"; }; zone "0.0.10.in-addr.arpa" IN { type master; file "magedu/10.0.0.zone"; }; #include "/etc/named.rfc1912.zones"; //include "/etc/named.root.key"; ###必须关闭根key验证。 需要在主magedu.zone区域内最后添加子区域的NS和A记录 tech IN NS ns2.tech.magedu.com. ns2.tech IN A 10.0.0.8 #####子区域/etc/named.conf配置项最后,新增一个tech.magedu.com的zone zone "tech.magedu.com" IN { type master; file "magedu/tech.zone"; }; [root@test-3 magedu]# vi tech.magedu.zone $TTL 600 @ IN SOA tech.magedu.com. admin.magedu.com. ( 20150915001 3m 3m 3d 1d) IN NS ns2.tech.magedu.com. ns2 IN A 10.0.0.8 www IN A 10.0.0.100 [root@test-3 magedu]# chown :named tech.magedu.zone [root@test-3 magedu]# chmod 640 tech.magedu.zone [root@test ~]# dig -t a www.tech.magedu.com @10.0.0.7 #在其他服务器测试结果 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t a www.tech.magedu.com @10.0.0.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20702 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.tech.magedu.com. IN A ;; ANSWER SECTION: www.tech.magedu.com. 542 IN A 10.0.0.100 ;; AUTHORITY SECTION: tech.magedu.com. 542 IN NS ns2.tech.magedu.com. ;; ADDITIONAL SECTION: ns2.tech.magedu.com. 542 IN A 10.0.0.8 #让10.0.0.7去解析,确实10.0.0.8提供解析回答,证明,子域授权成功 ;; Query time: 7 msec ;; SERVER: 10.0.0.7#53(10.0.0.7) ;; WHEN: Thu Sep 17 03:18:36 2015 ;; MSG SIZE rcvd: 87
转发
前提条件:1.区域需要得到授权。
2.被转发主机需要有访问外部网络的能力
3.被转发主机需要对转发主机开启递归
[root@test ~]# dig -t a www.baidu.com @10.0.0.8 #没有开发转发前,不能解析到百度。 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t a www.baidu.com @10.0.0.8 ;; global options: +cmd ;; connection timed out; no servers could be reached ###转发到具有访问外部能力的主机10.0.0.7上 [root@test-3 magedu]# vi /etc/name.conf options { listen-on port 53 { 10.0.0.8; }; directory "/var/named"; allow-query { any; }; recursion yes; #必须开启递归 forward first; forwarders { 10.0.0.7; }; ##向10.0.0.7去转发 }; [root@test ~]# dig -t a www.baidu.com @10.0.0.8 #配置转发后 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6 <<>> -t a www.baidu.com @10.0.0.8 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29571 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 5 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 102 IN CNAME www.a.shifen.com.#解析成功 www.a.shifen.com. 546 IN A 119.75.218.70 www.a.shifen.com. 546 IN A 119.75.217.109 ;; AUTHORITY SECTION: a.shifen.com. 11 IN NS ns3.a.shifen.com. a.shifen.com. 11 IN NS ns1.a.shifen.com. a.shifen.com. 11 IN NS ns4.a.shifen.com. a.shifen.com. 11 IN NS ns2.a.shifen.com. a.shifen.com. 11 IN NS ns5.a.shifen.com. ;; ADDITIONAL SECTION: ns3.a.shifen.com. 257 IN A 61.135.162.215 ns5.a.shifen.com. 261 IN A 119.75.222.17 ns2.a.shifen.com. 148 IN A 180.149.133.241 ns1.a.shifen.com. 27 IN A 61.135.165.224 ns4.a.shifen.com. 304 IN A 115.239.210.176 ;; Query time: 13 msec ;; SERVER: 10.0.0.8#53(10.0.0.8) ;; WHEN: Thu Sep 17 03:31:37 2015 ;; MSG SIZE rcvd: 260
ACL 访问控制列表
acl ACL_NAME {
172.16.0.0/16
192.168.0.0/24
10.0.0.0/24
};
多用于 allow-transfer { ACL_NAME; }; allow-query { ACL_NAME; }; allow-recursion { ACL_NAME; };allow-update { ACL_NAME };match-clients { ACL_NAME; };等需要指定网络的{}内
注意:控制列表只有定义后才能使用,通常ACL要定义在named.conf最上方
内置的acl
any 任何主机
none 无一主机
local 本机
localnet 本机所在的网络