I. Installing and configuring the DNS service
The DNS implementation is BIND (Berkeley Internet Name Domain), which was later handed over to ISC for maintenance (www.isc.org).
The DNS service package is named bind; the daemon program is named.
The required packages are:
- bind
- bind-libs
- bind-utils
- bind-chroot: /var/named/chroot/, optional
1.1 Installing bind
On CentOS, bind can be installed directly with yum, or built from source.
# install with yum
~]# yum install bind bind-libs bind-utils bind-chroot
# for building from source, see the README
1.2 bind configuration files
Service scripts: CentOS 6 (/etc/rc.d/init.d/named); CentOS 7 (/usr/lib/systemd/system/named.service)
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Zone database files: /var/named/ZONE_NAME.zone
NOTE:
- rndc (remote named domain controller) is installed on the same host as bind by default and can only connect to the named process through 127.0.0.1; it provides auxiliary management functions.
- One physical server can provide resolution for several zones at the same time.
- A root zone file is required.
- There should be two zone databases (more if IPv6 addresses are included) that resolve localhost and the loopback address.
The main configuration file defines the listening address and port, security policy, logging, zone configuration and so on.
# /etc/named.conf
# global configuration: options {};
# logging subsystem configuration: logging {};
# /etc/named.rfc1912.zones
# zone definitions: every zone this host is to resolve must be defined here
# zone "zone_name" IN {};
NOTE: any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with external hosts.
1.3 Configuring bind
Caching name server configuration:
# change the external listening address
listen-on port 53 { 192.168.123.132; 127.0.0.1; };
# turn off DNSSEC
dnssec-enable no;
dnssec-validation no;
# change allow-query
allow-query { any; };
# example configuration file:
[root@docker-package etc]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.123.132; 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };   # can be commented out if IPv6 is not used
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        // bindkeys-file "/etc/named.iscdlv.key";

        // managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@leistudy yum.repos.d]# systemctl start named
[root@leistudy yum.repos.d]# ss -tunl | grep ":53\b"
udp UNCONN 0 0 192.168.123.100:53 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
tcp LISTEN 0 10 192.168.123.100:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
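As an added example (not part of the original notes): a small Python check for the options block above. It flags the open-resolver combination that the comment inside named.conf warns about (recursion on, a non-loopback listen address, recursion allowed for "any") and disabled DNSSEC validation. The two options blocks are constructed from the page's values; allow-recursion and dnssec-validation auto in the hardened variant are standard BIND options.

```python
import re

# Constructed samples: the weak options block from the example above, and a
# hardened variant that restricts recursion to the local network.
WEAK_CONF = """\
options {
    listen-on port 53 { 192.168.123.132; 127.0.0.1; };
    allow-query { any; };      // anyone may ask ...
    recursion yes;             // ... and get recursive answers
    dnssec-validation no;
};
"""
HARDENED_CONF = """\
options {
    listen-on port 53 { 192.168.123.132; 127.0.0.1; };
    allow-query { any; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.123.0/24; };
    dnssec-validation auto;
};
"""

def parse_options(conf):
    """Return {statement: value} for the options block; '{ a; b; }' values become lists."""
    conf = re.sub(r"//[^\n]*|/\*.*?\*/", "", conf, flags=re.S)      # drop both comment styles
    body = re.search(r"options\s*\{(.*?)\n\};", conf, re.S).group(1)
    opts = {}
    for m in re.finditer(r"^\s*([\w-]+)\s+([^;{]*?)\s*(\{[^}]*\})?\s*;", body, re.M):
        name, scalar, block = m.groups()
        opts[name] = ([x.strip() for x in block.strip("{}").split(";") if x.strip()]
                      if block else scalar.strip())
    return opts

def resolver_findings(conf):
    """Flag the open-resolver pattern named.conf's own comment warns about, plus disabled validation."""
    opts = parse_options(conf)
    external = [a for a in opts.get("listen-on", []) if not a.startswith("127.")]
    # simplified fallback: without allow-recursion, allow-query governs who may recurse
    recursion_acl = opts.get("allow-recursion", opts.get("allow-query", []))
    findings = []
    if opts.get("recursion") == "yes" and external and "any" in recursion_acl:
        findings.append(f"open resolver: recursion for 'any' on {', '.join(external)}")
    if opts.get("dnssec-validation") == "no":
        findings.append("dnssec-validation no: forged upstream answers are not rejected")
    return findings
```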
Master DNS server, forward zone configuration:
# add zone files on top of the caching DNS server configuration
# define the zone in /etc/named.rfc1912.zones
# example:
[root@leistudy yum.repos.d]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
        type master;
        file "leistudy.com.zone";
};
# define the zone database file
# macro definitions ($TTL, $ORIGIN)
# resource records
# example:
[root@leistudy ~]# cd /var/named/
[root@leistudy named]# ls
chroot data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@leistudy named]# vim leistudy.com.zone
$TTL 86400
$ORIGIN leistudy.com.
@       IN      SOA     ns1.leistudy.com. admin.leistudy.com. (
                        2018032901
                        1H
                        5M
                        7D
                        1D
                        )
        IN      NS      ns1
        IN      NS      ns2
        IN      MX 10   mx1
        IN      MX 20   mx2
ns1     IN      A       192.168.123.100
ns2     IN      A       192.168.123.101
mx1     IN      A       192.168.123.100
mx2     IN      A       192.168.123.101
www     IN      A       192.168.123.100
web     IN      CNAME   www
# check the zone file for errors
[root@leistudy named]# named-checkzone "leistudy.com" /var/named/leistudy.com.zone
zone leistudy.com/IN: loaded serial 2018032901
OK
# reload the configuration
[root@leistudy named]# rndc reload
server reload successful
# test
[root@leistudy named]# dig -t A www.leistudy.com @192.168.123.100
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -t A www.leistudy.com @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29655
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.leistudy.com. IN A
;; ANSWER SECTION:
www.leistudy.com. 86400 IN A 192.168.123.100
;; AUTHORITY SECTION:
leistudy.com. 86400 IN NS ns2.leistudy.com.
leistudy.com. 86400 IN NS ns1.leistudy.com.
;; ADDITIONAL SECTION:
ns1.leistudy.com. 86400 IN A 192.168.123.100
ns2.leistudy.com. 86400 IN A 192.168.123.101
;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Thu Mar 29 17:11:04 CST 2018
;; MSG SIZE rcvd: 129
Master DNS server, reverse zone configuration:
# zone name: the network address written in reverse, followed by .in-addr.arpa
192.168.123. --> 123.168.192.in-addr.arpa
# define the zone: /etc/named.rfc1912.zones
[root@leistudy ~]# vim /etc/named.rfc1912.zones
zone "123.168.192.in-addr.arpa" IN {
        type master;
        file "123.168.192.in-addr.arpa.zone";
};
# define the reverse zone database file
[root@leistudy ~]# vim /var/named/123.168.192.in-addr.arpa.zone
$TTL 86400
$ORIGIN 123.168.192.in-addr.arpa.
@       IN      SOA     ns1.leistudy.com. admin.leistudy.com. (
                        2018032901
                        1H
                        5M
                        7D
                        1D
                        )
        IN      NS      ns1.leistudy.com.
        IN      NS      ns2.leistudy.com.
100     IN      PTR     ns1.leistudy.com.
101     IN      PTR     ns2.leistudy.com.
100     IN      PTR     mx1.leistudy.com.
101     IN      PTR     mx2.leistudy.com.
100     IN      PTR     www.leistudy.com.
# check the zone database file
[root@leistudy ~]# named-checkzone "123.168.192.in-addr.arpa" /var/named/123.168.192.in-addr.arpa.zone
zone 123.168.192.in-addr.arpa/IN: loaded serial 2018032901
OK
# reload the configuration
[root@leistudy ~]# rndc reload
server reload successful
# reverse lookup test
[root@leistudy ~]# host -t PTR 192.168.123.100 192.168.123.100
Using domain server:
Name: 192.168.123.100
Address: 192.168.123.100#53
Aliases:
100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
[root@leistudy ~]# dig -x 192.168.123.100 @192.168.123.100
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> -x 192.168.123.100 @192.168.123.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34713
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.123.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.123.168.192.in-addr.arpa. 86400 IN PTR www.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN PTR ns1.leistudy.com.
100.123.168.192.in-addr.arpa. 86400 IN PTR mx1.leistudy.com.
;; AUTHORITY SECTION:
123.168.192.in-addr.arpa. 86400 IN NS ns2.leistudy.com.
123.168.192.in-addr.arpa. 86400 IN NS ns1.leistudy.com.
;; ADDITIONAL SECTION:
ns1.leistudy.com. 86400 IN A 192.168.123.100
ns2.leistudy.com. 86400 IN A 192.168.123.101
;; Query time: 0 msec
;; SERVER: 192.168.123.100#53(192.168.123.100)
;; WHEN: Fri Mar 30 10:06:13 CST 2018
;; MSG SIZE rcvd: 187
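As an added example that is not part of the original notes, covering both the forward zone and the reverse zone above: a minimal Python parser for the zone-file syntax used here ($ORIGIN, a multi-line SOA in parentheses, owner inheritance on lines that start with whitespace) and a check that every A record inside the network has a matching PTR in the reverse zone. The sample zones are constructed from the page's leistudy.com data, with mx1 deliberately left out of the reverse zone.

```python
# Constructed sample zones (page data); mx1 is intentionally missing from the reverse zone.
FORWARD_ZONE = """\
$TTL 86400
$ORIGIN leistudy.com.
@   IN SOA ns1.leistudy.com. admin.leistudy.com. (
        2018032901 1H 5M 7D 1D )
    IN NS ns1
ns1 IN A 192.168.123.100
mx1 IN A 192.168.123.100
www IN A 192.168.123.100
web IN CNAME www
"""
REVERSE_ZONE = """\
$ORIGIN 123.168.192.in-addr.arpa.
@   IN SOA ns1.leistudy.com. admin.leistudy.com. ( 2018032901 1H 5M 7D 1D )
    IN NS ns1.leistudy.com.
100 IN PTR ns1.leistudy.com.
100 IN PTR www.leistudy.com.
"""

def parse_zone(text):
    """Yield (owner_fqdn, type, rdata); handles $ORIGIN, '( ... )' continuation and owner inheritance."""
    origin, owner, buf = "", "", ""
    for raw in text.splitlines():
        buf = f"{buf} {raw}" if buf else raw            # join continuation lines
        if not buf.strip():
            buf = ""
            continue
        if buf.count("(") > buf.count(")"):
            continue                                    # still inside '( ... )'
        line, buf = buf, ""
        if line.startswith("$"):                        # $ORIGIN / $TTL directives
            origin = line.split()[1] if line.startswith("$ORIGIN") else origin
            continue
        fields = line.split()
        if line[0] not in " \t":                        # explicit owner; '@' = origin
            name = fields.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        while fields[0].isdigit() or fields[0] == "IN":  # skip optional TTL / class
            fields.pop(0)
        yield owner, fields[0], " ".join(fields[1:])
def reverse_zone_name(prefix):
    """'192.168.123' -> '123.168.192.in-addr.arpa.' (network address reversed)."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."
def missing_ptrs(forward, reverse, prefix):
    """A records inside `prefix` whose PTR is absent from the reverse zone."""
    have = {(o, r) for o, t, r in parse_zone(reverse) if t == "PTR"}
    want = {(f"{a.rsplit('.', 1)[1]}.{reverse_zone_name(prefix)}", o)
            for o, t, a in parse_zone(forward) if t == "A" and a.startswith(prefix + ".")}
    return sorted(want - have)
```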
Master/slave replication:
# 1. The slave should be an independent name server
# 2. The master's zone database must contain an NS record pointing to the slave
# 3. The slave only needs to define the zone; it does not need its own zone database file, which is placed in /var/named/slaves after transfer
# 4. The master must allow the slave to perform zone transfers
# 5. Master and slave clocks should be synchronized, e.g. with ntp
# 6. bind versions should be the same; otherwise the slave should run the higher version and the master the lower one
# define the slave zones:
[root@ns2 ~]# ip add sh | grep ens33 | tail -1
inet 192.168.123.101/24 brd 192.168.123.255 scope global ens33
[root@ns2 slaves]# vim /etc/named.rfc1912.zones
zone "leistudy.com" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/leistudy.com.zone";
};
zone "123.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.123.100; };
        file "slaves/123.168.192.in-addr.arpa.zone";
};
# check whether the zone files have been transferred
[root@ns2 slaves]# cd /var/named/slaves/
[root@ns2 slaves]# ll
total 8
-rw-r--r--. 1 named named 416 Mar 30 10:44 123.168.192.in-addr.arpa.zone
-rw-r--r--. 1 named named 561 Mar 30 10:46 leistudy.com.zone
# test
[root@ns2 slaves]# host -t A www.leistudy.com 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases:
www.leistudy.com has address 192.168.123.100
[root@ns2 slaves]# host -t PTR 192.168.123.100 192.168.123.101
Using domain server:
Name: 192.168.123.101
Address: 192.168.123.101#53
Aliases:
100.123.168.192.in-addr.arpa domain name pointer ns1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer mx1.leistudy.com.
100.123.168.192.in-addr.arpa domain name pointer www.leistudy.com.
II. The rndc command
rndc connects to the rndc server side, which starts together with named and listens on TCP port 953.
[root@ns2 slaves]# ss -tnl | grep ":953\b"
LISTEN 0 128 127.0.0.1:953 *:*
LISTEN 0 128 ::1:953 :::*
# usage: rndc COMMAND
# COMMAND:
# reload: reload the main configuration file and the zone database files
# reload zone: reload only the given zone's database file, not the main configuration file
# retransfer zone: start a zone transfer manually, regardless of whether the serial number has increased
# notify zone: resend zone transfer notifications for the zone
# reconfig: reload the main configuration file
# querylog: turn query logging on or off
# trace: increase the debug level by one
# trace [LEVEL]: set the debug level to LEVEL