DNS concepts:
Put simply, DNS is a service that listens on port 53 and translates between domain names and IP addresses. When you visit ip.gs, nothing on the network can route a name: your resolver first asks a DNS server, which returns the IP address for ip.gs, and only then can packets be routed normally. Reverse resolution (PTR records) maps an IP address back to a name; a receiving mail server uses it to check that the connecting IP really belongs to the host it claims to be, which is one of the basic defences against forged mail servers.
I. Install the BIND server software and start it
1. Install bind:
yum install bind bind-chroot bind-utils -y
(nslookup and dig are not packages of their own on CentOS 7; both ship in bind-utils. bind-chroot adds a named-chroot.service that confines the daemon to /var/named/chroot; the steps below use the plain named.service.)
After BIND is installed the system has an extra user, named, which the daemon drops its privileges to.
2. Start the DNS service (run systemctl enable named.service as well if it should start at boot; the status output below shows it is still disabled):
systemctl start named.service
3. Check that the named process started properly:
[root@test-node2 named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Tue 2018-05-29 22:19:41 CST; 12min ago
Process: 1422 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1420 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1425 (named)
CGroup: /system.slice/named.service
└─1425 /usr/sbin/named -u named -c /etc/named.conf
4. DNS uses UDP on port 53 for ordinary queries, and TCP on the same port for zone transfers and for answers too large for UDP. Confirm that named is listening:
ss -anpu | grep named
(run ss -anpt | grep named as well to see the TCP listener)
5. Open port 53 for both TCP and UDP in the firewall (firewalld's dns service covers 53/tcp and 53/udp):
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
6. Test:
[root@test-node2 named]# dig www.baidu.com @192.168.1.92
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.baidu.com @192.168.1.92
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 375
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 321 msec
;; SERVER: 192.168.1.92#53(192.168.1.92)
;; WHEN: Tue May 29 22:37:38 CST 2018
;; MSG SIZE rcvd: 42
The server answered, so named is reachable on port 53 from the network. However, status: SERVFAIL together with ANSWER: 0 means it could not resolve the name; a working recursive resolver returns status: NOERROR and at least one record in the ANSWER section. Typical causes of SERVFAIL at this stage are that the server has no path to the root or upstream name servers, or that DNSSEC validation failed (dig +cd www.baidu.com @192.168.1.92 repeats the query with validation disabled, and journalctl -u named shows the reason). Repeat the test until it returns NOERROR before treating the initial setup as complete.
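To make clear what the dig output above is saying, here is an added example (my own code, not part of the tutorial) that builds the same A query dig sends, transmits it over UDP/53 and decodes the header fields dig prints in its HEADER and flags lines. It counts only NOERROR with a non-empty ANSWER section as a working resolver, so a SERVFAIL like the one above is reported as a failure. The server address 192.168.1.92, the query name and the two sample headers at the end are constructed for illustration.

```python
"""Minimal DNS wire-format check: what did the test query really return?

Added example, not from the tutorial. It encodes a recursive A query exactly
as dig does by default, parses the 12-byte response header and reports the
RCODE and answer count. Server, name and sample packets are assumptions.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Standard query with RD=1 (flags 0x0100), one question, QTYPE A, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def parse_response(data: bytes) -> dict:
    """Decode the header: id, the flag bits dig shows (qr aa tc rd ra), RCODE and counts."""
    if len(data) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", data[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),   # response (as opposed to query)
        "aa": bool(flags & 0x0400),   # authoritative answer
        "tc": bool(flags & 0x0200),   # truncated: retry over TCP
        "rd": bool(flags & 0x0100),   # recursion desired (copied from our query)
        "ra": bool(flags & 0x0080),   # recursion available
        "rcode": rcode,
        "status": RCODES.get(rcode, str(rcode)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def resolver_works(resp: dict, txid: int) -> bool:
    """A healthy answer: our transaction id, QR set, NOERROR and at least one answer RR."""
    return resp["id"] == txid and resp["qr"] and resp["rcode"] == 0 and resp["ancount"] > 0


def query(server: str, name: str, timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 like dig and parse whatever comes back."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    resp["ok"] = resolver_works(resp, txid)
    return resp


# Constructed sample headers (not captured from the tutorial's server):
# the shape of the dig output above: id 375, flags qr rd ra, SERVFAIL, ANSWER 0, ADDITIONAL 1
SAMPLE_SERVFAIL = struct.pack(">HHHHHH", 375, 0x8182, 1, 0, 0, 1)
# what a working recursive answer looks like: flags qr rd ra, NOERROR, ANSWER 1
SAMPLE_OK = struct.pack(">HHHHHH", 375, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.92"   # assumed server address
    r = query(server, "www.baidu.com")
    print(r["status"], "answers:", r["ancount"], "resolver ok:", r["ok"])
```

Only the header is decoded here; that is enough to distinguish "the daemon is up" (any well-formed response) from "the daemon can resolve" (NOERROR plus answers), which is the distinction the dig test above blurs.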
II. BIND configuration files
The main file to edit is /etc/named.conf. Two further files matter: /etc/named.isc-dlv.key holds a DNSSEC trust-anchor key, and /etc/named.rfc1912.zones is the extension file where zones are declared (named.conf pulls it in with an include statement).
1. Edit the main configuration file /etc/named.conf
Back it up first with cp -p /etc/named.conf /etc/named.conf.bak; the -p option preserves the original's ownership, mode and timestamps. Then edit it with vim /etc/named.conf:
options {
        listen-on port 53 { any; };        // default is 127.0.0.1; any = every IPv4 address
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };              // default is localhost
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        // ... remaining default settings unchanged ...
};
After every edit run named-checkconf /etc/named.conf; it prints nothing when the syntax is fine.
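With listen-on { any; }, allow-query { any; } and recursion yes; combined, this server answers recursive queries from any source: it is an open resolver, which can be abused for DNS amplification and cache-poisoning attempts. For a LAN server the fragment below (an added example, not from the tutorial; the 192.168.1.0/24 network and the acl name are assumed from the addresses used on this page) keeps authoritative answers open but limits recursion and cache access to the local network, forbids zone transfers and hides the version string:

```conf
// acl statements belong at top level, before the options block
acl "trusted" { 127.0.0.1; 192.168.1.0/24; };

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query { any; };              // anyone may ask for our own zones ...
        recursion yes;
        allow-recursion { trusted; };      // ... but only the LAN may use us as a resolver
        allow-query-cache { trusted; };    // and only the LAN may read cached answers
        allow-transfer { none; };          // no AXFR to strangers; list secondaries here instead
        version "not disclosed";           // answers to dig @server version.bind chaos txt

        dnssec-enable yes;
        dnssec-validation yes;
        // ... remaining default settings unchanged ...
};
```

Check the result with named-checkconf, reload with systemctl reload named.service, and confirm from a host outside 192.168.1.0/24 that a query for www.baidu.com now gets status: REFUSED while a query for hello.com still gets an answer.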
2. Edit /etc/named.rfc1912.zones, appending the two zone declarations
// forward zone
zone "hello.com" IN {
        type master;
        file "hello.com.zone";          // relative to the directory set in named.conf, /var/named
        allow-update { none; };         // no dynamic updates
};
// reverse zone for 192.168.1.0/24
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "hello.com.local";
        allow-update { none; };
};
3. Create /var/named/hello.com.zone
Copy the template and edit the copy:
cp -p /var/named/named.localhost /var/named/hello.com.zone
(-p keeps the template's root:named ownership and mode, so named can still read the file.) Then edit hello.com.zone:
$TTL 1D
@       IN SOA  @ rname.invalid. (       ; @ is the zone apex, hello.com.
                        0       ; serial (increment on every change)
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @                       ; the apex itself is the name server ...
        A       192.168.1.92            ; ... so it needs an address record
www     A       192.168.1.92
Check the file with named-checkzone hello.com /var/named/hello.com.zone before loading it.
4. Create /var/named/hello.com.local (the reverse zone file named in step 2)
The template to copy here is /var/named/named.loopback, but strip its loopback records: a reverse zone holds SOA, NS and PTR records, and its NS must name a real host (hello.com., matching the forward zone), not the reverse zone itself.
$TTL 1D
@       IN SOA  hello.com. root.hello.com. (
                        0       ; serial (increment on every change)
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      hello.com.
92      IN PTR  www.hello.com.          ; 192.168.1.92 -> www.hello.com
Check it with named-checkzone 1.168.192.in-addr.arpa /var/named/hello.com.local, then reload with systemctl reload named.service.
III. DNS client setup and testing on Linux
Point the client at the server in /etc/resolv.conf (on CentOS 7 NetworkManager rewrites this file; to make the setting persistent put DNS1=192.168.1.92 in the interface's ifcfg file or set it with nmcli):
nameserver 192.168.1.92
The bind-utils package provides the nslookup test tool (and dig):
[root@test-node2 named]# nslookup hello.com
Server: 192.168.1.92
Address: 192.168.1.92#53
Name: hello.com
Address: 192.168.1.92
IV. Add one more DNS name (node1, 192.168.1.91)
vim /etc/named.rfc1912.zones
// add a zone named node1
zone "node1" IN {
        type master;
        file "data/node1.zone";         // /var/named/data, which named owns
        allow-update { none; };
};
Declaring a bare single-label name as its own zone works for clients that use this server, since it is authoritative for the name locally, but such a name never resolves anywhere else; the usual approach is an A record node1 IN A 192.168.1.91 inside hello.com.
cd /var/named/
cp -p named.localhost data/node1.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
        NS      @
        A       192.168.1.91
Reload named (systemctl reload named.service) and test:
[root@test-node2 named]# nslookup node1
Server: 192.168.1.92
Address: 192.168.1.92#53
Name: node1
Address: 192.168.1.91
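The forward and reverse zones in section II were written by hand from two different templates, and the node1 host in section IV is a third file; keeping A and PTR records in step and remembering to bump each serial gets harder with every host. As an added example (my code, not part of the tutorial) the script below generates both zone files from one host table, gives each a YYYYMMDDnn serial that grows on every write, and runs named-checkzone on the result when BIND is installed. The zone name hello.com and the 192.168.1.0/24 network come from this page; the ns1 and hostmaster names, treating node1 as a host inside hello.com rather than its own zone, the output file names (hello.com.zone and 1.168.192.in-addr.arpa.zone) and the script name genzones.py are assumptions.

```python
"""Generate matching forward and reverse BIND zone files from one host table.

Added example; this is not code from the tutorial. One table feeds both zones,
so every A record has a matching PTR, and the SOA serial is a YYYYMMDDnn value
that increases on every write. Zone name, network, hosts, the ns1/hostmaster
names and the output file names are assumptions.
"""
import datetime
import ipaddress
import re
import shutil
import subprocess
import sys
from pathlib import Path

ZONE = "hello.com"
NETWORK = ipaddress.ip_network("192.168.1.0/24")
NS_HOST = "ns1"                                  # assumed name for the server at 192.168.1.92
# Insertion order matters: the first name listed for an IP becomes its PTR target;
# later names for the same IP get only an A record (www is an alias of ns1 here).
HOSTS = {"ns1": "192.168.1.92", "www": "192.168.1.92", "node1": "192.168.1.91"}


def reverse_zone_name(net: ipaddress.IPv4Network) -> str:
    """192.168.1.0/24 -> 1.168.192.in-addr.arpa (octet-aligned prefixes only)."""
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def next_serial(old: int, today: datetime.date) -> int:
    """YYYYMMDDnn: first write of a day is nn=01; otherwise increment, never go backwards."""
    base = int(today.strftime("%Y%m%d")) * 100
    return base + 1 if old < base else old + 1


def current_serial(path: Path) -> int:
    """Read the serial back from an existing zone file (0 if there is none yet)."""
    if not path.exists():
        return 0
    m = re.search(r"^\s*(\d+)\s*;\s*serial", path.read_text(), re.M)
    return int(m.group(1)) if m else 0


def soa_header(serial: int) -> str:
    """$TTL plus the apex SOA and NS records; @ is the zone named in the zone statement."""
    return (
        "$TTL 1D\n"
        f"@ IN SOA {NS_HOST}.{ZONE}. hostmaster.{ZONE}. (\n"
        f"    {serial} ; serial\n"
        "    1D ; refresh\n    1H ; retry\n    1W ; expire\n    3H ) ; minimum\n"
        f"    NS {NS_HOST}.{ZONE}.\n"
    )


def forward_zone(serial: int) -> str:
    lines = [soa_header(serial)]
    for host, ip in sorted(HOSTS.items()):
        if ipaddress.ip_address(ip) not in NETWORK:
            raise ValueError(f"{host}: {ip} is outside {NETWORK}, it would have no PTR")
        lines.append(f"{host} IN A {ip}\n")
    return "".join(lines)


def reverse_zone(serial: int) -> str:
    lines = [soa_header(serial)]
    done = set()
    for host, ip in HOSTS.items():
        if ip in done:
            continue                             # one PTR per address
        done.add(ip)
        host_octets = ip.split(".")[NETWORK.prefixlen // 8:]
        lines.append(f"{'.'.join(reversed(host_octets))} IN PTR {host}.{ZONE}.\n")
    return "".join(lines)


def write_and_check(directory: Path, today: datetime.date = None) -> dict:
    """Write both zone files with bumped serials; run named-checkzone when BIND is installed."""
    today = today or datetime.date.today()
    result = {}
    for name, render in ((ZONE, forward_zone), (reverse_zone_name(NETWORK), reverse_zone)):
        path = directory / f"{name}.zone"
        serial = next_serial(current_serial(path), today)
        path.write_text(render(serial))
        ok = None                                # None = checker not available on this machine
        if shutil.which("named-checkzone"):
            ok = subprocess.run(["named-checkzone", name, str(path)],
                                capture_output=True).returncode == 0
        result[name] = {"path": str(path), "serial": serial, "checkzone": ok}
    return result


if __name__ == "__main__":
    # Usage: python3 genzones.py /var/named   (then rndc reload); defaults to the current directory
    for zone, info in write_and_check(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(zone, info)
```

Point the zone statements in /etc/named.rfc1912.zones at the generated file names, keep the files owned root:named with mode 0640 like the templates, and reload named after each run.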