DNS服务端:DNS1 IP:192.168.10.63
DNS客户端:DNS2 IP:192.168.10.64
DNS(Domain Name System)域名系统,在TCP/IP网络中有着非常重要的作用,能够提供域名和IP地址的解析服务。
DNS是一个分布式数据库,命名系统采用层次的逻辑结构,如同一个倒置的树,这个逻辑的树形结构称为域名空间,由于DNS划分了域名空间,所以各机构可以使用自己的域名空间创建DNS信息。
注意:DNS域名空间中,输的最大深度不超过127层,树中每个节点最长可以存储63个字符。
1、域和域名
DNS 树的每个节点代表一个域,通过这些节点,对整个域名空间进行划分,成为一个层次结构。
域名空间的每个域的名字,通过域名进行表示。
域名:通常由一个完全合格域名(FQDN)标识。FQDN能准确表示出其相对于DNS 域树根的位置,也就是节点到DNS 树根的完整表述方式,从节点到树根采用反向书写,并将每个节点用“.”分隔,对于DNS 域google 来说,其完全正式域名(FQDN)为google.com。
例如,google为com域的子域,其表示方法为google.com,而www为google域中的子域,可以使用www.google.com表示。
由最顶层到下层,可以分为:根域、顶级域、二级域、子域。
DNS 根域下面是顶级域,也由Internet 域名注册授权机构管理。共有3 种类型的顶级域。
组织域:采用3 个字符的代号,表示DNS 域中所包含的组织的主要功能或活动。比如com 为商业机构组织,edu 为教育机构组织,gov 为政府机构组织,mil 为军事机构组织,net 为网络机构组织,org 为非营利机构组织,int 为国际机构组织。
地址域:采用两个字符的国家或地区代号。如cn 为中国,kr 为韩国,us 为美国。
反向域:这是个特殊域,名字为in-addr.arpa,用于将IP 地址映射到名字(反向查询)。
对于顶级域的下级域,Internet 域名注册授权机构授权给Internet 的各种组织。当一个组织获得了对域名空间某一部分的授权后,该组织就负责命名所分配的域及其子域,包括域中的计算机和其他设备,并管理分配的域中主机名与IP 地址的映射信息。
2、区(Zone)
区是DNS 名称空间的一部分,其包含了一组存储在DNS 服务器上的资源记录。
使用区的概念,DNS 服务器回答关于自己区中主机的查询,每个区都有自己的授权服务器。
3、主域名服务器和辅助域名服务器
当区的辅助服务器启动时,它与该区的主控服务器进行连接并启动一次区传输,区辅助服务器定期与区主控服务器通信,查看区数据是否改变,如果改变了,它就启动一次数据更新传输。
每个区都必须有主服务器,另外每个区至少有一台辅助服务器,否则如果该区的主服务器崩溃了,就无法解析该区的名称。
辅助服务器的优点:
(1)、容错能力:配置辅助服务器之后,在该区的出服务器崩溃的情况下,客户机仍旧能解析该区的名称。一般把区的主服务器和区的辅助服务器安装在不同的子网上,这样如果一个子网的连接中断,DNS客户机还能直接查询另一个子网上的名称服务器。
(2)、减少广域链路的通信量:如果某个区在远程有大量客户机,用户就可以在远程添加该区的辅助服务器,并把远程的客户机配置成先查询这些服务器,这样就能防止远程客户机通过慢速链路通信来进行DNS查询。
(3)、减轻主服务器的负载
辅助服务器能回答该区的查询,从而减少该区主服务器必须回答的查询数。
4、DNS相关概念
(1)、DNS服务器:运行DNS服务器程序的计算机储存DNS数据库信息。DNS服务器会尝试解析客户机的查询请求。在解答查询时,如果DNS服务器能提供所请求的信息,就知接回应解析结果,如果该DNS服务器没有相应的域名信息,则为客户机提供另一个能帮助解析查询到额服务器地址,如果以上两种方法均不行,则回应客户机没有所请求的信息或者请求的信息不存在。
(2)、DNS缓存:DNS服务器在解析客户机请求时,如果本地没有该DNS信息,则可以询问其他DNS服务器,当其他的域名服务器返回查询结果时,该DNS服务器会将结果记录在本地的缓存中,成为DNS缓存。当下一次客户机提交相同请求时,DNS服务器能够直接使用缓存中的DNS信息进行解析。
DNS查询方式:递归查询和迭代查询
通过8个步骤的解析过程就使得客户端可以顺利访问www.163.com 这个域名,但实际应用中,通常这个过程是非常迅速的。
(1)、客户机提交域名解析请求,并将该请求发送给本地的域名服务器;
(2)、当本地的域名服务器收到请求后,就先查询本地的缓存,如果有查询的DNS信息记录,则直接返回查询的结果,如果没有该记录,本地域名服务器就把请求发给根域名服务器。
(3)、根域名服务器再返回给本地域名服务器一个所查询域的顶级域名服务器的地址。
(4)、本地服务器再向返回的域名服务器发送请求。
(5)、接收到该查询请求的域名服务器查询其缓存和记录,如果有相关信息则返回客户机查询结果,否则通知客户机下级的域名服务器的地址。
(6)、本地域名服务器将查询请求发送给返回的DNS服务器。
(7)、域名服务器返回本地服务器查询结果(如果该域名服务器不包含查询的DNS信息,查询过程将重复<6><7>步骤,直到返回解析信息或解析失败的回应)。
(8)、本地域名服务器将返回的结果保存到缓存,并且将结果返回给客户机。
两种查询方式:
(1)、递归查询:
递归查询是一种DNS服务器的查询方式,在该模式下DNS服务器接收到客户机请求,必须使用一个准确的查询结果回复客户机。如果DNS服务器本地没有存储查询DNS信息,那么该服务器会询问其他服务器,并将返回的查询结果提交给客户机。
(2)、迭代查询:
DNS服务器另外一种查询方式是迭代查询,当客户机发送查询请求时,DNS服务器并不会直接回复查询结果,而是告诉客户机另一台DNS服务器地址,客户级再向这台DNS服务器提交请求,依次循环直到返回查询的结果为止。
[root@DNS2 ~]# vim /etc/services 端口: tcp/53 udp/53 #用于客户端查询 tcp/953 udp/953 #用于DNS主从同步
安装DNS:
BIND简介:全称是Berkeley Internet Name Domain(伯克利因特网名称域系统);主要有三个版本:BIND4、BIND8、BIND9.
BIND8融合了许多提高效率、稳定性和安全性的技术,而BIND9增加了一些超前的理念:IPv6支持、密钥支持、多处理支持、线程安全操作、增量区传送等等。
#安装程序 [root@DNS1 ~]# yum install -y bind bind-chroot bind-utils #bind-9.7.3-8.P3.el6.x86_64.rpm #该包为DNS 服务的主程序包。 #bind-chroot-9.7.3-8.P3.el6.x86_64.rpm # 提高安全性。 #bind-chroot是bind的一个功能,使bind可以在一个chroot 的模式下运行.也就是说,bind运行时的/(根)目录,并不是系统真正的/(根)目录,只是系统中的一个子目录而已.这样做的目的是为了提高安全性.因为在chroot的模式下,bind可以访问的范围仅限于这个子目录的范围里,无法进一步提升,进入到系统的其他目录中. #bind-utils-9.7.3-8.P3.el6.x86_64.rpm #该包为客户端工具,默认安装,用于搜索域名指令。 #DNS服务器相关配置文件: [root@DNS1 ~]# ls /etc/named.conf /etc/named.conf named.conf 是BIND 的核心配置文件,它包含了BIND 的基本配置,但其并不包括区域数据。 /var/named/ 目录为DNS数据库文件存放目录,每一个域文件都放在这里 启动服务查看端口 启动服务: [root@DNS1 ~]# systemctl start named [root@DNS1 ~]# systemctl enable named Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service. [root@DNS1 ~]# systemctl status named [root@DNS1 ~]# netstat -pantul | grep 53 tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1234/named udp 0 0 127.0.0.1:53 0.0.0.0:* 1234/named
[root@DNS2 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 114.114.114.114 [root@DNS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 DNS1=114.114.114.114 [root@DNS2 ~]# ping www.baidu.com PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data. 64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=1 ttl=128 time=63.6 ms 64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=2 ttl=128 time=30.2 ms 64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=3 ttl=128 time=14.4 ms 64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=4 ttl=128 time=21.3 ms ^C --- www.a.shifen.com ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 12081ms rtt min/avg/max/mdev = 14.436/32.438/63.660/18.883 ms #注意:DNS服务器地址还可以使用默认网关或者114.114.114.114这样的公共DNS服务地址
修改配置文件,实战举例
比如说我们cat /etc/named.conf , 我们会发现其整体分为三段:
options:对全局生效
zone:针对某区域生效
重点说一下Type参数:
type字段指定区域的类型,对于区域的管理至关重要,一共分为六种:
Master:主DNS服务器:拥有区域数据文件,并对此区域提供管理数据;
Slave:辅助DNS服务器:拥有主DNS服务器的区域数据文件的副本,辅助DNS服务器会从主DNS服务器同步所有区域数据;
Stub:stub区域和slave类似,但其只复制主DNS服务器上的NS记录,而不像辅助服务器会复制所有的区域数据。
Forward:一个forward zone 是每个域的配置转发的主要部分。一个zone语句中的type forward可以包括一个forward或forwarders子句,它会在区域名称给定的域中查询。如果没有forwarders语句或者forwarders是空表,那么这个域就不会有转发,消除了options语句中有关转发的配置。
Hint:根域名服务器的初始化组指定使用线索区域hint zone,当服务器启动时,它使用根线索来查找根域名服务器,并找到最近的根域名服务器列表。
配置正向解析区域
授权DNS 服务器管理edu.cn 区域,并把该区域的区域文件命名为edu.cn。
[root@DNS1 ~]# vim /etc/named.conf options { listen-on port 53 { any; }; #修改为any listen-on-v6 port 53 { any; }; #修改为any directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; #修改为any recursion yes; #默认支持递归查询 dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; #添加这一行 /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "edu.cn" IN { type master; file "edu.cn.zone"; }; #添加这一个区域 include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; #注意,这里不要重启DNS服务!!!
[root@DNS1 ~]# cd /var/named/ [root@DNS1 named]# cp -a named.localhost edu.cn.zone [root@DNS1 named]# cat edu.cn.zone $TTL 1D @ IN SOA @ rname.invalid. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 AAAA ::1 [root@DNS1 named]# vim edu.cn.zone $TTL 1D edu.cn. IN SOA dns.edu.cn root.edu.cn. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum edu.cn. NS dns.edu.cn. dns.edu.cn. A 192.168.10.63 www.edu.cn. A 192.168.10.63 www1.edu.cn. CNAME www.edu.cn. 配置文件参数说明: $TTL 1D ;设置有效地址解析记录的默认缓存时间,默认为1天也就是1D。 edu.cn. IN SOA dns.edu.cn. root. edu.cn. #原来的@表示当前的域edu.cn.,为方便大家记忆,我们这里,直接写成edu.cn. #设置SOA记录为:dns.edu.cn. #在此配置文件中写域名时,都把根. 也要写上。 #域管理邮箱root.edu.cn.0由于@有其他含义,所以用“.”代替@。 0 ;更新序列号,用于标示数据库的变换,可以在10位以内,如果存在辅助DNS区域,建议每次更新完数据库,手动加1. 1D ;刷新时间,从域名服务器更新该地址数据库文件的间隔时间,默认为1天 1H ;重试延时,从域名服务器更新地址数据库失败以后,等待多长时间,默认为1小时 1W ; 到期,失效时间,超过该时间仍无法更新地址数据库,则不再尝试,默认为一周 3H ;设置无效地址解析记录(该数据库中不存在的地址)默认缓存时间。设置无效记录,最少缓存时间为3小时 NS @ ;域名服务器记录,用于设置当前域的DNS服务器的域名地址 A 127.0.0.1 ; 设置域名服务器的A记录,地址为ipv4的地址127.0.0.1,可以设置成192.168.100.102 AAAA ::1 ; 设置域名服务器的A记录,地址为ipv6的地址。
SOA:区域授权起始记录,区域文件第一条记录,而且一个区域文件值能有一条;
NS:域的授权名称服务器;
MX:域的邮件交换器,要跟着一个优先级值,越小越高。
A:IPV4主机地址;
AAAA:IPV6主机地址;
PTR:解析IP的指针;
CNAME:权威(正式)名称,定义别名记录。
重启DNS服务器
[root@DNS1 named]# systemctl restart named [root@DNS1 named]# systemctl status named
在服务端配置DNS解析地址
[root@DNS1 named]# vim /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.63 [root@DNS1 named]# systemctl restart network [root@DNS1 named]# cat /etc/resolv.conf # Generated by NetworkManager nameserver192.168.10.63 用nslookup工具验证DNS服务是否正常 如果没有nslookup命令,请按照以下方法解决: [root@DNS1 named]# which nslookup /usr/bin/which: no nslookup in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin) [root@DNS1 named]# yum provides nslookup Loaded plugins: product-id, search-disabled-repos, subscription- : manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. 32:bind-utils-9.9.4-37.el7.x86_64 : Utilities for querying DNS name : servers Repo : rhel7 Matched from: Filename : /usr/bin/nslookup [root@DNS1 named]# yum install -y bind-utils-9.9.4-37.el7.x86_64 或者 执行yum install -y *nslookup*安装一下nslookup相关包 [root@DNS1 named]# nslookup www.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Name: www.edu.cn Address: 192.168.10.63 [root@DNS1 named]# nslookup www1.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 www1.edu.cn canonical name = www.edu.cn. Name: www.edu.cn Address: 192.168.10.63 [root@DNS1 named]# ping www.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from DNS1 (192.168.10.63): icmp_seq=1 ttl=64 time=0.019 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=2 ttl=64 time=0.056 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=3 ttl=64 time=0.104 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=4 ttl=64 time=0.104 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3008ms rtt min/avg/max/mdev = 0.019/0.070/0.104/0.037 ms [root@DNS1 named]# ping www1.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from DNS1 (192.168.10.63): icmp_seq=1 ttl=64 time=0.027 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=2 ttl=64 time=0.056 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=3 ttl=64 time=0.092 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=4 ttl=64 time=0.141 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3006ms rtt min/avg/max/mdev = 0.027/0.079/0.141/0.042 ms [root@DNS1 named]# iptables -F [root@DNS1 named]# systemctl stop firewalld
[root@DNS2 ~]# vim /etc/resolv.conf nameserver 192.168.10.63 [root@DNS2 ~]# nslookup www1.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 www1.edu.cn canonical name = www.edu.cn. Name: www.edu.cn Address: 192.168.10.63 [root@DNS2 ~]# nslookup www.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Name: www.edu.cn Address: 192.168.10.63 [root@DNS2 ~]# ping www.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=1 ttl=64 time=0.334 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=2 ttl=64 time=0.841 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=3 ttl=64 time=2.41 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=4 ttl=64 time=0.792 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3007ms rtt min/avg/max/mdev = 0.334/1.095/2.413/0.786 ms [root@DNS2 ~]# ping www1.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=1 ttl=64 time=0.774 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=2 ttl=64 time=0.801 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=3 ttl=64 time=0.779 ms 64 bytes from 192.168.10.63 (192.168.10.63): icmp_seq=4 ttl=64 time=2.13 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3010ms rtt min/avg/max/mdev = 0.774/1.122/2.136/0.586 ms 补充:域名解析辅助配置文件 [root@DNS2 ~]# vim /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 192.168.10.63 www.edu.cn 192.168.10.63 www1.edu.cn [root@DNS2 ~]# iptables -F [root@DNS2 ~]# systemctl stop firewalld [root@DNS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no NAME=ens33 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.10.64 GATEWAY=192.168.10.2 NETMASK=255.255.255.0 DNS1=192.168.10.63 [root@DNS2 ~]# systemctl restart network
[root@DNS2 ~]# ping www.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=1 ttl=64 time=0.329 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=2 ttl=64 time=3.18 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=3 ttl=64 time=0.709 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=4 ttl=64 time=2.35 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3006ms rtt min/avg/max/mdev = 0.329/1.644/3.182/1.170 ms [root@DNS2 ~]# ping www1.edu.cn PING www1.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=1 ttl=64 time=0.217 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=2 ttl=64 time=0.788 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=3 ttl=64 time=3.33 ms 64 bytes from www.edu.cn (192.168.10.63): icmp_seq=4 ttl=64 time=1.11 ms ^C --- www1.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3008ms rtt min/avg/max/mdev = 0.217/1.363/3.330/1.180 ms
[root@DNS1 named]# vim /etc/named.conf zone "edu.cn" IN { type master; file "edu.cn.zone"; }; zone "10.168.192.in-addr.arpa" IN { type master; file "192.168.10.arpa"; }; [root@DNS1 named]# cp -a named.loopback 192.168.10.arpa [root@DNS1 named]# vim 192.168.10.arpa $TTL 1D @ IN SOA edu.cn. root.edu.cn. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns.edu.cn. ns A 192.168.10.63 63 PTR ns.edu.cn. 63 PTR www.edu.cn. [root@DNS1 named]# systemctl restart named [root@DNS1 named]# nslookup 192.168.10.63 63.10.168.192.in-addr.arpa name = www.edu.cn. 63.10.168.192.in-addr.arpa name = ns.edu.cn. [root@DNS2 named]# nslookup 192.168.10.63 63.10.168.192.in-addr.arpa name = www.edu.cn. 63.10.168.192.in-addr.arpa name = ns.edu.cn.
拓展
服务端如果想要ping通外网的话需要进行如下配置:
[root@DNS1 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.63 [root@DNS1 ~]# ping www.baidu.com ping: www.baidu.com: Name or service not known [root@DNS1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes PEERDNS=yes PEERROUTES=yes IPV4_FAILURE_FATAL=no NAME=ens33 DEVICE=ens33 ONBOOT=yes IPADDR=192.168.10.63 GATEWAY=192.168.10.2 NETMASK=255.255.255.0 DNS1=192.168.10.63 DNS2=192.168.10.2 [root@DNS1 ~]# systemctl restart network [root@DNS1 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.63 nameserver 192.168.10.2 [root@DNS1 ~]# ping www.baidu.com PING www.a.shifen.com (14.215.177.39) 56(84) bytes of data. 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=1 ttl=128 time=7.05 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=2 ttl=128 time=7.13 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=3 ttl=128 time=7.25 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=4 ttl=128 time=6.32 ms
[root@DNS1 ~]# vim /etc/named.conf options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; //默认是支持递归查询的 #dnssec-enable yes; dnssec-validation no; #dnssec-lookaside auto; #但是要把dnssec-enable yes; 和dnssec-lookaside auto;这两行内容注释了,其它内容不用改,这样客户端才能更加稳定地进行递归查询。把dns加密通讯功能关闭,迭代查询才更加稳定。 [root@DNS1 ~]# systemctl restart named
路由器就是一个典型的转发服务器
[root@DNS1 ~]# vim /etc/named.conf 改: zone "edu.cn"IN{ type master; file "edu.cn.zone"; }; 如果不想要本地解析服务了,把这三行内容注释或者删除,再添加两行内容: forward first; //仅执行转发操作 ,only:仅转发;first:先查找本地zone,再转发forwarders { 114.114.114.114; }; //指定转发查询请求的DNS服务器列表 #即: options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; //允许递归查询 #dnssec-enable yes; dnssec-validation no; #dnssec-lookaside auto; forward first; //仅执行转发操作 ,only:仅转发;first:先查找本地zone,再转发 forwarders { 114.114.114.114; }; //指定转发查询请求的DNS服务器列表 #或者 /* forwarders { 114.114.114.114; 223.5.5.5; 223.6.6.6; 8.8.8.8; 8.8.4.4; }; */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; [root@DNS1 ~]# systemctl restart named
在另一台主机进行测试:
2、在另一台主机上进行测试: [root@DNS2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens32 DNS1=192.168.10.63 [root@DNS2 ~]# systemctl restart network [root@DNS2 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.63 [root@DNS2 ~]# ping www.baidu.com PING www.a.shifen.com (14.215.177.39) 56(84) bytes of data. 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=1 ttl=128 time=12.8 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=2 ttl=128 time=8.68 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=3 ttl=128 time=9.25 ms 64 bytes from 14.215.177.39 (14.215.177.39): icmp_seq=4 ttl=128 time=7.92 ms
同步时间
[root@DNS1 ~]# date 2022年 12月 08日 星期四 09:47:57 CST [root@DNS1 ~]# find / -name Shanghai /usr/share/zoneinfo/Asia/Shanghai /usr/share/zoneinfo/posix/Asia/Shanghai /usr/share/zoneinfo/right/Asia/Shanghai [root@DNS1 ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime cp: overwrite ‘/etc/localtime’? y [root@DNS1 ~]# date -R Thu, 08 Dec 2022 09:48:43 +0800 [root@DNS1 ~]# yum install -y ntpdate [root@DNS1 ~]# echo nameserver 114.114.114.114 >> /etc/resolv.conf [root@DNS1 ~]# ntpdate 0.rhel.pool.ntp.org 8 Dec 09:49:43 ntpdate[1173]: adjust time server 119.28.183.184 offset -0.006689 sec [root@DNS1 ~]# watch date [root@DNS1 ~]# vim /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion yes; #dnssec-enable yes; #dnssec-validation no; #dnssec-lookaside auto; /* Path to ISC DLV key */ #forward only ; #forwarders { 114.114.114.114; }; bindkeys-file "/etc/named.iscdlv.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; } zone "." IN { type hint; file "named.ca"; }; zone "edu.cn" IN { type master; file "edu.cn.zone"; allow-transfer { 192.168.10/24; }; #指定允许哪个网段的从DNS服务器,可以同步主DNS服务器zone文件,不写默认为所有。 }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@DNS1 ~]# systemctl restart named
主从时间一定要保持一致
安装程序:yum install -y bind bind-chroot bind-utils
[root@DNS2 ~]# vim /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; #dnssec-enable yes; #dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "edu.cn." IN { type slave; file "slaves/edu.cn.zone.file"; masters { 192.168.10.63; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; #这样从DNS服务器就可以从主DNS服务器上获取DNS解析记录信息了,写的时候注意一下slave slaves master masters单词的书写,有的加了s。 #重启从DNS服务器DNS服务后会在:/var/named/slaves文件夹下自动创建一个文件edu.cn.zone.file这个文件是从DNS服务器从主DNS服务器上获取的数据。这样随便一个DNS就可以获取主DNS服务器的解析记录,不安全,我后面会写如何进行主从认证。 #attention:主DNS记录中应该有两条NS记录,一条是主DNS的NS记录,一条是从DNS服务器的域名记录。 [root@DNS2 ~]# systemctl restart named [root@DNS2 ~]# ls /var/named/slaves/ #看到这个文件说明DNS主从配置成功哈哈!! edu.cn.zone.file #(如果没有这个文件,可以检查一下主DNS服务器和从DNS服务器防火墙是否已经关闭。)
[root@DNS2 ~]# vim /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.64 [root@DNS2 ~]# nslookup www.edu.cn Server: 192.168.10.64 Address: 192.168.10.64#53 Name: www.edu.cn Address: 192.168.10.63 [root@DNS2 ~]# nslookup dns.edu.cn Server: 192.168.10.64 Address: 192.168.10.64#53 Name: dns.edu.cn Address: 192.168.10.63
[root@DNS1 ~]# cd /var/named [root@DNS1 named]# vim edu.cn.zone $TTL 1D edu.cn. IN SOA dns.edu.cn. root.edu.cn. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum edu.cn. NS dns.edu.cn. dns.edu.cn. A 192.168.10.63 www.edu.cn. 1 A 192.168.10.63 #DNS做简单的负载均衡,1表示此记录在客户端保存1秒 www.edu.cn. 1 A 192.168.10.64 www.edu.cn. 1 A 192.168.10.65 www1.edu.cn. CNAME www.edu.cn. edu.cn. MX 10 mail.edu.cn. #添加邮件记录 mail.edu.cn. A 192.168.10.63 bbs.edu.cn. CNAME www.edu.cn. [root@DNS1 named]# systemctl restart named
主服务器
[root@DNS1 named]# ping www.edu.cn PING www.edu.cn (192.168.10.63) 56(84) bytes of data. 64 bytes from DNS1 (192.168.10.63): icmp_seq=1 ttl=64 time=0.035 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=2 ttl=64 time=0.126 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=3 ttl=64 time=0.068 ms 64 bytes from DNS1 (192.168.10.63): icmp_seq=4 ttl=64 time=0.062 ms ^C --- www.edu.cn ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 3009ms rtt min/avg/max/mdev = 0.035/0.072/0.126/0.034 ms [root@DNS1 named]# nslookup www.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Name: www.edu.cn Address: 192.168.10.64 Name: www.edu.cn Address: 192.168.10.65 Name: www.edu.cn Address: 192.168.10.63
从服务器
[root@DNS2 ~]# cat /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.64 [root@DNS2 ~]# nslookup www.edu.cn Server: 192.168.10.64 Address: 192.168.10.64#53 Name: www.edu.cn Address: 192.168.10.63 [root@DNS2 ~]# systemctl restart named [root@DNS2 ~]# nslookup www.edu.cn Server: 192.168.10.64 Address: 192.168.10.64#53 Name: www.edu.cn Address: 192.168.10.64 Name: www.edu.cn Address: 192.168.10.63 Name: www.edu.cn Address: 192.168.10.65
主服务器重启时,会主动给从服务器发送信息,让从服务器更新自己的记录,通讯端口采用TCP的53端口。
attention:TSIG事务签名 (主从DNS的时间必须一样)
同步时间
[root@DNS1 ~]# date Sat Nov 30 02:28:23 EST 2019 [root@DNS1 ~]# find / -name Shanghai /usr/share/zoneinfo/Asia/Shanghai /usr/share/zoneinfo/posix/Asia/Shanghai /usr/share/zoneinfo/right/Asia/Shanghai [root@DNS1 ~]# cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime cp: overwrite ‘/etc/localtime’? y [root@DNS1 ~]# date -R Sat, 30 Nov 2019 15:29:00 +0800 [root@DNS1 ~]# yum install -y ntpdate [root@DNS1 ~]# echo 114.114.114.114 >> /etc/resolv.conf [root@DNS1 ~]# ntpdate 0.rhel.pool.ntp.org #同步时间 [root@DNS1 ~]# watch date
rpm -qf查看文件或命令属于哪个安装包
[root@DNS1 ~]# rpm -qf `which dnssec-keygen` bind-9.11.4-26.P2.el7_9.10.x86_64 (1)、加密: dnssec-keygen -a hmac-md5 -b 128 -n HOST 名字 [root@DNS1 ~]# cd /var/named/chroot/etc [root@DNS1 etc]# dnssec-keygen -a hmac-md5 -b 128 -n HOST dnskey -a hmac-md5:采用hmac-md5加密算法 -b 128:生成的密钥长度为128位 -n 密钥类型,我们选择主机类型:HOST -n: ZONE | HOST | ENTITY | USER | OTHER (DNSKEY generation defaults to ZONE) dnskey #为生成密钥的名字 生成时速度有点慢,因为生成密钥需要一些随机事件,因此我们可以通过移动鼠标或执行 find / 来产生一些随机事件。 等待一两分钟再查看生成的密钥对: [root@DNS1 etc]# ls Kdnskey.+157+34664.key Kdnskey.+157+34664.private named pki [root@DNS1 etc]# cat Kdnskey.+157+34664.private Private-key-format: v1.3 Algorithm: 157 (HMAC_MD5) Key: EroSvhbrg3izqxDpj+Ntdw== #这是密钥 Bits: AAA= Created: 20221208061215 Publish: 20221208061215 Activate: 20221208061215 [root@DNS1 etc]# cat Kdnskey.+157+34664.key dnskey. IN KEY 512 3 157 EroSvhbrg3izqxDpj+Ntdw==
[root@DNS1 ~]# vim /etc/named.conf options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; #取消这三行原来的注释 #forward only; #forwarders { 114.114.114.114; }; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; key "dnskey" { #先定义密钥的名称 algorithm hmac-md5; secret "EroSvhbrg3izqxDpj+Ntdw=="; }; zone "edu.cn." IN { type master; file "edu.cn.zone"; allow-transfer { key dnskey; };#采用密钥进行同步 }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@DNS1 ~]# systemctl restart named [root@DNS1 ~]# iptables -F [root@DNS1 ~]# systemctl stop firewalld [root@DNS1 ~]# vim /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=disabled # SELINUXTYPE= can take one of three two values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root@DNS1 ~]# setenforce 0 [root@DNS1 ~]# getenforce Permissive [root@DNS1 ~]# vim /etc/resolv.conf # Generated by NetworkManager nameserver 192.168.10.63 [root@DNS1 ~]# nslookup www.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Name: www.edu.cn Address: 192.168.10.63 Name: www.edu.cn Address: 192.168.10.65 Name: www.edu.cn Address: 192.168.10.64
#先定义密钥 #采用密钥进行同步 [root@DNS2 ~]# vim /etc/named.conf options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; key "dnskey" { algorithm hmac-md5; secret "EroSvhbrg3izqxDpj+Ntdw=="; }; zone "edu.cn." IN { type slave; file "slaves/edu.cn.zone.file"; masters { 192.168.10.63 key dnskey; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@DNS2 ~]# systemctl restart named [root@DNS2 ~]# ls /var/named/slaves/ edu.cn.zone.file [root@DNS2 ~]# rm -rf /var/named/slaves/* [root@DNS2 ~]# systemctl restart named [root@DNS2 ~]# ls /var/named/slaves/ edu.cn.zone.file [root@DNS2 ~]# nslookup www.edu.cn Server: 192.168.10.64 Address: 192.168.10.64#53 Name: www.edu.cn Address: 192.168.10.65 Name: www.edu.cn Address: 192.168.10.63 Name: www.edu.cn Address: 192.168.10.64 #深入验证:尝试把秘钥写错,再测试DNS解析服务。
想让正反解析、递归查询、DNS转发、主从秘钥验证同时生效的话,需要对主服务器进行如下配置:
[root@DNS1 ~]# vim /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { any; }; listen-on-v6 port 53 { any; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; allow-query { any; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation no; #非常关键 dnssec-lookaside auto; forward first; forwarders { 114.114.114.114; 223.5.5.5; 223.6.6.6; 8.8.8.8; 8.8.4.4; }; #forward only; #forwarders { 114.114.114.114; }; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; key "dnskey" { algorithm hmac-md5; secret "EroSvhbrg3izqxDpj+Ntdw=="; }; zone "edu.cn." IN { type master; file "edu.cn.zone"; allow-transfer { key dnskey; }; }; zone "10.168.192.in-addr.arpa" IN { type master; file "192.168.10.arpa"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
测试工具
nslookup测试域名解析
(1)、非交互模式
语法:nslookup 域名或IP地址
eg:
[root@DNS1 ~]# nslookup www.edu.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Name: www.edu.cn Address: 192.168.10.64 Name: www.edu.cn Address: 192.168.10.65 Name: www.edu.cn Address: 192.168.10.63
(2)、交互模式
(2)交互模式 [root@DNS1 ~]# nslookup > www.g.cn Server: 192.168.10.63 Address: 192.168.10.63#53 Non-authoritative answer: Name: www.g.cn Address: 203.208.40.95 Name: www.g.cn Address: 203.208.40.79 Name: www.g.cn Address: 203.208.40.87 Name: www.g.cn Address: 203.208.40.88 > Address: 203.208.49.177
dig命令
linux下使用dig命令来查询域名信息,当然也可以使用nslookup,但dig比nslookup更方便更强大一些。
使用 114.114.114.114 DNS服务器解析www.edu.cn
[root@DNS1 ~]# rpm -qf `which dig` bind-utils-9.11.4-26.P2.el7_9.10.x86_64 [root@DNS1 ~]# dig @114.114.114.114 www.edu.cn ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @114.114.114.114 www.edu.cn ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40652 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.edu.cn. IN A ;; ANSWER SECTION: www.edu.cn. 76 IN A 202.205.109.205 ;; Query time: 36 msec ;; SERVER: 114.114.114.114#53(114.114.114.114) ;; WHEN: 四 12月 08 15:50:48 CST 2022 ;; MSG SIZE rcvd: 55
使用 192.168.10.63 DNS服务器解析www.edu.cn
[root@DNS1 ~]# dig @192.168.10.63 www.edu.cn ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @192.168.10.63 www.edu.cn ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 824 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.edu.cn. IN A ;; ANSWER SECTION: www.edu.cn. 1 IN A 192.168.10.63 www.edu.cn. 1 IN A 192.168.10.65 www.edu.cn. 1 IN A 192.168.10.64 ;; AUTHORITY SECTION: edu.cn. 86400 IN NS dns.edu.cn. ;; ADDITIONAL SECTION: dns.edu.cn. 86400 IN A 192.168.10.63 ;; Query time: 0 msec ;; SERVER: 192.168.10.63#53(192.168.10.63) ;; WHEN: 四 12月 08 15:52:27 CST 2022 ;; MSG SIZE rcvd: 121 [root@DNS1 ~]# dig @114.114.114.114 www.baidu.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @114.114.114.114 www.baidu.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32430 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 512 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 1129 IN CNAME www.a.shifen.com. www.a.shifen.com. 206 IN A 14.215.177.39 www.a.shifen.com. 206 IN A 14.215.177.38 ;; Query time: 33 msec ;; SERVER: 114.114.114.114#53(114.114.114.114) ;; WHEN: 四 12月 08 15:53:06 CST 2022 ;; MSG SIZE rcvd: 101 [root@DNS1 ~]# dig @192.168.10.63 www.baidu.com ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @192.168.10.63 www.baidu.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13322 ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 27 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;www.baidu.com. IN A ;; ANSWER SECTION: www.baidu.com. 16 IN CNAME www.a.shifen.com. www.a.shifen.com. 32 IN A 14.215.177.39 www.a.shifen.com. 32 IN A 14.215.177.38 ;; AUTHORITY SECTION: . 518304 IN NS e.root-servers.net. . 518304 IN NS b.root-servers.net. . 518304 IN NS f.root-servers.net. . 518304 IN NS a.root-servers.net. . 518304 IN NS h.root-servers.net. . 518304 IN NS i.root-servers.net. . 518304 IN NS m.root-servers.net. . 518304 IN NS l.root-servers.net. . 518304 IN NS g.root-servers.net. . 518304 IN NS j.root-servers.net. . 518304 IN NS d.root-servers.net. . 518304 IN NS k.root-servers.net. . 518304 IN NS c.root-servers.net. ;; ADDITIONAL SECTION: g.root-servers.net. 518304 IN A 192.112.36.4 j.root-servers.net. 518304 IN A 192.58.128.30 e.root-servers.net. 518304 IN A 192.203.230.10 l.root-servers.net. 518304 IN A 199.7.83.42 d.root-servers.net. 518304 IN A 199.7.91.13 a.root-servers.net. 518304 IN A 198.41.0.4 b.root-servers.net. 518304 IN A 199.9.14.201 i.root-servers.net. 518304 IN A 192.36.148.17 m.root-servers.net. 518304 IN A 202.12.27.33 h.root-servers.net. 518304 IN A 198.97.190.53 c.root-servers.net. 518304 IN A 192.33.4.12 k.root-servers.net. 518304 IN A 193.0.14.129 f.root-servers.net. 518304 IN A 192.5.5.241 g.root-servers.net. 518304 IN AAAA 2001:500:12::d0d j.root-servers.net. 518304 IN AAAA 2001:503:c27::2:30 e.root-servers.net. 518304 IN AAAA 2001:500:a8::e l.root-servers.net. 518304 IN AAAA 2001:500:9f::42 d.root-servers.net. 518304 IN AAAA 2001:500:2d::d a.root-servers.net. 518304 IN AAAA 2001:503:ba3e::2:30 b.root-servers.net. 518304 IN AAAA 2001:500:200::b i.root-servers.net. 518304 IN AAAA 2001:7fe::53 m.root-servers.net. 518304 IN AAAA 2001:dc3::35 h.root-servers.net. 518304 IN AAAA 2001:500:1::53 c.root-servers.net. 518304 IN AAAA 2001:500:2::c k.root-servers.net. 518304 IN AAAA 2001:7fd::1 f.root-servers.net. 518304 IN AAAA 2001:500:2f::f ;; Query time: 0 msec ;; SERVER: 192.168.10.63#53(192.168.10.63) ;; WHEN: 四 12月 08 16:01:04 CST 2022 ;; MSG SIZE rcvd: 884