DNS, the Domain Name System, translates domain names into IP addresses. Before DNS existed, Windows provided name translation through its hosts file (c:\windows\system32\drivers\etc\hosts) and Linux through /etc/hosts.
By default the operating system resolves a name in this order:
hosts file ----> DNS cache ----> DNS server
On Linux the lookup order is controlled by the configuration file /etc/nsswitch.conf.
# vim /etc/nsswitch.conf
The file contains the line
    hosts: files dns      // files = the hosts file: it is searched first, then the DNS server
If it is changed to
    hosts: dns files      // the DNS server is consulted first
The DNS software on Linux is BIND (Berkeley Internet Name Domain). DNS servers come in three types:
1. Primary (master) DNS server
2. Secondary (slave) DNS server
3. Caching DNS server
BIND's database files are called zone data files; a zone data file is made up of resource records.
Resource record types:
1. SOA: Start Of Authority
2. NS: Name Server
3. MX: Mail Exchanger
4. A: Address record (FQDN to IPv4 address)
5. PTR: pointer, the reverse record (IP address to FQDN)
6. AAAA: the IPv6 equivalent of an A record (FQDN to IPv6 address)
7. CNAME: canonical name, an alias record
Resource record format:
    name [ttl] IN RRtype value
name: the record's owner name; the zone name itself is abbreviated as @
ttl: how long resolvers may cache the record
value: the record data (for an SOA, it starts with the FQDN of the primary DNS server)
SOA: exactly one per zone
    @ 600 IN SOA ns.py.com. root.py.com. (
            2014092201 ; serial
            2H         ; refresh
            1H         ; retry
            1D         ; expire
            12H )      ; minimum (negative-cache TTL); this fifth field is mandatory, value taken from the zone files below
NS record: there may be several
    @ 600 IN NS ns.py.com.
A record: only defined in forward zone data files
    www 600 IN A 192.168.57.1
MX record: there may be several (the number is the preference; lower is tried first)
    @ 600 IN MX 10 mail
PTR record:
    1 600 IN PTR www.py.com.
CNAME record:
    ftp 600 IN CNAME www
Installing and configuring the primary DNS server:
1. Install the DNS server software
# yum -y install bind
The server's IP is 192.168.57.23 and the domain is py.com.
2. Configuration: the main configuration file (/etc/named.conf)
# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };   // port and addresses named listens on; left commented out so the default applies: port 53 on every address
//      listen-on-v6 port 53 { ::1; };      // the same for IPv6
        directory "/var/named";             // working directory, i.e. where the zone files live
        allow-query { localhost; };         // who may query; this setting suits a caching server that serves only local clients. An authoritative server that other hosts must reach needs a wider list (see the BIND options at the end)
        recursion yes;                      // answer recursive queries
};
zone "." IN {
        type hint;
        file "named.ca";
};
// the following four lines are new
zone "py.com" IN {
        type master;
        file "py.com.zone";
};
// the following four lines are new
zone "57.168.192.in-addr.arpa" IN {
        type master;
        file "named.py.com";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Check the syntax of the main configuration file:
# named-checkconf
3. Configure the forward zone: zone data file (/var/named/py.com.zone)
# vim py.com.zone
$TTL 1D
@       IN SOA  ns.py.com. root.py.com. (
                2014092201      ; serial   - zone serial number
                1H              ; refresh  - how often secondaries check the primary for changes
                5M              ; retry    - retry interval after a failed check; must be shorter than refresh
                3D              ; expire   - secondaries stop serving the zone after this long without contact
                12H )           ; minimum  - negative-cache TTL
        IN NS   ns.py.com.
ns      IN A    192.168.57.23
s1      IN A    192.168.57.1
s2      IN A    192.168.57.2
mail    IN A    192.168.57.3
mail2   IN A    192.168.57.4
www     IN CNAME s1
ftp     IN CNAME s2
@       IN MX 10 mail
@       IN MX 20 mail2
// set file ownership and permissions
# chown root:named py.com.zone
# chmod 640 py.com.zone
// check the zone file syntax
# named-checkzone py.com "/var/named/py.com.zone"
zone py.com/IN: loaded serial 2014092201
OK
4. Configure the reverse zone: zone data file (/var/named/named.py.com)
# vim /var/named/named.py.com
$TTL 1D
@       IN SOA  ns.py.com. root.py.com. (
                2014092201      ; serial
                1H              ; refresh
                5M              ; retry
                3D              ; expire
                12H )           ; minimum
        IN NS   ns.py.com.
1       IN PTR  s1.py.com.
2       IN PTR  s2.py.com.
3       IN PTR  mail.py.com.
4       IN PTR  mail2.py.com.
// set file ownership and permissions
# chown root:named named.py.com
# chmod 640 named.py.com
// check the zone file
# named-checkzone 57.168.192.in-addr.arpa /var/named/named.py.com
zone 57.168.192.in-addr.arpa/IN: loaded serial 2014092201
OK
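As an added example (not part of these notes and not BIND's own code), here is a small Python zone-file parser with the checks the record rules above imply: exactly one SOA, an NS at the apex, no CNAME sharing an owner with other records (RFC 1034 3.6.2), MX targets that carry an A record rather than a CNAME (RFC 2181 10.3), a glue A record for any name server that lies inside the names it serves, and agreement between the forward A records and the reverse PTR records. The sample zones are constructed from the py.com files above; origins are passed with their trailing dot.

```python
# Added example, not the page's own tooling: a minimal BIND zone-file parser and
# the consistency checks worth running beside named-checkzone. Sample zones are
# constructed from the py.com / 57.168.192.in-addr.arpa files above.
from collections import defaultdict, namedtuple

Record = namedtuple("Record", "owner ttl rtype rdata")  # owner is always an FQDN
_TTL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

FORWARD_ZONE = """\
$TTL 1D
@   IN SOA ns.py.com. root.py.com. (
        2014092201 ; serial
        1H ; refresh
        5M ; retry
        3D ; expire
        12H ) ; minimum
    IN NS ns.py.com.
ns    IN A 192.168.57.23
s1    IN A 192.168.57.1
mail  IN A 192.168.57.3
www   IN CNAME s1
@     IN MX 10 mail
"""
REVERSE_ZONE = """\
$TTL 1D
@ IN SOA ns.py.com. root.py.com. ( 2014092201 1H 5M 3D 12H )
  IN NS ns.py.com.
1 IN PTR s1.py.com.
3 IN PTR mail.py.com.
"""

def parse_ttl(token):
    """'600', '1H', '3d' -> seconds; None if the token is not a TTL."""
    num, unit = (token[:-1], token[-1].lower()) if token[-1].isalpha() else (token, "")
    return int(num) * _TTL_UNITS[unit] if num.isdigit() and unit in _TTL_UNITS else None

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Records of a master-format zone file: $TTL, $ORIGIN, @, relative names, ';' comments, ( ) continuations."""
    records, default_ttl, owner, buf, depth = [], None, origin, "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # strip comments
        buf = line if not buf else buf + " " + line.strip()
        depth += line.count("(") - line.count(")")
        if depth > 0 or not buf.strip():              # still inside ( ... ), or a blank line
            continue
        logical, buf = buf, ""
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if tokens[0].upper() == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        if logical[0] not in " \t":                    # leading blank means: same owner as the previous record
            owner = fqdn(tokens.pop(0), origin)
        ttl = default_ttl
        if parse_ttl(tokens[0]) is not None:
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append(Record(owner, ttl, tokens[0].upper(), tokens[1:]))
    return records

def check_zone(records, origin):
    """Structural rules a zone must satisfy; returns a list of problems (empty = clean)."""
    types = defaultdict(set)
    for r in records:
        types[r.owner].add(r.rtype)
    problems = [] if sum(r.rtype == "SOA" for r in records) == 1 else ["zone must have exactly one SOA"]
    if "NS" not in types[origin]:
        problems.append("no NS record at the zone apex")
    for name, ts in list(types.items()):              # RFC 1034 3.6.2: a CNAME owner has no other records
        if "CNAME" in ts and len(ts) > 1:
            problems.append(f"{name} has CNAME alongside {sorted(ts - {'CNAME'})}")
    for r in records:
        if r.rtype == "MX":                            # RFC 2181 10.3: MX target is a host with an A, never a CNAME
            target = fqdn(r.rdata[1], origin)
            if target.endswith("." + origin) and "A" not in types[target]:
                problems.append(f"MX target {target} has no A record")
        if r.rtype == "NS":                            # a name server inside the names it serves needs a glue A here
            target = fqdn(r.rdata[0], origin)
            if target.endswith("." + r.owner) and "A" not in types[target]:
                problems.append(f"NS {target} for {r.owner} lacks a glue A record")
    return problems

def check_ptr_consistency(forward, reverse):
    """Every PTR must name a host whose A record carries the same address."""
    a_pairs = {(r.rdata[0], r.owner) for r in forward if r.rtype == "A"}
    problems = []
    for r in (x for x in reverse if x.rtype == "PTR"):
        ip = ".".join(reversed(r.owner[: -len(".in-addr.arpa.")].split(".")))  # 1.57.168.192 -> 192.168.57.1
        if (ip, r.rdata[0]) not in a_pairs:
            problems.append(f"PTR {r.owner} -> {r.rdata[0]} has no matching A for {ip}")
    return problems
```

Run check_zone on each file and check_ptr_consistency on the pair before loading them into named; the glue check is the one that catches a delegation such as tech.py.com whose NS points at a name inside the delegated zone but has no A record in the parent.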
5. Start the named service
# service named start
6. Troubleshooting: check the log file
# tail -f /var/log/messages
7. Testing: the test tools are dig, host and nslookup
// point the server's own resolver at this machine
# vim /etc/resolv.conf
nameserver 192.168.57.23

// host syntax: host [-t type] {name} [server]
# host -t A s1.py.com 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:

s1.py.com has address 192.168.57.1

# host -t CNAME www.py.com 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:

www.py.com is an alias for s1.py.com.

# host -t PTR 1.57.168.192.in-addr.arpa 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:

1.57.168.192.in-addr.arpa domain name pointer s1.py.com.

// dig syntax: dig [-t type] [name] [@server] [query options]
Common query options: +[no]trace +[no]recurse +[no]tcp

# dig -t A s1 @192.168.57.23

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t A s1 @192.168.57.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;s1.                            IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014092200 1800 900 604800 86400

;; Query time: 31 msec
;; SERVER: 192.168.57.23#53(192.168.57.23)
;; WHEN: Mon Sep 22 15:26:24 2014
;; MSG SIZE  rcvd: 95

# dig -t CNAME www @192.168.57.23

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t CNAME www @192.168.57.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.                           IN      CNAME

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2014092200 1800 900 604800 86400

;; Query time: 33 msec
;; SERVER: 192.168.57.23#53(192.168.57.23)
;; WHEN: Mon Sep 22 15:26:38 2014
;; MSG SIZE  rcvd: 96

Both dig queries return NXDOMAIN because the names were given without the py.com suffix: dig sends them exactly as typed (s1. and www.), so the root zone answers that they do not exist. Query the FQDN (s1.py.com), as the host and nslookup tests do, to get the records.

// nslookup usage (interactive mode):
# nslookup
> server server_ip
> set q=RRtype
> name

# nslookup
> server 192.168.57.23
Default server: 192.168.57.23
Address: 192.168.57.23#53
> set q=A
> s1.py.com
Server:         192.168.57.23
Address:        192.168.57.23#53

Name:   s1.py.com
Address: 192.168.57.1
Installing and configuring the secondary (slave) DNS server:
1. Install bind
# yum -y install bind
Server IP: 192.168.57.230, domain: py.com
2. Configuration: the main configuration file (/etc/named.conf)
# vim /etc/named.conf
// add the following lines
zone "py.com" IN {
        type slave;
        masters { 192.168.57.23; };
        file "slaves/py.com.zone";
};
zone "57.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.57.23; };
        file "slaves/named.py.com";
};
// comment out the following line
recursion yes;
// check the file
# named-checkconf
3. Start the named service
# service named start
4. Look at the slaves directory
# cd /var/named/slaves
# cat py.com.zone
$ORIGIN .
$TTL 86400      ; 1 day
py.com                  IN SOA  ns.py.com. root.py.com. (
                                2014092201 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                259200     ; expire (3 days)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns.py.com.
                        MX      10 mail.py.com.
                        MX      20 mail2.py.com.
$ORIGIN py.com.
ftp                     CNAME   s2
mail                    A       192.168.57.3
mail2                   A       192.168.57.4
ns                      A       192.168.57.23
s1                      A       192.168.57.1
s2                      A       192.168.57.2
www                     CNAME   s1

# cat named.py.com
$ORIGIN .
$TTL 86400      ; 1 day
57.168.192.in-addr.arpa IN SOA  ns.py.com. root.py.com. (
                                2014092201 ; serial
                                3600       ; refresh (1 hour)
                                300        ; retry (5 minutes)
                                259200     ; expire (3 days)
                                43200      ; minimum (12 hours)
                                )
                        NS      ns.py.com.
$ORIGIN 57.168.192.in-addr.arpa.
1                       PTR     s1.py.com.
2                       PTR     s2.py.com.
3                       PTR     mail.py.com.
4                       PTR     mail2.py.com.
5. Test
# dig -t CNAME www.py.com @192.168.57.230

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t CNAME www.py.com @192.168.57.230
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42102
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.py.com.                    IN      CNAME

;; ANSWER SECTION:
www.py.com.             86400   IN      CNAME   s1.py.com.

;; AUTHORITY SECTION:
py.com.                 86400   IN      NS      ns.py.com.

;; ADDITIONAL SECTION:
ns.py.com.              86400   IN      A       192.168.57.23

;; Query time: 0 msec
;; SERVER: 192.168.57.230#53(192.168.57.230)
;; WHEN: Mon Sep 22 15:52:04 2014
;; MSG SIZE  rcvd: 78
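The secondary pulled the zone because it had no copy yet; from now on it polls the primary every refresh interval and transfers only when the primary's SOA serial is newer. As an added example (not from these notes), the Python below shows the RFC 1982 serial comparison a secondary applies, a helper that bumps the YYYYMMDDnn serial used in these zone files, and a sanity check on the refresh/retry/expire ordering; the timer values 3600/300/259200 are the ones in the slave's copy above.

```python
# Added example (not from the page): SOA serial logic behind primary/secondary
# replication. A secondary transfers only when the primary's serial is "greater"
# in RFC 1982 serial-number arithmetic, so a serial that is never bumped, or is
# jumped by 2^31 or more, silently leaves the secondary serving stale data.
import datetime

SERIAL_SPACE = 2 ** 32     # the SOA serial is an unsigned 32-bit counter
HALF_SPACE = 2 ** 31

def serial_gt(a, b):
    """RFC 1982 section 3.2: is serial a greater than serial b (mod 2^32)?"""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)

def secondary_needs_transfer(primary_serial, secondary_serial):
    """The decision a secondary takes at each refresh after reading the primary's SOA."""
    return serial_gt(primary_serial, secondary_serial)

def next_date_serial(current, today=None):
    """Next YYYYMMDDnn serial, the scheme used in the zone files above (2014092201).
    today is an int such as 20140922; it defaults to the current date."""
    if today is None:
        today = int(datetime.date.today().strftime("%Y%m%d"))
    base = today * 100
    if current < base:                       # first edit of the day
        return base + 1
    if current % 100 == 99:                  # the two-digit daily counter is full
        raise ValueError("daily counter exhausted; use a plain increment instead")
    return current + 1                       # same day (or a future-dated serial): keep counting up

def check_soa_timers(refresh, retry, expire):
    """Ordering rules for the SOA timers (seconds): retry < refresh < expire."""
    problems = []
    if retry >= refresh:
        problems.append("retry should be shorter than refresh")
    if expire <= refresh:
        problems.append("expire should be longer than refresh, or the secondary drops the zone between polls")
    return problems
```

The wraparound case in serial_gt is why a date-based serial must never be "fixed" by jumping it past half the 32-bit space in one step: the secondaries would see the new serial as older and keep their stale copy.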
Installing and configuring a child (subdomain) DNS server:
1. Install bind
# yum -y install bind
Server IP: 192.168.57.230, domain: tech.py.com
2. Configuration: the main configuration file (/etc/named.conf)
# vim /etc/named.conf
// add the following lines
zone "tech.py.com" IN {
        type master;
        file "tech.py.com";
};
zone "58.168.192.in-addr.arpa" IN {
        type master;
        file "named.tech.py.com";
};
// check the configuration file
# named-checkconf
3. In the parent DNS server's zone data file (/var/named/py.com.zone), delegate the subdomain
# vim /var/named/py.com.zone
// add the following lines: the NS record delegates tech.py.com, and the glue A record gives the address of its name server
// (the glue must be written as the full name ns.tech.py.com.; a bare "ns" would be read as ns.py.com)
tech.py.com.            IN NS   ns.tech.py.com.
ns.tech.py.com.         IN A    192.168.57.230
4. Restart the named service
# service named restart
5. Test from the primary server
# dig -t A www.tech.py.com @192.168.57.230

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t A www.tech.py.com @192.168.57.230
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13703
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.tech.py.com.               IN      A

;; Query time: 1 msec
;; SERVER: 192.168.57.230#53(192.168.57.230)
;; WHEN: Mon Sep 22 16:25:28 2014
;; MSG SIZE  rcvd: 33
Configuring forwarding:
Forwarding sends the queries this server cannot answer itself to the specified DNS servers. It can be configured globally, in the options block, or for a particular zone.
The format is:
// global forwarding
# vim /etc/named.conf
options {
        forward only|first;     // only: give up if the forwarders fail; first: try the forwarders, then resolve on its own
        forwarders { IP; };
};
// forwarding for a specific zone (this zone statement also belongs in /etc/named.conf, not in a zone data file)
zone "py.com" IN {
        type forward;
        forwarders { IP; };
        forward only|first;
};
BIND configuration options:
// whitelist of hosts allowed to pull zone transfers from this primary (set on the primary DNS server)
allow-transfer { ip; };
// who may query; on a caching name server this is normally restricted to the local clients
allow-query { ip; };
// who may make recursive queries (a server that forwards to this one must be on this recursion whitelist)
allow-recursion { ip; };
// dynamic updates; normally disabled for safety
allow-update { none; };
// define an ACL for use in the options above
acl ACL_NAME { 192.168.57.0/24; 10.245.32.0/21; };
BIND's four built-in ACLs:
any: every host
none: no host
localhost: this machine
localnets: the networks this machine is attached to
// view: serve different zone data depending on the client's source address
acl telecom { 202.96.0.0/16; };
acl unicom { 61.192.0.0/26; };
view telecom {
        match-clients { telecom; };
        zone "py.com" IN {
                type master;
                file "py.com.telecom";
        };
};
view unicom {
        match-clients { unicom; };
        recursion no;
        zone "magelinux.com" IN {
                type master;
                file "py.com.unicom";
        };
};
view default {
        match-clients { any; };
        zone "py.com" IN {
                type master;
                file "py.com.unicom";
        };
};
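As an added example (not from these notes and not BIND's code), the following Python evaluates BIND address match lists the way named does: the built-in ACLs any/none/localhost/localnets, named acls, "!" negation, first match wins, and view selection in declaration order. LOCAL_INTERFACES is a constructed stand-in for the addresses named would discover on the server; the acls and views are the telecom/unicom/default ones above. audit_options flags the option values to look at first when reviewing a named.conf.

```python
# Added example (not from the page): evaluate BIND address match lists and view
# selection offline, and flag risky allow-* settings before deployment.
# LOCAL_INTERFACES is constructed; named derives localhost/localnets from the
# server's real interfaces.
import ipaddress

LOCAL_INTERFACES = ["127.0.0.1/8", "192.168.57.23/24"]

# acl and view statements from the page, expressed as data
ACLS = {
    "telecom": ["202.96.0.0/16"],
    "unicom": ["61.192.0.0/26"],
}
VIEWS = [  # order matters: named answers from the first view whose match-clients matches
    ("telecom", ["telecom"]),
    ("unicom", ["unicom"]),
    ("default", ["any"]),
]

def match_list(client, elements, acls=ACLS):
    """True if client matches the address match list. The first element that
    matches decides; a '!' prefix turns that match into a rejection; 'none'
    never matches, so the list continues past it."""
    addr = ipaddress.ip_address(client)
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!")
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = any(addr == ipaddress.ip_interface(i).ip for i in LOCAL_INTERFACES)
        elif name == "localnets":
            hit = any(addr in ipaddress.ip_interface(i).network for i in LOCAL_INTERFACES)
        elif name in acls:                       # a named acl is a nested match list
            hit = match_list(client, acls[name], acls)
        else:                                    # address or prefix such as 192.168.57.0/24
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def select_view(client, views=VIEWS, acls=ACLS):
    """Name of the view that answers this client, or None when no view matches (named refuses)."""
    for view_name, match_clients in views:
        if match_list(client, match_clients, acls):
            return view_name
    return None

def audit_options(options):
    """Flag the option values that most often turn a name server into an open
    zone-transfer source, an open resolver or a remotely writable zone."""
    findings = []
    if "any" in options.get("allow-transfer", []):
        findings.append("allow-transfer { any; }: anyone can copy the whole zone; list the secondaries instead")
    if options.get("allow-update", ["none"]) != ["none"]:
        findings.append("allow-update is not { none; }: keep dynamic updates off unless they are TSIG-keyed")
    # named falls back from allow-recursion to allow-query, then to localnets/localhost
    recursion_acl = options.get("allow-recursion", options.get("allow-query", ["localnets", "localhost"]))
    if options.get("recursion", "yes") == "yes" and "any" in recursion_acl:
        findings.append("recursion is open to any client (open resolver)")
    return findings
```

Applied to the primary configured above, allow-query { localhost; } with recursion yes is a closed resolver, and adding allow-transfer { 192.168.57.230; } limits zone copies to the secondary; the views section shows why match-clients order matters, since a default view with match-clients { any; } placed first would swallow every client.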