linux网络服务之dns
dns:即domain name system,用于实现从域名到IP的转换,在DNS系统出现之前,windows系统通过主机文件(c:\windwos\system32\drivers\etc\hosts)提供域名转换功能,linux通过主机文件(/etc/hosts)提供域名转换功能。
默认情况下,操作系统DNS解析的查找步骤:
主机文件---->DNS缓存---->DNS服务器
在linux系统中,通过调整配置文件(/etc/nsswitch.conf ),可以调整查找步骤
# vim /etc/nsswitch.conf 文件中有一行 hosts: files dns //files表示主机文件,先查找主机文件查找dns服务器 如果改成: hosts: dns files //这样优先查找dns
linux平台的dns软件叫bind,即Berkeley Internet Name Domain,DNS服务器的类型:
1.主DNS服务器
2.辅助DNS服务器
3.缓存DNS服务器
bind的数据库文件叫做区域数据文件,区域数据文件由资源记录组成。
资源记录的类型:
1.SOA:Start Of Authority,起始授权机构
2.NS:Name Server,域名服务器
3.MX:Mail Exchange,邮件交换器
4.A:Address,A记录(从FQDN到IP的转换)
5.PTR: 反向记录(从IP到FQDN的转换)
6.AAAA: IPv6的A记录(从FQDN到IPv6的转换)
7.CNAME: 别名记录
资源记录的格式:
name [ttl] IN RRtype Value name: 区域名称,简写为@ ttl: DNS缓存时间 value: 主DNS服务器的FQDN
SOA:只能有一个
@ 600 IN SOA ns.py.com. root.py.com. ( 2014092201; 序列号 2H; 刷新时间 1H; 重试时间 1D; 过期时间 )
NS记录:可以有多条
@ 600 IN NS ns.py.com.
A记录:只能定义在正向区域数据文件中
www 600 IN A 192.168.57.1
MX记录:可以有多条
@ 600 IN MX 10 mail
PTR记录:
1 600 IN PTR www.py.com.
CNAME记录:
ftp 600 IN CNAME www
主DNS服务器的安装配置:
1.安装dns服务器软件
# yum -y install bind
服务器的IP为:192.168.57.23,域名为py.com
2.配置:主配置文件(/etc/named.conf)
# vim /var/named.conf
options {
// listen-on port 53 { 127.0.0.1; }; #定义named服务侦听的端口和IP地址,默认为侦听 所有IP地址的53号端口。
// listen-on-v6 port 53 { ::1; }; #针对IPv6的侦听端口和IP设置。
directory "/var/named"; #定义工作目录(即区域文件的路径)
allow-query { localhost; }; #此项通常仅用于服务器是缓存名称服务器时,只开 放查询功能给本地客户端;
recursion yes; #定义允许递归查询的IP
zone "." IN {
type hint;
file "named.ca";
};
//以下四行新增加
zone "py.com" IN {
type master;
file "py.com.zone";
};
//以下四行新增加
zone "57.168.192.in-addr.arpa" IN {
type master;
file "named.py.com";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
检查主配置文件语法
# named-checkconf
3.配置正向区域:区域配置文件(/var/named/py.com.zone)
# vim py.com.zone $TTL 1D @ IN SOA ns.py.com. root.py.com. ( 2014092201 ; serial #序列号 1H ; refresh #每隔多久到主服务器检查一次 5M ; retry #重试时间,应该小于refresh时间 3D ; expire #过期时间 12H ) ; minimum IN NS ns.py.com. ns IN A 192.168.57.23 s1 IN A 192.168.57.1 s2 IN A 192.168.57.2 mail IN A 192.168.57.3 mail2 IN A 192.168.57.4 www IN CNAME s1 ftp IN CNAME s2 @ IN MX 10 mail @ IN MX 20 mail //修改文件权限 # chown root:named py.com.zone # chmod 640 py.com.zone //检查区域配置文件语法 # named-checkzone py.com "/var/named/py.com.zone" zone py.com/IN: loaded serial 2014092201 OK
4.配置正向区域:区域配置文件(/var/named/named.py.com)
# vim /var/named/named.py.com $TTL 1D @ IN SOA ns.py.com. root.py.com. ( 2014092201 ; serial 1H ; refresh 5M ; retry 3D ; expire 12H ) ; minimum IN NS ns.py.com. 1 IN PTR s1.py.com. 2 IN PTR s2.py.com. 3 IN PTR mail.py.com. 4 IN PTR mail2.py.com. //修改文件权限 # chown root:named named.py.com # chmod 640 named.py.com //检查配置文件 # named-checkzone 57.168.192.in-addr.arpa /var/named/named.py.com zone 57.168.192.in-addr.arpa/IN: loaded serial 2014092201 OK
5.启动named服务
# service named start
6.排错:可以查看日志文件排错
# tail -f /var/log/messages
7.测试:测试工具有dig,host,nslookup
//修改服务器的DNS指向本机IP
# vim /etc/resolv.conf
nameserver 192.168.57.23
//host命令格式:
host [-t type] {name} [server]
# host -t A s1.py.com 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:
s1.py.com has address 192.168.57.1
# host -t CNAME www.py.com 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:
www.py.com is an alias for s1.py.com.
# host -t PTR 1.57.168.192.in-addr.arpa 192.168.57.23
Using domain server:
Name: 192.168.57.23
Address: 192.168.57.23#53
Aliases:
1.57.168.192.in-addr.arpa domain name pointer s1.py.com.
//dig命令格式:
# dig [-t type] [name] [@server] [query options]
常用的query options:
+[no]trace
+[no]recurse
+[no]tcp
# dig -t A s1 @192.168.57.23
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t A s1 @192.168.57.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62522
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;s1. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014092200 1800 900 604800 86400
;; Query time: 31 msec
;; SERVER: 192.168.57.23#53(192.168.57.23)
;; WHEN: Mon Sep 22 15:26:24 2014
;; MSG SIZE rcvd: 95
# dig -t CNAME www @192.168.57.23
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t CNAME www @192.168.57.23
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55815
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www. IN CNAME
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014092200 1800 900 604800 86400
;; Query time: 33 msec
;; SERVER: 192.168.57.23#53(192.168.57.23)
;; WHEN: Mon Sep 22 15:26:38 2014
;; MSG SIZE rcvd: 96
//nslookup命令格式:
# nslookup 回车
>server server_ip
>set q=RRtype
>name
# nslookup
> server 192.168.57.23
Default server: 192.168.57.23
Address: 192.168.57.23#53
> set q=A
> s1.py.com
Server: 192.168.57.23
Address: 192.168.57.23#53
Name: s1.py.com
Address: 192.168.57.1
辅助(从)DNS服务器的安装配置:
1.安装bind
# yum -y install bind
服务器IP:192.168.57.230,域名:py.com
2.配置:主配置文件(/etc/named.conf)
# vim /etc/named.conf
//增加以下行
zone "py.com" IN {
type slave;
masters { 192.168.57.23; };
file "slaves/py.com.zone";
};
zone "57.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.57.23; };
file "slaves/named.py.com";
};
//注释下面这一行
recursion yes;
//检查文件
# named-checkconf
3.启动named服务
# service named start
4.查看salves目录
# cd /var/named/slaves # cat py.com.zone $ORIGIN . $TTL 86400 ; 1 day py.com IN SOA ns.py.com. root.py.com. ( 2014092201 ; serial 3600 ; refresh (1 hour) 300 ; retry (5 minutes) 259200 ; expire (3 days) 43200 ; minimum (12 hours) ) NS ns.py.com. MX 10 mail.py.com. MX 20 mail2.py.com. $ORIGIN py.com. ftp CNAME s2 mail A 192.168.57.3 mail2 A 192.168.57.4 ns A 192.168.57.23 s1 A 192.168.57.1 s2 A 192.168.57.2 www CNAME s1 # cat named.py.com $ORIGIN . $TTL 86400 ; 1 day 57.168.192.in-addr.arpa IN SOA ns.py.com. root.py.com. ( 2014092201 ; serial 3600 ; refresh (1 hour) 300 ; retry (5 minutes) 259200 ; expire (3 days) 43200 ; minimum (12 hours) ) NS ns.py.com. $ORIGIN 57.168.192.in-addr.arpa. 1 PTR s1.py.com. 2 PTR s2.py.com. 3 PTR mail.py.com. 4 PTR mail2.py.com.
5.测试
# dig -t CNAME www.py.com @192.168.57.230 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t CNAME www.py.com @192.168.57.230 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42102 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;www.py.com. IN CNAME ;; ANSWER SECTION: www.py.com. 86400 IN CNAME s1.py.com. ;; AUTHORITY SECTION: py.com. 86400 IN NS ns.py.com. ;; ADDITIONAL SECTION: ns.py.com. 86400 IN A 192.168.57.23 ;; Query time: 0 msec ;; SERVER: 192.168.57.230#53(192.168.57.230) ;; WHEN: Mon Sep 22 15:52:04 2014 ;; MSG SIZE rcvd: 78
子DNS服务器的安装配置:
1.安装bind
# yum -y install bind
服务器IP:192.168.57.230,域名:tech.py.com
2.配置:主配置文件(/etc/named.conf)
//增加下列行
zone "tech.py.com" IN {
type master;
file "tech.py.com";
};
zone "58.168.192.in-addr.arpa" IN {
type master;
file "named.tech.py.com";
};
//检查配置文件
# named-checkconf
3.配置父DNS服务器的区域配置文件(/var/named/py.com.zone),授权子域
//增加下列行 tech.py.com. IN NS ns.tech.py.com. ns IN A 192.168.57.230
4.重启named服务
# service named restart
5.在主服务器上测试
# dig -t A www.tech.py.com @192.168.57.230 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -t A www.tech.py.com @192.168.57.230 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 13703 ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;www.tech.py.com. IN A ;; Query time: 1 msec ;; SERVER: 192.168.57.230#53(192.168.57.230) ;; WHEN: Mon Sep 22 16:25:28 2014 ;; MSG SIZE rcvd: 33
配置区域转发:
区域转发负责把本机不能解析的请求发往指下的DNS服务器,可以在全局区配置转发,也可以配置特定区域转发。
格式如下:
//配置全局转发
# vim /etc/named.conf
options {
forward only|first;
forwarders { IP; }
};
//配置特定区域转发
# vim /var/named/py.com.zone
zone "py.com" IN {
type forward;
forwarders { IP; }
forward only|forward;
};
bind配置选项:
//用于控制主DNS服务器允许区域复制给辅助DNS服务器的白名单(在主DNS服务器上配置)
allow-transfer { ip; };
//用于服务器是缓存名称服务器时,只开放查询功能给本地客户端
allow-query { ip; };
//定义递归查询白名单(DNS服务器要配置转发的时候,本机的IP必须在对方的递归白名单中)
allow-recursion { ip; };
//为了安全通常是关闭的。
allow-update { none; };
定义ACL,用于上述选项的调用
acl ACL_NAME {
192.168.57.0/24;
10.245.32.0/21;
};
bind的4个内置ACL:
any: 任何主机
none: 无一主机
local: 本机
localnet: 本机所在的网络
//view:(针对不同来源的IP地址,使用不同的DNS区域文件)
acl telecom {
202.96.0.0/16;
};
acl unicom {
61.192.0.0/26;
};
view telecom {
match-clients { telecom; };
zone "py.com" IN {
type master;
file "py.com.telecom";
};
};
view unicom {
match-clients { unicom; };
recursion no;
zone "magelinux.com" IN {
type master;
file "py.com.unicom";
};
};
view default {
match-clients { any; };
zone "py.com" IN {
type master;
file "py.com.unicom";
};
};