1. DNS service    yum -y bind* cach
BIND provides the DNS service.
libnss_files.so
libnss_dns.so
The system calls these two library files to resolve names.
The configuration file is /etc/nsswitch.conf; names are resolved in the order listed in that file.
.                root domain
.com. / .cn.     top-level domains
Organizational domains: .com .org .net .cc
Country-code domains: .cn .tw .hk .iq .ir .jp
Reverse domain: IP --> FQDN
Queries:
Recursive: only one request is sent
Iterative: several requests are sent
Internet lookups go recursive first, then iterative.
Recursive clients vs. non-recursive clients
The primary DNS server is responsible for modifying the data.
The secondary DNS server is responsible for synchronising the data.
The nameserver must recurse, because it needs the final answer directly.
serial number         data version number
refresh               refresh interval
retry                 retry interval
expire                expiry time (how long the data is still considered valid)
negative answer TTL   cache time for negative answers
Caching DNS server
Forwarder
Every entry in the database is called a resource record; the resource records must state who the DNS server is and who the mail server is.
Resource record format:
TTL is 600 by default;  NAME  TTL (refresh/expiry time)  IN (class)  RRT (resource record type)  VALUE (resource value)
nginx.vmware.xx.    IN  A   1.1.1.1
vmware.xx.          IN  NS  ns01.vmware.xx.
ns01.vmware.xx.     IN  A   1.1.1.2
mail01.vmware.xx.   IN  A   1.1.1.1
Resource record types:
SOA (Start Of Authority): start-of-authority record
ZONE NAME  TTL  IN  SOA  FQDN  ADMINISTRATOR_MAILBOX ( serial number  refresh  retry  expire  negative TTL )
nginx.com.  600  IN  SOA  ns1.vmware.xx.  admin.vmware.xx. ( 2015010501 1H 5M 1W 1D )
Time units: M (minutes), H (hours), D (days), W (weeks); the default unit is seconds.
MX (Mail eXchange): ZONE NAME -----> FQDN
vmware.xx.  IN  MX  10  mail01.vmware.xx.
A priority (0-99) must be given; the smaller the number, the higher the priority. Used for mail servers.
NS (Name Server): DOMAIN NAME -----> FQDN
A (address): FQDN ----> IP
AAAA: FQDN ----> IPv6
PTR (pointer), reverse: IP -----> FQDN
1.1.1.1  IN  PTR  nginx.vmware.xx.
CNAME (Canonical Name): FQDN ---> FQDN, alias record
www2.vmware.xx.  IN  CNAME  www.vmware.xx.
Query types:
Forward zone file
vmware.xx.  IN  SOA
Reverse zone file
0.168.192.in-addr.arpa.  IN  SOA
1.168.192.in-addr.arpa.  IN  PTR  www.vmware.xx.
2                        IN  PTR  nginx.vmware.xx.
Zone transfer:
Full zone transfer (first copy of the data): axfr
Incremental zone transfer: ixfr
Zone types:
Primary zone: master
Secondary zone: slave
Hint zone: hint
Forward zone: forward
bind:
/etc/named.conf      working properties of the BIND process
/etc/rndc.key        key file; rndc: Remote Name Domain Controller
Configuration information:
/etc/rndc.conf
/var/named/          zone data files
/etc/rc.d/init.d/named {start|stop|restart|status|reload|configtest}
yum info caching-nameserver     once installed, the server can act as a caching server
Ports DNS listens on:
53/udp
53/tcp     used when the secondary copies from the primary
953/tcp    rndc
zone "localhost" IN { type master; file "named.localhost"; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; };
Used at startup.
rndc-confgen -r /dev/urandom > /etc/rndc.conf
rndc-confgen -r /dev/urandom -a
Generate rndc.key by hand.
dig > named.root
dig -t RT NAME @DNSSERVER
dig -t NS(A,NS,MX,PTR) vmware.xx
dig -x IP                                        reverse lookup
dig +recurse +trace -t A vmware.xx @10.207.237.110
dig -t axfr vmware.xx                            full zone transfer
dig -t ixfr vmware.xx                            incremental zone transfer
nslookup
> server IP          set the DNS server to query
> set q=RT           RT = record type
> NAME
named.conf
directory "/var/named";
recursion yes;                          // enable recursion; lets outside users query recursively
allow-recursion { 10.207.237.0/24; };   // allow recursion only for the 10.207.237.0/24 network
allow-query { any; };                   // which clients may query at all
allow-transfer { 10.207.237.112; };     // put this inside the zone block
allow-transfer { none; };               // disallow zone transfers
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "named.localhost"; allow-transfer { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-transfer { none; }; };
zone "vmware.xx" IN { type master; file "vmware.xx.zone"; allow-transfer { 10.207.237.110; }; };
zone "237.207.10.in-addr.arpa" IN { type master; file "237.207.10.zone"; allow-transfer { 10.207.237.110; }; };
acl china_zz { 10.207.237.0/24; };
acl china_cd { 10.244.0.0/16; };
DNS view configuration document
named.conf
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    notify yes;
};
logging {
    channel query_log {
        file "/var/log/named/query_log.log" versions 3 size 10M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity dynamic;
    };
    channel axfr_log {
        file "/var/log/named/transfer_log.log" versions 5 size 10M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity dynamic;
    };
    category queries { query_log; };
    category xfer-out { axfr_log; };
};
acl china_zz { 10.207.237.0/24; };
acl china_cd { 10.244.0.0/16; };
view china_zz {
    match-clients { china_zz; };
    zone "vmware.xx" IN { type master; file "china_zz.vmware.xx.zone"; allow-transfer { any; }; };
    zone "207.10.in-addr.arpa" IN { type master; file "237.10.zone"; allow-transfer { 10.207.237.111; }; };
};
view china_cd {
    match-clients { china_cd; };
    zone "vmware.xx" IN { type master; file "china_cd.vmware.xx.zone"; allow-transfer { 10.207.237.111; }; };
    zone "244.10.in-addr.arpa" IN { type master; file "244.10.zone"; allow-transfer { 10.207.237.111; }; };
};
view any {
    match-clients { any; };
    zone "vmware.xx" IN { type master; file "other.vmware.xx.zone"; allow-transfer { 10.207.237.111; }; };
    zone "." IN { type hint; file "named.ca"; };
    zone "localhost" IN { type master; file "named.localhost"; allow-transfer { none; }; };
    zone "0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-transfer { none; }; };
};
#include "/etc/named.rfc1912.zones";
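The acl, match-clients and allow-transfer lists above are all BIND address-match lists, and a view is chosen by the first match-clients list that matches the client's source address. The following is an added example (not code from the notes or from BIND) that models those rules in Python for the three views and the two ACLs defined above, so the effect of the configuration can be checked offline: which view a client lands in, which zone file it is served, whether it may pull a zone transfer, and whether an allow-transfer entry can ever be used at all. The VIEWS and ACLS tables are a constructed transcription of the named.conf above; the matching logic is a simplified re-implementation, not BIND's own.

```python
import ipaddress

# Constructed transcription of the acl / view statements in the named.conf above
# (assumption: a simplified model of BIND address-match lists, not BIND's code).
ACLS = {
    "china_zz": ["10.207.237.0/24"],
    "china_cd": ["10.244.0.0/16"],
    "any": ["0.0.0.0/0", "::/0"],   # BIND built-in
    "none": [],                      # BIND built-in
}

# Views in file order: BIND hands a query to the FIRST view whose
# match-clients list matches the source address.
VIEWS = [
    {"name": "china_zz", "match_clients": ["china_zz"], "zones": {
        "vmware.xx": {"file": "china_zz.vmware.xx.zone", "allow_transfer": ["any"]},
        "207.10.in-addr.arpa": {"file": "237.10.zone", "allow_transfer": ["10.207.237.111"]},
    }},
    {"name": "china_cd", "match_clients": ["china_cd"], "zones": {
        "vmware.xx": {"file": "china_cd.vmware.xx.zone", "allow_transfer": ["10.207.237.111"]},
        "244.10.in-addr.arpa": {"file": "244.10.zone", "allow_transfer": ["10.207.237.111"]},
    }},
    {"name": "any", "match_clients": ["any"], "zones": {
        "vmware.xx": {"file": "other.vmware.xx.zone", "allow_transfer": ["10.207.237.111"]},
    }},
]


def address_match(client, elements):
    """First matching element decides; a '!' prefix turns a match into a rejection."""
    addr = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        name = elem.lstrip("!")
        if name in ACLS:
            hit = address_match(client, ACLS[name])
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False


def select_view(client):
    """Name of the view that will answer this client, or None if no view matches."""
    for view in VIEWS:
        if address_match(client, view["match_clients"]):
            return view["name"]
    return None


def _zone_in_view(client, zone):
    name = select_view(client)
    for view in VIEWS:
        if view["name"] == name:
            return view["zones"].get(zone)
    return None


def zone_file_for(client, zone):
    """Which zone file's data this client sees for `zone` (None = not served)."""
    z = _zone_in_view(client, zone)
    return z["file"] if z else None


def transfer_allowed(client, zone):
    """Would an AXFR/IXFR of `zone` from this source address be permitted?"""
    z = _zone_in_view(client, zone)
    return bool(z) and address_match(client, z["allow_transfer"])


def dead_transfer_entries():
    """allow-transfer addresses that can never take effect because match-clients
    routes that address to a different view. Returns (view, zone, address) tuples;
    prefixes are checked by their first address."""
    dead = []
    for view in VIEWS:
        for zone, z in view["zones"].items():
            for elem in z["allow_transfer"]:
                if elem in ACLS or elem.startswith("!"):
                    continue
                if select_view(elem.split("/")[0]) != view["name"]:
                    dead.append((view["name"], zone, elem))
    return dead
```

Running dead_transfer_entries() against this transcription shows that the secondary at 10.207.237.111 always lands in the china_zz view (it sits inside 10.207.237.0/24), so the allow-transfer { 10.207.237.111; } entries in the china_cd and any views can never be exercised and those two copies of vmware.xx will never reach the secondary; meanwhile allow-transfer { any; } in china_zz lets every host on that /24 pull the zone. Reading the configuration this way is a cheap check to run before relying on per-view transfer restrictions.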
china_zz.vmware.xx.zone
$TTL 600
@   IN SOA ns01.vmware.xx. admin.vmware.xx. (
        2015010701 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
    NS  ns02.vmware.xx.
    MX  10 mail.vmware.xx.
mail  A 10.207.237.113
ns02  A 10.207.237.111
ns01  A 10.207.237.110
www   A 10.207.237.112
www   A 10.207.237.109
china_cd.vmware.xx.zone
$TTL 600
@   IN SOA ns01.vmware.xx. admin.vmware.xx. (
        2015010701 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
    NS  ns02.vmware.xx.
    MX  10 mail.vmware.xx.
mail  A 10.207.237.113
ns01  A 10.207.237.110
ns02  A 10.207.237.111
www   A 10.244.235.235
www   A 10.244.235.236
237.207.10.zone
$TTL 600
@   IN SOA ns01.vmware.xx. admin.vmware.xx. (
        2015010701 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
    NS  ns02.vmware.xx.
113   PTR mail.vmware.xx.
111   PTR ns02.vmware.xx.
110   PTR ns01.vmware.xx.
112   PTR www.vmware.xx.
109   PTR www.vmware.xx.
For primary/secondary zone transfer, the NS record of the secondary DNS server must be declared in the zone file, as shown above; only then can the zone transfer take place.
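The resource-record format, the SOA timer fields and their M/H/D/W time units described earlier, and the zone files just listed, are easiest to get right with a small checker run before rndc reload. The following is an added example (not code from the notes or from BIND): a minimal zone-file parser in Python that folds the parenthesised SOA, expands BIND time values to seconds, and then flags the mistakes that most often break a primary/secondary setup: a serial not in YYYYMMDDnn form, retry not shorter than refresh, expire not longer than refresh, an NS or MX target inside the zone that has no A/AAAA record (the point made in the sentence above), a malformed IPv4 address, and a name that carries a CNAME alongside another record type. ZONE_TEXT is a constructed copy of china_zz.vmware.xx.zone written in on-disk zone syntax.

```python
import re
import ipaddress

# Constructed sample: china_zz.vmware.xx.zone from the notes, in zone-file syntax.
ZONE_TEXT = """\
$TTL 600
@   IN SOA ns01.vmware.xx. admin.vmware.xx. (
        2015010701 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
    NS  ns02.vmware.xx.
    MX  10 mail.vmware.xx.
mail  A 10.207.237.113
ns02  A 10.207.237.111
ns01  A 10.207.237.110
www   A 10.207.237.112
www   A 10.207.237.109
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(text):
    """BIND time value: bare seconds, or unit groups such as 1D or 1h30m."""
    if text.isdigit():
        return int(text)
    if not re.fullmatch(r"(\d+[SMHDWsmhdw])+", text):
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u.upper()] for n, u in re.findall(r"(\d+)([A-Za-z])", text))


def parse_zone(text, origin):
    """Minimal zone parser: returns (default_ttl, soa dict, [(owner_fqdn, type, rdata)])."""
    kept = [ln.split(";", 1)[0].rstrip() for ln in text.splitlines()]   # drop comments
    body = "\n".join(ln for ln in kept if ln.strip())
    # fold a parenthesised multi-line SOA onto a single line
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    default_ttl, soa, records, owner = None, None, [], "@"
    for line in body.splitlines():
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        if not line[0].isspace():            # a name in column 1 sets the current owner
            owner = tokens.pop(0)
        while tokens[0] == "IN" or tokens[0][0].isdigit():   # optional class / record TTL
            tokens.pop(0)
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        rtype, rdata = tokens[0], tokens[1:]
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            soa = {"mname": mname, "rname": rname, "serial": int(serial),
                   "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
                   "expire": parse_ttl(expire), "minimum": parse_ttl(minimum)}
        else:
            records.append((fqdn, rtype, " ".join(rdata)))
    return default_ttl, soa, records


def check_zone(text, origin):
    """Problems to fix before reloading: SOA timers, serial form, NS/MX glue, CNAME misuse."""
    _, soa, records = parse_zone(text, origin)
    if soa is None:
        return ["no SOA record"]
    problems = []
    if not re.fullmatch(r"(19|20)\d{8}", str(soa["serial"])):
        problems.append(f"serial {soa['serial']} is not in YYYYMMDDnn form")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        problems.append("expire should be longer than refresh")
    ns_targets = [v for o, t, v in records if t == "NS" and o == origin]
    if not ns_targets:
        problems.append("zone apex has no NS record")
    elif soa["mname"] not in ns_targets:
        problems.append(f"SOA mname {soa['mname']} is not listed as an NS")
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    mx_targets = [v.split()[1] for _, t, v in records if t == "MX"]
    for target in ns_targets + mx_targets:
        if target.endswith("." + origin) and target not in has_addr:
            problems.append(f"{target} is in-zone but has no A/AAAA record")
    for o, t, v in records:
        if t == "A":
            try:
                ipaddress.IPv4Address(v)
            except ValueError:
                problems.append(f"{o}: bad IPv4 address {v!r}")
    cnames = {o for o, t, _ in records if t == "CNAME"}
    for o, t, _ in records:
        if o in cnames and t != "CNAME":
            problems.append(f"{o} has both a CNAME and a {t} record")
    return problems
```

check_zone(ZONE_TEXT, "vmware.xx.") returns an empty list for the zone as written; deleting the ns02 A record reproduces the situation the sentence above warns about, and the checker names the secondary that is listed as NS without an address. named-checkzone does the syntax part of this on a real server; the value of a script like this is the policy checks (serial form, timer ordering, glue) that a syntax check does not enforce.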
rndc: remote management of the DNS server
Subdomain delegation
SUB_ZONE_NAME           IN  NS  NSSERVER_SUB_ZONE_NAME
NSSERVER_SUB_ZONE_NAME  IN  A   IP
DNS view definition:
view china_zz {
    match-clients { china_zz; };
    zone "vmware.xx" IN {
        type master;
        file "china_zz.vmware.xx.zone";
        allow-transfer ...;
    };
};
Linux BIND DNS configuration: all of the configuration files follow.
named.conf
options {
    listen-on port 53 { any; };
    directory "/usr/local/named/etc";
    pid-file "/usr/local/named/var/run/named.pid";
    dump-file "/usr/local/named/data/cache_dump.db";
    statistics-file "/usr/local/named/data/named_stats.txt";
    memstatistics-file "/usr/local/named/data/named_mem_stats.txt";
    forwarders { 10.207.238.100; };
    allow-query { any; };
    recursion yes;
    notify yes;
};
logging {
    channel query_log {
        file "/var/log/named/query_log.log" versions 3 size 10M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity dynamic;
    };
    channel axfr_log {
        file "/var/log/named/transfer_log.log" versions 5 size 10M;
        print-time yes;
        print-severity yes;
        print-category yes;
        severity dynamic;
    };
    category queries { query_log; };
    category xfer-out { axfr_log; };
};
zone "." IN { type hint; file "named.root"; };
zone "localhost" IN { type master; file "named.localhost"; allow-transfer { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-transfer { none; }; };
zone "vmware.xx" IN { type master; file "vmware.xx.zone"; allow-transfer { 10.207.237.200; }; };
zone "vmware.zz" { type master; database "mysqldb vmware sc 127.0.0.1 root cisco1989"; allow-transfer { 10.207.237.200; }; };
zone "237.207.10.in-addr.arpa" IN { type master; file "10.207.237.zone"; allow-transfer { 10.207.237.200; }; };
zone "238.207.10.in-addr.arpa" IN { type master; file "10.207.238.zone"; allow-transfer { 10.207.237.200; }; };
key "rndc-key" {
    algorithm hmac-md5;
    secret "PESyIEZ6P7LE6D1v0MFQBA==";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
named.localhost   local forward resolution
$TTL 1D
@   IN SOA @ rname.invalid. (
        0    ; serial
        1D   ; refresh
        1H   ; retry
        1W   ; expire
        3H ) ; minimum
    NS   @
    A    127.0.0.1
    AAAA ::1
named.loopback   local reverse resolution
$TTL 1D
@   IN SOA @ rname.invalid. (
        0    ; serial
        1D   ; refresh
        1H   ; retry
        1W   ; expire
        3H ) ; minimum
    NS   @
    A    127.0.0.1
    AAAA ::1
    PTR  localhost.
named.root   root hints
; <<>> DiG 9.9.7 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56849
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 25

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       11055   IN      NS      k.root-servers.net.
.                       11055   IN      NS      i.root-servers.net.
.                       11055   IN      NS      c.root-servers.net.
.                       11055   IN      NS      e.root-servers.net.
.                       11055   IN      NS      a.root-servers.net.
.                       11055   IN      NS      m.root-servers.net.
.                       11055   IN      NS      g.root-servers.net.
.                       11055   IN      NS      d.root-servers.net.
.                       11055   IN      NS      f.root-servers.net.
.                       11055   IN      NS      h.root-servers.net.
.                       11055   IN      NS      j.root-servers.net.
.                       11055   IN      NS      l.root-servers.net.
.                       11055   IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
k.root-servers.net.     8316    IN      A       193.0.14.129
k.root-servers.net.     8978    IN      AAAA    2001:7fd::1
i.root-servers.net.     8323    IN      A       192.36.148.17
i.root-servers.net.     8244    IN      AAAA    2001:7fe::53
c.root-servers.net.     8153    IN      A       192.33.4.12
c.root-servers.net.     8422    IN      AAAA    2001:500:2::c
e.root-servers.net.     8253    IN      A       192.203.230.10
a.root-servers.net.     14310   IN      A       198.41.0.4
a.root-servers.net.     8316    IN      AAAA    2001:503:ba3e::2:30
m.root-servers.net.     8323    IN      A       202.12.27.33
m.root-servers.net.     9520    IN      AAAA    2001:dc3::35
g.root-servers.net.     8253    IN      A       192.112.36.4
d.root-servers.net.     8253    IN      A       199.7.91.13
d.root-servers.net.     8258    IN      AAAA    2001:500:2d::d
f.root-servers.net.     8253    IN      A       192.5.5.241
f.root-servers.net.     8275    IN      AAAA    2001:500:2f::f
h.root-servers.net.     8323    IN      A       128.63.2.53
h.root-servers.net.     8623    IN      AAAA    2001:500:1::803f:235
j.root-servers.net.     8323    IN      A       192.58.128.30
j.root-servers.net.     8518    IN      AAAA    2001:503:c27::2:30
l.root-servers.net.     8279    IN      A       199.7.83.42
l.root-servers.net.     8244    IN      AAAA    2001:500:3::42
b.root-servers.net.     8151    IN      A       192.228.79.201
b.root-servers.net.     8153    IN      AAAA    2001:500:84::b

;; Query time: 34 msec
;; SERVER: 10.191.131.131#53(10.191.131.131)
;; WHEN: Thu Apr 02 13:52:18 CST 2015
;; MSG SIZE  rcvd: 768
rndc.conf
# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "PESyIEZ6P7LE6D1v0MFQBA==";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-md5;
#     secret "PESyIEZ6P7LE6D1v0MFQBA==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of rndc.conf
vmware.xx.zone   forward resolution
$TTL 600
@   IN SOA ns01.vmware.xx. jason.cahng.vmware.xx. (
        2015040201 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
    MX  10 mail.vmware.xx.
    A   10.207.237.122
mail      A     10.207.238.199
nessus01  A     10.207.238.93
nessus02  A     10.207.238.94
nessus03  A     10.207.238.95
nessus04  A     10.207.238.96
symantec  CNAME Email.vmware.xx.
ns01      A     10.207.237.122
ubuntu    A     10.207.237.124
rd        A     10.207.237.123
nessus    A     10.207.237.121
10.207.237.zone   reverse resolution configuration
$TTL 600
@   IN SOA ns01.vmware.xx. jason.chang.vmware.xx. (
        2015040201 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
122   PTR ns01.vmware.xx.
124   PTR ubuntu.vmware.xx.
123   PTR rd.vmware.xx.
121   PTR nessus.vmware.xx.
10.207.238.zone   reverse resolution file
$TTL 600
@   IN SOA ns01.vmware.xx. jason.chang.vmware.xx. (
        2015040201 ; serial
        1D         ; refresh
        1H         ; retry
        1W         ; expire
        3H )       ; minimum
    NS  ns01.vmware.xx.
122   PTR ns01.vmware.xx.
93    PTR nessus01.vmware.xx.
94    PTR nessus02.vmware.xx.
95    PTR nessus03.vmware.xx.
96    PTR nessus04.vmware.xx.