Contents:
DNS service basics
BIND9 installation and configuration
BIND9 forward and reverse zones and master/slave synchronisation
Advanced BIND applications

DNS service installation and use
Installing and configuring BIND:
BIND: Berkeley Internet Name Domain, now maintained by ISC (isc.org), which also maintains the ISC DHCP server.
- dns: the protocol
- bind: one implementation of the DNS protocol
- named: the name of the running BIND process
Packages:
bind-libs: libraries shared by the programs in the bind and bind-utils packages;
bind-utils: the BIND client tools, e.g. dig, host, nslookup;
bind: the DNS server itself plus a few commonly used test and maintenance tools;
bind-chroot: optional; runs named inside a chroot jail.
By default named runs against the real root filesystem. BIND is old code and has had its share of vulnerabilities; if the process is hijacked, the attacker gets whatever the process's user can do, including reading any file that user can read on the real filesystem. If named is instead run under a fake root (a chroot jail), a hijacked process can only reach files inside that jail, so the damage is confined to the jail. Two caveats: the jail only helps if named also runs as an unprivileged user (the CentOS unit file starts it with -u named), and a chroot is not a full sandbox; it does nothing against kernel-level exploits or against abuse of the DNS service itself (cache poisoning, amplification).
Demo: install the bind package

[root@centos7 yum.repos.d]# yum -y install bind
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64.32.9.9.4-18.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================
Package    Arch     Version            Repository   Size
============================================================
Installing:
bind       x86_64   32:9.9.4-18.el7    haha         1.8 M
Transaction Summary
============================================================
Install 1 Package
Total download size: 1.8 M
Installed size: 4.3 M
Downloading packages:
bind-9.9.4-18.el7.x86_64.rpm | 1.8 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-9.9.4-18.el7.x86_64 1/1
Verifying  : 32:bind-9.9.4-18.el7.x86_64 1/1
Installed:
bind.x86_64 32:9.9.4-18.el7
Complete!

[root@centos7 yum.repos.d]# rpm -ql bind
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf                              # main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/etc/tmpfiles.d/named.conf
/run/named
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service        # systemd unit that starts bind
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named                              # the server itself
/usr/sbin/named-checkconf                    # syntax-check the configuration file
/usr/sbin/named-checkzone                    # syntax-check a zone database file
/usr/sbin/named-compilezone                  # convert a zone file between text and binary (raw) format
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc                               # remote name daemon control
/usr/sbin/rndc-confgen
/usr/share/doc/bind-9.9.4
/var/log/named.log
/var/named                                   # directory for zone database files and helper files
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves

[root@centos7 yum.repos.d]# ls /var/named/
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

[root@centos7 yum.repos.d]# cat /var/named/named.ca          # root hints
.   518400 IN NS a.root-servers.net.
.   518400 IN NS b.root-servers.net.
.   518400 IN NS c.root-servers.net.
.   518400 IN NS d.root-servers.net.
.   518400 IN NS e.root-servers.net.
.   518400 IN NS f.root-servers.net.
.   518400 IN NS g.root-servers.net.
.   518400 IN NS h.root-servers.net.
.   518400 IN NS i.root-servers.net.
.   518400 IN NS j.root-servers.net.
.   518400 IN NS k.root-servers.net.
.   518400 IN NS l.root-servers.net.
.   518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 3600000 IN A    198.41.0.4
a.root-servers.net. 3600000 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 3600000 IN A    192.228.79.201
c.root-servers.net. 3600000 IN A    192.33.4.12
d.root-servers.net. 3600000 IN A    199.7.91.13
d.root-servers.net. 3600000 IN AAAA 2001:500:2d::d
e.root-servers.net. 3600000 IN A    192.203.230.10
f.root-servers.net. 3600000 IN A    192.5.5.241
f.root-servers.net. 3600000 IN AAAA 2001:500:2f::f
g.root-servers.net. 3600000 IN A    192.112.36.4
h.root-servers.net. 3600000 IN A    128.63.2.53
h.root-servers.net. 3600000 IN AAAA 2001:500:1::803f:235
i.root-servers.net. 3600000 IN A    192.36.148.17
i.root-servers.net. 3600000 IN AAAA 2001:7fe::53
j.root-servers.net. 3600000 IN A    192.58.128.30
j.root-servers.net. 3600000 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 3600000 IN A    193.0.14.129
k.root-servers.net. 3600000 IN AAAA 2001:7fd::1
l.root-servers.net. 3600000 IN A    199.7.83.42
l.root-servers.net. 3600000 IN AAAA 2001:500:3::42
m.root-servers.net. 3600000 IN A    202.12.27.33
m.root-servers.net. 3600000 IN AAAA 2001:dc3::35

[root@centos7 yum.repos.d]# cat /var/named/named.localhost   # forward zone for localhost
$TTL 1D
@   IN SOA @ rname.invalid. (
        0   ; serial
        1D  ; refresh
        1H  ; retry
        1W  ; expire
        3H ) ; minimum
    NS   @
    A    127.0.0.1
    AAAA ::1

[root@centos7 yum.repos.d]# cat /var/named/named.loopback    # reverse zone for 127.0.0.1
$TTL 1D
@   IN SOA @ rname.invalid. (
        0   ; serial
        1D  ; refresh
        1H  ; retry
        1W  ; expire
        3H ) ; minimum
    NS   @
    A    127.0.0.1
    AAAA ::1
    PTR  localhost.
The bind program:
Main configuration file: /etc/named.conf, which includes further files: /etc/named.iscdlv.key, /etc/named.rfc1912.zones, /etc/named.root.key.
Zone database files: under /var/named/, normally named ZONE_NAME.zone.
Notes:
(1) One DNS server can serve many zones at once, forward and reverse.
(2) The root hints file named.ca must be present.
(3) There should also be the two zones for localhost and 127.0.0.1: forward named.localhost, reverse named.loopback.
named.ca, named.localhost and named.loopback are shipped by the rpm packager.
BIND helper program:
rndc: remote name daemon control; uses 953/tcp, but by default listens only on 127.0.0.1, so it can only be used locally.
Format of the main configuration file /etc/named.conf:
global section:  options { ... }
logging section: logging { ... }
zone sections:   zone { ... }, one per zone that this server serves itself or forwards;
Every statement must end with a semicolon, and there are spaces before and after the braces { }.
Configuring a caching name server:
Listen on an address the clients can reach:
listen-on port 53 { any; };            # listen on all addresses
listen-on port 53 { 172.16.39.1; };    # listen on one address
(the bare form listen-on port 53; is not valid syntax; the address match list in braces is required)
For a lab setup it is simplest to turn DNSSEC off:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
(keep validation on anywhere but a throwaway lab box: with it off, forged answers from upstream are accepted as-is)
Remove the restriction to local queries:
//allow-query { localhost; };
Commenting this line out makes the default apply, and the default allow-query is any; on a real server replace it with the networks that are allowed to query rather than removing it.
Comments in the configuration file are C style: // for a single line, /* ... */ for several lines.
Demo: edit /etc/named.conf

options {
    listen-on port 53 { 172.16.249.254; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; };

Check the configuration for syntax errors:
named-checkconf [/etc/named.conf]
Once bind is installed it works as a caching name server out of the box; if there is no zone of your own to serve, the service can be started straight away:
CentOS 6: service named start
CentOS 7: systemctl start named.service
To test resolution against the local server, point the DNS entry in /etc/resolv.conf at it and use the test tools.

Demo: start named and check its status

[root@centos7 ~]# systemctl start named.service
[root@centos7 ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Tue 2016-01-12 10:08:33 CST; 7s ago
  Process: 2631 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 2629 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
 Main PID: 2633 (named)
   CGroup: /system.slice/named.service
           └─2633 /usr/sbin/named -u named
Jan 12 10:08:33 centos7 named[2633]: zone 0.in-addr.arpa/IN: loaded serial 0
Jan 12 10:08:33 centos7 named[2633]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 12 10:08:33 centos7 named[2633]: zone localhost.localdomain/IN: loaded serial 0
Jan 12 10:08:33 centos7 named[2633]: zone localhost/IN: loaded serial 0
Jan 12 10:08:33 centos7 named[2633]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...l 0
Jan 12 10:08:33 centos7 named[2633]: all zones loaded
Jan 12 10:08:33 centos7 named[2633]: running
Jan 12 10:08:33 centos7 systemd[1]: Started Berkeley Internet Name Domain (DNS).
Jan 12 10:08:33 centos7 named[2633]: error (network unreachable) resolving './DNSKE...#53
Jan 12 10:08:33 centos7 named[2633]: error (network unreachable) resolving './NS/IN...#53
Hint: Some lines were ellipsized, use -l to show in full.

The messages "error (network unreachable) resolving './DNSKE...#53" mean the host cannot reach the Internet, so named cannot prime its root hints; this is harmless in a lab and can be ignored.

Check the listening ports: 53/tcp, 53/udp and rndc on 953/tcp should be listening:
[root@centos7 ~]# netstat -lnp | grep named
tcp   0 0 127.0.0.1:953  0.0.0.0:*  LISTEN  2633/named
tcp6  0 0 ::1:53         :::*       LISTEN  2633/named
tcp6  0 0 ::1:953        :::*       LISTEN  2633/named
udp6  0 0 ::1:53         :::*               2633/named
[root@centos7 ~]# ss -lnp | grep named
u_dgr UNCONN 0 0   * 29563        * 322  users:(("named",2633,3))
tcp   UNCONN 0 0   ::1:53         :::*    users:(("named",2633,513),("named",2633,512))
tcp   LISTEN 0 128 127.0.0.1:953  *:*     users:(("named",2633,21))
tcp   LISTEN 0 10  ::1:53         :::*    users:(("named",2633,20))
tcp   LISTEN 0 128 ::1:953        :::*    users:(("named",2633,22))
Note that in this listing port 53 is bound only on ::1; the address given in listen-on does not appear. Always confirm that the configured address really shows up here: if it does not, either the address is not assigned to an interface or the service has not been restarted since the change, and clients on the network get no answer.

Point /etc/resolv.conf at the local server:
[root@centos7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.16.245.254

Make sure the firewall and SELinux are not getting in the way of the test:
[root@centos7 ~]# iptables -L -n
[root@centos7 ~]# getenforce
Permissive
Disabling both is acceptable for a lab only. On a production server keep SELinux enforcing (the distribution ships a named_t policy) and open 53/tcp and 53/udp in the firewall instead of switching it off.
Test tools: dig, host, nslookup

dig: tests the DNS system itself, so it never consults /etc/hosts.
dig [-t RR_TYPE] name [@SERVER] [query options]
Parameters:
-t: the resource record type to ask for
name: the owner name to look up
@SERVER: send the query to this server instead of the ones in /etc/resolv.conf
query options: may also be written before the name
Commonly used query options:
+[no]trace: trace the delegation path from the root (dig iterates itself); no disables it
+[no]recurse: set or clear the RD bit, i.e. ask the server to recurse or not
Reverse lookup: dig -x IP
Simulate a full zone transfer: dig -t axfr DOMAIN [@server]
A zone transfer that succeeds from an arbitrary client hands out every name in the zone, so run this against your own servers from an address that is not a slave: it must fail (see allow-transfer at the end of this page).
Demo: dig

[root@centos7 ~]# dig -t A www.bamaface.com @172.16.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A www.bamaface.com @172.16.0.1
;; global options: +cmd                               global options
;; Got answer:                                        an answer was received
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30624
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3
   flags: qr = this is a response, rd = recursion was desired, ra = recursion is available on the server;
   note that aa (authoritative answer) is absent: this came from a recursive server's cache, not from the zone's own server
;; OPT PSEUDOSECTION:                                 EDNS options (the client advertised a 4096-byte UDP buffer); informational
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:                                  question section
;www.bamaface.com.          IN  A
;; ANSWER SECTION:                                    answer section
www.bamaface.com.    3600   IN  CNAME  host.bamaface.com.
host.bamaface.com.   3600   IN  A      198.145.20.140
;; AUTHORITY SECTION:                                 authority section: the servers responsible for the zone; two here
bamaface.com.        172799 IN  NS     ns10.domaincontrol.com.
bamaface.com.        172799 IN  NS     ns09.domaincontrol.com.
;; ADDITIONAL SECTION:                                additional section: addresses of the servers named in the authority section
ns09.domaincontrol.com. 170957 IN A    216.69.185.5
ns10.domaincontrol.com. 170957 IN A    208.109.255.5
;; Query time: 758 msec                               query duration
;; SERVER: 172.16.0.1#53(172.16.0.1)                  the server that answered
;; WHEN: Tue Jan 12 10:35:35 CST 2016                 time
;; MSG SIZE  rcvd: 164

Trace with +trace: shows the resolution step by step, with dig itself iterating down from the root; on a slow or disconnected network this can block for a long time.
[root@centos7 ~]# dig +trace -t A www.bamaface.com @172.16.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> +trace -t A www.bamaface.com @172.16.0.1
;; global options: +cmd
.   517866  IN  NS  d.root-servers.net.
.   517866  IN  NS  b.root-servers.net.
host command:
host [-t RR_TYPE] name SERVER_IP

Demo: host
A record
[root@centos7 ~]# host -t A bamaface.com 172.16.0.1
bamaface.com has address 198.145.20.140
NS records
[root@centos7 ~]# host -t NS bamaface.com 172.16.0.1
bamaface.com name server ns09.domaincontrol.com.
bamaface.com name server ns10.domaincontrol.com.
MX records
[root@centos7 ~]# host -t MX bamaface.com 172.16.0.1
bamaface.com mail is handled by 0 smtp.secureserver.net.
bamaface.com mail is handled by 10 mailstore1.secureserver.net.
nslookup command: has an interactive and a non-interactive mode; the interactive mode is the more convenient one.
nslookup [-options] [name] [server]

Demo:
[root@centos7 ~]# nslookup
> server 172.16.0.1          # without this, the servers from /etc/resolv.conf are used
Default server: 172.16.0.1
Address: 172.16.0.1#53
> set q=A                    # query type
> www.bamaface.com
Server:  172.16.0.1
Address: 172.16.0.1#53
Non-authoritative answer:
www.bamaface.com canonical name = host.bamaface.com.
Name: host.bamaface.com
Address: 198.145.20.140
> exit
rndc command: controls the named service
(1) rndc -h: list all subcommands
(2) rndc flush: empty the server's cache
(3) rndc stop: stop the server; do not expose rndc to remote connections
(4) rndc reload [zone]: reload the configuration and zone files, or a single named zone
(5) rndc status: show the server status

Demo:
[root@centos7 ~]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 2                       # number of CPUs
worker threads: 2                   # worker threads
UDP listeners per interface: 2      # number of UDP listener threads per interface (a count, not a percentage)
number of zones: 101                # zones loaded; the default configuration is so high because named creates empty zones for the reserved reverse ranges
debug level: 0                      # debug level
xfers running: 0                    # zone transfers in progress
xfers deferred: 0                   # zone transfers waiting
soa queries in progress: 0          # SOA queries (slave refresh checks) in progress
query logging is OFF                # query logging is off
recursive clients: 0/0/1000         # current recursive clients / soft quota / hard limit (recursive-clients, default 1000)
tcp clients: 0/100                  # current TCP clients / limit (tcp-clients, default 100)
server is up and running            # the server is running normally
BIND9 forward and reverse zones and master/slave synchronisation

Configuring a forward zone:
Three steps: (1) define the zone; (2) create the zone data file (mostly A or AAAA records); (3) have the server reload its configuration and zone data.
Using the bamaface.com domain as the example:
(1) Define the zone, in the main configuration file or in one of the files it includes.
/etc/named.conf normally holds only the root "." hint zone, but it includes /etc/named.rfc1912.zones, and custom zones can be defined there.
/etc/named.rfc1912.zones: the zones RFC 1912 recommends every server carry (localhost and its reverse, and so on).
zone "ZONE_NAME" IN {                   // the zone name is the domain name
    type {master|slave|hint|forward};   // master (primary) | slave (secondary) | hint (root hints) | forward
                                        // with a single DNS server this is always master
    file "ZONE_NAME.zone";              // a relative path is taken under the options directory (/var/named); an absolute path also works
};
Note: the zone name is the domain name.
Demo:
Edit the main configuration file /etc/named.conf
[root@centos7 ~]# sed -n '10,17p;51,57p' /etc/named.conf
options {
    listen-on port 53 { 172.16.249.254; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; };
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Add the bamaface.com zone to named.rfc1912.zones
[root@centos7 ~]# tail -5 /etc/named.rfc1912.zones
zone "bamaface.com" IN {
    type master;
    file "bamaface.com.zone";
};
(2) Create the zone data file (mostly A or AAAA records) under /var/named.
File: /var/named/bamaface.com.zone
$TTL 3600
$ORIGIN bamaface.com.
@   IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (
        2017010801
        1H
        10M
        3D
        1D )
    IN NS  ns1
    IN MX  10 mx1
    IN MX  20 mx2
ns1 IN A   172.16.100.67
mx1 IN A   172.16.100.68
mx2 IN A   172.16.100.69
www IN A   172.16.100.67
web IN CNAME www
bbs IN A   172.16.100.70
bbs IN A   172.16.100.71
Fix the group and permissions:
# chgrp named /var/named/bamaface.com.zone
# chmod o= /var/named/bamaface.com.zone
Check for syntax errors:
# named-checkzone ZONE_NAME ZONE_FILE
# named-checkconf

Demo: create the zone data file

[root@centos7 ~]# cat /var/named/bamaface.com.zone
$TTL 3600                       ; default TTL, inherited by every record below that has none of its own
$ORIGIN bamaface.com.           ; appended to every unqualified name; stating it explicitly avoids surprises
@   IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (   ; the second name is the mailbox dnsadmin@bamaface.com with @ written as a dot
        2017011101              ; serial
        1H                      ; refresh
        10M                     ; retry
        1W                      ; expire
        1D                      ; negative-answer TTL
        )
    IN NS  ns1                  ; an empty owner field inherits the previous owner (@); the value may be short (ORIGIN is appended) or fully qualified, in which case it must end with a dot
    IN MX  10 mx1
    IN MX  20 mx2               ; every NS and MX target inside the zone needs an A record (glue)
ns1 IN A   172.16.249.254
mx1 IN A   172.16.39.2
mx2 IN A   172.16.39.3
                                ; services commonly reached from the Internet
www IN A   172.16.39.1
web IN CNAME www
bbs IN A   172.16.39.10
bbs IN A   172.16.39.11

Group and permissions: group named, no access for other users; the file stays owned by root, so named can read the zone but not modify it:
[root@centos7 ~]# chgrp named /var/named/bamaface.com.zone
[root@centos7 ~]# chmod o= /var/named/bamaface.com.zone
[root@centos7 ~]# ll /var/named/bama*
-rw-r-----. 1 root named 834 Jan 12 12:01 /var/named/bamaface.com.zone

Syntax check:
[root@centos7 ~]# named-checkconf                                              # configuration file
[root@centos7 ~]# named-checkzone bamaface.com /var/named/bamaface.com.zone    # zone name and zone file
zone bamaface.com/IN: loaded serial 2017011101
OK
(3) Have the server reload the configuration and zone data:
# rndc reload
or
# systemctl reload named.service

Demo:
[root@centos7 ~]# rndc status
number of zones: 101
Reload the configuration and zone data:
[root@centos7 ~]# rndc reload
server reload successful
[root@centos7 ~]# rndc status
number of zones: 102

Test the forward zone:
[root@centos7 ~]# dig -t A web.bamaface.com @172.16.249.254

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A web.bamaface.com @172.16.249.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39891
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;web.bamaface.com.      IN  A
;; ANSWER SECTION:
web.bamaface.com.  3600  IN  CNAME  www.bamaface.com.
www.bamaface.com.  3600  IN  A      172.16.39.1
;; AUTHORITY SECTION:
bamaface.com.      3600  IN  NS     ns1.bamaface.com.
;; ADDITIONAL SECTION:
ns1.bamaface.com.  3600  IN  A      172.16.249.254
;; Query time: 0 msec
;; SERVER: 172.16.249.254#53(172.16.249.254)
;; WHEN: Tue Jan 12 12:18:59 CST 2016
;; MSG SIZE  rcvd: 113
Note the aa flag in the header this time: this server is authoritative for the zone, unlike the cached answer obtained earlier from 172.16.0.1.

[root@centos7 ~]# dig -t A bbs.bamaface.com @172.16.249.254

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t A bbs.bamaface.com @172.16.249.254
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12491
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.bamaface.com.      IN  A
;; ANSWER SECTION:
bbs.bamaface.com.  3600  IN  A  172.16.39.11
bbs.bamaface.com.  3600  IN  A  172.16.39.10
;; AUTHORITY SECTION:
bamaface.com.      3600  IN  NS ns1.bamaface.com.
;; ADDITIONAL SECTION:
ns1.bamaface.com.  3600  IN  A  172.16.249.254
;; Query time: 0 msec
;; SERVER: 172.16.249.254#53(172.16.249.254)
;; WHEN: Tue Jan 12 12:19:17 CST 2016
;; MSG SIZE  rcvd: 111

[root@centos7 ~]# dig -t NS bamaface.com
... ...
[root@centos7 ~]# dig -t MX bamaface.com
... ...
[root@centos7 ~]# vim /etc/resolv.conf      # set nameserver to the local server so that host needs no server argument below
[root@centos7 ~]# host -t A web.bamaface.com
web.bamaface.com is an alias for www.bamaface.com.
www.bamaface.com has address 172.16.39.1
[root@centos7 ~]# host -t A bbs.bamaface.com
bbs.bamaface.com has address 172.16.39.11
bbs.bamaface.com has address 172.16.39.10
[root@centos7 ~]# host -t NS bamaface.com
bamaface.com name server ns1.bamaface.com.
[root@centos7 ~]# host -t MX bamaface.com
bamaface.com mail is handled by 20 mx2.bamaface.com.
bamaface.com mail is handled by 10 mx1.bamaface.com.
Configuring a reverse zone
Three steps: (1) define the zone; (2) create the zone data file (mostly PTR records); (3) have the server reload its configuration and zone data.
(1) Define the zone, in the main configuration file or in one of the files it includes:
zone "ZONE_NAME" IN {
    type {master|slave|hint|forward};
    file "ZONE_NAME.zone";
};
The name of a reverse zone is the network part of the address written in reverse, followed by .in-addr.arpa, e.g. 100.16.172.in-addr.arpa for 172.16.100.0/24.
(2) Create the zone data file (mostly PTR records). Example for the zone 100.16.172.in-addr.arpa:
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@   IN SOA ns1.bamaface.com. nsadmin.bamaface.com. (
        2017010801
        1H
        10M
        3D
        12H )
    IN NS  ns1.bamaface.com.
67  IN PTR ns1.bamaface.com.
68  IN PTR mx1.bamaface.com.
69  IN PTR mx2.bamaface.com.
70  IN PTR bbs.bamaface.com.
71  IN PTR bbs.bamaface.com.
67  IN PTR www.bamaface.com.
In a reverse zone the owner is just the host part of the address (the reversed network part comes from $ORIGIN), and every value must be written in full with a trailing dot: a value without the dot gets 100.16.172.in-addr.arpa. appended to it.
Fix the group and permissions:
# chgrp named /var/named/172.16.100.zone
# chmod o= /var/named/172.16.100.zone
Check for syntax errors:
# named-checkzone ZONE_NAME ZONE_FILE
# named-checkconf
(3) Have the server reload the configuration and zone data:
# rndc reload
or
# systemctl reload named.service
Demo: configuring reverse resolution

(1) Define the zone
[root@centos7 ~]# tail -5 /etc/named.rfc1912.zones
zone "39.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.39.zone";
};

(2) Create the zone data file (PTR records)
[root@centos7 ~]# cat /var/named/172.16.39.zone
$TTL 3600
$ORIGIN 39.16.172.in-addr.arpa.
@   IN SOA ns1.bamaface.com. nsadmin.magedu.com. (
        2017011101
        1H
        10M
        3D
        12H )
    IN NS  ns1.bamaface.com.          ; in a reverse zone the value cannot be abbreviated
; no MX records here: MX marks mail exchangers; each address only needs its PTR record
254.249.16.172.in-addr.arpa. IN NS ns1.bamaface.com.
1   IN PTR www.bamaface.com.
1   IN PTR web.bamaface.com.
2   IN PTR mx1.bamaface.com.
3   IN PTR mx2.bamaface.com.
10  IN PTR bbs.bamaface.com.
11  IN PTR bbs.bamaface.com.
The line for 254.249.16.172.in-addr.arpa. lies outside this zone (172.16.249.254 is not in 172.16.39.0/24); named-checkzone warns about it below and named ignores it, so it should simply be removed.

Fix the group and permissions
[root@centos7 ~]# chgrp named /var/named/172.16.39.zone
[root@centos7 ~]# chmod o= /var/named/172.16.39.zone
[root@centos7 ~]# ll /var/named/172.16.39.zone
-rw-r-----. 1 root named 576 Jan 12 13:10 /var/named/172.16.39.zone

Check for syntax errors
[root@centos7 ~]# named-checkconf
[root@centos7 ~]# named-checkzone 39.16.172.in-addr.arpa /var/named/172.16.39.zone
/var/named/172.16.39.zone:12: ignoring out-of-zone data (254.249.16.172.in-addr.arpa)
zone 39.16.172.in-addr.arpa/IN: loaded serial 2017011101
OK

(3) Reload the configuration and zone data
[root@centos7 ~]# rndc reload
server reload successful
[root@centos7 ~]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

(4) Test: reverse lookup with dig -x
[root@centos7 ~]# dig -x 172.16.39.1

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -x 172.16.39.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44555
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.39.16.172.in-addr.arpa.      IN  PTR
;; ANSWER SECTION:
1.39.16.172.in-addr.arpa.  3600  IN  PTR  web.bamaface.com.39.16.172.in-addr.arpa.
1.39.16.172.in-addr.arpa.  3600  IN  PTR  www.bamaface.com.
;; AUTHORITY SECTION:
39.16.172.in-addr.arpa.    3600  IN  NS   ns1.bamaface.com.
;; ADDITIONAL SECTION:
ns1.bamaface.com.          3600  IN  A    172.16.249.254
;; Query time: 0 msec
;; SERVER: 172.16.249.254#53(172.16.249.254)
;; WHEN: Tue Jan 12 13:22:18 CST 2016
;; MSG SIZE  rcvd: 148
Look at the first answer, web.bamaface.com.39.16.172.in-addr.arpa.: this is what named produces when a PTR value is loaded without its trailing dot, so the zone actually loaded evidently lacked the dot on that line and the reverse zone's $ORIGIN was appended. Beyond the missing dot, a PTR should name the canonical host, not a CNAME alias; drop the web entry and keep only www for 172.16.39.1. Repeating the query returns the two PTR records in rotated order, which is BIND's default round-robin behaviour for a multi-record answer.
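The rules this page states in prose (NS and MX targets inside the zone need an A record, a PTR value without a trailing dot gets the reverse zone's $ORIGIN appended, the serial must be higher before a slave transfers) can be checked mechanically before a reload. The following Python script is an added example written for this page, not code from the article or from BIND: it implements a minimal parser for the master-file syntax used here (only the record types that appear on this page; no $INCLUDE or $GENERATE), the glue check, RFC 1982 serial comparison, and a PTR generator that derives the reverse zone from the forward zone so the two cannot drift apart. The embedded zone is a constructed copy of the page's bamaface.com zone including the ops delegation.

```python
import ipaddress

RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "PTR"}   # the types used on this page


def fqdn(name, origin):
    """Qualify a name the way named does: '@' is the origin, and a name without a
    trailing dot gets the current $ORIGIN appended (the cause of the
    'web.bamaface.com.39.16.172.in-addr.arpa.' answer seen in dig -x above)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Drop ';' comments and fold a '( ... )' continuation (the SOA) into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata) tuples with every name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], None
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # a line starting with whitespace has no owner field and inherits the previous owner
        owner = last_owner if line[0].isspace() else fqdn(tokens.pop(0), origin)
        last_owner = owner
        while tokens and tokens[0] not in RR_TYPES:   # skip an optional TTL and/or class
            tokens.pop(0)
        if not tokens:
            raise ValueError(f"no recognised RR type in line: {line!r}")
        rtype = tokens.pop(0)
        if rtype in {"NS", "CNAME", "PTR"}:
            rdata = [fqdn(tokens[0], origin)]
        elif rtype == "MX":
            rdata = [tokens[0], fqdn(tokens[1], origin)]
        elif rtype == "SOA":
            rdata = [fqdn(tokens[0], origin), fqdn(tokens[1], origin)] + tokens[2:]
        else:
            rdata = tokens
        records.append((owner, rtype, rdata))
    return records


def soa_serial(records):
    return int(next(r for r in records if r[1] == "SOA")[2][2])


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic: a slave transfers only when the master's serial is newer."""
    diff = (new - old) % 2**32
    return 0 < diff < 2**31


def check_glue(records):
    """NS and MX targets that live inside the zone need an A/AAAA record (glue) and
    must not be CNAMEs (RFC 2181 section 10.3)."""
    apex = next(r for r in records if r[1] == "SOA")[0]
    addresses = {o for o, t, _ in records if t in {"A", "AAAA"}}
    cnames = {o for o, t, _ in records if t == "CNAME"}
    problems = []
    for owner, rtype, rdata in records:
        if rtype not in {"NS", "MX"}:
            continue
        target = rdata[-1]
        if target in cnames:
            problems.append(f"{rtype} at {owner} points to CNAME {target}")
        elif (target == apex or target.endswith("." + apex)) and target not in addresses:
            problems.append(f"{rtype} at {owner} points to {target}, which has no A/AAAA record")
    return problems


def reverse_records(records, network):
    """Derive the PTR records of the in-addr.arpa zone for `network` (octet-aligned
    prefix) from the A records; every PTR target keeps its trailing dot."""
    net = ipaddress.ip_network(network)
    octets = net.prefixlen // 8
    rev_origin = ".".join(reversed(str(net.network_address).split(".")[:octets])) + ".in-addr.arpa."
    ptrs = [(".".join(reversed(rdata[0].split(".")[octets:])), "PTR", owner)
            for owner, rtype, rdata in records
            if rtype == "A" and ipaddress.ip_address(rdata[0]) in net]
    return rev_origin, ptrs


# Constructed sample: the forward zone from this page, including the ops delegation.
FORWARD_ZONE = """\
$TTL 3600
$ORIGIN bamaface.com.
@ IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (
        2017011103 ; serial
        1H 10M 1W 1D )
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 172.16.249.254
ns2 IN A 172.16.39.100
mx1 IN A 172.16.39.2
mx2 IN A 172.16.39.3
www IN A 172.16.39.1
web IN CNAME www
bbs IN A 172.16.39.10
bbs IN A 172.16.39.11
ops IN NS ns1.ops
ns1.ops IN A 172.16.39.101
"""

if __name__ == "__main__":
    recs = parse_zone(FORWARD_ZONE, "bamaface.com")
    print("serial", soa_serial(recs), "glue problems:", check_glue(recs) or "none")
    origin, ptrs = reverse_records(recs, "172.16.39.0/24")
    print(f"$ORIGIN {origin}")
    for host, rtype, target in ptrs:
        print(f"{host:<4} IN {rtype} {target}")
```

Running it prints the generated 39.16.172.in-addr.arpa records. Note that the CNAME web gets no PTR, and ns1 (172.16.249.254) is left out because it lies outside the /24, which is exactly the out-of-zone record named-checkzone complained about above.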
BIND9 master/slave synchronisation
Note: "slave" is a per-zone property; a server can be master for one zone and slave for another.
Configuring a slave zone (relatively simple):
On the slave
(1) Define a slave zone:
zone "ZONE_NAME" IN {
    type slave;
    file "slaves/ZONE_NAME.zone";    // named must be able to write here; /var/named/slaves is owned by named for this purpose
    masters { MASTER_IP; };
};
Check the configuration syntax: named-checkconf
(2) Reload the configuration:
rndc reload
or systemctl reload named.service
On the master
(1) Make sure the zone data file carries an NS record for every slave, and that the forward zone has an A record for each of those NS host names pointing at the real IP address of the slave; the master sends NOTIFY to the servers listed in NS records, and (with the default allow-transfer) lets them transfer the zone.
Note: keep the clocks synchronised (ntpdate).
Demo:

Slave: configure a yum repository and install bind
[root@localhost yum.repos.d]# yum list all bind*

Slave: edit /etc/named.conf so that named listens on the external address; at this point the server is just a caching name server
[root@localhost yum.repos.d]# sed -n '11,18p; 31,33p' /etc/named.conf
    listen-on port 53 { 127.0.0.1;172.16.39.100; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query { localhost; };
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside no;

Slave: check the syntax and start named
[root@localhost ~]# named-checkconf
[root@localhost ~]# systemctl start named.service
[root@localhost ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
   Active: active (running) since Wed 2016-01-13 00:50:01 CST; 6s ago

Slave: define the slave copy of the forward zone
[root@localhost ~]# tail -5 /etc/named.rfc1912.zones
zone "bamaface.com" IN {
    type slave;
    file "slaves/bamaface.com.zone";
    masters { 172.16.249.254; };
};

Master: add an NS record for the slave to the forward zone file, together with its A record
[root@centos7 yum.repos.d]# cat /var/named/bamaface.com.zone
$TTL 3600                       ; default TTL, inherited below
$ORIGIN bamaface.com.           ; appended to every unqualified name
@   IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (
        2017011102              ; serial: must be increased on every change, otherwise slaves see nothing new
        1H                      ; refresh
        10M                     ; retry
        1W                      ; expire
        1D                      ; negative-answer TTL
        )
    IN NS  ns1
    IN NS  ns2                  ; an empty owner inherits the previous one; a fully qualified value must end with a dot
    IN MX  10 mx1
    IN MX  20 mx2               ; NS and MX targets in the forward zone need an A record
ns1 IN A   172.16.249.254
ns2 IN A   172.16.39.100
mx1 IN A   172.16.39.2
mx2 IN A   172.16.39.3
                                ; services commonly reached from the Internet
www IN A   172.16.39.1
web IN CNAME www
bbs IN A   172.16.39.10
bbs IN A   172.16.39.11
[root@centos7 yum.repos.d]# named-checkzone bamaface.com /var/named/bamaface.com.zone
zone bamaface.com/IN: loaded serial 2017011101
OK

Master: reload
[root@centos7 yum.repos.d]# rndc reload
server reload successful
[root@centos7 yum.repos.d]# rndc status
version: 9.9.4-RedHat-9.9.4-18.el7 <id:8f9657aa>
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 103
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Slave: reload and check that the zone arrived
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# systemctl status named.service
[root@localhost ~]# ls /var/named/slaves/ -l
total 4
-rw-r--r--. 1 named named 601 Jan 13 01:11 bamaface.com.zone
On CentOS 7 the transferred zone is stored in BIND's binary "raw" format, so cat shows garbage; to inspect it, convert it to text:
named-compilezone -f raw -F text -o - bamaface.com /var/named/slaves/bamaface.com.zone

Check
[root@localhost ~]# host -t A www.bamaface.com 172.16.39.100
Using domain server:
Name: 172.16.39.100
Address: 172.16.39.100#53
Aliases:
www.bamaface.com has address 172.16.39.1

Test 1: add a record on the master and verify that the slave picks it up
Master: add the record
[root@centos7 yum.repos.d]# sed -n '4p;25p' /var/named/bamaface.com.zone
        2017011103              ; serial, increased again
pop3 IN A 172.16.39.12
Master: reload and watch the transfer
[root@centos7 yum.repos.d]# rndc reload
server reload successful
[root@centos7 yum.repos.d]# systemctl status named.service
   Active: active (running) since Tue 2016-01-12 10:08:33 CST; 7h ago
Jan 12 17:17:01 centos7 named[2633]: all zones loaded
Jan 12 17:17:01 centos7 named[2633]: running
Jan 12 17:17:01 centos7 named[2633]: zone bamaface.com/IN: loaded serial 2017011103
Jan 12 17:17:01 centos7 named[2633]: zone bamaface.com/IN: sending notifies (serial 2017011103)    # after loading, the master notifies the slaves
Jan 12 17:17:01 centos7 named[2633]: client 172.16.39.100#33386 (bamaface.com): transfer of 'bama...rted
Jan 12 17:17:01 centos7 named[2633]: client 172.16.39.100#33386 (bamaface.com): transfer of 'bama...nded
Slave: check the status
[root@localhost ~]# systemctl status named.service
Jan 13 01:16:47 localhost.localdomain named[3349]: zone bamaface.com/IN: Transfer started.
Jan 13 01:16:47 localhost.localdomain named[3349]: transfer of 'bamaface.com/IN' from 172.16.249.2...386
Jan 13 01:16:47 localhost.localdomain named[3349]: zone bamaface.com/IN: transferred serial 2017011103    # the serial changed, the zone was synchronised
Jan 13 01:16:47 localhost.localdomain named[3349]: transfer of 'bamaface.com/IN' from 172.16.249.2...ec)
Jan 13 01:16:47 localhost.localdomain named[3349]: zone bamaface.com/IN: sending notifies (serial ...03)
Hint: Some lines were ellipsized, use -l to show in full.
The master logs this transfer at 17:17 on Jan 12 and the slave at 01:16 on Jan 13: the two clocks are about eight hours apart, which is the kind of drift the ntpdate note above is meant to prevent.
[root@localhost ~]# dig -t A pop3.bamaface.com @172.16.39.100

Test 2: reverse zone, abbreviated
Slave: add the slave reverse zone pointing at the master, then reload
[root@localhost ~]# tail -5 /etc/named.rfc1912.zones
zone "39.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.16.39.zone";
    masters { 172.16.249.254; };
};
[root@localhost ~]# rndc reload
[root@localhost ~]# dig -x 172.16.39.1 @172.16.39.100
Master: add an NS record for the slave to the reverse zone, then reload
[root@centos7 yum.repos.d]# cat /var/named/172.16.39.zone
$TTL 3600
$ORIGIN 39.16.172.in-addr.arpa.
@   IN SOA ns1.bamaface.com. nsadmin.magedu.com. (
        2017011102
        1H
        10M
        3D
        12H )
    IN NS  ns1.bamaface.com.          ; in a reverse zone the value cannot be abbreviated
    IN NS  ns2.bamaface.com.
; no MX records here: each address only needs its PTR record
254.249.16.172.in-addr.arpa. IN NS ns1.bamaface.com.
100 IN PTR ns2.bamaface.com.
1   IN PTR www.bamaface.com.
[root@centos7 ~]# named-checkzone 39.16.172.in-addr.arpa /var/named/172.16.39.zone
[root@centos7 yum.repos.d]# rndc reload
Advanced BIND applications

Subdomain delegation:
Delegating a subdomain from the parent's forward zone:
ops.bamaface.com.      IN NS ns1.ops.bamaface.com.
ops.bamaface.com.      IN NS ns2.ops.bamaface.com.
ns1.ops.bamaface.com.  IN A  IP.AD.DR.ESS     # glue: the address of the subdomain's name server
ns2.ops.bamaface.com.  IN A  IP.AD.DR.ESS
The glue A records are required because the server names live inside the zone being delegated; without them the parent cannot tell resolvers where to find the child's servers.

Demo (abbreviated):
Parent DNS: add the delegation
[root@centos7 ~]# cat /var/named/bamaface.com.zone
$TTL 3600                       ; default TTL, inherited below
$ORIGIN bamaface.com.           ; appended to every unqualified name
@   IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (
        2017011104              ; serial: increased on every change
        1H                      ; refresh
        10M                     ; retry
        1W                      ; expire
        1D                      ; negative-answer TTL
        )
    IN NS  ns1
    IN NS  ns2                  ; an empty owner inherits the previous one; a fully qualified value must end with a dot
    IN MX  10 mx1
    IN MX  20 mx2               ; NS and MX targets in the forward zone need an A record
ns1 IN A   172.16.249.254
ns2 IN A   172.16.39.100
mx1 IN A   172.16.39.2
mx2 IN A   172.16.39.3
                                ; services commonly reached from the Internet
www IN A   172.16.39.1
web IN CNAME www
bbs IN A   172.16.39.10
bbs IN A   172.16.39.11
pop3    IN A  172.16.39.12
ops     IN NS ns1.ops
ns1.ops IN A  172.16.39.101
Child DNS server: define the zone, fix the file permissions, restart the service
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "ops.bamaface.com" IN {
    type master;
    file "ops.bamaface.com.zone";
};
[root@localhost ~]# vim /var/named/ops.bamaface.com.zone
$TTL 3600
$ORIGIN ops.bamaface.com.
@   IN SOA ns1.bamaface.com. dnsadmin.bamaface.com. (
        2017011101              ; serial: increased on every change
        1H                      ; refresh
        10M                     ; retry
        1W                      ; expire
        1D                      ; negative-answer TTL
        )
    IN NS ns1
ns1 IN A  172.16.100.69
www IN A  172.16.100.69
Two things to watch here. The original file had "#ORIGIN ops.bamaface.com."; # is not a comment character in a zone file and the line is not a directive, so named-checkzone rejects it; it must read $ORIGIN. And the child's ns1 address (172.16.100.69) does not match the glue the parent publishes (172.16.39.101): the two must agree, and the SOA MNAME of the child zone should name the child's own primary server (ns1.ops.bamaface.com.) rather than the parent's.
Defining forwarders:
Note: the server you forward to must allow recursion for this server (allow-recursion), otherwise it refuses to look names up on your behalf.
(1) Zone forwarding: forward only the queries for one specific zone:
zone "ZONE_NAME" IN {
    type forward;
    forward {first|only};
    forwarders { SERVER_IP; };
};
first: ask the forwarders first; if they do not respond, resolve iteratively by itself;
only: forward only; if the forwarders fail, the query fails.

Demo:
[root@localhost ~]# tail -5 /etc/named.rfc1912.zones
zone "bamaface.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.249.254; };
};
[root@localhost ~]# rndc reload
server reload successful
[root@localhost ~]# dig -t A www.bamaface.com @172.16.39.101
Here the child server (172.16.39.101) forwards queries for the parent zone to the parent's server; since 172.16.249.254 is authoritative for bamaface.com, it answers these without having to recurse.

(2) Global forwarding: every query for a name not covered by a locally defined zone is handed to the forwarder:
options {
    ... ...
    forward {only|first};
    forwarders { SERVER_IP; };
    ... ...
};
Basic security controls in BIND

acl: access control list; groups one or more addresses under a name so that the whole set can later be referenced by that name.
Note: an acl must be defined before the statement that uses it, so put it above options.
acl acl_name { ip; net/prefixlen; };
Example:
acl mynet { 172.16.0.0/16; 127.0.0.0/8; };
BIND has four built-in acls:
none: no host;
any: any host;
localhost: the server's own addresses;
localnets: the networks the server's own addresses belong to;
Access control directives, usable globally (in options) or inside a zone, with the zone setting taking precedence:
allow-query {};      hosts allowed to query; a whitelist;
allow-transfer {};   hosts allowed to request a zone transfer; the default in this BIND version is any host, which lets anyone enumerate the zone, so list only the slaves;
allow-recursion {};  hosts allowed to send recursive queries; the stock CentOS configuration leaves recursion on, so restrict it to your own networks rather than running an open resolver;
allow-update {};     hosts allowed to send dynamic updates (DDNS) for the zone; leave it at none unless DDNS is in use.
Address match lists are evaluated in order and the first matching element decides; a leading ! negates an element, and a client that matches nothing is denied.

Demo: access control list
Edit the zone (or the global options); here the zone definition in /etc/named.rfc1912.zones:
zone "bamaface.com" IN {
    type master;
    file "bamaface.com.zone";
    allow-transfer { slaves; };
};
Add the acl to the main configuration file, above options:
[root@centos7 ~]# sed -n '9,15p' /etc/named.conf
acl slaves {
    172.16.39.100;
    127.0.0.1;
};
options {
    listen-on port 53 { 172.16.249.254; };
Reload the service and test:
[root@centos7 ~]# dig -t axfr bamaface.com @172.16.249.254

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr bamaface.com @172.16.249.254
;; global options: +cmd
; Transfer failed.
The transfer is refused because the query left from 172.16.249.254, which is not in the slaves acl.
[root@centos7 ~]# dig -t axfr bamaface.com @127.0.0.1

; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7 <<>> -t axfr bamaface.com @127.0.0.1
The transcript ends here. 127.0.0.1 is in the acl, but with listen-on restricted to 172.16.249.254 as shown above named is not listening on 127.0.0.1 at all, so for this second test to reach the server, 127.0.0.1 has to be added to listen-on. The real check is the same query from the slave (172.16.39.100), which must succeed, and from any other host, which must fail.
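To see how named decides whether a given client may transfer a zone or recurse, the following Python script is an added example for this page, not BIND's code or the article's. It pulls the acl statements and the allow-* directives out of a named.conf fragment, resolves the zone-level setting over the options-level one (falling back to BIND 9.9's default of any for allow-transfer), and evaluates the address match list with BIND's rules: first match wins, ! negates, a nested acl counts only on a positive match, and no match means deny. The configuration is a constructed copy of this page's setup. Assumptions: localhost is approximated as 127.0.0.1/::1 and localnets as a list you pass in (named derives both from its interfaces), TSIG key elements and nested brace lists inside a directive are not modelled, and the probe address 198.51.100.1 is a documentation (TEST-NET-2) address standing in for "somewhere on the Internet".

```python
import ipaddress
import re

LOCAL_ADDRS = {"127.0.0.1", "::1"}   # stand-in for the built-in 'localhost' acl (assumption)


def strip_comments(conf):
    """Remove /* */, // and # comments from a named.conf fragment."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def _elements(body):
    return [e.strip() for e in body.split(";") if e.strip()]


def parse_acls(conf):
    """acl NAME { ... }; statements -> {name: [elements]}."""
    return {m.group(1): _elements(m.group(2))
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', conf)}


def _block(conf, header):
    """Body of the first statement whose header matches, honouring nested braces."""
    m = re.search(header + r"[^{]*\{", conf)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def _directive(body, name):
    """Elements of e.g. allow-transfer { ... }; inside a block body, or None if absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", body or "")
    return _elements(m.group(1)) if m else None


def match(client, elements, acls, local_addrs=LOCAL_ADDRS, local_nets=()):
    """Evaluate an address match list the way named does: the first matching element
    decides. Returns +1 (match), -1 (negated match) or 0 (nothing matched)."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        item = elem.lstrip("!").strip().strip('"')
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item == "localhost":
            hit = str(ip) in local_addrs
        elif item == "localnets":
            hit = any(ip in ipaddress.ip_network(n, strict=False) for n in local_nets)
        elif item in acls:
            # a nested list counts for the outer element only on a positive match
            hit = match(client, acls[item], acls, local_addrs, local_nets) > 0
        elif item.startswith("key "):
            hit = False          # TSIG key elements need the request signature; not modelled
        else:
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return -1 if negate else 1
    return 0


def effective(conf, directive, zone=None, default=("any",)):
    """The zone-level setting wins over options; otherwise the built-in default."""
    conf = strip_comments(conf)
    bodies = []
    if zone is not None:
        bodies.append(_block(conf, r'\bzone\s+"' + re.escape(zone) + '"'))
    bodies.append(_block(conf, r"\boptions"))
    for body in bodies:
        elems = _directive(body, directive)
        if elems is not None:
            return elems
    return list(default)


def allowed(conf, directive, client, zone=None):
    """True if `client` passes the effective allow-* list for the zone (or globally)."""
    return match(client, effective(conf, directive, zone), parse_acls(strip_comments(conf))) > 0


def open_transfer_zones(conf, probe="198.51.100.1"):
    """Zones whose effective allow-transfer admits an arbitrary outside address."""
    zones = re.findall(r'\bzone\s+"([^"]+)"', strip_comments(conf))
    return sorted(z for z in zones if allowed(conf, "allow-transfer", probe, zone=z))


# Constructed sample mirroring this page: the acl and the forward zone are locked
# down, the reverse zone inherits the default and is therefore transferable by anyone.
SAMPLE_CONF = """\
acl slaves { 172.16.39.100; 127.0.0.1; };
options {
    listen-on port 53 { 172.16.249.254; };
    directory "/var/named";
    allow-query     { any; };
    allow-recursion { 172.16.0.0/16; localhost; };
    // allow-transfer is not set here, so BIND 9.9's default (any) applies to zones that do not override it
};
zone "bamaface.com" IN {
    type master;
    file "bamaface.com.zone";
    allow-transfer { slaves; };
};
zone "39.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.39.zone";
};
"""

if __name__ == "__main__":
    for client in ("172.16.39.100", "172.16.249.254", "198.51.100.1"):
        print(client, "may transfer bamaface.com:", allowed(SAMPLE_CONF, "allow-transfer", client, zone="bamaface.com"))
    print("zones transferable from the Internet:", open_transfer_zones(SAMPLE_CONF))
```

The run shows the same result as the dig -t axfr test above: the slave passes, the master's own address 172.16.249.254 is refused, and the audit flags the reverse zone, which the page's demo never protected. Putting allow-transfer { slaves; }; in options rather than in one zone closes that gap for every zone at once.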