Graduation project: setting up DNS:
[apps@dns_sever ~]$ sudo yum install -y bind
[apps@dns_sever ~]$ sudo vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; any;};
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; any;};
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note: two any entries were added in the file above (in listen-on and allow-query).
Set all dnssec-related options to no.
Domain Name System Security Extensions (DNSSEC) are a set of DNS security authentication mechanisms provided by the IETF.
DNSSEC is a security mechanism designed to counter DNS spoofing and cache poisoning.
Since this is an intranet DNS server used only for internal name resolution, it is not added here.
Edit the sub-configuration file:
[root@dnssever.quan.bbs ~]$vim /etc/named.rfc1912.zones
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
zone "quan.bbs" IN {
    type master;
    file "quan.bbs.zone";
    allow-update { none; };
};
Edit the detailed DNS zone file:
[root@dnssever.quan.bbs ~]$vim /var/named/quan.bbs.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@               NS      dns.quan.bbs.
dns             A       192.168.111.222
lvsA.load       A       192.168.111.131
lvsB.load       A       192.168.111.132
webone          A       192.168.111.141
webtwo          A       192.168.111.142
mysql           A       192.168.111.151
mysql.bkone     A       192.168.111.152
mysql.bktwo     A       192.168.111.153
ansz            A       192.168.111.111
jp              A       192.168.111.122
dnsserver       A       192.168.111.222
Explanation:
A zone usually contains the following kinds of records:
SOA: Start of Authority;
NS: name server; the data recorded after it is the DNS server;
A: address; the data recorded after it is the IP mapping (the most important).
Test:
[root@dnssever.quan.bbs ~]$yum install bind-utils
[root@dnssever.quan.bbs ~]$vim /etc/resolv.conf
; generated by /sbin/dhclient-script
search localdomain one.bbs
nameserver 192.168.111.222
nameserver 8.8.8.8
Check:
[root@dnssever.quan.bbs ~]$nslookup webone.quan.bbs
Server:         192.168.111.222
Address:        192.168.111.222#53

Name:   webone.quan.bbs
Address: 192.168.111.141
Another test tool is dig (also in the bind-utils package).
!!! It lets you specify which DNS server performs the resolution:
[root@dnssever.quan.bbs ~]$dig @8.8.8.8 webone.quan.bbs

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> @8.8.8.8 webone.quan.bbs
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 53714
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;webone.quan.bbs.               IN      A        #### no record

;; AUTHORITY SECTION:
.                       86396   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2020021600 1800 900 604800 86400

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 16 23:36:25 2020
;; MSG SIZE  rcvd: 108

[root@dnssever.quan.bbs ~]$dig @192.168.111.222 webone.quan.bbs

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> @192.168.111.222 webone.quan.bbs
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33348
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;webone.quan.bbs.               IN      A

;; ANSWER SECTION:
webone.quan.bbs.        86400   IN      A       192.168.111.141

;; AUTHORITY SECTION:
quan.bbs.               86400   IN      NS      dns.quan.bbs.

;; ADDITIONAL SECTION:
dns.quan.bbs.           86400   IN      A       192.168.111.222

;; Query time: 0 msec
;; SERVER: 192.168.111.222#53(192.168.111.222)
;; WHEN: Sun Feb 16 23:36:28 2020
;; MSG SIZE  rcvd: 83
Then just point the other servers at this DNS server.
Note: it is recommended to add the DNS server directly in the network interface configuration, ordered from the small-scope (internal) server to the large-scope (public) one.
DNS configuration files explained:
Main configuration file:
options {
    listen-on port 53 { 127.0.0.1; };      // listening: a specific IP listens on that address only, any listens on the whole network;
                                           // when the host has several NICs, any answers whichever IP the client connects to
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";           // DNS cache
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };            // who may query: any means everyone, or list specific IPs, each ending with a semicolon
    recursion yes;                         // whether to recurse
    dnssec-enable yes;                     // DNSSEC, the DNS security extension mechanism: signature-based authentication
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};
zone "." IN {                              // root domain servers
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
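As an added example (not part of the original post), a small POSIX shell audit of what the listen-on, allow-query and recursion options combine into: listen-on any plus allow-query any with recursion yes answers recursive lookups for anyone who can reach port 53, which is fine on the lab network but turns an Internet-facing host into an open resolver. The two named.conf fragments, the lab subnet 192.168.111.0/24 and the function names are constructed for this demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit the options block of a
# named.conf for the combination listen-on any + allow-query any + recursion yes.
# Exposed beyond the lab network that is an open resolver (cache poisoning and
# amplification risk); scoping allow-recursion keeps authoritative answers public.
# Both config files are constructed for this demo; only one-line options are parsed.
OPEN_CONF="$(mktemp)"; SCOPED_CONF="$(mktemp)"
cat > "$OPEN_CONF" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; any; };
    allow-query { localhost; any; };
    recursion yes;
};
EOF
cat > "$SCOPED_CONF" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; any; };
    allow-query { any; };
    // authoritative answers stay public; recursion only for the lab subnet
    allow-recursion { 127.0.0.1; 192.168.111.0/24; };
    recursion yes;
};
EOF

# Print the value of option $2 in file $1 (text between the name and the
# closing ';'), or nothing when the option is absent.
option_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\(.*\);[[:space:]]*$/\1/p" "$1" | head -n 1
}

# True when an address-match list such as "{ 127.0.0.1; any; }" contains "any".
has_any() {
    echo "$1" | tr '{};' '   ' | tr -s ' ' '\n' | grep -qx any
}

# True (exit 0) when the config would answer recursive queries from any source.
# With allow-recursion unset, BIND 9 falls back to allow-query-cache and then
# allow-query, so the check follows the same chain.
is_open_recursive() {
    [ "$(option_value "$1" recursion)" = "yes" ] || return 1
    has_any "$(option_value "$1" listen-on)" || return 1
    rec="$(option_value "$1" allow-recursion)"
    [ -n "$rec" ] || rec="$(option_value "$1" allow-query-cache)"
    [ -n "$rec" ] || rec="$(option_value "$1" allow-query)"
    has_any "$rec"
}

for f in "$OPEN_CONF" "$SCOPED_CONF"; do
    is_open_recursive "$f" && echo "$f: OPEN resolver, add allow-recursion" || echo "$f: recursion scoped"
done
```

The same check can be run against a real /etc/named.conf by passing its path to is_open_recursive; named-checkconf remains the authority for syntax.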
Sub-configuration file
/etc/named.rfc1912.zones
Template for a forward zone file:
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
Reverse zone:
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
cat /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial    * only meaningful with master/slave: bump the serial when updating
                                        1D      ; refresh   * update interval: how often the slave fetches the data
                                        1H      ; retry     * retry interval after a failure
                                        1W      ; expire    * expiry time of the zone file
                                        3H )    ; minimum   * minimum time to live for cached answers
        NS      @
        A       127.0.0.1
        AAAA    ::1
Symbols you need to know here:
$TTL    time to live of cached data
@       the current domain, as named in the sub-configuration file's zone statement
IN      Internet
SOA     Start of Authority
NS      DNS server (name server)
A       IPv4 address
AAAA    IPv6 address
CNAME   alias
MX      mail exchange record; the number (e.g. 5) is the priority, and a smaller number means a higher priority