DNS
https://blog.51cto.com/shiliguo/4870819
DNS:域名系统,应用层协议。域名和IP地址相互映射的分布式数据库,服务器端:53/udp,53/tcp
-----------------------------------------------------------------------------------------------------------------------------------------------------
DNS解析优先级: 本地hosts文件--dns,可以修改
centos系统: /etc/nsswitch.conf
根域----顶级域名---二级域名----三级域名
顶级域名:com,gov,org等 顶级域名存储的域名是二级域名
二级域名:goole.com,baidu.com等 二级域名存储的域名是三级域名
三级域名:www.baidu.com 本质是主机
----------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS查询类型:
递归查询:客户机和本地DNS服务器之间属于递归查询,客户机向DNS发出请求后,如果DNS服务器本身不能解析,则向另外的DNS服务器发出请求,得到最终的肯定或否定的结果转交给客户机。此查询的源和目标保持不变,为了查询结果只发起一次查询
迭代查询:本地DNS向其他DNS服务器的查询属于迭代查询,如果对方不能返回权威的结果,则向下一个DNS服务器再次发起查询,知道返回结果为止。此查询的源不变,但是查询的目标不断变化,为查询结果一般需要发起多次查询。
------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS服务器类型
主DNS服务器:管理和维护所负责的域名解析库的服务器
从DNS服务器:从主服务器或者从服务器复制解析库副本
缓存DNS服务器(转发器)
各种资源记录
记录类型:A,AAAA,PTR,SOA,NS,CNAME,MX
SOA:起始授权记录;一个区域解析库有且仅有一个SOA记录,必须位于解析库的第一条记录
A:正向解析
AAAA:ipv6正向解析
PTR:反向解析
NS:标明当前区域的DNS服务器
CNAME:别名记录
MX:邮件交换器
-------------------------------------------------------------------------------------------------------------------------------------------------------------
DNS服务器软件:bind,powerdns,dnsmasq,coredns
以下选择bind安装DNS服务
yum -y install bind bind-utils
主配置脚本:/etc/named.conf /etc/named.rfc1912.zones
正向解析库文件: /var/named/named.localhost
反向解析库文件: /var/named/named.loopback
根域名服務器配置: /var/named/named.ca
注意:
一台服务器可同时为多个域名提供解析 ,必须要有根域名文件
主配置文件 /etc/named.conf
全局配置: options{}
日志子系统配置:logging{}
区域定义:本地能够为那些zone进行解析,就要定义那些zone
注意:
任何服务程序如果希望能通过网络被其他主机访问,至少应该就监听在一个能与外部主机通信的IP地址上
缓存DNS服务器的配置:监听外部地址即可
dnssec:设为no
设置了114.114.114.114Dns,所以能够访问外网。将DNS设置为本地,依旧可以访问外网。这是因为dns服务器天生知道根服务器。
将其他服务器的DNS只向DNS服务器,依旧可以上网。需要修改DNS的named.conf
rndc reload 或者 systemctl restart named
------------------------------------------------------------------------------------------------------------------------------------------------
搭建DNS正向主服务器,实现web服务器基于FQDN的访问
主DNS服务器:192.168.89.140
web服务器:192.168.89.142
访问web的客户端:192.168.89.141
第一步:所有服務器关闭selinux,防火墙,开启时间同步
第二步:140节点进行操作
1安装bind ---------------yum -y install bind bind-utils
2 vim /etc/named.conf
3 vim /etc/named.rfc1912.zones
ty.org 域 IN可写可不写 ty.org.zone可以随意命名(a.txt都行)
4 DNS区域数据库文件 cp -p /var/named/named.localhost /var/named/ty.org.zone(a.txt)
vim /var/named/ty.org.zone
master=master.ty.org. DNS服务器
www=www.ty.org. web服务器
5 .rndc reload
第三步:142节点配置httpd
1. yum install -y httpd && systemctl enable --now httpd
第四步: 141测试是否能够访问www.ty.org(这里是因为我将dns已经指向了192.168.89.140,httpd默认页面内容为ty)
如果用户访问输入有问题,比如输入wwwwwwwwww.ty.org,ty.org无法解析,域文件配置修改为
----------------------------------------------------------------------------------------------------------------------------
named配置检查
named-checkconf 检查named.conf
named-checkzone ty.org /var/named/ty.org.zone 检查域文件配置
--------------------------------------------------------------------------------------------------------------------------------
启用DNS客户端缓存加快访问速度
yum install -y nscd
systemctl enable --now nscd
-----------------------------------------------------------------------------------------------------------------------------------
增加从DNS服务器143节点
1.yum install -y bind
2.vim /etc/named.conf
3.vim /etc/named.rfc1912.zones
4 .systemctl enable --now named
5.140主DNS节点关闭dns服务 rndc stop,客户端141节点访问web测试
但是此时无法主从同步,修改140节点配置形成主从不同 vim /var/named/ty.org.zone
高危:DNS默认允许从任何节点抓取数据库==================141为例抓取
预防操作:主节点允许从节点抓取,从节点禁止任何节点抓取
141抓取尝试
==========================================-=============================
子域添加,144作为子域节点。多用于异地DNS管理。
DNS父域 ,DNS主节点: 140节点
DNS子域:144节点
父域,子域的web服务器:142节点
DNS从节点:143节点
访问web客户端:141节点
配置修改如下-------------------------------
1.140节点添加子域 vim /var/named/ty.org.zone 然后重启rndc
2.144节点安装bind
3.144节点配置 vim /etc/named.conf
4 vim /etc/named.rfc1912.zones,,-----------这里的son必须和父域的数据库文件的一致
5.vim /var/named/son.zone,--------------------重启服务rndc
6 141节点测试子域
实现缓存DNS服务器==============================添加146节点
1.146节点安装bind
2.vim /etc/named.conf
3.重启服务
1.1 搭建DNS实现Internet DNS架构 1.2 环境要求(使用centos7) 需要8台主机 DNS客户端:10.0.0.6/24 本地DNS服务器(只缓存):10.0.0.8/24 转发目标DNS服务器:10.0.0.18/24 根DNS服务器:10.0.0.28/24 org域DNS服务器:10.0.0.38/24 mageedu.org域主DNS服务器:10.0.0.48/24 mageedu.org域从DNS服务器:10.0.0.58/24 www.mageedu.org的web服务器:10.0.0.68/24 1.3 前提准备 关闭selinux 关闭防火墙 时间同步 1.4 实现步骤 1.4.1 各主机的网络配置(看图要求) #在客户端配置DNS服务器地址 [15:23:40 root@centos7 ~]#vim /etc/sysconfig/network-scripts/ifcfg-ens33 ME=eth0 DEVICE=eth0 BOOTPROTO=static IPADDR=10.0.0.6 NETMASK=255.255.255.0 DNS1=10.0.0.8 ONBOOT=yes #重启网卡 [15:37:22 root@centos7 ~]#systemctl restart network 1.4.2 实现web服务 #在web服务器10.0.0.68/24上实现 [15:02:45 root@centos7 ~]#yum install -y httpd [15:02:45 root@centos7 ~]#echo www.mageedu.org > /var/www/html/index.html [15:02:45 root@centos7 ~]#systemctl restart httpd.service 1.4.3 实现mageedu.org域的主DNS服务器 #在mageedu.org域主DNS服务器10.0.0.48/24上实现 [15:44:51 root@centos7 ~]#yum install bind -y [15:45:13 root@centos7 ~]#vim /etc/named.conf #注释掉下面两行 // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; #只允许从服务器进行区域传输,从服务器地址是10.0.0.58 allow-transfer {10.0.0.58;}; [15:50:07 root@centos7 ~]#vim /etc/named.rfc1912.zones #添加这段 zone "mageedu.org" { type master; file "mageedu.org.zone"; }; [15:52:40 root@centos7 ~]#cd /var/named/ [15:53:38 root@centos7 named]#cp -a named.localhost mageedu.org.zone [15:51:15 root@centos7 ~]#vim mageedu.org.zone 1 $TTL 1D 2 @ IN SOA master admin.mageedu.org. ( 3 1 ; serial 4 1D ; refresh 5 1H ; retry 6 1W ; expire 7 3H ) ; minimum 8 NS master 9 NS slave 10 master A 10.0.0.48 11 slave A 10.0.0.58 12 www A 10.0.0.68 #重启named服务 [15:54:07 root@centos7 named]#systemctl restart named 1.4.4 实现megeedu.org域的从DNS服务器配置 #在megeedu.org域从DNS服务器10.0.0.58/24上实现 [15:56:31 root@centos7 ~]#yum install bind -y [15:56:48 root@centos7 ~]#vim /etc/named.conf #注释掉这两行 // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; #不允许其他主机进行区域传输 allow-transfer { none;}; [15:58:34 root@centos7 ~]#vim /etc/named.rfc1912.zones #添加这段 zone "mageedu.org" { type slave; masters {10.0.0.48;}; #主服务器IP file "slaves/mageedu.org.slave"; }; #重启named服务 [15:59:46 root@centos7 ~]#systemctl restart named [16:00:16 root@centos7 ~]#ls /var/named/slaves/mageedu.org.slave #查看区域数据库文件是否生成 /var/named/slaves/mageedu.org.slave 1.4.5 实现org域的主DNS服务器 #在org域的主DNS服务器10.0.0.38/24上实现 [16:02:12 root@centos7 named]#yum install -y bind [16:02:39 root@centos7 named]#vim /etc/named.conf #注释掉这两行 // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; [16:03:26 root@centos7 named]#vim /etc/named.rfc1912.zones #添加这段 zone "org" { type master; file "org.zone"; }; [16:04:20 root@centos7 ~]#cd /var/named/ [16:04:32 root@centos7 named]#cp -a named.localhost org.zone 1 $TTL 1D 2 @ IN SOA master admin.mageedu.org. ( 3 1 ; serial 4 1D ; refresh 5 1H ; retry 6 1W ; expire 7 3H ) ; minimum 8 NS master 9 mageedu NS mageeduns1 10 mageedu NS mageeduns2 11 master A 10.0.0.38 12 mageeduns1 A 10.0.0.48 13 mageeduns2 A 10.0.0.58 #重启named服务 [16:05:48 root@centos7 named]#systemctl restart named 1.4.6 实现根域的主DNS服务器 #在根域的主DNS服务器10.0.0.28/24上实现 [16:07:35 root@centos7 ~]#yum install bind -y [16:08:07 root@centos7 ~]#vim /etc/named.conf #注释掉这两行 // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; #来到文件最后面,本来是这样的 zone "." IN { type hint; file "named.ca"; }; #改为 zone "." IN { type master; file "root.zone"; }; [16:10:03 root@centos7 ~]#cd /var/named/ [16:12:21 root@centos7 named]#cp -a named.localhost root.zone [16:12:41 root@centos7 named]#vim root.zone 1 $TTL 1D 2 @ IN SOA master admin.mageedu.org. ( 3 1 ; serial 4 1D ; refresh 5 1H ; retry 6 1W ; expire 7 3H ) ; minimum 8 NS master 9 org NS orgns 10 master A 10.0.0.28 11 orgns A 10.0.0.38 #安全加固 [16:13:17 root@centos7 named]#chmod 640 root.zone #重启named服务 [16:14:02 root@centos7 named]#systemctl restart named 1.4.7 实现转发目标的DNS服务器 #在转发目标的DNS服务器10.0.0.18/24上实现 [16:16:39 root@centos7 ~]#yum install bind -y #注释掉这两行 [16:17:42 root@centos7 ~]#vim /etc/named.conf // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; #修改这两行33行和34行,yes改为no 33 dnssec-enable no; 34 dnssec-validation no; [16:20:57 root@centos7 ~]#cd /var/named/ [16:21:14 root@centos7 named]#vim named.ca #添加这行 a.root-servers.net. 3600000 IN A 10.0.0.28 #重启named服务 [16:22:36 root@centos7 named]#systemctl restart named 1.4.8 实现本地只缓存DNS服务器 #在转发目标的DNS服务器10.0.0.8/24上实现 [15:19:52 root@centos7 ~]#yum install -y bind [16:25:25 root@centos7 ~]#vim /etc/named.conf #注释掉这两行 // listen-on port 53 { 127.0.0.1; }; // allow-query { localhost; }; #添加这两行 forward only; forwarders {10.0.0.18;}; #修改这两行33行和34行,yes改为no 33 dnssec-enable no; 34 dnssec-validation no; #重启named服务 [16:26:46 root@centos7 ~]#systemctl restart named 1.4.9 客户端测试 [16:17:26 root@centos7 ~]#cat /etc/resolv.conf # Generated by NetworkManager search cxz.cn nameserver 10.0.0.8 #安装测试软件 [16:28:36 root@centos7 ~]#yum install bind-utils.x86_64 [16:29:46 root@centos7 ~]#curl www.mageedu.org www.mageedu.org
=======================================子域
分类: LINUX
2015-08-03 19:01:26
问题:
假设在一个公司(域)内有两个部门(子域),这两个部门是可以独立出去的并且希望实现DNS的自我管理,那么就可以实行子域授权。子域授权就是在原有的域上再划分出一个小的区域并指定新DNS服务器。在这个小的区域中如果有客户端请求解析,则只要找新的子DNS服务器。这样的做的好处可以减轻主DNS的压力,也有利于管理
前提:任何的子域必须得到其父域的授权才可以授权;父域子域不一定在同一个网段,但是必须能相互通信;
过程:
1.在父域中定义子域的相关NS记录和A记录
1.1父域的正向区域数据文件:
[root@localhost named]# cat mageedu.com.zone
$TTL 600
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108
1H
5M
2D
6H )
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 192.168.85.128
ns2 IN A 192.168.85.133
mail IN A 192.168.85.129
www IN A 192.168.85.133
pop IN A 192.168.85.130
ftp IN CNAME www
lw IN A 192.168.85.134
a1 IN NS ns1.a1
ns1.a1 IN A 192.168.85.136
b2 IN NS ns1.b2
ns1.b2 IN A 192.168.85.140
#上面四行定义了两个子域a1.mageedu.com和b2.mageedu.com
1.2 重新加载named服务
[root@localhost named]# service named reload
Reloading named: [ OK ]
1.3 查看日志是否发送了更新
[root@localhost named]# tail /var/log/messages
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR started
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR ended
Aug 3 01:51:29 localhost named[2482]: received SIGHUP signal to reload zones
Aug 3 01:51:29 localhost named[2482]: loading configuration from '/etc/named.conf'
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv4 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv6 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: sizing zone task pool based on 5 zones
Aug 3 01:51:29 localhost named[2482]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 3 01:51:29 localhost named[2482]: reloading configuration succeeded
Aug 3 01:51:29 localhost named[2482]: reloading zones succeeded
1.4 在从服务器133上查看是否更新(如果没有更新确保防火墙,SElinux等关闭了或者重新加载服务)
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
a1 NS ns1.a1
$ORIGIN a1.mageedu.com.
ns1 A 192.168.85.136
$ORIGIN mageedu.com.
b2 NS ns1.b2
$ORIGIN b2.mageedu.com.
ns1 A 192.168.85.140
$ORIGIN mageedu.com.
ftp CNAME www
lw A 192.168.85.134
mail A 192.168.85.129
ns1 A 192.168.85.128
ns2 A 192.168.85.133
pop A 192.168.85.130
www A 192.168.85.133
1.5 在主服务器128上查看子域是否建立成功
[root@localhost named]# dig -t NS a1.mageedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS a1.mageedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a1.mageedu.com. IN NS
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 01:58:48 2015
;; MSG SIZE rcvd: 32
这里没有显示有相关信息,这是因为我们虽然已经成功建立了记录信息,但是父域服务器链接不到子域服务器,无法与子域服务器进行通信,所以,下一步需要建立子域以及子域服务器
2. 建立子域服务器
2.1 重开一台主机进行基础配置
IP:192.168.85.136
网关:和父域服务器网关相同
掩码:和父域服务器掩码相同
DNS1:192.168.85.136(指向自己)
搜索域:a1.mageedu.com
2.2 安装bind后并编辑配置文件(因为是克隆主DNS服务器的所以包已经装好,各个配置文件都还在,所以修改源配置文件即可)
主配置文件:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
正向数据文件(之做正向测试,所以反向的不修改了)
[root@localhost named]# cat a1.mageedu.com.zone
$TTL 600
@ IN SOA ns1.a1.mageedu.com. admin.a1.mageedu.com. (
2015080301
1H
5M
2D
6H )
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.85.136
mail IN A 192.168.85.137
www IN A 192.168.85.138
重新启动named服务
2.3 用136本机测试
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33477
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 4 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:28:58 2015
;; MSG SIZE rcvd: 86
2.4 用父域DNS服务器测试
[root@localhost named]# dig -t A @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 360 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 7 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:34:44 2015
;; MSG SIZE rcvd: 86
这样看来书需要子域建立并能相互通信父域才能解析子域,子域才能解析;
3.转发DNS
一般,如果没有特殊配置,父域可以解析子域记录但是子域却不能解析父域记录;
父域128解析子域136的A记录:
[root@localhost named]# dig -t A @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8886
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:45:01 2015
;; MSG SIZE rcvd: 86
子域136解析父域128的A记录:
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49493
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
mageedu.com. 600 IN SOA f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1425539659 3600 180 1209600 180
;; Query time: 32 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:46:20 2015
;; MSG SIZE rcvd: 107
解决办法:
定义子域转发使得子域将所有的请求都转发给父域来解析而不是自己来解析
3.1 作为转发器转发
3.1.1编辑子域的主配置文件为(其他没变的地方省略了):
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
forward first;
forwarders { 192.168.85.128; };
};
其中 forward 有only和first两个选项;子域无法解析时,forward为only表示只转发给某服务器,如果这些服务器不提供或者无法解析
那么就无法解析;为first表示首先转发给某服务器解析,如果解析失败就转交给根解析....
强调一下:此时的forward是写在全局配置里的,如果请求的是子域本身内的就可以直接解析,请求的是子域外的其他域的无论请求的
是哪一个网段的都将转发出去
3.1.12重启服务后测试
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35719
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
#这里确实给出了应答,只不过是非权威应答
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:14:34 2015
;; MSG SIZE rcvd: 117
3.2 作为转发域转发
3.2.1子域服务器136上测试其他域:
[root@localhost named]# dig +trace -t A /> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 512769 IN NS l.root-servers.net.
. 512769 IN NS e.root-servers.net.
. 512769 IN NS i.root-servers.net.
. 512769 IN NS f.root-servers.net.
. 512769 IN NS k.root-servers.net.
. 512769 IN NS a.root-servers.net.
. 512769 IN NS j.root-servers.net.
. 512769 IN NS b.root-servers.net.
. 512769 IN NS h.root-servers.net.
. 512769 IN NS c.root-servers.net.
. 512769 IN NS d.root-servers.net.
. 512769 IN NS m.root-servers.net.
. 512769 IN NS g.root-servers.net.
;; Received 508 bytes from 192.168.85.128#53(192.168.85.128) in 5163 ms #这里是父域完成的;
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 491 bytes from 192.112.36.4#53(192.112.36.4) in 17567 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.31.80.30#53(192.31.80.30) in 388 ms
. 1200 IN CNAME /> a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
;; Received 228 bytes from 202.108.22.220#53(202.108.22.220) in 23 ms
这里子域来追踪解析的A记录,但是子域并不负责该域,无法解析,所以就转交给了父域处理(父域处理过程并没有显示);
此时父域也不负责baidu域的权威解析,所以转发出去也并没有多大意义,事实上对于子域而言,我们可以只转发对父域的请求到父域,而
剩下的自己处理(自己能连通互联网);
3.2.2 编辑子域的主配置文件为:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
zone "mageedu.com" IN { #定义将请求转发的域
type forward;
forward first;
forwarders { 192.168.85.128; };
};
这样,就只对这一个域转发解析请求而不对其他的域转发了
3.2.3 重启服务后测试
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:35:25 2015
;; MSG SIZE rcvd: 117
3.2.4 对其他域测试
[root@localhost named]# dig +trace -t A /> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 518283 IN NS e.root-servers.net.
. 518283 IN NS k.root-servers.net.
. 518283 IN NS l.root-servers.net.
. 518283 IN NS m.root-servers.net.
. 518283 IN NS j.root-servers.net.
. 518283 IN NS a.root-servers.net.
. 518283 IN NS h.root-servers.net.
. 518283 IN NS f.root-servers.net.
. 518283 IN NS i.root-servers.net.
. 518283 IN NS g.root-servers.net.
. 518283 IN NS d.root-servers.net.
. 518283 IN NS b.root-servers.net.
. 518283 IN NS c.root-servers.net.
;; Received 496 bytes from 192.168.85.136#53(192.168.85.136) in 63 ms #不再是父域完成的而是子域服务器自己完成的
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 503 bytes from 192.5.5.241#53(192.5.5.241) in 4117 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.12.94.30#53(192.12.94.30) in 979 ms
. 1200 IN CNAME /> a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(220.181.38.10) in 29 ms
4.补充
接上面的配置继续,此时用父域服务器来解析可知,父域不负责该域,所以将请求交给了根 根交给了.com域
.com域交给了baidu域然后才找到记录;
我们可以配置将对.com 的请求都转发给.com的服务器;
一下实在父域服务器上测试:
4.1 首先获得.com的NS记录在找到对应的A记录
[root@localhost named]# dig -t NS com @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS com @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19117
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 164836 IN NS l.gtld-servers.net.
com. 164836 IN NS m.gtld-servers.net.
com. 164836 IN NS e.gtld-servers.net.
com. 164836 IN NS b.gtld-servers.net.
com. 164836 IN NS h.gtld-servers.net.
com. 164836 IN NS d.gtld-servers.net.
com. 164836 IN NS f.gtld-servers.net.
com. 164836 IN NS k.gtld-servers.net.
com. 164836 IN NS c.gtld-servers.net.
com. 164836 IN NS j.gtld-servers.net.
com. 164836 IN NS g.gtld-servers.net.
com. 164836 IN NS i.gtld-servers.net.
com. 164836 IN NS a.gtld-servers.net.
;; ADDITIONAL SECTION:
i.gtld-servers.net. 170482 IN A 192.43.172.30
l.gtld-servers.net. 170476 IN A 192.41.162.30
j.gtld-servers.net. 170479 IN A 192.48.79.30
k.gtld-servers.net. 170475 IN A 192.52.178.30
a.gtld-servers.net. 170478 IN A 192.5.6.30
a.gtld-servers.net. 170478 IN AAAA 2001:503:a83e::2:30
h.gtld-servers.net. 170479 IN A 192.54.112.30
b.gtld-servers.net. 170477 IN A 192.33.14.30
b.gtld-servers.net. 170477 IN AAAA 2001:503:231d::2:30
g.gtld-servers.net. 170482 IN A 192.42.93.30
e.gtld-servers.net. 170481 IN A 192.12.94.30
f.gtld-servers.net. 170479 IN A 192.35.51.30
d.gtld-servers.net. 170491 IN A 192.31.80.30
m.gtld-servers.net. 170484 IN A 192.55.83.30
c.gtld-servers.net. 170489 IN A 192.26.92.30
;; Query time: 262 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 03:57:10 2015
;; MSG SIZE rcvd: 509
4.2 将相应的A记录写在forwards中即可;
假设在一个公司(域)内有两个部门(子域),这两个部门是可以独立出去的并且希望实现DNS的自我管理,那么就可以实行子域授权。子域授权就是在原有的域上再划分出一个小的区域并指定新DNS服务器。在这个小的区域中如果有客户端请求解析,则只要找新的子DNS服务器。这样的做的好处可以减轻主DNS的压力,也有利于管理
前提:任何的子域必须得到其父域的授权才可以授权;父域子域不一定在同一个网段,但是必须能相互通信;
过程:
1.在父域中定义子域的相关NS记录和A记录
1.1父域的正向区域数据文件:
[root@localhost named]# cat mageedu.com.zone
$TTL 600
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108
1H
5M
2D
6H )
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 192.168.85.128
ns2 IN A 192.168.85.133
mail IN A 192.168.85.129
www IN A 192.168.85.133
pop IN A 192.168.85.130
ftp IN CNAME www
lw IN A 192.168.85.134
a1 IN NS ns1.a1
ns1.a1 IN A 192.168.85.136
b2 IN NS ns1.b2
ns1.b2 IN A 192.168.85.140
#上面四行定义了两个子域a1.mageedu.com和b2.mageedu.com
1.2 重新加载named服务
[root@localhost named]# service named reload
Reloading named: [ OK ]
1.3 查看日志是否发送了更新
[root@localhost named]# tail /var/log/messages
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR started
Aug 3 01:51:04 localhost named[2482]: client 192.168.85.133#35544: transfer of 'mageedu.com/IN': AXFR ended
Aug 3 01:51:29 localhost named[2482]: received SIGHUP signal to reload zones
Aug 3 01:51:29 localhost named[2482]: loading configuration from '/etc/named.conf'
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv4 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: using default UDP/IPv6 port range: [1024, 65535]
Aug 3 01:51:29 localhost named[2482]: sizing zone task pool based on 5 zones
Aug 3 01:51:29 localhost named[2482]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Aug 3 01:51:29 localhost named[2482]: reloading configuration succeeded
Aug 3 01:51:29 localhost named[2482]: reloading zones succeeded
1.4 在从服务器133上查看是否更新(如果没有更新确保防火墙,SElinux等关闭了或者重新加载服务)
[root@localhost slaves]# cat mageedu.com.zone
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2015073108 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
a1 NS ns1.a1
$ORIGIN a1.mageedu.com.
ns1 A 192.168.85.136
$ORIGIN mageedu.com.
b2 NS ns1.b2
$ORIGIN b2.mageedu.com.
ns1 A 192.168.85.140
$ORIGIN mageedu.com.
ftp CNAME www
lw A 192.168.85.134
mail A 192.168.85.129
ns1 A 192.168.85.128
ns2 A 192.168.85.133
pop A 192.168.85.130
www A 192.168.85.133
1.5 在主服务器128上查看子域是否建立成功
[root@localhost named]# dig -t NS a1.mageedu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS a1.mageedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 16439
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;a1.mageedu.com. IN NS
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 01:58:48 2015
;; MSG SIZE rcvd: 32
这里没有显示有相关信息,这是因为我们虽然已经成功建立了记录信息,但是父域服务器链接不到子域服务器,无法与子域服务器进行通信,所以,下一步需要建立子域以及子域服务器
2. 建立子域服务器
2.1 重开一台主机进行基础配置
IP:192.168.85.136
网关:和父域服务器网关相同
掩码:和父域服务器掩码相同
DNS1:192.168.85.136(指向自己)
搜索域:a1.mageedu.com
2.2 安装bind后并编辑配置文件(因为是克隆主DNS服务器的所以包已经装好,各个配置文件都还在,所以修改源配置文件即可)
主配置文件:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
正向数据文件(之做正向测试,所以反向的不修改了)
[root@localhost named]# cat a1.mageedu.com.zone
$TTL 600
@ IN SOA ns1.a1.mageedu.com. admin.a1.mageedu.com. (
2015080301
1H
5M
2D
6H )
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.85.136
mail IN A 192.168.85.137
www IN A 192.168.85.138
重新启动named服务
2.3 用136本机测试
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33477
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 4 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:28:58 2015
;; MSG SIZE rcvd: 86
2.4 用父域DNS服务器测试
[root@localhost named]# dig -t A @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15029
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 360 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 7 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:34:44 2015
;; MSG SIZE rcvd: 86
这样看来书需要子域建立并能相互通信父域才能解析子域,子域才能解析;
3.转发DNS
一般,如果没有特殊配置,父域可以解析子域记录但是子域却不能解析父域记录;
父域128解析子域136的A记录:
[root@localhost named]# dig -t A @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8886
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.138
;; AUTHORITY SECTION:
a1.mageedu.com. 600 IN NS ns1.a1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.a1.mageedu.com. 600 IN A 192.168.85.136
;; Query time: 10 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 02:45:01 2015
;; MSG SIZE rcvd: 86
子域136解析父域128的A记录:
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49493
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN A
;; AUTHORITY SECTION:
mageedu.com. 600 IN SOA f1g1ns1.dnspod.net. freednsadmin.dnspod.com. 1425539659 3600 180 1209600 180
;; Query time: 32 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 02:46:20 2015
;; MSG SIZE rcvd: 107
解决办法:
定义子域转发使得子域将所有的请求都转发给父域来解析而不是自己来解析
3.1 作为转发器转发
3.1.1编辑子域的主配置文件为(其他没变的地方省略了):
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
forward first;
forwarders { 192.168.85.128; };
};
其中 forward 有only和first两个选项;子域无法解析时,forward为only表示只转发给某服务器,如果这些服务器不提供或者无法解析
那么就无法解析;为first表示首先转发给某服务器解析,如果解析失败就转交给根解析....
强调一下:此时的forward是写在全局配置里的,如果请求的是子域本身内的就可以直接解析,请求的是子域外的其他域的无论请求的
是哪一个网段的都将转发出去
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35719
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
#这里确实给出了应答,只不过是非权威应答
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:14:34 2015
;; MSG SIZE rcvd: 117
3.2 作为转发域转发
3.2.1子域服务器136上测试其他域:
[root@localhost named]# dig +trace -t A /> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 512769 IN NS l.root-servers.net.
. 512769 IN NS e.root-servers.net.
. 512769 IN NS i.root-servers.net.
. 512769 IN NS f.root-servers.net.
. 512769 IN NS k.root-servers.net.
. 512769 IN NS a.root-servers.net.
. 512769 IN NS j.root-servers.net.
. 512769 IN NS b.root-servers.net.
. 512769 IN NS h.root-servers.net.
. 512769 IN NS c.root-servers.net.
. 512769 IN NS d.root-servers.net.
. 512769 IN NS m.root-servers.net.
. 512769 IN NS g.root-servers.net.
;; Received 508 bytes from 192.168.85.128#53(192.168.85.128) in 5163 ms #这里是父域完成的;
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 491 bytes from 192.112.36.4#53(192.112.36.4) in 17567 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.31.80.30#53(192.31.80.30) in 388 ms
. 1200 IN CNAME /> a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
;; Received 228 bytes from 202.108.22.220#53(202.108.22.220) in 23 ms
这里子域来追踪解析的A记录,但是子域并不负责该域,无法解析,所以就转交给了父域处理(父域处理过程并没有显示);
此时父域也不负责baidu域的权威解析,所以转发出去也并没有多大意义,事实上对于子域而言,我们可以只转发对父域的请求到父域,而
剩下的自己处理(自己能连通互联网);
3.2.2 编辑子域的主配置文件为:
[root@localhost named]# cat /etc/named.conf
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "a1.mageedu.com" IN {
type master;
file "a1.mageedu.com.zone";
};
zone "mageedu.com" IN { #定义将请求转发的域
type forward;
forward first;
forwarders { 192.168.85.128; };
};
这样,就只对这一个域转发解析请求而不对其他的域转发了
3.2.3 重启服务后测试
[root@localhost named]# dig -t A @192.168.85.136
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t A @192.168.85.136
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43895
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN A
;; ANSWER SECTION:
. 600 IN A 192.168.85.133
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN NS ns2.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 192.168.85.128
ns2.mageedu.com. 600 IN A 192.168.85.133
;; Query time: 21 msec
;; SERVER: 192.168.85.136#53(192.168.85.136)
;; WHEN: Mon Aug 3 03:35:25 2015
;; MSG SIZE rcvd: 117
3.2.4 对其他域测试
[root@localhost named]# dig +trace -t A /> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> +trace -t A @192.168.85.136
;; global options: +cmd
. 518283 IN NS e.root-servers.net.
. 518283 IN NS k.root-servers.net.
. 518283 IN NS l.root-servers.net.
. 518283 IN NS m.root-servers.net.
. 518283 IN NS j.root-servers.net.
. 518283 IN NS a.root-servers.net.
. 518283 IN NS h.root-servers.net.
. 518283 IN NS f.root-servers.net.
. 518283 IN NS i.root-servers.net.
. 518283 IN NS g.root-servers.net.
. 518283 IN NS d.root-servers.net.
. 518283 IN NS b.root-servers.net.
. 518283 IN NS c.root-servers.net.
;; Received 496 bytes from 192.168.85.136#53(192.168.85.136) in 63 ms #不再是父域完成的而是子域服务器自己完成的
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
;; Received 503 bytes from 192.5.5.241#53(192.5.5.241) in 4117 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.12.94.30#53(192.12.94.30) in 979 ms
. 1200 IN CNAME /> a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(220.181.38.10) in 29 ms
4.补充
接上面的配置继续,此时用父域服务器来解析可知,父域不负责该域,所以将请求交给了根 根交给了.com域
.com域交给了baidu域然后才找到记录;
我们可以配置将对.com 的请求都转发给.com的服务器;
一下实在父域服务器上测试:
4.1 首先获得.com的NS记录在找到对应的A记录
[root@localhost named]# dig -t NS com @192.168.85.128
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>> -t NS com @192.168.85.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19117
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 15
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 164836 IN NS l.gtld-servers.net.
com. 164836 IN NS m.gtld-servers.net.
com. 164836 IN NS e.gtld-servers.net.
com. 164836 IN NS b.gtld-servers.net.
com. 164836 IN NS h.gtld-servers.net.
com. 164836 IN NS d.gtld-servers.net.
com. 164836 IN NS f.gtld-servers.net.
com. 164836 IN NS k.gtld-servers.net.
com. 164836 IN NS c.gtld-servers.net.
com. 164836 IN NS j.gtld-servers.net.
com. 164836 IN NS g.gtld-servers.net.
com. 164836 IN NS i.gtld-servers.net.
com. 164836 IN NS a.gtld-servers.net.
;; ADDITIONAL SECTION:
i.gtld-servers.net. 170482 IN A 192.43.172.30
l.gtld-servers.net. 170476 IN A 192.41.162.30
j.gtld-servers.net. 170479 IN A 192.48.79.30
k.gtld-servers.net. 170475 IN A 192.52.178.30
a.gtld-servers.net. 170478 IN A 192.5.6.30
a.gtld-servers.net. 170478 IN AAAA 2001:503:a83e::2:30
h.gtld-servers.net. 170479 IN A 192.54.112.30
b.gtld-servers.net. 170477 IN A 192.33.14.30
b.gtld-servers.net. 170477 IN AAAA 2001:503:231d::2:30
g.gtld-servers.net. 170482 IN A 192.42.93.30
e.gtld-servers.net. 170481 IN A 192.12.94.30
f.gtld-servers.net. 170479 IN A 192.35.51.30
d.gtld-servers.net. 170491 IN A 192.31.80.30
m.gtld-servers.net. 170484 IN A 192.55.83.30
c.gtld-servers.net. 170489 IN A 192.26.92.30
;; Query time: 262 msec
;; SERVER: 192.168.85.128#53(192.168.85.128)
;; WHEN: Mon Aug 3 03:57:10 2015
;; MSG SIZE rcvd: 509
4.2 将相应的A记录写在forwards中即可;
时来天地皆同力,运去英雄不自由
