DNS Basics
I. Overview
Types of DNS server:
root name servers, top-level (first-level) DNS servers, second-level DNS servers, third-level DNS servers
Forward resolution: domain name --> IP
Reverse resolution: IP --> domain name
Every domain name ends with a dot, for example www.cnblogs.com.
Levels of a domain name:
Root domain: .
Top-level domains: .cn .us .tw .hk .jp .kr
Second-level domains: .tedu.cn .com.cn .net.cn
Third-level domains: test1.com.cn test2.com.cn
FQDN (Fully Qualified Domain Name): a complete host name made of two parts, the host label plus the domain name
II. Testing the DNS service on Linux
System service: named
Port: TCP and UDP 53
Chroot (jailed root) environment: /var/named/chroot
Main configuration file: /etc/named.conf
Zone (address database) files: /var/named/
System environment
[root@serverA ~]# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)
[root@serverA ~]# uname -r
3.10.0-862.el7.x86_64
[root@serverA ~]#
Case 1: install and configure the DNS service on serverA, verify from client
1 Install the packages
[root@serverA ~]# yum -y install bind bind-chroot
bind-9.9.4-61.el7.x86_64          # the name server package
bind-chroot-9.9.4-61.el7.x86_64   # chroot ("jail") support: confines named so that a compromised bind cannot perform dangerous operations outside the jail
2 Edit the named.conf configuration file
[root@serverA ~]# cp /etc/named.conf /etc/named.bak
[root@serverA ~]# vim /etc/named.conf
options {
    listen-on port 53 { any; };   # let bind accept every client on its port 53; removing this line also means "allow all"
    directory "/var/named";       # directory where the zone files are kept
    allow-query { any; };         # who may send queries; any = everyone; the line can also be removed, which means everyone
    recursion yes;                # the default is yes, so this line can be removed as well
};
zone "sven.cn" IN {               # the domain this host is responsible for resolving is sven.cn
    type master;                  # this host is the primary (master) DNS server for the domain
    file "sven.cn.zone";          # zone file for sven.cn; bind looks for sven.cn.zone in /var/named/
};
3 Edit the zone file
[root@serverA ~]# cd /var/named
[root@serverA named]# cp -p named.localhost sven.cn.zone
# Copy the template and edit the copy; -p keeps the source file's owner and mode. The bind package creates a user
# called "named", and that user reads sven.cn.zone, so check that the named user has permission on the file
[root@serverA named]# ls -ld sven.cn.zone
-rw-r----- 1 root named 152 Jun 21  2007 sven.cn.zone
[root@serverA named]# vim sven.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
# Keep the first 7 lines of the file unchanged; from line 8 on, add the following records
sven.cn.    NS  serverA         # the domain sven.cn is served by the host serverA.sven.cn.; sven.cn must be followed by a dot, otherwise the zone's own name sven.cn is appended automatically
serverA     A   192.168.1.10    # because of that auto-completion rule, writing just serverA expands to serverA.sven.cn; serverA here is only a label, so it need not be the real hostname
www         A   192.168.1.200   # www.sven.cn maps to the IP address 192.168.1.200
[root@serverA named]#
4 Restart the service and verify on client
[root@serverA named]# systemctl restart named
[root@client ~]# echo nameserver 192.168.1.10 >/etc/resolv.conf
[root@client ~]# cat /etc/resolv.conf
nameserver 192.168.1.10
[root@client ~]# nslookup www.sven.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   www.sven.cn
Address: 192.168.1.200
[root@client ~]# nslookup serverA.sven.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   serverA.sven.cn
Address: 192.168.1.10
[root@client ~]#
Case 2: multi-zone DNS resolution
Make serverA resolve both sven.cn and yurnero.cn
1 Add the second domain to the main configuration file
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
zone "sven.cn" IN {
    type master;
    file "sven.cn.zone";
};
zone "yurnero.cn" IN {            # add the second domain this host is responsible for, yurnero.cn
    type master;
    file "yurnero.cn.zone";
};
2 Add the zone file for the second domain
[root@serverA ~]# cd /var/named/
[root@serverA named]# cp -p sven.cn.zone yurnero.cn.zone
[root@serverA named]# vim yurnero.cn.zone
[root@serverA named]# cat /var/named/yurnero.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
yurnero.cn. NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
[root@serverA named]#
3 Restart the service and verify
[root@serverA named]# systemctl restart named
[root@client ~]# nslookup www.sven.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   www.sven.cn
Address: 192.168.1.200
[root@client ~]# nslookup www.yurnero.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   www.yurnero.cn
Address: 192.168.1.200
[root@client ~]#
/etc/hosts and DNS
/etc/hosts: the host name mapping file. When there is no DNS on the network but the local host still needs to resolve names, domain-to-IP mappings can be added to this file. When it coexists with DNS, it is consulted before /etc/resolv.conf.
Drawback: it only resolves names for the local host; it cannot resolve names for other hosts.
DNS server resource records
NS      name server record
A       forward address record
CNAME   alias of another record
Mapping one domain name to several different IP addresses gives DNS round robin, a simple form of load balancing
Round robin in the yurnero.cn zone
[root@serverA named]# vim /var/named/yurnero.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
yurnero.cn. NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
www         A   192.168.1.201
www         A   192.168.1.202
www         A   192.168.1.203
[root@serverA named]# systemctl restart named
[root@serverA named]#
[root@client ~]# ping www.yurnero.cn
When the client queries the server repeatedly, the addresses in the zone file are handed out in rotation.
Wildcard resolution
[root@serverA named]# vim /var/named/sven.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
sven.cn.    NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
*           A   192.168.1.205
[root@serverA named]#
[root@serverA named]# systemctl restart named
Verify:
[root@client ~]# ping wwww.sven.cn
PING wwww.sven.cn (192.168.1.205) 56(84) bytes of data.
--- wwww.sven.cn ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1065ms
[root@client ~]# ping tttt.sven.cn
PING tttt.sven.cn (192.168.1.205) 56(84) bytes of data.
--- tttt.sven.cn ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1008ms
[root@client ~]# ping serverA.sven.cn
PING serverA.sven.cn (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10 (192.168.1.10): icmp_seq=1 ttl=255 time=0.838 ms
--- serverA.sven.cn ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.838/1.580/2.322/0.742 ms
[root@client ~]#
Patterned wildcard resolution
pc1.sven.cn  ------> 192.168.10.1
pc2.sven.cn  ------> 192.168.10.2
pc3.sven.cn  ------> 192.168.10.3
pc4.sven.cn  ------> 192.168.10.4
..........
pc50.sven.cn ------> 192.168.10.50
Built-in directive: $GENERATE produces a consecutive range of numbers
[root@serverA named]# vim /var/named/sven.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
sven.cn.    NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
*           A   192.168.1.205
$GENERATE 1-50 pc$ A 192.168.10.$
[root@serverA named]# systemctl restart named
[root@client ~]# ping pc1.sven.cn
PING pc1.sven.cn (192.168.10.1) 56(84) bytes of data.
--- pc1.sven.cn ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6221ms
[root@client ~]# ping pc2.sven.cn
PING pc2.sven.cn (192.168.10.2) 56(84) bytes of data.
--- pc2.sven.cn ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4118ms
[root@client ~]# ping pc50.sven.cn
PING pc50.sven.cn (192.168.10.50) 56(84) bytes of data.
--- pc50.sven.cn ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1035ms
[root@client ~]#
Alias records
[root@serverA named]# cat /var/named/sven.cn.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
sven.cn.    NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
*           A   192.168.1.205
$GENERATE 1-50 pc$ A 192.168.10.$
ftp         A   2.2.2.2
ftt         CNAME ftp           # resolving ftt.sven.cn gives the same result as ftp.sven.cn; the alias is equivalent to "ftt A 2.2.2.2"
[root@serverA named]#
[root@serverA named]# systemctl restart named
Verify:
[root@client ~]# nslookup ftp.sven.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   ftp.sven.cn
Address: 2.2.2.2
[root@client ~]# nslookup ftt.sven.cn
Server:         192.168.1.10
Address:        192.168.1.10#53

ftt.sven.cn     canonical name = ftp.sven.cn.
Name:   ftp.sven.cn
Address: 2.2.2.2
[root@client ~]#
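To check the zone-file rules used in the sections above (origin completion of names without a trailing dot, round-robin A records, the "*" wildcard, $GENERATE ranges and CNAME aliases) without running named, here is a small Python model of an authoritative lookup. It is an added example, not code from this page or from BIND: the zone text is constructed to mirror the page's sven.cn zone, and the fqdn/parse_zone helpers and the Resolver class are this example's own approximation of how named reads such a file (it handles the cases shown on the page, not every wildcard corner case).

```python
"""Toy authoritative lookup over BIND-style zone text (added example, not BIND's code).
Models the rules shown on the page: origin completion, round robin, the * wildcard,
$GENERATE and CNAME. Approximation only; constructed for illustration."""
from collections import defaultdict

# Constructed sample zone text: the page's sven.cn zone as built up above.
SVEN_ZONE = """\
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
sven.cn.    NS  serverA
serverA     A   192.168.1.10
www         A   192.168.1.200
www         A   192.168.1.201
*           A   192.168.1.205
$GENERATE 1-50 pc$ A 192.168.10.$
ftp         A   2.2.2.2
ftt         CNAME ftp
"""


def fqdn(name, origin):
    """Origin-completion rule: '@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return {owner FQDN: [(rrtype, rdata), ...]}; the multi-line SOA is skipped."""
    origin = origin.rstrip(".") + "."
    records = defaultdict(list)
    in_soa = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a zone-file comment
        if not line:
            continue
        if in_soa:                                   # inside the SOA ( ... ) block
            in_soa = ")" not in line
            continue
        if "(" in line and ")" not in line:
            in_soa = True
            continue
        if line.startswith("$TTL"):
            continue
        if line.startswith("$GENERATE"):             # $GENERATE lo-hi lhs TYPE rhs
            _, rng, lhs, rtype, rhs = line.split()
            lo, hi = (int(x) for x in rng.split("-"))
            for i in range(lo, hi + 1):              # every '$' is replaced by the counter
                records[fqdn(lhs.replace("$", str(i)), origin)].append(
                    (rtype, rhs.replace("$", str(i))))
            continue
        fields = [f for f in line.split() if f != "IN"]   # drop the class field
        owner, rtype, rdata = fields[0], fields[1], fields[2]
        if rtype in ("NS", "CNAME"):                 # names on the right-hand side are completed too
            rdata = fqdn(rdata, origin)
        records[fqdn(owner, origin)].append((rtype, rdata))
    return dict(records)


class Resolver:
    """Answers queries for one zone, rotating multi-record answers like BIND's default round robin."""

    def __init__(self, records, origin):
        self.records = records
        self.origin = origin.rstrip(".") + "."
        self.rotation = defaultdict(int)

    def lookup(self, qname, qtype="A", depth=0):
        qname = qname if qname.endswith(".") else qname + "."
        if qname != self.origin and not qname.endswith("." + self.origin):
            return None                              # not a name in our zone
        rrset = self.records.get(qname)
        if rrset is None:                            # wildcard applies only when the exact name has no records
            rrset = self.records.get("*." + self.origin)
            if rrset is None:
                return None                          # NXDOMAIN
        cname = [r for t, r in rrset if t == "CNAME"]
        if cname and qtype != "CNAME":
            if depth > 8:
                return None                          # CNAME loop guard
            return self.lookup(cname[0], qtype, depth + 1)   # follow the alias, as nslookup did for ftt
        answers = [r for t, r in rrset if t == qtype]
        if not answers:
            return []                                # NOERROR but no data of that type
        k = self.rotation[qname] % len(answers)      # round robin: rotate the start of the list per query
        self.rotation[qname] += 1
        return answers[k:] + answers[:k]


if __name__ == "__main__":
    r = Resolver(parse_zone(SVEN_ZONE, "sven.cn"), "sven.cn")
    for q in ("www.sven.cn", "www.sven.cn", "wwww.sven.cn", "pc50.sven.cn", "ftt.sven.cn"):
        print(q, "->", r.lookup(q))
    print("sven.cn NS ->", r.lookup("sven.cn", "NS"))
```

Two behaviours worth noticing when running it: the second query for www.sven.cn comes back with the address list rotated, which is the round robin the yurnero.cn section relies on, and wwww.sven.cn hits the wildcard only because no explicit record exists for it, so an explicit record always wins over "*".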
DNS subdomain delegation
serverA is the DNS server responsible for axe.com; serverB is the DNS server responsible for sh.axe.com
1 Add axe.com resolution on serverA
1 Add the axe.com domain to the main configuration file
[root@serverA named]# cat /etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
zone "sven.cn" IN {
    type master;
    file "sven.cn.zone";
};
zone "yurnero.cn" IN {
    type master;
    file "yurnero.cn.zone";
};
zone "axe.com" IN {
    type master;
    file "axe.com.zone";
};
[root@serverA named]#
2 Add the zone file
[root@serverA named]# cat axe.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
axe.com.    NS  serverA
serverA     A   192.168.1.10
www         A   3.3.3.3
[root@serverA named]#
3 Restart the named service and verify on client
[root@client ~]# nslookup www.axe.com 192.168.1.10    # if /etc/resolv.conf is not configured on client, the DNS server address can be given directly on the nslookup command line
Server:         192.168.1.10
Address:        192.168.1.10#53

Name:   www.axe.com
Address: 3.3.3.3
[root@client ~]#
[root@client ~]# # at this point client can resolve www.axe.com but cannot resolve www.sh.axe.com
[root@client ~]# nslookup www.sh.axe.com 192.168.1.10
Server:         192.168.1.10
Address:        192.168.1.10#53

** server can't find www.sh.axe.com: NXDOMAIN
[root@client ~]#
2 Add sh.axe.com resolution on serverB
[root@serverB ~]# yum -y install bind bind-chroot
[root@serverB ~]# cp /etc/named.conf /etc/named.conf.bak
[root@serverB ~]# cat /etc/named.conf
options {
    directory "/var/named";
};
zone "sh.axe.com" IN {            # specify in the configuration file the domain this host is responsible for
    type master;
    file "sh.axe.com.zone";
};
[root@serverB ~]# cd /var/named/
[root@serverB named]# cp -p named.localhost sh.axe.com.zone
[root@serverB named]# cat sh.axe.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
sh.axe.com. NS  pc11            # the pc11 used in this NS record can be a host name that does not exist; it is just a label. All that matters is that sh.axe.com. ends up pointing at 192.168.1.11
pc11        A   192.168.1.11
www         A   5.5.5.5
[root@serverB named]# systemctl restart named
[root@serverB named]#
Client verification
[root@client ~]# nslookup www.sh.axe.com 192.168.1.11
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   www.sh.axe.com
Address: 5.5.5.5
[root@client ~]#
3 Add the subdomain sh.axe.com. on serverA
[root@serverA ~]# cat /var/named/axe.com.zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
axe.com.    NS  serverA
sh.axe.com. NS  pc11            # add the subdomain's NS record to serverA's zone file
serverA     A   192.168.1.10
pc11        A   192.168.1.11
www         A   3.3.3.3
[root@serverA ~]# systemctl restart named
[root@serverA ~]#
Verify: resolve the subdomain sh.axe.com through serverA
[root@client ~]# nslookup www.sh.axe.com 192.168.1.10
Server:         192.168.1.10
Address:        192.168.1.10#53

Non-authoritative answer:       # the reply now carries an extra "Non-authoritative answer" line
Name:   www.sh.axe.com
Address: 5.5.5.5
[root@client ~]#
DNS recursive queries
The client asks for a name to be resolved; the primary DNS server talks to the other DNS servers and finally brings the result back. Recursive queries are enabled by default.
Turning recursive queries off
[root@serverA ~]# cat /etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion no;                 # turn off recursive queries
};
zone "sven.cn" IN {
    type master;
    file "sven.cn.zone";
};
zone "yurnero.cn" IN {
    type master;
    file "yurnero.cn.zone";
};
zone "axe.com" IN {
    type master;
    file "axe.com.zone";
};
[root@serverA ~]# systemctl restart named
Querying again from the client: when client asks serverA for the subdomain, serverA no longer returns a result to client
[root@client ~]#
[root@client ~]# nslookup www.sh.axe.com 192.168.1.10
Server:         192.168.1.10
Address:        192.168.1.10#53

Non-authoritative answer:
*** Can't find www.sh.axe.com: No answer
[root@client ~]#
DNS iterative queries
Once recursive queries are turned off, iterative queries take over automatically: the primary DNS server returns to the client the address of the DNS server responsible for the name, and the client goes and queries that server itself.
[root@client ~]# dig www.sh.axe.com 192.168.1.10

; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.sh.axe.com 192.168.1.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20735
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.sh.axe.com.                IN      A

;; AUTHORITY SECTION:
sh.axe.com.             86400   IN      NS      pc11.axe.com.

;; ADDITIONAL SECTION:
pc11.axe.com.           86400   IN      A       192.168.1.11

;; Query time: 1 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Apr 10 21:26:13 CST 2022
;; MSG SIZE  rcvd: 78

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 21004
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.1.10.                  IN      A

;; Query time: 0 msec
;; SERVER: 192.168.1.10#53(192.168.1.10)
;; WHEN: Sun Apr 10 21:26:13 CST 2022
;; MSG SIZE  rcvd: 41

[root@client ~]#
Note: in practice, when a client needs to resolve a name it first consults the /etc/hosts file; only when that file cannot resolve the name does it ask the preferred DNS server, and only then does a recursive or iterative query take place.
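The client-side order described in this note, together with the delegation and the recursion on/off behaviour shown above, as an added Python model (not the page's or BIND's code): two toy authoritative servers stand in for serverA (axe.com, delegating sh.axe.com) and serverB (sh.axe.com), a dictionary stands in for /etc/hosts, and all records and addresses are constructed to match the page's lab. With recursion yes, serverA chases the sh.axe.com referral itself and returns a non-authoritative answer; with recursion no, it hands back only the referral (the AUTHORITY and ADDITIONAL sections in the dig output) and the client has to follow it. A name that belongs to none of the server's zones is refused, which is what happened to the second query in the dig output above: without "@", dig treats 192.168.1.10 as a second name to look up rather than as the server to ask (the intended form is dig @192.168.1.10 www.sh.axe.com). Operationally, an authoritative-only server should keep recursion no, or limit recursion to its own clients with allow-recursion, so that it does not become an open resolver for anyone who can reach port 53.

```python
"""Client resolution order and subdomain delegation (added example, not the page's or BIND's code).
Two toy authoritative servers model serverA (axe.com) and serverB (sh.axe.com); a dict models
/etc/hosts. All zone data below is constructed to match the page's lab."""

# Constructed zone data: {zone origin: {owner name: {rrtype: [rdata, ...]}}}
SERVER_A_ZONES = {"axe.com": {
    "axe.com":         {"NS": ["serverA.axe.com"]},
    "sh.axe.com":      {"NS": ["pc11.axe.com"]},      # delegation of the subdomain (step 3 on serverA)
    "serverA.axe.com": {"A": ["192.168.1.10"]},
    "pc11.axe.com":    {"A": ["192.168.1.11"]},       # glue address for the delegated NS
    "www.axe.com":     {"A": ["3.3.3.3"]},
}}
SERVER_B_ZONES = {"sh.axe.com": {
    "sh.axe.com":      {"NS": ["pc11.sh.axe.com"]},   # "pc11" completed with serverB's own origin
    "pc11.sh.axe.com": {"A": ["192.168.1.11"]},
    "www.sh.axe.com":  {"A": ["5.5.5.5"]},
}}


class AuthServer:
    """One authoritative name server; `recursion` mirrors named.conf's `recursion yes|no`."""

    def __init__(self, ip, zones, recursion, network):
        self.ip, self.zones, self.recursion, self.network = ip, zones, recursion, network

    def query(self, qname, rd=True):
        """rd is the client's 'recursion desired' flag. Returns a dict shaped like a DNS reply."""
        owned = [z for z in self.zones if qname == z or qname.endswith("." + z)]
        if not owned:                                   # not in any of our zones: refuse
            return {"status": "REFUSED", "answers": [], "aa": False, "referral": None}
        zone = max(owned, key=len)
        data = self.zones[zone]
        name = qname
        while name != zone:                             # walk up the labels towards the zone apex
            name = name.split(".", 1)[1]
            if name != zone and "NS" in data.get(name, {}):   # NS below the apex = delegation cut
                ns = data[name]["NS"][0]
                glue = data.get(ns, {}).get("A", [None])[0]
                if rd and self.recursion:               # recursion yes: chase the referral for the client
                    reply = self.network[glue].query(qname, rd=False)
                    reply["aa"] = False                 # nslookup prints this as "Non-authoritative answer"
                    return reply
                return {"status": "NOERROR", "answers": [], "aa": False,
                        "referral": (name, ns, glue)}   # AUTHORITY + ADDITIONAL only, no ANSWER
        if qname not in data:
            return {"status": "NXDOMAIN", "answers": [], "aa": True, "referral": None}
        return {"status": "NOERROR", "answers": list(data[qname].get("A", [])),
                "aa": True, "referral": None}


def build_network(recursion_on_a):
    """Wire up the two servers; the flag is serverA's recursion setting (serverB never recurses)."""
    net = {}
    net["192.168.1.10"] = AuthServer("192.168.1.10", SERVER_A_ZONES, recursion_on_a, net)
    net["192.168.1.11"] = AuthServer("192.168.1.11", SERVER_B_ZONES, False, net)
    return net


def resolve(qname, hosts, nameserver, network, max_referrals=5):
    """Client path from the page: /etc/hosts first, then the nameserver from /etc/resolv.conf;
    if that server only returns a referral, follow it ourselves (iterative query)."""
    if qname in hosts:
        return hosts[qname], "hosts"
    server = network[nameserver]
    for _ in range(max_referrals):                      # bound the number of referrals we follow
        reply = server.query(qname, rd=True)
        if reply["answers"]:
            return reply["answers"], "dns"
        if reply["referral"] is None:
            return [], reply["status"]
        _, _, glue = reply["referral"]
        server = network[glue]                          # ask the delegated server directly
    return [], "too many referrals"


if __name__ == "__main__":
    hosts = {"www.axe.com": ["10.0.0.1"]}               # constructed /etc/hosts entry
    for flag in (True, False):
        net = build_network(recursion_on_a=flag)
        print("recursion", flag, "serverA reply:", net["192.168.1.10"].query("www.sh.axe.com"))
        print("recursion", flag, "client gets:", resolve("www.sh.axe.com", hosts, "192.168.1.10", net))
    print("hosts wins:", resolve("www.axe.com", hosts, "192.168.1.10", net))
```

The two resolve calls return the same address either way; what changes is who did the work. With recursion no the client's first reply from serverA has an empty answer list and a referral, exactly the shape of the first dig answer above, and the client has to make the second query itself.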