DNS,综合案例:实现internet的DNS服务架构
搭建DNS实现internet dns 架构
环境要求
需要8台主机
DNS客户端:10.0.0.6/24
本地DNS服务器(只缓存):10.0.0.8/24
转发目标DNS服务器:10.0.0.18/24
根DNS服务器:10.0.0.28/24
org域DNS服务器:10.0.0.38/24
weirui.org域主DNS服务器:10.0.0.48/24
weirui.org域从DNS服务器:10.0.0.58/24
www.weirui.org的WEB服务器:10.0.0.68/24
前提准备
关闭 SELinux、关闭防火墙、时间同步(实验环境前提)
实现步骤
各种主机的网络配置
客户端配置
# Client (10.0.0.6): point the resolver at the local caching DNS server (10.0.0.8).
# NOTE(review): the file edited is ifcfg-ens33 while NAME/DEVICE say eth0 — confirm
# the real interface name on the host and keep all three consistent.
vim /etc/sysconfig/network-scripts/ifcfg-ens33
NAME=eth0
DEVICE=eth0
BOOTPROTO=static
IPADDR=10.0.0.6
NETMASK=255.255.255.0
# DNS1 must be the caching (recursive) server, not one of the authoritative
# servers, otherwise the client cannot resolve names outside that server's zone.
DNS1=10.0.0.8
ONBOOT=yes
# Re-read the ifcfg file with the legacy network service.
service network restart
实现web服务
# On the web server (10.0.0.68/24): a minimal httpd whose index page is the
# host name, so the later curl test shows which host answered.
yum install httpd
echo www.weirui.org > /var/www/html/index.html
# Started only; add "systemctl enable httpd" if it must survive a reboot.
systemctl start httpd
实现weirui.org域的主DNS服务器
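# On the weirui.org primary DNS server (10.0.0.48/24).
# Lines that begin with "#" followed by a command (e.g. "#named-checkconf") are
# root-prompt transcripts, not comments.
yum install bind -y
vim /etc/named.conf
# Comment out the two lines below: the stock values bind named to 127.0.0.1 and
# answer only localhost; commented out, it listens on every interface and
# answers any client.
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Allow zone transfers (AXFR/IXFR) to the secondary only. The page's secondary
# is 10.0.0.58; the original left a "<secondary IP>" placeholder here.
allow-transfer { 10.0.0.58;};
vim /etc/named.rfc1912.zones
# Add this zone; "file" is relative to named's working directory (/var/named).
zone "weirui.org" {
type master;
file "weirui.org.zone";
};
vim /var/named/weirui.org.zone
$TTL 1D
@ IN SOA master admin.weirui.org. (
1 ; serial - increment on every edit, otherwise the secondary never refreshes
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master ; owner inherited from @ (zone apex)
NS slave
master A 10.0.0.48
slave A 10.0.0.58
www A 10.0.0.68
#yum -y install bind-utils
# Validate config and zone syntax before (re)loading.
#named-checkconf
#named-checkzone weirui.org /var/named/weirui.org.zone
# Root-owned, group named, mode 640: named can read the zone, other local users
# cannot, and named itself cannot modify it.
#chmod 640 /var/named/weirui.org.zone
#chgrp named /var/named/weirui.org.zone
#systemctl start named #first start of the service
#rndc reload #subsequent reloads after config/zone changes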
实现weirui.org域的从DNS服务器配置
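# On the weirui.org secondary DNS server (10.0.0.58/24).
yum install bind -y
vim /etc/named.conf
# Comment out these two lines (listen on all interfaces, answer any client).
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# A secondary has nobody to transfer to: refuse zone transfers from every host.
allow-transfer { none;};
vim /etc/named.rfc1912.zones
zone "weirui.org" {
type slave;
# Pull the zone from the primary (10.0.0.48 on this page; the original had a
# "<primary IP>" placeholder). The transferred copy is written under
# /var/named/slaves, which named needs write access to.
masters { 10.0.0.48;}; file "slaves/weirui.org.slave";
};
#named-checkconf #syntax check (the original transcript had the truncated name "named-check")
systemctl start named #first start of the service
rndc reload #subsequent reloads
ls /var/named/slaves/weirui.org.slave #confirm the transferred zone file was created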
实现org域的主DNS服务器
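# On the org zone's primary DNS server (10.0.0.38/24).
# Lines beginning with "#" followed by a command are root-prompt transcripts.
yum install bind -y
#vim /etc/named.conf
# Comment out the two lines below (listen on all interfaces, answer any client).
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# org has no secondary in this lab, so refuse zone transfers outright
# (the same directive the weirui.org secondary uses).
allow-transfer { none; };
#vim /etc/named.rfc1912.zones
# Add this zone definition.
zone "org" {
type master;
file "org.zone";
};
#vim /var/named/org.zone
$TTL 1D
@ IN SOA master admin.weirui.org. ( 1 1D 1H 1W 3D )
NS master
weirui NS weiruins1 ; delegate weirui.org to its two servers
weirui NS weiruins2
master A 10.0.0.38
weiruins1 A 10.0.0.48 ; weiruins1.org is inside this zone, so this is authoritative data, not glue
weiruins2 A 10.0.0.58
# NOTE(review): the delegation names (weiruins1/weiruins2.org) differ from the
# NS names inside the child zone (master/slave.weirui.org). It works because both
# sets point at the same addresses, but keeping them identical is cleaner.
# Readable by named only (group named, mode 640).
#chmod 640 /var/named/org.zone
#chgrp named /var/named/org.zone
#systemctl start named #first start
#rndc reload #subsequent reloads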
实现根域的主DNS服务器
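# On the root zone's primary DNS server (10.0.0.28/24).
# Lines beginning with "#" followed by a command are root-prompt transcripts.
yum install bind -y
#vim /etc/named.conf
# Comment out these two lines (lines 13 and 21 in the stock file): listen on
# every interface and answer queries from any client.
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# No secondary for "." in this lab: refuse zone transfers from every host.
allow-transfer { none; };
# Change the stock zone "." entry into this master zone (the default is a hint
# zone backed by named.ca — confirm in the installed named.conf):
zone "." IN {
type master;
file "root.zone";
};
#vim /var/named/root.zone
$TTL 1D
@ IN SOA master admin.weirui.org. ( 1 1D 1H 1W 3D )
NS master
org NS orgns ; delegate org to 10.0.0.38
master A 10.0.0.28
orgns A 10.0.0.38
# Hardening: root-owned, group named, mode 640 so only named can read the zone
# and nothing can alter it through the named account.
chgrp named /var/named/root.zone
chmod 640 /var/named/root.zone
systemctl start named #first start
rndc reload #subsequent reloads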
实现转发目标的DNS服务器
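# On the forwarding-target DNS server (10.0.0.18/24). It recurses on behalf of
# the caching server, starting from the private root below instead of the public one.
yum install bind -y
vim /etc/named.conf
# Comment out these two lines (lines 13 and 21 in the stock file).
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# With allow-query open this host recurses for anyone who can reach it; if it is
# exposed beyond the lab, limit that, e.g. "allow-recursion { 10.0.0.0/24; };".
# DNSSEC validation must be off: the built-in trust anchor belongs to the real
# root, so answers from the private root cannot validate. The trade-off is that
# this resolver accepts every answer unverified.
# NOTE(review): dnssec-enable is obsolete in newer BIND releases — confirm the
# installed version before relying on it.
dnssec-enable no;
# The original omitted the terminating ";" here, which named-checkconf rejects.
dnssec-validation no;
# Replace the public root hints with the lab root server.
vim /var/named/named.ca
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 10.0.0.28
systemctl start named #first start
rndc reload #subsequent reloads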
实现本地缓存DNS服务器
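# On the local caching-only DNS server (10.0.0.8/24) — the original comment
# mislabelled this host as the forwarding target. This is the server the
# client's DNS1 points at.
yum install bind -y
vim /etc/named.conf
# Comment out these two lines (lines 13 and 21 in the stock file).
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# Send every query it cannot answer from cache to 10.0.0.18 and never fall back
# to iterating from the root hints itself ("forward only").
forward only;
forwarders { 10.0.0.18;};
# Recursion is open to any client here; restrict it (e.g.
# "allow-recursion { 10.0.0.0/24; };") if the host is reachable from outside the lab.
# DNSSEC off because the private root cannot be validated against the built-in
# trust anchor.
dnssec-enable no;
# The original omitted the terminating ";" here, which named-checkconf rejects.
dnssec-validation no;
systemctl start named #first start
rndc reload #subsequent reloads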
客户端测试
# Client test (10.0.0.6). A "#" before a command marks the root prompt.
# resolv.conf should carry only the caching server configured via DNS1.
#cat /etc/resolv.conf
nameserver 10.0.0.8
# Resolve through the whole chain: cache -> forwarder -> root -> org -> weirui.org.
#dig www.weirui.org
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> www.weirui.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40755
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.weirui.org. IN A
;; ANSWER SECTION:
www.weirui.org. 86181 IN A 10.0.0.68
;; AUTHORITY SECTION:
weirui.org. 86181 IN NS ns2.weirui.org.
weirui.org. 86181 IN NS ns1.weirui.org.
;; ADDITIONAL SECTION:
ns2.weirui.org. 86181 IN A 10.0.0.48
ns1.weirui.org. 86181 IN A 10.0.0.58
;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Fri May 10 17:28:39 CST 2019
;; MSG SIZE rcvd: 127 成功
# HTTP check via the resolved name; the expected body is the index.html served by 10.0.0.68.
#curl www.weirui.org
www.weirui.org
# Client-side diagnostics: watch where the DNS queries go.
# NOTE(review): the dig answer above came from SERVER 10.0.0.8 with TTL 86181
# (< 1D), i.e. apparently from cache, and its NS names/addresses (ns1/ns2)
# differ from the master/slave records in this guide's zone file. The tcpdump
# transcript below likewise uses other addresses (10.0.0.26/.17/.27/.37) and
# resolves www to 10.0.0.38, so it was evidently captured on a differently
# numbered lab; read it for the query flow
# (client -> cache -> forwarder -> root -> org -> weirui.org), not the exact hosts.
#tcpdump -i eth0 udp port 53 -nn
10:40:48.116236 IP 10.0.0.6.40255 > 10.0.0.26.53: 30543+ A? www.weirui.org. (32)
10:40:48.116278 IP 10.0.0.6.40255 > 10.0.0.26.53: 2993+ AAAA? www.weirui.org. (32)
10:40:48.116635 IP 10.0.0.26.16061 > 10.0.0.17.53: 57114+% [1au] A? www.weirui.org. (43)
10:40:48.116712 IP 10.0.0.26.12121 > 10.0.0.17.53: 48589+% [1au] AAAA? www.weirui.org. (43)
10:40:48.118915 IP 10.0.0.17.43187 > 10.0.0.27.53: 52745% [1au] A? www.weirui.org. (43)
10:40:48.118930 IP 10.0.0.17.53131 > 10.0.0.27.53: 18699% [1au] AAAA? www.weirui.org. (43)
10:40:48.120486 IP 10.0.0.17.40652 > 10.0.0.27.53: 55943 [1au] NS? . (28)
10:40:48.121721 IP 10.0.0.27.53 > 10.0.0.17.43187: 52745 0/1/2 (78)
10:40:48.122582 IP 10.0.0.27.53 > 10.0.0.17.53131: 18699 0/1/2 (78)
10:40:48.123839 IP 10.0.0.27.53 > 10.0.0.17.40652: 55943* 1/0/2 NS master. (63)
10:40:48.130035 IP 10.0.0.17.51804 > 10.0.0.37.53: 38792% [1au] A? www.weirui.org. (43)
10:40:48.130074 IP 10.0.0.17.54721 > 10.0.0.37.53: 19424% [1au] AAAA? www.weirui.org. (43)
10:40:48.132568 IP 10.0.0.37.53 > 10.0.0.17.51804: 38792 0/2/3 (123)
10:40:48.132580 IP 10.0.0.37.53 > 10.0.0.17.54721: 19424 0/2/3 (123)
10:40:48.134568 IP 10.0.0.17.43536 > 10.0.0.28.53: 61837% [1au] A? www.weirui.org. (43)
10:40:48.134926 IP 10.0.0.28.53 > 10.0.0.17.43536: 61837* 1/0/1 A 10.0.0.38 (59)
10:40:48.135508 IP 10.0.0.17.33788 > 10.0.0.28.53: 21937% [1au] AAAA? www.weirui.org. (43)
10:40:48.135693 IP 10.0.0.28.53 > 10.0.0.17.33788: 21937* 0/1/1 (92)
10:40:48.137954 IP 10.0.0.17.53 > 10.0.0.26.16061: 57114 1/2/3 A 10.0.0.38 (139)
10:40:48.139019 IP 10.0.0.26.53 > 10.0.0.6.40255: 30543 1/2/2 A 10.0.0.38 (128)
10:40:48.139395 IP 10.0.0.17.53 > 10.0.0.26.12121: 48589 0/1/1 (92)
10:40:48.139631 IP 10.0.0.26.53 > 10.0.0.6.40255: 2993 0/1/0 (81)