使用unbound提供DNS域名解析服务
# 作者:Eric # 微信:loveoracle11g # 先配yum仓库 [root@server1 ~]# cd /etc/yum.repos.d/ [root@server1 yum.repos.d]# ls [root@server1 yum.repos.d]# vim racooler.repo [racooler] name=rhel7 baseurl=file:///media/cdrom enabled=1 gpgcheck=0 [root@server1 yum.repos.d]# mkdir -p /media/cdrom [root@server1 yum.repos.d]# mount /dev/cdrom /media/cdrom/ mount: /dev/sr0 is write-protected, mounting read-only [root@server1 yum.repos.d]# yum repolist all Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. racooler | 4.1 kB 00:00:00 (1/2): racooler/group_gz | 134 kB 00:00:00 (2/2): racooler/primary_db | 3.4 MB 00:00:00 repo id repo name status racooler rhel7 enabled: 4,305 repolist: 4,305 [root@server1 yum.repos.d]# [root@server1 yum.repos.d]# yum clean Loaded plugins: langpacks, product-id, subscription-manager This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register. 
Error: clean requires an option: headers, packages, metadata, dbcache, plugins, expire-cache, rpmdb, all [root@server1 yum.repos.d]# [root@server1 yum.repos.d]# yum list all | wc -l 4405 # DNS的查询方式 迭代查询:服务器与服务器之间的查询。本地域名服务器向根域名服务器的查询通常是采用迭代查询(反复查询)。当根域名服务器收到本地域名服务器的迭代查询请求报文时,要么给出所要查询的IP地址,要么告诉本地域名服务器下一步应向那个域名服务器进行查询。然后让本地域名服务器进行后续的查询。 递归查询:客户端与服务器之间的查询。主机向本地域名服务器的查询一般都是采用递归查询。如果主机所询问的本地域名服务器不知道被查询域名的 IP 地址,那么本地域名服务器就以 DNS 客户的身份,向其他根域名服务器继续发出查询请求报文。最后会给客户端一个准确的返回结果,无论是成功与否。 # DNS解析类型 正向解析:由域名解析到IP地址。 反向解析:由IP地址解析到域名。 # 名称解析方式 hosts文件(etc/hosts)、dns、广播、解析缓存、dns、wins(windows中)等 DNS安装配置: 在RHEL5、6中dns都是用的是bind软件包,而在RHEL7用的是unbound安装包,配置文件也有了改变。 [root@server1 ~]# yum -y install unbound* [root@server1 ~]# systemctl start unbound [root@server1 ~]# systemctl enable unbound ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service' [root@server1 ~]# systemctl stop iptables [root@server1 ~]# systemctl disable iptables [root@server1 ~]# systemctl mask iptables ln -s '/dev/null' '/etc/systemd/system/iptables.service' [root@server1 ~]# systemctl stop ebtables [root@server1 ~]# systemctl disable ebtables [root@server1 ~]# systemctl mask ebtables ln -s '/dev/null' '/etc/systemd/system/ebtables.service' [root@server1 ~]# firewall-cmd --permanent --add-service=dns success [root@server1 ~]# firewall-cmd --reload success [root@server1 ~]# firewall-cmd --list-all public (default, active) interfaces: eno16777728 sources: services: dhcpv6-client dns ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules: [root@server1 ~]# # DNS服务器上firewall开放DNS访问OK [root@server1 ~]# netstat -tunlp | grep unbound tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 2114/unbound tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2114/unbound tcp6 0 0 ::1:8953 :::* LISTEN 2114/unbound tcp6 0 0 ::1:53 :::* LISTEN 2114/unbound udp 0 0 127.0.0.1:53 0.0.0.0:* 2114/unbound udp6 0 0 ::1:53 :::* 2114/unbound [root@server1 ~]# [root@server1 ~]# ss -tunlp | grep unbound tcp UNCONN 
0 0 127.0.0.1:53 *:* users:(("unbound",2114,5)) tcp UNCONN 0 0 ::1:53 :::* users:(("unbound",2114,3)) tcp LISTEN 0 5 127.0.0.1:8953 *:* users:(("unbound",2114,8)) tcp LISTEN 0 5 127.0.0.1:53 *:* users:(("unbound",2114,6)) tcp LISTEN 0 5 ::1:8953 :::* users:(("unbound",2114,7)) tcp LISTEN 0 5 ::1:53 :::* users:(("unbound",2114,4)) [root@server1 ~]# # 默认监听本地回环地址,也就是现在只有本机能访问DNS服务,其它主机不能访问本机的DNS服务。 [root@server1 ~]# vim /etc/unbound/unbound.conf # 修改监听地址 38 # interface: 0.0.0.0 39 interface: 0.0.0.0 # 让所有主机能够向本机查询DNS 177 # access-control: 0.0.0.0/0 refuse 178 access-control: 0.0.0.0/0 allow # 注意:0.0.0.0/0 allow 会让任意来源都能向本机发起递归查询,也就是一个开放解析器(open resolver);生产环境应只放行受信网段,例如 access-control: 192.168.10.0/24 allow,其它来源保持默认的 refuse。 # 禁用服务用户 # 每个服务都是有其专用的服务用户,DNS的服务用户为unbound,实际情况下服务用户的启用有可能有安全隐患,这里要禁用服务用户。 213 # username: "unbound" 214 username: "" # 注意:username 留空意味着 unbound 启动后不再切换到专用服务用户,而是一直以 root 身份运行;这里仅为演示,生产环境建议保留默认的 username: "unbound" 以降低服务权限。 [root@server1 ~]# systemctl restart unbound [root@server1 ~]# netstat -tunlp | grep unbound tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 2814/unbound tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 2814/unbound tcp6 0 0 ::1:8953 :::* LISTEN 2814/unbound udp 0 0 0.0.0.0:53 0.0.0.0:* 2814/unbound [root@server1 ~]# # 现在53号端口监听的是0.0.0.0,即在所有网络接口上监听。 # 创建解析文件 [root@server1 ~]# hostname server1.example.com [root@server1 ~]# vim /etc/unbound/local.d/example.conf local-zone: "example.com." static local-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H" local-data: "ns.example.com. IN A 192.168.10.201" local-data: "www.example.com. IN A 192.168.10.201" local-data-ptr: "192.168.10.201 ns.example.com." local-data-ptr: "192.168.10.201 www.example.com." 
# 检查解析结果 [root@server1 ~]# unbound-checkconf unbound-checkconf: no errors in /etc/unbound/unbound.conf [root@server1 ~]# systemctl restart unbound [root@server1 ~]# [root@server1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777728 TYPE=Ethernet BOOTPROTO=static DEFROUTE=yes IPV4_FAILURE_FATAL=no IPV6INIT=yes IPV6_AUTOCONF=yes IPV6_DEFROUTE=yes IPV6_FAILURE_FATAL=no NAME=eno16777728 UUID=cbce3ee7-6d18-4fc1-9ad4-4d175aa4ddbc ONBOOT=yes IPADDR0=192.168.10.201 PREFIX0=24 GATEWAY0=192.168.10.1 DNS1=192.168.10.201 HWADDR=00:0C:29:FA:32:28 IPV6_PEERDNS=yes IPV6_PEERROUTES=yes [root@server1 ~]# systemctl restart network [root@server1 ~]# nslookup > 192.168.10.201 Server: 192.168.10.201 Address: 192.168.10.201#53 201.10.168.192.in-addr.arpa name = www.example.com. 201.10.168.192.in-addr.arpa name = ns.example.com. > www.example.com Server: 192.168.10.201 Address: 192.168.10.201#53 Name: www.example.com Address: 192.168.10.201 > exit [root@server1 ~]#