This article demonstrates the bind (named) service on CentOS 7.
DNS is an Internet service: a distributed database that maps domain names to IP addresses and back. Domain names are easier for people to remember than IP addresses, but computers identify each other, and carry traffic, only by IP address.
The user enters a domain name (or an IP address), the server looks up the matching IP address (or name), and the client can then open the site it wants. Name resolution is divided into forward resolution, which turns a domain name into an IP address, and reverse resolution, which turns an IP address into a domain name; forward resolution is by far the more common.
(1) .edu: educational institutions
(2) .pub: public/general use
(3) .cn: China's country-code top-level domain
(4) .org: non-profit organizations
(5) .com: commercial organizations
(6) .gov: government bodies
(7) .net: network service providers
(1) Caching server
Receives resolution requests from resolvers, obtains the answer by querying the root, top-level and second-level servers in turn, returns the result to the resolver, and caches it for the record's TTL. Used mostly inside enterprise LANs and at ISPs.
(2) Forwarding server
Receives requests from resolvers and hands them to a configured upstream server, then relays the answer. It does not walk the hierarchy itself; it only forwards (BIND still caches the answers it relays).
(3) Authoritative servers
Root servers: the top and most important level of the hierarchy, delegating the top-level domains (.com, .cn and so on). Every root server knows the names and addresses of all top-level domain servers, which is what keeps resolution working at all. A root server normally does not return the final answer; it refers the local server to the next server to ask.
Top-level domain servers: manage the second-level domains registered under that TLD; on receiving a query they return a referral to the second-level domain's name servers.
Second-level domain servers: serve the actual name resolution for a domain.
(4) Authoritative (zone) name server
Responsible for managing a "zone". When it cannot return the answer itself, it tells the querier which name server to ask next.
(5) Local name server
The local name server (the resolver a client is configured with) is essential to the system: every DNS query a client issues goes to it first.
DNS stores its data in a distributed structure.
(1) Recursive query
The query from a client to its local DNS server is normally recursive: if the local server has no cached answer, it takes over and performs the full lookup on the client's behalf, step by step.
Enabling recursion for everyone turns the server into an open resolver: it attracts large volumes of traffic and can be abused as a reflector in DNS amplification attacks (the Red Hat named.conf warns about exactly this).
Disabling recursion (the right setting for an authoritative-only server):
- options {
- listen-on port 53 { 192.168.2.135; };
- listen-on-v6 port 53 { ::1; };
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- secroots-file "/var/named/data/named.secroots";
- recursing-file "/var/named/data/named.recursing";
- recursion no; // disable recursive queries
- }
(2) Iterative query
The queries the local DNS server sends towards the root servers are iterative: the root server refers it to the top-level domain servers, which refer it to the second-level servers, and so on, until it has the final answer (or an error) to pass back to the client.
(1) The client enters a domain name and issues a request.
(2) Local resolution: the system checks its own DNS cache and the hosts file; a hit is returned immediately.
(3) Local DNS server: if there is no local result, the system sends the query to the DNS server configured for the network. If that server has the answer in its zone data or cache, it returns it; otherwise what happens depends on how it is configured.
With recursion disabled and no forwarders, the server answers only for the zones it manages and otherwise returns a referral or an error saying the name does not exist. With recursion enabled it resolves the name itself, starting at the root servers and iterating down; with forwarders configured it hands the query to the upstream server instead.
(4) Root query: the local DNS server asks a root server, which returns the address of the responsible top-level domain server; the local server then asks the top-level server, the second-level server, and so on.
(5) When a result is found it is returned to the local DNS server, which caches it and sends it to the user's operating system.
(6) The operating system caches it and hands it to the application, for example the browser.
(7) If nothing is found, an error is returned.
The main configuration file, /etc/named.conf, defines how the bind service runs:
- //
- // named.conf
- //
- // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
- // server as a caching only nameserver (as a localhost DNS resolver only).
- //
- // See /usr/share/doc/bind*/sample/ for example named configuration files.
- //
- // See the BIND Administrator's Reference Manual (ARM) for details about the
- // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
-
- options {
- listen-on port 53 { 192.168.2.160; };
- // the server's real IP to listen on; to listen on every address give only the port, or put any inside the braces
- listen-on-v6 port 53 { ::1; };
- // directory holding the zone data files
- directory "/var/named";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt"; // statistics file
- memstatistics-file "/var/named/data/named_mem_stats.txt"; // memory allocation statistics file
- recursing-file "/var/named/data/named.recursing";
- secroots-file "/var/named/data/named.secroots";
- allow-query { 192.168.2.0/24; }; // which network may send queries
- // any is accepted here, but on a public address that must be combined with recursion no or a restrictive allow-recursion (see the comment that follows)
- /*
- - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- - If you are building a RECURSIVE (caching) DNS server, you need to enable
- recursion.
- - If your recursive DNS server has a public IP address, you MUST enable access
- control to limit queries to your legitimate users. Failing to do so will
- cause your server to become part of large scale DNS amplification
- attacks. Implementing BCP38 within your network would greatly
- reduce such attack surface
- */
- recursion yes; // allow recursion
-
- dnssec-enable yes;
- dnssec-validation yes;
-
- /* Path to ISC DLV key */
- bindkeys-file "/etc/named.root.key";
- managed-keys-directory "/var/named/dynamic";
-
- pid-file "/run/named/named.pid";
- session-keyfile "/run/named/session.key";
- };
-
- logging { // log channels and where they are written
- channel default_debug {
- file "data/named.run";
- severity dynamic;
- };
- };
-
- zone "." IN {
- type hint;
- file "named.ca";
- }; // zone declaration (root hints)
- include "/etc/named.rfc1912.zones"; // pull in further configuration files
- include "/etc/named.root.key";
The data files under /var/named hold the actual name-to-IP mappings:
- [root@sulibao ~]# ll /var/named/
- total 16
- drwxrwx--- 2 named named 23 Jan 14 14:36 data
- drwxrwx--- 2 named named 60 Jan 14 14:59 dynamic
- -rw-r----- 1 root named 2253 Aug 20 2021 named.ca
- -rw-r----- 1 root named 152 Aug 20 2021 named.empty
- -rw-r----- 1 root named 152 Aug 20 2021 named.localhost
- -rw-r----- 1 root named 168 Aug 20 2021 named.loopback
- drwxrwx--- 2 named named 6 Aug 20 2021 slaves
/etc/named.rfc1912.zones declares where each zone's data file lives; it does not itself contain any name-to-IP mappings.
- // named.rfc1912.zones:
- //
- // Provided by Red Hat caching-nameserver package
- //
- // ISC BIND named zone configuration for zones recommended by
- // RFC 1912 section 4.1 : localhost TLDs and address zones
- // and https://tools.ietf.org/html/rfc6303
- // (c)2007 R W Franks
- //
- // See /usr/share/doc/bind*/sample/ for example named configuration files.
- //
- // Note: empty-zones-enable yes; option is default.
- // If private ranges should be forwarded, add
- // disable-empty-zone "."; into options
- //
-
- zone "localhost.localdomain" IN {
- type master;
- file "named.localhost";
- allow-update { none; };
- };
- zone "localhost" IN {
- type master;
- file "named.localhost";
- allow-update { none; };
- };
-
- zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
- type master;
- file "named.loopback";
- allow-update { none; };
- };
-
- zone "1.0.0.127.in-addr.arpa" IN {
- type master;
- file "named.loopback";
- allow-update { none; };
- };
- zone "0.in-addr.arpa" IN {
- type master;
- file "named.empty";
- allow-update { none; };
- };
Check that the main configuration file is syntactically correct (logic errors are not detected); no output means no errors:
[root@sulibao etc]# named-checkconf /etc/named.conf
Check that a zone data file is correct:
- [root@sulibao etc]# named-checkzone <zone name> /var/named/<zone file>
- zone ssll.com/IN: loaded serial 0
- OK
(1) host <name> <server address>
- [root@sulibao ~]# host <name> 192.168.xx.xx
- Using domain server:
- Name: 192.168.xx.xx
- Address: 192.168.xx.xx#xx
- Aliases:
-
- www.ssll.com has address 192.168.xx.xx
(2) nslookup <name or IP address>, or nslookup <name> <master server IP>
When testing with a bare nslookup <name>, /etc/resolv.conf must point at the master server you configured (replace the existing nameserver line); otherwise append the server IP to every command. NetworkManager regenerates this file, so for a setting that survives a restart change the DNS server on the connection (nmcli or nmtui) instead of editing the file.
- [root@sulibao ~]# vim /etc/resolv.conf
- # Generated by NetworkManager
- nameserver 192.168.xx.xx
- ~
- ~
- ~
- ~
- [root@sulibao ~]# nslookup dhcp.ssll.com
- Server: 192.168.xx
- Address: 192.168.xx.xx#53
-
- Name: dhcp.ssll.com
- Address: 192.168.xx.xx
(3) dig <name or IP address>, or dig @<master server IP> <name> (dig takes the server with a leading @). In the reply below, the aa flag in the header line means the answer came from the authoritative server itself rather than from a cache.
- [root@sulibao ~]# dig www.ssll.com
-
- ; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.ssll.com
- ;; global options: +cmd
- ;; Got answer:
- ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17437
- ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
-
- ;; OPT PSEUDOSECTION:
- ; EDNS: version: 0, flags:; udp: 4096
- ; COOKIE: 3d40fb765259182859905d8e63c2bf2121052d8929894483 (good)
- ;; QUESTION SECTION:
- ;www.ssll.com. IN A
-
- ;; ANSWER SECTION:
- www.ssll.com. 86400 IN A 192.168.xx.xx
-
- ;; AUTHORITY SECTION:
- ssll.com. 86400 IN NS dns.ssll.com.
-
- ;; ADDITIONAL SECTION:
- dns.ssll.com. 86400 IN A 192.168.xx.xx
-
- ;; Query time: 1 msec
- ;; SERVER: 192.168.xx.xx#53(192.168.xx.xx)
- ;; WHEN: Sat Jan 14 22:41:37 CST 2023
- ;; MSG SIZE rcvd: 119
- [root@sulibao ~]# rpm -ql bind
- /etc/logrotate.d/named
- /etc/named
- /etc/named.conf // main bind configuration file
- /etc/named.iscdlv.key
- /etc/named.rfc1912.zones // zone declarations (zone configuration file)
- /etc/named.root.key
- /etc/rndc.conf
- /etc/rndc.key
- /etc/rwtab.d/named
- /etc/sysconfig/named
- /run/named
- /usr/bin/arpaname
- /usr/bin/named-rrchecker
- /usr/lib/python2.7/site-packages/isc
- /usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
- /usr/lib/python2.7/site-packages/isc/__init__.py
- /usr/lib/python2.7/site-packages/isc/__init__.pyc
- /usr/lib/python2.7/site-packages/isc/__init__.pyo
- /usr/lib/python2.7/site-packages/isc/checkds.py
- /usr/lib/python2.7/site-packages/isc/checkds.pyc
- /usr/lib/python2.7/site-packages/isc/checkds.pyo
- /usr/lib/python2.7/site-packages/isc/coverage.py
- /usr/lib/python2.7/site-packages/isc/coverage.pyc
- /usr/lib/python2.7/site-packages/isc/coverage.pyo
- /usr/lib/python2.7/site-packages/isc/dnskey.py
- /usr/lib/python2.7/site-packages/isc/dnskey.pyc
- /usr/lib/python2.7/site-packages/isc/dnskey.pyo
- /usr/lib/python2.7/site-packages/isc/eventlist.py
- /usr/lib/python2.7/site-packages/isc/eventlist.pyc
- /usr/lib/python2.7/site-packages/isc/eventlist.pyo
- /usr/lib/python2.7/site-packages/isc/keydict.py
- /usr/lib/python2.7/site-packages/isc/keydict.pyc
- /usr/lib/python2.7/site-packages/isc/keydict.pyo
- /usr/lib/python2.7/site-packages/isc/keyevent.py
- /usr/lib/python2.7/site-packages/isc/keyevent.pyc
- /usr/lib/python2.7/site-packages/isc/keyevent.pyo
- /usr/lib/python2.7/site-packages/isc/keymgr.py
- /usr/lib/python2.7/site-packages/isc/keymgr.pyc
- /usr/lib/python2.7/site-packages/isc/keymgr.pyo
- /usr/lib/python2.7/site-packages/isc/keyseries.py
- /usr/lib/python2.7/site-packages/isc/keyseries.pyc
- /usr/lib/python2.7/site-packages/isc/keyseries.pyo
- /usr/lib/python2.7/site-packages/isc/keyzone.py
- /usr/lib/python2.7/site-packages/isc/keyzone.pyc
- /usr/lib/python2.7/site-packages/isc/keyzone.pyo
- /usr/lib/python2.7/site-packages/isc/parsetab.py
- /usr/lib/python2.7/site-packages/isc/parsetab.pyc
- /usr/lib/python2.7/site-packages/isc/parsetab.pyo
- /usr/lib/python2.7/site-packages/isc/policy.py
- /usr/lib/python2.7/site-packages/isc/policy.pyc
- /usr/lib/python2.7/site-packages/isc/policy.pyo
- /usr/lib/python2.7/site-packages/isc/rndc.py
- /usr/lib/python2.7/site-packages/isc/rndc.pyc
- /usr/lib/python2.7/site-packages/isc/rndc.pyo
- /usr/lib/python2.7/site-packages/isc/utils.py
- /usr/lib/python2.7/site-packages/isc/utils.pyc
- /usr/lib/python2.7/site-packages/isc/utils.pyo
- /usr/lib/systemd/system/named-setup-rndc.service
- /usr/lib/systemd/system/named.service
- /usr/lib/tmpfiles.d/named.conf
- /usr/lib64/bind
- /usr/libexec/generate-rndc-key.sh
- /usr/sbin/ddns-confgen
- /usr/sbin/dnssec-checkds
- /usr/sbin/dnssec-coverage
- /usr/sbin/dnssec-dsfromkey
- /usr/sbin/dnssec-importkey
- /usr/sbin/dnssec-keyfromlabel
- /usr/sbin/dnssec-keygen
- /usr/sbin/dnssec-keymgr
- /usr/sbin/dnssec-revoke
- /usr/sbin/dnssec-settime
- /usr/sbin/dnssec-signzone
- /usr/sbin/dnssec-verify
- /usr/sbin/genrandom
- /usr/sbin/isc-hmac-fixup
- /usr/sbin/lwresd
- /usr/sbin/named
- /usr/sbin/named-checkconf // checks the syntax of /etc/named.conf
- /usr/sbin/named-checkzone // checks a zone and the syntax of its zone file:
- named-checkzone <zone name> <zone file>
- /usr/sbin/named-compilezone
- /usr/sbin/named-journalprint
- /usr/sbin/nsec3hash
- /usr/sbin/rndc // remote name server control tool
- /usr/sbin/rndc-confgen // generates the rndc key
- /usr/sbin/tsig-keygen
- /usr/share/doc/bind-9.11.4
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch01.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch02.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch03.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch04.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch05.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch06.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch07.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch08.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch09.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch10.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch11.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch12.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.ch13.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.html
- /usr/share/doc/bind-9.11.4/Bv9ARM.pdf
- /usr/share/doc/bind-9.11.4/CHANGES
- /usr/share/doc/bind-9.11.4/README
- /usr/share/doc/bind-9.11.4/isc-logo.pdf
- /usr/share/doc/bind-9.11.4/man.arpaname.html
- /usr/share/doc/bind-9.11.4/man.ddns-confgen.html
- /usr/share/doc/bind-9.11.4/man.delv.html
- /usr/share/doc/bind-9.11.4/man.dig.html
- /usr/share/doc/bind-9.11.4/man.dnssec-checkds.html
- /usr/share/doc/bind-9.11.4/man.dnssec-coverage.html
- /usr/share/doc/bind-9.11.4/man.dnssec-dsfromkey.html
- /usr/share/doc/bind-9.11.4/man.dnssec-importkey.html
- /usr/share/doc/bind-9.11.4/man.dnssec-keyfromlabel.html
- /usr/share/doc/bind-9.11.4/man.dnssec-keygen.html
- /usr/share/doc/bind-9.11.4/man.dnssec-keymgr.html
- /usr/share/doc/bind-9.11.4/man.dnssec-revoke.html
- /usr/share/doc/bind-9.11.4/man.dnssec-settime.html
- /usr/share/doc/bind-9.11.4/man.dnssec-signzone.html
- /usr/share/doc/bind-9.11.4/man.dnssec-verify.html
- /usr/share/doc/bind-9.11.4/man.dnstap-read.html
- /usr/share/doc/bind-9.11.4/man.genrandom.html
- /usr/share/doc/bind-9.11.4/man.host.html
- /usr/share/doc/bind-9.11.4/man.isc-hmac-fixup.html
- /usr/share/doc/bind-9.11.4/man.lwresd.html
- /usr/share/doc/bind-9.11.4/man.mdig.html
- /usr/share/doc/bind-9.11.4/man.named-checkconf.html
- /usr/share/doc/bind-9.11.4/man.named-checkzone.html
- /usr/share/doc/bind-9.11.4/man.named-journalprint.html
- /usr/share/doc/bind-9.11.4/man.named-nzd2nzf.html
- /usr/share/doc/bind-9.11.4/man.named-rrchecker.html
- /usr/share/doc/bind-9.11.4/man.named.conf.html
- /usr/share/doc/bind-9.11.4/man.named.html
- /usr/share/doc/bind-9.11.4/man.nsec3hash.html
- /usr/share/doc/bind-9.11.4/man.nslookup.html
- /usr/share/doc/bind-9.11.4/man.nsupdate.html
- /usr/share/doc/bind-9.11.4/man.pkcs11-destroy.html
- /usr/share/doc/bind-9.11.4/man.pkcs11-keygen.html
- /usr/share/doc/bind-9.11.4/man.pkcs11-list.html
- /usr/share/doc/bind-9.11.4/man.pkcs11-tokens.html
- /usr/share/doc/bind-9.11.4/man.rndc-confgen.html
- /usr/share/doc/bind-9.11.4/man.rndc.conf.html
- /usr/share/doc/bind-9.11.4/man.rndc.html
- /usr/share/doc/bind-9.11.4/named.conf.default
- /usr/share/doc/bind-9.11.4/notes.html
- /usr/share/doc/bind-9.11.4/notes.pdf
- /usr/share/doc/bind-9.11.4/sample
- /usr/share/doc/bind-9.11.4/sample/etc
- /usr/share/doc/bind-9.11.4/sample/etc/named.conf
- /usr/share/doc/bind-9.11.4/sample/etc/named.rfc1912.zones
- /usr/share/doc/bind-9.11.4/sample/var
- /usr/share/doc/bind-9.11.4/sample/var/named
- /usr/share/doc/bind-9.11.4/sample/var/named/data
- /usr/share/doc/bind-9.11.4/sample/var/named/my.external.zone.db
- /usr/share/doc/bind-9.11.4/sample/var/named/my.internal.zone.db
- /usr/share/doc/bind-9.11.4/sample/var/named/named.ca
- /usr/share/doc/bind-9.11.4/sample/var/named/named.empty
- /usr/share/doc/bind-9.11.4/sample/var/named/named.localhost
- /usr/share/doc/bind-9.11.4/sample/var/named/named.loopback
- /usr/share/doc/bind-9.11.4/sample/var/named/slaves
- /usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.ddns.internal.zone.db
- /usr/share/doc/bind-9.11.4/sample/var/named/slaves/my.slave.internal.zone.db
- /usr/share/man/man1/arpaname.1.gz
- /usr/share/man/man1/named-rrchecker.1.gz
- /usr/share/man/man5/named.conf.5.gz
- /usr/share/man/man5/rndc.conf.5.gz
- /usr/share/man/man8/ddns-confgen.8.gz
- /usr/share/man/man8/dnssec-checkds.8.gz
- /usr/share/man/man8/dnssec-coverage.8.gz
- /usr/share/man/man8/dnssec-dsfromkey.8.gz
- /usr/share/man/man8/dnssec-importkey.8.gz
- /usr/share/man/man8/dnssec-keyfromlabel.8.gz
- /usr/share/man/man8/dnssec-keygen.8.gz
- /usr/share/man/man8/dnssec-keymgr.8.gz
- /usr/share/man/man8/dnssec-revoke.8.gz
- /usr/share/man/man8/dnssec-settime.8.gz
- /usr/share/man/man8/dnssec-signzone.8.gz
- /usr/share/man/man8/dnssec-verify.8.gz
- /usr/share/man/man8/genrandom.8.gz
- /usr/share/man/man8/isc-hmac-fixup.8.gz
- /usr/share/man/man8/lwresd.8.gz
- /usr/share/man/man8/named-checkconf.8.gz
- /usr/share/man/man8/named-checkzone.8.gz
- /usr/share/man/man8/named-compilezone.8.gz
- /usr/share/man/man8/named-journalprint.8.gz
- /usr/share/man/man8/named.8.gz
- /usr/share/man/man8/nsec3hash.8.gz
- /usr/share/man/man8/rndc-confgen.8.gz
- /usr/share/man/man8/rndc.8.gz
- /usr/share/man/man8/tsig-keygen.8.gz
- /var/log/named.log
- /var/named
- /var/named/data
- /var/named/dynamic
- /var/named/named.ca // root hints
- /var/named/named.empty
- /var/named/named.localhost // localhost zone data
- /var/named/named.loopback
- /var/named/slaves // slave directory; in a master/slave setup it holds the zone files transferred from the master
ssll.com is used for the demonstration; VM 1 (192.168.2.160) is the master server.
- [root@sulibao ~]# yum install -y bind
- [root@sulibao ~]# systemctl start named
- [root@sulibao ~]# systemctl enable named
www.xx.com: give it a real IP
dns.xx.com: give it a real IP
dhcp.xx.com: may be given a made-up address
nfs.xx.com: may be given a made-up address
ntp.xx.com: may be given a made-up address
(1) Change the listen address to the server's real address and restrict queries to the local network:
- [root@sulibao ~]# vim /etc/named.conf
- listen-on port 53 { 192.168.2.160; };
- allow-query { 192.168.2.0/24; };
(2) Declare the zone. Because the zone file is created by hand, the author also comments out the two include lines at the end of the file. That step is optional, and keeping /etc/named.root.key is preferable: it supplies the DNSSEC trust anchor that dnssec-validation yes depends on in this BIND version, and the RFC 1912 zones do no harm.
- zone "ssll.com" IN {
- type master; // master marks this server as the primary for the zone
- file "ssll.zone";
- };
- #include "/etc/named.rfc1912.zones";
- #include "/etc/named.root.key";
(1) Create a zone file ending in .zone under /var/named/:
[root@sulibao ~]# vim /var/named/ssll.zone
(2) The new file is empty and the format is easy to get wrong, so copy the stock localhost zone file over it as a template:
- [root@sulibao ~]# cd /var/named/
- [root@sulibao named]# ll
- total 20
- drwxrwx--- 2 named named 23 Jan 14 14:28 data
- drwxrwx--- 2 named named 31 Jan 14 14:44 dynamic
- -rw-r----- 1 root named 2253 Apr 5 2018 named.ca
- -rw-r----- 1 root named 152 Dec 15 2009 named.empty
- -rw-r----- 1 root named 152 Jun 21 2007 named.localhost
- -rw-r----- 1 root named 168 Dec 15 2009 named.loopback
- drwxrwx--- 2 named named 6 Oct 4 15:06 slaves
- -rw-r--r-- 1 root root 879 Jan 14 14:32 ssll.zone
- [root@sulibao named]# cp -a named.localhost ssll.zone
- // -a also copies ownership and mode (root:named, 0640), which named needs in order to read the file
- $TTL 1D
- @ IN SOA @ rname.invalid. (
- 0 ; serial
- 1D ; refresh
- 1H ; retry
- 1W ; expire
- 3H ) ; minimum
- NS @
- A 127.0.0.1
- AAAA ::1
(3) Edit the contents (names in rdata that are meant to be absolute must end with a trailing dot; comments start with ";"):
- $TTL 1D
- @ IN SOA dns.ssll.com. test.163.com. ( 0 1D 1H 1W 3H )
- IN NS dns.ssll.com.
- IN MX 10 mail.ssll.com.
- dns.ssll.com. IN A 192.168.2.160
- mail.ssll.com. IN A 192.168.2.161
- www.ssll.com. IN A 192.168.2.160
- dnss IN CNAME dns
- ; CNAME alias: dnss.ssll.com resolves to whatever dns.ssll.com points at
- ftp IN A 192.168.xx.xx
- dhcp IN A 192.168.xx.xx
- ntp IN A 192.168.xx.xx
$TTL 1D: default cache time (TTL) of one day for the records in this file
@: placeholder for the zone origin, the domain name given in the zone statement
IN: the Internet class
SOA: start of authority record
dns.ssll.com.: the primary name server for the zone, written with the trailing dot
NS: name server record; which host serves the zone defined here
test.163.com.: the zone administrator's mailbox, with the "@" written as "." and a trailing dot (without the trailing dot named appends the zone name and stores test.163.com.ssll.com.)
MX: mail exchanger record; a preference value followed by the host that receives mail (the preference is a 16-bit number, 0 to 65535, and the lowest value is tried first)
Values in parentheses: 0 is the serial, the version number of the zone; it must be increased on every change so slaves know the zone is newer
1D refresh: how often a slave checks the master for a new serial
1H retry: how long a slave waits before retrying a failed refresh
1W expire: how long a slave keeps serving the zone without reaching the master before it stops answering for it
3H minimum: negative-caching TTL, how long a "name does not exist" answer is cached
CNAME: alias; a query for dnss.ssll.com is answered with the address of dns.ssll.com. Note that "#" is not a comment character in zone files; a "#" line makes named-checkzone fail.
- [root@sulibao ~]# named-checkconf /etc/named.conf
- [root@sulibao ~]# named-checkzone ssll.com /var/named/ssll.zone
- zone ssll.com/IN: loaded serial 0
- OK
- [root@sulibao ~]# systemctl restart httpd
- [root@sulibao ~]# systemctl restart named
(1) Testing on Linux: on another VM use host, dig, nslookup (covered above) and ping, and try names such as mail.ssll.com, dns.ssll.com and dhcp.ssll.com as well.
- [root@sulibao ~]# nslookup www.ssll.com
- Server: 192.168.2.160
- Address: 192.168.2.160#53
- // seeing the listen address and port from the main configuration here means the query went to our server
-
- Name: www.ssll.com
- Address: 192.168.2.160
-
- [root@sulibao ~]# nslookup mail.ssll.com
- Server: 192.168.2.161
- Address: 192.168.2.161#53
-
- Name: mail.ssll.com
- Address: 192.168.2.161
-
- [root@sulibao ~]# nslookup dns.ssll.com
- Server: 192.168.2.160
- Address: 192.168.2.160#53
-
- Name: dns.ssll.com
- Address: 192.168.2.160
-
- [root@sulibao ~]# nslookup ftp.ssll.com
- Server: 192.168.xx.xx
- Address: 192.168.xx.xx#53
-
- Name: ftp.ssll.com
- Address: 192.168.xx.xx
-
- [root@sulibao ~]# nslookup ntp.ssll.com
- Server: 192.168.xx.xx
- Address: 192.168.xx.xx#53
-
- Name: ntp.ssll.com
- Address: 192.168.xx.xx
-
- [root@sulibao ~]# nslookup dhcp.ssll.com
- Server: 192.168.xx.xx
- Address: 192.168.xx.xx#53
-
- Name: dhcp.ssll.com
- Address: 192.168.xx.xx
-
If the test fails and the configuration files are correct, set the IPv4 DNS of the VMnet8 adapter in the network settings to manual and point it at your DNS server's IP.
(2) ping the names from Windows
To reach the names from Windows, either point the adapter's DNS at the server or write the IP-to-name mappings into the hosts file (hosts entries bypass DNS entirely, so they test the web service rather than the name server).
Run Windows PowerShell as administrator:
- Windows PowerShell
- Copyright (C) Microsoft Corporation. All rights reserved.
-
- Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
-
- PS C:\WINDOWS\system32> cd .\drivers\etc\
- PS C:\WINDOWS\system32\drivers\etc> ls
-
-
- Directory: C:\WINDOWS\system32\drivers\etc
-
-
- Mode LastWriteTime Length Name
- ---- ------------- ------ ----
- -a---- 2023/1/13 13:52 873 hosts
- -a---- 2022/5/7 13:22 3683 lmhosts.sam
- -a---- 2022/5/12 12:16 407 networks
- -a---- 2022/5/12 12:16 1358 protocol
- -a---- 2022/5/12 12:16 17635 services
-
-
- PS C:\WINDOWS\system32\drivers\etc> notepad .\hosts
- PS C:\WINDOWS\system32\drivers\etc>
You can also open the content configured in the earlier article in a browser using the domain name.
This builds on section 4.
ssll.com is used again; VM 1 is the master server.
Only a new zone statement has to be added where the zones are declared:
- [root@sulibao ~]# vim /etc/named.conf
- zone "2.168.192.in-addr.arpa" IN {
- // the server's network written back to front, with the trailing 0 omitted and the suffix .in-addr.arpa appended
- type master;
- file "2.168.192.zone";
- };
Create a file 2.168.192.zone under /var/named/.
PTR records hold the reverse (address-to-name) mappings.
- [root@sulibao ~]# vim /var/named/2.168.192.zone
- ; same basic format as the forward zone
- $TTL 1D
- @ IN SOA dns.ssll.com. test.163.com (
- 0
- 1D
- 1H
- 1W
- 3H
- )
- IN NS dns.ssll.com.
-
- ; name and IP are written the other way round: the owner is just the last octet (the rest of the address comes from the zone origin), and the target must end with a trailing dot, otherwise named appends the zone name to it
- 160 IN PTR dns.ssll.com.
- 161 IN PTR mail.ssll.com.
- 160 IN PTR www.ssll.com.
- xx IN PTR ftp.ssll.com.
- xx IN PTR dhcp.ssll.com.
- xx IN PTR ntp.ssll.com.
- [root@sulibao ~]# named-checkconf /etc/named.conf
- [root@sulibao ~]# named-checkzone 2.168.192.in-addr.arpa /var/named/2.168.192.zone
- zone 2.168.192.in-addr.arpa/IN: loaded serial 0
- OK
- [root@sulibao ~]# systemctl restart named
nslookup <IP to look up> (<master server IP>)
- [root@localhost named]# nslookup 192.168.2.10
- ** server can't find 10.2.168.192.in-addr.arpa: NXDOMAIN
- [root@localhost named]# nslookup 192.168.2.160
- 160.2.168.192.in-addr.arpa name = dns.ssll.com.2.168.192.in-addr.arpa.
The 2.168.192.in-addr.arpa. suffix on that answer is the symptom of a PTR target written without the trailing dot: named appended the zone name. With the dot (dns.ssll.com.) the answer is just dns.ssll.com.
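Added example, not part of the original article: a small Python linter for the zone-file mistakes seen in this section and in the forward zone above (a domain name in rdata without the trailing dot, a serial of 0, a "#" comment). The two zone texts are constructed copies of the tutorial's reverse zone, one as written and one corrected; the YYYYMMDDnn serial in the corrected copy is an assumption. It complements named-checkzone, which catches syntax errors but accepts a relative name that is syntactically valid.

```python
import re

# Constructed copy of the tutorial's reverse zone with its mistakes left in
# (no trailing dot on the SOA mailbox and the PTR targets, serial 0, a '#' comment).
REVERSE_ZONE_AS_WRITTEN = """\
$TTL 1D
@ IN SOA dns.ssll.com. test.163.com (
    0
    1D
    1H
    1W
    3H
    )
    IN NS dns.ssll.com.
160 IN PTR dns.ssll.com
161 IN PTR mail.ssll.com
#this is not a comment in a zone file
"""

# The same zone corrected; the YYYYMMDDnn serial value is an assumption.
REVERSE_ZONE_FIXED = """\
$TTL 1D
@ IN SOA dns.ssll.com. test.163.com. ( 2023011401 1D 1H 1W 3H )
    IN NS dns.ssll.com.
160 IN PTR dns.ssll.com.
161 IN PTR mail.ssll.com.
; zone-file comments start with a semicolon
"""

RECORD_TYPES = {"SOA", "NS", "MX", "CNAME", "PTR", "A", "AAAA", "TXT", "SRV"}


def fqdn(name, origin):
    """What named stores for a name: '@' is the origin, a relative name gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def logical_lines(text):
    """Return (line_no, indented, text) tuples: ';' comments dropped, '( ... )' continuations joined."""
    out, buf, start, indented, depth = [], [], 0, False, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()
        if not buf:
            if not line.strip():
                continue
            start, indented = n, raw[:1].isspace()
        buf.append(line.strip())
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            out.append((start, indented, " ".join(buf)))
            buf, depth = [], 0
    if buf:  # unterminated '(' at end of file
        out.append((start, indented, " ".join(buf)))
    return out


def parse_record(text, indented):
    """(owner, type, rdata) for a record line; an indented line inherits the previous owner (None here)."""
    toks = text.replace("(", " ").replace(")", " ").split()
    idx = next((i for i, t in enumerate(toks) if t.upper() in RECORD_TYPES), None)
    if idx is None:
        return None
    return (None if indented else toks[0]), toks[idx].upper(), toks[idx + 1:]


def lint(zone_text, origin):
    """Return (line_no, code, detail) findings for the mistakes this tutorial's zone files make."""
    findings = []
    for n, indented, text in logical_lines(zone_text):
        if text.startswith("#"):
            findings.append((n, "HASH_COMMENT", "'#' is not a comment in zone files; use ';'"))
            continue
        if text.startswith("$"):            # $TTL, $ORIGIN, $GENERATE
            if text.upper().startswith("$ORIGIN"):
                origin = text.split()[1]
            continue
        rec = parse_record(text, indented)
        if rec is None:
            findings.append((n, "UNPARSED", text))
            continue
        owner, rtype, rdata = rec
        # rdata fields that are domain names, and so origin-relative when the trailing dot is missing
        names = {"SOA": rdata[:2], "MX": rdata[1:2], "NS": rdata[:1],
                 "CNAME": rdata[:1], "PTR": rdata[:1]}.get(rtype, [])
        for name in names:
            if "." in name and not name.endswith("."):
                findings.append((n, "RELATIVE_FQDN", "%s %s: %s will be stored as %s"
                                 % (owner or "(previous owner)", rtype, name, fqdn(name, origin))))
        if rtype == "SOA" and len(rdata) > 2 and rdata[2] == "0":
            findings.append((n, "SERIAL_ZERO", "serial 0; use YYYYMMDDnn and raise it on every edit so slaves transfer"))
    return findings


if __name__ == "__main__":
    for label, zone in (("as written", REVERSE_ZONE_AS_WRITTEN), ("fixed", REVERSE_ZONE_FIXED)):
        print(label)
        for finding in lint(zone, "2.168.192.in-addr.arpa."):
            print("  line %d %s: %s" % finding)
```

Run it against your own files with lint(open(path).read(), origin), where origin is the zone name with a trailing dot; the RELATIVE_FQDN detail prints exactly the name nslookup will show, which is how the stray suffix in the output above can be traced back to its line.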
Besides VM 1 from above, start a second VM (192.168.2.170): VM 1 is the master, VM 2 the slave. Make sure the network is up, then install and start the bind service. The author disables SELinux and the firewall for the lab; outside a lab leave both on and open only the DNS service (port 53, tcp and udp) in firewalld.
(1) Configure the master's (VM 1) main configuration file /etc/named.conf
- [root@sulibao ~]# vim /etc/named.conf
- allow-query { 192.168.2.0/24; }; // find this line and add the next one below it
- allow-transfer { 192.168.2.0/24; }; // who may perform a zone transfer; the author allows the whole /24, but a transfer hands out every record in the zone, so restrict it to the slave's address (192.168.2.170) or protect it with a TSIG key
Save and exit; check the syntax with named-checkconf.
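Added example, not from the original article: a Python audit of the two exposure settings this page touches, recursion (from the recursion section earlier) and zone transfer (allow-transfer here). It parses named.conf text, resolves acl names, and flags an open resolver or a transfer ACL wider than the known secondaries. Both configuration fragments are constructed for the example; the acl names lan and secondaries, and the use of any in the weak fragment, are assumptions rather than the tutorial's settings.

```python
import re

# Constructed example fragments (not the tutorial's files). WEAK mirrors what the
# tutorial's comments present as acceptable: "any" may query, recursion is on, and
# the whole /24 may transfer the zone. HARDENED is this example's recommended shape;
# the acl names "lan" and "secondaries" are assumptions.
WEAK_CONF = """
options {
    listen-on port 53 { 192.168.2.160; };
    allow-query { any; };                // anyone may ask ...
    recursion yes;                       // ... and we recurse for them: open resolver
    allow-transfer { 192.168.2.0/24; };  // any host on the LAN can dump the zone
};
"""

HARDENED_CONF = """
acl lan { 192.168.2.0/24; localhost; };
acl secondaries { 192.168.2.170; };      // the tutorial's slave server
options {
    listen-on port 53 { 192.168.2.160; };
    allow-query { lan; };
    recursion yes;
    allow-recursion { lan; };            // resolver service for the LAN only
    allow-query-cache { lan; };
    allow-transfer { secondaries; };     // AXFR/IXFR only to the listed slave
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(text, keyword):
    """Body of 'keyword { ... }' found by brace matching, so nested { } inside are fine."""
    m = re.search(r"\b%s\s*\{" % re.escape(keyword), text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def parse_acls(text):
    """acl NAME { a; b; };  ->  {"NAME": ["a", "b"]}"""
    return {m.group(1): [e.strip() for e in m.group(2).split(";") if e.strip()]
            for m in re.finditer(r"\bacl\s+(\S+)\s*\{([^}]*)\}", text)}


def directive(body, name):
    """Value of 'name { list; };' as a list, or of 'name value;' as a string; None if absent."""
    m = re.search(r"(?m)^\s*%s\s+(?:\{([^}]*)\}|([^;{]+?))\s*;" % re.escape(name), body)
    if not m:
        return None
    if m.group(1) is not None:
        return [e.strip() for e in m.group(1).split(";") if e.strip()]
    return m.group(2)


def expand(entries, acls):
    """Flatten acl references into the addresses and keywords they stand for."""
    out = set()
    for e in entries:
        out |= expand(acls[e], acls) if e in acls else {e}
    return out


def audit(conf):
    """Return (code, detail) findings for the two exposure questions of this page."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    opts = block_body(text, "options")
    findings = []

    # Who may use this server as a recursive resolver?  BIND falls back in this order.
    if directive(opts, "recursion") == "yes":
        allowed = (directive(opts, "allow-recursion")
                   or directive(opts, "allow-query-cache")
                   or directive(opts, "allow-query")
                   or ["localnets", "localhost"])
        if "any" in expand(allowed, acls):
            findings.append(("OPEN_RESOLVER", "recursion yes and recursion is allowed from any"))

    # Who may pull the whole zone?  (BIND 9.11 default when unset: any.)
    xfer = directive(opts, "allow-transfer")
    if xfer is None:
        findings.append(("TRANSFER_DEFAULT", "allow-transfer unset; BIND 9.11 defaults to any"))
    else:
        for entry in sorted(expand(xfer, acls)):
            if entry == "any":
                findings.append(("TRANSFER_ANY", "zone transfer allowed from any"))
            elif "/" in entry and not entry.endswith(("/32", "/128")):
                findings.append(("TRANSFER_NETWORK", "zone transfer allowed from the whole network " + entry))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

The fallback chain in audit is why the tutorial's own configuration (allow-query limited to the /24, no allow-recursion) is not an open resolver: BIND derives allow-recursion from allow-query-cache and then from allow-query. The hardened fragment states the intent explicitly instead of relying on that chain, and names the slave individually for transfers.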
(2) Configure the slave's (VM 2) main configuration file /etc/named.conf
Change the listen address to the slave's own IP:
listen-on port 53 { 192.168.2.170; };
Add a zone statement of type slave, point masters at the master's IP, and store the transferred zone file in the slaves folder under /var/named:
- zone "ssll.com" IN {
- type slave; // slave marks a secondary (slave) zone
- masters { 192.168.2.160; }; // the server to transfer the zone from
- file "slaves/ssll.zone"; // where the transferred copy is stored; named creates it under /var/named/slaves after the first transfer
- };
- [root@sulibao ~]# cd /var/named/slaves/
- [root@sulibao slaves]# ll
- total 4
- -rw-r--r-- 1 named named 500 Jan 14 20:04 ssll.zone
(3) Check the syntax and restart the service
- [root@sulibao ~]# named-checkconf /etc/named.conf
- [root@sulibao ~]# systemctl restart named
(4) Test. The slave answers only for the zones the master is configured with and that are declared here as slave zones; declare the reverse zone the same way if the master has one, and the slave will resolve those addresses too.
- [root@SLB slaves]# tail -1 /etc/resolv.conf
- nameserver 192.168.2.170
- [root@SLB slaves]# nslookup www.ssll.com
- Server: 192.168.2.170
- Address: 192.168.2.170#53
-
- Name: www.ssll.com
- Address: 192.168.2.160
-
- [root@SLB slaves]# nslookup mail.ssll.com
- Server: 192.168.2.170
- Address: 192.168.2.170#53
-
- Name: mail.ssll.com
- Address: 192.168.2.161
Transferring only the records that changed is an incremental zone transfer (IXFR). For the slave to pick up a change at all, the serial in the SOA of the master's zone file (/var/named/ssll.zone) must be increased every time the file is edited.
The slave compares serials and transfers only when the master's is greater than its own, never when it is equal or smaller; a change without a serial bump is invisible to it.
After editing, reload the master (rndc reload or systemctl restart named) so that it sends NOTIFY to the slave.
This builds on the forward and reverse zones configured above and adds bulk records.
(1) Edit the forward zone file /var/named/ssll.zone
- [root@sulibao ~]# vim /var/named/ssll.zone
- Add this line at the end; it generates entries for 10 to 15 as an example, adjust the range to the addresses your hosts use
- $GENERATE 10-15 $.ssll.com. IN A 192.168.2.$
- each $ is replaced by the current number, in the owner name and in the address alike
(2) Check the syntax and restart the service
- [root@sulibao ~]# named-checkzone ssll.com /var/named/ssll.zone
- zone ssll.com/IN: loaded serial 0
- OK
- [root@sulibao ~]# systemctl restart named
(3) Test
- [root@sulibao ~]# nslookup www.ssll.com
- Server: 192.168.xx.xx
- Address: 192.168.xx.xx#53
-
- Name: www.ssll.com
- Address: 192.168.xx.xx
-
- [root@sulibao ~]# nslookup 10.ssll.com
- Server: 192.168.xx
- Address: 192.168.xx.xx#53
-
- Name: 10.ssll.com
- Address: 192.168.2.10
-
- [root@sulibao ~]# nslookup 13.ssll.com
- Server: 192.168.2.xx
- Address: 192.168.2.xx#53
-
- Name: 13.ssll.com
- Address: 192.168.2.13
(1) Edit the reverse zone file /var/named/2.168.192.zone
- [root@sulibao ~]# vim /var/named/2.168.192.zone
- Add this line at the end; it generates entries for 10 to 15 as an example, adjust the range to the addresses your hosts use (the target needs the trailing dot, otherwise named appends the reverse zone name to it)
- $GENERATE 10-15 $ IN PTR $.ssll.com.
(2) Check the syntax and restart the service
- [root@sulibao ~]# named-checkzone 2.168.192 /var/named/2.168.192.zone
- zone 2.168.192/IN: loaded serial 0
- OK
- [root@sulibao ~]# systemctl restart named
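Added example, not from the original article: expanding the $GENERATE lines of this and the previous section in Python, deriving the in-addr.arpa zone name from the network prefix, and checking that every generated A record has a matching PTR. The inputs are the tutorial's two directives (with the trailing dot the reverse one needs) plus a deliberately dot-less copy; only plain $ and ${offset} substitution are implemented, not BIND's width/base modifiers.

```python
import ipaddress
import re

# Constructed inputs: the tutorial's two $GENERATE lines, with the trailing dot the
# reverse one needs, and a copy without it (each PTR target then gets the reverse
# zone's origin appended, which is what the tutorial's nslookup output shows).
FORWARD_GENERATE = "$GENERATE 10-15 $.ssll.com. IN A 192.168.2.$"
REVERSE_GENERATE = "$GENERATE 10-15 $ IN PTR $.ssll.com."
REVERSE_GENERATE_BUGGY = "$GENERATE 10-15 $ IN PTR $.ssll.com"
FORWARD_ORIGIN = "ssll.com."


def fqdn(name, origin):
    """Absolute form of a zone-file name: '@' is the origin, a relative name gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def reverse_zone(cidr):
    """in-addr.arpa zone name for an octet-aligned IPv4 prefix: 192.168.2.0/24 -> 2.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes (/8, /16, /24) map to one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner(ip):
    """Owner name of the PTR record for an address: 192.168.2.160 -> 160.2.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


GENERATE_RE = re.compile(
    r"^\$GENERATE\s+(\d+)-(\d+)(?:/(\d+))?\s+(\S+)\s+(?:\d+\s+)?(?:IN\s+)?(\S+)\s+(\S+)\s*$", re.I)


def expand_generate(line, origin):
    """Expand one $GENERATE line into absolute (owner, type, rdata) records.

    Supports '$' and '${offset}' substitution; BIND's width/base modifiers
    (${offset,width,base}) are not implemented here.
    """
    m = GENERATE_RE.match(line)
    if not m:
        raise ValueError("not a $GENERATE line: " + line)
    lo, hi, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    lhs, rtype, rhs = m.group(4), m.group(5).upper(), m.group(6)

    def subst(template, i):
        return re.sub(r"\$(?:\{([+-]?\d+)\})?", lambda mm: str(i + int(mm.group(1) or 0)), template)

    records = []
    for i in range(lo, hi + 1, step):
        rdata = subst(rhs, i)
        if rtype in ("PTR", "CNAME", "NS"):   # name-valued rdata is origin-relative, like the owner
            rdata = fqdn(rdata, origin)
        records.append((fqdn(subst(lhs, i), origin), rtype, rdata))
    return records


def check_consistency(a_records, ptr_records):
    """Return (A records with no matching PTR, PTR records with no matching A), as (owner, rdata) pairs."""
    a_pairs = {(owner, rdata) for owner, rtype, rdata in a_records if rtype == "A"}
    ptr_pairs = {(owner, rdata) for owner, rtype, rdata in ptr_records if rtype == "PTR"}
    expected_ptrs = {(ptr_owner(ip), name) for name, ip in a_pairs}
    missing_ptr = sorted(p for p in expected_ptrs if p not in ptr_pairs)
    missing_a = sorted(p for p in ptr_pairs if p not in expected_ptrs)
    return missing_ptr, missing_a


if __name__ == "__main__":
    rz = reverse_zone("192.168.2.0/24")
    fwd = expand_generate(FORWARD_GENERATE, FORWARD_ORIGIN)
    rev = expand_generate(REVERSE_GENERATE, rz)
    print(rz)
    for rec in fwd + rev:
        print(rec)
    print("with trailing dot:", check_consistency(fwd, rev))
    print("without trailing dot:", check_consistency(fwd, expand_generate(REVERSE_GENERATE_BUGGY, rz)))
```

Feed check_consistency the records of a whole forward zone and its reverse zone and it lists every host that is missing from one side, which is the usual way a hand-maintained reverse zone drifts out of step with the forward one.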
(3) Test
- [root@sulibao ~]# nslookup 192.168.xx.xx
- xx.2.168.192.in-addr.arpa name = dns.ssll.com.
-
- [root@sulibao ~]# nslookup 192.168.2.10
- 10.2.168.192.in-addr.arpa name = 10.ssll.com.2.168.192.in-addr.arpa.
-
- [root@sulibao ~]# nslookup 192.168.2.15
- 15.2.168.192.in-addr.arpa name = 15.ssll.com.2.168.192.in-addr.arpa.
The 2.168.192.in-addr.arpa. suffix on these two answers is what you get when the $GENERATE target is written as $.ssll.com without the trailing dot; with $.ssll.com. the answers are 10.ssll.com. and 15.ssll.com.