I. Introduction to DNS and BIND
DNS (Domain Name System) is a hierarchical naming system that maps domain names to IP addresses and back, forming a distributed database. It uses a client/server architecture; the server side works on UDP port 53 and TCP port 53. An FQDN (Fully Qualified Domain Name) names one exact host by its complete path through the DNS tree hierarchy. DNS provides forward resolution (FQDN -> IP) and reverse resolution (IP -> FQDN), and has become a basic service of Internet communication.
BIND (Berkeley Internet Name Domain) is the most widely used DNS server software on today's Internet: about nine out of ten DNS servers run BIND. It is now developed and maintained by the Internet Systems Consortium (ISC).
II. Lab environment:
VM12, CentOS 7.3 x64 (the DNS server, IP 172.16.252.77), CentOS 6.9 x64 (the test client, IP 172.16.252.174)
III. Preparation:
Because this lab only aims to show how DNS works, the firewall and SELinux on CentOS 7.3 are turned off.
[root@hengxia ~]# getenforce # show the current SELinux mode
Enforcing
[root@hengxia ~]# vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=permissive
[root@hengxia ~]# setenforce 0 # apply it immediately
[root@hengxia ~]# iptables -nvL
[root@hengxia ~]# systemctl disable firewalld # do not start the firewall on the next boot
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
[root@hengxia ~]# systemctl stop firewalld # stop the firewall now
[root@hengxia ~]# iptables -vnL
IV. Install BIND with yum on CentOS 7.3 and start it
[root@hengxia ~]# yum -y install bind
[root@hengxia ~]# rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf # main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones # zone definition file
...(omitted)...
/run/named # runtime directory used by the service script
...(omitted)...
/var/log/named.log
/var/named # service root directory (zone files live here)
...(omitted)...
/var/named/slaves # zone file directory used by slave servers
[root@hengxia ~]# systemctl start named # start the service
[root@hengxia ~]# systemctl enable named # start it at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@hengxia ~]# ss -nult # problem: port 53 is bound to 127.0.0.1 only, so named answers local queries but cannot serve other hosts
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 *:43451 *:*
udp UNCONN 0 0 127.0.0.1:53 *:*
udp UNCONN 0 0 *:68 *:*
udp UNCONN 0 0 ::1:53 :::*
udp UNCONN 0 0 :::16010 :::*
tcp LISTEN 0 10 127.0.0.1:53 *:*
tcp LISTEN 0 128 *:22 *:*
tcp LISTEN 0 128 127.0.0.1:953 *:*
tcp LISTEN 0 100 127.0.0.1:25 *:*
tcp LISTEN 0 10 ::1:53 :::*
tcp LISTEN 0 128 :::22 :::*
tcp LISTEN 0 128 ::1:953 :::*
tcp LISTEN 0 100 ::1:25 :::*
V. Configure BIND on CentOS 7.3
[root@centos6 ~]# yum install telnet -y
[root@centos6 ~]# telnet 172.16.252.77 53 # the connection to port 53 on the DNS server is refused
Trying 172.16.252.77...
telnet: connect to address 172.16.252.77: Connection refused
[root@hengxia ~]# cp -p /etc/named.conf{,.bak} # back up named.conf, then edit it
[root@hengxia ~]# vim /etc/named.conf
Comment out the line listen-on port 53 { 127.0.0.1; }; (without it, named binds every address) or change it to listen-on port 53 { localhost; }; # localhost here means all of this host's addresses
[root@hengxia ~]# systemctl reload named # reload the configuration
[root@hengxia ~]# cd /etc/sysconfig/network-scripts/
[root@hengxia network-scripts]# vim ifcfg-ens33
[root@hengxia network-scripts]# cat ifcfg-ens33 # change the default DNS server
HWADDR="00:0c:29:c2:73:07"
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
PEERDNS="yes"
PEERROUTES="yes"
IPV4_FAILURE_FATAL="no"
IPV6INIT="yes"
IPV6_AUTOCONF="yes"
IPV6_DEFROUTE="yes"
IPV6_PEERDNS="yes"
IPV6_PEERROUTES="yes"
IPV6_FAILURE_FATAL="no"
IPV6_ADDR_GEN_MODE="stable-privacy"
NAME="ens33"
UUID="5b68a5ab-1ef0-4d0d-9084-82e94508156c"
DNS1="127.0.0.1" # CentOS 7.3 is itself the DNS server, so it points at itself
IPADDR="172.16.252.77"
PREFIX=16
GATEWAY="172.16.0.1"
DEVICE="ens33"
ONBOOT="yes"
[root@hengxia network-scripts]# systemctl restart network
[root@hengxia ~]# cat /etc/resolv.conf # check the default DNS server
# Generated by NetworkManager
search top
nameserver 127.0.0.1
[root@hengxia ~]# vim /etc/named.conf
Change allow-query { localhost; }; to allow-query { localhost; 172.168.252.174; }; to allow queries from one specific address,
or change it to allow-query { localhost; any; }; or allow-query { localhost; 0.0.0.0/0; };, or comment the line out, to allow queries from any address
[root@hengxia ~]# named-checkconf # syntax-check named.conf
[root@hengxia ~]# systemctl reload named # reload the configuration; rndc reload does the same
VI. Set up your own zone on CentOS 7.3
Set up a zone on the CentOS 7.3 DNS server so that it resolves the www.hengxia.top domain.
1. Store the www.hengxia.top name-to-IP mapping on the DNS server.
Add the mapping from the zone to its zone database either in /etc/named.conf or in /etc/named.rfc1912.zones; the latter is recommended.
zone "hengxia.top" IN { # hengxia.top is the zone name
    type master; # authoritative (primary) server for this zone
    file "hengxia.top.zone"; # zone database; named looks under /var/named by default, so only the file name is needed
};
2. Using named.localhost in /var/named as a template, create hengxia.top.zone, the zone database.
[root@hengxia ~]# cd /var/named
[root@hengxia named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@hengxia named]# cp -p named.localhost hengxia.top.zone # cp -p keeps the owner and group; with plain cp, run chgrp named hengxia.top.zone afterwards
[root@hengxia named]# cat hengxia.top.zone # zone database format: stores the name-to-IP mappings
$TTL 1D ; default TTL (cache lifetime) for every record in the file
@ IN SOA @ rname.invalid. ( ; SOA record. IN is the Internet class: required on the first record, later records may omit it and inherit it. rname.invalid. is the zone contact's mailbox, with the @ written as a dot
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS @ ; @ stands for the zone being configured, e.g. hengxia.top when configuring hengxia.top
    A 127.0.0.1 ; A record: name to IPv4 address
    AAAA ::1 ; AAAA record: name to IPv6 address
[root@hengxia named]# vim hengxia.top.zone
[root@hengxia named]# cat hengxia.top.zone
$TTL 1D
@ IN SOA dns1.hengxia.top. dnsadmin.hengxia.top. ( ; both names must end with a dot, otherwise the zone origin is appended to them
        201707262051 ; serial
        10M ; refresh
        3M ; retry
        1D ; expire
        3D ) ; minimum
    NS dns1
    NS dns2
dns1 A 172.16.252.77
dns2 A 172.16.252.174
websrv A 1.1.1.1
ftpsrv A 2.2.2.2
[root@hengxia named]# named-checkconf # checks named.conf and the files it includes under /etc
[root@hengxia named]# named-checkzone hengxia.top /var/named/hengxia.top.zone # check the zone database file
dns_rdata_fromtext: /var/named/hengxia.top.zone:2: near '201707262051': out of range # the serial exceeds the 32-bit maximum
zone hengxia.top/IN: loading from master file /var/named/hengxia.top.zone failed: out of range
zone hengxia.top/IN: not loaded due to errors.
[root@hengxia named]# vim hengxia.top.zone
[root@hengxia named]# named-checkzone hengxia.top /var/named/hengxia.top.zone
zone hengxia.top/IN: loaded serial 2017072601
OK
[root@hengxia named]# rndc reload
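As an added check (example code, not part of the original post), a small Python linter that catches the out-of-range serial named-checkzone reported above before the file ever reaches named, plus two related slips: an SOA MNAME or RNAME without its trailing dot (which named silently expands to dns1.hengxia.top.hengxia.top.) and an in-zone NS without a glue A record. The zone text, the origin hengxia.top. and all function names are constructed for this example.

```python
MAX_SERIAL = 2**32 - 1  # SOA serial is an unsigned 32-bit integer (RFC 1035)

def _records(text):  # yield logical records: comments and $ directives dropped, SOA parentheses joined
    buf = ""
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        buf = buf + " " + line.strip() if buf else line
        if buf.count("(") == buf.count(")"):
            yield buf
            buf = ""

def _fqdn(name, origin):  # qualify a relative name with the origin, exactly as named does
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def lint_zone(text, origin):
    """Return the problems found in a minimal BIND-style zone file (origin ends with '.')."""
    problems, a_owners, ns_targets, owner = [], set(), [], origin
    for rec in _records(text):
        fields = [f for f in rec.replace("(", " ").replace(")", " ").split() if f.upper() != "IN"]
        if not rec[0].isspace():            # explicit owner; a blank owner inherits the last one
            owner = _fqdn(fields.pop(0), origin)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            for name in rdata[:2]:          # MNAME and RNAME: a relative name gets the origin appended
                if "." in name and not name.endswith("."):
                    problems.append(f"SOA name {name!r} lacks a trailing dot (named reads it as {_fqdn(name, origin)})")
            if not rdata[2].isdigit() or int(rdata[2]) > MAX_SERIAL:
                problems.append(f"serial {rdata[2]} is out of range (max {MAX_SERIAL})")
        elif rtype == "NS":
            ns_targets.append(_fqdn(rdata[0], origin))
        elif rtype == "A":
            a_owners.add(owner)
    for ns in ns_targets:                   # an in-zone name server needs an A record (glue)
        if ns.endswith("." + origin) and ns not in a_owners:
            problems.append(f"NS {ns} has no A record in the zone")
    return problems

# Constructed sample modelled on the first hengxia.top.zone above: over-long serial, SOA MNAME without its dot
BROKEN_ZONE = """\
$TTL 1D
@   IN SOA dns1.hengxia.top dnsadmin.hengxia.top. (
        201707262051 10M 3M 1D 3D )   ; serial refresh retry expire minimum
    NS  dns1
dns1    A   172.16.252.77
websrv  A   1.1.1.1
"""

if __name__ == "__main__":
    print(*lint_zone(BROKEN_ZONE, "hengxia.top."), sep="\n")
```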
VII. Test DNS from CentOS 6.9
[root@centos6 ~]# yum -y install bind bind-utils # the test tools dig, host and nslookup come from the bind-utils package
[root@centos6 ~]# dig www.hengxia.top @172.16.252.77
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.hengxia.top @172.16.252.77
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 53941
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.hengxia.top. IN A
;; Query time: 7 msec
;; SERVER: 172.16.252.77#53(172.16.252.77)
;; WHEN: Wed Jul 26 19:13:37 2017
;; MSG SIZE rcvd: 33
[root@centos6 ~]# dig websrv.hengxia.top @172.16.252.77 # success: the zone on CentOS 7.3 is working
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> websrv.hengxia.top @172.16.252.77
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49446
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 # aa means this is an authoritative answer
;; QUESTION SECTION:
;websrv.hengxia.top. IN A
;; ANSWER SECTION:
websrv.hengxia.top. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
hengxia.top. 86400 IN NS dns1.hengxia.top.
hengxia.top. 86400 IN NS dns2.hengxia.top.
;; ADDITIONAL SECTION:
dns1.hengxia.top. 86400 IN A 172.16.252.77
dns2.hengxia.top. 86400 IN A 172.16.252.174
;; Query time: 3 msec
;; SERVER: 172.16.252.77#53(172.16.252.77)
;; WHEN: Wed Jul 26 19:17:38 2017
;; MSG SIZE rcvd: 122