一、高速缓存服务配置
1.服务端安装高速缓存服务 yum install bind -y
2.服务端开启高速缓存服务 systemctl start named
[[email protected] ~]# systemctl start named
正常开启后生成文件 /etc/rndc.key
[[email protected] ~]# ll /etc/rndc.key
-rw-r----- 1 root named 77 Apr 25 03:02 /etc/rndc.key
3.客户端修改DNS配置文件 /etc/resolv.conf
1 # Generated by NetworkManager
2 search ilt.example.com example.com
3 nameserver 172.25.254.250
4.当服务端只允许53接口回环使用时 ##防火墙关闭 /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
客户端无法访问
[[email protected] ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
;; global options: +cmd
;; connection timed out; no servers could be reached
5.当服务端53接口共享,但只允许本地用户访问时
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; };
客户端访问被拒绝
[[email protected] ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53598
6.当服务端不能解析域名时
[[email protected] ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63026
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
7.服务端配置ok时
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders {172.25.254.77;};
客户端实验
[[email protected] ~]# dig www.qq.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59247
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; Query time: 0 msec
;; SERVER: 172.25.254.108#53(172.25.254.108)
;; WHEN: Wed Apr 25 15:13:13 CST 2018
;; MSG SIZE rcvd: 39
二、本地正向解析配置
1.修改dns解析地址 /etc/resolv.conf
# Generated by NetworkManager
search ilt.example.com
nameserver 172.25.254.108
2.修改named服务配置文件,改为本地解析 /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
3.修改配置文件 /etc/named.rfc1912.zones
type master;
file "westos.com.zone";
allow-update { none; };
};
4.新建文件 ##在/var/named目录下
cp -p named.localhost westos.com.zone
修改文件
@ IN SOA @ root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.177
hello A 172.25.254.150
hi A 172.25.254.151
5.本机测试:
dig hello.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49145
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;hello.westos.com. IN A
;; ANSWER SECTION:
hello.westos.com. 86400 IN A 172.25.254.150
;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.177
三、本地反向解析配置
1.修改dns解析地址 /etc/resolv.conf
2.修改named服务配置文件,改为本地解析 /etc/named.conf
3.修改配置文件 /etc/named.rfc1912.zones
type master;
file "westos.com.ptr";
allow-update { none; };
};
4.新建文件 ##在/var/named目录下
cp -p named.loopback westos.com.prt
$TTL 1D
@ IN SOA @ root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.177
111 PTR test.westos.com.
112 PTR hello.westos.com.
5.本机测试:
dig -x 172.25.254.111
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3189
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;111.254.25.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN PTR test.westos.com.
;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.
;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.177
注意:本地(正向/反向)解析时,若named配置文件找不到该域名/IP地址,会访问失败
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18925
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.254.25.172.in-addr.arpa. IN PTR
四、dns解析设置
轮询式域名解析
1.修改配置文件 westos.com.zone ##在/var/named目录下
$TTL 1D
@ IN SOA @ root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.108
hello CNAME www
www A 172.25.254.111
www A 172.25.254.122
2.本地解析时,域名解析出现轮询式
dig hello.westos.com
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.111
www.westos.com. 86400 IN A 172.25.254.122
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.122
www.westos.com. 86400 IN A 172.25.254.111
辅助主机解析
1.辅助主机配置yum源,安装bind,打开named服务
2.辅助主机修改DNS配置文件 ##本地
# Generated by NetworkManager
search example.com
nameserver 172.25.254.208
3.辅助主机修改配置文件 /etc/named.rfc1912.zones
zone "westos.com" IN {
type slave;
masters {172.25.254.108;};
file "slaves/westos.com.zone";
allow-update { none; };
};
4.本地主机修改配置文件
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { none; };
allow-transfer {172.25.254.208;}; ##允许208主机同步
also-notify {172.25.254.208;}; ##当文件变更时,通知208主机
};
5.本地主机修改文件westos.com.zone
$TTL 1D
@ IN SOA @ root.westos.com. (
042601 ; serial ##最后一次修改时间
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.108
hello CNAME www
www A 172.25.254.101
www A 172.25.254.102
6.本地主机重启named服务,dig hello.westos.com
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.101
www.westos.com. 86400 IN A 172.25.254.102
辅助主机重启named服务,dig hello.westos.com
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.101
www.westos.com. 86400 IN A 172.25.254.102
双向域名解析
其他主机
DNS域名解析文件 /etc/resolv.conf
# Generated by NetworkManager
search example.com
nameserver 172.25.254.108
本地主机
1.新建文件 ##在目录 /var/named
cp -p westos.com.zone westos.com.inter
修改IP地址
$TTL 1D
@ IN SOA @ root.westos.com. (
042601 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 192.168.0.108
hello CNAME www
www A 192.168.0.101
www A 192.168.0.102
2.新建配置文件
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter
修改zones
zone "westos.com" IN {
type master;
file "westos.com.inter";
allow-update { none; };
allow-transfer {172.25.254.208;};
also-notify {172.25.254.208;};
};
3.修改主配置文件 ##/etc/named.conf
注释原来的zone
/*
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
*/
新增本地(local)域名解析和其他主机(any)域名解析
view localnet {
match-clients{172.25.254.108;};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
};
view anynet {
match-clients{any;};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.inter";
};
4.重启named服务后实验
本地域名解析时
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 172.25.254.101
www.westos.com. 86400 IN A 172.25.254.102
其他主机域名解析时
;; ANSWER SECTION:
hello.westos.com. 86400 IN CNAME www.westos.com.
www.westos.com. 86400 IN A 192.168.0.102
www.westos.com. 86400 IN A 192.168.0.101
远程更新 ##注意:selinux状态不能为Enforcing!
1.对本地文件进行备份
cp -p /var/named/westos.com.zone /mnt
2.修改本地配置文件 /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { 172.25.254.208; }; ##允许208主机远程更新
allow-transfer {172.25.254.208;};
also-notify {172.25.254.208;};
};
3.此时目录/var/named/中组内用户没有w权限
-rw-r----- 1 root named 229 Apr 26 01:38 westos.com.zone
远程主机无法实现更新
[[email protected] named]# nsupdate
> server 172.25.254.108
> update delete hello.westos.com
> send
update failed: SERVFAIL
4.本地主机修改/var/named/权限
[[email protected] named]# chmod g+w /var/named/
远程主机可以实现更新
[[email protected] named]# nsupdate
> server 172.25.254.108
> update delete hello.westos.com ##删除
> send
[[email protected] named]# nsupdate
> server 172.25.254.108
> update add hello.westos.com 86400 A 172.25.254.120 ##添加
> send ##86400为1天秒数,有效期
5.本地主机重启named服务
生成westos.com.zone.jnl文件,且westos.com.zone被改变
$ORIGIN .
$TTL 86400 ; 1 day
westos.com IN SOA westos.com. root.westos.com. (
42603 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns.westos.com.
$ORIGIN westos.com.
dns A 172.25.254.108
hello A 172.25.254.120
www A 172.25.254.101
A 172.25.254.102
远程更新加密 ##注意:selinux状态不能为Enforcing!
1.还原配置文件
2.生成加**匙 ##实验环境为/mnt
dnssec-****** -a HMAC-MD5 -b 128 -n HOST westos
-a ##加密方式 -b ##密码大小bits -n ##nametype,域名解析
[[email protected] mnt]# ls
Kwestos.+157+02231.key Kwestos.+157+02231.private westos.com.zone
3.编辑**文件
cp -p /etc/rndc.key /etc/westos.key
key "westos" {
algorithm hmac-md5;
secret "wLb7wlj95YfZFUK8nZ1Oqw==";
};
4.修改配置文件 /etc/named.rfc1912.zones
zone "westos.com" IN {
type master;
file "westos.com.zone";
allow-update { key westos; };
allow-transfer {172.25.254.208;};
also-notify {172.25.254.208;};
};
5.修改主配置文件 /etc/named.conf
include "/etc/westos.key"; ##新增**文件
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
6.把**文件传送给远程主机 ##实验环境为/mnt
scp Kwestos.+157+02231* [email protected]:/mnt
7.本地主机重启后,远程主机可以更新dns
[[email protected] named]# cd /mnt
[[email protected] mnt]# ls
Kwestos.+157+02231.key Kwestos.+157+02231.private
[[email protected] mnt]# nsupdate -k Kwestos.+157+02231.private
> server 172.25.254.108
> update add hello.westos.com 86400 A 172.25.254.120
> send
> quit
五、动态域名解析 ##花生壳
1.还原配置文件,本地主机(服务端)安装dhcp
2.修改dhcp配置文件 /etc/dhcp/dhcpd.conf
[[email protected] named]# cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y ##有覆盖提示,说明文件正确
# option definitions common to all supported networks...
option domain-name "westos.com"; ##域名
option domain-name-servers 172.25.254.108; ##dns服务器
default-lease-time 600;
max-lease-time 7200;
# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim; ##dns的更新工作方式
ad-hoc interim none
# This is a very basic subnet declaration.
subnet 172.25.254.0 netmask 255.255.255.0 { ##子网、子网掩码
range 172.25.254.50 172.25.254.60; ##IP地址池
option routers 172.25.254.108; ##网关
}
key westos {
algorithm hmac-md5; ##key的加密方式
secret wLb7wlj95YfZFUK8nZ1Oqw==; ##key的密码
};
zone westos.com. {
primary 127.0.0.1; ##主机内部回环接口
key westos; ##读取的加密文件为westos
}
3.远程主机访问dns
注意:远程主机的网卡工作模式为dhcp,修改主机名为name.westos.com
建议:格式化虚拟机,修改主机名
本地主机重启dhcpd服务、named服务,远程主机可dig本机
(例:远程主机名为bbs.westos.com)
[[email protected] ~]# dig bbs.westos.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> bbs.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.westos.com. IN A
;; ANSWER SECTION:
bbs.westos.com. 300 IN A 172.25.254.50
本地主机的域同步更新
$ORIGIN .
$TTL 86400 ; 1 day
westos.com IN SOA westos.com. root.westos.com. (
42602 ; serial
86400 ; refresh (1 day)
3600 ; retry (1 hour)
604800 ; expire (1 week)
10800 ; minimum (3 hours)
)
NS dns.westos.com.
$ORIGIN westos.com.
$TTL 300 ; 5 minutes
bbs A 172.25.254.50 ##新增的域名解析内容
TXT "0006177289b2ae3cbee2c9dc00838c2c46"
$TTL 86400 ; 1 day
dns A 172.25.254.108
hello CNAME www
www A 172.25.254.101
A 172.25.254.102