1. Briefly describe how a DNS server works, and set up a primary and a secondary server.
How a DNS server works
DNS (Domain Name Service) is an application-layer protocol with a client/server architecture; it listens by default on TCP and UDP port 53. The server software BIND was developed at the University of California, Berkeley. Its main job is to resolve Internet domain names into the corresponding IP addresses so that remote hosts can be reached by name. Take a visit to www.baidu.com as an example of the workflow. The browser first checks the local /etc/hosts file for a www.baidu.com entry; if there is one, it connects to that IP directly. If there is none, it asks the DNS server configured on the host (for example the DNS server of the local ISP). If that server can already answer, it returns the IP to the browser, which connects to it. If the configured server has no record for the name, it queries a root server: "I want to reach www.baidu.com; do you have its IP?" The root server checks its data and answers: "I don't have it, but com is one of my child zones, so here is the address of the com servers; ask them." Our DNS server then asks a com server the same question; com answers that it does not have the record either, but baidu.com is one of its child zones, and hands back the address of the baidu.com name servers. Our server then asks baidu.com, which recognises www.baidu.com as a host in its own zone and returns its address. Our DNS server caches that address locally and passes it to the browser, which then connects to the web service behind www.baidu.com. That is the overall flow. In short: when we access a host by name rather than by IP address, we first look in /etc/hosts; if the record is there we use it, otherwise we ask the configured DNS server; if it does not know the answer, it asks the root and then the appropriate child zones on our behalf, going round the whole chain, and finally either returns the address or tells us that the name cannot be resolved.
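The lookup order just described, written out as a small simulation. This is an added example, not code from the original post; the hosts entries, zone data and addresses are all constructed for the illustration:

```python
"""Simulation of the lookup order described above: /etc/hosts first, then the
configured resolver's cache, then an iterative walk that starts at the root and
follows referrals down to the zone that owns the name. Every host, zone and
address below is constructed for this example."""

# Constructed /etc/hosts entries: consulted before DNS is ever asked
HOSTS = {"printer.lan": "192.168.0.20"}

# Constructed authoritative data, one entry per zone the walk can reach.
# "delegations" are referrals to child zones; "addresses" are final answers.
ZONES = {
    ".": {"delegations": ["com."], "addresses": {}},
    "com.": {"delegations": ["baidu.com."], "addresses": {}},
    "baidu.com.": {"delegations": [], "addresses": {"www.baidu.com.": "203.0.113.10"}},
}


def fqdn(name):
    """Names are compared in absolute form (trailing dot)."""
    return name if name.endswith(".") else name + "."


def ask_authoritative(zone, qname):
    """What a server for `zone` replies: ('answer', ip) for a name it owns,
    ('referral', child) for a name below one of its delegations, or
    ('nxdomain', None) when it knows nothing about the name."""
    data = ZONES[zone]
    if qname in data["addresses"]:
        return "answer", data["addresses"][qname]
    for child in data["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child
    return "nxdomain", None


class Resolver:
    """The DNS server configured on the host: caches answers and performs the
    iterative walk on the client's behalf (recursion)."""

    def __init__(self):
        self.cache = {}
        self.trace = []     # which server was asked and what it said

    def resolve(self, name):
        qname = fqdn(name)
        if qname in self.cache:
            self.trace.append(("cache", qname))
            return self.cache[qname]
        zone = "."          # every walk starts at the root
        while True:
            kind, value = ask_authoritative(zone, qname)
            self.trace.append((zone, kind))
            if kind == "referral":
                zone = value                # follow the referral one zone down
            elif kind == "answer":
                self.cache[qname] = value   # cache before answering the client
                return value
            else:
                return None


def lookup(name, resolver):
    """Client-side order: hosts file, then the resolver. Returns (ip, source)."""
    if name in HOSTS:
        return HOSTS[name], "hosts"
    ip = resolver.resolve(name)
    return ip, ("dns" if ip else "nxdomain")
```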
Setting up an authoritative primary DNS server
1) Install the BIND package
```
[root@test ~]#yum install -y bind
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                     | 3.6 kB  00:00:00
dockerrepo                                               | 2.9 kB  00:00:00
epel                                                     | 5.4 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind.x86_64.32.9.11.4-9.P2.el7 将被 安装
--> 正在处理依赖关系 bind-libs-lite(x86-64) = 32:9.11.4-9.P2.el7,它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 bind-libs(x86-64) = 32:9.11.4-9.P2.el7,它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 liblwres.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisccfg.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisccc.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisc.so.169()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libdns.so.1102()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libbind9.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在检查事务
---> 软件包 bind-libs.x86_64.32.9.11.4-9.P2.el7 将被 安装
--> 正在处理依赖关系 bind-license = 32:9.11.4-9.P2.el7,它被软件包 32:bind-libs-9.11.4-9.P2.el7.x86_64 需要
---> 软件包 bind-libs-lite.x86_64.32.9.9.4-74.el7_6.2 将被 升级
--> 正在处理依赖关系 libdns-export.so.100()(64bit),它被软件包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
--> 正在处理依赖关系 libisc-export.so.95()(64bit),它被软件包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
---> 软件包 bind-libs-lite.x86_64.32.9.11.4-9.P2.el7 将被 更新
--> 正在检查事务
---> 软件包 bind-license.noarch.32.9.9.4-74.el7_6.2 将被 升级
---> 软件包 bind-license.noarch.32.9.11.4-9.P2.el7 将被 更新
---> 软件包 dhclient.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhclient.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 正在处理依赖关系 dhcp-libs(x86-64) = 12:4.2.5-77.el7.centos,它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 dhcp-common = 12:4.2.5-77.el7.centos,它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 libisc-export.so.169()(64bit),它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 libdns-export.so.1102()(64bit),它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在检查事务
---> 软件包 bind-export-libs.x86_64.32.9.11.4-9.P2.el7 将被 安装
---> 软件包 dhcp-common.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhcp-common.x86_64.12.4.2.5-77.el7.centos 将被 更新
---> 软件包 dhcp-libs.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhcp-libs.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 解决依赖关系完成

依赖关系解决

==========================================================================================
 Package             架构        版本                          源         大小
==========================================================================================
正在安装:
 bind                x86_64      32:9.11.4-9.P2.el7            base       2.3 M
为依赖而安装:
 bind-export-libs    x86_64      32:9.11.4-9.P2.el7            base       1.1 M
 bind-libs           x86_64      32:9.11.4-9.P2.el7            base       154 k
为依赖而更新:
 bind-libs-lite      x86_64      32:9.11.4-9.P2.el7            base       1.1 M
 bind-license        noarch      32:9.11.4-9.P2.el7            base        88 k
 dhclient            x86_64      12:4.2.5-77.el7.centos        base       285 k
 dhcp-common         x86_64      12:4.2.5-77.el7.centos        base       176 k
 dhcp-libs           x86_64      12:4.2.5-77.el7.centos        base       133 k

事务概要
==========================================================================================
安装  1 软件包 (+2 依赖软件包)
升级           ( 5 依赖软件包)

总下载量:5.3 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/8): bind-export-libs-9.11.4-9.P2.el7.x86_64.rpm        | 1.1 MB  00:00:00
(2/8): bind-libs-9.11.4-9.P2.el7.x86_64.rpm               | 154 kB  00:00:00
(3/8): bind-9.11.4-9.P2.el7.x86_64.rpm                    | 2.3 MB  00:00:00
(4/8): bind-libs-lite-9.11.4-9.P2.el7.x86_64.rpm          | 1.1 MB  00:00:00
(5/8): dhclient-4.2.5-77.el7.centos.x86_64.rpm            | 285 kB  00:00:00
(6/8): bind-license-9.11.4-9.P2.el7.noarch.rpm            |  88 kB  00:00:00
(7/8): dhcp-common-4.2.5-77.el7.centos.x86_64.rpm         | 176 kB  00:00:00
(8/8): dhcp-libs-4.2.5-77.el7.centos.x86_64.rpm           | 133 kB  00:00:00
------------------------------------------------------------------------------------------
总计                                                   3.9 MB/s | 5.3 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在更新    : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64                        1/13
  正在更新    : 32:bind-license-9.11.4-9.P2.el7.noarch                         2/13
  正在更新    : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64                       3/13
  正在安装    : 32:bind-libs-9.11.4-9.P2.el7.x86_64                            4/13
  正在更新    : 12:dhcp-common-4.2.5-77.el7.centos.x86_64                      5/13
  正在安装    : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64                     6/13
  正在更新    : 12:dhclient-4.2.5-77.el7.centos.x86_64                         7/13
  正在安装    : 32:bind-9.11.4-9.P2.el7.x86_64                                 8/13
  清理        : 12:dhclient-4.2.5-68.el7.centos.1.x86_64                       9/13
  清理        : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64                   10/13
  清理        : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64                     11/13
  清理        : 32:bind-license-9.9.4-74.el7_6.2.noarch                       12/13
  清理        : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64                     13/13
  验证中      : 12:dhcp-common-4.2.5-77.el7.centos.x86_64                      1/13
  验证中      : 32:bind-license-9.11.4-9.P2.el7.noarch                         2/13
  验证中      : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64                     3/13
  验证中      : 32:bind-libs-9.11.4-9.P2.el7.x86_64                            4/13
  验证中      : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64                       5/13
  验证中      : 32:bind-9.11.4-9.P2.el7.x86_64                                 6/13
  验证中      : 12:dhclient-4.2.5-77.el7.centos.x86_64                         7/13
  验证中      : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64                        8/13
  验证中      : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64                    9/13
  验证中      : 12:dhclient-4.2.5-68.el7.centos.1.x86_64                      10/13
  验证中      : 32:bind-license-9.9.4-74.el7_6.2.noarch                       11/13
  验证中      : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64                     12/13
  验证中      : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64                     13/13

已安装:
  bind.x86_64 32:9.11.4-9.P2.el7

作为依赖被安装:
  bind-export-libs.x86_64 32:9.11.4-9.P2.el7        bind-libs.x86_64 32:9.11.4-9.P2.el7

作为依赖被升级:
  bind-libs-lite.x86_64 32:9.11.4-9.P2.el7          bind-license.noarch 32:9.11.4-9.P2.el7
  dhclient.x86_64 12:4.2.5-77.el7.centos            dhcp-common.x86_64 12:4.2.5-77.el7.centos
  dhcp-libs.x86_64 12:4.2.5-77.el7.centos

完毕!
[root@test ~]#
```
2) List the files installed by the bind package
```
[root@test ~]#rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
…… (part of the output omitted)
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@test ~]#
```
Note: from the output above we can see that BIND's main configuration file is /etc/named.conf.
3) Edit the configuration file: change listen-on port 53 { 127.0.0.1; }; to listen-on port 53 { localhost; }; and change allow-query { localhost; }; to allow-query { any; };
```
[root@test ~]#grep -v "^//" /etc/named.conf
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@test ~]#
```
Note: alternatively you can simply comment out the two lines listen-on port 53 { 127.0.0.1; }; and allow-query { localhost; };. Comments in this file work like C comments, using "//". Keep in mind that with allow-query { any; } combined with the default recursion yes;, the server also answers recursive queries from anyone who can reach it; the comment block in named.conf itself warns that an authoritative server should not have recursion enabled, and that an open recursive server becomes a DNS amplification relay.
4) Add the zone configuration. In the configuration file above, note the two include directives at the end: include "/etc/named.rfc1912.zones"; pulls in the file in which zone definitions are written.
```
[root@test ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone";
>
> };
> EOF
[root@test ~]#tail -5 /etc/named.rfc1912.zones
zone "test.com" IN {
    type master;
    file "test.com.zone";

};
[root@test ~]#
```
Note: the configuration above defines a zone test.com of type master (primary) whose zone database file is named "test.com.zone". This file name is relative to the /var/named directory, so zone database files must be placed under /var/named. That working directory is set by the directory option in the main configuration file and can be changed there.
5) Create the zone database file
```
[root@test ~]#cat /var/named/test.com.zone
$TTL 1D
@       IN      SOA     dns1    admin ( 0 1D 1H 1W 3H );
        NS      dns1
dns1    A       192.168.0.99
www     A       1.1.1.1
blog    A       2.2.2.2
[root@test ~]#
```
Note: a record in a zone database file has the format name [TTL] IN rr_type value. The TTL may be inherited from the global $TTL, and @ stands for the name of the current zone. One name may be defined by several records with different values, in which case the DNS server answers in round-robin order; the same value may also be defined under several different names, which simply means the same host can be found under more than one name. For the SOA record: name is the name of the current zone, for example "test.com"; value is made up of several parts: 1. the FQDN of the zone's primary DNS server (the zone name itself may also be used); 2. the mailbox of the zone administrator, in which the @ sign cannot be used and is replaced by a dot, for example admin.test.com.; 3. the timers governing primary/secondary zone transfer plus the uniform TTL for negative answers: the first number is the serial, the second the refresh interval, the third the interval after which the secondary retries a failed sync, the fourth how long after a failed sync the secondary's copy expires, and the fifth the TTL for cached negative answers. Also note that a name not ending in a dot has the current zone's name appended by default.
6) Check the main configuration file and the zone database file, then start the service
```
[root@test ~]#named-checkconf
[root@test ~]#named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 0
OK
[root@test ~]#systemctl start named
[root@test ~]#
```
7) Test
```
[root@test ~]#dig www.test.com @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14227
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:46 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62941
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       2.2.2.2

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:57 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#
```
Note: the dig tool comes from the bind-utils package, which mainly contains testing tools such as host, dig and nslookup. The output above shows that the forward primary DNS service is working.
8) Add the reverse zone configuration to /etc/named.rfc1912.zones
```
[root@test ~]#tail -4 /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" {
        type master;
        file "192.168.0.zone";
};
[root@test ~]#
```
Note: the name of a reverse zone is the network part of the IP address written in reverse order, and it must end in .in-addr.arpa. The zone file name can be anything, but the file must again live under /var/named, the same directory as the forward zone file.
9) Create the reverse zone database file
```
[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@       IN      SOA     dns1    admin (0 3H 10M 1D 1H );
        NS      dns1
dns1    A       192.168.0.99
99      PTR     dns1.test.com.
100     PTR     www.test.com.
101     PTR     blog.test.com.
[root@test ~]#
```
Note: the reverse zone database file has the same format as the forward one; reverse records must be of type PTR, and everything else works as in the forward zone. One more thing to watch: the domain name after PTR must end with a dot, otherwise the zone's own origin is appended to it. The same rule applies to the NS dns1 line in this file: without a trailing dot it expands to dns1.0.168.192.in-addr.arpa., which is why the AUTHORITY section of the reverse lookups below shows that name rather than dns1.test.com.
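The naming rules from the two zone-file notes above (inherited $TTL, @ as the origin, a blank owner repeating the previous one, and the origin appended to any name without a trailing dot), written out as a small zone-file loader. This is an added example, not the post's own code or BIND's parser; it is fed copies of the two zone files above and flags the NS dns1 line in the reverse zone, which expands to dns1.0.168.192.in-addr.arpa. exactly as the reverse lookups below show:

```python
"""Zone-file loader that applies the trailing-dot and $TTL rules from the notes
above. The two zone texts are copies of the files built in this post and are
embedded here as constructed input; the origins are the zone names given in
/etc/named.rfc1912.zones."""
import re

UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

FORWARD_ZONE = """\
$TTL 1D
@       IN      SOA     dns1    admin ( 0 1D 1H 1W 3H );
        NS      dns1
dns1    A       192.168.0.99
www     A       1.1.1.1
blog    A       2.2.2.2
"""

REVERSE_ZONE = """\
$TTL 1D
@       IN      SOA     dns1    admin (0 3H 10M 1D 1H );
        NS      dns1
dns1    A       192.168.0.99
99      PTR     dns1.test.com.
100     PTR     www.test.com.
101     PTR     blog.test.com.
"""


def parse_ttl(token):
    """'1D' -> 86400, '3600' -> 3600; None when the token is not a TTL."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", token)
    return int(m.group(1)) * UNITS[m.group(2).upper()] if m else None


def qualify(name, origin):
    """The trailing-dot rule: @ is the origin, relative names get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Drop ';' comments and join records whose rdata is wrapped in ( )."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                      # record continues on the next line
        out.append(buf)
        buf = ""
    return out


def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with fully qualified names."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for line in logical_lines(text):
        if line.startswith("$TTL"):       # inherited by records without a TTL
            default_ttl = parse_ttl(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = qualify(line.split()[1], origin)
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():         # owner given; otherwise reuse the last
            owner = qualify(tokens.pop(0), origin)
        ttl = default_ttl
        if parse_ttl(tokens[0]) is not None:
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":              # mname, rname, then the five timers
            timers = [parse_ttl(t) for t in rdata[2:7]]
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + timers
        records.append((owner, ttl, rtype, rdata))
    return records


def lookup(records, owner, rtype):
    """All rdata for one owner and type, in file order."""
    return [r for o, _, t, r in records if o == owner and t == rtype]


def suspicious_targets(records, origin):
    """NS/PTR targets that were qualified with a reverse-zone origin: the usual
    symptom of a forgotten trailing dot, as with 'NS dns1' in the zone above."""
    origin = origin if origin.endswith(".") else origin + "."
    if not origin.endswith("in-addr.arpa."):
        return []
    return [(o, t, r[0]) for o, _, t, r in records
            if t in ("NS", "PTR") and r[0].endswith("." + origin)]
```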
10) Check the zone file and reload the configuration so that the reverse zone takes effect
```
[root@test ~]#named-checkzone 192.168.0.zone /var/named/192.168.0.zone
zone 192.168.0.zone/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#
```
11) Test reverse resolution
```
[root@test ~]#dig -x 192.168.0.99 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.99 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:39 CST 2019
;; MSG SIZE  rcvd: 116

[root@test ~]#dig -x 192.168.0.100 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.100 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23462
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.0.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
100.0.168.192.in-addr.arpa. 86400 IN    PTR     www.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:50 CST 2019
;; MSG SIZE  rcvd: 116

[root@test ~]#dig -x 192.168.0.101 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.101 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17401
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;101.0.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
101.0.168.192.in-addr.arpa. 86400 IN    PTR     blog.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:58 CST 2019
;; MSG SIZE  rcvd: 117

[root@test ~]#
```
Note: the host names for 192.168.0.99, .100 and .101 have all been resolved. Do not confuse this with the data in the forward zone: reverse resolution can map different IPs to the same name and is fundamentally independent of forward resolution. The two are separate zones that do not interfere with each other.
The primary DNS server is now complete. Next, the secondary DNS server.
1) In the primary server's configuration file from the experiment above, add allow-transfer { 192.168.0.151; };, and add NS and A records for the secondary server to its zone database files
```
[root@test ~]#grep "transfer" /etc/named.conf
        allow-transfer  { 192.168.0.151; };
[root@test ~]#cat /var/named/test.com.zone
$TTL 1D
@       IN      SOA     dns1    admin ( 0 1D 1H 1W 3H );
        NS      dns1
        NS      dns2
dns1    A       192.168.0.99
dns2    A       192.168.0.151
www     A       1.1.1.1
blog    A       2.2.2.2
[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@       IN      SOA     dns1    admin (0 3H 10M 1D 1H );
        NS      dns1
        NS      dns2
dns1    A       192.168.0.99
dns2    A       192.168.0.151
99      PTR     dns1.test.com.
100     PTR     www.test.com.
101     PTR     blog.test.com.
[root@test ~]#
```
2) Install the bind package on the secondary server, set allow-transfer { none; }; in its configuration file, and comment out listen-on port 53 { 127.0.0.1; }; and allow-query { localhost; };
```
[root@test-node1 ~]#yum install -y bind
[root@test-node1 ~]#cat /etc/named.conf
…… (part of the output omitted)
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        allow-transfer  { none; };
        recursion yes;
…… (part of the output omitted)
```
3) Configure the zone information in /etc/named.rfc1912.zones
```
[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" {
>     type slave;
>     masters {192.168.0.99;};
>     file "slaves/test.com.zone";
> };
> EOF
[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "0.168.192.in-addr.arpa" {
>     type slave;
>     masters { 192.168.0.99; };
>     file "slaves/192.168.0.zone";
> };
> EOF
[root@test-node1 ~]#
[root@test-node1 ~]#tail /etc/named.rfc1912.zones
zone "test.com" {
    type slave;
    masters {192.168.0.99;};
    file "slaves/test.com.zone";
};
zone "0.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.0.99; };
    file "slaves/192.168.0.zone";
};
[root@test-node1 ~]#
```
Note: on the secondary server the zone name must be given, the type set to slave, and masters must point to the primary. The file directive names where the transferred zone is stored; the named account needs write permission on that location, otherwise the transfer cannot complete. With allow-transfer { none; } the secondary will not hand the zone on to anyone else, while the primary hands it only to 192.168.0.151.
4) Check the configuration file on the secondary server and start the service
```
[root@test-node1 ~]#ll /var/named/slaves/
total 0
[root@test-node1 ~]#named-checkconf
[root@test-node1 ~]#/etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@test-node1 ~]#ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 449 Dec 30 00:35 192.168.0.zone
-rw-r--r-- 1 named named 336 Dec 30 00:35 test.com.zone
[root@test-node1 ~]#
```
Note: after the service starts, the zone database files we need have been transferred into /var/named/slaves/. Next we test: on another host, set DNS1 to the primary server's address and DNS2 to the secondary's, then take the primary down and see whether the secondary still answers.
5) Test
```
[root@ansible_centos6 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.0.99
nameserver 192.168.0.151
[root@ansible_centos6 ~]# dig www.test.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22293
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 4 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:46:46 2019
;; MSG SIZE  rcvd: 81

[root@ansible_centos6 ~]# dig -x 192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 3 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:47:00 2019
;; MSG SIZE  rcvd: 105

[root@ansible_centos6 ~]#
```
Note: with the primary DNS alive, resolution works normally.
With the primary DNS down
```
[root@ansible_centos6 ~]# dig www.test.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21730
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:43 2019
;; MSG SIZE  rcvd: 81

[root@ansible_centos6 ~]# dig -x 192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:55 2019
;; MSG SIZE  rcvd: 105

[root@ansible_centos6 ~]#
```
Note: with the primary DNS server down, the secondary still serves, and its answers are identical to the primary's. Notice, too, that both the primary's and the secondary's answers list only dns1 in the AUTHORITY section even though NS dns2 was added to the zone files: the primary had not reloaded the edited zone, so the secondary transferred the old copy. After editing a zone, increment the SOA serial and run rndc reload, otherwise the change never reaches the secondary.
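How the secondary decides when to pull the zone, as an added example (not the post's or BIND's code): the SOA timers from test.com.zone drive the check schedule, serial comparison decides whether anything is transferred, and allow-transfer decides who may request a transfer at all. Because the zone files above keep serial 0, an edit on the primary without a serial increment is never picked up, which the simulation shows:

```python
"""Model of the secondary's refresh logic for the setup above. The SOA values
are those of /var/named/test.com.zone ( 0 1D 1H 1W 3H ); times are seconds.
The primary is represented by the SOA it reports, or None when unreachable
(as when it was taken down above). Constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DAY, HOUR = 86400, 3600


def serial_gt(a, b):
    """RFC 1982 serial arithmetic on the 32-bit ring: is a newer than b?"""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    half = 1 << 31
    return (a < b and b - a > half) or (a > b and a - b < half)


@dataclass
class Soa:
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


# The SOA of /var/named/test.com.zone above: ( 0 1D 1H 1W 3H )
TEST_COM_SOA = Soa(serial=0, refresh=DAY, retry=HOUR, expire=7 * DAY, minimum=3 * HOUR)


@dataclass
class Secondary:
    soa: Optional[Soa] = None   # copy currently held; None before the first transfer
    loaded_at: float = 0.0      # time of the last successful transfer
    last_check: float = 0.0     # time of the last SOA query to the primary
    last_check_ok: bool = True  # whether that query was answered

    def tick(self, now, primary):
        """One scheduler pass; returns the action taken at time `now`."""
        if self.soa is not None and now - self.loaded_at >= self.soa.expire:
            self.soa = None                         # stale: stop serving the zone
            return "expired"
        if self.soa is not None:
            interval = self.soa.refresh if self.last_check_ok else self.soa.retry
            if now - self.last_check < interval:
                return "serve"                      # not yet time to ask the primary
        self.last_check = now
        if primary is None:
            self.last_check_ok = False
            return "retry"                          # keep old data, ask again after retry
        self.last_check_ok = True
        if self.soa is None or serial_gt(primary.serial, self.soa.serial):
            self.soa, self.loaded_at = primary, now
            return "transfer"                       # AXFR the newer copy
        return "serve"                              # same serial: nothing to fetch


def transfer_allowed(allow_transfer, client_ip):
    """Model of allow-transfer { ... };. The primary above lists
    ["192.168.0.151"]; an empty list behaves like { none; }."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in allow_transfer)


def simulate():
    """Walk the secondary through first load, an unchanged primary, an edit with
    a bumped serial, the primary going down, and expiry; returns the actions."""
    sec, log = Secondary(), []
    log.append(sec.tick(0, TEST_COM_SOA))           # first load
    log.append(sec.tick(HOUR, TEST_COM_SOA))        # before refresh: no check
    log.append(sec.tick(DAY, TEST_COM_SOA))         # refresh due, serial still 0
    edited = Soa(serial=1, refresh=DAY, retry=HOUR, expire=7 * DAY, minimum=3 * HOUR)
    log.append(sec.tick(2 * DAY, edited))           # serial 1 > 0
    log.append(sec.tick(3 * DAY, None))             # primary down
    log.append(sec.tick(3 * DAY + HOUR, None))      # retried after 1H, still down
    log.append(sec.tick(9 * DAY, None))             # 1W since last load: expired
    return log
```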
2. Set up and implement intelligent DNS (view-based resolution).
1) In the experimental environment above, modify the configuration file
```
[root@test ~]#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

acl cdnet {
        192.168.0.0/24;
};
acl bjnet {
        172.16.1.0/24;
};
acl shnet {
        any;
};

options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-transfer  { 192.168.0.151; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.root.key";

view view_cd {
        match-clients {cdnet;};
        include "/etc/named.zone.cd";
        include "/etc/named.rfc1912.zones";
};
view view_bj {
        match-clients { bjnet; };
        include "/etc/named.zone.bj";
        include "/etc/named.rfc1912.zones";
};
view view_sh {
        match-clients { shnet; };
        include "/etc/named.zone.sh";
        include "/etc/named.rfc1912.zones";
};
[root@test ~]#
```
Note: this is the main configuration file; the additions are the 3 acl blocks and the 3 view blocks. Once views are configured, every zone definition must live inside a view, so the root zone configuration also has to move into /etc/named.rfc1912.zones, which each view then pulls in with include. By the same idea, the zone definitions for the different regions are kept in separate files for easier management and imported into their own views with include, so that clients from different networks are served from different zone files. Finally, each region needs its own zone database file.
2) Move the root zone configuration into /etc/named.rfc1912.zones
```
[root@test ~]#cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "0.168.192.in-addr.arpa" {
        type master;
        file "192.168.0.zone";
};
[root@test ~]#
```
3) Create the zone configuration file for each region
```
[root@test ~]#cat >> /etc/named.zone.cd << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.cd";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.bj << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.bj";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.sh << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.sh";
> };
> EOF
[root@test ~]#cat /etc/named.zone.cd
zone "test.com" IN {
    type master;
    file "test.com.zone.cd";
};
[root@test ~]#cat /etc/named.zone.bj
zone "test.com" IN {
    type master;
    file "test.com.zone.bj";
};
[root@test ~]#cat /etc/named.zone.sh
zone "test.com" IN {
    type master;
    file "test.com.zone.sh";
};
[root@test ~]#
```
4) Prepare each region's zone database file
```
[root@test ~]#cat /var/named/test.com.zone.cd
$TTL 1D
@       IN      SOA     dns1    admin ( 0 2D 1H 3D 1D )
        NS      dns1
dns1    A       192.168.0.99
www     A       3.3.3.3
blog    A       4.4.4.4
[root@test ~]#cat /var/named/test.com.zone.bj
$TTL 1D
@       IN      SOA     dns1    admin ( 0 2D 1H 3D 1D )
        NS      dns1
dns1    A       192.168.0.99
www     A       5.5.5.5
blog    A       6.6.6.6
[root@test ~]#cat /var/named/test.com.zone.sh
$TTL 1D
@       IN      SOA     dns1    admin ( 0 2D 1H 3D 1D )
        NS      dns1
dns1    A       192.168.0.99
www     A       7.7.7.7
blog    A       8.8.8.8
[root@test ~]#
[root@test ~]#ll /var/named/
总用量 36
-rw-r--r-- 1 root  root   188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 12月 29 23:23 data
drwxrwx--- 2 named named   60 12月 30 01:01 dynamic
-rw-r----- 1 root  named 2253 4月   5 2018 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
drwxrwx--- 2 named named    6 8月   8 20:16 slaves
-rw-r--r-- 1 root  root   154 12月 30 00:10 test.com.zone
-rw-r--r-- 1 root  root   112 12月 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root  root   112 12月 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root  root   117 12月 30 21:35 test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"
/var/named/test.com.zone
/var/named/test.com.zone.cd
/var/named/test.com.zone.bj
/var/named/test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chown root.named
[root@test ~]#ll /var/named/
总用量 36
-rw-r--r-- 1 root  root   188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 12月 29 23:23 data
drwxrwx--- 2 named named   60 12月 30 01:01 dynamic
-rw-r----- 1 root  named 2253 4月   5 2018 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
drwxrwx--- 2 named named    6 8月   8 20:16 slaves
-rw-r--r-- 1 root  named  154 12月 30 00:10 test.com.zone
-rw-r--r-- 1 root  named  112 12月 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root  named  112 12月 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root  named  117 12月 30 21:35 test.com.zone.sh
[root@test ~]#
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chmod o-r
[root@test ~]#ll /var/named/
总用量 36
-rw-r--r-- 1 root  root   188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 12月 29 23:23 data
drwxrwx--- 2 named named   60 12月 30 01:01 dynamic
-rw-r----- 1 root  named 2253 4月   5 2018 named.ca
-rw-r----- 1 root  named  152 12月 15 2009 named.empty
-rw-r----- 1 root  named  152 6月  21 2007 named.localhost
-rw-r----- 1 root  named  168 12月 15 2009 named.loopback
drwxrwx--- 2 named named    6 8月   8 20:16 slaves
-rw-r----- 1 root  named  154 12月 30 00:10 test.com.zone
-rw-r----- 1 root  named  112 12月 30 21:33 test.com.zone.bj
-rw-r----- 1 root  named  112 12月 30 21:31 test.com.zone.cd
-rw-r----- 1 root  named  117 12月 30 21:35 test.com.zone.sh
[root@test ~]#
```
Note: with the configuration above, users of each region are served from their own region's zone file, so users in different regions obtain different IP addresses. It is also advisable to change the group of the newly created files to named: it works without this, but the files are then readable by everyone, and only named needs read access.
5) Check the configuration files and reload the service
```
[root@test ~]#named-checkconf
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.cd
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.bj
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.sh
zone test.com/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#
```
6) Test
Simulate a user in Chengdu querying the DNS
```
[qiuhom@test-node1 ~]$ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:81:68:ce:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.151/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::224:81ff:fe68:ce45/64 scope link
       valid_lft forever preferred_lft forever
[qiuhom@test-node1 ~]$
[qiuhom@test-node1 ~]$dig www.test.com @192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51022
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       3.3.3.3

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 2 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:02 2019
;; MSG SIZE  rcvd: 81

[qiuhom@test-node1 ~]$dig blog.test.com @192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4979
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       4.4.4.4

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:12 2019
;; MSG SIZE  rcvd: 82

[qiuhom@test-node1 ~]$
```
Note: a query from a host on 192.168.0.0/24 returns the contents of the zone file specified in that network's view.
Simulate a user in Beijing querying the DNS
```
[root@test ~]#ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:d6:07:f1:b0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]#dig www.test.com @172.16.1.2

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33773
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       5.5.5.5

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: 一 12月 30 22:24:07 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @172.16.1.2

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       6.6.6.6

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: 一 12月 30 22:24:18 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#
```
Simulating a user in Shanghai querying the DNS server
[root@test ~]#dig www.test.com @127.0.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50994
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       7.7.7.7

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 一 12月 30 22:25:52 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @127.0.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10062
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       8.8.8.8

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 一 12月 30 22:25:58 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#
Note: when the query is sent to 127.0.0.1 on the local host, named sees it arriving over the loopback address, so the acl matches shnet and the answer comes from the zone database file specified in view_sh. One thing to keep in mind is that acls are matched from top to bottom and matching stops at the first hit; 127.0.0.1 belongs neither to the 192.168.0.0/24 network nor to the 172.16.1.0/24 network, so it falls through to any and is matched there.
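To make the first-match rule in the note above concrete, here is an added example (not the post's own named.conf) that models how named picks a view from an ordered list of match-clients acls, using the two prefixes and the shnet/view_sh catch-all from this setup; the other two view names are assumed placeholders, and the shadowed_views check flags the ordering mistake of listing an `any` view first.

```python
import ipaddress

# Constructed view table, not the post's named.conf. The post names only the
# shnet acl, the view_sh view and the 192.168.0.0/24 and 172.16.1.0/24
# prefixes; the first two view names below are placeholders.
VIEWS = [
    ("view_net0", ["192.168.0.0/24"]),   # placeholder view name
    ("view_net1", ["172.16.1.0/24"]),    # placeholder view name
    ("view_sh",   ["any"]),              # acl shnet { any; }: the catch-all
]

def acl_matches(acl, client_ip):
    """BIND address-match-list semantics: elements are tried in order and
    the first element that matches decides; a '!' prefix negates it."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("!")
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False

def select_view(client_ip, views=VIEWS):
    """First view whose match-clients list matches the source address, as
    named does; None means no view matched and the query is refused."""
    for name, acl in views:
        if acl_matches(acl, client_ip):
            return name
    return None

def shadowed_views(views=VIEWS):
    """Views that can never be selected because an earlier view's
    match-clients list already matches everything with a plain 'any'."""
    for i, (_, acl) in enumerate(views):
        if "any" in acl:
            return [name for name, _ in views[i + 1:]]
    return []

if __name__ == "__main__":
    for ip in ("192.168.0.99", "172.16.1.2", "127.0.0.1", "10.1.1.1"):
        print(ip, "->", select_view(ip))
    # Listing the catch-all view first silently hides every other view.
    print("shadowed:", shadowed_views(list(reversed(VIEWS))))
```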
This completes the smart DNS setup. In practice, the main job of smart DNS is to steer users from different sources to different zone files, so that the DNS server a user reaches is the one nearest to them. Its application on the Internet is the CDN (content delivery network), which is built on smart DNS: users from different regions are directed by smart DNS to DNS servers in their own region, so the web server a user reaches is the one nearest to them. A CDN speeds up user access while also reducing the load and bandwidth on the site's origin servers.
3. Compile and install MariaDB, start it and log in normally
1) Prepare the source package
[root@test ~]#rz
rz waiting to receive.
  100%   70172 KB 23390 KB/s 00:00:03       0 Errors..
[root@test ~]#ls mariadb-10.2.19.tar.gz
mariadb-10.2.19.tar.gz
[root@test ~]#
2) Install the dependency packages
[root@test ~]# yum install bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel -y
3) Create a system account and extract the source
[root@test ~]# useradd -r -s /sbin/nologin -d /app/mysql/ mysql
[root@test ~]# getent passwd mysql
mariadb:x:989:983::/app/mysql/:/sbin/nologin
[root@test ~]# tar xf mariadb-10.2.19.tar.gz
[root@test ~]# cd mariadb-10.2.19/
[root@test mariadb-10.2.19]#
4) Run cmake with the build options
cmake . -DCMAKE_INSTALL_PREFIX=/app/mysql -DMYSQL_DATADIR=/data/mysql/ -DSYSCONFDIR=/etc/mysql -DMYSQL_USER=mysql -DWITH_INNOBASE_STORAGE_ENGINE=1 -DWITH_ARCHIVE_STORAGE_ENGINE=1 -DWITH_BLACKHOLE_STORAGE_ENGINE=1 -DWITH_PARTITION_STORAGE_ENGINE=1 -DWITHOUT_MROONGA_STORAGE_ENGINE=1 -DWITH_DEBUG=0 -DWITH_READLINE=1 -DWITH_SSL=system -DWITH_ZLIB=system -DWITH_LIBWRAP=0 -DENABLED_LOCAL_INFILE=1 -DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock -DDEFAULT_CHARSET=utf8 -DDEFAULT_COLLATION=utf8_general_ci
Note: if an error occurs, delete CMakeCache.txt, re-run cmake with the build options to regenerate the makefile, and then compile again.
5) If the cmake step above reported no errors, run make && make install
...part of the output omitted
-- Looking for krb5_free_unparsed_name
-- Looking for krb5_free_unparsed_name - found
-- Looking for event.h
-- Looking for event.h - found
-- Configuring done
-- Generating done
-- Build files have been written to: /root/mariadb-10.2.19
[root@test mariadb-10.2.19]# make -j 4 && make install
Note: make -j specifies how many threads to compile with; -j 4 means compiling with 4 threads at the same time, which is a multithreaded way of building.
6) Prepare the PATH environment
[root@test ~]# echo 'PATH=/app/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@test ~]# cat /etc/profile.d/mysql.sh
PATH=/app/mysql/bin:$PATH
[root@test ~]# . /etc/profile.d/mysql.sh
[root@test ~]#
7) Generate the database files
[root@test ~]# cd /app/mysql/
[root@test mysql]# scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system

PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h test password 'new-password'

Alternatively you can run:
'./bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'

You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

[root@test mysql]#
8) Prepare the configuration file
[root@test mysql]# cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
[root@test mysql]#
9) Prepare the startup script
[root@test mysql]# cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@test mysql]#
10) Start the service and log in to the database
[root@test mysql]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@test mysql]# chkconfig --add mysqld
[root@test mysql]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@test mysql]# service mysqld start
Starting mysqld (via systemctl):                           [  OK  ]
[root@test mysql]# ss -ntl
State      Recv-Q Send-Q Local Address:Port               Peer Address:Port
LISTEN     0      128          *:22                       *:*
LISTEN     0      100    127.0.0.1:25                     *:*
LISTEN     0      128         :::22                      :::*
LISTEN     0      100        ::1:25                      :::*
LISTEN     0      80          :::3306                    :::*
[root@test mysql]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.2.19-MariaDB-log Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]>
This completes the compilation and installation of the MariaDB database.