• DNS forward name resolution with BIND


    DNS query types

    Recursive query: the exchange between a client and its local DNS server is normally recursive. When the client sends a request that the DNS server cannot answer itself, the server queries other DNS servers and hands the final positive or negative result back to the client. The source and target of the query stay the same, and the client needs only one query to get its result.
    
    Iterative query: queries from the local DNS server to other DNS servers are normally (with exceptions) iterative. If the server asked cannot return an authoritative answer, the local server queries the next DNS server (the one referred to in the previous server's response), and repeats this until it gets the result. The source stays the same but the target keeps changing, so getting the result generally takes several queries.
    
    

    Path of a complete query

    Client --> hosts file --> client DNS service local cache --> DNS server (recursion) --> DNS server cache --> DNS iteration --> root servers --> TLD DNS servers --> second-level domain DNS servers...
    

    Resolution directions

    Forward: FQDN (Fully Qualified Domain Name) --> IP
    Reverse: IP --> FQDN
    

    Resource record types

    Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
    SOA: Start Of Authority; a zone file has exactly one SOA record, and it must be the first record in the zone
    
    A: Internet Address, FQDN --> IPv4 address
    
    AAAA: FQDN --> IPv6 address
    
    PTR: PoinTeR, IP --> FQDN
    
    NS: Name Server, names the DNS servers of the current zone
    
    CNAME: Canonical Name, alias record
    
    MX: Mail eXchanger
    
    TXT: free-form text that labels or describes a name; commonly used for verification records such as SPF (anti-spam) and HTTPS/certificate validation
    

    Resource record syntax

    name [TTL] IN rr_type value
    

    Notes:

    1. The TTL can be inherited from the global $TTL
    2. "@" refers to the domain name of the current zone
    3. One name may be defined with several records carrying different values; the DNS server then answers in round-robin order
    4. One value may be defined under several different names; this only means the same host can be reached through several names

    Install the software

    [root@localhost ~]# dnf install -y bind bind-utils
    

    BIND package files

    Main program: /usr/sbin/named
    Service script and unit name: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
    Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
    Management tool: /usr/sbin/rndc (remote name domain controller); installed on the same host as bind by default, it can only reach the named process through 127.0.0.1 and provides auxiliary management functions; 953/tcp
    Zone files: /var/named/ZONE_NAME.ZONE
    Notes:
    (1) One physical server can serve several zones at once
    (2) The root zone file named.ca is required
    (3) There should be two zone files (more if IPv6 is included) resolving localhost and the loopback address
    

    Main configuration file

    Global options: options {};
    Logging subsystem: logging {};
    Zone definitions: every zone this host is expected to resolve must be defined:
    zone "ZONE_NAME" IN {};
    Notes:
    Any service that should be reachable from other hosts over the network must listen on at least one IP address that can talk to external hosts
    Caching name server: it is enough to listen on an external address
    dnssec: it is recommended to turn DNSSEC off by setting it to no
    

    Forward primary server

    Build a forward primary DNS server so that the web server can be reached by FQDN

    Environment

    Three hosts are needed:
    DNS server: 172.31.0.38
    Web server: 172.31.0.48
    DNS client: 172.31.0.18
    

    Preparation

    Disable SELinux (the sed backreference is \1)
    [root@localhost ~]# sed -ri 's/^(SELINUX=).*/\1disabled/' /etc/selinux/config
    Disable the firewall
    [root@localhost ~]# systemctl disable --now firewalld
    Synchronise the clocks
    

    Set up the primary DNS server

    [root@localhost ~]# vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };   // comment out this line: named then listens on all IPv4 addresses
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            secroots-file   "/var/named/data/named.secroots";
            recursing-file  "/var/named/data/named.recursing";
    //      allow-query     { localhost; };     // comment out this line: any client may then query this server
    //      if this server also recurses for clients, limit that with allow-recursion { localnets; }; so it is not an open resolver
    

    Edit the bind zone configuration file

    [root@localhost ~]# vim /etc/named.rfc1912.zones
    # append the following
    zone "longxuan.vip" IN {
        type master;
        file "longxuan.vip.zone";
    };
    

    Zone database file

    [root@localhost ~]# cp -p /var/named/named.localhost /var/named/longxuan.vip.zone
    
    # Without -p, fix the owner or permissions afterwards: chgrp named longxuan.vip.zone
    

    Edit the zone file

    [root@localhost ~]# vim /var/named/longxuan.vip.zone
    $TTL 1D
    @       IN SOA  master admin.longxuan.vip. (
                                  2021050100        ; serial
                                            2H      ; refresh
                                           10M      ; retry
                                            1W      ; expire
                                            3D )    ; minimum
            NS      master
    master  A       172.31.0.38
    www     A       172.31.0.48
    

    Meaning of the zone file fields:

    2021050100 ; serial number
    2H ; refresh interval
    10M ; retry interval
    1W ; expire time
    1D ; TTL for negative answers
    

    The rndc command

    rndc is the tool for managing a running DNS server
    rndc listening port: 953/tcp
    Syntax:
    rndc COMMAND
    COMMAND:
    status: show the server status
    reload: reload the main configuration file and the zone files
    reload zonename: reload one zone file
    retransfer zonename: start a zone transfer by hand, regardless of whether the serial has increased
    notify zonename: resend the NOTIFY messages for a zone transfer
    reconfig: reload the main configuration file
    querylog: turn query logging to /var/log/messages on or off
    trace: increase the debug level by one
    trace LEVEL: set the debug level to LEVEL
    notrace: set the debug level to 0
    flush: flush all cached records of the DNS server
    

    Check the configuration and zone file syntax, then start the service

    [root@localhost ~]# named-checkconf
    [root@localhost ~]# named-checkzone longxuan.vip /var/named/longxuan.vip.zone 
    zone longxuan.vip/IN: loaded serial 2021050100
    OK
    
    [root@localhost ~]# systemctl start named   # first start of the service; for later changes use rndc reload as below
    [root@localhost ~]# rndc reload
    server reload successful
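Before reloading, a practitioner would also bump the SOA serial and validate the zone, since a secondary only transfers a zone whose serial has grown. This added helper script (not from the original post) does both in POSIX sh; it assumes the serial line carries the "; serial" comment used in the zone files above and that the serial follows the YYYYMMDDNN form.

```shell
# Added example, not from the original post: bump the SOA serial of a BIND
# zone file (YYYYMMDDNN form, as in the zone files above) and validate the
# zone before reloading it. Assumes the serial line is marked "; serial".
set -eu

# Print the current serial: the first number on the "; serial" line.
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Next serial for $1 (old) on day $2 (YYYYMMDD): same day increments the NN
# suffix, a later day restarts at NN=01, and a serial already past today's
# date is simply incremented so it never goes backwards.
next_serial() {
    old=$1; today=$2
    if [ "${old%??}" = "$today" ]; then
        nn=${old#"$today"}; nn=${nn#0}      # "07" -> 7, "00" -> 0, "10" -> 10
        [ "$nn" -lt 99 ] || { echo "serial space for $today exhausted" >&2; return 1; }
        printf '%s%02d\n' "$today" $((nn + 1))
    elif [ "${old%??}" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        echo $((old + 1))
    fi
}

# Rewrite the serial in place (GNU sed -i) and print the new value.
# Usage: bump_serial /var/named/longxuan.vip.zone [YYYYMMDD]
bump_serial() {
    file=$1; today=${2:-$(date +%Y%m%d)}
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "no '; serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today")
    sed -i "/; *serial/s/$old/$new/" "$file"
    echo "$new"
}

# Syntax-check the config and the zone, then reload just that zone; each
# step runs only if the previous one succeeded.
# Usage: safe_reload longxuan.vip /var/named/longxuan.vip.zone
safe_reload() {
    named-checkconf && named-checkzone "$1" "$2" && rndc reload "$1"
}
```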
    

    Install the web server on host .48

    [19:22:41 root@centos8 ~]# yum install httpd -y
    

    Create the home page

    [19:23:30 root@centos8 ~]# echo 123longwang > /var/www/html/index.html
    

    Enable at boot and start

    [19:23:55 root@centos8 ~]# systemctl enable --now httpd
    

    Point host .18's DNS at host .38

    [11:31:37 root@sz-kx-centos8 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
    DNS1=172.31.0.38
    

    Reapply the network connection

    [11:31:37 root@sz-kx-centos8 ~]# nmcli connection reload
    [11:32:11 root@sz-kx-centos8 ~]# nmcli connection 
    NAME  UUID                                  TYPE      DEVICE 
    eth0  ea74cf24-c2a2-ecee-3747-a2d76d46f93b  ethernet  eth0   
    [11:32:17 root@sz-kx-centos8 ~]# nmcli connection up eth0
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
    

    Check that the DNS setting took effect

    [11:32:22 root@sz-kx-centos8 ~]# cat /etc/resolv.conf
    # Generated by NetworkManager
    search com
    nameserver 172.31.0.38
    

    Install bind-utils on the client for verification

    [11:34:25 root@sz-kx-centos8 ~]# yum install bind-utils -y
    

    Check with curl

    [11:37:25 root@sz-kx-centos8 ~]# curl www.longxuan.vip
    123longwang
    

    Or check with dig

    dig tests only the DNS system; it does not consult the hosts file

    [13:00:08 root@sz-kx-centos8 ~]# dig www.longxuan.vip
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> www.longxuan.vip
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42016
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: df511acaa3a808793567f781608f839736bb9834bf28a070 (good)
    ;; QUESTION SECTION:
    ;www.longxuan.vip.		IN	A
    
    ;; ANSWER SECTION:
    www.longxuan.vip.	86400	IN	A	172.31.0.48
    
    ;; AUTHORITY SECTION:
    longxuan.vip.		86400	IN	NS	master.longxuan.vip.
    
    ;; ADDITIONAL SECTION:
    master.longxuan.vip.	86400	IN	A	172.31.0.38
    
    ;; Query time: 0 msec
    ;; SERVER: 172.31.0.38#53(172.31.0.38)
    ;; WHEN: Mon May 03 13:01:11 CST 2021
    ;; MSG SIZE  rcvd: 126
    

    Experiment one

    When the client types w, or several w's, as the host label, resolution fails as follows:

    [13:01:11 root@sz-kx-centos8 ~]# curl w.longxuan.vip
    curl: (6) Could not resolve host: w.longxuan.vip
    [13:01:12 root@sz-kx-centos8 ~]# curl wwww.longxuan.vip
    curl: (6) Could not resolve host: wwww.longxuan.vip
    

    Add a wildcard record on the DNS server:

    [root@localhost named]# vim /var/named/longxuan.vip.zone
    $TTL 1D
    @       IN SOA  master admin.longxuan.vip. (
                                   2021050100       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      master
    master  A       172.31.0.38
    www     A       172.31.0.48
    *       A       172.31.0.48
    


    Reload the service

    [root@localhost named]# rndc reload
    server reload successful
    

    Verify again on the client

    [13:57:48 root@sz-kx-centos8 ~]# curl wwww.longxuan.vip
    123longwang
    [13:58:36 root@sz-kx-centos8 ~]# curl wwwwwww.longxuan.vip
    123longwang
    [13:58:39 root@sz-kx-centos8 ~]# 
    [13:58:39 root@sz-kx-centos8 ~]# curl w.longxuan.vip
    123longwang
    

    Experiment two

    When the client types the bare domain without www, resolution fails as follows:

    [14:03:24 root@sz-kx-centos8 ~]# curl longxuan.vip
    curl: (6) Could not resolve host: longxuan.vip
    [14:03:29 root@sz-kx-centos8 ~]# dig longxuan.vip
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> longxuan.vip
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16770
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 84614510b5c973afbbb3aec6608f9244fc0c612bf22e209e (good)
    ;; QUESTION SECTION:
    ;longxuan.vip.			IN	A
    
    ;; AUTHORITY SECTION:
    longxuan.vip.		10800	IN	SOA	master.longxuan.vip. admin.longxuan.vip. 1 86400 3600 604800 10800
    
    ;; Query time: 1 msec
    ;; SERVER: 172.31.0.38#53(172.31.0.38)
    ;; WHEN: Mon May 03 14:03:49 CST 2021
    ;; MSG SIZE  rcvd: 118
    

    Add an @ record for the domain itself on the DNS server:

    
    $TTL 1D
    @       IN SOA  master admin.longxuan.vip. (
                                   2021050100       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      master
    master  A       172.31.0.38
    www     A       172.31.0.48
    *       A       172.31.0.48
    @       A       172.31.0.48
    

    Reload the service

    [root@localhost named]# rndc reload
    server reload successful
    

    Verify again on the client

    [14:03:49 root@sz-kx-centos8 ~]# curl longxuan.vip
    123longwang
    [14:07:33 root@sz-kx-centos8 ~]# dig longxuan.vip
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> longxuan.vip
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40065
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 961290535492e7cce123a1e4608f9327f24f52f4c123a043 (good)
    ;; QUESTION SECTION:
    ;longxuan.vip.			IN	A
    
    ;; ANSWER SECTION:
    longxuan.vip.		86400	IN	A	172.31.0.48
    
    ;; AUTHORITY SECTION:
    longxuan.vip.		86400	IN	NS	master.longxuan.vip.
    
    ;; ADDITIONAL SECTION:
    master.longxuan.vip.	86400	IN	A	172.31.0.38
    
    ;; Query time: 0 msec
    ;; SERVER: 172.31.0.38#53(172.31.0.38)
    ;; WHEN: Mon May 03 14:07:36 CST 2021
    ;; MSG SIZE  rcvd: 122
    

    Experiment three

    MX records (mail exchanger records)

    [root@localhost named]# vim /var/named/longxuan.vip.zone
    $TTL 1D
    @       IN SOA  master admin.longxuan.vip. (
                                   2021050100       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      master
    master  A       172.31.0.38
    www     A       172.31.0.48
    *       A       172.31.0.48
    @       A       172.31.0.48
    @       MX      10 mail1
    @       MX      20 mail2
    mail1   A       172.31.0.200
    mail2   A       172.31.0.201
    

    Reload the service

    [root@localhost named]# rndc reload
    server reload successful
    

    Verify on the client

    [14:07:36 root@sz-kx-centos8 ~]# dig -t MX longxuan.vip   # MX records hang off the zone apex; dig takes a name and a record type, not a mail address
    

    Experiment four

    CNAME alias records

    [root@localhost named]# vim /var/named/longxuan.vip.zone
    $TTL 1D
    @       IN SOA  master admin.longxuan.vip. (
                                   2021050100       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      master
    master  A       172.31.0.38
    www     CNAME   cdn.longxuan.vip.
    cdn     CNAME   vip.longxuan.vip.
    vip     A       172.31.0.48
    *       A       172.31.0.48
    @       A       172.31.0.48
    @       MX      10 mail1
    @       MX      20 mail2
    mail1   A       172.31.0.200
    mail2   A       172.31.0.201
    

    Reload the service

    [root@localhost named]# rndc reload
    server reload successful
    

    Verify on the client

    [14:35:57 root@sz-kx-centos8 ~]# dig www.longxuan.vip
    
    ; <<>> DiG 9.11.20-RedHat-9.11.20-5.el8_3.1 <<>> www.longxuan.vip
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36532
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ; COOKIE: 814078f016db31384f9c94f1608f9a43ed6453aac61e9ff3 (good)
    ;; QUESTION SECTION:
    ;www.longxuan.vip.		IN	A
    
    ;; ANSWER SECTION:
    www.longxuan.vip.	86400	IN	CNAME	cdn.longxuan.vip.
    cdn.longxuan.vip.	86400	IN	CNAME	vip.longxuan.vip.
    vip.longxuan.vip.	86400	IN	A	172.31.0.48
    
    ;; AUTHORITY SECTION:
    longxuan.vip.		86400	IN	NS	master.longxuan.vip.
    
    ;; ADDITIONAL SECTION:
    master.longxuan.vip.	86400	IN	A	172.31.0.38
    
    ;; Query time: 0 msec
    ;; SERVER: 172.31.0.38#53(172.31.0.38)
    ;; WHEN: Mon May 03 14:37:56 CST 2021
    ;; MSG SIZE  rcvd: 162
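To read dig output like the responses in experiments two and four systematically, this added shell script (not part of the original post) classifies a response as ANSWER, NODATA or another status and follows a CNAME chain to its terminal record; the sample response embedded in it is constructed from experiment four's output.

```shell
# Added example, not from the original post: classify a dig response and
# follow the CNAME chain in its ANSWER section, using the text format dig
# prints above. Each function reads dig output from file arguments or stdin.
set -eu

# Print ANSWER, NODATA or the raw status (NXDOMAIN, SERVFAIL, ...). NOERROR
# with zero answers, as in experiment two before the "@ A" record existed,
# is NODATA: the name exists in the zone but has no record of that type.
classify_dig() {
    awk '
      /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
      /^;; flags:/   { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 + 0 }
      END {
        if (status == "NOERROR" && answers == 0) print "NODATA"
        else if (status == "NOERROR")            print "ANSWER"
        else                                     print status
      }' "$@"
}

# From name $1, follow CNAMEs in the ANSWER section and print "<type> <value>"
# of the terminal record, e.g. "A 172.31.0.48"; fail if it is missing or loops.
resolve_chain() {
    name=$1; shift
    awk -v want="${name%.}." '
      /^;; ANSWER SECTION:/ { in_ans = 1; next }
      /^$/ || /^;;/         { in_ans = 0 }
      in_ans && !($1 in type) { type[$1] = $4; val[$1] = $5 }
      END {
        for (hops = 0; hops < 8 && (want in type); hops++) {
          if (type[want] != "CNAME") { print type[want], val[want]; exit 0 }
          want = val[want]
        }
        exit 1
      }' "$@"
}

# Constructed sample: header and ANSWER section of experiment four's dig output.
sample_cname_response() {
    printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36532' \
      ';; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2' \
      '' ';; ANSWER SECTION:' \
      'www.longxuan.vip. 86400 IN CNAME cdn.longxuan.vip.' \
      'cdn.longxuan.vip. 86400 IN CNAME vip.longxuan.vip.' \
      'vip.longxuan.vip. 86400 IN A 172.31.0.48' ''
}

sample_cname_response | classify_dig                    # ANSWER
sample_cname_response | resolve_chain www.longxuan.vip  # A 172.31.0.48
```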
    

  • Original article: https://www.cnblogs.com/xuanlv-0413/p/14736325.html