DNS stands for Domain Name Service: it is the service that resolves domain names to addresses.
On the client:
/etc/resolv.conf is the file that points the client at its DNS; the underlined part (the nameserver line) is the IP of the DNS server.

On the server:
The service is called named, the main configuration file is /etc/named.conf, the zone data files live in /var/named, and the service uses port 53.
Verification command:
dig www.westos.com                            ##detailed resolution information for a name
Query status values: NOERROR (query succeeded), REFUSED (the server refused the query), SERVFAIL (the server failed to answer), NXDOMAIN (the name does not exist)
1. Installing and using DNS
dnf install bind.x86_64 -y                    ##the package is bind
systemctl enable --now named
firewall-cmd --permanent --add-service=dns    ##allow the dns service through the firewall
firewall-cmd --reload

vim /etc/named.conf                           ##edit the main configuration file
11        listen-on port 53 { any; };         ##listen on port 53 on all local network interfaces
19        allow-query     { any; };           ##list of clients allowed to send queries
34        dnssec-validation no;               ##disable DNSSEC validation so the server can cache answers from upstream servers (it also stops checking that those answers are correctly signed)
systemctl restart named
Test:
Point another host's DNS at the server (172.25.254.144). The query fails because the server itself has no internet access.

2. DNS forward resolution
vim /etc/named.rfc1912.zones        ##this file contains zone templates; copy one and change the details
zone "westos.com" IN {              ##the domain this server maintains
        type master;                ##this server is the master DNS for the zone
        file "westos.com.zone";     ##zone file holding the domain's A records
        allow-update { none; };     ##hosts allowed to send dynamic updates (none here)
};
cd /var/named/
cp -p named.localhost westos.com.zone        ##copy the template; -p preserves owner, group, mode and timestamps
vim westos.com.zone
$TTL 1D                                                ##TIME-TO-LIVE (how long resolvers may cache these records)
@       IN SOA  dns.westos.com. root.westos.com. (     ##SOA, Start of Authority
                        0       ; serial               ##version number of the zone
                        1D      ; refresh              ##refresh interval (for secondary DNS)
                        1H      ; retry                ##retry interval (for secondary DNS)
                        1W      ; expire               ##expiry time (a secondary DNS that cannot refresh within this period stops answering for the zone)
                        3H )    ; minimum              ##minimum TTL, the shortest validity time for the records
                NS      dns.westos.com.
dns             A       172.25.254.144
www             CNAME   westos.a                       ##canonical name (alias)
westos.a        A       172.25.254.111                 ##forward resolution records
westos.a        A       172.25.254.112
westos.com.     MX 1    172.25.254.144                 ##mail exchanger record
systemctl restart named
Test:
Point another host's DNS at the server (172.25.254.144) and resolve the names.
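As an added check that is not part of the original post, here is a small Python validator run over a constructed copy of the westos.com.zone file above. It expands relative names the way named does and flags two mistakes that produce wrong answers without any error at startup: an in-zone NS or CNAME target that has no A record, and an MX exchange written as an IP literal (MX rdata is a name, so named reads 172.25.254.144 as 172.25.254.144.westos.com.). Function names are my own.

```python
import re
ZONE = """$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
                NS      dns.westos.com.
dns             A       172.25.254.144
www             CNAME   westos.a
westos.a        A       172.25.254.111
westos.a        A       172.25.254.112
westos.com.     MX 1    172.25.254.144
"""  # constructed copy of the westos.com.zone file written above (not read from /var/named)

def fqdn(name, origin):
    # Expand a name the way named does: '@' is the origin, and no trailing dot means "append the origin".
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    # Return (owner, type, rdata) tuples for the SOA/NS/A/CNAME/MX record shapes used on this page,
    # after folding the parenthesised SOA block onto one line and dropping the ';' comments inside it.
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(l.split(";")[0] for l in m.group().splitlines()), text)
    records, owner = [], origin
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        toks = line.split()
        if not line[0].isspace():      # leading whitespace means "same owner as the previous record"
            owner = fqdn(toks.pop(0), origin)
        if toks[0] == "IN":
            toks.pop(0)
        records.append((owner, toks[0], [t for t in toks[1:] if t not in "()"]))
    return records

def check_zone(text, origin):
    # List records that named would answer differently from what the author meant.
    recs = parse_zone(text, origin)
    a_names = {o for o, t, _ in recs if t == "A"}
    problems = []
    for owner, rtype, rdata in recs:
        target = fqdn(rdata[-1], origin)
        if rtype in ("NS", "CNAME") and target.endswith("." + origin) and target not in a_names:
            problems.append(f"{owner}: {rtype} target {target} has no A record in this zone (missing glue)")
        elif rtype == "MX" and re.fullmatch(r"[\d.]+", rdata[-1]):
            problems.append(f"{owner}: MX exchange {rdata[-1]!r} is an IP literal; named reads it as {target}")
    return problems
```

On the zone above the only finding is the MX line; drop the A record for dns and the NS line is reported as missing glue as well.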


3. DNS reverse resolution
vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {   ##the network part of the address, written in reverse
        type master;
        file "172.25.254.ptr";        ##data file
        allow-update { none; };
};
cd /var/named/
cp -p named.loopback 172.25.254.ptr   ##copy the template
vim 172.25.254.ptr
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
                NS      dns.westos.com.
dns             A       172.25.254.144
233             PTR     news.westos.com.
systemctl restart named
Test:
From a client pointed at the server, do a reverse lookup of 172.25.254.233; it should return news.westos.com.

4. DNS two-way (split) resolution
One DNS server can serve hosts on two network segments at the same time, giving each segment its own answers.
Lab setup: two clients, one on the 172.25.254.0 segment and one on 1.1.1.0; the server has an IP on each segment.

Configuration:
cd /var/named/
cp -p westos.com.zone westos.com.inter
vim westos.com.inter            ##change the 172.25.254.0 addresses to the 1.1.1.0 segment
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
                NS      dns.westos.com.
dns             A       1.1.1.144
www             CNAME   westos.a
westos.a        A       1.1.1.111
westos.a        A       1.1.1.112
westos.com.     MX 1    1.1.1.144
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inters
vim /etc/named.rfc1912.inters   ##point the zone at the new data file
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { none; };
};
vim /etc/named.conf
/*                              ##comment out everything from here (once views are used, every zone must live inside a view)
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
*/                              ##to here
view localnet {
        match-clients { 1.1.1.0/24; };      ##clients on the 1.1.1.0 segment use this view; views are tried in order, so the specific one comes first
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.inters";
};
view internet {
        match-clients { any; };             ##all other clients use this view
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
};
systemctl restart named
Test:
Resolve the same name from a host on each segment; the A records returned are different.

5. DNS cluster (master and slave)
When one DNS server receives too much traffic, a slave (secondary) DNS can be set up to take load off the master.
Master DNS (172.25.254.150):
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
        also-notify { 172.25.254.250; };    ##slave DNS servers that are actively notified when the zone data changes
};
Slave DNS (172.25.254.250):
dnf install bind -y
systemctl disable --now firewalld           ##the lab switches the firewall off entirely; allowing the dns service as in section 1 is enough
vim /etc/named.conf
11        listen-on port 53 { any; };       ##listen on port 53 on all local network interfaces
19        allow-query     { any; };         ##list of clients allowed to send queries
34        dnssec-validation no;             ##disable DNSSEC validation so the server can cache answers from upstream servers
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type slave;                         ##this server's role is slave for the zone
        masters { 172.25.254.150; };        ##IP of the master DNS
        file "slaves/westos.com.zone";      ##file the transferred zone data is written to
};
systemctl restart named
Test:
On the master, change the zone file, increase the serial number, and restart named.

Resolving www.westos.com on the slave shows that its data is now in sync with the master.
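The slave only pulls the zone when it sees a serial that is newer under RFC 1982 serial arithmetic, which is why the test above insists on increasing it. This added Python helper (not from the original post) implements that comparison and bumps the serial of a constructed SOA header in the shape of the zone above, so an edit made without a serial bump is caught before named is restarted. Function names are my own.

```python
import re
from datetime import date

# Constructed SOA header in the shape of the westos.com.zone file above (embedded sample, not read from disk).
SOA = """$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
                NS      dns.westos.com.
"""
SERIAL_RE = re.compile(r"(?m)^([ \t]*)(\d+)([ \t]*;[ \t]*serial)")

def serial_newer(new, old):
    # RFC 1982 serial arithmetic, which is how a slave decides whether the master's copy is newer:
    # equal serials never trigger a transfer, and "newer" means less than 2^31 steps ahead modulo 2^32.
    new, old = new % 2**32, old % 2**32
    return new != old and (new - old) % 2**32 < 2**31

def bump_serial(zone_text, ymd=None):
    # Return (new_text, old_serial, new_serial). Uses the YYYYMMDDnn convention when the current
    # serial is behind it (as with the 0 in the zone above), otherwise adds one; either way the
    # result passes serial_newer(), so the slave will transfer the zone after the notify.
    m = SERIAL_RE.search(zone_text)
    if not m:
        raise ValueError("no '; serial' line found in the SOA record")
    old = int(m.group(2))
    candidate = int(ymd or date.today().strftime("%Y%m%d")) * 100
    new = max(candidate, old + 1) % 2**32
    assert serial_newer(new, old), "new serial would not be seen as newer by the slave"
    return SERIAL_RE.sub(lambda mm: f"{mm.group(1)}{new}{mm.group(3)}", zone_text, count=1), old, new
```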

6. DDNS (DHCP + DNS)
dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST westoskey    ##generate the key
cat Kwestoskey.+163+59420.key                            ##view the key name and the secret string
westoskey. IN KEY 512 3 163 Y3pzVU+c9HBiy6qr+a/AdQ==
cp -p /etc/rndc.key /etc/westos.key                      ##copy the key file as a template; -p keeps its restrictive ownership and mode, so the secret is not world-readable
vim /etc/westos.key
key "westoskey" {                       ##key name
        algorithm hmac-sha256;          ##HMAC algorithm
        secret "Y3pzVU+c9HBiy6qr+a/AdQ==";   ##the secret string
};
vim /etc/named.conf
include "/etc/westos.key";              ##load the key file
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westoskey; };    ##only updates signed with this key are accepted
        also-notify { 172.25.254.250; };
};
vim /etc/dhcp/dhcpd.conf
7  option domain-name "westos.com";                ##domain name
8  option domain-name-servers 172.25.254.150;
14 ddns-update-style interim;
32 subnet 172.25.254.0 netmask 255.255.255.0 {     ##network and netmask
33         range 172.25.254.70 172.25.254.80;
34         option routers 172.25.254.150;          ##gateway
35 }
36
37 key westoskey {                                 ##give the same key to dhcp
38         algorithm hmac-sha256;
39         secret Y3pzVU+c9HBiy6qr+a/AdQ== ;
40 };
41
42 zone westos.com. {
43         primary 127.0.0.1;                      ##the DNS server is on this host (loopback interface)
44         key westoskey;
45 }
systemctl restart named
systemctl restart dhcpd
Test:
Idea: configure the client's network for DHCP so that it obtains its IP from the DHCP service, set the client's hostname to westosa.westos.com, then run dig westosa.westos.com.
1) Look at /etc/resolv.conf: there is no nameserver entry.

2) Restart the network interface to obtain an IP. /etc/resolv.conf now lists the server's IP as nameserver, which shows the lease was obtained; the IP is 172.25.254.70.

3) The hostname westosa.westos.com belongs to the westos.com domain.
4) dig westosa.westos.com
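Most failures in this setup come from the two key blocks drifting apart (different name, algorithm or secret on the named and dhcpd side). As an added example that is not the post's own code, this Python snippet generates a 128-bit secret the way dnssec-keygen -b 128 does, renders the named-style and dhcpd-style key blocks, and checks that a named config and a dhcpd config carry the same key; the sample configs in the test are constructed from the blocks above. Function names are my own.

```python
import base64
import re
import secrets

def gen_secret(bits=128):
    # What `dnssec-keygen -a HMAC-SHA256 -b 128` produces: bits/8 random bytes, base64 encoded.
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def named_key_block(name, secret, algorithm="hmac-sha256"):
    # Shape of /etc/westos.key (included from named.conf): the name and secret are quoted.
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'

def dhcpd_key_block(name, secret, algorithm="hmac-sha256"):
    # Shape of the key statement in dhcpd.conf, where the name and secret are written unquoted.
    return f"key {name} {{\n    algorithm {algorithm};\n    secret {secret};\n}};\n"

KEY_RE = re.compile(r'\bkey\s+"?([\w.-]+)"?\s*\{(.*?)\}\s*;', re.S)

def parse_key_blocks(text):
    # Return {name: (algorithm, secret)} for every `key ... { ... };` block, whichever quoting style is used.
    found = {}
    for name, body in KEY_RE.findall(text):
        fields = dict(re.findall(r'(\w+)\s+"?([^\s";]+)"?\s*;', body))
        found[name] = (fields.get("algorithm", "").lower(), fields.get("secret", ""))
    return found

def check_tsig_consistency(named_text, dhcpd_text, name, bits=128):
    # named rejects the update (BADKEY or BADSIG in its log) unless both sides agree on name,
    # algorithm and secret; this catches the mismatch before the first lease is handed out.
    n, d = parse_key_blocks(named_text).get(name), parse_key_blocks(dhcpd_text).get(name)
    if n is None or d is None:
        return [f"key {name} missing from " + ("named" if n is None else "dhcpd") + " config"]
    problems = []
    if n[0] != d[0]:
        problems.append(f"algorithm differs: named={n[0]} dhcpd={d[0]}")
    if n[1] != d[1]:
        problems.append("secret differs between named and dhcpd")
    try:
        raw = base64.b64decode(n[1], validate=True)
        if len(raw) * 8 != bits:
            problems.append(f"secret is {len(raw) * 8} bits, expected {bits}")
    except ValueError:   # binascii.Error is a ValueError subclass
        problems.append("secret is not valid base64")
    return problems
```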