<Service> DNS
Contents:
DNS
DNS is short for Domain Name System. It consists of resolvers and name servers. A name server holds the domain names and matching IP addresses of the hosts in its zone and turns names into addresses; a name must map to at least one address, but an address does not have to have a name. The name space is a hierarchy laid out like a directory tree. Name servers are the server side of a client/server model and come in two main roles: authoritative servers (master and slave) that hold the zone data, and recursive caching servers, which may be configured as pure forwarders, that resolve names on behalf of clients. Mapping a name to an address is called name resolution. Names and addresses are not one-to-one: one name can point at several addresses (see the google.com answer further down) and one address can carry several names. Names are easy for people to remember, but machines only know each other by IP address, so the conversion has to be done by dedicated name servers, and DNS is the service that performs it. DNS naming is used on TCP/IP networks such as the Internet to find computers and services by user-friendly names; when a user types a DNS name into an application, the DNS service resolves it to the associated information, such as an IP address. The URL you type when browsing is resolved by DNS to the corresponding address before the connection is made: the final target of a domain name is always an IP address.
Do you need to run a local DNS server? If you have many hosts and the mappings change often, it is worth setting one up.
[root@why-1 UnlimitedJCEPolicy]# dig +www.whysdomain.com
Invalid option: +www.whysdomain.com
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
{global-d-opt} host [@local-server] {local-d-opt}
[ host [@local-server] {local-d-opt} [...]]
Use "dig -h" (or "dig -h | more") for complete list of options
[root@why-1 UnlimitedJCEPolicy]# dig +trace www.whysdomain.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> +trace www.whysdomain.com
;; global options: +cmd
. 81579 IN NS c.root-servers.net.
. 81579 IN NS k.root-servers.net.
. 81579 IN NS h.root-servers.net.
. 81579 IN NS d.root-servers.net.
. 81579 IN NS m.root-servers.net.
. 81579 IN NS e.root-servers.net.
. 81579 IN NS l.root-servers.net.
. 81579 IN NS j.root-servers.net.
. 81579 IN NS i.root-servers.net.
. 81579 IN NS g.root-servers.net.
. 81579 IN NS a.root-servers.net.
. 81579 IN NS b.root-servers.net.
. 81579 IN NS f.root-servers.net.
;; Received 228 bytes from 192.168.0.1#53(192.168.0.1) in 160 ms
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
;; Received 496 bytes from 192.33.4.12#53(192.33.4.12) in 379 ms
whysdomain.com. 172800 IN NS dns9.hichina.com.
whysdomain.com. 172800 IN NS dns10.hichina.com.
;; Received 179 bytes from 192.43.172.30#53(192.43.172.30) in 196 ms
www.whysdomain.com. 600 IN A 121.42.37.139
;; Received 52 bytes from 42.120.221.14#53(42.120.221.14) in 18 ms
Looking up an IP address from a host name is forward resolution; looking up a host name from an IP address is reverse resolution.
Forward or reverse, every domain is a zone, and one DNS server can serve many zones.
Reverse zones for public address space have to be delegated by the owner of the addresses (the IDC or ISP), so you usually cannot set them up yourself; reverse records matter mostly for mail servers, whose PTR is checked by receiving systems.
The essential record types are SOA, NS and A.
Ownership of IP addresses: ICANN (through IANA) allocates and manages the IP address space and hands blocks to the regional registries, which in turn allocate ranges to network service providers.
APNIC is the regional registry for the Asia-Pacific region.
CNNIC is the registry for China; it allocates IP addresses and AS numbers there.
An autonomous system (AS) is a group of networks under one administration that run an interior routing protocol among themselves. An organisation whose routers will speak an exterior routing protocol (EGP, BGP or IDRP) applies for an AS number; that is typically needed when the network is large and has several upstream links. With a single upstream link, static routing or another protocol is enough and no AS number is required.
DNS servers are either master or slave. The master reads its zone files from local disk; zone data is changed by editing those files, increasing the SOA serial and reloading the zone (rndc reload, or a restart). A slave periodically (every refresh interval from the SOA) asks the master for its current serial and transfers the zone when the master's serial is higher, so a change on the master that does not raise the serial is never picked up. With notify enabled, the master also sends a NOTIFY to its slaves as soon as it loads a new serial, so they update at once instead of waiting for the refresh timer.
To serve a domain on the public Internet you must register your own name servers with the registrar, at least two of them, placed in different data centers.
Configuration files:
- /etc/hosts: static host-name-to-IP mappings
- /etc/resolv.conf: the DNS servers this host queries
- /etc/nsswitch.conf: the order in which hosts (files) and DNS (resolv.conf) are consulted
Query tools: host, nslookup, dig, whois (from the jwhois package)
dig -t mx whysdomain.com        (query a specific record type)
dig -x 121.42.37.139            (reverse lookup of an address)
Installing DNS (BIND)
Download and install
[root@why-3 ~]# tar xf bind-9.7.3-P1.tar.gz
[root@why-3 ~]# cd bind-9.7.3-P1
[root@why-3 bind-9.7.3-P1]# ./configure --prefix=/usr/local/named -enable-threads
[root@why-3 bind-9.7.3-P1]# make
[root@why-3 bind-9.7.3-P1]# make install
[root@why-3 bind-9.7.3-P1]# groupadd bind
[root@why-3 bind-9.7.3-P1]# useradd bind -g bind -d /usr/local/named -s /sbin/nologin
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@why-3 bind-9.7.3-P1]# chown -R bind.bind /usr/local/named/
[root@why-3 bind-9.7.3-P1]# chmod -R 700 /usr/local/named/etc/
[root@why-3 bind-9.7.3-P1]# mkdir /var/named
[root@why-3 bind-9.7.3-P1]# chown -R bind.bind /var/named
Generating the root hints file
The hints file lists the root servers named starts iterating from. dig with no arguments asks the resolver in /etc/resolv.conf for the root NS set, and that answer can be used directly as the hints file (InterNIC publishes the reference copy as named.root):
[root@why-3 ~]# cd /var/named
[root@why-3 named]# dig > named.root
[root@why-3 named]# cat named.root
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58834
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 255280 IN NS d.root-servers.net.
. 255280 IN NS a.root-servers.net.
. 255280 IN NS l.root-servers.net.
. 255280 IN NS k.root-servers.net.
. 255280 IN NS b.root-servers.net.
. 255280 IN NS g.root-servers.net.
. 255280 IN NS e.root-servers.net.
. 255280 IN NS i.root-servers.net.
. 255280 IN NS j.root-servers.net.
. 255280 IN NS c.root-servers.net.
. 255280 IN NS h.root-servers.net.
. 255280 IN NS f.root-servers.net.
. 255280 IN NS m.root-servers.net.
;; Query time: 320 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sat Feb 25 20:51:23 2017
;; MSG SIZE rcvd: 228
Generate the main BIND configuration file. rndc-confgen prints a key and a controls statement; the commented tail of its output is exactly what named.conf needs, so it is cut out with tail/head and the leading # characters are removed with sed:
[root@why-3 named]# cd /usr/local/named/etc/
[root@why-3 etc]# ll
total 4
-rw-r--r-- 1 bind bind 2544 Feb 25 18:07 bind.keys
[root@why-3 etc]# ../sbin/rndc-confgen > rndc.conf
[root@why-3 etc]# tail -10 rndc.conf | head -9 | sed s/#\//g > named.conf
[root@why-3 etc]# cat named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "etAeV9UeBY0NCngcy+Hx2A==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
named.conf is BIND's main configuration file, /var/named is the directory for zone files, and the pid file goes to /var/run/named/ by default.
Types of DNS servers
Caching DNS and forwarding DNS
Configuring a forwarding DNS server
[root@why-3 etc]# vi named.conf
options {
listen-on port 53 { any; }; # port and addresses to listen on; any = every interface (BIND's own default; distribution configs often limit this to 127.0.0.1)
directory "/var/named"; # directory holding the zone files
allow-query { any; }; # hosts allowed to query; the default is also any
recursion yes; # together with allow-query { any; } this is an open resolver; on anything reachable from the Internet restrict recursion to your own networks with allow-recursion
forward only; # hand every query to the forwarders and never iterate from the root yourself; forward first would fall back to iteration when the forwarders fail
forwarders { 114.114.114.114;8.8.8.8;8.8.4.4; }; # upstream resolvers
};
Start named (as the unprivileged bind user)
[root@why-3 etc]# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind
[root@why-3 etc]# tail -10 /var/log/messages
Feb 28 22:53:04 why-3 named[24336]: using default UDP/IPv4 port range: [1024, 65535]
Feb 28 22:53:04 why-3 named[24336]: using default UDP/IPv6 port range: [1024, 65535]
Feb 28 22:53:04 why-3 named[24336]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 28 22:53:04 why-3 named[24336]: listening on IPv4 interface eth0, 192.168.0.203#53
Feb 28 22:53:04 why-3 named[24336]: generating session key for dynamic DNS
Feb 28 22:53:04 why-3 named[24336]: set up managed keys zone for view _default, file 'managed-keys.bind'
Feb 28 22:53:04 why-3 named[24336]: command channel listening on 127.0.0.1#953
Feb 28 22:53:04 why-3 named[24336]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Feb 28 22:53:04 why-3 named[24336]: managed-keys-zone ./IN: loaded serial 0
Feb 28 22:53:04 why-3 named[24336]: running
Resolution flow
Capture the traffic (-K skips checksum verification; adding -n would keep tcpdump's own reverse lookups out of the capture, see below)
[root@why-3 etc]# tcpdump -K dst port 53
Then run dig in another terminal
[root@why-3 ~]# dig www.baidu.com @127.0.0.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> www.baidu.com @127.0.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@why-3 ~]# dig google.com @127.0.0.1
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> google.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9354
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 295 IN A 64.233.188.139
google.com. 295 IN A 64.233.188.100
google.com. 295 IN A 64.233.188.101
google.com. 295 IN A 64.233.188.102
google.com. 295 IN A 64.233.188.113
google.com. 295 IN A 64.233.188.138
;; Query time: 2421 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 28 23:03:31 2017
;; MSG SIZE rcvd: 124
On the capturing side. Only the two A? queries for google.com come from named: the first went to 114.114.114.114 and the retry two seconds later to 8.8.8.8. The PTR? queries are tcpdump itself reverse-resolving the addresses it prints, which is why they ask about 114.114.114.114, 8.8.8.8 and 192.168.0.203; run tcpdump with -n to suppress them.
[root@why-3 etc]# tcpdump -K dst port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:03:29.572888 IP 192.168.0.203.12444 > public1.114dns.com.domain: 13724+ [1au] A? google.com. (39)
23:03:29.573970 IP 192.168.0.203.60871 > google-public-dns-a.google.com.domain: 31252+ PTR? 114.114.114.114.in-addr.arpa. (46)
23:03:29.916904 IP 192.168.0.203.40715 > google-public-dns-a.google.com.domain: 53858+ PTR? 203.0.168.192.in-addr.arpa. (44)
23:03:31.573294 IP 192.168.0.203.18747 > google-public-dns-a.google.com.domain: 28640+ [1au] A? google.com. (39)
23:03:34.922219 IP 192.168.0.203.38478 > public1.114dns.com.domain: 53858+ PTR? 203.0.168.192.in-addr.arpa. (44)
23:03:34.958101 IP 192.168.0.203.60934 > google-public-dns-a.google.com.domain: 17632+ PTR? 8.8.8.8.in-addr.arpa. (38)
23:03:39.963415 IP 192.168.0.203.39035 > public1.114dns.com.domain: 17632+ PTR? 8.8.8.8.in-addr.arpa. (38)
23:03:44.968140 IP 192.168.0.203.60934 > google-public-dns-a.google.com.domain: 17632+ PTR? 8.8.8.8.in-addr.arpa. (38)
23:03:49.973075 IP 192.168.0.203.39035 > public1.114dns.com.domain: 17632+ PTR? 8.8.8.8.in-addr.arpa. (38)
^C
9 packets captured
9 packets received by filter
0 packets dropped by kernel
DNS records
[root@why-3 etc]# dig whysdomain.com @127.0.0.1
;; ANSWER SECTION:
whysdomain.com. 599 IN A 121.42.37.139
599 is the TTL: how long, in seconds, a resolver that fetched this record may keep it in its cache. Before a migration that changes an address, lower the TTL well ahead of time so that the new address takes effect quickly. IN is the class, Internet.
Forward records
Record format:

| Record | Class | Type | Description |
|---|---|---|---|
| hostname. | IN | A | IPv4 address |
| hostname. | IN | AAAA | IPv6 address |
| domain. | IN | NS | name of a server authoritative for this domain |
| domain. | IN | SOA | the seven key parameters of the zone |
| domain. | IN | MX | name of the mail server that receives mail for the domain |
| alias | IN | CNAME | the real (canonical) host name |
| domain | IN | TXT | free text; most often an SPF record listing every address allowed to send mail for the domain, used against spam |
SOA
[root@why-3 etc]# dig -t soa whysdomain.com
;; ANSWER SECTION:
whysdomain.com. 600 IN SOA dns9.hichina.com. hostmaster.hichina.com. 2016111710 3600 1200 3600 360
- dns9.hichina.com.: the primary (master) name server of the zone
- hostmaster.hichina.com.: the administrator's mailbox; @ has a special meaning in zone files, so the first dot stands for it and this is really hostmaster@hichina.com
- 2016111710: serial number, here in YYYYMMDDnn form; slaves compare it with the serial of their own copy to decide whether to fetch the zone again
- 3600: refresh, how often in seconds a slave asks the master for the current serial (one hour here)
- 1200: retry, how long a slave waits before asking again after a failed refresh
- 3600: expire, how long a slave keeps serving the zone without having reached the master; after that it stops answering for the zone (an expire no longer than the refresh, as here, is unusually short)
- 360: minimum; originally the default TTL, since RFC 2308 the negative-caching TTL, i.e. how long resolvers may cache a "no such record" answer. The default TTL of ordinary records now comes from the $TTL directive at the top of the zone file
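The serial rules above (a slave transfers only when the master's serial is newer, and serials in YYYYMMDDnn form) are easy to get wrong by hand. The following is an added example, not code from the page or from BIND: it implements the serial-number arithmetic of RFC 1982 that name servers use when comparing serials, and a safe way to compute the next YYYYMMDDnn serial, including the cases of several edits on one day and a serial that is already ahead of today's date. The function names are this example's own.

```python
"""SOA serial handling (added example, not code from the page or from BIND).

serial_gt()           RFC 1982 comparison: serials are 32-bit and wrap, so
                      BIND does not use a plain '<' to decide what is newer.
slave_needs_transfer() the decision a secondary takes at refresh time.
bump_serial()         the next YYYYMMDDnn serial after a zone edit.
"""
import datetime
from typing import Optional

SERIAL_MOD = 1 << 32      # serials live in a 32-bit ring
HALF_RANGE = 1 << 31      # anything further apart than this has "wrapped"


def serial_gt(a: int, b: int) -> bool:
    """Is serial a 'greater than' serial b in RFC 1982 arithmetic?"""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def slave_needs_transfer(slave_serial: int, master_serial: int) -> bool:
    """A secondary pulls the zone only when the master's serial is newer.

    Editing a zone without raising the serial therefore changes nothing on
    the slaves, which is the mistake the text above warns about.
    """
    return serial_gt(master_serial, slave_serial)


def bump_serial(current: int, today_yyyymmdd: Optional[int] = None) -> int:
    """Return the next serial in the YYYYMMDDnn convention used above.

    If today's date prefix is ahead of the stored serial, restart at
    YYYYMMDD00; otherwise (same day, or a serial typed 'in the future')
    add one. Either way the result is newer in serial arithmetic.
    """
    if today_yyyymmdd is None:
        today_yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    date_prefix = today_yyyymmdd * 100
    nxt = date_prefix if date_prefix > current else current + 1
    return nxt % SERIAL_MOD


if __name__ == "__main__":
    # Serial from the zone file above, edited a second time on 1 March 2017.
    new = bump_serial(2017030100, 20170301)            # 2017030101
    print(new, slave_needs_transfer(2017030100, new))  # True
```

The wraparound case matters once in a lifetime, but the comparison direction matters every day: if someone "fixes" a typo by lowering the serial, slave_needs_transfer() returns False and the slaves silently keep the old data.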
MX
[root@why-3 etc]# dig -t mx whysdomain.com
;; ANSWER SECTION:
whysdomain.com. 599 IN MX 10 mxw.mxhichina.com.
whysdomain.com. 599 IN MX 5 mxn.mxhichina.com.
5 and 10 are preferences: the lower the value, the higher the priority (a strict order, not a weight).
TXT
TXT records are used mainly against spam. A mail server that receives a message claiming to come from a domain looks up that domain's SPF record and checks whether the sending server's IP is among the published addresses; a match scores positively, a mismatch negatively, and the message is filtered accordingly.
[root@why-3 etc]# dig -t txt baidu.com
;; ANSWER SECTION:
baidu.com. 6951 IN TXT "google-site-verification=GHb98-6msqyx_qqjGl5eRatD3QTHyVB6-xQ3gJB5UwM"
baidu.com. 6951 IN TXT "v=spf1 include:spf1.baidu.com include:spf2.baidu.com include:spf3.baidu.com a mx ptr -all"
-all means hard fail: any sender not matched by the preceding mechanisms is rejected.
Reverse resolution
[root@why-3 etc]# dig -x whysdomain
;; QUESTION SECTION:
;whysdomain.in-addr.arpa. IN PTR
dig -x expects an IP address and reverses its octets to form the in-addr.arpa name: for 121.42.37.139 it would ask for 139.37.42.121.in-addr.arpa. Given a host name, as above, it just builds a nonsensical query.
Configuring the DNS service
Edit the configuration file
[root@why-3 etc]# vi named.conf
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
allow-transfer { none; }; # no zone transfers unless a zone statement says otherwise
forwarders { 114.114.114.114;8.8.8.8;8.8.4.4; };
};
zone "." IN {
type hint; # root hints, used when iterating from the root
file "named.root";
};
zone "whysdomain.com" IN {
type master; # zone type: hint (root), master (primary) or slave (secondary)
file "whysdomain.com.zone"; # zone file, relative to directory
allow-update { none; }; # reject dynamic updates
allow-transfer { 192.168.0.203; }; # only this host may pull the zone (overrides the global none)
notify yes; # tell the slaves whenever the serial changes
also-notify { 192.168.0.203; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
allow-transfer { 192.168.0.203; };
};
Comments in named.conf are written with //, # or /* */. The ';' comment character belongs to zone files, not to named.conf.
Zone file format
[root@why-3 ~]# cd /var/named/
[root@why-3 named]# ll
total 4
-rw-r--r-- 1 root root 868 Feb 25 20:51 named.root
[root@why-3 named]# vi whysdomain.com.zone
$TTL 38400
whysdomain.com. IN SOA ns1.whysdomain.com. webmaster.whysdomain.com. (
        2017030100
        10800
        3600
        604800
        38400 )
        IN NS ns1.whysdomain.com.
;       IN NS ns2.whysdomain.com.
        IN MX 5 mail
ns1     IN A 192.168.0.203
;ns2    IN A 192.168.0.130
www     IN A 192.168.0.203
blog    IN CNAME www
mail    IN A 192.168.0.203
[root@why-3 named]# vi 192.168.0.zone
$TTL 600
@   IN SOA ns1.whysdomain.com. www.whysdomain.com. (
        2017030100
        1D
        1H
        1W
        3H )
@   IN NS ns1.whysdomain.com.
;@  IN NS ns2.whysdomain.com.
203 IN PTR ns1.whysdomain.com.
;130 IN PTR ns2.whysdomain.com.
203 IN PTR www.whysdomain.com.
In whysdomain.com.zone, @ stands for the zone origin whysdomain.com., and in 192.168.0.zone for its origin 0.168.192.in-addr.arpa. (with the trailing dot). A record whose owner field is empty, i.e. a line that starts with whitespace, belongs to the owner of the record before it. A name that ends in a dot is a fully qualified domain name and is used as written; a name without the dot is relative and gets the origin appended (www becomes www.whysdomain.com., 203 becomes 203.0.168.192.in-addr.arpa.). Forgetting the trailing dot on an absolute name is the classic zone-file mistake: ns1.whysdomain.com would turn into ns1.whysdomain.com.whysdomain.com.
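To see the rules in the paragraph above applied mechanically, here is an added example, not code from the page or from BIND. It parses the two zone files (embedded as a constructed sample, with the ns2 lines uncommented and the MX placed right after the NS lines so it belongs to the apex) and cross-checks the forward zone against the reverse zone, which named-checkzone cannot do because it only ever sees one file. The parser also makes the blank-owner rule concrete: an MX line without an owner field inherits the owner of the record before it, so placed after the ns2 A record it becomes an MX for ns2.whysdomain.com rather than for the domain. Function names and the checks chosen are this example's own.

```python
"""Cross-check the forward zone against the reverse zone.

Added example, not part of the original page or of BIND. named-checkzone
checks one file at a time; this parses both zone files shown above (embedded
as constructed sample input, ns2 lines uncommented) and checks what the two
must agree on: in-zone NS names have A records, CNAME owners carry nothing
else, MX targets are not CNAMEs, and A and PTR records mirror each other.
"""
import ipaddress
import re
from collections import defaultdict

FORWARD_ORIGIN = "whysdomain.com."
FORWARD_ZONE = """\
$TTL 38400
whysdomain.com. IN SOA ns1.whysdomain.com. webmaster.whysdomain.com. (
        2017030100 10800 3600 604800 38400 )
        IN NS ns1.whysdomain.com.
        IN NS ns2.whysdomain.com.
        IN MX 5 mail    ; blank owner: inherits whysdomain.com. from the NS lines
ns1     IN A 192.168.0.203
ns2     IN A 192.168.0.130
www     IN A 192.168.0.203
blog    IN CNAME www
mail    IN A 192.168.0.203
"""
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 600
@   IN SOA ns1.whysdomain.com. www.whysdomain.com. ( 2017030100 1D 1H 1W 3H )
@   IN NS  ns1.whysdomain.com.
203 IN PTR ns1.whysdomain.com.
203 IN PTR www.whysdomain.com.
"""
TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}


def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) triples with every name made absolute."""
    no_comments = "\n".join(line.split(";")[0] for line in text.splitlines())
    flat = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), no_comments)
    records, owner = [], origin
    for line in flat.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = fqdn(line.split()[1], origin)
            continue
        tokens = line.split()
        if not line[0].isspace():                  # owner field present
            owner = fqdn(tokens.pop(0), origin)
        while tokens and tokens[0] not in TYPES:   # skip optional TTL / class
            tokens.pop(0)
        if not tokens:                             # record type not handled here
            continue
        rtype, rdata = tokens[0], tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], fqdn(rdata[1], origin)]
        records.append((owner, rtype, " ".join(rdata)))
    return records


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems; an empty list means forward and reverse agree."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    problems, types_at, a_of = [], defaultdict(set), defaultdict(set)
    for owner, rtype, rdata in fwd:
        types_at[owner].add(rtype)
        if rtype == "A":
            a_of[owner].add(rdata)
    for owner, rtype, rdata in fwd:
        if rtype == "NS" and rdata.endswith("." + fwd_origin) and not a_of[rdata]:
            problems.append(f"NS {rdata} is in-zone but has no A record")
        if rtype == "MX" and "CNAME" in types_at[rdata.split()[1]]:
            problems.append(f"MX target {rdata.split()[1]} is a CNAME")
        if rtype == "CNAME" and types_at[owner] != {"CNAME"}:
            problems.append(f"{owner} has a CNAME next to other records")
    # Rebuild the address behind each PTR owner, then compare in both directions.
    net_labels = rev_origin[: -len(".in-addr.arpa.")].split(".")[::-1]
    network = ipaddress.ip_network(
        ".".join(net_labels + ["0"] * (4 - len(net_labels))) + f"/{8 * len(net_labels)}")
    ptr_of = defaultdict(set)
    for owner, _, rdata in (r for r in rev if r[1] == "PTR"):
        ip = ".".join(net_labels + owner[: -len(rev_origin) - 1].split(".")[::-1])
        ptr_of[ip].add(rdata)
        if ip not in a_of[rdata]:
            problems.append(f"PTR {ip} -> {rdata}, but {rdata} has no A record {ip}")
    for name, ips in list(a_of.items()):
        for ip in ips:
            if ipaddress.ip_address(ip) in network and name not in ptr_of[ip]:
                problems.append(f"A {name} -> {ip} has no matching PTR")
    return problems
```

Run against the sample it reports exactly what the files above leave out: ns2 (192.168.0.130) and mail (192.168.0.203) have A records but no PTR, which is the kind of gap that makes mail from these hosts look suspicious to receiving servers.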
Restart the DNS service (a change like this can also be picked up with rndc reconfig or rndc reload; the full restart is shown here)
[root@why-3 etc]# ps -ef | grep bind
rpc 1395 1 0 Feb28 ? 00:00:00 rpcbind
bind 25367 1 0 21:25 ? 00:00:00 /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind
root 25378 24920 0 21:27 pts/4 00:00:00 grep bind
[root@why-3 etc]# kill 25367
[root@why-3 etc]# ps -ef | grep bind
rpc 1395 1 0 Feb28 ? 00:00:00 rpcbind
root 25382 24920 0 21:27 pts/4 00:00:00 grep bind
[root@why-3 etc]# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind
Problems you may run into
[root@why-3 etc]# cat /var/log/messages
Mar 1 21:27:33 why-3 named[25384]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Mar 1 21:27:33 why-3 named[25384]: managed-keys-zone ./IN: loaded serial 0
It is cleared by creating the file:
[root@why-3 etc]# touch /var/named/managed-keys.bind
Checking the configuration and zone files (do this before every reload)
[root@why-3 etc]# /usr/local/named/sbin/named-checkconf /usr/local/named/etc/named.conf
[root@why-3 etc]# /usr/local/named/sbin/named-checkzone whysdomain.com /var/named/whysdomain.com.zone
zone whysdomain.com/IN: loaded serial 2017030100
OK
[root@why-3 etc]# /usr/local/named/sbin/named-checkzone 0.168.192.in-addr.arpa /var/named/192.168.0.zone
zone 0.168.192.in-addr.arpa/IN: loaded serial 2017030100
OK
Point the resolver at the new server
[root@why-3 etc]# vi /etc/resolv.conf
[root@why-3 etc]# cat !$
cat /etc/resolv.conf
# Generated by NetworkManager
#nameserver 8.8.8.8
nameserver 192.168.0.203
nameserver 114.114.114.114
Forward resolution
[root@why-3 etc]# dig ns1.whysdomain.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> ns1.whysdomain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9326
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.whysdomain.com. IN A
;; ANSWER SECTION:
ns1.whysdomain.com. 38400 IN A 192.168.0.203
;; AUTHORITY SECTION:
whysdomain.com. 38400 IN NS ns1.whysdomain.com.
;; Query time: 0 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Wed Mar 1 21:54:46 2017
;; MSG SIZE rcvd: 66
Reverse resolution
[root@why-3 etc]# dig -x 192.168.0.203
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.0.203
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;203.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
203.0.168.192.in-addr.arpa. 600 IN PTR ns1.whysdomain.com.
203.0.168.192.in-addr.arpa. 600 IN PTR www.whysdomain.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS ns1.whysdomain.com.
;; ADDITIONAL SECTION:
ns1.whysdomain.com. 38400 IN A 192.168.0.203
;; Query time: 0 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Wed Mar 1 21:55:15 2017
;; MSG SIZE rcvd: 124
Master/slave DNS
Note first that the slave's zone data is never edited by hand: it is received from the master by zone transfer (AXFR/IXFR) and written to the path named in the slave's file directive.
Master side
[root@why-3 ~]# vi /usr/local/named/etc/named.conf
Change every allow-transfer { none; };
to allow-transfer { 192.168.0.130; }; (the slave's address), so that only the slave may pull the zones.
In the zone files, uncomment the ns2 records and increase the serial by one.
Slave side
On the host that will be ns2, follow the build and install steps above up to generating named.conf, then change the configuration as below and start named.
[root@why etc]# vi named.conf
Add:
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
recursion yes; # as on the master, restrict recursion to your own networks if this host is reachable from outside
forward only;
forwarders { 114.114.114.114;8.8.8.8;8.8.4.4; };
# allow-transfer defaults to any: a slave should also set allow-transfer { none; } so nobody can dump the zones from it
};
zone "whysdomain.com" IN {
type slave; # zone type slave
file "whysdomain.com.zone"; # local copy, written after each transfer
masters { 192.168.0.203; }; # address of the master to pull from
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "192.168.0.zone";
masters { 192.168.0.203; };
};
[root@why etc]# /usr/local/named/sbin/named-checkconf /usr/local/named/etc/named.conf
[root@why etc]# tail -f /var/log/messages
Jan 6 11:04:32 why named[19753]: starting BIND 9.7.3-P1 -c /usr/local/named/etc/named.conf -u bind
Jan 6 11:04:32 why named[19753]: built with '--prefix=/usr/local/named' '-enable-threads'
Jan 6 11:04:32 why named[19753]: adjusted limit on open files from 4096 to 1048576
Jan 6 11:04:32 why named[19753]: found 1 CPU, using 1 worker thread
Jan 6 11:04:32 why named[19753]: using up to 4096 sockets
Jan 6 11:04:32 why named[19753]: loading configuration from '/usr/local/named/etc/named.conf'
Jan 6 11:04:32 why named[19753]: reading built-in trusted keys from file '/usr/local/named/etc/bind.keys'
Jan 6 11:04:32 why named[19753]: using default UDP/IPv4 port range: [1024, 65535]
Jan 6 11:04:32 why named[19753]: using default UDP/IPv6 port range: [1024, 65535]
Jan 6 11:04:32 why named[19753]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 6 11:04:32 why named[19753]: listening on IPv4 interface eth0, 192.168.0.130#53
Jan 6 11:04:33 why named[19753]: generating session key for dynamic DNS
Jan 6 11:04:33 why named[19753]: set up managed keys zone for view _default, file 'managed-keys.bind'
Jan 6 11:04:33 why named[19753]: command channel listening on 127.0.0.1#953
Jan 6 11:04:33 why named[19753]: managed-keys-zone ./IN: loading from master file managed-keys.bind failed: file not found
Jan 6 11:04:33 why named[19753]: managed-keys-zone ./IN: loaded serial 0
Jan 6 11:04:33 why named[19753]: running
Jan 6 11:04:33 why named[19753]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
Jan 6 11:04:33 why named[19753]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.203#53: connected using 192.168.0.130#41597
Jan 6 11:04:33 why named[19753]: zone 0.168.192.in-addr.arpa/IN: transferred serial 2017030101
Jan 6 11:04:33 why named[19753]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.203#53: Transfer completed: 1 messages, 7 records, 216 bytes, 0.002 secs (108000 bytes/sec)
Jan 6 11:04:33 why named[19753]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2017030101)
Jan 6 11:04:33 why named[19753]: zone whysdomain.com/IN: Transfer started.
Jan 6 11:04:33 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.203#53: connected using 192.168.0.130#34051
Jan 6 11:04:33 why named[19753]: zone whysdomain.com/IN: transferred serial 2017030101
Jan 6 11:04:33 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.203#53: Transfer completed: 1 messages, 10 records, 258 bytes, 0.001 secs (258000 bytes/sec)
Jan 6 11:04:33 why named[19753]: zone whysdomain.com/IN: sending notifies (serial 2017030101)
The log line Transfer completed: 1 messages, 10 records, 258 bytes, 0.001 secs (258000 bytes/sec) shows the 10 records that were synchronised.
Adding records
[root@why-3 etc]# vi /var/named/whysdomain.com.zone
Add two third-level names and raise the serial
a.www IN A 192.168.0.203
b.www IN A 192.168.0.203
Reload the named configuration and zones
[root@why-3 etc]# rndc reload
server reload successful
If you see the following instead, a bind package installed earlier is the likely cause
[root@why-3 named]# rndc reload
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
The secret in /etc/rndc.key, read by the system's rndc, differs from the one in /usr/local/named/etc/rndc.conf; make the two match, or call /usr/local/named/sbin/rndc explicitly.
Slave log after the reload
[root@why ~]# tail -f /var/log/messages
Jan 6 11:40:00 why named[19753]: client 192.168.0.203#42148: received notify for zone 'whysdomain.com'
Jan 6 11:40:00 why named[19753]: zone whysdomain.com/IN: Transfer started.
Jan 6 11:40:00 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.203#53: connected using 192.168.0.130#34565
Jan 6 11:40:00 why named[19753]: zone whysdomain.com/IN: transferred serial 2017030102
Jan 6 11:40:00 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.203#53: Transfer completed: 1 messages, 12 records, 294 bytes, 0.003 secs (98000 bytes/sec)
Jan 6 11:40:00 why named[19753]: zone whysdomain.com/IN: sending notifies (serial 2017030102)
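The NOTIFY and transfer messages above are worth watching continuously, not just reading once: a NOTIFY from a host that is not the master, a transfer pulled from an unexpected address, or a serial that goes down all point at misconfiguration or tampering (allow-notify and masters are what an attacker would want changed). The following added example, not code from the page or from BIND, runs those checks over constructed log lines in the formats shown above; the regular expressions, function names and the EXPECTED_MASTERS table are assumptions of this example, not part of the setup described.

```python
"""Audit named's syslog lines for zone-transfer and NOTIFY anomalies.

Added example, not code from the page or from BIND. The regular expressions
match the message formats seen in /var/log/messages above (received notify,
transfer ... connected using, transferred serial, with or without a view).
SAMPLE_LOG is constructed: its first three lines copy the slave's log after the
reload, the last three are made up to show what the checks catch.
EXPECTED_MASTERS is an assumption about this setup: only 192.168.0.203 may
send NOTIFY for these zones or serve them for transfer.
"""
import re
from typing import Dict, Iterable, List, Set

EXPECTED_MASTERS: Dict[str, Set[str]] = {
    "whysdomain.com": {"192.168.0.203"},
    "0.168.192.in-addr.arpa": {"192.168.0.203"},
}

NOTIFY_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+: (?:view \S+: )?received notify for zone '(?P<zone>[^']+)'")
XFER_RE = re.compile(
    r"transfer of '(?P<zone>[^/']+)/IN(?:/[^']+)?' from (?P<ip>[\d.]+)#\d+: connected")
SERIAL_RE = re.compile(
    r"zone (?P<zone>[^/\s]+)/IN(?:/[^:\s]+)?: transferred serial (?P<serial>\d+)")

SAMPLE_LOG = """\
Jan 6 11:40:00 why named[19753]: client 192.168.0.203#42148: received notify for zone 'whysdomain.com'
Jan 6 11:40:00 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.203#53: connected using 192.168.0.130#34565
Jan 6 11:40:00 why named[19753]: zone whysdomain.com/IN: transferred serial 2017030102
Jan 6 11:41:10 why named[19753]: client 192.168.0.99#51233: received notify for zone 'whysdomain.com'
Jan 6 11:42:00 why named[19753]: transfer of 'whysdomain.com/IN' from 192.168.0.99#53: connected using 192.168.0.130#34601
Jan 6 11:42:00 why named[19753]: zone whysdomain.com/IN: transferred serial 2017030101
"""


def audit(lines: Iterable[str], expected: Dict[str, Set[str]] = EXPECTED_MASTERS) -> List[str]:
    """Flag NOTIFYs and transfers involving hosts other than the zone's master,
    and transferred serials that do not increase (a zone being rolled back)."""
    findings: List[str] = []
    last_serial: Dict[str, int] = {}
    for line in lines:
        m = NOTIFY_RE.search(line)
        if m:
            if m["ip"] not in expected.get(m["zone"], set()):
                findings.append(f"NOTIFY for {m['zone']} from unexpected host {m['ip']}")
            continue
        m = XFER_RE.search(line)
        if m:
            if m["ip"] not in expected.get(m["zone"], set()):
                findings.append(f"{m['zone']} transferred from unexpected master {m['ip']}")
            continue
        m = SERIAL_RE.search(line)
        if m:
            zone, serial = m["zone"], int(m["serial"])
            prev = last_serial.get(zone)
            # Strictly this is RFC 1982 serial arithmetic; a plain comparison is
            # correct as long as the serials stay far from the 2^32 wrap point.
            if prev is not None and serial <= prev:
                findings.append(f"{zone} serial went from {prev} to {serial}")
            last_serial[zone] = serial
    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper for a whole log file read into a string."""
    return audit(text.splitlines())


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_LOG):
        print(finding)
```

If other hosts are legitimately allowed to send NOTIFY (an allow-notify list, or a slave notifying its own second address as in the view logs further down), add them to EXPECTED_MASTERS for that zone, otherwise every one of their messages becomes a finding.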
Zone file as received by the slave
[root@why etc]# cat /var/named/whysdomain.com.zone
$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
whysdomain.com IN SOA ns1.whysdomain.com. webmaster.whysdomain.com. (
        2017030102 ; serial
        10800 ; refresh (3 hours)
        3600 ; retry (1 hour)
        604800 ; expire (1 week)
        38400 ; minimum (10 hours 40 minutes)
        )
        NS ns1.whysdomain.com.
        NS ns2.whysdomain.com.
$ORIGIN whysdomain.com.
blog    CNAME www
mail    A 192.168.0.203
ns1     A 192.168.0.203
ns2     A 192.168.0.130
        MX 5 mail
www     A 192.168.0.203
$ORIGIN www.whysdomain.com.
a       A 192.168.0.203
b       A 192.168.0.203
The slave writes the transferred data in canonical form, grouped by $ORIGIN. Note where MX 5 mail ended up: under ns2. An MX line with an empty owner field inherits the owner of the record before it, so if it follows the ns2 A record it becomes an MX for ns2.whysdomain.com rather than for the domain, and mail for whysdomain.com has no MX at all. Write the owner explicitly (@ IN MX 5 mail) or keep the apex records together right after the SOA.
DNS views
A view returns different answers depending on where a query comes from. CDN operators rely on it; it is one way to cope with the limited bandwidth and high latency between regions (between the Telecom and Netcom networks, in the Chinese case).
Views are defined in named.conf:
view "internet" {
match-clients { 192.168.0.0/24; };
};
internet is the view name; it is arbitrary but must be unique. This view only handles queries from 192.168.0.0/24. The client list can also be defined separately as an acl:
acl "cnc" { 192.168.0.0/24;192.168.1.0/24; };
view "internet" {
match-clients { "cnc"; };
};
Client sets are defined with acl.
A typical layout:
acl "cnc" { 192.168.0.0/24;192.168.1.0/24; };
view "internet" {
match-clients { "cnc"; };
zone "whysdomain.com" IN {
type master;
file "whysdomain.com.cnc.zone";
};
};
view "external" {
match-clients { any; };
zone "whysdomain.com" IN {
type master;
file "whysdomain.com.any.zone";
};
};
Queries from 192.168.0.0/24 or 192.168.1.0/24 are answered from the internet view, everything else from the external view below it. Views are tried in the order they are written and the first match wins, so the catch-all view must come last. Once views are in use, every zone, the root hints included, has to live inside a view.
Because of the views, a slave only receives the zone data of the view that its own source address matches. For a slave to mirror every view it therefore needs as many addresses as there are views, with transfer-source set inside each view on the slave and the master given in each zone block. An alternative that needs only one address is to match on a TSIG key instead of an address (match-clients { key viewkey; } on the master, one key per view on the slave); TSIG is covered at the end of this page.
Example slave configuration:
acl "cnc" { 192.168.0.0/24;192.168.1.0/24; };
view "internet" {
match-clients { "cnc"; };
transfer-source 192.168.0.130;
zone "whysdomain.com" IN {
type slave;
masters { 192.168.0.203; };
file "whysdomain.com.cnc.zone";
};
};
192.168.0.130 is one of the slave's own addresses; transfers for this view are made from it, so the master sees them arrive from that address and serves the matching view.
Configuring DNS views
Master side
[root@why-3 ~]# cd /var/named
[root@why-3 named]# mkdir dx wt other # directories for the Telecom (dx), Netcom (wt) and catch-all zone files
[root@why-3 named]# chown bind.bind dx wt other
[root@why-3 named]# ll | egrep 'dx|wt|other'
drwxr-xr-x 2 bind bind 4096 Mar 5 23:29 dx
drwxr-xr-x 2 bind bind 4096 Mar 5 23:29 other
drwxr-xr-x 2 bind bind 4096 Mar 5 23:29 wt
[root@why-3 named]# cp /usr/local/named/etc/named.conf /usr/local/named/etc/named.conf.old
[root@why-3 named]# vi /usr/local/named/etc/named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "etAeV9UeBY0NCngcy+Hx2A==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
allow-transfer { 192.168.0.130; };
forwarders { 114.114.114.114;8.8.8.8;8.8.4.4; };
};
include "wt.cfg"; # the included files define acl wt and acl dx
include "dx.cfg";
view "wtzone" {
match-clients { wt;192.168.0.130;!192.168.0.131;!192.168.0.132;}; # acl wt plus the slave's first address; the list is scanned in order and the first match decides, the negations keep the slave's other addresses out of this view
recursion yes;
allow-update {none;};
allow-transfer {192.168.0.130;};
notify yes;
also-notify {192.168.0.130;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type master;
file "wt/whysdomain.com.zone";
};
};
view "dxzone" {
match-clients { dx;!192.168.0.130;192.168.0.131;!192.168.0.132;};
recursion yes;
allow-update {none;};
allow-transfer {192.168.0.131;};
notify yes;
also-notify {192.168.0.131;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type master;
file "dx/whysdomain.com.zone";
};
};
view "otherzone" {
match-clients {any;!192.168.0.130;!192.168.0.131;192.168.0.132;}; # any is listed first and already matches everything, so the entries after it are never consulted; .130 and .131 stay out of this view only because the views above come first
recursion yes;
allow-update {none;};
allow-transfer {192.168.0.132;};
notify yes;
also-notify {192.168.0.132;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type master;
file "other/whysdomain.com.zone";
};
};
Now create the acl include files and the per-view zone files
[root@why-3 named]# vi wt.cfg
[root@why-3 named]# cat wt.cfg
acl wt {192.168.0.201;}; # 192.168.0.201 is the test address for wt
[root@why-3 named]# vi dx.cfg
[root@why-3 named]# cat dx.cfg
acl dx {192.168.0.202;};
[root@why-3 named]# cp whysdomain.com.zone dx/
[root@why-3 named]# cp whysdomain.com.zone wt/
[root@why-3 named]# cp whysdomain.com.zone other/
[root@why-3 named]# vi dx/whysdomain.com.zone
Start from a copy of the original whysdomain.com.zone, change the address it resolves to (192.168.0.210 here; any value works) and raise the serial
[root@why-3 named]# vi wt/whysdomain.com.zone
Change the address to 192.168.0.220 and raise the serial
[root@why-3 named]# vi other/whysdomain.com.zone
Change the address to 192.168.0.230 and raise the serial
[root@why-3 named]# /usr/local/named/sbin/named-checkconf /usr/local/named/etc/named.conf
[root@why-3 named]# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind
The log shows the three views loading
[root@why-3 ~]# tail -f /var/log/messages
Mar 6 00:18:11 why-3 named[28795]: running
Mar 6 00:18:11 why-3 named[28795]: zone whysdomain.com/IN/wtzone: sending notifies (serial 2017030600)
Mar 6 00:18:11 why-3 named[28795]: zone whysdomain.com/IN/dxzone: sending notifies (serial 2017030600)
Mar 6 00:18:11 why-3 named[28795]: zone whysdomain.com/IN/otherzone: sending notifies (serial 2017030600)
Verification
From 192.168.0.201 (the wt address), query 192.168.0.203 for www.whysdomain.com
[root@why-1 ~]# dig www.whysdomain.com @192.168.0.203
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> www.whysdomain.com @192.168.0.203
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50663
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.whysdomain.com. IN A
;; ANSWER SECTION:
www.whysdomain.com. 38400 IN A 192.168.0.220
;; AUTHORITY SECTION:
whysdomain.com. 38400 IN NS ns1.whysdomain.com.
whysdomain.com. 38400 IN NS ns2.whysdomain.com.
;; ADDITIONAL SECTION:
ns1.whysdomain.com. 38400 IN A 192.168.0.203
ns2.whysdomain.com. 38400 IN A 192.168.0.130
;; Query time: 3 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Mon Mar 6 00:27:18 2017
;; MSG SIZE rcvd: 120
From 192.168.0.202 (the dx address), query 192.168.0.203 for www.whysdomain.com
[root@why-2 ~]# dig www.whysdomain.com @192.168.0.203
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.whysdomain.com @192.168.0.203
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41757
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.whysdomain.com. IN A
;; ANSWER SECTION:
www.whysdomain.com. 38400 IN A 192.168.0.210
;; AUTHORITY SECTION:
whysdomain.com. 38400 IN NS ns2.whysdomain.com.
whysdomain.com. 38400 IN NS ns1.whysdomain.com.
;; ADDITIONAL SECTION:
ns1.whysdomain.com. 38400 IN A 192.168.0.203
ns2.whysdomain.com. 38400 IN A 192.168.0.130
;; Query time: 1 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Sun Mar 5 02:12:48 2017
;; MSG SIZE rcvd: 120
From a host that is neither 192.168.0.201 nor 192.168.0.202 (a Windows machine here), query 192.168.0.203
C:\Windows\System32>nslookup www.whysdomain.com 192.168.0.203
Server: UnKnown
Address: 192.168.0.203
Name: www.whysdomain.com
Address: 192.168.0.230
So the wt address is told that www.whysdomain.com is 192.168.0.220, the dx address gets 192.168.0.210, and everyone else gets 192.168.0.230.
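The three answers above follow from two ordering rules: named tries the views in the order they appear in named.conf, and inside a match-clients list the first element that matches decides, whether it is positive or negated. The following added example, not code from the page or from BIND, models those rules in Python over the ACLs and view lists from the master's named.conf, and shows why the negations written after any in the otherzone view never take effect. The ACL names, view names and addresses are taken from the configuration above; the function names and the simplification that nested ACLs are positive-only are this example's own.

```python
"""Which view answers a client: the first view whose match-clients list
accepts the client, and within a list the first matching element decides.

Added example, not code from the page or from BIND. ACLS copies wt.cfg,
dx.cfg and BIND's built-in 'any'; VIEWS copies the three match-clients lists
of the master's named.conf above, in order. Nested ACLs are treated as
positive-only, which is enough for the ACLs used here.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

ACLS: Dict[str, List[str]] = {
    "wt": ["192.168.0.201"],
    "dx": ["192.168.0.202"],
    "any": ["0.0.0.0/0", "::/0"],
}

VIEWS: List[Tuple[str, List[str]]] = [
    ("wtzone",    ["wt", "192.168.0.130", "!192.168.0.131", "!192.168.0.132"]),
    ("dxzone",    ["dx", "!192.168.0.130", "192.168.0.131", "!192.168.0.132"]),
    ("otherzone", ["any", "!192.168.0.130", "!192.168.0.131", "192.168.0.132"]),
]


def _element_matches(addr, element: str) -> bool:
    """One list element: a named ACL, a bare address or a CIDR prefix."""
    if element in ACLS:
        return match_list(addr, ACLS[element]) is True
    return addr in ipaddress.ip_network(element, strict=False)


def match_list(addr, elements: List[str]) -> Optional[bool]:
    """Evaluate an address_match_list as BIND does: scan in order and stop at
    the first element that matches. True = accepted, False = a negated element
    matched (rejected), None = nothing matched. A negation that comes after
    'any' is therefore dead code: 'any' has already matched."""
    for element in elements:
        negated = element.startswith("!")
        if _element_matches(addr, element.lstrip("!")):
            return not negated
    return None


def matches(client: str, elements: List[str]) -> Optional[bool]:
    """match_list() for a client given as a string."""
    return match_list(ipaddress.ip_address(client), elements)


def select_view(client: str, views=VIEWS) -> Optional[str]:
    """Name of the first view that accepts the client; None means named would
    refuse the query because no view matched."""
    addr = ipaddress.ip_address(client)
    for name, clients in views:
        if match_list(addr, clients) is True:
            return name
    return None


if __name__ == "__main__":
    for host in ("192.168.0.201", "192.168.0.202", "192.168.0.130",
                 "192.168.0.131", "192.168.0.132", "10.1.2.3"):
        print(host, "->", select_view(host))
    # The negation after 'any' never runs: .130 still matches this list ...
    print(matches("192.168.0.130", ["any", "!192.168.0.130"]))   # True
    # ... but is rejected once the negation is written first.
    print(matches("192.168.0.130", ["!192.168.0.130", "any"]))   # False
```

Running it prints the view each test host lands in; moving the otherzone entry to the top of VIEWS shows how a catch-all view swallows every client placed below it, which is why it has to stay last.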
Slave side
[root@why ~]# ifconfig eth0:1 192.168.0.131 up # add two more addresses, one per additional view
[root@why ~]# ifconfig eth0:2 192.168.0.132 up
[root@why named]# vi wt.cfg
[root@why named]# vi dx.cfg
[root@why named]# mkdir dx wt other
[root@why named]# chown bind.bind dx wt other
[root@why named]# cp /usr/local/named/etc/named.conf /usr/local/named/etc/named.conf.old
[root@why named]# vi /usr/local/named/etc/named.conf
key "rndc-key" {
algorithm hmac-md5;
secret "58EYGWPzh2qMyN2YmK+6CQ==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
listen-on port 53 { any; };
directory "/var/named";
allow-query { any; };
allow-transfer { none; };
forwarders { 114.114.114.114;8.8.8.8;8.8.4.4; };
};
include "wt.cfg";
include "dx.cfg";
view "wtzone" {
match-clients { wt;192.168.0.130;!192.168.0.131;!192.168.0.132;};
recursion yes;
transfer-source 192.168.0.130;
allow-notify { 192.168.0.130;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type slave;
file "wt/whysdomain.com.zone";
masters {192.168.0.203;};
};
};
view "dxzone" {
match-clients { dx;!192.168.0.130;192.168.0.131;!192.168.0.132;};
recursion yes;
transfer-source 192.168.0.131;
allow-notify { 192.168.0.131;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type slave;
file "dx/whysdomain.com.zone";
masters {192.168.0.203;};
};
};
view "otherzone" {
match-clients { any;!192.168.0.130;!192.168.0.131;192.168.0.132;};
recursion yes;
transfer-source 192.168.0.132;
allow-notify { 192.168.0.132;};
zone "." IN {
type hint;
file "named.root";
};
zone "whysdomain.com" IN {
type slave;
file "other/whysdomain.com.zone";
masters {192.168.0.203;};
};
};
After restarting named on the slave, the transferred zone files appear
[root@why named]# /usr/local/named/sbin/named -c /usr/local/named/etc/named.conf -u bind
[root@why named]# tree .
.
├── 192.168.0.zone
├── dx
│ └── whysdomain.com.zone
├── dx.cfg
├── named.root
├── other
│ └── whysdomain.com.zone
├── whysdomain.com.zone
├── wt
│ └── whysdomain.com.zone
└── wt.cfg
3 directories, 8 files
The log shows the three views being transferred
[root@why ~]# tail -40 /var/log/messages
Mar 6 01:10:35 why named[28170]: running
Mar 6 01:10:35 why named[28170]: zone whysdomain.com/IN/wtzone: Transfer started.
Mar 6 01:10:35 why named[28170]: transfer of 'whysdomain.com/IN/wtzone' from 192.168.0.203#53: connected using 192.168.0.130#43935
Mar 6 01:10:35 why named[28170]: zone whysdomain.com/IN/wtzone: transferred serial 2017030600
Mar 6 01:10:35 why named[28170]: transfer of 'whysdomain.com/IN/wtzone' from 192.168.0.203#53: Transfer completed: 1 messages, 12 records, 294 bytes, 0.002 secs (147000 bytes/sec)
Mar 6 01:10:35 why named[28170]: zone whysdomain.com/IN/wtzone: sending notifies (serial 2017030600)
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/dxzone: Transfer started.
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/otherzone: Transfer started.
Mar 6 01:10:36 why named[28170]: transfer of 'whysdomain.com/IN/dxzone' from 192.168.0.203#53: connected using 192.168.0.131#59344
Mar 6 01:10:36 why named[28170]: transfer of 'whysdomain.com/IN/otherzone' from 192.168.0.203#53: connected using 192.168.0.132#32869
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/otherzone: transferred serial 2017030600
Mar 6 01:10:36 why named[28170]: transfer of 'whysdomain.com/IN/otherzone' from 192.168.0.203#53: Transfer completed: 1 messages, 12 records, 294 bytes, 0.002 secs (147000 bytes/sec)
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/otherzone: sending notifies (serial 2017030600)
Mar 6 01:10:36 why named[28170]: client 192.168.0.130#21468: view wtzone: received notify for zone 'whysdomain.com'
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/wtzone: notify from 192.168.0.130#21468: zone is up to date
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/dxzone: transferred serial 2017030600
Mar 6 01:10:36 why named[28170]: transfer of 'whysdomain.com/IN/dxzone' from 192.168.0.203#53: Transfer completed: 1 messages, 12 records, 294 bytes, 0.005 secs (58800 bytes/sec)
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/dxzone: sending notifies (serial 2017030600)
Mar 6 01:10:36 why named[28170]: client 192.168.0.130#13810: view wtzone: received notify for zone 'whysdomain.com'
Mar 6 01:10:36 why named[28170]: zone whysdomain.com/IN/wtzone: notify from 192.168.0.130#13810: zone is up to date
Verify the slave
[root@why-2 ~]# dig www.whysdomain.com @192.168.0.130
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> www.whysdomain.com @192.168.0.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3575
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;www.whysdomain.com. IN A
;; ANSWER SECTION:
www.whysdomain.com. 38400 IN A 192.168.0.210
;; AUTHORITY SECTION:
whysdomain.com. 38400 IN NS ns1.whysdomain.com.
whysdomain.com. 38400 IN NS ns2.whysdomain.com.
;; ADDITIONAL SECTION:
ns1.whysdomain.com. 38400 IN A 192.168.0.203
ns2.whysdomain.com. 38400 IN A 192.168.0.130
;; Query time: 3 msec
;; SERVER: 192.168.0.130#53(192.168.0.130)
;; WHEN: Mon Mar 6 01:13:53 2017
;; MSG SIZE rcvd: 120
BIND logging
By default named logs through syslog and the messages end up in /var/log/messages. Logging is configured in named.conf with two statements: channel says where messages go (a file, syslog, stderr or null) and category says which kinds of messages go to which channels.
Severity levels: critical, error, warning, notice, info, debug and dynamic
- print-time: prefix each message with a timestamp
- print-severity: include the severity
- print-category: include the category name
- category: sends one kind of message to one or more defined channels; the BIND categories include:
- default: everything not assigned to a category explicitly
- general: all BIND messages that have no category of their own
- client: processing of client requests
- database: messages about BIND's internal database that holds zone data and cache records
- dnssec: processing of DNSSEC-signed responses
- lame-servers: lame delegations found while resolving
- network: network operations
- notify: asynchronous zone change notifications (NOTIFY)
- queries: query logging
- resolver: name resolution, including the recursive lookups made on behalf of resolvers
- security: approved and rejected requests
- update: dynamic update events
- xfer-in: zone transfers into this server from remote name servers
- xfer-out: zone transfers from this server to remote name servers
Add to named.conf:
logging {
channel query_log { # define a channel
file "query.log" versions 3 size 200m; # file, number of rotated copies to keep, size at which to rotate
severity info; # lowest severity written
print-category yes;
print-severity yes;
print-time yes;
};
category queries { # the queries category goes to
query_log; # the channel defined above
default_debug; # and to BIND's built-in default_debug channel (named.run)
};
};
Authenticating master/slave zone transfers with TSIG
[root@why-3 ~]# cd /usr/local/named/etc/
[root@why-3 etc]# /usr/local/named/sbin/dnssec-keygen -a HMAC-MD5 -b 128 -n HOST m203-s130
Km203-s130.+157+23614
[root@why-3 etc]# ll
total 24
-rw------- 1 root root 53 Mar 6 21:10 Km203-s130.+157+23614.key
-rw------- 1 root root 165 Mar 6 21:10 Km203-s130.+157+23614.private
-rw-r--r-- 1 bind bind 2544 Feb 25 18:07 bind.keys
-rw-r--r-- 1 root root 1873 Mar 6 20:51 named.conf
-rw-r--r-- 1 root root 694 Mar 5 23:54 named.conf.old
-rw-r--r-- 1 root root 479 Feb 25 20:54 rndc.conf
Add to the master's named.conf (the secret is the last field of the .key file; HMAC-MD5 matches what this BIND version generated, but current BIND also supports -a HMAC-SHA256 with algorithm hmac-sha256, which should be preferred)
[root@why-3 etc]# cat Km203-s130.+157+23614.key
m203-s130. IN KEY 512 3 157 AQq4dadrKZgRVDdvW9UnhQ==
key "m203-s130" {
algorithm hmac-md5;
secret "AQq4dadrKZgRVDdvW9UnhQ==";
};
server 192.168.0.130 {
keys { m203-s130; };
};
Add to the slave's named.conf (the same key statement, plus):
server 192.168.0.203 {
keys { m203-s130; };
};
Each server statement names the other side's address and the key used to sign requests to it. Once the key is in place, allow-update and allow-transfer no longer need an IP address but only the key: allow-transfer { key m203-s130; };. A request that is not signed with the key is then refused even if it comes from the right address. Since named.conf now holds secrets (the rndc key and the TSIG key), it should not stay world-readable as in the listing above (-rw-r--r--); restrict it to root and the bind user.