<服务>DNS服务器
目录:
DNS服务器的分类
主DNS服务器(Primary DNS Server)
保存着主配置文件和zone配置文件,该域的所有配置修改都在这台服务器上进行。
从DNS服务器(Secondary DNS Server)
保存着zone配置文件,zone配置均为从主DNS服务器抓取而来的。只能通过修改主DNS上的配置进而进行同步。一般做冗余使用,当主DNS服务器宕机或过载时就可以起到备份和分担负载的作用。
缓存DNS服务器(Caching only Server)
通过缓存提供服务,不保存配置文件,一般用于负载均衡和加速访问。
安装主DNS服务器
DNS服务器需要的软件包
- bind:程序和相关文件
- bind-utils:提供dns测试工具,nslookup,dig等
- bind-chroot:提供伪装根目录/var/named/chroot
[root@why-1 ~]# yum install -y bind bind-chroot bind-utils
主配置文件
[root@why-1 ~]# vi /etc/named.conf
options {
directory "/var/named"; # zone file directory; relative "file" paths below are resolved here
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # answer queries from every host
allow-query-cache { any; }; # let every host read answers from the cache
# NOTE(review): recursion yes together with allow-query/allow-query-cache any, no
# allow-recursion restriction and (per the later steps) no listen-on limit makes this
# an open recursive resolver for anyone who can reach port 53 — a classic DNS
# reflection/amplification vector. For a server that only needs to be authoritative
# for why.cn use "recursion no;", otherwise restrict recursion:
#   allow-recursion { 127.0.0.1; <TRUSTED-NETWORK/CIDR>; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging { # debug output channel only; this does not record client queries (that needs a "queries" category)
channel default_debug {
file "data/named.run"; # relative to directory above, i.e. /var/named/data/named.run
severity dynamic; # follows the server's current debug level (set at runtime, e.g. rndc trace)
};
};
zone "." IN { # root hints used for recursion
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";# pulls in the zone declarations edited next
include "/etc/named.root.key";
添加扩展文件(这些zone声明也可以直接写在主配置文件中)
[root@why-1 ~]# vi /etc/named.rfc1912.zones
zone "why.cn" IN {#正向声明
type master;
file "why.cn.zone";
};
zone "241.163.10.in-addr.arpa" IN {#反向声明
type master;
file "10.163.241.rev";
};
in-addr.arpa标记为反向域, master代表主域
这个241.163.10是把IP地址的前三段反着写。对照下面我的IP(10.163.241.39)可以看出, file中的文件名则是按正常顺序。
编辑扩展文件zone
正向解析
[root@why-1 named]# cp named.localhost why.cn.zone
[root@why-1 named]# pwd
/var/named
[root@why-1 named]# vi why.cn.zone
$TTL 1D ; default TTL applied to every record below that has none of its own
; SOA: "@" is the zone origin (why.cn.), so the zone's primary master name is why.cn. itself.
; rname.invalid. is the placeholder contact copied from named.localhost — replace it with a
; real mailbox written with a dot in place of "@" (e.g. hostmaster.why.cn.).
@ IN SOA @ rname.invalid. (
0 ; serial — secondaries compare this to decide whether to re-transfer the zone; increase it on every edit
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
; The next four records carry no owner name, so they must start with whitespace to inherit "@".
; NOTE(review): NS @ names the origin itself as the nameserver, and the only addresses given
; for "@" are loopback — referrals therefore advertise 127.0.0.1/::1 (visible in the ADDITIONAL
; section of the dig -t a output later on this page). Add a host record with the server's real
; address, e.g. "ns IN A 10.163.241.39", and change the NS record to "NS ns"; the reverse zone
; on this page already uses ns.why.cn. as its NS but no "ns" record exists here.
	NS @
	A 127.0.0.1
	AAAA ::1
	IN MX 10 mail.why.cn.
www IN A 10.163.241.39
mail IN A 10.163.241.39
注意域名要在最后加上那个'.'
反向解析
[root@why-1 named]# cp named.localhost 10.163.241.rev
[root@why-1 named]# vi 10.163.241.rev
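$TTL 1D ; default TTL for records without one of their own
; Reverse zone for 10.163.241.0/24 (origin 241.163.10.in-addr.arpa.); owner names are the last octet.
@ IN SOA @ rname.invalid. ( ; rname.invalid. is the placeholder contact from named.localhost — replace it
12 ; serial — increase on every edit so the secondary re-transfers
28800 ; refresh
14400 ; retry
3600000 ; expire
86400 ) ; minimum (negative-caching TTL)
@ IN NS ns.why.cn. ; NOTE(review): ns.why.cn. must also exist as an A record in the forward zone; the forward zone on this page has none
; "39" is the last octet of www's address 10.163.241.39. A reverse mapping is a PTR record, not A:
; "39 IN A www.why.cn." is not a valid address record and would not load, and the dig -x answer
; shown later on this page returns a PTR for this name.
39 IN PTR www.why.cn.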
这个39是why-1主机IP地址(10.163.241.39)的最后一段
确保配置文件有读的权限(下面的ll显示新建的zone文件是root:root且权限640, named进程读不到; chmod +r *会把目录下所有文件都变成任何人可读, 更符合最小权限的做法是把属组改为named并保持640)
[root@why-1 named]# ll
total 40
-rw-r----- 1 root root 181 Nov 9 22:41 241.163.10.zone
drwxr-x--- 6 root named 4096 Nov 9 10:34 chroot
drwxrwx--- 2 named named 4096 Nov 2 23:53 data
drwxrwx--- 2 named named 4096 Nov 2 23:53 dynamic
-rw-r----- 1 root named 3171 Jan 11 2016 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 2 23:53 slaves
-rw-r----- 1 root root 222 Nov 9 22:23 why.cn.zone
[root@why-1 named]# chmod +r *
[root@why-1 named]# ll
total 36
drwxr-xr-- 6 root named 4096 Nov 9 10:34 chroot
drwxrwxr-- 2 named named 4096 Nov 9 23:49 data
drwxrwxr-- 2 named named 4096 Nov 9 23:50 dynamic
-rw-r--r-- 1 root named 3171 Jan 11 2016 named.ca
-rw-r--r-- 1 root named 152 Dec 15 2009 named.empty
-rw-r--r-- 1 root named 152 Jun 21 2007 named.localhost
-rw-r--r-- 1 root named 168 Dec 15 2009 named.loopback
drwxrwxr-- 2 named named 4096 Nov 2 23:53 slaves
-rw-r--r-- 1 root root 222 Nov 9 22:23 why.cn.zone
检查主配置文件是否有错误
[root@why-1 named]# named-checkconf
/etc/named.conf
检查 zone配置文件是否有错误
[root@why-1 named]# named-checkzone why.cn /var/named/why.cn.zone
zone why.cn/IN: loaded serial 0
OK
格式为
named-checkzone [-djqvD] [-c class] [-f inputformat] [-F outputformat] [-t directory] [-w directory] [-k (ignore|warn|fail)] [-n (ignore|warn|fail)] [-m (ignore|warn|fail)] [-r (ignore|warn|fail)] [-i (full|full-sibling|local|local-sibling|none)] [-M (ignore|warn|fail)] [-S (ignore|warn|fail)] [-W (ignore|warn)] [-o filename] zonename filename
设置DNS服务器为本机
[root@why-1 named]# vi /etc/resolv.conf
# 1s timeout, a single attempt per server, and rotate through the listed servers
options timeout:1 attempts:1 rotate
# presumably the previous upstream resolvers; left disabled
#nameserver 10.202.72.118
#nameserver 10.202.72.116
# resolve only through the local named: if named is down or a zone fails to load, this host has no working DNS
nameserver 127.0.0.1
重启DNS服务
[root@why-1 named]# service named restart Stopping named: [ OK ] Starting named: [ OK ]
验证服务(注意: 下面前两次对www.why.cn的正向查询status为SERVFAIL、ANSWER为0, 即服务器未能应答, 只有反向查询成功; 正向解析直到本文后面的验证才正常返回)
[root@why-1 named]# dig www.why.cn
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> www.why.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56656
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.why.cn. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 9 23:50:41 2016
;; MSG SIZE rcvd: 28
[root@why-2 ~]# dig www.why.cn
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> www.why.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10400
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.why.cn. IN A
;; Query time: 0 msec
;; SERVER: 10.163.241.39#53(10.163.241.39)
;; WHEN: Wed Nov 9 23:55:23 2016
;; MSG SIZE rcvd: 28
[root@why-2 ~]# dig -x 10.163.241.39
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 10.163.241.39
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18358
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;39.241.163.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
39.241.163.10.in-addr.arpa. 86400 IN PTR www.why.cn.
;; AUTHORITY SECTION:
241.163.10.in-addr.arpa. 86400 IN NS ns.why.cn.
;; Query time: 0 msec
;; SERVER: 10.163.241.39#53(10.163.241.39)
;; WHEN: Thu Nov 10 00:21:08 2016
;; MSG SIZE rcvd: 85
[root@why-2 ~]# ssh www.why.cn
The authenticity of host 'www.why.cn (10.163.241.39)' can't be established.
RSA key fingerprint is 60:d5:5c:34:b7:ef:5f:0a:bc:bf:7b:7c:29:81:42:16.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'www.why.cn' (RSA) to the list of known hosts.
Last login: Thu Nov 10 09:44:25 2016 from 223.223.188.66
Welcome to aliyun Elastic Compute Service!
[root@why-1 ~]#
配置从DNS服务器
确保SElinux和防火墙没有开启
[root@why-1 ~]# getenforce
Disabled
需要开放主DNS服务器上的53端口和953端口(53端口(TCP/UDP)用于查询和主从之间的区域传送; 953是rndc控制端口, 只应对需要远程执行rndc的主机开放, 从服务器并不需要它)
因为是云主机,就不设置了。(注意下面的iptables -F是清空全部规则, 而不是只放行53端口; 之后主机只剩云平台安全组等外层防护)
[root@why-1 ~]# iptables -F
[root@why-1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
配置
在Master和Slave机器上
去除 options {}中的'listen-on port 53' 和 'listen-on-v6 port 53' 两项(去掉之后named默认监听本机全部IPv4地址, 而不只是原先列出的地址; 更稳妥的写法是显式列出需要监听的地址, 而不是整项删除)
[root@why-1 ~]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
在Slave机器上
只需要配置一下/etc/named.rfc1912.zones
zone "why.cn" IN {
type slave;
masters { 10.163.241.39; };
file "slaves/why.cn.zone";
};
zone "241.163.10.in-addr.arpa" IN {
type slave;
masters { 10.163.241.39; };
file "slaves/10.163.241.rev";
};
注意masters中填写的是主DNS服务器的IP地址并以';'结尾,前后都有空格; file是zone文件保存的位置,一般都在以/var/named/为根目录的slaves目录下,如果指定其他目录,需要给那个目录named:named的属主和770权限。
把DNS服务器指向本机
[root@why-2 ~]# vi /etc/resolv.conf
nameserver 127.0.0.1
看一下现在的slaves目录下是没有文件的
[root@why-2 ~]# ll /var/named/slaves/
total 0
重启named服务
[root@why-2 ~]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@why-2 ~]# ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 354 Nov 10 16:01 10.163.241.rev
-rw-r--r-- 1 named named 357 Nov 10 16:01 why.cn.zone
验证
修改why-1的/etc/resolv.conf,把DNS指向why-2的IP地址,然后重启network
[root@why-1 ~]# vi /etc/resolv.conf
[root@why-1 ~]# service network restart
[root@why-2 slaves]# dig -t a www.why.cn
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t a www.why.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55046
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;www.why.cn. IN A
;; ANSWER SECTION:
www.why.cn. 86400 IN A 10.163.241.39
;; AUTHORITY SECTION:
why.cn. 86400 IN NS why.cn.
;; ADDITIONAL SECTION:
why.cn. 86400 IN A 127.0.0.1
why.cn. 86400 IN AAAA ::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 10 16:17:55 2016
;; MSG SIZE rcvd: 102
[root@why-2 slaves]# dig -t mx www.why.cn
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.3 <<>> -t mx www.why.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14900
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.why.cn. IN MX
;; AUTHORITY SECTION:
why.cn. 10800 IN SOA why.cn. rname.invalid. 0 86400 3600 604800 10800
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Nov 10 16:18:11 2016
;; MSG SIZE rcvd: 77
[root@why-2 slaves]# ssh www.why.cn
Last login: Thu Nov 10 15:23:24 2016 from 223.223.188.66
Welcome to aliyun Elastic Compute Service!
[root@why-1 ~]#
这样一个从DNS服务器就配置成功了。
缓存服务器
缓存服务器只需要修改主配置文件即可
[root@why-2 ~]# vi /etc/named.conf
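options {
directory "/var/named";
forwarders { 218.30.19.40; };# upstream resolver that receives every forwarded query
allow-query {any; };# answer queries from every client
# NOTE(review): with allow-query any and no listen-on limit this is an open forwarder for
# anyone who can reach port 53 — restrict it to the clients it is meant to serve, e.g.
#   allow-query { localhost; <TRUSTED-NETWORK/CIDR>; };
forward only;# no resolution of its own: every query goes to the forwarders list (was "forwarders only;", which named.conf does not accept — the directive is "forward")
};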