Tags: dns
DNS Introduction
DNS (Domain Name System) is the system that resolves the mapping between domain names and IP addresses.
DNS has several different record types:
A record: Address record, maps a domain name or host name to an IPv4 address.
NS record: Name Server record, specifies which DNS servers are authoritative for the domain.
MX record: Mail Exchanger record, names the mail server for a domain; a sender resolves the part after the @ and delivers the mail to the server listed there.
CNAME record: Canonical Name, an alias record that maps one name to another name, so several names can point at the same host.
TXT record: free-form text attached to a name; originally a description of the host or domain, today mostly used for SPF, DKIM and DMARC policies and for domain-ownership verification.
Three commands for looking at DNS: dig, nslookup and host.
dig shows the full resolution process (header flags, answer, authority and additional sections) and is the most useful for debugging; host gives a short summary of the records for a name. Both ask the resolver configured in /etc/resolv.conf, so to see what a particular server really returns, unaffected by any cache in between, query it directly: dig @192.168.1.10 t.test.com or host t.test.com 192.168.1.10.
DNS uses UDP on port 53 by default. In practice a client sends the query over UDP first; when an answer does not fit in the UDP payload the server sets the TC (truncated) flag and the client repeats the same query over TCP port 53. Zone transfers between master and slave (AXFR/IXFR) also run over TCP. Therefore, when deploying DNS, allow both UDP and TCP on port 53 through the network and any firewalls.
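To make the UDP-first, TCP-on-truncation rule concrete, here is an added example in Python; it is not code from the original post. It builds a DNS query by hand, parses the reply header and answer section, and repeats the query over TCP when the TC flag is set. The two reply messages embedded in it are constructed for t.test.com so the parsing can be exercised offline, and the server address used with resolve() is an assumption.

```python
import socket
import struct

# Added example, not from the original post: a DNS query built by hand. It
# shows the UDP-first/TCP-on-truncation rule from the text: a UDP reply with
# the TC flag set must be repeated over TCP, where every message carries a
# 2-byte big-endian length prefix (RFC 1035, section 4.2.2).

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16}
FLAG_TC = 0x0200  # truncated: the answer did not fit in the UDP payload


def encode_name(name):
    """Wire form of a name: length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """12-byte header (RD=1, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                  # compression pointer (0xC0xx)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(data):
    """Header flags plus any A answers; the caller decides what to do about TC."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return {"id": txid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF, "answers": answers}


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection early")
        buf += chunk
    return buf


def resolve(name, server, qtype="A", timeout=3.0):
    """UDP first; repeat over TCP if the reply is truncated (needs a reachable server)."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        data, _ = udp.recvfrom(4096)
    if parse_response(data)["truncated"]:
        with socket.create_connection((server, 53), timeout=timeout) as tcp:
            tcp.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", recv_exact(tcp, 2))[0]
            data = recv_exact(tcp, length)
    return parse_response(data)


# Constructed replies for t.test.com (id 0x1234), not captured from a server:
# a truncated UDP reply with no answer, and the full reply as sent over TCP.
_QUESTION = encode_name("t.test.com") + struct.pack("!HH", 1, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
FULL_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _QUESTION
              + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("1.2.3.4"))
```

With the master from this post reachable, resolve("t.test.com", "192.168.1.10") returns the 1.2.3.4 answer (that address is assumed). If the firewall only passes UDP 53, the TCP retry in resolve() is exactly the step that hangs, which is the failure the text warns about.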
DNS installation and deployment
Configuration guide and parameter reference: http://www.zytrax.com/books/dns/ch7/hkpng.html
Configure the master DNS
Install the required packages:
# yum install -y bind-utils bind bind-devel bind-chroot
First generate an rndc configuration file and an rndc key with the rndc-confgen tool:
# /sbin/rndc-confgen -r /dev/urandom > /etc/rndc.conf
# cat /etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "zIGnSUO1Y8iBkw0jyJzGxA=="; # the secret must be identical in every file that references the key
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "zIGnSUO1Y8iBkw0jyJzGxA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
The secret shown above is the one generated on the author's machine; never copy it, generate your own. Anyone holding the secret who can reach the control port can reload, flush or stop the server, so keep rndc.conf and rndc.key readable only by root and named (owner root:named, mode 640). hmac-md5 is what this version of rndc-confgen emits; newer BIND releases accept -A hmac-sha256 (check rndc-confgen -h) and default to hmac-sha256, so prefer that where available.
Configure the rndc.key file:
cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "zIGnSUO1Y8iBkw0jyJzGxA==";
};
Open the configuration file /etc/named.conf and modify the configuration as follows:
options {
listen-on port 53 { any; }; # port and addresses to listen on; "any" binds every interface
directory "/var/named"; # working directory; relative file names in zone statements are resolved against it
dump-file "/var/named/data/cache_dump.db"; # cache dump written by rndc dumpdb; defaults to the directory above when unset
statistics-file "/var/named/data/named_stats.txt"; # resolution statistics written by rndc stats, useful for monitoring
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; # hosts allowed to query this server: addresses, networks or named ACLs (not host names)
recursion yes; # enable recursive queries. Together with allow-query { any; } and no allow-recursion this is an open resolver that anyone on the Internet can use for cache-poisoning attempts and DNS amplification; add allow-recursion { localhost; 192.168.1.0/24; }; with your internal networks, or set recursion no on a purely authoritative server
pid-file "/var/named/chroot/var/run/named/named.pid";
forwarders { # upstream servers used when this server holds no record for a name
114.114.114.114;
8.8.8.8;
};
};
key "rndc-key" { # key used to authenticate rndc commands
algorithm hmac-md5;
secret "zIGnSUO1Y8iBkw0jyJzGxA=="; # must match the key generated by rndc-confgen above
};
controls {
inet 127.0.0.1 port 953
allow {127.0.0.1; } keys {"rndc-key"; };
};
logging { # log channels and the levels they record
channel warning { # warning log: file path, number of rotated files kept and size of each
file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns { # query log: keep 10 files of at most 100m each
file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { # everything else goes to the warning channel
warning;
};
category queries { # query logging goes to the query channel
general_dns;
};
};
include "/var/named/chroot/etc/view.conf"; # additional configuration files pulled in here
Check the syntax with named-checkconf /etc/named.conf before starting (the misspelling "serverity" in the query channel is the kind of error it catches). Next configure the view file referenced from the main configuration:
cat /var/named/chroot/etc/view.conf
view "View" { # view name
zone "test.com" { # zone name
type master; # this server is the master for the zone
file "test.com.zone"; # zone file, relative to the directory option
allow-transfer { # hosts allowed to pull the zone (AXFR/IXFR): only the slave. In this BIND version the default allows transfers from anywhere, which hands an attacker the complete host list
192.168.1.11;
};
notify yes; # send NOTIFY to the slaves whenever the zone changes
also-notify {
192.168.1.11;
};
};
};
Configure the zone file:
[root@DNS-Server ~]# cat /var/named/chroot/etc/test.com.zone
$ORIGIN .                 ; origin for the names below; "." means the names that follow are absolute
$TTL 3600                 ; 1 hour, default TTL for records that carry none of their own
test.com  IN SOA op.test.com. dns.test.com. (
          2000            ; serial-number: must increase on every change, slaves only transfer when it is higher than theirs
          900             ; refresh (15 minutes)
          600             ; retry (10 minutes)
          86400           ; expire (1 day)
          3600            ; minimum (1 hour), used as the negative-caching TTL
          )
          NS op.test.com. ; NS record
$ORIGIN test.com.
shanks    A 1.2.3.4
op        A 1.2.3.4
t         A 1.2.3.4
Comments in a zone file start with ";", not "#". Note also that the file is shown under /var/named/chroot/etc/ while the directory option above is /var/named and the zone statement names it as the relative "test.com.zone", so named will look for it in the directory option's path: put the file where directory points, or give an absolute path in the file statement. Validate it with named-checkzone test.com <path to test.com.zone> before starting.
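Before starting named it is worth auditing the policy in the files above, not just their syntax. The following is an added Python example, not code from the original post or from BIND: a small regex-based audit that flags the exposures mentioned in the comments above, that is open recursion (the allow-recursion fallback order it uses is BIND's own: allow-recursion, then allow-query-cache, then allow-query), zones without an allow-transfer restriction, an HMAC-MD5 rndc key, and a control channel bound to every address. The named.conf excerpt embedded in it is a trimmed copy of the configuration above; the hardened variant beside it is my own, and the 192.168.1.0/24 internal network in it is an assumption.

```python
import re

# Added example, not from the original post: a regex-based policy audit for a
# named.conf. Syntax is named-checkconf's job; this only asks "who can use it?".

# Trimmed copy of the configuration shown above (constructed sample input).
SAMPLE_NAMED_CONF = r"""
options {
    listen-on port 53 { any; };   # every interface
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    forwarders { 114.114.114.114; 8.8.8.8; };
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "zIGnSUO1Y8iBkw0jyJzGxA==";
};
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
};
view "View" {
    zone "test.com" {
        type master;
        file "test.com.zone";
        allow-transfer {
            192.168.1.11;
        };
        notify yes;
    };
};
"""

# Hardened variant (my own; assumes 192.168.1.0/24 is the internal network).
HARDENED_NAMED_CONF = r"""
options {
    listen-on port 53 { 192.168.1.10; 127.0.0.1; };
    directory "/var/named";
    allow-query { any; };                              // authoritative data is public
    recursion yes;
    allow-recursion { localhost; 192.168.1.0/24; };    // but recursion is not
    allow-transfer { none; };                          // default for every zone
};
key "rndc-key" { algorithm hmac-sha256; secret "REPLACE-WITH-OUTPUT-OF-rndc-confgen"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
zone "test.com" { type master; file "test.com.zone"; allow-transfer { 192.168.1.11; }; };
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def find_blocks(text, header_re):
    """Yield (match, body) for every `header {` with a brace-balanced body."""
    for m in re.finditer(header_re + r"\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m, text[m.end():i - 1]


def acl(body, stmt):
    """Entries of `stmt { a; b; };` inside body, or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(stmt), body)
    if m is None:
        return None
    return [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]


def is_open(entries):
    return entries is not None and any(e in ("any", "0.0.0.0/0") for e in entries)


def recursion_acl(opts):
    """BIND's fallback order when allow-recursion is not set."""
    for stmt in ("allow-recursion", "allow-query-cache", "allow-query"):
        entries = acl(opts, stmt)
        if entries is not None:
            return stmt, entries
    return "default", ["localnets", "localhost"]


def audit(conf):
    text = strip_comments(conf)
    findings = []
    opts = next((body for _, body in find_blocks(text, r"\boptions")), "")
    # recursion defaults to yes; only an explicit "recursion no" turns it off
    if not re.search(r"\brecursion\s+no\b", opts):
        stmt, entries = recursion_acl(opts)
        if is_open(entries):
            findings.append("open recursive resolver: recursion is on and %s is %s" % (stmt, entries))
    global_xfer = acl(opts, "allow-transfer")
    for m, body in find_blocks(text, r'\bzone\s+"([^"]+)"'):
        xfer = acl(body, "allow-transfer")
        if xfer is None:
            xfer = global_xfer
        if xfer is None:
            findings.append("zone %s: no allow-transfer, so anyone may AXFR the whole zone" % m.group(1))
        elif is_open(xfer):
            findings.append("zone %s: allow-transfer is open to any" % m.group(1))
    for m, body in find_blocks(text, r'\bkey\s+"([^"]+)"'):
        if re.search(r"\balgorithm\s+hmac-md5\b", body):
            findings.append("key %s uses hmac-md5; regenerate with hmac-sha256" % m.group(1))
    for m in re.finditer(r"\binet\s+(\S+)", text):
        if m.group(1) in ("*", "any", "0.0.0.0", "::"):
            findings.append("controls channel listens on all addresses (%s)" % m.group(1))
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label + ":", audit(conf) or ["no findings"])
```

Run against the configuration from this post it reports the open resolver and the HMAC-MD5 key; the hardened variant comes back clean. It reads only the text it is given, so when named.conf pulls in other files with include, feed it the concatenation.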
Fix the directory ownership and enable the service at boot:
cd /var && chown -R named.named named
systemctl start named
systemctl enable named
If startup fails with a message that the PID file cannot be read, check the configuration files and directory permissions, and make sure the PIDFile path in the service unit matches the pid-file option in named.conf.
On CentOS 7 the service unit files live under /usr/lib/systemd/system.
After a successful start, check that the ports are listening:
[root@DNS-Server system]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:53         0.0.0.0:*               LISTEN      9972/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      9972/named
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      955/sshd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      9972/named
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      2057/master
tcp6       0      0 :::22                   :::*                    LISTEN      955/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      2057/master
[root@DNS-Server system]# netstat -lnup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 192.168.1.10:53         0.0.0.0:*                           9972/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           9972/named
named is listening on port 53 over both TCP and UDP, and the rndc control port 953 is bound to 127.0.0.1 only, as it should be.
Check that names resolve:
[root@DNS-Server system]# dig @127.0.0.1 t.test.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @127.0.0.1 t.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38617
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;t.test.com.                    IN      A

;; ANSWER SECTION:
t.test.com.             3600    IN      A       1.2.3.4

;; AUTHORITY SECTION:
test.com.               3600    IN      NS      OP.test.com.

;; ADDITIONAL SECTION:
OP.test.com.            3600    IN      A       1.2.3.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 15:29:47 CST 2016
;; MSG SIZE  rcvd: 88
The aa flag shows the answer came from the server's own zone data; the ra flag shows recursion is available to the client, which is what the open-resolver note above is about.
Configure the slave DNS
Install BIND on a second machine; master-slave mode keeps the two servers in sync by zone transfer.
After installing, configure named.conf; it mirrors the master's apart from the paths:
# cat /etc/named.conf
options {
listen-on port 53 {any;};
directory "/var/named/chroot/etc/";
pid-file "/var/named/chroot/var/run/named/named.pid";
allow-query { any; };
dump-file "/var/named/chroot/var/log/binddump.db";
statistics-file "/var/named/chroot/var/log/named_stats";
zone-statistics yes;
memstatistics-file "log/mem_stats";
empty-zones-enable no;
forwarders {114.114.114.114;8.8.8.8; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "zIGnSUO1Y8iBkw0jyJzGxA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
channel warning {
file "/var/named/chroot/var/log/dns_warning" versions 10 size 10m;
severity warning;
print-category yes;
print-severity yes;
print-time yes;
};
channel general_dns {
file "/var/named/chroot/var/log/dns_log" versions 10 size 100m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default {
warning;
};
category queries {
general_dns;
};
};
include "/var/named/chroot/etc/view.conf";
The rndc.key and rndc.conf files are also kept identical to the master's. The same open-resolver caveat applies here: recursion defaults to yes, and with allow-query { any; } and no allow-recursion this slave answers recursive queries for anyone who can reach it.
Configure the view file on the slave:
[root@localhost ~]# cat /var/named/chroot/etc/view.conf
view "Slave view" { # view name, free to choose
zone "test.com" { # zone name
type slave; # this server is a slave for the zone
masters {192.168.1.10;}; # IP of the master DNS
file "slave.test.com.zone"; # local copy of the zone; the file name is free to choose
};
};
A slave serves zone transfers too, so add allow-transfer { none; }; (or the addresses of any further slaves) to this zone as well; otherwise anyone can pull the full zone from the slave even though the master restricts it.
Fix the directory ownership and enable the service at boot:
cd /var && chown -R named.named named
systemctl start named
systemctl enable named
Tip: when the service is already running and you change a configuration or zone file, rndc reload re-reads named.conf and the zones without restarting named (rndc reload test.com reloads a single zone). Run named-checkconf, and named-checkzone for edited zone files, first: a reload that hits a syntax error is rejected and the old configuration keeps running.
Once the master and slave have synchronised, the zone file appears in the slave's directory /var/named/chroot/etc:
[root@DNS-Slave ~]# ls -l /var/named/chroot/etc/
total 8
drwxr-x---. 2 named named   6 Sep 28 21:14 named
drwxr-x---. 3 named named  24 Dec  6 15:59 pki
-rw-r--r--. 1 named named 268 Dec  6 20:15 slave.test.com.zone   # file created by the zone transfer
-rw-r--r--. 1 named named 136 Dec  6 18:00 view.conf
The transferred file is stored in BIND's binary raw format (the default masterfile-format for slave zones), so it is not readable with cat; convert it with named-compilezone -f raw -F text -o - test.com /var/named/chroot/etc/slave.test.com.zone, or simply test the slave locally:
[root@DNS-Slave etc]# dig @127.0.0.1 t.test.com

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.4 <<>> @127.0.0.1 t.test.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16200
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;t.test.com.                    IN      A

;; ANSWER SECTION:
t.test.com.             3600    IN      A       1.2.3.4

;; AUTHORITY SECTION:
test.com.               3600    IN      NS      OP.test.com.

;; ADDITIONAL SECTION:
OP.test.com.            3600    IN      A       1.2.3.4

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 06 20:32:53 CST 2016
;; MSG SIZE  rcvd: 88
The aa flag shows the slave is answering from its own copy of the zone. To confirm the two stay in sync, compare the SOA serial on both: dig +short @192.168.1.10 test.com SOA and dig +short @192.168.1.11 test.com SOA must show the same serial. The slave only transfers when the master's serial is higher than its own, so bump the serial on every change to the master's zone file.
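To tie the zone file and the master/slave synchronisation together, here is an added Python example; it is not code from the original post or from BIND. It parses a zone file in the format shown above, runs the checks a practitioner wants before bumping the serial (an NS at the apex, in-zone NS targets that have an address record, no NS pointing at a CNAME, the SOA MNAME listed as an NS, no CNAME sharing a name with other data, an expire value above refresh plus retry) and computes a date-based YYYYMMDDnn serial that is always greater than the current one. The zone text embedded in it is a constructed copy of test.com.zone from above, with ";" comments.

```python
import datetime

# Added example, not from the original post: parse the zone file shown above,
# run the checks that catch the usual mistakes, and compute the next serial.
# Slaves only transfer when the master's serial is higher than theirs, so a
# forgotten bump is the most common reason a change "does not reach the slave".

# Constructed copy of test.com.zone from above (zone files use ";" for comments).
SAMPLE_ZONE = """\
$ORIGIN .
$TTL 3600 ; 1 hour
test.com  IN SOA op.test.com. dns.test.com. (
          2000       ; serial-number
          900        ; refresh (15 minutes)
          600        ; retry (10 minutes)
          86400      ; expire (1 day)
          3600       ; minimum (1 hour)
          )
          NS op.test.com.
$ORIGIN test.com.
shanks    A 1.2.3.4
op        A 1.2.3.4
t         A 1.2.3.4
"""

TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR"}


def absolute(name, origin):
    """Make a name fully qualified against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def logical_lines(text):
    """Yield token lists, joining ( ... ) continuations; None marks an inherited owner."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]              # drop the comment
        toks = line.split()
        if depth == 0:
            if not toks:
                continue
            buf = [None] if line[:1] in (" ", "\t") else []
        for t in toks:
            if t == "(":
                depth += 1
            elif t == ")":
                depth -= 1
            else:
                buf.append(t)
        if depth == 0:
            yield buf


def parse_zone(text):
    """Return (soa dict, [(owner, ttl, type, rdata)]) for a BIND master file."""
    origin, default_ttl, owner, soa, records = ".", None, None, None, []
    for toks in logical_lines(text):
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if toks[0] == "$TTL":
            default_ttl = int(toks[1])
            continue
        if toks[0] is None:
            toks = toks[1:]                        # leading blank: same owner as the previous record
        else:
            owner, toks = absolute(toks[0], origin), toks[1:]
        ttl = default_ttl
        while toks[0] not in TYPES:                # optional TTL and class before the type
            if toks[0].isdigit():
                ttl = int(toks[0])
            elif toks[0].upper() != "IN":
                raise ValueError("unexpected token %r" % toks[0])
            toks = toks[1:]
        rtype, rdata = toks[0], toks[1:]
        if rtype == "SOA":
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            values = [absolute(rdata[0], origin), absolute(rdata[1], origin)] + [int(x) for x in rdata[2:7]]
            soa = dict(zip(keys, values))
        elif rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        records.append((owner, ttl, rtype, " ".join(rdata)))
    return soa, records


def check_zone(soa, records):
    """Sanity checks to run before bumping the serial; returns a list of issues."""
    issues = []
    apex = records[0][0]
    addressed = {r[0] for r in records if r[2] in ("A", "AAAA")}
    cnames = {r[0] for r in records if r[2] == "CNAME"}
    ns_targets = [r[3] for r in records if r[0] == apex and r[2] == "NS"]
    if not ns_targets:
        issues.append("no NS record at the apex %s" % apex)
    for ns in ns_targets:
        if ns.endswith("." + apex) and ns not in addressed:
            issues.append("NS %s is in-zone but has no A/AAAA record (missing glue)" % ns)
        if ns in cnames:
            issues.append("NS %s points at a CNAME, which RFC 2181 forbids" % ns)
    if soa["mname"] not in ns_targets:
        issues.append("SOA MNAME %s is not listed as an NS" % soa["mname"])
    for name in cnames:
        if any(r[0] == name and r[2] != "CNAME" for r in records):
            issues.append("%s has a CNAME and other data" % name)
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        issues.append("SOA expire should be well above refresh + retry (RFC 1912)")
    return issues


def next_serial(current, today=None):
    """Date-based serial YYYYMMDDnn that is always strictly greater than current."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    base = int(today) * 100
    return base + 1 if current < base else current + 1
```

For the zone from this post, check_zone() returns no issues and next_serial(2000, "20161206") gives 2016120601; after that the bump continues from whatever is already in the file, so the serial never goes backwards even when the current value is ahead of today's date.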
This article comes from the "Trying" blog; please keep this attribution: http://tryingstuff.blog.51cto.com/4603492/1880144