1,DNS功能
每个IP地址都可以有一个主机名,主机名由一个或多个字符串组成,字符串之间用小数点隔开。有了主机名,就不要死记硬背每台IP设备的IP地址,只要记住相对直观有意义的主机名就行了。这就是DNS协议所要完成的功能。
主机名到IP地址的映射有两种方式:
1)静态映射,每台设备上都配置主机到IP地址的映射,各设备独立维护自己的映射表,而且只供本设备使用;
2)动态映射,建立一套域名解析系统(DNS),只在专门的DNS服务器上配置主机到IP地址的映射,网络上需要使用主机名通信的设备,首先需要到DNS服务器查询主机所对应的IP地址。
通过主机名,最终得到该主机名对应的IP地址的过程叫做域名解析(或主机名解析)。在解析域名时,可以首先采用静态域名解析的方法,如果静态域名解析不成功,再采用动态域名解析的方法。可以将一些常用的域名放入静态域名解析表中,这样可以大大提高域名解析效率。
2,DNS组成:dns由类型,域名,和主机名三部分构成
1).类型:标识此域名的类型,一般常见的有.com,.org, .net , .gov等等
2)域名:域的名称 如baidu ppdai google等等
3)主机名:该域中某台主机的名称,eg:www, ftp, ntp,mail等等
3,DNS的工作原理
以访问www.为例说明(主机为Windows系统)
客户端首先检查本地c:\windows\system32\drivers\etc\host文件,是否有对应的IP地址,若有,则直接访问WEB站点,若无
客户端检查本地缓存信息,若有,则直接访问WEB站点,若无
本地DNS检查缓存信息,若有,将IP地址返回给客户端,客户端可直接访问WEB站点,若无
本地DNS检查区域文件是否有对应的IP,若有,将IP地址返回给客户端,客户端可直接访问WEB站点,若无,
本地DNS根据cache.dns文件中指定的根DNS服务器的IP地址,转向根DNS查询。
根DNS收到查询请求后,查看区域文件记录,若无,则将其管辖范围内.com服务器的IP地址告诉本地DNS服务器
.com服务器收到查询请求后,查看区域文件记录,若无,则将其管辖范围内.xxx服务器的IP地址告诉本地DNS服务器
.xxx服务器收到查询请求后,分析需要解析的域名,若无,则查询失败,若有,返回www.的IP地址给本地服务器
本地DNS服务器将www.的IP地址返回给客户端,客户端通过这个IP地址与WEB站点建立连接
4,DNS客户端
日常使用支持网络的计算机一般都是作为dns客户端使用,应用程序,服务,进程等通过OS底层功能发起对dns服务器查询对指定的域名进行解析。解析以下几种方式来进行:
1). 文件:/etc/hosts , /etc/networks
2). DNS: /etc/resolv.conf
3). NIS:现已被淘汰了
可以通过配置文件/etc/nsswitch.conf控制查询的顺序,hosts: files dns myhostname
5,DNS查询命令:
[root@localhost ~]# host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 115.239.210.27
www.a.shifen.com has address 115.239.211.112
使用nslookup命令进行查询。 nslookup www.baidu.com
[root@localhost ~]# nslookup www.baidu.com
Server: 192.168.1.218
Address: 192.168.1.218#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 115.239.211.112
Name: www.a.shifen.com
Address: 115.239.210.27
[root@localhost ~]# dig www.baidu.com
; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.2 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7129
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 545 IN CNAME www.a.shifen.com.
www.a.shifen.com. 248 IN A 61.135.169.125
www.a.shifen.com. 248 IN A 61.135.169.121
;; AUTHORITY SECTION:
a.shifen.com. 545 IN NS ns3.a.shifen.com.
a.shifen.com. 545 IN NS ns2.a.shifen.com.
a.shifen.com. 545 IN NS ns4.a.shifen.com.
a.shifen.com. 545 IN NS ns5.a.shifen.com.
a.shifen.com. 545 IN NS ns1.a.shifen.com.
;; ADDITIONAL SECTION:
ns1.a.shifen.com. 545 IN A 61.135.165.224
ns5.a.shifen.com. 545 IN A 119.75.222.17
ns2.a.shifen.com. 545 IN A 180.149.133.241
ns4.a.shifen.com. 545 IN A 115.239.210.176
ns3.a.shifen.com. 545 IN A 61.135.162.215
;; Query time: 0 msec
;; SERVER: 172.20.66.112#53(172.20.66.112)
;; WHEN: Fri Mar 30 17:26:26 CST 2018
;; MSG SIZE rcvd: 271
(二)安装配置DNS软件BIND
序号 | IP | 功能 |
---|---|---|
1 | 172.20.66.112 | 主DNS服务器 |
2 | 172.20.66.108 | 从DNS服务器 |
1,安装bind-chroot DNS服务器
[root@localhost ~]# yum install bind-chroot bind-utils -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* epel: ftp.cuhk.edu.hk
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 32:9.9.4-51.el7_4.2 will be installed
备注:
CentOS7不同于6,只需要安装bind-chroot,就会自动安装主程序包bind和库bind-libs。同时安装bind-utils(包含host和dig程序的包)
CentOS7下安装了bind-chroot之后,若要使用named-chroot.service,则需要关闭named.service。两者只能运行一个
2,通过rpm -ql bind-chroot查询所安装的文件[root@localhost ~]# rpm -ql bind-chroot
3,拷贝bind相关文件,准备bind-chroot环境
[root@localhost chroot]# cp -R /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/
[root@localhost chroot]# cp -R /usr/share/doc/bind-9.9.4/sample/var/* /var/named/chroot/var/
[root@localhost chroot]# ls /var/named/chroot/etc/
named named.conf named.rfc1912.zones pki
[root@localhost chroot]# ls /var/named/chroot/var/
log named run tmp
备注:由于安装了bind-chroot,BIND会被封装到一个伪根目录内,原先的文件配置文件的路径位置变为:
/var/named/chroot/etc/named.conf ---------BIND服务主配置文件
/var/named/chroot/var/named/ ----------zone文件
直接安装bind配置文件在:
/etc/named.conf -BIND服务主配置文件
/var/named/ -zone文件
4,在bind chroot的目录中创建相关文件
[root@localhost named]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@localhost named]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@localhost named]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@localhost named]# touch /var/named/chroot/var/named/data/named.run
[root@localhost named]# mkdir /var/named/chroot/var/named/dynamic
[root@localhost named]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
5,将bind锁定文件设置为可写。
[root@localhost named]# chmod -R 777 /var/named/chroot/var/named/data/
[root@localhost named]# chmod -R 777 /var/named/chroot/var/named/dynamic/
6,将/etc/named.conf文件拷贝到bind-chroot目录里,并进行编辑最简配置
[root@localhost named]# cp /etc/named.conf /var/named/chroot/etc/named.conf
[root@localhost etc]# vim /var/named/chroot/etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
allow-query { any; };
directory "/var/named";
recursion yes;
};
zone "lqb.com" {
type master;
file "lqb.com.zon";
};
7,创建转发域
[root@localhost named]# vim /var/named/chroot/var/named/lqb.com.zon
$TTL 1D
$ORIGIN lqb.com.
@ IN SOA lqb.com. admin.lqb.com. (
20170526; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum
)
IN NS ns1.lqb.com.
ns1 IN A 192.168.99.99
www IN A 172.20.66.110
ftp IN A 10.128.105.250
8,设置开机启动bind-chroot服务
[root@localhost named]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@localhost named]# systemctl stop named
[root@localhost named]# systemctl disable named
[root@localhost named]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
[root@localhost named]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2018-03-30 17:12:55 CST; 4s ago
Process: 3184 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 3180 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 3185 (named)
CGroup: /system.slice/named-chroot.service
└─3185 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 0.in-addr.arpa/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone lqb.com/IN: loaded serial 20170526
Mar 30 17:12:55 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
Mar 30 17:12:55 localhost.localdomain named[3185]: zone localhost/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arp...rial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: zone localhost.localdomain/IN: loaded serial 0
Mar 30 17:12:55 localhost.localdomain named[3185]: all zones loaded
Mar 30 17:12:55 localhost.localdomain named[3185]: running
Mar 30 17:12:55 localhost.localdomain named[3185]: zone lqb.com/IN: sending notifies (serial 20170526)
Hint: Some lines were ellipsized, use -l to show in full.
(三)在客户端进行测试使用
(1),在客户端修改dns配置文件/etc/resolv.conf
[root@HTD-CATIT ~]# vim /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.20.66.110
(2),通过host,nslookup 和dig 进行测试
[root@HTD-CATIT ~]# ping www.lqb.com
PING www.lqb.com (172.20.66.110) 56(84) bytes of data.
64 bytes from 172.20.66.110: icmp_seq=1 ttl=64 time=7.16 ms
64 bytes from 172.20.66.110: icmp_seq=2 ttl=64 time=0.733 ms
^C
--- www.lqb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1067ms
rtt min/avg/max/mdev = 0.733/3.946/7.160/3.214 ms
[root@HTD-CATIT ~]# nslookup www.lqb.com
Server: 172.20.66.112
Address: 172.20.66.112#53
Name: www.lqb.com
Address: 172.20.66.110
[root@HTD-CATIT ~]# host www.lqb.com
www.lqb.com has address 172.20.66.110
[root@HTD-CATIT ~]# dig www.lqb.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.37.rc1.el6 <<>> www.lqb.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35029
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.lqb.com. IN A
;; ANSWER SECTION:
www.lqb.com. 86400 IN A 172.20.66.110
;; AUTHORITY SECTION:
lqb.com. 86400 IN NS ns1.lqb.com.
;; ADDITIONAL SECTION:
ns1.lqb.com. 86400 IN A 192.168.99.99
;; Query time: 0 msec
;; SERVER: 172.20.66.112#53(172.20.66.112)
;; WHEN: Fri Mar 30 17:22:19 2018
;; MSG SIZE rcvd: 79
备注:
1,测试的大概的步骤如下:
2,完整的named.conf配置文件如下:
[root@localhost named]# cat /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator‘s Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "lqb.com" {
type master;
file "lqb.com.zon";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
3,完整的/var/named/chroot/var/named/lqb.com.zon配置
[root@localhost named]# vim /var/named/chroot/var/named/lqb.com.zon
$TTL 1D
$ORIGIN lqb.com.
@ IN SOA lqb.com. admin.lqb.com. (
20170526; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum
)
IN NS ns1.lqb.com.
ns1 IN A 192.168.99.99
www IN A 172.20.66.110
ftp IN A 10.128.105.250
CentOS7.4下DNS服务器软件BIND安装及相关的配置(一)
原文:http://blog.51cto.com/liqingbiao/2093064