1.查DNS
yum -y install bind-utils bind whois
nslookup www.baidu.com
dig www.baidu.com
host www.baidu.com
rndc reload #重新加载服务
rndc flush #清空缓存
2.实战案例:实现DNS正向主服务器
2.1.实验目的
搭建DNS正向主服务器,实现web服务器基于FQDN的访问
2.2.环境要求
主机ip | 角色 | 备注 |
---|---|---|
10.0.0.8 | DNS服务端 | 为客户端主机提供DNS解析服务 |
10.0.0.100 | web服务器 | 提供web网站 |
10.0.0.18 | DNS客户端 | 客户端主机将DNS指向10.0.0.8 |
2.3.前提准备
#关闭SELinux
getenforce
sestatus
#关闭防火墙
systemctl status firewalld
#时间同步
systemctl status chronyd
2.4.安装软件【rocky8】
yum -y install bind bind-utils
systemctl start named #第一次启动服务
2.5.修改bind 配置文件【rocky8】
vim /etc/named.conf
#注释掉下面两行(named 将监听所有接口并应答任意客户端;若主机可从不可信网络访问,应改用 allow-query 限制为内网网段)
# listen-on port 53 { 127.0.0.1; }
# allow-query { localhost; };
vim /etc/named.rfc1912.zones
#加上下面内容
zone "wang.org" IN {
type master;
file "wang.org.zone";
};
2.6.DNS区域数据库文件【rocky8】
vim /var/named/wang.org.zone
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110216 3H 10M 1D 1W )
NS dns1
dns1 A 10.0.0.8
www A 10.0.0.18
db A 10.0.0.200
cp -p /var/named/named.localhost /var/named/wang.org.zone
#如果没有加-p选项,需要修改所有者或权限。chgrp named wang.org.zone
vim /var/named/wang.org.zone
$TTL 1D
@ IN SOA master admin.wang.org. (
20211102 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
www A 10.0.0.18
db A 10.0.0.200
2.7.修改文件权限【rocky8】
chmod 640 /var/named/wang.org.zone
chgrp named /var/named/wang.org.zone
#chown root.named /var/named/wang.org.zone
ll /var/named/wang.org.zone
2.8.检查配置文件和数据库文件格式,并启动服务【rocky8】
named-checkzone wang.org /var/named/wang.org.zone
rndc reload #不是第一次启动服务
curl www.wang.org
2.9.修改DNS【rocky8】
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.0.0.8
#centos7 以上版本执行下面命令生效
nmcli con reload
nmcli con up eth0
#centos 6 执行下面命令生效
service network restart
#有以下记录,算是成功
cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.0.8
2.10.实现WEB服务【ubuntu100】
yum -y install nginx
echo "www.wang.com --- this page from 10.0.0.18" > /usr/share/nginx/html/index.html
systemctl start nginx
2.11.测试【rocky8】
curl www.wang.org

2.12.在windows物理机上测试
- 将Vmnet8网卡的DNS 设为 10.0.0.206,然后在浏览器内访问域名




3.实战:实现DNS自解析
主机ip | 角色 | 备注 |
---|---|---|
10.0.0.100 | DNS SERVER | 为客户端主机提供DNS解析服务 |
10.0.0.18 | web 网站 | 提供web网站 |
10.0.0.8 | DNS客户端 | 客户端主机将DNS指向10.0.0.100 |
3.1.安装软件ubuntu100
apt install -y bind9 bind9-utils bind9-host
3.2.ubuntu100【新增 zones 记录】
vim /etc/bind/named.conf.default-zones
zone "linux-magedu.com" IN{ # IN 可以省略不写
type master;
file "/etc/bind/db.linux-magedu.com";
};
3.3.ubuntu100【设置具体解析规则】
vim /etc/bind/db.linux-magedu.com
linux-magedu.com. 86400 IN SOA linux-magedu-dns. admin.linux-magedu.com. ( 123 3H 15M 1D 1W )
linux-magedu.com. 86400 IN NS dns1.linux-magedu.com.
dns1.linux-magedu.com. 86400 IN A 10.0.0.100
www.linux-magedu.com. 86400 IN A 10.0.0.18
上述资源记录可以简写为下面的形式
[root@ubuntu ~]# cat /etc/bind/db.linux-magedu.com
$TTL 86400 #定义全局TTL,定义之后具体记录可以省略此字段
@ IN SOA linux-magedu-dns. admin.linux-magedu.com. ( 123 3H 15M 1D 1W )
NS dns1
dns1 A 10.0.0.206
www A 10.0.0.210
#用@表示域名
#dns1.linux-magedu.com. 可以写成 dns1
#因为在 /etc/bind/named.conf.default-zones 中明确指定了该配置文件用来解析的域名是 linux-magedu.com
#www.linux-magedu.com. 可以写成 www
#多条记录中,如果后面记录字段值与前面记录字段值相同,则可以省略
3.4.修改权限,修改属主属组
chmod 640 /etc/bind/db.linux-magedu.com
chgrp bind /etc/bind/db.linux-magedu.com
#chown root.bind /var/named/wang.org.zone
ll /var/named/wang.org.zone
3.5.语法检查
named-checkzone linux-magedu.com /etc/bind/db.linux-magedu.com
3.6.重载生效
rndc reload
3.7.在web服务主机上实现网站【服务端rocky18】
yum -y install nginx
echo "www.linux-magedu.com --- this page from 10.0.0.18" > /usr/share/nginx/html/index.html
systemctl start nginx
3.8.在客户端主机上进行测试【客户端rocky8】
#先修改客户端主机的DNS服务器地址
[19:11:01 root@Rocky8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search 9
nameserver 10.0.0.100
curl www.linux-magedu.com
host www.linux-magedu.com
ping www.linux-magedu.com -c1
[19:15:33 root@Rocky8 ~]# curl www.linux-magedu.com
www.linux-magedu.com --- this page from 10.0.0.18
3.9.在windows物理机上测试
- 将Vmnet8网卡的DNS 设为 10.0.0.206,然后在浏览器内访问域名


4.实战:实现从服务器slave
主机ip | 角色 | 备注 |
---|---|---|
10.0.0.8 | DNS主服务端 | 为客户端主机提供DNS解析服务 |
10.0.0.18 | DNS从服务端 | 为客户端主机提供DNS解析服务 |
10.0.0.100 | web服务器 | 提供web网站 |
10.0.0.7 | DNS客户端 | 客户端主机将DNS指向10.0.0.8 |
4.1.修改bind 配置文件【master】
vim /etc/named.conf
#注释掉下面两行
# listen-on port 53 { 127.0.0.1; }
# allow-query { localhost; };
#加上这段
#只允许从服务器进行区域传输
allow-transfer { 从服务器IP;};
vim /etc/named.rfc1912.zones
zone "wang.org" IN{
type master;
file "wang.org.zone";
};
4.2.DNS区域数据库文件【master】
vim /var/named/wang.org.zone
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110216 3H 10M 1D 1W )
NS dns1
dns1 A 10.0.0.8
www A 10.0.0.18
db A 10.0.0.200
cp -p /var/named/named.localhost /var/named/wang.org.zone
#如果没有加-p选项,需要修改所有者或权限。chgrp named wang.org.zone
vim /var/named/wang.org.zone
$TTL 1D
@ IN SOA master admin.wang.org. (
20211102 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
www A 10.0.0.18
db A 10.0.0.200
4.3.修改文件权限【master】
chmod 640 /var/named/wang.org.zone
chgrp named /var/named/wang.org.zone
#chown root.named /var/named/wang.org.zone
ll /var/named/wang.org.zone
4.4.检查配置文件和数据库文件格式,并启动服务【master】
named-checkzone wang.org /var/named/wang.org.zone
rndc reload #不是第一次启动服务
4.5.修改bind 配置文件【slave】
vim /etc/named.conf
#注释掉下面两行
# listen-on port 53 { 127.0.0.1; }
# allow-query { localhost; };
#加上这段
#不允许其它主机进行区域传输
allow-transfer { none;};
vim /etc/named.rfc1912.zones
zone "wang.org" IN{
type slave;
masters {10.0.0.8;};
file "slaves/wang.org.slave.zone";
};
4.6.启动服务,检查从服务器是否自动同步并生成区域数据库文件【slave】
[20:39:34 root@slave ~]# systemctl enable --now named
[20:39:42 root@slave ~]# ll /var/named/slaves
total 4
-rw-r--r-- 1 named named 273 Nov 2 20:39 wang.org.slave.zone
4.7.启动服务端【server】
yum -y install nginx
echo "www.wang.com --- this page from 10.0.0.18" > /usr/share/nginx/html/index.html
systemctl start nginx
4.8.启动客户端【client】
dig www.wang.org @10.0.0.18
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.0.0.8
DNS2=10.0.0.18
systemctl restart network
ping www.wang.org
dig www.wang.org

rndc stop
ss -ntlp
[21:01:36 root@master ~]# vim /var/named/wang.org.zone
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110220 3H 10M 1D 1W )
NS dns1
NS dns2
dns1 A 10.0.0.8
dns2 A 10.0.0.18
www A 10.0.0.100
db A 10.0.0.200

rndc reload

4.9.拒绝访问53端口
## DNS什么时候使用端口号 53/tcp 和 53/udp
tcp53 用于主从之间同步数据(区域传输),封掉它不影响普通查询
udp53 被封后主从同步也会受影响(NOTIFY 通知和 SOA 序列号查询走 UDP)
ss -ntlu
iptables -A INPUT -p tcp --dport 53 -j REJECT


5.实战:启用缓存
yum -y install nscd
systemctl status nscd
systemctl enable --now nscd
# 启用缓存
nscd -g
6.实战:实现DNS反向解析
vim /etc/named.rfc1912.zones
# 最底下添加
zone "0.0.10.in-addr.arpa" IN {
type master;
file "10.0.0.zone";
};
cd /var/named
vim 10.0.0.zone
$TTL 1D
@ IN SOA ns admin ( 1 1H 10M 3D 3H )
NS ns.wang.org.
100 PTR www.wang.org.
200 PTR www.a.com.
named-checkconf
named-checkzone 0.0.10.in-addr.arpa 10.0.0.zone
dig -t ptr 100.0.0.10.in-addr.arpa
dig -x 10.0.0.100
7.install_dns.sh
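#!/bin/bash
# install_dns.sh - install BIND on this host and serve one master zone.
# Supported distributions: CentOS/Rocky (yum) and Ubuntu (apt). Run as root.
#
# Zone parameters: the zone name, the single host record it publishes and
# that host's address. The NS/master record points at this machine.
DOMAIN=wang.org
HOST=www
HOST_IP=10.0.0.100
readonly DOMAIN HOST HOST_IP
# First address reported by hostname -I; used as the A record of "master".
LOCALHOST=$(hostname -I | awk '{print $1}')
# Provides $ID (distribution id), which selects the package manager and paths.
. /etc/os-release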
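#######################################
# Print an init-style status line: the message, the cursor moved to
# column 60, then a coloured [ OK ] / [FAILED] / [WARNING] tag.
# Arguments:
#   $1 - message to print
#   $2 - status: "success" or 0 -> OK; "failure" or 1 -> FAILED;
#        anything else (including empty/unset) -> WARNING
# Outputs: the formatted line on stdout (ANSI escapes, trailing newline)
# Returns: 0
#######################################
color () {
  local msg=$1
  local status=${2-}
  local -r res_col=60
  # ANSI sequences: move cursor to column, set colour, reset attributes.
  local -r move_to_col=$'\033['"${res_col}"'G'
  local -r setcolor_success=$'\033[1;32m'
  local -r setcolor_failure=$'\033[1;31m'
  local -r setcolor_warning=$'\033[1;33m'
  local -r setcolor_normal=$'\033[0m'

  # printf rather than echo -n: a message beginning with "-" is printed as-is.
  printf '%s%s[' "$msg" "$move_to_col"
  # Quoted comparisons: an empty $2 falls through to WARNING instead of
  # producing a "[: too many arguments" error from test.
  if [[ "$status" == "success" || "$status" == "0" ]]; then
    printf '%s%s' "$setcolor_success" " OK "
  elif [[ "$status" == "failure" || "$status" == "1" ]]; then
    printf '%s%s' "$setcolor_failure" "FAILED"
  else
    printf '%s%s' "$setcolor_warning" "WARNING"
  fi
  printf '%s]\n' "$setcolor_normal"
}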
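#######################################
# Install the BIND server and client utilities for the detected distro.
# Globals:   ID (read; set by sourcing /etc/os-release)
# Arguments: none
# Outputs:   package-manager output
# Returns:   exits 1 on an unsupported distribution
#######################################
install_dns () {
  case "${ID-}" in
    centos|rocky)
      yum install -y bind bind-utils
      ;;
    ubuntu)
      apt update
      apt install -y bind9 bind9-utils bind9-host
      ;;
    *)
      color "不支持此操作系统,退出!" 1
      # A bare 'exit' would inherit color's 0 status; an unsupported OS
      # must fail visibly to the caller.
      exit 1
      ;;
  esac
}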
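#######################################
# Append the master-zone stanza for $DOMAIN to a named zone config file.
# Skips the append when the zone is already declared there, so re-running
# the script does not leave named with a duplicate zone definition.
# Globals:   DOMAIN (read)
# Arguments: $1 - zone config file to append to
#            $2 - zone data file path exactly as it must appear in 'file'
#######################################
_append_zone_stanza () {
  local cfg=$1
  local zonefile=$2
  grep -q -F -- "zone \"$DOMAIN\"" "$cfg" 2>/dev/null && return 0
  # Heredoc body is config-file content and stays at column 0.
  cat >> "$cfg" <<EOF
zone "$DOMAIN" IN {
type master;
file "$zonefile";
};
EOF
}

#######################################
# Write the zone data file: SOA, one NS ("master" -> this host) and the
# single host record $HOST -> $HOST_IP.
# Globals:   HOST, HOST_IP, LOCALHOST (read)
# Arguments: $1 - path of the zone data file to (over)write
#######################################
_write_zone_file () {
  local zonefile=$1
  # \$TTL is escaped so the literal "$TTL" reaches the file.
  cat > "$zonefile" <<EOF
\$TTL 1D
@ IN SOA master admin (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A ${LOCALHOST}
$HOST A $HOST_IP
EOF
}

#######################################
# Register the $DOMAIN zone with BIND and create its zone data file.
# Globals:   ID, DOMAIN, HOST, HOST_IP, LOCALHOST (read)
# Arguments: none
# Outputs:   edits named's main config, appends the zone stanza, writes the
#            zone data file
# Returns:   exits 1 on an unsupported distribution
#######################################
config_dns () {
  case "${ID-}" in
    centos|rocky)
      # Listen on all local interfaces and answer any client.
      # NOTE: this also switches DNSSEC off. Fine for a lab authoritative
      # server; if this host is reachable from untrusted networks, restrict
      # allow-query / allow-recursion to the internal ranges instead of "any".
      sed -i -e '/listen-on/s/127.0.0.1/localhost/' \
        -e '/allow-query/s/localhost/any/' \
        -e 's/dnssec-enable yes/dnssec-enable no/' \
        -e 's/dnssec-validation yes/dnssec-validation no/' /etc/named.conf
      _append_zone_stanza /etc/named.rfc1912.zones "$DOMAIN.zone"
      _write_zone_file "/var/named/$DOMAIN.zone"
      # named reads the file as group 'named'; nobody else needs access.
      chmod 640 "/var/named/$DOMAIN.zone"
      chgrp named "/var/named/$DOMAIN.zone"
      #chown root.named /var/named/$DOMAIN.zone
      ;;
    ubuntu)
      # Same DNSSEC caveat as above.
      sed -i 's/dnssec-validation auto/dnssec-validation no/' /etc/bind/named.conf.options
      _append_zone_stanza /etc/bind/named.conf.default-zones "/etc/bind/$DOMAIN.zone"
      _write_zone_file "/etc/bind/$DOMAIN.zone"
      chgrp bind "/etc/bind/$DOMAIN.zone"
      ;;
    *)
      color "不支持此操作系统,退出!" 1
      # Explicit non-zero status: a bare 'exit' would return color's 0.
      exit 1
      ;;
  esac
}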
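#######################################
# Enable named at boot, (re)start it and report whether it came up.
# Globals:   none
# Arguments: none
# Outputs:   systemctl output plus a coloured status line
# Returns:   exits 1 when named is not active after the restart
#######################################
start_service () {
  systemctl enable named
  systemctl restart named
  # is-active prints the unit state and returns non-zero unless it is
  # active; test the command directly instead of inspecting $? afterwards.
  if systemctl is-active named.service; then
    color "DNS 服务安装成功!" 0
  else
    color "DNS 服务安装失败!" 1
    exit 1
  fi
}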
# Entry point: install packages, write the zone config, then start named.
main () {
  install_dns
  config_dns
  start_service
}
main "$@"
8.实战:子域的实现

主机ip | 角色 | 备注 |
---|---|---|
10.0.0.8 | DNS主服务端 | 为客户端主机提供DNS解析服务 |
10.0.0.18 | DNS从服务端 | 为客户端主机提供DNS解析服务 |
10.0.0.28 | 子域 | 为客户端主机提供DNS解析服务 |
10.0.0.100 | web服务器 | 提供web网站 |
10.0.0.7 | DNS客户端 | 客户端主机将DNS指向10.0.0.8 |
[10:31:28 root@master ~]# vim /var/named/wang.org.zone
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110226 3H 10M 1D 1W )
NS dns1
NS dns2
dns1 A 10.0.0.8
dns2 A 10.0.0.18
www A 10.0.0.100
db A 10.0.0.200
www.sh A 1.1.1.1
[09:55:42 root@centos7 ~]# dig www.sh.wang.org

[10:31:28 root@master ~]# vim /var/named/wang.org.zone
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110226 3H 10M 1D 1W )
NS dns1
NS dns2
bj NS bjdns
dns1 A 10.0.0.8
dns2 A 10.0.0.18
bjdns A 10.0.0.28
www A 10.0.0.100
db A 10.0.0.200
www.sh A 1.1.1.1
[10:33:54 root@Rocky8 ~]# bash install_dns.sh
[10:34:50 root@Rocky8 ~]# dig www.bj.wang.org @127.0.0.1
[10:55:15 root@Rocky8 ~]# vim /var/named/bj.wang.org.zone
$TTL 1D
@ IN SOA master admin (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.28
www A 2.2.2.2
dig www.bj.wang.org

[10:55:15 root@Rocky8 ~]# vim /var/named/bj.wang.org.zone
$TTL 1D
@ IN SOA master admin (
1 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.28
www A 3.3.3.3
# 清除缓存信息,不清除则要等记录的 TTL(1 天)过期后才能看到新结果
[10:56:29 root@master ~]# rndc flush

9.实战:智能DNS的实现

9.1.DNS 服务器的网卡配置
#配置两个IP地址
#eth0:10.0.0.7/24
#eth1: 192.168.10.7/24
[14:52:18 root@centos7 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:cb:3a:dd brd ff:ff:ff:ff:ff:ff
inet 10.0.0.7/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:cb:3a:e7 brd ff:ff:ff:ff:ff:ff
inet 192.168.10.7/24 brd 192.168.10.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fecb:3ae7/64 scope link
valid_lft forever preferred_lft forever
#配置两个IP地址
#eth0:10.0.0.8/24
#eth1: 192.168.10.8/24
[14:59:43 root@master ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:62:cb:f7 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.0.0.8/24 brd 10.0.0.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe62:cbf7/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:0c:29:62:cb:01 brd ff:ff:ff:ff:ff:ff
altname enp11s0
altname ens192
inet 192.168.10.8/24 brd 192.168.10.255 scope global noprefixroute eth1
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fe62:cb01/64 scope link
valid_lft forever preferred_lft forever
9.2.主DNS服务端配置文件实现 view
vim /etc/named.conf
#在文件最前面加下面行
acl test_net {
10.0.0.0/24;
172.16.0.0/24;
};
acl product_net{
192.168.10.0/24;
};
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# 末尾注释掉
// zone "." IN {
// type hint;
// file "named.ca";
// };
#其它略
# 创建view
view test_view {
match-clients {test_net;};
include "/etc/named.rfc1912.zones.test";
};
view product_view {
match-clients {product_net;};
include "/etc/named.rfc1912.zones.product";
};
#include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
9.3.实现区域配置文件
vim /etc/named.rfc1912.zones.product
# 前面添加
zone "wang.org" IN {
type master;
file "wang.org.zone.product";
};
# 末尾添加
zone "." IN {
type hint;
file "named.ca";
};
vim /etc/named.rfc1912.zones.test
# 前面添加
zone "wang.org" IN {
type master;
file "wang.org.zone.test";
};
# 末尾添加
zone "." IN {
type hint;
file "named.ca";
};
chgrp named /etc/named.rfc1912.zones.test
chgrp named /etc/named.rfc1912.zones.product
9.4.创建区域数据库文件
vim /var/named/wang.org.zone.test
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110226 3H 10M 1D 1W )
NS dns1
dns1 A 10.0.0.8
www A 10.0.0.100
vim /var/named/wang.org.zone.product
$TTL 86400
@ IN SOA dns.wang.org. admin.magedu.com. ( 2024110226 3H 10M 1D 1W )
NS dns1
dns1 A 192.168.10.8
www A 10.0.0.100
* A 10.0.0.123
@ A 10.0.0.121
chgrp named /var/named/wang.org.zone.test
chgrp named /var/named/wang.org.zone.product
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
9.5.客户端测试


10.客户端诊断工具,查看IP走向
tcpdump -i eth0 udp port 53 -nn


11.面试题
DNS工作原理
递归和迭代查询的区别
DNS什么时候使用端口号 53/tcp 和 53/udp
tcp53 用于主从之间同步数据(区域传输),封掉它不影响普通查询
udp53 被封后主从同步也会受影响(NOTIFY 通知和 SOA 序列号查询走 UDP)
CDN工作原理
上家公司域名解析是怎么解析的,哪个平台解析的
企业外部用的阿里云的,内部自己搭的DNS软件bind
endl