DNS服务管理
一、概述
概念
Domain Name Service,一套分布式的域名服务系统,即有多个DNS服务器遍布于世界。每个DNS服务器上存放着大量的机器域名和IP地址的映射,并且是动态更新。众多网络客户端程序都使用DNS协议来向DNS服务器查询目标主机的IP地址。
作用
正向解析:将已知的域名解析为IP地址反向解析:将已知的IP地址解析为域名
监听端口
53/udp | 53/TCP
默认运行用户
named
二、 完全限定域名
FQDN(Fully Qualified Domain Name)
组成
主机名.三级域.二级域名.顶级域名.
案例:www.baidu.com.
域类型
| 类型 | 举例 |
|---|---|
| 根域 | . |
| 顶级域 | cn、hk、uk、org、edu、com、mil、gov、net |
| 二级域 | baidu、163、sina、sohu |
三、DNS解析过程
客户端如何解析域名
-
本地DNS缓存
-
本地hosts文件,在DNS服务器诞生之前,所有的主机之间都是通过hosts文件进行的。
-
指向的DNS服务器IP:
递归查询:直接给出解析结果,客户机与本地DNS服务器之间的查询。(所答即所问)迭代查询:没有给出解析结果,本地DNS服务器与根等其他DNS服务器之间的查询。(所答非所问)
四、域名服务器的分类
根据作用
1.根域名服务器:最高层次的域名服务器,也是最重要的域名服务器。所有的根域名服务器都知道所有的顶级域名服务器的域名和IP地址。 2.顶级域名服务器:负责管理该顶级域名注册的二级域名。 3.权限域名服务器:负责一个“区”的域名服务器。 4.本地域名服务器:本地域名服务器不属于域名服务器的层次结构,但是它对域名系统非常重要。当一个主机发出DNS查询请求时,这个查询请求报文就发送给本地域名服务器。
根据应用场景
主服务器(Primary Name server) 为客户端提供域名解析的主要区域,主DNS服务器宕机,会启用从DNS服务器提供服务。辅助服务器(Second Name Server) 主服务器DNS长期无应答,从服务器也会停止提供服务,主从区域治安的同步采用周期性检查+通知的机制,从服务器周期性地检查主服务器上地记录情况,一旦发现修改就会同步,另外主服务器上如果又数据被修改了,会立即通知从服务器更新记录。高速缓存服务器(Cache-only server) 缓存服务器是一种不负责域名数据维护,也不负责域名解析地DNS服务类型。它将用户经常使用到的域名与IP地址解析记录保存在主机本地中,来提升下次解析的效率。
五、DNS服务器部署
使用的bind软件包进行安装实现DNS解析服务!!
安装bind包
[root@localhost ~]# yum install -y bind
核心文件解析
[root@localhost ~]# rpm -ql bind
/etc/named.conf #服务主配置文件
/etc/named.rfc1912.zones #服务主配置的额外配置文件
/var/named #区域文件数据目录
/var/named/named.ca #可信的根域名服务器,不要擅自更改
/var/named/named.empty #区域文件的模版文件
/var/named/named.localhost #区域文件的本地接口模版文件
/var/named/named.loopback #区域文件回环接口的模版文件
/var/named/slaves #从服务器的区域数据存储目录
/var/log/named.log #服务日志文件
命令解析
/usr/sbin/named #主服务运行命令
/usr/sbin/named-checkconf #服务主配置语法检查命令
/usr/sbin/named-checkzone #区域文件配置语法检查命令
/usr/sbin/named-journalprint #打印named程序运行日志
配置文件详解
服务主配置文件
六、配置主服务器单点架构
服务主文件配置
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 192.168.115.128; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
定义区域文件配置
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "jx.com" IN {type master;file "jx.com.zone";allow-update { none; };
};
zone "115.168.192.in-addr.arpa" IN {type master;file "192.168.115.zone";allow-update { none; };
};
正向解析文件配置
[root@localhost named]# cat jx.com.zone
$TTL 3H
@ IN SOA jx.com. root.jx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1.jx.com.
dns1 A 192.168.115.128
www A 192.168.115.129
mail A 192.168.115.130
ftp A 192.168.115.131
ww CNAME www.jx.com.
mail MX 10 mail.jx.com.
反向解析文件配置
[root@localhost named]# cat 192.168.115.zone
$TTL 3H
@ IN SOA jx.com. root.jx.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ NS dns1.jx.com.
128 PTR dns1.jx.com.
129 PTR www.jx.com.
130 PTR mail.jx.com.
131 PTR ftp.jx.com.
启动服务
[root@localhost named]# systemctl start named
解析测试
###配置DNS服务器地址
[root@localhost named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.115.128
###安装nslookup
[root@localhost named]# yum install -y bind-utils
###解析测试
[root@localhost named]# nslookup 192.168.115.128
#####或者
[root@localhost named]# dig www.jx.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.15 <<>> www.jx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10364
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.jx.com. IN A
;; ANSWER SECTION:
www.jx.com. 10800 IN A 192.168.115.129
;; AUTHORITY SECTION:
jx.com. 10800 IN NS dns1.jx.com.
;; ADDITIONAL SECTION:
dns1.jx.com. 10800 IN A 192.168.115.128
;; Query time: 0 msec
;; SERVER: 192.168.115.128#53(192.168.115.128)
;; WHEN: 二 1月 16 12:19:29 CST 2024
;; MSG SIZE rcvd: 90
七、 配置DNS主从架构
主服务配置
服务主文件配置
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 192.168.115.128; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
故障模拟
###关闭master服务器的NDS服务后,使用客户端进行解析,观察解析结果###
[root@localhost named]# systemctl stop named
八、配置DNS智能解析(视图解析或分区域解析)
智能解析(也称为视图解析或分区域解析)允许根据客户端IP地址返回不同的解析结果。以下是配置Bind DNS实现智能解析的详细步骤:
1. 安装Bind软件
# 在CentOS/RHEL上
yum install bind bind-utils -y
# 在Debian/Ubuntu上
apt-get install bind9 bind9utils -y