DNS高速缓存分离解析
DNS高速缓存&分离解析
1. 高速缓存
| 主机 | 角色 | 系统 | IP |
|---|---|---|---|
| client | 客户端 | redhat9.6 | 192.168.72.7 |
| server | 域名解析服务器 | redhat9.6 | 192.168.72.18 |
| cache | 域名解析缓存服务器 | redhat9.6 | 192.168.72.48 |
1.1 配置域名解析器
1、修改主机名
[root@localhost ~]# hostnamectl hostname server
2、修改IP地址
[root@server ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.18/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@server ~]# nmcli c up ens160
3、安装软件
[root@server ~]# dnf install bind -y
4、修改主配置文件
[root@server ~]# vim /etc/named.conf
[root@server ~]# cat /etc/named.conf
options {
    listen-on port 53 { 192.168.72.18; }; //监听的IP,一般写本机IP地址
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; }; //指定允许向本服务器发起查询的主机,实验环境放开为 any
    recursion yes;
    dnssec-validation no; //关闭 DNSSEC 校验
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
4、修改区域配置文件
[root@server ~]# vim /etc/named.rfc1912.zones
[root@server ~]# cat /etc/named.rfc1912.zones
zone "exam.com" IN {type master;file "exam.com.zone";allow-update { none; };
};zone "72.168.192.in-addr.arpa" IN {type master;file "exam.com.arpa.zone";allow-update { none; };
};
5、编写正向解析区域数据文件
# 1. 进入区域数据存放目录
[root@server ~]# cd /var/named
[root@server named]# ls
data example.com.arpa.zone managed-keys.bind named.ca named.localhost slaves
dynamic example.com.zone managed-keys.bind.jnl named.empty named.loopback
# 2. 复制模板文件
[root@server named]# cp -p named.localhost exam.com.zone
# 3. 编辑数据文件
[root@server named]# vim exam.com.zone
[root@server named]# cat exam.com.zone
$TTL 1D
@ IN SOA @ admin.exam.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      ns
ns A 192.168.72.18
www A 192.168.72.8
web CNAME www
6、编写反向区域数据文件
[root@server named]# cp -p named.loopback exam.com.arpa.zone
[root@server named]# vim exam.com.arpa.zone
[root@server named]# cat exam.com.arpa.zone
$TTL 1D
@ IN SOA @ admin.exam.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      ns
ns A 192.168.72.18
8 PTR www.exam.com.
7、启动服务
# 1. 验证配置文件的语法
[root@server named]# named-checkconf -z /etc/named.conf
zone exam.com/IN: loaded serial 0
zone 72.168.192.in-addr.arpa/IN: loaded serial 0
[root@server named]# named-checkzone exam.com /var/named/exam.com.zone
zone exam.com/IN: loaded serial 0
OK
# 2. 启动服务
[root@server named]# systemctl start named
8、防火墙放行服务
[root@server named]# firewall-cmd --permanent --add-service=dns
success
[root@server named]# firewall-cmd --reload
1.2 配置客户端
1、修改主机名
[root@localhost ~]# hostnamectl hostname client
2、修改IP地址
[root@client ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.7/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.48 connection.autoconnect yes
[root@client ~]# nmcli c up ens160
3、安装测试工具
[root@client ~]# dnf install -y bind-utils
4、解析验证
[root@client ~]# dig -t A www.exam.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10461
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c5474d5b3fa7c2c001000000690eab6f453bae94fbcb7f0c (good)
;; QUESTION SECTION:
;www.exam.com. IN A

;; ANSWER SECTION:
www.exam.com. 86400 IN A 192.168.72.8

;; Query time: 1 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Sat Nov 08 10:31:12 CST 2025
;; MSG SIZE rcvd: 85

[root@client ~]# dig -x 192.168.72.8 @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -x 192.168.72.8 @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56749646e7158c8401000000690eab87bde5965ad465847f (good)
;; QUESTION SECTION:
;8.72.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:
8.72.168.192.in-addr.arpa. 86400 IN PTR www.exam.com.

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Sat Nov 08 10:31:37 CST 2025
;; MSG SIZE rcvd: 108
1.3 配置缓存服务器
1、修改主机名
[root@localhost ~]# hostnamectl hostname cache
2、修改IP地址
[root@cache ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.48/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@cache ~]# nmcli c up ens160
3、安装软件
[root@cache ~]# dnf install -y bind
4、修改主配置文件
[root@cache ~]# vim /etc/named.conf
[root@cache ~]# cat /etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    forwarders { 192.168.72.18; }; // 本机无法回答的查询转发给 server
    recursion yes; // 实验环境对 any 开放递归;生产环境应用 allow-recursion 限制为内网网段,避免成为开放递归解析器
    dnssec-validation no;
};
5、启动服务
[root@cache ~]# systemctl start named
6、防火墙放行服务
[root@cache ~]# firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
success
[root@cache ~]# firewall-cmd --reload
success
1.4 修改客户端
1、修改客户端的DNS(若 1.2 中已将 ipv4.dns 设为 192.168.72.48,此步骤可跳过)
[root@client ~]# nmcli c modify ens160 ipv4.dns 192.168.72.48
[root@client ~]# nmcli c up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
2、测试解析
[root@client ~]# dig -t A www.exam.com @192.168.72.48

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54060
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bd9d29d56e81686c01000000690eae4b87d476c70adfd7df (good)
;; QUESTION SECTION:
;www.exam.com. IN A

;; ANSWER SECTION:
www.exam.com. 86400 IN A 192.168.72.8

;; Query time: 13 msec
;; SERVER: 192.168.72.48#53(192.168.72.48)
;; WHEN: Sat Nov 08 10:43:24 CST 2025
;; MSG SIZE rcvd: 85

[root@client ~]# dig -t A www.exam.com @192.168.72.48

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62714
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 220bee834226ff2501000000690eae4ff05f88554a6450a8 (good)
;; QUESTION SECTION:
;www.exam.com. IN A

;; ANSWER SECTION:
www.exam.com. 86396 IN A 192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.48#53(192.168.72.48)
;; WHEN: Sat Nov 08 10:43:28 CST 2025
;; MSG SIZE rcvd: 85
说明:两次应答的 flags 均无 aa,表示缓存服务器不是权威答复;第二次查询 TTL 由 86400 减为 86396、耗时 0 msec,说明答案命中了缓存而未再转发给 server。
2. 分离解析
| 主机名 | 角色 | 系统 | IP |
|---|---|---|---|
| web1 | 外网Web服务器 | redhat9.6 | 172.25.16.102 |
| web2 | 内网Web服务器 | redhat9.6 | 192.168.72.102 |
| ns1 | 分离服务器 | redhat9.6 | 192.168.72.101 172.25.16.101 |
| client1 | 外网客户机 | redhat9.6 | 172.25.16.106 |
| client2 | 内网客户机 | redhat9.6 | 192.168.72.106 |
2.1 环境准备
克隆5台服务器,并根据上表所示设置每台服务器的网络连接类型。web1、client1 的网络类型为仅主机模式;web2 和 client2 为 NAT 模式;ns1 服务器有两块网卡,一块为仅主机模式,一块为 NAT 模式。
2.2 配置外网Web服务器
1、修改主机名
[root@localhost ~]# hostnamectl hostname web1
2、修改IP
[root@localhost ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 172.25.16.102/24 ipv4.dns 172.25.16.101 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
3、安装nginx
[root@web1 ~]# dnf install nginx -y
4、修改首页
[root@web1 ~]# echo "$(hostname) - $(hostname -I)" > /usr/share/nginx/html/index.html
5、启动服务
[root@web1 ~]# systemctl start nginx
6、访问测试
[root@web1 ~]# curl localhost
web1 - 172.25.16.102
7、放行端口
[root@web1 ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web1 ~]# firewall-cmd --reload
success
2.3 配置内网Web服务器
1、修改主机名
[root@localhost ~]# hostnamectl hostname web2
2、修改IP
[root@localhost ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.102/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.101 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
3、安装nginx
[root@web2 ~]# dnf install nginx -y
4、修改首页
[root@web2 ~]# echo "$(hostname) - $(hostname -I)" > /usr/share/nginx/html/index.html
5、启动服务
[root@web2 ~]# systemctl start nginx
6、访问测试
[root@web2 ~]# curl localhost
web2 - 192.168.72.102
7、放行端口
[root@web2 ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web2 ~]# firewall-cmd --reload
success
2.4 配置分离解析服务器
1、修改主机名
[root@localhost ~]# hostnamectl hostname ns1
2、修改外网IP
# 1. 查看连接名称
[root@localhost ~]# nmcli c show
NAME UUID TYPE DEVICE
ens160 102dfc24-9f7b-361b-8d11-405d00c1bfee ethernet ens160
Wired connection 1 0ae80679-343b-38e7-a5da-adc8281548e2 ethernet ens224
lo 42381583-4c98-4e59-ada6-229f46eca8b5 loopback lo
# 2. 修改连接名称,将Wired connection 1修改为ens224
[root@localhost ~]# nmcli c modify Wired\ connection\ 1 connection.id ens224
[root@localhost ~]# nmcli c show
NAME UUID TYPE DEVICE
ens160 102dfc24-9f7b-361b-8d11-405d00c1bfee ethernet ens160
ens224 0ae80679-343b-38e7-a5da-adc8281548e2 ethernet ens224
lo 42381583-4c98-4e59-ada6-229f46eca8b5 loopback lo
# 3. 修改IP地址
[root@localhost ~]# nmcli c m ens224 ipv4.method manual ipv4.addresses 172.25.16.101/24 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens224
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
# 4. 查看网卡信息
[root@localhost ~]# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 172.25.16.101 netmask 255.255.255.0 broadcast 172.25.16.255
        inet6 fe80::2d20:87a9:a9ac:1549 prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:64:da:9f txqueuelen 1000 (Ethernet)
        RX packets 55 bytes 6532 (6.3 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 33 bytes 2958 (2.8 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3、修改内网IP
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.101/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160
4、安装软件
[root@ns1 ~]# dnf install bind -y
5、修改主配置文件
[root@ns1 ~]# vim /etc/named.conf
[root@ns1 ~]# cat /etc/named.conf
options {
    listen-on port 53 { any; }; // 这里修改了,也可写成 { 172.25.16.101; 192.168.72.101; }
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    allow-query { any; }; // 这里修改了
    recursion yes;
    dnssec-validation no; // 这里修改了
    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
6、修改区域配置文件
[root@ns1 ~]# vim /etc/named.rfc1912.zones
[root@ns1 ~]# cat /etc/named.rfc1912.zones
view "LAN" {match-clients { 192.168.72.0/24; };zone "exam.com" IN {type master;file "lan.exam.com.zone";};zone "." IN {type hint;file "named.ca";};
};view "WAN" {match-clients { 172.25.16.0/24; };zone "exam.com" IN {type master;file "wan.exam.com.zone";};zone "." IN {type hint;file "named.ca";};
};
7、编写内网区域数据文件
[root@ns1 ~]# cd /var/named/
[root@ns1 named]# cp -p named.localhost lan.exam.com.zone
[root@ns1 named]# vim lan.exam.com.zone
[root@ns1 named]# cat lan.exam.com.zone
$TTL 1D
@ IN SOA exam.com. admin.exam.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      ns
ns A 192.168.72.101
www A 192.168.72.102
8、编写外网区域数据文件
[root@ns1 named]# cp -p lan.exam.com.zone wan.exam.com.zone
[root@ns1 named]# vim wan.exam.com.zone
[root@ns1 named]# cat wan.exam.com.zone
$TTL 1D
@ IN SOA exam.com. admin.exam.com. (
        0       ; serial
        1D      ; refresh
        1H      ; retry
        1W      ; expire
        3H )    ; minimum
        NS      ns
ns A 172.25.16.101
www A 172.25.16.102
9、启动服务器
[root@ns1 named]# systemctl start named
10、放行服务
[root@ns1 named]# firewall-cmd --permanent --add-service=dns
success
[root@ns1 named]# firewall-cmd --reload
success
2.5 配置外网客户端
1、修改主机名
2、修改IP和DNS
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 172.25.16.106/24 ipv4.gateway 172.25.16.101 ipv4.dns 172.25.16.101 autoconnect yes
[root@localhost ~]# nmcli c up ens160
3、安装工具
[root@localhost ~]# dnf install -y bind-utils
4、验证
[root@localhost ~]# curl www.exam.com
web1 - 172.25.16.102
2.6 配置内网客户端
1、修改主机名
2、修改IP和DNS
[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.106/24 ipv4.gateway 192.168.72.101 ipv4.dns 192.168.72.101 autoconnect yes
[root@localhost ~]# nmcli c up ens160
3、安装工具
[root@localhost ~]# dnf install -y bind-utils
4、验证
[root@localhost ~]# curl www.exam.com
web2 - 192.168.72.102
