DNS Basics
3. Introduction to DNS
The DNS system
DNS (Domain Name System) resolves domain names to IP addresses and, through reverse lookups, IP addresses back to domain names.
DNS is an application-layer protocol carried over UDP or TCP on port 53, so the server must be able to bind that port for both transports. A client normally sends its query over UDP; when the UDP reply is truncated (the TC flag is set, typically because the answer is too large), the client repeats the same query over TCP. Zone transfers between servers always use TCP.
Domains and domain names
- The Internet uses a hierarchical, tree-structured domain name space.
- A domain name consists of several labels separated by dots; each label represents a level in the hierarchy.
- Each label is made of letters, digits and hyphens (a hyphen may not begin or end a label), is at most 63 characters long, and is compared case-insensitively.
- The lowest-level label is written leftmost and the top-level domain rightmost.
- A complete domain name is at most 255 octets in wire form (253 characters as text).
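As an added illustration of the label rules and the UDP-then-TCP behaviour described above (example code written for this page, not part of the original notes or of BIND), the following Python encodes a name into DNS wire format while enforcing the 63-octet label and 255-octet name limits, builds a standard query, and decides from a reply's header whether to retry over TCP. The two replies are constructed inline, not captured from a server; the transaction ID 0x1234 and the address 10.10.10.11 in the complete reply are arbitrary choices.

```python
import struct

MAX_LABEL = 63   # one label: at most 63 octets (RFC 1035 section 2.3.4)
MAX_NAME = 255   # whole name in wire form, root label included

# Header flag bits (RFC 1035 section 4.1.1)
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (<len><label>...<0>), enforcing the size limits.
    Names are case-insensitive, so the name is lower-cased first: two spellings of the
    same name produce identical wire bytes."""
    out = b""
    stripped = name.rstrip(".").lower()
    for label in (stripped.split(".") if stripped else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= MAX_LABEL:
            raise ValueError(f"label {label!r} must be 1..{MAX_LABEL} octets")
        out += bytes([len(raw)]) + raw
    out += b"\x00"                       # the empty root label terminates the name
    if len(out) > MAX_NAME:
        raise ValueError(f"name exceeds {MAX_NAME} octets in wire form")
    return out


def is_valid_name(name: str) -> bool:
    try:
        encode_name(name)
        return True
    except ValueError:
        return False


def build_query(qname: str, qtype: int, txid: int) -> bytes:
    """A standard query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg: bytes) -> dict:
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
            "rd": bool(flags & RD), "ra": bool(flags & RA), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def needs_tcp_retry(reply: bytes, txid: int) -> bool:
    """A resolver falls back to TCP only for a response to its own query (matching ID)
    that carries TC=1; a reply with a foreign ID is ignored as spoofing or noise."""
    h = parse_header(reply)
    return h["qr"] and h["id"] == txid and h["tc"]


def tcp_frame(msg: bytes) -> bytes:
    """Over TCP the same message is prefixed with a two-octet length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


# Constructed sample replies (not captured from a real server): a truncated UDP answer and a
# complete one, both echoing the question of build_query("example.com", 1, 0x1234).
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | TC, 1, 0, 0, 0) + QUESTION
COMPLETE_REPLY = (struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0) + QUESTION
                  + b"\xc0\x0c"                                   # pointer to the question name
                  + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([10, 10, 10, 11]))

if __name__ == "__main__":
    q = build_query("www.Example.COM", 1, 0x1234)
    print("UDP query:", q.hex())
    if needs_tcp_retry(TRUNCATED_REPLY, 0x1234):
        print("TC set, retrying over TCP:", tcp_frame(q).hex())
    print("complete reply header:", parse_header(COMPLETE_REPLY))
```

The ID check in needs_tcp_retry is deliberate: a resolver that acts on any reply carrying TC=1, regardless of ID, can be pushed onto TCP by an off-path attacker, so the ID (and in practice the source port and question) must match before the header is trusted.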

The bind software
Installation
[root@tomcat1 ~]# dnf install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 0:43:29 ago on Sat 15 Nov 2025 02:25:12 PM CST.
Package bind-32:9.16.23-14.el9_3.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
Listing the configuration files
[root@tomcat1 ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf                        # main configuration file
/etc/named.rfc1912.zones               # zone declarations for the standard local zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named                             # zone data directory
/var/named/named.ca                    # root hints
/var/named/named.empty                 # template with forward records (A/AAAA); also used for the built-in empty zones
/var/named/named.localhost             # forward zone for localhost
/var/named/named.loopback              # reverse (PTR) template for the loopback address
/var/named/slaves                      # directory for secondary (slave) zone files
/usr/lib/systemd/system/named.service  # systemd unit file
Forward-record template (named.empty)
[root@tomcat1 ~]# cat /var/named/named.empty
$TTL 3H
@       IN SOA  @ rname.invalid. (
                                        0       ; serial   - zone serial number
                                        1D      ; refresh  - how often secondaries check for updates
                                        1H      ; retry    - retry interval after a failed refresh
                                        1W      ; expire   - secondaries stop serving after this long without contact
                                        3H )    ; minimum  - negative-caching TTL
        NS      @
        A       127.0.0.1
        AAAA    ::1
Reverse-record template (named.loopback)
[root@tomcat1 ~]# cat /var/named/named.loopback
$TTL 1D                 ; default TTL: how long resolvers cache records from this zone
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.
The systemd unit file
[root@tomcat1 ~]# cat /usr/lib/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
# Wants= is a weak dependency: named still starts if these units fail
Wants=nss-lookup.target
Wants=named-setup-rndc.service
Before=nss-lookup.target
After=named-setup-rndc.service
After=network.target

[Service]
# named forks into the background; systemd tracks it through PIDFile
Type=forking
Environment=NAMEDCONF=/etc/named.conf
EnvironmentFile=-/etc/sysconfig/named
Environment=KRB5_KTNAME=/etc/named.keytab
PIDFile=/run/named/named.pid
ExecStartPre=/bin/bash -c 'if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi'
ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS
ExecReload=/bin/sh -c 'if /usr/sbin/rndc null > /dev/null 2>&1; then /usr/sbin/rndc reload; else /bin/kill -HUP $MAINPID; fi'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true

[Install]
WantedBy=multi-user.target
The main configuration file
[root@tomcat1 ~]# cat /etc/named.conf
# Core options
options {
        # Listen on port 53 over IPv4; normally this is the host's own address rather than
        # loopback. Note that every statement in this file ends with a semicolon.
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        # Directory holding the zone data files
        directory       "/var/named";
        # Cache dump file
        dump-file       "/var/named/data/cache_dump.db";
        # Statistics files
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        # Security roots file
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        # Who may query. localhost limits it to this host; any opens it to every client.
        # The statement can be removed, in which case BIND's default (any) applies.
        allow-query     { localhost; };
        # Whether this server performs recursive lookups for clients. Set it to no on an
        # authoritative-only server; the stock value yes is safe only while allow-query
        # stays localhost, otherwise restrict it with allow-recursion.
        recursion yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
        # PID file of the named process
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        # Included system crypto policy
        include "/etc/crypto-policies/back-ends/bind.config";
};
# Logging
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
# Root hints
zone "." IN {
        type hint;
        file "named.ca";
};
# Included zone declaration files
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
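Because the security-relevant options above (allow-query, recursion, allow-recursion, dnssec-validation) interact through BIND's fallback rules, here is an added example, written for this page and not part of the original notes or of BIND's own tooling, that extracts the options block from a named.conf and flags the open-resolver combination. It applies the BIND 9 rule that when allow-recursion is absent the recursion ACL falls back to allow-query-cache, then allow-query, then localnets/localhost. The configurations it runs on are constructed inline; they mirror the stock file and the lab edits made later on this page. The finding names and the 192.168.11.0/24 subnet in the restricted variant are my own assumptions.

```python
import re

# BIND 9 defaults when an option is absent: allow-query any, recursion yes, and the
# recursion ACL falls back allow-recursion -> allow-query-cache -> allow-query ->
# { localnets; localhost; }.
DEFAULT_RECURSION_ACL = ["localnets", "localhost"]


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */
    return re.sub(r"(//|#)[^\n]*", "", text)            # // ... and # ...


def options_block(text: str) -> str:
    """Body of options { ... }, honouring nested braces such as listen-on { ... }."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        raise ValueError("no options block")
    depth, start = 0, m.end() - 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in options block")


def acl(block: str, name: str):
    """Elements of an address-match list such as allow-query { any; }; or None if unset."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", block)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None


def yes_no(block: str, name: str):
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s+(yes|no|auto)\s*;", block)
    return m.group(1) if m else None


def effective_recursion_acl(block: str) -> list:
    return (acl(block, "allow-recursion") or acl(block, "allow-query-cache")
            or acl(block, "allow-query") or DEFAULT_RECURSION_ACL)


def audit(conf: str) -> list:
    """Finding codes (my own names) for the risky combinations discussed on this page."""
    block = options_block(strip_comments(conf))
    findings = []
    if (yes_no(block, "recursion") or "yes") == "yes":
        rec_acl = effective_recursion_acl(block)
        if any(a in rec_acl for a in ("any", "0.0.0.0/0", "::/0")):
            findings.append("open-resolver")          # anyone reaching port 53 may recurse
        if yes_no(block, "dnssec-validation") == "no":
            findings.append("dnssec-validation-off")  # cached answers are accepted unverified
    return findings


# Constructed configurations for the example (trimmed copies, not files read from /etc).
DEFAULT_CONF = """
// stock file: loopback only, queries from localhost only
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        allow-query     { localhost; };
        recursion yes;
        dnssec-validation yes;
};
zone "." IN { type hint; file "named.ca"; };
"""
LAB_CONF = """
options {
        listen-on port 53 { 192.168.11.7; };
        allow-query     { any; };
        recursion yes;
        dnssec-validation no;
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
zone "example.com" IN { type master; file "example.com"; };
"""
AUTHORITATIVE_CONF = """
options { listen-on port 53 { 192.168.11.7; }; allow-query { any; }; recursion no; };
"""
RESTRICTED_CONF = """
options {
        allow-query { any; };
        allow-recursion { 192.168.11.0/24; };   # hypothetical lab subnet
        recursion yes;
        dnssec-validation auto;
};
"""

if __name__ == "__main__":
    for label, conf in [("default", DEFAULT_CONF), ("lab", LAB_CONF),
                        ("authoritative", AUTHORITATIVE_CONF), ("restricted", RESTRICTED_CONF)]:
        print(f"{label:14s} {audit(conf) or 'no findings'}")
```

The two clean shapes are the ones to aim for: an authoritative-only server with recursion no, or a recursor whose allow-recursion names only the networks it serves. Exposing recursion to any with validation disabled is the configuration that gets a server used for cache poisoning and amplification.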
Forward DNS resolution configuration
Requirement: resolve www.example.com using a DNS server running on the virtual machine on my computer; in my case the VM's IP address is 192.168.11.7.
Steps
1. Install the bind package
2. Edit the main configuration file
[root@tomcat1 ~]# vim /etc/named.conf
[root@tomcat1 ~]# cat /etc/named.conf
options {
        listen-on port 53 { 192.168.11.7; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        recursion yes;
        dnssec-validation no;
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "example.com" IN {
        type master;
        file "example.com";
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Three changes matter here: listen-on now binds the VM's address 192.168.11.7, allow-query is opened to any, and a master zone for example.com is declared, backed by the file example.com relative to directory "/var/named". Be aware that allow-query { any; } together with recursion yes turns this host into an open recursive resolver for every client that can reach port 53, and dnssec-validation no means the answers it caches are accepted unverified. That is acceptable on an isolated lab network but not elsewhere: on an authoritative-only server set recursion no, or keep recursion and limit it with allow-recursion to the lab subnet (for example allow-recursion { 192.168.11.0/24; }; if that is your network).
3. Check the main configuration file for syntax errors
[root@tomcat1 ~]# named-checkconf
[root@tomcat1 ~]#
If the command prints nothing, the configuration is syntactically valid.
4. Write the zone data file
[root@tomcat1 named]# vim /var/named/example.com
[root@tomcat1 named]# cat /var/named/example.com
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        1D )    ; minimum
        IN NS   ns                      ; the NS target must have an A record pointing at this DNS server
        IN MX   5 mail
ns      IN A    192.168.11.7            ; address of the name server itself
www     IN A    10.10.10.11
mail    IN A    92.68.22.14
web     IN CNAME www                    ; CNAME is an alias record: web is another name for www
The file lives in the directory named by directory "/var/named", so file "example.com" in named.conf refers to it. Names without a trailing dot (ns, www, mail) are relative to the zone origin example.com; ns.example.com. and admin.example.com. carry the trailing dot and are therefore absolute.
5. Check the zone file syntax
# Usage: named-checkzone <zone name> <path to that zone's data file>
[root@tomcat1 named]# named-checkzone example.com /var/named/example.com
zone example.com/IN: loaded serial 0
OK
6. Start the service
[root@tomcat1 named]# systemctl start named
7. Verify that resolution works
# Query the NS record
# Usage: dig -t <record type> <name> @<DNS server>
[root@tomcat1 named]# dig -t NS example.com @192.168.11.7

; <<>> DiG 9.16.23-RH <<>> -t NS example.com @192.168.11.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18042
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1cab1b19449031ea0100000069184279305af82403e96456 (good)
;; QUESTION SECTION:
;example.com.                   IN      NS

;; ANSWER SECTION:
example.com.            86400   IN      NS      ns.example.com.

;; ADDITIONAL SECTION:
ns.example.com.         86400   IN      A       192.168.11.7

;; Query time: 1 msec
;; SERVER: 192.168.11.7#53(192.168.11.7)
;; WHEN: Sat Nov 15 17:06:01 CST 2025
;; MSG SIZE  rcvd: 101

# Query the A record
[root@tomcat1 named]# dig -t A www.example.com @192.168.11.7

; <<>> DiG 9.16.23-RH <<>> -t A www.example.com @192.168.11.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32783
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 401b4f865f9ed22701000000691849a342d418e7af897c7e (good)
;; QUESTION SECTION:
;www.example.com.               IN      A

;; ANSWER SECTION:
www.example.com.        86400   IN      A       10.10.10.11

;; Query time: 0 msec
;; SERVER: 192.168.11.7#53(192.168.11.7)
;; WHEN: Sat Nov 15 17:36:35 CST 2025
;; MSG SIZE  rcvd: 88
Two flags in these replies are worth reading: aa confirms the server answered authoritatively from its own zone data, and ra shows it is also offering recursion, which is the allow-query { any; } plus recursion yes combination from step 2 being visible to every client. The 86400-second TTL comes from the $TTL 1D line of the zone file.
Reverse DNS resolution configuration
Requirement: resolve 192.168.11.11 to www.example.com
Steps
1. Edit the main configuration file
[root@nginx named]# vim /etc/named.conf
[root@nginx named]# cat /etc/named.conf
options {
        listen-on port 53 { 192.168.11.11; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        recursion yes;
        dnssec-validation no;
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "example.com" IN {
        type master;
        file "example.zone";
};
zone "11.168.192.in-addr.arpa" IN {
        type master;
        file "fanxiang.zone";
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The reverse zone is named after the network part of the address written backwards under in-addr.arpa: for 192.168.11.0/24 that is 11.168.192.in-addr.arpa. This file declares no allow-query at all, so BIND's default of any applies; with recursion yes that again exposes a recursive resolver to every client that can reach 192.168.11.11, the same caveat as in the forward setup.
2. Check the main configuration file syntax
[root@nginx named]# named-checkconf
3. Write the reverse zone data file
[root@nginx named]# vim /var/named/fanxiang.zone
[root@nginx named]# cat /var/named/fanxiang.zone
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                                        7       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        1D )    ; minimum
        IN NS   ns                      ; relative name: expands to ns.11.168.192.in-addr.arpa., hence the A record below; ns.example.com. is the usual choice
ns      IN A    192.168.11.11
11      IN PTR  www.example.com.        ; trailing dot required: without it named appends the zone origin to the target
The owner 11 is relative to the origin, so the record answers for 11.11.168.192.in-addr.arpa., which is the name dig -x 192.168.11.11 asks for.
4. Check the zone file syntax
[root@nginx named]# named-checkzone 11.168.192.in-addr.arpa /var/named/fanxiang.zone
zone 11.168.192.in-addr.arpa/IN: loaded serial 7
OK
5. Restart the service
[root@nginx named]# systemctl restart named
6. Verify that resolution works
[root@nginx named]# dig -x 192.168.11.11 @192.168.11.11

; <<>> DiG 9.16.23-RH <<>> -x 192.168.11.11 @192.168.11.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45844
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 8b3bad278c4996be010000006918506272ccf6f64ae906b3 (good)
;; QUESTION SECTION:
;11.11.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
11.11.168.192.in-addr.arpa. 86400 IN    PTR     www.example.com.11.168.192.in-addr.arpa.

;; Query time: 1 msec
;; SERVER: 192.168.11.11#53(192.168.11.11)
;; WHEN: Sat Nov 15 18:05:22 CST 2025
;; MSG SIZE  rcvd: 136
Look closely at the answer: the PTR target came back as www.example.com.11.168.192.in-addr.arpa., not www.example.com. That is what happens when the record is written as 11 IN PTR www.example.com without a trailing dot: named treats the target as a relative name and appends the zone origin. named-checkzone does not catch this, because the result is a syntactically valid name. With 11 IN PTR www.example.com. the answer is www.example.com., so after editing the file bump the serial and reload (rndc reload or systemctl restart named) and repeat the dig -x check.
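The forward zone in the earlier section and the reverse zone just above both rely on one rule: an unqualified name in a zone file gets the origin appended, and only a trailing dot makes it absolute. As an added example, written for this page and not part of the original notes or of BIND, the following Python applies that rule to copies of both zone files constructed inline, follows the CNAME from web to www, derives the in-addr.arpa name that dig -x asks for, and shows that a PTR target written as www.example.com without the dot expands to www.example.com.11.168.192.in-addr.arpa., exactly as the dig output above shows. The parser handles only the record shapes used on this page; suspicious_ptr_targets is my own check, not a BIND feature.

```python
# Zone-file naming rules applied to the forward and reverse zones on this page.
# The zone texts below are constructed copies for the example, not files read from /var/named.

def qualify(name: str, origin: str) -> str:
    """'@' means the origin; a name ending in '.' is absolute; anything else is relative
    and gets the origin appended. This is the rule named applies to owners and to
    name-valued rdata (NS, CNAME, PTR, MX targets, SOA names)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list:
    """Parse SOA (with parenthesised continuation lines), NS, MX, A, AAAA, CNAME and PTR
    records into (owner, type, rdata) tuples with every name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, buf, depth, indented = [], origin, "", 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop ';' comments
        if not line.strip():
            continue
        if not buf:
            indented = raw[0].isspace()             # blank owner field: reuse previous owner
        buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                                # still inside ( ... )
        fields = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if fields[0].startswith("$"):               # $TTL: irrelevant to naming
            continue
        if not indented:
            owner = qualify(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            value = qualify(rdata[0], origin)
        elif rtype == "MX":
            value = (int(rdata[0]), qualify(rdata[1], origin))
        elif rtype == "SOA":
            value = (qualify(rdata[0], origin), qualify(rdata[1], origin), int(rdata[2]))
        else:
            value = rdata[0]                        # A / AAAA: literal address
        records.append((owner, rtype, value))
    return records


def reverse_name(ip: str) -> str:
    """The owner name dig -x asks for: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lookup(records: list, name: str, rtype: str):
    return next((v for o, t, v in records if o == name and t == rtype), None)


def resolve_a(records: list, name: str, hops: int = 8):
    """Follow CNAME aliases (web -> www on this page) until an A record is found."""
    for _ in range(hops):
        addr = lookup(records, name, "A")
        if addr:
            return addr
        name = lookup(records, name, "CNAME")
        if name is None:
            return None
    return None


def suspicious_ptr_targets(records: list) -> list:
    """A PTR target ending inside in-addr.arpa almost always means a missing trailing dot."""
    return [(o, v) for o, t, v in records if t == "PTR" and v.endswith(".in-addr.arpa.")]


FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                0 1D 1H 1W 3H )   ; serial refresh retry expire minimum
        IN NS   ns
        IN MX   5 mail
ns      IN A    192.168.11.7
www     IN A    10.10.10.11
mail    IN A    92.68.22.14
web     IN CNAME www
"""
REVERSE_ZONE_BUGGY = """\
$TTL 1D
@       IN SOA  ns.example.com. admin.example.com. (
                7 1D 1H 1W 1D )
        IN NS   ns
ns      IN A    192.168.11.11
11      IN PTR  www.example.com
"""
REVERSE_ZONE_FIXED = REVERSE_ZONE_BUGGY.replace("PTR  www.example.com", "PTR  www.example.com.")

if __name__ == "__main__":
    for label, zone in (("buggy", REVERSE_ZONE_BUGGY), ("fixed", REVERSE_ZONE_FIXED)):
        recs = parse_zone(zone, "11.168.192.in-addr.arpa")
        print(label, lookup(recs, reverse_name("192.168.11.11"), "PTR"))
```

The same expansion explains the NS record in the reverse zone: a bare ns there becomes ns.11.168.192.in-addr.arpa., which is why that zone needed its own A record for ns. Running suspicious_ptr_targets over a parsed reverse zone before reloading is a cheap check that named-checkzone will not do for you.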
