2. Start the caching name service on the server: systemctl start named

Note: when the service is started it may hang because the system does not yet have enough entropy to generate the key; pressing keys or moving the mouse lets it continue.

    [root@localhost ~]# systemctl start named
    (random keystrokes typed here to feed the entropy pool)
    [root@localhost ~]# (more random keystrokes)^C

Once the service has started normally, the file /etc/rndc.key is generated:

    [root@localhost ~]# ll /etc/rndc.key
    -rw-r----- 1 root named 77 Apr 25 03:02 /etc/rndc.key

3. On the client, edit the DNS configuration file /etc/resolv.conf:

    # Generated by NetworkManager
    search ilt.example.com example.com
    nameserver 172.25.254.250
4. When the server allows port 53 only on the loopback interface (firewall turned off), /etc/named.conf contains:

    options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };

The client cannot reach the server at all:

    [root@foundation8 ~]# dig www.qq.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

5. When the server shares port 53 on all interfaces but only allows local users to query:

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { localhost; };

The client's query is refused:

    [root@foundation8 ~]# dig www.qq.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53598

6. When the server itself cannot resolve the name (no working upstream):

    [root@foundation8 ~]# dig www.qq.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63026
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

7. When the server configuration is correct:

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        forwarders { 172.25.254.77; };
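An added check, not part of the original notes, that applies the reasoning of steps 4 to 7 to an options block: which interfaces named listens on, whom allow-query admits, and whether recursion (the BIND default, here combined with forwarders) is offered to every client that can reach port 53. It assumes the BIND defaults for absent statements (listen-on any, allow-query any, recursion yes, allow-recursion falling back to allow-query-cache, then allow-query); the sample blocks are constructed from the steps above.

```python
import re

# Statements the audit reads, e.g.  allow-query { localhost; };  listen-on port 53 { any; };
STMT = re.compile(
    r'\b(listen-on(?:-v6)?|allow-query(?:-cache)?|allow-recursion|recursion)'
    r'(?:\s+port\s+\d+)?\s*(?:\{\s*([^}]*)\}|(yes|no))\s*;')
LOOPBACK = {'127.0.0.1', '::1', 'localhost', 'none'}

def parse_options(conf):
    """Return {statement: [values]} for the access-control statements in an options block."""
    found = {}
    for name, body, flag in STMT.findall(conf):
        values = [flag] if flag else [v.strip() for v in body.split(';') if v.strip()]
        found.setdefault(name, []).extend(values)
    return found

def audit_options(conf):
    """Return (code, explanation) findings; an empty list means no exposure was found."""
    o = parse_options(conf)
    listen = o.get('listen-on', ['any']) + o.get('listen-on-v6', [])   # BIND default: any
    queries = o.get('allow-query', ['any'])                            # BIND default: any
    # BIND's documented fallback chain when allow-recursion is absent:
    # allow-query-cache -> allow-query -> { localnets; localhost; }
    recursors = (o.get('allow-recursion') or o.get('allow-query-cache')
                 or o.get('allow-query') or ['localnets', 'localhost'])
    recursive = o.get('recursion', ['yes'])[0] == 'yes'                # BIND default: yes
    if all(v in LOOPBACK for v in listen):
        return [('LOOPBACK_ONLY', 'named answers only on loopback; remote clients time out (step 4)')]
    findings = []
    if all(v in LOOPBACK for v in queries):
        findings.append(('QUERY_LOCAL_ONLY', 'allow-query admits only localhost; remote clients get REFUSED (step 5)'))
    elif recursive and 'any' in recursors:
        findings.append(('OPEN_RESOLVER', 'recursion is offered to every client that can reach port 53 (step 7)'))
    return findings

# Constructed samples taken from steps 4, 5 and 7 above, plus a restricted variant of step 7.
STEP4 = 'options { listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; };'
STEP5 = ('options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; };'
         ' directory "/var/named"; allow-query { localhost; }; };')
STEP7 = ('options { listen-on port 53 { any; }; listen-on-v6 port 53 { ::1; };'
         ' allow-query { any; }; forwarders { 172.25.254.77; }; };')
RESTRICTED = STEP7.replace('forwarders', 'allow-recursion { 172.25.254.0/24; }; forwarders')

if __name__ == '__main__':
    for label, conf in [('step 4', STEP4), ('step 5', STEP5), ('step 7', STEP7), ('restricted', RESTRICTED)]:
        print(label, audit_options(conf) or 'no exposure found')
```

The RESTRICTED variant keeps allow-query { any; } (harmless for the authoritative zones added later) but limits recursion to the lab subnet, which is the usual fix for a forwarder that must face a shared interface.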
Client test:

    [root@foundation8 ~]# dig www.qq.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.qq.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59247
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; Query time: 0 msec
    ;; SERVER: 172.25.254.108#53(172.25.254.108)
    ;; WHEN: Wed Apr 25 15:13:13 CST 2018
    ;; MSG SIZE rcvd: 39

II. Local forward resolution configuration

1. Change the DNS resolver address in /etc/resolv.conf:

    # Generated by NetworkManager
    search ilt.example.com
    nameserver 172.25.254.108
2. Edit the named configuration file /etc/named.conf so that the server resolves locally (no forwarders line):

    options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };

3. Edit the zone configuration file /etc/named.rfc1912.zones:

    zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
    };
4. Create the zone file (in the /var/named directory):

    cp -p named.localhost westos.com.zone

Edit the file:

    $TTL 1D
    @       IN SOA  @ root.westos.com. (
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
            NS      dns.westos.com.
    dns     A       172.25.254.177
    hello   A       172.25.254.150
    hi      A       172.25.254.151

5. Test on the local host:

    dig hello.westos.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49145
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;hello.westos.com.              IN      A
    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      A       172.25.254.150
    ;; AUTHORITY SECTION:
    westos.com.             86400   IN      NS      dns.westos.com.
    ;; ADDITIONAL SECTION:
    dns.westos.com.         86400   IN      A       172.25.254.177
III. Local reverse resolution configuration

1. Change the DNS resolver address in /etc/resolv.conf (as in II.1).
2. Edit the named configuration file /etc/named.conf for local resolution (as in II.2).
3. Edit the zone configuration file /etc/named.rfc1912.zones:

    zone "254.25.172.in-addr.arpa" IN {
        type master;
        file "westos.com.ptr";
        allow-update { none; };
    };

4. Create the zone file (in the /var/named directory; the name must match the file line in the zone definition):

    cp -p named.loopback westos.com.ptr

Edit the file:

    $TTL 1D
    @       IN SOA  @ root.westos.com. (
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
            NS      dns.westos.com.
    dns     A       172.25.254.177
    111     PTR     test.westos.com.
    112     PTR     hello.westos.com.
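Instead of typing the PTR records by hand as in step 4, the reverse zone can be derived from the forward zone so the two never drift apart. This is an added example, not from the original notes: it parses a westos.com.zone-style file (comments, the multi-line SOA, owner names inherited by indented lines), assumes an IPv4 /24 network, and emits one PTR per A record inside that network, skipping CNAME and NS records and addresses that belong elsewhere. The sample zone is constructed from section II with one extra host, lab, outside the lab subnet.

```python
import ipaddress, re

# Constructed sample in the westos.com.zone format above; "lab" sits outside 172.25.254.0/24.
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  @ root.westos.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.177
hello   A       172.25.254.150
lab     A       192.168.0.5
"""

def parse_zone(text):
    """Return (ttl, [(owner, type, [rdata...])]); indented lines inherit the previous owner."""
    text = re.sub(r';[^\n]*', '', text)                                          # drop comments
    text = re.sub(r'\(([^)]*)\)', lambda m: ' '.join(m.group(1).split()), text)  # fold the SOA
    ttl, owner, records = '1D', '@', []
    for line in filter(str.strip, text.splitlines()):
        tokens = line.split()
        if tokens[0] == '$TTL':
            ttl = tokens[1]
        else:
            if not line[0].isspace():                   # a column-0 token names a new owner
                owner = tokens.pop(0)
            tokens = tokens[1:] if tokens[0] == 'IN' else tokens   # the class is optional
            records.append((owner, tokens[0], tokens[1:]))
    return ttl, records

def reverse_records(forward_text, origin, network):
    """Sorted (last octet, FQDN) pairs for every A record inside the IPv4 /24 `network`."""
    net = ipaddress.ip_network(network)                               # assumed to be a /24
    ptrs = []
    for owner, rtype, rdata in parse_zone(forward_text)[1]:
        if rtype == 'A' and ipaddress.ip_address(rdata[0]) in net:  # CNAME/NS get no PTR
            fqdn = f'{origin}.' if owner == '@' else owner if owner.endswith('.') else f'{owner}.{origin}.'
            ptrs.append((int(rdata[0].rsplit('.', 1)[1]), fqdn))
    return sorted(ptrs)

def build_reverse_zone(forward_text, origin, network):
    """Render a westos.com.ptr-style file that reuses the forward zone's $TTL, SOA and NS."""
    ttl, records = parse_zone(forward_text)
    lines = [f'$TTL {ttl}'] + [f'{o}\t{t}\t{" ".join(r)}' for o, t, r in records if t in ('SOA', 'NS')]
    lines += [f'{octet}\tPTR\t{fqdn}' for octet, fqdn in reverse_records(forward_text, origin, network)]
    return '\n'.join(lines) + '\n'
```

The rendered file belongs in /var/named under the name given by the zone's file line, with the zone name 254.25.172.in-addr.arpa supplied by /etc/named.rfc1912.zones as in step 3.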
5. Test on the local host:

    dig -x 172.25.254.111
    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3189
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;111.254.25.172.in-addr.arpa.   IN      PTR
    ;; ANSWER SECTION:
    111.254.25.172.in-addr.arpa. 86400 IN   PTR     test.westos.com.
    ;; AUTHORITY SECTION:
    254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.
    ;; ADDITIONAL SECTION:
    dns.westos.com.         86400   IN      A       172.25.254.177

Note: with local (forward or reverse) resolution, a name or IP address that is not in the named zone file cannot be resolved:

    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18925
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;222.254.25.172.in-addr.arpa.   IN      PTR

IV. DNS resolution settings

Round-robin name resolution

1. Edit the zone file westos.com.zone (in the /var/named directory):

    $TTL 1D
    @       IN SOA  @ root.westos.com. (
                                    0       ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
            NS      dns.westos.com.
    dns     A       172.25.254.108
    hello   CNAME   www
    www     A       172.25.254.111
    www     A       172.25.254.122

2. When resolving locally, the order of the answers now rotates (round robin):

    dig hello.westos.com
    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       172.25.254.111
    www.westos.com.         86400   IN      A       172.25.254.122

    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       172.25.254.122
    www.westos.com.         86400   IN      A       172.25.254.111

Slave (secondary) host resolution

1. On the slave host, configure the yum repository, install bind and start the named service.
2. On the slave host, edit the DNS configuration file (local resolver):

    # Generated by NetworkManager
    search example.com
    nameserver 172.25.254.208

3. On the slave host, edit /etc/named.rfc1912.zones:

    zone "westos.com" IN {
        type slave;
        masters { 172.25.254.108; };
        file "slaves/westos.com.zone";
        allow-update { none; };
    };

4. On the local (master) host, edit the zone definition:

    zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
        allow-transfer { 172.25.254.208; };   ## allow host 208 to synchronize (zone transfer)
        also-notify { 172.25.254.208; };      ## notify host 208 when the file changes
    };

5. On the local host, edit the file westos.com.zone:

    $TTL 1D
    @       IN SOA  @ root.westos.com. (
                                    042601  ; serial   ## date of the last change
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
            NS      dns.westos.com.
    dns     A       172.25.254.108
    hello   CNAME   www
    www     A       172.25.254.101
    www     A       172.25.254.102

6. Restart named on the local host and run dig hello.westos.com:

    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       172.25.254.101
    www.westos.com.         86400   IN      A       172.25.254.102

Restart named on the slave host and run dig hello.westos.com there:

    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       172.25.254.101
    www.westos.com.         86400   IN      A       172.25.254.102

Two-way (split-view) name resolution

On the other hosts, the DNS resolver file /etc/resolv.conf:

    # Generated by NetworkManager
    search example.com
    nameserver 172.25.254.108

On the local host:

1. Create a second zone file (in the /var/named directory):

    cp -p westos.com.zone westos.com.inter

and change the IP addresses in it:

    $TTL 1D
    @       IN SOA  @ root.westos.com. (
                                    042601  ; serial
                                    1D      ; refresh
                                    1H      ; retry
                                    1W      ; expire
                                    3H )    ; minimum
            NS      dns.westos.com.
    dns     A       192.168.0.108
    hello   CNAME   www
    www     A       192.168.0.101
    www     A       192.168.0.102

2. Create a second zone configuration file:

    cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inter

and change its zone definition:

    zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { none; };
        allow-transfer { 172.25.254.208; };
        also-notify { 172.25.254.208; };
    };

3. Edit the main configuration file /etc/named.conf. Comment out the original zone section:

    /*
    zone "." IN {
        type hint;
        file "named.ca";
    };
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    */

and add one view for local (local) resolution and one for all other hosts (any):

    view localnet {
        match-clients { 172.25.254.108; };
        zone "." IN {
            type hint;
            file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
    };
    view anynet {
        match-clients { any; };
        zone "." IN {
            type hint;
            file "named.ca";
        };
        include "/etc/named.rfc1912.inter";
    };

4. Restart named and test. Resolving from the local host:

    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       172.25.254.101
    www.westos.com.         86400   IN      A       172.25.254.102

Resolving from another host:

    ;; ANSWER SECTION:
    hello.westos.com.       86400   IN      CNAME   www.westos.com.
    www.westos.com.         86400   IN      A       192.168.0.102
    www.westos.com.         86400   IN      A       192.168.0.101

Remote update (note: SELinux must not be in Enforcing mode!)

1. Back up the local zone file:

    cp -p /var/named/westos.com.zone /mnt

2. Edit the local zone definition in /etc/named.rfc1912.zones:

    zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.208; };     ## allow host 208 to update remotely
        allow-transfer { 172.25.254.208; };
        also-notify { 172.25.254.208; };
    };

3. At this point the named group has no write permission in the /var/named/ directory:

    -rw-r----- 1 root named 229 Apr 26 01:38 westos.com.zone

so the remote host cannot update:

    [root@localhost named]# nsupdate
    > server 172.25.254.108
    > update delete hello.westos.com
    > send
    update failed: SERVFAIL

4. On the local host, change the permissions of /var/named/:

    [root@localhost named]# chmod g+w /var/named/

Now the remote host can update. Delete a record:

    [root@localhost named]# nsupdate
    > server 172.25.254.108
    > update delete hello.westos.com
    > send

Add a record (86400 is the TTL in seconds, one day):

    [root@localhost named]# nsupdate
    > server 172.25.254.108
    > update add hello.westos.com 86400 A 172.25.254.120
    > send

5. Restart named on the local host. A westos.com.zone.jnl journal file is generated and westos.com.zone is rewritten:

    $ORIGIN .
    $TTL 86400      ; 1 day
    westos.com              IN SOA  westos.com. root.westos.com. (
                                    42603      ; serial
                                    86400      ; refresh (1 day)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    10800      ; minimum (3 hours)
                                    )
                            NS      dns.westos.com.
    $ORIGIN westos.com.
    dns                     A       172.25.254.108
    hello                   A       172.25.254.120
    www                     A       172.25.254.101
                            A       172.25.254.102

Encrypted (key-authenticated) remote update (note: SELinux must not be in Enforcing mode!)
1. Restore the configuration file.
2. Generate the key (the lab working directory is /mnt):

    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos

    -a   algorithm
    -b   key size in bits
    -n   name type (HOST)

    [root@localhost mnt]# ls
    Kwestos.+157+02231.key  Kwestos.+157+02231.private  westos.com.zone

3. Create the key file:

    cp -p /etc/rndc.key /etc/westos.key

and edit it to hold the generated key:

    key "westos" {
        algorithm hmac-md5;
        secret "wLb7wlj95YfZFUK8nZ1Oqw==";
    };

4. Edit the zone definition in /etc/named.rfc1912.zones:

    zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westos; };
        allow-transfer { 172.25.254.208; };
        also-notify { 172.25.254.208; };
    };

5. Edit the main configuration file /etc/named.conf:

    include "/etc/westos.key";     ## the new key file
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };

6. Send the key files to the remote host (lab working directory /mnt):

    scp Kwestos.+157+02231* root@172.25.254.208:/mnt

7. After named is restarted on the local host, the remote host can update DNS with the key:

    [root@localhost named]# cd /mnt
    [root@localhost mnt]# ls
    Kwestos.+157+02231.key  Kwestos.+157+02231.private
    [root@localhost mnt]# nsupdate -k Kwestos.+157+02231.private
    > server 172.25.254.108
    > update add hello.westos.com 86400 A 172.25.254.120
    > send
    > quit

V. Dynamic DNS (as provided by services such as 花生壳)

1. Restore the configuration file and install dhcp on the local host (the server).
2. Edit the DHCP configuration file /etc/dhcp/dhcpd.conf:

    [root@localhost named]# cp /usr/share/doc/dhcp*/dhcpd.conf.example /etc/dhcp/dhcpd.conf
    cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y

(The overwrite prompt shows that the path is correct.)

    # option definitions common to all supported networks...
    option domain-name "westos.com";                 ## domain name
    option domain-name-servers 172.25.254.108;       ## DNS server
    default-lease-time 600;
    max-lease-time 7200;
    # Use this to enble / disable dynamic dns updates globally.
    ddns-update-style interim;                       ## DNS update style: ad-hoc, interim or none
    # This is a very basic subnet declaration.
    subnet 172.25.254.0 netmask 255.255.255.0 {      ## subnet and netmask
        range 172.25.254.50 172.25.254.60;           ## address pool
        option routers 172.25.254.108;               ## gateway
    }
    key westos {
        algorithm hmac-md5;                          ## the key's algorithm
        secret wLb7wlj95YfZFUK8nZ1Oqw==;             ## the key's secret
    };
    zone westos.com. {
        primary 127.0.0.1;                           ## the host's own loopback interface
        key westos;                                  ## sign updates with the westos key
    }

3. The remote host accesses DNS. Note: the remote host's network interface must be in DHCP mode, and its hostname must be changed to name.westos.com. Suggestion: reformat the virtual machine and then change the hostname.

After restarting the dhcpd and named services on the local host, the remote host can dig its own name (for example, the remote host is bbs.westos.com):

    [root@bbs ~]# dig bbs.westos.com
    ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> bbs.westos.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29752
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;bbs.westos.com.                IN      A
    ;; ANSWER SECTION:
    bbs.westos.com.         300     IN      A       172.25.254.50

The zone on the local host is updated in step:

    $ORIGIN .
    $TTL 86400      ; 1 day
    westos.com              IN SOA  westos.com. root.westos.com. (
                                    42602      ; serial
                                    86400      ; refresh (1 day)
                                    3600       ; retry (1 hour)
                                    604800     ; expire (1 week)
                                    10800      ; minimum (3 hours)
                                    )
                            NS      dns.westos.com.
    $ORIGIN westos.com.
    $TTL 300        ; 5 minutes
    bbs                     A       172.25.254.50      ## newly added record
                            TXT     "0006177289b2ae3cbee2c9dc00838c2c46"
    $TTL 86400      ; 1 day
    dns                     A       172.25.254.108
    hello                   CNAME   www
    www                     A       172.25.254.101
                            A       172.25.254.102
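The same key "westos" appears twice, in /etc/westos.key for named (encrypted remote update, step 3) and in dhcpd.conf for dhcpd (step 2 above), in two spellings; a mismatch in name, algorithm or secret makes every signed update fail with a TSIG verify failure. This added example, not from the original notes, parses both spellings, reports inconsistencies and the weak hmac-md5 choice, and renders a fresh hmac-sha256 key in both formats. It assumes ISC dhcpd 4.x, which accepts the hmac-sha* algorithm names; the two sample statements are copied from the notes.

```python
import base64
import hashlib
import re
import secrets

# Matches both spellings:  key "westos" { ... secret "..."; };  (named)  and  key westos { ... secret ...; };  (dhcpd)
KEY_STMT = re.compile(
    r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w.-]+)\s*;\s*secret\s+"?([A-Za-z0-9+/=]+)"?\s*;\s*\}\s*;',
    re.IGNORECASE)

def parse_key(conf):
    """Return (name, algorithm, base64 secret) from the first key statement in `conf`."""
    m = KEY_STMT.search(conf)
    if not m:
        raise ValueError('no key statement found')
    name, alg, secret = m.groups()
    return name, alg.lower().split('.')[0], secret   # dhcpd also accepts HMAC-MD5.SIG-ALG.REG.INT

def check_key_pair(named_conf, dhcpd_conf):
    """Finding codes for the TSIG key that named and dhcpd must share; [] means consistent and sound."""
    n_name, n_alg, n_secret = parse_key(named_conf)
    d_name, d_alg, d_secret = parse_key(dhcpd_conf)
    findings = []
    if n_name != d_name:
        findings.append('NAME_MISMATCH')          # allow-update { key westos; } would never match
    if n_alg != d_alg:
        findings.append('ALGORITHM_MISMATCH')
    if n_secret != d_secret:
        findings.append('SECRET_MISMATCH')        # every signed update is rejected (TSIG verify failure)
    if n_alg == 'hmac-md5':
        findings.append('WEAK_ALGORITHM')         # only optional in RFC 8945; tsig-keygen defaults to hmac-sha256
    try:
        raw = base64.b64decode(n_secret, validate=True)
        if len(raw) < hashlib.new(n_alg.split('-', 1)[1]).digest_size:
            findings.append('SHORT_SECRET')       # shorter than the MAC's native output size
    except (ValueError, IndexError):
        findings.append('BAD_SECRET')
    return findings

def generate_key(name, alg='hmac-sha256'):
    """Fresh random secret rendered as matching named.conf and dhcpd.conf key statements."""
    size = hashlib.new(alg.split('-', 1)[1]).digest_size
    secret = base64.b64encode(secrets.token_bytes(size)).decode()
    named = f'key "{name}" {{ algorithm {alg}; secret "{secret}"; }};'
    dhcpd = f'key {name} {{ algorithm {alg}; secret {secret}; }};'   # assumes ISC dhcpd 4.x (hmac-sha* names)
    return named, dhcpd

# The two statements from the notes above (named.conf form and dhcpd.conf form).
NAMED_KEY = 'key "westos" { algorithm hmac-md5; secret "wLb7wlj95YfZFUK8nZ1Oqw=="; };'
DHCPD_KEY = 'key westos { algorithm hmac-md5; secret wLb7wlj95YfZFUK8nZ1Oqw==; };'
```

Run check_key_pair(NAMED_KEY, DHCPD_KEY) against the notes' own pair and the only finding is WEAK_ALGORITHM; the pair returned by generate_key('westos') is clean and can be dropped into /etc/westos.key and dhcpd.conf as-is.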