DNS (Domain Name System) is the distributed database on the World Wide Web that maps domain names to IP addresses and back, so that people can reach hosts by name instead of remembering the numeric addresses that machines read directly. Translating a name into the IP address it stands for is called name resolution (or hostname resolution). DNS uses port 53 over both UDP and TCP: ordinary queries travel over UDP, while zone transfers and responses too large for a single datagram use TCP. When you open a firewall for DNS, open both.
Caching DNS server

1. The software a caching server needs is bind. Install it:

   [root@localhost ~]# yum install bind -y

2. The service is named. Start it. If the start seems to hang, named is waiting for enough entropy to generate its rndc control key; moving the mouse or typing on the keyboard feeds the entropy pool. The generated key is stored in /etc/rndc.key.

   [root@localhost ~]# systemctl start named
   [root@localhost ~]# systemctl status named
   named.service - Berkeley Internet Name Domain (DNS)
      Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
      Active: active (running) since Wed 2018-05-02 07:14:06 EDT; 27s ago
     Process: 2505 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)

3. Stop the firewall (in a lab; on a real host allow only the DNS service instead: firewall-cmd --permanent --add-service=dns && firewall-cmd --reload) and look at the listening sockets. By default port 53 is bound only to the loopback interface, 127.0.0.1.

4. Find the configuration files and edit the main one so that port 53 is opened on the server's real interfaces.

   [root@localhost ~]# rpm -qc bind          list bind's configuration files
   /etc/logrotate.d/named
   /etc/named.conf
   /etc/named.iscdlv.key
   /etc/named.rfc1912.zones
   /etc/named.root.key
   /etc/rndc.conf
   /etc/rndc.key
   /etc/sysconfig/named
   /var/named/named.ca
   /var/named/named.empty
   /var/named/named.localhost
   /var/named/named.loopback
   [root@localhost ~]# vim /etc/named.conf   edit the main configuration file
   listen-on port 53 { any; };               listen on port 53 on every interface (was 127.0.0.1)
   listen-on-v6 port 53 { ::1; };
   directory "/var/named";
   dump-file "/var/named/data/cache_dump.db";
   statistics-file "/var/named/data/named_stats.txt";
   memstatistics-file "/var/named/data/named_mem_stats.txt";
   allow-query { any; };                     accept queries from every client (was localhost)
   forwarders { 172.25.254.77; };            forward queries this server cannot answer to 172.25.254.77

   Caveat: allow-query { any; } on a recursive or forwarding server that is reachable from the Internet turns it into an open resolver, usable for DNS amplification attacks and as a target for cache poisoning. Outside an isolated lab, limit queries and recursion to the networks you serve, for example allow-query { 172.25.254.0/24; localhost; }; and allow-recursion { 172.25.254.0/24; localhost; };.

5. Restart named and check the sockets again. Port 53 is now bound on all interfaces, including eth0 (172.25.254.177). Port 953, the rndc control channel, stays on loopback only, which is how it should remain.

   [root@localhost ~]# systemctl restart named
   [root@localhost ~]# netstat -antlupe | grep named
   tcp   0 0 127.0.0.1:953        0.0.0.0:*  LISTEN  25  63090  3266/named
   tcp   0 0 172.25.254.177:53    0.0.0.0:*  LISTEN  25  63085  3266/named
   tcp   0 0 127.0.0.1:53         0.0.0.0:*  LISTEN  25  63083  3266/named
   tcp6  0 0 ::1:953              :::*       LISTEN  25  63091  3266/named
   tcp6  0 0 ::1:53               :::*       LISTEN  25  63087  3266/named
   udp   0 0 172.25.254.177:53    0.0.0.0:*          25  63084  3266/named
   udp   0 0 127.0.0.1:53         0.0.0.0:*          25  63082  3266/named
   udp6  0 0 ::1:53               :::*               25  63086  3266/named

Client test

1. Edit the client's resolver configuration.
   [root@localhost ~]# vim /etc/resolv.conf
   nameserver 172.25.254.177

2. Query through the new server:

   [root@localhost ~]# dig www.baidu.com

   The answer section lists Baidu's address records, obtained through the forwarder and now cached on the server; a second dig for the same name shows a much shorter query time.
Forward resolution: finding the IP address for a name

1. Edit the main configuration file and remove the forwarders line added above, so that this server answers from its own zone data instead of forwarding.

   [root@localhost ~]# vim /etc/named.conf

2. Edit the secondary configuration file, /etc/named.rfc1912.zones, and declare the zone:

   zone "westos.com" IN {                    add the westos.com zone
           type master;                      this server is the primary (master) for the zone
           file "westos.com.zone";           forward zone data file, relative to /var/named
           allow-update { none; };           no dynamic updates from the network
   };

3. Create the forward zone file. Zone files live in /var/named, the directory set by the directory option.

   [root@localhost ~]# rpm -ql bind          list every file and directory installed by bind
   [root@localhost ~]# cd /var/named/
   [root@localhost named]# ls
   data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

   named.loopback shows the zone-file syntax:

   [root@localhost named]# vim named.loopback
   $TTL 1D
   @       IN SOA  @ rname.invalid. (
                                           0       ; serial
                                           1D      ; refresh
                                           1H      ; retry
                                           1W      ; expire
                                           3H )    ; minimum
           NS      @
           A       127.0.0.1
           AAAA    ::1
           PTR     localhost.

   Copy it (with -p, so that the ownership and mode that let named read the file are preserved) and edit the copy for westos.com:

   [root@localhost named]# cp -p named.loopback westos.com.zone
   [root@localhost named]# vim westos.com.zone
           NS      dns.westos.com.           the name server for the zone
   dns     A       172.25.254.177            address of the name server itself
   www     A       172.25.254.249            A record: name to IPv4 address (forward resolution)
   bbs     A       172.25.254.148

   Note: a name in a zone file that does not end in a dot is relative, and the zone origin westos.com. is appended to it automatically, so dns means dns.westos.com. A fully qualified name such as dns.westos.com. must therefore end with the dot; without it, it would become dns.westos.com.westos.com. Run named-checkzone westos.com /var/named/westos.com.zone before restarting to catch syntax errors.

4. Restart the service:

   [root@localhost named]# systemctl restart named
5. Client test:

   [root@localhost ~]# vim /etc/resolv.conf     set nameserver to 172.25.254.177
   [root@localhost ~]# dig www.westos.com       test
   ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46458
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.westos.com.                IN      A

   ;; ANSWER SECTION:
   www.westos.com.         86400   IN      A       172.25.254.249

   ;; AUTHORITY SECTION:
   westos.com.             86400   IN      NS      dns.westos.com.

   ;; ADDITIONAL SECTION:
   dns.westos.com.         86400   IN      A       172.25.254.177

   ;; Query time: 1 msec
   ;; SERVER: 172.25.254.177#53(172.25.254.177)
   ;; WHEN: Wed May 02 09:14:04 EDT 2018
   ;; MSG SIZE  rcvd: 93

   The aa flag shows that the server answered authoritatively from its own zone rather than from a forwarder.

Reverse resolution: finding the name for an IP address

1. Open /etc/named.rfc1912.zones; it already contains a reverse zone for the loopback network that shows the required form. The reverse zone for 172.25.254.0/24 is 254.25.172.in-addr.arpa (the network octets in reverse order under in-addr.arpa).

   [root@localhost named]# vim /etc/named.rfc1912.zones

2. Add the reverse zone: a master zone named 254.25.172.in-addr.arpa whose data file is westos.com.pty.

3. Create the reverse zone file. Each host gets a PTR record whose owner is the host part of the address and whose data is the host name, fully qualified and ending in a dot (for example 246 PTR tm.westos.com.).

   [root@localhost named]# vim westos.com.pty

4. Restart named.

5. Client test. A reverse lookup needs dig -x:

   [root@localhost ~]# dig -x 172.25.254.246
   ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.246
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48801
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;246.254.25.172.in-addr.arpa.   IN      PTR

   ;; ANSWER SECTION:
   246.254.25.172.in-addr.arpa. 86400 IN   PTR     tm.westos.com.254.25.172.in-addr.arpa.

   ;; AUTHORITY SECTION:
   254.25.172.in-addr.arpa. 86400  IN      NS      dns.westos.com.

   ;; ADDITIONAL SECTION:
   dns.westos.com.         86400   IN      A       172.25.254.177

   ;; Query time: 1 msec
   ;; SERVER: 172.25.254.177#53(172.25.254.177)
   ;; WHEN: Wed May 02 09:42:57 EDT 2018
   ;; MSG SIZE  rcvd: 128

   The query succeeds, but the answer exposes a mistake in the zone file: the PTR target was written as tm.westos.com without the trailing dot, so named treated it as relative and appended the zone origin, producing tm.westos.com.254.25.172.in-addr.arpa., a name that does not exist. The correct entry is 246 PTR tm.westos.com. (with the final dot). Any name in the data field of a PTR, NS, CNAME or MX record follows the same rule.

Round-robin resolution

To spread the load of a busy web site across several servers, the same name is given several A records. named rotates the order of the records in successive answers (the rrset-order option controls this), so consecutive clients are sent to different hosts. Forward resolution must already be configured.

1. Edit the zone file:

   vim /var/named/westos.com.zone

   Add a second A record for www next to the existing one (the dig output from the secondary server below shows the pair 172.25.254.248 and 172.25.254.249) and increment the serial.

2. Restart named.

3. Query from the client twice. The first and second answers contain the same two addresses, but in rotated order.

   Caveat: round-robin DNS distributes queries, it does not check health. A server that is down keeps receiving its share of clients until its record is removed and cached answers expire, so keep the TTL of such records short.
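The three points above (relative names get the origin appended, the reverse-zone PTR mistake, and rotated answers for a name with several A records) are all consequences of how a zone file is read. The following is an added example, written for this page rather than taken from it or from BIND: a small zone-file reader that applies the origin rule the way named does. The two zone texts embedded in it are constructed samples; the forward one mirrors the westos.com.zone shown later on this page, and the reverse one deliberately omits the trailing dot so that it reproduces the tm.westos.com.254.25.172.in-addr.arpa. answer from the dig -x output.

```python
"""Minimal reader for BIND zone files: $TTL, $ORIGIN, '@', inherited owners,
( ... ) continuation lines and the relative-name rule.  Added example, not
code from the page or from BIND."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
NAME_TYPES = {"NS", "CNAME", "PTR"}      # record types whose rdata is one domain name


def parse_ttl(tok):
    """'86400', '1D', '1H30M' -> seconds."""
    total, num = 0, ""
    for ch in tok.lower():
        if ch.isdigit():
            num += ch
        elif ch in UNITS and num:
            total, num = total + int(num) * UNITS[ch], ""
        else:
            raise ValueError(f"bad TTL {tok!r}")
    return total + (int(num) if num else 0)


def fqdn(name, origin):
    """A name without a trailing dot is relative and $ORIGIN is appended;
    '@' is the origin itself; a name ending in a dot is kept as written."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Strip ';' comments and join '(' ... ')' continuations into one line."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def parse_zone(text, origin):
    """Return [(owner, ttl, type, rdata)] with every name fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, None, []
    for line in logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            default_ttl = parse_ttl(toks[1])
            continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]
            continue
        if not line[0].isspace():          # explicit owner; otherwise the previous one
            owner = fqdn(toks.pop(0), origin)
        ttl = default_ttl
        if re.fullmatch(r"\d+[smhdw]?", toks[0], re.I):
            ttl = parse_ttl(toks.pop(0))
        if toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype in NAME_TYPES:           # the origin rule applies to rdata names too
            rdata = [fqdn(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [fqdn(rdata[0], origin), fqdn(rdata[1], origin),
                     int(rdata[2])] + [parse_ttl(t) for t in rdata[3:]]
        records.append((owner, ttl, rtype, rdata))
    return records


def lookup(records, name, rtype):
    name = name if name.endswith(".") else name + "."
    return [r[3] for r in records if r[0].lower() == name.lower() and r[2] == rtype]


def round_robin(records, name, rtype, query_no):
    """Cyclic answer order (what rrset-order cyclic does): query n starts at record n."""
    rrs = lookup(records, name, rtype)
    if not rrs:
        return []
    k = query_no % len(rrs)
    return rrs[k:] + rrs[:k]


# Constructed samples, not copied from the server.  FORWARD_ZONE mirrors the
# page's westos.com.zone with two www records; REVERSE_ZONE has the PTR written
# without a trailing dot, the mistake the dig -x output on the page revealed.
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                2018050201      ; serial
                1D              ; refresh
                1H              ; retry
                1W              ; expire
                3H )            ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.177
www     A       172.25.254.201
www     A       172.25.254.202
bbs     A       172.25.254.148
"""
REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. ( 0 1D 1H 1W 3H )
        NS      dns.westos.com.
246     PTR     tm.westos.com
"""

if __name__ == "__main__":
    rev = parse_zone(REVERSE_ZONE, "254.25.172.in-addr.arpa")
    print(lookup(rev, "246.254.25.172.in-addr.arpa", "PTR"))   # the broken name
    fwd = parse_zone(FORWARD_ZONE, "westos.com")
    for n in range(3):
        print(n, round_robin(fwd, "www.westos.com", "A", n))
```

Running it prints the PTR value with the origin glued on, which is exactly what dig -x returned; adding the final dot to tm.westos.com in REVERSE_ZONE makes lookup return tm.westos.com. instead. The round_robin calls show the two www addresses swapping places from one query to the next.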
Primary and secondary (master/slave) DNS

Environment: primary DNS server 172.25.254.177, secondary DNS server 172.25.254.178, client 172.25.254.77. Both servers need bind installed and named running, with the firewall stopped (lab) or opened for DNS over TCP as well as UDP, because zone transfers use TCP.

Primary server

1. Edit /etc/named.rfc1912.zones on the primary:

   zone "westos.com" IN {
           type master;
           file "westos.com.zone";
           allow-update { none; };
           allow-transfer { 172.25.254.178; };    allow zone transfers (AXFR/IXFR) only to 178
           also-notify { 172.25.254.178; };       send NOTIFY to 178 whenever the zone changes
   };

   allow-transfer does more than enable replication. This version of BIND permits transfers to anyone unless they are restricted, and an unrestricted AXFR hands an attacker the complete host list of the zone in one query (dig @172.25.254.177 westos.com axfr). Restrict it on every primary; a source address can be spoofed, so for stronger protection sign transfers with a TSIG key (allow-transfer { key westos; };, with the key defined as in the TSIG section below).

2. Restart named.

Secondary server

1. Edit /etc/named.conf as in the caching setup (listen-on and allow-query).
2. Declare the zone in /etc/named.rfc1912.zones as a secondary copy: type slave, masters { 172.25.254.177; }, and a data file under the slaves/ directory (for example slaves/westos.com.zone), which is the directory named can write to.
3. Restart named. The initial transfer is logged in /var/log/messages.

Test 1

1. Point the client's resolver at the secondary (nameserver 172.25.254.178).
2. Query the name with dig:

   [root@foundation77 ~]# dig www.westos.com
   ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.westos.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40836
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.westos.com.                IN      A

   ;; ANSWER SECTION:
   www.westos.com.         86400   IN      A       172.25.254.248
   www.westos.com.         86400   IN      A       172.25.254.249

   ;; AUTHORITY SECTION:
   westos.com.             86400   IN      NS      dns.westos.com.

   ;; ADDITIONAL SECTION:
   dns.westos.com.         86400   IN      A       172.25.254.177

   ;; Query time: 0 msec
   ;; SERVER: 172.25.254.178#53(172.25.254.178)
   ;; WHEN: Thu May 03 00:37:22 CST 2018
   ;; MSG SIZE  rcvd: 109

   The secondary answers with the aa flag set: it serves its own copy of the zone.

Test 2

1. Edit the zone file on the primary and increment the serial. The serial is what drives replication: the secondary compares the primary's SOA serial with the one it holds and transfers the zone only when the primary's is newer, so an edit made without bumping the serial is never propagated, even though also-notify still sends the NOTIFY.

   vim /var/named/westos.com.zone
   $TTL 1D
   @       IN SOA  dns.westos.com. root.westos.com. (
                                           2018050201      ; serial
                                           1D              ; refresh
                                           1H              ; retry
                                           1W              ; expire
                                           3H )            ; minimum
           NS      dns.westos.com.
   dns     A       172.25.254.177
   www     A       172.25.254.201
   www     A       172.25.254.202
   bbs     A       172.25.254.148

2. Restart named on the primary.

3. On the client, the name now resolves to the addresses changed on the primary, served by the secondary:

   [root@foundation77 ~]# dig www.westos.com
   ; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> www.westos.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63539
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;www.westos.com.                IN      A

   ;; ANSWER SECTION:
   www.westos.com.         86400   IN      A       172.25.254.201
   www.westos.com.         86400   IN      A       172.25.254.202

   ;; AUTHORITY SECTION:
   westos.com.             86400   IN      NS      dns.westos.com.

   ;; ADDITIONAL SECTION:
   dns.westos.com.         86400   IN      A       172.25.254.177

   ;; Query time: 0 msec
   ;; SERVER: 172.25.254.178#53(172.25.254.178)
   ;; WHEN: Thu May 03 00:47:06 CST 2018
   ;; MSG SIZE  rcvd: 109
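"Newer" in the serial comparison is not ordinary integer comparison: the serial is a 32-bit counter that wraps, and RFC 1982 defines the comparison modulo 2^32. The following added example (written for this page, not taken from it or from BIND) implements that rule and a helper that produces the next YYYYMMDDnn serial, the convention this page's 2018050201 follows. The serial values in it are the page's own; the helper names are this example's.

```python
"""RFC 1982 serial-number arithmetic: the rule a secondary applies to the
primary's SOA serial before it pulls a zone transfer.  Added example."""
import datetime

MOD = 2 ** 32
HALF = 2 ** 31


def serial_gt(a, b):
    """True when serial a is 'later' than b.  Serials wrap at 2^32, so the
    comparison is modular: a is later if it is ahead of b by less than 2^31."""
    a, b = a % MOD, b % MOD
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def secondary_will_transfer(primary_serial, secondary_serial):
    """A NOTIFY or an expired refresh timer leads to an AXFR/IXFR only if the
    primary's serial is later than the copy the secondary already holds."""
    return serial_gt(primary_serial, secondary_serial)


def next_serial(current, ymd=None):
    """YYYYMMDDnn convention: today's date with a two-digit revision, always
    strictly later than the current serial, so several edits on one day keep
    counting up and a serial already 'in the future' is not reused.
    ymd is 'YYYYMMDD' (defaults to today)."""
    ymd = ymd or datetime.date.today().strftime("%Y%m%d")
    dated = int(ymd) * 100
    return max(dated, current + 1) % MOD


if __name__ == "__main__":
    # the page's primary went from 2018050201 to a file restored with serial 2:
    print(secondary_will_transfer(2, 2018050201))            # False: stale copy kept
    print(next_serial(2018050201, "20180503"))                # 2018050300
```

The second print explains a trap seen later on this page: after the zone file is restored from a backup and named rewrites it with serial 2, a secondary that already holds 2018050201 will never accept the "older" zone. The way out is to set the primary's serial above the secondary's, or to remove the secondary's copy so it transfers afresh.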
Split resolution (internal/external views)

Split resolution means that internal and external clients receive different answers for the same name. Restore all of named's configuration files before this experiment.

   internal clients (172.25.254.177)   www.westos.com -> 172.25.254.xxx
   external clients (any)              www.westos.com -> 192.168.254.xxx

1. Edit /etc/named.conf and add the views. Once a view is defined, every zone must live inside a view, so the top-level root hint zone and the includes are commented out and repeated inside each view:

   /*
   zone "." IN {
           type hint;
           file "named.ca";
   };

   include "/etc/named.rfc1912.zones";
   include "/etc/named.root.key";
   */
   view localnet {
           match-clients { 172.25.254.177; };
           zone "." IN {
                   type hint;
                   file "named.ca";
           };
           include "/etc/named.rfc1912.zones";
   };
   view Anynet {
           match-clients { any; };
           zone "." IN {
                   type hint;
                   file "named.ca";
           };
           include "/etc/named.rfc1912.inter";
   };

   Views are tried in the order written and the first match wins, so the internal view must come before the catch-all. As written, match-clients { 172.25.254.177; } matches only queries sent from the server itself; to serve the whole internal network use a prefix such as 172.25.254.0/24. match-clients decides on the source address of the query, which is not authentication: anyone who can send packets with an internal source address is shown the internal data, so do not rely on views alone to hide sensitive records.

2. Create the external zone list. Remove the DNS cluster settings from /etc/named.rfc1912.zones:

   allow-transfer { 172.25.254.178; };       delete
   also-notify { 172.25.254.178; };          delete

   then write the external file:

   vim /etc/named.rfc1912.inter
   zone "westos.com" IN {
           type master;
           file "westos.com.inter";
           allow-update { none; };
   };

3. Create the external zone file from the internal one and rewrite the addresses in bulk:

   [root@localhost named]# cp -p westos.com.zone westos.com.inter
   [root@localhost named]# vim westos.com.inter
   :%s/172.25/192.168/g                       every 172.25.254.xxx becomes 192.168.254.xxx

4. Test. Set nameserver on both an internal host and an external host to the DNS server. The internal host receives 172.25.254.xxx addresses and the external host 192.168.254.xxx; when both results match this, split resolution is configured correctly.
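To make the view-selection rules concrete, the following added example (this page's illustration, not BIND code) reproduces how named walks the view list: first view whose match-clients matches the client address wins, a leading "!" in an address-match list excludes an address, and the catch-all must come last. PAGE_VIEWS is the configuration from step 1; LAN_VIEWS is the same configuration with a prefix instead of the single address; the client addresses are made up for the demonstration.

```python
"""How named chooses a view for a query: views are tried in named.conf order
and the first whose match-clients list matches the source address wins.
Added example, not code from the page or from BIND."""
import ipaddress


def match_list(entries, ip):
    """BIND address_match_list: the first element that matches decides; a
    leading '!' negates the element; 'any' / 'none' are the usual keywords."""
    for entry in entries:
        negate = entry.startswith("!")
        pattern = entry.lstrip("!").strip()
        if pattern == "any":
            hit = True
        elif pattern == "none":
            hit = False
        elif pattern == "localhost":
            # approximation: BIND's localhost means every address of the server itself
            hit = ip.is_loopback
        else:
            hit = ip in ipaddress.ip_network(pattern, strict=False)   # 1.2.3.4 == 1.2.3.4/32
        if hit:
            return not negate
    return False


def select_view(views, client):
    """views: list of (name, match_clients) in the order they appear in named.conf."""
    ip = ipaddress.ip_address(client)
    for name, clients in views:
        if match_list(clients, ip):
            return name
    return None            # no view matched: named refuses the query


# The page's configuration: only the server's own address counts as internal.
PAGE_VIEWS = [("localnet", ["172.25.254.177"]), ("Anynet", ["any"])]
# A prefix covers the whole internal network.
LAN_VIEWS = [("localnet", ["172.25.254.0/24", "localhost"]), ("Anynet", ["any"])]
# The same two views in the wrong order: the catch-all swallows everything.
WRONG_ORDER = list(reversed(LAN_VIEWS))

if __name__ == "__main__":
    for client in ("172.25.254.177", "172.25.254.10", "192.168.0.5"):
        print(client, select_view(PAGE_VIEWS, client), select_view(LAN_VIEWS, client),
              select_view(WRONG_ORDER, client))
```

With PAGE_VIEWS, a host at 172.25.254.10 lands in Anynet and sees the 192.168.254.xxx addresses; only a query from 172.25.254.177 itself reaches localnet. With LAN_VIEWS the whole /24 is internal, and WRONG_ORDER shows that reordering the views silently disables the split.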
Dynamic DNS updates (authorised by source address)

Environment: remove the split-resolution configuration first.

1. Edit the zone in /etc/named.rfc1912.zones:

   zone "westos.com" IN {
           type master;
           file "westos.com.zone";
           allow-update { 172.25.254.178; };      allow host 172.25.254.178 to update the zone remotely
   };

   Authorising updates by IP address trusts the source address of the packet, which UDP lets anyone forge. It is acceptable in a closed lab only; the next section replaces it with a TSIG key.

2. Back up the zone file and give group write permission on /var/named. named runs as the user named, whose group owns /var/named, and it needs write access there to create the journal file (westos.com.zone.jnl) and later rewrite the zone file itself:

   [root@localhost ~]# cd /var/named/
   [root@localhost named]# cp -p westos.com.zone /mnt
   [root@localhost named]# chmod g+w /var/named/

3. Restart named.

4. Test from the client 172.25.254.178 with nsupdate, a dynamic DNS update tool that sends UPDATE requests to the server; it adds and deletes resource records in a zone without anyone editing the zone file by hand:

   [root@localhost ~]# nsupdate
   > server 172.25.254.177
   > update add hello.westos.com 86400 A 172.25.254.100     add a record
   > send
   > update delete bbs.westos.com                            delete every record for the name
   > send
   > quit

Result:

   [root@localhost ~]# dig bbs.westos.com
   ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> bbs.westos.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5523
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;bbs.westos.com.                IN      A

   ;; AUTHORITY SECTION:
   westos.com.             10800   IN      SOA     dns.westos.com. root.westos.com. 2 86400 3600 604800 10800

   ;; Query time: 0 msec
   ;; SERVER: 172.25.254.177#53(172.25.254.177)
   ;; WHEN: Thu May 03 12:45:09 EDT 2018
   ;; MSG SIZE  rcvd: 88

   bbs.westos.com no longer resolves (NXDOMAIN; the SOA in the authority section carries the 10800-second negative-caching TTL).

   [root@localhost ~]# dig hello.westos.com
   ; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> hello.westos.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50231
   ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

   ;; OPT PSEUDOSECTION:
   ; EDNS: version: 0, flags:; udp: 4096
   ;; QUESTION SECTION:
   ;hello.westos.com.              IN      A

   ;; ANSWER SECTION:
   hello.westos.com.       86400   IN      A       172.25.254.100

   ;; AUTHORITY SECTION:
   westos.com.             86400   IN      NS      dns.westos.com.

   ;; ADDITIONAL SECTION:
   dns.westos.com.         86400   IN      A       172.25.254.177

   The newly added hello.westos.com resolves. The zone file on the server has been rewritten by named (the updates are first recorded in the journal and then merged into the file; named also manages the serial from now on, which is why it reads 2 here. A secondary that still holds the earlier serial 2018050201 would regard this zone as older and not transfer it.)

   $ORIGIN .
   $TTL 86400      ; 1 day
   westos.com              IN SOA  dns.westos.com. root.westos.com. (
                                   2          ; serial
                                   86400      ; refresh (1 day)
                                   3600       ; retry (1 hour)
                                   604800     ; expire (1 week)
                                   10800      ; minimum (3 hours)
                                   )
                           NS      dns.westos.com.
   $ORIGIN westos.com.
   dns                     A       172.25.254.177
   hello                   A       172.25.254.100
   www                     A       172.25.254.201
   www                     A       172.25.254.202
Dynamic DNS updates with a TSIG key

Building on the previous experiment:

1. Generate the key:

   [root@localhost named]# rm -fr westos.com.zone*          remove the rewritten zone file and its journal
   [root@localhost named]# cp -p /mnt/westos.com.zone .     restore the backup
   [root@localhost named]# cd /mnt
   [root@localhost mnt]# ls
   westos.com.zone
   [root@localhost mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
   Kwestos.+157+14311

   -a selects the algorithm, -b the key length in bits and -n the key owner type (HOST for a TSIG key). Two files are written, Kwestos.+157+14311.key and Kwestos.+157+14311.private; the shared secret is the Key: line in the .private file. HMAC-MD5 is kept here because it is what this lab used; on current BIND generate the key with tsig-keygen -a hmac-sha256 westos instead, which prints a ready-to-include key statement. Whoever has the .private file can change the zone, so keep it mode 600 and do not leave copies in world-readable directories.

2. Create the key file from the rndc key file, which already has the right layout:

   [root@localhost mnt]# cp -p /etc/rndc.key /etc/westos.key
   [root@localhost mnt]# vim /etc/westos.key

   Set the key name to westos, the algorithm to hmac-md5 and the secret to the string from the .private file:

   key "westos" {
           algorithm hmac-md5;
           secret "8yt5zpZhgUhBH/Lw6J6o1A==";
   };

3. Edit the main configuration file, vim /etc/named.conf, and add include "/etc/westos.key";. Note: the position of this include is not arbitrary. It must come before include "/etc/named.rfc1912.zones";, because the zone statement that refers to key westos is parsed there and named rejects a reference to a key it has not yet seen.

4. Edit /etc/named.rfc1912.zones:

   zone "westos.com" IN {
           type master;
           file "westos.com.zone";
           allow-update { key westos; };          only updates signed with the key may change the zone
           allow-transfer { 172.25.254.178; };
           also-notify { 172.25.254.178; };
   };

5. Restart named:

   [root@localhost mnt]# systemctl restart named

6. Send the key to the client:

   [root@localhost mnt]# scp Kwestos.+157+14311* root@172.25.254.178:/mnt
   The authenticity of host '172.25.254.178 (172.25.254.178)' can't be established.
   ECDSA key fingerprint is eb:24:0e:07:96:26:b1:04:c2:37:0c:78:2d:bc:b0:08.
   Are you sure you want to continue connecting (yes/no)? yes
   Warning: Permanently added '172.25.254.178' (ECDSA) to the list of known hosts.
   root@172.25.254.178's password:
   Kwestos.+157+14311.key                        100%   50     0.1KB/s   00:00
   Kwestos.+157+14311.private                    100%  165     0.2KB/s   00:00

   The file being copied is the secret itself, so compare the ECDSA fingerprint with the one shown on 172.25.254.178 before answering yes; accepting an unknown host key blindly would let a host impersonating 178 collect the key.

7. Test on the client. The key file is passed with -k (nsupdate treats a bare file name argument as a file of update commands, not as a key):

   [root@localhost mnt]# nsupdate -k Kwestos.+157+14311.private
   > server 172.25.254.105
   > update add hehe.westos.com 86400 A 172.25.254.200
   > send
   > quit

   In this and the following experiment the DNS server is addressed as 172.25.254.105 rather than 172.25.254.177 as earlier. An unsigned update, or one signed with a different key, is now answered with REFUSED.
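What allow-update { key westos; } actually checks is a TSIG signature (RFC 8945): the client appends a TSIG record carrying an HMAC over the whole update message plus the key name, algorithm, timestamp and fudge, and the server recomputes the HMAC with the shared secret, rejecting the update with BADSIG if it differs and BADTIME if the timestamp is outside the fudge window. The following added example (written for this page; not code from BIND, nsupdate or the page) builds the same UPDATE that the nsupdate session above sends, signs it, and verifies it the way the server does. It uses the page's key name westos and the lab secret 8yt5zpZhgUhBH/Lw6J6o1A== from the dhcpd configuration further down; hmac-md5 is included because the lab used it, hmac-sha256 is the default because hmac-md5 should no longer be deployed. The message IDs and timestamps are made up.

```python
"""TSIG (RFC 8945) signing and verification of a DNS UPDATE, stdlib only.
Added example for this page, not code from BIND or nsupdate."""
import base64
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_SOA, TYPE_TSIG = 1, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
# wire algorithm names: hmac-md5 is what the lab used, hmac-sha256 is what to use now
ALGORITHMS = {"hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
              "hmac-sha256": ("hmac-sha256.", hashlib.sha256)}


def encode_name(name):
    """Wire-format name, lower-cased: the canonical form the MAC is computed over."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.lower().rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf, pos):
    labels = []
    while buf[pos]:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def key_bits(secret_b64):
    """Length of the shared secret; dnssec-keygen -b 128 gives 128."""
    return len(base64.b64decode(secret_b64)) * 8


def build_update(zone, owner, ttl, ipv4, msg_id):
    """Unsigned UPDATE (opcode 5): zone section plus one 'add A record' entry."""
    header = struct.pack("!HHHHHH", msg_id, 0x2800, 1, 0, 1, 0)   # ZO=1 PR=0 UP=1 AD=0
    zone_sec = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + zone_sec + rr


def tsig_vars(key_name, wire_alg, hi, lo, fudge, error=0, other_len=0):
    """RFC 8945 4.3.3: key name, class ANY, TTL 0, algorithm, time, fudge, error, other."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(wire_alg)
            + struct.pack("!HIHHH", hi, lo, fudge, error, other_len))


def tsig_sign(msg, key_name, secret_b64, algorithm="hmac-sha256", when=None, fudge=300):
    wire_alg, digestmod = ALGORITHMS[algorithm]
    when = int(time.time()) if when is None else when
    hi, lo = when >> 32, when & 0xFFFFFFFF                       # 48-bit time signed
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + tsig_vars(key_name, wire_alg, hi, lo, fudge), digestmod).digest()
    msg_id = struct.unpack("!H", msg[:2])[0]
    rdata = (encode_name(wire_alg) + struct.pack("!HIHH", hi, lo, fudge, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))                # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1              # TSIG is one more additional RR
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, key_name, secret_b64, algorithm="hmac-sha256", now=None):
    """Returns (ok, rcode name), mirroring the checks named makes before allow-update."""
    wire_alg, digestmod = ALGORITHMS[algorithm]
    now = int(time.time()) if now is None else now
    marker = encode_name(key_name) + struct.pack("!HHI", TYPE_TSIG, CLASS_ANY, 0)
    pos = signed.rfind(marker)         # a full parser walks every section; rfind suffices here
    if pos < 0:
        return False, "REFUSED"        # no TSIG for this key: policy refuses the update
    p = pos + len(marker) + 2          # skip RDLENGTH
    alg, p = decode_name(signed, p)
    if alg != wire_alg:
        return False, "BADKEY"
    hi, lo, fudge, mac_len = struct.unpack("!HIHH", signed[p:p + 10])
    p += 10
    mac = signed[p:p + mac_len]
    p += mac_len
    _orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    arcount = struct.unpack("!H", signed[10:12])[0] - 1           # message as it was when signed
    unsigned = signed[:10] + struct.pack("!H", arcount) + signed[12:pos]
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_vars(key_name, wire_alg, hi, lo, fudge, error, other_len),
                        digestmod).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - ((hi << 32) | lo)) > fudge:
        return False, "BADTIME"        # replayed or clock-skewed request
    return True, "NOERROR"


if __name__ == "__main__":
    SECRET = "8yt5zpZhgUhBH/Lw6J6o1A=="    # the lab's 128-bit secret from the page
    msg = build_update("westos.com", "hehe.westos.com", 86400, "172.25.254.200", 0x1234)
    signed = tsig_sign(msg, "westos", SECRET, "hmac-md5")
    print(key_bits(SECRET), tsig_verify(signed, "westos", SECRET, "hmac-md5"))
```

The BADTIME branch is why TSIG clients and servers need synchronised clocks: nsupdate's default fudge is 300 seconds, so a request signed more than five minutes ago, or replayed later by an attacker who captured it, is refused even though its MAC is valid.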
DHCP-driven dynamic DNS

Environment: key-based remote dynamic updates working (the previous experiment), plus the dhcp service.

1. On the server, restore the zone from the backup:

   [root@localhost named]# rm -fr westos.com.zone*
   [root@localhost named]# cp -p /mnt/westos.com.zone .
   [root@localhost named]# systemctl restart named

2. Install dhcp and write its configuration. The daemon reads /etc/dhcp/dhcpd.conf (the original text names the file dhcp.conf; dhcpd ignores a file of that name):

   [root@localhost ~]# yum install dhcp -y
   [root@localhost ~]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
   [root@localhost ~]# vim /etc/dhcp/dhcpd.conf
   option domain-name "westos.com";
   option domain-name-servers 172.25.254.105;
   ddns-update-style interim;
   subnet 172.25.254.0 netmask 255.255.255.0 {
           range 172.25.254.95 172.25.254.99;      addresses dhcpd hands out automatically
           option routers 172.25.254.105;
   }
   key westos {
           algorithm hmac-md5;
           secret 8yt5zpZhgUhBH/Lw6J6o1A==;       the same secret as in /etc/westos.key
   };
   zone westos.com. {
           primary 127.0.0.1;                      named runs on this host, so the loopback address suffices
           key westos;
   }

   This registers only A records; for PTR records add a second zone stanza for 254.25.172.in-addr.arpa. with the same key, and allow that zone's updates in named too. Because dhcpd.conf now holds the TSIG secret, keep it readable by root only.

3. Restart the services:

   [root@localhost ~]# systemctl restart named
   [root@localhost ~]# systemctl restart dhcpd
   [root@localhost ~]# systemctl stop firewalld.service     stop the firewall (or allow the dns and dhcp services)

4. Client test:

   <1> Configure the client to obtain its address by DHCP.
   <2> Once the server side is running, restart the client's network, check the address it was given, set the host name to a name under westos.com, and dig that name to see whether it resolves to the assigned address. The client must send its host name in the DHCP request (the dhclient option send host-name) for dhcpd to know which name to register.

   root@localhost ~]# hostnamectl set-hostname hehe.westos.com    change the host name

   <3> Change the address range handed out by the server and repeat <2>. If the result of dig for the host name follows the new address, the experiment succeeded: the address dig returns for the host name is the one the host obtained from DHCP.