author:JevonWei
版权声明:原创作品修改/var/named/下的数据库文件的数据时,需手动修改serial序列号
UDP协议53端口用于用户DNS查询,TCP协议53端口用于主从DNS传输及同步数据库数据
DNS配置文件
/etc/named.conf \\主配置文件/etc/named.rfc1912.zones \\指明DNS的数据库对应文件/var/named/ \\DNS的数据库文件 /var/named/slaves/ \\从DNS的数据库文件
/etc/named.conf配置文件的设置
listen-on port 53 { localhost; }; \监听所有端口,或指定监听某个IP,eg{192.168.198.199;192.168.198.130;}; 仅监听这两个IP的53端口
allow-query { any; }; \允许所有主机查询此DNS服务器 allow-transfer { 192.168.198.11;}; \仅允许192.168.198.11获取主DNS的数据库数据,在主DNS中设置 allow-transfer { none;}; \不允许任何人截取DNS数据库数据 recursion yes; 允许递归查询 allow-update {any;} \是否允许动态更新 dnssec-enable no; \与安全相关,创建子域和DNS转发时需设置为no dnssec-validation no;\与安全相关,创建子域时和DNS转发需设置为noforward first|only; \only只转发,不查找;first先转发,再去根上查找
forwarders {192.168.198.134;}; \指向转发的IP主DNS
安装bind软件包
yum -y install bind systemctl start named systemctl enable named setenforce 0 firewall-cmd --add-service=rpc-bind --permanent firewall-cmd --reload iptables -F修改/etc/named.conf文件
vim /etc/named.conf options { listen-on port 53 { localhost; }; \\ 允许主机上的所有IP监听53号端口 allow-query { any; }; \\允许所有主机查询此DNS服务器 allow-transfer { 192.168.198.11;}; \\仅允许192.168.198.11获取主DNS的数据库数据,在主DNS中设置vim /etc/named.rfc1912.zones
正向解析
zone "danran.com" IN { \danran.com为域名 type master; \域的类型为主DNS file "danran.zone"; \对应的区域数据库文件 allow-update { none; }; \DNS数据库不更新 }; 反向解析 zone "198.168.192.in-addr.arpa" IN { \域名danran的IP网段192.168.198反向记录 type master; \类型为主DNS file "IP.danran.zone"; \DNS反向解析的数据库文件 allow-update { none; }; \不更新 };新建DNS数据库文件
正向解析文件
cp -p /var/named/named.localhost /var/named/danran.zone \复制数据库模板文件为danran.zone,danran.zone数据库文件在/etc/named.rfc1912.zones中已定义 vim /var/named/danran.zone $TTL 1D \生命缓存期1天,全局继承 @ IN SOA ns1.danran.com. dnsadmin.danran.com. ( \第一个@代表当前域即danran.com,SOA为起始授权记录,ns1.danran.com为DNS服务器,dnsadmin.danran.com.为邮箱服务器,注意主机名后必须有.,否则还将再次补全域名danran.con,即ns1.danran.com.danran.com 0 ;serial \序列号,自定义,手动刷新调整,只能增大不能减小 1D ;refresh \刷新时间 1H ;retry \重试时间 1W ;expire \过期时间 3H );minimum \否定答案的TTL值 NS ns1 \ns1为解析服务器,省略域名,自动补全域名 NS ns2 \指定从DNS服务器 ns1 A 192.168.198.134 \ns1主机为本机,则ns1 解析为本机IP192.168.198.134 ns2 A 192.168.198.131 \ns2DNS服务器解析为192.168.198.11dan A 192.168.198.40 \\dan.danran.com解析为IP192.168.198.40 websrv A 192.168.198.50 \\websrv服务对应两个主机IP,即可实现负载均衡的目的 websrv A 192.168.198.51 ftpsrv A 192.168.198.52 www CNAME websrv \\省略域名自动补全域名 ftp CNAME \\CNAME为别名记录 ftpsrv.danran.com. \\不省略域名,则主机名后必须加. @ MX 10 mailsrv1 \\@代表danran.com.域名,MX为邮件的记录标识,10为邮件服务器的优先级,数字越大,代表优先级越高 danran.com. MX 20 mailsrv2 \\danran.com.为域名,也用@替代,MX为邮件的记录标识,10为邮件服务器的优先级,数字越大,代表优先级越高 mailsrv1 A 192.168.198.60 mailsrv2 A 192.168.198.61 @ A 192.168.198.70 \\直接访问danran.com域名的主机将IP解析为192.168.198.70 $GENERATE 1-4 server$ A 192.168.198.$ \\表示server1-server10解析的IP地址为192.168.198.1-192.168.198.10 * A 192.168.198.80 \\将未定义的主机名解析为192.168.198.80
反向解析文件
cp -p /var/named/named.loopback IP.danran.zone \复制反向解析文件的模板并命名为IP.danran.zone,同/etc/named.rfc1912.zones文件中记录的反向解析文件名一致 vim /var/named/IP.danran.zone $TTL 1D @ IN SOA ns1.danran.com. admin.danran.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ); minimum NS @A 192.168.198.134 134 PTR ns1.danran.com. 131 PTR ns2.danran.com. 50 PTR websrv.danran.com. 51 PTR websrv.danran.com. 52 PTR ftpsrv.danran.com. 60 PTR mailsrv1.danran.com. 61 PTR mailsrv2.danran.com. 100 PTR test.com
named-checkconf \检查named.conf配置文件的语法 named-checkzone "danran.com" /var/named/danran.zone \检查/var/named/danran.zone区域数据库文件的语法错误 rndc reload\systemctl restart named \重新加载配置文件或重启服务
客户端访问测试
dig www.danran.com @192.168.198.134 \指定192.168.198.134DNS服务器,解析www.danran.com
host www.danran.com 192.168.198.134 \指定192.168.198.134DNS服务器,解析www.danran.comnslookup
[root@danran ~]# nslookup > server 192.168.198.134 Default server: 192.168.198.134 Address: 192.168.198.134#53 > www.danran.com Server: 192.168.198.134 Address: 192.168.198.134#53www.danran.com canonical name = websrv.danran.com. Name: websrv.danran.com Address: 1.1.1.1 Name: websrv.danran.com Address: 3.3.3.3
dig -t MX danran.com @192.168.198.134 \访问测试mail服务解析
dig -t NS danran.com @192.168.198.134 \查询NS解析服务器IP
dig server1.danran.com
辅DNS (Centos 6)
安装bind程序包
yum -y install bind chkconfig named on service named start iptables -F setenforce 0vim /etc/named.conf
options { listen-on port 53 { localhost; }; \允许本机的所有地址监听53号端口 allow-query { any; }; \允许所有设备查此DNS服务 allow-transfer { none;}; \不允许任何人截取DNS数据库数据vim /etc/named.rfc1912.zones
从DNS的正向解析文件记录 zone "danran.com" IN { type slave; \DNS类型为从属DNS masters { 192.168.198.134;}; \主DNS为192.168.198.134 file "slaves/danran.slave"; \从DNS的数据库文件为slaves/danran.slave }; 从DNS的反向解析文件记录 zone "198.168.192.in-addr.arpa" IN { type slave; \DNS类型为从属DNS masters { 192.168.198.134; }; \主DNS为192.168.198.134 file "slaves/IP.danran.slave"; \从DNS的数据库文件为slaves/danran.slave };加载配置文件或重启服务生效
rndc reload service named restart 加载named的配置文件,即/var/named/slaves/danran.slave和/var/named/slaves/IP.danran.slave数据库文件自动与主DNS192.168.198.134同步客户端访问测试
dig www.danran.com @192.168.198.11
转发DNS
安装bind
yum -y install bind chkconfig named on service named start iptables -F setenforce 0
全局转发
- vim /etc/named.conf options { listen-on port 53 { localhost; }; allow-query { any; }; forward first|only; \only只转发,不查找;first先转发,再去根上查找 forwarders {192.168.198.134;}; \转发到192.168.198.134上 dnssec-enable no; dnssec-validation no;
- rndc reload
- 访问测试 dig www.danran.com @192.168.198.11
局部转发(仅转发danran.com域)
vim /etc/named.conf
options { listen-on port 53 { localhost; }; allow-query { any; };vim /etc/named.rfc1912.zones
zone "danran.com" IN { type forward; forward only; forwarders {192.168.198.134;}; };- rndc reload
客户端访问测试
dig www.danran.com @192.168.198.11子域
子域同父域在同一个服务器上
新建子域jevon.danran.com
vim /etc/named.rfc1912.zones
zone "jevon.danran.com" IN {
type master; file "jevon.danran.zone"; allow-update { none; }; };编辑jevon.danran.com域的数据库文件
编辑正向解析文件
cp -p /var/named/danran.zone /var/named/jevon.danran.zone \带权限复制数据库文件 vim /var/named/jevon.danran.zone $TTL 1D @ IN SOA ns1.jevon.danaran.com. dnsadmin.jevon.danran.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.jevon.danran.com. NS ns2ns1 A 192.168.198.134 ns2 A 192.168.198.11 websrv A 192.168.198.51 ftpsrv A 192.168.198.52 www CNAME websrv
编辑反向解析文件
cp -p /var/named/IP.danran.zone /var/named/IP.jevon.danran.zone vim /var/named/IP.jevon.danran.zone $TTL 1D @ IN SOA ns1.jevon.danran.com. admin.jevon.danran.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @A 192.168.198.134 134 PTR ns1.jevon.danran.com. 131 PTR ns2.jevon.danran.com. 51 PTR websrv.jevon.danran.com. 52 PTR ftpsrv.jevon.danran.com.
- 加载配置文件 rndc reload
访问测试
dig www.jevon.danran.com @192.168.198.134
子域同父域不在同一台服务器上
新建子域zijie.danran.com
在主DNS上
vim /etc/named.conf
options { listen-on port 53 { localhost; }; \ 允许主机上的所有IP监听53号端口 allow-query { any; }; \允许所有主机查询此DNS服务器 dnssec-enable no; \与安全相关,设置为no dnssec-validation no; \与安全相关,设置为novim /var/named/danran.zone
$TTL 1D @ IN SOA ns1.danran.com. dnsadmin.danran.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.danran.com.zijie NS ns3
ns3 A 192.168.198.11 ns1 A 192.168.198.134dan A 192.168.198.40
websrv A 192.168.198.51
ftpsrv A 192.168.198.52 www CNAME websrv
3. rndc reload
子域服务端
vim /etc/named.rfc1912.zones
zone "zijie.danran.com" IN { type master; file "zijie.danran.zone"; };vim /var/named/zijie.danran.zone
@ IN SOA ns1.zijie.danran.com. dnsadmin ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1ns1 A 192.168.198.11
dan A 192.168.198.140
websrv A 192.168.198.151 ftpsrv A 192.168.198.152 www CNAME websrvvim /var/named/zijie.IP.danran.zone
$TTL 1D @ IN SOA ns1 admin ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @A 192.168.198.11
11 PTR ns1
150 PTR websrv
151 PTR websrv 152 PTR ftpsrv110 PTR test.com
rndc reload //加载配置文件
客户端访问测试
dig www.zijie.danran.com @192.168.198.134
view
从不同源地址发出的请求,返回不同的查询结果
主DNS服务器
创建不同地区的数据库
vim /var/named/danran.zone.bj $TTL 1D @ IN SOA ns1 dnsadmin ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1ns1 A 192.168.198.134 websrv A 192.168.198.51 www CNAME websrv
vim /var/named/danran.zone.bj
$TTL 1D @ IN SOA ns1 dnsadmin.danran.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1.danran.com.ns1 A 192.168.198.134 websrv A 192.168.198.251 www CNAME websrv
vim /var/named/danran.zone
@ IN SOA ns1 dnsadmin ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1ns1 A 192.168.198.134
websrv A 192.168.198.60 www CNAME websrv编辑配置文件
vim /etc/named.conf acl beijing { 192.168.198.11; 192.168.10.0/24; }; \beijing的IP访问 acl zhengzhou {192.168.198.131;};\zhengzhou的IP访问 acl other {any;};options { listen-on port 53 { any; }; allow-query { any; }; view beijingview { match-clients {beijing;}; \\同acl beijing {192.168.198.11;};中的北京一致 include "/etc/named.beijingview.zones"; }; view zhengzhouview { match-clients {zhengzhou;}; \\同acl zhengzhou {192.168.198.131;};中的zhengzhou一致 include "/etc/named.zhengzhou.zones"; }; view otherview { match {other;}; \\acl other {any;};的客户端 include "/etc/named.rfc1912.zones"; };- vim /etc/named.rfc1912.zones zone "." IN { type hint file "named.ca"; }; zone "danran.com" IN { type master; file "danran.zone"; };
- cat /etc/named.beijingview.zones \编辑beijing地区的区域配置文件,同/etc/named.conf记录一致 zone "danran.com" IN { type master; file "danran.zone.bj"; };
- vim /etc/named.zhengzhouview.zones\编辑zhengzhou的区域配置文件 zone "danran.com" IN { type master; file "danran.zone.zz"; };
rndc reload
动态更新
远程动态更新时,不会修改原有的数据库文件,而是生成一个/var/named/danran.zone.jnl文件
主DNS服务器上:
vim /etc/named.conf 添加 allow-update {any;}; chmod 770 /var/named \/var/named添加w权限 setsebool -P named_write_zones on客户端
[root@danran ~]# nsupdate
server 192.168.198.134
zone danran.com update add jevon.danran.com 4000 IN A 3.3.3.3 \添加jevon.danran.com 4000 IN A 3.3.3.3记录到danrna.com域中 send update delete mailsrv1 A \删除danran.com域中的mailsrv1的DNS解析记录数据 send软件包bind-chroot
将DNS文件的/目录迁移到/var/named/chroot下
yum -y install bind-chroot
systemctl start named-chroot systemctl enable named-chroot ls /var/named/chroot ll /var/named/chroot/etc/named.conf /etc/named.conf -rw-r-----. 1 root named 1728 Jul 26 16:32 /etc/named.conf -rw-r-----. 1 root named 1728 Jul 26 16:32 /var/named/chroot/etc/named.conf mount | tail -n 10 \查看挂载信息可知, bind-chroot软件包是将通过挂载达到的切换根的目的 cat /usr/libexec/setup-named-chroot.sh \挂载操作是通过/usr/libexec/setup-named-chroot.sh脚本实现的挂载,从而将named的根目录切换到/var/named/chroot下
DNS的相关介绍点击链接
http://119.23.52.191/dns%e6%9c%8d%e5%8a%a1/