DNS Server Setup (Basics)
程序员文章站
2022-03-24 19:57:46
Introduction
The Domain Name System (DNS) is a core Internet service. It is a distributed database that maps domain names and IP addresses to each other, so that people can reach the Internet by name instead of remembering the numeric IP strings that machines read directly.
The Domain Name System (DNS) is the system that solves the problem of naming machines on the Internet. Just as you need to know the way to a friend's house before visiting, a host on the Internet must first learn another host's address before it can reach it. A TCP/IP address consists of four numbers separated by ".", which is never as easy to remember as a name, so the domain name system was adopted to manage the mapping between names and IP addresses.
Source: Baidu Baike
Note: the root name servers worldwide are divided into 13 groups, lettered A to M. (Who knows what popular-science article I read back then that claimed there were only 13 root servers.)
In short, a name is always easier to remember than an ID number.
Building the service
Lab environment:
- CentOS-7-x86_64-DVD-1708
- win10
- VMware Workstation 15 Pro
Lab objective:
Learn to set up a simple DNS service
Install the bind package
BIND (Berkeley Internet Name Domain) is the most widely used, secure, reliable and efficient domain-name resolution software in the world.
[root@localhost ~]# yum install -y bind bind-utils # install the bind and bind-utils packages
[root@localhost ~]# rpm -qa | grep bind
bind-license-9.9.4-50.el7.noarch
bind-9.9.4-50.el7.x86_64
bind-libs-lite-9.9.4-50.el7.x86_64
bind-libs-9.9.4-50.el7.x86_64
bind-utils-9.9.4-50.el7.x86_64
[root@localhost ~]#
Configure the main configuration file
First, a few concepts:
DNS-related files on Linux
- /etc/resolv.conf: configures the DNS client (this file holds the domain search order and the DNS server IP addresses).
- /etc/hosts: static mapping between IP addresses and host names.
- /etc/nsswitch.conf: sets the order in which name resolution sources are consulted (the default order is hosts -> resolv.conf).
Forward and reverse resolution
- Forward resolution: resolving a domain name to an IP address.
- Reverse resolution: resolving an IP address to a domain name.
[root@localhost ~]# vim /etc/named.conf # edit the main configuration file
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
        listen-on port 53 { any; };   # listen address (every IP address on the server answers DNS queries)
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };     # who may query (any: everyone may send DNS queries to this server)
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;        # zone type (three kinds: hint (root zone), master (primary zone, the common case), slave (secondary zone))
        file "named.ca";  # zone data file
};
# forward zone
zone "test.com" IN {
        type master;
        file "test.com.zone";
};
# reverse zone (note the suffix: the network octets reversed, then in-addr.arpa)
zone "101.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.101.zone";
};
include "/etc/named.rfc1912.zones";   # zone definitions file (normally the forward and reverse zones go in here)
include "/etc/named.root.key";
"/etc/named.conf" 77L, 1870C written
[root@localhost ~]#
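The comment block in the file above makes the point that matters most for this lab: `recursion yes;` together with `allow-query { any; };` and no `allow-recursion` means the server recurses for anyone who can reach port 53, i.e. it is an open resolver. The Python below is an added example (not part of the original post and not BIND's own tooling) that pulls the relevant directives out of a named.conf `options` block and flags that combination. The two configuration strings are constructed from the options shown above; the 172.16.101.0/24 network in the hardened variant is assumed from the server's address on this page.

```python
import re

# Constructed sample (not the page's full file): the directives from the page's
# /etc/named.conf options block that decide whether recursion is open to everyone.
SAMPLE_NAMED_CONF = """
options {
        listen-on port 53 { any; };      # every interface
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query     { any; };        # anyone may query
        /* recursion on with no allow-recursion => open recursive resolver */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
zone "test.com" IN { type master; file "test.com.zone"; };
"""

# Constructed hardened variant: recursion is only offered to loopback and the lab
# network (172.16.101.0/24 is assumed from the server address on the page).
HARDENED_NAMED_CONF = SAMPLE_NAMED_CONF.replace(
    "recursion yes;",
    "recursion yes;\n        allow-recursion { 127.0.0.1; 172.16.101.0/24; };")

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* ... */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)

def extract_block(text, name):
    """Return the body of `name { ... }`, honouring nested braces such as { any; }."""
    start = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", text)
    if not start:
        return ""
    depth, body_start = 0, start.end()
    for i in range(body_start - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[body_start:i]
    raise ValueError("unbalanced braces in %s block" % name)

def directive(block, key):
    """Value of one directive, e.g. 'yes' or '{ any; }', or None if it is absent.
    The lookarounds stop 'allow-query' from matching inside 'allow-query-cache'."""
    pat = r"(?<![\w-])" + re.escape(key) + r"(?![\w-])\s*([^;{]*\{[^}]*\}|[^;{]*);"
    m = re.search(pat, block)
    return m.group(1).strip() if m else None

def acl_members(value):
    """Entries inside the braces of an address-match list: '{ any; }' -> ['any']."""
    inner = re.search(r"\{(.*)\}", value or "", flags=re.S)
    return re.findall(r"[^\s;]+", inner.group(1)) if inner else []

def audit(conf):
    """Return a list of findings for the options block (empty list = nothing flagged)."""
    opts = extract_block(strip_comments(conf), "options")
    findings = []
    recursion = (directive(opts, "recursion") or "yes").lower()   # BIND default is yes
    # BIND 9 picks the recursion ACL as: allow-recursion, else allow-query-cache,
    # else allow-query, else { localnets; localhost; }.
    effective = (directive(opts, "allow-recursion")
                 or directive(opts, "allow-query-cache")
                 or directive(opts, "allow-query")
                 or "{ localnets; localhost; }")
    if recursion == "yes" and "any" in acl_members(effective):
        findings.append("open resolver: recursion is offered to { any; }; "
                        "add allow-recursion { <your networks>; }")
    if "any" in acl_members(directive(opts, "listen-on")):
        findings.append("listen-on { any; }: named binds every interface, "
                        "so the firewall is the only thing limiting reach")
    if (directive(opts, "dnssec-validation") or "no").lower() not in ("yes", "auto"):
        findings.append("dnssec-validation is off")
    return findings

if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(label + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  -", finding)
```

The parser only understands the flat `key value;` and `key { list; };` shapes used in the options block, which is enough to audit the directives above; for anything more, `named-checkconf -p` prints the fully parsed configuration and is the authoritative check.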
Configure the forward and reverse zone files
Note: in the zone files below, every domain name should be written as an FQDN (Fully Qualified Domain Name, e.g. www.baidu.com. with the trailing dot) to avoid unnecessary trouble.
Forward zone file
[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# cp -p named.localhost test.com.zone # copy the template (-p carries the owner and permissions along)
[root@localhost named]# vim test.com.zone
$TTL 1D
; comments in a zone file start with ';' (a '#' here is a syntax error)
; @ stands for the name of the zone defined in named.conf (test.com.)
@       IN SOA  test.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      test.com.               ; NS: name server (leading blank reuses the @ owner)
test.com.       A       172.16.101.128  ; A record: maps a domain name to an IP address
www.test.com.   A       172.16.101.128
ftp.test.com.   A       172.16.101.129
"test.zone" 11L, 249C written
[root@localhost named]#
Reverse zone file
[root@localhost named]# cp -p test.com.zone 172.16.101.zone
[root@localhost named]# vim 172.16.101.zone
$TTL 1D
@       IN SOA  test.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      test.com.
; owner "128" is relative: named reads it as 128.101.16.172.in-addr.arpa.
128     PTR     test.com.               ; PTR record: maps an IP address to a domain name
128     PTR     www.test.com.
129     PTR     ftp.test.com.
"172.16.101.zone" 11L, 221C written
[root@localhost named]#
DNS test
[root@localhost named]# vim /etc/resolv.conf # add the DNS server
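Added example (not from the original post): a small Python parser for the two zone files above that applies the zone-file name rules (@ is the origin, a trailing dot makes a name absolute, anything else has the origin appended), derives the in-addr.arpa zone name from the network, and cross-checks every A record against the PTR records. The two zone texts are constructed copies of the files above using ';' comments; the script also shows what happens when the trailing dot that the note above insists on is left off a name.

```python
import ipaddress

# Constructed copies of the two zone files above (comments use ';', the only
# comment character a zone file accepts).
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  test.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      test.com.               ; owner inherited from the @ line above
test.com.       A       172.16.101.128
www.test.com.   A       172.16.101.128
ftp.test.com.   A       172.16.101.129
"""

REVERSE_ZONE = """\
$TTL 1D
@       IN SOA  test.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      test.com.
128     PTR     test.com.
128     PTR     www.test.com.
129     PTR     ftp.test.com.
"""

def reverse_zone_name(network):
    """'172.16.101.0/24' -> '101.16.172.in-addr.arpa', the zone name used in named.conf."""
    net = ipaddress.ip_network(network, strict=False)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def fqdn(name, origin):
    """Zone-file name rules: '@' is the origin, a trailing dot is absolute, anything else
    gets the origin appended (this is what bites when the trailing dot is forgotten)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def parse_zone(text, origin):
    """Parse the zone-file subset used above into (owner, type, rdata) tuples: ';' comments,
    $-directives, a parenthesised multi-line SOA (its timers are skipped), and owner
    inheritance when a line starts with whitespace."""
    records, owner, in_parens = [], origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not line.strip():
            continue
        if in_parens:                          # still inside the SOA ( ... )
            in_parens = ")" not in line
            continue
        if line.startswith("$"):
            continue
        if line[0].isspace():                  # leading blank: reuse the previous owner
            fields = line.split()
        else:                                  # a name in column 1 sets the owner
            owner_token, rest = line.split(None, 1)
            owner, fields = fqdn(owner_token, origin), rest.split()
        if fields[0] in ("IN", "CH", "HS"):    # the class is optional after the first record
            fields = fields[1:]
        if "(" in fields:
            in_parens = ")" not in fields
            fields = [t for t in fields if t not in ("(", ")")]
        records.append((owner, fields[0], fields[1:]))
    return records

def ptr_name(ip):
    """'172.16.101.129' -> '129.101.16.172.in-addr.arpa.' (the owner of its PTR record)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def lint(text):
    """Flag the mistake the note above warns about: a dotted name written without the
    trailing dot (e.g. 'www.test.com') is still relative and becomes www.test.com.<origin>.
    Single labels such as '128' or 'www' are ordinary relative names and are not flagged."""
    hits = []
    for raw in text.splitlines():
        for tok in raw.split(";", 1)[0].split():
            if "." in tok and not tok.endswith(".") and not tok[0].isdigit():
                hits.append(tok)
    return hits

def cross_check(forward, reverse):
    """Every A record should have a PTR with the same name, and every PTR an A record."""
    a_set = {(owner, rdata[0]) for owner, rtype, rdata in forward if rtype == "A"}
    ptr_set = {(rdata[0], owner) for owner, rtype, rdata in reverse if rtype == "PTR"}
    problems = [f"no PTR for {name} -> {ip}" for name, ip in a_set
                if (name, ptr_name(ip)) not in ptr_set]
    problems += [f"PTR {ptr_owner} -> {name} has no matching A record"
                 for name, ptr_owner in ptr_set
                 if not any(n == name and ptr_name(ip) == ptr_owner for n, ip in a_set)]
    return problems

if __name__ == "__main__":
    origin = "test.com."
    rev_origin = reverse_zone_name("172.16.101.0/24") + "."
    fwd, rev = parse_zone(FORWARD_ZONE, origin), parse_zone(REVERSE_ZONE, rev_origin)
    print("reverse zone:", rev_origin)
    print("suspicious relative names:", lint(FORWARD_ZONE) + lint(REVERSE_ZONE))
    print("A/PTR mismatches:", cross_check(fwd, rev) or "none")
```

On the lab server itself, `named-checkzone test.com /var/named/test.com.zone` performs the real syntax check; the parser here exists to make the relative-name rule visible, since named accepts `www.test.com` without the dot and silently serves `www.test.com.test.com.` instead.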
# Generated by NetworkManager
search localdomain
nameserver 172.16.101.128
nameserver 172.16.101.2
nameserver 192.168.101.1
"/etc/resolv.conf" 5L, 124C written
[root@localhost named]# setenforce 0 # set SELinux to permissive mode
[root@localhost named]# firewall-cmd --permanent --add-service=dns # allow the dns service through the firewall
success
[root@localhost named]# firewall-cmd --reload
success
[root@localhost named]# systemctl start named # start the service
[root@localhost named]# dig www.test.com # forward lookup test with dig
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 172.16.101.128
;; AUTHORITY SECTION:
test.com. 86400 IN NS test.com.
;; ADDITIONAL SECTION:
test.com. 86400 IN A 172.16.101.128
;; Query time: 0 msec
;; SERVER: 172.16.101.128#53(172.16.101.128)
;; WHEN: Fri Feb 07 09:27:21 EST 2020
;; MSG SIZE rcvd: 87
[root@localhost named]# dig -x 172.16.101.129 # reverse lookup test
; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 172.16.101.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62936
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;129.101.16.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
129.101.16.172.in-addr.arpa. 86400 IN PTR ftp.test.com.
;; AUTHORITY SECTION:
101.16.172.in-addr.arpa. 86400 IN NS test.com.
;; ADDITIONAL SECTION:
test.com. 86400 IN A 172.16.101.128
;; Query time: 0 msec
;; SERVER: 172.16.101.128#53(172.16.101.128)
;; WHEN: Fri Feb 07 09:27:30 EST 2020
;; MSG SIZE rcvd: 112
[root@localhost named]#
Note: that completes a simple DNS server.
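What dig prints is a decoded DNS message. As an added example (not from the original post), the Python below builds the same A and PTR queries in wire format, parses a reply, and reports the header flags the way dig does. The sample reply is constructed by hand to mirror the page's answer for www.test.com (172.16.101.128 is the page's server address); `query_server` sends a real UDP query and is only needed when you run the script against the lab server. Reading the flags line is the useful habit: `aa` means the answer came from our own zone, and `ra` means the server is willing to recurse for this client, which the `allow-query { any; }` in named.conf extends to every client unless `allow-recursion` narrows it.

```python
import os
import socket
import struct

TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR"}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))

def encode_name(name):
    """'www.test.com.' -> length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234, rd=True):
    """12-byte header plus one question, the same shape dig sends (minus its EDNS OPT record)."""
    flags = 0x0100 if rd else 0                       # RD: ask the server to recurse
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a name that may use RFC 1035 compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:                   # pointer: 14-bit offset into the message
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Decode header flags, rcode and the four sections into the shape dig prints."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "flags": [f for f, bit in FLAG_BITS if flags & bit],
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        info["question"].append((name, TYPES.get(qtype, qtype)))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:
                value = ".".join(str(b) for b in msg[off:off + 4])
            elif rtype in (2, 5, 12):                 # NS, CNAME, PTR carry a (compressible) name
                value, _ = read_name(msg, off)
            else:
                value = msg[off:off + rdlen].hex()
            off += rdlen
            info[section].append((name, ttl, TYPES.get(rtype, rtype), value))
    return info

def build_sample_response(txid=0x1234):
    """Constructed reply mirroring the page's dig output for www.test.com:
    flags qr aa rd ra, one answer, one NS in authority, the NS glue in additional."""
    flags = 0x8000 | 0x0400 | 0x0100 | 0x0080         # qr aa rd ra, rcode 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 1, 1, 1)
    msg += encode_name("www.test.com.") + struct.pack("!HH", 1, 1)   # question starts at offset 12
    www = struct.pack("!H", 0xC000 | 12)              # pointer to "www.test.com." in the question
    test_com = struct.pack("!H", 0xC000 | 16)         # pointer to the "test.com." suffix inside it
    addr = bytes([172, 16, 101, 128])
    msg += www + struct.pack("!HHIH", 1, 1, 86400, 4) + addr            # answer: A
    msg += test_com + struct.pack("!HHIH", 2, 1, 86400, 2) + test_com   # authority: NS test.com.
    msg += test_com + struct.pack("!HHIH", 1, 1, 86400, 4) + addr       # additional: glue A
    return msg

def query_server(server, name, qtype=1, port=53, timeout=3.0):
    """Send one UDP query to a real server (e.g. the lab's 172.16.101.128) and parse the reply.
    The transaction id is random and verified on the way back, so a stray reply is rejected."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, txid=txid), (server, port))
        data, _ = s.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != txid:
        raise ValueError("reply transaction id does not match the query")
    return reply

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:     # e.g. python3 <this file> 172.16.101.128 www.test.com
        print(query_server(sys.argv[1], sys.argv[2]))
    else:
        print(parse_response(build_sample_response()))
```

Run without arguments it decodes the constructed reply; with a server address and a name it queries the lab server over UDP, which is the same exchange `dig www.test.com` performs. Pass qtype 12 and the `129.101.16.172.in-addr.arpa.` name to reproduce `dig -x 172.16.101.129`.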
Troubleshooting
While setting this up, take care not to misspell the file names. Also, when copying the template, remember to carry the permissions over with it.