RHCE DNS
- DNS
- 1.1 Introduction to DNS
- 1.2 Installing bind and the configuration file
- 1.3 Forward zone file template
- 1.4 Reverse zone file template
- 1.5 Forwarding server lab
- 1.6 Resolving a web server lab
- 1.7 Zone transfer
DNS
1.1 Introduction to DNS
1.2 Installing bind and the configuration file
[root@localhost ~]# ll /mnt
total 0
drwxr-xr-x. 2 root root 6 Oct 13 20:09 hgfs
[root@localhost ~]# mount /dev/sr0 /mnt
mount: /mnt: WARNING: source write-protected, mounted read-only.
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ll
total 8
-rw-r--r--. 1 root root 358 Oct 13 21:17 redhat.repo
-rw-r--r--. 1 root root 184 Oct 19 21:26 wangluo.repo
[root@localhost yum.repos.d]# cd -
/root
[root@localhost ~]# dnf install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
...
...
python3-bind-32:9.16.23-14.el9_3.noarch python3-ply-3.11-14.el9.noarch
Complete!
[root@localhost ~]# ll /etc/named.conf
-rw-r-----. 1 root named 1722 Sep 20 2023 /etc/named.conf
# Walkthrough of the configuration file
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; };
    directory "/var/named";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
};

zone "haha.com" IN {
    type master;
    file "named.haha";
};
[root@localhost ~]# cd /var/named/
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named 6 Sep 20 2023 data
drwxrwx---. 2 named named 6 Sep 20 2023 dynamic
-rw-r-----. 1 root named 2253 Sep 20 2023 named.ca
-rw-r-----. 1 root named 152 Sep 20 2023 named.empty
-rw-r-----. 1 root named 152 Sep 20 2023 named.localhost
-rw-r-----. 1 root named 168 Sep 20 2023 named.loopback
drwxrwx---. 2 named named 6 Sep 20 2023 slaves
[root@localhost named]# vim named.haha
[root@localhost named]# cat named.haha
$TTL 1D
@       IN SOA  @ admin.haha.com. (
                0       ; serial
                1       ; refresh
                1       ; retry
                1       ; expire
                1 )     ; minimum (negative-caching TTL)
        IN NS   ns.haha.com.
        IN MX   10 mail.haha.com.
ns IN A 2.2.2.131
mail IN A 2.2.2.131
www IN A 2.2.2.131
news IN A 2.2.2.131
ww IN CNAME www.haha.com.
[root@localhost named]# systemctl start nginx
[root@localhost named]# firewall-cmd --permanent --add-service=dns
success
[root@localhost named]# firewall-cmd --reload
success
[root@localhost named]# dig -t NS haha.com @2.2.2.131

; <<>> DiG 9.16.23-RH <<>> -t NS haha.com @2.2.2.131
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@localhost named]# dig -t MX haha.com @2.2.2.131
[root@localhost named]# dig -t A www.haha.com @2.2.2.131
[root@localhost named]# dig -t A news.haha.com @2.2.2.131
[root@localhost named]# dig -t A CNAME ww.haha.com @2.2.2.131
1.3 Forward zone file template
Serial:
Format yyyymmddnn, where nn is the number of the change made on that day. A secondary name server compares this serial number to decide whether it needs to load a new copy of the zone data.
Refresh:
Tells the zone's secondary servers how often to check whether the zone data is still current, in seconds. Refresh values range from 1200 to 43200 seconds.
Retry:
If a secondary name server cannot reach the primary once the refresh interval has passed, it retries the connection at this interval. It is usually shorter than the refresh time, but does not have to be. The default is 1800 seconds; it may range from 180 to 2419200 seconds.
Expire:
If the secondary still cannot contact the primary within the expire time, it treats its copy of the zone as expired and stops answering queries for the zone, because the data is too old to be trusted. Set this much longer than refresh and retry; a value measured in weeks is reasonable. The default expire time is 1,209,600 seconds.
Negative-caching TTL (minimum):
TTL stands for Time-to-Live, the period for which a packet or a piece of data remains valid. Other servers use this value to decide how long to keep the data in their caches. The default is 3600 seconds (1 hour).
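The timer rules above are easy to get wrong in a hand-written SOA (the lab's own first zone used placeholder values of 0 and 1). The following is an added example, not code from the original notes: it parses the SOA record out of zone-file text, checks the fields against the ranges quoted in this section, and produces the next yyyymmddnn serial. The two zone texts are constructed copies of the lab's zones, with the SOA timers written out on separate lines.

```python
"""Check the SOA timers of a BIND zone file against the ranges quoted above.

Added example; it is not part of the original lab notes. The zone texts are
constructed copies of the lab's zones, and `check_soa` applies the rules from
section 1.3 (yyyymmddnn serial, refresh 1200-43200 s, retry 180-2419200 s,
expire much longer than refresh + retry). `bump_serial` produces the next
yyyymmddnn value.
"""
import re
from dataclasses import dataclass
from datetime import date

# Constructed sample: the lab's named.baidu.com with sensible SOA timers.
ZONE_TEXT = """\
$TTL 1D
@       IN SOA  @ admin.baidu.com. (
                2024110301  ; serial, yyyymmddnn
                3600        ; refresh
                900         ; retry
                1209600     ; expire
                3600 )      ; negative-caching TTL
        IN NS   ns.baidu.com.
        IN MX   10 mail.baidu.com.
ns      IN A    2.2.2.129
www     IN A    2.2.2.129
ftp     IN CNAME www
"""

# Constructed sample mirroring the lab's first attempt: placeholder timers and
# a comma typo in the contact address.
LAB_ZONE_TEXT = """\
$TTL 1D
@   IN SOA @ admin.haha,com, ( 0 1 1 1 1 )
    IN NS ns.haha.com.
ns  IN A  2.2.2.131
"""

UNIT_SECONDS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def ttl_to_seconds(value: str) -> int:
    """Convert a BIND time literal (1D, 3H, 1209600, 1W2D) to seconds."""
    return sum(int(n) * UNIT_SECONDS[u.upper()]
               for n, u in re.findall(r"(\d+)([SMHDWsmhdw]?)", value))


@dataclass
class Soa:
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int


def parse_soa(zone_text: str) -> Soa:
    """Pull the seven SOA fields out of a zone file, ignoring comments and layout."""
    tokens = []
    for line in zone_text.splitlines():
        code = line.split(";", 1)[0]                      # drop ';' comments
        tokens.extend(code.replace("(", " ").replace(")", " ").split())
    i = tokens.index("SOA")
    mname, rname = tokens[i + 1], tokens[i + 2]
    serial, *timers = tokens[i + 3:i + 8]
    return Soa(mname, rname, int(serial), *(ttl_to_seconds(t) for t in timers))


def check_soa(soa: Soa) -> list:
    """Return a list of problems; an empty list means the SOA follows the guidance."""
    problems = []
    if not re.fullmatch(r"\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", str(soa.serial)):
        problems.append(f"serial {soa.serial} is not in yyyymmddnn form")
    if not 1200 <= soa.refresh <= 43200:
        problems.append(f"refresh {soa.refresh}s is outside 1200-43200")
    if not 180 <= soa.retry <= 2419200:
        problems.append(f"retry {soa.retry}s is outside 180-2419200")
    if soa.retry >= soa.refresh:
        problems.append("retry is not shorter than refresh")
    if soa.expire <= soa.refresh + soa.retry:
        problems.append(f"expire {soa.expire}s is not much longer than refresh + retry")
    if not re.fullmatch(r"[A-Za-z0-9._-]+\.", soa.rname):
        problems.append(f"RNAME {soa.rname!r} is not a fully qualified name")
    return problems


def bump_serial(serial: int, today: date) -> int:
    """Next yyyymmddnn serial: increment nn on the same day, else start today at 01."""
    day_part = int(today.strftime("%Y%m%d"))
    if serial // 100 == day_part:
        return serial + 1
    return day_part * 100 + 1


if __name__ == "__main__":
    for text in (ZONE_TEXT, LAB_ZONE_TEXT):
        soa = parse_soa(text)
        print(soa.rname, check_soa(soa) or "OK")
    print(bump_serial(2024110301, date(2024, 11, 3)))
```

Run against the lab-style zone, `check_soa` reports every timer plus the malformed contact address; against the corrected zone it returns an empty list. The same tokenizing approach (strip `;` comments, flatten the parentheses) is what makes the multi-line SOA layout used in real zone files parse the same as the one-line form.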
[root@localhost ~]# vim /etc/named.conf
[root@localhost named]# cat /etc/named.conf
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
};
zone "baidu.com" IN {
    type master;
    file "named.baidu.com";
};
[root@localhost ~]# cd /var/named/
[root@localhost named]# ll
total 16
drwxrwx---. 2 named named 6 Sep 20 2023 data
drwxrwx---. 2 named named 6 Sep 20 2023 dynamic
-rw-r-----. 1 root named 2253 Sep 20 2023 named.ca
-rw-r-----. 1 root named 152 Sep 20 2023 named.empty
-rw-r-----. 1 root named 152 Sep 20 2023 named.localhost
-rw-r-----. 1 root named 168 Sep 20 2023 named.loopback
drwxrwx---. 2 named named 6 Sep 20 2023 slaves
[root@localhost named]# cat named.baidu.com
$TTL 1D
@       IN SOA  @ admin.baidu.com. (
                0       ; serial
                5       ; refresh
                3       ; retry
                10      ; expire
                15 )    ; minimum (negative-caching TTL)
        IN NS   ns.baidu.com.
        IN MX   10 mail.baidu.com.
ns IN A 2.2.2.129
ww IN A 2.2.2.129
mail IN A 2.2.2.129
www IN A 2.2.2.129
ftp IN CNAME www
[root@localhost named]# vim named.baidu.com
[root@localhost named]# systemctl start named
[root@localhost named]# dig -t NS baidu.com @2.2.2.129

; <<>> DiG 9.16.23-RH <<>> -t NS baidu.com @2.2.2.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17992
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4e971650a34d8ea7010000006726e8b14bf7b178da33434c (good)
;; QUESTION SECTION:
;baidu.com.                     IN      NS

;; ANSWER SECTION:
baidu.com.              86400   IN      NS      ns.baidu.com.

;; ADDITIONAL SECTION:
ns.baidu.com.           86400   IN      A       2.2.2.129

;; Query time: 0 msec
;; SERVER: 2.2.2.129#53(2.2.2.129)
;; WHEN: Sun Nov 03 11:06:25 CST 2024
;; MSG SIZE  rcvd: 99

[root@localhost named]# dig -t MX baidu.com @2.2.2.129

; <<>> DiG 9.16.23-RH <<>> -t MX baidu.com @2.2.2.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57619
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 643eef2da90d563b010000006726e948fae6d3a96e668d2e (good)
;; QUESTION SECTION:
;baidu.com.                     IN      MX

;; ANSWER SECTION:
baidu.com.              86400   IN      MX      10 mail.baidu.com.

;; ADDITIONAL SECTION:
mail.baidu.com.         86400   IN      A       2.2.2.129

;; Query time: 0 msec
;; SERVER: 2.2.2.129#53(2.2.2.129)
;; WHEN: Sun Nov 03 11:08:56 CST 2024
;; MSG SIZE  rcvd: 103

[root@localhost named]# dig -t A www.baidu.com @2.2.2.129

; <<>> DiG 9.16.23-RH <<>> -t A www.baidu.com @2.2.2.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54037
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 53ac0feb6cde4a04010000006726e97df778881461e5cd15 (good)
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          86400   IN      A       2.2.2.129

;; Query time: 0 msec
;; SERVER: 2.2.2.129#53(2.2.2.129)
;; WHEN: Sun Nov 03 11:09:49 CST 2024
;; MSG SIZE  rcvd: 86

[root@localhost named]# dig -t CNAME ftp.baidu.com @2.2.2.129

; <<>> DiG 9.16.23-RH <<>> -t CNAME ftp.baidu.com @2.2.2.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13953
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 7e4027f84f4dc660010000006726e9b87c4e229d96f09027 (good)
;; QUESTION SECTION:
;ftp.baidu.com.                 IN      CNAME

;; ANSWER SECTION:
ftp.baidu.com.          86400   IN      CNAME   www.baidu.com.

;; Query time: 1 msec
;; SERVER: 2.2.2.129#53(2.2.2.129)
;; WHEN: Sun Nov 03 11:10:48 CST 2024
;; MSG SIZE  rcvd: 88
1.4 Reverse zone file template
[root@localhost named]# vim /etc/named.conf
[root@localhost named]# cat /etc/named.conf
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
};
zone "baidu.com" IN {
    type master;
    file "named.baidu.com";
};
zone "2.2.2.in-addr.arpa" IN {
    type master;
    file "named.fanxiang";
};
[root@localhost named]# ll
total 28
drwxrwx---. 2 named named 6 Sep 20 2023 data
drwxrwx---. 2 named named 6 Sep 20 2023 dynamic
-rw-r--r--. 1 named named 821 Nov 3 11:05 managed-keys.bind
-rw-r--r--. 1 named named 1045 Nov 3 11:05 managed-keys.bind.jnl
-rw-r--r--. 1 root root 346 Nov 3 11:05 named.baidu.com
-rw-r-----. 1 root named 2253 Sep 20 2023 named.ca
-rw-r-----. 1 root named 152 Sep 20 2023 named.empty
-rw-r-----. 1 root named 152 Sep 20 2023 named.localhost
-rw-r-----. 1 root named 168 Sep 20 2023 named.loopback
drwxrwx---. 2 named named 6 Sep 20 2023 slaves
[root@localhost named]# cp named.baidu.com /var/named/named.fanxiang
[root@localhost named]# vim /var/named/named.fanxiang
[root@localhost named]# cat /var/named/named.fanxiang
$TTL 1D
@       IN SOA  @ admin.baidu.com. (
                0       ; serial
                1       ; refresh
                3       ; retry
                5       ; expire
                10 )    ; minimum (negative-caching TTL)
        IN NS   ns.baidu.com.
130 IN PTR ns.baidu.com.
1 IN PTR www.baidu.com.
2 IN PTR www.baidu.com.
3 IN PTR mail.baidu.com.
[root@localhost named]# systemctl restart named
[root@localhost named]# dig -x 2.2.2.129 @2.2.2.129

; <<>> DiG 9.16.23-RH <<>> -x 2.2.2.129 @2.2.2.129
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18992
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1d7afebcea9903f6010000006726efb6257935a95f9e1af5 (good)
;; QUESTION SECTION:
;129.2.2.2.in-addr.arpa.        IN      PTR

;; AUTHORITY SECTION:
2.2.2.in-addr.arpa.     10      IN      SOA     2.2.2.in-addr.arpa. admin.baidu.com. 0 1 3 5 10

;; Query time: 0 msec
;; SERVER: 2.2.2.129#53(2.2.2.129)
;; WHEN: Sun Nov 03 11:36:22 CST 2024
;; MSG SIZE  rcvd: 130
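The NXDOMAIN above is the expected answer for this zone: named.fanxiang defines PTR records for the labels 130, 1, 2 and 3 but none for 129, so the name 129.2.2.2.in-addr.arpa falls inside the zone and matches nothing (the SOA in the AUTHORITY section, with TTL 10 taken from the minimum field, is the negative answer). The following is an added example, not code from the original notes: it builds the in-addr.arpa owner name the way dig -x does, answers PTR queries from a constructed copy of the lab's reverse records, and derives the PTR set the forward zone's A records actually imply, so the two zones can be kept consistent. The /24 zone boundary is assumed from the lab's zone name.

```python
"""Reproduce the NXDOMAIN from `dig -x 2.2.2.129` against the lab's reverse zone.

Added example, not from the original notes. `reverse_name` builds the
in-addr.arpa owner name, `ptr_lookup` answers a PTR query from a constructed
copy of the lab's named.fanxiang records, and `ptr_records_from_a` generates
the PTR set a forward zone's A records imply (a /24 reverse zone is assumed).
"""
import ipaddress

REVERSE_ZONE = "2.2.2.in-addr.arpa."

# Constructed copy of the lab's PTR records: relative label -> target.
# There is no "129" label, which is why the lab's query got NXDOMAIN.
LAB_PTR_RECORDS = {
    "130": "ns.baidu.com.",
    "1": "www.baidu.com.",
    "2": "www.baidu.com.",
    "3": "mail.baidu.com.",
}

# Constructed copy of the lab's forward A records (every name -> 2.2.2.129).
LAB_A_RECORDS = {
    "ns.baidu.com.": "2.2.2.129",
    "ww.baidu.com.": "2.2.2.129",
    "mail.baidu.com.": "2.2.2.129",
    "www.baidu.com.": "2.2.2.129",
}


def reverse_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: 2.2.2.129 -> 129.2.2.2.in-addr.arpa."""
    addr = ipaddress.IPv4Address(ip)              # rejects malformed input
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def ptr_lookup(ip: str, zone: str = REVERSE_ZONE, records: dict = None):
    """Answer a PTR query like an authoritative, non-recursive server for `zone`.

    Returns (rcode, target): NOERROR with the target when a PTR exists,
    NXDOMAIN when the name lies inside the zone but has no record, REFUSED
    when the name is outside the zone (the server would have to recurse).
    """
    records = LAB_PTR_RECORDS if records is None else records
    qname = reverse_name(ip)
    if not qname.endswith("." + zone):
        return "REFUSED", None
    label = qname[: -(len(zone) + 1)]             # strip ".2.2.2.in-addr.arpa."
    target = records.get(label)
    return ("NXDOMAIN", None) if target is None else ("NOERROR", target)


def ptr_records_from_a(a_records: dict, network: str) -> dict:
    """Derive reverse-zone labels from the A records inside `network` (a /24).

    Returns label -> sorted list of names; several names sharing one address
    produce several PTR records for the same label.
    """
    net = ipaddress.IPv4Network(network)
    out = {}
    for name, ip in a_records.items():
        addr = ipaddress.IPv4Address(ip)
        if addr in net:
            out.setdefault(str(addr).split(".")[-1], []).append(name)
    return {label: sorted(names) for label, names in out.items()}


def render_reverse_zone(labels: dict) -> str:
    """Emit PTR lines in zone-file syntax for the labels computed above."""
    return "\n".join(f"{label:<8}IN PTR {name}"
                     for label, names in sorted(labels.items(), key=lambda kv: int(kv[0]))
                     for name in names)


if __name__ == "__main__":
    print(reverse_name("2.2.2.129"), ptr_lookup("2.2.2.129"))   # NXDOMAIN
    print(ptr_lookup("2.2.2.130"))                              # ns.baidu.com.
    print(render_reverse_zone(ptr_records_from_a(LAB_A_RECORDS, "2.2.2.0/24")))
```

Generating the reverse zone from the forward zone's A records, as `ptr_records_from_a` does, is the usual way to avoid exactly this mismatch; for the lab data it yields four PTR records under the label 129 and none under 1, 2, 3 or 130.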
1.5 Forwarding server lab
[root@localhost named]# vim /etc/named.conf
[root@localhost named]# cat /etc/named.conf
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
    forward only;
    forwarders { 223.5.5.5; };
};
[root@localhost named]# systemctl restart named
[root@localhost named]# nmcli device show | grep DNS
IP4.DNS[1]: 2.2.2.2
[root@localhost named]# dig -t A www.baidu.com

; <<>> DiG 9.16.23-RH <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4039
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 8

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          5       IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       5       IN      A       183.2.172.42
www.a.shifen.com.       5       IN      A       183.2.172.185

;; AUTHORITY SECTION:
a.shifen.com.           5       IN      NS      ns5.a.shifen.com.
a.shifen.com.           5       IN      NS      ns3.a.shifen.com.
a.shifen.com.           5       IN      NS      ns4.a.shifen.com.
a.shifen.com.           5       IN      NS      ns1.a.shifen.com.
a.shifen.com.           5       IN      NS      ns2.a.shifen.com.

;; ADDITIONAL SECTION:
ns5.a.shifen.com.       5       IN      AAAA    240e:940:603:a:0:ff:b08d:239d
ns5.a.shifen.com.       5       IN      AAAA    240e:bf:b801:1006:0:ff:b04f:346b
ns2.a.shifen.com.       5       IN      A       220.181.33.32
ns3.a.shifen.com.       5       IN      A       153.3.238.162
ns3.a.shifen.com.       5       IN      A       36.155.132.12
ns4.a.shifen.com.       5       IN      A       14.215.177.229
ns4.a.shifen.com.       5       IN      A       111.20.4.28
ns5.a.shifen.com.       5       IN      A       180.76.76.95

;; Query time: 5 msec
;; SERVER: 2.2.2.2#53(2.2.2.2)
;; WHEN: Sun Nov 03 11:45:01 CST 2024
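Two things about this lab are worth checking before calling the forwarder done. First, the SERVER line shows the query was answered by 2.2.2.2, the resolver nmcli reported for the host, not by the forwarding server on 2.2.2.129; the forwarder is only exercised with `dig -t A www.baidu.com @2.2.2.129`. Second, the options block turns the server into a recursive resolver (forwarding requires recursion, which BIND enables by default) that listens on 2.2.2.129 with no allow-query or allow-recursion, which is the open-resolver configuration the stock named.conf comment in section 1.2 warns about. The following is an added example, not code from the original notes or from BIND: a small parser for named.conf's brace syntax and a lint that flags that condition, an authoritative server that also recurses, and master zones with no allow-transfer. The three configurations are constructed from the labs in sections 1.5 and 1.6 plus a hardened variant of the forwarder; the ACL subnet 2.2.2.0/24 is an assumption.

```python
"""Lint a named.conf for the access-control problems its own header comment warns about.

Added example, not part of the original notes or of BIND. `tokenize` and
`parse` read named.conf's brace syntax into nested statements; `lint` flags
a recursive or forwarding server that listens on a non-loopback address
without allow-query/allow-recursion (the open-resolver case), an
authoritative server that also recurses, and master zones with no
allow-transfer. The configs are constructed from the lab's sections 1.5 and
1.6, plus a hardened variant of the forwarder (ACL subnet assumed).
"""
import re

LAB_FORWARDER_CONF = """\
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
    forward only;
    forwarders { 223.5.5.5; };
};
"""

HARDENED_FORWARDER_CONF = """\
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
    recursion yes;
    allow-query { 2.2.2.0/24; };      // only the lab subnet may ask
    allow-recursion { 2.2.2.0/24; };
    forward only;
    forwarders { 223.5.5.5; };
};
"""

LAB_AUTH_CONF = """\
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
};
zone "haha.com" IN { type master; file "named.haha.com"; };
zone "2.2.2.in-addr.arpa" IN { type master; file "named.fanxiang"; };
"""


def tokenize(text: str) -> list:
    """Split named.conf text into tokens, dropping /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#).*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)


def parse(tokens: list, pos: int = 0):
    """Return ([(keyword, args, block_or_None), ...], pos) for one brace level."""
    stmts = []
    while pos < len(tokens) and tokens[pos] != "}":
        words, block = [], None
        while tokens[pos] not in ("{", ";"):
            words.append(tokens[pos].strip('"'))
            pos += 1
        if tokens[pos] == "{":
            block, pos = parse(tokens, pos + 1)   # recurse into the nested block
            pos += 1                               # step over the closing '}'
        pos += 1                                   # step over ';'
        stmts.append((words[0], words[1:], block))
    return stmts, pos


def lint(config_text: str) -> list:
    """Return a list of findings; an empty list means none of the checks fired."""
    stmts, _ = parse(tokenize(config_text))
    options = next((blk for kw, _, blk in stmts if kw == "options"), None) or []

    def option(name):
        return next(((args, blk) for kw, args, blk in options if kw == name), None)

    findings = []
    listen = option("listen-on")
    addrs = [kw for kw, _, _ in listen[1]] if listen else ["any"]   # BIND default: all interfaces
    local_only = set(addrs) <= {"127.0.0.1", "localhost"}
    recursion = option("recursion")
    recursion_on = recursion is None or recursion[0] == ["yes"]    # BIND default: yes
    if option("forwarders") and not recursion_on:
        findings.append("forwarders configured but recursion is off, so nothing is forwarded")
    has_acl = any(option(n) for n in ("allow-query", "allow-recursion", "allow-query-cache"))
    if recursion_on and not local_only and not has_acl:
        findings.append("open resolver: recursion on " + ", ".join(addrs)
                        + " with no allow-query/allow-recursion (DNS amplification risk)")
    masters = [args[0] for kw, args, blk in stmts if kw == "zone"
               and any(k == "type" and a == ["master"] for k, a, _ in blk)]
    if masters and recursion_on:
        findings.append("authoritative zones " + ", ".join(masters)
                        + " served with recursion on; set recursion no or split the roles")
    zone_xfer = any(k == "allow-transfer" for kw, _, blk in stmts if kw == "zone" for k, _, _ in blk)
    if masters and not (option("allow-transfer") or zone_xfer):
        findings.append("no allow-transfer: restrict zone transfers to the secondaries' addresses")
    return findings


if __name__ == "__main__":
    for name, conf in (("lab forwarder", LAB_FORWARDER_CONF),
                       ("hardened forwarder", HARDENED_FORWARDER_CONF),
                       ("lab authoritative", LAB_AUTH_CONF)):
        print(name, lint(conf) or ["OK"])
```

The hardened variant keeps the same listen-on and forwarders but limits who may query and who may trigger recursion; the authoritative configuration from section 1.6 draws three findings because it never sets recursion no and never restricts transfers. On the real server, `named-checkconf` validates the syntax of the same file but does not make any of these policy judgements.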
1.6 Resolving a web server lab
[root@localhost named]# vim /etc/named.conf
[root@localhost named]# cat /etc/named.conf
options {
    listen-on port 53 { 2.2.2.129; };
    directory "/var/named";
};
zone "haha.com" IN {
    type master;
    file "named.haha.com";
};
zone "2.2.2.in-addr.arpa" IN {
    type master;
    file "named.fanxiang";
};
[root@localhost named]# vim /var/named/named.haha.com
[root@localhost named]# cat /var/named/named.haha.com
$TTL 1D
@       IN SOA  @ admin.haha.com. (
                0       ; serial
                1       ; refresh
                3       ; retry
                5       ; expire
                10 )    ; minimum (negative-caching TTL)
        IN NS   ns.haha.com.
        IN MX   10 mail.haha.com.
ns IN A 2.2.2.129
www IN A 2.2.2.129
[root@localhost named]# systemctl restart named
[root@localhost named]# curl www.haha.com
1.7 Zone transfer
DNS primary/secondary replication copies the primary DNS server's zone data to the secondary server, so that the secondary can then answer forward and reverse queries itself. The secondary queries the primary for updated data to keep the two copies consistent; this is zone transfer. Put differently, zone transfer is the mechanism by which primary/secondary replication is implemented, and replication is what zone transfer achieves.
There are two kinds of zone transfer:
- axfr: full zone transfer
- ixfr: incremental zone transfer
When a new DNS server is added to the zone and configured as a secondary, it performs a full zone transfer to obtain a complete copy of the resource records from the primary. To keep the data in sync afterwards, the primary notifies the secondaries whenever it is updated, and they fetch the changes (incremental zone transfer).
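The decision the secondary makes in that last paragraph rests on the SOA serial from section 1.3: it transfers only when the primary's serial is newer than its own, using the wrap-around comparison of RFC 1982, and an incremental transfer then carries just the records deleted and added between the two serials. The following is an added example, not code from the original notes or from BIND, that models this: `serial_is_newer` is the RFC 1982 comparison, `ixfr_changes` computes the payload of an incremental transfer, and `refresh_cycle` runs one refresh for a secondary, choosing AXFR for a brand-new server and IXFR for an existing one. The two zone versions are constructed variants of the lab's haha.com zone; the primary's journal, which in BIND supplies the old version, is stood in for by diffing the two versions directly.

```python
"""Serial comparison and AXFR vs IXFR, as a secondary would see them.

Added example, not from the original notes. `serial_is_newer` is RFC 1982
serial arithmetic, the comparison a secondary applies to the primary's SOA
serial before deciding to transfer. `ixfr_changes` computes the deleted and
added record sets an incremental transfer carries (BIND reads these from
the primary's journal; here the two versions are diffed directly).
`refresh_cycle` runs one refresh for a secondary. The zone versions are
constructed variants of the lab's haha.com zone.
"""

SERIAL_MOD = 1 << 32
HALF = 1 << 31


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982: is `candidate` greater than `current` in 32-bit wrap-around order?"""
    candidate, current = candidate % SERIAL_MOD, current % SERIAL_MOD
    if candidate == current:
        return False
    return (candidate > current and candidate - current < HALF) or \
           (candidate < current and current - candidate > HALF)


# Zone versions as {serial, records}; records are (owner, type, rdata) tuples.
ZONE_V1 = {"serial": 2024110301, "records": {
    ("haha.com.", "NS", "ns.haha.com."),
    ("haha.com.", "MX", "10 mail.haha.com."),
    ("ns.haha.com.", "A", "2.2.2.129"),
    ("www.haha.com.", "A", "2.2.2.129"),
}}
ZONE_V2 = {"serial": 2024110302, "records": {
    ("haha.com.", "NS", "ns.haha.com."),
    ("haha.com.", "MX", "10 mail.haha.com."),
    ("ns.haha.com.", "A", "2.2.2.129"),
    ("www.haha.com.", "A", "2.2.2.131"),   # web server moved to another host
    ("mail.haha.com.", "A", "2.2.2.129"),  # record added
}}


def axfr(primary: dict) -> dict:
    """Full transfer: the secondary receives a complete copy of the zone."""
    return {"serial": primary["serial"], "records": set(primary["records"])}


def ixfr_changes(old: dict, new: dict):
    """Incremental transfer payload from old.serial to new.serial: (deleted, added)."""
    return old["records"] - new["records"], new["records"] - old["records"]


def refresh_cycle(secondary, primary):
    """One refresh cycle (the same check a NOTIFY from the primary triggers).

    A brand-new secondary (None) always does AXFR; an existing one compares
    serials and applies an IXFR only when the primary's serial is newer.
    """
    if secondary is None:
        return "axfr", axfr(primary)
    if not serial_is_newer(primary["serial"], secondary["serial"]):
        return "in-sync", secondary
    deleted, added = ixfr_changes(secondary, primary)
    records = (secondary["records"] - deleted) | added
    return "ixfr", {"serial": primary["serial"], "records": records}


if __name__ == "__main__":
    print(refresh_cycle(None, ZONE_V1)[0])         # axfr
    print(refresh_cycle(ZONE_V1, ZONE_V2)[0])      # ixfr
    print(ixfr_changes(ZONE_V1, ZONE_V2))          # one deletion, two additions
    print(serial_is_newer(1, 0xFFFFFFFF))          # True: wrap-around handled
```

Two consequences follow from the model. A zone edit without a serial bump (the lab's zones keep serial 0 throughout) is never transferred, because `serial_is_newer` returns False for equal values. And the IXFR payload is tiny compared with the full zone, which is why the primary's NOTIFY plus an incremental transfer is how steady-state synchronisation normally works, with AXFR reserved for a fresh secondary or a journal gap.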