DNS服务器软件::bind,powerdns,dnsmasq,unbound,coredns
BIND相关程序包
- bind:服务器
- bind-libs:相关库
- bind-utils:客户端
- bind-chroot:安全包,将dns相关文件放至/var/named/chroot/
BIND包相关文件
- BIND主程序:/usr/sbin/named
- 服务脚本和Unit名称:/etc/rc.d/init.d/named,/usr/lib/systemd/system/named.service
- 主配置文件:/etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
- 管理工具:/usr/sbin/rndc:remote name domain controller,默认与bind安装在同一主机,且 只能通过127.0.0.1连接named进程,提供辅助性的管理功能;953/tcp
- 解析库文件:/var/named/ZONE_NAME.ZONE
主配置文件
- 全局配置:options {};
- 日志子系统配置:logging {};
- 区域定义:本机能够为哪些zone进行解析,就要定义哪些zone zone "ZONE_NAME" IN {};
注意:
- 任何服务程序如果期望其能够通过网络被其它主机访问,至少应该监听在一个能与外部主机通信的 IP地址上
- 缓存名称服务器的配置:监听外部地址即可
- dnssec: 建议关闭dnssec,设为no
主配置文件语法检查
named-checkconf
解析库文件语法检查
named-checkzone "magedu.org" /var/named/magedu.org.zone
配置生效
#三种方式
#rndc reload
#systemctl reload named
#service named reload
实现DNS正向主从服务器
实验设备:服务器
centos8 地址10.0.0.88;centos7 地址10.0.0.77
客户端
centos7 地址10.0.0.7
设置域名:magedu.org
客户端DNS解析:主服务器掉线,自动连接 “从服务器”解析
主服务器配置
1、编辑配置文件 /etc/named.conf
[root@centos8-liyj ~]#vim /etc/named.conf
注释// 图片中蓝色行
添加 allow-transfer { 10.0.0.77;}; #只允许从服务器进行区域传输
修改
dnssec-enable yes; #改为no
dnssec-validation yes; #改为no
options { // listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; // allow-query { localhost; }; allow-transfer { 10.0.0.77; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */ include "/etc/crypto-policies/back-ends/bind.config"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
2、编辑/etc/named.rfc1912.zones
再最后添加以下内容 zone "magedu.org" IN { typer master; file "magedu.org.zone"; #文件目录,默认/var/named/ }; #在named.conf文件中定义了directory "/var/named";
// named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and https://tools.ietf.org/html/rfc6303 // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // Note: empty-zones-enable yes; option is default. // If private ranges should be forwarded, add // disable-empty-zone "."; into options // // named.rfc1912.zones: // // Provided by Red Hat caching-nameserver package // // ISC BIND named zone configuration for zones recommended by // RFC 1912 section 4.1 : localhost TLDs and address zones // and https://tools.ietf.org/html/rfc6303 // (c)2007 R W Franks // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // Note: empty-zones-enable yes; option is default. // If private ranges should be forwarded, add // disable-empty-zone "."; into options // zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "magedu.org" IN { typer master; file "magedu.org.zone"; };
3、编辑DNS区域数据库文件
[root@centos8-liyj /etc/named]#cd /var/named/ [root@centos8-liyj /var/named]#ls data dynamic named.ca named.empty named.localhost named.loopback slaves
3.1复制named.localhost文件格式,重新编辑
[root@centos8-liyj /var/named]#cp -p named.localhost magedu.org.zone #-p 复制原格式权限 [root@centos8-liyj /var/named]#ll 或者手动修改:chgrp named magedu.org.zone total 20 drwxrwx--- 2 named named 6 Aug 25 2021 data drwxrwx--- 2 named named 6 Aug 25 2021 dynamic -rw-r----- 1 root named 152 Aug 25 2021 magedu.org.zone #文件权限为640 ,强制 属主root,数组named -rw-r----- 1 root named 2253 Aug 25 2021 named.ca -rw-r----- 1 root named 152 Aug 25 2021 named.empty -rw-r----- 1 root named 152 Aug 25 2021 named.localhost -rw-r----- 1 root named 168 Aug 25 2021 named.loopback drwxrwx--- 2 named named 6 Aug 25 2021 slaves
[root@centos8-liyj /var/named]#vim magedu.org.zone
$TTL 1D @ IN SOA ns1 admin.magedu.org. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS ns1 #主DNS
NS ns2 #从DNS ns1 A 10.0.0.88 #指向地址 ns2 A 10.0.0.77
[root@centos8-liyj /var/named]#systemctl start named #第一次启动 [root@centos8-liyj /var/named]#rndc reload #不是第一次启动,使用rndc reload 加载 配置文件,不会终端DNS服务 server reload successful [root@centos8-liyj /var/named]#
主服务器DNS-dig测试
[root@centos8-liyj /var/named]#dig ns1.magedu.org #本机设置了DNS地址,联通了外网,互联网上由 ns1.magedu.org域名。解析如下
ns1.magedu.org. 5 IN A 47.91.170.222 #解析出外网地址,
vim /etc/sysconfig/network-scripts/ifcfg-eth0
删除本机的DNS地址
[root@centos8-liyj /var/named]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 #修改后,删除了DNS地址,重启网卡服务 DEVICE="eth0" NAME="eth0" BOOTPROTO="static" IPADDR=10.0.0.88 PREFIX=24 GATEWAY=10.0.0.2 ONBOOT="yes"
[root@centos8-liyj /var/named]#dig ns1.magedu.org ; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> ns1.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: a6b5b8d8778a6125c5397a2d626f938979def64920dcc8d5 (good) ;; QUESTION SECTION: ;ns1.magedu.org. IN A ;; ANSWER SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns1.magedu.org. magedu.org. 86400 IN NS ns2.magedu.org. ;; ADDITIONAL SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Mon May 02 16:17:13 CST 2022 ;; MSG SIZE rcvd: 135
从服务器配置
[root@centos7-liyj ~]#vim /etc/named.conf
注释//
options {
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
allow-transfer { none;}; #不允许其他主机进行区域传输
yes改为no
dnssec-enable no;
dnssec-validation no;
}
options { // listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; // allow-query { localhost; }; allow-transfer { none; }; masterfile-format text; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable no; dnssec-validation no; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
[root@centos7-liyj ~]#vim /etc/named.rfc1912.zones 添加以下内容
zone "magedu.org" { type slave; masters { 10.0.0.88;}; file "slaves/magedu.org.slave"; #文件目录 };
zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; }; zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "1.0.0.127.in-addr.arpa" IN { type master; file "named.loopback"; allow-update { none; }; }; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { none; }; }; zone "magedu.org" { type slave; masters { 10.0.0.88;}; file "slaves/magedu.org.slave"; };
systemctl start named #第一次启动服务 rndc reload #不是第一次启动服务 ls /var/named/slaves/magedu.org.slave #查看区域数据库文件是否生成
[root@centos7-liyj ]#ll /var/named/slaves/ total 4 -rw-r--r-- 1 named named 264 May 2 17:06 magedu.org.slave [root@centos7-liyj ]#cat /var/named/slaves/magedu.org.slave #从服务器 自动生成文件 boXQ 查看内容乱码,不允许从 mageduorg6ns1mageduorgadminmageduorgQ :*0DQ 服务器看到配置 mageduorgns1mageduorgns2mageduorg*Qns1mageduorg X*Qns2mageduorg
解决乱码问题:
添加 masterfile-format text;重启服务 systemctl restart named
[root@centos7-liyj /var/named/slaves]#cat /var/named/slaves/magedu.org.slave $ORIGIN . $TTL 86400 ; 1 day magedu.org IN SOA ns1.magedu.org. admin.magedu.org. ( 0 ; serial 86400 ; refresh (1 day) 3600 ; retry (1 hour) 604800 ; expire (1 week) 10800 ; minimum (3 hours) ) NS ns1.magedu.org. NS ns2.magedu.org. $ORIGIN magedu.org. ns1 A 10.0.0.88 ns2 A 10.0.0.77
DNS gid测试
首先修改 eth0 网卡配置,删除dns地址,添加dns=10.0.0.88
[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" NAME="eth0" BOOTPROTO="static" IPADDR=10.0.0.77 PREFIX=24 GATEWAY=10.0.0.2 DNS3=10.0.0.88 ONBOOT="yes"
[root@centos7-liyj /var/named/slaves]#dig ns2.magedu.org ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39354 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ns2.magedu.org. IN A ;; ANSWER SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns1.magedu.org. magedu.org. 86400 IN NS ns2.magedu.org. ;; ADDITIONAL SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; Query time: 0 msec ;; SERVER: 10.0.0.88#53(10.0.0.88) ;; WHEN: Mon May 02 17:53:49 CST 2022 ;; MSG SIZE rcvd: 107
客户端域名解析
修改客户端DNS1 为 10.0.0.88 DNS2为10.0.0.77
[root@centos7-liyj ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0 [root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" NAME="eth0" BOOTPROTO="static" IPADDR=10.0.0.7 PREFIX=24 GATEWAY=10.0.0.2 DNS1=10.0.0.77 DNS2=10.0.0.88 ONBOOT="yes"
测试,DNS主从服务器都在线
yum install -y bind-utils
[root@centos7-liyj ~]#dig ns1.magedu.org ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26563 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ns1.magedu.org. IN A ;; ANSWER SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns1.magedu.org. magedu.org. 86400 IN NS ns2.magedu.org. ;; ADDITIONAL SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; Query time: 0 msec ;; SERVER: 10.0.0.88#53(10.0.0.88) ;; WHEN: Mon May 02 18:04:39 CST 2022 ;; MSG SIZE rcvd: 107 [root@centos7-liyj ~]#dig ns2.magedu.org ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7070 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;ns2.magedu.org. IN A ;; ANSWER SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns1.magedu.org. magedu.org. 86400 IN NS ns2.magedu.org. ;; ADDITIONAL SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; Query time: 0 msec ;; SERVER: 10.0.0.88#53(10.0.0.88) ;; WHEN: Mon May 02 18:04:47 CST 2022 ;; MSG SIZE rcvd: 107
DNS主服务器掉线
[root@centos8-liyj ~]#systemctl stop named [root@centos8-liyj ~]#systemctl status named ● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled) Active: inactive (dead)
客户端解析
[root@centos7-liyj ~]#dig ns2.magedu.org ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57974 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns2.magedu.org. IN A ;; ANSWER SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns2.magedu.org. magedu.org. 86400 IN NS ns1.magedu.org. ;; ADDITIONAL SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; Query time: 1 msec ;; SERVER: 10.0.0.77#53(10.0.0.77) ;; WHEN: Mon May 02 18:11:26 CST 2022 ;; MSG SIZE rcvd: 107 [root@centos7-liyj ~]#dig ns1.magedu.org ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3739 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns1.magedu.org. IN A ;; ANSWER SECTION: ns1.magedu.org. 86400 IN A 10.0.0.88 ;; AUTHORITY SECTION: magedu.org. 86400 IN NS ns2.magedu.org. magedu.org. 86400 IN NS ns1.magedu.org. ;; ADDITIONAL SECTION: ns2.magedu.org. 86400 IN A 10.0.0.77 ;; Query time: 1 msec ;; SERVER: 10.0.0.77#53(10.0.0.77) ;; WHEN: Mon May 02 18:11:37 CST 2022 ;; MSG SIZE rcvd: 107