DNS software BIND: building a DNS server

Posted by goodbay說拜拜 on 2022-05-02

DNS server software: bind, powerdns, dnsmasq, unbound, coredns

BIND-related packages

  • bind: the server
  • bind-libs: related libraries
  • bind-utils: client tools
  • bind-chroot: hardening package; places the DNS-related files under /var/named/chroot/

Files in the BIND package

  • BIND main program: /usr/sbin/named
  • Service script and unit name: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
  • Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
  • Management tool: /usr/sbin/rndc (remote name domain controller); by default it is installed on the same host as bind and can only connect to the named process through 127.0.0.1; it provides auxiliary management functions; 953/tcp
  • Zone database files: /var/named/ZONE_NAME.ZONE

Main configuration file

  • Global options: options {};
  • Logging subsystem: logging {};
  • Zone definitions: every zone this host is to resolve must be defined here:   zone "ZONE_NAME" IN {};

Notes:

  • Any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with external hosts
  • Caching name server: listening on the external address is enough
  • dnssec: it is recommended to disable dnssec (set it to no)

Syntax check of the main configuration file

named-checkconf

Syntax check of a zone database file

named-checkzone "magedu.org" /var/named/magedu.org.zone          # CentOS 8 does not have this command

Applying the configuration

# three ways
rndc reload
systemctl reload named
service named reload

Implementing forward master/slave DNS servers

Lab setup:

  • Servers: centos8 at 10.0.0.88; centos7 at 10.0.0.77
  • Client: centos7 at 10.0.0.7

Domain: magedu.org

Client DNS resolution: when the master server goes offline, the client automatically switches to the "slave server" for resolution.

Master server configuration

1. Edit the configuration file /etc/named.conf

[root@centos8-liyj ~]#vim /etc/named.conf
Comment out with //  the listen-on and allow-query lines (they appear commented out in the file below)
Add:    allow-transfer { 10.0.0.77; };   # only allow the slave to perform zone transfers

Change:

dnssec-enable yes;      # change to no
dnssec-validation yes;  # change to no



options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };
        allow-transfer { 10.0.0.77; };
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Configuration file

2. Edit /etc/named.rfc1912.zones

Append the following at the end:
zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";   # relative to the directory "/var/named" set in named.conf
};

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};
named.rfc1912.zones

3. Edit the DNS zone database file

[root@centos8-liyj /etc/named]#cd /var/named/
[root@centos8-liyj /var/named]#ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

3.1 Copy named.localhost as a template and edit the copy

[root@centos8-liyj /var/named]#cp -p named.localhost magedu.org.zone    # -p keeps the original mode and ownership; otherwise fix the group by hand: chgrp named magedu.org.zone
[root@centos8-liyj /var/named]#ll
total 20
drwxrwx--- 2 named named    6 Aug 25  2021 data
drwxrwx--- 2 named named    6 Aug 25  2021 dynamic
-rw-r----- 1 root  named  152 Aug 25  2021 magedu.org.zone              # mode must be 640, owner root, group named
-rw-r----- 1 root  named 2253 Aug 25  2021 named.ca
-rw-r----- 1 root  named  152 Aug 25  2021 named.empty
-rw-r----- 1 root  named  152 Aug 25  2021 named.localhost
-rw-r----- 1 root  named  168 Aug 25  2021 named.loopback
drwxrwx--- 2 named named    6 Aug 25  2021 slaves
[root@centos8-liyj /var/named]#vim magedu.org.zone

$TTL 1D
@       IN SOA  ns1 admin.magedu.org. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1             ; master DNS
        NS      ns2             ; slave DNS
ns1     A       10.0.0.88       ; address it points to
ns2     A       10.0.0.77
[root@centos8-liyj /var/named]#systemctl start named      # first start
[root@centos8-liyj /var/named]#rndc reload          # when it is not the first start, use rndc reload to load the configuration without interrupting the DNS service
server reload successful
[root@centos8-liyj /var/named]#

Testing the master with dig

[root@centos8-liyj /var/named]#dig ns1.magedu.org
# This host still had a DNS server address configured and Internet access, and a public ns1.magedu.org exists, so it resolved like this:
ns1.magedu.org. 5 IN A 47.91.170.222    # a public address was returned
# Fix: edit /etc/sysconfig/network-scripts/ifcfg-eth0 and delete the host's DNS address
[root@centos8-liyj /var/named]#cat /etc/sysconfig/network-scripts/ifcfg-eth0     # after the edit the DNS address is gone; restart the network service
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.88
PREFIX=24
GATEWAY=10.0.0.2
ONBOOT="yes"
[root@centos8-liyj /var/named]#dig ns1.magedu.org

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a6b5b8d8778a6125c5397a2d626f938979def64920dcc8d5 (good)
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A

;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 02 16:17:13 CST 2022
;; MSG SIZE  rcvd: 135
The dig test of the domain resolves correctly.

Slave server configuration

[root@centos7-liyj ~]#vim /etc/named.conf
Comment out with //:

options {
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };

Add:
allow-transfer { none; };       # do not allow any other host to perform zone transfers

Change yes to no:

dnssec-enable no;
dnssec-validation no;

}

options {
//    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
//    allow-query     { localhost; };
    allow-transfer { none; };
masterfile-format text;
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Configuration file

[root@centos7-liyj ~]#vim /etc/named.rfc1912.zones     # append the following
zone "magedu.org" {
        type slave;
        masters { 10.0.0.88; };
        file "slaves/magedu.org.slave";   # relative to the directory "/var/named"
};
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
zone "magedu.org" {
    type slave;
    masters { 10.0.0.88;};
    file "slaves/magedu.org.slave";
};
Configuration file

systemctl start named          # first start of the service
rndc reload                    # when it is not the first start
ls /var/named/slaves/magedu.org.slave   # check that the zone database file was created
[root@centos7-liyj ]#ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 264 May  2 17:06 magedu.org.slave
[root@centos7-liyj ]#cat /var/named/slaves/magedu.org.slave    # generated automatically on the slave
(unreadable binary output)   # the content is garbled; the zone data cannot be read on the slave in this form

 

Fixing the garbled output:

Add to the options block of /etc/named.conf:
masterfile-format text;
then restart the service: systemctl restart named


[root@centos7-liyj /var/named/slaves]#cat /var/named/slaves/magedu.org.slave 
$ORIGIN .
$TTL 86400    ; 1 day
magedu.org        IN SOA    ns1.magedu.org. admin.magedu.org. (
                0          ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                10800      ; minimum (3 hours)
                )
            NS    ns1.magedu.org.
            NS    ns2.magedu.org.
$ORIGIN magedu.org.
ns1            A    10.0.0.88
ns2            A    10.0.0.77
magedu.org.slave on the slave server
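The master's hand-written zone (relative names, TTLs such as 1D) and the slave's text dump above (absolute names, TTLs in seconds) look different but must describe the same records. As an added example that is not part of the original post, this small Python zone-file parser normalises both forms and compares them, and flags NS records whose target has no A record; the two zone texts are constructed from the post's files.

```python
# Added example (not the post's own code); both zone texts are constructed from the post.
MASTER_ZONE = """$TTL 1D
@ IN SOA ns1 admin.magedu.org. ( 0 1D 1H 1W 3H ) ; serial refresh retry expire minimum
  NS ns1
  NS ns2
ns1 A 10.0.0.88
ns2 A 10.0.0.77"""
SLAVE_DUMP = """$ORIGIN .
$TTL 86400 ; 1 day
magedu.org IN SOA ns1.magedu.org. admin.magedu.org. ( 0 86400 ; serial, refresh (1 day)
        3600 604800 10800 ) ; retry (1 hour), expire (1 week), minimum (3 hours)
    NS ns1.magedu.org.
    NS ns2.magedu.org.
$ORIGIN magedu.org.
ns1 A 10.0.0.88
ns2 A 10.0.0.77"""
UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
def ttl_seconds(tok):  # BIND duration such as 1D, 3H or 86400 -> seconds
    return int(tok[:-1]) * UNITS[tok[-1].upper()] if tok[-1].isalpha() else int(tok)

def fqdn(name, origin):  # '@' is the origin; a name without a trailing dot gets it appended
    if name == "@": return origin
    return name if name.endswith(".") else name + ("." if origin == "." else "." + origin)

def parse_zone(text, origin):
    """{(owner, ttl, type, rdata)} with absolute names and TTLs in seconds."""
    records, ttl_default, owner, buf = set(), None, None, ""
    for line in text.splitlines():
        buf += line.split(";", 1)[0] + "\n"   # drop comments first: they may contain '('
        if buf.count("(") > buf.count(")"): continue   # still inside a ( ... ) continuation
        raw, buf = buf.replace("(", " ").replace(")", " "), ""
        toks = raw.split()
        if not toks: continue
        if toks[0] == "$ORIGIN": origin = toks[1]; continue
        if toks[0] == "$TTL": ttl_default = ttl_seconds(toks[1]); continue
        if not raw[0].isspace():              # a leading blank means "same owner as before"
            owner = fqdn(toks.pop(0), origin)
        ttl = ttl_seconds(toks.pop(0)) if toks[0][0].isdigit() else ttl_default
        if toks[0] == "IN": toks.pop(0)
        rtype, rdata = toks[0], tuple(toks[1:])
        if rtype == "SOA":                    # mname rname serial refresh retry expire minimum
            rdata = (fqdn(rdata[0], origin), fqdn(rdata[1], origin), *map(ttl_seconds, rdata[2:]))
        elif rtype == "NS":
            rdata = (fqdn(rdata[0], origin),)
        records.add((owner, ttl, rtype, rdata))
    return records

def missing_glue(records):  # NS targets with no A record in the file: not reachable by name
    have_a = {r[0] for r in records if r[2] == "A"}
    return sorted(r[3][0] for r in records if r[2] == "NS" and r[3][0] not in have_a)
```

Running `parse_zone(MASTER_ZONE, "magedu.org.") == parse_zone(SLAVE_DUMP, "magedu.org.")` returns True, which is what a successful transfer should give.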

 

Testing the slave with dig

First edit the eth0 network configuration: delete the existing DNS address and add a DNS entry pointing to 10.0.0.88

[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.77
PREFIX=24
GATEWAY=10.0.0.2
DNS3=10.0.0.88
ONBOOT="yes"

 

[root@centos7-liyj /var/named/slaves]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39354
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A

;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 17:53:49 CST 2022
;; MSG SIZE  rcvd: 107
Name resolution

 

Client name resolution

Set the client's DNS1 to 10.0.0.88 and DNS2 to 10.0.0.77

[root@centos7-liyj ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0 
[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.2
DNS1=10.0.0.77
DNS2=10.0.0.88
ONBOOT="yes"

Test with both the master and the slave DNS server online

yum install -y bind-utils

[root@centos7-liyj ~]#dig ns1.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26563
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A

;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:39 CST 2022
;; MSG SIZE  rcvd: 107

[root@centos7-liyj ~]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7070
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A

;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:47 CST 2022
;; MSG SIZE  rcvd: 107
Name resolution

 

 

Master DNS server goes offline

[root@centos8-liyj ~]#systemctl stop named
[root@centos8-liyj ~]#systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Client resolution

[root@centos7-liyj ~]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57974
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A

;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns2.magedu.org.
magedu.org.        86400    IN    NS    ns1.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:26 CST 2022
;; MSG SIZE  rcvd: 107

[root@centos7-liyj ~]#dig ns1.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3739
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A

;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88

;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns2.magedu.org.
magedu.org.        86400    IN    NS    ns1.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77

;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:37 CST 2022
;; MSG SIZE  rcvd: 107
Resolves normally.