DNS server software: bind, powerdns, dnsmasq, unbound, coredns
BIND packages
- bind: the server
- bind-libs: shared libraries
- bind-utils: client tools (dig, host, nslookup)
- bind-chroot: hardening package that confines named's files under /var/named/chroot/
Files shipped by the BIND packages
- main daemon: /usr/sbin/named
- init script and systemd unit: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
- main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
- management tool: /usr/sbin/rndc (remote name daemon control). By default it is installed on the same host as bind and talks to named only over 127.0.0.1, port 953/tcp, authenticated with the shared secret in /etc/rndc.key; it provides auxiliary management functions (reload, status and so on)
- zone files: /var/named/ZONE_NAME.ZONE
Main configuration file
- global options: options {};
- logging subsystem: logging {};
- zone definitions: every zone this host should answer for needs its own definition: zone "ZONE_NAME" IN {};
Notes:
- any service that is expected to be reachable from other hosts must listen on at least one IP address those hosts can reach (the stock named.conf listens only on 127.0.0.1)
- a caching name server only needs to listen on the external address
- dnssec: the lab below sets dnssec-enable and dnssec-validation to no so that the private zone resolves without a trust chain; on a resolver that serves real clients, leave validation on
Syntax check of the main configuration file
named-checkconf
Syntax check of a zone file
named-checkzone "magedu.org" /var/named/magedu.org.zone   # the author notes this command was missing on the CentOS 8 host; it normally ships with the bind server package, so check that package is installed
Activating configuration changes
Three ways:
  rndc reload
  systemctl reload named
  service named reload
Setting up a DNS master/slave pair for a forward zone
Lab machines: servers
  centos8 at 10.0.0.88 (master); centos7 at 10.0.0.77 (slave)
client
  centos7 at 10.0.0.7
zone: magedu.org
goal: when the master goes down, the client's resolver falls over to the slave automatically
Master server configuration
1. Edit /etc/named.conf
[root@centos8-liyj ~]#vim /etc/named.conf
Comment out (//) the listen-on port 53 { 127.0.0.1; } and allow-query { localhost; } lines so that named listens on all interfaces and answers any client
Add: allow-transfer { 10.0.0.77; };   # only the slave may pull a zone transfer (the BIND default is any, which lets anyone dump the zone with AXFR)
Change
dnssec-enable yes;        # to no
dnssec-validation yes;    # to no
Caveat: with listen-on and allow-query commented out and recursion yes left in place, named is now an open recursive resolver on every interface, exactly what the comment inside the stock file warns against. That is acceptable on an isolated 10.0.0.0/24 lab; anywhere else restrict clients with allow-query { localnets; } (or allow-recursion), or set recursion no on a server that is only authoritative.
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
//      allow-query     { localhost; };
        allow-transfer  { 10.0.0.77; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
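The listen-on, allow-query, allow-transfer and recursion decisions above are the security-relevant part of this file. As an added example, not code from the original page, the script below strips comments from a named.conf and flags the settings a reviewer looks for first: no allow-transfer (anyone can AXFR the zone), recursion enabled with no client ACL (an open resolver), and DNSSEC validation switched off on a recursive server. The three configs it checks are constructed here; one mirrors the lab settings on this page, the others show a fully open and a hardened variant. The paths are temporary files, not /etc/named.conf, and statements are matched globally rather than per scope.

```shell
#!/bin/bash
# Added example (not code from the original page): a quick audit of the
# security-relevant statements in a BIND named.conf, applied to three
# constructed configs. Paths are temporary files, not /etc/named.conf.

# Remove /* ... */, // and # comments. A commented-out "listen-on" or
# "allow-query" (as in the lab config) must not count as a live setting,
# and a "//" inside a block comment (the CryptoPolicy URL) must not
# swallow the closing "*/", so block comments are handled first.
strip_comments() {
    awk '
    function strip(line,    out, a, b, c, i) {
        out = ""
        while (length(line) > 0) {
            if (inblock) {                      # inside /* ... */
                i = index(line, "*/")
                if (i == 0) return out          # comment continues on the next line
                line = substr(line, i + 2); inblock = 0
                continue
            }
            a = index(line, "/*"); b = index(line, "//"); c = index(line, "#")
            if (b == 0 || (c > 0 && c < b)) b = c   # b = earliest line-comment marker
            if (a > 0 && (b == 0 || a < b)) {       # a block comment opens first
                out = out substr(line, 1, a - 1); line = substr(line, a + 2); inblock = 1
            } else if (b > 0) {                     # line comment: drop the rest
                return out substr(line, 1, b - 1)
            } else {
                return out line
            }
        }
        return out
    }
    BEGIN { inblock = 0 }
    { print strip($0) }' "$1"
}

# Collapse the stripped config to one whitespace-normalised line so the
# checks can grep statements regardless of the original layout.
normalize_conf() {
    strip_comments "$1" | tr '\n' ' ' | tr -s ' \t' ' '
}

conf_has() { printf '%s' "$1" | grep -Eq "$2"; }

# Print one line per finding. Statements are matched globally (a zone-level
# allow-transfer also counts); that is enough for a first review.
audit_named_conf() {
    cfg=$(normalize_conf "$1")

    conf_has "$cfg" '(^| )listen-on( port [0-9]+)? *\{' \
        || echo "INFO: no listen-on; named binds every IPv4 interface"

    # BIND's default allow-transfer is "any": anyone may dump the zone with AXFR.
    conf_has "$cfg" 'allow-transfer *\{' \
        || echo "FINDING: no allow-transfer; zone transfers allowed from any host"

    if conf_has "$cfg" 'recursion +yes *;'; then
        acl=$(printf '%s' "$cfg" | grep -Eo 'allow-(query|recursion) *\{[^}]*\}')
        if [ -z "$acl" ] || printf '%s' "$acl" | grep -q 'any'; then
            echo "FINDING: recursion yes with no client restriction (open resolver)"
        fi
        # dnssec-enable is a separate, deprecated switch; validation is what matters.
        conf_has "$cfg" 'dnssec-validation +(no|off) *;' \
            && echo "FINDING: dnssec-validation off on a recursive server; answers are not validated"
    fi
    return 0
}

LAB_CONF=$(mktemp)       # constructed: mirrors the master named.conf on this page
cat > "$LAB_CONF" <<'EOF'
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
//      allow-query     { localhost; };
        allow-transfer  { 10.0.0.77; };
        /* see https://fedoraproject.org/wiki/Changes/CryptoPolicy
           - do NOT enable recursion on an authoritative server */
        recursion yes;
        dnssec-validation no;
};
zone "magedu.org" IN { type master; file "magedu.org.zone"; };
EOF

HARDENED_CONF=$(mktemp)  # constructed: authoritative only, transfers to the slave only
cat > "$HARDENED_CONF" <<'EOF'
options {
        listen-on port 53 { 10.0.0.88; };
        directory "/var/named";
        allow-query     { 10.0.0.0/24; };
        allow-transfer  { 10.0.0.77; };
        recursion no;
};
zone "magedu.org" IN { type master; file "magedu.org.zone"; };
EOF

OPEN_CONF=$(mktemp)      # constructed: no ACLs at all
printf 'options { directory "/var/named"; recursion yes; allow-query { any; }; };\n' > "$OPEN_CONF"

audit_named_conf "$LAB_CONF"
```

On a real host run audit_named_conf /etc/named.conf after named-checkconf has passed; the lab config produces the open-resolver and dnssec-validation findings, the hardened one produces none.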
2. Edit /etc/named.rfc1912.zones
Append the following at the end:
zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";   # relative to directory "/var/named" set in named.conf
};
The resulting file:
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//

zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};
3. Create the zone database file
[root@centos8-liyj /etc/named]#cd /var/named/
[root@centos8-liyj /var/named]#ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
3.1 Copy named.localhost as a template and edit it
[root@centos8-liyj /var/named]#cp -p named.localhost magedu.org.zone   # -p keeps owner and mode; otherwise fix the group by hand: chgrp named magedu.org.zone
[root@centos8-liyj /var/named]#ll
total 20
drwxrwx--- 2 named named    6 Aug 25  2021 data
drwxrwx--- 2 named named    6 Aug 25  2021 dynamic
-rw-r----- 1 root  named  152 Aug 25  2021 magedu.org.zone   # mode 640, owner root, group named: named must be able to read it
-rw-r----- 1 root  named 2253 Aug 25  2021 named.ca
-rw-r----- 1 root  named  152 Aug 25  2021 named.empty
-rw-r----- 1 root  named  152 Aug 25  2021 named.localhost
-rw-r----- 1 root  named  168 Aug 25  2021 named.loopback
drwxrwx--- 2 named named    6 Aug 25  2021 slaves
[root@centos8-liyj /var/named]#vim magedu.org.zone
$TTL 1D
@       IN SOA  ns1 admin.magedu.org. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1           # master
        NS      ns2           # slave
ns1     A       10.0.0.88     # addresses of the name servers
ns2     A       10.0.0.77
[root@centos8-liyj /var/named]#systemctl start named   # first start
[root@centos8-liyj /var/named]#rndc reload             # if named is already running, rndc reload re-reads the configuration without interrupting service
server reload successful
[root@centos8-liyj /var/named]#
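The zone file above starts at serial 0. A slave decides whether to pull the zone again purely by comparing SOA serials, so every edit to the master's zone file must raise the serial, or the slave configured later on this page keeps serving the old data. As an added example, not from the original page, the helper below reads and bumps the serial in place while keeping the file's owner and mode (the root:named 640 shown in the listing above), then runs named-checkzone when it is installed. The two zone files are constructed here: the first is a copy of the page's magedu.org.zone, the second a one-line SOA to show that the helper does not depend on the layout.

```shell
#!/bin/bash
# Added example (not code from the original page): read and increment the
# SOA serial of a BIND zone file. The sample zone files below are constructed.

# awk program shared by both functions. mode=get prints the serial;
# mode=bump rewrites the zone with serial+1, preserving all other bytes.
SOA_AWK='
{
    line = $0
    if (!done) {
        if (!insoa && match(line, /[ \t]SOA[ \t]/)) {
            insoa = 1
            head = substr(line, 1, RSTART + RLENGTH - 1)   # through "SOA "
            rest = substr(line, RSTART + RLENGTH)
        } else if (insoa) {
            head = ""; rest = line
        }
        # the first whitespace-delimited all-digit token after SOA is the serial
        # (a token test, so the "1" in "ns1" is not mistaken for it)
        if (insoa && match(rest, /(^|[ \t])[0-9]+([ \t]|$)/)) {
            tok = substr(rest, RSTART, RLENGTH)
            num = tok; gsub(/[ \t]/, "", num)
            if (mode == "get") { print num; exit }
            newtok = tok; sub(/[0-9]+/, num + 1, newtok)   # keep surrounding spacing
            line = head substr(rest, 1, RSTART - 1) newtok substr(rest, RSTART + RLENGTH)
            done = 1
        }
    }
    if (mode == "bump") print line
}'

# Print the current SOA serial of a zone file.
zone_serial() { awk -v mode=get "$SOA_AWK" "$1"; }

# Increment the serial in place and print the new value. Writing through
# "cat > file" instead of mv keeps the existing owner and mode (root:named 640),
# so named can still read the file afterwards.
bump_serial() {
    zone="$1"; file="$2"
    tmp=$(mktemp) || return 1
    awk -v mode=bump "$SOA_AWK" "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$file" >&2
    fi
    zone_serial "$file"
}

ZONE_FILE=$(mktemp)      # constructed copy of the page's magedu.org.zone
cat > "$ZONE_FILE" <<'EOF'
$TTL 1D
@       IN SOA  ns1 admin.magedu.org. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
        NS      ns2
ns1     A       10.0.0.88
ns2     A       10.0.0.77
EOF

ZONE_ONELINE=$(mktemp)   # constructed: same zone with a date-style serial on one line
cat > "$ZONE_ONELINE" <<'EOF'
$TTL 1D
@ IN SOA ns1 admin.magedu.org. ( 2022050201 1D 1H 1W 3H )
  NS ns1
ns1 A 10.0.0.88
EOF

echo "serial before: $(zone_serial "$ZONE_FILE")"
echo "serial after:  $(bump_serial magedu.org "$ZONE_FILE")"
```

After bumping, rndc reload on the master sends NOTIFY to the slave (notify is on by default), which then compares serials and transfers the zone; without a NOTIFY the slave only checks at the SOA refresh interval, 1D in this zone.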
Testing the master with dig
[root@centos8-liyj /var/named]#dig ns1.magedu.org   # the host's resolv.conf still pointed at an external resolver, and the real magedu.org exists on the internet, so the answer came from there:
ns1.magedu.org. 5 IN A 47.91.170.222   # the public address, not our lab server
Fix: remove the DNS entries from the interface configuration so that /etc/resolv.conf no longer lists the external nameserver (dig then falls back to 127.0.0.1), or simply ask the local server explicitly: dig @127.0.0.1 ns1.magedu.org
vim /etc/sysconfig/network-scripts/ifcfg-eth0
Remove the DNS lines, then restart the network service
[root@centos8-liyj /var/named]#cat /etc/sysconfig/network-scripts/ifcfg-eth0   # after the change: no DNS entries
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.88
PREFIX=24
GATEWAY=10.0.0.2
ONBOOT="yes"
[root@centos8-liyj /var/named]#dig ns1.magedu.org

; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a6b5b8d8778a6125c5397a2d626f938979def64920dcc8d5 (good)
;; QUESTION SECTION:
;ns1.magedu.org.                IN      A

;; ANSWER SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns1.magedu.org.
magedu.org.             86400   IN      NS      ns2.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 02 16:17:13 CST 2022
;; MSG SIZE  rcvd: 135
The aa flag and SERVER: 127.0.0.1 confirm that this is an authoritative answer from our own named, not a cached one from elsewhere.
Slave server configuration
[root@centos7-liyj ~]#vim /etc/named.conf
Comment out (//) the same two lines, set allow-transfer to none, and switch dnssec off:
options {
//      listen-on port 53 { 127.0.0.1; };
//      allow-query     { localhost; };
        allow-transfer  { none; };   # the slave hands the zone to nobody
        dnssec-enable no;            # yes changed to no
        dnssec-validation no;        # yes changed to no
};
The complete file (masterfile-format text; is added in the "unreadable zone file" step further down):
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
        allow-transfer  { none; };
        masterfile-format text;

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The same open-resolver caveat as on the master applies here: recursion yes with allow-query commented out is fine only on an isolated lab network.
[root@centos7-liyj ~]#vim /etc/named.rfc1912.zones
Append the following:
zone "magedu.org" {
        type slave;
        masters { 10.0.0.88; };
        file "slaves/magedu.org.slave";   # relative to /var/named; the slaves/ directory is writable by named
};
The resulting file:
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

zone "magedu.org" {
        type slave;
        masters { 10.0.0.88; };
        file "slaves/magedu.org.slave";
};
systemctl start named                     # first start
rndc reload                               # if named is already running
ls /var/named/slaves/magedu.org.slave     # confirm that the zone was transferred and written
[root@centos7-liyj ]#ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 264 May  2 17:06 magedu.org.slave
[root@centos7-liyj ]#cat /var/named/slaves/magedu.org.slave   # written automatically by the slave after the transfer
(binary data, unreadable with cat)
The file is unreadable because BIND (since 9.9) stores transferred zones in its raw binary format by default. This is a storage format, not an access control: the contents are exactly what the master sent, and anyone who can read the file can decode it. To keep the slave copy as text:
add masterfile-format text; to the options block
restart the service: systemctl restart named
[root@centos7-liyj /var/named/slaves]#cat /var/named/slaves/magedu.org.slave
$ORIGIN .
$TTL 86400      ; 1 day
magedu.org              IN SOA  ns1.magedu.org. admin.magedu.org. (
                                0          ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      ns1.magedu.org.
                        NS      ns2.magedu.org.
$ORIGIN magedu.org.
ns1                     A       10.0.0.88
ns2                     A       10.0.0.77
Testing with dig on the slave
First edit the eth0 configuration: remove the previous DNS entries and add one pointing at the master (the listing below uses DNS3=10.0.0.88)
[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.77
PREFIX=24
GATEWAY=10.0.0.2
DNS3=10.0.0.88
ONBOOT="yes"
[root@centos7-liyj /var/named/slaves]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39354
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.                IN      A

;; ANSWER SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns1.magedu.org.
magedu.org.             86400   IN      NS      ns2.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 17:53:49 CST 2022
;; MSG SIZE  rcvd: 107
Note SERVER: 10.0.0.88: this query was answered by the master, because resolv.conf points there. To confirm that the slave itself serves the zone, ask it directly with dig @127.0.0.1 ns2.magedu.org (or dig @10.0.0.77 from another host) and check that the aa flag is set.
Client-side resolution
Set the client's DNS1 to 10.0.0.88 and DNS2 to 10.0.0.77. The listing below has them the other way round (DNS1=10.0.0.77, DNS2=10.0.0.88), while the queries that follow went to 10.0.0.88; the stub resolver tries the nameservers in /etc/resolv.conf order, so put the master first if that is the intent and check resolv.conf after restarting the network.
[root@centos7-liyj ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0
[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.2
DNS1=10.0.0.77
DNS2=10.0.0.88
ONBOOT="yes"
Test with both master and slave online
yum install -y bind-utils   # dig on the client
[root@centos7-liyj ~]#dig ns1.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26563
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.magedu.org.                IN      A

;; ANSWER SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns1.magedu.org.
magedu.org.             86400   IN      NS      ns2.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:39 CST 2022
;; MSG SIZE  rcvd: 107

[root@centos7-liyj ~]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7070
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.                IN      A

;; ANSWER SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns1.magedu.org.
magedu.org.             86400   IN      NS      ns2.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:47 CST 2022
;; MSG SIZE  rcvd: 107
Master goes offline
[root@centos8-liyj ~]#systemctl stop named
[root@centos8-liyj ~]#systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
Client resolution
[root@centos7-liyj ~]#dig ns2.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57974
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.magedu.org.                IN      A

;; ANSWER SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns2.magedu.org.
magedu.org.             86400   IN      NS      ns1.magedu.org.

;; ADDITIONAL SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:26 CST 2022
;; MSG SIZE  rcvd: 107

[root@centos7-liyj ~]#dig ns1.magedu.org

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3739
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.magedu.org.                IN      A

;; ANSWER SECTION:
ns1.magedu.org.         86400   IN      A       10.0.0.88

;; AUTHORITY SECTION:
magedu.org.             86400   IN      NS      ns2.magedu.org.
magedu.org.             86400   IN      NS      ns1.magedu.org.

;; ADDITIONAL SECTION:
ns2.magedu.org.         86400   IN      A       10.0.0.77

;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:37 CST 2022
;; MSG SIZE  rcvd: 107
Both answers now come from 10.0.0.77 with the aa flag set: the slave is answering authoritatively from its transferred copy. The failover itself is done by the client's stub resolver, not by DNS: a query to the dead master times out first (glibc defaults: 5 s per attempt, 2 attempts, tunable with options timeout: and attempts: in /etc/resolv.conf) and is then retried against the next nameserver, so expect a delay on the first lookup after the master disappears. The slave keeps serving the zone on its own until the SOA expire time (1W in the zone above) passes without a successful refresh from the master; after that it stops answering for the zone.