######DNS######
On Linux, DNS servers fall into three types:
1. Caching name server (also called a cache server): authoritative for no zone; it only caches the results of name lookups locally to speed up later client queries.
2. Master (primary) name server: authoritative for one or more zones; it can also act as a caching server.
3. Slave (secondary) name server: a backup of the master; all of its zone data comes from the master.
A record: which IP address a domain name maps to.
NS record: which servers are authoritative for (responsible for resolving) the zone.
SOA record: which of the authoritative servers is the primary (master) server.
MX record: mail exchanger record.
PTR record: the reverse of an A record (IP address to name).
CNAME record: alias record.
(1) SOA resource record
Every zone database file begins with a Start of Authority (SOA) record. The SOA defines the zone's global parameters and holds the administrative settings for the whole zone. A zone file may contain exactly one SOA record.
(2) NS resource record
Name server (NS) resource records list the authoritative servers for the zone: the master and slave servers referred to by the SOA record, as well as the servers of any delegated sub-zone. Every zone has at least one NS record at its apex.
(3) A resource record
An address (A) resource record maps an FQDN to an IP address, so that a resolver can look up the IP address belonging to an FQDN.
(4) PTR resource record
The counterpart of the A record: a pointer (PTR) record maps an IP address back to an FQDN.
(5) CNAME resource record
A canonical name (CNAME) resource record creates an alias for a specific FQDN; users can reach the host through the alias defined in the CNAME record.
(6) MX resource record
A mail exchanger (MX) resource record names the mail exchange server for a DNS domain name. A mail exchanger is a host that processes or forwards mail for that domain name. Processing mail means delivering it to its destination or handing it over to a different kind of mail transport; forwarding means sending it on to the final destination server.
(7) Wildcard record
Apart from the resource records explicitly defined in the zone file, all other names under the domain can also be resolved by the DNS server (through a wildcard record).
Client (ip: 172.25.254.228):
[root@nds-client ~]# vim /etc/resolv.conf
nameserver 172.25.254.128
On the server (ip: 172.25.254.128)
### Configuring forward resolution in named ###
1. Install the software.
[root@dns-server named]# yum install bind -y
[root@dns-server named]# systemctl stop firewalld
or: firewall-cmd --permanent --add-service=dns ### add the dns service to the firewall
firewall-cmd --reload
[root@dns-server named]# systemctl start named
(Note: on first start this command generates a cryptographic key (/etc/rndc.key) and may block waiting for entropy; clicking or typing in the server host's console provides enough randomness for named to start.)
[root@dns-server named]# cat /dev/random
[root@dns-server named]# ll /etc/rndc.key
-rw-r-----. 1 root named 77 Dec 1 20:38 /etc/rndc.key
[root@dns-server named]# cat /etc/rndc.key ### the generated key
key "rndc-key" {
algorithm hmac-md5;
secret "C2mMI0hT1puWW68Ytt4CMQ==";
};
2. Edit the configuration file.
[root@dns-server named]# vim /etc/named.conf ### edit the main configuration file
10 options {
11 listen-on port 53 { any; }; ### accept queries on port 53 from any address
12 listen-on-v6 port 53 { ::1; }; ### IPv6: listen on loopback only (no external IPv6 access)
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query {any; }; ### allow anyone to query
18 forwarders { 172.25.254.250; }; ### upstream server whose answers this server caches (forwarder)
32 dnssec-validation no; ### disable DNSSEC validation (signature checking of answers; DNSSEC is not encryption)
[root@nds-server ~]# systemctl restart named
[root@nds-server ~]# netstat -antlpe | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 25 43075 2121/named
tcp 0 0 172.25.254.128:53 0.0.0.0:* LISTEN 25 43070 2121/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 43068 2121/named
tcp 0 0 172.25.254.128:22 172.25.254.28:55354 ESTABLISHED 0 25162 1407/sshd: root@pts
tcp6 0 0 ::1:953 :::* LISTEN 25 43076 2121/named
tcp6 0 0 ::1:53 :::* LISTEN 25 43072 2121/named
[root@dns-server etc]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN { #### the zone this server is authoritative for
26 type master;
27 file "westos.com.zone"; #### file holding the zone's records (A records etc.)
28 };
[root@dns-server etc]# cp -p /var/named/named.localhost /var/named/westos.com.zone
[root@dns-server named]# vim /var/named/westos.com.zone #### write the zone (A record) file
1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com. ### the authoritative DNS host for the zone
9 dns A 172.25.254.128 ### A record for that DNS host
10 music A 172.25.254.111
11 bbs CNAME music.westos.com.
12 westos.com. MX 1 172.25.254.110.
Note: a name without a trailing "." automatically gets the westos.com domain appended. (The MX target on line 12 is written as an IP literal; by RFC 1035 an MX must point to a host name that has an A record, so named stores "172.25.254.110." as a name here rather than as an address.)
Result on the client:
Effect of line 10:
[root@nds-client ~]# dig music.westos.com
;; ANSWER SECTION:
music.westos.com. 86400 IN A 172.25.254.111
Effect of line 11:
[root@nds-client ~]# dig bbs.westos.com
bbs.westos.com. 86400 IN CNAME music.westos.com.
Effect of line 12:
[root@nds-client ~]# mail test@westos.com ### send a test mail
Subject: sdsf
afds
af
.
EOT
[root@nds-client ~]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
6294926BADD 448 Fri Dec 2 21:21:14 root@nds-client.example.com
(connect to 172.25.254.110[172.25.254.110]:25: No route to host)
test@westos.com
[root@nds-client ~]# postsuper -d 6294926BADD ### delete the queued mail
postsuper: 6294926BADD: removed
postsuper: Deleted: 1 message
##### Reverse resolution #####
[root@nds-server named]# vim /etc/named.rfc1912.zones
37 zone "1.0.0.127.in-addr.arpa" IN {
38 type master;
39 file "named.loopback";
40 allow-update { none; };
41 };
42
43 zone "254.25.172.in-addr.arpa" IN {
44 type master;
45 file "westos.comNaNr";
46 allow-update { none; };
47 };
[root@nds-server named]# vim westos.comNaNr
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.128
111 PTR www.westos.com.
[root@nds-server named]# systemctl restart named
Result on the client:
[root@nds-client ~]# dig -x 172.25.254.111
;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.
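An added consistency check (my own example, not part of the original notes) over the forward zone and the reverse zone written above: it flags the MX on line 12 of westos.com.zone, whose target is an IP literal rather than a host name, and the PTR for .111, which names www.westos.com. while the forward zone gives that address to music.westos.com.. The records are embedded as constructed sample data; the origins westos.com. and 254.25.172.in-addr.arpa. are the ones from the configuration.

```python
import ipaddress

# Constructed sample: the records from westos.com.zone and the reverse zone above.
FORWARD = """\
dns A 172.25.254.128
music A 172.25.254.111
bbs CNAME music.westos.com.
westos.com. MX 1 172.25.254.110.
"""
REVERSE = "111 PTR www.westos.com.\n"

def parse_records(text, origin):
    """(fqdn, type, rdata) tuples; relative owners get the origin appended, as named does."""
    records = []
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 3:
            owner = parts[0] if parts[0].endswith(".") else f"{parts[0]}.{origin}"
            records.append((owner, parts[1], " ".join(parts[2:])))
    return records

def is_ip_literal(name):
    """True if 'name' is really a bare IP address (trailing dot allowed)."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False

def lint(forward, reverse, origin="westos.com.",
         rev_origin="254.25.172.in-addr.arpa."):
    """Problems in the forward zone and in its agreement with the reverse zone."""
    problems, types_by_owner, owners_by_ip = [], {}, {}
    for owner, rtype, rdata in parse_records(forward, origin):
        types_by_owner.setdefault(owner, set()).add(rtype)
        if rtype == "A":
            owners_by_ip.setdefault(rdata, set()).add(owner)
        # MX RDATA is a host name; named stores an IP literal here as a *name*.
        if rtype == "MX" and is_ip_literal(rdata.split()[1]):
            problems.append(f"MX for {owner} targets IP literal {rdata.split()[1]}")
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:  # a CNAME owner may hold no other data
            problems.append(f"{owner} mixes CNAME with {sorted(types - {'CNAME'})}")
    for owner, rtype, rdata in parse_records(reverse, rev_origin):
        if rtype == "PTR":  # 111.254.25.172.in-addr.arpa. -> 172.25.254.111
            ip = ".".join(reversed(owner.removesuffix(".in-addr.arpa.").split(".")))
            if rdata not in owners_by_ip.get(ip, set()):
                problems.append(f"PTR {ip} -> {rdata} has no matching A record; "
                                f"forward zone has {sorted(owners_by_ip.get(ip, []))}")
    return problems
```

This covers only the three checks shown; syntax and SOA/NS checks are still the job of named-checkzone before restarting named.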
### Restricting access for internal and external networks (views) ###
[root@nds-server named]# cp -p westos.com.zone westos.com.inter
[root@nds-server named]# vim westos.com.inter
1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 192.168.1.128
10 music A 192.168.1.111
11 bbs CNAME music.westos.com.
12 westos.com. MX 1 192.168.1.110.
[root@nds-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter
[root@nds-server named]# vim /etc/named.rfc1912.zones.inter
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.inter";
28 allow-update { none; };
29 };
[root@nds-server named]# vim /etc/named.conf
50 /*
51 zone "." IN {
52 type hint;
53 file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";
57 include "/etc/named.root.key";
58 */
59 view localnet {
60 match-clients { 172.25.254.228; }; ### only 172.25.254.228 is served /etc/named.rfc1912.zones (172.25.254.0/24 would match the whole subnet)
61
62 zone "." IN {
63 type hint;
64 file "named.ca";
65 };
66
67 include "/etc/named.rfc1912.zones";
68 };
69
70 view any {
71 match-clients { any; }; ### everyone else is served /etc/named.rfc1912.zones.inter
72
73 zone "." IN {
74 type hint;
75 file "named.ca";
76 };
77
78 include "/etc/named.rfc1912.zones.inter";
79 };
[root@nds-server named]# systemctl restart named
Result:
Client 172.25.254.228:
[root@nds-client ~]# dig music.westos.com
;; ANSWER SECTION:
music.westos.com. 86400 IN A 172.25.254.111
Client 172.25.254.90:
[root@localhost ~]# dig music.westos.com
;; ANSWER SECTION:
music.westos.com. 86400 IN A 192.168.1.111
###### Secondary (slave) DNS #####
### Zone synchronisation ####
Install bind on the secondary host.
[root@nds-client slaves]# yum install bind -y
[root@nds-client ~]# firewall-cmd --permanent --add-service=dns
success
[root@nds-client ~]# firewall-cmd --reload
success
[root@nds-client ~]# systemctl start named
[root@nds-client ~]# vim /etc/named.conf
11 // listen-on port 53 { 127.0.0.1; };
17 // allow-query { localhost; };
32 dnssec-validation no;
[root@nds-client slaves]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type slave;
27 masters { 172.25.254.128; };
28 file "slaves/westos.com.zone";
29 allow-update { none; };
30 };
[root@nds-client ~]# systemctl restart named
[root@nds-client ~]# cd /var/named/slaves/
[root@nds-client slaves]# ls
westos.com.zone
[server host]
[root@nds-server named]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 also-notify { 172.25.254.228; }; #### notify 172.25.254.228 so that the slave syncs from this master
30 };
Note: the slave re-synchronises only after the serial number (the "0" in front of "; serial") has been changed on the master:
3 0 ; serial
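As an added illustration of the serial rule above (my own example, not part of the original notes): a slave compares serials with RFC 1982 serial arithmetic, so an unchanged serial, or one that was lowered or reset to 0, never triggers a transfer, while a correct wrap-around past 2^32 still does.

```python
SERIAL_MOD = 1 << 32   # SOA serials are unsigned 32-bit numbers
HALF = 1 << 31

def serial_gt(a, b):
    """RFC 1982 comparison: is serial a 'newer' than serial b?
    Unlike plain a > b this stays correct across the 2^32 wrap-around."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)

def slave_will_transfer(master_serial, slave_serial):
    """A slave refreshes its copy only when the master's serial is newer.
    An unchanged serial, or one that was lowered/reset (e.g. back to 0),
    leaves the slave serving its old copy of the zone."""
    return serial_gt(master_serial, slave_serial)

def bump_serial(current):
    """Next serial for an edited zone file, staying within 32 bits."""
    return (current + 1) % SERIAL_MOD
```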
##### Dynamic DNS updates #####
[root@nds-server named]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.228; }; ### allow 172.25.254.228 to add records (e.g. A records) to this zone
29 };
[root@nds-server named]# chmod 770 /var/named/
[root@nds-server named]# setsebool -P named_write_master_zones 1
[root@nds-client named]# nsupdate
> server 172.25.254.128
> update add www.westos.com 86400 A 172.25.254.111
> send
Result:
[root@nds-server named]# systemctl restart named
[root@nds-server named]# vim westos.com.zone
1 $ORIGIN .
2 $TTL 86400 ; 1 day
3 westos.com IN SOA dns.westos.com. root.westos.com. (
4 2 ; serial
5 86400 ; refresh (1 day)
6 3600 ; retry (1 hour)
7 604800 ; expire (1 week)
8 10800 ; minimum (3 hours)
9 )
10 NS dns.westos.com.
11 MX 1 172.25.254.110.
12 $ORIGIN westos.com.
13 bbs CNAME music
14 dns A 172.25.254.128
15 music A 172.25.254.234
16 A 172.25.254.111
17 www A 172.25.254.111
###### Authenticating dynamic updates with a key #####
## Creating and handling the key ##
[root@nds-server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST lalala ### generate the key
Klalala.+157+08891
[root@nds-server named]# cat Klalala.+157+08891.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 0M/4AyXAN1Om5Uz9qexZZw==
Bits: AAA=
Created: 20161203075913
Publish: 20161203075913
Activate: 20161203075913
[root@nds-server named]# cat Klalala.+157+08891.key
lalala. IN KEY 512 3 157 0M/4AyXAN1Om5Uz9qexZZw==
[root@nds-server named]# cp -p /etc/rndc.key /etc/westos.key
[root@nds-server named]# vim /etc/westos.key ### write the key name and secret into the file
1 key "lalala" {
2 algorithm hmac-md5;
3 secret "0M/4AyXAN1Om5Uz9qexZZw==";
4 };
[root@nds-server named]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN { ### only a client holding the lalala key may update this zone
26 type master;
27 file "westos.com.zone";
28 allow-update { key lalala; };
29 };
[root@nds-server named]# scp Klalala.+157+08891.* root@172.25.254.228:/mnt ### hand the key to 172.25.254.228
[root@nds-client mnt]# nsupdate -k Klalala.+157+08891.key #### update the zone using the key
> server 172.25.254.128
> update add www.westos.com 86400 A 172.25.254.111
> send
> quit
Result:
[root@nds-server named]# systemctl restart named
1 $ORIGIN .
2 $TTL 86400 ; 1 day
3 westos.com IN SOA dns.westos.com. root.westos.com. (
4 2 ; serial
5 86400 ; refresh (1 day)
6 3600 ; retry (1 hour)
7 604800 ; expire (1 week)
8 10800 ; minimum (3 hours)
9 )
10 NS dns.westos.com.
11 MX 1 172.25.254.110.
12 $ORIGIN westos.com.
13 bbs CNAME music
14 dns A 172.25.254.128
15 music A 172.25.254.234
16 A 172.25.254.111
17 www A 172.25.254.111
##### Letting DHCP update DNS automatically with the key #####
[root@nds-server named]# yum install dhcp -y
[root@nds-server named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y
[root@nds-server named]# vim /etc/dhcp/dhcpd.conf
7 option domain-name "westos.com";
8 option domain-name-servers 172.25.254.128;
14 ddns-update-style interim;
30 subnet 172.25.254.0 netmask 255.255.255.0 {
31 range 172.25.254.227 172.25.254.240;
32 option routers 172.25.254.128;
33 }
[root@nds-server named]# man 5 dhcpd.conf
Find the following in the man page:
key DHCP_UPDATER {
algorithm hmac-md5;
secret pRP5FapFoJ95JEL06sv4PQ==;
};
zone EXAMPLE.ORG. {
primary 127.0.0.1;
key DHCP_UPDATER;
}
and add it, adapted to our key and zone, to /etc/dhcp/dhcpd.conf:
35 key lalala {
36 algorithm hmac-md5;
37 secret 0M/4AyXAN1Om5Uz9qexZZw==;
38 };
39
40 zone westos.com. {
41 primary 127.0.0.1;
42 key lalala;
43 }
[root@nds-server named]# cat /etc/westos.key
key "lalala" {
algorithm hmac-md5;
secret "0M/4AyXAN1Om5Uz9qexZZw==";
};
[root@dns-server named]# rm -fr westos.com.zone westos.com.zone.jnl
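The same secret has to appear in three places (the .private file from dnssec-keygen, /etc/westos.key for named, and dhcpd.conf), in two slightly different stanza formats. As an added example (mine, not part of the notes) this reads the .private file shown above and emits both stanzas, so the secret is never retyped by hand. The file contents are embedded as constructed sample data taken from the page; the algorithm-number table is BIND's TSIG numbering (157 = HMAC-MD5, 163 = HMAC-SHA256), and HMAC-SHA256 is the algorithm to prefer for new keys.

```python
import base64

# Constructed sample: Klalala.+157+08891.private as printed in the notes above
# (lab secret from the page, not a live key).
PRIVATE_FILE = """\
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 0M/4AyXAN1Om5Uz9qexZZw==
Bits: AAA=
"""

# TSIG algorithm numbers written by dnssec-keygen -n HOST and the names that
# named and dhcpd expect in their key {} stanzas.  157 (HMAC-MD5) is what the
# lab used; new keys should be HMAC-SHA256 (dnssec-keygen -a HMAC-SHA256 -b 256).
ALGORITHMS = {157: "hmac-md5", 161: "hmac-sha1", 162: "hmac-sha224",
              163: "hmac-sha256", 164: "hmac-sha384", 165: "hmac-sha512"}

def parse_private_key(text):
    """Return (algorithm_name, secret_b64) from a dnssec-keygen .private file."""
    fields = dict(line.split(":", 1) for line in text.splitlines() if ":" in line)
    algo_no = int(fields["Algorithm"].split()[0])
    secret = fields["Key"].strip()
    base64.b64decode(secret, validate=True)   # fail early on a corrupted secret
    return ALGORITHMS[algo_no], secret

def named_key_stanza(name, algorithm, secret):
    """key {} block for /etc/westos.key: named wants the secret in quotes."""
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def dhcpd_key_stanza(name, algorithm, secret):
    """Matching block for dhcpd.conf, in the unquoted form the man page shows."""
    return f"key {name} {{\n\talgorithm {algorithm};\n\tsecret {secret};\n}};\n"
```

Both output files hold the shared secret, so they need the same ownership and 0640-style permissions as /etc/rndc.key shown earlier.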