######DNS######

 

Linux DNS servers fall into three classes:

1. Caching name server (cache-only server): authoritative for no zone; it only caches the results of queries locally so that later client lookups are faster.

2. Master name server: authoritative for one or more zones; it can also act as a caching server.

3. Slave name server: a backup of the master; all of its zone data comes from the master.

 

A record: which IP address a domain name maps to.

NS record: which servers are authoritative for the zone.

SOA record: which of the authoritative servers is the master.

MX record: mail exchange record.

PTR record: the reverse of an A record.

CNAME record: alias record.

 

(1) SOA resource record

Every zone database file starts with a Start of Authority record (SOA record). The SOA defines the zone's global parameters and carries its administrative settings. A zone file may contain exactly one SOA record.

(2) NS resource record

Name server (NS) resource records list the authoritative servers for the zone: the master and slave servers named by the SOA record, plus the servers of any delegated sub-zone. Every zone contains at least one NS record at its apex.

(3) A resource record

An address (A) resource record maps an FQDN to an IP address, so a resolver can look up the IP address for an FQDN.

(4) PTR resource record

The inverse of an A record: a pointer (PTR) record maps an IP address back to an FQDN.

(5) CNAME resource record

A canonical name (CNAME) resource record creates an alias for a specific FQDN; users can reach the host through the alias defined in the CNAME record.

(6) MX resource record

A mail exchange (MX) resource record names the mail exchange server for a DNS domain name. A mail exchanger is a host that processes or forwards mail for that domain name. Processing mail means delivering it to its destination or handing it to a different kind of mail transport; forwarding means sending it on to the final destination server.

(7) Wildcard record

Apart from the resource records explicitly defined in the zone file, all other names in the domain can still be resolved by DNS.

 

 

 

Client (ip 172.25.254.228):

[root@nds-client ~]# vim /etc/resolv.conf

nameserver 172.25.254.128

 

Server (ip: 172.25.254.128)

###Configure DNS forward resolution###

 

1. Install the software.

[root@dns-server named]# yum install bind -y

[root@dns-server named]# systemctl stop firewalld

firewall-cmd --permanent --add-service=dns      ###add the dns service to the firewall

firewall-cmd --reload

 

[root@dns-server named]# systemctl start named

 

(Note: on this command named first generates a key, so you need to click around in the server host's console to produce enough randomness before it finishes starting.)

[root@dns-server named]# cat /dev/random

@gFM~?

S(u

[root@dns-server named]# ll /etc/rndc.key

-rw-r-----. 1 root named 77 Dec  1 20:38 /etc/rndc.key

[root@dns-server named]# cat /etc/rndc.key    ###the generated key

key "rndc-key" {

algorithm hmac-md5;

secret "C2mMI0hT1puWW68Ytt4CMQ==";

};

 

2. Edit the configuration file.

[root@dns-server named]# vim /etc/named.conf          ###edit the configuration file

 

 10 options {

 11         listen-on port 53 { any; };                ###port 53 reachable from any address

 12         listen-on-v6 port 53 { ::1; };             ###IPv6 restricted to loopback (effectively off)

 13         directory       "/var/named";

 14         dump-file       "/var/named/data/cache_dump.db";

 15         statistics-file "/var/named/data/named_stats.txt";

 16         memstatistics-file "/var/named/data/named_mem_stats.txt";

 17         allow-query     { any; };                  ###allow queries from anyone (an open resolver; restrict to the lab subnet outside a lab)

 18         forwarders { 172.25.254.250; };            ###upstream server whose answers are cached

 32         dnssec-validation no;                     ###whether DNSSEC signatures are validated on lookups (off here)

 

[root@nds-server ~]# systemctl restart named

[root@nds-server ~]# netstat -antlpe | grep 53

tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      25         43075      2121/named          

tcp        0      0 172.25.254.128:53       0.0.0.0:*               LISTEN      25         43070      2121/named          

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      25         43068      2121/named          

tcp        0      0 172.25.254.128:22       172.25.254.28:55354     ESTABLISHED 0          25162      1407/sshd: root@pts

tcp6       0      0 ::1:953                 :::*                    LISTEN      25         43076      2121/named          

tcp6       0      0 ::1:53                  :::*                    LISTEN      25         43072      2121/named          

 

[root@dns-server etc]# vim /etc/named.rfc1912.zones

 25 zone "westos.com" IN {                                ####the domain to be served

 26           type master;

 27           file "westos.com.zone";                     ####zone file holding the A records

 28   };

 

[root@dns-server etc]# cp -p /var/named/named.localhost  /var/named/westos.com.zone

[root@dns-server named]# vim /var/named/westos.com.zone    ####write the zone (A record) file

 

  1 $TTL 1D

  2 @       IN SOA  dns.westos.com. root.westos.com. (

  3                                         0       ; serial

  4                                         1D      ; refresh

  5                                         1H      ; retry

  6                                         1W      ; expire

  7                                         3H )    ; minimum

  8         NS      dns.westos.com.                    ###the DNS server for the zone

  9 dns     A       172.25.254.128                     ###address of the DNS server

 10 music   A       172.25.254.111

 11 bbs             CNAME   music.westos.com.

 12 westos.com.     MX 1    172.25.254.110.

Note: a name written without a trailing "." automatically gets westos.com appended.
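The zone file above, parsed and sanity-checked in Python. This is an added example, not part of the original notes: the zone text is a constructed copy of the listing embedded in the script, and the checks (exactly one SOA at the apex, an NS at the apex, NS/CNAME targets that exist as A records, MX targets that are host names rather than addresses) are the ones worth running before restarting named. On this zone it flags line 12, because RFC 1035 requires the MX exchange to be a host name.

```python
import re

# Constructed copy of the westos.com.zone listing above, embedded so the check runs offline.
ZONE_TEXT = """$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.128
music   A       172.25.254.111
bbs             CNAME   music.westos.com.
westos.com.     MX 1    172.25.254.110.
"""

def fqdn(name, origin="westos.com."):
    # The rule from the note: "@" is the origin, and a name without a trailing "." gets the origin appended.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin="westos.com."):
    # Returns (owner, type, rdata tokens) triples; ";" comments are dropped and the SOA's ( ... ) is joined.
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"): continue   # blank lines and $TTL ($ORIGIN is not handled)
        tokens = line.split()
        if not line[0].isspace():                                # an empty owner column repeats the previous owner
            owner = fqdn(tokens.pop(0), origin)
        if tokens[0] == "IN": tokens.pop(0)                      # the class is optional in the listing
        records.append((owner, tokens[0], tokens[1:]))
    return records

def check_zone(records, origin="westos.com."):
    # Checks worth running before "systemctl restart named"; returns a list of problem descriptions.
    problems = []
    a_owners = {o for o, t, _ in records if t == "A"}
    if [o for o, t, _ in records if t == "SOA"] != [origin]:
        problems.append("zone needs exactly one SOA record, owned by the origin")
    if not any(o == origin and t == "NS" for o, t, _ in records):
        problems.append("no NS record at the zone apex")
    for _, rtype, rdata in records:
        target = rdata[-1]                                       # for NS, CNAME and MX the last token is the target
        if rtype in ("NS", "CNAME") and target.endswith(origin) and target not in a_owners:
            problems.append(f"{rtype} target {target} has no A record in the zone")
        if rtype == "MX" and re.fullmatch(r"[\d.]+", target):   # RFC 1035: the MX exchange must be a host name
            problems.append(f"MX target {target} is an address literal, not a host name")
    return problems
```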

 

Results on the client:

Line 10:

[root@nds-client ~]# dig music.westos.com

;; ANSWER SECTION:

music.westos.com.       86400   IN      A       172.25.254.111

 

Line 11:

[root@nds-client ~]# dig bbs.westos.com

bbs.westos.com.         86400   IN      CNAME   music.westos.com.

Line 12:

[root@nds-client ~]# mail test@westos.com            ###send a test mail

Subject: sdsf

afds

af

.

EOT

[root@nds-client ~]# mailq

-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------

6294926BADD      448 Fri Dec  2 21:21:14  root@nds-client.example.com

              (connect to 172.25.254.110[172.25.254.110]:25: No route to host)

                                         test@westos.com

[root@nds-client ~]# postsuper -d 6294926BADD                ###delete the queued mail

postsuper: 6294926BADD: removed

postsuper: Deleted: 1 message

 

 

 

####Reverse resolution#####

[root@nds-server named]# vim /etc/named.rfc1912.zones

 37 zone "1.0.0.127.in-addr.arpa" IN {

 38         type master;

 39         file "named.loopback";

 40         allow-update { none; };

 41 };

 42

 43 zone "254.25.172.in-addr.arpa" IN {

 44         type master;

 45         file "westos.comNaNr";

 46         allow-update { none; };

 47 };

[root@nds-server named]# vim westos.comNaNr

 

$TTL 1D

@       IN SOA  dns.westos.com. root.westos.com. (

                                        0       ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      dns.westos.com.

dns     A       172.25.254.128

111     PTR     www.westos.com.

 

[root@nds-server named]# systemctl restart named

 

Result on the client:

[root@nds-client ~]# dig -x 172.25.254.111

 

;; ANSWER SECTION:

111.254.25.172.in-addr.arpa. 86400 IN      PTR     www.westos.com.

 

 

 

###Restricting internal and external access###

 

[root@nds-server named]# cp -p westos.com.zone westos.com.inter

[root@nds-server named]# vim westos.com.inter

  1 $TTL 1D

  2 @       IN SOA  dns.westos.com. root.westos.com. (

  3                                         0       ; serial

  4                                         1D      ; refresh

  5                                         1H      ; retry

  6                                         1W      ; expire

  7                                         3H )    ; minimum

  8                 NS      dns.westos.com.

  9 dns             A       192.168.1.128

 10 music           A       192.168.1.111

 11 bbs             CNAME   music.westos.com.

 12 westos.com.     MX 1    192.168.1.110.

 

[root@nds-server named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inter

[root@nds-server named]# vim /etc/named.rfc1912.zones.inter

 

 25 zone "westos.com" IN {

 26          type master;

 27          file "westos.com.inter";

 28          allow-update { none; };

 29 };

 

[root@nds-server named]# vim /etc/named.conf

 

 50 /*

 51 zone "." IN {

 52         type hint;

 53         file "named.ca";

 54 };

 55

 56 include "/etc/named.rfc1912.zones";

 57 include "/etc/named.root.key";

 58 */

 59 view localnet {

 60      match-clients { 172.25.254.228; };            ###only 172.25.254.228 is served from /etc/named.rfc1912.zones (172.25.254.0/24 would cover the whole subnet)

 61

 62         zone "." IN {

 63         type hint;

 64         file "named.ca";

 65 };

 66

 67 include "/etc/named.rfc1912.zones";

 68 };

 69

 70 view any {

 71         match-clients { any; };            ###everyone else is served from /etc/named.rfc1912.zones.inter

 72

 73         zone "." IN {

 74         type hint;

 75         file "named.ca";

 76 };

 77

 78 include "/etc/named.rfc1912.zones.inter";

 79 };

[root@nds-server named]# systemctl restart named

 

Result:

Client 172.25.254.228:

[root@nds-client ~]# dig music.westos.com

;; ANSWER SECTION:

music.westos.com.       86400   IN      A       172.25.254.111

 

Client 172.25.254.90:

[root@localhost ~]# dig music.westos.com

;; ANSWER SECTION:

music.westos.com.       86400   IN      A       192.168.1.111

 

######Slave DNS#####

 

###DNS zone synchronization####

 

Install bind on the slave:

[root@nds-client slaves]# yum install bind -y

[root@nds-client ~]# firewall-cmd --permanent --add-service=dns

success

[root@nds-client ~]# firewall-cmd --reload

success

[root@nds-client ~]# systemctl start named

[root@nds-client ~]# vim /etc/named.conf

 

11 //      listen-on port 53 { 127.0.0.1; };

17 //      allow-query     { localhost; };

32         dnssec-validation no;

 

 

 

 

[root@nds-client slaves]# vim /etc/named.rfc1912.zones

 

25 zone "westos.com" IN {

 26         type slave;

 27         masters { 172.25.254.128; };

 28         file "slaves/westos.com.zone";

 29         allow-update { none; };

 30 };

 

[root@nds-client ~]# systemctl restart named

[root@nds-client ~]# cd /var/named/slaves/

[root@nds-client slaves]# ls

westos.com.zone

 

 

[server]

 

[root@nds-server named]# vim /etc/named.rfc1912.zones

25 zone "westos.com" IN {

 26          type master;

 27          file "westos.com.zone";

 28          allow-update { none; };

 29          also-notify { 172.25.254.228; };            ####notify 172.25.254.228 so that its DNS syncs from the master

 30 };

 

 

 

 

Note: the slave only synchronizes when the number in front of "; serial" (here "0") has changed.

 3                                         0       ; serial
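The rule behind this note, as an added example that is not part of the original notes: a slave transfers the zone only when the master's serial is newer under the 32-bit serial arithmetic of RFC 1982, so "different" really means "greater, allowing for wraparound"; editing records and leaving the serial at 0 changes nothing on the slave. The second helper bumps a serial in the common YYYYMMDDnn style; the dates used are constructed inputs.

```python
SERIAL_MOD = 2 ** 32          # SOA serials are unsigned 32-bit values that wrap around
HALF = 2 ** 31

def serial_gt(a, b):
    # RFC 1982 sequence-space comparison: a is newer than b when it lies less than half the space ahead of b.
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return a != b and ((a > b and a - b < HALF) or (a < b and b - a > HALF))

def slave_needs_transfer(master_serial, slave_serial):
    # The note's rule made precise: the slave pulls the zone only when the master's serial is newer,
    # so editing records while leaving the serial at 0 (as in the listing) changes nothing on the slave.
    return serial_gt(master_serial, slave_serial)

def next_serial(current, today):
    # Bump in the YYYYMMDDnn style: the first change of a day gets nn=00, later changes increment,
    # and a serial that is already ahead (e.g. an old hand-set value) is never moved backwards.
    candidate = today * 100
    return candidate if serial_gt(candidate, current) else current + 1
```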

 

 

 

#####Dynamic DNS update#####

 

[root@nds-server named]# vim /etc/named.rfc1912.zones

25 zone "westos.com" IN {

 26          type master;

 27          file "westos.com.zone";

 28          allow-update { 172.25.254.228; };            ###allow 172.25.254.228 to add A records to this zone

 29 };

 

[root@nds-server named]# chmod 770 /var/named/

[root@nds-server named]# setsebool -P named_write_master_zones 1

 

[root@nds-client named]# nsupdate

> server 172.25.254.128

> update add www.westos.com 86400 A 172.25.254.111

> send

 

 

 

Result:

[root@nds-server named]# systemctl restart named

[root@nds-server named]# vim westos.com.zone

 

 1 $ORIGIN .

  2 $TTL 86400      ; 1 day

  3 westos.com              IN SOA  dns.westos.com. root.westos.com. (

  4                                 2          ; serial

  5                                 86400      ; refresh (1 day)

  6                                 3600       ; retry (1 hour)

  7                                 604800     ; expire (1 week)

  8                                 10800      ; minimum (3 hours)

  9                                 )

 10                         NS      dns.westos.com.

 11                         MX      1 172.25.254.110.

 12 $ORIGIN westos.com.

 13 bbs                     CNAME   music

 14 dns                     A       172.25.254.128

 15 music                   A       172.25.254.234

 16                         A       172.25.254.111

 17 www                     A       172.25.254.111

 

######Dynamic DNS update with a key#####

 

##Creating and installing the key##

[root@nds-server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST lalala    ###generate the key

Klalala.+157+08891

[root@nds-server named]# cat Klalala.+157+08891.private

Private-key-format: v1.3

Algorithm: 157 (HMAC_MD5)

Key: 0M/4AyXAN1Om5Uz9qexZZw==

Bits: AAA=

Created: 20161203075913

Publish: 20161203075913

Activate: 20161203075913

[root@nds-server named]# cat Klalala.+157+08891.key

lalala. IN KEY 512 3 157 0M/4AyXAN1Om5Uz9qexZZw==

 

[root@nds-server named]# cp -p /etc/rndc.key /etc/westos.key

[root@nds-server named]# vim /etc/westos.key                ###write the key name and secret into the file

 

1 key "lalala" {

  2         algorithm hmac-md5;

  3         secret "0M/4AyXAN1Om5Uz9qexZZw==";

  4 };

 

[root@nds-server named]# vim /etc/named.rfc1912.zones

 

25 zone "westos.com" IN {                                    ###only holders of the key lalala may update this zone

 26          type master;

 27          file "westos.com.zone";

 28          allow-update { key lalala; };

 

[root@nds-server named]# scp Klalala.+157+08891.* root@172.25.254.228:/mnt    ###hand the key to 172.25.254.228

 

 

[root@nds-client mnt]# nsupdate -k Klalala.+157+08891.key                     ####update DNS with the key

> server 172.25.254.128

> update add www.westos.com 86400 A 172.25.254.111

> send

> quit

 

Result:

[root@nds-server named]# systemctl restart named

 

 1 $ORIGIN .

  2 $TTL 86400      ; 1 day

  3 westos.com              IN SOA  dns.westos.com. root.westos.com. (

  4                                 2          ; serial

  5                                 86400      ; refresh (1 day)

  6                                 3600       ; retry (1 hour)

  7                                 604800     ; expire (1 week)

  8                                 10800      ; minimum (3 hours)

  9                                 )

 10                         NS      dns.westos.com.

 11                         MX      1 172.25.254.110.

 12 $ORIGIN westos.com.

 13 bbs                     CNAME   music

 14 dns                     A       172.25.254.128

 15 music                   A       172.25.254.234

 16                         A       172.25.254.111

 17 www                     A       172.25.254.111

 

 

#####Using the key so that dhcp updates DNS with leased IPs automatically#####

 

[root@nds-server named]# yum install dhcp -y

[root@nds-server named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf

cp: overwrite /etc/dhcp/dhcpd.conf? y

 

[root@nds-server named]# vim /etc/dhcp/dhcpd.conf

 

7 option domain-name "westos.com";

8 option domain-name-servers 172.25.254.128;

14 ddns-update-style interim;

30 subnet 172.25.254.0 netmask 255.255.255.0 {

31   range 172.25.254.227  172.25.254.240;

32   option routers 172.25.254.128;

33 }

 

[root@nds-server named]# man 5 dhcpd.conf

Find:

 key DHCP_UPDATER {

         algorithm hmac-md5;

         secret pRP5FapFoJ95JEL06sv4PQ==;

       };

 

       zone EXAMPLE.ORG. {

         primary 127.0.0.1;

         key DHCP_UPDATER;

       }

Add to /etc/dhcp/dhcpd.conf:

 

 35 key lalala {

 36          algorithm hmac-md5;

 37          secret 0M/4AyXAN1Om5Uz9qexZZw==;

 38 };

 39

 40 zone westos.com. {

 41          primary 127.0.0.1;

 42          key lalala;

 43 }

 

 

[root@nds-server named]# cat /etc/westos.key

key "lalala" {

algorithm hmac-md5;

secret "0M/4AyXAN1Om5Uz9qexZZw==";

};
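The same secret has to appear, in three different syntaxes, in /etc/westos.key, in the K*.key file that nsupdate reads, and in dhcpd.conf (the key and dhcp sections above). The Python below is an added example, not from the original notes: it generates a fresh secret of the same size as "dnssec-keygen -b 128", emits all three fragments from it, and checks that they agree. The key name lalala, the zone westos.com. and primary 127.0.0.1 are taken from the listings; hmac-sha256 (algorithm 163) is listed next to hmac-md5 because recent BIND and ISC dhcpd accept it and it is the better choice outside a lab.

```python
import base64
import secrets

# TSIG algorithm numbers: 157 is HMAC-MD5 (the "+157+" in the Klalala.+157+08891 file names above);
# 163 is HMAC-SHA256, which recent BIND and ISC dhcpd also accept and which should replace hmac-md5 outside a lab.
ALGORITHMS = {"hmac-md5": 157, "hmac-sha256": 163}

def make_secret(bits=128):
    # Same size as "dnssec-keygen -b 128": random bytes, base64-encoded like the secret in the listings.
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def bind_key_stanza(name, secret, algorithm="hmac-md5"):
    # /etc/westos.key syntax: named wants the key name and the secret in double quotes.
    return f'key "{name}" {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def dhcpd_stanza(name, secret, zone, primary="127.0.0.1", algorithm="hmac-md5"):
    # dhcpd.conf syntax from "man 5 dhcpd.conf": no quotes around the name or the secret.
    return (f"key {name} {{\n\talgorithm {algorithm};\n\tsecret {secret};\n}};\n\n"
            f"zone {zone} {{\n\tprimary {primary};\n\tkey {name};\n}}\n")

def nsupdate_key_record(name, secret, algorithm="hmac-md5"):
    # The one-line K<name>.+<alg>+<id>.key format read by "nsupdate -k": flags 512 (host key), protocol 3.
    return f"{name}. IN KEY 512 3 {ALGORITHMS[algorithm]} {secret}"

def fragments_agree(name, secret, zone="westos.com.", bits=128):
    # Guards against the classic failure: a secret mistyped in one of the three files, or one that is not
    # the base64 of a bits/8-byte key. Returns True when every fragment carries the same name and secret.
    try:
        raw = base64.b64decode(secret, validate=True)
    except ValueError:
        return False
    if len(raw) != bits // 8:
        return False
    pieces = [bind_key_stanza(name, secret), dhcpd_stanza(name, secret, zone), nsupdate_key_record(name, secret)]
    return all(secret in p and name in p for p in pieces)
```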

 

[root@dns-server named]# rm -fr westos.com.zone westos.com.zone.jnl