SRE Assignment 5
The Linux kernel
Kernel design schools
- Monolithic kernel
  - Performance first: all core functionality is integrated in kernel space to reduce inter-module communication overhead
  - Typical examples: Linux (traditional architecture), BSD, early Unix
- Microkernel
  - Only the most basic functions (process scheduling, memory management, IPC) stay in kernel space; file systems, drivers and so on all run in user space as services. Functionality is forcibly split out into user space, trading some performance for stability
  - Typical examples: QNX, Minix, the early Windows NT design
- Hybrid kernel
  - The basic core functions (process and memory management) live in kernel space; drivers, file systems and so on can be placed in kernel or user space as needed (or loaded as dynamic modules)
  - Typical examples: Windows (the NT-based architecture), Linux (hybrid-like behaviour via LKMs)
- Exokernel
  - Only the lowest-level hardware abstractions (memory partitioning, CPU time-slice allocation) are in kernel space; file systems, drivers and so on are implemented in user space by the applications themselves
  - Typical examples: academic research projects (such as MIT Exokernel); not yet in large-scale commercial use
The Linux kernel
Kernel + root file system → together they form the most basic Linux "software package"
Although Linux is classified as a monolithic kernel, loadable kernel modules (LKMs) let it extend functionality dynamically, giving it both the performance of a monolithic kernel and the flexibility of a hybrid kernel. This is a key reason it adapts so well to many different scenarios
Kernel modules
A kernel module is a unit of code that Linux can load and unload dynamically; it lets you add new functionality to the kernel, or modify existing functionality, without recompiling the kernel
In the kernel build configuration you will see options marked y and m in the config file (for example /boot/config-6.8.0-90-generic); they denote the two build choices below
- Functionality compiled directly into the kernel (y)
  - Once built, the feature or driver becomes part of the kernel image; it is loaded automatically at boot and cannot be loaded or unloaded dynamically
  - If a feature is essential for the system to run, or is used very frequently and rarely changes, compiling it directly into the kernel (y) is the better fit. That avoids the overhead of loading modules at startup and improves boot speed and stability
- Functionality built as a loadable kernel module (m)
  - After the system has booted you can load or unload the module on demand without recompiling the kernel
  - If a feature is used only occasionally, or you want to enable and disable it flexibly, building it as a module (m) is the better choice. That keeps the kernel from becoming bloated and makes the feature easy to load and unload when needed
Kernel module commands
lsmod
Purpose: lists the kernel modules currently loaded, including each module's name, size and which other modules are using it
Example:
lxh@ubuntu:~/rsyncd$ lsmod | wc -l
90
lxh@ubuntu:~/rsyncd$ lsmod | head
Module Size Used by
nfsd 847872 1
auth_rpcgss 184320 1 nfsd
nfs_acl 12288 1 nfsd
lockd 143360 1 nfsd
grace 12288 2 nfsd,lockd
sunrpc 802816 6 nfsd,auth_rpcgss,lockd,nfs_acl
tls 155648 0
qrtr 53248 2
vsock_loopback 12288 0
lxh@ubuntu:~/rsyncd$
modinfo
Purpose: shows a module's metadata, including its dependencies and the path of the module file
Example:
lxh@ubuntu:~/rsyncd$ modinfo ipip
filename: /lib/modules/6.8.0-90-generic/kernel/net/ipv4/ipip.ko.zst
alias: netdev-tunl0
alias: rtnl-link-ipip
license: GPL
description: IP/IP protocol decoder library
srcversion: D823EA84FF60E08CB3A274B
depends: ip_tunnel,tunnel4
retpoline: Y
intree: Y
name: ipip
vermagic: 6.8.0-90-generic SMP preempt mod_unload modversions
sig_id: PKCS#7
signer: Build time autogenerated kernel key
sig_key: 6C:3D:A0:D5:63:80:5D:65:C2:33:DB:AE:65:2D:C0:29:6C:01:30:57
sig_hashalgo: sha512
signature: <hex signature omitted>
parm: log_ecn_error:Log packets received with corrupted ECN (bool)
lxh@ubuntu:~/rsyncd$
modprobe
Purpose: loads and unloads kernel modules intelligently, resolving dependencies automatically. When loading a module, modprobe checks the module's dependencies and loads them first; when unloading, it checks whether any other module still depends on it and, if none does, unloads the module together with its now-unused dependencies
Options:
- -r: unload the given kernel module together with its unused dependencies
Example:
lxh@ubuntu:~/rsyncd$ lsmod | grep ipip # the ipip module is not loaded
lxh@ubuntu:~/rsyncd$
lxh@ubuntu:~/rsyncd$ sudo modprobe ipip # load the ipip module and its dependencies
lxh@ubuntu:~/rsyncd$
lxh@ubuntu:~/rsyncd$ lsmod | grep ipip # the ipip module was loaded successfully
ipip 20480 0
tunnel4 12288 1 ipip
ip_tunnel 32768 1 ipip
lxh@ubuntu:~/rsyncd$
lxh@ubuntu:~/rsyncd$ sudo modprobe -r ipip # unload the ipip module
lxh@ubuntu:~/rsyncd$
lxh@ubuntu:~/rsyncd$ lsmod | grep ipip
lxh@ubuntu:~/rsyncd$
Kernel parameters
Kernel parameters are the key settings the operating system exposes for tuning system performance and behaviour
What kernel parameters are for
- Improving performance
  - Tuning kernel parameters lets the system use hardware resources such as CPU, memory and I/O more efficiently, raising overall performance
- Improving stability
  - Sensible parameter settings reduce the probability of crashes and hangs and make the system more reliable
- Improving security
  - Appropriate parameter adjustments reduce potential security risks and harden the system
Setting kernel parameters
sysctl
Purpose: view and set kernel parameters
Options:
- -a: show all kernel parameters
- -p: reload /etc/sysctl.conf by default; a different file path can be given
- -w: set a kernel parameter temporarily (the change does not survive a reboot)
Example:
# Temporary setting, method 1: write to /proc/sys
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
0
root@ubuntu:~#
root@ubuntu:~# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
root@ubuntu:~#
root@ubuntu:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@ubuntu:~#
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1
root@ubuntu:~#
root@ubuntu:~# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
root@ubuntu:~#
# Temporary setting, method 2: sysctl -w
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
0
root@ubuntu:~#
root@ubuntu:~# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 0
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
root@ubuntu:~#
root@ubuntu:~# sysctl -w "net.ipv4.ip_forward=1"
net.ipv4.ip_forward = 1
root@ubuntu:~#
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1
root@ubuntu:~#
root@ubuntu:~# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward
# Permanent setting: /etc/sysctl.conf + sysctl -p
root@ubuntu:~# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
root@ubuntu:~#
root@ubuntu:~# sysctl -p
net.ipv4.ip_forward = 1
root@ubuntu:~#
root@ubuntu:~# cat /proc/sys/net/ipv4/ip_forward
1
root@ubuntu:~#
root@ubuntu:~# sysctl -a | grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
root@ubuntu:~#
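As an added example (not part of the original notes), a small shell audit that compares `sysctl -a` output with a baseline of expected values; the baseline keys and values are assumptions for a host that is not a router, and the sample input is constructed:

```shell
#!/bin/sh
# Added example (not from the original notes): audit kernel parameters against
# a baseline. Input is "key = value" lines in the format printed by
# `sysctl -a`. The baseline values are assumptions for a host that is NOT a
# router (a router legitimately needs net.ipv4.ip_forward = 1).

BASELINE='net.ipv4.ip_forward 0
net.ipv4.conf.all.accept_redirects 0
net.ipv4.conf.all.send_redirects 0
net.ipv4.tcp_syncookies 1
kernel.kptr_restrict 1'

# audit_sysctl: reads sysctl -a output on stdin and prints one line per
# baseline key that is missing or deviates ("key current expected"), in
# baseline order. Exit status 0 = compliant, 1 = at least one finding.
# Only the first value token is compared, so multi-value keys such as
# net.ipv4.ip_local_port_range would need special handling.
audit_sysctl() {
    awk -v baseline="$BASELINE" '
    BEGIN {
        n = split(baseline, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], kv, " ")
            order[i] = kv[1]
            want[kv[1]] = kv[2]
        }
    }
    # sysctl -a prints "key = value"; anything else (errors, blanks) is ignored
    $2 == "=" { cur[$1] = $3 }
    END {
        bad = 0
        for (i = 1; i <= n; i++) {
            k = order[i]
            v = (k in cur) ? cur[k] : "missing"
            if (v != want[k]) { print k, v, want[k]; bad = 1 }
        }
        exit bad
    }'
}

# Constructed sample of sysctl -a output: forwarding and ICMP redirects are
# enabled, and kernel.kptr_restrict is absent altogether.
SAMPLE='net.ipv4.ip_forward = 1
net.ipv4.ip_forward_update_priority = 1
net.ipv4.ip_forward_use_pmtu = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.tcp_syncookies = 1'

if printf '%s\n' "$SAMPLE" | audit_sysctl; then
    echo "sample: compliant"
else
    echo "sample: deviations listed above"
fi
# Against the live system: sysctl -a 2>/dev/null | audit_sysctl
```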
The Linux boot process
The core chain of events after power-on
Power on → BIOS initializes the hardware → BIOS loads the bootloader → bootloader loads the operating system → boot complete
BIOS power-on self-test
The first thing a computer does after power-on is run the BIOS. The BIOS starts by running POST (the power-on self-test) on the hardware; if the test fails, an error is displayed and a corresponding beep code is sounded
- POST (power-on self-test)
  - Power-On Self-Test is one of the main functions of the BIOS firmware; it checks the CPU, motherboard, memory, disk subsystem, display subsystem, serial and parallel ports, keyboard and other hardware
- BIOS (Basic Input/Output System)
  - Basic Input and Output System: holds the most fundamental input/output routines, the system setup information, the power-on self-test and the system bootstrap loader
  - The BIOS is just a program whose code is stored in a ROM chip on the motherboard. ROM can be read but not written; the BIOS was written into this chip at the factory, so it stays there whether or not the machine has power
  - Changes made to BIOS settings are stored in a separate RAM chip whose contents vanish when power is lost, which is why the motherboard has a coin-cell battery to keep that RAM powered. When the battery dies, the BIOS settings revert to the factory defaults

BIOS and UEFI
- BIOS (Basic Input/Output System)
  - The BIOS dates from 1975 and was written in assembly. It was originally 16-bit, so it could address only 1 MB of memory: the first 640 KB is conventional memory and the remaining 384 KB is reserved for boot and for the BIOS itself. The BIOS only recognizes disks initialized with a master boot record (MBR), supports disks of at most 2 TB and at most 4 primary partitions (logical partitions inside an extended partition aside)
- UEFI (Unified Extensible Firmware Interface)
  - EFI (Extensible Firmware Interface)
    - EFI is a standard proposed by Intel for the architecture, interfaces and services of PC firmware. Its main purpose is to provide a consistent, well-specified set of boot services on every platform before the OS loads. It is regarded as the successor to the BIOS, or simply as a "new BIOS"
    - UEFI evolved from EFI 1.10; it is no longer owned by Intel but by an international body called the Unified EFI Forum
    - UEFI is a standard that describes its interfaces in detail. It is effectively a lightweight operating system that provides an interface between the hardware and the OS, with a graphical user interface. Most importantly it introduced the GPT partition table, which supports disks larger than 2 TB with no limit on the number of partitions
- Differences between BIOS and UEFI
  - The BIOS is written in 16-bit assembly and can only run in real mode (an address is formed by multiplying the 16-bit segment register by 16 (10H) to get the segment base and adding a 16-bit offset, giving a 20-bit physical address); it can address 1 MB of memory and supports only a text interface
  - UEFI is written in 32- or 64-bit C, breaks the real-mode limit and can reach the full address space, supports a graphical interface, stores information as files, supports booting from GPT partitions and suits newer systems and hardware
- BIOS+MBR and UEFI+GPT pairings
  - MSDN (Microsoft Developer Network) states that Windows can only be installed on BIOS+MBR or UEFI+GPT; BIOS+GPT and UEFI+MBR are not allowed
  - Linux can mix them; there is no pairing restriction
The bootloader loads the kernel
bootloader
A bootloader (boot loader, boot program) is intermediary software between the low-level hardware and the application software above it (the operating system). It is neither part of the BIOS nor part of the operating system; it is an independent program that runs after the BIOS and before the OS starts. Its main job is to boot the operating system
A host may have several operating systems installed; deciding which one to start is the bootloader's job
- GRUB (GRand Unified Bootloader)
  - The GRand Unified Bootloader, also called a multi-boot manager
  - GRUB is one of the most common bootloaders on Linux. It supports multiple operating systems, including Linux, Windows and macOS, and has powerful features and flexible configuration options, such as customization through its configuration file (adding boot entries, setting the boot order and so on)
Core functions of a bootloader
- Locating the kernel
  - Find the operating system's kernel file on a disk partition (such as vmlinuz on Linux or ntoskrnl.exe on Windows)
- Loading the kernel into memory
  - Read the kernel file from disk into memory and prepare the boot parameters (hardware information, boot options and so on)
- Starting the operating system
  - Hand control to the kernel, which continues initializing the system, mounts the file systems and finally reaches the desktop or the command line
- Multi-boot support
  - If several systems are installed (Windows + Linux, say), the bootloader shows a selection menu (such as the GRUB boot menu) so the user can choose which system to start
grub
grub configuration files
- grub1 keeps its configuration in /boot/grub/grub.conf
- grub2 keeps its configuration in /boot/grub2/grub.cfg
vmlinuz
- A compressed kernel image file containing the compressed Linux kernel plus the associated boot information
- At boot the bootloader (GRUB, say) loads vmlinuz and decompresses it into memory; control then passes to the kernel image and the Linux operating system starts
- vmlinuz holds the core functionality of the OS, the drivers and the necessary file system support; it initializes hardware devices, manages processes, provides the system call interface and so on
initramfs
- A temporary root file system that lives in memory
- It is loaded into memory before the Linux kernel starts. initramfs contains the file system modules and drivers the kernel needs so that it can go on to mount the real root file system; once the real root file system is mounted, initramfs is discarded and the system continues running on the real root
- initramfs is the key component linking GRUB to the real root file system during boot; its job is to "get the conditions for mounting the root file system ready" for the kernel
- How it works
  - Loaded into memory by GRUB: at boot, GRUB loads initramfs.img (the packed in-memory file system image) into memory together with the kernel (vmlinuz), then hands control to the kernel
  - Kernel unpacks and mounts initramfs: after starting, the kernel unpacks initramfs.img and mounts it as a temporary root file system (at this point the system's "root" is the initramfs in memory, not the real root partition on disk)
  - Run the init script inside initramfs: initramfs contains an init script (or systemd) that performs the following core work
    - Load hardware drivers: the kernel modules needed for the disk controller, RAID, LVM, encrypted partitions and so on (these drivers may not be built into the kernel)
    - Handle special storage: if the root partition is on LVM, RAID or an encrypted disk (such as LUKS), initramfs first activates the logical volumes, assembles the RAID or unlocks the partition
    - Prepare to mount the real root file system: once hardware and storage are ready, find the root partition given by /etc/fstab (or by the root= parameter passed from GRUB) and mount it at /sysroot
    - Switch to the real root file system: once the real root partition is mounted at /sysroot, initramfs runs pivot_root (or switch_root) to move the system's root from "initramfs in memory" to "/sysroot on disk (the real root partition)", then starts the init process (or systemd) from the real root partition to complete the rest of the boot
The bootloader is stored in pieces at several locations on the disk and is loaded in stages

OS startup
The init process
init is the first user-space process started by the kernel; its process ID (PID) is normally 1
What init does
- System initialization
  - At boot, init performs a series of initialization steps such as setting up the system environment and mounting file systems
- Starting other processes
  - Based on the system configuration file (such as /etc/inittab on Linux), init starts the other required system processes and services
- Monitoring and management
  - init also monitors the other processes on the system, makes sure they run normally, and restarts or terminates them when necessary
Boot-related files
Initialization script /etc/rc.d/rc.sysinit
What it does:
- Sets the hostname
- Sets the welcome message
- Activates udev and SELinux
- Mounts the file systems defined in /etc/fstab
- Checks the root file system and remounts it read-write
- Sets the system clock
- Activates swap devices
- Sets kernel parameters from /etc/sysctl.conf
- Activates LVM and software RAID devices
- Loads drivers for additional devices
- Clean-up work
rc startup file /etc/rc.d/rc
Controls which service scripts start automatically at a given runlevel; different runlevels run different services

- /etc/rcN.d/KNN
  - Services to stop at the current runlevel
  - A leading K (kill) means stop the service; the number after the K gives the order: the smaller the number, the earlier it runs, i.e. the earlier the service is stopped. These services usually depend on other services
- /etc/rcN.d/SNN
  - Services to start at the current runlevel
  - A leading S (start) means start the service; the number after the S gives the order: the smaller the number, the earlier it runs, i.e. the earlier the service is started. These are usually services that other services depend on
Custom startup file /etc/rc.d/rc.local
Commands that you want run at boot but that are awkward or unnecessary to write as service scripts under /etc/rc.d/init.d/ can be placed directly in /etc/rc.d/rc.local
/etc/rc.d/rc.local runs after the scripts of the selected runlevel
Runlevels
Linux runlevels are a mechanism for defining the system's operating mode; they control the system's behaviour after boot and which services are available. Each runlevel corresponds to a system state, for example multi-user mode, single-user mode or graphical mode
Runlevel descriptions
- 0: halt
- 1: single-user mode (root logged in automatically), "single", maintenance mode
- 2: multi-user mode with networking but without NFS; maintenance mode
- 3: multi-user mode, normal operation; text interface
- 4: reserved; can be used like level 3
- 5: multi-user mode, normal operation; graphical interface
- 6: reboot
Mapping between runlevels and targets

Ways to switch runlevel
- Permanently
  - systemctl set-default
  - /etc/inittab
- Temporarily
  - init N
systemd services
systemd
Since 2015 almost all major Linux distributions have adopted systemd; it has fully replaced System V, BSD-style and other traditional init programs as the mainstream system initialization and service management suite on Linux
New features of systemd
- Parallel service startup during boot
- On-demand daemon activation
- Automatic management of service dependencies
- Service activation via both sockets and the D-Bus bus
- Sockets separated from the service programs
- Backward compatibility with SysV init scripts
- Managed with the systemctl command, whose command set is fixed and not extensible
- Services not started by systemd cannot be communicated with or controlled by systemctl
- System state snapshots
systemctl
Purpose: manage systemd services. After a package is installed, Ubuntu automatically starts the corresponding service and enables it at boot, whereas Red Hat-family distributions do not start the service automatically after installation
Subcommands:
- start: start a service
- stop: stop a service
- restart: restart a service
- reload: reload a service, applying the modified configuration file without restarting the process
- status: show a service's status, including the log of its startup
- mask: prevent a service from being started
- unmask: make a masked service startable again
- is-active: check whether a service is running
- enable: start the service at boot
- enable --now: enable the service at boot and start it now
- disable: do not start the service at boot
- disable --now: disable the service at boot and stop it now
- list-dependencies: show a service's dependencies
- daemon-reload: reload the unit configuration files without restarting or stopping running services
Example:
root@ubuntu:~# systemctl status named.service
● named.service - BIND Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-01-17 10:54:51 CST; 1 day 8h ago
Docs: man:named(8)
Main PID: 904 (named)
Status: "running"
Tasks: 8 (limit: 2210)
Memory: 27.7M (peak: 27.9M)
CPU: 443ms
CGroup: /system.slice/named.service
└─904 /usr/sbin/named -f -u bind
Jan 18 10:54:50 ubuntu named[904]: network unreachable resolving '_ta-4f66-9728/NULL/IN': 2001:500:12::d0d#53
Jan 18 10:54:50 ubuntu named[904]: network unreachable resolving '_ta-4f66-9728/NULL/IN': 2001:503:c27::2:30#53
Jan 18 10:54:50 ubuntu named[904]: network unreachable resolving '_ta-4f66-9728/NULL/IN': 2001:500:9f::42#53
Jan 18 10:54:50 ubuntu named[904]: network unreachable resolving '_ta-4f66-9728/NULL/IN': 2001:500:2d::d#53
Jan 18 10:54:50 ubuntu named[904]: network unreachable resolving '_ta-4f66-9728/NULL/IN': 2001:500:a8::e#53
Jan 18 10:54:51 ubuntu named[904]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Jan 18 10:54:51 ubuntu named[904]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Jan 18 10:54:51 ubuntu named[904]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Jan 18 10:54:51 ubuntu named[904]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Jan 18 10:54:51 ubuntu named[904]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
root@ubuntu:~#
Units
In systemd a unit is a basic concept representing a system function or service
Units represent the different kinds of systemd objects; based on its configuration files and settings, systemd starts units of various kinds (services, devices, mount points, sockets and so on)
Each unit has a name and a type, and systemd uses dependencies between units to ensure the correct start order
Common unit types
- service
  - Files with the .service suffix
  - Define system services
- socket
  - Files with the .socket suffix
  - Define sockets used for inter-process communication; allow deferred, on-demand start of the service
- target
  - Files with the .target suffix
  - Groups of units, used to emulate runlevels
- device
  - Files with the .device suffix
  - Define devices recognized by the kernel
- mount
  - Files with the .mount suffix
  - Define file system mount points
- automount
  - Files with the .automount suffix
  - Automatic file system mount points
- swap
  - Files with the .swap suffix
  - Identify swap devices
- timer
  - Files with the .timer suffix
  - Timers that schedule the activation of another unit
- path
  - Files with the .path suffix
  - Define files or directories in the file system; commonly used to activate a service lazily when the file system changes, e.g. a spool directory
- slice
  - Files with the .slice suffix
  - Limit resources through Linux control group (cgroup) nodes
- scope
  - Files with the .scope suffix
  - Information from the systemd bus interface; commonly used to manage external system processes
Directories holding unit configuration files
- /usr/lib/systemd/system/
  - Holds the default unit configuration shipped by the system or by installed packages; the "base definition" of a service
  - If no higher-priority directory (/run, /etc) has a file of the same name, systemd loads the file from here
- /lib/systemd/system/
  - In practice a symlink to the same directory as /usr/lib/systemd/system/ (implementations differ between systems, but functionally the two are equivalent); both hold the default unit files from the system or from packages
- /run/systemd/system/
  - Directory for unit files generated dynamically at runtime, used for temporary adjustments or additions while processes are running
  - Generally "session-level" temporary configuration (changing with the system's run cycle) whose contents may be lost after a reboot (highest priority but volatile)
  - For example service configuration generated dynamically by a running program; files here take precedence over same-named files in the other directories
- /etc/systemd/system/
  - The main directory for administrator-defined and extended unit configuration
  - Holds unit files added or modified by hand, or symlinks created automatically by commands such as systemctl enable
  - Configuration here has high priority and overrides the defaults in /usr/lib/systemd/system/, which is how services are customized
Unit file format
- [Unit]: generic options independent of the unit type; provides the unit's description, behaviour and dependencies
  - Description: description text
  - Documentation: documentation references
  - After: start ordering; the current unit starts after the listed units (the opposite of Before)
  - Before: start ordering; the current unit starts before the listed units (the opposite of After)
  - Requires: other units this unit depends on; a strong dependency: if a required unit cannot be activated, this unit cannot be activated either
  - Wants: other units this unit depends on; a weak dependency
  - Conflicts: defines conflicts between units
- [Service]: options specific to the unit type, here the Service type
  - Type: the process start-up type, which affects how ExecStart and related settings behave
  - EnvironmentFile: environment file
  - PIDFile: path of the PID file the process creates
  - ExecStartPre: commands run before ExecStart; may appear several times
  - ExecStart: absolute path of the command or script run to start the unit
  - ExecStartPost: commands run after ExecStart; may appear several times
  - ExecReload: command or script run to reload the unit's configuration
  - ExecStop: command or script run to stop the unit
  - KillSignal: signal used to kill the process, SIGTERM by default
  - KillMode: how processes are killed: control-group|process|mixed|none
  - TimeoutStopSec: if the process has not exited after this time, it is stopped with the SIGKILL or FinalKillSignal setting
  - PrivateTmp: boolean; true gives the service a private tmp directory at /tmp/systemd-private-UUID-NAME.service-XXXXX/tmp/
  - Restart: whether to restart the daemon automatically when it terminates unexpectedly
  - RestartSec: delay between an unexpected termination and the automatic restart, so that the previous instance can exit completely; default 100ms
- [Install]: options used by "systemctl enable" and "systemctl disable" when enabling or disabling the service
  - Alias: an alias; allows systemctl command Alias.service
  - WantedBy: the target (runlevel) under which the unit is wanted
  - Also: other units to enable or disable along with this one
Custom service hello_world.service
First verify that the service script runs correctly
root@ubuntu:~# while true; do sleep 1;echo "hello world" >> /root/hello_world.txt;done
root@ubuntu:~#
root@ubuntu:~# /bin/bash hello_world.sh
^C
root@ubuntu:~# cat hello_world.txt
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
root@ubuntu:~#
Then create the unit file hello_world.service in the /lib/systemd/system directory
root@ubuntu:~# cd /lib/systemd/system
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# vim hello_world.service
[Unit]
Description=hello world service
[Service]
ExecStart=/bin/bash /root/hello_world.sh
[Install]
WantedBy=multi-user.target
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# systemctl status hello_world.service
○ hello_world.service - hello world service
Loaded: loaded (/usr/lib/systemd/system/hello_world.service; disabled; preset: enabled)
Active: inactive (dead)
Jan 18 19:38:08 ubuntu systemd[1]: /usr/lib/systemd/system/hello_world.service:1: Unknown section 'unit'. Ignoring.
Jan 18 19:38:08 ubuntu systemd[1]: /usr/lib/systemd/system/hello_world.service:4: Unknown section 'service'. Ignoring.
Jan 18 19:38:08 ubuntu systemd[1]: hello_world.service: Service has no ExecStart=, ExecStop=, or SuccessAction=. Refusing.
Jan 18 19:38:08 ubuntu systemd[1]: /usr/lib/systemd/system/hello_world.service:1: Unknown section 'unit'. Ignoring.
Jan 18 19:38:08 ubuntu systemd[1]: /usr/lib/systemd/system/hello_world.service:4: Unknown section 'service'. Ignoring.
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# echo -n > /root/hello_world.txt
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# cat /root/hello_world.txt
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# systemctl start hello_world.service
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# systemctl status hello_world.service
● hello_world.service - hello world service
Loaded: loaded (/usr/lib/systemd/system/hello_world.service; disabled; preset: enabled)
Active: active (running) since Sun 2026-01-18 19:43:11 CST; 4s ago
Main PID: 12910 (bash)
Tasks: 2 (limit: 2210)
Memory: 568.0K (peak: 1.0M)
CPU: 20ms
CGroup: /system.slice/hello_world.service
├─12910 /bin/bash /root/hello_world.sh
└─12915 sleep 1
Jan 18 19:43:11 ubuntu systemd[1]: Started hello_world.service - hello world service.
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# cat /root/hello_world.txt
hello world
hello world
hello world
hello world
root@ubuntu:/lib/systemd/system#
root@ubuntu:/lib/systemd/system# cat /root/hello_world.txt
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
hello world
root@ubuntu:/lib/systemd/system#
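As an added example (not part of the original notes), a shell pre-check for a hand-written .service file that catches the two problems the journal logged above (misspelled section names, missing ExecStart=) before `systemctl start`, and warns when a unit has no User= and so runs as root; the sample unit files are constructed and the check is a heuristic, not systemd's own parser:

```shell
#!/bin/sh
# Added example (not from the original notes): a pre-check for a hand-written
# .service file. It reproduces the two errors seen in the journal above
# ("Unknown section 'unit'", "Service has no ExecStart=") and adds two
# hardening warnings. Heuristic only; it does not replace
# `systemd-analyze verify`.

# check_unit_file FILE
# Prints one line per finding. Exit status 1 if systemd itself would reject
# the unit (unknown/misspelled section, no ExecStart=), 0 otherwise; lines
# starting with "warning:" do not affect the exit status.
check_unit_file() {
    awk -v f="$1" '
    { sub(/[ \t]+$/, "") }                        # drop trailing whitespace
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }           # comments and blank lines
    /^\[.*]$/ {
        sec = substr($0, 2, length($0) - 2)
        if (sec == "Unit" || sec == "Service" || sec == "Install") {
            seen[sec] = 1
        } else {
            # section names are case-sensitive: [unit] and [service] are
            # silently ignored by systemd, which is what happened above
            printf "%s:%d: unknown section [%s] (names are case-sensitive)\n", f, NR, sec
            bad = 1
        }
        next
    }
    sec == "Service" && /^ExecStart=/ {
        has_exec = 1
        cmd = substr($0, 11)
        sub(/^[-@:+!]+/, "", cmd)                  # strip systemd prefix chars
        split(cmd, a, " ")
        if (a[1] !~ /^\//) {
            printf "%s:%d: ExecStart= needs an absolute path, got %s\n", f, NR, a[1]
            bad = 1
        }
    }
    sec == "Service" && /^User=/ { has_user = 1 }
    END {
        if (!has_exec) {
            printf "%s: no ExecStart= in [Service]; systemd refuses to start it\n", f
            bad = 1
        }
        if (!("Install" in seen))
            printf "warning: %s: no [Install] section; systemctl enable will fail\n", f
        if (!has_user)
            printf "warning: %s: no User=; the service runs as root\n", f
        exit bad
    }' "$1"
}

# Demo with two constructed unit files written to a temporary directory.
dir=$(mktemp -d)
printf '[unit]\nDescription=hello world service\n[service]\nExecStart=/bin/bash /root/hello_world.sh\n[Install]\nWantedBy=multi-user.target\n' > "$dir/bad.service"
printf '[Unit]\nDescription=hello world service\n[Service]\nUser=nobody\nExecStart=/bin/bash /usr/local/bin/hello_world.sh\n[Install]\nWantedBy=multi-user.target\n' > "$dir/good.service"
for u in bad good; do
    if check_unit_file "$dir/$u.service"; then echo "$u.service: ok"; fi
done
rm -rf "$dir"
```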
DNS service
DNS overview
Domain names
A domain name is, as the term says, the name of a domain. It is a string of characters separated by dots that identifies a host or node on the network; the DNS service maintains the mapping between domain names and host IP addresses. When we access a domain name on the network, we are really accessing the host identified by the IP address that the domain name maps to
Domain names consist of letters, digits and hyphens (-) and are case-insensitive
Domain name hierarchy
Each label of a domain name may be at most 63 characters, and the whole name at most 255 characters. A domain name may have at most 127 levels
Subdomains may be defined; a subdomain is separated from its parent by a . (dot). The topmost node is the top-level domain (TLD), the node below it is a second-level domain, and so on. The lowest-level label is written leftmost and the highest-level label rightmost
Above the top-level domains there is in fact one more domain, the root domain, which is normally omitted in everyday use
Root domain
The root domain corresponds to the symbol .
There are 13 groups of IPv4 root name servers worldwide: 10 in the United States, 2 in Europe and 1 in Asia. "13 groups" does not mean only 13 machines (1 primary and 12 secondaries) but 13 IP addresses that provide DNS resolution for the top-level domains; each address fronts a cluster of machines. The root server system consists of 1916 instances run by 12 independent root server operators
For IPv6 there are 25 groups of root name servers worldwide
First-level / top-level domains
Also called TLDs; they fall into three categories: country and region codes (cn, hk, ...), organization types (com, edu, ...), and new TLDs (such as .xyz and .top) or other special TLDs (including infrastructure TLDs such as .arpa, used for reverse resolution, and internationalized domain names that allow non-ASCII characters)
Second-level domains
Used by a specific organization, unit, institution, company or individual; the right to use one must be applied for (and paid for) from the domain registry
Third-level and lower domains
Domains below the second level are assigned by the organization that uses the domain
How it works
DNS query types
- Recursive query
  - When the DNS server receives a request from a user it must return a definitive answer. If the server has no matching data locally, it must ask other servers and deliver the result it obtains to the user
  - The query between a client and its local DNS server is normally recursive: after the client sends a request, if the DNS server cannot resolve it itself, it queries other DNS servers and hands the final positive or negative result back to the client
  - The source and destination of this query stay the same; the client sends only one query to get the result
- Iterative query
  - When the DNS server receives a request it does not return the result directly but instead gives the address of another DNS server; the requester then queries that server, and so on, until the result is returned
  - Queries from the local DNS server to other DNS servers are normally iterative: if the other server cannot return an authoritative result, the local server queries the next DNS server (based on the referral returned by the previous one) until it obtains the result
  - The source of this query stays the same but the destination keeps changing; several queries are usually needed to get the result
DNS query example
- A domain name is entered in the browser
- The browser cache is checked first, then the host cache, then the /etc/hosts file; if none of them has a result for the domain, the configured local DNS server is asked and performs iterative queries
- The local DNS server first asks a root name server, which returns the address of the top-level domain name server for the domain
- The local DNS server then asks the top-level domain name server, which returns the address of the second-level domain's name server
- The iteration continues until the authoritative name server returns the result to the local DNS server
- The local DNS server caches the result and returns it to the local host, which caches it as well

The bind package
bind (Berkeley Internet Name Domain) is open-source software implementing the DNS service, developed at Berkeley. It provides forward and reverse resolution, forwarding, subdomain delegation, views and more; it is widely used, and more than half of the DNS servers on the Internet run BIND
Although the package is called bind (bind9 on Ubuntu), the service is called named
lxh@ubuntu:~$ dpkg -L bind9
/.
/etc
/etc/apparmor.d
/etc/apparmor.d/force-complain
/etc/apparmor.d/local
/etc/apparmor.d/usr.sbin.named
/etc/bind
/etc/bind/bind.keys
/etc/bind/db.0
/etc/bind/db.127
/etc/bind/db.255
/etc/bind/db.empty
/etc/bind/db.local
/etc/bind/named.conf
/etc/bind/named.conf.default-zones
/etc/bind/named.conf.local
/etc/bind/named.conf.options
/etc/bind/zones.rfc1918
/etc/default
...
lxh@ubuntu:~$
lxh@ubuntu:~$ systemctl status named.service
● named.service - BIND Domain Name Server
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-01-01 17:07:52 CST; 2h 25min ago
Docs: man:named(8)
Main PID: 908 (named)
Status: "running"
Tasks: 8 (limit: 2210)
Memory: 27.8M (peak: 28.1M)
CPU: 255ms
CGroup: /system.slice/named.service
└─908 /usr/sbin/named -f -u bind
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './NS/IN': 2801:1b8:10::b#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Jan 01 17:07:52 ubuntu named[908]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Jan 01 17:07:53 ubuntu named[908]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Jan 01 17:07:53 ubuntu named[908]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
lxh@ubuntu:~$
Common configuration files
Ubuntu environment
Main configuration file: /etc/bind/named.conf
lxh@ubuntu:~$ cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
lxh@ubuntu:~$
Zone configuration file: /etc/bind/named.conf.default-zones
lxh@ubuntu:~$ cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
lxh@ubuntu:~$
Zone data files: /etc/bind/db.*
lxh@ubuntu:~$ ls /etc/bind/db.*
/etc/bind/db.0 /etc/bind/db.127 /etc/bind/db.255 /etc/bind/db.empty /etc/bind/db.local
lxh@ubuntu:~$
lxh@ubuntu:~$ cat /etc/bind/db.0
;
; BIND reverse data file for "this host on this network" zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
lxh@ubuntu:~$
Rocky environment
Main configuration file: /etc/named.conf
[root@Rocky ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@Rocky ~]#
Zone configuration file: /etc/named.rfc1912.zones
[root@Rocky ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
[root@Rocky ~]#
Zone data files: /var/named/named.*
[root@Rocky ~]# ls /var/named/named.*
/var/named/named.ca /var/named/named.empty /var/named/named.localhost /var/named/named.loopback
[root@Rocky ~]#
[root@Rocky ~]# cat /var/named/named.ca
; <<>> DiG 9.18.20 <<>> -4 +tcp +norec +nostats @d.root-servers.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47286
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1450
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
a.root-servers.net. 518400 IN A 198.41.0.4
b.root-servers.net. 518400 IN A 170.247.170.2
c.root-servers.net. 518400 IN A 192.33.4.12
d.root-servers.net. 518400 IN A 199.7.91.13
e.root-servers.net. 518400 IN A 192.203.230.10
f.root-servers.net. 518400 IN A 192.5.5.241
g.root-servers.net. 518400 IN A 192.112.36.4
h.root-servers.net. 518400 IN A 198.97.190.53
i.root-servers.net. 518400 IN A 192.36.148.17
j.root-servers.net. 518400 IN A 192.58.128.30
k.root-servers.net. 518400 IN A 193.0.14.129
l.root-servers.net. 518400 IN A 199.7.83.42
m.root-servers.net. 518400 IN A 202.12.27.33
a.root-servers.net. 518400 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 518400 IN AAAA 2801:1b8:10::b
c.root-servers.net. 518400 IN AAAA 2001:500:2::c
d.root-servers.net. 518400 IN AAAA 2001:500:2d::d
e.root-servers.net. 518400 IN AAAA 2001:500:a8::e
f.root-servers.net. 518400 IN AAAA 2001:500:2f::f
g.root-servers.net. 518400 IN AAAA 2001:500:12::d0d
h.root-servers.net. 518400 IN AAAA 2001:500:1::53
i.root-servers.net. 518400 IN AAAA 2001:7fe::53
j.root-servers.net. 518400 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 518400 IN AAAA 2001:7fd::1
l.root-servers.net. 518400 IN AAAA 2001:500:9f::42
m.root-servers.net. 518400 IN AAAA 2001:dc3::35
[root@Rocky ~]#
Zone configuration file format
This file maps each domain to the file holding its concrete resolution rules
Example file walkthrough
lxh@ubuntu:~$ cat /etc/bind/named.conf.default-zones
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/usr/share/dns/root.hints";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
lxh@ubuntu:~$
- Double slash //
  - Marks a comment line
- zone
  - Defines a zone
- type
  - This DNS server's role in the zone
- file
  - Path of the zone's data file
  - Maps the zone to the file holding its concrete resolution rules
  - A relative path is relative to the directory given by the directory option in the configuration file
On Rocky, directory defaults to /var/named
[root@Rocky ~]# cat /etc/named.conf | grep directory
directory "/var/named";
managed-keys-directory "/var/named/dynamic";
[root@Rocky ~]#
On Ubuntu, directory defaults to /var/cache/bind (in the examples below the zone data files live in /etc/bind/)
root@ubuntu:~# cat /etc/bind/named.conf.options | grep directory
directory "/var/cache/bind";
root@ubuntu:~#
Zone data file format
The zone data file defines the concrete resolution rules for a domain. It consists of resource records, one per line; in the RFCs a DNS record is called a Resource Record, abbreviated RR
Resource record format
A resource record consists of 5 fields
- Owner
  - The owner of the record, usually a domain name
- TTL (Time to Live)
  - How long other DNS servers should cache the record before discarding it
  - The default unit is seconds; a unit may be appended: M (minutes), H (hours), D (days), W (weeks)
  - May be omitted when the TTL is inherited from the SOA record
  - All TTLs can be factored out into a $TTL directive, after which the TTL field of individual records may be omitted, e.g. $TTL 3H
- CLASS
  - The class the record belongs to; by far the most common is IN (the Internet class)
  - IN means the record follows Internet standards and applies to name resolution on the Internet
- TYPE
  - The record type, such as A (IPv4 address), AAAA (IPv6 address) or NS (authoritative name server)
- RDATA
  - Resource data, whose form depends on CLASS and TYPE; describes the record's actual content
Example records
; resource record 1
mage.com. 604800 IN SOA magedu-dns. admin.magedu.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
; resource record 2
mage.com. 604800 IN NS DNS1
; resource record 3
DNS1 604800 IN A 10.0.0.13
- Each resource record normally occupies one line
- From left to right the fields are Owner, TTL, CLASS, TYPE, RDATA
- The 5 fields are separated by whitespace; aligning the same field across records keeps the file readable
Resource record types
- SOA record
  - "Start of a zone of authority": marks the start of a zone of authority
  - An SOA record states that this DNS server is the authoritative server for the domain. When none of the caches along the way has the answer, the recursive query eventually reaches this DNS server and asks for the domain's SOA record
  - Example
@ 604800 IN SOA localhost. root.localhost. (
1 ; Serial # serial number
604800 ; Refresh # refresh interval
86400 ; Retry # retry interval
2419200 ; Expire # expiry time
604800 ) ; Negative Cache TTL # minimum TTL
- NS record
  - Name Server
  - Name server (NS) records determine which servers provide DNS resolution for a domain. For reliability a domain should have at least two NS records, so that the service is redundant and has no single point of failure
  - Usually paired with an A record giving the IP address of the name server
  - The NS record names the authoritative DNS servers "responsible for resolving this domain"; it effectively tells the whole network: "to look up xxx.com, ask these servers"
  - Example
@ 604800 IN NS dns
dns 604800 IN A 10.0.0.152
- A record
  - Internet Address, IPv4 address
  - Resolves an FQDN to an IPv4 address; the most common record type
  - Wildcards may be used: *.magedu.com.
  - Example
dns 604800 IN A 10.0.0.152
- CNAME record
  - Canonical Name Record, alias record
  - An important use of CNAME is delegated resolution: a CNAME lookup itself yields no IP; the A record of the canonical name is then queried to obtain the IP address
  - Lets a domain point at a CDN or load-balancer domain (e.g. www.example.com → cdn.provider.com)
  - How it works
    - User query: the client asks the DNS server for www.example.com
    - DNS server response: returns the CNAME record for www.example.com, pointing to example.com
    - The browser then queries the A record of example.com to obtain the IP address (e.g. 192.0.2.1)
  - Example
www 604800 IN CNAME example.com.
- PTR record
  - "A domain name pointer"
  - Used for reverse resolution of an IP address to a domain name, typically for reverse verification of mail servers
  - Above in-addr.arpa there is still the root domain; in-addr.arpa is for IPv4 addresses and ip6.arpa for IPv6 addresses
  - Normal resolution path
    - When a querier (a mail server, say) wants to reverse-resolve 180.101.50.242
    - It starts at the top-level reverse domain (.in-addr.arpa) and, following the NS records level by level, iteratively finds the authoritative DNS server for 180.in-addr.arpa (managed by the IP allocation body)
    - Via the NS records of 180.in-addr.arpa it iteratively finds the authoritative DNS server for 101.180.in-addr.arpa
    - Via the NS records of 101.180.in-addr.arpa it iteratively finds the authoritative DNS server for 50.101.180.in-addr.arpa (usually the ISP's DNS server)
    - Finally, on the authoritative DNS server for 50.101.180.in-addr.arpa, it obtains the PTR record for 242.50.101.180.in-addr.arpa
  - Example
1 604800 IN PTR www.mage.com.
Example file walkthrough
Full file contents
lxh@ubuntu:~$ cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
localhost. 604800 IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
localhost. 604800 IN NS localhost.
localhost. 604800 IN A 127.0.0.1
localhost. 604800 IN AAAA ::1
lxh@ubuntu:~$
Abbreviated notation
- When consecutive records repeat the same value in a column, only the first record needs to spell it out; later records may omit the same column (an omitted owner is indicated by the record line starting with whitespace)
- $TTL 604800 means every resource record in this file has a TTL of 604800 seconds, so later records can omit the TTL field
- The special symbol @ stands for the zone name this file belongs to, i.e. the domain after zone in the zone configuration
lxh@ubuntu:~$ cat /etc/bind/db.local
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
NS localhost.
A 127.0.0.1
AAAA ::1
lxh@ubuntu:~$
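The shorthand rules above (and the record-type examples earlier) can be checked mechanically with a small normaliser. This is an added example, not code from the notes or from BIND: it expands $TTL, @, omitted owner/TTL/class, relative names and parenthesised multi-line records into explicit records, so the full and shorthand forms of db.local can be compared record by record. The sample zone text is constructed after the page's db.local; BIND's real parser (named-checkzone) does far more and stays the authority.

```python
import re

# Added example (not from the page): a minimal BIND zone-file normaliser that
# expands the shorthand described above ($TTL, '@', owner/TTL/class omitted on
# later lines, relative names, multi-line '( ... )' records) into explicit
# records, so the two forms of db.local can be compared record by record.
# Not handled on purpose: $INCLUDE/$GENERATE and ';' inside quoted TXT data.

TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}
# rdata positions holding domain names, which need the origin appended
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def parse_ttl(token):
    """'604800' -> 604800, '1D' -> 86400, '3H' -> 10800; None if not a TTL."""
    m = TTL_RE.match(token)
    if not m:
        return None
    return int(m.group(1)) * TTL_UNITS[(m.group(2) or "s").lower()]


def absolutize(name, origin):
    """'@' -> origin; 'dns' -> 'dns.<origin>'; 'dns.mage.com.' is kept."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def logical_lines(text):
    """Yield one string per record: ';' comments removed, '( ... )' joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth <= 0:
            joined = " ".join(buf)  # keeps the first line's leading whitespace
            buf, depth = [], 0
            if joined.strip():
                yield joined


def parse_zone(text, zone_name):
    """Return [(owner, ttl, class, type, rdata), ...] with every field explicit."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    default_ttl, last_owner, records = None, None, []
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0].upper() == "$TTL":
            default_ttl = parse_ttl(tokens[1])
            continue
        # leading whitespace means "same owner as the previous record"
        owner = last_owner if line[0].isspace() else absolutize(tokens.pop(0), origin)
        if owner is None:
            raise ValueError(f"record without owner: {line.strip()!r}")
        ttl, rclass = None, None
        # TTL and class are both optional and may appear in either order
        while tokens and (tokens[0].upper() in CLASSES or parse_ttl(tokens[0]) is not None):
            tok = tokens.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        rtype = tokens.pop(0).upper()
        for idx in NAME_FIELDS.get(rtype, []):
            tokens[idx] = absolutize(tokens[idx], origin)
        if rtype == "SOA":  # refresh/retry/expire/minimum may be written as 1D, 1H, 1W
            tokens[3:7] = [str(parse_ttl(t)) for t in tokens[3:7]]
        records.append((owner, default_ttl if ttl is None else ttl,
                        rclass or "IN", rtype, " ".join(tokens)))
        last_owner = owner
    return records


# Constructed samples modelled on the page's /etc/bind/db.local: the full and
# the shorthand form must normalise to exactly the same records.
DB_LOCAL_FULL = """\
localhost. 604800 IN SOA localhost. root.localhost. (
    2 604800 86400 ; Serial Refresh Retry
    2419200 604800 ) ; Expire Negative-Cache-TTL
localhost. 604800 IN NS localhost.
localhost. 604800 IN A 127.0.0.1
localhost. 604800 IN AAAA ::1
"""
DB_LOCAL_SHORT = """\
$TTL 604800
@ IN SOA localhost. root.localhost. ( 2 604800 86400 2419200 604800 )
\tNS localhost.
\tA 127.0.0.1
\tAAAA ::1
"""

if __name__ == "__main__":
    for rec in parse_zone(DB_LOCAL_SHORT, "localhost"):
        print(rec)
```

Note that an owner can only be omitted when the line starts with whitespace; a relative name in the SOA contact field (admin.mage.com without the trailing dot) silently becomes admin.mage.com.mage.com., which the normaliser makes visible.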
DNS lookup commands
dig
Purpose: perform DNS lookups
Options:
- -t: specify the resource record type to query
- -x: reverse-resolve an IP address to a domain name
Note: three things are usually checked
- whether the flags include aa (the answer came from an authoritative server)
- the results in the ANSWER SECTION
- the SERVER line, which shows which DNS server answered this query
Examples:
lxh@ubuntu:~$ dig www.baidu.com # forward lookup: resolve www.baidu.com to IPv4 addresses
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29383
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN A 36.152.44.132
www.a.shifen.com. 5 IN A 36.152.44.93
;; AUTHORITY SECTION:
a.shifen.com. 5 IN NS ns5.a.shifen.com.
a.shifen.com. 5 IN NS ns3.a.shifen.com.
a.shifen.com. 5 IN NS ns4.a.shifen.com.
a.shifen.com. 5 IN NS ns2.a.shifen.com.
a.shifen.com. 5 IN NS ns1.a.shifen.com.
;; ADDITIONAL SECTION:
ns5.a.shifen.com. 5 IN AAAA 240e:bf:b801:1006:0:ff:b04f:346b
ns5.a.shifen.com. 5 IN AAAA 240e:940:603:a:0:ff:b08d:239d
ns3.a.shifen.com. 5 IN A 36.155.132.12
ns3.a.shifen.com. 5 IN A 153.3.238.162
ns4.a.shifen.com. 5 IN A 14.215.177.229
ns4.a.shifen.com. 5 IN A 111.20.4.28
ns5.a.shifen.com. 5 IN A 180.76.76.95
ns1.a.shifen.com. 5 IN A 110.242.68.42
ns2.a.shifen.com. 5 IN A 220.181.33.32
;; Query time: 137 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Jan 01 19:13:31 CST 2026
;; MSG SIZE rcvd: 359
lxh@ubuntu:~$
lxh@ubuntu:~$ dig -t AAAA www.baidu.com # forward lookup: resolve www.baidu.com to IPv6 addresses
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -t AAAA www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2265
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 10
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.baidu.com. IN AAAA
;; ANSWER SECTION:
www.baidu.com. 5 IN CNAME www.a.shifen.com.
www.a.shifen.com. 5 IN AAAA 2409:8c20:6:123c:0:ff:b0f6:b2d
www.a.shifen.com. 5 IN AAAA 2409:8c20:6:1794:0:ff:b080:87f0
;; AUTHORITY SECTION:
a.shifen.com. 5 IN NS ns5.a.shifen.com.
a.shifen.com. 5 IN NS ns1.a.shifen.com.
a.shifen.com. 5 IN NS ns3.a.shifen.com.
a.shifen.com. 5 IN NS ns2.a.shifen.com.
a.shifen.com. 5 IN NS ns4.a.shifen.com.
;; ADDITIONAL SECTION:
ns5.a.shifen.com. 5 IN A 180.76.76.95
ns1.a.shifen.com. 5 IN A 110.242.68.42
ns2.a.shifen.com. 5 IN A 220.181.33.32
ns3.a.shifen.com. 5 IN A 36.155.132.12
ns3.a.shifen.com. 5 IN A 153.3.238.162
ns4.a.shifen.com. 5 IN A 14.215.177.229
ns4.a.shifen.com. 5 IN A 111.20.4.28
ns5.a.shifen.com. 5 IN AAAA 240e:bf:b801:1006:0:ff:b04f:346b
ns5.a.shifen.com. 5 IN AAAA 240e:940:603:a:0:ff:b08d:239d
;; Query time: 212 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Jan 01 19:13:45 CST 2026
;; MSG SIZE rcvd: 383
lxh@ubuntu:~$
lxh@ubuntu:~$ dig -x 8.8.8.8 # reverse lookup of 8.8.8.8
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46407
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
8.8.8.8.in-addr.arpa. 5 IN PTR dns.google.
;; Query time: 167 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Jan 01 19:15:53 CST 2026
;; MSG SIZE rcvd: 73
lxh@ubuntu:~$
lxh@ubuntu:~$ dig -t ptr 8.8.8.8.in-addr.arpa. # equivalent to dig -x 8.8.8.8
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -t ptr 8.8.8.8.in-addr.arpa.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24501
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;8.8.8.8.in-addr.arpa. IN PTR
;; ANSWER SECTION:
8.8.8.8.in-addr.arpa. 5 IN PTR dns.google.
;; Query time: 160 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Thu Jan 01 19:16:49 CST 2026
;; MSG SIZE rcvd: 73
lxh@ubuntu:~$
lxh@ubuntu:~$ dig www.baidu.com @8.8.8.8 # query a specific DNS server
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> www.baidu.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7066
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 55 IN CNAME www.a.shifen.com.
www.a.shifen.com. 28 IN CNAME www.wshifen.com.
www.wshifen.com. 298 IN A 103.235.46.102
www.wshifen.com. 298 IN A 103.235.46.115
;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Thu Jan 01 19:22:01 CST 2026
;; MSG SIZE rcvd: 127
lxh@ubuntu:~$
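The three checks listed for dig (aa flag, ANSWER section, SERVER line) can be scripted. This is an added example, not code from the notes: it parses dig's text output, reports whether the answer was authoritative, and follows the CNAME chain in the answer to the final addresses, which is how the www.baidu.com → www.a.shifen.com → www.wshifen.com chain above resolves. The two sample outputs are constructed, trimmed copies modelled on the captures on this page.

```python
import re

# Added example (not from the page): pull the three things the page says to
# check out of dig output (the aa flag, the ANSWER section, the SERVER line)
# and follow the CNAME chain in the answer down to the final A/AAAA addresses.

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")
SERVER_RE = re.compile(r"^;; SERVER: (\S+)")


def parse_dig(output):
    """Summarise dig output as a dict: status, flags, authoritative, answer, server."""
    info = {"status": None, "flags": [], "answer": [], "server": None}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            info["status"] = m.group(2)
        elif (m := FLAGS_RE.match(line)):
            info["flags"] = m.group(1).split()
        elif (m := SERVER_RE.match(line)):
            info["server"] = m.group(1)
        elif (m := SECTION_RE.match(line)):
            section = m.group(1)  # QUESTION, ANSWER, AUTHORITY or ADDITIONAL
        elif line and not line.startswith(";") and section == "ANSWER":
            parts = line.split(None, 4)  # owner TTL class type rdata
            if len(parts) == 5:
                owner, ttl, rclass, rtype, rdata = parts
                info["answer"].append((owner, int(ttl), rclass, rtype, rdata))
    # aa is set only by an authoritative server; a recursive resolver such as
    # 127.0.0.53 or 8.8.8.8 answers from cache without it
    info["authoritative"] = "aa" in info["flags"]
    return info


def final_addresses(answer, qname):
    """Follow CNAMEs starting at qname; return (names visited, A/AAAA addresses)."""
    chain, name = [qname], qname
    while True:
        cname = next((r[4] for r in answer if r[0] == name and r[3] == "CNAME"), None)
        if cname is None:
            break
        if cname in chain:
            raise ValueError(f"CNAME loop at {cname}")
        chain.append(cname)
        name = cname
    return chain, [r[4] for r in answer if r[0] == name and r[3] in ("A", "AAAA")]


# Constructed samples modelled on the page's captures, trimmed to the lines the
# parser needs: one answer from the public resolver 8.8.8.8, one from the lab
# authoritative server 10.0.0.152.
RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7066
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 55 IN CNAME www.a.shifen.com.
www.a.shifen.com. 28 IN CNAME www.wshifen.com.
www.wshifen.com. 298 IN A 103.235.46.102
www.wshifen.com. 298 IN A 103.235.46.115
;; Query time: 56 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
"""
AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7635
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; ANSWER SECTION:
www.mage.com. 86400 IN A 10.0.0.1
;; AUTHORITY SECTION:
mage.com. 86400 IN NS dns.mage.com.
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP)
"""

if __name__ == "__main__":
    for sample in (RECURSIVE, AUTHORITATIVE):
        info = parse_dig(sample)
        print(info["server"], "authoritative:", info["authoritative"],
              final_addresses(info["answer"], info["answer"][0][0]))
```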
host
Purpose: perform DNS lookups
Options:
- -t: specify the resource record type to query
- -a: show all information
Examples:
lxh@ubuntu:~$ host www.baidu.com 8.8.8.8
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com is an alias for www.wshifen.com.
www.wshifen.com has address 103.235.46.102
www.wshifen.com has address 103.235.46.115
lxh@ubuntu:~$
lxh@ubuntu:~$ host -a www.baidu.com 8.8.8.8
Trying "www.baidu.com"
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11576
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN ANY
;; ANSWER SECTION:
www.baidu.com. 1148 IN CNAME www.a.shifen.com.
Received 58 bytes from 8.8.8.8#53 in 54 ms
lxh@ubuntu:~$
nslookup
Purpose: perform DNS lookups; available on both Linux and Windows
Options:
- -t: specify the resource record type to query
Examples:
lxh@ubuntu:~$ nslookup www.baidu.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
www.a.shifen.com canonical name = www.wshifen.com.
Name: www.wshifen.com
Address: 103.235.46.102
Name: www.wshifen.com
Address: 103.235.46.115
lxh@ubuntu:~$
lxh@ubuntu:~$ nslookup # also supports interactive lookups
> www.baidu.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 36.152.44.93
Name: www.a.shifen.com
Address: 36.152.44.132
Name: www.a.shifen.com
Address: 2409:8c20:6:123c:0:ff:b0f6:b2d
Name: www.a.shifen.com
Address: 2409:8c20:6:1794:0:ff:b080:87f0
> www.jd.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
www.jd.com canonical name = www.jd.com.gslb.qianxun.com.
www.jd.com.gslb.qianxun.com canonical name = www.jd.com.s.galileo.jcloud-cdn.com.
www.jd.com.s.galileo.jcloud-cdn.com canonical name = wwwv6.jcloudimg.com.
Name: wwwv6.jcloudimg.com
Address: 112.49.49.3
Name: wwwv6.jcloudimg.com
Address: 2409:8c34:d00:c:8000::3
>
lxh@ubuntu:~$
whois
Purpose: query registration information for domain names and IP addresses; usually used through web-based webmaster tools
Example:
lxh@ubuntu:~$ whois www.baidu.com
No match for "WWW.BAIDU.COM".
>>> Last update of whois database: 2026-01-01T11:28:16Z <<<
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
lxh@ubuntu:~$

Management tool: rndc
Purpose: with rndc an administrator can monitor the server's state locally or remotely and perform operations such as stopping it, reloading, flushing the cache, or adding and removing zones, without stopping the DNS service
Subcommands:
- status: show the BIND service status
- reload: reload the main configuration file and the zone files
- reconfig: reload the main configuration file only
- reload zonename: reload the specified zone file
- retransfer zonename: start a zone transfer manually, regardless of whether the serial number has increased
- flush: flush all cached records on the DNS server
Note: rndc depends on the named service; it cannot run without it
Example:
lxh@ubuntu:~$ sudo rndc status
version: BIND 9.18.39-0ubuntu0.24.04.2-Ubuntu (Extended Support Version) <id:>
running on localhost: Linux x86_64 6.8.0-90-generic #91-Ubuntu SMP PREEMPT_DYNAMIC Tue Nov 18 14:14:30 UTC 2025
boot time: Thu, 01 Jan 2026 09:07:50 GMT
last configured: Thu, 01 Jan 2026 09:07:52 GMT
configuration file: /etc/bind/named.conf
CPUs found: 2
worker threads: 2
UDP listeners per interface: 2
number of zones: 103 (98 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
TCP high-water: 0
server is up and running
lxh@ubuntu:~$
DNS cache and related commands
A DNS cache stores resolution data close to the client that issued the request; DNS data can in fact be cached at any point along the path. The goal is to cut down on recursive queries so that users get their answers faster
Linux and Windows
Show the DNS cache on Windows: ipconfig /displaydns
Clear the DNS cache on Windows: ipconfig /flushdns
Show the DNS cache on Linux: resolvectl show-cache
Clear the DNS cache on Linux: resolvectl flush-caches
resolvectl
Purpose: show or clear the DNS cache
Subcommands:
- show-cache: show the DNS cache
- flush-caches: clear the DNS cache
Examples:
lxh@ubuntu:~$ sudo resolvectl show-cache # the DNS cache is empty
Scope protocol=dns ifindex=3 ifname=ens38
No entries.
Scope protocol=dns ifindex=2 ifname=ens33
No entries.
Scope protocol=dns
No entries.
lxh@ubuntu:~$
lxh@ubuntu:~$ dig www.baidu.com > /dev/null # perform a lookup; the result gets cached
lxh@ubuntu:~$
lxh@ubuntu:~$ sudo resolvectl show-cache # the newly created cache entries are now visible
Scope protocol=dns ifindex=3 ifname=ens38
No entries.
Scope protocol=dns ifindex=2 ifname=ens33
www.a.shifen.com IN A 36.152.44.132
www.a.shifen.com IN A 36.152.44.93
www.baidu.com IN CNAME www.a.shifen.com
Scope protocol=dns
No entries.
lxh@ubuntu:~$
lxh@ubuntu:~$ sudo resolvectl flush-caches # clear the DNS cache
lxh@ubuntu:~$
lxh@ubuntu:~$ sudo resolvectl show-cache # the DNS cache is empty again
Scope protocol=dns ifindex=3 ifname=ens38
No entries.
Scope protocol=dns ifindex=2 ifname=ens33
No entries.
Scope protocol=dns
No entries.
lxh@ubuntu:~$
DNS practice
Forward resolution with a single DNS server
Environment preparation

Disable the firewall and SELinux on Rocky so they do not interfere with the results
[root@Rocky ~]# systemctl disable --now firewalld # disable the firewall
[root@Rocky ~]#
[root@Rocky ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config # disable SELinux
[root@Rocky ~]#
[root@Rocky ~]# reboot
Confirm that the bind package is installed on Rocky
[root@Rocky ~]# yum list --installed bind
Installed Packages
bind.x86_64 32:9.11.36-16.el8_10.6 @appstream
[root@Rocky ~]#
Configuration file changes
[root@Rocky ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; # listen on all interfaces
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; }; # allow any host to send queries
[root@Rocky ~]# vim /etc/named.rfc1912.zones
...
zone "mage.com" { # 添加新的区域
type master;
file "named.mage.com";
};
[root@Rocky ~]#
[root@Rocky ~]# vim /var/named/named.mage.com
;zone file for mage.com
$TTL 1D
@ IN SOA mage.dns. admin.mage.com. ( ; contact name must end with a dot, or the zone name is appended to it
20260101 ;serial number
1D ;refresh interval
1H ;retry interval
1W ;expiry time
3H ;minimum TTL
)
@ IN NS dns
dns IN A 10.0.0.152
www IN A 10.0.0.1
web IN A 10.0.0.2
[root@Rocky ~]#
Check file syntax
[root@Rocky named]# named-checkconf # check the configuration file syntax
[root@Rocky named]#
[root@Rocky named]# named-checkzone named.mage named.mage.com # check the zone file syntax
zone named.mage/IN: loaded serial 20260101
OK
[root@Rocky named]#
Start the DNS service
[root@Rocky named]# systemctl start named
[root@Rocky named]#
[root@Rocky named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2026-01-01 21:16:13 CST; 2s ago
Process: 2710 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2708 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking o>
Main PID: 2712 (named)
Tasks: 7 (limit: 11046)
Memory: 19.7M
CGroup: /system.slice/named.service
└─2712 /usr/sbin/named -u named -c /etc/named.conf
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Jan 01 21:16:13 Rocky named[2712]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Jan 01 21:16:14 Rocky named[2712]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Jan 01 21:16:14 Rocky named[2712]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Jan 01 21:16:15 Rocky named[2712]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Jan 01 21:16:15 Rocky named[2712]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now trusted, waiving >
[root@Rocky named]#
[root@Rocky named]# netstat -tunlp | grep 53
tcp 0 0 10.0.0.152:53 0.0.0.0:* LISTEN 2712/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2712/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1800/dnsmasq
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2712/named
tcp6 0 0 ::1:953 :::* LISTEN 2712/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 952/avahi-daemon: r
udp 0 0 192.168.122.1:53 0.0.0.0:* 2712/named
udp 0 0 10.0.0.152:53 0.0.0.0:* 2712/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2712/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 1800/dnsmasq
udp6 0 0 :::5353 :::* 952/avahi-daemon: r
udp6 0 0 :::53 :::* 2712/named
[root@Rocky named]#
Test and verify
root@ubuntu:~# dig www.mage.com @10.0.0.152
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> www.mage.com @10.0.0.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7635
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 47933587ebe39837a8548a276956747e6ca78a7c62b6802c (good)
;; QUESTION SECTION:
;www.mage.com. IN A
;; ANSWER SECTION:
www.mage.com. 86400 IN A 10.0.0.1 # resolved successfully
;; AUTHORITY SECTION:
mage.com. 86400 IN NS dns.mage.com.
;; ADDITIONAL SECTION:
dns.mage.com. 86400 IN A 10.0.0.152
;; Query time: 2 msec
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP) # the answering DNS server is the Rocky host
;; WHEN: Thu Jan 01 21:19:59 CST 2026
;; MSG SIZE rcvd: 119
root@ubuntu:~#
root@ubuntu:~# dig web.mage.com @10.0.0.152
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> web.mage.com @10.0.0.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c9158c296cb058c143a500036956748fdd66a22a182264b0 (good)
;; QUESTION SECTION:
;web.mage.com. IN A
;; ANSWER SECTION:
web.mage.com. 86400 IN A 10.0.0.2
;; AUTHORITY SECTION:
mage.com. 86400 IN NS dns.mage.com.
;; ADDITIONAL SECTION:
dns.mage.com. 86400 IN A 10.0.0.152
;; Query time: 2 msec
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP)
;; WHEN: Thu Jan 01 21:20:15 CST 2026
;; MSG SIZE rcvd: 119
root@ubuntu:~#
Reverse resolution with a single DNS server
Environment preparation

Disable the firewall and SELinux on Rocky so they do not interfere with the results
[root@Rocky ~]# systemctl disable --now firewalld # disable the firewall
[root@Rocky ~]#
[root@Rocky ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config # disable SELinux
[root@Rocky ~]#
[root@Rocky ~]# reboot
Confirm that the bind package is installed on Rocky
[root@Rocky ~]# yum list --installed bind
Installed Packages
bind.x86_64 32:9.11.36-16.el8_10.6 @appstream
[root@Rocky ~]#
Configuration file changes
[root@Rocky ~]# vim /etc/named.conf
options {
listen-on port 53 { any; }; # listen on all interfaces
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; }; # allow any host to send queries
[root@Rocky ~]# vim /etc/named.rfc1912.zones
...
zone "0.0.10.in-addr.arpa" {
type master;
file "named.0.0.10.in-addr.arpa";
};
[root@Rocky ~]#
[root@Rocky ~]# vim /var/named/named.0.0.10.in-addr.arpa
;zone file for 0.0.10.in-addr.arpa
$TTL 1D
@ IN SOA mage.dns. admin.mage.com. ( ; contact name must end with a dot, or the zone name is appended to it
20260101 ;serial number
1D ;refresh interval
1H ;retry interval
1W ;expiry time
3H ;minimum TTL
)
@ IN NS dns.mage.com.
dns.mage.com. IN A 10.0.0.152
1 IN PTR www.mage.com.
2 IN PTR web.mage.com.
[root@Rocky ~]#
Check file syntax
[root@Rocky ~]# named-checkconf
[root@Rocky ~]#
[root@Rocky ~]# named-checkzone 0.0.10.in-addr.arpa named.0.0.10.in-addr.arpa
named.0.0.10.in-addr.arpa:11: ignoring out-of-zone data (dns.mage.com)
zone 0.0.10.in-addr.arpa/IN: loaded serial 20260101
OK
[root@Rocky ~]#
Start the DNS service
[root@Rocky named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: inactive (dead)
[root@Rocky named]#
[root@Rocky named]# systemctl start named
[root@Rocky named]#
[root@Rocky named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Thu 2026-01-01 22:49:06 CST; 4s ago
Process: 2488 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 2484 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking o>
Main PID: 2489 (named)
Tasks: 7 (limit: 11046)
Memory: 24.7M
CGroup: /system.slice/named.service
└─2489 /usr/sbin/named -u named -c /etc/named.conf
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:506#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:408#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:837#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:209#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:7e2#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:30b#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:606#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:121#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:937#53
Jan 01 22:49:10 Rocky named[2489]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:606#53
lines 1-21/21 (END)
[root@Rocky named]#
[root@Rocky named]# netstat -ntulp | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2489/named
tcp 0 0 10.0.0.152:53 0.0.0.0:* LISTEN 2489/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2489/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1735/dnsmasq
tcp6 0 0 ::1:953 :::* LISTEN 2489/named
tcp6 0 0 :::53 :::* LISTEN 2489/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 972/avahi-daemon: r
udp 0 0 192.168.122.1:53 0.0.0.0:* 2489/named
udp 0 0 10.0.0.152:53 0.0.0.0:* 2489/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2489/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 1735/dnsmasq
udp6 0 0 :::5353 :::* 972/avahi-daemon: r
udp6 0 0 :::53 :::* 2489/named
[root@Rocky named]#
Test and verify
root@ubuntu:~# dig -x 10.0.0.1 @10.0.0.152
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 10.0.0.1 @10.0.0.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49104
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 6e21e3a85a546286299fa7a5695689af58161ae5eb63e27e (good)
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.10.in-addr.arpa. 86400 IN PTR www.mage.com.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS dns.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP)
;; WHEN: Thu Jan 01 22:50:24 CST 2026
;; MSG SIZE rcvd: 122
root@ubuntu:~#
root@ubuntu:~# dig -x 10.0.0.2 @10.0.0.152
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -x 10.0.0.2 @10.0.0.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9568
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1974826102efd4e48a574375695689b4a69f52b6571c360c (good)
;; QUESTION SECTION:
;2.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.0.0.10.in-addr.arpa. 86400 IN PTR web.mage.com.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS dns.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP)
;; WHEN: Thu Jan 01 22:50:28 CST 2026
;; MSG SIZE rcvd: 122
root@ubuntu:~#
root@ubuntu:~# dig -t ptr 2.0.0.10.in-addr.arpa. @10.0.0.152
; <<>> DiG 9.18.39-0ubuntu0.24.04.2-Ubuntu <<>> -t ptr 2.0.0.10.in-addr.arpa. @10.0.0.152
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19651
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 37e1f7ed1b7842313ab663ed695689c89c2b7b73fe2ec8c0 (good)
;; QUESTION SECTION:
;2.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
2.0.0.10.in-addr.arpa. 86400 IN PTR web.mage.com.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS dns.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.152#53(10.0.0.152) (UDP)
;; WHEN: Thu Jan 01 22:50:49 CST 2026
;; MSG SIZE rcvd: 122
root@ubuntu:~#
Forward resolution with master and slave DNS servers
Environment preparation

Disable the firewall and SELinux on OpenEuler so they do not interfere with the results
[root@OpenEuler ~]# systemctl disable --now firewalld
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
[root@OpenEuler ~]#
[root@OpenEuler ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@OpenEuler ~]#
Confirm that the bind package is installed on OpenEuler
[root@OpenEuler ~]# yum list --installed bind
Installed Packages
bind.x86_64 32:9.18.21-5.oe2403sp2 @update
[root@OpenEuler ~]#
Confirm that the bind9 package is installed on Ubuntu
root@ubuntu:~# apt list --installed bind9
Listing... Done
bind9/noble-updates,noble-security,now 1:9.18.39-0ubuntu0.24.04.2 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it
root@ubuntu:~#
Configuration file changes
root@ubuntu:~# vim /etc/bind/named.conf.default-zones
...
zone "mage.com" {
type master;
file "/etc/bind/db.mage.com";
allow-transfer {10.0.0.162;};
};
root@ubuntu:~# vim /etc/bind/db.mage.com
;zone file for mage.com
$TTL 604800
@ IN SOA mage.dns. admin.mage.com. (
2 ; serial number
5 ; refresh interval
86400 ; retry interval
2419200 ; expiry time
604800 ) ; minimum TTL
@ IN NS dns1
@ IN NS dns2
dns1 IN A 10.0.0.150
dns2 IN A 10.0.0.162
www IN A 10.0.0.1
web IN A 10.0.0.2
root@ubuntu:~#
[root@OpenEuler ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
[root@OpenEuler ~]#
[root@OpenEuler ~]# vim /etc/named.rfc1912.zones
...
zone "mage.com" {
type slave;
masters {10.0.0.150;};
file "slaves/named.mage.com";
};
[root@OpenEuler ~]#
Check file syntax
root@ubuntu:/etc/bind# named-checkconf
root@ubuntu:/etc/bind#
root@ubuntu:/etc/bind# named-checkzone mage.com db.mage.com
zone mage.com/IN: loaded serial 1
OK
root@ubuntu:/etc/bind#
[root@OpenEuler ~]# named-checkconf
[root@OpenEuler ~]#
Start the DNS service and apply the configuration
root@ubuntu:/etc/bind# rndc reload
server reload successful
root@ubuntu:/etc/bind#
root@ubuntu:/etc/bind# netstat -tnulp | grep 53
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 811/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 811/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 811/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 641/systemd-resolve
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 641/systemd-resolve
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 811/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 811/named
tcp6 0 0 ::1:53 :::* LISTEN 811/named
tcp6 0 0 ::1:53 :::* LISTEN 811/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 811/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 811/named
tcp6 0 0 ::1:953 :::* LISTEN 811/named
tcp6 0 0 ::1:953 :::* LISTEN 811/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 811/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 811/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 811/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 811/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 811/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 811/named
udp 0 0 127.0.0.54:53 0.0.0.0:* 641/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 641/systemd-resolve
udp6 0 0 ::1:53 :::* 811/named
udp6 0 0 ::1:53 :::* 811/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 811/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 811/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 811/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 811/named
root@ubuntu:/etc/bind#
[root@OpenEuler named]# systemctl start named
[root@OpenEuler named]#
[root@OpenEuler named]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
Active: active (running) since Fri 2026-01-02 00:43:23 CST; 4s ago
Process: 2535 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking>
Process: 2538 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 2541 (named)
Tasks: 22 (limit: 98652)
Memory: 5.3M ()
CGroup: /system.slice/named.service
└─2541 /usr/sbin/named -u named -c /etc/named.conf
Jan 02 00:43:23 OpenEuler named[2541]: transfer of 'mage.com/IN' from 10.0.0.150#53: Transfer completed: 1 messages, 8 records, 222 bytes, 0.009 secs (2466>
Jan 02 00:43:23 OpenEuler named[2541]: zone mage.com/IN: sending notifies (serial 1)
Jan 02 00:43:23 OpenEuler named[2541]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Jan 02 00:43:24 OpenEuler named[2541]: resolver priming query complete: success
Jan 02 00:43:24 OpenEuler named[2541]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
Jan 02 00:43:24 OpenEuler named[2541]: checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
Jan 02 00:43:24 OpenEuler named[2541]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Jan 02 00:43:24 OpenEuler named[2541]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Jan 02 00:43:24 OpenEuler named[2541]: managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
Jan 02 00:43:24 OpenEuler named[2541]: managed-keys-zone: Key 38696 for zone . is now trusted (acceptance timer complete)
[root@OpenEuler named]#
[root@OpenEuler named]# netstat -tunlp | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2541/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2541/named
tcp 0 0 10.0.0.162:53 0.0.0.0:* LISTEN 2541/named
tcp6 0 0 ::1:53 :::* LISTEN 2541/named
tcp6 0 0 ::1:953 :::* LISTEN 2541/named
tcp6 0 0 fe80::20c:29ff:fe2a::53 :::* LISTEN 2541/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2541/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2541/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2541/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2541/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2541/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2541/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2541/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2541/named
udp6 0 0 ::1:53 :::* 2541/named
udp6 0 0 ::1:53 :::* 2541/named
udp6 0 0 ::1:53 :::* 2541/named
udp6 0 0 ::1:53 :::* 2541/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2541/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2541/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2541/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2541/named
[root@OpenEuler named]#
[root@OpenEuler named]# file slaves/named.mage.com # the transferred zone file is stored in binary form
slaves/named.mage.com: Adobe Photoshop Color swatch, version 0, 2 colors; 1st RGB space (0), w 0x1, x 0x6956, y 0xa42b, z 0; 2nd RGB space (0), w 0, x 0, y 0, z 0
[root@OpenEuler named]#
Test and verify
[lxh@Rocky ~]$ dig www.mage.com @10.0.0.150
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> www.mage.com @10.0.0.150
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54390
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: da754b68b6302d3a010000006956a56aff26b3660166e6b7 (good)
;; QUESTION SECTION:
;www.mage.com. IN A
;; ANSWER SECTION:
www.mage.com. 604800 IN A 10.0.0.1
;; Query time: 1 msec
;; SERVER: 10.0.0.150#53(10.0.0.150)
;; WHEN: Fri Jan 02 00:48:42 CST 2026
;; MSG SIZE rcvd: 85
[lxh@Rocky ~]$
[lxh@Rocky ~]$ dig www.mage.com @10.0.0.162
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> www.mage.com @10.0.0.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34842
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 50f02425ddfc8eff010000006956a571f9ac0388ccb75f8f (good)
;; QUESTION SECTION:
;www.mage.com. IN A
;; ANSWER SECTION:
www.mage.com. 604800 IN A 10.0.0.1
;; Query time: 1 msec
;; SERVER: 10.0.0.162#53(10.0.0.162)
;; WHEN: Fri Jan 02 00:48:49 CST 2026
;; MSG SIZE rcvd: 85
[lxh@Rocky ~]$
If the zone file on the master DNS server is modified
root@ubuntu:/etc/bind# vim /etc/bind/db.mage.com
;zone file for mage.com
$TTL 604800
@ IN SOA mage.dns. admin.mage.com. (
2 ; serial number
604800 ; refresh interval
86400 ; retry interval
2419200 ; expiry time
604800 ) ; minimum TTL
@ IN NS dns1
@ IN NS dns2
dns1 IN A 10.0.0.150
dns2 IN A 10.0.0.162
www IN A 10.0.0.3
web IN A 10.0.0.2
root@ubuntu:/etc/bind#
The slave DNS server refreshes and synchronizes automatically
[lxh@Rocky ~]$ dig www.mage.com @10.0.0.162
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> www.mage.com @10.0.0.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31427
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 35ac24ae1edbdec9010000006956a74dfba5f1766ef87953 (good)
;; QUESTION SECTION:
;www.mage.com. IN A
;; ANSWER SECTION:
www.mage.com. 604800 IN A 10.0.0.3
;; Query time: 1 msec
;; SERVER: 10.0.0.162#53(10.0.0.162)
;; WHEN: Fri Jan 02 00:56:46 CST 2026
;; MSG SIZE rcvd: 85
[lxh@Rocky ~]$
Reverse resolution with master and slave DNS servers
Environment preparation

Disable the firewall and SELinux on OpenEuler so they do not affect the result
[root@OpenEuler ~]# systemctl disable --now firewalld
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
[root@OpenEuler ~]#
[root@OpenEuler ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@OpenEuler ~]#
Confirm that the bind package is installed on OpenEuler
[root@OpenEuler ~]# yum list --installed bind
Installed Packages
bind.x86_64 32:9.18.21-5.oe2403sp2 @update
[root@OpenEuler ~]#
Confirm that the bind9 package is installed on Ubuntu
root@ubuntu:~# apt list --installed bind9
Listing... Done
bind9/noble-updates,noble-security,now 1:9.18.39-0ubuntu0.24.04.2 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it
root@ubuntu:~#
Configuration file changes
root@ubuntu:~# vim /etc/bind/named.conf.default-zones
...
zone "0.0.10.in-addr.arpa" {
type master;
file "/etc/bind/db.0.0.10.in-addr.arpa";
allow-transfer {10.0.0.162;};
};
root@ubuntu:~#
root@ubuntu:~# vim /etc/bind/db.0.0.10.in-addr.arpa
; zone file for 0.0.10.in-addr.arpa
$TTL 604800
@ IN SOA mage.dns. admin.mage.com. (
2 ; serial
5 ; refresh
86400 ; retry
2419200 ; expire
604800 ) ; minimum TTL
@ IN NS dns1.mage.com.
@ IN NS dns2.mage.com.
dns1.mage.com. IN A 10.0.0.150
dns2.mage.com. IN A 10.0.0.162
1 IN PTR www.mage.com.
2 IN PTR web.mage.com.
root@ubuntu:~#
[root@OpenEuler ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
...
[root@OpenEuler ~]#
[root@OpenEuler ~]# vim /etc/named.rfc1912.zones
...
zone "0.0.10.in-addr.arpa" {
type slave;
masters {10.0.0.150;};
file "slaves/named.0.0.10.in-addr.arpa";
};
[root@OpenEuler ~]#
Check file syntax
root@ubuntu:~# named-checkconf
root@ubuntu:~#
root@ubuntu:~# named-checkzone 0.0.10.in-addr.arpa /etc/bind/db.0.0.10.in-addr.arpa
/etc/bind/db.0.0.10.in-addr.arpa:11: ignoring out-of-zone data (dns1.mage.com)
/etc/bind/db.0.0.10.in-addr.arpa:12: ignoring out-of-zone data (dns2.mage.com)
zone 0.0.10.in-addr.arpa/IN: loaded serial 2
OK
root@ubuntu:~#
[root@OpenEuler ~]# named-checkconf
[root@OpenEuler ~]#
Start the DNS service and apply the configuration
root@ubuntu:~# rndc reload
server reload successful
root@ubuntu:~#
root@ubuntu:~# netstat -ntulp | grep 53
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 815/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 815/named
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 815/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 667/systemd-resolve
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 667/systemd-resolve
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 815/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 815/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 815/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 815/named
tcp6 0 0 ::1:953 :::* LISTEN 815/named
tcp6 0 0 ::1:953 :::* LISTEN 815/named
tcp6 0 0 ::1:53 :::* LISTEN 815/named
tcp6 0 0 ::1:53 :::* LISTEN 815/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 815/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 815/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 815/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 815/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 815/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 815/named
udp 0 0 127.0.0.54:53 0.0.0.0:* 667/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 667/systemd-resolve
udp6 0 0 ::1:53 :::* 815/named
udp6 0 0 ::1:53 :::* 815/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 815/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 815/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 815/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 815/named
root@ubuntu:~#
[root@OpenEuler ~]# systemctl start named.service
[root@OpenEuler ~]#
[root@OpenEuler ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
Active: active (running) since Fri 2026-01-02 09:49:49 CST; 3s ago
Process: 2061 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zo>
Process: 2068 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 2070 (named)
Tasks: 22 (limit: 98652)
Memory: 6.8M ()
CGroup: /system.slice/named.service
└─2070 /usr/sbin/named -u named -c /etc/named.conf
Jan 02 09:49:50 OpenEuler named[2070]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Jan 02 09:49:50 OpenEuler named[2070]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:837#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:30b#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:937#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:837#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:7e2#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:408#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'cody.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:30b#53
Jan 02 09:49:51 OpenEuler named[2070]: network unreachable resolving 'erin.ns.cloudflare.com/A/IN': 2400:cb00:2049:1::a29f:121#53
[root@OpenEuler ~]#
[root@OpenEuler ~]# netstat -ntulp | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2070/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2070/named
tcp 0 0 10.0.0.162:53 0.0.0.0:* LISTEN 2070/named
tcp6 0 0 fe80::20c:29ff:fe2a::53 :::* LISTEN 2070/named
tcp6 0 0 ::1:953 :::* LISTEN 2070/named
tcp6 0 0 ::1:53 :::* LISTEN 2070/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2070/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2070/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2070/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2070/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2070/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2070/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2070/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2070/named
udp6 0 0 ::1:53 :::* 2070/named
udp6 0 0 ::1:53 :::* 2070/named
udp6 0 0 ::1:53 :::* 2070/named
udp6 0 0 ::1:53 :::* 2070/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2070/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2070/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2070/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2070/named
[root@OpenEuler ~]#
[root@OpenEuler ~]# file /var/named/slaves/named.0.0.10.in-addr.arpa
/var/named/slaves/named.0.0.10.in-addr.arpa: Adobe Photoshop Color swatch, version 0, 2 colors; 1st RGB space (0), w 0x1, x 0x6957, y 0x243d, z 0; 2nd RGB space (0), w 0, x 0, y 0, z 0
[root@OpenEuler ~]#
Test and verify
[root@Rocky ~]# dig -x 10.0.0.1 @10.0.0.150
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> -x 10.0.0.1 @10.0.0.150
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3767
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 4565c08b13c30d0801000000695724c6db3d2232adc279a9 (good)
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.10.in-addr.arpa. 604800 IN PTR www.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.150#53(10.0.0.150)
;; WHEN: Fri Jan 02 09:52:07 CST 2026
;; MSG SIZE rcvd: 104
[root@Rocky ~]#
[root@Rocky ~]# dig -x 10.0.0.1 @10.0.0.162
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> -x 10.0.0.1 @10.0.0.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49799
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: f95d812d2282232b01000000695724cc1e75d392c8ede179 (good)
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.10.in-addr.arpa. 604800 IN PTR www.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.162#53(10.0.0.162)
;; WHEN: Fri Jan 02 09:52:12 CST 2026
;; MSG SIZE rcvd: 104
[root@Rocky ~]#
If the zone file on the master DNS server is modified
root@ubuntu:~# vim /etc/bind/db.0.0.10.in-addr.arpa
; zone file for 0.0.10.in-addr.arpa
$TTL 604800
@ IN SOA mage.dns. admin.mage.com. (
3 ; serial
5 ; refresh
86400 ; retry
2419200 ; expire
604800 ) ; minimum TTL
@ IN NS dns1.mage.com.
@ IN NS dns2.mage.com.
dns1.mage.com. IN A 10.0.0.150
dns2.mage.com. IN A 10.0.0.162
1 IN PTR WWW.mage.com.
2 IN PTR web.mage.com.
root@ubuntu:~#
The slave DNS server refreshes and synchronizes automatically
[root@Rocky ~]# dig -x 10.0.0.1 @10.0.0.162
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> -x 10.0.0.1 @10.0.0.162
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33071
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 67a943aa43822e4d01000000695725ba96443bc3af5b5547 (good)
;; QUESTION SECTION:
;1.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.10.in-addr.arpa. 604800 IN PTR WWW.mage.com.
;; Query time: 1 msec
;; SERVER: 10.0.0.162#53(10.0.0.162)
;; WHEN: Fri Jan 02 09:56:10 CST 2026
;; MSG SIZE rcvd: 104
[root@Rocky ~]#
Recursive forward resolution of a subdomain across multiple DNS servers
Environment preparation

Disable the firewall and SELinux on OpenEuler so they do not affect the result
[root@OpenEuler ~]# systemctl disable --now firewalld
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
[root@OpenEuler ~]#
[root@OpenEuler ~]# sed -i 's/SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
[root@OpenEuler ~]#
Confirm that the bind package is installed on OpenEuler
[root@OpenEuler ~]# yum list --installed bind
Installed Packages
bind.x86_64 32:9.18.21-5.oe2403sp2 @update
[root@OpenEuler ~]#
Confirm that the bind9 package is installed on Ubuntu
root@ubuntu:~# apt list --installed bind9
Listing... Done
bind9/noble-updates,noble-security,now 1:9.18.39-0ubuntu0.24.04.2 amd64 [installed]
N: There is 1 additional version. Please use the '-a' switch to see it
root@ubuntu:~#
Configuration file changes
[root@OpenEuler ~]# vim /etc/named.rfc1912.zones
...
zone "host.mage.com" {
type master;
file "named.host.mage.com";
};
[root@OpenEuler ~]#
[root@OpenEuler ~]# vim /var/named/named.host.mage.com
; zone file for host.mage.com
$TTL 1D
@ IN SOA mage.dns. admin.mage.com. (
20260101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum TTL
)
@ IN NS dns
dns IN A 10.0.0.162
www IN A 10.0.0.1
[root@OpenEuler ~]#
[root@OpenEuler ~]# vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
...
[root@OpenEuler ~]#
root@ubuntu:~# vim /etc/bind/named.conf.default-zones
...
zone "mage.com" {
type master;
file "/etc/bind/db.mage.com";
};
root@ubuntu:~#
root@ubuntu:~# vim /etc/bind/db.mage.com
; zone file for mage.com
$TTL 1D
@ IN SOA mage.dns. admin.mage.com. (
20260101 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ; minimum TTL
)
@ IN NS dns
host IN NS subdns
dns IN A 10.0.0.150
subdns IN A 10.0.0.162
root@ubuntu:~#
Check file syntax
root@ubuntu:~# named-checkconf
root@ubuntu:~#
root@ubuntu:~# named-checkzone mage.com /etc/bind/db.mage.com
/etc/bind/db.mage.com:11: warning: sub_dns.mage.com: bad name (check-names)
/etc/bind/db.mage.com:13: sub_dns.mage.com: bad owner name (check-names)
zone mage.com/IN: loaded serial 20260101
OK
[root@OpenEuler ~]# named-checkconf
[root@OpenEuler ~]#
[root@OpenEuler ~]# named-checkzone host.mage.com /var/named/named.host.mage.com
zone host.mage.com/IN: loaded serial 20260101
OK
[root@OpenEuler ~]#
Start the DNS service and apply the configuration
root@ubuntu:~# rndc reload
server reload successful
root@ubuntu:~#
root@ubuntu:~# netstat -ntulp | grep 53
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 814/named
tcp 0 0 10.0.0.150:53 0.0.0.0:* LISTEN 814/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 814/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 814/named
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 814/named
tcp 0 0 10.0.0.159:53 0.0.0.0:* LISTEN 814/named
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 655/systemd-resolve
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN 655/systemd-resolve
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 814/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 814/named
tcp6 0 0 ::1:953 :::* LISTEN 814/named
tcp6 0 0 ::1:953 :::* LISTEN 814/named
tcp6 0 0 ::1:53 :::* LISTEN 814/named
tcp6 0 0 ::1:53 :::* LISTEN 814/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 814/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 814/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 814/named
tcp6 0 0 fe80::20c:29ff:fe08::53 :::* LISTEN 814/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 814/named
udp 0 0 10.0.0.159:53 0.0.0.0:* 814/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 814/named
udp 0 0 10.0.0.150:53 0.0.0.0:* 814/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 814/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 814/named
udp 0 0 127.0.0.54:53 0.0.0.0:* 655/systemd-resolve
udp 0 0 127.0.0.53:53 0.0.0.0:* 655/systemd-resolve
udp6 0 0 ::1:53 :::* 814/named
udp6 0 0 ::1:53 :::* 814/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 814/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 814/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 814/named
udp6 0 0 fe80::20c:29ff:fe08::53 :::* 814/named
root@ubuntu:~#
[root@OpenEuler ~]# systemctl start named
[root@OpenEuler ~]#
[root@OpenEuler ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disabled)
Active: active (running) since Fri 2026-01-02 10:25:33 CST; 4s ago
Process: 2011 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking>
Process: 2016 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Main PID: 2019 (named)
Tasks: 18 (limit: 98652)
Memory: 6.5M ()
CGroup: /system.slice/named.service
└─2019 /usr/sbin/named -u named -c /etc/named.conf
Jan 02 10:25:33 OpenEuler named[2019]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Jan 02 10:25:33 OpenEuler named[2019]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Jan 02 10:25:33 OpenEuler named[2019]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Jan 02 10:25:33 OpenEuler named[2019]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiv>
Jan 02 10:25:33 OpenEuler named[2019]: managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now trusted, waiv>
Jan 02 10:25:33 OpenEuler named[2019]: resolver priming query complete: success
Jan 02 10:25:33 OpenEuler named[2019]: checkhints: b.root-servers.net/A (170.247.170.2) missing from hints
Jan 02 10:25:33 OpenEuler named[2019]: checkhints: b.root-servers.net/A (199.9.14.201) extra record in hints
Jan 02 10:25:33 OpenEuler named[2019]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::b) missing from hints
Jan 02 10:25:33 OpenEuler named[2019]: checkhints: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
[root@OpenEuler ~]# netstat -ntulp | grep 53
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2019/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2019/named
tcp 0 0 10.0.0.162:53 0.0.0.0:* LISTEN 2019/named
tcp6 0 0 ::1:953 :::* LISTEN 2019/named
tcp6 0 0 ::1:53 :::* LISTEN 2019/named
tcp6 0 0 fe80::20c:29ff:fe2a::53 :::* LISTEN 2019/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2019/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2019/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2019/named
udp 0 0 10.0.0.162:53 0.0.0.0:* 2019/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2019/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2019/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2019/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 2019/named
udp6 0 0 ::1:53 :::* 2019/named
udp6 0 0 ::1:53 :::* 2019/named
udp6 0 0 ::1:53 :::* 2019/named
udp6 0 0 ::1:53 :::* 2019/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2019/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2019/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2019/named
udp6 0 0 fe80::20c:29ff:fe2a::53 :::* 2019/named
[root@OpenEuler ~]#
Test and verify
[root@Rocky ~]# dig www.host.mage.com @10.0.0.150
; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.6 <<>> www.host.mage.com @10.0.0.150
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: b5eed3839762035d0100000069575d4d973639f6881b0033 (good)
;; QUESTION SECTION:
;www.host.mage.com. IN A
;; ANSWER SECTION:
www.host.mage.com. 86400 IN A 10.0.0.1
;; Query time: 3 msec
;; SERVER: 10.0.0.150#53(10.0.0.150)
;; WHEN: Fri Jan 02 13:53:17 CST 2026
;; MSG SIZE rcvd: 90
[root@Rocky ~]#
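The three things the master/slave and delegation labs above depend on can be checked from the zone files alone: a serial bump is what makes the slave refresh, the "out-of-zone data" warning that named-checkzone printed for the reverse zone, and the parent's NS plus glue A for the host.mage.com delegation. The following Python is an added example, not a tool from the original write-up; its parser handles only the owner IN TYPE rdata layout used in this lab, and the sample zone texts are adapted from the page, with the parent zone's SOA RNAME left without its trailing dot so the lint has something to flag.

```python
"""Zone-file sanity checks for this lab: does the slave refresh after an edit, what
named-checkzone warned about, and is the host.mage.com delegation glued. Added example."""
import re
def absname(name, origin):  # qualify as named does: '@' is the apex, no trailing dot means relative
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse the 'owner IN TYPE rdata' layout used in this lab into (owner, type, rdata) tuples."""
    origin = origin.rstrip(".") + "."
    body = re.sub(r";[^\n]*", "", text)                                         # drop ; comments
    body = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), body)  # fold SOA ( ... )
    recs = []
    for line in body.splitlines():
        tok = line.replace("(", " ").replace(")", " ").split()
        if not tok or tok[0].startswith("$"):                                   # blank lines, $TTL
            continue
        owner, rtype, rdata = absname(tok[0], origin), tok[2], tok[3:]
        if rtype in ("NS", "PTR", "CNAME", "SOA"):                              # rdata[0] is a name
            rdata[0] = absname(rdata[0], origin)
        recs.append((owner, rtype, rdata))
    return recs

def soa_serial(recs):
    return next(int(rd[2]) for _, t, rd in recs if t == "SOA")
def slave_will_refresh(master, slave):
    """Secondary re-transfers only when the primary serial is higher; no serial bump, no sync."""
    return soa_serial(master) > soa_serial(slave)

def lint(recs, origin):  # reproduce two findings named-checkzone reports on files like these
    origin, warns = origin.rstrip(".") + ".", []
    for owner, rtype, rdata in recs:
        if owner != origin and not owner.endswith("." + origin):
            warns.append(f"ignoring out-of-zone data ({owner})")
        if rtype == "SOA" and not rdata[1].endswith("."):
            warns.append(f"SOA RNAME {rdata[1]} lacks trailing dot, becomes {rdata[1]}.{origin}")
    return warns

def check_delegation(parent, parent_origin, child):  # -> (NS targets for child, in-zone NS lacking glue A)
    parent_origin, child = parent_origin.rstrip(".") + ".", child.rstrip(".") + "."
    ns = [rd[0] for own, t, rd in parent if t == "NS" and own == child]
    glue = {own for own, t, _ in parent if t == "A"}
    return ns, [n for n in ns if n.endswith("." + parent_origin) and n not in glue]

# Adapted from the lab: reverse zone at serial 2; parent zone with its SOA RNAME deliberately left undotted.
REVERSE_V2 = """$TTL 604800
@ IN SOA mage.dns. admin.mage.com. (
 2 ; serial
 5 86400 2419200 604800 ) ; refresh retry expire minimum
@ IN NS dns1.mage.com.
dns1.mage.com. IN A 10.0.0.150
1 IN PTR www.mage.com.
"""
REVERSE_V3 = REVERSE_V2.replace("2 ; serial", "3 ; serial")  # the edit that made the slave resync
PARENT = """@ IN SOA mage.dns. admin.mage.com ( 20260101 1D 1H 1W 3H )
@ IN NS dns
host IN NS subdns
dns IN A 10.0.0.150
subdns IN A 10.0.0.162
"""
```

Running lint on the reverse zone reproduces the out-of-zone warning seen under "Check file syntax", and check_delegation returns an empty second list only while the parent zone still carries the glue A record for subdns.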