07 - DNS Service Hands-on Project - 01

Deploying the DNS master server [forward resolution]

Reference: https://blog.51cto.com/u_15380738/4715365#1DNS_1

Define the zone in the main configuration file
```
[19:20:23 root@vb01 ~]# egrep -v "//|^$" /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on port 53 { 127.0.0.1;192.168.0.0/24; };
        /* Comment out the port-53 bind to specific IPs so named listens on every IP of this host;
           you can also write localhost, meaning all of the DNS host's IP addresses */
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };   /* no restriction on the query source: hosts on any network may query */
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/rndc.key";
```
Define the zone database file

Contents include:
- macro definitions
- resource records

Example: zone database

```
[19:28:00 root@vb01 ~]# egrep -v "//|^$" /etc/named.rfc1912.zones
zone "chengzi.org" IN {
        type master;
        file "chengzi.org.zone";
};
// new zone chengzi.org; its records are configured under /var/named/
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
```
Configure the zone database chengzi.org.zone

```
[19:28:20 root@vb01 ~]# cat /var/named/chengzi.org.zone
$TTL 1D
@       IN SOA  master chengzi.org. (
                                        2022052110      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.11
www             A       192.168.56.12
k8snode1        A       192.168.56.35
k8snode2        A       192.168.56.37
db              A       192.168.56.12
*               A       192.168.56.12
@               A       192.168.56.12
```

Note: whenever you change records in the zone database, remember to update the serial number.
Syntax check

```
# syntax check of the main configuration file
named-checkconf
# syntax check of the zone file
named-checkzone chengzi.org /var/named/chengzi.org.zone
# apply the configuration, any of these three ways
rndc reload
systemctl reload named
service named reload
```
Client test

```
[root@centos8-01 ~]# grep DNS /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.56.11
#DNS1=202.181.202.140
[root@centos8-01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.56.11
[root@centos8-01 ~]# dig +short www.chengzi.org
192.168.56.12
[root@centos8-01 ~]# dig +short k8snode1.chengzi.org
192.168.56.35
[root@centos8-01 ~]# dig +short k8snode2.chengzi.org
192.168.56.37
[root@centos8-01 ~]# dig +short db.chengzi.org
192.168.56.12
[root@centos8-01 ~]# dig +short abcdefg.chengzi.org
192.168.56.12
```
Allowing dynamic updates

- Dynamic update: resource records in the zone database can be changed remotely
- To enable dynamic updates, add to the relevant zone block: `allow-update { any; };`
- Example:

```
chmod 770 /var/named
setsebool -P named_write_master_zones on   # only needed when SELinux is enabled
nsupdate
> server 127.0.0.1
> zone magedu.org
> update add ftp.magedu.org 88888 IN A 8.8.8.8
> send
> update delete www.magedu.org A
> send
# test
dig ftp.magedu.org @127.0.0.1
ls -l /var/named/magedu.org.zone.jnl
cat /var/named/magedu.org.zone
```
Enabling DNS client caching

- In high-concurrency server scenarios, DNS server query performance matters a great deal
- Enabling a DNS cache on the client greatly reduces the load on the DNS server and also speeds up name resolution on the client

Enabling DNS client caching on CentOS

- CentOS does not enable DNS client caching by default; installing the nscd (Name Service Cache Daemon) package adds DNS caching, which reduces the load on the DNS server and speeds up DNS queries

```
yum -y install nscd && systemctl enable --now nscd
# show cache statistics
nscd -g
# clear the DNS client cache
nscd -i hosts
```

Enabling DNS client caching on Ubuntu

- Ubuntu enables DNS client caching by default

```
systemctl status systemd-resolved.service
systemd-resolve --statistics
# flush the cache
systemd-resolve --flush-caches
systemd-resolve --statistics
```
Alias (CNAME) resolution

```
# server-side configuration
[21:46:51 root@vb01 ~]# cat /var/named/chengzi.org.zone
$TTL 1D
@       IN SOA  master chengzi.org. (
                                        2022052121      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.11
www             CNAME   chengzi.glb
chengzi.glb     CNAME   chengzi.gbl.cdn
chengzi.gbl.cdn A       192.168.56.12
k8snode1        A       192.168.56.35
k8snode2        A       192.168.56.37
db              A       192.168.56.12
*               A       192.168.56.12
@               A       192.168.56.12
@               MX 10   mail1
@               MX 20   mail2
mail1           A       192.168.56.11
mail2           A       192.168.56.12
[21:46:44 root@vb01 ~]# rndc reload
WARNING: key file (/etc/rndc.key) exists, but using default configuration file (/etc/rndc.conf)
server reload successful
[21:46:46 root@vb01 ~]# named-checkconf
[21:46:48 root@vb01 ~]# named-checkzone chengzi.org /var/named/chengzi.org.zone
zone chengzi.org/IN: loaded serial 2022052121
OK

# client test
[nameke@centos8-01 ~]$ dig www.chengzi.org|grep chengzi.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.chengzi.org
;www.chengzi.org.               IN      A
www.chengzi.org.        86400   IN      CNAME   chengzi.glb.chengzi.org.
chengzi.glb.chengzi.org. 86400  IN      CNAME   chengzi.gbl.cdn.chengzi.org.
chengzi.gbl.cdn.chengzi.org. 86400 IN   A       192.168.56.12
chengzi.org.            86400   IN      NS      master.chengzi.org.
master.chengzi.org.     86400   IN      A       192.168.56.11
```
Implementing reverse DNS resolution

Reverse resolution configuration notes

- Reverse zone: resolves an IP address back to an FQDN
- Zone name: the network address written in reverse, followed by .in-addr.arpa

Example: 172.16.100. --> 100.16.172.in-addr.arpa.

(2) Define the zone database file

```
zone "ZONE_NAME" IN {
        type {master|slave|forward};
        file "network-address.zone";
};
```

Note: no MX records are needed; PTR records are the main content.

Example:

```
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
@       IN SOA  ns1.magedu.org. admin.magedu.org. (
                2015042201 1H 5M 7D 1D )
        IN NS   ns1.magedu.org.
1.2     IN PTR  www.magedu.org.
3.4     IN PTR  mx1.magedu.org.
# this implements the following resolution
172.16.2.1 www.magedu.org.
172.16.4.3 mx1.magedu.org.
```
Reverse resolution hands-on

- Add the reverse zone to the main configuration file /etc/named.rfc1912.zones

```
[00:51:30 root@vb01 /var/named]# egrep -v "//" /etc/named.rfc1912.zones
// add the reverse zone
zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.56.arpa";
};
zone "chengzi.org" IN {
        type master;
        file "chengzi.org.zone";
};
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
```
- Configure the contents of the reverse zone

```
cd /var/named && cp -p named.loopback 192.168.56.arpa
[00:51:44 root@vb01 /var/named]# cat 192.168.56.arpa
$TTL 1D
@       IN SOA  master admin.chengzi.org. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master.chengzi.org.
11      PTR     master.chengzi.org.
12      PTR     www.chengzi.org.
35      PTR     k8snode1.chengzi.org.
37      PTR     k8snode2.chengzi.org.
```
- Check the syntax of the forward and reverse zone configuration

```
rndc reload
named-checkconf
named-checkzone 56.168.192.in-addr.arpa 192.168.56.arpa
named-checkzone chengzi.org /var/named/chengzi.org.zone
```
- Client test

```
dig -t ptr 37.56.168.192.in-addr.arpa @192.168.56.11|grep chengzi.org
dig -t ptr 35.56.168.192.in-addr.arpa @192.168.56.11|grep chengzi.org
dig -t ptr 12.56.168.192.in-addr.arpa @192.168.56.11|grep chengzi.org
dig -t ptr 11.56.168.192.in-addr.arpa @192.168.56.11|grep chengzi.org
host 192.168.56.12
nslookup 192.168.56.12
```
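Beyond what named-checkzone verifies per file, the forward and reverse zones can be cross-checked against each other: RFC 1912 section 2.1 requires a PTR target to be a canonical name with an A record, not an alias, yet the reverse zone above maps 12 to www.chengzi.org., which the alias section turns into a CNAME chain (www -> chengzi.glb -> chengzi.gbl.cdn). The following is an added example, not code from the post: a minimal zone-file reader (no $INCLUDE, $GENERATE or $ORIGIN handling, an assumption of this example) that follows CNAME chains the way a resolver does and flags such PTR records; the two zone texts are constructed from the records shown above, trimmed to the hosts involved.

```python
import re
# Constructed from the chengzi.org.zone shown in the alias section (wildcard, apex and MX left out).
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  master chengzi.org. (
                2022052121 ; serial
                1D 1H 1W 3H )
        NS      master
master          A       192.168.56.11
www             CNAME   chengzi.glb
chengzi.glb     CNAME   chengzi.gbl.cdn
chengzi.gbl.cdn A       192.168.56.12
"""
# Constructed from the 192.168.56.arpa file shown above.
REVERSE_ZONE = """\
@       IN SOA  master admin.chengzi.org. ( 0 1D 1H 1W 3H )
        NS      master.chengzi.org.
11      PTR     master.chengzi.org.
12      PTR     www.chengzi.org.
"""
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "PTR", "MX", "TXT"}


def fqdn(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to the origin.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)] with every name made absolute."""
    text = re.sub(r";[^\n]*", "", text)                        # drop comments first
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # fold ( ... )
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):           # blank line or $TTL-style directive
            continue
        if not line[0].isspace():                              # the line names a new owner
            owner, line = line.split(None, 1)
            owner = fqdn(owner, origin)
        toks = line.split()
        while toks[0] not in TYPES:                            # skip optional TTL and class
            toks.pop(0)
        rtype, rdata = toks[0], " ".join(toks[1:])
        if rtype in ("NS", "CNAME", "PTR"):                    # rdata is a single domain name
            rdata = fqdn(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def resolve_a(records, name, seen=()):
    """Follow CNAMEs from name to its A records, as a resolver does; raise on a loop."""
    if name in seen:
        raise ValueError("CNAME loop: " + " -> ".join(seen + (name,)))
    addrs = sorted(r for o, t, r in records if o == name and t == "A")
    cnames = [r for o, t, r in records if o == name and t == "CNAME"]
    if addrs or not cnames:
        return addrs
    return resolve_a(records, cnames[0], seen + (name,))


def check_reverse(fwd, rev):
    """PTR targets must be canonical names (RFC 1912 2.1) that resolve back to the address."""
    problems = []
    for owner, _, target in (r for r in rev if r[1] == "PTR"):
        ip = ".".join(reversed(owner.split(".")[:4]))          # 12.56.168.192.in-addr.arpa. -> 192.168.56.12
        if any(o == target and t == "CNAME" for o, t, _ in fwd):
            problems.append(f"{ip}: PTR target {target} is a CNAME, not a canonical name")
        if ip not in resolve_a(fwd, target):
            problems.append(f"{ip}: PTR target {target} does not resolve back to {ip}")
    return problems
```

Run `check_reverse(parse_zone(FORWARD_ZONE, "chengzi.org."), parse_zone(REVERSE_ZONE, "56.168.192.in-addr.arpa."))` to see the single finding for 192.168.56.12; pointing that PTR at chengzi.gbl.cdn.chengzi.org. clears it.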
Deploying a DNS slave server

- With only one master DNS server there is a single point of failure. A backup of the master, the slave server, provides fault tolerance for the DNS service.
- The slave automatically synchronizes data one-way from the master, so like the master it can serve queries to clients, but it does not accept data updates.

Requirements for a DNS slave server

1. It should be a separate name server
2. The master's zone file must contain an NS record pointing to the slave
3. The slave only needs to define the zone and does not need its own zone file; the zone files should be placed in the /var/named/slaves/ directory
4. The master must allow zone transfers to the slave
5. Master and slave clocks should be synchronized, for example via ntp
6. The bind versions should match; otherwise the slave should run the higher version and the master the lower

Defining a slave zone

```
zone "ZONE_NAME" IN {
        type slave;
        masters { MASTER_IP; };
        file "slaves/ZONE_NAME.zone";
};
```
Lab environment requirements

```
# four hosts are needed
DNS master server:   192.168.56.11
DNS slave server 1:  192.168.56.35
DNS slave server 2:  192.168.56.123
Web server:          192.168.56.12
DNS client:          192.168.56.37
# preparation
disable SELinux
disable the firewall (or add the matching firewall rules instead)
synchronize time
```
Configuration on the DNS master node

- Authorize the slave nodes to sync data in the main configuration /etc/named.conf

```
[20:48:50 root@admin-dns ~]# egrep -v "^/" /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };       // commented out
//      listen-on port 53 { 127.0.0.1;192.168.0.0/24; };        // commented out
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-transfer  { 192.168.56.35;192.168.56.123; };      // allow the slave nodes to pull zone data
```

```
[20:48:55 root@admin-dns ~]# egrep -v "^/" /etc/named.rfc1912.zones
zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.56.arpa";
        allow-transfer { 192.168.56.35;192.168.56.123; };
};
zone "chengzi.org" IN {
        type master;
        file "chengzi.org.zone";
        allow-transfer { 192.168.56.35;192.168.56.123; };
};
```
- Add the two slave nodes to the forward zone file

```
[20:50:24 root@admin-dns ~]# cat /var/named/chengzi.org.zone
$TTL 1D
@       IN SOA  master.chengzi.org. admin.chengzi.org. (
                                        052128  ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master.chengzi.org.
        NS      slave1
        NS      slave2
master          A       192.168.56.11
slave1          A       192.168.56.35
slave2          A       192.168.56.123
www             CNAME   chengzi.glb
chengzi.glb     CNAME   chengzi.gbl.cdn
chengzi.gbl.cdn A       192.168.56.12
k8snode1        A       192.168.56.123
k8snode2        A       192.168.56.37
db              A       192.168.56.12
*               A       192.168.56.12
@               A       192.168.56.12
@               MX 10   mail1
@               MX 20   mail2
mail1           A       192.168.56.11
mail2           A       192.168.56.12
```

- Add records to the reverse zone

```
[20:51:50 root@admin-dns ~]# cat /var/named/192.168.56.arpa
$TTL 1D
@       IN SOA  master admin.chengzi.org. (
                                        2       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master.chengzi.org.
        NS      slave1.chengzi.org.
        NS      slave2.chengzi.org.
11      PTR     master.chengzi.org.
35      PTR     slave1.chengzi.org.
123     PTR     slave2.chengzi.org.
12      PTR     www.chengzi.org.
123     PTR     k8snode1.chengzi.org.
37      PTR     k8snode2.chengzi.org.
```
Configuration on the DNS slave nodes

- Configure the main configuration file

```
options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on port 53 { 127.0.0.1;192.168.0.0/24; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-query-cache { any; };
        allow-transfer  { none; };      // no other host may pull zone data from this slave
```

- Define the zones on the slave and the paths of the synced data files

```
zone "chengzi.org" IN {
        type slave;
        masters { 192.168.56.11; };
        file "slaves/chengzi.org.zone";         // data file holding the forward zone synced from the master
};
zone "56.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.56.11; };
        file "slaves/chengzi.org.slave";        // data file holding the reverse zone synced from the master
};
```
- Reload the configuration on the master and slave nodes

```
# master node
rndc reload
named-checkconf
named-checkzone chengzi.org /var/named/chengzi.org.zone
named-checkzone 56.168.192.in-addr.arpa /var/named/192.168.56.arpa
systemctl reload named.service
# slave nodes
rndc reload
named-checkconf
systemctl reload named.service
```

- Client test

```
# forward lookup
dig www.chengzi.org @192.168.56.11|grep chengzi.org
dig www.chengzi.org @192.168.56.35|grep chengzi.org
# reverse lookup
dig -t ptr 123.56.168.192.in-addr.arpa. @192.168.56.11|grep chengzi.org
dig -t ptr 123.56.168.192.in-addr.arpa. @192.168.56.35|grep chengzi.org
```


- Failure test: master down, then master and slave1 down

```
# master node down, test result
[21:12:51 root@admin-dns ~]# systemctl stop named.service
[root@centos8-01 ~]# dig www.chengzi.org|grep SERVER
;; SERVER: 192.168.56.35#53(192.168.56.35)
# master and slave1 both down, test result
[root@centos8-01 ~]# dig www.chengzi.org @192.168.56.123|grep SERVER
;; SERVER: 192.168.56.123#53(192.168.56.123)
```
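A slave fetches the zone only when the master's SOA serial compares as newer under RFC 1982 serial-number arithmetic (32-bit, wrapping), so a serial that goes backwards stops replication even though rndc reload on the master succeeds: the forward zone's serial was 2022052121 in the alias section and is 052128 here, and a slave that already held the older copy would not treat 052128 as newer. Added example, not code from the post, implementing the RFC 1982 comparison and a YYYYMMDDnn bump that can never go backwards:

```python
from datetime import date

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS               # serials live on a ring of 2**32 values
HALF = 1 << (SERIAL_BITS - 1)        # 2**31: the half-ring boundary of RFC 1982


def serial_gt(new, old):
    """RFC 1982 section 3.2: new is newer than old if it lies less than 2**31 ahead on the ring."""
    new, old = new % MOD, old % MOD
    return (new < old and old - new > HALF) or (new > old and new - old < HALF)


def slave_will_transfer(slave_serial, master_serial):
    """A slave refreshes its copy only when the master's serial compares as newer than its own."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today=None):
    """Return a YYYYMMDDnn serial that is strictly newer than `current`.

    Uses today's date when that compares as newer, otherwise current + 1,
    so a slave keeps transferring even if the previous serial was chosen oddly."""
    today = today or date.today()
    dated = int(today.strftime("%Y%m%d")) * 100 + 1
    candidate = dated if serial_gt(dated, current) else (current + 1) % MOD
    assert serial_gt(candidate, current)
    return candidate


if __name__ == "__main__":
    # The two serials this zone actually carried on the page, in the order they appeared.
    print("slave at 2022052121 transfers 052128?", slave_will_transfer(2022052121, 52128))
    print("safe next serial after 052128:", next_serial(52128))
```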

Implementing subdomain delegation and forwarded queries

- Delegating subdomains to other hosts builds a distributed DNS database
- Method for delegating subdomains of a forward zone

```
# define two subdomain zones
shanghai.magedu.org.        IN NS   ns1.ops.magedu.org.
shanghai.magedu.org.        IN NS   ns2.ops.magedu.org.
shenzhen.magedu.org.        IN NS   ns1.shenzhen.magedu.org.
shenzhen.magedu.org.        IN NS   ns2.shenzhen.magedu.org.
ns1.shanghai.magedu.org.    IN A    1.1.1.1
ns2.shanghai.magedu.org.    IN A    1.1.1.2
ns1.shenzhen.magedu.org.    IN A    1.1.1.3
ns2.shenzhen.magedu.org.    IN A    1.1.1.4
```
Implementing DNS parent-domain and child-domain service

Reference: https://www.cnblogs.com/linchenkai/p/14258787.html

```
# five hosts are needed
DNS parent-domain server:   192.168.56.11
DNS child-domain servers:   192.168.56.28, 192.168.56.123
Parent-domain web server:   192.168.56.12, www.chengzi.org
Child-domain web servers:
    192.168.56.28:  www.shanghai.chengzi.org, www.shanghai.magedu.org
    192.168.56.123: www.guangzhou.chengzi.org, www.guangzhou.chengzi.org
DNS client:                 192.168.56.37
```
- dns-master, the parent-domain server

```
[15:17:32 root@admin-dns ~]# egrep -v "^/" /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on port 53 { 127.0.0.1;192.168.0.0/24; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-transfer  { 192.168.56.123;192.168.56.28; };      // allow the child-domain servers to sync zone data
```

```
[15:18:02 root@admin-dns ~]# egrep -v "/" /etc/named.rfc1912.zones
zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};
zone "56.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.56.arpa";
        allow-transfer { 192.168.56.28;192.168.56.123; };
};
zone "chengzi.org" IN {
        type master;
        file "chengzi.org.zone";
        allow-transfer { 192.168.56.28;192.168.56.123; };       // the two child-domain servers, Shanghai and Guangzhou
};
```

```
[15:21:02 root@admin-dns ~]# egrep -v "/" /var/named/chengzi.org.zone
$TTL 1D
@       IN SOA  master.chengzi.org. admin.chengzi.org. (
                                        052139  ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master.chengzi.org.
guangzhou       NS      guangzhoudns
master          A       192.168.56.11
guangzhoudns    A       192.168.56.123
www             CNAME   websvr
websvr          A       192.168.56.12
[15:23:57 root@admin-dns ~]# egrep -v "/" /var/named/magedu.org.zone
$TTL 1D
@       IN SOA  master admin.magedu.org. (
                                        1       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
shanghai        NS      shanghains
master          A       192.168.56.11
shanghains      A       192.168.56.28
websrv          A       192.168.56.12
www             CNAME   websrv
```
- Shanghai child-domain server 192.168.56.28

```
[15:16:56 root@vb06 ~]# egrep -v "^/" /etc/named.conf
options {
        //listen-on port 53 { 127.0.0.1; };
        // listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-transfer  { none; };
        recursion yes;
        dnssec-enable no;       // disable key validation
        dnssec-validation no;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

```
# define the zones served by the child-domain server
[15:25:35 root@vb06 ~]# egrep -v "^/" /etc/named.rfc1912.zones
// shanghai.chengzi.org subdomain configuration
zone "shanghai.chengzi.org" IN {
        type master;
        file "shanghai.chengzi.org.zone";
};
// shanghai.magedu.org subdomain configuration
zone "shanghai.magedu.org" IN {
        type master;
        file "shanghai.magedu.org.zone";
};
```

```
# the 56.28 child-domain server defines the Shanghai and Guangzhou subdomain records
[15:28:12 root@vb06 ~]# cat /var/named/shanghai.magedu.org.zone
$TTL 1D
@       IN SOA  master admin.magedu.org. (
                                        052302  ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.28
websrv          A       192.168.56.12
www             A       192.168.56.35
[15:29:04 root@vb06 ~]# cat /var/named/shanghai.chengzi.org.zone
$TTL 1D
@       IN SOA  master admin.chengzi.org. (
                                        052220  ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.28
k8snode1        A       192.168.56.37
www             A       192.168.56.123
```
- Guangzhou child-domain server 192.168.56.123

```
[15:16:56 root@dns-node2 ~]# egrep -v "^/" /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
//      listen-on port 53 { 127.0.0.1;192.168.0.0/24; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        #allow-query    { localhost; };
        allow-query     { any; };
        allow-query-cache { any; };
        allow-transfer  { none; };      // this child-domain server has no servers beneath it, so forbid others from pulling its zone data
        recursion yes;
        dnssec-enable no;       // disable validation
        dnssec-validation no;
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

```
[15:34:15 root@dns-node2 ~]# egrep -v "^/" /etc/named.rfc1912.zones
// master/slave configuration
zone "chengzi.org" IN {
        type slave;
        masters { 192.168.56.11; };
        file "slaves/chengzi.org.zone";
};
// guangzhou.chengzi.org subdomain configuration
zone "guangzhou.chengzi.org" IN {
        type master;
        file "guangzhou.chengzi.org.zone";
        allow-transfer { none; };
};
// reverse zone configuration
zone "56.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.56.11; };
        file "slaves/chengzi.org.slave";
};
```

```
# Guangzhou subdomain records
[15:36:28 root@dns-node2 ~]# cat /var/named/guangzhou.chengzi.org.zone
$TTL 1D
@       IN SOA  master admin.chengzi.org. (
                                        052230  ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.123
websrv          A       192.168.56.12
www             A       192.168.56.35
```
- Reload and test on the master and the child-domain servers 56.28/56.123

```
# master server
rndc reload
named-checkconf
named-checkzone chengzi.org /var/named/chengzi.org.zone
# Shanghai child-domain server 56.28
rndc reload
named-checkconf
named-checkzone shanghai.magedu.org /var/named/shanghai.magedu.org.zone
named-checkzone shanghai.chengzi.org /var/named/shanghai.chengzi.org.zone
# Guangzhou child-domain server 56.123
rndc reload
named-checkconf
named-checkzone guangzhou.chengzi.org /var/named/guangzhou.chengzi.org.zone
```
- Test from the client 192.168.56.37

```
[root@c8-client01 ~]# dig www.guangzhou.chengzi.org|grep org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.guangzhou.chengzi.org
;www.guangzhou.chengzi.org.     IN      A
www.guangzhou.chengzi.org. 74649 IN     A       192.168.56.35
guangzhou.chengzi.org.  86400   IN      NS      guangzhoudns.chengzi.org.
guangzhoudns.chengzi.org. 86400 IN      A       192.168.56.123
[root@c8-client01 ~]# dig www.guangzhou.magedu.org|grep org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.guangzhou.magedu.org
;www.guangzhou.magedu.org.      IN      A
magedu.org.             10800   IN      SOA     master.magedu.org. admin.magedu.org. 1 86400 3600 604800 10800
[root@c8-client01 ~]# dig www.shanghai.magedu.org|grep org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.shanghai.magedu.org
;www.shanghai.magedu.org.       IN      A
www.shanghai.magedu.org. 325    IN      A       47.91.170.222
magedu.org.             40380   IN      NS      expirens4.hichina.com.
magedu.org.             40380   IN      NS      expirens3.hichina.com.
[root@c8-client01 ~]# dig www.shanghai.chengzi.org|grep org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.shanghai.chengzi.org
;www.shanghai.chengzi.org.      IN      A
chengzi.org.            10800   IN      SOA     master.chengzi.org. admin.chengzi.org. 52138 86400 3600 604800 10800
[root@c8-client01 ~]# dig www.chengzi.org|grep org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> www.chengzi.org
;www.chengzi.org.               IN      A
www.chengzi.org.        86400   IN      CNAME   websvr.chengzi.org.
websvr.chengzi.org.     86400   IN      A       192.168.56.12
chengzi.org.            86400   IN      NS      master.chengzi.org.
master.chengzi.org.     86400   IN      A       192.168.56.11
```
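The client results above follow directly from what the parent zone delegates: chengzi.org.zone in the dns-master section carries only `guangzhou NS guangzhoudns` (with glue A 192.168.56.123), so a query for www.guangzhou.chengzi.org is referred to the Guangzhou server and answered, while shanghai.chengzi.org has no NS record in the parent, so the parent answers from its own data with NXDOMAIN and its SOA in the authority section even though the Shanghai server hosts that zone. Added example, not code from the post, with the parent records transcribed from that zone file: how an authoritative server locates the zone cut for a query name and decides between referral, answer and NXDOMAIN (the recursive step that then follows the referral is left out).

```python
# Records of the parent zone chengzi.org as shown on the page: (owner, type, rdata), all names absolute.
PARENT_ORIGIN = "chengzi.org."
PARENT_ZONE = [
    ("chengzi.org.",              "SOA",   "master.chengzi.org. admin.chengzi.org. 052139 1D 1H 1W 3H"),
    ("chengzi.org.",              "NS",    "master.chengzi.org."),
    ("guangzhou.chengzi.org.",    "NS",    "guangzhoudns.chengzi.org."),   # the only delegation in the zone
    ("master.chengzi.org.",       "A",     "192.168.56.11"),
    ("guangzhoudns.chengzi.org.", "A",     "192.168.56.123"),              # glue for the child's name server
    ("www.chengzi.org.",          "CNAME", "websvr.chengzi.org."),
    ("websvr.chengzi.org.",       "A",     "192.168.56.12"),
]


def is_subdomain(name, zone):
    return name == zone or name.endswith("." + zone)


def find_zone_cut(records, origin, qname):
    """Return the closest delegation point at or above qname (below the apex), or None.

    Walks from qname up towards the apex; the first name that owns NS records and is not
    the apex itself is a zone cut, and the query must be referred there rather than answered."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate == origin:
            return None                                    # reached the apex: no delegation above qname
        if not is_subdomain(candidate, origin):
            raise ValueError(f"{qname} is not inside {origin}")
        if any(o == candidate and t == "NS" for o, t, _ in records):
            return candidate
    return None


def answer(records, origin, qname):
    """What the authoritative server for origin does with qname: referral, answer or NXDOMAIN."""
    cut = find_zone_cut(records, origin, qname)
    if cut:
        ns = [r for o, t, r in records if o == cut and t == "NS"]
        glue = {n: [r for o, t, r in records if o == n and t == "A"] for n in ns}
        return {"rcode": "REFERRAL", "zone": cut, "ns": ns, "glue": glue}
    rrs = [(t, r) for o, t, r in records if o == qname]    # records owned by the name itself
    if rrs:
        return {"rcode": "NOERROR", "answer": rrs}
    soa = next(r for o, t, r in records if o == origin and t == "SOA")
    return {"rcode": "NXDOMAIN", "authority": soa}         # negative answer carries the zone's SOA


if __name__ == "__main__":
    for name in ("www.guangzhou.chengzi.org.", "www.shanghai.chengzi.org.", "www.chengzi.org."):
        print(name, "->", answer(PARENT_ZONE, PARENT_ORIGIN, name))
```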
DNS forwarding (caching) server

DNS forwarding

- With DNS forwarding, users' DNS requests are sent to a designated DNS server instead of the default root servers, and the results returned by that server are cached, which improves efficiency
- Note:
  - 1. The server being forwarded to must be able to recurse on behalf of the requester, otherwise the forwarded request is not performed
  - 2. Disable DNSSEC in the global options block of /etc/named.conf

```
dnssec-enable no;
dnssec-validation no;
```
Forwarding modes

Global forwarding

- Requests for zones this server is not responsible for are all forwarded to the designated server
- Implemented in the global options block:

```
options {
        forward first|only;
        forwarders { ip; };
};
```

Zone-specific forwarding

- Forwards only the requests for a specific zone; takes priority over global forwarding

```
zone "ZONE_NAME" IN {
        type forward;
        forward first|only;
        forwarders { ip; };
};
```

- first: forward to the designated DNS server first; if it cannot resolve the query, this server then queries the root servers itself
- only: forward to the designated DNS server first; if it cannot resolve the query, this server does not go on to query the root servers
Hands-on case: implementing a DNS forward (caching) server

Environment requirements

```
# four hosts are needed
DNS master server:          192.168.56.11
DNS caching-only server:    192.168.56.28
Web server:                 192.168.56.12
DNS client:                 192.168.56.37
```

- Master DNS server 192.168.56.11

```
# 1. install DNS
yum install bind -y
vim /etc/named.conf
# 2. comment out two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query     { localhost; };
vim /etc/named.rfc1912.zones
# add the following block
zone "chengzi.org" {
        type master;
        file "chengzi.org.zone";
};
# 3. set up the records
cp -p /var/named/named.localhost /var/named/chengzi.org.zone   # without -p, fix the group: chgrp named chengzi.org.zone
vim /var/named/chengzi.org.zone
$TTL 1D
@       IN SOA  master admin.chengzi.org. (
                                        20220523 ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
master          A       192.168.56.11
websrv          A       192.168.56.12
www             CNAME   websrv
# 4. reload the service
systemctl start named   # first start of the service
rndc reload             # not the first start
```

- Forwarding (caching-only) DNS server 192.168.56.28

```
# 1. install DNS
yum install bind -y
vim /etc/named.conf
# 2. comment out two lines and add the forwarder
// listen-on port 53 { 127.0.0.1; };
// allow-query     { localhost; };
forward first;
forwarders { 192.168.56.11; };
# 3. disable DNSSEC
dnssec-enable no;
dnssec-validation no;
systemctl start named   # first start of the service
rndc reload             # not the first start
```

- Test from the client 192.168.56.37

```
dig www.chengzi.org
curl www.chengzi.org
```



