BIND, named, DNS
named: named.named
resolving:
数据文件
IP-->FQDN
ZONE NAME --> NS, MX
查询:stub resolver
递归
缓存功能:
DNS RT
$TTL 宏
$ORIGIN mageedu.com.
$GENERATE
NAME [TTL] IN RT VALUE
SOA:
@ IN SOA MASTER_NS_SERVER_FQDN ADMIN_MAILBOX (
)
NS:
@ IN NS NS_SERVER_FQDN
MX:
@ IN MX pri MX_SERVER_FQDN
A
AAAA
PTR
CNAME
Alias IN CNAME FQDN
named: /usr/sbin/named
SOCKET IP:PORT
tcp
udp
被打开
/etc/named.conf
/etc/rc.d/init.d/functions
/etc/rc.d/init.d/named /etc/sysconfig/named
service named start
bind
named, named
bind97
dig:
aa: Authority Answer
泛域解析:输入错误的域名解析到一个特定的IP地址;
*.mageedu.com. IN A
axfr: 完全区域传送
ixfr:增量区域传送
区域:
主、从
rndc:DNS远程控制工具;
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com区域数据文件mageedu.com.zone)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101
2H
10M
7D
2D )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.1
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
*.mageedu.com. IN A 172.16.100.3(*.mageedu.com.的A记录泛域解析为172.16.100.3)
定义给哪些客户端递归:
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
recursion yes;(允许递归,给所有客户端都递归,默认也是开启)
allow-recursion { 172.16.0.0/16; };(只允许给172.16.0.0/16网段的客户端递归)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
再试之前先去掉全局选项中定义的allow-recursion(允许给哪些主机递归);
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
[root@Smoke named]# man dig(查看dig命令的man帮助文档)
+[no]tcp(+表示以某种方式工作,+[no]表示不以某种方式工作)
+[no]recurse(+recurse表示递归,+norecurse表示不递归)
[root@Smoke named]# dig +recurse -t A www.sohu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.sohu.com的A记录,+recurse表示递归)
[root@Smoke named]# dig -t A www.sohu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.sohu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.sohu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34050
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sohu.com. IN A
;; Query time: 4983 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:30:45 2014
;; MSG SIZE rcvd: 30
[root@Smoke named]# ping www.googole.com.hk(测试www.googole.com.hk连通性)
PING www.googole.com.hk (185.53.178.8) 56(84) bytes of data.
64 bytes from 185.53.178.8: icmp_seq=1 ttl=128 time=5296 ms
64 bytes from 185.53.178.8: icmp_seq=2 ttl=128 time=5323 ms
64 bytes from 185.53.178.8: icmp_seq=3 ttl=128 time=5659 ms
64 bytes from 185.53.178.8: icmp_seq=4 ttl=128 time=5580 ms
64 bytes from 185.53.178.8: icmp_seq=5 ttl=128 time=5427 ms
64 bytes from 185.53.178.8: icmp_seq=6 ttl=128 time=5359 ms
--- www.googole.com.hk ping statistics ---
7 packets transmitted, 6 received, 14% packet loss, time 10401ms
rtt min/avg/max/mdev = 5296.800/5441.128/5659.488/134.635 ms, pipe 6
[root@Smoke named]# dig -t A www.sohu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.sohu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.sohu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15915
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sohu.com. IN A
;; ANSWER SECTION:
www.sohu.com. 1635 IN CNAME gs.a.sohu.com.
gs.a.sohu.com. 300 IN CNAME fxa.a.sohu.com.
fxa.a.sohu.com. 300 IN A 117.34.8.50
;; AUTHORITY SECTION:
a.sohu.com. 3600 IN NS z.a.sohu.com.
a.sohu.com. 3600 IN NS y.a.sohu.com.
a.sohu.com. 3600 IN NS x.a.sohu.com.
a.sohu.com. 3600 IN NS s.a.sohu.com.
a.sohu.com. 3600 IN NS w.a.sohu.com.
a.sohu.com. 3600 IN NS k.a.sohu.com.
a.sohu.com. 3600 IN NS v.a.sohu.com.
;; Query time: 4071 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:33:04 2014
;; MSG SIZE rcvd: 195
提示:有解析结果,这个结果就是递归的;
[root@Smoke named]# dig +recurse -t A www.sohu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.sohu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.sohu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60816
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sohu.com. IN A
;; ANSWER SECTION:
www.sohu.com. 1539 IN CNAME gs.a.sohu.com.
gs.a.sohu.com. 204 IN CNAME fxa.a.sohu.com.
fxa.a.sohu.com. 208 IN A 117.34.8.50
;; AUTHORITY SECTION:
a.sohu.com. 3508 IN NS w.a.sohu.com.
a.sohu.com. 3508 IN NS y.a.sohu.com.
a.sohu.com. 3508 IN NS z.a.sohu.com.
a.sohu.com. 3508 IN NS x.a.sohu.com.
a.sohu.com. 3508 IN NS v.a.sohu.com.
a.sohu.com. 3508 IN NS s.a.sohu.com.
a.sohu.com. 3508 IN NS k.a.sohu.com.
;; Query time: 11 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:34:36 2014
;; MSG SIZE rcvd: 195
[root@Smoke named]# dig +norecurse -t A www.sohu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.sohu.com的A记录,+norecurse不允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +norecurse -t A www.sohu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59342
;; flags: qr ra; QUERY: 1, ANSWER: 3, AUTHORITY: 7, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sohu.com. IN A
;; ANSWER SECTION:
www.sohu.com. 1460 IN CNAME gs.a.sohu.com.
gs.a.sohu.com. 125 IN CNAME fxa.a.sohu.com.
fxa.a.sohu.com. 129 IN A 117.34.8.50
;; AUTHORITY SECTION:
a.sohu.com. 3429 IN NS y.a.sohu.com.
a.sohu.com. 3429 IN NS x.a.sohu.com.
a.sohu.com. 3429 IN NS k.a.sohu.com.
a.sohu.com. 3429 IN NS v.a.sohu.com.
a.sohu.com. 3429 IN NS z.a.sohu.com.
a.sohu.com. 3429 IN NS s.a.sohu.com.
a.sohu.com. 3429 IN NS w.a.sohu.com.
;; Query time: 3 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:35:55 2014
;; MSG SIZE rcvd: 195
提示:这里有结果是因为有缓存了;
[root@Smoke named]# dig +norecurse -t A www.baidu.com @172.16.100.1(通过172.16.100.1的DNS服务器查找www.baidu.com的A记录,+norecurse不允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +norecurse -t A www.baidu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48814
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; AUTHORITY SECTION:
com. 171900 IN NS f.gtld-servers.net.
com. 171900 IN NS h.gtld-servers.net.
com. 171900 IN NS m.gtld-servers.net.
com. 171900 IN NS k.gtld-servers.net.
com. 171900 IN NS c.gtld-servers.net.
com. 171900 IN NS b.gtld-servers.net.
com. 171900 IN NS d.gtld-servers.net.
com. 171900 IN NS g.gtld-servers.net.
com. 171900 IN NS l.gtld-servers.net.
com. 171900 IN NS a.gtld-servers.net.
com. 171900 IN NS e.gtld-servers.net.
com. 171900 IN NS i.gtld-servers.net.
com. 171900 IN NS j.gtld-servers.net.
;; Query time: 1 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:37:19 2014
;; MSG SIZE rcvd: 255
提示:不递归时,对方不会替你查询,只返回它所知道的引用(referral):根告诉你属于.com,你自己再去找.com的服务器,所以要自己从.com服务器列表中找一个出来继续查;
[root@Smoke named]# dig +norecurse -t A www.baidu.com @a.gtld-servers.net(通过a.gtld-servers.net的DNS服务器查找www.baidu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +norecurse -t A www.baidu.com @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2711
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.baidu.com. IN A
;; AUTHORITY SECTION:
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; ADDITIONAL SECTION:
dns.baidu.com. 172800 IN A 202.108.22.220
ns2.baidu.com. 172800 IN A 61.135.165.235
ns3.baidu.com. 172800 IN A 220.181.37.10
ns4.baidu.com. 172800 IN A 220.181.38.10
ns7.baidu.com. 172800 IN A 119.75.219.82
;; Query time: 1265 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Sun Dec 14 22:40:39 2014
;; MSG SIZE rcvd: 201
提示:现在得到的是baidu.com.,还不是www.baidu.com.,还没有最终结果,com.最终返回的是baidu的DNS服务器的A记录;
[root@Smoke named]# dig +norecurse -t A www.baidu.com @dns.baidu.com(通过dns.baidu.com的DNS服务器查找www.baidu.com的A记录,+norecurse不允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +norecurse -t A www.baidu.com @dns.baidu.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17268
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 5
;; QUESTION SECTION:
;www.baidu.com. IN A(www.baidu.com.的A记录)
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.(www.baidu.com.是www.a.shifen.com.的别名,这是使用了CDN的结果)
;; AUTHORITY SECTION:
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
;; ADDITIONAL SECTION:
ns1.a.shifen.com. 1200 IN A 61.135.165.224
ns2.a.shifen.com. 1200 IN A 180.149.133.241
ns3.a.shifen.com. 1200 IN A 61.135.162.215
ns4.a.shifen.com. 1200 IN A 115.239.210.176
ns5.a.shifen.com. 1200 IN A 119.75.222.17
;; Query time: 58 msec
;; SERVER: 220.181.37.10#53(220.181.37.10)
;; WHEN: Sun Dec 14 22:49:01 2014
;; MSG SIZE rcvd: 228
[root@Smoke named]# man dig(查看dig命令的man帮助文档)
+[no]trace(追踪,能够跟踪整个DNS的解析过程)
[root@Smoke named]# dig +trace -t A www.baidu.com @172.16.100.1(通过DNS服务器172.16.100.1查找www.baidu.com的A记录,+trace追踪整个解析过程)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +trace -t A www.baidu.com @172.16.100.1
;; global options: +cmd
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
;; Received 228 bytes from 172.16.100.1#53(172.16.100.1) in 5 ms
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
;; Received 503 bytes from 192.58.128.30#53(J.ROOT-SERVERS.NET) in 90 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.31.80.30#53(d.gtld-servers.net) in 506 ms
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Received 228 bytes from 220.181.38.10#53(ns4.baidu.com) in 53 ms
提示:第一次先提交给根,根返回的是com.,.com返回的是baidu.com.,baidu.com.返回的是www.baidu.com.,DNS解析就经过这几个过程;dig +trace是由dig自己逐级迭代查询,模拟的正是递归服务器替客户端完成的整个过程;
[root@Smoke named]# dig +recurse -t A www.baidu.com @172.16.100.1(通过DNS服务器172.16.100.1查找www.baidu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.baidu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34537
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1143 IN CNAME www.a.shifen.com.
www.a.shifen.com. 269 IN A 180.97.33.107
www.a.shifen.com. 269 IN A 180.97.33.108
;; AUTHORITY SECTION:
a.shifen.com. 1169 IN NS ns2.a.shifen.com.
a.shifen.com. 1169 IN NS ns3.a.shifen.com.
a.shifen.com. 1169 IN NS ns5.a.shifen.com.
a.shifen.com. 1169 IN NS ns4.a.shifen.com.
a.shifen.com. 1169 IN NS ns1.a.shifen.com.
;; Query time: 5 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 22:59:54 2014
;; MSG SIZE rcvd: 180
提示:我们的服务器是完全给我们做递归查询的,我们可以得到答案的,如果拒绝递归,只能到我们这查询我们负责的区域了,其他的都不给;
[root@Smoke named]# vim /etc/named.conf(编辑named服务器主配置文件)
options {
directory "/var/named";
recursion no;(拒绝给所有客户端递归)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# dig +recurse -t A www.baidu.com @172.16.100.1(通过DNS服务器172.16.100.1查找www.baidu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.baidu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 22176
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 3 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 23:12:27 2014
;; MSG SIZE rcvd: 31
提示:没有结果,不给你任何答案;
[root@Smoke named]# dig +recurse -t A www.mageedu.com @172.16.100.1(通过DNS服务器172.16.100.1查找www.mageedu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8907
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.3
;; AUTHORITY SECTION:
mageedu.com. 600 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 600 IN A 172.16.100.1
;; Query time: 3 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Dec 14 23:13:26 2014
;; MSG SIZE rcvd: 99
提示:解析DNS服务器172.16.100.1自己负责的区域(mageedu.com)是权威应答,事实上不属于递归的概念,所以即使拒绝递归也能得到结果;但一台不给客户端递归的服务器无法为客户端解析其他域名,把它设置为客户端的DNS服务器也就没有意义了;
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };(只允许给172.16.100.0/16网段的客户端递归)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
[root@Smoke named]# service named reload(重新加载named服务器的配置文件)
Reloading named: [ OK ]
[root@Smoke ~]# dig +recurse -t A www.baidu.com @172.16.100.1(通过DNS服务器172.16.100.1查找www.baidu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.baidu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38209
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 180.97.33.108
www.a.shifen.com. 300 IN A 180.97.33.107
;; AUTHORITY SECTION:
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
;; Query time: 680 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Mon Dec 15 00:11:15 2014
;; MSG SIZE rcvd: 180
[root@Smoke ~]# dig +recurse -t A www.baidu.com @127.0.0.1(通过DNS服务器127.0.0.1查找www.baidu.com的A记录,+recurse允许递归)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +recurse -t A www.baidu.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 18279
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.baidu.com. IN A
;; Query time: 5 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 15 00:12:53 2014
;; MSG SIZE rcvd: 31
提示:127.0.0.1还是本机地址,127.0.0.1不给递归,因为只给172.16.0.0/16网段递归;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
提示:named主配置文件只允许给172.16.0.0/16网段递归(配置中写的是172.16.100.0/16,主机位不为零,应写成172.16.0.0/16),连本机都递归不了;本机应当不受限制,可以把127.0.0.0/8网段也一并放行;
一旦定义好DNS服务器,一般来讲是要允许很多客户端主机向我们发出查询请求的;但如果某台主机恶意地向我们发起查询请求,我们并不想让它查询,这就需要限制允许查询的客户端;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
allow-query(只允许谁来查询;完整写法需要地址列表和结尾的分号,例如 allow-query { any; }; 或指定网段)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
};
[root@Smoke ~]# man dig(查看dig命令的man帮助文档)
The -t option sets the query type to type. It can be any valid query type which is supported in BIND 9. The default query type is "A", unless the -x option is supplied to indicate a reverse lookup. A zone transfer can be requested by specifying a type of AXFR.(-x可以反向查询,AXFR完全区域传输) When an incremental zone transfer (IXFR) is required, type is set to ixfr=N.(IXFR增量区域传送) The incremental zone transfer will contain the changes made to the zone since the serial number in the zone's SOA record was N.
[root@Smoke ~]# dig -t axfr mageedu.com(-t axfr完全区域传送mageedu.com区域)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t axfr mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040101 3600 300 172800 21600
mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 172.16.100.3
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 172.16.100.2
ns1.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040101 3600 300 172800 21600
;; Query time: 2 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Mon Dec 15 00:28:57 2014
;; XFR size: 11 records (messages 1, bytes 266)
[root@Smoke ~]# export LANG=en(更改语言编码变量为en)
[root@Smoke ~]# man dig(查看dig命令的man帮助文档)
[root@Smoke ~]# cd /var/named/(切换到/var/named目录)
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com区域数据文件mageedu.com.zone)
$TTL 86400
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102(每次更改一次版本号加1)
2H
10M
7D
2D )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.1
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
pop IN A 172.16.100.4(pop.mageedu.com.的A记录为172.16.100.4)
*.mageedu.com. IN A 172.16.100.3
[root@Smoke named]# service named reload(重新加载named服务主配置文件)
Reloading named: [ OK ]
[root@Smoke named]# dig -t IXFR=2013040101 mageedu.com(增量传送mageedu.com区域,-t IXFR=2013040101版本以后发生的所有改变内容)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t IXFR=2013040101 mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 172.16.100.3
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 172.16.100.2
ns1.mageedu.com. 600 IN A 172.16.100.1
pop.mageedu.com. 600 IN A 172.16.100.4
www.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
;; Query time: 6 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Mon Dec 15 00:45:34 2014
;; XFR size: 12 records (messages 1, bytes 286)
[root@Smoke named]# dig -t IXFR=2013040102 mageedu.com(增量传送mageedu.com区域,-t IXFR=2013040102版本以后发送的所有改变的内容)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t IXFR=2013040102 mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
;; Query time: 4 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Mon Dec 15 00:46:55 2014
;; XFR size: 1 records (messages 1, bytes 75)(产生一条新记录)
dig -t AXFR(完全区域传送)或 IXFR(增量区域传送)可以获得对方区域的所有内容,通过传送过来的内容可以推断对方的网络结构,所以这是很不安全的;区域传送不能让任何人都来做,只允许从服务器传送,其它任何主机都不能允许;
[root@Smoke named]# vim /etc/named.conf(编辑named主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
# allow-transfer(允许谁来发送区域传送,如果写到全局选项对每个区域都生效)
};
zone "." IN {
type hint;
file "named.ca";
allow-transfer { none; };(根区域也不允许任何人发送区域传送)
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };(对于localhost区域不可能作为任何从服务器,所以不允许任何主机发送区域传送)
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };(对于0.0.127.in-addr.arpa区域不可能作为任何从服务器,所以不允许任何主机发送区域传送)
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };(mageedu.com区域只允许172.16.100.2发起区域传送)
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };(100.16.172.in-addr.arpa区域允许172.16.100.2发送区域传送)
};
假设等会建立从服务器172.16.100.2;
[root@Smoke named]# service named reload(重新加载named服务主配置文件)
Reloading named: [ OK ]
[root@Smoke named]# dig -t axfr mageedu.com(-t axfr完全区域传送mageedu.com区域)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t axfr mageedu.com
;; global options: +cmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 172.16.100.3
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 172.16.100.2
ns1.mageedu.com. 600 IN A 172.16.100.1
pop.mageedu.com. 600 IN A 172.16.100.4
www.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
;; Query time: 1 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Mon Dec 15 01:03:48 2014
;; XFR size: 12 records (messages 1, bytes 286)
提示:本机不是172.16.100.2,并不是被允许区域传送的客户端,但传送仍然成功,说明reload之后新配置没有生效(下面restart时可以看到原因:hint类型的根区域不允许allow-transfer选项);
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named:
Error in named configuration:
/etc/named.conf:9: option 'allow-transfer' is not allowed in 'hint' zone '.'
[FAILED]
提示:根区域是hint类型,不允许也没必要定义allow-transfer;
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# dig -t axfr mageedu.com(-t axfr完全传送mageedu.com区域)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t axfr mageedu.com
;; global options: +cmd
; Transfer failed.
提示:此时连本机都无法传送,说明allow-transfer的限制已经生效;
新增一台主机更改IP地址为172.16.100.2/24,DNS指向自己,搜索域名改为mageedu.com;
[root@Smoke ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0(编辑eth0配置文件)
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:8C:BF:0A
ONBOOT=yes
IPADDR=172.16.100.2
NETMASK=255.255.255.0
[root@Smoke ~]# vim /etc/resolv.conf(编辑DNS指向文件)
search mageedu.com(搜索域名)
nameserver 172.16.100.2
[root@Smoke ~]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1:
Determining IP information for eth1... done.
[ OK ]
[root@Smoke ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.2 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:35132 errors:0 dropped:0 overruns:0 frame:0
TX packets:11469 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5436619 (5.1 MiB) TX bytes:6815156 (6.4 MiB)
Interrupt:67 Base address:0x2000
[root@Smoke ~]# dig -t axfr mageedu.com @172.16.100.1(-t axfr完全区域传送mageedu.com区域)
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> -t axfr mageedu.com @172.16.100.1
;; global options: printcmd
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN NS ns1.mageedu.com.
mageedu.com. 600 IN MX 10 mail.mageedu.com.
*.mageedu.com. 600 IN A 172.16.100.3
ftp.mageedu.com. 600 IN CNAME www.mageedu.com.
mail.mageedu.com. 600 IN A 172.16.100.2
ns1.mageedu.com. 600 IN A 172.16.100.1
pop.mageedu.com. 600 IN A 172.16.100.4
www.mageedu.com. 600 IN A 172.16.100.1
www.mageedu.com. 600 IN A 172.16.100.3
mageedu.com. 600 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040102 3600 300 172800 21600
;; Query time: 2 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Tue Nov 11 16:23:42 2014
;; XFR size: 12 records (messages 1)
提示:172.16.100.2主机在allow-transfer列表中,所以被允许进行区域传送;
配置DNS从服务器:
[root@localhost ~]# rpm -e bind-libs bind-utils(卸载bind-libs库文件和bind-utils客户端工具软件)
[root@localhost ~]# cd /etc/yum.repos.d/(切换到/etc/yum.repos.d目录)
[root@localhost yum.repos.d]# ls(查看当前目录文件及子目录)
rhel-debuginfo.repo
[root@localhost yum.repos.d]# scp 172.16.100.1:/etc/yum.repos.d/smoke.repo ./(通过scp远程复制172.16.100.1主机/etc/yum.repos.d/smoke.repo文件到当前目录)
The authenticity of host '172.16.100.1 (172.16.100.1)' can't be established.
RSA key fingerprint is ea:32:fd:b5:e6:d2:75:e2:c2:c2:8c:63:d4:82:4c:48.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.1' (RSA) to the list of known hosts.
root@172.16.100.1's password:
smoke.repo 100% 279
0.3KB/s 00:00
提示:复制yum源配置文件;
[root@localhost yum.repos.d]# ls(查看当前目录文件及子目录)
rhel-debuginfo.repo smoke.repo
[root@localhost yum.repos.d]# cd(切换到root用户家目录)
[root@localhost ~]# yum -y install bind97 bind97-utils(安装bind97主软件包和工具包)
[root@localhost ~]# ls /var/named/(查看named服务区域数据文件目录)
data dynamic named.ca named.empty named.localhost named.loopback slaves
提示:/var/named目录下的文件跟主服务器上的内容一模一样,无论主从服务器,它们在/var/named目录下都有slaves目录;
切换到主DNS服务器:
[root@Smoke named]# ls(查看当前目录文件及子目录)
172.16.100.zone data dynamic mageedu.com.zone named.ca named.empty named.localhost named.loopback slaves
提示:主服务器/var/named目录也存在slaves目录;
[root@Smoke named]# ll(查看当前目录文件及子目录详细信息)
total 72
-rw-r----- 1 root named 236 Dec 14 21:13 172.16.100.zone
drwxrwx--- 2 named named 4096 Nov 17 2011 data
drwxrwx--- 2 named named 4096 Nov 17 2011 dynamic
-rw-r----- 1 root named 340 Dec 15 00:37 mageedu.com.zone
-rw-r----- 1 root named 1892 Feb 18 2008 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 17 2011 slaves
提示:slaves目录特性属主属组都是named,属组也有写权限;
[root@Smoke named]# ll -d .(查看当前目录本身详细信息)
drwxr-x--- 5 root named 4096 Dec 15 01:10 .
提示:对/var/named目录而言,属组是named,属组没有写权限,如果让从服务从主服务同步文件过来的时候直接保存到/var/named目录是不能保存进来;
切换到从DNS服务器:
[root@localhost ~]# ls -ld /var/named/(查看/var/named目录本身详细信息)
drwxr-x--- 5 root named 4096 03-06 07:26 /var/named/
提示:查看从服务器/var/named目录,区域文件不是自己手动建立的,而是从主服务器同步过来的,同步以named进程同步,named进程属主是named用户,属组是named组,
因此访问/var/named目录是以named用户,named组身份访问,/var/named目录named用户和named组没有写权限,同步放进/var/named目录是不能建立起来的,因此直
接放到/var/named目录是不可以的;
[root@localhost ~]# ls -l /var/named/(查看当前目录文件及子目录详细信息)
总计 56
drwxrwx--- 2 named named 4096 2011-11-17 data
drwxrwx--- 2 named named 4096 2011-11-17 dynamic
-rw-r----- 1 root named 1892 2008-02-18 named.ca
-rw-r----- 1 root named 152 2009-12-15 named.empty
-rw-r----- 1 root named 152 2007-06-21 named.localhost
-rw-r----- 1 root named 168 2009-12-15 named.loopback
drwxrwx--- 2 named named 4096 2011-11-17 slaves
提示:它们专门给我们准备了slaves目录,用来在同步文件过来的时候放到/var/named/slaves目录下;因此有两种方案,要么把/var/named目录改为属组有写权限,要么把同步过来的文件放在/var/named/slaves目录;
[root@localhost ~]# setenforce 0(将SELinux临时切换为permissive模式,重启后失效;这一步是为了排除SELinux对写入/var/named/slaves的干扰)
[root@localhost ~]# mv /etc/named.conf /etc/named.conf.orig(更改named.conf文件名字为named.conf.orig)
提示:备份原来的named服务主配置文件;
[root@localhost ~]# scp 172.16.100.1:/etc/named.conf /etc/(通过scp远程复制172.16.100.1主机/etc/named.conf文件到当前主机/etc目录)
root@172.16.100.1's password:
named.conf 100% 536
0.5KB/s 00:00
提示:从服务器的named主配置文件named.conf和主服务器named主配置文件named.conf类似,将主服务器的named.conf复制到从服务器/etc/目录;
[root@localhost ~]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type slave;(区域类型,从服务器)
file "slaves/mageedu.com.zone";(区域数据文件/var/named/slaves/mageedu.com.zone)
masters { 172.16.100.1; };(指定主服务器)
allow-transfer { none; };(不允许任何主机区域传送)
};
zone "100.16.172.in-addr.arpa" IN {
type slave;(区域类型,从服务器)
file "slaves/172.16.100.zone";(区域数据文件/var/named/slaves/172.16.100.zone)
masters { 172.16.100.1; };(指定主服务器)
allow-transfer { none; };(不允许任何主机区域传送)
};
提示:可以做两台服务器DNS1和DNS2,正向区域DNS1为主,反向区域DNS1为从,正向区域DNS2为从,反向区域DNS2为主,互为主从;
[root@localhost ~]# named-checkconf(检查named主配置文件语法)
[root@localhost ~]# service named start(启动named服务)
Starting named: [FAILED]
提示:启动失败;
[root@localhost ~]# tail /var/log/messages(查看/var/log/messages文件后10行日志信息)
Mar 6 08:16:34 localhost rhsmd: This system is missing one or more valid entitlement certificates. Please run subscription-manager
for more information.
Mar 6 08:17:25 localhost named[16526]: starting BIND 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 -u named
Mar 6 08:17:25 localhost named[16526]: built with '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i386-redhat
-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--
datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/usr/com' '--mandir=
/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--
disable-static' '--disable-openssl-version-check' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE' 'CXXFLAGS=-O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i386 -mtune=generic -fasync
hronous-unwind-tables' 'FFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstac
Mar 6 08:17:25 localhost named[16526]: adjusted limit on open files from 1024 to 1048576
Mar 6 08:17:25 localhost named[16526]: found 1 CPU, using 1 worker thread
Mar 6 08:17:25 localhost named[16526]: using up to 4096 sockets
Mar 6 08:17:25 localhost named[16526]: loading configuration from '/etc/named.conf'
Mar 6 08:17:25 localhost named[16526]: none:0: open: /etc/named.conf: permission denied
Mar 6 08:17:25 localhost named[16526]: loading configuration: permission denied
Mar 6 08:17:25 localhost named[16526]: exiting (due to fatal error)
提示:/etc/named.conf: permission denied(没有权限);
[root@localhost ~]# ll /etc/named.conf(查看named服务主配置文件)
-rw-r----- 1 root root 588 Mar 6 07:59 /etc/named.conf
提示:/etc/named.conf属于root组,而且其他用户没有任何读权限,所以named用户读不到;
[root@localhost ~]# chgrp named /etc/named.conf(更改named.conf文件属组为named)
[root@localhost ~]# ll /etc/named.conf(查看named.conf文件详细信息)
-rw-r----- 1 root named 588 Mar 6 07:59 /etc/named.conf
[root@localhost ~]# service named start(启动named服务)
Starting named: [ OK ]
提示:启动成功;
切换到主服务器查看服务器日志:
[root@Smoke ~]# tail /var/log/messages(查看messages日志文件后10行)
Dec 15 05:13:58 Smoke named[4484]: the working directory is not writable
Dec 15 05:13:58 Smoke named[4484]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Dec 15 05:13:58 Smoke named[4484]: zone 100.16.172.in-addr.arpa/IN: loaded serial 2013040101
Dec 15 05:13:58 Smoke named[4484]: zone mageedu.com/IN: loaded serial 2013040102
Dec 15 05:13:58 Smoke named[4484]: zone localhost/IN: loaded serial 0
Dec 15 05:13:58 Smoke named[4484]: running
Dec 15 05:15:16 Smoke named[4484]: client 172.16.100.2#55270: transfer of '100.16.172.in-addr.arpa/IN': AXFR started(client 172.16.1
00.2区域100.16.172.in-addr.arpa数据文件完全传送启动)
Dec 15 05:15:16 Smoke named[4484]: client 172.16.100.2#55270: transfer of '100.16.172.in-addr.arpa/IN': AXFR ended(client 172.16.100
.2区域100.16.172.in-addr.arpa数据文件完全传送结束)
Dec 15 05:15:16 Smoke named[4484]: client 172.16.100.2#39635: transfer of 'mageedu.com/IN': AXFR started(client 172.16.100.2区域mag
eedu.com数据文件完全传送启动)
Dec 15 05:15:16 Smoke named[4484]: client 172.16.100.2#39635: transfer of 'mageedu.com/IN': AXFR ended(client 172.16.100.2区域mage
edu.com数据文件完全传送结束)
切换到从服务器查看服务器日志:
[root@localhost ~]# tail /var/log/messages(查看messages日志文件后10行)
Mar 6 10:39:17 localhost named[4413]: zone localhost/IN: loaded serial 0
Mar 6 10:39:17 localhost named[4413]: running
Mar 6 10:39:17 localhost named[4413]: zone 100.16.172.in-addr.arpa/IN: Transfer started.(区域100.16.172.in-addr.arpa数据传送启动)
Mar 6 10:39:17 localhost named[4413]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: connected using 172.16.100.2#
55270(从这里开始)
Mar 6 10:39:17 localhost named[4413]: zone 100.16.172.in-addr.arpa/IN: transferred serial 2013040101(序列号)
Mar 6 10:39:17 localhost named[4413]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: Transfer completed: 1 messages,
7 records, 219 bytes, 0.005 secs (43800 bytes/sec)(传送结束,传递过来7个记录,219字节数据)
Mar 6 10:39:17 localhost named[4413]: zone mageedu.com/IN: Transfer started.(区域mageedu.com数据传送启动)
Mar 6 10:39:17 localhost named[4413]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: connected using 172.16.100.2#39635(从这里开始)
Mar 6 10:39:17 localhost named[4413]: zone mageedu.com/IN: transferred serial 2013040102(序列号)
Mar 6 10:39:17 localhost named[4413]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: Transfer completed: 1 messages, 12 records,
286 bytes, 0.007 secs (40857 bytes/sec)(传送结束,传送过来12个记录,286字节数据)
[root@localhost ~]# cd /var/named/(切换到/var/named目录)
[root@localhost named]# ls(查看当前目录文件及子目录)
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@localhost named]# cd slaves/(切换到slaves目录)
[root@localhost slaves]# ls(查看当前目录文件及子目录)
172.16.100.zone mageedu.com.zone
提示:传送过来的区域数据文件;
[root@localhost slaves]# vim mageedu.com.zone(编辑mageedu.com.zone数据文件)
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102 ; serial(自动加上注释)
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
A 172.16.100.3
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 172.16.100.3
ftp CNAME www
mail A 172.16.100.2
ns1 A 172.16.100.1
pop A 172.16.100.4
www A 172.16.100.1
A 172.16.100.3
提示:ORIGIN和TTL可以声明多次;
[root@localhost slaves]# vim 172.16.100.zone(编辑172.16.100.zone数据文件)
$ORIGIN .
$TTL 600 ; 10 minutes
100.16.172.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
$ORIGIN 100.16.172.in-addr.arpa.
1 PTR ns1.mageedu.com.
PTR www.mageedu.com.
2 PTR mail.mageedu.com.
3 PTR www.mageedu.com.
测试增量区域传送:切换到主服务器增解析条目;
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com.zone数据文件)
$TTL 600
mageedu.com. IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040103(增加版本号数为3)
1H
5M
2D
6H )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.1
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
pop IN A 172.16.100.4
*.mageedu.com. IN A 172.16.100.3
imap IN A 172.16.100.5(增加imap.mageedu.com.的正向解析)
[root@Smoke named]# service named reload(重新加载配置文件)
Reloading named: [ OK ]
查看主服务器日志信息:
[root@Smoke named]# tail /var/log/messages(查看日messages日志文件后10行)
Dec 15 06:03:10 Smoke dhclient: DHCPACK from 192.168.210.254 (xid=0x5cb3ff5b)
Dec 15 06:03:10 Smoke dhclient: bound to 192.168.210.128 -- renewal in 709 seconds.
Dec 15 06:11:45 Smoke named[4484]: received control channel command 'reload'
Dec 15 06:11:45 Smoke named[4484]: loading configuration from '/etc/named.conf'
Dec 15 06:11:45 Smoke named[4484]: using default UDP/IPv4 port range: [1024, 65535]
Dec 15 06:11:45 Smoke named[4484]: using default UDP/IPv6 port range: [1024, 65535]
Dec 15 06:11:45 Smoke named[4484]: the working directory is not writable
Dec 15 06:11:45 Smoke named[4484]: reloading configuration succeeded
Dec 15 06:11:45 Smoke named[4484]: reloading zones succeeded(重新加载区域成功)
Dec 15 06:11:45 Smoke named[4484]: zone mageedu.com/IN: loaded serial 2013040103(加载的版本号)
查看从服务器日志信息:
[root@localhost slaves]# tail /var/log/messages
Mar 6 10:39:17 localhost named[4413]: zone localhost/IN: loaded serial 0
Mar 6 10:39:17 localhost named[4413]: running
Mar 6 10:39:17 localhost named[4413]: zone 100.16.172.in-addr.arpa/IN: Transfer started.
Mar 6 10:39:17 localhost named[4413]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: connected using 172.16.100.2#55270
Mar 6 10:39:17 localhost named[4413]: zone 100.16.172.in-addr.arpa/IN: transferred serial 2013040101
Mar 6 10:39:17 localhost named[4413]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: Transfer completed: 1 messages,
7 records, 219 bytes, 0.005 secs (43800 bytes/sec)
Mar 6 10:39:17 localhost named[4413]: zone mageedu.com/IN: Transfer started.
Mar 6 10:39:17 localhost named[4413]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: connected using 172.16.100.2#39635
Mar 6 10:39:17 localhost named[4413]: zone mageedu.com/IN: transferred serial 2013040102
Mar 6 10:39:17 localhost named[4413]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: Transfer completed: 1 messages, 12 records,
286 bytes, 0.007 secs (40857 bytes/sec)
提示:没传送;
[root@localhost slaves]# cat mageedu.com.zone(查看mageedu.com.zone数据文件内容)
$ORIGIN .
$TTL 600 ; 10 minutes
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102 ; serial(版本号仍然是2)
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
A 172.16.100.3
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 172.16.100.3
ftp CNAME www
mail A 172.16.100.2
ns1 A 172.16.100.1
pop A 172.16.100.4
www A 172.16.100.1
A 172.16.100.3
提示:从服务器的区域数据文件版本仍然是2,说明传送没发生;
切换到主服务器:
[root@Smoke named]# vim /etc/named.conf(编辑named主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
notify yes;(启用通知功能,一旦主服务器更改区域数据文件,就通知从服务器来同步)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
[root@Smoke named]# service named reload(重新加载named服务配置文件)
Reloading named: [ OK ]
提示:主从同步一直完成不了,问题并不在notify选项上;真正的原因是忘记了:一个域内有多少台DNS服务器,区域数据文件中就应该为每一台各有一条NS记录;
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com.zone区域数据文件)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101
2H
10M
7D
2H )
IN NS ns1
IN NS ns2(定义ns2作为DNS服务器)
IN MX 10 mail
ns1 IN A 172.16.100.1
ns2 IN A 172.16.100.2(定义ns2的正向记录)
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
pop IN A 172.16.100.4
*.mageedu.com. IN A 172.16.100.3
imap IN A 172.16.100.5
提示:我们只定义了当前这一台172.16.100.1作为DNS服务器,没定义172.16.100.2也是DNS服务器;
[root@Smoke named]# vim 172.16.100.zone(编辑172.16.100.zone区域数据文件)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101
1H
5M
2D
6H )
IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com.
1 IN PTR ns1.mageedu.com.
2 IN PTR mail.mageedu.com.
2 IN PTR ns2.mageedu.com.(添加ns2的PTR记录)
3 IN PTR www.mageedu.com.
4 IN PTR pop.mageedu.com.
5 IN PTR imap.mageedu.com.
[root@Smoke named]# service named reload(重新加载named服务配置文件)
Reloading named: [ OK ]
切换到从服务器:
[root@localhost slaves]# ls(查看当前目录文件及子目录)
172.16.100.zone mageedu.com.zone
[root@localhost slaves]# rm -rf *(删除/var/named/slaves下所有文件)
提示:删除从服务器同步过来的所有数据文件,让它重新做一次全新的区域传送;(执行rm -rf *之前务必确认提示符中的当前目录确实是slaves)
[root@localhost slaves]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@localhost slaves]# ls(查看当前目录文件及子目录)
172.16.100.zone mageedu.com.zone
提示:同步过来的数据文件;
[root@localhost slaves]# cat mageedu.com.zone(查看mageedu.com.zone文件内容)
$ORIGIN .
$TTL 86400 ; 1 day
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial
7200 ; refresh (2 hours)
600 ; retry (10 minutes)
604800 ; expire (1 week)
7200 ; minimum (2 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
A 172.16.100.3
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 172.16.100.3
ftp CNAME www
imap A 172.16.100.5
mail A 172.16.100.2
ns1 A 172.16.100.1
ns2 A 172.16.100.2
pop A 172.16.100.4
www A 172.16.100.1
A 172.16.100.3
[root@localhost slaves]# cat 172.16.100.zone(查看172.16.100.zone数据文件)
$ORIGIN .
$TTL 86400 ; 1 day
100.16.172.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040101 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
$ORIGIN 100.16.172.in-addr.arpa.
1 PTR ns1.mageedu.com.
2 PTR ns2.mageedu.com.
PTR mail.mageedu.com.
3 PTR www.mageedu.com.
4 PTR pop.mageedu.com.
5 PTR imap.mageedu.com.
重新测试增量区域传送同步:
切换到主服务器:
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com.zone区域数据文件)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102(版本号加1)
2H
10M
7D
2H )
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 172.16.100.1
ns2 IN A 172.16.100.2
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
pop IN A 172.16.100.4
*.mageedu.com. IN A 172.16.100.3
imap IN A 172.16.100.5
hello IN A 172.16.100.6(增加hello.mageedu.com.的A记录)
[root@Smoke named]# service named reload(重新加载named配置文件)
Reloading named: [ OK ]
[root@Smoke named]# tail /var/log/messages(查看messages日志文件后10行)
Dec 15 07:09:01 Smoke named[4484]: loading configuration from '/etc/named.conf'
Dec 15 07:09:01 Smoke named[4484]: using default UDP/IPv4 port range: [1024, 65535]
Dec 15 07:09:01 Smoke named[4484]: using default UDP/IPv6 port range: [1024, 65535]
Dec 15 07:09:01 Smoke named[4484]: the working directory is not writable
Dec 15 07:09:01 Smoke named[4484]: reloading configuration succeeded
Dec 15 07:09:01 Smoke named[4484]: reloading zones succeeded
Dec 15 07:09:01 Smoke named[4484]: zone mageedu.com/IN: loaded serial 2013040102(区域mageedu.com加载序列号2013040102)
Dec 15 07:09:01 Smoke named[4484]: zone mageedu.com/IN: sending notifies (serial 2013040102)(发送通知,序列号是2013040102)
Dec 15 07:09:01 Smoke named[4484]: client 172.16.100.2#45364: transfer of 'mageedu.com/IN': AXFR-style IXFR started(client 172.16.100
.2开始增量区域传送)
Dec 15 07:09:01 Smoke named[4484]: client 172.16.100.2#45364: transfer of 'mageedu.com/IN': AXFR-style IXFR ended(client 172.16.100.2
增量区域传送结束)
切换到从服务器:
[root@localhost slaves]# tail /var/log/messages(查看message日志文件后10行)
Mar 6 12:28:17 localhost named[4709]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: connected using 172.16.100.2#54741
Mar 6 12:28:17 localhost named[4709]: zone 100.16.172.in-addr.arpa/IN: transferred serial 2013040101
Mar 6 12:28:17 localhost named[4709]: transfer of '100.16.172.in-addr.arpa/IN' from 172.16.100.1#53: Transfer completed: 1 messages,
10 records, 278 bytes, 0.007 secs (39714 bytes/sec)
Mar 6 12:28:17 localhost named[4709]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 2013040101)
Mar 6 12:33:01 localhost named[4709]: client 172.16.100.1#37371: received notify for zone 'mageedu.com'
Mar 6 12:33:01 localhost named[4709]: zone mageedu.com/IN: Transfer started.
Mar 6 12:33:01 localhost named[4709]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: connected using 172.16.100.2#45364
Mar 6 12:33:01 localhost named[4709]: zone mageedu.com/IN: transferred serial 2013040102
Mar 6 12:33:01 localhost named[4709]: transfer of 'mageedu.com/IN' from 172.16.100.1#53: Transfer completed: 1 messages, 16 records,
363 bytes, 0.004 secs (90750 bytes/sec)(传送mageedu.com区域,传输完成,1个报文,16条记录,363字节数据)
Mar 6 12:33:01 localhost named[4709]: zone mageedu.com/IN: sending notifies (serial 2013040102)(区域mageedu.com发送通知序列号2013040102)
[root@localhost slaves]# cat mageedu.com.zone(查看mageedu.com.zone区域数据文件)
$ORIGIN .
$TTL 86400 ; 1 day
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102 ; serial
7200 ; refresh (2 hours)
600 ; retry (10 minutes)
604800 ; expire (1 week)
7200 ; minimum (2 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
A 172.16.100.3
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 172.16.100.3
ftp CNAME www
hello A 172.16.100.6(增量区域传送的hello的A记录)
imap A 172.16.100.5
mail A 172.16.100.2
ns1 A 172.16.100.1
ns2 A 172.16.100.2
pop A 172.16.100.4
www A 172.16.100.1
A 172.16.100.3
提示:刚才所有的错误都在于忘记添加从服务器的NS记录,当新增一台NS服务器以后,一定要将它的NS记录添加进来,放在本区域所能支持的DNS列表当中;
测试反向增量区域传送:
切换到主服务器:
[root@Smoke named]# vim 172.16.100.zone(编辑172.16.100.zone数据文件)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102(版本号加1)
1H
5M
2D
6H )
IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com.
1 IN PTR ns1.mageedu.com.
2 IN PTR mail.mageedu.com.
2 IN PTR ns2.mageedu.com.
3 IN PTR www.mageedu.com.
4 IN PTR pop.mageedu.com.
5 IN PTR imap.mageedu.com.
6 IN PTR hello.mageedu.com.(给hello.mageedu.com.建立PTR记录)
[root@Smoke named]# service named reload(重新加载named服务配置文件)
Reloading named: [ OK ]
[root@Smoke named]# !tail(查看message日志文件后10行)
tail /var/log/messages
Dec 15 07:19:19 Smoke named[4484]: loading configuration from '/etc/named.conf'
Dec 15 07:19:19 Smoke named[4484]: using default UDP/IPv4 port range: [1024, 65535]
Dec 15 07:19:19 Smoke named[4484]: using default UDP/IPv6 port range: [1024, 65535]
Dec 15 07:19:19 Smoke named[4484]: the working directory is not writable
Dec 15 07:19:19 Smoke named[4484]: reloading configuration succeeded
Dec 15 07:19:19 Smoke named[4484]: reloading zones succeeded
Dec 15 07:19:19 Smoke named[4484]: zone 100.16.172.in-addr.arpa/IN: loaded serial 2013040102
Dec 15 07:19:19 Smoke named[4484]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 2013040102)(发送区域100.16.172.in-
addr.arpa区域通知序列号2013040102)
Dec 15 07:19:19 Smoke named[4484]: client 172.16.100.2#51816: transfer of '100.16.172.in-addr.arpa/IN': AXFR-style IXFR started
Dec 15 07:19:19 Smoke named[4484]: client 172.16.100.2#51816: transfer of '100.16.172.in-addr.arpa/IN': AXFR-style IXFR ended
切换到从服务器:
[root@localhost slaves]# cat 172.16.100.zone(查看172.16.100.zone数据文件)
$ORIGIN .
$TTL 86400 ; 1 day
100.16.172.in-addr.arpa IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040102 ; serial
3600 ; refresh (1 hour)
300 ; retry (5 minutes)
172800 ; expire (2 days)
21600 ; minimum (6 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
$ORIGIN 100.16.172.in-addr.arpa.
1 PTR ns1.mageedu.com.
2 PTR ns2.mageedu.com.
PTR mail.mageedu.com.
3 PTR www.mageedu.com.
4 PTR pop.mageedu.com.
5 PTR imap.mageedu.com.
6 PTR hello.mageedu.com.(增量传送过来的hello.mageedu.com.的PTR记录)
通过rndc控制DNS服务器:
[root@Smoke ~]# rndc -h(查看rndc的帮助)
Usage: rndc [-c config](指定配置文件) [-s server](指定远程服务器) [-p port](指定端口)
[-k key-file ](以那个key文件向外发送)[-y key] [-V] command(子命令)
command is one of the following:
reload Reload configuration file and zones.(通知某个服务器重读配置文件和区域数据文件)
reload zone [class [view]](只重读区域数据文件,可以指定某个区域)
Reload a single zone.
refresh zone [class [view]](做维护的)
Schedule immediate maintenance for a zone.
retransfer zone [class [view]](重传)
Retransfer a single zone without checking serial number.
freeze Suspend updates to all dynamic zones.(可以将动态区域冻结)
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
notify zone [class [view]](手动向某个区域发送通知)
Resend NOTIFY messages for the zone.
reconfig Reload configuration file and new zones only.(只重读配置文件和新区域文件)
sign zone [class [view]]
Update zone keys, and sign as needed.
stats Write server statistics to the statistics file.(收集服务器统计信息)
querylog Toggle query logging.(是否打开查询日志)
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.(停止named服务器)
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.(清空缓存)
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
validation newstate [view]
Enable / disable DNSSEC validation.
*restart Restart the server.(重启服务器)
* == not yet implemented
Version: 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4
[root@Smoke ~]# rndc-confgen > /etc/rndc.conf(生成rndc配置文件)
[root@Smoke ~]# cat /etc/rndc.conf(查看rndc.conf文件内容)
# Start of rndc.conf(rndc.conf文件开始行)
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf(rndc.conf文件结束行)
# Use with the following in named.conf, adjusting the allow list as needed:(把底下的脚本内容放到named.conf文件中,把前面注释去掉)
# key "rndc-key" {
# algorithm hmac-md5;
# secret "MjF/k3H0bQkQDufA4fQZKw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@Smoke ~]# vim /etc/rndc.conf(编辑rndc.conf配置文件)
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {(将光标移动到当前行)
# algorithm hmac-md5;
# secret "MjF/k3H0bQkQDufA4fQZKw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
:.,$-1w >> /etc/named.conf(从光标所处行到倒数第二行的内容追加保存写入/etc/named.conf文件)
[root@Smoke ~]# vim /etc/named.conf(编辑named.conf文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
key "rndc-key" {(定义的rndc-key)(将光标移动到当前行)
algorithm hmac-md5;(hmac-md5的密钥)
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
controls {
inet 127.0.0.1 port 953(只监听127.0.0.1的953端口)
allow { 127.0.0.1; } keys { "rndc-key"; };(只允许127.0.0.1使用rndc-key进行控制)
};
:.,$s/^# //g(查找当前行到最后一行,查找行首为#空格统统替换成什么都没有)
[root@Smoke ~]# vim /etc/rndc.conf(编辑rndc.conf配置文件)
# Start of rndc.conf
key "rndc-key" {(也定义了rndc-key)
algorithm hmac-md5;(那段密钥)
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
options {
default-key "rndc-key";(默认密钥是什么)
default-server 127.0.0.1;(默认服务器是什么)
default-port 953;(默认端口)
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "MjF/k3H0bQkQDufA4fQZKw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@Smoke ~]# rndc -h(查看rndc命令帮助)
Usage: rndc [-c config](指定配置文件) [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
notify zone [class [view]]
Resend NOTIFY messages for the zone.
reconfig Reload configuration file and new zones only.
sign zone [class [view]]
Update zone keys, and sign as needed.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
validation newstate [view]
Enable / disable DNSSEC validation.
*restart Restart the server.
* == not yet implemented
Version: 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4
[root@Smoke ~]# rndc -c /etc/rndc.conf status(-c指定rndc.conf配置文件,查看服务器状态)
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.(key无效)
提示:显示key无效;
[root@Smoke ~]# rm /etc/rndc.key(删除/etc/rndc.key文件)
rm: remove regular file `/etc/rndc.key'? y
注意:安装bind97以后它会自动提供一个rndc.key文件,把这个key文件删除;
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke ~]# rndc -c /etc/rndc.conf status(-c指定rndc.conf配置文件,查看named服务器状态)
version: 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4(版本号)
CPUs found: 1(CPU数量)
worker threads: 1(named工作进程)
number of zones: 16
debug level: 0
xfers running: 0(有没有发送区域传送)
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running(服务器状态运行)
[root@Smoke ~]# rndc -c /etc/rndc.conf notify "mageedu.com"(-c指定rndc.conf配置文件,通知mageedu.com区域)
zone notify queued
[root@Smoke ~]# tail /var/log/messages(查看messages文件日志信息后10行)
Dec 15 07:54:12 Smoke named[5590]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Dec 15 07:54:12 Smoke named[5590]: zone 100.16.172.in-addr.arpa/IN: loaded serial 2013040102
Dec 15 07:54:12 Smoke named[5590]: zone mageedu.com/IN: loaded serial 2013040102
Dec 15 07:54:12 Smoke named[5590]: zone localhost/IN: loaded serial 0
Dec 15 07:54:12 Smoke named[5590]: running
Dec 15 07:54:12 Smoke named[5590]: zone mageedu.com/IN: sending notifies (serial 2013040102)
Dec 15 07:54:12 Smoke named[5590]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 2013040102)
Dec 15 07:56:40 Smoke named[5590]: received control channel command 'notify'
Dec 15 07:56:56 Smoke named[5590]: received control channel command 'notify mageedu.com'
Dec 15 07:56:56 Smoke named[5590]: zone mageedu.com/IN: sending notifies (serial 2013040102)(发送通知)
[root@Smoke ~]# rndc -c /etc/rndc.conf flush(清除服务器缓存)
[root@Smoke ~]# rndc -c /etc/rndc.conf stop(停止服务器)
[root@Smoke ~]# netstat -tunlp(查看当前系统服务,-t代表tcp,-u代表udp,-n数字显示,-l监听端口,-p显示进程名称)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3538/./hpiod
tcp 0 0 0.0.0.0:872 0.0.0.0:* LISTEN 3234/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3195/portmap
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3559/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3571/cupsd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3608/sendmail
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 4088/sshd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3543/python
tcp 0 0 :::22 :::* LISTEN 3559/sshd
tcp 0 0 ::1:6011 :::* LISTEN 4088/sshd
udp 0 0 0.0.0.0:514 0.0.0.0:* 3113/syslogd
udp 0 0 0.0.0.0:54297 0.0.0.0:* 3774/avahi-daemon
udp 0 0 0.0.0.0:68 0.0.0.0:* 3001/dhclient
udp 0 0 0.0.0.0:866 0.0.0.0:* 3234/rpc.statd
udp 0 0 0.0.0.0:869 0.0.0.0:* 3234/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3774/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 3195/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 3571/cupsd
udp 0 0 :::58985 :::* 3774/avahi-daemon
udp 0 0 :::5353 :::* 3774/avahi-daemon
提示:检查有没有53号端口,确定named服务停止;
[root@Smoke ~]# service named start(启动named服务)
Starting named: [ OK ]
[root@Smoke ~]# rndc stop(停止named服务)
[root@Smoke ~]# service named start
Starting named: [ OK ]
提示:把rndc.key文件删除以后,不用-c指定配置文件也能使用rndc,此时默认读取/etc/rndc.conf;
控制远程主机:当前主服务器让172.16.100.2控制;
[root@Smoke ~]# vim /etc/named.conf(编辑named.conf主配置文件)
options {
directory "/var/named";
allow-recursion { 172.16.100.0/16; };
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
controls {
inet 172.16.100.1 port 953(指定监听地址)
allow { 172.16.100.2; } keys { "rndc-key"; };(指定允许控制的主机和所使用的key)
};
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke ~]# netstat -tnlp(查看系统服务,-t代表tcp,-n数字显示,-l监听端口,-p显示服务名称)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 3538/./hpiod
tcp 0 0 0.0.0.0:872 0.0.0.0:* LISTEN 3234/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 3195/portmap
tcp 0 0 192.168.210.128:53 0.0.0.0:* LISTEN 5769/named
tcp 0 0 172.16.100.1:53 0.0.0.0:* LISTEN 5769/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 5769/named
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3559/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3571/cupsd
tcp 0 0 172.16.100.1:953 0.0.0.0:* LISTEN 5769/named
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3608/sendmail
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 4088/sshd
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 3543/python
tcp 0 0 :::22 :::* LISTEN 3559/sshd
tcp 0 0 ::1:6011 :::* LISTEN 4088/sshd
提示:监听的地址为172.16.100.1:953;
[root@Smoke ~]# scp /etc/rndc.conf 172.16.100.2:/root(通过scp复制本地/etc/rndc.conf文件到远程主机172.16.100.2的/root目录)
The authenticity of host '172.16.100.2 (172.16.100.2)' can't be established.
RSA key fingerprint is 89:76:bc:a3:db:68:83:e1:20:ce:d4:69:eb:73:0d:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.2' (RSA) to the list of known hosts.
root@172.16.100.2's password:
rndc.conf 100% 479 0.5KB/s 00:00
切换到从服务器172.16.100.2:
[root@localhost slaves]# cd(切换到当前用户家目录)
[root@localhost ~]# ls(查看当前目录文件及子目录)
anaconda-ks.cfg install.log install.log.syslog rndc.conf
[root@localhost ~]# vim rndc.conf(编辑rndc.conf文件)
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
options {
default-key "rndc-key";
default-server 172.16.100.1;(更改服务器地址为172.16.100.1)
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "MjF/k3H0bQkQDufA4fQZKw==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@localhost ~]# rndc -c rndc.conf status(-c指定rndc.conf文件,显示服务器状态)
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,(远程服务器使用老版本命令协议)
* this host is not authorized to connect,
* the clocks are not synchronized, or(时间不同步)
* the key is invalid.
[root@localhost ~]# date(查看当前系统时间)
Fri Mar 6 13:42:19 CST 2015
切换到主服务器172.16.100.1:
[root@Smoke ~]# date(查看服务器系统时间)
Mon Dec 15 08:18:28 CST 2014
提示:将两台主机的时间同步后就可以使用;一般不要把rndc控制通道开放给远程主机,持有这个key的主机就能停止服务器、清空缓存,相当危险,通常只监听127.0.0.1并严格限制allow列表;
假设我们公司规模扩展,有两个部门都期望自我实现自己的DNS服务器管理,域名叫mageedu.com,以前所有的主机都位于www.mageedu.com的主机上,后来公司财务部和市场部,每个部门各自都需要自己的web页面,于是就做了www.mageedu.com/fin,通过这个路径访问的都是财务部的,通过www.mageedu.com/market访问都是市场部的,看上去似乎很完美,但过段时间发现财务部市场部可以独立出去了,它们都期望能够使用自己的名称,或通过自己的链接来访问,就算它们都从属于mageedu的组织,但是期望它们使用的主机名称可以这样访问,访问财务部网站使用www.fin.mageedu.com,访问市场部www.market.mageedu.com,这里多了一个层次,后面有我们的根域,而后有顶级域或叫一级域、二级域、多了一个新的小组织,现在需要三个组织需要独立管理,分别是财务部、市场部、还有自身的;
任何一个子域都需要的父域的授权才可以;
正向区域:
SUB_ZONE_NAME(子域区域名称) IN NS(子域域名服务器) NSSERVER_SUB_ZONE_NAME(子域服务器名称)
NSSERVER_SUB_ZONE_NAME IN A IP(任何一个NS条目都应该有一个相应A记录)
.com
mageedu.com. IN NS ns1.mageedu.com.
IN NS ns2.mageedu.com.
ns1.mageedu.com. IN A 172.16.100.1
ns2.mageedu.com. IN A 172.16.100.2
dig -t A www.baidu.com @172.16.100.1
.
.com
.com
mageedu.com.
mageedu.com.
fin.mageedu.com. IN NS ns1.fin.mageedu.com.
fin.mageedu.com. IN NS ns2.fin.mageedu.com.
ns1.fin.mageedu.com. IN A 172.16.100.8
ns2.fin.mageedu.com. IN A 172.16.100.9
market.mageedu.com. IN NS ns1.market.mageedu.com.
ns1.market.mageedu.com. IN A 172.16.100.108
全局转发:
forward {only|first}:指定转发机制,可以写在/etc/named.conf的全局options当中,将转发所有请求,除了自己负责的域;
only:如果我这里解析不了都转发给指定那台服务器,如果指定那台服务器不给解析,就算了;
first:先转发给指定那台服务器,如果指定服务器不给答案,自己就去找.根;
forwarders {};:指定转发给那个DNS服务器;
声明转发域:只转发某个区域的请求转发给某台DNS服务器;
zone "ZONE_NAME" IN {
type forward;
};
实现fin子域创建,market子域只建立条目(没有服务器,无法工作),对于子域只建一台服务器,只建一个ns1;
首先在父域授权(父域服务器中的主名称服务器):
[root@Smoke ~]# cd /var/named/(切换到/var/named目录)
[root@Smoke named]# ls(查看当前目录文件及子目录)
172.16.100.zone data dynamic mageedu.com.zone named.ca named.empty named.localhost named.loopback slaves
[root@Smoke named]# vim mageedu.com.zone(编辑mageedu.com.zone区域数据文件)
$TTL 86400
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040103(版本号加1,不然从服务器得不到数据)
2H
10M
7D
2H )
IN NS ns1
IN NS ns2
IN MX 10 mail
ns1 IN A 172.16.100.1
ns2 IN A 172.16.100.2
mail IN A 172.16.100.2
www IN A 172.16.100.1
www IN A 172.16.100.3
ftp IN CNAME www
mageedu.com. IN A 172.16.100.3
pop IN A 172.16.100.4
*.mageedu.com. IN A 172.16.100.3
imap IN A 172.16.100.5
hello IN A 172.16.100.6
fin IN NS ns1.fin(定义ns1.fin.mageedu.com.子域)
ns1.fin IN A 172.16.100.8(定义子域ns1.fin.mageedu.com.的A记录)
market IN NS ns1.market(定义ns1.market.mageedu.com.子域)
ns1.market IN A 172.16.100.108(定义子域ns1.market.mageedu.com.的A记录)
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# tail /var/log/messages(查看messages文件日志后10行)
Mar 8 03:58:19 Smoke named[6565]: the working directory is not writable
Mar 8 03:58:19 Smoke named[6565]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 8 03:58:19 Smoke named[6565]: zone 100.16.172.in-addr.arpa/IN: loaded serial 2013040102
Mar 8 03:58:19 Smoke named[6565]: zone mageedu.com/IN: loaded serial 2013040103
Mar 8 03:58:19 Smoke named[6565]: zone localhost/IN: loaded serial 0
Mar 8 03:58:19 Smoke named[6565]: running
Mar 8 03:58:19 Smoke named[6565]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 2013040102)
Mar 8 03:58:19 Smoke named[6565]: zone mageedu.com/IN: sending notifies (serial 2013040103)(区域mageedu.com发送通知,序列号2013040103)
Mar 8 03:58:19 Smoke named[6565]: client 172.16.100.2#38631: transfer of 'mageedu.com/IN': AXFR-style IXFR started
Mar 8 03:58:19 Smoke named[6565]: client 172.16.100.2#38631: transfer of 'mageedu.com/IN': AXFR-style IXFR ended
切换到父域名服务器的从名称服务器:
[root@localhost ~]# cd /var/named/slaves/(切换到/var/named/slaves目录)
[root@localhost slaves]# cat mageedu.com.zone(查看mageedu.com.zone区域数据文件内容)
$ORIGIN .
$TTL 86400 ; 1 day
mageedu.com IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040103 ; serial
7200 ; refresh (2 hours)
600 ; retry (10 minutes)
604800 ; expire (1 week)
7200 ; minimum (2 hours)
)
NS ns1.mageedu.com.
NS ns2.mageedu.com.
A 172.16.100.3
MX 10 mail.mageedu.com.
$ORIGIN mageedu.com.
* A 172.16.100.3
fin NS ns1.fin
$ORIGIN fin.mageedu.com.
ns1 A 172.16.100.8
$ORIGIN mageedu.com.
ftp CNAME www
hello A 172.16.100.6
imap A 172.16.100.5
mail A 172.16.100.2
market NS ns1.market
$ORIGIN market.mageedu.com.
ns1 A 172.16.100.108
$ORIGIN mageedu.com.
ns1 A 172.16.100.1
ns2 A 172.16.100.2
pop A 172.16.100.4
www A 172.16.100.1
A 172.16.100.3
切换父域服务器中的主名称服务器:
[root@Smoke named]# dig -t NS fin.mageedu.com @172.16.100.1(通过DNS服务器172.16.100.1查找fin.mageedu.com的NS记录)
[root@Smoke named]# dig -t NS mageedu.com(查看mageedu.com的NS记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t NS mageedu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15746
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 7
;; QUESTION SECTION:
;mageedu.com. IN NS
;; ANSWER SECTION:
mageedu.com. 5 IN NS v1s2.xundns.com.
mageedu.com. 5 IN NS v1s1.xundns.com.
;; ADDITIONAL SECTION:
v1s1.xundns.com. 5 IN A 116.10.189.88
v1s1.xundns.com. 5 IN A 113.17.169.34
v1s1.xundns.com. 5 IN A 60.214.139.35
v1s1.xundns.com. 5 IN A 115.238.253.246
v1s2.xundns.com. 5 IN A 61.164.248.214
v1s2.xundns.com. 5 IN A 116.10.184.143
v1s2.xundns.com. 5 IN A 14.29.32.164
;; Query time: 75 msec
;; SERVER: 192.168.210.2#53(192.168.210.2)
;; WHEN: Sun Mar 8 04:04:40 2015
;; MSG SIZE rcvd: 186
提示:子域不给我们答案,因为子域服务器不存在,联系不上子域服务器,所以就算在父域建立了子域条目,仍然需要跟子域通信;(注意上面dig -t NS mageedu.com没有用@指定服务器,SERVER一行显示查询的是192.168.210.2,因此返回的是互联网上mageedu.com的公开NS记录,而不是我们实验服务器的数据)
[root@Smoke named]# dig -t A ns1.fin.mageedu.com @172.16.100.1(通过DNS服务器172.16.100.1查找ns1.fin.mageedu.com的A记录)
提示:A记录也找不到;
建立子域服务器:
[root@Smoke ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0(配置eth0接口IP地址)
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:0C:29:8C:BF:0A
ONBOOT=yes
IPADDR=172.16.100.8
NETMASK=255.255.255.0
[root@Smoke ~]# vim /etc/resolv.conf(配置DNS指向自己)
search fin.mageedu.com(搜索的域)
nameserver 172.16.100.8(DNS指向自己)
[root@Smoke ~]# service network restart(重启网络服务)
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1:
Determining IP information for eth1... done.
[ OK ]
[root@Smoke ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.8 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:37347 errors:0 dropped:0 overruns:0 frame:0
TX packets:13575 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5635511 (5.3 MiB) TX bytes:7102486 (6.7 MiB)
Interrupt:67 Base address:0x2000
[root@Smoke ~]# ping 172.16.100.1(ping测试172.16.100.1)
PING 172.16.100.1 (172.16.100.1) 56(84) bytes of data.
64 bytes from 172.16.100.1: icmp_seq=1 ttl=64 time=1.53 ms
--- 172.16.100.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.533/1.533/1.533/0.000 ms
[root@Smoke ~]# ping 172.16.100.2(ping测试172.16.100.2)
PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=3.20 ms
--- 172.16.100.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 3.208/3.208/3.208/0.000 ms
[root@Smoke ~]# rpm -e bind-libs bind-utils(卸载bind-libs库文件和bind-utils客户端工具软件)
[root@Smoke ~]# yum list all | grep bind(查看yum源列表将结果送给管道只显示bind相关)
ypbind.i386 3:1.19-12.el5_6.1 installed
bind.i386 30:9.3.6-20.P1.el5 c5-media
bind-chroot.i386 30:9.3.6-20.P1.el5 c5-media
bind-devel.i386 30:9.3.6-20.P1.el5 c5-media
bind-libbind-devel.i386 30:9.3.6-20.P1.el5 c5-media
bind-libs.i386 30:9.3.6-20.P1.el5 c5-media
bind-sdb.i386 30:9.3.6-20.P1.el5 c5-media
bind-utils.i386 30:9.3.6-20.P1.el5 c5-media
bind97.i386 32:9.7.0-6.P2.el5_7.4 c5-media
bind97-chroot.i386 32:9.7.0-6.P2.el5_7.4 c5-media
bind97-devel.i386 32:9.7.0-6.P2.el5_7.4 c5-media
bind97-libs.i386 32:9.7.0-6.P2.el5_7.4 c5-media
bind97-utils.i386 32:9.7.0-6.P2.el5_7.4 c5-media
kdebindings.i386 3.5.4-6.el5 c5-media
kdebindings-devel.i386 3.5.4-6.el5 c5-media
samba3x-winbind.i386 3.5.10-0.107.el5 c5-media
samba3x-winbind-devel.i386 3.5.10-0.107.el5 c5-media
system-config-bind.noarch 4.0.3-5.el5.centos c5-media
[root@Smoke ~]# yum -y install bind97 bind97-utils(安装bind97主软件包和工具包)
[root@Smoke ~]# vim /etc/sysconfig/selinux(编辑selinux文件)
SELINUX=permissive(将selinux设为宽容模式,不再强制执行策略)
提示:编辑/etc/sysconfig/selinux不会立即生效,需要重启,或者通过setenforce 0立即关闭;
[root@Smoke ~]# setenforce 0(临时将selinux切换为宽容模式)
[root@Smoke ~]# mv /etc/named.conf /etc/named.conf.orig(改变named.conf文件名字为named.conf.orig)
提示:备份原来的named服务主配置文件;
[root@Smoke ~]# scp 172.16.100.1:/etc/named.conf /etc/(通过scp远程复制172.16.100.1:/etc/named.conf文件到当前主机/etc/目录)
root@172.16.100.1's password:
named.conf 100% 718 0.7KB/s 00:00
[root@Smoke named]# ll /etc/named.conf(查看named.conf文件详细信息)
-rw-r----- 1 root root 357 Nov 11 17:40 /etc/named.conf
[root@Smoke named]# chgrp named /etc/named.conf(更改named.conf文件属组为named)
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "fin.mageedu.com" IN {(定义fin.mageedu.com区域)
type master;(区域类型,主DNS服务器)
file "fin.mageedu.com.zone";(通过file定义区域数据文件为/var/named/fin.mageedu.com.zone)
};
:.,$d(从当前行到最后一行删除原来的区域配置)
[root@Smoke named]# service named start(启动named服务器)
Starting named: [ OK ]
[root@Smoke named]# chkconfig named on(开机自动启动named服务)
[root@Smoke named]# chkconfig --list named(查看named服务在不同系统级别启动情况)
named 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@Smoke named]# scp 172.16.100.1:/var/named/mageedu.com.zone .(通过scp远程复制172.16.100.1:/var/named/mageedu.com.zone到当前目录)
root@172.16.100.1's password:
mageedu.com.zone 100% 520 0.5KB/s 00:00
[root@Smoke named]# scp 172.16.100.1:/var/named/172.16.100.zone .(通过scp远程复制172.16.100.1:/var/named/172.16.100.zone到当前目录)
root@172.16.100.1's password:
172.16.100.zone 100% 347 0.3KB/s 00:00
[root@Smoke named]# ll /var/named/(查看/var/named/目录文件及子目录详细信息)
total 72
-rw-r----- 1 root root 347 Nov 11 17:44 172.16.100.zone
drwxrwx--- 2 named named 4096 Nov 18 2011 data
drwxrwx--- 2 named named 4096 Nov 18 2011 dynamic
-rw-r----- 1 root root 212 Nov 11 17:56 fin.mageedu.com.zone
-rw-r----- 1 root named 1892 Feb 18 2008 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 18 2011 slaves
[root@Smoke named]# chgrp named fin.mageedu.com.zone 172.16.100.zone(更改文件fin.mageedu.com.zone和172.16.100.zone属组)
[root@Smoke named]# ls(查看当前目录文件及子目录)
172.16.100.zone dynamic named.ca named.localhost slaves
data mageedu.com.zone named.empty named.loopback
[root@Smoke named]# mv mageedu.com.zone fin.mageedu.com.zone(重命名mageedu.com.zone为fin.mageedu.com.zone)
[root@Smoke named]# vim fin.mageedu.com.zone(编辑fin.mageedu.com.zone数据文件)
$TTL 86400
@ IN SOA ns1.fin.mageedu.com. admin.fin.mageedu.com. (
2013040101
2H
10M
7D
2H )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.8
mail IN A 172.16.100.9
www IN A 172.16.100.10
:%s@mageedu.com@fin.mageedu.com@g(全文查找mageedu.com替换成fin.mageedu.com)
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# dig -t A www.fin.mageedu.com @172.16.100.8(通过172.16.100.8查找www.fin.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.fin.mageedu.com @172.16.100.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15661
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.fin.mageedu.com. IN A
;; ANSWER SECTION:
www.fin.mageedu.com. 86400 IN A 172.16.100.10
;; AUTHORITY SECTION:
fin.mageedu.com. 86400 IN NS ns1.fin.mageedu.com.
;; ADDITIONAL SECTION:
ns1.fin.mageedu.com. 86400 IN A 172.16.100.8
;; Query time: 1 msec
;; SERVER: 172.16.100.8#53(172.16.100.8)
;; WHEN: Tue Nov 11 18:14:48 2014
;; MSG SIZE rcvd: 87
[root@Smoke named]# dig -t NS fin.mageedu.com @172.16.100.8(通过172.16.100.8查找fin.mageedu.com的NS记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t NS fin.mageedu.com @172.16.100.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19012
;; flags: qr aa rd ra;(通过子域解析有aa) QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;fin.mageedu.com. IN NS
;; ANSWER SECTION:
fin.mageedu.com. 86400 IN NS ns1.fin.mageedu.com.
;; ADDITIONAL SECTION:
ns1.fin.mageedu.com. 86400 IN A 172.16.100.8
;; Query time: 3 msec
;; SERVER: 172.16.100.8#53(172.16.100.8)
;; WHEN: Tue Nov 11 18:15:50 2014
;; MSG SIZE rcvd: 67
切换到父域服务器中的主名称服务器:
[root@Smoke named]# dig -t A ns1.fin.mageedu.com @172.16.100.1(通过172.16.100.1查找ns1.fin.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A ns1.fin.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37073
;; flags: qr rd ra;(通过父域解析没有aa) QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ns1.fin.mageedu.com. IN A
;; ANSWER SECTION:
ns1.fin.mageedu.com. 86400 IN A 172.16.100.8
;; AUTHORITY SECTION:
fin.mageedu.com. 86400 IN NS ns1.fin.mageedu.com.
;; Query time: 6 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 06:04:33 2015
;; MSG SIZE rcvd: 67
提示:只要子域存在就不会有问题,它需要联系子域,让子域提供真正的信息;
[root@Smoke named]# dig -t NS fin.mageedu.com @172.16.100.1(通过172.16.100.1查找fin.mageedu.com的NS记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t NS fin.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3305
;; flags: qr rd ra;(通过父域解析没有aa) QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;fin.mageedu.com. IN NS
;; ANSWER SECTION:
fin.mageedu.com. 86293 IN NS ns1.fin.mageedu.com.
;; ADDITIONAL SECTION:
ns1.fin.mageedu.com. 86293 IN A 172.16.100.8
;; Query time: 2 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 06:06:20 2015
;; MSG SIZE rcvd: 67
提示:通过父域自己解析的,通过子域自己解析有flags: qr aa rd ra;而通过父域自己解析是flags: qr rd ra;没有aa;
[root@Smoke named]# dig -t NS fin.mageedu.com @172.16.100.8(通过172.16.100.8查找fin.mageedu.com的NS记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t NS fin.mageedu.com @172.16.100.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17200
;; flags: qr aa rd ra(通过指向子域有aa); QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;fin.mageedu.com. IN NS
;; ANSWER SECTION:
fin.mageedu.com. 86400 IN NS ns1.fin.mageedu.com.
;; ADDITIONAL SECTION:
ns1.fin.mageedu.com. 86400 IN A 172.16.100.8
;; Query time: 6 msec
;; SERVER: 172.16.100.8#53(172.16.100.8)
;; WHEN: Sun Mar 8 06:09:22 2015
;; MSG SIZE rcvd: 67
提示:在父域服务器的主名称服务器将主机指向子域172.16.100.8解析有aa标记,这意味着向父域服务器找没错,但是父域自己没有答案,它去找子域;
通过windows的cmd(命令提示符)的nslookup解析:
C:\Users\Smoke>nslookup(通过nslookup命令解析)
默认服务器: XiaoQiang
Address: 192.168.31.1
> server 172.16.100.1(指定DNS服务器为父域主DNS服务器)
默认服务器: [172.16.100.1]
Address: 172.16.100.1
> set q=A(设置为查找A记录)
> www.mageedu.com(查找www.mageedu.com的A记录)
服务器: [172.16.100.1]
Address: 172.16.100.1
名称: www.mageedu.com
Addresses: 172.16.100.3
172.16.100.1
> set q=A(设置为查找A记录)
> www.fin.mageedu.com(查找www.fin.mageedu.com的A记录)
服务器: [172.16.100.1]
Address: 172.16.100.1
非权威应答:(提示:非权威答案)
名称: www.fin.mageedu.com
Address: 172.16.100.10
> server 172.16.100.8(指定DNS服务器为子域DNS服务器)
默认服务器: [172.16.100.8]
Address: 172.16.100.8
> set q=A(设置为查找A记录)
> www.fin.mageedu.com
服务器: [172.16.100.8]
Address: 172.16.100.8
名称: www.fin.mageedu.com(提示:通过子域直接解析www.fin.mageedu.com是权威答案)
Address: 172.16.100.10
> set q=A(设置为查找A记录)
> www.mageedu.com(查找www.mageedu.com的A记录)
服务器: [172.16.100.8]
Address: 172.16.100.8
非权威应答:
名称: www.mageedu.com
Address: 122.10.114.94
提示:通过子域DNS服务器172.16.100.8查找父域www.mageedu.com的A记录,不能解析出来,因为子域不知道父域在哪,下层不知道上层,先去找.根,.根找com,com
找mageedu,不能找到,根本联系不到我们服务器上来,因为没有在com注册,虽然解析出来122.10.114.94,这是因为互联网确实有www.mageedu.com这个域名,而且是
非权威应答;
在自己公司内部建立两个名称服务器有子域还有父域,还必须得上互联网,而且我们测试用的,如何让子域找到父域,可以告诉子域父域在什么地方就可以了,定义转发即可;
让子域将所有的请求都转发给父域,而不是自己来解析,当然父域要能给子域做递归才行:
切换到子域DNS服务器:
[root@Smoke named]# vim /etc/named.conf(编辑DNS主配置文件)
options {
directory "/var/named";
forward first ;(指定转发机制为first,先转发给指定那台服务器,如果指定服务器不给答案,自己就去找.根)
forwarders { 172.16.100.1; };(指定转发给父域主DNS服务器172.16.100.1,转发是对那些请求的解析,自己负责的是fin.mageedu.com区域,如果向服
务器请求子域,它自己就解析答案,如果请求的不是子域,而是其他任何域都转发出去了,这个参数在全局选项配置,这将都会转发出去,无论请求那个网段的,如果只是期望转
发一个域,只是对父域请求转发给父域,而不是所有的都转发,也可以的)
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "fin.mageedu.com" IN {
type master;
file "fin.mageedu.com.zone";
};
提示:编辑子域DNS服务器的主配置文件;
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
通过windows的cmd(命令提示符)的nslookup解析:
> set q=A(设置为查找A记录)
> www.fin.mageedu.com(查找子域www.fin.mageedu.com的A记录)
服务器: [172.16.100.8]
Address: 172.16.100.8
名称: www.fin.mageedu.com
Address: 172.16.100.10
> set q=A(设置为查找A记录)
> www.mageedu.com(查找父域www.mageedu.com的A记录)
服务器: [172.16.100.8]
Address: 172.16.100.8
非权威应答:(提示:非权威答案)
名称: www.mageedu.com
Addresses: 172.16.100.3
172.16.100.1
[root@Smoke named]# dig +trace -t A www.baidu.com(查找www.baidu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> +trace -t A www.baidu.com
;; global options: +cmd
. 518291 IN NS b.root-servers.net.
. 518291 IN NS d.root-servers.net.
. 518291 IN NS a.root-servers.net.
. 518291 IN NS g.root-servers.net.
. 518291 IN NS f.root-servers.net.
. 518291 IN NS j.root-servers.net.
. 518291 IN NS m.root-servers.net.
. 518291 IN NS i.root-servers.net.
. 518291 IN NS c.root-servers.net.
. 518291 IN NS h.root-servers.net.
. 518291 IN NS e.root-servers.net.
. 518291 IN NS l.root-servers.net.
. 518291 IN NS k.root-servers.net.
;; Received 496 bytes from 172.16.100.8#53(172.16.100.8) in 2 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 491 bytes from 193.0.14.129#53(k.root-servers.net) in 312 ms
baidu.com. 172800 IN NS dns.baidu.com.
baidu.com. 172800 IN NS ns2.baidu.com.
baidu.com. 172800 IN NS ns3.baidu.com.
baidu.com. 172800 IN NS ns4.baidu.com.
baidu.com. 172800 IN NS ns7.baidu.com.
;; Received 201 bytes from 192.26.92.30#53(c.gtld-servers.net) in 590 ms
www.baidu.com. 1200 IN CNAME www.a.shifen.com.
a.shifen.com. 1200 IN NS ns5.a.shifen.com.
a.shifen.com. 1200 IN NS ns4.a.shifen.com.
a.shifen.com. 1200 IN NS ns1.a.shifen.com.
a.shifen.com. 1200 IN NS ns2.a.shifen.com.
a.shifen.com. 1200 IN NS ns3.a.shifen.com.
;; Received 228 bytes from 119.75.219.82#53(ns7.baidu.com) in 94 ms
提示:结果过程,首先根,com.,然后baidu.com.,仍然是迭代出来的,但是这个答案,不是服务器自己找根的,而是转发给父域名称服务器得到的答案,当然这里显示不
出来父域处理的过程,这个请求其实请求给父域了,但是父域本身不负责www.baidu.com的权威解析,因此把它转发出去意义也不大,事实对子域而言可以只转发对于父域请
求到父域,剩下的都自己来处理,只要自己能上互联网都可以;
设置只转发对父域请求到父域:
[root@Smoke named]# vim /etc/named.conf(编辑子域DNS服务器named主配置文件)
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "fin.mageedu.com" IN {
type master;
file "fin.mageedu.com.zone";
};
zone "mageedu.com" IN {(定义区域mageedu.com)
type forward;(类型为转发)
forward first ;(指定转发机制为first,先转发给指定那台服务器,如果指定服务器不给答案,自己就去找.根)
forwarders { 172.16.100.1; };(指定转发给父域主DNS服务器172.16.100.1,如果向服务器请求的是mageedu.com区域的解析,就转发给父域主DNS服务器,只对父域的请求转发给父域,这样就只对这一个区域的解析进行转发,对于其他区域就不进行转发;)
};
[root@Smoke named]# named-checkconf(检查主配置文件语法)
[root@Smoke named]# service named restart(重新启动named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
通过windows的cmd(命令提示符)的nslookup解析:
> set q=A(设置为查询A记录)
> www.mageedu.com(查询www.mageedu.com的A记录)
服务器: [172.16.100.8]
Address: 172.16.100.8
非权威应答:
名称: www.mageedu.com
Addresses: 172.16.100.3
172.16.100.1
[root@Smoke named]# vim /etc/named.conf(编辑子域named主配置文件)
options {
directory "/var/named";
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "fin.mageedu.com" IN {
type master;
file "fin.mageedu.com.zone";
};
zone "mageedu.com" IN {
type forward;
forward first ;
forwarders { 172.16.100.1; };
};
提示:由此可见,直接定义新的区域,而这个区域是我们的父区域,只将这个区域的请求转发就可以了,此时我们还在本机请求www.baidu.com.,它就不再使用父域服务器来
完成了,而是子域服务器自身完成的;
对于父域来说,所有对于com.的请求都转发给谁了;
切换到父域主DNS服务器:
[root@Smoke named]# dig -t A www.baidu.com @172.16.100.1(通过172.16.100.1查找www.baidu.com的A记录)
提示:当前服务器不负责www.baidu.com域,接下来服务器将请求转发给.根,然后再com.,然后再baidu.com.,如果要对com.的请求都直接转发给com.服务器行不行?可
以自己试试;
[root@Smoke named]# dig -t NS com(查找com的NS记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t NS com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45200
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;com. IN NS
;; ANSWER SECTION:
com. 5 IN NS c.gtld-servers.net.
com. 5 IN NS e.gtld-servers.net.
com. 5 IN NS j.gtld-servers.net.
com. 5 IN NS f.gtld-servers.net.
com. 5 IN NS d.gtld-servers.net.
com. 5 IN NS g.gtld-servers.net.
com. 5 IN NS k.gtld-servers.net.
com. 5 IN NS l.gtld-servers.net.
com. 5 IN NS h.gtld-servers.net.
com. 5 IN NS i.gtld-servers.net.
com. 5 IN NS b.gtld-servers.net.
com. 5 IN NS m.gtld-servers.net.
com. 5 IN NS a.gtld-servers.net.
;; Query time: 26 msec
;; SERVER: 192.168.210.2#53(192.168.210.2)
;; WHEN: Sun Mar 8 07:20:48 2015
;; MSG SIZE rcvd: 245
提示:要解析全部的,找到它的A记录,把A记录都填写到/etc/named.conf文件中的forwarders当中就可以了;
allow-recursion {};:能够被递归的客户端来源;
allow-query {};:允许查询的客户端;
allow-transfer {};:允许实现区域传送的客户端;
axfr:完全区域传送
ixfr:增量区域传送
allow-query { 172.16.0.0/16; 127.0.0.0/8; 10.0.0.0/8; };
allow等全局选项定义允许客户端,如果客户端非常多,定义起来比较麻烦,可以使用acl实现;
acl ACL_NAME {
172.16.0.0/16;
127.0.0.0/8;
};:访问控制列表,花括号不用写在一行,只要成组出现就行,而后使用allow等全局选项定义的时候直接把ACL_NAME写上,就可以了;
ACL使用实例:
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};:定义ACL
allow-query { innet; };:调用ACL;
named内置的两个常用列表:
none;:谁都没有;
any;:所有的;
ACL必须要先定义才能使用,一般而言对于主配置文件来说,ACL是写在最上头的;
telecom:电信
unicom:联通
在互联网上有着很多这样应用场景,这也是中国的现状决定的,中国有两大网络运营商电信和连通,电信和联通的接口是两个各自独立的网络,它们彼此之间网络没有结合起来,比如说在各地都有接入点,不是这样子,而是两个独立的网络,而后在某个机房里面,有个总接口把它两个网络连起来了,好像在北京方庄机房里面把电信和联通连通起来了,而它们总带宽大概只有100G,电信和联通两边交互非常的慢,在独立运营商内交互速度比较快的,这样就造成这样的结果,我们建立一个网站放在联通网络机房里面,而后来自电信的客户访问速度非常的慢,事实上联通内部访问速度是非常快的,因为它是在同一个网络里面,这个就没有带宽的概念,这个带宽在你的网络接口上,但是我们打开百度、淘宝速度都非常快,为什么呢?它可能有很多种情况,简单的方法是,弄两台服务器,两个运营商各弄一个,网站的页面是一模一样的,但这样会有一个问题,比如将来要更新一下网站里面的页面,比如是论坛网站,我更新了联通里面的A服务器的页面,处于电信里面的B服务器会不会更新,比如用户第一次访问登录到联通的服务器上来,过一会又换一个位置上网,竟然接入的是电信网络,很可能访问的是B服务器,导致两次访问的内容可能是不一样的,或者是网通客户端发的帖子,来自电信的用户看不见,A和B服务器必须要同步,他俩同步要占据很多带宽,那怎么办,有些机房是双线接入的,网通有一根,电信有一根,而后在自己内部使用协议实现路由,所以把服务器就放一台,只不过给它配两个地址,或者配一个地址,只要服务器自身或机房本身能够实现双线接入,而且使用一个IP地址就可以接入两个网络的话,那也可以,这是一种简单的方案,有时候还有一种极端的情况,像淘宝这样的站点,一旦搞一个活动的话,要多少用户蜂拥而至,一台服务器扛不住,就算用一组服务器能抗的住,这都很难很难,因此它可以把全国划分这样几个大区,而后在每个大区里面,先不管用户来自那个网络的,假如都是双线机房,可以把整个国家划分好几个大区,在每个区域里面放一组服务器,用户的交易就可以直接在这个服务器上完成,将来要统计一个有多少笔交易产生的时候,可以在最后再进行汇总,只不过它的交易只要在离用户最近的服务器来完成就可以,我们的网络地址是有河南网通、上海网通、浙江网通,它们每一个地方运营商,它们使用的网段地址是不一样的,而且它们在亚太数据库是有说明的,这是来自中国的河南网通,中国的上海网通,中国的浙江网通等等,有时候可以根据客户端的来源来判断它到底是来自那个网络的,比如有个家伙期望访问我们的站点,在访问站点的时候它首先要将域名转换成IP地址,但在这个家伙提起域名解析的时候,我们到底返回是谁,我这里有三台服务器,内容都一模一样,如果把DNS里面加了三条A记录的话,到底返回用户是那个,是轮流的,用户第一次访问可能是最近的,第二次访问可能不是第一次访问的服务器,第三次可能最远的,能不能实现一种方案,固定下来,任何用户访问的时候都返回离他最近的那台主机的IP地址,不让它轮流了,这种解析机制,我们的DNS能够根据客户端的来源所属的网络进行判断,并且返回一个我们事先定义好的IP地址,这种机制称作智能DNS,它是怎么智能的,DNS服务器在自己内部可以做视图(View),什么叫视图,简单来讲,我们的DNS服务器就负责解析一个域名www.mageedu.com,我们现在把我们的客户端分为两类,一类是来自于联通(Unicom)网的,一类是来自电信(Telecom)网的,现在我们服务器期望来自于联通网的,解析www.mageedu.com结果是位于我们联通机房服务器的地址,而来自于电信网络的,返回的是来自电信机房服务器地址,怎么实现,简单来讲,将我们的数据文件切割成两部分,而后根据客户端来源来进行判断,如果客户端来源是联通(Unicom),我们就查找第一个文件,而来自于电信(Telecom)的就查找第二个文件,用两个文件分别用于应对来自不网络的用户请求,这样子就带来了,判断客户端来源,如果发现客户端属于联通(Unicom)网,我们就查找属于联通(Unicom)专门用于解析的文件,来自于电信(Telecom)网络,我们就查找来自于电信那个解析文件,由此我们把一个域名,解析的结果就可以一分为二,因此这种结果我们称之为类似于脑裂(split 
brain)的结果,让本来好好的一个整体从中间切割开来了,人的大脑是分成左右半球的,中间靠中枢连接起来,而且双方就靠这个中枢来协调的,一旦这个协调中枢不小心遭到破坏,左右就难以协调了,所以这就是脑裂,它左右不协调,虽然我们这个不协调,但是对于DNS我们是有意为之的,有意让它不协调的,这完全可以实现,我们可以多分几个,只要把客户端分为几类,我们就可以提供多少个不同的数据文件,比如对全国来讲,我们可以按照各个地域进行区分,浙江联通、浙江电信、上海联通、上海电信,各自有,可以把全国根据行政区化,根据行政区化内的网络把它划分成70个不同的网络模型,都完全是可以的,有没有公司在各地70个机房都放上服务器,当然如果各地的各个运营商如果都能放一台服务器,它的速度要快的多,因为它每个用户访问的时候都是离自己最近的,而且是同网的服务器,对于有些有实力的企业这没什么问题,比如百度、淘宝、腾讯;这些绝对是有,它们在各地机房都有服务器,这就是为什么打开某一个站点的时候,为什么速度总是那么快的原因,当然这并不排除百度本身就很小页面,打开速度也很快,但是它在各地机房里面其实都是有服务器的,它们放的可能不一定是服务器,不一定是原服务器,而是缓存服务器,对我们来讲我们用的最多的就是web,它给我们的web提供web缓存,或者叫web对象缓存,这就意味着我们在各地机房都放一台服务器,而我们的服务器本身,我们的服务器组就在我们公司内建一个双线机房,我们在各地的网络里面都各自放了一个缓存服务器,当用户第一次来访问的时候,假如这个用户它属于这个离他最近网络的,第一次访问缓存没有相关内容,于是这个缓存服务器会自己联系我们的服务器取到内容,取到内容以后缓存到本地,把我们的web页面缓存至本地了,而后再返回给客户端,缓存的是web对象,不是DNS的结果,同样的道理当同一个网络中的第二个用户来访问的时候,它也是提交给同一个缓存服务器,缓存服务器中有结果,所以就直接从缓存服务器中返回,我们的原始服务器将来只修改原始服务器,来自于另外一个网络中的用户访问另一个离他最近的服务器,这个服务器初始也没有内容,所以第一次都是有点慢,一旦运行一段时间之后,这里面的内容都会被缓存到离用户最近的家门口的服务器,所以用户以后再访问,有绝大多数内容都可以实现从用户的门口进行返回,这是什么速度,打开要快的多了,而像这种网络,首先第一我能判断用户的来源并返回离他最近的那么一个服务器的这种网络,而且这个网络本身能够根据我们的原始服务器取得内容以后缓存到本地,它就叫做CDN(Content Delivery Network),我们原始服务器把内容都推送到用户的家门口,现在很多的web服务器都是动态类型的,但是页面当中的图片都是静态的,因此我们这里能缓存的通常都是静态内容,只有把哪些动态内容才从原始服务器进行获取,而且动态内容里面有绝大部分也可以经过策略设定后也能够静态化并且缓存到用户本地,所以这种结果速度要快的多了,由此CDN的一个比较著名的前提是要能够判断客户端来源,而且要能够根据客户端来返回一个离他最近的服务器地址,因此智能DNS对于现代网络运营来讲是比较重要的功能,虽然它并非是必须的,因为内容分发网络(CDN),自己有自己的分发路由功能;
CDN:Content Delivery Network,内容分发网络;
定义视图:
view VIEW_NAME { :定义视图,VIEW_NAME为视图名字;
};:在options全局选项中使用的指令,对视图来讲几乎都可以使用,除了directory这样的指令之外,其它像allow-query、allow-recursion、recursion yes|no等指令在视图中都可以使用;
view VIEW_NAME {
};
一旦定义了视图,所有的区域都必须定义在视图中;
根区域视图定义:
zone "." IN:根区域只需要定义到需要递归的view当中就可以了,作为DNS服务器,没有必要给别人递归,只给自己内网客户端递归,因此跟内网本身没有关系的我们统统不允许递归;
实现这种功能:
假设说我们有两个网络,一个是172.16.0.0/16的网络,一个是其他网,凡是来自于172.16.0.0/16和127.0.0.0/8的,我们都假设为Telecom(电信)的,除此之外剩下其它的都统统假设为联通(Unicom)网,那么来自于不同客户端用户请求同一个域名,或者同一个解析的时候,看结果是不是可以做到不相同;
category:日志源
查询
区域传送
可以通过category自定义日志来源
channel:日志保存位置
syslog:/var/log/messages
file:自定义保存日志信息的文件
logging {
};
queryperf:DNS服务器压力测试;
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {(定义ACL,必须写在最上面,如果ACL名称中间有空格最好用""引号引起来)
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };(调用ACL)
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
controls {
inet 172.16.100.1 port 953
allow { 172.16.100.2; } keys { "rndc-key"; };
};
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# tail /var/log/messages(查看messages日志文件后10行)
Mar 8 07:27:03 Smoke named[989]: automatic empty zone: B.E.F.IP6.ARPA
Mar 8 07:27:03 Smoke named[989]: command channel listening on 172.16.100.1#953
Mar 8 07:27:03 Smoke named[989]: the working directory is not writable
Mar 8 07:27:03 Smoke named[989]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Mar 8 07:27:03 Smoke named[989]: zone 100.16.172.in-addr.arpa/IN: loaded serial 2013040102
Mar 8 07:27:03 Smoke named[989]: zone mageedu.com/IN: loaded serial 2013040103
Mar 8 07:27:03 Smoke named[989]: zone localhost/IN: loaded serial 0
Mar 8 07:27:03 Smoke named[989]: running
Mar 8 07:27:03 Smoke named[989]: zone mageedu.com/IN: sending notifies (serial 2013040103)
Mar 8 07:27:03 Smoke named[989]: zone 100.16.172.in-addr.arpa/IN: sending notifies (serial 2013040102)
假设说我们有两个网络,一个是172.16.0.0/16的网络,一个是其他网,凡是来自于172.16.0.0/16和127.0.0.0/8的,我们都假设为Telecom(电信)的,除此之外剩下其它的都统统假设为联通(Unicom)网,那么来自于不同客户端用户请求同一个域名,或者同一个解析的时候,看结果是不是可以做到不相同;
我们就以做的配置好的DNS服务器为例,我们把这台服务器做下简单设置,另外两台父域的从服务器和子域名服务器都不用了,用于实现智能解析,为了能够实现智能效果,在
互联网上我们的客户端来源可能是各种各样的,由于我们的服务器是在互联网上,所以它能够应付来自于所有客户端的请求,但是我们这台主机能不能路由,也可以;
切换到原来的父域主服务器(后面用IP地址代替服务器):
[root@Smoke ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:CC:FA:AE
inet addr:172.16.100.1 Bcast:172.16.100.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fecc:faae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:13180 errors:0 dropped:0 overruns:0 frame:0
TX packets:10847 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1204484 (1.1 MiB) TX bytes:1386041 (1.3 MiB)
Interrupt:67 Base address:0x2000
提示:我们现在自己属于172.16.100.0网络,
[root@Smoke ~]# route -n(查看路由表)
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.16.100.254 0.0.0.0 UG 0 0 0 eth0
提示:网关是指向172.16.100.254;
再找一台主机,使用父域的从DNS服务器,把这台主机改成192.168.0.0/24的网络,然后网关指向192.168.0.254/24;
切换到原来的父域的从服务器(后面用IP地址代替服务器):
[root@localhost ~]# service named stop(停止named服务)
Stopping named: [ OK ]
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0(编辑eth0接口地址)
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:0C:29:B8:44:39
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
提示:假设这台主机属于联通网络;
切换到原来子域服务器(后面用IP地址代替服务器):
[root@Smoke ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:8C:BF:0A
inet addr:172.16.100.8 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:fe8c:bf0a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:50062 errors:0 dropped:0 overruns:0 frame:0
TX packets:27542 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:6717271 (6.4 MiB) TX bytes:9470417 (9.0 MiB)
Interrupt:67 Base address:0x2000
把172.16.100.1当作服务器,把172.16.100.8和192.168.0.1当作客户端,这是两个不同的客户端,我们看这两个不同的客户端是不是完全可以得到不同的结果;
[root@Smoke ~]# service named stop(停止named服务)
Stopping named: [ OK ]
切换到172.16.100.1服务器:
接下来安装DNS,我们这里已经安装好了;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
notify yes;
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
allow-transfer { 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
type master;
file "172.16.100.zone";
allow-transfer { 172.16.100.2; };
};
key "rndc-key" {
algorithm hmac-md5;
secret "MjF/k3H0bQkQDufA4fQZKw==";
};
controls {
inet 172.16.100.1 port 953
allow { 172.16.100.2; } keys { "rndc-key"; };
};
提示:需要定义它具有智能解析的功能,要想实现具有智能解析的过程,要使用视图(View),DNS使用视图的方法非常简单,先man一下;
[root@Smoke ~]# man named.conf(查看named主配置文件man帮助文档)
VIEW
view string(名称) optional_class(可选的) {
match-clients { address_match_element; ... };
match-destinations { address_match_element; ... };
match-recursive-only boolean;
key string {
algorithm string;
secret string;
};
zone string optional_class {
...
};
server ( ipv4_address[/prefixlen] | ipv6_address[/prefixlen] ) {
...
};
trusted-keys {
string integer integer integer quoted_string;
[...]
};
提示:每一个视图在定义的时候,只需要给它一个名字即可,一旦定义了视图,所有的区域都必须定义在视图中,根区域只需要定义在需要递归的view(视图)当中就可以了,作为DNS服务器,没有必要给别人递归,只给自己内网客户端递归,因此跟内网本身没有关系的我们统统不允许递归,由此可以划分三个视图;
定义三个视图:一个叫内网、一个叫电信、一个叫联通,电信和联通的都不用做递归,只要不递归,就不用给它提供根的解析,因此把服务器放到互联网上,哪怕连本地的客户端都不允许给它递归,或者说不负责给客户端做递归查询,只是工作在互联网上的时候,连根区域都不用声明,它们就可以工作起来;一般来讲我们还是应该提供根区域,在需要递归的那个视图中提供就可以了;
[root@Smoke ~]# cp /etc/named.conf /root/(复制named.conf文件到根用户家目录)
提示:备份named主配置文件;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl telecom {(定义telecom视图允许来自哪些网段的客户端)
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
};
view telecom {(定义视图telecom)
match-clients { telecom; };(指定判定哪些客户端,用于匹配来自于什么地方的客户端,telecom通过ACl匹配的网段)
zone "mageedu.com" IN {(定义magedu.com区域)
type master;(区域类型,主名称服务器)
file "telecom.mageedu.com.zone";(通过file指定mageedu.com区域数据文件/var/named/telecom.mageedu.com.zone)
};
};
view unicom {
match-clients { any; };(指定判定哪些客户端,用于匹配来自于什么地方的客户端,any代表所有)
zone "mageedu.com" IN {(定义mageedu.com区域)
type master;(区域类型,主名称服务器)
file "unicom.mageedu.com.zone";(通过file指定mageedu.com区域数据文件/var/named/unicom.mageedu.com.zone)
};
};
提示:我们只做正向区域,不做反向区域;视图按在配置文件中的定义顺序依次匹配客户端,第一个匹配的视图生效,因此match-clients为any的视图必须放在最后,否则其它视图永远不会被匹配到;
[root@Smoke ~]# man named.conf(查看named.conf配置文件man帮助文档)
VIEW
view string optional_class {
match-clients { address_match_element; ... };(指定判定哪些客户端,用于匹配来自于什么地方的客户端)
[root@Smoke ~]# named-checkconf(检查named主配置文件语法)
/etc/named.conf:8: undefined ACL 'innet'
/etc/named.conf:8: undefined ACL 'innet'
提示:报错,第8行没有找到ACL innet;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
};
[root@Smoke ~]# named-checkconf(检查named主配置文件语法)
建立区域数据文件:
[root@Smoke ~]# cd /var/named/(切换到/var/named目录)
[root@Smoke named]# ls(查看当前目录文件及子目录)
172.16.100.zone data dynamic mageedu.com.zone named.ca named.empty named.localhost named.loopback slaves
[root@Smoke named]# vim telecom.mageedu.com.zone(编辑telecom.mageedu.com.zone文件)
$TTL 43200
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040201
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.1
mail IN A 172.16.100.2
www IN A 172.16.100.3
[root@Smoke named]# chgrp named telecom.mageedu.com.zone(更改telecom.mageedu.com.zone文件的属组为named)
[root@Smoke named]# chmod 640 telecom.mageedu.com.zone(更改telecom.mageedu.com.zone文件权限为640:属主仍是root,named只需通过属组读取即可;主区域数据文件不应让服务进程自己可写,这样即使named进程出问题也改不了区域数据)
[root@Smoke named]# cp -p telecom.mageedu.com.zone unicom.mageedu.com.zone(复制telecom.mageedu.com.zone文件叫unicom.mageedu.com.zone
,-p保留原文件属性)
[root@Smoke named]# ll(查看当前目录文件及子目录相信信息)
total 88
-rw-r----- 1 root named 347 Dec 15 07:19 172.16.100.zone
drwxrwx--- 2 named named 4096 Nov 17 2011 data
drwxrwx--- 2 named named 4096 Nov 17 2011 dynamic
-rw-r----- 1 root named 520 Mar 8 03:52 mageedu.com.zone
-rw-r----- 1 root named 1892 Feb 18 2008 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 17 2011 slaves
-rw-r----- 1 root named 207 Mar 8 09:36 telecom.mageedu.com.zone
-rw-r----- 1 root named 207 Mar 8 09:36 unicom.mageedu.com.zone
[root@Smoke named]# vim unicom.mageedu.com.zone(编辑unicom.mageedu.com.zone文件)
$TTL 43200
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040201
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.100.1
mail IN A 192.168.0.16
www IN A 192.168.0.17
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
测试:
切换到192.168.0.1主机,通过192.168.0.1的主机进行测试:
[root@localhost ~]# dig -t A www.mageedu.com @172.16.100.1(通过主机172.16.100.1解析www.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22063
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.17
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.100.1
;; Query time: 138 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 09:16:11 2015
;; MSG SIZE rcvd: 83
提示:www.mageedu.com.的A记录是192.168.0.17,服务器是172.16.100.1;注意flags里只有qr aa rd而没有ra,并且dig给出了"recursion requested but not available"的警告——这正是allow-recursion { innet; }在起作用:192.168.0.1不在内网ACL中,服务器只以权威身份(aa)回答自己的区域,不替它做递归;
切换到172.16.100.8主机,通过172.16.100.8的主机进行测试:
[root@Smoke ~]# dig -t A www.mageedu.com @172.16.100.1(通过172.16.100.1查找www.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33068
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 172.16.100.3
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.100.1
;; Query time: 10 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Tue Nov 11 22:07:01 2014
;; MSG SIZE rcvd: 83
提示:www.mageedu.com的A记录为172.16.100.3,服务器是172.16.100.1,来自于不同客户端的,结果就不一样;
使用windows的cmd(命令提示符),通过nslookup解析测试:
C:\Users\Smoke>nslookup(地址解析)
默认服务器: XiaoQiang
Address: 192.168.31.1
> server 172.16.100.1(指定NS服务器为172.16.100.1)
默认服务器: [172.16.100.1]
Address: 172.16.100.1
> set q=A(设置为解析A记录)
> www.mageedu.com
服务器: [172.16.100.1]
Address: 172.16.100.1
名称: www.mageedu.com
Address: 172.16.100.3
> exit(退出)
提示:结果为172.16.100.3,实现将一个域名解析成两种不同的样子,这种机制就叫做view(视图);
一台DNS服务器还可以为多个域同时提供解析,我们现在解析的是mageedu.com.,假如我们还有一个域叫a.net,并且a.net不想区分网络,怎么办?也就是说无论客户端来自哪个网段,
a.net解析的结果都一样;
切换到172.16.100.1的DNS服务器:
[root@Smoke ~]# vim /etc/named.conf(编辑named主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
提示:只要定义区域都必须要位于视图中,两个视图都需要写,只不过a.net的区域数据文件是同一个文件,这样就不会造成某些网段无法解析a.net区域,这样就能实现如
果同时解析多个域,但有些域里边不想使用不同的结果,这样也可以的;
[root@Smoke named]# ls(查看当前目录文件及子目录)
172.16.100.zone dynamic named.ca named.localhost slaves unicom.mageedu.com.zone
data mageedu.com.zone named.empty named.loopback telecom.mageedu.com.zone
[root@Smoke named]# vim a.net.zone(编辑a.net.zone区域数据文件)
$TTL 43200
@ IN SOA ns1.a.net. admin.a.net. (
2013040201
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 172.16.100.1
www IN A 172.16.100.100
[root@Smoke named]# chgrp named a.net.zone(更改a.net.zone的属组为named)
[root@Smoke named]# chmod 640 a.net.zone(更改a.net.zone文件权限为640)
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
切换到172.16.100.8主机,通过172.16.100.8主机进行测试:
[root@Smoke ~]# dig -t A www.a.net @172.16.100.1(通过172.16.100.1查询www.a.net的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.a.net @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49857
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.100.100
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.100.1
;; Query time: 3 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Tue Nov 11 22:35:10 2014
;; MSG SIZE rcvd: 77
提示:www.a.net.的A记录为172.16.100.100;
切换到192.168.0.1主机,通过192.168.0.1主机进行测试:
[root@localhost ~]# dig -t A www.a.net @172.16.100.1
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.a.net @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24795
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.100.100
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.100.1
;; Query time: 30 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 09:49:17 2015
;; MSG SIZE rcvd: 77
提示:www.a.net.的A记录为172.16.100.100;
解析两个域没有任何问题,只不过为每个域提供了域定义,首先先提供区域定义,而后提供区域数据文件就行了,比如1个、2个,给它1000个它也能解析,只不过我们要解
析1000个区域,什么概念,光zone就要写多少遍,如果还分网,分成电信和联通,每个区域都要写两遍,就意味着要写2000遍,什么概念,如果是10000个域名,那文件
得有多大,但是这个文件工作起来速度挺快的,这是因为我们的DNS服务器启动起来以后,它会将数据文件直接载入内存的,所以它的解析过程、查找过程都是在内存中完
成的,可不是在文件中一个一个找的,所以它的速度非常的快。由此每一次修改,新加一个域或改里面的内容,都要重启服务器,就意味着整个数据文件要重新解析并重新载
入,如果文件比较大,这个过程需要很长时间,是比较慢的。所以后来人们就使用了一种独特的办法:区域的定义zone "ZONE_NAME"和type都不再写进named
主配置文件里面了,而是直接存放在数据库当中,放在表里面,我们的DNS服务器启动的时候它会自动到表里面把这些内容全部抽取出来存到内存里面去,而且新加的内容它
也不用每一次都去直接,那一个域用到了,它是临时查数据得到的结果,而不是直接载入内存的,这样好处,随时改随时能生效,不用重新读取,这样坏处,每一次读取都
要查数据库,在内存中可能很快就能完成,而通过数据库查找要慢得多,所以这样固然使得管理方便,但速度要慢不少;但是对有一些公用服务器来讲,
这还是比较常用的做法,比方说像互联网上比较著名的两个项目,有一个叫dnspod,中国非常著名的免费的智能DNS提供商,也就是说将来你自己注册个域名以后,你可以
把你的域名服务器指向dnspod服务器,然后在dnspod上加点你的记录,它能实现智能解析的,不但能分网,还能分省和分网,可以把它分成教育网、电信、联通、还能分
成国外,这四种方式,甚至于你要是真付点钱,一年掏几百块钱使用费,它能解析的更多,全省每一地的都能解析,河南联通、河南电信、浙江联通、浙江电信、上海联通、
上海电信,它能分成70到80个不同的规模,也就意味着它每个域要建70个区域,但好在这个建立是在数据库中完成的,它是实时查找的,由于对方的服务器架构得当,所以
它的速度是比较快的,这是dnspod,它有免费的,免费的分的网的规模比较少一点,另外服务器可能慢一点,vip可能使用单独的服务器,速度还很快,当然不是你一个域
名单独的,而是里面就少的多了,可能免费的有4w个,而收费的只有5千个,所以这样速度要快的多,另外一个比较有名的是www.dns.la,国内排名第二的智能DNS服务器
提供商,有VIP和企业级的用户,直接登录www.dns.la注册用户帐号,它不提供域名注册,要到其他地方注册域名,然后把你的DNS服务器指向它的DNS服务器就可以了,
它分了很多种级别有VIP1、VIP2,还有企业级用户等等,可能不同的地方收费不一样,解析速度也不同,背后大概有10几台服务器位于全国很多个机房里边,所以说这种机
制它所实现的功能还是很强大的,要真正的实现将数据放到数据库当中,这还需要借助于其它的项目来实现,还需要借助很多额外的东西来实现;
DLZ:能够实现将DNS的数据放在mysql数据库中的一种机制,只是其中一种;
[root@Smoke ~]# yum list all | grep bind(查看所有yum源,将结果送给管道,通过grep只显示bind相关)
bind97.i386 32:9.7.0-6.P2.el5_7.4 installed
bind97-libs.i386 32:9.7.0-6.P2.el5_7.4 installed
bind97-utils.i386 32:9.7.0-6.P2.el5_7.4 installed
ypbind.i386 3:1.19-12.el5_6.1 installed
bind.i386 30:9.3.6-20.P1.el5 Base
bind-chroot.i386 30:9.3.6-20.P1.el5 Base
bind-devel.i386 30:9.3.6-20.P1.el5 Base
bind-libbind-devel.i386 30:9.3.6-20.P1.el5 Base
bind-libs.i386 30:9.3.6-20.P1.el5 Base
bind-sdb.i386(也是一种将数据放在数据库中的机制) 30:9.3.6-20.P1.el5 Base
bind-utils.i386 30:9.3.6-20.P1.el5 Base
bind97-chroot.i386 32:9.7.0-6.P2.el5_7.4 Base
bind97-devel.i386 32:9.7.0-6.P2.el5_7.4 Base
kdebindings.i386 3.5.4-6.el5 Base
kdebindings-devel.i386 3.5.4-6.el5 Base
samba3x-winbind.i386 3.5.10-0.107.el5 Base
samba3x-winbind-devel.i386 3.5.10-0.107.el5 Base
system-config-bind.noarch 4.0.3-5.el5 Base
提示:bind-sdb.i386也是一种将数据放在数据库中的机制,默认情况下bind的配置信息都是保存在它的配置文件和数据文件当中的,而有了bind-sdb驱动以后就能够实现
将数据放在数据库中了;
如何让DNS开启日志功能:比如哪个用户来查询了,可不可以给它记录下来;哪个用户来做区域传送了,可不可以给它记录下来。真正在互联网上提供服务时并不建议长期开启查询日志,因
为DNS服务器每秒钟接收到的查询次数可能会非常多,每一条都记录的话会产生大量的磁盘I/O去写日志,本来性能很好的服务器会变得很差;但区域传送、动态更新、security(被拒绝的请求)这些类别的日志量很小,
平时应该保持开启,查询日志则可以在排障或安全事件分析时临时打开;
最简单方法:
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
querylog yes;(记录日志)
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
测试:切换到192.168.0.1主机,通过192.168.0.1主机进行解析测试;
[root@localhost ~]# dig -t A www.a.net @172.16.100.1(通过172.16.100.1的DNS服务器解析www.a.net的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.a.net @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9484
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.100.100
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.100.1
;; Query time: 4 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Tue Nov 11 23:04:09 2014
;; MSG SIZE rcvd: 77
[root@localhost ~]# dig -t A www.mageedu.com @172.16.100.1(通过172.16.100.1DNS服务器查询www.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14780
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.17
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.100.1
;; Query time: 19 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 10:20:22 2015
;; MSG SIZE rcvd: 83
切换到172.16.100.1DNS服务器查询日志:
[root@Smoke ~]# tail /var/log/messages(查看messages日志文件后10行)
messages messages.1 messages.2 messages.3 messages.4
[root@Smoke ~]# tail /var/log/messages
Mar 8 11:52:09 Smoke named[5424]: zone a.net/IN/unicom: loaded serial 2013040201
Mar 8 11:52:09 Smoke named[5424]: running
Mar 8 11:55:04 Smoke kernel: eth0: link down
Mar 8 11:55:10 Smoke kernel: eth0: link up
Mar 8 11:58:21 Smoke named[5424]: client 172.16.100.8#46774: view telecom: query: www.mageedu.com IN A + (172.16.100.1)
Mar 8 11:59:31 Smoke named[5424]: client 172.16.100.8#40058: view telecom: query: www.a.net IN A + (172.16.100.1)
Mar 8 11:59:56 Smoke named[5424]: client 172.16.100.8#39823: view telecom: query: www.mageedu.com IN A + (172.16.100.1)
Mar 8 12:03:11 Smoke named[5424]: client 192.168.0.1#39104: view unicom: query: www.mageedu.com IN A + (172.16.100.1)
Mar 8 12:04:38 Smoke named[5424]: client 192.168.0.1#40371: view unicom: query: www.a.net IN A + (172.16.100.1)(客户端192.168.0.1
#40371客户端端口,基于view来自于unicom,查询www.a.net的A记录,通过172.16.100.1DNS服务器查询)
Mar 8 12:04:44 Smoke named[5424]: client 192.168.0.1#56639: view unicom: query: www.mageedu.com IN A + (172.16.100.1)(客户端192.1
68.0.1#56639客户端端口,基于view来自于unicom,查询www.mageedu.com的A记录,通过172.16.100.1DNS服务器查询)
Monitoring with logging(使用日志来监控bind的工作机制)
BIND has a very flexble and configurable logging system
channel defines where log information should go
Can use custom channel or user one of four predefined channels
category defines what should be logged
All log messages are divided into one of fifteen categories.
A category directive will be used to determine to which channels log messages should be directed.
Messages in one category may be directed to multiple channels
bind提供了一个非常具有弹性的日志系统,这个日志系统由两个部分组成,一个叫做channel,一个叫做category。所谓category就是DNS产生日志的子系统(类别)是
什么:DNS当中有查询的、有区域传送的、有错误发生时的相关信息、还有服务器启动和停止的相关信息,所以category就是类别的意思;channel则定义日志应该记录到什么地方去。
一个category可以被定向到一个或多个channel,也就是说一个日志类别所产生的信息可以发往多个不同的位置;反过来,同一个channel也可以被多个category引用(例如把
queries和xfer-out都写到同一个文件),所以channel和category之间并不是一对一的关系;
channel
channel defines target for logs(channel用于定义日志记录到什么地方)
Can syslog to any facility or use a file
Channels allow you to filter by message severity
Similar to syslog severity
critical error warning notice info debug [level] dynamic
debug and dynamic are unique to BIND
default is info
channel用于定义日志记录到什么地方,channel记录日志的方法有两种,一种叫syslog,一种叫file;日志级别有critical、error、warning、notice、info、debug、
dynamic(动态级别),dynamic和debug都是bind所独有的。bind的debug是有级别的,如debug 1、debug 2、debug 3,级别不同,所debug的信息详细程度也不
一样,一般数字越大信息越详细;dynamic则表示跟随服务器当前的调试级别(由named -d或rndc trace动态决定);默认是info级别;
channel
Additional options for verbose output
print-severity(每记录一条信息,把信息的级别也记录下来)
log the severity level of messages
print-category(由那个category产生的信息)
log the category of messages
print-time(什么时间产生的信息,发往syslog就不用记录时间,syslog会自己产生时间)
log the date and timeof messages
Note:syslog() already records this information
Four predefined channels are:
channel "default_syslog" { syslog daemon; severity info; };
channel "default_debug" { file "named.run"; severity dynamic; };
channel "default_stderr" { stderr; severity info; };
channel "null" { null; };
定义channel,使用channel做关键字,指明channel的名称,然后指定日志方式,由谁来记录,级别等等,如果要记录到文件当中,还可以自己定义额外的保存信息;
category
category statement associates a category with a channel for logging
Fifteen categories to choose from
default Defines default channel for categories(为所有categories定义默认channel)
general Catch-all category for unclassified messages(普通日志信息)
client Client request problems
config Configuration file problems(配置文件当中产生的问题)
dispatch Dispatch of inbound packets to internal server modules
dnssec DNSSEC and TSIG
lame-servers Problems due to remote server misconfiguration
network Related to network operations(跟网络相关的)
notify NOTIFY announcements(跟通知相关的)
queries Query processing(产生查询相关产生的日志)
resolver Recursive query processing
security Accepted or denied requests(拒绝的查询请求)
update Dynamic updates
xfer-in Zone transfers received by the server(作为从服务器别人传进来的信息)
xfer-out Zone transfers sent by the server(传出去的信息)
category的名称是固定的,bind的日志源一共只有这15个,不能自定义新的category;我们能做的是为每个category指定一个或多个channel,
也可以把多个category(多个日志来源)合并到同一个channel里;
An example
logging {(使用logging{}花括号,说明是日志配置)
channel my_file {(使用channel定义通道,名字my_file;通道名中不能带空格)
file "log.msgs" versions 3 size 10k;(类型是file,日志文件log.msgs,文件达到10k就滚动,滚动之后保留3个旧版本)
severity dynamic;(日志级别dynamic)
};
channel my_syslog {(使用channel定义通道,名字my_syslog)
syslog local0;(日志类型是syslog,发往local0这个facility,具体写到哪个文件由syslog的配置决定)
severity info;(日志级别info)
};
category xfer-in { my_file; };(传入的区域传送日志放到my_file,一个category可以对应多个channel)
category update { my_syslog; };(动态更新日志放到my_syslog)
};
The logging Statement
logging {
[ channel channel_name {
( file path_name
[ versions ( number | unlimited ) ]
[ size size_spec ]
| syslog ( kern | user | mail | daemon | auth | syslog | lpr |
news | uucp | cron | authpriv | ftp |
local0 | local1 | local2 | local3 |
local4 | local5 | local6 | local7 )
| stderr
| null );
[ severity ( critical | error | warning | notice |
info | debug [ level ] | dynamic ); ]
[ print-category yes_or_no; ]
[ print-severity yes_or_no; ]
[ print-time yes_or_no; ]
);]
[ category category_name {
channel_name; [ channel_name; ...]
};]
...
};
定义日志信息:期望在/var/log/目录建立bind.conf用于记录查询日志;
切换到172.16.100.1的DNS服务器:
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
querylog yes;
};
logging {
channel querylog {(定义channel叫querylog)
file "/var/log/named/bind_query.log" versions 5 size 10M;(定义logging格式,使用syslog还是使用file,这里使用file保存到
/var/log/named/bind_query.log,保存5个版本,大小10M)
severity dynamic;(日志级别为dynamic)
print-category yes;(打印日志类别)
print-time yes; (打印时间)
print-severity yes; (记录日志级别)
};
category queries { querylog; };(使用category把日志信息记录到什么地方,queries类别的,记录到querylog)
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
提示:定义一个channel,再用category说明哪些日志送到它:只要跟查询相关(queries类别)的都记录到querylog里面,querylog是channel,这个channel的日志会保存到/var/log/named/bind_
query.log。注意:这个日志文件可能写不成,因为运行named进程的用户是named,named对/var/log目录没有写权限;要么先创建好bind_query.log文件并把
它的属主属组改为named,要么更简单一点,建立目录/var/log/named,把这个目录的属主属组给named;
[root@Smoke ~]# mkdir /var/log/named(创建目录/var/log/named)
[root@Smoke ~]# chown named:named /var/log/named/(更改/var/log/named目录的属主属组为named)
[root@Smoke ~]# chmod 770 /var/log/named/(更改/var/log/named目录的权限为770;named已是属主,按最小权限原则750就够了,属组并不需要写权限)
[root@Smoke ~]# named-checkconf(检测named主配置文件语法)
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: . [ OK ]
Starting named: [ OK ]
测试:切换到192.168.0.1主机,使用192.168.0.1查询测试;
[root@localhost ~]# dig -t A www.mageedu.com @172.16.100.1(通过172.16.100.1的DNS服务器查询www.mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54807
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.17
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.100.1
;; Query time: 26 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 11:28:55 2015
;; MSG SIZE rcvd: 83
[root@localhost ~]# dig -t A www.a.net @172.16.100.1(通过172.16.100.1的DNS服务器查询www.a.net的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.a.net @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59562
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.100.100
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.100.1
;; Query time: 26 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 11:30:11 2015
;; MSG SIZE rcvd: 77
切换到172.16.100.1的DNS查看日志:
[root@Smoke ~]# cd /var/log/named/(切换到/var/log/named命令)
[root@Smoke named]# ls(查看当前目录文件及子目录)
bind_query.log
[root@Smoke named]# tail bind_query.log(查看bind_query.log文件的后10行内容)
08-Mar-2015 13:50:46.961((print-time结果) queries:(print-category结果) info:(print-severity结果) client 192.168.0.1#44351:
view unicom: query: www.mageedu.com IN A + (172.16.100.1)
08-Mar-2015 13:52:03.637 queries: info: client 192.168.0.1#46082: view unicom: query: www.a.net IN A + (172.16.100.1)
[root@Smoke named]# vim /etc/named.conf(编辑named主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
querylog yes;
};
logging {
channel querylog {(定义channel叫querylog)
file "/var/log/named/bind_query.log" versions 5 size 10M;(定义logging格式,使用syslog还是使用file,这里使用file保存到
/var/log/named/bind_query.log,保存5个版本,大小10M)
severity dynamic;(日志级别为dynamic)
print-time yes; (打印时间)
};
category queries { querylog; };(使用category把日志信息记录到什么地方,queries类别的,记录到querylog)
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
提示:去掉print-category打印日志类别和print-severity记录日志级别去掉;
[root@Smoke named]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
测试:切换到192.168.0.1主机,通过192.168.0.1主机查询;
[root@localhost ~]# dig -t A www.a.net @172.16.100.1(通过172.16.100.1的dns服务器查询www.a.net的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A www.a.net @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25939
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.100.100
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.100.1
;; Query time: 28 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 11:42:29 2015
;; MSG SIZE rcvd: 77
[root@Smoke named]# tail bind_query.log(查看bind_query.log文件后10行)
08-Mar-2015 13:50:46.961 queries: info: client 192.168.0.1#44351: view unicom: query: www.mageedu.com IN A + (172.16.100.1)
08-Mar-2015 13:52:03.637 queries: info: client 192.168.0.1#46082: view unicom: query: www.a.net IN A + (172.16.100.1)
08-Mar-2015 14:04:17.411 client 192.168.0.1#57072: view unicom: query: www.a.net IN A + (172.16.100.1)
08-Mar-2015 14:04:21.292 client 192.168.0.1#50544: view unicom: query: www.a.net IN A + (172.16.100.1)
提示:现在只有时间,info级别没有了;
记录传输日志:
切换到172.16.100.1的DNS服务器;
[root@Smoke named]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
querylog yes;
};
logging {
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
print-time yes;
};
channel xfer_log {(定义channel叫xfer_log)
file "/var/log/named/transfer.log" versions 5 size 10k;(定义logging格式,使用syslog还是file,这里使用file保存到/var/log
/named/transfer.log,保存5个版本,大小10k)
severity debug 3;(日志级别为debug 3)
print-time yes;(打印时间)
};
category queries { querylog; };
category xfer-out { xfer_log; };(使用category把日志信息记录到什么地方,xfer-out类别的记录到xfer_log)
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@Smoke ~]# named-checkconf(检查主配置文件语法)
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: [ OK ]
Starting named: [ OK ]
[root@Smoke named]# ls(查看/var/log/named目录文件及子目录)
bind_query.log transfer.log
提示:transfer.log日志文件已经有了;
[root@Smoke named]# tail transfer.log(查看transfer.log日志后10行)
提示:没有任何信息;
测试:切换到192.168.0.1主机,使用192.168.0.1主机做传输;
[root@localhost ~]# dig -t axfr mageedu.com @172.16.100.1(通过172.16.100.1做mageedu.com区域完全区域传送)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t axfr mageedu.com @172.16.100.1
;; global options: +cmd
mageedu.com. 43200 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040201 3600 600 604800 86400
mageedu.com. 43200 IN NS ns1.mageedu.com.
mageedu.com. 43200 IN MX 10 mail.mageedu.com.
mail.mageedu.com. 43200 IN A 192.168.0.16
ns1.mageedu.com. 43200 IN A 172.16.100.1
www.mageedu.com. 43200 IN A 192.168.0.17
mageedu.com. 43200 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040201 3600 600 604800 86400
;; Query time: 540 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Sun Mar 8 12:41:08 2015
;; XFR size: 7 records (messages 1, bytes 198)
[root@Smoke named]# tail transfer.log(查看transfer.log日志后10行)
08-Mar-2015 15:02:34.894 client 192.168.0.1#47435: view unicom: transfer of 'mageedu.com/IN': AXFR started
08-Mar-2015 15:02:34.903 client 192.168.0.1#47435: view unicom: transfer of 'mageedu.com/IN': AXFR ended
提示:这是一个非常具有弹性的日志系统,可以自己定义哪种日志信息放在什么位置。一般来讲传输日志和更新相关的日志应该开启,查询日志因为量太大最好不要长期开启。
另外上面的测试本身暴露了一个问题:192.168.0.1并不是这台服务器的从服务器,却能够通过unicom视图把mageedu.com整个区域AXFR下来(transfer.log里也记录了
AXFR started/ended),因为这份配置从头到尾没有任何allow-transfer限制,默认对所有人开放区域传送,互联网上的任何人都可以据此把区域内所有主机名和IP枚举出来。
应该在options中加上 allow-transfer { none; }; 全局禁止,再在确实有从服务器的zone里用allow-transfer只放行从服务器的地址(有条件的话配合key语句用TSIG密钥做认证);
DNS服务器到底性能怎么样,可以做测试;这类工具bind的rpm包并没有提供,只能自己编译安装。比如dnstop-20110502.tar,dnstop用于监
控DNS服务器每秒钟能够接收多少查询,以及这些查询都是对哪个域名发起的;除此之外bind的源码包当中还带了一个工具叫queryperf;
[root@Smoke ~]# rpm -ql bind97 | grep perf(查看bind97的rpm软件包生成文件将结果送给管道通过grep只显示perf)
提示:rpm包里没有queryperf,需要自己从源码包里编译;
[root@Smoke ~]# lftp 172.16.0.1(连接ftp服务器)
lftp 172.16.0.1:~> cd pub/Sources/bind/(切换到pub/Sources/bind目录)
lftp 172.16.0.1:/pub/Sources/bind> get bind-9.7.4.tar.gz(下载bind-9.7.4.tar.gz源码包)
8316839 bytes transferred
lftp 172.16.0.1:/pub/Sources/bind>bye(退出)
[root@Smoke ~]# ls bind-9.7.4.tar.gz(查看bind-9.7.4.tar.gz文件)
bind-9.7.4.tar.gz
[root@Smoke ~]# tar xf bind-9.7.4.tar.gz(解压bind-9.7.4.tar.gz文件)
[root@Smoke ~]# cd bind-9.7.4(切换到bind-9.7.4目录)
[root@Smoke bind-9.7.4]# ls(查看当前目录文件及子目录)
acconfig.h config.h.win32 docutil isc-config.sh.in RELEASE-NOTES-BIND-9.7.4.html
aclocal.m4 config.sub FAQ lib RELEASE-NOTES-BIND-9.7.4.pdf
Atffile config.threads.in FAQ.xml libtool.m4 RELEASE-NOTES-BIND-9.7.4.txt
bin configure HISTORY ltmain.sh release-notes.css
bind.keys configure.in install-sh make unit
CHANGES contrib isc-config.sh.1 Makefile.in util
config.guess COPYRIGHT isc-config.sh.docbook mkinstalldirs version
config.h.in doc isc-config.sh.html README win32utils
[root@Smoke bind-9.7.4]# cd contrib/(切换到contrib目录)
[root@Smoke contrib]# ls(查看当前目录文件及子目录)
dbus idn named-bootconf nslint-2.1a3 query-loc-0.4.0 sdb
dlz linux nanny pkcs11-keygen queryperf zkt
提示:有个目录叫queryperf,dlz也在这里,所以bind97以后dlz的功能源码里已经自带了,只不过rpm包在编译的时候没有把它编译进来而已;我们自己编译时用 ./configure
--with-dlz-mysql 就能够实现通过dlz到mysql里查询数据;sdb也在这里,要使用sdb就把sdb编译进去即可;
[root@Smoke contrib]# cd queryperf/(切换到queryperf目录)
[root@Smoke queryperf]# ls(查看当前目录文件及子目录)
config.h.in configure configure.in input Makefile.in missing queryperf.c README utils
[root@Smoke queryperf]# yum install gcc make(安装gcc编译器和make工具)
[root@Smoke queryperf]# ./configure(配置queryperf)
[root@Smoke queryperf]# make(编译)
gcc -DHAVE_CONFIG_H -c queryperf.c
gcc -DHAVE_CONFIG_H queryperf.o -lnsl -lresolv -lm -o queryperf
[root@Smoke queryperf]# ls(查看当前目录文件及子目录)
config.h config.log configure input Makefile.in queryperf queryperf.o utils
config.h.in config.status configure.in Makefile missing queryperf.c README
提示:不用安装,把编译出来的二进制拷贝到PATH中的目录就能用(放到/usr/local/bin比直接放进/bin更合适,不要和发行版软件包管理的目录混在一起);
[root@Smoke queryperf]# cp queryperf /bin/(复制queryperf到/bin目录)
[root@Smoke queryperf]# queryperf -h(查看queryperf的帮助)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
Usage: queryperf [-d datafile](指定数据文件) [-s server_addr](指定服务器地址) [-p port](指定端口) [-q num_queries](指定查询多少次)
[-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
[-i interval] [-r arraysize] [-u unit] [-H histfile]
[-T qps] [-e] [-D] [-c] [-v] [-h]
-d specifies the input data file (default: stdin)(要放一个文件,文件里面要说明白查询什么内容)
-s sets the server to query (default: 127.0.0.1)
-p sets the port on which to query the server (default: 53)
-q specifies the maximum number of queries outstanding (default: 20)
-t specifies the timeout for query completion in seconds (default: 5)
-n causes configuration changes to be ignored
-l specifies how a limit for how long to run tests in seconds (no default)
-1 run through input only once (default: multiple iff limit given)
-b set input/output buffer size in kilobytes (default: 32 k)
-i specifies interval of intermediate outputs in seconds (default: 0=none)
-f specify address family of DNS transport, inet or inet6 (default: any)
-r set RTT statistics array size (default: 50000)
-u set RTT statistics time unit in usec (default: 100)
-H specifies RTT histogram data file (default: none)
-T specify the target qps (default: 0=unspecified)
-e enable EDNS 0
-D set the DNSSEC OK bit (implies EDNS)
-c print the number of packets with each rcode
-v verbose: report the RCODE of each response on stdout
-h print this usage
[root@Smoke queryperf]# cd(切换到root家目录)
[root@Smoke ~]# vim test(编辑test文件)
www.mageedu.com A
mageedu.com NS
mageedu.com MX
提示:格式要指定查询那条记录,查询记录的类型是什么;
[root@Smoke ~]# queryperf -d test -s 172.16.100.1(通过queryperf命令-d指定查询文件,-s指定DNS服务器进行DNS服务器查询测试)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 172.16.100.1)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 3 queries
Queries completed: 3 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.000622 sec
RTT min: 0.000027 sec
RTT average: 0.000331 sec
RTT std deviation: 0.000246 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Mar 8 15:56:57 2015
Finished at: Sun Mar 8 15:56:57 2015
Ran for: 0.001071 seconds
Queries per second: 2801.120448 qps(每秒钟完成多少查询)
[root@Smoke ~]# cd /var/log/named/(切换到/var/log/named目录)
[root@Smoke ~]# cd /var/log/named/
[root@Smoke named]# tail bind_query.log
08-Mar-2015 13:50:46.961 queries: info: client 192.168.0.1#44351: view unicom: query: www.mageedu.com IN A + (172.16.100.1)
08-Mar-2015 13:52:03.637 queries: info: client 192.168.0.1#46082: view unicom: query: www.a.net IN A + (172.16.100.1)
08-Mar-2015 14:04:17.411 client 192.168.0.1#57072: view unicom: query: www.a.net IN A + (172.16.100.1)
08-Mar-2015 14:04:21.292 client 192.168.0.1#50544: view unicom: query: www.a.net IN A + (172.16.100.1)
08-Mar-2015 15:02:34.758 client 192.168.0.1#47435: view unicom: query: mageedu.com IN AXFR -T (172.16.100.1)
08-Mar-2015 15:56:57.948 client 172.16.100.1#39882: view telecom: query: www.mageedu.com IN A + (172.16.100.1)
08-Mar-2015 15:56:57.959 client 172.16.100.1#39882: view telecom: query: mageedu.com IN NS + (172.16.100.1)
08-Mar-2015 15:56:57.960 client 172.16.100.1#39882: view telecom: query: mageedu.com IN MX + (172.16.100.1)
提示:完成查询,每一条都记录了;下面看一下记录日志和不记录日志的性能区别(注意后面的几次测试并没有真正关掉查询日志,bind_query.log仍在增长,所以严格的对比还要再把querylog关掉重跑一次);
[root@Smoke named]# cd(切换到用户家目录)
[root@Smoke ~]# vim test(编辑test文件)
www.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
www.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
:1,$y
提示:通过从第一行到最后一行复制和粘贴将查询名称次数增加到5000行;
[root@Smoke ~]# queryperf -d test -s 172.16.100.1(通过queryperf命令-d指定查询文件,-s指定DNS服务器进行DNS服务器查询测试)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 172.16.100.1)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 2548 queries
Queries completed: 2548 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.013599 sec
RTT min: 0.000022 sec
RTT average: 0.001100 sec
RTT std deviation: 0.000923 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Mar 8 16:06:13 2015
Finished at: Sun Mar 8 16:06:13 2015
Ran for: 0.300784 seconds
Queries per second: 8471.195276 qps
[root@Smoke ~]# wc -l /var/log/named/bind_query.log(统计bind_query.log文件行数)
2556 /var/log/named/bind_query.log
[root@Smoke ~]# vim test(编辑test文件)
www.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
www.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
:1,$y
提示:通过从第一行到最后一行复制和粘贴将查询名称次数增加到10万行;
[root@Smoke ~]# queryperf -d test -s 172.16.100.1(通过queryperf命令-d指定查询文件,-s指定DNS服务器进行DNS服务器查询测试)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 172.16.100.1)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 1055544 queries
Queries completed: 1055544 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 2.514098 sec
RTT min: 0.000312 sec
RTT average: 0.001948 sec
RTT std deviation: 0.011065 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Mar 8 16:15:11 2015
Finished at: Sun Mar 8 16:16:54 2015
Ran for: 103.445871 seconds
Queries per second: 10203.829208 qps
[root@Smoke ~]# top(查看cpu占用率)
top - 16:16:45 up 17:16, 6 users, load average: 1.29, 1.11, 0.62
Tasks: 137 total, 2 running, 134 sleeping, 0 stopped, 1 zombie
Cpu(s): 64.4%us, 28.2%sy, 0.0%ni, 0.0%id, 0.0%wa, 2.7%hi, 4.7%si, 0.0%st
Mem: 1034676k total, 173732k used, 860944k free, 3600k buffers
Swap: 1052248k total, 94344k used, 957904k free, 91256k cached
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
6603 named 25 0 46348 1608 1220 S 81.2 0.2 1:15.91 named
7832 root 15 0 2564 1108 604 S 17.6 0.1 0:15.20 queryperf
7835 root 15 0 10228 2992 2400 R 0.3 0.3 0:00.09 sshd
1 root 15 0 2164 404 380 S 0.0 0.0 0:00.90 init
2 root RT -5 0 0 0 S 0.0 0.0 0:00.00 migration/0
3 root 34 19 0 0 0 S 0.0 0.0 0:00.00 ksoftirqd/0
4 root 10 -5 0 0 0 S 0.0 0.0 0:00.08 events/0
5 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 khelper
6 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kthread
9 root 10 -5 0 0 0 S 0.0 0.0 0:01.22 kblockd/0
10 root 20 -5 0 0 0 S 0.0 0.0 0:00.00 kacpid
178 root 18 -5 0 0 0 S 0.0 0.0 0:00.00 cqueue/0
181 root 10 -5 0 0 0 S 0.0 0.0 0:00.02 khubd
183 root 10 -5 0 0 0 S 0.0 0.0 0:00.00 kseriod
249 root 20 0 0 0 0 S 0.0 0.0 0:00.00 khungtaskd
251 root 15 0 0 0 0 S 0.0 0.0 0:02.49 pdflush
252 root 10 -5 0 0 0 S 0.0 0.0 0:01.23 kswapd0
253 root 18 -5 0 0 0 S 0.0 0.0 0:00.00 aio/0
474 root 11 -5 0 0 0 S 0.0 0.0 0:00.00 kpsmoused
505 root 10 -5 0 0 0 S 0.0 0.0 0:00.03 mpt_poll_0
506 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 mpt/0
507 root 19 -5 0 0 0 S 0.0 0.0 0:00.00 scsi_eh_0
提示:named进程要占用CPU的81.2%;
[root@Smoke ~]# scp test 172.16.100.8:/root(远程复制test文件到172.16.100.8主机的/root目录)
The authenticity of host '172.16.100.8 (172.16.100.8)' can't be established.
RSA key fingerprint is 42:e9:a1:a0:c1:7f:bd:02:4b:4a:eb:54:17:4b:80:1b.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.100.8' (RSA) to the list of known hosts.
root@172.16.100.8's password:
test 100% 18MB 17.5MB/s 00:01
[root@Smoke ~]# scp /bin/queryperf 172.16.100.8:/bin/(复制/bin/queryperf文件到远程主机172.16.100.8的/bin目录)
root@172.16.100.8's password:
queryperf 100% 33KB 33.3KB/s 00:00
切换到172.16.100.8主机进行压力测试:
[root@Smoke ~]# queryperf -d test -s 172.16.100.1(通过queryperf命令-d指定查询文件,-s指定DNS服务器进行DNS服务器查询测试)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 172.16.100.1)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 1055544 queries
Queries completed: 1055544 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.024029 sec
RTT min: 0.000634 sec
RTT average: 0.002958 sec
RTT std deviation: 0.000798 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Wed Nov 12 02:49:52 2014
Finished at: Wed Nov 12 02:52:33 2014
Ran for: 160.610784 seconds
Queries per second: 6572.061811 qps
切换到172.16.100.1的DNS服务器查看日志:
[root@Smoke ~]# wc -l /var/log/named/bind_query.log(统计bind_query.log日志行数)
24622 /var/log/named/bind_query.log
[root@Smoke ~]# ls -lh !$(查看bind_query.log文件大小)
ls -lh /var/log/named/bind_query.log
-rw-r--r-- 1 named named 2.6M Mar 8 16:26 /var/log/named/bind_query.log
[root@Smoke ~]# lftp 172.16.0.1(连接172.16.0.1的ftp服务器)
lftp 172.16.0.1:~> cd pub/Sources/bind/(切换到/pub/Sources/bind目录)
lftp 172.16.0.1:/pub/Sources/bind> get dnstop-20110502.tar.gz(下载dnstop)
73083 bytes transferred
lftp 172.16.0.1:/pub/Sources/bind> byte(退出)
[root@Smoke ~]# ls dnstop-20110502.tar.gz(查看dnstop文件)
dnstop-20110502.tar.gz
[root@Smoke ~]# tar xf dnstop-20110502.tar.gz(解压dnstop源码包)
[root@Smoke ~]# cd dnstop-20110502(切换到dnstop-20110502目录)
[root@Smoke dnstop-20110502]# ./configure(配置dnstop)
[root@Smoke dnstop-20110502]# make(编译)
提示:如果报错,需要安装libpcap-devel;
[root@Smoke dnstop-20110502]# yum list all | grep cap(显示yum源列表将结果送给管道通过grep只显示cap相关)
libcap.i386 1.10-26 installed
libcap-devel.i386 1.10-26 installed
libpcap.i386 14:0.9.4-15.el5 installed
libtermcap.i386 2.0.8-46.1 installed
libtermcap-devel.i386 2.0.8-46.1 installed
mailcap.noarch 2.1.23-1.fc6 installed
termcap.noarch 1:5.5-1.20060701.1 installed
libpcap-devel.i386 14:0.9.4-15.el5 Base
openscap.i386 0.8.0-1.el5 Base
openscap-devel.i386 0.8.0-1.el5 Base
openscap-extra-probes.i386 0.8.0-1.el5 Base
openscap-perl.i386 0.8.0-1.el5 Base
openscap-python.i386 0.8.0-1.el5 Base
openscap-utils.i386 0.8.0-1.el5 Base
提示:libpcap-devel是抓包库libpcap的开发包,dnstop编译时链接-lpcap需要它(上面列表显示libcap-devel已经安装,缺的是libpcap-devel);
[root@Smoke dnstop-20110502]# yum install libcap-devel(安装libcap-devel)
[root@Smoke dnstop-20110502]# yum -y install libpcap-devel(安装libpcap-devel)
[root@Smoke dnstop-20110502]# make clean(清除编译)
[root@Smoke dnstop-20110502]# ./configure(配置dnstop)
[root@Smoke dnstop-20110502]# make(编译)
gcc -g -O2 -DUSE_IPV6=1 -c dnstop.c
gcc -g -O2 -DUSE_IPV6=1 -c -o hashtbl.o hashtbl.c
gcc -g -O2 -DUSE_IPV6=1 -c -o inX_addr.o inX_addr.c
gcc -g -O2 -DUSE_IPV6=1 -c -o lookup3.o lookup3.c
gcc -g -O2 -DUSE_IPV6=1 -o dnstop dnstop.o hashtbl.o inX_addr.o lookup3.o -lresolv -lnsl -lpcap -lncurses
[root@Smoke dnstop-20110502]# ls(查看当前目录文件及子目录)
CHANGES config.log dnstop dnstop.o hashtbl.o inX_addr.h LICENSE Makefile
config.h config.status dnstop.8 hashtbl.c install-sh inX_addr.o lookup3.c Makefile.in
config.h.in configure dnstop.c hashtbl.h inX_addr.c known_tlds.h lookup3.o
[root@Smoke dnstop-20110502]# make install(编译安装)
install -m 755 dnstop /usr/local/bin
install -m 644 dnstop.8 /usr/local/share/man/man8
提示:将dnstop安装到/usr/local/bin下;
[root@Smoke dnstop-20110502]# man dnstop(查看dnstop的man帮助文档)
dnstop [-46apsQR](-4表示抓ipv4包) [-b expression] [-i address](在哪个网卡抓包) [-f filter] [-r interval](指定时间) [device]
(指定设备) [savefile]
[root@Smoke dnstop-20110502]# dnstop -4 -Q -R eth0(通过dnstop,-4代表ipv4,-Q查询次数,-R响应次数,eth0设备)
Queries: 0 new, 0 total Sun Mar 8 17:02:36 2015
Replies: 0 new, 0 total
Sources Count % cum%
------- --------- ------ ------
切换到172.16.100.8进行查询;
[root@Smoke ~]# dig -t A mageedu.com @172.16.100.1(通过172.16.100.1查询mageedu.com的A记录)
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-6.P2.el5_7.4 <<>> -t A mageedu.com @172.16.100.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58157
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;mageedu.com. IN A
;; AUTHORITY SECTION:
mageedu.com. 43200 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040201 3600 600 604800 86400
;; Query time: 7 msec
;; SERVER: 172.16.100.1#53(172.16.100.1)
;; WHEN: Wed Nov 12 03:33:06 2014
;; MSG SIZE rcvd: 75
[root@Smoke dnstop-20110502]# dnstop -4 -Q -R eth0(通过dnstop,-4代表ipv4,-Q查询次数,-R响应次数,eth0设备)
Queries: 0 new, 0 total Sun Mar 8 17:02:36 2015
Replies: 0 new, 0 total
Sources Count % cum%
------- --------- ------ ------
172.16.100.1 25 96.3 96.4
172.16.100.8 1 3.3 100.0
提示:dnstop是交互式的,可以输入1或2切换显示,它可以监控DNS服务器的工作状态;
把服务器172.16.100.1日志功能去掉响应速度能快点;
[root@Smoke ~]# vim /etc/named.conf(编辑named服务主配置文件)
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
allow-recursion { innet; };
querylog yes;
};
/*logging {
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
print-time yes;
};
channel xfer_log {
file "/var/log/named/transfer.log" versions 5 size 10k;
severity debug 3;
print-time yes;
};
category queries { querylog; };
category xfer-out { xfer_log; };
};
*/
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
提示:通过/* ... */将logging段注释掉,这种注释方式比较独特,是C语言的多行注释方法;单行注释可以使用//;
[root@Smoke ~]# service named restart(重启named服务)
Stopping named: . [ OK ]
Starting named: [ OK ]
切换到172.16.100.8,不监控做压力测试:
[root@Smoke ~]# queryperf -d test -s 172.16.100.1(通过queryperf命令-d指定查询文件,-s指定DNS服务器进行DNS服务器查询测试)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 172.16.100.1)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 1055544 queries
Queries completed: 1055544 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.024029 sec
RTT min: 0.000634 sec
RTT average: 0.002958 sec
RTT std deviation: 0.000798 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Wed Nov 12 02:49:52 2014
Finished at: Wed Nov 12 02:52:33 2014
Ran for: 160.610784 seconds
Queries per second: 26572.061811 qps
提示:关闭日志以后每秒查询次数明显上升,所以说日志对DNS服务器性能的影响是非常大的,尤其是查询日志;
DHCP:Dynamic Host Configuration Protocol <--bootp(DHCP前身协议)
无盘工作站:
早期网络当中计算机的主机是有一台服务器工作,服务器上有个硬盘,空间比较大,有很多客户机,每台客户机都有CPU和内存,键盘数据显示器等等,就是没有硬盘,没硬盘操作系统装哪去,没有操作系统不可能开机使用,所以对用户来讲操作系统是人机交互的非常重要的通用软件层,但是现在没有硬盘,如何安装操作系统,当时硬盘还是非常昂贵的资源,所以不可能在每个主机配一个硬盘,而且也没必要,当时计算机性能还很差,由此就意味着每一个主机的操作系统都是装在服务器当中的硬盘的,主机要想启动起来要能够加载操作系统,就必须要能跟服务器通信,并且把自己所需要的文件都读进来,在通信之前,双方要能够建立通信必须要有IP地址,IP地址是配在操作系统上的,操作系统又没装,我们要想跟对方通信得有IP地址,IP地址是通过操作系统配置的,操作系统又没有硬盘安装,于是在这种主机上需要用独特的网卡,这个网卡在启动的时候,网卡自身它有ROM,网卡自身就有控制芯片,控制芯片中有一些指令,这些指令就可以完成一些独立的操作,这个芯片启动的时候它就开始向网络发送广播通告说我自己有个MAC地址,需要一个IP地址,我们有一个服务器它能够接收这种请求,并且它有一堆地址可以使用,这个地址列表通常叫做地址池,于是我们的服务器就从地址列表当中找一个空闲地址分给它使用了,既然给它了就不能给其他主机使用了,还需要注意的是这个地址一旦分配给这个主机以后就永远属于这个主机了,在刚开始的时候主机开机时候请求是动态的,但一旦它开机以后这个地址就永远属于它,服务器会标记这个IP地址和主机的MAC地址,所以它通过和MAC地址建立关联关系,一旦分配出去以后就建立关联关系,以后只有同一个MAC地址来申请这个地址就会给它来使用,所以这个地址就保留给这个主机,永久使用了,接下来有了IP地址就可以和服务器通信了,通信以后网卡就能够自动的实现服务器的应用程序加载进本地的内存并且启动起来,从而操作系统就启动起来了,像这种我们的IP地址是动态获得的,但是动态获得的有一个缺陷一旦获得以后,这个地址以后再申请还是这一个地址了,而且这个地址只能归这台主机使用,因为它要靠这个地址来引导操作系统,并且标记这个操作系统属于这个主机操作系统所安装的位置,像这一种能够实现地址的动态分配,但也是仅仅是第一次动态分配而已,为了引导主机启动的,所以称作叫做bootp;
后来随着计算机的发展,每一个客户机都可以有自己的硬盘,这就意味着每个主机都可以安装操作系统了,而且没有IP地址照样能启动,但是尽管如此,我们局域网内部主机非常的多,我们又期望这些主机彼此之间都能够通信,因此每个主机照样需要IP地址,怎么给这些主机配置IP地址,使用bootp固然能够分配地址,但是过段时间这个主机走了,从此以后不来了,这个地址分配给它以后再也不能分配给别的主机使用了,永远处于浪费状态,所以bootp协议已经不能再应付这种现象了,于是有了bootp的增强版DHCP,DHCP引入了bootp所没有的概念叫做租约(lease),这个地址给你以后,你可以使用,但是不是永久使用,而是只有有限的使用期限,因此当关机以后,这个地址就会被释放掉,释放到可用地址列表中,一旦有其他主机启动需要地址,可以将这个地址继续分配给其他人使用了,如果要继续使用这个IP地址可以续租,对于DHCP续租比较提前,当你的租期到达一半的时候就要决定是否要续租了;
TCP/IP
IPADDR
NETMASK
GATEWAY
DNS
四个报文都是广播方式发送:
Client--> DHCPDISCOVER
DHCPOFFER <--- Server
Client--> DHCPREQUEST
DHCPACK <-- Server
续租使用单播:
Client--> DHCPREQUEST
DHCPACK <-- Server
DHCP Relay(中继器)
UDP:
67/udp:服务器监听udp的67号端口;
68/udp:客户端监听udp的68号端口;
[root@Smoke ~]# yum list all | grep dhcp(查看yum源列表将输出信息通过管道送给grep只显示dhcp相关)
dhcpv6-client.i386(dhcpv6客户端) 1.0.10-20.el5 installed
dhcp.i386(DHCP服务器端包) 12:3.0.5-31.el5 Base
dhcp-devel.i386 12:3.0.5-31.el5 Base
dhcpv6.i386(ipv6的DHCP) 1.0.10-20.el5 Base
libdhcp.i386 1.20-13.el5 Base
libdhcp-devel.i386 1.20-13.el5 Base
libdhcp4client.i386 12:3.0.5-31.el5 Base
libdhcp4client-devel.i386 12:3.0.5-31.el5 Base
libdhcp6client.i386 1.0.10-20.el5 Base
libdhcp6client-devel.i386 1.0.10-20.el5 Base
sblim-cmpi-dhcp.i386 1:1.0-49.el5 Base
sblim-cmpi-dhcp-devel.i386 1:1.0-49.el5 Base
sblim-cmpi-dhcp-test.i386 1:1.0-49.el5 Base
[root@Smoke ~]# yum -y install dhcp(安装dhcp,-y所有询问回答yes)
[root@Smoke ~]# rpm -ql dhcp(查看dhcp安装生成哪些文件列表)
/etc/dhcpd.conf(dhcp配置文件)
/etc/rc.d/init.d/dhcpd(DHCP启动脚本)
/etc/rc.d/init.d/dhcrelay(DHCP中继启动脚本)
/etc/sysconfig/dhcpd
/etc/sysconfig/dhcrelay
/usr/bin/omshell
/usr/sbin/dhcpd(提供服务的程序)
/usr/sbin/dhcrelay(提供DHCP中继程序)
/usr/share/doc/dhcp-3.0.5
/usr/share/doc/dhcp-3.0.5/IANA-arp-parameters
/usr/share/doc/dhcp-3.0.5/README
/usr/share/doc/dhcp-3.0.5/RELNOTES
/usr/share/doc/dhcp-3.0.5/api+protocol
/usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample
/usr/share/doc/dhcp-3.0.5/draft-ietf-dhc-authentication-14.txt
/usr/share/doc/dhcp-3.0.5/draft-ietf-dhc-dhcp-dns-12.txt
/usr/share/doc/dhcp-3.0.5/draft-ietf-dhc-failover-07.txt
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhclient-script.8
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhclient.8
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhclient.conf.5
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhclient.leases.5
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhcp-eval.5
/usr/share/doc/dhcp-3.0.5/ja_JP.eucJP/dhcp-options.5
/usr/share/doc/dhcp-3.0.5/rfc1542.txt
/usr/share/doc/dhcp-3.0.5/rfc2131.txt
/usr/share/doc/dhcp-3.0.5/rfc2132.txt
/usr/share/doc/dhcp-3.0.5/rfc2485.txt
/usr/share/doc/dhcp-3.0.5/rfc2489.txt
/usr/share/doc/dhcp-3.0.5/rfc951.txt
/usr/share/man/man1/omshell.1.gz
/usr/share/man/man5/dhcp-eval.5.gz
/usr/share/man/man5/dhcp-options.5.gz
/usr/share/man/man5/dhcpd-eval.5.gz
/usr/share/man/man5/dhcpd-options.5.gz
/usr/share/man/man5/dhcpd.conf.5.gz
/usr/share/man/man5/dhcpd.leases.5.gz
/usr/share/man/man8/dhcpd.8.gz
/usr/share/man/man8/dhcrelay.8.gz
/var/lib/dhcpd
/var/lib/dhcpd/dhcpd.leases(dhcp租约记录文件,记录哪个地址分配给谁使用)
[root@Smoke ~]# vim /etc/dhcpd.conf(编辑dhcpd服务配置文件)
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample(在/usr/share/doc/dhcp*/dhcpd.conf.sample配置模版)
#
提示:在/usr/share/doc/dhcp*/dhcpd.conf.sample有dhcpd.conf的配置模版,可以复制过来修改;
[root@Smoke ~]# cp /usr/share/doc/dhcp-3.0.5/dhcpd.conf.sample /etc/dhcpd.conf(复制dhcpd.conf.sample到/etc/dhcpd.conf,覆盖掉原文件)
[root@Smoke ~]# vim /etc/dhcpd.conf(编辑dhcpd.conf文件)
ddns-update-style interim;(动态dns的更新方式)
ignore client-updates;(是否忽略客户端更新,也是配合动态dns工作的,怎么去更新dns服务器上的数据的)
subnet 192.168.0.0 netmask 255.255.255.0(定义子网,可以定义多个子网,必须要定义一个本地地址池列表,所以必须要提供一个子网,这个子网要跟当前服务器
网卡所配置的IP地址要在同一网段,这是必须的,否则DHCP服务器启动不了) {
# --- default gateway
option routers 192.168.0.1;(默认网关)
option subnet-mask 255.255.255.0;(子网掩码)
# option nis-domain "domain.org";(nis)
option domain-name "domain.org";(域名,是/etc/resolv.conf中seach后面字符串,搜索域是什么)
option domain-name-servers 192.168.1.1;(dns服务器地址,多个逗号隔开,最多三个)
option time-offset -18000; # Eastern Standard Time(时间偏移,用于定义时区)
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp 192.168.0.128 192.168.0.254;(地址池,指定起始地址和结尾地址,linux分配地址是从主机位大到小分配)
default-lease-time 21600;(默认租约)
max-lease-time 43200;(最大租约)
# we want the nameserver to appear at a fixed address
host ns {(定义保留地址,ns标识符,无意义)
next-server marvin.redhat.com;(指定下一个服务器,用于PXE网络引导,告诉客户端从哪个文件服务器获得
引导文件)
hardware ethernet 12:34:56:78:AB:CD;(指定对方mac地址)
fixed-address 207.175.42.254;(指定分配的固定地址)
}
}
提示:动态dns更新方式:dns服务器的数据文件中给每个主机名对应一个IP地址,建立对应关系;如果你的主机都是动态获得IP地址,数据文件中的对应关系会
发生改变,DHCP每一次动态分配地址以后如果发生了改变,它会动态通知dns服务器更新数据文件中的内容,这样非常危险,有人可能通过精巧设计的更新请求把你的域名指向它的IP地址,所以上面配置中用ignore client-updates忽略客户端的更新请求;
[root@Smoke ~]# vim /etc/resolv.conf(编辑dns指向配置文件)
; generated by /sbin/dhclient-script
search localdomain(对应/etc/dhcpd.conf文件中选项option domain-name)
nameserver 192.168.223.2
[root@Smoke ~]# vim /etc/dhcpd.conf(编辑dhcpd.conf文件)
ddns-update-style interim;
ignore client-updates;
subnet 172.16.0.0 netmask 255.255.0.0 {(所属子网,要跟网卡在同一网段)
# --- default gateway
option routers 172.16.0.1;(网关)
option subnet-mask 255.255.0.0;(子网掩码)
# option nis-domain "domain.org";
option domain-name "mageedu.com";(域名)
option domain-name-servers 172.16.0.1,202.102.224.68;(DNS服务器)
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range 172.16.100.10 172.16.100.20;(range指定地址范围,要把dynamic-bootp去掉,我们现在用的不是bootp协议,而是DHCP协议)
default-lease-time 21600;(默认租约期限)
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
# host ns {
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }
}
提示:每一行都要;分号结尾,没有;分号语法错误;
[root@Smoke ~]# service dhcpd start(启动dhcpd服务)
Starting dhcpd: [ OK ]
[root@Smoke ~]# netstat -unlp(查看监听的udp端口,-u代表udp,-n以数字显示,-l只显示监听端口,-p显示进程PID和程序名)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
udp 0 0 0.0.0.0:514 0.0.0.0:* 3113/syslogd
udp 0 0 0.0.0.0:54297 0.0.0.0:* 3774/avahi-daemon
udp 0 0 172.16.100.1:53 0.0.0.0:* 12933/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 12933/named
udp 0 0 0.0.0.0:67 0.0.0.0:* 13818/dhcpd
udp 0 0 0.0.0.0:866 0.0.0.0:* 3234/rpc.statd
udp 0 0 0.0.0.0:869 0.0.0.0:* 3234/rpc.statd
udp 0 0 0.0.0.0:5353 0.0.0.0:* 3774/avahi-daemon
udp 0 0 0.0.0.0:111 0.0.0.0:* 3195/portmap
udp 0 0 0.0.0.0:631 0.0.0.0:* 3571/cupsd
udp 0 0 :::58985 :::* 3774/avahi-daemon
udp 0 0 :::5353 :::*
提示:可以看到dhcpd已监听udp的67号端口,说明已经提供服务;
测试:打开一台linux测试机器;
[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0(编辑eth0网卡配置文件)
# Advanced Micro Devices [AMD] 79c970 [PCnet32 LANCE]
DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=00:0C:29:B8:44:39
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
GATEWAY=192.168.0.254
提示:更改为DHCP;
[root@localhost ~]# service network restart(重启网络服务)
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
[root@localhost ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:B8:44:39
inet addr:172.16.100.20 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:feb8:4439/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3347338 errors:0 dropped:0 overruns:0 frame:0
TX packets:61116 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:290010310 (276.5 MiB) TX bytes:3876508 (3.6 MiB)
Interrupt:67 Base address:0x2000
提示:获得的地址是172.16.100.20;
获得固定IP地址:查看测试机的mac地址为00:0C:29:B8:44:39;
切换到DHCP服务器;
[root@Smoke ~]# vim /etc/dhcpd.conf(编辑dhcpd服务配置文件)
ddns-update-style interim;
ignore client-updates;
subnet 172.16.0.0 netmask 255.255.0.0 {
# --- default gateway
option routers 172.16.0.1;
option subnet-mask 255.255.0.0;
# option nis-domain "domain.org";
option domain-name "mageedu.com";
option domain-name-servers 172.16.0.1,202.102.224.68;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range 172.16.100.10 172.16.100.20;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
host ns2 {(定义保留地址,ns2标识符,无意义)
hardware ethernet 00:0C:29:B8:44:39;(指定客户机的mac地址)
fixed-address 172.16.100.33;(指定分配的固定地址)
}
}
[root@Smoke ~]# service dhcpd restart(重启dhcpd服务)
Shutting down dhcpd: [ OK ]
Starting dhcpd: [ OK ]
测试:打开测试的DHCP客户机;
[root@localhost ~]# service network restart(重启网络服务)
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0:
Determining IP information for eth0... done.
[ OK ]
[root@localhost ~]# ifconfig eth0(查看eth0接口信息)
eth0 Link encap:Ethernet HWaddr 00:0C:29:B8:44:39
inet addr:172.16.100.33 Bcast:172.16.255.255 Mask:255.255.0.0
inet6 addr: fe80::20c:29ff:feb8:4439/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3347605 errors:0 dropped:0 overruns:0 frame:0
TX packets:61335 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:290036505 (276.6 MiB) TX bytes:3902598 (3.7 MiB)
Interrupt:67 Base address:0x2000
提示:获得的IP地址是172.16.100.33,如果有多台DHCP服务器提供DHCP服务,专用地址优先级高,不仅仅是DHCP服务器响应速度决定客户机从哪个DHCP服务器获取地址;
切换到DHCP服务器:
[root@Smoke ~]# tail /var/lib/dhcpd/dhcpd.leases(查看/var/lib/dhcpd/dhcpd.leases文件)
# This lease file was written by isc-dhcp-V3.0.5-RedHat
lease 172.16.100.20 {(分配的地址)
starts 0 2015/03/08 10:49:50;(租约起始时间)
ends 0 2015/03/08 16:49:50;(租约结束时间)
tstp 0 2015/03/08 16:49:50;
binding state active;
next binding state free;
hardware ethernet 00:0c:29:b8:44:39;(客户机MAC地址)
}
提示:/var/lib/dhcpd/dhcpd.leases是租约记录文件,记录哪个IP地址分配给谁;
我们刚才客户端为了续租IP地址都有重启网络服务,其实也没必要这么麻烦,可以通过命令dhclient;
切换到DHCP客户机:
[root@localhost ~]# dhclient -h(查看dhclient帮助)
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Usage: dhclient [-1dqr] [-nwx] [-p <port>] [-s server] [-cf config-file] [-lf lease-file][-pf pid-file] [-e VAR=val]
[ -I <dhcp-client-identifier> ] [-B]
[ -H <host-name> | -F <fqdn.fqdn> ] [ -T <timeout> ]
[ -V <vendor-class-identifier> ]
[ -R <request option list> ]
[-sf script-file] [interface]
[root@localhost ~]# man dhclient(查看dhclient命令man帮助文档)
[root@localhost ~]# ifconfig eth0 down(down掉eth0接口)
[root@localhost ~]# dhclient(获取IP地址)
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:b8:44:39
Sending on LPF/eth0/00:0c:29:b8:44:39
Sending on Socket/fallback
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 5 (xid=0x20c1fa55)(客户端发送DHCPDISCOVER消息)
DHCPOFFER from 172.16.100.1(DHCP服务器发的DHCPOFFER消息)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x20c1fa55)(客户端发送的DHCPREQUEST消息)
DHCPACK from 172.16.100.1 (xid=0x20c1fa55)(服务器发送的DHCPACK消息)
bound to 172.16.100.20 -- renewal in 10783 seconds.(绑定使用172.16.100.20)
[root@localhost ~]# dhclient(获取IP地址)
dhclient(4955) is already running - exiting. (dhclient是个进程,已经运行起来了)
If you did not get this software from ftp.isc.org, please
get the latest from ftp.isc.org and install that before
requesting help.
If you did get this software from ftp.isc.org and have not
yet read the README, please read it before requesting help.
If you intend to request help from the dhcp-server@isc.org
mailing list, please read the section on the README about
submitting bug reports and requests for help.
Please do not under any circumstances send requests for
help directly to the authors of this software - please
send them to the appropriate mailing list as described in
the README file.
exiting.
提示:dhclient不能执行第二次,其实dhclient是个进程,已经运行起来了;
[root@localhost ~]# killall dhclient(杀死dhclient名称相关所有进程)
[root@localhost ~]# dhclient(获取IP地址)
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:b8:44:39
Sending on LPF/eth0/00:0c:29:b8:44:39
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x4f62932f)
DHCPACK from 172.16.100.1 (xid=0x4f62932f)
bound to 172.16.100.20 -- renewal in 10701 seconds.
提示:将dhclient进程杀死后,就可以重新获取IP地址了;
这次172.16.100.20不给测试客户端了;
切换到DHCP服务器;
[root@Smoke ~]# vim /etc/dhcpd.conf(编辑dhcpd服务配置文件)
ddns-update-style interim;
ignore client-updates;
subnet 172.16.0.0 netmask 255.255.0.0 {
# --- default gateway
option routers 172.16.0.1;
option subnet-mask 255.255.0.0;
# option nis-domain "domain.org";
option domain-name "mageedu.com";
option domain-name-servers 172.16.0.1,202.102.224.68;
option time-offset -18000; # Eastern Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range 172.16.100.10 172.16.100.18;(更改地址池地址范围最大18)
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
host ns2 {
hardware ethernet 00:0C:29:B8:64:30;
fixed-address 172.16.100.33;
}
}
[root@Smoke ~]# service dhcpd restart(重启dhcp服务)
Shutting down dhcpd: [ OK ]
Starting dhcpd: [ OK ]
测试:切换到客户机进行DHCP地址获取测试;
[root@localhost ~]# killall dhclient(杀死所有dhclient进程)
[root@localhost ~]# dhclient(获取IP地址)
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:b8:44:39
Sending on LPF/eth0/00:0c:29:b8:44:39
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x44c16daf)(续租)
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x44c16daf)(续租)
DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7 (xid=0x25c72ad7)
DHCPOFFER from 172.16.100.1
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0x25c72ad7)
DHCPACK from 172.16.100.1 (xid=0x25c72ad7)
bound to 172.16.100.18 -- renewal in 9920 seconds.
我们每次都要killall dhclient进程,不想使用killall,可以使用dhclient -d让获取地址工作在前台;
[root@localhost ~]# dhclient -d(使用-d选项让获取地址工作在前台,不必杀死dhclient进程,可以查看DHCP客户端获取地址的过程)
Internet Systems Consortium DHCP Client V3.0.5-RedHat
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Listening on LPF/eth0/00:0c:29:b8:44:39
Sending on LPF/eth0/00:0c:29:b8:44:39
Sending on Socket/fallback
DHCPREQUEST on eth0 to 255.255.255.255 port 67 (xid=0xfdd1e60)
DHCPACK from 172.16.100.1 (xid=0xfdd1e60)
bound to 172.16.100.18 -- renewal in 10041 seconds.
提示:通过CTRL+C终止;