1 Basics
1.1 Basic concepts
– DNS is the abbreviation of Domain Name System (域名系统); the core of the system is the DNS protocol
– The DNS protocol is the communication protocol between DNS clients and DNS servers; it translates FQDNs (fully qualified domain names) into IP addresses
– A DNS server is the server-side application that provides name resolution services to DNS clients
1.2 Introduction to BIND
– BIND is the abbreviation of Berkeley Internet Name Domain
– BIND is a concrete implementation of the server side of the DNS protocol; it provides name resolution services to DNS clients
2 Best practice
2.1 System environment configuration
2.1.1 Check the system version
In dnsSer0[1-2]
cat /etc/redhat-release
The system version used in this example is as follows,
Red Hat Enterprise Linux release 8.2 (Ootpa)
2.1.2 Configure the Ethernet address and DNS
In dnsSer01
nmcli connection show
nmcli con delete ens33
nmcli device
nmcli con add ifname ens33 con-name ens33 type ethernet
nmcli con modify ens33 ipv4.addresses "10.168.0.60/24"
nmcli con modify ens33 ipv4.gateway 10.168.0.1
nmcli con modify ens33 ipv4.dns "202.96.128.86 202.96.128.166"
nmcli con modify ens33 ipv4.method manual
nmcli con modify ens33 ipv6.method ignore
nmcli con modify ens33 connection.autoconnect yes
nmcli con modify ens33 connection.autoconnect-priority -999
nmcli con up ens33
In dnsSer02
nmcli connection show
nmcli con delete ens33
nmcli device
nmcli con add ifname ens33 con-name ens33 type ethernet
nmcli con modify ens33 ipv4.addresses "10.169.0.60/24"
nmcli con modify ens33 ipv4.gateway 10.169.0.1
nmcli con modify ens33 ipv4.dns "202.96.128.86 202.96.128.166"
nmcli con modify ens33 ipv4.method manual
nmcli con modify ens33 ipv6.method ignore
nmcli con modify ens33 connection.autoconnect yes
nmcli con modify ens33 connection.autoconnect-priority -999
nmcli con up ens33
2.1.3 Configure the host name
In dnsSer0[1,2]
hostnamectl set-hostname dnsser0[1-2].cmdschool.org
2.1.4 Install the name resolution tools and test name resolution
In dnsSer0[1,2] & Client[1,2]
dnf install -y bind-utils
host -t A www.cmdschool.org
2.1.5 Configure NTP and the time zone
In dnsSer0[1,2]
dnf install -y chrony
The command above installs the NTP-related packages; then check the time server configuration with the following command,
grep ^server /etc/chrony.conf
The following configuration is shown,
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
In addition, we recommend setting the time zone with the following command,
timedatectl set-timezone Asia/Shanghai
2.1.6 Install the ssh client package
In dnsSer0[1,2]
dnf install -y openssh-clients
2.2 Basic DNS environment configuration
2.2.1 Install the BIND packages
In dnsSer0[1,2]
dnf install -y bind-chroot
2.2.2 Stop and disable the dns service
In dnsSer0[1,2]
systemctl status named.service
systemctl stop named.service
systemctl disable named.service
2.2.3 Start the dns chroot service and enable it at boot
In dnsSer0[1,2]
systemctl start named-chroot.service
systemctl enable named-chroot.service
systemctl status named-chroot.service
2.2.4 Disable the IPv6 address for DNS
In dnsSer0[1-2]
echo 'OPTIONS="-4"' >> /etc/sysconfig/named
2.2.5 Configure the firewall
In dnsSer0[1,2]
firewall-cmd --permanent --add-service dns
firewall-cmd --reload
firewall-cmd --list-all
2.3 A basic DNS configuration example
2.3.1 Modify the configuration
In dnsSer0[1,2]
cp /etc/named.conf /etc/named.conf.default
vim /etc/named.conf
The commands above back up and edit the main configuration; modify it as follows,
options {
    listen-on port 53 { 127.0.0.1; any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; any; };
    allow-query-cache { localhost; any; };
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
view internet {
    match-clients { localhost; any; };
    recursion yes;
    include "/etc/named.rfc1912.zones";
    include "/etc/named/named.internet.zones";
};
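The view above matches every client (`match-clients { localhost; any; }`) with `recursion yes`, and `listen-on` and `allow-query` also allow `any`, so the server answers recursive queries for anyone who can reach port 53 (an open resolver). The following check is an added example, not part of the original article or of BIND itself; the `trusted` acl and the 10.168.0.0/24 and 10.169.0.0/24 ranges in the hardened sample are constructed for illustration.

```shell
# Added example, not from the original article: flags a named.conf that hands
# recursion to every client (an open resolver). Both sample configs are
# constructed: the first mirrors the page's view, the second restricts
# recursion with a hypothetical acl "trusted" covering the two lab subnets.

# Strip // and # comments, join lines, squeeze whitespace (stdin -> stdout).
normalize_conf() {
    sed -e 's#//.*$##' -e 's/#.*$//' | tr '\n' ' ' | tr -s ' '
}

# Does the clause "<name> { ... }" list the built-in "any" match list?
clause_has_any() {
    grep -Eq "$1 *[{][^}]*[ {;]any *;"
}

# Exit 0 when the config on stdin recurses for arbitrary clients: recursion
# is on and neither match-clients nor allow-recursion narrows the client set.
is_open_resolver() {
    conf=$(normalize_conf)
    printf '%s' "$conf" | grep -q 'recursion yes *;' || return 1
    if printf '%s' "$conf" | grep -q 'allow-recursion *{'; then
        printf '%s' "$conf" | clause_has_any allow-recursion || return 1
    fi
    if printf '%s' "$conf" | grep -q 'match-clients *{'; then
        printf '%s' "$conf" | clause_has_any match-clients || return 1
    fi
    return 0
}

# Constructed: the page's layout, recursion granted to any client.
sample_open_conf() {
    cat <<'EOF'
options { listen-on port 53 { 127.0.0.1; any; }; allow-query { localhost; any; }; };
view internet { match-clients { localhost; any; }; recursion yes; };
EOF
}

# Constructed hardening: only the lab subnets may recurse; everyone else still
# gets authoritative answers for cmdschool.org through allow-query.
sample_hardened_conf() {
    cat <<'EOF'
acl trusted { localhost; 10.168.0.0/24; 10.169.0.0/24; };
options { listen-on port 53 { any; }; allow-query { any; }; allow-recursion { trusted; }; };
view internet { match-clients { any; }; recursion yes; };
EOF
}
# Stand-alone demo: report both samples.
for c in sample_open_conf sample_hardened_conf; do
    if $c | is_open_resolver; then echo "$c: OPEN resolver"; else echo "$c: restricted"; fi
done
```

Run it against the real file with `is_open_resolver < /etc/named.conf` after the functions are sourced.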
Then, you need to edit the local zone configuration file with the following commands,
cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.default
vim /etc/named.rfc1912.zones
Add the following configuration near the top,
zone "." IN {
    type hint;
    file "named.ca";
};
2.3.2 Add forward resolution
In dnsSer0[1,2]
vim /etc/named/named.internet.zones
Add the following configuration to the sub configuration file,
zone "cmdschool.org" IN {
    type master;
    file "cmdschool.org.internet.zone";
    allow-update { none; };
};
Then edit the DNS forward zone file with the following command
vim /var/named/cmdschool.org.internet.zone
Modify the configuration as follows,
$TTL 86400
@       IN SOA  cmdschool.org. root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   localhost
localhost IN A  127.0.0.1
www     IN A    47.90.98.232
2.3.3 Add reverse resolution
In dnsSer0[1,2]
vim /etc/named/named.internet.zones
Add the following configuration to the sub configuration file,
zone "98.90.47.in-addr.arpa" IN {
    type master;
    file "cmdschool.org.internet.rzone";
    allow-update { none; };
};
Note that "98.90.47" in the configuration is the network ID of the IP address "47.90.98.232" written in reverse. Then edit the DNS reverse zone file with the following command
vim /var/named/cmdschool.org.internet.rzone
Modify the configuration as follows,
$TTL 86400
@       IN SOA  cmdschool.org. root.cmdschool.org. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   localhost.
232     IN PTR  www.cmdschool.org.
Note that "232" in the configuration is the host ID of the IP address "47.90.98.232"
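As an added example (not from the original article), the following script generalises the network ID / host ID split described above to /8, /16 and /24 prefixes and prints the zone stanza and PTR record that the page writes by hand; the addresses and file name it is called with are the page's own, the host name for the lab server and the helper names are hypothetical.

```shell
# Added example, not from the original article. Derives the in-addr.arpa zone
# name and PTR owner label from an IPv4 address and a classful prefix (/8,
# /16, /24), generalising the page's "98.90.47" / "232" split, and prints the
# zone stanza and PTR record the page adds by hand. Sample inputs are constructed.

# reverse_zone 47.90.98.232 24  -> 98.90.47.in-addr.arpa
# reverse_zone 10.168.0.60 16   -> 168.10.in-addr.arpa
reverse_zone() {
    n=$(($2 / 8))
    # only whole-octet prefixes map onto a single in-addr.arpa zone here
    [ $(($2 % 8)) -eq 0 ] && [ "$n" -ge 1 ] && [ "$n" -le 3 ] || return 1
    echo "$1" | awk -F. -v n="$n" '{
        out = "in-addr.arpa"
        for (i = 1; i <= n; i++) out = $i "." out   # network octets, reversed
        print out
    }'
}

# ptr_label 47.90.98.232 24 -> 232 ; ptr_label 10.168.0.60 16 -> 60.0
ptr_label() {
    n=$(($2 / 8))
    echo "$1" | awk -F. -v n="$n" '{
        out = ""
        for (i = 4; i > n; i--) {          # host octets, least significant first
            if (out != "") out = out "."
            out = out $i
        }
        print out
    }'
}

# Zone stanza for named.internet.zones: reverse_stanza <ip> <prefix> <zonefile>
reverse_stanza() {
    z=$(reverse_zone "$1" "$2") || return 1
    printf 'zone "%s" IN {\n    type master;\n    file "%s";\n    allow-update { none; };\n};\n' "$z" "$3"
}

# PTR line for the reverse zone file: ptr_record <ip> <prefix> <fqdn>
ptr_record() {
    printf '%s IN PTR %s.\n' "$(ptr_label "$1" "$2")" "$3"
}

# Stand-alone demo with the page's address and the (hypothetical) lab host.
reverse_stanza 47.90.98.232 24 cmdschool.org.internet.rzone
ptr_record 47.90.98.232 24 www.cmdschool.org
ptr_record 10.168.0.60 16 dnsser01.cmdschool.org
```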
2.3.4 Modify the configuration file permissions
In dnsSer0[1,2]
chown root:named /etc/named/named.*.zones
chmod 640 /etc/named/named.*.zones
chown root:named /var/named/cmdschool.org.internet*zone
chmod 640 /var/named/cmdschool.org.internet*zone
2.3.5 Check the configuration files
In dnsSer0[1,2]
named-checkconf /etc/named.conf
named-checkconf -t /var/named/chroot/ /etc/named.conf
2.3.6 Restart the service to apply the configuration
In dnsSer0[1,2]
systemctl restart named-chroot.service
2.3.7 DNS service test
In dnsSer0[1,2]
nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.cmdschool.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa name = www.cmdschool.org.
>
Then, use the following commands to confirm that DNS resolution works against the newly configured servers
In client01
nslookup
> server 10.168.0.60
Default server: 10.168.0.60
Address: 10.168.0.60#53
> www.cmdschool.org
Server: 10.168.0.60
Address: 10.168.0.60#53
Name: www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa name = www.cmdschool.org.
> server 10.169.0.60
Default server: 10.169.0.60
Address: 10.169.0.60#53
> www.cmdschool.org
Server: 10.169.0.60
Address: 10.169.0.60#53
Name: www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa name = www.cmdschool.org.
>
Then, to point the client at the new servers, you should use the following configuration,
nmcli con modify ens33 ipv4.dns "10.168.0.60 10.169.0.60"
nmcli con up ens33
After confirming, test:
nslookup www.cmdschool.org