How to deploy a basic DNS server?

1 Basics

1.1 Basic concepts

– DNS is the abbreviation of Domain Name System; the core of the system is the DNS protocol.
– The DNS protocol is the communication protocol between DNS clients and DNS servers; it supports translating an FQDN (fully qualified domain name) into an IP address.
– A DNS server is the server-side application that provides name-resolution service to DNS clients.

1.2 Introduction to BIND

– BIND is short for Berkeley Internet Name Domain.
– BIND is a concrete implementation of the server side of the DNS protocol; it provides name-resolution service to DNS clients.

2 Best practice

2.1 System environment configuration

2.1.1 Check the system version

In dnsSer0[1-2]

cat /etc/redhat-release

The system version used in this case is as follows:

Red Hat Enterprise Linux release 8.2 (Ootpa)

2.1.2 Configure the Ethernet address and DNS

In dnsSer01

nmcli connection show
nmcli con delete ens33
nmcli device
nmcli con add ifname ens33 con-name ens33 type ethernet
nmcli con modify ens33 ipv4.addresses "10.168.0.60/24"
nmcli con modify ens33 ipv4.gateway 10.168.0.1
nmcli con modify ens33 ipv4.dns "202.96.128.86 202.96.128.166"
nmcli con modify ens33 ipv4.method manual
nmcli con modify ens33 ipv6.method ignore
nmcli con modify ens33 connection.autoconnect yes
nmcli con modify ens33 connection.autoconnect-priority -999
nmcli con up ens33

In dnsSer02

nmcli connection show
nmcli con delete ens33
nmcli device
nmcli con add ifname ens33 con-name ens33 type ethernet
nmcli con modify ens33 ipv4.addresses "10.169.0.60/24"
nmcli con modify ens33 ipv4.gateway 10.169.0.1
nmcli con modify ens33 ipv4.dns "202.96.128.86 202.96.128.166"
nmcli con modify ens33 ipv4.method manual
nmcli con modify ens33 ipv6.method ignore
nmcli con modify ens33 connection.autoconnect yes
nmcli con modify ens33 connection.autoconnect-priority -999
nmcli con up ens33

2.1.3 Configure the host name

In dnsSer0[1,2]

hostnamectl set-hostname dnsser0[1-2].cmdschool.org

2.1.4 Install the name-resolution utilities and test name resolution

In dnsSer0[1,2] & Client[1,2]

dnf install -y bind-utils
host -t A www.cmdschool.org

2.1.5 Configure NTP and the time zone

In dnsSer0[1,2]

dnf install -y chrony

The command above installs the chrony NTP package. Then check the time-server configuration with the following command:

grep ^server /etc/chrony.conf

You should see the following configuration:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

In addition, we recommend setting the time zone with the following command:

timedatectl set-timezone Asia/Shanghai

2.1.6 Install the SSH client tools

In dnsSer0[1,2]

dnf install -y openssh-clients

2.2 Basic DNS environment configuration

2.2.1 Install the BIND packages

In dnsSer0[1,2]

dnf install -y bind-chroot

2.2.2 Stop and disable the standard (non-chroot) named service

In dnsSer0[1,2]

systemctl status named.service
systemctl stop named.service
systemctl disable named.service

2.2.3 Start the chroot named service and enable it at boot

In dnsSer0[1,2]

systemctl start named-chroot.service
systemctl enable named-chroot.service
systemctl status named-chroot.service

2.2.4 Disable IPv6 for the DNS service

In dnsSer0[1-2]

echo 'OPTIONS="-4"' >> /etc/sysconfig/named

2.2.5 Configure the firewall

In dnsSer0[1,2]

firewall-cmd --permanent --add-service dns
firewall-cmd --reload
firewall-cmd --list-all

2.3 Example of a basic DNS configuration

2.3.1 Modify the configuration

In dnsSer0[1,2]

cp /etc/named.conf /etc/named.conf.default
vim /etc/named.conf

The commands above back up and edit the main configuration file; change it as follows:

options {
        listen-on port 53 { 127.0.0.1; any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view internet {
        match-clients      { localhost; any; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        include "/etc/named/named.internet.zones";
};

Then you need to modify the local zone configuration file with the following commands:

cp /etc/named.rfc1912.zones /etc/named.rfc1912.zones.default
vim /etc/named.rfc1912.zones

Add the following configuration near the top of the file:

zone "." IN {
        type hint;
        file "named.ca";
};
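The view above matches any client, accepts queries from anywhere and turns recursion on, so this server will recurse for the whole internet; an open resolver of that kind can be used as a reflector for traffic aimed at third parties and exposes its cache to every client. The shell script below is an added example, not code from the original post: it flags that combination in configuration text and shows the same view with recursion and cache access limited to an ACL of this post's networks. The `trusted` ACL name and the awk heuristic are assumptions; it is a text check, not a named.conf parser, so confirm findings with `named-checkconf -p`.

```shell
# Added example, not code from the original post: a text-level audit of a
# BIND configuration for open-resolver settings.  It scans with awk rather
# than parsing named.conf, so confirm findings with named-checkconf -p.
# audit_view CONFIG_TEXT: prints one finding per line; returns 1 when the
# configuration answers recursive queries for arbitrary clients.
audit_view() {
    printf '%s\n' "$1" | awk '
        { sub(/\/\/.*/, ""); sub(/#.*/, ""); gsub(/[ \t]+/, " ") }  # drop comments, squeeze blanks
        /^ *recursion yes/               { rec = 1 }
        /^ *match-clients .*[{ ]any;/    { mc_any = 1 }
        /^ *allow-query .*[{ ]any;/      { aq_any = 1 }
        /^ *allow-recursion /            { ar = 1; if ($0 ~ /[{ ]any;/) ar_any = 1 }
        END {
            bad = 0
            if (rec && !ar && (mc_any || aq_any)) {
                print "open resolver: recursion yes without allow-recursion, clients matched by any"
                bad = 1
            }
            if (rec && ar_any) { print "open resolver: allow-recursion includes any"; bad = 1 }
            exit bad
        }'
}
# Constructed sample 1: the settings from section 2.3.1 of this post.
OPEN_VIEW='options {
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
};
view internet {
        match-clients      { localhost; any; };
        recursion yes;
};'
# Constructed sample 2: recursion and cache access limited to an assumed ACL of the
# networks used in this post; authoritative answers for hosted zones stay public.
HARDENED_VIEW='acl "trusted" { 127.0.0.1; 10.168.0.0/24; 10.169.0.0/24; };
options {
        allow-query       { any; };
        allow-query-cache { trusted; };
        allow-recursion   { trusted; };
};
view internet {
        match-clients      { any; };
        recursion yes;
};'
audit_view "$OPEN_VIEW" || echo "-> restrict recursion before exposing port 53"
audit_view "$HARDENED_VIEW" && echo "-> hardened sample: no findings"
```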

2.3.2 Add forward resolution

In dnsSer0[1,2]

vim /etc/named/named.internet.zones

Add the following configuration to the sub-configuration file:

zone "cmdschool.org" IN {
        type master;
        file "cmdschool.org.internet.zone";
        allow-update { none; };
};

Then edit the forward zone file with the following command:

vim /var/named/cmdschool.org.internet.zone

Change the configuration as follows:

$TTL    86400
@               IN SOA  cmdschool.org. root (
                                        42              ; serial (d. adams)
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           localhost
localhost       IN A            127.0.0.1
www             IN A            47.90.98.232

2.3.3 Add reverse resolution

In dnsSer0[1,2]

vim /etc/named/named.internet.zones

Add the following configuration to the sub-configuration file:

zone "98.90.47.in-addr.arpa" IN {
        type master;
        file "cmdschool.org.internet.rzone";
        allow-update { none; };
};

Note that "98.90.47" in this configuration is the network part of the IP address "47.90.98.232" written in reverse octet order. Then edit the reverse zone file with the following command:

vim /var/named/cmdschool.org.internet.rzone

Change the configuration as follows:

$TTL    86400
@       IN      SOA     cmdschool.org. root.cmdschool.org.  (
                                      1997022700 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
232     IN      PTR     www.cmdschool.org.

Note that "232" in this configuration is the host part of the IP address "47.90.98.232".
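The two notes above reverse the octets by hand; the shell script below is an added example, not code from the original post, that derives the reverse zone name, the PTR owner label and the full in-addr.arpa name from an address and prefix length (generalised to /8 and /16 as well as the /24 used here), then checks constructed forward and reverse zone text for A records that have no matching PTR. The `mail` host and its address are constructed sample data, not part of the post.

```shell
# Added example, not code from the original post: derive the in-addr.arpa names
# BIND expects from an IPv4 address, then verify that every A record in a
# forward zone has a matching PTR in its reverse zone.

# reverse_name ADDR -> the PTR owner name, e.g. 232.98.90.47.in-addr.arpa
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}
# reverse_zone ADDR PREFIX -> the zone name to declare in named.conf. Only /8,
# /16 and /24 fall on octet boundaries; classless delegation is out of scope.
reverse_zone() {
    echo "$1" | awk -F. -v p="$2" '
        p == 24 { printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }
        p == 16 { printf "%s.%s.in-addr.arpa\n", $2, $1 }
        p == 8  { printf "%s.in-addr.arpa\n", $1 }'
}
# host_label ADDR PREFIX -> the owner label of the PTR record inside that zone
host_label() {
    echo "$1" | awk -F. -v p="$2" '
        p == 24 { print $4 }
        p == 16 { print $4 "." $3 }
        p == 8  { print $4 "." $3 "." $2 }'
}
# check_ptr ORIGIN RZONE FWD_TEXT REV_TEXT: prints the FQDN of each A record in
# RZONE's network that lacks a matching PTR; returns 1 if any is missing.
check_ptr() {
    origin=$1; rzone=$2; fwd=$3; rev=$4
    labels=$(echo "$rzone" | awk -F. '{ print NF }')   # 98.90.47.in-addr.arpa -> 5
    plen=$(( (labels - 2) * 8 ))                         # -> /24
    missing=$(printf '%s\n' "$fwd" | awk '$2 == "IN" && $3 == "A" { print $1, $4 }' |
        while read -r name addr; do
            [ "$(reverse_zone "$addr" "$plen")" = "$rzone" ] || continue  # other network
            want="$name.$origin."
            got=$(printf '%s\n' "$rev" |
                awk -v l="$(host_label "$addr" "$plen")" '$1 == l && $3 == "PTR" { print $4 }')
            [ "$got" = "$want" ] || echo "$want"
        done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}
# Constructed zone text mirroring the post's zones, plus a "mail" host that
# deliberately has no PTR so the failure mode is visible.
FWD='localhost IN A 127.0.0.1
www       IN A 47.90.98.232
mail      IN A 47.90.98.233'
REV='232 IN PTR www.cmdschool.org.'
check_ptr cmdschool.org 98.90.47.in-addr.arpa "$FWD" "$REV" || echo "-> reverse zone incomplete"
```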

2.3.4 Modify the configuration file permissions

In dnsSer0[1,2]

chown root:named /etc/named/named.*.zones
chmod 640 /etc/named/named.*.zones
chown root:named /var/named/cmdschool.org.internet*zone
chmod 640 /var/named/cmdschool.org.internet*zone

2.3.5 Check the configuration files

In dnsSer0[1,2]

named-checkconf /etc/named.conf
named-checkconf -t /var/named/chroot/ /etc/named.conf

2.3.6 Restart the service to apply the configuration

In dnsSer0[1,2]

systemctl restart named-chroot.service

2.3.7 Test the DNS service

In dnsSer0[1,2]

nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> www.cmdschool.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
>

Then, use the following commands to confirm that a client can resolve through the newly configured servers:

In client01

nslookup
> server 10.168.0.60
Default server: 10.168.0.60
Address: 10.168.0.60#53
> www.cmdschool.org
Server:         10.168.0.60
Address:        10.168.0.60#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
> server 10.169.0.60
Default server: 10.169.0.60
Address: 10.169.0.60#53
> www.cmdschool.org
Server:         10.169.0.60
Address:        10.169.0.60#53

Name:   www.cmdschool.org
Address: 47.90.98.232
> 47.90.98.232
232.98.90.47.in-addr.arpa       name = www.cmdschool.org.
>

Then, to point the client at the new servers, apply the following configuration:

nmcli con modify ens33 ipv4.dns "10.168.0.60 10.169.0.60"
nmcli con up ens33

After that, test resolution:

nslookup www.cmdschool.org

References
=================

BIND official home page
—————
https://www.isc.org/bind/

Administrator Reference Manual
—————
https://kb.isc.org/docs/aa-01031

Baidu Baike: fully qualified domain name
—————
https://baike.baidu.com/item/%E5%AE%8C%E6%95%B4%E5%9F%9F%E5%90%8D/10265500?fr=aladdin

Baidu Baike: Domain Name System
—————
https://baike.baidu.com/item/%E5%9F%9F%E5%90%8D%E7%B3%BB%E7%BB%9F/2251573?fromtitle=DNS&fromid=427444&fr=aladdin
