客服微信
作者:泡杯长岛冰茶
|
虚拟机 |
操作系统版本 |
角色 |
ip 地址 |
域名 |
|
unbound |
Redhat 8.4 |
缓存DNS服务器 |
172.16.50.194 |
- |
|
unbound-dns1 |
Redhat 8.4 |
权威主DNS主服务器 |
172.16.50.195 |
yunbee.net50.16.172.in-addr.arpa |
|
unbound-dns2 |
Redhat 8.4 |
权威主DNS备服务器 |
172.16.50.196 |
yunbee.net与50.16.172.in-addr.arpa |
|
unbound-dns3 |
Redhat 8.4 |
权威主DNS服务器 |
172.16.50.177 |
ql.com与zj.yunbee.net |
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@localhost ~]# hostnamectl set-hostname bind-dns1 [root@bind-dns1 ~]# systemctl disable firewalld --now sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config [root@bind-dns1 ~]# setenforce 0 setenforce: SELinux is disabled
[root@bind-dns1 ~]# mount /dev/sr0 /mnt/ mount: /mnt: WARNING: device write-protected, mounted read-only. [root@localhost ~]# cat /etc/yum.repos.d/local_baseos.repo [local_BaseOS] name=local_baseOS baseurl=file:///mnt/BaseOS gpgcheck=0 [local_AppStream] name=local_AppStream baseurl=file:///mnt/AppStream gpgcheck=0 [root@localhost ~]# yum install bind -y [root@bind-dns1 ~]# rpm -qc bind /etc/logrotate.d/named /etc/named.conf /etc/named.rfc1912.zones /etc/named.root.key /etc/rndc.conf /etc/rndc.key /etc/sysconfig/named /var/named/named.ca /var/named/named.empty /var/named/named.localhost /var/named/named.loopback
options {
listen-on port 53 { 172.16.50.195; };
listen-on-v6 port 53 { ::1; };
directory "/var/named"; ##
定义主目录
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; };
include "/etc/named.rfc1912.zones"; //see /etc/named.rfc1912.zones
include "/etc/named.root.key";
zone "yunbee.net" IN {
type master; ## 声明为主dns
file "yunbee.net.zone"; ##/var/named/yunbee.net.zone 定义一个正向查询 yunbee.net.zone文件
};
zone "50.16.172.in-addr.arpa" IN {
type master; ## 声明为主dns
file "yunbee.arpa.zone"; ##/var/named/yunbee.arpa.zone 定义一个反向查询 yunbee.net.zone文件
};
listen-on port 53 { 172.16.50.195; }; 监听在那个IP地址上
allow-query { any; }; 允许客户端访问查询的地址清单
也可以定义访问例表
acl group1 { 172.16.50.0/24; }; office1 假设这个是内外地址
acl group2 { 172.16.20.0/24; group1; }; office2 假设这个是内外地址
acl group3 { 221.0.0.0/8;; }; 假设这个是外地址
你可以定义传输控制 , 下面是语法 (如果你将你的dns服务器放置在公网IP上,一般用slave节点 ,配合acl访问控制)
view "office" {
match-clients { "group2"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { group2; };
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone.";
allow-transfer { group2; };
};
};
view "other-office" {
match-clients { "group3"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone.bak";
allow-transfer { group2; };
};
};
[root@bind-dns1 named]# cp -a named.localhost yunbee.net.zone [root@bind-dns1 named]# ll total 24 drwxrwx---. 2 named named 6 Feb 15 2021 data drwxrwx---. 2 named named 6 Feb 15 2021 dynamic -rw-r-----. 1 root named 2253 Feb 15 2021 named.ca -rw-r-----. 1 root named 152 Feb 15 2021 named.empty -rw-r-----. 1 root named 152 Feb 15 2021 named.localhost -rw-r-----. 1 root named 168 Feb 15 2021 named.loopback drwxrwx---. 2 named named 6 Feb 15 2021 slaves -rw-r-----. 1 root named 168 Feb 15 2021 yunbee.arpa.zone -rw-r-----. 1 root named 152 Feb 15 2021 yunbee.net.zone
默认是缩写
cd /var/named; [root@bind-dns1 named]# vim yunbee.net.zone $TTL 1D ## 全局 (Time to live)缓存时间 @ IN SOA @ root.yunbee.net. ( 0 ; serial ##序号,每次修改时必需更新,且只能加大 1D ; refresh ##刷新时间 1H ; retry ##主从DNS连接失败时,重新尝试建立连接刷新 1W ; expire ##过期时间,重新尝试建立连接刷新到达这个值将不再尝试连接 3H ) ; minimum ## 查询失败的dns缓存 NS @ A 127.0.0.1 www A 172.16.50.30 www0 A 172.16.50.31 ftp CNAME www0
补全写法
[root@bind-dns1 named]# vim yunbee.net.zone $TTL 1D yunbee.net. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum yunbee.net. IN NS yunbee.net. yunbee.net. IN A 172.16.50.195 www.yunbee.net. IN A 172.16.50.30 www0.yunbee.net. IN A 172.16.50.31 ftp.yunbee.net. IN CNAME www0
简写
[root@bind-dns1 named]# cp -a named.loopback yunbee.arpa.zone [root@bind-dns1 named]# vim yunbee.arpa.zone $TTL 1D @ IN SOA @ root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 PTR localhost. 30 PTR www.yunbee.net. 31 PTR www0.yunbee.net. 30 PTR ftp.yunbee.net.
补全写法
$TTL 1D 50.16.172.in-addr.arpa. IN SOA 50.16.172.in-addr.arpa. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum 50.16.172.in-addr.arpa. IN NS 50.16.172.in-addr.arpa. 50.16.172.in-addr.arpa. IN A 172.16.50.195 195.50.16.172.in-addr.arpa. IN PTR 50.16.172.in-addr.arpa. 30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net. 31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
常用写法
$TTL 1D 50.16.172.in-addr.arpa. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum 50.16.172.in-addr.arpa. IN NS yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net. 31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
[root@bind-dns1 named]# named-checkconf /etc/named.conf [root@bind-dns1 named]# named-checkzone yunbee.net yunbee.net.zone zone yunbee.net/IN: loaded serial 0 OK [root@bind-dns1 named] # named-checkzone 50.16.172.in-addr.arpa yunbee.arpa.zone zone 50.16.172.in-addr.arpa/IN: loaded serial 0 OK [root@bind-dns1 named]# systemctl enable named --now Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service. [root@bind-dns1 named]# netstat -tupnl |grep 53 tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3527/named tcp 0 0 172.16.50.195:53 0.0.0.0:* LISTEN 3527/named tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1892/dnsmasq tcp6 0 0 ::1:953 :::* LISTEN 3527/named tcp6 0 0 ::1:53 :::* LISTEN 3527/named
dig
dig查询DNS服务器。
查看www.baidu.com 解析的过程
dig -t A www.baidu.com +trace
host
host是一个DNS查找工具。
rndc
rndc控制BIND的操作。
rndc-confgen
rndc-confgen生成rndc.conf文件
named-checkconf
named-checkconf检查named.conf文件的语法。
named-checkzone
named-checkzone检查区域文件的合法性。
dig axfr @classroom.example.com example.com 下载example.com域里的信息 (allow-transfer 放开)
host -l example.com 下载example.com域里的信息 (allow-transfer 放开)
[root@bind-dns1 named]# dig www.yunbee.net @172.16.50.195 ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.yunbee.net @172.16.50.195 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 90796274012a6bfe8721ebd5613db035692b46030af15e94 (good) ;; QUESTION SECTION: ;www.yunbee.net. IN A ;; ANSWER SECTION: www.yunbee.net. 86400 IN A 172.16.50.30 ;; AUTHORITY SECTION: yunbee.net. 86400 IN NS yunbee.net. ;; ADDITIONAL SECTION: yunbee.net. 86400 IN A 172.16.50.195 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:45:57 CST 2021 ;; MSG SIZE rcvd: 117 [root@bind-dns1 named]# dig -x 172.16.50.30 ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -x 172.16.50.30 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14845 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 62f62f6fe747fd806770e97a613db08a5c92c7680172ae74 (good) ;; QUESTION SECTION: ;30.50.16.172.in-addr.arpa. IN PTR ;; ANSWER SECTION: 30.50.16.172.in-addr.arpa. 86400 IN PTR www.yunbee.net. 30.50.16.172.in-addr.arpa. 86400 IN PTR ftp.yunbee.net. ;; AUTHORITY SECTION: 50.16.172.in-addr.arpa. 86400 IN NS yunbee.net. ;; ADDITIONAL SECTION: yunbee.net. 86400 IN A 172.16.50.195 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:47:22 CST 2021 ;; MSG SIZE rcvd: 158
[root@bind-dns1 named]# host -l yunbee.net yunbee.net name server yunbee.net. yunbee.net has address 172.16.50.195 www.yunbee.net has address 172.16.50.30 www0.yunbee.net has address 172.16.50.31
[root@bind-dns1 named]# dig axfr @172.16.50.195 yunbee.net ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> axfr @172.16.50.195 yunbee.net ; (1 server found) ;; global options: +cmd yunbee.net. 86400 IN SOA yunbee.net. root.yunbee.net. 0 86400 3600 604800 10800 yunbee.net. 86400 IN NS yunbee.net. yunbee.net. 86400 IN A 172.16.50.195 ftp.yunbee.net. 86400 IN CNAME www0.yunbee.net. www.yunbee.net. 86400 IN A 172.16.50.30 www0.yunbee.net. 86400 IN A 172.16.50.31 yunbee.net. 86400 IN SOA yunbee.net. root.yunbee.net. 0 86400 3600 604800 10800 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:52:36 CST 2021 ;; XFR size: 7 records (messages 1, bytes 233)
[root@localhost ~]# mount /dev/sr0 /mnt/ mount: /mnt: WARNING: device write-protected, mounted read-only. [root@localhost ~]# yum install bind -y
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet inet 172.16.50.196/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@localhost ~]# hostnamectl set-hostname bind-dns2 [root@bind-dns1 ~]# systemctl disable firewalld --now sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config [root@bind-dns1 ~]# setenforce 0 setenforce: SELinux is disabled
[root@localhost ~]# vim /etc/named.conf
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { 172.16.50.196; }; ### 添加一行
also-notify { 172.16.50.196; }; ### 添加一行
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone";
allow-transfer { 172.16.50.196; }; ### 添加一行
also-notify { 172.16.50.196; }; ### 添加一行
};
[root@localhost ~]# sed -i 's/127.0.0.1;/172.16.50.196;/' /etc/named.conf
[root@localhost ~]# sed -i 's/localhost;/any;/' /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "yunbee.net" IN {
type slave;
file "yunbee.net.zone";
masters { 172.16.50.195; };
also-notify { 172.16.50.195; };
};
zone "50.16.172.in-addr.arpa" IN {
type slave;
file "yunbee.arpa.zone";
masters { 172.16.50.195; };
also-notify { 172.16.50.195; };
};
systemctl enable named --now
[root@localhost ~]# netstat -tunpl |grep :53
tcp 0 0 172.16.50.196:53 0.0.0.0:* LISTEN 32966/named
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1897/dnsmasq
udp 0 0 172.16.50.196:53 0.0.0.0:* 32966/named
udp 0 0 192.168.122.1:53 0.0.0.0:* 1897/dnsmasq
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1009/avahi-daemon:
[root@bind-dns2 ~]# cd /var/named/
[root@bind-dns2 named]# ll
total 24
drwxrwx--- 2 named named 23 Sep 12 16:11 data
drwxrwx--- 2 named named 60 Sep 12 16:11 dynamic
-rw-r----- 1 root named 2253 Feb 15 2021 named.ca
-rw-r----- 1 root named 152 Feb 15 2021 named.empty
-rw-r----- 1 root named 152 Feb 15 2021 named.localhost
-rw-r----- 1 root named 168 Feb 15 2021 named.loopback
drwxrwx--- 2 named named 6 Feb 15 2021 slaves
-rw-r--r-- 1 named named 326 Sep 12 16:11 yunbee.arpa.zone
-rw-r--r-- 1 named named 331 Sep 12 16:11 yunbee.net.zone
[root@bind-dns2 named]# nslookup www.yunbee.net
Server: 172.16.50.196
Address: 172.16.50.196#53
Name: www.yunbee.net
Address: 172.16.50.30
[root@cache-dns ~]# cat /etc/unbound/conf.d/yunbee.com.conf server: interface: 172.16.50.194 access-control: 0.0.0.0/0 allow domain-insecure: "com." domain-insecure: "cn." domain-insecure: "net." forward-zone: name: "." forward-addr: 172.16.50.196
在企业里面一般采用多套bind做权威DNS,客户端采用unbound服务器,笔者环境当前客户端连接也是unbound DNS服务器。
C:\Users\Administrator>ping www.baidu.com 正在 Ping www.a.shifen.com [14.215.177.39] 具有 32 字节的数据: 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 14.215.177.39 的 Ping 统计信息: 数据包: 已发送 = 3,已接收 = 3,丢失 = 0 (0% 丢失), 往返行程的估计时间(以毫秒为单位): 最短 = 26ms,最长 = 26ms,平均 = 26ms C:\Users\Administrator>nslookup www0.yunbee.net 服务器: UnKnown Address: 172.16.50.194 非权威应答: 名称: www0.yunbee.net Address: 172.16.50.31172
vim /etc/named.conf
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { 172.16.50.196; };
also-notify { 172.16.50.196; };
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone";
allow-transfer { 172.16.50.196; };
also-notify { 172.16.50.196; };
};
/////////////////////// 可以将ql.com 这个域的查询转发到 172.16.50.177
zone "ql.com" IN {
type forward;
forwarders { 172.16.50.177; };
};
[root@bind-dns3 named]# vim /etc/named.conf
zone "ql.com" IN {
type master;
file "ql.com.zone";
};
zone "20.16.172.in-addr.arpa" IN {
type master;
file "ql.arpa.zone";
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "ql.arpa.50.zone";
};
[root@bind-dns3 named]# cat ql.com.zone
$TTL 1D
@ IN SOA @ root.ql.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
vcenter A 172.16.20.210
www A 172.16.20.200
www0 A 172.16.20.199
host1 A 172.16.50.50
host2 A 172.16.50.51
host3 A 172.16.50.52
[root@bind-dns1 ~]# hostname
bind-dns1
[root@bind-dns1 ~]# nslookup www.ql.com
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: www.ql.com
Address: 172.16.20.200
[root@bind-dns1 ~]# nslookup host1.ql.com
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: host1.ql.com
Address: 172.16.50.50
zj.yunbee.net -->172.16.50.177
[root@bind-dns3 named]# hostname
bind-dns3
[root@bind-dns3 named]# ip a s |grep ens192|grep inet
inet 172.16.50.177/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@bind-dns3 named]#
[root@bind-dns3 named]# tail -30 /etc/named.conf
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
zone "zj.yunbee.net" IN {
type master;
file "zj.yunbee.net.zone";
};
[root@bind-dns3 named]# cat zj.yunbee.net.zone
$TTL 1D
@ IN SOA @ root.zj.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 172.16.50.177
qlhost1 A 172.16.20.10
qlhost2 A 172.16.20.11
qlhost3 A 172.16.20.99
[root@bind-dns1 named]# hostname
bind-dns1
[root@bind-dns1 named]# ip a s |grep ens192|grep inet
inet 172.16.50.195/24 brd 172.16.50.255 scope
[root@bind-dns1 named]# cat yunbee.net.zone
$TTL 1D
yunbee.net. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
yunbee.net. IN NS yunbee.net.
yunbee.net. IN A 172.16.50.195
www.yunbee.net. IN A 172.16.50.30
www0.yunbee.net. IN A 172.16.50.31
ftp.yunbee.net. IN CNAME www0
zj.yunbee.net. IN NS zj.yunbee.net.
zj.yunbee.net. IN A 172.16.50.177
[root@bind-dns1 named]# hostname
bind-dns1
[root@bind-dns1 named]# ip a s |grep ens192|grep inet
inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192
[root@bind-dns1 named]#
[root@bind-dns1 named]# cat yunbee.net.zone
$TTL 1D
yunbee.net. IN SOA yunbee.net. root.yunbee.net. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
yunbee.net. IN NS yunbee.net.
yunbee.net. IN A 172.16.50.195
www.yunbee.net. IN A 172.16.50.30
www0.yunbee.net. IN A 172.16.50.31
ftp.yunbee.net. IN CNAME www0
zj.yunbee.net. IN NS zj.yunbee.net.
zj.yunbee.net. IN A 172.16.50.177
[root@bind-dns1 named]# nslookup qlhost1.zj.yunbee.net
Server: 172.16.50.195
Address: 172.16.50.195#53
Non-authoritative answer:
Name: qlhost1.zj.yunbee.net
Address: 172.16.20.10
[root@bind-dns1 named]# dig -t A qlhost1.zj.yunbee.net @172.16.50.195
; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -t A qlhost1.zj.yunbee.net @172.16.50.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9141 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: bb7387e025885a188f05e654613ec6dc7b348ab522ba7c99 (good) ;; QUESTION SECTION: ;qlhost1.zj.yunbee.net. IN A ;; ANSWER SECTION: qlhost1.zj.yunbee.net. 85890 IN A 172.16.20.10 ;; AUTHORITY SECTION: zj.yunbee.net. 86400 IN NS zj.yunbee.net. ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Mon Sep 13 11:34:52 CST 2021 ;; MSG SIZE rcvd: 108
本篇完
