Linux DNS

#Linux DNS

1 背景知识

DNS 可以将域名解析为 IP 地址 。也可以将 IP 地址反向解析为域名
DNS 域名空间 是一种树状的结构,类似于一个到生长的数,DNS 域名空间 的定点称之为根(.) ,使用 . 表示。

DNS 服务器负责管理一个有限的范围(一个或几个域),范围内可以管理主机域名与IP地址的对应关系,这些 DNS域 或IP地址段称之为“zone”。

edu
edu
net
net
gov
gov
com
com
aming.com
aming.com
www.aming.com
www.aming.com
"."
"."Text is not SVG - cannot display

2 需要安装的软件

dnf install bind bind-utils  -y

3 查看相关配置文件

rpm -qc bind 
rpm -qc bind-utils

4 启动DNS

systemctl start bind 
systemctl enable bind

5 配置DNS 解析区域

5.1 域名服务器配置

  1. 编辑 named.conf
vi  /etc/named.conf
  1. 修改DNS 配置,常用参数如下。
参数 说明
listen-on 域名服务器监听端口
directory 域名缓存和配置的目录。
allow-query 允许哪些客户端能够连接。 
options {
        listen-on port 53 { 192.168.10.175; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

5.2 配置DNS 域

  1. 编辑 named.conf
vi  /etc/named.conf
  1. 填写需要解析的域。
zone "web1.com" IN {
        type master;
        file "web1.com.db";
};

zone "web2.com" IN {
        type master;
        file "web2.com.db";
};

6 配置DNS 解析条目

6.1 配置解析文件web1.com.db

vi /var/named/web1.com.db


$TTL 1D
@       IN SOA  ns.web1.com. root.ns.web1.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.web1.com.
ns      A       192.168.10.175
www     A       192.168.10.175

6.2 配置解析文件web2.com.db

vi /var/named/web2.com.db


$TTL 1D
@       IN SOA  ns.web2.com. root.ns.web2.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.web2.com.
ns      A       192.168.10.175
www     A       192.168.10.175

6.3 修改解析文件权限

chown named:named /var/named/web1.com.db /var/named/web2.com.db
Warning

注意 web{1,2}.com.db 文件的权限,对于 named 用户没有权限时则,解析将会失败。

7 测试DNS 有效性

nestloop www.web1.com server1
nestloop www.web2.com server1

ping www.web1.com
ping www.web2.com

8 DNS

即访问非kevin .cn域名时将解析转发到这几个DNS地址(分别为阿里的DNS、google的DNS)上进行解析。 注意这里转发的是DNS地址 ,没有指定DNS转发域名。

 forward first;
 forwarders {            
 223.5.5.5;         
 223.6.6.6;
 8.8.8.8;
 8.8.4.4;};