作者:dbtan |【转载时请以超链接形式标明文章出处作者信息】


DNS服务器:域名→IP

完整的FQDN:www.dbtan.com.

. 根域

.com .edu .org .net .cn 一级域名(顶级域名)

.163 .sohu 二级域名

www 三级域名

间接迭代(默认):向父级查询;若没有,找根越。

自己去找。

递归:向上一级(父级)查询,一级一级的查询,再返回。

消耗DNS服务器。

记录类型:

A :A记录。

PTR:反向记录,IP→域名。

MX:邮件记录。

SOA:起始授权记录。

NS:DNS记录。

CNAME:别名记录。

注:SOA、NS、A记录是必不可少的。

安装DNS服务器需要安装以下三个数据包:

bind-utils-9.3.3-7.el5 查询用

bind-chroot-9.3.3-7.el5 安全机制

caching-nameserver-9.3.3-7.el5 配置文件

DNS服务器的主控配置文件:

/var/named/chroot/etc/named.conf 要手写此配置文件

可参见模板:

[root@vm5: /var/named/chroot/var/named]#rpm -ql bind

-----------------------------前略--------------------------------

/usr/share/doc/bind-9.3.3/sample/etc/named.conf 此为DNS配置文件的模板

-----------------------------后略--------------------------------

[root@vm5:/var/named/chroot/var/named]#vim /usr/share/doc/bind-9.3.3/sample/etc/named.conf

//

// See the BIND Administrator's Reference Manual (ARM) for details, in:

// file:///usr/share/doc/bind-*/arm/Bv9ARM.html

// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and

// its manual.

//

options

{

/* make named use port 53 for the source of all queries, to allow

* firewalls to block all ports except 53:

*/

query-source port 53;

query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:

directory "/var/named"; // the default

dump-file "data/cache_dump.db";

statistics-file "data/named_stats.txt";

memstatistics-file "data/named_mem_stats.txt";

};

logging

{

/* If you want to enable debugging, eg. using the 'rndc trace' command,

* named will try to write the 'named.run' file in the $directory (/var/named).

* By default, SELinux policy does not allow named to modify the /var/named directory,

* so put the default debug log file in data/ :

*/

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

//

// All BIND 9 zones are in a "view", which allow different zones to be served

// to different types of client addresses, and for options to be set for groups

// of zones.

//

// By default, if named.conf contains no "view" clauses, all zones are in the

// "default" view, which matches all clients.

//

// If named.conf contains any "view" clause, then all zones MUST be in a view;

// so it is recommended to start off using views to avoid having to restructure

// your configuration files in the future.

//

view "localhost_resolver"

{

/* This view sets up named to be a localhost resolver ( caching only nameserver ).

* If all you want is a caching-only nameserver, then you need only define this view:

*/

match-clients { localhost; };

match-destinations { localhost; };

recursion yes;

# all views must contain the root hints zone:

include "/etc/named.root.hints";

/* these are zones that contain definitions for all the localhost

* names and addresses, as recommended in RFC1912 - these names should

* ONLY be served to localhost clients:

*/

include "/etc/named.rfc1912.zones";

};

view "internal"

{

/* This view will contain zones you want to serve only to "internal" clients

that connect via your directly attached LAN interfaces - "localnets" .

*/

match-clients { localnets; };

match-destinations { localnets; };

recursion yes;

// all views must contain the root hints zone:

include "/etc/named.root.hints";

// include "named.rfc1912.zones";

// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably

// also be included in the "localhost_resolver" view above :

zone "my.internal.zone" {

type master;

file "my.internal.zone.db";

};

zone "my.slave.internal.zone" {

type slave;

file "slaves/my.slave.internal.zone.db";

masters { /* put master nameserver IPs here */ 127.0.0.1; } ;

// put slave zones in the slaves/ directory so named can update them

};

zone "my.ddns.internal.zone" {

type master;

allow-update { key ddns_key; };

file "slaves/my.ddns.internal.zone.db";

// put dynamically updateable zones in the slaves/ directory so named can update them

};

};

key ddns_key

{

algorithm hmac-md5;

secret "use /usr/sbin/dns-keygen to generate TSIG keys";

};

view "external"

{

/* This view will contain zones you want to serve only to "external" clients

* that have addresses that are not on your directly attached LAN interface subnets:

*/

match-clients { !localnets; !localhost; };

match-destinations { !localnets; !localhost; };

recursion no;

// you'd probably want to deny recursion to external clients, so you don't

// end up providing free DNS service to all takers

// all views must contain the root hints zone:

include "/etc/named.root.hints";

// These are your "authoritative" external zones, and would probably

// contain entries for just your web and mail servers:

zone "my.external.zone" {

type master;

file "my.external.zone.db";

};

};

DNS数据文件:

/var/named/chroot/var/named/目录下,为DNS数据文件。

[root@vm5: /var/named/chroot/var/named]#ls -F

data/ localhost.zone named.ca named.local slaves/ zone.sohu.com

localdomain.zone named.broadcast named.ip6.local named.zero sohu.com.zone

13台根域服务器在:

[root@vm5: /var/named/chroot/var/named]#vim named.ca

; formerly NS.NIC.DDN.MIL

;

. 3600000 NS G.ROOT-SERVERS.NET.

G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4

;

; formerly AOS.ARL.ARMY.MIL

;

. 3600000 NS H.ROOT-SERVERS.NET.

H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53

;

; formerly NIC.NORDU.NET

;

. 3600000 NS I.ROOT-SERVERS.NET.

I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17

;

; operated by VeriSign, Inc.

;

. 3600000 NS J.ROOT-SERVERS.NET.

J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30

;

; operated by RIPE NCC

;

. 3600000 NS K.ROOT-SERVERS.NET.

K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129

;

; operated by ICANN

;

. 3600000 NS L.ROOT-SERVERS.NET.

L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12

;

; operated by WIDE

;

. 3600000 NS M.ROOT-SERVERS.NET.

M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33

; End of File

项目一:配置DNS服务器:

配置主控DNS配置文件:

[root@vm5: /var/named/chroot/etc]#touch named.conf

[root@vm5: /var/named/chroot/etc]#vim named.conf

options {

directory "/var/named";

};

zone "up.com" IN { IN:表示Internet,可省略

type master;

file "up.com.db";

};

DNS数据文件目录下,建立DNS数据文件。

[root@vm5: /var/named/chroot/var/named]#touch up.com.db

[root@vm5: /var/named/chroot/var/named]#vim up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500 修改日期(最长10位)

3H 刷新时间(小时)

15M 延迟15分钟,重试

1W 重试1周就不再重试了

1D ) 1天,同TTL 86400秒

NS dns.up.com.

dns.up.com. A 10.0.4.5

www.up.com. A 10.0.4.10

ftp.up.com. A 10.0.4.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 10.0.4.12

web.up.com. CNAME www.up.com.

设置DNS服务器的IP地址。

[root@vm5: ~]#vim /etc/resolv.conf

nameserver 10.0.4.5

启动DNS服务,并进行测试,查看日志信息。

启动DNS服务:

[root@vm5: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

测试DNS服务:

[root@vm5: /var/named/chroot/var/named]#host www.up.com

www.up.com has address 10.0.4.10

[root@vm5: /var/named/chroot/var/named]#host mail.up.com

mail.up.com mail is handled by 10 mail1.up.com.

[root@vm5: /var/named/chroot/var/named]#host ftp.up.com

ftp.up.com has address 10.0.4.11

[root@vm5: /var/named/chroot/var/named]#host web.up.com

web.up.com is an alias for www.up.com.

www.up.com has address 10.0.4.10

[root@vm5: /var/named/chroot/var/named]#host dns.up.com

dns.up.com has address 10.0.4.5

查看日志:

[root@vm5: /var/named/chroot/var/named]#tail /var/log/messages

Feb 6 11:26:41 vm5 named[5257]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot

Feb 6 11:26:41 vm5 named[5257]: found 2 CPUs, using 2 worker threads

Feb 6 11:26:41 vm5 named[5257]: loading configuration from '/etc/named.conf'

Feb 6 11:26:41 vm5 named[5257]: listening on IPv4 interface lo, 127.0.0.1#53

Feb 6 11:26:41 vm5 named[5257]: listening on IPv4 interface eth0, 10.0.4.5#53

Feb 6 11:26:41 vm5 named[5257]: listening on IPv4 interface eth0:1, 192.168.0.5#53

Feb 6 11:26:41 vm5 named[5257]: command channel listening on 127.0.0.1#953

Feb 6 11:26:41 vm5 named[5257]: command channel listening on ::1#953

Feb 6 11:26:41 vm5 named[5257]: zone up.com/IN: loaded serial 2008022500

Feb 6 11:26:41 vm5 named[5257]: running

项目二:配置主/从DNS服务器:

说明:DNS服务器的IP10.0.4.5192.168.0.5

DNS服务器的IP10.0.4.51

DNS服务器的主控配置文件为项目一中的DNS配置文件。

设置:从DNS的主控配置文件。

[root@vm51: /var/named/chroot/etc]#vim named.conf

options {

directory "/var/named";

};

zone "up.com" IN {

type slave;

masters { 10.0.4.5; };

file "slaves/slave_up.com.db";

};

设置DNSIP地址。

[root@vm51: /var/named/chroot/etc]#vim /etc/resolv.conf

nameserver 10.0.4.5

启动从DNS服务器。

[root@vm51: /var/named/chroot/etc]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

查看从DNS的数据文件目录下:从主DNS服务器“学习”到了数据,数据文件名为slave_up.com.db

[root@vm51: /var/named/chroot/var/named/slaves]#vim slave_up.com.db

$ORIGIN . 省略.

$TTL 86400 ; 1 day

up.com IN SOA dns.up.com. root.dns.up.com. (

2008022500 ; serial

10800 ; refresh (3 hours)

900 ; retry (15 minutes)

604800 ; expire (1 week)

86400 ; minimum (1 day)

)

NS dns.up.com.

$ORIGIN up.com. 省略up.com.

dns A 10.0.4.5

ftp A 10.0.4.11

mail MX 10 mail1

mail1 A 10.0.4.12

web CNAME www

www A 10.0.4.10

测试从DNS服务器。

[root@vm51: /var/named/chroot/var/named/slaves]#nslookup www.up.com

Server: 10.0.4.5

Address: 10.0.4.5#53

Name: www.up.com

Address: 10.0.4.10

[root@vm51: /var/named/chroot/var/named/slaves]#dig mail.up.com

; <<>> DiG 9.3.3rc2 <<>> mail.up.com

;; global options: printcmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33488

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:

;mail.up.com. IN A

;; AUTHORITY SECTION:

up.com. 86400 IN SOA dns.up.com. root.dns.up.com. 2008022500 10800 900 604800 86400

;; Query time: 4 msec

;; SERVER: 10.0.4.5#53(10.0.4.5)

;; WHEN: Wed Jan 16 07:48:12 2008

;; MSG SIZE rcvd: 74

项目三:配置主/从DNS服务器(从DNS为纯缓存方式)

配置主DNS服务器

配置主控DNS配置文件:

[root@vm5: /var/named/chroot/etc]#touch named.conf

[root@vm5: /var/named/chroot/etc]#vim named.conf

acl slave_server {

10.0.4.51;

};

options {

directory "/var/named";

};

zone "up.com" IN {

type master;

file "up.com.db";

allow-transfer { slave_server; };

};

DNS数据文件目录下,建立DNS数据文件。

[root@vm5: /var/named/chroot/var/named]#touch up.com.db

[root@vm5: /var/named/chroot/var/named]#vim up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500 修改日期(最长10位)

3H 刷新时间(小时)

15M 延迟15分钟,重试

1W 重试1周就不再重试了

1D ) 1天,同TTL 86400秒

NS dns.up.com.

dns.up.com. A 10.0.4.5

www.up.com. A 10.0.4.10

ftp.up.com. A 10.0.4.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 10.0.4.12

web.up.com. CNAME www.up.com.

设置DNS服务器的IP地址。

[root@vm5: ~]#vim /etc/resolv.conf

nameserver 10.0.4.5

启动DNS服务,并进行测试,查看日志信息。

启动DNS服务:

[root@vm5: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

配置从DNS服务器为纯缓存方式。

配置从DNS服务器的主控配置文件。

[root@vm51: /var/named/chroot/etc]#vim named.conf

options {

directory "/var/named";

forward only; 只缓存主DNS上的数据,在从DNS上的数据目录下不产生数据文件。

forwarders { 10.0.4.5; };

};

设置DNS服务器的IP地址。

[root@vm5: ~]#vim /etc/resolv.conf

nameserver 10.0.4.5

启动DNS服务,并进行测试,查看日志信息。

启动DNS服务:

[root@vm5: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

测试从DNS服务器(纯缓存方式)

[root@vm51: /var/named/chroot/etc]#host www.up.com

www.up.com has address 10.0.4.10

项目四:DNS轮询实现

DNS数据文件目录下,写数据文件如下:

[root@vm5: /var/named/chroot/var/named]#vim up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500

3H

15M

1W

1D )

NS dns.up.com.

dns.up.com. A 10.0.4.5

www.up.com. A 10.0.4.10

ftp.up.com. A 10.0.4.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 10.0.4.12

web.up.com. CNAME www.up.com.

$TTL 10 用TTL值,调整权值。

www.up.com. A 10.0.4.20 实际工作中,此处并不是单台服务器,而是服务器集群

www.up.com. A 10.0.4.30

www.up.com. A 10.0.4.40

www.up.com. A 10.0.4.50

www.up.com. A 10.0.4.60

启动DNS服务器。

[root@vm5: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

测试DNS轮询。

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.10) 56(84) bytes of data.

--- www.up.com ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 1004ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.60) 56(84) bytes of data.

--- www.up.com ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.50) 56(84) bytes of data.

--- www.up.com ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.40) 56(84) bytes of data.

--- www.up.com ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.30) 56(84) bytes of data.

--- www.up.com ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.20) 56(84) bytes of data.

--- www.up.com ping statistics ---

1 packets transmitted, 0 received, 100% packet loss, time 0ms

[root@vm5: /var/named/chroot/var/named]#ping www.up.com

PING www.up.com (10.0.4.10) 56(84) bytes of data.

--- www.up.com ping statistics ---

2 packets transmitted, 0 received, 100% packet loss, time 999ms

说明:REHL5中,轮询时,按数据文件的倒序进行平均地轮询。

项目五:DNS范解析。

DNS数据文件目录下,写数据文件如下:

[root@vm5: /var/named/chroot/var/named]#vim up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500

3H

15M

1W

1D )

NS dns.up.com.

dns.up.com. A 10.0.4.5

www.up.com. A 10.0.4.10

ftp.up.com. A 10.0.4.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 10.0.4.12

web.up.com. CNAME www.up.com.

$GENERATE 1-250 stu$.up.com. A 10.0.4.$ 设置范解析

$TTL 10

www.up.com. A 10.0.4.20

www.up.com. A 10.0.4.30

www.up.com. A 10.0.4.40

www.up.com. A 10.0.4.50

www.up.com. A 10.0.4.60

启动DNS服务器。

[root@vm5: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

测试DNS范解析。

[root@vm5: /var/named/chroot/var/named]#ping stu5.up.com -c 1

PING stu5.up.com (10.0.4.5) 56(84) bytes of data.

64 bytes from vm5.sohu.com (10.0.4.5): icmp_seq=1 ttl=64 time=0.002 ms

--- stu5.up.com ping statistics ---

1 packets transmitted, 1 received, 0% packet loss, time 0ms

rtt min/avg/max/mdev = 0.002/0.002/0.002/0.000 ms

项目六:DNS服务器,常用“字段”练习。

例:

说明:DNS服务器IP10.0.4.51192.168.0.51

telcom.conf 文件内容为:电信的网段。

cnc.conf 文件内容为:网通的网段。

这两个文件存在/var/named/chroot/etc/目录下。

要实现:在电信网段内的IP访问电信的DNS,在网通网段内的IP访问网通的DNS。

配置DNS主控配置文件。

[root@vm51: /var/named/chroot/etc]#vim named.conf

include "/etc/telcom.conf"; 包含电信的网段

include "/etc/cnc.conf"; 包含网通的网段

options {

directory "/var/named";

};

view telcom { view:视图

//this view is for telcom ip:192.168.0.0/24;

match-clients { telcom; }; 客户端

match-destinations { telcom; }; 目标网络。目标:哪些人能查我的DNS。

客户端、目标网络填写的“内容相同”。

recursion yes; 开启迭代

zone "up.com" {

type master;

file "telcom_up.com.db";

};

};

view cnc {

//this view is for cnc ip:10.0.4.0/26;

match-clients { cnc; };

match-destinations { cnc; };

recursion yes;

zone "up.com" {

type master;

file "cnc_up.com.db";

};

};

创建telcom.confcnc.conf文件。

[root@vm51: /var/named/chroot/etc]#vim telcom.conf

acl telcom {

192.168.0.0/24;

192.168.1.0/24;

192.168.2.0/24;

192.168.3.0/24;

};

[root@vm51: /var/named/chroot/etc]#vim cnc.conf

acl cnc {

10.0.4.128/26;

10.0.4.64/26;

10.0.4.192/26;

10.0.4.0/26;

};

/var/named/chroot/var/named/目录下,创建telcom_up.com.dbcnc_up.com.db这两个数据文件。

[root@vm51: /var/named/chroot/var/named]#vim telcom_up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500

3H

15M

1W

1D )

NS dns.up.com.

dns.up.com. A 192.168.0.51

www.up.com. A 192.168.0.10

ftp.up.com. A 192.168.0.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 192.168.0.12

web.up.com. CNAME www.up.com.

$GENERATE 1-250 stu$.up.com. A 192.168.0.$

$TTL 10

www.up.com. A 192.168.0.20

www.up.com. A 192.168.0.30

www.up.com. A 192.168.0.40

www.up.com. A 192.168.0.50

www.up.com. A 192.168.0.60

[root@vm51: /var/named/chroot/var/named]#vim cnc_up.com.db

$TTL 86400

@ SOA dns.up.com. root.dns.up.com. ( 2008022500

3H

15M

1W

1D )

NS dns.up.com.

dns.up.com. A 10.0.4.51

www.up.com. A 10.0.4.10

ftp.up.com. A 10.0.4.11

mail.up.com. MX 10 mail1.up.com.

mail1.up.com. A 10.0.4.12

web.up.com. CNAME www.up.com.

$GENERATE 1-250 stu$.up.com. A 10.0.4.$

$TTL 10

www.up.com. A 10.0.4.20

www.up.com. A 10.0.4.30

www.up.com. A 10.0.4.40

www.up.com. A 10.0.4.50

www.up.com. A 10.0.4.60

启动DNS服务器。

[root@vm51: /var/named/chroot/var/named]#service named restart

Stopping named: [ OK ]

Starting named: [ OK ]

分别测试电信、网通DNS

测试电信:

[root@vm51: /var/named/chroot/etc]#vim /etc/resolv.conf

; generated by /sbin/dhclient-script

search domain.org

#nameserver 10.0.4.51

nameserver 192.168.0.51

[root@vm51: /var/named/chroot/etc]#host www.up.com

www.up.com has address 192.168.0.10

www.up.com has address 192.168.0.20

www.up.com has address 192.168.0.30

www.up.com has address 192.168.0.40

www.up.com has address 192.168.0.50

www.up.com has address 192.168.0.60

[root@vm51: /var/named/chroot/etc]#host mail.up.com

mail.up.com mail is handled by 10 mail1.up.com.

测试网通:

[root@vm51: /var/named/chroot/etc]#vim /etc/resolv.conf

; generated by /sbin/dhclient-script

search domain.org

nameserver 10.0.4.51

#nameserver 192.168.0.51

[root@vm51: /var/named/chroot/etc]#host web.up.com

web.up.com is an alias for www.up.com.

www.up.com has address 10.0.4.60

www.up.com has address 10.0.4.10

www.up.com has address 10.0.4.20

www.up.com has address 10.0.4.30

www.up.com has address 10.0.4.40

www.up.com has address 10.0.4.50

[root@vm51: /var/named/chroot/etc]#host ftp.up.com

ftp.up.com has address 10.0.4.11