一、Domain name resolution process
Full DNS resolution sequence
1、Look up the record in the local hosts file
2、Look up the client's local DNS cache
3、Query the DNS forwarding (caching) server's local cache
4、Forward to the authoritative server and check its local cache
5、Query the authoritative server's zone records
6、Iterative lookup by the authoritative server
6.1、Query the subdomain's authoritative server cache
6.2、Query the subdomain's zone records
7、Query the root servers
8、Query the top-level domain servers
……
二、DNS record types
1、DNS server types
Primary (master) DNS server
Manages and maintains the zone database for the domains it is responsible for
Secondary (slave) DNS server
Copies the zone database from the primary or from another secondary (zone transfer)
Caching DNS server (forwarder)
Forwards client requests to a designated DNS server and stores the results that server returns in its local DNS cache. A caching server holds no zone data of its own and does not resolve names by itself.
2、Answer types
- Positive answer: a result exists for the query
- Negative answer: no result can be returned, for example because the requested entry does not exist
- Authoritative answer: returned directly by the DNS server that holds the queried data (the authoritative server)
- Non-authoritative answer: returned by some other, non-authoritative server
3、Resource records (RR, Resource Record)
Zone database
Made up of many resource records (RRs)
Record types: SOA, A, AAAA, NS, CNAME, MX, TXT, PTR
- SOA: Start Of Authority. A zone database has exactly one SOA record, and it must be the first record in the zone
- A: IPv4 forward-resolution record
- AAAA: IPv6 forward-resolution record
- NS: names the DNS servers of the current zone
- CNAME: alias record
- MX: mail exchanger
- TXT: free-form text attached to a name; usually used for verification records such as SPF (anti-spam) records or HTTPS verification
- PTR: reverse-resolution record (IP address to FQDN; see 3.9)
3.1、Resource record format
name [TTL] IN rr_type value
The @ symbol refers to the name of the current zone
The TTL may be omitted and is then inherited from the global $TTL
The IN class may be omitted and is then inherited from the previous record
One name may have several records with different values; the DNS server then answers them in round-robin order
One value may also be defined under several different names; several names pointing at the same value means the same host can be reached under different names
3.2、SOA record
name: the name of the current zone
value: made up of several fields
the FQDN of the current primary DNS server (the zone name itself may also be used)
the zone administrator's mailbox; because the @ character cannot be used, it is replaced by a dot, e.g. root.janzen.com (root@janzen.com)
the timers for primary/secondary zone transfer, and the TTL applied to negative answers
@ IN SOA dns1.janzen.com. root.janzen.com. (
        1        ; serial
        604800   ; refresh
        86400    ; retry
        2419200  ; expire
        604800 ) ; TTL for negative answers
3.3、A record
name: the host's FQDN; a trailing . marks a complete name, and the short form without the trailing . (relative to the zone) is also allowed
value: the corresponding IPv4 address
dns1                A 10.0.0.20
dns2                A 10.0.0.21
gitlab.janzen.com.  A 10.0.0.13
harbor              A 10.0.0.9
harbor              A 10.0.0.10
3.4、AAAA record
name: the host's FQDN; a trailing . marks a complete name, and the short form without the trailing . is also allowed
value: the corresponding IPv6 address
3.5、NS record
name: the name of the current zone
value: the name of one DNS server of the current zone
When two adjacent resource records have the same name, the later one may omit it
For NS records, every name that follows an NS record should have a corresponding A record later in the zone
A zone may have several NS records
@ IN NS dns1
  IN NS dns2
3.6、CNAME record
name: the alias FQDN
value: the real FQDN
dns IN CNAME dns1
3.7、MX record
name: the name of the current zone
value: the name of one mail server (SMTP server) of the current zone
A zone may have several MX records, but each value must be preceded by a number (0-99) giving the server's priority
For MX records, every name that follows an MX record should have a corresponding A record later in the zone
@     IN MX 12 mail1
      IN MX 10 mail2
mail1 IN A  10.0.0.31
mail2 IN A  10.0.0.32
3.8、TXT record
name: the text label
value: the text content
_dnstxt TXT this is @ name server
3.9、PTR record
name: the IP address
value: the FQDN
The IP in name has a fixed form: the octets are written in reverse order and the special suffix in-addr.arpa. is appended
Full form: 20.0.0.10.in-addr.arpa.
The network part and the suffix may be omitted, but the host part must still be written reversed
20.0.0.10.in-addr.arpa. IN PTR dns.janzen.com.
; 10.0.0 is the network part, so it can be omitted
9                       IN PTR harbor.janzen.com.
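The conventions in 3.1 to 3.9 can be checked mechanically. The following Python script is an added example (not part of these notes) that parses a zone file written in the format above, applies the rules stated there (exactly one SOA and it must be first, MX preference in 0-99, an A/AAAA record in the zone for every NS and MX target), lists the names that will be answered round-robin, and builds PTR owner names in both the full in-addr.arpa form and the short form used inside a reverse zone. The sample zone is constructed for the example; mail2 is deliberately left without an A record.

```python
import ipaddress

# Constructed sample zone in the format described above; not the page's own file.
# mail2 is deliberately missing its A record so the check has something to find.
SAMPLE_ZONE = """\
$TTL 604800
@       IN SOA dns1.janzen.com. root.janzen.com. (
                1         ; serial
                604800    ; refresh
                86400     ; retry
                2419200   ; expire
                604800 )  ; negative-answer TTL
@       IN NS    dns1
        IN NS    dns2
        IN MX    12 mail1
        IN MX    10 mail2
dns     IN CNAME dns1
dns1    IN A     10.0.0.20
dns2    IN A     10.0.0.21
mail1   IN A     10.0.0.31
harbor  IN A     10.0.0.9
harbor  IN A     10.0.0.10
"""


def _logical_lines(text):
    """Drop ';' comments and join the lines of a parenthesised record into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        depth += line.count("(") - line.count(")")
        if line.strip():
            buf.append(line)
        if depth == 0 and buf:
            yield " ".join(buf)
            buf = []


def fqdn(name, origin):
    """'@' is the origin, a trailing dot means complete, anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata tokens); a line starting with whitespace inherits
    the previous owner, and the TTL and class fields are optional."""
    records, owner = [], None
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue                      # $TTL / $ORIGIN directives
        inherits = line[0].isspace()
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not inherits:
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                 # class, inherited when absent
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_zone(text, origin="janzen.com."):
    """Apply the rules from the notes: one SOA first, MX preference 0-99, and an
    in-zone A/AAAA record for every NS and MX target."""
    records = parse_zone(text)
    findings = []
    if [i for i, (_, t, _) in enumerate(records) if t == "SOA"] != [0]:
        findings.append("zone must contain exactly one SOA record, and it must be first")
    addressed = {fqdn(o, origin) for o, t, _ in records if t in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype == "MX" and not (rdata[0].isdigit() and 0 <= int(rdata[0]) <= 99):
            findings.append(f"MX preference {rdata[0]!r} is not a number in 0-99")
        if rtype in ("NS", "MX"):
            target = fqdn(rdata[-1], origin)
            if target.endswith(origin) and target not in addressed:
                findings.append(f"{rtype} target {target} has no A/AAAA record in the zone")
    return findings


def round_robin_names(text, origin="janzen.com."):
    """Names with more than one A record, i.e. answered round-robin by the server."""
    counts = {}
    for owner, rtype, _ in parse_zone(text):
        if rtype == "A":
            counts[fqdn(owner, origin)] = counts.get(fqdn(owner, origin), 0) + 1
    return sorted(n for n, c in counts.items() if c > 1)


def ptr_owner(ip):
    """Full reverse-map owner name: 10.0.0.20 -> 20.0.0.10.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_owner_in_zone(ip, reverse_zone):
    """Owner relative to a reverse zone, network part dropped: 10.0.0.9 in 0.0.10.in-addr.arpa -> '9'"""
    full, suffix = ptr_owner(ip), "." + reverse_zone.rstrip(".")
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {reverse_zone}")
    return full[: -len(suffix)]


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE):
        print("finding:", finding)
    print("round-robin:", round_robin_names(SAMPLE_ZONE))
    print(ptr_owner("10.0.0.20"), ptr_owner_in_zone("10.0.0.9", "0.0.10.in-addr.arpa"))
```

named-checkzone from the bind package performs the authoritative syntax check; this script only encodes the conventions listed above, which named-checkzone does not enforce, and is meant as a guard for hand-edited zone files before rndc reload.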
三、DNS tools
The dig tool
Used to test DNS resolution results
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
Where:  domain    is in the Domain Name System
        q-class   is one of (in,hs,ch,...) [default: in]
        q-type    is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                  (Use ixfr=version for type ixfr)
        q-opt     +[no]trace (Trace delegation down from root [+dnssec])
                  +[no]recurse (Recursive mode (+[no]rdflag))
# pull every record of the zone from the target DNS server (zone transfer)
dig -t AXFR janzen.com @10.0.0.21
# trace the delegation path for a name
dig +trace app3.janzen.com @10.0.0.21
# query the PTR record
dig -x 10.0.0.21
# show only the answer data
dig +short app3.janzen.com @10.0.0.71
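To act on dig's answers from a script instead of reading them by eye, the following Python parser is an added example (not part of these notes) that pulls the status, header flags and per-section records out of dig's text output, classifies the response with the answer types from section 二.2 (the aa flag marks an authoritative answer; NXDOMAIN or an empty ANSWER section marks a negative one), follows a CNAME chain to the final address, and reads the negative-caching TTL from the SOA in the AUTHORITY section. Both outputs are constructed to match the shape of the responses shown later in these notes.

```python
import re

# Constructed dig output modelled on the authoritative answers in these notes
# (abridged; not a capture from the page).
AUTHORITATIVE_OUTPUT = """\
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> dns.janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32150
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dns.janzen.com.                IN      A

;; ANSWER SECTION:
dns.janzen.com.         604800  IN      CNAME   dns1.janzen.com.
dns1.janzen.com.        604800  IN      A       10.0.0.20

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns1.janzen.com.
janzen.com.             604800  IN      NS      dns2.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
"""

# Constructed negative answer for a name that does not exist in the zone.
NEGATIVE_OUTPUT = """\
; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> nope.janzen.com @10.0.0.20
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;nope.janzen.com.               IN      A

;; AUTHORITY SECTION:
janzen.com.             604800  IN      SOA     janzen.com. root.localhost. 2 604800 86400 2419200 604800
"""


def parse_dig(output):
    """Extract status, header flags and the records of each section from dig's text output."""
    parsed = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            parsed["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            parsed["flags"] = set(line[len(";; flags:"):].split(";", 1)[0].split())
        elif line.endswith("SECTION:"):
            section = line.strip("; ").split()[0].lower()
            parsed["sections"][section] = []
        elif not line.strip() or line.startswith(";"):
            continue                      # blank, comment, or the question line
        elif section:
            owner, ttl, _cls, rtype, *rdata = line.split()
            parsed["sections"][section].append((owner, int(ttl), rtype, " ".join(rdata)))
    return parsed


def classify(parsed):
    """Map a response onto the answer types listed in section 二.2."""
    if parsed["status"] != "NOERROR" or not parsed["sections"].get("answer"):
        return "negative"
    return "authoritative" if "aa" in parsed["flags"] else "non-authoritative"


def addresses_for(parsed, name):
    """Follow CNAMEs inside the ANSWER section and return the final A/AAAA addresses."""
    answer = parsed["sections"].get("answer", [])
    seen = set()
    while name not in seen:
        seen.add(name)
        addrs = [rd for o, _, t, rd in answer if o == name and t in ("A", "AAAA")]
        if addrs:
            return addrs
        cnames = [rd for o, _, t, rd in answer if o == name and t == "CNAME"]
        if not cnames:
            break
        name = cnames[0]
    return []


def negative_ttl(parsed):
    """How long a resolver may cache the negative answer: the smaller of the SOA record's
    own TTL and its last (minimum) field, taken from the AUTHORITY section."""
    for _, ttl, rtype, rdata in parsed["sections"].get("authority", []):
        if rtype == "SOA":
            return min(ttl, int(rdata.split()[-1]))
    return None


if __name__ == "__main__":
    ok = parse_dig(AUTHORITATIVE_OUTPUT)
    print(classify(ok), addresses_for(ok, "dns.janzen.com."))
    nx = parse_dig(NEGATIVE_OUTPUT)
    print(classify(nx), nx["status"], negative_ttl(nx))
```

The same parser works on the output of dig -x for PTR lookups and on dig +trace sections, since every section follows the owner / TTL / class / type / rdata layout; only the +short form, which prints bare rdata, is not handled.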
The nslookup tool
nslookup [-option] [name | -] [server]
rndc, the DNS management tool
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
                Removes zone from given view.
  dnstap -reopen
                Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
                Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  managed-keys refresh [class [view]]
                Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
                Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
                Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
                Modify a zone's configuration. Requires allow-new-zones option.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  nta -dump
                List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
                Set a negative trust anchor, disabling DNSSEC validation
                for the given domain.
                Using -lifetime specifies the duration of the NTA, up
                to one week.
                Using -force prevents the NTA from expiring before its
                full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
                Remove a negative trust anchor, re-enabling validation
                for the given domain.
  querylog [ on | off ]
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  scan          Scan available network interfaces for changes.
  secroots [view ...]
                Write security roots to the secroots file.
  showzone zone [class [view]]
                Print a zone's configuration.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear / zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  signing -serial zone [class [view]]
                Set the zones's serial to .
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean]
                Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation [ yes | no | status ] [view]
                Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
                Display the current status of a zone.

Version: 9.11.3-1ubuntu1.18-Ubuntu
四、DNS installation and deployment
1、CentOS 7: configure a primary server for forward resolution
1.1、Install the bind service and the DNS tools package bind-utils with yum
yum install -y bind bind-utils
1.2、Edit the named.conf configuration file: comment out the listen-on and allow-query restrictions (so the server listens on all IPv4 addresses and answers any client) and include the zone configuration file
[root@node-centos7-70 ~]# vim /etc/named.conf
options {
#       listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
#       allow-query     { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
1.3、Create the named.zones zone configuration file
[root@node-centos7-70 ~]# vim /etc/named.zones
zone "janzen.com" IN {
        type master;
        file "named.janzen.com";
        allow-update { none; };
};
1.4、Create the named.janzen.com zone database file
[root@node-centos7-70 etc]# vim /var/named/named.janzen.com
;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX      12 mail1
        IN      MX      10 mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server
1.5、Fix the file permissions
[root@node-centos7-70 etc]# chmod 640 {/etc/named.zones,/var/named/named.janzen.com}
[root@node-centos7-70 etc]# chgrp named {/etc/named.zones,/var/named/named.janzen.com}
1.6、Enable the named service at boot and start it
[root@node-centos7-70 etc]# systemctl enable --now named
1.7、Test the DNS service with dig
[root@node-centos7-70 etc]# dig dns.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 51429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.janzen.com.                IN      A

;; ANSWER SECTION:
dns.janzen.com.         604800  IN      CNAME   dns1.janzen.com.
dns1.janzen.com.        604800  IN      A       10.0.0.20

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:16:54 CST 2023
;; MSG SIZE  rcvd: 127

[root@node-centos7-70 etc]# dig janzen.com @10.0.0.70 mx

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> janzen.com @10.0.0.70 mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 2566
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;janzen.com.                    IN      MX

;; ANSWER SECTION:
janzen.com.             604800  IN      MX      10 mail2.janzen.com.
janzen.com.             604800  IN      MX      12 mail1.janzen.com.

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
mail1.janzen.com.       604800  IN      A       10.0.0.31
mail2.janzen.com.       604800  IN      A       10.0.0.32
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:18:09 CST 2023
;; MSG SIZE  rcvd: 185

[root@node-centos7-70 etc]# dig harbor.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> harbor.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 33334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;harbor.janzen.com.             IN      A

;; ANSWER SECTION:
harbor.janzen.com.      604800  IN      A       10.0.0.10
harbor.janzen.com.      604800  IN      A       10.0.0.9

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns1.janzen.com.
janzen.com.             604800  IN      NS      dns2.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:20:07 CST 2023
;; MSG SIZE  rcvd: 148
1.8、Change the zone database and reload it with rndc
[root@node-centos7-70 etc]# vim /var/named/named.janzen.com
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX      12 mail1
        IN      MX      10 mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.70
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server
[root@node-centos7-70 etc]# rndc reload
server reload successful
[root@node-centos7-70 etc]# dig dns.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 5247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.janzen.com.                IN      A

;; ANSWER SECTION:
dns.janzen.com.         604800  IN      CNAME   dns1.janzen.com.
dns1.janzen.com.        604800  IN      A       10.0.0.70

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:27:45 CST 2023
;; MSG SIZE  rcvd: 127
2、Ubuntu: install the bind service with apt
2.1、Install the bind9 service and the DNS tools package bind9utils with apt
[root@Node-Ubuntu1804-20:~]# apt install -y bind9 bind9utils
2.2、Edit the named.conf configuration file and include the zone configuration file
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";
2.3、Create the named.zones zone configuration file
[root@Node-Ubuntu1804-20:~]# vim /etc/bind/named.zones
zone janzen.com IN {
        type master;
        file "/etc/bind/db.janzen.com";
};
2.4、Create the db.janzen.com zone database file
[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.janzen.com
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX      12 mail1
        IN      MX      10 mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server
2.5、Fix the file permissions
[root@Node-Ubuntu1804-20:~]# chmod 640 /etc/bind/{named.zones,db.janzen.com}
[root@Node-Ubuntu1804-20:~]# chgrp bind /etc/bind/{named.zones,db.janzen.com}
2.6、Start the bind9 service
[root@Node-Ubuntu1804-20:~]# systemctl start bind9
2.7、Test the DNS service with dig
[root@Ansible-Ubuntu1804-25:~]# dig dns.janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> dns.janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 32150
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 95d843b6344528dfc99349d4646f3bbb5812908fa82e3d3f (good)
;; QUESTION SECTION:
;dns.janzen.com.                IN      A

;; ANSWER SECTION:
dns.janzen.com.         604800  IN      CNAME   dns1.janzen.com.
dns1.janzen.com.        604800  IN      A       10.0.0.20

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns1.janzen.com.
janzen.com.             604800  IN      NS      dns2.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:43:07 CST 2023
;; MSG SIZE  rcvd: 155

[root@Ansible-Ubuntu1804-25:~]# dig janzen.com @10.0.0.20 mx

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> janzen.com @10.0.0.20 mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 11520
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2bd0379cc8f4ca918c8ed28e646f3c5c2d56e5c3704f4752 (good)
;; QUESTION SECTION:
;janzen.com.                    IN      MX

;; ANSWER SECTION:
janzen.com.             604800  IN      MX      10 mail2.janzen.com.
janzen.com.             604800  IN      MX      12 mail1.janzen.com.

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
mail2.janzen.com.       604800  IN      A       10.0.0.32
mail1.janzen.com.       604800  IN      A       10.0.0.31
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 1 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:45:48 CST 2023
;; MSG SIZE  rcvd: 213

[root@Ansible-Ubuntu1804-25:~]# dig harbor.janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> harbor.janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 45201
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 97efe511ca506c99495a4d4d646f3c70aac936a36fab58f2 (good)
;; QUESTION SECTION:
;harbor.janzen.com.             IN      A

;; ANSWER SECTION:
harbor.janzen.com.      604800  IN      A       10.0.0.9
harbor.janzen.com.      604800  IN      A       10.0.0.10

;; AUTHORITY SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21

;; Query time: 1 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:46:08 CST 2023
;; MSG SIZE  rcvd: 176
2.8、Change the zone database and reload it with rndc
[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.janzen.com
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      NS      dns3
        IN      MX      12 mail1
        IN      MX      10 mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
dns3    IN      A       10.0.0.70
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server
[root@Node-Ubuntu1804-20:~]# rndc reload janzen.com
zone reload queued
[root@Ansible-Ubuntu1804-25:~]# dig ns janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> ns janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 1374
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f4619011881ac8168f1e6981646f3ce9f82e1484c3c43f22 (good)
;; QUESTION SECTION:
;janzen.com.                    IN      NS

;; ANSWER SECTION:
janzen.com.             604800  IN      NS      dns2.janzen.com.
janzen.com.             604800  IN      NS      dns1.janzen.com.
janzen.com.             604800  IN      NS      dns3.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21
dns3.janzen.com.        604800  IN      A       10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:48:09 CST 2023
;; MSG SIZE  rcvd: 172
五、DNS reverse resolution configuration
1、CentOS 7: configure reverse resolution
1.1、Add the reverse zone to named.zones
[root@node-centos7-70 etc]# vim /etc/named.zones
zone "janzen.com" IN {
        type master;
        file "named.janzen.com";
        allow-update { none; };
};
zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "named.10.0.0";
};
1.2、Create the named.10.0.0 reverse zone database
[root@node-centos7-70 etc]# vim /var/named/named.10.0.0
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        NS      dns1.janzen.com.
70      IN      PTR     dns1.janzen.com.
21      IN      PTR     dns2.janzen.com.
9       IN      PTR     harbor.janzen.com.
10      IN      PTR     harbor.janzen.com.
31      IN      PTR     mail1.janzen.com.
32      IN      PTR     mail2.janzen.com.
1.3、Reload the service
[root@node-centos7-70 etc]# rndc reload
server reload successful
1.4、Verify reverse resolution
[root@Node-Ubuntu1804-20:~]# dig -t ptr 9.0.0.10.in-addr.arpa. @10.0.0.70

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 9.0.0.10.in-addr.arpa. @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 17291
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d92a9b9a0cba6df1281d8d7a646f4fe3ba882373c080d21e (good)
;; QUESTION SECTION:
;9.0.0.10.in-addr.arpa.         IN      PTR

;; ANSWER SECTION:
9.0.0.10.in-addr.arpa.  604800  IN      PTR     harbor.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: Thu May 25 20:09:07 CST 2023
;; MSG SIZE  rcvd: 144

[root@Node-Ubuntu1804-20:~]# dig -t ptr 31.0.0.10.in-addr.arpa. @10.0.0.70

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 31.0.0.10.in-addr.arpa. @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 40029
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 96c1482be18e12c7c27f80ae646f4fe90a240b78bb3e6e6c (good)
;; QUESTION SECTION:
;31.0.0.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
31.0.0.10.in-addr.arpa. 604800  IN      PTR     mail1.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: Thu May 25 20:09:13 CST 2023
;; MSG SIZE  rcvd: 144
2、Ubuntu: configure reverse resolution
2.1、Add the reverse zone to named.zones
[root@Node-Ubuntu1804-20:~]# vim /etc/bind/named.zones
zone janzen.com IN {
        type master;
        file "/etc/bind/db.janzen.com";
};
zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "/etc/bind/db.10.0.0";
};
2.2、Create the reverse zone database
[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.10.0.0
$TTL    604800
@       IN      SOA     @ root.janzen.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
        NS      dns1.janzen.com.
        NS      dns2.janzen.com.
        NS      dns3.janzen.com.
20      IN      PTR     dns1.janzen.com.
21      IN      PTR     dns2.janzen.com.
70      IN      PTR     dns3.janzen.com.
9       IN      PTR     harbor.janzen.com.
10      IN      PTR     harbor.janzen.com.
31      IN      PTR     mail1.janzen.com.
32      IN      PTR     mail2.janzen.com.
2.3、Reload the service
[root@Node-Ubuntu1804-20:~]# rndc reload
server reload successful
2.4、Verify reverse resolution
[root@Ansible-Ubuntu1804-25:~]# dig -t ptr 20.0.0.10.in-addr.arpa. @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 20.0.0.10.in-addr.arpa. @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 30257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 84ac957d868c866b33777194646f52bc2f65ef3bae2f140f (good)
;; QUESTION SECTION:
;20.0.0.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
20.0.0.10.in-addr.arpa. 604800  IN      PTR     dns1.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    604800  IN      NS      dns1.janzen.com.
0.0.10.in-addr.arpa.    604800  IN      NS      dns3.janzen.com.
0.0.10.in-addr.arpa.    604800  IN      NS      dns2.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21
dns3.janzen.com.        604800  IN      A       10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 20:21:17 CST 2023
;; MSG SIZE  rcvd: 208

[root@Ansible-Ubuntu1804-25:~]# dig -t ptr 70.0.0.10.in-addr.arpa. @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 70.0.0.10.in-addr.arpa. @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- id: 28274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cb50d5bc319d559d22178c59646f52c728e60ab6e3f06ad3 (good)
;; QUESTION SECTION:
;70.0.0.10.in-addr.arpa.        IN      PTR

;; ANSWER SECTION:
70.0.0.10.in-addr.arpa. 604800  IN      PTR     dns3.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    604800  IN      NS      dns2.janzen.com.
0.0.10.in-addr.arpa.    604800  IN      NS      dns3.janzen.com.
0.0.10.in-addr.arpa.    604800  IN      NS      dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.        604800  IN      A       10.0.0.20
dns2.janzen.com.        604800  IN      A       10.0.0.21
dns3.janzen.com.        604800  IN      A       10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 20:21:27 CST 2023
;; MSG SIZE  rcvd: 208
六、DNS primary/secondary deployment
1、CentOS 7: primary/secondary configuration
1.1、Primary server configuration
[root@node-centos7-70 etc]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
#       listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
#       allow-query     { localhost; };
        allow-transfer  { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";

[root@node-centos7-70 etc]# vim /etc/named.zones
zone "janzen.com" IN {
        type master;
        file "named.janzen.com";
        allow-update { none; };
        allow-transfer { 10.0.0.71; };
};
zone "0.0.10.in-addr.arpa" IN {
        type master;
        file "named.10.0.0";
};
1.2、Secondary server configuration
[root@node-centos7-71 ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
#       listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
#       allow-query     { localhost; };
        allow-transfer  { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";

[root@node-centos7-71 ~]# vim /etc/named.zones
zone "janzen.com" IN {
        type slave;
        file "slaves/named.janzen.com.slave";
        masters { 10.0.0.70; };
};
2、Ubuntu: primary/secondary configuration
2.1、Primary server configuration
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf | grep -v ^$ | grep -v ".*//"
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-transfer { none; };
};
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.zones
zone janzen.com IN {
        type master;
        file "/etc/bind/db.janzen.com";
        allow-transfer { 10.0.0.21; };
        also-notify { 10.0.0.21; };
};
2.2、Secondary server configuration
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf | grep -v ^$ | grep -v ".*//"
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-transfer { none; };
};
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.zones
zone janzen.com IN {
        type slave;
        file "/etc/bind/db.janzen.com.slave";
        masters { 10.0.0.20; };
};
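Whether a zone can be pulled with dig -t AXFR from anywhere depends on the effective allow-transfer: a zone statement overrides options, and when neither sets it BIND 9.11 allows transfers to any host. That is why the primaries above set allow-transfer { none; } globally and open it only for the secondary's address. The following Python audit is an added example (not part of these notes and not BIND's own tooling) that strips comments, walks the top-level options and zone blocks of a named.conf-style file and reports the effective transfer list for every primary zone; it also flags the recursion yes without allow-query combination that the stock named.conf comment warns turns the server into an open resolver. The configuration text is constructed for the example, and the "any" fallback is an assumption about the 9.11 default, passed in as a parameter so it can be changed for other versions.

```python
import re

# Constructed named.conf fragment modelled on the primary-server configuration in
# these notes; not the page's own file. The in-addr.arpa zone is deliberately
# given a weak allow-transfer so the audit has something to report.
SAMPLE_CONF = """\
options {
    directory "/var/named";
    allow-transfer { none; };         // global default: no zone transfers
    recursion yes;
};
zone "janzen.com" IN {
    type master;
    file "named.janzen.com";
    allow-transfer { 10.0.0.71; };    // only the secondary may pull the zone
    allow-update { none; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "named.10.0.0";
    allow-transfer { any; };          # constructed weak setting
};
zone "janzen.cn" IN {
    type forward;
    forward only;
    forwarders { 10.0.0.70; };
};
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _top_level_blocks(text):
    """Yield (header, body) for every top-level '{ ... }' block, skipping nested braces."""
    i = 0
    while True:
        start = text.find("{", i)
        if start < 0:
            return
        header = text[i:start].split(";")[-1].strip()
        depth, j = 1, start + 1
        while depth and j < len(text):
            depth += (text[j] == "{") - (text[j] == "}")
            j += 1
        yield header, text[start + 1:j - 1]
        i = j


def _acl(body, statement):
    """Address list of e.g. allow-transfer { a; b; }, or None if the statement is absent."""
    m = re.search(statement + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit_transfers(conf_text, bind_default=("any",)):
    """Report (state, effective allow-transfer list) for each primary zone. The zone
    setting wins over options; with neither present the BIND 9.11 default applies
    (assumed to be 'any' here, overridable via bind_default)."""
    text = _strip_comments(conf_text)
    global_acl, report = None, {}
    for header, body in _top_level_blocks(text):
        if header == "options":
            global_acl = _acl(body, "allow-transfer")
        elif header.startswith("zone"):
            name = header.split()[1].strip('"')
            m = re.search(r"\btype\s+(\w+)\s*;", body)
            if not m or m.group(1) not in ("master", "primary"):
                continue                  # forward / slave zones are not served by AXFR here
            acl = _acl(body, "allow-transfer")
            effective = acl if acl is not None else global_acl
            if effective is None:
                effective = list(bind_default)
            report[name] = ("open" if "any" in effective else "restricted", effective)
    return report


def is_open_resolver(conf_text):
    """recursion yes without any allow-query restriction in options answers recursive
    queries for every client (allow-recursion is not considered in this example)."""
    text = _strip_comments(conf_text)
    for header, body in _top_level_blocks(text):
        if header == "options":
            recursive = re.search(r"\brecursion\s+yes\s*;", body) is not None
            return recursive and _acl(body, "allow-query") is None
    return False


if __name__ == "__main__":
    for zone, (state, acl) in audit_transfers(SAMPLE_CONF).items():
        print(f"{zone}: transfers {state} ({', '.join(acl)})")
    print("open resolver:", is_open_resolver(SAMPLE_CONF))
```

named-checkconf validates the syntax of named.conf and its includes (it is what catches a misspelled statement name before named refuses to start) but does not judge policy; this script answers the policy question for the transfer and recursion settings only.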
七、DNS forwarding configuration
1、CentOS 7: forwarding server configuration
1.1、Global forwarding
[root@node-centos7-71 ~]# cat /etc/named.conf | grep -v ^$ | grep -v ".*//"
options {
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  { none; };
        forward first;
        forwarders { 10.0.0.70; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
1.2、Per-domain forwarding
[root@node-centos7-71 ~]# cat /etc/named.zones
zone janzen.cn IN {
        type forward;
        forward only;
        forwarders { 10.0.0.70; };
};
2、Ubuntu: forwarding server configuration
2.1、Global forwarding
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
        directory "/var/cache/bind";
        forward first;
        forwarders { 10.0.0.20; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-transfer { none; };
};
2.2、Per-domain forwarding
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.zones | grep -v ^$ | grep -v ".*//"
zone janzen.cn IN {
        type forward;
        forward only;
        forwarders { 10.0.0.20; };
};