Category: LINUX

2009-04-28 15:45:41

Domain Name System (DNS): hosts need each other's IP addresses to exchange data, but IP addresses are hard to remember, so people began mapping easy-to-remember host names to IPs in a file (/etc/hosts). As the number of computers grew, looking up IPs through a file became less and less efficient and keeping the hosts files in sync became harder and harder, which is how the domain name system came about. DNS distributes the management of host names across DNS servers at different levels, much like a tree-shaped directory; with this layered management no single host has to hold much information, and changes are easy to make. The main function of DNS is therefore resolving host names to IP addresses. BIND (Berkeley Internet Name Domain) is the most widely used software implementing DNS.
FQDN (Fully Qualified Domain Name): FQDN = HostName + DomainName.

DNS is hierarchical. At the second level, .tw is the Domain Name and gov, edu and com are Host Names; at the third level, .edu.tw is the Domain Name and ntu, ncku and nsysu are Host Names. aerosol.ev.ncku.edu.tw is thus an FQDN.
The DNS query process
This is a simple DNS hierarchy. The topmost node, root, is called the root domain; the second-level domains it manages are generally only com, edu, gov, mil, org and the country and region codes (cn, tw, nk, jp and so on). These two levels are called the top-level domains (TLDs).
Each upper-level DNS host records only the names of the hosts directly below it; the records two levels down are delegated to the lower-level host to manage.


When you enter the address in a browser:
  1. The computer first checks whether it has this host's IP address cached locally and whether /etc/hosts contains a mapping for the host; if neither, it goes on to step 2.
  2. The computer queries the DNS Server at the IP given in its configuration (/etc/resolv.conf).
  3. The DNS Server first checks whether it has the IP address of aerosol.ev.ncku.edu.tw cached; if not, it asks root.
  4. The root host only knows the IP of the tw host, and tells the DNS Server to ask the tw host.
  5. The DNS Server asks the tw host; tw only knows the IP of edu.tw and tells the DNS Server to ask the edu.tw host.
  6. The DNS Server asks the edu.tw host; edu.tw only knows the IP of the ncku.edu.tw host and tells the DNS Server to ask ncku.edu.tw.
  7. The DNS Server asks the ncku.edu.tw host; ncku.edu.tw only knows the IP of the ev.ncku.edu.tw host and tells the DNS Server to ask ev.ncku.edu.tw.
  8. The ev.ncku.edu.tw host holds the record for aerosol.ev.ncku.edu.tw and returns its IP to the DNS Server, which caches the record.
  9. The DNS Server returns the IP to the Client, and the Client uses it to reach the host.
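The walk-through above, modelled in Python as an added example (this is not code from the original post): each authoritative server knows only its own records and its direct delegations, the recursive server follows referrals from the root and caches the answer for the record's TTL, and the client checks a hosts table first. The delegation chain, the address 192.0.2.10 and the 3600-second TTL are all constructed for the illustration.

```python
"""Model of the iterative lookup in steps 1-9 (added example; all data constructed)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthServer:
    """One authoritative server: it knows only its own records and its direct child zones."""
    zone: str
    delegations: Dict[str, str] = field(default_factory=dict)          # child zone -> server name
    records: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # fqdn -> (ip, ttl)

    def query(self, name: str) -> Tuple[str, Optional[str], int]:
        """Answer like an authoritative (non-recursive) server: answer, referral, or nothing."""
        if name in self.records:
            ip, ttl = self.records[name]
            return "answer", ip, ttl
        # The most specific delegation that covers the name wins.
        for child in sorted(self.delegations, key=len, reverse=True):
            if name == child or name.endswith("." + child):
                return "referral", child, 0
        return "nxdomain", None, 0


class RecursiveServer:
    """The 'DNS Server' of steps 3-9: walks referrals from the root and caches the answer."""

    def __init__(self, servers: Dict[str, AuthServer]):
        self.servers = servers                         # zone -> its authoritative server
        self.cache: Dict[str, Tuple[str, float]] = {}  # name -> (ip, expiry time)

    def resolve(self, name: str, now: float) -> Tuple[Optional[str], List[str]]:
        """Return (ip, path); path lists the zones consulted, or ['cache'] on a cache hit."""
        hit = self.cache.get(name)
        if hit and hit[1] > now:                # still within its TTL (step 3)
            return hit[0], ["cache"]
        path, zone = [], "."
        while True:
            path.append(zone)
            kind, data, ttl = self.servers[zone].query(name)
            if kind == "answer":
                self.cache[name] = (data, now + ttl)   # step 8: cache until the TTL runs out
                return data, path
            if kind == "referral" and data in self.servers:
                zone = data                             # steps 4-7: follow the referral
                continue
            return None, path                           # unknown name or broken delegation


class Client:
    """Steps 1-2: local hosts table first, then the configured nameserver."""

    def __init__(self, hosts: Dict[str, str], server: RecursiveServer):
        self.hosts = hosts      # stands in for /etc/hosts
        self.server = server    # stands in for the nameserver in /etc/resolv.conf

    def lookup(self, name: str, now: float) -> Tuple[Optional[str], List[str]]:
        if name in self.hosts:
            return self.hosts[name], ["/etc/hosts"]
        return self.server.resolve(name, now)


def build_example() -> Client:
    """Constructed delegation chain for the aerosol.ev.ncku.edu.tw walk-through above."""
    chain = [".", "tw.", "edu.tw.", "ncku.edu.tw.", "ev.ncku.edu.tw."]
    servers = {parent: AuthServer(parent, delegations={child: "ns." + child})
               for parent, child in zip(chain, chain[1:])}
    leaf = AuthServer("ev.ncku.edu.tw.")
    leaf.records["aerosol.ev.ncku.edu.tw."] = ("192.0.2.10", 3600)  # constructed address and TTL
    servers["ev.ncku.edu.tw."] = leaf
    return Client({"localhost.": "127.0.0.1"}, RecursiveServer(servers))


if __name__ == "__main__":
    client = build_example()
    print(client.lookup("aerosol.ev.ncku.edu.tw.", now=0))     # full walk from the root
    print(client.lookup("aerosol.ev.ncku.edu.tw.", now=100))   # served from cache
    print(client.lookup("aerosol.ev.ncku.edu.tw.", now=4000))  # TTL expired, walk again
```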

It follows that as long as your DNS is delegated by the DNS above it, your DNS can be found. Changes to DNS do not take effect on the Internet immediately, because other DNS servers may have cached your host's records; the change only takes effect once the TTL expires.
DNS queries are first sent over UDP, the faster transport; only when a complete answer cannot be obtained that way is the query repeated over TCP. DNS therefore listens on port 53 on both TCP and UDP.

Forward resolution: looking up an IP address from a host name.
Reverse resolution: looking up a host name from an IP address.
Domain: a domain is an administrative scope. A domain can contain subdomains, and a subdomain can be delegated to another host to manage.
Zone: the configuration file for one domain is a Zone.

Every domain has a configuration file, and the file's name is defined in /etc/named.conf.
For example, the DNS configuration for the tech.net domain must contain:
  • the Hinet (root) settings.
  • the forward resolution file for the tech.net domain
  • the forward resolution file for localhost
  • the reverse resolution file for localhost
The reverse resolution file for tech.net is optional. A Zone's configuration file records the mapping between host names and IPs.

Preparing the DNS server

1. Install the required software
[root@client ~]# rpm -qa |grep bind
bind-libs-9.3.3-10.el5
ypbind-1.19-8.el5
bind-utils-9.3.3-10.el5
bind-chroot-9.3.3-10.el5
bind-9.3.3-10.el5


bind-chroot: early versions of BIND started the program in /var/named by default, but the process could move anywhere from the root directory, so if BIND had a flaw the process could endanger the whole system. To avoid this, a directory is designated as BIND's root directory; because it is the root, BIND cannot leave it. If the process is attacked, the worst case is damage to the files in that directory. CentOS locks BIND into /var/named/chroot by default.

2. BIND's configuration files:
  • /etc/named.conf: the main host settings, the location of the Zone Files, permissions and so on.
  • /etc/sysconfig/named: controls whether chroot is enabled and any extra parameters.
  • /var/named/: database files (zone files) are placed here by default.
  • /var/run/named/: named writes its pid-file here by default.

3. Check the directory the chroot points to:
[root@client ~]# cat /etc/sysconfig/named
ROOTDIR=/var/named/chroot

4. BIND's directory layout:
Pay attention to the directory permissions.


A plain Forward DNS host (Cache-Only)
This type of DNS host has no database of its own; it only helps clients request data from external DNS hosts, like a proxy, and is usually set up on the firewall.
As the figure above shows, a Cache-Only DNS host needs to know the addresses of the root servers, so a Cache-Only DNS must have the root Zone file. A Forwarding DNS does not; it only needs the DNS to which queries are forwarded.

# Forwarding DNS Server setup
# Look at the named.conf configuration file
[root@client etc]# cat /var/named/chroot/etc/named.conf

options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        forward only;    // forward only, never resolve locally
        Forwarders
        {
                192.168.0.1;   // the DNS that queries are forwarded to

        };    // do not drop the trailing semicolon (;)
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

# Check which ports the process listens on
[root@client etc]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 192.168.0.200:53            0.0.0.0:*                   LISTEN      9211/named         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      9211/named               
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      9211/named                  
tcp        0      0 ::1:953                     :::*                        LISTEN      9211/named         
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               9211/named         
udp        0      0 192.168.0.200:53            0.0.0.0:*                               9211/named  

# Check the startup log
[root@client etc]# tail /var/log/messages
May  8 11:10:21 client named[9211]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot
May  8 11:10:21 client named[9211]: found 1 CPU, using 1 worker thread
May  8 11:10:21 client named[9211]: loading configuration from '/etc/named.conf'
May  8 11:10:21 client named[9211]: listening on IPv4 interface lo, 127.0.0.1#53
May  8 11:10:21 client named[9211]: listening on IPv4 interface eth0, 192.168.0.200#53
May  8 11:10:21 client named[9211]: command channel listening on 127.0.0.1#953
May  8 11:10:21 client named[9211]: command channel listening on ::1#953
May  8 11:10:21 client named[9211]: running

# Point the resolver at the DNS server just configured
[root@client etc]# cat /etc/resolv.conf
nameserver 192.168.0.200

# Test that Google's domain resolves
[root@client etc]# ping
PING www-china.l.google.com (64.233.189.99) 56(84) bytes of data.
64 bytes from hk-in-f99.google.com (64.233.189.99): icmp_seq=1 ttl=244 time=117 ms

DNS setup in a Master/Slave architecture
Master: this type of DNS holds the domain's configuration files itself; these files are the databases for forward and reverse resolution.
Slave: holds no domain configuration files of its own; it works together with the Master and fetches the data files from it on a schedule. When the domain's configuration needs changing, only the Master is edited (remember to add 1 to the serial number and restart BIND); the Master then notifies the Slave to update its data.
The Slave update process:
  • Deciding whether an update is needed (1.1): the Slave can be set to check with the Master on a schedule; the Slave asks the Master whether an update is needed by comparing the SerialNumber, and when the Master's SerialNumber is greater than the Slave's, the Slave updates its database.
  • If the Master knows its database has changed it can actively send the Slave an update notification (1.2).
  • Data synchronization (2): the Master transfers the database to the Slave.

Master DNS Server setup:
1. Install the bind software:
[root@linux ~]# yum -y install bind-chroot
[root@linux ~]# yum -y install bind
[root@linux ~]# rpm -qa |grep bind
bind-libs-9.3.3-10.el5
ypbind-1.19-8.el5
bind-utils-9.3.3-10.el5
bind-9.3.3-10.el5
bind-chroot-9.3.3-10.el5

2. Edit the /var/named/chroot/etc/named.conf (/etc/named.conf) configuration file

# The configuration file (named.conf) under /usr/share/doc/bind-9.3.3/sample/etc/ and the zone files under /usr/share/doc/bind-9.3.3/sample/var/named/ can be used as references
[root@linux ~]# cp /usr/share/doc/bind-9.3.3/sample/etc/named.root.hints /var/named/chroot/etc/
[root@linux ~]# ls /var/named/chroot/etc/
localtime  named.conf  named.root.hints  rndc.key
[root@linux ~]# cat /var/named/chroot/etc/named.conf
options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        forwarders{192.168.0.1;};    // the DNS server that queries are forwarded to
        allow-query{any;};    // who may query? every host
        allow-transfer{192.168.0.30;};    // who may transfer zone files? only the Slave (192.168.0.30)

};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :

 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.root.hints";   // include the root zone file

zone "localhost"  // zone file for the localhost domain
{
    type master;
    file "named.localhost";
};
zone "0.0.127.in-addr.arpa"   // reverse resolution file for 127.0.0
{
    type master;
    file "named.127.0.0";
};
zone "tech.net"   // zone file for the tech.net domain
{
    type master;
    file "named.tech.net";
};
zone "0.168.192.in-addr.arpa"   // reverse resolution file for 192.168.0
{
    type master;
    file "named.192.168.0";
};

3. Configure the zone files
# Look at the zone files under /var/named/chroot/var/named/
[root@linux ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/chroot/var/named/
[root@linux ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/named.local /var/named/chroot/var/named/named.127.0.0
[root@linux ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/localhost.zone /var/named/chroot/var/named/named.localhost
# Remember to change the serial numbers in named.127.0.0 and named.localhost
# Fix the ownership of the files and directories under /var/named/chroot/var/named/
[root@slave ~]# chown -R root.named /var/named/chroot/var/named/
[root@slave ~]# chown -R named.named /var/named/chroot/var/named/data
[root@slave ~]# chown -R named.named /var/named/chroot/var/named/slaves
[root@linux ~]# ls /var/named/chroot/var/named/
data  named.127.0.0  named.192.168.0  named.localhost  named.root named.tech.net  slaves
# The localhost zone file. @ stands for the zone itself (localhost here). SOA (Start of Authority) carries the
# authorization data for the Master/Slave relationship and has the form
# "[zone] IN SOA [hostname] [admin e-mail] [serial refresh retry expire ttl]". The "root" below is an abbreviated
# e-mail address: root.localhost. = root@localhost. Because @ has a special meaning in a zone file (the zone name),
# "." stands in for "@". A trailing dot marks a name as a complete host name (FQDN); without it the zone name is appended.
[root@linux ~]# cat /var/named/chroot/var/named/named.localhost
$TTL    86400     ; default TTL
@        IN SOA    @       root (
                    2008050801        ; serial: add 1 after every change to the data
                    3H        ; refresh: how often the Slave checks for updates
                    15M        ; retry: how long the Slave waits after a failed update before trying again
                    1W        ; expiry: how long the Slave keeps retrying before it declares the zone failed and stops trying
                    1D )        ; minimum: effectively the TTL, especially when $TTL is not set

;[zone] IN NS [hostname]  NS is always followed by a host name: ask that host for the zone's data
        IN NS        @
        IN A        127.0.0.1
        IN AAAA        ::1

# The reverse resolution file for 127.0.0
[root@linux ~]# cat /var/named/chroot/var/named/named.127.0.0
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      2008050801 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.   ; a reverse resolution (PTR) record

# The tech.net zone file
[root@linux ~]# cat /var/named/chroot/var/named/named.tech.net
$TTL    600    ; set the TTL to 600s
@ IN SOA linux.tech.net. istone.linux.tech.net. (2008050801 28800 14400 720000 86400)  ; istone.linux.tech.net. = istone@linux.tech.net.
@    IN    NS    linux.tech.net.
@    IN    NS    slave.tech.net.
linux    IN    A    192.168.0.20
slave    IN    A    192.168.0.30
@    IN    MX    10    linux   ; MX is short for Mail Exchanger: "[hostname] IN MX [order/priority] [hostname]". MX records relate to the Mail Server and can be omitted if there is none. The lower the number after MX, the higher the priority; the host name that follows must have an A record. If unsure, point it straight at the Mail Server host.

;[hostname] IN [type] [IP/name/text]
www    IN    CNAME    linux   ; www is an alias for linux.tech.net
ftp    IN    CNAME    linux
istone-desktop    IN    A    192.168.0.103
istone-desktop    IN    TXT    "The Ubuntu OS"  ; a TXT record is a free-form description
istone-desktop    IN    HINFO    "Intel(R) Core(TM)2 CPU 6320  @ 1.86GHz" "Ubuntu 8.04(Hardy Heron)"  ; HINFO takes two parameters: the hardware, then the operating system
# The reverse resolution file for 192.168.0
[root@linux ~]# cat /var/named/chroot/var/named/named.192.168.0
$TTL    86400
@       IN      SOA     localhost. root.localhost.  (
                                      2008050801 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
        IN      NS      linux.tech.net.
20     IN      PTR    linux.tech.net.
30     IN      PTR    slave.tech.net.
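Added example (not from the original post) covering the Slave update check described earlier and the SOA fields of the zone files above: it parses the parenthesized SOA record, converts BIND's 3H/15M/1W/1D time suffixes to seconds, turns the admin field back into an e-mail address, decides whether a Slave needs a transfer using RFC 1982 serial arithmetic (so a serial that wraps past 2^32 is still seen as newer), and bumps a YYYYMMDDnn serial. The zone texts are trimmed copies of this page's files; the "today" date passed to next_serial is constructed.

```python
"""SOA parsing and the Slave's serial check (added example; zone texts trimmed from this page)."""
import re
from typing import Dict

# Trimmed copy of named.tech.net from this page (only the SOA matters here).
TECH_NET_ZONE = """\
$TTL    600    ; set the TTL to 600s
@ IN SOA linux.tech.net. istone.linux.tech.net. (2008050801 28800 14400 720000 86400)
@    IN    NS    linux.tech.net.
linux    IN    A    192.168.0.20
"""

# Trimmed copy of named.localhost from this page: timers written with unit suffixes.
LOCALHOST_ZONE = """\
$TTL    86400     ; default TTL
@        IN SOA    @       root (
                    2008050801        ; serial
                    3H        ; refresh
                    15M        ; retry
                    1W        ; expiry
                    1D )        ; minimum
        IN NS        @
        IN A        127.0.0.1
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
# Assumption: the SOA uses the parenthesized form shown on this page.
SOA_RE = re.compile(r"\bSOA\s+(\S+)\s+(\S+)\s*\(\s*([^)]*?)\s*\)")


def to_seconds(token: str) -> int:
    """BIND accepts bare seconds or a number with an S/M/H/D/W suffix (3H, 15M, 1W, 1D)."""
    token = token.upper()
    if token[-1] in UNITS:
        return int(token[:-1]) * UNITS[token[-1]]
    return int(token)


def strip_comments(text: str) -> str:
    """Drop ';' comments. Assumption: no quoted string contains ';' (true for these zones)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text: str) -> Dict[str, object]:
    """Return mname, rname and the five SOA timers (in seconds) of a zone file."""
    flat = " ".join(strip_comments(zone_text).split())   # join the multi-line record
    m = SOA_RE.search(flat)
    if not m:
        raise ValueError("no SOA record found")
    values = m.group(3).split()
    if len(values) != 5:
        raise ValueError("SOA needs exactly 5 numeric fields, got %d" % len(values))
    soa: Dict[str, object] = {"mname": m.group(1), "rname": m.group(2)}
    soa.update(zip(FIELDS, (to_seconds(v) for v in values)))
    return soa


def rname_to_email(rname: str, zone: str) -> str:
    """The admin field writes '.' for '@'; an unqualified name (like 'root') gets the zone appended."""
    if not rname.endswith("."):
        rname = "%s.%s." % (rname, zone.rstrip("."))
    user, _, domain = rname.partition(".")   # assumption: no escaped dots in the user part
    return user + "@" + domain.rstrip(".")


HALF = 1 << 31   # RFC 1982 serial numbers are 32-bit and compared modulo 2^32


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b, tolerating wrap-around at 2^32."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_needs_transfer(master_serial: int, slave_serial: int) -> bool:
    """Step 1.1 of the Slave update: transfer only when the Master's serial is newer."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current: int, today_yyyymmdd: str) -> int:
    """YYYYMMDDnn convention used on this page: add 1, or start today's series if the date moved on."""
    return max(current + 1, int(today_yyyymmdd) * 100 + 1)


if __name__ == "__main__":
    soa = parse_soa(TECH_NET_ZONE)
    print(soa, rname_to_email(str(soa["rname"]), "tech.net."))
    print(parse_soa(LOCALHOST_ZONE))
    print(slave_needs_transfer(next_serial(2008050801, "20080508"), 2008050801))
```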

4. Start the DNS Server
[root@linux named]# /etc/init.d/named start
启动 named:                                               [确定]

5. Check that it started
[root@linux named]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name  
tcp        0      0 192.168.0.20:53             0.0.0.0:*                   LISTEN      3959/named         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      3959/named           
tcp        0      0 127.0.0.1:953               0.0.0.0:*                   LISTEN      3959/named         
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               3959/named         
udp        0      0 192.168.0.20:53             0.0.0.0:*                               3959/named         
udp        0      0 127.0.0.1:53                0.0.0.0:*                               3959/named         
udp        0      0 :::53                       :::*                                    3959/named         

[root@linux named]# tail -n 20 /var/log/messages
<omitted>
May  8 01:59:57 linux named[3959]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot
May  8 01:59:57 linux named[3959]: found 1 CPU, using 1 worker thread
May  8 01:59:57 linux named[3959]: loading configuration from '/etc/named.conf'
May  8 01:59:57 linux named[3959]: listening on IPv4 interface lo, 127.0.0.1#53
May  8 01:59:57 linux named[3959]: listening on IPv4 interface eth0, 192.168.0.20#53
May  8 01:59:57 linux named[3959]: command channel listening on 127.0.0.1#953
May  8 01:59:57 linux named[3959]: command channel listening on ::1#953
May  8 01:59:57 linux named[3959]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2008050801
May  8 01:59:57 linux named[3959]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2008050801
May  8 01:59:57 linux named[3959]: zone localhost/IN: loaded serial 2008050801
May  8 01:59:57 linux named[3959]: zone tech.net/IN: loaded serial 2008050801
May  8 01:59:57 linux named[3959]: running
May  8 01:59:57 linux named[3959]: zone tech.net/IN: sending notifies (serial 2008050801)
May  8 01:59:57 linux named[3959]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2008050801)
May  8 01:59:57 linux named[3959]: client 192.168.0.20#32770: received notify for zone '0.168.192.in-addr.arpa'

6. Verify with the nslookup tool
[root@linux named]# nslookup 192.168.0.20
Server:        192.168.0.20
Address:    192.168.0.20#53

    canonical name = linux.tech.net.
Name:    linux.tech.net
Address: 192.168.0.20

[root@linux named]# nslookup istone-desktop.tech.net 192.168.0.20
Server:        192.168.0.20
Address:    192.168.0.20#53

Name:    istone-desktop.tech.net
Address: 192.168.0.103

Slave DNS Server setup:
1. Install the bind software:
[root@slave ~]# yum -y install bind-chroot
[root@slave ~]# yum -y install bind

2. Edit the /var/named/chroot/etc/named.conf configuration file
[root@slave ~]# cat /var/named/chroot/etc/named.conf
options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";
        forwarders{192.168.0.1;};
        allow-query{any;};

};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :

 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.root.hints";
zone "localhost"
{
    type master;
    file "named.localhost";
};
zone "0.0.127.in-addr.arpa"
{
    type master;
    file "named.127.0.0";
};
zone "tech.net"
{
    type slave;
    file "slaves/named.tech.net";
    masters{192.168.0.20;};
};
zone "0.168.192.in-addr.arpa"
{
    type slave;
    file "slaves/named.192.168.0";
    masters{192.168.0.20;};
};

2. Create the zone files
[root@slave ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/chroot/var/named/
[root@slave ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/named.local /var/named/chroot/var/named/named.127.0.0
[root@slave ~]# cp /usr/share/doc/bind-9.3.3/sample/var/named/localhost.zone /var/named/chroot/var/named/named.localhost
# Remember to change the serial numbers in named.127.0.0 and named.localhost
# Fix the ownership of the files and directories under /var/named/chroot/var/named/
[root@slave ~]# chown -R root.named /var/named/chroot/var/named/
[root@slave ~]# chown -R named.named /var/named/chroot/var/named/data
[root@slave ~]# chown -R named.named /var/named/chroot/var/named/slaves
# The Slave does not need the named.tech.net and named.192.168.0 zone files; they are transferred from the Master.

3. Start the DNS service
[root@slave var]# /etc/init.d/named start
停止 named:                                               [确定]
启动 named:                                               [确定]

4. Check that it started
[root@slave named]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name      
tcp        0      0 192.168.0.30:53             0.0.0.0:*                   LISTEN      4126/named         
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      4126/named                    
tcp        0      0 ::1:953                     :::*                        LISTEN      4126/named         
udp        0      0 0.0.0.0:53                  0.0.0.0:*                               4126/named         
udp        0      0 192.168.0.30:53             0.0.0.0:*                               4126/named         
udp        0      0 127.0.0.1:53                0.0.0.0:*                               4126/named         
udp        0      0 :::53                       :::*                                    4126/named  

# Always check the startup log: directory permission problems can cause the zone transfer to fail

[root@slave var]# tail -n 20 /var/log/messages
<omitted>
May  8 03:56:38 slave named[4126]: starting BIND 9.3.3rc2 -u named -t /var/named/chroot
May  8 03:56:38 slave named[4126]: found 1 CPU, using 1 worker thread
May  8 03:56:38 slave named[4126]: loading configuration from '/etc/named.conf'
May  8 03:56:38 slave named[4126]: listening on IPv4 interface lo, 127.0.0.1#53
May  8 03:56:38 slave named[4126]: listening on IPv4 interface eth0, 192.168.0.30#53
May  8 03:56:38 slave named[4126]: command channel listening on ::1#953
May  8 03:56:38 slave named[4126]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2008050801
May  8 03:56:38 slave named[4126]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2008050801
May  8 03:56:38 slave named[4126]: zone localhost/IN: loaded serial 2008050801
May  8 03:56:38 slave named[4126]: zone tech.net/IN: loaded serial 2008050801
May  8 03:56:38 slave named[4126]: running
May  8 03:56:38 slave named[4126]: zone tech.net/IN: sending notifies (serial 2008050801)
May  8 03:56:38 slave named[4126]: zone 0.168.192.in-addr.arpa/IN: sending notifies (serial 2008050801)
May  8 03:56:38 slave named[4126]: client 192.168.0.30#32770: received notify for zone 'tech.net'
May  8 03:56:38 slave named[4126]: zone tech.net/IN: refused notify from non-master: 192.168.0.30#32770
[root@slave var]# cd named/slaves/
[root@slave slaves]# ls
named.192.168.0  named.tech.net

5. Verify with the nslookup tool
[root@slave named]# nslookup 192.168.0.30
Server:        192.168.0.30
Address:    192.168.0.30#53

    canonical name = linux.tech.net.
Name:    linux.tech.net
Address: 192.168.0.20

[root@slave named]# nslookup 192.168.0.30
Server:        192.168.0.30
Address:    192.168.0.30#53

Non-authoritative answer:    // google.com's IP obtained through forwarding
    canonical name =
canonical name = www-china.l.google.com.
Name:    www-china.l.google.com
Address: 64.233.189.99
Name:    www-china.l.google.com
Address: 64.233.189.104

Managing the DNS server with the RNDC command
The rndc command manages the DNS server; it talks to named on port 953.
1. Generate the rndc key material
[root@linux etc]# rndc-confgen
# Start of rndc.conf
key "rndckey" {
    algorithm hmac-md5;
    secret "kKRpI4aG4STupzjJST2UMA==";
};

options {
    default-key "rndckey";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf
# Paste the section above into /etc/rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
#     algorithm hmac-md5;
#     secret "kKRpI4aG4STupzjJST2UMA==";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndckey"; };
# };

# End of named.conf
# Uncomment the highlighted section above and paste it into /var/named/chroot/etc/named.conf

2. Create the rndc.conf file
[root@linux etc]# vi rndc.conf
# Delete the existing contents and add the newly generated data from above
# Start of rndc.conf
key "rndckey" {
        algorithm hmac-md5;
        secret "kKRpI4aG4STupzjJST2UMA==";
};

options {
        default-key "rndckey";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf
# Set the permissions on rndc.conf
[root@linux etc]# chmod 640 /etc/rndc.conf
[root@linux etc]# chown root.named /etc/rndc.conf

3. Edit named.conf
# If the configuration file contains the following line:
include "/etc/rndc.key";
# delete it first, then add the lines below:
key "rndckey" {
        algorithm hmac-md5;
        secret "kKRpI4aG4STupzjJST2UMA==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndckey"; };
};

4. Restart the DNS service
[root@linux etc]# /etc/init.d/named start
启动 named:                                               [确定]

5. The rndc command
[root@linux etc]# rndc
Usage: rndc [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command

command is one of the following:

  reload    Reload configuration file and zones.
  reload zone [class [view]]   Reload a single zone.
  refresh zone [class [view]]    Schedule immediate maintenance for a zone.
  retransfer zone [class [view]]     Retransfer a single zone without checking serial number.
  freeze zone [class [view]]      Suspend updates to a dynamic zone.
  thaw zone [class [view]]      Enable updates to a frozen dynamic zone and reload it.
  reconfig    Reload configuration file and new zones only.
  stats        Write server statistics to the statistics file.
  querylog    Toggle query logging.
  dumpdb [-all|-cache|-zones] [view ...]     Dump cache(s) to the dump file (named_dump.db).
  stop        Save pending updates to master files and stop the server.
  stop -p    Save pending updates to master files and stop the server reporting process id.
  halt        Stop the server without saving pending updates.
  halt -p    Stop the server without saving pending updates reporting process id.
  trace        Increment debugging level by one.
  trace level    Change the debugging level.
  notrace    Set debugging level to 0.
  flush     Flushes all of the server's caches.
  flush [view]    Flushes the server's cache for a view.
  flushname name [view]    Flush the given name from the server's cache(s)
  status    Display status of the server.
  recursing    Dump the queries that are currently recursing (named.recursing)
  *restart    Restart the server.


# Show the current server status

[root@linux etc]# rndc status
number of zones: 4    <== number of zones the DNS manages
debug level: 0    <== debug level
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF   <== whether queries are logged
recursive clients: 0/1000
tcp clients: 0/100
server is up and running
# Write out the DNS statistics
[root@linux etc]# rndc stats
[root@linux etc]# cat /var/named/chroot/var/named/data/named_stats.txt
+++ Statistics Dump +++ (1210195631)
success 0
referral 0
nxrrset 0
nxdomain 0
recursion 0
failure 0
--- Statistics Dump --- (1210195631)
# Dump the cache contents
[root@linux etc]# rndc dumpdb
[root@linux etc]# cat /var/named/chroot/var/named/data/cache_dump.db
;
; Start view _default
;
;
; Cache dump of view '_default'
;
$DATE 20080507213221
;
; Address database dump
;
; linux.tech.net [v4 TTL 29] [v4 success] [v6 unexpected]
;    192.168.0.20 [srtt 3] [flags 00000000]
; slave.tech.net [v4 TTL 29] [v4 success] [v6 unexpected]
;    192.168.0.30 [srtt 20] [flags 00000000]
;
; Unassociated entries
;
;
; Start view _bind
;
;
; Cache dump of view '_bind'
;
$DATE 20080507213221

Client setup
Related configuration files
  • /etc/hosts  host-to-IP mapping file
  • /etc/resolv.conf  sets the nameserver IP addresses
  • /etc/nsswitch.conf  decides whether the hosts file or the NameServer is consulted first; by default the hosts file is checked first

DNS query commands: host, nslookup, dig
1. host
# List all information related to a host
# host -a [FQDN] [DNSServer]
[root@linux etc]# host -a 192.168.0.20
Trying ""
Using domain server:
Name: 192.168.0.20
Address: 192.168.0.20#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7972
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;.            IN    ANY   # query records of any type

;; ANSWER SECTION:
.        600    IN    CNAME    linux.tech.net.

;; AUTHORITY SECTION:
tech.net.        600    IN    NS    linux.tech.net.
tech.net.        600    IN    NS    slave.tech.net.

;; ADDITIONAL SECTION:
linux.tech.net.        600    IN    A    192.168.0.20
slave.tech.net.        600    IN    A    192.168.0.30

Received 116 bytes from 192.168.0.20#53 in 4 ms

2. nslookup [FQDN] [DNSServer]

[root@linux etc]# nslookup
> server 192.168.0.20  # set the DNS Server
Default server: 192.168.0.20
Address: 192.168.0.20#53
> set type=any  # query all record types
> linux.tech.net
Server:        192.168.0.20
Address:    192.168.0.20#53

Name:    linux.tech.net
Address: 192.168.0.20
> 192.168.0.30   # reverse resolution
Server:        192.168.0.20
Address:    192.168.0.20#53

30.0.168.192.in-addr.arpa    name = slave.tech.net.
> istone-desktop.tech.net
Server:        192.168.0.20
Address:    192.168.0.20#53

Name:    istone-desktop.tech.net
Address: 192.168.0.103
istone-desktop.tech.net    text = "The Ubuntu OS"
istone-desktop.tech.net    hinfo = "Intel(R) Core(TM)2 CPU 6320  @ 1.86GHz" "Ubuntu 8.04(Hardy Heron)"

> set type=a  # query A records only
> istone-desktop.tech.net
Server:        192.168.0.20
Address:    192.168.0.20#53

Name:    istone-desktop.tech.net
Address: 192.168.0.103
> exit

3. dig [@Server] [FQDN] [type]
[root@linux etc]# dig @192.168.0.20 istone-desktop.tech.net

; <<>> DiG 9.3.3rc2 <<>> @192.168.0.20 istone-desktop.tech.net
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17870
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:   <== what was asked
;istone-desktop.tech.net.    IN    A   # only A records are queried by default

;; ANSWER SECTION:    <== the result returned for the query
istone-desktop.tech.net. 600    IN    A    192.168.0.103

;; AUTHORITY SECTION:  <== the authoritative servers
tech.net.        600    IN    NS    linux.tech.net.
tech.net.        600    IN    NS    slave.tech.net.

;; ADDITIONAL SECTION:  <== the IP addresses of the authoritative servers
linux.tech.net.        600    IN    A    192.168.0.20
slave.tech.net.        600    IN    A    192.168.0.30

;; Query time: 2 msec
;; SERVER: 192.168.0.20#53(192.168.0.20)
;; WHEN: Thu May  8 06:07:26 2008
;; MSG SIZE  rcvd: 129

# Query MX records
[root@linux etc]# dig @192.168.0.20 tech.net mx

; <<>> DiG 9.3.3rc2 <<>> @192.168.0.20 tech.net mx
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44604
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;tech.net.            IN    MX

;; ANSWER SECTION:
tech.net.        600    IN    MX    10 linux.tech.net.

;; AUTHORITY SECTION:
tech.net.        600    IN    NS    slave.tech.net.
tech.net.        600    IN    NS    linux.tech.net.

;; ADDITIONAL SECTION:
linux.tech.net.        600    IN    A    192.168.0.20
slave.tech.net.        600    IN    A    192.168.0.30

;; Query time: 6 msec
;; SERVER: 192.168.0.20#53(192.168.0.20)
;; WHEN: Thu May  8 06:17:19 2008
;; MSG SIZE  rcvd: 114

4. whois: look up the original registration information for a Domain
# whois [Domain]
[root@linux etc]# whois somode.com
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]

Whois Server Version 2.0

Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to
for detailed information.

   Domain Name: SOMODE.COM
   Registrar: WEB COMMERCE COMMUNICATIONS LIMITED DBA WEBNIC.CC
   Whois Server: whois.webnic.cc
   Referral URL:
   Name Server: DNS1.SOMODE.COM
   Name Server: DNS2.SOMODE.COM
   Status: clientDeleteProhibited
   Status: clientTransferProhibited
   Status: clientUpdateProhibited
   Updated Date: 14-apr-2008
   Creation Date: 14-apr-2006
   Expiration Date: 14-apr-2009


Advanced DNS server topics

Setting up a DNS server that returns different results depending on the source IP

BIND9 introduced a feature called views, which can return different results depending on the source IP.
View syntax:
view "view_name"
{
    match-clients { 192.168.0.0/24; };     // clients allowed to see this view; only IPs matching this list see the configuration inside it, and when several views match, the first matching view is used.
    recursion no;          // whether recursive queries are allowed
    zone "domain"    // define the zone file
    {
        type master;
        file "named.domain";
        allow-transfer { 192.168.0.30; };   // IPs allowed to transfer the zone (normally the Slave DNS Server)
    };
};

Below is a hypothetical example:

Master DNS Server: 192.168.0.20
Slave DNS Server : eth0 192.168.0.30
                            eth0:0 192.168.0.40

Master DNS Server directories and permissions:


Slave DNS Server directories and permissions:
Master DNS Server named.conf configuration file:

[root@linux ~]# cat /var/named/chroot/etc/named.conf
options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :

 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

key "rndckey" {
     algorithm hmac-md5;
     secret "kKRpI4aG4STupzjJST2UMA==";
};
 
controls {
     inet 127.0.0.1 port 953
         allow { 127.0.0.1; } keys { "rndckey"; };
};

// Resolves the localhost domain; matches 127.0.0.1 only
// The files used in this view can be copied from the samples under /usr/share/doc/bind-9.3.3/sample/
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    match-clients         { localhost; };
    match-destinations    { localhost; };
    recursion yes;
    # all views must contain the root hints zone:
    include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";
};

include "/etc/acl.conf";

view "CNC"
{
    match-clients        { !192.168.0.40;CNC; };    // exclude queries from the Slave DNS Server's eth0:0 address, then allow the addresses in the CNC acl to see this view
    recursion no;
    // all views must contain the root hints zone:
    include "/etc/named.root.hints";

    zone "tech.net"
    {
        type master;
        file "cnc.tech.net";
        allow-transfer{192.168.0.30;};
    };

};
view "other"
{
        match-clients           { any; };
        recursion no;
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        zone "tech.net"
        {
                type master;
                file "tel.tech.net";
        allow-transfer{192.168.0.40;};
        };

};

[root@linux ~]# cat /var/named/chroot/etc/acl.conf
acl "CNC"
{
    192.168.0.0/24;    // in practice, the China Netcom address ranges would go here
};


Slave DNS Server named.conf configuration file:

[root@slave ~]# cat /var/named/chroot/etc/named.conf
options
{
        /* make named use port 53 for the source of all queries, to allow
         * firewalls to block all ports except 53:
         */
        query-source    port 53;
        query-source-v6 port 53;

        // Put files that named is allowed to write in the data/ directory:
        directory "/var/named"; // the default
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :

 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

key "rndckey" {
     algorithm hmac-md5;
     secret "kKRpI4aG4STupzjJST2UMA==";
};
 
controls {
     inet 127.0.0.1 port 953
         allow { 127.0.0.1; } keys { "rndckey"; };
};

// Resolves the localhost domain; matches 127.0.0.1 only
// The files used in this view can be copied from the samples under /usr/share/doc/bind-9.3.3/sample/
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    match-clients         { localhost; };
    match-destinations    { localhost; };
    recursion yes;
    # all views must contain the root hints zone:
    include "/etc/named.root.hints";

        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * ONLY be served to localhost clients:
     */
    include "/etc/named.rfc1912.zones";
};

include "/etc/acl.conf";

view "CNC"
{
    match-clients        { !192.168.0.40;CNC; };
    recursion no;
    // all views must contain the root hints zone:
    include "/etc/named.root.hints";

    zone "tech.net"
    {
        type slave;
        masters { 192.168.0.20; };
        transfer-source 192.168.0.30;
     // matches the CNC view on the master DNS, so the cnc.tech.net zone file is transferred
        file "slaves/cnc.tech.net";
        allow-transfer { none; };
    };

};
view "other"
{
        match-clients           { any; };
        recursion no;
        // all views must contain the root hints zone:
        include "/etc/named.root.hints";

        zone "tech.net"
        {
                type slave;
                masters { 192.168.0.20; };
                transfer-source 192.168.0.40;
   // matches the other view on the master DNS so that the tel.tech.net zone file can be transferred; this is why the master's CNC view explicitly excludes the address 192.168.0.40.
                file "slaves/tel.tech.net";
                allow-transfer{ none; };
        };

};
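Added example (not from the original post) of how the view syntax above and the CNC/other views of the master are evaluated: match-clients lists are checked in order, the first element that matches decides, a leading "!" turns that match into a rejection, and the first view whose list accepts the client wins. The ACL table and the view list are constructed from this page's acl.conf and named.conf; the built-in "localhost" ACL is simplified to 127.0.0.1 and ::1.

```python
"""View selection from match-clients, as BIND does it (added example; data constructed from this page)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed ACL table: acl "CNC" from /etc/acl.conf plus BIND's built-in ACL names.
ACLS: Dict[str, List[str]] = {
    "CNC": ["192.168.0.0/24"],          # in practice the China Netcom ranges would go here
    "localhost": ["127.0.0.1", "::1"],  # simplified: BIND uses all of the host's own addresses
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# Views in the order they appear in the master's named.conf, with the tech.net file each serves.
VIEWS: List[Tuple[str, List[str], Optional[str]]] = [
    ("localhost_resolver", ["localhost"], None),
    ("CNC", ["!192.168.0.40", "CNC"], "cnc.tech.net"),
    ("other", ["any"], "tel.tech.net"),
]

# The same two elements swapped: "CNC" matches 192.168.0.40 first, so the "!" never applies.
WRONG_ORDER: List[Tuple[str, List[str], Optional[str]]] = [
    ("CNC", ["CNC", "!192.168.0.40"], "cnc.tech.net"),
    ("other", ["any"], "tel.tech.net"),
]


def match_list(elements: List[str], addr, acls: Dict[str, List[str]]) -> Optional[bool]:
    """Evaluate an address-match list in order.

    Returns True on a positive match, False when the first matching element is
    negated ("!"), and None when nothing matched. Only the first matching element
    counts, which is why "!192.168.0.40" must come before "CNC" on this page.
    """
    for element in elements:
        negate = element.startswith("!")
        body = element.lstrip("!").strip()
        if body in acls:                      # nested ACL reference (positive or negative result)
            result = match_list(acls[body], addr, acls)
            if result is None:
                continue
            matched = result
        else:                                 # literal address or prefix
            net = ipaddress.ip_network(body, strict=False)
            if addr not in net:               # also False when the IP versions differ
                continue
            matched = True
        return (not matched) if negate else matched
    return None


def select_view(client_ip: str, views=VIEWS, acls=ACLS) -> Optional[str]:
    """Name of the first view whose match-clients accepts client_ip (None if no view matches)."""
    addr = ipaddress.ip_address(client_ip)
    for name, match_clients, _ in views:
        if match_list(match_clients, addr, acls) is True:
            return name
    return None


def zone_file_for(client_ip: str, views=VIEWS, acls=ACLS) -> Optional[str]:
    """Which copy of tech.net a query (or a zone transfer) from client_ip is answered from."""
    chosen = select_view(client_ip, views, acls)
    for name, _, zone_file in views:
        if name == chosen:
            return zone_file
    return None


if __name__ == "__main__":
    for ip in ("127.0.0.1", "192.168.0.30", "192.168.0.40", "10.1.2.3"):
        print(ip, "->", select_view(ip), zone_file_for(ip))
    print("wrong order, 192.168.0.40 ->", select_view("192.168.0.40", WRONG_ORDER))
```

With the elements swapped (WRONG_ORDER), the transfer-source 192.168.0.40 of the Slave's "other" view is answered from the master's CNC view, whose allow-transfer admits only 192.168.0.30, instead of from the "other" view that holds tel.tech.net.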


For setting up dynamic DNS (DDNS), see 鸟哥的私房菜 --

The settings above were tested on CentOS 5.

References:

鸟哥的私房菜 -- :

Master/Slave setup under BIND9 views:



