[DNS] Domain name service: implementation with BIND
I. The domain name resolution process
The complete path a query for a name takes, from the client outward:
1. Look the name up in the local hosts file.
2. Look the name up in the client's local DNS cache.
3. Send the query to the configured DNS forwarding (caching) server and check its local cache.
4. If the forwarder has nothing cached, it passes the query to the recursive resolver it is configured with, which checks its own cache.
5. If nothing is cached anywhere, the recursive resolver resolves the name iteratively:
5.1. Query a root server, which returns a referral to the servers for the top-level domain.
5.2. Query a top-level-domain server, which returns a referral to the authoritative servers for the domain.
5.3. Query the authoritative server for the domain; if the name lies in a delegated subdomain, it returns a further referral to the subdomain's authoritative servers.
5.4. Query the subdomain's authoritative server for the record itself.
6. The answer travels back down the chain; every resolver on the path caches it for its TTL before returning it to the client.
II. DNS record types
1. DNS server types
Primary (master) DNS server
Maintains the zone data (the resolution database) for the zones it is responsible for.
Secondary (slave) DNS server
Holds a copy of the zone data, replicated from the primary or from another secondary by zone transfer (AXFR/IXFR).
Caching DNS server (forwarder)
Forwards client queries to a designated DNS server and stores the answers that server returns in its local cache. A caching server keeps no zone data of its own and does not resolve names by itself.
2. Answer types
[*] Positive answer: a record matching the query exists.
[*] Negative answer: no record can be returned, for example because the requested name or record type does not exist (NXDOMAIN or NODATA).
[*] Authoritative answer: returned directly by a server that holds the zone (an authoritative server); the AA flag is set in the response.
[*] Non-authoritative answer: returned from the cache of another, non-authoritative server (a recursive or caching resolver).
3. Resource records (RR)
Zone data (the resolution database)
consists of many resource records (RR).
Record types: SOA, A, AAAA, NS, CNAME, MX, TXT, PTR
[*] SOA: Start Of Authority; a zone has exactly one SOA record, and it must be the first record in the zone file
[*] A: IPv4 forward (name to address) record
[*] AAAA: IPv6 forward record
[*] NS: names the DNS servers that serve the zone
[*] CNAME: alias record
[*] MX: mail exchanger
[*] TXT: a way to attach descriptive text to a name; usually used for verification records, e.g. SPF (anti-spam) records or domain validation when obtaining HTTPS certificates
[*] PTR: reverse (address to name) record
3.1 Resource record format
name [TTL] [IN] rr_type value
The @ symbol refers to the name of the current zone (the $ORIGIN).
The TTL may be omitted and inherited from the global $TTL directive.
The class IN may be omitted; it is inherited from the previous record.
One name may be given several values through several records of the same type; the server then rotates the order of those values in its answers (round robin).
One value may also be defined under several different names, i.e. several names pointing at the same host, so that the host can be reached by any of them.
3.2 SOA record
name: the name of the current zone
value: several fields
The FQDN of the zone's primary DNS server (the zone name itself is also accepted); write it with a trailing dot, otherwise BIND appends the zone name to it
The zone administrator's mailbox; since @ cannot be used, it is replaced by a dot, e.g. root.janzen.com. for root@janzen.com
The timers that govern primary/secondary zone transfers, and the TTL used for negative answers
@ IN SOA dns1.janzen.com. root.janzen.com. (
1 ; serial number: must be increased on every change, otherwise secondaries never notice the new zone
604800 ; refresh: how often a secondary checks the primary's serial
86400 ; retry: how long a secondary waits after a failed refresh
2419200 ; expire: after this long without reaching the primary, a secondary stops answering for the zone
604800 ) ; negative-caching TTL
3.3 A record
name: the host's FQDN; ending it with a dot marks it as a complete name, a name without the trailing dot is relative to the zone
value: the corresponding IPv4 address
dns1 A 10.0.0.20
dns2 A 10.0.0.21
gitlab.janzen.com. A 10.0.0.13
harbor A 10.0.0.9
harbor A 10.0.0.10
The two harbor records give one name two addresses; the server rotates them in its answers.
3.4 AAAA record
name: the host's FQDN, with or without the trailing dot, as for A records
value: the corresponding IPv6 address
3.5 NS record
name: the name of the current zone
value: the name of one of the zone's DNS servers
When two adjacent resource records have the same name, the later one may omit it
Every name that appears in an NS record must be followed, later in the zone, by a matching A record
A zone may have several NS records
@ IN NS dns1
NS dns2
3.6 CNAME record
name: the alias FQDN
value: the real FQDN
dns IN CNAME dns1
A name that carries a CNAME record may carry no other records, and the target of an NS or MX record must not be a CNAME.
3.7 MX record
name: the name of the current zone
value: the name of one of the zone's mail (SMTP) servers
A zone may have several MX records, but each value is preceded by a preference number (0-65535); the server with the lowest number is tried first
Every name that appears in an MX record must be followed, later in the zone, by a matching A record
@ IN MX 12 mail1
IN MX 10 mail2
mail1 IN A 10.0.0.31
mail2 IN A 10.0.0.32
3.8 TXT record
name: the owner name of the text (often an underscore-prefixed label)
value: the text, enclosed in double quotes when it contains spaces
_dnstxt TXT "this is @ name server"
3.9 PTR record
name: the IP address
value: the FQDN
The IP address in name has a fixed form: the octets are written in reverse order and the special suffix in-addr.arpa. is appended.
Full form: 20.0.0.10.in-addr.arpa.
Inside a reverse zone the network part and the suffix can be omitted, because together they form the zone's origin; the host part is still written reversed.
20.0.0.10.in-addr.arpa. IN PTR dns1.janzen.com.
; 10.0.0 is the network part and is the origin of the reverse zone 0.0.10.in-addr.arpa, so it can be omitted
9 IN PTR harbor.janzen.com.
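The rules stated in 3.1 to 3.9 can be checked mechanically. The following Python script is an added example written for this page (it is not the page's own code and not part of BIND): it parses a small zone constructed from the records above, reports violations of those rules (one SOA placed first, NS/MX targets backed by A records and not aliases, no other data beside a CNAME, MX preference range), and generates the PTR records of the matching reverse zone, showing both the full in-addr.arpa owner name and the short form relative to the reverse zone's origin. The origin janzen.com. and the network 10.0.0.0/24 come from the examples above; everything else is constructed.

```python
"""Zone-file checks and reverse-zone generation for the records above.
Added example for this page, not the page author's code and not BIND code.
SAMPLE_ZONE is constructed from the records in sections 3.2-3.8."""
import ipaddress
import re

ORIGIN = "janzen.com."

SAMPLE_ZONE = """\
$TTL 604800
@ IN SOA dns1.janzen.com. root.janzen.com. (
        1 604800 86400 2419200 604800 )  ; serial refresh retry expire neg-TTL
@       IN NS    dns1
        IN NS    dns2
        IN MX 12 mail1
        IN MX 10 mail2
dns     IN CNAME dns1
dns1    IN A     10.0.0.20
dns2    IN A     10.0.0.21
harbor  IN A     10.0.0.9
harbor  IN A     10.0.0.10
mail1   IN A     10.0.0.31
mail2   IN A     10.0.0.32
_dnstxt IN TXT   "this is @ name server"
"""


def fqdn(name, origin=ORIGIN):
    """'@' is the origin; a name with no trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (owner, type, rdata_tokens) tuples. Handles $-directives,
    ';' comments (not inside TXT strings), '(...)' continuations, an owner
    inherited from the previous record, and optional TTL/class fields."""
    records, buf, depth, owner, blank = [], [], 0, origin, False
    for raw in text.splitlines():
        if not buf:                          # first physical line of a record
            blank = raw[:1].isspace()        # blank owner => inherit previous
        line = re.sub(r";.*", "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth:
            continue                         # still inside ( ... )
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if not tokens or tokens[0].startswith("$"):
            continue
        if not blank:
            owner = fqdn(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():   # explicit TTL
            tokens.pop(0)
        if tokens and tokens[0] == "IN":     # explicit class
            tokens.pop(0)
        if tokens:
            records.append((owner, tokens[0], tokens[1:]))
    return records


def check_zone(records, origin=ORIGIN):
    """Rule violations: exactly one SOA, placed first; in-zone NS/MX targets
    have an A/AAAA record and are not CNAMEs; a CNAME owner has no other
    record; MX preference is a 16-bit value (lowest is tried first)."""
    problems = []
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA, found {len(soa)}")
    if not records or records[0][1] != "SOA":
        problems.append("SOA must be the first record in the zone")
    addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    cnames = {o for o, t, _ in records if t == "CNAME"}
    for owner, rtype, rdata in records:
        if owner in cnames and rtype != "CNAME":
            problems.append(f"{owner} is a CNAME but also has {rtype} data")
        if rtype == "MX" and not 0 <= int(rdata[0]) <= 65535:
            problems.append(f"MX preference {rdata[0]} is out of range")
        if rtype in ("NS", "MX"):
            target = fqdn(rdata[-1], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if target in cnames:
                problems.append(f"{rtype} target {target} is a CNAME")
            elif in_zone and target not in addr:
                problems.append(f"{rtype} target {target} has no A/AAAA record")
    return problems


def reverse_zone(records, network):
    """PTR records for the A records inside `network` (/8, /16 or /24), as
    (reverse_origin, [(full_owner, short_owner, target), ...]); short_owner
    is the host part relative to the reverse zone, as in '9 IN PTR harbor'."""
    net = ipaddress.ip_network(network)
    host_labels = (32 - net.prefixlen) // 8
    rev_origin = ".".join(net.network_address.reverse_pointer.split(".")[host_labels:]) + "."
    hosts = sorted((ipaddress.ip_address(r[0]), o) for o, t, r in records if t == "A")
    ptrs = []
    for ip, owner in hosts:
        if ip in net:
            labels = ip.reverse_pointer.split(".")
            ptrs.append((ip.reverse_pointer + ".", ".".join(labels[:host_labels]), owner))
    return rev_origin, ptrs
```

Run it over a real zone by passing the file's text to parse_zone together with the zone's origin. It is a teaching aid for the rules above; for deployment the authoritative check is still named-checkzone, which performs these integrity checks and many more.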
III. DNS tools
dig
Used to test DNS resolution results.
Usage: dig [@global-server] [domain] [q-type] [q-class] {q-opt}
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...)
q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...)
(Use ixfr=version for type ixfr)
q-opt +trace (Trace delegation down from root [+dnssec])
+recurse (Recursive mode (+rdflag))
# fetch every record of the zone by zone transfer; a correctly configured server only permits this from its secondaries (allow-transfer), so a transfer that succeeds from an arbitrary client is itself a finding
dig -t AXFR janzen.com @10.0.0.21
# trace the delegation path from the root servers down to the name
dig +trace app3.janzen.com @10.0.0.21
# query the PTR record of an address
dig -x 10.0.0.21
# print only the answer data
dig +short app3.janzen.com @10.0.0.71
nslookup
nslookup [-option] [name | -] [server]
rndc: the BIND management tool
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
                Removes zone from given view.
  dnstap -reopen
                Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
                Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  managed-keys refresh [class [view]]
                Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
                Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
                Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
                Modify a zone's configuration.
                Requires allow-new-zones option.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  nta -dump
                List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
                Set a negative trust anchor, disabling DNSSEC validation
                for the given domain.
                Using -lifetime specifies the duration of the NTA, up
                to one week.
                Using -force prevents the NTA from expiring before its
                full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
                Remove a negative trust anchor, re-enabling validation
                for the given domain.
  querylog [ on | off ]
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  scan          Scan available network interfaces for changes.
  secroots [view ...]
                Write security roots to the secroots file.
  showzone zone [class [view]]
                Print a zone's configuration.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  signing -serial <value> zone [class [view]]
                Set the zones's serial to <value>.
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation [ yes | no | status ] [view]
                Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
                Display the current status of a zone.

Version: 9.11.3-1ubuntu1.18-Ubuntu
IV. Installing and deploying DNS
1. CentOS 7: configure a primary server for forward resolution
1.1 Install the bind package and the DNS tools package bind-utils with yum
yum install -y bind bind-utils
1.2 Edit the named.conf configuration file: lift the listen and query restrictions and include the zone configuration file
# vim /etc/named.conf
options {
# listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
# allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
Every include line must end with a semicolon, or named refuses to start. Commenting out listen-on and allow-query makes named listen on every IPv4 address and answer any client that can reach it. With recursion yes and no allow-recursion statement, BIND 9.11 falls back to its built-in default of localnets; localhost, so every host on a directly attached network can use the server as a resolver, and with no allow-transfer statement the 9.11 default allows zone transfers (AXFR) to anyone. That is acceptable on an isolated lab network; anywhere else, set allow-recursion to the client networks and allow-transfer to the secondaries explicitly.
1.3 Create the zone configuration file named.zones
# vim /etc/named.zones
zone "janzen.com" IN {
type master;
file "named.janzen.com";
allow-update { none; };
};
1.4 Create the zone file named.janzen.com
# vim /var/named/named.janzen.com
;
; BIND zone data for janzen.com (forward zone)
;
$TTL 604800
@ IN SOA dns1.janzen.com. root.janzen.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS dns1
IN NS dns2
IN MX 12 mail1
IN MX 10 mail2
dns IN CNAME dns1
dns1 IN A 10.0.0.20
dns2 IN A 10.0.0.21
gitlab IN A 10.0.0.13
harbor IN A 10.0.0.9
harbor IN A 10.0.0.10
www IN A 10.0.0.11
mail1 IN A 10.0.0.31
mail2 IN A 10.0.0.32
_dnstxt IN TXT "this is @ name server"
1.5 Set the file permissions
# chmod 640 {/etc/named.zones,/var/named/named.janzen.com}
# chgrp named {/etc/named.zones,/var/named/named.janzen.com}
Before starting the service, validate the configuration and the zone with named-checkconf -z, which parses named.conf and test-loads every zone it references; a missing semicolon, an unterminated SOA or an unquoted TXT string is reported there instead of as a failed service start.
1.6 Enable named at boot and start it now
# systemctl enable --now named
1.7 Test the DNS service with dig
# dig dns.janzen.com @10.0.0.70
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- ...
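The options block from step 1.2 can be audited for the two settings that matter most on an authoritative server: who may recurse through it and who may pull the zone with AXFR. The script below is an added example written for this page (not the page author's code and not part of BIND): it strips named.conf comments, extracts the statements of the options block, models the BIND 9.11 fallback chain for the recursion ACL (allow-recursion, else allow-query-cache, else allow-query, else the built-in localnets; localhost) and the 9.11 default of allow-transfer { any; }, and reports findings for the configuration shown above (WEAK_OPTIONS, reduced to the relevant lines) and for a hardened version. The ACL names trusted and secondaries, the client network 10.0.0.0/24 and the secondary address 10.0.0.21 in HARDENED_OPTIONS are assumptions; 10.0.0.20 is dns1's address from the zone above.

```python
"""Audit the 'options' block of a named.conf for the settings that make the
server from step 1.2 an open resolver or an open AXFR source.
Added example for this page, not the page author's code and not BIND code.
WEAK_OPTIONS reproduces the relevant lines of the step 1.2 configuration;
HARDENED_OPTIONS is a suggested corrected form whose ACL names and addresses
are assumptions (10.0.0.0/24 as client network, 10.0.0.21 as secondary)."""
import re

WEAK_OPTIONS = """\
options {
#       listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
#       allow-query { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
"""

HARDENED_OPTIONS = """\
acl "trusted" { 10.0.0.0/24; localhost; };   // assumed client network
acl "secondaries" { 10.0.0.21; };            // assumed secondary server
options {
        listen-on port 53 { 10.0.0.20; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query { any; };               /* authoritative data is public */
        recursion yes;
        allow-recursion { "trusted"; };     /* ...but recursion is not */
        allow-transfer { "secondaries"; };  /* AXFR only to our secondaries */
        dnssec-enable yes;
        dnssec-validation yes;
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(re.split(r"//|#", line, maxsplit=1)[0] for line in text.splitlines())


def parse_options(text):
    """Statements of the options block as a dict: an address list such as
    'allow-query { a; b; };' becomes ['a', 'b'], a plain statement such as
    'recursion yes;' becomes 'yes'."""
    block = re.search(r"options\s*\{(.*?)\n\};", strip_comments(text), re.S)
    if not block:
        raise ValueError("no options block found")
    opts = {}
    for m in re.finditer(r"([\w-]+)([^{;]*?)(?:\{([^}]*)\})?\s*;", block.group(1)):
        name, rest, addr_list = m.group(1), m.group(2).strip(), m.group(3)
        if addr_list is None:
            opts[name] = rest.strip('"')
        else:
            opts[name] = [e.strip().strip('"') for e in addr_list.split(";") if e.strip()]
    return opts


def effective_recursion_acl(opts):
    """BIND 9.11 fallback chain: allow-recursion, else allow-query-cache,
    else allow-query, else the built-in default localnets; localhost."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        if name in opts:
            return opts[name]
    return ["localnets", "localhost"]


def audit(opts):
    """Findings for the classic mistakes; an empty list means none apply."""
    findings = []
    if opts.get("recursion", "yes") == "yes":        # BIND defaults to yes
        acl = effective_recursion_acl(opts)
        if acl == ["any"]:
            findings.append("open resolver: recursion is on and the effective "
                            "recursion ACL is 'any' (allow-query any without allow-recursion)")
        elif "allow-recursion" not in opts:
            findings.append(f"recursion ACL is only the implicit {acl}; "
                            "set allow-recursion explicitly")
    if opts.get("allow-transfer") in (None, ["any"]):  # 9.11 default is any
        findings.append("open zone transfer: allow-transfer is absent or 'any', "
                        "so 'dig AXFR' from any host dumps the whole zone")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit(parse_options(text)) or ["ok"])
```

named-checkconf only validates syntax and accepts both blocks, so this kind of policy check has to be done separately. Note the trap the fallback chain creates: uncommenting allow-query { any; } to make the authoritative data public, without also adding allow-recursion, turns the recursion ACL into any, which is the classic open-resolver mistake the script flags.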