【DNS】域名服务 Bind实现
一、域名解析过程https://img2023.cnblogs.com/blog/2458577/202305/2458577-20230525101339322-1076261513.png
https://img2023.cnblogs.com/blog/2458577/202305/2458577-20230525114801766-1917591144.png
DNS域名完整解析过程
1、查询本地 hosts文件 解析记录
2、查询客户端本地DNS缓存记录
3、访问DNS转发(缓存)服务器本地缓存记录
4、转发到权威服务器查询本地缓存记录
5、访问权威服务器解析记录
6、权威服务器迭代查询
6.1、访问子域权威服务器查询本地缓存记录
6.2、访问子域解析记录
7、访问根服务器解析记录
8、访问一级域名服务器解析记录
.......
二、DNS解析记录类型
1、DNS服务器类型
主DNS服务器
管理和维护所负责解析的域内解析库的服务器
从DNS服务器
从主服务器或从服务器复制(区域传输)解析库副本
缓存DNS服务器(转发器)
将客户端请求转发到指定的DNS服务器上,并将指定DNS服务器返回结果缓存到本地DNS缓存记录中,缓存DNS服务器自身不保存解析库数据,不使用自身进行域名解析。
2、解析结果类型
[*]肯定答案:存在对应的查询结果
[*]否定答案:请求的条目不存在等原因导致无法返回结果
[*]权威答案:直接由存在此查询结果的DNS服务器(权威服务器)返回的结果
[*]非权威答案:有其他非权威服务器返回的查询结果
3、资源记录RR(Resource Record)
区域解析库
有众多资源记录RR(Resource Record)组成
记录类型:SOA、A、AAAA、NS、CNAME、MX、TXT、PTR
[*]SOA:Start Of Authority,起始授权记录;一个区域解析库有且仅能有一个SOA记录,且必须位于解析库的第一条
[*]A:IPv4 正向解析资源记录
[*]AAAA:IPv6正向解析资源记录
[*]NS:用于标注当前区域的DNS服务器
[*]CNAME:别名记录
[*]MX:邮件交换器
[*]TXT:对域名进行标识说明的一种方式,一般做验证记录会使用此项,如SPF(反垃圾邮件)记录,https验证 登
[*]PTR:
3.1、资源记录定义格式
name IN rr_type value使用@符号可引用当前区域名字
TTL 可以从全局继承
IN值可以通过继承上一条记录忽略不写
同一个名字可以通过多条记录定义多个值,此时DNS服务器会以轮询方式响应
同一个值也可能有多个不同定义的名字,通过多个名字指向同一个值进行定义,此时表示通过多个不同的名字找到同一台主机
3.2、SOA 记录
name:当前区域的名字
value:多个内容组成
当前主DNS服务器的FQDN,也可以使用当前区域的名字
当前区域的管理员邮箱,由于无法使用@符合,通常使用.替换,例如:root.janzen.com (root@janzen.com)
主从服务区域传输相关定义以及否定答案的统一TTL设置
@ IN SOA dns1.janzen.com root.janzen.com ( 1 ; 序列号 604800 ; 刷新时间 86400 ; 重试时间 2419200 ; 过期时间 604800 ) ; 否定答案的TTL值
3.3、A 记录
name:主机的FQDN,可以.结尾代表完整名称,也可以简写末尾不加.
value:对应的IPv4地址
dns1 A 10.0.0.20dns2 A 10.0.0.21gitlab.janzen.com. A 10.0.0.13harbor A 10.0.0.9harbor A 10.0.0.10
3.4、AAAA 记录
name:主机的FQDN,可以.结尾代表完整名称,也可以简写末尾不加.
value:对应的IPv6地址
3.5、NS 记录
name:当前区域的名字
value:当前区域某DNS服务器的名字
相邻的两个资源记录name相同时,后续的可以省略
对于NS记录而言,每一条NS记录后面的名字,后续都应该有一条对应的A记录
一个区域可以有多条NS记录
@ IN NS dns1 NS dns2
3.6、CNAME 记录
name:别名FQDN
value:真实的FQDN
dns IN CNAME dns1
3.7、MX 记录
name:当前区域的名字
value:当前区域某邮件服务器(smtp服务器)的名字
一个区域内,MX记录可以有多个,但每个记录的value后面都应该有一个(0-99)数字,表示此服务器的优先级
对于MX记录而言,每一条NS记录后面的名字,后续都应该有一条对应的A记录
@ IN MX 12 mail1
IN MX 10 mail2
mail1 IN A 10.0.0.31
mail2 IN A 10.0.0.32
3.8、TXT 记录
name:文本描述头
value:文本内容
_dnstxt TXT this is @ name server
3.9、PTR 记录
name:IP
value:FQDN
name的IP拥有固定写法,需要将IP反向书写,并添加特殊后缀 in-addr.arpa.
完整写法为:20.0.0.10.in-addr.arpa.
网络地址及后缀可以省略,主机地址依旧要反写
20.0.0.10.in-addr.arpa. IN PTR dns.janzen.com.#由于 10.0.0 为网络地址,可以省略 9 IN PTR harbor.janzen.com.
三、DNS工具介绍
dig 工具介绍
用于测试DNS解析结果
Usage:dig [@global-server] {q-opt}Where:domain is in the Domain Name System q-classis one of (in,hs,ch,...) q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) (Use ixfr=version for type ixfr)
q-opt +trace (Trace delegation down from root [+dnssec])
+recurse (Recursive mode (+rdflag))#获取目标dns全部解析记录dig -tAXFR janzen.com @10.0.0.21#跟踪域名解析路径dig +trace app3.janzen.com @10.0.0.21#查询PTR记录dig -x 10.0.0.21#直接显示域名查询结果dig +short app3.janzen.com @10.0.0.71nslookup工具
nslookup [-option]
rndc DNS管理工具
Usage: rndc [-b address] [-c config] [-s server] [-p port] [-k key-file ] [-y key] [-r] [-V] commandcommand is one of the following:addzone zone ] { zone-options } Add zone to given view. Requires allow-new-zones option.delzone [-clean] zone ] Removes zone from given view.dnstap -reopen Close, truncate and re-open the DNSTAP output file.dnstap -roll count Close, rename and re-open the DNSTAP output file(s).dumpdb [-all|-cache|-zones|-adb|-bad|-fail] Dump cache(s) to the dump file (named_dump.db).flush Flushes all of the server's caches.flush Flushes the server's cache for a view.flushname name Flush the given name from the server's cache(s)flushtree name Flush all names under the given name from the server's cache(s)freeze Suspend updates to all dynamic zones.freeze zone ] Suspend updates to a dynamic zone.halt Stop the server without saving pending updates.halt -p Stop the server without saving pending updates reporting process id.loadkeys zone ] Update keys without signing immediately.managed-keys refresh ] Check trust anchor for RFC 5011 key changesmanaged-keys status ] Display RFC 5011 managed keys informationmanaged-keys sync ] Write RFC 5011 managed keys to diskmodzone zone ] { zone-options } Modify a zone's configuration. Requires allow-new-zones option.notify zone ] Resend NOTIFY messages for the zone.notrace Set debugging level to 0.nta -dump List all negative trust anchors.nta [-lifetime duration] [-force] domain Set a negative trust anchor, disabling DNSSEC validation for the given domain. Using -lifetime specifies the duration of the NTA, up to one week. Using -force prevents the NTA from expiring before its full lifetime, even if the domain can validate sooner.nta -remove domain Remove a negative trust anchor, re-enabling validation for the given domain.querylog [ on | off ] Enable / disable query logging.reconfig Reload configuration file and new zones only.recursing Dump the queries that are currently recursing (named.recursing)refresh zone ] Schedule immediate maintenance for a zone.reload Reload configuration file and zones.reload zone ] Reload a single zone.retransfer zone ] Retransfer a single zone without checking serial number.scan Scan available network interfaces for changes.secroots Write security roots to the secroots file.showzone zone ] Print a zone's configuration.sign zone ] Update zone keys, and sign as needed.signing -clear all zone ] Remove the private records for all keys that have finished signing the given zone.signing -clear / zone ] Remove the private record that indicating the given key has finished signing the given zone.signing -list zone ] List the private records showing the state of DNSSEC signing in the given zone.signing -nsec3param hash flags iterations salt zone ] Add NSEC3 chain to zone if already signed. Prime zone with NSEC3 chain if not yet signed.signing -nsec3param none zone ] Remove NSEC3 chains from zone.signing -serialzone ] Set the zones's serial to .stats Write server statistics to the statistics file.status Display status of the server.stop Save pending updates to master files and stop the server.stop -p Save pending updates to master files and stop the server reporting process id.sync [-clean] Dump changes to all dynamic zones to disk, and optionally remove their journal files.sync [-clean] zone ] Dump a single zone's changes to disk, and optionally remove its journal file.thaw Enable updates to all dynamic zones and reload them.thaw zone ] Enable updates to a frozen dynamic zone and reload it.trace Increment debugging level by one.trace level Change the debugging level.tsig-delete keyname Delete a TKEY-negotiated TSIG key.tsig-list List all currently active TSIG keys, including both statically configured and TKEY-negotiated keys.validation [ yes | no | status ] Enable / disable DNSSEC validation.zonestatus zone ] Display the current status of a zone.Version: 9.11.3-1ubuntu1.18-Ubuntu
四、DNS安装部署
1、Centos7 配置域名正向解析主服务器
1.1、yum安装bind服务,及DNS工具 bind-utils
yum install -y bind bind-utils
1.2、修改 named.conf 配置文件,禁用服务限制,引入区域配置文件
# vim /etc/named.conf options { # listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file"/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; # allow-query { localhost; }; recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key";};logging { channel default_debug { file "data/named.run"; severity dynamic; };};zone "." IN { type hint; file "named.ca";};include "/etc/named.rfc1912.zones";include "/etc/named.root.key";include "/etc/named.zones"
1.3、创建 named.zones 区域配置文件
# vim /etc/named.zones
zone "janzen.com" IN { type master; file "named.janzen.com"; allow-update { none; }; };
1.4、创建 named.janzen.com 区域解析库文件
# vim /var/named/named.janzen.com;; BIND reverse data file for broadcast zone;$TTL 604800@ IN SOA janzen.com. root.localhost. ( 1 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire 604800 ) ; Negative Cache TTL;@ IN NS dns1 IN NS dns2 IN MX 12 mail1 IN MX 10 mail2dns IN CNAME dns1dns1 IN A 10.0.0.20dns2 IN A 10.0.0.21gitlabIN A 10.0.0.13harborIN A 10.0.0.9harborIN A 10.0.0.10www IN A 10.0.0.11mail1 IN A 10.0.0.31mail2 IN A 10.0.0.32_dnstext IN TXT this is @ name server
1.5、修改文件权限
# chmod 640 {/etc/named.zones,/var/named/named.janzen.com}# chgrp named {/etc/named.zones,/var/named/named.janzen.com}
1.6、设置named服务开机自启动
# systemctl enable --now named
1.7、使用dig测试DNS服务
# dig dns.janzen.com @10.0.0.70;DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13dns.janzen.com @10.0.0.70;; global options: +cmd;; Got answer:;; ->>HEADERHEADERHEADERHEADERHEADERHEADERHEADERHEADERHEADERHEADERHEADERHEADER
页:
[1]