I. The domain name resolution process
The complete DNS resolution process:
1. Look up the record in the local hosts file
2. Look up the client's local DNS cache
3. Query the DNS forwarding (caching) server's local cache
4. Forward the query to the authoritative server and check its local cache
5. Query the authoritative server's resolution records
6. The authoritative server performs iterative queries
6.1. Query the sub-domain authoritative server's local cache
6.2. Query the sub-domain's resolution records
7. Query the root servers
8. Query the top-level domain servers
.......
II. DNS resolution record types
1. DNS server types
Primary (master) DNS server
Manages and maintains the zone database for the domains it is responsible for resolving.
Secondary (slave) DNS server
Copies the zone database from the master, or from another slave, by zone transfer.
Caching DNS server (forwarder)
Forwards client requests to a designated DNS server and stores the answers that server returns in its local DNS cache. A caching server holds no zone data of its own and does not resolve names by itself.
2. Answer types
- Positive answer: a matching result exists for the query
- Negative answer: no result can be returned, for example because the requested entry does not exist
- Authoritative answer: returned directly by the DNS server that holds the record (the authoritative server)
- Non-authoritative answer: returned by some other, non-authoritative server (typically from its cache)
3. Resource records (RR)
Zone database
Consists of many resource records (RRs)
Record types: SOA, A, AAAA, NS, CNAME, MX, TXT, PTR
- SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone file
- A: IPv4 forward-resolution record
- AAAA: IPv6 forward-resolution record
- NS: names the DNS servers of the current zone
- CNAME: alias record
- MX: mail exchanger
- TXT: a way of attaching descriptive text to a name; generally used for verification records, such as SPF (anti-spam) records, HTTPS verification, ...
- PTR: reverse-resolution record, mapping an IP address to an FQDN (see 3.9)
3.1. Resource record definition format

```text
name [TTL] IN rr_type value
```

The @ symbol refers to the name of the current zone (the origin)
TTL can be inherited from the global $TTL value
The IN class can be left out; it is inherited from the previous record
The same name can be given several values through multiple records; the DNS server then answers in round-robin order
The same value can also be defined under several different names; multiple names pointing at one value means the same host can be found under several different names
3.2. SOA record
name: the name of the current zone
value: made up of several parts:
the FQDN of the current primary DNS server (the zone's own name may also be used)
the zone administrator's mailbox; since the @ character cannot be used, it is replaced by a dot, e.g. root.janzen.com (root@janzen.com)
the timers that govern master/slave zone transfers, and the TTL applied to negative answers

```text
@ IN SOA dns1.janzen.com. root.janzen.com. (
        1        ; serial number
        604800   ; refresh interval
        86400    ; retry interval
        2419200  ; expire time
        604800 ) ; TTL for negative answers
```

The server and mailbox names end with a dot; without it, BIND would append the zone name and produce dns1.janzen.com.janzen.com.
3.3. A record
name: the host's FQDN; a trailing dot marks a complete name, otherwise the zone name is appended to the short form
value: the corresponding IPv4 address

```text
dns1                A 10.0.0.20
dns2                A 10.0.0.21
gitlab.janzen.com.  A 10.0.0.13
harbor              A 10.0.0.9
harbor              A 10.0.0.10
```
3.4. AAAA record
name: the host's FQDN; a trailing dot marks a complete name, otherwise the zone name is appended to the short form
value: the corresponding IPv6 address
3.5. NS record
name: the name of the current zone
value: the name of one of the current zone's DNS servers
When two adjacent resource records share the same name, the later one may leave the name out
For NS records, every name that follows an NS record should have a corresponding A record later in the file
A zone can have several NS records
3.6. CNAME record
name: the alias FQDN
value: the real FQDN
3.7. MX record
name: the name of the current zone
value: the name of one of the current zone's mail servers (SMTP servers)
A zone may have several MX records, but each record's value is preceded by a number (0-99) giving the server's priority
For MX records, every name that follows an MX record should have a corresponding A record later in the file

```text
@     IN MX 12 mail1
      IN MX 10 mail2
mail1 IN A  10.0.0.31
mail2 IN A  10.0.0.32
```
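To make the rules of 3.1 (the @ origin, inherited TTL and class, blank owner names) and the checks of 3.2, 3.5 and 3.7 (one SOA placed first, every NS and MX target backed by an A record, round-robin for repeated names) concrete, here is a small zone-file parser and checker. It is an added example, not code from the original post; the zone text is a constructed, trimmed copy of the post's janzen.com file with mail1's A record left out so that the check has something to report.

```python
import re
from collections import defaultdict
def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples, applying the 3.1 rules: '@' is the
    origin, TTL falls back to $TTL, 'IN' is optional, a blank owner repeats the last."""
    origin = origin.rstrip(".") + "."
    text = re.sub(r";[^\n]*", "", text)                                # strip ';' comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)  # join (...)
    default_ttl, owner, records = None, None, []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "$TTL":
            default_ttl = int(tok[1]); continue
        if not line[0].isspace():                                      # explicit owner field
            name = tok.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        ttl = int(tok.pop(0)) if tok[0].isdigit() else default_ttl     # optional TTL
        if tok[0].upper() == "IN":                                     # optional class
            tok.pop(0)
        records.append((owner, ttl, tok[0].upper(), tok[1:]))
    return records
def check_zone(records, origin):
    """3.2/3.5/3.7 checks: exactly one SOA, placed first; every NS and MX target has
    an A record. Also returns names with several A records (round-robin answers)."""
    origin = origin.rstrip(".") + "."
    absolute = lambda n: n if n.endswith(".") else f"{n}.{origin}"
    a_records = defaultdict(list)
    for owner, _, rtype, rdata in records:
        if rtype == "A":
            a_records[owner].append(rdata[0])
    problems = []
    if not records or records[0][2] != "SOA" or sum(r[2] == "SOA" for r in records) != 1:
        problems.append("zone needs exactly one SOA, and it must be the first record")
    for owner, _, rtype, rdata in records:
        if rtype in ("NS", "MX") and absolute(rdata[-1]) not in a_records:
            problems.append(f"{rtype} target {absolute(rdata[-1])} has no A record")
    return problems, {n: ips for n, ips in a_records.items() if len(ips) > 1}
# Constructed sample: the post's janzen.com zone, trimmed, with mail1's A record left out.
ZONE = """$TTL 604800
@ IN SOA janzen.com. root.localhost. ( 1 ; Serial
      604800 86400 2419200 604800 ) ; Refresh Retry Expire Negative-TTL
@ IN NS dns1
  IN MX 12 mail1
dns1 IN A 10.0.0.20
harbor IN A 10.0.0.9
harbor 300 A 10.0.0.10"""
```

`check_zone(parse_zone(ZONE, "janzen.com"), "janzen.com")` reports the missing mail1 A record and lists harbor as a round-robin name.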
3.8. TXT record
name: the label the text is attached to
value: the text content (quoted, so that it is stored as a single string)

```text
_dnstxt TXT "this is @ name server"
```
3.9. PTR record
name: the IP address
value: the FQDN
The IP in the name has a fixed form: the address is written in reverse order and given the special suffix in-addr.arpa.
The complete form is: 20.0.0.10.in-addr.arpa.
The network part and the suffix can be omitted inside the reverse zone, but the host part must still be written in reverse

```text
20.0.0.10.in-addr.arpa. IN PTR dns.janzen.com.
; 10.0.0 is the network part, so it can be omitted inside the 0.0.10.in-addr.arpa zone
9 IN PTR harbor.janzen.com.
```
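The reversed-address naming above is easy to get wrong by hand, so here is an added helper (not from the original post) that builds the full in-addr.arpa. name, works out which reverse zone a network belongs to, and shortens a name relative to that zone exactly as the 9 IN PTR line does. It goes beyond the post's IPv4 example by handling ip6.arpa. nibble names as well; the function names are this example's own.

```python
import ipaddress

def reverse_name(ip):
    """Absolute reverse-lookup name from 3.9: IPv4 octets reversed under in-addr.arpa.;
    IPv6 (beyond the post's IPv4 example) is reversed nibble by nibble under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone_for(network):
    """Name of the reverse zone holding a network, e.g. 10.0.0.0/24 -> 0.0.10.in-addr.arpa.
    Only prefixes on an octet (IPv4) or nibble (IPv6) boundary map to a single zone."""
    net = ipaddress.ip_network(network, strict=True)
    bits = 8 if net.version == 4 else 4                      # bits per reverse-name label
    if net.prefixlen % bits:
        raise ValueError(f"{network}: prefix length must be a multiple of {bits}")
    labels = (net.network_address.reverse_pointer + ".").split(".")
    total = net.max_prefixlen // bits                        # 4 labels for IPv4, 32 for IPv6
    return ".".join(labels[total - net.prefixlen // bits:])

def zone_relative_name(ip, reverse_zone):
    """Owner name as written inside a reverse zone file (3.9): the network part and the
    in-addr.arpa. suffix are dropped, the remaining host part stays reversed."""
    full, zone = reverse_name(ip), reverse_zone.rstrip(".") + "."
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} does not belong to reverse zone {zone}")
    return full[: -len(zone) - 1]

def ptr_record(ip, fqdn, reverse_zone=None):
    """Render a PTR line, absolute or (when reverse_zone is given) relative to that zone."""
    owner = reverse_name(ip) if reverse_zone is None else zone_relative_name(ip, reverse_zone)
    return f"{owner} IN PTR {fqdn.rstrip('.')}."
```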
III. DNS tools
dig
Used to test DNS resolution results.

```text
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
Where:  domain is in the Domain Name System
        q-class is one of (in,hs,ch,...) [default: in]
        q-type is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
        (Use ixfr=version for type ixfr)
        q-opt +[no]trace (Trace delegation down from root [+dnssec])
              +[no]recurse (Recursive mode (+[no]rdflag))
```

```shell
# fetch all of the target DNS server's records for the zone (zone transfer)
dig -tAXFR janzen.com @10.0.0.21
# trace the resolution path of a name
dig +trace app3.janzen.com @10.0.0.21
# query the PTR record
dig -x 10.0.0.21
# show only the answer
dig +short app3.janzen.com @10.0.0.71
```

nslookup

```text
nslookup [-option] [name | -] [server]
```
rndc, the DNS management tool

```text
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
                Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
                Removes zone from given view.
  dnstap -reopen
                Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
                Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
                Dump cache(s) to the dump file (named_dump.db).
  flush         Flushes all of the server's caches.
  flush [view]  Flushes the server's cache for a view.
  flushname name [view]
                Flush the given name from the server's cache(s)
  flushtree name [view]
                Flush all names under the given name from the server's cache(s)
  freeze        Suspend updates to all dynamic zones.
  freeze zone [class [view]]
                Suspend updates to a dynamic zone.
  halt          Stop the server without saving pending updates.
  halt -p       Stop the server without saving pending updates reporting
                process id.
  loadkeys zone [class [view]]
                Update keys without signing immediately.
  managed-keys refresh [class [view]]
                Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
                Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
                Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
                Modify a zone's configuration.
                Requires allow-new-zones option.
  notify zone [class [view]]
                Resend NOTIFY messages for the zone.
  notrace       Set debugging level to 0.
  nta -dump
                List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
                Set a negative trust anchor, disabling DNSSEC validation
                for the given domain.
                Using -lifetime specifies the duration of the NTA, up
                to one week.
                Using -force prevents the NTA from expiring before its
                full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
                Remove a negative trust anchor, re-enabling validation
                for the given domain.
  querylog [ on | off ]
                Enable / disable query logging.
  reconfig      Reload configuration file and new zones only.
  recursing     Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
                Schedule immediate maintenance for a zone.
  reload        Reload configuration file and zones.
  reload zone [class [view]]
                Reload a single zone.
  retransfer zone [class [view]]
                Retransfer a single zone without checking serial number.
  scan          Scan available network interfaces for changes.
  secroots [view ...]
                Write security roots to the secroots file.
  showzone zone [class [view]]
                Print a zone's configuration.
  sign zone [class [view]]
                Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
                Remove the private records for all keys that have
                finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
                Remove the private record that indicating the given key
                has finished signing the given zone.
  signing -list zone [class [view]]
                List the private records showing the state of DNSSEC
                signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
                Add NSEC3 chain to zone if already signed.
                Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
                Remove NSEC3 chains from zone.
  signing -serial <value> zone [class [view]]
                Set the zones's serial to <value>.
  stats         Write server statistics to the statistics file.
  status        Display status of the server.
  stop          Save pending updates to master files and stop the server.
  stop -p       Save pending updates to master files and stop the server
                reporting process id.
  sync [-clean] Dump changes to all dynamic zones to disk, and optionally
                remove their journal files.
  sync [-clean] zone [class [view]]
                Dump a single zone's changes to disk, and optionally
                remove its journal file.
  thaw          Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
                Enable updates to a frozen dynamic zone and reload it.
  trace         Increment debugging level by one.
  trace level   Change the debugging level.
  tsig-delete keyname [view]
                Delete a TKEY-negotiated TSIG key.
  tsig-list     List all currently active TSIG keys, including both statically
                configured and TKEY-negotiated keys.
  validation [ yes | no | status ] [view]
                Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
                Display the current status of a zone.

Version: 9.11.3-1ubuntu1.18-Ubuntu
```
IV. DNS installation and deployment
1. Configuring a primary forward-resolution server on CentOS 7
1.1. Install the bind service and the DNS tools package bind-utils with yum

```shell
yum install -y bind bind-utils
```
1.2. Edit the named.conf configuration file: lift the listen/query restrictions and include the zone configuration file

```text
[root@node-centos7-70 ~]# vim /etc/named.conf
```

```text
options {
        # listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        # allow-query { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";
```

Every include statement, including the added one for /etc/named.zones, must end with a semicolon or named will refuse to start.
1.3. Create the named.zones zone configuration file

```text
[root@node-centos7-70 ~]# vim /etc/named.zones
```

```text
zone "janzen.com" IN {
        type master;
        file "named.janzen.com";
        allow-update { none; };
};
```
1.4. Create the named.janzen.com zone database file

```text
[root@node-centos7-70 etc]# vim /var/named/named.janzen.com
```

```text
;
; BIND forward zone data file for janzen.com
;
$TTL 604800
@       IN SOA  janzen.com. root.localhost. (
                1         ; Serial
                604800    ; Refresh
                86400     ; Retry
                2419200   ; Expire
                604800 )  ; Negative Cache TTL
;
@       IN NS   dns1
        IN NS   dns2
        IN MX   12 mail1
        IN MX   10 mail2
dns     IN CNAME dns1
dns1    IN A    10.0.0.20
dns2    IN A    10.0.0.21
gitlab  IN A    10.0.0.13
harbor  IN A    10.0.0.9
harbor  IN A    10.0.0.10
www     IN A    10.0.0.11
mail1   IN A    10.0.0.31
mail2   IN A    10.0.0.32
_dnstext IN TXT "this is @ name server"
```
1.5. Set file permissions

```shell
[root@node-centos7-70 etc]# chmod 640 {/etc/named.zones,/var/named/named.janzen.com}
[root@node-centos7-70 etc]# chgrp named {/etc/named.zones,/var/named/named.janzen.com}
```

1.6. Enable the named service at boot and start it

```shell
[root@node-centos7-70 etc]# systemctl enable --now named
```
1.7. Test the DNS service with dig

```text
[root@node-centos7-70 etc]# dig dns.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- ...
```
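Step 1.2 comments out allow-query while leaving recursion yes, so the server will also answer recursive queries for any client that can reach it (an open resolver), and it places no limit on who may pull the zone with AXFR as in the dig example of section III. The options block below is an added example, not part of the original post; it keeps the janzen.com zone readable by anyone while limiting recursion and zone transfers to the post's 10.0.0.0/24 lab network and dns2 (the acl name and the network range are assumptions).

```conf
acl "lan" { 10.0.0.0/24; 127.0.0.1; };            // assumed lab network of the post

options {
        listen-on port 53 { 127.0.0.1; 10.0.0.70; };  // this server's address from step 1.7
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        recursion yes;
        allow-query { any; };                     // anyone may look up the janzen.com zone
        allow-recursion { "lan"; };               // only the lab may use this server as a resolver
        allow-transfer { 10.0.0.21; };            // AXFR only to dns2, the secondary named in the zone
        dnssec-enable yes;
        dnssec-validation yes;
};
```

Run `named-checkconf /etc/named.conf` and `named-checkzone janzen.com /var/named/named.janzen.com` before restarting named, so that a typo such as a missing semicolon is caught before the service goes down.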