DNS Service Management
I. Overview
Concept
Domain Name Service: a distributed naming system made up of many DNS servers spread around the world. Each DNS server holds a large number of mappings between host names and IP addresses, and these mappings are updated dynamically. Many network client programs use the DNS protocol to ask a DNS server for the IP address of a target host.
Function
Forward resolution: resolves a known domain name to an IP address. Reverse resolution: resolves a known IP address to a domain name.
Listening ports
53/UDP | 53/TCP
Default run-as user
named
II. Fully Qualified Domain Name
FQDN (Fully Qualified Domain Name)
Structure
hostname.third-level-domain.second-level-domain.top-level-domain.
Example: www.baidu.com.
Domain types
Type | Examples |
---|---|
Root domain | . |
Top-level domain | cn, hk, uk, org, edu, com, mil, gov, net |
Second-level domain | baidu, 163, sina, sohu |
III. DNS Resolution Process
How a client resolves a domain name (must be memorized)
- Local DNS cache
- Local hosts file. Before DNS servers existed, all hosts resolved each other through the hosts file.
- The DNS server the client points to:
  Recursive query: returns the final answer directly; this is the query between the client and its local DNS server (the answer is exactly what was asked). Iterative query: does not return the final answer; these are the queries between the local DNS server and the root and other DNS servers (the answer is a referral rather than the result asked for).
Domain name resolution is implemented by the Domain Name System (DNS), which acts as the Internet's "phone book", storing the mappings between domain names and IP addresses.
Client-side resolution step by step
1. Check the local caches
The client first looks locally for a cached IP address for the domain, avoiding repeated network queries and speeding up resolution.
- Browser cache: the browser temporarily stores recently resolved names; the validity period is set by the domain's TTL (time to live).
- Operating system cache: the OS (Windows, Linux, etc.) also caches DNS results; they can be inspected with a command such as `ipconfig /displaydns`.
- Local HOSTS file: the `hosts` file in the system directory (on Windows, `C:\Windows\System32\drivers\etc\hosts`) can hold manually added name-to-IP mappings, which take precedence over DNS server queries.
2. Query the local DNS server (recursive resolution)
If nothing is found in the local caches, the client sends the query to its local DNS server (usually provided by the ISP, such as China Telecom's or China Unicom's DNS), and the local server performs a "recursive query":
- Recursive resolution: the local server queries other DNS servers on the client's behalf until it has the result, then returns it to the client.
3. The local DNS server's iterative queries
The local DNS server obtains the domain's IP address step by step through "iterative queries", involving the following tiers of DNS servers:
- Root name servers (Root DNS Server): there are 13 groups of root servers worldwide (labelled A through M), which hold the addresses of the top-level domain servers. The local server first asks a root server for the address of the TLD server responsible for the target domain.
- Top-level domain servers (TLD Server): manage a top-level domain (.com, .cn, .org, etc.) and return the address of the authoritative name server for the domain.
- Authoritative name servers (Authoritative DNS Server): hold the IP address mappings for the specific domain and return the target domain's IP address directly to the local server.
4. The local server returns the result to the client
Once the local DNS server has the IP address, it caches the result and returns it to the client, which can then reach the target site at that address.
Summary: the core resolution flow
Client issues a resolution request → check local caches (browser / system / hosts) → if no result, query the local DNS server → the local server iterates root server → TLD server → authoritative server (a recursive query from the client, iterative queries by the local server, to obtain the IP) → IP address returned to the client → client caches the result and connects to the target server
IV. Classification of Name Servers
By role
1. Root name servers: the highest tier, and the most important. Every root name server knows the names and IP addresses of all top-level domain servers.
2. Top-level domain servers: manage the second-level domains registered under that top-level domain.
3. Authoritative name servers: responsible for one "zone".
4. Local name servers: not part of the name server hierarchy, but essential to the domain name system. When a host issues a DNS query, the query message is sent to the local name server.
By deployment scenario
Primary name server: provides the primary zone for client resolution; if the primary DNS server goes down, the secondary DNS server takes over.
Secondary name server: if the primary stops answering for a long time, the secondary also stops serving. Master/slave zone data synchronization uses periodic checks plus notification: the secondary periodically checks the records on the primary and synchronizes as soon as it sees a change, and when data is modified on the primary it immediately notifies the secondary to update its records.
Cache-only server: a type of DNS server that is responsible neither for maintaining zone data nor for authoritative resolution. It keeps the name-to-IP records users frequently look up in its local cache to speed up the next resolution.
V. DNS Server Deployment
The DNS resolution service is implemented by installing the bind package!!
Install the bind package
```
#### online install ####
[root@localhost ~]# yum install -y bind
#### local install ####
```
Core files
```
### list the core files created by the install ###
[root@localhost ~]# rpm -ql bind
/etc/named.conf                 # main service configuration file
/etc/named.rfc1912.zones        # additional configuration included by the main config
/var/named                      # zone data directory
/var/named/named.ca             # trusted root name server hints; do not edit by hand
/var/named/named.empty          # zone file template
/var/named/named.localhost      # zone file template for the local interface
/var/named/named.loopback       # zone file template for the loopback interface
/var/named/slaves               # zone data directory for slave zones
/var/log/named.log              # service log file
```
Commands
```
##### core commands #####
/usr/sbin/named                 # main service daemon
/usr/sbin/named-checkconf       # syntax check for the main configuration file
/usr/sbin/named-checkzone       # syntax check for zone files
/usr/sbin/named-journalprint    # print the contents of a zone journal (.jnl) file
```
Configuration files in detail
Main service configuration file
```
[root@localhost ~]# cat /etc/named.conf
//  ## single-line comment
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; };       ## IPv4 listen port and address; change to the IP of the interface that should serve queries
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";                               # data directory
        dump-file       "/var/named/data/cache_dump.db";            # cache dump file
        statistics-file "/var/named/data/named_stats.txt";          # server statistics file
        memstatistics-file "/var/named/data/named_mem_stats.txt";   # memory usage statistics file
        recursing-file  "/var/named/data/named.recursing";          # dump file for in-progress recursive queries
        secroots-file   "/var/named/data/named.secroots";           # dump file for DNSSEC security roots
        allow-query     { localhost; };         # client access ACL; change localhost to any to allow all hosts

        /*  ## multi-line comment
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";        # service PID file
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";     # additional configuration file included here
include "/etc/named.root.key";
```
Zone configuration file
```
[root@localhost ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {       ## forward zone definition
        type master;                    ## server type for this zone: master or slave
        file "named.localhost";         ## path and name of the zone file (relative to the directory option)
        allow-update { none; };         ## ACL of hosts allowed to dynamically update this zone
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {      ## reverse zone definition; fixed format: the network part of the address with host octets dropped, written in reverse octet order, followed by .in-addr.arpa
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
```
Resource records
Record types
In forward zone files:
- A: IPv4 forward resolution record
- AAAA: IPv6 forward resolution record
- NS: name server record
- MX: mail exchanger record
- CNAME: alias record
In reverse zone files:
- PTR: reverse resolution record
VI. Configuring a Single Master Server
Main configuration file
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.115.128; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Zone definition file
```
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "jx.com" IN {
        type master;
        file "jx.com.zone";
        allow-update { none; };
};

zone "115.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.115.zone";
        allow-update { none; };
};
```
Forward zone file
```
[root@localhost named]# cat jx.com.zone
$TTL 3H
@       IN SOA  jx.com. root.jx.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1.jx.com.
dns1    A       192.168.115.128
www     A       192.168.115.129
mail    A       192.168.115.130
ftp     A       192.168.115.131
ww      CNAME   www.jx.com.
mail    MX 10   mail.jx.com.
```
Reverse zone file
```
[root@localhost named]# cat 192.168.115.zone
$TTL 3H
@       IN SOA  jx.com. root.jx.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1.jx.com.
128     PTR     dns1.jx.com.
129     PTR     www.jx.com.
130     PTR     mail.jx.com.
131     PTR     ftp.jx.com.
```
Start the service
```
[root@localhost named]# systemctl start named
```
Resolution test
```
### point the resolver at the DNS server
[root@localhost named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.115.128
### install nslookup
[root@localhost named]# yum install -y bind-utils
### resolution test
[root@localhost named]# nslookup 192.168.115.128
##### or
[root@localhost named]# dig www.jx.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.15 <<>> www.jx.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10364
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.jx.com.                    IN      A

;; ANSWER SECTION:
www.jx.com.             10800   IN      A       192.168.115.129

;; AUTHORITY SECTION:
jx.com.                 10800   IN      NS      dns1.jx.com.

;; ADDITIONAL SECTION:
dns1.jx.com.            10800   IN      A       192.168.115.128

;; Query time: 0 msec
;; SERVER: 192.168.115.128#53(192.168.115.128)
;; WHEN: 二 1月 16 12:19:29 CST 2024
;; MSG SIZE  rcvd: 90
```
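As an added example (not code from the original post), the following Python script parses the jx.com forward and reverse zone files shown above, derives the in-addr.arpa zone name from the network the way section V describes, and checks that every A record has a matching PTR and vice versa, which is the consistency the two files are meant to have. The zone text is embedded from the page; the function names and the mismatch report format are mine.

```python
import ipaddress

# jx.com forward and reverse zone files from the section above, embedded so
# the script runs offline (the records are the page's; the spacing is mine).
FORWARD_ZONE = """\
$TTL 3H
@    IN SOA jx.com. root.jx.com. (
        0 ; serial
        1D 1H 1W ; refresh retry expire
        3H ) ; minimum
@    NS    dns1.jx.com.
dns1 A     192.168.115.128
www  A     192.168.115.129
mail A     192.168.115.130
ftp  A     192.168.115.131
mail MX 10 mail.jx.com.
"""
REVERSE_ZONE = """\
$TTL 3H
@   IN SOA jx.com. root.jx.com. ( 0 1D 1H 1W 3H )
@   NS  dns1.jx.com.
128 PTR dns1.jx.com.
129 PTR www.jx.com.
130 PTR mail.jx.com.
131 PTR ftp.jx.com.
"""
TYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "PTR"}

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Handles $TTL, ';' comments, '@' and
    relative owners, optional TTL/class fields and multi-line '( ... )' RDATA."""
    origin = origin.rstrip(".") + "."
    joined, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                   # drop comments
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                                # statement complete
            joined.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    records, last_owner = [], origin
    for line in joined:
        if line.startswith("$"):                      # $TTL / $ORIGIN directives
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else fields.pop(0)
        owner = origin if owner == "@" else owner
        if not owner.endswith("."):
            owner = f"{owner}.{origin}"
        last_owner = owner
        while fields and fields[0] not in TYPES:      # skip optional TTL / IN
            fields.pop(0)
        if not fields:
            raise ValueError(f"unrecognised record: {line.strip()}")
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records

def reverse_zone_name(cidr):
    """192.168.115.0/24 -> 115.168.192.in-addr.arpa: network octets reversed,
    host octets dropped. Only /8, /16 and /24 map onto a single zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError("prefix must be octet-aligned")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def check_forward_reverse(forward, reverse, origin, cidr):
    """List A records lacking a matching PTR and PTRs lacking a matching A."""
    net = ipaddress.ip_network(cidr)
    a_map = {rd: ow for ow, rt, rd in parse_zone(forward, origin) if rt == "A"}
    ptr_map = {}
    for ow, rt, rd in parse_zone(reverse, reverse_zone_name(cidr)):
        if rt == "PTR":   # 128.115.168.192.in-addr.arpa. -> 192.168.115.128
            ptr_map[".".join(reversed(ow.rstrip(".").split(".")[:-2]))] = rd
    problems = []
    for ip, name in a_map.items():
        if ipaddress.ip_address(ip) in net and ptr_map.get(ip) != name:
            problems.append(f"A {name} -> {ip} has no matching PTR")
    for ip, name in ptr_map.items():
        if a_map.get(ip) != name:
            problems.append(f"PTR {ip} -> {name} has no matching A record")
    return problems
```

Run `check_forward_reverse` on a pair of files before restarting named, alongside `named-checkzone`, to catch an A record whose PTR was never added.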
VII. Configuring a DNS Master/Slave Architecture
Master server configuration
Main configuration file
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.115.128; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Zone definition file
```
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "jx.com" IN {
        type master;
        file "jx.com.zone";
        allow-update { none; };
        allow-transfer { 192.168.115.132; };
};

zone "115.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.115.zone";
        allow-update { none; };
        allow-transfer { 192.168.115.132; };
};
```
Slave server configuration
Slave server main configuration file
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.115.132; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Zone definition file
```
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "jx.com" IN {
        type slave;
        file "slaves/jx.com.zone";
        masters { 192.168.115.128; };   ## master server address
};

zone "115.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.115.zone";
        masters { 192.168.115.128; };
};
```
Start the service
Start the service on both the master and the slave:
```
[root@localhost named]# systemctl start named
```
Resolution test
```
### configure the DNS server addresses on the client
[root@localhost named]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.115.128
nameserver 192.168.115.132
### install nslookup
[root@localhost named]# yum install -y bind-utils
### resolution test
[root@localhost named]# nslookup 192.168.115.128
##### or
[root@localhost named]# dig www.jx.com
```
Failure simulation
```
### stop the DNS service on the master, then resolve from the client and observe the result ###
[root@localhost named]# systemctl stop named
```
VIII. DNS Configuration Lab
Key steps explained
Preparation:
Network and IP configuration:
Give the server a static IP address: a DNS server needs a stable, reachable network identity so that IP changes do not disrupt resolution. Edit the NIC configuration file (for example `/etc/sysconfig/network-scripts/ifcfg-ens33`), set `BOOTPROTO=static`, specify `IPADDR`, `NETMASK`, `GATEWAY`, `DNS` and so on, then restart networking (for example `systemctl restart network`) for the change to take effect.
System environment and dependencies:
- Disable SELinux: temporarily with `setenforce 0`; to disable it permanently, edit `/etc/selinux/config`, change `SELINUX=enforcing` to `SELINUX=disabled`, and reboot for the change to take effect. This prevents SELinux from interfering with the installation and operation of the DNS service through permission denials.
- Configure software repositories (YUM etc.): make sure the system can download and install the DNS packages (typically the BIND package). Use the official repository or a domestic mirror (such as the Alibaba Cloud or Huawei Cloud YUM mirrors) so that packages are fetched reliably and completely.
- Disable the firewall (or open the port)
  - The server firewall (`firewalld` etc.) does not allow port 53 (DNS uses UDP/TCP 53), or SELinux restricts the `named` service, so client queries are refused.
  - Fix:
    - Stop the firewall entirely (firewalld example):
      ```
      systemctl stop firewalld        # stop now
      systemctl disable firewalld     # disable at boot
      ```
    - If the firewall must stay on, allow the DNS ports (UDP/TCP 53) instead:
      ```
      firewall-cmd --permanent --add-port=53/udp
      firewall-cmd --permanent --add-port=53/tcp
      firewall-cmd --reload
      ```
- Basic checks and preparation:
  - Check network connectivity: use `ping` (for example `ping www.baidu.com`) to confirm the server can reach the Internet, so that package installation and dependency downloads are not blocked later.
  - Plan domain names and resolution requirements: decide which names the DNS service must resolve (forward name-to-IP, reverse IP-to-name), and plan the zones and records (A records, PTR records, etc.) so the configuration that follows goes smoothly.
Lab planning
- Determine the resolution requirements
  - Decide whether you want forward resolution (name → IP, for example `www.test.com` → `192.168.1.100`), reverse resolution (IP → name, for example `192.168.1.100` → `www.test.com`), or master/slave DNS synchronization.
  - Plan the domain (for example `test.com`), the zones, and the resource records (A records, PTR records, etc.).
- Configuration file paths (Linux example)
  - Main configuration: `/etc/named.conf` (defines the listen address, the networks allowed to query, etc.)
  - Zone configuration: `/etc/named.rfc1912.zones` (add the forward / reverse zones)
  - Zone data files: under `/var/named/` (for example `test.com.zone` holds the A records and `1.168.192.in-addr.arpa.zone` holds the PTR records)
- Client preparation
  - Specify the DNS server
    - Linux: edit `/etc/resolv.conf` and add:
      ```
      nameserver 192.168.1.100   # DNS server IP; replace with the real address
      ```
    - Windows: NIC TCP/IPv4 settings → "Use the following DNS server addresses", enter the DNS server IP.
  - Install test tools
    - Linux: install `bind-utils` (includes `nslookup` and `dig`); Windows: use the built-in `nslookup`. Both are used to verify resolution results.
Configuration steps:
1. Install the DNS server software (bind)
- Check whether BIND is already installed: run `rpm -qa | grep "^bind"` in a terminal. If it is installed, the BIND packages are listed, such as `bind-9.x.x` and `bind-utils`; if there is no output, it needs to be installed.
- `yum install bind bind-utils -y`. BIND provides the basic name resolution service and supports forward / reverse resolution, master/slave synchronization and so on. If the installation went wrong, remove it with `sudo yum remove bind` and install it again. (Normally it does not need to be installed.)
2. Configure the main file `/etc/named.conf`:
- Back up the original configuration: run `cp /etc/named.conf /etc/named.conf.bak` so the original settings can be restored if the configuration goes wrong.
- Edit the main configuration: open the file in a text editor such as `vi` with `vi /etc/named.conf`.
3. Define the forward and reverse zones:
- Add the zones in `/etc/named.rfc1912.zones`: run `vi /etc/named.rfc1912.zones`.
- Add the forward zone (for example, the forward zone for `infosecurity.com`).
- Add the reverse zone (assuming the network is `192.168.0.0/24`; adjust to your environment).
Create the forward zone file:
- Create the forward zone file: run `vi /var/named/infosecurity.com.zone` (the file name must match the one defined in `/etc/named.rfc1912.zones`).
- Example content (adjust the IPs to your environment):
Create the reverse zone file:
- Create the reverse zone file: run `sudo vi /var/named/0.168.192.rev` (the file name must match the one defined in `/etc/named.rfc1912.zones`).
- Example content (adjust the IPs to your environment):
4. Set file permissions (optional):
- To set the group and permissions, run the following (file names as created in step 3):
```
chown root:named /var/named/infosecurity.com.zone
chown root:named /var/named/0.168.192.rev
chmod 640 /var/named/*.zone /var/named/*.rev
```
5. Start and verify the DNS service:
- Start the service: `service named start` or `service named restart`.
- Check the service status: run `service named status` and confirm the output contains `Active: active (running)`, which means the service started successfully.
6. Configure the client's DNS:
- Edit `/etc/resolv.conf`: run `echo "nameserver 192.168.0.106" > /etc/resolv.conf` (use your DNS server's actual IP); if that does not work, edit the file manually with `sudo vi /etc/resolv.conf` and add the DNS server address.
Lab
Configure the main file /etc/named.conf
```
[root@localhost named]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.236.131; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Define the forward and reverse zones in /etc/named.rfc1912.zones
```
[root@localhost named]# vim /etc/named.rfc1912.zones
zone "c2505.com" IN {
        type master;
        file "c2505.com.zones";
        allow-update { none; };
};

zone "236.168.192.in-addr.arpa" IN {
        type master;
        file "236.168.192.in-addr.arpa.zones";
        allow-update { none; };
};
```
Create the forward zone file in /var/named/ (when copying the template, use -p so the file's ownership and permissions are preserved):
```
[root@bogon named]# cp -p named.empty c2505.com.zones
```
Create the reverse zone file in /var/named/:
```
[root@bogon named]# vim 236.168.192.in-addr.arpa.zones
$TTL 3H
@       IN SOA  c2505.com. admin.c2505.com. (
                                        2025061701      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
@       NS      dns1.c2505.com.
131     PTR     dns1.c2505.com.
132     PTR     mail.c2505.com.
```
Test resolution:
```
# forward lookups
C:\Users\Administrator>nslookup dns1.c2505.com 192.168.236.131
服务器:  dns1.c2505.com
Address:  192.168.236.131

名称:    dns1.c2505.com
Address:  192.168.236.131

# or
[root@bogon ~]# dig dns1.c2505.com @192.168.236.131

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> dns1.c2505.com @192.168.236.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11281
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns1.c2505.com.                IN      A

;; ANSWER SECTION:
dns1.c2505.com.         10800   IN      A       192.168.236.131

;; AUTHORITY SECTION:
c2505.com.              10800   IN      NS      dns1.c2505.com.

;; Query time: 0 msec
;; SERVER: 192.168.236.131#53(192.168.236.131)
;; WHEN: 二 6月 17 23:01:13 CST 2025
;; MSG SIZE  rcvd: 73

[root@bogon named]# nslookup mail.c2505.com 192.168.236.131
Server:         192.168.236.131
Address:        192.168.236.131#53

Name:   mail.c2505.com
Address: 192.168.236.132

# or
[root@bogon ~]# dig mail.c2505.com @192.168.236.131

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> mail.c2505.com @192.168.236.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11924
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mail.c2505.com.                IN      A

;; ANSWER SECTION:
mail.c2505.com.         10800   IN      A       192.168.236.132

;; AUTHORITY SECTION:
c2505.com.              10800   IN      NS      dns1.c2505.com.

;; ADDITIONAL SECTION:
dns1.c2505.com.         10800   IN      A       192.168.236.131

;; Query time: 0 msec
;; SERVER: 192.168.236.131#53(192.168.236.131)
;; WHEN: 二 6月 17 23:04:24 CST 2025
;; MSG SIZE  rcvd: 94
```
The key lines of the dig output (these indicate success):
```
dns1.c2505.com.         10800   IN      A       192.168.236.131
mail.c2505.com.         10800   IN      A       192.168.236.132
```
```
# reverse lookups
[root@bogon named]# nslookup 192.168.236.131 192.168.236.131
131.236.168.192.in-addr.arpa    name = dns1.c2505.com.

# or
[root@bogon ~]# dig -x 192.168.236.131 @192.168.236.131

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> -x 192.168.236.131 @192.168.236.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17226
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;131.236.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
131.236.168.192.in-addr.arpa. 10800 IN  PTR     dns1.c2505.com.

;; AUTHORITY SECTION:
236.168.192.in-addr.arpa. 10800 IN      NS      dns1.c2505.com.

;; ADDITIONAL SECTION:
dns1.c2505.com.         10800   IN      A       192.168.236.131

;; Query time: 0 msec
;; SERVER: 192.168.236.131#53(192.168.236.131)
;; WHEN: 二 6月 17 23:06:25 CST 2025
;; MSG SIZE  rcvd: 115

[root@bogon named]# nslookup 192.168.236.132 192.168.236.131
132.236.168.192.in-addr.arpa    name = mail.c2505.com.

# or
[root@bogon ~]# dig -x 192.168.236.132 @192.168.236.131

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> -x 192.168.236.132 @192.168.236.131
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5797
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;132.236.168.192.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
132.236.168.192.in-addr.arpa. 10800 IN  PTR     mail.c2505.com.

;; AUTHORITY SECTION:
236.168.192.in-addr.arpa. 10800 IN      NS      dns1.c2505.com.

;; ADDITIONAL SECTION:
dns1.c2505.com.         10800   IN      A       192.168.236.131

;; Query time: 0 msec
;; SERVER: 192.168.236.131#53(192.168.236.131)
;; WHEN: 二 6月 17 23:07:16 CST 2025
;; MSG SIZE  rcvd: 120
```
Master/slave DNS configuration
On the master, change the zone configuration file (for example `/etc/named.rfc1912.zones`): in the forward and reverse zone definitions, add the configuration that allows the slave to fetch the zone data (this sets up the master/slave zones).
Environment preparation
- Server plan:
  - Master DNS server: IP `192.168.236.131`, hostname `dns1.c2505.com`
  - Slave DNS server: IP `192.168.236.132`, hostname `dns2.c2505.com`
  - Client: any host in the `192.168.236.0/24` network
- Disable the firewall and SELinux:
  ```
  # temporary
  systemctl stop firewalld
  setenforce 0
  # permanent (optional)
  systemctl disable firewalld
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  ```
Master DNS server configuration (192.168.236.131)
1. Edit the main configuration file /etc/named.conf
```
[root@bogon named]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.236.131; };   # listen on the master's IP
        directory "/var/named";
        allow-query { any; };                     # allow queries from all clients
        allow-transfer { 192.168.236.132; };      # allow the slave to transfer zones
        recursion yes;
};

# root zone
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
2. Configure the zone file /etc/named.rfc1912.zones
```
[root@bogon named]# vim /etc/named.rfc1912.zones
# forward zone
zone "c2505.com" IN {
        type master;
        file "c2505.com.zones";
        allow-transfer { 192.168.236.132; };      # only the slave may transfer the zone
};

# reverse zone
zone "236.168.192.in-addr.arpa" IN {
        type master;
        file "236.168.192.in-addr.arpa.zones";
        allow-transfer { 192.168.236.132; };
};
```
3. Create the forward zone data file /var/named/c2505.com.zones
```
[root@bogon named]# vim /var/named/c2505.com.zones
$TTL 3H
@       IN SOA  dns1.c2505.com. admin.c2505.com. (
                                        2025061801      ; serial (increment after every change)
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
@       NS      dns1.c2505.com.
@       NS      dns2.c2505.com.         ; slave server
dns1    A       192.168.236.131
dns2    A       192.168.236.132
mail    A       192.168.236.134
mail    MX 10   mail.c2505.com.
```
4. Create the reverse zone data file /var/named/236.168.192.in-addr.arpa.zones
```
[root@bogon named]# vim /var/named/236.168.192.in-addr.arpa.zones
$TTL 3H
@       IN SOA  dns1.c2505.com. admin.c2505.com. (
                                        2025061801      ; serial
                                        1D              ; refresh
                                        1H              ; retry
                                        1W              ; expire
                                        3H )            ; minimum
@       NS      dns1.c2505.com.
@       NS      dns2.c2505.com.
131     PTR     dns1.c2505.com.
132     PTR     dns2.c2505.com.
133     PTR     mail.c2505.com.
```
5. Set file permissions
```
chown named:named /var/named/c2505.com.zones
chown named:named /var/named/236.168.192.in-addr.arpa.zones
chmod 640 /var/named/*.zones
```
6. Restart the service
```
systemctl restart named
systemctl enable named      # start automatically at boot
```
Slave DNS server configuration (192.168.236.132)
1. Edit the main configuration file /etc/named.conf
```
[root@bogon named]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.236.132; };   # listen on the slave's IP
        directory "/var/named";
        allow-query { any; };
        recursion yes;
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
2. Configure the zone file /etc/named.rfc1912.zones
```
[root@bogon named]# vim /etc/named.rfc1912.zones
# forward zone (synchronized from the master)
zone "c2505.com" IN {
        type slave;
        file "slaves/c2505.com.zones";            # transferred data is written to the slaves directory
        masters { 192.168.236.131; };             # master server IP
};

# reverse zone (synchronized from the master)
zone "236.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/236.168.192.in-addr.arpa.zones";
        masters { 192.168.236.131; };
};
```
3. Create the synchronization directory and set its permissions
```
mkdir -p /var/named/slaves
chown named:named /var/named/slaves     # only needed if the directory is not already owned by named
```
4. Check the configuration and restart the service
```
systemctl restart named
systemctl enable named
```
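As an added example that is not part of the original post, this Python script parses the zone statements from the configurations in section VII and in this lab, then flags master zones whose `allow-transfer`is missing or set to `any` (the default in BIND 9.11 is `any`, so any host could then pull the whole zone with AXFR) and slave zones with no `masters` list. The `default_transfer` argument stands in for an options-level `allow-transfer` like the one in the master's named.conf above; the config text is copied from the page and the function names are mine.

```python
import re

# Zone statements copied from this page: the section VI single master (no
# transfer ACL), the section VII master with allow-transfer, and its slave.
SINGLE_MASTER = """
zone "jx.com" IN {
    type master;
    file "jx.com.zone";
    allow-update { none; };
};
zone "115.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.115.zone";
    allow-update { none; };
};
"""
MASTER_WITH_ACL = """
zone "jx.com" IN {
    type master;
    file "jx.com.zone";
    allow-update { none; };
    allow-transfer { 192.168.115.132; };
};
"""
SLAVE = """
zone "jx.com" IN {
    type slave;
    file "slaves/jx.com.zone";
    masters { 192.168.115.128; };  ## master server address
};
"""

def strip_comments(text):
    """Remove the three named.conf comment styles: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_zones(text):
    """Yield (zone name, {clause: value}) for every zone statement.

    Braces are matched by depth, so nested ACL blocks such as
    'allow-transfer { 192.168.115.132; };' stay inside their zone. A block
    clause becomes a list of its entries, a plain clause an unquoted string.
    """
    text = strip_comments(text)
    for m in re.finditer(r'zone\s+"([^"]+)"\s*(?:IN\s*)?\{', text):
        depth, i = 1, m.end()
        while depth:                          # find the zone's closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        clauses = {}
        for key, block, value in re.findall(
                r"(\S+)\s*(?:\{([^}]*)\}|([^;{]*))\s*;", text[m.end():i - 1]):
            if block:
                clauses[key] = [v.strip() for v in block.split(";") if v.strip()]
            else:
                clauses[key] = value.strip().strip('"')
        yield m.group(1), clauses

def audit(text, default_transfer=None):
    """Flag master zones whose transfer ACL is missing or open and slave zones
    with no masters list; default_transfer is an options-level ACL, if set."""
    findings = []
    for name, c in parse_zones(text):
        if c.get("type") == "master":
            acl = c.get("allow-transfer", default_transfer)
            if acl is None:                   # BIND 9.11 default is any: every host may AXFR
                findings.append(f"{name}: no allow-transfer, zone transfers are unrestricted")
            elif "any" in acl:
                findings.append(f"{name}: allow-transfer is open to any")
        elif c.get("type") == "slave" and not c.get("masters"):
            findings.append(f"{name}: slave zone has no masters list")
    return findings
```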
Verification:
Verify master/slave synchronization
1. Check the files synchronized to the slave:
```
[root@bogon ~]# ls -l /var/named/slaves/
总用量 8
-rw-r--r-- 1 named named 406 6月  18 10:33 236.168.192.in-addr.arpa.zones
-rw-r--r-- 1 named named 409 6月  18 10:35 c2505.com.zones
```
2. Compare the zone file contents on the master and the slave
```
# on the master: cat /var/named/c2505.com.zones
[root@localhost named]# cat /var/named/c2505.com.zones
$TTL 3H
@       IN SOA  c2505.com. admin.c2505.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1.c2505.com.
@       NS      dns2.c2505.com.
dns1    A       192.168.236.131
dns01   CNAME   dns1.c2505.com.
dns2    A       192.168.236.132
mail    A       192.168.236.133
mail    MX 10   mail.c2505.com.

# on the slave: cat /var/named/slaves/c2505.com.zones
[root@bogon ~]# cat /var/named/slaves/c2505.com.zones
(unreadable binary output)
```
The slave's copy is not readable with cat because BIND 9.9 and later store transferred zones in raw binary format by default; to read it, either set `masterfile-format text;` in the slave's zone statement before the next transfer, or convert the file with `named-compilezone -f raw -F text -o - c2505.com /var/named/slaves/c2505.com.zones`.
Verify the synchronization mechanism
- Modify the master's zone file (raising the serial so the slave sees the change):
```
$TTL 3H
@       IN SOA  c2505.com. admin.c2505.com. (
                                        10      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      dns1.c2505.com.
@       NS      dns2.c2505.com.
dns1    A       192.168.236.131
dns2    A       192.168.236.132
mail    A       192.168.236.133
mail    MX 10   mail.c2505.com.
www     A       192.168.236.134
```
Query the slave:
```
[root@bogon slaves]# dig www.c2505.com @192.168.236.132

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> www.c2505.com @192.168.236.132
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17374
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.c2505.com.                 IN      A

;; ANSWER SECTION:
www.c2505.com.          10800   IN      A       192.168.236.134

;; AUTHORITY SECTION:
c2505.com.              10800   IN      NS      dns1.c2505.com.
c2505.com.              10800   IN      NS      dns2.c2505.com.

;; ADDITIONAL SECTION:
dns1.c2505.com.         10800   IN      A       192.168.236.131
dns2.c2505.com.         10800   IN      A       192.168.236.132

;; Query time: 0 msec
;; SERVER: 192.168.236.132#53(192.168.236.132)
;; WHEN: 三 6月 18 11:44:50 CST 2025
;; MSG SIZE  rcvd: 128
```