[DNS] Domain Name Service: Implementation with Bind

Category: Linux technology


I. Domain name resolution process


 Complete DNS domain name resolution process

1. Look up the resolution record in the local hosts file

2. Look up the client's local DNS cache

3. Query the local cache of the DNS forwarding (caching) server

4. Forward to the authoritative server and query its local cache

5. Query the authoritative server's resolution records

6. Iterative query by the authoritative server

  6.1. Query the local cache of the subdomain's authoritative server

  6.2. Query the subdomain's resolution records

7. Query the root servers' resolution records

8. Query the top-level domain servers' resolution records

.......

II. DNS resolution record types

 1. DNS server types

Primary DNS server

The server that manages and maintains the zone database for the domains it is responsible for

Secondary DNS server

Copies the zone database (via zone transfer) from the primary server or from another secondary server

Caching DNS server (forwarder)

Forwards client requests to a designated DNS server and stores that server's answers in its local DNS cache. A caching DNS server holds no zone data of its own and does not resolve names by itself.

 2. Types of resolution answers

  • Positive answer: a matching result exists for the query
  • Negative answer: no result can be returned, for example because the requested entry does not exist
  • Authoritative answer: returned directly by the DNS server that holds the queried data (the authoritative server)
  • Non-authoritative answer: returned by some other, non-authoritative server

 3. Resource Records (RR)

Zone database

  Made up of many resource records (RR, Resource Record)

Record types: SOA, A, AAAA, NS, CNAME, MX, TXT, PTR

  • SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone file
  • A: IPv4 forward resolution record
  • AAAA: IPv6 forward resolution record
  • NS: names the DNS servers of the current zone
  • CNAME: alias record
  • MX: mail exchanger
  • TXT: a way to attach descriptive text to a name; commonly used for verification records such as SPF (anti-spam) and HTTPS validation, 登
  • PTR: reverse resolution record, mapping an IP address back to a name

3.1. Resource record definition format

name    [TTL]    IN      rr_type      value

The @ symbol refers to the name of the current zone

TTL can be inherited from the global $TTL

The IN class can be omitted and inherited from the previous record

The same name can be given several values through several records; the DNS server then answers with them in round-robin order

The same value can also be defined under several different names, with each name pointing to the one value; this means the same host can be reached through several different names

 

3.2. SOA record

name: the name of the current zone

value: made up of several parts

  the FQDN of the current primary DNS server (the zone name itself may also be used)

  the administrator's mailbox for the zone; because the @ character cannot be used, it is replaced by a dot, for example root.janzen.com (root@janzen.com)

  the primary/secondary zone-transfer timers, and the uniform TTL for negative answers

Both names end with a dot; without it BIND would append the zone name to them.

@       IN      SOA     dns1.janzen.com. root.janzen.com. (
                        1           ; serial
                        604800      ; refresh
                        86400       ; retry
                        2419200     ; expire
                        604800 )    ; negative-answer TTL

 

3.3. A record

name: the host's FQDN; a trailing dot marks the name as complete, a name without a trailing dot is relative to the zone

value: the corresponding IPv4 address

dns1                    A       10.0.0.20
dns2                    A       10.0.0.21
gitlab.janzen.com.      A       10.0.0.13
harbor                  A       10.0.0.9
harbor                  A       10.0.0.10

 

3.4. AAAA record

name: the host's FQDN; a trailing dot marks the name as complete, a name without a trailing dot is relative to the zone

value: the corresponding IPv6 address

 

3.5. NS record

name: the name of the current zone

value: the name of one DNS server of the current zone

  When two adjacent resource records share the same name, the later one may omit it

  For NS records, every name that follows NS should have a corresponding A record later in the zone

  A zone can have several NS records

@       IN      NS      dns1
                NS      dns2

 

3.6. CNAME record

name: the alias FQDN

value: the real FQDN

dns     IN      CNAME   dns1

 

3.7. MX record

name: the name of the current zone

value: the name of a mail server (SMTP server) of the current zone

  A zone may have several MX records, but each record's value must be preceded by a number (0-99) giving that server's priority

  For MX records, every name that follows MX should have a corresponding A record later in the zone

@       IN      MX  12  mail1
        IN      MX  10  mail2
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32

 

3.8. TXT record

name: the label the text is attached to

value: the text content

_dnstxt        TXT     this is @ name server

 

 

3.9. PTR record

name: IP address

value: FQDN

  The IP in the name has a fixed form: the octets are written in reverse order, followed by the special suffix in-addr.arpa.

  The full form is: 20.0.0.10.in-addr.arpa.

  The network part and the suffix can be omitted, but the host part must still be written in reverse

20.0.0.10.in-addr.arpa.    IN    PTR    dns.janzen.com.
; because 10.0.0 is the network address, it can be omitted
9                          IN    PTR    harbor.janzen.com.
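The record conventions of sections 3.1 to 3.9 (the @ shortcut, $TTL and class inheritance, owner-name inheritance, the parenthesised multi-line SOA, relative versus absolute names, multi-valued names) are easiest to see by parsing a zone file and then applying the rules the text states. The following is an added example, not code from the article or from BIND; it is a deliberately small parser for the record types listed above (no $ORIGIN, no quoted ';' inside TXT), the sample zone is constructed from the article's janzen.com data with one extra NS record (dns3) that has no A record, so that the lint has something to report.

```python
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype rdata")
_TYPES = {"SOA", "A", "AAAA", "NS", "CNAME", "MX", "TXT", "PTR"}
_CLASSES = {"IN", "CH", "HS"}


def _absolute(name, origin):
    """'@' means the origin; a name without a trailing dot is relative to it."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text):
    """Drop ';' comments and join '(' ... ')' continuations (the multi-line SOA).
    Yields (owner_omitted, tokens); owner_omitted is True when the record starts
    with whitespace, i.e. it inherits the previous record's owner name."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]           # a quoted ';' inside TXT is not handled here
        if not buf and not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            if tokens:
                yield buf[0][:1].isspace(), tokens
            buf = []


def _parse_rdata(rtype, tok, origin):
    if rtype == "SOA":
        mname, rname, *nums = tok
        serial, refresh, retry, expire, minimum = (int(n) for n in nums)
        return {"mname": _absolute(mname, origin), "rname": _absolute(rname, origin),
                "serial": serial, "refresh": refresh, "retry": retry,
                "expire": expire, "minimum": minimum}
    if rtype in ("NS", "CNAME", "PTR"):
        return _absolute(tok[0], origin)          # targets are names, so they expand too
    if rtype == "MX":
        return int(tok[0]), _absolute(tok[1], origin)   # (preference, exchanger)
    if rtype == "TXT":
        return " ".join(tok)
    return tok[0]                                 # A / AAAA: the address literal


def parse_zone(text, origin):
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, None, []
    for owner_omitted, tok in _logical_lines(text):
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        name = last_owner if owner_omitted else _absolute(tok.pop(0), origin)
        if name is None:
            raise ValueError("first record has no owner name")
        last_owner = name
        ttl, rclass = default_ttl, "IN"           # both optional, in either order
        while tok and (tok[0].isdigit() or tok[0].upper() in _CLASSES):
            if tok[0].isdigit():
                ttl = int(tok.pop(0))
            else:
                rclass = tok.pop(0).upper()
        rtype = tok.pop(0).upper()
        if rtype not in _TYPES:
            raise ValueError(f"unsupported record type {rtype} for {name}")
        records.append(RR(name, ttl, rclass, rtype, _parse_rdata(rtype, tok, origin)))
    return records


def lookup(records, name, rtype, origin):
    """Every value for (name, type) in zone order: a multi-valued name is what BIND answers round-robin."""
    origin = origin if origin.endswith(".") else origin + "."
    name = _absolute(name, origin)
    return [r.rdata for r in records if r.name == name and r.rtype == rtype]


def mail_exchangers(records, origin):
    """MX targets in delivery order: the lowest preference value is tried first."""
    return [target for _, target in sorted(lookup(records, "@", "MX", origin))]


def lint_zone(records, origin):
    """The article's rules: exactly one SOA and it comes first; in-zone NS and MX
    targets need an address record; MX preferences stay within the stated 0-99."""
    origin = origin if origin.endswith(".") else origin + "."
    problems = []
    if not records or records[0].rtype != "SOA" or sum(r.rtype == "SOA" for r in records) != 1:
        problems.append("zone must have exactly one SOA record, and it must come first")
    addressed = {r.name for r in records if r.rtype in ("A", "AAAA")}
    for r in records:
        target = r.rdata if r.rtype == "NS" else r.rdata[1] if r.rtype == "MX" else None
        in_zone = target is not None and (target == origin or target.endswith("." + origin))
        if in_zone and target not in addressed:
            problems.append(f"{r.rtype} target {target} has no A/AAAA record")
        if r.rtype == "MX" and not 0 <= r.rdata[0] <= 99:
            problems.append(f"MX preference {r.rdata[0]} for {target} is outside 0-99")
    return problems


# Constructed sample: the article's janzen.com zone plus an NS 'dns3' that has no A record.
SAMPLE_ZONE = """\
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      NS      dns3            ; constructed: no A record, the lint should flag it
        IN      MX  12  mail1
        IN      MX  10  mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2            A       10.0.0.21       ; class omitted, inherited as IN
gitlab.janzen.com.  IN  A   10.0.0.13   ; absolute owner name
harbor  3600    IN      A       10.0.0.9    ; explicit TTL overrides $TTL
harbor  IN      A       10.0.0.10
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
"""
```

Running `lint_zone(parse_zone(SAMPLE_ZONE, "janzen.com"), "janzen.com")` reports only the dns3 problem; `mail_exchangers` returns mail2 before mail1, which is the order the dig MX output later in the article shows (preference 10 beats 12).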

 

III. DNS tools

dig

Used to test DNS resolution results

Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
Where:  domain      is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    +[no]trace (Trace delegation down from root [+dnssec])
                 +[no]recurse (Recursive mode (+[no]rdflag))

# fetch every record of the target zone by zone transfer (answered only for hosts the server's allow-transfer permits)
dig -t AXFR janzen.com @10.0.0.21

# trace the resolution path of a name
dig +trace app3.janzen.com @10.0.0.21

# query the PTR record
dig -x 10.0.0.21

# show only the query result
dig +short app3.janzen.com @10.0.0.71
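The header flags and the ANSWER/AUTHORITY/ADDITIONAL sections that dig prints in the outputs later in this article are a rendering of the DNS wire format (RFC 1035). The following added example, which is not part of the article and uses no network, builds the query dig would send and decodes a response at the byte level, including name-compression pointers. The response bytes are constructed by hand to mirror the article's `dig dns.janzen.com` answer (CNAME plus A, two NS, one glue A; the EDNS OPT record is left out). The pointer decoder refuses forward pointers and long chains, which is the check a parser needs so that a crafted message cannot send it into an endless loop.

```python
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}


def encode_name(name):
    """Wire form of a domain name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """What dig sends: a 12-byte header with RD set, plus one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def decode_name(msg, off):
    """Read the name at msg[off], following compression pointers (two bytes, top bits 11).
    Returns (name, offset just past the name at its original position). Pointers must
    point backwards and chains are capped, so a pointer loop raises instead of hanging."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops >= 16:
                raise ValueError("bad compression pointer")
            if end is None:
                end = off + 2
            off, hops = ptr, hops + 1
            continue
        if length > 63:
            raise ValueError("label too long")
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def _rdata(msg, rtype, off, rdlen):
    if rtype == 1 and rdlen == 4:
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                       # NS, CNAME, PTR: a (possibly compressed) name
        return decode_name(msg, off)[0]
    if rtype == 15:                               # MX: preference, then a name
        return struct.unpack("!H", msg[off:off + 2])[0], decode_name(msg, off + 2)[0]
    return bytes(msg[off:off + rdlen])


def parse_response(msg):
    """Decode header, flags and the four sections the way dig lays them out."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "rcode": flags & 0xF,
           "flags": [n for n, bit in (("qr", 15), ("aa", 10), ("tc", 9), ("rd", 8), ("ra", 7))
                     if flags >> bit & 1],
           "question": [], "answer": [], "authority": [], "additional": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        out["question"].append((name, TYPE_NAMES.get(qtype, qtype)))
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            out[section].append((name, ttl, TYPE_NAMES.get(rtype, rtype), _rdata(msg, rtype, off, rdlen)))
            off += rdlen
    return out


def safe_parse(msg):
    """Parse, returning None instead of raising on a malformed or hostile message."""
    try:
        return parse_response(msg)
    except (ValueError, struct.error, UnicodeDecodeError):
        return None


TTL = 604800
# Constructed response (not captured traffic). Offsets used by the pointers: question name at 12,
# the 'janzen.com.' suffix at 16, 'dns1.janzen.com.' at 44, 'dns2.janzen.com.' at 79.
RESPONSE = (
    struct.pack("!HHHHHH", 51429, 0x8580, 1, 2, 2, 1)                            # flags: qr aa rd ra
    + encode_name("dns.janzen.com.") + struct.pack("!HH", 1, 1)                  # question: A IN
    + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, TTL, 7) + b"\x04dns1\xc0\x10"    # CNAME -> dns1.janzen.com.
    + b"\xc0\x2c" + struct.pack("!HHIH", 1, 1, TTL, 4) + bytes([10, 0, 0, 20])  # dns1 A 10.0.0.20
    + b"\xc0\x10" + struct.pack("!HHIH", 2, 1, TTL, 7) + b"\x04dns2\xc0\x10"    # janzen.com. NS dns2
    + b"\xc0\x10" + struct.pack("!HHIH", 2, 1, TTL, 2) + b"\xc0\x2c"            # janzen.com. NS dns1
    + b"\xc0\x4f" + struct.pack("!HHIH", 1, 1, TTL, 4) + bytes([10, 0, 0, 21])  # dns2 A 10.0.0.21 (glue)
)
# Constructed hostile message: the question name is a pointer to itself.
LOOP = struct.pack("!HHHHHH", 1, 0, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
```

`parse_response(RESPONSE)` yields the same flags (qr aa rd ra) and the same three sections the article's first dig output shows, while `safe_parse(LOOP)` returns None rather than spinning.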

nslookup

nslookup [-option] [name | -] [server]

 

rndc, the DNS management tool

Usage: rndc [-b address] [-c config] [-s server] [-p port]
    [-k key-file ] [-y key] [-r] [-V] command

command is one of the following:

  addzone zone [class [view]] { zone-options }
        Add zone to given view. Requires allow-new-zones option.
  delzone [-clean] zone [class [view]]
        Removes zone from given view.
  dnstap -reopen
        Close, truncate and re-open the DNSTAP output file.
  dnstap -roll count
        Close, rename and re-open the DNSTAP output file(s).
  dumpdb [-all|-cache|-zones|-adb|-bad|-fail] [view ...]
        Dump cache(s) to the dump file (named_dump.db).
  flush     Flushes all of the server's caches.
  flush [view]    Flushes the server's cache for a view.
  flushname name [view]
        Flush the given name from the server's cache(s)
  flushtree name [view]
        Flush all names under the given name from the server's cache(s)
  freeze    Suspend updates to all dynamic zones.
  freeze zone [class [view]]
        Suspend updates to a dynamic zone.
  halt        Stop the server without saving pending updates.
  halt -p    Stop the server without saving pending updates reporting
        process id.
  loadkeys zone [class [view]]
        Update keys without signing immediately.
  managed-keys refresh [class [view]]
        Check trust anchor for RFC 5011 key changes
  managed-keys status [class [view]]
        Display RFC 5011 managed keys information
  managed-keys sync [class [view]]
        Write RFC 5011 managed keys to disk
  modzone zone [class [view]] { zone-options }
        Modify a zone's configuration.
        Requires allow-new-zones option.
  notify zone [class [view]]
        Resend NOTIFY messages for the zone.
  notrace    Set debugging level to 0.
  nta -dump
        List all negative trust anchors.
  nta [-lifetime duration] [-force] domain [view]
        Set a negative trust anchor, disabling DNSSEC validation
        for the given domain.
        Using -lifetime specifies the duration of the NTA, up
        to one week.
        Using -force prevents the NTA from expiring before its
        full lifetime, even if the domain can validate sooner.
  nta -remove domain [view]
        Remove a negative trust anchor, re-enabling validation
        for the given domain.
  querylog [ on | off ]
        Enable / disable query logging.
  reconfig    Reload configuration file and new zones only.
  recursing    Dump the queries that are currently recursing (named.recursing)
  refresh zone [class [view]]
        Schedule immediate maintenance for a zone.
  reload    Reload configuration file and zones.
  reload zone [class [view]]
        Reload a single zone.
  retransfer zone [class [view]]
        Retransfer a single zone without checking serial number.
  scan        Scan available network interfaces for changes.
  secroots [view ...]
        Write security roots to the secroots file.
  showzone zone [class [view]]
        Print a zone's configuration.
  sign zone [class [view]]
        Update zone keys, and sign as needed.
  signing -clear all zone [class [view]]
        Remove the private records for all keys that have
        finished signing the given zone.
  signing -clear <keyid>/<algorithm> zone [class [view]]
        Remove the private record that indicating the given key
        has finished signing the given zone.
  signing -list zone [class [view]]
        List the private records showing the state of DNSSEC
        signing in the given zone.
  signing -nsec3param hash flags iterations salt zone [class [view]]
        Add NSEC3 chain to zone if already signed.
        Prime zone with NSEC3 chain if not yet signed.
  signing -nsec3param none zone [class [view]]
        Remove NSEC3 chains from zone.
  signing -serial <value> zone [class [view]]
        Set the zones's serial to <value>.
  stats        Write server statistics to the statistics file.
  status    Display status of the server.
  stop        Save pending updates to master files and stop the server.
  stop -p    Save pending updates to master files and stop the server
        reporting process id.
  sync [-clean]    Dump changes to all dynamic zones to disk, and optionally
        remove their journal files.
  sync [-clean] zone [class [view]]
        Dump a single zone's changes to disk, and optionally
        remove its journal file.
  thaw        Enable updates to all dynamic zones and reload them.
  thaw zone [class [view]]
        Enable updates to a frozen dynamic zone and reload it.
  trace        Increment debugging level by one.
  trace level    Change the debugging level.
  tsig-delete keyname [view]
        Delete a TKEY-negotiated TSIG key.
  tsig-list    List all currently active TSIG keys, including both statically
        configured and TKEY-negotiated keys.
  validation [ yes | no | status ] [view]
        Enable / disable DNSSEC validation.
  zonestatus zone [class [view]]
        Display the current status of a zone.

Version: 9.11.3-1ubuntu1.18-Ubuntu

  

IV. DNS installation and deployment

1. CentOS 7: configuring a primary server for forward resolution

1.1. Install the bind service and the DNS tools package bind-utils with yum

yum install -y bind bind-utils

  

1.2. Edit the named.conf configuration file: lift the listen-on and allow-query restrictions and include the zone configuration file

With listen-on and allow-query commented out and recursion left on, named answers recursive queries from every client that can reach it; on any server that is not purely internal, restrict allow-query to your own networks (the comment block Red Hat ships in this file, reproduced in section VI, says the same).

[root@node-centos7-70 ~]# vim /etc/named.conf

options {
    # listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    # allow-query     { localhost; };

    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";

  

1.3. Create the named.zones zone configuration file

[root@node-centos7-70 ~]# vim /etc/named.zones

zone "janzen.com" IN {
    type master;
    file "named.janzen.com";
    allow-update { none; };
};

  

1.4. Create the named.janzen.com zone database file

[root@node-centos7-70 etc]# vim /var/named/named.janzen.com

;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX  12  mail1
        IN      MX  10  mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server

  

1.5. Set the file permissions

[root@node-centos7-70 etc]# chmod 640 {/etc/named.zones,/var/named/named.janzen.com}
[root@node-centos7-70 etc]# chgrp named {/etc/named.zones,/var/named/named.janzen.com}

  

 1.6. Enable the named service at boot and start it

[root@node-centos7-70 etc]# systemctl enable --now named

  

1.7. Test the DNS service with dig

[root@node-centos7-70 etc]# dig dns.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.janzen.com.            IN    A

;; ANSWER SECTION:
dns.janzen.com.        604800    IN    CNAME    dns1.janzen.com.
dns1.janzen.com.       604800    IN    A        10.0.0.20

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:16:54 CST 2023
;; MSG SIZE  rcvd: 127

[root@node-centos7-70 etc]# dig janzen.com @10.0.0.70 mx

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> janzen.com @10.0.0.70 mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2566
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;janzen.com.            IN    MX

;; ANSWER SECTION:
janzen.com.            604800    IN    MX    10 mail2.janzen.com.
janzen.com.            604800    IN    MX    12 mail1.janzen.com.

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.

;; ADDITIONAL SECTION:
mail1.janzen.com.      604800    IN    A     10.0.0.31
mail2.janzen.com.      604800    IN    A     10.0.0.32
dns1.janzen.com.       604800    IN    A     10.0.0.20
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:18:09 CST 2023
;; MSG SIZE  rcvd: 185

[root@node-centos7-70 etc]# dig harbor.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> harbor.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33334
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;harbor.janzen.com.        IN    A

;; ANSWER SECTION:
harbor.janzen.com.     604800    IN    A     10.0.0.10
harbor.janzen.com.     604800    IN    A     10.0.0.9

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns1.janzen.com.
janzen.com.            604800    IN    NS    dns2.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.       604800    IN    A     10.0.0.20
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:20:07 CST 2023
;; MSG SIZE  rcvd: 148

  

1.8. Modify the zone database file, then reload the configuration with rndc

The SOA serial is raised from 1 to 2 along with the change; secondaries only transfer a zone when the primary's serial is higher than their own copy.

[root@node-centos7-70 etc]# vim /var/named/named.janzen.com

$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX    12    mail1
        IN      MX    10    mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.70
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server

[root@node-centos7-70 etc]# rndc reload
server reload successful

 

[root@node-centos7-70 etc]# dig dns.janzen.com @10.0.0.70

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dns.janzen.com @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5247
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns.janzen.com.            IN    A

;; ANSWER SECTION:
dns.janzen.com.        604800    IN    CNAME    dns1.janzen.com.
dns1.janzen.com.       604800    IN    A        10.0.0.70

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: 四 5月 25 18:27:45 CST 2023
;; MSG SIZE  rcvd: 127

 

2. Ubuntu: installing the bind service with apt

 2.1. Install the bind9 service and the DNS tools package bind9utils with apt

[root@Node-Ubuntu1804-20:~]# apt install -y bind9 bind9utils

  

2.2. Edit the named.conf configuration file to include the zone configuration file

[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";

 

2.3. Create the named.zones zone configuration file

[root@Node-Ubuntu1804-20:~]# vim /etc/bind/named.zones

zone janzen.com IN {
    type master;
    file "/etc/bind/db.janzen.com";
};

 

2.4. Create the db.janzen.com zone database file

[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.janzen.com

$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      MX      12      mail1
        IN      MX      10      mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server

 

2.5. Set the file permissions

[root@Node-Ubuntu1804-20:~]# chmod 640 /etc/bind/{named.zones,db.janzen.com}
[root@Node-Ubuntu1804-20:~]# chgrp bind /etc/bind/{named.zones,db.janzen.com}

 

2.6. Start the bind9 service

[root@Node-Ubuntu1804-20:~]# systemctl start bind9

 

2.7. Test the DNS service with dig

[root@Ansible-Ubuntu1804-25:~]# dig dns.janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> dns.janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32150
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 95d843b6344528dfc99349d4646f3bbb5812908fa82e3d3f (good)
;; QUESTION SECTION:
;dns.janzen.com.            IN    A

;; ANSWER SECTION:
dns.janzen.com.        604800    IN    CNAME    dns1.janzen.com.
dns1.janzen.com.       604800    IN    A        10.0.0.20

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns1.janzen.com.
janzen.com.            604800    IN    NS    dns2.janzen.com.

;; ADDITIONAL SECTION:
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:43:07 CST 2023
;; MSG SIZE  rcvd: 155

[root@Ansible-Ubuntu1804-25:~]# dig janzen.com @10.0.0.20 mx

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> janzen.com @10.0.0.20 mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11520
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2bd0379cc8f4ca918c8ed28e646f3c5c2d56e5c3704f4752 (good)
;; QUESTION SECTION:
;janzen.com.            IN    MX

;; ANSWER SECTION:
janzen.com.            604800    IN    MX    10 mail2.janzen.com.
janzen.com.            604800    IN    MX    12 mail1.janzen.com.

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.

;; ADDITIONAL SECTION:
mail2.janzen.com.      604800    IN    A     10.0.0.32
mail1.janzen.com.      604800    IN    A     10.0.0.31
dns1.janzen.com.       604800    IN    A     10.0.0.20
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 1 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:45:48 CST 2023
;; MSG SIZE  rcvd: 213

[root@Ansible-Ubuntu1804-25:~]# dig harbor.janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> harbor.janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45201
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 97efe511ca506c99495a4d4d646f3c70aac936a36fab58f2 (good)
;; QUESTION SECTION:
;harbor.janzen.com.        IN    A

;; ANSWER SECTION:
harbor.janzen.com.     604800    IN    A     10.0.0.9
harbor.janzen.com.     604800    IN    A     10.0.0.10

;; AUTHORITY SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.       604800    IN    A     10.0.0.20
dns2.janzen.com.       604800    IN    A     10.0.0.21

;; Query time: 1 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:46:08 CST 2023
;; MSG SIZE  rcvd: 176

  

2.8. Modify the zone database file, then reload the zone with rndc

[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.janzen.com

$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      dns1
        IN      NS      dns2
        IN      NS      dns3
        IN      MX      12      mail1
        IN      MX      10      mail2
dns     IN      CNAME   dns1
dns1    IN      A       10.0.0.20
dns2    IN      A       10.0.0.21
dns3    IN      A       10.0.0.70
gitlab  IN      A       10.0.0.13
harbor  IN      A       10.0.0.9
harbor  IN      A       10.0.0.10
www     IN      A       10.0.0.11
mail1   IN      A       10.0.0.31
mail2   IN      A       10.0.0.32
_dnstext IN     TXT     this is @ name server

[root@Node-Ubuntu1804-20:~]# rndc reload janzen.com
zone reload queued

 

[root@Ansible-Ubuntu1804-25:~]# dig ns janzen.com @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> ns janzen.com @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1374
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f4619011881ac8168f1e6981646f3ce9f82e1484c3c43f22 (good)
;; QUESTION SECTION:
;janzen.com.            IN    NS

;; ANSWER SECTION:
janzen.com.            604800    IN    NS    dns2.janzen.com.
janzen.com.            604800    IN    NS    dns1.janzen.com.
janzen.com.            604800    IN    NS    dns3.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.       604800    IN    A     10.0.0.20
dns2.janzen.com.       604800    IN    A     10.0.0.21
dns3.janzen.com.       604800    IN    A     10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 18:48:09 CST 2023
;; MSG SIZE  rcvd: 172

  

V. DNS reverse resolution configuration

1. CentOS 7: configuring reverse resolution

1.1. Add the reverse zone entry to named.zones

[root@node-centos7-70 etc]# vim /etc/named.zones

zone "janzen.com" IN {
    type master;
    file "named.janzen.com";
    allow-update { none; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "named.10.0.0";
};

  

1.2. Create the named.10.0.0 reverse zone database

[root@node-centos7-70 etc]# vim /var/named/named.10.0.0

$TTL    604800
@       IN      SOA     janzen.com. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
                NS      dns1.janzen.com.
70      IN      PTR     dns1.janzen.com.
21      IN      PTR     dns2.janzen.com.
9       IN      PTR     harbor.janzen.com.
10      IN      PTR     harbor.janzen.com.
31      IN      PTR     mail1.janzen.com.
32      IN      PTR     mail2.janzen.com.

  

1.3. Reload the service

[root@node-centos7-70 etc]# rndc reload
server reload successful

  

1.4. Verify reverse resolution

[root@Node-Ubuntu1804-20:~]# dig -t ptr 9.0.0.10.in-addr.arpa. @10.0.0.70

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 9.0.0.10.in-addr.arpa. @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17291
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: d92a9b9a0cba6df1281d8d7a646f4fe3ba882373c080d21e (good)
;; QUESTION SECTION:
;9.0.0.10.in-addr.arpa.        IN    PTR

;; ANSWER SECTION:
9.0.0.10.in-addr.arpa.    604800    IN    PTR    harbor.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.      604800    IN    NS     dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.          604800    IN    A      10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: Thu May 25 20:09:07 CST 2023
;; MSG SIZE  rcvd: 144

[root@Node-Ubuntu1804-20:~]# dig -t ptr 31.0.0.10.in-addr.arpa. @10.0.0.70

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 31.0.0.10.in-addr.arpa. @10.0.0.70
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40029
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 96c1482be18e12c7c27f80ae646f4fe90a240b78bb3e6e6c (good)
;; QUESTION SECTION:
;31.0.0.10.in-addr.arpa.        IN    PTR

;; ANSWER SECTION:
31.0.0.10.in-addr.arpa.   604800    IN    PTR    mail1.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.      604800    IN    NS     dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.          604800    IN    A      10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.70#53(10.0.0.70)
;; WHEN: Thu May 25 20:09:13 CST 2023
;; MSG SIZE  rcvd: 144

  

2. Ubuntu: configuring reverse resolution

2.1. Add the reverse zone entry to named.zones

[root@Node-Ubuntu1804-20:~]# vim /etc/bind/named.zones

zone janzen.com IN {
    type master;
    file "/etc/bind/db.janzen.com";
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "/etc/bind/db.10.0.0";
};

  

2.2. Create the reverse zone database

[root@Node-Ubuntu1804-20:~]# vim /etc/bind/db.10.0.0

$TTL    604800
@       IN      SOA     @ root.janzen.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
                NS      dns1.janzen.com.
                NS      dns2.janzen.com.
                NS      dns3.janzen.com.
20      IN      PTR     dns1.janzen.com.
21      IN      PTR     dns2.janzen.com.
70      IN      PTR     dns3.janzen.com.
9       IN      PTR     harbor.janzen.com.
10      IN      PTR     harbor.janzen.com.
31      IN      PTR     mail1.janzen.com.
32      IN      PTR     mail2.janzen.com.

  

2.3. Reload the service

[root@Node-Ubuntu1804-20:~]# rndc reload
server reload successful

  

2.4. Verify the reverse resolution results

[root@Ansible-Ubuntu1804-25:~]# dig -t ptr 20.0.0.10.in-addr.arpa. @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 20.0.0.10.in-addr.arpa. @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30257
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 84ac957d868c866b33777194646f52bc2f65ef3bae2f140f (good)
;; QUESTION SECTION:
;20.0.0.10.in-addr.arpa.        IN    PTR

;; ANSWER SECTION:
20.0.0.10.in-addr.arpa.   604800    IN    PTR    dns1.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.      604800    IN    NS     dns1.janzen.com.
0.0.10.in-addr.arpa.      604800    IN    NS     dns3.janzen.com.
0.0.10.in-addr.arpa.      604800    IN    NS     dns2.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.          604800    IN    A      10.0.0.20
dns2.janzen.com.          604800    IN    A      10.0.0.21
dns3.janzen.com.          604800    IN    A      10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 20:21:17 CST 2023
;; MSG SIZE  rcvd: 208

[root@Ansible-Ubuntu1804-25:~]# dig -t ptr 70.0.0.10.in-addr.arpa. @10.0.0.20

; <<>> DiG 9.11.3-1ubuntu1.18-Ubuntu <<>> -t ptr 70.0.0.10.in-addr.arpa. @10.0.0.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28274
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: cb50d5bc319d559d22178c59646f52c728e60ab6e3f06ad3 (good)
;; QUESTION SECTION:
;70.0.0.10.in-addr.arpa.        IN    PTR

;; ANSWER SECTION:
70.0.0.10.in-addr.arpa.   604800    IN    PTR    dns3.janzen.com.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.      604800    IN    NS     dns2.janzen.com.
0.0.10.in-addr.arpa.      604800    IN    NS     dns3.janzen.com.
0.0.10.in-addr.arpa.      604800    IN    NS     dns1.janzen.com.

;; ADDITIONAL SECTION:
dns1.janzen.com.          604800    IN    A      10.0.0.20
dns2.janzen.com.          604800    IN    A      10.0.0.21
dns3.janzen.com.          604800    IN    A      10.0.0.70

;; Query time: 0 msec
;; SERVER: 10.0.0.20#53(10.0.0.20)
;; WHEN: Thu May 25 20:21:27 CST 2023
;; MSG SIZE  rcvd: 208
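A reverse zone is only useful when every PTR agrees with the forward zone, and the two files are edited by hand here, so they drift. The following added example (not code from the article or from BIND) derives in-addr.arpa owner names exactly as section 3.9 describes, both in full and relative to the reverse zone's origin, and cross-checks the forward A records against the PTR records. The data is the article's CentOS forward zone after step 1.8 and the reverse zone from section V.1, reproduced as constructed Python dicts, plus one constructed PTR for .40 whose target has no A record; the check reports the two hosts (gitlab, www) that the article's reverse zone never got, and the dangling PTR.

```python
import ipaddress

REVERSE_ZONE = "0.0.10.in-addr.arpa."

# Constructed from the article's zone files (forward: named.janzen.com after step 1.8;
# reverse: named.10.0.0), plus a PTR for .40 that points at a name with no A record.
FORWARD_A = {
    "dns1.janzen.com.": ["10.0.0.70"], "dns2.janzen.com.": ["10.0.0.21"],
    "gitlab.janzen.com.": ["10.0.0.13"], "harbor.janzen.com.": ["10.0.0.9", "10.0.0.10"],
    "www.janzen.com.": ["10.0.0.11"], "mail1.janzen.com.": ["10.0.0.31"],
    "mail2.janzen.com.": ["10.0.0.32"],
}
REVERSE_PTR = {
    "70": "dns1.janzen.com.", "21": "dns2.janzen.com.", "9": "harbor.janzen.com.",
    "10": "harbor.janzen.com.", "31": "mail1.janzen.com.", "32": "mail2.janzen.com.",
    "40": "old.janzen.com.",          # constructed: no forward record for this name
}


def reverse_name(ip):
    """Full PTR owner name: octets reversed plus the in-addr.arpa. suffix (10.0.0.9 -> 9.0.0.10.in-addr.arpa.)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def relative_owner(ip, reverse_zone=REVERSE_ZONE):
    """The owner as written inside the reverse zone file: the host part only, still reversed."""
    full, suffix = reverse_name(ip), "." + reverse_zone
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not covered by zone {reverse_zone}")
    return full[:-len(suffix)]


def ip_from_owner(owner, reverse_zone=REVERSE_ZONE):
    """Inverse of relative_owner: owner '9' in 0.0.10.in-addr.arpa. -> 10.0.0.9.
    Works for any prefix length, e.g. owner '9.0' in 0.10.in-addr.arpa."""
    full = owner + "." + reverse_zone
    octets = full[:-len(".in-addr.arpa.")].split(".")
    return ".".join(reversed(octets))


def check_consistency(forward=FORWARD_A, ptrs=REVERSE_PTR, reverse_zone=REVERSE_ZONE):
    """Return (missing_ptr, dangling_ptr): A records with no PTR pointing back at the
    same name, and PTRs whose target has no A record for that address."""
    missing, dangling = [], []
    for fqdn, ips in forward.items():
        for ip in ips:
            try:
                owner = relative_owner(ip, reverse_zone)
            except ValueError:
                continue                  # address belongs to some other reverse zone
            if ptrs.get(owner) != fqdn:
                missing.append((ip, fqdn))
    for owner, fqdn in ptrs.items():
        if ip_from_owner(owner, reverse_zone) not in forward.get(fqdn, []):
            dangling.append((owner, fqdn))
    return missing, dangling
```

A host with two A records (harbor, 10.0.0.9 and 10.0.0.10) needs one PTR per address, which the article's zone has, so it produces no finding; the two reported misses are exactly the names the reverse zone omits.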

  

VI. DNS primary/secondary deployment

1. CentOS 7: primary/secondary configuration

1.1. Primary server configuration

The global allow-transfer { none; } turns zone transfers off for every zone; the zone-level allow-transfer { 10.0.0.71; } then opens AXFR for janzen.com to the secondary only.

[root@node-centos7-70 etc]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    # listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    # allow-query     { localhost; };
    allow-transfer    { none; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";

[root@node-centos7-70 etc]# vim /etc/named.zones

zone "janzen.com" IN {
    type master;
    file "named.janzen.com";
    allow-update { none; };
    allow-transfer { 10.0.0.71; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "named.10.0.0";
};

 

1.2. Secondary server configuration

[root@node-centos7-71 ~]# vim /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    # listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    # allow-query     { localhost; };
    allow-transfer    { none; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";

[root@node-centos7-71 ~]# vim /etc/named.zones

zone "janzen.com" IN {
    type slave;
    file "slaves/named.janzen.com.slave";
    masters { 10.0.0.70; };
};


2. Ubuntu master/slave configuration

 2.1. Master server configuration

[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf | grep -v ^$ | grep -v ".*//"
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-transfer { none; };
};
[root@Node-Ubuntu1804-20:~]# cat /etc/bind/named.zones
zone janzen.com IN {
    type master;
    file "/etc/bind/db.janzen.com";
    allow-transfer { 10.0.0.21; };
    also-notify { 10.0.0.21; };
};


 2.2. Slave server configuration

[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf | grep -v ^$ | grep -v ".*//"
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.zones";

[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-transfer { none; };
};
[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.zones
zone janzen.com IN {
    type slave;
    file "/etc/bind/db.janzen.com.slave";
    masters { 10.0.0.20; };
};


VII. DNS forwarding configuration

1. CentOS 7 forwarder configuration

  1.1. Global forwarding

[root@node-centos7-71 ~]# cat /etc/named.conf | grep -v ^$ | grep -v ".*//"
options {
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-transfer { none; };
    forward first;
    forwarders {10.0.0.70;};
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.zones";


  1.2. Per-domain forwarding

[root@node-centos7-71 ~]# cat /etc/named.zones
zone janzen.cn IN {
    type forward;
    forward only;
    forwarders { 10.0.0.70; };
};


2. Ubuntu forwarder configuration

 2.1. Global forwarding

[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.conf.options | grep -v ^$ | grep -v ".*//"
options {
    directory "/var/cache/bind";
    forward first;
    forwarders { 10.0.0.20; };
    dnssec-validation auto;
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-transfer { none; };
};


 2.2. Per-domain forwarding

[root@Node-Ubuntu1804-21:~]# cat /etc/bind/named.zones | grep -v ^$ | grep -v ".*//"
zone janzen.cn IN {
    type forward;
    forward only;
    forwarders { 10.0.0.20; };
};
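The master/slave and forwarder configurations above all turn on the same few knobs (allow-transfer, recursion, forwarders), and a single misspelled statement is enough to stop named from starting. As an added example that is not part of the original post, this Python script parses the named.conf subset used on this page and flags what a reviewer would check first: an unrecognised allow-* statement, recursion enabled without an explicit allow-query/allow-recursion, and a master or slave zone with no allow-transfer at either the zone or the options level. The sample configuration embedded in it is constructed, condensed from the CentOS 7 slave configuration above.

```python
import re
# Minimal parser for this page's named.conf subset, plus a lint for its transfer/recursion settings.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')

def tokenize(text):
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)      # strip /* */ comments
    text = re.sub(r'(//|#)[^\n]*', ' ', text)                # strip // and # comments
    return [t.strip('"') for t in _TOKEN.findall(text)]

def parse(tokens, i=0):
    """Parse up to a matching '}': statements are word lists, { } bodies nested lists."""
    stmts, cur = [], []
    while i < len(tokens) and tokens[i] != '}':
        if tokens[i] == '{':
            body, i = parse(tokens, i + 1)
            cur.append(body)
        elif tokens[i] == ';':
            if cur: stmts.append(cur)
            cur = []
        else:
            cur.append(tokens[i])
        i += 1
    if cur: stmts.append(cur)                 # tolerate a missing final ';'
    return stmts, i

ACL_STMTS = {'allow-query', 'allow-query-cache', 'allow-recursion',
             'allow-transfer', 'allow-update', 'allow-notify'}

def audit(conf_text):
    """Return findings for a master/slave/forwarder named.conf as plain strings."""
    stmts = parse(tokenize(conf_text))[0]
    opts = {o[0]: o[1:] for s in stmts if s[0] == 'options' for o in s[1]}
    out = [f"unknown ACL statement '{k}' (typo?)"  # named rejects it at start-up
           for k in opts if k.startswith('allow-') and k not in ACL_STMTS]
    if opts.get('recursion', ['yes'])[0] == 'yes' and not (
            opts.keys() & {'allow-query', 'allow-recursion'}):
        out.append('recursion on with no allow-query/allow-recursion: set one explicitly')
    for s in (s for s in stmts if s[0] == 'zone'):
        body = {o[0]: o[1:] for o in s[-1]}
        if body.get('type', [''])[0] in ('master', 'slave') and not (
                'allow-transfer' in body or 'allow-transfer' in opts):
            out.append(f'zone {s[1]}: AXFR unrestricted (no allow-transfer in zone or options)')
    return out

# Constructed sample (condensed from this page's CentOS 7 slave named.conf).
SAMPLE = """options { listen-on-v6 port 53 { ::1; }; directory "/var/named";
    allow-tranfer { none; };  # constructed: misspelled allow-transfer
    recursion yes; dnssec-validation yes; };
zone "janzen.com" IN { type slave; file "slaves/named.janzen.com.slave";
    masters { 10.0.0.70; }; };"""
```

Running `audit(SAMPLE)` yields three findings; correcting the spelling and adding an allow-query statement clears all of them.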