DNS service on Linux
1. Installing and deploying DNS
**** This lab edits configuration files; after every change remember to restart the service: systemctl restart named ****
(For the lab it is simplest to set SELinux to disabled. That is a lab shortcut only: on a real server keep it enforcing, because the named_t domain is what confines named and limits the damage if the daemon is compromised.)
yum install bind.x86_64 -y
systemctl start named (if startup is slow, open another terminal and type random characters: keyboard activity feeds the kernel entropy pool that named waits on while generating its keys at startup)
systemctl stop firewalld (several virtual machines have to talk to each other in this lab, so the firewall is simply stopped; on a real server open only the DNS port instead: firewall-cmd --permanent --add-service=dns && firewall-cmd --reload)
Main configuration file: /etc/named.conf
Zone configuration file: /etc/named.rfc1912.zones
Data directory: /var/named
2. Caching (forwarding) name server
vim /etc/named.conf
line 11: listen-on port 53 { any; }; -- listen on every interface instead of only 127.0.0.1
line 17: allow-query { any; }; -- accept queries from everyone
add after line 18: forwarders { IP; }; -- whom to ask when this server does not know the answer (IP = the upstream resolver)
Caveat: with recursion on (the default) and allow-query { any; }, named also recurses for everyone, because allow-recursion falls back to allow-query when it is not set explicitly. On an address reachable from outside that is an open resolver, usable for DNS amplification and a target for cache poisoning attempts. Add allow-recursion { localnets; localhost; }; (or your own subnet) so only your clients get recursive service.
On the client:
vim /etc/resolv.conf
nameserver <server IP>
dig www.baidu.com --- dig sends the query to the server listed in /etc/resolv.conf (the file the system's stub resolver reads) unless you give it @server explicitly
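The caveat above is easy to get wrong because the dangerous setting is the absence of a line rather than a line. The following script is an added example, not part of the original notes: it applies BIND's fallback chain (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets/localhost default) to an options block and reports whether the file describes an open recursive resolver. The two configuration files it audits are constructed for the demo: weak.conf is what section 2 produces, hardened.conf is the same with recursion limited to the lab LAN. The forwarder address 192.0.2.53 is a placeholder, not a value from the notes, and named ACL lists are not expanded (only a literal "any" is recognised).

```shell
#!/bin/sh
# open_resolver_check FILE
# Heuristic audit of a named.conf options block. Returns 0 when recursion is
# restricted, 1 when the file describes an open recursive resolver.
# Fallback chain as BIND applies it:
#   allow-recursion -> allow-query-cache -> allow-query -> localnets; localhost
# Only the literal "any" is recognised; acl "name" { ... } lists are not expanded.
open_resolver_check() {
  awk '
    {
      sub(/\/\/.*/, ""); sub(/#.*/, "")        # strip // and # line comments
      conf = conf " " $0                        # flatten the file into one string
    }
    END {
      gsub(/[ \t]+/, " ", conf)
      recursion = "yes"                                   # BIND default
      if (conf ~ /recursion no;/) recursion = "no"
      eff = "localnets; localhost;"                       # default when nothing is set
      if (match(conf, /allow-query \{[^}]*\}/))       eff = substr(conf, RSTART, RLENGTH)
      if (match(conf, /allow-query-cache \{[^}]*\}/)) eff = substr(conf, RSTART, RLENGTH)
      if (match(conf, /allow-recursion \{[^}]*\}/))   eff = substr(conf, RSTART, RLENGTH)
      open = (recursion == "yes") && (eff ~ /\{ *any; *\}/)
      exit (open ? 1 : 0)
    }' "$1"
}

# write_sample_confs DIR: two constructed options blocks. weak.conf is what the
# lab ends up with after section 2; hardened.conf limits recursion to the LAN.
# 192.0.2.53 is a placeholder for the upstream forwarder.
write_sample_confs() {
  cat > "$1/weak.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    forwarders { 192.0.2.53; };
};
EOF
  cat > "$1/hardened.conf" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };                             // authoritative answers for everyone
    allow-recursion { 172.25.254.0/24; localhost; };  // recursion only for the lab LAN
    recursion yes;
    forwarders { 192.0.2.53; };
};
EOF
}

# Demo: audit both files.
dir=$(mktemp -d)
write_sample_confs "$dir"
for name in weak hardened; do
  if open_resolver_check "$dir/$name.conf"; then
    echo "$name.conf: recursion restricted"
  else
    echo "$name.conf: OPEN RESOLVER (recursion for any client)"
  fi
done
rm -r "$dir"
```

Run it against a copy of your own /etc/named.conf with open_resolver_check /path/to/named.conf; the exit status is what a deploy script would branch on.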
3. Forward resolution (server side)
『1』vim /etc/named.rfc1912.zones
zone "iop.com" IN {
type master;
file "iop.com.zone";
allow-update { none; };
};
『2』cd /var/named
cp -p named.localhost iop.com.zone (-p keeps the root:named ownership and permissions of the template)
vim iop.com.zone
$TTL 1D
@ IN SOA dns.iop.com. root.iop.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.iop.com.
dns A 172.25.254.140
www A 172.25.254.222
### In this file @ stands for the zone origin, i.e. the name in the zone statement (iop.com), not www.iop.com. Any name that does not end in "." is relative and gets the origin appended: www becomes www.iop.com., and a typo such as "NS dns.iop.com" without the final dot silently becomes dns.iop.com.iop.com. ###
Check the file before restarting: named-checkzone iop.com /var/named/iop.com.zone
Test: on the client, dig www.iop.com
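The origin rule in the note above is the single most common zone-file mistake, and named does not flag it, because a relative target is perfectly legal. The script below is an added example, not part of the original notes: expand_name applies the rule ("@" is the origin, a trailing dot means absolute, anything else is relative), and zone_lint scans a zone file for NS, CNAME, PTR and MX targets that lack the trailing dot and shows the name named would actually load. The zone it checks is a constructed copy of the lab zone, with the trailing dot on the NS line left out on purpose.

```shell
#!/bin/sh
# expand_name NAME ORIGIN: the rule named applies when it loads a zone file.
# "@" is the origin, a name ending in "." is already absolute, anything else
# is relative and gets the origin appended.
expand_name() {
  origin=${2%.}                     # accept the origin with or without a final dot
  case $1 in
    @)  printf '%s.\n' "$origin" ;;
    *.) printf '%s\n' "$1" ;;
    *)  printf '%s.%s.\n' "$1" "$origin" ;;
  esac
}

# zone_lint FILE ORIGIN: flag NS, CNAME, PTR and MX targets written without a
# trailing dot. named accepts them and reads each one as target.ORIGIN, which
# is almost never what was meant. Returns 1 if anything was flagged.
zone_lint() {
  awk -v origin="${2%.}" '
    /^[ \t]*;/ || /^\$/ { next }                 # comment lines, $TTL, $ORIGIN
    {
      sub(/;.*/, "")                             # drop a trailing comment
      if (NF < 2) next
      for (i = 1; i < NF; i++)
        if ($i ~ /^(NS|CNAME|PTR|MX)$/ && $NF !~ /\.$/) {
          printf "line %d: %s target %s will be loaded as %s.%s. (missing trailing dot)\n", NR, $i, $NF, $NF, origin
          bad++
        }
    }
    END { exit (bad ? 1 : 0) }' "$1"
}

# write_sample_zone FILE DOT: constructed copy of the lab zone. DOT is appended
# to the NS target, so DOT="" reproduces the typo and DOT="." the correct file.
write_sample_zone() {
  cat > "$1" <<EOF
\$TTL 1D
@ IN SOA dns.iop.com. root.iop.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
 NS dns.iop.com$2
dns A 172.25.254.140
www A 172.25.254.222
EOF
}

# Demo: lint the broken zone, then show the expansion rule directly.
zone=$(mktemp)
write_sample_zone "$zone" ""
zone_lint "$zone" iop.com || echo "fix the zone before loading it"
expand_name www iop.com
rm -f "$zone"
```

named-checkzone remains the authoritative check (it parses everything this script skips); zone_lint only catches the one class of mistake that named-checkzone accepts without comment.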
4. Reverse resolution (server side)
『1』vim /etc/named.rfc1912.zones
zone "254.25.172.in-addr.arpa" IN {
type master;
file "ppp.com.ptr";
allow-update { none; };
};
『2』cd /var/named
cp -p named.loopback ppp.com.ptr
vim ppp.com.ptr
$TTL 1D
@ IN SOA dns.ppp.com. root.ppp.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.ppp.com.
dns A 172.25.254.140
199 PTR www.ppp.com.
(The zone name is the network part of the address written backwards, 172.25.254 -> 254.25.172.in-addr.arpa, so the relative owner 199 expands to 199.254.25.172.in-addr.arpa. The PTR target must be absolute, with the trailing dot.)
Test: on the client, dig -x 172.25.254.199
5. Split-horizon resolution (views)
(1) Copy and edit a zone configuration file for the external view
『1』cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zone.inter
vim /etc/named.rfc1912.zone.inter
zone "iop.com" IN {
type master;
file "iop.com.inter";
allow-update { none; };
};
『2』cd /var/named
cp -p iop.com.zone iop.com.inter
vim /var/named/iop.com.inter
$TTL 1D
@ IN SOA dns.iop.com. root.iop.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.iop.com.
dns A 1.1.1.140
www A 1.1.1.222
『3』vim /etc/named.conf -- once a view is defined every zone must live inside a view, so delete (or comment out) the top-level zone "." statement and the two include lines, and append the following at the end of the file:
view localnet {
match-clients { 172.25.254.240; }; ---- internal clients: answer from the internal zone files
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};

view any {
match-clients { any; }; ---- everyone else: answer from the external zone files
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zone.inter";
include "/etc/named.root.key";
};
Views are matched in order, so the specific localnet view must come before the catch-all one. Run named-checkconf before restarting.
Test: dig www.iop.com from 172.25.254.240 -> 172.25.254.222 (internal view)
dig www.iop.com from any other host, for example 172.25.254.140 itself -> 1.1.1.222 (external view)
6. Secondary DNS
(1) Settings on the primary
vim /etc/named.rfc1912.zone.inter
zone "iop.com" IN {
type master;
file "iop.com.inter";
allow-update { none; };
also-notify { 172.25.254.240; }; -- after every change send a NOTIFY to 172.25.254.240 so it transfers the zone immediately
};
Zone transfers are not restricted by this statement, so add an allow-transfer { 172.25.254.240; }; line as well; without it any host can pull the whole zone with an AXFR request. Also note that if the views from section 5 are still in place, a transfer request from 172.25.254.240 matches the localnet view and receives the internal zone, not iop.com.inter; adjust match-clients if the external data is what the secondary should serve.
Note: every time you change the zone file you must raise the serial, otherwise the secondary sees no change and keeps its old copy. The serial is an unsigned 32-bit number, so it has at most 10 digits (4294967295); the usual scheme is YYYYMMDDnn.
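Forgetting the serial is the classic reason a secondary never updates, so the bump is worth scripting. The function below is an added example, not part of the original notes: it rewrites the SOA serial in place following the YYYYMMDDnn scheme, always produces a strictly larger value even if the old serial was a plain counter or a date in the future, refuses to pass the 32-bit maximum mentioned above, and writes through the existing file so the root:named ownership named depends on is kept. The date can be passed as a second argument so the result is reproducible; the zone it edits in the demo is a constructed three-line fragment.

```shell
#!/bin/sh
# bump_serial ZONEFILE [YYYYMMDD]
# Rewrites the "<number> ; serial" line of ZONEFILE in place and prints the new
# serial. Scheme: first change of the day -> <date>01, later changes the same
# day -> old+1. If the old serial is already larger than <date>01 (a plain
# counter that grew, or a date in the future) it simply adds 1, so the serial
# always increases, which is all the secondaries care about. Refuses to exceed
# 4294967295, the unsigned 32-bit maximum (hence "at most 10 digits").
bump_serial() {
  f=$1
  today=${2:-$(date +%Y%m%d)}
  tmp=$(mktemp) || return 1
  new=$(awk -v today="$today" -v out="$tmp" '
    BEGIN { max = 4294967295 }
    !done && /;[ \t]*serial/ {
      for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) break
      if (i > NF) { print "no numeric serial on line " NR > "/dev/stderr"; exit 2 }
      old = $i + 0
      new = (int(old / 100) == today) ? old + 1 : today * 100 + 1
      if (new <= old) new = old + 1
      if (new > max) { print "serial would exceed 4294967295" > "/dev/stderr"; exit 2 }
      $i = sprintf("%.0f", new)           # %.0f: never print a 10-digit value in exponent form
      result = $i
      done = 1
    }
    { print > out }
    END { if (!done) exit 2; print result }
  ' "$f") || { rm -f "$tmp"; return 1; }
  # cat through the existing file instead of mv: mktemp creates a 0600 root file,
  # and a renamed copy would no longer be readable by the named user.
  cat "$tmp" > "$f" && rm -f "$tmp" && printf '%s\n' "$new"
}

# Demo on a constructed fragment (only the serial line matters to the function).
zone=$(mktemp)
printf '@ IN SOA dns.iop.com. root.iop.com. (\n0 ; serial\n1D ; refresh\n' > "$zone"
bump_serial "$zone" 20240101      # prints 2024010101
bump_serial "$zone" 20240101      # prints 2024010102
rm -f "$zone"
```

After bumping, rndc reload is enough on the primary; the NOTIFY to the secondary and its transfer follow automatically.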
(2) Settings on the secondary
『1』install bind
『2』start named
『3』stop the firewall (or open the DNS port)
『4』vim /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
... (remaining options unchanged)
『5』vim /etc/named.rfc1912.zones
zone "iop.com" IN {
type slave;
masters { 172.25.254.140; };
file "slaves/iop.com.inter"; -- /var/named/slaves is writable by the named user, which is where the transferred copy is stored
allow-update { none; };
};
Test: on the primary change www from 1.1.1.222 to 1.1.1.111, raise the serial and run rndc reload (or restart named); then dig www.iop.com against both servers:
primary 1.1.1.222 -> secondary 1.1.1.222 (before the change)
primary 1.1.1.111 -> secondary 1.1.1.111 (after the change and the transfer)
7. Remote (dynamic) updates
(1) Updates allowed by source IP
『1』chmod g+w /var/named ---- the named user (group named) must be able to create the journal file next to the zone file
『2』vim /etc/named.rfc1912.zone.inter
zone "iop.com" IN {
type master;
file "iop.com.inter";
allow-update { 172.25.254.240; };
also-notify { 172.25.254.240; };
};
Restart named.
Caveat: an address in allow-update is checked against the packet's source IP only, and the source address of a UDP packet is trivially forged, so anyone who can reach port 53 can send updates that appear to come from 172.25.254.240. Use this form in the lab only; for anything real use the TSIG key method in (2).
Test from the remote host 172.25.254.240:
nsupdate
> server 172.25.254.140 -- add a record
> update add bbs.iop.com 86400 A 1.1.1.1
> send
> server 172.25.254.140 -- delete it again
> update delete bbs.iop.com
> send
> quit
dig bbs.iop.com
### Updates are first written to the journal /var/named/iop.com.inter.jnl; they are merged into iop.com.inter only when named is restarted (or rndc sync is run). ###
(2) Updates authenticated with a TSIG key
『1』cp -p /etc/rndc.key /etc/iop.key ---- use the rndc key file as a template (-p keeps its root:named 640 permissions, so the secret stays unreadable to other users)
dnssec-keygen -a HMAC-MD5 -b 64 -n HOST iop ---- generate the shared key: -a algorithm, -b key length in bits, -n HOST key type, iop is the key name. It writes Kiop.+157+NNNNN.key and Kiop.+157+NNNNN.private, where 157 is the HMAC-MD5 algorithm number and NNNNN is the key id the command prints (23244 in this run)
cat Kiop.+157+23244.key ---- the last field of the KEY record is the base64 secret
Caveat: HMAC-MD5 with a 64-bit secret is what this lab uses, but both the algorithm and the length are weak choices. On BIND 9.11 or later generate the key with tsig-keygen -a hmac-sha256 iop, which prints a ready-made key { } block, and use algorithm hmac-sha256 everywhere the key is referenced.
『2』vim /etc/iop.key
key "iop" {
algorithm hmac-md5;
secret "<the base64 secret from the .key file>";
};
『3』vim /etc/named.conf
include "/etc/iop.key"; ---- load the key (line 43, after the options block and before any zone statement that references it)
『4』vim /etc/named.rfc1912.zone.inter
zone "iop.com" IN {
type master;
file "iop.com.inter";
allow-update { key iop; };
also-notify { 172.25.254.240; };
};
『5』scp Kiop.+157+23244.* root@172.25.254.240:/mnt/ ---- copy the key files to the host that is allowed to send updates; the secret must not go anywhere else, so chmod 600 them on arrival
『6』On the host that holds the key:
nsupdate -k /mnt/Kiop.+157+23244.private
> server 172.25.254.140 -- add
> update add bbs.iop.com 86400 A 1.1.1.1
> send
> server 172.25.254.140 -- delete
> update delete bbs.iop.com
> send
> quit
Test: dig bbs.iop.com
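The interactive nsupdate session above works for a one-off test; for anything repeated you want the key generated with a modern algorithm and the update kept as a batch file. The script below is an added example, not part of the original notes, and does not use the lab's dnssec-keygen HMAC-MD5 key: make_tsig_key produces a key { } statement in the format /etc/iop.key uses (the same shape tsig-keygen prints), tsig_secret_from_keyfile reads the secret back out of such a file, and nsupdate_batch writes an nsupdate script that signs with the key through nsupdate's in-script key directive and deletes before adding so it can be re-run safely. The server address, zone and record are the ones from this section; the batch is only generated here, not sent, since that needs the lab's name server.

```shell
#!/bin/sh
# make_tsig_key NAME ALGORITHM BITS
# Prints a named.conf key statement with a fresh random secret (the same shape
# tsig-keygen produces). HMAC-SHA256 with a 256-bit secret is the sensible
# choice today; the lab's HMAC-MD5/64-bit key is only kept for comparison.
make_tsig_key() {
  secret=$(head -c "$(($3 / 8))" /dev/urandom | base64 | tr -d '\n')
  printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$1" "$2" "$secret"
}

# tsig_secret_from_keyfile FILE: pull the base64 secret out of a key statement
# such as /etc/iop.key, so the same value can be reused (e.g. in dhcpd.conf).
tsig_secret_from_keyfile() {
  sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# nsupdate_batch SERVER ZONE ALGORITHM KEYNAME SECRET NAME TTL TYPE RDATA
# Prints an nsupdate script that replaces NAME's TYPE records with RDATA,
# signed with the TSIG key via nsupdate's "key [hmac:]keyname secret" directive.
# Deleting the old records first makes the batch idempotent.
nsupdate_batch() {
  printf 'server %s\n' "$1"
  printf 'zone %s\n' "$2"
  printf 'key %s:%s %s\n' "$3" "$4" "$5"
  printf 'update delete %s %s\n' "$6" "$8"
  printf 'update add %s %s %s %s\n' "$6" "$7" "$8" "$9"
  printf 'send\n'
}

# Demo: generate a key, store it with tight permissions, build the batch for
# bbs.iop.com. In real use the batch is sent with
#   nsupdate batch.txt         (the key directive inside the batch signs it), or
#   nsupdate -k /etc/iop.key   (BIND 9.11+ accepts the key statement file)
dir=$(mktemp -d)
make_tsig_key iop hmac-sha256 256 > "$dir/iop.key"
chmod 600 "$dir/iop.key"           # the secret is the whole security of the scheme
secret=$(tsig_secret_from_keyfile "$dir/iop.key")
nsupdate_batch 172.25.254.140 iop.com hmac-sha256 iop "$secret" \
  bbs.iop.com 86400 A 1.1.1.1 > "$dir/batch.txt"
cat "$dir/iop.key" "$dir/batch.txt"
rm -r "$dir"
```

The key statement printed by make_tsig_key can be dropped into /etc/iop.key as-is; remember to change algorithm hmac-md5 to hmac-sha256 in every other place the key is declared, including the dhcpd.conf key block in section 8, since a TSIG key is identified by name and algorithm together.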
8. Dynamic DNS (DDNS) driven by the DHCP server
On the server (172.25.254.140):
(1) yum install dhcp -y
(2) cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf
(3) vim /etc/dhcp/dhcpd.conf
option domain-name "iop.com";
option domain-name-servers 172.25.254.140;
ddns-update-style interim; -- "none" switches dynamic updates off entirely, so this must be interim (dhcp 4.3 and later also accept standard)
subnet 172.25.254.0 netmask 255.255.255.0 {
range 172.25.254.100 172.25.254.120;
option routers 172.25.254.140;
}
key "iop" {
algorithm hmac-md5;
secret "xCM6CpgaBksDLeFqykAJww==";
};
zone iop.com {
primary 127.0.0.1;
key iop;
}
The key block must match /etc/iop.key exactly (same name, algorithm and secret). dhcpd.conf now contains the secret too, so keep it readable by root only.
(4) vim /etc/named.rfc1912.zones
zone "iop.com" IN {
type master;
file "iop.com.zone";
allow-update { key iop; };
};
Restart named and start dhcpd (systemctl start dhcpd). The update arrives from 127.0.0.1, so if the views from section 5 are still configured it is handled by whichever view matches 127.0.0.1, and the iop.com zone in that view is the one that needs the allow-update.
(5) hostnamectl set-hostname www.iop.com -- run this on the host that is to be registered, i.e. the DHCP client: dhcpd creates <hostname>.iop.com from the host-name option the client sends in its request, so the hostname on the server itself registers nothing.
On the other host (172.25.254.240), as DHCP client:
Switch the interface to DHCP:
vim /etc/sysconfig/network-scripts/ifcfg-<interface> -- BOOTPROTO=dhcp; add DHCP_HOSTNAME=www.iop.com if the interface is not managed by NetworkManager, so that dhclient sends the hostname
systemctl restart network
dig www.iop.com -- against 172.25.254.140 this should now return the address the client was leased