[Tutorial] Linux DNS Server Installation, Configuration and Maintenance
This article covers DNS basics, the installation and configuration of a DNS server on Linux, and the related maintenance tasks.
The Domain Name System (DNS) is the naming system of the Internet: it translates easy-to-remember machine names into IP addresses. It is fundamentally a naming system, because its design divides the Internet into a hierarchy of "domains".
DNS server installations fall mainly into primary DNS servers, secondary DNS servers and caching DNS servers. The primary server gives authoritative answers, the secondary server acts as a backup, and the caching server reduces the number of upstream queries.
To configure a primary DNS server you use the BIND DNS server and define the domain zones in the /etc/named.conf file, for example "likegeeks.com". A zone is defined with a "zone" statement that specifies the type (master or slave), the path of the zone file, and so on.
Configure the zone selectors for the DNS server, such as the "." zone, for forward and reverse lookups. Once a zone selector is defined it can reference a database file that contains the DNS record types (SOA, NS, A, PTR, MX, CNAME, TXT, etc.).
Understand each record type: the SOA record describes the site's DNS entry, NS records name the name servers, A records map host names to IP addresses, PTR records provide reverse name resolution, MX records designate mail exchangers, CNAME records create host name aliases, and TXT records store arbitrary information.
In the zone file the $TTL entry sets the time-to-live of the records; the default value is usually reasonable. Use the host command to check DNS resolution, or the whois command to obtain domain ownership information. For maintaining the DNS server, the rndc tool provides secure management, including querying the status and reloading or reconfiguring the service.
The DNS server works together with the client resolver: the client reads its resolver configuration file (/etc/resolv.conf, or the /etc/resolvconf/resolv.conf.d/ directory on Debian-based systems) to obtain the address of the local DNS server and resolves host names to IP addresses through it.
In summary, installing, configuring and maintaining a DNS server involves many aspects, from choosing the server type to writing the configuration files and configuring and managing the resolver; it requires an overall understanding of how DNS works and of its implementation details.
How should an FQDN be understood?
I. DNS service information:
A: forward record
PTR: reverse record, IP address to domain name
host -l example.com: list all hosts in the domain
dig -t soa example.com: query the SOA record (secondary DNS)
Packages: bind
bind-chroot
caching-nameserver
DNS main configuration directory: /var/named/chroot/
DNS main configuration file: /var/named/chroot/etc/named.conf
DNS A record (zone file) directory: /var/named/chroot/var/named
II. Configuring DNS forward resolution:
1. cp -p /var/named/chroot/etc/named.caching-nameserver.conf /var/named/chroot/etc/named.conf
   # generate the DNS configuration file from the template
2. vi /var/named/chroot/etc/named.conf
   # edit the configuration file
The items to change in the configuration file are as follows.
In options (global settings):
    listen-on port 53 { localhost; };          // listen on local port 53
    // listen-on-v6 port 53 { ::1; };          // IPv6 listener commented out
    allow-query       { localnets; };          // only directly connected local networks may query this DNS
    allow-query-cache { localnets; };
In the view (takes effect for the local network only):
    match-clients      { localnets; };         // directly connected local networks use this DNS
    match-destinations { localnets; };
3. vi /var/named/chroot/etc/named.rfc1912.zones
Add the following:
    zone "example.com" IN {                    // the domain to maintain
        type master;
        file "example.com.zone";               // name of the A record (zone) file
        allow-update { none; };
    };
4. Write the A record (zone) file:
    cd /var/named/chroot/var/named/
    cp -p localhost.zone example.com.zone
Contents of the zone file (station62.example.com is the DNS server's host name; names ending in a dot are absolute, otherwise the zone origin is appended):
    $TTL 86400
    @           IN SOA   station62.example.com. root.example.com. (
                         42      ; serial (d. adams)
                         3H      ; refresh
                         15M     ; retry
                         1W      ; expiry
                         1D )    ; minimum
                IN NS    station62.example.com.   ; the DNS host
                IN A     192.168.0.62             ; the DNS host's IP
    station62   IN A     192.168.0.62             ; A record of the DNS server
    www         IN A     192.168.1.62             ; the A record to add
vim named.rfc1912.zones
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
    };
cd /var/named/chroot/var/named/
cp -p localhost.zone example.com.zone
cp -p named.local example.com.local
Define the forward resolution database file:
vi example.com.zone
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         42      ; serial (d. adams)
                         3H      ; refresh
                         15M     ; retry
                         1W      ; expiry
                         1D )    ; minimum
                IN NS    station41.example.com.
                IN A     192.168.0.41
    station41   IN A     192.168.0.41
    www         IN A     192.168.0.41
    www         IN A     192.168.0.42
    www         IN A     192.168.0.43          ; several A records for one name: answers rotate (round robin)
    bbs         IN CNAME www                   ; alias for www
    *           IN A     192.168.0.41          ; wildcard: every name not defined above
Define the reverse resolution database:
vim example.com.local
Zone statement for the reverse zone:
    zone "0.168.192.in-addr.arpa" IN {        // reverse resolution
        type master;
        file "example.com.local";
        allow-update { none; };
    };
Contents of example.com.local:
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         1997022700  ; Serial
                         28800       ; Refresh
                         14400       ; Retry
                         3600000     ; Expire
                         86400 )     ; Minimum
                IN NS    station41.example.com.
    41          IN PTR   example.com.
    41          IN PTR   station41.example.com.
Restart the service:
    /etc/init.d/named restart
Using an acl:
    acl example { 192.168.0.0/24; };
    options {
        listen-on port 53 { example; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        blackhole { };                         // blacklist: addresses named never answers
        allow-query       { example; };
        allow-query-cache { example; };
    };
/etc/init.d/named configtest: checks the DNS configuration files
Adding a gateway:
    route add default gw 192.168.0.254
Caching DNS:
Configure on the primary DNS:
vi named.conf
    options {
        // listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
        forward only;                          // never resolve on our own
        forwarders { 218.30.19.50; };          // send every query to this upstream server
        allow-query       { example; };
        allow-query-cache { example; };
    };
Secondary DNS (copies the data from the primary DNS): (iptables should be turned off)
Primary DNS: /etc/named.rfc1912.zones
    // allow-query       { example; };
    // allow-query-cache { example; };
    zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { none; };
        allow-transfer { 192.168.0.4; };       // only the secondary may pull the whole zone
    };
Secondary DNS: (the primary's zone file will appear under /var/named/chroot/var/named/slaves); at this point set this machine's DNS to its own address
    options {
        // listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Those options should be used carefully because they disable port
        // randomization
        // query-source    port 53;
        // query-source-v6 port 53;
        // allow-query       { localhost; };
        // allow-query-cache { localhost; };
    };
    logging {
        channel default_debug {
            file "data/named.run";
            severity dynamic;
        };
    };
    view localhost_resolver {
        // match-clients      { localnets; };
        // match-destinations { localnets; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type slave;
            masters { 192.168.0.41; };         // pull the zone from the primary
            file "slaves/example.com.zone";
        };
    };
Different machines get different DNS answers (views):
Primary DNS: named.conf
    view localhost_resolver {
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            file "example.com.zone";
        };
    };
    view internal_resolver {
        match-clients      { 192.168.0.0/24; };
        match-destinations { 192.168.0.0/24; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            file "example.com.internal";
        };
    };
example.com.zone:
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         42      ; serial (d. adams)
                         3H      ; refresh
                         15M     ; retry
                         1W      ; expiry
                         1D )    ; minimum
                IN NS    station41.example.com.
                IN A     192.168.0.41
    station41   IN A     192.168.0.41
    www         IN A     192.168.0.41
example.com.internal:
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         42      ; serial (d. adams)
                         3H      ; refresh
                         15M     ; retry
                         1W      ; expiry
                         1D )    ; minimum
                IN NS    station41.example.com.
                IN A     192.168.0.41
    station41   IN A     192.168.0.41
    www         IN A     192.168.0.49
At this point the secondary machine's DNS is set to the primary DNS address.
DNS file synchronisation (notifying the secondary):
Primary DNS:
    view localhost_resolver {
        // match-clients      { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type master;
            also-notify { 192.168.0.4; };      // tell the secondary to pull the zone after a reload
            file "example.com.zone";
        };
    };
example.com.zone: the serial value must be changed after every modification
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         2010042101  ; serial (d. adams)
                         3H          ; refresh
                         15M         ; retry
                         1W          ; expiry
                         1D )        ; minimum
                IN NS    station41.example.com.
                IN A     192.168.0.41
    station41   IN A     192.168.0.41
    www         IN A     192.168.0.49
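The note above says the serial must change after every edit. The following added example (not part of the original notes) computes the next serial in the YYYYMMDDnn style used here and applies the comparison rule a secondary uses to decide whether the zone is newer: a serial that goes backwards, or jumps ahead by 2^31 or more, never reaches the slave. The date is passed as an ISO string, an assumption of this example.

```python
from datetime import date


def next_serial(current: int, today: str) -> int:
    """Return a serial larger than `current` for an edit made on `today` (ISO
    'YYYY-MM-DD'), in the YYYYMMDDnn form used in the notes (nn counts the
    edits made on that day)."""
    prefix = int(date.fromisoformat(today).strftime("%Y%m%d"))   # e.g. 20100421
    if current < prefix * 100:
        return prefix * 100 + 1                  # older date, or a plain counter such as 42
    if current // 100 == prefix:
        if current % 100 >= 99:
            raise ValueError("99 edits today already; wait for tomorrow or drop the date form")
        return current + 1                       # same day: bump the counter
    return current + 1                           # serial is ahead of the clock: still go up


def secondary_will_update(old: int, new: int) -> bool:
    """Serial comparison as a secondary applies it (RFC 1982): `new` counts as newer
    only when it is ahead of `old` by less than 2**31 modulo 2**32; otherwise the
    notify is ignored and the slave keeps serving the stale zone."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)
```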
Secondary DNS machine: its rules must now be set so that the primary can reach it
    view localhost_resolver {
        // match-clients      { localnets; };
        // match-destinations { localnets; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
        zone "example.com" IN {
            type slave;
            masters { 192.168.0.41; };
            file "slaves/example.com.zone";
        };
    };
(1) SOA resource record
Every database file begins with a Start of Authority (SOA) record. The SOA defines the global parameters of the domain and the administrative settings for the whole domain. A zone file may contain only one SOA record.
(2) NS resource record
Name server (NS) resource records identify the authoritative servers for the zone: the primary and secondary servers named in the SOA record, and the servers of any delegated zone. Every zone contains at least one NS record at its root.
(3) A resource record
An address (A) resource record maps an FQDN to an IP address, so that a resolver can look up the IP address that belongs to an FQDN.
(4) PTR resource record
The counterpart of the A record: a pointer (PTR) record maps an IP address to an FQDN.
(5) CNAME resource record
A canonical name (CNAME) resource record creates an alias for a specific FQDN. Users can reach the host through the alias defined in the CNAME record.
(6) MX resource record
A mail exchanger (MX) resource record designates the mail exchange server for a DNS domain name. A mail exchange server is a host that processes or forwards mail for that DNS domain name. Processing mail means delivering it to its destination or handing it to a different kind of mail transport; forwarding mail means sending it on to the final destination server.
(7) Wildcard record
Apart from the resource records defined in the database file, every other name in the domain can also be resolved by DNS.
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         221001  ; serial (d. adams)
                         3H      ; refresh
                         15M     ; retry
                         1W      ; expiry
                         1D )    ; minimum
                IN NS    station41.example.com.
                IN A     192.168.0.41
    station41   IN A     192.168.0.41
    www         IN A     192.168.0.42
    bbs         IN A     192.168.0.43
                IN A     192.168.0.44          ; second address for bbs (a blank owner repeats the previous one)
    forum       IN A     192.168.0.45
    web         IN CNAME @                     ; alias for the zone apex; a CNAME owner may hold no other records
    @           IN MX 10 192.168.0.44          ; MX data must be a host name with an A record: an address here is read as the name 192.168.0.44.example.com.
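As an added example (not from the notes), the following Python lints a zone file laid out like the ones above for the mistakes that BIND either rejects or loads with a different meaning than intended: A data that is not an IPv4 address, an MX or NS target written as an IP address (read as a relative name under the origin), and a CNAME owner that also carries other records. The sample zone is constructed for this example and reuses the notes' names.

```python
import ipaddress
import re

def absolute(name, origin):
    # '@' is the apex; a name without a trailing dot gets the origin appended
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata tokens); handles ';' comments, '( )' continuation
    lines and blank owners that inherit the previous owner, as in the notes."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), text)
    records, owner = [], "@"
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                 # blank line or $TTL directive
        toks = line.split()
        if not line[0].isspace():
            owner = toks.pop(0)                      # explicit owner, else inherit
        while toks and (toks[0] == "IN" or toks[0].isdigit()):
            toks.pop(0)                              # optional TTL and class
        records.append((absolute(owner, origin), toks[0], toks[1:]))
    return records

def lint_zone(text, origin="example.com."):
    """Return findings for mistakes BIND rejects or loads with a different meaning."""
    issues, types = [], {}
    for owner, rtype, rdata in parse_zone(text, origin):
        types.setdefault(owner, set()).add(rtype)
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata[0])
            except ValueError:
                issues.append(f"{owner} A: {rdata[0]!r} is not an IPv4 address")
        elif rtype in ("NS", "MX", "CNAME") and re.fullmatch(r"\d+(\.\d+){3}", rdata[-1]):
            issues.append(f"{owner} {rtype}: {rdata[-1]!r} is read as the name {absolute(rdata[-1], origin)}")
    for owner, seen in types.items():
        if "CNAME" in seen and len(seen) > 1:
            issues.append(f"{owner}: CNAME cannot share an owner with {sorted(seen - {'CNAME'})}")
    return issues

# Constructed sample in the notes' layout; the blank-owner MX line attaches to 'web'.
SAMPLE = """$TTL 86400
@   IN SOA station41.example.com. root.example.com. ( 221001 ; serial
        3H 15M 1W 1D )
    IN NS station41.example.com.
web IN CNAME @
    IN MX 10 192.168.0.44
*   IN A  www
"""
```

Running lint_zone(SAMPLE) reports three findings: the MX target read as 192.168.0.44.example.com., the wildcard A record with non-address data, and the CNAME/MX conflict on web.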
Notes:
Restart the service: /etc/init.d/named restart ; rndc reload; (restart the primary and the secondary at the same time)
Access permissions:
    match-clients      { localnets; };
    match-destinations { localnets; };
Change the serial value:
    $TTL 86400
    @           IN SOA   station41.example.com. root.example.com. (
                         2010042101  ; serial (d. adams)
                         3H          ; refresh
                         15M         ; retry
                         1W          ; expiry
                         1D )        ; minimum
CNAME:
    bbs         IN CNAME www
Wildcard record, matching every name not defined elsewhere:
    *           IN CNAME www                   ; A data must be an IP address, so an alias to www is written as a CNAME
SELinux:
Hide the DNS version:
vi named.conf, inside options:
    version "no version for you";
Check it with:
    dig version.bind chaos txt @station41.example.com
DNS updates: a client remotely managing the DNS records on the DNS host
named.conf on the DNS host:
    view localhost_resolver {
        // match-clients      { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        // include "/etc/named.rfc1912.zones";
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            allow-update { 192.168.0.4; };     // the client address allowed to send dynamic updates
            file "example.com.zone";
        };
    };
    chmod 775 /var/named/chroot/var/named      # named must be able to write the zone journal (.jnl) here
Client:
    nsupdate
    > server 192.168.0.41
    > update delete www.example.com
    > send
    > update add www.example.com 0 A 192.168.0.44
    > send
Using a key for updates:
vi named.conf:
    view localhost_resolver {
        // match-clients      { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            // allow-update { 192.168.0.4; };  // commented out: allow-update and update-policy cannot both be set
            update-policy { grant example.com. name www.example.com. A; };
            file "example.com.zone";
        };
    };
    include "/etc/example.com.key";
Creating and handling the key (example.com.key):
    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com.    # generates the key files Kexample.com.+157+00308.key and .private
    cp -p rndc.key example.com.key
    vi example.com.key:
    key "example.com." {
        algorithm hmac-md5;
        secret "H1Oqzvs7jtqsk5zJ/e9gEQ==";        // the Key: value from the generated .private file
    };
Copy the key to the remote host:
    scp Kexample.com.+157+00308.* 192.168.0.4:/home
Modify the DNS record from the remote host:
    nsupdate -k Kexample.com.+157+00308.private
    > server 192.168.0.41
    > update delete www.example.com
    > send
    host -l example.com
Authorisation of the client by the DNS host:
    update-policy { grant example.com. name www.example.com. A; };
This form lets the secondary machine only delete or add the www.example.com record;
    update-policy { grant example.com. subdomain example.com. ANY; };
This form lets the secondary machine change every record under the example.com domain (www, mail, bbs).
Using a key to synchronise the DNS database files on the secondary DNS:
Primary DNS:
    view localhost_resolver {
        // match-clients      { localhost; };
        // match-destinations { localhost; };
        recursion yes;
        // include "/etc/named.rfc1912.zones";
        include "/etc/named.wx.zones";
        zone "example.com" IN {
            type master;
            // allow-update { 192.168.0.4; };
            // update-policy { grant example.com. subdomain example.com. ANY; };
            allow-transfer { key example.com.; };   // only transfer requests signed with this key are answered
            also-notify { 192.168.0.4; };
            file "example.com.zone";
        };
    };
    include "/etc/example.com.key";
Creating and handling the key (example.com.key): as in the previous section (dnssec-keygen -a HMAC-MD5 -b 128 -n HOST example.com., cp -p rndc.key example.com.key, then edit the key "example.com." block with algorithm hmac-md5 and the secret).
Copy the key to the remote host:
    scp example.com.key 192.168.0.4:/var/named/chroot/etc/
On the remote host:
    cd /var/named/chroot/etc/
    chgrp named example.com.key                 # named must be able to read the key; keep it unreadable for other users
    vi named.conf:
    server 192.168.0.41 {
        keys { example.com.; };                 // sign every request to the primary with this key
    };
    include "/etc/example.com.key";
Note: if the files cannot be synchronised at this point, delete the *.jnl files under chroot/var/named/.
configtest checks the syntax.
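As an added example (not part of the notes), the following Python generates and checks a key file in the shape of example.com.key above: make_key() writes a fresh random secret with mode 0640 so that only the owner and the named group can read it, and check_key_file() reports a world-readable file, a relative key name, a secret whose length does not match the requested -b value, and the hmac-md5 algorithm (hmac-sha256 is preferred). The legacy file in demo() is a constructed copy of the key block from the notes; the file and directory names are assumptions.

```python
import base64
import binascii
import os
import re
import secrets
import stat
import tempfile

def key_statement(name, secret_b64, algorithm):
    """Render a key block in the same shape as example.com.key in the notes."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret_b64}";\n}};\n'
def make_key(path, name="example.com.", algorithm="hmac-sha256", bits=256):
    """Write a fresh random secret as a key file readable only by owner and group (0640)."""
    secret = base64.b64encode(secrets.token_bytes(bits // 8)).decode()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(key_statement(name, secret, algorithm))
    os.chmod(path, 0o640)                 # the umask can narrow 0o640 but never widen it
    return secret
def check_key_file(path, bits=256):
    """Return findings for a key file (empty list = sane); bits is the -b value used."""
    findings = []
    if stat.S_IMODE(os.stat(path).st_mode) & 0o007:
        findings.append("world-readable: any local user could sign updates or transfers")
    with open(path) as f:
        m = re.search(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+);\s*secret\s+"([^"]+)";\s*\};', f.read())
    if not m:
        return findings + ["no complete key statement found"]
    name, algorithm, secret = m.groups()
    if not name.endswith("."):
        findings.append("key name is relative; write it with a trailing dot")
    try:
        raw = base64.b64decode(secret, validate=True)
    except binascii.Error:
        return findings + ["secret is not valid base64"]
    if len(raw) * 8 != bits:
        findings.append(f"secret is {len(raw) * 8} bits but {bits} were requested")
    if algorithm == "hmac-md5":
        findings.append("hmac-md5 is no longer recommended for TSIG; regenerate with hmac-sha256")
    return findings
def demo(directory=None):
    """Check a freshly generated key and a constructed copy of the notes' hmac-md5 key."""
    directory = directory or tempfile.mkdtemp()
    fresh, legacy = os.path.join(directory, "fresh.key"), os.path.join(directory, "legacy.key")
    make_key(fresh)
    with open(legacy, "w") as f:          # same secret as in the notes, left world-readable (0644)
        f.write(key_statement("example.com.", "H1Oqzvs7jtqsk5zJ/e9gEQ==", "hmac-md5"))
    os.chmod(legacy, 0o644)
    return check_key_file(fresh), check_key_file(legacy, bits=128)
```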