环境
server1:bigpeng1 IP:172.25.1.101 GW:172.25.1.1 DNS:172.25.1.101
server2:bigpeng2 IP:172.25.1.102 GW:172.25.1.1 DNS:172.25.1.101
client:win10 IP:172.25.1.100 GW:172.25.1.1 DNS:172.25.1.101
主域名服务器(server1):特定DNS区域的服务器,具有唯一性。负责维护该区域所有域名映射IP记录
从域名服务器(server2):IP来源于主域名服务器
软件包:bind 服务名:named 端口:53
前提
网络配置完成、yum正常
安装软件bind.x86_64
[root@bigpeng1 ~]# yum install bind -y
[root@bigpeng1 ~]# rpm -qa | grep bind #查看安装是否成功
bind-license-9.9.4-50.el7.noarch
bind-libs-9.9.4-50.el7.x86_64
bind-libs-lite-9.9.4-50.el7.x86_64
bind-9.9.4-50.el7.x86_64
一、单台DNS配置
修改主DNS服务器配置文件
[root@bigpeng1 ~]# vim /etc/named.conf
listen-on port 53 { 172.25.1.101; }; #监听网卡及端口
directory "/var/named"; #DNS解析记录位置
dump-file "/var/named/data/cache_dump.db"; #缓存备份文件
statistics-file "/var/named/data/named_stats.txt"; #状态备份文件
memstatistics-file "/var/named/data/named_mem_stats.txt"; #内存状态备份
allow-query { any; }; #允许所有人访问
recursion yes; #递归查询,删除是迭代查询
#注意:allow-query { any; } 加上 recursion yes 会让这台服务器为任意来源做递归解析(开放解析器);生产环境应加 allow-recursion { 172.25.1.0/24; }; 只为内网客户端递归
zone "." IN { #根DNS配置
type hint; #服务器类型:根DNS
file "named.ca"; #根DNS信息保存位置/var/named/named.ca
};
#包含子配置,把下列文件加载到主配置文件中
include "/etc/named.rfc1912.zones"; #声明DNS区域文件
include "/etc/named.root.key"; #访问根DNS需要的秘钥
配置正反向区域文件
[root@bigpeng1 ~]# vim /etc/named.rfc1912.zones
#在文档末尾添加如下内容
zone "bigpeng.com" IN { #正向解析域名type master; #类型:主DNSfile "bg.com.zone"; #主机名与IP对应关系配置文件allow-update { none; }; #区域传送
};zone "1.25.172.in-addr.arpa" IN { #反向解析域名的IP地址type master;file "172.25.1.zone";allow-update { none; };
};
配置域名映射IP
[root@bigpeng1 ~]# cd /var/named/
[root@bigpeng1 named]# cp -p named.localhost bg.com.zone
[root@bigpeng1 named]# cp -p named.loopback 172.25.1.zone
域名→IP
[root@bigpeng1 named]# vim bg.com.zone
$TTL 1D #生存周期一天
@ IN SOA bigpeng.com. rname.invalid. (
0 ; serial #序列号
1D ; refresh #每隔一天检查序列号更新
1H ; retry #同步失败每隔一小时检查序列号更新
1W ; expire #辅DNS与主DNS断开连接一周后不响应客户端解析
3H ) ; minimum #最小生存周期(缓存最大生存时间)
NS ns1.bigpeng.com.
ns1 A 172.25.1.101
ns2 A 172.25.1.102
www A 172.25.1.103
# @代表域名,IN跳转指针,引出后面内容;SOA起始授权记录,引出后面参数;域名要在末尾加“.”
IP→域名
[root@bigpeng1 named]# vim 172.25.1.zone
$TTL 1D
@ IN SOA bigpeng.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.bigpeng.com.
101 PTR ns1.bigpeng.com.
102 PTR ns2.bigpeng.com.
103 PTR www.bigpeng.com.
语法检查
[root@bigpeng1 named]# named-checkconf /etc/named.conf
[root@bigpeng1 named]# named-checkzone bigpeng.com /var/named/bg.com.zone
zone bigpeng.com/IN: loaded serial 0
OK
[root@bigpeng1 named]# named-checkzone 1.25.172.in-addr.arpa /var/named/172.25.1.zone
zone 1.25.172.in-addr.arpa/IN: loaded serial 0
OK
打开53端口
[root@bigpeng1 named]# firewall-cmd --permanent --add-service=dns
success
[root@bigpeng1 named]# firewall-cmd --reload
success
开启服务
[root@bigpeng1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@bigpeng1 ~]# systemctl start named
使用client测试

(能正常完成解析)
二、dns主备
主服务器允许区域传送到从服务器上
[root@bigpeng1 named]# vim /etc/named.rfc1912.zones
zone "0.in-addr.arpa" IN {type master;file "named.empty";allow-update { 172.25.1.102; };
};zone "bigpeng.com" IN {type master;file "bg.com.zone";allow-update { 172.25.1.102; };
};


加载配置文件
[root@bigpeng1 named]# systemctl reload named
备份服务器配置
安装软件
[root@bigpeng2 ~]# yum install -y bind
修改配置文件
[root@bigpeng2 ~]# vim /etc/named.conf
options {
listen-on port 53 { 172.25.1.102; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
[root@bigpeng2 ~]# vim /etc/named.rfc1912.zones
zone "bigpeng.com" IN {type slave;file "slaves/bg.com.zone";masters { 172.25.1.101;};
};zone "1.25.172.in-addr.arpa" IN {type slave;file "slaves/172.25.1.zone";masters { 172.25.1.101;};
};
打开dns端口
[root@bigpeng2 ~]# firewall-cmd --permanent --add-service=dns
success
[root@bigpeng2 ~]# firewall-cmd --reload
success
启动dns服务
[root@bigpeng2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@bigpeng2 ~]# systemctl start named
主服务器会向从服务器传送区域配置文件
[root@bigpeng2 ~]# ls /var/named/slaves/
172.25.1.zone bg.com.zone
测试


三、dns缓存
主服务器增加ns记录


重载
[root@bigpeng1 named]# systemctl reload named
安装软件
[root@bigpeng3 ~]# yum install -y bind bind-devel bind-chroot
修改配置文件
[root@bigpeng3 ~]# vim /etc/named.conf
options {
listen-on port 53 { 172.25.1.103; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; }; #注意:缓存/转发服务器对任意来源应答等同于开放解析器,生产环境应限制为内网网段
forward only;
forwarders { 172.25.1.101;172.25.1.102; };
[root@bigpeng3 ~]# firewall-cmd --permanent --add-port=53/udp #这里只放行了 UDP;TCP 53 用于应答截断后的重试和区域传送,前两台用的 --add-service=dns 同时包含 tcp 和 udp
success
[root@bigpeng3 ~]# firewall-cmd --reload
success
[root@bigpeng3 ~]# systemctl start named
测试


实验环境中可将 DNSSEC 校验关闭即可(关闭后 named 不再校验上游应答的签名,生产环境应保留开启)
[root@bigpeng3 ~]# vim /etc/named.conf
35 // dnssec-enable yes;
36 // dnssec-validation yes;
37 dnssec-enable no;
38 dnssec-validation no;
[root@bigpeng3 ~]# systemctl reload named

四、dns转发
在主DNS服务器和辅助DNS服务器的配置文件中添加转发配置。(前提:虚拟机能够访问外网网站)
[root@bigpeng1 ~]# vim /etc/named.conf
forward first;
forwarders { 114.114.114.114; };
[root@bigpeng1 ~]# systemctl restart named
将主服务器的dns地址指向114.114.114.114
[root@bigpeng1 ~]# nmcli con show eth1 | grep DNS
IP4.DNS[1]: 114.114.114.114
主服务器上测试连通性
[root@bigpeng1 ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
64 bytes from 114.114.114.114: icmp_seq=1 ttl=128 time=59.1 ms
64 bytes from 114.114.114.114: icmp_seq=2 ttl=128 time=57.5 ms
^C
--- 114.114.114.114 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 57.522/58.314/59.107/0.828 ms
[root@bigpeng1 ~]# ping www.qq.com
PING ins-r23tsuuf.ias.tencent-cloud.net (112.53.42.114) 56(84) bytes of data.
64 bytes from 112.53.42.114 (112.53.42.114): icmp_seq=2 ttl=128 time=51.4 ms
64 bytes from 112.53.42.114 (112.53.42.114): icmp_seq=3 ttl=128 time=47.0 ms
64 bytes from 112.53.42.114 (112.53.42.114): icmp_seq=4 ttl=128 time=51.3 ms
^C
--- ins-r23tsuuf.ias.tencent-cloud.net ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3009ms
rtt min/avg/max/mdev = 47.011/49.919/51.444/2.073 ms
客户端dns指向172.25.1.103


五、dns视图
dns视图配置可以按客户端来源(match-clients)返回不同的解析结果,更好地控制客户端的查询结果,提高网络质量
[root@bigpeng1 named]# vim /etc/named.conf
12 options {
13 listen-on port 53 { 172.25.1.101;10.10.10.101; };
53 acl case1 { 172.25.1.0/24; };
54 acl case2 { 10.10.10.0/24; };
55 view "bg" {
56 match-clients {case1;};
57 zone "bigpeng.com" IN {
58 type master;
59 file "bg.com.zone";
60 allow-update { 172.25.1.102; };
61 };
62
63 zone "1.25.172.in-addr.arpa" IN {
64 type master;
65 file "172.25.1.zone";
66 allow-update { 172.25.1.102; };
67 };
68
69 zone "." IN { #将区域写在view或将其删除
70 type hint;
71 file "named.ca";
72 };
73 };
74
75 view "rr" {
76 match-clients {case2;};
77 zone "rr.com" IN {
78 type master;
79 file "rr.com.zone";
80 allow-update { 172.25.1.102; };
81 };
82
83 zone "10.10.10.in-addr.arpa" IN {
84 type master;
85 file "10.10.10.zone";
86 allow-update { 172.25.1.102; };
87 };
88 };
配置正反向区域文件
[root@bigpeng1 named]# tail bg.com.zone rr.com.zone
==> bg.com.zone <==
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.bigpeng.com.
NS ns2.bigpeng.com.
NS ns3.bigpeng.com.
ns1 A 172.25.1.101
ns2 A 172.25.1.102
ns3 A 172.25.1.103
www A 172.25.1.103
==> rr.com.zone <==
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.rr.com.
NS ns2.rr.com.
NS ns3.rr.com.
ns1 A 10.10.10.101
ns2 A 10.10.10.102
ns3 A 10.10.10.103
www A 10.10.10.103
[root@bigpeng1 named]# tail 172.25.1.zone 10.10.10.zone
==> 172.25.1.zone <==
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.bigpeng.com.
NS ns2.bigpeng.com.
NS ns3.bigpeng.com.
101 PTR ns1.bigpeng.com.
102 PTR ns2.bigpeng.com.
103 PTR ns3.bigpeng.com.
103 PTR www.bigpeng.com.
==> 10.10.10.zone <==
1H ; retry
1W ; expire
3H ) ; minimum
NS ns1.rr.com.
NS ns2.rr.com.
NS ns3.rr.com.
101 PTR ns1.rr.com.
102 PTR ns2.rr.com.
103 PTR ns3.rr.com.
103 PTR www.rr.com.
重启服务进行测试
[root@bigpeng1 named]# ip a | grep global
inet 172.25.1.101/24 brd 172.25.1.255 scope global ens33
inet 10.10.10.101/24 brd 10.10.10.255 scope global ens37
[root@bigpeng1 named]# nmcli con show eth1 | grep DNS
IP4.DNS[1]: 172.25.1.101
IP4.DNS[2]: 10.10.10.101
[root@bigpeng1 named]# netstat -antp | grep 53
tcp 0 0 10.10.10.101:53 0.0.0.0:* LISTEN 4039/named
tcp 0 0 172.25.1.101:53 0.0.0.0:* LISTEN 4039/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 4039/named
tcp6 0 0 ::1:53 :::* LISTEN 4039/named
tcp6 0 0 ::1:953 :::* LISTEN 4039/named
[root@bigpeng1 named]# dig @172.25.1.101 www.bigpeng.com +short
172.25.1.103
[root@bigpeng1 named]# dig @10.10.10.101 www.rr.com +short
10.10.10.103

















