Authoritative DNS: IPv4 forward and reverse zone configuration

Introduction

This chapter covers the following DNS topics:

- How DNS resolution works
- Domain name queries (nslookup/dig/host)
- Authoritative DNS server: BIND forward zone configuration
- Authoritative DNS server: BIND reverse zone configuration
- Caching DNS server: unbound cache configuration
- IPv6 forward/reverse zone configuration

Domain name queries (nslookup/dig/host)

The bind-utils package provides the following query tools:

- host: simple lookup tool. Usage: host <name or IP address> [DNS server address]
- nslookup: interactive lookup tool. Usage: nslookup <name or IP address> [DNS server address]
- dig: detailed query tool. Usage: dig @<DNS server address> <name> [-t <record type>]; for a reverse lookup use dig @<DNS server address> -x <IP address>, because a bare IP address given as the name is looked up literally as a hostname rather than as a PTR query.

Windows ships with an nslookup command whose usage is similar to the Linux one.

Command examples

[student@serverb ~]$ nslookup www.baidu.com 223.5.5.5
Server:         223.5.5.5
Address:        223.5.5.5#53

Non-authoritative answer:
Name:   www.baidu.com
Address: 14.215.177.38
www.baidu.com   canonical name = www.a.shifen.com.

[student@serverb ~]$ nslookup 114.114.114.114 223.5.5.5
114.114.114.114.in-addr.arpa    name = public1.114dns.com.

Authoritative answers can be found from:
114.114.114.in-addr.arpa        nameserver = ns100.114dns.net.
114.114.114.in-addr.arpa        nameserver = ns100.114dns.com.
ns100.114dns.com        internet address = 114.114.118.118
ns100.114dns.com        internet address = 60.215.138.254
ns100.114dns.net        internet address = 58.217.249.158
ns100.114dns.net        internet address = 114.114.119.119

[student@serverb ~]$ host www.baidu.com 223.5.5.5
Using domain server:
Name: 223.5.5.5
Address: 223.5.5.5#53
Aliases:

www.baidu.com has address 14.215.177.38
www.baidu.com is an alias for www.a.shifen.com.
www.baidu.com is an alias for www.a.shifen.com.

[student@serverb ~]$ host 223.5.5.5 114.114.114.114
Using domain server:
Name: 114.114.114.114
Address: 114.114.114.114#53
Aliases:

5.5.5.223.in-addr.arpa domain name pointer public1.alidns.com.

[student@serverb ~]$ dig www.baidu.com 223.5.5.5
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> www.baidu.com 223.5.5.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23558
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; MBZ: 0x0005, udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          5       IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       5       IN      A       14.215.177.38
www.a.shifen.com.       5       IN      A       14.215.177.39
...

Notes on the output above. 223.5.5.5 (AliDNS) and 114.114.114.114 are public recursive resolvers, so nslookup labels the answer "Non-authoritative" and the dig header shows the flags qr rd ra with no aa: the answer came from the resolver's cache, not from baidu.com's own servers. host prints the alias line twice because it queries A, AAAA and MX in turn and each later answer repeats the CNAME. A reverse query is really a query for the name built by reversing the IP's octets under in-addr.arpa (5.5.5.223.in-addr.arpa for 223.5.5.5), which is what both tools print. Finally, the dig command as typed lacks the @ prefix, so dig treats 223.5.5.5 as a second name to look up through the system resolver rather than as the server to ask; the intended form is dig @223.5.5.5 www.baidu.com.
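The helpers below are an added example, not part of the original page. They show what the reverse lookups above actually send on the wire (the in-addr.arpa name that host and nslookup build from the IP address, with octet validation so a typo is rejected instead of being queried) and how to pull the answer records and header flags out of dig's output. The function names ptr_name, dig_answers and dig_flag_set, and the SAMPLE_DIG text, constructed to mirror the dig output shown above, are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names and the sample
# dig output are this example's own (the sample mirrors the output above).

# Build the PTR query name for an IPv4 address: octets reversed + ".in-addr.arpa".
# This is exactly what "host 223.5.5.5" or "dig -x 223.5.5.5" looks up.
# Rejects anything that is not four decimal octets in 0-255 (exit status 1).
ptr_name() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        {
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
            print $4 "." $3 "." $2 "." $1 ".in-addr.arpa"
        }'
}

# Print the records of dig's ANSWER SECTION (read on stdin) as
# "owner ttl class type rdata", one per line, whitespace normalised.
dig_answers() {
    awk '
        /^;; ANSWER SECTION:/        { in_ans = 1; next }
        in_ans && (/^;;/ || /^$/)    { in_ans = 0 }
        in_ans                       { $1 = $1; print }
    '
}

# Exit 0 if the named header flag is set in dig's "flags:" line.
#   aa = answer is authoritative   ra = server offers recursion
#   rd = we asked for recursion    ad = DNSSEC-validated (authentic data)
# A public resolver answers "qr rd ra" with no "aa", which is why nslookup
# labels its answer "Non-authoritative".
dig_flag_set() {
    grep -q "^;; flags:.*[ :]$1[ ;]"
}

# Constructed sample, shaped like the dig run shown above (same records).
SAMPLE_DIG=$(cat <<'EOF'
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> @223.5.5.5 www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23558
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          5       IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       5       IN      A       14.215.177.38
www.a.shifen.com.       5       IN      A       14.215.177.39

;; Query time: 3 msec
EOF
)

# Demo. Against a live server you would pipe real output instead, e.g.
#   dig @223.5.5.5 www.baidu.com | dig_answers
#   dig @servera -x 172.25.250.13 | dig_answers
ptr_name 114.114.114.114
ptr_name 172.25.250.13
printf '%s\n' "$SAMPLE_DIG" | dig_answers
if printf '%s\n' "$SAMPLE_DIG" | dig_flag_set aa; then
    echo "authoritative answer"
else
    echo "non-authoritative answer (no aa flag; the server set ra)"
fi
```

dig_flag_set aa is the quick way to tell whether you are talking to the zone's own server or to a cache; when testing the lab server built later in this chapter, dig @servera serverb.lab.example.com should report aa.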

Authoritative DNS server: BIND forward zone configuration

BIND (Berkeley Internet Name Domain), the Berkeley Internet name server software.

- Package: bind
- Configuration file: named.conf
- Service name: named

[root@servera ~]# yum -y install bind
[root@servera ~]# man named.conf
[root@servera ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback

The main configuration file /etc/named.conf sets the global DNS parameters, which zones the server is responsible for (and which zone file each one uses), access control, and so on.

vim /etc/named.conf

options {
        listen-on port 53 { <this host's IPv4 listen address>; };
        listen-on-v6 port 53 { <this host's IPv6 listen address>; };
        directory "/var/named";             // default directory for zone files
        allow-query { <client network or IP address>; };
        recursion yes;                      // whether to offer recursive lookups
        dnssec-enable yes;                  // enable DNSSEC
        dnssec-validation yes;              // enable DNSSEC validation
};
zone "<zone name>" IN {
        type master;                        // zone type (master, hint, slave, forward)
        file "<zone file name or absolute path>";
};
include "<file>";                           // pull another file into the main configuration

Two of these options matter for security. An authoritative server should set recursion no, as the real configuration below does: with recursion yes and allow-query { any; } the server is an open resolver, which is what attackers use as a reflector in DNS amplification attacks. If the same host must also recurse for internal clients, list them in allow-recursion instead of opening recursion to every querier. dnssec-enable is accepted by the BIND 9.11 shipped with RHEL 8 but is obsolete in newer BIND releases, where dnssec-validation alone controls validation.

DNS server configuration file

[root@servera ~]# cat /etc/named.conf
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "lab.example.com" IN {
        type master;
        file "lab.example.com.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@servera ~]# named-checkconf          // checks that the configuration parses; prints nothing on success

Zone files live under /var/named/ and hold the actual resource records (name -> IP address).

[root@servera ~]# ls -l /var/named/
drwxrwx---. 2 named named   23 Jun  8 10:16 data
drwxrwx---. 2 named named   60 Jun  9 11:21 dynamic
-rw-r-----. 1 root  named  328 Jun  8 10:20 lab.example.com.zone
-rw-r-----. 1 root  named 2253 Apr  5  2018 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named    6 Aug 19  2019 slaves

TTL: Time To Live, how long a resolved record stays valid (how long caching resolvers keep it).
SOA: Start Of Authority, the record that opens the zone; it identifies the zone's primary server and administrative mailbox and carries the timers that secondary servers use for zone transfers.

Template file (the explanations after ; are annotations; note that in a zone file only ; introduces a comment, # does not)

[root@servera ~]# cat /var/named/named.localhost
$TTL 1D                                 ; lifetime of valid records (how long caching resolvers keep them)
@       IN SOA  @ rname.invalid. (
                                        0       ; serial   - serial number, compared during primary/secondary synchronization
                                        1D      ; refresh  - how often secondaries check for a newer serial
                                        1H      ; retry    - how long to wait after a failed refresh
                                        1W      ; expire   - when secondaries stop answering if the primary stays unreachable
                                        3H )    ; minimum  - negative-caching TTL (how long "no such record" answers are cached)
@       NS      <domain name of this zone's DNS server>.
        A       <IPv4 address>
        AAAA    <IPv6 address>

Create the zone file (its name must match the file given in the zone stanza in named.conf)

[root@servera ~]# cp -p /var/named/{named.localhost,lab.example.com.zone}

-p: preserve the source file's ownership and mode (root:named, 0640, as in the listing above), so the copy stays readable by the named user.

Zone file

[root@servera ~]# cat /var/named/lab.example.com.zone
$TTL 1D
@       IN SOA  @ admin.lab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
lab.example.com.        NS      servera
servera                 A       172.25.250.10
serverb                 A       172.25.250.11
serverc                 A       172.25.250.12
serverd                 A       172.25.250.13
workstation             A       172.25.250.9

Names without a trailing dot are relative to the zone origin, so "servera" here means servera.lab.example.com.; "@" stands for the origin itself.

Check the zone file syntax

[root@servera ~]# named-checkzone lab.example.com /var/named/lab.example.com.zone
zone lab.example.com/IN: loaded serial 0
OK

Make the service effective

[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success

Opening the firewall is not enough on its own: named must also be started, and enabled so it comes back after a reboot, before the test below can succeed:

[root@servera ~]# systemctl enable --now named

Test the servera service

[student@workstation ~]$ nslookup serverb.lab.example.com servera
Server:         servera
Address:        172.25.250.10#53

Name:   serverb.lab.example.com
Address: 172.25.250.11
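The audit function below is an added example, not code from the page or from BIND. It reads a named.conf, pulls recursion, allow-query and allow-recursion out of the options block, and reports whether the file describes an authoritative-only server (like the one above), a server that recurses only for listed clients, or an open resolver. The function names, the deliberately simple line-oriented parser (one option per line inside options { }, // and # comments stripped) and the three constructed sample configurations are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original page or from BIND. Function names and
# the sample configurations are this example's own. The parser is heuristic:
# one option per line inside "options { ... };", // and # comments ignored.

# Print the value of option $1 from the options block of config file $2,
# without the trailing ';' (e.g. "no" or "{ any; }"). Prints nothing if unset.
named_option() {
    sed -e 's#//.*##' -e 's/#.*//' "$2" | awk -v opt="$1" '
        /^[ \t]*options[ \t]*[{]/ { depth = 1; next }
        depth > 0 {
            opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
            if ($1 == opt) {
                sub(/^[ \t]*[^ \t]+[ \t]*/, "")
                sub(/;[ \t]*$/, "")
                print
            }
            depth += opens - closes
        }
    '
}

# Classify recursion posture. Returns 1 (printing "open-resolver") when any
# client on the internet can make this server recurse, the setting abused for
# DNS amplification. BIND defaults when options are omitted: recursion is yes;
# the clients allowed to recurse are allow-recursion if set, otherwise
# allow-query if set, otherwise localnets plus localhost.
named_recursion_posture() {
    cfg=$1
    rec=$(named_option recursion "$cfg")
    aq=$(named_option allow-query "$cfg")
    ar=$(named_option allow-recursion "$cfg")
    case $rec in
        yes|'') ;;
        *) echo authoritative-only; return 0 ;;
    esac
    case ${ar:-$aq} in
        *any*) echo open-resolver; return 1 ;;
    esac
    echo restricted-recursion
    return 0
}

# Three constructed configurations written to a temporary directory: the weak
# one, the page's authoritative-only one, and a hardened recursive one.
write_sample_configs() {
    dir=$(mktemp -d)
    cat >"$dir/weak.conf" <<'EOF'
options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query { any; };
        recursion yes;      // recursion for the whole internet: open resolver
};
zone "lab.example.com" IN { type master; file "lab.example.com.zone"; };
EOF
    cat >"$dir/authoritative.conf" <<'EOF'
options {
        listen-on port 53 { any; };
        directory "/var/named";
        allow-query { any; };
        recursion no;       // authoritative only, as in the named.conf above
};
zone "lab.example.com" IN { type master; file "lab.example.com.zone"; };
EOF
    cat >"$dir/restricted.conf" <<'EOF'
options {
        listen-on port 53 { 172.25.250.10; };
        directory "/var/named";
        allow-query { any; };
        allow-recursion { 172.25.250.0/24; localhost; };   # lab clients only
        recursion yes;
};
EOF
    echo "$dir"
}

# Demo over the three samples; real use is: named_recursion_posture /etc/named.conf
d=$(write_sample_configs)
for f in weak authoritative restricted; do
    printf '%-20s ' "$f.conf:"
    named_recursion_posture "$d/$f.conf" || true
done
rm -rf "$d"
```

The non-zero exit status makes the check usable as a gate in a deployment pipeline or a config-management test: a named.conf that turns an authoritative server into an open resolver fails before it reaches /etc/named.conf.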

Authoritative DNS server: BIND reverse zone configuration

For the network 172.25.250.0/24, the corresponding reverse zone is named 250.25.172.in-addr.arpa (the network octets in reverse order, followed by in-addr.arpa); a matching zone stanza must be added to the main configuration file.

Edit the main configuration file

[root@servera ~]# vim /etc/named.conf
.. ..                                   # earlier content unchanged
zone "250.25.172.in-addr.arpa" IN {     // note the reversed octet order in the reverse zone name
        type master;
        file "250.25.172.zone";         # the file name is your choice, but it must match the file created below
};

Create the zone file (same name as the file given in the zone stanza in named.conf)

Key points for reverse records: <host part of the IP address> PTR <fully qualified domain name>. The trailing dot on the name must not be omitted; without it BIND appends the zone origin and the record ends up pointing at, for example, serverd.lab.example.com.250.25.172.in-addr.arpa.

[root@servera ~]# cp -p /var/named/{named.localhost,250.25.172.zone}
[root@servera ~]# cat /var/named/250.25.172.zone
$TTL 1D
@       IN SOA  @ admin.lab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       NS      servera.lab.example.com.
10      PTR     servera.lab.example.com.
11      PTR     serverb.lab.example.com.
12      PTR     serverc.lab.example.com.
13      PTR     serverd.lab.example.com.
9       PTR     workstation.lab.example.com.

[root@servera ~]# named-checkzone 250.25.172.in-addr.arpa /var/named/250.25.172.zone
zone 250.25.172.in-addr.arpa/IN: loaded serial 0
OK

The first argument to named-checkzone is the zone origin, not the file name. With a wrong origin the check still reports OK, but the relative names in the file are interpreted under the wrong suffix, so the check proves less than it appears to.

Make the service effective

[root@servera ~]# systemctl restart named

Test

[root@serverb ~]# host 172.25.250.13 servera
Using domain server:
Name: servera
Address: 172.25.250.10#53
Aliases:

13.250.25.172.in-addr.arpa domain name pointer serverd.lab.example.com.
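Generating the forward zone and the reverse zone from one host table, as an added example that is not the page's own procedure or any BIND tool: the script below writes both zone files for the lab above, puts a trailing dot on every name that refers outside the zone, cross-checks that each A record in the /24 has a PTR pointing back to it (a PTR that lost its trailing dot fails the check), runs named-checkzone with the correct origin when the bind package is installed, and prints the two named.conf stanzas. The host table is constructed from the zone files above; HOSTS, ZONE, NET, NS, ADMIN, the YYYYMMDDnn serial convention and all function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Variables, function names and the
# host table (taken from the zone files above) are this example's own.

HOSTS='servera 172.25.250.10
serverb 172.25.250.11
serverc 172.25.250.12
serverd 172.25.250.13
workstation 172.25.250.9'

ZONE=lab.example.com
NET=172.25.250                 # the /24, first three octets
NS=servera                     # primary name server, one of the hosts above
ADMIN=admin                    # admin@lab.example.com -> admin.lab.example.com.
SERIAL=$(date +%Y%m%d01)       # YYYYMMDDnn convention; it must grow on every
                               # change or secondaries never transfer the new zone

# 172.25.250 -> 250.25.172.in-addr.arpa (exit 1 unless exactly three octets)
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. 'NF != 3 { exit 1 } { print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# SOA and NS shared by both zones. The NS name and the mailbox refer outside
# the reverse zone, so they carry a trailing dot and the origin is not appended.
zone_header() {
    cat <<EOF
\$TTL 1D
@   IN SOA  $NS.$ZONE. $ADMIN.$ZONE. (
            $SERIAL ; serial
            1D      ; refresh
            1H      ; retry
            1W      ; expire
            3H )    ; minimum
@   NS  $NS.$ZONE.
EOF
}

forward_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s A %s\n' "$name" "$ip"
    done
}

reverse_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | while read -r name ip; do
        [ -n "$name" ] || continue
        case $ip in
            "$NET".*) printf '%s PTR %s.%s.\n' "${ip##*.}" "$name" "$ZONE" ;;
            *) echo "skip $name: $ip is outside $NET.0/24" >&2 ;;
        esac
    done
}

# Cross-check: the set {host octet, FQDN.} derived from the forward A records in
# this /24 must equal the set of PTR records in the reverse zone. Catches a
# forgotten PTR, a stale one, and the classic missing trailing dot.
check_consistency() {
    fwd=$1; rev=$2
    want=$(awk -v z="$ZONE" -v net="$NET." '$2 == "A" && index($3, net) == 1 {
               n = split($3, o, "."); print o[n], $1 "." z "." }' "$fwd" | sort)
    have=$(awk '$2 == "PTR" { print $1, $3 }' "$rev" | sort)
    [ "$want" = "$have" ] && return 0
    printf 'forward/reverse mismatch\nexpected:\n%s\nfound:\n%s\n' "$want" "$have" >&2
    return 1
}

# Write both zone files into directory $1, verify them, and print the stanzas
# to paste into /etc/named.conf.
build_zones() {
    out=$1
    rz=$(reverse_zone_name "$NET") || return 1
    forward_zone >"$out/$ZONE.zone"
    reverse_zone >"$out/$rz.zone"
    check_consistency "$out/$ZONE.zone" "$out/$rz.zone" || return 1
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$out/$ZONE.zone" >/dev/null || return 1
        named-checkzone "$rz" "$out/$rz.zone" >/dev/null || return 1
    fi
    cat <<EOF
zone "$ZONE" IN { type master; file "$ZONE.zone"; };
zone "$rz" IN { type master; file "$rz.zone"; };
EOF
}

# Demo. In production the target directory is /var/named (files root:named 0640),
# followed by named-checkconf and "systemctl reload named".
tmp=$(mktemp -d)
build_zones "$tmp" && cat "$tmp/$ZONE.zone" "$tmp/$(reverse_zone_name "$NET").zone"
rm -rf "$tmp"
```

Keeping one host table as the source of truth is what prevents the forward and reverse zones from drifting apart; the consistency check is cheap enough to run on every change, and a serial that is bumped automatically removes the most common reason secondaries keep serving stale data.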