Building an enterprise DNS server
DNS server deployment
1. DNS terminology
dns: Domain Name Service (name resolution service)
# Client side # (172.25.254.201)
/etc/resolv.conf        ## resolver configuration: which DNS server the host sends queries to
nameserver 172.25.254.101
# Test:
host www.baidu.com      ## resolve a name
dig www.baidu.com       ## detailed resolution output (answer section, flags, status)
A record                ## maps a domain name to an IPv4 address (Address record)
SOA                     ## Start of Authority: the zone's primary name server and its administrative parameters
DNS hierarchy:
top level: the root zone ".", served by the 13 root server names (a to m .root-servers.net)
second level: .com .net .edu .org ...
then the delegated domain, e.g. baidu.com
# Server side # (172.25.254.101)
bind                    ## package
named                   ## service name
/etc/named.conf         ## main configuration file
/var/named              ## zone data directory
port                    ## 53 (UDP and TCP)
Common errors:
1. no servers could be reached      ## the server cannot be contacted: is named running? firewall? network? port 53 open?
2. the service fails to start       ## usually a syntax error in a configuration or zone file; inspect with journalctl -xe (named-checkconf and named-checkzone report the exact line)
3. dig query status:
| NOERROR  | ## query succeeded (an existing name with no record of the requested type also returns NOERROR, with an empty answer section) |
| REFUSED  | ## the server refused the query: client not in allow-query/allow-recursion, or no view's match-clients accepted it |
| SERVFAIL | ## the server could not complete the query (upstream unreachable, zone failed to load, DNSSEC validation failed); nothing is cached |
| NXDOMAIN | ## the queried name does not exist in the zone at all |
2. Installing and enabling the DNS service
# Install #
dnf install bind.x86_64 -y
# Enable #
systemctl enable --now named
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
vim /etc/named.conf
listen-on port 53 { any; };     ## listen on port 53 on every local interface (the default is 127.0.0.1 only)
allow-query { any; };           ## which clients may send queries (the default is localhost only)
dnssec-validation no;           ## do not validate DNSSEC, so answers from upstream are cached even when they cannot be validated; a lab shortcut, leave it at yes/auto on a production resolver
systemctl restart named
netstat -antlupe | grep named   ## confirm the listening port (ss -antlup | grep named where net-tools is not installed)
Note: allow-query { any; } on a server that also recurses for clients makes it an open resolver, which is abused for reflection/amplification attacks. Outside the lab restrict the ACL to the internal networks (and localhost), and run named-checkconf before each restart so a typo does not take the service down.
3. Caching DNS
Purpose: on a directly connected enterprise network, every host resolving names against the Internet on its own is slow. One internal host with Internet access is made the DNS server; it resolves (and caches) on behalf of the directly connected hosts, which point /etc/resolv.conf at it.
forwarders { 114.114.114.114; };        ## in the options block of /etc/named.conf: send queries this server cannot answer to the upstream resolver
With forwarders set, the server still falls back to the root servers if the forwarder does not answer; add forward only; to the options if that is not wanted. Because the server recurses for its clients, restrict allow-query (and allow-recursion) to the internal network rather than any.
4. Forward resolution (revert the caching configuration from the previous step before this experiment)
vim /etc/named.rfc1912.zones    (copy one of the existing zone clauses and edit the copy, so a mistake is easy to spot and roll back)
zone "westos.com" IN {                  ## the domain this server is authoritative for
        type master;                    ## this server is the primary DNS for the zone
        file "westos.com.zone";         ## zone data file (relative to /var/named)
        allow-update { none; };         ## hosts allowed to send dynamic updates: none
};
$TTL 1D                                 # TIME-TO-LIVE: how long resolvers may cache records from this zone
@       IN SOA  dns.westos.com. root.westos.com. (       # SOA, Start of Authority: primary server and responsible mailbox (root@westos.com)
                                        0       ; serial        # zone version; increase it on every edit, or secondaries will not re-transfer
                                        1D      ; refresh       # how often a secondary checks the primary for a newer serial
                                        1H      ; retry         # retry interval after a failed refresh
                                        1W      ; expire        # a secondary that cannot reach the primary for this long stops answering for the zone
                                        3H )    ; minimum       # negative-caching TTL: how long an NXDOMAIN answer may be cached
                NS      dns.westos.com.
dns             A       172.25.254.101
bbs             A       172.25.254.111
www             CNAME   lee1.westos.com.                ## canonical-name (alias) record
lee1            A       172.25.254.111                  ## forward records: two A records for one name are handed out round-robin
lee1            A       172.25.254.222
westos.com.     MX 1    dns.westos.com.                 ## mail exchanger: must name a host that has an A record, never an IP literal
Check the file before restarting: named-checkzone westos.com /var/named/westos.com.zone
Mail resolution via DNS
dnf install mailx postfix -y
systemctl start postfix
dig -t mx westos.com
5. Reverse resolution
vim /etc/named.rfc1912.zones    (note: again, copy an existing zone clause and edit the copy, so it is easy to troubleshoot)
zone "254.25.172.in-addr.arpa" IN {     ## reverse zone: the network octets of 172.25.254.0/24 in reverse order
        type master;
        file "172.25.254.ptr";
        allow-update { none; };
};
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.101
11      PTR     www.westos.com.         ## owner is the host octet: 11.254.25.172.in-addr.arpa = 172.25.254.11
12      PTR     bbs.westos.com.
13      PTR     news.westos.com.
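The forward and reverse zones above are hand-written, and BIND only checks their syntax. The following is an added example (not code from the page or from BIND) of the checks a practitioner would run on both files before loading them: a malformed A address, an MX whose target is an IP literal, an in-zone NS without an A record (glue), a CNAME with a missing target or with other records at the same name, and forward/reverse consistency (every PTR must name a host whose A record is that address, and must not name a CNAME). The sample zone text is constructed inline to mirror the westos.com and 254.25.172.in-addr.arpa files shown above, including the malformed "172.25.254..222" line and the MX that names an IP; the origin names and the `lint` output format are this example's own choices.

```python
import ipaddress
import re

# Constructed sample zones, mirroring the page's forward and reverse zone files
# (including the defects a careless edit leaves behind).
FORWARD_ORIGIN = "westos.com."
REVERSE_ORIGIN = "254.25.172.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  dns.westos.com. root.westos.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.101
bbs     A       172.25.254.111
www     CNAME   lee1.westos.com.
lee1    A       172.25.254.111
lee1    A       172.25.254..222
westos.com.  MX 1   172.25.254.101.
"""

REVERSE_ZONE = """\
$TTL 1D
@   IN SOA  dns.westos.com. root.westos.com. ( 0 1D 1H 1W 3H )
    NS  dns.westos.com.
dns A   172.25.254.101
11  PTR www.westos.com.
12  PTR bbs.westos.com.
13  PTR news.westos.com.
"""

TTL_RE = re.compile(r"\d+[smhdwSMHDW]?")


def absolute(name, origin):
    """Make an owner or target name absolute relative to the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse a BIND master file into (owner, type, rdata-fields) tuples.

    Covers the subset used here: $TTL, ';' comments, the multi-line SOA (its timers are
    dropped), blank owners that inherit the previous owner, and optional TTL/class fields.
    """
    body = re.sub(r";[^\n]*", "", text)         # strip comments
    body = re.sub(r"\([^)]*\)", "", body)       # drop the SOA's parenthesised timer block
    records, last_owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        owner = last_owner if line[0].isspace() else absolute(fields.pop(0), origin)
        last_owner = owner
        while fields and (fields[0] in ("IN", "CH") or TTL_RE.fullmatch(fields[0])):
            fields.pop(0)                       # optional TTL and class, in either order
        records.append((owner, fields[0], fields[1:]))
    return records


def is_ip_literal(name):
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def lint(forward_text, forward_origin, reverse_text, reverse_origin):
    """Return the list of problems found in a forward zone and its matching reverse zone."""
    fwd = parse_zone(forward_text, forward_origin)
    rev = parse_zone(reverse_text, reverse_origin)
    problems, a_records = [], {}                # a_records: name -> set of IPv4 strings
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            try:
                ip = str(ipaddress.IPv4Address(rdata[0]))
            except ValueError:
                problems.append(f"{owner}: malformed A record {rdata[0]!r}")
                continue
            a_records.setdefault(owner, set()).add(ip)
    names = {owner for owner, _, _ in fwd}
    cnames = {owner: rdata[0] for owner, rtype, rdata in fwd if rtype == "CNAME"}
    for owner, rtype, rdata in fwd:
        if rtype == "MX" and is_ip_literal(rdata[-1]):
            problems.append(f"{owner}: MX target {rdata[-1]} is an IP literal; MX must name a host that has an A record")
        elif rtype == "NS" and rdata[0].endswith(forward_origin) and rdata[0] not in a_records:
            problems.append(f"{owner}: NS {rdata[0]} is inside the zone but has no A record (missing glue)")
        elif rtype == "CNAME":
            if rdata[0].endswith(forward_origin) and rdata[0] not in names:
                problems.append(f"{owner}: CNAME target {rdata[0]} does not exist in the zone")
            if any(o == owner and t != "CNAME" for o, t, _ in fwd):
                problems.append(f"{owner}: CNAME cannot coexist with other records at the same name")
    # Forward/reverse consistency: a PTR must point back at a host whose A record is that address.
    for owner, rtype, rdata in rev:
        if rtype != "PTR":
            continue
        ip = ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))
        target = rdata[0]
        if target in cnames:
            problems.append(f"{ip}: PTR target {target} is a CNAME for {cnames[target]}; point the PTR at the canonical name")
        elif ip not in a_records.get(target, set()):
            problems.append(f"{ip}: reverse/forward mismatch, PTR {target} but {target} A records are {sorted(a_records.get(target, []))}")
    return problems


if __name__ == "__main__":
    for problem in lint(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN):
        print(problem)
```

Run against the constructed zones it reports five problems: the double-dot address, the MX naming an IP, the PTR for .11 pointing at the www alias instead of lee1, and the .12/.13 PTRs that no forward A record backs. Fixing the two forward-zone lines and leaving the reverse zone empty yields a clean run, which is the state to aim for before `named-checkzone` and a restart.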
Test:
systemctl restart named
dig -x 172.25.254.11
Note: the PTR records above cover .11, .12 and .13 only, so dig -x 172.25.254.111 (bbs's forward address) returns NXDOMAIN with this file; the reverse zone was not written to match the forward zone. Keep the two in sync on a real server.
6. Split-horizon (two-way) resolution
Lab environment:
Two clients, one on the 1.1.1.0/24 network and one on the 172.25.254.0/24 network
  ifconfig enp1s0 172.25.254.201 netmask 255.255.255.0     ## the 172.25.254 client
One server with an address on both networks: 1.1.1.101 and 172.25.254.101
  ifconfig enp1s0 172.25.254.101 netmask 255.255.255.0
On the client in the 1.1.1 network:
  vim /etc/resolv.conf
  nameserver 172.25.254.101
On the client in the 172.25.254 network:
  vim /etc/resolv.conf
  nameserver 172.25.254.101
(What decides which view answers is the source address the query arrives from, not which server address it was sent to, so the 1.1.1 client may equally point at 1.1.1.101.)
Configuration:
cd /var/named/
cp -p westos.com.zone westos.com.inter
vim westos.com.inter
$TTL 1D
@       IN SOA  westos.com. root.westos.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      dns.westos.com.
dns             A       1.1.1.101
bbs             A       1.1.1.111
www             CNAME   lee1.westos.com.
lee1            A       1.1.1.111
lee1            A       1.1.1.222
westos.com.     MX 1    dns.westos.com.         # mail exchanger (a host name, not an IP literal)
cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.inters
vim /etc/named.rfc1912.inters
zone "westos.com" IN {
        type master;
        file "westos.com.inter";
        allow-update { none; };
};
vim /etc/named.conf
The root hint zone and the include of named.rfc1912.zones are commented out at the top level, because once views are used every zone must live inside a view:
/*
zone "." IN {
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";
*/
view localnet {
        match-clients { 172.25.254.0/24; };     ## evaluated first: internal clients get the internal data
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
};
view internet {
        match-clients { any; };                 ## catch-all; must stay after localnet, views are tried in order and the first match wins
        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.inters";
};
include "/etc/named.root.key";
Test:
Resolve the same name from a host on each network:
the A records returned differ (172.25.254.x from the localnet view, 1.1.1.x from the internet view).
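View selection is where split-horizon setups usually go wrong: BIND tries views in the order they appear in named.conf and uses the first one whose match-clients accepts the client, so a catch-all `any` view placed first silently serves external data to everyone. The following is an added example (not BIND code) that models the two views above and the ACL rules that matter here: elements are tried in order, a leading `!` negates, `any` and `none` behave as named, and a client no view accepts gets REFUSED. The view names and answer data are taken from the page's configuration; the `STRICT` variant and the mis-ordered list are this example's own constructions. Named ACLs such as localhost or localnets and key-based matching are not modelled.

```python
import ipaddress

# Constructed model of the page's two views: (name, match-clients ACL, answers served by
# that view's copy of westos.com). Order is significant, exactly as in named.conf.
VIEWS = [
    ("localnet", ["172.25.254.0/24"],
     {"www.westos.com.": ["172.25.254.111", "172.25.254.222"]}),
    ("internet", ["any"],
     {"www.westos.com.": ["1.1.1.111", "1.1.1.222"]}),
]

# The ordering mistake: the catch-all view placed first shadows the internal view.
MISORDERED = list(reversed(VIEWS))

# Same views, but the internal view refuses one host through a negated ACL element.
STRICT = [("localnet", ["!172.25.254.201", "172.25.254.0/24"], VIEWS[0][2]), VIEWS[1]]


def acl_matches(acl, client):
    """BIND address-match-list semantics: elements are tried in order and the first hit
    decides; a leading '!' turns a hit into a rejection; 'any' matches everything and
    'none' matches nothing."""
    ip = ipaddress.ip_address(client)
    for element in acl:
        negated = element.startswith("!")
        value = element.lstrip("!")
        if value == "any":
            hit = True
        elif value == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(value, strict=False)
        if hit:
            return not negated
    return False


def select_view(views, client):
    """Views are evaluated in configuration order; the first view whose match-clients
    accepts the client answers, so a catch-all 'any' view has to come last."""
    for name, acl, _zones in views:
        if acl_matches(acl, client):
            return name
    return None                     # no view matched: named answers REFUSED


def resolve(views, client, qname):
    """Return (view, rcode, answers) as the split-horizon server would for this client."""
    view = select_view(views, client)
    if view is None:
        return (None, "REFUSED", [])
    zones = next(z for n, _, z in views if n == view)
    answers = zones.get(qname, [])
    return (view, "NOERROR" if answers else "NXDOMAIN", answers)


if __name__ == "__main__":
    for label, views in (("as configured", VIEWS), ("misordered", MISORDERED), ("strict", STRICT)):
        for client in ("172.25.254.201", "1.1.1.201"):
            print(label, client, resolve(views, client, "www.westos.com."))
```

The `MISORDERED` case is the one to remember: nothing fails, the internal client simply receives the public addresses. Putting the most specific match-clients first and `any` last, or replacing `any` with an explicit external prefix list, avoids it.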
7. DNS cluster (primary and secondary)
### Primary (master) DNS ###
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { none; };
        also-notify { 172.25.254.201; };        ## secondaries that receive a NOTIFY whenever the zone changes
};
BIND's default allow-transfer permits a full zone transfer (AXFR) from any client, which lets anyone enumerate the zone; restrict it on the primary to the secondary's address.
$TTL 1D
@       IN SOA  westos.com. root.westos.com. (
                                2020112201      ; serial        ## must be increased on every edit of this file; the secondary only transfers when the primary's serial is newer
                                        1D      ; refresh       ## how often the secondary checks for a newer serial
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      dns.westos.com.
dns             A       172.25.254.101
bbs             A       172.25.254.111
www             CNAME   lee1.westos.com.
lee1            A       172.25.254.111
lee1            A       172.25.254.222
westos.com.     MX 1    dns.westos.com.
### Secondary (slave) DNS ###
dnf install bind -y
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
vim /etc/resolv.conf
nameserver 172.25.254.201               ## point the secondary's own resolver at itself
vim /etc/named.conf
listen-on port 53 { any; };
allow-query     { any; };
dnssec-validation no;
Note: as before, copy an existing zone clause and edit the copy so it is easy to troubleshoot.
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type slave;                             ## this server is a secondary for the zone
        masters { 172.25.254.101; };            ## the primary to transfer from
        file "slaves/westos.com.zone";          ## the transferred copy; /var/named/slaves is the directory named is allowed to write to
};
Verify:
After restarting named on the secondary, the transferred copy appears as /var/named/slaves/westos.com.zone (ls /var/named/slaves/; journalctl -u named shows the zone transfer), and the secondary answers from it:
dig @172.25.254.201 www.westos.com
Then change a record on the primary, increase the serial, run rndc reload and confirm the secondary picks the change up. If the serial was not increased the secondary receives the NOTIFY but does not transfer.
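The serial comment above is the rule every primary/secondary setup lives by, and "newer" is not plain integer comparison: serials are 32-bit values compared with RFC 1982 serial arithmetic, which is what makes a wrapped serial still count as newer and what makes an accidentally huge serial (a typo such as 2021112201 for 2020112201) impossible to undo by simply typing the right number. The following is an added example (not BIND code) with the comparison the secondary performs, the YYYYMMDDnn bump convention used by the zone file above, and the recovery sequence for a serial that ran ahead; the function names and the YYYYMMDDnn examples are this example's own.

```python
from datetime import date

SERIAL_MODULUS = 2 ** 32
HALF = 2 ** 31


def serial_gt(a, b):
    """RFC 1982 serial-number arithmetic: True if a is 'newer' than b.
    Equal values, and values exactly 2^31 apart, are never newer."""
    a, b = a % SERIAL_MODULUS, b % SERIAL_MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_will_transfer(master_serial, slave_serial):
    """A secondary only pulls the zone (on NOTIFY or at refresh) when the primary's serial is newer."""
    return serial_gt(master_serial, slave_serial)


def next_serial(current, today):
    """Next serial in the YYYYMMDDnn convention used by the zone file above.

    today is a datetime.date or a 'YYYYMMDD' string. If the date-based value would not
    be newer (several edits on one day, or a serial already ahead of the date), just
    increment, which keeps secondaries transferring."""
    day = today if isinstance(today, str) else today.strftime("%Y%m%d")
    candidate = int(day + "00")
    if serial_gt(candidate, current):
        return candidate
    return (current + 1) % SERIAL_MODULUS


def recovery_steps(current, desired):
    """Serials to publish, in order, to move a zone from a serial that accidentally ran
    ahead back to a smaller desired value without secondaries ignoring it: each hop is
    less than 2^31 ahead of the previous one, and each must be transferred before the next."""
    steps, s = [], current
    while not serial_gt(desired, s):
        s = (s + HALF - 1) % SERIAL_MODULUS
        steps.append(s)
    steps.append(desired)
    return steps


if __name__ == "__main__":
    print(next_serial(2020112201, date(2020, 11, 23)))      # next day: 2020112300
    print(next_serial(2020112201, date(2020, 11, 22)))      # same day: 2020112202
    print(recovery_steps(2021112201, 2020112202))           # typo'd year: two publishes needed
```

Each serial returned by `recovery_steps` has to be loaded on the primary and transferred to every secondary before the next one is published; skipping a hop leaves the secondaries stuck on the old, larger serial.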
8. Dynamic DNS updates
Address-based updates:
On the DNS server:
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { 172.25.254.201; };       ## only this client may update the westos.com zone
        also-notify { 172.25.254.201; };
};
An address-based allow-update ACL is weak: an UPDATE fits in a single UDP packet, so anyone who can spoof 172.25.254.201's source address can add or delete records. Use it only in the lab and prefer the key-based method.
Test:
On 172.25.254.201:
[root@node2 ~]# nsupdate
> server 172.25.254.101
> update add hello.westos.com 86400 A 172.25.254.111      ## add an A record
> send
> update delete hello.westos.com                          ## delete the record
> send
Key-based (TSIG) updates:
[root@node1 mnt]# dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST westos
Kwestos.+163+11625
[root@node1 mnt]# ls
Kwestos.+163+11625.key  Kwestos.+163+11625.private
[root@node1 mnt]# cat Kwestos.+163+11625.key
westos. IN KEY 512 3 163 do5PjldBXK6WIohfhtIIZQ==
[root@node1 mnt]# cp -p /etc/rndc.key /etc/westos.key      ## copying keeps rndc.key's ownership and mode (root:named, 0640), so named can read the secret and other users cannot
[root@node1 mnt]# vim /etc/westos.key
key "westos" {
        algorithm hmac-sha256;
        secret "do5PjldBXK6WIohfhtIIZQ==";
};
Note: newer BIND releases no longer generate HMAC keys with dnssec-keygen; tsig-keygen -a hmac-sha256 westos prints this key clause directly.
Copy the generated key files to the test client (for an HMAC key the .key and .private files contain the same secret, so both are secrets):
[root@node1 mnt]# scp Kwestos.+163+11667.* root@172.25.254.201:/mnt
The authenticity of host '172.25.254.201 (172.25.254.201)' can't be established.
ECDSA key fingerprint is SHA256:Z7nIjVS0zBFK8xGDwjAegodMOk0lyUIF0+GBN13Mrv0.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.25.254.201' (ECDSA) to the list of known hosts.
root@172.25.254.201's password:
Kwestos.+163+11667.key          100%   50    70.8KB/s   00:00
Kwestos.+163+11667.private      100%  168   259.2KB/s   00:00
vim /etc/named.conf
include "/etc/westos.key";
vim /etc/named.rfc1912.zones
zone "westos.com" IN {
        type master;
        file "westos.com.zone";
        allow-update { key westos; };           ## only updates signed with this TSIG key are accepted
        also-notify { 172.25.254.201; };
};
systemctl restart named
Verify:
nsupdate -k /mnt/Kwestos.+163+26695.private     ## the .private file copied to the client
> server 172.25.254.101
> update add hello.westos.com 86400 A 192.168.0.111
> send
> quit
9. DDNS (DHCP + DNS)
DDNS (Dynamic Domain Name Service) is the technique by which name server content is updated automatically: a host's changing IP address is mapped to a fixed name. Each time the host joins the network, a client program passes its current address to the server program on the DNS host, which serves the zone and performs the dynamic update.
The host name is fixed, the IP address is not. A static A record for www is useless on a network where addresses come from DHCP, because every lease may hand out a different address. The DHCP server is the one component that knows which address it assigned, so at lease time it tells the DNS server to point the name at that address.
This experiment builds on the previous one (key-based updates).
Server host:
dnf install dhcp-server -y
cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf
vim /etc/dhcp/dhcpd.conf
systemctl restart dhcpd
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "westos.com";
option domain-name-servers 172.25.254.101;
default-lease-time 600;
max-lease-time 7200;
# Use this to enable / disable dynamic dns updates globally.
ddns-update-style interim;
# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;
# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;
# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.
# This is a very basic subnet declaration.
subnet 172.25.254.0 netmask 255.255.255.0 {
  range 172.25.254.46 172.25.254.50;
  option routers 172.25.254.101;
}
key westos {
        algorithm hmac-sha256;
        secret B/16D8XGtviAKrYPB9zanw==;        ## must be the same secret as in /etc/westos.key on the DNS server, otherwise named rejects dhcpd's updates
};
zone westos.com. {
        primary 172.25.254.101;                 ## the DNS server to send updates to
        key westos;                             ## sign them with the key above
}
Uncomment authoritative; if this is the only DHCP server for the network. The key and zone statements are documented in man 5 dhcpd.conf.
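Both nsupdate -k in the previous section and dhcpd's key/zone clauses above do the same thing on the wire: they append a TSIG record to the UPDATE, carrying an HMAC over the message plus the key name, algorithm, timestamp and fudge window, and named recomputes that HMAC with its copy of the secret. The following is an added example (not BIND, nsupdate or dhcpd code) that builds the page's `update add hello.westos.com 86400 A 192.168.0.111` message, signs it following the RFC 8945 layout, and verifies it as a server would. The correct secret is the one in /etc/westos.key above; the "wrong" secret is the one written into dhcpd.conf, which shows exactly what a mismatch between the two files produces. The message ID, timestamp and the BADTIME/BADSIG return strings are this example's own choices; the code does not talk to a real named.

```python
import base64
import hashlib
import hmac
import struct
import time

KEY_NAME = "westos."
ALGORITHM = "hmac-sha256."
NAMED_SECRET = "do5PjldBXK6WIohfhtIIZQ=="     # /etc/westos.key on the DNS server
DHCPD_SECRET = "B/16D8XGtviAKrYPB9zanw=="     # the secret dhcpd.conf carries: different, so its updates fail


def name_to_wire(name):
    """Domain name in uncompressed wire format, canonicalised to lowercase."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, name, ttl, ipv4, msg_id=0x1234):
    """Minimal DNS UPDATE (opcode 5): zone section naming the zone's SOA, one 'add A' RR."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)   # ZOCOUNT=1 PRCOUNT=0 UPCOUNT=1 ADCOUNT=0
    zone_section = name_to_wire(zone) + struct.pack("!HH", 6, 1)  # type SOA, class IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    update_section = name_to_wire(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + zone_section + update_section


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The TSIG RR fields covered by the MAC, in the order RFC 8945 lists them."""
    return (name_to_wire(key_name)
            + struct.pack("!HI", 255, 0)                # class ANY, TTL 0
            + name_to_wire(ALGORITHM)
            + time_signed.to_bytes(6, "big")            # 48-bit time signed
            + struct.pack("!HHH", fudge, error, len(other))
            + other)


def tsig_sign(message, key_name, secret_b64, time_signed, fudge=300):
    """MAC over the unsigned message followed by the TSIG variables (request: no prior MAC)."""
    key = base64.b64decode(secret_b64)
    data = message + tsig_variables(key_name, time_signed, fudge)
    return hmac.new(key, data, hashlib.sha256).digest()


def tsig_verify(message, key_name, secret_b64, time_signed, fudge, mac, now=None):
    """Server-side check: the time window first, then a constant-time MAC comparison.
    Returns the TSIG error named would report: NOERROR, BADTIME or BADSIG."""
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return "BADTIME"
    expected = tsig_sign(message, key_name, secret_b64, time_signed, fudge)
    return "NOERROR" if hmac.compare_digest(expected, mac) else "BADSIG"


def demo(now=1606100000):
    """Sign the page's update and verify it four ways: as sent, with dhcpd's mismatched
    secret, replayed an hour later, and with the address tampered in transit."""
    msg = build_update("westos.com.", "hello.westos.com.", 86400, "192.168.0.111")
    mac = tsig_sign(msg, KEY_NAME, NAMED_SECRET, now)
    tampered = msg[:-1] + b"\x70"               # last octet 111 -> 112, MAC unchanged
    return {
        "as_sent": tsig_verify(msg, KEY_NAME, NAMED_SECRET, now, 300, mac, now=now + 10),
        "dhcpd_secret": tsig_verify(msg, KEY_NAME, DHCPD_SECRET, now, 300, mac, now=now + 10),
        "replayed": tsig_verify(msg, KEY_NAME, NAMED_SECRET, now, 300, mac, now=now + 3600),
        "tampered": tsig_verify(tampered, KEY_NAME, NAMED_SECRET, now, 300, mac, now=now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

Two practical consequences follow from the code: the fudge window (nsupdate's default is 300 seconds) is why a DHCP or DNS server with a drifting clock suddenly logs BADTIME and stops accepting updates, and the secret is a shared symmetric key, so every host that can read the .private file or dhcpd.conf can rewrite the zone; keep those files 0640 and owned by the service account, as the cp -p from rndc.key above does.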
Reset the zone to only the name server record (the dynamic entries are added by dhcpd from now on):
vim /var/named/westos.com.zone
systemctl restart named
Note: a zone that accepts dynamic updates keeps a journal (westos.com.zone.jnl) next to the file; before hand-editing such a zone run rndc freeze westos.com, and rndc thaw westos.com afterwards, otherwise the journal and the file disagree and named refuses to load the zone.
$TTL 1D
@       IN SOA  westos.com. root.westos.com. (
                                2020112303      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.westos.com.
dns     A       172.25.254.101
Client test host:
Set the test host's network to DHCP and its host name to jjj.westos.com.
Restart the network:
nmcli connection reload
nmcli connection up enp1s0
Set the client host name:
hostnamectl set-hostname jjj.westos.com
nmcli connection reload
nmcli connection up enp1s0
Test:
dig jjj.westos.com
The name resolves to the address the client was leased.
To confirm the record follows the lease, run a second test: change the DHCP address pool so the client receives a different address.
Server:
vim /etc/dhcp/dhcpd.conf
systemctl restart dhcpd
Client:
hostnamectl set-hostname yyy.westos.com         ## set the client host name
nmcli connection reload                         ## restart the network
nmcli connection up enp1s0
dig yyy.westos.com
DDNS experiment summary:
(1) This experiment builds on the key-based update setup;
(2) For the DHCP service to take effect, stop any other DHCP server on the network;
(3) Always restart the service after editing a configuration file!
(4) Open the firewall on server and client for the services used (firewall-cmd --permanent --add-service=dns, --add-service=dhcp) rather than turning it off;
(5) SELinux is disabled on both sides in this lab. What actually gets in the way is that dynamic updates make named write a journal next to the zone file under /var/named, which the default policy forbids; keeping SELinux enforcing and allowing that write (setsebool -P named_write_master_zones on) is the better fix.