
1. Briefly describe how a DNS server works, and set up a master/slave server pair.
How a DNS server works
DNS (Domain Name Service) is an application-layer protocol with a client/server architecture. It works on TCP and UDP port 53 by default. The server software BIND was developed at the University of California, Berkeley. Its main job is to resolve Internet domain names into the corresponding IP addresses, so that remote hosts can be reached by name.

Take visiting www.baidu.com as an example of the DNS workflow. First, the browser wants to reach www.baidu.com, so it looks in the local /etc/hosts file for a www.baidu.com entry. If there is one, it uses that IP to connect. If not, it asks the DNS server configured on our host (for example the DNS server of our residential network, or one run by a network operator). If that DNS server can find the corresponding IP, it returns it to the browser, and the browser connects to that IP. If the configured DNS server has no record for the name, it asks a root server: "Root, I want to reach the host www.baidu.com, do you have its IP?" The root checks its database and tells the querying DNS server: "I don't have it, but com is my subdomain and I have the address of the com zone, go ask com." Our DNS server then takes the com address given by the root and asks com: "com, I want to reach www.baidu.com, do you have its IP?" com checks its database and says: "I don't have it, but baidu is my subdomain; here is the address of the baidu zone, go ask it." Our DNS server takes the baidu.com address given by com and asks baidu.com: "I want to reach www.baidu.com, do you have its IP?" baidu.com sees that www.baidu.com is a host in its own zone and immediately replies: "I have the address of www.baidu.com", and hands the IP to our DNS server. Our DNS server caches the IP it finally obtained and returns it to the browser, which connects to it directly; once the browser has the IP it can reach the web service behind www.baidu.com.

That is roughly how DNS works. In short, when we want to reach a host by name rather than by IP, we first look in /etc/hosts for a matching IP. If it is there, we use it; if not, we ask our configured DNS server. If that server does not have the answer, it asks the root and then each subdomain in turn on our behalf. If the answer is still not found after the full round, our DNS server tells us that the address we want does not exist; if it is found, it returns it to us.
Setting up an authoritative master DNS server
1) Install the BIND package
[root@test ~]#yum install -y bind
已加載插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
base | 3.6 kB 00:00:00
dockerrepo | 2.9 kB 00:00:00
epel | 5.4 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
正在解決依賴關系
--> 正在檢查事務
---> 軟體包 bind.x86_64.32.9.11.4-9.P2.el7 将被 安裝
--> 正在處理依賴關系 bind-libs-lite(x86-64) = 32:9.11.4-9.P2.el7,它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 bind-libs(x86-64) = 32:9.11.4-9.P2.el7,它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 liblwres.so.160()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 libisccfg.so.160()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 libisccc.so.160()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 libisc.so.169()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 libdns.so.1102()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在處理依賴關系 libbind9.so.160()(64bit),它被軟體包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在檢查事務
---> 軟體包 bind-libs.x86_64.32.9.11.4-9.P2.el7 将被 安裝
--> 正在處理依賴關系 bind-license = 32:9.11.4-9.P2.el7,它被軟體包 32:bind-libs-9.11.4-9.P2.el7.x86_64 需要
---> 軟體包 bind-libs-lite.x86_64.32.9.9.4-74.el7_6.2 将被 更新
--> 正在處理依賴關系 libdns-export.so.100()(64bit),它被軟體包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
--> 正在處理依賴關系 libisc-export.so.95()(64bit),它被軟體包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
---> 軟體包 bind-libs-lite.x86_64.32.9.11.4-9.P2.el7 将被 更新
--> 正在檢查事務
---> 軟體包 bind-license.noarch.32.9.9.4-74.el7_6.2 将被 更新
---> 軟體包 bind-license.noarch.32.9.11.4-9.P2.el7 将被 更新
---> 軟體包 dhclient.x86_64.12.4.2.5-68.el7.centos.1 将被 更新
---> 軟體包 dhclient.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 正在處理依賴關系 dhcp-libs(x86-64) = 12:4.2.5-77.el7.centos,它被軟體包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在處理依賴關系 dhcp-common = 12:4.2.5-77.el7.centos,它被軟體包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在處理依賴關系 libisc-export.so.169()(64bit),它被軟體包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在處理依賴關系 libdns-export.so.1102()(64bit),它被軟體包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在檢查事務
---> 軟體包 bind-export-libs.x86_64.32.9.11.4-9.P2.el7 将被 安裝
---> 軟體包 dhcp-common.x86_64.12.4.2.5-68.el7.centos.1 将被 更新
---> 軟體包 dhcp-common.x86_64.12.4.2.5-77.el7.centos 将被 更新
---> 軟體包 dhcp-libs.x86_64.12.4.2.5-68.el7.centos.1 将被 更新
---> 軟體包 dhcp-libs.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 解決依賴關系完成
依賴關系解決
============================================================================================================================================
Package 架構 版本 源 大小
============================================================================================================================================
正在安裝:
bind x86_64 32:9.11.4-9.P2.el7 base 2.3 M
為依賴而安裝:
bind-export-libs x86_64 32:9.11.4-9.P2.el7 base 1.1 M
bind-libs x86_64 32:9.11.4-9.P2.el7 base 154 k
為依賴而更新:
bind-libs-lite x86_64 32:9.11.4-9.P2.el7 base 1.1 M
bind-license noarch 32:9.11.4-9.P2.el7 base 88 k
dhclient x86_64 12:4.2.5-77.el7.centos base 285 k
dhcp-common x86_64 12:4.2.5-77.el7.centos base 176 k
dhcp-libs x86_64 12:4.2.5-77.el7.centos base 133 k
事務概要
============================================================================================================================================
安裝 1 軟體包 (+2 依賴軟體包)
更新 ( 5 依賴軟體包)
總下載下傳量:5.3 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/8): bind-export-libs-9.11.4-9.P2.el7.x86_64.rpm | 1.1 MB 00:00:00
(2/8): bind-libs-9.11.4-9.P2.el7.x86_64.rpm | 154 kB 00:00:00
(3/8): bind-9.11.4-9.P2.el7.x86_64.rpm | 2.3 MB 00:00:00
(4/8): bind-libs-lite-9.11.4-9.P2.el7.x86_64.rpm | 1.1 MB 00:00:00
(5/8): dhclient-4.2.5-77.el7.centos.x86_64.rpm | 285 kB 00:00:00
(6/8): bind-license-9.11.4-9.P2.el7.noarch.rpm | 88 kB 00:00:00
(7/8): dhcp-common-4.2.5-77.el7.centos.x86_64.rpm | 176 kB 00:00:00
(8/8): dhcp-libs-4.2.5-77.el7.centos.x86_64.rpm | 133 kB 00:00:00
--------------------------------------------------------------------------------------------------------------------------------------------
總計 3.9 MB/s | 5.3 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
正在更新 : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64 1/13
正在更新 : 32:bind-license-9.11.4-9.P2.el7.noarch 2/13
正在更新 : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64 3/13
正在安裝 : 32:bind-libs-9.11.4-9.P2.el7.x86_64 4/13
正在更新 : 12:dhcp-common-4.2.5-77.el7.centos.x86_64 5/13
正在安裝 : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64 6/13
正在更新 : 12:dhclient-4.2.5-77.el7.centos.x86_64 7/13
正在安裝 : 32:bind-9.11.4-9.P2.el7.x86_64 8/13
清理 : 12:dhclient-4.2.5-68.el7.centos.1.x86_64 9/13
清理 : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64 10/13
清理 : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64 11/13
清理 : 32:bind-license-9.9.4-74.el7_6.2.noarch 12/13
清理 : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64 13/13
驗證中 : 12:dhcp-common-4.2.5-77.el7.centos.x86_64 1/13
驗證中 : 32:bind-license-9.11.4-9.P2.el7.noarch 2/13
驗證中 : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64 3/13
驗證中 : 32:bind-libs-9.11.4-9.P2.el7.x86_64 4/13
驗證中 : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64 5/13
驗證中 : 32:bind-9.11.4-9.P2.el7.x86_64 6/13
驗證中 : 12:dhclient-4.2.5-77.el7.centos.x86_64 7/13
驗證中 : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64 8/13
驗證中 : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64 9/13
驗證中 : 12:dhclient-4.2.5-68.el7.centos.1.x86_64 10/13
驗證中 : 32:bind-license-9.9.4-74.el7_6.2.noarch 11/13
驗證中 : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64 12/13
驗證中 : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64 13/13
已安裝:
bind.x86_64 32:9.11.4-9.P2.el7
作為依賴被安裝:
bind-export-libs.x86_64 32:9.11.4-9.P2.el7 bind-libs.x86_64 32:9.11.4-9.P2.el7
作為依賴被更新:
bind-libs-lite.x86_64 32:9.11.4-9.P2.el7 bind-license.noarch 32:9.11.4-9.P2.el7 dhclient.x86_64 12:4.2.5-77.el7.centos
dhcp-common.x86_64 12:4.2.5-77.el7.centos dhcp-libs.x86_64 12:4.2.5-77.el7.centos
完畢!
[root@test ~]#
2) List the locations of all files in the bind package
[root@test ~]#rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
...... part of the output omitted
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@test ~]#
Note: From the listing above we can see that bind's main configuration file is /etc/named.conf.
3) Edit the configuration file: change listen-on port 53 { 127.0.0.1; }; to listen-on port 53 { localhost; }; and change allow-query { localhost; }; to allow-query { any; };
[root@test ~]#grep -v "^\//" /etc/named.conf
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@test ~]#
Note: Alternatively, comment out the two lines listen-on port 53 { 127.0.0.1; }; and allow-query { localhost; };. Comments in this configuration file work as in C: a line is commented out with "//".
4) Add the zone configuration. Of the two include directives at the end of the configuration file above, include "/etc/named.rfc1912.zones"; is the file where the zone definitions go.
[root@test ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" IN {
> type master;
> file "test.com.zone";
>
> };
> EOF
[root@test ~]#tail -5 /etc/named.rfc1912.zones
zone "test.com" IN {
type master;
file "test.com.zone";
};
[root@test ~]#
Note: The configuration above defines a zone test.com of type master, with the zone database file named "test.com.zone". Be aware that this file name is relative to the /var/named directory, i.e. zone database files must be placed under /var/named. This working directory is set by the directory option in the main configuration file and can be changed there.
5) Create the zone database file
[root@test ~]#cat /var/named/test.com.zone
$TTL 1D
@ IN SOA dns1 admin ( 0 1D 1H 1W 3H );
NS dns1
dns1 A 192.168.0.99
www A 1.1.1.1
blog A 2.2.2.2
[root@test ~]#
Note: The format of a zone database file is name [TTL] IN rr_type value. The TTL may be inherited from the global $TTL, and @ refers to the name of the current zone. One name may be given several different values through multiple records; the DNS server then answers in round-robin order. One value may also be defined under several different names, which simply means the same host can be reached by more than one name. For the SOA record:
name: the name of the current zone, e.g. "test.com";
value: consists of several parts: 1. the FQDN of the zone's primary DNS server (the zone name itself may also be used); 2. the zone administrator's mailbox, in which the @ sign cannot be used and is generally replaced by a dot, e.g. admin.test.com.; 3. the master/slave zone-transfer parameters and the uniform TTL for negative answers: the first number is the serial number, the second the refresh interval, the third the retry interval after a failed master/slave synchronization, the fourth how long after synchronization keeps failing the slave's copy of the data expires, and the fifth the TTL for caching negative answers.
Also note that a name not ending in a dot has the current zone's name appended by default.
6) Check that the main configuration file and the zone database file are correct, then start the service
[root@test ~]#named-checkconf
[root@test ~]#named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 0
OK
[root@test ~]#systemctl start named
[root@test ~]#
7) Test
[root@test ~]#dig www.test.com @192.168.0.99
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14227
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:46 CST 2019
;; MSG SIZE rcvd: 92
[root@test ~]#dig blog.test.com @192.168.0.99
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62941
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com. IN A
;; ANSWER SECTION:
blog.test.com. 86400 IN A 2.2.2.2
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:57 CST 2019
;; MSG SIZE rcvd: 93
[root@test ~]#
Note: The dig tool comes from the bind-utils package, which mainly provides test tools such as host, dig and nslookup. From the test output above, the forward master DNS service has been set up successfully.
8) Add the reverse zone configuration to /etc/named.rfc1912.zones
[root@test ~]#tail -4 /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.zone";
};
[root@test ~]#
Note: A reverse DNS zone name must be the IP address written in reverse, and it must end in .in-addr.arpa. The file name inside the zone block can be anything, but this file must also be placed under /var/named, the same directory as the forward zone data file.
9) Create the reverse zone database file
[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H );
NS dns1
dns1 A 192.168.0.99
99 PTR dns1.test.com.
100 PTR www.test.com.
101 PTR blog.test.com.
[root@test ~]#
Note: The reverse zone database file has the same format as the forward zone database file; reverse records must be of type PTR, and everything else is similar to the forward zone file. One more point to note: the domain name after PTR must end with a dot, otherwise the current zone's name is appended to it by default. The same rule applies to the NS and A records written as dns1 here, which is why the dig output below reports them as dns1.0.168.192.in-addr.arpa.
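Added example (not code from the original post or from BIND): a Python parser that applies the zone-file rules from the two notes above to both the forward and the reverse zone ($TTL inheritance, @ as origin, origin appended to names without a trailing dot, the five SOA timers, PTR targets needing a trailing dot), plus the RFC 1982 serial comparison a slave uses, since a slave that already holds a zone only re-transfers it when the serial increases. The zone texts are constructed from the files shown above, with one deliberately missing dot.

```python
"""Parser and sanity checks for zone files in the format used above.

Added example, not code from the original post or from BIND. It applies the
rules the notes describe ($TTL default, '@' as origin, origin appended to any
name without a trailing dot, the five SOA timers, PTR targets needing a dot)
and the RFC 1982 serial comparison a slave uses before transferring a zone.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Constructed from the forward and reverse zone files shown above.
FORWARD_ZONE = """$TTL 1D
@ IN SOA dns1 admin ( 0 1D 1H 1W 3H );
    NS dns1
dns1 A 192.168.0.99
www A 1.1.1.1
blog A 2.2.2.2
"""

REVERSE_ZONE = """$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H );
    NS dns1
dns1 A 192.168.0.99
99 PTR dns1.test.com.
100 PTR www.test.com.
101 PTR blog.test.com.
"""

# Constructed mistake: the last PTR target is written without its trailing dot.
BAD_REVERSE_ZONE = REVERSE_ZONE.replace("blog.test.com.", "blog.test.com")


def parse_ttl(text):
    """'1D' -> 86400, '10M' -> 600, '30' -> 30 (bare numbers are seconds)."""
    return sum(int(n) * UNITS.get(u.lower(), 1)
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", text))


def qualify(name, origin):
    """'@' means the origin; a name without a trailing dot gets the origin
    appended, exactly as named does when it loads the file."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return {'ttl', 'soa', 'records', 'warnings'}; records are
    (owner, ttl, type, rdata) tuples with fully qualified names."""
    if not origin.endswith("."):
        origin += "."
    # Drop ';' comments, then flatten parenthesised (possibly multi-line) SOA data.
    body = "\n".join(line.split(";", 1)[0].rstrip() for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: m.group(1).replace("\n", " "), body)
    zone = {"ttl": None, "soa": None, "records": [], "warnings": []}
    owner = origin
    for line in body.splitlines():
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            zone["ttl"] = parse_ttl(line.split()[1])
            continue
        fields = line.split()
        if not line[0].isspace():            # a leading blank keeps the previous owner
            owner = qualify(fields.pop(0), origin)
        ttl = zone["ttl"]
        if re.fullmatch(r"\d+[smhdwSMHDW]?", fields[0]):
            ttl = parse_ttl(fields.pop(0))   # explicit per-record TTL
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata[:7]
            zone["soa"] = {"mname": qualify(mname, origin), "rname": qualify(rname, origin),
                           "serial": int(serial), "refresh": parse_ttl(refresh),
                           "retry": parse_ttl(retry), "expire": parse_ttl(expire),
                           "minimum": parse_ttl(minimum)}
            continue
        value = rdata[0]
        if rtype in ("NS", "PTR", "CNAME"):
            if rtype == "PTR" and not value.endswith("."):
                zone["warnings"].append(f"{owner} PTR {value}: no trailing dot, "
                                        f"named reads it as {qualify(value, origin)}")
            value = qualify(value, origin)
        zone["records"].append((owner, ttl, rtype, value))
    return zone


def serial_increased(old, new):
    """RFC 1982 serial arithmetic: 'new' is later than 'old' when it is ahead by
    1..2^31-1 modulo 2^32. Equal serials mean a slave has nothing to transfer."""
    return 0 < (new - old) % 2**32 < 2**31


if __name__ == "__main__":
    rev = parse_zone(BAD_REVERSE_ZONE, "0.168.192.in-addr.arpa")
    print("SOA:", parse_zone(FORWARD_ZONE, "test.com")["soa"])
    print("warnings:", rev["warnings"])
    # Editing records while leaving the serial at 0 changes nothing for a slave.
    print("serial 0 -> 0 triggers a transfer?", serial_increased(0, 0))
```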
10) Check the zone file and reload the configuration so that the reverse zone database file takes effect
[root@test ~]#named-checkzone 192.168.0.zone /var/named/192.168.0.zone
zone 192.168.0.zone/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#
11) Test reverse resolution
[root@test ~]#dig -x 192.168.0.99 @192.168.0.99
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.99 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN PTR dns1.test.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS dns1.0.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:39 CST 2019
;; MSG SIZE rcvd: 116
[root@test ~]#dig -x 192.168.0.100 @192.168.0.99
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.100 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23462
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.0.168.192.in-addr.arpa. 86400 IN PTR www.test.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS dns1.0.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:50 CST 2019
;; MSG SIZE rcvd: 116
[root@test ~]#dig -x 192.168.0.101 @192.168.0.99
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.101 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17401
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;101.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
101.0.168.192.in-addr.arpa. 86400 IN PTR blog.test.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS dns1.0.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:58 CST 2019
;; MSG SIZE rcvd: 117
[root@test ~]#
Note: We can see that the host names for 192.168.0.99, .100 and .101 were each resolved. Do not confuse this with the data in the forward zone database: reverse resolution can map different IPs to the same name, and it has no inherent link to forward resolution. They are effectively two separate zones that do not interfere with each other.
The master DNS server is now set up. Next, we implement the slave DNS server.
1) Building on the experiment above, add allow-transfer { 192.168.0.151; }; to the configuration file on the master, and add NS and A records for the slave to its zone database files
[root@test ~]#grep "transfer" /etc/named.conf
allow-transfer { 192.168.0.151; };
[root@test ~]#cat /var/named/test.com.zone
$TTL 1D
@ IN SOA dns1 admin ( 0 1D 1H 1W 3H );
NS dns1
NS dns2
dns1 A 192.168.0.99
dns2 A 192.168.0.151
www A 1.1.1.1
blog A 2.2.2.2
[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H );
NS dns1
NS dns2
dns1 A 192.168.0.99
dns2 A 192.168.0.151
99 PTR dns1.test.com.
100 PTR www.test.com.
101 PTR blog.test.com.
[root@test ~]#
2) Install the bind package on the slave, set allow-transfer { none; }; in its configuration file, and comment out listen-on port 53 { 127.0.0.1; }; and allow-query { localhost; };
[root@test-node1 ~]#yum install -y bind
[root@test-node1 ~]#cat /etc/named.conf
...... part of the output omitted
options {
// listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// allow-query { localhost; };
allow-transfer { none; };
recursion yes;
...... part of the output omitted
3) Configure the zone information in /etc/named.rfc1912.zones
[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" {
> type slave;
> masters {192.168.0.99;};
> file "slaves/test.com.zone";
> };
> EOF
[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "0.168.192.in-addr.arpa" {
> type slave;
> masters { 192.168.0.99; };
> file "slaves/192.168.0.zone";
> };
> EOF
[root@test-node1 ~]#
[root@test-node1 ~]#tail /etc/named.rfc1912.zones
zone "test.com" {
type slave;
masters {192.168.0.99;};
file "slaves/test.com.zone";
};
zone "0.168.192.in-addr.arpa" {
type slave;
masters { 192.168.0.99; };
file "slaves/192.168.0.zone";
};
[root@test-node1 ~]#
Note: On the slave we must give the zone name, set the type to slave, and name the masters. The file that follows is where the synchronized zone data is stored; the named account must have write permission on that location, otherwise synchronization cannot complete.
4) Check the configuration file on the slave and start the service
[root@test-node1 ~]#ll /var/named/slaves/
total 0
[root@test-node1 ~]#named-checkconf
[root@test-node1 ~]#/etc/init.d/named start
Generating /etc/rndc.key: [ OK ]
Starting named: [ OK ]
[root@test-node1 ~]#ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 449 Dec 30 00:35 192.168.0.zone
-rw-r--r-- 1 named named 336 Dec 30 00:35 test.com.zone
[root@test-node1 ~]#
Note: After starting the service, the zone database files we need have been synchronized into /var/named/slaves/. Next we test: on another host, set DNS1 to the master DNS server's address and DNS2 to the slave DNS server's address, then check whether the slave still answers when the master is down.
5) Test
[root@ansible_centos6 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.0.99
nameserver 192.168.0.151
[root@ansible_centos6 ~]# dig www.test.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22293
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 4 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:46:46 2019
;; MSG SIZE rcvd: 81
[root@ansible_centos6 ~]# dig -x 192.168.0.99
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN PTR dns1.test.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS dns1.0.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN A 192.168.0.99
;; Query time: 3 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:47:00 2019
;; MSG SIZE rcvd: 105
[root@ansible_centos6 ~]#
Note: This is the test with the master DNS alive; resolution works normally.
When the master DNS is down
[root@ansible_centos6 ~]# dig www.test.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21730
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:43 2019
;; MSG SIZE rcvd: 81
[root@ansible_centos6 ~]# dig -x 192.168.0.99
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN PTR dns1.test.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400 IN NS dns1.0.168.192.in-addr.arpa.
;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN A 192.168.0.99
;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:55 2019
;; MSG SIZE rcvd: 105
[root@ansible_centos6 ~]#
Note: We can see that with the master DNS server down, the slave server can still provide the service, and the answers it returns are identical to the master's.
2. Set up and implement intelligent DNS (per-client views).
1) In the experimental environment above, modify the configuration file
[root@test ~]#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl cdnet {
192.168.0.0/24;
};
acl bjnet {
172.16.1.0/24;
};
acl shnet {
any;
};
options {
listen-on port 53 { localhost; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; };
allow-transfer { 192.168.0.151; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
include "/etc/named.root.key";
view view_cd {
match-clients {cdnet;};
include "/etc/named.zone.cd";
include "/etc/named.rfc1912.zones";
};
view view_bj {
match-clients { bjnet; };
include "/etc/named.zone.bj";
include "/etc/named.rfc1912.zones";
};
view view_sh {
match-clients { shnet; };
include "/etc/named.zone.sh";
include "/etc/named.rfc1912.zones";
};
[root@test ~]#
Note: This is the main configuration file; the additions are three acl blocks and three view blocks. One thing to note is that once views are configured, all zone configuration must be written inside a view, so we also need to move the root zone configuration into /etc/named.rfc1912.zones and then pull the zone configuration files into each view with include. Following the same idea, we can keep the zone configuration for each region in its own file for easier management and import each one into its view with include. This way clients from different networks are served from different zone files. Finally, we still need to create the zone database files for each view.
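Added example (not code from the original post or from BIND): a Python model of how named chooses a view for a client, using the three acl and view blocks above. BIND answers from the first view whose match-clients list matches the query's source address, so view_sh with its any ACL must stay last or it captures every client; BIND's built-in localhost acl is simplified here to the loopback ranges, and the client addresses are the ones used in the tests further down.

```python
"""Model of BIND view selection for the named.conf shown above.

Added example, not part of the original post or of BIND. A query is answered
by the first view (in file order) whose match-clients address-match list
allows the client's source address, so the order of the view blocks matters:
view_sh matches 'any' and must stay last.
"""
import ipaddress

# acl blocks copied from the configuration above; 'localhost' is BIND's
# built-in acl, simplified here to the loopback ranges.
ACLS = {
    "cdnet": ["192.168.0.0/24"],
    "bjnet": ["172.16.1.0/24"],
    "shnet": ["any"],
    "localhost": ["127.0.0.0/8", "::1/128"],
}

# view blocks in file order: (view name, match-clients list)
VIEWS = [
    ("view_cd", ["cdnet"]),
    ("view_bj", ["bjnet"]),
    ("view_sh", ["shnet"]),
]


def element_matches(element, addr, acls):
    """Does one address-match-list element match addr? An element is 'any',
    'none', the name of another acl, a prefix, or a bare address. A named
    acl matches when its own list would allow the address."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        return list_allows(acls[element], addr, acls) is True
    return addr in ipaddress.ip_network(element, strict=False)


def list_allows(elements, addr, acls=ACLS):
    """Address-match-list rule: elements are tried in order and the first one
    that matches decides; a '!'-prefixed element that matches means deny.
    Returns True (allow), False (deny) or None (no element matched)."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    for element in elements:
        negate = element.startswith("!")
        if element_matches(element.lstrip("!"), addr, acls):
            return not negate
    return None


def select_view(client, views=VIEWS, acls=ACLS):
    """Name of the view that would answer 'client', or None if no view
    matches (named then refuses the query)."""
    for name, match_clients in views:
        if list_allows(match_clients, client, acls):
            return name
    return None


def view_order_problems(views, acls, probes):
    """Views that can never be reached because an earlier view already
    captures every probe address they would match; this is what happens
    when the 'any' view is placed first."""
    shadowed = []
    for i, (name, clients) in enumerate(views):
        own = [p for p in probes if list_allows(clients, p, acls)]
        if own and all(select_view(p, views[:i], acls) for p in own):
            shadowed.append(name)
    return shadowed


if __name__ == "__main__":
    probes = ["192.168.0.151", "172.16.1.2", "127.0.0.1"]
    for client in probes + ["10.9.8.7"]:
        print(f"{client:>15} -> {select_view(client)}")
    # Same three views with view_sh moved to the top: the other two go dead.
    wrong_order = [VIEWS[2], VIEWS[0], VIEWS[1]]
    print("shadowed views:", view_order_problems(wrong_order, ACLS, probes))
```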
2) Move the root zone configuration into /etc/named.rfc1912.zones
[root@test ~]#cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.zone";
};
[root@test ~]#
3) Create the zone configuration file for each view
[root@test ~]#cat >> /etc/named.zone.cd << EOF
> zone "test.com" IN {
> type master;
> file "test.com.zone.cd";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.bj << EOF
> zone "test.com" IN {
> type master;
> file "test.com.zone.bj";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.sh << EOF
> zone "test.com" IN {
> type master;
> file "test.com.zone.sh";
> };
> EOF
[root@test ~]#cat /etc/named.zone.cd
zone "test.com" IN {
type master;
file "test.com.zone.cd";
};
[root@test ~]#cat /etc/named.zone.bj
zone "test.com" IN {
type master;
file "test.com.zone.bj";
};
[root@test ~]#cat /etc/named.zone.sh
zone "test.com" IN {
type master;
file "test.com.zone.sh";
};
[root@test ~]#
4) Prepare the zone database file for each view
[root@test ~]#cat /var/named/test.com.zone.cd
$TTL 1D
@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )
NS dns1
dns1 A 192.168.0.99
www A 3.3.3.3
blog A 4.4.4.4
[root@test ~]#cat /var/named/test.com.zone.bj
$TTL 1D
@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )
NS dns1
dns1 A 192.168.0.99
www A 5.5.5.5
blog A 6.6.6.6
[root@test ~]#cat /var/named/test.com.zone.sh
$TTL 1D
@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )
NS dns1
dns1 A 192.168.0.99
www A 7.7.7.7
blog A 8.8.8.8
[root@test ~]#
[root@test ~]#ll /var/named/
總用量 36
-rw-r--r-- 1 root root 188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named 23 12月 29 23:23 data
drwxrwx--- 2 named named 60 12月 30 01:01 dynamic
-rw-r----- 1 root named 2253 4月 5 2018 named.ca
-rw-r----- 1 root named 152 12月 15 2009 named.empty
-rw-r----- 1 root named 152 6月 21 2007 named.localhost
-rw-r----- 1 root named 168 12月 15 2009 named.loopback
drwxrwx--- 2 named named 6 8月 8 20:16 slaves
-rw-r--r-- 1 root root 154 12月 30 00:10 test.com.zone
-rw-r--r-- 1 root root 112 12月 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root root 112 12月 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root root 117 12月 30 21:35 test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"
/var/named/test.com.zone
/var/named/test.com.zone.cd
/var/named/test.com.zone.bj
/var/named/test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chown root.named
[root@test ~]#ll /var/named/
總用量 36
-rw-r--r-- 1 root root 188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named 23 12月 29 23:23 data
drwxrwx--- 2 named named 60 12月 30 01:01 dynamic
-rw-r----- 1 root named 2253 4月 5 2018 named.ca
-rw-r----- 1 root named 152 12月 15 2009 named.empty
-rw-r----- 1 root named 152 6月 21 2007 named.localhost
-rw-r----- 1 root named 168 12月 15 2009 named.loopback
drwxrwx--- 2 named named 6 8月 8 20:16 slaves
-rw-r--r-- 1 root named 154 12月 30 00:10 test.com.zone
-rw-r--r-- 1 root named 112 12月 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root named 112 12月 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root named 117 12月 30 21:35 test.com.zone.sh
[root@test ~]#
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chmod o-r
[root@test ~]#ll /var/named/
總用量 36
-rw-r--r-- 1 root root 188 12月 30 00:28 192.168.0.zone
drwxrwx--- 2 named named 23 12月 29 23:23 data
drwxrwx--- 2 named named 60 12月 30 01:01 dynamic
-rw-r----- 1 root named 2253 4月 5 2018 named.ca
-rw-r----- 1 root named 152 12月 15 2009 named.empty
-rw-r----- 1 root named 152 6月 21 2007 named.localhost
-rw-r----- 1 root named 168 12月 15 2009 named.loopback
drwxrwx--- 2 named named 6 8月 8 20:16 slaves
-rw-r----- 1 root named 154 12月 30 00:10 test.com.zone
-rw-r----- 1 root named 112 12月 30 21:33 test.com.zone.bj
-rw-r----- 1 root named 112 12月 30 21:31 test.com.zone.cd
-rw-r----- 1 root named 117 12月 30 21:35 test.com.zone.sh
[root@test ~]#
Note: With the configuration above, we want users in each region to be served from their own zone data file, so that users in different regions receive different IP address information. It is also advisable to change the group of the files we created to named: it works without this, but the permissions are then wider than necessary, and only named needs read access to these files.
5) Check the configuration files and reload the service
[root@test ~]#named-checkconf
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.cd
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.bj
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.sh
zone test.com/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#
6) Test
Simulating a user in Chengdu querying the DNS server
[qiuhom@test-node1 ~]$ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:24:81:68:ce:45 brd ff:ff:ff:ff:ff:ff
inet 192.168.0.151/24 brd 192.168.0.255 scope global eth0
inet6 fe80::224:81ff:fe68:ce45/64 scope link
valid_lft forever preferred_lft forever
[qiuhom@test-node1 ~]$
[qiuhom@test-node1 ~]$dig www.test.com @192.168.0.99
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51022
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 3.3.3.3
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 2 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:02 2019
;; MSG SIZE rcvd: 81
[qiuhom@test-node1 ~]$dig blog.test.com @192.168.0.99
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4979
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;blog.test.com. IN A
;; ANSWER SECTION:
blog.test.com. 86400 IN A 4.4.4.4
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 1 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:12 2019
;; MSG SIZE rcvd: 82
[qiuhom@test-node1 ~]$
Note: Queries from a host on 192.168.0.0/24 are answered from the zone database file specified in the matching view.
Simulating a user in Beijing querying the DNS server
[root@test ~]#ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
valid_lft forever preferred_lft forever
inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
valid_lft forever preferred_lft forever
inet6 fe80::230:18ff:fe51:af3c/64 scope link
valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:d6:07:f1:b0 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 scope global docker0
valid_lft forever preferred_lft forever
[root@test ~]#dig www.test.com @172.16.1.2
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33773
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 5.5.5.5
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: 一 12月 30 22:24:07 CST 2019
;; MSG SIZE rcvd: 92
[root@test ~]#dig blog.test.com @172.16.1.2
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com. IN A
;; ANSWER SECTION:
blog.test.com. 86400 IN A 6.6.6.6
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: 一 12月 30 22:24:18 CST 2019
;; MSG SIZE rcvd: 93
[root@test ~]#
Simulating a user in Shanghai querying the DNS server
[root@test ~]#dig www.test.com @127.0.0.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50994
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 7.7.7.7
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 一 12月 30 22:25:52 CST 2019
;; MSG SIZE rcvd: 92
[root@test ~]#dig blog.test.com @127.0.0.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10062
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com. IN A
;; ANSWER SECTION:
blog.test.com. 86400 IN A 8.8.8.8
;; AUTHORITY SECTION:
test.com. 86400 IN NS dns1.test.com.
;; ADDITIONAL SECTION:
dns1.test.com. 86400 IN A 192.168.0.99
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 一 12月 30 22:25:58 CST 2019
;; MSG SIZE rcvd: 93
[root@test ~]#
Note: when the query is made on the server itself via 127.0.0.1, named sees it arrive over the loopback address, the ACL then matches shnet, and the zone file specified in view_sh is used. One point to keep in mind: ACLs are matched from top to bottom, and once an entry matches, no further entries are evaluated; 127.0.0.1 belongs to neither 192.168.0.0/24 nor 172.16.1.0/24, so it is matched by any.
This completes the smart DNS setup. In essence, the purpose of smart DNS is to serve different zone files to clients depending on where they come from, so that the server a user is directed to is the one nearest to them. On the Internet this is what CDNs (content delivery networks) are built on: smart DNS steers users from different regions to servers in different regions, so the server a user reaches is the closest one. A CDN thereby speeds up user access while also relieving the load and bandwidth pressure on the site's origin servers.
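The first-match ACL behaviour described in the note above, modelled as an added example (this is not the page's named.conf). The view order, the ACL names lannet/bjnet/shnet and the records of the 192.168.0.0/24 view are assumptions; the 5.5.5.5 to 8.8.8.8 answers come from the dig output above.

```python
import ipaddress

# Constructed ACL definitions, evaluated the way named evaluates match-clients:
# views are tried in order, and the first ACL that covers the source address wins.
ACLS = {
    "lannet": ["192.168.0.0/24"],
    "bjnet": ["172.16.1.0/24"],
    "shnet": ["any"],
}

# (view name, match-clients ACL, A records returned by that view's zone file).
# The 10.0.0.x values for the LAN view are placeholders; the rest are from the dig output.
VIEWS = [
    ("view_lan", "lannet", {"www.test.com": "10.0.0.1", "blog.test.com": "10.0.0.2"}),
    ("view_bj", "bjnet", {"www.test.com": "5.5.5.5", "blog.test.com": "6.6.6.6"}),
    ("view_sh", "shnet", {"www.test.com": "7.7.7.7", "blog.test.com": "8.8.8.8"}),
]


def acl_matches(acl_name, client_ip):
    """True if client_ip falls inside the named ACL; 'any' covers every address."""
    addr = ipaddress.ip_address(client_ip)
    for entry in ACLS[acl_name]:
        if entry == "any" or addr in ipaddress.ip_network(entry):
            return True
    return False


def select_view(client_ip, views=VIEWS):
    """Top-to-bottom, first-match selection of the view for a source address."""
    for name, acl, records in views:
        if acl_matches(acl, client_ip):
            return name, records
    return None, {}


def resolve(qname, client_ip, views=VIEWS):
    """Answer qname from whichever view's zone file the client lands in."""
    view, records = select_view(client_ip, views)
    return view, records.get(qname)


if __name__ == "__main__":
    # Same name, different source address, different answer.
    for src in ("192.168.0.5", "172.16.1.2", "127.0.0.1"):
        print(src, resolve("www.test.com", src))
    # Ordering matters: with the 'any' view listed first, every client lands in it.
    print(select_view("172.16.1.2", VIEWS[::-1])[0])
```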
3. Compile and install MariaDB so that it can be started and logged into normally
1) Prepare the source package
[root@test ~]#rz
rz waiting to receive.
100% 70172 KB 23390 KB/s 00:00:03 0 Errors..
[root@test ~]#ls mariadb-10.2.19.tar.gz
mariadb-10.2.19.tar.gz
[root@test ~]#
2) Install the dependency packages
[root@test ~]# yum install bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel -y
3) Create the system account and extract the source
[root@test ~]# useradd -r -s /sbin/nologin -d /app/mysql/ mysql
[root@test ~]# getent passwd mysql
mariadb:x:989:983::/app/mysql/:/sbin/nologin
[root@test ~]# tar xf mariadb-10.2.19.tar.gz
[root@test ~]# cd mariadb-10.2.19/
[root@test mariadb-10.2.19]#
4) Run cmake with the build options
cmake . \
-DCMAKE_INSTALL_PREFIX=/app/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/mysql \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci
Note: if cmake fails, delete CMakeCache.txt, then re-run cmake with the build options to regenerate the makefile before compiling again.
5) Once cmake above completes without errors, run make && make install
...part of the output omitted
-- Looking for krb5_free_unparsed_name
-- Looking for krb5_free_unparsed_name - found
-- Looking for event.h
-- Looking for event.h - found
-- Configuring done
-- Generating done
-- Build files have been written to: /root/mariadb-10.2.19
[root@test mariadb-10.2.19]# make -j 4 && make install
Note: make -j sets how many jobs run in parallel during compilation; -j 4 compiles with 4 jobs at once, which is a multi-threaded way of building.
6) Prepare the PATH environment
[root@test ~]# echo 'PATH=/app/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@test ~]# cat /etc/profile.d/mysql.sh
PATH=/app/mysql/bin:$PATH
[root@test ~]# . /etc/profile.d/mysql.sh
[root@test ~]#
7) Initialize the database files
[root@test ~]# cd /app/mysql/
[root@test mysql]# scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
OK
To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system
PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:
'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h test password 'new-password'
Alternatively you can run:
'./bin/mysql_secure_installation'
which will also give you the option of removing the test
databases and anonymous user created by default. This is
strongly recommended for production servers.
See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.
You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'
You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl
Please report any problems at http://mariadb.org/jira
The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
[root@test mysql]#
8) Prepare the configuration file
[root@test mysql]# cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
[root@test mysql]#
9) Prepare the startup script
[root@test mysql]# cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@test mysql]#
10) Start the service and log in to the database
[root@test mysql]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@test mysql]# chkconfig --add mysqld
[root@test mysql]# chkconfig --list
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
mysqld 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@test mysql]# service mysqld start
Starting mysqld (via systemctl): [ OK ]
[root@test mysql]# ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 80 :::3306 :::*
[root@test mysql]# mysql
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.2.19-MariaDB-log Source distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| test |
+--------------------+
4 rows in set (0.00 sec)
MariaDB [(none)]>
This completes the compilation and installation of the MariaDB database.
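A check a practitioner would want after step 10: the ss -ntl output above shows the freshly installed server listening on :::3306, that is on every interface, while mysql_install_db has just warned that the root password is still unset. The added example below (not from the page or from MariaDB) parses that ss output and reports which of the given ports are bound to a wildcard address; the SS_OUTPUT text is a constructed copy of the listing above.

```python
# Constructed copy of the `ss -ntl` listing shown above.
SS_OUTPUT = """State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:22 *:*
LISTEN 0 100 127.0.0.1:25 *:*
LISTEN 0 128 :::22 :::*
LISTEN 0 100 ::1:25 :::*
LISTEN 0 80 :::3306 :::*
"""

# Local addresses that mean "all interfaces" in ss output (IPv4 and IPv6 forms).
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}


def parse_listeners(text):
    """Yield (local_address, port) for each LISTEN line of `ss -ntl` output."""
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 literals such as ::1 intact; only the last ':' is the port separator.
        addr, _, port = fields[3].rpartition(":")
        yield addr, int(port)


def exposed_ports(text, ports=(3306,)):
    """Return the ports of interest that are bound to every interface, sorted."""
    return sorted({p for a, p in parse_listeners(text) if a in WILDCARDS and p in ports})


def loopback_only(text, port):
    """True if the port is listening and every listener for it is on a loopback address."""
    addrs = [a for a, p in parse_listeners(text) if p == port]
    return bool(addrs) and all(a in ("127.0.0.1", "::1") for a in addrs)


if __name__ == "__main__":
    print("wildcard-bound database ports:", exposed_ports(SS_OUTPUT))  # [3306]
    print("3306 restricted to loopback:", loopback_only(SS_OUTPUT, 3306))  # False
```

Until a root password has been set with the mysqladmin or mysql_secure_installation command that mysql_install_db printed, restricting the listener (bind-address in the [mysqld] section of /etc/my.cnf, or a firewall rule) keeps the unauthenticated account from being reachable over the network.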
Author: Linux-1874
Source: https://www.cnblogs.com/qiuhom-1874/
Copyright of this article is shared by the author and Cnblogs. Reposting is welcome, but without the author's consent this notice must be retained and a link to the original must be given in a prominent place on the article page; otherwise the right to pursue legal action is reserved.