使用Bind提供域名解析服务

发表于 更新于 分类于
DNS域名系统,万维网上作为域名和IP地址相互映射的一个分布式数据库,能够使用户更方便的访问互联网,而不用去记住能够被机器直接读取的IP数串。通过域名,最终得到该域名对应的IP地址的过程叫做域名解析(或主机名解析)。DNS协议运行在UDP协议之上,使用端口号UDP53号端口作为数据通信端口(域名解析),使用TCP53号端口实现数据同步(主从同步)。

DNS 域名系统,万维网上作为域名和IP地址相互映射的一个分布式数据库,能够使用户更方便的访问互联网,而不用去记住能够被机器直接读取的IP数串。通过域名,最终得到该域名对应的IP地址的过程叫做域名解析(或主机名解析)。DNS协议运行在UDP协议之上,使用端口号UDP 53号端口作为数据通信端口(域名解析),使用TCP53号端口实现数据同步(主从同步)。

DNS工作过程:

1.客户机首先会查看本地的hosts文件,如果有记录则返回,无则继续.
2.客户端查看本地缓存,如果有记录则返回,无则继续.
3.客户端将请求转发给本地DNS服务器,请求解析.
4.本地DNS服务器,查看域名是否有记录,有则本地解析返回,否则进行下一步.
5.本地DNS服务器首先在缓存中查找,有则返回,无则进行下一步.
6.本地DNS服务器,向全球13个根域服务器发起DNS请求,根域返回对应的地址列表.
7.使用某一个域的IP地址,发起DNS请求,域返回kernel域服务器地址列表.
8.使用某一个kernel域IP地,发起DNS请求,kernel域返回本地DNS服务收到后,返回给客户机.

客户端(Web浏览器)访问网页的全过程:

1.首先客户端向DNS服务器请求解析域名.
2.DNS收到请求后相应,或者迭代或者递归,当查询到服务器IP后,返回给客户.
3.客户端取得IP地址后,向网页服务器发送请求.

DNS递归与迭代查询:

递归查询: 是客户端与服务器之间的查询过程,压力在服务器端
迭代查询: 是服务器与服务器之间的查询过程,压力在客户端

DNS的资源记录类型:

参数 说明 解释
SOA 起始授权机构 这里记录时间等信息
NS 名称服务器 只记录了完全合格域名(FQDN)
A 主机 正向解析(域名到IP的解析)
PTR 指针 反向解析(IP到域名的解析)
MX 邮件交换记录 指定邮件优先级
SRV 服务 列出提供特定服务的服务器
CNAME 别名 将多个名字映射到同一台计算机

安装Bind服务程序

编译安装Bind

[root@localhost ~]# wget ftp://ftp.isc.org/isc/bind9/9.6.1/bind-9.6.1.tar.gz
[root@localhost ~]# tar -xzvf bind-9.6.1.tar.gz 
[root@localhost ~]# cd bind-9.6.1/
[root@localhost ~]# ./configure  --enable-largefile --enable-threads --prefix=/usr/local/named
[root@localhost ~]# make && make install

Yum安装Bind

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

部署DNS实现解析

DNS正向解析是指根据域名(主机名),查找到对应的IP地址,也就是说,当用户输入一个域名后,Bind服务会自动进行查找,并将匹配到的IP地址返回给客户端,这也是最常用的DNS工作模式.

DNS反向解析的作用是,将用户提交的IP地址解析为对应的域名信息,它也可以针对某个IP进行反向解析,大致判断有多少个网站运行在上面.

以下实验,将配置一个DNS解析服务.(注意:192.168.1.20解析成lyshark.org 且 lyshark.org解析成192.168.1.20).

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot禁锢模块

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.编辑bind主配置文件,修改前面标有星号的参数

[root@localhost ~]# vim /etc/named.conf

options {
        ★listen-on port 53 { any; };					#侦听任何ipv4地址
        ★listen-on-v6 port 53 { ::any; };				#侦听任何ipv6地址
        directory       "/var/named";					#设置工作目录
        dump-file       "/var/named/data/cache_dump.db";		#设置缓存转存目录
        statistics-file "/var/named/data/named_stats.txt";		#记录统计信息文件
        memstatistics-file "/var/named/data/named_mem_stats.txt";	#记录内存使用情况
        ★allow-query     { any; };					#允许任何主机查询
        recursion yes;							#允许递归查询
        dnssec-enable yes;						#是否支持Dnssec
        dnssec-validation yes;						#Dnssec再次确认开关
        bindkeys-file "/etc/named.iscdlv.key";				#ISC DLV KEY 的路径
        managed-keys-directory "/var/named/dynamic";			#管理密钥路径
        pid-file "/run/named/named.pid";				#进程ID文件路径
        session-keyfile "/run/named/session.key";			#会话密钥文件
};

3.接着在bind的区域配置文件最底部,创建一个正向区域,和一个反向区域

[root@localhost ~]# vim /etc/named.rfc1912.zones

zone "lyshark.org" IN {					#正向区域名
	type master;					#区域类型(master/slave)
	file "lyshark.org.zone";			#区域文件名(/usr/named/lyshark.org.zone)
};
zone "1.168.192.in-addr.arpa" IN {                      #反向区域名(IP地址应反写)
        type master;                                    #区域类型(master/slave)
        file "lyshark.org.arpa";                        #区域文件名(/var/named/lyshark.org.aone)
};

4.拷贝默认区域配置模板,分别拷贝正向和反向模板

[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.zone    #复制正向模板
[root@localhost ~]# cp -a /var/named/named.loopback /var/named/lyshark.org.arpa     #复制反向模板

5.编辑正向模板的zone记录,修改正向解析

[root@localhost ~]# vim /var/named/lyshark.org.zone

$TTL 1D
@       IN 		SOA                dns.lyshark.org. 		rname.invalid. 	(
#区域名			#SOA标识	   #主域名服务器(FQDN)		#管理员邮件地址

                                        0       ; serial	#序列号
                                        1D      ; refresh	#刷新间隔
                                        1H      ; retry		#重试间隔
                                        1W      ; expire	#过期间隔
                                        3H )    ; minimum	#TTL


        	NS      dns.lyshark.org.					#名称服务器
dns     	A       127.0.0.1						#A记录解析自身(必须存在)
www     	A       192.168.1.20						#解析记录

6.编辑反向模板的zone记录,修改反向解析

[root@localhost ~]# vim /var/named/lyshark.org.arpa

$TTL 1D
@       IN 		SOA                dns.lyshark.org. 		rname.invalid. 	(
#区域名			#SOA标识	   #主域名服务器(FQDN)		#管理员邮件地址

                                        0       ; serial	#序列号
                                        1D      ; refresh	#刷新间隔
                                        1H      ; retry		#重试间隔
                                        1W      ; expire	#过期间隔
                                        3H )    ; minimum	#TTL


        	NS      dns.lyshark.org.					#名称服务器
20           	PTR     dns.lyshark.org.					#反向指针(IP最后位)

7.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

8.在其他主机配置好网关,指向DNS服务器IP,通过nslookup测试查看效果,如果看到以下结果说明解析成功

Microsoft Windows [版本 10.0]
(c) 2018 Microsoft Corporation。保留所有权利。

C:\Users\administrator> nslookup 192.168.1.20
服务器:  dns.lyshark.org
Address:  192.168.1.20

名称:    dns.lyshark.org
Address:  192.168.1.20

C:\Users\administrator> nslookup www.lyshark.org
服务器:  dns.lyshark.org
Address:  192.168.1.20

名称:    www.lyshark.org
Address:  192.168.1.20

部署DNS主从同步

在DNS域名解析中,从服务器可以从主服务器上获取指定的区域数据文件,从而起到备份解析记录,与负载均衡的作用,因此通过部署从服务器,可以减轻主服务器负载压力,还可以提升用户的查询效率.

以下实验,将实现主服务器启动后,从服务器自动同步主服务器的数据,实现主从同步.(注意:主DNS=192.168.1.20 从DNS=192.168.1.30)

配置主DNS服务

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.编辑bind主配置文件,修改以下几行配置

[root@localhost ~]# vim /etc/named.conf

options {
        listen-on port 53 { any; };                                    #侦听任何ipv4地址
        listen-on-v6 port 53 { ::any; };                               #侦听任何ipv6地址
        allow-query     { any; };                                      #允许任何主机查询
        .....
}

3.接着创建区域名称,配置允许解析的IP地址.

[root@localhost ~]# vim /etc/named.rfc1912.zones

zone "lyshark.org" IN {                                 #正向区域名
        type master;                                    #区域类型(master/slave)
        file "lyshark.org.zone";                        #区域文件名(/usr/named/lyshark.org.zone)
        allow-update { 192.168.1.30; };                 #允许192.168.1.30过来缓存数据
};
zone "1.168.192.in-addr.arpa" IN {                      #反向区域名(IP地址应反写)
        type master;                                    #区域类型(master/slave)
        file "lyshark.org.arpa";                        #区域文件名(/var/named/lyshark.org.aone)
        allow-update { 192.168.1.30; };                 #允许192.168.1.30过来缓存数据

};

4.拷贝默认区域配置模板,分别拷贝正向和反向模板

[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.zone    #复制正向模板
[root@localhost ~]# cp -a /var/named/named.loopback /var/named/lyshark.org.arpa     #复制反向模板

5.编辑正向模板的zone记录,修改正向解析

[root@localhost ~]# vim /var/named/lyshark.org.zone

$TTL 1D
@       IN              SOA                dns.lyshark.org.             rname.invalid.  (
#区域名                    #SOA标识     #主域名服务器(FQDN)                #管理员邮件地址

                                        0       ; serial        #序列号
                                        1D      ; refresh       #刷新间隔
                                        1H      ; retry         #重试间隔
                                        1W      ; expire        #过期间隔
                                        3H )    ; minimum       #TTL


                NS      dns.lyshark.org.                                        #名称服务器
dns             A       127.0.0.1                                               #A记录解析自身(必须存在)
www             A       192.168.1.20                                            #解析记录

6.编辑反向模板的zone记录,修改反向解析

[root@localhost ~]# vim /var/named/lyshark.org.arpa

$TTL 1D
@       IN              SOA                dns.lyshark.org.             rname.invalid.  (
#区域名                    #SOA标识     #主域名服务器(FQDN)                #管理员邮件地址

                                        0       ; serial        #序列号
                                        1D      ; refresh       #刷新间隔
                                        1H      ; retry         #重试间隔
                                        1W      ; expire        #过期间隔
                                        3H )    ; minimum       #TTL


                NS      dns.lyshark.org.                                        #名称服务器
20              PTR     dns.lyshark.org.                                        #反向指针(IP最后位)

7.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

配置从DNS服务

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.编辑bind主配置文件,修改以下几行配置

[root@localhost ~]# vim /etc/named.conf

options {
        listen-on port 53 { any; };                                    #侦听任何ipv4地址
        listen-on-v6 port 53 { ::any; };                               #侦听任何ipv6地址
        allow-query     { any; };                                      #允许任何主机查询
        .....
}

3.在从服务器中填写,需要同步的主服务器的IP地址,以及同步那个区域配置文件,其他无需修改,保存即可

[root@localhost ~]# vim /etc/named.rfc1912.zones

zone "lyshark.org" IN {                                 #正向区域名
        type slave;                                     #指定为从服务器
        masters { 192.168.1.20; };                      #指定主服务器IP
        file "slaves/lyshark.org.zone";                 #指定同步后的文件
        allow-update {  none;  };                       #不允许动态更新
};
zone "1.168.192.in-addr.arpa" IN {                      #反向区域名
        type slave;                                     #指定为从服务器
        masters { 192.168.1.20; };                      #指定主服务器IP
        file "slaves/lyshark.org.arpa";                 #指定同步后的文件
        allow-update {  none;  };                       #不允许动态更新
};

4.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

5.验证环节,如果在/var/named/slaves目录下出现了文件则说明同步成功啦

[root@localhost slaves]# pwd
/var/named/slaves
[root@localhost slaves]# ls -l
total 8
-rw-r--r--. 1 named named 251 Nov  6 04:12 lyshark.org.arpa
-rw-r--r--. 1 named named 249 Nov  6 04:12 lyshark.org.zone

部署DNS缓存服务

DNS缓存服务器(Caching DNS Server),是一种不负责域名数据维护的DNS服务器,简单来说,缓存服务器就是把用户经常使用到的,域名与IP地址的解析记录保存在本机,从而提升下次解析请求的效率.

以下实验,将配置一台主DNS服务,再配置一台缓存服务器,加快DNS的解析速度.(注意:主DNS=192.168.1.20 缓存DNS=192.168.1.30).

配置解析DNS

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.编辑bind主配置文件,修改以下几行配置

[root@localhost ~]# vim /etc/named.conf

options {
        listen-on port 53 { any; };                                    #侦听任何ipv4地址
        listen-on-v6 port 53 { ::any; };                               #侦听任何ipv6地址
        allow-query     { any; };                                      #允许任何主机查询
        .....
}

3.接着创建区域名称,配置允许解析的IP地址.

[root@localhost ~]# vim /etc/named.rfc1912.zones

zone "lyshark.com" IN {                                 #正向区域名
        type master;                                    #区域类型
        file "lyshark.com.zone";                        #区域文件名
};
zone "lyshark.org" IN {                                 #正向区域名
        type master;                                    #区域类型
        file "lyshark.org.zone";                        #区域文件名
};
zone "lyshark.net" IN {                                 #正向区域名
        type master;                                    #区域类型
        file "lyshark.net.zone";                        #区域文件名
};

4.拷贝默认区域配置模板,这里只做正向的拷贝即可

[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.com.zone
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.zone
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.net.zone

5.分别编辑正向模板的zone记录,修改正向解析,改为以下形式

[root@localhost named]# cat lyshark.com.zone
$TTL 1D
@       IN SOA  dns.lyshark.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.lyshark.com.
dns     A       127.0.0.1
www     A       192.168.1.20

[root@localhost named]# cat lyshark.org.zone
$TTL 1D
@       IN SOA  dns.lyshark.org. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.lyshark.org.
dns     A       127.0.0.1
www     A       192.168.1.20

[root@localhost named]# cat lyshark.net.zone
$TTL 1D
@       IN SOA  dns.lyshark.net. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.lyshark.net.
dns     A       127.0.0.1
www     A       192.168.1.20

6.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

7.通过其他主机配置成本DNS地址,并测试,看到以下结果则说明成功

Microsoft Windows [版本 10.0]
(c) 2018 Microsoft Corporation。保留所有权利。

C:\Users\administrator> nslookup www.lyshark.com
服务器:  UnKnown
Address:  192.168.1.20

名称:    www.lyshark.com
Address:  192.168.1.20


C:\Users\administrator> nslookup www.lyshark.org
服务器:  UnKnown
Address:  192.168.1.20

名称:    www.lyshark.org
Address:  192.168.1.20


C:\Users\administrator> nslookup www.lyshark.net
服务器:  UnKnown
Address:  192.168.1.20

名称:    www.lyshark.net
Address:  192.168.1.20

配置缓存DNS

1.缓存DNS服务器,安装dnsmasq缓存工具

[root@localhost ~]# yum install -y dnsmasq
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package dnsmasq-2.76-5.el7.x86_64 already installed and latest version
Nothing to do

2.打开dnsmasq的主配置文件,在配置文件底部写入要缓存的条目

[root@localhost ~]# vim /etc/dnsmasq.conf

# Include all files in /etc/dnsmasq.d except RPM backup files
conf-dir=/etc/dnsmasq.d,.rpmnew,.rpmsave,.rpmorig

server=192.168.1.20                             #主DNS服务器IP地址
cache-size=100                                  #缓存数据的条数

domain=lyshark.com                              #需要解析的域名(如果解析多条应全部写上)
domain=lyshark.org
domain=lyshark.net

3.重启dnsmasq服务,并设置开机自启动

[root@localhost ~]# systemctl restart dnsmasq
[root@localhost ~]# systemctl enable dnsmasq

4.验证环节,将其他主机的网关,配置成缓存服务器的IP,并测试效果

Microsoft Windows [版本 10.0]
(c) 2018 Microsoft Corporation。保留所有权利。

C:\Users\administrator>nslookup www.lyshark.com
服务器:  UnKnown
Address:  192.168.1.30

非权威应答:
名称:    www.lyshark.com
Address:  192.168.1.20

C:\Users\administrator>nslookup www.lyshark.org
服务器:  UnKnown
Address:  192.168.1.30

非权威应答:
名称:    www.lyshark.org
Address:  192.168.1.20

C:\Users\administrator>nslookup www.lyshark.net
服务器:  UnKnown
Address:  192.168.1.30

非权威应答:
名称:    www.lyshark.net
Address:  192.168.1.20

部署DNS加密同步

在如今的互联网中,绝大多数DNS服务器,都是靠Bind提供服务的,bind服务也为用户提供了一种加密措施,来保证数据在两台DNS服务器同步过程中的安全性,即TSIG加密机制,保证了DNS服务器之间区域数据传输的安全性,下面我们就开始配置一个加密的DNS服务器吧.

配置加密主DNS

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot禁锢模块

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.在主服务器中通过以下命令生成一个名称为master-slave的128位HMAC-MD5算法的名称为master-slave的密钥文件,并记住Kmaster-slave.+157+24095.private里面的key后期要用到这个钥匙同步数据

[root@localhost ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+24095
[root@localhost ~]# ls -l
total 12
-rw-------. 1 root root   56 Nov  6 08:50 Kmaster-slave.+157+24095.key
-rw-------. 1 root root  165 Nov  6 08:50 Kmaster-slave.+157+24095.private

[root@localhost ~]# cat Kmaster-slave.+157+24095.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: fj0q+jO5kwHCapwt/dKMJA==              #记住这个Key
Bits: AAA=
Created: 20181106135031
Publish: 20181106135031
Activate: 20181106135031

3.在主服务器中创建密钥验证文件,并把刚刚创建的key写入到tansfer.key传输文件里面,并配置好相应的权限

[root@localhost ~]# vim /var/named/chroot/etc/transfer.key
[root@localhost ~]# cat /var/named/chroot/etc/transfer.key
key "master-slave" {                           #写上刚刚的密钥名称
        algorithm hmac-md5;                    #指定加密算法
        secret "fj0q+jO5kwHCapwt/dKMJA==";     #写上上面的key
};

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key
[root@localhost ~]# chmod 640 /var/named/chroot/etc/transfer.key
[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

4.修改主DNS服务器的/etc/named.conf主配置文件,开启加密验证

[root@localhost ~]# vim /etc/named.conf

  1 //
  2 // named.conf
  3 //
  4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
  5 // server as a caching only nameserver (as a localhost DNS resolver only).
  6 //
  7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
  8 //
  9 // See the BIND Administrator s Reference Manual (ARM) for details about the
 10 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
 11
 12 include "/etc/transfer.key";                                  #添加本行,导入密钥
 13
 14 options {
 15         listen-on port 53 { any; };                           #改为any允许
 16         listen-on-v6 port 53 { ::1; };
 17         directory       "/var/named";
 18         dump-file       "/var/named/data/cache_dump.db";
 19         statistics-file "/var/named/data/named_stats.txt";
 20         memstatistics-file "/var/named/data/named_mem_stats.txt";
 21         allow-query     { any; };                             #改为any
 22         allow-transfer { key master-slave; };                 #添加本行,允许加载key
 23         /*

5.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

配置加密从DNS

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot禁锢模块

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.进入从DNS服务器,在相应目录下创建密钥文件,文件内容与主DNS服务器应相同,并赋予相应权限

[root@localhost ~]# vim /var/named/chroot/etc/transfer.key
[root@localhost ~]# cat /var/named/chroot/etc/transfer.key
key "master-slave" {                         #内容必须和主DNS保持一致
        algorithm hmac-md5;
        secret "fj0q+jO5kwHCapwt/dKMJA==";
};

[root@localhost ~]# chown root:named /var/named/chroot/etc/transfer.key
[root@localhost ~]# chmod 640 /var/named/chroot/etc/transfer.key
[root@localhost ~]# ln /var/named/chroot/etc/transfer.key /etc/transfer.key

4.修改从DNS服务器的/etc/named.conf主配置文件,开启加密验证,并指定服务器IP地址

  1 //
  2 // named.conf
  3 //
  4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
  5 // server as a caching only nameserver (as a localhost DNS resolver only).
  6 //
  7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
  8 //
  9 // See the BIND Administrator s Reference Manual (ARM) for details about the
 10 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
 11
 12 include "/etc/transfer.key";            #导入密钥对
 13
 14 options {
 15         listen-on port 53 { any; };
 16         listen-on-v6 port 53 { ::1; };
 17         directory       "/var/named";
 18         dump-file       "/var/named/data/cache_dump.db";
 19         statistics-file "/var/named/data/named_stats.txt";
 20         memstatistics-file "/var/named/data/named_mem_stats.txt";
 21         allow-query     { any; };
 22
 23         /*
.....
 46
 47 server 192.168.1.20 {                  #指定主服务器IP
 48         keys { master-slave; };        #指定密钥对
 49 };
 50
 51 logging {
 52         channel default_debug {
 53                 file "data/named.run";
 54                 severity dynamic;
 55         };
 56 };

5.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

部署DNS分离解析

通常利用DNS的分离解析来达到针对不同的客户端访问网站时,分别解析到不同的主机,以达到负载均衡的目的.
举例来说明,中国的访客和美国的访客,同时访问一个网站,如果是美国的访客我们将其解析到美国的机房,如果是中国的访客我们将其解析到中国的机房,从而实现了快速上网,快速访问资源的目的,这一点有点类似于CND内容分发网络.

以下实验,将配置一台主DNS服务,通过使用view视图实现分离解析,中国的用户自动访问到中国的主机,美国的用户自动访问到美国的主机,由于没有合适的资源这里只做演示,(注意:假设(IP=10.10.10.0/24是中国区域),(IP=20.20.20.0/24是美国区域),(中国用户解析到IP=59.110.167.239),(美国用户解析到IP=55.125.212.110)).

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.修改主配置文件,把第13行和19行改为any,由于分离解析功能与DNS根域冲突,所以还要屏蔽掉(51-57)行的根域区域.

[root@localhost ~]# vim /etc/named.conf

 12 options {
 13         listen-on port 53 { any; };
 14         listen-on-v6 port 53 { ::1; };
 15         directory       "/var/named";
 16         dump-file       "/var/named/data/cache_dump.db";
 17         statistics-file "/var/named/data/named_stats.txt";
 18         memstatistics-file "/var/named/data/named_mem_stats.txt";
 19         allow-query     { any; };
.....
 52 #zone "." IN {                       #此处应屏蔽掉,防止冲突
 53 #       type hint;
 54 #       file "named.ca";
 55 #};
 56
 57 include "/etc/named.rfc1912.zones";

3.编辑区域配置文件,把区域配置文件原有内容清空,然后根据以下格式写入内容

[root@localhost ~]# vim /etc/named.rfc1912.zones

  4 //
  5 // ISC BIND named zone configuration for zones recommended by
  6 // RFC 1912 section 4.1 : localhost TLDs and address zones
  7 // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
  8 // (c)2007 R W Franks
  9 //
 10 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 11 //
 12
 13 acl "china" { 10.10.10.0/24; };                  #假设,这个网段属于中国区域
 14 acl "american" { 20.20.20.0/24; };               #假设,这个网段属于美国区域
 15
 16 view "china" {
 17
 18         match-clients { "china"; };
 19         zone "lyshark.org" {
 20                 type master;
 21                 file "lyshark.org.china";
 22         };
 23 };
 24
 25 view "american" {
 26
 27         match-clients { "american"; };
 28         zone "lyshark.org" {
 29                 type master;
 30                 file "lyshark.org.american";
 31         };
 32 };

4.建立对应的区域配置文件,分别拷贝两个模板.

[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.china
[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.american

5.分别修改两个配置模板,china解析成=59.110.167.239,american解析成=55.125.212.110

[root@localhost ~]# cat /var/named/lyshark.org.china
$TTL 1D
@       IN SOA  lyshark.org. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.lyshark.org.
ns      A       127.0.0.1
www     A       59.110.167.239                             #中国用户解析到 59.110.167.239

[root@localhost ~]# cat /var/named/lyshark.org.american
$TTL 1D
@       IN SOA  lyshark.org. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.lyshark.org.
ns      A       127.0.0.1
www     A       55.125.212.110                            #美国用户解析到 55.125.212.110

6.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named

部署DNS负载均衡

在日常的生产环境中,其实DNS也是可以作为一个负载均衡器使用的,下面我们将介绍通过配置DNS域名失效时间的方式,来实现一个负载调度器.

以下实验,将配置一台主DNS服务,并实现负载均衡.(注意:请自行搭建3个Http服务,IP1=192.168.1.10,IP2=192.168.1.20,iP3=192.168.1.30)

1.首先通过yum仓库,安装bind域名解析系统,和bind-chroot

[root@localhost ~]# yum install -y bind bind-chroot bind-libs
Loaded plugins: product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager.
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-chroot-9.9.4-61.el7.x86_64 already installed and latest version
Package 32:bind-libs-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2.编辑bind主配置文件,修改以下几行配置

[root@localhost ~]# vim /etc/named.conf

options {
        listen-on port 53 { any; };                                    #侦听任何ipv4地址
        listen-on-v6 port 53 { ::any; };                               #侦听任何ipv6地址
        allow-query     { any; };                                      #允许任何主机查询
        .....
}

3.接着创建区域名称,在配置文件底部

[root@localhost ~]# vim /etc/named.rfc1912.zones

....
zone "lyshark.org" IN {                                 #正向区域名
        type master;                                    #区域类型
        file "lyshark.org.zone";                        #区域文件名
};

4.拷贝默认区域配置模板,只拷贝正向区域即可

[root@localhost ~]# cp -a /var/named/named.localhost /var/named/lyshark.org.zone    #复制正向模板

5.编辑正向模板的zone记录,修改正向解析,在正向解析记录的基础上简单修改即可实现

[root@localhost ~]# vim /var/named/lyshark.org.zone

$TTL 1D
@       IN SOA  dns.lyshark.org. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      dns.lyshark.org.
dns     A       127.0.0.1


www.lyshark.org.  1 IN  A       192.168.1.10            #web1的IP地址
www.lyshark.org.  2 IN  A       192.168.1.20            #web2的IP地址
www.lyshark.org.  3 IN  A       192.168.1.30            #web3的IP地址

6.重启bind服务,并设置成开机自启动

[root@localhost ~]# systemctl restart named
[root@localhost ~]# systemctl enable named