Implementing the Internet DNS architecture

Published: 2023-09-19 06:15   Editor: 彭小芳   Keywords: none

The Internet DNS architecture is as shown in the figure below. The hosts used in this build are:

Host             OS       IP
www              centos6  192.168.73.2
client           centos6  192.168.73.3
mylinuxopsdns1   centos7  192.168.73.10
mylinuxopsdns2   centos7  192.168.73.20
comdns           centos7  192.168.73.30
rootdns          centos7  192.168.73.40
ldns             centos7  192.168.73.50

Part 1. Deploy the httpd service on the www host

1. Start the httpd service

[root@www ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]

2. Create a home page for the http host

[root@centos6 ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html

3. Test

[root@www ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>

Part 2. Configure mylinuxopsdns1 (the master DNS server)

1. Install the bind service

[root@mylinuxopsdns1 ~]# yum install bind -y

2. Start the service and enable it at boot

[root@mylinuxopsdns1 ~]# systemctl start named
[root@mylinuxopsdns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main DNS configuration file

Comment out the listen address line and the allow-query line:

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file and add the zone

[root@mylinuxopsdns1 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
        type master;
        file "mylinuxops.com.zone";
};

5. Create the zone database file

[root@mylinuxopsdns1 ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[root@mylinuxopsdns1 ~]# vim /var/named/mylinuxops.com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. (   ; the mailbox needs a trailing dot, or $ORIGIN is appended
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.73.10
slave   A       192.168.73.20
www     A       192.168.73.2

6. Check for syntax errors

[root@mylinuxopsdns1 ~]# named-checkconf
[root@mylinuxopsdns1 ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone
zone mylinuxops.com/IN: loaded serial 0
OK

7. Reload the configuration

[root@mylinuxopsdns1 ~]# rndc reload

8. Test from the client host

[root@client ~]# dig www.mylinuxops.com @192.168.73.10

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.mylinuxops.com.            IN      A

;; ANSWER SECTION:
www.mylinuxops.com.     86400   IN      A       192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.         86400   IN      NS      master.mylinuxops.com.

;; ADDITIONAL SECTION:
master.mylinuxops.com.  86400   IN      A       192.168.73.10

;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE  rcvd: 89

Part 3. Configure the slave DNS server mylinuxopsdns2

1. Install the bind service

[root@mylinuxopsdns2 ~]# yum install bind -y

2. Start the DNS service and enable it at boot

[root@mylinuxopsdns2 ~]# systemctl start named
[root@mylinuxopsdns2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main configuration file

Comment out the port line and the allow-query line:

[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file

[root@mylinuxopsdns2 ~]# vim /etc/named.rfc1912.zones
zone "mylinuxops.com" IN {
        type slave;
        masters { 192.168.73.10; };
        file "slaves/mylinuxops.zone";
};

5. Check for syntax errors

[root@mylinuxopsdns2 ~]# named-checkconf

6. Reload the configuration

[root@mylinuxopsdns2 ~]# rndc reload

7. Check that the zone database file has been transferred to the local host

[root@centos7 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone

8. Security hardening

Neither the master nor the slave DNS server restricts which hosts may pull the zone database (a zone transfer), which is very insecure, so the hosts' security needs to be hardened.

8.1 Edit the slave's main configuration file and add allow-transfer

[root@mylinuxopsdns2 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  { none; };
//      allow-query     { localhost; };
[root@mylinuxopsdns2 ~]# rndc reload
server reload successful

8.2 Edit the master's main configuration file and add allow-transfer so that only the slave may pull the zone data

[root@mylinuxopsdns1 ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  { 192.168.73.20; };
//      allow-query     { localhost; };
[root@mylinuxopsdns1 ~]# rndc reload
server reload successful
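As an added check (editor's example, not part of the original post), the script below audits a named.conf options block for the two settings that matter on the servers built here: whether allow-transfer is restricted, and whether recursion has been switched off. The post restricts transfers but leaves recursion at BIND's default of yes on the master, slave, com and root servers, which the `ra` flag in their dig answers shows, while also opening allow-query; an authoritative-only server should carry `recursion no;`. On the BIND 9.9 used in the post, a missing allow-transfer means transfers are allowed to any host, so "missing" is treated as a finding. The three sample configs are constructed to mirror the hardened master, the hardened slave and an untouched default; the helper names (option_value, transfer_policy, recursion_policy, audit) are hypothetical, and only POSIX sh and awk are used, so it runs without BIND installed.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): audit the
# allow-transfer and recursion settings of a named.conf options block.
# Helper names are hypothetical; sample configs are constructed below.

# option_value FILE NAME -> value of "NAME ...;" with // comments removed and
# braces, blanks and trailing semicolons stripped; nothing if the option is absent.
option_value() {
    awk -v name="$2" '
        { sub(/\/\/.*/, "") }                        # drop // comments first, so a
        $0 ~ ("(^|[ \t])" name "[ \t{]") {           # commented-out line never counts
            v = $0
            sub(".*" name "[ \t]*", "", v)           # keep the text after the name
            gsub(/[{} \t]/, "", v)                   # strip braces and blanks
            sub(/;+$/, "", v)                        # and trailing semicolons
            print v; exit
        }
    ' "$1"
}

# transfer_policy FILE -> none | any | missing | restricted:<address list>
transfer_policy() {
    v=$(option_value "$1" allow-transfer)
    case "$v" in
        "")   echo missing ;;      # BIND 9.9 default: transfers allowed to any host
        none) echo none ;;
        any)  echo any ;;
        *)    echo "restricted:$v" ;;
    esac
}

# recursion_policy FILE -> the explicit value, or "default" (BIND treats it as yes)
recursion_policy() {
    v=$(option_value "$1" recursion)
    if [ -n "$v" ]; then echo "$v"; else echo default; fi
}

# audit FILE ROLE -> "OK" or a space-separated list of findings. ROLE is
# "authoritative" (master, slave, comdns, rootdns) or "resolver" (ldns).
audit() {
    findings=""
    case "$(transfer_policy "$1")" in
        any|missing) findings="$findings open-axfr" ;;
    esac
    if [ "$2" = authoritative ]; then
        case "$(recursion_policy "$1")" in
            no) ;;
            *)  findings="$findings recursion-on" ;;
        esac
    fi
    if [ -n "$findings" ]; then echo "${findings# }"; else echo OK; fi
}

# Constructed sample configs (not the post's files) in a scratch directory.
D=$(mktemp -d)
MASTER_CONF=$D/master.named.conf
SLAVE_CONF=$D/slave.named.conf
DEFAULT_CONF=$D/default.named.conf

cat > "$MASTER_CONF" <<'EOF'
options {
//      listen-on port 53 { 127.0.0.1; };
        directory       "/var/named";
        recursion no;
        allow-transfer  { 192.168.73.20; };
//      allow-query     { localhost; };
};
EOF
cat > "$SLAVE_CONF" <<'EOF'
options {
        directory       "/var/named";
        allow-transfer  { none; };
//      allow-query     { localhost; };
};
EOF
cat > "$DEFAULT_CONF" <<'EOF'
options {
        directory       "/var/named";
//      allow-transfer  { none; };
//      allow-query     { localhost; };
};
EOF

for f in "$MASTER_CONF" "$SLAVE_CONF" "$DEFAULT_CONF"; do
    printf '%s: allow-transfer=%s recursion=%s -> %s\n' "$(basename "$f")" \
        "$(transfer_policy "$f")" "$(recursion_policy "$f")" "$(audit "$f" authoritative)"
done
```

Run against a real server's /etc/named.conf, the slave built in step 8.1 reports recursion-on because the post never adds `recursion no;`; the commented-out allow-transfer in the default sample shows why comment stripping has to happen before matching.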

Part 4. Build the DNS server for the com zone

1. Install the DNS service

[root@comdns ~]# yum install bind -y

2. Edit the main DNS configuration file

Comment out the listen IP line and the allow-query line:

[root@comdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

3. Edit the zone configuration file and add the com zone

[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
        type master;
        file "com.zone";
};

4. Create the zone database file (the mylinuxops NS records delegate mylinuxops.com to ns1 and ns2, and the ns1/ns2 A records are the glue for that delegation)

[root@comdns ~]# cp -p /var/named/{named.localhost,com.zone}
[root@comdns ~]# vim /var/named/com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      master
mylinuxops      NS      ns1
mylinuxops      NS      ns2
master          A       192.168.73.30
ns1             A       192.168.73.10
ns2             A       192.168.73.20

5. Check the configuration file syntax

[root@comdns ~]# named-checkconf
[root@comdns ~]# named-checkzone com /var/named/com.zone
zone com/IN: loaded serial 0
OK

6. Start the service

[root@comdns ~]# systemctl restart named

7. Test

Test from the client. Note that the answer carries the ra flag but no aa flag: comdns resolved www.mylinuxops.com recursively on the client's behalf (BIND's default is recursion yes) instead of returning a referral to ns1/ns2, as a real TLD server would.

[root@clinet ~]# dig www.mylinuxops.com @192.168.73.30

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.            IN      A

;; ANSWER SECTION:
www.mylinuxops.com.     86400   IN      A       192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.         86400   IN      NS      ns2.com.
mylinuxops.com.         86400   IN      NS      ns1.com.

;; ADDITIONAL SECTION:
ns1.com.                86400   IN      A       192.168.73.10
ns2.com.                86400   IN      A       192.168.73.20

;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE  rcvd: 131

Part 5. Build the DNS service for the root zone

1. Install the DNS service

[root@rootdns ~]# yum install bind -y

2. Edit the main configuration file

Comment out the listen address line and the allow-query line, and change the root zone definition at the bottom (from the stock hint zone to a master zone):

[root@rootdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
zone "." IN {
        type master;
        file "root.zone";
};

3. Create the root zone database

[root@rootdns ~]# cp -p /var/named/{named.localhost,root.zone}
[root@rootdns ~]# vim /var/named/root.zone
$TTL 1D
@       IN SOA  ns1 admin.mylinuxops.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
com     NS      master
ns1     A       192.168.73.40
master  A       192.168.73.30

4. Check for syntax errors

[root@rootdns ~]# named-checkconf
[root@rootdns ~]# named-checkzone . /var/named/root.zone
zone ./IN: loaded serial 0
OK

5. Start the DNS service

[root@rootdns ~]# systemctl start named
[root@rootdns ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

6. Test

[root@localhost ~]# dig www.mylinuxops.com @192.168.73.40

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.            IN      A

;; ANSWER SECTION:
www.mylinuxops.com.     86400   IN      A       192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.         85104   IN      NS      ns1.com.
mylinuxops.com.         85104   IN      NS      ns2.com.

;; ADDITIONAL SECTION:
ns1.com.                85104   IN      A       192.168.73.10
ns2.com.                85104   IN      A       192.168.73.20

;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE  rcvd: 131

Part 6. Configure the local DNS (the recursive resolver ldns)

1. Install the DNS service

[root@ldns ~]# yum install bind -y

2. Edit the main configuration file of the local DNS

Comment out the listen address line and the allow-query line, and turn off the two dnssec options (the private root built here is unsigned, so validation against BIND's built-in root trust anchor would fail):

[root@ldns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
        dnssec-enable no;
        dnssec-validation no;

3. Edit the local root hints file

Point the root hints file at the address of rootdns and delete all the other entries:

[root@ldns ~]# vim /var/named/named.ca
.                       518400  IN      NS      a.root-servers.net.
a.root-servers.net.     3600000 IN      A       192.168.73.40

Part 7. Test from the client

1. Configure the client's network interface so that its DNS points at the local DNS server

[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=on
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50

2. Restart the network service

[root@localhost ~]# systemctl restart network
[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.73.50

3. Test access to www.mylinuxops.com

[root@localhost ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>
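To make the resolution path behind that final curl explicit, here is an added example (editor's code, not from the original post) that walks the delegation chain ldns follows for www.mylinuxops.com: the named.ca hint points at rootdns, the root zone delegates com to comdns via the com NS record and its glue, the com zone delegates mylinuxops to ns1/ns2 with their glue, and the mylinuxops.com zone holds the A record. The three zone files are constructed inline from the post's data; zone_file stands in for "the server that serves this zone" in the post's host table, and the helper names (rr, zone_file, walk, resolve) are hypothetical. Only POSIX sh and awk are used.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post): walk the
# delegation chain for a name across the root, com and mylinuxops.com zones.
# Zone files are constructed here from the post's data; helper names are
# hypothetical.

D=$(mktemp -d)
ROOT_ZONE=$D/root.zone; COM_ZONE=$D/com.zone; MLO_ZONE=$D/mylinuxops.com.zone

cat > "$ROOT_ZONE" <<'EOF'
$TTL 1D
@       IN SOA  ns1 admin.mylinuxops.com. ( 0 1D 1H 1W 3H )
        NS      ns1
com     NS      master              ; delegation of com to comdns
ns1     A       192.168.73.40
master  A       192.168.73.30       ; glue for that delegation
EOF
cat > "$COM_ZONE" <<'EOF'
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. ( 0 1D 1H 1W 3H )
        NS      master
mylinuxops  NS  ns1                 ; delegation of mylinuxops.com
mylinuxops  NS  ns2
master  A       192.168.73.30
ns1     A       192.168.73.10       ; glue
ns2     A       192.168.73.20       ; glue
EOF
cat > "$MLO_ZONE" <<'EOF'
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. ( 0 1D 1H 1W 3H )
        NS      master
        NS      slave
master  A       192.168.73.10
slave   A       192.168.73.20
www     A       192.168.73.2
EOF

# rr FILE OWNER TYPE -> RDATA of the first record with that (relative) owner
# and type; prints nothing when there is none.
rr() {
    awk -v owner="$2" -v rtype="$3" '
        { sub(/;.*/, "") }                  # strip zone-file comments
        NF == 0 { next }
        $1 == owner {
            for (i = 2; i <= NF; i++)       # skip optional TTL / class fields
                if ($i == rtype) { print $(i + 1); exit }
        }
    ' "$1"
}

# zone_file ZONE -> the file holding that zone; stands in for "the server
# that serves it" (rootdns, comdns, mylinuxopsdns1) in the post's host table.
zone_file() {
    case "$1" in
        .)              echo "$ROOT_ZONE" ;;
        com)            echo "$COM_ZONE" ;;
        mylinuxops.com) echo "$MLO_ZONE" ;;
        *)              return 1 ;;
    esac
}

# walk FQDN -> one "referral: ..." line per delegation followed, then
# "answer: <ip>" or "nxdomain".
walk() {
    fqdn=${1%.}
    zone=.
    # reverse the labels: www.mylinuxops.com -> "com mylinuxops www"
    labels=$(printf '%s\n' "$fqdn" | tr '.' '\n' |
             awk '{ l[NR] = $0 } END { for (i = NR; i >= 1; i--) printf "%s ", l[i] }')
    for label in $labels; do
        file=$(zone_file "$zone") || { echo "no server for $zone"; return 0; }
        ns=$(rr "$file" "$label" NS)
        if [ -n "$ns" ]; then
            ip=$(rr "$file" "$ns" A)        # glue address of the delegated NS
            if [ "$zone" = . ]; then child=$label; else child=$label.$zone; fi
            echo "referral: $child -> $ns ($ip)"
            zone=$child
        else
            ip=$(rr "$file" "$label" A)
            if [ -n "$ip" ]; then echo "answer: $ip"; else echo nxdomain; fi
            return 0
        fi
    done
    echo "apex: $zone"                      # the name itself is a zone apex
}

# resolve FQDN -> only the final address, empty if there is none
resolve() {
    walk "$1" | awk '$1 == "answer:" { print $2 }'
}

walk www.mylinuxops.com
```

These three referral steps are what ldns performs iteratively on the client's behalf; in the post's build the intermediate servers would also answer recursively themselves (the ra flag in Parts 4 and 5), but a resolver with a root hint file follows exactly this NS-plus-glue chain.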


Original article: https://blog.51cto.com/11886307/2385725
