
    DNS Part 3: Implementing the TCP/UDP functions of DNS and subdomain delegation

    Verifying the roles of TCP and UDP port 53:

    Delete the zone file under /var/named/slaves/ on slave server B:

    [root@centos7_1 slaves]# rm -rf /var/named/slaves/baidu.com.zone.slave   # delete the slave's copy of the zone
    [root@centos7_1 slaves]# systemctl restart named  # restart the DNS service on B
    [root@centos7_1 slaves]# ls  # the zone is transferred from the master again
    baidu.com.zone.slave
    [root@ansible~]#iptables -A INPUT -p tcp --dport 53 -j REJECT  # on master server A: reject inbound TCP to port 53
    [root@centos7_1 slaves]# systemctl restart named  # restart the service on B again
    [root@centos7_1 slaves]# ls  # now the zone can no longer be copied from the master
    

    On client C, dig can still look up the records; this answer arrives over UDP port 53:

    [root@centos6network-scripts]#dig www.baidu.com
     
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.baidu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3449
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
     
    ;; QUESTION SECTION:
    ;www.baidu.com.         IN  A
     
    ;; ANSWER SECTION:
    www.baidu.com.      86400   IN  CNAME   webs.baidu.com.
    webs.baidu.com.     86400   IN  A   66.66.66.66
     
    ;; AUTHORITY SECTION:
    baidu.com.      86400   IN  NS  dns1.baidu.com.
    baidu.com.      86400   IN  NS  dns2.baidu.com.
     
    ;; ADDITIONAL SECTION:
    dns1.baidu.com.     86400   IN  A   192.168.34.101
    dns2.baidu.com.     86400   IN  A   192.168.34.103
     
    ;; Query time: 10 msec
    ;; SERVER: 192.168.34.101#53(192.168.34.101)
    ;; WHEN: Thu Nov  7 11:14:25 2019
    ;; MSG SIZE  rcvd: 136
    

    Summary: TCP port 53 carries master/slave zone replication; UDP port 53 serves queries.
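As an added example (not code from the original post), the following minimal Python client builds the same A query dig sent above, can send it over UDP or over TCP with TCP's 2-byte length framing, and decodes the header into the flag names dig prints. It also checks the TC flag: when a UDP answer is truncated the client has to repeat the query over TCP, so rejecting TCP/53 affects large answers as well as zone transfers. The server address 192.168.34.101 is server A from the page.

```python
import socket
import struct

FLAG_BITS = {"qr": 0x8000, "aa": 0x0400, "tc": 0x0200, "rd": 0x0100, "ra": 0x0080}

def build_query(qname, qtype=1, txid=0x1234):
    """Encode a DNS query (12-byte header + question) in RFC 1035 wire format, RD set."""
    header = struct.pack("!HHHHHH", txid, FLAG_BITS["rd"], 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN

def tcp_frame(msg):
    """Over TCP every DNS message is prefixed with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Decode the header into the flag names dig prints plus the four section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0xF,
            "flags": [n for n, bit in FLAG_BITS.items() if flags & bit],
            "counts": {"query": qd, "answer": an, "authority": ns, "additional": ar}}

def needs_tcp_retry(msg):
    """True when a UDP answer carries TC: the server cut it short, so the client
    must repeat the query over TCP port 53 (blocking TCP/53 breaks more than AXFR)."""
    return "tc" in parse_header(msg)["flags"]

def query(server, qname, qtype=1, use_tcp=False, timeout=2.0):
    """Send one query over UDP (default) or TCP port 53 and return the raw response."""
    msg = build_query(qname, qtype)
    if not use_tcp:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(msg, (server, 53))
            return s.recv(4096)
    with socket.create_connection((server, 53), timeout) as s:
        s.sendall(tcp_frame(msg))
        length = struct.unpack("!H", s.recv(2))[0]
        data = b""
        while len(data) < length:               # read until the framed message is complete
            data += s.recv(length - len(data))
        return data

if __name__ == "__main__":
    # Mirrors the page's check from client C against server A (192.168.34.101).
    for tcp in (False, True):
        resp = query("192.168.34.101", "www.baidu.com", use_tcp=tcp)
        print("TCP" if tcp else "UDP", parse_header(resp))
```

With the iptables rule from the page in place, the UDP call still returns flags qr aa rd ra while the TCP call times out.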

    Implementing subdomain delegation: child and parent domain on the same host (this section can be skipped)

    (1) Create the subdomain: on master server A (the parent domain), add the beijing.baidu.com zone to /etc/named.rfc1912.zones:

    [root@ansiblenamed]#vim /etc/named.rfc1912.zones
    zone  "baidu.com" {
            type master;
            file "baidu.com.zone";
    };
     
    zone  "beijing.baidu.com" {
            type master;
            file "beijing.baidu.com.zone";
    };
    

    Create the beijing.baidu.com zone file; once it is configured, start DNS with systemctl start named:

    [root@ansible~]#cd /var/named
    [root@ansiblenamed]#ls
    192.168.34.zone  beijing.baidu.com.zone  dynamic   named.empty      named.loopback
    baidu.com.zone   data                    named.ca  named.localhost  slaves
    [root@ansiblenamed]#vim beijing.baidu.com.zone
     
    $TTL 1D
    @       IN SOA  dns1  admin (
                                            1       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      dns1
    dns1    A   192.168.34.101  ; the subdomain's nameserver points at the parent domain's IP address
    www    CNAME    webs
    webs   A      88.88.88.88
     
    [root@ansiblenamed]# chgrp named beijing.baidu.com.zone  # set the group to named, consistent with the other zone files
    [root@ansiblenamed]#  chmod  640   beijing.baidu.com.zone  # mode 640 keeps the file readable by named only, not by other users
    

    (2) On client C, use dig to query the newly configured subdomain:

    [root@centos6network-scripts]#dig www.baidu.com  # query the master server's baidu.com domain
     
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.baidu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41274
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2
     
    ;; QUESTION SECTION:
    ;www.baidu.com.         IN  A
     
    ;; ANSWER SECTION:
    www.baidu.com.      86400   IN  CNAME   webs.baidu.com.
    webs.baidu.com.     86400   IN  A   66.66.66.66
     
    ;; AUTHORITY SECTION:
    baidu.com.      86400   IN  NS  dns2.baidu.com.
    baidu.com.      86400   IN  NS  dns1.baidu.com.
     
    ;; ADDITIONAL SECTION:
    dns1.baidu.com.     86400   IN  A   192.168.34.101
    dns2.baidu.com.     86400   IN  A   192.168.34.103
     
    ;; Query time: 0 msec
    ;; SERVER: 192.168.34.103#53(192.168.34.103)
    ;; WHEN: Thu Nov  7 11:57:45 2019
    ;; MSG SIZE  rcvd: 136
     
    [root@centos6network-scripts]#dig www.beijing.baidu.com  # query the subdomain
     
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.beijing.baidu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59333
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
     
    ;; QUESTION SECTION:
    ;www.beijing.baidu.com.     IN  A
     
    ;; ANSWER SECTION:
    www.beijing.baidu.com.  86400   IN  CNAME   webs.beijing.baidu.com.
    webs.beijing.baidu.com. 86400   IN  A   88.88.88.88
     
    ;; AUTHORITY SECTION:
    beijing.baidu.com.  86400   IN  NS  dns1.beijing.baidu.com.
     
    ;; ADDITIONAL SECTION:
    dns1.beijing.baidu.com. 86400   IN  A   192.168.34.101
     
    ;; Query time: 4 msec
    ;; SERVER: 192.168.34.101#53(192.168.34.101)
    ;; WHEN: Thu Nov  7 11:57:54 2019
    ;; MSG SIZE  rcvd: 109
    

    Implementing subdomain delegation: parent and child domain on different hosts

    Parent/child domain delegation architecture diagram (image not reproduced on this page).

    1. Configure a shenzhen subdomain on the master DNS server

    (1) Edit master server A's zone file /var/named/baidu.com.zone and add a shenzhen delegation:

    [root@ansiblenamed]#vim /var/named/baidu.com.zone
     
    $TTL 1D
    @       IN SOA  dns1  admin.baidu.com. (
                                            1       ; serial (increase it after every edit so slave B transfers the change)
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      dns1
            NS      dns2
    shenzhen NS     dns3        ; delegate the shenzhen subdomain to dns3
    dns1    A   192.168.34.101
    dns2    A   192.168.34.103
    dns3    A   192.168.34.102   ; glue record: dns3 is the host 192.168.34.102 that serves shenzhen
     
    www    CNAME    webs
    webs   A      66.66.66.66
    

    (2) Reload the DNS service on master server A:

    [root@ansiblenamed]#rndc reload
    server reload successful
    

    Note: check the configuration file for typos.

    (3) Install the DNS service on the subdomain DNS server and configure the related DNS files:

    yum  install bind
     
    [root@centos102 ~]# vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };   // commented out so named listens on all IPv4 addresses, not only loopback
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };     // commented out; BIND then uses its default of answering queries from any host
    

    (4) Edit /etc/named.rfc1912.zones on the subdomain DNS server:

    [root@centos102 ~]# vim /etc/named.rfc1912.zones
    zone "shenzhen.baidu.com" {
            type master;
            file "shenzhen.baidu.com.zone";
    };
    

    (5) On the subdomain DNS server, copy master server A's zone file over scp and fix its group ownership:

    [root@centos102 ~]# scp -p 192.168.34.103:/var/named/baidu.com.zone  /var/named/shenzhen.baidu.com.zone
    [root@centos102 named]# ll
    total 32
    drwxrwx--- 2 named named 4096 Mar 23  2017 data
    drwxrwx--- 2 named named 4096 Mar 23  2017 dynamic
    -rw-r----- 1 root  named 3171 Jan 11  2016 named.ca
    -rw-r----- 1 root  named  152 Dec 15  2009 named.empty
    -rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
    -rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
    -rw-r----- 1 root  root   296 Nov  7 12:11 shenzhen.baidu.com.zone  # group is root, so named cannot read this 640 file
    drwxrwx--- 2 named named 4096 Mar 23  2017 slaves
    [root@centos102 named]# chgrp named shenzhen.baidu.com.zone   # set the group of shenzhen.baidu.com.zone to named
    

    (6) Edit the shenzhen.baidu.com.zone file on the subdomain DNS server:

    [root@centos7-2 named]# vim shenzhen.baidu.com.zone
    $TTL 1D
    @       IN SOA  dns1  admin (
                                            1       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      dns1
    dns1    A   192.168.34.102
     
    www    CNAME    webs
    webs   A      7.7.7.7
    

    Note: check both the configuration file and the zone file for errors.

    named-checkconf  # check named.conf for syntax errors
    named-checkzone  baidu.com  /var/named/baidu.com.zone  # check a zone file (zone name, then file); on the subdomain server use shenzhen.baidu.com and /var/named/shenzhen.baidu.com.zone
    

    (7) Start the (subdomain) DNS service:

    [root@centos7-2 named]# systemctl start named
    

    3. Verify on the client

    At this point the client has not been configured with the IP address of the DNS server that serves the shenzhen.baidu.com subdomain; run dig on the client to look up the subdomain:

    [root@centos6~]#cat /etc/resolv.conf  # check which DNS servers the client points at
    # Generated by NetworkManager
    search 10.localdomain
    nameserver 192.168.34.101
    nameserver 192.168.34.103
    [root@centos6~]#dig www.shenzhen.baidu.com   # the iterative lookup through the delegation now works
     
    ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.shenzhen.baidu.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15796
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
     
    ;; QUESTION SECTION:
    ;www.shenzhen.baidu.com.        IN  A
     
    ;; ANSWER SECTION:
    www.shenzhen.baidu.com. 86266   IN  CNAME   webs.shenzhen.baidu.com.
    webs.shenzhen.baidu.com. 86266  IN  A   7.7.7.7
     
    ;; AUTHORITY SECTION:
    shenzhen.baidu.com. 86266   IN  NS  dns1.shenzhen.baidu.com.
     
    ;; ADDITIONAL SECTION:
    dns1.shenzhen.baidu.com. 86266  IN  A   192.168.34.102
     
    ;; Query time: 4 msec
    ;; SERVER: 192.168.34.101#53(192.168.34.101)
    ;; WHEN: Thu Nov  7 16:35:25 2019
    ;; MSG SIZE  rcvd: 110
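As an added example (not code from the original post), the following Python zone-file check covers the delegation configured above: it parses the parent zone, reports any delegation NS whose target has no A record in the zone (the glue; a hypothetical misspelling such as an A record for dhs3 instead of dns3 would be flagged), and shows which nameserver and glue address the parent hands out for a name under shenzhen.baidu.com. That referral is the hop server A took before answering client C, which is why the final dig shows flags qr rd ra without aa: A answered from recursion, not from its own zone. The zone text is constructed from the page's records.

```python
import re

# Constructed zone text modelled on the page's parent zone: baidu.com delegates the
# shenzhen subdomain to dns3, and dns3's A record is the glue a resolver needs to get there.
PARENT_ZONE = """$TTL 1D
@   IN SOA dns1 admin.baidu.com. ( 1 1D 1H 1W 3H )
    NS dns1
shenzhen NS dns3        ; delegation of the subdomain
dns1 A 192.168.34.101
dns3 A 192.168.34.102   ; glue: owner name must match the NS target exactly
www  CNAME webs
webs A 66.66.66.66
"""

def parse_zone(text, origin):
    """Parse a small BIND-style zone into (owner, type, rdata) tuples with absolute names."""
    fq = lambda n: origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}")
    text = re.sub(r";[^\n]*", "", text)       # drop ; comments (zone files do not use #)
    text = re.sub(r"\([^)]*\)", "", text)      # fold the parenthesised SOA onto one line
    records, owner = [], origin
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue
        if not line[0].isspace():              # explicit owner; otherwise inherit the previous one
            owner, fields = fields[0], fields[1:]
        if fields and fields[0] == "IN":
            fields = fields[1:]
        if len(fields) < 2 or fields[0] == "SOA":
            continue
        rtype, rdata = fields[0], fields[1]
        records.append((fq(owner), rtype, fq(rdata) if rtype in ("NS", "CNAME") else rdata))
    return records

def delegation_problems(records, origin):
    """Map each delegated subdomain to NS targets inside this zone that have no A record (no glue)."""
    have_a = {o for o, t, _ in records if t == "A"}
    problems = {}
    for owner, t, target in records:
        if t == "NS" and owner != origin and target.endswith("." + origin) and target not in have_a:
            problems.setdefault(owner, []).append(target)
    return problems

def delegation_for(records, origin, qname):
    """(nameserver, glue IP) the parent hands out for qname, or None when it answers itself."""
    for owner, t, target in records:
        if t == "NS" and owner != origin and (qname == owner or qname.endswith("." + owner)):
            return target, {o: r for o, ty, r in records if ty == "A"}.get(target)
    return None
```

Run delegation_problems on the real /var/named/baidu.com.zone after every edit, alongside named-checkzone, before reloading.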
    

    Reposted from https://www.cnblogs.com/struggle-1216/p/12582252.html

    Thank you for reading. Copyright of this article is shared by the author and cnblogs; reposting is welcome provided the original source is clearly cited on the page, otherwise legal action may be taken. Original link: https://www.cnblogs.com/strugger-0316
    Original article: https://www.cnblogs.com/strugger-0316/p/14970719.html