
    使用unbound提供DNS域名解析服务

    # 作者:Eric
    # 微信:loveoracle11g
    
    
    # 先配yum仓库
    [root@server1 ~]# cd /etc/yum.repos.d/
    [root@server1 yum.repos.d]# ls
    [root@server1 yum.repos.d]# vim racooler.repo
    [racooler]
    name=rhel7
    baseurl=file:///media/cdrom
    enabled=1
    gpgcheck=0
    
    
    [root@server1 yum.repos.d]# mkdir -p /media/cdrom
    [root@server1 yum.repos.d]# mount /dev/cdrom /media/cdrom/
    mount: /dev/sr0 is write-protected, mounting read-only
    
    
    [root@server1 yum.repos.d]# yum repolist all 
    Loaded plugins: langpacks, product-id, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    racooler                                                           | 4.1 kB  00:00:00     
    (1/2): racooler/group_gz                                           | 134 kB  00:00:00     
    (2/2): racooler/primary_db                                         | 3.4 MB  00:00:00     
    repo id                                repo name                            status
    racooler                               rhel7                                enabled: 4,305
    repolist: 4,305
    [root@server1 yum.repos.d]#
    
    
    [root@server1 yum.repos.d]# yum clean 
    Loaded plugins: langpacks, product-id, subscription-manager
    This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
    Error: clean requires an option: headers, packages, metadata, dbcache, plugins, expire-cache, rpmdb, all
    [root@server1 yum.repos.d]#
    
    
    [root@server1 yum.repos.d]# yum list all | wc -l
    4405
    
    
    # DNS的查询方式
    迭代查询:服务器与服务器之间的查询。本地域名服务器向根域名服务器的查询通常是采用迭代查询(反复查询)。当根域名服务器收到本地域名服务器的迭代查询请求报文时,要么给出所要查询的IP地址,要么告诉本地域名服务器下一步应向那个域名服务器进行查询。然后让本地域名服务器进行后续的查询。
    递归查询:客户端与服务器之间的查询。主机向本地域名服务器的查询一般都是采用递归查询。如果主机所询问的本地域名服务器不知道被查询域名的 IP 地址,那么本地域名服务器就以 DNS 客户的身份,向其他根域名服务器继续发出查询请求报文。最后会给客户端一个准确的返回结果,无论是成功与否。
    
    # DNS解析类型
    正向解析:由域名解析到IP地址。
    反向解析:由IP地址解析到域名。
    
    # 名称解析方式
    hosts文件(/etc/hosts)、dns、广播、解析缓存、wins(windows中)等
    DNS安装配置:
    在RHEL5、6中dns都是用的是bind软件包,而在RHEL7用的是unbound安装包,配置文件也有了改变。
    
    
    [root@server1 ~]# yum -y install unbound*
    
    [root@server1 ~]# systemctl start unbound
    [root@server1 ~]# systemctl enable unbound
    ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'
    
    
    [root@server1 ~]# systemctl stop iptables
    [root@server1 ~]# systemctl disable iptables
    [root@server1 ~]# systemctl mask iptables
    ln -s '/dev/null' '/etc/systemd/system/iptables.service'
    
    
    [root@server1 ~]# systemctl stop ebtables
    [root@server1 ~]# systemctl disable ebtables
    [root@server1 ~]# systemctl mask ebtables
    ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
    
    
    [root@server1 ~]# firewall-cmd --permanent --add-service=dns
    success
    [root@server1 ~]# firewall-cmd --reload
    success
    [root@server1 ~]# firewall-cmd --list-all
    public (default, active)
      interfaces: eno16777728
      sources: 
      services: dhcpv6-client dns ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules: 
    
    [root@server1 ~]#
    
    # DNS服务器上firewall开放DNS访问OK
    [root@server1 ~]# netstat -tunlp | grep unbound
    tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      2114/unbound        
    tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      2114/unbound        
    tcp6       0      0 ::1:8953                :::*                    LISTEN      2114/unbound        
    tcp6       0      0 ::1:53                  :::*                    LISTEN      2114/unbound        
    udp        0      0 127.0.0.1:53            0.0.0.0:*                           2114/unbound        
    udp6       0      0 ::1:53                  :::*                                2114/unbound        
    [root@server1 ~]#
    
    
    [root@server1 ~]# ss -tunlp | grep unbound
    tcp    UNCONN     0      0              127.0.0.1:53                    *:*      users:(("unbound",2114,5))
    tcp    UNCONN     0      0                    ::1:53                   :::*      users:(("unbound",2114,3))
    tcp    LISTEN     0      5              127.0.0.1:8953                  *:*      users:(("unbound",2114,8))
    tcp    LISTEN     0      5              127.0.0.1:53                    *:*      users:(("unbound",2114,6))
    tcp    LISTEN     0      5                    ::1:8953                 :::*      users:(("unbound",2114,7))
    tcp    LISTEN     0      5                    ::1:53                   :::*      users:(("unbound",2114,4))
    [root@server1 ~]#
    
    # 默认监听本地回环地址,也就是现在只有自己能访问DNS服务,其它主机不能访问本机的DNS服务。
    
    
    [root@server1 ~]# vim /etc/unbound/unbound.conf
    # 修改监听地址
    38         # interface: 0.0.0.0
    39         interface: 0.0.0.0
    
    # 让所有主机能够向本机查询DNS
    # 注意:0.0.0.0/0 allow 会使本机成为对任意来源开放的递归解析器(open resolver),可能被用于放大攻击;生产环境应只放行可信网段,例如 access-control: 192.168.10.0/24 allow
    177         # access-control: 0.0.0.0/0 refuse
    178         access-control: 0.0.0.0/0 allow
    
    # 禁用服务用户
    # 每个服务都有其专用的服务用户,DNS的服务用户为unbound,实际情况下服务用户的启用有可能有安全隐患,这里先禁用服务用户。
    # 注意:username 置空后 unbound 启动时不再切换到 unbound 用户,进程将一直以 root 身份运行,相当于放弃了降权保护;生产环境建议保留默认的 username: "unbound"
    213         # username: "unbound"
    214         username: ""
    
    
    [root@server1 ~]# systemctl restart unbound
    
    [root@server1 ~]# netstat -tunlp | grep unbound
    tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      2814/unbound        
    tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      2814/unbound        
    tcp6       0      0 ::1:8953                :::*                    LISTEN      2814/unbound        
    udp        0      0 0.0.0.0:53              0.0.0.0:*                           2814/unbound        
    [root@server1 ~]#
    # 现在53号端口监听的是0.0.0.0,即所有网段都监听。
    
    
    # 创建解析文件
    [root@server1 ~]# hostname
    server1.example.com
    
    [root@server1 ~]# vim /etc/unbound/local.d/example.conf
    local-zone: "example.com." static
    local-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H"
    local-data: "ns.example.com. IN A 192.168.10.201"
    local-data: "www.example.com. IN A 192.168.10.201"
    local-data-ptr: "192.168.10.201 ns.example.com."
    local-data-ptr: "192.168.10.201 www.example.com."
    
    
    # 检查配置文件语法并重启服务
    [root@server1 ~]# unbound-checkconf 
    unbound-checkconf: no errors in /etc/unbound/unbound.conf
    [root@server1 ~]# systemctl restart unbound
    [root@server1 ~]#
    
    
    [root@server1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eno16777728
    TYPE=Ethernet
    BOOTPROTO=static
    DEFROUTE=yes
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=yes
    IPV6_DEFROUTE=yes
    IPV6_FAILURE_FATAL=no
    NAME=eno16777728
    UUID=cbce3ee7-6d18-4fc1-9ad4-4d175aa4ddbc
    ONBOOT=yes
    IPADDR0=192.168.10.201
    PREFIX0=24
    GATEWAY0=192.168.10.1
    DNS1=192.168.10.201
    HWADDR=00:0C:29:FA:32:28
    IPV6_PEERDNS=yes
    IPV6_PEERROUTES=yes
    
    [root@server1 ~]# systemctl restart network
    
    [root@server1 ~]# nslookup 
    > 192.168.10.201
    Server:		192.168.10.201
    Address:	192.168.10.201#53
    
    201.10.168.192.in-addr.arpa	name = www.example.com.
    201.10.168.192.in-addr.arpa	name = ns.example.com.
    > www.example.com
    Server:		192.168.10.201
    Address:	192.168.10.201#53
    
    Name:	www.example.com
    Address: 192.168.10.201
    > exit
    
    [root@server1 ~]#
    
  • 原文地址:https://www.cnblogs.com/zhouwanchun/p/10682443.html