2025-04-08 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Background introduction
As a basic service on the Internet, the DNS service converts the names requested by users into the corresponding IP addresses, or IP addresses into names. DNS actually divides the FQDNs of all hosts on the Internet, rooted at ".", into several zones, each of which is managed by a specific host. Take forward resolution as an example: when a user requests resolution of the name www.contoso.com, the local DNS server first checks whether its cache already holds an IP for that name. If not, there are two cases:
When the client sends the request to the local DNS server (1), if the local DNS server does not allow recursive queries, it immediately reports to the client that it cannot find the IP corresponding to the name (2). The query between the client and the local DNS server is a recursive query. If the local DNS server allows recursive queries and cannot find the IP for the name in its cache or in its local zone resolution library files, it first asks the root domain (3); the root domain tells the local DNS server the IP of the .com domain (4); the local DNS server then asks the .com domain (5), and so on until it obtains the IP of the www.contoso.com host (10). The local DNS server returns the address to the client (2), the client uses the obtained IP to access the www.contoso.com host (11), and the local DNS server records the name and its IP in its own cache.
Of the steps above, (2) is a recursive query and (3)-(10) are iterative queries. Because allowing recursion consumes a lot of server resources, many large DNS servers, such as the root domain servers, do not allow recursive queries. Whether recursion is enabled or disabled is defined in the BIND configuration file /etc/named.conf.
When a user enters an address such as www.contoso.com and the local DNS server has no record of it, it goes to the root zone to resolve it. Strictly speaking, every FQDN ends with a ".", which may be omitted; the trailing "." represents the root zone, so the complete FQDN of www.contoso.com is www.contoso.com., and DNS looks up the zones one by one when resolving. There are 13 root domain name servers in the world. The root zone is shipped with the DNS service by default when you install it, and the file that records the root zone can be seen in the BIND configuration file /etc/named.conf.
Create a forward resolution DNS server
1. Install the DNS service with yum install bind -y. The DNS configuration is split into several files: besides the main configuration file /etc/named.conf, zones can also be defined in /etc/named.rfc1912.zones. By default, after installation the DNS service only listens on its own 127.0.0.1 port 53 socket and provides no service to others. To serve external clients, add the server's own IP address to the listen list and set allow-query to any, which allows anyone to query. DNSSEC is a mechanism that prevents DNS records from being poisoned; beginners or testers are advised to turn this option off. // is the comment character in the BIND configuration file. directory defines the directory where the zone resolution library files are stored; the zone files normally live in /var/named under the name XXXX.zone.
After completing the modifications above, restart the named service or run rndc reload to tell named to reread its configuration file. If the server can reach the Internet, it is now a caching DNS server.
2. Create a resolution zone. Add the zone to be resolved in /etc/named.rfc1912.zones. type defines the role of this DNS server for the contoso.com zone; here it is defined as the primary server. file gives the location of the zone resolution library file; because directory is set in /etc/named.conf, a relative path can be used here, and the absolute path of the contoso.com.zone file is /var/named/contoso.com.zone.
3. Create the zone resolution library file. It consists of a number of RRs (Resource Records), and the format of a resource record is:
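As an added example (not part of the original tutorial), a small shell script that renders the options stanza and the two zone stanzas described in steps 1 and 2 and hands them to named-checkconf. The server address 172.16.10.10, the zone contoso.com and the 172.16.10.0/24 network are assumed values; with no networks passed to render_options the recursion setting is the open one the tutorial uses, otherwise recursion is limited to the networks listed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the options stanza the
# text describes for /etc/named.conf and the two zone stanzas for
# /etc/named.rfc1912.zones, then syntax-check them with named-checkconf.
# Server address 172.16.10.10 and zone contoso.com are assumed values.

# $1 = server IP; any further arguments are networks allowed to recurse.
# With none given, recursion is open to every client (the tutorial's test setup);
# with networks given, only those clients may recurse.
render_options() {
    ip=$1; shift
    echo 'options {'
    echo "    listen-on port 53 { 127.0.0.1; $ip; };   // add the server's own IP"
    echo '    directory         "/var/named";           // zone files live here'
    echo '    allow-query       { any; };               // anyone may query'
    echo '    recursion         yes;'
    if [ $# -gt 0 ]; then
        echo "    allow-recursion   { $(printf '%s; ' "$@")};"
    fi
    echo '    dnssec-validation no;                     // off while testing'
    echo '};'
}

# $1 = forward zone, $2 = reverse zone, $3 = reverse zone file name.
# "file" is relative to the directory option, so contoso.com.zone is /var/named/contoso.com.zone.
render_zones() {
    echo "zone \"$1\" IN { type master; file \"$1.zone\"; };"
    echo "zone \"$2\" IN { type master; file \"$3\"; };"
}

# Write both to a scratch file and let named-checkconf parse it, without
# touching the live configuration. Returns 1 if named-checkconf is missing.
check_config() {
    command -v named-checkconf >/dev/null 2>&1 || { echo 'named-checkconf not installed' >&2; return 1; }
    tmp=$(mktemp)
    { render_options "$@"; render_zones contoso.com 10.16.172.in-addr.arpa 172.16.10.zone; } > "$tmp"
    named-checkconf "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Example: the restricted variant, then check it (run on the DNS server).
# check_config 172.16.10.10 127.0.0.1 172.16.10.0/24
```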
Domain_name [TTL] IN rr_type value
Domain_name: the name of the current zone, such as contoso.com. (the trailing "." cannot be omitted). Because the current zone name is already defined in the /etc/named.rfc1912.zones configuration file, it can be abbreviated to @ here.
TTL: can be inherited from the global value, which is defined with $TTL at the beginning of the zone resolution library file.
rr_type: SOA, A, CNAME, MX, NS, etc. A zone resolution library has one and only one SOA (Start Of Authority) record, and it must be the first record in the file.
Value: composed of several parts. (1) The FQDN of the primary DNS server of the current zone, or the name of the current zone (abbreviated @). (2) The email address of the zone administrator. Because @ has a special meaning in this file, the @ in the mailbox is replaced with ".".
Within this file, if a field on the next line has the same value as the one above it, it can be omitted and inherits the value from the corresponding position of the previous line, for example the resource record type of NS. Also, if a name in the file does not end with ".", the zone name is automatically appended to it, so either ns2 or ns2.contoso.com can be written. But if it is mistakenly written as ns2., it will be treated as two different zones, ns2. and contoso.com.
After creating the zone resolution library file, use the named-checkconf and named-checkzone commands to check the configuration file and the zone resolution library file for syntax errors.
After the check passes, test with the dig command. The aa (authoritative answer) flag indicates an authoritative answer: only the answer from the DNS server responsible for this zone is called authoritative; all other answers, such as those cached by other DNS servers during recursion, are non-authoritative.
Note that anyone can read the zone resolution library file created by the administrator, which is a security risk. It is recommended to change its permissions to 640 and its group to named.
Create a reverse resolution DNS server
First, note that the reverse resolution zone and the forward resolution zone are two different zones, each with its own zone resolution library file, and both can be on the same server. In most scenarios the forward and reverse resolution zones are deployed on the same server.
1. Create the resolution zone. The name of a reverse resolution zone is the reversed network address followed by .in-addr.arpa. Add the reverse zone in the /etc/named.rfc1912.zones configuration file. For the zone name, the trailing "." can be omitted, while the zone resolution library file name (file) can be chosen freely.
2. Create the reverse zone resolution library file, 172.16.10.zone, in the /var/named/ directory. A reverse zone file does not need MX, A or AAAA records; it consists mainly of PTR records. $ORIGIN is used to complete names: for example, 10 is completed to 10.10.16.172.in-addr.arpa. (This variable need not be set, because the zone name was already defined when the resolution zone was created.) Note that the value here cannot be abbreviated, otherwise 10.16.172.in-addr.arpa. will be appended to complete it.
3. Also use the chmod and chown commands to change the permissions and group of the /var/named/172.16.10.zone file just created. After checking with named-checkconf and named-checkzone, verify with dig -x 172.16.10.20 @172.16.10.10 or with the host command. Here host is used as an example.
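As an added example (not the tutorial's own files), one shell script that renders the forward zone file from step 3 of the previous section and the reverse zone file from this section, installs each with the 640 permissions and named group the text recommends, and runs named-checkzone, named-checkconf and dig. The zone contoso.com, the 172.16.10.0/24 network and the host names are assumed.

```shell
#!/bin/sh
# Added example, not from the original tutorial: render the forward zone for
# contoso.com and the reverse zone for 172.16.10.0/24, install them with the
# 640/named permissions the text recommends, and run the BIND checks. Assumed values.
ZONE=contoso.com
NET=172.16.10                          # the three network octets of the /24
# Reverse zone name: octets reversed plus in-addr.arpa, 172.16.10 -> 10.16.172.in-addr.arpa
reverse_zone_name() {
    echo "$1" | awk -F. '{ for (i = NF; i > 0; i--) printf "%s.", $i; print "in-addr.arpa" }'
}
# Forward zone. SOA comes first; @ stands for the zone name from the zone stanza, and
# admin@contoso.com is written admin.contoso.com. because @ is reserved. An omitted owner
# repeats the previous line's; a name without a trailing "." gets the zone name appended.
forward_zone() {
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.$ZONE. admin.$ZONE. ( 2024010101 1H 10M 1W 1D )
        IN NS   ns1
        IN NS   ns2
        IN MX   10 mail
ns1     IN A    $NET.10
ns2     IN A    $NET.11
mail    IN A    $NET.20
www     IN A    $NET.20
EOF
}
# Reverse zone: PTR records only. The owner "10" is completed to
# 10.10.16.172.in-addr.arpa., but every PTR value must end in "." or the
# reverse zone name would be appended to it.
reverse_zone() {
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.$ZONE. admin.$ZONE. ( 2024010101 1H 10M 1W 1D )
        IN NS   ns1.$ZONE.
10      IN PTR  ns1.$ZONE.
11      IN PTR  ns2.$ZONE.
20      IN PTR  www.$ZONE.
EOF
}
# Write a zone file readable by root and the named group only, then check its syntax.
install_zone() {   # $1 = zone name, $2 = path; zone text on stdin
    cat > "$2" && chgrp named "$2" && chmod 640 "$2" && named-checkzone "$1" "$2"
}
deploy() {   # run as root on the DNS server once both zone stanzas are in place
    forward_zone | install_zone "$ZONE" "/var/named/$ZONE.zone"
    reverse_zone | install_zone "$(reverse_zone_name "$NET")" "/var/named/$NET.zone"
    named-checkconf && rndc reload
    dig +noall +comments +answer "www.$ZONE" @127.0.0.1   # flags line should show "aa"
}
```

On the server, source the script and call deploy as root; the flags line of the dig output should contain aa, the authoritative answer the text describes.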
Supplementary explanation
The dig command does not query the local hosts file.
rndc (Remote Name Daemon Control): installed on the same host as bind by default, and can only connect to the named process through 127.0.0.1; it provides auxiliary management functions and listens on TCP port 953.