2025-04-12 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Database >
Shulou(Shulou.com)06/01 Report--
DNS is an application-layer protocol; by default it uses UDP port 53 and TCP port 53.
DNS name resolution methods:
Name -> IP: forward resolution
The first hop, from the client to its DNS server, is a recursive query: the client sends a single request and receives the final answer. The second hop, from that DNS server to other name servers, is an iterative query: several requests are sent to different name servers before the answer is obtained. These are the two DNS query types.
Generally, queries inside the network are recursive and queries toward the outside are iterative.
IP -> name: reverse resolution
Each level of server has its own database for the network segments it is responsible for, kept separately from the forward resolution database.
The process a complete query request goes through:
Client -> hosts file -> local DNS cache -> DNS server (recursion) -> then one of two cases:
(1) the server is responsible for the domain being resolved: it queries its own database directly and returns the answer
(2) the server is not responsible for the domain: server cache -> iteration
Master and slave DNS servers:
Master DNS server: maintains the zone database it serves; both read and write operations are possible
Slave DNS server: "copies" the zone database from the master DNS server or from another DNS server; read-only
The program that implements the DNS service on a Linux system is bind; after the bind package is installed, the running process is called named.
# yum install bind
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones
Zone database files live under the /var/named/ directory and are named after the zone: ZONE_NAME.zone
Forward zone database file: /var/named/named.localhost
Reverse zone database file: /var/named/named.loopback
Note: the root zone database file named.ca, the forward zone database file named.localhost and the reverse zone database file named.loopback are not provided by the program itself but by the rpm package maintainer.
Configure the primary DNS server
Forward zone:
Step 1: define the forward zone
# vim /etc/named.conf
Modify the content:
listen-on port 53 { 127.0.0.1; 172.18.252.23; };
dnssec-enable no;
// allow-query { localhost; };
Add the host's own address to listen-on; set dnssec-enable to no; and comment out allow-query { localhost; } with //, because it would restrict queries to localhost only.
# vim /etc/named.rfc1912.zones
Add the content:
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
};
Note: the zone database file magedu.com.zone named by file in the zone statement does not exist and has to be created by hand. When file is given as a relative path, it is looked up under the /var/named/ directory by default; the file itself is not there by default.
Step 2: create the forward zone database file (mainly A or AAAA records)
By default it is created under the /var/named directory: create and edit a forward zone database file for the magedu.com zone and name it magedu.com.zone.
Apart from the macro definitions ($TTL, $ORIGIN), a zone database file consists only of resource records, and the first record must be the SOA record.
# vim /var/named/magedu.com.zone
$TTL 3600                 ; in seconds
$ORIGIN magedu.com.
@       IN SOA ns1.magedu.com. 403868144.qq.com. (
        2016041001        ; serial
        1H                ; refresh
        10M               ; retry
        3D                ; expire
        1D )              ; negative-answer TTL
        IN NS ns1
        IN NS ns2
        IN MX 10 mx1
        IN MX 20 mx2
ns1     IN A 172.18.11.2
ns2     IN A 172.18.11.3
mx1     IN A 172.18.11.4
mx2     IN A 172.18.11.5
www     IN A 172.18.11.2
web     IN CNAME www
bbs     IN A 172.18.11.2
Step 3: change the permissions of the forward zone database file so that others have no access, and set its group to named.
# chown :named magedu.com.zone
# chmod o= magedu.com.zone
Step 4: syntax check
# named-checkconf
# named-checkzone magedu.com /var/named/magedu.com.zone
View zone information:
# rndc status
Note: the forward zone name (the $ORIGIN in the zone file) must match the zone name defined by the zone statement in /etc/named.rfc1912.zones; the trailing dot after the zone name in the zone statement can be omitted.
Step 5: have the server reload the configuration file and zone data file
# rndc reload
Step 6: test whether the DNS server resolves names
# dig -t A www.magedu.com @172.18.250.131
# host -t A bbs.magedu.com 172.18.11.2
# dig -t NS magedu.com @172.18.11.2
# host -t MX magedu.com 172.18.11.2
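The following is an added example, not from the original tutorial or from BIND, that checks the magedu.com zone file above for the mistakes named-checkzone is run to catch: the SOA must be the first record, and every NS and MX target that lives inside the zone needs its own A or AAAA record (the glue that the slave setup and mail delivery below depend on). ZONE_TEXT is a constructed copy of the page's zone, and parse_zone and check_zone are this example's own names.

```python
import re
# Constructed sample: the magedu.com forward zone from the tutorial above.
ZONE_TEXT = """$TTL 3600
$ORIGIN magedu.com.
@    IN SOA ns1.magedu.com. 403868144.qq.com. ( 2016041001 1H 10M 3D 1D )
     IN NS ns1
     IN NS ns2
     IN MX 10 mx1
ns1  IN A 172.18.11.2
ns2  IN A 172.18.11.3
mx1  IN A 172.18.11.4
www  IN A 172.18.11.2
"""
def absolute(name, origin):
    # Qualify a relative owner or target name against the current $ORIGIN.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
def parse_zone(text, zone):
    # Return (owner, type, rdata) tuples; owner and name-valued rdata are made absolute.
    origin = zone
    text = re.sub(r";[^\n]*", "", text)                        # strip ; comments
    text = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), text)
    records, owner = [], origin
    for line in filter(str.strip, text.splitlines()):
        fields = line.split()
        if fields[0].startswith("$"):                           # $TTL, $ORIGIN directives
            origin = fields[1] if fields[0] == "$ORIGIN" else origin
            continue
        if not line[0].isspace():                               # explicit owner field
            owner = absolute(fields.pop(0), origin)
        if fields[0].upper() == "IN":                           # optional class field
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "MX", "CNAME"):                      # rdata ends with a name
            rdata[-1] = absolute(rdata[-1], origin)
        records.append((owner, rtype, rdata))
    return records
def check_zone(text, zone):
    # Return the problems found; an empty list means the zone passed both checks.
    zone = zone.rstrip(".") + "."
    recs = parse_zone(text, zone)
    problems = [] if recs and recs[0][1] == "SOA" else ["first record must be the SOA"]
    have = {(o, t) for o, t, _ in recs}
    for _, rtype, rdata in recs:
        target = rdata[-1]
        if rtype not in ("NS", "MX") or not (target == zone or target.endswith("." + zone)):
            continue                                            # address data or external target
        if not have & {(target, "A"), (target, "AAAA")}:
            problems.append(f"{rtype} target {target} has no A/AAAA record in the zone")
    return problems
```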
Configure the reverse zone; the steps are the same as for the forward zone.
Step 1: define the reverse zone
# vim /etc/named.rfc1912.zones
zone "11.18.172.in-addr.arpa" IN {
    type master;
    file "172.18.11.zone";
};
Step 2: create the reverse zone database file (mainly PTR records)
By default it is created under the /var/named directory; here the reverse zone database file is named 172.18.11.zone, matching the file statement above.
# vim /var/named/172.18.11.zone
$TTL 3600
$ORIGIN 11.18.172.in-addr.arpa.   ; relative owner names are completed with this suffix, so only the host octet needs to be written
@       IN SOA ns1.magedu.com. 403868144.qq.com. (
        2016041001
        1H
        10M
        3D
        12H )
        IN NS ns1.magedu.com.
2       IN PTR ns1.magedu.com.
3       IN PTR ns2.magedu.com.
4       IN PTR mx1.magedu.com.
5       IN PTR mx2.magedu.com.
2       IN PTR www.magedu.com.
2       IN PTR bbs.magedu.com.
Step 3: change the permissions of the reverse zone database file so that others have no access, and set its group to named
# chgrp named 172.18.11.zone
# chmod o= 172.18.11.zone
Step 4: syntax check
# named-checkconf
# named-checkzone 11.18.172.in-addr.arpa /var/named/172.18.11.zone
Note: the reverse zone name must match the zone name defined by the zone statement in /etc/named.rfc1912.zones; the trailing dot after the zone name in the zone statement can be omitted.
Step 5: have the server reload the configuration file and zone data file
# rndc reload
Step 6: test whether the DNS server does reverse resolution
# dig -x 172.18.11.2
The above configuration is the primary DNS server configuration process.
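As an added example (not part of the original page or of BIND), the reverse zone name and the PTR owner names can be derived from the network instead of typed by hand, which rules out the $ORIGIN/zone-name mismatch that makes named-checkzone reject the file; it generalizes to /8 and /16 networks as well. The A-record list is constructed from the forward zone above, and reverse_zone_name, ptr_records, render_reverse_zone and origin_matches_zone are this example's own names.

```python
import ipaddress

# Constructed sample: A records from the magedu.com forward zone above, plus one
# address outside 172.18.11.0/24 that must not receive a PTR in this zone.
FORWARD_A = [("ns1.magedu.com.", "172.18.11.2"), ("ns2.magedu.com.", "172.18.11.3"),
             ("mx1.magedu.com.", "172.18.11.4"), ("www.magedu.com.", "172.18.11.2"),
             ("other.example.com.", "10.0.0.7")]

def reverse_zone_name(network):
    # in-addr.arpa zone for a /8, /16 or /24 block: 172.18.11.0/24 -> 11.18.172.in-addr.arpa.
    net = ipaddress.ip_network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned blocks; smaller ones need RFC 2317 delegation")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def ptr_records(network, a_records):
    # Relative PTR owners (host octets, reversed) for every A record inside the block.
    net = ipaddress.ip_network(network)
    keep = net.prefixlen // 8
    out = []
    for name, addr in a_records:
        if ipaddress.ip_address(addr) in net:
            host = addr.split(".")[keep:]
            out.append((".".join(reversed(host)), name))
    return sorted(out)

def render_reverse_zone(network, a_records, primary_ns, rname, serial):
    # $ORIGIN is derived from the network, so it cannot disagree with the zone name
    # used in the zone statement of named.rfc1912.zones.
    zone = reverse_zone_name(network)
    lines = ["$TTL 3600", f"$ORIGIN {zone}",
             f"@ IN SOA {primary_ns} {rname} ( {serial} 1H 10M 3D 12H )",
             f"  IN NS {primary_ns}"]
    lines += [f"{owner} IN PTR {target}" for owner, target in ptr_records(network, a_records)]
    return "\n".join(lines) + "\n"

def origin_matches_zone(zone_text, network):
    # Catch a $ORIGIN that differs from the zone name before named-checkzone rejects it.
    for line in zone_text.splitlines():
        if line.startswith("$ORIGIN"):
            return line.split()[1] == reverse_zone_name(network)
    return True   # no $ORIGIN: named takes the origin from the zone statement
```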
Configure the slave DNS server:
First configure the slave for the forward zone, then the slave for the reverse zone.
Configure on the slave server:
Step 1: edit the main configuration file
# vim /etc/named.conf
listen-on port 53 { 127.0.0.1; 172.18.252.23; };
dnssec-enable no;
// allow-query { localhost; };
Step 2: define the forward zone on the slave server as a slave zone
# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
    type slave;
    file "slaves/magedu.com.zone";
    masters { 172.18.11.2; };
};
Step 3: syntax check
# named-checkconf
Step 4: configure on the primary server
# vim /var/named/magedu.com.zone
ns2     IN A 172.18.11.3
Tip: add an NS record, for example ns2; the name has nothing to do with the slave server's host name, but ns2 must have an A record pointing to the slave server's IP address 172.18.11.3, and this record is mandatory.
Step 5: check the syntax of the primary server's zone file
# named-checkzone magedu.com /var/named/magedu.com.zone
Step 6: reload the configuration file
# rndc reload
Step 7: on the slave server, reload the configuration file
# rndc reload
Test forward resolution against the slave DNS server
# dig -t A www.magedu.com @172.18.11.3
Verify that the forward zone database file synchronizes to the slave server
Add a pop3 record to the master server's zone file and increment the serial number
        2016041003              ; serial number incremented
pop3    IN A 172.18.11.6        ; new A record for pop3
# rndc reload
Check on the slave server whether the updated zone database file has been received
# dig -t A pop3.magedu.com @172.18.11.3
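An added example, not from the original page: the slave decides whether to fetch a fresh copy by comparing SOA serials with RFC 1982 serial arithmetic, so an edit whose serial is unchanged or lower is silently ignored. The functions below model that comparison and produce the next YYYYMMDDnn serial in the scheme the zone above uses; serial_is_newer, next_serial and slave_will_transfer are this example's own names.

```python
from datetime import date

SERIAL_MODULUS = 2 ** 32          # SOA serials are unsigned 32-bit numbers

def serial_is_newer(candidate, current):
    # RFC 1982 serial arithmetic, the comparison a slave makes between the master's
    # SOA serial and its own copy: "newer" means ahead by less than 2^31, with wraparound.
    diff = (candidate - current) % SERIAL_MODULUS
    return 0 < diff < SERIAL_MODULUS // 2

def next_serial(current, today=None):
    # Next YYYYMMDDnn serial as used in the zone above; `today` is YYYYMMDD as an int.
    # The result is always larger than `current`, even when the clock went backwards
    # or the day's 99 slots are used up, so the slave will not ignore the edit.
    today = int(today or date.today().strftime("%Y%m%d"))
    base = today * 100
    candidate = base + 1 if base > current else current + 1
    if candidate >= SERIAL_MODULUS:
        raise ValueError("serial space exhausted")
    return candidate

def slave_will_transfer(master_serial, slave_serial):
    # Explain, before running rndc reload, whether the slave will fetch the zone.
    if master_serial == slave_serial:
        return False, "serial unchanged: bump the SOA serial before rndc reload"
    if not serial_is_newer(master_serial, slave_serial):
        return False, "master serial is behind the slave's copy; the slave keeps its data"
    return True, "slave requests a zone transfer on the next refresh or NOTIFY"
```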
Configure the slave server for the reverse zone
Step 1: add the reverse zone to the main configuration file on the slave server
# vim /etc/named.rfc1912.zones
zone "11.18.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.18.11.zone";
    masters { 172.18.11.2; };
};
Step 2: check the main configuration file syntax
# named-checkconf
Step 3: make sure the reverse zone database file on the master server has an NS record for the slave, and optionally a PTR record for that NS
# vim /var/named/172.18.11.zone
        2016041002
        IN NS ns2.magedu.com.
3       IN PTR ns2.magedu.com.
Step 4: check the syntax of the reverse zone file
# named-checkzone 11.18.172.in-addr.arpa /var/named/172.18.11.zone
Step 5: reload
# rndc reload
Step 6: reload on the slave server
# rndc reload
Check whether the reverse zone database file has synchronized to the slave server
# ls /var/named/slaves
Test reverse resolution against the slave DNS server
# dig -x 172.18.11.2 @172.18.11.3
Subdomain delegation:
Step 1: delegate the subdomain in the forward zone database file /var/named/magedu.com.zone on the parent domain's primary DNS server
# vim /var/named/magedu.com.zone
        2016041004
ops     IN NS ns1.ops
ns1.ops IN A 172.18.11.4
Step 2: reload
# rndc reload
Operate on the subdomain server (172.18.11.4)
Step 1: edit the main configuration file
# vim /etc/named.conf
listen-on port 53 { 127.0.0.1; 172.18.11.4; };
dnssec-enable no;
// allow-query { localhost; };
Step 2: start the named program
# systemctl start named.service
Step 3: configure the server 172.18.11.4 as the master server of the ops.magedu.com subdomain
# vim /etc/named.rfc1912.zones
zone "ops.magedu.com" IN {
    type master;
    file "ops.magedu.com.zone";
};
Step 4: create the forward zone database file ops.magedu.com.zone named by file under the /var/named/ directory
# vim /var/named/ops.magedu.com.zone
$TTL 3600
$ORIGIN ops.magedu.com.
@       IN SOA ns1.ops.magedu.com. 403868144.qq.com. (
        2016041101
        1H
        10M
        1D
        2H )
        IN NS ns1
ns1     IN A 172.18.11.4
www     IN A 172.18.11.4
Step 5: change the permissions of the forward zone database file so that others have no access, and set its group to named.
# chmod o= ops.magedu.com.zone
# chgrp named ops.magedu.com.zone
Step 6: syntax check
# named-checkzone ops.magedu.com /var/named/ops.magedu.com.zone
Step 7: reload
# rndc reload
Step 8: test forward resolution
# dig -t A www.ops.magedu.com @172.18.11.4
Define a forward zone on the subdomain server:
Step 1: edit the main configuration file
# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
    type forward;
    forward only;
    forwarders { 172.18.11.2; 172.18.11.3; };
};
Step 2: syntax check
# named-checkconf
Step 3: reload
# rndc reload
Step 4: test
Resolve the subdomain on the parent domain server
# dig -t A www.ops.magedu.com @172.18.11.2
Resolve the parent domain on the subdomain server
# dig -t A www.magedu.com @172.18.11.4
Define global forwarding on the subdomain server:
Step 1: edit the main configuration file
# vim /etc/named.conf
Add in the options section:
forward only;
forwarders { 172.18.11.2; };
Step 2: reload
# rndc reload
Step 3: test with baidu
# dig -t A www.baidu.com @172.18.11.4
Security-related configuration
Zone transfers should be allowed only to the zone's own slave servers.
Configure on the master server: allow zone transfer only to the slave server, using an access control list in allow-transfer
# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { slaves; };
};
Configure the access control list on the primary server:
Edit the /etc/named.conf configuration file and add the slaves access control list before the options section:
# vim /etc/named.conf
acl slaves {
    172.18.11.3;
    127.0.0.1;
};
Check the syntax:
# named-checkconf
Reload:
# rndc reload
Test from a server that is not a slave:
# dig -t axfr magedu.com @172.18.11.2
The transfer is refused, so the setting works.
Test zone transfer from the slave server:
# dig -t axfr magedu.com @172.18.11.2
Test on the primary server itself:
# dig -t axfr magedu.com @172.18.11.2
# dig -t axfr magedu.com @127.0.0.1
Both show that the zone transfer failed: the host's own address 172.18.11.2 is not defined in the access control list, so it cannot transfer; and although 127.0.0.1 is defined in the access control list, it cannot transfer either, because that address is not among the listen-on addresses in the options section.
Modify the master server configuration file /etc/named.conf
# vim /etc/named.conf
Add 127.0.0.1 to listen-on:
listen-on port 53 { 127.0.0.1; 172.18.11.2; };
Restart the service:
# systemctl restart named.service
Now the transfer from 127.0.0.1 succeeds.
Configure recursion through an access control list so that recursion is allowed for local clients only
Modify the master server configuration file /etc/named.conf and add an access control list for recursion
# vim /etc/named.conf
Add:
acl mynet {
    127.0.0.0/8;
};
Only the local 127 network is allowed to make recursive queries
(replace recursion yes; with:) allow-recursion { mynet; };
Reload:
# rndc reload
Recursion from other hosts is now rejected, for example using the subdomain server to recursively query baidu
# dig -t A www.baidu.com @172.18.11.4
The recursive query fails
Adding 172.18.11.4 to the recursion access control list in /etc/named.conf on the master server makes recursion work for it.
# vim /etc/named.conf
acl mynet {
    172.18.11.4/16;
    127.0.0.0/8;
};
Reload:
# rndc reload
Now use the subdomain server to recursively query baidu
# dig -t A www.baidu.com @172.18.11.4
Recursion succeeds
On the slave server, the configuration file /etc/named.rfc1912.zones also needs to be modified to set access control lists for zone transfers and recursive queries
# vim /etc/named.rfc1912.zones
zone "magedu.com" IN {
    type slave;
    file "slaves/magedu.com.zone";
    masters { 172.18.11.2; };
    allow-transfer { none; };
    allow-update { none; };   // forbids dynamic updates; unrelated to zone transfer
};
zone "11.18.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.18.11.zone";
    masters { 172.18.11.2; };
    allow-transfer { none; };
    allow-update { none; };
};
Test from the subdomain server whether the magedu.com zone can be transferred from the slave server
# dig -t axfr magedu.com @172.18.11.3
The transfer fails
# dig -t axfr ops.magedu.com @172.18.11.4
The subdomain can transfer its own zone, because no access control has been configured on the subdomain server.
Normally, every name server that has no slave servers should set allow-transfer to none; if it has slave servers, allow-transfer should point only at them; and every zone should set allow-update to none unless DDNS is used.
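To check a named.conf against the rule of thumb just stated, here is an added example (not part of the original page or of BIND): a small parser for acl, options and zone statements, followed by an audit of allow-transfer, allow-update and allow-recursion. CONF is a constructed configuration for the master server above with the reverse zone deliberately left open, and tokenize, parse, values and audit are this example's own names.

```python
import re
# Constructed named.conf for the master server above; the reverse zone deliberately
# leaves allow-transfer and allow-update unset so the audit has something to report.
CONF = """acl slaves { 172.18.11.3; 127.0.0.1; };
acl mynet { 172.18.11.4; 127.0.0.0/8; };
options { listen-on port 53 { 127.0.0.1; 172.18.11.2; }; recursion yes; allow-recursion { mynet; }; };
zone "magedu.com" IN { type master; file "magedu.com.zone";
    allow-transfer { slaves; }; allow-update { none; }; };
zone "11.18.172.in-addr.arpa" IN { type master; file "172.18.11.zone"; };  // left open
"""
def tokenize(text):
    # Drop //, # and /* */ comments, then split into words, braces and semicolons.
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", text, flags=re.S)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)
def parse(tokens):
    # Each statement becomes a word list; a { ... } block becomes a nested statement list.
    stmts, words, i = [], [], 0
    while i < len(tokens):
        if tokens[i] == "{":
            depth, j = 1, i + 1
            while depth:                                   # locate the matching brace
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            words.append(parse(tokens[i + 1:j - 1]))
            i = j
        elif tokens[i] == ";":
            stmts, words, i = stmts + [words], [], i + 1
        else:
            words, i = words + [tokens[i].strip('"')], i + 1
    return stmts
def values(opts, key):
    # Entries of an address match list such as allow-transfer { slaves; }; None if unset.
    return [v[0] for v in opts[key][0]] if key in opts else None
def audit(config):
    # Tutorial rule: transfer only to known slaves (none if there are none), no dynamic
    # updates, recursion only for the server's own clients. Returns the violations found.
    findings = []
    for words in filter(None, parse(tokenize(config))):
        opts = {w[0]: w[1:] for w in words[-1]} if isinstance(words[-1], list) else {}
        if words[0] == "options" and opts.get("recursion", ["yes"])[0] == "yes" \
                and (values(opts, "allow-recursion") or ["any"]) == ["any"]:
            findings.append("options: recursion open to any client; set allow-recursion")
        if words[0] != "zone" or opts.get("type", [""])[0] not in ("master", "slave"):
            continue
        zone, ztype, xfer = words[1], opts["type"][0], values(opts, "allow-transfer")
        if xfer is None or "any" in xfer or (ztype == "slave" and xfer != ["none"]):
            findings.append(f'zone "{zone}": allow-transfer must list only the slaves, or none')
        if values(opts, "allow-update") != ["none"]:
            findings.append(f'zone "{zone}": allow-update should be {{ none; }} unless DDNS is used')
    return findings
```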