2025-01-29 Update From: SLTechnology News&Howtos (Servers)
Shulou(Shulou.com)06/01 Report--
This article shows how to install a DNS server on a CentOS system. The content is concise and easy to follow, and I hope you get something out of this detailed walkthrough.
1. Concept
DNS (Domain Name Server, the domain name resolution service) uses port 53 over both TCP and UDP: TCP between master and slave DNS servers, UDP for client queries. It maps between domain names and IP addresses in both directions: it can resolve an IP address to a domain name, and a domain name to an IP address.
FQDN (Fully Qualified Domain Name) is organised as a hierarchical tree. It is usually written as: host name . subdomain . second-level domain . top-level domain . root domain (the root is the trailing dot). For example, the site we usually visit, "www.linuxprobe.com", is an FQDN.
The query method of DNS:
Iterative query: a query between servers. The query from the local name server to the root name server usually uses iterative (repeated) queries. When the root name server receives the iterative query request from the local name server, it either returns the IP address being queried or tells the local name server which name server to ask next, leaving the local name server to make the subsequent queries itself.
Recursive query: a query between client and server. The query from the host to the local name server usually uses a recursive query. If the local name server asked by the host does not know the IP address of the domain name being queried, the local name server, acting as a DNS client, keeps sending query requests to other (root) name servers. In the end the client is given a definitive result, whether the lookup succeeded or not.
DNS resolution type:
Forward resolution: from FQDN to IP address
Reverse resolution: from IP address resolution to FQDN
Name resolution method:
Hosts file (/etc/hosts)
DNS
Broadcast
Resolver cache
WINS (on Windows), etc.
2. DNS installation and configuration
In RHEL5 and 6, DNS uses the bind package, while in RHEL/CentOS 7 it uses the unbound package, and the configuration file has changed. Let's take a look:
2.1. Installation:
The code is as follows:
[root@linuxprobe ~]# yum -y install unbound
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package unbound.x86_64 0:1.4.20-19.el7 will be installed
--> Finished Dependency Resolution
-- start the service --
The code is as follows:
[root@linuxprobe ~]# systemctl restart unbound      // start the DNS service
[root@linuxprobe ~]# systemctl enable unbound
ln -s '/usr/lib/systemd/system/unbound.service' '/etc/systemd/system/multi-user.target.wants/unbound.service'
// start the DNS service automatically at the next boot
2.2. Modify the configuration file
After unbound is installed, the default configuration file is /etc/unbound/unbound.conf.
2.2.1. Modify port listening address
Equivalent to listen-on port 53 { any; }; in the RHEL6 (bind) configuration file.
-- check the default listening address --
The code is as follows:
[root@linuxprobe ~]# netstat -tunlp | grep unbound
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3333/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      3333/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      3333/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      3333/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3333/unbound
udp6       0      0 ::1:53                  :::*                                3333/unbound
// by default it listens only on the loopback address, so only this host can use the DNS service; other hosts cannot reach it.
-- modify the listening address --
The code is as follows:
[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
……
38 # interface: 0.0.0.0
39 interface: 0.0.0.0
……
// find line 38, copy it and remove the comment marker on the copy; this makes unbound listen on all network interfaces.
-- restart the service and check again --
The code is as follows:
[root@linuxprobe ~]# systemctl restart unbound
[root@linuxprobe ~]# netstat -tunlp | grep unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      3461/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      3461/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      3461/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           3461/unbound
// port 53 is now bound to 0.0.0.0, that is, it listens on all network segments.
2.2.2. Modify the scope of the allowed query
In RHEL6, the DNS configuration file contains the statement allow-query { localhost; };. It defines the range of hosts allowed to query this server (iteratively and recursively); localhost means only the local machine may query it. In practice localhost is often changed to any so that all hosts can query this DNS server. The same change is needed in RHEL7, but the directive to modify is different, as follows:
The code is as follows:
[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
……
177 # access-control: 0.0.0.0/0 refuse
178 access-control: 0.0.0.0/0 allow
179 # access-control: 127.0.0.0/8 allow
……
Find line 177 of /etc/unbound/unbound.conf, which is commented out by default, add a copy with the action changed to allow, then save and exit, and restart the service.
2.2.3. Create a parsing file
In RHEL/CentOS 5 and 6, the DNS zone data is split into a forward resolution file and a reverse resolution file, and template files are provided for both. In RHEL7, forward and reverse resolution data are merged into one file and there is no template, so you need to create it yourself. The path can be found in the main configuration file:
The code is as follows:
[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
……
453 # You can add locally served data with
454 # local-zone: "local." static
455 # local-data: "mycomputer.local. IN A 192.0.2.51"
// syntax to follow for forward resolution
456 # local-data: 'mytext.local TXT "content of text record"'
457 #
458 # You can override certain queries with
459 # local-data: "adserver.example.com A 127.0.0.1"
460 #
461 # You can redirect a domain to a fixed address with
462 # (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
463 # local-zone: "example.com" redirect
464 # local-data: "example.com A 192.0.2.3"
465 #
466 # Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
467 # You can also add PTR records using local-data directly, but then
468 # you need to do the reverse notation yourself.
469 # local-data-ptr: "192.0.2.3 www.example.com"
// syntax to follow for reverse resolution
470
471 include: /etc/unbound/local.d/*.conf
472
473 # service clients over SSL (on the TCP sockets), with plain DNS inside
……
-- check the local host's FQDN --
The code is as follows:
[root@linuxprobe ~]# hostname
linuxprobe.example.com
// so the domain name is example.com
-- create the resolution file --
The code is as follows:
[root@linuxprobe ~]# vim /etc/unbound/local.d/example.conf
local-zone: "example.com." static
local-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H"
local-data: "ns.example.com. IN A 192.168.10.10"
local-data: "linuxprobe.example.com. IN A 192.168.10.10"
local-data-ptr: "192.168.10.10 ns.example.com."
local-data-ptr: "192.168.10.10 linuxprobe.example.com."
-- the RHEL6 zone file, for comparison --
The code is as follows:
[root@linuxprobe ~]# vim /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
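The comment at line 467 above says that PTR records written with local-data need the reverse notation done by hand. The following added example (not from the article) expands the local-data-ptr shorthand into that long form and checks that every PTR target has a matching A record; the configuration text is a constructed copy of the file created in this section.

```python
import ipaddress
import re

# Constructed copy of the fragment this section writes to
# /etc/unbound/local.d/example.conf; not read from a real file.
EXAMPLE_CONF = """\
local-zone: "example.com." static
local-data: "example.com. 86400 IN SOA ns.example.com. root 1 1D 1H 1W 1H"
local-data: "ns.example.com. IN A 192.168.10.10"
local-data: "linuxprobe.example.com. IN A 192.168.10.10"
local-data-ptr: "192.168.10.10 ns.example.com."
local-data-ptr: "192.168.10.10 linuxprobe.example.com."
"""

def reverse_name(ip):
    """PTR owner name: x.x.x.x.in-addr.arpa. for IPv4, nibbles.ip6.arpa. for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def expand_ptr_shorthand(text):
    """Rewrite each local-data-ptr line as the long-form local-data PTR record."""
    out = []
    for line in text.splitlines():
        m = re.match(r'\s*local-data-ptr:\s*"(\S+)\s+(\S+)"', line)
        if m:
            ip, name = m.groups()
            out.append(f'local-data: "{reverse_name(ip)} IN PTR {name}"')
        else:
            out.append(line)
    return "\n".join(out) + "\n"

def records(text):
    """(owner, rrtype, rdata) for every local-data line; a TTL before IN is optional."""
    recs = []
    for line in expand_ptr_shorthand(text).splitlines():
        m = re.match(r'\s*local-data:\s*"(.*)"', line)
        if m:
            f = m.group(1).split()
            i = f.index("IN")
            recs.append((f[0], f[i + 1], " ".join(f[i + 2:])))
    return recs

def ptr_mismatches(text):
    """PTR records whose target has no A record pointing back at the PTR owner."""
    recs = records(text)
    a_rrs = {owner: rdata for owner, t, rdata in recs if t == "A"}
    bad = []
    for owner, t, target in recs:
        if t == "PTR" and (target not in a_rrs or reverse_name(a_rrs[target]) != owner):
            bad.append((owner, target))
    return bad
```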
2.3. Disable service users
Each service has its own dedicated service user, and for DNS it is unbound. Enabling the service user may in fact carry security risks, so here the service user is disabled.
The code is as follows:
[root@linuxprobe ~]# vim /etc/unbound/unbound.conf
211 # if given, user privileges are dropped (after binding port)
212 # and the given username is assumed. Default is user "unbound".
213 # If you give "" no privileges are dropped.
214 # username: "unbound"
215 username: ""
216
217 # the working directory. The relative files in this config
As above, find line 214 of the configuration file, copy it without the comment marker and delete unbound from the copy, leaving: username: "".
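Sections 2.2.1, 2.2.2 and 2.3 each change one setting in /etc/unbound/unbound.conf. As an added example (not from the article), the script below parses those three settings from a constructed sample of the file and reports, from a reviewer's standpoint, the combinations that widen the server's exposure: listening on all interfaces together with access-control 0.0.0.0/0 allow makes an open resolver, and username "" means the daemon keeps its start-up privileges (line 213 of the file says so).

```python
import ipaddress
import re

# Constructed sample of the settings this tutorial changes in
# /etc/unbound/unbound.conf; it is not a copy of a real file.
SAMPLE_CONF = """\
server:
    # interface: 0.0.0.0
    interface: 0.0.0.0
    # access-control: 0.0.0.0/0 refuse
    access-control: 0.0.0.0/0 allow
    access-control: 127.0.0.0/8 allow
    # username: "unbound"
    username: ""
"""

def parse_settings(text):
    """Collect the uncommented interface, access-control and username values."""
    settings = {"interface": [], "access-control": [], "username": None}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        m = re.match(r"(interface|access-control|username):\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "username":
            settings["username"] = value.strip('"')
        else:
            settings[key].append(value)
    return settings

def audit(text):
    """Return the findings a reviewer would raise about this resolver's exposure."""
    s = parse_settings(text)
    findings = []
    wildcard = any(i in ("0.0.0.0", "::", "::0") for i in s["interface"])
    allow_any = False
    for rule in s["access-control"]:
        parts = rule.split()
        if len(parts) == 2 and parts[1].startswith("allow"):
            # a prefix length of 0 (0.0.0.0/0 or ::0/0) matches every client
            allow_any |= ipaddress.ip_network(parts[0], strict=False).prefixlen == 0
    if wildcard and allow_any:
        findings.append("open resolver: listens on all interfaces and allows 0.0.0.0/0")
    elif allow_any:
        findings.append("access-control allows 0.0.0.0/0; only loopback is bound for now")
    if s["username"] == "":
        findings.append('username "" means no privileges are dropped after binding port 53')
    return findings
```

Restricting access-control to the local network (for example 192.168.10.0/24 allow) and keeping username: "unbound" clears both findings.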
2.4. Verification
The code is as follows:
[root@linuxprobe ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
Verify that there are no configuration problems, and then restart the service.
The code is as follows:
[root@linuxprobe ~]# systemctl restart unbound
DNS verification:
-- point the local host at the new DNS server --
The code is as follows:
[root@linuxprobe ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
HWADDR=00:0C:29:70:
TYPE=Ethernet
IPADDR= "192.168.10.10"
PREFIX= "24"
DNS1=192.168.10.10
NAME=eth0
ONBOOT=no
[root@linuxprobe ~]# systemctl restart network
-- verify with nslookup --
The code is as follows:
[root@linuxprobe ~]# nslookup
> linuxprobe.example.com.
192.168.10.10
// OK, DNS is set up successfully
PS: about the firewall
In this experiment, the three Linux firewall services (iptables, ebtables and firewalld) were turned off. If the firewall is left on, verification from a remote host may fail, and you need to open the DNS service in the firewall on the DNS server. Taking firewalld as an example:
The code is as follows:
[root@linuxprobe ~]# systemctl stop iptables
[root@linuxprobe ~]# systemctl stop ebtables
[root@linuxprobe ~]# systemctl disable iptables
[root@linuxprobe ~]# systemctl disable ebtables
[root@linuxprobe ~]# firewall-cmd --add-service=dns --permanent
success
[root@linuxprobe ~]# firewall-cmd --reload
success
[root@linuxprobe ~]# firewall-cmd --list-all
public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
// the firewall on the DNS server now allows DNS access
The above is how to install a DNS server on a CentOS system. Have you picked up any knowledge or skills from it?