DNS domain name resolution service configuration (recommended tutorial)

Contents

1. DNS

1.1 Introduction to the DNS service

DNS (Domain Name System) is a distributed database that maps domain names to IP addresses on the Internet, so that users can reach hosts without remembering the numeric IP addresses that machines read directly. Obtaining the IP address that corresponds to a host name is called domain name resolution (or host name resolution).

  • The DNS protocol runs over both UDP and TCP and uses port 53

  • UDP is used for ordinary resolution queries; TCP is used for the master-slave transfer of zone database files (zone transfers)

1.2 Internet domain name structure

General structure

  • host name . second-level domain name . top-level domain name . root

  • www.wsescape.com.

Management

  • Internet top-level domain names are registered and managed by the Internet network association's domain name registration committee, which is responsible for network address allocation

  • It also assigns a unique IP address to each host on the Internet

1.3 Functions of DNS

Each IP address can have a host name. A host name consists of one or more strings separated by dots. With host names there is no need to memorise the IP address of every device; remembering the comparatively intuitive and meaningful host name is enough.

Two ways of mapping a host name to an IP address

  • Static mapping

The /etc/hosts file

Each device holds its own host-to-IP mapping, which is used only by that device

  • Dynamic mapping

The /etc/resolv.conf file

The host-to-IP mapping is obtained from a DNS server

# cat /etc/hosts
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

# cat /etc/resolv.conf
nameserver 172.16.242.2

Resolution methods - FQDN (Fully Qualified Domain Name)

  • Forward ==> FQDN --> IP

  • Reverse ==> IP --> FQDN

  • Authoritative answer

  • Non-authoritative answer

  • Resolution order

When a name is resolved, the static method (/etc/hosts) is tried first; only if static resolution fails is the dynamic method (a DNS query) used

The process of a complete query request

1.4 Technical implementation

DNS implements a hierarchical namespace by allowing a name server to delegate part of its name space, known as a zone, to a sub-server; this is the subdomain delegation mechanism

  • DNS also provides additional information, such as host aliases, contact information, and which host acts as the mail hub for a group of systems or a domain

  • Any computer network that uses IP can use DNS to implement its own private naming system

Software to implement DNS

  • BIND

  • DJBDNS

  • MaraDNS

  • Name Server Daemon (NSD)

  • PowerDNS

  • Dnsmasq

DNS query types

  • Iterative query

  • Recursive query

1.5 Types of DNS server

(1) Primary DNS server (master)

The primary server of a domain holds the domain's zone file. All configuration and changes for the domain are made on this server. This tutorial also explains how to configure the primary DNS server of a domain.

(2) Secondary DNS server (slave)

The slave server of a domain is generally used for redundancy. It fetches the zone file from the domain's master server and never changes any information itself: the zone file can only be modified on the master DNS server, and all modifications are then synchronised from the master.

(3) Caching-only server (cache)

A DNS cache server has no zone files of its own. It serves clients purely from its cache, and is usually used for load balancing and to speed up lookups.

(4) Forwarding server

Only responsible for forwarding queries

Notes

Primary DNS server

  • Maintains the zone file for the zone it is responsible for resolving

  • The zone file is managed and maintained manually or automatically

  • Notification mechanism

  • Once the zone file on the master DNS server changes, the master immediately notifies the slave servers

Secondary (slave) DNS server

  • Copies (zone transfer) the zone file from the master DNS server or from another slave DNS server

  • Serial number: the version number of the zone file. Whenever the content of the master's zone file changes, its serial number must increase

  • Refresh time: the interval at which the slave server asks the master server to synchronise the zone file

  • Retry time: the interval between retries when the slave's request to synchronise the zone file fails

  • Expiration duration: how long the slave keeps serving the zone when it cannot contact the primary server; after this period the slave gives up and stops answering for the zone

  • Zone transfer

  • Full transfer (AXFR): transfers the entire zone file

  • Incremental transfer (IXFR): transfers only the changed part of the zone file

1.6 Resource record types

Common resource record types in the DNS system:

Host record (A record)

  • FQDN --> IP

  • The A record is the central record for name resolution: it maps a specific host name to the IPv4 address of the corresponding host

Pointer record (PTR record)

  • IP --> FQDN

  • Points to a canonical name; most commonly used for reverse DNS lookups

Start of authority record (SOA record)

  • A zone file has exactly one SOA record, and it must be the first record in the file

Name server record (NS record)

  • A DNS server that is authoritative for the current zone

Alias record (CNAME record)

  • A CNAME record points an alias at a canonical name that already has an A record, so no new A record is needed for the new name

Mail exchange record (MX record)

  • Points the domain name at the list of message transfer agents (mail servers) for the domain

IPv6 host record (AAAA record)

  • FQDN --> IPv6 address

  • The IPv6 counterpart of the A record: it maps a specific host name to the IPv6 address of a host

Service location record (SRV record)

  • Defines the location of a server providing a specific service, that is, its host name and port

NAPTR record

  • Provides a regular-expression based way to rewrite a domain name. A well-known application of NAPTR records is ENUM queries.

1.7 Resource record format

Syntax

name [TTL] IN rr_type value

(1) TTL can be omitted, in which case it inherits the global value. It is the time the record may be cached
(2) IN stands for Internet
(3) rr_type is the resource record type
(4) @ can be used to refer to the name of the current zone
(5) The same name can define several different values through several records. In that case the DNS server answers in a round-robin (polling) fashion
(6) The same value may also be defined under several different names. Several names pointing at the same value only means that the same host can be found under several names

SOA

name: the name of the current zone, such as wsescape.com

value: made up of several parts

  • (1) The FQDN of the primary DNS server of the current zone. The name of the current zone may also be used

  • (2) The e-mail address of the administrator of the current zone; the @ symbol cannot be used in the address and is replaced by a dot. For example, linuxmail.wsescape.com

  • (3) The master-slave coordination attributes and the TTL used for negative answers

#  86400 is the TTL value in seconds
#  The primary DNS server is ns.wsescape.com
#  The administrator e-mail address is nsadmin.wsescape.com
#  The first version is 2016052201, which serves as the serial (version) number
wsescape.com.   86400   IN   SOA   ns.wsescape.com.   nsadmin.wsescape.com. (
        2016052201  ; serial number
        2H          ; refresh time, 2 hours
        10M         ; retry time, 10 minutes
        1W          ; expiration time, one week
        1D          ; negative answer TTL, one day
)

NS

name: the name of the current zone

value: the name of a DNS server for the current zone, such as ns.wsescape.com

Note

  • (1) When two adjacent resource records have the same name, the name of the second can be omitted

  • (2) For NS records, the server name after any NS record should itself have an A record

#  One zone can have several NS records
#  Both ns1.wsescape.com. and ns2.wsescape.com. should have an A record later in the file
wsescape.com.   IN   NS   ns1.wsescape.com.
wsescape.com.   IN   NS   ns2.wsescape.com.

MX

name: the name of the current zone

value: the host name of a mail server (SMTP server) for the current zone

  • One zone can have several MX records

  • The value of each record is preceded by a number (0-99) that indicates the priority of that server

  • The smaller the number, the higher the priority

Note

  • (1) When two adjacent resource records have the same name, the name of the second can be omitted

  • (2) For MX records, the server name after any MX record should itself have an A record

#  Both mx1.wsescape.com. and mx2.wsescape.com. should have an A record later in the file
wsescape.com.   IN   MX   10   mx1.wsescape.com.
                IN   MX   20   mx2.wsescape.com.

A

name: the FQDN of a host, for example www.wsescape.com

value: the IP address of the host that the host name corresponds to

Note

  • To avoid returning an error when a user mistypes a name, a wildcard ("pan") record can resolve any undefined name to a specific address

#  round-robin (polling)
www.wsescape.com.   IN   A   1.1.1.1
www.wsescape.com.   IN   A   1.1.1.2

#  one host with more than one name
mx1.wsescape.com.   IN   A   1.1.1.3
mx2.wsescape.com.   IN   A   1.1.1.3

#  wildcard record: a name the user mistypes resolves to a specific address instead of producing an error
*.wsescape.com.     IN   A   1.1.1.4
wsescape.com.       IN   A   1.1.1.4

AAAA

Like the A record, except that the value is an IPv6 address

#  round-robin (polling); the IPv6 values are placeholders from the 2001:db8::/32 documentation range
www.wsescape.com.   IN   AAAA   2001:db8::1
www.wsescape.com.   IN   AAAA   2001:db8::2

#  one host with more than one name
mx1.wsescape.com.   IN   AAAA   2001:db8::3
mx2.wsescape.com.   IN   AAAA   2001:db8::3

#  wildcard record: a name the user mistypes resolves to a specific address instead of producing an error
*.wsescape.com.     IN   AAAA   2001:db8::4
wsescape.com.       IN   AAAA   2001:db8::4

PTR

name: here the name represents the IP address

The IP address is written in a specific format: reversed. For 1.2.3.4 you write 4.3.2.1

A fixed suffix, in-addr.arpa, is also appended. The complete form is 4.3.2.1.in-addr.arpa

value: the value is an FQDN

Note

  • The network part and the suffix can be omitted (they come from the zone name); the host part still has to be written backwards

#  example
4.3.2.1.in-addr.arpa.   IN   PTR   www.wsescape.com.

#  if the zone is 3.2.1.in-addr.arpa (network address 1.2.3), the abbreviation becomes
4       IN   PTR   www.wsescape.com.

#  if the zone is 2.1.in-addr.arpa (network address 1.2), the abbreviation becomes
4.3     IN   PTR   www.wsescape.com.

CNAME

name: the FQDN of the alias

value: the FQDN of the canonical (official) name

web.escapelife.com.   IN   CNAME   www.escapelife.com.

1.8 Subdomain delegation

Subdomain delegation means that the name servers of each domain are authorised in the zone file of the parent domain's name servers

This is the same mechanism by which the root zone delegates a TLD

com.        IN   NS   ns1.com.
com.        IN   NS   ns2.com.
ns1.com.    IN   A    2.2.2.1
ns2.com.    IN   A    2.2.2.2

Take wsescape.com as an example

#  On the .com name servers, the following resource records for wsescape.com. are added to the zone file
wsescape.com.       IN   NS   ns1.wsescape.com.
wsescape.com.       IN   NS   ns2.wsescape.com.
wsescape.com.       IN   NS   ns3.wsescape.com.
ns1.wsescape.com.   IN   A    3.3.3.1
ns2.wsescape.com.   IN   A    3.3.3.2
ns3.wsescape.com.   IN   A    3.3.3.3

Domain name registration

  • Registrars (agents)

  • Wan Wang

  • New Network

  • GoDaddy

Binding name servers

  • After registration is complete, decide whether the domain should be resolved by your own dedicated DNS service

  • In the registrar's management console, set the server names the NS records point to and the server addresses the A records point to

2. Common commands

2.1 dig command

dig is used to test the DNS system, so it does not consult the hosts file when resolving

  • A flexible tool for querying DNS name servers

  • Unless told to query a specific name server, dig tries the servers listed in /etc/resolv.conf

  • When no command line arguments or options are given, dig performs an NS query for . (the root)

Format

dig [-t type] name [@SERVER] [query options]

Usage

Query by type

dig -t NS wsescape.com @172.16.242.178
dig -t MX wsescape.com @172.16.242.178
dig -t A www.baidu.com

Query options:

+[no]trace: trace the resolution process from the root
+[no]recurse: request recursive resolution

Reverse lookup:

dig -x IP @SERVER
dig -x 172.16.100.11 @172.16.242.178

Simulate a zone transfer:

dig -t axfr ZONE_NAME @SERVER
dig -t axfr wsescape.com @172.16.242.178

2.2 host command

The host command is a tool for querying DNS

  • It is most often used to convert a given host name to an IP address

  • When run without arguments, it prints the help text for the host command

Format

host [-t type] name [SERVER]

Usage

-a is equivalent to -v -t ANY
-C compares the SOA records of the zone on its authoritative name servers
-l lists all hosts in a domain (via a zone transfer)
-i reverse lookup
-r does not request recursive processing
-v displays detailed processing information at run time
-4 query over IPv4
-6 query over IPv6
-t <type> specifies the record type, such as a, any, mx, ns, etc.

Example (on successive queries the two addresses come back in alternating order: the round-robin answer described in section 1.7)

[root@localhost ~]# host -t A www.wsescape.com 172.16.242.178
Using domain server:
Name: 172.16.242.178
Address: 172.16.242.178#53
Aliases:
www.wsescape.com has address 172.16.100.11
www.wsescape.com has address 172.16.100.12

[root@localhost ~]# host -t A www.wsescape.com 172.16.242.178
Using domain server:
Name: 172.16.242.178
Address: 172.16.242.178#53
Aliases:
www.wsescape.com has address 172.16.100.12
www.wsescape.com has address 172.16.100.11

[root@localhost ~]# host -t A www.wsescape.com 172.16.242.178
Using domain server:
Name: 172.16.242.178
Address: 172.16.242.178#53
Aliases:
www.wsescape.com has address 172.16.100.11
www.wsescape.com has address 172.16.100.12

[root@localhost ~]# host -t A www.wsescape.com 172.16.242.178
Using domain server:
Name: 172.16.242.178
Address: 172.16.242.178#53
Aliases:
www.wsescape.com has address 172.16.100.12
www.wsescape.com has address 172.16.100.11

2.3 nslookup command

nslookup is a program for querying domain name servers. It has two modes: interactive and non-interactive

Format

nslookup [-option] [name | -] [server]

Usage

  • Non-interactive mode

  • The query is given directly on the command line

  • Interactive mode

nslookup>
server IP:         which DNS server to query
set q=RR_TYPE:     the resource record type to query
NAME:              the name to query

Example

[root@localhost ~]# nslookup
> server 172.16.242.178
Default server: 172.16.242.178
Address: 172.16.242.178#53
> set q=A
> www.wsescape.com
Server:         172.16.242.178
Address:        172.16.242.178#53

Name:   www.wsescape.com
Address: 172.16.100.11
Name:   www.wsescape.com
Address: 172.16.100.12
> set q=NS
> wsescape.com
Server:         172.16.242.178
Address:        172.16.242.178#53

wsescape.com    nameserver = ns2.wsescape.com.
wsescape.com    nameserver = ns1.wsescape.com.

#  Non-interactive mode query
[root@rudder ~]# nslookup baidu.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   baidu.com
Address: 123.125.114.144
Name:   baidu.com
Address: 220.181.111.85
Name:   baidu.com
Address: 220.181.111.86

#  Interactive mode query
[root@rudder ~]# nslookup
> www.baidu.com
Server:         172.17.0.254
Address:        172.17.0.254#53

Non-authoritative answer:     # a non-authoritative answer comes from the resolver's cache, not from the zone's authoritative server
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.105       # first IP address returned
Name:   www.a.shifen.com
Address: 61.135.169.125       # second IP address returned
> server 8.8.8.8              # switch the name server to 8.8.8.8
Default server: 8.8.8.8
Address: 8.8.8.8#53
> www.baidu.com               # ask for Baidu's address again
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 220.181.111.147      # a different DNS server returns a different IP address

2.4 rndc command

rndc (remote name daemon control) manages the name server through a TCP socket connection to the server, which listens on port 953. For security reasons, the rndc client and the server are normally installed on the same host.

Syntax 1 (options)

  • -b source-address: use source-address as the source address of the connection to the server; it may be given more than once to set both an IPv4 and an IPv6 source address

  • -c config-file: use config-file as the configuration file instead of the default /etc/rndc.conf

  • -k key-file: use key-file as the key file instead of the default /etc/rndc.key. If the configuration file does not exist, the key in /etc/rndc.key is used to authenticate commands to the server

  • -s server: the name or address of the server, matching a server statement in the rndc configuration file. If no server is given on the command line, the host named by the default-server clause of the options statement in the rndc configuration file is used

  • -p port: send the command to this TCP port instead of BIND 9's default control channel port, 953

  • -V: enable verbose logging

  • -y key_id: use the key key_id from the configuration file

Syntax 2 (commands)

  • reload: reloads the main configuration file and the zone files

  • reload zone: reloads the given zone file

  • refresh zone: schedules immediate maintenance for the zone

  • retransfer zone: manually starts a zone transfer, whether or not the serial number has increased

  • notify zone: resends NOTIFY messages for the zone

  • reconfig: reloads the main configuration file

  • stats: writes server statistics to the statistics file

  • querylog: toggles query logging. Enable it while debugging; otherwise the logging costs too much performance

  • dumpdb: dumps the cache to a dump file (named_dump.db)

  • stop: saves pending updates to the master files and stops the server

  • halt: stops the server without saving pending updates

  • trace: increases the debug level by one. Use it while debugging; otherwise the logging costs too much performance

  • trace level: changes the debug level to the given level

  • notrace: sets the debug level to 0

  • flush: flushes all of the server's caches

  • status: displays the status of the server

  • restart: restarts the server

Example

#  rndc status prints the server's runtime information
[root@localhost ~]# rndc status
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

#  rndc reload reloads the zone files without restarting the server
[root@localhost ~]# rndc reload

3. Installation and configuration of BIND

DNS service: package name bind, program name named.

3.1 Packages

Installing bind, bind-libs and bind-utils is enough

  • bind: main package

  • bind-libs: dependent library files, 32-bit and 64-bit

  • bind-utils: client-side tools such as dig, host, nslookup and nsupdate

  • bind-chroot: optional, but a named that is not chrooted is easier to compromise

  • The bind-chroot package improves security: the DNS configuration files such as /etc/named.conf are hard-linked into the /var/named/chroot/etc/ directory, and the service runs under the service account instead of root

  • Note that to change the configuration you still edit the files under /etc/; the changes appear automatically in the linked files under the chroot

bind-sdb
bind-dyndb-ldap

These two packages store the zone data in different database back ends instead of plain zone files

3.2 BIND configuration files

Configuration files

  • Service start script: /etc/rc.d/init.d/named under CentOS 6

  • Main configuration file: /etc/named.conf

  • /etc/rndc.key: the shared secret key file for rndc, which provides authentication. rndc is the remote name daemon controller: it is installed on the same host as bind by default and connects to the named process only through the loopback address 127.0.0.1. It provides auxiliary management functions, such as viewing the resolution status, and works on port 953/tcp by default

  • /etc/named.rfc1912.zones: the zone definitions included by the main configuration file

  • Zone files: /var/named/ZONE_NAME.zone. The /var/named/ directory holds several zone files. /var/named/named.ca points to the root DNS servers and does not need to be changed by the administrator; the system also ships /var/named/named.localhost, which resolves localhost, and /var/named/named.loopback, which reverse-resolves 127.0.0.1 to localhost

  • Note
    (1) One physical server can provide resolution for several zones at the same time
    (2) There must be a root zone file; named.ca contains the addresses of the 13 root servers and can be regenerated with the dig command
    (3) There should be two zone files (or more if IPv6 is included) that resolve localhost and the loopback address

#  Under CentOS 6
[root@localhost ~]# rpm -ql bind | less
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/usr/lib64/bind
/usr/sbin/arpaname
......
#  @ stands for the name of the current zone, which is defined in the main configuration file /etc/named.conf
#  No TTL is written on the records because the $TTL macro sets it to 1D, which the records inherit
#  rname.invalid. is the administrator's e-mail address
#  The later records (NS, A, ...) have no owner name because they inherit the previous one

[root@localhost named]# cat /var/named/named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1

[root@localhost named]# cat /var/named/named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
        PTR     localhost.

Main configuration file

  • Global configuration: options {}

  • Logging subsystem configuration: logging {}

  • Zone definitions: the zones this machine can resolve, such as zone "ZONE_NAME" IN {}

  • Note: if a service program is expected to be reached by other hosts over the network, it must at least listen on an IP address that can communicate with those hosts

[root@localhost ~]# cat /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
#  localhost.localdomain is the zone name, that is, what @ stands for in the zone file
[root@localhost ~]# cat /etc/named.rfc1912.zones
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

3.3 Caching name server configuration

A freshly installed bind is already a caching name server; it only needs a little configuration

  • Modify listen-on port 53

  • Modify allow-query

  • Modify recursion

(1) Installation

[root@localhost ~]# yum install bind

(2) Start

[root@localhost ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

(3) Check

#  For security, a freshly installed bind listens only on loopback by default and does not serve external clients
#  If a service program is expected to be reached by other hosts over the network, it must at least listen on an IP address that can communicate with those hosts
#  Just edit the main configuration file

[root@localhost ~]# ss -tunlp | grep :53
udp    UNCONN     0      0              127.0.0.1:53                    *:*      users:(("named",39822,512))
udp    UNCONN     0      0                    ::1:53                   :::*      users:(("named",39822,513))
tcp    LISTEN     0      3                    ::1:53                   :::*      users:(("named",39822,21))
tcp    LISTEN     0      3              127.0.0.1:53                    *:*      users:(("named",39822,20))

(4) Modification

#  Back up before modifying
#  In cp /etc/named.conf{,.bak} there is nothing before the comma, so the first name is the original file and the second is the copy with .bak appended

[root@localhost ~]# cp /etc/named.conf{,.bak}
[root@localhost ~]# ll /etc/named*
-rw-r-----. 1 root named  984 Nov 20  2015 /etc/named.conf
-rw-r-----. 1 root root   984 Jun 20 21:53 /etc/named.conf.bak
#  // starts a single-line comment (note the IPv6 line)
#  /* */ encloses a multi-line comment
#  Every statement must end with ; and there must be spaces on both sides of the contents of {}, otherwise it is a syntax error
#  directory defines where the zone files are stored

#  Turning the DNSSEC options off is recommended here:
#  change dnssec-enable and dnssec-validation to no, and comment out the key file line

#  Put the address that can communicate with the outside network after listen-on port 53; if there are several, list all of them, none can be omitted
#  If listen-on port 53 is commented out or deleted, the default is to listen on all addresses
#  Comment out allow-query, or change it to allow-query { any; };
#  recursion must be yes

[root@localhost ~]# vim /etc/named.conf
options {
        listen-on port 53 { 172.16.242.178; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";
//      managed-keys-directory "/var/named/dynamic";
};

(5) Restart to take effect

#  The configuration does not take effect until the service is restarted
[root@localhost ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

[root@localhost ~]# ss -tunlp | grep :53
udp    UNCONN     0      0         172.16.242.178:53                    *:*      users:(("named",40086,513))
udp    UNCONN     0      0              127.0.0.1:53                    *:*      users:(("named",40086,512))
udp    UNCONN     0      0                    ::1:53                   :::*      users:(("named",40086,514))
tcp    LISTEN     0      3                    ::1:53                   :::*      users:(("named",40086,22))
tcp    LISTEN     0      3         172.16.242.178:53                    *:*      users:(("named",40086,21))
tcp    LISTEN     0      3              127.0.0.1:53                    *:*      users:(("named",40086,20))
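The edited options block above listens on 172.16.242.178, leaves allow-query commented out (so it defaults to any) and keeps recursion yes, which makes named a recursive resolver for anyone who can reach that address. As an added example that is not part of the original tutorial, this Python checker parses an options block written the way this page's named.conf is and reports whether it describes an open recursive resolver; both sample blocks are constructed copies of the configurations shown above.

```python
import re

# Constructed samples (not copied from a live host): the options block as the
# package ships it, and the same block after the edits made in step (4) above.
DEFAULT_CONF = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; };
        recursion yes;
};
"""

EDITED_CONF = """
options {
        listen-on port 53 { 172.16.242.178; 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
//      allow-query     { localhost; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";
};
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r"#[^\n]*", "", text)


def options_block(text):
    """Return the body of the options { ... }; statement."""
    m = re.search(r"\boptions\s*\{(.*?)^\};", strip_comments(text), flags=re.S | re.M)
    if m is None:
        raise ValueError("no options block found")
    return m.group(1)


def acl(block, directive):
    """Entries of `directive ... { a; b; };`, or None when the directive is
    absent (a commented-out line counts as absent)."""
    pattern = r"(?<![\w-])" + re.escape(directive) + r"(?![\w-])[^{;]*\{([^}]*)\}"
    m = re.search(pattern, block)
    if m is None:
        return None
    return [entry.strip() for entry in m.group(1).split(";") if entry.strip()]


def recursion_enabled(block):
    """BIND defaults recursion to yes when the directive is missing."""
    m = re.search(r"(?<![\w-])recursion\s+(yes|no)\s*;", block)
    return m is None or m.group(1) == "yes"


def check_open_resolver(text):
    """Apply BIND's defaults (no listen-on = all interfaces, no allow-query =
    any, allow-recursion falls back to allow-query) and decide whether the
    server answers recursive queries for anyone who can reach it."""
    block = options_block(text)
    listen = (acl(block, "listen-on") or ["any"]) + (acl(block, "listen-on-v6") or ["any"])
    query = acl(block, "allow-query") or ["any"]
    recurse = acl(block, "allow-recursion") or query
    result = {
        "listens_externally": any(addr not in LOOPBACK for addr in listen),
        "recursion": recursion_enabled(block),
        "recursion_acl": recurse,
    }
    result["open_resolver"] = (result["listens_externally"]
                               and result["recursion"]
                               and "any" in recurse)
    return result


if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("edited", EDITED_CONF)):
        print(label, check_open_resolver(conf))
```

For a caching server that must serve a LAN, restoring allow-query (or adding allow-recursion) with the LAN prefix instead of any keeps recursion on without making the result an open resolver.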

3.4 Primary DNS name server configuration

Configuring a primary DNS name server means adding a zone on top of the caching DNS server

  • Add a zone statement in /etc/named.rfc1912.zones

  • Add the zone file in /var/named/

(1) Define the zone in the main configuration file

Format

#  master: this server is the master for the zone
#  slave: this server is a slave for the zone
#  hint: the root hints zone
#  forward: forward queries for the zone
#  file is relative to the directory defined in the main configuration file
zone "ZONE_NAME" IN {
        type {master|slave|hint|forward};
        file "ZONE_NAME.zone";
};

Modify configuration

#  Define the zone in the /etc/named.rfc1912.zones file
#  named-checkconf checks the configuration for syntax errors
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "wsescape.com" IN {
        type master;
        file "wsescape.com.zone";
};

[root@localhost ~]# named-checkconf

(2) Define the zone file

Format

The file contains:
Macro definitions;
Resource records;

Modify configuration

#  $TTL defines the default TTL; 86400 is in seconds, and 1D can be used instead
#  $ORIGIN specifies the suffix appended to relative names, so ns1, mx1 and the like become ns1.wsescape.com., mx1.wsescape.com. and so on
#  named-checkzone checks the zone file
#  The two www records are answered in round-robin fashion
#  The * in the wildcard record means that whatever the user enters, no error is returned
#  Alternatively write *    IN    A    172.16.100.11, because a CNAME cannot point at an IP address

[root@localhost ~]# cd /var/named/
[root@localhost named]# vim wsescape.com.zone
$TTL 86400
$ORIGIN wsescape.com.
@    IN    SOA    ns1.wsescape.com.    admin.wsescape.com. (
        2016042201
        1H
        5M
        7D
        1D )
     IN    NS       ns1
     IN    NS       ns2
     IN    MX 10    mx1
     IN    MX 20    mx2
ns1  IN    A        172.16.100.11
ns2  IN    A        172.16.100.12
mx1  IN    A        172.16.100.13
mx2  IN    A        172.16.100.14
www  IN    A        172.16.100.11
www  IN    A        172.16.100.12
ftp  IN    CNAME    www
*    IN    CNAME    www

[root@localhost named]# named-checkzone "wsescape.com" /var/named/wsescape.com.zone
zone wsescape.com/IN: loaded serial 2016042201
OK
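named-checkzone validates the zone for real; as an added example that is not from the tutorial, the Python linter below parses a constructed copy of the zone file just written (with the trailing dot on admin.wsescape.com.) and checks the rules stated in section 1.7 and in this section: exactly one SOA, first in the file; every NS and MX target has an A or AAAA record; a CNAME points at a name, not an IP address; and it lists the names that are answered in round-robin. The parser handles $TTL, $ORIGIN, @, inherited owner names and the parenthesised SOA.

```python
import ipaddress
import re

# Constructed copy of the wsescape.com zone from section 3.4 (the SOA
# contact carries the trailing dot that a zone file needs).
ZONE = """\
$TTL 86400
$ORIGIN wsescape.com.
@    IN    SOA    ns1.wsescape.com.    admin.wsescape.com. (
        2016042201
        1H
        5M
        7D
        1D )
     IN    NS       ns1
     IN    NS       ns2
     IN    MX 10    mx1
     IN    MX 20    mx2
ns1  IN    A        172.16.100.11
ns2  IN    A        172.16.100.12
mx1  IN    A        172.16.100.13
mx2  IN    A        172.16.100.14
www  IN    A        172.16.100.11
www  IN    A        172.16.100.12
ftp  IN    CNAME    www
*    IN    CNAME    www
"""

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)


def qualify(name, origin):
    """'@' is the zone itself; a name without a trailing dot gets $ORIGIN appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_zone(text):
    """Return (owner, type, rdata tokens, origin) tuples in file order."""
    origin, owner, records = ".", None, []
    lines = [line.split(";", 1)[0] for line in text.splitlines()]
    logical, buf = [], None
    for line in lines:                      # join parenthesised rdata (the SOA)
        buf = line if buf is None else buf + " " + line
        if buf.count("(") == buf.count(")"):
            logical.append(buf)
            buf = None
    for line in logical:
        if not line.strip():
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if line[0] in " \t":               # blank owner: inherit the previous one
            if owner is None:
                raise ValueError("record without an owner name")
        else:
            owner = qualify(tokens.pop(0), origin)
        if tokens and TTL_RE.match(tokens[0]):
            tokens.pop(0)                   # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:], origin))
    return records


def lint_zone(text):
    """Check the rules from sections 1.7 and 3.4; return the violations found."""
    records = parse_zone(text)
    findings = []
    if [i for i, r in enumerate(records) if r[1] == "SOA"] != [0]:
        findings.append("zone must have exactly one SOA, and it must be the first record")
    has_address = {r[0] for r in records if r[1] in ("A", "AAAA")}
    for owner, rtype, rdata, origin in records:
        if rtype in ("NS", "MX"):
            target = qualify(rdata[-1], origin)   # MX rdata is "priority name"
            if target not in has_address:
                findings.append(f"{rtype} target {target} has no A/AAAA record")
        elif rtype == "CNAME" and is_ip(rdata[0]):
            findings.append(f"CNAME at {owner} points at an IP address, not a name")
    return findings


def round_robin_names(text):
    """Owner names with more than one address record (answered in turn)."""
    count = {}
    for owner, rtype, _, _ in parse_zone(text):
        if rtype in ("A", "AAAA"):
            count[owner] = count.get(owner, 0) + 1
    return sorted(name for name, n in count.items() if n > 1)
```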

Change permissions

#  ps shows that the process runs as the named user
#  /etc/named.conf is owned by root with group named
#  For security, give the zone file you created the same ownership and mode

[root@localhost named]# ps -aux | grep named
named     40086  0.0  1.1 160072 11736 ?        Ssl  22:07   0:00 /usr/sbin/named -u named
root      40785  0.0  0.0 103324   864 pts/0    S+   23:19   0:00 grep named

[root@localhost named]# ll /etc/named.conf
-rw-r-----. 1 root named 1004 Jun 20 22:23 /etc/named.conf

[root@localhost named]# id named
uid=25(named) gid=25(named) group=25(named)

[root@localhost named]# ll
total 32
drwxrwx---. 2 named named 4096 Jun 20 21:45 data
drwxrwx---. 2 named named 4096 Jun 20 21:45 dynamic
-rw-r-----. 1 root  named 3171 Jan 11 22:12 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 May 11 07:07 slaves
-rw-r--r--. 1 root  root   408 Jun 20 22:53 wsescape.com.zone

[root@localhost named]# chmod 640 wsescape.com.zone
[root@localhost named]# chown :named wsescape.com.zone

[root@localhost named]# ll
total 32
drwxrwx---. 2 named named 4096 Jun 20 21:45 data
drwxrwx---. 2 named named 4096 Jun 20 21:45 dynamic
-rw-r-----. 1 root  named 3171 Jan 11 22:12 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 May 11 07:07 slaves
-rw-r-----. 1 root  named  408 Jun 20 22:53 wsescape.com.zone

Restart to take effect

[root@localhost ~]# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]

#  Use the dig command to verify the records
#  Because of the earlier configuration, the answers are returned in round-robin order
[root@localhost ~]# dig -t A wsescape.com @172.16.242.178

3.5 Reverse zone

Reverse and forward resolution are independent systems, so they can be deployed on the same machine or on different ones.

  • A zone, whether forward or reverse, can have only one master server

  • A master server can have multiple slave servers

Determine the network address from the host addresses defined in the zone file

  • If all hosts are within 172.16.100, the network address is 172.16.100

  • If there are addresses in several subnets, such as 172.16.100.12 and 172.16.200.121, the network address is 172.16

  • and so on

What a reverse zone is

  • The unchanging part (the network) becomes the zone name, and the changing part (the host) becomes the record name

Format

  • Zone name: the network address written in reverse order, followed by in-addr.arpa

  • For example, 172.16.100. ==> 100.16.172.in-addr.arpa

How to define a reverse zone

(1) Define the zone

#  file is again a path relative to /var/named/
#  If several forward domains map onto the same network, they share one reverse zone, so the file name is free to choose, e.g. "network-address-1.zone", "network-address-2.zone"
#  If there is only one reverse zone, a single reverse zone file named "network-address.zone" is enough
zone "ZONE_NAME" IN {
type {master|slave|forward};
file "network-address.zone";
};

#  Because 172.16.242.178 and our other servers (172.16.100.12 / 172.16.100.11) share only the 172.16 prefix, the zone can only be written as "16.172.in-addr.arpa" with the file "172.16.zone"
#  Finally, add the following
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
type master;
file "172.16.zone";
};

(2) Zone file

  • Mainly PTR records

  • MX, A and AAAA records are not required

# $TTL defines the default TTL
# $ORIGIN here is the name of the reverse zone
#  The host part of a reverse record cannot be omitted
#  Here 11.100 and 12.100 are automatically completed with 16.172.in-addr.arpa
#  Alias (CNAME) records need no reverse entry, so ftp gets no PTR record
#  vim -o wsescape.com.zone 172.16.zone can be used to edit the two files side by side

[root@localhost ~]# cd /var/named/
[root@localhost named]# vim 172.16.zone
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
@        IN    SOA    ns1.wsescape.com. admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
         IN    NS     ns1.wsescape.com.
         IN    NS     ns2.wsescape.com.
11.100   IN    PTR    ns1.wsescape.com.
11.100   IN    PTR    www.wsescape.com.
12.100   IN    PTR    mx1.wsescape.com.
12.100   IN    PTR    www.wsescape.com.
13.100   IN    PTR    mx2.wsescape.com.
#  Without $ORIGIN, the reverse zone can also be written like this (the first owner name is spelled out in full)
[root@localhost named]# vim 172.16.zone
$TTL 86400
@        IN    SOA    ns1.wsescape.com. admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
16.172.in-addr.arpa.    IN    NS     ns1.wsescape.com.
                        IN    NS     ns2.wsescape.com.
11.100   IN    PTR    ns1.wsescape.com.
11.100   IN    PTR    www.wsescape.com.
12.100   IN    PTR    mx1.wsescape.com.
12.100   IN    PTR    www.wsescape.com.
13.100   IN    PTR    mx2.wsescape.com.

(3) Modify permissions and restart

[root@localhost named]# chmod 640 172.16.zone
[root@localhost named]# chown :named 172.16.zone

#  Syntax check
[root@localhost named]# named-checkconf
[root@localhost named]# named-checkzone "16.172.in-addr.arpa" 172.16.zone
OK
[root@localhost named]# service named reload

#  Testing
[root@localhost named]# host -t PTR 172.16.100.12 172.16.242.178
[root@localhost named]# dig -x 172.16.100.12 @172.16.242.178
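The reverse-zone naming rules above (network written backwards plus in-addr.arpa, host part as the record name) are mechanical, so they can be scripted. The following POSIX shell script is an added example and not part of the original tutorial: it derives reverse-zone names and relative PTR owner names, and generates PTR records from the A records of a forward zone file, using only sh and awk. The zone names and addresses are the tutorial's; the zone text embedded in demo() is constructed, and A records whose owner is inherited from the previous line are not handled.

```shell
#!/bin/sh
# Added example, not from the original tutorial: derive reverse-zone names and
# generate PTR records from a forward zone's A records using only sh and awk.
# Zone names and addresses are the tutorial's; the sample zone text is constructed.

# Number of network labels a reverse zone covers: 16.172.in-addr.arpa -> 2
zone_depth() {
    printf '%s\n' "$1" | sed 's/\.in-addr\.arpa\.*$//' | awk -F. '{ print NF }'
}

# Reverse zone name for a network prefix: 172.16.100 -> 100.16.172.in-addr.arpa
rev_zone_name() {
    printf '%s\n' "$1" | awk -F. '{
        out = ""
        for (i = NF; i >= 1; i--) out = out $i "."
        print out "in-addr.arpa"
    }'
}

# Relative PTR owner of an address inside a reverse zone:
# 172.16.100.12 in 16.172.in-addr.arpa -> 12.100
ptr_owner() {
    printf '%s\n' "$1" | awk -F. -v d="$(zone_depth "$2")" '{
        out = ""
        for (i = NF; i > d; i--) out = out (out == "" ? "" : ".") $i
        print out
    }'
}

# gen_ptr FORWARD_FILE ORIGIN REVERSE_ZONE
# Emit a PTR record for every A record whose address lies in the network of
# REVERSE_ZONE. Targets are made fully qualified so the output is valid
# whatever $ORIGIN the reverse zone file uses.
gen_ptr() {
    fwd=$1; origin=$2; rzone=$3
    # network prefix with trailing dot, e.g. "172.16.", so 172.160.x.x cannot match
    net=$(printf '%s\n' "$rzone" | sed 's/\.in-addr\.arpa\.*$//' | awk -F. '{
        out = ""; for (i = NF; i >= 1; i--) out = out $i "."; printf "%s", out }')
    awk -v origin="$origin" -v net="$net" -v d="$(zone_depth "$rzone")" '
        $2 == "IN" && $3 == "A" && index($4, net) == 1 {
            name = $1
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            n = split($4, p, ".")
            owner = ""
            for (i = n; i > d; i--) owner = owner (owner == "" ? "" : ".") p[i]
            printf "%s\tIN\tPTR\t%s\n", owner, name
        }' "$fwd"
}

# Constructed sample: the A and CNAME records of the tutorial's wsescape.com zone
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
ns1  IN  A  172.16.100.11
ns2  IN  A  172.16.100.12
mx1  IN  A  172.16.100.13
www  IN  A  172.16.100.11
ftp  IN  CNAME  www
EOF
    gen_ptr "$tmp" wsescape.com 16.172.in-addr.arpa
    rm -f "$tmp"
}

rev_zone_name 172.16.100
ptr_owner 172.16.100.12 16.172.in-addr.arpa
demo
```

demo() prints four PTR lines (the CNAME for ftp is skipped, as the tutorial notes); the same script run against the real /var/named/wsescape.com.zone gives a starting point for 172.16.zone that can then be checked with named-checkzone.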

3.6 Slave DNS server configuration

A slave DNS server is defined by modifying the configuration of a caching server

  • Add a zone record in /etc/named.rfc1912.zones

Master-slave replication

(1) The slave should be a stand-alone name server
(2) The master's zone file must contain an NS record pointing to the slave server
(3) The slave only defines the zone and provides no zone file of its own; the transferred zone file is placed in the /var/named/slaves/ directory
(4) The master server must allow zone transfers to the slave
(5) The clocks of master and slave should be synchronized through ntp
(6) The bind versions should match; otherwise the slave should run the higher version

Defining a slave zone

Forward slave zone format

#  The zone file transferred from the master is stored under /var/named/slaves/
zone "ZONE_NAME" IN {
type slave;
masters { MASTER_IP; };
file "slaves/ZONE_NAME.zone";
};

Reverse slave zone format

#  The zone file transferred from the master is stored under /var/named/slaves/
zone "Reverse_Net_Addr.in-addr.arpa" IN {
type slave;
masters { MASTER_IP; };
file "slaves/SOMEFILE.zone";
};

(1) Forward slave server instance

#  Note that this slave DNS server must have an NS record defined in the master DNS server
#  Only then is the slave notified to synchronize when the master's zone database changes; otherwise it is not synchronized

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "wsescape.com" IN {
type slave;
masters { 172.16.242.178; };
file "slaves/wsescape.com.zone";
};

#  Reload the service for it to take effect
[root@localhost ~]# rndc reload

#  The transfer can be followed in the log
[root@localhost ~]# tail /var/log/messages

(2) Reverse slave server instance

#  Note that this slave DNS server must have an NS record defined in the master DNS server
#  Only then is the slave notified to synchronize when the master's zone database changes; otherwise it is not synchronized

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "16.172.in-addr.arpa" IN {
type slave;
masters { 172.16.242.178; };
file "slaves/172.16.zone";
};

#  Reload the service for it to take effect
[root@localhost ~]# rndc reload

#  The transfer can be followed in the log
[root@localhost ~]# tail /var/log/messages

4. Advanced features: subdomain delegation

4.1 Characteristics of subdomain delegation

Subdomain delegation is the subdivision of a domain name you already hold. For example, you have registered wsescape.com and, for business reasons, the ops department and the fin department need to be separated and run their own DNS servers. At this point you delegate subdomains to them.

Characteristics

  • Distributed database

  • Delegating subdomains of a forward zone is common, while delegating reverse zones is comparatively difficult

4.2 Subdomain delegation method

Delegating a subdomain of a forward zone

#  Define the subzone delegation
#  Configure it in the parent zone file under /var/named/, here /var/named/wsescape.com.zone
#  Under wsescape.com we delegate two subdomains, ops and fin

ops.wsescape.com.        IN    NS    ns1.ops.wsescape.com.
ops.wsescape.com.        IN    NS    ns2.ops.wsescape.com.
ns1.ops.wsescape.com.    IN    A     1.1.1.1
ns2.ops.wsescape.com.    IN    A     1.1.1.2

fin.wsescape.com.        IN    NS    ns1.fin.wsescape.com.
fin.wsescape.com.        IN    NS    ns2.fin.wsescape.com.
ns1.fin.wsescape.com.    IN    A     3.1.1.1
ns2.fin.wsescape.com.    IN    A     3.1.1.2

4.3 Resolution process

Premise: a subdomain ops is delegated under wsescape.com, and a www host is created under ops.

External resolution

(1) When a host in www.test.org needs to reach the www host under ops, the query goes through the following stages:

  • First query the root (.); the root refers you to com

  • Then query com; com refers you to wsescape

  • Then query wsescape; wsescape refers you to ops

  • Finally, ops returns the requested record

Internal resolution

(1) When a host under wsescape.com needs to reach the www host under ops, the DNS server of wsescape.com does not hold the answer itself, but it knows where the subdomain is, so it refers the query straight to the ops DNS server.
(2) When a host under ops needs to reach the www host under wsescape.com, the query goes through the following stages:

  • First query ops; ops refers you to the root

  • Then query the root (.); the root refers you to com

  • Then query com; com refers you to wsescape

  • Finally, wsescape returns the requested record

This is a big detour. To avoid it, we define a forwarding server.

4.4 Defining a forwarding server

Notes

(1) Turn off dnssec

  • dnssec-enable no

  • dnssec-validation no

(2) The server being forwarded to must be willing to recurse for the requester, otherwise the forwarded query is not carried out

(3) When both global forwarding and zone forwarding are defined, the more specific match wins: a query is forwarded through the matching zone first, and only otherwise through the global forwarding

Forwarding modes

(1) Global forwarding

All queries for zones this server is not authoritative for are forwarded to the specified servers

#  forward defines the forwarding mode
#  first: forward to the specified servers first, and iterate from the root servers if they do not respond, i.e. forward before iterating
#  only: forward to the specified servers only, never iterate
#  forwarders defines who to forward to

options {
forward first|only;
forwarders { IP; };
};

(2) Zone forwarding

Only queries for a specific zone are forwarded to a server; the zone must be defined with type forward

#  forward defines the forwarding mode
#  first: forward to the specified servers first, and iterate from the root servers if they do not respond, i.e. forward before iterating
#  only: forward to the specified servers only, never iterate
#  forwarders defines who to forward to

zone "ZONE_NAME" IN {
type forward;
forward first|only;
forwarders { IP; };
};

4.5 Child and parent domain configuration

Premise:

Parent domain server IP ==> 172.16.100.11
Subdomain server IP ==> 172.16.100.12
IP address with Internet access ==> 172.16.0.1

(1) Parent domain server configuration

#  A separate host. Configuring the parent domain means adding a delegated subdomain to the master server configuration
#  Note: by default named listens on all addresses
#  If the test does not succeed, check the dnssec settings in /etc/named.conf and set them to no rather than commenting them out, otherwise the local client will not accept the answers
[root@localhost ~]# yum install -y bind

[root@localhost ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 172.16.242.178; 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";
//      managed-keys-directory "/var/named/dynamic";
};
[root@localhost ~]# service named start
[root@localhost ~]# ss -tunl | grep :53
udp    UNCONN     0      0              127.0.0.1:53                    *:*
udp    UNCONN     0      0                    ::1:53                   :::*
tcp    LISTEN     0      3                    ::1:53                   :::*
tcp    LISTEN     0      3              127.0.0.1:53                    *:*
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "wsescape.com" IN {
type master;
file "wsescape.com.zone";
};
#  ops, ns1.ops and ns2.ops are automatically completed with wsescape.com
#  No A record is defined for ns2.ops because we did not set up a host for ns2.ops
#  If the parent sent queries for the child domain to an unconfigured machine they would fail, which is why it is left out

[root@localhost ~]# vim /var/named/wsescape.com.zone
$TTL 1D
$ORIGIN wsescape.com.
@    IN    SOA    ns1.wsescape.com.    admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   ns1
   IN    NS   ns2
ns1    IN    A    172.16.100.11
ns2    IN    A    172.16.100.18
www    IN A    172.16.100.11
*      IN    A    172.16.100.11
ops    IN    NS   ns1.ops
ops    IN    NS   ns2.ops
ns1.ops    IN    A    172.16.100.12
[root@localhost ~]# cd /var/named/

[root@localhost named]# chown :named wsescape.com.zone
[root@localhost named]# chmod 640 wsescape.com.zone
[root@localhost ~]# rndc reload
server reload successful

[root@localhost ~]# tail /var/log/messages

(2) Subdomain server configuration

#  Configuring the subdomain server, again a separate host, is no different from the parent domain configuration
#  Note: by default named listens on all addresses
#  If the test does not succeed, check the dnssec settings in /etc/named.conf and set them to no rather than commenting them out, otherwise the local client will not accept the answers
[root@localhost ~]# yum install -y bind

[root@localhost ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 172.16.242.178; 127.0.0.1; };
//      listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
        /* Path to ISC DLV key */
//      bindkeys-file "/etc/named.iscdlv.key";
//      managed-keys-directory "/var/named/dynamic";
};
[root@localhost ~]# service named start
[root@localhost ~]# ss -tunl | grep :53
udp    UNCONN     0      0              127.0.0.1:53                    *:*
udp    UNCONN     0      0                    ::1:53                   :::*
tcp    LISTEN     0      3                    ::1:53                   :::*
tcp    LISTEN     0      3              127.0.0.1:53                    *:*
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "ops.wsescape.com"  IN {
type master;
file "ops.wsescape.com.zone";
};
#  ns1 and ns2 are automatically completed with ops.wsescape.com
#  The A record of ns2 is likewise omitted because there is no such machine; if the parent domain
#  sent queries for the child domain to an unconfigured machine they would fail, which is why it is left out

[root@localhost ~]# vim /var/named/ops.wsescape.com.zone
$TTL 1D
$ORIGIN ops.wsescape.com.
@    IN    SOA    ns1.ops.wsescape.com.    admin.ops.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   ns1
   IN    NS   ns2
ns1    IN    A    172.16.100.12
www    IN A    172.16.100.20
*      IN    A    172.16.100.20
[root@localhost ~]# cd /var/named/

[root@localhost named]# chown :named ops.wsescape.com.zone
[root@localhost named]# chmod 640 ops.wsescape.com.zone
[root@localhost ~]# rndc reload
server reload successful

[root@localhost ~]# tail /var/log/messages

(3) Test the configuration

#  Here we observe the following

#  On the subdomain server, the ops records can be looked up
#  172.16.100.12 is the subdomain server
[root@localhost ~]# dig -t A www.ops.wsescape.com @172.16.100.12

#  On the subdomain server, the parent's records cannot be looked up without Internet access; with Internet access they are found by following the referrals from the root
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.12

#  On the parent server, the records of the subdomain ops can be looked up
#  dig requests recursion by default, so add +norecurse to send a non-recursive query
#  172.16.100.11 is the parent domain server
[root@localhost ~]# dig -t A ops.wsescape.com @172.16.100.11 +norecurse
[root@localhost ~]# dig -t A www.ops.wsescape.com @172.16.100.11 +norecurse
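Section 4.2 and the parent zone file above show that a delegation is an NS record for the subdomain plus, for any name server that lives inside the subdomain, a glue A record in the parent; the tutorial deliberately leaves ns2.ops without one. The following POSIX shell script is an added example, not part of the tutorial: it reads a parent zone file and reports delegation name servers under the origin that have no A record in that file, a quick check to run before rndc reload. The zone names are the tutorial's and the zone text used by demo() is constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: find delegation NS records
# in a parent zone file whose name server lies inside this zone but has no
# A (glue) record. Zone names are the tutorial's; demo()'s zone text is constructed.

# check_glue ZONE_FILE ORIGIN
# Prints "<subzone> delegated to <ns>: no A (glue) record in this zone" per
# missing record, sorted; prints nothing when every in-zone name server has one.
check_glue() {
    awk -v origin="$2" '
        function fqdn(n) {
            if (n == "@") return origin "."
            if (n ~ /\.$/) return n
            return n "." origin "."
        }
        # the multi-line SOA block carries no record owners, skip it
        /\(/ { inparen = 1 }
        inparen { if ($0 ~ /\)/) inparen = 0; next }
        $2 == "IN" && $3 == "A" { has_a[fqdn($1)] = 1 }
        # an NS record owned by a name below the origin is a delegation
        $2 == "IN" && $3 == "NS" && fqdn($1) != origin "." {
            target = fqdn($4)
            sub_of[target] = fqdn($1)
        }
        END {
            suffix = "." origin "."
            for (t in sub_of) {
                # only name servers inside our own zone need an address record here
                if (substr(t, length(t) - length(suffix) + 1) == suffix && !(t in has_a))
                    printf "%s delegated to %s: no A (glue) record in this zone\n", sub_of[t], t
            }
        }' "$1" | sort
}

# Constructed copy of the tutorial's parent zone file from section 4.5
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
$TTL 1D
$ORIGIN wsescape.com.
@    IN    SOA    ns1.wsescape.com.    admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
     IN    NS   ns1
     IN    NS   ns2
ns1    IN    A    172.16.100.11
ns2    IN    A    172.16.100.18
www    IN    A    172.16.100.11
ops    IN    NS   ns1.ops
ops    IN    NS   ns2.ops
ns1.ops    IN    A    172.16.100.12
EOF
    check_glue "$tmp" wsescape.com
    rm -f "$tmp"
}

demo
```

Run against a real file as check_glue /var/named/wsescape.com.zone wsescape.com; an empty result means every delegated name server inside the zone has its glue. The apex NS records (owner inherited from the SOA line) are skipped on purpose, since they are not delegations.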

4.6 Defining forwarding

Notes

  • If the test does not succeed, check the dnssec settings in /etc/named.conf and set them to no rather than commenting them out, otherwise the local client will not accept the answers

  • If a name that should no longer resolve still resolves, you may need to empty the cache with rndc flush

Service configuration

(1) Global forwarding

#  Configured on the parent domain server
#  Global forwarding here means forwarding all other queries to 172.16.0.1
#  Edit /etc/named.conf on the parent domain server and add the following inside options
#  The machines above have no Internet access themselves, but they can resolve through 172.16.0.1

[root@localhost ~]# vim /etc/named.conf
options {
forward first;
forwarders { 172.16.0.1; };
};

[root@localhost ~]# rndc reload
server reload successful

[root@localhost ~]# tail /var/log/messages

#  Testing on the parent domain server succeeds
[root@localhost ~]# dig -t A www.baidu.com @172.16.100.11

(2) Zone forwarding

#  Configured on the subdomain server
#  Zone forwarding here means forwarding queries for the wsescape.com domain to 172.16.100.11
#  On the subdomain server, edit /etc/named.rfc1912.zones and add a zone

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "wsescape.com"  IN  {
type forward;
forward only;
forwarders { 172.16.100.11; };
};

[root@localhost ~]# rndc reload
server reload successful

[root@localhost ~]# tail /var/log/messages

#  Testing on the subdomain server succeeds
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.12

(3) Test the configuration

#  Testing on the parent domain server: both succeed
[root@localhost ~]# dig -t A www.ops.wsescape.com @172.16.100.11
[root@localhost ~]# dig -t A www.baidu.com @172.16.100.11

#  Testing on the subdomain server: the child knows where the parent is, so the first query succeeds
#  Other names still cannot be resolved from the subdomain, because only the zone wsescape.com is forwarded
#  If the subdomain server defined both global and zone forwarding, the more specific zone forwarding would be used first and the global forwarding afterwards

[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.12
#  Resolution from the subdomain fails
[root@localhost ~]# dig -t A www.baidu.com @172.16.100.12

5. Advanced features: views

5.1 Basic security-related configuration in BIND

(1) acl mechanism

  • Merges one or more addresses into a set that is referred to by a single name

  • It must be defined before it is used, so it is usually defined before options in the configuration file

(2) acl format

#  acl is the keyword, acl_name is a name of your choice
#  ip is a single IP address and net/prefixlen is a network, so both single hosts and whole networks can be listed
acl acl_name {
ip;
ip;
net/prefixlen;
};

(3) Four built-in ACLs

Because these four are built in, we cannot reuse their names for our own ACLs, otherwise they are misapplied.

  • none ==> no host

  • any ==> any host

  • localhost ==> the local host (every address of this machine)

  • localnets ==> the networks obtained by combining each local IP with its netmask

(4) Access control directives

The following directives can be used in options in /etc/named.conf, where they take effect globally, or in a zone in /etc/named.rfc1912.zones, where they take effect for that zone only. The {} may contain defined ACLs, built in or our own, or host IP addresses.

  • allow-query {} ==> hosts allowed to query, i.e. a whitelist

  • allow-transfer {} ==> hosts allowed to perform zone transfers, i.e. a whitelist

  • allow-recursion {} ==> hosts for which recursion is performed

  • allow-update {} ==> hosts allowed to update the zone database dynamically; it is recommended to set it to none

(5) Demo example

#  The acl defined here can be used in options in the main configuration file /etc/named.conf and in /etc/named.rfc1912.zones
#  Define your own acl
acl mynet {
172.16.1.100;
172.16.0.0/16;
};
#  Used in options in /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
acl mynet {
172.16.1.100;
172.16.0.0/16;
};
options {
//      listen-on port 53 { 172.16.242.178; 127.0.0.1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { mynet; };
        recursion yes;
        dnssec-enable no;
        dnssec-validation no;
};
...
#  Used in /etc/named.rfc1912.zones
[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "wsescape.com"  IN {
type master;
file "wsescape.com.zone";
allow-query { mynet; };
};
...
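The directives listed in (4) are the ones an auditor checks first on a BIND server: an unrestricted allow-transfer lets anyone copy the zone, recursion without an allow-recursion restriction on a server that answers any client makes an open resolver, and allow-update should be none. The following POSIX shell script is an added example and not part of the tutorial: it scans a named.conf-style text for exactly those three conditions, comparing the weak settings with the hardened form built on the tutorial's mynet acl. Both configurations are constructed; only the first occurrence of each directive is read, so feed it the options block rather than a whole multi-zone file.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the access-control
# directives of section 5.1 in a named.conf-style text with plain sh and sed.
# Both configurations below are constructed; only the first occurrence of each
# directive is read, so feed it the options block rather than a whole multi-zone file.

# directive_value TEXT NAME -> contents of the { } of the first NAME directive, or ""
# "{ 172.16.0.0/16; 127.0.0.0/8; }" is returned as "172.16.0.0/16 127.0.0.0/8"
directive_value() {
    printf '%s\n' "$1" \
      | sed -n "s/^[[:space:]]*$2[[:space:]]*{\([^}]*\)}.*/\1/p" \
      | head -n 1 \
      | sed 's/;/ /g; s/^[[:space:]]*//; s/[[:space:]]*$//; s/[[:space:]][[:space:]]*/ /g'
}

# recursion_flag TEXT -> "yes", "no", or "" when the recursion statement is absent
recursion_flag() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*recursion[[:space:]]*\([a-z]*\);.*/\1/p' | head -n 1
}

# audit_named_conf TEXT -> one finding per line, nothing when no issue is found
audit_named_conf() {
    conf=$1
    query=$(directive_value "$conf" allow-query)
    xfer=$(directive_value "$conf" allow-transfer)
    recurse=$(directive_value "$conf" allow-recursion)
    update=$(directive_value "$conf" allow-update)
    recursion=$(recursion_flag "$conf")

    # Zone transfers: restrict to the slave addresses (older BIND 9 releases default to any)
    if [ -z "$xfer" ] || [ "$xfer" = "any" ]; then
        echo "allow-transfer: unrestricted, any host can pull the whole zone with AXFR"
    fi
    # Open resolver: recursion for everyone who is allowed to query
    if [ "$recursion" = "yes" ] && { [ -z "$recurse" ] || [ "$recurse" = "any" ]; } \
       && { [ -z "$query" ] || [ "$query" = "any" ]; }; then
        echo "recursion: open resolver, recursion yes without allow-recursion while allow-query is open"
    fi
    # Dynamic updates: the tutorial recommends none
    if [ -n "$update" ] && [ "$update" != "none" ]; then
        echo "allow-update: $update, should be none unless dynamic updates are intended"
    fi
}

# Constructed: the weak settings ...
WEAK_CONF=$(cat <<'EOF'
options {
        directory       "/var/named";
        recursion yes;
        allow-query     { any; };
        allow-update    { any; };
};
EOF
)

# ... and the hardened equivalent using the tutorial's mynet acl
HARDENED_CONF=$(cat <<'EOF'
acl mynet {
        172.16.0.0/16;
        127.0.0.0/8;
};
options {
        directory       "/var/named";
        recursion yes;
        allow-query     { mynet; };
        allow-recursion { mynet; };
        allow-transfer  { 172.16.100.12; };
        allow-update    { none; };
};
EOF
)

echo "weak:"
audit_named_conf "$WEAK_CONF"
echo "hardened:"
audit_named_conf "$HARDENED_CONF"
```

The weak block produces three findings and the hardened block none. In the hardened form the allow-transfer list names the slave from section 3.6, which is the whitelist the tutorial describes; the same functions can be pointed at "$(cat /etc/named.conf)" on a real server.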

5.2 BIND view

Purpose: mainly to classify users and improve the efficiency of website access.

  • For example, return a different address for the website depending on whether the client is on the internal or the external network

  • For example, direct users of different ISPs to a specific server for the website

  • In fact, BIND views implement a kind of distributed caching, similar to a CDN

Resolution process

  • When a request arrives, the source of the request is determined first and matched against each view's client list from top to bottom. The first matching view decides which zone file is used to answer

  • Generally, view1 matches the first network, view2 the second, and a final view3 matches everything else so that no client is left unmatched

(1) View

  • A bind server can define multiple views, and each view can define one or more zones

  • Each view is used to match a set of requesting clients

  • The same zone may need to be served in several views, each with a different zone file

(2) Format

  • Views are matched one by one from top to bottom

  • Most of the directives used in options can also be used in a view

view VIEW_NAME {
match-clients {  };
};

(3) Attention

  • (1) Once views are enabled, every zone can only be defined inside a view, with no exceptions

  • (2) The root zone only needs to be defined in the view that matches clients for which recursion is performed

  • (3) When a client request arrives, the client list of each view is checked from top to bottom

(4) Experimental demonstration

Users from the 172.16 network querying www.wsescape.com are given 172.16.100.11 as the www server address by the 172.16.100.11 DNS server

Users not from the 172.16 network querying www.wsescape.com are given the public address 2.2.2.1 as the www server address

#  On the host 172.16.100.11
#  Define the acl and delete the root zone defined in /etc/named.conf
[root@localhost ~]# vim /etc/named.conf

#  Delete the following root zone
zone  "."  IN  {
type hint;
file "named.ca";
};

#  Add the acl
acl mynet  {
172.16.0.0/16;
127.0.0.0/8;
};
#  On the host 172.16.100.11
#  Move the root zone to /etc/named.rfc1912.zones and put every zone inside a view
#  And add the internal access configuration
[root@localhost ~]# vim /etc/named.rfc1912.zones

#  Add a view restricted to mynet users, with recursion allowed for them
view  internal  {
match-clients { mynet; };
allow-recursion { mynet; };

#  Add the root zone
zone  "."  IN  {
type hint;
file "named.ca";
};

#  wsescape.com and its wsescape.com.zone file already exist from the earlier setup
zone  "wsescape.com"  IN  {
type master;
file "wsescape.com.zone";
};
...
};
#  In the host of 172.16.100.11
#  If we add 192.168.0.0/24 network in / etc/named.conf, it can be parsed in 192.168.0.13, which is not added here
[root@localhost ~]# named-checkconf
[root@localhost ~]# service named restart

#  On the 172.16.100.11 host, it succeeded
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.11

#  If configured, it succeeds on the 192.168.0.13 host
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.11
#  On the host 172.16.100.11
#  In /etc/named.rfc1912.zones, add the external access configuration
#  Unmatched hosts get no recursion, so the root zone is not added to external

[root@localhost ~]# vim /etc/named.rfc1912.zones
view external {
match-clients { any; };
zone "wsescape.com"  IN  {
type master;
file "wsescape.com.external";
allow-update { none; };
};
};
[root@localhost ~]# cd /var/named/

#  Copy the zone file, preserving ownership and mode
[root@localhost named]# cp -a wsescape.com.zone wsescape.com.external

#  2.2.2.1 here is the public address returned for the wsescape.com website
[root@localhost named]# vim wsescape.com.external
$TTL 1D
$ORIGIN wsescape.com.
@    IN    SOA    ns1.wsescape.com.    admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   ns1
   IN    NS   ns2
ns1    IN    A    172.16.100.11
ns2    IN    A    172.16.100.18
www    IN A    2.2.2.1
*      IN    A    2.2.2.1
[root@localhost ~]# service named restart
#  On the 172.16.100.11 host, the answer is 172.16.100.11
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.11

#  On the 192.168.0.13 host, the answer is 2.2.2.1
[root@localhost ~]# dig -t A www.wsescape.com @172.16.100.11

6. Advanced features: compiling and installing BIND

#  Start from a minimal installation of the machine
[root@localhost ~]# yum  groupinstall "Development Tools" "Server Platform Development"
#  Download the source package from the official site isc.org, bind-9.10.1-P1.tar.gz
#  bind9 differs greatly from bind10, and bind10 is still in its testing stage
#  Create the named user and group
#  Install everything into one directory, /usr/local/bind9, with the configuration files under /etc/named/
#  Disable IPv6, disable chroot, and enable multi-threading

#  Problems you may run into when compiling and installing bind by hand
#  (1) /etc/named/ has no configuration file or is empty; you need to create it yourself
#  (2) There are no zone files, i.e. no /var/named, so no root hints for the 13 root servers; you need to create them yourself
#  (3) There is no rndc configuration file; you need to create it yourself
#  (4) There is no startup script, i.e. no /etc/init.d/named
#  Since it is installed under /usr/local/bind9, tools such as dig and host cannot be called directly and need their full path
[root@localhost ~]# tar xf bind-9.10.1-P1.tar.gz
[root@localhost ~]# cd bind-9.10.1-P1
[root@localhost ~]# groupadd -r -g 53 named
[root@localhost ~]# useradd -r -u 53 -g 53 named
[root@localhost ~]# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
[root@localhost ~]# make
[root@localhost ~]# make install
#  By adding environment variables, you can call related commands
[root@localhost ~]# vim /etc/profile.d/named.sh
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
[root@localhost ~]# . /etc/profile.d/named.sh

#  Export the library directory
[root@localhost ~]# vim /etc/ld.so.conf.d/named.conf
/usr/local/bind9/lib

#  Reload the storage file
[root@localhost ~]# ldconfig -v

#  If there is a header file, export the header file
[root@localhost ~]# ln -sv /usr/local/bind9/include /usr/include/named

#  Then you can use / usr/include/named to access the header file in / usr/local/bind9 /
[root@localhost ~]# ls /usr/include/named

#  There is a help file for share under / usr/local/bind9 /. Add MANPATH and put it into man
[root@localhost ~]# vim /etc/man.conf
MANPATH /usr/local/bind9/share/man
#  Add the main configuration file. Here, just set the directory
[root@localhost ~]# vim /etc/named/named.conf
options  {
directory "/var/named";
};

zone  "."  IN  {
type hint;
file "named.ca";
};

zone  "localhost"  IN  {
type master;
file "localhost.zone";
allow-update { none; };
};

zone  "0.0.127.in-addr.arpa"  IN  {
type master;
file "named.local";
allow-update { none; };
};

#  Create the zone directory; the three files below are created by the following commands
[root@localhost ~]# mkdir -p /var/named
#  Use dig to fetch the root hints for the 13 root servers. 172.16.0.1 is the gateway, which can reach the Internet on our behalf
[root@localhost ~]# dig -t NS . @172.16.0.1 > /var/named/named.ca
[root@localhost ~]# vim /var/named/localhost.zone
$TTL 1D
@    IN    SOA    localhost.    admin.localhost. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   localhost.
localhost.    IN    A    127.0.0.1

[root@localhost ~]# vim /var/named/named.local
$TTL 1D
@    IN    SOA    localhost.    admin.localhost. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   localhost.
1    IN    PTR    localhost.

[root@localhost ~]# cd /var/named/
[root@localhost named]# chmod 640 ./*
[root@localhost named]# chown :named *
[root@localhost named]# chmod 640 /etc/named/named.conf
#  View help documentation
[root@localhost ~]# man named

#  Start named service and debug
[root@localhost ~]# named -u named -f -g -d 3

#  Start the named service without debugging
[root@localhost ~]# named -u named

#  Check whether it is listening
[root@localhost ~]# ss -tunl | grep :53

#  Close named service
[root@localhost ~]# killall named
#  Add resolution area
[root@localhost ~]# vim /etc/named/named.conf
zone  "wsescape.com"  IN  {
type master;
file "wsescape.com.zone";
allow-update { none; };
};

[root@localhost ~]# vim /var/named/wsescape.com.zone
$TTL 1D
$ORIGIN wsescape.com.
@    IN    SOA    ns.wsescape.com.    admin.wsescape.com. (
  2016042201
  1H
  5M
  7D
  1D )
   IN    NS   ns
ns     IN    A    172.16.100.11
www    IN    A    172.16.100.11

[root@localhost named]# chmod 640 wsescape.com.zone
[root@localhost named]# chown :named wsescape.com.zone

#  start-up
[root@localhost named]# named -u named

#  Normal parsing
[root@localhost named]# dig -t A www.wsescape.com @172.16.100.11
#  When we run rndc reload, we are told that there is no configuration file
#  To make rndc usable, generate its configuration with rndc-confgen
#  If rndc-confgen blocks waiting for entropy, use rndc-confgen -r /dev/urandom as the random source
#  Of the file rndc-confgen generates, put the part between "# Start of rndc.conf" and "# End of rndc.conf" into /etc/named/rndc.conf, and the part after it into /etc/named/named.conf as its comment says
[root@localhost ~]# rndc-confgen
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "ZeE7NXZTprjARrGN/KRANQ==";
};

options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#algorithm hmac-md5;
#secret "ZeE7NXZTprjARrGN/KRANQ==";
# };
#
# controls {
#inet 127.0.0.1 port 953
#allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

#  Now rndc reload is ready to use
[root@localhost ~]# rndc reload
#  After that, all that is left is to provide a script that starts and stops named like a service. It is not difficult
#  There is a contrib directory under the bind-9.10.1-P1 source directory
#  It contains third-party contributions that supplement and extend bind
#  Its scripts directory holds some scripts we can use as a reference

#  There is also a directory called queryperf for evaluating query performance. For load testing, it has to be compiled and installed before use
#  To compile queryperf, just run ./configure and make in its directory
#  This produces a queryperf executable, which can be used directly after the following
[root@localhost queryperf]# cp queryperf /usr/local/bind9/bin/

#  For a test, you need to specify a query file, e.g. test
[root@localhost ~]# vim test
www.wsescape.com A
wsescape.com NS

[root@localhost ~]# queryperf -d test -s 172.16.100.11

Author: Escape

Tags: DNS network

Posted on Mon, 20 Sep 2021 20:40:43 -0400 by dammitjanet