What you see may be an illusion: four DNS resolution configurations on Linux (BIND forward, reverse, master/slave and split resolution)

Posted by senatedc on Sat, 19 Feb 2022 01:41:05 +0100

I. BIND domain name service basics

In daily life people are used to reaching servers by domain name, but machines only work with IP addresses. The relationship between names and addresses is many-to-many: one IP address can serve several domain names (virtual hosting), and one domain name can carry several A records (round-robin). Converting between the two is called domain name resolution; it is performed by dedicated name servers, and the whole process is automatic.

1) Definition of DNS

• DNS is short for "Domain Name System". It is a distributed database that maps domain names to IP addresses and back, which makes the Internet easier for people to use.

• The DNS service uses port 53 over both UDP and TCP. Ordinary queries travel over UDP 53; TCP 53 is used for zone transfers between master and slave servers and for any answer too large to fit in a UDP datagram (the server sets the TC bit and the client retries over TCP).

• Each label (level) of a domain name is limited to 63 characters, and the whole name may not exceed 253 characters in text form.

2) Domain name structure

http://www.sina.com.cn./
       www  = host name
       sina = subdomain
       com  = second-level domain
       cn   = top-level domain
       .    = root domain

3) Role of DNS system

① Forward resolution: find the IP address that belongs to a domain name
② Reverse resolution: find the domain name that belongs to an IP address
③ Distributed structure of the DNS system
The top of the tree is the root domain, written as ".", and the servers for it are the root servers. In principle the right to resolve the whole name space belongs to the root, but the root servers could never carry that load, so DNS uses delegation: top-level domains are created under the root and the right to resolve each of them is handed to that top-level domain's own servers. For example, the com domain is delegated to the com servers, and from then on every query for a name ending in com is referred to them. In the same way, to relieve the top-level domains, second-level domains are created under them, and below those sit third-level domains or hosts.

Root domain
Located at the top of the name space and written as a single "."

Top level domain
Usually stands for a type of organization or for a country or region,
for example net (network providers), com (commercial enterprises), org (organizations), edu (educational institutions), gov (government departments) and cn (China's country-code domain)

Secondary domain
Identifies a specific organization within a top-level domain. Second-level names under a country-code top-level domain are managed centrally by that country's network authority

For example, the second-level domains set up under cn: com.cn, net.cn, edu.cn

Subdomain
All the levels created under a second-level domain are collectively called subdomains; any organization or user can apply to register its own domain name there

host

A host sits at the bottom of the name space and is a specific computer

If www and mail are the names of specific computers, they are written as www.sina.com.cn. and mail.sina.com.cn. This form is called an FQDN (fully qualified domain name); it is the host's full name in the domain name space

4) DNS server type

1. Master (primary) name server: maintains all the name data of a zone and is the authoritative source for it; this is the only place where the data is edited. When you build a master server you must create the zone data file for the zone it is responsible for

2. Slave (secondary) name server: a backup that keeps answering when the master fails, is shut down or is overloaded. It does not decide the answers itself; it copies them from the master. When you build a slave you specify the master's address so that the slave can synchronise the zone data automatically (a zone transfer)

3. Caching name server: only caches resolution results to speed up queries; it has no zone database of its own. It fetches each answer from other servers, keeps it in its cache and answers identical questions from the cache until they expire. It is not authoritative, because everything it provides is second-hand. When you build one you must either configure the root hints or point it at another DNS server as its source

4. Forwarding name server: handles every query for names it is not authoritative for. It first looks in its own cache and, on a miss, forwards the request to the configured upstream servers in turn until one of them answers; if none does, it returns a negative answer (the name could not be resolved)

Note: DNS queries come in two kinds. In a recursive query (client to its resolver) the server does all the work and returns the final answer. In an iterative query (resolver to the authoritative servers) each server returns either the answer or a referral to the next server down the delegation chain, and the resolver follows the referrals itself
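The delegation chain and the two query styles just described, as an added example (not code from the original post). Three in-memory "authoritative servers" (root, com and benet.com) each answer with data or with a referral to the next server down; the resolver follows the referrals iteratively and caches the result, while the client only ever sends a single recursive question. All server addresses are RFC 5737 documentation addresses and all records are constructed for the demo; only the Python standard library is used.

```python
# Constructed data for the demo: each server knows which names it holds and
# which child zones it has delegated (child zone -> address of its server).
SERVERS = {
    "192.0.2.1": {                       # root server: delegates com.
        "zone": ".",
        "data": {},
        "delegations": {"com.": "198.51.100.1"},
    },
    "198.51.100.1": {                    # com. server: delegates benet.com.
        "zone": "com.",
        "data": {},
        "delegations": {"benet.com.": "192.168.80.10"},
    },
    "192.168.80.10": {                   # authoritative for benet.com. (the tutorial's server)
        "zone": "benet.com.",
        "data": {"www.benet.com.": "192.168.80.10",
                 "mail.benet.com.": "192.168.80.11"},
        "delegations": {},
    },
}
ROOT = "192.0.2.1"


def authoritative_answer(server_ip, qname):
    """One authoritative server's reply to an iterative query:
    ('answer', ip), ('referral', next_server_ip) or ('nxdomain', None)."""
    srv = SERVERS[server_ip]
    if qname in srv["data"]:
        return "answer", srv["data"][qname]
    for child, ns_ip in srv["delegations"].items():
        if qname == child or qname.endswith("." + child):
            return "referral", ns_ip          # "ask that server instead"
    return "nxdomain", None


def resolve_iteratively(qname, cache=None, max_hops=8):
    """The resolver's side: start at the root, follow referrals, cache the
    result.  Returns (ip_or_None, [servers that had to be asked])."""
    qname = qname.lower().rstrip(".") + "."
    cache = {} if cache is None else cache
    if qname in cache:
        return cache[qname], []               # cache hit: nobody is asked
    asked, server = [], ROOT
    for _ in range(max_hops):
        asked.append(server)
        kind, value = authoritative_answer(server, qname)
        if kind == "answer":
            cache[qname] = value
            return value, asked
        if kind == "referral":
            server = value
            continue
        return None, asked                    # authoritative "no such name"
    raise RuntimeError("referral loop")


def recursive_query(qname, cache):
    """The client's side: one question to the resolver, one final answer."""
    ip, _ = resolve_iteratively(qname, cache)
    return ip


if __name__ == "__main__":
    cache = {}
    ip, path = resolve_iteratively("www.benet.com", cache)
    print(ip, "via", " -> ".join(path))
    print(recursive_query("www.benet.com", cache), "from cache")
```

The second lookup of the same name shows why caching servers exist: the answer comes back without a single authoritative server being contacted.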

II. BIND software installation

BIND (Berkeley Internet Name Domain)

• BIND is the most widely used DNS server software
• Official Site: https://www.isc.org/

Related software packages

• bind-9.9.4-37.el7.x86_64.rpm
• bind-utils-9.9.4-37.el7.x86_64.rpm
• bind-libs-9.9.4-37.el7.x86_64.rpm
• bind-chroot-9.9.4-37.el7.x86_64.rpm

BIND server program

• main executable: /usr/sbin/named

• default listening port: 53

• main configuration file
◆ /etc/named.conf

• the zone data files holding the resolution records live in
◆ /var/named/

BIND service control

• systemctl [status|start|stop|restart] named.service

Configure forward resolution:

1. Mount the installation media, install the bind package, and look up the configuration files to edit

rpm -qc bind
#List the configuration files that belong to the bind package

/etc/named.conf
#Main configuration file

/etc/named.rfc1912.zones
#Zone configuration file

/var/named/named.localhost
#Zone data file (used as a template below)

2. Modify the main configuration file

vim /etc/named.conf
options {
    listen-on port 53 { 192.168.80.10; };         #Listen on port 53 on the address that serves clients; "any" means all local addresses
    listen-on-v6 port 53 { ::1; };                #IPv6 listener; comment out or delete it if IPv6 is not used
    directory       "/var/named";                 #Default location of the zone data files
    dump-file       "/var/named/data/cache_dump.db";           #Cache dump file
    statistics-file "/var/named/data/named_stats.txt";         #Statistics file
    memstatistics-file "/var/named/data/named_mem_stats.txt";  #Memory statistics file
    allow-query     { 192.168.80.0/24; 172.16.100.0/24; };     #Networks allowed to query this server. "any" is possible, but combined with the root hint zone below it turns the server into an open recursive resolver that anyone on the Internet can abuse, so restrict it to your own networks
    .....
};

zone "." IN {                #The "." root zone
    type hint;               #hint type: root hints, used to start recursive lookups
    file "named.ca";         #Zone data file named.ca, which lists the names and addresses of the 13 root servers
};
include "/etc/named.rfc1912.zones";      #Pull in everything in the zone configuration file

3. Modify the zone configuration file and add the forward zone

vim /etc/named.rfc1912.zones            #The file contains templates; copy one and edit it
zone "benet.com" IN {                   #Forward zone "benet.com"
    type master;                        #Type: master zone
    file "benet.com.zone";              #Zone data file benet.com.zone, relative to the directory option (/var/named)
    allow-update { none; };             #No dynamic updates
};

4. Configure the forward zone data file

cd /var/named/
cp -p named.localhost benet.com.zone        #-p keeps the template's mode, owner and timestamps, so named can still read the copy
vim /var/named/benet.com.zone
$TTL 1D                                     ; default lifetime of valid records
@       IN SOA benet.com. admin.benet.com. ( ; "@" stands for the current zone name; MNAME and RNAME are two separate fields
                                      0     ; serial   : update serial number, an unsigned 32-bit integer (at most 10 digits)
                                     1D     ; refresh  : how often a slave checks the master for a new serial
                                     1H     ; retry    : retry interval after a failed refresh
                                     1W     ; expire   : if the master stays unreachable this long, the slave stops answering for the zone
                                     3H )   ; minimum  : negative-caching TTL, how long "no such name" answers are cached

        NS    benet.com.                    ; name server of this zone (the owner is inherited from the line above, i.e. "@")
        A     192.168.80.10                 ; address of the zone apex, which is also the NS name above
        IN MX 10 mail.benet.com.            ; mail exchanger; the lower the number, the higher the priority
www  IN A     192.168.80.10                 ; www.benet.com resolves to this address
mail IN A     192.168.80.11
ftp  IN CNAME www                           ; CNAME is an alias: ftp is an alias of www
*    IN A     192.168.80.100                ; wildcard record, "*" matches any host name that has no record of its own


#"@" is a variable standing for the current zone's name (the name given in the zone statement, benet.com).
#The serial in the SOA record drives master/slave synchronisation: when a slave checks the zone and finds that the master's serial is not greater than its own, it does not download the zone. Increase the serial on every edit.
#"benet.com." is a fully qualified domain name (FQDN); the trailing "." must not be left out, otherwise the zone name is appended and the record points at benet.com.benet.com.
#"admin.benet.com." is the administrator's mailbox (admin@benet.com); because "@" has another meaning in a zone file, it is written as ".".
#Comments in a zone file start with ";" and not with "#".

5. Start the service and deal with the firewall and SELinux

systemctl start named
systemctl stop firewalld        #Lab shortcut only. In production leave firewalld running and open the dns service (TCP and UDP port 53) instead
setenforce 0                    #Also a lab shortcut. With the zone files under /var/named as above, named runs fine with SELinux enforcing, so do not disable it on a real server

#If the service fails to start, read the log to find the error
tail -f /var/log/messages        #(journalctl -u named shows the same messages)

#If the service hangs while starting, it is blocked waiting for entropy to generate the rndc key; generate it from /dev/urandom instead
rndc-confgen -r /dev/urandom -a

6. Add the DNS server address to the client's resolver configuration

vi /etc/resolv.conf       #Takes effect immediately (but may be overwritten the next time the network service rewrites it)
nameserver 192.168.80.10
 or
vi /etc/sysconfig/network-scripts/ifcfg-ens33      #Persistent; the network service must be restarted afterwards
DNS1=192.168.80.10
systemctl restart network

Example (the original shows screenshots of each step: installing the package, editing the main configuration file, editing the zone configuration file, copying and editing the zone data file, and testing from a client).

Configure reverse resolution:

1-2. Installing the bind package and editing the main configuration file are identical to steps 1 and 2 of the forward configuration above; on a server that is already set up, /etc/named.conf needs no change for reverse resolution.

3. Modify the zone configuration file and add the reverse zone

vim /etc/named.rfc1912.zones    #The file contains templates; copy one and edit it
zone "80.168.192.in-addr.arpa" IN {     #The reverse zone name is the network part of the address written backwards under in-addr.arpa; this zone covers 192.168.80.0/24
    type master;
    file "benet.com.zone.local";        #Zone data file for the reverse zone
    allow-update { none; };
};

4. Configure the reverse zone data file

cd /var/named/
cp -p named.localhost benet.com.zone.local

vim /var/named/benet.com.zone.local
$TTL 1D
@   IN SOA benet.com. admin.benet.com. (  ; "@" here stands for the zone name 80.168.192.in-addr.arpa
                                  0    ; serial
                                 1D    ; refresh
                                 1H    ; retry
                                 1W    ; expire
                                 3H )  ; minimum
      NS      benet.com.                 ; name server; its address comes from the benet.com zone, so no A record is needed here
200 IN PTR    www.benet.com.
100 IN PTR    mail.benet.com.

#PTR is the reverse pointer record. The owner "200" is relative to the zone name, so it stands for 200.80.168.192.in-addr.arpa, and a reverse lookup of 192.168.80.200 returns www.benet.com. The targets are FQDNs and need their trailing dot.
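The reverse zone name and the PTR owner labels above are easy to get backwards by hand. The following added example (not code from the original post, standard library only) derives the in-addr.arpa zone name for an octet-aligned prefix, computes the relative PTR owner for a host inside it, and renders a reverse zone body from a forward host list, skipping hosts that fall outside the prefix. The host list is constructed from the addresses in the reverse zone above; prefixes that are not a multiple of 8 bits are rejected, because they need RFC 2317 classless delegation rather than a single plain reverse zone.

```python
import ipaddress


def reverse_zone_name(cidr):
    """Name of the in-addr.arpa zone for an octet-aligned IPv4 prefix:
    192.168.80.0/24 -> '80.168.192.in-addr.arpa'."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen % 8:
        raise ValueError(f"{cidr}: prefix must be /8, /16 or /24 for a plain in-addr.arpa zone")
    kept = net.prefixlen // 8                    # network octets to keep
    octets = str(net.network_address).split(".")[:kept]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip, cidr):
    """Relative owner name of ip's PTR record inside the zone for cidr:
    192.168.80.200 in 192.168.80.0/24 -> '200'; in 192.168.0.0/16 -> '200.80'."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {cidr}")
    kept = net.prefixlen // 8
    host_octets = str(addr).split(".")[kept:]   # the host part, reversed
    return ".".join(reversed(host_octets))


def build_reverse_zone(cidr, hosts, ns="benet.com.", serial=0):
    """Render a reverse zone body for cidr from {fqdn: ip} pairs.  Hosts
    outside the prefix are skipped and every target gets its trailing dot."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    lines = ["$TTL 1D",
             f"@    IN SOA {ns} admin.{ns} ( {serial} 1D 1H 1W 3H )",
             f"     NS  {ns}"]
    for fqdn, ip in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1])):
        if ipaddress.IPv4Address(ip) in net:
            lines.append(f"{ptr_owner(ip, cidr):<4} IN PTR {fqdn.rstrip('.')}.")
    return "\n".join(lines) + "\n"


# Constructed host list: the two PTR targets from the reverse zone above plus
# one host on another network, which must not end up in this zone.
HOSTS = {"www.benet.com": "192.168.80.200",
         "mail.benet.com": "192.168.80.100",
         "ftp.benet.com": "12.0.0.100"}

if __name__ == "__main__":
    print(reverse_zone_name("192.168.80.0/24"))
    print(build_reverse_zone("192.168.80.0/24", HOSTS))
```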

Example (screenshots in the original). Note: the forward configuration above already installed the package and set up the main configuration file, so nothing in named.conf changes here; only the zone configuration file and the reverse zone data file are edited, and the result is then tested from a client.

Configure master/slave name servers:

1. On the master name server, edit the zone configuration file and add allow-transfer to the forward and reverse zones

vim /etc/named.rfc1912.zones
zone "benet.com" IN {
    type master;                          #Type: master zone
    file "benet.com.zone";
    allow-transfer { 192.168.80.11; };    #Only the slave at this address may download (transfer) the zone. BIND 9.9 allows zone transfers to any host by default, so always set this on a master
};
zone "80.168.192.in-addr.arpa" IN {
    type master;
    file "benet.com.zone.local";
    allow-transfer { 192.168.80.11; };
};

2. Modify the main configuration file of the slave name server (a second server)

yum install -y bind
vim /etc/named.conf
options {
    listen-on port 53 { 192.168.80.11; };    #Listen on port 53 on the slave's own address, or "any" for all local addresses
#   listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { any; };     #Networks allowed to query; "any" is fine in the lab, but with recursion enabled it makes an open resolver, so restrict it to your own networks on a real server
    .....
};

3. Modify the slave's zone configuration file and add the forward and reverse zones

vim /etc/named.rfc1912.zones
zone "benet.com" IN {
    type slave;                        #Type: slave zone
    masters { 192.168.80.10; };        #IP address of the master server
    file "slaves/benet.com.zone";      #Store the transferred zone under slaves/, the directory named is allowed to write to
};
zone "80.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.80.10; };
    file "slaves/benet.com.zone.local";
};

4. Restart the service on both master and slave and check that the zone files have been downloaded
systemctl restart named
ls -l /var/named/slaves/

5. Add the slave's address to the client's resolver configuration
echo "nameserver 192.168.80.11" >> /etc/resolv.conf
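Whether the slave picks up a change depends entirely on the SOA serial, as the notes on the forward zone file say. The following added example (not code from the original post, standard library only) models the slave's decision with the RFC 1982 serial-number arithmetic BIND uses: a serial that wraps past 2**32 - 1 still counts as newer, while a serial that was accidentally lowered by a typo counts as older and the slave will silently never refresh. It also shows a helper that always produces a strictly increasing YYYYMMDDnn serial. The serial values are constructed for the demo.

```python
SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
MOD = 1 << SERIAL_BITS


def serial_gt(a, b):
    """RFC 1982 comparison: a is 'greater' than b when (a - b) mod 2**32
    lies strictly between 0 and 2**31.  Equal serials are never greater."""
    if not (0 <= a < MOD and 0 <= b < MOD):
        raise ValueError("SOA serials are unsigned 32-bit integers")
    diff = (a - b) % MOD
    return 0 < diff < HALF


def slave_should_transfer(local_serial, master_serial):
    """What the slave decides after its refresh-time SOA query: transfer the
    zone only if the master's serial is newer than the copy it holds."""
    return serial_gt(master_serial, local_serial)


def next_serial(current, today):
    """Next serial in the conventional YYYYMMDDnn style ('today' as 'YYYYMMDD'),
    guaranteed to be newer than 'current' even after more than 99 edits in a
    day or when the existing serial is already past today's prefix."""
    candidate = int(today) * 100
    if not serial_gt(candidate, current):
        candidate = (current + 1) % MOD
    return candidate


def simulate_refresh(local_serial, master_serials):
    """Walk the serials the master advertises at successive refreshes and
    return the serials the slave actually ends up holding."""
    held = [local_serial]
    for advertised in master_serials:
        if slave_should_transfer(held[-1], advertised):
            held.append(advertised)
    return held


if __name__ == "__main__":
    # An admin typo (2022021090 instead of 2022021910) is never transferred.
    print(simulate_refresh(2022021901, [2022021901, 2022021910, 2022021090, 2022021911]))
    print(next_serial(2022021901, "20220219"))
```

The practical rule this encodes: after every edit of a master zone file, bump the serial with something like next_serial and reload, otherwise the slaves keep serving the old data until their expire timer runs out.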

Example (screenshots in the original: starting a second virtual machine and installing bind on it, editing the master's zone configuration, editing the slave's main and zone configuration, and testing from a client).


Configure split (separate) resolution:

A split-horizon name server is still a master name server; the difference is that it hands out different records for the same name depending on which client asks. For example, when clients on the intranet and clients on the Internet query the same domain name, each group receives a different answer and therefore a different IP address

Set up split resolution on the gateway server

Configure split resolution on the gateway server so that LAN hosts resolve www.benet.com to 192.168.80.100 while Internet hosts resolve www.benet.com to 12.0.0.100

1. Give the gateway server two network cards

Add the second network card while the machine is shut down, then boot it

ifconfig ens37 12.0.0.1/24
ifconfig

2. Install bind package

yum install -y bind 

3. Modify the main configuration file

vim /etc/named.conf
options {
    listen-on port 53 { any; };      #Listen on all local addresses (both network cards)
#   listen-on-v6 port 53 { ::1; };
    directory       "/var/named";
    dump-file       "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };        #Allow every host to query; which answer a host gets is decided by the views below
    .....
};

include "/etc/named.rfc1912.zones";      #The zone "." hint block that normally sits here must be moved into a view (step 4), because once views exist no zone may remain outside them

4. Modify the zone configuration file

vim /etc/named.rfc1912.zones
view "lan" {                              #Intranet view: a view is a container of zones that applies to the clients listed in match-clients
    match-clients { 192.168.80.0/24; };   #Match the intranet segment (use the segment your LAN clients are actually on). Views are tried in file order and the first match wins, so this narrow view must come before the "wan" view
    zone "benet.com" IN {                 #Zone served to these clients
        type master;
        file "benet.com.zone.lan";        #Zone data file with the intranet answers
    };
    zone "." IN {                         #The root hint zone cut out of the main configuration file (dd in vim, then p here)
        type hint;                        #hint is the root zone type; it lets the server recurse for intranet clients
        file "named.ca";
    };
};

view "wan" {                              #Internet view
    match-clients { any; };               #Everything that did not match the intranet view
    zone "benet.com" IN {
        type master;
        file "benet.com.zone.wan";
    };                                    #No hint zone here: the server answers the Internet only for its own zone and does not recurse for strangers
};

#Note: once a view is defined, every zone must live inside a view, so the default zones used for self-tests (localhost and the loopback reverse zones in this file) must also be moved into a view or deleted

5. Edit the zone data files

cd /var/named
cp -p named.localhost benet.com.zone.lan
cp -p named.localhost benet.com.zone.wan

vim benet.com.zone.lan
$TTL 1D
@        IN SOA benet.com. admin.benet.com. (
                                      0       ; serial
                                     1D       ; refresh
                                     1H       ; retry
                                     1W       ; expire
                                     3H )     ; minimum
          NS       benet.com.
          A        192.168.80.10
www IN    A        192.168.80.100   ; intranet hosts resolve www.benet.com to 192.168.80.100


vim benet.com.zone.wan
$TTL 1D
@             IN SOA benet.com. admin.benet.com. (
                                0               ; serial
                               1D               ; refresh
                               1H               ; retry
                               1W               ; expire
                               3H )             ; minimum
       NS      benet.com.
       A       12.0.0.1
www IN A       12.0.0.100          ; Internet hosts resolve www.benet.com to 12.0.0.100
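How named picks the view, and why the order of the two view statements matters, as an added example (not code from the original post, standard library only). It models BIND's address-match lists (any, none, addresses, prefixes and "!" negation, first matching element decides) and the first-match-wins walk over the views from step 4, using the two www records from step 5. The client addresses are constructed for the demo; swapping the view order shows an intranet client being served the Internet answer.

```python
import ipaddress


def acl_matches(client, acl):
    """BIND-style address-match list.  Elements are 'any', 'none', an address
    or a prefix, optionally prefixed with '!'.  The first element that
    matches decides: a plain match accepts, a negated match rejects."""
    addr = ipaddress.ip_address(client)
    for element in acl:
        negate = element.startswith("!")
        elem = element.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        else:
            hit = addr in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False


# The two views from step 4 in file order, each with its match-clients list
# and the www record from its zone file in step 5.
VIEWS = [
    ("lan", ["192.168.80.0/24"], {"www.benet.com.": "192.168.80.100"}),
    ("wan", ["any"],             {"www.benet.com.": "12.0.0.100"}),
]


def select_view(client, views=VIEWS):
    """Name of the first view whose match-clients accepts the client, or None
    (named refuses the query when no view matches)."""
    for name, acl, _ in views:
        if acl_matches(client, acl):
            return name
    return None


def resolve(client, qname, views=VIEWS):
    """(view, address) the client gets for qname, using the zone data of the
    view it landed in; the view sees nothing of the other views' zones."""
    fqdn = qname.lower().rstrip(".") + "."
    for name, acl, zone in views:
        if acl_matches(client, acl):
            return name, zone.get(fqdn)
    return None, None


if __name__ == "__main__":
    for client in ("192.168.80.50", "12.0.0.77"):
        print(client, "->", resolve(client, "www.benet.com"))
    # With "wan" first, its { any; } swallows every client, intranet included.
    print("wrong order:", resolve("192.168.80.50", "www.benet.com", list(reversed(VIEWS))))
```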

Example (screenshots in the original). Note: the lab in the screenshots used 192.168.116.90 as the intranet test client and 12.0.0.1 as the external address.

Topics: Linux Database network