CentOS7--DNS
DNS-实验报告
一、master(173.16.16.5)
selinux firewall 状态
[root@ns1 ~]# getenforce
Disabled
[root@ns1 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
bind软件包
[root@ns1 ~]# rpm -qa | grep bind
bind-license-9.9.4-29.el7_2.3.noarch
bind-libs-9.9.4-29.el7_2.3.x86_64
rpcbind-0.2.0-33.el7_2.1.x86_64
bind-libs-lite-9.9.4-29.el7_2.3.x86_64
bind-9.9.4-29.el7_2.3.x86_64
bind-utils-9.9.4-29.el7_2.3.x86_64
主机名
[root@master ~]# hostnamectl set-hostname ns1.benet.com
[root@master ~]# bash
[root@ns1 ~]# hostname
ns1.benet.com
hosts
[root@ns1 ~]# vi /etc/hosts
[root@ns1 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
173.16.16.5 ns1.benet.com ns1
173.16.16.6 ns2.benet.com ns2
dns解析文件
[root@ns1 ~]# vi /etc/resolv.conf
[root@ns1 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 173.16.16.5
nameserver 173.16.16.6
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
ip地址
[root@ns1 ~]# ifconfig
docker0: flags=4099 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:7d:c6:fb:fc txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777728: flags=4163 mtu 1500
inet 173.16.16.5 netmask 255.255.0.0 broadcast 173.16.255.255
inet6 fe80::20c:29ff:fec4:bc5d prefixlen 64 scopeid 0x20
ether 00:0c:29:c4:bc:5d txqueuelen 1000 (Ethernet)
RX packets 972 bytes 88779 (86.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 439 bytes 62629 (61.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 0 (Local Loopback)
RX packets 24 bytes 2036 (1.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 24 bytes 2036 (1.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
named.conf文件内容
[root@ns1 ~]# vi /etc/named.conf
[root@ns1 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "benet.com" IN {
type master;
file "benet.com.zone";
allow-transfer{ 173.16.16.6;};
};
zone "accp.com" IN {
type master;
file "accp.com.zone";
allow-transfer{173.16.16.6; };
};
zone "67.45.123.in-addr.arpa" IN {
type master;
file "123.45.67.arpa";
allow-transfer { 173.16.16.6;};
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
benet.come.zone
[root@ns1 ~]# vim /var/named/benet.com.zone
[root@ns1 ~]# cat /var/named/benet.com.zone
$TTL 86400
@ IN SOA benet.com. admin.benet.com. (
2016072601;serial
4H;refresh
30M;retry
12H;expire
1D;min cache
)
@ IN NS ns1.benet.com.
IN NS ns2.benet.com.
IN MX 10 mail.benet.com.
ns1 IN A 173.16.16.5
ns2 IN A 173.16.16.6
mail IN A 123.45.67.89
www IN A 123.45.67.88
ftp IN A 123.45.67.90
* IN A 123.45.67.88
[root@ns1 ~]#
accp.com.zone
[root@ns1 ~]# vim /var/named/accp.com.zone
[root@ns1 ~]# cat /var/named/accp.com.zone
$TTL 86400
@ IN SOA accp.com. admin.accp.com. (
2016072601 ;serial
4H ;refresh
30M ;retry
12H ;expire
1D ;min cache
)
@ IN NS ns1.benet.com.
IN NS ns2.benet.com.
ns1 IN NS 173.16.16.5
ns2 IN NS 173.16.16.6
www IN A 58.109.87.65
forum IN A 58.109.87.66
[root@ns1 ~]#
反向解析文件
[root@ns1 ~]# vim /var/named/123.45.67.arpa
[root@ns1 ~]# cat /var/named/123.45.67.arpa
$TTL 86400
@ IN SOA benet.com. admin.benet.com. (
2016072601 ;serial
4H ;refresh
30M ;retry
12H ;expire
1D ;min cache
)
@ IN NS ns1.benet.com.
IN NS ns2.benet.com.
IN MX 10 mail.benet.com.
88 IN PTR www.benet.com.
89 IN PTR mail.benet.com.
90 IN PTR ftp.benet.com.
[root@ns1 ~]#
重启named
[root@ns1 ~]# systemctl restart named
[root@ns1 ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Wed 2016-07-27 06:54:55 CST; 15s ago
Process: 30862 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 30859 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 30865 (named)
CGroup: /system.slice/named.service
└─30865 /usr/sbin/named -u named
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'G.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'G.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'G.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'B.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'B.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'C.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'C.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'E.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'G.ROOT-SERVERS....#53
Jul 27 06:54:55 ns1.benet.com named[30865]: error (network unreachable) resolving 'B.ROOT-SERVERS....#53
Hint: Some lines were ellipsized, use -l to show in full.
[root@ns1 ~]#
正向测试
[root@ns1 ~]# dig www.benet.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.benet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<反向测试
[root@ns1 ~]# dig 173.16.16.5
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> 173.16.16.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<二、slave(173.16.16.6)
hostname
[root@slave ~]# hostnamectl set-hostname ns2.benet.com
[root@slave ~]# bash
[root@ns2 ~]# hostname
ns2.benet.com
selinux firewall状态
[root@ns2 ~]# getenforce
Disabled
[root@ns2 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
slave bind信息
[root@slave ~]# rpm -qa | grep bind
bind-license-9.9.4-29.el7_2.3.noarch
bind-libs-9.9.4-29.el7_2.3.x86_64
rpcbind-0.2.0-33.el7_2.1.x86_64
bind-libs-lite-9.9.4-29.el7_2.3.x86_64
bind-9.9.4-29.el7_2.3.x86_64
bind-utils-9.9.4-29.el7_2.3.x86_64
hosts
[root@ns2 ~]# vi /etc/hosts
[root@ns2 ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
173.16.16.5 ns1.benet.com ns1
172.16.16.6 ns2.beent.com ns2
resolv.conf
[root@ns2 ~]# vi /etc/resolv.conf
[root@ns2 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 173.16.16.5
nameserver 173.16.16.6
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
从DNS IP地址
[root@ns2 ~]# ifconfig
docker0: flags=4099 mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 0.0.0.0
ether 02:42:cc:3f:5a:cc txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eno16777736: flags=4163 mtu 1500
inet 173.16.16.6 netmask 255.255.0.0 broadcast 173.16.255.255
inet6 fe80::20c:29ff:fe68:c48d prefixlen 64 scopeid 0x20
ether 00:0c:29:68:c4:8d txqueuelen 1000 (Ethernet)
RX packets 4477 bytes 2207357 (2.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1840 bytes 210619 (205.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73 mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 0 (Local Loopback)
RX packets 204 bytes 16404 (16.0 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 204 bytes 16404 (16.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@ns2 ~]#
从DNS主配置文件
[root@ns2 ~]# vim /etc/named.conf
[root@ns2 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "benet.com" IN {
type slave;
masters { 173.16.16.5;};
file "slaves/benet.com.zone";
};
zone "accp.com" IN {
type slave;
masters { 173.16.16.5;};
file "slaves/accp.com.zone";
};
zone "67.45.123.in-addr.arpa" IN {
type slave;
masters { 173.16.16.5;};
file "slaves/123.45.67.arpa";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@ns2 ~]#
slaves文件夹下的文件
[root@ns2 ~]# ls /var/named/slaves/
[root@ns2 ~]# systemctl reload named
Job for named.service invalid.
因为named没有启动
启动named
[root@ns2 ~]# systemctl start named
再次查看slaves文件夹
[root@ns2 ~]# ls /var/named/slaves/
123.45.67.arpa accp.com.zone benet.com.zone
正向解析测试
[root@ns2 ~]# dig www.benet.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.benet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<反向测试
[root@ns2 ~]# dig 123.45.67.88
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> 123.45.67.88
;; global options: +cmd
;; Got answer:
;; ->>HEADER<三、clien(173.16.16.7)
selinux firewall状态
[root@client ~]# getenforce
Disabled
[root@client ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
Active: inactive (dead)
hosts
[root@client ~]# vi /etc/hosts
[root@client ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
173.16.16.5 ns1.benet.com ns1
173.16.16.6 ns2.benet.com ns2
[root@client ~]#
将DNS服务器设为173.16.16.5,测试
[root@client ~]# vim /etc/resolv.conf
[root@client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 173.16.16.5
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
正向测试
[root@client ~]# dig www.benet.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.benet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<反向测试
[root@client ~]# dig 123.45.67.89
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> 123.45.67.89
;; global options: +cmd
;; Got answer:
;; ->>HEADER<将首选DNS服务器设为173.16.16.6,测试域名解析
[root@client ~]# vim /etc/resolv.conf
[root@client ~]# systemctl restart network
[root@client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 173.16.16.6
# No nameservers found; try putting DNS servers into your
# ifcfg files in /etc/sysconfig/network-scripts like so:
#
# DNS1=xxx.xxx.xxx.xxx
# DNS2=xxx.xxx.xxx.xxx
# DOMAIN=lab.foo.com bar.foo.com
正向测试
[root@client ~]# dig www.benet.com
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> www.benet.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<方向测试
[root@client ~]# dig 123.45.67.88
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> 123.45.67.88
;; global options: +cmd
;; Got answer:
;; ->>HEADER<