
Implementing an Internet DNS architecture

Date: 2019-04-28 10:00:17



The DNS architecture of the Internet, which this lab reproduces, is shown in the figure below.
[figure: Internet DNS architecture (root zone, com zone, mylinuxops.com master/slave, local resolver, client)]

Host            OS       IP
www             centos6  192.168.73.2
client          centos6  192.168.73.3
mylinuxopsdns1  centos7  192.168.73.10
mylinuxopsdns2  centos7  192.168.73.20
comdns          centos7  192.168.73.30
rootdns         centos7  192.168.73.40
ldns            centos7  192.168.73.50

I. Deploy the httpd service on the www host

1. Start the httpd service

[root@www ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]

2. Create a home page for the http host

[root@centos6 ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html

3. Test

[root@www ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>

II. Configure mylinuxopsdns1 (master)

1. Install the bind service

[root@mylinuxopsdns1 ~]# yum install bind -y

2. Start the service and enable it at boot

[root@mylinuxopsdns1 ~]# systemctl start named
[root@mylinuxopsdns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main DNS configuration file

Comment out the listen-on address and the allow-query line; with both commented out, named listens on every address and answers queries from any host:

options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file and add the zone

[root@mylinuxopsdns1 ~]# vim /etc/named.rfc1912.zones 
zone "mylinuxops.com" IN {
        type master;
        file "mylinuxops.com.zone";
};

5. Create the zone database file

[root@mylinuxopsdns1 ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[root@mylinuxopsdns1 ~]# vim /var/named/mylinuxops.com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com. (   ; trailing dot: without it the RNAME would be relative to the zone
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.73.10
slave   A       192.168.73.20
www     A       192.168.73.2

6. Check for syntax errors

[root@mylinuxopsdns1 ~]# named-checkconf 
[root@mylinuxopsdns1 ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone 
zone mylinuxops.com/IN: loaded serial 0
OK

7. Reload the configuration

[root@mylinuxopsdns1 ~]# rndc reload

8. Test from the client host

[root@client ~]# dig www.mylinuxops.com @192.168.73.10

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     86400   IN  NS  master.mylinuxops.com.

;; ADDITIONAL SECTION:
master.mylinuxops.com.  86400   IN  A   192.168.73.10

;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE  rcvd: 89

III. Configure the slave DNS server mylinuxopsdns2

1. Install the bind service

[root@mylinuxopsdns2 ~]# yum install bind -y

2. Start the DNS service and enable it at boot

[root@mylinuxopsdns2 ~]# systemctl start named
[root@mylinuxopsdns2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3. Edit the main configuration file

Comment out the listen-on port line and the allow-query line:

[root@mylinuxopsdns2 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4. Edit the zone configuration file

[root@mylinuxopsdns2 ~]# vim /etc/named.rfc1912.zones 
zone "mylinuxops.com" IN {
        type slave;
        masters {192.168.73.10;};
        file "slaves/mylinuxops.zone";
};

5. Check for syntax errors

[root@mylinuxopsdns2 ~]# named-checkconf

6. Reload the configuration

[root@mylinuxopsdns2 ~]# rndc reload

7. Verify that the zone database file has been transferred to the local host

[root@centos7 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone

8. Security hardening

Neither the master nor the slave restricts which hosts may transfer (AXFR) the zone database. That is very insecure, so both hosts need to be hardened.

8.1 Edit the slave's main configuration file and add allow-transfer

[root@mylinuxopsdns2 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {none;};
//      allow-query     { localhost; };

[root@mylinuxopsdns2 ~]# rndc reload
server reload successful

8.2 Edit the master's main configuration file and add allow-transfer so that only the slave may transfer the zone

[root@mylinuxopsdns1 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {192.168.73.20;};
//      allow-query     { localhost; };

[root@mylinuxopsdns1 ~]# rndc reload
server reload successful
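A check for the setting these two steps add, written here as an added example that is not part of the original post: a POSIX shell/awk function that reads the global options block of a named.conf and reports whether zone transfers are unrestricted (no allow-transfer line, the starting state the post calls insecure), disabled with none, or restricted to listed hosts. The three sample files are constructed from the configurations shown on this page, trimmed to the relevant lines.

```shell
#!/bin/sh
# Added example (not from the original post): report the zone-transfer policy
# set in the global options {} block of a named.conf. Result is one of:
#   unrestricted - no active allow-transfer line (the starting state the post
#                  calls insecure: any host may AXFR the zone)
#   none         - allow-transfer { none; }
#   restricted   - allow-transfer limited to listed addresses or ACLs
# Per-zone allow-transfer overrides are not inspected.
transfer_policy() {
    awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
        inopt && /^[[:space:]]*\/\//          { next }      # commented-out line
        inopt && /allow-transfer/ {
            v = $0
            sub(/.*allow-transfer[[:space:]]*[{]/, "", v)
            sub(/[}].*/, "", v)
            gsub(/[[:space:]]/, "", v)
            print (v == "none;" ? "none" : "restricted")
            found = 1; exit
        }
        inopt && /^[[:space:]]*[}]/ { inopt = 0 }
        END { if (!found) print "unrestricted" }' "$1"
}

# Sample files constructed from the three configurations shown in this post.
TMP=$(mktemp -d)
cat > "$TMP/initial.conf" <<'EOF'
options {
//      listen-on port 53 { 127.0.0.1; };
        directory       "/var/named";
//      allow-query     { localhost; };
};
EOF
cat > "$TMP/slave.conf" <<'EOF'
options {
        directory       "/var/named";
        allow-transfer  {none;};
//      allow-query     { localhost; };
};
EOF
cat > "$TMP/master.conf" <<'EOF'
options {
        directory       "/var/named";
        allow-transfer  {192.168.73.20;};
//      allow-query     { localhost; };
};
EOF
for f in initial slave master; do
    printf '%s: %s\n' "$f" "$(transfer_policy "$TMP/$f.conf")"
done
```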

IV. Build the com zone DNS server

1. Install the DNS service

[root@comdns ~]# yum install bind -y

2. Edit the main DNS configuration file

Comment out the listen-on IP line and the allow-query line:

[root@comdns ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

3. Edit the zone configuration file and add the com zone

[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
        type master;
        file "com.zone";
};

4. Create the zone database file

[root@comdns ~]# cp -p /var/named/{named.localhost,com.zone}
[root@comdns ~]# vim /var/named/com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com.  (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      master
mylinuxops      NS      ns1
mylinuxops      NS      ns2
master          A       192.168.73.30
ns1             A       192.168.73.10
ns2             A       192.168.73.20

5. Check the configuration file syntax

[root@comdns ~]# named-checkconf 
[root@comdns ~]# named-checkzone com /var/named/com.zone 
zone com/IN: loaded serial 0
OK

6. Start the service

[root@comdns ~]# systemctl restart named

7. Test

Test from the client:

[root@clinet ~]# dig www.mylinuxops.com @192.168.73.30

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     86400   IN  NS  ns2.com.
mylinuxops.com.     86400   IN  NS  ns1.com.

;; ADDITIONAL SECTION:
ns1.com.        86400   IN  A   192.168.73.10
ns2.com.        86400   IN  A   192.168.73.20

;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE  rcvd: 131
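The com zone delegates mylinuxops to ns1.com and ns2.com, while the child zone names its own servers master and slave; what must agree between the two files is the set of addresses. As an added example, not from the original post, this POSIX shell/awk script reads both zone files and checks that the parent's glue IPs equal the child's apex NS IPs. It assumes relative owner names, no $ORIGIN and an optional IN class field; the sample zone files are constructed from the ones shown on this page with the SOA collapsed to one line.

```shell
#!/bin/sh
# Added example (not from the original post): check that the glue a parent
# zone hands out for a delegation (com.zone: ns1/ns2) matches the NS and A
# records the child publishes for itself (mylinuxops.com.zone: master/slave).
# The names differ, as in this post, but the two IP sets must be equal.
# Print "owner type rdata" for every NS and A record, resolving owners
# inherited from the previous line and skipping $TTL and the SOA.
zone_records() {
    awk '
        /^\$/ || NF == 0 { next }
        /[[:space:]]SOA[[:space:]]/ { if ($0 !~ /^[[:space:]]/) owner = $1; insoa = 1 }
        insoa { if ($0 ~ /\)/) insoa = 0; next }
        {
            i = 1
            if ($0 !~ /^[[:space:]]/) { owner = $1; i = 2 }
            if ($i == "IN") i++
            if ($i == "NS" || $i == "A") print owner, $i, $(i + 1)
        }' "$1"
}
# Sorted IPs of the NS targets owned by $2 in zone file $1 ("@" = apex).
ns_ips() {
    zone_records "$1" | awk -v o="$2" '
        $2 == "NS" && $1 == o { ns[$3] = 1 }
        $2 == "A"             { a[$1] = $3 }
        END { for (n in ns) if (n in a) print a[n] }' | sort
}
# "consistent" when the parent glue for child label $2 equals the child's apex NS IPs.
glue_consistent() {  # $1 parent zone file, $2 child label, $3 child zone file
    [ "$(ns_ips "$1" "$2")" = "$(ns_ips "$3" @)" ] && echo consistent || echo mismatch
}
# Sample zone files constructed from this post (SOA collapsed to one line).
TMP=$(mktemp -d)
cat > "$TMP/com.zone" <<'EOF'
@           IN SOA master admin.mylinuxops.com. ( 0 1D 1H 1W 3H )
            NS  master
mylinuxops  NS  ns1
mylinuxops  NS  ns2
master      A   192.168.73.30
ns1         A   192.168.73.10
ns2         A   192.168.73.20
EOF
cat > "$TMP/mylinuxops.com.zone" <<'EOF'
@       IN SOA master admin.mylinuxops.com. ( 0 1D 1H 1W 3H )
        NS  master
        NS  slave
master  A   192.168.73.10
slave   A   192.168.73.20
www     A   192.168.73.2
EOF
glue_consistent "$TMP/com.zone" mylinuxops "$TMP/mylinuxops.com.zone"
```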

V. Build the DNS service for the root zone

1. Install the DNS service

[root@rootdns ~]# yum install bind -y

2. Edit the main configuration file

Comment out the listen-on address and the allow-query line, and change the root zone definition at the bottom of the file:

[root@rootdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
zone "." IN {
        type master;
        file "root.zone";
};

3. Create the root zone database

[root@rootdns ~]# cp -p /var/named/{named.localhost,root.zone}
[root@rootdns ~]# vim /var/named/root.zone
$TTL 1D
@       IN SOA  ns1 admin.mylinuxops.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
com     NS      master
ns1     A       192.168.73.40
master  A       192.168.73.30

4. Check for syntax errors

[root@rootdns ~]# named-checkconf 
[root@rootdns ~]# named-checkzone . /var/named/root.zone 
zone ./IN: loaded serial 0
OK

5. Start the DNS service

[root@rootdns ~]# systemctl start named
[root@rootdns ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

6. Test

[root@localhost ~]# dig www.mylinuxops.com @192.168.73.40

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.        IN  A

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.     85104   IN  NS  ns1.com.
mylinuxops.com.     85104   IN  NS  ns2.com.

;; ADDITIONAL SECTION:
ns1.com.        85104   IN  A   192.168.73.10
ns2.com.        85104   IN  A   192.168.73.20

;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE  rcvd: 131
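Compare the flags lines of the three tests: the direct query to mylinuxopsdns1 shows qr aa rd ra, while the answers from the com server and the root server show qr rd ra with no aa, because those servers hold only the delegation and obtained the record by recursing on the client's behalf. As an added example that is not part of the original post, this POSIX shell snippet parses dig's text output and classifies an answer as authoritative or recursed; the two samples are constructed from the outputs shown on this page.

```shell
#!/bin/sh
# Added example (not from the original post): parse dig's text output and
# report the status, whether the 'aa' (authoritative answer) flag is set, and
# the A record returned. A server answering from its own zone sets aa; when
# aa is clear and ra is set, the server recursed on the client's behalf.
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
# yes/no: is flag $1 present on the ";; flags:" line of dig output $2?
dig_has_flag() {
    printf '%s\n' "$2" | awk -v f="$1" '
        /^;; flags:/ {
            for (i = 3; i <= NF; i++) {
                t = $i; last = (t ~ /;$/); sub(/;$/, "", t)
                if (t == f) found = 1
                if (last) break
            }
        }
        END { print (found ? "yes" : "no") }'
}
# First A record in the ANSWER SECTION (empty if none).
dig_answer_a() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { s = 1; next }
        /^$/                  { s = 0 }
        s && $4 == "A"        { print $5; exit }'
}
# authoritative / recursed / unknown, from the aa and ra flags.
dig_answer_source() {
    if   [ "$(dig_has_flag aa "$1")" = yes ]; then echo authoritative
    elif [ "$(dig_has_flag ra "$1")" = yes ]; then echo recursed
    else echo unknown; fi
}
# Samples constructed from this post: the direct query to mylinuxopsdns1 ...
SAMPLE_MASTER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2
'
# ... and the same question sent to the com server (no aa flag).
SAMPLE_COM=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; ANSWER SECTION:
www.mylinuxops.com. 86400   IN  A   192.168.73.2
'
printf 'master: %s %s\n' "$(dig_answer_source "$SAMPLE_MASTER")" "$(dig_answer_a "$SAMPLE_MASTER")"
printf 'com:    %s %s\n' "$(dig_answer_source "$SAMPLE_COM")" "$(dig_answer_a "$SAMPLE_COM")"
```

Against a live server the same functions take dig's output directly, e.g. dig_answer_source "$(dig www.mylinuxops.com @192.168.73.10)".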

VI. Configure the local DNS server (resolver)

1. Install the DNS service

[root@ldns ~]# yum install bind -y

2. Edit the main configuration file of the local DNS server

Comment out the listen-on address and the allow-query line, and turn off the two dnssec-related options (the lab root zone is unsigned and does not match the built-in IANA trust anchor, so validation cannot succeed here):

[root@ldns ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
        dnssec-enable no;
        dnssec-validation no;

3. Edit the local root hints file

Point the root hints file at the address of rootdns and delete everything else:

[root@ldns ~]# vim /var/named/named.ca
.                       518400  IN      NS      a.root-servers.net.
a.root-servers.net.     3600000 IN      A       192.168.73.40

VII. Test from the client

1. Configure the client's network interface so that its DNS points at the local DNS server

[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50

2. Restart the network service

[root@localhost ~]# systemctl restart network
[root@localhost ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.73.50

3. Test access to www.mylinuxops.com

[root@localhost ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>


Original post: https://blog.51cto.com/11886307/2385725
