
DNS (Part 2)

Building an Internet-style DNS architecture

Architecture diagram

Lab environment

SELinux and firewalld are disabled on every host, and the clocks of all hosts are kept in sync.

Hostname   IP              Role
client     192.168.28.146  DNS client; its DNS server is 192.168.28.145
localdns   192.168.28.145  Local DNS server (caching only)
forward    192.168.28.144  Forwarding target DNS server
rootdns    192.168.28.141  Root DNS server
comdns     192.168.28.143  DNS server for the com zone
master     192.168.28.158  Primary DNS server for the wenzi.com zone
slave      192.168.28.156  Secondary DNS server for the wenzi.com zone
web        192.168.28.159  Web server for www.wenzi.com

1. Configure the device network

Point the DNS client at the local caching-only DNS server.

[root@client ~]# nmcli con mod "System ens33" ipv4.address 192.168.28.146/24 ipv4.method manual ipv4.gateway 192.168.28.2 ipv4.dns 192.168.28.145
[root@client ~]# nmcli con reload
[root@client ~]# nmcli con up "System ens33"
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@client ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.28.145

2. Set up the web service

[root@web ~]# yum -y install httpd && systemctl enable --now httpd && echo 'This is www.wenzi.com' > /var/www/html/index.html

3. Set up the primary DNS server for the wenzi.com zone

Edit the configuration file

[root@master ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };    // port and addresses to listen on
    ...
    allow-query     { localhost; 192.168.28.0/24; };    // who is allowed to query
    allow-transfer  { 192.168.28.156; };    // who may request zone transfers, i.e. the secondary DNS server
    ...

Define the wenzi.com zone

[root@master ~]# vim /etc/named.rfc1912.zones
zone "wenzi.com" IN {
    type master;
    file "wenzi.com.zone";
};
...

Write the wenzi.com.zone file

[root@master ~]# cd /var/named/
[root@master named]# ll
total 16
drwxrwx--- 2 named named   23 Oct 17 21:43 data
drwxrwx--- 2 named named   60 Oct 17 21:52 dynamic
-rw-r----- 1 root  named 2253 Aug 25  2021 named.ca
-rw-r----- 1 root  named  152 Aug 25  2021 named.empty
-rw-r----- 1 root  named  152 Aug 25  2021 named.localhost
-rw-r----- 1 root  named  168 Aug 25  2021 named.loopback
drwxrwx--- 2 named named    6 Aug 25  2021 slaves
[root@master named]# cp -a named.localhost wenzi.com.zone
[root@master named]# vim wenzi.com.zone
$TTL 1D
@       IN SOA  master admin.wenzi.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN NS   master.wenzi.com.
@       IN NS   slave.wenzi.com.
master  IN A    192.168.28.158
slave   IN A    192.168.28.156
www     IN A    192.168.28.159

Check the syntax and reload the service

[root@master named]# named-checkconf
[root@master named]# named-checkzone wenzi.com  wenzi.com.zone
zone wenzi.com/IN: loaded serial 0
OK
[root@master named]# rndc reload
server reload successful

4. Set up the secondary DNS server for the wenzi.com zone

Edit the configuration

[root@slave ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };
    ...
    allow-query     { localhost; 192.168.28.0/24; };
    allow-transfer  { none; };    // do not allow zone transfers to any other host
    ...

Define the zone

[root@slave ~]# vim /etc/named.rfc1912.zones
zone "wenzi.com" {
    type slave;
    masters { 192.168.28.158; };
    file "slaves/wenzi.com.zone.slave";
};
...

Check the syntax and reload the service; the zone file has now been transferred from the primary

[root@slave ~]# named-checkconf
[root@slave ~]# rndc reload
server reload successful
[root@slave ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 310 Oct 17 22:31 wenzi.com.zone.slave
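The following is an added example, not code from the original post: a small Python check to run from the client host (which is in no allow-transfer list) to confirm that neither the primary nor the secondary hands out the wenzi.com zone to an unauthorised requester. It assumes `dig` is installed on the client and uses the lab addresses from the table above; the function and variable names are my own.

```python
# Added example, not from the original post. Run from the client, which is not
# listed in any allow-transfer statement, so both servers should refuse AXFR.
# Assumes `dig` is installed; addresses are the lab's. classify_axfr() parses
# the text dig prints, so it can be tested without a network.
import subprocess

ZONE = "wenzi.com"
SERVERS = {"master": "192.168.28.158", "slave": "192.168.28.156"}

def classify_axfr(dig_output):
    """Classify the output of `dig @server zone AXFR`:
    'transferred' if resource records (at least an SOA) came back, i.e. the zone leaked;
    'refused' if the server answered but declined the transfer;
    'unreachable' for timeouts, connection errors and anything else."""
    records = [l.split() for l in dig_output.splitlines() if l and not l.startswith(";")]
    if any(len(f) >= 4 and f[3] == "SOA" for f in records):
        return "transferred"
    if "Transfer failed" in dig_output:
        return "refused"
    return "unreachable"

def try_axfr(server):
    """Attempt a zone transfer of ZONE from `server` and classify the outcome."""
    out = subprocess.run(["dig", f"@{server}", ZONE, "AXFR", "+time=3", "+tries=1"],
                         capture_output=True, text=True).stdout
    return classify_axfr(out)

if __name__ == "__main__":
    for role, ip in SERVERS.items():
        result = try_axfr(ip)
        verdict = "OK" if result == "refused" else "check allow-transfer"
        print(f"{role} {ip}: {result} ({verdict})")
```

`dig` prints `; Transfer failed.` when BIND refuses an AXFR, so `refused` is the expected result from both servers; `transferred` means allow-transfer is wider than intended.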

5. Set up the primary DNS server for the com zone

Edit the configuration

[root@comdns ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };
    ...
    allow-query     { localhost; 192.168.28.0/24; };
    ...

Define the com zone

[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" {
    type master;
    file "com.zone";
};

Write the com.zone file

[root@comdns ~]# cd /var/named/
[root@comdns named]# cp -a named.localhost  com.zone
[root@comdns named]# vim com.zone
$TTL 1D
@       IN SOA  master admin.wenzi.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN NS   master
wenzi   IN NS   dnservermaster    ; primary DNS server for wenzi.com.
wenzi   IN NS   dnserverslave     ; secondary DNS server for wenzi.com.
master  IN A    192.168.28.143
dnservermaster  IN A    192.168.28.158    ; address of the primary DNS server
dnserverslave   IN A    192.168.28.156    ; address of the secondary DNS server

Check the syntax and reload the service

[root@comdns named]# named-checkconf
[root@comdns named]# named-checkzone com com.zone
zone com/IN: loaded serial 0
OK
[root@comdns named]# rndc reload
server reload successful

6. Set up the primary DNS server for the root zone

Edit the configuration

[root@rootdns ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };
    ...
    allow-query     { localhost; 192.168.28.0/24; };
    ...

Define the zone

[root@rootdns ~]# vim /etc/named.rfc1912.zones
zone "." IN {
    type master;
    file "root.zone";
};

Write the zone file

[root@rootdns named]# cp -a named.localhost root.zone
[root@rootdns named]# vim root.zone
$TTL 1D
@       IN SOA  master admin.wenzi.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   master
com     IN NS   comdns
master  IN A    192.168.28.141
comdns  IN A    192.168.28.143

Check the syntax and reload the service

[root@rootdns named]# named-checkconf
[root@rootdns named]# named-checkzone . root.zone
zone ./IN: loaded serial 0
OK
[root@rootdns named]# rndc reload
server reload successful

7. Set up the forwarding target DNS server

Edit the configuration

[root@forward ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };
    ...
    allow-query     { localhost; 192.168.28.0/24; };
    ...

Edit the root hints file shipped with bind so that queries are sent to the self-built root DNS server instead of going out to the Internet.

[root@forward ~]# vim /var/named/named.ca
...
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      a.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     518400  IN      A       192.168.28.141
...

Check the syntax and reload the service

[root@forward ~]# named-checkconf
[root@forward ~]# rndc reload
server reload successful

8. Set up the local caching-only DNS server

Edit the configuration

[root@localdns ~]# vim /etc/named.conf
options {
    listen-on port 53 { 127.0.0.1; localhost; };
    ...
    allow-query     { localhost; 192.168.28.0/24; };
    forward only;
    forwarders  { 192.168.28.144; };
    ...
    recursion yes;            // enable recursive queries
    dnssec-enable no;         // do not enable the DNSSEC extensions; usually turned off
    dnssec-validation no;     // do not validate DNSSEC data; usually turned off
    ...

Check the syntax and reload the service

[root@localdns ~]# named-checkconf
[root@localdns ~]# rndc reload
server reload successful

9. Test from the client

[root@client ~]# host www.wenzi.com
www.wenzi.com has address 192.168.28.159
[root@client ~]# dig www.wenzi.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.14 <<>> www.wenzi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.wenzi.com.                 IN      A

;; ANSWER SECTION:
www.wenzi.com.          85706   IN      A       192.168.28.159

;; AUTHORITY SECTION:
wenzi.com.              85706   IN      NS      dnservermaster.com.
wenzi.com.              85706   IN      NS      dnserverslave.com.

;; ADDITIONAL SECTION:
dnserverslave.com.      85706   IN      A       192.168.28.156
dnservermaster.com.     85706   IN      A       192.168.28.158

;; Query time: 0 msec
;; SERVER: 192.168.28.145#53(192.168.28.145)
;; WHEN: Tue Oct 17 23:48:33 CST 2023
;; MSG SIZE  rcvd: 147
[root@client ~]# curl www.wenzi.com
This is www.wenzi.com
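As an added example (not code from the original post), the following Python models what happens behind the cached answer above: it walks the delegation chain this lab builds (root, then com, then wenzi.com) the way an iterative resolver would, and checks that each parent's delegation agrees with the child zone's own apex records. The records are the page's root.zone, com.zone and wenzi.com.zone written with absolute names; the resolver is a simplification of BIND's behaviour and the function names are my own.

```python
# Added example, not from the original post: a toy iterative resolver over the
# page's own zone data (root -> com -> wenzi.com), plus a parent/child
# delegation consistency check. Names are written out absolutely; $TTL and SOA
# records are omitted; the resolver is a simplification, not BIND's logic.
RECORDS = {
    ".": [(".", "NS", "master."), ("com.", "NS", "comdns."),
          ("master.", "A", "192.168.28.141"), ("comdns.", "A", "192.168.28.143")],
    "com.": [("com.", "NS", "master.com."), ("wenzi.com.", "NS", "dnservermaster.com."),
             ("wenzi.com.", "NS", "dnserverslave.com."), ("master.com.", "A", "192.168.28.143"),
             ("dnservermaster.com.", "A", "192.168.28.158"), ("dnserverslave.com.", "A", "192.168.28.156")],
    "wenzi.com.": [("wenzi.com.", "NS", "master.wenzi.com."), ("wenzi.com.", "NS", "slave.wenzi.com."),
                   ("master.wenzi.com.", "A", "192.168.28.158"), ("slave.wenzi.com.", "A", "192.168.28.156"),
                   ("www.wenzi.com.", "A", "192.168.28.159")],
}

def resolve(qname):
    """Iterate from the root, following referrals; returns (addresses, [(parent, child), ...])."""
    zone, trace = ".", []
    while True:
        recs = RECORDS[zone]
        answer = sorted(rd for o, t, rd in recs if o == qname and t == "A")
        cuts = [o for o, t, _ in recs if t == "NS" and o != zone
                and (qname == o or qname.endswith("." + o))]
        child = max(cuts, key=len, default=None)     # closest enclosing delegation wins
        if answer or child not in RECORDS:            # answered, NXDOMAIN, or referral we cannot follow
            return answer, trace
        trace.append((zone, child))
        zone = child

def delegation_check(child):
    """Compare the parent's delegation (NS names + glue) with the child's apex NS set + A records."""
    parent = child.split(".", 1)[1] or "."
    pr, cr = RECORDS[parent], RECORDS[child]
    ns = lambda recs: {rd for o, t, rd in recs if o == child and t == "NS"}
    addrs = lambda recs, names: {rd for o, t, rd in recs if t == "A" and o in names}
    unresolved = {n for n in ns(pr) | ns(cr) if not addrs(pr, {n}) | addrs(cr, {n})}
    return {"same_names": ns(pr) == ns(cr),             # RFC 1034 expects identical NS sets
            "same_addresses": addrs(pr, ns(pr)) == addrs(cr, ns(cr)),   # same hosts either way?
            "ns_without_address": sorted(unresolved)}    # a lame delegation in the making

if __name__ == "__main__":
    print(resolve("www.wenzi.com."))
    print({z: delegation_check(z) for z in ("com.", "wenzi.com.")})
```

With this lab's data the check reports that parent and child name different servers for both com and wenzi.com (comdns vs master.com, dnservermaster/dnserverslave.com vs master/slave.wenzi.com) but point at the same addresses, which is why the lookup still succeeds.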