當(dāng)前位置：首頁(yè) > 编程资源 > 编程问答 >内容正文

编程问答

企业dns 服务器的搭建

發(fā)布時(shí)間：2024/9/3 编程问答 27 豆豆

生活随笔收集整理的這篇文章主要介紹了企业dns 服务器的搭建小編覺(jué)得挺不錯(cuò)的,現(xiàn)在分享給大家,幫大家做個(gè)參考.

??????? dns服務(wù)器部署

一、關(guān)于dns的名詞解釋

dns:
domain name service(域名解析服務(wù))

#關(guān)于客戶(hù)端:#(172.25.254.201)
/etc/resolv.conf?? ?##dns指向文件
nameserver 172.25.254.101

#測(cè)試：
host www.baidu.com?? ?##地址解析命令
dig www.baidu.com?? ?##地址詳細(xì)解析信息命令

A記錄?? ??? ??? ?##ip地址叫做域名的Address 記錄
SOA?? ??? ??? ?##授權(quán)起始主機(jī)
dns頂級(jí)
.? 13
次級(jí)
.com .net .edu .org ....

baidu.com

#關(guān)于服務(wù)端#(172.25.254.101)
bind?? ??? ?##安裝包
named?? ??? ?##服務(wù)名稱(chēng)
/etc/named.conf?? ?##主配置文件
/var/named?? ?##數(shù)據(jù)目錄
端口?? ??? ?##53

關(guān)于報(bào)錯(cuò)信息：
1.no servers could be reached?? ?##服務(wù)無(wú)法訪問(wèn)（服務(wù)開(kāi)啟？火墻？網(wǎng)絡(luò)？端口？）
2.服務(wù)啟動(dòng)失敗?? ??? ??? ?##配置文件寫(xiě)錯(cuò) journalctl -xe查詢(xún)錯(cuò)誤
3.dig 查詢(xún)狀態(tài)

NOERROR	##表示查詢(xún)成功
REFUSED	##服務(wù)拒絕訪問(wèn)
SERVFAIL	?##查詢(xún)記錄失敗,（dns服務(wù)器無(wú)法到達(dá)上級(jí)，拒絕緩存）
NXDOMAIN	?##此域名A記錄在dns中不存在

二、dns服務(wù)的安裝與啟用

#安裝#

dnf install bind.x86_64 -y

#啟用#

systemctl enable --now named firewall-cmd --permanent --add-service=dns firewall-cmd --reload

vim /etc/named.conf 11 listen-on port 53 { any; }; ##在本地所有網(wǎng)絡(luò)接口上開(kāi)啟53端口 19 allow-query { any; }; ##允許查詢(xún)A記錄的客戶(hù)端列表 34 dnssec-validation no; ##禁用dns檢測(cè)使dns能夠緩存外部信息到本機(jī)systemctl restart namednetstat -antlupe | grep named 查詢(xún)端口

三、高速緩存dns

作用：在企業(yè)中的直連網(wǎng)絡(luò)下，每臺(tái)主機(jī)都去向外網(wǎng)獲取dns解析，會(huì)比較慢，可以設(shè)置內(nèi)網(wǎng)的一臺(tái)能上網(wǎng)的主機(jī)作為dns服務(wù)器，給直連的主機(jī)提供dns解析服務(wù)。

20 forwarders { 114.114.114.114; };

?四、dns的正向解析?? (做此實(shí)驗(yàn)的時(shí)候?qū)偛鸥咚倬彺孢€原)

vim /etc/named.rfc1912.zone

? (為了出錯(cuò)之后好排錯(cuò)所以此時(shí)復(fù)制一份以下內(nèi)容進(jìn)行編寫(xiě))

zone "westos.com" IN {?? ??? ?##維護(hù)的域名????????????????????????????????????
??????? type master;?? ??? ?##當(dāng)前服務(wù)器位主dns
??????? file "westos.com.zone";?? ?##域名A記錄文件
??????? allow-update { none; };?? ?##允許更新主機(jī)列表
};

cd /var/named/ cp -p named.localhost westos.com.zone

$TTL 1D?? ??? ?#TIME-TO-LIVE(dns地址保存時(shí)間長(zhǎng)度)
@?????? IN SOA? dns.westos.com. root.westos.com. (?? ?#SOA授權(quán)起始(Start of Authority)
??????????????????????????????????????? 0?????? ; serial?? ?#域名版本序列號(hào)
??????????????????????????????????????? 1D????? ; refresh?? ?#刷新時(shí)間（輔助dns）
??????????????????????????????????????? 1H????? ; retry?? ??? ?#重試時(shí)間（輔助dns）
??????????????????????????????????????? 1W????? ; expire?? ?#過(guò)期時(shí)間（輔助dns,查詢(xún)失敗過(guò)期停止對(duì)輔助域名的應(yīng)答）
??????????????????????????????????????? 3H )??? ; minimum?? ?#A記錄最短有效期
??????????????? NS????? dns.westos.com.
dns???????????? A?????? 172.25.254.101

bbs??????????? A?????? 172.25.254.111
www????????????????? CNAME?? lee1.westos.com.?? ??? ?##規(guī)范域名
lee1 ???????? A?????? 172.25.254.111?? ??? ??? ????????????????? ##正向解析記錄

lee1 ???????? A?????? 172.25.254..222 ? ??? ????
westos.com.???? MX 1??? 172.25.254.101.?? ??? ??? ??????? ##郵件解析記錄

systemctl restart nameddig www.westos.com #查詢(xún)正向解析

?dns 的郵件解析

dnf install mailx postfix -y systemctl start postfix dig -t mx westos.com

?五、dns的反向解析

vim /etc/named.rfc1912.zones

注意：同樣為了好排錯(cuò)，所以此部分內(nèi)容也是復(fù)制之后在編輯

zone "254.25.172.in-addr.arpa" IN {+----------------+?????????
?? ?type master;
?? ?file "172.25.254.ptr";
?? ?allow-update { none; };
};

cd /var/named/ cp -p named.loopback 172.25.254.ptr vim 172.25.254.ptr

$TTL 1D
@?? ?IN SOA?? ?dns.westos.com. root.westos.com. (
?? ??? ??? ??? ??? ?0?? ?; serial
?? ??? ??? ??? ??? ?1D?? ?; refresh
?? ??? ??? ??? ??? ?1H?? ?; retry
?? ??? ??? ??? ??? ?1W?? ?; expire
?? ??? ??? ??? ??? ?3H )?? ?; minimum
?? ?NS?? ?dns.westos.com.
dns?? ?A??? 172.25.254.101
11?? ?PTR?? ?www.westos.com.
12?? ?PTR?? ?bbs.westos.com.
13?? ?PTR?? ?news.westos.com.

測(cè)試：

systemctl restart named dig -x 172.25.254.111

?六、dns的雙向解析

實(shí)驗(yàn)環(huán)境：客戶(hù)端2臺(tái) 1.1.1網(wǎng)段 172.25.254網(wǎng)段 ##ifconfig enp1s0 172.25.254.201 netmask 255.255.255.0服務(wù)端1臺(tái)2個(gè)網(wǎng)段的ip 1.1.1.101 172.25.254.101 ##ifconfig enp1s0 172.25.254.101 netmask 255.255.255.0在1.1.1網(wǎng)段的客戶(hù)主機(jī)中 vim /etc/resolv.conf nameserver 172.25.254.101在172.25.254網(wǎng)段的客戶(hù)主機(jī)中 vim /etc/resolv.conf nameserver 172.25.254.101

配置方式： cd /var/named/ cp -p westos.com.zone westos.com.inter vim westos.com.inter

$TTL 1D
@?????? IN SOA?? westos.com. root.westos.com. (
??????????????????????????????????????? 0?????? ; serial
??????????????????????????????????????? 1D????? ; refresh
??????????????????????????????????????? 1H????? ; retry
??????????????????????????????????????? 1W????? ; expire
??????????????????????????????????????? 3H )??? ; minimum
??????????????? NS????? dns.westos.com.
dns???????????? A?????? 1.1.1.101
bbs???????????? A?????? 1.1.1.111
www???????????? CNAME?? lee1.westos.com.
lee1??????????? A?????? 1.1.1.111
lee1??????????? A?????? 1.1.1.222
westos.com.???? MX 1??? 1.1.1.101.????? #mail exchanger

cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.inters vim /etc/named.rfc1912.inters

zone "westos.com" IN {
?? ?type master;
?? ?file "westos.com.inter";
?? ?allow-update { none; };
};

vim /etc/named.conf systemctl restart named

/*
zone "." IN {
??????? type hint;
??????? file "named.ca";
};

include "/etc/named.rfc1912.zones";
*/

view localnet {
??????? match-clients { 172.25.254.0/24; };
??????? zone "." IN {
??????????????? type hint;
??????????????? file "named.ca";
??????? };
??????? include "/etc/named.rfc1912.zones";
};

view internet {
??????? match-clients { any; };
??????? zone "." IN {
??????????????? type hint;
??????????????? file "named.ca";
??????? };
??????? include "/etc/named.rfc1912.inters";
};
include "/etc/named.root.key";

測(cè)試：
分別在2個(gè)網(wǎng)段的主機(jī)中作同樣域名的地址解析
得到的A記錄不同

七、dns集群

###主dns：####

vim /etc/named.rfc1912.zones

zone "westos.com" IN {
??????? type master;
??????? file "westos.com.zone";
??????? allow-update { none; };
??????? also-notify { 172.25.254.201; };?? ??? ?##主動(dòng)通知的輔助dns主機(jī)
};

vim /var/named/westos.com.zone

$TTL 1D
@?????? IN SOA?? westos.com. root.westos.com. (
??????????????????????????????? 2020112201????? ; serial??? ##每次修改A記錄文件需要變更此參數(shù)的值
??????????????????????????????????????? 1D????? ; refresh????? ##
??????????????????????????????????????? 1H????? ; retry
??????????????????????????????????????? 1W????? ; expire
??????????????????????????????????????? 3H )??? ; minimum
??????????????? NS????? dns.westos.com.
dns???????????? A?????? 172.25.254.101
bbs???????????? A?????? 172.25.254.111
www???????????? CNAME?? lee1.westos.com.
lee1??????????? A?????? 172.25.254.111
lee1??????????? A?????? 172.25.254.222
westos.com.???? MX 1??? 172.25.254.101.

###slave dns####：

dnf install bind -y firewall-cmd --add-service=dns vim /etc/named.conf vim /etc/resolv.conf 172.25.254.201 (改成自己的dns)

listen-on port 53 { any; };
allow-query???? { any; };
dnssec-validation no;

vim /etc/named.rfc1912.zonesystemctl restart named

注意：為了好排錯(cuò)，同樣是復(fù)制之后再進(jìn)行編輯

zone "westos.com" IN {
??????? type slave;?? ??? ??? ?##dns狀態(tài)位輔助dns
??????? masters { 172.25.254.101; };?? ?##主dns
??????? file "slaves/westos.com.zone";?? ?##同步數(shù)據(jù)文件????
};

驗(yàn)證：

八、dns的更新

dns基于ip地址的更新：
在dns中設(shè)定：
vim /etc/named.rfc1912.zones

zone "westos.com" IN {
??????? type master;
??????? file "westos.com.zone";
??????? allow-update { 172.25.254.201; };?? ??? ?##允許指定客戶(hù)端更新westos域
??????? also-notify { 172.25.254.201; };
};
測(cè)試：
在172.25.254.201
[root@node2 ~]# nsupdate
> server 172.25.254.101
> update add hello.westos.com 86400 A 172.25.254.111 ?? ##新曾A記錄
> send
> update delete hello.westos.com?? ??? ??? ?##刪除A記錄
> send

測(cè)試：

dns基于key更新的方式:

[root@node1 mnt]# dnssec-keygen -a HMAC-SHA256 -b 128 -n HOST westos Kwestos.+163+11625 [root@node1 mnt]# ls Kwestos.+163+11625.key Kwestos.+163+11625.private [root@node1 mnt]# cp -p /etc/rndc.key /etc/westos.key [root@node1 mnt]# cat Kwestos.+163+11625.key westos. IN KEY 512 3 163 do5PjldBXK6WIohfhtIIZQ== [root@node1 mnt]# vim /etc/westos.key

key "westos" {
??????? algorithm hmac-sha256;
??????? secret "do5PjldBXK6WIohfhtIIZQ==";
};

將剛才生成的公鑰和私鑰傳給測(cè)試的客戶(hù)機(jī)

[root@node1 mnt]# scp Kwestos.+163+11667.* root@172.25.254.201:/mnt The authenticity of host '172.25.254.201 (172.25.254.201)' can't be established. ECDSA key fingerprint is SHA256:Z7nIjVS0zBFK8xGDwjAegodMOk0lyUIF0+GBN13Mrv0. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '172.25.254.201' (ECDSA) to the list of known hosts. root@172.25.254.201's password: Kwestos.+163+11667.key 100% 50 70.8KB/s 00:00 Kwestos.+163+11667.private 100% 168 259.2KB/s 00:00 vim /etc/named.conf 44 include "/etc/wesots.key";

vim /etc/named.rfc1912.zones systemctl restart named

zone "westos.com" IN {
??????? type master;
??????? file "westos.com.zone";
??????? allow-update { key westos; };
??????? also-notify { 172.25.254.201; };
};

驗(yàn)證：

nsupdate -k /mnt/Kwestos.+163+26695.private > server 172.25.254.101 > update add hello.westos.com 86400 A 192.168.0.111 > send > quit

九、ddns（dhcp+dns）

DDNS是動(dòng)態(tài)域名服務(wù)的縮寫(xiě)，是指域名系統(tǒng)中的一種自動(dòng)更新名稱(chēng)服務(wù)器內(nèi)容的技術(shù)，DDNS是將用戶(hù)的動(dòng)態(tài)IP地址映射到一個(gè)固定的域名解析服務(wù)上，用戶(hù)每次連接網(wǎng)絡(luò)的時(shí)候客戶(hù)端程序就會(huì)通過(guò)信息傳遞把該主機(jī)的動(dòng)態(tài)ip地址傳送給位于服務(wù)上主機(jī)上的服務(wù)器程序，服務(wù)器程序負(fù)責(zé)提供DNS服務(wù)并實(shí)現(xiàn)動(dòng)態(tài)域名解析。

主機(jī)名固定，IP不固定
解析www,域名對(duì)應(yīng)的IP是死的，不適用于動(dòng)態(tài)網(wǎng)絡(luò)，
如何讓解析隨IP變：
因?yàn)閐hcp每次分配的IP都不同
IP dhcp服務(wù)知道是哪個(gè)IP
分配IP的時(shí)候告訴dns，把解析指向他

本實(shí)驗(yàn)的環(huán)境是基于上步實(shí)驗(yàn)（key 更新）

?服務(wù)端主機(jī)：

dnf instsall dhcp-server -y cp /usr/share/doc/dhcp-server/dhcpd.conf.example /etc/dhcp/dhcpd.conf vim /etc/dhcpd/dhcpd.conf systemctl restart dhcpd

# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...
option domain-name "westos.com";
option domain-name-servers 172.25.254.101;

default-lease-time 600;
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
ddns-update-style interim;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
#authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# This is a very basic subnet declaration.

subnet 172.25.254.0 netmask 255.255.255.0 {
? range 172.25.254.46 172.25.254.50;
? option routers 172.25.254.101;
}

key westos {
???????? algorithm hmac-sha256;
???????? secret B/16D8XGtviAKrYPB9zanw==;
?????? };

zone westos.com. {
???????? primary 172.25.254.101;
???????? key westos;
?????? }

這部分內(nèi)容可以通過(guò)man 5 dhcp.conf 查看

vim /var/named/westos.com.zone systemctl restart named

$TTL 1D
@?????? IN SOA? westos.com. root.westos.com. (
??????????????????????????????? 2020112303????? ; serial
??????????????????????????????????????? 1D????? ; refresh
??????????????????????????????????????? 1H????? ; retry
??????????????????????????????????????? 1W????? ; expire
??????????????????????????????????????? 3H )??? ; minimum
??????? NS????? dns.westos.com.
dns???? A?????? 172.25.254.101

客戶(hù)端測(cè)試主機(jī)：

設(shè)定測(cè)試主機(jī)網(wǎng)絡(luò)工作方式為dhcp 設(shè)定主機(jī)名稱(chēng)jjj.westos.com

?重啟網(wǎng)絡(luò)

nmcli connection reload nmcli connection up enp1s0

設(shè)置客戶(hù)端主機(jī)名：

hostnamectl set-hostname jjj.westos.com nmcli connection reload nmcli connection up enp1s0 dig jjj.westos.com

測(cè)試：

dig jjj.westos.com

可以得到正確解析

為了保證實(shí)驗(yàn)的準(zhǔn)確性：進(jìn)行二次測(cè)試

修改dhcp的地址池，使得客戶(hù)端ip改變

服務(wù)端：

vim /etc/dhcp/dhcpd.conf systemctl restart dhcpd

客戶(hù)端：

hostname set-hostname yyy.westos.com 設(shè)置客戶(hù)端主機(jī)名 nmcli connection reload 重啟網(wǎng)絡(luò) nmcli connection up enp1s0 dig yyy.westos.com

ddsn實(shí)驗(yàn)總結(jié)：

（1）本實(shí)驗(yàn)基于key 更新實(shí)驗(yàn)環(huán)境；

（2）為保證dhcp服務(wù)有效，要關(guān)掉其他的dhcp服務(wù)；

（3）編輯完配置文件一定要重啟服務(wù)！！！

（4）服務(wù)端和客戶(hù)端火墻都要關(guān)閉或者將服務(wù)添加到火墻里；

（5）兩邊的selinux也都要關(guān)閉。

總結(jié)

以上是生活随笔為你收集整理的企业dns 服务器的搭建的全部?jī)?nèi)容，希望文章能夠幫你解決所遇到的問(wèn)題。

如果覺(jué)得生活随笔網(wǎng)站內(nèi)容還不錯(cuò)，歡迎將生活随笔推薦給好友。

上一篇： Linux 中内核级加强型火墙的管理
下一篇：网络文件系统(samba、nfs、isc