DNS domain name resolution service

- DNS Service
- Realization Principle of DNS
- Actual Project 1: Set up a DNS server for forward and reverse resolution in the enterprise
- Actual Project 2: Build two DNS servers in the enterprise with master-slave synchronization
- Error Removal Record
- Configuration file parsing in detail
- Summary
Course requirements
1. Set up a DNS server inside the enterprise for forward and reverse DNS resolution
2. Build two DNS servers inside the enterprise with master-slave synchronization
DNS Service
DNS stands for Domain Name Server; the service it provides is domain name resolution.
Every networked computer has an IP address, and that address is what it uses to communicate with other machines on the Internet. IP addresses, however, are hard to remember. One or two might be manageable, but we visit far more than one or two sites every day. What we actually remember are names such as www.baidu.com and www.sina.com: strings of characters, that is, domain names.
It is the same with phone numbers. Because they are hard to remember, we store them in our phone under a nickname or the person's name, and then dial by name.
Our system does the same thing by mapping an IP address to a host name, and a dedicated file holds these correspondences: /etc/hosts. Open it and you will see that each record line contains a host name and an IP address. One IP address can map to several host names, just as a person can have several nicknames.
Does this solve the problem? When we want to visit a website we no longer type the IP address; we type the host name, and the machine resolves it to the corresponding IP address for communication. This was adequate in the early days, but as the Internet grew the file stopped being practical: a huge number of mappings would have to be configured, which is time-consuming and troublesome, and they would have to be configured on every machine. If I am Baidu and want everyone in the world to visit my web page, I would need every one of them to add my IP address and host name to their own hosts file. That is unworkable and the workload is far too heavy, so a new mechanism was introduced.
Realization Principle of DNS
This mechanism does the same job as the hosts file but is implemented differently; it is called DNS (Domain Name Server). With DNS we can solve large-scale domain name resolution. How? Through the structure of DNS.
Earlier we saw that our file system is a hierarchical structure, and that this hierarchy is expressed through directories. DNS is the same: it is also managed as a hierarchy, level by level. But unlike directories, which are a logical concept that helps us understand the file system, the DNS hierarchy is a real management structure.
Every hierarchy has a top. For directories it is the root directory; for DNS it is the root domain, written as a single dot. There are 13 root domain servers in the world, and they are the top of the hierarchy.
Below the root domain are the top-level domains. The com we see most often is a top-level domain; so are org, cn, edu and so on. Top-level domains manage the second-level domains beneath them, and so on down.
FQDN: the host name plus the domain name is called a fully qualified domain name (FQDN). Strictly there should be a dot after com, representing the root domain, but by habit we now omit it. It is like the state administering the province, the province administering the city, the city administering the county, and so on.
Complete domain name: www.baidu.com.
- . : the root domain (13 root domain servers in the world)
- com: top-level (first-level) domain
- baidu: second-level domain
- www: host name
Example: how a host finds www.sina.com.
- First check whether there is a record for it in the local /etc/hosts.
- Otherwise ask someone else, that is, ask a DNS server. The file /etc/resolv.conf specifies which server to ask.
The order of these two lookups is itself set by a file, /etc/nsswitch.conf (its hosts: line).
Windows has the equivalent setting under Network Neighborhood > Properties > Local Area Connection.
DNS has two query modes, depending on whether the DNS server already knows the answer or not.
The server knows the answer in two cases:
- the name belongs to a zone the server itself is authoritative for, so it can resolve it locally;
- the server has the answer in its cache because someone else already asked who sina is, so it can return the result to the client directly.
If it does not know, the server asks the domain above it, waits for that domain's reply, and then passes the answer back to the client. This is called a recursive query.
In the other case, the server asks the domain above it, which replies with a referral to the DNS server responsible for the next level; the client then asks that new server, and so on until the corresponding IP address is found. This is called an iterative query.
Resolving www.sina.com. step by step:
1) find the root domain;
2) find the top-level domain com;
3) find the second-level domain sina;
4) find the host www.
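As an added illustration (not part of the original course material), the following Python model walks the hierarchy described above for www.sina.com. with constructed servers and records: an iterative resolver follows referrals root -> com -> sina -> www, and a recursive resolver answers from cache once it has done that walk on a client's behalf. The server names and the IP address are constructed placeholders.

```python
# Constructed model of the DNS hierarchy above: every authoritative server knows the
# records of its own zone plus NS delegations for the zones directly below it.
# Server names and the 203.0.113.10 address (TEST-NET-3) are placeholders, not real hosts.
SERVERS = {
    "root":         {"records": {}, "delegations": {"com.": "gtld-server"}},
    "gtld-server":  {"records": {}, "delegations": {"sina.com.": "ns.sina.com."}},
    "ns.sina.com.": {"records": {"www.sina.com.": "203.0.113.10"}, "delegations": {}},
}


def fqdn(name):
    """Append the usually omitted trailing dot that stands for the root domain."""
    return name if name.endswith(".") else name + "."


def ask(server, name):
    """One query to one authoritative server. Returns ('answer', ip),
    ('referral', next_server) or ('nxdomain', None), which is all such a server can say."""
    data = SERVERS[server]
    if name in data["records"]:
        return "answer", data["records"][name]
    for zone, child in data["delegations"].items():
        if name == zone or name.endswith("." + zone):
            return "referral", child
    return "nxdomain", None


def resolve_iterative(name):
    """Iterative query: the asker follows the referrals root -> com -> sina -> www itself.
    Returns (ip or None, list of servers asked in order)."""
    name, server, asked = fqdn(name), "root", []
    while True:
        asked.append(server)
        kind, payload = ask(server, name)
        if kind == "referral":
            server = payload
        else:
            return payload, asked


CACHE = {}


def resolve_recursive(name):
    """Recursive query as the client sees it: the server answers from its cache if someone
    already asked, otherwise it performs the whole walk on the client's behalf and caches
    the result. Returns (ip or None, 'cache' or 'walked')."""
    name = fqdn(name)
    if name in CACHE:
        return CACHE[name], "cache"
    ip, _ = resolve_iterative(name)
    if ip is not None:
        CACHE[name] = ip
    return ip, "walked"


if __name__ == "__main__":
    print(resolve_iterative("www.sina.com"))
    print(resolve_recursive("www.sina.com"), resolve_recursive("www.sina.com"))
```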
Actual Project 1: Set up a DNS server for forward and reverse resolution in the enterprise
1) On rhel6, configure the DNS domain name resolution service to resolve the test.com domain with the following records:
~~~
        NS      @
        A       172.25.0.11
www     A       172.25.0.10
        MX 5    mail
mail    A       172.25.0.10
ftp     A       172.25.0.10
bbs     CNAME   ftp
~~~
2) Configure reverse resolution for 172.25.0.10 and 172.25.0.11.
3) Both rhel6 and rhel7 must use 172.25.0.11 as their domain name resolution server.
Preparatory stage of the experiment
- Draw the network topology
- Plan the software to install on each server (OS and software version)
- Install
- Configure the service
- Start the service
- Test and troubleshoot
Overview of detailed steps
| num | step | notes |
|---|---|---|
| 1) | Install the software | bind bind-chroot |
| 2) | Look at the software layout with rpm -ql | log: /var/log/named.log; data: /var/named/; configuration: /etc/named.conf, /etc/named.rfc1912.zones |
| 3) | Modify the configuration files | |
| 4) | Start the service | service: named, daemon: named |
| 4.1) | Eliminate errors | look at the log |
| 5) | Test | nslookup |
| 5.1) | Troubleshoot | look at the log |
Network Topology
Planning Server Software
Start installation
~~~
[root@rhel6 ~]# yum install -y bind bind-chroot
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
server | 3.9 kB 00:00
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
---> Package bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
bind x86_64 32:9.8.2-0.17.rc1.el6_4.6 server 4.0 M
bind-chroot x86_64 32:9.8.2-0.17.rc1.el6_4.6 server 71 k
Transaction Summary
================================================================================
Install 2 Package(s)
Total download size: 4.0 M
Installed size: 7.3 M
Downloading Packages:
(1/2): bind-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm | 4.0 MB 00:00
(2/2): bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64.rpm | 71 kB 00:00
--------------------------------------------------------------------------------
Total 23 MB/s | 4.0 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64 1/2
Installing : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64 2/2
Verifying : 32:bind-9.8.2-0.17.rc1.el6_4.6.x86_64 1/2
Verifying : 32:bind-chroot-9.8.2-0.17.rc1.el6_4.6.x86_64 2/2
Installed:
bind.x86_64 32:9.8.2-0.17.rc1.el6_4.6
bind-chroot.x86_64 32:9.8.2-0.17.rc1.el6_4.6
Complete!
~~~
~~~
[root@rhel6 ~]# rpm -ql bind
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/usr/lib64/bind
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
[... /usr/share/doc and /usr/share/man entries omitted ...]
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
/var/run/named
[root@rhel6 ~]# rpm -ql bind-chroot
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
~~~
Configuration files
/etc/named.conf (the options that matter here; listening on every address and answering every client is acceptable inside the lab, but on a production server restrict allow-query to the networks that should use the server):
~~~
listen-on port 53 { any; };
listen-on-v6 port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
~~~
/etc/named.rfc1912.zones
~~~
# forward resolution
# domain name -> IP
zone "test.com" IN {
        type master;
        file "named.test";
        allow-update { none; };
};
# reverse resolution
# IP -> domain name
zone "0.25.172.in-addr.arpa" IN {
        type master;
        file "named.arpa.test";
        allow-update { none; };
};
~~~
/var/named/named.test
~~~
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
; owner         type    rdata   (a blank owner inherits the previous one; here @ = test.com.)
        NS      @
        A       172.25.0.11
www     A       172.25.0.10
        MX 5    mail
mail    A       172.25.0.10
ftp     A       172.25.0.10
bbs     CNAME   ftp
~~~
Note the owner, group and ugo permissions of the file: the named user must be able to read it (root:named, mode 640, as the ll output further down shows).
/var/named/named.arpa.test
~~~
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      test.com.
11      PTR     test.com.
10      PTR     www.test.com.
10      PTR     mail.test.com.
10      PTR     ftp.test.com.
10      PTR     bbs.test.com.
~~~
Note: in the reverse zone the NS record must not use @ (which here would expand to 0.25.172.in-addr.arpa); write the domain name test.com. in full, with the trailing dot for the root domain, otherwise the zone's own origin is appended to the name.
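Added example, not from the original page: a small Python checker that parses the two zone files above (embedded as constructed text, with the blank-owner records indented as BIND expects) and cross-checks them: every A record needs a matching PTR and vice versa, and the reverse zone's NS must be an absolute name outside in-addr.arpa, which is what the note above warns about. It also reports the one thing worth fixing in the page's own data: the PTR for 172.25.0.10 that points at bbs.test.com., a CNAME rather than an A record.

```python
# Both zone files from the page, embedded as constructed text. Records with a blank owner
# column are indented, as BIND requires; the owner is then inherited from the line above.
FORWARD_ZONE = """$TTL 1D
@   IN SOA @ rname.invalid. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS    @
    A     172.25.0.11
www A     172.25.0.10
    MX 5  mail
mail A    172.25.0.10
ftp A     172.25.0.10
bbs CNAME ftp
"""
REVERSE_ZONE = """$TTL 1D
@   IN SOA @ rname.invalid. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS  test.com.
11  PTR test.com.
10  PTR www.test.com.
10  PTR mail.test.com.
10  PTR ftp.test.com.
10  PTR bbs.test.com.
"""
RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}
NAME_FIELD = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # rdata index that holds a domain name


def parse_zone(text, origin):
    """Minimal master-file parser: drops ';' comments, joins '(' ... ')' continuation lines,
    inherits a blank owner, and makes '@' and relative names absolute. Returns (owner, type, rdata)."""
    origin = origin.rstrip(".") + "."

    def absolute(name):
        if name == "@":
            return origin
        return name if name.endswith(".") else f"{name}.{origin}"

    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for line in logical:
        if line.startswith("$"):                       # $TTL / $ORIGIN are directives, not records
            continue
        toks = [t for t in line.split() if t not in ("(", ")")]
        if not line[0].isspace():                      # non-blank first column = new owner
            owner, toks = absolute(toks[0]), toks[1:]
        if toks[0] == "IN":
            toks = toks[1:]
        if toks[0] not in RTYPES and toks[0][0].isdigit():   # optional per-record TTL
            toks = toks[1:]
        rtype, rdata = toks[0], toks[1:]
        if rtype in NAME_FIELD:
            rdata[NAME_FIELD[rtype]] = absolute(rdata[NAME_FIELD[rtype]])
        records.append((owner, rtype, rdata))
    return records


def ptr_owner(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_ip(owner):
    return ".".join(reversed(owner[:-len(".in-addr.arpa.")].split(".")))


def check_zones(fwd_text, rev_text, fwd_origin="test.com", rev_origin="0.25.172.in-addr.arpa"):
    """Cross-check forward A records against reverse PTR records and validate the reverse NS
    (an '@' or a name without the trailing dot gets the reverse origin appended, the mistake
    the note above describes). Returns a list of problems; empty means the zones agree."""
    fwd = parse_zone(fwd_text, fwd_origin)
    rev = parse_zone(rev_text, rev_origin)
    a_records = {(o, r[0]) for o, t, r in fwd if t == "A"}
    cnames = {o for o, t, r in fwd if t == "CNAME"}
    ptrs = {(o, r[0]) for o, t, r in rev if t == "PTR"}
    problems = []
    for name, ip in sorted(a_records):
        if (ptr_owner(ip), name) not in ptrs:
            problems.append(f"no PTR for {name} -> {ip}")
    for owner, target in sorted(ptrs):
        ip = ptr_ip(owner)
        if (target, ip) not in a_records:
            why = "points at a CNAME; RFC 1912 wants an A record" if target in cnames else "has no matching A record"
            problems.append(f"PTR {ip} -> {target} {why}")
    for _, t, r in rev:
        if t == "NS" and r[0].endswith(".in-addr.arpa."):
            problems.append(f"reverse zone NS {r[0]} is relative: write test.com. with the trailing dot")
    return problems
```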
Service startup
- rhel6: service named start
- rhel7: systemctl start named
Closing the firewall
- rhel6: service iptables stop
- rhel7: systemctl stop firewalld
If the service fails to start, try running rndc-confgen -a -r /etc/named.conf (-a writes the /etc/rndc.key that named and rndc share; -r names the source of randomness to use).
Test
- /etc/hosts is written manually by the system administrator
- /etc/resolv.conf specifies which domain name resolution server to ask: nameserver 172.25.0.11
- then query through the nslookup command
~~~
[root@rhel6 named]# nslookup
> www.test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
Name: www.test.com
Address: 172.25.0.10
> mail.test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
Name: mail.test.com
Address: 172.25.0.10
> ftp.test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
Name: ftp.test.com
Address: 172.25.0.10
> test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
Name: test.com
Address: 172.25.0.11
> bbs.test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
bbs.test.com canonical name = ftp.test.com.
Name: ftp.test.com
Address: 172.25.0.10
> 172.25.0.10
Server: 172.25.0.11
Address: 172.25.0.11#53
10.0.25.172.in-addr.arpa name = bbs.test.com.
10.0.25.172.in-addr.arpa name = www.test.com.
10.0.25.172.in-addr.arpa name = mail.test.com.
10.0.25.172.in-addr.arpa name = ftp.test.com.
> 172.25.0.11
Server: 172.25.0.11
Address: 172.25.0.11#53
11.0.25.172.in-addr.arpa name = test.com.
> exit
~~~
Actual Project 2: Build two DNS servers in the enterprise with master-slave synchronization
Master-slave synchronization: if tens of thousands of clients query the DNS server at the same time, the server is under great pressure. A second server can share that load, and if something goes wrong with the main server the other one can take over directly; that is the role of a slave (secondary) server.
Obviously the slave needs the same configuration as the master, and the data it serves is essentially the same. For a DNS server, however, the data files are not fixed: the IP-to-host-name mappings may change frequently. We therefore want any change made to a file on the master to be applied automatically to the slave, keeping the two machines fully synchronized. The configuration that achieves this is called master-slave synchronization.
Preparatory stage of the experiment
- Network topology
- Plan the software to install: bind bind-chroot
- Modify the configuration files
  - master server: in /etc/named.rfc1912.zones allow zone transfer to the slave; change the serial number in /var/named/named.test and /var/named/named.arpa.test from 0 to the date
  - slave server: /etc/named.conf listen-on and allow-query any; in /etc/named.rfc1912.zones set type slave, masters and file
- Start the slave service
- Check the slave's cache directory /var/named/slaves/
- Make sure the firewall is closed
- Test the service from a client
Specific steps
Network Topology
Planning software installation
Master server:
~~~
[root@rhel6 named]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
        type master;
        file "named.test";
        allow-update { none; };
        allow-transfer { 172.25.0.10; };   // allow the slave 172.25.0.10 to transfer (read) this zone
};
zone "0.25.172.in-addr.arpa" IN {
        type master;
        file "named.arpa.test";
        allow-update { none; };
        allow-transfer { 172.25.0.10; };   // allow the slave 172.25.0.10 to transfer (read) this zone
};
[root@rhel6 named]# pwd
/var/named
[root@rhel6 named]# ll
total 40
drwxr-x---. 6 root named 4096 Aug 2 10:30 chroot
drwxrwx---. 2 named named 4096 Aug 2 11:03 data
drwxrwx---. 2 named named 4096 Aug 2 15:06 dynamic
-rw-r-----. 1 root named 271 Aug 2 13:59 named.arpa.test
-rw-r-----. 1 root named 1892 Feb 18 2008 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
-rw-r-----. 1 root named 224 Aug 2 11:34 named.test
drwxrwx---. 2 named named 4096 Aug 14 2013 slaves
[root@rhel6 named]# vim named.test
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        20160802 ; serial
                                        1D       ; refresh
                                        1H       ; retry
                                        1W       ; expire
                                        3H )     ; minimum
        NS      @
        A       172.25.0.11
www     A       172.25.0.10
        MX 5    mail
mail    A       172.25.0.10
ftp     A       172.25.0.10
bbs     CNAME   ftp
[root@rhel6 named]# vim named.arpa.test
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        20160802 ; serial
                                        1D       ; refresh
                                        1H       ; retry
                                        1W       ; expire
                                        3H )     ; minimum
        NS      test.com.
11      PTR     test.com.
10      PTR     www.test.com.
10      PTR     mail.test.com.
10      PTR     ftp.test.com.
10      PTR     bbs.test.com.
[root@rhel6 named]# service named restart
Stopping named: . [ OK ]
Starting named: [ OK ]
[root@rhel6 named]# service iptables stop
iptables: Firewall is not running.
[root@rhel6 named]# getenforce
Enforcing
~~~
Slave server:
~~~
[root@rhel7 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
domain example.com
search example.com
nameserver 172.25.254.254
[root@rhel7 ~]# yum install -y bind*
[root@rhel7 ~]# vim /etc/named.conf
[root@rhel7 ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
        type slave;                          // this server is a slave for the zone
        masters { 172.25.0.11; };            // the master to transfer the zone from
        file "slaves/uploooking.com.zone";   // where the transferred zone data is stored; slaves have a dedicated directory
        allow-update { none; };
};
zone "0.25.172.in-addr.arpa" IN {
        type slave;
        masters { 172.25.0.11; };
        file "slaves/arpa.test.zone";
        allow-update { none; };
};
~~~
Stop the firewall and start the service
~~~
[root@rhel7 ~]# systemctl stop firewalld
[root@rhel7 ~]# getenforce
Enforcing
[root@rhel7 ~]# systemctl start named
[root@rhel7 ~]# ll /var/named/slaves
total 8
-rw-r--r--. 1 named named 381 Aug 2 03:54 arpa.test.zone
-rw-r--r--. 1 named named 463 Aug 2 03:54 uploooking.com.zone
~~~
Test
Client rhel7, first against the master 172.25.0.11, then against the slave 172.25.0.10:
~~~
[root@rhel7 ~]# vim /etc/resolv.conf
nameserver 172.25.0.11
[root@rhel7 ~]# nslookup
> www.test.com
Server: 172.25.0.11
Address: 172.25.0.11#53
Name: www.test.com
Address: 172.25.0.10
> 172.25.0.10
Server: 172.25.0.11
Address: 172.25.0.11#53
10.0.25.172.in-addr.arpa name = www.test.com.
10.0.25.172.in-addr.arpa name = mail.test.com.
10.0.25.172.in-addr.arpa name = ftp.test.com.
10.0.25.172.in-addr.arpa name = bbs.test.com.
> 172.25.0.11
Server: 172.25.0.11
Address: 172.25.0.11#53
11.0.25.172.in-addr.arpa name = test.com.
> exit
[root@rhel7 ~]# vim /etc/resolv.conf
nameserver 172.25.0.10
[root@rhel7 ~]# nslookup
> www.test.com
Server: 172.25.0.10
Address: 172.25.0.10#53
Name: www.test.com
Address: 172.25.0.10
> 172.25.0.11
Server: 172.25.0.10
Address: 172.25.0.10#53
11.0.25.172.in-addr.arpa name = test.com.
> 172.25.0.10
Server: 172.25.0.10
Address: 172.25.0.10#53
10.0.25.172.in-addr.arpa name = bbs.test.com.
10.0.25.172.in-addr.arpa name = www.test.com.
10.0.25.172.in-addr.arpa name = ftp.test.com.
10.0.25.172.in-addr.arpa name = mail.test.com.
> exit
~~~
Error Removal Record
1. The service can't start
~~~
[root@rhel7 ~]# systemctl start named
Job for named.service failed. See 'systemctl status named.service' and 'journalctl -xn' for details.
[root@rhel7 ~]# systemctl status named.service
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: failed (Result: exit-code) since Tue 2016-08-02 04:19:20 EDT; 23s ago
Process: 2297 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=1/FAILURE)
Aug 02 04:19:20 rhel7 systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
Aug 02 04:19:20 rhel7 named-checkconf[2297]: /etc/named.rfc1912.zones:51: missing ';' before '}'
Aug 02 04:19:20 rhel7 systemd[1]: named.service: control process exited, code=exited status=1
Aug 02 04:19:20 rhel7 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Aug 02 04:19:20 rhel7 systemd[1]: Unit named.service entered failed state.
~~~
PS: when the service fails to start, the failure message itself tells us where to look: systemctl status named.service or journalctl -xn. Either command shows the detailed error; here the key line is
~~~
Aug 02 04:19:20 rhel7 named-checkconf[2297]: /etc/named.rfc1912.zones:51: missing ';' before '}'
~~~
This log tells us that on line 51 of /etc/named.rfc1912.zones a ';' is missing before '}', so we can fix the configuration file according to the prompt in the log.
2. Service can't start
[root@rhel7 ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: failed (Result: exit-code) since Tue 2016-08-02 04:50:39 EDT; 1min 42s ago
Process: 6541 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=1/FAILURE)
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone 0.in-addr.arpa/IN: loaded serial 0
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone test.com/IN: loaded serial 20160802
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone 19.25.172.in-addr.arpa/IN: loading from master file nam...ound
Aug 02 04:50:39 rhel7 named-checkconf[6541]: zone 19.25.172.in-addr.arpa/IN: not loaded due to errors.
Aug 02 04:50:39 rhel7 named-checkconf[6541]: _default/19.25.172.in-addr.arpa/IN: file not found
Aug 02 04:50:39 rhel7 systemd[1]: named.service: control process exited, code=exited status=1
Aug 02 04:50:39 rhel7 systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Aug 02 04:50:39 rhel7 systemd[1]: Unit named.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.
[root@rhel7 ~]# tail -n 15 /etc/named.rfc1912.zones
};
zone "test.com" IN {
type master;
file "named.test";
allow-update { none; };
allow-transfer { 172.25.19.10;};
};
zone "19.25.172.in-addr.arpa" IN {
type master;
file "named.test.arpa";
allow-update { none; };
allow-transfer { 172.25.19.10; };
};
[root@rhel7 ~]# ll /var/named/named*
-rw-r-----. 1 root named 330 Aug 2 04:50 /var/named/named.arpa.test
-rw-r-----. 1 root named 2076 Jan 28 2013 /var/named/named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 /var/named/named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 /var/named/named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 /var/named/named.loopback
-rw-r-----. 1 root named 295 Aug 2 04:50 /var/named/named.test
PS: The problem is that the data file name on disk does not match the file name specified in the configuration file:
file "named.test.arpa";
/var/named/named.arpa.test
3. Only one zone file in the slaves cache directory after primary/secondary synchronization
[root@rhel7 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 386 Jan 1 02:46 test123.zoo
PS: The cause is a configuration error in /etc/named.rfc1912.zones: the cache directory is written as "slave", one "s" short of "slaves".
zone "test.com" IN {
type slave;
masters { 172.25.33.11; };
file "slave/test.zone";
allow-update { none; };
};
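Errors 2 and 3 are both the same mistake in different clothes: the path named will open is not the path that exists on disk. The script below is an added example, not part of the original tutorial, that checks every zone statement of a zones config before named is restarted. It resolves paths the way named does (absolute paths as-is, relative paths under the directory option, which is passed in as the second argument), requires a master or hint zone file to exist, and for a slave zone only requires its directory to exist, since named writes the file itself after the first transfer. It assumes one statement per line, as in the files shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: check that every zone
# file referenced from a zones config (such as /etc/named.rfc1912.zones) is
# where BIND will look for it. Catches a data file named differently on disk
# than in the config, and a slave directory spelt "slave" instead of "slaves".

# list_zone_files CONF -> one "TYPE FILE" line per zone statement
# (assumes one statement per line, the layout used in the files above)
list_zone_files() {
    awk '
        /^[[:space:]]*zone[[:space:]]/ { type = ""; file = "" }
        /^[[:space:]]*type[[:space:]]/ { sub(/;.*/, ""); type = $2 }
        /^[[:space:]]*file[[:space:]]/ { match($0, /"[^"]*"/); file = substr($0, RSTART + 1, RLENGTH - 2) }
        /^[[:space:]]*};/ && type != "" && file != "" { print type, file; type = ""; file = "" }
    ' "$1"
}

# check_zone_files CONF NAMED_DIR -> prints one "ok"/"MISSING" line per zone.
# NAMED_DIR is the value of the directory option in named.conf (/var/named).
check_zone_files() {
    conf=$1
    dir=$2
    list_zone_files "$conf" | while read -r type file; do
        case $file in
            /*) path=$file ;;        # absolute path, used as-is
            *)  path=$dir/$file ;;   # relative to the directory option
        esac
        if [ "$type" = slave ]; then
            # named creates the slave file itself; only its directory must exist
            want=$(dirname "$path")
            [ -d "$want" ] && echo "ok       $type $want/" || echo "MISSING  $type $want/"
        else
            [ -f "$path" ] && echo "ok       $type $path" || echo "MISSING  $type $path"
        fi
    done
}

# missing_zone_files CONF NAMED_DIR -> number of problems found (0 = all good)
missing_zone_files() {
    check_zone_files "$1" "$2" | grep -c MISSING || true
}

# Typical use on the server before "systemctl restart named":
#   check_zone_files /etc/named.rfc1912.zones /var/named
```

Run it against the configuration from error 2 and it reports the reverse zone's file as missing, because the file on disk is named.arpa.test; run it against the configuration from error 3 and it reports the slave/ directory as missing. A permission or SELinux problem is not detected by this check; that is the subject of the next point.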
4. Slave data files placed in a directory other than slaves during primary/secondary synchronization
If the slave server's zone files are configured to go into a directory other than slaves, synchronization fails.
Investigate the cause from three angles:
* Configuration file
* UGO permissions
* selinux permissions
Because this is an SELinux problem, we install the setroubleshoot tool to help analyze it.
yum search setroubleshoot
yum -y install setroubleshoot
sealert -a /var/log/audit/audit.log
The output reports on Boolean values and security contexts:
- 1) Set the Boolean value: setsebool -P named_write_master_zones 1
- 2) Set the security context, either by following man named_selinux or by looking at the security context of the slaves directory
Change the new directory to match the security context of slaves:
chcon -t named_zone_t test
chcon -u system_u -r object_r test
Then enable SELinux again, delete the already synchronized files from the test directory, restart the service and check whether they are synchronized.
Synchronization succeeds.
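The two chcon commands above change the type, the user and the role separately, and it is easy to fix one field and forget another. The functions below are an added example, not part of the original tutorial: they split a context string of the form user:role:type:level into its fields and report which ones differ between /var/named/slaves and the new directory, so you know exactly which chcon options are needed. The sample context strings in the comments are constructed for illustration; on a running system the context comes from GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: show which fields of a
# directory's SELinux context differ from /var/named/slaves.
# A context looks like user:role:type:level, e.g. system_u:object_r:named_zone_t:s0
# (constructed sample value).

# context_field CONTEXT N -> field N (1 user, 2 role, 3 type, 4 level)
context_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# context_diff REFERENCE CANDIDATE -> prints "field: have -> want" for every
# differing field and returns 1; returns 0 when user, role and type match.
# The MLS level (field 4) is left alone; it is normally s0 on both.
context_diff() {
    rc=0
    for n in 1 2 3; do
        case $n in
            1) name=user ;;   # chcon -u
            2) name=role ;;   # chcon -r
            3) name=type ;;   # chcon -t
        esac
        want=$(context_field "$1" "$n")
        have=$(context_field "$2" "$n")
        if [ "$want" != "$have" ]; then
            echo "$name: $have -> $want"
            rc=1
        fi
    done
    return $rc
}

# path_context PATH -> current context of a file or directory (GNU stat;
# prints "?" on a system without SELinux)
path_context() {
    stat -c %C "$1"
}

# compare_with_slaves DIR -> what chcon would have to change on DIR to match
# /var/named/slaves. Typical use on the server: compare_with_slaves /var/named/test
compare_with_slaves() {
    context_diff "$(path_context /var/named/slaves)" "$(path_context "$1")"
}
```

An empty report (exit status 0) means the directory already matches slaves and the remaining suspects are the Boolean and plain UGO permissions.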
5. If the service starts too slowly
You can run /usr/sbin/rndc-confgen -a -r /dev/urandom
The delay is caused by generating the rndc secret key.
6. Batch generation of sequential records ($GENERATE, a brief overview)
$GENERATE 1-100 stu$ A 172.25.0.$
$GENERATE 1-200 $ PTR foundation$.ilt.example.com.
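To see what the two directives above actually put into the zone, the script below, an added example and not part of the original tutorial, expands a $GENERATE line into the plain records it stands for: every '$' in the owner name and in the record data is replaced by the current number, which is what $GENERATE does in the simple form used here. It is handy for diffing what named will load, and it makes the trailing dot on the PTR target visible, since without it the zone's origin would be appended to each name.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: expand a $GENERATE
# directive into the records it produces (simple form: '$' = current number).

# subst_num TEXT N -> TEXT with every '$' replaced by N
subst_num() {
    printf '%s\n' "$1" | sed "s/\\$/$2/g"
}

# expand_generate START STOP OWNER TYPE RDATA -> one "owner type rdata" line per number
expand_generate() {
    start=$1; stop=$2; owner=$3; rtype=$4; rdata=$5
    i=$start
    while [ "$i" -le "$stop" ]; do
        printf '%s %s %s\n' "$(subst_num "$owner" "$i")" "$rtype" "$(subst_num "$rdata" "$i")"
        i=$((i + 1))
    done
}

# The two directives from the tutorial:
#   $GENERATE 1-100 stu$ A 172.25.0.$
#   $GENERATE 1-200 $ PTR foundation$.ilt.example.com.
expand_generate 1 100 'stu$' A '172.25.0.$'
expand_generate 1 200 '$' PTR 'foundation$.ilt.example.com.'
```

The first call prints stu1 A 172.25.0.1 through stu100 A 172.25.0.100; the second prints 1 PTR foundation1.ilt.example.com. through 200 PTR foundation200.ilt.example.com., which is what the reverse zone will answer for each address.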
7. Viewing slave data files
On version 7 they cannot be read directly, because the zone files the slave writes are in a binary format.
On version 6 they can be read: the old version writes them as text.
Configuration file parsing in detail
Main configuration file /etc/named.conf
options: the global configuration block
options { // global options for the server and some default settings
    listen-on port 53 { any; }; // the default listening port is 53; the address list can also be written as { 127.0.0.1; 192.168.139.46; }
    listen-on-v6 port 53 { ::1; }; // IPv6 support
    directory "/var/named"; // directory where the zone data files are stored
    dump-file "/var/named/data/cache_dump.db"; // cache dump file
    statistics-file "/var/named/data/named_stats.txt"; // status information file
    memstatistics-file "/var/named/data/named_mem_stats.txt"; // memory statistics file
    pid-file "/var/run/named/named.pid"; // pid file of named
    forwarders { 168.95.1.1; 139.175.10.20; }; // if this server cannot resolve a name, the request is sent to 168.95.1.1 and 139.175.10.20 for resolution
    allow-query { any; }; // hosts allowed to query; any lets every computer query
    allow-transfer { none; }; // hosts allowed to request zone transfers, i.e. the secondary DNS servers: if the secondary's IP is 192.168.139.5, write { 192.168.139.5; }, otherwise the primary and secondary cannot synchronize; an acl (see below) can also be used inside the braces
    // those options should be used carefully because they disable port
    // randomization
    // query-source port 53;
    // query-source-v6 port 53;
    // the options beginning with dnssec configure DNSSEC; the xxxx.key entries are secret key files
};
logging { // what the server logs and where the log information goes
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN { // each zone statement defines one domain; "." is the root domain
    type hint;
    file "named.ca"; // the list of root name servers
    /* There are three types: master, slave and hint.
       master: this server is the primary name server for the domain
       slave: this server is a secondary name server for the domain
       hint: the zone lists the root name servers of the Internet
    */
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key"; // the two include statements read /etc/named.rfc1912.zones and /etc/named.root.key together with this file; we focus on the first, which is the file dedicated to defining domains
allow-query-cache and primary/secondary synchronization:
- On version 6 it must be added, otherwise errors are reported
- On version 7 it is not required
For primary/secondary synchronization, recursion must be yes; if it is turned off, new records no longer enter the cache.
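The allow-transfer comment above mentions that an acl can be used inside the braces. As an added illustration (not from the original tutorial; the secondary's address 192.168.139.5 is the one used in the comment above, and the acl name secondaries is an assumed name), this is how the permissive setting and the restricted one look side by side in named.conf:

```conf
// Added example: restrict zone transfers to the secondary DNS server only.
acl secondaries { 192.168.139.5; };   // declare the acl before it is referenced

options {
    // allow-transfer { any; };        // weak: any host can download the whole zone
    allow-transfer { secondaries; };   // only the listed secondary may transfer
    allow-query { any; };
};
```

Because the acl is declared once, the same name can be reused in the allow-transfer of every zone in /etc/named.rfc1912.zones instead of repeating the IP address.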
/etc/named.rfc1912.zones
zone "domain name" IN {
    file "data file"; // the data file corresponding to the domain
    allow-update { ... }; // who is allowed to send dynamic updates
};
Notes
- Every statement ends with a semicolon as its terminator
- Braces must appear in pairs
- The file statement points to the data file with a path relative to the directory option of the main configuration file, that is, relative to /var/named
Slave configuration required for master/slave synchronization
zone "domain name" IN {
    type slave;
    masters { 172.25.0.11; };
    file "slaves/test.com.zone";
};
Data file /var/named/named.localhost
$TTL 1D          ; TTL is the cache lifetime; DNS caches answers itself, and 1D means one day
@ IN SOA @ user.domain. (   ; SOA is the start of authority record; @ stands for the zone's own domain name, followed by the primary server and the administrator's mailbox written as user.domain.
        0       ; serial: usually the modification date; the slave decides from the serial whether the file has changed
        1D      ; refresh: how often the slave synchronizes
        1H      ; retry: how long to wait before trying again when synchronization fails
        1W      ; expire: after how long of repeated failed synchronization the slave stops synchronizing
        3H )    ; minimum: the minimum cache time, mainly negative caching: if someone keeps asking about a non-existent name, the negative answer is cached and returned without a new lookup
        NS      @           ; NS record: the name server of the domain
        A       127.0.0.1   ; A record: the domain name (localhost) points to 127.0.0.1
Here we change the serial to the current date. Resolution is divided into forward and reverse resolution; forward resolution looks up the IP address from a known host name, and we look at forward resolution first. If you write the domain name instead of @, write it as test.com. with a trailing dot, which stands for the root domain.
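The serial is the one field in the SOA that the slave actually compares: it transfers the zone only when the master's serial is higher than the one it already holds, so an edit whose serial was not bumped never reaches the secondary. The script below is an added example, not part of the original tutorial, that bumps the serial in the YYYYMMDDnn form described above. The date is passed in as an argument rather than read from date, so the functions can be exercised with fixed values; the zone file it is run on here is a constructed copy of the layout shown above.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: bump the SOA serial of a
# zone file using the YYYYMMDDnn convention (date plus a two-digit counter).

# next_serial CURRENT YYYYMMDD -> prints the new serial
next_serial() {
    cur=$1
    today=$2
    case $cur in
        "$today"??)
            # already bumped today: increment the two-digit counter
            n=${cur#"$today"}
            n=${n#0}                     # "08" would otherwise be read as octal
            n=$((n + 1))
            if [ "$n" -gt 99 ]; then
                echo "next_serial: more than 99 changes on $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$n"
            ;;
        *)
            new="${today}00"
            # the serial must strictly increase; if the file held something
            # larger than today's date form, fall back to plain +1
            if [ "$new" -le "$cur" ]; then
                new=$((cur + 1))
            fi
            echo "$new"
            ;;
    esac
}

# bump_serial ZONEFILE YYYYMMDD -> rewrites the "<number> ; serial" line in
# place and prints the new serial
bump_serial() {
    file=$1
    today=$2
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$file" | head -n 1)
    if [ -z "$cur" ]; then
        echo "bump_serial: no '<number> ; serial' line in $file" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$today") || return 1
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$new"
}

# Typical use on the master after editing /var/named/named.test:
#   bump_serial /var/named/named.test "$(date +%Y%m%d)" && rndc reload test.com
```

With the serial 20160802 used in the tutorial, the first bump on that day yields 2016080200, the next 2016080201, and a bump on a later day jumps straight to that date followed by 00.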
summary
Mastering Practical Projects