Role of DNS systems
The role of the DNS system in the network is to maintain an address database that records the mapping between host domain names and IP addresses, so that it can answer forward or reverse address queries from clients.
- Forward resolution: find the IP address that corresponds to a host name (domain name)
- Reverse resolution: find the host domain name that corresponds to an IP address
DNS System Types
Caching domain name server
- Also known as a cache server
- Obtains domain name -> IP address records by querying other domain name servers
- Caches the query results locally to speed up repeated queries
Primary domain name server
- The authoritative server for a specific DNS zone; there is exactly one per zone
- Maintains the domain name -> IP address mapping records for that zone
Slave domain name server
- Also known as a secondary domain name server
- The domain name -> IP address records it serves are copied (by zone transfer) from the primary domain name server
BIND Domain Name Service
BIND is not the only DNS program that can provide domain name services, but it is the most widely used and can run on most Linux hosts.
Install BIND software

    [root@localhost ~]# yum install bind -y    //A CentOS 7 host with network access can install it directly with yum
BIND server-side program
- Main executable: /usr/sbin/named
- Default listening port: 53
- Main configuration file: /etc/named.conf
- Directory for the zone data files (the DNS resolution records): /var/named/
Main configuration file
- Global configuration
  - Sets global parameters for the DNS server
  - Includes the listening address/port and the default location of the data files
  - Configured in an options { ... }; block

    options {
        listen-on port 53 { local IP address; };              //Listening address and port
        directory "/var/named";                               //Default storage location for zone data files
        allow-query { 192.168.1.0/24; 173.16.16.0/24; };      //Network segments allowed to use this DNS service
    };
- Zone configuration section
  - Sets up the specific DNS zones for which this server provides name resolution
  - Includes the zone name, the server's role, the data file name, etc.
  - Configured in a zone "zone name" IN { ... }; block

    //Forward resolution
    zone "yun.com" IN {                    //Forward zone "yun.com"
        type master;                       //Zone type is master (primary)
        file "yun.com.zone";               //Zone data file is "yun.com.zone"
        allow-transfer { 173.16.16.2; };   //Address of the slave server allowed to download (transfer) the zone
    };
    //Reverse resolution
    zone "16.16.173.in-addr.arpa" IN {     //Reverse zone for 173.16.16.0/24
        type master;
        file "173.16.16.arpa";             //Zone data file is "173.16.16.arpa"
        allow-update { none; };
    };
Zone data file
- Global TTL setting and the SOA (Start of Authority) record

    $TTL 1D                                //Lifetime of valid resolution records (default TTL)
    @   IN SOA  @ rname.invalid. (         //SOA record: zone name, administrator mailbox
                0       ; serial           //Update serial number, an integer of up to 10 digits; it must increase on every change, otherwise slaves never notice the change
                1D      ; refresh          //Refresh interval: how often a slave checks the master for new zone data
                1H      ; retry            //Retry interval after a failed refresh
                1W      ; expire           //Expiry time: a slave stops answering for the zone if it cannot refresh within this time
                3H )    ; minimum          //Negative-caching TTL (lifetime of "no such record" answers)
Domain name resolution records
- NS: name server record
- MX: mail exchange record
- A: address record, used only in forward zones
- CNAME: alias record (canonical name)
- * IN A <IP>: wildcard record, answers for any name in the zone that has no record of its own
- PTR: pointer record, used only in reverse zones; the first column of the record gives the host part of the IP address
DNS configuration files
- /etc/named.conf: main configuration file, controls global settings (and includes the other files)
- /etc/named.rfc1912.zones: zone configuration file, controls individual zones
- /var/named/named.localhost: zone data file template, holds the records of a zone
Set up DNS service
Forward Resolution Configuration
1. Install BIND software

    [root@localhost ~]# yum install bind -y
    Loaded plugins: fastestmirror, langpacks
    base                                | 3.6 kB  00:00:00
    extras                              | 3.4 kB  00:00:00
    updates                             | 3.4 kB  00:00:00
    (1/4): base/7/x86_64/group_gz       | 166 kB  00:00:00
    (2/4): extras/7/x86_64/primary_db   | 215 kB  00:00:00
    ...//Omit some content...
    Installed:
      bind.x86_64 32:9.9.4-74.el7_6.2
    Dependency Updated:
      bind-libs.x86_64 32:9.9.4-74.el7_6.2          bind-libs-lite.x86_64 32:9.9.4-74.el7_6.2
      bind-license.noarch 32:9.9.4-74.el7_6.2       bind-utils.x86_64 32:9.9.4-74.el7_6.2
    Complete!
2. Check where the configuration files are stored so they can be edited

    [root@localhost named]# rpm -qc bind
    /etc/logrotate.d/named
    /etc/named.conf                //Main configuration file
    /etc/named.iscdlv.key
    /etc/named.rfc1912.zones       //Zone configuration file
    /etc/named.root.key
    /etc/rndc.conf
    /etc/rndc.key
    /etc/sysconfig/named
    /var/named/named.ca
    /var/named/named.empty
    /var/named/named.localhost     //Zone data file template
    /var/named/named.loopback
3. Edit the main configuration file (here we mainly change the listening address and the query permission)

    [root@localhost named]# vim /etc/named.conf
    ...//Omit some content...
    // See the BIND Administrator's Reference Manual (ARM) for details about the
    // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    options {
            listen-on port 53 { 192.168.144.133; };    //Change the address to this host's own address
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            recursing-file  "/var/named/data/named.recursing";
            secroots-file   "/var/named/data/named.secroots";
            allow-query     { any; };    //Open the query permission so any host can use this DNS service
            /*
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
            ...//Omit some content...
            pid-file "/run/named/named.pid";    //Do not change where the process file is stored
            session-keyfile "/run/named/session.key";
    };
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    zone "." IN {    //Root server hints, do not change
            type hint;
            file "named.ca";
    };
    include "/etc/named.rfc1912.zones";    //Do not change: includes the zone configuration file
    include "/etc/named.root.key";

Heed the comment BIND itself prints here. The stock CentOS named.conf also contains recursion yes; (in the part omitted above), and when allow-recursion is not set BIND falls back to allow-query to decide who may recurse. With allow-query { any; }; this host therefore becomes an open recursive resolver for anyone who can reach it, which is what DNS amplification attacks abuse. An authoritative server like this one should set recursion no;, or at least restrict recursion to the local network with allow-recursion { 192.168.144.0/24; };.
4. Add the zone to the zone configuration file that the main configuration file includes

    [root@localhost named]# vim /etc/named.rfc1912.zones
    // named.rfc1912.zones:
    //
    // Provided by Red Hat caching-nameserver package
    //
    // ISC BIND named zone configuration for zones recommended by
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    zone "localhost.localdomain" IN {
            type master;                //Template for a forward zone
            file "named.localhost";
            allow-update { none; };
    };
    zone "localhost" IN {               //Forward zone template
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;                //Template for an IPv6 reverse zone
            file "named.loopback";
            allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {  //Reverse zone template
            type master;
            file "named.loopback";      //Template for a reverse zone file
            allow-update { none; };
    };

Copy the "localhost" block, change the zone name to our domain and point it at a new zone data file:

    ...//Omit some content...
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "localhost" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "kgc.com" IN {                 //Copied from the template, zone name changed
            type master;
            file "kgc.com.zone";        //Zone data file name changed
            allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
            type master;
    ...//Omit some content...
5. Create the zone data file named in the zone configuration so that named can load it

    [root@localhost named]# cd /var/named/                     //Enter the zone data file directory
    [root@localhost named]# ls                                 //View the directory contents
    data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@localhost named]# cp -p named.localhost kgc.com.zone //Copy the template; -p preserves owner, mode and timestamps so named (running as user named) can still read the file
    [root@localhost named]# ls                                 //Confirm kgc.com.zone was created
    data  dynamic  kgc.com.zone  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@localhost named]# vim kgc.com.zone                   //Edit the zone data file
    $TTL 1D
    @       IN SOA  kgc.com. admin.kgc.com. (    //Change the zone name and administrator mailbox; both end with a trailing "."
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      kgc.com.                     //Name server record
            A       192.168.144.133              //Address of the zone apex (kgc.com), which is also the name server
            IN MX 10 mail.kgc.com.               //Mail exchange record
    www     IN A    192.168.100.99               //Address for www.kgc.com
    ftp     IN A    192.168.100.88               //Address for ftp.kgc.com
    smtp    IN CNAME www                         //Alias record: smtp.kgc.com -> www.kgc.com
    *       IN A    8.8.8.8                      //Wildcard record: any other name under kgc.com resolves to this address
    :wq                                          //Save and exit

Be careful with the wildcard: mail.kgc.com, the MX target, has no A record of its own, so it silently resolves to 8.8.8.8 through the wildcard, and so does every mistyped host name. A wildcard hides missing and misspelled records; give the MX target its own A record and leave the wildcard out unless you actually want that behaviour.
6. Stop the firewall and put SELinux into permissive mode so that clients can reach the server (a lab shortcut), then start the DNS service

    [root@localhost named]# systemctl stop firewalld.service    //Stop the firewall
    [root@localhost named]# setenforce 0                        //Put SELinux into permissive mode
    [root@localhost named]# systemctl start named               //Start the DNS service
    [root@localhost named]# systemctl status named              //Check the service
    ● named.service - Berkeley Internet Name Domain (DNS)       //DNS started normally
       Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
       Active: active (running) since Thu 2019-09-05 17:36:31 CST; 11s ago
      Process: 7425 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
      Process: 7422 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
     Main PID: 7427 (named)
       CGroup: /system.slice/named.service
               └─7427 /usr/sbin/named -u named -c /etc/named.conf
    Sep 05 17:36:31 localhost.localdomain named[7427]: managed-keys-zone: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone 0.in-addr.arpa/IN: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone kgc.com/IN: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone localhost.localdomain/IN: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...ial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: zone localhost/IN: loaded serial 0
    Sep 05 17:36:31 localhost.localdomain named[7427]: all zones loaded
    Sep 05 17:36:31 localhost.localdomain named[7427]: running
    Sep 05 17:36:31 localhost.localdomain systemd[1]: Started Berkeley Internet Name Domain (DNS).
    Hint: Some lines were ellipsized, use -l to show in full.

Do not carry the firewall and SELinux shortcut into production. Open only the DNS service instead (firewall-cmd --permanent --add-service=dns followed by firewall-cmd --reload; the service covers 53/udp and 53/tcp, and TCP is needed for zone transfers and large answers) and leave SELinux enforcing: files created inside /var/named get the named_zone_t label from the directory's file-context rules, so copying the template in place works; only a file moved in from elsewhere with mv keeps its old label and needs restorecon -v. Note also the ExecStartPre line in the status output: the unit runs named-checkconf -z before every start, so run the same command by hand after each edit and fix what it reports before restarting.

Point this host's resolver at the new server:

    [root@localhost named]# echo "nameserver 192.168.144.133" > /etc/resolv.conf    //Overwrite the resolver file so this host uses our own DNS server
    [root@localhost named]# cat /etc/resolv.conf
    nameserver 192.168.144.133    //The original entries were overwritten

On CentOS 7 NetworkManager regenerates /etc/resolv.conf from the interface's DNS settings, so this change may not survive a network restart; set the DNS server on the connection if it has to persist.
7. Use the host command to check that DNS resolution works

    [root@localhost named]# host www.kgc.com      //Resolve the domain name www.kgc.com
    www.kgc.com has address 192.168.100.99        //IP address resolved successfully
    [root@localhost named]# host ftp.kgc.com      //Resolve the domain name ftp.kgc.com
    ftp.kgc.com has address 192.168.100.88        //IP address resolved successfully
    [root@localhost named]# host aaa.kgc.com      //Wildcard resolution
    aaa.kgc.com has address 8.8.8.8               //IP address resolved successfully
    [root@localhost named]# host smtp.kgc.com     //Alias resolution
    smtp.kgc.com is an alias for www.kgc.com.
    www.kgc.com has address 192.168.100.99        //IP address resolved successfully
Reverse Resolution Configuration
1. Continuing from the configuration above, open the zone configuration file and copy the reverse zone template

    [root@localhost named]# vim /etc/named.rfc1912.zones
    ...//Omit some content...
    zone "kgc.com" IN {
            type master;
            file "kgc.com.zone";
            allow-update { none; };
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
            type master;
            file "named.loopback";      //Copy this template
            allow-update { none; };
    };
    zone "100.168.192.in-addr.arpa" IN {    //Zone name: the network part of the address (192.168.100) written in reverse, followed by in-addr.arpa
            type master;
            file "yun.com.local";       //Zone data file name changed
            allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
            type master;
            file "named.empty";
    ...//Omit some content...
2. Enter the zone data file directory and create the zone data file with the name given in the zone configuration, then edit it

    [root@localhost named]# cd /var/named/                     //Enter the directory
    [root@localhost named]# ls                                 //View it
    data  dynamic  kgc.com.zone  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@localhost named]# cp -p kgc.com.zone yun.com.local   //Copy the forward zone file as a template, preserving owner and mode
    [root@localhost named]# vim yun.com.local                  //Edit the zone data
    $TTL 1D
    @       IN SOA  yun.com. admin.yun.com. (    //Change kgc to yun here
                                            0       ; serial
                                            1D      ; refresh
                                            1H      ; retry
                                            1W      ; expire
                                            3H )    ; minimum
            NS      yun.com.                     //Change kgc to yun here
            A       192.168.144.133
    99      IN PTR  www.yun.com.                 //Reverse resolution entry: host part of the IP address, then the FQDN with a trailing "."
    88      IN PTR  ftp.yun.com.                 //Reverse resolution entry
    ...//Omit some content...

Two things to check in a reverse zone built this way. First, delete the forward records copied from the template (www, ftp, smtp and the wildcard); they do not belong in an in-addr.arpa zone, and the apex A record inherited here is harmless but useless. Second, keep the two zones consistent: the tutorial names the PTR targets www.yun.com and ftp.yun.com while the forward zone is kgc.com, so a reverse lookup of 192.168.100.99 returns a name that does not resolve back to that address. Every PTR target should have a matching A record (here www.kgc.com. and ftp.kgc.com.), which is what forward-confirmed reverse DNS checks on mail and SSH servers expect.
3. Restart the DNS service and check that reverse resolution works

    [root@localhost named]# systemctl restart named    //Restart the service
    [root@localhost named]# host 192.168.100.99        //Resolve the IP address
    99.100.168.192.in-addr.arpa domain name pointer www.yun.com.    //Domain name resolved successfully
    [root@localhost named]# host 192.168.100.88        //Resolve the IP address
    88.100.168.192.in-addr.arpa domain name pointer ftp.yun.com.    //Domain name resolved successfully
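The record types listed earlier and the hand-written reverse zone above can both be exercised with a small generator: parse the forward zone file, take its A records, and emit the in-addr.arpa zone with PTR records and a bumped serial. This is an added example written for this page, not code from the tutorial or from BIND; it assumes the zone layout used in kgc.com.zone (class IN, relative owner names, no per-record TTL fields, a parenthesised SOA) and a /24 reverse zone, and the FORWARD_ZONE text is a constructed copy of the file from step 5.

```python
"""Build the in-addr.arpa (PTR) zone for a /24 from a BIND forward zone file.
Added example for this tutorial, not code from the page or from BIND. Assumes the
forward zone looks like kgc.com.zone above (class IN, relative owners, no TTL fields).
"""
import ipaddress

# Constructed sample input: the forward zone file written in step 5 of the tutorial.
FORWARD_ZONE = """\
$TTL 1D
@       IN SOA  kgc.com. admin.kgc.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      kgc.com.
        A       192.168.144.133
        IN MX 10 mail.kgc.com.
www     IN A    192.168.100.99
ftp     IN A    192.168.100.88
smtp    IN CNAME www
*       IN A    8.8.8.8
"""


def _logical_lines(text):
    """Drop ';' comments and blank lines; join records continued inside '(' ... ')'."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")
    return out


def parse_zone(text, origin):
    """Return (soa_serial, [(fqdn, rtype, rdata_tokens), ...]); '@' is the origin."""
    origin = origin.rstrip(".") + "."
    owner, serial, records = "@", None, []
    for line in _logical_lines(text):
        if line.startswith("$"):                # $TTL / $ORIGIN directives are not needed here
            continue
        tokens = line.replace("(", " ").replace(")", " ").split()
        if not line[0].isspace():               # an owner in column 1 sticks to following records
            owner = tokens.pop(0)
        if tokens and tokens[0] == "IN":        # the class field is optional
            tokens.pop(0)
        rtype, rdata = tokens[0], tokens[1:]
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if rtype == "SOA":                      # mname rname serial refresh retry expire minimum
            serial = int(rdata[2])
        records.append((fqdn, rtype, rdata))
    if serial is None:
        raise ValueError("zone has no SOA record")
    return serial, records


def bump_serial(serial):
    """Next serial: a slave only re-transfers the zone when the serial has grown."""
    if not 0 <= serial < 2**32 - 1:             # RFC 1982 wraparound is not handled here
        raise ValueError("serial must fit in 32 bits")
    return serial + 1


def reverse_origin(network):
    """192.168.100.0/24 -> 100.168.192.in-addr.arpa. (the name used in named.rfc1912.zones)."""
    a, b, c, _ = str(ipaddress.ip_network(network).network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def ptr_records(records, network):
    """(host_octet, fqdn) pairs for A records inside `network`; wildcards never get a PTR."""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this example only handles IPv4 /24 reverse zones")
    pairs = []
    for fqdn, rtype, rdata in records:
        if rtype == "A" and not fqdn.startswith("*."):
            addr = ipaddress.ip_address(rdata[0])
            if addr in net:                     # the apex A (192.168.144.133) is outside and skipped
                pairs.append((int(addr) & 0xFF, fqdn))
    return sorted(pairs)


def render_reverse_zone(forward_text, origin, network, old_serial=0):
    """Zone file text for the reverse zone, reusing the forward zone's SOA names and NS."""
    _, records = parse_zone(forward_text, origin)
    soa = next(r[2] for r in records if r[1] == "SOA")
    ns = next(r[2][0] for r in records if r[1] == "NS")
    lines = ["$TTL 1D", f"@\tIN SOA\t{soa[0]} {soa[1]} (",
             f"\t\t{bump_serial(old_serial)}\t; serial",
             "\t\t1D\t; refresh", "\t\t1H\t; retry", "\t\t1W\t; expire",
             "\t\t3H )\t; minimum", f"\tIN NS\t{ns}"]
    lines += [f"{octet}\tIN PTR\t{fqdn}" for octet, fqdn in ptr_records(records, network)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(f"; zone {reverse_origin('192.168.100.0/24')}")
    print(render_reverse_zone(FORWARD_ZONE, "kgc.com", "192.168.100.0/24"))
```

Generating the reverse zone from the forward data is what keeps the two from drifting apart (the PTR targets come out as www.kgc.com. and ftp.kgc.com., matching the A records), the apex address outside the /24 and the wildcard are left out automatically, and the serial is bumped so a slave will pick the new file up.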
Configure a slave domain name server
1. The master server is now in place. Bring up a second CentOS 7 system to act as the DNS slave, note its IP address, and (as a lab shortcut, with the same caveats as on the master) stop the firewall and put SELinux into permissive mode so that it can reach the master.

    [root@localhost ~]# ifconfig                  //View the network interface information
    ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 192.168.144.135  netmask 255.255.255.0  broadcast 192.168.144.255
            inet6 fe80::a85a:c203:e2e:3f3c  prefixlen 64  scopeid 0x20<link>
            inet6 fe80::ad78:663f:1f02:22e4  prefixlen 64  scopeid 0x20<link>
            ether 00:0c:29:75:9f:c8  txqueuelen 1000  (Ethernet)
            RX packets 1049  bytes 1282518 (1.2 MiB)
            RX errors 0  dropped 0  overruns 0  frame 0
    ...//Omit some content...
    [root@localhost ~]# systemctl stop firewalld.service    //Stop the firewall
    [root@localhost ~]# setenforce 0                        //Put SELinux into permissive mode
2. Install BIND on the slave server and edit its configuration files

    [root@localhost ~]# yum install bind -y       //Install the BIND DNS software
    Loaded plugins: fastestmirror, langpacks
    base                                | 3.6 kB  00:00:00
    extras                              | 3.4 kB  00:00:00
    updates                             | 3.4 kB  00:00:00
    (1/4): base/7/x86_64/group_gz       | 166 kB  00:00:00
    (2/4): extras/7/x86_64/primary_db   | 215 kB  00:00:00
    ...//Omit some content...
    [root@localhost ~]# vim /etc/named.conf       //Edit the main configuration file
    //
    // named.conf
    //
    // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
    // server as a caching only nameserver (as a localhost DNS resolver only).
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    // See the BIND Administrator's Reference Manual (ARM) for details about the
    // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    options {
            listen-on port 53 { 192.168.144.135; };    //Change the listening address to this host's own address
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            recursing-file  "/var/named/data/named.recursing";
            secroots-file   "/var/named/data/named.secroots";
            allow-query     { any; };    //Open the query permission so any host can use this DNS service
            /*
             - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
             - If you are building a RECURSIVE (caching) DNS server, you need to enable
               recursion.
    ...//Omit some content...
    [root@localhost ~]# vim /etc/named.rfc1912.zones    //Edit the zone configuration file
    // RFC 1912 section 4.1 : localhost TLDs and address zones
    // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
    // (c)2007 R W Franks
    //
    // See /usr/share/doc/bind*/sample/ for example named configuration files.
    //
    zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "localhost" IN {
            type master;
            file "named.localhost";     //Copy this template
            allow-update { none; };
    };
    zone "kgc.com" IN {                 //Pasted copy, zone name changed to match the master
            type slave;                 //Set the type to slave
            file "slaves/kgc.com.zone"; //The transferred zone is written to the slaves directory, which named can write to
            masters { 192.168.144.133; };    //Replace the allow-update line with the address of the master server
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    ...//Omit some content...
    [root@localhost ~]# cd /var/named             //Enter the zone data file directory
    [root@localhost named]# ls                    //Check that the slaves directory exists
    data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@localhost named]# ls slaves/            //Look inside it
    [root@localhost named]#                       //Nothing yet

The same open-resolver warning applies to the slave: allow-query { any; }; together with the default recursion yes; makes it recursive for everyone, so set recursion no; here as well.
3. Back on the master server, allow the slave to transfer the zone, then restart the DNS service

    [root@localhost named]# vim /etc/named.rfc1912.zones    //Edit the master's zone configuration file
    //
    zone "localhost.localdomain" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "localhost" IN {
            type master;
            file "named.localhost";
            allow-update { none; };
    };
    zone "kgc.com" IN {
            type master;
            file "kgc.com.zone";
            allow-transfer { 192.168.144.135; };    //Only the slave server's address may transfer the zone
    };
    zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
            type master;
            file "named.loopback";
            allow-update { none; };
    };
    zone "1.0.0.127.in-addr.arpa" IN {
            type master;
    ...//Omit some content...
    [root@localhost named]# systemctl restart named    //Restart the DNS service

allow-transfer is not only what makes the slave work; it is also a security control. Without it BIND answers AXFR requests from any host, so anyone could dump the whole zone (every host name and address in kgc.com) with dig @192.168.144.133 kgc.com axfr. Restricting transfers to the slave's address is the minimum; for transfers across untrusted networks, sign them with a TSIG key so that a source address alone is not the credential. Remember as well that after every later change to kgc.com.zone the serial in the SOA must be increased, otherwise the slave keeps serving its old copy until the expire time passes.
4. Back on the slave server, start the DNS service, check that the transferred zone data file has appeared in the slaves directory, and point the resolver file at the slave in the same way as on the master

    [root@localhost named]# systemctl restart named    //Start the DNS service
    [root@localhost named]# ls slaves/
    kgc.com.zone                                       //The zone transferred from the master
    [root@localhost named]# echo "nameserver 192.168.144.135" > /etc/resolv.conf
    [root@localhost named]# cat /etc/resolv.conf
    nameserver 192.168.144.135

If slaves/kgc.com.zone does not appear, check journalctl -u named on both hosts: the slave logs the transfer attempt and the master logs whether it was refused by allow-transfer.
5. Resolve the names from the slave server; identical results mean the master/slave setup works

    [root@localhost named]# host www.kgc.com      //Resolve the domain name www.kgc.com
    www.kgc.com has address 192.168.100.99        //Same address as on the master server
    [root@localhost named]# host ftp.kgc.com      //Resolve the domain name ftp.kgc.com
    ftp.kgc.com has address 192.168.100.88        //Same address as on the master server
    [root@localhost named]# host aaa.kgc.com      //Wildcard resolution
    aaa.kgc.com has address 8.8.8.8               //Same address as on the master server
    [root@localhost named]# host smtp.kgc.com     //Alias resolution
    smtp.kgc.com is an alias for www.kgc.com.
    www.kgc.com has address 192.168.100.99        //Same address as on the master server
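The two settings this tutorial touches that matter most for exposure are the query/recursion permission in /etc/named.conf (step 3 of the forward configuration) and allow-transfer on the master zone (step 3 of the slave configuration). The following audit script, an added example written for this page and not code from the tutorial or from ISC BIND, parses the subset of named.conf syntax used above and reports a master configured as written versus the hardened version. It encodes BIND's documented defaults: allow-query defaults to any; allow-recursion falls back to allow-query-cache, then allow-query, then localnets/localhost; and a master zone without allow-transfer accepts AXFR from any host. The two MASTER_* configuration texts are constructed samples.

```python
"""Audit a named.conf fragment for the exposures the tutorial's master config leaves open.
Added example, not code from the page or from ISC BIND; it parses only the subset of
named.conf syntax used in the tutorial and applies BIND's documented ACL defaults.
"""
import re

TOKEN = re.compile(r'"[^"]*"|\{|\}|;|[^\s{};"]+')

# Constructed sample: the master as configured in the tutorial (recursion yes; sits in
# the part of the stock /etc/named.conf that the tutorial omits).
MASTER_AS_WRITTEN = """
options {
        allow-query { any; };
        recursion yes;
};
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-update { none; };
};
"""

# Constructed sample: the same master with recursion off and transfers limited to the slave.
MASTER_HARDENED = """
options {
        allow-query { any; };
        recursion no;
};
zone "kgc.com" IN {
        type master;
        file "kgc.com.zone";
        allow-transfer { 192.168.144.135; };
        allow-update { none; };
};
"""


def parse_conf(text):
    """Parse into nested [(keyword, [args], body)] lists; body is None for simple statements."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)           # strip /* */ comments
    tokens = TOKEN.findall(re.sub(r"(//|#)[^\n]*", " ", text))   # strip // and # comments
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, body = [], None
            while pos < len(tokens) and tokens[pos] not in (";", "{"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                body = block()
                if pos >= len(tokens) or tokens[pos] != "}":
                    raise ValueError("unbalanced braces")
                pos += 1
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words:
                stmts.append((words[0], words[1:], body))
        return stmts

    return block()


def _acl(stmts, keyword):
    """Address-match list of `keyword` (e.g. allow-query), or None if it is not set."""
    for kw, _, body in stmts:
        if kw == keyword and body is not None:
            return [entry[0] for entry in body]
    return None


def _value(stmts, keyword, default):
    return next((args[0] for kw, args, _ in stmts if kw == keyword and args), default)


def audit(text):
    """Return finding codes for the configuration text (an empty list means clean)."""
    conf = parse_conf(text)
    options = next((body for kw, _, body in conf if kw == "options"), None) or []
    findings = []
    # Open resolver: recursion on (BIND's default) and the effective recursion ACL is "any".
    # BIND derives that ACL as allow-recursion -> allow-query-cache -> allow-query -> localnets/localhost.
    recursion_acl = (_acl(options, "allow-recursion") or _acl(options, "allow-query-cache")
                     or _acl(options, "allow-query") or ["localnets", "localhost"])
    if _value(options, "recursion", "yes") != "no" and "any" in recursion_acl:
        findings.append("open-resolver")
    for kw, args, body in conf:
        if kw != "zone" or body is None:
            continue
        name = args[0]
        if _value(body, "type", "") == "master":
            # No allow-transfer anywhere means any host may AXFR the zone and enumerate it.
            transfer = _acl(body, "allow-transfer") or _acl(options, "allow-transfer")
            if transfer is None or "any" in transfer:
                findings.append(f"zone-transfer-unrestricted:{name}")
        update = _acl(body, "allow-update")
        if update and update != ["none"]:            # unauthenticated dynamic updates
            findings.append(f"dynamic-update-enabled:{name}")
    return findings


if __name__ == "__main__":
    for label, conf in (("as written", MASTER_AS_WRITTEN), ("hardened", MASTER_HARDENED)):
        print(label, "->", audit(conf) or "no findings")
```

Run against the configuration as written it reports open-resolver and zone-transfer-unrestricted:kgc.com; the hardened variant reports nothing. The parser is deliberately small (no include handling, no view or acl statements), so treat a clean result as "nothing found in this fragment" rather than as a full review of a production named.conf.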