Devices on today's TCP/IP networks communicate using IP addresses. Numeric IP addresses, however, are hard to remember; with many devices on a network, memorising every device's IP address is practically impossible. The solution is to give each network device a friendly name such as www.baidu.com: a name made of words is obviously easier to remember. A computer does not understand such names by itself, so a name resolution service is used to translate (resolve) the name into an IP address, after which we can reach devices on the network directly by name. Name resolution has a second important function: it decouples a host from its IP address. When a host's IP changes, only the name service needs updating, and users keep using the original name without being affected. There are several ways to implement this service, described below.

Local name resolution configuration file: hosts
    Linux: /etc/hosts
    Windows: %WINDIR%/system32/drivers/etc/hosts
# format
183.2.172.177 www.baidu.com.
31.13.88.26 www.google.com.
DNS (Domain Name System): an application-layer protocol and one of the Internet's core services. It is a distributed database that maps domain names to IP addresses and back, making the Internet easier to use. It follows the client/server model; the server side listens on 53/udp and 53/tcp.
BIND (Berkeley Internet Name Domain): the DNS implementation provided by ISC (www.isc.org).

DNS domain name structure
Root domain: there are only 13 root servers worldwide: 10 in the United States, 1 in the Netherlands, 1 in Sweden and 1 in Japan.
Top-level domains (Top Level Domain, TLD), of three kinds: organisational domains (com, edu, mil, gov, net, org, int), country-code domains (.cn, .ca, .hk, .tw) and the reverse-lookup domain (arpa).
Second-level domain: baidu.com
Third-level domain: pic.baidu.com
A name can have up to 127 levels.
ICANN (The Internet Corporation for Assigned Names and Numbers): the organisation responsible, on a global scale, for the Internet's
Root server security
In April 2004 the .ly top-level domain went down, and Libya disappeared from the Internet for 3 days.
The "Snowman" project (Yeti DNS)
Built to be fully compatible with the existing IPv4 root server architecture, the "Snowman" project set up 25 IPv6 root servers in 2016 across 16 countries including the United States, Japan, India, Russia, Germany and France; 1 primary root and 3 secondary roots were deployed in China. In effect this created a new landscape of the original 13 roots plus 25 IPv6 roots.
Recursive query: the query between a client and its local DNS server is normally recursive. After the client sends a request, a DNS server that cannot answer by itself queries other DNS servers, obtains the final positive or negative result and hands it back to the client. The source and target of the query stay the same, and the client needs to send only one query to get a result.
Iterative query: queries from the local DNS server to other DNS servers are normally (with exceptions) iterative. If the server asked cannot return an authoritative result, the querier asks the next DNS server (the one referred to in the previous server's answer), and so on until a result is returned. The source stays the same but the target keeps changing, so several queries are usually needed to get a result.
Name Server: the DNS server responsible for resolving names within its own domain.
IPv4 root name servers: 13 worldwide serve the root domain: 10 in the United States, 1 in the Netherlands, 1 in Sweden and 1 in Japan.
IPv6 root name servers: 25 worldwide; China hosts 1 primary and 3 secondaries, the United States 1 primary and 2 secondaries.
FQDN --> IP: forward resolution
IP --> FQDN: reverse resolution
Note: forward and reverse resolution are two different name spaces, i.e. two separate resolution trees.

Resolution order:
Client --> hosts file --> client DNS service local cache --> DNS server (recursion) --> DNS server cache --> DNS iteration --> root --> TLD DNS --> second-level domain DNS ...
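The chain above, as an added Python model (not part of the original notes and not BIND's code): a client checks the hosts file, then asks a recursive resolver, which walks iteratively from the root following referrals and glue, caches the answer for its TTL, and reports whether an answer was local, cached, authoritative or negative. Every server, address, name and TTL in it is constructed for the example.

```python
"""Toy model of the lookup chain: hosts file -> client cache ->
recursive resolver -> iterative walk from the root. Added example, not
BIND's logic; every server, address and TTL here is constructed."""
import time
from collections import namedtuple

Record = namedtuple("Record", "name rtype value ttl")

# Constructed authoritative data, keyed by server IP. An NS record for a
# child zone is a referral ("ask these servers instead"); the A record of
# that name server beside it is the glue that makes the referral usable.
SERVERS = {
    "198.41.0.4": [                                   # stands in for a root server
        Record("com.", "NS", "a.gtld-servers.net.", 172800),
        Record("a.gtld-servers.net.", "A", "192.5.6.30", 172800),
    ],
    "192.5.6.30": [                                   # stands in for a .com TLD server
        Record("example.com.", "NS", "ns1.example.com.", 172800),
        Record("ns1.example.com.", "A", "10.0.0.8", 172800),     # glue
    ],
    "10.0.0.8": [                                     # authoritative for example.com
        Record("www.example.com.", "A", "10.0.0.7", 300),
    ],
}
ROOT_IP = "198.41.0.4"
HOSTS = {"printer.lan.": "10.0.0.50"}                # constructed local hosts file


class Resolver:
    """The 'local DNS server' of the chain: recursive towards the client,
    iterative towards the authoritative servers, with a TTL-bounded cache."""

    def __init__(self, clock=time.time):
        self.cache = {}          # (name, rtype) -> (expiry, [Record])
        self.clock = clock
        self.queries = []        # (server_ip, name) actually sent; for inspection

    def _ask(self, server_ip, name, rtype):
        """One iterative step: answer, referral (with glue) or nxdomain."""
        self.queries.append((server_ip, name))
        data = SERVERS[server_ip]
        answer = [r for r in data if r.name == name and r.rtype == rtype]
        if answer:
            return "answer", answer
        referrals = [r for r in data if r.rtype == "NS"
                     and (name == r.name or name.endswith("." + r.name))]
        if not referrals:
            return "nxdomain", []
        best = max(referrals, key=lambda r: len(r.name))   # closest enclosing zone
        glue = [r for r in data if r.name == best.value and r.rtype == "A"]
        if glue and glue[0].value == server_ip:             # would refer to itself
            return "nxdomain", []
        return "referral", glue

    def resolve(self, name, rtype="A"):
        """Recursive service for the client: returns (source, records)."""
        now, key = self.clock(), (name, rtype)
        if key in self.cache and self.cache[key][0] > now:
            return "cached", self.cache[key][1]          # non-authoritative answer
        server = ROOT_IP
        for _ in range(16):                               # bound the referral chain
            kind, records = self._ask(server, name, rtype)
            if kind == "answer":
                self.cache[key] = (now + min(r.ttl for r in records), records)
                return "authoritative", records
            if kind == "nxdomain":
                return "nxdomain", []                     # negative answer
            if not records:
                return "servfail", []                     # referral without glue
            server = records[0].value
        return "servfail", []


def client_lookup(name, resolver):
    """Client side of the chain: hosts file first, then the recursive resolver."""
    if name in HOSTS:
        return "hosts", [Record(name, "A", HOSTS[name], 0)]
    return resolver.resolve(name)


if __name__ == "__main__":
    r = Resolver()
    for n in ("www.example.com.", "www.example.com.", "printer.lan.", "nosuch.example.com."):
        src, recs = client_lookup(n, r)
        print(n, src, [x.value for x in recs])
    print("queries sent:", r.queries)
```

The second lookup of the same name is served from the resolver's cache without any further queries; the `queries` list shows the three iterative hops (root, TLD, authoritative) that the first one needed.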
Example: Windows client DNS cache:
C:\Users\ASUS>ipconfig/displaydns | findstr www.bing.com
C:\Users\ASUS>ping www.bing.com
正在 Ping china.bing123.com [202.89.233.101] 具有 32 字节的数据:
来自 202.89.233.101 的回复: 字节=32 时间=41ms TTL=118
来自 202.89.233.101 的回复: 字节=32 时间=42ms TTL=118
来自 202.89.233.101 的回复: 字节=32 时间=41ms TTL=118
来自 202.89.233.101 的回复: 字节=32 时间=41ms TTL=118
202.89.233.101 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 41ms,最长 = 42ms,平均 = 41ms
C:\Users\ASUS>ipconfig/displaydns | findstr www.bing.com
C:\Users\ASUS>ipconfig/flushdns
Windows IP 配置
已成功刷新 DNS 解析缓存。
C:\Users\ASUS>
DNS server types
Primary (master) DNS server: manages and maintains the zone database for the domains it is responsible for.
Secondary (slave) DNS server: obtains a copy of the zone database from the primary or from another secondary ("replication", i.e. zone transfer).
Caching DNS server (forwarder).

Primary/secondary synchronisation (defined in the SOA record)
Serial number: the zone database version; it increases whenever the primary's database changes.
Refresh interval: how often the secondary asks the primary to synchronise.
Retry interval: how long the secondary waits before trying again after a failed synchronisation attempt.
Expire time: how long after losing contact with the primary the secondary stops serving the zone.
Notify mechanism: when the primary's database changes it actively notifies the secondaries.

Zone transfer types
Full transfer (AXFR): the entire zone database is transferred.
Incremental transfer (IXFR): only the part of the database that changed is transferred.
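The refresh/retry/expire rules and the serial-number comparison above, as an added Python model (not part of the original notes, not BIND code). One detail worth seeing in code: the serial must be compared with RFC 1982 wrap-around arithmetic, because a plain numeric comparison stops working when a 32-bit serial wraps. The timer values are constructed.

```python
"""Secondary-server refresh logic driven by the SOA timers (serial, refresh,
retry, expire, NOTIFY). Added example that models the rules in the notes;
it is not BIND code and its timer values are constructed."""

SERIAL_MODULUS = 2 ** 32


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: is serial a newer than serial b?
    A plain a > b is wrong once the 32-bit counter wraps around."""
    return a != b and (a - b) % SERIAL_MODULUS < SERIAL_MODULUS // 2


class Secondary:
    """State of one zone on a secondary server, in seconds of simulated time."""

    def __init__(self, serial, refresh, retry, expire, loaded_at):
        self.serial = serial
        self.refresh, self.retry, self.expire = refresh, retry, expire
        self.last_ok = loaded_at            # last successful contact with the primary
        self.next_check = loaded_at + refresh

    def poll(self, now, primary_serial):
        """Scheduled SOA check. primary_serial is None when the primary is
        unreachable. Returns the action the secondary takes."""
        if primary_serial is None:
            self.next_check = now + self.retry          # retry, not refresh
            if now - self.last_ok > self.expire:
                return "expired"                        # stop answering for the zone
            return "retry"
        self.last_ok = now
        self.next_check = now + self.refresh
        if serial_gt(primary_serial, self.serial):
            self.serial = primary_serial                # AXFR/IXFR would happen here
            return "transfer"
        return "up_to_date"

    def notify(self, now, primary_serial):
        """NOTIFY from the primary: check immediately instead of waiting."""
        return self.poll(now, primary_serial)


if __name__ == "__main__":
    # Constructed timers: refresh 2H, retry 10M, expire 1W, as seconds.
    sec = Secondary(2015042201, 7200, 600, 604800, loaded_at=0)
    print(sec.poll(7200, 2015042201))      # up_to_date
    print(sec.notify(8000, 2015042202))    # transfer
    print(sec.poll(15200, None))           # retry
    print(sec.poll(700000, None))          # expired
```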
Zone types
Forward: FQDN (Fully Qualified Domain Name) --> IP
Reverse: IP --> FQDN
Forward zone
Reverse zone

Answer types
Positive answer: a matching result exists.
Negative answer: no result can be returned, e.g. because the requested entry does not exist.
Authoritative answer: returned directly by the DNS server that holds the record (the authoritative server).
Non-authoritative answer: returned by some other, non-authoritative server.
Zone database: made up of many resource records (RR, Resource Record).
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: Start Of Authority. A zone database has exactly one SOA record, and it must be the first record in the database.
A: Internet Address; maps FQDN --> IP
AAAA: FQDN --> IPv6
PTR: PoinTeR; IP --> FQDN
NS: Name Server; identifies the DNS servers of the current zone
CNAME: Canonical Name; alias record
MX: Mail eXchanger; mail exchanger record
TXT: free-form text that labels or describes a name; generally used for verification records, e.g. SPF (anti-spam) records or HTTPS certificate validation. Example:
_dnsauth TXT 2012011200000051qgs69bwoh4h6nht4n1h0lr038x
Resource record format:
name [TTL] IN rr_type value
Note:
The TTL may be inherited from the global $TTL.
The "@" symbol refers to the current zone's name.
The same name may define several different values through multiple records; the DNS server then answers in round-robin fashion.
The same value may also be defined under several different names; this only means that the same host can be found under several names.
SOA record
name: the name of the current zone, e.g. "baidu.com."
value: consists of several parts:
    the FQDN of the zone's primary DNS server (the zone's own name may also be used);
    the e-mail address of the zone administrator, written with "." in place of "@" because "@" cannot be used here, e.g. admin.baidu.com;
    the zone-transfer parameters for primary/secondary synchronisation, followed by the TTL used for negative answers.
Example:
baidu.com. 86400 IN SOA ns.magedu. nsadmin.magedu. (
        2015042201 ; serial
        2H         ; refresh
        10M        ; retry
        1W         ; expire
        1D )       ; negative-answer TTL
NS record
name: the name of the current zone
value: the name of one of the zone's DNS servers, e.g. ns.baidu.com.
Note:
When two adjacent resource records have the same name, the name may be omitted from the later one.
For every NS record, the server name it points to should have a corresponding A record later in the zone.
A zone may have multiple NS records.
Example:
baidu.com. IN NS ns1.baidu.com.
baidu.com. IN NS ns2.baidu.com.
MX record
name: the name of the current zone
value: the host name of one of the zone's mail (SMTP) servers
Note:
A zone may have several MX records, but each value must be preceded by a number (0-99) giving the server's priority; the lower the number, the higher the priority.
For every MX record, the server name it points to should have a corresponding A record later in the zone.
Example:
baidu.com. IN MX 10 mx1.baidu.com.
           IN MX 20 mx2.baidu.com.
mx1 A 10.0.0.100
mx2 A 10.0.0.200
A record
name: a host's FQDN, e.g. www.baidu.com.
value: the IP address of the host
To avoid returning an error when users mistype a name, a wildcard record can resolve any otherwise undefined name to a chosen address.
Example:
www.baidu.com. IN A 1.1.1.1
www.baidu.com. IN A 2.2.2.2
mx1.baidu.com. IN A 3.3.3.3
mx2.baidu.com. IN A 4.4.4.4
$GENERATE 1-254 HOST$ IN A 1.2.3.$
*.baidu.com. IN A 5.5.5.5
baidu.com. IN A 6.6.6.6
# Note: if several A records share a name and one of them is the DNS server's own IP, the server's own IP is returned first.
AAAA record
name: FQDN
value: IPv6 address

PTR record
name: the IP address in a special format: the octets are written in reverse order, so 1.2.3.4 becomes 4.3.2.1, followed by the fixed suffix in-addr.arpa.; the full form is 4.3.2.1.in-addr.arpa.
value: FQDN
Note: the network part and the suffix may be omitted (they come from the zone origin); the host part must still be written in reverse.
Example:
4.3.2.1.in-addr.arpa. IN PTR www.baidu.com.
# if 1.2.3 is the network address, this can be abbreviated to:
4 IN PTR www.baidu.com.

CNAME record
name: the alias FQDN
value: the FQDN of the real (canonical) name
Example:
www.baidu.com. IN CNAME websrv.baidu.com.
Subdomain delegation
Each domain's name servers are delegated by the parent domain's name servers through records in the parent's zone database, just as the root delegates the TLDs.
Glue record: the records with which a parent zone delegates a child zone (the child's NS records together with the A records of those name servers).
Example:
com. IN NS ns1.com.
com. IN NS ns2.com.
ns1.com. IN A 2.2.2.1
ns2.com. IN A 2.2.2.2
# baidu.com. is delegated by adding these resource records to the zone database on the .com name servers:
baidu.com. IN NS ns1.baidu.com.
baidu.com. IN NS ns2.baidu.com.
baidu.com. IN NS ns3.baidu.com.
ns1.baidu.com. IN A 3.3.3.1
ns2.baidu.com. IN A 3.3.3.2
ns3.baidu.com. IN A 3.3.3.3
Example: querying domain registration information with whois
[root@iZwz910xmy5i9jpu5g3vrwZ ~]# whois baidu.com
Domain Name: BAIDU.COM
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://markmonitor.com
Updated Date: 2025-04-08T00:48:16Z
Creation Date: 1999-10-11T11:05:17Z
Registry Expiry Date: 2028-10-11T11:05:17Z
Registrar: MarkMonitor Information Technology (Shanghai) Co., Ltd.
Registrar IANA ID: 3838
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2083895740
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
Name Server: NS1.BAIDU.COM
Name Server: NS2.BAIDU.COM
Name Server: NS3.BAIDU.COM
Name Server: NS4.BAIDU.COM
Name Server: NS7.BAIDU.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2025-08-18T03:47:01Z <<<
For more information on Whois status codes, please visit https://icann.org/epp
NOTICE: The expiration date displayed in this record is the date the
registrar's sponsorship of the domain name registration in the registry is
currently set to expire. This date does not necessarily reflect the expiration
date of the domain name registrant's agreement with the sponsoring
registrar. Users may consult the sponsoring registrar's Whois database to
view the registrar's reported date of expiration for this registration.
TERMS OF USE: You are not authorized to access or query our Whois
database through the use of electronic processes that are high-volume and
automated except as reasonably necessary to register domain names or
modify existing registrations; the Data in VeriSign Global Registry
Services' ("VeriSign") Whois database is provided by VeriSign for
information purposes only, and to assist persons in obtaining information
about or related to a domain name registration record. VeriSign does not
guarantee its accuracy. By submitting a Whois query, you agree to abide
by the following terms of use: You agree that you may use this Data only
for lawful purposes and that under no circumstances will you use this Data
to: (1) allow, enable, or otherwise support the transmission of mass
unsolicited, commercial advertising or solicitations via e-mail, telephone,
or facsimile; or (2) enable high volume, automated, electronic processes
that apply to VeriSign (or its computer systems). The compilation,
repackaging, dissemination or other use of this Data is expressly
prohibited without the prior written consent of VeriSign. You agree not to
use electronic processes that are automated and high-volume to access or
query the Whois database except as reasonably necessary to register
domain names or modify existing registrations. VeriSign reserves the right
to restrict your access to the Whois database in its sole discretion to ensure
operational stability. VeriSign may restrict or terminate your access to the
Whois database for failure to abide by these terms of use. VeriSign
reserves the right to modify these terms at any time.
The Registry database contains ONLY .COM, .NET, .EDU domains and
Registrars.
Domain Name: baidu.com
Registry Domain ID: 11181110_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2025-04-08T01:08:58+0000
Creation Date: 1999-10-11T11:05:17+0000
Registrar Registration Expiration Date: 2028-10-11T11:05:17+0000
Registrar: MarkMonitor Information Technology (Shanghai) Co., Ltd.
Registrar IANA ID: 3838
Registrar Abuse Contact Email: abusecomplaints@markmonitor.com
Registrar Abuse Contact Phone: +1.2086851750
Domain Status: clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)
Domain Status: clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)
Domain Status: clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)
Domain Status: serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)
Domain Status: serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)
Domain Status: serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)
Registrant Organization: 北京百度网讯科技有限公司
Registrant Country: CN
Registrant Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Tech Email: Select Request Email Form at https://domains.markmonitor.com/whois/baidu.com
Name Server: ns4.baidu.com
Name Server: ns7.baidu.com
Name Server: ns2.baidu.com
Name Server: ns3.baidu.com
Name Server: ns1.baidu.com
DNSSEC: unsigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
>>> Last update of WHOIS database: 2025-08-18T03:47:17+0000 <<<
For more information on WHOIS status codes, please visit:
https://www.icann.org/resources/pages/epp-status-codes
If you wish to contact this domain’s Registrant or Technical
contact, and such email address is not visible above, you may do so via our web
form, pursuant to ICANN’s Temporary Specification. To verify that you are not a
robot, please enter your email address to receive a link to a page that
facilitates email communication with the relevant contact(s).
Web-based WHOIS:
https://domains.markmonitor.com/whois/contact/baidu.com
If you have a legitimate interest in viewing the non-public WHOIS details, send
your request and the reasons for your request to whoisrequest@markmonitor.com
and specify the domain name in the subject line. We will review that request and
may ask for supporting documentation and explanation.
The data in MarkMonitor’s WHOIS database is provided for information purposes,
and to assist persons in obtaining information about or related to a domain
name’s registration record. While MarkMonitor believes the data to be accurate,
the data is provided "as is" with no guarantee or warranties regarding its
accuracy.
By submitting a WHOIS query, you agree that you will use this data only for
lawful purposes and that, under no circumstances will you use this data to:
(1) allow, enable, or otherwise support the transmission by email, telephone,
or facsimile of mass, unsolicited, commercial advertising, or spam; or
(2) enable high volume, automated, or electronic processes that send queries,
data, or email to MarkMonitor (or its systems) or the domain name contacts (or
its systems).
MarkMonitor reserves the right to modify these terms at any time.
By submitting this query, you agree to abide by this policy.
MarkMonitor Domain Management(TM)
Protecting companies and consumers in a digital world.
Visit MarkMonitor at https://www.markmonitor.com
Contact us at +1.8007459229
In Europe, at +44.02032062220
Domain information can also be looked up on a website, e.g.:
https://www.toolnb.com/domaininfo/wangxiaochun.com.html
DNS server software: bind, powerdns, dnsmasq, unbound, coredns

Installing BIND
yum list all 'bind*'
bind: the server
bind-libs: shared libraries
bind-utils: client tools
bind-chroot: hardening package that confines the DNS files under /var/named/chroot/
yum -y install bind bind-utils

DNS client library (libresolv) used by ordinary programs:
ldd $(which ping) | grep libresolv.so
ldd $(which curl) | grep libresolv.so

BIND-related files
Main program: /usr/sbin/named
Service script and unit name: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
Management tool: /usr/sbin/rndc (remote name domain controller); installed on the same host as bind by default and only able to connect to the named process via 127.0.0.1; provides auxiliary management functions; listens on 953/tcp
Zone database files: /var/named/ZONE_NAME.ZONE
Note:
(1) One physical server can serve multiple zones at the same time.
(2) A root zone file is required: named.ca
(3) There should be two zone files (more if IPv6 is included) that resolve localhost and the loopback address.

Structure of the main configuration file
Global configuration: options {};
Logging subsystem configuration: logging {};
Zone definitions: every zone the host is to serve must be defined:
zone "ZONE_NAME" IN {};
Note:
Any service that is expected to be reachable from other hosts over the network must listen on at least one IP address that can communicate with external hosts.
Configuring a caching name server: listening on an external address is enough.
dnssec: it is recommended to turn dnssec off, i.e. set it to no.
Defining a zone in the main configuration file
vim /etc/named.conf
# comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
zone "ZONE_NAME" IN {
    type {master|slave|hint|forward};
    file "ZONE_NAME.zone";
};
Defining the zone database file
Contents:
    macro definitions ($TTL, $ORIGIN)
    resource records
Example: zone database
$TTL 86400
$ORIGIN baidu.com.
@ IN SOA ns1.baidu.com. admin.baidu.com. (
        2015042201
        1H
        5M
        7D
        1D )
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 172.16.100.11
ns2 IN A 172.16.100.12
mx1 IN A 172.16.100.13
mx2 IN A 172.16.100.14
websrv IN A 172.16.100.11
websrv IN A 172.16.100.12
www IN CNAME websrv
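The resource-record format, the SOA/NS/MX notes and the zone database example above, as one added Python example (not part of the original notes and not BIND's parser): a small parser for this zone-file syntax ($TTL, $ORIGIN, "@", relative names, owner inherited from the previous record, the parenthesised SOA, BIND time units such as 2H and 1W), followed by the two checks the notes state, namely that the zone starts with exactly one SOA and that every NS or MX target inside the zone has its own A record. The sample zone is constructed in the same layout as the example above, with one MX target deliberately left without an A record.

```python
"""Minimal zone-file parser plus the consistency rules from the notes.
Added example, not BIND's parser; the sample zone is constructed."""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def ttl_seconds(token):
    """'1H' -> 3600, '1W' -> 604800, '86400' -> 86400, '1d12h' -> 129600."""
    return sum(int(n) * UNITS.get(u.lower(), 1)
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", token))


def absolute(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (default_ttl, records); each record is (owner, ttl, type, rdata)."""
    records, default_ttl, last_owner, buf = [], None, None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # strip comments
        if not line.strip():
            continue
        buf = buf + " " + line if buf else line
        if buf.count("(") > buf.count(")"):
            continue                                   # still inside ( ... )
        line, buf = buf, ""
        starts_blank = line[0].isspace()               # owner inherited
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = ttl_seconds(tokens[1]); continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]; continue
        if tokens[0].startswith("$"):
            continue                                   # $GENERATE/$INCLUDE not handled
        owner = last_owner if starts_blank else absolute(tokens.pop(0), origin)
        ttl = default_ttl
        if tokens[0].upper() == "IN":                  # class may precede the TTL
            tokens.pop(0)
        if re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0]):
            ttl = ttl_seconds(tokens.pop(0))
        if tokens[0].upper() == "IN":                  # ... or follow it
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), absolute(rdata[1], origin)]
        elif rtype == "SOA":   # mname rname serial refresh retry expire minimum
            rdata = ([absolute(rdata[0], origin), absolute(rdata[1], origin)]
                     + [ttl_seconds(t) for t in rdata[2:7]])
        records.append((owner, ttl, rtype, rdata))
        last_owner = owner
    return default_ttl, records


def check_zone(records):
    """Rules from the notes: exactly one SOA and it comes first; every NS and
    MX target inside the zone must have its own A/AAAA record."""
    problems = []
    if not records or records[0][2] != "SOA" or sum(r[2] == "SOA" for r in records) != 1:
        problems.append("zone must start with exactly one SOA record")
    zone = records[0][0] if records else ""
    addressed = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for _, _, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata[-1]
            in_zone = target == zone or target.endswith("." + zone)
            if in_zone and target not in addressed:
                problems.append(f"{rtype} target {target} has no A/AAAA record")
    return problems


# Constructed sample zone; mx3 deliberately has no A record.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN example.com.
@ IN SOA ns1.example.com. admin.example.com. (
        2015042201 ; serial
        1H         ; refresh
        5M         ; retry
        7D         ; expire
        1D )       ; negative-answer TTL
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 30 mx3
ns1 IN A 172.16.100.11
ns2 IN A 172.16.100.12
mx1 300 IN A 172.16.100.13
websrv IN A 172.16.100.11
www IN CNAME websrv
"""

if __name__ == "__main__":
    ttl, recs = parse_zone(SAMPLE_ZONE, "example.com.")
    print(ttl, *recs, check_zone(recs), sep="\n")
```

`named-checkzone` performs the same kind of checks (and many more) on a real zone file; the point of the example is to make visible what the "relative name", "inherited owner" and "NS/MX needs an A record" rules actually mean for each line.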
Example: observing the query process with a packet capture
[root@centos8 ~]#tcpdump -i eth0 udp port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:38.458363 IP 10.0.0.7.42201 > 10.0.0.8.53: 44928+ A? www.baidu.com. (31)
11:37:38.458896 IP 10.0.0.7.54285 > 10.0.0.8.53: 44928+ A? www.baidu.com. (31)
11:37:38.460038 IP 10.0.0.7.42053 > 10.0.0.8.53: 30536+ A? www.baidu.com.wangxiaochun.com. (48)
11:37:38.460884 IP 10.0.0.7.37739 > 10.0.0.8.53: 30536+ A? www.baidu.com.wangxiaochun.com. (48)
[root@centos7 ~]#telnet 10.0.0.8 53
Trying 10.0.0.8...
telnet: connect to address 10.0.0.8: Connection refused
Checking the configuration
named-checkconf
named-checkzone "baidu.com" /var/named/baidu.com.zone
# reloading the configuration, three ways
#rndc reload
#systemctl reload named
#service named reload
dig: testing the DNS system
dig is only for testing DNS; it does not consult the hosts file.
# command format:
dig [-t type] name [@SERVER] [query options]
query options:
    +[no]trace: trace the resolution process, e.g. dig +trace magedu.org
    +[no]recurse: perform recursive resolution
# examples:
# test reverse resolution
dig -x IP    is equivalent to    dig -t ptr reverseip.in-addr.arpa
# simulate a zone transfer
dig -t axfr ZONE_NAME @SERVER
dig -t axfr baidu.com @10.10.10.11
dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1
# query the root name servers
dig -t NS . @114.114.114.114
dig -t NS . @a.root-servers.net
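What dig actually puts on the wire towards 53/udp, as an added Python example (not part of the original notes, not dig's or BIND's code): a builder for a DNS query message and a parser for the reply, including the compression pointers that real answers use. The header flags it decodes (qr, aa, rd, ra) are the ones dig prints in its `;; flags:` line, and the 16-bit message ID is the one shown as `id:`. The response is constructed in the example to look like an authoritative answer, so no network is needed.

```python
"""DNS wire format: build a query, parse a response. Added example, not dig
or BIND code; the response below is constructed, not captured."""
import random
import struct


def encode_name(name):
    """'www.example.com.' -> b'\\x03www\\x07example\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if len(label) > 63:
            raise ValueError("label too long")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, rd=True, msg_id=None):
    """Header (12 bytes) + question; RD asks the server to recurse for us."""
    msg_id = random.randrange(65536) if msg_id is None else msg_id
    flags = 0x0100 if rd else 0                       # RD is bit 8
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(msg, offset):
    """Read a name, following 0xC0xx compression pointers; return (name, next)."""
    labels, jumped, end = [], False, None
    for _ in range(128):                              # guard against pointer loops
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_message(msg):
    """Decode header, question and every record section into a dict."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": msg_id, "rcode": flags & 0xF, "counts": (an, ns, ar),
            "flags": [f for f, bit in (("qr", 15), ("aa", 10), ("tc", 9),
                                       ("rd", 8), ("ra", 7)) if flags >> bit & 1],
            "questions": [], "records": []}
    off = 12
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
        info["questions"].append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        rdata = msg[off:off + rdlen]; off += rdlen
        if rtype == 1 and rdlen == 4:                 # A
            rdata = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                     # NS, CNAME, PTR
            rdata = decode_name(msg, off - rdlen)[0]
        info["records"].append((name, rtype, ttl, rdata))
    return info


def build_response(query, ip, ttl=300, aa=True):
    """Constructed authoritative answer to an A query: same ID, question
    echoed back, answer owner given as a pointer (0xC00C) to the question."""
    msg_id = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0400 if aa else 0) | 0x0100 | 0x0080   # qr aa rd ra
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("www.example.com.")
    print(parse_message(q))
    print(parse_message(build_response(q, "10.0.0.7")))
```

A resolver only accepts a reply whose ID (and source port) match the query it sent, which is why the ID is randomised here rather than counted up; the `aa` bit is what distinguishes the authoritative answers in the dig output later in these notes from cached, non-authoritative ones.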
host: command format
host [-t type] name [SERVER]
Examples:
host -t NS baidu.com 172.16.0.1
host -t soa baidu.com
host -t mx baidu.com
host -t axfr baidu.com
host 1.2.3.4

nslookup supports both interactive and non-interactive use
Command format:
nslookup [-option] [name | -] [server]
Interactive mode:
nslookup>
    server IP: specify which DNS server to query
    set q=RR_TYPE: specify the resource record type to query
    NAME: the name to look up
The rndc tool is used to manage the DNS server
rndc listens on 953/tcp
Command format:
rndc COMMAND
COMMAND:
    status: show status
    reload: reload the main configuration file and the zone database files
    reload zonename: reload one zone's database file
    retransfer zonename: start a zone transfer manually, regardless of whether the serial number has increased
    notify zonename: resend zone-transfer notifications for the zone
    reconfig: reload the main configuration file
    querylog: turn the query log (written to /var/log/messages) on or off
    trace: increase the debug level by one
    trace LEVEL: set the debug level
    notrace: set the debug level to 0
    flush: clear all records from the server's cache
Building a forward primary DNS server so that a web server can be reached by FQDN
Three hosts are needed:
DNS server: 10.0.0.8
Web server: 10.0.0.7
DNS client: 10.0.0.6
4.6.3 Preparation
Disable SELinux
Disable the firewall
Synchronise the time
Configuring the DNS server (10.0.0.8)
yum install bind -y
vim /etc/named.conf
# comment out the following two lines
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
vim /etc/named.rfc1912.zones
# add the following
zone "baidu.com" IN {
    type master;
    file "baidu.com.zone";
};
cp -p /var/named/named.localhost /var/named/baidu.com.zone
# without -p the owner or permissions must be fixed by hand: chgrp named baidu.com.zone
vim /var/named/baidu.com.zone
$TTL 1D
@ IN SOA master admin.baidu.com. (
        2019042210 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS master
master A 10.0.0.8
www A 10.0.0.7
named-checkconf
named-checkzone baidu.com /var/named/baidu.com.zone
systemctl start named # first start of the service
rndc reload # when the service is already running
Configuring the web server (10.0.0.7)
# install the http service
yum install httpd
# create the home page
echo www.baidu.com > /var/www/html/index.html
# start the service
systemctl start httpd
Configuring the DNS client (10.0.0.6)
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.0.0.8
# on CentOS 7 and later, run the following to apply the change
nmcli con reload
nmcli con up eth0
# on CentOS 6, run the following to apply the change
service network restart
# the following entry means it worked
cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 10.0.0.8
# test the web page; if it is displayed, it works
curl www.baidu.com
www.baidu.com
4.7 Allowing dynamic updates
Dynamic update: resource records in the zone database can be updated remotely.
To enable dynamic updates, add the following to the relevant zone block:
allow-update { any; };
Example:
chmod 770 /var/named
setsebool -P named_write_master_zones on # only needed when SELinux is enabled
nsupdate
> server 127.0.0.1
> zone baidu.com
> update add ftp.baidu.com 88888 IN A 8.8.8.8
> send
> update delete www.baidu.com A
> send
# test
dig ftp.baidu.com @127.0.0.1
ls -l /var/named/baidu.com.zone.jnl
cat /var/named/baidu.com.zone
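The `allow-update { any; };` setting above lets any host that can reach port 53 rewrite the zone, and the `dig -t axfr` command earlier in these notes shows that an unrestricted zone transfer hands out the whole database. As an added example (not part of the original notes, not BIND code), here is a small linter that reads a named.conf, finds the `options` and `zone` blocks and reports the weak access-control settings: `allow-update { any; }`, `allow-transfer { any; }` or a primary zone with no `allow-transfer` at all (older BIND versions then allow transfers to any host), and `allow-recursion { any; }` (an open recursive resolver). The sample configuration is constructed; it has one zone with the weak settings and one with key-restricted updates and a transfer list, so the output shows the difference.

```python
"""Linter for access-control statements in named.conf. Added example, not
BIND code; the sample configuration is constructed."""
import re


def _blocks(text, keyword):
    """Yield (header, body) for every top-level 'keyword ... { body };'."""
    pos = 0
    while True:
        m = re.search(rf"\b{keyword}\b([^{{]*)\{{", text[pos:], re.I)
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while depth and i < len(text):                 # match nested braces
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[start:i - 1]
        pos = i


def acl_values(body, statement):
    """['any'] for 'allow-update { any; };', None if the statement is absent."""
    m = re.search(rf"\b{statement}\s*\{{([^}}]*)\}}", body, re.I)
    if not m:
        return None
    return [v.strip() for v in m.group(1).split(";") if v.strip()]


def lint(text):
    findings = []
    for _, body in _blocks(text, "options"):
        if acl_values(body, "allow-recursion") == ["any"]:
            findings.append("options: allow-recursion { any; } makes this an open recursive resolver")
    for header, body in _blocks(text, "zone"):
        name = header.split('"')[1] if '"' in header else header
        ztype = re.search(r"\btype\s+(\w+)", body, re.I)
        if acl_values(body, "allow-update") == ["any"]:
            findings.append(f"zone {name}: allow-update {{ any; }} lets any host rewrite records; "
                            f"restrict it to a TSIG key or use update-policy")
        if ztype and ztype.group(1).lower() in ("master", "primary"):
            xfer = acl_values(body, "allow-transfer")
            if xfer is None:
                findings.append(f"zone {name}: no allow-transfer; older BIND versions allow "
                                f"AXFR to any host by default, so set it explicitly")
            elif xfer == ["any"]:
                findings.append(f"zone {name}: allow-transfer {{ any; }} hands the whole zone to anyone")
    return findings


# Constructed named.conf: the first zone has the weak settings, the second
# restricts transfers to one secondary and updates to a key.
SAMPLE_CONF = """\
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { any; };
    recursion yes;
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-update { any; };
};
zone "0.0.10.in-addr.arpa" IN {
    type master;
    file "10.0.0.zone";
    allow-transfer { 10.0.0.9; };
    allow-update { key "ddns-key"; };
};
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

The linter is deliberately simple (it does not expand `include` files or ACL names); `named-checkconf` validates syntax but does not warn about these settings, which is why a policy check like this one is worth running over every configuration change.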
4.8 Enabling DNS client-side caching
In high-concurrency server scenarios the DNS servers' query performance matters a great deal. Enabling a DNS cache on the client greatly reduces the load on the DNS servers and also speeds up name resolution on the client.
4.8.1 Enabling DNS client caching on CentOS
CentOS does not enable a DNS client cache by default. Installing the nscd (Name Service Cache Daemon) package adds DNS caching, which reduces the load on the DNS servers and speeds up DNS queries.
#yum -y install nscd
#systemctl enable --now nscd
# show cache statistics
#nscd -g
nscd configuration:
0 server debug level
4m 25s server runtime
5 current number of threads
32 maximum number of threads
0 number of times clients had to wait
no paranoia mode enabled
3600 restart internal
5 reload count
passwd cache:
yes cache is enabled
yes cache is persistent
yes cache is shared
211 suggested size
216064 total data pool size
1216 used data pool size
600 seconds time to live for positive entries
20 seconds time to live for negative entries
0 cache hits on positive entries
0 cache hits on negative entries
7 cache misses on positive entries
0 cache misses on negative entries
0% cache hit rate
14 current number of cached values
14 maximum number of cached values
0 maximum chain length searched
0 number of delays on rdlock
0 number of delays on wrlock
0 memory allocations failed
yes check /etc/passwd for changes
group cache:
yes cache is enabled
yes cache is persistent
yes cache is shared
211 suggested size
216064 total data pool size
128 used data pool size
3600 seconds time to live for positive entries
60 seconds time to live for negative entries
0 cache hits on positive entries
0 cache hits on negative entries
1 cache misses on positive entries
0 cache misses on negative entries
0% cache hit rate
2 current number of cached values
2 maximum number of cached values
0 maximum chain length searched
0 number of delays on rdlock
0 number of delays on wrlock
0 memory allocations failed
yes check /etc/group for changes
hosts cache:
yes cache is enabled
yes cache is persistent
yes cache is shared
211 suggested size
216064 total data pool size
248 used data pool size
3600 seconds time to live for positive entries
20 seconds time to live for negative entries
0 cache hits on positive entries
0 cache hits on negative entries
2 cache misses on positive entries
1 cache misses on negative entries
0% cache hit rate
2 current number of cached values
2 maximum number of cached values
0 maximum chain length searched
0 number of delays on rdlock
0 number of delays on wrlock
0 memory allocations failed
yes check /etc/hosts for changes
services cache:
yes cache is enabled
yes cache is persistent
yes cache is shared
211 suggested size
216064 total data pool size
0 used data pool size
28800 seconds time to live for positive entries
20 seconds time to live for negative entries
0 cache hits on positive entries
0 cache hits on negative entries
0 cache misses on positive entries
0 cache misses on negative entries
0% cache hit rate
0 current number of cached values
0 maximum number of cached values
0 maximum chain length searched
0 number of delays on rdlock
0 number of delays on wrlock
0 memory allocations failed
yes check /etc/services for changes
netgroup cache:
yes cache is enabled
yes cache is persistent
yes cache is shared
211 suggested size
216064 total data pool size
0 used data pool size
28800 seconds time to live for positive entries
20 seconds time to live for negative entries
0 cache hits on positive entries
0 cache hits on negative entries
0 cache misses on positive entries
0 cache misses on negative entries
0% cache hit rate
0 current number of cached values
0 maximum number of cached values
0 maximum chain length searched
0 number of delays on rdlock
0 number of delays on wrlock
0 memory allocations failed
yes check /etc/netgroup for changes
# clear the DNS client cache
#nscd -i hosts

4.8.2 Enabling DNS client caching on Ubuntu
Ubuntu enables a DNS client cache (systemd-resolved) by default
[root@ubuntu1804 ~]#systemctl status systemd-resolved.service
● systemd-resolved.service - Network Name Resolution
Loaded: loaded (/lib/systemd/system/systemd-resolved.service; enabled; vendor
preset: enabled)
Active: active (running) since Thu 2020-12-31 19:52:58 CST; 3h 6min ago
Docs: man:systemd-resolved.service(8)
https://www.freedesktop.org/wiki/Software/systemd/resolved
https://www.freedesktop.org/wiki/Software/systemd/writing-networkconfiguration-managers
https://www.freedesktop.org/wiki/Software/systemd/writing-resolverclients
Main PID: 738 (systemd-resolve)
Status: "Processing requests..."
Tasks: 1 (limit: 2290)
CGroup: /system.slice/systemd-resolved.service
└─738 /lib/systemd/systemd-resolved
Dec 31 19:52:59 ubuntu1804.magedu.org systemd-resolved[738]: Using degraded
feature set (UDP) for DNS server 223.6.6.6.
Dec 31 21:08:51 ubuntu1804.magedu.org systemd-resolved[738]: Using degraded
feature set (UDP) for DNS server 10.0.0.8.
Dec 31 21:10:10 ubuntu1804.magedu.org systemd-resolved[738]: Using degraded
feature set (TCP) for DNS server 10.0.0.8.
Dec 31 21:49:51 ubuntu1804.magedu.org systemd-resolved[738]: Grace period over,
resuming full feature set (UDP+EDNS0) for DNS server 1
Dec 31 21:49:58 ubuntu1804.magedu.org systemd-resolved[738]: Server returned
error NXDOMAIN, mitigating potential DNS violation DVE-20
Dec 31 21:49:58 ubuntu1804.magedu.org systemd-resolved[738]: Server returned
error NXDOMAIN, mitigating potential DNS violation DVE-20
Dec 31 22:35:37 ubuntu1804.magedu.org systemd-resolved[738]: Flushed all caches.
Dec 31 22:35:42 ubuntu1804.magedu.org systemd-resolved[738]: Using degraded
feature set (UDP) for DNS server 10.0.0.18.
Dec 31 22:35:43 ubuntu1804.magedu.org systemd-resolved[738]: Using degraded
feature set (TCP) for DNS server 10.0.0.18.
Dec 31 22:42:54 ubuntu1804.magedu.org systemd-resolved[738]: Grace period over,
resuming full feature set (UDP+EDNS0) for DNS server
[root@ubuntu1804 ~]#systemd-resolve --help
systemd-resolve [OPTIONS...] HOSTNAME|ADDRESS...
systemd-resolve [OPTIONS...] --service [[NAME] TYPE] DOMAIN
systemd-resolve [OPTIONS...] --openpgp EMAIL@DOMAIN...
systemd-resolve [OPTIONS...] --statistics
systemd-resolve [OPTIONS...] --reset-statistics
Resolve domain names, IPv4 and IPv6 addresses, DNS records, and services.
-h --help Show this help
--version Show package version
--no-pager Do not pipe output into a pager
-4 Resolve IPv4 addresses
-6 Resolve IPv6 addresses
-i --interface=INTERFACE Look on interface
-p --protocol=PROTO|help Look via protocol
-t --type=TYPE|help Query RR with DNS type
-c --class=CLASS|help Query RR with DNS class
--service Resolve service (SRV)
--service-address=BOOL Resolve address for services (default: yes)
--service-txt=BOOL Resolve TXT records for services (default: yes)
--openpgp Query OpenPGP public key
--tlsa Query TLS public key
--cname=BOOL Follow CNAME redirects (default: yes)
--search=BOOL Use search domains for single-label names
(default: yes)
--raw[=payload|packet] Dump the answer as binary data
--legend=BOOL Print headers and additional info (default: yes)
--statistics Show resolver statistics
--reset-statistics Reset resolver statistics
--status Show link and server status
--flush-caches Flush all local DNS caches
--reset-server-features
Forget learnt DNS server feature levels
--set-dns=SERVER Set per-interface DNS server address
--set-domain=DOMAIN Set per-interface search domain
--set-llmnr=MODE Set per-interface LLMNR mode
--set-mdns=MODE Set per-interface MulticastDNS mode
--set-dnssec=MODE Set per-interface DNSSEC mode
--set-nta=DOMAIN Set per-interface DNSSEC NTA
--revert Revert per-interface configuration
[root@ubuntu1804 ~]#systemd-resolve --statistics
DNSSEC supported by current servers: no
Transactions
Current Transactions: 0
Total Transactions: 53
Cache
Current Cache Size: 1
Cache Hits: 2
Cache Misses: 52
DNSSEC Verdicts
Secure: 0
Insecure: 0
Bogus: 0
Indeterminate: 0
# flush the cache
[root@ubuntu1804 ~]#systemd-resolve --flush-caches
[root@ubuntu1804 ~]#systemd-resolve --statistics
DNSSEC supported by current servers: no
Transactions
Current Transactions: 0
Total Transactions: 53
Cache
Current Cache Size: 0
Cache Hits: 2
Cache Misses: 52
DNSSEC Verdicts
Secure: 0
Insecure: 0
Bogus: 0
Indeterminate: 0
5 Implementing a reverse zone
5.1 Reverse zone configuration
Reverse zone: resolves IP addresses back to FQDNs
Zone name: the network address written in reverse, followed by .in-addr.arpa.
Example:
172.16.100. --> 100.16.172.in-addr.arpa.
(1) Define the zone
zone "ZONE_NAME" IN {
    type {master|slave|forward};
    file "NETWORK_ADDRESS.zone";
};
(2) Define the zone database file
Note: no MX records are needed; the zone consists mainly of PTR records
Example:
$TTL 86400
$ORIGIN 16.172.in-addr.arpa.
@ IN SOA ns1.baidu.com. admin.baidu.com. (
        2015042201
        1H
        5M
        7D
        1D )
    IN NS ns1.baidu.com.
1.2 IN PTR www.baidu.com.
3.4 IN PTR mx1.baidu.com.
# this implements the following mappings
172.16.2.1 www.baidu.com.
172.16.4.3 mx1.baidu.com.
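The name reversal above (172.16.2.1 becomes 1.2.16.172.in-addr.arpa., and 1.2 relative to the 16.172.in-addr.arpa. origin), as an added Python example that is not part of the original notes and not BIND code. It builds the reverse name for IPv4 and, going beyond the notes, for IPv6 (nibble-reversed under ip6.arpa.), derives the relative owner name for a given zone origin, and generates a complete reverse zone from a list of forward (FQDN, IP) pairs so that the PTR records cannot drift from the A records by hand. The host list is constructed.

```python
"""Reverse-zone helpers: in-addr.arpa / ip6.arpa names and PTR generation.
Added example, not BIND code; the host list below is constructed."""
import ipaddress


def reverse_name(ip):
    """'172.16.2.1' -> '1.2.16.172.in-addr.arpa.'; IPv6 -> nibbles under ip6.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_origin(network):
    """Origin of the reverse zone for an octet-aligned IPv4 network:
    '172.16.0.0/16' -> '16.172.in-addr.arpa.'"""
    net = ipaddress.ip_network(network)
    if net.version != 4 or net.prefixlen == 0 or net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 IPv4 reverse zones are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def relative_ptr_owner(ip, origin):
    """The shortened owner name used inside the zone file: '172.16.2.1' under
    '16.172.in-addr.arpa.' -> '1.2'."""
    full = reverse_name(ip)
    if not full.endswith("." + origin):
        raise ValueError(f"{ip} is not inside {origin}")
    return full[: -len(origin) - 1]


def generate_reverse_zone(network, hosts, ns, admin, serial, ttl=86400):
    """hosts: iterable of (fqdn, ip). Returns the text of the reverse zone file."""
    origin = reverse_zone_origin(network)
    lines = [f"$TTL {ttl}",
             f"$ORIGIN {origin}",
             f"@ IN SOA {ns} {admin} ( {serial} 1H 5M 7D 1D )",
             f"    IN NS {ns}"]
    for fqdn, ip in sorted(hosts, key=lambda h: ipaddress.ip_address(h[1])):
        lines.append(f"{relative_ptr_owner(ip, origin)} IN PTR {fqdn}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed forward data mirroring the example above.
    forward = [("mx1.example.com.", "172.16.4.3"), ("www.example.com.", "172.16.2.1")]
    print(generate_reverse_zone("172.16.0.0/16", forward, "ns1.example.com.",
                                "admin.example.com.", 2015042201))
    print(reverse_name("2001:db8::1"))
```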
[root@centos8 ~]#cat /etc/named.conf
options {
......
listen-on port 53 { localhost; };
......
allow-query { any; };
......
};
[root@centos8 ~]#vim /etc/named.rfc1912.zones
zone "0.0.10.in-addr.arpa" {
type master;
file "10.0.0.zone";
};
[root@centos8 ~]#cd /var/named
[root@centos8 named]#cp -p named.loopback 10.0.0.zone
[root@centos8 named]#cat 10.0.0.zone
$TTL 1D
@ IN SOA ns1 admin.magedu.org. (
        0 ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
    NS ns1.magedu.org.
100 PTR www.magedu.org.
200 PTR app.wange.org.
[root@centos8 named]#named-checkzone 0.0.10.in-addr.arpa 10.0.0.zone
zone 0.0.10.in-addr.arpa/IN: loaded serial 0
OK
[root@centos6 ~]#dig -t ptr 100.0.0.10.in-addr.arpa. @10.0.0.8
; <<>> DiG 9.11.13-RedHat-9.11.13-3.el8 <<>> -t ptr 100.0.0.10.in-addr.arpa.
@10.0.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: a9b985772abbae6d4bcd7aa55f1b8af3efe9c3e53640b037 (good)
;; QUESTION SECTION:
;100.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.0.0.10.in-addr.arpa. 86400 IN PTR www.magedu.org.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS ns1.magedu.org.
;; ADDITIONAL SECTION:
ns1.magedu.org. 86400 IN A 10.0.0.7
;; Query time: 0 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Jul 25 09:29:23 CST 2020
;; MSG SIZE rcvd: 142
[root@centos6 ~]#dig -x 10.0.0.100 @10.0.0.8
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> -x 10.0.0.100 @10.0.0.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37893
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;100.0.0.10.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.0.0.10.in-addr.arpa. 86400 IN PTR www.magedu.org.
;; AUTHORITY SECTION:
0.0.10.in-addr.arpa. 86400 IN NS ns1.magedu.org.
;; ADDITIONAL SECTION:
ns1.magedu.org. 86400 IN A 10.0.0.7
;; Query time: 1 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Jul 25 09:30:46 2020
;; MSG SIZE rcvd: 103
[root@centos6 ~]#host 10.0.0.100
100.0.0.10.in-addr.arpa domain name pointer www.magedu.org.
[root@centos6 ~]#nslookup 10.0.0.200
Server: 10.0.0.8
Address: 10.0.0.8#53
200.0.0.10.in-addr.arpa name = app.wange.org.
[root@centos6 ~]#nslookup
> 10.0.0.100
Server: 10.0.0.8
Address: 10.0.0.8#53
100.0.0.10.in-addr.arpa name = www.magedu.org.
> exit
C:\Users\wang>ping -a 10.0.0.100
正在 Ping www.magedu.org [10.0.0.100] 具有 32 字节的数据:
请求超时。
10.0.0.100 的 Ping 统计信息:
数据包: 已发送 = 1,已接收 = 0,丢失 = 1 (100% 丢失),
Control-C
^C
C:\Users\wang>ping -a 10.0.0.200
正在 Ping app.wange.org [10.0.0.200] 具有 32 字节的数据:

6 Implementing a secondary server

docker-compose.yml
version: '3'
services:
  bind9:
    image: ubuntu/bind9:latest
    container_name: bind9
    user: "100:101"
    environment:
      - TZ=UTC
    ports:
      - "53:53/tcp"
      - "53:53/udp"
    volumes:
      - ./data/bind:/etc/bind
      - ./data/cache:/var/cache/bind
      - ./data/logs:/var/log/named
    restart: unless-stopped
Start the container first without mounting the volumes, copy the container's default configuration to the host with docker cp, then mount the volumes so the copied files are mapped back in:
docker cp bind9:/etc/bind/. ~/bind
named.conf: the main named configuration file
named.conf.options: named options
named.conf.local: includes the custom zone file zones.dns.anthill.ink
zones.dns.anthill.ink: the custom zone definition, pointing at the zone database file db.dns.anthill.ink
db.dns.anthill.ink: the zone database file
named.conf
[root@iZwz910xmy5i9jpu5g3vrwZ bind]# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian for information on the
// structure of BIND configuration files in Debian, BEFORE you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local"; // include the local configuration file
include "/etc/bind/named.conf.default-zones";
named.conf.local
[root@iZwz910xmy5i9jpu5g3vrwZ bind]# cat named.conf.local
//include "/etc/bind/zones.rfc1918";
include "/etc/bind/zones.123rst.com";
include "/etc/bind/zones.dns.anthill.ink";
zones.dns.anthill.ink
[root@iZwz910xmy5i9jpu5g3vrwZ bind]# cat zones.dns.anthill.ink
zone "dns.anthill.ink" IN {
    type master;
    file "/etc/bind/db.dns.anthill.ink";
};
db.dns.anthill.ink
[root@iZwz910xmy5i9jpu5g3vrwZ bind]# cat db.dns.anthill.ink
$TTL 604800
@ IN SOA dns.anthill.ink. admin.dns.anthill.ink. (
        2 ; Serial
        604800 ; Refresh
        86400 ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
;
@ IN A 120.24.77.93
@ IN NS ns1
ns1 IN A 120.24.77.93