
Linux Cloud Automation Operations, Lesson 14

Unit 3: Caching DNS

 

I. DNS Overview

 

1. Authoritative name servers: store and serve the actual data for a zone (an entire DNS domain or part of one). Types of authoritative name servers include:

1) Master: holds the original zone data. Sometimes called the "primary" name server

2) Slave: a backup server that obtains a copy of the zone data from the Master through a zone transfer. Sometimes called the "secondary" name server

2. Non-authoritative / recursive name servers: clients use them to look up data that comes from authoritative name servers. Types of recursive name servers include:

1) Caching-only name server: used only for lookups; not authoritative for anything other than unimportant data

2) DNS lookup: the stub resolver on the client sends the query to the name server listed in /etc/resolv.conf. If that name server is authoritative for the requested information, it sends an authoritative answer to the client. Otherwise, if the name server has the requested information in its cache, it sends a non-authoritative answer to the client. If the cache holds no such information, the name server searches for an authoritative name server, starting at the root zone and working down the DNS hierarchy until it reaches the name server that is authoritative for the information, and obtains the answer for the client that way. In this case the name server passes the information to the client and keeps a copy in its own cache for later lookups

 

II. DNS Resource Records

 

1. A DNS zone stores its information as resource records. Each resource record has a type, which indicates the kind of data it holds:

– A: name to IPv4 address

– AAAA: name to IPv6 address

– CNAME: name to "canonical name" (another name that has A/AAAA records)

– PTR: IPv4/IPv6 address to name

– MX: mail exchanger for the name (where to send its e-mail)

– NS: name server for the domain name

– SOA: "start of authority", information about the DNS zone (administrative information)

 

III. DNS Troubleshooting

 

1. dig shows detailed information from a DNS lookup, including why a query failed:

– NOERROR: the query succeeded

– NXDOMAIN: the DNS server reports that no such name exists

– SERVFAIL: the DNS server is down, or DNSSEC validation of the response failed

– REFUSED: the DNS server refused to answer (perhaps for access-control reasons)

 

IV. Parts of dig Output

 

1. The header reports information about the query and the answer, including the response status and any special flags that are set (aa means an authoritative answer, and so on)

– QUESTION: the actual DNS query that was asked

– ANSWER: the response (if any)

– AUTHORITY: the name servers responsible for the domain / zone

– ADDITIONAL: other information supplied, usually about the name servers

– The comments at the bottom report which recursive name server the query was sent to and how long the response took
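The status codes and header flags above can be checked mechanically. The shell functions below are an added example, not part of the course, that pull the status, the section counters and the aa flag out of dig's text output and turn them into the diagnosis the table gives; both dig responses are constructed here from the format shown on this page.

```shell
# Constructed sample (not a live capture): the NXDOMAIN answer dig prints for a name
# that does not exist in an authoritative zone, in the format shown on this page.
DIG_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39859
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;yyy.westos.com. IN A
;; AUTHORITY SECTION:
westos.com. 10800 IN SOA dns.westos.com. root.westos.com.westos.com. 2017041408 86400 3600 604800 10800
;; SERVER: 172.25.254.142#53(172.25.254.142)'
# A second constructed header pair, as a server refusing the query would return it.
DIG_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# dig_status: print the rcode from the HEADER line (NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...)
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}
# dig_flag: succeed if flag $2 (for example aa) is present on the ";; flags:" line
dig_flag() {
    printf '%s\n' "$1" | awk -v f="$2" '
        /^;; flags:/ { sub(/^;; flags: /, ""); sub(/;.*/, "")
                       n = split($0, a, " "); for (i = 1; i <= n; i++) if (a[i] == f) found = 1 }
        END { exit (found ? 0 : 1) }'
}
# dig_count: print the section counter $2 (QUERY, ANSWER, AUTHORITY or ADDITIONAL)
dig_count() {
    printf '%s\n' "$1" | sed -n "s/^;; flags:.*[ ,]$2: \([0-9]*\).*/\1/p"
}
# dig_explain: one-line diagnosis following the status table above
dig_explain() {
    st=$(dig_status "$1"); ans=$(dig_count "$1" ANSWER)
    if dig_flag "$1" aa; then src="authoritative"; else src="non-authoritative (cache or forwarder)"; fi
    case "$st" in
        NOERROR)  echo "ok: $ans answer(s), $src" ;;
        NXDOMAIN) echo "no such name ($src)" ;;
        SERVFAIL) echo "server failure or DNSSEC validation failed" ;;
        REFUSED)  echo "query refused: check allow-query and ACLs on the server" ;;
        *)        echo "unexpected status: $st" ;;
    esac
}
```

On a live system, feed the functions with `dig_explain "$(dig www.westos.com)"`.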

 

V. Caching DNS Server

 

1. BIND is the most widely used open-source name server. In RHEL it is provided by the bind package; open ports 53/TCP and 53/UDP on the firewall

2. BIND's main configuration file is /etc/named.conf

3. The /var/named directory holds the other data files the name server uses

 

VI. Syntax of /etc/named.conf

 

1. // or # to the end of the line is a comment; text between /* and */ is also a comment (and may span several lines)

2. Directives end with a semicolon (;)

3. Many directives take an address match list: a brace-enclosed list of IP addresses or subnets in CIDR notation, or named ACLs (for example any; [all hosts] and none; [no hosts])

4. The file starts with an options block, which contains the directives that control how named operates

5. zone blocks control how named locates the root name servers and the zones for which it is authoritative

 

VII. Some Important options Directives

 

1. listen-on controls the IPv4 addresses named listens on

2. listen-on-v6 controls the IPv6 addresses named listens on

3. allow-query controls which clients may ask the DNS server for information

4. forwarders holds the list of name servers that DNS queries are forwarded to (instead of contacting external name servers directly; useful behind a firewall)

5. All of these directives treat the semicolon-separated elements inside the braces as an address match list, for example:

– listen-on { any; };

– allow-query { 127.0.0.1; 10.0.0.0/8; };

 

VIII. Configuring a Name Server

 

1. Install the bind package

– yum install -y bind

2. Edit /etc/named.conf

-listen-on port 53 { any; };

-listen-on-v6 port 53 { any; };

-allow-query { any; };

-forwarders { 172.25.254.254; };

3. Start and enable the DNS server

-systemctl start named

-systemctl enable named

4. Test from desktopX

– dig classroom.example.com
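Added check, not part of the course: the options block above answers anyone (allow-query { any; }), and because BIND 9 reuses the allow-query list for allow-recursion when neither allow-recursion nor allow-query-cache is set, it also recurses for anyone who can reach port 53. The shell audit below reads the effective recursion ACL out of a named.conf text and flags that case next to a tightened version; both configs are constructed here and the "lan" ACL name is an assumption.

```shell
# Constructed configs (not the course's files): the lab options block from the steps above,
# and a tightened version that limits queries and recursion to an assumed "lan" ACL.
OPEN_CONF='options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        allow-query     { any; };
        forwarders      { 172.25.254.254; };
};'
RESTRICTED_CONF='acl "lan" { 127.0.0.1; 172.25.254.0/24; };
options {
        listen-on port 53 { 172.25.254.142; };
        allow-query     { lan; };
        allow-recursion { lan; };   // without this line the allow-query list would be reused
        forwarders      { 172.25.254.254; };
        recursion yes;
};'

# conf_strip: drop //, # and single-line /* */ comments so commented-out lines are ignored
conf_strip() {
    printf '%s\n' "$1" | sed -e 's|//.*||' -e 's|#.*||' -e 's|/\*.*\*/||'
}
# directive_list: print the address match list of directive $2 inside options, e.g. "any;"
directive_list() {
    conf_strip "$1" | awk -v d="$2" '
        /^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
        inopt && $1 == d { s = $0; sub(/^[^{]*[{]/, "", s); sub(/[}].*/, "", s)
                           gsub(/[[:space:]]+/, " ", s); sub(/^ /, "", s); sub(/ $/, "", s); print s }
        inopt && /^[}]/ { inopt = 0 }'
}
# effective_recursion_acl: BIND 9 falls back from allow-recursion to allow-query-cache,
# then to allow-query, and only then to its built-in "localnets; localhost;"
effective_recursion_acl() {
    for d in allow-recursion allow-query-cache allow-query; do
        v=$(directive_list "$1" "$d")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    echo "localnets; localhost;"
}
# audit_resolver: "open" when recursion is on (the default) and the effective ACL contains any;
audit_resolver() {
    rec=$(conf_strip "$1" | awk '$1 == "recursion" { sub(/;.*/, "", $2); print $2; exit }')
    acl=$(effective_recursion_acl "$1")
    if [ "$rec" = no ]; then echo "restricted: recursion disabled"; return 0; fi
    case " $acl" in *" any;"*) echo "open: recursion allowed for $acl" ;;
                     *)         echo "restricted: recursion allowed for $acl" ;; esac
}
```

Run it against a real file with `audit_resolver "$(cat /etc/named.conf)"`.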

 

IX. Examples

 

1. DNS forward resolution

[root@desktop ~]# yum install bind -y

[root@desktop ~]# systemctl start named

[root@desktop ~]# vim /etc/resolv.conf

[root@desktop ~]# cat /etc/resolv.conf

# Generated by NetworkManager

search example.com

nameserver 172.25.254.142

[root@desktop ~]# vim /etc/named.conf

#listen-on port 53 { any; };

#allow-query     { any; };

[root@desktop ~]# vim /etc/named.rfc1912.zones

#zone "westos.com" IN {

#        type master;

#        file "westos.com.zone";

#        allow-update { none; };

#};

[root@desktop ~]# cd /var/named/

[root@desktop named]# ls

data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

[root@desktop named]# ls -l

total 16

drwxrwx---. 2 named named   22 Apr 14 01:14 data

drwxrwx---. 2 named named   58 Apr 14 01:14 dynamic

-rw-r-----. 1 root  named 2076 Jan 28  2013 named.ca

-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty

-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost

-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback

drwxrwx---. 2 named named    6 Jan 29  2014 slaves

[root@desktop named]# cp -p named.localhost westos.com.zone

[root@desktop named]# vim westos.com.zone

[root@desktop named]# cat westos.com.zone

$TTL 1D

@ IN SOA dns.westos.com. root.westos.com. ( ; rname ends with a dot; without it named appends the origin (root.westos.com.westos.com.)

0 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

NS dns.westos.com.

dns A 172.25.254.142

www A 172.25.254.111

bbs A 172.25.254.222

[root@desktop named]# systemctl restart named

[root@desktop named]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60167

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;www.westos.com. IN A

;; ANSWER SECTION:

www.westos.com. 86400 IN A 172.25.254.111

;; AUTHORITY SECTION:

westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 01:20:15 EDT 2017

;; MSG SIZE  rcvd: 93

[root@desktop named]# dig bbs.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> bbs.westos.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37503

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;bbs.westos.com. IN A

;; ANSWER SECTION:

bbs.westos.com. 86400 IN A 172.25.254.222

;; AUTHORITY SECTION:

westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 01:20:23 EDT 2017

;; MSG SIZE  rcvd: 93

2. Reverse resolution

[root@desktop named]# vim /etc/named.rfc1912.zones

#zone "254.25.172.in-addr.arpa" IN {

#        type master;

#        file "westos.com.ptr";

#        allow-update { none; };

#};

[root@desktop named]# ls -l

total 20

drwxrwx---. 2 named named   22 Apr 14 01:14 data

drwxrwx---. 2 named named   30 Apr 14 01:20 dynamic

-rw-r-----. 1 root  named 2076 Jan 28  2013 named.ca

-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty

-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost

-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback

drwxrwx---. 2 named named    6 Jan 29  2014 slaves

-rw-r-----. 1 root  named  221 Apr 14 01:19 westos.com.zone

[root@desktop named]# cp -p westos.com.zone westos.com.ptr

[root@desktop named]# vim westos.com.ptr

[root@desktop named]# cat westos.com.ptr

$TTL 1D

@ IN SOA dns.westos.com. root.westos.com. ( ; rname ends with a dot; without it named appends the origin

0 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

NS dns.westos.com.

dns A 172.25.254.142

111 PTR www.westos.com.

222 PTR bbs.westos.com.

[root@desktop named]# systemctl restart named

[root@desktop named]# dig -x 172.25.254.111

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41239

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;111.254.25.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:

111.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.

;; AUTHORITY SECTION:

254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 01:25:16 EDT 2017

;; MSG SIZE  rcvd: 118

[root@desktop named]# dig -x 172.25.254.222

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3899

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;222.254.25.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:

222.254.25.172.in-addr.arpa. 86400 IN PTR bbs.westos.com.

;; AUTHORITY SECTION:

254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 01:25:20 EDT 2017

;; MSG SIZE  rcvd: 118
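Added example, not from the course: a small generator for the matching forward and reverse zone files, plus the zone stanza that loads them. It fully qualifies every right-hand name, which matters because a name without a trailing dot gets the origin appended (the SOA shown in the NXDOMAIN answer later on this page reads root.westos.com.westos.com. for exactly that reason). The host list is constructed from the records above and the serial value is an assumption.

```shell
# Constructed host list for westos.com, "name ip" per line (the records from the zone above).
HOSTS='dns 172.25.254.142
www 172.25.254.111
bbs 172.25.254.222'

# fqdn: make $1 fully qualified under domain $2; a name already ending in "." is left alone
fqdn() {
    case "$1" in *.) printf '%s\n' "$1" ;; *) printf '%s.%s.\n' "$1" "$2" ;; esac
}
# rev_origin: in-addr.arpa zone name for the /24 containing $1 (172.25.254.x -> 254.25.172.in-addr.arpa)
rev_origin() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}
# zone_header: $TTL, SOA and NS lines; $1 = name-server FQDN (with dot), $2 = mail domain, $3 = serial.
# Every right-hand name carries its trailing dot, so named appends nothing to it.
zone_header() {
    printf '$TTL 1D\n@ IN SOA %s root.%s. ( %s 1D 1H 1W 3H )\n@ IN NS %s\n' "$1" "$2" "$3" "$1"
}
# forward_zone: domain $1, name-server host $2, serial $3; A records from "name ip" lines on stdin
forward_zone() {
    zone_header "$(fqdn "$2" "$1")" "$1" "$3"
    awk '{ printf "%-8s IN A %s\n", $1, $2 }'
}
# reverse_zone: same arguments; PTR records keyed by the last octet, targets fully qualified.
# The NS still points at the forward domain's server, so it must not be relative to in-addr.arpa.
reverse_zone() {
    zone_header "$(fqdn "$2" "$1")" "$1" "$3"
    awk -v d="$1" '{ split($2, o, "."); printf "%-8s IN PTR %s.%s.\n", o[4], $1, d }'
}
# zone_stanza: the /etc/named.rfc1912.zones block that loads file $2 as master zone $1
zone_stanza() {
    printf 'zone "%s" IN {\n\ttype master;\n\tfile "%s";\n\tallow-update { none; };\n};\n' "$1" "$2"
}
# Usage on the server (assumed paths match the course's layout):
#   printf '%s\n' "$HOSTS" | forward_zone westos.com dns 2017041401 > /var/named/westos.com.zone
#   printf '%s\n' "$HOSTS" | reverse_zone westos.com dns 2017041401 > /var/named/westos.com.ptr
#   zone_stanza "$(rev_origin 172.25.254.142)" westos.com.ptr >> /etc/named.rfc1912.zones
```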

3. Encryption (key-authenticated dynamic updates)

# Server side

[root@desktop mnt]# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST westos

Kwestos.+157+12181

[root@desktop mnt]# ls

Kwestos.+157+12181.key  Kwestos.+157+12181.private  westos.com.zone

[root@desktop mnt]# vim /etc/named.conf

[root@desktop mnt]# cat Kwestos.+157+12181.private

Private-key-format: v1.3

Algorithm: 157 (HMAC_MD5)

Key: hhPLGsYGZMBAtilU7Jf3g8FGKpWFJB7K1OXCJKwYjO4=

Bits: AAA=

Created: 20170414071220

Publish: 20170414071220

Activate: 20170414071220

[root@desktop mnt]# cp /etc/rndc.key /etc/westos.key -p

[root@desktop mnt]# vim /etc/westos.key

[root@desktop named]# cat /etc/westos.key

key "westos" {

algorithm hmac-md5;

secret "hhPLGsYGZMBAtilU7Jf3g8FGKpWFJB7K1OXCJKwYjO4=";

};

[root@desktop mnt]# vim /etc/named.conf

#include "/etc/westos.key";

[root@desktop mnt]# vim /etc/named.rfc1912.zones

#zone "westos.com" IN {

#        type master;

#        file "westos.com.zone";

#        allow-update    {key westos;};

#        allow-transfer  {172.25.254.242;};

#        also-notify     {172.25.254.242;};

#};

[root@desktop mnt]# systemctl restart named

[root@desktop mnt]# ls

Kwestos.+157+12181.key  Kwestos.+157+12181.private  westos.com.zone

[root@desktop mnt]# scp Kwestos.+157+12181.* root@172.25.254.242:/mnt/

root@172.25.254.242's password:

Kwestos.+157+12181.key                        100%   70     0.1KB/s   00:00    

Kwestos.+157+12181.private                    100%  185     0.2KB/s   00:00

# Client side

[root@hhh ~]# cd /mnt/

[root@hhh mnt]# ls

Kwestos.+157+12181.key  Kwestos.+157+12181.private

[root@hhh mnt]# nsupdate -k Kwestos.+157+12181.private

> server 172.25.254.142

> update add yyy.westos.com 86400 A 172.25.254.190

> send

> quit

# Server side

[root@desktop named]# dig yyy.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> yyy.westos.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52580

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;yyy.westos.com. IN A

;; ANSWER SECTION:

yyy.westos.com. 86400 IN A 172.25.254.190

;; AUTHORITY SECTION:

westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 05:34:11 EDT 2017

;; MSG SIZE  rcvd: 93

# Client side

[root@hhh mnt]# nsupdate -k Kwestos.+157+12181.private

> server 172.25.254.142

> update delete yyy.westos.com

> send

> quit

# Server side

[root@desktop named]# dig yyy.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> yyy.westos.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 39859

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;yyy.westos.com. IN A

;; AUTHORITY SECTION:

westos.com. 10800 IN SOA dns.westos.com. root.westos.com.westos.com. 2017041408 86400 3600 604800 10800

;; Query time: 0 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 05:37:36 EDT 2017

;; MSG SIZE  rcvd: 99

[root@desktop named]#

 

4. DHCPD automatic resolution

### Server side

[root@desktop named]# yum install dhcp -y

[root@desktop named]# cp /usr/share/doc/dhcp-4.2.5/dhcpd.conf.example /etc/dhcp/dhcpd.conf

cp: overwrite ‘/etc/dhcp/dhcpd.conf’? y

[root@desktop named]# vim /etc/dhcp/dhcpd.conf

#option domain-name "westos.com";

#option domain-name-servers 172.25.254.142;

#subnet 172.25.254.0 netmask 255.255.255.0 {

#  range 172.25.254.41 172.25.254.50;

#  option routers 172.25.254.254;

#}

[root@desktop named]# systemctl restart dhcpd

[root@desktop named]# vim /etc/dhcp/dhcpd.conf

#ddns-update-style interim;

[root@desktop named]# systemctl restart dhcpd

[root@desktop named]# vim /etc/dhcp/dhcpd.conf

#key westos {

#        algorithm hmac-md5;

#        secret hhPLGsYGZMBAtilU7Jf3g8FGKpWFJB7K1OXCJKwYjO4=;

#};

#zone westos.com. {

#        primary 127.0.0.1;

#        key westos;

#}

[root@desktop named]# systemctl restart dhcpd.service

[root@desktop named]# vim /etc/dhcp/dhcpd.conf

[root@desktop named]# systemctl restart named

[root@desktop named]# systemctl restart dhcpd.service

### Client side

[root@hhh ~]# hostnamectl set-hostname server.westos.com

[root@hhh ~]# hostname

server.westos.com

[root@hhh ~]# vim /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1

[root@hhh ~]# cat /etc/sysconfig/network-scripts/ifcfg-Ethernet_connection_1

TYPE=Ethernet

BOOTPROTO=dhcp

DEFROUTE=yes

IPV4_FAILURE_FATAL=no

NAME="Ethernet connection 1"

UUID=d78cbfc3-e8aa-487d-84df-41788a8ff892

ONBOOT=yes

PEERDNS=yes

PEERROUTES=yes

[root@hhh ~]# systemctl restart network

[root@hhh ~]# ifconfig

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500

        inet 172.25.254.41  netmask 255.255.255.0  broadcast 172.25.254.255

        inet6 fe80::5054:ff:fe00:2a0b  prefixlen 64  scopeid 0x20<link>

        ether 52:54:00:00:2a:0b  txqueuelen 1000  (Ethernet)

        RX packets 6519  bytes 3169691 (3.0 MiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 2478  bytes 299400 (292.3 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536

        inet 127.0.0.1  netmask 255.0.0.0

        inet6 ::1  prefixlen 128  scopeid 0x10<host>

        loop  txqueuelen 0  (Local Loopback)

        RX packets 1575  bytes 136754 (133.5 KiB)

        RX errors 0  dropped 0  overruns 0  frame 0

        TX packets 1575  bytes 136754 (133.5 KiB)

        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

[root@hhh ~]# dig server.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> server.westos.com

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36128

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;server.westos.com. IN A

;; ANSWER SECTION:

server.westos.com. 300 IN A 172.25.254.41

;; AUTHORITY SECTION:

westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:

dns.westos.com. 86400 IN A 172.25.254.142

;; Query time: 1 msec

;; SERVER: 172.25.254.142#53(172.25.254.142)

;; WHEN: Fri Apr 14 05:12:55 EDT 2017

;; MSG SIZE  rcvd: 96

 
