If we want others to reach our website, for example www.lee.com, through its domain name, we first have to register the domain through a registrar (a domestic registrar such as Xinnet, or a foreign one such as GoDaddy). The registrar registers the domain under the root on our behalf; if the site is very small, the registrar simply picks a virtual host on its own servers and resolves the name for us (and earns our money). If instead we want to resolve the domain through our own company's DNS server, we change the DNS settings in the hosting panel the registrar provides, namely the NS records and A records, so that they point at our own DNS servers. The root servers tell resolvers where the .com servers are (the root delegates .com to the TLD servers as a subdomain), and the .com servers must in turn delegate our domain to the registrar's DNS servers.
On Linux, DNS is implemented by the BIND software, but the process it runs is called named.
[Screenshot: 294.png]
The packages we need are bind, bind-libs and bind-utils.
[Screenshot: 295.png]
bind-utils provides a number of testing tools, such as the dig, nslookup and host commands.
[Screenshot: 296.png]
BIND also provides a security package, bind-chroot. After installing it, BIND confines the DNS service to the /var/named/chroot directory, so that even if an attacker breaks into the DNS service the real system is not affected, because the root directory seen by DNS has been separated from the root of our system.
[Screenshot: 297.png]
Configuration files generated after bind is installed:
[Screenshot: 298.png]
Service script: /etc/rc.d/init.d/named
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
rndc: installed by default on the same host as bind; it can only connect to the named process through 127.0.0.1, provides management functions, and uses TCP port 953
Zone database files: the .zone files under the /var/named/ directory (the directory is usually called named). One DNS server can resolve multiple zones, so there can be multiple zone files. This directory should contain a root zone (hints) file, named.ca, and the local forward and reverse zone files, named.localhost and named.loopback
Next we configure master and slave DNS servers: the slave requests data synchronization from the primary server, which provides load sharing
[Screenshot: 299.png]
Curly braces in the configuration file should have a space on both sides
192.168.3.132 ----- named.conf configuration on the primary (master) DNS server
Under options:
listen-on: specifies which port on which address to listen on
directory: specifies the working directory of the DNS server, which is where the zone files are placed
allow-query: specifies which network segments' hosts may query this DNS server
recursion: specifies whether hosts outside the domains managed by this server are allowed to have recursive queries performed on their behalf, up to the root
Under logging:
specifies where the log file is stored
severity: specifies the logging level
Under zone:
type: specifies the server's role for this zone; here it is the primary (master) DNS server
file: specifies where the zone file is stored
allow-transfer: specifies which hosts the zone file may be transferred to when master/slave synchronization is configured (configure this on the primary DNS server)
masters: specifies where the primary DNS server is for master/slave replication (configure this on the slave DNS server)
[Screenshot: 300.png]
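As an added example (not from the blog post), here is a small Python audit of the zone stanzas in named.conf that checks the allow-transfer and masters settings just described, so an unrestricted zone transfer or a slave without a master is caught before the service is restarted. The configuration text, the 192.168.3.133 slave address and the zone names are constructed placeholders.

```python
import re
# Constructed named.conf fragment modelled on the page's master/slave setup.
# The slave address 192.168.3.133 and the zone names are placeholders.
SAMPLE_NAMED_CONF = """
zone "magedu.com" IN {
    type master;
    file "magedu/magedu.zone";
    allow-transfer { 192.168.3.133; };
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "magedu/100.16.172.arpa";
    allow-transfer { any; };
};
zone "example.test" IN {
    type master;
    file "example.zone";
};
zone "mirror.test" IN {
    type slave;
    file "slaves/mirror.zone";
};
"""

def zone_stanzas(conf):
    """Yield (name, body) per zone block, counting braces so nested ACL blocks
    such as allow-transfer { ...; }; do not end the stanza early."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]

def audit_zones(conf):
    """Return findings about zone transfer settings, as on the page's master/slave pair."""
    findings = []
    for name, body in zone_stanzas(conf):
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        ztype = ztype.group(1) if ztype else "unknown"
        xfer = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if ztype == "master":
            if xfer is None:
                findings.append(f"{name}: master zone has no allow-transfer (historical BIND default is any)")
            elif "any" in [a.strip() for a in xfer.group(1).split(";")]:
                findings.append(f"{name}: allow-transfer is any, any host can AXFR the zone")
        elif ztype == "slave" and not re.search(r"\bmasters\s*\{", body):
            findings.append(f"{name}: slave zone has no masters statement")
    return findings
```

Run audit_zones() on the text of your own named.conf; an empty list means every master zone restricts transfers to named hosts and every slave zone names its master.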
Forward zone file: /var/named/magedu/magedu.zone
[Screenshot: 303.png]
If wildcard domain resolution is used (for wildcard resolution and the rest of the theory, see the previous blog post): simply put, when a user enters a wrong hostname under the domain we redirect the user to a page; the host record:
[Screenshot: 313.png]
The zone file above does not add NS and A records for the slave DNS server, so by default the primary DNS server will not notify the slave to update its data when it restarts. The correct practice is:
[Screenshot: 320.png]
Reverse zone file: /var/named/magedu/100.16.172.arpa
[Screenshot: 321.png]
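An added example (not from the original post) that checks the two zone files against each other: it parses a constructed forward zone modelled on magedu.zone and a constructed reverse zone modelled on 100.16.172.arpa, flags apex NS hosts that lack an A record (the slave-NS problem described above) and reports A records without a matching PTR. The hostnames and the 172.16.100.x addresses are assumptions.

```python
import re
# Constructed forward zone modelled on the page's /var/named/magedu/magedu.zone;
# hostnames and 172.16.100.x addresses are placeholders, not the blog's own data.
FORWARD_ZONE = """\
$TTL 600
@    IN SOA ns1.magedu.com. admin.magedu.com. ( 2015091601 1H 5M 1W 1D )
@    IN NS  ns1.magedu.com.
@    IN NS  ns2.magedu.com.
ns1  IN A   172.16.100.1
www  IN A   172.16.100.10
mail IN A   172.16.100.20
*    IN A   172.16.100.10
"""
# Constructed reverse zone modelled on 100.16.172.arpa (network 172.16.100.0/24).
REVERSE_ZONE = """\
@    IN SOA ns1.magedu.com. admin.magedu.com. ( 2015091601 1H 5M 1W 1D )
@    IN NS  ns1.magedu.com.
1    IN PTR ns1.magedu.com.
10   IN PTR www.magedu.com.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples, owners expanded to FQDNs under origin."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()                 # drop comments
        m = re.match(r'(\S+)\s+(?:\d+\s+)?IN\s+(\w+)\s+(.+)', line)
        if not m:                                         # skips $TTL and blanks
            continue
        owner, rtype, rdata = m.groups()
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((owner, rtype, rdata.strip()))
    return records

def check_zones(forward, origin, reverse, rev_origin):
    """Flag apex NS hosts without an A record and A records without a matching PTR."""
    fwd = parse_zone(forward, origin)
    a_hosts = {o for o, t, _ in fwd if t == "A"}
    ptr_of = {}
    for owner, rtype, rdata in parse_zone(reverse, rev_origin):
        if rtype == "PTR":                                # "10.100.16.172.in-addr.arpa." -> 172.16.100.10
            rel = owner[: -(len(rev_origin) + 1)] + "." + rev_origin[: -len(".in-addr.arpa.")]
            ptr_of[".".join(reversed(rel.split(".")))] = rdata
    problems = []
    for owner, rtype, rdata in fwd:
        if rtype == "NS" and owner == origin and rdata not in a_hosts:
            problems.append(f"NS {rdata} has no A record")
        if rtype == "A" and not owner.startswith("*") and ptr_of.get(rdata) != owner:
            problems.append(f"A {owner} -> {rdata} has no matching PTR")
    return problems
```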
192.168.3.132 ---- named.conf configuration on the slave DNS server
[Screenshot: 301.png]
After restarting, check that port 53 is being listened on by the DNS service:
[Screenshot: 302.png]
Check the /var/named/slaves directory on the slave DNS server to confirm that synchronization succeeded:
[Screenshot: 306.png]
The log also reports that master/slave replication succeeded:
[Screenshot: 307.png]
Let's test it:
Forward lookup: with dig, -t specifies the resource record type and @server specifies which DNS server to query. dig does not consult the hosts file; it queries the DNS server directly.
[Screenshot: 308.png]
Reverse lookup: use the -x option
[Screenshot: 309.png]
For other uses of dig see the man page; one example is +trace, which traces the resolution path from the root down
[Screenshot: 312.png]
Simulate a full zone transfer (AXFR). Forward:
[Screenshot: 316.png]
Reverse:
[Screenshot: 317.png]
Querying with the host command
[Screenshot: 314.png]
Querying with nslookup:
[Screenshot: 315.png]
Two commands, named-checkconf and named-checkzone, can be used to check named.conf and the zone files for syntax errors
[Screenshot: 310.png]
Use the rndc command to view DNS server status. rndc reload re-reads the configuration files without restarting the named service; after modifying a zone file, run this command and the change takes effect without a restart.
[Screenshot: 311.png]
Note: the permission on the /var/named directory is 640, and for security the files under it should also be set to 640. Zone files are created owned by root by default; change their owner and group to the named user, otherwise the named service cannot read the zone files because it lacks permission.
Reminder: the clocks of the master and slave servers should be synchronized, and the BIND versions should ideally be the same!
This article is from the "After Tomorrow" blog; please keep this source: http://leeyan.blog.51cto.com/8379003/1695385
BIND in detail: master/slave DNS