Environment: CentOS 5.5, BIND9, chroot, Webmin
DNS Overview
- Hosts on a computer network only know IP addresses, but people prefer to name computers (web sites) because names are more intuitive and easier to remember.
- The original name service was implemented through /etc/hosts, which records frequently accessed computer names (domain names or host names) and their IP addresses. It is still in use.
- DNS is a network protocol (system) that converts a domain name to an IP address. On the Internet it is a large distributed database that records the names and IP addresses of servers worldwide (a bidirectional mapping).
- DNS is a distributed system with a tree structure. It consists of the root domain (Root), top-level domains (such as .com, .cn) and subdomains (such as job.gdut.edu.cn). The final DNS resolution record is the host name (the leaf node), and the host name lives under a domain (the branches, like directories).
DNS classification (by function/role)
- Authoritative DNS
- An authoritative DNS is a server that has been authorized by the upper level to resolve a domain name. It can in turn delegate resolution authority to others. For example, the top-level server for .com can authorize abc.com: the authoritative server of abc.com is ns.abc.com, and ns.abc.com can in turn delegate to ns.ddd.com, so ns.ddd.com also becomes an authoritative server for abc.com.
- The authoritative DNS actually stores the domain-name-to-IP mapping records. In normal operation, the result of a domain name resolution ultimately comes from an authoritative DNS.
- Recursive DNS
- It is responsible for receiving users' queries for any domain name and returning the results to the user. For the procedure a recursive DNS follows, see the section on the domain name resolution process below. A recursive DNS can cache results to avoid repeating upward queries.
- This type of DNS is the most commonly used. It is open to the public and is generally provided by network operators; you can also run your own recursive DNS. A recursive DNS must have a reliable Internet connection.
- A recursive DNS generally configures only the root zone "." and stores the list of IP addresses of the global root servers in this zone.
- The latest root server address list can be obtained here: ftp://ftp.internic.net/domain/named.root
- Forwarding DNS
- It accepts user queries, but does not perform a standard recursive query starting from the root servers. It simply forwards the request to another DNS (such as a recursive DNS), which performs the actual query, and finally returns that DNS's results to the user. It also provides caching.
- It is mainly used when there is no direct Internet connection but a recursive DNS can be reached; in that case a forwarding DNS is the more appropriate choice.
- The disadvantage is that the upstream recursive DNS directly determines the quality of service.
Among the above three types, only authoritative DNS actually stores the name-to-IP records. In practice a single DNS server may combine all three roles, depending entirely on the administrator's configuration.
Domain name resolution process (how DNS servers work)
- The user's host myhost accesses a website, such as www.job.gdut.edu.cn.
- myhost retrieves the IP address of its primary DNS server (mydns) from /etc/resolv.conf.
- myhost contacts mydns by IP address and asks whether the DNS server has records for the domain job.gdut.edu.cn.
- If yes, it checks whether there is a record for the host name www under that domain and returns the IP address to myhost. The whole resolution is complete.
- If no, one of the following procedures (forwarding DNS or recursive query) is performed, depending on the current DNS server configuration:
- mydns forwards myhost's DNS request to the forwarder DNS server (forward/cache mode). This is a simple proxy step; whether the resolution succeeds depends on the forwarder DNS.
- mydns itself goes to the root domain, starting from the root and performing a level-by-level recursive query down through each subdomain. How does it reach the root domain? A DNS server generally has a root zone "." that records the IP addresses of the more than 10 root servers on the current Internet. These root servers are relatively fixed, and their records can be downloaded from the Internet (ftp://ftp.internic.net/domain/named.root).
- mydns asks a root (".") server whether it has any ".cn" records. The root server, like an old hand, replies: "Hey, I do have a .cn record here, but it is a subdomain. I have handed all resolution work for names of the form xxx.cn over to it. Go ask it; here is its IP address."
- mydns then queries the ".cn." subdomain server, which holds records for domains such as .com.cn, .edu.cn, .net.cn and .org.cn. By comparison, the part we want is .edu.cn, so that server sends mydns the IP address of its subordinate .edu.cn domain server (NS).
- mydns queries the DNS server of the subdomain .edu.cn., which stores all records of the form xxx.edu.cn. The server finds the gdut.edu.cn domain server (NS) in its database and sends its IP address to mydns.
- mydns queries the DNS server of the subdomain gdut.edu.cn., which stores all records of the form xxx.gdut.edu.cn. The server finds the job.gdut.edu.cn domain server (NS) in its database and sends its IP address to mydns.
- mydns queries the DNS server of the subdomain job.gdut.edu.cn., which looks in its database and, to its surprise, finds a record for www, and it is a host address (an A record, a terminal leaf) rather than a domain name (NS). So it sends the IP address of the host www to mydns.
- mydns caches the query result (the www.job.gdut.edu.cn-to-IP mapping) for the time being, thinking "it will be much easier the next time we meet" (saving the whole complex query process). The TTL parameter set by the job.gdut.edu.cn domain server specifies how long the result may be cached, because the mapping may change.
- mydns hands the IP address of the host www.job.gdut.edu.cn to myhost, completing the resolution. Oh yeah!
- With this IP address, myhost can finally access www.job.gdut.edu.cn. That is an IP routing process: still complicated, but no longer DNS's business.
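The walk described in the steps above, as an added example (not code from the original post): a toy iterative resolver in Python that follows the referrals from the root hint down to the job.gdut.edu.cn server and caches the answer for its TTL. All zone data, server addresses and the TTL value are constructed stand-ins.

```python
import time

# Constructed authoritative data for a toy Internet: zone -> {owner name: (rrtype, value)}.
# Each zone holds only the NS records delegating its direct children, the glue A records
# for those name servers, and the A records of its own leaf hosts, as a real zone would.
ZONES = {
    ".":                {"cn.": ("NS", "ns.cn."), "ns.cn.": ("A", "198.51.100.1")},
    "cn.":              {"edu.cn.": ("NS", "ns.edu.cn."), "ns.edu.cn.": ("A", "198.51.100.2")},
    "edu.cn.":          {"gdut.edu.cn.": ("NS", "ns.gdut.edu.cn."), "ns.gdut.edu.cn.": ("A", "198.51.100.3")},
    "gdut.edu.cn.":     {"job.gdut.edu.cn.": ("NS", "ns.job.gdut.edu.cn."), "ns.job.gdut.edu.cn.": ("A", "198.51.100.4")},
    "job.gdut.edu.cn.": {"www.job.gdut.edu.cn.": ("A", "203.0.113.80")},
}
ROOT_HINT = "198.51.100.0"  # constructed stand-in for an address from the named.root hints file
TTL = 300                   # seconds a positive answer may be cached (really set by the zone's record TTL)
CACHE = {}                  # qname -> (ip, expiry): mydns's memory of earlier answers

def ask(zone, qname):
    """One question to the server authoritative for `zone`: ANSWER, REFERRAL or NXDOMAIN."""
    rrs = ZONES[zone]
    rec = rrs.get(qname)
    if rec and rec[0] == "A":                   # the leaf itself lives in this zone
        return ("ANSWER", rec[1])
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):         # look for the closest enclosing delegation
        child = ".".join(labels[i:])
        if rrs.get(child, ("",))[0] == "NS":
            ns_name = rrs[child][1]
            return ("REFERRAL", child, ns_name, rrs[ns_name][1])  # glue gives the child's server IP
    return ("NXDOMAIN", None)

def resolve(qname, now=None):
    """Iteratively resolve qname starting from the root hint; returns (ip, hops).
    hops lists (zone asked, server ip); a still-valid cache hit returns hops == ["cache"]."""
    now = time.time() if now is None else now
    hit = CACHE.get(qname)
    if hit and hit[1] > now:                    # within TTL: no upward query at all
        return hit[0], ["cache"]
    zone, server, hops = ".", ROOT_HINT, []
    while True:
        hops.append((zone, server))
        reply = ask(zone, qname)
        if reply[0] == "ANSWER":
            CACHE[qname] = (reply[1], now + TTL)  # remember it, but only for TTL seconds
            return reply[1], hops
        if reply[0] == "NXDOMAIN":
            return None, hops
        _, zone, _ns_name, server = reply         # follow the referral one level down

if __name__ == "__main__":
    ip, hops = resolve("www.job.gdut.edu.cn.")
    for zone, server in hops:
        print(f"asked {server:<14} (authoritative for {zone})")
    print("www.job.gdut.edu.cn. ->", ip)
```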
DNS concepts
- ZONE: the space occupied by a group of computers; a tree-like abstract concept. A domain can contain any number of hosts and subdomains. For example, the root "." (Root) is a domain, ".cn" is a domain, and ".edu.cn" is also a domain, but ".edu.cn" is a subdomain of ".cn".
- FQDN: fully qualified domain name, the full path composed of the host name and the domain name, which uniquely identifies a host on the Internet. For example, in www.flyox.com, flyox.com is the domain name and www is the host name under that domain; you can guess that this host provides web services.
- Forward resolution: provides the mapping from domain name to IP address.
- Reverse resolution: provides the mapping from IP address to domain name.
- Delegate: also known as authorization, that is, handing the resolution of all names in a subdomain (abc.com) of the current domain (such as .com) to another DNS server. This is the basis of the distributed structure of the DNS system. It is implemented with an NS record plus an A record for the name server. Note that delegation can only happen between upper and lower levels, not between peers at the same level.
Master-slave DNS Server
- The master-slave structure is not required; generally a single master server is enough. Adding one or more slave (secondary) servers makes domain name resolution for the whole network more reliable.
- Master and slave are both independent DNS servers and must be configured separately. Only one or several zones are shared, and these need to be configured only on the master. Once the slave is set up it synchronizes automatically (as specified by the SOA record). The advantage is that the records are maintained in one place only.
Forward-only (Cache-only) DNS server (forwarding DNS)
- This type of DNS host has no database of its own and does not query the root DNS servers. It simply requests data from external DNS hosts on behalf of clients: a plain "proxy" role that forwards DNS queries to external DNS servers.
- Usually set up on the firewall.
- Modify the configuration file /etc/named.conf and edit the options section to complete the DNS configuration for this type, as shown below:
// These settings are only for a forwarding DNS server
options {
        pid-file "/var/run/named.pid";   // set the pid-file here! Pay special attention to the
                                         // owner of this path: it must be owned by named!
        forward only;                    // only forwarding is allowed!
        forwarders {
                168.95.1.1;              // here I use the HiNet DNS
                139.175.10.20;           // this is the SeedNet DNS
        };
};
BIND in the chroot environment
- For server security, BIND9 provides an optional component by default: bind-chroot.
- chroot means "change root": the Linux root directory is mapped to another directory, so that server configuration never operates directly on the real Linux root directory.
- The bind-chroot mapping directory is specified by the configuration file /etc/sysconfig/named. The default chroot directory of BIND is /var/named/chroot.
- In the chroot environment the path of a configuration file is relative to the configured chroot directory, not an absolute path. For example, the actual path of /etc/named.conf in the default environment is /var/named/chroot/etc/named.conf.
BIND-related configuration files
- File /etc/sysconfig/named: specifies whether to enable chroot and its additional parameters.
- File /etc/named.conf: the main configuration file. It sets the BIND global parameters (options), the parameters of each domain (zone), and the path of each zone database file.
- Directory /var/named: stores the zone database files, that is, the actual record files of each zone set in /etc/named.conf, including forward and reverse zones.
- Directory /var/run/named: when the named program runs, its PID file is stored in this directory by default.
Domain name representation in the zone database file
- Default zone name: "@" stands for the zone name defined in named.conf (for example, "bt.com").
- Short name: a host or zone name not terminated by a dot "."; BIND automatically appends the default zone name (for example ".bt.com.") during parsing so that it becomes an FQDN.
- Long name: the complete name, that is, the FQDN ending with ".", such as "file.bt.com.". Note that the final dot in an FQDN denotes the root.
Resource record (RR) types
- NS: Name Server, which says that records should be queried at the specified name server. It is generally used to point to the DNS server of the local domain (by default) or of a subdomain (for further recursive querying), and corresponds to a branch of the tree.
- A: the host address, the final record being looked up, corresponding to a leaf of the tree.
- MX: specifies the FQDN of the mail server for the current domain, so that a mail sender can find the correct destination mail host.
- CNAME: sets a host alias. It applies when multiple names point to the same IP address: once the IP address changes, only one record needs to be modified.
- SRV: service location record. It sets the default servers (address and port) for services under the current domain name. Once set, services can be reached directly through the domain name without naming a specific server host. Similar to MX.
DNS server test
- After configuration, restart the named service (# service named restart)
- View the logs to verify that named works properly:
- # tail -n 15 /var/log/messages | grep named
- No exceptions should appear
- DNS client commands:
- host -l [FQDN] [DNS-server]: use the specified [DNS-server] to query the domain name [FQDN]
- nslookup [FQDN] [DNS-server]
- dig [@DNS-server] [FQDN] [+trace]
- whois [FQDN]
Subdomain delegation (authorization) issues
- To enable hosts outside the domain to resolve the domain's names, you need to obtain authorization (delegation) from the upper-level DNS.
- DNS authorization: the resolution of the target domain (subdomain) is delegated to a DNS server one level down, which becomes its authoritative DNS.
- Authoritative DNS: the DNS that actually stores the records of every name in the target domain.
- To allow hosts on the Internet to reach the DNS domain you set up, it must be added to the Internet domain name system. You must first apply for a domain name and obtain authorization from the domain name server at the upper level, so that your server becomes the authoritative DNS for the domain name you applied for.
- After authorization, the upper-level DNS holds an NS record pointing to your DNS server and an A record giving your DNS server's address, for example:
; This is the upper-level zone ".org."
flyox.org.      IN  NS  ns.flyox.org.       ; delegate resolution of the subdomain flyox.org to ns.flyox.org
ns.flyox.org.   IN  A   202.54.47.155       ; and tell everyone that the address of ns.flyox.org is 202.54.47.155
; ... other domain name records
This is the zone file for "flyox.org" on your own DNS server (ns.flyox.org). The following are the authoritative records for the domain flyox.org:
@               IN  NS  ns.flyox.org.       ; this domain flyox.org is resolved by itself; this NS record cannot be omitted
ns              IN  A   202.54.47.155       ; address of the ns.flyox.org server
go              IN  NS  ns1.go.flyox.org.   ; then delegate the subdomain go.flyox.org
ns1.go          IN  A   236.75.110.5        ; address of ns1.go.flyox.org
www             IN  A   202.54.47.156       ; www.flyox.org is 202.54.47.156
; ... other domain name records
Note:
- NS, MX, CNAME and other records can point to hosts outside the domain or to hosts in the local domain:
- When pointing to an out-of-domain host, make sure that the external DNS can resolve that name to its real IP address within the overall name system.
- When pointing to a host in the domain, an A record for that name is generally required.
- When an NS record points to an out-of-domain host/server, it authorizes that DNS to resolve the subdomain. So the DNS system is a logically distributed tree, but the DNS server's own domain name need not be in the same domain; for example, the DNS server l.gtld-servers.net resolves xxx.com domain names.
- On the Internet, the top-level domain servers store the NS records of each domain name, and the name server can be a host outside that domain. The same is true for MX and CNAME records.
- Generally, when a user registers a top-level domain name (abc.com), the domain name agent provides a web control panel through which the user can modify the records in the top-level domain (such as .com). By default, the NS record is directed to the agent's DNS servers. If the user uses the agent's DNS, the panel can also modify records in the abc.com domain, such as MX records and a certain number of A records. If the agent claims to support second-level domain names, NS records can also be added.
- Some domain name agents are small and limited by the company's resources: they may not have passed ICANN certification, and may have neither their own DNS, nor their own enterprise mail server, nor web virtual hosts. They can point the NS record to a partner's DNS, and then add the MX record for the enterprise mail service provider through that DNS ... eventually achieving integration.
Empty domain name resolution and wildcard domain name resolution
- Empty domain name: the default host of the current domain, for example for the many users who are too lazy to type the "www." prefix.
- Wildcard domain name: any name in the current domain that matches no other record resolves to this address.
; Assume the current domain is flyox.org
@   IN  A   202.54.47.156   ; the empty domain name flyox.org resolves to the web server
*   IN  A   202.54.47.156   ; the wildcard domain name *.flyox.org also resolves to the web server
CNAME record usage considerations
- The name specified in NS and MX records must be resolvable. If the name is in the current domain, an A record must be provided for it, and it cannot be a CNAME record.
- The empty domain name @ (such as bt.com) cannot use a CNAME record; the wildcard domain name * (such as xxx.bt.com) can.
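An added example (not from the original post) that applies the delegation records of the flyox.org zone above together with the CNAME rules in this section: a small Python checker that parses the record syntax used on this page and reports the mistakes the rules forbid. The two sample zones are constructed; their names and addresses follow the page's flyox.org example.

```python
ORIGIN = "flyox.org."  # the zone's default name, which "@" stands for
# Two constructed zone files in the record syntax used on this page (owner [IN] TYPE value).
GOOD_ZONE = """
@       IN NS    ns.flyox.org.     ; the domain is served by its own name server ...
ns      IN A     202.54.47.155     ; ... so the in-zone NS target needs an A record
go      IN NS    ns1.go.flyox.org. ; delegate the subdomain go.flyox.org
ns1.go  IN A     236.75.110.5      ; glue for the subdomain's name server
www     IN A     202.54.47.156
*       IN CNAME www.flyox.org.    ; the wildcard may be a CNAME
"""
BAD_ZONE = """
@       IN NS    ns.flyox.org.
ns      IN CNAME www.flyox.org.    ; wrong: an NS target must not be a CNAME
@       IN CNAME www.flyox.org.    ; wrong: the empty domain name must not be a CNAME
@       IN MX    10 mail           ; wrong: in-zone MX target without an A record
"""

def fqdn(name, origin):
    """Expand an owner or target: '@' is the zone itself; a name without a final '.' gets the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner FQDN, TYPE, target) tuples; ';' comments are dropped, the optional IN class skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        if len(fields) > 2 and fields[1].upper() == "IN": del fields[1]
        owner, rtype, *rdata = fields
        records.append((fqdn(owner, origin), rtype.upper(), rdata[-1]))  # MX "prio host" -> host
    return records

def check_zone(text, origin):
    """Apply the rules from the two sections above; returns a list of problems (empty means clean)."""
    records = parse_zone(text, origin)
    types_at = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, target in records:
        if rtype == "CNAME" and owner == origin:
            problems.append("the empty domain name (@) must not be a CNAME")
        if rtype not in ("NS", "MX"):
            continue
        tgt = fqdn(target, origin)
        if tgt != origin and not tgt.endswith("." + origin):
            continue                            # out-of-zone target: some external DNS must resolve it
        if "CNAME" in types_at.get(tgt, set()):
            problems.append(f"{rtype} at {owner} points at {tgt}, which is a CNAME")
        elif "A" not in types_at.get(tgt, set()):
            problems.append(f"{rtype} at {owner} points at in-zone {tgt} with no A record")
    return problems
```

Run `check_zone(BAD_ZONE, ORIGIN)` to see the three violations listed in order; `check_zone(GOOD_ZONE, ORIGIN)` returns an empty list.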
Simple load balancing using DNS
- DNS is often used as a low-cost load balancing solution (based on multiple A records with different IP addresses for the same domain name).
- DNS hands out the different IP addresses by round robin: when clients query the IP address of the domain name, the first client gets the first IP address, the second client gets the second IP address, and so on.
- Repeated queries from the same client return the same IP address, because the client also has a DNS cache. The mechanism can be verified after clearing that cache with ipconfig /flushdns.
Experiment: creating a DNS system and a DNS private root
For a complete DNS experiment, see "Creating a DNS system by yourself and creating a DNS private root: DNS Series 6". That article uses Windows Server as its example, but the configuration process is the same and the configuration files are similar.
Setting up a DDNS server
- DDNS: Dynamic DNS, applicable to scenarios where the host has a public IP address that changes frequently, such as ADSL broadband.
- Implemented through BIND's update-policy.
- Server: generate a key pair, copy the public key into the key section of /etc/named.conf, and grant that key update rights on the dynamic DNS zone.
- Client: using the generated public and private keys, run the nsupdate command on a schedule (or whenever the IP address changes) to push the new IP address to the DDNS server.
References:
- Laruence's Linux private kitchen: Server setup
- About the DNS architecture: DNS Series 1