1. The role of the slave DNS server
As mentioned in the previous essay, there are generally three kinds of DNS servers: the primary (master) DNS server, the secondary (slave) DNS server, and the caching DNS server. Configuring DNS service for a domain means configuring its primary DNS server, so what is the slave DNS server for?
A slave DNS server for a domain is configured for redundancy and load balancing. In production, if the primary DNS server for our domain crashes or is taken down by an attack and no slave exists, nobody can resolve the names in that domain any more. If the primary receives a lot of query traffic, the slaves can share the load. So besides one primary DNS server we usually configure one or more slave DNS servers.
The zone file for a domain is maintained on the primary DNS server; a slave only holds a copy that it fetches from the primary. When the slave starts (and again whenever the SOA refresh timer expires or the master sends it a NOTIFY), it pulls the zone from the master with a zone transfer (AXFR), which runs over TCP port 53. Configuring a slave is therefore very simple.
2. Configuring a slave DNS server for the domain
We have two Linux hosts in virtual machines: the primary DNS server configured in the previous essay, and a second host that will become the slave DNS server (in the command output below the master's prompt is shown as root@master and the slave's as root@slave).
Before configuring the slave, a few changes are needed on the primary DNS server:
(1) Open port 53 in iptables on the primary DNS server
The slave fetches the zone from the master over the network, so the master's firewall has to let DNS traffic in: the zone transfer is an AXFR over TCP port 53, and ordinary queries use UDP (and TCP) port 53. Port 953 is the rndc control channel; it is not used for zone transfers and should stay closed to other hosts. For convenience in this lab the rules are simply flushed; on a real server add ACCEPT rules for tcp and udp dport 53 instead of emptying the firewall:
[root@master etc]# iptables -F
[root@master etc]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
(2) Set SELinux to permissive
[root@master etc]# getenforce
Enforcing
[root@master etc]# setenforce 0
[root@master etc]# getenforce
Permissive
(3) Modify the main configuration file named.conf
The slave fetches the zone file from the master over the network, so the master must listen on an address the slave can reach. The named.conf from the previous essay listens only on 127.0.0.1, which means only the local host can use the bind service. Either put the master's LAN address (or any) into listen-on, or remove the listen-on lines altogether so that named listens on all interfaces; then other hosts can reach this host's DNS service over the network. The zone transfer itself should additionally be limited to the slave by adding allow-transfer { <slave IP>; }; to the zone stanza; without that, any host that can reach port 53 can pull a copy of the whole zone.
This is the named.conf configured yesterday; we remove the listen-on port lines:
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9arm.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/

options
{
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // "Working" directory
	// listen-on port 53 { any; };
	listen-on port 53 { 127.0.0.1; };
	// listen-on-v6 port 53 { any; };
	listen-on-v6 port 53 { ::1; };
};

zone "cnblogs.com" {
	type master;
	file "cnblogs.com.zone";
};
After the modification:
[root@master etc]# vim named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9arm.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/

options
{
	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // "Working" directory
};

zone "cnblogs.com" {
	type master;
	file "cnblogs.com.zone";
};
(4) Start the bind service on the primary DNS server
[root@master etc]# service named start
Starting named: named: already running                     [  OK  ]
Note the output: named was already running, so service named start changed nothing and the edited named.conf has not been loaded. After changing the configuration use service named restart (or rndc reload) so the new listen-on settings take effect; otherwise the slave still cannot reach the master.
That is all for the primary DNS server. Now the steps on the slave DNS server:
① Install the BIND package on the slave as well. This is omitted here; the installation is described in detail in the previous essay, Linux Learning CentOS (34): Configuring the master DNS server for a domain.
② Add the zone declaration for the domain to the BIND main configuration file
We only need to add the following to named.conf:
zone "cnblogs.com" {
	type slave;
	masters { 192.168.198.129; };
	file "slaves/cnblogs.com.zone";
};
[root@slave etc]# cat named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9arm.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/

options
{
	directory "/var/named"; // "Working" directory
};

zone "cnblogs.com" {
	type slave;                      // this host is a slave for the zone
	masters { 192.168.198.129; };    // the master to transfer the zone from; note that the IP address goes inside { }, ends with ';', and has a space before and after it
	file "slaves/cnblogs.com.zone";  // zone files fetched from the master are by convention stored in the slaves directory
};
③ Set SELinux to permissive on the slave
Because the slave writes the zone it receives from the master into /var/named/slaves, in this lab SELinux is set to permissive here as well. This is a shortcut: the /var/named/slaves directory shipped by the bind package carries a label that named is allowed to write to (check it with ls -Z), so a production slave can stay enforcing; if you created the directory yourself, restore the label with restorecon -Rv /var/named rather than disabling SELinux.
[root@slave etc]# getenforce
Enforcing
[root@slave etc]# setenforce 0
[root@slave etc]# getenforce
Permissive
Note: the transfer into the slaves directory is performed by the named system user, so that directory must be writable by it; make sure slaves is owned by user named and group named.
[root@slave named]# ls -l
total 32
drwxr-xr-x. 2 root root 4096 Jun  6 22:52 data
-rw-r--r--. 1 root root   56 Jun  6 22:52 my.external.zone.db
-rw-r--r--. 1 root root   56 Jun  6 22:52 my.internal.zone.db
-rw-r--r--. 1 root root 1892 Jun  6 22:52 named.ca
-rw-r--r--. 1 root root  152 Jun  6 22:52 named.empty
-rw-r--r--. 1 root root  152 Jun  6 22:52 named.localhost
-rw-r--r--. 1 root root  168 Jun  6 22:52 named.loopback
drwxr-xr-x. 2 root root 4096 Jun  6 22:52 slaves
[root@slave named]# chown named slaves/
[root@slave named]# chgrp named slaves/
[root@slave named]# ls -l
total 32
drwxr-xr-x. 2 root  root  4096 Jun  6 22:52 data
-rw-r--r--. 1 root  root    56 Jun  6 22:52 my.external.zone.db
-rw-r--r--. 1 root  root    56 Jun  6 22:52 my.internal.zone.db
-rw-r--r--. 1 root  root  1892 Jun  6 22:52 named.ca
-rw-r--r--. 1 root  root   152 Jun  6 22:52 named.empty
-rw-r--r--. 1 root  root   152 Jun  6 22:52 named.localhost
-rw-r--r--. 1 root  root   168 Jun  6 22:52 named.loopback
drwxr-xr-x. 2 named named 4096 Jun  6 22:52 slaves
④ Start the bind service on the slave (or reload its configuration if it is already running)
[root@slave etc]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
⑤ Check that the zone file for the domain was transferred into the /var/named/chroot/var/named/slaves/ directory
[root@slave slaves]# ls -l
total 12
-rw-r--r--. 1 named named 381 Jun  6 23:20 cnblogs.com.zone
-rw-r--r--. 1 root  root   56 Jun  6 22:52 my.ddns.internal.zone.db
-rw-r--r--. 1 root  root   56 Jun  6 22:52 my.slave.internal.zone.db
The cnblogs.com.zone file has been transferred from the primary DNS server. Note the serial of 0 in its SOA record: a slave only re-transfers the zone when the master's serial is higher than the one in its own copy, so the serial must be increased on the master every time the zone is edited, or the slaves silently keep serving the old data.
[root@slave slaves]# cat cnblogs.com.zone
$ORIGIN .
$TTL 86400	; 1 day
cnblogs.com		IN SOA	cnblogs.com. rname.invalid. (
				0          ; serial
				86400      ; refresh (1 day)
				3600       ; retry (1 hour)
				604800     ; expire (1 week)
				10800      ; minimum (3 hours)
				)
			NS	cnblogs.com.
			A	127.0.0.1
			MX	10 mail.cnblogs.com.
			AAAA	::1
$ORIGIN cnblogs.com.
mail			A	192.168.1.222
www			A	192.168.1.111
⑥ Point the slave's own resolver at itself
The slave DNS server is now configured. Next we edit /etc/resolv.conf and point nameserver at the local host:
[root@slave slaves]# vim /etc/resolv.conf
nameserver 127.0.0.1
⑦ Verify with host or dig that the slave resolves the domain correctly
// Query the IP address of www.cnblogs.com
[root@slave slaves]# dig www.cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> www.cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61233
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;www.cnblogs.com.		IN	A

;; ANSWER SECTION:
www.cnblogs.com.	86400	IN	A	192.168.1.111

;; AUTHORITY SECTION:
cnblogs.com.		86400	IN	NS	cnblogs.com.

;; ADDITIONAL SECTION:
cnblogs.com.		86400	IN	A	127.0.0.1
cnblogs.com.		86400	IN	AAAA	::1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 23:29:16 2013
;; MSG SIZE  rcvd: 107

// Query the mail (MX) records of the domain cnblogs.com
[root@slave slaves]# dig -t mx cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> -t mx cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3328
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; QUESTION SECTION:
;cnblogs.com.			IN	MX

;; ANSWER SECTION:
cnblogs.com.		86400	IN	MX	10 mail.cnblogs.com.

;; AUTHORITY SECTION:
cnblogs.com.		86400	IN	NS	cnblogs.com.

;; ADDITIONAL SECTION:
mail.cnblogs.com.	86400	IN	A	192.168.1.222
cnblogs.com.		86400	IN	A	127.0.0.1
cnblogs.com.		86400	IN	AAAA	::1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 23:30:04 2013
;; MSG SIZE  rcvd: 124

// Query the IP address of mail.cnblogs.com
[root@slave slaves]# dig mail.cnblogs.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6 <<>> mail.cnblogs.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47353
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; QUESTION SECTION:
;mail.cnblogs.com.		IN	A

;; ANSWER SECTION:
mail.cnblogs.com.	86400	IN	A	192.168.1.222

;; AUTHORITY SECTION:
cnblogs.com.		86400	IN	NS	cnblogs.com.

;; ADDITIONAL SECTION:
cnblogs.com.		86400	IN	A	127.0.0.1
cnblogs.com.		86400	IN	AAAA	::1

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun  6 23:30:36 2013
;; MSG SIZE  rcvd: 108
All of the names resolve, so the slave DNS server is configured correctly.
Clients can now point at either the primary or the slave; when the primary fails, the slave keeps answering for the domain. It does so only until the SOA expire time (one week in this zone) passes without a successful refresh from the master; after that the slave stops answering for the zone, so a dead master still has to be repaired within that window.
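Once the slave answers, two things are worth checking regularly: that its copy is actually in sync with the master (the serial comparison is what catches a master whose zone was edited without bumping the serial), and that the master does not hand the whole zone to anyone who asks for it. The script below is an added example for that purpose, not part of the original post. It assumes dig is installed on the host it runs on, takes the master address 192.168.198.129 from the lab, and treats the local host as the slave unless SLAVE is set; run it from a third machine to confirm that AXFR is refused there.

```shell
#!/bin/sh
# check-slave.sh: added example, not part of the original post.
# Verifies that a BIND slave is in sync with its master and that the master
# refuses zone transfers (AXFR) to hosts that are not listed in allow-transfer.
# Assumptions: dig is installed; MASTER is the lab master from the post;
# SLAVE defaults to the host the script runs on.

ZONE="${ZONE:-cnblogs.com}"
MASTER="${MASTER:-192.168.198.129}"
SLAVE="${SLAVE:-127.0.0.1}"

# Pull the serial (third field) out of one line of `dig +short SOA` output,
# e.g. "cnblogs.com. rname.invalid. 2013060601 86400 3600 604800 10800".
soa_serial() {
    set -- $1
    printf '%s\n' "$3"
}

# The SOA serial that server $1 currently holds for $ZONE (empty on failure).
serial_on() {
    soa_serial "$(dig +short "@$1" "$ZONE" SOA +time=2 +tries=1 2>/dev/null)"
}

# True when both serials are present and equal; a slave whose serial lags
# the master has a stale copy (or the master forgot to bump its serial).
serials_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# True when the full-zone request was refused: dig prints "; Transfer failed."
# for a REFUSED or otherwise unsuccessful AXFR.
axfr_refused() {
    case "$1" in
        *'; Transfer failed.'*) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    m=$(serial_on "$MASTER")
    s=$(serial_on "$SLAVE")
    if serials_match "$m" "$s"; then
        echo "OK: slave serial $s matches master"
    else
        echo "MISMATCH: master=$m slave=$s (check named logs; rndc retransfer $ZONE on the slave)"
    fi

    # Ask the master for the whole zone from this host.  Only the slave
    # should succeed; from anywhere else this must be refused.
    out=$(dig "@$MASTER" "$ZONE" AXFR +time=2 +tries=1 2>/dev/null)
    if axfr_refused "$out"; then
        echo "OK: master refuses AXFR from this host"
    else
        echo "WARNING: master hands out the whole zone to this host; if this is not the slave, set allow-transfer { $SLAVE; }; on the master"
    fi
}

# Run the checks only when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Usage: sh check-slave.sh --run on the slave for the serial comparison, then MASTER=192.168.198.129 sh check-slave.sh --run on any other LAN host, where the AXFR line must report a refusal. A serial mismatch after a zone edit on the master almost always means the serial was not increased there.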
3. Configuring a caching DNS server
Above and in the previous essay we explained how to configure a primary DNS server and a slave DNS server. But a DNS server need be neither master nor slave for any domain; it can hold no zone at all. Such a server resolves every incoming query recursively, returns the result to the client and keeps it in its cache, and is called a caching DNS server.
A caching DNS server is usually placed inside a LAN to speed up name resolution for the local clients. It should answer recursive queries only for those clients (allow-recursion in the options block): a caching server that is reachable from the Internet and recurses for anyone is an open resolver, and open resolvers get abused for DDoS amplification and are the easiest targets for cache poisoning.
We can also configure an upstream DNS server on the caching server, so that queries it cannot answer from its cache are forwarded to the upstream. Just add the following line to the options block of named.conf:
forwarders { 218.30.19.40; };
[root@slave etc]# vim named.conf
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.

 See the BIND Administrator's Reference Manual (ARM) for details, in:
   file:///usr/share/doc/bind-{version}/arm/Bv9arm.html
 Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
 its manual.
*/

options
{
	directory "/var/named"; // "Working" directory
	forwarders { 218.30.19.40; };   // the upstream DNS server should be stable and fast; the forwarders option is written inside options
};

zone "cnblogs.com" {
	type slave;
	masters { 192.168.198.129; };
	file "slaves/cnblogs.com.zone";
};
We can also add the following option so that the caching server forwards all queries to the forwarders and never recurses on its own (the default is forward first, where the server resolves the name itself if the forwarders do not answer):
forward only;
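The post edits named.conf by hand in section 2 (the master) and here (the caching server). The script below is an added example, not part of the original post, that generates those stanzas with the access controls the post leaves out (allow-transfer and notify on the master, allow-transfer { none; } on the slave, allow-recursion limited to the LAN on the caching server) and lints an existing named.conf for the two mistakes that break or expose a master. The master address 192.168.198.129 and the upstream 218.30.19.40 come from the post; the slave address 192.168.198.130 and the LAN prefix 192.168.198.0/24 are assumed.

```shell
#!/bin/sh
# gen-named-conf.sh: added example, not part of the original post.
# Emits the named.conf pieces the post edits by hand, with the access controls
# the post leaves out, and lints an existing named.conf for the two mistakes
# that break or expose a master.  Assumptions: the slave address
# 192.168.198.130 and LAN prefix 192.168.198.0/24 are invented for the lab;
# master 192.168.198.129 and the upstream 218.30.19.40 are taken from the post.

ZONE="${ZONE:-cnblogs.com}"
MASTER_IP="${MASTER_IP:-192.168.198.129}"
SLAVE_IP="${SLAVE_IP:-192.168.198.130}"
LAN="${LAN:-192.168.198.0/24}"
UPSTREAM="${UPSTREAM:-218.30.19.40}"

# Master zone stanza: only the slave may AXFR the zone, and the master sends
# NOTIFY so the slave refreshes right after an edit instead of waiting for
# the SOA refresh timer.
master_zone_stanza() {   # $1 = zone, $2 = slave IP
    cat <<EOF
zone "$1" {
	type master;
	file "$1.zone";
	allow-transfer { $2; };
	notify yes;
};
EOF
}

# Slave zone stanza as in the post, plus allow-transfer { none; } so the slave
# does not become a second place to dump the whole zone from.
slave_zone_stanza() {    # $1 = zone, $2 = master IP
    cat <<EOF
zone "$1" {
	type slave;
	masters { $2; };
	file "slaves/$1.zone";
	allow-transfer { none; };
};
EOF
}

# Caching resolver options: recursion only for local clients, so the box is
# not an open resolver; forward everything to the upstream, as in the post.
caching_options() {      # $1 = LAN prefix, $2 = upstream resolver
    cat <<EOF
options {
	directory "/var/named";
	listen-on port 53 { any; };
	allow-query { localhost; $1; };
	recursion yes;
	allow-recursion { localhost; $1; };
	forwarders { $2; };
	forward only;
};
EOF
}

# Write a caching-server named.conf to $1 and syntax-check it if BIND's
# named-checkconf is installed on this host.
write_caching_conf() {   # $1 = output path
    caching_options "$LAN" "$UPSTREAM" > "$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    fi
}

# Lint an existing named.conf: listen-on pinned to loopback means slaves can
# never reach the master; a master zone without allow-transfer serves AXFR
# to anyone.  Returns 1 if either is found.
lint_master_conf() {     # $1 = path to named.conf
    rc=0
    if grep -Eq 'listen-on[[:space:]]+port[[:space:]]+53[[:space:]]*[{][[:space:]]*127\.0\.0\.1' "$1"; then
        echo "FINDING: listen-on is restricted to 127.0.0.1; the slave cannot reach this master"
        rc=1
    fi
    if grep -q 'type master' "$1" && ! grep -q 'allow-transfer' "$1"; then
        echo "FINDING: master zone without allow-transfer; any host can AXFR the whole zone"
        rc=1
    fi
    return $rc
}
```

Usage: source the file and run master_zone_stanza cnblogs.com 192.168.198.130 >> /etc/named.conf on the master, slave_zone_stanza cnblogs.com 192.168.198.129 >> /etc/named.conf on the slave, and lint_master_conf /etc/named.conf on the master after editing; the first finding it reports is exactly the listen-on line the post removes in step (3). For the caching server, write_caching_conf /etc/named.conf produces the forwarders plus forward only settings from this section with recursion restricted to the LAN.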
Configuring a slave DNS server and a caching DNS server for a domain