dns-05-forwarding

Source: Internet
Author: User
Tags: dnssec, domain, server, subdomain


Experimental environment

Host                     IP                  OS                   Role
ns1.magedu.com           172.18.71.101/24    CentOS 6.7 x86_64    parent domain server, can connect to the Internet
ns1.dev.magedu.com       172.18.71.102/24    CentOS 7.2 x86_64    child domain server, cannot connect to the Internet
localhost.localdomain    172.18.71.103/24    CentOS 7.2 x86_64    test machine

iptables and SELinux are turned off.

Install bind

# yum install -y bind bind-libs bind-utils

In /etc/named.conf, comment out the allow-query line (which restricts queries to localhost) and the dnssec lines (which may affect the experimental results), and add the server's IP address to listen-on.

options {
    listen-on port 53 { 127.0.0.1; 172.18.71.101; };
    ...
    //allow-query     { localhost; };
    ...
    //dnssec-enable yes;
    //dnssec-validation yes;
    //dnssec-lookaside auto;
    ...
};

Time synchronization

In general, the first step of any multi-node setup is to synchronize the clocks. When the hosts are networked, ntpdate can be used to synchronize them against a time server; a host without network access can be set manually with the date command.

Configure forwarding

First, configure a parent domain server and a subdomain server as described in dns-04-subdomain authorization.

The requirement now is for the subdomain server to resolve names in the parent domain without running the recursive query itself, handing the resolution directly to the parent domain server instead. This is implemented with forwarding, which comes in two forms: zone forwarding and global forwarding.

1. Zone forwarding

Add a definition of the magedu.com zone on the subdomain server. Here forward has two modes: first or only. first tries forwarding first and, if the parent domain server does not respond, iterates the query itself; only does nothing but forward. Choose according to the actual situation. first is generally more flexible, but if your server is not connected to the Internet at all, first gains you nothing.

# vim /etc/named.rfc1912.zones
...
zone "magedu.com" IN {
    type forward;
    forward first;
    forwarders { 172.18.71.101; };
};

Check the syntax of the master configuration file

# named-checkconf

Start the service

# systemctl start named

A dig test shows that, with zone forwarding, the subdomain server resolves a parent-domain name successfully, while a name outside the forwarded zone (www.baidu.com below) fails with SERVFAIL because the subdomain server cannot reach the Internet to iterate the query itself:

# dig -t A www.magedu.com @172.18.71.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @172.18.71.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24093
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         85317   IN      A       172.18.71.101
www.magedu.com.         85317   IN      A       172.18.71.102

;; AUTHORITY SECTION:
magedu.com.             86343   IN      NS      ns1.magedu.com.

;; Query time: 1 msec
;; SERVER: 172.18.71.102#53(172.18.71.102)
;; WHEN: Fri Apr 08 23:04:56 CST 2016
;; MSG SIZE  rcvd: 93

# dig -t A www.baidu.com @172.18.71.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.71.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; Query time: 8 msec
;; SERVER: 172.18.71.102#53(172.18.71.102)
;; WHEN: Fri Apr 08 23:51:02 CST 2016
;; MSG SIZE  rcvd: 42

2. Global forwarding

Global forwarding is not defined as a forwarding zone; it is configured directly in the options block of the master configuration file /etc/named.conf.

options {
    ...
    forward only;
    forwarders { 172.18.71.101; };
    ...
};

Check the syntax of the master configuration file

# named-checkconf

Start the service

# systemctl start named

Running dig on the test machine shows that, with global forwarding, the subdomain server resolves both the parent-domain name and an external name, because every query it cannot answer itself is now handed to the parent domain server:

# dig -t A www.magedu.com @172.18.71.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.magedu.com @172.18.71.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43069
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.magedu.com.                IN      A

;; ANSWER SECTION:
www.magedu.com.         83773   IN      A       172.18.71.101
www.magedu.com.         83773   IN      A       172.18.71.102

;; AUTHORITY SECTION:
magedu.com.             84799   IN      NS      ns1.magedu.com.

;; Query time: 1 msec
;; SERVER: 172.18.71.102#53(172.18.71.102)
;; WHEN: Fri Apr 08 23:30:41 CST 2016
;; MSG SIZE  rcvd: 93

# dig -t A www.baidu.com @172.18.71.102

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @172.18.71.102
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12108
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          50      IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       299     IN      A       61.135.169.125
www.a.shifen.com.       299     IN      A       61.135.169.121

;; Query time: 845 msec
;; SERVER: 172.18.71.102#53(172.18.71.102)
;; WHEN: Fri Apr 08 23:53:45 CST 2016
;; MSG SIZE  rcvd: 101

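
The manual dig checks above can be turned into a repeatable test. The script below is an added example and is not part of the original post: it summarises a dig response into its status and answer count and checks that against what zone forwarding or global forwarding should produce for each name. The server IP and host names are the ones from this experiment; the embedded sample response is constructed to match the zone-forwarding result for www.baidu.com.

```shell
#!/bin/sh
# Added example, not part of the original post: summarise dig responses the
# way the post's manual tests do and check them against the forwarding mode.
# Under zone forwarding the subdomain server answers NOERROR for
# www.magedu.com but SERVFAIL for www.baidu.com (it cannot reach the Internet
# to iterate); under global forwarding both come back NOERROR.

# Read one dig response on stdin and print "<status> <answer-count>".
dig_summary() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i <= NF; i++) if ($i == "status:") { st = $(i + 1); sub(/,$/, "", st) } }
        /^;; flags:/   { for (i = 1; i <= NF; i++) if ($i == "ANSWER:") { an = $(i + 1); sub(/,$/, "", an) } }
        END { print st, an }'
}

# Return 0 when <status> is what forwarding mode <mode> (zone|global) should
# produce for <name>; names outside magedu.com are only forwarded globally.
expected_result() {
    mode=$1; name=$2; status=$3
    case "$mode:$name" in
        zone:*.magedu.com) [ "$status" = NOERROR ] ;;
        zone:*)            [ "$status" = SERVFAIL ] ;;
        global:*)          [ "$status" = NOERROR ] ;;
        *)                 return 2 ;;
    esac
}

# Constructed sample: header lines of the post's zone-forwarding query for
# www.baidu.com (the same fields dig_summary reads from a live response).
SAMPLE_ZONE_BAIDU=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38245
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# Live check against the subdomain server from the post (172.18.71.102):
# prints one PASS/FAIL line per name. Skipped when dig is not installed.
check_live() {
    mode=$1
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 0; }
    for n in www.magedu.com www.baidu.com; do
        set -- $(dig -t A "$n" @172.18.71.102 +time=2 +tries=1 | dig_summary)
        if expected_result "$mode" "$n" "$1"; then r=PASS; else r=FAIL; fi
        echo "$r $mode $n status=$1 answers=$2"
    done
}

# Usage: sh check_forwarding.sh zone    (or: global)
if [ -n "${1:-}" ]; then check_live "$1"; fi
```

Run it with the mode that is currently configured on the subdomain server; a FAIL for www.baidu.com under global forwarding usually means the forwarder is unreachable or the parent itself has no Internet access.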
Conclusion

With zone forwarding, many resolution requests still require the subdomain server to iterate the query itself; with global forwarding, most of the load is shifted to the parent domain server. Which one to choose must be decided according to the actual situation.

At the same time there is another problem: if our server has no security settings at all and accepts recursive queries from any host, other people's resolution requests will end up being forwarded through our server. Being used by others is a small matter, but disrupting our own business is a big one, and that is something we do not want to see. Refer to dns-06-security settings.


This article is from the "knfprex3a29" blog; please keep this source: http://knfprex3a29.blog.51cto.com/9761463/1762190
