DNS configuration and points of attention in various files

Tags: domain name server, dnssec, nameserver, nslookup, domain

1 Shorthand forms

Start with the simplest shorthand.

Concept: the second field of the zone statement specifies the domain name that is the origin of all data in that zone's data file.

www.cui. IN A 192.168.7.234

can be written in shorthand as

www IN A 192.168.7.234

That is, www means the host www under the domain cui.


The shorthand relies on the origin given in the zone statement of named.conf:

zone "cui" IN {
    type master;
    file "db.cui";
};


In a resource record, every name that does not end with "." (such as www) automatically has the zone's origin appended to it (the "cui" that follows zone in the configuration file), so the combined name is www.cui.


Similarly, in the reverse zone,

234.7.168.192.in-addr.arpa. IN PTR www.cui.

can be shortened to

234 IN PTR www.cui.



2 The @ symbol

When the owner name of a record is identical to the origin, it can be written as "@". This is most common in the SOA record of the zone data file, which can be written as

@ IN SOA bind1.cui. bind1.cui. ( 1 3h 1h 1w 2h )

The five values in parentheses are serial, refresh, retry, expire and negative-caching TTL; the serial must be a plain integer, while the other four may use time units such as h and w.
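To make the two shorthand rules above concrete, here is an added example (not code from the original post and not BIND's own code) that applies a zone's origin the way the text describes: "@" becomes the origin, names without a trailing dot get the origin appended, absolute names are left alone, and the name-valued rdata fields of NS, CNAME, PTR, MX and SOA records are qualified too. The sample zone text is constructed from the records on this page; the function names are my own.

```python
"""Expand the zone-file shorthand described above into fully qualified names.

Added example: a simplified model of how BIND applies a zone's origin to
owner names, "@" and name-valued rdata. It is not BIND's own code, and the
sample zone text below is constructed from the records on this page.
"""

# rdata fields that hold domain names and are therefore also qualified:
# position 0 for NS/CNAME/PTR, position 1 (after the preference) for MX,
# positions 0 and 1 (MNAME, RNAME) for SOA
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}


def qualify(name, origin):
    """Return name as an FQDN relative to origin (which must end in '.').

    "@" stands for the origin itself; a name that already ends in "." is
    absolute and left alone; any other name gets the origin appended.
    """
    if not origin.endswith("."):
        raise ValueError("origin must be absolute, e.g. 'cui.'")
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def reverse_owner(ipv4):
    """PTR owner name for an IPv4 address: reversed octets under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ipv4!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def expand_zone(text, origin):
    """Parse 'owner [IN] type rdata...' lines (one record per line, each with
    an explicit owner, ';' starts a comment) and return (owner, type, rdata)
    tuples with every name fully qualified."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = qualify(fields[0], origin)
        rest = fields[1:]
        if rest and rest[0].upper() == "IN":  # the class is optional in shorthand
            rest = rest[1:]
        if not rest:
            raise ValueError(f"record without a type: {raw!r}")
        rtype = rest[0].upper()
        rdata = [f for f in rest[1:] if f not in ("(", ")")]  # drop SOA parentheses
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, rtype, rdata))
    return records


# Constructed db.cui; its origin "cui." comes from zone "cui" in named.conf.
FORWARD_ZONE = """\
@    IN SOA bind1.cui. bind1.cui. ( 1 3h 1h 1w 2h )
@    IN NS  bind1
www  IN A   192.168.7.234
"""

# Constructed reverse zone file whose origin is 7.168.192.in-addr.arpa.
REVERSE_ZONE = """\
234  IN PTR www.cui.
"""

if __name__ == "__main__":
    for record in expand_zone(FORWARD_ZONE, "cui."):
        print(record)
    print(expand_zone(REVERSE_ZONE, "7.168.192.in-addr.arpa."))
    print(reverse_owner("192.168.7.234"))
```

Note that the NS record written as `@ IN NS bind1` expands to `bind1.cui.`, which is the usual source of the classic mistake of omitting the trailing dot on an absolute name in rdata and ending up with `bind1.cui.cui.`.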




"Controlling queries and zone transfers for security"


1 allow-query: the addresses allowed to query

By default only localhost is allowed:

allow-query { localhost; };

Result: queries from other hosts are not answered.





The usual change is to allow queries from everyone, or to use an ACL to restrict them to specific networks:

allow-query { any; };


2 allow-transfer { any; };

Function: controls zone transfers (between master and slave), i.e. which hosts are allowed to receive a transfer of the zone.

3 recursion yes; allows recursive queries.

4 allow-recursion { any; }; (the default) specifies which hosts are allowed to make recursive queries through this server.

5 allow-query-cache { any; };

Which hosts may query the cache.

6 Listening interfaces

Role: the port number and interface (that is, the IP address) on which the server answers queries.

listen-on port 53 { your-ip; };   (replace your-ip with the server's own address)

If it is set to listen-on port 53 { any; }; the server listens on every interface.

Application: if you do not want to listen on the IPv6 interface:

listen-on-v6 port 53 { none; };
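The allow-* options above are all address match lists, and BIND evaluates them the same way: the first element that matches the client decides, a leading "!" negates an element, and a client that matches nothing is denied. The following added example (my own code, not BIND's) models that evaluation and uses it to check an options block for the "allow from everyone" configuration: recursion and zone transfers open to an arbitrary Internet client. The option sets, the helper names and the secondary address 192.168.7.2 are constructed; 203.0.113.10 is a documentation address standing in for an arbitrary Internet client.

```python
"""Evaluate the allow-* address lists discussed above the way BIND does
(first matching element wins, '!' negates, no match means deny) and flag an
options block that leaves the server open as a recursive resolver.

Added example, not BIND's code. The option names mirror named.conf keys; the
helper names and the sample option sets below are constructed. 203.0.113.10
(a documentation address) stands in for an arbitrary Internet client.
"""
import ipaddress

LOCALHOST_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
INTERNET_CLIENT = "203.0.113.10"


def acl_allows(acl, client_ip, localnets=()):
    """Return True if client_ip matches a non-negated element of acl.

    acl is a list of strings as written in named.conf: "any", "none",
    "localhost", "localnets", an address or a CIDR prefix, each optionally
    prefixed with "!" to negate it. localnets lists the server's own subnets.
    """
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        elem = element.lstrip("!").strip()
        if elem == "any":
            matched = True
        elif elem == "none":
            matched = False
        elif elem == "localhost":
            matched = any(ip in net for net in LOCALHOST_NETS)
        elif elem == "localnets":
            matched = any(ip in ipaddress.ip_network(n, strict=False) for n in localnets)
        else:
            matched = ip in ipaddress.ip_network(elem, strict=False)
        if matched:
            return not negate  # the first match decides, as in BIND
    return False  # implicit deny at the end of the list


def open_resolver_findings(options):
    """Return findings for an options dict such as
    {"recursion": "yes", "allow-recursion": ["any"], "allow-transfer": ["any"]}.

    Defaults assumed for missing keys: recursion yes and allow-recursion any
    (as stated on this page), allow-transfer any (BIND's historical default).
    allow-query-cache is only checked when it is set explicitly.
    """
    findings = []
    recursion = options.get("recursion", "yes") == "yes"
    if recursion and acl_allows(options.get("allow-recursion", ["any"]), INTERNET_CLIENT):
        findings.append("open recursive resolver: allow-recursion admits any client")
    if acl_allows(options.get("allow-transfer", ["any"]), INTERNET_CLIENT):
        findings.append("allow-transfer admits any client: zone transfer is not restricted")
    cache_acl = options.get("allow-query-cache")
    if cache_acl is not None and acl_allows(cache_acl, INTERNET_CLIENT):
        findings.append("allow-query-cache admits any client")
    return findings


# Constructed option sets: the weak one is the page's "allow from everyone"
# change; the hardened one limits recursion to local networks and transfers
# to a single (constructed) secondary address.
WEAK_OPTIONS = {
    "recursion": "yes",
    "allow-query": ["any"],
    "allow-recursion": ["any"],
    "allow-transfer": ["any"],
}
HARDENED_OPTIONS = {
    "recursion": "yes",
    "allow-query": ["any"],
    "allow-recursion": ["localhost", "192.168.0.0/16"],
    "allow-transfer": ["192.168.7.2"],
}

if __name__ == "__main__":
    print("weak:", open_resolver_findings(WEAK_OPTIONS))
    print("hardened:", open_resolver_findings(HARDENED_OPTIONS))
```

The hardened set keeps allow-query { any; } for the authoritative data while closing recursion and transfers; that split is what lets one named serve public zones without becoming an open recursive resolver.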




"rndc: the DNS maintenance command"

1 On Linux, named can be managed by sending it signals, for example:

kill -HUP `cat /var/run/named.pid`

rndc offers more ways to manage the server, over a control channel.

== Reload:

rndc reload

Reloads the server configuration file and the zone files. It is equivalent to

/etc/init.d/named reload = kill -HUP `cat /var/run/named.pid`

Note: a single zone can also be reloaded with rndc reload zone, where zone is the name of the zone.

== Restart the service

rndc restart == /etc/init.d/named restart

== Status

rndc status == /etc/init.d/named status

== Stop/start

rndc stop == /etc/init.d/named stop == kill -TERM `cat /var/run/named.pid`

== Flush the cache

rndc flush

Note: the difference between reload and restart:

The most visible difference is that the process PID changes on restart but not on reload.

Reload only re-reads the configuration files; restart kills the process and starts it again.

2 Prerequisite for rndc control:

/etc/rndc.key

It can be generated manually:

rndc-confgen -r /dev/urandom -a

Note: the control channel can be configured in named.conf with the controls statement; it is not required by default.

3 rndc listens on port 953


4 After modifying a zone file on the primary, make sure to increase the serial number by 1.
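The reason the serial matters is that a secondary only transfers the zone when the primary's serial is "greater" under RFC 1982 serial arithmetic; a forgotten increment leaves every secondary serving stale data. The added example below (my own code, not BIND's) bumps the serial of a one-line SOA record as used on this page and compares serials the way a secondary does, including the wrap-around at 2^32. The zone text, its YYYYMMDDnn-style serial and the function names are constructed.

```python
"""Increment a zone's SOA serial and compare serials the way a secondary does.

Added example, not BIND's code. A secondary only transfers a zone when the
primary's serial is "greater" under RFC 1982 serial arithmetic, which is why a
forgotten increment leaves secondaries stale. The zone text below is
constructed and keeps the whole SOA record on one line, as on this page.
"""
import re

SEQUENCE_SPACE = 2 ** 32
HALF_SPACE = 2 ** 31


def serial_gt(a, b):
    """RFC 1982: a > b when a lies in the half of the 32-bit sequence space
    'ahead' of b. The case |a - b| == 2**31 is undefined and treated as False."""
    a %= SEQUENCE_SPACE
    b %= SEQUENCE_SPACE
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def secondary_will_transfer(primary_serial, secondary_serial):
    """True when a secondary holding secondary_serial would pull the zone."""
    return serial_gt(primary_serial, secondary_serial)


# The serial is the first numeric field after the SOA MNAME and RNAME, with
# an optional opening parenthesis in between.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.IGNORECASE)


def bump_serial(zone_text):
    """Return (new_text, new_serial) with the SOA serial increased by 1,
    wrapping at 2**32 so the result is still a valid 32-bit serial."""
    match = SOA_SERIAL.search(zone_text)
    if match is None:
        raise ValueError("no SOA serial found")
    old = int(match.group(2))
    new = (old + 1) % SEQUENCE_SPACE
    new_text = zone_text[: match.start(2)] + str(new) + zone_text[match.end(2):]
    return new_text, new


# Constructed db.cui using the page's SOA fields, serial in YYYYMMDDnn style.
ZONE = """\
$TTL 1d
@    IN SOA bind1.cui. bind1.cui. ( 2016051301 3h 1h 1w 2h )
@    IN NS  bind1.cui.
www  IN A   192.168.7.234
"""

if __name__ == "__main__":
    text, serial = bump_serial(ZONE)
    print(serial, secondary_will_transfer(serial, 2016051301))
    print(text)
```

Because the comparison is modular, a serial of 4294967295 followed by 0 is still seen as an increase; what a secondary does not accept is the same serial with different contents, which is exactly what an edit without a bump produces.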

5 Error:

9 15:32:50 cui2 named[10634]: none:0: Open:/etc/rndc.key:permission denied

Workaround:

chmod +r /etc/rndc.key



"The resolver: its files and functions"


1 The resolver is the client side of DNS.

For example, telnet shop-web01.beta calls the DNS resolver to resolve the name shop-web01.beta; ftp, ping, ssh, scp and so on likewise call the resolver.

2 Files involved

/etc/nsswitch.conf

/etc/resolv.conf

/etc/hosts

hostname

3 Phenomenon

Why does ping dpindex-web01 make the resolver automatically resolve dpindex-web01.beta?


4 The nsswitch.conf file

The relevant default line is

hosts: files dns

It means that when the resolver resolves a name, it looks in /etc/hosts first and then asks the DNS name server.


5 The role of hostname and the local domain

If the hostname has the form of a domain name, such as shop-web01.beta,

then the part after the dot (beta) is the local domain.

With a local domain in place, the resolver completes short names automatically; for example,

ping dpindex-web01

is read by the resolver as dpindex-web01.beta, the local domain being added automatically.

Like tab completion, this reduces typing.

Note:

If the hostname contains no ".", the local domain becomes the root.

If you want more "." in the local domain and host name, the resolver is smart enough to handle it!

6 Directives in the /etc/resolv.conf file

domain

search

nameserver

options

domain also specifies the local domain; if this directive is present in resolv.conf,

e.g. domain beta, it overrides the domain derived from the hostname.

The search directive is similar to domain,

but supports multiple domains.

nameserver specifies the name server to use, for example:

nameserver 1.1.1.1

nameserver 2.2.2.2

nameserver 3.3.3.3

More than one can be listed; when the first fails, the second is used.

The second is used only when the query to the first times out or hits a network error!

Note that it is not used when the first query simply returns no result (a normal negative answer); in that case the second name server is not consulted.

The options directive sets debugging, timeout, retry and similar settings, for example:

options attempts:4 timeout:2 ndots:2

Note:

Some features differ between versions; the above is supported from BIND 8 onward.

Other details are too fine-grained to cover here; refer to the authoritative book DNS and BIND.
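The following added example (my own code, following glibc's stub-resolver rules, not glibc or BIND code) ties this section together: it parses a resolv.conf, derives the search list from domain/search or from the hostname as item 5 describes, produces the order in which a name such as dpindex-web01 is tried under ndots, and models the nameserver failover rule that a timeout moves to the next server but a negative answer does not. The resolv.conf text, the hostname dpindex-web01.beta and the two responder callbacks are constructed.

```python
"""Model the resolver behaviour described in this section: how /etc/resolv.conf
(domain/search, ndots) turns "dpindex-web01" into "dpindex-web01.beta", and
when the second nameserver is consulted.

Added example following glibc's stub-resolver rules; it is not glibc code.
The resolv.conf text, hostname and the responder callbacks are constructed.
"""

DEFAULT_OPTIONS = {"ndots": 1, "timeout": 5, "attempts": 2}  # glibc defaults


def parse_resolv_conf(text, hostname="dpindex-web01.beta"):
    """Return (search_list, nameservers, options).

    'domain' and 'search' are mutually exclusive: the last one seen wins.
    With neither present, the local domain is derived from the hostname
    (everything after its first dot); a hostname without a dot gives none.
    """
    search, nameservers, options = None, [], dict(DEFAULT_OPTIONS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *args = line.split()
        if key == "domain" and args:
            search = [args[0]]
        elif key == "search":
            search = list(args)
        elif key == "nameserver" and args:
            nameservers.append(args[0])
        elif key == "options":
            for opt in args:
                name, _, value = opt.partition(":")
                options[name] = int(value) if value.isdigit() else True
    if search is None:
        search = [hostname.split(".", 1)[1]] if "." in hostname else []
    return search, nameservers, options


def candidates(name, search, ndots=1):
    """Names the stub resolver tries, in order.

    A name ending in "." is absolute and tried as given. A name with at least
    ndots dots is tried as-is first and then with each search suffix; a name
    with fewer dots is tried with the search suffixes first, then as-is.
    """
    if name.endswith("."):
        return [name]
    with_suffix = [f"{name}.{suffix}" for suffix in search]
    if name.count(".") >= ndots:
        return [name] + with_suffix
    return with_suffix + [name]


def resolve_with_failover(name, nameservers, attempts, responder):
    """Server selection: servers are tried in order for up to `attempts`
    rounds; a timeout or network error moves to the next server, but a
    negative answer (NXDOMAIN) is final and later servers are never asked.

    responder(server, name) returns ("answer", rdata), ("nxdomain", None)
    or ("timeout", None). Returns (status, rdata, servers_asked).
    """
    asked = []
    for _ in range(attempts):
        for server in nameservers:
            status, data = responder(server, name)
            asked.append(server)
            if status == "answer":
                return status, data, asked
            if status == "nxdomain":
                return status, None, asked
    return "timeout", None, asked


# Constructed /etc/resolv.conf matching the directives on this page.
RESOLV_CONF = """\
domain beta
nameserver 1.1.1.1
nameserver 2.2.2.2
nameserver 3.3.3.3
options attempts:4 timeout:2 ndots:2
"""


def first_server_down(server, name):
    """Constructed responder: 1.1.1.1 never answers, the others have the record."""
    if server == "1.1.1.1":
        return "timeout", None
    return "answer", "192.168.7.234"


def first_server_says_nxdomain(server, name):
    """Constructed responder: the first server answers that the name does not exist."""
    return "nxdomain", None


if __name__ == "__main__":
    search, servers, opts = parse_resolv_conf(RESOLV_CONF)
    print(candidates("dpindex-web01", search, ndots=opts["ndots"]))
    print(resolve_with_failover("www.cui", servers, opts["attempts"], first_server_down))
```

One consequence worth seeing in the output: with ndots:2, even the one-dot name shop-web01.beta is first tried as shop-web01.beta.beta, so a search suffix that is also a real zone costs an extra query and a negative answer for every such lookup.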




"Query commands"

1 nslookup is used mainly on Windows; on Linux it is also easy to use.

nslookup domain-name

nslookup IP          (reverse resolution)

Analysis of the returned information:

Reference

http://doc.okbase.net/1382972/archive/110141.html

Focus on:

The flags field: a flag that appears is set; one that does not appear is not set.

QR: the query/response flag, marking the message as the response to a query operation.

RD (recursion desired): the client asked for a recursive query.

RA (recursion available): set in the reply; the server that was queried supports recursive queries.

AA (authoritative answer): if the result comes from the name server that manages the domain rather than from a caching server, the reply is called authoritative.

AUTHORITY: the number of authoritative name server records; 5 means the domain has 5 authoritative name servers that can be used to resolve it. It corresponds to the AUTHORITY SECTION below the header.

ADDITIONAL: the number of extra records; 6 means 6 additional records. It corresponds to the ADDITIONAL SECTION below the header.
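As an added example (not from the original post and not dig's code), the parser below reads the header line that dig prints and turns the flags just explained into the judgements this section cares about: is this a reply, was recursion asked for and offered, is the answer authoritative or from a cache, and how many authority and additional records follow. The two header samples are constructed in dig's output format for this page's www.cui name, not captured from a real server.

```python
"""Read the header that dig prints and interpret the flags explained above:
QR, RD, RA, AA and the AUTHORITY/ADDITIONAL counts.

Added example, not part of the original post and not dig's code. The two
header samples below are constructed in dig's output format for the page's
www.cui name; they are not captured from a real server.
"""
import re

HEADER_RE = re.compile(
    r";; flags:\s*(?P<flags>[a-z ]*);\s*QUERY:\s*(?P<query>\d+),\s*ANSWER:\s*(?P<answer>\d+),"
    r"\s*AUTHORITY:\s*(?P<authority>\d+),\s*ADDITIONAL:\s*(?P<additional>\d+)"
)
STATUS_RE = re.compile(r"status:\s*(\w+)")


def parse_dig_header(output):
    """Return {"status": ..., "flags": set, "counts": {...}} from dig output."""
    m = HEADER_RE.search(output)
    if m is None:
        raise ValueError("no ';; flags:' header line found")
    status = STATUS_RE.search(output)
    return {
        "status": status.group(1) if status else None,
        "flags": set(m.group("flags").split()),
        "counts": {k: int(m.group(k)) for k in ("query", "answer", "authority", "additional")},
    }


def interpret(header):
    """Turn the raw flags into the statements this section makes about them."""
    flags = header["flags"]
    return {
        "is_response": "qr" in flags,            # QR: this message is a reply
        "recursion_requested": "rd" in flags,    # RD: the client asked for recursion
        "recursion_available": "ra" in flags,    # RA: the server offers recursion
        "authoritative": "aa" in flags,          # AA: answered by the zone's own server
        "answer_source": "authoritative name server" if "aa" in flags else "cache (non-authoritative)",
        "authoritative_servers": header["counts"]["authority"],
        "additional_records": header["counts"]["additional"],
    }


# Constructed: reply relayed by a caching/recursive server (no AA, RA set).
CACHED_REPLY = """\
; <<>> DiG 9.8 <<>> www.cui
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
"""

# Constructed: reply straight from the zone's own server (AA set, no RA).
AUTHORITATIVE_REPLY = """\
; <<>> DiG 9.8 <<>> @bind1.cui www.cui
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
"""

if __name__ == "__main__":
    for sample in (CACHED_REPLY, AUTHORITATIVE_REPLY):
        print(interpret(parse_dig_header(sample)))
```

Checking the AA flag is the quick way to tell whether an unexpected answer came from the zone itself or from some intermediate cache, which is the first question when a record looks wrong.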



2 The dig command

dig domain-name

By default uses the local DNS configuration (/etc/resolv.conf) to resolve the name

and queries the A record by default.

Options and parameters:

dig @dnsserver domain-name

Uses the name server you specify to resolve the domain name, for example:

dig @localhost beta

dig -t type domain-name

Role: specify the record type, for example:

dig -t MX dianping.com

dig -x IP

Role: perform a reverse lookup; generally used on the intranet, for example:

dig -x 192.168.213.86

dig +trace domain-name

Role: forces the lookup to iterate from the root servers, for example:

dig +trace www.sina.com.cn




"Forwarding"

Forwards queries to a specified name server for resolution.

The common configuration is to forward a zone that the server cannot resolve itself, for example:

the beta and nh zones cannot be resolved by the local name server, so they need to be forwarded. Inside the zone statement for such a zone:

type forward;

forwarders { 192.168.211.116; };

(The statement that lists the server addresses is forwarders; the forward statement itself only selects the policy, first or only.)


Note: of course you can also forward globally, in which case this name server acts purely as a forwarding server!

How it works: by default forwarding takes priority (relative to iterating from the root).

The process is: resolve the name locally; if it is neither in a local zone nor in the cache, send the query to the forwarding server; if no response arrives within a short time, fall back to normal operation and start an iterative query!

Whether or not you add forward only; makes only a small difference compared with forwarding first; the difference is mainly in speed!

Since behaviour differs between versions (my BIND version is 9.8), watch the log:

tail -f /var/log/messages

With the default configuration file and only one forward zone configured, resolution may fail with the error

Validating @0x7f4f680616c0: Beta Soa:got insecure response; Parent indicates it should be secure

Solution:

dnssec-enable no;

dnssec-validation no;

Change both from yes to no. This switches DNSSEC validation off for every zone the server resolves, not only the forwarded one.






This article is from the "Tridewah operation and maintenance work Road" blog, please be sure to keep this source http://cuidehua.blog.51cto.com/5449828/1774913
