DNS and Bind (2)
Installation and configuration of BIND:
BIND: Berkeley Internet Name Domain, from isc.org
DNS: the protocol
BIND: an implementation of the DNS protocol
named: the name of the running BIND program (the process name)
Packages:
bind-libs: library files used by the programs in the bind and bind-utils packages;
bind-utils: BIND client tools, such as dig, host, nslookup, etc.;
bind: the DNS server program itself, plus several commonly used test programs;
bind-chroot: optional, lets named run in a chroot jail;
bind
Main configuration file: /etc/named.conf
It may also include other files, for example:
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
Zone data files:
Under the /var/named/ directory;
Usually named ZONE_NAME.zone
Note: (1) one DNS server can serve multiple zones at the same time;
(2) the root zone hint file named.ca must exist;
(3) there should also be two zone files: the forward and reverse zones for localhost and 127.0.0.1;
Forward: named.localhost
Reverse: named.loopback
rndc: Remote Name Daemon Control
953/TCP, but by default it listens only on 127.0.0.1, so only local use is allowed;
After the BIND package is installed it works as a caching name server by default, so if there are no zones of your own to serve, the service can simply be started.
CentOS 6: service named start
CentOS 7: systemctl start named.service
Main configuration file format:
Global configuration section:
options { ... };
Logging configuration section:
logging { ... };
Zone configuration sections:
zone { ... };
One for each zone the local server is authoritative for, or forwards;
Note: every configuration statement must end with a semicolon;
Configuring a caching name server:
Listen on an address that can communicate with external hosts;
Default: listen-on port 53 { 127.0.0.1; };
Changed to: listen-on port 53 { 172.16.100.67; };
While learning, it is recommended to turn DNSSEC off:
dnssec-enable no;
dnssec-validation no;
dnssec-lookaside no;
Remove the restriction that allows queries from the local host only (the default setting):
allow-query { localhost; };
Check the configuration file for syntax errors:
named-checkconf [/etc/named.conf]
Test tools:
dig, host, nslookup, etc.
dig command:
dig [-t RR_TYPE] NAME [@SERVER] [query options]
Used to test the DNS system, so it never consults the hosts file;
Query options:
+[no]trace: trace the resolution process;
+[no]recurse: request recursive resolution;
Note: reverse resolution test
dig -x IP
Simulate a full zone transfer:
dig -t AXFR DOMAIN [@SERVER]
host command:
host [-t RR_TYPE] NAME SERVER_IP
nslookup command:
nslookup [-options] [NAME] [SERVER]
Interactive mode:
nslookup>
server IP: query the DNS server at the specified IP;
set q=RR_TYPE: the type of resource record to query;
NAME: the name to query;
rndc command: controls the named service
rndc status
rndc flush
Configuring a forward zone:
Using the magedu.com domain as an example:
(1) Define the zone
Done in the main configuration file or in a secondary configuration file included by it;
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
Note: the zone name is the domain name;
(2) Create the zone data file (the main records are A or AAAA records)
Create the zone data file under the /var/named directory;
File: /var/named/magedu.com.zone
$TTL 3600
$ORIGIN magedu.com.
@ IN SOA ns1.magedu.com. dnsadmin.magedu.com. (
2017010801
1H
10M
3D
1D )
@ IN NS ns1
@ IN MX 10 mx1
@ IN MX 20 mx2 ; the preference value for mx2 is missing from the page, 20 is assumed
ns1 IN A 172.16.100.67
mx1 IN A 172.16.100.68
mx2 IN A 172.16.100.69
www IN A 172.16.100.67
web IN CNAME www
bbs IN A 172.16.100.70
bbs IN A 172.16.100.71
Permission and group changes:
# chgrp named /var/named/magedu.com.zone
# chmod o= /var/named/magedu.com.zone
Check for syntax errors:
# named-checkzone ZONE_NAME ZONE_FILE
# named-checkconf
(3) Have the server reload the configuration file and the zone data file
# rndc reload, or
# systemctl reload named.service
Configuring a reverse zone:
(1) Define the zone
Done in the main configuration file or in a secondary configuration file included by it;
zone "ZONE_NAME" IN {
type {master|slave|hint|forward};
file "ZONE_NAME.zone";
};
Note: the name of a reverse zone is
the network address written with its octets in reverse order, followed by .in-addr.arpa
100.16.172.in-addr.arpa
(2) Define the zone data file (the main records are PTR records)
Example, with the zone name 100.16.172.in-addr.arpa;
(the owner of each PTR record is the last octet of the host address, taken here from the forward zone above)
$TTL 3600
$ORIGIN 100.16.172.in-addr.arpa.
@ IN SOA ns1.magedu.com. nsadmin.magedu.com. (
2017010801
1H
10M
3D
12H )
@ IN NS ns1.magedu.com.
67 IN PTR ns1.magedu.com.
68 IN PTR mx1.magedu.com.
69 IN PTR mx2.magedu.com.
70 IN PTR bbs.magedu.com.
71 IN PTR bbs.magedu.com.
67 IN PTR www.magedu.com.
Permission and group changes:
# chgrp named /var/named/172.16.100.zone
# chmod o= /var/named/172.16.100.zone
Check for syntax errors:
# named-checkzone ZONE_NAME ZONE_FILE
# named-checkconf
(3) Have the server reload the configuration file and the zone data file
# rndc reload, or
# systemctl reload named.service
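The forward and reverse zones above are hand-written twins of the same host list, and the page's reverse zone shows how easily the two drift apart. The following Python script is an added example (not part of the original notes or of BIND) that derives the reverse zone name from a network, computes the PTR owner label for each address, generates both zone files from one host list, and checks that every A record has its matching PTR. Host names, addresses and SOA values are the page's magedu.com example; the MX preference 20 for mx2 is an assumption, and the CNAME record is left out because it has no PTR.

```python
import ipaddress

# Constructed sample data: the hosts of this page's magedu.com example.
# Labels are relative to the zone origin; one label may carry several A records.
HOSTS = [
    ("ns1", "172.16.100.67"),
    ("mx1", "172.16.100.68"),
    ("mx2", "172.16.100.69"),
    ("www", "172.16.100.67"),
    ("bbs", "172.16.100.70"),
    ("bbs", "172.16.100.71"),
]
MX_HOSTS = [(10, "mx1"), (20, "mx2")]  # (preference, mail host label); 20 is assumed
SOA = "2017010801 1H 10M 3D 1D"  # serial, refresh, retry, expire, negative-cache TTL


def reverse_zone_name(network: str) -> str:
    """Reverse-octet zone name for a /8, /16 or /24 network,
    e.g. 172.16.100.0/24 -> 100.16.172.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only octet-aligned IPv4 networks are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str, network: str) -> str:
    """Owner label of the PTR record for ip inside the reverse zone of network:
    the host-part octets in reverse order (172.16.100.67 in a /24 -> '67')."""
    net = ipaddress.ip_network(network, strict=True)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_octets = ip.split(".")[net.prefixlen // 8:]
    return ".".join(reversed(host_octets))


def forward_zone(domain: str, ns: str, hosts, mx) -> str:
    """Render a forward zone file in the layout used on this page."""
    lines = [
        "$TTL 3600",
        f"$ORIGIN {domain}.",
        f"@ IN SOA {ns}.{domain}. dnsadmin.{domain}. ( {SOA} )",
        f"@ IN NS {ns}",
    ]
    lines += [f"@ IN MX {pref} {label}" for pref, label in mx]
    lines += [f"{label} IN A {ip}" for label, ip in hosts]
    return "\n".join(lines) + "\n"


def reverse_zone(domain: str, ns: str, network: str, hosts) -> str:
    """Render the matching reverse zone: one PTR per A record in hosts."""
    lines = [
        "$TTL 3600",
        f"$ORIGIN {reverse_zone_name(network)}.",
        f"@ IN SOA {ns}.{domain}. nsadmin.{domain}. ( {SOA} )",
        f"@ IN NS {ns}.{domain}.",
    ]
    lines += [f"{ptr_owner(ip, network)} IN PTR {label}.{domain}." for label, ip in hosts]
    return "\n".join(lines) + "\n"


def missing_ptrs(forward_text: str, reverse_text: str, domain: str, network: str) -> list:
    """A records in the forward zone with no matching PTR in the reverse zone.
    Parses only the simple 'owner IN TYPE data' lines produced above."""
    ptrs = set()
    for line in reverse_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "PTR":
            ptrs.add((parts[0], parts[3]))
    gaps = []
    for line in forward_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2] == "A":
            label, ip = parts[0], parts[3]
            if (ptr_owner(ip, network), f"{label}.{domain}.") not in ptrs:
                gaps.append((label, ip))
    return gaps


if __name__ == "__main__":
    fwd = forward_zone("magedu.com", "ns1", HOSTS, MX_HOSTS)
    rev = reverse_zone("magedu.com", "ns1", "172.16.100.0/24", HOSTS)
    print(fwd)
    print(rev)
    print("missing PTRs:", missing_ptrs(fwd, rev, "magedu.com", "172.16.100.0/24"))
```

Run it, write the two outputs to /var/named/magedu.com.zone and /var/named/172.16.100.zone, and then apply the page's own named-checkzone and rndc reload steps; the generated files are only as correct as the host list, so named-checkzone remains the authoritative syntax check.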
Master and slave servers:
Note: master and slave are zone-level concepts: a server is master or slave per zone, not as a whole;
Configure a slave zone:
On the slave
(1) Define the zone
Define a slave zone;
zone "ZONE_NAME" IN {
type slave;
file "slaves/ZONE_NAME.zone";
masters { MASTER_IP; };
};
Configuration file syntax check: named-checkconf
(2) Reload the configuration
rndc reload
systemctl reload named.service
On the master
(1) Make sure the zone data file has an NS record for each slave server, and that the forward zone file has an A record for each of those NS names whose address is the slave's real IP;
Note: keep the clocks synchronized;
ntpdate command;
Subdomain delegation:
Delegating a subdomain in a forward zone (NS records plus the glue A records of the subdomain's name servers):
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A IP.AD.DR.ESS
ns2.ops.magedu.com. IN A IP.AD.DR.ESS
Defining forwarding:
Note: the server being forwarded to must allow recursion for the current server;
(1) Zone forwarding: forward only the resolution requests for a specific zone;
zone "ZONE_NAME" IN {
type forward;
forward {first|only};
forwarders { SERVER_IP; };
};
first: forward first; if the forwarder does not respond, resolve the query iteratively on its own;
only: forward only;
(2) Global forwarding: every query for a zone not defined locally is sent to the forwarder;
options {
... ...
forward {only|first};
forwarders { SERVER_IP; };
... ...
};
Security-related configuration in BIND:
ACL: access control list; merges one or more addresses into a named set, so that the name can later be used to refer to all hosts in the set at once;
acl ACL_NAME {
IP;
NET/PRELEN;
};
Example:
acl mynet {
172.16.0.0/16;
127.0.0.0/8;
};
BIND has four built-in ACLs:
none: no host;
any: any host;
localhost: the local machine;
localnets: the networks the local machine's interfaces are on;
Access control directives:
allow-query {}; which hosts are allowed to query; a whitelist;
allow-transfer {}; which hosts are allowed to perform zone transfers; the default allows all hosts, so it should be configured to allow only the slave servers;
allow-recursion {}; which hosts are allowed to send recursive queries to this DNS server;
allow-update {}; DDNS, allows dynamic updates to the contents of the zone database file;
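The four allow-* directives above are the settings most often left at a dangerous value, so a quick automated review of named.conf is worthwhile before reload. The script below is an added example (not from the original notes and not a BIND tool): it pulls the allow-* address-match lists out of the options block and every zone block with a small regex parser and reports the cases the notes warn about, namely open recursion, zone transfers open to any host or not restricted at all, and dynamic updates from any host. The configuration fragment, including the acl names mynet and slaves, is constructed for the example; the parser only understands the simple one-directive-per-line layout shown and is not a substitute for named-checkconf.

```python
import re

# Constructed sample: a named.conf fragment in the style of this page's examples,
# deliberately containing the weak settings a reviewer would flag.
SAMPLE_CONF = """
acl mynet { 172.16.0.0/16; 127.0.0.0/8; };
acl slaves { 172.16.100.68; };
options {
    listen-on port 53 { 172.16.100.67; };
    allow-query { any; };
    allow-recursion { any; };
    dnssec-validation no;
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { any; };
    allow-update { none; };
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
    allow-transfer { slaves; };
};
"""

# An options block or a zone block: the body runs up to the first "};" at line start.
BLOCK_RE = re.compile(r'(options\s*|zone\s+"([^"]+)"[^{]*)\{(.*?)\n\};', re.S)
# One allow-* directive and the entries of its address match list.
DIRECTIVE_RE = re.compile(r'(allow-(?:query|transfer|recursion|update))\s*\{([^}]*)\}')


def parse_blocks(conf: str) -> dict:
    """Map 'options' and each zone name to its allow-* directives;
    values are the address-match-list entries, e.g. ['any'] or ['slaves']."""
    blocks = {}
    for head, zone, body in BLOCK_RE.findall(conf):
        name = "options" if head.startswith("options") else zone
        blocks[name] = {
            directive: [e.strip() for e in entries.split(";") if e.strip()]
            for directive, entries in DIRECTIVE_RE.findall(body)
        }
    return blocks


def audit(conf: str) -> list:
    """Return (scope, finding) pairs for the risky settings this page warns about."""
    findings = []
    blocks = parse_blocks(conf)
    opts = blocks.get("options", {})
    if opts.get("allow-recursion") == ["any"]:
        findings.append(("options", "allow-recursion { any; } makes this an open resolver"))
    for name, directives in blocks.items():
        if name == "options":
            continue
        # A zone inherits allow-transfer from options when it sets none of its own.
        transfer = directives.get("allow-transfer", opts.get("allow-transfer"))
        if transfer is None:
            findings.append((name, "allow-transfer not set; the default described on this page allows AXFR to all hosts"))
        elif transfer == ["any"]:
            findings.append((name, "allow-transfer { any; } lets any host copy the whole zone"))
        if directives.get("allow-update") == ["any"]:
            findings.append((name, "allow-update { any; } lets any host rewrite zone data"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONF):
        print(f"{scope}: {finding}")
```

The corrected configuration, in the page's terms, is allow-recursion { mynet; } in options and allow-transfer { slaves; } in every master zone; with those two changes audit() returns an empty list.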
BIND views:
view:
view VIEW_NAME {
zone ... ;
zone ... ;
zone ... ;
};
Note: once any view is defined, every zone must be defined inside a view; views are tried in configuration order, and the first view whose match-clients matches the client is the one used, which is why the internal view is placed before the external one below;
view internal {
match-clients { 172.16.0.0/8; };
zone "magedu.com" IN {
type master;
file "magedu.com/internal";
};
};
view external {
match-clients { any; };
zone "magedu.com" IN {
type master;
file "magedu.com/external";
};
};
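Because the first matching view wins, swapping the two views above would silently hand internal clients the external answers. The following Python snippet is an added example (not from the original notes and not BIND code) that models view selection the way named performs it, and flags views that can never be reached because an earlier view already matches every address they could. The view list is constructed from the page's example; the internal match-clients entry is taken as 172.16.0.0/16 to match the acl example earlier on the page, which is an assumption.

```python
import ipaddress

# Built-in ACL names resolved to networks; other entries are taken as CIDR literals.
BUILTIN_ACLS = {"any": ["0.0.0.0/0"], "none": []}

# Constructed: the two views of this page's example, in configuration order.
# (view name, match-clients entries, zone file served for magedu.com)
VIEWS = [
    ("internal", ["172.16.0.0/16"], "magedu.com/internal"),  # /16 assumed
    ("external", ["any"], "magedu.com/external"),
]


def expand(entries):
    """Turn a match-clients list into ipaddress networks."""
    nets = []
    for entry in entries:
        for cidr in BUILTIN_ACLS.get(entry, [entry]):
            nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def select_view(views, client_ip):
    """named tries views in configuration order and serves the first whose
    match-clients list matches the client; returns the view name or None."""
    addr = ipaddress.ip_address(client_ip)
    for name, match_clients, _zone_file in views:
        if any(addr in net for net in expand(match_clients)):
            return name
    return None


def unreachable_views(views):
    """Views that can never be selected because every network they match is
    already covered by an earlier view (e.g. a view with 'any' placed first)."""
    covered, dead = [], []
    for name, match_clients, _zone_file in views:
        nets = expand(match_clients)
        if nets and all(any(net.subnet_of(c) for c in covered) for net in nets):
            dead.append(name)
        covered.extend(nets)
    return dead


if __name__ == "__main__":
    for ip in ("172.16.100.5", "8.8.8.8"):
        print(ip, "->", select_view(VIEWS, ip))
    print("unreachable with the page's order:", unreachable_views(VIEWS))
    print("unreachable with the order swapped:", unreachable_views(list(reversed(VIEWS))))
```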
Homework: the whois command; register a domain name;
Blog assignment: forward zone, reverse zone, master/slave, subdomain delegation, basic security controls;
Linux services: DNS (2)