Primary DNS Server Setup
Build a name server on this machine that is authoritative for the hngd.com domain.
1. Make sure the following bind packages are installed:
[root@Master ~]# rpm -qa | grep ^bind
bind-chroot-9.8.2-0.17.rc1.el6.x86_64
bind-libs-9.8.2-0.17.rc1.el6.x86_64
bind-9.8.2-0.17.rc1.el6.x86_64
bind-utils-9.8.2-0.17.rc1.el6.x86_64
2. In the main configuration file, define the hngd.com forward zone and the matching reverse zone, then run named-checkconf to check the syntax.
[root@Master ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.100.20; };   // listen on the interface with address 192.168.100.20
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };                    // answer queries from any address
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "hngd.com" IN {                             // forward zone for hngd.com
        type master;
        file "hngd.zones";
        allow-update { none; };                  // dynamic updates from clients; none = not allowed
};

zone "100.168.192.in-addr.arpa" IN {             // reverse zone for 192.168.100.0/24
        type master;
        file "192.168.100.zone";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Two things to note about these options. allow-query { any; } together with recursion yes makes this server an open resolver: any host that can reach port 53 can use it for recursive lookups, which also makes it usable for DNS reflection attacks. Keep allow-query { any; } for the zones the server is authoritative for, but limit recursion to your own clients with allow-recursion { 192.168.100.0/24; localhost; };. Neither master zone has an allow-transfer statement, so any host can request a full zone transfer (AXFR) and enumerate every name in hngd.com; add allow-transfer { none; }; (or the address of a slave, once there is one). dnssec-lookaside auto refers to the ISC DLV registry, which has since been retired; it is harmless here but does nothing on a current installation.
[root@Master ~]# named-checkconf /etc/named.conf   # no output means no syntax errors in /etc/named.conf
[root@Master ~]#
named-checkconf -z additionally loads every zone file listed in the configuration, which catches zone-file errors at the same time.
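The two exposures described above (recursion open to the world, and master zones with no allow-transfer) can be checked mechanically before a restart. The script below is an added example, not code from the original tutorial: it writes two constructed named.conf samples, one with the settings used on this master and one restricted with allow-recursion and allow-transfer (the ACL name "internal" and the slave address 192.168.100.2 are assumptions for illustration), and audits each with a small awk pass over the options and zone blocks. The same check applies to the slave and cache-only configurations later on this page.

```shell
#!/bin/sh
# Added example: audit a BIND named.conf for two exposures left open in the
# tutorial's master config: open recursion and unrestricted zone transfers.
# The sample configs are constructed; the "internal" ACL and the slave
# address 192.168.100.2 are assumptions for illustration.

# write_sample_configs DIR -> creates DIR/weak.conf and DIR/hardened.conf
write_sample_configs() {
    dir="$1"
    # weak.conf: the settings used on the tutorial's master
    cat > "$dir/weak.conf" <<'EOF'
options {
    listen-on port 53 { 192.168.100.20; };
    directory "/var/named";
    allow-query { any; };      // anyone may query ...
    recursion yes;             // ... and gets recursion: open resolver
};
zone "." IN { type hint; file "named.ca"; };
zone "hngd.com" IN {
    type master;
    file "hngd.zones";
    allow-update { none; };    // no allow-transfer: anyone can AXFR the zone
};
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.100.zone";
    allow-update { none; };
};
EOF
    # hardened.conf: authoritative answers for anyone, recursion only for
    # the LAN, transfers only to the slave
    cat > "$dir/hardened.conf" <<'EOF'
acl internal { 192.168.100.0/24; 127.0.0.1; };
options {
    listen-on port 53 { 192.168.100.20; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    allow-recursion { internal; };          // recursion for LAN clients only
    allow-transfer { 192.168.100.2; };      // zone transfers only to the slave
};
zone "." IN { type hint; file "named.ca"; };
zone "hngd.com" IN {
    type master;
    file "hngd.zones";
    allow-update { none; };
};
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.100.zone";
    allow-update { none; };
};
EOF
}

# audit_named_conf FILE -> prints one finding per line; returns 1 if any
audit_named_conf() {
    findings=$(awk '
    {
        line = $0
        sub(/\/\/.*/, "", line)                 # drop // comments
        sub(/#.*/, "", line)                    # drop # comments
        if (depth == 0 && line ~ /^[ \t]*zone[ \t]+"/) {
            inzone = 1; master = 0; at = 0
            name = line
            sub(/^[ \t]*zone[ \t]+"/, "", name); sub(/".*$/, "", name)
        }
        if (depth == 0 && line ~ /^[ \t]*options[ \t]*[{]/) inopt = 1
        if (inzone && line ~ /type[ \t]+master/)               master = 1
        if (inzone && line ~ /allow-transfer/)                 at = 1
        if (inopt  && line ~ /allow-transfer/)                 gat = 1
        if (inopt  && line ~ /recursion[ \t]+yes/)             rec = 1
        if (inopt  && line ~ /allow-query[ \t]*[{][ \t]*any/)  anyq = 1
        if (inopt  && line ~ /allow-recursion/)                arec = 1
        # track brace depth so a block is evaluated when it closes
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
        if (depth == 0 && inzone) {
            if (master && !at && !gat)
                print "zone " name ": type master with no allow-transfer (anyone can AXFR it)"
            inzone = 0
        }
        if (depth == 0 && inopt) inopt = 0
    }
    END {
        if (rec && anyq && !arec)
            print "options: recursion yes + allow-query { any; } with no allow-recursion (open resolver)"
    }' "$1")
    [ -n "$findings" ] || return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on the constructed samples
tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak hardened; do
    if audit_named_conf "$tmp/$f.conf"; then
        echo "$f.conf: no findings"
    else
        echo "$f.conf: see findings above"
    fi
done
rm -rf "$tmp"
```

Run it against /etc/named.conf on the real server with audit_named_conf /etc/named.conf; the awk pass only understands the plain block layout used on this page (one statement per line, // or # comments), which is enough for the files shown here.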
3. In /var/named, create the forward and reverse zone data files. Note that fully qualified names must end with a "." (a name without the trailing dot has $ORIGIN appended to it).
[root@Master ~]# cat /var/named/hngd.zones   # forward zone data for hngd.com
$ORIGIN hngd.com.                 ; the zone this file belongs to
$TTL 1D
@       IN SOA  dns.hngd.com. admin.hngd.com. (   ; leave a space before "("
                2016032011        ; serial
                1D                ; refresh
                1H                ; retry
                1W                ; expire
                3H                ; negative-caching TTL
                )
        NS      dns.hngd.com.     ; name server
        MX 5    mail.hngd.com.    ; mail server
dns     IN A    192.168.100.20
mail    IN A    192.168.100.10
www     IN A    192.168.100.11
bbs     IN CNAME www
[root@Master ~]# cat /var/named/192.168.100.zone   # reverse zone data
$ORIGIN 100.168.192.in-addr.arpa.
$TTL 1D
@       IN SOA  dns.hngd.com. admin.hngd.com. (
                2016032011
                1D
                1H
                1W
                3H
                )
        NS      dns.hngd.com.
20      IN PTR  dns.hngd.com.
10      IN PTR  mail.hngd.com.
11      IN PTR  www.hngd.com.
In the SOA record, admin.hngd.com. is the contact mailbox admin@hngd.com with the "@" written as a "."; the serial (here a date followed by a two-digit counter) must be increased on every change, otherwise slaves will never pick the change up.
4. Use named-checkzone to verify the syntax of the forward and reverse zone files
[root@Master ~]# named-checkzone hngd.com /var/named/hngd.zones
zone hngd.com/IN: loaded serial 2016032011
OK
[root@Master ~]# named-checkzone 100.168.192.in-addr.arpa /var/named/192.168.100.zone
zone 100.168.192.in-addr.arpa/IN: loaded serial 2016032011
OK
5. Point the nameserver entry in /etc/resolv.conf at this server.
[root@Master ~]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
#nameserver 114.114.114.114
nameserver 192.168.100.20
The first line shows that this file was written by the DHCP client; if the interface uses DHCP, dhclient will overwrite it at the next lease renewal, so set the DNS server in the interface configuration instead (DNS1= in /etc/sysconfig/network-scripts/ifcfg-<interface>, or PEERDNS=no) to make the change stick.
6. Restarting named does not report an error at this point, but /var/log/messages shows permission problems. Make user and group named the owner of everything in /var/named, and make sure named can read /etc/rndc.key:
# /var/log/messages
Mar 20 14:20:20 Master named[3186]: none:0: open: /etc/rndc.key: permission denied
Mar 20 14:20:20 Master named[3186]: couldn't add command channel 127.0.0.1#953: permission denied
[root@Master ~]# chown named:named /var/named/*
The chown takes care of the zone files, but the two messages above are about /etc/rndc.key: named runs as user named and cannot open the control-channel key, so rndc cannot connect to 127.0.0.1:953. ls -l /etc/rndc.key should show owner root, group named and mode 640. The original tutorial also disables SELinux at this step; that is not needed. The stock policy lets named read /var/named and write to /var/named/slaves, data and dynamic, so after copying files in, run restorecon -Rv /var/named to restore the labels instead of turning SELinux off.
7. Restarting named now hangs for a long time at "Generating /etc/rndc.key:". rndc-confgen reads its key material from /dev/random by default, which blocks until the kernel has gathered enough entropy, and a freshly installed (virtual) machine has very little.
Workaround: generate the key from /dev/urandom instead:
[root@Master ~]# rndc-confgen -r /dev/urandom -a
Then start the service with service named start; it now starts normally. Check the key's ownership and mode afterwards (see step 6), since the file is written by root.
8. Check that port 53 is open
[root@Master ~]# lsof -i :53
COMMAND  PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
named   3288 named   20u  IPv4  17544      0t0  TCP localhost:domain (LISTEN)
named   3288 named   21u  IPv4  17546      0t0  TCP 10.0.6.77:domain (LISTEN)
named   3288 named   22u  IPv4  17548      0t0  TCP dns.hngd.com:domain (LISTEN)
named   3288 named   23u  IPv6  17550      0t0  TCP localhost:domain (LISTEN)
named   3288 named  512u  IPv4  17543      0t0  UDP localhost:domain
named   3288 named  513u  IPv4  17545      0t0  UDP 10.0.6.77:domain
named   3288 named  514u  IPv4  17547      0t0  UDP dns.hngd.com:domain
named   3288 named  515u  IPv6  17549      0t0  UDP localhost:domain
[root@Master ~]# netstat -anptlu | grep named    # gives the same information
Note that this listing shows named bound on localhost and on a second interface (10.0.6.77) as well as on dns.hngd.com, whereas the listen-on line in step 2 only permits 192.168.100.20. Compare the sockets you actually see with the interfaces you meant to expose, especially on a host that also has an Internet-facing address.
9. Test with nslookup
[root@Master ~]# nslookup
> www.hngd.com
Server:         192.168.100.20
Address:        192.168.100.20#53

Name:   www.hngd.com
Address: 192.168.100.11
> 192.168.100.20
Server:         192.168.100.20
Address:        192.168.100.20#53

20.100.168.192.in-addr.arpa     name = dns.hngd.com.
> set type=MX
> 192.168.100.10
Server:         192.168.100.20
Address:        192.168.100.20#53

10.100.168.192.in-addr.arpa     name = mail.hngd.com.
The last query still returns a PTR record, not an MX: nslookup treats a dotted-quad argument as a reverse lookup regardless of the type that was set. To check the MX record, query the zone name after set type=MX (> hngd.com), or use dig MX hngd.com @192.168.100.20.
Building a slave (secondary) DNS server
A slave name server also answers client queries for the zone, but unlike the master its data is not entered by hand: it is copied by zone transfer from the master (or from another slave). The slave holds only a copy, so the zone data cannot be edited on it.
Setting up one or more slaves for a zone has the following advantages:
1. Fault tolerance: when the master fails, the slaves keep answering.
2. Load sharing: with many DNS clients, the slaves take part of the query load off the master.
3. Faster queries for clients that are close to a slave.
Configuring the slave
1. Main configuration file of the slave name server
# cat /etc/named.conf
options {
        listen-on port 53 { 192.168.100.2; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "hngd.com" IN {
        type slave;                         // this server is a slave for the zone
        masters { 192.168.100.20; };        // address of the master to transfer from
        file "slaves/hngd.zones";           // where the transferred copy is stored, relative to directory
};

zone "100.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.100.20; };
        file "slaves/192.168.100.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
The transfer works here only because the master in the previous section has no allow-transfer statement at all. Once transfers on the master are restricted, the slave's address must be listed there: allow-transfer { 192.168.100.2; };. The same open-resolver caveat (allow-query { any; } with recursion yes) applies to this server.
2. Point the nameserver entry in /etc/resolv.conf on the slave at 192.168.100.2.
3. The original tutorial turns off the firewall and SELinux on the slave. What is actually required is port 53 open for both UDP and TCP (zone transfers run over TCP); SELinux can stay enforcing, since /var/named/slaves is writable by named under the default policy.
4. Restart named and look in /var/named/slaves: the forward and reverse zone files have been transferred automatically.
# ls /var/named/slaves/
192.168.100.zone  hngd.zones
5. Test that the slave resolves names
# nslookup www.hngd.com
Server:         192.168.100.2
Address:        192.168.100.2#53

Name:   www.hngd.com
Address: 192.168.100.11
6. Now a propagation test. On the master, update the forward and reverse zone files: increase the serial by 1 and add records for the slave (an A record and a second NS record, so the slave is also listed as a name server for the zone):
[root@Master ~]# cat /var/named/hngd.zones
$ORIGIN hngd.com.
$TTL 1D
@       IN SOA  dns.hngd.com. admin.hngd.com. (
                2016032012
                1D
                1H
                1W
                3H
                )
        NS      dns.hngd.com.
        NS      slave.hngd.com.
        MX 5    mail.hngd.com.
slave   IN A    192.168.100.2
dns     IN A    192.168.100.20
mail    IN A    192.168.100.10
www     IN A    192.168.100.11
bbs     IN CNAME www
[root@Master ~]# cat /var/named/192.168.100.zone
$ORIGIN 100.168.192.in-addr.arpa.
$TTL 1D
@       IN SOA  dns.hngd.com. admin.hngd.com. (
                2016032012
                1D
                1H
                1W
                3H
                )
        NS      dns.hngd.com.
20      IN PTR  dns.hngd.com.
10      IN PTR  mail.hngd.com.
11      IN PTR  www.hngd.com.
2       IN PTR  slave.hngd.com.
7. Rather than wait for the slave's refresh interval (1D in the SOA), the tutorial deletes the slave's copies and restarts named, which forces a new transfer; both files reappear with the new serial:
# cd /var/named/slaves/
# rm -rf *
# service named restart
Stopping named: [  OK  ]
Starting named: [  OK  ]
# ls
192.168.100.zone  hngd.zones
# cat 192.168.100.zone
$ORIGIN .
$TTL 86400      ; 1 day
100.168.192.in-addr.arpa IN SOA dns.hngd.com. admin.hngd.com. (
                                2016032012 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      dns.hngd.com.
$ORIGIN 100.168.192.in-addr.arpa.
10                      PTR     mail.hngd.com.
11                      PTR     www.hngd.com.
2                       PTR     slave.hngd.com.
20                      PTR     dns.hngd.com.
# cat hngd.zones
$ORIGIN .
$TTL 86400      ; 1 day
hngd.com                IN SOA  dns.hngd.com. admin.hngd.com. (
                                2016032012 ; serial
                                86400      ; refresh (1 day)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                10800      ; minimum (3 hours)
                                )
                        NS      dns.hngd.com.
                        NS      slave.hngd.com.
                        MX      5 mail.hngd.com.
$ORIGIN hngd.com.
bbs                     CNAME   www
dns                     A       192.168.100.20
mail                    A       192.168.100.10
slave                   A       192.168.100.2
www                     A       192.168.100.11
The files are written back by named in its own canonical layout (absolute $ORIGIN, TTLs in seconds, records sorted), so they no longer look like the master's copy; the serial is what matters. Deleting the files is not necessary. After a change, run rndc reload hngd.com on the master: named then sends NOTIFY to the zone's NS records (the slave is now one of them) and the slave transfers immediately. Alternatively run rndc retransfer hngd.com on the slave. If the serial had not been increased, the slave would have kept its old data no matter how often it checked.
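Steps 6 and 7 above edit the serial by hand and then delete the slave's copies to force a transfer. The script below is an added example, not code from the original page: it bumps a date-based serial (YYYYMMDDnn) in a zone file in place and reads it back, then shows the normal way to push the change, reloading the zone on the master so it sends NOTIFY and comparing the SOA serial on master and slave with dig. The sample zone is a constructed copy of the page's hngd.zones; the push_zone function needs rndc and dig on the master and is only defined here, not run; the master and slave addresses are the page's.

```shell
#!/bin/sh
# Added example: bump a zone's SOA serial safely and push the change to a
# slave without deleting the slave's files.

# next_serial CURRENT TODAY(YYYYMMDD) -> next serial in YYYYMMDDnn form.
# Same day: increment; new day: start at <today>00. The serial is a 32-bit
# unsigned counter and must only ever increase, or slaves ignore the change.
next_serial() {
    cur=$1; today=$2
    if [ "$cur" -ge "${today}00" ]; then
        echo $((cur + 1))
    else
        echo "${today}00"
    fi
}

# get_serial ZONEFILE -> current SOA serial: the first number after "SOA ... (",
# either on the SOA line or on the following line (the layout used on this page)
get_serial() {
    awk '
    state == 0 && /SOA/ {
        state = 1
        rest = $0
        if (sub(/^.*\(/, "", rest) && rest ~ /^[ \t]*[0-9]+/) {
            match(rest, /[0-9]+/); print substr(rest, RSTART, RLENGTH); exit
        }
        next
    }
    state == 1 && /^[ \t]*[0-9]+/ {
        match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit
    }' "$1"
}

# bump_zone_serial ZONEFILE TODAY -> rewrites the serial in place, prints the new one
bump_zone_serial() {
    file=$1; today=$2
    cur=$(get_serial "$file")
    [ -n "$cur" ] || { echo "no SOA serial found in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    awk -v new="$new" '
    state == 0 && /SOA/ {
        state = 1
        rest = $0
        if (sub(/^.*\(/, "", rest) && rest ~ /^[ \t]*[0-9]+/) {
            sub(/\([ \t]*[0-9]+/, "(" new); state = 2      # serial on the SOA line
        }
        print; next
    }
    state == 1 && /^[ \t]*[0-9]+/ { sub(/[0-9]+/, new); state = 2 }   # serial on its own line
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# push_zone ZONE ZONEFILE MASTER SLAVE -> check the file, reload the zone on the
# master (named sends NOTIFY to the zone's NS records), then compare serials.
# Needs named-checkzone, rndc and dig; run it on the master.
push_zone() {
    zone=$1; file=$2; master=$3; slave=$4
    named-checkzone "$zone" "$file" || return 1
    rndc reload "$zone" || return 1
    sleep 3
    master_serial=$(dig +short SOA "$zone" @"$master" | awk '{ print $3 }')
    slave_serial=$(dig +short SOA "$zone" @"$slave" | awk '{ print $3 }')
    if [ "$master_serial" = "$slave_serial" ]; then
        echo "$zone: slave $slave is at serial $slave_serial"
    else
        echo "$zone: master $master_serial, slave $slave_serial; run 'rndc retransfer $zone' on the slave" >&2
        return 1
    fi
}

# write_sample_zone DIR -> constructed copy of the page's hngd.zones
write_sample_zone() {
    cat > "$1/hngd.zones" <<'EOF'
$ORIGIN hngd.com.
$TTL 1D
@       IN SOA  dns.hngd.com. admin.hngd.com. (
                2016032011
                1D
                1H
                1W
                3H
                )
        NS      dns.hngd.com.
        MX 5    mail.hngd.com.
dns     IN A    192.168.100.20
mail    IN A    192.168.100.10
www     IN A    192.168.100.11
bbs     IN CNAME www
EOF
}

# Demo on the constructed zone file
tmp=$(mktemp -d)
write_sample_zone "$tmp"
echo "serial before: $(get_serial "$tmp/hngd.zones")"
echo "serial after:  $(bump_zone_serial "$tmp/hngd.zones" 20160320)"
rm -rf "$tmp"
# On the real master: push_zone hngd.com /var/named/hngd.zones 192.168.100.20 192.168.100.2
```

For a real change use the current date, bump_zone_serial /var/named/hngd.zones "$(date +%Y%m%d)", then push_zone as in the last comment; the slave only transfers if the master's allow-transfer (if any) includes it and the slave is reachable by NOTIFY, which is why push_zone compares the two serials instead of assuming the reload worked.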
Cache-only DNS server
Configuring a cache-only server
A cache-only server is a special kind of DNS server: it is not authoritative for any zone, but clients can still send it queries. It behaves like a proxy. It has no zone data of its own and hands every query to other DNS servers; when an answer comes back it is returned to the client and also kept in the cache, so the next client asking for the same name is answered from the cache, which is faster. A cache-only server on the LAN speeds up client lookups and reduces the traffic between the internal network and the outside.
Setting one up is simple: only the main configuration file named.conf is needed. Its options section is set up in the same way as for the primary name server above and is not repeated here. The following example walks through the configuration.
Case: configure the host with IP 192.168.100.254 as a caching name server
1. Create the main configuration file named.conf
# cat /etc/named.conf
options {
        listen-on port 53 { 192.168.100.254; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;                      // recursion must be on, or the server cannot answer for zones it does not hold
        forward only;                       // forward only: ask the forwarders and nothing else; forward first: ask the forwarders, and resolve from the root hints if none of them answers
        forwarders { 192.168.100.20; };     // send every incoming query to 192.168.100.20
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};
Because this server recurses on behalf of anyone who can reach it (allow-query { any; } with recursion yes), add allow-recursion for the LAN here as well. The forwarder it depends on, 192.168.100.20, must itself accept recursive queries from 192.168.100.254.
2. Check the syntax of named.conf with named-checkconf
# named-checkconf /etc/named.conf
#
3. Point the nameserver entry in /etc/resolv.conf at the caching server
# cat /etc/resolv.conf
nameserver 192.168.100.254
4. Restart the named service
5. If a test query now fails to resolve, the likely cause is the firewall (or SELinux) on the forwarder 192.168.100.20: a forward-only server has no other way to get an answer, so port 53 on the forwarder must be reachable from 192.168.100.254, and the forwarder must allow recursion for that address.
6. Once that is fixed, test again
# nslookup
> server 192.168.100.254
Default server: 192.168.100.254
Address: 192.168.100.254#53
> www.hngd.com
Server:         192.168.100.254
Address:        192.168.100.254#53

Non-authoritative answer:
Name:   www.hngd.com
Address: 192.168.100.11
>
"Non-authoritative answer" is expected here: the caching server is not authoritative for hngd.com and is relaying (or serving from cache) the master's answer.
The caching server above forwards every query. Forwarding can also be limited to a single domain with a forward zone, for example:
zone "qq.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.100.20; };
};
The zone type must be forward, not master: a master zone needs a zone file and makes the server authoritative, whereas what is wanted here is to forward queries for that domain only.
named also opens port 53 on UDP and TCP, on every interface in the listing above, so that part of the output needs no further explanation. But why would there also be a port 953, listening only on the local host? That is named's remote-control channel, rndc (remote name daemon control). By default only the local machine may control named through it. rndc is covered in a later chapter; for now it is enough to confirm that UDP and TCP port 53 are up.
Test: if the DNS server can reach the Internet, run dig www.baidu.com @127.0.0.1. If an IP address for www.baidu.com comes back and the output contains "SERVER: 127.0.0.1#53(127.0.0.1)", the server is working. This only succeeds if named listens on 127.0.0.1 and can recurse, either through its forwarders or from the root hints.
Questions:
When is a cache-only DNS server needed?
Some companies restrict Internet access very tightly to stop employees using the company's network for private purposes; the firewall may even block port 53, the port DNS uses. In that case, add a cache-only DNS service on the firewall host itself.
What does that mean? Simply that the firewall host's own DNS service does the hostname <-> IP resolution on behalf of the clients: the firewall can allow its own DNS traffic out, and the clients just use the firewall's IP as their DNS server. That is how they get name and address translation, and it is why most cache-only DNS servers are set up for reasons of system security.
DNS Server Setup (master, slave, cache-only)