I. DNS theory

DNS (Domain Name Service) resolves domain names to IP addresses (forward resolution) and IP addresses to domain names (reverse resolution).

Classification of DNS top-level domains:
  organizational domains: .com .net .org
  country domains: .cn .tw .jp ...
  reverse domain: resolves an IP address to a domain name

DNS record types:
  A: forward-resolution entry
  PTR: reverse-resolution entry
  NS: the DNS server for a domain
  MX: the mail server for a domain
  CNAME: alias
  SOA: identifies the authoritative DNS server of a domain
Note: every NS record you add needs a matching A record for the server it names.

DNS server types:
  primary DNS server: master
  secondary DNS server: slave
  root DNS server: hint
  caching DNS server: the server most of us use in daily life as our default DNS (local DNS). A default DNS server is one that can iterate over the Internet on our behalf; DNS servers in the top-level domains do not iterate for our queries. In general it is the caching DNS server that performs the iterative lookup for us.

DNS query types: iterative query (tcp:53), recursive query (udp:53).

DNS query order:
1. DNS cache
2. local hosts file
3. DNS server

IP and FQDN correspondence (FQDN: fully qualified domain name):
  ICANN, the name assignment agency, and its subordinate agencies manage all domain names on the Internet.
  One IP can carry multiple domain names (one of the ways HTTP virtual hosts are implemented).
  One domain name can map to multiple IPs (one of the principles behind cluster load balancing).

Role of the slave DNS server:
1. DNS load balancing
2. taking over when the primary server fails

Subdomains and delegation:
  delegation: when a zone is too large to maintain well on a single server, some subdomains can be assigned to designated servers for maintenance.
  subdomain: its resolution records are stored in the parent domain's zone file.
  delegated domain: it has its own separate zone file.

Check tools (provided by the bind-utils package):
  check the master configuration file for errors:  named-checkconf <configuration file path>
  check a forward zone file for errors:            named-checkzone <domain name> <zone file>   (the reverse zone file is checked the same way)

II. DNS configuration

Primary root DNS server configuration

Configuration files:
  /etc/named.conf           master configuration file
  /bind/named               directory holding the DNS zone data files
  /bind/named/named.root    zone declaration file holding the root zone data

named.conf, the master configuration file, in detail:
  options                      global configuration area
  directory                    default storage location for zone data files
  pid-file                     pid file, used by programs that send signals to the running DNS server
  dump-file                    storage path of the cache dump file (named's data file)
  request-ixfr yes;            whether the local server, acting as a secondary name server, sends incremental zone transfer requests to the primary name server
  recursion yes;               allow recursion for all clients (the default)
  statistics-file              path of the statistics file
  memstatistics-file           path of the memory-usage statistics file
  allow-transfer {none;};      which hosts may perform zone transfers from the local server; can also be set in a zone statement. The default allows zone transfers to all hosts.
  allow-query {any;};          which clients may use this DNS server for queries; an IP, a network segment, or any
  listen-on port 53 { any; };  the IPv4 addresses and port the DNS server listens on (any: all addresses; 53: udp/53 and tcp/53)

Zone section explained:
  allow-transfer {none;};  which hosts may perform zone transfers of this zone from the local server; can be set in the zone statement. The default allows zone transfers to all hosts.
  allow-update { none; };  whether updates to the zone's DNS data are accepted (none: deny)

Addresses used below:
  master IP: 192.168.1.1
  slave IP: 192.168.1.2
  Beijing local DNS: 192.168.1.4
  Shanxi local DNS: 192.168.1.5
  GSLB address: 192.168.1.41

Modify the master configuration file named.conf:

# vim /etc/named.conf
```
options {
    directory "/bind/named";
    pid-file "/var/run/named/named.pid";
    dump-file "/var/named/dump.named";
    request-ixfr yes;        // save bandwidth
    recursion yes;           // please restrict this
    allow-transfer { none; };
    listen-on { any; };      // listen on all ipv4 interfaces
    listen-on-v6 { any; };   // listen on all ipv6 interfaces
};

/************* zone info *************/
// main zone
zone "." in {                          // defines the root domain
    type master;                       // zone type
    file "named.root";                 // the root zone resolution file
    allow-transfer { 192.168.1.2; };
    notify yes;   // after the root DNS modifies the zone, NOTIFY messages are sent to the servers in the zone's NS records
};
```

Primary root DNS server zone declaration file:

# vim /bind/named/named.root
```
$ORIGIN .                          ; authoritative resolution DNS server
@   1D  IN  SOA  @ root. (         ; domain name
        2018070402   ; serial number: increment it on every modification, otherwise the slave root falls out of sync
        1h           ; refresh time, the interval at which the slave re-fetches the data
        15m          ; retry interval after a failed transfer
        1w           ; expire time: after this long without a successful transfer the slave gives up
        5m )         ; lifetime of negative answers (names that cannot be resolved)
; 1D can also be written as 1 day
.                        518400  IN  NS   we.yuan.net.jp.         ; dns domain name (NS name server)
we.yuan.net.jp.          518400  IN  A    192.168.1.1             ; the primary root DNS server
.                        518400  IN  A    192.168.1.1
.                        518400  IN  NS   slave.we.yuan.net.jp.
slave.we.yuan.net.jp.    518400  IN  A    192.168.1.2             ; the slave root DNS server
.                        518400  IN  A    192.168.1.2             ; the slave root DNS server
; GSLB address
ly.we.yuan.net.jp.       518400  IN  NS   ns1.ly.we.yuan.net.jp.
ns1.ly.we.yuan.net.jp.   518400  IN  A    192.168.1.41
; the primary root and slave root DNS addresses (short names)
.                        518400  IN  NS   we.
we.                      518400  IN  A    192.168.1.1
.                        518400  IN  A    192.168.1.1
.                        518400  IN  NS   slave.we.
slave.we.                518400  IN  A    192.168.1.2
.                        518400  IN  A    192.168.1.2
ly.we.                   518400  IN  NS   ns3.ly.we.
ns3.ly.we.               518400  IN  A    192.168.1.41
; Shanxi
sx.we.yuan.net.jp.       518400  IN  NS   ns5.sx.we.yuan.net.jp.
ns5.sx.we.yuan.net.jp.   518400  IN  A    192.168.1.5
; Beijing
bj.we.yuan.net.jp.       518400  IN  NS   ns6.bj.we.yuan.net.jp.
ns6.bj.we.yuan.net.jp.   518400  IN  A    192.168.1.4
```

Slave root DNS server configuration:

# vim /etc/named.conf
```
options {
    directory "/bind/named/slave";
    pid-file "/var/run/named/named.pid";
    dump-file "/var/named/dump.named";   // cache file
    request-ixfr yes;                    // save bandwidth
    recursion yes;                       // please restrict this
    allow-transfer { none; };
    allow-query { any; };
    listen-on { any; };                  // listen on all ipv4 interfaces
    listen-on-v6 { any; };               // listen on all ipv6 interfaces
};

/************* zone info *************/
zone "." in {
    type slave;
    file "slave.root.hint";
    masters { 192.168.1.1; };            // primary root DNS address
    notify yes;
};
```

Slave root DNS server zone file (this is what the zone transfer writes to disk):

# vim /bind/named/slave.root.hint
```
$ORIGIN .
$TTL 86400      ; 1 day, the record lifetime
@           IN SOA  . root. (
                    2018070402 ; serial
                    3600       ; refresh (1 hour)
                    900        ; retry (15 minutes)
                    604800     ; expire (1 week)
                    300        ; minimum (5 minutes)
                    )
$TTL 518400     ; 6 days, the record lifetime
            NS   we.
            NS   we.yuan.net.jp.
            NS   slave.we.
            NS   slave.we.yuan.net.jp.
            A    192.168.1.2
            A    192.168.1.1
we.yuan.net.jp  A    192.168.1.1
$ORIGIN we.yuan.net.jp.
ly          NS   ns1.ly
$ORIGIN ly.we.yuan.net.jp.
ns1         A    192.168.1.41
$ORIGIN we.yuan.net.jp.
slave       A    192.168.1.2
; Shanxi local DNS
sx          NS   ns3.sx
$ORIGIN sx.we.yuan.net.jp.
ns3         A    192.168.1.5
; Beijing local DNS
$ORIGIN we.yuan.net.jp.
bj          NS   ns4.bj
$ORIGIN bj.we.yuan.net.jp.
ns4         A    192.168.1.4
$ORIGIN .
we          A    192.168.1.1
$ORIGIN we.
ly          NS   ns3.ly
$ORIGIN ly.we.
ns3         A    192.168.1.41
$ORIGIN we.
slave       A    192.168.1.2
```

Shanxi local DNS configuration:

# vim /etc/named.conf
```
options {
    directory "/var/named";
    allow-query { any; };
    listen-on port 53 { any; };   // listen on all ipv4 interfaces
    recursion yes;
    #dnssec-enable yes;
    #dnssec-validation yes;
    #dnssec-lookaside auto;
};

zone "we.yuan.net.jp" IN {
    type forward;
    forwarders { 192.168.1.2; };
};

zone "sx.we.yuan.net.jp" IN {
    type master;
    file "sx.we.yuan.net.jpzone";
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.zone";
};
```

# vim /var/named/sx.we.yuan.net.jpzone
```
$TTL 1d
@      IN SOA  dns root.tj.we.yuan.net.jp. (
               0     ; serial
               1D    ; refresh
               1H    ; retry
               1W    ; expire
               3H )  ; minimum
@      NS   ns5
ns5    A    192.168.1.5
test   A    192.168.1.5
```

# vim /var/named/1.168.192.zone
```
$TTL 1d
@      IN SOA  dns root.abc.sx.we.yuan.net.jp. (
               0     ; serial
               1d    ; refresh
               1h    ; retry
               1w    ; expire
               3H )  ; minimum
       NS   abc.sx.we.yuan.net.jp.
5      PTR  abc.sx.we.yuan.net.jp.
```

Beijing local DNS configuration:

# vim /etc/named.conf
```
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    recursion yes;
    #dnssec-enable yes;
    #dnssec-validation yes;
    #dnssec-lookaside auto;
};

// dns logging
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "bj.we.yuan.net.jp" IN {
    type master;
    file "bj.we.yuan.net.jpzone";
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.zone";
};

zone "we.yuan.net.jp" IN {
    type forward;
    forwarders { 192.168.1.2; };
};
```

# vim bj.we.yuan.net.jpzone
```
$ORIGIN bj.we.yuan.net.jp.
@       1D  IN SOA  @ root. (
                2009082604  ; serial
                3h          ; refresh
                15m         ; retry
                1w          ; expire
                1d )        ; minimum
        1d  IN NS   @
            IN A    192.168.1.4
test        IN A    192.168.1.4
```

Debug commands:
```
named -g -u named
named -g -u named -t <chroot directory> -c named.conf
```
-g runs named in the foreground and logs to stderr; -u named runs it as the named user; -t gives the directory named chroots into (where the configuration lives in a chrooted setup); -c gives the path of the configuration file named.conf.

III. Forwarder configuration

Forwarding is configured on the server that needs to forward, usually the subdomain server, which forwards to the parent domain server. There are two places to declare it:
1. in the global options of the master configuration file, in which case the whole DNS server forwards;
2. in a zone declaration, which declares a forwarding zone.

The second method:
```
zone "we.yuan.net.jp" in {         // forward resolution requests for we.yuan.net.jp
    type forward;                  // zone type
    forward first;                 // forwarding type
    forwarders { 192.168.1.2; };   // the server to forward to
};
```
Forwarding types:
  first: forward to the specified server; if it does not return a resolution, resolve the query iteratively ourselves.
  only: forward to the specified server; if it does not return a resolution, return the unresolved result to the client.

Master configuration file, global options to modify:
  dnssec-enable no;
  dnssec-validation no;
  delete: dnssec-lookaside auto;
(With validation left on, answers coming from this unsigned private root cannot be validated against the public root trust anchor, so the resolver fails the queries.)

IV. ACL

ACL concept: by writing directives in an ACL you can reuse the same directives in several places, much like a function (ACLs are generally used together with intelligent DNS). BIND has two built-in ACLs: any and none. Writing principle: ACLs are generally placed at the front of the file, because an ACL must be declared before it is referenced. Syntax:
```
acl acl-name { address-match-list; };
```
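The SOA timers in the root zone files above appear once in BIND's unit notation (1h, 15m, 1w, 5m) and once as raw seconds in the slave's transferred copy, and the note on the serial number says a forgotten bump leaves the slave out of sync. The following Python is an added example, not code from the original post, that parses an SOA record, normalizes the timers to seconds and checks whether a slave would transfer; the sample zone text is constructed from this lab's values.

```python
import re

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def ttl_to_seconds(value):
    """Convert a BIND time value ('1h', '15m', '1W', '518400', '1d12h') to seconds."""
    value = value.lower()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(\d+[smhdw])+", value):
        raise ValueError("bad TTL: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([smhdw])", value))

def parse_soa(zone_text):
    """Return (serial, refresh, retry, expire, minimum) with the timers in seconds.
    Strips ';' comments and joins the parenthesised multi-line SOA form."""
    text = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(([^)]*)\)", text, re.IGNORECASE)
    if m is None:
        raise ValueError("no SOA record found")
    fields = m.group(1).split()
    if len(fields) != 5:
        raise ValueError("SOA needs serial + 4 timers, got %d fields" % len(fields))
    return (int(fields[0]),) + tuple(ttl_to_seconds(f) for f in fields[1:])

def slave_will_transfer(master_zone, slave_zone):
    """A slave only pulls the zone when the master's serial is higher than its own;
    editing the master without bumping the serial leaves the slave out of sync."""
    return parse_soa(master_zone)[0] > parse_soa(slave_zone)[0]

# Constructed samples: the master's named.root SOA and the SOA written into slave.root.hint by the transfer.
MASTER_ROOT = """\
@  1D  IN  SOA  @ root. (
        2018070402  ; serial
        1h          ; refresh
        15m         ; retry
        1w          ; expire
        5m )        ; minimum
"""
SLAVE_DUMP = """\
@       IN SOA  . root. (
                2018070402 ; serial
                3600       ; refresh (1 hour)
                900        ; retry (15 minutes)
                604800     ; expire (1 week)
                300        ; minimum (5 minutes)
                )
"""
```

Both samples parse to the same timers, which is what a correct transfer should give; bumping the master's serial is what makes slave_will_transfer return True.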
Notes:
  The firewall must open the DNS ports tcp/53 and udp/53.
  If the Shanxi local DNS server uses a GSLB load balancer and part of Shanxi's domain is forwarded to the GSLB, you must configure a record in the primary root DNS server that points to the GSLB address.
  The Beijing slave root DNS server needs connectivity with both the Beijing local DNS and the Shanxi local DNS (they must be able to ping each other).

Conclusion: the Beijing local DNS server can resolve Shanxi's domain names, and the Shanxi local DNS can resolve the Beijing local DNS domain names. Test the resolution with the nslookup and dig commands: nslookup test.sx.we.yuan.net.jp returns the address 192.168.1.5, and nslookup test.bj.we.yuan.net.jp returns the address 192.168.1.4. On Linux, the rndc flush command empties the DNS cache.

dig command output explained:

# dig baidu.com
```
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> baidu.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54864
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;baidu.com.                     IN      A

;; ANSWER SECTION:
baidu.com.              600     IN      A       123.125.114.144
baidu.com.              600     IN      A       180.149.132.47
baidu.com.              600     IN      A       111.13.101.208
baidu.com.              600     IN      A       220.181.57.217

;; Query time: 2 msec
;; SERVER: 192.168.132.1#53(192.168.132.1)
;; WHEN: Mon Jul 18 16:31:03 2016
;; MSG SIZE  rcvd: 91
```

The first line shows the dig version and the domain name being queried; the "global options: printcmd" line shows the global settings. If +nocmd is the first option on the command line, this part of the output is suppressed.

"Got answer" and the HEADER line: here dig reports technical information returned by the DNS server. Display of this part is controlled with +[no]comments, but note that disabling comments may also turn off some other output.
  opcode: operation code; QUERY means a query operation
  status: NOERROR means no error
  id: 54864, a 16-bit number; in the DNS protocol, responses are matched to queries by this number
  flags: a flag that appears is set, a flag that does not appear is not set:
    qr: the query/response flag, marking this message as the answer to a query
    rd: recursion desired, a recursive query was requested
    ra: recursion available, set in the reply; the server that answered supports recursive queries
    aa: authoritative answer, set when the result comes from the name server that manages the domain rather than from a caching server
  QUERY: number of queries, 1; matches the number of records in the QUESTION section below
  ANSWER: number of results, 4; matches the number of records in the ANSWER section
  AUTHORITY: number of authoritative name server records; 0 means no authoritative name server records usable for resolution were returned
  ADDITIONAL: number of additional records; 0 means no additional records

QUESTION SECTION: dig echoes our query; by default an A record is queried. Use +[no]question to show or hide this part. From left to right:
  1. the domain name queried, baidu.com.; the trailing dot is the root, com the top-level domain and baidu the second-level domain
  2. class, the category of information; IN means the Internet (IP protocol). Other classes exist, such as CHAOS, but since everything is the Internet now the others are basically unused
  3. type, the record type queried; A means an IPv4 address is queried, AAAA an IPv6 address

ANSWER SECTION: finally we get the query result; the first baidu.com address is 123.125.114.144. Use +[no]answer to show or hide this part. Each answer is one record, read from left to right:
  1. the domain name, baidu.com.; the trailing dot is the root, com the top-level domain and baidu the second-level domain
  2. ttl, time to live, the cache time in seconds; 600 means a caching name server may keep this record for 600 seconds
  3. class, the category of information; IN means the Internet (IP protocol). Other classes exist, such as CHAOS, but the others are basically unused
  4. type, the record type; A means an IPv4 address, AAAA an IPv6 address
  5. the IP address the domain name resolves to

Query time: 2 msec, how long the query took
SERVER: 192.168.132.1#53, the server address and port used for the query
WHEN: Mon Jul 18 16:31:03 2016, the time of the query
MSG SIZE rcvd: 91, the size of the response; 91 bytes were received
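To make the HEADER, flags and ANSWER fields discussed above machine-checkable, here is an added example (not part of the original post) in Python that parses dig's text output into a dictionary; the sample output is constructed from the dig run shown above, and the aa flag check shows how to tell a cached answer from an authoritative one.

```python
import re

# Constructed sample: the dig output explained above, as dig prints it.
DIG_OUTPUT = """\
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> baidu.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54864
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;baidu.com.                     IN      A

;; ANSWER SECTION:
baidu.com.              600     IN      A       123.125.114.144
baidu.com.              600     IN      A       180.149.132.47
baidu.com.              600     IN      A       111.13.101.208
baidu.com.              600     IN      A       220.181.57.217

;; Query time: 2 msec
;; SERVER: 192.168.132.1#53(192.168.132.1)
;; MSG SIZE  rcvd: 91
"""

def parse_dig(text):
    """Turn dig's text output into a dict: header fields, flag set, section counts, answer RRs."""
    result = {"flags": set(), "answer": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):                  # opcode / status / id
            for key, val in re.findall(r"(\w+): (\w+)", line):
                result[key] = int(val) if val.isdigit() else val
        elif line.startswith(";; flags:"):                      # flags, then section counts
            flags, counts = line[len(";; flags:"):].split(";", 1)
            result["flags"] = set(flags.split())
            for key, val in re.findall(r"(\w+): (\d+)", counts):
                result[key.upper()] = int(val)
        elif line.startswith(";; ") and "SECTION" in line:      # QUESTION / ANSWER / ...
            section = line.strip("; ").split()[0]
        elif line.startswith(";; SERVER:"):
            result["server"] = line.split()[2]
        elif section == "ANSWER" and line and not line.startswith(";"):
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            result["answer"].append((name, int(ttl), rclass, rtype, rdata))
    return result

def is_authoritative(parsed):
    return "aa" in parsed["flags"]   # set only by the server that manages the domain, never by a cache

def answer_addresses(parsed, rtype="A"):
    return [rr[4] for rr in parsed["answer"] if rr[3] == rtype]
```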
The above is for testing purposes only; adapt it to your production environment. This is only a summary of my personal work experience. If there are errors, I hope fellow bloggers will correct them. Thank you.
DNS Service details for Linux