From DNS basics to CentOS 6.5: building forward and reverse resolution by "playing around"

Source: Internet
Author: User
Tags: ldap, subdomain, subdomain name, dns, forwarder

1. What is DNS?

DNS: Domain Name System.

In fact, what DNS does is very simple and very effective: users no longer need to remember the IP addresses of the servers they visit often. Suppose you had to type a string of numbers like (for example) to reach a web server; after all, most people find it much easier to remember text, or even pinyin letters, than numbers. Typing the letters instead is the DNS function.

Of course, DNS not only converts the letters you enter into the numeric string of an IP address; the reverse is supported too, turning those numbers back into the actual website you want to visit. For example, you can enter the IP address (for example) into a web browser to reach Baidu, provided you are a memory expert.

2. What do we mean by the URL we type every day?

Take Sina, which we often use as an example.

In fact, there is a dot at the very end of the name. Anatomy: the WWW in front is the host name, and what follows is the domain. WWW together with the domain forms a fully qualified domain name, also known as an FQDN. The "." separates the levels of the hierarchy, like village chief, county magistrate, mayor: each level is one management layer.

3. DNS also uses the C/S architecture

S (server side): BIND. The server side is generally passive: it opens a listening socket and waits for client requests,

on UDP port 53 and TCP port 53.

C (client side): generally a shared library (the resolver) made up of several library files; a program calls the library, which has the name resolved on the server side.

Generally, DNS also requires storage because it records a lot of host and domain information. It usually uses three storage formats:

1. Text Files

2. Relational databases

3. LDAP (Lightweight Directory Access Protocol), which is often used as well. LDAP usually listens on tcp/389. Because LDAP is fast, the DNS servers of large sites often use it!

However, with the rapid growth of the network today there are probably more than 10 billion host names worldwide. How many lookups arrive per second, every day?

Imagine each client request spawning a process. How many processes can one computer open per second, day after day? A shocking number; an ordinary computer would crash very quickly, wouldn't it?

So we need multiple DNS servers. That is what distributed means!

In the early days, DNS amounted to a hosts file, a kind of "road map" of address mappings, and every process went through a shared library during communication: process --> shared library lookup --> hosts file, and then the shared library returned the result to the process. As time went on, DNS grew into the server stage: the client resolves names by asking a server; the client process reaches the server process through the socket interface, the server process queries its database files, and finally the server process returns the answer to the client through the socket interface.

In fact, DNS is only a supplementary step in network communication, an extra step before talking to the target host or server by IP address. The client process ultimately obtains the IP address that DNS resolved and communicates with the other side using that IP.

The client also keeps a cache-like "file" locally that records IP addresses or host names it has already looked up, so the next visit to the same site does not need another redundant remote trip to the DNS server; if the entry is not in the cache, it asks the DNS server again.

With the development of the Internet, DNS adopted distributed, hierarchical management. DNS has an emperor-like root, and below it the tree is divided into layer after layer of subdomains.

Root domain

The root domain is divided into top-level domains.

Below a top-level domain comes the second-level domain: the one typically used by companies, organizations, and individuals (with money).

Generally, you access hosts directly within a second-level domain.

Our DNS tree structure is bottom-up.

Suppose we want to find

First find the root. Then find the com domain: the root points to com, com then points to Baidu, and finally Baidu locates www. In the DNS tree a node does not know the layer above it, but it does know where the root is: when a DNS server is built, the location of the root is explicitly configured. There are 13 root servers in the world.

There are two lookup methods, recursive and iterative, and a DNS lookup is recursive + iterative. The local DNS server must answer the local host recursively; otherwise the client would never learn the resolved address. When the local DNS server receives a request for a domain it does not resolve itself, it goes out and iterates.

Let's move on to a lighter topic and explain some DNS features by analogy.

DNS has a round-robin function: within the domain a DNS server is responsible for, multiple hosts can share the same host name.

One host name can map to multiple IP addresses, even in different CIDR blocks, and a single IP address can likewise map to multiple host names.

Domains and zones

Each domain has two aspects: forward resolution and reverse resolution.

Resolution needs a database to look up. Forward resolution needs its own database, and reverse resolution needs one too; each of these databases is one zone.

A domain is a logical concept, whereas a zone is a physical one: resolving a domain is implemented through zone files.

In the zone database (the physical side, which is the authoritative data), each line is a resource record, RR, and a type field marks what the record resolves.

1. SOA: Start of Authority record, marking who is in charge of the zone. A zone file can have only one SOA.

2. NS: name server record, saying who the name server is (the key record).

3. MX: marks which host is a mail server for the domain. Mail servers have a priority from 0 to 99; the smaller the number, the higher the priority.

4. A: FQDN --> IP address, resolving a name to an IPv4 address.

5. PTR: IP --> FQDN, reverse resolution; it can also reverse-resolve IPv6.

A and PTR records do not appear in the same zone database.

6. AAAA: FQDN ---> IPv6 address.

7. CNAME: canonical name (alias).

What the DNS servers are generally called

The authoritative DNS server for a domain is also called the primary (master) DNS server.

A primary DNS server will have secondary (slave) DNS servers; the data on a slave is only synchronized and copied from the master. While running, the slave refreshes its zone data periodically, and it can copy data not only from the master but also from other slaves. In this way, setting up slave DNS servers in a zone shares the load of the primary DNS server and speeds up resolution!

rndc: Remote Name Domain Controller

Remote domain name controller (dangerous).

rndc reload: reloads the configuration file without restarting the service.

rndc-confgen -r /dev/urandom > /etc/named/rndc.conf manually generates the rndc key.

In addition, I would like to share my experience with rndc. After installing bind, I also generated the rndckey file, but when I used it, it showed "connection refused". I spent half a day on it: the DNS process was not started. You need to (in the C7 environment) run systemctl start named.service


Caching DNS server: a server that is not responsible for normal (authoritative) address resolution. It has no zone data of its own; it only queries other DNS servers on behalf of DNS clients, then stores the results in its cache to answer later requests from the various clients. It is only responsible for looking data up and does not resolve any address itself.

A DNS forwarding server works like this: if the DNS server a client points at cannot resolve a domain name from its own zones, it forwards the request to the DNS forwarder, which carries the query on to other DNS servers!

The DNS servers in a zone cache, and the client caches too; caching is very important to DNS. One DNS server can serve N domain names at once, that is, a single DNS server can be the authoritative resolution server for one domain and for another at the same time, providing resolution for N domains.


If you configure a DNS server at work in the future, you must register a domain name. Also, in a production environment the DNS servers (there will be several) must be registered with the parent domain.

As for the DNS database files: they are added on the primary DNS server; on the slave DNS server they are synchronized and copied from the master and must not be edited by hand.

Master-slave DNS synchronization

Note that the synchronized zone file on the slave server is stored in /var/named/slaves/xxx.zone.

NTP: time server

In a DNS deployment there is generally an accurate external NTP time server.

The BIND version on the slave DNS server must be higher than or equal to the version on the master DNS server.


Let's define a slave zone.

Format (in /etc/named.rfc1912.zones):

    zone "zone_name" IN {
        type slave;
        file "slaves/zone_name.zone";
        masters { <IP address of the primary DNS server>; <IP address of another slave server>; };
    };


Now let's simulate an environment. Assume there are two DNS servers in the domain: one is the primary DNS server, and the other is the slave DNS server.

BIND must be installed in the new environment, and /etc/named.rfc1912.zones must contain the zone record, but you do not need to create the zone file yourself; it only needs to be synchronized from the primary DNS server.

Adding the slave server

1. First add an NS record at the domain name registrar. This record must also exist in the parent domain's zone database: when the primary DNS server changes, it only notifies the NS servers listed in its own zone file.

Note that whenever a record is added to or deleted from the zone database, the serial must be increased by 1.

The format is as follows:

First check the BIND version: use yum list all bind* or yum info bind to view the BIND version on both master and slave.

Enable a crontab entry on the slave server to add the time-sync task, as shown:

    */5 * * * * /usr/sbin/ntpdate <NTP server> &>/dev/null


The dig command

dig -t A <host name> @<IP address of the DNS server>

Forward resolution from host name to IP address.

dig -x <IP address> @<IP address of the DNS server>

Reverse resolution from IP address to host name.

dig -t axfr <domain name> (separated by spaces) @<IP address of the DNS server>

A zone transfer: lists the forward records of the whole domain.


BIND also has an ACL (Access Control List) function. It is configured where the zone is defined, for example in the zone definition in /etc/named.rfc1912.zones. Take zone transfers: by default, anyone who can reach the DNS service can pull the zone database from the primary DNS server. What are the consequences? Suppose a bad guy simply synchronizes the zone files and makes things worse. So we restrict the zone file by adding allow-transfer { <IP address of the DNS server allowed to transfer>; }; The values none and any are also accepted.

After setting it up, don't forget to tell the remote name daemon controller, that is, run rndc reload so that it re-reads the configuration file. Then:

[root@host ~]# dig -t axfr <domain>

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t axfr <domain>
;; global options: +cmd
; Transfer failed.

It shows "Transfer failed."

The above restricts zone transfers between the master and slave DNS servers. Suppose I also want to stop other malicious clients from doing address resolution through me??? That can be set too, by editing the configuration file and adding allow-query { !<the specified IP address>; }; for example:

    zone "<zone name>" IN {
        type slave;
        file "slaves/<zone name>.zone";
        masters { <IP address of the primary DNS server>; };
        allow-transfer { <IP address of the primary DNS server>; };
        allow-query { none; };
    };

Note the none in the last line. Now I ask the primary DNS server to resolve the website through me (the slave). You can see:

[root@host ~]# dig -t a <host name> @<IP address of the slave>

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t a <host name> @<IP address of the slave>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 37496
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;<host name>.    IN  A

It does not return the IP address, even though the name is in this DNS server's own zone database.

rndc is very powerful and dangerous. In fact, we recommend enabling rndc only when the DNS server you build is used purely for internal communication. Once it faces the Internet, never do this; it attracts all sorts of inexplicable characters trying to break it.

rndc actually sends keys for communication. On CentOS 6.5, rndc has a key file under /etc, rndc.key, which records the rndc key information. This is complete HMAC-based authentication.

Every time rndc sends a message to the server, the server uses the same algorithm to verify the key; once that succeeds, rndc communicates securely.

Common rndc commands include:

rndc reload, rndc reconfig, rndc flush, and rndc status.



Next, let's think about how to add a subdomain inside a domain. How do we create a subdomain?

Suppose we have

Under that domain there are an ops department and a dev department, and the company's business is large, so the ops and dev departments also get subdomains of their own, each with its www host, that is,

What should we do?

In fact, to create a subdomain you only need a small change in the parent domain's zone database, like this:

<subdomain name> IN NS <name server of the subdomain>. In the example above, that is <subdomain> IN NS <its name server>.

Of course, we also need to add an A record for that name server (forward resolution only here), that is <name server> IN A <its IP address> (for example). This A record is the glue record for the delegation.

In fact, the DNS resolution process works like this: the parent domain knows the subdomain, but the subdomain does not know the parent domain. That is, if we are in the subdomain and want to find a host in the parent domain, how do we find it?

Does www search in ops? No. But when we are in the subdomain, it is clear that our domain is the subdomain, not the parent, so the lookup goes straight to the root server.

Then it finds the .com domain through the root server; .com tells it where the .mageedu domain is; then it finds the .ops domain, and finally the ops domain tells it the IP address of the host, which you can then reach.

However, even though it works like this, don't forget that our DNS server also has a forwarder feature, which lets the subdomain look up the parent domain without the detour through the root. In addition, the DNS subdomain and parent domain can be on different network segments.


Let's create the subdomain first.

1. First edit /etc/named.conf.

2. Then edit /etc/named.rfc1912.zones.

The format is as follows:

    zone "<subdomain name>" IN {
        type master;
        file "ops.mageedu.zone";
        allow-transfer { <IP address of the slave server>; };
    };

3. After editing, add the records to the zone database:

    $TTL 3600
    $ORIGIN <subdomain name>.
    @    IN SOA  <name server FQDN>. <admin mailbox>. (
             1       ; serial
             1H      ; refresh
             5M      ; retry
             2H      ; expire
             3600 )  ; minimum TTL (not shown in the original; the $TTL value is used here)
    @    IN NS   ns
    ns   IN A    <IP address of the name server>
    www  IN A    <IP address of www>   ; any address you define

Then rndc reload.

However, there is a key step. If the firewall is enabled on the subdomain's DNS server, you must first clear it with iptables -F. Otherwise the subdomain's DNS server cannot respond.
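The delegation rule just described (an NS record in the parent zone plus a glue A record), the forward/reverse pairing from the title, and the serial-bump rule from the slave section, turned into a consistency checker. This is an added example and not code from the original post or from BIND; the zone texts, the domain example.test, the 192.0.2.0/24 addresses and all function names are constructed here.

```python
# Added example, not from the post; sample zones are constructed for the placeholder domain example.test.
import ipaddress, re

PARENT_ZONE = """
$TTL 3600
$ORIGIN example.test.
@       IN SOA ns1.example.test. admin.example.test. ( 2024010102 1h 5m 2h 3600 )
@       IN NS  ns1.example.test.
ns1     IN A   192.0.2.1
www     IN A   192.0.2.10
ops     IN NS  ns1.ops.example.test.   ; delegation of the ops subdomain
ns1.ops IN A   192.0.2.20              ; glue for the subdomain's name server
"""
REVERSE_ZONE = """
$ORIGIN 2.0.192.in-addr.arpa.
@   IN SOA ns1.example.test. admin.example.test. ( 2024010102 1h 5m 2h 3600 )
@   IN NS  ns1.example.test.
1   IN PTR ns1.example.test.
10  IN PTR www.example.test.           ; the PTR for 192.0.2.20 is deliberately missing
"""

def _fq(name, origin):
    """Qualify a relative name against $ORIGIN; '@' means the origin itself."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (apex, serial, records); each record is (owner, type, rdata list)."""
    text = re.sub(r";[^\n]*", "", text)                               # drop comments
    text = re.sub(r"\([^)]*\)", lambda m: m[0].replace("\n", " "), text)  # join ( ... )
    origin, apex, serial, records = ".", None, None, []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("$"):                     # blank, $TTL, $ORIGIN
            origin = parts[1] if parts and parts[0] == "$ORIGIN" else origin
            continue
        owner, fields = _fq(parts[0], origin), parts[1:]
        while fields[0].isdigit() or fields[0].upper() == "IN":       # optional TTL / class
            fields = fields[1:]
        rtype = fields[0].upper()
        rdata = [t for t in fields[1:] if t not in ("(", ")")]
        if rtype in ("NS", "PTR", "CNAME"):
            rdata[0] = _fq(rdata[0], origin)
        if rtype == "SOA":
            apex, serial = owner, int(rdata[2])
        records.append((owner, rtype, rdata))
    return apex, serial, records

def reverse_name(ip):
    """Owner name the PTR for an address must have, e.g. 1.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_zones(forward_text, reverse_text):
    """List inconsistencies: in-zone NS targets without glue A, and A records without a PTR."""
    apex, _, fwd = parse_zone(forward_text)
    a_recs = {(o, r[0]) for o, t, r in fwd if t == "A"}
    ptrs = {(o, r[0]) for o, t, r in parse_zone(reverse_text)[2] if t == "PTR"}
    missing_glue = [f"no glue A record for NS {r[0]}" for _, t, r in fwd if t == "NS"
                    and r[0].endswith("." + apex) and r[0] not in {o for o, _ in a_recs}]
    missing_ptr = [f"no PTR for {ip} -> {o}" for o, ip in a_recs if (reverse_name(ip), o) not in ptrs]
    return sorted(missing_glue + missing_ptr)

def serial_increased(old_text, new_text):
    """True when the edited zone carries a higher SOA serial; slaves transfer only then."""
    return parse_zone(new_text)[1] > parse_zone(old_text)[1]
```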

Then let's test whether the DNS server can resolve hosts in the subdomain:

[root@host named]# dig -t a <www.subdomain>

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t a <www.subdomain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41709
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<www.subdomain>.    IN  A

;; ANSWER SECTION:
<www.subdomain>.   3600  IN  A  <IP address>

Successful. Note the aa in flags, which means the answer came from the authoritative DNS server!

Now let's see how the parent domain's DNS server resolves hosts served by the subdomain's DNS server:

[root@host ~]# dig -t a <www.subdomain>

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> -t a <www.subdomain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11796
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;<www.subdomain>.    IN  A

;; ANSWER SECTION:
<www.subdomain>.   2938  IN  A  <IP address>

Check it: the flags here do not include aa. But what is our real goal??

We want to resolve hosts in the parent domain from the subdomain. Let's try and see whether it works.

[root@host named]# dig -t a <www.parent domain>

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t a <www.parent domain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 64006
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<www.parent domain>.    IN  A

It is not found, so it still doesn't work, and we have to find a solution. Remember that DNS has a forwarder function? Yes, it can be configured by editing the options block:

    options {
        ...
        forward only | first;
        forwarders { <IP address of the primary DNS server that will recurse for us>; };
    };

forward { only | first } turns forwarding on; only and first mean the following. only: if the primary DNS server we forward to cannot find the correct answer, we stop there and treat that as the result.

first: if the primary DNS server cannot find the answer, our subdomain's DNS server goes to the root itself and iterates.

forwarders { <IP>; } gives the IP address of the primary DNS server that recurses on our behalf.

At the same time, the recursing DNS server needs a recursion whitelist in order to answer us, in this format:

    allow-recursion { <networks allowed to recurse>; };

For example:

    forward only;
    forwarders { <IP address of the primary DNS server>; };

After editing, run named-checkconf to check the syntax; if it reports no errors, the configuration is OK. Then rndc reconfig.

So let's test and see the result.

[root@host named]# dig -t a <www.parent domain>

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t a <www.parent domain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43071
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<www.parent domain>.    IN  A

;; ANSWER SECTION:
<www.parent domain>.   3600  IN  A  <IP address>

Check the result: it worked!

Finally, one more question. Zoom in on the scenario just shown: what if we want the forwarding DNS server to forward only the names in one zone?

Note!!! Edit /etc/named.rfc1912.zones on the requesting DNS server and define the zone to be forwarded, as shown below:

    zone "<zone name>" IN {
        type forward;
        forward only;
        forwarders { <IP address of the primary DNS server>; };
    };

Then run rndc reconfig and test:

[root@host named]# dig -t a <www.parent domain>

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t a <www.parent domain>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1691
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<www.parent domain>.    IN  A

;; ANSWER SECTION:
<www.parent domain>.   2982  IN  A  <IP address>

Success! However, if we try to forward resolution of other hosts, outside that zone, through the parent domain's DNS server, it fails. Look, using <another host> as the example:

[root@host named]# dig -t a <another host>

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -t a <another host>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 31494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;<another host>.    IN  A

Unsuccessful. One more concept that is especially easy to confuse: because we tested on CentOS virtual machines, the DNS server listed in CentOS 6.5's own /etc/resolv.conf has nothing to do with the DNS service you configured and started!!
