Linux 24th Day: (September 22) Linux DNS

Source: Internet
Author: User
Tags: domain registration, dnssec, mx record, nslookup, nslookup command, subdomain, top level domain, fully qualified domain name


Chapter Content
Name resolution
DNS service
Implementing a primary/secondary (master/slave) server
Implementing subdomains
Implementing views
Compiling and installing BIND
Stress test
DNS error troubleshooting

DNS Service
DNS: Domain Name Service. An application-layer protocol, client/server, on 53/UDP and 53/TCP (TCP carries zone transfers and any answer too large for a UDP datagram)
BIND: Berkeley Internet Name Domain, the reference implementation, maintained by ISC
Local name-resolution configuration file: /etc/hosts

DNS domain name
Root domain: "."
First level: top-level domain (TLD): com, edu, mil, gov, net, org, int, ...
Three categories: organizational (generic) domains, country-code domains (.cn, .ca, .hk, .tw) and the reverse domain (in-addr.arpa, ip6.arpa)
Second-level domain
Third-level domain
A name may have at most 127 labels (and at most 255 bytes in total)
ICANN (the Internet Corporation for Assigned Names and Numbers) manages the generic top-level domain (gTLD) and country-code top-level domain (ccTLD) systems and the root server system worldwide.

DNS resolution
DNS query types:
Recursive query: the client asks one server and expects that server to obtain the final answer (or a negative answer) on its behalf
Iterative query: the server answers with the best referral it has (the NS records of the next zone down) and the asker follows the referral itself
Name server: a host within the domain responsible for resolving names within that domain
Root servers: 13 root-server names (a through m), each served by many anycast instances
Resolution types: forward (FQDN to IP) and reverse (IP to FQDN)
Note: forward and reverse resolution are two different namespaces, i.e. two different trees; changing one does not update the other

DNS server type
Types of DNS server:
Primary (master) DNS server
Secondary (slave) DNS server
Caching DNS server (forwarder)
Primary DNS server: manages and maintains the zone database for the domain and answers queries for it
Secondary DNS server: holds a copy of the zone obtained from the primary or from another secondary (zone transfer)
Serial number: the version number of the zone; when the zone changes on the primary the serial must increase, otherwise secondaries never notice the change
Refresh interval: how often the secondary asks the primary whether the serial has changed
Retry interval: how long the secondary waits before trying again after a failed refresh
Expire time: how long the secondary keeps answering for the zone without having reached the primary; after that it stops serving the zone
Notify mechanism: when the zone changes on the primary, it proactively notifies the secondaries so they refresh before the refresh interval elapses

Zone transfer
Zone transfer:
Full transfer (AXFR): transfers the entire zone
Incremental transfer (IXFR): transfers only the changes made since the secondary's serial
Domain: fully qualified domain name (FQDN). Forward: FQDN-to-IP
Reverse: IP-to-FQDN
A server responsible for a domain keeps both of its zone databases:
Forward zone
Reverse zone
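The refresh/retry/expire timers and the serial comparison described above decide everything a secondary does. The following is an added example (not code from the original notes) that models that decision offline with the timer values used later in these notes (2H, 10M, 1W, 1D); the serial values and timeline are constructed. It also shows the two things practitioners most often get bitten by: a serial that is not increased (no transfer ever happens) and the RFC 1982 wrap-around rule that a 32-bit serial follows.

```python
# Added example (not from the original notes): how a secondary decides, from the
# SOA timers and serial, whether to wait, retry, transfer (AXFR/IXFR) or expire.
# All times are in seconds; serials follow RFC 1982 32-bit serial arithmetic.
from dataclasses import dataclass
from typing import List, Optional

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is 'after' serial b in RFC 1982 arithmetic.

    This is the comparison a secondary applies to the primary's SOA serial:
    it copes with the 32-bit wrap (1 is after 0xFFFFFFFF), but a serial that
    went backwards (an old zone file restored on the primary) is NOT newer,
    which is the classic reason a secondary silently stops updating.
    """
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


@dataclass
class Soa:
    serial: int
    refresh: int        # how often the secondary asks the primary for its SOA
    retry: int          # interval between attempts after a failed refresh
    expire: int         # stop serving the zone after this long without contact
    negative_ttl: int   # TTL for negative answers (not used by the transfer logic)


@dataclass
class Secondary:
    soa: Soa
    last_success: int   # last time the primary answered
    last_attempt: int   # last refresh/retry attempt
    failed: bool = False

    def due_at(self) -> int:
        return self.last_attempt + (self.soa.retry if self.failed else self.soa.refresh)

    def expired(self, now: int) -> bool:
        return now - self.last_success > self.soa.expire


def refresh_step(sec: Secondary, now: int, primary_serial: Optional[int], ixfr_ok: bool = True) -> str:
    """One refresh decision. primary_serial=None models an unreachable primary.
    Returns one of: wait, up-to-date, retry, expired, ixfr, axfr."""
    if now < sec.due_at():
        return "wait"
    sec.last_attempt = now
    if primary_serial is None:
        sec.failed = True
        return "expired" if sec.expired(now) else "retry"
    sec.failed = False
    sec.last_success = now
    if serial_gt(primary_serial, sec.soa.serial):
        sec.soa.serial = primary_serial          # transfer completed, adopt the new version
        return "ixfr" if ixfr_ok else "axfr"     # incremental only if the primary keeps a journal
    return "up-to-date"


def simulate() -> List[str]:
    """Walk a secondary through the timers used in the notes' SOA example (constructed timeline)."""
    soa = Soa(serial=2015042201, refresh=2 * 3600, retry=10 * 60, expire=7 * 86400, negative_ttl=86400)
    sec = Secondary(soa, last_success=0, last_attempt=0)
    return [
        refresh_step(sec, 3600, 2015042201),                 # refresh not yet due
        refresh_step(sec, 7200, 2015042201),                 # due, same serial: nothing to do
        refresh_step(sec, 14400, None),                      # primary down: back off by 'retry'
        refresh_step(sec, 14400 + 600, 2015042202),          # retry hits a newer serial: IXFR
        refresh_step(sec, 14400 + 600 + 8 * 86400, None),    # 8 days unreachable > expire
    ]


if __name__ == "__main__":
    print(simulate())
```

The only way out of the "serial went backwards" trap without editing the serial is rndc retransfer on the secondary, which is exactly what the rndc section later describes as "regardless of whether the serial increased".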

DNS resolution
The path a complete query takes:
Client --> /etc/hosts --> local resolver cache --> DNS server (recursion) --> server cache --> iteration: root servers --> TLD servers --> second-level servers ...
Kinds of answer:
Positive answer: the requested record exists and is returned
Negative answer: the requested name or record does not exist (NXDOMAIN, or NOERROR with no data), so no result can be returned
Authoritative answer: returned by a server that holds the zone itself (the aa flag is set)
Non-authoritative answer: returned from another server's cache

Resource records
Zone database: consists of a number of RRs
Resource record: RR
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: start of authority. A zone has one and only one SOA record, and it must be the first record in the zone file
A: Internet address, FQDN-to-IP (AAAA for IPv6)
PTR: pointer, IP-to-FQDN
NS: name server, names the DNS servers of the current zone
CNAME: canonical name, alias record
MX: mail exchanger
Format of a resource record:
Syntax: name [ttl] IN rr_type value
(1) The TTL can be inherited from the global $TTL
(2) @ can be used to refer to the name of the current zone ($ORIGIN)
(3) The same name can have several records with different values; the server then answers with all of them, rotating the order (round-robin)
(4) Several different names may have the same value; this only means the same host can be reached by more than one name

SOA Records
Name: the name of the current zone, usually written as @
Value: several parts
(1) The FQDN of the primary DNS server for the zone (or the zone name itself)
(2) The mailbox of the zone administrator; @ cannot appear in a name, so it is replaced by a dot (mailbox admin in the zone becomes admin.<zone-name>.)
(3) The timers used for primary/secondary zone transfers and the TTL for negative answers
For example (with placeholders for the server and mailbox names):
@   86400  IN  SOA  <primary-ns-fqdn>.  <admin-mailbox>.  (
        2015042201    ; serial
        2H            ; refresh
        10M           ; retry
        1W            ; expire
        1D )          ; negative-answer TTL

NS Records
Name: the name of the current zone
Value: the FQDN of one DNS server of the current zone, e.g. ns1.<zone-name>.
Note: a zone can have more than one NS record
For example:
@   IN  NS  ns1
    IN  NS  <second-ns>
(1) When adjacent resource records share a name, the later ones can omit it (leading whitespace means "same owner as the previous record")
(2) For every NS record, the server name it points to must itself have an A record in the zone

MX record
Name: the name of the current zone
Value: the host name of a mail server (SMTP server) for the zone
A zone can have several MX records; each value carries a preference number (a 16-bit value, 0-65535; the source says 0-99) and the lower the number the higher the priority
For example: @  IN  MX  10  <mail-server-name>
(1) For every MX record, the server name it points to should have an A record in the zone, and it must not be a CNAME

A record
Name: the FQDN of a host
Value: the IP address of that host
For example (one name, three addresses, answered round-robin; placeholder for the owner name):
<name>  IN  A  2.2.2.2
        IN  A  3.3.3.3
        IN  A  4.4.4.4
*       IN  A  6.6.6.6
The wildcard (*) record resolves every otherwise undefined name in the zone to one address, so a mistyped name still gets an answer instead of NXDOMAIN. Note that it also hides deleted or misspelled records (see the troubleshooting section).

Other records: PTR
Name: the IP address written in a specific form: the octets in reverse order, followed by the suffix in-addr.arpa. For 1.2.3.4 the full owner name is 4.3.2.1.in-addr.arpa.
Value: the FQDN of the host
For example: 4.3.2.1.in-addr.arpa.  IN  PTR  <host-fqdn>.
If 1.2.3 is the network address and the zone is 3.2.1.in-addr.arpa, the owner can be shortened to the host part:
4  IN  PTR  <host-fqdn>.
Note: the network part and the suffix can be omitted (they come from $ORIGIN); the host part must still be written in reverse order (in a /8 zone, 10.1.2.3 becomes 3.2.1).
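Reversing the address by hand is where most broken PTR records come from, especially once IPv6 (32 nibbles) is involved. The following added example (not code from the original notes) builds the reverse-zone name and the owner name relative to $ORIGIN from the address, for IPv4 and IPv6; it rejects non-octet-aligned IPv4 networks because RFC 2317 classless delegation is outside what this section covers. The hosts listed in the usage block are constructed, hypothetical names.

```python
# Added example (not from the original notes): build reverse-zone names and PTR
# owner names from IP addresses, so the "write the address backwards" rule and
# the "$ORIGIN lets you omit the network part" shortcut are done by code, not by hand.
import ipaddress
from typing import Iterable, List, Tuple


def reverse_name(ip: str) -> str:
    """Full PTR owner name: octets reversed under in-addr.arpa. (IPv4) or
    nibbles reversed under ip6.arpa. (IPv6), always with the trailing dot."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(network: str) -> str:
    """Zone name for a reverse zone. IPv4 reverse zones are delegated on octet
    boundaries, IPv6 ones on nibble boundaries; anything else (RFC 2317 classless
    delegation) is outside this example and rejected."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zone needs a /8, /16 or /24 network")
        parts = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(parts)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zone needs a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner(ip: str, network: str) -> str:
    """Owner name relative to $ORIGIN reverse_zone(network): for 1.2.3.4 in
    1.2.3.0/24 this is just '4', for 10.1.2.3 in 10.0.0.0/8 it is '3.2.1'."""
    zone = reverse_zone(network)
    full = reverse_name(ip)
    if not full.endswith("." + zone):
        raise ValueError(f"{ip} is not inside {network}")
    return full[: -len(zone) - 1]


def ptr_records(network: str, hosts: Iterable[Tuple[str, str]]) -> List[str]:
    """Render zone-file lines for (ip, fqdn) pairs; fqdn must be absolute (trailing dot)."""
    lines = [f"$ORIGIN {reverse_zone(network)}"]
    for ip, fqdn in hosts:
        if not fqdn.endswith("."):
            raise ValueError(f"{fqdn}: PTR target must be a FQDN ending in '.'")
        lines.append(f"{ptr_owner(ip, network):<8} IN PTR {fqdn}")
    return lines


if __name__ == "__main__":
    # constructed sample data; the host names are hypothetical
    hosts = [("1.2.3.4", "www.example.com."), ("1.2.3.5", "mail.example.com.")]
    print("\n".join(ptr_records("1.2.3.0/24", hosts)))
    print(reverse_name("2001:db8::1"))
```

The trailing-dot check on the PTR value is deliberate: a value without it is relative and silently gets the reverse zone's $ORIGIN appended, which is one of the errors the troubleshooting section at the end warns about.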

Alias record
Name: the FQDN of the alias
Value: the FQDN of the real (canonical) name
For example: <alias-fqdn>.  IN  CNAME  <canonical-fqdn>.
Note: a name that has a CNAME record may not have any other record, and NS and MX records must not point to an alias.

Subdomain authorization (delegation): the name servers of each zone are authorized by the parent zone, which carries NS records for the child in its own zone database
Just as the root zone delegates a TLD such as com:
com.             IN  NS  <com-ns-fqdn>.
<com-ns-fqdn>.   IN  A   <address>
the com zone's name servers delegate a second-level zone in the same way: NS records naming the child's name servers, plus an A record for each of those servers.
Glue record: the A (or AAAA) record for a child name server that the parent publishes next to the delegating NS record; without it a resolver cannot reach a name server whose own name lies inside the zone being delegated.
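The SOA, NS, MX, A and CNAME rules in the sections above, together with the glue requirement just described, are exactly what named-checkzone enforces. The following added example (not code from the original notes, nor from BIND) parses the zone-file syntax used in these notes and runs those checks: one SOA first, @/$TTL/$ORIGIN and inherited-owner handling, no CNAME mixed with other data, every in-zone NS or MX target backed by an A/AAAA record, and the round-robin answer for a name with several A records. The zone text is constructed, example.com is the reserved documentation domain, and mx2 deliberately has no address record so the checker has something to find.

```python
# Added example (not from the original notes): a small parser for the zone-file
# syntax above plus the checks worth running before "rndc reload". Names are
# hypothetical (example.com is reserved for documentation); mx2 deliberately
# has no A record so the checker has something to report.
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List

SAMPLE_ZONE = """\
$TTL 86400
@        IN SOA ns1 admin.example.com. (
               2015042201 ; serial
               2H         ; refresh
               10M        ; retry
               1W         ; expire
               1D )       ; negative-answer TTL
         IN NS  ns1
         IN NS  ns2
         IN MX  10 mx1
         IN MX  20 mx2
ns1      IN A   2.2.2.2
ns2      IN A   3.3.3.3
mx1      IN A   4.4.4.4
www      IN A   5.5.5.5
www      IN A   6.6.6.6
ftp      IN CNAME www
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


@dataclass
class Record:
    owner: str          # absolute name with trailing dot
    ttl: int
    rtype: str
    rdata: List[str]


def to_seconds(token: str) -> int:
    m = re.fullmatch(r"(\d+)([smhdw]?)", token, re.I)
    if not m:
        raise ValueError(f"bad TTL {token!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]


def absolute(name: str, origin: str) -> str:
    # @ is the zone name; a name without a trailing dot gets $ORIGIN appended
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> List[Record]:
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, None, []
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():              # strip ; comments, join ( ... ) continuations
        line = re.sub(r";.*", "", raw)
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            logical.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    for line in logical:
        tokens = line.split()
        if tokens[0] == "$TTL":
            default_ttl = to_seconds(tokens[1])
            continue
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        owner = last_owner if line[0].isspace() else tokens.pop(0)  # leading blank: same owner
        if owner is None:
            raise ValueError("first record has no owner name")
        ttl = to_seconds(tokens.pop(0)) if re.fullmatch(r"\d+[smhdw]?", tokens[0], re.I) else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        if ttl is None:
            raise ValueError(f"{owner}: no TTL on the record and no $TTL to inherit")
        records.append(Record(absolute(owner, origin), ttl, tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return records


def check_zone(records: List[Record], origin: str) -> List[str]:
    origin = origin if origin.endswith(".") else origin + "."
    problems = []
    if not records or records[0].rtype != "SOA" or sum(r.rtype == "SOA" for r in records) != 1:
        problems.append("zone must start with exactly one SOA record")
    types = defaultdict(set)
    for r in records:
        types[r.owner].add(r.rtype)
    for owner, ts in types.items():
        if "CNAME" in ts and len(ts) > 1:
            problems.append(f"{owner}: CNAME cannot coexist with other records")
    for r in records:
        if r.rtype in ("NS", "MX"):             # in-zone targets need an address (glue) record
            target = absolute(r.rdata[-1], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if "CNAME" in types[target]:
                problems.append(f"{r.rtype} target {target} is an alias (CNAME)")
            elif in_zone and not types[target] & {"A", "AAAA"}:
                problems.append(f"{r.rtype} target {target} has no A/AAAA record")
    return problems


def addresses(records: List[Record], name: str) -> List[str]:
    """All A values for a name; more than one means round-robin answers."""
    return [r.rdata[0] for r in records if r.owner == name and r.rtype == "A"]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.com")
    print(check_zone(recs, "example.com"))
    print(addresses(recs, "www.example.com."))
```

This is not a replacement for named-checkzone (it knows nothing about record-specific rdata validation), but it shows what "the zone must have one SOA first", "NS/MX need a following A record" and "round-robin" mean mechanically, and it flags the one mistake planted in the sample.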

Internet domain name
Domain registration:
Registrars: Wanwang (HiChina), Xinnet, GoDaddy
After registration, if you want to serve the zone from your own name servers:
In the registrar's admin console, set the NS records to your servers' names and the A (glue) records to their addresses

Bind installation
Installing and configuring BIND:
DNS service packages: bind, unbound
Program names: named, unbound
Packages: yum list all bind*
bind: the server
bind-libs: shared libraries
bind-utils: client tools (dig, host, nslookup)

Bind Server
Service scripts and unit names: /etc/rc.d/init.d/named (SysV), named.service and unbound.service (systemd)
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key, /etc/unbound/unbound.conf
Zone database files: /var/named/<zone_name>.zone
(1) One physical server can serve several zones at the same time
(2) There must be a root hints zone file
(3) There should be zones for localhost and the loopback address (forward and reverse; more if IPv6 is included)
rndc: Remote Name Daemon Control
By default it is installed on the same host as BIND, and named only accepts rndc connections on the loopback address (127.0.0.1)
Provides management functions; 953/TCP

Configuration file
Main configuration file:
Global configuration: options {};
Logging subsystem: logging {};
Zone definitions: every zone this server answers for needs a zone statement:
zone "zone_name" IN {};
Note: if a service is expected to be reachable from other hosts over the network, it must at least listen on an IP address those hosts can reach (listen-on in options; the packaged default listens on 127.0.0.1 only)
Configuring a caching name server:
listen-on an external address, and restrict allow-query and allow-recursion to the clients it is meant to serve
DNSSEC: these notes turn DNSSEC off (dnssec-enable no; dnssec-validation no;) to keep the lab simple. Be aware that this disables validation of signed zones, so a forged answer from an upstream server is accepted; on BIND 9.16 and later dnssec-enable is obsolete and dnssec-validation defaults to auto, so only switch validation off deliberately.

Configuring the Primary DNS server
Primary DNS name server:
(1) Define the zone in the main configuration file:
zone "zone_name" IN {
    type {master|slave|hint|forward};
    file "zone_file";
};
(2) Create the zone database file. It contains:
macro definitions ($TTL, $ORIGIN);
resource records;
Main configuration syntax check: named-checkconf
Zone file syntax check: named-checkzone "zone_name" /var/named/zone_file
Apply: rndc status; rndc reload (or service named reload)

Main Zone Example
$TTL 86400
@       IN  SOA  ns1  <admin-mailbox>. ( <serial> <refresh> <retry> <expire> <negative-ttl> )
        IN  NS   ns1
        IN  MX   10  mx1
        IN  MX   20  mx2
ns1     IN  A    <ns1-address>
mx1     IN  A    <mx1-address>
mx2     IN  A    <mx2-address>

Test command: dig
dig [-t type] name [@SERVER] [query options]
dig only tests the DNS system; it does not consult /etc/hosts
Query options:
+[no]trace: trace the resolution process from the root down
+[no]recurse: ask for (or suppress) recursion
Test reverse resolution: dig -x <ip> [@SERVER]
Simulate a zone transfer (also a quick check that allow-transfer is not too open):
dig -t AXFR zone_name @SERVER
dig -t <type> <name> @SERVER

Test commands: host and nslookup
host [-t type] name [SERVER]
host -t NS <zone_name> <SERVER>
nslookup command:
nslookup [-option] [name | -] [server]
Interactive mode:
server IP: which DNS server to use for the following queries
set q=rr_type: the resource record type to query
name: the name to query

Reverse Zone
Reverse zone:
Zone name: the network address written in reverse, followed by in-addr.arpa
(1) Define the zone
zone "zone_name" IN {
    type {master|slave|forward};
    file "<network-address>.zone";
};
(2) Create the zone database file
Note: no MX record is needed; PTR records are the main content

Example of a reverse zone
$TTL 86400
@             IN  SOA  ns1  <admin-mailbox>. ( <serial> <refresh> <retry> <expire> <negative-ttl> )
              IN  NS   ns1
<host-octet>  IN  PTR  <host-fqdn>.

Secondary (slave) server
1. Should be a separate name server (a different host)
2. The primary's zone file must contain an NS record pointing at the secondary (otherwise NOTIFY is not sent to it unless also-notify is configured)
3. The secondary only defines the zone; it needs no zone file of its own. The transferred copy is written to /var/named/slaves/
4. The primary must allow zone transfers to the secondary (allow-transfer)
5. Primary and secondary clocks should be synchronized, e.g. with NTP
6. BIND versions should match; if they differ, the secondary should run the newer version and the primary the older one
Defining a secondary zone:
zone "zone_name" IN {
    type slave;
    masters { master_ip; };
    file "slaves/<zone_file>";
};

RNDC command
rndc --> named (953/TCP)
reload: reload the main configuration and all zone files
reload zone: reload one zone file
retransfer zone: start a zone transfer immediately, regardless of whether the serial increased
notify zone: send NOTIFY for the zone again
reconfig: reload the main configuration only (existing zones are not re-read)
querylog: toggle query logging on or off; queries go to the named log (/var/log/messages by default)
trace: raise the debug level by one
trace level: set a specific debug level
notrace: set the debug level to 0
flush: empty the server's entire cache

Subdomain Authorization: a distributed database
Delegating a subdomain in the forward zone:
In the parent zone file, add NS records for the child zone and A (glue) records for the child's name servers:
<child>         IN  NS  ns1.<child>
<child>         IN  NS  ns2.<child>
ns1.<child>     IN  A   <address>
ns2.<child>     IN  A   <address>
Note: these notes turn DNSSEC off (see the caveat in the configuration-file section):
dnssec-enable no;
dnssec-validation no;

Forwarding Server
Note: the server being forwarded to must be willing to do recursion for the requester (allow-recursion), otherwise the forwarded query goes nowhere
(1) Global forwarding: every query for a zone this server is not authoritative for is handed to the specified server(s)
options {
    forward first|only;
    forwarders { IP; };
};
(2) Zone-specific forwarding: forwards only queries for a specific zone; takes precedence over global forwarding
zone "zone_name" IN {
    type forward;
    forward first|only;
    forwarders { IP; };
};
forward only: answer from the forwarder or fail; forward first: if the forwarder does not answer, resolve iteratively yourself
Note: these notes turn DNSSEC off here too (see the caveat in the configuration-file section):
dnssec-enable no;
dnssec-validation no;

ACL in bind
The basic security-related configuration in BIND:
acl: groups one or more addresses into a named set that other directives can use by name
BIND has four built-in ACLs:
none: no host
any: any host
localhost: all addresses of this machine's interfaces
localnet: the networks obtained by applying each interface's mask to its address
Note: an ACL must be defined before it is used, so acl statements normally go at the top of the configuration file, before options

Access control
Access-control directives (each takes an address match list, evaluated in order with the first match deciding; a "!" negates an entry):
allow-query {}: hosts allowed to query; whitelist
allow-transfer {}: hosts allowed to perform zone transfers; whitelist. Left open, anyone can dump the whole zone with dig -t AXFR, so restrict it to the secondaries
allow-recursion {}: hosts allowed to ask for recursion; usually set globally, and never "any" on a server reachable from the Internet (open resolvers are abused for amplification attacks)
allow-update {}: hosts allowed to update a zone dynamically; keep it at none unless you run dynamic DNS, and then use TSIG keys rather than addresses

Bind view
View: one BIND server can define several views, each containing one or more zones
Each view serves the set of clients that match its match-clients list
Several views may need to answer for the same zone, each from a different zone file
view view_name {
    match-clients {};
    zone "zone_name" IN { ... };
};
(1) Once any view is defined, every zone must be defined inside a view
(2) Define the root hints zone only in the view whose clients are allowed to request recursion
(3) When a query arrives, the views' match-clients lists are checked from top to bottom and the first matching view answers
CDN: Content Delivery Network
Smart DNS: using views to hand out different answers depending on where the client comes from
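The ACL, access-control and view sections above all rest on one mechanism, the address match list. The following added example (not code from the original notes, nor from BIND) implements that evaluation order and applies it to allow-query, allow-recursion, allow-transfer, allow-update and to top-to-bottom view selection. The server's interface addresses, the ACL members and the client addresses are constructed for the example, and a nested ACL is simplified to a single yes/no element. It also shows why the order of entries inside an ACL matters: a negated entry placed after a network that already matches the client is never reached.

```python
# Added example (not from the original notes): how BIND evaluates an address
# match list, applied to the allow-* directives and to top-to-bottom view
# selection. The interface addresses, ACL members and client addresses are
# constructed for the example; a nested ACL is simplified to one boolean element.
import ipaddress
from typing import Dict, List

INTERFACES = ["192.168.10.5/24", "10.0.0.1/8"]   # assumed addresses of this server


def builtin_acls(interfaces: List[str]) -> Dict[str, List[str]]:
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    return {
        "none": [],
        "any": ["0.0.0.0/0", "::/0"],
        "localhost": ["127.0.0.0/8", "::1/128"] + [str(i.ip) for i in ifaces],
        "localnet": [str(i.network) for i in ifaces],   # interface address masked by its netmask
    }


ACLS = builtin_acls(INTERFACES)
ACLS.update({
    # the negated entry must come first: a positive match on localnet would end
    # evaluation before the "!" entry is ever looked at
    "trusted": ["!192.168.10.66", "localhost", "localnet"],
    "secondaries": ["3.3.3.3"],
})
OPTIONS = {
    "allow-query": ["any"],
    "allow-recursion": ["trusted"],     # never "any" on an Internet-facing server
    "allow-transfer": ["secondaries"],  # only the secondaries may AXFR/IXFR the zone
    "allow-update": ["none"],
}
VIEWS = [("internal", ["trusted"]), ("external", ["any"])]   # order matters


def matches(client: str, aml: List[str], acls: Dict[str, List[str]] = ACLS) -> bool:
    """Address match list semantics: entries are tried in order, the first hit
    decides (a '!' entry that hits means 'no'), and no hit at all means 'no'."""
    ip = ipaddress.ip_address(client)
    for entry in aml:
        negated = entry.startswith("!")
        name = entry.lstrip("!")
        if name in acls:
            hit = matches(client, acls[name], acls)
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)   # 'in' is False across IP versions
        if hit:
            return not negated
    return False


def permitted(client: str, directive: str) -> bool:
    return matches(client, OPTIONS[directive])


def select_view(client: str) -> str:
    """The first view whose match-clients matches the client answers it."""
    for name, clients in VIEWS:
        if matches(client, clients):
            return name
    raise LookupError("no view matches; named would refuse the query")


def decisions(client: str) -> Dict[str, object]:
    out: Dict[str, object] = {d: permitted(client, d) for d in OPTIONS}
    out["view"] = select_view(client)
    return out


if __name__ == "__main__":
    for c in ("127.0.0.1", "192.168.10.20", "192.168.10.66", "3.3.3.3", "8.8.8.8"):
        print(c, decisions(c))
```

Run it and the excluded host 192.168.10.66 can still query but gets neither recursion nor the internal view, the secondary 3.3.3.3 is the only address allowed to transfer, and 8.8.8.8 lands in the external view with recursion denied, which is the posture an Internet-facing authoritative server should have.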

compile install bind
Download bind from ISC
Compiling and installing bind:
# tar xvf bind-9.11.0a3.tar.gz
# cd bind-9.11.0a3/
# groupadd -r -g 53 named
# useradd -r -u 53 -g named named
# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
# make
# make install
Environment variable:
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
Libraries and header files:
/usr/local/bind9/lib
Man pages:
man named.conf

options {
    directory "/var/named/";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

Zone databases
Root hints: dig -t NS . @<a-root-server> > /var/named/named.ca
named.localhost:
$TTL 1d
@           IN  SOA  localhost. admin.localhost. ( <serial> <refresh> <retry> <expire> <negative-ttl> )
            IN  NS   localhost.
localhost.  IN  A    127.0.0.1

named.loopback (zone 1.0.0.127.in-addr.arpa):
$TTL 1d
@           IN  SOA  localhost. admin.localhost. ( <serial> <refresh> <retry> <expire> <negative-ttl> )
            IN  NS   localhost.
1           IN  PTR  localhost.

Compile and install bind (continued)
Set permissions (the files must be readable by the named user, so make that user the group owner):
# chown root:named /var/named/* /etc/named/named.conf
# chmod 640 /var/named/*
# chmod 640 /etc/named/named.conf
Starting the service and testing:
# man named
# named -u named -f -g -d 3      run in the foreground (-f, -g logs to stderr) at debug level 3
# named -u named                 run in the background as user named
# killall named
# named -u named
Enabling rndc:
rndc reload fails with a key error until a key and a controls channel are configured:
# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf     generate the key and rndc.conf
# tail /etc/named/rndc.conf >> /etc/named/named.conf      the tail of rndc.conf is the commented key and controls block for named.conf; uncomment it there
# killall -SIGHUP named
# rndc status

Stress test
Compile the stress-test tool (queryperf ships in the contrib directory of the BIND source tree)
# cp queryperf /usr/local/bind9/bin
Stress test:
# vim test.txt      one query per line, "<name> <type>": <name> A, <name> NS, <name> MX, ...
# queryperf -d test.txt -s <server_ip>
Turn on query logging and compare the throughput (logging every query costs performance):
# rndc querylog
# rndc status
# queryperf -d test.txt -s <server_ip>

# dig <name> A
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> <name> A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523
Status values and what they usually mean:
SERVFAIL: the name server encountered a problem while processing the query.
Use dig +trace to find the failing step; often a network or firewall problem between servers
NXDOMAIN: the queried name does not exist in the zone.
Often a CNAME whose target record does not exist, or a missing trailing dot
REFUSED: the name server refused the client's DNS request due to policy restrictions.
Check allow-query, allow-recursion and allow-transfer for that client

DNS Error troubleshooting
NOERROR does not mean there is no problem; the answer may be a stale record from a cache
Check whether the answer is authoritative: look for aa in the flags line
A deleted record can still resolve because a wildcard record exists, e.g.: *  IN  A  172.25.254.254
Watch the trailing ".": a value without it is relative to the zone and gets $ORIGIN appended
Avoid a CNAME that points to another CNAME; chains of aliases can loop:
<a>  IN  CNAME  <b>
<b>  IN  CNAME  <a>
Configure PTR records properly; many services rely on reverse lookup, e.g. sshd and the MTA
Configure round-robin records correctly
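The status table and the checklist above are what you read off dig output by eye. The following added example (not code from the original notes, nor from dig) parses that output and applies the same rules mechanically: the status code, the missing aa flag on a NOERROR answer, and a CNAME that points at another CNAME or loops. The dig transcript is constructed for the example with hypothetical names; the version banner matches the one shown above.

```python
# Added example (not from the original notes): parse dig output and apply the
# troubleshooting rules above: the status code, the aa flag, and CNAME chains
# or loops in the answer section. The dig output is constructed for the example
# and the names are hypothetical.
import re
from typing import Dict, List, Tuple

SAMPLE_DIG = """\
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.example.com.\t300\tIN\tCNAME\tweb.example.com.
web.example.com.\t300\tIN\tCNAME\tsrv.example.com.
srv.example.com.\t300\tIN\tA\t172.25.254.254

;; Query time: 1 msec
"""

STATUS_HINTS = {
    "SERVFAIL": "the server hit a problem; run dig +trace and check network/firewall paths to upstream servers",
    "NXDOMAIN": "the name does not exist in the zone; check spelling, trailing dots and CNAME targets",
    "REFUSED": "policy; check allow-query, allow-recursion and allow-transfer for this client",
}

Answer = Tuple[str, int, str, str]   # owner, ttl, type, rdata


def parse_dig(text: str) -> Dict[str, object]:
    status, flags, answers, section = None, set(), [], None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flags = set(line[len(";; flags:"):].split(";")[0].split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:-len("SECTION:")].strip()
        elif section == "ANSWER" and line and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append((owner, int(ttl), rtype, rdata))
    return {"status": status, "flags": flags, "answers": answers}


def cname_chain(answers: List[Answer]) -> Tuple[int, bool]:
    """Follow CNAMEs from the first answer owner; returns (hops, looped)."""
    cnames = {o: r for o, _t, ty, r in answers if ty == "CNAME"}
    name = answers[0][0] if answers else None
    seen, hops = set(), 0
    while name in cnames:
        if name in seen:
            return hops, True
        seen.add(name)
        name = cnames[name]
        hops += 1
    return hops, False


def diagnose(text: str) -> List[str]:
    d = parse_dig(text)
    findings = []
    if d["status"] in STATUS_HINTS:
        findings.append(f'{d["status"]}: {STATUS_HINTS[d["status"]]}')
    if d["status"] == "NOERROR" and "aa" not in d["flags"]:
        findings.append("non-authoritative answer (no aa flag): served from a cache and possibly stale; query an NS of the zone directly")
    hops, looped = cname_chain(d["answers"])
    if looped:
        findings.append("CNAME loop: the aliases point back at each other")
    elif hops > 1:
        findings.append(f"CNAME chain of {hops} hops: an alias points at another alias; point it at the A record")
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_DIG):
        print("-", f)
```

On the constructed transcript it reports two findings: the answer came from a cache (no aa), and www is a two-hop alias chain. A wildcard masking a deleted record cannot be seen in dig output alone; for that, compare the answer against the zone file on the primary.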

