Linux 24th Day: (September 22) Linux DNS
Chapter Content
Name resolution
DNS Service
Implementing a master-slave server
Implementing subdomains
Implementing views
Compiling and installing BIND
Load testing
DNS Error troubleshooting
DNS Service
DNS: Domain Name Service; an application-layer protocol in the client/server model, using 53/udp and 53/tcp (UDP for ordinary queries; TCP for zone transfers and for answers too large to fit in a UDP datagram)
BIND: Berkeley Internet Name Domain, maintained by ISC (www.isc.org)
Local name resolution configuration file: hosts
/etc/hosts
%windir%\system32\drivers\etc\hosts
1.1.1.1 www.magedu.com
2.2.2.2 www.apple.com
DNS domain names
Root domain
First level: top-level domain (TLD)
com, edu, mil, gov, net, org, int, ...
Three categories: organizational (generic) domains, country domains (.cn, .ca, .hk, .tw), reverse domains (in-addr.arpa)
Second-level domain name
Third-level domain name
A name can have at most 127 levels (labels)
ICANN (the Internet Corporation for Assigned Names and Numbers): responsible for managing the generic top-level domain (gTLD) and country-code top-level domain (ccTLD) systems and the root server system worldwide
DNS resolution
DNS query types:
Recursive query: the client asks its server for a complete answer and the server does all the work
Iterative query: the server answers with the best referral it has and the asker follows it
Name server: a host within a domain responsible for resolving names within that domain
Root servers: 13 root server addresses (a.root-servers.net through m.root-servers.net), each served by a group of anycast instances
Resolution types:
FQDN-to-IP (forward)
IP-to-FQDN (reverse)
Note: forward and reverse resolution are two different namespaces and two different resolution trees; a forward record does not imply a reverse one, and vice versa
DNS server types
Types of DNS server:
Primary (master) DNS server
Secondary (slave) DNS server
Caching DNS server (forwarder)
Primary DNS server: manages and maintains the zone database for a domain and answers authoritatively for it
Secondary DNS server: holds a copy of the zone database obtained from the primary server or from another secondary (zone transfer)
Serial number: the version number of the zone database; whenever the zone changes on the primary, its serial must be incremented, otherwise secondaries never notice the change
Refresh interval: how often a secondary asks the primary whether the zone has changed (it compares SOA serial numbers)
Retry interval: how long a secondary waits before trying again after a failed refresh
Expire time: how long a secondary keeps serving the zone without being able to contact the primary; after that it stops answering for the zone
Notify mechanism: when the zone changes on the primary, it proactively notifies the secondaries so they refresh immediately
Zone transfer
Zone transfer:
Full transfer (AXFR): transfers the entire zone database
Incremental transfer (IXFR): transfers only the part of the zone that changed
Domain: FQDN, fully qualified domain name; forward: FQDN-to-IP
Reverse: IP-to-FQDN
The forward and reverse databases for a local domain name:
Forward zone
Reverse zone
DNS resolution
The path a complete query request takes:
Client --> hosts file --> local DNS client cache --> DNS server (recursion) --> server cache --> iteration: root servers --> top-level domain servers --> second-level domain servers ...
Answer types:
Positive answer: the requested record exists and is returned
Negative answer: the requested entry does not exist (NXDOMAIN) or the query otherwise cannot be answered; negative answers are cached for the SOA negative TTL
Authoritative answer: comes from a server that holds the zone (aa flag set)
Non-authoritative answer: comes from a server's cache
Resource records
Zone database: consists of a number of RRs
Resource record: RR
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone file
A: Internet address, FQDN-to-IPv4
AAAA: FQDN-to-IPv6
PTR: pointer, IP-to-FQDN
NS: name server, names a DNS server that is authoritative for the current zone
CNAME: canonical name, alias record
MX: mail exchanger
Format of a resource record definition:
Syntax: name [TTL] IN rr_type value
Notes:
(1) The TTL can be omitted and is then inherited from the global $TTL
(2) @ refers to the name of the current zone ($ORIGIN)
(3) The same name can have several records with different values; the DNS server then rotates the order of the answers (round robin)
(4) Several different names can point to the same value; this only means the same host can be reached by several names
SOA record
Name: the name of the current zone, e.g. "magedu.com."
Value: composed of several parts
(1) The FQDN of the primary DNS server for the current zone (or the zone name itself)
(2) The e-mail address of the zone administrator; the @ character cannot be used, so it is replaced by a dot: admin@magedu.com is written admin.magedu.com.
(3) The timers that drive master-slave zone transfers, and the TTL for negative answers
Example:
magedu.com. 86400 IN SOA ns.magedu.com. nsadmin.magedu.com. (
    2015042201  ; serial number
    2H          ; refresh interval
    10M         ; retry interval
    1W          ; expire time
    1D          ; negative-answer TTL
)
NS record
Name: the name of the current zone
Value: the name of a DNS server for the current zone, e.g. ns.magedu.com.
Note: a zone can have more than one NS record
Example:
magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.
Notes:
(1) When two adjacent resource records have the same name, the name of the second one can be omitted
(2) For every NS record, the server name on the right-hand side must have a matching A record
MX record
Name: the name of the current zone
Value: host name of a mail server (SMTP server) for the current zone
A zone can have several MX records; each value carries a preference number (a 16-bit value, 0-65535) that gives the priority of the server: the smaller the number, the higher the priority
Example:
magedu.com. IN MX 10 mx1.magedu.com.
            IN MX 20 mx2.magedu.com.
Notes:
(1) For every MX record, the server name on the right-hand side must have a matching A record (an MX must not point at a CNAME)
A record
Name: the FQDN of a host, e.g. www.magedu.com.
Value: the IP address of that host
Example:
www.magedu.com. IN A 1.1.1.1
www.magedu.com. IN A 2.2.2.2
mx1.magedu.com. IN A 3.3.3.3
mx2.magedu.com. IN A 4.4.4.4
Notes:
*.magedu.com.   IN A 5.5.5.5
magedu.com.     IN A 6.6.6.6
A wildcard record (*.magedu.com.) makes every otherwise undefined name under the zone resolve to a fixed address, so a user who mistypes a host name still lands somewhere instead of getting NXDOMAIN; be aware that it also hides typos and deleted records, because names under the zone no longer return NXDOMAIN
Other records
AAAA:
Name: FQDN
Value: IPv6 address
PTR:
Name: the IP address in a specific format: the octets are written in reverse order (1.2.3.4 becomes 4.3.2.1) followed by the suffix in-addr.arpa., so the complete owner name is 4.3.2.1.in-addr.arpa.
Value: FQDN
Example:
4.3.2.1.in-addr.arpa. IN PTR www.magedu.com.
If 1.2.3 is the network address (the reverse zone is 3.2.1.in-addr.arpa.), this can be shortened to
4 IN PTR www.magedu.com.
Note: the network part and the suffix can be omitted because $ORIGIN supplies them; the host part must still be written, in reversed order if it spans several octets
Alias record
CNAME:
Name: the FQDN of the alias
Value: the FQDN of the real (canonical) name
Example:
www.magedu.com. IN CNAME websrv.magedu.com.
Subdomain
Subdomain delegation: the name servers of each domain are authorized (delegated) by the parent domain's name servers, through records in the parent's zone database
Just as the root delegates a TLD:
com. IN NS ns1.com.
com. IN NS ns2.com.
ns1.com. IN A 2.2.2.1
ns2.com. IN A 2.2.2.2
magedu.com. is delegated by adding resource records to the zone database on the .com name servers:
magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.
magedu.com. IN NS ns3.magedu.com.
ns1.magedu.com. IN A 3.3.3.1
ns2.magedu.com. IN A 3.3.3.2
ns3.magedu.com. IN A 3.3.3.3
Glue record: the A record the parent zone keeps for a name server that lives inside the delegated subdomain; without it a resolver that receives the NS record has no way to find the child's servers
Internet domain names
Domain registration:
Registrars: Wanwang, Xinnet; GoDaddy
After registration is complete, if you want to run your own name service for the domain:
In the registrar's admin console, point the NS records at your server names and the A records at their addresses
BIND installation
Installing and configuring BIND:
DNS service packages: bind, unbound
Program names: named, unbound
Packages: yum list all bind*
bind: the server
bind-libs: shared libraries
bind-utils: client tools (dig, host, nslookup)
bind-chroot: runs named in a chroot under /var/named/chroot/
BIND server
Service script and unit name: /etc/rc.d/init.d/named (SysV init), named.service / unbound.service (systemd)
Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key; for unbound: /etc/unbound/unbound.conf
Zone database files: /var/named/ZONE_NAME.zone
Notes:
(1) One physical server can serve several zones at the same time
(2) There must be a root hints zone file: named.ca
(3) There should be two zone databases for localhost and the loopback address (forward and reverse; more if IPv6 is included)
rndc: Remote Name Daemon Control
Installed on the same host as BIND by default; by default named accepts rndc connections only on 127.0.0.1
Provides auxiliary management functions; listens on 953/tcp
Configuration file
Main configuration file:
Global configuration: options {};
Logging subsystem configuration: logging {};
Zone definitions: every zone this server should answer for must be defined here:
zone "ZONE_NAME" IN {};
Note: if a service is expected to be reachable over the network by other hosts, it must at a minimum listen on an IP address that can communicate with those hosts (listen-on port 53 { ... };)
Configuring a caching name server:
Listen on the external address (listen-on) and restrict who may recurse (allow-recursion); an open recursive resolver gets abused for amplification attacks
DNSSEC: these notes turn DNSSEC validation off (dnssec-validation no) because the lab zones and forwarders are unsigned; on a production resolver leave validation enabled
Configuring the primary DNS server
Primary DNS name server:
(1) Define the zone in the main configuration file
zone "ZONE_NAME" IN {
    type master|slave|hint|forward;
    file "ZONE_NAME.zone";
};
(2) Define the zone database file
What it contains:
macro definitions ($TTL, $ORIGIN);
resource records;
Main configuration file syntax check:
named-checkconf
Zone database file syntax check:
named-checkzone "magedu.com" /var/named/magedu.com.zone
rndc status | rndc reload; service named reload
Example of a primary zone
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA   ns1.magedu.com. admin.magedu.com. (
            2015042201
            1H
            5M
            7D
            1D )
        IN NS    ns1
        IN NS    ns2
        IN MX 10 mx1
        IN MX 20 mx2
ns1     IN A     172.16.100.11
ns2     IN A     172.16.100.12
mx1     IN A     172.16.100.13
mx2     IN A     172.16.100.14
websrv  IN A     172.16.100.11
websrv  IN A     172.16.100.12
www     IN CNAME websrv
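As an added example (not code from the course notes or from ISC), here is a small Python parser that applies the resource-record rules listed earlier (a global $TTL inherited when a record gives none, @ for the zone name, a blank owner column reusing the previous name, relative names completed with $ORIGIN, one SOA that must come first) to the zone above, plus a lookup that follows a CNAME and returns all round-robin addresses. The zone text is the one from these notes; nothing outside it is assumed.

```python
"""Added example (not from the course notes): a minimal parser for BIND-style zone files
that applies the rules stated above ($TTL/$ORIGIN, '@', relative names, inherited TTL and
owner name, '(...)' continuations, ';' comments, single leading SOA). Data is the notes' zone."""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype value")
UNITS = {"": 1, "S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
TTL_RE = re.compile(r"(\d+)([SMHDW]?)", re.IGNORECASE)

ZONE_TEXT = """\
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA   ns1.magedu.com. admin.magedu.com. (
            2015042201  ; serial
            1H          ; refresh
            5M          ; retry
            7D          ; expire
            1D )        ; negative-answer TTL
        IN NS    ns1
        IN NS    ns2
        IN MX 10 mx1
        IN MX 20 mx2
ns1     IN A     172.16.100.11
ns2     IN A     172.16.100.12
mx1     IN A     172.16.100.13
mx2     IN A     172.16.100.14
websrv  IN A     172.16.100.11
websrv  IN A     172.16.100.12
www     IN CNAME websrv
"""

def parse_ttl(text):                      # '2H' -> 7200, '86400' -> 86400
    m = TTL_RE.fullmatch(text)
    if not m:
        raise ValueError("bad TTL %r" % text)
    return int(m.group(1)) * UNITS[m.group(2).upper()]

def qualify(name, origin):                # '@' = apex; no trailing dot = relative to $ORIGIN
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def _logical_lines(text):
    """Yield (tokens, owner_omitted) with ';' comments stripped and '( ... )' joined."""
    buf, depth, owner_omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            if not line.strip():
                continue
            owner_omitted = line[:1].isspace()   # blank owner column: reuse previous name
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf).split(), owner_omitted
            buf = []

def parse_zone(text, origin="."):
    records, default_ttl, last_name = [], None, None
    for tokens, owner_omitted in _logical_lines(text):
        if tokens[0] == "$TTL":
            default_ttl = parse_ttl(tokens[1]); continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower(); continue
        if owner_omitted:
            if last_name is None:
                raise ValueError("first record has no owner name")
            name = last_name
        else:
            name = qualify(tokens.pop(0).lower(), origin)
        ttl = default_ttl
        if TTL_RE.fullmatch(tokens[0]):   # optional per-record TTL overrides $TTL
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":     # class is optional
            tokens.pop(0)
        rtype, args = tokens[0].upper(), tokens[1:]
        if (rtype == "SOA") != (not records):
            raise ValueError("zone must start with exactly one SOA")
        if ttl is None:
            raise ValueError("no TTL: set $TTL or give one per record")
        if rtype == "SOA":   # (mname, rname, serial, refresh, retry, expire, negative TTL)
            value = (qualify(args[0].lower(), origin), qualify(args[1].lower(), origin),
                     int(args[2])) + tuple(parse_ttl(a) for a in args[3:7])
        elif rtype == "MX":
            value = (int(args[0]), qualify(args[1].lower(), origin))
        elif rtype in ("NS", "CNAME", "PTR"):
            value = qualify(args[0].lower(), origin)
        else:
            value = args[0]
        records.append(Record(name, ttl, rtype, value))
        last_name = name
    return records

def lookup(records, name, rtype):
    """Values for (name, type), following one CNAME hop; several A records for the same
    name come back together and the server rotates their order (round robin)."""
    name = name.lower()
    hits = [r.value for r in records if r.name == name and r.rtype == rtype]
    alias = [r.value for r in records if r.name == name and r.rtype == "CNAME"]
    if not hits and alias and rtype != "CNAME":
        return lookup(records, alias[0], rtype)
    return hits
```

parse_zone rejects a file whose first record is not the SOA, which is the same condition named-checkzone reports; lookup returns both websrv addresses for www, which is the round-robin set a client sees.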
Test command: dig
dig [-t type] name [@SERVER] [query options]
dig only tests the DNS system; it does not consult the hosts file
Query options:
+[no]trace: trace the resolution process from the root down
+[no]recurse: request (or not) recursive resolution
Test reverse resolution:
dig -x IP @SERVER
Simulate a zone transfer:
dig -t axfr ZONE_NAME @SERVER
dig -t axfr magedu.com @172.16.100.11
dig -t axfr 100.16.172.in-addr.arpa @172.16.1.1
If this succeeds from an arbitrary host, allow-transfer is too permissive and the whole zone leaks
Test commands
host [-t type] name [SERVER]
host -t NS magedu.com 172.16.0.1
nslookup command:
nslookup [-option] [name | -] [server]
Interactive mode:
nslookup>
server IP: which DNS server to query
set q=RR_TYPE: the resource record type to query
NAME: the name to query
Reverse zone
Reverse zone:
Zone name: the network address written backwards, followed by .in-addr.arpa.
172.16.100 -> 100.16.172.in-addr.arpa.
(1) Define the zone
zone "ZONE_NAME" IN {
    type master|slave|forward;
    file "NETWORK_ADDRESS.zone";
};
(2) Define the zone database file
Note: MX records are not needed; PTR records are the main content
Example of a reverse zone (addresses match the primary zone above)
$TTL 86400
$ORIGIN 100.16.172.in-addr.arpa.
@       IN SOA   ns1.magedu.com. admin.magedu.com. (
            2015042201
            1H
            5M
            7D
            1D )
        IN NS    ns1.magedu.com.
        IN NS    ns2.magedu.com.
11      IN PTR   ns1.magedu.com.
11      IN PTR   www.magedu.com.
12      IN PTR   ns2.magedu.com.
12      IN PTR   www.magedu.com.
13      IN PTR   mx1.magedu.com.
14      IN PTR   mx2.magedu.com.
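As an added example (not from the notes), the reverse-name rules above in code: the owner name of a PTR, the zone name for a network, and the shortened owner that is valid when $ORIGIN is the reverse zone. The ip6.arpa branch for IPv6 goes beyond the notes, which only cover in-addr.arpa; the addresses used are the notes' own.

```python
"""Added example (not from the notes): derive reverse-DNS names the way the notes
describe, letting ipaddress do the octet reversal.  The IPv6 (ip6.arpa, nibble-based)
branch goes beyond the notes, which only cover in-addr.arpa."""
import ipaddress

def ptr_owner(ip):
    """Full PTR owner name: 1.2.3.4 -> 4.3.2.1.in-addr.arpa. (trailing dot added)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def reverse_zone(network):
    """Zone name for a network: 172.16.100.0/24 -> 100.16.172.in-addr.arpa.
    IPv4 zones must be octet-aligned (/8, /16, /24); IPv6 zones nibble-aligned."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need /8, /16 or /24 (RFC 2317 otherwise)")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def relative_owner(ip, zone):
    """What goes in the owner column when $ORIGIN is the reverse zone: only the host
    part, reversed.  172.16.100.11 in 100.16.172.in-addr.arpa. -> '11'."""
    full = ptr_owner(ip)
    if not full.endswith("." + zone):
        raise ValueError("%s is not inside %s" % (ip, zone))
    return full[: -(len(zone) + 1)]

def ptr_record(ip, zone, fqdn):
    """One zone-file line.  The PTR target must be absolute, or the zone name is
    appended to it (the trailing-dot mistake from the troubleshooting section)."""
    if not fqdn.endswith("."):
        raise ValueError("PTR target must end with '.'")
    return "%s IN PTR %s" % (relative_owner(ip, zone), fqdn)
```

The /25 case raises on purpose: a reverse zone cannot be cut below an octet boundary without the RFC 2317 CNAME trick, which these notes do not cover.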
Secondary (slave) server
1. It should be a separate name server
2. The primary server's zone database must contain an NS record pointing at the secondary, otherwise the primary does not send NOTIFY to it
3. The secondary only needs the zone definition, not a zone file; the transferred zone is written to /var/named/slaves/ (named must be able to write there)
4. The primary must allow zone transfers to the secondary (allow-transfer)
5. The clocks of the primary and secondary should be synchronized, e.g. with NTP
6. The BIND versions should match; otherwise run the higher version on the secondary and the lower one on the primary
Defining a slave zone:
zone "ZONE_NAME" IN {
    type slave;
    masters { MASTER_IP; };
    file "slaves/ZONE_NAME.zone";
};
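As an added example (not from the notes or from BIND itself), the decision a secondary takes at refresh time, written out: serial comparison in RFC 1982 modulo-2^32 arithmetic, the YYYYMMDDnn serial convention used in these zone files, "rndc retransfer" as the forced case, and which SOA timer governs a copy of the zone given its age. The timer values in the test are the notes' 1H and 7D.

```python
"""Added example (not from the notes): the serial-number and timer logic behind
master/slave synchronisation.  Serial comparison follows RFC 1982 arithmetic modulo
2^32, which is what the slave applies to the master's SOA serial at every refresh;
the YYYYMMDDnn scheme is the convention used in the notes' zone files."""
SERIAL_MOD = 2 ** 32
HALF_RANGE = 2 ** 31

def serial_newer(candidate, current):
    """RFC 1982: candidate is newer if it lies less than 2^31 ahead, modulo 2^32."""
    if candidate == current:
        return False
    return (candidate - current) % SERIAL_MOD < HALF_RANGE

def next_serial(current, today):
    """today is 'YYYYMMDD'.  The first change of a day becomes YYYYMMDD00 when that is
    larger than the current serial; otherwise add one (any increase is valid for BIND)."""
    candidate = int(today) * 100
    return candidate if serial_newer(candidate, current) else (current + 1) % SERIAL_MOD

def slave_decision(master_serial, slave_serial, force=False):
    """What a slave does after reading the master's SOA at refresh time.  force=True
    models 'rndc retransfer', which skips the serial comparison.  Editing the zone
    without bumping the serial leaves the slave 'up-to-date' with stale data."""
    if force or serial_newer(master_serial, slave_serial):
        return "transfer"
    return "up-to-date"

def slave_zone_state(seconds_since_last_sync, refresh, expire):
    """Which SOA timer currently governs a slave's copy of the zone."""
    if seconds_since_last_sync >= expire:
        return "expired"       # stops serving the zone; clients get SERVFAIL
    if seconds_since_last_sync >= refresh:
        return "refresh-due"   # asks the master; on failure it retries every `retry`
    return "fresh"
```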
rndc commands
rndc:
rndc client --> named (953/tcp)
rndc COMMAND
COMMAND:
reload: reload the main configuration file and all zone database files
reload ZONE: reload one zone's database file
retransfer ZONE: start a zone transfer for a slave zone immediately, regardless of whether the serial number has increased
notify ZONE: resend NOTIFY messages for the zone
reconfig: reload the main configuration file only (picks up new zones, does not reload existing ones)
querylog: toggle query logging on or off; queries go to the system log (/var/log/messages)
trace: increase the debug level by one
trace LEVEL: set the debug level explicitly
notrace: set the debug level to 0
flush: empty the server's entire cache
Subdomains
Subdomain delegation: DNS is a distributed database; a parent zone hands a subdomain to other servers by delegating it
Delegating a subdomain in a forward zone:
Define the subzone in the parent's zone database:
ops.magedu.com. IN NS ns1.ops.magedu.com.
ops.magedu.com. IN NS ns2.ops.magedu.com.
ns1.ops.magedu.com. IN A 1.1.1.1
ns2.ops.magedu.com. IN A 1.1.1.2
fin.magedu.com. IN NS ns1.fin.magedu.com.
fin.magedu.com. IN NS ns2.fin.magedu.com.
ns1.fin.magedu.com. IN A 3.1.1.1
ns2.fin.magedu.com. IN A 3.1.1.2
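As an added example (not from the notes), a check over delegation records like the ones above, using (owner, type, value) tuples: every name server that lives inside a delegated subdomain must have a glue A record in the parent, and apex NS and MX targets inside the zone need an address record, as the NS and MX sections require. The data is the notes' magedu.com, ops and fin delegations; the "dev" delegation is constructed to show the failure.

```python
"""Added example (not from the notes): checks the delegation records a parent zone
carries for its subdomains.  Records are (owner, type, value) tuples with absolute,
lower-case names; the data is the notes' magedu.com, ops and fin delegations plus a
constructed 'dev' delegation whose name server has no glue record."""
APEX = "magedu.com."
PARENT = [
    ("magedu.com.", "NS", "ns1.magedu.com."),
    ("magedu.com.", "MX", (10, "mx1.magedu.com.")),
    ("ns1.magedu.com.", "A", "172.16.100.11"),
    ("mx1.magedu.com.", "A", "172.16.100.13"),
    ("ops.magedu.com.", "NS", "ns1.ops.magedu.com."),
    ("ops.magedu.com.", "NS", "ns2.ops.magedu.com."),
    ("ns1.ops.magedu.com.", "A", "1.1.1.1"),           # glue
    ("ns2.ops.magedu.com.", "A", "1.1.1.2"),           # glue
    ("fin.magedu.com.", "NS", "ns1.fin.magedu.com."),
    ("fin.magedu.com.", "NS", "ns1.magedu.com."),      # parent-zone host: no glue needed
    ("ns1.fin.magedu.com.", "A", "3.1.1.1"),
    ("dev.magedu.com.", "NS", "ns1.dev.magedu.com."),  # constructed: glue missing
]

def in_domain(name, domain):
    return name == domain or name.endswith("." + domain)

def delegations(records, apex):
    """Delegated child name -> its NS targets (NS records whose owner is not the apex)."""
    out = {}
    for owner, rtype, value in records:
        if rtype == "NS" and owner != apex and in_domain(owner, apex):
            out.setdefault(owner, []).append(value)
    return out

def missing_glue(records, apex):
    """(child, ns) pairs where the server lives inside the child but the parent has no
    A/AAAA for it: a resolver following the NS referral can never reach the child."""
    addrs = {o for o, t, _ in records if t in ("A", "AAAA")}
    return [(child, ns) for child, targets in delegations(records, apex).items()
            for ns in targets if in_domain(ns, child) and ns not in addrs]

def dangling_targets(records, apex):
    """Apex NS and MX targets inside this zone (and not under a delegation) that have
    no address record: the rule that every NS/MX name needs a matching A record."""
    addrs = {o for o, t, _ in records if t in ("A", "AAAA")}
    children = delegations(records, apex)
    bad = []
    for owner, rtype, value in records:
        if rtype == "NS" and owner == apex:
            target = value
        elif rtype == "MX":
            target = value[1]
        else:
            continue
        if not in_domain(target, apex) or any(in_domain(target, c) for c in children):
            continue   # foreign host, or the child's responsibility
        if target not in addrs:
            bad.append((owner, rtype, target))
    return bad
```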
Note: these notes turn DNSSEC off for the lab (not recommended on production resolvers; dnssec-enable is obsolete in current BIND releases, dnssec-validation is the option that matters):
dnssec-enable no;
dnssec-validation no;
Forwarding server
Note: the server being forwarded to must be willing to recurse for the requester, otherwise forwarding does not work
(1) Global forwarding: every request for a zone this server is not authoritative for is forwarded to the specified servers
options {
    forward first|only;
    forwarders { IP; };
};
(2) Zone-specific forwarding: forward only requests for a specific zone; takes priority over global forwarding
zone "ZONE_NAME" IN {
    type forward;
    forward first|only;
    forwarders { IP; };
};
forward only: answer only through the forwarders; forward first: try the forwarders first and fall back to normal recursion if they do not answer
Note: DNSSEC turned off for the lab, as above:
dnssec-enable no;
dnssec-validation no;
ACLs in BIND
Basic security-related configuration in BIND:
ACL: combines one or more addresses into a named set that can then be referenced by name
Format:
acl ACL_NAME {
    IP;
    NET/PREFIXLEN;
    ......
};
Example:
acl mynet {
    172.16.0.0/16;
    10.10.10.10;
};
BIND has four built-in ACLs:
none: no host
any: any host
localhost: all addresses of this machine's own interfaces
localnets: all networks this machine has an interface on (each interface address ANDed with its netmask)
Note: an ACL must be defined before it is used, so ACLs are usually placed at the top of the configuration file, before options
Access control
Access control directives:
allow-query {}: hosts allowed to query; a whitelist
allow-transfer {}: hosts allowed to request zone transfers (AXFR/IXFR); a whitelist; set it explicitly to the secondaries' addresses, otherwise anyone can download the whole zone
allow-recursion {}: hosts allowed to request recursion; recommended at the global level, restricted to your own clients
allow-update {}: hosts allowed to send dynamic updates to a zone database; keep it at none unless dynamic updates are really needed
BIND views
View: a BIND server can define several views; each view contains one or more zones
Each view serves a set of clients (match-clients)
Several views may need to serve the same zone but with different zone database files (split-horizon DNS)
Format:
view VIEW_NAME {
    match-clients { ... };
    zone "ZONE_NAME" IN { ... };
};
Notes:
(1) Once views are used, every zone must be defined inside a view (no zones outside views)
(2) Define the root hints zone only in the view whose clients are allowed to recurse
(3) When a client request arrives, the views' match-clients lists are checked from top to bottom and the first matching view answers; put the most specific view first
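As an added example (not the notes' or ISC's code), an evaluator for BIND address match lists that reproduces named's first-match and "!" semantics, applied to a weak options block beside a hardened one and to view selection in order. The "localhost", "localnets" and "slaves" address values are constructed for the example; BIND derives the first two from the host's interfaces at run time.

```python
"""Added example (not the notes' or ISC's code): evaluates BIND address match lists the
way named does (first matching element decides, '!' negates, nested ACLs by name, no
match means deny), then compares a weak policy with a hardened one and picks a view.
'localhost', 'localnets' and 'slaves' hold constructed values; BIND computes the first
two from the host's interfaces at run time."""
import ipaddress

ACLS = {
    "none": [],
    "any": ["0.0.0.0/0", "::/0"],
    "localhost": ["127.0.0.1", "::1", "172.16.100.11"],    # constructed
    "localnets": ["127.0.0.0/8", "172.16.100.0/24"],      # constructed
    "mynet": ["172.16.0.0/16", "10.10.10.10"],            # the notes' example ACL
    "slaves": ["172.16.100.12"],                          # constructed: ns2 from the zone
}

def match_list(amlist, ip, acls=ACLS, depth=0):
    """True if ip is allowed by the address_match_list: elements are tried in order and
    the first one that matches decides (allow, or deny when it starts with '!')."""
    if depth > 10:
        raise ValueError("ACL nesting too deep or recursive")
    addr = ipaddress.ip_address(ip)
    for element in amlist:
        negate = element.startswith("!")
        body = element.lstrip("!").strip()
        if body in acls:                                   # nested ACL by name
            hit = match_list(acls[body], ip, acls, depth + 1)
        else:                                              # address or CIDR network
            hit = addr in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negate
    return False

def allowed(policy, option, ip, acls=ACLS):
    """policy maps option names (allow-query, ...) to address match lists; an option
    that is not set is treated as { none; } here so a missing line fails closed."""
    return match_list(policy.get(option, ["none"]), ip, acls)

def choose_view(views, ip, acls=ACLS):
    """views: ordered [(name, match_clients)]; the first match wins, so order matters."""
    for name, clients in views:
        if match_list(clients, ip, acls):
            return name
    return None

def render_acl(name, amlist):
    """named.conf text for an acl block."""
    return "acl %s { %s };" % (name, " ".join(e + ";" for e in amlist))

# weak: anyone can pull the whole zone and use the server as an open resolver
WEAK = {"allow-query": ["any"], "allow-transfer": ["any"], "allow-recursion": ["any"]}
# hardened: authoritative answers for all, transfers only to secondaries,
# recursion only for own clients, no dynamic updates
HARDENED = {"allow-query": ["any"], "allow-transfer": ["slaves"],
            "allow-recursion": ["mynet", "localhost"], "allow-update": ["none"]}
# split horizon: internal clients first, everyone else falls through to external
VIEWS = [("internal", ["mynet", "localhost"]), ("external", ["any"])]
```

Reversing VIEWS makes every client match "external" first, which is the ordering mistake note (3) warns about; the test below checks exactly that.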
CDN: Content Delivery Network
Smart DNS (the answer depends on where the client comes from, the same idea as views):
DNSPod
dns.la
Compiling and installing BIND
Download BIND:
isc.org:
bind-9.8
bind-9.9
BIND 10 (a separate project that ISC discontinued; use the 9.x line)
Compiling and installing BIND
# tar xvf bind-9.11.0a3.tar.gz
# cd bind-9.11.0a3/
# groupadd -r -g 53 named
# useradd -r -u 53 -g named named
# ./configure --prefix=/usr/local/bind9 --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
# make
# make install
Environment variables:
vim /etc/profile.d/named.sh
export PATH=/usr/local/bind9/bin:/usr/local/bind9/sbin:$PATH
Libraries and header files
vim /etc/ld.so.conf.d/named.conf
/usr/local/bind9/lib
ldconfig -v
ln -sv /usr/local/bind9/include /usr/include/named
man pages
vim /etc/man.config
MANPATH /usr/local/bind9/share/man
man named.conf
vim /etc/named/named.conf
options {
    directory "/var/named/";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
Zone databases
mkdir /var/named
named-checkconf
dig -t NS . @SERVER > /var/named/named.ca    (fetch the root hints from a reachable resolver; compare the result with the official named.root published by InterNIC before trusting it)
vim /var/named/named.localhost
$TTL 1D
@   IN SOA localhost. admin.localhost. (
        2016061801
        1H
        5M
        7D
        1D )
    IN NS localhost.
localhost. IN A 127.0.0.1
vim /var/named/named.loopback    (the file name must match the one referenced in named.conf)
$TTL 1D
@   IN SOA localhost. admin.localhost. (
        2016061801
        1H
        5M
        7D
        1D )
    IN NS localhost.
    IN PTR localhost.
Compiling and installing BIND
Set permissions
chmod 640 /var/named/*
chmod 640 /etc/named/named.conf
chown :named /var/named/*
chown :named /etc/named/named.conf
Starting the service and testing
man named
named -u named -f -g -d 3    run in the foreground at debug level 3
named -u named               run in the background as user named
killall named
ss -uln
tail /var/log/messages
named -u named
rndc support
rndc reload fails with an error until rndc is configured
rndc-confgen -r /dev/urandom > /etc/named/rndc.conf    generate the key
tail /etc/named/rndc.conf >> /etc/named/named.conf    then uncomment the key and controls stanzas that were appended
killall -SIGHUP named
rndc status
Load testing
/root/bind-xxx/contrib/scripts
Compiling the load-testing tool
cd /root/bind-xxx/contrib/queryperf
./configure
make
cp queryperf /usr/local/bind9/bin
queryperf -h
Load test
vim test.txt
www.magedu.com A
magedu.com NS
magedu.com MX
pop3.magedu.com A
web.magedu.com A
queryperf -d test.txt -s 127.0.0.1
Turn on query logging
rndc querylog
rndc status
queryperf -d test.txt -s 127.0.0.1
wc -l /var/log/messages
# dig A example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> A example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523
...
SERVFAIL: the name server encountered a problem while processing the query.
dig +trace can be used for troubleshooting; network and firewall problems are likely causes
NXDOMAIN: the queried name does not exist in the zone.
A possible cause is a CNAME whose target record does not exist
REFUSED: the name server refused the client's DNS request due to policy restrictions.
An allow-query, allow-recursion or allow-transfer policy is probably the cause
DNS error troubleshooting
NOERROR does not mean there is no problem: the answer could be an outdated cached record
Check whether it is an authoritative answer: look for the aa flag on the flags: line of the dig output
A deleted record can still return a result, possibly because a wildcard record exists
e.g.: *.example.com. IN A 172.25.254.254
Watch the use of the trailing "." (a name without it is relative to $ORIGIN and gets the zone name appended)
Avoid CNAMEs pointing to other CNAMEs; they can form a loop:
test.example.com. IN CNAME lab.example.com.
lab.example.com. IN CNAME test.example.com.
Configure PTR records correctly; many services rely on them, e.g. sshd and MTAs
Configure round-robin records correctly
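As an added example (not from the notes), a toy authoritative lookup over (owner, type, value) tuples that reproduces three of the symptoms above: a wildcard that keeps answering after a record is deleted, the test/lab CNAME loop, and NXDOMAIN when a CNAME target is gone, plus extracting the status and the aa flag from a dig header. The zone and the dig header lines are constructed from the names used in this section.

```python
"""Added example (not from the notes): a toy authoritative lookup over (owner, type,
value) tuples reproducing the symptoms above (wildcard answering for a deleted name,
CNAME loop, NXDOMAIN through a dangling CNAME) plus a dig-header parser that reports
whether an answer was authoritative.  ZONE and DIG_HEADER are constructed data."""
import re
from collections import namedtuple

Answer = namedtuple("Answer", "status values chain wildcard")

ZONE = [
    ("example.com.", "NS", "ns1.example.com."),
    ("ns1.example.com.", "A", "192.0.2.1"),
    ("web.example.com.", "A", "192.0.2.10"),
    ("app.example.com.", "CNAME", "web.example.com."),
    ("old.example.com.", "CNAME", "gone.example.com."),   # target was deleted
    ("test.example.com.", "CNAME", "lab.example.com."),
    ("lab.example.com.", "CNAME", "test.example.com."),   # loop with the line above
    ("*.example.com.", "A", "172.25.254.254"),
]

def _ancestors(name):
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def _wildcard_owner(records, qname):
    """RFC 4592: a wildcard applies only at the closest existing ancestor of qname."""
    owners = {o for o, _, _ in records}
    existing = owners | {a for o in owners for a in _ancestors(o)}  # incl. empty non-terminals
    for ancestor in _ancestors(qname):
        if ancestor in existing:
            candidate = "*." + ancestor
            return candidate if candidate in owners else None
    return None

def resolve(records, qname, qtype, max_hops=16):
    owners = {o for o, _, _ in records}
    name, chain, wildcard = qname.lower(), [], False
    while True:
        if name in chain or len(chain) >= max_hops:
            return Answer("LOOP", [], chain, wildcard)      # what named logs as a CNAME loop
        chain.append(name)
        owner = name
        if owner not in owners:
            owner = _wildcard_owner(records, name)
            if owner is None:
                return Answer("NXDOMAIN", [], chain, wildcard)
            wildcard = True
        values = [v for o, t, v in records if o == owner and t == qtype]
        if values:
            return Answer("NOERROR", values, chain, wildcard)
        alias = [v for o, t, v in records if o == owner and t == "CNAME"]
        if alias and qtype != "CNAME":
            name = alias[0]
            continue
        return Answer("NOERROR", [], chain, wildcard)       # name exists, no such type

def cname_loops(records):
    """All names that take part in a CNAME cycle."""
    aliases = {o: v for o, t, v in records if t == "CNAME"}
    looped = set()
    for start in aliases:
        seen, cur = [], start
        while cur in aliases and cur not in seen:
            seen.append(cur)
            cur = aliases[cur]
        if cur in seen:
            looped.update(seen[seen.index(cur):])
    return looped

DIG_HEADER = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1"""   # constructed

def dig_status(output):
    """(status, authoritative) from a dig header; NOERROR without 'aa' came from a
    cache and may be a stale copy of a record that has since been changed."""
    status = re.search(r"status: (\w+)", output).group(1)
    flags = re.search(r"flags: ([^;]*);", output).group(1).split()
    return status, "aa" in flags
```

Note that with the wildcard present, old.example.com. does not give NXDOMAIN either: the dangling target gone.example.com. is synthesized from *.example.com., which is exactly how a wildcard hides a broken CNAME.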