Linux DNS multi-service Setup

Source: Internet
Author: User
Tags domain server nslookup nslookup command subdomain


A: What is DNS why there is DNS

Domain Name Systems (English: Domain Name System, abbreviation: DNS) is a service of the Internet. The internet was born early because the number of access to the Internet is very small, there is no dedicated DNS server to the entire Internet domain name, at that time only in our host file records the host and IP corresponding relationship, they every time to do a data update, But later access to the Internet host more and more, so that the host file records too much data, when the need to access a host when the query host file will be a waste of host resources (not only CPU and huge memory resources) things, so people put forward a hypothetical dedicated DNS server to provide domain name resolution service , so the DNS server is a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet, and DNS uses TCP and UDP port 53. So how does it work, and why is it listening at Port 53rd on both TCP and UDP?

Two: DNS authorization management mechanism

DNS is based on the C/S architecture, its main role is to provide domain name resolution, is to convert the domain name to IP (forward parsing), or IP conversion to a domain name (reverse parsing). What happens if all DNS parsing on the Internet is on a single machine? I think this machine must be unable to carry, what should I do? Therefore, the DNS service has an authorization management mechanism.

To understand authorization management, let's first introduce the domain name.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/34/wKioL1PflOzybJ3bAAC0uKx0KKM993.jpg "title=" Domain 1.png "alt=" Wkiol1pflozybj3baac0ukx0kkm993.jpg "/>

Root domain: Global domain names start from the root domain (and are often ignored)

First-level domain:

Organizational domains:. com,. org,. NET,. mil,. edu,. gov,

Country domains:. cn,. US,. UK,. JP,. TW,. HK,. IQ,. ir

Reverse domain:. in-addr.arpa

Secondary domain: Companies, organizations, individuals can apply

Host: Www,mail


The DNS authorization mechanism is the authorization management according to the domain partition.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/56/wKiom1Pg3ujiqZtaAAEXjRaqWkI086.jpg "title=" DNS access. png "alt=" wkiom1pg3ujiqztaaaexjraqwki086.jpg "/>


The WWW host under LLH wants to access the WWW host under 51cto, but the DNS server in the LLH domain does not have 51cto domain name resolution information.

1) At this time, the LLH domain DNS server began to access the root server, asked if there is 51cto.com resolution information, root server after the query said, you go to find. com server, he knows.

2) The DNS server in the LLH domain begins to query the. com server for a 51cto domain name resolution, and the. com server query says you go to the DNS server in the 51cto domain.

3) Then the DNS server in the LLH domain queries the DNS server within the 51cto domain, then the DNS server within the 51cto domain returns the queried host IP address to the DNS server in the LLH domain

4) The DNS server in the last LLH domain returns the www.51cto.com IP address to the www.llh.com host.

1-3 is an iterative process; 4 is a recursive process, so DNS resolution is a recursive iterative process.

Three: DNS server configuration

DNS Server installation package files for the bind,20 80 's, four graduate students of the Berkeley Computer Systems Research Group Douglas B Terry, Mark Painter, David W. Riggle and Zhou Songnin (Songnian Z HOU) [5] wrote the first version of Bind together and released it with 4.3BSD. -wikipedia

DNS Server Installation configuration process

1) Yum Install bind

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/57/wKioL1Pg4lOABp3fAAE5KnR_z_Y290.jpg "title=" 1bind installation files. png "alt=" wkiol1pg4loabp3faae5knr_z_y290.jpg "/>

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/57/wKiom1Pg4fDTnm5_AAFAQ5w5uMo839.jpg "title=" 2bind configuration file. png "alt=" wkiom1pg4fdtnm5_aafaq5w5umo839.jpg "/>

2) Modify the master configuration file

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/57/wKioL1Pg40-C_rYGAAJEqeA0w2E112.jpg "title=" 3 Modify the DNS master configuration file. png "alt=" wkiol1pg40-c_rygaajeqea0w2e112.jpg "/>

3) Open/etc/named.rfc1912.zones definition area to add new area information

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/57/wKioL1Pg5ZGC8cA9AADemRrxj58414.jpg "title=" 4 Create a Zone profile create a. png "alt=" wkiol1pg5zgc8ca9aademrrxj58414.jpg "/>

4) To customize the analysis library for each region, respectively

Edit Vim/var/named/llh.com.zone (the file name is the same as the name in the main profile forward parsing area)

Edit Vim/var/named/172.116.16.zone

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/44/57/wKiom1Pg5pTRufKBAAFdAyWZ5eM898.jpg "title=" 5. Forward parsing list. png "alt=" wkiom1pg5ptrufkbaafdaywz5em898.jpg "/>

NS records should have a corresponding DNS service address.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/57/wKiom1Pg5zqz2NLXAAEemp8dGBY882.jpg "title=" 6. Reverse parse list. png "alt=" wkiom1pg5zqz2nlxaaeemp8dgby882.jpg "/>

Reverse parse list does not have CNAME configuration information

After you create the parse library file, you need to change the file to the main genus Group, which belongs to the named group. Permission is 640

5) After the completion of the editing can be a complete test of this configuration. You can use the command named-checkconf.

6) Start DNS service named start

7) test if DNS is valid

Host command

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/44/5A/wKioL1Phf5zj6wsYAAGK5y3T41M278.jpg "title=" 8. The host command detects the test. png "alt=" wkiol1phf5zj6wsyaagk5y3t41m278.jpg "/>

nslookup command

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/5A/wKioL1PhgAahHlgKAAF2eBhu_Ks675.jpg "title=" 9. nslookup test. png "alt=" wkiol1phgaahhlgkaaf2ebhu_ks675.jpg "/>

Dig (Forward Test command) command

Command: dig-t A www.llh.com @172.16.16.3


Dig (Reverse test command) command

Command: Dig-x 172.116.16.5 @172.16.16.3


Four: DNS master-Slave synchronization

The DNS master-Slave synchronization service, from the server will periodically obtain the latest DNS resolution list from the primary server, and share a portion of the DNS resolution service, when the primary server is unable to provide services, from the server will continue to provide services for the primary server, but within the specified time if the primary server does not work, The service will also be stopped from the server. This is where the server plays a redundant role. The TCP protocol is used to ensure the integrity of the transmission data between master and slave.

1) in order to ensure that the master-slave real synchronization, the first step to synchronize time first.

2) Configure the master configuration file from the server

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/5C/wKioL1PhjPDwFKkHAAD_KQHB6ks963.jpg "title=" 14.1. Resolve the main configuration from the server Pro/con. png "alt=" wkiol1phjpdwfkkhaad_kqhb6ks963.jpg "/>

3) test whether the synchronization is successful

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/5D/wKioL1PhkXrSBBLjAAFlNJ2v5Lc782.jpg "title=" 15. The data that needs to be synchronized. png "alt=" wkiol1phkxrsbbljaaflnj2v5lc782.jpg "/>

Execute the RNDC reload command after the modification is complete

4) View the synced data.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/5D/wKiom1PhkRizHAjlAAGm9fCGazo987.jpg "title=" 16. Synchronized data. png "alt=" wkiom1phkrizhajlaagm9fcgazo987.jpg "/>

V: DNS security mechanism

to ensure our DNS security, we need to configure security policy information for our zone transfer, master-slave synchronization, require that no other DNS servers are allowed to synchronize from the server, and the primary DNS server allows only the specified servers to synchronize.

Primary server Security Configuration policy

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/44/5E/wKioL1Phk--xuhURAAF03jPG0Kk147.jpg "title=" 17.1. PNG "alt=" wkiol1phk--xuhuraaf03jpg0kk147.jpg "/>

From the server Security Configuration policy

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/44/5F/wKioL1PhlFbhviMHAAFSRnWyfxs034.jpg "title=" 18.1. PNG "alt=" wkiol1phlfbhvimhaafsrnwyfxs034.jpg "/>

Six: DNS subdomain authorization

subdomain Authorization, under the parent domain under the addition of subdomains, delegating a DNS server responsible for the DNS resolution of this subdomain

Example: ops.llh.com where LLH is the parent domain, OPS is a subdomain.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/61/wKioL1PhmrSSwrdTAACNfoh2gHw420.jpg "title=" Subdomain authorization topology map. png "alt=" wkiol1phmrsswrdtaacnfoh2ghw420.jpg "/>

1) Configuring the parent domain DNS resolution library

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/44/7D/wKioL1Ph0kXwXP0IAAEejQU9CTw950.jpg "title=" 19.1 Parent Domain resolution library. png "alt=" wkiol1ph0kxwxp0iaaeejqu9ctw950.jpg "/>


2) Configure the subdomain DNS configuration file on another DNS server (with forward parsing as an example)

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/6B/wKioL1Phr2DSBZAtAACNp-BkGHI542.jpg "title=" 19. DNS child parent domain. png "alt=" wkiol1phr2dsbzataacnp-bkghi542.jpg "/>

3) Edit the Subdomain resolution Library

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/6B/wKiom1Phrr-SEMAeAADW8n_GLKs490.jpg "title=" 20 Subdomain resolution library. PNG "alt=" wkiom1phrr-semaeaadw8n_glks490.jpg "/>

4) test whether the subdomain and parent domain can be parsed

Seven: Configure subdomains for forwarders

The subdomain is a forwarder: forwards all non-native zone resolution addresses to the parent domain to resolve

Edit the/etc/named.conf configuration file for a subdomain

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/7C/wKiom1Ph0AmBHb5oAADMMZmZQb0953.jpg "title=" 21 subdomains are forwarders. png "alt=" wkiom1ph0ambhb5oaadmmzmzqb0953.jpg "/>

Querying parent domain and subdomain information

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/7D/wKiom1Ph00vQY9P6AAGp2dE4tkc142.jpg "title=" 22. Subdomain resolution. png "alt=" wkiom1ph00vqy9p6aagp2de4tkc142.jpg "/>

Eight: Configure the forwarding area

Forwarding zones: Specify which zones are to be searched by the parent domain server for parsing information, and others from the local to Internet root node level.

1) Configure the subdomain DNS zone profile (Configure the forward;forwarders in the above/etc/named.conf before logging off)

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/82/wKioL1Ph2wLjenm6AACz4lfUMwQ850.jpg "title=" 23. Forward zone child DNS configuration file. png "alt=" wkiol1ph2wljenm6aacz4lfumwq850.jpg "/>

Nine: Bind view

Depending on the source of the client, the same domain name can be resolved into different IP addresses, such as the IP resolution of the Unicom to the Unicom's computer room, the IP of the telecommunications to the telecommunications room.


650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/8B/wKiom1Ph6j3SzASrAABmqijf208136.jpg "title=" View view. png "alt=" wkiom1ph6j3szasraabmqijf208136.jpg "/>

172.16.0.0/16 Network Segment host resolution www.llh.com the resulting IP address is 172.16.16.4

192.168.1.0/24 Network Segment host resolution www.llh.com the resulting IP address is 172.16.116.5

1) Configure the address of the 172.16.0.0/16 resolution segment

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/44/8D/wKiom1Ph7POy88uiAAFWSycfpLA807.jpg "title=" 24view view. png "alt=" wkiom1ph7poy88uiaafwsycfpla807.jpg "/>

2) Configure the address of the 192.168.1.0/24 resolution segment.

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/8E/wKioL1Ph7kjzZWPLAADtA_Z2CJo596.jpg "title=" 25. View view. png "alt=" wkiol1ph7kjzzwplaadta_z2cjo596.jpg "/>

3) Reload the configuration file (after the configuration file is modified to take effect from a new load) RNDC reload

4) test with IP address Dan 172.16.0.0/16 host test Returns the result is

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/44/8E/wKiom1Ph7j-i2zXrAADXr7lZx9I010.jpg "title=" 26view test. png "alt=" wkiom1ph7j-i2zxraadxr7lzx9i010.jpg "/>

5) IP Address field 192.168.1.0/24 The results returned by the host test

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/44/8F/wKioL1Ph75GiPP3eAADiwZyZfZ0539.jpg "title=" 27. View test. png "alt=" wkiol1ph75gipp3eaadiwzyzfz0539.jpg "/>



This article is from the "Slayer" blog, make sure to keep this source http://slayer.blog.51cto.com/4845839/1536492

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.