One: What is DNS, and why does it exist
The Domain Name System (DNS) is a service of the Internet. In the early days of the Internet there were very few connected hosts, so there was no dedicated DNS server for the whole Internet; each host simply kept the host-to-IP mapping in its own hosts file, and every host had to update that file itself. As more and more hosts joined, the hosts file grew so large that looking up a host in it wasted host resources (not only CPU but also a large amount of memory), so a dedicated DNS server was proposed to provide the name resolution service. The DNS server is therefore a distributed database that maps domain names and IP addresses to each other, making it easier for people to access the Internet. DNS uses TCP and UDP port 53. So how does it work, and why does it listen on port 53 on both TCP and UDP?
Two: The DNS delegation (authorization) mechanism
DNS is based on the C/S (client/server) architecture. Its main role is to provide name resolution: converting a domain name to an IP address (forward resolution), or an IP address to a domain name (reverse resolution). What would happen if all DNS resolution on the Internet were done on a single machine? That machine surely could not carry the load, so what should be done? This is why the DNS service has a delegation (authorization) management mechanism.
To understand delegation, let's first look at how a domain name is structured.
[Image: Domain 1.png]
Root domain: all global domain names start from the root domain (it is usually omitted when a name is written).
First-level (top-level) domains:
Organizational domains: .com, .org, .net, .mil, .edu, .gov
Country domains: .cn, .us, .uk, .jp, .tw, .hk, .iq, .ir
Reverse domain: .in-addr.arpa
Second-level domain: companies, organizations and individuals can apply for one
Host: www, mail
The DNS delegation mechanism manages authority by splitting it along these domain boundaries.
[Image: DNS access.png]
The www host in the llh domain wants to reach the www host in the 51cto domain, but the DNS server of the llh domain holds no resolution information for the 51cto domain.
1) The llh-domain DNS server first asks the root server whether it has resolution information for 51cto.com; after looking it up, the root server replies: go and ask the .com server, it knows.
2) The llh-domain DNS server then queries the .com server for the 51cto domain; the .com server replies: go and ask the DNS server of the 51cto domain.
3) The llh-domain DNS server then queries the DNS server of the 51cto domain, which returns the IP address of the requested host to the llh-domain DNS server.
4) Finally, the llh-domain DNS server returns the IP address of www.51cto.com to the www.llh.com host.
Steps 1-3 are iterative: the llh-domain server follows each referral itself. Step 4 is the recursive part: the client handed the whole job to its DNS server and only waits for the final answer. DNS resolution is therefore a combination of recursion and iteration.
Three: DNS server configuration
The DNS server software package is BIND. In the 1980s, four graduate students of the Berkeley Computer Systems Research Group, Douglas B. Terry, Mark Painter, David W. Riggle and Songnian Zhou, wrote the first version of BIND together and released it with 4.3BSD. (Wikipedia)
DNS server installation and configuration process
1) yum install bind
[Image: 1 bind installation files.png]
[Image: 2 bind configuration file.png]
2) Modify the main configuration file
[Image: 3 Modify the DNS master configuration file.png]
3) Open /etc/named.rfc1912.zones, the zone definition file, and add the new zone information
[Image: 4 Create a zone profile.png]
4) Create the resolution library (zone file) for each zone separately
Edit: vim /var/named/llh.com.zone (the file name must match the file name given for the forward zone in the main configuration)
Edit: vim /var/named/172.116.16.zone
[Image: 5. Forward resolution library.png]
Every NS record must have a corresponding A record giving that DNS server's address.
[Image: 6. Reverse resolution library.png]
The reverse resolution library contains no CNAME records.
After creating the resolution library files, change their owner and group so that they belong to the named group, with permission 640.
5) After editing is complete, you can check the whole configuration with the command named-checkconf.
6) Start the DNS service: service named start
7) Test whether DNS works
host command
[Image: 8. The host command test.png]
nslookup command
[Image: 9. nslookup test.png]
dig (forward lookup test)
Command: dig -t A www.llh.com @172.16.16.3
dig (reverse lookup test)
Command: dig -x 172.116.16.5 @172.16.16.3
Four: DNS master-slave synchronization
With master-slave synchronization, the slave server periodically fetches the latest resolution data from the master server and shares part of the resolution workload. When the master cannot provide service, the slave keeps serving in its place; but if the master stays down past the time specified in the zone's SOA record, the slave stops serving too. This is where the slave plays its redundancy role. Master and slave transfer the zone over TCP so that the data arrives complete, which is one reason the service listens on TCP port 53 as well as UDP.
1) To make sure the master and slave really stay in sync, first synchronize their clocks.
2) Configure the main configuration file on the slave server
[Image: 14.1. Main configuration on the slave.png]
3) Test whether synchronization succeeds
[Image: 15. The data that needs to be synchronized.png]
Run rndc reload after the modification is complete
4) View the synchronized data.
[Image: 16. Synchronized data.png]
Five: DNS security mechanism
To keep our DNS secure, we need a security policy for zone transfers, that is, for master-slave synchronization: the slave server must not let any other DNS server transfer the zone from it, and the master DNS server allows only the specified servers to transfer.
Master server security configuration policy
[Image: 17.1.png]
Slave server security configuration policy
[Image: 18.1.png]
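The allow-transfer policy described above, as an added example that is not the blog's own configuration: the master and slave zone stanzas, a weak variant beside them, and a small audit that flags zones anyone could copy (the addresses are assumptions).

```shell
# Added example, not the blog's named.conf: the zone stanzas for the master and the slave
# with the transfer policy the text describes, a weak form beside them, and a check that
# lists zones anyone could copy. Addresses (master 172.16.16.3, slave 172.16.16.4) are
# assumptions.
set -u

# Master: only the slave may pull the zone, and it is notified when the serial changes.
MASTER_CONF='
zone "llh.com" IN {
    type master;
    file "llh.com.zone";
    allow-transfer { 172.16.16.4; };
    notify yes;
};'

# Slave: fetch from the master; nobody is allowed to pull a copy from here.
SLAVE_CONF='
zone "llh.com" IN {
    type slave;
    masters { 172.16.16.3; };
    file "slaves/llh.com.zone";
    allow-transfer { none; };
};'

# Weak form: "any" hands the whole zone to whoever asks, and leaving the option out falls
# back to the default of the BIND 9 releases of this article's era, which is also any.
WEAK_CONF='
zone "llh.com" IN {
    type master;
    file "llh.com.zone";
    allow-transfer { any; };
};
zone "16.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.16.zone";
};'
# Prints one line per zone that is open to transfer; exit status 1 if any were found.
audit_transfers() {
    printf '%s\n' "$1" | awk '
        function flag(name, why) { print "zone " name " open to transfer: " why; return 1 }
        BEGIN              { bad = 0 }
        /^zone[[:space:]]/ { z = $2; seen = 0 }
        /allow-transfer/   { seen = 1; if ($0 ~ /[{][[:space:]]*any[[:space:]]*;/) bad = flag(z, "any") }
        /^};/              { if (z != "" && !seen) bad = flag(z, "allow-transfer not set"); z = "" }
        END                { exit bad }'
}
for conf in "$MASTER_CONF" "$SLAVE_CONF" "$WEAK_CONF"; do
    audit_transfers "$conf" || echo "-> fix this before rndc reload"
done
```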
Six: DNS subdomain delegation (authorization)
Subdomain delegation: a subdomain is added under the parent domain, and a DNS server is delegated the responsibility of resolving that subdomain.
Example: in ops.llh.com, llh is the parent domain and ops is the subdomain.
[Image: Subdomain delegation topology.png]
1) Configure the parent domain's DNS resolution library
[Image: 19.1 Parent domain resolution library.png]
2) Configure the subdomain's DNS configuration file on another DNS server (forward resolution as the example)
[Image: 19. DNS child and parent domain.png]
3) Edit the subdomain resolution library
[Image: 20 Subdomain resolution library.png]
4) Test whether both the subdomain and the parent domain can be resolved
Seven: Configure the subdomain as a forwarder
Subdomain as forwarder: every query for a zone that is not held locally is forwarded to the parent domain's server for resolution
Edit the subdomain's /etc/named.conf configuration file
[Image: 21 subdomain as forwarder.png]
Query parent domain and subdomain information
[Image: 22. Subdomain resolution.png]
Eight: Configure a forward zone
Forward zone: specify which zones have their resolution information fetched from the parent domain's server, while everything else is resolved locally by walking down from the Internet root.
1) Configure the subdomain's DNS zone profile (first comment out the forward; forwarders settings made in /etc/named.conf in the previous section)
[Image: 23. Forward zone child DNS configuration file.png]
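Sections Seven and Eight side by side, as an added example rather than the blog's named.conf: the global forwarder setup, the forward-zone setup with the global forwarders commented out, and a helper that shows where a query for a name would be sent under each; the parent server address is an assumption.

```shell
# Added example, not the blog's named.conf: the two forwarding setups of sections Seven
# and Eight side by side, and a helper that reports where a query for a given name would
# go under each. The parent server address 172.16.16.3 is an assumption.
set -u

# Section Seven: the subdomain server forwards every query it cannot answer locally to the parent.
GLOBAL_FORWARD='
options {
    directory "/var/named";
    forward only;
    forwarders { 172.16.16.3; };
};
zone "ops.llh.com" IN { type master; file "ops.llh.com.zone"; };'

# Section Eight: the global forwarders are commented out; only llh.com goes to the parent,
# everything else is resolved from the root down.
FORWARD_ZONE='
options {
    directory "/var/named";
    # forward only;
    # forwarders { 172.16.16.3; };
};
zone "ops.llh.com" IN { type master; file "ops.llh.com.zone"; };
zone "llh.com" IN { type forward; forward only; forwarders { 172.16.16.3; }; };'

# Where does a query for name $2 go under config $1? The longest matching zone decides:
# a local master zone answers from its file, a forward zone sends to its own forwarders,
# otherwise the global forwarders apply, and without them named walks down from the root.
route_query() {
    printf '%s\n' "$1" | awk -v q="$2" '
        function under(n, z) { return n == z || substr(n, length(n) - length(z)) == "." z }
        /^[[:space:]]*#/ { next }
        /^zone/ {
            z = $2; gsub(/"/, "", z)
            if (under(q, z) && length(z) > length(best)) { best = z; fwd = ($0 ~ /type forward/) }
        }
        /^[[:space:]]*forwarders/ { gf = 1 }
        END {
            if (best != "" && !fwd) print "local zone " best
            else if (best != "")    print "forwarded via zone " best
            else if (gf)            print "forwarded via global forwarders"
            else                    print "resolved from the root hints"
        }'
}

for n in www.ops.llh.com www.llh.com www.51cto.com; do
    echo "$n: Seven -> $(route_query "$GLOBAL_FORWARD" "$n"); Eight -> $(route_query "$FORWARD_ZONE" "$n")"
done
```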
Nine: BIND views
Depending on where the client comes from, the same domain name can be resolved to different IP addresses: for example, clients on Unicom are given the IP in the Unicom machine room and clients on Telecom the IP in the Telecom machine room.
[Image: View.png]
Hosts in the 172.16.0.0/16 segment resolving www.llh.com get the IP address 172.16.16.4
Hosts in the 192.168.1.0/24 segment resolving www.llh.com get the IP address 172.16.116.5
1) Configure the resolution for the 172.16.0.0/16 segment
[Image: 24 view.png]
2) Configure the resolution for the 192.168.1.0/24 segment.
[Image: 25. View.png]
3) Reload the configuration file (a modified configuration file only takes effect after being reloaded): rndc reload
4) Test: the result returned for a host in the 172.16.0.0/16 segment is
[Image: 26 view test.png]
5) The result returned for a host in the 192.168.1.0/24 segment
[Image: 27. View test.png]
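The two views above as an added example, not the blog's named.conf, with a helper that applies match-clients in order to show which view a given client address ends up in; the zone file names are assumptions.

```shell
# Added example, not the blog's named.conf: a view per client segment from the text
# (172.16.0.0/16 gets 172.16.16.4, 192.168.1.0/24 gets 172.16.116.5) and a helper that
# reports which view named would choose for a client address. With views in use, every
# zone statement must sit inside a view. Zone file names are assumptions.
set -u

VIEW_CONF='
view "office" {
    match-clients { 172.16.0.0/16; };
    zone "llh.com" IN { type master; file "llh.com.office.zone"; };   # www -> 172.16.16.4
};
view "lab" {
    match-clients { 192.168.1.0/24; };
    zone "llh.com" IN { type master; file "llh.com.lab.zone"; };      # www -> 172.16.116.5
};
view "other" {
    match-clients { any; };    # keep this last: views are tried in order, first match wins
    recursion no;
};'

# Dotted quad to an integer, using only POSIX shell arithmetic.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# True when address $1 lies inside prefix $2, e.g. 192.168.1.7 in 192.168.1.0/24.
in_cidr() {
    net=${2%/*} bits=${2#*/}
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Walks the views in the order named.conf lists them and returns the first match.
view_for_client() {
    in_cidr "$1" 172.16.0.0/16  && { echo office; return 0; }
    in_cidr "$1" 192.168.1.0/24 && { echo lab; return 0; }
    echo other
}

for c in 172.16.16.9 192.168.1.7 10.0.0.1; do
    echo "$c -> $(view_for_client "$c")"
done
```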
This article is from the "Slayer" blog; please keep this source: http://slayer.blog.51cto.com/4845839/1536492