Manual for successful DNS Configuration

Note on a successful DNS configuration on a Linux server. The details follow.

1) Create the domain name www.yaoshuyin123.com.
2) IP address of the local domain name server: 192.168.0.101.
3) Function: www.yaoshuyin123.com, aaa.yaoshuyin123.com, bbb.yaoshuyin123.com, ... must all be resolvable.
(Note: the wildcard record "* A 192.168.0.101" is what makes the arbitrary subdomains work.)


1) Add the following content to /etc/named.conf:

zone "yaoshuyin123.com" IN {
        type master;
        file "yaoshuyin.zone";
        allow-update { none; };
};


2) Create and edit /var/named/chroot/var/named/yaoshuyin.zone:

$TTL 86400
@ IN SOA www.yaoshuyin123.com. root.yaoshuyin123.com. (
        2006032101 ; Serial (YYYYMMDDnn; must fit in 32 bits, so at most 10 digits)
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum

        IN NS www.yaoshuyin123.com.   ; NS data must be a host name with an A record, not an IP address
www     IN A  192.168.0.101
*       IN A  192.168.0.101          ; wildcard: any other name under the zone


3) Link /var/named/chroot/var/named/yaoshuyin.zone to /var/named/yaoshuyin.zone.
[Note] You cannot put yaoshuyin.zone directly under /var/named/; otherwise loading fails with:
named[5570]: zone yaoshuyin123.com/IN: loading master file yaoshuyin.zone: file not found

# ln -s /var/named/chroot/var/named/yaoshuyin.zone /var/named/yaoshuyin.zone


4) Restart the named service.
# /etc/rc.d/init.d/named restart


5) Add the domain name server's IP address 192.168.0.101 to /etc/resolv.conf as the first nameserver line.

As follows:

[root@localhost named]# cat /etc/resolv.conf
; generated by /sbin/dhclient-script
nameserver 192.168.0.101
nameserver 192.168.0.1
nameserver 202.106.0.20
nameserver 202.106.0.20
nameserver 202.106.46.151
nameserver 202.106.46.151
search localdomain


6) Test the domain name
[root@localhost named]# host www.yaoshuyin123.com
www.yaoshuyin123.com has address 192.168.0.101


[root@localhost named]# nslookup
> www.yaoshuyin123.com
Server:         192.168.0.101
Address:        192.168.0.101#53

Name:   www.yaoshuyin123.com
Address: 192.168.0.101
>


[root@localhost named]# ping www.yaoshuyin123.com
PING www.yaoshuyin123.com (192.168.0.101) 56(84) bytes of data.
64 bytes from 192.168.0.101: icmp_seq=0 ttl=64 time=0.072 ms

--- www.yaoshuyin123.com ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.072/0.076/0.078/0.002 ms, pipe 2


[root@localhost named]# ping aaa.yaoshuyin123.com
PING aaa.yaoshuyin123.com (192.168.0.101) 56(84) bytes of data.
64 bytes from 192.168.0.101: icmp_seq=0 ttl=64 time=0.065 ms

--- aaa.yaoshuyin123.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 0.065/0.076/0.088/0.011 ms, pipe 2




================================================================================
============================ DNS knowledge analysis ============================
================================================================================


Among the many Internet services, DNS is the foundation on which the others depend. One of its primary responsibilities is to look up the mapping between host domain names and IP addresses. DNS manages domain names in a tree structure. At the top of the tree is the nameless root domain, written as ".". This domain is used only for locating the rest of the tree and contains no information of its own; it is managed and controlled by the NIC. Below the root is a layered tree of domains. A DNS domain is a branch of the tree and contains many authorized zones, each of which is a collection of hosts and IP addresses managed by one authorizing unit. What we usually call a domain is in fact a zone. For example, the URL www.silly.com splits as follows:


.com        the domain

silly.com   the zone

www         a specific host within the silly.com zone.


The most common DNS server software on Linux is BIND (Berkeley Internet Name Domain), which is continually updated and improved. The latest source code and documentation can be found at http://www.isc.org/products/bind. Red Hat Linux 7.3 ships with BIND 9.2.





§ Install the bind software package


First install the bind package:

[root@rh73 /mnt/cdrom/RedHat/RPMS]# rpm -ivh bind-9.2.0-8.i386.rpm

Preparing...                ########################################### [100%]

   1:bind                   ########################################### [100%]






§ Understand the bind configuration file /etc/named.conf


For convenience of future maintenance, I plan to resolve some internal hosts locally. Assuming the local zone is silly.com, I want both the ns and firewall host names to point to the access server address 192.168.100.254:


ns.silly.com        192.168.100.254

firewall.silly.com  192.168.100.254


The DNS software package on Linux is bind, but the service process is called named. First let's look at /etc/named.conf, the main configuration file of bind; the type of the domain name server and the directory holding the corresponding database files are defined here.



1) The file starts with the options section:

options {
        directory "/var/named";

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};


a) directory
This indicates that the named data files are stored in the /var/named directory. That is, the named process looks for the relevant files in this directory to obtain its DNS data, so data files can be placed there directly and referenced without absolute paths.



The comment that follows says that if your DNS server runs a version earlier than BIND 8.1 and is separated from its clients by a firewall, you need to remove the leading // from "// query-source address * port 53;" (uncomment it). We are using version 9.2, so this setting does not need to change.




b) controls


controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

The controls section, together with the include "/etc/rndc.key"; line at the end of the file, is a new feature of BIND 9.x concerning DNS updates and the keys that secure them. We do not use it for now.






c)
zone "." IN {
        type hint;
        file "named.ca";
};


This part defines the root zone "." of the DNS system, and its type is hint. Queries for non-local zones that the local DNS cannot resolve itself are sent to the root servers listed in named.ca.





d)
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};


zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};


These two sections define DNS resolution of the local host name.
The first zone is the forward resolution of localhost; its type is master, and the data file is /var/named/localhost.zone.
The second zone is the reverse resolution of the local address, that is, retrieving the domain name from the IP address.



include "/etc/rndc.key";



e) Let's look at the content of localhost.zone:

[root@rh73 /var/named]# cat localhost.zone

$TTL 86400
$ORIGIN localhost.
@       1D IN SOA @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum

        1D IN NS @
        1D IN A  127.0.0.1


TTL (Time To Live) gives the time a resolution result is kept in the cache, in seconds. Here it is defined as 86400 seconds, that is one day. Every DNS server caches non-local domain name information, and TTL is how long a result stays in that cache. You may have noticed that the first visit to a website can take a while and the next visit is faster: that is the DNS cache at work, cutting the time needed to resolve the domain name to an IP address the second time.


$ORIGIN states which domain the host records that follow belong to; the @ below is its substitute symbol.


@ is the substitute symbol for the ORIGIN, which here refers to localhost.


1D (one day; it can also be written as a number of seconds, such as 86400) is a TTL value. It may be omitted: if it is not given, the $TTL value set earlier applies, and if that is not defined either, the minimum TTL introduced later applies. A TTL can be set separately for each record by placing the value before "IN".





The SOA (Start Of Authority) after IN is the type of this record and indicates that the authority record of the current zone starts here. Each data file may have only one SOA, which cannot be repeated and must be the first record in the zone.


After SOA come the authoritative host and the administrator's mailbox for this zone, here @ (localhost.) and root@localhost respectively. Written in full, root would be root.localhost.; the "@" of the mail address is replaced with ".". The SOA authoritative host name must have an A record in the DNS system.





The SOA settings are five numbers enclosed in "()". They mainly control how DNS data is synchronised with slave servers:


Serial: usually in the format "year month day + modification count". Slaves compare this value when about to synchronise: if the value here is greater than theirs, they update; otherwise they ignore it. Serial cannot exceed 10 digits.

Refresh: how often the slave synchronises data (whether it actually transfers depends on the Serial comparison).

Retry: how long the slave waits before retrying after a failed update.

Expire: the record expiry time. When the slave has been unable to contact the master for this long, it stops retrying and marks its data as expired.

Minimum: the minimum preset TTL value. If "$TTL" is not defined earlier, this value applies.


The numbers above are in seconds; H (hour), D (day) or W (week) can also be used as the unit, for example 3H and 259200 are the same. Whatever unit is used, follow these rules:

expire >= refresh + retry

expire >= 10 * retry


Note: in the SOA record, the left parenthesis "(" must be on the same line as SOA!
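As an added example (not code from the original article), the following Python parses the SOA record of a BIND zone file, converts the time units described above (S, M, H, D, W, or plain seconds) to seconds, enforces the "(" on the SOA line rule, and checks the two expire rules and the serial limit. The zone texts embedded below are constructed for this example; the names ns.example.test and root.example.test are placeholders.

```python
"""
Added example, not part of the original article: parse the SOA record of
a BIND zone file, convert BIND time units (S, M, H, D, W) to seconds, and
check the two timer rules quoted above together with the serial limits.
All zone text used here is constructed for the example.
"""
import re

# Seconds per BIND time-unit suffix; a bare number is already in seconds.
UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
SERIAL_MSG = "serial must be an unsigned 32-bit integer (at most 10 digits)"


def parse_ttl(value):
    """'3H' -> 10800, '15M' -> 900, '1W' -> 604800, '86400' -> 86400, '1D12H' -> 129600."""
    v = value.strip().upper()
    if v.isdigit():
        return int(v)
    if not re.fullmatch(r"(\d+[SMHDW])+", v):
        raise ValueError(f"bad time value: {value!r}")
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([SMHDW])", v))


def strip_comments(text):
    """Remove ';' comments, the only comment form in these zone files."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text):
    """Return the SOA fields of a zone as a dict with all timers in seconds.

    Mirrors BIND's rule that the opening '(' must sit on the SOA line itself.
    """
    lines = strip_comments(zone_text).splitlines()
    for i, line in enumerate(lines):
        tokens = line.split()
        upper = [t.upper() for t in tokens]
        if "SOA" not in upper:
            continue
        if "(" not in line:
            raise ValueError("SOA: '(' must be on the same line as SOA")
        k = upper.index("SOA")
        mname, rname = tokens[k + 1], tokens[k + 2]
        # The five values between '(' and ')' may span several lines.
        rest = " ".join(lines[i:])
        inner = rest.split("(", 1)[1].split(")", 1)[0].split()
        if len(inner) != 5:
            raise ValueError("SOA needs exactly five values in parentheses")
        serial, refresh, retry, expire, minimum = inner
        return {
            "mname": mname, "rname": rname, "serial": serial,
            "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
            "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
        }
    raise ValueError("no SOA record found")


def check_soa(soa):
    """Return a list of rule violations (empty when the SOA is sound)."""
    problems = []
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire must be >= refresh + retry")
    if soa["expire"] < 10 * soa["retry"]:
        problems.append("expire must be >= 10 * retry")
    s = soa["serial"]
    # The article's 10-digit limit; the protocol limit is 32 bits (4294967295).
    if not s.isdigit() or len(s) > 10 or int(s) > 0xFFFFFFFF:
        problems.append(SERIAL_MSG)
    return problems


# Constructed zone text modelled on the localhost.zone shown above.
LOCALHOST_ZONE = """\
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
        42      ; serial (d. adams)
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum
        1D IN NS @
        1D IN A 127.0.0.1
"""

# Constructed zone whose expire timer breaks both rules (placeholder names).
BAD_ZONE = """\
$TTL 86400
@ IN SOA ns.example.test. root.example.test. (
        2024010101 ; serial
        28800      ; refresh
        14400      ; retry
        3600       ; expire: below refresh + retry and below 10 * retry
        86400 )    ; minimum
        IN NS ns.example.test.
"""

if __name__ == "__main__":
    for name, text in (("localhost", LOCALHOST_ZONE), ("bad", BAD_ZONE)):
        soa = parse_soa(text)
        print(name, soa, check_soa(soa) or "OK")
```

Run it against a real zone file by reading the file into parse_soa; a non-empty list from check_soa is the signal that slaves would keep stale data or expire it too early, which is worth catching before named loads the zone.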





The last two lines indicate that the name server (NS) responsible for the localhost zone is localhost, and that the IP address of localhost is 127.0.0.1.





In /etc/named.conf, the named.local file is set as the data file of the "0.0.127.in-addr.arpa" zone. Its content is as follows:

[root@rh73 /var/named]# cat named.local

$TTL 86400
@       IN SOA localhost. root.localhost. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS localhost.

1       IN PTR localhost.


Let's look at the last line, "1 IN PTR localhost.". This record type is PTR (pointer), which is used in reverse resolution to map an IP address to a host name (the opposite of an A record). From the settings above we know that the host name for 127.0.0.1 is localhost. For a reverse query the address is written as 1.0.0.127.in-addr.arpa; since the ORIGIN (@) here is "0.0.127.in-addr.arpa.", only the 1 needs to be written in the PTR record, and 0.0.127.in-addr.arpa is appended automatically.


§ Resolve hosts in the local zone


Having understood the above, let's see how to perform local domain name resolution. What we need to do is:


Add two zone settings to /etc/named.conf:


zone "silly.com" IN {
        type master;
        file "silly.zone";
        allow-update { none; };
};


zone "100.168.192.in-addr.arpa" IN {
        type master;
        file "named.silly";
        allow-update { none; };
};


Set up the data file under /var/named:

[root@rh73 /var/named]# cat silly.zone

$TTL 86400
$ORIGIN silly.com.
@       IN SOA ns.silly.com. root.silly.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS ns.silly.com.


ns       IN A     192.168.100.254
firewall IN CNAME ns


A CNAME record defines an alias of a host domain name. This record type is convenient when several host names point to the same address.


Set up the reverse resolution zone:

[root@rh73 /var/named]# cat named.silly

$TTL 86400
@       IN SOA ns.silly.com. root.silly.com. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS ns.silly.com.


254     IN PTR ns.silly.com.
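The PTR mechanics explained for named.local above (the reversed octets, and the owner name written relative to the zone's ORIGIN) and the named.silly file just shown are the same rule applied twice. As an added example that is not part of the original article, the following Python derives the in-addr.arpa names and generates the PTR lines of a reverse zone from a forward zone's A records; the forward-zone tuples are constructed from silly.zone above.

```python
"""
Added example, not part of the original article: build in-addr.arpa names
and derive the PTR records of a reverse zone from a forward zone's A
records, the way named.local and named.silly pair with localhost.zone and
silly.zone. The forward-zone data is constructed for the example.
"""
import ipaddress


def reverse_name(ip):
    """'127.0.0.1' -> '1.0.0.127.in-addr.arpa.' (IPv6 gives an ip6.arpa name)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_origin(network):
    """'192.168.100.0/24' -> '100.168.192.in-addr.arpa.' (octet-aligned IPv4 only)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 0:
        raise ValueError("octet-aligned IPv4 prefix required (/8, /16 or /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def relative_owner(ip, origin):
    """Owner name of the PTR record relative to the reverse zone's $ORIGIN.

    '192.168.100.254' under '100.168.192.in-addr.arpa.' -> '254', which is
    why named.silly reads '254 IN PTR ns.silly.com.' and named.local
    '1 IN PTR localhost.'.
    """
    full = reverse_name(ip)
    suffix = "." + origin
    if not full.endswith(suffix):
        raise ValueError(f"{ip} is not inside {origin}")
    return full[: -len(suffix)]


def ptr_records(forward_zone, origin_fwd, network):
    """Turn (owner, type, rdata) tuples of a forward zone into reverse-zone lines.

    Only A records are mapped: a CNAME (firewall -> ns) gets no PTR, so each
    address points back to exactly one canonical host name, and a wildcard
    owner ('*') is skipped because it names no single host.
    """
    rev_origin = reverse_zone_origin(network)
    lines = []
    for owner, rtype, rdata in forward_zone:
        if rtype.upper() != "A" or owner == "*":
            continue
        if owner == "@":
            fqdn = origin_fwd
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin_fwd}"
        lines.append(f"{relative_owner(rdata, rev_origin)} IN PTR {fqdn}")
    return rev_origin, lines


# Constructed from the silly.zone records shown above.
SILLY_FORWARD = [
    ("ns", "A", "192.168.100.254"),
    ("firewall", "CNAME", "ns"),
]

if __name__ == "__main__":
    origin, lines = ptr_records(SILLY_FORWARD, "silly.com.", "192.168.100.0/24")
    print(f"$ORIGIN {origin}")
    for line in lines:
        print(line)
```

Generating the reverse zone from the forward zone rather than editing both by hand is what keeps the two consistent; a mismatch between an A record and its PTR is a common cause of mail and log-correlation problems later.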





§ Forward resolution requests


To improve the query efficiency of our DNS server, we take the following measure: forward resolution requests for non-local domains to the DNS servers provided by our ISP.


This is implemented by the forwarders option. A forwarder works as follows: when an NS host receives a query for a zone it is not responsible for (slave zones also count as the local server's responsibility), instead of querying from the root zone itself, it forwards the request to one or more specified forwarder hosts. Without understanding how DNS queries work it is hard to see the meaning and benefits of forwarders.


We know that when a DNS server receives a query from a client host, it first checks whether the query falls under its local jurisdiction; if not, it turns to the root zone and works downward until it can tell the client the result. During this process the server also stores the result in its cache. As long as the TTL in the cache has not expired, the next identical query is answered directly from the cache instead of repeating the whole query process. If a forwarder is configured, then on a cache miss the server does not query from the root but sends the same request (forwards it) to the forwarder and waits for the result; that is, the forwarder does the laborious downward querying. Whether the result was obtained directly or returned by the forwarder, the server keeps a copy in its cache, so the same query is much faster next time, which improves query efficiency for the clients the DNS server serves.


The benefits of the forwarder mechanism go beyond the efficiency improvement just described: it also reduces overall network traffic, especially external traffic. For example, if your internal network needs 10 DNS servers, you only need to set up DNS on one machine that can talk to the outside world directly and point the forwarders of the other internal DNS servers at it. What might have needed 10 root queries then needs only one, and counting the lower-level round trips the number of external queries saved is larger still. Combined with caching, the DNS traffic reduction from forwarders is very significant.


In fact, at the beginning of this chapter we mentioned centrally managing domain name resolution for internal LAN users. The solution is to set the forwarder of the local DNS to the ISP's DNS and have LAN users use the local DNS address. When an external domain name is resolved, our DNS forwards the request to the ISP's DNS; because the ISP's DNS also has a cache, this setup speeds up queries as well.


After all that, let's see how to configure it. The setting is simple: add the following line to the options section of named.conf:


forwarders { 211.136.17.107; 202.102.152.3; };


Once this is set, all queries outside our zones are forwarded directly to the DNS servers specified by forwarders.
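To make the query path described above concrete (local zones first, then the cache until its TTL expires, then the forwarder or a root walk), here is an added example in Python that is not part of the original article. It is a toy model, not BIND: the Resolver class, the fake clock, the answer for china.com and the 300-second TTL are all constructed, and it counts how many queries reach the root with and without a shared forwarder.

```python
"""
Added example, not part of the original article: a toy model of the query
path described above (local zones -> cache -> forwarder) showing how the
cache TTL and a shared forwarder cut the number of external queries.
Names, addresses and TTLs are constructed for the example.
"""


class Clock:
    """Fake clock so cache expiry can be driven deterministically."""

    def __init__(self):
        self.now = 0

    def advance(self, seconds):
        self.now += seconds


class Resolver:
    """Toy model of one DNS server: local zones, then cache, then upstream."""

    def __init__(self, zones, upstream, clock):
        self.zones = zones          # {fqdn: (ip, ttl)} served authoritatively
        self.upstream = upstream    # callable(fqdn) -> (ip, ttl): forwarder or root walk
        self.clock = clock
        self.cache = {}             # fqdn -> (ip, expires_at)
        self.upstream_queries = 0

    def query(self, fqdn):
        """Return (ip, remaining_ttl) following the three-step path above."""
        if fqdn in self.zones:                      # 1. local jurisdiction
            return self.zones[fqdn]
        now = self.clock.now
        cached = self.cache.get(fqdn)
        if cached and cached[1] > now:              # 2. cache hit, TTL not expired
            return cached[0], cached[1] - now
        ip, ttl = self.upstream(fqdn)               # 3. forward, or recurse from "."
        self.upstream_queries += 1
        self.cache[fqdn] = (ip, now + ttl)          # keep a copy either way
        return ip, ttl


def simulate(n_internal=10, ttl=300):
    """Count root queries with and without a shared forwarder (constructed data)."""
    clock = Clock()
    root_queries = [0]

    def root(fqdn):
        # Stands in for the full recursive walk from the root zone.
        root_queries[0] += 1
        return "61.151.243.8", ttl          # constructed answer for any name

    # Without forwarders: each internal server recurses from the root itself.
    for _ in range(n_internal):
        Resolver({}, root, clock).query("china.com.")
    direct_root = root_queries[0]

    # With forwarders: one border server recurses, the others forward to it.
    root_queries[0] = 0
    border = Resolver({"ns.silly.com.": ("192.168.100.254", 86400)}, root, clock)
    internal = [Resolver({}, border.query, clock) for _ in range(n_internal)]
    for r in internal:
        r.query("china.com.")
    forwarded_root = root_queries[0]

    # A name in a local zone is answered by the border server, never by the root.
    ns_ip, _ = internal[0].query("ns.silly.com.")
    local_root = root_queries[0]

    # Once the TTL has run out, the border server must ask the root again.
    clock.advance(ttl + 1)
    internal[0].query("china.com.")
    return {"direct_root": direct_root, "forwarded_root": forwarded_root,
            "ns_ip": ns_ip, "local_root": local_root, "after_expiry": root_queries[0]}


if __name__ == "__main__":
    print(simulate())
```

The model also shows the flip side of the cache: every resolver in the chain keeps the answer for the remaining TTL, so a wrong or poisoned answer learned by the border server is served to all internal servers until it expires, which is why the forwarders you choose should be servers you trust.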





§ Test DNS


After all the settings are complete, restart the named process so that they take effect:


[root@rh73 /var/named]# /etc/rc.d/init.d/named restart


Now test whether the settings are correct:


Set up the DNS client on a Linux host:


[root@rh73 ~]# vi /etc/resolv.conf


In fact this file was already set when the NIC parameters were configured during system installation. Its content may be:


nameserver 202.102.152.3

nameserver 202.102.134.68


Now remove those two lines (or comment them out by adding "#" at the start of the line) and write:


nameserver 192.168.100.254


so that the DNS server 192.168.100.254 we just set up is used.


On Linux, commands such as ping, nslookup, dig and host can be used to test whether DNS works normally. These small tools are simple to use; taking host as an example:


[root@rh73 ~]# host ns.silly.com

ns.silly.com has address 192.168.100.254


[root@rh73 ~]# host firewall.silly.com

firewall.silly.com is an alias for ns.silly.com.

ns.silly.com has address 192.168.100.254


[root@rh73 ~]# host china.com

china.com has address 61.151.243.8


Both local and Internet domain names resolve to their IP addresses normally, meeting our design requirements. Of course, this is far from a complete DNS server configuration; for more information see other materials.





§ How to become a public DNS


The silly.com data served by the domain name server we configured here is valid only inside our network. If you want silly.com to be a domain name on the Internet, it is unrealistic to expect everyone else to resolve data from your DNS server, or to point their DNS at your server's address after a single notification. According to how DNS works, you should register with the parent domain name server of silly.com, that is com, so that the other domain name servers in the domain name space can reach your domain name server's data.





[Tips]

When setting the options section of named.conf, the following options help harden the system:

version "Hello World";

When someone tries to detect the version of our DNS server, they get "Hello World" :)


listen-on { 192.168.100.254; };

If the DNS service runs on a server with multiple NICs, it listens on all interfaces by default. This option tells the DNS service to listen only on the specified interfaces.


If you do not want certain hosts or networks to use our DNS service, you can define an acl and set blackhole in the options section:

acl denied {
        192.168.100.50;
        192.168.100.51;
        192.168.1.0/24;
};


blackhole { denied; };


After this setting, the hosts 192.168.100.50 and 192.168.100.51 and the network 192.168.1.0/24 cannot use this DNS server.
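An acl mistake is easy to make and only shows up as refused clients after reload, so it pays to evaluate the list before deploying it. The following Python is an added example, not code from the original article or from BIND: it parses a BIND-style address match list, expands a named acl such as the "denied" one above, and applies BIND's first-match rule (including "!" negation, which BIND supports but the article does not use) to constructed client addresses.

```python
"""
Added example, not part of the original article: evaluate a BIND-style
address match list, such as the acl and blackhole entries above, for a
given client address before the configuration is deployed. The 'denied'
list copies the one above; the client addresses are constructed.
"""
import ipaddress


def parse_match_list(text, acls=None):
    """Parse '{ a; !b; name; }' into [(negated, network), ...].

    A bare name refers to an acl defined earlier and is expanded in place;
    '!' before an address excludes it (BIND's negation syntax).
    """
    acls = acls or {}
    entries = []
    for item in text.strip().strip("{}").split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        if item in acls:
            if negated:
                raise ValueError("negated nested acl not handled in this example")
            entries.extend(acls[item])
        else:
            # A malformed entry (e.g. a stray trailing '.') raises ValueError here,
            # before anything reaches the running server.
            entries.append((negated, ipaddress.ip_network(item, strict=False)))
    return entries


def matches(client, match_list):
    """First-match semantics: the first element containing the address decides."""
    addr = ipaddress.ip_address(client)
    for negated, net in match_list:
        if addr.version == net.version and addr in net:
            return not negated
    return False


def refused_clients(clients, blackhole):
    """Return the subset of clients that the blackhole list would drop."""
    return [c for c in clients if matches(c, blackhole)]


# The same lists as in the tip above.
ACLS = {"denied": parse_match_list("{ 192.168.100.50; 192.168.100.51; 192.168.1.0/24; }")}
BLACKHOLE = parse_match_list("{ denied; }", ACLS)

# Constructed client addresses to check against the list.
SAMPLE_CLIENTS = ["192.168.100.50", "192.168.100.254", "192.168.1.200", "192.168.2.1"]

if __name__ == "__main__":
    print("dropped:", refused_clients(SAMPLE_CLIENTS, BLACKHOLE))
```

Because the first matching element wins, an exception must come before the network it carves out of: "{ !192.168.1.7; 192.168.1.0/24; }" lets 192.168.1.7 through, whereas the reverse order would never reach the negated entry.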