互联网DNS架构的实现

互联网中dns的架构为下图所示,当本地的DNS服务器无法解析域名时就会向互联网上的dns服务器去迭代查询,直到找到相应的服务器位置。

dns结构.png

以下为具体的实现方式

环境准备

主机 OS IP
www centos6 192.168.73.2
client centos6 192.168.73.3
mylinuxopsdns1 centos7 192.168.73.10
mylinuxopsdns2 centos7 192.168.73.20
comdns centos7 192.168.73.30
rootdns centos7 192.168.73.40
ldns centos7 192.168.73.50

一、在www主机上部署httpd服务

1.启动httpd服务

1
2
3
4
[root@www ~]# service httpd start
Starting httpd: httpd: apr_sockaddr_info_get() failed for www
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
                                                           [  OK  ]

2.为http主机创建一个主页

1
[root@centos6 ~]# echo "<h1>welcome to mylinuxops.com</h1>" > /var/www/html/index.html

3.测试

1
2
[root@www ~]# curl 192.168.73.2
<h1>welcome to mylinuxops.com</h1>

二、配置mylinuxopsdns1

1.安装bind服务

1
[root@mylinuxopsdns1 ~]# yum install bind -y

2.启动服务应设置为开机启动

1
2
3
[root@mylinuxopsdns1 ~]# systemctl start named
[root@mylinuxopsdns1 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3.修改dns主配置文件

将监听地址和允许访问的主机注释

1
2
3
4
5
6
7
8
9
10
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4.修改区域配置文件,添加区域记录

1
2
3
4
5
[root@mylinuxopsdns1 ~]# vim /etc/named.rfc1912.zones 
zone "mylinuxops.com" IN {
        type master;
        file "mylinuxops.com.zone";
};

5.创建区域数据库文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@mylinuxopsdns1 ~]# cp -p /var/named/{named.localhost,mylinuxops.com.zone}
[root@mylinuxopsdns1 ~]# vim /var/named/mylinuxops.com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      master
        NS      slave
master  A       192.168.73.10
slave   A       192.168.73.20
www     A       192.168.73.2

6.检查语法错误

1
2
3
4
[root@mylinuxopsdns1 ~]# named-checkconf 
[root@mylinuxopsdns1 ~]# named-checkzone mylinuxops.com /var/named/mylinuxops.com.zone 
zone mylinuxops.com/IN: loaded serial 0
OK

7.重读配置文件

1
[root@mylinuxopsdns1 ~]# rndc reload

8.在client主机上测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[root@client ~]# dig www.mylinuxops.com @192.168.73.10

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.mylinuxops.com @192.168.73.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24888
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.mylinuxops.com.		IN	A

;; ANSWER SECTION:
www.mylinuxops.com.	86400	IN	A	192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.		86400	IN	NS	master.mylinuxops.com.

;; ADDITIONAL SECTION:
master.mylinuxops.com.	86400	IN	A	192.168.73.10

;; Query time: 1 msec
;; SERVER: 192.168.73.10#53(192.168.73.10)
;; WHEN: Fri Apr 19 04:23:08 2019
;; MSG SIZE  rcvd: 89

三、配置dns从服务器mylinuxopsdns2

1.安装bind服务

1
[root@mylinuxopsdns2 ~]# yum install bind -y

2.启动dns服务设置为开机自动启动

1
2
3
[root@mylinuxopsdns2 ~]# systemctl start named
[root@mylinuxopsdns2 ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

3.修改主配置文件

将端口行和允许访问的主机注释

1
2
3
4
5
6
7
8
9
10
11
[root@mylinuxopsdns2 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

4.修改区域配置文件

1
2
3
4
5
6
[root@mylinuxopsdns2 ~]# vim /etc/named.rfc1912.zones 
zone "mylinuxops.com" IN {
        type slave;
        masters {192.168.73.10;};
        file "slaves/mylinuxops.zone";
};

5.检查语法错误

1
[root@mylinuxopsdns2 ~]# named-checkconf

6.重读配置文件

1
[root@mylinuxopsdns2 ~]# rndc reload

7.查看区域数据库文件是否已经被拉取到本地

1
2
3
[root@centos7 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 298 Apr 23 04:40 mylinuxops.zone

8.安全加固

由于主从dns服务器都没有对能拉取区域数据库的主机加以限制,这样是非常不安全的,所以需要对主机的安全行进行加固

8.1对从服务器主配置文件修改,添加allow-transfer
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[root@mylinuxopsdns2 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {none;};
//      allow-query     { localhost; };


[root@mylinuxopsdns2 ~]# rndc reload
server reload successful
8.2对主服务器主配置文件修改,添加allow-transfer只允许从服务来拉取数据
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@mylinuxopsdns1 ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-transfer  {192.168.73.20;};
//      allow-query     { localhost; };

[root@mylinuxopsdns1 ~]# rndc reload
server reload successful

四、搭建com域dns服务器

1.安装dns服务

1
[root@comdns ~]# yum install bind -y

2.修改dns主配置文件

将监听的ip和允许访问的主机行注释

1
2
3
4
5
6
7
8
9
10
11
[root@comdns ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };

3.修改区域文件添加com域

1
2
3
4
5
[root@comdns ~]# vim /etc/named.rfc1912.zones
zone "com" IN {
        type master;
        file "com.zone";
};

4.创建区域数据库文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@comdns ~]# cp -p /var/named/{named.localhost,com.zone}
[root@comdns ~]# vim /var/named/com.zone
$TTL 1D
@       IN SOA  master admin.mylinuxops.com.  (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
                NS      master
mylinuxops      NS      ns1
mylinuxops      NS      ns2
master          A       192.168.73.30
ns1             A       192.168.73.10
ns2             A       192.168.73.20

5.检查配置文件语法

1
2
3
4
[root@comdns ~]# named-checkconf 
[root@comdns ~]# named-checkzone com /var/named/com.zone 
zone com/IN: loaded serial 0
OK

6.启动服务

1
[root@comdns ~]# systemctl restart named

7.测试

在client端进行测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[root@clinet ~]# dig www.mylinuxops.com @192.168.73.30

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47115
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.		IN	A

;; ANSWER SECTION:
www.mylinuxops.com.	86400	IN	A	192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.		86400	IN	NS	ns2.com.
mylinuxops.com.		86400	IN	NS	ns1.com.

;; ADDITIONAL SECTION:
ns1.com.		86400	IN	A	192.168.73.10
ns2.com.		86400	IN	A	192.168.73.20

;; Query time: 6 msec
;; SERVER: 192.168.73.30#53(192.168.73.30)
;; WHEN: Tue Apr 23 17:25:07 CST 2019
;; MSG SIZE  rcvd: 131

五、搭建root域上的dns服务

1.安装dns服务

1
[root@rootdns ~]# yum install bind -y

2.修改主配置文件

将监听地址和允许访问的主机行注释,修改最底下的根域

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[root@rootdns ~]# vim /etc/named.conf
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
zone "." IN {
        type master;
        file "root.zone";
};

3.创建根域数据库

1
2
3
4
5
6
7
8
9
10
11
12
13
[root@rootdns ~]# cp -p /var/named/{named.localhost,root.zone}
[root@rootdns ~]# vim /var/named/root.zone
$TTL 1D
@       IN SOA  ns1 admin.mylinuxops.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1
com     NS      master
ns1     A       192.168.73.40
master  A       192.168.73.30

4.检查语法错误

1
2
3
4
[root@rootdns ~]# named-checkconf 
[root@rootdns ~]# named-checkzone . /var/named/root.zone 
zone ./IN: loaded serial 0
OK

5.启动dns服务

1
2
3
[root@rootdns ~]# systemctl start named
[root@rootdns ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

6.测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
[root@localhost ~]# dig www.mylinuxops.com @192.168.73.40

; <<>> DiG 9.9.4-RedHat-9.9.4-72.el7 <<>> www.mylinuxops.com @192.168.73.40
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38921
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.mylinuxops.com.		IN	A

;; ANSWER SECTION:
www.mylinuxops.com.	86400	IN	A	192.168.73.2

;; AUTHORITY SECTION:
mylinuxops.com.		85104	IN	NS	ns1.com.
mylinuxops.com.		85104	IN	NS	ns2.com.

;; ADDITIONAL SECTION:
ns1.com.		85104	IN	A	192.168.73.10
ns2.com.		85104	IN	A	192.168.73.20

;; Query time: 2 msec
;; SERVER: 192.168.73.40#53(192.168.73.40)
;; WHEN: Tue Apr 23 17:59:09 CST 2019
;; MSG SIZE  rcvd: 131

六、配置本地DNS

1.安装dns服务

1
[root@ldns ~]# yum install bind -y

2.修改本地DNS的主配置文件

将监听地址和允许访问的主机注释,将dnssec相关的两项关闭

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@ldns ~]# vim /etc/named.conf 
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { localhost; };
....
        dnssec-enable no;
        dnssec-validation no;

3.修改本地的根数据文件

将根数据库文件指向rootdns所在的地址,其余的全部删除

1
2
3
[root@ldns ~]# vim /var/named/named.ca
.                       518400  IN      NS      a.root-servers.net.
a.root-servers.net.     3600000 IN      A       192.168.73.40

七、在client进行测试

1.配置client端的网卡将其dns指向本地的dns服务器

1
2
3
4
5
6
7
8
9
[root@client ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33 
TYPE=Ethernet
BOOTPROTO=static
NAME=ens33
DEVICE=ens33
ONBOOT=on
IPADDR=192.168.73.3
PREFIX=24
DNS1=192.168.73.50

2.重启服务

1
2
3
4
[root@localhost ~]# systemctl restart network
[root@localhost ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.73.50

3.测试访问www.mylinuxops.com

1
2
[root@localhost ~]# curl www.mylinuxops.com
<h1>welcome to mylinuxops.com</h1>