1. Outline how a DNS server works, and set up a primary/secondary server pair.

   How a DNS server works

  DNS (Domain Name Service) is an application-layer protocol with a client/server architecture; by default it listens on TCP and UDP port 53. The server software BIND was developed at the University of California, Berkeley. Its main job is to resolve Internet domain names into the corresponding IP addresses so that remote hosts can be reached. Take a visit to www.baidu.com as an example of the DNS workflow. First the browser requests www.baidu.com. It begins by looking in the local /etc/hosts file for a www.baidu.com entry; if there is one, it connects to that IP directly. If not, it asks the DNS server configured on the host (for example the DNS server of a residential network, or one of the ISPs' DNS servers). If that configured DNS server can find the corresponding IP, it returns it to the browser, which then connects to the IP it was given. If the configured DNS server has no record for the name, it asks a root server: "Root, I want to reach the host www.baidu.com; do you have its IP?" The root checks its database and replies: "I don't have it, but com is one of my child zones and I have the addresses of the com servers; go ask com." Our configured DNS server then takes the com address the root gave it and asks com: "com, I want to reach the host www.baidu.com; do you have its IP?" com checks its database and replies: "I don't have it, but baidu is one of my child zones; here is the address for the baidu zone, go ask it." Our DNS server then takes the baidu.com address that com supplied and asks the baidu.com zone: "I want to reach www.baidu.com; do you have its IP?" baidu.com recognises www.baidu.com as a host in its own zone and immediately tells our DNS server that it has the address, and hands it over. Our DNS server caches the IP it finally obtained, then returns it to the browser, which connects directly and can now reach the web service running behind www.baidu.com. That is the rough DNS workflow. In short: when we want to reach a host by name rather than by IP address, we first look in /etc/hosts for a matching entry; if there is one we use it; if not we ask our configured DNS server; if that server does not know, it queries the root on our behalf and then each child zone in turn. After going round the chain, our configured DNS server either tells us that the name we asked for does not exist, or returns its address.

  Setting up an authoritative primary DNS server

  1) Install the BIND package

[root@test ~]#yum install -y bind
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.aliyun.com
 * extras: mirrors.aliyun.com
 * updates: mirrors.aliyun.com
base                                                                                                                 | 3.6 kB  00:00:00     
dockerrepo                                                                                                           | 2.9 kB  00:00:00     
epel                                                                                                                 | 5.4 kB  00:00:00     
extras                                                                                                               | 2.9 kB  00:00:00     
updates                                                                                                              | 2.9 kB  00:00:00     
正在解决依赖关系
--> 正在检查事务
---> 软件包 bind.x86_64.32.9.11.4-9.P2.el7 将被 安装
--> 正在处理依赖关系 bind-libs-lite(x86-64) = 32:9.11.4-9.P2.el7,它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 bind-libs(x86-64) = 32:9.11.4-9.P2.el7,它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 liblwres.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisccfg.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisccc.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libisc.so.169()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libdns.so.1102()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在处理依赖关系 libbind9.so.160()(64bit),它被软件包 32:bind-9.11.4-9.P2.el7.x86_64 需要
--> 正在检查事务
---> 软件包 bind-libs.x86_64.32.9.11.4-9.P2.el7 将被 安装
--> 正在处理依赖关系 bind-license = 32:9.11.4-9.P2.el7,它被软件包 32:bind-libs-9.11.4-9.P2.el7.x86_64 需要
---> 软件包 bind-libs-lite.x86_64.32.9.9.4-74.el7_6.2 将被 升级
--> 正在处理依赖关系 libdns-export.so.100()(64bit),它被软件包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
--> 正在处理依赖关系 libisc-export.so.95()(64bit),它被软件包 12:dhclient-4.2.5-68.el7.centos.1.x86_64 需要
---> 软件包 bind-libs-lite.x86_64.32.9.11.4-9.P2.el7 将被 更新
--> 正在检查事务
---> 软件包 bind-license.noarch.32.9.9.4-74.el7_6.2 将被 升级
---> 软件包 bind-license.noarch.32.9.11.4-9.P2.el7 将被 更新
---> 软件包 dhclient.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhclient.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 正在处理依赖关系 dhcp-libs(x86-64) = 12:4.2.5-77.el7.centos,它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 dhcp-common = 12:4.2.5-77.el7.centos,它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 libisc-export.so.169()(64bit),它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在处理依赖关系 libdns-export.so.1102()(64bit),它被软件包 12:dhclient-4.2.5-77.el7.centos.x86_64 需要
--> 正在检查事务
---> 软件包 bind-export-libs.x86_64.32.9.11.4-9.P2.el7 将被 安装
---> 软件包 dhcp-common.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhcp-common.x86_64.12.4.2.5-77.el7.centos 将被 更新
---> 软件包 dhcp-libs.x86_64.12.4.2.5-68.el7.centos.1 将被 升级
---> 软件包 dhcp-libs.x86_64.12.4.2.5-77.el7.centos 将被 更新
--> 解决依赖关系完成

依赖关系解决

============================================================================================================================================
 Package                              架构                       版本                                        源                        大小
============================================================================================================================================
正在安装:
 bind                                 x86_64                     32:9.11.4-9.P2.el7                          base                     2.3 M
为依赖而安装:
 bind-export-libs                     x86_64                     32:9.11.4-9.P2.el7                          base                     1.1 M
 bind-libs                            x86_64                     32:9.11.4-9.P2.el7                          base                     154 k
为依赖而更新:
 bind-libs-lite                       x86_64                     32:9.11.4-9.P2.el7                          base                     1.1 M
 bind-license                         noarch                     32:9.11.4-9.P2.el7                          base                      88 k
 dhclient                             x86_64                     12:4.2.5-77.el7.centos                      base                     285 k
 dhcp-common                          x86_64                     12:4.2.5-77.el7.centos                      base                     176 k
 dhcp-libs                            x86_64                     12:4.2.5-77.el7.centos                      base                     133 k

事务概要
============================================================================================================================================
安装  1 软件包 (+2 依赖软件包)
升级           ( 5 依赖软件包)

总下载量:5.3 M
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/8): bind-export-libs-9.11.4-9.P2.el7.x86_64.rpm                                                                   | 1.1 MB  00:00:00     
(2/8): bind-libs-9.11.4-9.P2.el7.x86_64.rpm                                                                          | 154 kB  00:00:00     
(3/8): bind-9.11.4-9.P2.el7.x86_64.rpm                                                                               | 2.3 MB  00:00:00     
(4/8): bind-libs-lite-9.11.4-9.P2.el7.x86_64.rpm                                                                     | 1.1 MB  00:00:00     
(5/8): dhclient-4.2.5-77.el7.centos.x86_64.rpm                                                                       | 285 kB  00:00:00     
(6/8): bind-license-9.11.4-9.P2.el7.noarch.rpm                                                                       |  88 kB  00:00:00     
(7/8): dhcp-common-4.2.5-77.el7.centos.x86_64.rpm                                                                    | 176 kB  00:00:00     
(8/8): dhcp-libs-4.2.5-77.el7.centos.x86_64.rpm                                                                      | 133 kB  00:00:00     
--------------------------------------------------------------------------------------------------------------------------------------------
总计                                                                                                        3.9 MB/s | 5.3 MB  00:00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  正在更新    : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64                                                                                1/13 
  正在更新    : 32:bind-license-9.11.4-9.P2.el7.noarch                                                                                 2/13 
  正在更新    : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64                                                                               3/13 
  正在安装    : 32:bind-libs-9.11.4-9.P2.el7.x86_64                                                                                    4/13 
  正在更新    : 12:dhcp-common-4.2.5-77.el7.centos.x86_64                                                                              5/13 
  正在安装    : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64                                                                             6/13 
  正在更新    : 12:dhclient-4.2.5-77.el7.centos.x86_64                                                                                 7/13 
  正在安装    : 32:bind-9.11.4-9.P2.el7.x86_64                                                                                         8/13 
  清理        : 12:dhclient-4.2.5-68.el7.centos.1.x86_64                                                                               9/13 
  清理        : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64                                                                           10/13 
  清理        : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64                                                                             11/13 
  清理        : 32:bind-license-9.9.4-74.el7_6.2.noarch                                                                               12/13 
  清理        : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64                                                                             13/13 
  验证中      : 12:dhcp-common-4.2.5-77.el7.centos.x86_64                                                                              1/13 
  验证中      : 32:bind-license-9.11.4-9.P2.el7.noarch                                                                                 2/13 
  验证中      : 32:bind-export-libs-9.11.4-9.P2.el7.x86_64                                                                             3/13 
  验证中      : 32:bind-libs-9.11.4-9.P2.el7.x86_64                                                                                    4/13 
  验证中      : 32:bind-libs-lite-9.11.4-9.P2.el7.x86_64                                                                               5/13 
  验证中      : 32:bind-9.11.4-9.P2.el7.x86_64                                                                                         6/13 
  验证中      : 12:dhclient-4.2.5-77.el7.centos.x86_64                                                                                 7/13 
  验证中      : 12:dhcp-libs-4.2.5-77.el7.centos.x86_64                                                                                8/13 
  验证中      : 12:dhcp-common-4.2.5-68.el7.centos.1.x86_64                                                                            9/13 
  验证中      : 12:dhclient-4.2.5-68.el7.centos.1.x86_64                                                                              10/13 
  验证中      : 32:bind-license-9.9.4-74.el7_6.2.noarch                                                                               11/13 
  验证中      : 32:bind-libs-lite-9.9.4-74.el7_6.2.x86_64                                                                             12/13 
  验证中      : 12:dhcp-libs-4.2.5-68.el7.centos.1.x86_64                                                                             13/13 

已安装:
  bind.x86_64 32:9.11.4-9.P2.el7                                                                                                            

作为依赖被安装:
  bind-export-libs.x86_64 32:9.11.4-9.P2.el7                               bind-libs.x86_64 32:9.11.4-9.P2.el7                              

作为依赖被升级:
  bind-libs-lite.x86_64 32:9.11.4-9.P2.el7        bind-license.noarch 32:9.11.4-9.P2.el7        dhclient.x86_64 12:4.2.5-77.el7.centos      
  dhcp-common.x86_64 12:4.2.5-77.el7.centos       dhcp-libs.x86_64 12:4.2.5-77.el7.centos      

完毕!
[root@test ~]#

  2) List the files installed by the bind package

[root@test ~]#rpm -ql bind
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
…… (part of the output omitted)
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@test ~]#

  Note: from the file list above we can tell that BIND's main configuration file is /etc/named.conf.

   3) Edit the configuration file: change listen-on port 53 { 127.0.0.1; }; to listen-on port 53 { localhost; }; and change allow-query     { localhost; }; to allow-query     { any; };

[root@test ~]#grep -v "^\//" /etc/named.conf

options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@test ~]#

  Note: alternatively, comment out the two lines listen-on port 53 { 127.0.0.1; }; and allow-query     { localhost; };. Comments in this file use the same syntax as C: a line is commented out with "//". The comment block in the file itself also warns that an authoritative server should not enable recursion, and that a recursive server reachable by any client needs access control; this lab leaves recursion yes; as installed.

  4) Add the zone configuration. In the configuration file above, note the two include directives at the end; include "/etc/named.rfc1912.zones"; is where the zone definitions live.

[root@test ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" IN {
>         type master;
>         file "test.com.zone";                                                                                                               
>     
> };
> EOF
[root@test ~]#tail -5 /etc/named.rfc1912.zones 
zone "test.com" IN {
        type master;
        file "test.com.zone";                                                                                                               
    
};
[root@test ~]#

  Note: the configuration above defines a zone test.com of type master (primary) whose zone database file is named "test.com.zone". Be aware that this filename is relative to the /var/named directory, which means the zone database file must be placed in /var/named. This working directory is set, and can be changed, with the directory option in the main configuration file.

  5) Create the zone database file

[root@test ~]#cat /var/named/test.com.zone
$TTL 1D
@ IN SOA dns1 admin ( 0 1D 1H 1W 3H );
     NS  dns1
dns1 A   192.168.0.99
www  A   1.1.1.1
blog A   2.2.2.2
[root@test ~]#

  Note: a record in a zone database file has the format name [TTL] IN rr_type value. The TTL may be inherited from the global $TTL, and @ stands for the name of the current zone. The same name may be defined by several records carrying different values; the DNS server then answers in round-robin order. The same value may also be defined under several different names, which only means the same host can be reached under multiple names. For the SOA record, name is the name of the current zone, for example "test.com", and value is made up of several parts:
  1. the FQDN of the zone's primary DNS server (the zone's own name may also be used);
  2. the e-mail address of the zone administrator, in which the @ sign cannot be used and is replaced by a dot, for example admin.test.com.;
  3. the parameters for primary/secondary zone transfers and the TTL for negative answers: the first number is the serial number, the second the refresh interval, the third the retry interval after a failed primary/secondary sync, the fourth how long after sync failures the secondary's copy of the data expires, and the fifth the TTL for caching negative answers.
  Also note that a name which does not end in a dot has the zone's own name appended by default.

  6) Check the main configuration file and the zone database file, then start the service

[root@test ~]#named-checkconf 
[root@test ~]#named-checkzone test.com /var/named/test.com.zone 
zone test.com/IN: loaded serial 0
OK
[root@test ~]#systemctl start named
[root@test ~]#

  7) Test

[root@test ~]#dig www.test.com @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14227
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:46 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @192.168.0.99    

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62941
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       2.2.2.2

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:29:57 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#

  Note: the dig tool comes from the bind-utils package, which mainly contains test tools such as host, dig and nslookup. The test output above shows that the forward primary DNS server is working.

  8) Add the reverse zone configuration to /etc/named.rfc1912.zones

[root@test ~]#tail -4 /etc/named.rfc1912.zones
zone "0.168.192.in-addr.arpa" {
        type master;
        file "192.168.0.zone";
};
[root@test ~]#

  Note: the name of a reverse zone is the network part of the IP address written backwards, and it must end in .in-addr.arpa. The filename can be anything, but the file must again be placed in /var/named, the same directory as the forward zone data file.

  9) Create the reverse zone data file

[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H );
     NS  dns1
dns1 A   192.168.0.99
99   PTR dns1.test.com.
100  PTR www.test.com.
101  PTR blog.test.com.
[root@test ~]#

  Note: the reverse zone database file has the same format as the forward one; reverse records must be of type PTR, and everything else is similar to the forward zone file. One more thing to watch: the domain name after PTR must end with a dot, otherwise the zone's own name is appended to it by default.
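To make the origin rule and the PTR trailing-dot pitfall concrete, here is an added Python example (not part of the original post, and not BIND's own code) that parses the small subset of zone-file syntax used above and fully qualifies every name the way named does. The sample zone is constructed: it copies the reverse zone above with one PTR deliberately missing its trailing dot, and suspicious_ptrs is a lint I added for that mistake.

```python
import re

# Constructed sample modelled on the reverse zone above, plus one PTR that
# deliberately omits the trailing dot to show what the origin rule does to it.
REVERSE_ZONE = """\
$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H ); the stray ';' only starts a comment
     NS  dns1
dns1 A   192.168.0.99
99   PTR dns1.test.com.
100  PTR www.test.com
"""

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)

def ttl_seconds(text):
    """Convert a BIND TTL such as 1D, 3H, 10M or a bare number to seconds."""
    m = TTL_RE.match(text)
    if not m:
        raise ValueError(f"bad TTL: {text}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

def qualify(name, origin):
    """Origin rule: '@' is the zone itself, a name ending in '.' is absolute,
    anything else gets the origin appended. This is why 'NS dns1' in the
    reverse zone shows up in dig as dns1.0.168.192.in-addr.arpa."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"

def reverse_name(ipv4):
    """The owner name 'dig -x' asks for: octets reversed under in-addr.arpa."""
    octets = ipv4.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {ipv4}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def _logical_lines(text):
    """Strip ';' comments and join physical lines until parentheses balance,
    yielding (tokens, owner_omitted) per record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf and not line.strip():
            continue                      # blank or comment-only line
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            yield joined.split(), buf[0][:1].isspace()
            buf, depth = [], 0

def parse_zone(text, origin):
    """Parse the subset of zone syntax used in the tutorial ($TTL, SOA, NS,
    A, PTR) into dicts whose owner and target names are fully qualified."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records = None, origin, []
    for tok, owner_omitted in _logical_lines(text):
        if tok[0] == "$TTL":
            default_ttl = ttl_seconds(tok[1])
            continue
        if not owner_omitted:             # leading blank reuses the last owner
            owner = qualify(tok.pop(0), origin)
        ttl = default_ttl
        if TTL_RE.match(tok[0]):          # optional per-record TTL
            ttl = ttl_seconds(tok.pop(0))
        if tok[0].upper() == "IN":        # optional class
            tok.pop(0)
        rtype, rdata = tok[0].upper(), tok[1:]
        rec = {"owner": owner, "ttl": ttl, "type": rtype}
        if rtype == "SOA":
            mname, rname, *timers = rdata
            rec["mname"], rec["rname"] = qualify(mname, origin), qualify(rname, origin)
            fields = ("serial", "refresh", "retry", "expire", "minimum")
            rec.update(zip(fields, (ttl_seconds(t) for t in timers)))
        elif rtype in ("NS", "PTR", "CNAME"):
            rec["target"] = qualify(rdata[0], origin)
        else:
            rec["target"] = rdata[0]
        records.append(rec)
    return records

def suspicious_ptrs(records, origin):
    """Flag PTR targets that landed inside the reverse zone itself: almost
    always a forgotten trailing dot, the exact mistake warned about above."""
    origin = origin if origin.endswith(".") else origin + "."
    return [r["owner"] for r in records
            if r["type"] == "PTR" and r["target"].endswith("." + origin)]

if __name__ == "__main__":
    zone = "0.168.192.in-addr.arpa"
    recs = parse_zone(REVERSE_ZONE, zone)
    for r in recs:
        print(r)
    print("suspicious PTRs:", suspicious_ptrs(recs, zone))
```

Running it shows the NS target expanding to dns1.0.168.192.in-addr.arpa., exactly as in the dig output above, and flags 100.0.168.192.in-addr.arpa. whose PTR became www.test.com.0.168.192.in-addr.arpa.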

  10) Check the zone file and reload the configuration so that the reverse zone database file takes effect

[root@test ~]#named-checkzone 192.168.0.zone /var/named/192.168.0.zone 
zone 192.168.0.zone/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#

  11) Test reverse resolution

[root@test ~]#dig -x 192.168.0.99 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.99 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61308
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:39 CST 2019
;; MSG SIZE  rcvd: 116

[root@test ~]#dig -x 192.168.0.100 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.100 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23462
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;100.0.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
100.0.168.192.in-addr.arpa. 86400 IN    PTR     www.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:50 CST 2019
;; MSG SIZE  rcvd: 116

[root@test ~]#dig -x 192.168.0.101 @192.168.0.99

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> -x 192.168.0.101 @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17401
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;101.0.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
101.0.168.192.in-addr.arpa. 86400 IN    PTR     blog.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: 日 12月 29 23:58:58 CST 2019
;; MSG SIZE  rcvd: 117

[root@test ~]#

  Note: the hostnames for the three hosts 192.168.0.99, .100 and .101 are all resolved. Do not confuse this with the data in the forward zone earlier: reverse resolution can map different IPs to the same name, and it has no inherent link to forward resolution. They are effectively two separate zones that do not interfere with each other.

  That completes the primary DNS server; next we set up the secondary DNS server.

  1) Building on the setup above, add allow-transfer { 192.168.0.151; }; to the primary server's configuration file, and add an NS record and an A record for the secondary server to its zone database files.

[root@test ~]#grep "transfer" /etc/named.conf
        allow-transfer  { 192.168.0.151; };
[root@test ~]#cat /var/named/test.com.zone 
$TTL 1D
@ IN SOA dns1 admin ( 0 1D 1H 1W 3H );
     NS  dns1
     NS  dns2
dns1 A   192.168.0.99
dns2 A   192.168.0.151
www  A   1.1.1.1
blog A   2.2.2.2
[root@test ~]#cat /var/named/192.168.0.zone
$TTL 1D
@ IN SOA dns1 admin (0 3H 10M 1D 1H );
     NS  dns1
     NS  dns2
dns1 A   192.168.0.99
dns2 A   192.168.0.151
99   PTR dns1.test.com.
100  PTR www.test.com.
101  PTR blog.test.com.
[root@test ~]#

  2) Install the bind package on the secondary server, set allow-transfer { none; }; in its configuration file, and comment out listen-on port 53 { 127.0.0.1; }; and allow-query     { localhost; };

[root@test-node1 ~]#yum install -y bind
[root@test-node1 ~]#cat /etc/named.conf
…… (part of the output omitted)
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
//      allow-query     { localhost; };
        allow-transfer { none; };
        recursion yes;
…… (part of the output omitted)

  3) Configure the zone data file entries in /etc/named.rfc1912.zones

[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "test.com" {
>     type slave;
>     masters {192.168.0.99;};
>     file "slaves/test.com.zone";
> };
> EOF
[root@test-node1 ~]#cat >> /etc/named.rfc1912.zones << EOF
> zone "0.168.192.in-addr.arpa" {
>     type slave;
>     masters { 192.168.0.99; }; 
>     file "slaves/192.168.0.zone";
> };
> EOF
[root@test-node1 ~]#
[root@test-node1 ~]#tail /etc/named.rfc1912.zones
zone "test.com" {
    type slave;
    masters {192.168.0.99;};
    file "slaves/test.com.zone";
};
zone "0.168.192.in-addr.arpa" {
    type slave;
    masters { 192.168.0.99; };
    file "slaves/192.168.0.zone";
};
[root@test-node1 ~]#

  Note: on the secondary server you must give the zone name, set the type to slave and specify the masters; the file that follows is where the synced copy is stored, and the named account needs write permission on that location, otherwise the sync cannot complete.

  4) Check the configuration file on the secondary server and start the service

[root@test-node1 ~]#ll /var/named/slaves/
total 0
[root@test-node1 ~]#named-checkconf 
[root@test-node1 ~]#/etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
[root@test-node1 ~]#ll /var/named/slaves/
total 8
-rw-r--r-- 1 named named 449 Dec 30 00:35 192.168.0.zone
-rw-r--r-- 1 named named 336 Dec 30 00:35 test.com.zone
[root@test-node1 ~]#

  Note: after the service starts, the zone database files we need have been synced into /var/named/slaves/. Next we test: on another host, set DNS1 to the primary DNS server's address and DNS2 to the secondary's, then check whether the secondary still works when the primary is down.

  5) Test

[root@ansible_centos6 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.0.99
nameserver 192.168.0.151
[root@ansible_centos6 ~]# dig www.test.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22293
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 4 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:46:46 2019
;; MSG SIZE  rcvd: 81

[root@ansible_centos6 ~]# dig -x 192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48024
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 3 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 00:47:00 2019
;; MSG SIZE  rcvd: 105

[root@ansible_centos6 ~]# 

  Note: with the primary DNS server alive, resolution works normally.

  With the primary DNS server down

[root@ansible_centos6 ~]# dig www.test.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21730
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       1.1.1.1

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:43 2019
;; MSG SIZE  rcvd: 81

[root@ansible_centos6 ~]# dig -x 192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6 <<>> -x 192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63933
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;99.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
99.0.168.192.in-addr.arpa. 86400 IN     PTR     dns1.test.com.

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 86400   IN      NS      dns1.0.168.192.in-addr.arpa.

;; ADDITIONAL SECTION:
dns1.0.168.192.in-addr.arpa. 86400 IN   A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.151#53(192.168.0.151)
;; WHEN: Mon Dec 30 00:50:55 2019
;; MSG SIZE  rcvd: 105

[root@ansible_centos6 ~]#

  Note: with the primary DNS server down, the secondary still serves queries, and the results are identical to those from the primary.

2. Set up and implement smart (view-based) DNS.

    1) In the lab environment above, change the configuration file

[root@test ~]#cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
acl cdnet {
        192.168.0.0/24;
};
acl bjnet {
        172.16.1.0/24;
};
acl shnet {
        any;
};
options {
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        allow-transfer  { 192.168.0.151; };
        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


include "/etc/named.root.key";
view  view_cd {
        match-clients {cdnet;};
        include "/etc/named.zone.cd";
        include "/etc/named.rfc1912.zones";
};
view view_bj {
        match-clients { bjnet; };
        include "/etc/named.zone.bj";
        include "/etc/named.rfc1912.zones";
};
view view_sh {
        match-clients { shnet; };
        include "/etc/named.zone.sh";
        include "/etc/named.rfc1912.zones";
};
[root@test ~]#

  Note: this is the main configuration file; the additions are 3 acl blocks and 3 view blocks. One thing to watch: once views are configured, every zone definition must be inside a view, so we also need to move the root zone definition into /etc/named.rfc1912.zones and then import that zone configuration file into each view with include. Following the same idea, we can keep the zone definitions for the different regions in separate files for easier management and likewise include each into its own view, so that clients from different networks are served different zone files. Finally we still need to create a zone database file for each view.
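As an added example (not from the original post and not BIND code), the following Python models how named picks a view: the match-clients lists are tested in the order the views appear in named.conf, the first match wins, and any, none and "!"-negated entries follow BIND's address-match-list rules. The ACLs and per-view answers are constructed from the configuration above; unreachable_views is a conservative lint I added to catch a catch-all view such as shnet being placed before the others, which would shadow them.

```python
import ipaddress

# ACLs as declared in named.conf above, plus BIND's built-in any/none.
# All data in this example is constructed.
BUILTIN_ACLS = {"any": ["0.0.0.0/0", "::/0"], "none": ["!any"]}
ACLS = {**BUILTIN_ACLS,
        "cdnet": ["192.168.0.0/24"],
        "bjnet": ["172.16.1.0/24"],
        "shnet": ["any"]}

# Views in named.conf order: (name, match-clients list, answers taken from
# that view's own copy of test.com.zone).
VIEWS = [
    ("view_cd", ["cdnet"], {"www.test.com.": "3.3.3.3", "blog.test.com.": "4.4.4.4"}),
    ("view_bj", ["bjnet"], {"www.test.com.": "5.5.5.5", "blog.test.com.": "6.6.6.6"}),
    ("view_sh", ["shnet"], {"www.test.com.": "7.7.7.7", "blog.test.com.": "8.8.8.8"}),
]

def match_list(elements, client, acls=ACLS):
    """BIND address-match-list semantics: the first element that matches the
    client decides the result, and a '!' prefix on that element turns the
    decision into 'no match'. Elements are CIDR prefixes or ACL names."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        elem = elem.lstrip("!").strip()
        if elem in acls:
            hit = match_list(acls[elem], client, acls)
        else:
            hit = ip in ipaddress.ip_network(elem, strict=False)
        if hit:
            return not negate
    return False

def select_view(client, views=VIEWS, acls=ACLS):
    """Views are tried top to bottom; the first whose match-clients matches
    serves the client, so the order in named.conf matters."""
    for name, clients, _answers in views:
        if match_list(clients, client, acls):
            return name
    return None

def resolve(client, qname, views=VIEWS, acls=ACLS):
    """Answer qname from the zone copy that belongs to the client's view."""
    for name, clients, answers in views:
        if match_list(clients, client, acls):
            return name, answers.get(qname)
    return None, None

def is_catch_all(elements, acls=ACLS):
    """Conservative check: does this list match every client? True when a
    non-negated 'any' (directly or via an ACL) appears before any negation."""
    for elem in elements:
        if elem.startswith("!"):
            return False
        if elem == "any" or (elem in acls and is_catch_all(acls[elem], acls)):
            return True
    return False

def unreachable_views(views=VIEWS, acls=ACLS):
    """Views listed after a catch-all view can never be selected. With the
    order above nothing is shadowed; putting view_sh first would hide the rest."""
    shadowed, seen_catch_all = [], False
    for name, clients, _answers in views:
        if seen_catch_all:
            shadowed.append(name)
        elif is_catch_all(clients, acls):
            seen_catch_all = True
    return shadowed

if __name__ == "__main__":
    for client in ("192.168.0.151", "172.16.1.10", "10.0.0.1"):
        print(client, "->", resolve(client, "www.test.com."))
    print("shadowed if view_sh comes first:",
          unreachable_views([VIEWS[2], VIEWS[0], VIEWS[1]]))
```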

  2) Move the root zone definition into /etc/named.rfc1912.zones

[root@test ~]#cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package 
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
// 
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};



zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};


zone "0.168.192.in-addr.arpa" {
        type master;
        file "192.168.0.zone";
};
[root@test ~]#

  3) Create each view's zone configuration file

[root@test ~]#cat >> /etc/named.zone.cd << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.cd";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.bj << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.bj";
> };
> EOF
[root@test ~]#cat >> /etc/named.zone.sh << EOF
> zone "test.com" IN {
>     type master;
>     file "test.com.zone.sh";
> };
> EOF
[root@test ~]#cat /etc/named.zone.cd 
zone "test.com" IN {
    type master;
    file "test.com.zone.cd";
};
[root@test ~]#cat /etc/named.zone.bj
zone "test.com" IN {
    type master;
    file "test.com.zone.bj";
};
[root@test ~]#cat /etc/named.zone.sh
zone "test.com" IN {
    type master;
    file "test.com.zone.sh";
};
[root@test ~]#

  4) Prepare each view's zone database file

[root@test ~]#cat /var/named/test.com.zone.cd 
$TTL 1D
@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )
     NS  dns1
dns1  A  192.168.0.99
www   A  3.3.3.3
blog  A  4.4.4.4
[root@test ~]#cat /var/named/test.com.zone.bj
$TTL 1D
@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )
     NS  dns1
dns1 A   192.168.0.99
www  A   5.5.5.5
blog A   6.6.6.6
[root@test ~]#cat /var/named/test.com.zone.sh
$TTL 1D
@  IN SOA dns1 admin ( 0 2D 1H 3D 1D )
      NS  dns1
dns1  A   192.168.0.99
www   A   7.7.7.7
blog  A   8.8.8.8
[root@test ~]#
[root@test ~]#ll /var/named/
total 36
-rw-r--r-- 1 root  root   188 Dec 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 Dec 29 23:23 data
drwxrwx--- 2 named named   60 Dec 30 01:01 dynamic
-rw-r----- 1 root  named 2253 Apr  5  2018 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Aug  8 20:16 slaves
-rw-r--r-- 1 root  root   154 Dec 30 00:10 test.com.zone
-rw-r--r-- 1 root  root   112 Dec 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root  root   112 Dec 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root  root   117 Dec 30 21:35 test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"
/var/named/test.com.zone
/var/named/test.com.zone.cd
/var/named/test.com.zone.bj
/var/named/test.com.zone.sh
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chown root.named 
[root@test ~]#ll /var/named/
total 36
-rw-r--r-- 1 root  root   188 Dec 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 Dec 29 23:23 data
drwxrwx--- 2 named named   60 Dec 30 01:01 dynamic
-rw-r----- 1 root  named 2253 Apr  5  2018 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Aug  8 20:16 slaves
-rw-r--r-- 1 root  named  154 Dec 30 00:10 test.com.zone
-rw-r--r-- 1 root  named  112 Dec 30 21:33 test.com.zone.bj
-rw-r--r-- 1 root  named  112 Dec 30 21:31 test.com.zone.cd
-rw-r--r-- 1 root  named  117 Dec 30 21:35 test.com.zone.sh
[root@test ~]#
[root@test ~]#find /var/named/ -name "test.com.zone*"|xargs chmod o-r
[root@test ~]#ll /var/named/
total 36
-rw-r--r-- 1 root  root   188 Dec 30 00:28 192.168.0.zone
drwxrwx--- 2 named named   23 Dec 29 23:23 data
drwxrwx--- 2 named named   60 Dec 30 01:01 dynamic
-rw-r----- 1 root  named 2253 Apr  5  2018 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named    6 Aug  8 20:16 slaves
-rw-r----- 1 root  named  154 Dec 30 00:10 test.com.zone
-rw-r----- 1 root  named  112 Dec 30 21:33 test.com.zone.bj
-rw-r----- 1 root  named  112 Dec 30 21:31 test.com.zone.cd
-rw-r----- 1 root  named  117 Dec 30 21:35 test.com.zone.sh
[root@test ~]#

  Note: with the configuration above, the intent is that users from each region are served from that region's zone file, so the same name resolves to a different IP address depending on where the query comes from. It is still advisable to change the group of the newly created zone files to named and remove world read access, as the chown and chmod above do (root:named, mode 0640). named will load the files without that change, but they would then be readable by every local user; only named needs to read them, and it should not be able to write them, so a compromised named cannot rewrite the zone data.

  5) Check the configuration files and reload the service

[root@test ~]#named-checkconf 
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.cd
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.bj
zone test.com/IN: loaded serial 0
OK
[root@test ~]#named-checkzone test.com /var/named/test.com.zone.sh
zone test.com/IN: loaded serial 0
OK
[root@test ~]#rndc reload
server reload successful
[root@test ~]#

  6) Test

Simulate a user in Chengdu querying the DNS server

[qiuhom@test-node1 ~]$ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:24:81:68:ce:45 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.151/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::224:81ff:fe68:ce45/64 scope link 
       valid_lft forever preferred_lft forever
[qiuhom@test-node1 ~]$
[qiuhom@test-node1 ~]$dig www.test.com @192.168.0.99

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> www.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51022
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       3.3.3.3

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 2 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:02 2019
;; MSG SIZE  rcvd: 81

[qiuhom@test-node1 ~]$dig blog.test.com @192.168.0.99   

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.3 <<>> blog.test.com @192.168.0.99
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4979
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       4.4.4.4

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 1 msec
;; SERVER: 192.168.0.99#53(192.168.0.99)
;; WHEN: Mon Dec 30 22:20:12 2019
;; MSG SIZE  rcvd: 82

[qiuhom@test-node1 ~]$

  Note: a host on 192.168.0.0/24 gets the contents of the zone file configured in the view that matches that network.

  Simulate a user in Beijing querying the DNS server

[root@test ~]#ip a l
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp2s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:30:18:51:af:3c brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.99/24 brd 192.168.0.255 scope global noprefixroute enp2s0
       valid_lft forever preferred_lft forever
    inet 172.16.1.2/16 brd 172.16.255.255 scope global noprefixroute enp2s0:0
       valid_lft forever preferred_lft forever
    inet6 fe80::230:18ff:fe51:af3c/64 scope link 
       valid_lft forever preferred_lft forever
3: enp3s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 00:30:18:51:af:3d brd ff:ff:ff:ff:ff:ff
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:d6:07:f1:b0 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 scope global docker0
       valid_lft forever preferred_lft forever
[root@test ~]#dig www.test.com @172.16.1.2

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33773
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       5.5.5.5

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: Mon Dec 30 22:24:07 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @172.16.1.2   

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @172.16.1.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8001
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       6.6.6.6

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 172.16.1.2#53(172.16.1.2)
;; WHEN: Mon Dec 30 22:24:18 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#

  Simulate a user in Shanghai querying the DNS server

[root@test ~]#dig www.test.com @127.0.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> www.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50994
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.test.com.                  IN      A

;; ANSWER SECTION:
www.test.com.           86400   IN      A       7.7.7.7

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 30 22:25:52 CST 2019
;; MSG SIZE  rcvd: 92

[root@test ~]#dig blog.test.com @127.0.0.1   

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-9.P2.el7 <<>> blog.test.com @127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10062
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;blog.test.com.                 IN      A

;; ANSWER SECTION:
blog.test.com.          86400   IN      A       8.8.8.8

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      dns1.test.com.

;; ADDITIONAL SECTION:
dns1.test.com.          86400   IN      A       192.168.0.99

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Dec 30 22:25:58 CST 2019
;; MSG SIZE  rcvd: 93

[root@test ~]#

  Note: when the query is sent to 127.0.0.1 from the server itself, it reaches named from the loopback address; that address is caught by the shnet acl, so the answer comes from the zone file configured in view_sh. Keep in mind that views are evaluated in the order they appear in named.conf: the first view whose match-clients contains the source address is used and the remaining views are not considered. 127.0.0.1 belongs to neither 192.168.0.0/24 nor 172.16.1.0/24, so it falls through to the last view, whose acl matches any.

  This completes the smart DNS setup. Its whole purpose is to tell queries apart by their source and serve each source from a different zone file, so that users are directed to the server closest to them. The best-known use on the Internet is the CDN (content delivery network), whose traffic steering is built on this kind of source-aware DNS: users in different regions are sent to different regional servers, which speeds up access for the user and takes load and bandwidth off the origin site. One caveat for real deployments: an authoritative server does not see the end user's address but the address of the recursive resolver that forwards the query, so production ACLs are written for resolver address ranges (or the server evaluates the EDNS Client Subnet option) rather than for the users' own networks as in this lab.
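The view selection exercised by the three tests above, as an added example that is not part of the original post or of BIND: it parses the three zone files from step 4 (embedded here as constructed strings), applies first-match view selection the way named does over match-clients, and answers the way the matching view would. The ACL networks 192.168.0.0/24 and 172.16.1.0/24, the any catch-all, and the view names view_cd, view_bj and view_sh are assumptions reconstructed from the notes above; the real named.conf is not shown in this section.

```python
"""Added example (not code from the original post or from BIND): simulate how
named selects a view by first match over the match-clients ACLs and then answers
from that view's zone file.  Zone data = the post's three files as constructed
strings; ACL networks and view names are assumptions taken from the post's notes."""
import ipaddress
import re

ORIGIN = "test.com."

# Constructed copies of the post's /var/named/test.com.zone.{cd,bj,sh}.
ZONE_FILES = {
    "test.com.zone.cd": ("$TTL 1D\n@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )\n     NS  dns1\n"
                         "dns1  A  192.168.0.99\nwww   A  3.3.3.3\nblog  A  4.4.4.4\n"),
    "test.com.zone.bj": ("$TTL 1D\n@ IN SOA dns1 admin ( 0 2D 1H 3D 1D )\n     NS  dns1\n"
                         "dns1 A   192.168.0.99\nwww  A   5.5.5.5\nblog A   6.6.6.6\n"),
    "test.com.zone.sh": ("$TTL 1D\n@  IN SOA dns1 admin ( 0 2D 1H 3D 1D )\n      NS  dns1\n"
                         "dns1  A   192.168.0.99\nwww   A   7.7.7.7\nblog  A   8.8.8.8\n"),
}

# Views in named.conf order (assumed).  named walks this list top to bottom and
# uses the first view whose match-clients ACL contains the query's source address.
VIEWS = [
    ("view_cd", ["192.168.0.0/24"], "test.com.zone.cd"),
    ("view_bj", ["172.16.1.0/24"], "test.com.zone.bj"),
    ("view_sh", ["any"], "test.com.zone.sh"),
]

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(text):
    """'86400' -> 86400, '1D' -> 86400, '1h30m' -> 5400 (BIND TTL suffixes)."""
    if text.isdigit():
        return int(text)
    return sum(int(n) * _UNITS[u.lower()]
               for n, u in re.findall(r"(\d+)([smhdwSMHDW])", text))


def fqdn(name):
    """Append the origin to relative names, as named does for 'dns1' or 'admin'."""
    if name == "@":
        return ORIGIN
    return name if name.endswith(".") else f"{name}.{ORIGIN}"


def parse_zone(text):
    """Minimal master-file parser ($TTL, inherited owner, optional TTL/class,
    SOA parentheses stripped).  Returns (owner, ttl, type, rdata-list) tuples."""
    records, default_ttl, owner = [], None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if not line[0].isspace():                   # explicit owner on this line
            owner = fqdn(fields.pop(0))
        ttl = default_ttl
        if fields[0].isdigit():                     # per-record TTL overrides $TTL
            ttl = int(fields.pop(0))
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rdata = [f for f in fields if f not in ("(", ")")]
        if rtype in ("NS", "CNAME"):
            rdata[0] = fqdn(rdata[0])
        elif rtype == "SOA":
            rdata[0], rdata[1] = fqdn(rdata[0]), fqdn(rdata[1])
        records.append((owner, ttl, rtype, rdata))
    return records


def select_view(source_ip):
    """First match wins; 'any' catches whatever the earlier views did not."""
    addr = ipaddress.ip_address(source_ip)
    for name, acl, zone_file in VIEWS:
        if any(e == "any" or addr in ipaddress.ip_network(e) for e in acl):
            return name, zone_file
    raise LookupError("no view matched; named would answer REFUSED")


def resolve(qname, qtype, source_ip):
    """Answer qname/qtype from the matching view.  Returns
    (view name, answer rdata list, NS names of the zone apex)."""
    view, zone_file = select_view(source_ip)
    zone = parse_zone(ZONE_FILES[zone_file])
    q = qname if qname.endswith(".") else qname + "."
    answers = [rd[0] for owner, _, rt, rd in zone if owner == q and rt == qtype.upper()]
    authority = [rd[0] for owner, _, rt, rd in zone if owner == ORIGIN and rt == "NS"]
    return view, answers, authority


def soa_serials():
    """SOA serial per zone file; a secondary for a view only transfers the zone
    again when this number grows, and all three are still 0 in the post."""
    return {f: next(r[3][2] for r in parse_zone(t) if r[2] == "SOA")
            for f, t in ZONE_FILES.items()}


if __name__ == "__main__":
    for src in ("192.168.0.151", "172.16.1.2", "127.0.0.1"):
        print(src, "->", resolve("www.test.com", "A", src))
    print("serials:", soa_serials())
```

Running it reproduces the three answers dig returned above (3.3.3.3, 5.5.5.5 and 7.7.7.7 for the three source addresses) and shows that every zone file still carries serial 0: bump the serial whenever a zone file changes, because a secondary server for that view only transfers the zone when the serial increases. The catch-all view must stay last; moving `any` above the regional views would swallow every query.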

3. Compile and install MariaDB from source, start it, and log in

  1) Prepare the source tarball

[root@test ~]#rz
rz waiting to receive.
Starting zmodem transfer.  Press Ctrl+C to cancel.

  100%   70172 KB 23390 KB/s 00:00:03       0 Errors..

[root@test ~]#ls mariadb-10.2.19.tar.gz 
mariadb-10.2.19.tar.gz
[root@test ~]#

  2) Install the build dependencies

[root@test ~]# yum install bison bison-devel zlib-devel libcurl-devel libarchive-devel boost-devel gcc gcc-c++ cmake ncurses-devel gnutls-devel libxml2-devel openssl-devel libevent-devel libaio-devel -y

  3) Create the system account and unpack the source

[root@test ~]# useradd -r -s /sbin/nologin -d /app/mysql/ mysql
[root@test ~]# getent passwd mysql
mysql:x:989:983::/app/mysql/:/sbin/nologin
[root@test ~]# tar xf mariadb-10.2.19.tar.gz 
[root@test ~]# cd mariadb-10.2.19/
[root@test mariadb-10.2.19]# 

  4) Run cmake with the build options

cmake . \
-DCMAKE_INSTALL_PREFIX=/app/mysql \
-DMYSQL_DATADIR=/data/mysql/ \
-DSYSCONFDIR=/etc/mysql \
-DMYSQL_USER=mysql \
-DWITH_INNOBASE_STORAGE_ENGINE=1 \
-DWITH_ARCHIVE_STORAGE_ENGINE=1 \
-DWITH_BLACKHOLE_STORAGE_ENGINE=1 \
-DWITH_PARTITION_STORAGE_ENGINE=1 \
-DWITHOUT_MROONGA_STORAGE_ENGINE=1 \
-DWITH_DEBUG=0 \
-DWITH_READLINE=1 \
-DWITH_SSL=system \
-DWITH_ZLIB=system \
-DWITH_LIBWRAP=0 \
-DENABLED_LOCAL_INFILE=1 \
-DMYSQL_UNIX_ADDR=/data/mysql/mysql.sock \
-DDEFAULT_CHARSET=utf8 \
-DDEFAULT_COLLATION=utf8_general_ci

  Note: if cmake fails, delete CMakeCache.txt, re-run cmake with the options above to regenerate the Makefile, and only then build. Also be aware that -DENABLED_LOCAL_INFILE=1 makes the client library allow LOAD DATA LOCAL INFILE by default, which lets a malicious or compromised server pull files from the connecting client; leave it at 0 unless it is actually needed.

  5) If cmake reported no errors, run make && make install

…… (part of the output omitted)
-- Looking for krb5_free_unparsed_name
-- Looking for krb5_free_unparsed_name - found
-- Looking for event.h
-- Looking for event.h - found
-- Configuring done
-- Generating done
-- Build files have been written to: /root/mariadb-10.2.19
[root@test mariadb-10.2.19]#  make -j 4 && make install 

  Note: make -j sets how many jobs run in parallel; -j 4 runs four compile jobs at the same time, i.e. a parallel build.

  6) Set up the PATH

[root@test ~]# echo 'PATH=/app/mysql/bin:$PATH' > /etc/profile.d/mysql.sh
[root@test ~]# cat /etc/profile.d/mysql.sh
PATH=/app/mysql/bin:$PATH
[root@test ~]# . /etc/profile.d/mysql.sh
[root@test ~]#

  7) Initialize the database files

[root@test ~]# cd /app/mysql/
[root@test mysql]# scripts/mysql_install_db --datadir=/data/mysql/ --user=mysql
Installing MariaDB/MySQL system tables in '/data/mysql/' ...
OK

To start mysqld at boot time you have to copy
support-files/mysql.server to the right place for your system


PLEASE REMEMBER TO SET A PASSWORD FOR THE MariaDB root USER !
To do so, start the server, then issue the following commands:

'./bin/mysqladmin' -u root password 'new-password'
'./bin/mysqladmin' -u root -h test password 'new-password'

Alternatively you can run:
'./bin/mysql_secure_installation'

which will also give you the option of removing the test
databases and anonymous user created by default.  This is
strongly recommended for production servers.

See the MariaDB Knowledgebase at http://mariadb.com/kb or the
MySQL manual for more instructions.

You can start the MariaDB daemon with:
cd '.' ; ./bin/mysqld_safe --datadir='/data/mysql/'

You can test the MariaDB daemon with mysql-test-run.pl
cd './mysql-test' ; perl mysql-test-run.pl

Please report any problems at http://mariadb.org/jira

The latest information about MariaDB is available at http://mariadb.org/.
You can find additional information about the MySQL part at:
http://dev.mysql.com
Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/

[root@test mysql]# 

  8) Prepare the configuration file

[root@test mysql]# cp /app/mysql/support-files/my-huge.cnf /etc/my.cnf
[root@test mysql]# 

  9) Prepare the init script

[root@test mysql]# cp /app/mysql/support-files/mysql.server /etc/init.d/mysqld
[root@test mysql]# 

  10) Start the service and log in to the database

[root@test mysql]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@test mysql]# chkconfig --add mysqld
[root@test mysql]# chkconfig --list

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

mysqld          0:off   1:off   2:on    3:on    4:on    5:on    6:off
netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@test mysql]# service mysqld start
Starting mysqld (via systemctl):                           [  OK  ]
[root@test mysql]# ss -ntl
State       Recv-Q Send-Q                    Local Address:Port                                   Peer Address:Port              
LISTEN      0      128                                   *:22                                                *:*                  
LISTEN      0      100                           127.0.0.1:25                                                *:*                  
LISTEN      0      128                                  :::22                                               :::*                  
LISTEN      0      100                                 ::1:25                                               :::*                  
LISTEN      0      80                                   :::3306                                             :::*                  
[root@test mysql]# mysql
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 10
Server version: 10.2.19-MariaDB-log Source distribution

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| test               |
+--------------------+
4 rows in set (0.00 sec)

MariaDB [(none)]> 

  This completes compiling and installing MariaDB. Two things visible in the output above still need attention before the server is reachable by anyone else: ss shows mysqld listening on :::3306, that is on every interface, and mysql logged in as root without a password, exactly as mysql_install_db warned. Set the root password (or run mysql_secure_installation, which also drops the anonymous users and the test database) and restrict bind-address in /etc/my.cnf first.
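The my-huge.cnf copied in step 8 is a performance template, not a hardened one. The following is an added example, not code from the post or from MariaDB: it audits the [mysqld] section of a my.cnf and writes out a hardened copy. The sample config is constructed (a shortened file in the style of my-huge.cnf), and the four required settings (bind-address, local_infile, symbolic-links, skip-name-resolve) are this example's own choices, not something the post prescribes.

```python
"""Added example (not code from the original post or from MariaDB): audit the
[mysqld] section of a my.cnf such as the one copied from support-files/my-huge.cnf
and produce a hardened copy.  SAMPLE_MY_CNF is a constructed, shortened config in
that style; the REQUIRED table is this example's own hardening baseline."""
import configparser
import io

# Constructed sample in the style of a freshly copied my-huge.cnf: no bind-address,
# so mysqld listens on every interface (the post's `ss -ntl` shows :::3306).
SAMPLE_MY_CNF = """\
[client]
port        = 3306
socket      = /tmp/mysql.sock

[mysqld]
port        = 3306
socket      = /tmp/mysql.sock
skip-external-locking
key_buffer_size = 384M
max_allowed_packet = 1M
symbolic-links = 1
"""

# option -> (required value, or None for a bare flag; reason).  Names use '-'
# here; mysqld treats '-' and '_' in option names as equivalent, so both match.
REQUIRED = {
    "bind-address": ("127.0.0.1",
                     "without it mysqld accepts TCP connections on all interfaces"),
    "local_infile": ("0",
                     "LOAD DATA LOCAL lets the server read files from any connecting client"),
    "symbolic-links": ("0",
                       "DATA/INDEX DIRECTORY symlinks let table files land outside datadir"),
    "skip-name-resolve": (None,
                          "host-based grants would otherwise trust reverse DNS"),
}


def load(text):
    """Parse my.cnf syntax: '=' only, bare flags allowed, '#' comments, and
    option names folded to lower case with '-' mapped to '_'."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None, delimiters=("=",),
                                   inline_comment_prefixes=("#",))
    cp.optionxform = lambda key: key.strip().lower().replace("-", "_")
    cp.read_string(text)
    return cp


def audit(text):
    """Return [(option, problem, reason)] for every REQUIRED setting that is
    missing from [mysqld] or set to a value other than the required one."""
    cp = load(text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []
    for option, (want, why) in REQUIRED.items():
        key = option.replace("-", "_")
        if key not in mysqld:
            findings.append((option, "missing", why))
        elif want is not None and (mysqld[key] or "").strip() != want:
            findings.append((option, f"is {mysqld[key]!r}, want {want!r}", why))
    return findings


def harden(text):
    """Return the config with every REQUIRED setting forced in [mysqld]; the
    other sections and options are kept (re-serialised by configparser)."""
    cp = load(text)
    if not cp.has_section("mysqld"):
        cp.add_section("mysqld")
    for option, (want, _) in REQUIRED.items():
        cp.set("mysqld", option, want)      # None is written as a bare flag line
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for option, problem, why in audit(SAMPLE_MY_CNF):
        print(f"{option}: {problem} -- {why}")
    print(harden(SAMPLE_MY_CNF))
```

configparser drops comments and rewrites every option as `key = value` with underscores; mysqld accepts that spelling, but review the output before replacing /etc/my.cnf and restart mysqld afterwards. bind-address=127.0.0.1 keeps the server reachable only through the socket and loopback, which is all this single-host lab needs; a server that must accept remote clients gets its real interface address there plus firewall rules instead. Setting local_infile=0 on the server side closes the LOAD DATA LOCAL path regardless of the -DENABLED_LOCAL_INFILE=1 client default chosen in the cmake step.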

Copyright notice: this article is an original work by qiuhom-1874, licensed under CC 4.0 BY-SA; when reposting, include a link to the original and this notice.
Original link: https://www.cnblogs.com/qiuhom-1874/p/12111497.html