DNS Service

Chicken soup for the day: stop trying to lose weight; being fat is not the only reason you are ugly.

1. Introduction

  DNS (Domain Name System) is a distributed database on the World Wide Web that maps domain names to IP addresses and back. It lets users reach the Internet conveniently without having to remember the numeric IP addresses that machines read directly. It is similar to the 114 directory-enquiries service in daily life: you can find a phone number from a person's name, or a name from a phone number (the reason this is less exact in real life is that people share names, whereas a domain name is unique worldwide).

The DNS protocol runs on top of UDP and uses port 53 (the netstat output in section 4.2 shows named listening on TCP port 53 as well; zone transfers between master and slave use TCP).

Domain names

A domain name is the logical address of a website, such as www.baidu.com. It is far easier for people to remember than an IP address, which is why it is so widely used.

  Computing began in the 1960s, when only a few American universities used computers. For two computers to communicate, each needed the other's address (its IP address), but people are poor at remembering IP addresses (think of how many of your friends' phone numbers you can recall). To make names easier to remember, university scientists wrote computer names and their IP addresses into a hosts file on each computer and used that file for resolution.

  As computers and networks developed, local area networks appeared and the number of computers grew. To simplify communication, a WINS server was then used to register computer names and IP addresses: a single name server automatically managed the computers on the LAN and provided resolution, so people could connect to a computer on the LAN by its name. This scheme requires every computer name to be unique, and that requirement in turn limits how many computers a LAN can hold.

  The arrival of microcomputers and the growth of LANs drove the development of wide area networks. A hosts file only works for a tiny network, and WINS can only manage resolution within a LAN. On a WAN, a new resolution service was urgently needed, one that is convenient, fast and efficient in a WAN environment. To solve WAN resolution, DNS was developed in the United States, together with organizations to manage DNS and rules for naming domains.

  The domain-name management body, the Internet Corporation for Assigned Names and Numbers (ICANN), is a non-profit organization established to manage the domain name system, allocate IP addresses, assign protocol parameters and manage the root server system. It is currently operated by IANA and other entities under agreement with the US government.

  Domain names are divided into international and domestic (Chinese) domain names. For international domain names the rules are: a domain name may consist of the 26 English letters (a-z; upper and lower case are equivalent), the digits 0-9 and the hyphen "-", but the first character must be a letter or a digit. Length is also limited: an international generic top-level domain name may not exceed 26 characters, and a Chinese national top-level domain name may not exceed 20 characters.

2. How DNS resolution works

  Today the Internet uses a hierarchical, tree-structured naming scheme. Under it, every host or device connected to the Internet has a unique hierarchical name, its domain name. A domain is a manageable partition of the name space; it can be divided further into subdomains, such as second-level and third-level domains.

(figure: DNS resolution process)

Details of the 13 root DNS servers

Name  Operator                                Location              IP address
A     INTERNIC.NET                            USA, Virginia         198.41.0.4
B     Information Sciences Institute (USA)    USA, California       128.9.0.107
C     PSINet                                  USA, Virginia         192.33.4.12
D     University of Maryland                  USA, Maryland         128.8.10.90
E     NASA                                    USA, California       192.203.230.10
F     Internet Software Consortium            USA, California       192.5.5.241
G     US DoD Network Information Center       USA, Virginia         192.112.36.4
H     US Army Research Laboratory             USA, Maryland         128.63.2.53
I     Autonomica                              Sweden, Stockholm     192.36.148.17
J     VeriSign                                USA, Virginia         192.58.128.30
K     RIPE NCC                                UK, London            193.0.14.129
L     IANA                                    USA, Virginia         199.7.83.42
M     WIDE Project                            Japan, Tokyo          202.12.27.33

3. DNS queries

  Recursive query: queries between a client and a server are normally recursive. The client sends a request to its DNS server; if that server cannot resolve the name itself, it sends the query on to other DNS servers and hands the result back to the client once it has it. In other words, when the local name server a host asks does not know the IP address of the queried name, the local DNS takes on the role of a DNS client and, on behalf of the original client, sends requests starting at a root name server. "Recursive" means handed over to the server: the server does all the work.

  Iterative query: queries between DNS servers are normally iterative. For example, DNS1 asks DNS2; DNS2 does not know the answer, so it gives DNS1 the IP address of DNS3 and lets DNS1 ask DNS3, and so on. That is an iterative query.

  A real-life example to help understand recursion and iteration: you ask teacher Zhang a question and Zhang gives you the answer; between you and Zhang, that is a recursive query. Zhang may not know the answer either, so Zhang asks teacher Li, and then teacher Cui; those queries are iterative.
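
To make the difference concrete, here is a small simulation (an added example, not code from this article). The "servers" are constructed in-memory stand-ins for a root server, the .com TLD server and the authoritative server for caimengzhi.com, the domain used in the deployment sections below; the local resolver answers the client recursively by doing the iterative referral chase itself and caching the result. The server names, their data and the cache behaviour are assumptions made for the demonstration.

```python
"""Recursive vs. iterative resolution, simulated in memory (added example, not
from the page). No network traffic is sent: each 'server' below is a dict that
either knows an answer or refers the asker to the next server down the tree."""

# Constructed name-server data. 'root' and 'tld-com' are placeholder names; the
# authoritative server and its addresses follow the lab set-up used on the page.
SERVERS = {
    "root": {"referrals": {"com.": "tld-com"}},
    "tld-com": {"referrals": {"caimengzhi.com.": "ns1.caimengzhi.com."}},
    "ns1.caimengzhi.com.": {
        "answers": {
            "www.caimengzhi.com.": "192.168.186.200",
            "ns1.caimengzhi.com.": "192.168.186.10",
        }
    },
}


def _ask(server_name, qname):
    """One iterative step: the server returns ('answer', ip), ('referral', next_server)
    or ('nxdomain', None). Referrals are chosen by the longest matching zone suffix."""
    server = SERVERS[server_name]
    if qname in server.get("answers", {}):
        return "answer", server["answers"][qname]
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]) + "."
        if suffix in server.get("referrals", {}):
            return "referral", server["referrals"][suffix]
    return "nxdomain", None


def resolve_iteratively(qname, start="root"):
    """What the local DNS server does on the client's behalf: follow referrals
    from the root downwards. Returns (ip_or_None, list_of_servers_contacted)."""
    trail, current = [], start
    while current is not None:
        trail.append(current)
        kind, value = _ask(current, qname)
        if kind == "answer":
            return value, trail
        if kind == "referral":
            current = value
            continue
        return None, trail
    return None, trail


class LocalResolver:
    """The server the client queries recursively. It owns a cache and does the
    iterative legwork, so the client only ever sends one query and gets a final answer."""

    def __init__(self):
        self.cache = {}

    def recursive_query(self, qname):
        if qname in self.cache:
            return self.cache[qname], ["cache"]
        ip, trail = resolve_iteratively(qname)
        if ip is not None:
            self.cache[qname] = ip
        return ip, trail


if __name__ == "__main__":
    resolver = LocalResolver()
    print(resolver.recursive_query("www.caimengzhi.com."))   # walks root -> tld-com -> ns1
    print(resolver.recursive_query("www.caimengzhi.com."))   # second time: served from cache
```

The trail returned alongside the answer is the iterative part: three servers were contacted, but the client only saw one recursive exchange with its local resolver.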

DNS lookups

  • Forward lookup: resolve a domain name to an IP address
www.caimengzhi.com ---> 192.168.186.10
  • Reverse lookup: resolve an IP address to a domain name
192.168.186.10 ---> www.caimengzhi.com

4. Deploying a DNS server

  The machine used in this lab runs CentOS 7.5 x86_64, with hostname master and IP address 192.168.186.10/24. Disable the firewall and SELinux.

4.1 Installing DNS

  The DNS service is provided by the bind program, so to run DNS you need to install the bind package.

yum -y install bind bind-chroot bind-utils
The difference between bind-chroot and bind
bind-chroot is a feature of bind that lets bind run in chroot mode. That is, the / (root)
directory bind sees while running is not the system's real / (root) directory but merely a
subdirectory of it. The purpose is better security: in chroot mode, bind can only access that
subdirectory and cannot break out into other directories of the system. Starting in chroot mode
is the default way to start bind.

Note

bind         the main DNS program package
bind-chroot  the DNS security package; it changes the DNS root directory so DNS runs in "jail" mode
About chroot jail mode:
A jail is a software mechanism that prevents a program from accessing resources outside a defined area, again to strengthen
security (LCTT translator's note: a chroot "jail" changes the root directory a process can see, confining the process to a given
directory so that it can only operate on files in that directory and its subdirectories, which protects the rest of the server).
The default "jail" of a Bind Chroot DNS server is /var/named/chroot.

4.2 Starting DNS

  The DNS daemon is called named, and DNS runs as the named user; that user is created automatically when the package is installed.

On CentOS 7, once bind-chroot is installed, named.service must be stopped before named-chroot.service can be used; only one of the two may run.
Method one: start DNS without chroot mode
Enable start at boot
[root@master ~]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
Start the DNS service
[root@master ~]# systemctl start named
Verify that it started
[root@master named]# !net
netstat -lnp|grep 53
tcp        0      0 192.168.186.10:53       0.0.0.0:*               LISTEN      16037/named         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      16037/named         
tcp6       0      0 :::39053                :::*                    LISTEN      7901/java           
tcp6       0      0 ::1:953                 :::*                    LISTEN      16037/named         
udp        0      0 192.168.186.10:53       0.0.0.0:*                           16037/named         
unix  2      [ ACC ]     STREAM     LISTENING     35531    6781/master          private/scache


Method two: run DNS in chroot mode
Move the relevant files into the chroot root directory. Main configuration file:
[root@master ~]# cp /etc/named.conf /var/named/chroot/etc/
[root@master ~]# chgrp named /var/named/chroot/etc/named.conf
[root@master ~]# named-checkconf /var/named/chroot/etc/named.conf
Zone database files:
[root@master ~]# cp /var/named/named.localhost /var/named/chroot/var/named/ayitula.com.zone
[root@master ~]# chgrp named /var/named/chroot/var/named/ayitula.com.zone
[root@master ~]# cp -p /var/named/named.* /var/named/chroot/var/named/
Start the DNS service
Enable start at boot
[root@master ~]# systemctl enable named-chroot.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
Start the service
[root@master ~]# systemctl start named-chroot
Verify that it started
[root@master named]# !net
netstat -lnp|grep 53
tcp        0      0 192.168.186.10:53       0.0.0.0:*               LISTEN      16037/named         
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      16037/named         
tcp6       0      0 :::39053                :::*                    LISTEN      7901/java           
tcp6       0      0 ::1:953                 :::*                    LISTEN      16037/named         
udp        0      0 192.168.186.10:53       0.0.0.0:*                           16037/named         
unix  2      [ ACC ]     STREAM     LISTENING     35531    6781/master          private/scache

Method two is recommended.

4.3 DNS configuration files

  By default, without the bind-chroot package installed, the configuration files are located at:

  • Configuration file: /etc/named.conf
  • Zone database files: /var/named/

  Because we installed bind-chroot, which changes the default path of the DNS configuration files, the paths change as follows:

  • Configuration file: /var/named/chroot/etc/named.conf
  • Zone database files: /var/named/chroot/var/named/
Main configuration file explained
/*
 Sample named.conf BIND DNS server 'named' configuration file
 for the Red Hat BIND distribution.
 See the BIND Administrator's Reference Manual (ARM) for details about the
 configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
*/
options
{
    // Put files that named is allowed to write in the data/ directory:
    # directory holding the zone database files
    directory         "/var/named";        // "Working" directory
    # cache dump path: the file the server dumps its cache to on "rndc dumpdb"; default named_dump.db
    dump-file         "data/cache_dump.db";
    # statistics file: the file statistics are appended to on "rndc stats"; default named.stats
    statistics-file     "data/named_stats.txt";
    # memory statistics file: where memory statistics are written when the server exits; default named.memstats
    memstatistics-file     "data/named_mem_stats.txt";
    # file the current recursive queries are dumped to on "rndc recursing"; default named.recursing
    recursing-file        "data/named.recursing";
    # file the security roots are dumped to on "rndc secroots"; default named.secroots
    secroots-file        "data/named.secroots";
    /*
      Specify listenning interfaces. You can use list of addresses (';' is
      delimiter) or keywords "any"/"none"
    */
    # IPv4: listen on port 53 and accept queries from anyone
    //listen-on port 53    { any; };
    # IPv4: listen on port 53, local host only
    listen-on port 53    { 127.0.0.1; };
    # IPv6: listen on port 53 and accept queries from anyone
    //listen-on-v6 port 53    { any; };
    # IPv6: listen on port 53, local host only
    listen-on-v6 port 53    { ::1; };
    /*
      Access restrictions
      There are two important options:
        allow-query { argument; };
          - allow queries for authoritative data
        allow-query-cache { argument; };
          - allow queries for non-authoritative data (mostly cached data)
      You can use address, network address or keywords "any"/"localhost"/"none" as argument
      (inside the braces: an IP address, a network, or the keywords any = everyone,
       localhost = this host only, none = nobody)
      Examples:
        allow-query { localhost; 10.0.0.1; 192.168.1.0/8; };
        allow-query-cache { ::1; fe80::5c63:a8ff:fe2f:4526; 10.0.0.1; };
    */
    # which hosts may send ordinary DNS queries: the keywords any/localhost/none, or IPv4/IPv6 addresses
    allow-query        { localhost; };
    # which hosts may query the cache
    allow-query-cache    { localhost; };
    /* Enable/disable recursion - recursion yes/no;
       (the recursion switch)
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
     */
    # enable recursion
    recursion yes;
    # Domain Name System Security Extensions (DNSSEC)
    /* DNSSEC related options. See information about keys ("Trusted keys", below) */
    /* Enable serving of DNSSEC related data - enable on both authoritative
        and recursive servers DNSSEC aware servers */
    # serve DNSSEC data, on both authoritative and recursive servers
    dnssec-enable yes;
    /* Enable DNSSEC validation on recursive servers */
    # enable DNSSEC validation on recursive servers
    dnssec-validation yes;
    /* In RHEL-7 we use /run/named instead of default /var/run/named
       so we have to configure paths properly. */
    # PID file path
    pid-file "/run/named/named.pid";
    # session key file path
    session-keyfile "/run/named/session.key";
    # directory holding the managed DNSSEC key files being tracked; defaults to the working directory
    managed-keys-directory "/var/named/dynamic";
};
logging 
{
# DNS logging
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
/*
## two kinds of logs: warnings and queries
logging {
  channel warning {
    file "data/dns_warning" versions 10 size 10m;
    severity warning;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  channel general_dns {
    file "data/dns_log" versions 10 size 100m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
 # default log: level warning
 category default {
    warning;
  };
 # query log: channel general_dns, level info
  category queries {
    general_dns;
  };
};
*/
};
/*
 Configuring split-horizon ("smart") DNS with view statements
 Views let a name server answer a DNS query differently depending on who is asking.
 By default, if named.conf contains no "view" clauses, all zones are in the 
 "default" view, which matches all clients.
 Views are processed sequentially. The first match is used so the last view should
 match "any" - it's fallback and the most restricted view.
 If named.conf contains any "view" clause, then all zones MUST be in a view.
*/
# define a view named localhost_resolver
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
    # clients allowed to use this view: localhost (this host), any (every host), or a network
    match-clients         { localhost; };
    # allow recursion
    recursion yes;
    # all views must contain the root hints zone:
    # the root zone
    zone "." IN {
        # zone type hint; other types are master, slave, forward and so on
            type hint;
        # zone database file path
            file "/var/named/named.ca";
    };
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * not leak to the other nameservers:
     */
    # include a sub-configuration file
    include "/etc/named.rfc1912.zones";
};
# define the view "internal"
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
   that connect via your directly attached LAN interfaces - "localnets" .
 */
    match-clients        { localnets; };
    recursion yes;
    zone "." IN {
            type hint;
            file "/var/named/named.ca";
    };
        /* these are zones that contain definitions for all the localhost
         * names and addresses, as recommended in RFC1912 - these names should
     * not leak to the other nameservers:
     */
    include "/etc/named.rfc1912.zones";
    // These are your "authoritative" internal zones, and would probably
    // also be included in the "localhost_resolver" view above :
    /*
      NOTE for dynamic DNS zones and secondary zones:
      DO NOT USE SAME FILES IN MULTIPLE VIEWS!
      If you are using views and DDNS/secondary zones it is strongly
      recommended to read FAQ on ISC site (www.isc.org), section
      "Configuration and Setup Questions", questions
      "How do I share a dynamic zone between multiple views?" and
      "How can I make a server a slave for both an internal and an external
       view at the same time?"
    */
    zone "my.internal.zone" { 
        type master;
        file "my.internal.zone.db";
    };
    zone "my.slave.internal.zone" {
        type slave;
        file "slaves/my.slave.internal.zone.db";
        masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
        // put slave zones in the slaves/ directory so named can update them
    };    
    zone "my.ddns.internal.zone" {
        type master;
        allow-update { key ddns_key; };
        file "dynamic/my.ddns.internal.zone.db";
        // put dynamically updateable zones in the slaves/ directory so named can update them
    };            
};
# the DDNS key
# used to secure master/slave replication
key ddns_key
{
    # algorithm: hmac-md5
    algorithm hmac-md5;
    secret "use /usr/sbin/dnssec-keygen to generate TSIG keys";
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
 * that have addresses that are not match any above view:
 */
    match-clients        { any; };
    zone "." IN {
            type hint;
            file "/var/named/named.ca";
    };
    recursion no;
    // you'd probably want to deny recursion to external clients, so you don't
        // end up providing free DNS service to all takers
    // These are your "authoritative" external zones, and would probably
        // contain entries for just your web and mail servers:
    zone "my.external.zone" { 
        type master;
        file "my.external.zone.db";
    };
};
/* Trusted keys
  (defines the trusted DNSSEC keys)
  This statement contains DNSSEC keys. If you want DNSSEC aware resolver you
  have to configure at least one trusted key.
  Note that no key written below is valid. Especially root key because root zone
  is not signed yet.
*/
/*
trusted-keys {
// Root Key
"." 257 3 3 "BNY4wrWM1nCfJ+CXd0rVXyYmobt7sEEfK3clRbGaTwSJxrGkxJWoZu6I7PzJu/
             E9gx4UC1zGAHlXKdE4zYIpRhaBKnvcC2U9mZhkdUpd1Vso/HAdjNe8LmMlnzY3
             zy2Xy4klWOADTPzSv9eamj8V18PHGjBLaVtYvk/ln5ZApjYghf+6fElrmLkdaz
             MQ2OCnACR817DF4BBa7UR/beDHyp5iWTXWSi6XmoJLbG9Scqc7l70KDqlvXR3M
             /lUUVRbkeg1IPJSidmK3ZyCllh4XSKbje/45SKucHgnwU5jefMtq66gKodQj+M
             iA21AfUVe7u99WzTLzY3qlxDhxYQQ20FQ97S+LKUTpQcq27R7AT3/V5hRQxScI
             Nqwcz4jYqZD2fQdgxbcDTClU0CRBdiieyLMNzXG3";
// Key for forward zone
example.com. 257 3 5 "AwEAAaxPMcR2x0HbQV4WeZB6oEDX+r0QM65KbhTjrW1ZaARmPhEZZe
                      3Y9ifgEuq7vZ/zGZUdEGNWy+JZzus0lUptwgjGwhUS1558Hb4JKUbb
                      OTcM8pwXlj0EiX3oDFVmjHO444gLkBO UKUf/mC7HvfwYH/Be22GnC
                      lrinKJp1Og4ywzO9WglMk7jbfW33gUKvirTHr25GL7STQUzBb5Usxt
                      8lgnyTUHs1t3JwCY5hKZ6CqFxmAVZP20igTixin/1LcrgX/KMEGd/b
                      iuvF4qJCyduieHukuY3H4XMAcR+xia2 nIUPvm/oyWR8BW/hWdzOvn
                      SCThlHf3xiYleDbt/o1OTQ09A0=";
// Key for reverse zone.
2.0.192.IN-ADDRPA.NET. 257 3 5 "AQOnS4xn/IgOUpBPJ3bogzwcxOdNax071L18QqZnQQQA
                                VVr+iLhGTnNGp3HoWQLUIzKrJVZ3zggy3WwNT6kZo6c0
                                tszYqbtvchmgQC8CzKojM/W16i6MG/ea fGU3siaOdS0
                                yOI6BgPsw+YZdzlYMaIJGf4M4dyoKIhzdZyQ2bYQrjyQ
                                4LB0lC7aOnsMyYKHHYeRv PxjIQXmdqgOJGq+vsevG06
                                zW+1xgYJh9rCIfnm1GX/KMgxLPG2vXTD/RnLX+D3T3UL
                                7HJYHJhAZD5L59VvjSPsZJHeDCUyWYrvPZesZDIRvhDD
                                52SKvbheeTJUm6EhkzytNN2SN96QRk8j/iI8ib";
};
*/
Zone database files explained
Forward zone
[root@baism ~]# cat named.localhost 
;cache time (TTL)
$TTL 1D
;@ stands for the zone's own domain name
@    IN SOA        @ rname.invalid. (
;name being resolved   class  type   zone   primary name server   administrator's mailbox
                    0    ; serial  serial number; it must increase every time this file is updated
                    1D    ; refresh interval: how often a secondary server checks the primary so that its data stays current
                    1H    ; retry time: how long a secondary waits before trying again when its refresh attempt to the primary fails
                    1W    ; expire time: how long after updates from the primary keep failing that the secondary discards the zone's records
                    3H )    ; minimum: how long a caching server keeps the records after it can no longer reach the primary
    NS   @
    ;NS name server: this host is a name server for the zone
    A    127.0.0.1
;host   A record   IP
    AAAA    ::1
;   AAAA resolves to an IPv6 address
Reverse zone
[root@baism ~]# cat named.loopback 
$TTL 1D
@    IN SOA    @ rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    @
    PTR    localhost
;IP reverse pointer     domain name
;PTR reverse pointer, reverse resolution

Key parameters of a forward zone

$TTL 1D                                     ; time to live: 1 day
@ IN SOA caimengzhi.com. root.caimengzhi.com. (
        ; start of authority: the zone's address, then the administrator's mailbox (do not use the @ sign)
        0    ; serial   update serial number
        1D   ; refresh  refresh interval
        1H   ; retry    retry delay
        1W   ; expire   expiry time
        3H ) ; minimum  cache time for negative (non-existent) answers
     NS ns.caimengzhi.com.                  ; name server record
ns   IN A 192.168.10.10                     ; address record (ns.caimengzhi.com.)
@    IN MX 10 mail.caimengzhi.com.          ; mail exchanger record
mail IN A 192.168.10.10                     ; address record (mail.caimengzhi.com.)
www  IN A 192.168.10.10                     ; address record (www.caimengzhi.com.)
bbs  IN A 192.168.10.20                     ; address record (bbs.caimengzhi.com.)
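
The annotated zone above is easier to trust once you can parse it mechanically. The following is an added example (not code from this article or from BIND): a small parser for the master-file format covering what the page's zone files use, namely $TTL, the @ shorthand, relative names, ';' comments, the multi-line parenthesised SOA and the owner-inheritance rule for lines that start with whitespace; lookup() follows CNAMEs the way a resolver does. The zone text inside is constructed to match the annotated example, with a CNAME for news added and a made-up YYYYMMDDnn serial.

```python
"""Parser for the BIND zone-file (master-file) format explained above. Added
example, not code from the page or from BIND. The zone text is constructed."""
import re

SAMPLE_ZONE = """\
$TTL 1D
@    IN SOA caimengzhi.com. root.caimengzhi.com. (
         2019091701 ; serial (constructed YYYYMMDDnn value)
         1D         ; refresh
         1H         ; retry
         1W         ; expire
         3H )       ; minimum
     NS ns.caimengzhi.com.
@    IN MX 10 mail.caimengzhi.com.
ns   IN A 192.168.10.10
mail IN A 192.168.10.10
www  IN A 192.168.10.10
bbs  IN A 192.168.10.20
news IN CNAME www
"""

_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}
_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "PTR", "TXT"}


def parse_ttl(text):
    """BIND time syntax: '1D' -> 86400, '3H' -> 10800, '1h30m' -> 5400, '600' -> 600."""
    return sum(int(n) * _UNITS.get(u.upper(), 1)
               for n, u in re.findall(r"(\d+)([smhdwSMHDW]?)", text))


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' groups into one logical line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            # buf[0] keeps its leading whitespace: that is the owner-inheritance signal
            joined = buf[0] + " " + " ".join(l.strip() for l in buf[1:])
            buf = []
            yield joined.replace("(", " ").replace(")", " ")


def _qualify(name, origin):
    """Make a name absolute: '@' -> origin, 'www' -> 'www.<origin>', 'a.b.' unchanged."""
    if name == "@":
        return origin
    return name if name.endswith(".") else "%s.%s" % (name, origin)


def parse_zone(text, origin):
    """Return (default_ttl, records); each record has an absolute owner, ttl, type and rdata."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = None, origin, []
    for line in _logical_lines(text):
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = _qualify(fields[1], origin)
            continue
        owner = last_owner if line[0] in " \t" else _qualify(fields.pop(0), origin)
        last_owner, ttl = owner, default_ttl
        while fields[0] not in _TYPES:          # optional [ttl] [class], in either order
            tok = fields.pop(0)
            if tok.upper() != "IN":
                ttl = parse_ttl(tok)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [_qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [int(rdata[0]), _qualify(rdata[1], origin)]
        elif rtype == "SOA":      # mname, rname, serial, refresh, retry, expire, minimum
            rdata = ([_qualify(rdata[0], origin), _qualify(rdata[1], origin), int(rdata[2])]
                     + [parse_ttl(t) for t in rdata[3:]])
        records.append({"owner": owner, "ttl": ttl, "type": rtype, "rdata": rdata})
    return default_ttl, records


def lookup(records, name, rtype):
    """Answer for an absolute name, following CNAME chains like a resolver does."""
    for r in records:
        if r["owner"] == name and r["type"] == rtype:
            return r["rdata"]
    for r in records:
        if r["owner"] == name and r["type"] == "CNAME":
            return lookup(records, r["rdata"][0], rtype)
    return None


if __name__ == "__main__":
    ttl, recs = parse_zone(SAMPLE_ZONE, "caimengzhi.com")
    print(ttl, lookup(recs, "news.caimengzhi.com.", "A"))
```

A zone file whose MX line has no owner name inherits the previous owner (ns in the original listing), which is why the example writes @ explicitly on that line; run the parser on your own zone to see which owner each record really ends up with.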

5. Deploying a forward zone

5.1 Deployment

Requirements

Resolve the domain caimengzhi.com as follows:
www: an A record with IP address 192.168.186.10
news: a CNAME alias pointing to www
  • Main configuration file

  Append the following at the end of the main configuration file

zone "caimengzhi.com" IN {
        type master;
        file "caimengzhi.com.zone";

};

Main configuration file
[root@master named]# cat /var/named/chroot/etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 192.168.186.10; };
    //listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    //dump-file     "/var/named/data/cache_dump.db";
    //statistics-file "/var/named/data/named_stats.txt";
    //memstatistics-file "/var/named/data/named_mem_stats.txt";
    //recursing-file  "/var/named/data/named.recursing";
    //secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    //bindkeys-file "/etc/named.iscdlv.key";

    //managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

zone "." IN {
    type hint;
    file "named.ca";
};

//include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";

zone "caimengzhi.com" IN {
    type master;
    file "caimengzhi.com.zone";

};
  • Zone database file
Zone database file
[root@master named]# pwd
/var/named/chroot/var/named
[root@master named]# cat caimengzhi.com.zone
$TTL 1D
caimengzhi.com.    IN SOA    ns1.caimengzhi.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
;caimengzhi.com.  the domain to be resolved
;ns1.caimengzhi.com.  the DNS server that resolves ayitula.com.; here we are the DNS server and also resolve our own domain name
    NS    ns1.caimengzhi.com.
;A         domain name to IP
;PTR        IP to domain name
;MX        mail exchanger
;CNAME        alias
ns1    A    192.168.186.10
www    A    192.168.186.200
news    CNAME    www
  • Check
[root@master named]# chgrp named caimengzhi.com.zone

[root@master named]# named-checkconf /var/named/chroot/etc/named.conf 

[root@master named]# named-checkzone caimengzhi.com. /var/named/chroot/var/named/caimengzhi.com.zone 
zone caimengzhi.com/IN: loaded serial 0
OK

[root@master named]# systemctl restart named-chroot
[root@master named]# systemctl status named-chroot

5.2 Configuring the DNS client

  Here I use the local machine as the client, i.e. server and client on the same machine. Point the DNS setting at the server.

[root@master named]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 192.168.186.10
#nameserver 114.114.114.114
#nameserver 223.5.5.5

5.3 Forward resolution test

  Three test tools are available

  • host
  • nslookup
  • dig
[root@master named]# nslookup www.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   www.caimengzhi.com
Address: 192.168.186.200

[root@master named]# nslookup news.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

news.caimengzhi.com canonical name = www.caimengzhi.com.
Name:   www.caimengzhi.com
Address: 192.168.186.200

[root@master named]# 
[root@master named]# dig www.caimengzhi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.caimengzhi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63685
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.caimengzhi.com.        IN  A

;; ANSWER SECTION:
www.caimengzhi.com. 86400   IN  A   192.168.186.200

;; AUTHORITY SECTION:
caimengzhi.com.     86400   IN  NS  ns1.caimengzhi.com.

;; ADDITIONAL SECTION:
ns1.caimengzhi.com. 86400   IN  A   192.168.186.10

;; Query time: 0 msec
;; SERVER: 192.168.186.10#53(192.168.186.10)
;; WHEN: Tue Sep 17 15:55:15 CST 2019
;; MSG SIZE  rcvd: 97

[root@master named]# dig news.caimengzhi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> news.caimengzhi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.caimengzhi.com.       IN  A

;; ANSWER SECTION:
news.caimengzhi.com.    86400   IN  CNAME   www.caimengzhi.com.
www.caimengzhi.com. 86400   IN  A   192.168.186.200

;; AUTHORITY SECTION:
caimengzhi.com.     86400   IN  NS  ns1.caimengzhi.com.

;; ADDITIONAL SECTION:
ns1.caimengzhi.com. 86400   IN  A   192.168.186.10

;; Query time: 0 msec
;; SERVER: 192.168.186.10#53(192.168.186.10)
;; WHEN: Tue Sep 17 15:55:20 CST 2019
;; MSG SIZE  rcvd: 116
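
The HEADER and flags lines in the dig output above are the 12-byte DNS message header. The following is an added example (not code from this article): it builds a query the way a stub resolver does and decodes a hand-constructed response whose header mirrors the first dig answer above (id 63685, flags qr aa rd ra, status NOERROR, one A answer with TTL 86400). The response bytes, including the name-compression pointer, are constructed for the example and nothing is sent on the network; the tail of the test also decodes a header with rcode 3, which is the "status: NXDOMAIN, flags: qr rd ra" you will see in the reverse-lookup section.

```python
"""DNS message header, question and A-answer encoding/decoding (added example,
not code from the page). Bit positions follow RFC 1035 section 4.1.1."""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28}
# bit positions inside the 16-bit flags word: QR, AA, TC, RD, RA
FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7}


def encode_name(name):
    """'www.caimengzhi.com' -> b'\\x03www\\x0acaimengzhi\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", ident=0x1234, rd=True):
    """A stub resolver sets RD (recursion desired); a recursive server answers with RA set."""
    flags = (1 << FLAG_BITS["rd"]) if rd else 0
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)          # QDCOUNT = 1
    question = encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)  # class IN
    return header + question


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints in its HEADER/flags lines."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "opcode": (flags >> 11) & 0xF,
        "flags": [n for n, bit in FLAG_BITS.items() if flags & (1 << bit)],
        "status": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
    }


def decode_name(msg, offset):
    """Decode a possibly compressed name at offset; returns (name, offset_after_name)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumped = True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if jumped else offset)


def parse_answers(msg):
    """Return (header, [(name, type, ttl, rdata)]); A rdata is rendered dotted, others stay raw."""
    header, offset = parse_header(msg), 12
    for _ in range(header["counts"]["QUERY"]):
        _, offset = decode_name(msg, offset)
        offset += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(header["counts"]["ANSWER"]):
        name, offset = decode_name(msg, offset)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return header, answers


# Constructed response mirroring the page's first dig answer: id 63685, flags
# 0x8580 = QR|AA|RD|RA with rcode 0, one question and one A answer (TTL 86400).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 63685, 0x8580, 1, 1, 0, 0)
    + encode_name("www.caimengzhi.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c"                                  # answer name: pointer to offset 12
    + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([192, 168, 186, 200])
)

if __name__ == "__main__":
    print(parse_answers(SAMPLE_RESPONSE))
```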

6. Deploying a reverse zone

6.1 Deployment

Requirements

Reverse-resolve www.caimengzhi.com, whose IP address is 192.168.186.10
  • Main configuration file

  Append the following at the end of the main configuration file

zone "186.168.192.in-addr.arpa" IN {
// type master
    type master;
// zone database file name
    file "192.168.186.arpa";
};

Main configuration file
[root@master named]# cat  /var/named/chroot/etc/named.conf 
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 192.168.186.10; };
    //listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    //dump-file     "/var/named/data/cache_dump.db";
    //statistics-file "/var/named/data/named_stats.txt";
    //memstatistics-file "/var/named/data/named_mem_stats.txt";
    //recursing-file  "/var/named/data/named.recursing";
    //secroots-file   "/var/named/data/named.secroots";
    allow-query     { any; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    //bindkeys-file "/etc/named.iscdlv.key";

    //managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

zone "." IN {
    type hint;
    file "named.ca";
};

//include "/etc/named.rfc1912.zones";
//include "/etc/named.root.key";

// define a master zone
// note: every line must end with ;
zone "caimengzhi.com" IN {
// type master
    type master;
// zone database file name
    file "caimengzhi.com.zone";
};

// define a reverse zone
// the network octets are written in reverse order here
zone "186.168.192.in-addr.arpa" IN {
// type master
    type master;
// zone database file name
    file "192.168.186.arpa";
};
  • Zone database file
Zone database file
[root@master named]# pwd
/var/named/chroot/var/named
[root@master named]# ls
192.168.186.arpa  caimengzhi.com.zone  caimengzhi.com.zone.bak  named.ca  named.empty  named.localhost  named.loopback
[root@master named]# cat 192.168.186.arpa 
$TTL 1D
186.168.192.in-addr.arpa.    IN SOA    ns1.caimengzhi.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    ns1.caimengzhi.com.
10  PTR    www.caimengzhi.com.
  • Check
[root@master named]# chgrp named 192.168.186.arpa
[root@master named]# named-checkconf /var/named/chroot/etc/named.conf 
[root@master named]# named-checkzone 186.168.192.in-addr.arpa /var/named/chroot/var/named/192.168.186.arpa
zone 186.168.192.in-addr.arpa/IN: loaded serial 0
OK
[root@master named]# systemctl restart named-chroot
[root@master named]# systemctl status named-chroot

6.2 Reverse resolution test

  Three test tools are available

  • host
  • nslookup
  • dig
[root@master named]# nslookup 192.168.186.10
Server:     192.168.186.10
Address:    192.168.186.10#53

10.186.168.192.in-addr.arpa name = www.caimengzhi.com.

[root@master named]# ls
192.168.186.arpa     caimengzhi.com.zone.bak  named.empty      named.loopback
caimengzhi.com.zone  named.ca                 named.localhost
[root@master named]# nslookup 192.168.186.10
Server:     192.168.186.10
Address:    192.168.186.10#53

10.186.168.192.in-addr.arpa name = www.caimengzhi.com.

[root@master named]# host 192.168.186.10
10.186.168.192.in-addr.arpa domain name pointer www.caimengzhi.com.
[root@master named]# dig 192.168.186.10

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> 192.168.186.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56559
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;192.168.186.10.            IN  A

;; AUTHORITY SECTION:
.           10800   IN  SOA a.root-servers.net. nstld.verisign-grs.com. 2019091700 
1800 900 604800 86400
;; Query time: 224 msec
;; SERVER: 192.168.186.10#53(192.168.186.10)
;; WHEN: Tue Sep 17 16:17:12 CST 2019
;; MSG SIZE  rcvd: 118
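
The name that nslookup and host query above (10.186.168.192.in-addr.arpa) is the IP address written backwards under in-addr.arpa. Note that the last command, dig 192.168.186.10, did not perform a reverse lookup at all: without -x, dig treats its argument as a host name and asks for an A record for "192.168.186.10.", which is why that output shows status NXDOMAIN and no aa flag; dig -x 192.168.186.10 is the command that sends the PTR query. The following is an added example (not code from this article): it computes the zone and owner names and renders a reverse zone file in the shape of 192.168.186.arpa above. It goes beyond the page by also handling IPv6 prefixes (ip6.arpa). The host list is constructed, and slave1.caimengzhi.com. is an assumed name for the slave machine.

```python
"""in-addr.arpa / ip6.arpa naming and reverse zone generation (added example,
not from the page). Uses only the standard library's ipaddress module."""
import ipaddress


def reverse_zone_name(network):
    """Zone name for a whole network: '192.168.186.0/24' -> '186.168.192.in-addr.arpa.'.
    Only octet-aligned IPv4 prefixes (/8, /16, /24) and nibble-aligned IPv6 prefixes
    map onto a single reverse zone."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need a /8, /16 or /24 prefix")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_query_name(address):
    """The full name a reverse lookup queries: '192.168.186.10' -> '10.186.168.192.in-addr.arpa.'."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def ptr_owner(address, zone):
    """Owner name relative to the zone, as written in the zone file:
    '192.168.186.10' inside '186.168.192.in-addr.arpa.' -> '10'."""
    full = ptr_query_name(address)
    if not full.endswith("." + zone):
        raise ValueError("%s is not inside zone %s" % (address, zone))
    return full[: -len(zone) - 1]


def build_reverse_zone(network, hosts, ns, serial):
    """Render a reverse zone file for network. hosts maps IP -> FQDN (with trailing dot)."""
    zone = reverse_zone_name(network)
    lines = [
        "$TTL 1D",
        "%s IN SOA %s rname.invalid. ( %d 1D 1H 1W 3H )" % (zone, ns, serial),
        "    NS %s" % ns,
    ]
    for ip, name in sorted(hosts.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        lines.append("%s PTR %s" % (ptr_owner(ip, zone), name))
    return "\n".join(lines) + "\n"


# Constructed host list for the lab network used on the page (slave1 name assumed).
LAB_HOSTS = {
    "192.168.186.10": "www.caimengzhi.com.",
    "192.168.186.11": "slave1.caimengzhi.com.",
}

if __name__ == "__main__":
    print(build_reverse_zone("192.168.186.0/24", LAB_HOSTS, "ns1.caimengzhi.com.", 1))
```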

In practice, reverse zones are usually not deployed; only forward zones are.

Key parameters of a reverse zone

$TTL 1D                                            ; time to live: 1 day
186.168.192.in-addr.arpa. IN SOA ns1.caimengzhi.com. rname.invalid. (
        ; start of authority: the reverse zone is named by the network octets written backwards under in-addr.arpa,
        ; followed by the primary name server and the administrator's mailbox (do not use the @ sign)
        0    ; serial   update serial number
        1D   ; refresh  refresh interval
        1H   ; retry    retry delay
        1W   ; expire   expiry time
        3H ) ; minimum  cache time for negative (non-existent) answers
    NS  ns1.caimengzhi.com.                        ; name server record
10  PTR www.caimengzhi.com.                        ; pointer record: host part of 192.168.186.10 -> domain name

7. DNS master and slave

7.1 Environment

IP              hostname  role
192.168.186.10  master    DNS master
192.168.186.11  slave1    DNS slave

   bind-utils must be installed on the DNS slave machine

(figure: DNS query)

  DNS servers provide name resolution for servers all over the world and play a critical role in the network. If one DNS server goes down, some domain names can no longer be resolved and users cannot reach the corresponding servers. While learning, we have also seen that our DNS runs on a single server. What should we do about that single point of failure? We can deploy several DNS servers with identical resolution data, so that the failure of one server does not affect the service. How do we deploy them, and how do we keep resolution consistent across them? That is the question here, so let us study secondary (slave) DNS.

  A secondary DNS pulls the zone database files from the primary (master) DNS. When the zone file for a domain changes on the master, the secondary fetches the new zone file from the master so that its resolution stays identical. This happens automatically, without human intervention, which guarantees that the zone files on master and slave stay consistent.

  As in the diagram, deploy a secondary DNS (192.168.186.11) for the master DNS (192.168.186.10) so that their data is synchronized.

  Before starting, test the master DNS from the slave to confirm that it works properly.

[root@slave1 ~]# cat /etc/resolv.conf

nameserver 192.168.186.10
[root@slave1 ~]# nslookup www.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   www.caimengzhi.com
Address: 192.168.186.200

[root@slave1 ~]# nslookup news.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

news.caimengzhi.com canonical name = www.caimengzhi.com.
Name:   www.caimengzhi.com
Address: 192.168.186.200

Resolution works, so the master DNS service is fine.

7.2 Installing the packages

[root@slave1 ~]# yum -y install bind bind-chroot bind-utils

7.3 Setting up the main configuration file

  Copy the configuration file over from the master DNS. One thing in that file must be changed: the listen address is set to the slave's own IP.

[root@slave1 ~]# scp root@master:/var/named/chroot/etc/named.conf /var/named/chroot/etc/
named.conf                                                           100% 2208     1.4MB/s   00:00    
[root@slave1 ~]# ll /var/named/chroot/etc/named
total 0
[root@slave1 ~]# ll /var/named/chroot/etc/named.conf 
-rw-r----- 1 root root 2208 Sep 12 00:39 /var/named/chroot/etc/named.conf
[root@slave1 ~]# chgrp named /var/named/chroot/etc/named.conf 
[root@slave1 ~]# ll /var/named/chroot/etc/named.conf 
-rw-r----- 1 root named 2208 Sep 12 00:39 /var/named/chroot/etc/named.conf

[root@slave1 ~]# egrep -v '//|^$' /var/named/chroot/etc/named.conf 
options {
    listen-on port 53 { 192.168.186.11; };
    directory   "/var/named";
    allow-query     { any; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    masterfile-format text; 
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "caimengzhi.com" IN {
    type slave;
    file "caimengzhi.com.zone";
    masters {192.168.186.10; };
};
zone "186.168.192.in-addr.arpa" IN {
    type slave;
    file "192.168.186.arpa";
    masters {192.168.186.10; };
};

masterfile-format text;  the zone data pulled from the master is written as plain text.  listen-on port 53 { 192.168.186.11; };  change this to your own IP, i.e. the slave's IP.

Explanation
type slave;  this server's role is slave

Fetch all information for the zone 186.168.192.in-addr.arpa from the master DNS (IP 192.168.186.10) and write it to the local file 192.168.186.arpa:
file "192.168.186.arpa";
masters {192.168.186.10; }; 
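
The slave only re-fetches a zone when the master's SOA serial is newer than its own, which is why the zone file comments earlier insist that the serial must increase with every change. The following is an added example (not code from this article or from BIND) that simulates the refresh cycle with in-memory objects: an SOA check on every refresh tick, RFC 1982 serial comparison with wrap-around, and a transfer only when the serial advanced. The record values and serials are constructed for the demonstration.

```python
"""Slave refresh cycle simulated in memory (added example, not from the page or
BIND): SOA serial check, RFC 1982 comparison, transfer only when newer."""

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31


def serial_newer(a, b):
    """RFC 1982 serial arithmetic: True when serial a is newer than b, including wrap-around
    (for example 0 is newer than 4294967295)."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


class Master:
    """Constructed stand-in for the master's zone: an SOA serial plus name -> rdata."""

    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)

    def soa_serial(self):
        # What the slave's SOA query returns.
        return self.serial

    def axfr(self):
        # Full zone transfer: a copy of the whole zone at the current serial.
        return self.serial, dict(self.records)

    def edit(self, name, rdata, bump_serial=True):
        """Change a record. bump_serial=False reproduces the classic mistake of editing the
        zone file without raising the serial: slaves then never notice the change."""
        self.records[name] = rdata
        if bump_serial:
            self.serial += 1


class Slave:
    """Constructed stand-in for the secondary; refresh() is one tick of the SOA refresh timer."""

    def __init__(self, master):
        self.master = master
        self.serial = None
        self.records = {}
        self.transfers = 0

    def refresh(self):
        """Query the master's SOA; transfer only if its serial is newer. Returns True on transfer."""
        remote = self.master.soa_serial()
        if self.serial is not None and not serial_newer(remote, self.serial):
            return False
        self.serial, self.records = self.master.axfr()
        self.transfers += 1
        return True


if __name__ == "__main__":
    master = Master(2019091701, {"www.caimengzhi.com.": "192.168.186.200"})
    slave = Slave(master)
    print("first refresh transferred:", slave.refresh())
    master.edit("www.caimengzhi.com.", "192.168.186.201", bump_serial=False)
    print("edit without serial bump:", slave.refresh(), slave.records)
    master.edit("www.caimengzhi.com.", "192.168.186.201")
    print("after serial bump:", slave.refresh(), slave.records)
```

On a real slave the equivalent check is comparing the serial in "rndc zonestatus" (or the loaded serial logged at startup) with the master's; when the two differ and no transfer happens, the first thing to verify is that the master's serial actually went up.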

7.4 Starting the service

Before the restart
[root@slave1 etc]# ls /var/named/chroot/var/named/  # no data yet

[root@slave1 etc]# systemctl restart named-chroot
[root@slave1 etc]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-09-12 00:51:38 CST; 5s ago
  Process: 10300 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code
=exited, status=0/SUCCESS)  Process: 10297 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/n
amed-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 10303 (named)
   CGroup: /system.slice/named-chroot.service
           └─10303 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

[root@slave1 etc]# ls /var/named/chroot/var/named/  # after the restart the data has arrived
192.168.186.arpa     chroot  dynamic   named.empty      named.loopback
caimengzhi.com.zone  data    named.ca  named.localhost  slaves

7.5 Verification

[root@slave1 etc]# nslookup news.caimengzhi.com
Server:     192.168.186.11
Address:    192.168.186.11#53

news.caimengzhi.com canonical name = www.caimengzhi.com.
Name:   www.caimengzhi.com
Address: 192.168.186.200

[root@slave1 etc]# nslookup 
> server 192.168.186.11 
Default server: 192.168.186.11
Address: 192.168.186.11#53
> www.caimengzhi.com
Server:     192.168.186.11
Address:    192.168.186.11#53

Name:   www.caimengzhi.com
Address: 192.168.186.200
> news.caimengzhi.com
Server:     192.168.186.11
Address:    192.168.186.11#53

news.caimengzhi.com canonical name = www.caimengzhi.com.
Name:   www.caimengzhi.com
Address: 192.168.186.200
> 
[root@slave1 etc]# dig www.caimengzhi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> www.caimengzhi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16393
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.caimengzhi.com.        IN  A

;; ANSWER SECTION:
www.caimengzhi.com. 86400   IN  A   192.168.186.200

;; AUTHORITY SECTION:
caimengzhi.com.     86400   IN  NS  ns1.caimengzhi.com.

;; ADDITIONAL SECTION:
ns1.caimengzhi.com. 86400   IN  A   192.168.186.10

;; Query time: 0 msec
;; SERVER: 192.168.186.11#53(192.168.186.11)
;; WHEN: Thu Sep 12 00:58:10 CST 2019
;; MSG SIZE  rcvd: 97

[root@slave1 etc]# dig news.caimengzhi.com

; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7_6.2 <<>> news.caimengzhi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36096
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;news.caimengzhi.com.       IN  A

;; ANSWER SECTION:
news.caimengzhi.com.    86400   IN  CNAME   www.caimengzhi.com.
www.caimengzhi.com. 86400   IN  A   192.168.186.200

;; AUTHORITY SECTION:
caimengzhi.com.     86400   IN  NS  ns1.caimengzhi.com.

;; ADDITIONAL SECTION:
ns1.caimengzhi.com. 86400   IN  A   192.168.186.10

;; Query time: 1 msec
;; SERVER: 192.168.186.11#53(192.168.186.11)
;; WHEN: Thu Sep 12 00:58:14 CST 2019
;; MSG SIZE  rcvd: 116

7.6 Testing master-slave replication

  On the master, add the record sport A 192.168.186.100:

[root@master named]# pwd
/var/named/chroot/var/named

[root@master named]# cat caimengzhi.com.zone
$TTL 1D
caimengzhi.com.    IN SOA    ns1.caimengzhi.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
;caimengzhi.com.  the domain name to be resolved
;ns1.caimengzhi.com.  the DNS server that resolves ayitula.com.  Here we are the DNS server and also resolve our own domain name
    NS    ns1.caimengzhi.com.
;A         resolves a domain name to an IP address
;PTR       resolves an IP address to a domain name
;MX        mail exchanger
;CNAME     alias
ns1    A    192.168.186.10
www    A    192.168.186.200
news    CNAME    www
sport  A    192.168.186.100

[root@master named]# named-checkzone caimengzhi.com. caimengzhi.com.zone
zone caimengzhi.com/IN: loaded serial 0
OK

Reload the zone database file (similar to an nginx reload); if the reload does not take effect, restart the DNS service.
[root@master named]# rndc reload
server reload successful

[root@master named]# systemctl restart named-chroot
[root@master named]# nslookup sport.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   sport.caimengzhi.com
Address: 192.168.186.100
Test on the slave DNS (the lookup sometimes takes a while):
[root@slave1 etc]# nslookup sport.caimengzhi.com
Server:     192.168.186.11
Address:    192.168.186.11#53

Name:   sport.caimengzhi.com
Address: 192.168.186.100
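Note that named-checkzone reports "loaded serial 0" both before and after the sport record was added: the SOA serial in the zone file was never incremented. A slave decides whether to transfer the zone by comparing the master's SOA serial with the serial of its own copy, and if the number has not gone up it keeps serving the old data, so every edit to a master zone file should be followed by a serial bump before named-checkzone and rndc reload. The Python script below is an added example, not part of the original tutorial: it bumps the serial following the common YYYYMMDDnn convention, validates the candidate file with named-checkzone before it replaces the live one, and reloads only the affected zone. The deploy() function, its temporary-file naming and the assumption that named-checkzone and rndc are on PATH are mine; the MASTER_ZONE sample is the zone file from this section with the serial still at 0.

```python
import datetime
import os
import re
import subprocess

# Constructed sample: the master zone file from 7.6 after the sport record was
# added, with the serial still at 0 exactly as on the page.
MASTER_ZONE = """$TTL 1D
caimengzhi.com.    IN SOA    ns1.caimengzhi.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    ns1.caimengzhi.com.
ns1    A    192.168.186.10
www    A    192.168.186.200
news    CNAME    www
sport  A    192.168.186.100
"""

# The serial is the first number after the '(' of a parenthesised SOA record.
SOA_SERIAL = re.compile(r'(\bSOA\b[^(]*\(\s*)(\d+)', re.S)

def current_serial(zone_text):
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no parenthesised SOA record found")
    return int(m.group(2))

def next_serial(old, today=None):
    """Smallest serial that is greater than old and follows the YYYYMMDDnn
    convention for today (a 'YYYYMMDD' string; defaults to the current date).
    A zone that still uses a plain counter simply jumps to today's date."""
    today = today or datetime.date.today().strftime("%Y%m%d")
    base = int(today) * 100
    return base if old < base else old + 1

def bump_serial(zone_text, today=None):
    """Return (new zone text, new serial). Refuses a jump that RFC 1982 serial
    arithmetic would read as going backwards (2^31 or more), which would make
    slaves ignore the update."""
    old = current_serial(zone_text)
    new = next_serial(old, today)
    if new - old >= 2 ** 31 or new >= 2 ** 32:
        raise ValueError("serial %d -> %d is not a valid RFC 1982 increment" % (old, new))
    return SOA_SERIAL.sub(lambda m: m.group(1) + str(new), zone_text, count=1), new

def deploy(zone_name, path):
    """Bump the serial in the zone file at path, validate the candidate with
    named-checkzone, swap it in, then reload just that zone. Assumes
    named-checkzone and rndc are on PATH and rndc is configured; in the
    tutorial's chroot setup path is under /var/named/chroot/var/named."""
    with open(path) as f:
        new_text, new = bump_serial(f.read())
    tmp = path + ".new"
    with open(tmp, "w") as f:
        f.write(new_text)
    subprocess.run(["named-checkzone", zone_name, tmp], check=True)  # fails loudly on a bad file
    os.replace(tmp, path)
    subprocess.run(["rndc", "reload", zone_name], check=True)
    return new

if __name__ == "__main__":
    text, serial = bump_serial(MASTER_ZONE, "20190912")
    print("serial 0 ->", serial)
    print(text.splitlines()[2])
```

With views in place (section 8) a zone exists once per view, so the reload call becomes rndc reload caimengzhi.com IN sh and so on, one per view.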

8. Smart DNS

  When we browse the web, some sites open very fast and others very slowly. Why? Many companies use a CDN (content acceleration) service to improve the user experience, so that you fetch the data from a server in your own city. For now, think of a CDN simply as a local cache server. How, then, do you find your local cache server? Because the CDN company's DNS uses smart resolution: it determines which city you are in from your source IP and hands you the address of the cache server nearest to you, and you fetch the data from that server directly.

  How smart resolution works:

  The DNS server is loaded with a worldwide IP database that maps IP ranges to regions. When a user asks for a name, the DNS server uses the query's source IP to decide which region the user belongs to, then looks up that region's view and answers from the zone database file defined for the domain in that view. Users in different regions therefore receive different answers for the same name.

Deploy one smart-resolution DNS server that resolves the domain caimengzhi.com as follows:

  • users in Shanghai get the IP 1.1.1.1
  • users in Beijing get the IP 2.2.2.2
  • all other users get 3.3.3.3

8.1 Building the smart DNS

a. Set up the main configuration file
Define the IP library: the DNS server uses it to decide which region a source IP belongs to.
Define one view per region, so that resolution requests from that region's clients are answered by the zones inside that view.
[root@master named]# cat /var/named/chroot/etc/named.conf
options {
    listen-on port 53 { any; };
    directory     "/var/named";
};
// define the IP library
acl shanghai {
192.168.186.10;
};
acl beijing {
1.2.3.4;
};
// define the views: after matching the source IP, answer from a different zone database file
view sh {
  match-clients { shanghai; };
zone "." IN {
    type hint;
    file "named.ca";
};
zone "caimengzhi.com" IN {
    type master;
    file "caimengzhi.com.zone.sh";
};
};
view bj {
  match-clients { beijing; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "caimengzhi.com" IN {
        type master;
        file "caimengzhi.com.zone.bj";
};
};
view other {
  match-clients { any; };
zone "." IN {
        type hint;
        file "named.ca";
};
zone "caimengzhi.com" IN {
        type master;
        file "caimengzhi.com.zone.any";
};
};

b. Create the zone database file for each view, as referenced in the main configuration file
[root@master named]# pwd
/var/named/chroot/var/named
[root@master named]# cat caimengzhi.com.zone.sh 
$TTL 1D
@    IN SOA    ayitula.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    www.caimengzhi.com.
www    A    1.1.1.1
[root@master named]# cat caimengzhi.com.zone.bj
$TTL 1D
@    IN SOA    ayitula.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    www.caimengzhi.com.
www    A   2.2.2.2 

[root@master named]# cat caimengzhi.com.zone.any
$TTL 1D
@    IN SOA    ayitula.com. rname.invalid. (
                    0    ; serial
                    1D    ; refresh
                    1H    ; retry
                    1W    ; expire
                    3H )    ; minimum
    NS    www.caimengzhi.com.
www    A    3.3.3.3

8.2 Testing the smart DNS

  • Shanghai test
[root@master named]# systemctl restart named-chroot
[root@master named]# nslookup www.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   www.caimengzhi.com
Address: 1.1.1.1
  • Beijing test

To test beijing, change the acl scopes in the main configuration file:

// define the IP library
acl shanghai {
192.168.186.1;
};
acl beijing {
192.168.186.10;
};
Move this host's IP address into beijing, so that queries from it match the beijing view
[root@master named]# systemctl restart named-chroot
[root@master named]# nslookup www.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   www.caimengzhi.com
Address: 2.2.2.2

  • Test from elsewhere
// define the IP library
acl shanghai {
192.168.186.1;
};
acl beijing {
192.168.186.110;
};

Only when this host's IP is not listed in any of the defined acls does a query from it fall through to any, that is, the other view

[root@master named]# systemctl restart named-chroot
[root@master named]# nslookup www.caimengzhi.com
Server:     192.168.186.10
Address:    192.168.186.10#53

Name:   www.caimengzhi.com
Address: 3.3.3.3
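The view selection in 8.1 and all three tests in 8.2 hinge on one rule: named walks the views in the order they appear in named.conf and uses the first one whose match-clients accepts the query's source address. That is why the catch-all view other (match-clients { any; }) must be last; placed first, it would answer every client and the sh and bj views could never be reached. The Python script below is an added example, not part of the original tutorial, that models this evaluation with the acls and views from the configuration above; the www answers per view are taken from the three zone files, while MISORDERED and the lab acl set used for the beijing test are constructed for illustration. The nested-acl and negation handling is a simplification of BIND's address-match-list semantics.

```python
import ipaddress

# acl definitions from the named.conf in 8.1 (name -> address-match list)
ACLS = {
    "shanghai": ["192.168.186.10"],
    "beijing":  ["1.2.3.4"],
}

# Views in named.conf order: (view name, match-clients list, the A record that
# view's zone file returns for www.caimengzhi.com).
VIEWS = [
    ("sh",    ["shanghai"], "1.1.1.1"),
    ("bj",    ["beijing"],  "2.2.2.2"),
    ("other", ["any"],      "3.3.3.3"),
]

# Constructed mistake: the catch-all view listed first.
MISORDERED = [VIEWS[2], VIEWS[0], VIEWS[1]]

def match_list(entries, client, acls):
    """Evaluate an address-match list the way BIND does: the first element
    that matches decides, a '!' prefix turns that match into a rejection,
    and nothing matching means 'no'. Supports any, none, nested acl names
    and addresses or prefixes (nested negation is simplified)."""
    for entry in entries:
        negate = entry.startswith("!")
        name = entry.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = match_list(acls[name], client, acls)
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negate
    return False

def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return (view name, www answer) for the first view whose match-clients
    accepts the source address; (None, None) when no view matches, in which
    case named would refuse the query."""
    client = ipaddress.ip_address(client_ip)
    for name, clients, answer in views:
        if match_list(clients, client, acls):
            return name, answer
    return None, None

def unreachable_views(views):
    """Views that can never be selected because an earlier view's
    match-clients already accepts every client."""
    shadowed, seen_catch_all = [], False
    for name, clients, _ in views:
        if seen_catch_all:
            shadowed.append(name)
        if "any" in clients:
            seen_catch_all = True
    return shadowed

if __name__ == "__main__":
    for ip in ("192.168.186.10", "1.2.3.4", "10.0.0.5"):
        print(ip, "->", select_view(ip))
    # the 8.2 beijing test: move this host's address into the beijing acl
    lab = {"shanghai": ["192.168.186.1"], "beijing": ["192.168.186.10"]}
    print("after acl edit:", select_view("192.168.186.10", acls=lab))
    print("shadowed views:", unreachable_views(MISORDERED))
```

On the real server the same three cases can be exercised without editing the acls and restarting named each time: dig accepts a source address with -b, so dig -b 192.168.186.10 @192.168.186.10 www.caimengzhi.com queries as the Shanghai client while a second address configured on the host can play the Beijing client. Keep in mind that match-clients trusts the source IP of a UDP packet, so a view that hands out internal addresses should be protected by network filtering rather than relied on as an access control.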