
BIND installation and configuration

BIND: Berkeley Internet Name Domain

The tool is currently maintained by ISC; site: ISC.org
BIND is an implementation of the DNS protocol; its running process is called named

Packages:

  • bind: the DNS server program itself, plus a few commonly used test programs;
  • bind-libs: library files shared by the programs in the bind and bind-utils packages;
  • bind-utils: the BIND client utilities, e.g. dig, host, nslookup;
  • bind-chroot: optional; for security, runs named in jail mode (a sandbox);

BIND main configuration file

/etc/named.conf

Other files it includes:
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key

options {
        listen-on port 53 { 127.0.0.1; }; # set the IP address to listen on that can communicate with external hosts
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";  # directory where zone data files are stored
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };  # restrict query sources to the local host
        recursion yes;  # whether recursive queries are enabled
        dnssec-enable yes;  # recommended to turn off while learning
        dnssec-validation yes;  # recommended to turn off while learning
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {  # the root zone, containing the DNS top-level domains
        type hint;
        file "named.ca";
};
include "/etc/named.rfc1912.zones";  # include the contents of the zone management file here
include "/etc/named.root.key";

Format:

Configuration section format
Global options section: options { … }
Logging section: logging { … }
Zone section: zone { … }

zone: the zones this host is responsible for resolving, or forwards

Note: every configuration statement must end with a semicolon

Configuring a caching name server:

Listen on an address that can communicate with external hosts

listen-on port 53 { IP; };
listen-on port 53 { 172.16.100.67; };

Remove the restriction to local-only queries:
//allow-query { localhost; }; (single-line comment)

Check the configuration file for syntax errors:
named-checkconf [/etc/named.conf]
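The three steps above change what named exposes: once allow-query is opened and recursion stays on, the server may answer recursive queries for anyone. As an added example (not from the original post), this POSIX shell helper reads an options block and reports whether the effective recursion ACL admits any host, following BIND's documented fallback from allow-recursion to allow-query-cache to allow-query to the built-in localnets/localhost default. The sample options block and the function names are constructed for the example.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): reports whether an
# options block would make this caching server an open recursive resolver.
# Assumes only POSIX sh, sed, head and mktemp are available.

# Drop '#', '//' and '/* */' comments, so an allow-query that the post
# comments out is treated as absent.
strip_comments() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# Print the value of one statement, e.g. "{ localhost; }" for allow-query;
# prints nothing when the statement is absent.
stmt() {   # $1=file $2=statement name
    strip_comments "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*$/\1/p" | head -n 1
}

# Effective recursion ACL, following BIND's fallback chain: allow-recursion,
# else allow-query-cache, else allow-query, else "localnets; localhost".
recursion_acl() {
    for s in allow-recursion allow-query-cache allow-query; do
        v=$(stmt "$1" "$s")
        [ -n "$v" ] && { echo "$v"; return 0; }
    done
    echo '{ localnets; localhost; }'
}

# Prints OPEN-RESOLVER (exit 1) when recursion is on and the effective ACL
# admits any host; otherwise prints OK (exit 0).
check_open_resolver() {
    case "$(stmt "$1" recursion)" in yes) ;; *) echo OK; return 0 ;; esac
    case "$(recursion_acl "$1")" in
        *any*) echo OPEN-RESOLVER; return 1 ;;
        *)     echo OK; return 0 ;;
    esac
}

# Constructed sample: the post's options block with allow-query opened up.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
options {
        listen-on port 53 { 172.16.100.67; };
        allow-query     { any; };  # opened for external clients
        recursion yes;
};
EOF
check_open_resolver "$SAMPLE" || :   # prints OPEN-RESOLVER
```

Adding an explicit allow-recursion with the local networks makes the same file pass, which is the usual fix when a caching server must answer external clients for its own zones only.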

Zone database files: under the /var/named/ directory
Usually named ZONE_NAME.zone

Note:
(1) One DNS server can provide resolution for several zones at the same time;
(2) The root zone database file is required: named.ca;
Forward: named.localhost
Reverse: named.loopback

rndc: remote name domain controller, the tool for controlling the name server remotely
It works on port 953/tcp, but listens on 127.0.0.1 by default, so only local use is allowed;

Once the bind package is installed it can be used as a caching name server as is; if there are no zones it is specifically responsible for resolving, the service can be started directly;

  • CentOS 6: service named start
  • CentOS 7: systemctl start named.service

[root@promote ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2019-05-13 17:44:41 CST; 15s ago
  Process: 7837 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 7834 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 7839 (named)
   CGroup: /system.slice/named.service
           └─7839 /usr/sbin/named -u named -c /etc/named.conf

May 13 17:44:41 promote.cache-dns.local named[7839]: zone 0.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0...al 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost.localdomain/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: zone localhost/IN: loaded serial 0
May 13 17:44:41 promote.cache-dns.local named[7839]: all zones loaded
May 13 17:44:41 promote.cache-dns.local named[7839]: running
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local named[7839]: network unreachable resolving './NS/IN': 2001:500:2::c#53
May 13 17:44:41 promote.cache-dns.local systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.

Check which ports it listens on:

[root@promote ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      7839/named          
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6848/sshd           
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      7839/named          
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      7068/master         
tcp6       0      0 ::1:53                  :::*                    LISTEN      7839/named          
tcp6       0      0 :::22                   :::*                    LISTEN      6848/sshd           
tcp6       0      0 ::1:953                 :::*                    LISTEN      7839/named          
tcp6       0      0 ::1:25                  :::*                    LISTEN      7068/master         
udp        0      0 127.0.0.1:53            0.0.0.0:*                           7839/named          
udp        0      0 0.0.0.0:68              0.0.0.0:*                           6652/dhclient       
udp6       0      0 ::1:53                  :::*                                7839/named          

Test tools:

dig command:

Format: dig [-t RR_TYPE] name [@SERVER] [query options]
It is used to test the DNS system, so it does not consult the hosts file
If dig is not installed, install it with yum install bind-utils -y

Query options:

+[no]trace: trace the resolution process
+[no]recurse: perform recursive resolution

[root@promote ~]# dig -t A www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43204
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.         IN  A

;; ANSWER SECTION:
www.baidu.com.      8299    IN  CNAME   www.a.shifen.com.
www.a.shifen.com.   8299    IN  A   111.13.100.91
www.a.shifen.com.   8299    IN  A   111.13.100.92

;; Query time: 13 msec
;; SERVER: 221.131.143.69#53(221.131.143.69)
;; WHEN: Mon May 13 17:54:10 CST 2019
;; MSG SIZE  rcvd: 101

Note: reverse lookup test
dig -x IP

[root@promote ~]# dig -x 121.51.36.46

Simulate a full zone transfer (AXFR):
dig -t axfr DOMAIN [@server]

host command:

Format: host [-t RR_TYPE] name SERVER_IP

[root@promote ~]# host -t A www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 111.13.100.92
www.a.shifen.com has address 111.13.100.91
[root@promote ~]# host -t NS baidu.com
baidu.com name server ns4.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns3.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns2.baidu.com.
[root@promote ~]# host -t MX baidu.com
baidu.com mail is handled by 15 mx.n.shifen.com.
baidu.com mail is handled by 20 mx1.baidu.com.
baidu.com mail is handled by 20 jpmx.baidu.com.
baidu.com mail is handled by 20 mx50.baidu.com.
baidu.com mail is handled by 10 mx.maillb.baidu.com.

nslookup command:

Format: nslookup [-options] [name] [server]

Interactive mode:
nslookup>
server IP: use the given IP as the DNS server for queries
set q=RR_TYPE: the resource record type to query
name: the name to query

[root@promote ~]# nslookup
> server 192.168.0.105
Default server: 192.168.0.105
Address: 192.168.0.105#53
> set q=A
> www.sohu.com

rndc command:

Control command for the named service

[root@promote ~]# rndc status
version: 9.9.4-RedHat-9.9.4-73.el7_6 <id:8f9657aa>
CPUs found: 8
worker threads: 8
UDP listeners per interface: 8
number of zones: 101
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running

Flush the cache
rndc flush
