
RHEL7 DNS service: unbound test


Test environment:

rhel1.rusky.com 192.168.100.1 RHEL7 (secondary DNS)
rhel2.rusky.com 192.168.100.2 RHEL7 (primary DNS)
rhel3.rusky.com 192.168.100.3 RHEL6

I. Setting up the primary DNS server

Before installing, stop the dnsmasq service that ships with the system: it also uses port 53 and is already running, so unbound would otherwise fail to start.

# netstat -antulp | grep 53
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1403/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1403/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           678/avahi-daemon: r
# ps -ef | grep dnsmasq
nobody    1403     1  0 16:12 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
root      1404  1403  0 16:12 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
root      2210  1642  0 16:32 pts/0    00:00:00 grep --color=auto dnsmasq
# kill -9 1403

Then run # systemctl disable dnsmasq so that it no longer starts at boot.

1. Install the unbound service

# yum install unbound -y

# netstat -antulp | grep unbound   -- check that port 53 is being listened on
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 10478/unbound 
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 10478/unbound 
tcp6 0 0 ::1:53 :::* LISTEN 10478/unbound 
tcp6 0 0 ::1:8953 :::* LISTEN 10478/unbound 
udp 0 0 0.0.0.0:28416 0.0.0.0:* 10478/unbound 
udp 0 0 127.0.0.1:53 0.0.0.0:* 10478/unbound 
udp6 0 0 ::1:53 :::* 10478/unbound

2. Edit the main configuration file

# vi /etc/unbound/unbound.conf 
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
username: ""

3. Restart the unbound service

# systemctl restart unbound
# netstat -antulp | grep unbound
tcp 0 0 0.0.0.0:53 0.0.0.0:* LISTEN 11234/unbound 
tcp 0 0 127.0.0.1:8953 0.0.0.0:* LISTEN 11234/unbound 
tcp6 0 0 ::1:8953 :::* LISTEN 11234/unbound 
udp 0 0 0.0.0.0:16314 0.0.0.0:* 11234/unbound 
udp 0 0 0.0.0.0:53 0.0.0.0:* 11234/unbound
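The three options changed above make unbound listen on every interface, accept queries from any source address, and, with username: "", keep running as root instead of dropping to the unbound user (the RHEL package default). On the isolated 192.168.100.0/24 lab this is workable; on a host reachable from outside it is an open resolver. The following Python audit is an added example, not code from this post or from the unbound project: it parses the server: options out of an unbound.conf text and reports those settings. Both config texts are constructed samples, the first mirroring the post's changes, the second a narrower form limited to the lab subnet.

```python
import re
from ipaddress import ip_network

# Constructed sample: the three lines changed in the post's unbound.conf,
# embedded here so the audit runs offline.
POST_CONFIG = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    username: ""
"""

# Constructed sample: a narrower form for the same lab (assumed values).
NARROW_CONFIG = """
server:
    interface: 192.168.100.2
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.100.0/24 allow
    username: "unbound"
"""

OPTION_RE = re.compile(r'^\s*([a-z-]+):\s*(.*?)\s*$')


def parse_server_options(text):
    """Collect the (repeatable) options of the server: clause as {name: [values]}.

    Other clauses such as forward-zone: are skipped; comments are stripped.
    """
    options = {}
    in_server = False
    for line in text.splitlines():
        line = line.split('#', 1)[0].rstrip()
        m = OPTION_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if value == '' and not line.startswith((' ', '\t')):
            # an unindented "name:" with no value opens a clause
            in_server = (name == 'server')
            continue
        if in_server:
            options.setdefault(name, []).append(value.strip('"'))
    return options


def audit_exposure(text):
    """Return findings (strings) for open-resolver style settings."""
    opts = parse_server_options(text)
    findings = []
    if any(v in ('0.0.0.0', '::0') for v in opts.get('interface', [])):
        findings.append('listens on all interfaces')
    for rule in opts.get('access-control', []):
        net, _, action = rule.partition(' ')
        # a /0 prefix with allow means any source address may query
        if action in ('allow', 'allow_snoop') and ip_network(net).prefixlen == 0:
            findings.append('access-control allows any source (%s)' % rule)
    if opts.get('username', ['unbound']) == ['']:
        findings.append('username "" keeps unbound running as root')
    return findings


if __name__ == '__main__':
    for label, cfg in (('post', POST_CONFIG), ('narrow', NARROW_CONFIG)):
        print(label, audit_exposure(cfg) or ['no findings'])
```

Running audit_exposure on the first text gives three findings and on the second none; unbound-checkconf is still the syntax check to run before restarting the service.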

4. Add a new configuration file

# vi /etc/unbound/local.d/rusky.com.conf
local-zone:"rusky.com." static
local-data:"rusky.com. 86400 IN SOA ns.rusky.com. root.rusk.com. 120000 86400 3600 10800 86400"
local-data:"rusky.com. IN NS ns.rusky.com."
local-data:"rusky.com. IN MX 10 mail.rusky.com."
local-data:"rusky.com. IN MX 20 smtp.rusky.com."
local-data:"rusky.com. IN A 192.168.100.2"
local-data:"ns.rusky.com. IN A 192.168.100.2"
local-data:"mail.rusky.com. IN A 192.168.100.2"
local-data:"smtp.rusky.com. IN A 192.168.100.2"
local-data:"ftp.rusky.com. IN A 192.168.100.2"
local-data:"www.rusky.com. IN A 192.168.100.2"
local-data:"rhel1.rusky.com. IN A 192.168.100.1"
local-data:"rhel2.rusky.com. IN A 192.168.100.2"
local-data:"rhel3.rusky.com. IN A 192.168.100.3"

# reverse lookup (PTR records)
local-data-ptr:"192.168.100.2 ns.rusky.com."
local-data-ptr:"192.168.100.2 mail.rusky.com."
local-data-ptr:"192.168.100.2 smtp.rusky.com."
local-data-ptr:"192.168.100.2 ftp.ns.rusky.com."
local-data-ptr:"192.168.100.2 www.ns.rusky.com."
local-data-ptr:"192.168.100.1 rhel1.rusky.com."
local-data-ptr:"192.168.100.2 rhel2.rusky.com."
local-data-ptr:"192.168.100.3 rhel3.rusky.com."

For forward resolution you can also do this:

local-data:"www.rusky.com. IN A 192.168.100.2"
local-data:"www.rusky.com. IN A 192.168.100.3"
local-data:"www.rusky.com. IN A 192.168.100.4"
local-data:"www.rusky.com. IN A 192.168.100.5"

One domain name pointing to several host IPs: each lookup then lands on a different host, which gives a simple form of load balancing.

========================================================
Notes:

local-zone:"rusky.com." static  //defines a zone
local-data:"rusky.com. 86400 IN SOA ns.rusky.com. root.rusk.com. 120000 86400 3600 10800 86400"   //control parameters for data synchronisation between the primary and secondary DNS servers
86400  //TTL, the time-to-live of the resource record.
IN   //the standard DNS Internet class.
SOA //Start Of Authority record. Every zone has one SOA record; it specifies which of the DNS servers responsible for the zone is the primary authoritative server, the mailbox of the person managing the zone, and the control parameters for data synchronisation between the primary and secondary authoritative DNS servers.
ns.rusky.com.   //defines the primary DNS server in the zone. ns.rusky.com is not a hostname; ns stands for all the domain names, such as mail.rusky.com, www.rusky.com, bbs.rusky.com and so on.
root.rusk.com.   //mailbox address; the @ sign is not needed
120000   //serial number. Increased every time the zone records are modified; it is what the secondary authoritative DNS server uses to decide whether to update its data.
Only used when the secondary DNS server synchronises with the primary. When the DNS data on the master changes, this value is incremented by 1; when the secondary DNS server sees that it has changed, it synchronises the data. The number is not fixed; in production, use at least six digits.
86400   //(1 day) refresh interval. Synchronise with the primary DNS server once a day.
The secondary authoritative DNS server periodically checks, at this interval, whether the serial number on the primary authoritative DNS server has changed, and updates its own zone records if so (in seconds).
3600  //(1 hour) retry delay. If the previous synchronisation failed, try again after 1 hour.
10800   //(3 hours) if synchronisation fails three times, stop synchronising.
86400   //DNS cache time. Because the earlier synchronisations all failed, the secondary DNS server expires after 86400 seconds.
MX 10
MX 20   //these two lines give priorities; the lower the value, the higher the priority.
(Mail Exchange record, which maps the mail domain belonging to this zone, i.e. the string after the @ in a mailbox address, to the domain name of the mail server.)
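The notes above explain the fields of the local-data lines one by one. The following Python helper is an added example, not code from this post or from unbound: it parses local-data and local-data-ptr lines into forward and reverse maps, extracts the SOA fields under the names used above (serial, refresh, retry, expire, minimum), and flags two things worth knowing before restarting the service: PTR targets that have no A record (the post's www.ns.rusky.com. and ftp.ns.rusky.com. entries are of this kind, which is why the ping replies later on carry those names), and addresses with several PTR records, of which a reverse lookup returns one. The zone text is a constructed subset of the post's file, with a second www address taken from its load-balancing variant.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the post's rusky.com.conf, embedded so the
# check runs offline. The "www.ns.rusky.com." PTR target is carried over as
# written in the post; the second www A record is its load-balancing variant.
ZONE_CONF = r'''
local-zone:"rusky.com." static
local-data:"rusky.com. 86400 IN SOA ns.rusky.com. root.rusk.com. 120000 86400 3600 10800 86400"
local-data:"rusky.com. IN NS ns.rusky.com."
local-data:"rusky.com. IN MX 10 mail.rusky.com."
local-data:"rusky.com. IN MX 20 smtp.rusky.com."
local-data:"rusky.com. IN A 192.168.100.2"
local-data:"ns.rusky.com. IN A 192.168.100.2"
local-data:"mail.rusky.com. IN A 192.168.100.2"
local-data:"www.rusky.com. IN A 192.168.100.2"
local-data:"www.rusky.com. IN A 192.168.100.3"
local-data:"rhel1.rusky.com. IN A 192.168.100.1"
local-data-ptr:"192.168.100.2 ns.rusky.com."
local-data-ptr:"192.168.100.2 www.ns.rusky.com."
local-data-ptr:"192.168.100.1 rhel1.rusky.com."
'''

LINE_RE = re.compile(r'^\s*(local-data|local-data-ptr):\s*"([^"]*)"')


def parse_local_data(text):
    """Return (forward, reverse, soa).

    forward: owner name -> list of A addresses
    reverse: address -> list of PTR names
    soa: dict of SOA fields, or None if the zone has no SOA line
    """
    forward = defaultdict(list)
    reverse = defaultdict(list)
    soa = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        fields = body.split()
        if kind == 'local-data-ptr':
            reverse[fields[0]].append(fields[1].lower())
            continue
        # local-data: "<owner> [ttl] IN <type> <rdata...>"; the TTL is optional
        owner = fields[0].lower()
        if fields[1].isdigit():
            ttl, rtype, rdata = int(fields[1]), fields[3], fields[4:]
        else:
            ttl, rtype, rdata = None, fields[2], fields[3:]
        if rtype == 'A':
            forward[owner].append(rdata[0])
        elif rtype == 'SOA':
            mname, rname, serial, refresh, retry, expire, minimum = rdata
            soa = {'ttl': ttl, 'mname': mname, 'rname': rname,
                   'serial': int(serial), 'refresh': int(refresh),
                   'retry': int(retry), 'expire': int(expire),
                   'minimum': int(minimum)}
    return forward, reverse, soa


def lint_zone(text):
    """Sorted list of findings about the zone's forward/reverse consistency."""
    forward, reverse, soa = parse_local_data(text)
    findings = []
    for ip, names in reverse.items():
        for name in names:
            if name not in forward:
                findings.append('PTR %s -> %s has no A record' % (ip, name))
        if len(names) > 1:
            findings.append('%s has %d PTR records; reverse lookups pick one' % (ip, len(names)))
    for name, ips in forward.items():
        if len(ips) > 1:
            findings.append('%s has %d addresses (round-robin set)' % (name, len(ips)))
    # sanity check on the timers: a retry longer than the refresh interval makes no sense
    if soa and soa['retry'] >= soa['refresh']:
        findings.append('SOA retry should be shorter than refresh')
    return sorted(findings)


if __name__ == '__main__':
    for finding in lint_zone(ZONE_CONF):
        print(finding)
```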

Restart the unbound service.

# systemctl restart unbound

5. Point the DNS setting of the network interface at rhel2

Set the DNS server on all three machines to 192.168.100.2.

6. Test DNS resolution

# ping rhel2.rusky.com -c 2
PING rhel2.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.350 ms

--- rhel2.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.193/0.271/0.350/0.080 ms
# ping www.rusky.com -c 2
PING www.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.278 ms
64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.357 ms

--- www.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.278/0.317/0.357/0.043 ms
# nslookup
> mail.rusky.com
Server:         192.168.100.2
Address:        192.168.100.2#53

Name:   mail.rusky.com
Address: 192.168.100.2
> 192.168.100.3
Server:         192.168.100.2
Address:        192.168.100.2#53

3.100.168.192.in-addr.arpa      name = rhel3.rusky.com.
> rhel2.rusky.com
Server:         192.168.100.2
Address:        192.168.100.2#53

Name:   rhel2.rusky.com
Address: 192.168.100.2
> 192.168.100.1
Server:         192.168.100.2
Address:        192.168.100.2#53

1.100.168.192.in-addr.arpa      name = rhel1.rusky.com.
> 

II. Setting up the secondary DNS server

As above, first stop and disable the dnsmasq service, then install unbound and change the same three parameters in the main configuration file.

# yum install unbound -y

# vi /etc/unbound/unbound.conf
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
username: ""

Then add the configuration file rusky.com.conf with the following content:

# vi /etc/unbound/local.d/rusky.com.conf

# cat /etc/unbound/local.d/rusky.com.conf
domain-insecure:"rusky.com."
forward-zone:
        name:"."
        forward-addr:"192.168.100.2"

Notes:

When a client sends a DNS query to 192.168.100.1, it is forwarded to 192.168.100.2 for resolution; if that succeeds, a copy of the answer is cached locally. When other machines later query 192.168.100.1 for the same name, no forwarding is needed and the locally cached data is returned directly.
One more line is added:
domain-insecure:"rusky.com"
which means no security (DNSSEC) validation is performed for this domain.

The same line also has to be added to this configuration file on the primary DNS server, 192.168.100.2.
Then restart the unbound service on both servers.

Test:

rtt min/avg/max/mdev = 0.196/0.196/0.196/0.000 ms
[root@rhel3 ~]# hostname
rhel3.rusky.com
[root@rhel3 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
search rusky.com
nameserver 192.168.100.1
[root@rhel3 ~]# ping rhel1.rusky.com
PING rhel1.rusky.com (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.275 ms
^C
--- rhel1.rusky.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 713ms
rtt min/avg/max/mdev = 0.275/0.275/0.275/0.000 ms
[root@rhel3 ~]# ping www.rusky.com -c 2
PING www.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.677 ms

--- www.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.677/0.949/1.221/0.272 ms
[root@rhel3 ~]# nslookup
> rhel1.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

Non-authoritative answer:
Name:   rhel1.rusky.com
Address: 192.168.100.1
> 

After stopping the unbound service on rhel2, test DNS resolution from rhel3 again:

[root@rhel3 ~]# nslookup
> mail.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

** server can't find mail.rusky.com.rusky.com: SERVFAIL
> rhel2.rusky.com
;; connection timed out; trying next origin
Server:         192.168.100.1
Address:        192.168.100.1#53

** server can't find rhel2.rusky.com.rusky.com: SERVFAIL
> www.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

Non-authoritative answer:
Name:   www.rusky.com
Address: 192.168.100.2
> 

Explanation: once the primary DNS service on rhel2 has stopped, resolving through rhel1 from rhel3 only works for records that have already been cached locally. Names that were never resolved before, and so were never cached on rhel1, fail to resolve.
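The outcome above also depends on cache lifetime, which the test does not exercise: rhel1 serves a cached answer only until the record's TTL (86400 seconds for the zone above) has run out, after which the query is forwarded again and fails for as long as rhel2 is down. The following Python model is an added example, not unbound code: a static primary and a forwarding cache with a simulated clock, replaying the post's test and then letting the TTL lapse. The zone data and timings are constructed from the post's file.

```python
# Toy model of the post's layout: a static primary (rhel2) and a forwarding
# cache (rhel1). Added example, not unbound code; time is simulated.

# Constructed from the post's rusky.com.conf: name -> (address, ttl seconds)
PRIMARY_ZONE = {
    'www.rusky.com.': ('192.168.100.2', 86400),
    'mail.rusky.com.': ('192.168.100.2', 86400),
    'rhel2.rusky.com.': ('192.168.100.2', 86400),
}


class Primary:
    """Authoritative server for the static zone; can be taken down."""

    def __init__(self, zone):
        self.zone = zone
        self.up = True

    def query(self, name):
        if not self.up:
            raise TimeoutError('no response from primary')
        return self.zone.get(name)  # (address, ttl) or None for an unknown name


class Forwarder:
    """Forwards to the primary and caches answers until their TTL expires."""

    def __init__(self, primary):
        self.primary = primary
        self.cache = {}  # name -> (address, expires_at)
        self.now = 0

    def tick(self, seconds):
        self.now += seconds

    def query(self, name):
        """Return (status, address, source) like the nslookup results in the post."""
        hit = self.cache.get(name)
        if hit and hit[1] > self.now:
            return ('OK', hit[0], 'cache')
        try:
            answer = self.primary.query(name)
        except TimeoutError:
            return ('SERVFAIL', None, 'forward')  # upstream unreachable
        if answer is None:
            return ('NXDOMAIN', None, 'forward')
        address, ttl = answer
        self.cache[name] = (address, self.now + ttl)
        return ('OK', address, 'forward')


def run_scenario():
    """Replay the post's test: warm the cache, stop the primary, query again,
    then let the TTL lapse."""
    primary = Primary(PRIMARY_ZONE)
    rhel1 = Forwarder(primary)
    log = []
    log.append(('www before outage',) + rhel1.query('www.rusky.com.'))
    primary.up = False
    log.append(('www during outage',) + rhel1.query('www.rusky.com.'))
    log.append(('mail during outage',) + rhel1.query('mail.rusky.com.'))
    rhel1.tick(86400)  # the cached record's TTL has now elapsed
    log.append(('www after TTL',) + rhel1.query('www.rusky.com.'))
    return log


if __name__ == '__main__':
    for entry in run_scenario():
        print(entry)
```

The third and fourth entries of the log are the point: during the outage the cached www answer is still served and the uncached mail name fails, exactly as in the nslookup session above, but once the TTL has elapsed the www answer fails as well.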
