RHEL7 DNS service: testing unbound
Test environment:
rhel1.rusky.com | 192.168.100.1 | RHEL7 (secondary DNS; as configured in section II it is a forwarding cache, not a zone-transfer secondary)
rhel2.rusky.com | 192.168.100.2 | RHEL7 (primary DNS)
rhel3.rusky.com | 192.168.100.3 | RHEL6 (used as a client in the tests)
I. Building the primary DNS server
Before installing, stop the dnsmasq instance that is already running on the system: it also uses port 53 and is already listening (here on 192.168.122.1, the address of libvirt's default virtual network). With the configuration used below unbound binds 0.0.0.0:53, and that wildcard bind fails with "address already in use" while any other socket holds port 53 on a specific address, so unbound would not start. (`netstat` comes from net-tools; `ss -lntup` shows the same information on RHEL7.)
# netstat -antulp | grep 53
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1403/dnsmasq
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1403/dnsmasq
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           678/avahi-daemon: r
# ps -ef | grep dnsmasq
nobody    1403     1  0 16:12 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
root      1404  1403  0 16:12 ?        00:00:00 /usr/sbin/dnsmasq --conf-file=/var/lib/libvirt/dnsmasq/default.conf --leasefile-ro --dhcp-script=/usr/libexec/libvirt_leaseshelper
root      2210  1642  0 16:32 pts/0    00:00:00 grep --color=auto dnsmasq
# kill -9 1403
Then run `systemctl disable dnsmasq` to keep it from starting at boot. Two caveats: a plain `kill 1403` (SIGTERM) is enough and lets dnsmasq exit cleanly, so SIGKILL is not needed; and the process killed here was started by libvirtd for its default virtual network (note the --conf-file path under /var/lib/libvirt), not by the dnsmasq systemd unit, so disabling that unit does not stop libvirtd from launching it again when the network comes up. Either stop that network (`virsh net-destroy default`, and `virsh net-autostart default --disable`) or, better, bind unbound only to the lab address 192.168.100.2 instead of 0.0.0.0, which does not collide with 192.168.122.1 at all.
1. Install the unbound service
# yum install unbound -y
# systemctl start unbound
# netstat -antulp | grep unbound    # check the listening ports: 53 on 127.0.0.1/::1 only by default; 8953 is the unbound-control port; the high UDP port is the socket unbound sends its own upstream queries from
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      10478/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      10478/unbound
tcp6       0      0 ::1:53                  :::*                    LISTEN      10478/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      10478/unbound
udp        0      0 0.0.0.0:28416           0.0.0.0:*                           10478/unbound
udp        0      0 127.0.0.1:53            0.0.0.0:*                           10478/unbound
udp6       0      0 ::1:53                  :::*                                10478/unbound
2. Edit the main configuration file
# vi /etc/unbound/unbound.conf
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
username: ""
All three settings go in the server: section. `interface: 0.0.0.0` makes unbound listen on every IPv4 address instead of only 127.0.0.1; `access-control: 0.0.0.0/0 allow` lets any source address send it queries; `username: ""` disables the switch to the unprivileged user after start-up, so the daemon keeps running as root. The last two are acceptable only for a throw-away lab: an allow-all ACL on a reachable address is an open resolver (usable for cache poisoning attempts and for amplification against third parties), and dropping the privilege separation means any bug in unbound is a root compromise. For anything else, bind the lab address (192.168.100.2, plus 127.0.0.1 for local use) rather than the wildcard, allow only 192.168.100.0/24 and refuse the rest, and leave `username: "unbound"` as the package ships it. Run `unbound-checkconf` after every edit; it catches syntax errors before a restart takes the resolver down. If firewalld is active, port 53 also has to be opened (`firewall-cmd --permanent --add-service=dns` followed by `firewall-cmd --reload`).
3. Restart the unbound service
# systemctl restart unbound
# netstat -antulp | grep unbound
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      11234/unbound
tcp        0      0 127.0.0.1:8953          0.0.0.0:*               LISTEN      11234/unbound
tcp6       0      0 ::1:8953                :::*                    LISTEN      11234/unbound
udp        0      0 0.0.0.0:16314           0.0.0.0:*                           11234/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           11234/unbound
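As an added example (not code from this page or from the unbound project), the following Python script audits the three settings changed above and renders the hardened equivalent. It parses only the `key: value` lines of an unbound.conf fragment; the weak fragment embedded in it is a constructed copy of the three lines from step 2, and the lab subnet 192.168.100.0/24 and listen address 192.168.100.2 are taken from the environment table.

```python
"""Audit the server: options an unbound.conf fragment sets, flag the weak
choices made in step 2 (wildcard interface, allow-all ACL, empty username),
and render a hardened fragment for the lab. Added example for this page,
not unbound project code; the subnet and listen address are the lab's."""
import ipaddress

# Constructed sample: the three settings the walkthrough puts in unbound.conf.
WEAK_FRAGMENT = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    username: ""
"""

WILDCARD_ADDRS = {"0.0.0.0", "::", "::0"}
ALLOW_ACTIONS = {"allow", "allow_snoop"}


def parse_server_options(text):
    """Return (key, value) pairs in file order, comments stripped.
    unbound.conf is one 'key: value' per line; keys such as access-control
    may repeat, so a list is kept rather than a dict."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):   # blank line or a clause header
            continue
        key, _, value = line.partition(":")
        pairs.append((key.strip(), value.strip()))
    return pairs


def audit(text, allowed_nets):
    """Return a list of findings for settings that widen exposure.
    allowed_nets: the networks that legitimately should be able to query."""
    allowed = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for key, value in parse_server_options(text):
        if key == "interface" and value in WILDCARD_ADDRS:
            findings.append(
                f"interface {value}: listens on every address, including "
                "ones other services (e.g. libvirt's dnsmasq) already use")
        elif key == "access-control":
            net_text, action = value.split()
            net = ipaddress.ip_network(net_text)
            inside = any(net.version == a.version and net.subnet_of(a)
                         for a in allowed)
            if action in ALLOW_ACTIONS and not inside:
                findings.append(
                    f"access-control {net_text} {action}: accepts queries "
                    "from outside the allowed networks (open resolver)")
        elif key == "username" and value.strip('"') == "":
            findings.append(
                'username "": privilege drop disabled, unbound stays root')
    return findings


def render_hardened(listen_addrs, allowed_nets, username="unbound"):
    """Render the equivalent fragment with the exposure removed: bind only
    the given addresses, refuse by default, allow the lab subnet, and keep
    the unprivileged user the RPM creates."""
    lines = ["server:"]
    lines += [f"    interface: {a}" for a in listen_addrs]
    lines.append("    access-control: 0.0.0.0/0 refuse")
    lines += [f"    access-control: {n} allow" for n in allowed_nets]
    lines.append(f'    username: "{username}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for finding in audit(WEAK_FRAGMENT, ["192.168.100.0/24"]):
        print("WEAK:", finding)
    print(render_hardened(["192.168.100.2", "127.0.0.1"],
                          ["192.168.100.0/24"]))
```

The rendered fragment binds the lab address and loopback explicitly, so it would also coexist with libvirt's dnsmasq on 192.168.122.1 without killing it; the explicit `0.0.0.0/0 refuse` makes the default policy visible in the file rather than relying on unbound's built-in default.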
4. Add the zone configuration file
# vi /etc/unbound/local.d/rusky.com.conf
# (RHEL's packaged unbound.conf includes /etc/unbound/local.d/*.conf inside the server: section, so this file needs no server: header of its own)
local-zone: "rusky.com." static
local-data: "rusky.com. 86400 IN SOA ns.rusky.com. root.rusky.com. 120000 86400 3600 10800 86400"   # the original listing had "root.rusk.com.", a typo for the rusky.com contact
local-data: "rusky.com. IN NS ns.rusky.com."
local-data: "rusky.com. IN MX 10 mail.rusky.com."
local-data: "rusky.com. IN MX 20 smtp.rusky.com."
local-data: "rusky.com. IN A 192.168.100.2"
local-data: "ns.rusky.com. IN A 192.168.100.2"
local-data: "mail.rusky.com. IN A 192.168.100.2"
local-data: "smtp.rusky.com. IN A 192.168.100.2"
local-data: "ftp.rusky.com. IN A 192.168.100.2"
local-data: "www.rusky.com. IN A 192.168.100.2"
local-data: "rhel1.rusky.com. IN A 192.168.100.1"
local-data: "rhel2.rusky.com. IN A 192.168.100.2"
local-data: "rhel3.rusky.com. IN A 192.168.100.3"
# reverse (PTR) records; local-data-ptr takes "address name" and builds the in-addr.arpa record itself
local-data-ptr: "192.168.100.2 ns.rusky.com."
local-data-ptr: "192.168.100.2 mail.rusky.com."
local-data-ptr: "192.168.100.2 smtp.rusky.com."
local-data-ptr: "192.168.100.2 ftp.rusky.com."    # the original listing had "ftp.ns.rusky.com.", a name with no A record; the ping test in step 6 shows it
local-data-ptr: "192.168.100.2 www.rusky.com."    # likewise "www.ns.rusky.com." in the original
local-data-ptr: "192.168.100.1 rhel1.rusky.com."
local-data-ptr: "192.168.100.2 rhel2.rusky.com."
local-data-ptr: "192.168.100.3 rhel3.rusky.com."
Six PTR records for 192.168.100.2 means a reverse lookup returns all six, and tools such as ping display whichever arrives first. The usual convention is one PTR per address, carrying the host's canonical name (rhel2.rusky.com.), with the service names published only as forward A records. Run `unbound-checkconf` after editing.
Forward records can also be written like this:
local-data: "www.rusky.com. IN A 192.168.100.2"
local-data: "www.rusky.com. IN A 192.168.100.3"
local-data: "www.rusky.com. IN A 192.168.100.4"
local-data: "www.rusky.com. IN A 192.168.100.5"
One name pointing at several addresses gives simple DNS-based load distribution: every answer carries all four A records, and clients typically use the first one, so the spread depends on unbound rotating the order, which it does only when `rrset-roundrobin: yes` is set in unbound.conf. It is not load balancing in the usual sense: there is no health check, so the address of a host that is down keeps being handed out until the record is removed.
========================================================
Notes:
local-zone: "rusky.com." static   // declares the zone; "static" means unbound answers only from the local-data below and returns NXDOMAIN or an empty answer for any other name under rusky.com. rather than looking it up elsewhere
local-data: "rusky.com. 86400 IN SOA ns.rusky.com. root.rusky.com. 120000 86400 3600 10800 86400"   // start-of-authority record; the five numbers are the timers a zone-transfer secondary uses to keep in step with the primary
86400   // TTL: how long a resolver may cache this record, in seconds
IN   // class: Internet
SOA   // Start Of Authority. Every zone has exactly one; it names the primary master, the zone's contact mailbox and the transfer timers
ns.rusky.com.   // MNAME: the host name of the primary master name server. It is an ordinary host name and needs its own A record (192.168.100.2 above); it is not a wildcard for the other names in the zone
root.rusky.com.   // RNAME: the contact mailbox, with the @ written as a dot (root@rusky.com). The original listing had "rusk.com" here, a typo
120000   // serial: increase it on every change; a secondary transfers the zone when it sees a higher value. Any increasing number works; the common convention is YYYYMMDDnn, which always grows and shows when the zone last changed
86400   // refresh (1 day): how often a secondary asks the primary for the current serial
3600   // retry (1 hour): how long a secondary waits before asking again after a failed refresh
10800   // expire (3 hours): how long a secondary keeps serving the zone without having reached the primary. It is not "give up after three attempts": once this much time passes with no successful refresh, the secondary stops answering for the zone at all. Expire must be longer than refresh (usually weeks); 10800 < 86400 here would make a real secondary expire the zone before its first scheduled refresh
86400   // minimum / negative-cache TTL: how long resolvers cache "name does not exist" answers for this zone (RFC 2308). It is not a timeout for the secondary
MX 10 / MX 20   // mail exchanger preference: the lower number is tried first. An MX record maps the mail domain (the part after @) to the host name of a mail server; it must name a host with an A record, never an IP address
Note that unbound as used here performs no zone transfers at all (section II builds a forwarding cache, not an AXFR secondary), so refresh, retry and expire have no effect on these two hosts; they matter only if the zone is later moved to a server that does transfer it.
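As an added example (not code from this page or from unbound), the following Python script parses the `local-data` and `local-data-ptr` lines of a file such as rusky.com.conf and applies the checks the notes above call for: every PTR name must have an A record pointing back at the same address, an address with several PTRs is flagged, and the SOA timers are checked for the expire < refresh problem. The embedded sample is a constructed excerpt of the listing above that keeps the original two PTR typos (ftp.ns.rusky.com., www.ns.rusky.com.) so the check has something to report.

```python
"""Consistency checks for an unbound local zone file: every local-data-ptr
name needs an A record with the same address, one PTR per address is the
convention, and the SOA timers must make sense for a secondary. Added
example for this page, not unbound project code. SAMPLE is a constructed
excerpt of the rusky.com.conf listing above, with its two PTR typos kept."""
import re
from collections import defaultdict

SAMPLE = '''
local-zone: "rusky.com." static
local-data: "rusky.com. 86400 IN SOA ns.rusky.com. root.rusky.com. 120000 86400 3600 10800 86400"
local-data: "rusky.com. IN NS ns.rusky.com."
local-data: "ns.rusky.com. IN A 192.168.100.2"
local-data: "www.rusky.com. IN A 192.168.100.2"
local-data: "ftp.rusky.com. IN A 192.168.100.2"
local-data: "rhel1.rusky.com. IN A 192.168.100.1"
local-data: "rhel2.rusky.com. IN A 192.168.100.2"
local-data-ptr: "192.168.100.2 ns.rusky.com."
local-data-ptr: "192.168.100.2 ftp.ns.rusky.com."
local-data-ptr: "192.168.100.2 www.ns.rusky.com."
local-data-ptr: "192.168.100.1 rhel1.rusky.com."
local-data-ptr: "192.168.100.2 rhel2.rusky.com."
'''

# local-data-ptr must be tried before local-data, or the prefix would match.
LINE_RE = re.compile(r'^\s*(local-data-ptr|local-data)\s*:\s*"([^"]*)"')


def parse_local_data(text):
    """Return (forward, reverse, soa).
    forward: {owner name: set of A addresses}; several addresses for one
    name is the round-robin case shown above.
    reverse: {address: [PTR names in file order]}.
    soa: dict of the SOA fields, or None if the zone has no SOA."""
    forward = defaultdict(set)
    reverse = defaultdict(list)
    soa = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        fields = body.split()
        if kind == "local-data-ptr":
            reverse[fields[0]].append(fields[1].lower())
            continue
        owner, rest = fields[0].lower(), fields[1:]
        ttl = None
        if rest[0].isdigit():               # TTL is optional
            ttl, rest = int(rest[0]), rest[1:]
        if rest[0].upper() == "IN":         # class is optional too
            rest = rest[1:]
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype == "A":
            forward[owner].add(rdata[0])
        elif rtype == "SOA":
            serial, refresh, retry, expire, minimum = map(int, rdata[2:7])
            soa = {"owner": owner, "ttl": ttl, "mname": rdata[0],
                   "rname": rdata[1], "serial": serial, "refresh": refresh,
                   "retry": retry, "expire": expire, "minimum": minimum}
    return forward, reverse, soa


def ptr_mismatches(forward, reverse):
    """(address, name) pairs whose PTR has no A record pointing back."""
    return [(addr, name) for addr, names in reverse.items()
            for name in names if addr not in forward.get(name, set())]


def multiple_ptrs(reverse):
    """Addresses with more than one PTR; ping and log tools then show an
    arbitrary one of them, as the reverse names in the test below show."""
    return {addr: names for addr, names in reverse.items() if len(names) > 1}


def soa_problems(soa):
    """Timer relationships that break a zone-transfer secondary."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        problems.append("expire shorter than refresh + retry: a secondary "
                        "would drop the zone before its first retry")
    return problems


if __name__ == "__main__":
    fwd, rev, soa = parse_local_data(SAMPLE)
    for addr, name in ptr_mismatches(fwd, rev):
        print(f"PTR {addr} -> {name} has no matching A record")
    for addr, names in multiple_ptrs(rev).items():
        print(f"{addr} has {len(names)} PTR records: {' '.join(names)}")
    for problem in soa_problems(soa):
        print("SOA:", problem)
```

Run it against the real file with `parse_local_data(open("/etc/unbound/local.d/rusky.com.conf").read())`; it complements `unbound-checkconf`, which only checks syntax and would accept all three problems silently.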
Restart the unbound service.
# systemctl restart unbound
5. Point the servers' DNS settings at rhel2
Set the DNS server of all three machines to 192.168.100.2. On RHEL7 that is `nmcli con mod <connection> ipv4.dns 192.168.100.2` followed by `nmcli con up <connection>` (or DNS1=192.168.100.2 in the interface's ifcfg file); on the RHEL6 host edit the ifcfg file the same way, or set nameserver 192.168.100.2 in /etc/resolv.conf directly. `<connection>` stands for whatever name `nmcli con show` lists for the lab interface.
6. Test DNS resolution
# ping rhel2.rusky.com -c 2
PING rhel2.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.193 ms
64 bytes from www.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.350 ms

--- rhel2.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.193/0.271/0.350/0.080 ms
# ping www.rusky.com -c 2
PING www.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=1 ttl=64 time=0.278 ms
64 bytes from ftp.ns.rusky.com (192.168.100.2): icmp_seq=2 ttl=64 time=0.357 ms

--- www.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.278/0.317/0.357/0.043 ms
# nslookup
> mail.rusky.com
Server:         192.168.100.2
Address:        192.168.100.2#53

Name:   mail.rusky.com
Address: 192.168.100.2
> 192.168.100.3
Server:         192.168.100.2
Address:        192.168.100.2#53

3.100.168.192.in-addr.arpa      name = rhel3.rusky.com.
> rhel2.rusky.com
Server:         192.168.100.2
Address:        192.168.100.2#53

Name:   rhel2.rusky.com
Address: 192.168.100.2
> 192.168.100.1
Server:         192.168.100.2
Address:        192.168.100.2#53

1.100.168.192.in-addr.arpa      name = rhel1.rusky.com.
>
The reverse names in the ping replies (www.ns.rusky.com, ftp.ns.rusky.com) are the mistyped PTR entries of the original zone file; ping does its own reverse lookup of 192.168.100.2, gets all of that address's PTR records, and prints whichever one it receives first. With one PTR per address the replies would read rhel2.rusky.com.
II. Building the secondary DNS server
As above, first stop and disable dnsmasq, then install unbound and change the same three settings in the main configuration file (the hardening notes from section I, step 2, apply here as well: bind the lab address rather than 0.0.0.0, allow only 192.168.100.0/24 and keep `username: "unbound"`).
# yum install unbound -y
# vi /etc/unbound/unbound.conf
interface: 0.0.0.0
access-control: 0.0.0.0/0 allow
username: ""
Then add the configuration file rusky.com.conf with the following content:
# vi /etc/unbound/local.d/rusky.com.conf
# cat /etc/unbound/local.d/rusky.com.conf
domain-insecure: "rusky.com."
forward-zone:
    name: "."
    forward-addr: "192.168.100.2"
Notes:
When a client sends a query to 192.168.100.1, rhel1 forwards it to 192.168.100.2 for resolution and, if an answer comes back, keeps a copy in its cache; later queries for the same name from any client of 192.168.100.1 are answered from that cache without being forwarded, until the record's TTL runs out. A forward-zone with `name: "."` forwards everything, not only rusky.com, so rhel2 also resolves Internet names on rhel1's behalf (recursing from the root hints in its packaged configuration); a forward-zone named "rusky.com." instead would leave rhel1 resolving other names itself. The packaged unbound.conf includes local.d inside the server: section and intends forward-zone clauses for /etc/unbound/conf.d/; the file works as written because unbound accepts clauses in any order, but keeping forward-zone in conf.d is tidier.
The extra line
domain-insecure: "rusky.com."
tells the validator to treat rusky.com as an insecure (unsigned) zone. The packaged configuration enables DNSSEC validation (auto-trust-anchor-file for the root), and answers for this private, unsigned zone forwarded from rhel2 can otherwise fail validation, since there is no chain of trust from the root down to it, which shows up as SERVFAIL. The trade-off is that clients get no DNSSEC protection for anything under rusky.com; that is acceptable only because the zone is internal and unsigned anyway.
The page adds this line to the same file on the primary, 192.168.100.2, as well.
Then restart unbound on both servers.
Test:
# hostname
rhel3.rusky.com
# cat /etc/resolv.conf
# Generated by NetworkManager
search rusky.com
nameserver 192.168.100.1
# ping rhel1.rusky.com
PING rhel1.rusky.com (192.168.100.1) 56(84) bytes of data.
64 bytes from 192.168.100.1: icmp_seq=1 ttl=64 time=0.275 ms
^C
--- rhel1.rusky.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 713ms
rtt min/avg/max/mdev = 0.275/0.275/0.275/0.000 ms
# ping www.rusky.com -c 2
PING www.rusky.com (192.168.100.2) 56(84) bytes of data.
64 bytes from 192.168.100.2: icmp_seq=1 ttl=64 time=1.22 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=64 time=0.677 ms

--- www.rusky.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1003ms
rtt min/avg/max/mdev = 0.677/0.949/1.221/0.272 ms
# nslookup
> rhel1.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

Non-authoritative answer:
Name:   rhel1.rusky.com
Address: 192.168.100.1
>
After stopping the unbound service on rhel2, test resolution from rhel3 again:
# nslookup
> mail.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

** server can't find mail.rusky.com.rusky.com: SERVFAIL
> rhel2.rusky.com
;; connection timed out; trying next origin
Server:         192.168.100.1
Address:        192.168.100.1#53

** server can't find rhel2.rusky.com.rusky.com: SERVFAIL
> www.rusky.com
Server:         192.168.100.1
Address:        192.168.100.1#53

Non-authoritative answer:
Name:   www.rusky.com
Address: 192.168.100.2
>
This shows that once the primary on rhel2 is stopped, queries from rhel3 to rhel1 succeed only for records rhel1 already holds in its cache (www.rusky.com, looked up in the previous test); names never resolved through rhel1 before (mail, rhel2) fail with SERVFAIL. (The "mail.rusky.com.rusky.com" in the error is nslookup retrying with the `search rusky.com` domain appended after the first attempt failed.) Two caveats follow. First, the cached answer survives only until its TTL expires; local-data records written without an explicit TTL get unbound's default of 3600 seconds, after which rhel1 fails for www.rusky.com as well. Second, rhel1 is therefore a caching forwarder, not a secondary: unbound has no zone transfer, so nothing replicates the zone. For real redundancy copy the same /etc/unbound/local.d/rusky.com.conf to rhel1 so it answers authoritatively itself, and list both servers in the clients' resolv.conf (nameserver 192.168.100.2, then nameserver 192.168.100.1) so the stub resolver falls through to the second when the first times out.