針對DNS學習後的一個模擬互聯網架構實驗
阿新 • • 發佈:2019-04-24
針對系統學習DNS後的一個實驗
- 架構圖
- 共7臺主機,聯合實現互聯網dns架構
- 1將客戶端dns服務器指向本地dns服務器
- 2將網站搭建好
root:~ # yum install httpd
root:~ # cd /var/www/html/
root:/var/www/html # echo 192.168.64.57,hello >index.html
root:/var/www/html # chmod a+r index.html
root:/var/www/html # service httpd restart
- 3客戶端測試
- 4配置主masterDNS
root:~ # yum install bind
root:~ # vi /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
allow-transfer {192.168.64.47;}; # 只允許從服務器做區域傳送,其他來源的 AXFR 會被拒絕
root:~ # vi /etc/named.rfc1912.zones
zone "qh.com" IN {
type master;
file "qh.com.zone";
};
root:~ # cd /var/named/
root:/var/named # vi qh.com.zone
$TTL 1D
@ IN SOA ns1 qh.mail.com. ( 1 1H 10M 1D 3H )
NS ns1
NS ns2
ns1 A 192.168.64.37
ns2 A 192.168.64.47
www A 192.168.64.57
root:/var/named # chgrp named qh.com.zone
root:/var/named # chmod 640 qh.com.zone
#### 語法檢查
root:/var/named # named-checkconf
#### 啟動服務
root:/var/named # systemctl start named.service
- 5客戶端測試master服務器
- 6搭建從服務器
root:~ # yum install bind
root:~ # vi /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
allow-transfer {none;};
root:~ # vi /etc/named.rfc1912.zones
zone "qh.com" {
type slave;
masters {192.168.64.37;};
file "slaves/qh.com.slave";
};
root:/var/named/slaves # systemctl start named.service
root:/var/named/slaves # rndc reload
root:/var/named/slaves # ll
total #已同步
-rw-r--r-- 1 named named 269 Apr 23 16:34 qh.com.slave
- 7測試從服務器
- 8配置com域服務器
root:~ # yum install bind
root:~ # vi /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
allow-transfer {none;};
------------------------------------------------
root:~ # vi /etc/named.rfc1912.zones
zone "com" IN {
type master;
file "com.zone";
};
---------------------------------------------------------
root:~ # cd /var/named/
root:/var/named # vim com.zone
$TTL 1D
@ IN SOA NS1 qh.mail.com. (1 1D 1H 1W 3D )
NS ns1
qh NS qhns1
qh NS qhns2
ns1 A 192.168.64.27
qhns1 A 192.168.64.37 ; 主服務器(區域檔案的註解符號是「;」,「#」會造成語法錯誤)
qhns2 A 192.168.64.47 ; 從服務器
root:/var/named # chgrp named com.zone
root:/var/named # chmod g+w com.zone #與步驟4的 chmod 640 相比多開了群組寫入;master 區域檔案只需 named 可讀即可
root:/var/named # systemctl start named.service
root:/var/named # rndc reload
server reload successful
- 9測試 (通過父域192.168.64.27測試)
- 10搭建根DNS
root:~ # yum install bind
root:~ # vi /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
zone "." IN {
type master; #改為master自己做根
file "root.zone";
};
root:~ # cd /var/named/
root:/var/named # vim root.zone
$TTL 1D
@ IN SOA ns1 qh.mail.com. (1 1D 1H 1W 3D )
NS ns1
com NS comns1
ns1 A 192.168.64.17
comns1 A 192.168.64.27
root:/var/named # chgrp named root.zone #原文誤寫為 com.zone,此主機上建立的是 root.zone
root:/var/named # chmod g+w root.zone #原文誤寫為 com.zone;與步驟4一致,改為 640 即可
root:/var/named # systemctl start named.service
- 11測試(通過主根服務器測試)
- 12配置本地dns服務器
root:~ # yum install bind
root:~ # vi /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
// 註:取消上述限制後,任何來源都能向這臺遞迴 DNS 查詢;實驗網段以外應以 allow-query / allow-recursion 限制來源,避免成為開放遞迴伺服器
root:/etc/sysconfig/network-scripts # vi /var/named/named.ca #改為下面配置
. 518400 IN NS a.root-servers.net.
a.root-servers.net. 3600000 IN A 192.168.64.17
- 13清緩存
root:/var/named # rndc flush #清理所有dns緩存
- 14在本地dns修改安全配置
本實驗自建的根區域與 com 區域都未簽名,本地遞迴 DNS 若開啟 DNSSEC 驗證會判定應答不可信而解析失敗,因此要關閉;這只適用於隔離的實驗環境,正式環境的遞迴伺服器應保持 dnssec-validation 開啟,否則失去對偽造應答的防護。
root:~ # vi /etc/named.conf
dnssec-enable no;
dnssec-validation no;
- 15測試
一些過程中可能遇到的錯誤
root:/var/named # systemctl start named.service
Job for named.service failed because the control process exited with error code. See "systemctl status named.service" and "journalctl -xe" for details.
一般可以通過systemctl status named.service -l 命令可以查看當前錯誤類型
#dig A example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> A example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523
...
SERVFAIL:The nameserver encountered a problem while processing the query.
- 可使用dig +trace排錯,可能是網絡和防火墻導致
NXDOMAIN:The queried name does not exist in the zone.
- 可能是CNAME對應的A記錄不存在導致
REFUSED:The nameserver refused the client's DNS request due to policy restrictions.
- 可能是DNS策略導致
- NOERROR不代表沒有問題,也可以是過時的記錄
- 查看是否為權威記錄,以flags中的aa標記判斷
- 被刪除的記錄仍能返回結果,可能是因為*記錄存在
- 如:*.example.com. IN A 172.25.254.254
- 註意“.”的使用
- 避免CNAME指向CNAME記錄,可能產生回環
- test.example.com. IN CNAME lab.example.com.
- lab.example.com. IN CNAME test.example.com.
- 正確配置PTR記錄,許多服務依賴PTR,如sshd,MTA
- 正確配置輪詢round-robin記錄