DNS Introduction
- DNS (Domain Name System) is a distributed database on the Internet that maps domain names to IP addresses and back, so that users can reach sites without having to remember the numeric IP addresses that machines read directly. It is like the 114 telephone directory service: you can find a phone number from a person's name, or a name from a phone number (the directory is less exact because people share names, whereas a domain name is unique worldwide).
- The DNS protocol runs on top of UDP, using port 53
- Use case: anywhere domain names need to be resolved
DNS Query
DNS Server Deployment
DNS Installation
yum -y install bind bind-chroot
- bind: the main DNS program package
- bind-chroot: the DNS security package; changes the default DNS root directory and runs DNS in a chroot jail
Starting DNS
- Method one: start DNS without chroot mode
Enable start at boot
systemctl enable named
# Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
Start the DNS service
systemctl start named
- Method two: run DNS in chroot mode
Copy (cp -p) the corresponding files into the chroot root directory
Main configuration file
cp -p /etc/named.conf /var/named/chroot/etc/
chgrp named /var/named/chroot/etc/named.conf
named-checkconf /var/named/chroot/etc/named.conf
Zone database files
cp /var/named/named.localhost /var/named/chroot/var/named/ayitula.com.zone
chgrp named /var/named/chroot/var/named/ayitula.com.zone
cp -p /var/named/named.* /var/named/chroot/var/named/
Start the DNS service
Enable start at boot
systemctl enable named-chroot.service
# Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
Start the service
systemctl start named-chroot
DNS Configuration Files Explained
- By default, when the bind-chroot package (which provides the named-chroot service) is not installed, the configuration files live at the following paths:
  - Configuration file: /etc/named.conf
  - Zone database files: /var/named/
- Because we installed bind-chroot, which changes the default location of the DNS configuration, the paths change accordingly:
  - Configuration file: /var/named/chroot/etc/named.conf
  - Zone database files: /var/named/chroot/var/named/
Domain Name Resolution
Forward Resolution
Case: resolve the yudan.com domain as follows: www is an A record pointing at 192.168.10.88, and news is an alias (CNAME) for www
- Edit the main configuration file /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.10.110; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        //dump-file       "/var/named/data/cache_dump.db";
        //statistics-file "/var/named/data/named_stats.txt";
        //memstatistics-file "/var/named/data/named_mem_stats.txt";
        //recursing-file  "/var/named/data/named.recursing";
        //secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        /* Path to ISC DLV key */
        //bindkeys-file "/etc/named.root.key";
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "yudan.com" IN {
        // hint master slave forward
        type master;
        file "yudan.com.zone";
};
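The options block above combines recursion yes with allow-query { any; }, which turns this authoritative server into an open resolver: it will recurse for any address on the Internet, a classic amplification and cache-poisoning exposure. The following check is an added example, not from the page: it pulls those settings out of a named.conf text and flags the combination, with two hardened variants (recursion no for a purely authoritative server, or allow-recursion limited to the LAN) beside the page's setting; the regexes assume the page's one-directive-per-line layout.

```python
import re

# Constructed excerpt of the options block shown on this page; the same
# settings appear in every named.conf the page lists.
PAGE_OPTIONS = """
options {
        listen-on port 53 { 192.168.10.110; };
        directory       "/var/named";
        allow-query     { any; };
        recursion yes;
};
"""

# Assumed fixes, not from the page: an authoritative server for yudan.com
# needs no recursion at all; if it doubles as the LAN resolver, recurse
# only for the local network.
AUTHORITATIVE_ONLY = PAGE_OPTIONS.replace("recursion yes;", "recursion no;")
LAN_RESOLVER = PAGE_OPTIONS.replace(
    "recursion yes;",
    "recursion yes;\n        allow-recursion { 192.168.10.0/24; };")

def _option(body, name):
    """Value of an uncommented `name value;` line in the options body."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+(.*);\s*$', body, re.M)
    return m.group(1).strip() if m else None

def audit_options(conf):
    """Flag the open-resolver pattern. When allow-recursion is absent,
    named falls back to allow-query-cache, then allow-query, so
    allow-query { any; } plus recursion yes recurses for the whole world."""
    m = re.search(r'^options\s*\{(.*?)^\};', conf, re.S | re.M)
    if not m:
        return ["no options block found"]
    body = m.group(1)
    if _option(body, "recursion") != "yes":
        return []
    who = (_option(body, "allow-recursion")
           or _option(body, "allow-query-cache")
           or _option(body, "allow-query")
           or "{ localhost; localnets; }")   # BIND's built-in default
    if re.search(r'\bany\b', who):
        return [f"open resolver: recursion yes with allow-recursion {who}"]
    return []
```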
- Switch to the /var/named/chroot/var/named/ directory
# Copy an existing zone file as the template for your own zone data file
cp named.localhost yudan.com.zone
- Edit the yudan.com.zone zone file
$TTL 1D
yudan.com.  IN SOA  ns1.yudan.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
            NS      ns1.yudan.com.
;A
;PTR
;MX
;CNAME
ns1     A       192.168.10.110
www     A       192.168.10.88
news    CNAME   www
# Check the main configuration file
named-checkconf /var/named/chroot/etc/named.conf
# Check the zone data file
named-checkzone yudan.com /var/named/chroot/var/named/yudan.com.zone
Resolution Commands
- host: non-interactive resolution
- nslookup: interactive or non-interactive resolution
- dig: shows the full resolution flow in detail
# host command
[root@Server named]# host www.yudan.com
www.yudan.com has address 192.168.10.88
[root@Server named]# host news.yudan.com
news.yudan.com is an alias for www.yudan.com.
www.yudan.com has address 192.168.10.88

# nslookup command
[root@Server named]# nslookup www.yudan.com
Server:         192.168.10.110
Address:        192.168.10.110#53

Name:   www.yudan.com
Address: 192.168.10.88

# dig command
[root@Server named]# dig www.yudan.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 <<>> www.yudan.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23645
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.yudan.com.                 IN      A

;; ANSWER SECTION:
www.yudan.com.          86400   IN      A       192.168.10.88

;; AUTHORITY SECTION:
yudan.com.              86400   IN      NS      ns1.yudan.com.

;; ADDITIONAL SECTION:
ns1.yudan.com.          86400   IN      A       192.168.10.110

;; Query time: 0 msec
;; SERVER: 192.168.10.110#53(192.168.10.110)
;; WHEN: 日 4月 27 11:44:00 CST 2025
;; MSG SIZE rcvd: 92
Reverse Resolution
Case: create a reverse lookup for www.yudan.com, whose IP address is 192.168.10.88
- Configure the main configuration file named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.10.110; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        //dump-file       "/var/named/data/cache_dump.db";
        //statistics-file "/var/named/data/named_stats.txt";
        //memstatistics-file "/var/named/data/named_mem_stats.txt";
        //recursing-file  "/var/named/data/named.recursing";
        //secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        /* Path to ISC DLV key */
        //bindkeys-file "/etc/named.root.key";
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "yudan.com" IN {
        // hint master slave forward
        type master;
        file "yudan.com.zone";
};

// reverse resolution of IP addresses
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.arpa";
};
- Configure the zone database file 192.168.10.arpa
$TTL 1D
10.168.192.in-addr.arpa. IN SOA ns1.yudan.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
            NS      ns1.yudan.com.
88          PTR     www.yudan.com.
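The reverse case derives the zone name 10.168.192.in-addr.arpa and the PTR owner 88 by hand from 192.168.10.88. The following helper is an added example, not from the page: it generalises that derivation to any /8, /16 or /24 network and generates the reverse zone from the A records of a forward zone in the page's layout, so forward and reverse data cannot drift apart; the forward zone content is a constructed copy of the page's yudan.com.zone and ns1.yudan.com. is assumed as the NS.

```python
import ipaddress

# Constructed copy of the records from this page's yudan.com.zone.
FORWARD_ZONE = """\
$TTL 1D
ns1     A       192.168.10.110
www     A       192.168.10.88
news    CNAME   www
"""

def reverse_zone_name(network):
    """in-addr.arpa zone for a /8, /16 or /24 IPv4 network:
    192.168.10.0/24 -> 10.168.192.in-addr.arpa (network octets reversed)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("classful reverse zones only: /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def ptr_owner(ip, network):
    """Owner of the PTR record relative to the reverse zone: the host
    octets of `ip` in reverse order (192.168.10.88 in /24 -> 88)."""
    net = ipaddress.ip_network(network, strict=True)
    if ipaddress.ip_address(ip) not in net:
        raise ValueError(f"{ip} is outside {network}")
    octets = ip.split(".")[net.prefixlen // 8:]
    return ".".join(reversed(octets))

def build_reverse_zone(forward_zone, origin, network, ns="ns1.yudan.com."):
    """Emit the reverse zone for `network` from the A records of a forward
    zone whose origin is `origin`; CNAMEs get no PTR (they are not hosts)."""
    zone = reverse_zone_name(network)
    lines = ["$TTL 1D",
             f"{zone}. IN SOA {ns} rname.invalid. (",
             "        0 ; serial", "        1D ; refresh", "        1H ; retry",
             "        1W ; expire", "        3H ) ; minimum",
             f"        NS {ns}"]
    for raw in forward_zone.splitlines():
        fields = raw.split()
        if len(fields) != 3 or fields[1] != "A":
            continue  # skip $TTL, CNAME and anything that is not a bare A record
        name, _, ip = fields
        fqdn = name if name.endswith(".") else f"{name}.{origin}."
        lines.append(f"{ptr_owner(ip, network)} PTR {fqdn}")
    return "\n".join(lines) + "\n"
```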
Master/Slave Synchronisation
DNS Master/Slave
- The main configuration file is not synchronised
- Only the zone database files are synchronised
Edit the main configuration file on the slave node
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.10.120; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        //dump-file       "/var/named/data/cache_dump.db";
        //statistics-file "/var/named/data/named_stats.txt";
        //memstatistics-file "/var/named/data/named_mem_stats.txt";
        //recursing-file  "/var/named/data/named.recursing";
        //secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        /* Path to ISC DLV key */
        //bindkeys-file "/etc/named.root.key";
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "yudan.com" IN {
        // hint master slave forward
        type slave;
        file "yudan.com.zone";
        masters { 192.168.10.110; };
};

zone "10.168.192.in-addr.arpa" IN {
        type slave;
        file "192.168.10.arpa";
        masters { 192.168.10.110; };
};
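A slave transfers a zone only when the master's SOA serial is higher than the copy it already holds, checked at the refresh interval (1D on this page), so every edit on the master must raise the serial, and all of the page's zone files still carry serial 0. The following helper is an added example, not from the page: it reads the serial from a zone file in the page's layout and rewrites it as YYYYMMDDnn, or old+1 when that would not be an increase; the date is passed in so the result is reproducible.

```python
import re

# Constructed copy of this page's yudan.com.zone, still at serial 0.
ZONE = """\
$TTL 1D
yudan.com.  IN SOA  ns1.yudan.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
            NS      ns1.yudan.com.
ns1     A       192.168.10.110
www     A       192.168.10.88
news    CNAME   www
"""

# The serial is the first number after the SOA's opening parenthesis.
SOA_SERIAL = re.compile(r'(\bSOA\b[^(]*\(\s*)(\d+)')

def read_serial(zone_text):
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(2))

def bump_serial(zone_text, today):
    """Return (new_text, new_serial). `today` is YYYYMMDD; the new serial is
    today's date with a two-digit revision, or old+1 when that would not be
    larger than the current value (slaves ignore a serial that did not go up)."""
    old = read_serial(zone_text)
    dated = int(today) * 100 + 1
    new = dated if dated > old else old + 1
    if new >= 2**32:
        raise ValueError("serial would wrap past 32 bits")
    new_text = SOA_SERIAL.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    return new_text, new
```

After bumping, reload with rndc reload (or restart named-chroot) and, on the master, add allow-transfer { 192.168.10.120; }; to each zone statement so that only the slave may pull the zone; with the BIND 9.11 on this page, transfers are otherwise allowed to any address.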
Smart Resolution
When we browse the web we notice that some sites open very quickly and others very slowly. Why? Because many companies, to improve the user experience, serve their sites through a CDN content-acceleration service that lets you fetch data from a server in your own city. For now, think of a CDN simply as a local cache server. How, then, do you find your local cache server so precisely? Because many CDN providers' DNS uses a smart-resolution service: it judges which city you are in from your source IP, then resolves the name to the cache server near you, and you go straight to that server for the data.

An IP database covering the whole world, with the region of each IP range, is loaded into the DNS server. When a user sends a query, the DNS server locates the user's region from the source IP, then looks up the zone database file for the requested domain in that region's view. Users in different regions thus receive different answers.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 192.168.10.110; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        //dump-file       "/var/named/data/cache_dump.db";
        //statistics-file "/var/named/data/named_stats.txt";
        //memstatistics-file "/var/named/data/named_mem_stats.txt";
        //recursing-file  "/var/named/data/named.recursing";
        //secroots-file   "/var/named/data/named.secroots";
        allow-query     { any; };
        recursion yes;
        //dnssec-enable yes;
        //dnssec-validation yes;
        /* Path to ISC DLV key */
        //bindkeys-file "/etc/named.root.key";
        //managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        masterfile-format text;
};

//logging {
//        channel default_debug {
//                file "data/named.run";
//                severity dynamic;
//        };
//};

acl bj {
        192.168.10.110;
};

acl sh {
        1.2.2.2;
};

view beijing {
        match-clients { bj; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "yudan.com" IN {
                // hint master slave forward
                type master;
                file "yudan.com.zone.bj";
        };
};  // closes the beijing view

view shanghai {
        match-clients { sh; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "yudan.com" IN {
                // hint master slave forward
                type master;
                file "yudan.com.zone.sh";
        };
};  // closes the shanghai view

view other {
        // views are tried in order, so this last view must match any:
        // a client already caught by bj or sh never reaches it
        match-clients { any; };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "yudan.com" IN {
                // hint master slave forward
                type master;
                file "yudan.com.zone.ot";
        };
};  // closes the other view
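named tries views in the order they appear in named.conf and answers from the first whose match-clients matches the source address, so the fallback view must come last and match any: an ACL such as bj is already consumed by the beijing view, and a later view that re-uses it can never be reached, leaving clients outside both ACLs refused. The following simulation is an added example, not from the page: it replays that selection for the page's ACLs against both a fallback that re-uses bj and one that matches any, and also handles the '!' negation BIND allows in address match lists (not used on the page).

```python
import ipaddress

# ACLs as defined in this page's named.conf.
ACLS = {
    "bj": ["192.168.10.110"],
    "sh": ["1.2.2.2"],
}

# Views in the order they appear in named.conf: named tries them top to
# bottom and answers from the first whose match-clients matches the
# querying address. Two variants of the last (fallback) view:
VIEWS_BJ_FALLBACK = [         # "other" re-uses the bj ACL: never reached
    ("beijing",  ["bj"],  "yudan.com.zone.bj"),
    ("shanghai", ["sh"],  "yudan.com.zone.sh"),
    ("other",    ["bj"],  "yudan.com.zone.ot"),
]
VIEWS_ANY_FALLBACK = [        # "other" matches any: catches everyone else
    ("beijing",  ["bj"],  "yudan.com.zone.bj"),
    ("shanghai", ["sh"],  "yudan.com.zone.sh"),
    ("other",    ["any"], "yudan.com.zone.ot"),
]

def match_list(client_ip, elements, acls=ACLS):
    """BIND address-match-list rule: elements are tried in order and the
    first one that matches decides; a '!'-prefixed element decides 'no'.
    A nested ACL counts as a hit only when it matches positively."""
    client = ipaddress.ip_address(client_ip)
    for element in elements:
        negate = element.startswith("!")
        element = element.lstrip("!")
        if element == "any":
            hit = True
        elif element in acls:
            hit = match_list(client_ip, acls[element], acls)
        else:
            hit = client in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate
    return False

def select_view(client_ip, views, acls=ACLS):
    """(view name, zone file) of the first view whose match-clients matches
    client_ip, or None when no view matches (named then refuses the query)."""
    for name, match_clients, zone_file in views:
        if match_list(client_ip, match_clients, acls):
            return name, zone_file
    return None
```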