linux视频-教程专用dns and bind

DNSandBIND主讲：马永亮(马哥)

客服，1661815153博客：主站：BIND高级应用主讲：马永亮(马哥)

客服，1661815153博客：主站：BIND9编译安装

及压力测试主讲：马永亮(马哥)

客服，1661815153博客：主站：/etc/resolv.conf

ns.www...权威DNS服务器

ns主机名称,知本主义IP

名称解析hosts搜索键/etc/passwdnsswitchloginlogin:password:root0loginDNS树状结构，testst1ftp

nfsmailpopwww

正主正从反主反从dnspod,dns.lazone“.”zone“localhost”zone“27..”

主bindfile“.zone”10:059:459:48

opsdev

CDN

www,mail,ftptech.ns.tech.www.tech.mail.tech.fin.nswwwmailzone“”IN{typeforward;forwarders{};ddns:dynamicdns

/dev/random:熵池/dev/urandomClienthostsLocalDNScacheDNSServerServerCacheServerrootDNS服务器的类型：主DNS服务器辅助DNS服务器缓存DNS服务器转发器listen-on[portinteger]{address_match_element;...};querylogboolean;version(quoted_string|none);allow-recursion{address_match_element;...};allow-query{address_match_element;...};TheDomainNameSystemisadistributeddatabase.Allowslocalcontrolofthesegmentsoftheoveralldatabase,yetdataineachsegmentisavailableacrosstheentirenetworkthroughaclient/serverscheme.ProgramscallednameserversconstitutetheserverhalfofDNS'sclient/servermechanism.Nameserverscontaininformationaboutsomesegmentsofthedatabaseandmakethatinformationavailabletoclients,calledresolvers.Resolversareoftenjustlibraryroutinesthatcreatequeriesandsendthemacrossanetworktoanameserver.forwardonly;Ifyouuseforward-onlymode,youmusthaveforwardersconfigured.ForwardZonesTraditionally,usingforwardershasbeenanall-or-nothingproposition:eitheryouuseforwarderstoresolveeveryqueryyournameservercan'tansweritself,oryoudon'tuseforwardersatall.However,therearesomesituationsinwhichitwouldbenicetohavemorecontroloverforwarding.Forexample,maybeyou'dliketoresolvecertaindomainnamesusingaparticularforwarderbutresolveotherdomainnamesiteratively.BIND8.2introducedanewfeature,forwardzones,thatallowsyoutoconfigureyournameservertouseforwardersonlywhenlookingupcertaindomainnames.zone“"{typeforward;forwarders{54;};};There'sanothervarietyofforwardzone,inawaytheoppositeofthekindprevious.Theseallowyoutospecifywhichqueriesdon'tgetforwarded.Theseforwardzonesareconfiguredusingazonestatement,butnotoftypeforward.Instead,thesearenormalzonesmaster,slave,orstubwithaforwarderssubstatement.To"undo"theforwardingconfiguredintheoptionsstatement,wespecifyanemptylistofforwarders:AnExampleoptions{directory"/var/named";forwarders{;;};};zone“"{typeslave;masters{;};file"";forwarders{};};mysqlpostgresqlLDAPBDB,BerkeleyDB,sleepycatkey-valuepowerDNS,cache,30000

x86armDNS0.2540.73客户端不同，结果不同DNSWeb

100G

.zonewww..zone2www.主DNSweb从DNSweb/www/htdocsmysqld1、:,，phpwind（V1），phpmyadmin(V2)2、SSL,https://3、DNS，自已名称解析服务，主、从架构4、要能实现web健康状态检查,5s进行一次检查5、ab对服务器压力测试ViewViewsallowyoutopresentonenameserverconfigurationtoonecommunityofhostsandadifferentconfigurationtoanothercommunity.Theviewstatementmustcomeafteranyoptionsstatement,thoughnotnecessarilyrightafterit.Youcanselectwhichhosts"see"aparticularviewusingthematch-clientsviewsubstatement,whichtakesanaddressmatchlistasanargument.Ifyoudon'tspecifyacommunityofhostswithmatch-clients,theviewappliestoallhosts.JustbesureyoudefinetheACLoutsidetheviewbecauseyoucan'tuseaclstatementsinsideviews.Whatcanyouputinsideaviewstatement?Almostanything(well,exceptforaclstatements).Anyconfigurationoptionyouspecifywithinaviewoverridesthelike-namedglobaloption(e.g.,oneintheoptionsstatement)forhoststhatmatchmatch-clients.AvoidingaBogusNameserverInyourtermasnameserveradministrator,youmightfindsomeremotenameserverthatrespondswithbadinformationold,incorrect,badlyformatted,orevendeliberatelydeceptive.Youcanattempttofindanadministratortofixtheproblem.Oryoucansaveyourselfsomegriefandconfigureyournameservernottoaskquestionsofthisserver,whichispossiblewithBIND8,andBIND9.1.0andlater.Hereistheconfigurationfilestatement:server{bogusyes;};Ifyoutellyournameservertostoptalkingtoaserverthatistheonlyserverforazone,don'texpecttobeabletolookupnamesinthatzone.Hopefully,thereareotherserversforthatzonethatcanprovidegoodinformation.options{blackhole{10/8;172.16/12;192.168/16;};};MonitoringwithloggingBINDhasaveryflexibleandconfigurableloggingsystemchanneldefineswhereloginformationshouldgoCanusecustomchanneloruseroneoffourpredefinedchannelscategorydefineswhatshouldbeloggedAlllogmessagesaredividedintooneoffifteencategories.Acategorydirectivewillbeusedtodeterminetowhichchannelslogmessagesshouldbedirected.MessagesinonecategorymaybedirectedtomultiplechannelschannelchanneldefinestargetforlogsCansyslogtoanyfacilityoruseafileChannelsallowyoutofilterbymessageseveritySimilartosyslogseveritycriticalerrorwarningnoticeinfodebug[level]dynamicdebuganddynamicareuniquetoBINDdefaultisinfoAdditionaloptionsforverboseoutputprint-severitylogtheseveritylevelofmessagesprint-categorylogthecategoryofmessagesprint-timelogthedateandtimeofmessagesNote:syslog()alreadyrecordsthisinformationFourpredefinedchannelsare:channel“default_syslog”{syslogdaemon;severityinfo;}channel“default_debug”{file“named.run”;severitydynamic;}channel“default_stderr”{stderr;severityinfo;};channel“null”{null;};categorycategorystatementassociatesacategorywithachannelforloggingFifteencategoriestochoosefromdefaultDefinesdefaultchannelforcategoriesgeneralCatch-allcategoryforunclassifiedmessagesclientClientrequestproblemsconfigConfigurationfileproblemsdispatchDispatchofinboundpacketstointernalservermodulesdnssecDNSSECandTSIGlame-serversProblemsduetoremoteservermisconfigurationnetworkRelatedtonetworkoperationsnotifyNOTIFYannouncementsqueriesQueryprocessingresolverRecursivequeryprocessingsecurityAcceptedordeniedrequestsupdateDynamicupdatesxfer-inZonetransfersreceivedbytheserverxfer-outZonetransferssentbytheserverAnexamplelogging{channelmy_file{file"log.msgs"versions3size10k;severitydynamic;};channelmy_syslog{sysloglocal0;severityinfo;};categoryxfer-in{my_file;};categoryupdate{my_syslog;};};TheloggingStatement定义一个channel，要求使用file来记录日志，滚动数目为10，每个最大为10M级别为dynamic要求记录额外信息；定义一个类别，记录查询日志信息至前面的channel中去logging{channel“query_log”{file“/var/log/bind9/query.log”versions10size10M;severitydynamic;print-categoryyes;print-severityyes;print-timeyes;};categoryqueries{query_log;};};channelerror_log{file/var/log/bind9/error.logversions10size1M;severityerror;print-severityyes;print-categoryyes;print-timeyes;};categorydefault{error_log;};rndcrndc-confgen>/etc/rndc.confreloadReloadsthenameserver.Sendthiscommandtoaprimarynameserveraftermodifyingitsconfigurationfileoroneormoreofitszonedatafiles.Youcanalsospecifyoneormoredomainnamesofzonesasargumentstoreload;ifyoudo,thenameserverwillreloadonlythesezones.stopCausesthenameservertoexit,writingdynamiczonestotheirzonedatafiles.freezezoneSuspendsdynamicupdatestothespecifiedzone.thawzoneResumesdynamicupdatestothespecifiedzone.reconfig[-noexpired]Tellsthenameservertocheckitsconfigurationfilefornewordeletedzones.Sendthiscommandtoanameserverifyou'veaddedordeletedzonesbuthaven'tchangedanyexistingzones'data.Specifyingthe-noexpiredflagtellsthenameservernottobotheryouwitherrormessagesaboutzonesthathaveexpired.flushFlushes(empties)thenameserver'scache.TSIGTransactionSIGnaturesUsessharedsecretsandaone-wayhashfunctiontoauthenticateDNSmessages,particularlyresponsesandupdates.Berelativelysimpletoconfigure,light-weightforresolversandnameserverstouse,andflexibleenoughtosecureDNSmessages(includingzonetransfers)anddynamicupdates.dnssec-keygen-aHAC-MD5-b128-n\HOST.BeforeusingTSIGforauthentication,weneedtoconfigureoneormoreTSIGkeysoneitherendofthetransaction.Forexample:key“keyname”{algorithmhmac-md5;secret“skrKc4Twy/cIgIykQu7JZA==”;};ThekeytoconfiguringournameserverswithTSIGkeysistheserverstatement'skeyssubstatement,whichtellsanameservertosignqueriesandzonetransferrequestssenttoaparticularremotenameserver.Sytax:server(ipv4_address){keys{somekey;};};channel->syslog,file,stderr,nullcategory->类别，DNS服务器产生服务器信息的类别，bind-chrootbindjail/var/named/chroot/etc//var/named/chroot/var/named/data实践项目所使用的网络拓扑结构DMZGWsshEx_ClientDNS-S&In_Client

DNS-P&

telnet,http,vsftpDNAT

内网主机名字：