Linux下DNS服务器架设基础
本文写作时间:2002.9.29
OS: RedHat Linux 7.3
DNS: Bind 9.2.0
先来看看理论
如果还没有掌握DNS理论,那么先仔细阅读着一节。否则可以直接看下一节。
RFC文档:
- [1032] Domain administrators guide
- [1033] Domain administrators operations guide
- [1034] Domain names - concepts and facilities
- [1035] Domain names - implementation and specification
DNS概述
DNS有三个主要的部分,分别是域名空间、资源纪录和名字服务器。
名字空间(DOMAIN NAME SPACE)和资源纪录(RESOURCE RECORDS):
是树形结构的名字空间和与名字关联的数据的规范。通常域名空间树的每个节点和树叶都是一些信息的集合,查询操作试图从中获取特定的信息。A query names the domain name of interest and describes the type of resource information that is desired. For example, the Internet uses some of its domain names to identify hosts; queries for address resources return Internet host addresses.
名字服务(NAME SERVERS):
是用来管理域名的树形结构和信息的服务器程序。A name
server may cache structure or set information about any part
of the domain tree, but in general a particular name server
has complete information about a subset of the domain space,
and pointers to other name servers that can be used to lead to
information from any part of the domain tree. Name servers
know the parts of the domain tree for which they have complete
information; a name server is said to be an AUTHORITY for
these parts of the name space. Authoritative information is
organized into units called ZONEs, and these zones can be
automatically distributed to the name servers which provide
redundant service for the data in a zone.
- RESOLVERS are programs that extract information from name
servers in response to client requests. Resolvers must be
able to access at least one name server and use that name
server's information to answer a query directly, or pursue the
query using referrals to other name servers. A resolver will
typically be a system routine that is directly accessible to
user programs; hence no protocol is necessary between the
resolver and the user program.
域名空间和资源纪录
一个域名占据一个节点。每个节点上有一个资源信息的集合,这个集合是可空的。资源信息集合由资源记录构成。资源记录在集合中的顺序没有意义,and need not be preserved by name servers or resolvers or other parts of the DNS。
一条资源记录有以下要素:
- owner:资源记录所属的域名。
- type:是一个16位的编码值,用来说明在此条资源纪录中的资源的类型。资源类型包括:A、CNAME、HINFO、MX、NS、PTR和SOA。
- class:是一个16位的编码值,用来指明协议族。取值为IN和CH,分别表示Internet system和Chaos system。
- TTL:RR的生存期。是一个疫苗为单位的32位整数。
- RDATA:是一个依赖于type用来对资源进行描述的数据,有时也依赖于class。取值为A、CNAME、MX、NS、PTR和SOA。
区域-zone
域名服务器
BIND的配置运行
BIND的配置类型有:主服务器,辅助服务器,纯缓存服务器,以及秘密服务器。这里介绍的BIND域名服务器,以RedHat-7.3环境为准。
bind-9.2.0-8 RPM包中的文件,这里不包括文档:
- /etc/logrotate.d/named,logrotate 程序是一个日志文件管理工具,用来删除旧的日志文件,并创建新的日志文件。logrotate一般通过 cron 程序来执行。logrotate 程序还可以用于压缩日志文件,以及发送日志到指定的E-mail。更详细的内容清参阅logrotate的手册页。
- /etc/rc.d/init.d/named,启动或者停止域名服务的脚本。
- /etc/rndc.conf,域名服务控制工具rndc的配置文件。
- /etc/rndc.key,
- /etc/sysconfig/named,
- /usr/sbin/dns-keygen,
- /usr/sbin/dnssec-keygen,为安全域名服务生成密钥,关于安全域名服务参阅RFC 2535。
- /usr/sbin/dnssec-makekeyset,
- /usr/sbin/dnssec-signkey,
- /usr/sbin/dnssec-signzone,
- /usr/sbin/lwresd,轻量级解析守护程序。
- /usr/sbin/named,域名服务守护程序。
- /usr/sbin/named-bootconf,生成配置文件的脚本。
- /usr/sbin/named-checkconf,
- /usr/sbin/named-checkzone,
- /usr/sbin/rndc,域名服务的控制工具,用来取代ndc。
- /usr/sbin/rndc-confgen,
- /var/named,
- /var/run/named,
caching-nameserver-7.2-1 RPM软件包中的文件:
- /etc/named.conf
- /var/named/localhost.zone
- /var/named/named.ca,named.ca文件的作用是告诉服务器根域的域服务器的地址,这个文件很少变动。该文件可通过匿名ftp从ftp.rs.internic.net下载,在domain目录下,文件名为 named.root。
- /var/named/named.local
纯缓存服务器配置实例
纯缓存服务器运行域名服务器守护程序,但是本身并没有域名数据库。它每次接收到查询时先到缓存中查找,如果不成功再到远程的域名服务器上查找,同时把查找到的结果存入到缓存中。
相关的文件:
- /etc/named.conf
- /var/named/named.ca
- /var/named/named.local
下面是/etc/named.conf配置文件的例子:
options {
directory "/var/named";
forwarders {202.97.224.68;202.97.230.4;};
};zone '.' {
type hint;
file "named.ca";
};zone '0.0.127.in-addr.arpa' {
type master;
file "named.local";
};
forwarders告诉服务器,查询不成功时把查询转发到它所声明的IP地址。
配置文件/var/named/named.local的例子:
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; MinimumIN NS localhost.
1 IN PTR localhost;
配置文件/var/named/named.ca的例子:
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives
; file named.root
;
; last update: Aug 22, 1997
; related version of root zone: 1997082200
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; temporarily housed at ISI (IANA)
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
以上是一个纯缓存服务器的配置方法,使用rndc或者直接启动named守护进程,纯缓存服务器就开始工作了。
主服务器配置实例
主服务器是给定域的所有信息的授权来源.它所装载的域信息来自于由域管理员所创建并在本地维护的磁盘文件。用"test.com"作为例子。
相关的文件:
- /etc/named.conf
- /var/named/named.ca
- /var/named/named.local
- /var/named/named.cy9.dq.cnpc.com.cn
- /var/named/named.10.61.132
创建或修改/etc/named.conf:
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "cy9.dq.cnpc.com.cn" {
type master;
file "named.cy9.dq.cnpc.com.cn";
};
zone "132.61.10.in-addr.arpa" {
type master;
file "named.10.61.132";
};
include "/etc/rndc.key";
文件中的zone 'test.com'段是声明这是用于test.com域的主服务器,用于该域的数据从/var/named/named.test.com文件中装载.文件中的zone '0.16.172.in-addr.arpa'段是指向映射IP地址172.16.0.* 到主机名的文件.用于该域的数据从/var/named/named.172.16.0文件中装载.
创建或修改/var/named/named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ; Minimum
);
NS lhpns.cy9.dq.cnpc.com.cn.
1 IN PTR localhost.
注意:在修改named.*文件时每次存盘时要注意增加Serial值。如使用绝对域名时千万别忘了后面带的'.'
资源记录中的@字符转变为当前的域test.com,IN表示资源记录使用TCP/IP地址,SOA表示管辖开始记录.ns.test.com. 是这个域的主DNS服务器的标准名称,在之后是联系的EMAIL地址,其中@字符必须用'.'代替.
创建/var/named/named.cy9.dq.cnpc.com.cn
@ IN SOA lhpns.cy9.dq.cnpc.com.cn. root.lhpns.cy9.dq.cnpc.com.cn. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ; Minimum
);
NS lhpns
ns A 10.61.132.10
lhp A 10.61.132.6
cyk1 A 10.61.132.6
创建/var/named/named.10.61.132
@ IN SOA lhpns.cy9.dq.cnpc.com.cn. root.lhpns.cy9.dq.cnpc.com.cn. (
2000051500 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ; Minimum
);
NS lhpns
10 IN PTR ns.cy9.dq.cnpc.com.cn.
6 IN PTR cyk1.cy9.dq.cnpc.com.cn.
6 IN PTR lhp.cy9.dq.cnpc.com.cn.
辅服务器
辅服务器从主服务器上获取域信息的完整拷贝.也能以授权方式回答有关域的查询.我们用'test.com'作为例子。
相关的文件:
- /etc/named.conf
- /var/named/named.ca
- /var/named/named.local
创建或修改/etc/named.conf:
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a SM nameserver config
//
zone '.' {
type hint;
file "named.ca";
};
zone '0.0.127.in-addr.arpa' {
type master;
file "named.local";
};
//there are our slave zone files
zone "test.com" {
type slave;
file "named.test.com";
masters {172.16.0.1;};
};
zone '0.16.172.in-addr.arpa' {
type slave;
file 'named.172.16.0';
masters {172.16.0.1;};
};
在文件中'masters {172.16.0.1;};'其中的IP地址是你网络中主服务器的IP地址.
从主服务器上拷贝/var/named/named.ca和/var/named/named.local这两个文件.
实际运行的服务器可以是以上其中一种配置,也能同时包含多种配置.但所有的系统都应该运行解析器.