DNS Configuration on Linux

Many hosting platforms offer a "cloud DNS" service. Cloud DNS is simply a DNS server run by the provider. Normally, after buying a domain from a registrar, you set the domain's NS records; for example, after buying miner-k.com from a registrar you configure cloud DNS for it by pointing the NS record values at the name servers the cloud DNS service provides (ns1.alidns.com, ns2.alidns.com).

There are two common scenarios after buying a domain:

 - Build a domain environment inside the company, with many hosts configured under the domain
 - Point the domain directly at a single host name (only one server is used)

Basic concepts

DNS: Domain Name Service, the domain name resolution service

FQDN: Fully Qualified Domain Name

TLD: Top Level Domain
Organizational domains: .com, .org, .net, .cc
Country domains: .cn, .tw, .hk, .jp
Reverse lookup (reverse domain, in-addr.arpa): IP -> FQDN
Forward lookup: FQDN -> IP

Query methods:

There are two query methods: recursive and iterative.

Recursive: the client asks its local DNS server; if the local server has no record it queries other name servers on the client's behalf and returns the final result to the client.
Iterative: take a query for www.qq.com. The local DNS server first asks a root server; the root server tells it the NS and A records for qq.com, and the local server then asks the qq.com server for the A record of www.qq.com. (The +trace output in the dig section below shows the full chain of referrals: root, then the TLD servers, then the domain's own servers.)


DNS server:
Accepts queries from local clients (recursive service)
Requests from external clients: authoritative answers for the zones it holds
  positive answer: cached by the client for the record's TTL
  negative answer: cached for the negative-answer TTL taken from the SOA
Requests from external clients: non-authoritative answers (served from cache)

Caching DNS server: holds no zones of its own and only caches answers obtained from other servers.

Note: a company registers a domain (qq.com); on the com DNS servers the qq.com host is pointed at an IP address, and the company then builds its own DNS server that assigns different host names to different servers, for example www.baidu.com, ftp.baidu.com, yunpan.baidu.com, tv.baidu.com.

Each entry in the zone database is called a resource record (RR).
Resource record format:

NAME (owner) | TTL (may be omitted when a global $TTL is set) | IN (Internet class) | RRT (resource record type) | VALUE

| Record | TTL | Class | Type | Value fields |
|---|---|---|---|---|
| Start of authority | defaults to 60 minutes | IN (Internet) | SOA (start of authority: governs master/slave synchronisation and names the object of the authority) | owner name, primary server's DNS name, serial number, refresh interval, retry time, expire time, minimum (negative-answer) TTL |
| Host record | the record's own TTL if present, otherwise the zone TTL | IN | A (IPv4), AAAA (IPv6), PTR (reverse lookup) | owner name, IP address |
| Name server record | the record's own TTL if present, otherwise the zone TTL | IN | NS | zone name, name server's name |
| Mail exchanger record | the record's own TTL if present, otherwise the zone TTL | IN | MX | zone name, mail exchanger's DNS name, preference (0-99; the lower the number, the higher the priority) |
| Alias record | the record's own TTL if present, otherwise the zone TTL | IN | CNAME (Canonical Name) | owner name, the host's DNS name |

Resource record types:

SOA (Start Of Authority):
    ZONE NAME   TTL     IN      SOA     FQDN(name of the primary DNS server)   ADMINISTRATOR_MAILBOX (
                        serial number
                        refresh
                        retry
                        expire
                        negative answer TTL )

    serial number: zone serial number (a slave transfers the zone when the master's serial is newer)
    refresh:       refresh interval, how often the slave checks the master for changes
    retry:         retry interval, how long to wait before retrying after a failed check (must be smaller than refresh)
    expire:        expiry time, how long the slave keeps serving the zone while it cannot reach the master
    negative answer TTL: cache time for negative answers

    Time units: M (minutes), H (hours), D (days), W (weeks); the default unit is seconds
    Mailbox format: admin@miner.com is written as admin.miner.com

    miner.com.      600     IN      SOA     ns1.miner.com.      admin.miner.com. (
                        2013040101
                        1H
                        5M
                        1W
                        1D )


NS (Name Server): ZONE NAME --> FQDN    # the name server for miner.com is ns1.miner.com
    miner.com.      600     IN      NS      ns1.miner.com.
    miner.com.      600     IN      NS      ns2.miner.com.
    ns1.miner.com.  600     IN      A       1.1.1.2
    ns2.miner.com.  600     IN      A       1.1.1.5


MX (Mail eXchanger): ZONE NAME --> FQDN
    ZONE NAME   TTL     IN      MX  pri     VALUE
    Preference: 0-99; the lower the number, the higher the priority
        miner.com.  600     IN      MX  10  mail.miner.com.
        mail.miner.com. 600     IN  A   1.1.1.3


A (address): FQDN --> IPv4
AAAA: FQDN --> IPv6

PTR (pointer): IP --> FQDN


CNAME (Canonical NAME): FQDN --> FQDN    # www2.miner.com is an alias of www.miner.com
    www2.miner.com.     IN      CNAME       www.miner.com.


Wildcard records:
*.miner-k.com.  IN   A  1.1.1.3
All names under miner-k.com that have no record of their own resolve to 1.1.1.3

TXT
CHAOS
SRV
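As an added example (not code from the original post), the following Python script parses zone files written in the format above and checks the points this section makes: the SOA retry must be smaller than refresh, every name server of the zone needs an address record, a name with a CNAME may carry no other records, and a name without a trailing "." has the origin appended. Fed the master zone from the replication section of this page, it reports that the SOA mailbox admin.miner.com, written without a trailing dot, becomes admin.miner.com.miner-k.com., which is exactly what the dig -t axfr output further down shows. The BROKEN_ZONE input and all function names are my own.

```python
"""Minimal BIND zone-file parser and sanity checker.

Added example, not code from the original post. It handles the constructs the
zone files in this post use: $TTL, "@" for the origin, an omitted owner name
(repeats the previous owner), relative names that get the origin appended when
the trailing "." is missing, a multi-line SOA in ( ), ";" comments and the
time units M/H/D/W (case-insensitive, as BIND treats them).
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"(\d+)([smhdw]?)", re.IGNORECASE)


def ttl_seconds(text):
    """'1H' -> 3600, '5m' -> 300, '600' -> 600 (no unit means seconds)."""
    m = TTL_RE.fullmatch(text)
    if not m:
        raise ValueError("bad TTL %r" % text)
    return int(m.group(1)) * UNITS[(m.group(2) or "s").lower()]


def qualify(name, origin, warnings):
    """BIND's origin rule: '@' is the origin; a name without a trailing '.' gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if name.count(".") >= 2:  # looks like an FQDN whose trailing dot was forgotten
        warnings.append("%s has no trailing '.', so it becomes %s.%s" % (name, name, origin))
    return name + "." + origin


def parse_zone(text, origin):
    """Return (records, warnings); a record is (owner, ttl, type, rdata tuple) with absolute names."""
    origin = origin if origin.endswith(".") else origin + "."
    warnings, records, default_ttl, last_owner = [], [], None, origin
    logical, buf, depth = [], "", 0          # fold "( ... )" continuations into one logical line
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # drop comments
        buf = buf + " " + line if depth else line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            logical.append(buf)
            buf = ""
    for line in logical:
        if not line.strip():
            continue
        if line.startswith("$TTL"):
            default_ttl = ttl_seconds(line.split()[1])
            continue
        toks = line.replace("(", " ").replace(")", " ").split()
        # a line starting with whitespace repeats the previous owner name
        owner = last_owner if line[0].isspace() else qualify(toks.pop(0), origin, warnings)
        last_owner, ttl = owner, default_ttl
        if TTL_RE.fullmatch(toks[0]):
            ttl = ttl_seconds(toks.pop(0))
        if toks[0].upper() == "IN":
            toks.pop(0)
        rtype = toks.pop(0).upper()
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = (qualify(toks[0], origin, warnings),)
        elif rtype == "MX":
            rdata = (int(toks[0]), qualify(toks[1], origin, warnings))
        elif rtype == "SOA":                 # mname, rname, serial, refresh, retry, expire, negative TTL
            rdata = (qualify(toks[0], origin, warnings), qualify(toks[1], origin, warnings),
                     *[ttl_seconds(t) for t in toks[2:7]])
        else:
            rdata = tuple(toks)
        records.append((owner, ttl, rtype, rdata))
    return records, warnings


def check_zone(text, origin):
    """Return the problems worth fixing before loading the zone (an empty list means clean)."""
    origin = origin if origin.endswith(".") else origin + "."
    records, problems = parse_zone(text, origin)
    soa = [r for r in records if r[2] == "SOA"]
    if len(soa) != 1:
        return problems + ["zone needs exactly one SOA record, found %d" % len(soa)]
    mname, _rname, _serial, refresh, retry, _expire, _neg_ttl = soa[0][3]
    if retry >= refresh:
        problems.append("SOA retry (%ds) must be smaller than refresh (%ds)" % (retry, refresh))
    ns_targets = {r[3][0] for r in records if r[2] == "NS" and r[0] == origin}
    if not ns_targets:
        problems.append("zone apex has no NS record")
    elif mname not in ns_targets:
        problems.append("SOA primary %s is not listed as an NS of the zone" % mname)
    addressed = {r[0] for r in records if r[2] in ("A", "AAAA")}
    for ns in sorted(ns_targets):
        if ns.endswith("." + origin) and ns not in addressed:
            problems.append("in-zone name server %s has no A/AAAA (glue) record" % ns)
    for owner in {r[0] for r in records if r[2] == "CNAME"}:
        if any(r[0] == owner and r[2] != "CNAME" for r in records):
            problems.append("%s has a CNAME and other records, which is not allowed" % owner)
    return problems


# The master zone from the replication section of this post (comment rewritten with ';').
MASTER_ZONE = """$TTL 600
@ IN SOA ns1.miner-k.com. admin.miner.com (
                        20170819
                        1H
                        5M
                        1W
                        3H
)
        IN NS ns1.miner-k.com.
ns1     IN A 127.0.0.1
@       IN NS ns2
ns2     IN A 122.112.217.171    ; the slave's address
www     IN A 117.78.49.24
ftp     IN A 117.78.49.24
pop     IN A 117.78.49.24
"""

# Constructed zone with several defects the checker reports.
BROKEN_ZONE = """$TTL 600
@   IN SOA ns1.example.test. admin.example.test. (
        1 5M 1H 1W 3H )
    IN NS ns1
    IN NS ns9.example.test.
www IN A 192.0.2.10
www IN CNAME ns1
"""

if __name__ == "__main__":
    for name, zone in (("miner-k.com", MASTER_ZONE), ("example.test", BROKEN_ZONE)):
        print(name, check_zone(zone, name) or "OK")
```

The checker is deliberately stricter than named-checkzone on one point: named-checkzone loads the master zone above without complaint, because admin.miner.com.miner-k.com. is a syntactically valid mailbox name; only the warning here, or the SOA line in a transfer, reveals that the intended address was lost.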


Socket: IP address + port
Domain: a domain
Zone: a zone

A domain is a logical concept and a zone is a physical one (the data actually held on a server). Zones are divided into forward zones and reverse zones, each with its own data file.

Deployment environment

[root@miner_k ~]# cat /etc/redhat-release 
CentOS release 6.9 (Final)
[root@miner_k ~]# 

Deployment

BIND (Berkeley Internet Name Domain)

Installation

[root@cxy-65 ~]# yum -y install bind bind-utils bind-libs

[root@cxy-65 ~]# rpm -qa | grep bind
bind-9.8.2-0.62.rc1.el6_9.4.x86_64       #main package
bind-utils-9.8.2-0.62.rc1.el6_9.4.x86_64    #bind utilities (dig, host, nslookup)
rpcbind-0.2.0-13.el6_9.1.x86_64          #unrelated, only matched by the grep
bind-libs-9.8.2-0.62.rc1.el6_9.4.x86_64  #bind libraries

Configuration files

[root@miner_k ~]# rpm -qc bind-9.8.2-0.62.rc1.el6_9.4.x86_64
/etc/logrotate.d/named  
/etc/named.conf                   #main configuration file
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf                       #rndc (remote name daemon control) configuration
/etc/rndc.key                       #rndc key file
/etc/sysconfig/named
/var/named/named.ca       #addresses of the 13 root name servers
/var/named/named.empty
/var/named/named.localhost     #forward zone for localhost
/var/named/named.loopback    #reverse zone for 127.0.0.1

Zone definition format:

zone "ZONE NAME" IN {
    type {master|slave|hint|forward};
};

Master zone:
    file "zone data file";    #relative to the directory option, or an absolute path

Slave zone:
    file "zone data file";
    masters { master1_ip; };

Edit the main configuration file /etc/named.conf:
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
};


zone "." IN {                #root zone (hints)
        type hint;
        file "named.ca";
};

zone "localhost" IN {     #zone for localhost
        type master;
        file "named.localhost";

};


zone "0.0.127.in-addr.arpa" IN {    #reverse zone for 127.0.0.1
        type master;
        file "named.loopback";
};



acl configuration

Format:

acl string { address_match_element; ... };

Example:

acl internet {
        192.168.3.0/24;
        10.0.0.0/24;
        172.16.8.2;
};


options {

        directory       "/var/named";
        allow-query-cache { internet;}; 
};

Directives in the options block:

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";           #location of the zone data files
        allow-recursion { 192.168.1.0/24; };    #networks allowed to make recursive queries
        recursion no;          #no: recursion disabled for all clients; yes: recursion allowed (for the clients in allow-recursion)
        allow-query     { any; };    #clients allowed to query
        allow-transfer { 122.112.217.171/32; }; #hosts allowed to request zone transfers (AXFR/IXFR); restrict this to the slaves
        forward first;     #forwarding mode: first tries the forwarders and falls back to resolving itself; only never resolves itself
        forwarders  { 192.168.12.1;};  #queries this server cannot answer are forwarded to these servers

};
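As an added example (not from the original post), this Python script reads a named.conf and reports the settings that expose the server: recursion open to everyone, zone transfers not restricted, and an rndc control channel reachable from any address. HARDENED_CONF is the options block above plus a master zone; EXPOSED_CONF is a constructed configuration making the opposite choices. The parser only covers the syntax used on this page, and the defaults it assumes are those of BIND 9.8, the version installed here.

```python
"""Audit the exposure-relevant settings in a named.conf.

Added example, not part of the original post. It understands only the subset of
named.conf syntax this post uses (options, controls, acl and zone blocks,
address-match lists, '#', '//' and '/* */' comments) and applies BIND 9.8's
defaults where a directive is absent: recursion yes, allow-recursion limited to
localhost/localnets, allow-transfer any.
"""
import re


def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)


def block_after(text, pos):
    """Body of the first { ... } block starting at or after pos (brace-depth aware)."""
    start = text.index("{", pos)
    depth, i = 1, start + 1
    while depth:
        depth += (text[i] == "{") - (text[i] == "}")
        i += 1
    return text[start + 1:i - 1]


def block_body(text, keyword):
    m = re.search(r"(?<![\w-])%s\s*\{" % keyword, text)
    return block_after(text, m.start()) if m else None


def match_list(body, directive):
    """'allow-transfer { 1.2.3.4; any; };' -> ['1.2.3.4', 'any']; None when the directive is absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(directive), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def scalar(body, directive):
    """'recursion no;' -> 'no'; None when absent."""
    m = re.search(r"(?<![\w-])%s\s+([^;{]+);" % re.escape(directive), body)
    return m.group(1).strip() if m else None


def open_to_all(elements):
    return bool(elements) and any(e.lower() in ("any", "0.0.0.0/0", "::/0") for e in elements)


def audit(conf):
    """Return a list of findings; an empty list means nothing exposure-relevant was found."""
    text = strip_comments(conf)
    opts = block_body(text, "options") or ""
    findings = []
    recursion = (scalar(opts, "recursion") or "yes").lower()
    if recursion == "yes" and open_to_all(match_list(opts, "allow-recursion")):
        findings.append("options: recursion is enabled and allow-recursion includes any (open resolver)")
    global_xfer = match_list(opts, "allow-transfer")
    for m in re.finditer(r'zone\s+"([^"]+)"', text):
        zone, body = m.group(1), block_after(text, m.end())
        if (scalar(body, "type") or "").lower() != "master":
            continue
        effective = match_list(body, "allow-transfer")   # zone-level overrides options-level
        if effective is None:
            effective = global_xfer
        if effective is None:
            findings.append('zone "%s": allow-transfer is not set; BIND 9.8 then allows AXFR from any host' % zone)
        elif open_to_all(effective):
            findings.append('zone "%s": allow-transfer includes any, so the whole zone can be pulled with dig -t axfr' % zone)
    controls = block_body(text, "controls")
    if controls and (open_to_all(match_list(controls, "allow"))
                     or re.search(r"inet\s+(0\.0\.0\.0|\*|any)\b", controls)):
        findings.append("controls: the rndc control channel accepts connections from any address; "
                        "keep it on 127.0.0.1 unless remote control is required")
    return findings


# The options block from this section plus one master zone.
HARDENED_CONF = """
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-recursion { 192.168.1.0/24; };
        recursion no;
        allow-query     { any; };
        allow-transfer { 122.112.217.171/32; };   // only the slave may pull the zone
        forward first;
        forwarders  { 192.168.12.1;};
};
zone "miner-k.com" IN {
        type master;
        file "miner-k.com.zone";
};
"""

# Constructed configuration with the settings the audit flags.
EXPOSED_CONF = """
options {
        listen-on port 53 { any; };
        directory       "/var/named";
        allow-query     { any; };
        allow-recursion { any; };   # recursion open to the world
};
controls {
        inet 0.0.0.0 port 953 allow { any; } keys { "rndc-key"; };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "miner-k.com" IN {
        type master;
        file "miner-k.com.zone";
};
zone "49.78.117.in-addr.arpa" IN {
        type master;
        file "117.78.49.zone";
};
"""

if __name__ == "__main__":
    for label, conf in (("hardened", HARDENED_CONF), ("exposed", EXPOSED_CONF)):
        print(label, audit(conf) or "OK")
```

The master configuration in the replication section of this page sets allow-query { any; } but no allow-transfer at all, so the audit would flag both of its master zones; the allow-transfer line in the options block above is the fix.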

Syntax-checking the configuration files

# check that the configuration file is mode 640 and owned by group named
[root@miner-k etc]# ll /etc/named.conf
-rw-r----- 1 root named 300 Aug 14 10:58 /etc/named.conf


# check named.conf for syntax errors (no output means it is fine)
[root@miner-k ~]# named-checkconf   



#check the zone data files
[root@miner-k ~]# named-checkzone "localhost"   /var/named/named.localhost       
zone localhost/IN: loaded serial 0
OK
[root@miner-k ~]# named-checkzone "0.0.127.in-addr.apra" /var/named/named.lo
named.localhost  named.loopback   
[root@miner-k ~]# named-checkzone "0.0.127.in-addr.apra" /var/named/named.loopback 
zone 0.0.127.in-addr.apra/IN: loaded serial 0
OK

Ports

53/udp
53/tcp
953/tcp rndc
DNS normally queries over UDP because it is faster; when a complete answer cannot be obtained that way (the reply is truncated), the query is repeated over TCP. Zone transfers also run over TCP.
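As an added example (not from the original post), the following Python code builds a DNS query in wire format and reads the header flags of a reply, including the TC bit that tells the client to repeat the query over TCP. The replies are constructed in-process (nothing is sent), and the flag letters follow the "flags:" line that dig prints in the client-tools section later on this page.

```python
"""Build a DNS query and read the header flags of a reply, including the TC bit
that makes a client repeat the query over TCP.

Added example, not from the original post. The replies below are constructed
in-process (no packets are sent); the flag letters follow dig's output format
(qr aa tc rd ra) seen in the dig section of this post.
"""
import random
import struct

FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200), ("rd", 0x0100), ("ra", 0x0080))
QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28, "AXFR": 252}


def encode_name(name):
    """www.baidu.com -> b'\\x03www\\x05baidu\\x03com\\x00' (RFC 1035 label format)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype="A", txid=None, rd=True):
    """Return (txid, wire bytes) of a standard query; rd=False is what dig +norecurse sends."""
    txid = random.randrange(0, 65536) if txid is None else txid
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return txid, header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(data):
    """Decode the 12-byte header into a dict of flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    h = {name: bool(flags & bit) for name, bit in FLAG_BITS}
    h.update(id=txid, rcode=flags & 0x000F, qdcount=qd, ancount=an, nscount=ns, arcount=ar)
    return h


def flags_text(header):
    """Render the flags the way dig prints them, e.g. 'qr aa rd'."""
    return " ".join(name for name, _ in FLAG_BITS if header[name])


def needs_tcp_retry(query_id, reply):
    """True when the UDP reply is truncated (TC set): the client must ask again over TCP."""
    h = parse_header(reply)
    if h["id"] != query_id or not h["qr"]:
        raise ValueError("reply does not belong to this query")
    return h["tc"]


def tcp_framing(wire):
    """Over TCP every DNS message is prefixed with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(wire)) + wire


def make_reply(txid, flags, question_section, ancount=0):
    """Constructed reply: header plus the echoed question, enough for the checks above."""
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question_section


if __name__ == "__main__":
    txid, q = build_query("www.baidu.com", "A", txid=0x1234)
    truncated = make_reply(txid, 0x8380, q[12:])        # qr rd ra tc
    print("retry over TCP:", needs_tcp_retry(txid, truncated), len(tcp_framing(q)), "bytes framed")
```

The id check in needs_tcp_retry is the minimum a client must do before trusting a UDP reply; the 16-bit id plus a random source port is all that ties an answer to the question that was asked.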

Examples

Example (scenario 1)

Requirements

Buy the domain miner.com from a registrar and deploy a local DNS server that defines separate hosts www.miner.com and ftp.miner.com, with www2.miner.com as an alias of www.

DNS deployment for com (to understand how the hierarchy works)

Main configuration file

[root@com ~]# vim /etc/named.conf
options {
    directory   "/var/named";
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "named.localhost";
};


zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
};

// this part is required
zone "com" IN {        
    type master;
    file "com.zone";
};

Check permissions:
the configuration file is mode 640 and owned by group named

[root@com ~]# ll /etc/named.conf
-rw-r----- 1 root named 282 Aug 17 11:25 /etc/named.conf

Zone data file:

[root@com ~]# vim /var/named/com.zone
$TTL 600
@ IN SOA ns1.com. admin.miner.com (
                        20170817
                        1D
                        1H
                        1W
                        3H
)
        IN NS ns1.com.
ns1     IN A 127.0.0.1
miner-k   IN A *.*.217.247    ;an NS record could be used here instead, but its name must then be resolvable; the "*" masks the real IP address

or
miner-k   IN    NS  ns2.alidns.com.   ;with Alibaba Cloud DNS, point this at ns2.alidns.com or ns1.alidns.com (trailing "." required, or "com" is appended)

DNS deployment for miner.com

Company intranet DNS server (forward zone)

Main configuration file

# edit the main configuration file
[root@miner ~]# vim /etc/named.conf
[root@miner ~]# cat /etc/named.conf
options {
    directory   "/var/named";
};



zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "named.localhost";
};


zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
};

zone "miner-k.com" IN {
    type master;
    file "miner-k.com.zone";
};



#check the main configuration file's permissions
[root@miner ~]# ll /etc/named.conf
-rw-r----- 1 root named 294 Aug 14 15:45 /etc/named.conf
[root@miner ~]# named-checkconf 

Zone data file

# edit the zone data file
[root@miner ~]# vim /var/named/miner-k.com.zone
[root@miner ~]# cat /var/named/miner-k.com.zone 
$TTL 600
miner-k.com. IN SOA ns1.miner-k.com. admin.miner-k.com (
                20170814
                1H
                5M
                1W
                5D)
;the trailing "." in miner-k.com. must not be omitted; "@" can be used in its place
;ns1.miner-k.com. is the name of the DNS server for the miner-k.com zone; it must be a name, not an address
;admin.miner-k.com is the mailbox; it would normally be admin@miner-k.com, but "@" has a special meaning in zone files, so "." is used instead (without a trailing "." the zone origin is appended to it)

    IN NS ns1.miner-k.com.     ;same owner as the previous record, so the name is omitted (leading whitespace); ns1.miner-k.com. could be abbreviated to ns1
ns1     IN A    10.0.1.53
www     IN A    10.0.1.57
ftp     IN CNAME www


#set permissions
[root@miner-k ~]# chmod 640 /var/named/miner-k.com.zone 
[root@miner-k ~]# chown root:named /var/named/miner-k.com.zone 


#check the syntax
[root@miner-k ~]# named-checkzone "miner-k.com" /var/named/miner-k.com.zone 
zone miner-k.com/IN: loaded serial 20170814
OK

Reverse zone configuration

Add the reverse zone to the main configuration file

[root@miner-k ~]# tail -5 /etc/named.conf
zone "49.78.117.in-addr.arpa" IN {
    type master;
    file "117.78.49.zone";
};

Reverse zone data file

[root@miner-k ~]# cat /var/named/117.78.49.zone 
$TTL 600
@ IN SOA ns1.miner-k.com. admin.miner-k.com (
            20170817
            1D
            1H
            1w
            1M
)

        IN NS ns1.miner-k.com.     ;the trailing "." is required here, otherwise 49.78.117.in-addr.arpa is appended automatically
247     IN PTR ns1.miner-k.com.
247     IN PTR www.miner-k.com.

Set permissions on the reverse zone data file

[root@miner-k ~]# chmod 640 /var/named/117.78.49.zone
[root@miner-k ~]# chown root:named /var/named/117.78.49.zone
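As an added example (not from the original post), the following Python code derives the reverse zone name for 117.78.49.0/24 and generates PTR records from the forward records on this page, making every target name absolute so that the problem noted in the zone file above (the origin being appended to a name without a trailing ".") cannot occur. The function and constant names are my own.

```python
"""Generate the in-addr.arpa reverse zone for a /24 from a list of forward A records.

Added example, not from the original post. It derives the zone name the way the
post does (49.78.117.in-addr.arpa for 117.78.49.0/24), writes one PTR per host
and applies the trailing-dot rule the post warns about: every name it emits is
absolute, because a PTR target without the final "." would have the reverse
zone's origin appended to it.
"""
import ipaddress


def absolute(name):
    """Make a name absolute (trailing '.') so the zone origin is never appended to it."""
    return name if name.endswith(".") else name + "."


def reverse_zone_name(network):
    """117.78.49.0/24 -> 49.78.117.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 networks are handled in this example")
    a, b, c, _ = str(net.network_address).split(".")
    return "%s.%s.%s.in-addr.arpa." % (c, b, a)


def reverse_name(ip):
    """The owner name dig -x queries for an address: 119.75.222.17 -> 17.222.75.119.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def mailbox_to_rname(mailbox):
    """admin@miner-k.com -> admin.miner-k.com. ('@' has its own meaning in a zone file)."""
    local, domain = mailbox.split("@", 1)
    return "%s.%s" % (local.replace(".", "\\."), absolute(domain))


def build_reverse_zone(network, primary_ns, mailbox, serial, forward_records, ttl=600):
    """Return (zone_name, zone_text, skipped); skipped holds records outside the network."""
    zone, net = reverse_zone_name(network), ipaddress.ip_network(network)
    lines = [
        "$TTL %d" % ttl,
        "@ IN SOA %s %s ( %d 1D 1H 1W 1M )" % (absolute(primary_ns), mailbox_to_rname(mailbox), serial),
        "  IN NS %s" % absolute(primary_ns),
    ]
    skipped = []
    for fqdn, ip in forward_records:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            skipped.append((fqdn, ip))
            continue
        lines.append("%s IN PTR %s" % (str(addr).split(".")[-1], absolute(fqdn)))
    return zone, "\n".join(lines) + "\n", skipped


# Forward records taken from this post's zone files.
FORWARD = [
    ("ns1.miner-k.com", "117.78.49.247"),
    ("www.miner-k.com", "117.78.49.247"),
    ("ns2.miner-k.com", "122.112.217.171"),  # the slave: not in 117.78.49.0/24
]

if __name__ == "__main__":
    zone, text, skipped = build_reverse_zone("117.78.49.0/24", "ns1.miner-k.com",
                                             "admin@miner-k.com", 20170817, FORWARD)
    print('zone "%s"' % zone)
    print(text)
    print("outside the network:", skipped)
```

The SOA timers (1D 1H 1W 1M) are the ones used in the reverse zone above; the generated text can be written to /var/named/117.78.49.zone and checked with named-checkzone exactly as the forward zone was.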

Example (scenario 2)

After buying the domain, point it at a single server. This is simple: add one A record in the registrar's DNS management console.

Master/slave replication

Architecture:
master IP: 117.78.49.247
slave IP: 122.112.217.171

Master server configuration:

[root@master ~]# cat /etc/named.conf
options {
        directory       "/var/named";
        allow-query     { any; };
};


zone "." IN {
        type hint;
        file "named.ca";
};


zone "localhost" IN {
        type master;
        file "named.localhost";
};


zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
};

zone "miner-k.com" IN {
        type master;
        file "miner-k.com.zone";
};

zone "49.78.117.in-addr.arpa" IN {
        type master;
        file "117.78.49.zone";
};

List the slave server in the zone data file

[root@master ~]# cat /var/named/miner-k.com.zone 
$TTL 600
@ IN SOA ns1.miner-k.com. admin.miner.com (
                        20170819
                        1H
                        5M
                        1W
                        3H
)
        IN NS ns1.miner-k.com.
ns1     IN A 127.0.0.1
@       IN NS ns2
ns2     IN A 122.112.217.171    ; the slave's IP address must be listed
www     IN A 117.78.49.24
ftp     IN A 117.78.49.24
pop     IN A 117.78.49.24

Slave server configuration:

The slave's configuration is similar to the master's; only some parts differ, so only those need to be changed.

To synchronise the zone from the master, the slave must be allowed to perform a full zone transfer (AXFR).

[root@slave ~]# cat /etc/named.conf
options {
    directory   "/var/named";
    allow-query     { any; };
};


zone "." IN {
    type hint;
    file "named.ca";
};


zone "localhost" IN {
    type master;
    file "named.localhost";
};


zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
};

zone "miner-k.com" IN {
    type slave;                 #type slave marks this as a slave zone
    masters { 117.78.49.247; };     #IP address of the master server
    file "slaves/miner-k.com.zone";   #where the slave stores the transferred zone; check the permissions of the slaves directory (named must be able to write to it)
};

zone "49.78.117.in-addr.arpa" IN {
    type slave;
    masters { 117.78.49.247; };
    file "slaves/117.78.49.zone";
};

Permissions on the slave's zone directory

[root@slave ~]# ls -ld /var/named/slaves/
drwxrwx--- 2 named named 4096 Aug 17 22:20 /var/named/slaves/

Check whether a full zone transfer is permitted

[root@slave ~]# dig -t axfr miner-k.com @117.78.49.247

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t axfr miner-k.com @117.78.49.247
;; global options: +cmd
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170817 3600 300 604800 10800
miner-k.com.        600 IN  NS  ns1.miner-k.com.
ns1.miner-k.com.    600 IN  A   127.0.0.1
www.miner-k.com.    600 IN  A   117.78.49.24
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170817 3600 300 604800 10800
;; Query time: 31 msec
;; SERVER: 117.78.49.247#53(117.78.49.247)
;; WHEN: Thu Aug 17 15:12:09 2017
;; XFR size: 5 records (messages 1, bytes 171)

Testing

Modify the master's zone data file

[root@master ~]# cat /var/named/miner-k.com.zone 
$TTL 600
@ IN SOA ns1.miner-k.com. admin.miner.com (
                        20170820    ;increase the serial number (previous value + 1)
                        1H
                        5M
                        1W
                        3H
)
        IN NS ns1.miner-k.com.
ns1     IN A 127.0.0.1
@       IN NS ns2
ns2     IN A 122.112.217.171
www     IN A 117.78.49.24
ftp     IN A 117.78.49.24
pop     IN A 117.78.49.24
hello   IN A 117.78.49.20      ;added record

Reload and watch the log on the master

[root@master ~]# service named reload
Reloading named:                                           [  OK  ]

[root@master ~]# tailf  /var/log/messages

Aug 17 22:45:12 ecs-8c70 named[13161]: reloading configuration succeeded
Aug 17 22:45:12 ecs-8c70 named[13161]: reloading zones succeeded
Aug 17 22:45:12 ecs-8c70 named[13161]: zone miner-k.com/IN: loaded serial 20170820
Aug 17 22:45:12 ecs-8c70 named[13161]: zone miner-k.com/IN: sending notifies (serial 20170820)
Aug 17 22:45:12 ecs-8c70 named[13161]: client 122.112.217.171#55585: transfer of 'miner-k.com/IN': AXFR-style IXFR started
Aug 17 22:45:12 ecs-8c70 named[13161]: client 122.112.217.171#55585: transfer of 'miner-k.com/IN': AXFR-style IXFR ended
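As an added example (not from the original post), the following Python code scans named log lines like those above: it records the serial each zone was loaded with, lists every zone transfer together with the client that requested it, and alerts when that client is not one of the configured slaves, which is what an unrestricted allow-transfer looks like in the log. The sample combines the lines shown above with constructed ones (a transfer from 203.0.113.9 and a denied cache query), marked as such; the serial comparison uses RFC 1982 arithmetic, the rule that decides whether a slave fetches the zone after a NOTIFY.

```python
"""Scan named's syslog lines for zone-transfer activity and check which client pulled the zone.

Added example, not from the original post. The line format is the one named
writes to /var/log/messages in this post; the sample below combines the lines
shown above with constructed ones (a transfer by 203.0.113.9, which is not the
slave, and a denied cache query). Serial comparison follows RFC 1982, which is
what decides whether a slave fetches a new copy after a NOTIFY.
"""
import re

LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")
TRANSFER = re.compile(r"client (?P<ip>[\d.]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': "
                      r"(?P<kind>AXFR-style IXFR|AXFR|IXFR) (?P<state>started|ended)")
SERIAL = re.compile(r"zone (?P<zone>[^/]+)/IN: (?:loaded serial|sending notifies \(serial) (?P<serial>\d+)")
DENIED = re.compile(r"client (?P<ip>[\d.]+)#\d+: query \(cache\) '[^']+' denied")


def serial_newer(a, b):
    """RFC 1982 serial arithmetic on 32-bit SOA serials: True when a is newer than b."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31))


def slave_will_transfer(master_serial, slave_serial):
    """A slave only transfers when the master's serial is newer, so bump it on every change."""
    return serial_newer(master_serial, slave_serial)


def scan(lines, zone_slaves):
    """zone_slaves: {zone: {allowed slave IPs}}. Returns (serials, transfers, alerts, denied_count)."""
    serials, transfers, alerts, denied = {}, [], [], 0
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        s = SERIAL.search(msg)
        if s:
            serials[s.group("zone")] = int(s.group("serial"))
        t = TRANSFER.search(msg)
        if t and t.group("state") == "started":
            transfers.append((ts, t.group("ip"), t.group("zone"), t.group("kind")))
            if t.group("ip") not in zone_slaves.get(t.group("zone"), set()):
                alerts.append("%s: %s transferred zone %s but is not a configured slave"
                              % (ts, t.group("ip"), t.group("zone")))
        if DENIED.search(msg):
            denied += 1
    return serials, transfers, alerts, denied


SAMPLE_LOG = [
    "Aug 17 22:45:12 ecs-8c70 named[13161]: reloading configuration succeeded",
    "Aug 17 22:45:12 ecs-8c70 named[13161]: reloading zones succeeded",
    "Aug 17 22:45:12 ecs-8c70 named[13161]: zone miner-k.com/IN: loaded serial 20170820",
    "Aug 17 22:45:12 ecs-8c70 named[13161]: zone miner-k.com/IN: sending notifies (serial 20170820)",
    "Aug 17 22:45:12 ecs-8c70 named[13161]: client 122.112.217.171#55585: transfer of 'miner-k.com/IN': AXFR-style IXFR started",
    "Aug 17 22:45:12 ecs-8c70 named[13161]: client 122.112.217.171#55585: transfer of 'miner-k.com/IN': AXFR-style IXFR ended",
    # constructed lines below
    "Aug 17 22:46:03 ecs-8c70 named[13161]: client 203.0.113.9#41022: transfer of 'miner-k.com/IN': AXFR started",
    "Aug 17 22:46:03 ecs-8c70 named[13161]: client 203.0.113.9#41022: transfer of 'miner-k.com/IN': AXFR ended",
    "Aug 17 22:47:10 ecs-8c70 named[13161]: client 198.51.100.7#5353: query (cache) 'www.baidu.com/A/IN' denied",
]

if __name__ == "__main__":
    serials, transfers, alerts, denied = scan(SAMPLE_LOG, {"miner-k.com": {"122.112.217.171"}})
    print(serials, transfers, alerts, denied, sep="\n")
    print("slave at 20170819 will transfer:", slave_will_transfer(serials["miner-k.com"], 20170819))
```

Run it against a real /var/log/messages with the set of slave addresses from the masters/allow-transfer configuration; any alert means a host other than a slave obtained a full copy of the zone.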

rndc configuration

Generate the rndc configuration file

[root@ecs-8c70 ~]# rndc-confgen > /etc/rndc.conf
[root@ecs-8c70 ~]# cat /etc/rndc.conf 
# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "5bNswdCUaehpdZiWoBtYzg==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "5bNswdCUaehpdZiWoBtYzg==";
# };
# 
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Copy the commented-out part above into named.conf (the secret is the credential for the control channel, so keep the same 640 root:named permissions used for the other configuration files)

[root@ecs-8c70 ~]# tail /etc/named.conf
key "rndc-key" {
      algorithm hmac-md5;
      secret "5bNswdCUaehpdZiWoBtYzg==";
};

controls {
      inet 127.0.0.1 port 953       #address the control channel listens on; keep it on loopback unless remote control is needed
              allow { 127.0.0.1; } keys { "rndc-key"; };  #addresses allowed to control named, and the key they must present
};

Restart named

[root@ecs-8c70 ~]# service named restart
Stopping named:                                            [  OK  ]
Starting named:                                            [  OK  ]

Testing with the rndc command

Usage:

[root@ecs-8c70 ~]# rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
        [-k key-file ] [-y key] [-V] command
Check the server status
[root@ecs-8c70 ~]# rndc -c /etc/rndc.conf status
version: 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
CPUs found: 1
worker threads: 1
number of zones: 20
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Send notifies manually
[root@ecs-8c70 ~]# rndc -c /etc/rndc.conf notify "miner-k.com"
zone notify queued

[root@ecs-8c70 ~]# tail /var/log/messages
Aug 17 23:20:15 ecs-8c70 named[21620]: zone miner-k.com/IN: sending notifies (serial 20170820)
Flush the cache
[root@ecs-8c70 ~]# rndc -c /etc/rndc.conf flush
Stop named
[root@ecs-8c70 ~]# rndc -c /etc/rndc.conf stop

Subdomain delegation and forwarding

Parent zone: miner-k.com, 122.112.217.171
Child zone: market.miner-k.com, 117.78.49.247

Parent configuration:

Main configuration file

[root@centos6-8 ~]# cat /etc/named.conf
options {
    directory   "/var/named";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};


zone "miner-k.com" IN {
    type master;
    file "miner-k.com.zone";
};

Zone data file

[root@centos6-8 ~]# cat /var/named/miner-k.com.zone 
$TTL 600
@ IN SOA ns1.miner-k.com. admin.miner-k.com (
                20170820
                1D
                1H
                1w
                1H
)

    IN NS ns1
ns1 IN A 122.112.217.171
www IN A 122.112.217.171
market  IN NS ns2
ns2 IN A  122.112.217.171

Check the zone data file's permissions

[root@centos6-8 ~]# ls -ld /var/named/miner-k.com.zone 
-rw-r-----. 1 root named 204 Aug 20 19:51 /var/named/miner-k.com.zone

Start the service

[root@cxy-65 ~]# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

Child zone DNS configuration

Configuration file

[root@cxy-65 ~]# cat /etc/named.conf 
options {
    directory   "/var/named";
    allow-query-cache { any;};    #required, otherwise forwarded answers (served from the cache) are denied
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};


zone "market.miner-k.com" IN {
    type master;
    file "market.miner-k.com.zone";
};
zone "miner-k.com" IN {     #forward queries for the parent zone to the parent's server
    type forward;
    forward     first;
    forwarders { 122.112.217.171; };
};



[root@cxy-65 ~]# cat /var/named/market.miner-k.com.zone 
$TTL 600
@   IN SOA ns1 rname.invalid. (
                    0   ; serial
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum
    NS  ns1
    A   127.0.0.1
ns1 A   117.78.49.247
www A   117.78.49.247   

Set permissions and restart the service

[root@cxy-65 ~]# chown root:named /var/named/market.miner-k.com.zone 
[root@cxy-65 ~]# chmod 640 /var/named/market.miner-k.com.zone 
[root@cxy-65 ~]# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
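As an added example (not from the original post), this Python code checks the delegation of a child zone against the child's own apex records: the NS set in the parent should match the child's NS set, in-bailiwick name servers need glue, and the glue must point at the servers that actually hold the child zone. Run on the parent and child zones above (written as tuples of the names they expand to), it reports that the delegation to ns2.miner-k.com at 122.112.217.171 does not agree with the child's name server ns1.market.miner-k.com at 117.78.49.247; FIXED_PARENT is a constructed delegation that passes.

```python
"""Check a parent zone's delegation of a child zone against the child's own apex records.

Added example, not from the original post. Records are (owner, type, rdata)
tuples with absolute names, i.e. what the zone files above expand to: PARENT
is the miner-k.com zone from the parent configuration and CHILD is the
market.miner-k.com zone from the child configuration; FIXED_PARENT is a
constructed variant whose delegation points at the child's own server.
"""


def rdata_of(records, owner, rtype):
    return {r[2] for r in records if r[0] == owner and r[1] == rtype}


def addresses(records, names):
    return {a for n in names for a in rdata_of(records, n, "A") | rdata_of(records, n, "AAAA")}


def check_delegation(parent_zone, parent_records, child_zone, child_records):
    """Return the delegation problems found (empty list = the delegation is consistent)."""
    problems = []
    delegated = rdata_of(parent_records, child_zone, "NS")
    if not delegated:
        return ["parent %s has no NS records for %s: the child is not delegated" % (parent_zone, child_zone)]
    child_ns = rdata_of(child_records, child_zone, "NS")
    if delegated != child_ns:
        problems.append("delegation NS set %s differs from the child's apex NS set %s"
                        % (sorted(delegated), sorted(child_ns)))
    for ns in sorted(delegated):
        # a name server inside the parent zone must have a glue address in the parent
        if ns.endswith("." + parent_zone) and not addresses(parent_records, [ns]):
            problems.append("no glue A/AAAA record in the parent for in-bailiwick name server %s" % ns)
        # a name server inside the child zone: parent glue must agree with the child's own address
        if ns.endswith("." + child_zone):
            glue, own = addresses(parent_records, [ns]), addresses(child_records, [ns])
            if glue and own and glue != own:
                problems.append("glue %s for %s disagrees with the child's own %s" % (sorted(glue), ns, sorted(own)))
    deleg_addrs, child_addrs = addresses(parent_records, delegated), addresses(child_records, child_ns)
    if deleg_addrs and child_addrs and deleg_addrs.isdisjoint(child_addrs):
        problems.append("delegation points at %s but the child zone's name servers are at %s"
                        % (sorted(deleg_addrs), sorted(child_addrs)))
    return problems


PARENT = [
    ("miner-k.com.", "NS", "ns1.miner-k.com."),
    ("ns1.miner-k.com.", "A", "122.112.217.171"),
    ("www.miner-k.com.", "A", "122.112.217.171"),
    ("market.miner-k.com.", "NS", "ns2.miner-k.com."),
    ("ns2.miner-k.com.", "A", "122.112.217.171"),
]
CHILD = [
    ("market.miner-k.com.", "NS", "ns1.market.miner-k.com."),
    ("market.miner-k.com.", "A", "127.0.0.1"),
    ("ns1.market.miner-k.com.", "A", "117.78.49.247"),
    ("www.market.miner-k.com.", "A", "117.78.49.247"),
]
FIXED_PARENT = PARENT[:3] + [
    ("market.miner-k.com.", "NS", "ns1.market.miner-k.com."),
    ("ns1.market.miner-k.com.", "A", "117.78.49.247"),   # glue for the child's server
]

if __name__ == "__main__":
    for label, parent in (("as configured", PARENT), ("fixed", FIXED_PARENT)):
        print(label, check_delegation("miner-k.com.", parent, "market.miner-k.com.", CHILD) or "OK")
```

A delegation whose NS points at a server that does not hold the child zone is what resolvers report as a lame delegation; dig -t NS market.miner-k.com @<parent> followed by the same query at the address the parent returned shows it from the outside.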

Common errors

Log message: query (cache) 'www.miner-k.com/A/IN' denied

Fix:
add `allow-query-cache { any;};` to named.conf

Log message: network unreachable resolving 'www.baidu.com/A/IN': 2001:5023:c27::2:30#53

Fix:
set `recursion no;` in named.conf

Client tools

dig (domain information groper)

Look up the NS records of a zone (-t NS)
[root@miner_k named]# dig -t NS .

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32144
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;.              IN  NS

;; ANSWER SECTION:
.           262805  IN  NS  c.root-servers.net.
.           262805  IN  NS  a.root-servers.net.
.           262805  IN  NS  e.root-servers.net.
.           262805  IN  NS  g.root-servers.net.
.           262805  IN  NS  b.root-servers.net.
.           262805  IN  NS  f.root-servers.net.
.           262805  IN  NS  j.root-servers.net.
.           262805  IN  NS  k.root-servers.net.
.           262805  IN  NS  h.root-servers.net.
.           262805  IN  NS  d.root-servers.net.
.           262805  IN  NS  l.root-servers.net.
.           262805  IN  NS  i.root-servers.net.
.           262805  IN  NS  m.root-servers.net.

;; Query time: 30 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Mon Aug 14 10:09:04 2017
;; MSG SIZE  rcvd: 228
Look up a name's A record (-t A)
[root@centos7-2 ~]# dig -t NS miner.com @117.78.49.247

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t NS miner.com @117.78.49.247
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@centos7-2 ~]# dig -t A www.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t A www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35965
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.         IN  A

;; ANSWER SECTION:
www.baidu.com.      721 IN  CNAME   www.a.shifen.com.
www.a.shifen.com.   232 IN  A   61.135.169.121
www.a.shifen.com.   232 IN  A   61.135.169.125

;; Query time: 8 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Mon Aug 14 15:17:15 CST 2017
;; MSG SIZE  rcvd: 101
Query a specific server (@)
[root@centos7-2 ~]# dig -t A www.baidu.com @dns.baidu.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -t A www.baidu.com @dns.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62864
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.         IN  A

;; ANSWER SECTION:
www.baidu.com.      1200    IN  CNAME   www.a.shifen.com.

;; AUTHORITY SECTION:
a.shifen.com.       1200    IN  NS  ns1.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns3.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns5.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns2.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns4.a.shifen.com.

;; ADDITIONAL SECTION:
ns1.a.shifen.com.   1200    IN  A   61.135.165.224
ns2.a.shifen.com.   1200    IN  A   180.149.133.241
ns3.a.shifen.com.   1200    IN  A   61.135.162.215
ns4.a.shifen.com.   1200    IN  A   115.239.210.176
ns5.a.shifen.com.   1200    IN  A   119.75.222.17

;; Query time: 24 msec
;; SERVER: 202.108.22.220#53(202.108.22.220)
;; WHEN: Mon Aug 14 15:18:11 CST 2017
;; MSG SIZE  rcvd: 239

Reverse lookup (-x)
[root@centos7-2 ~]# dig -x 119.75.222.17

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7_3.1 <<>> -x 119.75.222.17
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 14843
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;17.222.75.119.in-addr.arpa.    IN  PTR

;; Query time: 168 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Mon Aug 14 15:22:19 CST 2017
;; MSG SIZE  rcvd: 44
Disable recursion (+norecurse)
[root@com ~]# dig +norecurse -t A www.sohu.com @117.78.49.247

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> +norecurse -t A www.sohu.com @117.78.49.247
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38949
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11

;; QUESTION SECTION:
;www.sohu.com.          IN  A

;; AUTHORITY SECTION:
com.            172678  IN  NS  j.gtld-servers.net.
com.            172678  IN  NS  f.gtld-servers.net.
....

;; ADDITIONAL SECTION:
a.gtld-servers.net. 172678  IN  A   192.5.6.30
a.gtld-servers.net. 172678  IN  AAAA    2001:503:a83e::2:30
....

;; Query time: 29 msec
;; SERVER: 117.78.49.247#53(117.78.49.247)
;; WHEN: Thu Aug 17 14:47:30 2017
;; MSG SIZE  rcvd: 490
Trace the resolution path (+trace)
[root@com ~]# dig +trace -t A www.baidu.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> +trace -t A www.baidu.com
;; global options: +cmd
.           505169  IN  NS  b.root-servers.net.
.           505169  IN  NS  m.root-servers.net.
......
;; Received 228 bytes from 114.114.114.114#53(114.114.114.114) in 5115 ms

com.            172800  IN  NS  m.gtld-servers.net.
com.            172800  IN  NS  k.gtld-servers.net.
......
;; Received 491 bytes from 192.112.36.4#53(192.112.36.4) in 454 ms

baidu.com.      172800  IN  NS  dns.baidu.com.
baidu.com.      172800  IN  NS  ns2.baidu.com.
.......
;; Received 201 bytes from 192.43.172.30#53(192.43.172.30) in 15459 ms

www.baidu.com.      1200    IN  CNAME   www.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns3.a.shifen.com.
a.shifen.com.       1200    IN  NS  ns4.a.shifen.com.
.......
;; Received 228 bytes from 220.181.37.10#53(220.181.37.10) in 27 ms

Full zone transfer (-t axfr)

Retrieves every record in the zone, which is why allow-transfer should be restricted to the slaves

[root@com ~]# dig -t axfr miner-k.com @117.78.49.247

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t axfr miner-k.com @117.78.49.247
;; global options: +cmd
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170817 3600 300 604800 10800
miner-k.com.        600 IN  NS  ns1.miner-k.com.
ns1.miner-k.com.    600 IN  A   127.0.0.1
www.miner-k.com.    600 IN  A   117.78.49.24
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170817 3600 300 604800 10800
;; Query time: 31 msec
;; SERVER: 117.78.49.247#53(117.78.49.247)
;; WHEN: Thu Aug 17 15:12:09 2017
;; XFR size: 5 records (messages 1, bytes 171)
Incremental zone transfer (-t ixfr)
[root@com ~]# dig -t ixfr=20170818 miner-k.com @117.78.49.247

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t ixfr=20170818 miner-k.com @117.78.49.247
;; global options: +cmd
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170819 3600 300 604800 10800
miner-k.com.        600 IN  NS  ns1.miner-k.com.
ftp.miner-k.com.    600 IN  A   117.78.49.24
ns1.miner-k.com.    600 IN  A   127.0.0.1
pop.miner-k.com.    600 IN  A   117.78.49.24
www.miner-k.com.    600 IN  A   117.78.49.24
miner-k.com.        600 IN  SOA ns1.miner-k.com. admin.miner.com.miner-k.com. 20170819 3600 300 604800 10800
;; Query time: 31 msec
;; SERVER: 117.78.49.247#53(117.78.49.247)
;; WHEN: Thu Aug 17 15:20:40 2017
;; XFR size: 7 records (messages 1, bytes 211)

host command

[root@centos7-2 ~]# host -t NS baidu.com
baidu.com name server ns2.baidu.com.
baidu.com name server ns7.baidu.com.
baidu.com name server ns3.baidu.com.
baidu.com name server dns.baidu.com.
baidu.com name server ns4.baidu.com.

nslookup

[root@centos7-2 ~]# nslookup 
> server 114.114.115.115     #set the DNS server to query
Default server: 114.114.115.115
Address: 114.114.115.115#53

> set q=A                 #query A records
> www.baidu.com           #look up the A record of www.baidu.com
Server:     114.114.115.115
Address:    114.114.115.115#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121

Reverse lookup

[root@centos6-8 ~]# nslookup                   
> server 10.0.1.53
Default server: 10.0.1.53
Address: 10.0.1.53#53
> set q=PTR
> 10.0.1.57
Server:     10.0.1.53
Address:    10.0.1.53#53

57.1.0.10.in-addr.arpa  name = www.miner.com.

queryperf DNS load testing

queryperf ships in the contrib directory of the BIND source tree; download the source and build it

[root@miner-k ~]#wget https://www.isc.org/downloads/file/bind-9-10-6
[root@miner-k ~]#tar -xvf bind-9-10-6
[root@miner-k ~]#cd bind-9.10.6/

[root@miner-k bind-9.10.6]# cd contrib/
[root@miner-k contrib]# cd queryperf/
[root@miner-k queryperf]# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
..........
[root@miner-k queryperf]# make
gcc  -DHAVE_CONFIG_H -c queryperf.c
gcc  -DHAVE_CONFIG_H  queryperf.o  -lnsl -lresolv  -lm -o queryperf

[root@miner-k queryperf]# mv queryperf /bin/

Test resolution performance

[root@miner-k ~]# vim querytxt
baidu.com A
www.baidu.com A
baidu.com NS
baidu.com A
baidu.com A
baidu.com A
baidu.com A
baidu.com A
baidu.com A
baidu.com A
.......

[root@miner-k ~]# queryperf -d querytxt -s 114.114.114.114

DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $

[Status] Processing input data
[Status] Sending queries (beginning with 114.114.114.114)
[Status] Testing complete

Statistics:

  Parse input file:     once
  Ended due to:         reaching end of file

  Queries sent:         540 queries
  Queries completed:    540 queries
  Queries lost:         0 queries
  Queries delayed(?):   0 queries

  RTT max:          0.029657 sec
  RTT min:              0.027262 sec
  RTT average:          0.027699 sec
  RTT std deviation:    0.000401 sec
  RTT out of range:     0 queries

  Percentage completed: 100.00%
  Percentage lost:        0.00%

  Started at:           Sat Oct 14 20:49:22 2017
  Finished at:          Sat Oct 14 20:49:22 2017
  Ran for:              0.751673 seconds

  Queries per second:   718.397495 qps

When BIND starts it reads all zone data into memory, so lookups of the records it is configured with are fast.

Common errors

Message: no servers could be reached

[root@cxy-65 ~]# dig -t NS market.miner-k.com @117.78.36.1

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4 <<>> -t NS market.miner-k.com @117.78.36.1
;; global options: +cmd
;; connection timed out; no servers could be reached

Cause: the queried server could not be reached.

Fixes:
1. check whether named is running
2. check whether port 53 is open
3. remove firewall or similar restrictions (allow 53/udp and 53/tcp through rather than turning the firewall off)
