域名的组成:
根域:
以.开始:
顶级域
TLD:Top Level Domain
.COM .CN .ORG
二级域:
163.com
子域:
区域:
整个域或域的一部分
DNS的对应关系数据放在区域的文件中
全球13台根服务器
DNS查询过程:
本地 client -> 本地 DNS:递归查询,客户端发出请求,由本地 DNS 负责给出最终回复
本地 DNS -> 外网 DNS:迭代查询,被查询的服务器不直接给出最终回复,只返回下一级服务器的指引,本地 DNS 要自己继续查找
配置缓存名称服务器:
Unbound将安装成一个缓存名称服务器,接受客户端的DNS查询,并将查询转发给上级DNS服务器
本地缓存服务器的配置,/etc/resolv.conf中的nameserver条目将配置指向unbound正在侦听的本地主机。Unbound配置将DNS请求转发到上游名称服务器并验证其响应
在本地存储查询结果,在TTL到期后从缓存中删除资源记录
客户端查询DNS的顺序:
/etc/hosts
/etc/resolv.conf
/etc/nsswitch.conf
安装软件:
yum install -y unbound
启动unbound服务:
[root@server ~]# systemctl start unbound.service
[root@server ~]# systemctl status unbound.service
修改unbound配置文件
[root@server ~]# vim /etc/unbound/unbound.conf
修改以下配置文件:
interface: 0.0.0.0    # 服务端侦听所有网络接口,因此下面的 access-control 必须配置,否则任何主机都能使用该服务器递归查询
access-control: 172.25.0.0/24 allow    # 指定允许哪些客户端进行递归查询,其余客户端的查询会被拒绝
将所有对unbound的查询转发到上级DNS服务器:172.25.254.254
forward-zone:
name: "."    # 表示转发所有的查询
forward-addr: 172.25.254.254
# forward-host: host_name
# 仅对特定的未签名区域 example.com 跳过 DNSSEC 验证,其他区域仍正常验证
domain-insecure: example.com
查看特定已签名区域的 DNSKEY 记录(即信任锚):
[root@foundation0 ~]# dig +dnssec DNSKEY sina.com.cn
检查unbound配置文件是否正确:
[root@server ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
配置文件修改完成后重启服务:
[root@server unbound]# systemctl restart unbound.service
在防火墙上开放DNS服务:
[root@server ~]# firewall-cmd --permanent --add-service=dns
success
[root@server ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1 eth2
sources:
services: dhcpv6-client dns mountd nfs rpc-bind samba ssh
ports: 3260/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
转储和加载unbound服务:
查看unbound缓存在本地的DNS缓存项目
dump_cache    print cache to stdout
load_cache    load cache from stdin
[root@server ~]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 63161 1 0 8 3
example.com.    63161   IN  A   172.25.254.254
;rrset 63161 1 0 7 3
example.com.    63161   IN  NS  classroom.example.com.
;rrset 63161 1 0 3 3
classroom.example.com.  63161   IN  A   172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 63161 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF
将缓存的文件导出到本地文件:
[root@server ~]# unbound-control dump_cache >unbound_dump_file
[root@server ~]# cat unbound_dump_file
START_RRSET_CACHE
;rrset 62947 1 0 8 3
example.com.    62947   IN  A   172.25.254.254
;rrset 62947 1 0 7 3
example.com.    62947   IN  NS  classroom.example.com.
;rrset 62947 1 0 3 3
classroom.example.com.  62947   IN  A   172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 62947 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF
可先修改导出文件中过期的缓存条目,再将该文件导入到正在运行的unbound中:
[root@server ~]# unbound-control load_cache <unbound_dump_file
Ok
清空unbound缓存:
flush <name>    flushes common types for name from cache
    types: A, AAAA, MX, PTR, NS, SOA, CNAME, DNAME, SRV, NAPTR
flush_type <name> <type>    flush name, type from cache
flush_zone <name>    flush everything at or under name
[root@server local.d]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 86397 1 0 7 3
example.com.    86397   IN  NS  classroom.example.com.
;rrset 86397 1 0 8 3
example.com.    86397   IN  A   172.25.254.254
;rrset 86397 1 0 3 3
classroom.example.com.  86397   IN  A   172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
msg example.com. IN A 33152 1 86397 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF
清除START_MSG_CACHE和END_MSG_CACHE 之间的内容
[root@server local.d]# unbound-control flush classroom.example.com
ok
[root@server local.d]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 86384 1 0 7 3
example.com.    86384   IN  NS  classroom.example.com.
;rrset 86384 1 0 8 3
example.com.    86384   IN  A   172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
清除整个域的内容:
清除所有的记录:
[root@server ~]# unbound-control flush_zone example.com
ok removed 1 rrsets, 0 messages and 0 key entries
[root@server ~]# unbound-control dump_cache
START_RRSET_CACHE
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
实验:
在desktop服务器上,以server.example.com为递归查询DNS服务器,查询example.com的A记录对应的IP
[root@desktop /]# dig @172.25.0.11 A example.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @172.25.0.11 A example.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47294
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.           IN  A
;; ANSWER SECTION:
example.com.    86250   IN  A   172.25.254.254
;; Query time: 2 msec
;; SERVER: 172.25.0.11#53(172.25.0.11)    # 这是本地的DNS服务器
;; WHEN: Fri Dec 15 17:47:09 CST 2017
;; MSG SIZE rcvd: 56
查看unbound本地缓存的记录:
[root@server unbound]# unbound-control dump_cache
START_RRSET_CACHE
;rrset 86146 1 0 3 3
classroom.example.com.  86146   IN  A   172.25.254.254
;rrset 11 1 0 7 3
example.com.    11  IN  SOA classroom.example.com. root.classroom.example.com. 2013091600 3600 300 604800 60
;rrset 86146 1 0 8 3
example.com.    86146   IN  A   172.25.254.254
;rrset 86146 1 0 7 3
example.com.    86146   IN  NS  classroom.example.com.
END_RRSET_CACHE
START_MSG_CACHE
msg server.example.com. IN A 33155 1 11 3 0 1 0
example.com. IN SOA 4
msg example.com. IN A 33152 1 86146 3 1 1 1
example.com. IN A 0
example.com. IN NS 0
classroom.example.com. IN A 0
END_MSG_CACHE
EOF
从缓存中清除example.com的记录:
[root@server unbound]# unbound-control flush example.com
ok
[root@server unbound]# unbound-control dump_cache    # 与example.com相关的记录没有了
START_RRSET_CACHE
;rrset 86041 1 0 3 3
classroom.example.com.  86041   IN  A   172.25.254.254
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
配置通过unbound来解析主域:
[root@server local.d]# pwd
/etc/unbound/local.d
[root@server local.d]# cat xmws.com.conf
local-zone: "xmws.com" static
local-data: "xmws.com. 86400 IN SOA ns.xmws.com root.xmws.com 1 1D 1H 1W 1H"
local-data: "xmws.com. IN NS ns.xmws.com."
local-data: "ns.xmws.com. IN A 172.25.0.11"
local-data: "www.xmws.com IN A 172.25.0.11"
local-data-ptr: "172.25.0.11 ns.xmws.com."
客户端查询:
[root@desktop ~]# dig @172.25.0.11 www.xmws.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @172.25.0.11 www.xmws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42187
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.xmws.com.          IN  A
;; ANSWER SECTION:
www.xmws.com.   3600    IN  A   172.25.0.11
;; Query time: 1 msec
;; SERVER: 172.25.0.11#53(172.25.0.11)
;; WHEN: Fri Dec 15 21:21:24 CST 2017
;; MSG SIZE rcvd: 57
[root@desktop ~]# dig @172.25.0.11 ns.xmws.com
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @172.25.0.11 ns.xmws.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13463
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns.xmws.com.           IN  A
;; ANSWER SECTION:
ns.xmws.com.    3600    IN  A   172.25.0.11
;; Query time: 10 msec
;; SERVER: 172.25.0.11#53(172.25.0.11)
;; WHEN: Fri Dec 15 21:22:34 CST 2017
;; MSG SIZE rcvd: 56