s20.实战案例: 实现DNS反向解析、DNS父域和子域服务



1.实战案例: 实现DNS反向解析

[root@rocky8 ~]# dnf -y install bind
[root@rocky8 ~]# vim /etc/named.conf
// /etc/named.conf, options section for the reverse-lookup lab. Only the two
// commented-out lines are changes; everything else is left as shipped.
options {
//  listen-on port 53 { 127.0.0.1; }; # commented out: with no listen-on, named binds port 53 on every IPv4 interface
    listen-on-v6 port 53 { ::1; };    # IPv6 stays loopback-only
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//  allow-query     { localhost; }; # commented out: with allow-query unset, any source address may query.
//  NOTE(review): prefer restricting it to the lab network, e.g. allow-query { localhost; <client-network>; };
//  and set allow-recursion explicitly. When both are unset BIND falls back to localnets/localhost for
//  recursion, which becomes wider than intended if the host ever gains a public-facing interface — confirm.
[root@rocky8 ~]# vim /etc/named.rfc1912.zones
// Reverse zone for 172.31.0.0/24: the in-addr.arpa name is the network octets reversed.
// "file" is relative to the options directory (/var/named).
zone "0.31.172.in-addr.arpa" {
    type master;
    file "172.31.0.zone";                                
};
​
[root@rocky8 ~]# cp -p /var/named/named.loopback /var/named/172.31.0.zone
[root@rocky8 ~]# vim /var/named/172.31.0.zone
; Reverse zone 0.31.172.in-addr.arpa (addresses 172.31.0.0/24). Owner names are the host
; octet; the zone origin supplies the rest of the in-addr.arpa name.
; SOA: MNAME "master", RNAME admin.raymonds.cc. (read as admin@raymonds.cc).
$TTL 1D
@   IN SOA master admin.raymonds.cc. (
          1 ; serial  - bump on every edit so any secondary refreshes
          1D ; refresh
          1H ; retry
          1W ; expire
          3H ) ; minimum (negative-answer TTL)
; NOTE(review): "master" is relative, so this NS is master.0.31.172.in-addr.arpa. (the dig
; AUTHORITY section below shows exactly that). It works because the A record supplies glue,
; but the usual form is the server's forward FQDN, e.g. master.raymonds.cc. — confirm before reuse.
         NS  master
master   A   172.31.1.8                                 
100      PTR www.raymonds.cc.   ; 172.31.0.100
200      PTR www.raymonds.vip.  ; 172.31.0.200
​
[root@rocky8 ~]# named-checkzone 0.31.172.in-addr.arpa 172.31.0.zone
-bash: named-checkzone: command not found
[root@centos7 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=172.31.1.8
[root@centos7 ~]# nmcli conn reload
[root@centos7 ~]# nmcli conn up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@centos7 ~]# dig -t ptr 100.0.0.10.in-addr.arpa. @10.0.0.8
-bash: dig: command not found
[root@centos7 ~]# yum -y install bind-utils
[root@centos7 ~]# dig -t ptr 100.0.31.172.in-addr.arpa. @172.31.1.8
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t ptr 100.0.31.172.in-addr.arpa. @172.31.1.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3594
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.0.31.172.in-addr.arpa. IN  PTR
​
;; ANSWER SECTION:
100.0.31.172.in-addr.arpa. 86400 IN PTR www.raymonds.cc.
​
;; AUTHORITY SECTION:
0.31.172.in-addr.arpa.  86400   IN  NS  master.0.31.172.in-addr.arpa.
​
;; ADDITIONAL SECTION:
master.0.31.172.in-addr.arpa. 86400 IN  A   172.31.1.8
​
;; Query time: 0 msec
;; SERVER: 172.31.1.8#53(172.31.1.8)
;; WHEN: Sun Dec 05 19:07:34 CST 2021
;; MSG SIZE  rcvd: 120
​
[root@centos7 ~]# dig -x 172.31.0.100 @172.31.1.8
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -x 172.31.0.100 @172.31.1.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12703
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.0.31.172.in-addr.arpa. IN  PTR
​
;; ANSWER SECTION:
100.0.31.172.in-addr.arpa. 86400 IN PTR www.raymonds.cc.
​
;; AUTHORITY SECTION:
0.31.172.in-addr.arpa.  86400   IN  NS  master.0.31.172.in-addr.arpa.
​
;; ADDITIONAL SECTION:
master.0.31.172.in-addr.arpa. 86400 IN  A   172.31.1.8
​
;; Query time: 0 msec
;; SERVER: 172.31.1.8#53(172.31.1.8)
;; WHEN: Sun Dec 05 19:10:30 CST 2021
;; MSG SIZE  rcvd: 120
​
[root@centos7 ~]# host 172.31.0.100
100.0.31.172.in-addr.arpa domain name pointer www.raymonds.cc.
​
[root@centos7 ~]# nslookup 172.31.0.200
200.0.31.172.in-addr.arpa   name = www.raymonds.vip.
​
​
[root@centos7 ~]# nslookup 
> 172.31.0.100
100.0.31.172.in-addr.arpa   name = www.raymonds.cc.
> exit

2.实战案例: 实现DNS父域和子域服务

2.1 实验目的


搭建DNS父域和子域服务器

2.2 环境要求

需要七台主机
DNS父域服务器:172.31.1.8(主) ,172.31.1.18(从)
DNS子域服务器:172.31.1.28(主), 172.31.1.38(从)
父域的web服务器:172.31.0.7,www.raymonds.cc
子域的web服务器:172.31.0.17,www.shenzhen.raymonds.cc
DNS客户端:172.31.0.27

2.3 前提准备

关闭SElinux(仅限实验环境)
关闭防火墙(仅限实验环境;生产环境应保留防火墙,只放行 53/tcp 与 53/udp)
时间同步

2.4 实现步骤

2.4.1 在父域DNS服务器上实现主raymonds.cc域的主和从DNS服务

#主DNS服务器
[root@rocky8 ~]# dnf -y install bind
[root@rocky8 ~]# vim /etc/named.conf
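// /etc/named.conf, options section of the parent-zone primary (172.31.1.8).
// Changed lines are marked; the rest of the stock file is left as shipped.
// Run named-checkconf before restarting named: a syntax slip here stops the service.
options {
//  listen-on port 53 { 127.0.0.1; }; # commented out: with no listen-on, named binds port 53 on every IPv4 interface
    listen-on-v6 port 53 { ::1; };    # IPv6 stays loopback-only
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//  allow-query     { localhost; }; # commented out: with allow-query unset, any source address may query.
//  NOTE(review): this host also recurses on behalf of LAN clients (the tcpdump captures below show
//  172.31.1.8 querying the child servers for 172.31.0.27). Pin the ACL explicitly, e.g.
//  allow-query { localhost; <client-network>; }; allow-recursion { localhost; <client-network>; };
//  instead of relying on BIND's localnets/localhost fallback — confirm the interface layout first.
    allow-transfer { 172.31.1.18;};  # added: only the secondary may pull the zone (AXFR/IXFR)
// Disable DNSSEC. Acceptable for an isolated lab that cannot reach the root trust anchor;
// a resolver that serves real clients should keep dnssec-validation auto.
    dnssec-enable no;       # obsolete from BIND 9.16 on; still accepted by the 9.11 series this lab appears to use
    dnssec-validation no;   # fix: the terminating ';' was missing, which named-checkconf rejects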
​
[root@rocky8 ~]# vim /etc/named.rfc1912.zones
# Add this stanza: primary (authoritative, writable) copy of raymonds.cc.
# "file" is relative to the options directory (/var/named).
zone "raymonds.cc" {
    type master;
    file "raymonds.cc.zone";                               
};
​
​
[root@rocky8 ~]# cp -p /var/named/named.localhost /var/named/raymonds.cc.zone
#如果没有-p,需要改权限。chgrp named raymonds.cc.zone
[root@rocky8 ~]# vim /var/named/raymonds.cc.zone
; Forward zone raymonds.cc (parent). Names without a trailing dot are relative to this origin,
; so both apex NS are in-zone and need the A records given below.
$TTL 1D
@   IN SOA  master admin.raymonds.cc. (
                    2   ; serial  - bump on every edit or the secondary (slave, 172.31.1.18) will not refresh
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum (negative-answer TTL)
            NS  master
            NS  slave
; Delegation: the two NS records hand shenzhen.raymonds.cc to the child servers; the A records
; for shenzhen-master / shenzhen-slave below are the glue resolvers need to reach them.
; NOTE(review): these names expand to shenzhen-master.raymonds.cc, whereas the child zone file
; later on the page writes its NS relative to its own origin (shenzhen-master.shenzhen.raymonds.cc).
; Both appear to resolve, but the delegation and the child's apex NS set should agree — confirm.
shenzhen    NS  shenzhen-master
shenzhen    NS  shenzhen-slave
master      A   172.31.1.8
slave       A   172.31.1.18 
shenzhen-master    A   172.31.1.28 
shenzhen-slave     A   172.31.1.38
​
www                A   172.31.0.7
​
​
[root@rocky8 ~]# systemctl enable --now named
#从DNS服务器
[root@rocky8-2 ~]# dnf -y install bind
​
[root@rocky8-2 ~]# vim /etc/named.conf
// /etc/named.conf, options section of the parent-zone secondary (172.31.1.18).
options {
//  listen-on port 53 { 127.0.0.1; }; # commented out: with no listen-on, named binds port 53 on every IPv4 interface
    listen-on-v6 port 53 { ::1; };    # IPv6 stays loopback-only
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//  allow-query     { localhost; }; # commented out: with allow-query unset, any source address may query.
//  NOTE(review): restrict to the lab network (allow-query / allow-recursion { localhost; <client-network>; };)
//  rather than relying on BIND's localnets/localhost recursion fallback — confirm.
    allow-transfer { none;};  # added: a secondary must not hand out zone transfers, which would let any host enumerate the zone
// Disable DNSSEC (lab only; keep dnssec-validation auto on a resolver serving real clients).
    dnssec-enable no;       # obsolete from BIND 9.16 on; still accepted by the 9.11 series this lab appears to use
    dnssec-validation no; 
​
[root@rocky8-2 ~]# vim /etc/named.rfc1912.zones 
# Secondary copy of raymonds.cc, pulled from the primary by zone transfer.
# The file lives under slaves/, the directory named can write to (see the ll listing below).
zone "raymonds.cc" {
    type slave;                             
    masters { 172.31.1.8; }; # address of the primary
    file "slaves/raymonds.cc.zone.slave";                               
};
​
[root@rocky8-2 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@rocky8-2 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 559 Dec  5 19:59 raymonds.cc.zone.slave

2.4.2 实现子域的主和从DNS服务器

#子域主服务器
[root@rocky8-3 ~]# dnf -y install bind
​
[root@rocky8-3 ~]# vim /etc/named.conf
// /etc/named.conf, options section of the child-zone primary (172.31.1.28).
options {
//  listen-on port 53 { 127.0.0.1; }; # commented out: with no listen-on, named binds port 53 on every IPv4 interface
    listen-on-v6 port 53 { ::1; };    # IPv6 stays loopback-only
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//  allow-query     { localhost; }; # commented out: with allow-query unset, any source address may query.
//  NOTE(review): the parent server is the only client that needs to reach this host (see the tcpdump
//  captures below); an ACL such as allow-query { localhost; <parent-and-client-network>; }; would do — confirm.
    allow-transfer { 172.31.1.38;}; # added: only the child's secondary may pull the zone
// Disable DNSSEC (lab only).
    dnssec-enable no;       # obsolete from BIND 9.16 on; still accepted by the 9.11 series this lab appears to use
    dnssec-validation no; 
​
[root@rocky8-3 ~]# vim /etc/named.rfc1912.zones
# Primary copy of the delegated child zone shenzhen.raymonds.cc.
# "file" is relative to the options directory (/var/named).
zone "shenzhen.raymonds.cc" {
    type master;
    file "shenzhen.raymonds.cc.zone";     
};
​
[root@rocky8-3 ~]# cp -p /var/named/named.localhost /var/named/shenzhen.raymonds.cc.zone
#如果没有-p,需要改权限。chgrp named shenzhen.raymonds.cc.zone
​
[root@rocky8-3 ~]# vim /var/named/shenzhen.raymonds.cc.zone
; Forward zone shenzhen.raymonds.cc (child). Names without a trailing dot are relative to this origin.
; SOA RNAME admin.raymonds.cc. is read as admin@raymonds.cc.
$TTL 1D
@   IN SOA  shenzhen-master admin.raymonds.cc. (
                    5   ; serial  - bump on every edit or shenzhen-slave (172.31.1.38) will not refresh
                    1D  ; refresh
                    1H  ; retry
                    1W  ; expire
                    3H )    ; minimum (negative-answer TTL)
; NOTE(review): relative names, so these are shenzhen-master.shenzhen.raymonds.cc and
; shenzhen-slave.shenzhen.raymonds.cc, while the parent's delegation names shenzhen-master.raymonds.cc
; and shenzhen-slave.raymonds.cc. To keep the apex NS set identical to the delegation, write them
; fully qualified here (e.g. shenzhen-master.raymonds.cc.) — confirm against the parent zone file.
            NS      shenzhen-master
            NS      shenzhen-slave
shenzhen-master    A       172.31.1.28
shenzhen-slave     A       172.31.1.38
​
www                A       172.31.0.17
​
[root@rocky8-3 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
#子域从服务器
[root@rocky8-4 ~]# dnf -y install bind
​
[root@rocky8-4 ~]# vim /etc/named.conf
// /etc/named.conf, options section of the child-zone secondary (172.31.1.38).
options {
//  listen-on port 53 { 127.0.0.1; }; # commented out: with no listen-on, named binds port 53 on every IPv4 interface
    listen-on-v6 port 53 { ::1; };    # IPv6 stays loopback-only
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//  allow-query     { localhost; }; # commented out: with allow-query unset, any source address may query.
//  NOTE(review): restrict to the hosts that need it, e.g. allow-query { localhost; <parent-and-client-network>; }; — confirm.
    allow-transfer { none;};  # added: a secondary must not hand out zone transfers, which would let any host enumerate the zone
// Disable DNSSEC (lab only).
    dnssec-enable no;       # obsolete from BIND 9.16 on; still accepted by the 9.11 series this lab appears to use
    dnssec-validation no;
​
[root@rocky8-4 ~]# vim /etc/named.rfc1912.zones
# Secondary copy of the child zone, pulled from the child primary by zone transfer.
# The file lives under slaves/, the directory named can write to (see the ll listing below).
zone "shenzhen.raymonds.cc" {
    type slave;                             
    masters { 172.31.1.28; }; # address of the child-zone primary
    file "slaves/shenzhen.raymonds.cc.zone.slave";                                
};
​
[root@rocky8-4 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
​
[root@rocky8-4 ~]# ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 400 Dec  5 20:19 shenzhen.raymonds.cc.zone.slave

2.4.3 在父域和子域的web服务器上安装httpd服务

#父域的web服务器利用上面案例
[root@centos7 ~]# yum -y install httpd;systemctl enable --now httpd;echo www.raymonds.cc > /var/www/html/index.html
​
#在子域的web服务器上安装http服务
[root@centos7-2 ~]# yum -y install httpd;systemctl enable --now httpd;echo www.shenzhen.raymonds.cc > /var/www/html/index.html

2.4.4 客户端测试

[root@centos7-3 ~]# vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=172.31.1.8                           
DNS2=172.31.1.18
[root@centos7-3 ~]# nmcli conn reload
[root@centos7-3 ~]# nmcli conn up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
[root@centos7-3 ~]# cat /etc/resolv.conf 
# Generated by NetworkManager
nameserver 172.31.1.8
nameserver 172.31.1.18
[root@centos7-3 ~]# dig www.raymonds.cc
-bash: dig: command not found
[root@centos7-3 ~]# yum -y install bind-utils
[root@centos7-3 ~]# dig www.raymonds.cc
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> www.raymonds.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58212
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.raymonds.cc.       IN  A
​
;; ANSWER SECTION:
www.raymonds.cc.    86400   IN  A   172.31.0.7
​
;; AUTHORITY SECTION:
raymonds.cc.        86400   IN  NS  master.raymonds.cc.
raymonds.cc.        86400   IN  NS  slave.raymonds.cc.
​
;; ADDITIONAL SECTION:
master.raymonds.cc. 86400   IN  A   172.31.1.8
slave.raymonds.cc.  86400   IN  A   172.31.1.18
​
;; Query time: 0 msec
;; SERVER: 172.31.1.8#53(172.31.1.8)
;; WHEN: Sun Dec 05 20:26:31 CST 2021
;; MSG SIZE  rcvd: 133
​
[root@centos7-3 ~]# curl www.raymonds.cc
www.raymonds.cc
​
[root@rocky8-2 ~]# tcpdump -i eth0 port 53 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:04:00.008387 IP 172.31.0.27.32977 > 172.31.1.8.53: 12232+ A? www.raymonds.cc. (33)
21:04:00.008433 IP 172.31.0.27.32977 > 172.31.1.8.53: 23512+ AAAA? www.raymonds.cc. (33)
21:04:00.009069 IP 172.31.1.8.53 > 172.31.0.27.32977: 12232* 1/2/2 A 172.31.0.7 (122)
21:04:00.009124 IP 172.31.1.8.53 > 172.31.0.27.32977: 23512* 0/1/0 (82)
#抓包可以看到域名通过8查询到的
​
[root@rocky8 ~]# systemctl stop named
​
[root@centos7-3 ~]# dig www.raymonds.cc
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> www.raymonds.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27708
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.raymonds.cc.       IN  A
​
;; ANSWER SECTION:
www.raymonds.cc.    86400   IN  A   172.31.0.7
​
;; AUTHORITY SECTION:
raymonds.cc.        86400   IN  NS  slave.raymonds.cc.
raymonds.cc.        86400   IN  NS  master.raymonds.cc.
​
;; ADDITIONAL SECTION:
master.raymonds.cc. 86400   IN  A   172.31.1.8
slave.raymonds.cc.  86400   IN  A   172.31.1.18
​
;; Query time: 2 msec
;; SERVER: 172.31.1.18#53(172.31.1.18)
;; WHEN: Sun Dec 05 21:40:00 CST 2021
;; MSG SIZE  rcvd: 133
​
[root@rocky8-2 ~]# tcpdump -i eth0 port 53 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:39:59.520904 IP 172.31.0.27.56341 > 172.31.1.8.53: 27708+ [1au] A? www.raymonds.cc. (44)
21:40:00.521523 IP 172.31.0.27.34424 > 172.31.1.18.53: 27708+ [1au] A? www.raymonds.cc. (44)
21:40:00.522757 IP 172.31.1.18.53 > 172.31.0.27.34424: 27708* 1/2/3 A 172.31.0.7 (133)
#停掉主DNS,可以看到域名通过18查询到的
​
[root@centos7-3 ~]# dig www.shenzhen.raymonds.cc
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> www.shenzhen.raymonds.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6305
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.shenzhen.raymonds.cc.  IN  A
​
;; ANSWER SECTION:
www.shenzhen.raymonds.cc. 86400 IN  A   172.31.0.17
​
;; AUTHORITY SECTION:
shenzhen.raymonds.cc.   86400   IN  NS  shenzhen.raymonds.cc.
​
;; Query time: 2 msec
;; SERVER: 172.31.1.8#53(172.31.1.8)
;; WHEN: Sun Dec 05 20:26:56 CST 2021
;; MSG SIZE  rcvd: 83
​
[root@centos7-3 ~]# curl www.shenzhen.raymonds.cc
www.shenzhen.raymonds.cc
​
[root@rocky8-2 ~]# tcpdump -i eth0 port 53 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:44:19.034393 IP 172.31.0.27.50194 > 172.31.1.8.53: 20185+ A? www.shenzhen.raymonds.cc. (42)
20:44:19.034415 IP 172.31.0.27.50194 > 172.31.1.8.53: 54505+ AAAA? www.shenzhen.raymonds.cc. (42)
20:44:19.035065 IP 172.31.1.8.53163 > 172.31.1.28.53: 60254% [1au] A? www.shenzhen.raymonds.cc. (65)
20:44:19.035142 IP 172.31.1.8.52753 > 172.31.1.28.53: 32306% [1au] AAAA? www.shenzhen.raymonds.cc. (65)
20:44:19.035898 IP 172.31.1.28.53 > 172.31.1.8.53163: 60254* 1/0/1 A 172.31.0.17 (97)
20:44:19.035979 IP 172.31.1.28.53 > 172.31.1.8.52753: 32306* 0/1/1 (130)
20:44:19.036205 IP 172.31.1.8.53 > 172.31.0.27.50194: 20185 1/1/0 A 172.31.0.17 (72)
20:44:19.036433 IP 172.31.1.8.53 > 172.31.0.27.50194: 54505 0/1/0 (91)
^C
8 packets captured
8 packets received by filter
0 packets dropped by kernel
#抓包可以看到子域是通过8找到28,28查到后发给8,8再转发给27
​
[root@rocky8-3 ~]# systemctl stop named
​
[root@rocky8 ~]# rndc flush
​
[root@centos7-3 ~]# dig www.shenzhen.raymonds.cc
​
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> www.shenzhen.raymonds.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11392
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
​
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.shenzhen.raymonds.cc.  IN  A
​
;; ANSWER SECTION:
www.shenzhen.raymonds.cc. 86400 IN  A   172.31.0.17
​
;; AUTHORITY SECTION:
shenzhen.raymonds.cc.   86400   IN  NS  shenzhen-master.raymonds.cc.
shenzhen.raymonds.cc.   86400   IN  NS  shenzhen-slave.raymonds.cc.
​
;; ADDITIONAL SECTION:
shenzhen-master.raymonds.cc. 86400 IN   A   172.31.1.28
shenzhen-slave.raymonds.cc. 86400 IN    A   172.31.1.38
​
;; Query time: 1 msec
;; SERVER: 172.31.1.8#53(172.31.1.8)
;; WHEN: Sun Dec 05 21:28:12 CST 2021
;; MSG SIZE  rcvd: 160
#停止子域主DNS照样可以查询
​
[root@rocky8-2 ~]# tcpdump -i eth0 port 53 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:29:03.367075 IP 172.31.0.27.42090 > 172.31.1.8.53: 15310+ [1au] A? www.shenzhen.raymonds.cc. (53)
21:29:03.367655 IP 172.31.1.8.34864 > 172.31.1.28.53: 47484% [1au] A? www.shenzhen.raymonds.cc. (65)
21:29:03.368026 IP 172.31.1.8.40183 > 172.31.1.38.53: 31333% [1au] A? www.shenzhen.raymonds.cc. (65)
21:29:03.368334 IP 172.31.1.38.53 > 172.31.1.8.40183: 31333* 1/0/1 A 172.31.0.17 (97)
21:29:03.368583 IP 172.31.1.8.53 > 172.31.0.27.42090: 15310 1/2/3 A 172.31.0.17 (160)
#抓包可以看到子域主DNS停止后,8先问28无应答,再找到38,38查到后发给8,8再转发给27