[root@master-DNS ~]# cat /etc/named.conf
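# Hosts allowed to query this server and to use it as a recursive resolver.
# 192.168.100.0/24 is inferred from the addresses used in this lab
# (192.168.100.137 / .139 / .140) -- adjust it to the real internal prefix(es).
# ACLs must be declared before they are referenced, hence above "options".
acl "internal" {
    localhost;
    192.168.100.0/24;
};
options {
    # NOTE: BIND's built-in "localhost" ACL matches every address configured on
    # this host, not only 127.0.0.1 -- that is why clients reach 192.168.100.139.
    # Pin it to explicit addresses if the host ever gets an external interface.
    listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";
    # Was "allow-query { any; };". With "recursion yes" and no explicit
    # allow-recursion, BIND derives allow-recursion from allow-query, so "any"
    # turns this into an open resolver as soon as the host is reachable from
    # outside (DNS amplification / cache-poisoning target, see the comment below).
    allow-query { internal; };
    allow-recursion { internal; };
    allow-query-cache { internal; };
    # Only the secondary (dns2 = 192.168.100.140 in wang.org.zone) may pull zone
    # transfers; otherwise anyone reaching port 53 could enumerate zones via AXFR.
    allow-transfer { 192.168.100.140; };
    # Queries for names this server is not authoritative for are forwarded to
    # the public resolvers 223.5.5.5 and 119.29.29.29. The default mode is
    # "forward first": if neither forwarder answers, named falls back to
    # iterative resolution via the root hints in zone ".".
    forwarders { 223.5.5.5; 119.29.29.29; };
    /*
    - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    - If you are building a RECURSIVE (caching) DNS server, you need to enable
    recursion.
    - If your recursive DNS server has a public IP address, you MUST enable access
    control to limit queries to your legitimate users. Failing to do so will
    cause your server to become part of large scale DNS amplification
    attacks. Implementing BCP38 within your network would greatly
    reduce such attack surface
    */
    # This lab server is both authoritative (wang.org) and recursive; that is
    # only acceptable because recursion is restricted to the "internal" ACL.
    recursion yes;
    # DNSSEC validation is disabled: answers relayed from the forwarders are
    # accepted unauthenticated (dig will never show the "ad" flag). Switch to
    # "dnssec-validation auto;" once the forwarders are confirmed to return
    # RRSIG/DS records. "dnssec-enable" is deprecated in newer BIND releases --
    # check the server's version before keeping it.
    dnssec-enable no;
    dnssec-validation no;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};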
logging {
# Single channel. "data/named.run" is relative to directory "/var/named"
# set in options, i.e. /var/named/data/named.run.
channel default_debug {
file "data/named.run";
# "dynamic": the channel logs at whatever debug level the server is
# currently running with (changed at runtime via rndc trace).
severity dynamic;
};
};
# Root hints: addresses of the root servers for iterative resolution. With
# forwarders configured in options (default mode "forward first") they are
# only consulted when the forwarders fail to answer.
zone "." IN {
type hint;
file "named.ca";
};
# Zone definitions: the RFC 1912 localhost/loopback zones plus the internal
# wang.org zone (see /etc/named.rfc1912.zones below).
include "/etc/named.rfc1912.zones";
# Root DNSSEC trust anchor (managed-keys). It is not used for validation while
# options has "dnssec-validation no".
include "/etc/named.root.key";
#在/etc/named.rfc1912.zones指定内网测试域名读取/var/named/wang.org.zone 的配置
[root@master-DNS ~]# cat /etc/named.rfc1912.zones
# Standard RFC 1912 zone: answers "localhost.localdomain" locally from
# named.localhost instead of forwarding the query upstream.
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
# Standard RFC 1912 zone: answers "localhost" locally from named.localhost.
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
# Standard RFC 1912 zone: reverse mapping for the IPv6 loopback address ::1.
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
# Standard RFC 1912 zone: reverse mapping for the IPv4 loopback address 127.0.0.1.
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
# Standard RFC 1912 zone: empty zone for 0.0.0.0/8 reverse lookups, so they
# are answered locally rather than sent to the forwarders.
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
#这里配置内网的测试域名wang.org
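# Internal test zone wang.org, served as primary from /var/named/wang.org.zone.
zone "wang.org" IN {
type master;
file "wang.org.zone";
# Same policy as the other zones in this file: no dynamic updates. BIND's
# default is also "none", but stating it keeps the policy visible.
allow-update { none; };
# Only dns2 (192.168.100.140 per wang.org.zone) may AXFR the zone. Without an
# allow-transfer statement, depending on the BIND version, anyone who can reach
# port 53 may be able to dump the whole zone.
allow-transfer { 192.168.100.140; };
};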
#内网域名数据库配置
[root@master-DNS ~]# cat /var/named/wang.org.zone
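; Zone data for wang.org.
; NOTE: master-file comments start with ";". "#" is NOT a comment character
; here -- text after "#" is parsed as part of the record and can make the
; zone fail to load. Check with: named-checkzone wang.org /var/named/wang.org.zone
$TTL 1D
; SOA: MNAME names the primary server -- dns1, which has an A record below
; (the original "master" resolved to master.wang.org., which has no record).
; RNAME "admin" means admin@wang.org.
@ IN SOA dns1 admin (
4 ; serial -- bumped from 3: secondaries only re-transfer when it increases
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum (negative-caching TTL)
NS dns1
NS dns2
dns1 A 192.168.100.139 ; primary DNS server node
dns2 A 192.168.100.140 ; secondary DNS server node
www A 192.168.100.137
dd.sh A 1.1.1.1 ; test record pointing at a public address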
#检查语法(注意:named-checkconf 只检查 named.conf,不检查区域文件;区域文件请用 named-checkconf -z 或 named-checkzone wang.org /var/named/wang.org.zone 检查),清除缓存,重载配置文件
[root@master-DNS ~]# named-checkconf
[root@master-DNS ~]# rndc flush
[root@master-DNS ~]# rndc reload
server reload successful
#客户端DNS配置(此文件由 NetworkManager 生成,直接编辑会被覆盖,应通过 nmcli/连接配置来设置 DNS)
[root@m8 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.100.139
nameserver 192.168.100.140
#客户端访问内网域名测试www.wang.org,dd.sh.wang.org
#测试www.wang.org
[root@m8 ~]# dig www.wang.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> www.wang.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25240
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.wang.org. IN A
;; ANSWER SECTION:
www.wang.org. 86400 IN A 192.168.100.137
;; AUTHORITY SECTION:
wang.org. 86400 IN NS dns1.wang.org.
wang.org. 86400 IN NS dns2.wang.org.
;; ADDITIONAL SECTION:
dns1.wang.org. 86400 IN A 192.168.100.139
dns2.wang.org. 86400 IN A 192.168.100.140
;; Query time: 0 msec
;; SERVER: 192.168.100.139#53(192.168.100.139)
;; WHEN: Sat Apr 22 07:48:19 CST 2023
;; MSG SIZE rcvd: 127
#测试dd.sh.wang.org
[root@m8 ~]# dig dd.sh.wang.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> dd.sh.wang.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65272
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;dd.sh.wang.org. IN A
;; ANSWER SECTION:
dd.sh.wang.org. 86400 IN A 1.1.1.1
;; AUTHORITY SECTION:
wang.org. 86400 IN NS dns1.wang.org.
wang.org. 86400 IN NS dns2.wang.org.
;; ADDITIONAL SECTION:
dns1.wang.org. 86400 IN A 192.168.100.139
dns2.wang.org. 86400 IN A 192.168.100.140
;; Query time: 0 msec
;; SERVER: 192.168.100.139#53(192.168.100.139)
;; WHEN: Sat Apr 22 07:48:25 CST 2023
;; MSG SIZE rcvd: 129
#host命令测试
[root@m8 ~]# host dd.sh.wang.org
dd.sh.wang.org has address 1.1.1.1
[root@m8 ~]# host www.wang.org
www.wang.org has address 192.168.100.137
#客户端host命令测试公网域名
[root@m8 ~]# host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 120.232.145.144
www.a.shifen.com has address 120.232.145.185
#dig命令测试公网(注意下面 flags 中没有 ad 标志:named.conf 里 dnssec-validation 为 no,转发器返回的应答未经 DNSSEC 验证)
[root@m8 ~]# dig www.baidu.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.13 <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35771
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 27
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 79 IN CNAME www.a.shifen.com.
www.a.shifen.com. 79 IN A 120.232.145.144
www.a.shifen.com. 79 IN A 120.232.145.185
;; AUTHORITY SECTION:
. 518235 IN NS a.root-servers.net.
. 518235 IN NS m.root-servers.net.
. 518235 IN NS e.root-servers.net.
. 518235 IN NS l.root-servers.net.
. 518235 IN NS h.root-servers.net.
. 518235 IN NS j.root-servers.net.
. 518235 IN NS g.root-servers.net.
. 518235 IN NS f.root-servers.net.
. 518235 IN NS d.root-servers.net.
. 518235 IN NS k.root-servers.net.
. 518235 IN NS c.root-servers.net.
. 518235 IN NS i.root-servers.net.
. 518235 IN NS b.root-servers.net.
;; ADDITIONAL SECTION:
f.root-servers.net. 518235 IN A 192.5.5.241
m.root-servers.net. 518235 IN A 202.12.27.33
g.root-servers.net. 518235 IN A 192.112.36.4
b.root-servers.net. 518235 IN A 199.9.14.201
j.root-servers.net. 518235 IN A 192.58.128.30
i.root-servers.net. 518235 IN A 192.36.148.17
c.root-servers.net. 518235 IN A 192.33.4.12
d.root-servers.net. 518235 IN A 199.7.91.13
h.root-servers.net. 518235 IN A 198.97.190.53
a.root-servers.net. 518235 IN A 198.41.0.4
e.root-servers.net. 518235 IN A 192.203.230.10
k.root-servers.net. 518235 IN A 193.0.14.129
l.root-servers.net. 518235 IN A 199.7.83.42
f.root-servers.net. 518235 IN AAAA 2001:500:2f::f
m.root-servers.net. 518235 IN AAAA 2001:dc3::35
g.root-servers.net. 518235 IN AAAA 2001:500:12::d0d
b.root-servers.net. 518235 IN AAAA 2001:500:200::b
j.root-servers.net. 518235 IN AAAA 2001:503:c27::2:30
i.root-servers.net. 518235 IN AAAA 2001:7fe::53
c.root-servers.net. 518235 IN AAAA 2001:500:2::c
d.root-servers.net. 518235 IN AAAA 2001:500:2d::d
h.root-servers.net. 518235 IN AAAA 2001:500:1::53
a.root-servers.net. 518235 IN AAAA 2001:503:ba3e::2:30
e.root-servers.net. 518235 IN AAAA 2001:500:a8::e
k.root-servers.net. 518235 IN AAAA 2001:7fd::1
l.root-servers.net. 518235 IN AAAA 2001:500:9f::42
;; Query time: 0 msec
;; SERVER: 192.168.100.139#53(192.168.100.139)
;; WHEN: Sat Apr 22 07:50:19 CST 2023
;; MSG SIZE rcvd: 884