1. How DNS works
DNS (Domain Name Server) is the domain name resolution service. It converts between domain names and IP addresses: an IP address can be resolved to a domain name, and a domain name to an IP address. IP addresses are a flat structure and hard to remember; DNS is a hierarchical structure and easy to remember.
The DNS hierarchy
1) Root domain: the root sits at the very top of the hierarchy and is written as a single dot ".". There are thirteen root servers worldwide: one primary root server and twelve secondary root servers.
2) Top-level domains: top-level domains are divided by organisation type or by geographic location
.gov government organisations
.com commercial organisations
.net network centres
.org non-profit organisations
.edu educational institutions
.cn .uk .us country codes: cn is China, uk is the United Kingdom, us is the United States
3) Second-level domains: second-level domains assigned and registered by the international domain name organisation for individuals or departments on the Internet
(e.g. linuxidc.com, linuxidc.net)
DNS query types
Iterative query: a local name server's query to a root name server is normally iterative. When the root name server receives the local name server's iterative query message, it either returns the IP address being looked up or tells the local name server "which name server you should ask next", and leaves the follow-up queries to the local name server.
Recursive query: a host's query to its local name server is normally recursive. If the local name server being asked does not know the IP address of the queried name, it acts as a DNS client itself and keeps sending query messages to other (root) name servers; the client finally receives a definite result from it, whether the lookup succeeds or fails.
Step 1: the client types www.baidu.com into IE and asks the local domain server to resolve it; this starts a recursive query.
Step 2: after receiving the request, the local server looks at its zone files, finds that the zone is not one it controls, and sends the query to the root domain; this is an iterative query.
Step 3: the root domain server receives the request, looks at its zone files, and replies to the requesting host telling it to ask the .com domain server; this is an iterative query.
Step 4: after receiving the root server's reply, the local domain server asks the .com domain server to resolve the name; this is an iterative query.
Step 5: the .com server receives the request, looks at its own zone files, and replies telling the host to ask the baidu.com domain server; this is an iterative query.
Step 6: after receiving the .com server's reply, the local domain server asks the baidu.com domain server to resolve the name; this is an iterative query.
Step 7: the baidu.com domain server receives the request, looks at its zone files, finds that this is a zone it controls, looks up the zone data file and sends the matching IP address to the requesting server; this is an iterative query.
Step 8: the local server receives the baidu.com domain server's reply and passes the IP address for the FQDN back to the client; this is a recursive query.
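As an added illustration (not code from the original article), the Python below simulates the eight steps: the client makes one recursive query to its local name server, and the local server walks root -> .com -> baidu.com with iterative queries, caching the answer for the next client. The server names (root-server, a.gtld-server, ns.baidu-example) and the address 203.0.113.10 are constructed for the simulation; the trace it returns is the same path that dig +trace shows later on this page.

```python
"""Simulation of the eight resolution steps above (added example, not code
from the original article). The client sends one recursive query to its
local name server; the local server walks root -> .com -> baidu.com with
iterative queries, caching the answer for later clients. Server names and
the 203.0.113.10 address are constructed for the simulation."""

ROOT = "root-server"

# Constructed delegation data. "referrals" maps a zone a server delegates to
# the server that is authoritative for it; "answers" holds the A records a
# server is authoritative for.
SERVERS = {
    ROOT: {"referrals": {"com.": "a.gtld-server"}, "answers": {}},
    "a.gtld-server": {"referrals": {"baidu.com.": "ns.baidu-example"}, "answers": {}},
    "ns.baidu-example": {"referrals": {}, "answers": {"www.baidu.com.": "203.0.113.10"}},
}


def ask(server, name):
    """One iterative query to `server`. The server either gives the final
    answer or says which server to ask next (a referral), like steps 3 and 5."""
    data = SERVERS[server]
    if name in data["answers"]:
        return "answer", data["answers"][name]
    labels = name.split(".")
    # Try the most specific zone first (www.baidu.com., baidu.com., com., .).
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in data["referrals"]:
            return "referral", data["referrals"][zone]
    return "nxdomain", None


class LocalResolver:
    """The local name server: recursive towards clients, iterative upstream."""

    def __init__(self):
        self.cache = {}  # name -> address learned from earlier lookups

    def resolve(self, name):
        """Returns (address or None, list of servers contacted in order).
        A cache hit contacts nobody, which is what a caching server buys."""
        if name in self.cache:
            return self.cache[name], []
        trace, server = [], ROOT
        while True:
            trace.append(server)
            kind, value = ask(server, name)
            if kind == "answer":
                self.cache[name] = value
                return value, trace
            if kind == "referral":
                server = value          # follow the referral on the next iteration
                continue
            return None, trace          # nobody along the path knows the name


if __name__ == "__main__":
    resolver = LocalResolver()
    print(resolver.resolve("www.baidu.com."))   # first lookup walks three servers
    print(resolver.resolve("www.baidu.com."))   # second lookup is served from cache
```

The first call returns the address together with the three servers that were contacted; the second call returns the same address with an empty trace, because the local server answered from its cache.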
DNS resolution types
FQDN (Fully Qualified Domain Name): a fully qualified domain name, made of host name + domain name
(e.g. www.linuxidc.com)
Forward resolution: FQDN -----> IP, resolves a fully qualified domain name to an IP address
Reverse resolution: IP --------> FQDN, resolves an IP address to a fully qualified domain name.
The software that implements a DNS server on Linux includes bind and powerdns; this article mainly covers bind.
bind-related packages
bind: the main program that provides the name service, and its related files
bind-libs: the libraries the name server depends on
bind-utils: test tools for the DNS service
rpm -qc PACKAGE    lists the files the package installation created
rpm -qi PACKAGE    shows the package summary
2. Caching server
DNS: domain name resolution service
built on bind (Berkeley Internet Name Domain)
powerdns and others
DNS: domain name service
domain name: uplooking.com
host name: www.uplooking.com (FQDN: fully qualified domain name)
what DNS does: name resolution, name resolving (behind it there is a resolution process and a database)
FQDN<====>IP
resolution in both directions
172.16.0.1 www.uplooking.com
172.16.0.2 bbs.uplooking.com
/etc/hosts
ipaddr FQDN Aliases
192.168.1.1 www.uplooking.com www
As the network grew, more and more hosts joined it,
so a name-management body was formed
IANA: government background; IP, FQDN
ftp: the hosts file
ICANN: civil organisation
1. periodic task
2. server
3. the centralised name database became a distributed database
distinguished by hierarchy
china.sichuan.huanqiu.n3.6.uplooking
top-down structure
abroad the order goes from small to large
www.uplooking.com. (the trailing . can be omitted by default)
. root domain
.net .com .org .edu top-level domains (three kinds of TLD: organisational domains com, net; country domains cn, hk, jp; reverse domain ip-->FQDN)
ibm kernel
Example
a----->b----->c
a<-----b<-----c
this is recursion
a--->b
a<---b
a--->c
a<---c
this is iteration
Query:
recursive: only one request is sent
iterative: several requests are sent
Resolution:
forward: FQDN-IP
reverse: IP-FQDN
Two stages:
iterative for the name server (ns)
recursive for the client
DNS: a distributed database
a parent level only knows its direct children
a child level only knows where the root is
DNS server: query requests from local clients, recursive
requests from external clients: ask for an authoritative answer
both positive and negative answers have a cache time
requests from external clients: non-authoritative answer
Common DNS server types:
master/slave
master DNS server: where data is modified
slave DNS server: requests data synchronisation
serial number: version number
refresh: check interval
retry: shorter than refresh
expire: expiry time
nag: negative caching time
caching DNS server:
forwarder: does not cache
In the database every entry is called a resource record (RR)
Format of a resource record definition:
SOA, start of authority record:
ZONE NAME TTL IN SOA FQDN ADMIN_MAIL (
serial number
refresh
retry
expire
nag
)
Time units: H hours, M minutes, D days, W weeks; the default is seconds
Mail address format: admin.uplooking.com, because @ here stands for the zone name
@|uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com(    ; @ and uplooking.com. mean the same thing here
20160904 ; at most 10 digits; a semicolon starts a comment
1H
5M
1W
1D
)
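The serial number is the one SOA field that drives replication, so here is an added example (not code from the page) of the two rules behind it. A slave only pulls a new copy when the master's serial is "newer" under RFC 1982 serial arithmetic (unsigned 32-bit with wrap-around), which is why the article keeps reminding you to change the serial number, and the YYYYMMDDnn convention used in this page's zone files must stay inside the 10-digit limit noted above. The serials tested are the ones that appear on this page; the dates passed to next_serial() are constructed.

```python
"""SOA serial rules (added example, not code from the page). A slave only
pulls a new copy when the master's serial is "newer" under RFC 1982 serial
arithmetic (unsigned 32-bit, wrapping). next_serial() follows the
YYYYMMDDnn convention the page's zone files use; dates are constructed."""

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_MAX = SERIAL_MOD - 1          # 4294967295: the 10-digit limit noted above
HALF = 1 << (SERIAL_BITS - 1)


def serial_is_newer(candidate, current):
    """RFC 1982: candidate is newer when the forward distance (mod 2^32)
    lies in 1 .. 2^31-1. Equal serials are not newer; a distance of exactly
    2^31 is undefined by the RFC and treated as not newer here."""
    for s in (candidate, current):
        if not 0 <= s <= SERIAL_MAX:
            raise ValueError("serial %d does not fit in 32 bits" % s)
    delta = (candidate - current) % SERIAL_MOD
    return 0 < delta < HALF


def next_serial(current, today):
    """Next serial for an edit made on `today` ('YYYYMMDD'). Starts at
    <today>01, or increments the counter if the zone was already edited
    today; if the existing serial is ahead of today's base (mistyped date,
    clock skew) it simply increments, so the slave still sees a newer value."""
    candidate = max(current + 1, int(today) * 100 + 1)
    if candidate > SERIAL_MAX or not serial_is_newer(candidate, current):
        raise ValueError("cannot bump serial %d past the 32-bit limit" % current)
    return candidate


def slave_will_transfer(master_serial, slave_serial):
    """What the slave decides at refresh time (or on NOTIFY): transfer only
    when the master's SOA serial is newer than the copy it already holds."""
    return serial_is_newer(master_serial, slave_serial)


if __name__ == "__main__":
    # The jump this page makes from 20140904 to 2014090602 is still "newer",
    # so the slave transfers; going back would not be.
    print(slave_will_transfer(2014090602, 20140904))   # True
    print(slave_will_transfer(20140904, 2014090602))   # False
    print(next_serial(2014090603, "20140907"))         # 2014090701
```

The jump from an 8-digit serial (20140904) to a 10-digit one (2014090602) works only because the distance is below 2^31; a slave that holds the larger value will never accept the smaller one again, which is the usual cause of a slave that silently stops updating.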
TTL: can be omitted and defined globally instead
NAME [TTL] IN RRT VALUE
www.uplooking.com. IN A 1.1.1.1
1.1.1.1 IN PTR www.uplooking.com.
Resource record types (RRT):
the role this record plays on the current DNS server
NS: zone name ----> FQDN
uplooking.com. 600 IN NS ns1.uplooking.com.
uplooking.com. 600 IN NS ns2.uplooking.com.
ns1.uplooking.com. 600 IN A 1.1.1.2
ns2.uplooking.com. 600 IN A 1.1.1.4
the above must appear as a group (each NS record together with the A record of that name server)
MX: zone name ----> FQDN
priority: 0-99; the smaller the number, the higher the priority
NAME TTL IN MX pri VALUE
uplooking.com. 600 IN MX 10 mail.uplooking.com.
mail.uplooking.com. 600 IN A 1.1.1.3
A: address, FQDN ---> IPv4
AAAA: FQDN ---> IPv6
PTR: IP ---> FQDN
CNAME: FQDN ---> FQDN
www2.uplooking.com. IN CNAME www.uplooking.com.
Domain
Zone
From DNS's point of view a domain is a logical concept and a zone is a physical one
forward resolution database (zone)    reverse resolution database (reverse zone)
together these two are called one domain
uplooking.com. 192.168.100.0/24
delegated from inside .com
uplooking.com. IN NS ns.uplooking.com.
ns.uplooking.com. IN A 192.168.100.10
www 192.168.100.1
mail 192.168.100.2 MX
Create two zone files
Forward:
uplooking.com. IN SOA
www.uplooking.com. IN A 192.168.100.12
abbreviated:
www IN A 192.168.100.12
Reverse:
100.168.192.in-addr.arpa. IN SOA
12.100.168.192.in-addr.arpa. IN PTR www.uplooking.com.
abbreviated:
12 IN PTR www.uplooking.com.
Zone transfer types:
full zone transfer: axfr
incremental zone transfer: ixfr
Zone types:
master zone: master
slave zone: slave
hint zone: hint, defines where the root is
forward zone: forward
The actual configuration
uplooking.com 192.168.100.0/24
ns:192.168.100.200
www:192.168.100.220 192.168.100.221
mail:192.168.100.223
ftp:192.168.100.224
bbs:www
DNS software
BIND: Berkeley internet name domain
isc: www.isc.org
this organisation maintains dns and dhcp
[root@salt-master ~]# yum list |grep "^bind"
bind-libs.x86_64 32:9.8.2-0.47.rc1.el6 @iso
bind-utils.x86_64 32:9.8.2-0.47.rc1.el6 @iso
bind.x86_64 32:9.8.2-0.47.rc1.el6 iso
bind-chroot.x86_64 32:9.8.2-0.47.rc1.el6 iso
bind-devel.i686 32:9.8.2-0.47.rc1.el6 iso
bind-devel.x86_64 32:9.8.2-0.47.rc1.el6 iso
bind-dyndb-ldap.x86_64 2.3-8.el6 iso
bind-libs.i686 32:9.8.2-0.47.rc1.el6 iso
bind-sdb.x86_64 32:9.8.2-0.47.rc1.el6 iso
bind.x86_64: the main package
bind-libs.x86_64: the libraries the main package depends on
bind-utils.x86_64: bind's tool package
yum install bind.x86_64 bind-utils.x86_64 bind-libs.x86_64
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/portreserve/named
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
bind:
/etc/named.conf
working attributes of the named process
zone definitions
/etc/rndc.key
/etc/rndc.conf
/etc/named.root.key
rndc: remote name domain controller
key files
/var/named/
zone data files
/etc/init.d/named
start-up script
After installing bind-chroot.x86_64, named runs inside a virtual (chroot) directory, which limits the damage if the server is compromised
On 5.8 systems a cache-nameserver package had to be installed to get caching
in 6 it is already included
cache ---> master ---> slave
/var/named/named.ca
addresses of the 13 root nodes
if this file is missing it can be generated with dig
query all NS records of the root domain
[root@salt-master ~]# dig -t NS .
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56422
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 150724 IN NS e.root-servers.net.
. 150724 IN NS h.root-servers.net.
. 150724 IN NS j.root-servers.net.
. 150724 IN NS k.root-servers.net.
. 150724 IN NS f.root-servers.net.
. 150724 IN NS d.root-servers.net.
. 150724 IN NS m.root-servers.net.
. 150724 IN NS a.root-servers.net.
. 150724 IN NS l.root-servers.net.
. 150724 IN NS b.root-servers.net.
. 150724 IN NS i.root-servers.net.
. 150724 IN NS g.root-servers.net.
. 150724 IN NS c.root-servers.net.
;; Query time: 44 msec
;; SERVER: 114.114.114.114#53(114.114.114.114)
;; WHEN: Sun Sep 4 18:54:56 2016
;; MSG SIZE rcvd: 228
This requires Internet access
Use e.root-servers.net to query the NS records of the root domain
[root@salt-master ~]# dig -t NS . @e.root-servers.net
Protocols and ports listened on
TCP/UDP: 53
TCP: 953, rndc
vim /etc/named.conf
Global options
options {
listen-on port 53 { 0.0.0.0; }; # listening address and port
listen-on-v6 port 53 { ::1; };
directory "/var/named"; # data file directory
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { localhost; }; # who is allowed to query
recursion yes; # whether to recurse
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
Root zone:
a master zone must define file
a slave zone: file, plus
masters { master server address; };
zone "ZONE NAME" IN {
type master|slave|forward|hint;
};
Now let's start with the simplest named.conf configuration
listen-on port 53 { any; };
allow-query { any; };
Only these options are changed
[root@salt-master ~]# chown root.named /etc/named.conf
[root@salt-master ~]# chmod 640 /etc/named.conf
[root@salt-master ~]# named-checkconf    # checks the configuration file
[root@salt-master ~]# named-checkzone    # checks a zone file
[root@salt-master ~]# named-checkzone "." /var/named/named.ca
zone ./IN: has 0 SOA records
zone ./IN: not loaded due to errors.
[root@salt-master ~]# named-checkzone "localhost" /var/named/named.lo
named.localhost named.loopback
[root@salt-master ~]# named-checkzone "localhost" /var/named/named.localhost
zone localhost/IN: loaded serial 0
OK
[root@salt-master ~]# named-checkzone "0.0.127.in-addr-arpa" /var/named/named.loopback
zone 0.0.127.in-addr-arpa/IN: loaded serial 0
OK
[root@salt-master named]# dig -t A www.uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37881
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 6
;; QUESTION SECTION:
;www.uplooking.com. IN A
;; ANSWER SECTION:
www.uplooking.com. 3600 IN A 119.254.2.19
;; AUTHORITY SECTION:
uplooking.com. 172788 IN NS dns7.hichina.com.
uplooking.com. 172788 IN NS dns8.hichina.com.
;; ADDITIONAL SECTION:
dns7.hichina.com. 172788 IN A 140.205.228.12
dns7.hichina.com. 172788 IN A 42.120.221.12
dns7.hichina.com. 172788 IN A 140.205.81.12
dns8.hichina.com. 172788 IN A 42.120.221.22
dns8.hichina.com. 172788 IN A 140.205.81.22
dns8.hichina.com. 172788 IN A 140.205.228.22
;; Query time: 4090 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:46:20 2016
;; MSG SIZE rcvd: 193
[root@salt-master named]# dig -t NS .
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS .
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19893
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518370 IN NS g.root-servers.net.
. 518370 IN NS e.root-servers.net.
. 518370 IN NS d.root-servers.net.
. 518370 IN NS h.root-servers.net.
. 518370 IN NS k.root-servers.net.
. 518370 IN NS a.root-servers.net.
. 518370 IN NS c.root-servers.net.
. 518370 IN NS b.root-servers.net.
. 518370 IN NS i.root-servers.net.
. 518370 IN NS f.root-servers.net.
. 518370 IN NS l.root-servers.net.
. 518370 IN NS j.root-servers.net.
. 518370 IN NS m.root-servers.net.
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:46:33 2016
;; MSG SIZE rcvd: 228
dig -t RT NAME          (RT is the record type)
dig -t NS uplooking.com
dig -t RT NAME @IP
Add the zone configuration
[root@salt-master named]# vim /etc/named.rfc1912.zones
zone "uplooking.com" IN {
type master;
file "uplooking.com.zone";
};
[root@salt-master named]# named-checkconf
[root@salt-master named]# named-checkzone "uplooking.com" /var/named/uplooking.com.zone
zone uplooking.com/IN: loaded serial 20140904
OK
Restart
[root@salt-master named]# /etc/init.d/named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@salt-master named]# dig -t A www.uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42987
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.uplooking.com. IN A
;; ANSWER SECTION:
www.uplooking.com. 600 IN A 192.168.1.221
www.uplooking.com. 600 IN A 192.168.1.220
;; AUTHORITY SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 0 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:49:17 2016
;; MSG SIZE rcvd: 101
The address that www.uplooking.com resolves to has changed
[root@salt-master named]# dig -t A www.uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t A www.uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11596
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.uplooking.com. IN A
;; ANSWER SECTION:
www.uplooking.com. 600 IN A 192.168.1.220
www.uplooking.com. 600 IN A 192.168.1.221
;; AUTHORITY SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:50:05 2016
;; MSG SIZE rcvd: 101
[root@salt-master named]# dig -t CNAME ftp.uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t CNAME ftp.uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38619
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;ftp.uplooking.com. IN CNAME
;; ANSWER SECTION:
ftp.uplooking.com. 600 IN CNAME www.uplooking.com.
;; AUTHORITY SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:50:39 2016
;; MSG SIZE rcvd: 87
[root@salt-master named]# dig -t NS uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t NS uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10849
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;uplooking.com. IN NS
;; ANSWER SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:50:52 2016
;; MSG SIZE rcvd: 65
[root@salt-master named]# dig -t MX uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t MX uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; QUESTION SECTION:
;uplooking.com. IN MX
;; ANSWER SECTION:
uplooking.com. 600 IN MX 10 mail.uplooking.com.
;; AUTHORITY SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
mail.uplooking.com. 600 IN A 192.168.1.223
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 19:51:08 2016
;; MSG SIZE rcvd: 102
This completes basic forward zone resolution
dig -x IP    reverse resolution, IP ---> FQDN
host -t RT NAME
[root@salt-master named]# host -t A www.uplooking.com
www.uplooking.com has address 192.168.1.220
www.uplooking.com has address 192.168.1.221
[root@salt-master named]# host -t A www.uplooking.com
www.uplooking.com has address 192.168.1.221
www.uplooking.com has address 192.168.1.220
[root@salt-master named]# host -t NS uplooking.com
uplooking.com name server ns1.uplooking.com.
[root@salt-master named]# host -t MX uplooking.com
uplooking.com mail is handled by 10 mail.uplooking.com.
[root@salt-master named]# host -t SOA uplooking.com
uplooking.com has SOA record ns1.uplooking.com. admin.uplooking.com. 20140904 3600 300 172800 21600
[root@salt-master named]# nslookup
> server 192.168.1.200
Default server: 192.168.1.200
Address: 192.168.1.200#53
> set q=A
> www.uplooking.com
Server: 192.168.1.200
Address: 192.168.1.200#53
Name: www.uplooking.com
Address: 192.168.1.220
Name: www.uplooking.com
Address: 192.168.1.221
Reverse:
[root@salt-master named]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
};
[root@salt-master named]# vim /var/named/192.168.1.zone
$TTL 600
@ IN SOA ns1.uplooking.com. admin.uplooking.com. (   ; @ is the zone origin, 1.168.192.in-addr.arpa
20140904
1H
5M
2D
6H
)
    IN NS ns1.uplooking.com.
200 IN PTR ns1.uplooking.com.
220 IN PTR www.uplooking.com.
221 IN PTR www.uplooking.com.
[root@salt-master named]# dig -x 192.168.1.221
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.221
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65233
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;221.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
221.1.168.192.in-addr.arpa. 600 IN PTR www.uplooking.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 20:02:24 2016
;; MSG SIZE rcvd: 109
[root@salt-master named]# dig -x 192.168.1.220
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.220
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7815
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;220.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
220.1.168.192.in-addr.arpa. 600 IN PTR www.uplooking.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 0 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 20:02:27 2016
;; MSG SIZE rcvd: 109
[root@salt-master named]# dig -x 192.168.1.200.
dig: '.200.1.168.192.in-addr.arpa.' is not a legal name (unexpected end of input)
[root@salt-master named]# dig -x 192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -x 192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37471
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;200.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
200.1.168.192.in-addr.arpa. 600 IN PTR ns1.uplooking.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 4 20:02:31 2016
;; MSG SIZE rcvd: 105
For your DNS server to resolve names other than the host names you defined yourself, configure forwarding
[root@salt-master named]# vim /etc/named.conf
inside options:
forwarders { 114.114.114.114; };
[root@salt-master named]# nslookup www.baidu.com
Server: 192.168.1.200
Address: 192.168.1.200#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 180.97.33.107
Name: www.a.shifen.com
Address: 180.97.33.108
Wildcard resolution:
[root@salt-master named]# vim uplooking.com.zone
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
20140904
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
; IN NS ns1
    IN MX 10 mail
ns1 IN A 192.168.1.200
mail IN A 192.168.1.223
www IN A 192.168.1.220
www IN A 192.168.1.221
ftp IN CNAME www
;*.uplooking.com. IN A 192.168.1.220
* IN A 192.168.1.220
[root@salt-master named]# dig -t -A 43432fsdfsd4.uplooking.com
;; Warning, ignoring invalid type -A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -A 43432fsdfsd4.uplooking.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;43432fsdfsd4.uplooking.com. IN A
;; ANSWER SECTION:
43432fsdfsd4.uplooking.com. 600 IN A 192.168.1.220
;; AUTHORITY SECTION:
uplooking.com. 600 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 600 IN A 192.168.1.200
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Tue Sep 6 19:33:28 2016
;; MSG SIZE rcvd: 94
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
recursion yes; // enable recursion
#allow-recursion { 192.168.1.0/24; }; // only provide recursion to the 192.168.1.0/24 network
};
[root@salt-master ~]# dig +norecurse -t A www.sohu.com @192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> +norecurse -t A www.sohu.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48616
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0
;; QUESTION SECTION:
;www.sohu.com. IN A
;; AUTHORITY SECTION:
. 517990 IN NS d.root-servers.net.
. 517990 IN NS g.root-servers.net.
. 517990 IN NS c.root-servers.net.
. 517990 IN NS m.root-servers.net.
. 517990 IN NS k.root-servers.net.
. 517990 IN NS j.root-servers.net.
. 517990 IN NS i.root-servers.net.
. 517990 IN NS l.root-servers.net.
. 517990 IN NS f.root-servers.net.
. 517990 IN NS b.root-servers.net.
. 517990 IN NS h.root-servers.net.
. 517990 IN NS e.root-servers.net.
. 517990 IN NS a.root-servers.net.
;; Query time: 2 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Tue Sep 6 19:39:34 2016
;; MSG SIZE rcvd: 241
[root@salt-master ~]# dig +norecurse -t A www.sohu.com @a.root-servers.ne
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> +norecurse -t A www.sohu.com @a.root-servers.ne
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@salt-master ~]# dig +norecurse -t A www.sohu.com @dns.sohu.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> +norecurse -t A www.sohu.com @dns.sohu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7807
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; QUESTION SECTION:
;www.sohu.com. IN A
;; ANSWER SECTION:
www.sohu.com. 1800 IN CNAME gs.a.sohu.com.
;; AUTHORITY SECTION:
a.sohu.com. 43200 IN NS x.a.sohu.com.
a.sohu.com. 43200 IN NS k.a.sohu.com.
a.sohu.com. 43200 IN NS s.a.sohu.com.
a.sohu.com. 43200 IN NS w.a.sohu.com.
a.sohu.com. 43200 IN NS y.a.sohu.com.
;; ADDITIONAL SECTION:
k.a.sohu.com. 7200 IN A 211.95.75.9
s.a.sohu.com. 7200 IN A 101.227.172.21
w.a.sohu.com. 7200 IN A 221.179.180.22
x.a.sohu.com. 7200 IN A 14.18.240.43
y.a.sohu.com. 7200 IN A 220.181.26.169
y.a.sohu.com. 7200 IN AAAA 2408:80f0:4010::20
;; Query time: 40 msec
;; SERVER: 61.135.150.76#53(61.135.150.76)
;; WHEN: Tue Sep 6 19:40:39 2016
;; MSG SIZE rcvd: 237
[root@salt-master ~]# dig +trace -t A www.sohu.com @192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> +trace -t A www.sohu.com @192.168.1.200
;; global options: +cmd
. 517791 IN NS d.root-servers.net.
. 517791 IN NS h.root-servers.net.
. 517791 IN NS m.root-servers.net.
. 517791 IN NS j.root-servers.net.
. 517791 IN NS e.root-servers.net.
. 517791 IN NS c.root-servers.net.
. 517791 IN NS i.root-servers.net.
. 517791 IN NS k.root-servers.net.
. 517791 IN NS l.root-servers.net.
. 517791 IN NS b.root-servers.net.
. 517791 IN NS a.root-servers.net.
. 517791 IN NS g.root-servers.net.
. 517791 IN NS f.root-servers.net.
;; Received 228 bytes from 192.168.1.200#53(192.168.1.200) in 882 ms
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; Received 490 bytes from 192.203.230.10#53(192.203.230.10) in 1173 ms
sohu.com. 172800 IN NS dns.sohu.com.
sohu.com. 172800 IN NS ns1.sohu.com.
sohu.com. 172800 IN NS ns2.sohu.com.
sohu.com. 172800 IN NS ns4.sohu.com.
sohu.com. 172800 IN NS ns5.sohu.com.
sohu.com. 172800 IN NS ns6.sohu.com.
;; Received 290 bytes from 192.35.51.30#53(192.35.51.30) in 557 ms
www.sohu.com. 1800 IN CNAME gs.a.sohu.com.
a.sohu.com. 43200 IN NS s.a.sohu.com.
a.sohu.com. 43200 IN NS w.a.sohu.com.
a.sohu.com. 43200 IN NS x.a.sohu.com.
a.sohu.com. 43200 IN NS y.a.sohu.com.
a.sohu.com. 43200 IN NS k.a.sohu.com.
;; Received 237 bytes from 101.227.172.19#53(101.227.172.19) in 83 ms
# non-recursive query
[root@salt-master ~]# dig +trace +norecurse -t A www.sohu.com @192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> +trace +norecurse -t A www.sohu.com @192.168.1.200
;; global options: +cmd
. 517687 IN NS h.root-servers.net.
. 517687 IN NS e.root-servers.net.
. 517687 IN NS l.root-servers.net.
. 517687 IN NS j.root-servers.net.
. 517687 IN NS m.root-servers.net.
. 517687 IN NS k.root-servers.net.
. 517687 IN NS c.root-servers.net.
. 517687 IN NS a.root-servers.net.
. 517687 IN NS d.root-servers.net.
. 517687 IN NS b.root-servers.net.
. 517687 IN NS g.root-servers.net.
. 517687 IN NS f.root-servers.net.
. 517687 IN NS i.root-servers.net.
;; Received 508 bytes from 192.168.1.200#53(192.168.1.200) in 14 ms
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
;; Received 502 bytes from 198.41.0.4#53(198.41.0.4) in 96 ms
sohu.com. 172800 IN NS dns.sohu.com.
sohu.com. 172800 IN NS ns1.sohu.com.
sohu.com. 172800 IN NS ns2.sohu.com.
sohu.com. 172800 IN NS ns4.sohu.com.
sohu.com. 172800 IN NS ns5.sohu.com.
sohu.com. 172800 IN NS ns6.sohu.com.
;; Received 290 bytes from 192.41.162.30#53(192.41.162.30) in 626 ms
www.sohu.com. 1800 IN CNAME gs.a.sohu.com.
a.sohu.com. 43200 IN NS x.a.sohu.com.
a.sohu.com. 43200 IN NS y.a.sohu.com.
a.sohu.com. 43200 IN NS k.a.sohu.com.
a.sohu.com. 43200 IN NS w.a.sohu.com.
a.sohu.com. 43200 IN NS s.a.sohu.com.
;; Received 237 bytes from 61.135.150.76#53(61.135.150.76) in 41 ms
axfr: full zone transfer
ixfr: incremental zone transfer
zone transfers happen when there is a master/slave setup
Full zone transfer
[root@salt-master ~]# dig -t axfr uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t axfr uplooking.com
;; global options: +cmd
uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com. 20140904 3600 300 172800 21600
uplooking.com. 600 IN NS ns1.uplooking.com.
uplooking.com. 600 IN MX 10 mail.uplooking.com.
*.uplooking.com. 600 IN A 192.168.1.220
ftp.uplooking.com. 600 IN CNAME www.uplooking.com.
mail.uplooking.com. 600 IN A 192.168.1.223
ns1.uplooking.com. 600 IN A 192.168.1.200
www.uplooking.com. 600 IN A 192.168.1.220
www.uplooking.com. 600 IN A 192.168.1.221
uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com. 20140904 3600 300 172800 21600
;; Query time: 2 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Tue Sep 6 19:50:09 2016
;; XFR size: 10 records (messages 1, bytes 252)
Incremental zone transfer
Change the serial number and add one A record
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090602
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
; IN NS ns1
    IN MX 10 mail
ns1 IN A 192.168.1.200
mail IN A 192.168.1.223
pop IN A 192.168.1.220
www IN A 192.168.1.220
www IN A 192.168.1.221
ftp IN CNAME www
;*.uplooking.com. IN A 192.168.1.220
* IN A 192.168.1.220
[root@salt-master ~]# dig -t IXFR=2014090602 uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t IXFR=2014090602 uplooking.com
;; global options: +cmd
uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com. 2014090602 3600 300 172800 21600
;; Query time: 0 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Tue Sep 6 19:58:52 2016
;; XFR size: 1 records (messages 1, bytes 77)
Allow transfers in named.conf
allow-transfer { 192.168.1.201; };
allow-transfer { none; };
[root@salt-master ~]# dig -t axfr uplooking.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t axfr uplooking.com
;; global options: +cmd
; Transfer failed.
Perform the transfer from 192.168.1.201
[root@salt-minion ~]# dig -t axfr uplooking.com @192.168.1.200
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t axfr uplooking.com @192.168.1.200
;; global options: +cmd
uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com. 2014090602 3600 300 172800 21600
uplooking.com. 600 IN NS ns1.uplooking.com.
uplooking.com. 600 IN MX 10 mail.uplooking.com.
*.uplooking.com. 600 IN A 192.168.1.220
ftp.uplooking.com. 600 IN CNAME www.uplooking.com.
mail.uplooking.com. 600 IN A 192.168.1.223
ns1.uplooking.com. 600 IN A 192.168.1.200
pop.uplooking.com. 600 IN A 192.168.1.220
www.uplooking.com. 600 IN A 192.168.1.220
www.uplooking.com. 600 IN A 192.168.1.221
uplooking.com. 600 IN SOA ns1.uplooking.com. admin.uplooking.com. 2014090602 3600 300 172800 21600
;; Query time: 1 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Tue Sep 6 20:05:22 2016
;; XFR size: 11 records (messages 1, bytes 272)
Now the master/slave DNS configuration
Master DNS configuration: configure it as above
Slave DNS configuration:
almost identical to the master configuration file
master: named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer { 192.168.1.201; };
//allow-transfer { none; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
forwarders { 114.114.114.114; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Note that allow-transfer must be opened here, otherwise the slave cannot pull the zone
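Two options in this file decide who can use the server: allow-recursion (commented out earlier on this page) limits who gets recursive answers, and allow-transfer limits who can pull the whole zone with AXFR. The Python below is an added example (not the page's or BIND's code) that parses the options block of a named.conf and reports both exposures. The three configurations it checks are constructed from the ones on this page: the master file above, the minimal listen-on/allow-query-only file from the start of the walkthrough, and a hardened variant with allow-recursion added.

```python
"""Audit the options block of a named.conf for two exposures discussed on
this page: recursion open to everyone, and zone transfers open to everyone.
Added example, not the page's or BIND's code; the configurations below are
constructed from the ones shown on the page."""

import re

# Constructed excerpt mirroring the master named.conf on this page.
MASTER_CONF = """\
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    allow-transfer { 192.168.1.201; };
    //allow-transfer { none; };
    recursion yes;
    forwarders { 114.114.114.114; };   /* upstream resolver */
};
zone "." IN { type hint; file "named.ca"; };
"""

# The page's first minimal configuration: only listen-on and allow-query changed.
MINIMAL_CONF = """\
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
"""

# Same as the master, with recursion limited to the local network.
HARDENED_CONF = MASTER_CONF.replace(
    "recursion yes;", "recursion yes;\n    allow-recursion { 192.168.1.0/24; };")


def strip_comments(text):
    """named.conf accepts /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def block_body(conf, keyword):
    """Text between the braces of the first `keyword { ... }` block."""
    m = re.search(r"\b%s\s*\{" % re.escape(keyword), conf)
    if not m:
        return None
    depth, start = 0, m.end() - 1
    for j in range(start, len(conf)):
        if conf[j] == "{":
            depth += 1
        elif conf[j] == "}":
            depth -= 1
            if depth == 0:
                return conf[start + 1:j]
    raise ValueError("unbalanced braces in %s block" % keyword)


LIST_STMT = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;")


def parse_options(conf):
    """{statement: [values]}; address-match lists become lists of elements."""
    body = block_body(strip_comments(conf), "options")
    if body is None:
        raise ValueError("no options block")
    opts = {}
    for m in LIST_STMT.finditer(body):
        opts[m.group(1)] = [v.strip() for v in m.group(2).split(";") if v.strip()]
    for m in re.finditer(r"([\w-]+)\s+([^;{}]+);", LIST_STMT.sub("", body)):
        opts[m.group(1)] = [m.group(2).strip().strip('"')]
    return opts


def audit(conf):
    """Return a list of (code, advice) for settings that expose the server."""
    opts = parse_options(conf)
    findings = []
    # BIND defaults: recursion yes, allow-query any, allow-transfer any.
    recursive = opts.get("recursion", ["yes"])[0] == "yes"
    if recursive and "any" in opts.get("allow-query", ["any"]) and "allow-recursion" not in opts:
        findings.append(("open-recursion",
                         "recursion yes with allow-query { any; } and no allow-recursion: "
                         "add allow-recursion { <your networks>; } so that only local "
                         "clients can use this server as a recursive resolver"))
    transfer = opts.get("allow-transfer")
    if transfer is None or "any" in transfer:
        findings.append(("open-transfer",
                         "allow-transfer is unrestricted: AXFR hands the whole zone to any "
                         "client; list the slave addresses on the master and set "
                         "allow-transfer { none; } on the slave"))
    return findings


if __name__ == "__main__":
    for name, conf in (("master", MASTER_CONF), ("minimal", MINIMAL_CONF), ("hardened", HARDENED_CONF)):
        print(name, [code for code, _ in audit(conf)])
```

Against the master configuration the audit reports only open-recursion (transfers are already limited to 192.168.1.201); the minimal configuration from the start of the page reports both findings, and the hardened variant reports none. The commented-out //allow-transfer line is ignored, as named itself ignores it.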
slave: named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
#allow-transfer { 192.168.1.201; };
allow-transfer { none; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
forwarders { 114.114.114.114; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Here I have allow-transfer switched off on the slave
[root@salt-master ~]# tail -f /var/log/messages
Sep 6 20:13:55 salt-master named[1908]: client 192.168.1.201#58857: zone transfer 'uplooking.com/AXFR/IN' denied
Sep 6 20:14:42 salt-master named[1908]: received control channel command 'reload'
Sep 6 20:14:42 salt-master named[1908]: loading configuration from '/etc/named.conf'
Sep 6 20:14:42 salt-master named[1908]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Sep 6 20:14:42 salt-master named[1908]: using default UDP/IPv4 port range: [1024, 65535]
Sep 6 20:14:42 salt-master named[1908]: using default UDP/IPv6 port range: [1024, 65535]
Sep 6 20:14:42 salt-master named[1908]: sizing zone task pool based on 8 zones
Sep 6 20:14:42 salt-master named[1908]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 6 20:14:42 salt-master named[1908]: reloading configuration succeeded
Sep 6 20:14:42 salt-master named[1908]: reloading zones succeeded
Sep 6 20:14:44 salt-master named[1908]: client 192.168.1.201#49304: transfer of 'uplooking.com/IN': AXFR started
Sep 6 20:14:44 salt-master named[1908]: client 192.168.1.201#49304: transfer of 'uplooking.com/IN': AXFR ended
Sep 6 20:14:47 salt-master named[1908]: client 192.168.1.201#60357: transfer of '1.168.192.in-addr.arpa/IN': AXFR started
Sep 6 20:14:47 salt-master named[1908]: client 192.168.1.201#60357: transfer of '1.168.192.in-addr.arpa/IN': AXFR ended
The log shows the transfer has completed
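The same log lines are also the place to watch for transfer attempts that should not be happening: a "zone transfer ... denied" entry is allow-transfer doing its job, and a completed AXFR to an address that is not one of your slaves means the zone has leaked. The Python below is an added example (not code from the page) that summarises such lines; the log text is constructed after the /var/log/messages excerpt above, with a made-up outside client 203.0.113.7 added, and the list of expected slaves is an assumption for the example.

```python
"""Detection over named syslog lines (added example, not code from the page).
Counts denied zone-transfer attempts per client and zone, records completed
transfers, and flags completed transfers to clients that are not expected
slaves. LOG is constructed after the /var/log/messages excerpt on this page;
203.0.113.7 is a made-up outside client."""

import re
from collections import Counter

LOG = """\
Sep  6 20:13:55 salt-master named[1908]: client 192.168.1.201#58857: zone transfer 'uplooking.com/AXFR/IN' denied
Sep  6 20:13:57 salt-master named[1908]: client 203.0.113.7#40001: zone transfer 'uplooking.com/AXFR/IN' denied
Sep  6 20:13:58 salt-master named[1908]: client 203.0.113.7#40002: zone transfer 'uplooking.com/AXFR/IN' denied
Sep  6 20:14:42 salt-master named[1908]: received control channel command 'reload'
Sep  6 20:14:44 salt-master named[1908]: client 192.168.1.201#49304: transfer of 'uplooking.com/IN': AXFR started
Sep  6 20:14:44 salt-master named[1908]: client 192.168.1.201#49304: transfer of 'uplooking.com/IN': AXFR ended
Sep  6 20:14:47 salt-master named[1908]: client 192.168.1.201#60357: transfer of '1.168.192.in-addr.arpa/IN': AXFR started
Sep  6 20:14:47 salt-master named[1908]: client 192.168.1.201#60357: transfer of '1.168.192.in-addr.arpa/IN': AXFR ended
Sep  6 20:16:01 salt-master named[1908]: client 203.0.113.7#40003: transfer of 'uplooking.com/IN': AXFR started
Sep  6 20:16:01 salt-master named[1908]: client 203.0.113.7#40003: transfer of 'uplooking.com/IN': AXFR ended
"""

DENIED = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: zone transfer '(?P<zone>[^/']+)/(?P<kind>[AI]XFR)/IN' denied")
TRANSFER = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#\d+: transfer of '(?P<zone>[^/']+)/IN': (?P<kind>[AI]XFR) (?P<state>started|ended)")


def summarize_transfers(log_text, expected_slaves=frozenset({"192.168.1.201"})):
    """Returns {'denied': {(ip, zone): n}, 'completed': [(ip, zone, kind)],
    'unexpected': [(ip, zone)]} for the given log text. expected_slaves is
    an assumption of this example: the addresses allowed to pull the zone."""
    denied, completed, unexpected = Counter(), [], []
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if m:
            denied[(m["ip"], m["zone"])] += 1
            continue
        m = TRANSFER.search(line)
        if m and m["state"] == "ended":
            completed.append((m["ip"], m["zone"], m["kind"]))
            if m["ip"] not in expected_slaves:
                unexpected.append((m["ip"], m["zone"]))
    return {"denied": dict(denied), "completed": completed, "unexpected": unexpected}


def repeat_denials(summary, threshold=2):
    """Clients denied at least `threshold` times across all zones, sorted."""
    per_ip = Counter()
    for (ip, _zone), n in summary["denied"].items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    summary = summarize_transfers(LOG)
    print("denied:", summary["denied"])
    print("completed:", summary["completed"])
    print("unexpected:", summary["unexpected"])
    print("repeat offenders:", repeat_denials(summary))
```

On the constructed log the first denial is the slave itself, before allow-transfer was opened on the master (exactly what the excerpt above shows); the two denials from 203.0.113.7 make it a repeat offender, and its later completed AXFR is the finding that matters, because it means the zone was served to an address outside the slave list.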
[root@salt-minion ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 415 Sep 6 20:14 192.168.1.zone
-rw-r--r--. 1 named named 484 Sep 6 20:14 uplooking.com.zone
The zone data files are also visible on the slave
Add a new record on the master, and add an NS record for the slave
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090603
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
uplooking.com. IN NS ns2.uplooking.com.
; IN NS ns1
    IN MX 10 mail
ns1 IN A 192.168.1.200
ns2 IN A 192.168.1.201
mail IN A 192.168.1.223
pop IN A 192.168.1.220
imap IN A 192.168.1.225
www IN A 192.168.1.220
www IN A 192.168.1.221
ftp IN CNAME www
;*.uplooking.com. IN A 192.168.1.220
* IN A 192.168.1.220
Remember to change the serial number
[root@salt-master ~]# /etc/init.d/named reload
Reloading named: [ OK ]
[root@salt-master ~]# !tai
tail -f /var/log/messages
Sep 6 20:20:00 salt-master named[1908]: received control channel command 'reload'
Sep 6 20:20:00 salt-master named[1908]: loading configuration from '/etc/named.conf'
Sep 6 20:20:00 salt-master named[1908]: reading built-in trusted keys from file '/etc/named.iscdlv.key'
Sep 6 20:20:00 salt-master named[1908]: using default UDP/IPv4 port range: [1024, 65535]
Sep 6 20:20:00 salt-master named[1908]: using default UDP/IPv6 port range: [1024, 65535]
Sep 6 20:20:00 salt-master named[1908]: sizing zone task pool based on 8 zones
Sep 6 20:20:00 salt-master named[1908]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Sep 6 20:20:00 salt-master named[1908]: reloading configuration succeeded
Sep 6 20:20:00 salt-master named[1908]: reloading zones succeeded
Sep 6 20:20:00 salt-master named[1908]: zone uplooking.com/IN: loaded serial 2014090603
The master's log shows the zone reloaded with the new serial; the slave's log confirms the transfer:
[root@salt-minion ~]# !ta
tail -f /var/log/messages
Sep 6 20:14:48 salt-minion named[3330]: zone 1.168.192.in-addr.arpa/IN: Transfer started.
Sep 6 20:14:48 salt-minion named[3330]: transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.200#53: connected using 192.168.1.201#60357
Sep 6 20:14:48 salt-minion named[3330]: zone 1.168.192.in-addr.arpa/IN: transferred serial 20140904
Sep 6 20:14:48 salt-minion named[3330]: transfer of '1.168.192.in-addr.arpa/IN' from 192.168.1.200#53: Transfer completed: 1 messages, 6 records, 207 bytes, 0.002 secs (103500 bytes/sec)
Sep 6 20:24:41 salt-minion named[3330]: client 192.168.1.200#56395: received notify for zone 'uplooking.com'
Sep 6 20:24:41 salt-minion named[3330]: zone uplooking.com/IN: Transfer started.
Sep 6 20:24:41 salt-minion named[3330]: transfer of 'uplooking.com/IN' from 192.168.1.200#53: connected using 192.168.1.201#51708
Sep 6 20:24:41 salt-minion named[3330]: zone uplooking.com/IN: transferred serial 2014090603
Sep 6 20:24:41 salt-minion named[3330]: transfer of 'uplooking.com/IN' from 192.168.1.200#53: Transfer completed: 1 messages, 14 records, 327 bytes, 0.001 secs (327000 bytes/sec)
Sep 6 20:24:41 salt-minion named[3330]: zone uplooking.com/IN: sending notifies (serial 2014090603)
Master/slave replication is working.
Testing reverse resolution:
$TTL 600
@ IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090504
1H
5M
2D
6H
)
IN NS ns1.uplooking.com.
IN NS ns2.uplooking.com.
200 IN PTR ns1.uplooking.com.
201 IN PTR ns2.uplooking.com.
220 IN PTR www.uplooking.com.
221 IN PTR www.uplooking.com.
223 IN PTR yys.uplooking.com.
Likewise, add the NS record for the slave and bump the serial number.
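The tutorial stresses twice that the serial must be changed after every edit: a slave only pulls a new copy when the master's serial is larger than the one it holds, so a forgotten or non-increasing serial leaves the slave silently stale. The helper below is an added example (not part of the tutorial or of BIND) that reads the serial out of a zone file, computes the next value under the YYYYMMDDnn convention the tutorial uses, and handles the two edge cases that bite in practice: several edits on the same day, and an existing serial that is already larger than today's date would give. The zone text is constructed to resemble the tutorial's uplooking.com.zone.

```python
import re
from datetime import date

# Constructed zone text modelled on the tutorial's uplooking.com.zone (not taken from a server).
SAMPLE_ZONE = """\
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090603
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
uplooking.com. IN NS ns2.uplooking.com.
ns1 IN A 192.168.1.200
ns2 IN A 192.168.1.201
"""

# The serial is the first number after the opening parenthesis of the SOA record.
SERIAL_RE = re.compile(r"(\bSOA\b[^(]*\(\s*)(\d+)")

MAX_SERIAL = 0xFFFFFFFF  # the SOA serial is a 32-bit unsigned integer


def read_serial(zone_text):
    """Return the SOA serial found in zone_text."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def next_serial(old, today=None):
    """Return a serial strictly greater than old, using the YYYYMMDDnn convention.

    today is an 8-digit YYYYMMDD string (defaults to the current date). Same day:
    increment nn; new day: start at nn=01. If the date-based value would not be
    greater than old (a serial from the future, or one that is not date-based),
    fall back to old+1 so secondaries still see an increase."""
    today = today or date.today().strftime("%Y%m%d")
    date_based = int(today) * 100
    candidate = old + 1 if old // 100 == int(today) else date_based + 1
    if candidate <= old:
        candidate = old + 1
    if candidate > MAX_SERIAL:
        raise ValueError("serial would overflow 32 bits")
    return candidate


def bump_serial(zone_text, today=None):
    """Rewrite the SOA serial in zone_text; returns (new_text, old_serial, new_serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today)
    new_text = SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    return new_text, old, new


if __name__ == "__main__":
    text, old, new = bump_serial(SAMPLE_ZONE, "20140906")
    print(f"serial {old} -> {new}")
```

Run it over the real file (read, bump, write back) before `rndc reload`; the slave's "transferred serial" log line should then show the same number the master logs as "loaded serial".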
rndc: the DNS remote control tool
[root@salt-master ~]# rndc -h
Usage: rndc [-b address] [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze Suspend updates to all dynamic zones.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw Enable updates to all dynamic zones and reload them.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
notify zone [class [view]]
Resend NOTIFY messages for the zone.
reconfig Reload configuration file and new zones only.
sign zone [class [view]]
Update zone keys, and sign as needed.
loadkeys zone [class [view]]
Update keys without signing immediately.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
secroots [view ...]
Write security roots to the secroots file.
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
tsig-list List all currently active TSIG keys, including both statically
configured and TKEY-negotiated keys.
tsig-delete keyname [view]
Delete a TKEY-negotiated TSIG key.
validation newstate [view]
Enable / disable DNSSEC validation.
addzone ["file"] zone [class [view]] { zone-options }
Add zone to given view. Requires new-zone-file option.
delzone ["file"] zone [class [view]]
Removes zone from given view. Requires new-zone-file option.
*restart Restart the server.
* == not yet implemented
Version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
rndc-confgen #rndc configuration file generator
Run on its own with no arguments it appears to hang,
because rndc-confgen by default reads randomness from /dev/random and /dev/urandom to generate the key, trying /dev/random first.
#/dev/random: draws from the entropy pool; if the pool runs dry, the reading process blocks
#/dev/urandom: draws from the entropy pool; if the pool runs dry, it falls back to a software pseudo-random generator
Prefer /dev/urandom for generating the key, and save the output as the rndc configuration file:
[root@salt-master ~]# rndc-confgen -r/dev/urandom >/etc/rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "iAau/k8/9DFd73AhBmPVVA==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "iAau/k8/9DFd73AhBmPVVA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
:.,$-1w >> /etc/named.conf
Run this in vim with the cursor on the key line: it appends everything from that line to the second-to-last line into /etc/named.conf.
[root@salt-master ~]# rndc -c /etc/rndc.conf status
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not synchronized, or
* the key is invalid.
The status check fails.
Delete the default rndc.key,
then restart named and check again:
[root@salt-master ~]# rndc -c /etc/rndc.conf status
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
Manually send NOTIFY for the uplooking.com zone:
[root@salt-master ~]# rndc -c /etc/rndc.conf notify "uplooking.com"
zone notify queued
[root@salt-master ~]# !tai
tail -f /var/log/messages
Sep 7 00:27:06 salt-master named[2265]: error (insecurity proof failed) resolving './NS/IN': 114.114.114.114#53
Sep 7 00:27:06 salt-master named[2265]: validating @0x7fc4704677d0: . SOA: got insecure response; parent indicates it should be secure
Sep 7 00:27:06 salt-master named[2265]: error (no valid RRSIG) resolving 'salt-master/DS/IN': 114.114.114.114#53
Sep 7 00:27:07 salt-master named[2265]: validating @0x7fc470464b20: . DNSKEY: got insecure response; parent indicates it should be secure
Sep 7 00:27:07 salt-master named[2265]: error (insecurity proof failed) resolving './DNSKEY/IN': 114.114.114.114#53
Sep 7 00:27:07 salt-master named[2265]: error (network unreachable) resolving './DNSKEY/IN': 2001:500:1::53#53
Sep 7 00:27:07 salt-master named[2265]: error (network unreachable) resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Sep 7 00:27:07 salt-master named[2265]: error (insecurity proof failed) resolving 'salt-master/AAAA/IN': 114.114.114.114#53
Sep 7 00:28:03 salt-master named[2265]: received control channel command 'notify uplooking.com'
Sep 7 00:28:03 salt-master named[2265]: zone uplooking.com/IN: sending notifies (serial 2014090604
[root@salt-master ~]# rndc -c /etc/rndc.conf flush
[root@salt-master ~]# rndc -c /etc/rndc.conf stop
[root@salt-master ~]# /etc/init.d/named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but subsys locked
[root@salt-master ~]# /etc/init.d/named start
Starting named: [ OK ]
To control a remote DNS server,
edit named.conf on the remote server:
key "rndc-key" {
algorithm hmac-md5;
secret "iAau/k8/9DFd73AhBmPVVA==";
};
controls {
inet 192.168.1.200 port 953
allow { 192.168.1.201; } keys { "rndc-key"; };
};
Then upload the rndc.conf tested locally to the controlling host and change default-server to the remote address:
[root@salt-minion ~]# vim rndc.conf
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "iAau/k8/9DFd73AhBmPVVA==";
};
options {
default-key "rndc-key";
default-server 192.168.1.200;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "iAau/k8/9DFd73AhBmPVVA==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
[root@salt-minion ~]# rndc -c rndc.conf status
version: 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6
CPUs found: 1
worker threads: 1
number of zones: 21
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
DNS subdomain delegation:
www.uplooking.com
www.uplooking.com/fin
www.uplooking.com/market
(paths under one host) versus separate subdomains:
www.fin.uplooking.com
www.market.uplooking.com
Delegation record format: sub_zone_name IN NS NSSERVER_SUB_ZONE_NAME
uplooking.com. IN NS ns1.uplooking.com.
ns1.uplooking.com. IN A 192.168.1.200
fin.uplooking.com. IN NS ns1.fin.uplooking.com.
fin.uplooking.com. IN NS ns2.fin.uplooking.com.
ns1.fin.uplooking.com. IN A 192.168.100.100
ns2.fin.uplooking.com. IN A 192.168.100.101
market.uplooking.com. IN NS ns1.market.uplooking.com.
market.uplooking.com. IN NS ns2.market.uplooking.com.
ns1.market.uplooking.com. IN A 192.168.100.200
ns2.market.uplooking.com. IN A 192.168.100.201
Note: each subdomain only has one DNS server in this setup.
Live demonstration:
In the parent's uplooking.com.zone file:
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090606
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
uplooking.com. IN NS ns2.uplooking.com.
; IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.1.200
ns2 IN A 192.168.1.201
mail IN A 192.168.1.223
pop IN A 192.168.1.220
yys IN A 192.168.1.223
hello IN A 192.168.1.224
imap IN A 192.168.1.225
www IN A 192.168.1.220
www IN A 192.168.1.221
ftp IN CNAME www
;*.uplooking.com. IN A 192.168.1.220
* IN A 192.168.1.220
fin IN NS ns1.fin
ns1.fin IN A 192.168.100.100
market IN NS ns1.market
ns1.market IN A 192.168.100.200
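A delegation that the parent gets wrong is the classic cause of the NXDOMAIN/SERVFAIL seen in the next dig: the NS rdata must be a host name (never an address), and an in-bailiwick name server such as ns1.fin needs a glue A record in the parent zone, otherwise resolvers have nowhere to go. The checker below is an added example (not the tutorial's code and not a BIND tool); it parses a parent zone in the one-line `owner IN TYPE rdata` layout the tutorial uses, collects the delegations and flags both mistakes. The sample zone is constructed and deliberately contains an `IN NS <address>` line and an NS without glue so both checks fire.

```python
import ipaddress

ORIGIN = "uplooking.com."

# Constructed parent zone modelled on the tutorial's delegation lines. It repeats the
# "IN NS <ip address>" mistake on purpose so the checker has something to flag.
PARENT_ZONE = """\
$TTL 600
uplooking.com. IN SOA ns1.uplooking.com. admin.uplooking.com. (
2014090606
1H
5M
2D
6H
)
uplooking.com. IN NS ns1.uplooking.com.
ns1 IN A 192.168.1.200
www IN A 192.168.1.220
fin IN NS ns1.fin
fin IN NS ns2.fin
ns1.fin IN A 192.168.100.100
market IN NS ns1.market
ns1.market IN NS 192.168.100.200
"""


def fqdn(name, origin):
    """Qualify a relative owner or target name against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_records(zone_text, origin):
    """Return (owner, type, rdata) tuples; the multi-line SOA body is skipped."""
    records = []
    owner = origin
    in_parens = False
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if in_parens:                       # inside the SOA ( ... ) block
            in_parens = ")" not in line
            continue
        if line.startswith("$"):            # $TTL / $ORIGIN directives
            continue
        if "(" in line and ")" not in line:
            in_parens = True
        fields = line.split()
        # An owner is present unless the line is indented or starts with the class/TTL
        # (the tutorial's listings lost their indentation, so check the first token too).
        if raw[0] not in " \t" and fields[0].upper() != "IN" and not fields[0].isdigit():
            owner = fqdn(fields[0], origin)
            fields = fields[1:]
        if fields and fields[0].isdigit():  # optional TTL
            fields = fields[1:]
        if fields and fields[0].upper() == "IN":
            fields = fields[1:]
        if len(fields) < 2:
            continue
        records.append((owner, fields[0].upper(), " ".join(fields[1:])))
    return records


def check_delegations(zone_text, origin=ORIGIN):
    """Return ({subzone: [ns targets]}, [problem strings]) for the parent zone."""
    records = parse_records(zone_text, origin)
    glue = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    delegations, problems = {}, []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == origin:   # apex NS records are not delegations
            continue
        target = rdata.strip()
        try:
            ipaddress.ip_address(target.rstrip("."))
            problems.append(f"{owner} NS {target}: NS rdata must be a host name, "
                            "not an address (put the address in an A record)")
            continue
        except ValueError:
            pass
        target = fqdn(target, origin)
        delegations.setdefault(owner, []).append(target)
        if target.endswith("." + owner) and target not in glue:
            problems.append(f"{owner} NS {target}: in-bailiwick name server "
                            "has no glue A/AAAA record in the parent zone")
    return delegations, problems


if __name__ == "__main__":
    found, issues = check_delegations(PARENT_ZONE)
    print(found)
    print("\n".join(issues))
```

Running it on the sample reports the address-as-NS line, the missing glue for ns2.fin and the missing glue for ns1.market; after those are fixed, `named-checkzone` should still be run, since this helper only looks at delegation records.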
[root@salt-master ~]# dig -t -NS fin.uplooking.com @192.168.1.200
;; Warning, ignoring invalid type -NS
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -NS fin.uplooking.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41296
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;fin.uplooking.com. IN A
;; Query time: 57 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Wed Sep 7 00:54:24 2016
;; MSG SIZE rcvd: 35
The subdomain's name server must actually exist.
Installing the subdomain server is the same as a normal DNS install;
it needs the zone declared:
zone "fin.uplooking.com" IN {
type master;
file "fin.uplooking.com.zone";
};
fin.uplooking.com.zone:
$TTL 600
@ IN SOA ns1.fin.uplooking.com. admin.uplooking.com. (
2014090601
1H
5M
2D
6H
)
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.100.100
mail IN A 192.168.1.223
pop IN A 192.168.1.220
Now the dig command above resolves normally.
Note: forwarding needs to be configured on the subdomain server.
forward { only | first }   only: forward everything and never resolve on its own; first: try the forwarders first, and if they fail, query the root servers itself
forward first;
forwarders { 192.168.1.200; };
Forwarding can also be configured per zone:
zone "uplooking.com" IN {
type forward;
forward first;
forwarders { 192.168.1.200; };
};
This forwards only uplooking.com.
DNS views (acl)
acl acl_name {
172.16.0.0/16;
127.0.0.0/8;
};
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
allow-query { innet; };
Built-in ACL names: none; any;
Resolving
www.uplooking.com
is split into two classes: Telecom clients get the Telecom address,
Unicom clients get the Unicom address.
Telecom addresses: 192.168.1.0/24
Unicom addresses: 192.168.128.0/24
view View_name {
};
Once a view is defined, every zone must be defined inside a view.
The root hint zone only needs to be defined in views that perform recursion.
Hands-on:
1. Comment out named.rfc1912.zones
#include "/etc/named.rfc1912.zones";
2. Create the ACLs
acl telecom {
192.168.1.200;
192.168.1.201;
127.0.0.0/8;
};
acl unicom {
192.168.128.128;
};
3. Create the views
view telecom {
match-clients { telecom; };
recursion yes;
zone "uplooking.com" IN {
type master;
file "telecom.uplooking.com.zone";
};
zone "." IN {
type hint;
file "named.ca";
};
};
view unicom {
match-clients { any; };
recursion no;
zone "uplooking.com" IN {
type master;
file "unicom.uplooking.com.zone";
};
};
4. Edit the zone files (the SOA mailbox needs its trailing dot; without it the origin is appended to the name)
[root@salt-master named]# vim telecom.uplooking.com.zone
$TTL 43200
@ IN SOA ns1.uplooking.com. admin.uplooking.com. (
2016091101
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.1.200
mail IN A 192.168.1.2
www IN A 192.168.1.3
[root@salt-master named]# vim unicom.uplooking.com.zone
$TTL 43200
@ IN SOA ns1.uplooking.com. admin.uplooking.com. (
2016091101
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail
ns1 IN A 192.168.1.200
mail IN A 192.168.128.2
www IN A 192.168.128.3
Remember: group named and mode 640 on the zone files.
Restart the service.
Verification:
[root@slat-proxy ~]# ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0C:29:C1:37:79
inet addr:192.168.128.128 Bcast:192.168.128.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fec1:3779/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:9329 errors:0 dropped:0 overruns:0 frame:0
TX packets:4842 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:8788838 (8.3 MiB) TX bytes:365517 (356.9 KiB)
[root@slat-proxy ~]# dig -t -A www.uplooking.com @192.168.1.200
;; Warning, ignoring invalid type -A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -A www.uplooking.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.uplooking.com. IN A
;; ANSWER SECTION:
www.uplooking.com. 43200 IN A 192.168.128.2
;; AUTHORITY SECTION:
uplooking.com. 43200 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 43200 IN A 192.168.1.200
;; Query time: 3 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 11 13:42:42 2016
;; MSG SIZE rcvd: 86
[root@salt-minion ~]# ifconfig eth1
eth1 Link encap:Ethernet HWaddr 00:0C:29:38:1E:F7
inet addr:192.168.1.201 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe38:1ef7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4731 errors:0 dropped:0 overruns:0 frame:0
TX packets:2074 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:508190 (496.2 KiB) TX bytes:458643 (447.8 KiB)
[root@salt-minion ~]# dig -t -A www.uplooking.com @192.168.1.200
;; Warning, ignoring invalid type -A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -A www.uplooking.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57280
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.uplooking.com. IN A
;; ANSWER SECTION:
www.uplooking.com. 43200 IN A 192.168.1.3
;; AUTHORITY SECTION:
uplooking.com. 43200 IN NS ns1.uplooking.com.
;; ADDITIONAL SECTION:
ns1.uplooking.com. 43200 IN A 192.168.1.200
;; Query time: 2 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 11 12:37:47 2016
;; MSG SIZE rcvd: 85
[root@salt-minion ~]# dig -t -A www.163.com @192.168.1.200
;; Warning, ignoring invalid type -A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -A www.163.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32728
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 13, ADDITIONAL: 1
;; QUESTION SECTION:
;www.163.com. IN A
;; ANSWER SECTION:
www.163.com. 258 IN CNAME www.163.com.cloudcdn.net.
www.163.com.cloudcdn.net. 3253 IN CNAME www.163.com.cloudglb.com.
www.163.com.cloudglb.com. 2395 IN CNAME c01.i05.cmbsh.lv3.cloudglb.com.
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 183.213.22.33
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 223.94.95.114
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 223.94.95.135
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 223.94.95.119
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 223.94.95.136
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 183.213.22.36
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 183.213.22.34
c01.i05.cmbsh.lv3.cloudglb.com. 30 IN A 183.213.22.35
;; AUTHORITY SECTION:
com. 172794 IN NS a.gtld-servers.net.
com. 172794 IN NS b.gtld-servers.net.
com. 172794 IN NS e.gtld-servers.net.
com. 172794 IN NS d.gtld-servers.net.
com. 172794 IN NS m.gtld-servers.net.
com. 172794 IN NS c.gtld-servers.net.
com. 172794 IN NS i.gtld-servers.net.
com. 172794 IN NS g.gtld-servers.net.
com. 172794 IN NS l.gtld-servers.net.
com. 172794 IN NS h.gtld-servers.net.
com. 172794 IN NS j.gtld-servers.net.
com. 172794 IN NS f.gtld-servers.net.
com. 172794 IN NS k.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172794 IN A 192.5.6.30
;; Query time: 3296 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 11 12:42:01 2016
;; MSG SIZE rcvd: 499
[root@slat-proxy ~]# dig -t -A www.163.com @192.168.1.200
;; Warning, ignoring invalid type -A
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6 <<>> -t -A www.163.com @192.168.1.200
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41976
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.163.com. IN A
;; Query time: 2 msec
;; SERVER: 192.168.1.200#53(192.168.1.200)
;; WHEN: Sun Sep 11 13:47:37 2016
;; MSG SIZE rcvd: 29
The output above shows different client addresses resolving to different servers, and the per-view recursion setting taking effect as well.
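The four dig results above follow from two rules: named tries the views in the order they appear in named.conf and the first `match-clients` hit wins, and within that view a query is answered from the most specific zone, by recursion if the view allows it, or otherwise REFUSED. The model below is an added example (not the tutorial's code, and not how BIND is implemented internally) that transcribes the tutorial's ACLs and views into Python data and reproduces those decisions, so the expected outcome of a new ACL or view ordering can be checked before touching the server. The ACL and view definitions are copied from the named.conf above; the query outcomes are this model's own.

```python
import ipaddress

# ACLs and views transcribed from the tutorial's named.conf (constructed data; named is not consulted).
ACLS = {
    "telecom": ["192.168.1.200", "192.168.1.201", "127.0.0.0/8"],
    "unicom": ["192.168.128.128"],
    "any": ["0.0.0.0/0", "::/0"],   # BIND's built-in ACLs
    "none": [],
}

# named evaluates views in the order they appear in named.conf: the first view whose
# match-clients list matches the client answers, and later views are never consulted.
VIEWS = [
    {"name": "telecom", "match_clients": ["telecom"], "recursion": True,
     "zones": {"uplooking.com": "telecom.uplooking.com.zone", ".": "named.ca"}},
    {"name": "unicom", "match_clients": ["any"], "recursion": False,
     "zones": {"uplooking.com": "unicom.uplooking.com.zone"}},
]


def acl_matches(client_ip, element, acls):
    """True if client_ip matches one ACL element (a CIDR/address or a nested ACL name)."""
    ip = ipaddress.ip_address(client_ip)
    if element in acls:
        return any(acl_matches(client_ip, e, acls) for e in acls[element])
    net = ipaddress.ip_network(element, strict=False)
    return ip.version == net.version and ip in net


def select_view(client_ip, views=VIEWS, acls=ACLS):
    """Return the first view whose match-clients matches, or None (query is refused)."""
    for view in views:
        if any(acl_matches(client_ip, e, acls) for e in view["match_clients"]):
            return view
    return None


def answer(client_ip, qname, views=VIEWS, acls=ACLS):
    """Model how named treats a query: serving view and zone file, recursion, or REFUSED."""
    view = select_view(client_ip, views, acls)
    if view is None:
        return {"view": None, "status": "REFUSED"}
    name = qname.rstrip(".").lower()
    # Longest-suffix match picks the most specific authoritative zone in this view.
    zones = [z for z in view["zones"] if z != "." and (name == z or name.endswith("." + z))]
    if zones:
        best = max(zones, key=len)
        return {"view": view["name"], "status": "NOERROR", "source": view["zones"][best]}
    if view["recursion"] and "." in view["zones"]:
        return {"view": view["name"], "status": "NOERROR",
                "source": "recursion via " + view["zones"]["."]}
    return {"view": view["name"], "status": "REFUSED"}


if __name__ == "__main__":
    for client, qname in [("192.168.128.128", "www.uplooking.com"),
                          ("192.168.1.201", "www.uplooking.com"),
                          ("192.168.1.201", "www.163.com"),
                          ("192.168.128.128", "www.163.com")]:
        print(client, qname, answer(client, qname))
```

One thing the model makes obvious: because the unicom view matches `any`, every client that is not in the telecom ACL lands there, which is why the query log later in the tutorial shows 192.168.1.103 answered from view unicom even though it is not a Unicom address.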
DNS logging:
In production, enabling logging is not recommended.
channel:
where log records are written
syslog
file
category:
which log source is being recorded
queries
zone transfers
logging {
channel file {
file "log,msg" versions 3 size 10k;
severity dynamic;
};
channel syslog {
syslog local0;
severity info;
};
category xfer-in { file; };
category update { syslog; };
};
Generally do not enable the query and security logs;
the update-related categories can be enabled.
Hands-on:
[root@salt-master ~]# vim /etc/named.conf
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
channel query_log {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
print-category yes;
print-time yes;
print-severity yes;
};
channel xfer_log {
file "/var/log/named/transfer_query.log" versions 5 size 10M;
severity debug 3;
print-time yes;
};
category queries { query_log; };
category xfer-out { xfer_log; };
};
[root@salt-master named]# tail -f transfer_query.log
11-Sep-2016 13:22:32.839 client 192.168.1.201#52681: view telecom: bad zone transfer request: 'www.uplooking.com/IN': non-authoritative zone (NOTAUTH)
11-Sep-2016 13:22:32.840 client 192.168.1.201#52681: view telecom: zone transfer setup failed
11-Sep-2016 13:22:43.425 client 192.168.1.201#57020: view telecom: transfer of 'uplooking.com/IN': AXFR started
11-Sep-2016 13:22:43.425 client 192.168.1.201#57020: view telecom: transfer of 'uplooking.com/IN': AXFR ended
^C
[root@salt-master named]# tail -f bind_query.log
11-Sep-2016 13:18:11.256 queries: info: client 192.168.1.103#49776: view unicom: query: mail.uplooking.com IN A + (192.168.1.200)
11-Sep-2016 13:18:56.650 queries: info: client 192.168.1.201#44372: view telecom: query: www.uplooking.com IN A + (192.168.1.200)
11-Sep-2016 13:19:16.481 queries: info: client 192.168.1.103#50973: view unicom: query: mail.uplooking.com IN A + (192.168.1.200)
11-Sep-2016 13:22:10.353 queries: info: client 192.168.1.201#51069: view telecom: query: www.uplooking.com IN A + (192.168.1.200)
11-Sep-2016 13:22:32.839 queries: info: client 192.168.1.201#52681: view telecom: query: www.uplooking.com IN AXFR -T (192.168.1.200)
11-Sep-2016 13:22:43.425 queries: info: client 192.168.1.201#57020: view telecom: query: uplooking.com IN AXFR -T (192.168.1.200)
DNS server performance testing:
queryperf: load testing
Download the bind source package:
[root@salt-master bind-9.10.4-P2]# cd contrib/
[root@salt-master contrib]#
[root@salt-master contrib]# ll
total 48
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 dane
drwxrwxr-x. 6 10132 wheel 4096 Sep 11 13:32 dlz
drwxrwxr-x. 4 10132 wheel 4096 Sep 11 13:32 dnsperf-2.1.0.0-1
drwxrwxr-x. 3 10132 wheel 4096 Sep 11 13:32 idn
drwxrwxr-x. 3 10132 wheel 4096 Sep 11 13:32 nslint-3.0a2
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 perftcpdns
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 query-loc-0.4.0
drwxrwxr-x. 5 10132 wheel 4096 Sep 11 13:32 queryperf
-rw-rw-r--. 1 10132 wheel 1858 Jul 14 07:58 README
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 scripts
drwxrwxr-x. 9 10132 wheel 4096 Sep 11 13:32 sdb
drwxrwxr-x. 5 10132 wheel 4096 Jul 14 08:49 zkt-1.1.3
[root@salt-master contrib]# cd queryperf/
[root@salt-master queryperf]# ll
total 204
-rw-rw-r--. 1 10132 wheel 1041 Jul 14 07:58 config.h.in
-rwxrwxr-x. 1 10132 wheel 122615 Jul 14 07:58 configure
-rw-rw-r--. 1 10132 wheel 2184 Jul 14 07:58 configure.in
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 input
-rw-rw-r--. 1 10132 wheel 603 Jul 14 07:58 Makefile.in
drwxrwxr-x. 2 10132 wheel 4096 Sep 11 13:32 missing
-rw-rw-r--. 1 10132 wheel 53908 Jul 14 07:58 queryperf.c
-rw-rw-r--. 1 10132 wheel 2977 Jul 14 07:58 README
drwxrwxr-x. 2 10132 wheel 4096 Jul 14 07:58 utils
[root@salt-master queryperf]# ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for library containing res_mkquery... no
checking for library containing __res_mkquery... -lresolv
checking for library containing res_9_mkquery... no
checking for socket in -lsocket... no
checking for inet_ntoa in -lnsl... yes
checking for gethostbyname2... yes
checking for getaddrinfo... yes
checking for getnameinfo... yes
checking for socklen_t... yes
checking for sa_len... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root@salt-master queryperf]# make
gcc -DHAVE_CONFIG_H -c queryperf.c
gcc -DHAVE_CONFIG_H queryperf.o -lnsl -lresolv -lm -o queryperf
[root@salt-master queryperf]# cp queryperf /bin/
[root@salt-master queryperf]# cd
[root@salt-master ~]# queryperf -h
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]
[-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
[-i interval] [-r arraysize] [-u unit] [-H histfile]
[-T qps] [-e] [-D] [-R] [-c] [-v] [-h]
-d specifies the input data file (default: stdin)
-s sets the server to query (default: 127.0.0.1)
-p sets the port on which to query the server (default: 53)
-q specifies the maximum number of queries outstanding (default: 20)
-t specifies the timeout for query completion in seconds (default: 5)
-n causes configuration changes to be ignored
-l specifies how a limit for how long to run tests in seconds (no default)
-1 run through input only once (default: multiple iff limit given)
-b set input/output buffer size in kilobytes (default: 32 k)
-i specifies interval of intermediate outputs in seconds (default: 0=none)
-f specify address family of DNS transport, inet or inet6 (default: any)
-r set RTT statistics array size (default: 50000)
-u set RTT statistics time unit in usec (default: 100)
-H specifies RTT histogram data file (default: none)
-T specify the target qps (default: 0=unspecified)
-e enable EDNS 0
-D set the DNSSEC OK bit (implies EDNS)
-R disable recursion
-c print the number of packets with each rcode
-v verbose: report the RCODE of each response on stdout
-h print this usage
That installs the queryperf tool. Its input file is one query per line, "name type":
[root@salt-master ~]# vim uplooking.com
www.uplooking.com A
uplooking.com NS
uplooking.com MX
[root@salt-master ~]# queryperf -d uplooking.com -s 192.168.1.200
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.200)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 3 queries
Queries completed: 3 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.000697 sec
RTT min: 0.000016 sec
RTT average: 0.000439 sec
RTT std deviation: 0.000283 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Sep 11 13:37:47 2016
Finished at: Sun Sep 11 13:37:47 2016
Ran for: 0.000721 seconds
Queries per second: 4160.887656 qps
Duplicate the records in uplooking.com several times over and run again:
[root@salt-master ~]# queryperf -d uplooking.com -s 192.168.1.200
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.200)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 9240 queries
Queries completed: 9240 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.004667 sec
RTT min: 0.000021 sec
RTT average: 0.001028 sec
RTT std deviation: 0.000256 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Sep 11 13:40:56 2016
Finished at: Sun Sep 11 13:40:56 2016
Ran for: 0.479259 seconds
Queries per second: 19279.763134 qps
uplooking.com now holds roughly 140,000 lines of records.
Test from the server itself:
[root@salt-master ~]# queryperf -d uplooking.com -s 192.168.1.200
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.200)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 147840 queries
Queries completed: 147840 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.005063 sec
RTT min: 0.000070 sec
RTT average: 0.001081 sec
RTT std deviation: 0.000198 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Sep 11 13:42:42 2016
Finished at: Sun Sep 11 13:42:50 2016
Ran for: 8.026720 seconds
Queries per second: 18418.482269 qps
Test from a client:
[root@salt-minion ~]# queryperf -d uplooking.com -s 192.168.1.200
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007/09/05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.200)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 147840 queries
Queries completed: 147840 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.020516 sec
RTT min: 0.000139 sec
RTT average: 0.001235 sec
RTT std deviation: 0.000398 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sun Sep 11 13:44:04 2016
Finished at: Sun Sep 11 13:44:13 2016
Ran for: 9.351866 seconds
Queries per second: 15808.609747 qps
There is still a gap of about 4000 per second between the two, so tests need to account for network bandwidth, server hardware performance and so on.
dnstop:
yum install libcap-devel libpcap-devel
then the usual three-step source install (configure, make, make install)
[root@salt-master ~]# dnstop -h
dnstop: invalid option -- 'h'
usage: dnstop [opts] netdevice|savefile
-4 Count IPv4 packets
-6 Count IPv6 packets
-Q Count queries
-R Count responses
-a Anonymize IP Addrs
-b expr BPF program code
-i addr Ignore this source IP address
-n name Count only messages in this domain
-p Don't put interface in promiscuous mode
-P Print "progress" messages in non-interactive mode
-r Redraw interval, in seconds
-l N Enable domain stats up to N components
-X Don't tabulate the "source + query name" stats
-f filter-name
Available filters:
unknown-tlds
A-for-A
rfc1918-ptr
refused
qtype-any
[root@salt-master ~]# dnstop -4 -R -Q eth0
Queries: 0 new, 147774 total Sun Sep 11 13:59:11 2016
Replies: 0 new, 147772 total
Query Name Count % cum%
------------- --------- ------ ------
uplooking.com 147771 100.0 100.0
salt-minion 1 0.0 100.0
qq.com 1 0.0 100.0
salt-master 1 0.0 100.0