Implementing DNS forwarding:
How it works:
Principle: both Shanghai and Chongqing need to reach www.magedu.com. Each site first asks its local caching DNS server; if the answer is already cached there, the client connects right away. If it is not, rather than having every site recurse from the root on its own, the Beijing server is set up as a forwarding DNS server (the forwarder both sites are expected to use) that holds the answers fetched from the root. Shanghai and Chongqing simply point at Beijing for the answer, which saves WAN bandwidth and speeds up access.
Environment:
Primary DNS server: 192.168.34.101
Forwarding DNS server: 192.168.34.102
Client: 192.168.34.103
forward first: the client sends a query; when the local DNS server cannot resolve it, the query is first forwarded to the designated DNS server. If that server cannot resolve it either, the local DNS server goes to the root servers itself.
forward only: the client's query goes to server A; A forwards it to server B, and B returns the final result. If B has no answer, A does not go on to ask the root.
1. Configure the forwarding DNS server
Create the forwarding DNS server: edit /etc/named.rfc1912.zones and add a wang.com zone
[root@centos7-1 ~]# vim /etc/named.rfc1912.zones
zone "wang.com" {
        type master;
        file "wang.com.zone";
};
Create the wang.com.zone file in /var/named/ (the file name must match the "file" statement in the zone stanza above):
# vim /var/named/wang.com.zone
$TTL 1D
@       IN SOA  dns1 admin ( 1 1H 1M 1D 3H )
        NS      dns1
dns1    A       192.168.34.102
www     A       6.6.6.6
Note: change the group of wang.com.zone to named and its permissions to 640, the same as the other zone files in the directory.
[root@centos7-1 named]# ll
total 32
-rw-r--r-- 1 root  root   230 Nov  6 22:53 192.168.34.zone
-rw-r----- 1 root  named  296 Nov  7 15:35 baidu.com.zone
drwxrwx--- 2 named named   23 Oct 31  2018 data
drwxrwx--- 2 named named   31 Nov  7 16:21 dynamic
-rw-r----- 1 root  named 2281 May 22  2017 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
-rw-r----- 1 root  named  198 Nov  7 15:59 shenzhen.baidu.com.zone
drwxrwx--- 2 named named    6 Oct 31  2018 slaves
-rw-r--r-- 1 root  root    94 Nov  7 20:33 wang.com.zone
[root@centos7-1 named]# chgrp named wang.com.zone
[root@centos7-1 named]# chmod 640 wang.com.zone
配置完之后重新加載DNS服務:
dndc reload
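As an added example (not part of the original tutorial), a small Python audit of what step 1 asks for: the zone file must be readable by the named group, must not be world-readable or group-writable, and must contain the SOA and NS records named needs to load it. SAMPLE_ZONE is a constructed copy of the wang.com zone above; demo() writes it to a temporary directory once as vim leaves it (0644) and once fixed (0640) and, because it cannot chgrp to named on an arbitrary machine, accepts the file's own group as the expected one.

```python
import grp
import os
import stat
import tempfile

EXPECTED_GROUP = "named"

# Constructed copy of the tutorial's wang.com zone, used as sample input.
SAMPLE_ZONE = """$TTL 1D
@       IN SOA  dns1 admin ( 1 1H 1M 1D 3H )
        NS      dns1
dns1    A       192.168.34.102
www     A       6.6.6.6
"""


def _group_name(gid):
    """Resolve a gid to its name; fall back to the number on boxes without an /etc/group entry."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def audit_zone_file(path, expected_group=EXPECTED_GROUP):
    """Return a list of findings for a zone file; an empty list means it passes.

    The target is mode 640 root:named: root edits the file, named only reads it,
    and other local users see nothing."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")      # any local user can read the zone data
    if mode & stat.S_IWOTH:
        findings.append("world-writable")      # any local user could rewrite records
    if mode & stat.S_IWGRP:
        findings.append("group-writable")      # a compromised named could rewrite records
    if not mode & stat.S_IRGRP:
        findings.append("group-unreadable")    # named cannot load the zone at all
    group = _group_name(st.st_gid)
    if group != expected_group:
        findings.append(f"group {group!r} != {expected_group!r}")
    with open(path) as fh:
        tokens = {tok for line in fh for tok in line.split()}
    if "SOA" not in tokens:
        findings.append("no SOA record")
    if "NS" not in tokens:
        findings.append("no NS record")
    return findings


def demo():
    """Write the sample zone as vim leaves it (0644) and as fixed (0640), and audit both."""
    tmpdir = tempfile.mkdtemp(prefix="zone-audit-")
    results = {}
    for label, mode in (("fresh", 0o644), ("fixed", 0o640)):
        path = os.path.join(tmpdir, f"wang.com.zone.{label}")
        with open(path, "w") as fh:
            fh.write(SAMPLE_ZONE)
        os.chmod(path, mode)
        # We cannot chgrp to 'named' on an arbitrary machine, so the file's own
        # group stands in for 'named' in this demo (assumption, not the real check).
        own_group = _group_name(os.stat(path).st_gid)
        results[label] = audit_zone_file(path, expected_group=own_group)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {'OK' if not findings else ', '.join(findings)}")
```

On a real server call audit_zone_file("/var/named/wang.com.zone") with the default expected group; the "fresh" case above reproduces the root:root 644 file the ll listing shows before chgrp and chmod are run.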
2. Configure the primary DNS server
On primary server A, edit the configuration file /etc/named.conf:
[root@ansible ~]# vim /etc/named.conf
options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { any; };
        allow-transfer  { 192.168.34.103; };   # IP of the secondary DNS server for zone transfers; we are configuring forwarding here, so ignore this option for now
        forward only;                          # forward to the server listed in forwarders and nowhere else
        forwarders      { 192.168.34.102; };   # IP address of the forwarding DNS server
        dnssec-enable no;                      # turn off these two options
        dnssec-validation no;                  # turn off this option
};
配置完之后重新加載DNS服務:
rndc reload 重新加載DNS服務
3. Verify the forwarding on the client:
[root@centos6 ~]# dig www.wang.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wang.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41040
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.wang.com.                  IN      A

;; ANSWER SECTION:
www.wang.com.           86063   IN      A       6.6.6.6

;; AUTHORITY SECTION:
wang.com.               86063   IN      NS      dns1.wang.com.

;; ADDITIONAL SECTION:
dns1.wang.com.          86063   IN      A       192.168.34.102

;; Query time: 2 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 20:54:11 2019
;; MSG SIZE  rcvd: 81
Now query a name that is not configured anywhere. The client sends the query, server A has no data for it and forwards it to server B (IP address 103); if B has network access, it fetches the answer from the Internet:
[root@centos6 ~]# dig www.wange.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wange.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28947
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.wange.com.                 IN      A

;; ANSWER SECTION:
www.wange.com.          7200    IN      A       93.90.145.101   # the answer host 103 fetched from the Internet

;; Query time: 2356 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 21:36:54 2019
;; MSG SIZE  rcvd: 47
Second forwarding mode:
forward first: when the client queries server A and A does not know the answer, it forwards to B; if B does not know either, A goes to the root itself and returns the result:
(1) On server A, edit the configuration file /etc/named.conf so that queries are forwarded to server B (IP address 103)
[root@ansible ~]# vim /etc/named.conf
options {
//      listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
//      allow-query     { any; };
        allow-transfer  { 192.168.34.103; };   # allow the forwarding DNS server access
        forward first;                         # changed to the first option
        forwarders      { 192.168.34.103; };
};
Reload the DNS service on server A:
# rndc reload
(2) Disconnect server B from the network so that B can no longer reach the Internet.
(3) From the client, query a name that is not yet known. Host A does not know it, so it first forwards to server B; B cannot resolve it, so A goes to the Internet itself for the answer:
[root@centos6 ~]# dig www.wange.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wange.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52394
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 10

;; QUESTION SECTION:
;www.wange.com.                 IN      A

;; ANSWER SECTION:
www.wange.com.          7200    IN      A       93.90.145.101   # the result of the lookup at this point

;; AUTHORITY SECTION:
wange.com.              172755  IN      NS      ns01.crystone.se.
wange.com.              172755  IN      NS      ns05.crystone.se.
wange.com.              172755  IN      NS      ns03.crystone.se.
wange.com.              172755  IN      NS      ns04.crystone.se.
wange.com.              172755  IN      NS      ns02.crystone.se.

;; ADDITIONAL SECTION:
ns01.crystone.se.       884     IN      A       194.58.193.60
ns01.crystone.se.       884     IN      AAAA    2a01:3f1:460::53
ns02.crystone.se.       86382   IN      A       185.42.137.108
ns02.crystone.se.       884     IN      AAAA    2a01:3f0:400::60
ns03.crystone.se.       884     IN      A       194.58.193.124
ns03.crystone.se.       86382   IN      AAAA    2a01:3f1:460:1::53
ns04.crystone.se.       884     IN      A       185.42.137.126
ns04.crystone.se.       884     IN      AAAA    2a01:3f0:400::190
ns05.crystone.se.       884     IN      A       93.90.145.25
ns05.crystone.se.       884     IN      AAAA    2a06:1003:1:1::5d5a:9119

;; Query time: 2247 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov  7 21:50:10 2019
;; MSG SIZE  rcvd: 373
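The two modes the tutorial demonstrates (forward only in part 2, forward first here), modelled in Python as an added example that is not part of the tutorial and not BIND's own code. Each Server mirrors the named.conf forward and forwarders options, ROOT_DATA is a constructed stand-in for what a full recursion from the root would find, and lab() builds the page's topology of primary A forwarding to B, which is authoritative for wang.com. Running it reproduces the three dig results above and shows the one situation where the modes differ: when the forwarder cannot produce an answer (here because it has no Internet access), forward first recurses itself while forward only returns SERVFAIL. It also shows a detail the page does not spell out: a clean NXDOMAIN from the forwarder is a real answer, so forward first does not fall back to recursion for it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in for the public DNS tree: what a full recursion from the
# root would find. The address is the one the tutorial's dig output shows.
ROOT_DATA = {"www.wange.com": "93.90.145.101"}


@dataclass
class Server:
    name: str
    zones: dict = field(default_factory=dict)       # authoritative data, name -> address
    forward: Optional[str] = None                    # None, "first" or "only" (named.conf 'forward')
    forwarders: list = field(default_factory=list)  # Server objects (named.conf 'forwarders')
    internet: bool = True                            # can this server reach the root servers?
    cache: dict = field(default_factory=dict)


def recurse(server, qname, trace):
    """Full recursion from the root, as a non-forwarding resolver does."""
    if not server.internet:
        trace.append(f"{server.name}: recursion failed (no internet) -> SERVFAIL")
        return "SERVFAIL", None
    trace.append(f"{server.name}: recursed from the root")
    if qname in ROOT_DATA:
        return "NOERROR", ROOT_DATA[qname]
    return "NXDOMAIN", None


def resolve(server, qname, trace=None):
    """Answer qname in named's order: own zones, cache, forwarders, then recursion.

    Returns (status, address, trace). Only positive answers are cached; negative
    caching is left out to keep the model short."""
    if trace is None:
        trace = []
    if qname in server.zones:
        trace.append(f"{server.name}: answered from its own zone")
        return "NOERROR", server.zones[qname], trace
    if qname in server.cache:
        trace.append(f"{server.name}: answered from cache")
        return "NOERROR", server.cache[qname], trace
    if server.forward:
        for fwd in server.forwarders:
            trace.append(f"{server.name}: forwarded to {fwd.name}")
            status, addr, _ = resolve(fwd, qname, trace)
            if status != "SERVFAIL":
                # A usable reply (NOERROR or NXDOMAIN) ends the lookup in both modes;
                # only a forwarder that fails to answer distinguishes 'first' from 'only'.
                if addr is not None:
                    server.cache[qname] = addr
                return status, addr, trace
        if server.forward == "only":
            trace.append(f"{server.name}: forwarders failed, 'forward only' -> SERVFAIL")
            return "SERVFAIL", None, trace
        trace.append(f"{server.name}: forwarders failed, 'forward first' -> recursing itself")
    status, addr = recurse(server, qname, trace)
    if addr is not None:
        server.cache[qname] = addr
    return status, addr, trace


def lab(mode, forwarder_has_internet=True):
    """The tutorial's topology: primary A forwards to B, which is authoritative for wang.com."""
    b = Server("B (forwarder)", zones={"www.wang.com": "6.6.6.6"},
               internet=forwarder_has_internet)
    a = Server("A (primary)", forward=mode, forwarders=[b])
    return a, b


if __name__ == "__main__":
    for mode, net in (("only", True), ("only", False), ("first", False)):
        a, _ = lab(mode, net)
        status, addr, trace = resolve(a, "www.wange.com")
        print(f"forward {mode}, B internet={net}: {status} {addr}")
        for step in trace:
            print("    " + step)
```

The third run is step (2) and (3) above: B is cut off, A is on forward first, and the answer comes from A's own recursion, which is why that dig output carries the wange.com NS records in the AUTHORITY section while the forwarded answer in part 2 carried none. With forward only the same outage turns into SERVFAIL for every client behind A, which is the availability trade-off to weigh when choosing the mode.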