DNS part 4: Implementing DNS forwarding
Implementing DNS service forwarding:
How it works:
Principle: Shanghai and Chongqing both need to reach www.magedu.com. Each client first asks its local caching DNS server; if the answer is cached there, the client can proceed. If it is not, rather than having every site walk the root hierarchy itself, the cache is kept on a server in Beijing, which acts as the forwarding DNS server (the intended forwarder). Shanghai and Chongqing point directly at Beijing for their answers, which saves WAN bandwidth and speeds up lookups.
Environment:
Primary DNS server: 192.168.34.101
Forwarding DNS server: 192.168.34.102
Client address: 192.168.34.103
forward first: the client sends a request; if the local DNS server cannot resolve it, the query is first forwarded to the designated DNS server. If that server cannot resolve it either, the local DNS server goes to the root servers itself.
forward only: the client queries server A; A forwards to server B, and B returns the final result. If B does not have the answer, A will not query the root.
1. Configure the forwarding DNS server
Create a forwarding DNS server: edit /etc/named.rfc1912.zones and add a wang.com zone
[root@centos7-1 ~]# vim /etc/named.rfc1912.zones
zone "wang.com" {
    type master;
    file "wang.com.zone";
};
Create the wang.com.zone file in /var/named/ (the file name must match the file directive of the zone above):
# vim /var/named/wang.com.zone
$TTL 1D
@ IN SOA dns1 admin ( 1 1H 1M 1D 3H )
NS dns1
dns1 A 192.168.34.102
www A 6.6.6.6
Note: change the group owner of wang.com.zone to named and its permissions to 640
[root@centos7-1 named]# ll
total 32
-rw-r--r-- 1 root root 230 Nov 6 22:53 192.168.34.zone
-rw-r----- 1 root named 296 Nov 7 15:35 baidu.com.zone
drwxrwx--- 2 named named 23 Oct 31 2018 data
drwxrwx--- 2 named named 31 Nov 7 16:21 dynamic
-rw-r----- 1 root named 2281 May 22 2017 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
-rw-r----- 1 root named 198 Nov 7 15:59 shenzhen.baidu.com.zone
drwxrwx--- 2 named named 6 Oct 31 2018 slaves
-rw-r--r-- 1 root root 94 Nov 7 20:33 wang.com.zone
[root@centos7-1 named]# chgrp named wang.com.zone
[root@centos7-1 named]# chmod 640 wang.com.zone
After configuring, reload the DNS service:
rndc reload
2. Configure the primary DNS server
On primary server A, edit the corresponding configuration file, /etc/named.conf
[root@ansible ~]# vim /etc/named.conf
options {
    // listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    // allow-query { any; };
    allow-transfer { 192.168.34.103; }; # IP of the secondary DNS server for master/slave replication; not part of forwarding, ignore it for now
    forward only ; # forward-only mode: unresolved queries go exclusively to the forwarders listed below, never to the roots
    forwarders {192.168.34.102;}; # IP address of the DNS server to forward to
    dnssec-enable no; # turn off both DNSSEC options
    dnssec-validation no; # with validation off, answers from the forwarder are accepted unvalidated
    // ... remaining options unchanged
};
After configuring, reload the DNS service:
rndc reload
3. Verify the forwarding on the client:
[root@centos6 ~]# dig www.wang.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wang.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41040
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.wang.com. IN A
;; ANSWER SECTION:
www.wang.com. 86063 IN A 6.6.6.6
;; AUTHORITY SECTION:
wang.com. 86063 IN NS dns1.wang.com.
;; ADDITIONAL SECTION:
dns1.wang.com. 86063 IN A 192.168.34.102
;; Query time: 2 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov 7 20:54:11 2019
;; MSG SIZE rcvd: 81
Now query a name that is not configured in any local zone. The client sends the request; server A does not have it and forwards it to server B, the machine with IP address 103. If B has Internet access, it looks up the answer online:
[root@centos6 ~]# dig www.wange.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wange.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28947
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.wange.com. IN A
;; ANSWER SECTION:
www.wange.com. 7200 IN A 93.90.145.101 # answer that the server with IP 103 obtained from the Internet
;; Query time: 2356 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov 7 21:36:54 2019
;; MSG SIZE rcvd: 47
Second forwarding mode:
forward first: when the client queries server A and A does not know the answer, A forwards the query to B; if B does not know either, A queries the root itself and returns the result:
(1) On server A, edit /etc/named.conf to forward queries to server B (IP address 103)
[root@ansible ~]# vim /etc/named.conf
options {
    // listen-on port 53 { localhost; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    // allow-query { any; };
    allow-transfer { 192.168.34.103; }; # allow the forwarding DNS server access
    forward first ; # changed to the first option
    forwarders {192.168.34.103;};
    // ... remaining options unchanged
};
Reload the DNS service on server A:
# rndc reload
(2) Disconnect server B from the network, so that B cannot reach the Internet.
(3) From the client, query a name that is currently unknown. If host A does not know it, it first forwards the query to server B; B cannot answer, so server A goes out to the Internet to find the answer itself:
[root@centos6 ~]# dig www.wange.com
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>> www.wange.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52394
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 10
;; QUESTION SECTION:
;www.wange.com. IN A
;; ANSWER SECTION:
www.wange.com. 7200 IN A 93.90.145.101 # the result returned for the query this time
;; AUTHORITY SECTION:
wange.com. 172755 IN NS ns01.crystone.se.
wange.com. 172755 IN NS ns05.crystone.se.
wange.com. 172755 IN NS ns03.crystone.se.
wange.com. 172755 IN NS ns04.crystone.se.
wange.com. 172755 IN NS ns02.crystone.se.
;; ADDITIONAL SECTION:
ns01.crystone.se. 884 IN A 194.58.193.60
ns01.crystone.se. 884 IN AAAA 2a01:3f1:460::53
ns02.crystone.se. 86382 IN A 185.42.137.108
ns02.crystone.se. 884 IN AAAA 2a01:3f0:400::60
ns03.crystone.se. 884 IN A 194.58.193.124
ns03.crystone.se. 86382 IN AAAA 2a01:3f1:460:1::53
ns04.crystone.se. 884 IN A 185.42.137.126
ns04.crystone.se. 884 IN AAAA 2a01:3f0:400::190
ns05.crystone.se. 884 IN A 93.90.145.25
ns05.crystone.se. 884 IN AAAA 2a06:1003:1:1::5d5a:9119
;; Query time: 2247 msec
;; SERVER: 192.168.34.101#53(192.168.34.101)
;; WHEN: Thu Nov 7 21:50:10 2019
;; MSG SIZE rcvd: 373
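As an added illustration (not code from the post), the following Python check extracts the forward mode, forwarder list and dnssec-validation setting from an options block like the two shown above (the embedded snippets are constructed excerpts of those blocks), models which path answers a name the server is not authoritative for under forward only versus forward first when the forwarder does or does not answer, and lists the caveats a config reviewer would raise on both blocks.

```python
import re
# Constructed excerpts of the two options blocks in this post (not the post's own files).
ONLY_CONF = """options {
    // allow-query { any; };
    forward only ;
    forwarders {192.168.34.102;};
    dnssec-validation no;
};"""
FIRST_CONF = """options {
    forward first ;
    forwarders {192.168.34.103;};
    dnssec-validation no;
};"""

def parse_forwarding(conf):
    """Extract forward mode, forwarders and validation state from an options block."""
    # named.conf allows //, # and /* */ comments; strip them first so that a
    # commented-out directive (like allow-query above) is not read as live.
    text = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    mode = re.search(r"\bforward\s+(only|first)\s*;", text)
    fwd = re.search(r"\bforwarders\s*\{([^}]*)\}", text)
    val = re.search(r"\bdnssec-validation\s+(yes|no|auto)\s*;", text)
    forwarders = re.findall(r"\d+\.\d+\.\d+\.\d+", fwd.group(1)) if fwd else []
    return {
        # BIND uses 'first' when forwarders are set but no 'forward' line is given
        "mode": mode.group(1) if mode else "first",
        "forwarders": forwarders,
        # 'yes' and 'auto' both validate; a missing directive validates by default
        "validating": (val.group(1) if val else "auto") != "no",
    }

def answer_source(settings, forwarder_answered):
    """Model which path serves a name the server is not authoritative for."""
    if not settings["forwarders"]:
        return "recursion"            # no forwarders: iterative lookup from the roots
    if forwarder_answered:
        return "forwarder"
    if settings["mode"] == "first":
        return "recursion"            # 'first': fall back to the roots (part 2 of the post)
    return "SERVFAIL"                 # 'only': never asks the roots itself (part 1)

def lint(settings):
    """Warnings a reviewer would raise on these configurations."""
    warnings = []
    if settings["forwarders"] and not settings["validating"]:
        warnings.append("forwarded answers are trusted without DNSSEC validation")
    if settings["mode"] == "only" and len(settings["forwarders"]) < 2:
        warnings.append("forward only with a single forwarder: that host is a single point of failure")
    return warnings
```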
Reposted from https://www.cnblogs.com/struggle-1216/p/12582269.html