DNS
2011/08/05

TCP/IP DNS
IP Internet DNS
zone master/slave DNS

19.1 DNS
19.1.1
19.1.2
19.1.3
19.1.4
19.1.5
19.1.6

IP /etc/hosts, DNS, FQDN


DNS IP TLD, , port
DNS
ISP DNS
DNS , , Zone
DNS hint, master/slave

19.2 Client
19.2.1 /etc/hosts, /etc/resolv.conf, /etc/nsswitch.conf
19.2.2 DNS host, nslookup, dig
19.2.3 whois

19.3 DNS cache only DNS

19.3.1 DNS
19.3.2 BIND chroot /etc/sysconfig/named chroot
19.3.3 cache-only DNS forwarding named.conf, messages

19.4 DNS
19.4.1
19.4.2
19.4.3
19.4.4
19.4.5
19.4.6
19.4.7
19.4.8
19.4.9

(Resource Record, RR) A, NS, SOA, CNAME, MX


RR PTR
DNS zone
/etc/named.conf
. (root)

DNS

19.5 DNS Slave DNS


19.5.1
19.5.2
19.5.3
19.5.4

master DNS
Slave DNS
DNS
DNS view

19.6 DNS
19.6.1
19.6.2
19.6.3
19.6.4

DNS
LAME Server
RNDC DNS
DNS ISP

19.7
19.8
19.9

19.10 http://phorum.vbird.org/viewtopic.php?p=115692

19.1 DNS
DNS IPv6 128bits IPv4 32bits
128bits IP DNS DNS

DNS

19.1.1 IP
TCP/IP IP IPv4 IPv4 32
12.34.56.78
Internet IP

/etc/hosts
IP Internet IP
IP
IP
/etc/hosts
IP
INTERNIC IP

19.1-1
4.2.1 /etc/hosts IP
... localhost 127.0.0.1
IP

DNS
/etc/hosts 90
/etc/hosts
IP Berkeley Internet Name Domain, BIND

(Domain Name System, DNS) DNS IP

DNS DNS
DNS IP
DNS
ISP
IPv4 128bits IPv6
128bits IP IP DNS

WWW DNS
IP DNS Internet

DNS
DNS FQDNHostname IP DNS
Zone

Tips:

DNS BIND
DNS
Bind
DNS

Fully Qualified Domain Name (FQDN)


DNS (hostname and domain name)
Fully Qualified Domain Name, FQDN

......

(domain)


1234567 1234567(1) 1234567
1234567 (2) (06)
06 domain name
DNS
DNS
(FQDN)
www www.google.com.tw, www.seednet.net,
www.hinet.net www
.google.com.tw, .seednet.net, .hinet.net

(/) DNS domain


name hostname WWW (www.ksu.edu.tw)

19.1-2 DNS (hostname & domain name)


.tw domain name com, edu, gov

edu.tw domain name ksu, ncku hostname


www domain name ksu.edu.tw
ksu.edu.tw domain name DNS
domain name hostname
Tips:

(.) domain name hostname


domain name hostname
DNS
www.dic domain name
ksu.edu.tw www.dic.ksu.edu.tw

19.1.2 DNS IP
FQDN domain name hostname DNS (1)
(2)
DNS

DNS TLD
DNS domain (ksu)

19.1-3 DNS
DNS . () DNS ( root)
(1)com, edu, gov, mil, org, .net (2)
Top Level Domains (TLDs)
(Generic TLDs, gTLD) .com, .org, .gov
(Country code TLDs, ccTLD) .tw, .uk, .jp, .cn
(gTLD) root

com

org

edu

gov

net

mil

.asia, .info, .jobs (1)



ccTLD ccTLD domain name

TLD TLD ISP


.tw IP
.tw root (.) ( 19.1-3 )
root
DNS .tw
ISP .idv.tw
DNS .tw
domain edu.tw ksu.edu.tw
edu.tw DNS

DNS
hostname
IP Client DNS server

DNS IP
DNS DNS
DNS

19.1-4 DNS
http://www.ksu.edu.tw ( Linux
/etc/resolv.conf ) DNS IP DNS
Hinet 168.95.1.1 DNShinet

1. .
DNS hinet
168.95.1.1
. (root) IP
2. . (root)
168.95.1.1 . www.ksu.edu.tw . .tw (
.tw . ) . IP .tw
.tw
3. .tw
168.95.1.1 .tw .edu.tw, .com.tw, gov.tw...
.edu.tw .tw 168.95.1.1
.edu.tw IP
4. .edu.tw
.edu.tw 168.95.1.1 .ksu.edu.tw .ksu.edu.tw
IP
5. .ksu.edu.tw
168.95.1.1 .ksu.edu.tw Bingo .ksu.edu.tw
IP ... 168.95.1.1 www.ksu.edu.tw IP
6.
IP 168.95.1.1 DNS www.ksu.edu.tw
168.95.1.1
DNS
client cache
DNS ( 24 )
.

DNS
DNS DNS
IP
IP DNS
DNS Internet

DNS
DNS
DNS IP
IP
domain name
2 ~ 3
()
IP DNS
idv.tw idv
idv .tw .tw
DNS DNS

DNS

dig . --> .tw --> .edu.tw --> .ksu.edu.tw --> www.ksu.edu.tw


DNS

dig (+trace)

[root@www ~]# dig +trace www.ksu.edu.tw

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> +trace www.ksu.edu.tw
;; global options: printcmd
.                       486278  IN      NS      a.root-servers.net.
.                       486278  IN      NS      b.root-servers.net.
....()....
# . a ~ m.root-servers.net.
;; Received 500 bytes from 168.95.1.1#53(168.95.1.1) in 22 ms
tw.                     172800  IN      NS      ns.twnic.net.
tw.                     172800  IN      NS      a.dns.tw.
tw.                     172800  IN      NS      b.dns.tw.
....()....
# .tw. a ~ h.dns.tw. ns.twnic.net.
;; Received 474 bytes from 192.33.4.12#53(c.root-servers.net) in 168 ms
edu.tw.                 86400   IN      NS      a.twnic.net.tw.
edu.tw.                 86400   IN      NS      b.twnic.net.tw.
# .edu.tw. 7
;; Received 395 bytes from 192.83.166.11#53(ns.twnic.net) in 22 ms
ksu.edu.tw.             86400   IN      NS      dns2.ksu.edu.tw.
ksu.edu.tw.             86400   IN      NS      dns3.twaren.net.
ksu.edu.tw.             86400   IN      NS      dns1.ksu.edu.tw.
;; Received 131 bytes from 192.83.166.9#53(a.twnic.net.tw) in 22 ms
www.ksu.edu.tw.         3600    IN      A       120.114.100.101
ksu.edu.tw.             3600    IN      NS      dns2.ksu.edu.tw.
ksu.edu.tw.             3600    IN      NS      dns1.ksu.edu.tw.
ksu.edu.tw.             3600    IN      NS      dns3.twaren.net.
;; Received 147 bytes from 120.114.150.1#53(dns2.ksu.edu.tw) in 14 ms

A (Address) 120.114.100.101
DNS dig +trace
(NS) ^_^ A NS
DNS

DNS port number


DNS port DNS
port 53 port Linux /etc/services
domain 53 port
DNS udp
tcp
DNS daemon ( named ) tcp udp port 53
tcp, udp port 53

19.1.3 DNS
DNS


FQDN () FQDN
ISP 19.1-4 www.ksu.edu.tw
IP .ksu.edu.tw
19.1-4 .ksu.edu.tw .edu.tw
.ksu.edu.tw .edu.tw
.ksu.edu.tw DNS .ksu.edu.tw


^_^ DNS
Internet DNS DNS

IP
1. DNS DNS
2. DNS

DNS ISP (1) DNS


(2) IP ISP IP DNS
ISP IP

DNS NS (NameServer)
A (Address)
IP (IP Address) A .vbird.org
ISP DNS dns.vbird.org NS A

19.1-5 A
godaddy .vbird.org dns.vbird.org (NS)
IP 140.116... A (IP
Address) ( 19.1-4 )
dns.vbird.org IP IP godaddy
dns.vbird.org dns.vbird.org
dns.vbird.org IPDNS
A
dns.vbird.org
dns.vbird.org IP

dns.vbird.org
dns.vbird.org IP godaddy
ISP DNS
ISP DNS
dns.vbird.org NS A IP

19.1.4 ISP DNS


19.1.3
DNS ISP ISP
DNS
hostname IP
domain name DNS
DNS port

DNS

DNS
Internet Server
Server DNS
Server Server
DNS
mail server
DNS Hostname
DNS
DNS

19.1.5 DNS , , Zone


19.1-4 .ksu.edu.tw DNS
(domain)
(zone) IP
IP DNS IP
IP
IP
(zone)
DNS *.ksu.edu.tw *.ksu.edu.tw
IP DNS .ksu.edu.tw
class C 120.114.140.0/24 254 IP
120.114.140.0/24 DNS

DNS zone
DNS
INTERNIC gTLD ccTLD
centos.vbird DNS
*.idv.tw

zone IP DNS
master/slave DNS zone

SOA (Start of Authority)


NS (NameServer) DNS
A (Address) IP ()

DNS zone
INTERNIC ISP ()
IP IP IP INTERNIC
ISP IP () IP
ISP ISP IP
class C IP ISP IP
ISP
zone NS SOA
PTR (PoinTeR)

DNS zone hint


zone zone
. 19.1-4 DNS
. . . zone . zone
hint DNS zone
DNS zone hint
zone vbird.org DNS zone
hint (root) . zone
vbird.org .vbird.org zone
vbird.org domain IP zone
IP

^_^

ADSL ISP
211.74.253.91 seednet IP
211-74-253-91.adsl.dynamic.seed.net.tw.

^_^
mail server
Internet mail server mail
server IP ISP hinet
http://hidomain.hinet.net/top1.html

19.1.6 DNS hint, master/slave


DNS ISP
DNS IP DNS

DNS
DNS DNS
DNS

. (root) hint Master


() Slave () Master/Slave DNS
Master/Slave

Master
DNS
DNS
DNS
slave DNS

Slave
DNS .ksu.edu.tw 3 DNS
DNS Master

Slave
Slave Master .ksu.edu.tw DNS
Master Master Slave
Master BIND
Slave

Tips:

Master/Slave Master
IP Master
Master/Slave

Master / Slave
DNS internet
Master Slave DNS DNS

DNS DNS DNS
IP

Master / Slave
Master/Slave Slave Master
Slave Master Master Slave

Master Master DNS


master slave
Slave Slave Master Master
Slave () Slave

master/slave
slave master
master () SOA

Master/Slave DNS (Master/Slave)
DNS
DNS

19.2 Client
DNS
DNS server

19.2.1
19.1.1 IP
DNS

/etc/hosts hostname IP
/etc/resolv.conf ISP DNS IP
/etc/nsswitch.conf /etc/hosts /etc/resolv.conf
Linux IP /etc/hosts
/etc/nsswitch.conf hosts
[root@www ~]# vim /etc/nsswitch.conf
hosts:      files dns

files /etc/hosts dns /etc/resolv.conf DNS


/etc/hosts IP /etc/hosts

DNS /etc/resolv.conf
hinet 168.95.1.1 DNS
[root@www ~]# vim /etc/resolv.conf
nameserver 168.95.1.1
nameserver 139.175.10.20

DNS IP () DNS
( 139.175.10.20) DNS
DNS IP DNS

Tips:

3 DNS IP /etc/resolv.conf
DNS
DNS
timeout


DHCP IP /etc/resolv.conf

DHCP DHCP
DHCP
/etc/sysconfig/network-scripts/ifcfg-eth0 PEERDNS=no

CentOS 6.x NetworkManager


^_^

19.2.2 DNS host, nslookup, dig


DNS host nslookup dig

host
[root@www ~]# host [-a] FQDN [server]
[root@www ~]# host -l domain [server]

-a IPTTL
-l domain allow-transfer domain

server /etc/resolv.conf DNS


IP
# 1. linux.vbird.org IP
[root@www ~]# host linux.vbird.org
linux.vbird.org has address 140.116.44.180               <== IP
linux.vbird.org mail is handled by 10 linux.vbird.org.   <== MX ()
# 2. linux.vbird.org
[root@www ~]# host -a linux.vbird.org
Trying "linux.vbird.org"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56213
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;linux.vbird.org.               IN      ANY

;; ANSWER SECTION:
linux.vbird.org.        145     IN      A       140.116.44.180

;; AUTHORITY SECTION:
vbird.org.              145     IN      NS      dns.vbird.org.
vbird.org.              145     IN      NS      dns2.vbird.org.

Received 86 bytes from 168.95.1.1#53 in 15 ms <== 168.95.1.1


# dig dig
# 3. 139.175.10.20 DNS
[root@www ~]# host linux.vbird.org 139.175.10.20
Using domain server:
Name: 139.175.10.20
Address: 139.175.10.20#53
Aliases:
linux.vbird.org has address 140.116.44.180

linux.vbird.org mail is handled by 10 linux.vbird.org.

DNS
DNS /etc/reslov.conf
IP
# 4. vbird.org
[root@www ~]# host -l vbird.org
; Transfer failed.
Host vbird.org not found: 9(NOTAUTH)
; Transfer failed. <==

vbird.org DNS
vbird.org vbird.org host -l
DNS

nslookup
[root@www ~]# nslookup [FQDN] [server]
[root@www ~]# nslookup

1. nslookup IP [server]
2. nslookup IP nslookup
nslookup
set type=any
set type=mx mx
# 1. mail.ksu.edu.tw IP
[root@www ~]# nslookup mail.ksu.edu.tw
Server:         168.95.1.1
Address:        168.95.1.1#53    <== DNS IP
Non-authoritative answer:
Name:   mail.ksu.edu.tw
Address: 120.114.100.20          <== IP

nslookup hostname IP DNS IP


nslookup
[root@www ~]# nslookup        <== nslookup
> 120.114.100.20              <==
> www.ksu.edu.tw              <==
#
> set type=any                <== A
> www.ksu.edu.tw
Server:         168.95.1.1
Address:        168.95.1.1#53
Non-authoritative answer:
Name:   www.ksu.edu.tw
Address: 120.114.100.101                  <==
Authoritative answers can be found from:  <== DNS
ksu.edu.tw      nameserver = dns2.ksu.edu.tw.
ksu.edu.tw      nameserver = dns1.ksu.edu.tw.
dns1.ksu.edu.tw internet address = 120.114.50.1
dns2.ksu.edu.tw internet address = 120.114.150.1
> exit                        <==

nslookup set type=any


any mx zone

dig ()
[root@www ~]# dig [options] FQDN [@server]

@server /etc/resolv.conf DNS IP


options +trace, -t type -x
+trace . 19.1.2
-t type mx, ns, soa 19.4
-x

# 1. linux.vbird.org
[root@www ~]# dig linux.vbird.org
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> linux.vbird.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37415
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;linux.vbird.org.               IN      A                        <==

;; ANSWER SECTION:
linux.vbird.org.        600     IN      A       140.116.44.180   <==

;; AUTHORITY SECTION:
vbird.org.              600     IN      NS      dns.vbird.org.   <==
vbird.org.              600     IN      NS      dns2.vbird.org.

;; Query time: 9 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Thu Aug 4 14:12:26 2011
;; MSG SIZE rcvd: 86

QUESTION() linux.vbird.org IP A
(Address)
ANSWER() QUESTION IP
AUTHORITY() linux.vbird.org DNS
dns.vbird.org dns2.vbird.org 600 19.1-4
() linux.vbird.org
600
# 2. linux.vbird.org SOA
[root@www ~]# dig -t soa linux.vbird.org
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> -t soa linux.vbird.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57511
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;linux.vbird.org.               IN      SOA

;; AUTHORITY SECTION:
vbird.org.              600     IN      SOA     dns.vbird.org. root.dns.vbird.org. 2007091402 28800 7200 720000 86400

;; Query time: 17 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Thu Aug 4 14:15:57 2011
;; MSG SIZE rcvd: 78

dig DNS
DNS
^_^ -t type DNS

# 3. 120.114.100.20
[root@www ~]# dig -x 120.114.100.20
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> -x 120.114.100.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60337
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 3, ADDITIONAL: 3
;; QUESTION SECTION:
;20.100.114.120.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
20.100.114.120.in-addr.arpa. 3600 IN    PTR     mail-out-r2.ksu.edu.tw.
20.100.114.120.in-addr.arpa. 3600 IN    PTR     mail-smtp-proxy.ksu.edu.tw.
20.100.114.120.in-addr.arpa. 3600 IN    PTR     mail.ksu.edu.tw.

;; AUTHORITY SECTION:
100.114.120.in-addr.arpa. 3600  IN      NS      dns1.ksu.edu.tw.
100.114.120.in-addr.arpa. 3600  IN      NS      dns3.twaren.net.
100.114.120.in-addr.arpa. 3600  IN      NS      dns2.ksu.edu.tw.

;; ADDITIONAL SECTION:
dns1.ksu.edu.tw.        3036    IN      A       120.114.50.1
dns2.ksu.edu.tw.        2658    IN      A       120.114.150.1
dns3.twaren.net.        449     IN      A       211.79.61.47

;; Query time: 29 msec
;; SERVER: 168.95.1.1#53(168.95.1.1)
;; WHEN: Thu Aug 4 14:17:58 2011
;; MSG SIZE rcvd: 245

120.114.100.20 20.100.114.120.in-addr.arpa.
in-addr.arpa.

19.2.3 whois
host -l
whois
CentOS 6.x whois jwhois whois
yum

whois
[root@www ~]# whois [domainname] <== domain hostname
[root@www ~]# whois centos.org
[Querying whois.publicinterestregistry.net]
[whois.publicinterestregistry.net]
# whois

Domain ID:D103409469-LROR
Domain Name:CENTOS.ORG
Created On:04-Dec-2003 12:28:30 UTC
Last Updated On:05-Dec-2010 01:23:25 UTC
Expiration Date:04-Dec-2011 12:28:30 UTC <==
Sponsoring Registrar:Key-Systems GmbH (R51-LROR)
Status:CLIENT TRANSFER PROHIBITED
Registrant ID:P-8686062
Registrant Name:CentOS Domain Administrator
Registrant Organization:The CentOS Project
Registrant Street1:Mechelsesteenweg 170
#

whois domain
whois
whois whois
^_^y
whois domain
[root@www ~]# whois vbird.idv.tw
[Querying whois.twnic.net]
[whois.twnic.net]
<== whois
Domain Name: vbird.idv.tw <== domain
Contact:
<==
Der-Min Tsai
vbird@pc510.ev.ncku.edu.tw
Record expires on 2018-09-17 (YYYY-MM-DD)
Record created on 2002-09-13 (YYYY-MM-DD)
Registration Service Provider: HINET

domain 2018/09/17 nslookup,


host, dig IP man command

19.3 DNS cache only DNS


DNS
DNS hint . (root) zone
DNS (Caching only DNS server)

19.3.1 DNS

.... @_@ DNS


DNS BIND (Berkeley Internet Name Domain, BIND)
rpm yum
[root@www ~]# rpm -qa | grep '^bind'
bind-libs-9.7.0-5.P2.el6_0.1.x86_64    <== bind
bind-utils-9.7.0-5.P2.el6_0.1.x86_64   <==
bind-9.7.0-5.P2.el6_0.1.x86_64         <== bind
bind-chroot-9.7.0-5.P2.el6_0.1.x86_64  <== bind

bind-chroot chroot change to root()


root bind /var/named
bind
bind bind
CentOS 6.x bind
/var/named/chroot
bind, bind-chroot DNS . (root)
zone file bind (CentOS 4.x, 5.x caching-nameserver
CentOS 6.x bind )

19.3.2 BIND chroot


BIND
BIND zone file
(zone file) IP
BIND /etc/named.conf zone file
zone file /etc/named.conf zone file /etc/named.conf
CentOS 6.x
/etc/named.conf
/etc/sysconfig/named chroot
/var/named/
/var/run/named named pid-file

/etc/sysconfig/named chroot
distributions bind
chroot chroot /etc/sysconfig/named

[root@www ~]# cat /etc/sysconfig/named
ROOTDIR=/var/named/chroot

named chroot
/var/named/chroot /var/named/chroot bind
/etc, /var/named, /var/run ... bind
/var/named/chroot/etc/named.conf
/var/named/chroot/var/named/zone_file1
/var/named/chroot/var/named/zone_file.....
/var/named/chroot/var/run/named/...
CentOS 6.x chroot
mount --bind ( /etc/init.d/named ) /var/named
mount --bind /var/named /var/named/chroot/var/named CentOS
6.x /var/named/chroot/ ^_^

Tips:

/etc/sysconfig/named /etc/init.d/named
/etc/init.d/named script

19.3.3 cache-only DNS forwarding


zone
zone file zone DNS

cache-only forwarding DNS


. zone file DNS DNS
cache-only () DNS server DNS server
IP
. DNS forwarding ()
. DNS forwarding
DNS . . DNS
cache only DNS ( . root zone file)
DNS . 19.1-4
forwarding DNS . zone file DNS
DNS DNS

19.3-1 forwarding DNS


forwarding DNS
. zone cache-only
DNS forwarding DNS
cache only forwarding . zone
DNS

cache-only DNS
Internet
port 53 DNS port
cache-only DNS
DNS Client
hostname <--> IP DNS Client IP
DNS IP IP cache only
DNS

cache-only DNS server


Linux cache-only DNS
zone ( . zone ) ( named.conf )

cache-only forwarders forwarding


forwarding cache-only DNS

1. /etc/named.conf
chroot CentOS 6.x
/etc/named.conf /var/named/chroot/etc/named.conf
zone
forwarding cache-only DNS
zone ( . )
//
;

[root@www ~]# cp /etc/named.conf /etc/named.conf.raw


[root@www ~]# vim /etc/named.conf
// /etc/named.rfc1912.zones
//
options {
        listen-on port 53 { any; };                             //
        directory       "/var/named";                           //
        dump-file       "/var/named/data/cache_dump.db";        //
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };                               //
        recursion yes;                                          //
        forward only;                                           //
        forwarders {                                            //
                168.95.1.1;                                     // DNS
                139.175.10.20;                                  // seednet
        };
};                                                              //

named.conf
options options
{ } options

listen-on port 53 { any; };


localhost
DNS any
any

directory "/var/named";
zone file
/var/named/ chroot
/var/named/chroot/var/named/
dump-file, statistics-file, memstatistics-file
named

allow-query { any; };
DNS
localhost (
) DNS
forward only ;
DNS forward . zone file

. DNS cache only DNS


forwarders { 168.95.1.1; 139.175.10.20; } ;
forward only DNS forwarders (
s) DNS
DNS forwarder IP ;

cache only DNS server

2. named
named
DNS
# 1. DNS
[root@www ~]# /etc/init.d/named start
Starting named:
[ OK ]
[root@www ~]# chkconfig named on
# 2.
[root@www ~]# netstat -utlnp | grep named
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.100.254:53      0.0.0.0:*               LISTEN      3140/named
tcp        0      0 192.168.1.100:53        0.0.0.0:*               LISTEN      3140/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3140/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3140/named
tcp        0      0 ::1:953                 :::*                    LISTEN      3140/named
udp        0      0 192.168.100.254:53      0.0.0.0:*                           3140/named
udp        0      0 192.168.1.100:53        0.0.0.0:*                           3140/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           3140/named

DNS UDP/TCP port 53


port 953 named
(remote name daemon control, rndc)
rndc rndc UDP/TCP port 53

3. /var/log/messages ()
named /var/log/messages

[root@www ~]# tail -n 30 /var/log/messages | grep named
Aug 4 14:57:09 www named[3140]: starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 -u named -t /var/named/chroot <== chroot
Aug 4 14:57:09 www named[3140]: adjusted limit on open files from 1024 to 1048576
Aug 4 14:57:09 www named[3140]: found 1 CPU, using 1 worker thread
Aug 4 14:57:09 www named[3140]: using up to 4096 sockets
Aug 4 14:57:09 www named[3140]: loading configuration from '/etc/named.conf'
Aug 4 14:57:09 www named[3140]: using default UDP/IPv4 port range: [1024, 65535]
Aug 4 14:57:09 www named[3140]: using default UDP/IPv6 port range: [1024, 65535]
Aug 4 14:57:09 www named[3140]: listening on IPv4 interface lo, 127.0.0.1#53
Aug 4 14:57:09 www named[3140]: listening on IPv4 interface eth0, 192.168.1.100#53
Aug 4 14:57:09 www named[3140]: listening on IPv4 interface eth1, 192.168.100.254#53
Aug 4 14:57:09 www named[3140]: generating session key for dynamic DNS
Aug 4 14:57:09 www named[3140]: command channel listening on 127.0.0.1#953
Aug 4 14:57:09 www named[3140]: command channel listening on ::1#953
Aug 4 14:57:09 www named[3140]: the working directory is not writable
Aug 4 14:57:09 www named[3140]: running

-t ... chroot

/etc/named.conf /var/named/etc/named.conf
(:10)
port 53 DNS
DNS
Tips:

/var/log/messages
couldn't add command channel 127.0.0.1#953: not found
rndc key
RNDC DNS
named.conf
4.
DNS dig www.google.com @127.0.0.1
google IP SERVER:
127.0.0.1#53(127.0.0.1) 19.2

Forwarders
forwarder
Forwarder
DNS forwarder forwarder
( 19.1-4 ) DNS
forwarder
forwarder forwarder DNS
.
Forwarder
DNS
cache only DNS
DNS
cache only server

DNS forwarder

19.4 DNS
DNS
1.
2.
3.
4.
5.
6.

DNS DNS DNS ()


bind chroot /etc/sysconfig/named
named /etc/named.conf
/etc/named.conf
DNS root (.) forwarders
named /var/log/messages

ISP
DNS DNS
centos.vbird DNS
DNS

19.4.1 (Resource Record, RR)


DNS IP zone

zone

(resource record, RR)


dig
www.ksu.edu.tw IP
[root@www ~]# dig www.ksu.edu.tw
....()....
;; ANSWER SECTION:
www.ksu.edu.tw.         2203    IN      A       120.114.100.101

;; AUTHORITY SECTION:
ksu.edu.tw.             911     IN      NS      dns1.ksu.edu.tw.
....()....
# RR

A ksu.edu.tw NS
A IP NS

[domain]    [ttl]    IN    [[RR type]    [RR data]]
[]          [()]     IN    [[]           []]

IN RR type RR data A
IP domain FQDN
(.) FQDN dig www.ksu.edu.tw
www.ksu.edu.tw.
ttl time to live DNS
DNS dig www.ksu.edu.tw
DNS
DNS . (root)
()
ttl RR ttl
RR RR
#
[domain]    IN    [[RR type]    [RR data]]
.           IN    A             IPv4 IP
.           IN    AAAA          IPv6 IP
.           IN    NS            .
.           IN    SOA           ()
.           IN    MX
.           IN    CNAME         .

DNS ksu.edu.tw (domain, zone) www.ksu.edu.tw


(FQDN) RR

A, AAAA IP

A RR IP RR
www.ksu.edu.tw A
[root@www ~]# dig [-t a] www.ksu.edu.tw
;; ANSWER SECTION:
www.ksu.edu.tw.         2987    IN      A       120.114.100.101
# FQDN.                 ttl                     IP
# RR
# [-t a]

domain A dig google.com


IP ksu.edu.tw IP
IP IPv6 aaaa

NS (zone)
www.ksu.edu.tw DNS NS
(NameServer) RR NS
domain ksu.edu.tw
[root@www ~]# dig -t ns ksu.edu.tw
;; ANSWER SECTION:
ksu.edu.tw.             1596    IN      NS      dns1.ksu.edu.tw.

;; ADDITIONAL SECTION:
dns1.ksu.edu.tw.        577     IN      A       120.114.50.1
# NS IP

DNS DNS
NS IP NS
A NS ^_^

SOA
DNS master/slave
zone file SOA (Start Of Authority)

[root@www ~]# dig -t soa ksu.edu.tw
;; ANSWER SECTION:
ksu.edu.tw.             3600    IN      SOA     dns1.ksu.edu.tw. abuse.mail.ksu.edu.tw. 2010080369 1800 900 604800 86400
#

SOA ksu.edu.tw SOA

1. Master DNS DNS master


dns1.ksu.edu.tw ksu.edu.tw DNS
2. email email
@ abuse@mail.ksu.edu.tw
abuse.mail.ksu.edu.tw
3. (Serial) slave

slave

YYYYMMDDNU 2010080369
2010/08/03 69 2^32
4294967296
4. (Refresh) slave master
DNS 1800 slave master slave

5. (Retry) slave master


slave master900
1800 slave master
900 1800
6. (Expire) slave
zone file 604800
900 604800 slave

7. (Minumum TTL) zone file RR TTL


SOA
Serial < 2^32
Refresh >= Retry * 2
Refresh + Retry < Expire
Expire >= Retry * 10
Expire >= 7 Days
DNS RR DNS RR
Refresh
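The SOA sanity rules above, checked in code. This is an example added here, not the book's own code: it takes the SOA RDATA string in the form dig prints it (the ksu.edu.tw and vbird.org records quoted in this chapter, and the named.centos.vbird SOA with its 3H 15M 1W 1D timers), applies the five rules, turns the RNAME field into the mail address as described under point 2, and derives the next YYYYMMDDNN serial that a later section requires after every zone edit. The function names and the sample inputs are the editor's, not the book's.

```python
"""SOA sanity checks for the rules in section 19.4.1 (example added by the
editor, not the book's code)."""
import re
from datetime import date

UNIT_SECONDS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def ttl_to_seconds(value):
    """Convert a BIND time value ('900', '15M', '1W', '1h30m') to seconds."""
    value = value.strip().upper()
    if value.isdigit():
        return int(value)
    if not re.fullmatch(r"(?:\d+[SMHDW])+", value):
        raise ValueError("bad time value: %r" % value)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([SMHDW])", value))


def parse_soa(rdata):
    """Split 'mname rname serial refresh retry expire minimum' (parentheses
    optional, as in a zone file) into a dict with all timers in seconds."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) != 7:
        raise ValueError("SOA needs 7 fields, got %d" % len(fields))
    refresh, retry, expire, minimum = (ttl_to_seconds(f) for f in fields[3:])
    return {"mname": fields[0], "rname": fields[1], "serial": int(fields[2]),
            "refresh": refresh, "retry": retry, "expire": expire,
            "minimum": minimum}


def check_soa(soa):
    """Return the list of violated rules from the book; [] means sane."""
    problems = []
    if not 0 <= soa["serial"] < 2 ** 32:
        problems.append("serial must fit in 32 bits")
    if soa["refresh"] < 2 * soa["retry"]:
        problems.append("refresh < 2*retry")
    if soa["refresh"] + soa["retry"] >= soa["expire"]:
        problems.append("refresh + retry >= expire")
    if soa["expire"] < 10 * soa["retry"]:
        problems.append("expire < 10*retry")
    if soa["expire"] < 7 * 86400:
        problems.append("expire < 7 days")
    return problems


def rname_to_email(rname):
    """'abuse.mail.ksu.edu.tw.' -> 'abuse@mail.ksu.edu.tw': the first dot
    stands for the '@', exactly as the book explains for the RNAME field."""
    local, _, domain = rname.rstrip(".").partition(".")
    return local + "@" + domain


def bump_serial(current, today_yyyymmdd=None):
    """Next YYYYMMDDNN serial: today's date with NN=01, or NN+1 when the
    current serial already carries today's date (the serial only has to
    grow; the date layout is the convention the book recommends)."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(date.today().strftime("%Y%m%d"))
    return max(today_yyyymmdd * 100 + 1, current + 1)


if __name__ == "__main__":
    # Constructed inputs, copied from the SOA records shown in this chapter.
    for rdata in (
        "dns1.ksu.edu.tw. abuse.mail.ksu.edu.tw. 2010080369 1800 900 604800 86400",
        "dns.vbird.org. root.dns.vbird.org. 2007091402 28800 7200 720000 86400",
        "master.centos.vbird. vbird.www.centos.vbird. ( 2011080401 3H 15M 1W 1D )",
    ):
        soa = parse_soa(rdata)
        print(soa["mname"], rname_to_email(soa["rname"]), check_soa(soa) or "OK")
    print("next serial after 2011080401 on 2011/08/04:", bump_serial(2011080401, 20110804))
```

All three SOA records quoted in the chapter pass the rules; the deliberately broken record in the test (refresh shorter than retry, expire of one hour) shows what the checker reports.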

CNAME (alias)
A A
(CNAME) www.google.com
[root@www ~]# dig www.google.com
;; ANSWER SECTION:
www.google.com.         557697  IN      CNAME   www.l.google.com.
www.l.google.com.       298     IN      A       72.14.203.99

www.google.com www.l.google.com A

... (CNAME)

CNAME A IP IP
IP A
A CNAME IP A
CNAME

MX
MX Mail eXchanger () MX
email email server

[root@www ~]# dig -t mx ksu.edu.tw
;; ANSWER SECTION:
ksu.edu.tw.             3600    IN      MX      8 mx01.ksu.edu.tw.

;; ADDITIONAL SECTION:
mx01.ksu.edu.tw.        3600    IN      A       120.114.100.28

ksu.edu.tw mx01.ksu.edu.tw
mx01.ksu.edu.tw MX
mail server MX A
mx01.ksu.edu.tw A
mx01 8

google.com MX 5

19.4.2 RR
www.ksu.edu.tw.
.(root) > tw > edu
19.1-4
IP 120.114.100.101 120 > 114 > 100 > 101
DNS zone
IP .in-addr.arpa.

[root@www ~]# dig -x 120.114.100.101
;; ANSWER SECTION:
101.100.114.120.in-addr.arpa. 3600 IN   PTR     www.ksu.edu.tw.

IP
PTR

PTR IP
zone IP .in-addr.arpa.
120.114.100.0/24 class C IP 100.114.120.in-addr.arpa. zone
PTR
FQDN (.)
100.114.120.in-addr.arpa.
www.100.114.120.in-addr.arpa.

Tips:

FQDN
^_^

19.4.3 DNS zone

DNS centos.vbird
IP 192.168.100.0/24 centos.vbird
192.168.100.0/24 DNS .(root) forwarders
.
1.
2.
3.
4.

named.conf ()
named.centos.vbird ( centos.vbird )
named.192.168.100 ( 192.168.100.0/24 )
named.ca ( bind . )

niki.vbird

DNS ^_^
( 3.2-1)
IP

RR

Linux (192.168.100.254)

master.centos.vbird (NS, A)
www.centos.vbird (A)
linux.centos.vbird (CNAME)
ftp.centos.vbird (CNAME)
forum.centos.vbird (CNAME)
www.centos.vbird (MX)

DNS master.centos.vbird
DNS
www.centos.vbird
CNAME
MX

Linux (192.168.100.10)

slave.centos.vbird (NS, A)
clientlinux.centos.vbird(A)

slave DNS

WinXP (192.168.1.101)

workstation.centos.vbird (A)

WinXP (192.168.100.20)

winxp.centos.vbird (A)

Windows XP

Win7 (192.168.100.30)

win7.centos.vbird (A)

Windows 7

IP IP
www.centos.vbird
IP
Tips:

DNS Internet

192.168.100.254 *.yahoo.com
192.168.100.254
yahoo.com 192.168.100.254

19.4.4 /etc/named.conf
options 19.3.3
forwarders zone file zone
zone
options DNS (forward )
zone zone (domain name) zone file ( master/slave/hint)
DNS (key file)()

[root@www ~]# vim /etc/named.conf
options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        allow-transfer { none; };       // zone
};
zone "." IN {                           // zone
        type hint;
        file "named.ca";
};
zone "centos.vbird" IN {                //
        type master;
        file "named.centos.vbird";
};
zone "100.168.192.in-addr.arpa" IN {    //
        type master;
        file "named.192.168.100";
};

options allow-transfer
allow-transfer { none; };
slave DNS master/slave DNS
slave DNS
none
zone
zone

type

zone . hint
master slave

file

zone file ( chroot )

zone

in-addr.arpa 19.4.2

named
zone file named.conf

19.4.5 . (root)
19.1-4 . . INTERNIC
13 . DNS
ftp://rs.internic.net/domain/named.root
CentOS 6.x bind named.ca

[root@www ~]# vim /var/named/named.ca
.                       518400  IN      NS      A.ROOT-SERVERS.NET.     <==
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
# A.ROOT-SERVERS.NET. IP
.                       518400  IN      NS      M.ROOT-SERVERS.NET.     <==
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:dc3::35
# M A AAAA

NS, A, AAAA 19.4.1


IPv6 . AAAA IPv6
Internet

19.4.6
RR
(TTL) (ORIGIN)
master/slave (SOA)
IP (NS, A)
(A, MX, CNAME )
RR 19.4.1

domain

zone named.centos.vbird @
centos.vbird. named.192.168.100 @ 100.168.192.in-addr.arpa. ( named.conf zone )

(.) (FQDN)
hostname named.centos.vbird www.centos.vbird
FQDN www.centos.vbird.@ ==> www.centos.vbird.centos.vbird.
www.centos.vbird.

DNS
master.centos.vbird email vbird@www.centos.vbird

[root@www ~]# vim /var/named/named.centos.vbird
# NS, A, MX, SOA
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080401 3H 15M 1W 1D ) ;
@       IN NS   master.centos.vbird.           ; DNS
master.centos.vbird.    IN A    192.168.100.254 ; DNS IP
@       IN MX 10 www.centos.vbird.             ;
# 192.168.100.254
www.centos.vbird.       IN A    192.168.100.254
linux.centos.vbird.     IN CNAME www.centos.vbird.
ftp.centos.vbird.       IN CNAME www.centos.vbird.
forum.centos.vbird.     IN CNAME www.centos.vbird.
#
slave.centos.vbird.     IN A    192.168.100.10
clientlinux.centos.vbird. IN A  192.168.100.10
workstation.centos.vbird. IN A  192.168.1.101
winxp.centos.vbird.     IN A    192.168.100.20
win7                    IN A    192.168.100.30  ;

$TTL, SOA, NS ( NS A)

19.4.1

$TTL

RR TTL
DNS TTL DNS
600

$ORIGIN

zone
zone named.conf zone zone
$ORIGIN

DNS (.)
. (FQDN) "hostname + domain name" .
"hostname" zone centos.vbird
(win7) FQDN zone
win7 win7.centos.vbird.

19.4.7
TTL, SOA, NS A PTR
zone zz.yy.xx.in-addr.arpa.
FQDN 19.4.2
192.168.100.0/24 DNS
[root@www ~]# vim /var/named/named.192.168.100
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080401 3H 15M 1W 1D )
@       IN NS   master.centos.vbird.
254     IN PTR  master.centos.vbird.    ; A PTR
254     IN PTR  www.centos.vbird.
10      IN PTR  slave.centos.vbird.
20      IN PTR  winxp.centos.vbird.
30      IN PTR  win7.centos.vbird.
; IP
101     IN PTR  dhcp101.centos.vbird.   ; DHCP () IP
102     IN PTR  dhcp102.centos.vbird.
....()....
200     IN PTR  dhcp200.centos.vbird.

zone 100.168.192.in-addr.arpa. IP 192.168.100


IP 254 192.168.100.254
DHCP IP 192.168.100.{101~200}
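The naming rules of sections 19.4.2, 19.4.6 and 19.4.7 in code: how "@" and an owner name without a trailing dot are completed with the zone origin (win7 becomes win7.centos.vbird.), how a /24 network maps to its in-addr.arpa zone, and how a PTR owner such as 254 inside 100.168.192.in-addr.arpa. maps back to 192.168.100.254. This is an example added here, not the book's code; the two zone snippets are constructed after the book's named.centos.vbird and named.192.168.100 listings, and the function names are the editor's.

```python
"""Zone-file name handling for sections 19.4.2, 19.4.6 and 19.4.7
(example added by the editor, not the book's code)."""
import ipaddress

# Constructed samples, modelled on the book's two zone files.
FORWARD_ZONE = """\
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080401 3H 15M 1W 1D )
@       IN NS   master.centos.vbird.
master.centos.vbird.    IN A    192.168.100.254
win7                    IN A    192.168.100.30   ; relative name, origin is appended
"""
REVERSE_ZONE = """\
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080401 3H 15M 1W 1D )
@       IN NS   master.centos.vbird.
254     IN PTR  master.centos.vbird.
254     IN PTR  www.centos.vbird.
10      IN PTR  slave.centos.vbird.
"""


def qualify(name, origin):
    """Zone-file rule: '@' is the origin, a name ending in '.' is already
    an FQDN, anything else gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def reverse_zone(network):
    """'192.168.100.0/24' -> '100.168.192.in-addr.arpa.' (a single zone name
    exists only for octet-aligned IPv4 prefixes: /8, /16, /24)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("octet-aligned IPv4 prefix required: " + network)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_name(ip):
    """'120.114.100.101' -> '101.100.114.120.in-addr.arpa.' (what dig -x asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def ptr_owner_to_ip(owner):
    """Inverse of ptr_name: '254.100.168.192.in-addr.arpa.' -> '192.168.100.254'."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError("not a full IPv4 in-addr.arpa name: " + owner)
    return ".".join(reversed(labels[:4]))


def parse_zone(text, origin):
    """Return (owner_fqdn, type, rdata) for the single-line records of a
    zone file. $TTL and the parenthesised multi-line SOA are skipped; ';'
    comments and the '#' annotation lines the book uses are ignored.
    Every record is assumed to carry an explicit owner and the IN class."""
    records, in_parens = [], False
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if in_parens:
            in_parens = ")" not in line
            continue
        if not line or line.startswith(("$", "#")):
            continue
        if "(" in line and ")" not in line:
            in_parens = True
            continue
        fields = line.split()
        idx = fields.index("IN")
        records.append((qualify(fields[0], origin), fields[idx + 1], " ".join(fields[idx + 2:])))
    return records


def ptr_map(text, origin):
    """IP -> hostnames from a reverse zone, resolving the relative owners."""
    result = {}
    for owner, rtype, rdata in parse_zone(text, origin):
        if rtype == "PTR":
            result.setdefault(ptr_owner_to_ip(owner), []).append(rdata)
    return result


if __name__ == "__main__":
    print(reverse_zone("192.168.100.0/24"), ptr_name("120.114.100.101"))
    for rec in parse_zone(FORWARD_ZONE, "centos.vbird."):
        print(rec)
    print(ptr_map(REVERSE_ZONE, reverse_zone("192.168.100.0/24")))
```

The origin passed to parse_zone is the zone name from named.conf (with a trailing dot), which is exactly what the book says "@" stands for; the reverse zone's origin is computed from the network rather than typed by hand, so a mistyped octet order in the zone name cannot slip past the PTR lookup.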

19.4.8 DNS
DNS script
[root@www ~]# /etc/init.d/named start   <== restart
[root@www ~]# chkconfig named on

OK DNS
/var/log/messages

[root@www ~]# tail -n 30 /var/log/messages | grep named


named[3511]: starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 -u named -t /var/named/chroot
named[3511]: adjusted limit on open files from 1024 to 1048576
named[3511]: found 1 CPU, using 1 worker thread
named[3511]: using up to 4096 sockets
named[3511]: loading configuration from '/etc/named.conf'
named[3511]: using default UDP/IPv4 port range: [1024, 65535]
named[3511]: using default UDP/IPv6 port range: [1024, 65535]
named[3511]: listening on IPv4 interface lo, 127.0.0.1#53
named[3511]: listening on IPv4 interface eth0, 192.168.1.100#53
named[3511]: listening on IPv4 interface eth1, 192.168.100.254#53
named[3511]: command channel listening on 127.0.0.1#953
named[3511]: command channel listening on ::1#953
named[3511]: the working directory is not writable
named[3511]: zone 100.168.192.in-addr.arpa/IN: loaded serial 2011080401
named[3511]: zone centos.vbird/IN: loaded serial 2011080401
named[3511]: running

-t chroot_dir chroot
(configuration) /etc/named.conf zone (hint . )
(serial) :
OK

/var/log/messages

DNS
(.) MX
mail server
DNS client

/var/log/messages
named: /etc/named.conf:8: missing ';' before '}'
# /etc/named.conf 8
# (;)
dns_rdata_fromtext: named.centos.vbird:4: near eol: unexpected end of input
zone centos.vbird/IN: loading master file named.centos.vbird: unexpected end of input

_default/centos.vbird/IN: unexpected end of input


# named.centos.vbird 4 4 SOA
# SOA
dns_rdata_fromtext: named.centos.vbird:7: near 'www.centos.vbird.':
not a valid number
# 7 www.centos.vbird MX
#

...
netstat port 53

[root@www ~]# vim /usr/local/virus/iptables/iptables.rule
#
iptables -A INPUT -p UDP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT

iptables -A INPUT -p TCP -i $EXTIF --dport 53 --sport 1024:65534 -j ACCEPT


[root@www ~]# /usr/local/virus/iptables/iptables.rule

19.4.9
DNS
client

http://thednsreport.com/
DNS
zone DNS
DNS /etc/resolv.conf
[root@www ~]# vim /etc/resolv.conf
nameserver 192.168.100.254 <== IP
nameserver 168.95.1.1

# 1. master.centos.vbird www.centos.vbird A
[root@www ~]# dig master.centos.vbird
;; ANSWER SECTION:
master.centos.vbird.    600     IN      A       192.168.100.254
[root@www ~]# dig www.centos.vbird
;; ANSWER SECTION:
www.centos.vbird.       600     IN      A       192.168.100.254
# 2. ftp.centos.vbird winxp A
[root@www ~]# dig ftp.centos.vbird
;; ANSWER SECTION:
ftp.centos.vbird.       600     IN      CNAME   www.centos.vbird.
www.centos.vbird.       600     IN      A       192.168.100.254
[root@www ~]# dig winxp.centos.vbird
;; ANSWER SECTION:
winxp.centos.vbird.     600     IN      A       192.168.100.20
# 3. centos.vbird zone MX
[root@www ~]# dig -t mx centos.vbird
;; ANSWER SECTION:
centos.vbird.           600     IN      MX      10 www.centos.vbird.
# 4. 192.168.100.254 192.168.100.10
[root@www ~]# dig -x 192.168.100.254
;; ANSWER SECTION:
254.100.168.192.in-addr.arpa. 600 IN    PTR     www.centos.vbird.
254.100.168.192.in-addr.arpa. 600 IN    PTR     master.centos.vbird.
[root@www ~]# dig -x 192.168.100.10
;; ANSWER SECTION:
10.100.168.192.in-addr.arpa. 600 IN     PTR     slave.centos.vbird.

www.centos.vbird

IP

IP
1. zone RR
2. zone file (Serial) SOA ()
master/slave
3. named named

master/slave

19.5 DNS Slave DNS


DNS
DNS ISP domain name DNS
DNS Master/Slave DNS
Slave DNS
DNS DNS
DNS IP
Master DNS DNS slave
slave DNS master DNS
master/slave DNS zone file /etc/named.conf

DNS

19.5.1 master DNS


19.4.3 slave DNS
slave DNS zone transfer master.centos.vbird
centos.vbird 100.168.192.in-addr.arpa zone slave DNS
master.centos.vbird named slave.centos.vbird zone transfer
Slave DNS server 192.168.100.10 ( zone file )
master.centos.vbird named.conf zone file
named.conf IP zone (allow-transfer) zone file
NS
# 1. named.conf zone allow-transfer
[root@www ~]# vim /etc/named.conf
........
zone "centos.vbird" IN {
type master;
file "named.centos.vbird";
allow-transfer { 192.168.100.10; }; // slave IP
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "named.192.168.100";
allow-transfer { 192.168.100.10; }; // slave IP
};

NS NS
slave.centos.vbird IP 192.168.100.10

# 2. zone file NS A() PTR()


[root@www ~]# vim /var/named/named.centos.vbird
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080402 3H 15M 1W 1D )
@       IN NS   master.centos.vbird.
@       IN NS   slave.centos.vbird.
master.centos.vbird.    IN A    192.168.100.254
slave.centos.vbird.     IN A    192.168.100.10
@       IN MX 10 www.centos.vbird.
....()....
[root@www ~]# vim /var/named/named.192.168.100
$TTL    600
@       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
        2011080402 3H 15M 1W 1D )
@       IN NS   master.centos.vbird.
@       IN NS   slave.centos.vbird.
254     IN PTR  master.centos.vbird.
10      IN PTR  slave.centos.vbird.
....()....
# zone file 8/4
# 2 restart
[root@www ~]# /etc/init.d/named restart
[root@www ~]# tail -n 30 /var/log/messages | grep named
starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 -u named -t /var/named/chroot
....()....
zone 100.168.192.in-addr.arpa/IN: loaded serial 2011080402
zone centos.vbird/IN: loaded serial 2011080402
zone 100.168.192.in-addr.arpa/IN: sending notifies (serial 2011080402)
zone centos.vbird/IN: sending notifies (serial 2011080402)

named messages
sending notifies () slave DNS
master DNS
Slave

19.5.2 Slave DNS


Slave DNS DNS bind, bind-chroot
19.3.1 yum named.conf
Master/Slave named.conf
zone type master zone filename zone file
master named zone file zone file

# 1. named.conf
[root@clientlinux ~]# vim /etc/named.conf
....( master.centos.vbird )....
zone "centos.vbird" IN {
type slave;
file "slaves/named.centos.vbird";
masters { 192.168.100.254; };
};
zone "100.168.192.in-addr.arpa" IN {
type slave;
file "slaves/named.192.168.100";
masters { 192.168.100.254; };
};

# 2. zone file
[root@clientlinux ~]# ll -d /var/named/slaves
drwxrwx---. 2 named named 4096 2011-06-25 11:48 /var/named/slaves
# named
[root@clientlinux ~]# ll -dZ /var/named/slaves
drwxrwx---. named named system_u:object_r:named_cache_t:s0 /var/named/slaves
# SELinux

CentOS /var/named/slaves/
slave zone file file
masters s zone file named.ca .
type slave master
named
[root@clientlinux ~]# /etc/init.d/named start
[root@clientlinux ~]# chkconfig named on
[root@clientlinux ~]# tail -n 30 /var/log/messages | grep named
starting BIND 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 -u named -t /var/named/chroot
loading configuration from '/etc/named.conf'
....()....
running
zone 100.168.192.in-addr.arpa/IN: Transfer started.
zone 100.168.192.in-addr.arpa/IN: transferred serial 2011080402
zone centos.vbird/IN: Transfer started.
zone centos.vbird/IN: transferred serial 2011080402 <==
#
[root@clientlinux ~]# ll /var/named/slaves
-rw-r--r--. 1 named named 3707 2011-08-05 14:12 named.192.168.100
-rw-r--r--. 1 named named 605 2011-08-05 14:12 named.centos.vbird
# zone file
[root@clientlinux ~]# dig master.centos.vbird @127.0.0.1
[root@clientlinux ~]# dig -x 192.168.100.254 @127.0.0.1
# A PTR

zone file master DNS


named slave DNS
slave DNS
zone centos.vbird/IN: Transfer started.
transfer of 'centos.vbird/IN' from 192.168.100.254#53: connected using 192.168.100.10#58187
dumping master file: tmp-a1bYfCd3i3: open: permission denied
transfer of 'centos.vbird/IN' from 192.168.100.254#53: failed while receiving responses: permission denied
transfer of 'centos.vbird/IN' from 192.168.100.254#53: end of transfer

named DNS
centos.vbird master slave
master slave domain

19.5.3 DNS
Master/Slave DNS DNS
DNS

DNS
IP

subdomain ()
DNS
master centos.vbird zone
ISP domain name domain niki.centos.vbird

DNS master.centos.vbird centos.vbird zone file


NS DNS IP (A) zone file
DNS DNS DNS
zone DNS IP zone
zone file
niki.centos.vbird dns.niki.centos.vbird IP
192.168.100.200

DNS zone file NS A


DNS master DNS (www.centos.vbird )
named.centos.vbird slave DNS

[root@www ~]# vim /var/named/named.centos.vbird
@                       IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
                                2011080501 3H 15M 1W 1D )
# SOA ()
niki.centos.vbird.      IN NS   dns.niki.centos.vbird.
dns.niki.centos.vbird.  IN A    192.168.100.200
[root@www ~]# /etc/init.d/named restart
[root@www ~]# tail -n 30 /var/log/messages | grep named
Aug 5 14:22:36 www named[9564]: zone centos.vbird/IN: loaded serial 2011080501
#
[root@www ~]# dig dns.niki.centos.vbird @127.0.0.1
# A

DNS zone file zone file NS


dig dns.niki.centos.vbird A
192.168.100.200 niki.centos.vbird 192.168.100.200
niki.centos.vbird zone 192.168.100.200
DNS

DNS zone
DNS 19.4
# 1. named.conf zone named.niki.centos.vbird
[root@niki ~]# vim /etc/named.conf
....()....
zone "niki.centos.vbird" IN {
type master;
file "named.niki.centos.vbird";
};

# 2. named.niki.centos.vbird
[root@niki ~]# vim /var/named/named.niki.centos.vbird
$TTL    600
@                       IN SOA  dns.niki.centos.vbird. root.niki.centos.vbird. (
                                2011080501 3H 15M 1W 1D )
@                       IN NS   dns.niki.centos.vbird.
dns                     IN A    192.168.100.200
www                     IN A    192.168.100.200
@                       IN MX 10 www.niki.centos.vbird.
@                       IN A    192.168.100.200
# hostname FQDN
# 3.
[root@niki ~]# /etc/init.d/named restart
[root@niki ~]# tail -n 30 /var/log/messages | grep named
....()....
zone niki.centos.vbird/IN: loaded serial 2011080501
....()....
#
[root@niki ~]# dig www.niki.centos.vbird @192.168.100.254
#

19.5.4 DNS view


master.centos.vbird
192.168.100.254/24 () 192.168.1.100/24 () master.centos.vbird
IP 192.168.100.254 NAT
192.168.100.254 192.168.1.100 NAT
master.centos.vbird 192.168.1.100 192.168.100.254
view
view zone
10.0.0.1 (192.168.100.0/24)
zone file zone

view
intranet 192.168.100.0/24
internet 192.168.100.0/24
intranet zone file zone filenameinternet zone filename
inter
www.centos.vbird IP 192.168.100.254
www.centos.vbird IP 192.168.1.100

[root@www ~]# vim /etc/named.conf
options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion yes;
        allow-transfer { none; };
};
acl intranet { 192.168.100.0/24; };         <== intranet IP
acl internet { ! 192.168.100.0/24; any; };  <== (!)

view "lan" {                                <==
        match-clients { "intranet"; };      <== zone
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "centos.vbird" IN {
                type master;
                file "named.centos.vbird";
                allow-transfer { 192.168.100.10; };
        };
        zone "100.168.192.in-addr.arpa" IN {
                type master;
                file "named.192.168.100";
                allow-transfer { 192.168.100.10; };
        };
};
view "wan" {                                <==
        match-clients { "internet"; };      <== internet
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "centos.vbird" IN {
                type master;
                file "named.centos.vbird.inter";    <==
        };
        // IP IP
};

named.centos.vbird.inter
[root@www ~]# cd /var/named
[root@www named]# cp -a named.centos.vbird named.centos.vbird.inter
[root@www named]# vim named.centos.vbird.inter
$TTL    600
@                         IN SOA  master.centos.vbird. vbird.www.centos.vbird. (
                                  2011080503 3H 15M 1W 1D )
@                         IN NS   master.centos.vbird.
master.centos.vbird.      IN A    192.168.1.100
@                         IN MX 10 www.centos.vbird.
www.centos.vbird.         IN A    192.168.1.100
linux.centos.vbird.       IN CNAME www.centos.vbird.
ftp.centos.vbird.         IN CNAME www.centos.vbird.
forum.centos.vbird.       IN CNAME www.centos.vbird.
workstation.centos.vbird. IN A    192.168.1.101
# IP

[root@www named]# /etc/init.d/named restart
[root@www named]# tail -n 30 /var/log/messages
[root@www named]# dig www.centos.vbird @192.168.100.254
www.centos.vbird.       600     IN      A       192.168.100.254
# 192.168.100.0/24

[root@www named]# dig www.centos.vbird @192.168.1.100
www.centos.vbird.       600     IN      A       192.168.1.100
# IP 192.168.100.0/24

DNS

DNS IP
view
IP
IP http://www.iana.org/numbers/
IP
http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.xml
IP
http://rms.twnic.net.tw/twnic/User/Member/Search/main7.jsp?Order=inet_aton%28Startip%29
acl view
acl asia { 1.0.0.0/8; 14.0.0.0/8; 27.0.0.0/8; 36.0.0.0/8; 39.0.0.0/8;
42.0.0.0/8; 49.0.0.0/8; 58.0.0.0/8; 59.0.0.0/8; 60.0.0.0/8;
61.0.0.0/8; 101.0.0.0/8; 103.0.0.0/8; 106.0.0.0/8; 110.0.0.0/8;
111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8; 114.0.0.0/8; 115.0.0.0/8;
116.0.0.0/8; 117.0.0.0/8; 118.0.0.0/8; 119.0.0.0/8; 120.0.0.0/8;
121.0.0.0/8; 122.0.0.0/8; 123.0.0.0/8; 124.0.0.0/8; 125.0.0.0/8;
126.0.0.0/8; 175.0.0.0/8; 180.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8;
202.0.0.0/8; 203.0.0.0/8; 210.0.0.0/8; 211.0.0.0/8; 218.0.0.0/8;
219.0.0.0/8; 220.0.0.0/8; 221.0.0.0/8; 222.0.0.0/8; 223.0.0.0/8;
139.175.0.0/16; 140.0.0.0/8;150.116.0.0/16;150.117.0.0/16;
163.0.0.0/8; 168.95.0.0/16;192.0.0.0/8;
};
acl nonasia { ! "asia"; any; };

asia nonasia view zone zone


file
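To predict which view a client lands in, the following added example (not from the page or from BIND) evaluates address-match lists with named's first-match rule, using the intranet/internet ACLs and a shortened asia/nonasia list from above; it also flags prefixes with host bits set, which named refuses at load time. Names such as match_list and select_view are this example's own.

```python
"""Evaluate BIND address-match lists (acl / match-clients) with named's
first-match rule (added example, not from the page or from BIND). ACLs are
those from the named.conf above; the 'asia' list is shortened to a few prefixes."""
import ipaddress

# Elements are "any", a network prefix, or another ACL's name; a leading "!" negates.
ACLS = {
    "intranet": ["192.168.100.0/24"],
    "internet": ["! 192.168.100.0/24", "any"],
    "asia": ["1.0.0.0/8", "14.0.0.0/8", "42.0.0.0/8", "202.0.0.0/8",
             "203.0.0.0/8", "168.95.0.0/16"],
    "nonasia": ["! asia", "any"],
}
# Views in named.conf order, each with its match-clients list.
VIEWS = [("lan", ["intranet"]), ("wan", ["internet"])]


def match_list(elements, ip, acls=ACLS):
    """True: matched; False: a negated element matched, so the list rejects
    the address; None: nothing matched. The first matching element decides."""
    addr = ipaddress.ip_address(ip)
    for element in elements:
        negated = element.startswith("!")
        item = element.lstrip("! ")
        if item == "any":
            hit = True
        elif item in acls:
            # named treats a negative match inside a nested ACL as "no match"
            hit = match_list(acls[item], ip, acls) is True
        else:
            # strict=True refuses prefixes with host bits set, as named does
            hit = addr in ipaddress.ip_network(item, strict=True)
        if hit:
            return not negated
    return None


def select_view(ip, views=VIEWS, acls=ACLS):
    """Name of the first view whose match-clients accepts ip, or None."""
    for name, clients in views:
        if match_list(clients, ip, acls) is True:
            return name
    return None


def invalid_prefixes(acls):
    """Prefixes named would reject at load time, e.g. a mistyped '/0'."""
    bad = []
    for elements in acls.values():
        for item in (e.lstrip("! ") for e in elements):
            if item == "any" or item in acls:
                continue
            try:
                ipaddress.ip_network(item, strict=True)
            except ValueError:
                bad.append(item)
    return bad
```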

19.6 DNS
DNS
DNS rndc DNS

19.6.1 DNS
DNS DNS

DNS domain vbird.idv.tw


ISP DNS

1. domain name ...


DNS server ISP

http://www.twnic.net/index3.php
TWNIC domain ISP
ISP Hinet vbird.idv.tw
Hinet

1.
http://domain.hinet.net
2.

3.
(1)
vbird.tw (2)

19.6-1 Hinet domain

4. DNS
ISP host IP ()
DNS mail server DNS
19.6-1 (3) DNS
DNS hostname IP IP
IP

19.6-2 Hinet domain


2. DNS (19.4)
DNS domain name DNS

ISP

3.
DNS
http://thednsreport.com/
DNS Internet
^_^

19.6.2 LAME Server


/var/log/messages
[root@www ~]# more /var/log/messages
Oct 5 05:02:30 test named[432]: lame server resolving '68.206.244.205.in-addr.arpa' (in '206.244.205.in-addr.arpa'?): 205.244.200.3#53
Oct 5 05:02:31 test named[432]: lame server resolving '68.206.244.205.in-addr.arpa' (in '206.244.205.in-addr.arpa'?): 206.105.201.35#53
Oct 5 05:02:41 test named[432]: lame server resolving '68.206.244.205.in-addr.arpa' (in '206.244.205.in-addr.arpa'?): 205.244.112.20#53

( CentOS 6.x
/usr/share/doc/bind-9.7.0/arm/Bv9ARM.ch06.html ) DNS DNS
DNS
lame server
DNS
DNS DNS
Linux
/var/log/messages
lame server
/var/log/messages BIND
/etc/named.conf
# 1. /etc/named.conf
[root@www ~]# vim /etc/named.conf
//
logging {
category lame-servers { null; };
};
# 2. bind
[root@www ~]# /etc/init.d/named restart

logging lame server


(null) named /var/log/messages
named lame server

19.6.3 RNDC DNS


DNS /var/log/messages
command channel listening on 127.0.0.1#953

port 953 named rndc rndc


BIND version 9 DNS
DNS zone DNS DNS

rndc DNS
rndc (rndc key) named.conf
DNS DNS rndc distributions
rndc key

couldn't add command channel 127.0.0.1#953: not found

DNS rndc key rndc key


named.conf bind
# 1. rndc key
[root@www ~]# rndc-confgen
# Start of rndc.conf <== # /etc/rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "UUqxyIwui+22CobCYFj5kg==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "UUqxyIwui+22CobCYFj5kg==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

key controls named.conf #
rndc-confgen key

# 2. rndc.key
[root@www ~]# vim /etc/rndc.key
#
key "rndc-key" {
algorithm hmac-md5;
secret "UUqxyIwui+22CobCYFj5kg==";
};
# 3. named.conf
[root@www ~]# vim /etc/named.conf
#
key "rndc-key" {
algorithm hmac-md5;
secret "UUqxyIwui+22CobCYFj5kg==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
[root@www ~]# /etc/init.d/named restart

rndc key DNS port 953 rndc


rndc
[root@www ~]# rndc
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload
Reload configuration file and zones.
stats
Write server statistics to the statistics file.
dumpdb
Dump cache(s) to the dump file (named_dump.db).
flush
Flushes all of the server's caches.
status
Display status of the server.
#

# DNS
[root@www ~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1
CPUs found: 1
worker threads: 1
number of zones: 27           <== DNS zone
debug level: 0                <== debug debug
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF          <== debug debug
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running      <== debug debug
# DNS
[root@www ~]# rndc stats
# /var/named/data
[root@www ~]# cat /var/named/data/named_stats.txt
+++ Statistics Dump +++ (1312528012)
....()....
++ Zone Maintenance Statistics ++
2 IPv4 notifies sent
++ Resolver Statistics ++
....()....
++ Cache DB RRsets ++
[View: lan (Cache: lan)]
[View: wan (Cache: wan)]
[View: _bind (Cache: _bind)]
[View: _meta (Cache: _meta)]
++ Socket I/O Statistics ++
5 UDP/IPv4 sockets opened
4 TCP/IPv4 sockets opened
2 UDP/IPv4 sockets closed
1 TCP/IPv4 sockets closed
2 TCP/IPv4 connections accepted
++ Per Zone Query Statistics ++
--- Statistics Dump --- (1312528012)
#

[root@www ~]# rndc dumpdb
# stats cache
# /var/named/data/cache_dump.db

rndc
rndc: connection to remote host closed
This may indicate that the remote server is using an older version of
the command protocol, this host is not authorized to connect,
or the key is invalid.

/etc/rndc.key /etc/rndc.conf rndc-confgen


rndc key named
named ^_^

19.6.4 DNS ISP


DNS (Dynamic DNS, DDNS)
ADSL Internet IP ISP IP
DNS Internet
IP
Internet IP http://www.noip.org
DNS Internet zone
IP DDNS
DDNS zone file
BIND 9 update-policy
key 1) DDNS Client
Key ( ) 2) Client Key
BIND 9 nsupdate DDNS Zone file

1. DDNS Server
Linux IP Web
web.centos.vbird
named.conf centos.vbird zone
[root@www ~]# dnssec-keygen -a [] -b [] -n []

-a [type] RSAMD5, RSA, DSA, DH


HMAC-MD5 HMAC-MD5
-b 512 HMAC-MD5
-n HOST
ZONE ZONE
HOST
[root@www ~]# cd /etc/named
[root@www named]# dnssec-keygen -a HMAC-MD5 -b 512 -n HOST web
Kweb.+157+36124
[root@www named]# ls -l
-rw-------. 1 root root 112 Aug 5 15:22 Kweb.+157+36124.key
-rw-------. 1 root root 229 Aug 5 15:22 Kweb.+157+36124.private
#

[root@www named]# cat Kweb.+157+36124.key <==
web. IN KEY 512 3 157 xZmUo8ozG8f2OSg/cqH8Bqxk59Ho8....3s9IjUxpFB4Q==
#

/etc/named.conf web.centos.vbird
named.conf
[root@www ~]# vim /etc/named.conf
// Key
key "web" {
algorithm hmac-md5;
secret "xZmUo8ozG8f2OSg/cqH8Bqxk59Ho8....3s9IjUxpFB4Q==";
};
// zone
zone "centos.vbird" IN {
type master;
file "named.centos.vbird";
allow-transfer { 192.168.100.10; };
update-policy {
grant web name web.centos.vbird. A;
};
};
[root@www ~]# chmod g+w /var/named
[root@www ~]# chown named /var/named/named.centos.vbird
[root@www ~]# /etc/init.d/named restart
[root@www ~]# setsebool -P named_write_master_zones=1

grant web name web.centos.vbird. A; grant key


web key zone (centos.vbird) web.centos.vbird A
IP grant [key_name] name [hostname]
key
named /var/named/
DNS /var/log/messages
DDNS

2. Client
DDNS Client Server
Kweb.+157+36124.key Kweb.+157+36124.private SSH sftp
web.centos.vbird /usr/local/ddns
[root@web ~]# cd /usr/local/ddns
[root@web ddns]# nsupdate -k Kweb.+157+36124.key
> server 192.168.100.254
> update delete web.centos.vbird                      <==
> update add web.centos.vbird 600 A 192.168.100.200 <==
> send
> [ctrl]+D

update add web.centos.vbird 600 A 192.168.100.200


ttl 600 A 192.168.100.200 nsupdate -k
Server key
DNS /var/named/ named.centos.vbird.jnl
/var/named/named.centos.vbird
Client script

[root@web ~]# vim /usr/local/ddns/ddns_update.sh
#!/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
export PATH
# 0. keyin your parameters
basedir="/usr/local/ddns"
keyfile="$basedir"/"Kweb.+157+36124.key"
ttl=600
outif="eth0"
hostname="web.centos.vbird"
servername="192.168.100.254"
# ttl
# ISP
# ISP

# Get your new IP
newip=`ifconfig "$outif" | grep 'inet addr' | \
       awk '{print $2}' | sed -e "s/addr\://"`
checkip=`echo $newip | grep "^[0-9]"`
if [ "$checkip" == "" ]; then
        echo "$0: The interface can't connect internet...."
        exit 1
fi

# create the temporal file (the nsupdate batch: server, delete, add, send)
tmpfile=$basedir/tmp.txt
cd $basedir
echo "server $servername"                 >  $tmpfile
echo "update delete $hostname A "         >> $tmpfile
echo "update add $hostname $ttl A $newip" >> $tmpfile
echo "send"                               >> $tmpfile

# send your IP to server (-k: sign with the key file, -v: use TCP)
nsupdate -k $keyfile -v $tmpfile

/etc/crontab

http://linux.vbird.org/linux_server/0350dns/ddns_update.sh
BIND 9 IP ISP domain
name IP
nsupdate IP IP

19.7
Internet hostname
domain name Fully Qualified Domain Name (FQDN)
IP /etc/hosts DNS

Unix Like BIND DNS


DNS BIND named
DNS RR (Resource Record)
DNS hostname IP IP hostname zone

bind 9 named chroot


Slave zone file zone file Master master
slave allow-transfer
DNS root(.)
(record)SOA, A, MX, NS, CNAME, TXT HINFO
SOA, PTR

DNS host, nslookup, dig, whois


named daemon /var/log/messages daemon

19.8
DNS
Hostname IP Internet IP

Unix Like DNS daemon


DNS
Unix Like BIND DNS daemon named daemon

Internet
/etc/hosts hosts
[IP] [] [(alias)]
127.0.0.1 localhost localhost.localdomain
IP HOSTNAME

(forward)(reverse)(loopback)
hostname IP A, NS, SOA, MX, CNAME IP
Hostname SOA, NS PTR localhost 127.0.0.1

DNS /etc/named.conf hint

rs.internic.net root (.) zone IP DNS Server


root

client HOSTNAME IP
/etc/nsswitch.conf /etc/hosts DNS
/etc/hosts
/etc/resolv.conf DNS resolver ()

Client HOSTNAME
nslookup
dig
whois DNS
host

named
/var/log/messages

19.9
1 (gTLD, ccTLD) http://www.whois365.com/tw/listtld
http://icannwiki.org/GTLD_and_ccTLD
BIND http://www.isc.org/products/BIND/
Study Area http://www.study-area.org/linux/servers/linux_dns.htm
http://turtle.ee.ncku.edu.tw/~tung/dns/dnsintro.html
lame server http://linux.cvf.net/lame_server.html
DDNS http://www.study-area.org/tips/ddns.htm
Hinet http://hidomain.hinet.net/top1.html
DNS http://www.dnsreport.com/
DNS view
http://www.study-area.org/tips/bind9_view.htm
Red Hat
http://www.redhat.com/magazine/026dec06/features/dns/?sc_cid=bcm_edmsept_007
NIC http://dns-learning.twnic.net.tw/bind/toc.html
bind view http://www.l-penguin.idv.tw/article/dns.htm

IP http://rms.twnic.net.tw/twnic/User/Member/Search/main7.jsp?Order=inet_aton%28Startip%29

2002/12/10
2003/03/10 LPI
2003/09/10 slave DNS
2003/10/08 lame server
2004/10/29 rndckey
2004/10/30 Master/Slave
2004/10/31 DNS
2005/07/19 SOA
2006/10/17
2006/10/20
2007/06/25 Forwarding cache-only
2011/04/26 CentOS 4.x
2011/05/10 view
2011/08/04 CentOS 5.x
2011/08/05 script
2002/12/10

http://linux.vbird.org is designed by VBird during 2001-2011. ksu.edu
