DNS分离解析介绍
? 分离解析的域名服务器,实际上也还是主域名服务器,这里所说的分离解析,主要是指根据不同的客户端,提供不同的域名解析记录。来自不同地址的客户机请求解析同一域名时,为其提供不同的解析结果。
搭建DNS分离解析服务器
实验环境
使用VMware 15软件分别打开一台win 10虚拟机,一台win 7虚拟机和一台CentOS 7虚拟机
搭建实验拓扑图
在此次实验中我将把CentOS 7虚拟机作为网关来使用,并在CentOS 7系统搭建DNS服务器提供DNS解析服务,同时开启一台win 7、一台win 10客户机作为客户机,与CentOS 7进行网络连接,win 7模拟为广域网的客户机,win 10模拟为局域网的客户机,win 7与win 10作为不同网段中的客户机就要我们在CentOS 7系统中做双网卡的模式,来使两台客户机连接。并设定不同的IP地址:win 7IP地址为:12.0.0.12/24 、win 10IP地址为:192.168.100.100、CentOS 7中两个网卡中网关分别是:192.168.100.1/24、12.0.0.1/24。如下图:
实验目的:建立DNS分离解析服务器。
搭建实验环境
1、首先在CentOS 7中安装DNS服务,并建立双网卡,使网卡处于仅主机模式,并设置网关,win 7与win 10客户端网卡同样设置为 仅主机模式,使设备绑定在同一网络设备。
[[email protected] ~]# yum install bind -y
已加载插件:fastestmirror, langpacks
base | 3.6 kB 00:00
extras | 3.4 kB 00:00
updates | 3.4 kB 00:00
(1/4): extras/7/x86_64/primary_db | 215 kB 00:25
(2/4): base/7/x86_64/group_gz | 166 kB 00:25
已安装:
bind.x86_64 32:9.9.4-74.el7_6.2
...//省略部分内容...
作为依赖被升级:
bind-libs.x86_64 32:9.9.4-74.el7_6.2
bind-libs-lite.x86_64 32:9.9.4-74.el7_6.2
bind-license.noarch 32:9.9.4-74.el7_6.2
bind-utils.x86_64 32:9.9.4-74.el7_6.2
完毕!
2、配置CentOS 7系统网卡静态IP地址,两块网卡均配置为网关使用。
[[email protected] ~]# cd /etc/sysconfig/network-scripts/ //进入网卡配置文件目录
[[email protected] network-scripts]# ls //查看目录
ifcfg-ens33 ifdown-ppp ifup-ib ifup-Team
ifcfg-lo ifdown-routes ifup-ippp ifup-TeamPort
ifdown ifdown-sit ifup-ipv6 ifup-tunnel
ifdown-bnep ifdown-Team ifup-isdn ifup-wireless
ifdown-eth ifdown-TeamPort ifup-plip init.ipv6-global
ifdown-ib ifdown-tunnel ifup-plusb network-functions
ifdown-ippp ifup ifup-post network-functions-ipv6
ifdown-ipv6 ifup-aliases ifup-ppp
ifdown-isdn ifup-bnep ifup-routes //没有添加的网卡配置文件
ifdown-post ifup-eth ifup-sit
[[email protected] network-scripts]# ifconfig //查看网卡信息
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::a85a:c203:e2e:3f3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:a0 txqueuelen 1000 (Ethernet)
RX packets 32470 bytes 45131799 (43.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11167 bytes 710926 (694.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 //添加的网卡
ether 00:0c:29:5b:d3:aa txqueuelen 1000 (Ethernet)
RX packets 317 bytes 51515 (50.3 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 204 bytes 35976 (35.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[[email protected] network-scripts]# vim ifcfg-ens33 //进入编辑网卡信息
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static //更改dhcp为static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens33
UUID=2ef6b862-5201-48c5-a450-23b3720ab3a0
DEVICE=ens33
ONBOOT=yes
IPADDR=192.168.100.1 //设值IP地址,作为局域网网关地址
NETMASK=255.255.255.0 //设置子网掩码
~
~
~
:wq //保存退出
[[email protected] network-scripts]# cp -p ifcfg-ens33 ifcfg-ens36 //复制ens33配置文件为ens36,为添加的网卡设置配置文件
[[email protected] network-scripts]# vim ifcfg-ens36 //进入编辑网卡配置文件
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=static
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=ens36 //更改33为36
DEVICE=ens36 //更改33为36
ONBOOT=yes
IPADDR=12.0.0.1 //更改IP地址外网网关
NETMASK=255.255.255.0
~ //注意,UUID条目要删除,不可有两个相同的UUID,删除让系统自动识别即可
~
:wq //保存退出
[[email protected] network-scripts]# service network restart //重启网络服务
Restarting network (via systemctl): [ 确定 ]
[[email protected] network-scripts]# ifconfig //查看网卡信息
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.1 netmask 255.255.255.0 broadcast 192.168.100.255 //获取IP地址
inet6 fe80::a85a:c203:e2e:3f3c prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:a0 txqueuelen 1000 (Ethernet)
RX packets 32595 bytes 45170473 (43.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 11353 bytes 743789 (726.3 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens36: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 12.0.0.1 netmask 255.255.255.0 broadcast 12.0.0.255 //获取IP地址
inet6 fe80::f6eb:23e3:3afb:fef4 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:5b:d3:aa txqueuelen 1000 (Ethernet)
RX packets 456 bytes 94448 (92.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 372 bytes 64348 (62.8 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
3、分别设置win 10与win 7IP地址,使其与CentOS 7两块网卡连接。
在CentOS 7中配置DNS服务
1、进入DNS服务主配置文件,配置主配置文件信息。
[[email protected] network-scripts]# cd ~
[[email protected] ~]# vim /etc/named.conf //进入比编辑主配置文件
// See the BIND Administrator‘s Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
...//省略部分内容...
options {
listen-on port 53 { any; }; //更改为监听所有网卡,因为我们添加了另一块网卡,这样所有网卡就都可以通过来解析域名
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { any; }; //更改为所有地址,这样所有网段就都可以使用DNS服务
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
...//省略部分内容...
:wq //保存退出
2、更改DNS服务区域配置文件
[email protected] ~]# vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
//删除此处下所有条目,并在此处开始编写内容
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
...//省略部分内容...
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
view "lan" { //设置对内局域网用户的区域结构
match-{ 192.168.100.0/24; }; //匹配条目来自局域网的客户端IP地址
zone "kgc.com" IN { //设置域名信息
type master; //区域类型为主区域
file "kgc.com.lan"; // 区域数据文件为“kgc.com.lan”
};
zone "." IN { //配置根域名解析(可以从主配置文件named.conf中复制即可)
type hint;
file "named.ca";
};
};
view "wan" { //设置面向广域网用户的区域结构
match-clients { 12.0.0.0/24; }; //匹配条目来自广域网的客户端IP地址
zone "kgc.com" IN {
type master;
file "kgc.com.wan"; // 区域数据文件为“kgc.com.wan”
};
};
~
~
~
:wq //保存退出
3、配置DNS服务区域数据文件(注意配置文件内容的书写格式)
[[email protected] ~]# cd /var/named //进入区域配置文件存放目录
[[email protected] named]# cp -p named.localhost kgc.com.lan //复制named.localhost为kgc.com.lan
[[email protected] named]# vim kgc.com.lan //进入编辑区域数据文件信息
$TTL 1D
@ IN SOA kgc.com. admin.kgc.com. ( //更改域名、管理邮箱
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS kgc.com. //更改域名服务器记录地址
A 192.168.100.1 //更改正向解析条目地址
www IN A 192.168.100.88 //添加www域名的解析地址
smtp IN A 192.168.100.99 //添加主机名解析地址
~
~
~
:wq //保存退出
[[email protected] named]# cp -p kgc.com.lan kgc.com.wan //复制kgc.com.lan为kgc.com.wan
[[email protected] named]# vim kgc.com.wan //进入编辑区域数据文件信息
$TTL 1D
@ IN SOA kgc.com. admin.kgc.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS kgc.com.
A 12.0.0.1 //更改解析地址为12.0.0.1即可
www IN A 12.0.0.1
smtp IN A 12.0.0.1
~
~
~
:wq //保存退出
启动并验证服务
1、启动DNS服务,并关闭防火墙与安全功能
[[email protected] named]# systemctl start named //启动DNS服务
[[email protected] named]# systemctl status named //查看服务启动情况
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since 日 2019-09-08 15:32:06 CST; 17s ago //服务成功启动
Process: 23372 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 23368 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 23374 (named)
CGroup: /system.slice/named.service
└─23374 /usr/sbin/named -u named -c /etc/named.conf
...//省略部分内容...
[[email protected] named]# systemctl stop firewalld.service //关闭防火墙
[[email protected] named]# setenforce 0 //关闭增强性安全功能
2、在win 7客户端中验证解析地址,看是否为我们设定的IP地址
C:\Users\Administrator>nslookup www.kgc.com //查看解析域名
服务器: UnKnown
Address: 12.0.0.1
名称: www.kgc.com
Address: 12.0.0.1 //成功解析地址
C:\Users\Administrator>nslookup smtp.kgc.com //主机名解析
服务器: UnKnown
Address: 12.0.0.1
名称: smtp.kgc.com
Address: 12.0.0.1 //成功解析地址
3、在win 10客户端中验证解析地址,看是否为我们设定的IP地址
C:\Users\Sun>nslookup www.kgc.com //查看解析域名
服务器: UnKnown
Address: 192.168.100.1
名称: www.kgc.com
Address: 192.168.100.88 //成功解析地址
C:\Users\Sun>nslookup smtp.kgc.com //主机名解析
服务器: UnKnown
Address: 192.168.100.1
名称: smtp.kgc.com
Address: 192.168.100.99 //成功解析地址
通过上面的实验成功搭建DNS的分离解析服务,希望对大家有所帮助!!!
原文地址:https://blog.51cto.com/14473285/2436556