DNS (Domain Name System) is a client/server based [domain name resolution](https://cloud.tencent.com/product/cns?from=10680) service. It listens on 53/udp and 53/tcp: UDP carries ordinary queries and TCP is used for zone transfers. At heart it is a distributed database for TCP/IP programs, and also an important network protocol. DNS stores the mapping between IP addresses and the hosts in a network, mail routing information and other network application data; the service it provides turns host names and domain names into IP addresses, like a translator.
DNS resolution comes in two forms:

- Recursive
- Iterative
Recursive query:

The client sends its request to the locally configured DNS server, and that server does the rest. If the answer is already in its local cache it is returned immediately. If not, the DNS server acts as an intermediary (a proxy) and queries the root name servers, the top-level domain name servers and the authoritative name servers in turn. For example, the DNS server asks a root name server for the IP address of the domain name; if the root server has the record it returns it directly, and the DNS server then passes the IP address back to the client. If the root server does not know, it refers the DNS server onwards, and the DNS server keeps asking the next server in the chain until it finds the IP address for the domain name and finally returns it to the client.
Iterative query:

The big difference from a recursive query is that the whole lookup is done by the client itself, with no intermediary: the client goes directly to a root server, then to the top-level domain server, and so on down the chain, asking each in turn until it has the result.
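To make the difference concrete, here is an added example (not from the original post) that models both modes in Python over a constructed delegation chain root -> com. -> example.com. Every name, address and zone entry in it is made up (the addresses are from the 192.0.2.0/24 documentation range) and nothing is sent over the network; it exists only to show who does the walking in each mode and why a recursive server's cache matters.

```python
"""Added example (not from the original post): a toy model of iterative and
recursive DNS resolution over a constructed delegation chain.  All names,
addresses and records are made up; no network traffic is sent."""

# Constructed authoritative data. Each server holds its own zone's records;
# a delegation is an NS record for a child zone plus a glue A record.
ROOT_ZONE = {
    "com.": [("NS", "a.gtld-servers.net.")],
    "a.gtld-servers.net.": [("A", "192.0.2.10")],       # glue (constructed)
}
COM_ZONE = {
    "example.com.": [("NS", "ns1.example.com.")],
    "ns1.example.com.": [("A", "192.0.2.20")],          # glue (constructed)
}
EXAMPLE_COM_ZONE = {
    "www.example.com.": [("A", "192.0.2.30")],
    "ns1.example.com.": [("A", "192.0.2.20")],
}
# server address -> (zone apex it is authoritative for, its records)
SERVERS = {
    "192.0.2.1": (".", ROOT_ZONE),
    "192.0.2.10": ("com.", COM_ZONE),
    "192.0.2.20": ("example.com.", EXAMPLE_COM_ZONE),
}
ROOT_SERVER = "192.0.2.1"
MAX_HOPS = 10


def ask(server_ip, qname, qtype):
    """One simulated query to one authoritative server.

    Returns ("answer", [rdata...]), ("referral", [(child_zone, ns_ip)...]) or
    ("nxdomain", []).  Like a real authoritative server it never asks anyone
    else: it answers from its own data or hands back a referral."""
    apex, zone = SERVERS[server_ip]
    rdata = [v for t, v in zone.get(qname, []) if t == qtype]
    if rdata:
        return "answer", rdata
    # Find the closest enclosing delegation (longest matching child zone).
    best = None
    for name, rrs in zone.items():
        if name != apex and (qname == name or qname.endswith("." + name)):
            ns_names = [v for t, v in rrs if t == "NS"]
            if ns_names and (best is None or len(name) > len(best[0])):
                best = (name, ns_names)
    if best is None:
        return "nxdomain", []          # no data and no delegation to follow
    child, ns_names = best
    glue = [(child, v) for n in ns_names for t, v in zone.get(n, []) if t == "A"]
    return "referral", glue


def resolve_iteratively(qname, qtype="A"):
    """Iterative mode: the asking party walks root -> TLD -> authoritative
    itself, following each referral.  Returns (rdata, trace); trace lists
    (server, response kind) for every server contacted."""
    trace, server = [], ROOT_SERVER
    for _ in range(MAX_HOPS):
        kind, data = ask(server, qname, qtype)
        trace.append((server, kind))
        if kind == "answer":
            return data, trace
        if kind == "nxdomain" or not data:
            return [], trace
        server = data[0][1]            # follow the referral to the first glued server
    return [], trace                   # referral loop: give up rather than spin


class RecursiveResolver:
    """Recursive mode: the local DNS server the client points at.  It answers
    from cache when it can; otherwise it performs the iteration on the
    client's behalf, caches the result and returns a single answer."""

    def __init__(self):
        self.cache = {}
        self.upstream_queries = 0      # how many servers this resolver had to ask

    def query(self, qname, qtype="A"):
        key = (qname, qtype)
        if key in self.cache:
            return self.cache[key], "cache"
        rdata, trace = resolve_iteratively(qname, qtype)
        self.upstream_queries += len(trace)
        self.cache[key] = rdata
        return rdata, "upstream"


if __name__ == "__main__":
    rdata, trace = resolve_iteratively("www.example.com.")
    print("iterative:", rdata, "via", [s for s, _ in trace])
    r = RecursiveResolver()
    print("recursive, first query:", r.query("www.example.com."))
    print("recursive, repeat query:", r.query("www.example.com."))
```

The trace for the iterative call visits three servers (root, TLD, authoritative); the recursive resolver performs that same walk once and serves the second request from its cache, which is exactly why a recursive server that accepts queries from anyone is both useful to its clients and attractive to abusers.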
Forward resolution: name ——> IP

Reverse resolution: IP ——> name
The domain name hierarchy:

- Root domain: `.`
- Top-level domain
  - Organization domains: .com .net .org .gov
  - Country domains: .iq .tw .hk .jp .cn
- Second-level domain: the name an individual or organization registers under a top-level domain, such as baidu.com or devilf.cc
- Subdomains
Common record types:

- A record: points a domain name at an IPv4 address
- AAAA record: resolves a host name to a specified IPv6 address
- CNAME record: alias resolution. Several different domain names are pointed at one canonical domain name record and managed through that single record; the name being resolved is a redirection to another domain name
- NS record: name server record, specifying which DNS servers resolve (are authoritative for) the domain. Usually several are set, one primary and the rest secondary, and the value must be written as a host name, never as an IP address
- MX record: mail exchange record
- TXT record: a free-text description of a host name or domain name, commonly used for SPF (anti-spam) records
- PTR record: reverse resolution, mainly IP ——> FQDN; typically needed for mail servers
Install BIND (on Ubuntu, the distribution used in this post):

```
sudo apt install bind9 bind9utils bind9-doc
```
Modify the main configuration file named.conf:

```
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.log";   # added: pull in the logging configuration defined below
```
Modify the named.conf.local file. To add a zone, see zones.rfc1918 for the syntax; here we define a forward zone:

```
$ cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "tianchiapi.com" {                                  # the domain name this zone serves
    type master;
    file "/etc/bind/zone-internal-tianchiapi/db.dns";   # create the zone-internal-tianchiapi directory; this is the zone record file
    forwarders {};
};

# If several domain names need resolving, add one zone block per domain:
zone "tianchitest1.com" {
    type master;
    file "/etc/bind/zone-internal-tianchiapi/test.dns";
    forwarders {};
};
```
Modify the named.conf.options file. This file holds the global configuration of the DNS server:

```
$ cat named.conf.options
options {
    directory "/var/cache/bind";   # data file location; relative file names elsewhere resolve under it
    forwarders {                   # recursive name servers that queries we cannot answer ourselves are forwarded to
        114.114.114.114;
        8.8.8.8;
    };
    allow-query { any; };          # accept queries from any address
    recursion yes;                 # enable recursion; with allow-query { any; } this is an open resolver if the host is reachable from the Internet
    allow-transfer { any; };       # any host may pull the whole zone (AXFR); restrict this to the secondaries' addresses
    dnssec-enable no;
    dnssec-validation no;          # validation off: forged answers from upstream are not detected
    auth-nxdomain no;              # conform to RFC1035
};
```
Modify the named.conf.log file (a new file holding the logging configuration included from named.conf; the log file names are relative to the `directory` option, so they land in /var/cache/bind):

```
$ cat named.conf.log
logging {
    channel query_log {
        file "query.log" versions 3 size 1g;  # versions: how many rotated copies may exist at once; size: rotate at 1 GB
        severity info;                        # log level
        print-time yes;                       # write the timestamp into each entry
        print-severity yes;                   # write the message severity into each entry
        print-category yes;                   # write the log category into each entry
    };
    category queries { query_log; };

    channel update_log {
        file "update.log" versions 3 size 1g;
        severity debug;
        print-time yes;
        print-category yes;
    };
    category update { update_log; };

    channel client_log {
        file "client.log" versions 3 size 1g;
        severity debug;
        print-time yes;
        print-category yes;
    };
    category client { client_log; };

    channel network_log {
        file "network.log" versions 3 size 1g;
        severity debug;
        print-time yes;
        print-category yes;
    };
    category network { network_log; };

    channel resolver_log {
        file "resolver.log" versions 3 size 1g;
        severity debug;
        print-time yes;
        print-category yes;
    };
    category resolver { resolver_log; };

    channel lame-servers_log {
        file "lame-servers.log" versions 3 size 1g;
        severity debug;
        print-time yes;
        print-category yes;
    };
    category lame-servers { lame-servers_log; };
};
```
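The query_log channel above writes one line per query, and with print-time, print-severity and print-category switched on each line carries the timestamp, the category and severity, the client address and port, and the question. The following is an added example (not part of the original post or of BIND) that parses such lines and runs the checks an operator of a server configured with `allow-query { any; }` and `recursion yes` would want: recursive queries arriving from outside the local network, ANY queries, and per-client bursts. The log lines, addresses and the 10.1.1.0/24 "internal" range are constructed for the example.

```python
"""Added example (not from the original post): parse BIND query.log lines
written by the query_log channel and flag traffic worth a look on a server
that allows queries and recursion from anywhere.  Sample lines, addresses
and the internal range are constructed; the line layout follows BIND's
query log format (date, category, severity, client, question)."""
import ipaddress
import re
from collections import Counter

# Assumption: the network this server is meant to recurse for.
INTERNAL_NETS = [ipaddress.ip_network("10.1.1.0/24")]

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?:@0x[0-9a-f]+ )?"   # newer BIND adds a pointer here
    r"(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)(?: \([^)]*\))?: query: "
    r"(?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) (?P<flags>[+-]\S*)"
)

# Constructed sample log (not captured from the post's server).
SAMPLE_LOG = """\
25-Nov-2018 14:57:28.611 queries: info: client 10.1.1.61#41120 (test1-gateway.tianchiapi.com): query: test1-gateway.tianchiapi.com IN A +E (10.1.1.13)
25-Nov-2018 14:57:29.002 queries: info: client 10.1.1.61#41121 (www.devilf.cc): query: www.devilf.cc IN A +E (10.1.1.13)
25-Nov-2018 14:57:30.118 queries: info: client 203.0.113.7#5353 (example.com): query: example.com IN ANY +E (10.1.1.13)
25-Nov-2018 14:57:30.119 queries: info: client 203.0.113.7#5353 (example.com): query: example.com IN ANY +E (10.1.1.13)
25-Nov-2018 14:57:30.120 queries: info: client 203.0.113.7#5353 (example.com): query: example.com IN ANY +E (10.1.1.13)
25-Nov-2018 14:57:31.400 queries: info: client 198.51.100.9#40000 (tianchiapi.com): query: tianchiapi.com IN NS -E (10.1.1.13)
garbage line that should be counted as unparsed
"""


def parse_query_line(line):
    """Return a dict for one query-log entry, or None if the line is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = m.groupdict()
    q["recursion_desired"] = q["flags"].startswith("+")   # '+' = RD bit set, '-' = not set
    return q


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text, burst_threshold=3):
    """Summarise a chunk of query log.

    Flags clients outside INTERNAL_NETS that asked for recursion (the server
    is being used as an open resolver), ANY queries (the classic
    amplification shape) and clients at or above burst_threshold queries.
    Unparsable lines are counted so a log-format change cannot silently blind
    the check."""
    per_client, external_recursive, any_queries, unparsed = Counter(), set(), [], 0
    for line in log_text.splitlines():
        q = parse_query_line(line)
        if q is None:
            unparsed += bool(line.strip())
            continue
        per_client[q["ip"]] += 1
        if q["recursion_desired"] and not is_internal(q["ip"]):
            external_recursive.add(q["ip"])
        if q["type"].upper() == "ANY":
            any_queries.append((q["ip"], q["name"]))
    return {
        "per_client": dict(per_client),
        "external_recursive": external_recursive,
        "any_queries": any_queries,
        "bursts": {ip: n for ip, n in per_client.items() if n >= burst_threshold},
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a real file with `analyse(open("/var/cache/bind/query.log").read())`; an external address showing up in `external_recursive` is the practical signal that the `allow-query { any; }` plus `recursion yes` combination in named.conf.options is exposed beyond the network it was meant for.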
Create the directory and the zone file (inside /etc/bind, matching the file path given in named.conf.local):

```
sudo mkdir zone-internal-tianchiapi
vim zone-internal-tianchiapi/db.dns
```

```
$TTL 600
@   IN  SOA ns1 root (
            3       ; Serial
            3600    ; Refresh
            86400   ; Retry
            86400   ; Expire
            86400 ) ; Negative Cache TTL
;
@               IN  NS  ns1
@               IN  NS  ns2         ; listed as a name server, but no A record for ns2 is defined in this zone
ns1             IN  A   10.1.1.11
test1-live      IN  A   10.1.1.61
test1-storage   IN  A   10.1.1.61
test1-admin     IN  A   10.1.1.61
test1-gateway   IN  A   10.1.1.61
test1-turbine   IN  A   10.1.1.61
test1-zipkin    IN  A   10.1.1.61
test1-eureka    IN  A   10.1.1.61
test1-video     IN  A   10.1.1.61
test1-file      IN  A   10.1.1.61
test1-image     IN  A   10.1.1.61
test1-kibana    IN  A   10.1.1.61
```
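Hand-written zone files like the one above fail in predictable ways: a name server listed in an NS record with no address record of its own, an NS (or CNAME/MX/PTR) written with an IP literal instead of a host name, a CNAME sharing an owner with other records, or the same line pasted twice. The following checker is an added example, not part of the original post or of BIND; it parses the simple `owner [ttl] IN TYPE rdata` layout used above for the record types listed earlier, and `SAMPLE_ZONE` is a constructed zone modelled on db.dns that deliberately contains each of those mistakes.

```python
"""Added example (not from the original post): a sanity checker for a
BIND-style zone file written in the "owner [ttl] IN TYPE rdata" layout with
explicit owner names.  SAMPLE_ZONE is constructed, modelled on the post's
db.dns, and deliberately contains the mistakes the checker reports."""
import ipaddress
from collections import Counter, defaultdict

SAMPLE_ZONE = """\
$TTL 600
@       IN  SOA ns1 root (
            3       ; Serial
            3600    ; Refresh
            86400   ; Retry
            86400   ; Expire
            86400 ) ; Negative Cache TTL
;
@               IN  NS  ns1
@               IN  NS  ns2             ; ns2 has no address record below
ns1             IN  A   10.1.1.11
test1-gateway   IN  A   10.1.1.61
test1-live      IN  A   10.1.1.61
test1-live      IN  A   10.1.1.61       ; exact duplicate
www             IN  CNAME test1-gateway
www             IN  A   10.1.1.62       ; a CNAME may not share an owner
"""


def _strip_comment(line):
    """Drop a ';' comment, but keep a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _is_ip(text):
    try:
        ipaddress.ip_address(text.rstrip("."))
        return True
    except ValueError:
        return False


def parse_zone(text, origin):
    """Return (default_ttl, [(owner_fqdn, TYPE, rdata), ...]).
    Parenthesised multi-line records (the SOA) are joined before parsing."""
    origin = origin.rstrip(".") + "."
    ttl, records, buf, depth = None, [], "", 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf += " " + line
        if depth > 0:                      # still inside ( ... )
            continue
        entry, buf = buf.strip(), ""
        if not entry:
            continue
        if entry.startswith("$TTL"):
            ttl = int(entry.split()[1])
            continue
        toks = entry.replace("(", " ").replace(")", " ").split()
        if "IN" not in toks or toks.index("IN") == 0:
            raise ValueError(f"unsupported zone line: {entry}")
        i = toks.index("IN")
        records.append((_fqdn(toks[0], origin), toks[i + 1].upper(), " ".join(toks[i + 2:])))
    return ttl, records


def check_zone(text, origin):
    """Return a list of problems; an empty list means the zone passed."""
    origin = origin.rstrip(".") + "."
    ttl, records = parse_zone(text, origin)
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    problems = []
    if ttl is None:
        problems.append("missing $TTL directive")
    if sum(1 for o, t, _ in records if o == origin and t == "SOA") != 1:
        problems.append("zone apex must have exactly one SOA record")
    if not any(o == origin and t == "NS" for o, t, _ in records):
        problems.append("zone apex has no NS record")
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "CNAME", "MX", "PTR"):
            continue
        target = rdata.split()[-1]         # MX rdata is "priority host"
        if _is_ip(target):
            problems.append(f"{rtype} at {owner} points at an IP literal ({target}); it must be a host name")
        elif rtype == "NS":
            tgt = _fqdn(target, origin)
            in_zone = tgt == origin or tgt.endswith("." + origin)
            if in_zone and not any(t in ("A", "AAAA") for t, _ in by_owner.get(tgt, [])):
                problems.append(f"NS target {tgt} is in-zone but has no A/AAAA record")
    for owner, rrs in by_owner.items():
        types = {t for t, _ in rrs}
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{owner} has a CNAME alongside other records; a CNAME must stand alone")
    for (owner, rtype, rdata), n in Counter(records).items():
        if n > 1:
            problems.append(f"duplicate record: {owner} {rtype} {rdata}")
    return problems


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE, "tianchiapi.com"):
        print("-", p)
```

This is a pre-flight check, not a replacement for BIND's own validator: `named-checkzone tianchiapi.com /etc/bind/zone-internal-tianchiapi/db.dns` (from the bind9utils package installed above) is still the authoritative test to run before restarting the service.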
## Restart service

```
sudo systemctl restart bind9
```
## Verify

On another server, check that the configured DNS server is the address of the one we just built, for example:

```
cat /etc/resolv.conf
nameserver 10.1.1.13
search tianchiapi.com
```
```
$ dig test1-gateway.tianchiapi.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> test1-gateway.tianchiapi.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test1-gateway.tianchiapi.com.	IN	A

;; ANSWER SECTION:
test1-gateway.tianchiapi.com.	600	IN	A	10.1.1.61

;; AUTHORITY SECTION:
tianchiapi.com.		600	IN	NS	10.1.1.11.

;; Query time: 1 msec
;; SERVER: 10.1.1.13#53(10.1.1.13)
;; WHEN: Sun Nov 25 14:57:28 CST 2018
;; MSG SIZE  rcvd: 96
```
With dig we can see the A, NS and other records; dig +trace shows the query path as well:
```
$ dig +trace www.devilf.cc

; <<>> DiG 9.10.3-P4-Ubuntu <<>> +trace www.devilf.cc
;; global options: +cmd
.			18143	IN	NS	e.root-servers.net.
.			18143	IN	NS	g.root-servers.net.
.			18143	IN	NS	k.root-servers.net.
.			18143	IN	NS	m.root-servers.net.
.			18143	IN	NS	d.root-servers.net.
.			18143	IN	NS	i.root-servers.net.
.			18143	IN	NS	c.root-servers.net.
.			18143	IN	NS	h.root-servers.net.
.			18143	IN	NS	l.root-servers.net.
.			18143	IN	NS	f.root-servers.net.
.			18143	IN	NS	b.root-servers.net.
.			18143	IN	NS	a.root-servers.net.
.			18143	IN	NS	j.root-servers.net.
;; Received 850 bytes from 10.1.1.13#53(10.1.1.13) in 1 ms

cc.			172800	IN	NS	ac1.nstld.com.
cc.			172800	IN	NS	ac2.nstld.com.
cc.			172800	IN	NS	ac3.nstld.com.
cc.			172800	IN	NS	ac4.nstld.com.
cc.			86400	IN	DS	519 8 1 7285EF05E1B4E679D4F072EEA9B00953E01F3AE2
cc.			86400	IN	DS	519 8 2 E1EC6495ABD34562E6F433DEE201E6C6A52CB10AF69C04D675DA692D 2D566897
cc.			86400	IN	RRSIG	DS 8 1 86400 20181208050000 20181125040000 2134 . K30W90xWPofSP+kgBIBCMDncJ7ewr9k504cL+nrFrq/A0VjLAGTxGHRe M+K0hG1xBV+0ZhLpaAVy++rZECpn9XEOpoqf7EXJtbT2R27X36IrzvvB z4Hsp/AEMYaMmU665PkEftdk3RgA5u156UH8LeG0gGuhTn9AmaYEuYiY gg54FSa1nw/7e2fho0KWxGzZIE8gEPnXVuk30s+0tbJ2qi/Gu4x75pmV 49Rro/xNRNZUtrXfvWNOneKwiK1S0TndbGlGydibBjRKETyg1Iob6uu6 tlTDu20NhsWHEFyAW0e4xC+7A+NdxZLn6PbCmB1MCM6Wxj2oug8Tq8QL WxjC3A==
;; Received 670 bytes from 198.97.190.53#53(h.root-servers.net) in 271 ms

devilf.cc.		172800	IN	NS	dns29.hichina.com.
devilf.cc.		172800	IN	NS	dns30.hichina.com.
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN NSEC3 1 1 0 - RR9VRBALT8EOD9SAK335LVITNSQII5FL NS SOA RRSIG DNSKEY NSEC3PARAM
RQGAP5UF6Q1NGVCKFNO8RANVDN5ILRIN.cc. 86400 IN RRSIG NSEC3 8 2 86400 20181201140301 20181124140301 349 cc. slpKbVNxyTgp7EM1F0hkdSW53W3pul2lgxj55a4mixDncbST6kWyDrIo NWPzFl1zrFbq7HKXFfWZcCiZyJ9ZGw74oAeUSWUAfph44UUYY5CSXdlU 2ItzDNvv5mJV9Klu9IF5UqO8ebTQzeY9V835OoCTnx7rt5fs2iAc7xFE pcE=
BL6MKB1NQG0IVOHTRSFV88164C1K8BPB.cc. 86400 IN NSEC3 1 1 0 - BLDPDNVR5GT167DKC1R82138PE3U59QI NS DS RRSIG
BL6MKB1NQG0IVOHTRSFV88164C1K8BPB.cc. 86400 IN RRSIG NSEC3 8 2 86400 20181201083817 20181124083817 349 cc. N8wcEys1fVypSVlZnQGh7fpcvYLKwC0x7RFiHm9XXZ/aFkJkWhl6hiT3 GnLeKIGNf3C7odEUz2fLsY6+0nJwkoW16zSbKtvcyLv5xK7VJteSKRyo AzD1LP8BgA3bs1hjGuUeDo9aNAG6dJjpoTO1jPpiFEKbVSB/JgrN6OcL Zss=
;; Received 576 bytes from 192.42.176.30#53(ac4.nstld.com) in 284 ms

www.devilf.cc.		600	IN	CNAME	www.devilf.cc.w.kunlunar.com.
;; Received 84 bytes from 140.205.81.19#53(dns29.hichina.com) in 29 ms
```
As the trace shows, the resolver first obtains the list of 13 root servers; a root server then refers 10.1.1.13 to the top-level domain name servers (here .cc, since the name queried is www.devilf.cc), those refer it on to the authoritative name servers for devilf.cc, and the authoritative server finally returns the record for the name (a CNAME in this case).
How to view bind's service logs:

```
$ cd /var/cache/bind
$ ll -h
-rw-r--r-- 1 bind bind  528 Nov 25 10:23 client.log
-rw-r--r-- 1 bind bind 1.7K Nov 25 15:01 lame-servers.log
-rw-r--r-- 1 bind bind  221 Jul 17 15:31 managed-keys.bind
-rw-r--r-- 1 bind bind  609 Nov 25 14:04 network.log
-rw-r--r-- 1 bind bind 830M Nov 25 15:10 query.log
-rw-r--r-- 1 bind bind 1.1G Nov 25 15:02 query.log.0
-rw-r--r-- 1 bind bind 1.1G Nov 25 14:53 query.log.1
-rw-r--r-- 1 bind bind 1.1G Nov 25 14:45 query.log.2
-rw-r--r-- 1 bind bind 3.6M Nov 25 15:10 resolver.log
-rw-r--r-- 1 bind bind    0 Nov 25 10:04 update.log
```
The service's own journal (the original command used systemctl, which has no such options; journalctl is the tool that takes them):

```
sudo journalctl -u bind9 -b -p debug -f   # this boot, debug priority and above, follow
```
Note:

The category names (category_name) available in BIND 9 are:

- client: processing of client requests
- config: configuration file parsing and processing
- database: messages related to BIND's internal database, which stores zone data and cached records
- default: matches all categories for which no channel is explicitly specified
- dnssec: processing of DNSSEC-signed responses
- general: all BIND messages that are not otherwise classified
- lame-servers: a broken delegation was found, that is, a server that is not actually authoritative for a zone it is listed for
- network: network operations
- notify: zone change notification (NOTIFY) messages
- queries: the query log
- resolver: name resolution, including the recursive lookups performed by the resolver
- security: approved and rejected requests
- update: dynamic update events
- xfer-in: zone transfers from a remote name server to this one
- xfer-out: zone transfers from this name server to a remote one