
image-20210102095234721
目的:
DNS服務(wù)器解析wangcloud.top 到webserver1 10.0.0.7
DNS服務(wù)器通過同一名字下的多條A記錄(DNS輪詢,常被當(dāng)作最簡(jiǎn)單的“CDN/負(fù)載分?jǐn)偂?把www.wangcloud.top解析到webserver1和webserver2上
DNS服務(wù)器解析 錯(cuò)誤主機(jī)名.wangcloud.top到webserver1 10.0.0.7上
步驟:
1.6.1 client10.0.0.9配置網(wǎng)卡,設(shè)置DNS為10.0.0.8 生效
client 10.0.0.9是ubuntu 所以按照ubuntu配置網(wǎng)卡
01:52:51 wang@9 ~]$ cat /etc/netplan/00-installer-config.yaml
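# This is the network config written by 'subiquity'
# Client 10.0.0.9: static address, default route via 10.0.0.2, and every
# name lookup sent to the lab DNS server 10.0.0.8. The search domain means a
# bare name such as "websrv" is also tried as websrv.wangcloud.top.
# NOTE(review): the resolvectl output below shows DNSOverTLS and DNSSEC are
# both off, so the client trusts whatever 10.0.0.8 answers over plain UDP/53.
network:
  ethernets:
    eth0:
      addresses:
        - 10.0.0.9/24
      gateway4: 10.0.0.2
      nameservers:
        search: [wangcloud.top]
        addresses:
          - 10.0.0.8
  version: 2
  renderer: networkd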
01:54:09 wang@9 ~]$ sudo netplan apply
01:55:23 wang@9 ~]$ resolvectl status
Global
LLMNR setting: no
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Link 2 (eth0)
Current Scopes: DNS
DefaultRoute setting: yes
LLMNR setting: yes
MulticastDNS setting: no
DNSOverTLS setting: no
DNSSEC setting: no
DNSSEC supported: no
Current DNS Server: 10.0.0.8
DNS Servers: 10.0.0.8
DNS Domain: wangcloud.top
1.6.2 DNS server 10.0.0.8
- 設(shè)置網(wǎng)卡,把DNS指向自己(127.0.0.1,即本機(jī)即將運(yùn)行的named),然后用nmcli重新加載并激活連接使其生效,不需要重啟系統(tǒng)
root@8 network-scripts]# cat ifcfg-eth0
# eth0 on the DNS server (10.0.0.8): static addressing via NetworkManager
# ifcfg keys (the file is reloaded with `nmcli connection reload` below).
DEVICE=eth0
NAME=eth0
BOOTPROTO=static
IPADDR=10.0.0.8
PREFIX=24
GATEWAY=10.0.0.2
# The server's own lookups go to the named instance running locally; the
# ss output further down confirms named listens on 127.0.0.1:53.
DNS1=127.0.0.1
ONBOOT=yes
root@8 network-scripts]# nmcli connection reload
root@8 network-scripts]# nmcli connection up eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
- 安裝bind和bind-utils軟件包,并把named配置為在本機(jī)所有IP地址上監(jiān)聽53端口(是“所有地址”,不是“所有端口”)
root@8 ~]# yum -y install bind bind-utils
root@8 ~]# systemctl enable --now named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
root@8 ~]# grep -Ev '^#|^$|^/' /etc/named.conf
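options {
        // As an ACL, "localhost" means every address configured on this host,
        // so named binds 127.0.0.1 and 10.0.0.8 (see the ss output below).
        // Entries are matched against the interface addresses, which is why
        // 0.0.0.0 matches nothing; use "any" for all interfaces. Leaving the
        // statement out gives the same default of localhost.
        listen-on port 53 { localhost; };
        listen-on-v6 port 53 { ::1; };
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file      "/var/named/data/named.secroots";
        recursing-file     "/var/named/data/named.recursing";
        // Authoritative data for wangcloud.top may be answered to anyone; this
        // is also BIND's default when allow-query is omitted.
        allow-query { any; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;
        // Without these two lines BIND derives the recursion ACL from
        // allow-query, i.e. "any": every host that can reach 10.0.0.8:53 could
        // use this server as an open resolver (the warning above). Restrict
        // recursion and cache reads to the lab network; authoritative answers
        // for wangcloud.top are still served to everyone via allow-query.
        allow-recursion   { localhost; 10.0.0.0/24; };
        allow-query-cache { localhost; 10.0.0.0/24; };
        dnssec-enable yes;
        dnssec-validation yes;
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};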
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
#上面include的/etc/named.rfc1912.zones是存放zone定義的文件,下面的wangcloud.top區(qū)域就加在這里
include "/etc/named.root.key";
#檢查named.conf語(yǔ)法是否正確(沒有輸出即通過);這一步只做檢查,不會(huì)讓配置生效
root@8 ~]# named-checkconf
#讓named重新加載配置和區(qū)域文件使其生效(rndc reload是熱加載,不需要重啟named進(jìn)程)
root@8 ~]# rndc reload
server reload successful
#查看端口
root@8 ~]# ss -lntu|grep ":53 "
udp UNCONN 0 0 10.0.0.8:53 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:53 0.0.0.0:*
udp UNCONN 0 0 [::1]:53 [::]:*
tcp LISTEN 0 10 10.0.0.8:53 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:53 0.0.0.0:*
tcp LISTEN 0 10 [::1]:53 [::]:*
- 此時(shí)DNS server已經(jīng)能為本機(jī)以及任何能訪問到10.0.0.8:53的主機(jī)做遞歸解析。注意:只寫allow-query { any; }而不單獨(dú)設(shè)置allow-recursion時(shí),BIND的遞歸ACL會(huì)沿用allow-query,也就是any,這正是一臺(tái)“開放遞歸解析器”,named.conf里的注釋已經(jīng)提醒它會(huì)被用于DNS放大攻擊。實(shí)驗(yàn)環(huán)境在10.0.0.0/24內(nèi)網(wǎng)里問題不大,但正式環(huán)境應(yīng)加上allow-recursion { localhost; 10.0.0.0/24; };把遞歸限制在自己的網(wǎng)段。測(cè)試
root@8 ~]# ping www.baidu.com -c1
PING www.a.shifen.com (110.242.68.4) 56(84) bytes of data.
64 bytes from 110.242.68.4 (110.242.68.4): icmp_seq=1 ttl=128 time=12.0 ms
--- www.a.shifen.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 12.032/12.032/12.032/0.000 ms
- 準(zhǔn)備數(shù)據(jù)庫(kù)文件設(shè)置主wangcloud.top域的DNS服務(wù)
vim /etc/named.rfc1912.zones
#加上這段
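// Primary (master) zone for wangcloud.top; the data file lives under the
// options "directory", i.e. /var/named/wangcloud.localhost.
zone "wangcloud.top" IN {
        type master;
        file "wangcloud.localhost";
        // No secondaries exist, so refuse AXFR/IXFR. Older BIND releases allow
        // zone transfers from any host by default, which would let anyone dump
        // the whole zone (internal 10.0.0.x addresses, wildcard) with dig axfr.
        allow-transfer { none; };
};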
root@8 ~]# cd /var/named/
#從模板復(fù)制,-p保留屬主/屬組和權(quán)限(root:named 640):named以named用戶運(yùn)行,靠屬組named才能讀到區(qū)域文件,又不讓其他用戶讀取
root@8 named]# cp -p named.localhost wangcloud.localhost
root@8 named]# ll wangcloud.localhost
-rw-r----- 1 root named 152 Aug 25 01:31 wangcloud.localhost
#準(zhǔn)備數(shù)據(jù)庫(kù)文件
cd /var/named
root@8 named]# cat wangcloud.localhost
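$TTL 1D
; Authoritative zone data for wangcloud.top, served by ns1 (10.0.0.8).
; SOA RNAME is a mailbox written with "." instead of "@":
; admin.wangcloud.top. means admin@wangcloud.top. The original value
; "wangcloud." named no usable mailbox.
@       IN  SOA   ns1 admin.wangcloud.top. (
                  20200102  ; serial - bump it on every edit or secondaries never refresh
                  1D        ; refresh
                  1H        ; retry
                  1W        ; expire
                  3H )      ; minimum (negative-cache TTL)
; Name server for the zone and its in-zone A record (glue).
@       IN  NS    ns1
ns1     IN  A     10.0.0.8
; www -> websrv, which has two A records. named rotates/randomises the
; order per query (rrset-order), so clients are spread across both hosts;
; DNS does not notice when one of them is down.
www     IN  CNAME websrv
websrv  IN  A     10.0.0.10
websrv  IN  A     10.0.0.7
; Apex and wildcard: any name not explicitly defined above (abc., mail., a
; typo) resolves to webserver1. The wildcard removes NXDOMAIN for this zone,
; so mistyped names silently reach a web server; keep it only if intended.
@       IN  A     10.0.0.7
*       IN  A     10.0.0.7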
root@8 named]# named-checkzone wangcloud.top wangcloud.localhost
zone wangcloud.top/IN: loaded serial 20200102
OK
root@8 named]# named-checkconf
root@8 named]# rndc reload
server reload successful
1.6.3 webserver1 10.0.0.7 webserver2 10.0.0.10 設(shè)置網(wǎng)頁
#webserver1 10.0.0.7
root@7 ~]# yum -y install httpd
root@7 ~]# systemctl enable --now httpd
root@7 ~]# echo "wangcloud.top 10.0.0.7" > /var/www/html/index.html
#webserver2 10.0.0.10
root@10 ~]# yum -y install httpd
root@10 ~]# systemctl enable --now httpd
root@10 ~]# echo "wangcloud.top 10.0.0.10" > /var/www/html/index.html
1.6.4 client 10.0.0.9 測(cè)試域名
1. 訪問測(cè)試
#數(shù)據(jù)庫(kù)文件定義的規(guī)則
root@8 named]# cat wangcloud.localhost
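$TTL 1D
; Authoritative zone data for wangcloud.top, served by ns1 (10.0.0.8).
; SOA RNAME is a mailbox written with "." instead of "@":
; admin.wangcloud.top. means admin@wangcloud.top. The original value
; "wangcloud." named no usable mailbox.
@       IN  SOA   ns1 admin.wangcloud.top. (
                  20200102  ; serial - bump it on every edit or secondaries never refresh
                  1D        ; refresh
                  1H        ; retry
                  1W        ; expire
                  3H )      ; minimum (negative-cache TTL)
; Name server for the zone and its in-zone A record (glue).
@       IN  NS    ns1
ns1     IN  A     10.0.0.8
; www -> websrv, which has two A records. named rotates/randomises the
; order per query (rrset-order), so clients are spread across both hosts;
; DNS does not notice when one of them is down.
www     IN  CNAME websrv
websrv  IN  A     10.0.0.10
websrv  IN  A     10.0.0.7
; Apex and wildcard: any name not explicitly defined above (abc., mail., a
; typo) resolves to webserver1. The wildcard removes NXDOMAIN for this zone,
; so mistyped names silently reach a web server; keep it only if intended.
@       IN  A     10.0.0.7
*       IN  A     10.0.0.7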
#可以看到
# @也就是wangcloud.top本身 解析到10.0.0.7 web server1上
# www也就是www.wangcloud.top 是websrv的CNAME,而websrv有兩條A記錄(7和10),DNS每次應(yīng)答會(huì)輪換兩條記錄的順序,這就是所謂“DNS輪詢”——DNS只負(fù)責(zé)給地址,并不知道后端是否存活
# *是通配符:主機(jī)名輸錯(cuò)但域名還是wangcloud.top時(shí) 也解析到7上。注意通配符會(huì)讓這個(gè)域下任何未定義的名字都有解析結(jié)果(永遠(yuǎn)不返回NXDOMAIN),拼錯(cuò)的名字會(huì)悄悄落到web服務(wù)器上,只在確實(shí)需要時(shí)才保留
03:17:33 wang@9 ~]$ curl wangcloud.top
wangcloud.top 10.0.0.7
#
03:23:13 wang@9 ~]$ curl www.wangcloud.top
wangcloud.top 10.0.0.10
# 請(qǐng)求落到了10上;把10的httpd停掉后,請(qǐng)求落到了7上。這證明的是客戶端側(cè)的故障轉(zhuǎn)移:curl拿到websrv的兩條A記錄,連10被拒絕后自動(dòng)換下一個(gè)地址重試;DNS本身并不探測(cè)后端,10宕機(jī)期間它仍會(huì)把10.0.0.10發(fā)給客戶端。真正的分流來自DNS返回多條A記錄并輪換順序(后面dig和nslookup結(jié)果里兩條A記錄的先后順序不同)
root@10 ~]# systemctl stop httpd
03:23:45 wang@9 ~]$ curl www.wangcloud.top
wangcloud.top 10.0.0.7
root@10 ~]# systemctl start httpd
#
# 主機(jī)名瞎瞎訪問 轉(zhuǎn)發(fā)到7上
03:23:46 wang@9 ~]$ curl abc.wangcloud.top
wangcloud.top 10.0.0.7
03:25:47 wang@9 ~]$ curl mail.wangcloud.top
wangcloud.top 10.0.0.7
2. dig、host、nslookup工具測(cè)試域名
安裝工具包
ubuntu@2004 ~]$ dpkg -L bind9-dnsutils
/.
/usr
/usr/bin
/usr/bin/delv
/usr/bin/dig
/usr/bin/mdig
/usr/bin/nslookup
/usr/bin/nsupdate
/usr/share
/usr/share/doc
/usr/share/doc/bind9-dnsutils
/usr/share/doc/bind9-dnsutils/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/delv.1.gz
/usr/share/man/man1/dig.1.gz
/usr/share/man/man1/mdig.1.gz
/usr/share/man/man1/nslookup.1.gz
/usr/share/man/man1/nsupdate.1.gz
/usr/share/doc/bind9-dnsutils/NEWS.Debian.gz
/usr/share/doc/bind9-dnsutils/changelog.Debian.gz
ubuntu@2004 ~]$ dpkg -S /usr/bin/host
bind9-host: /usr/bin/host
ubuntu@2004 ~]$ dpkg -L bind9-host
/.
/usr
/usr/bin
/usr/bin/host
/usr/share
/usr/share/doc
/usr/share/doc/bind9-host
/usr/share/doc/bind9-host/copyright
/usr/share/man
/usr/share/man/man1
/usr/share/man/man1/host.1.gz
/usr/share/doc/bind9-host/NEWS.Debian.gz
/usr/share/doc/bind9-host/changelog.Debian.gz
dig測(cè)試域名
#測(cè)試 wangcloud.top
03:41:35 wang@9 ~]$ dig wangcloud.top
; <<>> DiG 9.16.6-Ubuntu <<>> wangcloud.top
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36332
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
#flags里的aa(Authoritative Answer)表示應(yīng)答來自該域的權(quán)威服務(wù)器:client配置的10.0.0.8自己就保存著wangcloud.top的區(qū)域文件。對(duì)比后面www.baidu.com的結(jié)果,flags只有qr rd ra而沒有aa,因?yàn)槟鞘?0.0.0.8遞歸查詢后從上游/緩存得到的非權(quán)威應(yīng)答
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4bd58c0a04b80e26bb6b8d365fefebb088bced9c717bba74 (good)
;; QUESTION SECTION:
;wangcloud.top. IN A
;; ANSWER SECTION:
wangcloud.top. 86400 IN A 10.0.0.7
;; AUTHORITY SECTION:
wangcloud.top. 86400 IN NS ns1.wangcloud.top.
;; ADDITIONAL SECTION:
ns1.wangcloud.top. 86400 IN A 10.0.0.8
;; Query time: 0 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Jan 02 03:42:40 UTC 2021
;; MSG SIZE rcvd: 120
#測(cè)試www.wangcloud.top
03:41:28 wang@9 ~]$ dig www.wangcloud.top
; <<>> DiG 9.16.6-Ubuntu <<>> www.wangcloud.top
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29226
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 171ad9e13b631653bf8d959e5fefeb6fbeeca5bd2a84a82b (good)
;; QUESTION SECTION:
;www.wangcloud.top. IN A
;; ANSWER SECTION:
www.wangcloud.top. 86400 IN CNAME websrv.wangcloud.top.
websrv.wangcloud.top. 86400 IN A 10.0.0.10
websrv.wangcloud.top. 86400 IN A 10.0.0.7
;; AUTHORITY SECTION:
wangcloud.top. 86400 IN NS ns1.wangcloud.top.
;; ADDITIONAL SECTION:
ns1.wangcloud.top. 86400 IN A 10.0.0.8
;; Query time: 0 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Jan 02 03:41:35 UTC 2021
;; MSG SIZE rcvd: 161
#和百度對(duì)比
#測(cè)試百度
03:42:40 wang@9 ~]$ dig www.baidu.com
; <<>> DiG 9.16.6-Ubuntu <<>> www.baidu.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40431
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 829e2cea53145dd0d118be355fefec19daa6a99029009ba8 (good)
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 740 IN CNAME www.a.shifen.com.
www.a.shifen.com. 300 IN A 110.242.68.4
www.a.shifen.com. 300 IN A 110.242.68.3
;; AUTHORITY SECTION:
a.shifen.com. 740 IN NS ns1.a.shifen.com.
a.shifen.com. 740 IN NS ns5.a.shifen.com.
a.shifen.com. 740 IN NS ns3.a.shifen.com.
a.shifen.com. 740 IN NS ns2.a.shifen.com.
a.shifen.com. 740 IN NS ns4.a.shifen.com.
;; ADDITIONAL SECTION:
ns2.a.shifen.com. 740 IN A 220.181.33.32
ns3.a.shifen.com. 740 IN A 112.80.255.253
ns1.a.shifen.com. 740 IN A 110.242.68.42
ns4.a.shifen.com. 740 IN A 14.215.177.229
ns5.a.shifen.com. 740 IN A 180.76.76.95
;; Query time: 28 msec
;; SERVER: 10.0.0.8#53(10.0.0.8)
;; WHEN: Sat Jan 02 03:44:25 UTC 2021
;; MSG SIZE rcvd: 299
host測(cè)試域名
#測(cè)試wangcloud.top
03:33:38 wang@9 ~]$ host wangcloud.top
wangcloud.top has address 10.0.0.7
03:36:11 wang@9 ~]$ host www.wangcloud.top
www.wangcloud.top is an alias for websrv.wangcloud.top.
websrv.wangcloud.top has address 10.0.0.10
websrv.wangcloud.top has address 10.0.0.7
#和百度對(duì)比
#測(cè)試百度
03:36:48 wang@9 ~]$ host www.baidu.com
www.baidu.com is an alias for www.a.shifen.com.
www.a.shifen.com has address 110.242.68.4
www.a.shifen.com has address 110.242.68.3
nslookup測(cè)試域名
03:44:25 wang@9 ~]$ nslookup wangcloud.top
Server: 10.0.0.8
Address: 10.0.0.8#53
Name: wangcloud.top
Address: 10.0.0.7
03:45:44 wang@9 ~]$ nslookup www.wangcloud.top
Server: 10.0.0.8
Address: 10.0.0.8#53
www.wangcloud.top canonical name = websrv.wangcloud.top.
Name: websrv.wangcloud.top
Address: 10.0.0.7
Name: websrv.wangcloud.top
Address: 10.0.0.10
#對(duì)比百度
03:46:01 wang@9 ~]$ nslookup baidu.com
Server: 10.0.0.8
Address: 10.0.0.8#53
Non-authoritative answer:
Name: baidu.com
Address: 39.156.69.79
Name: baidu.com
Address: 220.181.38.148
03:46:26 wang@9 ~]$ nslookup www.baidu.com
Server: 10.0.0.8
Address: 10.0.0.8#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 110.242.68.4
Name: www.a.shifen.com
Address: 110.242.68.3