I. What are cache-only DNS and forwarding DNS servers?
A simple DNS server that needs nothing but the "." zone file (the root hints) and publishes no DNS database of its own is called a cache-only DNS server. Its only job is to cache the results of lookups: it has no forward or reverse zone files of its own, and all of its data comes from the queries it sends out on behalf of clients.
If you do not even want the "." zone, you must name an upstream DNS server as the forwarding target and hand it the queries you would otherwise resolve yourself. That is a forwarding DNS server.
II. How they work
cache-only DNS: first looks in its own cache and in the "." (root hints) file; on a miss it resolves the name itself, starting at the root servers and following the referrals to the authoritative servers.
forwarding DNS: also answers from its cache when it can; on a miss it does not walk the tree itself but hands the query to the configured forwarders (with `forward only` it never falls back to resolving on its own).
III. When do you need a cache-only DNS server?
In environments where Internet access is tightly restricted and port 53 is blocked at the firewall. Put a cache-only server on the firewall host itself, so the firewall's own DNS service resolves hostname <-> IP for the clients: the firewall can permit its own DNS traffic, and the clients simply use the firewall's internal IP as their DNS server. So a cache-only DNS server is usually built for security reasons. Note that this only isolates the clients if the resolver listens on the internal interface and accepts queries from the LAN alone; a resolver that recurses for anyone who can reach it is an open resolver and will be abused for DNS amplification.
IV. Lab: building the server
1. Install the BIND packages
[root@liukai chroot]#yum -y install bind bind-chroot bind-utils
2. Back up and edit the main configuration file (always back up /etc/named.conf before changing it)
cp /etc/named.conf /root/named.conf.bf
vim /etc/named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { 127.0.0.1; }; // addresses to listen on; add the LAN interface address (or use any) so clients can reach the server
listen-on-v6 port 53 { ::1; }; // the same for IPv6
directory "/var/named"; // default directory for zone files and the database
dump-file "/var/named/data/cache_dump.db"; // where rndc dumpdb writes the cache contents
statistics-file "/var/named/data/named_stats.txt"; // where rndc stats writes statistics
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { any; }; // which hosts may query; any is also the default. Once the server listens on a non-loopback address, restrict this and allow-recursion to your own networks, otherwise it is an open resolver
forward only; // may be left out for now; explained below
forwarders {
119.29.29.29; // Tencent public DNS
8.8.8.8; // Google public DNS
};
// the following needs no changes for now
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Every statement and every block must end with a semicolon! Run named-checkconf after editing to catch a missing one.
forward only: when the forwarders list is non-empty the default is `forward first`: the server asks the forwarders first and, if none of them answers, resolves the query itself from the root hints. With `forward only` it sends queries to nothing but the forwarders and never resolves on its own. The configuration above is therefore a forwarding DNS server; remove `forward` and `forwarders` and it becomes a plain cache-only server resolving from the root hints in named.ca.
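The warning in the commented block above is the main security point of this setup: `recursion yes` together with `allow-query { any; }` is harmless while `listen-on` is loopback only, but the moment `listen-on` is widened to serve the LAN clients of section III, the same file describes an open resolver. The following script is an added example, not from the original page or from BIND: it reads the options block of a named.conf, applies BIND's fallback rules for the effective recursion ACL, and reports whether the server is an open resolver. The three sample configurations it writes are constructed for the demo, and the LAN 192.168.10.0/24 behind firewall address 192.168.10.1 in the hardened one is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page or from BIND: audit the options{}
# block of a named.conf for the open-resolver mistake its own comment warns about:
# recursion on, listening beyond loopback, and an effective recursion ACL that
# admits the world. BIND defaults are modelled (no listen-on = all interfaces,
# no recursion = yes, allow-recursion falls back to allow-query-cache, then
# allow-query, then "localnets; localhost"). Handles the one-statement-per-line
# layout of the page's config; the sample configs below are constructed.
# strip_comments FILE -> contents without // line comments and /* */ block
# comments (which may span lines); '#' comments are not handled
strip_comments() {
    awk '{
        line = $0; out = ""
        while (length(line) > 0) {
            if (inblock) {                           # inside /* ... */
                e = index(line, "*/")
                if (e == 0) { line = ""; break }
                line = substr(line, e + 2); inblock = 0
            } else {
                s = index(line, "/*"); c = index(line, "//")
                if (s > 0 && (c == 0 || s < c)) {    # block comment opens first
                    out = out substr(line, 1, s - 1); line = substr(line, s + 2); inblock = 1
                } else if (c > 0) {                  # rest of the line is a comment
                    out = out substr(line, 1, c - 1); line = ""
                } else { out = out line; line = "" }
            }
        }
        print out
    }' "$1"
}
# conf_value FILE STATEMENT -> value of the first "STATEMENT value;" line, e.g.
# conf_value named.conf listen-on  ->  port 53 { 127.0.0.1; }
conf_value() {
    strip_comments "$1" | sed -n 's/^[[:space:]]*'"$2"'[[:space:]]\{1,\}\(.*\);.*$/\1/p' | head -n 1
}
# list_entries "port 53 { 127.0.0.1; 192.168.10.1; }" -> the entries, one per word
list_entries() { printf '%s' "$1" | sed 's/.*{//; s/}.*//' | tr ';' ' '; }
# allows_world LIST -> 0 when the address-match list contains any, 0.0.0.0/0 or ::/0
allows_world() {
    for t in $(list_entries "$1"); do case "$t" in any|0.0.0.0/0|::/0) return 0 ;; esac; done
    return 1
}
# beyond_loopback LIST -> 0 when some entry is not a loopback address
beyond_loopback() {
    for t in $(list_entries "$1"); do case "$t" in 127.*|::1|localhost) ;; *) return 0 ;; esac; done
    return 1
}
# audit_named_conf FILE -> 0 ok, 1 open resolver, 2 recursion open to the world
# but reachable only on loopback (the page's config as written)
audit_named_conf() {
    rec=$(conf_value "$1" recursion);    [ -n "$rec" ]    || rec=yes
    listen=$(conf_value "$1" listen-on); [ -n "$listen" ] || listen='{ any; }'
    eff=$(conf_value "$1" allow-recursion)                # BIND's fallback chain
    [ -n "$eff" ] || eff=$(conf_value "$1" allow-query-cache)
    [ -n "$eff" ] || eff=$(conf_value "$1" allow-query)
    [ -n "$eff" ] || eff='{ localnets; localhost; }'
    if [ "$rec" = no ]; then echo "$1: ok, recursion disabled"; return 0; fi
    if beyond_loopback "$listen" && allows_world "$eff"; then
        echo "$1: OPEN RESOLVER: listens on [$listen] and recurses for [$eff]"; return 1
    fi
    if allows_world "$eff"; then
        echo "$1: warning: recurses for anyone; safe only while listening on [$listen]"; return 2
    fi
    echo "$1: ok, recursion limited to [$eff]"; return 0
}
# write_samples DIR -> constructed configs: the page's (loopback only), the same
# opened to the LAN without an ACL, and a hardened one. The LAN 192.168.10.0/24
# behind firewall address 192.168.10.1 is an assumption.
write_samples() {
    cat >"$1/page.conf" <<'EOF'
options {
    listen-on port 53 { 127.0.0.1; }; // loopback only, as on this page
    allow-query { any; };
    recursion yes;
};
EOF
    cat >"$1/open.conf" <<'EOF'
options {
    listen-on port 53 { any; };   /* opened up to serve the LAN clients */
    allow-query { any; };         /* no allow-recursion: it inherits "any" */
    recursion yes;
};
EOF
    cat >"$1/hardened.conf" <<'EOF'
acl lan { 127.0.0.0/8; 192.168.10.0/24; };
options {
    listen-on port 53 { 127.0.0.1; 192.168.10.1; };
    allow-query { lan; };
    allow-recursion { lan; };
    recursion yes;
    forward only;
    forwarders { 119.29.29.29; 8.8.8.8; };
};
EOF
}
if [ $# -gt 0 ]; then                      # sh audit_named.sh /etc/named.conf
    for f in "$@"; do audit_named_conf "$f" || :; done
else                                       # no arguments: run on the samples
    d=$(mktemp -d); write_samples "$d"
    for c in page open hardened; do audit_named_conf "$d/$c.conf" || :; done
    rm -rf "$d"
fi
```

Run it with no arguments to see the three verdicts, or pass /etc/named.conf to audit the live file. The hardened sample shows the shape to aim for when the server must serve the LAN: a named ACL used for both `allow-query` and `allow-recursion`, and `listen-on` limited to loopback plus the internal interface.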
3. Enable the service at boot and start named
[root@liukai ~]# chkconfig named on
[root@liukai ~]# service named start
On a systemd host (the dig banner below shows this is EL8) both commands are forwarded to systemctl; the native form is `systemctl enable --now named`. If you want the chroot that the bind-chroot package provides, enable and start `named-chroot` instead.
4. Check the listening ports
[root@liukai ~]# netstat -tulnp | grep 53
tcp 0 0 0.0.0.0:5355 0.0.0.0:* LISTEN 767/systemd-resolve
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 2113730/named
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 2113730/named
tcp6 0 0 :::5355 :::* LISTEN 767/systemd-resolve
udp 0 0 127.0.0.1:53 0.0.0.0:* 2113730/named
udp 0 0 127.0.0.53:53 0.0.0.0:* 767/systemd-resolve
udp 0 0 0.0.0.0:5355 0.0.0.0:* 767/systemd-resolve
udp6 0 0 :::5355 :::* 767/systemd-resolve
Port 53 is open on both TCP and UDP, but only on 127.0.0.1, matching listen-on above: LAN clients cannot reach this resolver until listen-on includes the internal interface address and the firewall permits 53/udp and 53/tcp from the LAN. Port 953 is the rndc control channel (loopback only, as it should be); 127.0.0.53:53 and port 5355 belong to systemd-resolved (its stub resolver and LLMNR), not to named. On hosts without net-tools, `ss -tulnp | grep 53` shows the same.
5. Test
[root@liukai ~]# dig www.baidu.com@127.0.0.1
; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> www.baidu.com@127.0.0.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 19489
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f80f14e7b97696415167e8845f7d7dd7fa3be96ca3c3ed04 (good)
;; QUESTION SECTION:
;www.baidu.com\@127.0.0.1. IN A
;; AUTHORITY SECTION:
. 10800 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2020100700 1800 900 604800 86400
;; Query time: 1253 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Oct 07 16:35:35 CST 2020
;; MSG SIZE rcvd: 155
The query did reach our server (the SERVER line shows 127.0.0.1#53), but the status is NXDOMAIN and there is no ANSWER section: without a space before @, dig took `www.baidu.com@127.0.0.1` as the name to look up (see the QUESTION section, where the @ is escaped), and the root servers correctly reported that no such name exists. The correct forms are `dig www.baidu.com @127.0.0.1` or `dig @127.0.0.1 www.baidu.com`. A working resolver returns status NOERROR, the `ra` flag, and A records in the ANSWER section; run the same query twice and the second Query time drops to about 0 msec, which is the cache at work. End of the lab.
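To make the test in step 5 repeatable rather than something read off the screen, here is an added example script (not from the original page): it refuses the `name@server` typo seen above, queries the resolver twice with dig, checks that the answer is NOERROR with records and the `ra` flag, and compares the two runs to tell whether the second answer came from the cache. The name and server are whatever you pass on the command line; the sample dig outputs used to check the parsers are constructed.

```shell
#!/bin/sh
# Added example, not from the original page: test a cache-only / forwarding
# resolver with dig and judge the result instead of eyeballing it. The parsers
# work on dig's normal text output; resolver_check runs dig twice so that the
# second answer should be served from the cache.
# Usage: sh resolver_check.sh www.baidu.com 127.0.0.1

# dig_status OUTPUT -> rcode from the header line (NOERROR, NXDOMAIN, SERVFAIL ...)
dig_status()  { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
# dig_answers OUTPUT -> number of records in the ANSWER section
dig_answers() { printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1; }
# dig_qtime OUTPUT -> "Query time" in msec
dig_qtime()   { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1; }
# dig_flags OUTPUT -> the header flags, e.g. "qr rd ra"
dig_flags()   { printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1; }
# dig_first_ttl OUTPUT -> TTL of the first record in the ANSWER section, "" if none
dig_first_ttl() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/ { in_ans = 1; next }
        /^;;/ || /^$/         { in_ans = 0 }
        in_ans && $3 == "IN"  { print $2; exit }'
}

# query_name_ok NAME -> 1 if NAME contains "@": "dig name@server" (no space) makes
# dig look up the literal name "name@server", which ends in NXDOMAIN
query_name_ok() {
    case "$1" in
        *@*) echo "'$1' contains @; write: dig ${1%%@*} @${1#*@}" >&2; return 1 ;;
    esac
    return 0
}

# judge OUTPUT -> 0 when the answer is usable: status NOERROR, at least one
# record, and the ra flag (the server is willing to recurse for this client)
judge() {
    case " $(dig_flags "$1") " in
        *" ra "*) ;;
        *) echo "no ra flag: server does not recurse for this client"; return 1 ;;
    esac
    st=$(dig_status "$1")
    [ "$st" = NOERROR ] || { echo "status $st"; return 1; }
    n=$(dig_answers "$1")
    [ "${n:-0}" -gt 0 ] || { echo "no records in ANSWER section"; return 1; }
    return 0
}

# cache_hit FIRST SECOND -> 0 when the second answer looks served from cache:
# the TTL did not grow and the query time fell to a few msec
cache_hit() {
    t1=$(dig_first_ttl "$1"); t2=$(dig_first_ttl "$2")
    q1=$(dig_qtime "$1");     q2=$(dig_qtime "$2")
    [ -n "$t1" ] && [ -n "$t2" ] && [ -n "$q1" ] && [ -n "$q2" ] || return 1
    [ "$t2" -le "$t1" ] && [ "$q2" -lt "$q1" ] && [ "$q2" -le 5 ]
}

# resolver_check NAME SERVER -> query twice and report; non-zero on a bad answer
resolver_check() {
    query_name_ok "$1" || return 1
    a=$(dig "@$2" "$1" +time=3 +tries=1) || { echo "dig could not reach $2"; return 1; }
    judge "$a" || return 1
    b=$(dig "@$2" "$1" +time=3 +tries=1) || return 1
    echo "$1 via $2: $(dig_answers "$a") records, $(dig_qtime "$a") msec then $(dig_qtime "$b") msec"
    if cache_hit "$a" "$b"; then echo "second answer served from cache"
    else echo "second answer not obviously cached (check forward/recursion settings)"; fi
}

if [ $# -eq 2 ]; then resolver_check "$1" "$2"; fi
```

Because the check needs a real answer, run it from the server itself against 127.0.0.1 first, then from a LAN client against the firewall's internal address: the second run is the one that proves listen-on, allow-query and the firewall rules are right, and a missing `ra` flag there means the client is outside the recursion ACL.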