
Setting up a caching DNS server on Linux 8

云贝教育


Author: 泡杯长岛冰茶

1. Configure the network with a static address

nmcli connection modify static-ens192 ipv4.dns 172.16.50.194 ipv4.address 172.16.50.194/24 ipv4.gateway 172.16.50.1 autoconnect yes
nmcli connection reload; nmcli connection up static-ens192;

1.1. Client DNS configuration

(Environment for this article: the server and the client are the same machine.)

[root@localhost ~]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 172.16.50.194

2. Disable the firewall and SELinux

systemctl disable firewalld --now
sed -i s/^SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config
setenforce 0

3. Configure a local yum repository

3.1 Mount the system image file

# mount /dev/sr0 /mnt

3.2 Configure the yum repository file

# cat /etc/yum.repos.d/local_baseos.repo
[local_BaseOS]
name=local_baseOS
baseurl=
[local_AppStream]
name=local_AppStream
baseurl=

3.3 Check that the yum repository works

yum clean all; yum repolist;

4. Install and configure unbound

yum install -y unbound.x86_64

4.1. Find where unbound's configuration files are installed

[root@localhost ~]# rpm -qc unbound
/etc/sysconfig/unbound
/etc/unbound/conf.d/example.com.conf
/etc/unbound/keys.d/example.com.key
/etc/unbound/local.d/block-example.com.conf
/etc/unbound/unbound.conf

4.2. Edit the configuration file

vim /etc/unbound/unbound.conf
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    domain-insecure: "*."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114

interface is the IP address to listen on; 0.0.0.0 means listen on every IP of this host.

access-control is client access control; 0.0.0.0/0 allow means every client may query this server.

domain-insecure marks a domain as insecure: its answers are accepted without DNSSEC validation.

forward-zone: if this DNS server cannot resolve a record itself, the query is forwarded to the next DNS server.

name: "." forwards all queries.

forward-addr: 114.114.114.114 (in this article the next hop is 114.114.114.114)
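The settings above give a working caching forwarder, but `interface: 0.0.0.0` together with `access-control: 0.0.0.0/0 allow` means any host that can reach the server may query it, i.e. an open resolver that outsiders can also use in DNS amplification traffic. The script below is an added example, not part of the original article or of the unbound project: it writes a /etc/unbound/conf.d drop-in that keeps the article's forward-zone but listens only on the server address and allows only the LAN, writes the article's permissive variant next to it for comparison, and checks both. UNBOUND_ROOT (a temporary directory by default), the client subnet 172.16.50.0/24 and the file names caching.conf and open.conf are assumptions; 172.16.50.194 and 114.114.114.114 are the article's values.

```shell
#!/bin/sh
# Added example (not from the original article): a conf.d drop-in that keeps the
# article's forwarding setup but closes the open-resolver settings, plus checks.
# Assumptions: UNBOUND_ROOT (temp dir by default; use /etc/unbound on the real
# server), the client subnet 172.16.50.0/24, file names caching.conf / open.conf.
set -e

UNBOUND_ROOT="${UNBOUND_ROOT:-$(mktemp -d)}"

# Write the hardened drop-in and print its path.
write_caching_conf() {
    mkdir -p "$UNBOUND_ROOT/conf.d"
    cat > "$UNBOUND_ROOT/conf.d/caching.conf" <<'EOF'
server:
    # Listen on localhost and on the address clients put in resolv.conf,
    # not on every interface.
    interface: 127.0.0.1
    interface: 172.16.50.194
    # Default-deny, then allow localhost and the LAN. "0.0.0.0/0 allow"
    # would make this an open resolver reachable by anyone.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 172.16.50.0/24 allow
    # Do not reveal the software name/version to id.server / version.bind queries.
    hide-identity: yes
    hide-version: yes
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
EOF
    printf '%s\n' "$UNBOUND_ROOT/conf.d/caching.conf"
}

# Write the article's permissive settings, for comparison, and print the path.
write_open_resolver_conf() {
    mkdir -p "$UNBOUND_ROOT/conf.d"
    cat > "$UNBOUND_ROOT/conf.d/open.conf" <<'EOF'
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
forward-zone:
    name: "."
    forward-addr: 114.114.114.114
EOF
    printf '%s\n' "$UNBOUND_ROOT/conf.d/open.conf"
}

# Return 0 if FILE grants no blanket "allow" to 0.0.0.0/0, 1 if it does.
check_not_open_resolver() {
    if grep -qE '^[[:space:]]*access-control:[[:space:]]*0\.0\.0\.0/0[[:space:]]+allow' "$1"; then
        echo "$1: access-control 0.0.0.0/0 allow -> open resolver" >&2
        return 1
    fi
    return 0
}

# Run unbound-checkconf on FILE when the tool is installed (it is not on a
# workstation that only has this script); otherwise say so and succeed.
syntax_check() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$1"
    else
        echo "unbound-checkconf not found; skipping syntax check of $1"
    fi
}

HARDENED=$(write_caching_conf)
check_not_open_resolver "$HARDENED"
echo "wrote $HARDENED"
```

Run it with `UNBOUND_ROOT=/etc/unbound` on the server, comment out the `interface` and `access-control` lines edited in unbound.conf in step 4.2 so the drop-in is the only place they are set (unbound adds interface lines together rather than replacing them), then run `unbound-checkconf` and `systemctl restart unbound`. If you keep firewalld rather than disabling it as in step 2, `firewall-cmd --permanent --add-service=dns && firewall-cmd --reload` opens port 53 to clients.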

4.2.1 You can also create custom configuration files in the /etc/unbound/conf.d/ directory

- /etc/unbound/local.d/ : main configuration entries

- /etc/unbound/conf.d/ : host resource entries

[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf
server:
    domain-insecure: "*."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114

4.3. Check the configuration syntax

[root@localhost ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

4.4. Generate the private certificates

[root@localhost ~]# unbound-control-setup
setup in directory /etc/unbound
unbound_server.key exists
unbound_control.key exists
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use

4.5. Start unbound and enable it at boot

[root@localhost ~]# systemctl enable unbound --now

4.6. Check the listening ports

[root@localhost ~]# netstat -ntupl | grep :53
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      1091/unbound
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1959/dnsmasq
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1091/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1091/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1091/unbound
udp        0      0 0.0.0.0:53              0.0.0.0:*                           1091/unbound

Note: the output contains an extra entry for the IP 192.168.122.1 (the dnsmasq listener). This is the IP of the virtual bridge; if unbound will not start on your server, you must disable this IP:

udp 0 0 192.168.122.1:53 0.0.0.0:*

[root@localhost ~]# ip a s virbr0
virbr0: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 52:54:00:f3:16:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0
       valid_lft forever preferred_lft forever

The following commands take the bridge down:

[root@localhost ~]# ifconfig virbr0 down; nmcli device disconnect virbr0;

4.7. Check that external names resolve

[root@localhost ~]# dig 

; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> 
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60041
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                 IN      A

;; ANSWER SECTION:
.          1200    IN      CNAME   .
.       300     IN      A       112.80.248.76
.       300     IN      A       112.80.248.75

;; Query time: 815 msec
;; SERVER: 172.16.50.194#53(172.16.50.194)
;; WHEN: Mon Aug 30 19:59:38 CST 2021
;; MSG SIZE  rcvd: 101

4.8. Check that a cache entry was created

[root@localhost ~]# unbound-control dump_cache | grep 
.  1192    IN      CNAME   .
msg . IN A 32896 1 293 3 2 1 5
. IN CNAME 0

4.9. Flush a zone from the cache

unbound-control flush_zone baidu.com
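Steps 4.7 to 4.9 show a first, slow answer (815 ms), the resulting entry in `dump_cache`, and a flush. A quick way to confirm that the cache is actually doing its job is to query the same name twice and compare the two answers: a cached answer comes back with a lower TTL (unbound counts it down) and a query time near 0 ms, and after `flush_zone` the next answer is slow again. The script below is an added example, not from the article or from unbound: it parses dig output for the server, query time and TTL fields and decides whether the second answer was a cache hit. The two dig outputs are constructed samples (name www.example.com, address 192.0.2.10 from the documentation range); the live check assumes `dig` is installed and a resolver at $RESOLVER (the article's 172.16.50.194 by default).

```shell
#!/bin/sh
# Added example (not from the original article): confirm a resolver serves from
# cache by comparing two consecutive dig answers for the same name.
# Assumptions: the constructed dig outputs below and a resolver at $RESOLVER.
set -e

RESOLVER="${RESOLVER:-172.16.50.194}"

# Constructed sample: first query, answered via the forwarder (815 ms as in the article).
FIRST_DIG='; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.example.com
;; ANSWER SECTION:
www.example.com.        300     IN      A       192.0.2.10

;; Query time: 815 msec
;; SERVER: 172.16.50.194#53(172.16.50.194)'

# Constructed sample: the same query a few seconds later, answered from cache.
SECOND_DIG='; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.example.com
;; ANSWER SECTION:
www.example.com.        287     IN      A       192.0.2.10

;; Query time: 0 msec
;; SERVER: 172.16.50.194#53(172.16.50.194)'

# Print the resolver address from the ";; SERVER:" line of dig output.
dig_server() { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }

# Print the query time in milliseconds.
dig_query_ms() { printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'; }

# Print the TTL of the first A record in the answer section (skips a leading CNAME).
dig_first_a_ttl() {
    printf '%s\n' "$1" | awk '/^;; ANSWER SECTION:/ {inans=1; next} inans && $4=="A" {print $2; exit}'
}

# Return 0 when SECOND looks like a cache hit relative to FIRST: both answered by
# $RESOLVER, the TTL went down, and the second query took under 10 ms.
cache_hit() {
    first="$1"; second="$2"
    [ "$(dig_server "$first")" = "$RESOLVER" ] || { echo "first answer not from $RESOLVER" >&2; return 1; }
    [ "$(dig_server "$second")" = "$RESOLVER" ] || { echo "second answer not from $RESOLVER" >&2; return 1; }
    t1=$(dig_first_a_ttl "$first"); t2=$(dig_first_a_ttl "$second")
    [ -n "$t1" ] && [ -n "$t2" ] && [ "$t2" -lt "$t1" ] || { echo "TTL did not decrease ($t1 -> $t2)" >&2; return 1; }
    [ "$(dig_query_ms "$second")" -lt 10 ] || { echo "second query was not fast" >&2; return 1; }
    return 0
}

# Live check against the real resolver (needs dig and network; not run by default).
live_cache_check() {
    name="$1"
    a=$(dig @"$RESOLVER" "$name" A) && sleep 2 && b=$(dig @"$RESOLVER" "$name" A) && cache_hit "$a" "$b"
}

cache_hit "$FIRST_DIG" "$SECOND_DIG" && echo "sample answers: cache hit confirmed"
```

On the server, `live_cache_check <name>` after `unbound-control flush_zone <zone>` should fail on the first pair of queries and succeed once the answer has been cached again.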

4.10. Add a host resource record

Note: above, the name resolved to 112.80.248.76. After flushing the cache, we add a host record below that points it at 10.10.10.10 and check whether the resolution changes; if it now returns 10.10.10.10, the record works.

vim /etc/unbound/unbound.conf
  #interface: 0.0.0.0
  ######## the records below must be placed under the server: keyword in the configuration file
  local-data: ". 10800 IN A 10.10.10.10"             ## forward record
  local-data-ptr: "10.10.10.10 ;                     ## reverse record

4.10.1 You can also create a configuration file in /etc/unbound/local.d/ and add the host records there

[root@localhost local.d]# readlink -f yunbee.com.conf
/etc/unbound/local.d/yunbee.com.conf
[root@localhost local.d]# ls -l
-rw-r--r--. 1 root unbound 359 Dec  2  2020 block-example.com.conf
-rw-r--r--. 1 root unbound 410 Sep  1 21:36 yunbee.com.conf
[root@localhost local.d]# cat /etc/unbound/local.d/yunbee.com.conf
local-data: ". 3600 IN A 10.10.10.10"
local-data-ptr: "10.10.10.10 ;

4.11. Check how the added host resolves

[root@localhost ~]# nslookup 
Server:         172.16.50.194
Address:        172.16.50.194#53

Name:    
Address: 10.10.10.10

4.12 Building an authoritative name server with unbound (not recommended)

a) Define an access-control file in the /etc/unbound/conf.d/ directory

[root@localhost local.d]# readlink -f ../conf.d/yunbee.com.conf
/etc/unbound/conf.d/yunbee.com.conf
[root@localhost local.d]# cat /etc/unbound/conf.d/yunbee.com.conf
server:
    domain-insecure: "."
forward-zone:
    name: "."
    forward-addr: 114.114.114.114

b) Define a zone file in the /etc/unbound/local.d/ directory

[root@localhost local.d]# readlink -f yunbee.com.conf
/etc/unbound/local.d/yunbee.com.conf
[root@localhost local.d]# cat yunbee.com.conf
local-zone: "yunbee.com." static
# the NS target and the SOA MNAME are ns.yunbee.com., which has the A record below
local-data: "yunbee.com. 10800 IN NS ns.yunbee.com."
local-data: "yunbee.com. 10800 IN SOA ns.yunbee.com. root.yunbee.com. 1 3600 1200 604800 10800"
local-data: "ns.yunbee.com. 3600 IN A 172.16.50.194"
local-data: ". 3600 IN A 10.10.10.10"
local-data: "www1.baidu.com. 3600 IN A 10.10.10.11"
local-data: ". 3600 IN A 127.254.254.254"

A DNS tip: suppose an administrator wants to stop some employees from watching videos online. A record can be added that points the video site's hostname at the loopback address 127.254.254.254. For example, to stop company staff from reaching that site, add the line below. Note that the site can still be reached by its IP address.

local-data: ". 10800 IN A 127.254.254.254"
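The trick above answers only for the exact name in the local-data line; a query for any other hostname under the same domain still goes to the forwarder. unbound's own mechanism for this is a local-zone of type `redirect`, which answers for the name and everything below it with the local-data given for the zone apex (or type `always_nxdomain`, which returns NXDOMAIN instead of an address). The script below is an added example, not from the article or from unbound: it turns a blocklist into redirect zones using the article's sink address 127.254.254.254, and includes a small lookup that mirrors how unbound picks the longest matching local-zone, so you can see which names a given list would catch. The BLOCKLIST contents (example domains) and the output path $OUT are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): generate unbound redirect
# zones from a blocklist and simulate which names they would match.
# Assumptions: the constructed BLOCKLIST, the output file $OUT, and the sink
# address 127.254.254.254 taken from the article.
set -e

OUT="${OUT:-$(mktemp)}"
SINK="127.254.254.254"

# Constructed sample blocklist: one domain per line, '#' comments allowed.
BLOCKLIST='# constructed example list
video.example
ads.example.net
tracker.example.org'

# Write one redirect zone per domain. The A record for the zone apex is what
# unbound returns for the apex and, because the type is "redirect", for every
# name below it as well. Prints the output path.
write_block_conf() {
    printf '%s\n' "$BLOCKLIST" | sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d' |
    awk -v sink="$SINK" '
        { d = $1; sub(/\.$/, "", d)
          printf "local-zone: \"%s.\" redirect\n", d
          printf "local-data: \"%s. 3600 IN A %s\"\n", d, sink }' > "$OUT"
    printf '%s\n' "$OUT"
}

# Number of zones written (one local-zone line each).
count_zones() { grep -c '^local-zone:' "$OUT"; }

# Simulate unbound's local-zone lookup: strip leading labels from NAME until a
# configured zone matches. Return 0 if NAME would get the sink address.
is_blocked() {
    n=$(printf '%s' "$1" | sed 's/\.$//')
    while [ -n "$n" ]; do
        if grep -qF "local-zone: \"$n.\" redirect" "$OUT"; then return 0; fi
        case "$n" in *.*) n=${n#*.} ;; *) return 1 ;; esac
    done
    return 1
}

write_block_conf >/dev/null
echo "wrote $(count_zones) zones to $OUT"
for name in video.example m.video.example example.net; do
    if is_blocked "$name"; then echo "$name -> $SINK"; else echo "$name -> forwarded"; fi
done
```

Write the output to /etc/unbound/local.d/block.conf (that directory is included inside the server section, which is why the article's local.d files carry bare local-data lines), run `unbound-checkconf`, and apply it with `unbound-control reload`. As the article notes, this only affects name lookups; a client that uses the IP address directly is unaffected.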

End of article.
