
DNS高速缓存&分离解析

1. 高速缓存

主机 角色 系统 IP
client 客户端 redhat9.6 192.168.72.7
server 域名解析服务器 redhat9.6 192.168.72.18
cache 域名解析缓存服务器 redhat9.6 192.168.72.48

1.1 配置域名解析器

1、修改主机名

[root@localhost ~]# hostnamectl hostname server

2、修改IP地址

[root@server ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.18/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@server ~]# nmcli c up ens160

3、安装软件

[root@server ~]# dnf install bind -y

4、修改主配置文件（实验环境为简化而关闭了 DNSSEC 校验并对 any 放开查询；生产环境应保留 dnssec-validation，并把递归查询限制在可信网段内）

[root@server ~]# vim /etc/named.conf
[root@server ~]# cat /etc/named.conf
options {
	listen-on port 53 { 192.168.72.18; }; //监听的IP,一般写本机IP地址
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { any; };	//指定允许发起查询的客户端/网段

	recursion yes;

	dnssec-validation no; //关闭校验

	managed-keys-directory "/var/named/dynamic";
	geoip-directory "/usr/share/GeoIP";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

5、修改区域配置文件

[root@server ~]# vim /etc/named.rfc1912.zones
[root@server ~]# cat /etc/named.rfc1912.zones
zone "exam.com" IN {
	type master;
	file "exam.com.zone";
	allow-update { none; };
};

zone "72.168.192.in-addr.arpa" IN {
	type master;
	file "exam.com.arpa.zone";
	allow-update { none; };
};

6、编写正向解析区域数据文件

# 1. 进入区域数据存放目录
[root@server ~]# cd /var/named
[root@server named]# ls
data     example.com.arpa.zone  managed-keys.bind      named.ca     named.localhost  slaves
dynamic  example.com.zone       managed-keys.bind.jnl  named.empty  named.loopback

# 2. 复制模板文件
[root@server named]# cp -p named.localhost exam.com.zone

# 3. 编辑数据文件
[root@server named]# vim exam.com.zone
[root@server named]# cat exam.com.zone 
$TTL 1D
@	IN SOA	@ admin.exam.com. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	ns
ns	A	192.168.72.18
www	A	192.168.72.8
web	CNAME	www

7、编写反向区域数据文件

[root@server named]# cp -p named.loopback exam.com.arpa.zone
[root@server named]# vim exam.com.arpa.zone
[root@server named]# cat exam.com.arpa.zone 
$TTL 1D
@	IN SOA	@ admin.exam.com. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	ns
ns	A	192.168.72.18
8	PTR	www.exam.com.

8、启动服务

# 1. 验证配置文件的语法
[root@server named]# named-checkconf -z /etc/named.conf
zone exam.com/IN: loaded serial 0
zone 72.168.192.in-addr.arpa/IN: loaded serial 0
[root@server named]# named-checkzone exam.com /var/named/exam.com.zone 
zone exam.com/IN: loaded serial 0
OK

# 2. 启动服务
[root@server named]# systemctl start named

9、防火墙放行服务

[root@server named]# firewall-cmd --permanent --add-service=dns
success
[root@server named]# firewall-cmd --reload

1.2 配置客户端

1、修改主机名

[root@localhost ~]# hostnamectl hostname client

2、修改IP地址

[root@client ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.7/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.48 connection.autoconnect yes
[root@client ~]# nmcli c up ens160

3、安装测试工具

[root@client ~]# dnf install -y bind-utils

4、解析验证

[root@client ~]# dig -t A www.exam.com @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10461
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: c5474d5b3fa7c2c001000000690eab6f453bae94fbcb7f0c (good)
;; QUESTION SECTION:
;www.exam.com.			IN	A

;; ANSWER SECTION:
www.exam.com.		86400	IN	A	192.168.72.8

;; Query time: 1 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Sat Nov 08 10:31:12 CST 2025
;; MSG SIZE  rcvd: 85


[root@client ~]# dig -x 192.168.72.8 @192.168.72.18

; <<>> DiG 9.16.23-RH <<>> -x 192.168.72.8 @192.168.72.18
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32784
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 56749646e7158c8401000000690eab87bde5965ad465847f (good)
;; QUESTION SECTION:
;8.72.168.192.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
8.72.168.192.in-addr.arpa. 86400 IN	PTR	www.exam.com.

;; Query time: 0 msec
;; SERVER: 192.168.72.18#53(192.168.72.18)
;; WHEN: Sat Nov 08 10:31:37 CST 2025
;; MSG SIZE  rcvd: 108

1.3 配置缓存服务器

1、修改主机名

[root@localhost ~]# hostnamectl hostname cache

2、修改IP地址

[root@cache ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.48/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@cache ~]# nmcli c up ens160

3、安装软件

[root@cache ~]# dnf install -y bind

4、修改主配置文件（注意：listen-on { any; }、allow-query { any; } 与 recursion yes 同时存在会使缓存服务器成为开放递归解析器，存在被用于反射放大的风险；生产环境应通过 allow-query 或 allow-recursion 将递归限制为 192.168.72.0/24 这类内网网段）

[root@cache ~]# vim /etc/named.conf 
[root@cache ~]# cat /etc/named.conf 
options {
	listen-on port 53 { any; };
	directory 	"/var/named";
	allow-query     { any; };
	forwarders { 192.168.72.18; };

	recursion yes;

	dnssec-validation no;
};

5、启动服务

[root@cache ~]# systemctl start named

6、防火墙放行服务

[root@cache ~]# firewall-cmd --permanent --add-port=53/tcp --add-port=53/udp
success
[root@cache ~]# firewall-cmd --reload 
success

1.4 修改客户端

1、修改客户端的DNS

[root@client ~]# nmcli c modify ens160 ipv4.dns 192.168.72.48
[root@client ~]# nmcli c up ens160 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)

2、测试解析

[root@client ~]# dig -t A www.exam.com @192.168.72.48

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54060
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: bd9d29d56e81686c01000000690eae4b87d476c70adfd7df (good)
;; QUESTION SECTION:
;www.exam.com.			IN	A

;; ANSWER SECTION:
www.exam.com.		86400	IN	A	192.168.72.8

;; Query time: 13 msec
;; SERVER: 192.168.72.48#53(192.168.72.48)
;; WHEN: Sat Nov 08 10:43:24 CST 2025
;; MSG SIZE  rcvd: 85

[root@client ~]# dig -t A www.exam.com @192.168.72.48

; <<>> DiG 9.16.23-RH <<>> -t A www.exam.com @192.168.72.48
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62714
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 220bee834226ff2501000000690eae4ff05f88554a6450a8 (good)
;; QUESTION SECTION:
;www.exam.com.			IN	A

;; ANSWER SECTION:
www.exam.com.		86396	IN	A	192.168.72.8

;; Query time: 0 msec
;; SERVER: 192.168.72.48#53(192.168.72.48)
;; WHEN: Sat Nov 08 10:43:28 CST 2025
;; MSG SIZE  rcvd: 85

2. 分离解析

主机名 角色 系统 IP
web1 外网Web服务器 redhat9.6 172.25.16.102
web2 内网Web服务器 redhat9.6 192.168.72.102
ns1 分离服务器 redhat9.6 192.168.72.101 172.25.16.101
client1 外网客户机 redhat9.6 172.25.16.106
client2 内网客户机 redhat9.6 192.168.72.106

2.1 环境准备

克隆5台服务器，并根据上表所示设置各服务器的网络连接类型。web1、client1 的网络类型为仅主机模式；web2 和 client2 为 NAT 模式；ns1 服务器有两块网卡，一块为仅主机模式，一块为 NAT 模式。

2.2 配置外网Web服务器

1、修改主机名

[root@localhost ~]# hostnamectl hostname web1

2、修改IP

[root@localhost ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 172.25.16.102/24 ipv4.dns 172.25.16.101 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160

3、安装nginx

[root@web1 ~]# dnf install nginx -y

4、修改首页

[root@web1 ~]# echo "$(hostname) - $(hostname -I)" > /usr/share/nginx/html/index.html

5、启动服务

[root@web1 ~]# systemctl start nginx

6、访问测试

[root@web1 ~]# curl localhost
web1 - 172.25.16.102

7、放行端口

[root@web1 ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web1 ~]# firewall-cmd --reload
success

2.3 配置内网Web服务器

1、修改主机名

[root@localhost ~]# hostnamectl hostname web2

2、修改IP

[root@localhost ~]# nmcli c modify ens160 ipv4.method manual ipv4.addresses 192.168.72.102/24 ipv4.gateway 192.168.72.2 ipv4.dns 192.168.72.101 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160

3、安装nginx

[root@web2 ~]# dnf install nginx -y

4、修改首页

[root@web2 ~]# echo "$(hostname) - $(hostname -I)" > /usr/share/nginx/html/index.html

5、启动服务

[root@web2 ~]# systemctl start nginx

6、访问测试

[root@web2 ~]# curl localhost
web2 - 192.168.72.102

7、放行端口

[root@web2 ~]# firewall-cmd --permanent --add-port=80/tcp
success
[root@web2 ~]# firewall-cmd --reload
success

2.4 配置分离解析服务器

1、修改主机名

[root@localhost ~]# hostnamectl hostname ns1

2、修改外网IP

# 1. 查看连接名称
[root@localhost ~]# nmcli c show
NAME                UUID                                  TYPE      DEVICE 
ens160              102dfc24-9f7b-361b-8d11-405d00c1bfee  ethernet  ens160 
Wired connection 1  0ae80679-343b-38e7-a5da-adc8281548e2  ethernet  ens224 
lo                  42381583-4c98-4e59-ada6-229f46eca8b5  loopback  lo    

# 2. 修改连接名称,将Wired connection 1修改为ens224
[root@localhost ~]# nmcli c modify Wired\ connection\ 1 connection.id ens224
[root@localhost ~]# nmcli c show
NAME    UUID                                  TYPE      DEVICE 
ens160  102dfc24-9f7b-361b-8d11-405d00c1bfee  ethernet  ens160 
ens224  0ae80679-343b-38e7-a5da-adc8281548e2  ethernet  ens224 
lo      42381583-4c98-4e59-ada6-229f46eca8b5  loopback  lo     

# 3. 修改IP地址
[root@localhost ~]# nmcli c m ens224 ipv4.method manual ipv4.addresses 172.25.16.101/24 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens224 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

# 4. 查看网卡信息
[root@localhost ~]# ifconfig ens224
ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.25.16.101  netmask 255.255.255.0  broadcast 172.25.16.255
        inet6 fe80::2d20:87a9:a9ac:1549  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:64:da:9f  txqueuelen 1000  (Ethernet)
        RX packets 55  bytes 6532 (6.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33  bytes 2958 (2.8 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

3、修改内网IP

[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.101/24 ipv4.gateway 192.168.72.2 ipv4.dns 223.5.5.5 connection.autoconnect yes
[root@localhost ~]# nmcli c up ens160 

4、安装软件

[root@ns1 ~]# dnf install bind -y

5、修改主配置文件

[root@ns1 ~]# vim /etc/named.conf
[root@ns1 ~]# cat /etc/named.conf 
options {
	listen-on port 53 { any; };  // { 172.25.16.101; 192.168.72.101; }   这里修改了
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	secroots-file	"/var/named/data/named.secroots";
	recursing-file	"/var/named/data/named.recursing";
	allow-query     { any; };	// 这里修改了

	recursion yes;

	dnssec-validation no;	// 这里修改了

	managed-keys-directory "/var/named/dynamic";
	geoip-directory "/usr/share/GeoIP";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";

	include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

6、修改区域配置文件

[root@ns1 ~]# vim /etc/named.rfc1912.zones
[root@ns1 ~]# cat /etc/named.rfc1912.zones
view "LAN" {
	match-clients { 192.168.72.0/24; };
	zone "exam.com" IN {
		type master;
		file "lan.exam.com.zone";
	};
	zone "." IN {
        type hint;
        file "named.ca";
	};
};

view "WAN" {
	match-clients { 172.25.16.0/24; };
	zone "exam.com" IN {
		type master;
		file "wan.exam.com.zone";
	};
	zone "." IN {
        type hint;
        file "named.ca";
	};
};

7、编写内网区域数据文件

[root@ns1 ~]# cd /var/named/
[root@ns1 named]# cp -p named.localhost lan.exam.com.zone
[root@ns1 named]# vim lan.exam.com.zone
[root@ns1 named]# cat lan.exam.com.zone 
$TTL 1D
@	IN SOA	exam.com. 	admin.exam.com. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	ns
ns	A	192.168.72.101
www	A	192.168.72.102

8、编写外网区域数据文件

[root@ns1 named]# cp -p lan.exam.com.zone wan.exam.com.zone
[root@ns1 named]# vim wan.exam.com.zone
[root@ns1 named]# cat wan.exam.com.zone
$TTL 1D
@	IN SOA	exam.com. 	admin.exam.com. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	ns
ns	A	172.25.16.101
www	A	172.25.16.102

9、启动服务器

[root@ns1 named]# systemctl start named

10、放行服务

[root@ns1 named]# firewall-cmd --permanent --add-service=dns
success
[root@ns1 named]# firewall-cmd --reload
success

2.5 配置外网客户端

1、修改主机名


2、修改IP和DNS

[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 172.25.16.106/24 ipv4.gateway 172.25.16.101 ipv4.dns 172.25.16.101 autoconnect yes
[root@localhost ~]# nmcli c up ens160

3、安装工具

[root@localhost ~]# dnf install -y bind-utils

4、验证

[root@localhost ~]# curl www.exam.com
web1 - 172.25.16.102

2.6 配置内网客户端

1、修改主机名


2、修改IP和DNS

[root@localhost ~]# nmcli c m ens160 ipv4.method manual ipv4.addresses 192.168.72.106/24 ipv4.gateway 192.168.72.101 ipv4.dns 192.168.72.101 autoconnect yes
[root@localhost ~]# nmcli c up ens160

3、安装工具

[root@localhost ~]# dnf install -y bind-utils

4、验证

[root@localhost ~]# curl www.exam.com
web2 - 192.168.72.102