
Linux Server Tutorial Series, Part 6: Configuring a DNS Server

2006-04-23 23:07
Introduction:
Remember that a computer is, at bottom, digital circuitry doing arithmetic. As computing advanced, all of those numbers were abstracted away behind human-readable representations, and networks went the same way. Locating each individual endpoint also follows rules, just as you need an address before you set out to visit a friend in an unfamiliar place.
In everyday life that address is something you agree on by telephone beforehand. Take another example: to find a company's premises you look it up in the yellow pages, find its contact details there, and only then arrange a meeting. In a computer network all data is exchanged over a particular carrier, and to keep the search for the right party tractable a common set of rules is needed. For example, a company in the United States does not have to locate an address in China by itself; it delegates the lookup to the authority responsible for China.
A DNS server is built on exactly this kind of substitution and lookup. DNS servers are everywhere, and they can also be deployed for a small area such as a single company. Company names can coincide (registered trademarks cannot), and DNS is just as flexible: on a corporate network you may choose whatever names you like, and you can even point the name http://www.microsoft.com at your own intranet server, so that anyone inside the company who types that address lands on the company home page. This is purely a private use; you cannot register it as a trademark, because your company is not Microsoft, you have merely reused the name. Such internal overrides are also selective: names you have not redefined are untouched, so http://www.google.com still reaches Google. Outside the company network the override has no effect, because clients there do not use your resolver; http://www.microsoft.com resolves to Microsoft's real address, and trademark law applies in any case.
The DNS server most commonly used on Unix/Linux is BIND, currently at version 9.3 (link).
Here I recommend a detailed introductory tutorial to readers (tutorial link). With this I formally conclude my Linux server tutorial series; what follows are the examples I selected from that tutorial:

7. A real domain example

Where we list some real zone files

Users have suggested that I include a real example of a working domain as well as the tutorial example.

I use this example with permission from David Bullock of LAND-5. These files were current on the 24th of September 1996, and were then edited by me to fit BIND 8 restrictions and to use its extensions. So, what you see here differs a bit from what you find if you query LAND-5's name servers now.

7.1 /etc/named.conf (or /var/named/named.conf)

Here we find master zone sections for the two reverse zones needed: the 127.0.0 net, as well as LAND-5's 206.6.177 subnet, and a primary line for land-5's forward zone land-5.com. Also note that instead of stuffing the files in a directory called pz, as I do in this HOWTO, he puts them in a directory called zone.

// Boot file for LAND-5 name server

options {
        directory "/var/named";
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
        algorithm hmac-md5;
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

zone "." {
        type hint;
        file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "zone/127.0.0";
};

zone "land-5.com" {
        type master;
        file "zone/land-5.com";
};

zone "177.6.206.in-addr.arpa" {
        type master;
        file "zone/206.6.177";
};


If you put this in your named.conf file to play with, PLEASE put ``notify no;'' in the zone sections for the two land-5 zones so as to avoid accidents. Two further things to change before reusing this file: the rndc key above is only as secret as the document it is printed in, so generate your own with rndc-confgen (current BIND 9 releases produce hmac-sha256 keys; hmac-md5 is kept only for compatibility), although the controls statement limits the exposure by accepting connections from 127.0.0.1 only; and add an allow-transfer statement naming your secondaries to each master zone, since a server that answers AXFR for anyone hands out the complete host inventory listed in the zone files below.

7.2 /var/named/root.hints

Keep in mind that this file is dynamic, and the one listed here is old. You're better off using a new one as explained earlier.

; <<>> DiG 8.1 <<>> @A.ROOT-SERVERS.NET.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       6D IN NS        G.ROOT-SERVERS.NET.
.                       6D IN NS        J.ROOT-SERVERS.NET.
.                       6D IN NS        K.ROOT-SERVERS.NET.
.                       6D IN NS        L.ROOT-SERVERS.NET.
.                       6D IN NS        M.ROOT-SERVERS.NET.
.                       6D IN NS        A.ROOT-SERVERS.NET.
.                       6D IN NS        H.ROOT-SERVERS.NET.
.                       6D IN NS        B.ROOT-SERVERS.NET.
.                       6D IN NS        C.ROOT-SERVERS.NET.
.                       6D IN NS        D.ROOT-SERVERS.NET.
.                       6D IN NS        E.ROOT-SERVERS.NET.
.                       6D IN NS        I.ROOT-SERVERS.NET.
.                       6D IN NS        F.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241

;; Total query time: 215 msec
;; FROM: roke.uio.no to SERVER: A.ROOT-SERVERS.NET.  198.41.0.4
;; WHEN: Sun Feb 15 01:22:51 1998
;; MSG SIZE  sent: 17  rcvd: 436


7.3 /var/named/zone/127.0.0

Just the basics: the obligatory SOA record, and a record that maps 127.0.0.1 to localhost. Both are required. No more should be in this file. It will probably never need to be updated, unless your nameserver or hostmaster address changes.

$TTL 3D
@               IN      SOA     land-5.com. root.land-5.com. (
                        199609203       ; Serial
                        28800           ; Refresh
                        7200            ; Retry
                        604800          ; Expire
                        86400)          ; Minimum TTL
                NS      land-5.com.

1                       PTR     localhost.


If you look at a random BIND installation you will probably find that the $TTL line is missing. It was not used before BIND 8.2, which started to warn about its absence. BIND 9 requires the $TTL, which is why it appears in the files shown here.

7.4 /var/named/zone/land-5.com

Here we see the mandatory SOA record and the needed NS records. We can see that he has a secondary name server at ns2.psi.net. This is as it should be: always have an off-site secondary server as backup. We can also see that he has a master host called land-5 which takes care of many of the different Internet services, and that he's done it with CNAMEs (an alternative is using A records).

As you see from the SOA record, the zone file originates at land-5.com, and the contact person is root@land-5.com. hostmaster is another oft-used address for the contact person. The serial number is in the customary yyyymmdd format with today's serial number appended; this is probably the sixth version of the zone file on the 20th of September 1996. Remember that the serial number must increase monotonically: secondaries compare serials with the 32-bit serial arithmetic of RFC 1982, so a serial that has been made too large cannot simply be lowered again. Here there is only one digit for today's serial number, so after 9 edits he has to wait until tomorrow before he can edit the file again. Consider using two digits.

$TTL 3D
@       IN      SOA     land-5.com. root.land-5.com. (
                        199609206       ; serial, today's date + today's serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D )            ; minimum, seconds
                NS      land-5.com.
                NS      ns2.psi.net.
                MX      10 land-5.com.  ; Primary Mail Exchanger
                TXT     "LAND-5 Corporation"

localhost       A       127.0.0.1

router          A       206.6.177.1

land-5.com.     A       206.6.177.2
ns              A       206.6.177.3
www             A       207.159.141.192

ftp             CNAME   land-5.com.
mail            CNAME   land-5.com.
news            CNAME   land-5.com.

funn            A       206.6.177.2

;
;       Workstations
;
ws-177200       A       206.6.177.200
                MX      10 land-5.com.   ; Primary Mail Host
ws-177201       A       206.6.177.201
                MX      10 land-5.com.   ; Primary Mail Host
ws-177202       A       206.6.177.202
                MX      10 land-5.com.   ; Primary Mail Host
ws-177203       A       206.6.177.203
                MX      10 land-5.com.   ; Primary Mail Host
ws-177204       A       206.6.177.204
                MX      10 land-5.com.   ; Primary Mail Host
ws-177205       A       206.6.177.205
                MX      10 land-5.com.   ; Primary Mail Host
; {Many repetitive definitions deleted - SNIP}
ws-177250       A       206.6.177.250
                MX      10 land-5.com.   ; Primary Mail Host
ws-177251       A       206.6.177.251
                MX      10 land-5.com.   ; Primary Mail Host
ws-177252       A       206.6.177.252
                MX      10 land-5.com.   ; Primary Mail Host
ws-177253       A       206.6.177.253
                MX      10 land-5.com.   ; Primary Mail Host
ws-177254       A       206.6.177.254
                MX      10 land-5.com.   ; Primary Mail Host


If you examine land-5's nameserver you will find that the host names are of the form ws_number. As of late BIND 4 versions named started enforcing the restrictions on what characters may be used in host names. So that does not work with BIND 8 at all, and I substituted '-' (dash) for '_' (underline) for use in this HOWTO. The first BIND 9 releases did not enforce the restriction, but BIND 9.3 and later restore it through the check-names option, whose default for master zones is to reject the zone, so the dash form remains the safe choice.

Another thing to note is that the workstations don't have individual names, but rather a prefix followed by the two last parts of the IP numbers. Using such a convention can simplify maintenance significantly, but can be a bit impersonal, and, in fact, be a source of irritation among your customers.

We also see that funn.land-5.com is an alias for land-5.com, but using an A record, not a CNAME record.

7.5 /var/named/zone/206.6.177

I'll comment on this file below

$TTL 3D
@               IN      SOA     land-5.com. root.land-5.com. (
                        199609206       ; Serial
                        28800           ; Refresh
                        7200            ; Retry
                        604800          ; Expire
                        86400)          ; Minimum TTL
                NS      land-5.com.
                NS      ns2.psi.net.
;
;       Servers
;
1       PTR     router.land-5.com.
2       PTR     land-5.com.
2       PTR     funn.land-5.com.
;
;       Workstations
;
200     PTR     ws-177200.land-5.com.
201     PTR     ws-177201.land-5.com.
202     PTR     ws-177202.land-5.com.
203     PTR     ws-177203.land-5.com.
204     PTR     ws-177204.land-5.com.
205     PTR     ws-177205.land-5.com.
; {Many repetitive definitions deleted - SNIP}
250     PTR     ws-177250.land-5.com.
251     PTR     ws-177251.land-5.com.
252     PTR     ws-177252.land-5.com.
253     PTR     ws-177253.land-5.com.
254     PTR     ws-177254.land-5.com.


The reverse zone is the bit of the setup that seems to cause the most grief. It is used to find the host name if you have the IP number of a machine. Example: you are an FTP server and accept connections from FTP clients. As you are a Norwegian FTP server you want to accept more connections from clients in Norway and other Scandinavian countries and fewer from the rest of the world. When you get a connection from a client the C library is able to tell you the IP number of the connecting machine, because the IP number of the client is contained in all the packets that are passed over the network. Now you can call a function called gethostbyaddr that looks up the name of a host given the IP number. gethostbyaddr will ask a DNS server, which will then traverse the DNS looking for the machine.

Supposing the client connection is from ws-177200.land-5.com, the IP number the C library provides to the FTP server is 206.6.177.200. To find out the name of that machine we need to find 200.177.6.206.in-addr.arpa. The DNS server will first find the arpa. servers, then the in-addr.arpa. servers, following the reverse trail through 206, then 6, and at last finding the server for the 177.6.206.in-addr.arpa zone at LAND-5. From it it will finally get the answer that for 200.177.6.206.in-addr.arpa we have a ``PTR ws-177200.land-5.com'' record, meaning that the name that goes with 206.6.177.200 is ws-177200.land-5.com.

The FTP server prioritizes connections from the Scandinavian countries, i.e., *.no, *.se, *.dk; the name ws-177200.land-5.com clearly does not match any of those, and the server will put the connection in a connection class with less bandwidth and fewer clients allowed. If there were no reverse mapping of 206.6.177.200 through the in-addr.arpa zone the server would have been unable to find the name at all and would have to settle for comparing 206.6.177.200 with *.no, *.se and *.dk, none of which will match at all; it may even deny the connection for lack of classification.

Some people will tell you that reverse lookup mappings are only important for servers, or not important at all. Not so: many ftp, news, IRC and even some http (WWW) servers will not accept connections from machines whose name they cannot find. So reverse mappings for machines are in fact mandatory. One caveat applies whenever the name is used for a decision like the one above: the PTR record is published by whoever controls the reverse zone for the client's address block, not by the owner of the .no, .se or .dk domain, so anyone with a reverse zone of their own can point a PTR at any name under .no. A server that cares must confirm the name with a forward lookup and check that the A record points back at the connecting address (forward-confirmed reverse DNS), which is also why the forward and reverse zones have to be kept in step with each other.
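As an added example (not code from the HOWTO, the blog author or BIND), the following Python script does what the lookup walk-through in 7.5 describes and then applies the consistency rule argued for in the paragraph above: it computes the in-addr.arpa name for an address, parses the forward and reverse zone excerpts shown on this page (constructed inline, workstation list trimmed; the parser covers only the master-file subset used here), and reports A records with no matching PTR as well as PTRs that are not confirmed by an A record. Run against the records as they appear above, it reports ns.land-5.com (206.6.177.3), which has an A record in 7.4 but no PTR in 7.5. The function names are my own.

```python
"""Cross-check a forward zone against its in-addr.arpa zone.

Added example for this page; it is not part of the DNS HOWTO or of BIND.
The two zone excerpts are constructed from the records shown above
(the workstation list is trimmed). The parser handles the subset of the
master file format used here, not all of RFC 1035.
"""
import ipaddress
import re

FORWARD_ORIGIN = "land-5.com."
FORWARD_ZONE = """\
$TTL 3D
@       IN      SOA     land-5.com. root.land-5.com. (
                        199609206       ; serial
                        8H 2H 4W 1D )   ; refresh retry expire minimum
                NS      land-5.com.
                NS      ns2.psi.net.
                MX      10 land-5.com.
localhost       A       127.0.0.1
router          A       206.6.177.1
land-5.com.     A       206.6.177.2
ns              A       206.6.177.3
www             A       207.159.141.192
ftp             CNAME   land-5.com.
funn            A       206.6.177.2
ws-177200       A       206.6.177.200
                MX      10 land-5.com.
ws-177201       A       206.6.177.201
                MX      10 land-5.com.
"""

REVERSE_ORIGIN = "177.6.206.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 3D
@       IN      SOA     land-5.com. root.land-5.com. (
                        199609206 28800 7200 604800 86400 )
                NS      land-5.com.
                NS      ns2.psi.net.
1       PTR     router.land-5.com.
2       PTR     land-5.com.
2       PTR     funn.land-5.com.
200     PTR     ws-177200.land-5.com.
201     PTR     ws-177201.land-5.com.
"""

_TTL_TOKEN = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


def fqdn(name: str, origin: str) -> str:
    """Qualify a zone-file name: '@' is the origin, a trailing dot is absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str, origin: str) -> list[tuple[str, str, str]]:
    """Return (owner, type, rdata) triples with fully qualified owners.

    Handles $TTL/$ORIGIN, ';' comments, parenthesised continuations and
    owner inheritance (a record line starting with whitespace keeps the
    previous owner, which is why indentation in zone files matters).
    """
    text = "\n".join(re.sub(r";.*", "", line) for line in text.splitlines())
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    records, owner = [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)
        while tokens and (tokens[0].upper() == "IN" or _TTL_TOKEN.match(tokens[0])):
            tokens.pop(0)                       # optional TTL and class
        records.append((fqdn(owner, origin), tokens[0].upper(), " ".join(tokens[1:])))
    return records


def reverse_name(ip: str) -> str:
    """The in-addr.arpa (or ip6.arpa) owner name for an address, absolute."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone_network(origin: str) -> ipaddress.IPv4Network:
    """'177.6.206.in-addr.arpa.' -> 206.6.177.0/24 (octet-boundary zones only)."""
    labels = origin.rstrip(".").split(".")[:-2][::-1]      # ['206', '6', '177']
    octets = labels + ["0"] * (4 - len(labels))
    return ipaddress.ip_network(".".join(octets) + f"/{8 * len(labels)}")


def ptr_owner_ip(owner: str) -> str:
    """'200.177.6.206.in-addr.arpa.' -> '206.6.177.200'."""
    return ".".join(owner.rstrip(".").split(".")[:-2][::-1])


def check_reverse(forward, reverse, reverse_origin) -> list[str]:
    """Report A records without a matching PTR and PTRs without a matching A.

    The second check is what forward-confirmed reverse DNS relies on: a PTR
    on its own is asserted by whoever controls the reverse zone.
    """
    net = reverse_zone_network(reverse_origin)
    a_records = {(o, r) for o, t, r in forward if t == "A"}
    ptr_records = {(o, r) for o, t, r in reverse if t == "PTR"}
    findings = []
    for owner, ip in sorted(a_records):
        if ipaddress.ip_address(ip) not in net:
            continue                            # lives in someone else's reverse zone
        if (reverse_name(ip), owner) not in ptr_records:
            findings.append(f"no PTR for {owner} ({ip}); expected '{reverse_name(ip)} PTR {owner}'")
    for rev_owner, name in sorted(ptr_records):
        ip = ptr_owner_ip(rev_owner)
        if (name, ip) not in a_records:
            findings.append(f"PTR {rev_owner} -> {name} is not confirmed by an A record for {ip}")
    return findings


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, FORWARD_ORIGIN)
    rev = parse_zone(REVERSE_ZONE, REVERSE_ORIGIN)
    for line in check_reverse(fwd, rev, REVERSE_ORIGIN) or ["forward and reverse zones agree"]:
        print(line)
```

Addresses outside the reverse zone's network (127.0.0.1 and the www host at 207.159.141.192) are skipped rather than flagged, because their PTRs live in zones this server does not control.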

Thank you for reading!
If you have questions about this article, please contact the author: Sidney.J.Yellow@gmail.com