i.IT运维上分入门篇
a)【】
b)【】
c)【】
d)【】
e)【】
f)【】
g)【】
ii.IT运维上分初级篇
a)【】
b)【】
c)【】
d)【】
【正在更新】
e)【VMware虚拟化架构概述与兼容性查询】
f)【VMware虚拟化esxi安装】
g)【VMware虚拟化vCenter安装】
虚拟机 | 操作系统版本 | 角色 | ip 地址 | 域名 |
unbound | Redhat 8.4 | 缓存DNS服务器 | 172.16.50.194 | - |
BIND-dns1 | Redhat 8.4 | 权威主DNS服务器 | 172.16.50.195 | yunbee.net与50.16.172.in-addr.arpa |
BIND-dns2 | Redhat 8.4 | 权威备DNS服务器 | 172.16.50.196 | yunbee.net与50.16.172.in-addr.arpa |
BIND-dns3 | Redhat 8.4 | 权威DNS服务器 | 172.16.50.177 | ql.com与zj.yunbee.net |
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@localhost ~]# hostnamectl set-hostname bind-dns1 [root@bind-dns1 ~]# systemctl disable firewalld --now sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config [root@bind-dns1 ~]# setenforce 0 setenforce: SELinux is disabled
[root@bind-dns1 ~]# mount /dev/sr0 /mnt/ mount: /mnt: WARNING: device write-protected, mounted read-only. [root@localhost ~]# cat /etc/yum.repos.d/local_baseos.repo [local_BaseOS] name=local_baseOS baseurl=file:///mnt/BaseOS gpgcheck=0 [local_AppStream] name=local_AppStream baseurl=file:///mnt/AppStream gpgcheck=0 [root@localhost ~]# yum install bind -y [root@bind-dns1 ~]# rpm -qc bind /etc/logrotate.d/named /etc/named.conf /etc/named.rfc1912.zones /etc/named.root.key /etc/rndc.conf /etc/rndc.key /etc/sysconfig/named /var/named/named.ca /var/named/named.empty /var/named/named.localhost /var/named/named.loopback
options { listen-on port 53 { 172.16.50.195; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; ## 定义主目录 dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; secroots-file "/var/named/data/named.secroots"; recursing-file "/var/named/data/named.recursing"; allow-query { any; }; include "/etc/named.rfc1912.zones"; //see /etc/named.rfc1912.zones include "/etc/named.root.key"; zone "yunbee.net" IN { type master; ## 声明为主dns file "yunbee.net.zone"; ##/var/named/yunbee.net.zone 定义一个正向查询 yunbee.net.zone文件 }; zone "50.16.172.in-addr.arpa" IN { type master; ## 声明为主dns file "yunbee.arpa.zone"; ##/var/named/yunbee.arpa.zone 定义一个反向查询 yunbee.net.zone文件 };
listen-on port 53 { 172.16.50.195; }; 监听在哪个IP地址上
allow-query { any; }; 允许客户端访问查询的地址清单 (any 表示对所有来源放开; 若服务器可从外网访问, 建议只放行需要的网段或下面定义的 acl)
也可以定义访问列表
acl group1 { 172.16.50.0/24; }; office1, 假设这个是内网地址
acl group2 { 172.16.20.0/24; group1; }; office2, 假设这个是内网地址
acl group3 { 221.0.0.0/8; }; 假设这个是外网地址
你可以用 view 定义访问与传输控制, 下面是语法 (如果 DNS 服务器放置在公网 IP 上, 一般用 slave 节点配合 acl 做访问控制; 笔者没有试过, 感兴趣的小伙伴可以试试)
view "office" {
match-clients { "group2"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone";
allow-transfer { group2; };
};
zone "50.16.172.in-addr.arpa" IN {
type master;
file "yunbee.arpa.zone";
allow-transfer { group2; };
};
};
view "other-office" {
match-clients { "group3"; };
zone "." IN {
type hint;
file "named.ca";
};
zone "yunbee.net" IN {
type master;
file "yunbee.net.zone.bak";
allow-transfer { group3; };
};
};
[root@bind-dns1 named]# cp -a named.localhost yunbee.net.zone [root@bind-dns1 named]# ll total 24 drwxrwx---. 2 named named 6 Feb 15 2021 data drwxrwx---. 2 named named 6 Feb 15 2021 dynamic -rw-r-----. 1 root named 2253 Feb 15 2021 named.ca -rw-r-----. 1 root named 152 Feb 15 2021 named.empty -rw-r-----. 1 root named 152 Feb 15 2021 named.localhost -rw-r-----. 1 root named 168 Feb 15 2021 named.loopback drwxrwx---. 2 named named 6 Feb 15 2021 slaves -rw-r-----. 1 root named 168 Feb 15 2021 yunbee.arpa.zone -rw-r-----. 1 root named 152 Feb 15 2021 yunbee.net.zone
默认是缩写
cd /var/named; [root@bind-dns1 named]# vim yunbee.net.zone $TTL 1D ## 全局 (Time to live)缓存时间 @ IN SOA @ root.yunbee.net. ( 0 ; serial ##序号,每次修改时必需更新,且只能加大 1D ; refresh ##刷新时间 1H ; retry ##主从DNS连接失败时,重新尝试建立连接刷新 1W ; expire ##过期时间,重新尝试建立连接刷新到达这个值将不再尝试连接 3H ) ; minimum ## 查询失败的dns缓存 NS @ A 127.0.0.1 www A 172.16.50.30 www0 A 172.16.50.31 ftp CNAME www0
补全写法
[root@bind-dns1 named]# vim yunbee.net.zone $TTL 1D yunbee.net. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum yunbee.net. IN NS yunbee.net. yunbee.net. IN A 172.16.50.195 www.yunbee.net. IN A 172.16.50.30 www0.yunbee.net. IN A 172.16.50.31 ftp.yunbee.net. IN CNAME www0
简写
[root@bind-dns1 named]# cp -a named.loopback yunbee.arpa.zone [root@bind-dns1 named]# vim yunbee.arpa.zone $TTL 1D @ IN SOA @ root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 PTR localhost. 30 PTR www.yunbee.net. 31 PTR www0.yunbee.net. 30 PTR ftp.yunbee.net.
补全写法
$TTL 1D 50.16.172.in-addr.arpa. IN SOA 50.16.172.in-addr.arpa. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum 50.16.172.in-addr.arpa. IN NS 50.16.172.in-addr.arpa. 50.16.172.in-addr.arpa. IN A 172.16.50.195 195.50.16.172.in-addr.arpa. IN PTR 50.16.172.in-addr.arpa. 30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net. 31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
常用写法
$TTL 1D 50.16.172.in-addr.arpa. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum 50.16.172.in-addr.arpa. IN NS yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR www.yunbee.net. 31.50.16.172.in-addr.arpa. IN PTR www0.yunbee.net. 30.50.16.172.in-addr.arpa. IN PTR ftp.yunbee.net.
[root@bind-dns1 named]# named-checkconf /etc/named.conf [root@bind-dns1 named]# named-checkzone yunbee.net yunbee.net.zone zone yunbee.net/IN: loaded serial 0 OK [root@bind-dns1 named] # named-checkzone 50.16.172.in-addr.arpa yunbee.arpa.zone zone 50.16.172.in-addr.arpa/IN: loaded serial 0 OK [root@bind-dns1 named]# systemctl enable named --now Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service. [root@bind-dns1 named]# netstat -tupnl |grep 53 tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 3527/named tcp 0 0 172.16.50.195:53 0.0.0.0:* LISTEN 3527/named tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1892/dnsmasq tcp6 0 0 ::1:953 :::* LISTEN 3527/named tcp6 0 0 ::1:53 :::* LISTEN 3527/named
dig
dig查询DNS服务器。
查看www.baidu.com 解析的过程
dig -t A www.baidu.com +trace
host
host是一个DNS查找工具。
rndc
rndc控制BIND的操作。
rndc-confgen
rndc-confgen生成rndc.conf文件
named-checkconf
named-checkconf检查named.conf文件的语法。
named-checkzone
named-checkzone检查区域文件的合法性。
dig axfr @classroom.example.com example.com 下载example.com域里的信息 (需要 allow-transfer 放开; 生产环境 allow-transfer 应只放行备 DNS 的 IP, 否则任何人都能拿到整个区域的数据)
host -l example.com 下载example.com域里的信息 (同样需要 allow-transfer 放开)
[root@bind-dns1 named]# dig www.yunbee.net @172.16.50.195 ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> www.yunbee.net @172.16.50.195 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14301 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 90796274012a6bfe8721ebd5613db035692b46030af15e94 (good) ;; QUESTION SECTION: ;www.yunbee.net. IN A ;; ANSWER SECTION: www.yunbee.net. 86400 IN A 172.16.50.30 ;; AUTHORITY SECTION: yunbee.net. 86400 IN NS yunbee.net. ;; ADDITIONAL SECTION: yunbee.net. 86400 IN A 172.16.50.195 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:45:57 CST 2021 ;; MSG SIZE rcvd: 117 [root@bind-dns1 named]# dig -x 172.16.50.30 ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -x 172.16.50.30 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14845 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: 62f62f6fe747fd806770e97a613db08a5c92c7680172ae74 (good) ;; QUESTION SECTION: ;30.50.16.172.in-addr.arpa. IN PTR ;; ANSWER SECTION: 30.50.16.172.in-addr.arpa. 86400 IN PTR www.yunbee.net. 30.50.16.172.in-addr.arpa. 86400 IN PTR ftp.yunbee.net. ;; AUTHORITY SECTION: 50.16.172.in-addr.arpa. 86400 IN NS yunbee.net. ;; ADDITIONAL SECTION: yunbee.net. 86400 IN A 172.16.50.195 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:47:22 CST 2021 ;; MSG SIZE rcvd: 158
[root@bind-dns1 named]# host -l yunbee.net yunbee.net name server yunbee.net. yunbee.net has address 172.16.50.195 www.yunbee.net has address 172.16.50.30 www0.yunbee.net has address 172.16.50.31
[root@bind-dns1 named]# dig axfr @172.16.50.195 yunbee.net ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> axfr @172.16.50.195 yunbee.net ; (1 server found) ;; global options: +cmd yunbee.net. 86400 IN SOA yunbee.net. root.yunbee.net. 0 86400 3600 604800 10800 yunbee.net. 86400 IN NS yunbee.net. yunbee.net. 86400 IN A 172.16.50.195 ftp.yunbee.net. 86400 IN CNAME www0.yunbee.net. www.yunbee.net. 86400 IN A 172.16.50.30 www0.yunbee.net. 86400 IN A 172.16.50.31 yunbee.net. 86400 IN SOA yunbee.net. root.yunbee.net. 0 86400 3600 604800 10800 ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Sun Sep 12 15:52:36 CST 2021 ;; XFR size: 7 records (messages 1, bytes 233)
[root@localhost ~]# mount /dev/sr0 /mnt/ mount: /mnt: WARNING: device write-protected, mounted read-only. [root@localhost ~]# yum install bind -y
[root@bind-dns1 ~]# ip a s |grep ens192|grep inet inet 172.16.50.196/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@localhost ~]# hostnamectl set-hostname bind-dns2 [root@bind-dns1 ~]# systemctl disable firewalld --now sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config [root@bind-dns1 ~]# setenforce 0 setenforce: SELinux is disabled
[root@localhost ~]# vim /etc/named.conf zone "yunbee.net" IN { type master; file "yunbee.net.zone"; allow-transfer { 172.16.50.196; }; ## 备DNS IP also-notify { 172.16.50.196; }; ##备DNS IP }; zone "50.16.172.in-addr.arpa" IN { type master; file "yunbee.arpa.zone"; allow-transfer { 172.16.50.196; }; ##备DNS IP also-notify { 172.16.50.196; }; ##备DNS IP };
[root@localhost ~]# sed -i 's/127.0.0.1;/172.16.50.196;/' /etc/named.conf [root@localhost ~]# sed -i 's/localhost;/any;/' /etc/named.conf [root@localhost ~]# vim /etc/named.conf include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "yunbee.net" IN { type slave; file "yunbee.net.zone"; masters { 172.16.50.195; }; #主DNS IP also-notify { 172.16.50.195; }; #主DNS IP }; zone "50.16.172.in-addr.arpa" IN { type slave; file "yunbee.arpa.zone"; masters { 172.16.50.195; }; #主DNS IP also-notify { 172.16.50.195; }; #主DNS IP }; systemctl enable named --now [root@localhost ~]# netstat -tunpl |grep :53 tcp 0 0 172.16.50.196:53 0.0.0.0:* LISTEN 32966/named tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1897/dnsmasq udp 0 0 172.16.50.196:53 0.0.0.0:* 32966/named udp 0 0 192.168.122.1:53 0.0.0.0:* 1897/dnsmasq udp 0 0 0.0.0.0:5353 0.0.0.0:* 1009/avahi-daemon: [root@bind-dns2 ~]# cd /var/named/ [root@bind-dns2 named]# ll total 24 drwxrwx--- 2 named named 23 Sep 12 16:11 data drwxrwx--- 2 named named 60 Sep 12 16:11 dynamic -rw-r----- 1 root named 2253 Feb 15 2021 named.ca -rw-r----- 1 root named 152 Feb 15 2021 named.empty -rw-r----- 1 root named 152 Feb 15 2021 named.localhost -rw-r----- 1 root named 168 Feb 15 2021 named.loopback drwxrwx--- 2 named named 6 Feb 15 2021 slaves -rw-r--r-- 1 named named 326 Sep 12 16:11 yunbee.arpa.zone -rw-r--r-- 1 named named 331 Sep 12 16:11 yunbee.net.zone [root@bind-dns2 named]# nslookup www.yunbee.net Server: 172.16.50.196 Address: 172.16.50.196#53 Name: www.yunbee.net Address: 172.16.50.30
[root@cache-dns ~]# cat /etc/unbound/conf.d/yunbee.com.conf server: interface: 172.16.50.194 access-control: 0.0.0.0/0 allow domain-insecure: "com." domain-insecure: "cn." domain-insecure: "net." forward-zone: name: "." forward-addr: 172.16.50.196
在企业里面一般采用多套bind做权威DNS,客户端采用unbound服务器,笔者环境当前客户端连接也是unbound DNS服务器。注意上面 unbound 配置中 access-control: 0.0.0.0/0 allow 对任意来源开放递归查询, domain-insecure 关闭了对 com./cn./net. 的 DNSSEC 校验, 这只适合内网实验环境; 生产环境应把 access-control 收紧到内网网段。
C:\Users\Administrator>ping www.baidu.com 正在 Ping www.a.shifen.com [14.215.177.39] 具有 32 字节的数据: 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 来自 14.215.177.39 的回复: 字节=32 时间=26ms TTL=51 14.215.177.39 的 Ping 统计信息: 数据包: 已发送 = 3,已接收 = 3,丢失 = 0 (0% 丢失), 往返行程的估计时间(以毫秒为单位): 最短 = 26ms,最长 = 26ms,平均 = 26ms C:\Users\Administrator>nslookup www0.yunbee.net 服务器: UnKnown Address: 172.16.50.194 非权威应答: 名称: www0.yunbee.net Address: 172.16.50.31
vim /etc/named.conf zone "yunbee.net" IN { type master; file "yunbee.net.zone"; allow-transfer { 172.16.50.196; }; also-notify { 172.16.50.196; }; }; zone "50.16.172.in-addr.arpa" IN { type master; file "yunbee.arpa.zone"; allow-transfer { 172.16.50.196; }; also-notify { 172.16.50.196; }; }; /////////////////////// 可以将ql.com 这个域的查询转发到 172.16.50.177 zone "ql.com" IN { type forward; forwarders { 172.16.50.177; }; }; [root@bind-dns3 named]# vim /etc/named.conf zone "ql.com" IN { type master; file "ql.com.zone"; }; zone "20.16.172.in-addr.arpa" IN { type master; file "ql.arpa.zone"; }; zone "50.16.172.in-addr.arpa" IN { type master; file "ql.arpa.50.zone"; }; [root@bind-dns3 named]# cat ql.com.zone $TTL 1D @ IN SOA @ root.ql.com. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 127.0.0.1 vcenter A 172.16.20.210 www A 172.16.20.200 www0 A 172.16.20.199 host1 A 172.16.50.50 host2 A 172.16.50.51 host3 A 172.16.50.52 [root@bind-dns1 ~]# hostname bind-dns1 [root@bind-dns1 ~]# nslookup www.ql.com Server: 172.16.50.195 Address: 172.16.50.195#53 Non-authoritative answer: Name: www.ql.com Address: 172.16.20.200 [root@bind-dns1 ~]# nslookup host1.ql.com Server: 172.16.50.195 Address: 172.16.50.195#53 Non-authoritative answer: Name: host1.ql.com Address: 172.16.50.50
zj.yunbee.net -->172.16.50.177
[root@bind-dns3 named]# hostname bind-dns3 [root@bind-dns3 named]# ip a s |grep ens192|grep inet inet 172.16.50.177/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@bind-dns3 named]# [root@bind-dns3 named]# tail -30 /etc/named.conf include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; zone "zj.yunbee.net" IN { type master; file "zj.yunbee.net.zone"; }; [root@bind-dns3 named]# cat zj.yunbee.net.zone $TTL 1D @ IN SOA @ root.zj.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS @ A 172.16.50.177 qlhost1 A 172.16.20.10 qlhost2 A 172.16.20.11 qlhost3 A 172.16.20.99 [root@bind-dns1 named]# hostname bind-dns1 [root@bind-dns1 named]# ip a s |grep ens192|grep inet inet 172.16.50.195/24 brd 172.16.50.255 scope [root@bind-dns1 named]# cat yunbee.net.zone $TTL 1D yunbee.net. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum yunbee.net. IN NS yunbee.net. yunbee.net. IN A 172.16.50.195 www.yunbee.net. IN A 172.16.50.30 www0.yunbee.net. IN A 172.16.50.31 ftp.yunbee.net. IN CNAME www0 zj.yunbee.net. IN NS zj.yunbee.net. zj.yunbee.net. IN A 172.16.50.177 [root@bind-dns1 named]# hostname bind-dns1 [root@bind-dns1 named]# ip a s |grep ens192|grep inet inet 172.16.50.195/24 brd 172.16.50.255 scope global noprefixroute ens192 [root@bind-dns1 named]# [root@bind-dns1 named]# cat yunbee.net.zone $TTL 1D yunbee.net. IN SOA yunbee.net. root.yunbee.net. ( 0 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum yunbee.net. IN NS yunbee.net. yunbee.net. IN A 172.16.50.195 www.yunbee.net. IN A 172.16.50.30 www0.yunbee.net. IN A 172.16.50.31 ftp.yunbee.net. IN CNAME www0 zj.yunbee.net. IN NS zj.yunbee.net. zj.yunbee.net. 
IN A 172.16.50.177 [root@bind-dns1 named]# nslookup qlhost1.zj.yunbee.net Server: 172.16.50.195 Address: 172.16.50.195#53 Non-authoritative answer: Name: qlhost1.zj.yunbee.net Address: 172.16.20.10 [root@bind-dns1 named]# dig -t A qlhost1.zj.yunbee.net @172.16.50.195 ; <<>> DiG 9.11.26-RedHat-9.11.26-3.el8 <<>> -t A qlhost1.zj.yunbee.net @172.16.50.195 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9141 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ; COOKIE: bb7387e025885a188f05e654613ec6dc7b348ab522ba7c99 (good) ;; QUESTION SECTION: ;qlhost1.zj.yunbee.net. IN A ;; ANSWER SECTION: qlhost1.zj.yunbee.net. 85890 IN A 172.16.20.10 ;; AUTHORITY SECTION: zj.yunbee.net. 86400 IN NS zj.yunbee.net. ;; Query time: 0 msec ;; SERVER: 172.16.50.195#53(172.16.50.195) ;; WHEN: Mon Sep 13 11:34:52 CST 2021 ;; MSG SIZE rcvd: 108
本篇完