тип_запроса (аргумент -q= у nslookup, -t у host, позиционный у dig): A, PTR, NS, MX, SRV, AXFR
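# The same DNS questions asked with the three usual client tools.
# Fix from the original listing: "nslookup >ya.ru" is a shell redirection --
# stdout goes into a file called ya.ru and nslookup gets no name to query.
#
# --- nslookup ---
nslookup ya.ru                                # A record via the resolver from resolv.conf
nslookup mx.bmstu.ru
nslookup 195.19.32.1                          # address -> name (PTR)
nslookup -q=NS bmstu.ru
# AXFR hands out the whole zone; the server decides (allow-transfer) whether
# to answer. Run it only against servers you are allowed to test.
nslookup -q=AXFR bmstu.ru 195.19.32.2         # originally run from noc
nslookup -q=MX bmstu.ru 195.19.32.2
nslookup -q=SRV _xmpp-client._tcp.bmstu.ru    # service records: XMPP, Kerberos, SIP
nslookup -q=SRV _kerberos._udp.bmstu.ru
nslookup -q=SRV _sip._udp.bmstu.ru
#
# --- host ---
host mx.bmstu.ru
host 195.19.32.1
host -t NS bmstu.ru
host -v -t NS .                               # the root NS set, verbose
host -v -t NS ru. 192.33.4.12                 # ask the given server (presumably a root server) for the ru. delegation
host -v -t NS bmstu.ru. 194.190.124.17        # ask the given server (presumably a ru. server) for the bmstu.ru delegation
host -t MX bmstu.ru 195.19.32.2
host -t AXFR bmstu.ru 195.19.32.2
#
# --- dig ---
dig mx.bmstu.ru
dig -x 195.19.32.1                            # -x builds the in-addr.arpa name for you
dig NS bmstu.ru
dig MX bmstu.ru @195.19.32.2                  # @server picks the server to ask
dig AXFR bmstu.ru @195.19.32.2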
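# Resolver configuration on the two lab hosts. resolv.conf takes one
# directive per line; the original listing had "domain" and "nameserver"
# run together on one line, which the resolver would not parse.
#
# gate resolves through the lab DNS server ...
gate# cat /etc/resolv.conf
domain corpX.un
nameserver 192.168.X.10
# ... while server, which runs named itself, asks its own loopback.
server# cat /etc/resolv.conf
domain corpX.un
nameserver 127.0.0.1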
# Installing BIND 9 on the three platforms this course uses.
# Debian/Ubuntu: the service is called bind9 and the config lives in /etc/bind.
root@server:~# apt install bind9
# RHEL family: the service is "named"; bind-utils brings dig/host/nslookup.
# "systemctl enable" only arranges the start at boot, it does not start it now.
# yum install bind bind-utils -y # systemctl enable named
# FreeBSD: the package name carries the BIND version (bind99 here -- pick the
# current one); config lives under /usr/local/etc/namedb.
[server:~] # pkg install bind99 [server:~] # cat /usr/local/etc/namedb/named.conf
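options {
    directory "/usr/local/etc/namedb/working";
    pid-file "/var/run/named/pid";
    // Who may use this server as a recursive resolver. The original had
    // "any", which makes the host an open resolver: anyone on the Internet
    // can use it for DNS amplification and cache-poisoning attempts.
    // "localnets" (the networks of the server's own interfaces) and
    // "localhost" are BIND built-in ACLs, so nothing is hard-coded here;
    // a later section of this course replaces this with an explicit list
    // of lab subnets.
    allow-recursion { localnets; localhost; };
};
// Root hints: the list of root servers recursion starts from.
zone "." {
    type hint;
    file "/usr/local/etc/namedb/named.root";
};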
# Check the syntax before touching the service; "service named rcvar" shows
# which rc.conf variable enables it at boot.
[server:~] # named-checkconf [server:~] # service named rcvar [server:~] # cat /etc/rc.conf
... named_enable="YES" ...
[server:~] # service named start
root@server:~# cat /etc/bind/named.conf.options
// Debian keeps the global options in this file; named.conf includes it.
options {
...
// Everything this server cannot answer from its own zones or cache is sent
// to the upstream (ISP) resolver instead of being resolved from the root
// hints. Without "forward only;" named falls back to normal recursion when
// the forwarder does not answer.
forwarders {
172.16.1.254;
};
...
// NOTE(review): DNSSEC validation is switched off here (the line is
// commented out) -- presumably because the isolated lab cannot reach the
// root servers to fetch the trust anchor. On any resolver with Internet
// access keep "dnssec-validation auto;": without it, forged answers from
// the forwarder or an on-path attacker are accepted as genuine.
// dnssec-validation auto;
...
};
root@server:~# named-checkconf root@server:~# service bind9 restart
server# cat named.conf
// FreeBSD variant of the same change: forward unresolved queries to the
// ISP's resolver. Same caveat as on Debian -- without "forward only;"
// named still recurses on its own when 172.16.1.254 is silent, and DNSSEC
// validation is not enabled in this lab configuration.
options {
...
forwarders {
172.16.1.254;
};
...
};
...
[server:~] # named-checkconf [server:~] # service named restart
server# cat /etc/bind/corpX.un
; Forward zone for the lab domain corpX.un (X = group number).
; Names without a trailing dot are relative to the zone origin: "ns" is
; ns.corpX.un. and the SOA mailbox "root.server" means root@server.corpX.un.
$TTL 3h
@       IN  SOA ns root.server (
                1       ; serial -- increase it on every edit, secondaries compare it
                1d      ; refresh
                12h     ; retry
                1w      ; expire
                3h )    ; negative-answer TTL
        IN  NS  ns
;       IN  A   192.168.X.10    ; apex address, currently disabled
;       IN  MX  1 server        ; mail exchangers, currently disabled
;       IN  MX  2 gate
ns      IN  A   192.168.X.10
server  IN  A   192.168.X.10
gate    IN  A   192.168.X.1
;test   1h  IN  A   192.168.X.10
;nfs    IN  CNAME server
;samba  IN  CNAME server
;ftp    IN  CNAME server
;www    IN  CNAME server
;user1  IN  CNAME server
;mail   IN  CNAME server
;ntp    IN  CNAME gate
;proxy  IN  A   172.16.1.X
; $GENERATE writes one A record per number in the range ("$" is replaced):
; node1..node100 -> 192.168.X.1..100
;$GENERATE 1-100 node$ IN A 192.168.X.$
; ...or node1-9 -> .201-.209 and node10-54 -> .210-.254 (two ranges so
; the last octet keeps three digits)
;$GENERATE 1-9 node$ IN A 192.168.X.20$
;$GENERATE 10-54 node$ IN A 192.168.X.2$
;$GENERATE 1-9 kube$ IN A 192.168.X.22$
; Service discovery records: SRV priority weight port target
;_sip._udp           IN  SRV 0 0 5060 server
;_xmpp-client._tcp   IN  SRV 0 0 5222 server
;_kerberos._udp      IN  SRV 01 00 88 server
;_kerberos._tcp      IN  SRV 01 00 88 server
;_kerberos           IN  TXT CORPX.UN       ; Kerberos realm for DNS-based realm lookup
server# named-checkzone corpX.un /etc/bind/corpX.un
root@server:~# cat /etc/bind/named.conf.local
// Locally defined zones (named.conf includes this file). This server is
// the primary ("master") for corpX.un and loads it from the file above.
...
zone "corpX.un" {
type master;
file "/etc/bind/corpX.un";
};
// -z also loads and checks every zone file, not just named.conf; rndc reload
// applies the change without a restart. Then resolve a name from the new
// zone through the local resolver (resolv.conf points at 127.0.0.1).
root@server:~# named-checkconf -z root@server:~# rndc reload
server# nslookup -q=A server.corpX.un
server# cat /etc/bind/corpX.un
; Second NS: the ISP's server becomes a secondary for corpX.un, so the zone
; stays resolvable when this server is down. The secondary must be allowed
; to transfer the zone (allow-transfer, configured later) and learns about
; changes through NOTIFY plus the serial -- the listing still shows serial 1,
; so bump it, otherwise the secondary will not pick up the new NS record.
$TTL 3h
corpX.un. SOA ns root.server 1 1d 12h 1w 3h
NS ns
NS ns.isp.un.
...
server# named-checkzone corpX.un /etc/bind/corpX.un server# rndc reload
; NOTE(review): the transfer test asks ns.isp.un for "compX.un", not the
; "corpX.un" zone edited above -- presumably another group's zone (the next
; section also slaves compX.un); confirm the intended name.
server# nslookup -q=AXFR compX.un ns.isp.un
root@server:~# cat /etc/bind/named.conf.local
// Secondary ("slave") copy of compX.un, transferred from the ISP's server.
// named writes the transferred zone itself, so the file must live in a
// directory the bind user can write (/var/cache/bind on Debian).
...
zone "compX.un" {
type slave;
file "/var/cache/bind/compX.un";
// NOTE(review): the transfer is not authenticated -- an on-path attacker
// able to impersonate 172.16.1.254 could feed this server a forged zone.
// A TSIG key shared with the primary would close that gap; it is not part
// of this lesson.
masters {
172.16.1.254;
};
};
// Recent BIND stores secondary zones in its binary "raw" format;
// named-compilezone -f raw -F text turns the file back into readable text.
root@server:~# named-checkconf -z root@server:~# rndc reload root@server:~# ls /var/cache/bind/ root@server:~# named-compilezone -f raw -F text -o - compX.un /var/cache/bind/compX.un
ns.un# cat un
; Excerpt from the ISP's "un" zone: every group's corpN.un is delegated to
; the group's own server (ns.corpN) with the ISP's server as second NS.
; A line with an empty owner field (the bare "NS ns.isp.un.") belongs to
; the owner of the previous line, i.e. corpN.
; The ns.corpN A records are glue: the child zone's nameserver lives inside
; the delegated zone, so the parent has to hand out its address or the
; delegation could never be followed.
...
ns.isp A 172.16.1.254
...
ns.corp1 A 192.168.1.10
...
ns.corp16 A 192.168.16.10
corp1 NS ns.corp1.un.
NS ns.isp.un.
...
corp16 NS ns.corp16.un.
NS ns.isp.un.
...
ns.un# cat named.conf
// On the ISP's server the groups' zones are forward zones: a query for
// corpN.un that reaches this server is sent to the group's own server first
// and to 172.16.1.254 (ns.isp, presumably this host) as a fallback.
// Without "forward only;" named resolves the name itself when neither
// forwarder answers.
...
zone "corp1.un" IN {
type forward;
forwarders {
192.168.1.10;
172.16.1.254;
};
};
...
zone "corp16.un" IN {
type forward;
forwarders {
192.168.16.10;
172.16.1.254;
};
};
...
server# cat /etc/bind/corpX.rev
; Reverse zone for 192.168.X.0/24. The origin is X.168.192.in-addr.arpa, so
; each record owner is just the last octet of the address; targets are
; written fully qualified (trailing dot) because they live in another zone.
$TTL 3h
@   IN  SOA ns.corpX.un. root.server.corpX.un. (
            1       ; serial
            1d      ; refresh
            12h     ; retry
            1w      ; expire
            3h )    ; negative-answer TTL
    IN  NS  ns.corpX.un.
1   IN  PTR gate.corpX.un.
10  IN  PTR server.corpX.un.
server# named-checkzone X.168.192.IN-ADDR.ARPA /etc/bind/corpX.rev
root@server:~# cat /etc/bind/named.conf.local
// Primary for the reverse zone; zone names are case-insensitive, so
// X.168.192.IN-ADDR.ARPA and x.168.192.in-addr.arpa are the same zone.
...
zone "X.168.192.IN-ADDR.ARPA" {
type master;
file "/etc/bind/corpX.rev";
};
// Check, restart, then verify both directions resolve.
root@server:~# named-checkconf -z root@server:~# service bind9 restart
server# nslookup -q=PTR 192.168.X.10 server# nslookup -q=A server.corpX.un
Создание двух файлов зоны corpX.un — для внутренних и для внешних пользователей (split-horizon DNS: какой файл отдавать, named выбирает по адресу клиента через views)
server# cat /etc/bind/corpX.un
; Internal version of the zone: apex A and MX are now enabled. Every
; address here is private (192.168.X.0/24) and must only be shown to
; clients inside the lab network -- see the "inside" view below.
$TTL 3h
corpX.un. SOA ns root.server 1 1d 12h 1w 3h
NS ns
MX 1 server
A 192.168.X.10
ns A 192.168.X.10
server A 192.168.X.10
gate A 192.168.X.1
...
server# cat /etc/bind/corpX.un.out
; External version of the same zone, served to everyone outside the lab
; network. Every name maps to the single public address 172.16.1.X
; (presumably gate's outside interface, with the services forwarded), and
; the ISP's server is listed as second NS so the zone stays reachable when
; this server is not. Nothing here discloses internal 192.168 addresses or
; hosts that need not be public -- that is the point of the split.
$TTL 3h
corpX.un. SOA ns root.server 1 1d 12h 1w 3h
NS ns
NS ns.isp.un.
MX 1 server
A 172.16.1.X
ns A 172.16.1.X
server A 172.16.1.X
gate A 172.16.1.X
mail CNAME server
;...
Настройка сервера
root@server:~# less /etc/bind/named.conf.local
// Unchanged: both internal zones (forward and reverse) stay in
// named.conf.local; named.conf below pulls this file into the "inside"
// view, so these definitions are only visible to internal clients.
zone "corpX.un" {
type master;
file "/etc/bind/corpX.un";
};
zone "X.168.192.IN-ADDR.ARPA" {
type master;
file "/etc/bind/corpX.rev";
};
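root@server:~# cat /etc/bind/named.conf
// Split-horizon DNS: the same zone name is answered from different files
// depending on who asks. named tries the views in order and uses the first
// one whose match-clients fits the source address, so the internal view has
// to come first; "outside" has no match-clients and takes everyone else.
include "/etc/bind/named.conf.options";
view "inside" {
    match-clients {
        192.168.X/24;
        127/8;
    };
    // Internal zone data plus the root hints / localhost zones, so internal
    // clients get full recursion from this view.
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
};
view "outside" {
    // Public face: only the external copy of corpX.un is served. This view
    // has no root hints anyway, but say so explicitly so that the server
    // never acts as a resolver for the Internet (open-resolver abuse) and
    // refuses external queries for names it is not authoritative for
    // instead of attempting to recurse.
    recursion no;
    zone "corpX.un" {
        type master;
        file "/etc/bind/corpX.un.out";
    };
};
root@server:~# service bind9 restart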
# FreeBSD: dynamically updated zones move to namedb/dynamic (writable by
# named), and the DHCP server on gate gets a copy of the TSIG key it will
# sign updates with.
# NOTE(review): rndc.key is named's *control* key -- if the control channel
# is reachable from gate, whoever holds this file can also stop or
# reconfigure named. A separate key for DHCP updates (tsig-keygen), limited
# by update-policy to the names DHCP manages, would be the least-privilege
# choice. Also set owner and mode of the copy on gate explicitly: only the
# daemon that signs updates should be able to read it.
server# mv /usr/local/etc/namedb/master/corp* /usr/local/etc/namedb/dynamic/ server# scp /usr/local/etc/namedb/rndc.key gate:/usr/local/etc/ server# cat /usr/local/etc/namedb/named.conf
...
// Dynamic updates (RFC 2136) for both zones, authorised by TSIG signature
// with the key named "rndc-key". allow-update with a key grants the key
// holder the right to change *any* record in the zone, including NS and
// SOA; update-policy { grant <key> ... } would restrict it to the names
// and record types DHCP actually needs.
zone "corpX.un" {
allow-update { key "rndc-key"; };
// The zone file and its journal (.jnl) are now written by named itself.
file "/usr/local/etc/namedb/dynamic/corpX.un";
...
zone "X.168.192.IN-ADDR.ARPA" {
allow-update { key "rndc-key"; };
file "/usr/local/etc/namedb/dynamic/corpX.rev";
...
// Relative path -- confirm it resolves to /usr/local/etc/namedb/rndc.key.
// Including the key file keeps the secret out of named.conf itself.
include "rndc.key";
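# Debian: move the zone files where named (user "bind") can write them and
# their journals, and give the DHCP server on gate the TSIG key it signs
# updates with.
server# mv /etc/bind/corp* /var/cache/bind/
server# chown -R bind /var/cache/bind/
server# scp /etc/bind/rndc.key gate:/etc/dhcp/
# Do not rely on scp to carry the right mode: dhcpd has to read the key and
# nobody else should, and chown alone leaves the group/other bits as they
# were. Set the mode explicitly.
server# ssh gate "chown dhcpd /etc/dhcp/rndc.key && chmod 600 /etc/dhcp/rndc.key"
# NOTE(review): rndc.key is named's control key; a dedicated update key
# (tsig-keygen) limited by update-policy would be the least-privilege
# choice, but the dhcpd configuration that references "rndc-key" is outside
# this listing, so the key name is kept.
server# cat /etc/bind/named.conf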
...
// Debian counterpart: dynamic updates on both zones, authorised by the TSIG
// key "rndc-key". allow-update with a key lets the key holder rewrite any
// record in the zone (NS and SOA included); update-policy would limit the
// DHCP server to the host names it hands out.
zone "corpX.un" {
...
allow-update { key "rndc-key"; };
};
...
zone "X.168.192.IN-ADDR.ARPA" {
...
allow-update { key "rndc-key"; };
};
...
// The key stays in its own file (readable by root and the bind group) so
// the secret is not copied around with named.conf.
include "/etc/bind/rndc.key";
ns.domain1.mgtu.ru:~# vim /etc/bind/domain1.mgtu.ru
; Delegate the ACME challenge name out of the parent zone. certbot only
; ever needs to write _acme-challenge.site4 (the same name is used for the
; wildcard certificate), so that name becomes a zone of its own with its own
; TSIG key and update-policy, and the key never gets write access to
; domain1.mgtu.ru itself (least privilege). The wildcard below does not
; interfere: _acme-challenge.site4 has explicit records, so it is an exact
; match and the wildcard is never consulted for it.
...
site4 A 195.19.40.59
*.site4 A 195.19.40.59
_acme-challenge.site4 NS ns
...
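# A dedicated TSIG key for certbot on site4, used only for its challenge
# zone. -a writes the key file instead of printing it; HMAC-SHA512 is the
# strongest algorithm rndc-confgen offers.
ns.domain1.mgtu.ru:~# rndc-confgen -a -A hmac-sha512 -k "certbot.site4" -c /etc/bind/certbot.site4.key
# named runs as "bind" and reads the file through the group bits, so make
# sure the group really is bind before relaxing the mode; rndc-confgen
# writes the file owned by the invoking user (root) and chmod alone does not
# change the group.
ns.domain1.mgtu.ru:~# chown root:bind /etc/bind/certbot.site4.key
ns.domain1.mgtu.ru:~# chmod 640 /etc/bind/certbot.site4.key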
ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf
// The key is included at top level so the zone's update-policy can refer
// to it by name. Keeping it in its own 0640 root:bind file rather than
// inline here keeps the secret out of named.conf copies, backups and diffs.
...
include "/etc/bind/certbot.site4.key";
...
ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf.local
...
zone "_acme-challenge.site4.domain1.mgtu.ru" {
type master;
// /var/lib/bind is writable by the bind user, which a dynamic zone needs.
file "/var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru";
// Least-privilege update rights: the certbot.site4 key may only change TXT
// records at exactly this one name ("name" rule, type txt). Contrast with
// allow-update { key ...; }, which lets the key holder rewrite every record
// in the zone, NS and SOA included.
update-policy {
grant certbot.site4 name _acme-challenge.site4.domain1.mgtu.ru. txt;
};
};
...
ns.domain1.mgtu.ru:~# sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru
; Zone file for the delegated challenge zone. It is created as user "bind"
; because named (running as bind) will rewrite it and its journal after
; dynamic updates. Only the SOA and NS are needed; certbot adds the TXT.
$TTL 30 ; 30 seconds -- short, so a freshly added TXT is seen by the CA quickly
; mailbox "noc.bmstu.ru." means noc@bmstu.ru
_acme-challenge.site4.domain1.mgtu.ru. IN SOA ns.domain1.mgtu.ru. noc.bmstu.ru. (
9 ; serial
86400 ; refresh (1 day)
43200 ; retry (12 hours)
604800 ; expire (1 week)
30 ; minimum (30 seconds) -- negative-answer TTL, keep short for ACME
)
NS ns.domain1.mgtu.ru.
# NOTE(review): the key generated above is /etc/bind/certbot.site4.key;
# this command names /etc/bind/certbot.key -- presumably a different file,
# confirm the path before relying on it.
ns.domain1.mgtu.ru:~# nsupdate -k /etc/bind/certbot.key
# Manual update from the web host, the same way certbot will do it.
# bind9-dnsutils provides nsupdate and dig.
site4.domain1.mgtu.ru:~# apt install bind9-dnsutils
# -k: sign every message with the TSIG key; the signature is what authorises
# the update on the server side.
site4.domain1.mgtu.ru:~# nsupdate -k certbot.key
# "server" picks where the update is sent; the second line overrides the
# first (presumably the web host runs no named of its own, so it has to be
# the address of ns).
> server 127.0.0.1
> server 195.19.40.42
> zone _acme-challenge.site4.domain1.mgtu.ru
# add and del are alternatives -- both in one "send" are applied in order
# and leave the record removed again.
> update add _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2"
> update del _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2"
> send
site4.domain1.mgtu.ru:~# dig TXT _acme-challenge.site4.domain1.mgtu.ru
# Editing a dynamic zone by hand requires freezing it first (the journal is
# flushed and updates are refused) and thawing afterwards; left commented
# because certbot manages the records.
ns.domain1.mgtu.ru:~# ###rndc freeze _acme-challenge.site4.domain1.mgtu.ru.
ns.domain1.mgtu.ru:~# ###sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru
ns.domain1.mgtu.ru:~# ###rndc thaw _acme-challenge.site4.domain1.mgtu.ru.
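site4.domain1.mgtu.ru:~# apt install python3-certbot-dns-rfc2136
# Credentials for certbot's RFC 2136 plugin: where to send the signed update
# and the TSIG key generated on ns. The secret shown here looks redacted
# (a run of N) -- paste the real "secret" value from certbot.site4.key on ns.
site4.domain1.mgtu.ru:~# cat /etc/certbot-credentials.ini
dns_rfc2136_server = 195.19.40.42
dns_rfc2136_port = 53
dns_rfc2136_name = certbot.site4
dns_rfc2136_secret = QV8VQ+B8wv+nj/fE7DoqUmFLZWeNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNzFE8TjiwfnxO5MNg==
dns_rfc2136_algorithm = HMAC-SHA512
# The file holds a key that can rewrite the challenge zone, i.e. obtain
# certificates for these names: owner-only access. certbot warns about any
# group/other permission bits, hence 600 rather than the 640 of the original.
site4.domain1.mgtu.ru:~# chmod 600 /etc/certbot-credentials.ini
# Host plus wildcard; the wildcard is what requires DNS-01 validation.
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot-credentials.ini -d 'site4.domain1.mgtu.ru' -d '*.site4.domain1.mgtu.ru'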
# Variant on valtest, where named runs on the web host itself. The key name
# is "certbot." -- the trailing dot is part of the TSIG key name and must be
# reproduced exactly in the credentials file.
rndc-confgen -a -A hmac-sha512 -k "certbot." -c /etc/bind/certbot.key
# 640 is only safe if the file's group is bind (named must read it, nobody
# else should); check with ls -l and chown root:bind if needed.
valtest:~# chmod 640 /etc/bind/certbot.key
# Shows the secret on the terminal -- only to copy it into the credentials
# file; beware of terminal logging.
more /etc/bind/certbot.key
valtest:~# cat /etc/bind/named.conf
...
include "/etc/bind/certbot.key";
sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru
valtest:~# cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru
; Challenge zone on valtest, edited as user bind because named rewrites the
; file after dynamic updates. ns.bmstu.ru is listed as a second NS (and is
; allowed to transfer the zone, see below), so the CA may query either
; server: the secondary has to receive the NOTIFY and transfer the zone
; before the challenge is checked.
$TTL 300 ; 5 minutes
; mailbox "val.bmstu.ru." means val@bmstu.ru
_acme-challenge.valtest.bmstu.ru. IN SOA valtest.bmstu.ru. val.bmstu.ru. (
2020050828 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
86400 ; expire (1 day) -- the original comment said "1 week"; 86400 s is one day, so the secondary drops the zone after a day without contact
86400 ; minimum (1 day)
)
NS valtest.bmstu.ru.
NS ns.bmstu.ru.
$TTL 60 ; 1 minute -- applies to the records that follow
TXT "127.0.0.8"
valtest:~# cat /etc/bind/named.conf.local
...
zone "_acme-challenge.valtest.bmstu.ru" {
type master;
file "/var/lib/bind/_acme-challenge.valtest.bmstu.ru";
// Only the secondary (195.19.32.2) may pull the zone; everyone else gets
// REFUSED on AXFR. NOTIFY goes to the NS records by default, so
// ns.bmstu.ru learns about updates without further configuration.
allow-transfer {195.19.32.2;};
// The "certbot." key may only change TXT records at this exact name.
update-policy {
grant certbot. name _acme-challenge.valtest.bmstu.ru. txt;
};
};
# Manual, TSIG-signed update against the local named to prove the
# update-policy works before letting certbot do it.
valtest:~# nsupdate -k /etc/bind/certbot.key
> server 127.0.0.1
> zone _acme-challenge.valtest.bmstu.ru
> update add _acme-challenge.valtest.bmstu.ru. 300 IN TXT "your_txt_record_data 1"
> send
# Should show the TXT just added (answered from the local server).
valtest:~# dig TXT _acme-challenge.valtest.bmstu.ru
# On the secondary: convert its raw-format copy to text to confirm the
# updated zone was transferred.
root@ns:~# named-compilezone -f raw -F text -o - _acme-challenge.valtest.bmstu.ru /var/cache/bind/ru/_acme-challenge.valtest.bmstu
# On the primary: "sync" writes the pending journal into the zone file;
# freeze/thaw bracket a manual edit of a dynamic zone (freeze syncs and
# stops accepting updates, thaw reloads the file and re-enables them).
valtest:~# rndc sync _acme-challenge.valtest.bmstu.ru
valtest:~# rndc freeze _acme-challenge.valtest.bmstu.ru.
valtest:~# sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru
valtest:~# rndc thaw _acme-challenge.valtest.bmstu.ru.
valtest:~# ###cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru
# Example of what the secondary logs when the primary cannot serve the zone
# (e.g. it failed to load after the manual edit -- check named's log on the
# primary): the refresh gets SERVFAIL and the secondary keeps its old copy
# until "expire" runs out.
Nov 19 14:51:06 ns named[213146]: zone _acme-challenge.valtest.bmstu.ru/IN/common: refresh: unexpected rcode (SERVFAIL) from primary 195.19.40.42#53 (source 0.0.0.0#0)
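apt-get install python3-certbot-dns-rfc2136
# Credentials for certbot's RFC 2136 plugin. named runs on this host, so the
# update goes to 127.0.0.1; the key name must match certbot.key exactly,
# trailing dot included.
valtest:~# cat /etc/bind/certbot-credentials.ini
# Target DNS server
dns_rfc2136_server = 127.0.0.1
# Target DNS port
dns_rfc2136_port = 53
# TSIG key name
dns_rfc2136_name = certbot.
# TSIG key secret -- the same value as in /etc/bind/certbot.key. Whoever has
# it can change the challenge TXT and obtain certificates for
# valtest.bmstu.ru and *.valtest.bmstu.ru; if this value has ever been
# published (e.g. by sharing this page), regenerate the key with
# rndc-confgen and update both files.
dns_rfc2136_secret = Pba+bPbB8/fxhEl70BTgIz3ljrEPlq/msjkiaI7+X8gkQI7WwM6B4GQVifvkUIjd6TQFqc+x0rddefn1s8VgIA==
# TSIG key algorithm
dns_rfc2136_algorithm = HMAC-SHA512
# Owner-only: certbot warns when the credentials file is readable by group
# or others, so 600 rather than the 640 of the original listing.
chmod 600 /etc/bind/certbot-credentials.ini
# --dry-run talks to the staging CA and issues nothing -- use it to test the
# DNS plumbing before requesting a real certificate.
certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/certbot-credentials.ini -d 'valtest.bmstu.ru' -d '*.valtest.bmstu.ru' --dry-run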
# cat /etc/bind/named.conf.options
options {
...
// Recursion only for the lab's own networks and loopback ("100+X" is a
// placeholder for the second lab subnet, 192.168.(100+X).0/24). Everyone
// else gets REFUSED, which keeps the server from being abused as an open
// resolver (DNS amplification, cache poisoning).
allow-recursion {192.168.X/24; 192.168.100+X/24; 127/8;};
...
};
# cat /etc/bind/named.conf.local
zone "corpX.un" {
...
// Zone transfers only to the ISP's secondary. Without this any host could
// AXFR the zone and enumerate every internal name; the test below from
// gate.isp.un should be refused unless that host is 172.16.1.254.
allow-transfer {172.16.1.254;};
...
};
gate.isp.un$ nslookup -q=AXFR corpX.un 192.168.X.10
# cat named.conf
options {
...
// Where "rndc dumpdb" and "rndc stats" write their output.
// NOTE(review): named writes these files as its unprivileged user into
// world-writable /tmp under fixed names -- the classic setting for a
// symlink attack by another local user (Linux's protected_symlinks
// mitigates it; FreeBSD does not by default). The safer choice is the
// named working directory ("directory"), which is also where the next
// command reads the dump from: the "less" below opens
// /var/cache/bind/named_dump.db, not the /tmp path configured here --
// confirm which one is in effect.
dump-file "/tmp/named_dump.db";
statistics-file "/tmp/named.stats";
...
};
# rndc dumpdb -cache # less /var/cache/bind/named_dump.db
[server:~] # rndc stats [server:~] # cat /var/named/var/stats/named.stats success - число запросов, обработанных без ошибок и без возврата клиенту ссылки (referral); referral - число запросов, на которые сервер вернул клиенту ссылку на другие серверы имён; nxrrset - число запросов, для которых имя существует, но записей запрошенного типа у него нет; nxdomain - число запросов к несуществующим доменным именам; recursion - число запросов, потребовавших рекурсивной обработки; failure - число ошибок, кроме nxrrset и nxdomain