CentOS 7 Network Configuration Basics
Time: 2018-12-04 15:51 Source: linux.it.net.cn Author: IT
Network management commands
Check whether the network is reachable and how fast the connection is: ping
-c number of packets to send
-i interval between ping packets (default 1 s)
-s packet length, in bytes
Show interface status: ifconfig
eno16777736: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.23.130 netmask 255.255.255.0 broadcast 192.168.23.255
inet6 fe80::20c:29ff:fed7:9f88 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:d7:9f:88 txqueuelen 1000 (Ethernet)
RX packets 38398 bytes 3959286 (3.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 42008 bytes 4427890 (4.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 1348 bytes 111404 (108.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1348 bytes 111404 (108.7 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Set/enable an IP address on an interface: ifconfig eno16777736:0 192.168.100.100 netmask 255.255.255.0 up
ifconfig eno16777736:0 192.168.100.100/24 up
Disable a network interface: ifconfig eno16777736:0 down
Change an interface's MAC address: ifconfig eno16777736:0 hw ether 00:0c:29:d7:90:88
Note: the settings above are lost when the machine reboots.
Show, add or modify the routing table: route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.23.1 0.0.0.0 UG 100 0 0 eno16777736
192.168.23.0 0.0.0.0 255.255.255.0 U 100 0 0 eno16777736
Add a route: all traffic for the 192.168.60.0 network goes via gateway 192.168.19.1
route add -net 192.168.60.0 netmask 255.255.255.0 gw 192.168.19.1
Delete a route
route del -net 192.168.60.0 netmask 255.255.255.0
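The routing table above is what the kernel walks for every outbound packet. As an added example (not part of the original article), the Python below parses that `route -n` output, performs the longest-prefix match the kernel performs, and applies the rule the kernel enforces for `route add`: the gateway must sit on a directly connected network. In the table shown, only 192.168.23.0/24 is on-link, so on this host a gateway of 192.168.19.1 would be refused with `SIOCADDRT: Network is unreachable`, while 192.168.23.1 is accepted. Everything except the table text is constructed for the demo.

```python
"""Longest-prefix-match lookup and gateway check over a `route -n` table.

Added example, not from the original article. ROUTE_TABLE is a copy of the
table printed above; the destination addresses used in the demo are constructed.
"""
import ipaddress

# `route -n` output as shown in the article (constructed copy).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.23.1    0.0.0.0         UG    100    0        0 eno16777736
192.168.23.0    0.0.0.0         255.255.255.0   U     100    0        0 eno16777736
"""


def parse_route_table(text):
    """Turn `route -n` output into a list of (network, gateway, iface) tuples.

    A gateway of 0.0.0.0 (Flags without G) means the destination network is
    directly connected, which is recorded here as gateway None.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or not fields[0][0].isdigit():
            continue  # banner and header lines
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        network = ipaddress.IPv4Network((dest, mask))
        gateway = None if gw == "0.0.0.0" else ipaddress.IPv4Address(gw)
        routes.append((network, gateway, iface))
    return routes


def lookup(routes, dst):
    """Return the (network, gateway, iface) entry the kernel would use for dst.

    Longest-prefix match: of all entries whose network contains dst, the one
    with the longest mask wins, so 0.0.0.0/0 only applies when nothing more
    specific matches.
    """
    dst = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if dst in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)


def add_route(routes, dest, mask, gw):
    """Add a static route as `route add -net DEST netmask MASK gw GW` would.

    The kernel accepts a gateway only if it is reachable through a directly
    connected (on-link) route; otherwise `route` fails with
    "SIOCADDRT: Network is unreachable". The same rule is applied here.
    """
    via = lookup(routes, gw)
    if via is None or via[1] is not None:
        raise ValueError(f"gateway {gw} is not on a directly connected network")
    routes.append((ipaddress.IPv4Network((dest, mask)), ipaddress.IPv4Address(gw), via[2]))
    return routes


if __name__ == "__main__":
    table = parse_route_table(ROUTE_TABLE)
    print("before:", lookup(table, "192.168.60.5"))   # default route via 192.168.23.1
    add_route(table, "192.168.60.0", "255.255.255.0", "192.168.23.1")
    print("after: ", lookup(table, "192.168.60.5"))   # the new /24 now wins
```

The on-link check matters when troubleshooting static routes: a route that the kernel refuses never appears in the table, and traffic silently keeps following the default route.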
Copy files to another system: scp
-P remote connection port
-r copy an entire directory recursively
Send a local file to the /usr directory on remote host 192.168.3.100
scp -P 12345 test.txt root@192.168.3.100:/usr
Pull a file from the remote host into the current local directory
scp -P 12345 root@192.168.3.100:/etc/hosts ./
Use -r to transfer a directory
scp -r -P 12345 root@192.168.3.100:/usr/local ./
Show network connections, the routing table or interface status: netstat
-a show all sockets, including listening ones
-t show TCP ports
-u show UDP ports
//show all TCP ports
netstat -at
//show all UDP ports
netstat -au
//show all (-a) TCP and UDP (-tu) sockets in numeric form (-n), refreshing continuously (-c)
netstat -autnc
//show the routing table continuously
netstat -rc
Trace the route to a destination: traceroute
traceroute -n www.baidu.com
Test logging in to or controlling a remote host
telnet IPaddress
Download files from the network: wget
Plain download: wget http://www.xxx.com/download/test.txt
-c resume an interrupted download: wget -c http://www.xxx.com/download/test.txt
-i batch download: wget -i download.txt (download.txt contains a list of URLs)
Network configuration
Configure the Linux IP address
/etc/sysconfig/network-scripts/ifcfg-eth0
Set the hostname
/etc/hostname
Set the default gateway
Using route
route add default gw 192.168.23.1
Or edit the interface file
/etc/sysconfig/network-scripts/ifcfg-eth0
Add: GATEWAY=192.168.23.1
Note: after editing a script file, run service network restart for the change to take effect.
Set the DNS servers
/etc/resolv.conf
Note: after editing a script file, run service network restart for the change to take effect.
Advanced Linux network configuration tools
Advanced network management tool: iproute2
//command syntax
[root@local ~]# ip -help
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
ip [ -force ] -batch filename
where OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
netns | l2tp | tcp_metrics | token }
OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
-h[uman-readable] | -iec |
-f[amily] { inet | inet6 | ipx | dnet | bridge | link } |
-4 | -6 | -I | -D | -B | -0 |
-l[oops] { maximum-addr-flush-attempts } |
-o[neline] | -t[imestamp] | -b[atch] [filename] |
-rc[vbuf] [size] | -n[etns] name | -a[ll] }
Viewing the network configuration with the ip command
ip addr list
[root@local ~]# ip -s addr list //-s shows detailed information (interface statistics)
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
RX: bytes packets errors dropped overrun mcast
386202 4760 0 0 0 0
TX: bytes packets errors dropped carrier collsns
386202 4760 0 0 0 0
2: eno16777736: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:d7:9f:88 brd ff:ff:ff:ff:ff:ff
inet 192.168.23.130/24 brd 192.168.23.255 scope global eno16777736
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fed7:9f88/64 scope link
valid_lft forever preferred_lft forever
RX: bytes packets errors dropped overrun mcast
15477091 59902 0 0 0 0
TX: bytes packets errors dropped carrier collsns
2019368 17809 0 0 0 0
Add a new address: ip addr add 192.168.1.12/24 dev eth1
Delete an address: ip addr del 192.168.1.12/24 dev eth1
Show routing information: ip route list
Network packet capture and analysis tool: tcpdump
-a: try to convert network and broadcast addresses to names;
-c <count>: stop after receiving the specified number of packets;
-d: dump the compiled packet-matching code in human-readable form to standard output;
-dd: dump the compiled packet-matching code as a C program fragment to standard output;
-ddd: dump the compiled packet-matching code as decimal numbers to standard output;
-e: print the link-level header on each dump line;
-f: print Internet addresses numerically;
-F <file>: read the filter expression from the specified file;
-i <interface>: capture on the specified network interface;
-l: make standard output line-buffered;
-n: don't convert host addresses to names;
-N: don't print the domain-name qualification of host names;
-O: don't optimise the packet-matching code;
-p: don't put the interface into promiscuous mode;
-q: quick output; print less protocol information;
-r <file>: read packets from the specified file;
-s <snaplen>: number of bytes to capture from each packet;
-S: print absolute rather than relative TCP sequence numbers;
-t: don't print a timestamp on each dump line;
-tt: print an unformatted timestamp on each dump line;
-T <type>: force packets selected by the expression to be interpreted as the specified type;
-v: verbose output;
-vv: even more verbose output;
-x: print packet data in hex;
-w <file>: write the raw packets to the specified file.
//dst destination address
//src source address
//host host
//net network address
//-s100 capture 100 bytes of each packet (default 68)
//-n don't convert IP addresses or port numbers to names
//-XX print each packet's data in hex and ASCII, including the link-level header
[root@local ~]# tcpdump -i any tcp and dst host 192.168.23.130 and dst port 22 -XX -n -s100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 100 bytes
17:13:54.266279 IP 192.168.23.1.54679 > 192.168.23.130.ssh: Flags [.], ack 4146320238, win 16284, length 0
0x0000: 0000 0001 0006 0050 56c0 0008 0000 0800 .......PV.......
0x0010: 4500 0028 5799 4000 4006 3363 c0a8 1701 E..(W.@.@.3c....
0x0020: c0a8 1782 d597 0016 1092 04a6 f723 d36e .............#.n
0x0030: 5010 3f9c 0aec 0000 0000 0000 0000 0000 P.?.............
0x0040: 0000 0000 0000 0000 0000 0000 0000 ..............
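The summary line tcpdump prints (`192.168.23.1.54679 > 192.168.23.130.ssh: Flags [.], ack 4146320238, win 16284, length 0`) is derived from the bytes in the hex dump that follows it. As an added example, not from the original article, the Python below rebuilds those bytes from the dump above and decodes the Linux cooked (LINUX_SLL) header that `-i any` produces, then the IPv4 and TCP headers, and verifies the IPv4 header checksum. The hex dump is the one shown above; everything else is constructed.

```python
"""Decode the `tcpdump -XX` hex dump above back into the fields tcpdump
summarised on its first line (addresses, ports, ack, window, flags).

Added example, not from the original article. HEXDUMP is a copy of the dump
printed above. `-i any` yields a Linux "cooked" (LINUX_SLL) capture, so the
frame starts with a 16-byte SLL pseudo-header instead of a 14-byte Ethernet one.
"""
import re
import struct

# Hex dump copied from the article's tcpdump output (constructed input).
HEXDUMP = """\
0x0000: 0000 0001 0006 0050 56c0 0008 0000 0800 .......PV.......
0x0010: 4500 0028 5799 4000 4006 3363 c0a8 1701 E..(W.@.@.3c....
0x0020: c0a8 1782 d597 0016 1092 04a6 f723 d36e .............#.n
0x0030: 5010 3f9c 0aec 0000 0000 0000 0000 0000 P.?.............
0x0040: 0000 0000 0000 0000 0000 0000 0000 ..............
"""

# TCP flag bits in the order tcpdump prints them: F S R P . U
TCP_FLAGS = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]


def hexdump_to_bytes(dump):
    """Reassemble packet bytes from `tcpdump -x/-xx/-X/-XX` output.

    Each line is `0xOFFSET:` followed by up to eight groups of four hex digits
    (two bytes; the final group may hold a single byte) and then the ASCII
    column, which is discarded. Collection stops at the first token that is
    not a hex group, which is where the ASCII column begins.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = re.match(r"\s*0x[0-9a-fA-F]{4}:\s*(.*)", line)
        if not m:
            continue
        groups = []
        for tok in m.group(1).split():
            if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{2}|[0-9a-fA-F]{4}", tok):
                break
            groups.append(tok)
        out += bytes.fromhex("".join(groups))
    return bytes(out)


def ip_checksum(header):
    """RFC 1071 one's-complement sum over an IPv4 header; 0 means it verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_cooked_tcp(packet):
    """Parse LINUX_SLL + IPv4 + TCP headers and return the summary fields."""
    # SLL header: pkttype(2) arphrd(2) addrlen(2) addr(8) protocol(2)
    _pkttype, _arphrd, _addrlen, _addr, proto = struct.unpack("!HHH8sH", packet[:16])
    if proto != 0x0800:
        raise ValueError("not an IPv4 packet")
    ip = packet[16:]
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, l4proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or l4proto != 6:
        raise ValueError("not IPv4/TCP")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = ip[ihl:total_len]              # anything past total_len is link padding
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "ttl": ttl, "df": bool(flags_frag & 0x4000),
        "ip_checksum_ok": ip_checksum(ip[:ihl]) == 0,
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": window,
        "flags": "".join(name for bit, name in TCP_FLAGS if flags & bit) or "none",
        "payload_len": len(tcp) - data_off,
    }


if __name__ == "__main__":
    info = decode_cooked_tcp(hexdump_to_bytes(HEXDUMP))
    print(f"{info['src']}.{info['sport']} > {info['dst']}.{info['dport']}: "
          f"Flags [{info['flags']}], ack {info['ack']}, win {info['window']}, "
          f"length {info['payload_len']}, ip checksum ok: {info['ip_checksum_ok']}")
```

Reading the dump by hand follows the same offsets: bytes 0-15 are the SLL header (protocol 0800 = IPv4), byte 16 is 45 (IPv4, 20-byte header), bytes 28-31 and 32-35 are the source and destination addresses, and the TCP header starts at byte 36 with source port d597 = 54679 and destination port 0016 = 22.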
Dynamic Host Configuration Protocol (DHCP)
/etc/dhcp/dhcpd.conf //see man dhcpd.conf for the configuration
systemctl start dhcpd.service //start the server
//configure the client's interface to obtain an IP address automatically
[root@localhost network-scripts]# pwd
/etc/sysconfig/network-scripts
[root@localhost network-scripts]# cat ifcfg-eno16777736
TYPE=Ethernet
BOOTPROTO=dhcp
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
NAME=eno16777736
UUID=408a5a74-5e01-4cc1-9c83-491b6cb6f7d3
DEVICE=eno16777736
ONBOOT=no
Linux Domain Name Service (DNS)
Hostname configuration
cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
192.168.23.130 zx zx.com
cat /etc/sysconfig/network
# Created by anaconda
NETWORKING=yes
HOSTNAME=zx.com
DNS server configuration
cat /etc/resolv.conf
search zx.com
nameserver 192.168.23.130
nameserver 192.168.23.1
Edit the main DNS configuration file /etc/named.conf
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "zx.com" IN {
type master;
file "named.zx.com";
allow-update { none; };
};
zone "23.168.192.in-addr.arpa" IN {
type master;
file "named.192.168.23.zone";
allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
directory "/var/named"; read DNS data files from /var/named
allow-query { any; }; which clients may query this DNS server; any means every host
zone: each zone statement defines one domain and tells named which file to load its data from
Check the syntax: named-checkconf
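named-checkconf only checks syntax; it says nothing about whether `recursion yes;` combined with `allow-query { any; };` and no `allow-recursion` turns the server into the open resolver the comment in the file warns about (in BIND 9, allow-recursion falls back to allow-query-cache, then to allow-query, so here recursion is open to everyone). As an added example, not from the original article, the Python below audits an options block for that combination and for `listen-on { any; }`, and shows a constructed hardened block restricted to the 192.168.23.0/24 network used throughout the article. The article's block is abridged to the statements that matter; the hardened one is an assumption, not something the article provides.

```python
"""Flag the open-resolver combination the comment in named.conf warns about:
recursion on while any host may query and nothing narrows recursive service.

Added example, not from the original article. NAMED_CONF_OPTIONS is an abridged
copy of the options block shown above; HARDENED_OPTIONS is a constructed
version restricted to the 192.168.23.0/24 network used throughout the article.
"""
import re

NAMED_CONF_OPTIONS = """\
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
allow-query { any; };
/*
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
"""

# Constructed: same server, but only the local subnet may query or recurse.
HARDENED_OPTIONS = """\
options {
listen-on port 53 { 192.168.23.130; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
allow-query { localhost; 192.168.23.0/24; };
allow-recursion { localhost; 192.168.23.0/24; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
};
"""

# BIND's documented default when no allow-query/allow-recursion is given.
DEFAULT_RECURSION_ACL = "{ localnets; localhost; }"


def parse_options(conf):
    """Return {statement: value} for the one-line statements in options { }.

    /* */, // and # comments are removed first. Values keep their braces,
    e.g. 'allow-query' -> '{ any; }'. Statements spanning several lines are
    not handled; that is enough for the checks below.
    """
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    conf = re.sub(r"(//|#).*", "", conf)
    m = re.search(r"options\s*\{(.*?)^\};", conf, flags=re.S | re.M)
    if not m:
        raise ValueError("no options block found")
    stmts = {}
    for line in m.group(1).splitlines():
        line = line.strip().rstrip(";").strip()
        if line:
            key, _, value = line.partition(" ")
            stmts[key] = value.strip()
    return stmts


def acl_addresses(value):
    """'port 53 { a; b; }' or '{ a; b; }' -> ['a', 'b']."""
    m = re.search(r"\{(.*)\}", value)
    inner = m.group(1) if m else value
    return [t.strip() for t in inner.split(";") if t.strip()]


def effective_recursion_acl(opts):
    """Who receives recursive service, using BIND 9's fallback chain:
    allow-recursion, else allow-query-cache, else allow-query, else the default."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return acl_addresses(opts[key])
    return acl_addresses(DEFAULT_RECURSION_ACL)


def audit_options(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    opts = parse_options(conf)
    findings = []
    if opts.get("recursion", "yes") == "yes" and "any" in effective_recursion_acl(opts):
        findings.append("open resolver: recursion is on and any host may use it; "
                        "add allow-recursion { <your networks>; } or set recursion no")
    if "any" in acl_addresses(opts.get("listen-on", "{ any; }")):
        findings.append("listen-on { any; }: named is bound on every interface; "
                        "list the addresses it should serve")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", NAMED_CONF_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, audit_options(conf) or ["no findings"])
```

On a lab host that only serves 192.168.23.0/24 the article's settings are harmless; the check matters once the same file is reused on a machine with a public address, which is exactly the case the BIND comment describes.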
Create the DNS forward zone file /var/named/named.zx.com
$TTL 3600
@ IN SOA ns.zx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.zx.com.
zx.com. A 192.168.23.130
ns A 192.168.23.130
wc A 192.168.23.131
uc A 192.168.23.132
Create the DNS reverse zone file /var/named/named.192.168.23.zone
$TTL 3600
@ IN SOA ns.zx.com. rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns.zx.com.
IN NS wc.zx.com.
IN NS uc.zx.com.
130 IN PTR ns.zx.com.
131 IN PTR wc.zx.com.
132 IN PTR uc.zx.com.
Check the syntax (the first argument is the zone's origin, the second the file): named-checkzone zx.com /var/named/named.zx.com
Check the syntax: named-checkzone 23.168.192.in-addr.arpa /var/named/named.192.168.23.zone
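named-checkzone validates each file on its own; it does not tell you whether the forward and reverse zones agree with each other, which is what the nslookup session below confirms query by query. As an added example, not from the original article, the Python below parses both zone files shown above (copied here; the set of record types it recognises is an assumption sufficient for these files) and lists every A record without a matching PTR and every PTR without a matching A record. On these files it reports exactly one thing: the apex record `zx.com. A 192.168.23.130` has no PTR of its own, because 130 points back to ns.zx.com., as the lookup of 192.168.23.130 below also shows.

```python
"""Cross-check the forward zone's A records against the reverse zone's PTR
records, which is what the nslookup session further down verifies by hand.

Added example, not from the original article. FORWARD_ZONE and REVERSE_ZONE
are copies of the two zone files above; the record types recognised are an
assumption sufficient for these files.
"""

FORWARD_ORIGIN = "zx.com."
FORWARD_ZONE = """\
$TTL 3600
@ IN SOA ns.zx.com. rname.invalid. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        NS ns.zx.com.
zx.com. A 192.168.23.130
ns      A 192.168.23.130
wc      A 192.168.23.131
uc      A 192.168.23.132
"""

REVERSE_ORIGIN = "23.168.192.in-addr.arpa."
REVERSE_ZONE = """\
$TTL 3600
@ IN SOA ns.zx.com. rname.invalid. (
        0  ; serial
        1D ; refresh
        1H ; retry
        1W ; expire
        3H ) ; minimum
        IN NS ns.zx.com.
        IN NS wc.zx.com.
        IN NS uc.zx.com.
130     IN PTR ns.zx.com.
131     IN PTR wc.zx.com.
132     IN PTR uc.zx.com.
"""

RECORD_TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "CNAME", "MX", "TXT"}


def qualify(name, origin):
    """Zone-file name rules: '@' is the origin, a trailing dot means fully
    qualified, anything else is relative to the origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(zone, origin):
    """Return [(owner, type, rdata)] for a zone file in the style used above.

    Handles: $-directives and ';' comments, an optional 'IN' class, an owner
    omitted to repeat the previous one, and the parenthesised multi-line SOA
    (its continuation lines are skipped). Types are matched case-sensitively.
    """
    records, owner, in_parens = [], origin, False
    for raw in zone.splitlines():
        line = raw.split(";")[0].strip()
        if in_parens:
            in_parens = ")" not in line
            continue
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if fields[0] != "IN" and fields[0] not in RECORD_TYPES:
            owner = qualify(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], " ".join(fields[1:])
        if "(" in rdata and ")" not in rdata:
            in_parens = True
        records.append((owner, rtype, rdata))
    return records


def ptr_owner(ip):
    """'192.168.23.130' -> '130.23.168.192.in-addr.arpa.'"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def ptr_to_ip(owner):
    """Inverse of ptr_owner."""
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))


def check_forward_reverse(fwd_zone, fwd_origin, rev_zone, rev_origin):
    """List every A record without a matching PTR and every PTR without a
    matching A record; an empty list means the zones agree."""
    a_recs = {(o, r) for o, t, r in parse_records(fwd_zone, fwd_origin) if t == "A"}
    ptr_recs = {(o, r) for o, t, r in parse_records(rev_zone, rev_origin) if t == "PTR"}
    problems = []
    for name, ip in sorted(a_recs):
        if (ptr_owner(ip), name) not in ptr_recs:
            problems.append(f"no PTR {ptr_owner(ip)} -> {name}")
    for owner, name in sorted(ptr_recs):
        if (name, ptr_to_ip(owner)) not in a_recs:
            problems.append(f"PTR {owner} -> {name} has no A record {name} {ptr_to_ip(owner)}")
    return problems


if __name__ == "__main__":
    for p in check_forward_reverse(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN):
        print(p)
```

Forward/reverse agreement is worth checking whenever a host is renamed or renumbered: services that log or authorise by reverse lookup (sshd with UseDNS, mail servers, many audit tools) behave differently when the PTR points at a name whose A record no longer matches.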
Start (or restart) the named service
systemctl start named
Verify the DNS service
[root@zx named]# nslookup
> zx.com
Server: 192.168.23.130
Address: 192.168.23.130#53
Name: zx.com
Address: 192.168.23.130
> ns.zx.com
Server: 192.168.23.130
Address: 192.168.23.130#53
Name: ns.zx.com
Address: 192.168.23.130
> wc.zx.com
Server: 192.168.23.130
Address: 192.168.23.130#53
Name: wc.zx.com
Address: 192.168.23.131
> uc.zx.com
Server: 192.168.23.130
Address: 192.168.23.130#53
Name: uc.zx.com
Address: 192.168.23.132
> 192.168.23.130
Server: 192.168.23.130
Address: 192.168.23.130#53
130.23.168.192.in-addr.arpa name = ns.zx.com.
> 192.168.23.131
Server: 192.168.23.130
Address: 192.168.23.130#53
131.23.168.192.in-addr.arpa name = wc.zx.com.
> 192.168.23.132
Server: 192.168.23.130
Address: 192.168.23.130#53
132.23.168.192.in-addr.arpa name = uc.zx.com.
(Editor in charge: IT)