
DNS System Experiments

This article uses "BIND 9" as the DNS server implementation and the "Linux dig command" as the DNS client implementation:

  • DNS server implementations:
    • BIND 9: full-featured, i.e. it can act as a root DNS server, TLD DNS server, authoritative DNS server, recursive DNS server and forwarding DNS server
    • PowerDNS: full-featured, i.e. it can act as a root DNS server, TLD DNS server, authoritative DNS server, recursive DNS server and forwarding DNS server
    • CoreDNS: natively acts as a root DNS server, TLD DNS server and authoritative DNS server; with plugins it can also act as a recursive DNS server and forwarding DNS server
    • Self-implemented
  • DNS client implementations:
    • Linux dig command
    • Linux nslookup command
    • BIND 9
    • PowerDNS
    • Self-implemented

1. Building a Forwarding DNS Server

1.1 Experiment environment

(1) Experiment DNS server
IP address of the experiment DNS server: 192.168.31.181

Add the following to the experiment DNS server's configuration file "/etc/bind/named.conf.options"; the server then acts as a forwarding DNS server.

forwarders {
    223.5.5.5; // Alibaba public DNS server
    8.8.8.8;   // Google public DNS server
};

forward only; // forward only: never fall back to iterative resolution

(2) Experiment DNS client
IP address of the experiment DNS client: 192.168.31.143

1.2 Experiment

(1) Experiment DNS client
Running dig @192.168.31.181 baidu.com +short returns the following result, showing that the forwarding DNS server works.

111.63.65.247
111.63.65.103
110.242.74.102

(2) Experiment DNS server
Query (forwarding DNS server -> Alibaba public DNS server):

Internet Protocol Version 4, Src: 192.168.31.181, Dst: 223.5.5.5 
User Datagram Protocol, Src Port: 38583, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x1bb1
Flags: 0x0110 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type A, class IN
Additional records
<Root>: type OPT

Response (Alibaba public DNS server -> forwarding DNS server):

Internet Protocol Version 4, Src: 223.5.5.5, Dst: 192.168.31.181
User Datagram Protocol, Src Port: 53, Dst Port: 38583
Domain Name System (response)
Transaction ID: 0x1bb1
Flags: 0x8180 Standard query response, No error
Questions: 1
Answer RRs: 3
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type A, class IN
Answers
baidu.com: type A, class IN, addr 111.63.65.247
baidu.com: type A, class IN, addr 111.63.65.103
baidu.com: type A, class IN, addr 110.242.74.102
Additional records
<Root>: type OPT

2. Building a Recursive DNS Server

2.1 Experiment environment

(1) Experiment DNS server
IP address of the experiment DNS server: 192.168.31.181
Add the following to the experiment DNS server's configuration file "/etc/bind/named.conf.options"; the server then acts as a recursive DNS server.

recursion yes;      // allow recursive queries. Note: this is the default; it is written explicitly here for the experiment

(2) Experiment DNS client
IP address of the experiment DNS client: 192.168.31.143

2.2 Experiment

(1) Experiment DNS client
Running dig @192.168.31.181 baidu.com +short returns the following result, showing that the recursive DNS server works.

111.63.65.247
124.237.177.164
111.63.65.103
110.242.74.102

(2) Experiment DNS server
Query (recursive DNS server -> root DNS server; 192.58.128.30 is the IP address of root server j.root-servers.net):

Internet Protocol Version 4, Src: 192.168.31.181, Dst: 192.58.128.30
User Datagram Protocol, Src Port: 33038, Dst Port: 53
Domain Name System (query)
Transaction ID: 0xbe86
Flags: 0x0000 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
com: type NS, class IN
Additional records
<Root>: type OPT

Response (root DNS server -> recursive DNS server: returns the TLD DNS servers' names and IP addresses):

Internet Protocol Version 4, Src: 192.58.128.30, Dst: 192.168.31.181
User Datagram Protocol, Src Port: 53, Dst Port: 33038
Domain Name System (response)
Transaction ID: 0xbe86
Flags: 0x8000 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 15
Additional RRs: 27
Queries
com: type NS, class IN
Authoritative nameservers
com: type NS, class IN, ns a.gtld-servers.net
com: type NS, class IN, ns b.gtld-servers.net
com: type NS, class IN, ns c.gtld-servers.net
com: type NS, class IN, ns d.gtld-servers.net
com: type NS, class IN, ns e.gtld-servers.net
com: type NS, class IN, ns f.gtld-servers.net
com: type NS, class IN, ns g.gtld-servers.net
com: type NS, class IN, ns h.gtld-servers.net
com: type NS, class IN, ns i.gtld-servers.net
com: type NS, class IN, ns j.gtld-servers.net
com: type NS, class IN, ns k.gtld-servers.net
com: type NS, class IN, ns l.gtld-servers.net
com: type NS, class IN, ns m.gtld-servers.net
com: type DS, class IN
com: type RRSIG, class IN
Additional records
a.gtld-servers.net: type A, class IN, addr 192.5.6.30
b.gtld-servers.net: type A, class IN, addr 192.33.14.30
c.gtld-servers.net: type A, class IN, addr 192.26.92.30
d.gtld-servers.net: type A, class IN, addr 192.31.80.30
e.gtld-servers.net: type A, class IN, addr 192.12.94.30
f.gtld-servers.net: type A, class IN, addr 192.35.51.30
g.gtld-servers.net: type A, class IN, addr 192.42.93.30
h.gtld-servers.net: type A, class IN, addr 192.54.112.30
i.gtld-servers.net: type A, class IN, addr 192.43.172.30
j.gtld-servers.net: type A, class IN, addr 192.48.79.30
k.gtld-servers.net: type A, class IN, addr 192.52.178.30
l.gtld-servers.net: type A, class IN, addr 192.41.162.30
m.gtld-servers.net: type A, class IN, addr 192.55.83.30
a.gtld-servers.net: type AAAA, class IN, addr 2001:503:a83e::2:30
b.gtld-servers.net: type AAAA, class IN, addr 2001:503:231d::2:30
c.gtld-servers.net: type AAAA, class IN, addr 2001:503:83eb::30
d.gtld-servers.net: type AAAA, class IN, addr 2001:500:856e::30
e.gtld-servers.net: type AAAA, class IN, addr 2001:502:1ca1::30
f.gtld-servers.net: type AAAA, class IN, addr 2001:503:d414::30
g.gtld-servers.net: type AAAA, class IN, addr 2001:503:eea3::30
h.gtld-servers.net: type AAAA, class IN, addr 2001:502:8cc::30
i.gtld-servers.net: type AAAA, class IN, addr 2001:503:39c1::30
j.gtld-servers.net: type AAAA, class IN, addr 2001:502:7094::30
k.gtld-servers.net: type AAAA, class IN, addr 2001:503:d2d::30
l.gtld-servers.net: type AAAA, class IN, addr 2001:500:d937::30
m.gtld-servers.net: type AAAA, class IN, addr 2001:501:b1f9::30
<Root>: type OPT

Query (recursive DNS server -> TLD DNS server; 192.41.162.30 is the IP address of TLD server l.gtld-servers.net):

Internet Protocol Version 4, Src: 192.168.31.181, Dst: 192.41.162.30
User Datagram Protocol, Src Port: 41394, Dst Port: 53
Domain Name System (query)
Transaction ID: 0xfb67
Flags: 0x0000 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type A, class IN
Additional records
<Root>: type OPT

Response (TLD DNS server -> recursive DNS server: returns the authoritative DNS servers' names and IP addresses):

Internet Protocol Version 4, Src: 192.41.162.30, Dst: 192.168.31.181
User Datagram Protocol, Src Port: 53, Dst Port: 41394
Domain Name System (response)
Transaction ID: 0xfb67
Flags: 0x8000 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 9
Additional RRs: 12
Queries
baidu.com: type A, class IN
Authoritative nameservers
baidu.com: type NS, class IN, ns ns2.baidu.com
baidu.com: type NS, class IN, ns ns3.baidu.com
baidu.com: type NS, class IN, ns ns4.baidu.com
baidu.com: type NS, class IN, ns ns1.baidu.com
baidu.com: type NS, class IN, ns ns7.baidu.com
CK0POJMG874LJREF7EFN8430QVIT8BSM.com: type NSEC3, class IN
CK0POJMG874LJREF7EFN8430QVIT8BSM.com: type RRSIG, class IN
HPVV1UNKTCF9TD77I2AUR73709T975GH.com: type NSEC3, class IN
HPVV1UNKTCF9TD77I2AUR73709T975GH.com: type RRSIG, class IN
Additional records
ns2.baidu.com: type A, class IN, addr 220.181.33.31
ns2.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
ns3.baidu.com: type A, class IN, addr 153.3.238.93
ns3.baidu.com: type A, class IN, addr 36.155.132.78
ns4.baidu.com: type A, class IN, addr 111.45.3.226
ns4.baidu.com: type A, class IN, addr 14.215.178.80
ns1.baidu.com: type A, class IN, addr 110.242.68.134
ns1.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
ns7.baidu.com: type A, class IN, addr 180.76.76.92
ns7.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
ns7.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
<Root>: type OPT

Query (recursive DNS server -> authoritative DNS server; 153.3.238.93 is the IP address of authoritative server ns3.baidu.com):

Internet Protocol Version 4, Src: 192.168.31.181, Dst: 153.3.238.93
User Datagram Protocol, Src Port: 39906, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x8cfe
Flags: 0x0000 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
baidu.com: type A, class IN
Additional records
<Root>: type OPT

Response (authoritative DNS server -> recursive DNS server: returns the final IP addresses):

Internet Protocol Version 4, Src: 153.3.238.93, Dst: 192.168.31.181
User Datagram Protocol, Src Port: 53, Dst Port: 39906
Domain Name System (response)
Transaction ID: 0x8cfe
Flags: 0x8400 Standard query response, No error
Questions: 1
Answer RRs: 4
Authority RRs: 5
Additional RRs: 12
Queries
baidu.com: type A, class IN
Answers
baidu.com: type A, class IN, addr 111.63.65.247
baidu.com: type A, class IN, addr 124.237.177.164
baidu.com: type A, class IN, addr 110.242.74.102
baidu.com: type A, class IN, addr 111.63.65.103
Authoritative nameservers
baidu.com: type NS, class IN, ns ns7.baidu.com
baidu.com: type NS, class IN, ns ns3.baidu.com
baidu.com: type NS, class IN, ns ns2.baidu.com
baidu.com: type NS, class IN, ns dns.baidu.com
baidu.com: type NS, class IN, ns ns4.baidu.com
Additional records
dns.baidu.com: type A, class IN, addr 110.242.68.134
ns2.baidu.com: type A, class IN, addr 220.181.33.31
ns3.baidu.com: type A, class IN, addr 36.155.132.78
ns3.baidu.com: type A, class IN, addr 153.3.238.93
ns4.baidu.com: type A, class IN, addr 14.215.178.80
ns4.baidu.com: type A, class IN, addr 111.45.3.226
ns7.baidu.com: type A, class IN, addr 180.76.76.92
dns.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
ns2.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
ns7.baidu.com: type AAAA, class IN, addr 240e:bf:b801:1002:0:ff:b024:26de
ns7.baidu.com: type AAAA, class IN, addr 240e:940:603:4:0:ff:b01b:589a
<Root>: type OPT

3. Building a Four-Tier DNS Setup (recursive DNS server + a three-tier DNS hierarchy that supports a complete iterative A-record lookup)

3.1 Experiment environment

(1) Building the three-tier DNS hierarchy that supports a complete iterative A-record lookup
The three nodes are as follows:

  • bind9-55: IP address 172.20.0.55, acting as the root DNS server
  • bind9-57: IP address 172.20.0.57, acting as the TLD DNS server
  • bind9-59: IP address 172.20.0.59, acting as the authoritative DNS server

Resources are as follows:

(2) Building one recursive DNS server
IP address 172.20.0.1; the node is configured as follows.


Create "/etc/bind/root.hints.custom" as the custom root hints file, with the following content:

; use 172.20.0.55 as the root DNS server
. 3600000 IN NS my-root-dns.
my-root-dns. 3600000 IN A 172.20.0.55

Update "/etc/bind/named.conf.default-zones" to point at the custom root hints file above.
Specifically, change

zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

to

zone "." {
    type hint;
    file "/etc/bind/root.hints.custom";
};

Modify "/etc/bind/named.conf.options" as follows (note that in named.conf a comment starts with // or #; a ; only terminates a statement, so the comments below use //):

options {
    directory "/var/cache/bind";

    // lab environment: disable DNSSEC validation, otherwise queries fail with SERVFAIL
    dnssec-validation no;

    listen-on-v6 { any; };

    // listen on port 54
    listen-on port 54 { any; };
    listen-on-v6 port 54 { any; };
};

(3) Experiment DNS client
IP address of the experiment DNS client: 172.20.0.1

3.2 Experiment

(1) Experiment DNS client
Running dig @172.20.0.1 -p 54 www.example.com returns the following result, showing that the four-tier DNS setup works.

10.0.0.201

(2) Experiment DNS server
Query (recursive DNS server -> root DNS server; the root DNS server's IP address is 172.20.0.55):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.55
User Datagram Protocol, Src Port: 51537, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x77c7
Flags: 0x0010 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...1 .... = Non-authenticated data: Acceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
com: type NS, class IN
Name: com
[Name Length: 3]
[Label Count: 1]
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 8
Option Data: cf80c45664c2e85e
Client Cookie: cf80c45664c2e85e
Server Cookie: <MISSING>

Response (root DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.55, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 51537
Domain Name System (response)
Transaction ID: 0x77c7
Flags: 0x8010 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...1 .... = Non-authenticated data: Acceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 2
Queries
com: type NS, class IN
Name: com
[Name Length: 3]
[Label Count: 1]
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Authoritative nameservers
com: type NS, class IN, ns ns1.com
Name: com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns1.com
Additional records
ns1.com: type A, class IN, addr 172.20.0.57
Name: ns1.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 172.20.0.57
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 28
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 24
Option Data: cf80c45664c2e85e0100000069cb847d4da1067611c6917e
Client Cookie: cf80c45664c2e85e
Server Cookie: 0100000069cb847d4da1067611c6917e

Query (recursive DNS server -> TLD DNS server; the TLD DNS server's IP address is 172.20.0.57):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.57
User Datagram Protocol, Src Port: 38478, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x43c0
Flags: 0x0010 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...1 .... = Non-authenticated data: Acceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
example.com: type NS, class IN
Name: example.com
[Name Length: 11]
[Label Count: 2]
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 8
Option Data: 89b245f4f755339d
Client Cookie: 89b245f4f755339d
Server Cookie: <MISSING>

Response (TLD DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.57, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 38478
Domain Name System (response)
Transaction ID: 0x43c0
Flags: 0x8010 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .0.. .... .... = Authoritative: Server is not an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...1 .... = Non-authenticated data: Acceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 2
Queries
example.com: type NS, class IN
Name: example.com
[Name Length: 11]
[Label Count: 2]
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Authoritative nameservers
example.com: type NS, class IN, ns ns1.example.com
Name: example.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns1.example.com
Additional records
ns1.example.com: type A, class IN, addr 172.20.0.59
Name: ns1.example.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 172.20.0.59
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 28
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 24
Option Data: 89b245f4f755339d0100000069cb847d77488a5a7ea425ec
Client Cookie: 89b245f4f755339d
Server Cookie: 0100000069cb847d77488a5a7ea425ec

Query (recursive DNS server -> authoritative DNS server; the authoritative DNS server's IP address is 172.20.0.59):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.59
User Datagram Protocol, Src Port: 53176, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x331d
Flags: 0x0010 Standard query
0... .... .... .... = Response: Message is a query
.000 0... .... .... = Opcode: Standard query (0)
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... .0.. .... = Z: reserved (0)
.... .... ...1 .... = Non-authenticated data: Acceptable
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
www.example.com: type A, class IN
Name: www.example.com
[Name Length: 15]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Additional records
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 12
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 8
Option Data: b13ea9ab1bd79f70
Client Cookie: b13ea9ab1bd79f70
Server Cookie: <MISSING>

Response (authoritative DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.59, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 53176
Domain Name System (response)
Transaction ID: 0x331d
Flags: 0x8410 Standard query response, No error
1... .... .... .... = Response: Message is a response
.000 0... .... .... = Opcode: Standard query (0)
.... .1.. .... .... = Authoritative: Server is an authority for domain
.... ..0. .... .... = Truncated: Message is not truncated
.... ...0 .... .... = Recursion desired: Don't do query recursively
.... .... 0... .... = Recursion available: Server can't do recursive queries
.... .... .0.. .... = Z: reserved (0)
.... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
.... .... ...1 .... = Non-authenticated data: Acceptable
.... .... .... 0000 = Reply code: No error (0)
Questions: 1
Answer RRs: 1
Authority RRs: 1
Additional RRs: 2
Queries
www.example.com: type A, class IN
Name: www.example.com
[Name Length: 15]
[Label Count: 3]
Type: A (Host Address) (1)
Class: IN (0x0001)
Answers
www.example.com: type A, class IN, addr 10.0.0.201
Name: www.example.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 10.0.0.201
Authoritative nameservers
example.com: type NS, class IN, ns ns1.example.com
Name: example.com
Type: NS (authoritative Name Server) (2)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 6
Name Server: ns1.example.com
Additional records
ns1.example.com: type A, class IN, addr 172.20.0.59
Name: ns1.example.com
Type: A (Host Address) (1)
Class: IN (0x0001)
Time to live: 86400 (1 day)
Data length: 4
Address: 172.20.0.59
<Root>: type OPT
Name: <Root>
Type: OPT (41)
UDP payload size: 1232
Higher bits in extended RCODE: 0x00
EDNS0 version: 0
Z: 0x8000
1... .... .... .... = DO bit: Accepts DNSSEC security RRs
.000 0000 0000 0000 = Reserved: 0x0000
Data length: 28
Option: COOKIE
Option Code: COOKIE (10)
Option Length: 24
Option Data: b13ea9ab1bd79f700100000069cb847d5023aa7a6c02edd4
Client Cookie: b13ea9ab1bd79f70
Server Cookie: 0100000069cb847d5023aa7a6c02edd4

4. Building a Four-Tier DNS Setup (recursive DNS server + a three-tier DNS hierarchy that supports a complete iterative PTR-record lookup)

4.1 Experiment environment

(1) Building the three-tier DNS hierarchy that supports a complete iterative PTR-record lookup
The three nodes are as follows:

  • bind9-55: IP address 172.20.0.55, acting as the root DNS server
  • bind9-57: IP address 172.20.0.57, acting as the TLD DNS server
  • bind9-59: IP address 172.20.0.59, acting as the authoritative DNS server

Resources are as follows:

(2) Building one recursive DNS server
IP address 172.20.0.1; the node is configured as follows.


Create "/etc/bind/root.hints.custom" as the custom root hints file, with the following content:

; use 172.20.0.55 as the root DNS server
. 3600000 IN NS my-root-dns.
my-root-dns. 3600000 IN A 172.20.0.55

Update "/etc/bind/named.conf.default-zones" to point at the custom root hints file above.
Specifically, change

zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};

to

zone "." {
    type hint;
    file "/etc/bind/root.hints.custom";
};

Modify "/etc/bind/named.conf.options" as follows (note that in named.conf a comment starts with // or #; a ; only terminates a statement, so the comments below use //):

options {
    directory "/var/cache/bind";

    // lab environment: disable DNSSEC validation, otherwise queries fail with SERVFAIL
    dnssec-validation no;

    listen-on-v6 { any; };

    // listen on port 54
    listen-on port 54 { any; };
    listen-on-v6 port 54 { any; };
};

(3) Experiment DNS client
IP address of the experiment DNS client: 172.20.0.1

4.2 Experiment

(1) Experiment DNS client
Running dig -x 1.2.3.4 PTR @172.20.0.1 -p 54 +short returns the following result, showing that the four-tier DNS setup works.

host.example.com.

(2) Experiment DNS server
Query (recursive DNS server -> root DNS server; the root DNS server's IP address is 172.20.0.55):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.55
User Datagram Protocol, Src Port: 47378, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x055f
Flags: 0x0010 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
arpa: type NS, class IN
Additional records
<Root>: type OPT

Response (root DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.55, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 47378
Domain Name System (response)
Transaction ID: 0x055f
Flags: 0x8010 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 2
Queries
arpa: type NS, class IN
Authoritative nameservers
arpa: type NS, class IN, ns ns1.arpa
Additional records
ns1.arpa: type A, class IN, addr 172.20.0.57
<Root>: type OPT

Query (recursive DNS server -> TLD DNS server; the TLD DNS server's IP address is 172.20.0.57):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.57
User Datagram Protocol, Src Port: 33182, Dst Port: 53
Domain Name System (query)
Transaction ID: 0xc754
Flags: 0x0010 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
in-addr.arpa: type NS, class IN
Additional records
<Root>: type OPT

Response (TLD DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.57, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 33182
Domain Name System (response)
Transaction ID: 0xc754
Flags: 0x8010 Standard query response, No error
Questions: 1
Answer RRs: 0
Authority RRs: 1
Additional RRs: 2
Queries
in-addr.arpa: type NS, class IN
Authoritative nameservers
in-addr.arpa: type NS, class IN, ns ns1.in-addr.arpa
Additional records
ns1.in-addr.arpa: type A, class IN, addr 172.20.0.59
<Root>: type OPT

Query (recursive DNS server -> authoritative DNS server; the authoritative DNS server's IP address is 172.20.0.59):

Internet Protocol Version 4, Src: 172.20.0.1, Dst: 172.20.0.59
User Datagram Protocol, Src Port: 53287, Dst Port: 53
Domain Name System (query)
Transaction ID: 0x5db8
Flags: 0x0010 Standard query
Questions: 1
Answer RRs: 0
Authority RRs: 0
Additional RRs: 1
Queries
4.3.2.1.in-addr.arpa: type PTR, class IN
Additional records
<Root>: type OPT

Response (authoritative DNS server -> recursive DNS server):

Internet Protocol Version 4, Src: 172.20.0.59, Dst: 172.20.0.1
User Datagram Protocol, Src Port: 53, Dst Port: 53287
Domain Name System (response)
Transaction ID: 0x5db8
Flags: 0x8410 Standard query response, No error
Questions: 1
Answer RRs: 1
Authority RRs: 1
Additional RRs: 2
Queries
4.3.2.1.in-addr.arpa: type PTR, class IN
Answers
4.3.2.1.in-addr.arpa: type PTR, class IN, host.example.com
Authoritative nameservers
in-addr.arpa: type NS, class IN, ns ns1.in-addr.arpa
Additional records
ns1.in-addr.arpa: type A, class IN, addr 172.20.0.59
<Root>: type OPT
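As an added example (not code from the original article), the following Python module reproduces, at wire level, one step of the iterative resolution shown in the captures of sections 2 to 4: it builds the kind of query the recursive server sends upstream (RD=0, flags 0x0010 with the CD bit set, an EDNS0 OPT record with the DO bit and a 1232-byte payload size), parses a constructed referral of the shape the root and TLD servers return (no answers, one NS in authority, its glue A record in additional), selects the next server to ask from that referral, and forms the in-addr.arpa QNAME used by the PTR lookup in section 4. The referral bytes are constructed inside the block and all function names are this example's own; the parser bounds its walk over compression pointers so a malformed response cannot loop it.

```python
import struct

TYPES = {"A": 1, "NS": 2, "PTR": 12, "AAAA": 28, "OPT": 41}
TYPE_NAMES = {v: k for k, v in TYPES.items()}

def encode_name(name):  # 'ns1.com' -> length-prefixed labels ending in the empty root label
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name, following RFC 1035 compression pointers; return (name, offset after it)."""
    labels, end = [], None
    for _ in range(128):  # bounded walk: a crafted pointer loop must not hang the parser
        length = msg[off]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: 14-bit pointer back into the message
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    raise ValueError("name too long or compression pointer loop")

def opt_rr(payload=1232, do=True):  # EDNS0 OPT: root name, CLASS = payload size, TTL carries DO bit
    return b"\x00" + struct.pack("!HHIH", TYPES["OPT"], payload, 0x8000 if do else 0, 0)

def build_query(txid, qname, qtype, cd=True):
    """Iterative query as the recursive server sends upstream: RD=0, flags 0x0010 = CD bit only."""
    header = struct.pack("!HHHHHH", txid, 0x0010 if cd else 0, 1, 0, 0, 1)
    return header + encode_name(qname) + struct.pack("!HH", TYPES[qtype], 1) + opt_rr()

def build_referral(txid, qname, qtype, ns_name, ns_addr):
    """Constructed referral shaped like the root/TLD replies: 0 answers, 1 NS, 1 glue A, 1 OPT."""
    header = struct.pack("!HHHHHH", txid, 0x8010, 1, 0, 1, 2)
    question = encode_name(qname) + struct.pack("!HH", TYPES[qtype], 1)
    ns_rdata = encode_name(ns_name)  # the owner below is a pointer (0xC00C) to the question name at offset 12
    authority = b"\xc0\x0c" + struct.pack("!HHIH", TYPES["NS"], 1, 86400, len(ns_rdata)) + ns_rdata
    glue = encode_name(ns_name) + struct.pack("!HHIH", TYPES["A"], 1, 86400, 4)
    return header + question + authority + glue + bytes(int(o) for o in ns_addr.split(".")) + opt_rr()

def parse_message(msg):
    """Parse header, question and the three RR sections into plain Python values."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, out = 12, {"id": txid, "flags": flags, "question": [], "answer": [], "authority": [], "additional": []}
    for _ in range(qd):
        name, off = decode_name(msg, off)
        out["question"].append((name, TYPE_NAMES.get(struct.unpack("!HH", msg[off:off + 4])[0])))
        off += 4
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype in (TYPES["NS"], TYPES["PTR"]):
                value = decode_name(msg, off)[0]  # rdata names may themselves be compressed
            elif rtype == TYPES["OPT"]:
                value = {"udp_payload": rclass, "do": bool(ttl & 0x8000)}
            else:  # A records become dotted quads; anything else is left as raw hex
                value = ".".join(map(str, msg[off:off + 4])) if rtype == TYPES["A"] else msg[off:off + rdlen].hex()
            off += rdlen
            out[section].append((name, TYPE_NAMES.get(rtype, rtype), value))
    return out

def next_hop(reply):
    """Choose the server to ask next: an NS from the authority section that also has glue in additional."""
    glue = {name: v for name, t, v in reply["additional"] if t == "A"}
    for _, t, ns_name in reply["authority"]:
        if t == "NS" and ns_name in glue:  # glue for names the delegation does not list is ignored
            return ns_name, glue[ns_name]

def reverse_name(ipv4):  # '1.2.3.4' -> '4.3.2.1.in-addr.arpa.', the PTR QNAME used in section 4
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."
```

Feeding build_query's output to a socket and the reply to parse_message and next_hop walks the same root -> TLD -> authoritative chain the captures show.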