DNS Master + Slaves
The main thing to watch is the Query time, in milliseconds.
root@web:~# dig @163.26.119.1 www.google.com

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @163.26.119.1 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27401
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27
.................
.................
;; Query time: 83 msec
;; SERVER: 163.26.119.1#53(163.26.119.1)
;; WHEN: 日 6月 05 17:22:50 CST 2017
;; MSG SIZE  rcvd: 870
Master: .1

root@web:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders { 120.116.1.2; 163.26.200.1; 8.8.8.8; };
        allow-query { localhost; 163.26.119.0/24; 2001:288:7599::/64; };
        allow-transfer { localhost; 163.26.119.0/26; 2001:288:7599::/64; };
        allow-recursion { localhost; 163.26.119.0/24; 2001:288:7599::/64; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
Slave: .2

root@w1:~# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        forwarders { 120.116.1.2; 163.26.200.1; 8.8.8.8; };
        allow-query { localhost; 163.26.119.0/24; 2001:288:7599::/64; };
        allow-transfer { localhost; };
        allow-recursion { localhost; 163.26.119.0/24; 2001:288:7599::/64; };
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};
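The point of the master's allow-transfer list is that only the slave (and nothing else) may pull the zones. As an added example, not code from this page, here is a small Python checker that reads an options block, extracts allow-transfer, and reports whether it is unset or open to any and whether each slave address falls inside the permitted prefixes. The options text is a copy of the master's block above; the slave list, the function names and the BIND 9.11 default noted in the comments are mine.

```python
import ipaddress
import re

# Copy of the master's named.conf.options from this page (constructed sample);
# the slave at 163.26.119.2 must fall inside the allow-transfer prefixes.
MASTER_OPTIONS = """
options {
    allow-query { localhost; 163.26.119.0/24; 2001:288:7599::/64; };
    allow-transfer { localhost; 163.26.119.0/26; 2001:288:7599::/64; };
};
"""

def parse_acl(options_text, name):
    """Return the address-match list of one allow-* statement, or None if absent."""
    m = re.search(rf"\b{re.escape(name)}\s*\{{([^}}]*)\}}", options_text)
    if not m:
        return None
    return [tok.strip() for tok in m.group(1).split(";") if tok.strip()]

def acl_permits(acl, address):
    """True if the address matches an entry; a v4 address never matches a v6 prefix."""
    addr = ipaddress.ip_address(address)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "localhost":
            if addr.is_loopback:
                return True
            continue
        try:
            if addr in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:  # named ACLs such as "localnets" are not resolved here
            pass
    return False

def audit_transfer_acl(options_text, slaves):
    """Findings for allow-transfer: unset (BIND 9.11, as used on this page, then
    allows AXFR from any), open to any, or not covering a slave that pulls zones."""
    acl = parse_acl(options_text, "allow-transfer")
    if acl is None:
        return ["allow-transfer not set: BIND 9.11 defaults to any"]
    findings = []
    if "any" in acl:
        findings.append("allow-transfer contains any: zone readable by anyone")
    for s in slaves:
        if not acl_permits(acl, s):
            findings.append(f"slave {s} is not permitted by allow-transfer")
    return findings
```

Run against the master's block with the slave 163.26.119.2 it returns no findings; a slave outside the /26 (for example .70) or an `any` entry is reported.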
root@w1:~# dig @163.26.119.2 www.tn.edu.tw AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @163.26.119.2 www.tn.edu.tw AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17280
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 0f3ec2b4e5152900545808d7610fa923f49f94c2ba413938 (good)
;; QUESTION SECTION:
;www.tn.edu.tw.                 IN      AAAA

;; ANSWER SECTION:
www.tn.edu.tw.          119     IN      AAAA    2001:288:7400:1::10

;; Query time: 533 msec
;; SERVER: 163.26.119.2#53(163.26.119.2)
;; WHEN: 日 6月 5 17:31:31 CST 2017
;; MSG SIZE  rcvd: 98
The IPv6 query time looks odd, so check directly against one of the forwarders:
root@w1:~# dig @120.116.1.2 www.tn.edu.tw AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @120.116.1.2 www.tn.edu.tw AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53797
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.tn.edu.tw.                 IN      AAAA

;; ANSWER SECTION:
www.tn.edu.tw.          120     IN      AAAA    2001:288:7400:1::10

;; AUTHORITY SECTION:
tn.edu.tw.              300     IN      NS      secdns.tn.edu.tw.
tn.edu.tw.              300     IN      NS      tns.tn.edu.tw.

;; ADDITIONAL SECTION:
tns.tn.edu.tw.          300     IN      A       120.116.1.3
secdns.tn.edu.tw.       7200    IN      A       163.26.1.26
tns.tn.edu.tw.          300     IN      AAAA    2001:288:7400:1::3
secdns.tn.edu.tw.       7200    IN      AAAA    2001:288:7200:1::26

;; Query time: 2 msec
;; SERVER: 120.116.1.2#53(120.116.1.2)
;; WHEN: 日 6月 05 17:46:00 CST 2017
;; MSG SIZE  rcvd: 197
Check once more whether the slave's DNS cache is working:
root@w1:~# dig @163.26.119.2 www.tn.edu.tw AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @163.26.119.2 www.tn.edu.tw AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6117
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8228b64106775044ff53b5ae610fad8d0e81c32a08b70660 (good)
;; QUESTION SECTION:
;www.tn.edu.tw.                 IN      AAAA

;; ANSWER SECTION:
www.tn.edu.tw.          67      IN      AAAA    2001:288:7400:1::10

;; Query time: 11 msec
;; SERVER: 163.26.119.2#53(163.26.119.2)
;; WHEN: 日 6月 05 17:58:21 CST 2017
;; MSG SIZE  rcvd: 98
It is working normally now!
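The two runs against the slave above differ exactly the way a cache hit should: same AAAA data, TTL counted down from 119 to 67, and query time down from 533 to 11 msec. As an added example that is not part of the original page, this Python helper extracts those fields from dig output and applies that comparison; the sample text is constructed from the page's own two captures, trimmed to the lines the parser needs, and the function names are mine.

```python
import re

# Cold run from this page against the slave 163.26.119.2, trimmed to the lines
# the summary needs (constructed sample); the warm run is the same capture with
# the values dig reported the second time (id 6117, TTL 67, 11 msec).
COLD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17280
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.tn.edu.tw.\t\t119\tIN\tAAAA\t2001:288:7400:1::10

;; Query time: 533 msec
;; SERVER: 163.26.119.2#53(163.26.119.2)
"""
WARM = (COLD.replace("id: 17280", "id: 6117").replace("\t119\t", "\t67\t")
            .replace("533 msec", "11 msec"))

def summarize(dig_text):
    """Pull status, flags, AUTHORITY count, answer TTL and query time from dig output."""
    hdr = re.search(r"status: (\w+), id: (\d+)", dig_text)
    cnt = re.search(r"flags: ([\w ]*); QUERY: (\d+), ANSWER: (\d+), "
                    r"AUTHORITY: (\d+), ADDITIONAL: (\d+)", dig_text)
    ans = re.search(r";; ANSWER SECTION:\n(.*?)(?=\n;;)", dig_text, re.S)
    # Each answer RR becomes (name, ttl, class, type, rdata); blank lines are skipped.
    answers = ([tuple(l.split()) for l in ans.group(1).splitlines() if l.strip()]
               if ans else [])
    return {
        "status": hdr.group(1),
        "flags": cnt.group(1).split(),
        "authority": int(cnt.group(4)),
        "answers": answers,
        "ttl": min(int(a[1]) for a in answers) if answers else None,
        "query_ms": int(re.search(r"Query time: (\d+) msec", dig_text).group(1)),
    }

def served_from_cache(first, second):
    """Same rdata with a TTL that has counted down, and a reply no slower than the
    first, is the sign that the resolver answered from its own cache rather than
    forwarding again (a forwarded answer is not constrained to a lower TTL)."""
    a, b = summarize(first), summarize(second)
    same_rdata = {r[4] for r in a["answers"]} == {r[4] for r in b["answers"]}
    return (bool(a["answers"]) and same_rdata
            and b["ttl"] < a["ttl"] and b["query_ms"] <= a["query_ms"])
```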
The AUTHORITY: 0 above is because this was the first time the query was sent, so no authority section was shown; dig a few more times and it becomes normal:
root@w1:~# dig @163.26.119.2 www.tn.edu.tw AAAA

; <<>> DiG 9.11.5-P4-5.1+deb10u5-Debian <<>> @163.26.119.2 www.tn.edu.tw AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20497
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5ed160b145906e95a7275e82611017f9df4bc8a2bf6a7c42 (good)
;; QUESTION SECTION:
;www.tn.edu.tw.                 IN      AAAA

;; ANSWER SECTION:
www.tn.edu.tw.          31      IN      AAAA    2001:288:7400:1::10

;; AUTHORITY SECTION:
.                       43063   IN      NS      e.root-servers.net.
.                       43063   IN      NS      l.root-servers.net.
.                       43063   IN      NS      k.root-servers.net.
.                       43063   IN      NS      h.root-servers.net.
.                       43063   IN      NS      j.root-servers.net.
.                       43063   IN      NS      g.root-servers.net.
.                       43063   IN      NS      a.root-servers.net.
.                       43063   IN      NS      f.root-servers.net.
.                       43063   IN      NS      c.root-servers.net.
.                       43063   IN      NS      d.root-servers.net.
.                       43063   IN      NS      m.root-servers.net.
.                       43063   IN      NS      b.root-servers.net.
.                       43063   IN      NS      i.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     336916  IN      A       198.41.0.4
b.root-servers.net.     509913  IN      A       199.9.14.201
c.root-servers.net.     509913  IN      A       192.33.4.12
d.root-servers.net.     509913  IN      A       199.7.91.13
e.root-servers.net.     509913  IN      A       192.203.230.10
f.root-servers.net.     509913  IN      A       192.5.5.241
g.root-servers.net.     509913  IN      A       192.112.36.4
h.root-servers.net.     509913  IN      A       198.97.190.53
i.root-servers.net.     509913  IN      A       192.36.148.17
j.root-servers.net.     509913  IN      A       192.58.128.30
k.root-servers.net.     509913  IN      A       193.0.14.129
l.root-servers.net.     509913  IN      A       199.7.83.42
m.root-servers.net.     509913  IN      A       202.12.27.33
a.root-servers.net.     509913  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     509913  IN      AAAA    2001:500:200::b
c.root-servers.net.     509913  IN      AAAA    2001:500:2::c
d.root-servers.net.     509913  IN      AAAA    2001:500:2d::d
e.root-servers.net.     509913  IN      AAAA    2001:500:a8::e
f.root-servers.net.     509913  IN      AAAA    2001:500:2f::f
g.root-servers.net.     509913  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     509913  IN      AAAA    2001:500:1::53
i.root-servers.net.     509913  IN      AAAA    2001:7fe::53
j.root-servers.net.     509913  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     509913  IN      AAAA    2001:7fd::1
l.root-servers.net.     509913  IN      AAAA    2001:500:9f::42
m.root-servers.net.     509913  IN      AAAA    2001:dc3::35

;; Query time: 0 msec
;; SERVER: 163.26.119.2#53(163.26.119.2)
;; WHEN: 一 6月 05 18:14:25 CST 2017
;; MSG SIZE  rcvd: 881
This time the result is AUTHORITY: 13 and Query time: 0 msec. As for refresh, the newer BIND 9 does not need notify specified in the zone; the slave refreshes on its own. Writing the slave's named.local like this is enough for it to update automatically:

zone "stps.tn.edu.tw" {
        type slave;
        masters { 163.26.119.1; };
        file "/etc/bind/slaves/db.stps.tn.edu.tw";
};
zone "119.26.163.in-addr.arpa" {
        type slave;
        masters { 163.26.119.1; };
        file "/etc/bind/slaves/db.163.26.119";
};
zone "9.9.5.7.8.8.2.0.1.0.0.2.ip6.arpa." {
        type slave;
        masters { 163.26.119.1; };
        file "/etc/bind/slaves/2001.288.7599.rev";
};
This environment does not need NAT, only DHCP.
isc-dhcp-server
# A configuration for an internal subnet.
subnet 163.26.119.0 netmask 255.255.255.0 {
  range dynamic-bootp 163.26.119.121 163.26.119.199;
  option domain-name-servers 163.26.119.2, 163.26.200.1;
  option domain-name "stps.tn.edu.tw";
  option routers 163.26.119.254;
  option broadcast-address 163.26.119.255;
  default-lease-time 432000;
  max-lease-time 864000;
}

# fixed addresses for the UBNT thin APs, keyed by MAC
host ubnt1 { hardware ethernet 04:18:d6:e0:ef:1a; fixed-address 163.26.119.200; }
host ubnt2 { hardware ethernet 04:18:d6:e0:ef:18; fixed-address 163.26.119.201; }
# other fixed hosts
.......
.......
About the DHCP log
To keep it separate from /var/log/auth.log, insert into /etc/rsyslog.conf (this routes facility local7, so dhcpd.conf must also contain log-facility local7;, because dhcpd otherwise logs to the daemon facility):

auth,authpriv.*                 /var/log/auth.log
local7.*                        /var/log/dhcpd.log
*.*;auth,authpriv,local7.none   -/var/log/syslog
DHCP status

isc-dhcp-server.service - LSB: DHCP server
   Loaded: loaded (/etc/init.d/isc-dhcp-server; generated)
   Active: active (running) since Sat 2017-04-31 18:16:09 CST; 3 weeks 2 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 653 ExecStart=/etc/init.d/isc-dhcp-server start (code=exited, status=0/SUCCESS)
    Tasks: 1 (limit: 4915)
   Memory: 9.0M
   CGroup: /system.slice/isc-dhcp-server.service
           └─794 /usr/sbin/dhcpd -4 -q -cf /etc/dhcp/dhcpd.conf eno1
Static IP section
Either configure each host one by one according to the duty list, or enlarge the DHCP range and put everything on DHCP,
or split the dynamic-bootp range, or use multiple VLAN subnets…
Conclusion
Running DNS here is only an adjunct to DHCP; with today's high-speed education network, an on-campus DNS server is redundant.