Linux Advanced: Details of DNS Services and BIND

It's not easy to succeed. Double your efforts!

1 Name Resolution Introduction and DNS

Currently, communication between devices in TCP/IP networks relies on IP addresses. But numeric IP addresses are hard to remember; when there are many network devices, remembering the IP address of each one is practically an impossible task. How do we solve this? We can give each network device a friendly name, such as www.magedu.org; a text name like this is clearly easier to remember. But computers do not understand such names, so we use a name resolution service to convert (resolve) names into IP addresses, and then we can access devices on the network directly by name. Name resolution has another important function: it decouples the host from its IP address. When the host's IP changes, only the name service needs to be updated, and users can still reach the host by its original name without being affected.

There are several ways to implement this service, as described below:

Local name resolution configuration file: hosts

Linux: /etc/hosts
windows: %WINDIR%/system32/drivers/etc/hosts

DNS: Domain Name System, an application-layer protocol and an Internet service. As a distributed database that maps domain names and IP addresses to each other, it lets people access the Internet more easily.
Based on the C/S architecture; server side: 53/udp, 53/tcp
BIND: Berkeley Internet Name Domain, the DNS server software provided by ISC that implements the DNS domain name structure

  • Root domain
  • First-level domain: Top Level Domain (TLD)
    com, edu, mil, gov, net, org, int, arpa
    Three categories: organizational domains, country domains (.cn, .ca, .hk, .tw), reverse domain
  • Second-level domain
  • Third-level domain
  • Up to 127 levels

ICANN (The Internet Corporation for Assigned Names and Numbers) is responsible for the global management of the generic top-level domain (gTLD) and country-code top-level domain (ccTLD) systems, as well as the root server system

1.1 How DNS services work

1.2 DNS Query Type

  • Recursive query: the queried server returns the final result and is responsible for completing the resolution
  • Iterative query: the queried server returns the best answer it currently has (for example, a referral) and is not responsible for completing the resolution

1.3 Name Server

Name server: the DNS server within a domain, responsible for resolving names in that domain

Root name servers for IPv4: 13 DNS servers worldwide are responsible for root domain resolution: 10 in the United States, 1 in the Netherlands, 1 in Sweden, 1 in Japan

Root name servers for IPv6: 25 servers worldwide; 1 master and 3 slaves in China, 1 master and 2 slaves in the United States

1.4 Resolution Types

  • FQDN --> IP: forward resolution
  • IP --> FQDN: reverse resolution
    Note: forward and reverse resolution are two different namespaces and two different resolution trees

1.5 Complete Query Request Processes

Client --> hosts file --> local DNS cache of the client --> DNS server (recursion) --> DNS server cache --> DNS iteration --> root --> top-level domain DNS --> second-level domain DNS

2 DNS service related concepts and technologies

2.1 Types of DNS Servers

Primary (master) DNS server
Slave DNS server
Caching DNS server (forwarder)

2.1.1 Primary DNS Server

The server that manages and maintains the zone databases for the zones it is responsible for resolving

2.1.2 Slave DNS Server

"Copies" (zone transfer) the zone database from the primary server or from another slave server

  • Serial number: the version number of the zone database, incremented each time the zone on the primary server changes
  • Refresh interval: how often the slave asks the primary server whether the zone needs to be synchronized
  • Retry interval: how long the slave waits before retrying after a failed synchronization request
  • Expire time: how long the slave keeps serving the zone after it can no longer contact the primary server, before it stops serving the zone
  • Notify mechanism: the master server actively notifies the slave servers when the zone database changes
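As an added example (not code from the original article), here is a small Python model of the slave-side logic these five parameters drive: RFC 1982 serial comparison with 32-bit wraparound, the refresh/retry/expire schedule, and the 2H/10M/1W/1D time units used in SOA records. The SoaTimers values are constructed for illustration.

```python
from dataclasses import dataclass

SERIAL_MODULUS = 2 ** 32  # the SOA serial is a 32-bit unsigned counter that wraps

# Suffixes BIND accepts for TTL and SOA timer values (plain seconds when no suffix)
TIME_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}


def parse_ttl(value: str) -> int:
    """Convert a zone-file time such as '2H', '10M', '1W', '1D' or '86400' to seconds."""
    value = value.strip().upper()
    if value[-1] in TIME_UNITS:
        return int(value[:-1]) * TIME_UNITS[value[-1]]
    return int(value)


def serial_is_newer(candidate: int, current: int) -> bool:
    """RFC 1982 serial arithmetic: is `candidate` newer than `current`?

    The comparison is done modulo 2^32, so a serial that wrapped past
    4294967295 back to 0 still counts as newer; equal serials are not newer.
    """
    if candidate == current:
        return False
    distance = (candidate - current) % SERIAL_MODULUS
    return 0 < distance < 2 ** 31


@dataclass
class SoaTimers:
    serial: int
    refresh: int  # seconds between the slave's checks against the master
    retry: int    # seconds to wait before retrying after a failed check
    expire: int   # seconds after the last successful check before the slave stops serving


def slave_needs_transfer(master: SoaTimers, slave: SoaTimers) -> bool:
    """The slave pulls the zone (AXFR/IXFR) only when the master's serial is newer."""
    return serial_is_newer(master.serial, slave.serial)


def slave_action(timers: SoaTimers, since_last_success: int,
                 since_last_attempt: int, last_attempt_failed: bool) -> str:
    """What the slave does now, given seconds since its last successful / last attempted refresh.

    Returns 'expired' (stop serving the zone), 'check-master' (ask the master
    for its SOA serial) or 'serving' (keep answering from the current copy).
    """
    if since_last_success >= timers.expire:
        return "expired"
    wait = timers.retry if last_attempt_failed else timers.refresh
    return "check-master" if since_last_attempt >= wait else "serving"


# Constructed values using the same units as the SOA example later on the page:
# 2H refresh, 10M retry, 1W expire.
MASTER = SoaTimers(serial=2015042202, refresh=parse_ttl("2H"),
                   retry=parse_ttl("10M"), expire=parse_ttl("1W"))
SLAVE = SoaTimers(serial=2015042201, refresh=MASTER.refresh,
                  retry=MASTER.retry, expire=MASTER.expire)
```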

2.2 Zone Transfer

Full transfer (AXFR): transfers the entire zone database
Incremental transfer (IXFR): transfers only the changed part of the zone database

2.3 Resolution Forms

Forward: FQDN (Fully Qualified Domain Name) --> IP
Reverse: IP --> FQDN

2.4 Zones: the forward and reverse resolution databases the local domain is responsible for

Forward zone
Reverse zone

2.5 Answers

Positive answer: a matching query result exists
Negative answer: the requested entry does not exist, or some other cause prevents a result from being returned
Authoritative answer: an answer returned directly by the DNS server (authoritative server) that hosts the data for this query
Non-authoritative answer: an answer returned by another, non-authoritative server

2.6 Resource Records

Zone database: consists of many RRs
Resource Records: Resource Record, RR
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX

  • SOA: Start Of Authority; a zone database has exactly one SOA record, and it must be the first record in the zone database
  • A: Internet Address; FQDN --> IPv4
  • AAAA: FQDN --> IPv6
  • PTR: PoinTeR; IP --> FQDN
  • NS: Name Server; a DNS server authoritative for the current zone
  • CNAME: Canonical Name; alias record
  • MX: Mail eXchanger; mail exchange record
  • TXT: a way of identifying and describing a domain name, normally used for verification records, such as SPF (anti-spam) records, HTTPS certificate validation, etc. For example:
_dnsauth TXT 2012011200000051qgs69bwoh4h6nht4n1h0lr038x

2.6.1 Resource Record Definition Format

name 	[TTL] 	IN 		rr_type 	value

Note:

  1. The TTL can be inherited from the global (zone-wide) TTL
  2. The '@' symbol refers to the name of the current zone
  3. Multiple records can define different values for the same name; the DNS server then answers in round-robin fashion
  4. The same value may be defined under several different names (several names pointing to the same value); this only means that the same host can be reached by several different names

Interview questions:

1. My site domain name needs to be changed, how can I make it work faster?
2. What is an appropriate TTL value to change to? How does this work?

2.6.2 SOA Records

Name: the name of the current zone, for example:
Value: has multiple components

Note:

  1. The FQDN of the primary DNS server for the current zone (or the name of the current zone itself)
  2. The mailbox address of the administrator of the current zone; the @ sign cannot be used in the address and is conventionally replaced by a dot (.)
  3. The serial number, the timers that govern master-slave zone transfer, and the TTL for negative answers

Example:   86400   IN  SOA   (
		2015042201  ; serial number
		2H          ; refresh time
		10M         ; retry
		1W          ; expiration time
		1D )        ; negative TTL value

2.6.3 NS Records

Name: the name of the current zone
Value: the name of a DNS server in the current zone, for example:

Note:

  1. When two adjacent resource records have the same name, the later one may omit the name
  2. Any server name appearing in an NS record should have a corresponding A record
  3. A zone can have multiple NS records

Example:
	IN NS
	IN NS

2.6.4 MX Records

Name: the name of the current zone
Value: the host name of a mail server (SMTP server) in the current zone

Note:

  1. A zone can have more than one MX record; each record's value is preceded by a number (0-99) indicating the priority of that server: the smaller the number, the higher the priority
  2. Any server name appearing in an MX record should have a corresponding A record

Example: IN 		MX  10
			IN 		MX  20

2.6.5 A Records

Name: the FQDN of a host, for example:
Value: the IP address corresponding to that host name

To avoid returning wrong answers when users type an incorrect name, a wildcard (catch-all) record can resolve such names to a specific address

Example:
		IN 		A
		IN 		A
		IN 		A
		IN 		A
$GENERATE 1-254 HOST$ 	IN 		A 	1.2.3.$
* 			IN 		A
			IN 		A

Example: Huawei Cloud

2.6.6 AAAA Records

name: FQDN
value: IPv6

2.6.7 PTR Records

Name: the IP address, written in a specific format: the octets are written in reverse order (1.2.3.4 becomes 4.3.2.1) and a specific suffix is appended, so the complete form is:
Value: FQDN

Note: the network part and the suffix can be omitted (they come from the zone origin); the host part must still be written in reverse

For example: IN PTR
# If 1.2.3 is the network address, this can be abbreviated as:
4   IN   PTR

2.6.8 CNAME Alias Record

Name: the FQDN of the alias
Value: the FQDN of the real (canonical) name

For example: IN CNAME

2.7 Subdomain Delegation

Each domain's name servers are delegated in the zone database of its parent domain's name server, just as the root domain delegates the TLDs

Glue record: the records in the parent domain that delegate the child domain


.com. 		IN 		NS
.com. 		IN 		NS
	IN 		A
	IN 		A
# On the magedu.org name server, add the following resource records to the zone database
	IN 	NS
	IN 	NS
	IN 	NS
	IN 	A
	IN 	A
	IN 	A

2.8 Internet Domain Names

  1. Domain name registration
    Registrars: HiChina (Wan Net), Xin Net, GoDaddy
  2. Once registered, you may want to run the resolution yourself on a dedicated DNS service

Management console: the server names the NS records point to, and the server addresses the A records point to

Example: Alibaba Cloud DNS management console interface

3 DNS software bind

DNS server software: bind, powerdns, unbound, coredns

3.1 BIND-related packages

yum list all bind*

  • bind: server
  • bind-libs: related libraries
  • bind-utils: client
  • bind-chroot: security package, places the DNS-related files under /var/named/chroot/

Example: Install bind software

[root@centos8 ~]#dnf -y install bind bind-utils

3.2 BIND Package Files

  • BIND main program: /usr/sbin/named
  • Service script and unit name: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service
  • Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key
  • Administrative tool: /usr/sbin/rndc (remote name domain controller), installed on the same host as bind by default; by default it can only connect to the named process on the local host, to provide ancillary management functions; 953/tcp
  • Zone database files: /var/named/ZONE_NAME.ZONE

Note:
(1) One physical server can provide resolution for multiple zones at the same time
(2) There must be a root zone file
(3) There should be two zone files (more if IPv6 is included) for localhost and the local loopback address

3.3 Main Configuration File

  • Global configuration: options {};
  • Logging subsystem configuration: logging {};
  • Zone definitions: define which zones this machine resolves for
    zone "ZONE_NAME" IN {};

Note:

  • Any service program that is expected to be reachable by other hosts over the network must at least listen on an IP address that can communicate with external hosts
  • Caching name server configuration: listen on the external address
  • dnssec: it is recommended to disable DNSSEC (set it to no)

4 Implement a Master DNS Server

4.1 Master DNS Server Configuration

  1. Define the zone in the main configuration file
vim /etc/named.conf
# Comment out the next two lines
// 	listen-on port 53 {; };
// 	allow-query 		{ localhost; };

zone "ZONE_NAME" IN {
	type {master|slave|hint|forward};
	file "";
};
  2. Define the zone database file, which contains:
    Macro definitions
    Resource records

Example: zone database file

$TTL 86400
@ 	IN 	SOA (
		1D )
	IN  NS ns1
	IN  NS ns2
	IN  MX 10 mx1
	IN  MX 20 mx2
ns1 IN  A
ns2 IN  A
mx1 IN  A
mx2 IN  A
websrv  IN A
websrv  IN A
www IN  CNAME websrv
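As an added example (not code from the article), the following Python parser reads a zone file shaped like the one above and applies the rules from 2.6.1 and 2.6.3: $TTL inheritance, '@' as the zone origin, an omitted owner name reusing the previous record's name, and round-robin answers for a name with several A records. The SAMPLE_ZONE names and 192.0.2.0/24 addresses are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample shaped like the zone database file above; the names and
# the 192.0.2.0/24 addresses are placeholders, not the article's values.
SAMPLE_ZONE = """\
$TTL 86400
@       IN  SOA ns1.example.test. admin.example.test. (
                2015042201 ; serial
                7200 600 604800 86400 )
        IN  NS  ns1
        IN  NS  ns2
        IN  MX  10 mx1
ns1     IN  A   192.0.2.11
ns2 300 IN  A   192.0.2.12
mx1     IN  A   192.0.2.21
websrv  IN  A   192.0.2.31
websrv  IN  A   192.0.2.32
www     IN  CNAME websrv
"""


def _logical_lines(text):
    """Yield (name_omitted, tokens): ';' comments stripped, '( ... )' lines joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tokens = [t for t in " ".join(buf).split() if t not in ("(", ")")]
            yield buf[0][:1].isspace(), tokens  # leading blank = owner name omitted
            buf = []


def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples with owner names qualified against origin.

    $TTL is inherited by records without their own TTL, '@' means the zone
    origin, and a record whose owner field is blank reuses the previous owner.
    """
    origin = origin.rstrip(".") + "."
    default_ttl, last_owner, records = None, None, []
    for name_omitted, tokens in _logical_lines(text):
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        owner = last_owner if name_omitted else tokens.pop(0)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0] == "IN":
            tokens.pop(0)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, ttl, tokens[0], tokens[1:]))  # rdata kept verbatim
        last_owner = owner
    return records


class RoundRobinResolver:
    """Answer lookups the way note 3 in 2.6.1 describes: rotate the values of a name."""

    def __init__(self, records):
        self.rrsets = defaultdict(list)
        self.cursor = defaultdict(int)
        for owner, _ttl, rtype, rdata in records:
            self.rrsets[(owner.lower(), rtype)].append(rdata)

    def answer(self, name, rtype):
        key = (name.lower(), rtype)
        values = self.rrsets.get(key, [])
        if not values:
            return []
        start = self.cursor[key] % len(values)
        self.cursor[key] += 1
        return values[start:] + values[:start]  # rotated on every answer
```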


[root@centos8 ~]#tcpdump -i eth0 udp port 53 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:37:38.458363 IP > 44928+ A? (31)
11:37:38.458896 IP > 44928+ A? (31)
11:37:38.460038 IP > 30536+ A? (48)
11:37:38.460884 IP > 30536+ A? (48)

[root@centos7 ~]#telnet 53
telnet: connect to address Connection refused

4.2 Main Configuration File Syntax Check


4.3 Zone Database File Syntax Check

named-checkzone "" /var/named/

4.4 Making the Configuration Take Effect

rndc reload
systemctl reload named
service named reload

4.5 Test and Management Tools

4.5.1 dig command

dig is used only to test the DNS system; it does not consult the hosts file

Command format:

dig [-t type] name [@SERVER] [query options]
query options:
	+[no]trace: trace the resolution process: dig +trace
	+[no]recurse: perform recursive resolution


# Test reverse resolution
dig -x IP  (equivalent to dig -t ptr with the reversed name)
# Simulate a zone transfer
dig -t axfr ZONE_NAME @SERVER
dig -t axfr @
dig -t axfr @
dig -t NS . @
dig -t NS .

4.5.2 host command

Command format:

host [-t type] name [SERVER]


host -t NS
host -t soa
host -t mx
host -t axfr

4.5.3 nslookup command

nslookup supports both interactive and non-interactive execution

Full command format:

nslookup [-option] [name | -] [server]

Interactive mode:

server IP: specify which DNS server to query
set q=RR_TYPE: specify the resource record type to query
NAME: the name to query

4.5.4 rndc command

rndc is used to manage the DNS server

rndc listening port: 953/tcp

Command format:

	status: show status
	reload: reload the main configuration file and the zone database files
	reload zonename: reload the database file of one zone
	retransfer zonename: manually start a zone transfer regardless of whether the serial number has increased
	notify zonename: re-send notifications for zone transfer
	reconfig: reload the main configuration file only
	querylog: toggle query logging (logged to /var/log/messages)
	trace: increase the debug level by one
	trace LEVEL: set the debug level to LEVEL
	notrace: set the debug level to 0
	flush: clear all cached records on the DNS server

4.6 Allow Dynamic Updates

Dynamic updates: the resource records of a zone database can be updated remotely

To allow dynamic updates, add to the zone statement block:

allow-update { any; };

Note: with any, every host that can reach the server may rewrite the zone; restrict it to the specific hosts that need to send updates.


chmod 770 /var/named
setsebool -P named_write_master_zones on
# interactive nsupdate session
>update add 88888 IN A
>update delete A
dig @
ls -l /var/named/
cat /var/named/

5 Implement a Reverse Resolution Zone

Reverse zone: resolves IP addresses to FQDNs

Zone name: the reversed network address


172.16.100. -->

(1) Define the zone

zone "ZONE_NAME" IN {
	type {master|slave|forward};
	file "network";
};

(2) Define the zone database file
Note: no MX records are needed; the zone mainly contains PTR records


$TTL 86400
@ IN SOA (
				1D )
   IN NS
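As an added example (not from the article), these Python helpers build the names used by PTR records as described in 2.6.7 and in this section: the fully reversed owner name, the reverse zone name for a classful network, and the abbreviated owner name written relative to the zone origin. The in-addr.arpa suffix is the standard IPv4 reverse-tree suffix; the 1.2.3.4 and 172.16.100.0/24 values follow the page, and www.example.test is a constructed placeholder.

```python
import ipaddress

REVERSE_SUFFIX = "in-addr.arpa."  # standard suffix of the IPv4 reverse-lookup tree


def _classful(network: str) -> ipaddress.IPv4Network:
    """Reverse zones in this section are cut on octet boundaries (/8, /16 or /24)."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("a classic reverse zone covers a /8, /16 or /24 network")
    return net


def ptr_owner_name(ip: str) -> str:
    """Full PTR owner name: octets reversed, suffix appended (1.2.3.4 -> 4.3.2.1.in-addr.arpa.)."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + REVERSE_SUFFIX


def reverse_zone_name(network: str) -> str:
    """Zone name for a network's reverse zone (172.16.100.0/24 -> 100.16.172.in-addr.arpa.)."""
    net = _classful(network)
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + "." + REVERSE_SUFFIX


def relative_ptr_owner(ip: str, network: str) -> str:
    """Abbreviated owner relative to the reverse zone origin (1.2.3.4 in 1.2.3.0/24 -> '4').

    The network part and the suffix come from the zone origin, so only the host
    part is written, still reversed (172.16.100.7 in 172.16.0.0/16 -> '7.100').
    """
    net = _classful(network)
    addr = ipaddress.IPv4Address(ip)
    if addr not in net:
        raise ValueError(f"{ip} is not inside {network}")
    host_octets = str(addr).split(".")[net.prefixlen // 8 :]
    return ".".join(reversed(host_octets))


def ptr_record(ip: str, network: str, fqdn: str) -> str:
    """One zone-file line for the reverse zone of `network`: '<host> IN PTR <fqdn>'."""
    if not fqdn.endswith("."):
        fqdn += "."  # without the trailing dot the name would be qualified with the reverse origin
    return f"{relative_ptr_owner(ip, network)}\tIN\tPTR\t{fqdn}"
```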

6 Implement slave server

Having only one master DNS server is a single point of failure. You can set up a backup server for the master DNS server, that is, a slave DNS server, as a fault-tolerance mechanism. The slave server automatically synchronizes data one-way from the master server, so like the master DNS server it can also provide query services to the outside world; however, the slave server does not provide data update services.

6.1 DNS Slave Server

  1. Should be a stand-alone name server
  2. The zone database file on the master server must contain an NS record pointing to the slave server
  3. On the slave server, only the zone needs to be defined; no zone database file is supplied, and the transferred zone database files are placed in the /var/named/slaves/ directory
  4. The master server must allow zone transfer to the slave server
  5. Time on the master and slave servers should be synchronized, via ntp
  6. The bind versions should match; otherwise the slave should run the higher version and the master the lower

6.2 Define the Slave Zone


zone "ZONE_NAME" IN {
	type slave;
	masters { MASTER_IP; };
	file "slaves/";
};

7 Implement subdomains

7.1 Subdomain Delegation

Delegate subdomains to other hosts for management, implementing a distributed DNS database

Subdomain delegation in a forward resolution zone

Example: define two subdomain zones
	IN NS
	IN NS
	IN NS
	IN NS
	IN A
	IN A
	IN A
	IN A

7.2 Example: Implementing DNS parent and child domain services

7.2.1 Experimental Purpose

Set up DNS parent and child domain servers

7.2.2 Environmental Requirements

Five Hosts Required
 DNS parent domain server:
 DNS Subdomain Server:
 web server for parent domain:,
 Subdomain web server:,
 DNS Client:

7.2.3 Preparations

Close SElinux
 Close Firewall
 time synchronization

7.2.4 Implementation Steps

(1) Implement the master DNS service for the magedu.org domain on the parent-domain DNS server

yum install bind -y

vim /etc/named.conf
# Comment out the next two lines
// listen-on port 53 {; };
// allow-query { localhost; };

# Zone transfer is only allowed to the slave server
allow-transfer { SLAVE_IP; };
dnssec-enable no;
dnssec-validation no;

vim /etc/named.rfc1912.zones

# Add this block
zone "" {
	type master;
	file "";
};

cp -p /var/named/named.localhost /var/named/
# Without -p you need to fix the permissions: chgrp

vim /var/named/
@ IN SOA master (
				1 ; serial
				1D ; refresh
				1H ; retry
				1W ; expire
				3H ) ; minimum
			NS master
shanghai 	NS shanghains
master 		A
shanghains  A

websrv 		A
www 		CNAME websrv

systemctl start named 	# first start of the service
rndc reload 			# if the service has already been started

(2) Implement the DNS server for the subdomain

yum install bind -y

vim /etc/named.conf
# Comment out the next two lines
// listen-on port 53 {; };
// allow-query { localhost; };
allow-transfer { none; };

vim /etc/named.rfc1912.zones

zone "" {
	type master;
	file "";
};

cp -p /var/named/named.localhost /var/named/
# Without -p you need to fix the permissions: chgrp

vim /var/named/

@ IN SOA master (
				2019042214 ; serial
				1D ; refresh
				1H ; retry
				1W ; expire
				3H ) ; minimum
			NS master
master 		A
websrv 		A
www 		CNAME websrv

systemctl start named 	# first start of the service
rndc reload 			# if the service has already been started

(3) Install the httpd service on the web servers of the parent and child domains

# The parent domain's web server follows the case above (omitted)
# Install the http service on the subdomain web server
yum install httpd
# Configure the home page
echo > /var/www/html/index.html
# Start the service
systemctl start httpd

(4) Test from the client with dig

8 Implement DNS Forwarding (Caching) Server

8.1 DNS Forwarding

DNS forwarding lets users' DNS requests be forwarded to a specified DNS server instead of the default root DNS servers, and caches the results returned by that server for efficiency.

Note:

  1. The server being forwarded to must be able to recurse on behalf of the requester; otherwise forwarding will not take place
  2. Turn off DNSSEC in the global configuration block
dnssec-enable no;
dnssec-validation no;

8.2 Forwarding Method

8.2.1 Global Forwarding

Forward all requests for zones that are not local to the specified server
In the global configuration block:

options {
		forward first|only;
		forwarders { ip; };
};

8.2.2 Zone-Specific Forwarding

Forward requests only for specific zones; takes priority over global forwarding

zone "ZONE_NAME" IN {
	type forward;
	forward first|only;
	forwarders { ip; };
};

first: forward to the specified DNS server first; if the query cannot be resolved there, the server then queries the root servers itself

only: forward to the specified DNS server only; if the query cannot be resolved there, the server does not fall back to the root servers

9 Implement Intelligent DNS

9.1 GSLB

GSLB: Global Server Load Balance

GSLB makes a comprehensive judgment of servers and links to decide which server serves a request, ensuring quality of service for geographically distributed server clusters.

The primary purpose of GSLB is to direct user requests across the network to the nearest node (or region)

GSLB implementations are divided into DNS-based, redirection-based and routing-protocol-based; the most common is DNS-based resolution.

Example: querying the VIP of a site served by a DNS hosting service

[root@centos6 ~]#dig

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44153
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0

; IN A

;; ANSWER SECTION: 180 IN CNAME hosting service 60 IN A

;; AUTHORITY SECTION: 172800 IN NS 172800 IN NS 172800 IN NS 172800 IN NS 172800 IN NS

;; Query time: 1290 msec
;; WHEN: Wed Feb 12 18:05:17 2020
;; MSG SIZE rcvd: 200

9.2 CDN (Content Delivery Network) Content Distribution Network

9.2.1 How CDN works

  1. The user enters the domain name www.a.com in the browser; on the first visit the browser finds no local DNS cache and sends the request to the website's DNS server
  2. The website's DNS resolver has a CNAME configured that points the request to the intelligent DNS load-balancing system of the CDN network
  3. The intelligent DNS load-balancing system resolves the domain name and returns to the user the IP of the node with the fastest response
  4. The user sends the request to this IP node (CDN server)
  5. Since this is the first visit, the CDN server resolves the origin site's IP for this domain name through the CDN's internal private DNS, requests the content from the origin server, and caches it on the CDN server
  6. Request results sent to user

9.2.2 CDN Service Provider

  • Service providers: Alibaba, Tencent, ChinaCache, Wangsu, Dnion, etc.
  • Smart DNS:

9.3 Smart DNS Related Technologies

9.3.1 ACLs in bind
ACL: merges one or more addresses into a set that can be referred to by a single name

Note: an ACL must be defined before it is used; therefore it is usually defined in the configuration file before options


acl acl_name {
	IP_OR_NETWORK;
};

acl beijingnet { NET1; NET2; };

9.3.2 bind's four built-in ACLs

  • none: no host
  • any: any host
  • localhost: the local machine itself
  • localnet: the local networks (the local IP addresses ANDed with their masks)

9.3.3 Access Control Directives

  • allow-query {}: hosts allowed to query; whitelist
  • allow-transfer {}: hosts allowed to perform zone transfers; whitelist
  • allow-recursion {}: hosts allowed to make recursive queries; recommended to set globally
  • allow-update {}: hosts allowed to update the contents of the zone database

9.3.4 view

View: implements the correspondence between ACLs and zone databases, the basis of smart DNS

  • A bind server can define multiple views, and each view can define one or more zones
  • Each view is used to match a set of clients
  • Several views may need to resolve the same zone but use different zone database files

Note:

  • Once views are enabled, all zones can only be defined inside views
  • Define the root zone only in the view whose clients are allowed to make recursive requests
  • When a client request arrives, the client lists of the views are checked from top to bottom and the first matching view serves the request

View format:

view VIEW_NAME {
		match-clients { beijingnet; };
		zone "" {
			type master;
			file "";
		};
		include "/etc/named.rfc1912.zones";
};

view VIEW_NAME {
		match-clients { shanghainet; };
		zone "" {
			type master;
			file "";
		};
		include "/etc/named.rfc1912.zones";
};
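As an added example (not code from the article or from BIND), this Python model evaluates address match lists the way 9.3.1 to 9.3.4 describe them: named ACLs, the four built-in ACLs, '!' negation, and top-to-bottom view selection by match-clients. The ACL networks (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the local interface addresses are constructed placeholders.

```python
import ipaddress

# Constructed ACL table in the shape of the acl statements above.
ACLS = {
    "beijingnet": ["192.0.2.0/24"],
    # a negated element must come before the network it carves an exception from
    "shanghainet": ["!198.51.100.250", "198.51.100.0/24"],
}

# Ordered like the view blocks above: the first view whose match-clients accepts the client wins
VIEWS = [
    ("local", ["localhost", "localnet"]),
    ("beijing", ["beijingnet"]),
    ("shanghai", ["shanghainet"]),
    ("default", ["any"]),
]


class AclMatcher:
    """Evaluate BIND-style address match lists, including the four built-in ACLs."""

    def __init__(self, acls, local_interfaces):
        self.acls = dict(acls)
        ifaces = [ipaddress.ip_interface(i) for i in local_interfaces]
        self.localhost = {i.ip for i in ifaces}        # this machine's own addresses
        self.localnet = [i.network for i in ifaces]    # local addresses ANDed with their masks

    def match(self, elements, client_ip):
        """First element that matches decides; a matching '!' element rejects the client."""
        return self._match(elements, ipaddress.ip_address(client_ip), frozenset())

    def _match(self, elements, client, seen):
        for element in elements:
            negated = element.startswith("!")
            target = element[1:] if negated else element
            if self._match_one(target, client, seen):
                return not negated
        return False  # nothing matched: the list does not admit the client

    def _match_one(self, target, client, seen):
        if target == "any":
            return True
        if target == "none":
            return False
        if target == "localhost":
            return client in self.localhost
        if target == "localnet":
            return any(client in net for net in self.localnet)
        if target in self.acls:  # reference to a named ACL
            if target in seen:
                raise ValueError(f"acl {target} refers to itself")
            return self._match(self.acls[target], client, seen | {target})
        return client in ipaddress.ip_network(target, strict=False)  # address or prefix


def select_view(views, matcher, client_ip):
    """Walk the views top to bottom; return the first whose match-clients accepts the client."""
    for name, match_clients in views:
        if matcher.match(match_clients, client_ip):
            return name
    return None


MATCHER = AclMatcher(ACLS, local_interfaces=["203.0.113.5/24", "127.0.0.1/8"])
```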

10 DNS Troubleshooting


dig A

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30523

The status field in the header reports the result code:

SERVFAIL: the nameserver encountered a problem while processing the query.
Use dig +trace to troubleshoot; the cause is often a network or firewall problem

NXDOMAIN: the queried name does not exist in the zone.
Perhaps the A record that a CNAME points to does not exist

REFUSED: the nameserver refused the client's DNS request due to policy restrictions.
Possibly due to DNS policy (access control)



Tags: DNS network vim yum

Posted on Sat, 06 Jun 2020 21:31:22 -0700 by beboni