linux-dns-11

There are three places where the DNS server address can be set: 1. the DNS server address in the network card configuration file; 2. the system default DNS server address (/etc/resolv.conf); 3. the hosts file.
The effective order is:
1 hosts file --> 2 DNS server address in the network card configuration file --> 3 /etc/resolv.conf

Query method
Recursion: The query between the client and the local DNS server is a recursive query. After the client sends a query request it simply waits; the local DNS server queries the next DNS server on the client's behalf until it can return a positive or a negative answer.
Brief note: I ask you, you ask him.

Iteration: The root name server provides the IP of the top-level domain name server, and the local name server continues by querying the top-level domain name server, and so on, until it gets a real answer.
He doesn't know, but he gives me the address of C, who does know, and I go on to ask C.

The request from the host to the local DNS server is a recursive query.
The queries from the local DNS server to the root name server and below are usually iterative.

Request process:

Client --> hosts file --> /etc/resolv.conf --> local cache of the DNS service --> DNS server (recursion) --> server cache --> iteration --> root
--> top-level domain DNS --> second-level domain DNS ...

Server type
Primary name server (master)
Secondary name server (slave)
Cache-only server

Main configuration
named.conf
acl   Define a named list of IP addresses
controls   Define the control channel used by rndc
include   Include other files in the configuration file
key   Define an authentication key
logging   Define the log content and location
options   Define global configuration options and default values
server   Define the characteristics of a remote server
zone   Define a zone

Operation:
yum -y install bind*
rndc: remote name daemon control. It is installed on the same host as bind by default, connects to the named process only through 127.0.0.1 (port 953/tcp) and provides auxiliary management functions.
rndc reload tells the server to reload its configuration and zones.
To manually ask the slaves of a certain zone to synchronize: rndc notify magedu.com
Configuration file: /etc/named.conf
Resolution database, that is, the storage location of the zone files: /var/named/ZONE_NAME.ZONE
Copy one of the zone files the system already has and modify it, paying attention to the owner and group permissions:
cp -p /var/named/named.loopback /var/named/example.com.zone
Define the zone in the main configuration file:
vim /etc/named.conf
zone "example.com" IN {
    type master;
    file "example.com.zone";
};

vim /var/named/example.com.zone

$TTL 1D
$ORIGIN example.com.
@ IN SOA ns1.example.com. admin.example.com. (
; names written out in full must end with a dot
        20190419 ; serial number. After changing the file you must increase the serial number, otherwise the slave servers have no way to synchronize!!!
        1H       ; refresh time
        5M       ; retry time
        7D       ; expiration time
        1D )     ; TTL value of negative answers
    IN NS ns1
    IN NS ns2
    IN MX 10 mx1
    IN MX 20 mx2
ns1 IN A 192.168.36.73
ns2 IN A 192.168.36.73
mx1 IN A 192.168.36.73
mx2 IN A 192.168.36.73
webser1 IN A 192.168.36.73
webser2 IN A 192.168.36.73
www IN CNAME webser1

Explanation of resource records:
Zone resolution database: composed of many RRs.
Resource Record, RR
Record types: A, AAAA, PTR, SOA, NS, CNAME, MX
SOA: Start Of Authority; there can be one and only one per zone resolution database, and it must be the first record in the database.

SOA (Start of Authority): the SOA record names the DNS server that provides authoritative information about an Internet domain, the domain administrator's email, the domain serial number, and several timers related to refreshing the zone.
NS (name server): the NS record maps a domain name to the list of authoritative DNS servers for that domain. Delegation depends on the NS record.

A: IPv4 address
AAAA: IPv6 address
PTR: IP --> FQDN
NS: Name Server, indicates the DNS servers of the current zone
CNAME: Canonical Name, alias record
MX: Mail eXchanger, mail exchanger
TXT: a way to identify and describe domain names; generally used for verification records, such as SPF (anti-spam) records, HTTPS certificate verification, etc.
Example: _dnsauth TXT 2012011200000051qgs69bwoh4h6nht4n1h0lr038x

SOA record
name: the name of the current zone, such as "magedu.com."
value: several parts
(1) The FQDN of the primary DNS server of the current zone; the name of the current zone can also be used;
(2) The email address of the current zone administrator; the @ symbol cannot be used in the address, so it is replaced with a dot. For example: admin.magedu.com
(3) Definitions related to master-slave zone transfer, and the uniform TTL of negative answers

Note:

Main configuration file syntax check: named-checkconf
Zone file syntax check: named-checkzone "magedu.com" /var/named/magedu.com.zone
Make the configuration take effect: rndc reload or service named reload
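The two steps the notes insist on after editing a zone file (raise the serial, then check the zone before rndc reload) can be scripted. The bash script below is an added example, not part of the original notes: the functions zone_serial, bump_serial and check_zone and the sample zone file are constructed for this illustration, and named-checkzone is only called when it is installed.

```shell
#!/bin/bash
# Added example: bump the SOA serial of a BIND zone file and run the syntax
# check before reloading, as the notes above require.  Function names and the
# sample zone are constructed for this illustration.

# Print the SOA serial: the first integer after the "(" of the SOA record,
# whether it sits on the SOA line itself or on a following line.
zone_serial() {
    awk '
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break                      # comment: skip rest of line
                if (seen_paren && $i ~ /^[0-9]+$/) { print $i; exit }
                if ($i ~ /\($/) seen_paren = 1            # "(" or "root.example.(" glued on
            }
        }
    ' "$1"
}

# Replace the serial with old+1 (modulo 2^32, the size of the serial field)
# and print the new value.  Only the SOA region of the file is touched.
bump_serial() {
    local file=$1 old new
    old=$(zone_serial "$file")
    if [ -z "$old" ]; then
        echo "no SOA serial found in $file" >&2
        return 1
    fi
    new=$(( (old + 1) % 4294967296 ))
    awk -v old="$old" -v new="$new" '
        /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa && !done {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^;/) break
                if (seen_paren && $i == old) { $i = new; done = 1; break }
                if ($i ~ /\($/) seen_paren = 1
            }
        }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file" || return 1
    echo "$new"
}

# Run BIND's own zone check when available; rndc reload should only follow a pass.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping syntax check of $2" >&2
    fi
}

# Demonstration on a constructed zone file in a temporary location.
demo_zone=$(mktemp)
cat > "$demo_zone" <<'EOF'
$TTL 1D
$ORIGIN example.com.
@   IN SOA ns1.example.com. admin.example.com. (
        20190419 ; serial
        1H       ; refresh
        5M       ; retry
        7D       ; expire
        1D )     ; negative-answer TTL
    IN NS ns1
ns1 IN A  192.168.36.73
www IN A  192.168.36.73
EOF
echo "serial before: $(zone_serial "$demo_zone")"
bump_serial "$demo_zone" >/dev/null
echo "serial after:  $(zone_serial "$demo_zone")"
check_zone example.com "$demo_zone"
rm -f "$demo_zone"
```

bump_serial rewrites the file in place and prints the new serial; check_zone takes the zone name and the file path exactly as named-checkzone does, so the working pattern is bump, check, and only then rndc reload.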

Test command
dig [-t type] name [@SERVER] [query options]
dig is only used to test the DNS system and does not consult the hosts file.
Query options:

+[no]trace: trace the resolution process: dig +trace magedu.com
+[no]recurse: perform a recursive resolution test
Reverse resolution: dig -x IP, equivalent to dig -t ptr REVERSED_IP.in-addr.arpa
Simulated zone transfer:
dig -t axfr ZONE_NAME @SERVER
dig -t axfr magedu.com @10.10.10.11
dig -t axfr 100.1.10.in-addr.arpa @172.16.1.1
dig -t NS . @114.114.114.114
dig -t NS . @A.root-servers.net

host [-t type] name [SERVER]
host -t NS magedu.com 172.16.0.1
host -t soa magedu.com
host -t mx magedu.com
host -t axfr magedu.com
host 1.2.3.4

nslookup command: nslookup [-option] [name | -] [server]

Reverse resolution zone
Zone name: the network address reversed, followed by .in-addr.arpa.
172.16.100. --> 100.16.172.in-addr.arpa.

(1) Define the zone
zone "36.168.192.in-addr.arpa" {
    type master;
    file "36.168.192.zone";
};

(2) Define the zone resolution database file. Note: MX is not required; the PTR record is the main one.

Zone example
$TTL 1D
$ORIGIN 100.16.172.in-addr.arpa.
@ IN SOA ns1.magedu.com. admin.magedu.com. (
; ns1 written out in full must end with .com.
        2015042201
        1H
        5M
        7D
        1D )
    IN NS ns1.magedu.com.
    IN NS ns2.magedu.com.
11 IN PTR ns1.magedu.com.
11 IN PTR www.magedu.com.
12 IN PTR mx1.magedu.com.
12 IN PTR www.magedu.com.
13 IN PTR mx2.magedu.com.
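Turning an address into its in-addr.arpa name by hand is error-prone, so here is an added example (not from the original notes) that does it in bash: reverse_zone gives the zone name for a network prefix as described above, ptr_name gives the full name that dig -x looks up, and ptr_owner gives the relative label (the 11, 12, 13 in the zone file above) for a host inside a given reverse zone. The function names are constructed for this illustration, and the octets are validated so that a malformed address fails instead of producing a bogus name.

```shell
#!/bin/bash
# Added example: derive in-addr.arpa names the way the notes describe,
# with validation of the octets.  Function names are constructed for this
# illustration; they are not BIND tools.

# Reverse the dotted octets of a network prefix or host address (1 to 4 octets);
# a trailing dot as in "172.16.100." is tolerated.  Fails on malformed input.
reverse_octets() {
    local ip=${1%.} old_ifs=$IFS rev="" o
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -ge 1 ] && [ $# -le 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|????*) return 1 ;; esac   # 1 to 3 digits only
        [ "$o" -le 255 ] || return 1
        rev="$o${rev:+.$rev}"
    done
    printf '%s\n' "$rev"
}

# Reverse zone name for a network prefix: 172.16.100 -> 100.16.172.in-addr.arpa.
reverse_zone() {
    local rev
    rev=$(reverse_octets "$1") || return 1
    printf '%s.in-addr.arpa.\n' "$rev"
}

# Full PTR owner name for a host address (what "dig -x" looks up); needs 4 octets.
ptr_name() {
    local ip=${1%.} old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    reverse_zone "$ip"
}

# Owner label to write in a reverse zone file ("11 IN PTR ..." above): the part
# of the PTR name that is left after removing the zone's own name.
ptr_owner() {
    local ip=$1 zone=${2%.} full owner
    full=$(ptr_name "$ip") || return 1
    owner=${full%".$zone."}
    [ "$owner" != "$full" ] || return 1      # address is not inside that zone
    printf '%s\n' "$owner"
}

reverse_zone 172.16.100.
ptr_name 192.168.36.73
ptr_owner 172.16.100.11 100.16.172.in-addr.arpa.
```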

Cache server

A cache server needs only the root zone resolution database file (the hints file) and contains no other zone resolution database files; such a server is called a cache-only server. It only caches lookup results: it has no zone files for forward or reverse resolution of host names and IPs, and all of its data comes from external queries.
Configuration

recursion option
The recursion option determines whether the server can perform recursive queries. If it is only used as a DNS cache server, this option must be yes.
Bind is installed by default as a cache service, and requests from clients are resolved starting from the root:
# vi /etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
Note that with allow-query { any; } together with recursion yes, the server answers recursive queries from any host that can reach it; on a server exposed to the Internet, limit that to the networks it is meant to serve.
Specify forwarding:

options {
    // some settings omitted
    forward only;
    forwarders {
        114.114.114.114;
        8.8.8.8;
    };
};

A request received by the cache server is resolved by querying from the root domain; the result is returned to the client and kept in the cache for a certain period of time.

Forwarding server
A forwarding DNS server does not even need the root zone resolution database; it forwards the client's query request directly to an upstream DNS server for processing. In other words, the query that would originally have been sent to the root servers is handed directly to the upstream DNS server.

The DNS forwarding function mainly makes it easy to share DNS database resources and saves query time, since the server does not have to query recursively from the root each time; this also saves bandwidth.
forward first means that if the upstream servers cannot answer the request, this server will query from the root itself, and only if that also fails will it report that the name cannot be resolved.
vi /etc/named.conf
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    forward only;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
Forwarding is divided into global forwarding and forwarding for a specific zone; queries for the specified zone are forwarded to the designated upstream DNS.
forward only:
means that this server acts only as a forwarder; even if the root zone is configured, it will not query the root but will only hand the query to the upstream DNS servers.
The IPs listed after forwarders are its upstream DNS servers.

Slave server
Master-slave synchronization modes
Push: triggered by the master; "I have changed, so I notify you" (the serial number is used as the update trigger condition)
Pull: triggered by the slave; it polls at the refresh interval (comparing the database serial number)
2015042201  serial number (version)
1H  refresh time (polling interval)
5M  retry time
7D  expiration time
1D )  TTL value of negative answers (the caching time when there is no record)
DNS master-slave replication copies the resolution database of the master DNS server to the slave DNS server, after which the slave server can answer forward and reverse resolution itself.
The slave server queries the master server for updated data to keep the data consistent. This is zone transfer.
DNS zone transfer is the mechanism that implements DNS master-slave replication; master-slave replication is what zone transfer achieves.
There are two kinds of DNS zone transfer:

axfr: full zone transfer

ixfr: incremental zone transfer

When a new DNS server is added to the zone and configured as a slave DNS server, it performs a full zone transfer and obtains a complete copy of the resource records on the primary DNS server; afterwards, to keep the data synchronized, the primary server notifies the secondary servers whenever it is updated so that they update in time (incremental zone transfer).

The slave server only needs to define the zone and does not provide the resolution database file; the resolution database file is placed in the /var/named/slaves/ directory.
The master server must allow zone transfer to the slave server.
The master zone needs to be configured with the addresses of the secondary name servers of example.com that are allowed to transfer the zone:
allow-transfer {
    192.168.4.14; 192.168.5.53;
};

The clocks of the master and slave servers should be synchronized, which can be done with ntp;
The versions of the bind program should be the same; if they differ, the slave should not run an older version than the master.
Method of defining a slave zone:

allow-transfer { none; };

zone "ZONE_NAME" IN {
    type slave;
    masters { MASTER_IP; };
    file "slaves/ZONE_NAME.zone";
};
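Because a master zone with no allow-transfer (or with allow-transfer { any; }) hands its whole zone to anyone who asks with dig -t axfr, it is worth checking named.conf for exactly that before going live. The bash script below is an added example and not part of the original notes: audit_transfers and sample_named_conf are constructed for this illustration, the sample configuration mirrors the zone definitions used above, and the parser is deliberately small (it skips # and // comments but not /* */ blocks, and does not look inside view statements).

```shell
#!/bin/bash
# Added example: audit which master zones in a named.conf allow zone transfers,
# since "allow-transfer" is what keeps AXFR/IXFR limited to the slaves listed.
# Function names and the sample configuration are constructed for this
# illustration.  The parser handles "#" and "//" comments but not "/* */"
# blocks, and does not descend into "view" statements.

# Read named.conf text on stdin; print one line per master zone showing the
# effective allow-transfer (zone-level, else the global one from "options").
audit_transfers() {
    awk '
    {
        sub(/(#|\/\/).*/, "")          # drop line comments
        gsub(/[{};]/, " & ")           # make braces and semicolons separate tokens
        for (i = 1; i <= NF; i++) tok[++n] = $i
    }
    END {
        depth = 0; zone = ""; inopts = 0; pending = 0; nz = 0; gallow = ""
        for (i = 1; i <= n; i++) {
            t = tok[i]
            if (t == "{") {
                depth++
                if (pending) { zdepth = depth; pending = 0 }
                continue
            }
            if (t == "}") {
                if (zone != "" && depth == zdepth) {       # end of the zone block
                    nz++; zn[nz] = zone; zt[nz] = ztype; za[nz] = zallow; zone = ""
                }
                if (inopts && depth == 1) inopts = 0
                depth--
                continue
            }
            if (depth == 0 && t == "options") { inopts = 1; continue }
            if (depth == 0 && t == "zone") {
                zone = tok[i + 1]; gsub(/"/, "", zone)
                ztype = ""; zallow = ""; pending = 1
                i++
                continue
            }
            inzone = (zone != "" && depth == zdepth)
            if (t == "type" && inzone) ztype = tok[i + 1]
            if (t == "allow-transfer" && (inzone || (inopts && depth == 1))) {
                val = ""; j = i + 1
                if (tok[j] == "{") {
                    for (j++; j <= n && tok[j] != "}"; j++)
                        if (tok[j] != ";") val = val (val == "" ? "" : " ") tok[j]
                    i = j                                   # skip the consumed list
                }
                if (inzone) zallow = val; else gallow = val
            }
        }
        for (k = 1; k <= nz; k++) {
            if (zt[k] != "master" && zt[k] != "primary") continue
            eff = (za[k] != "") ? za[k] : gallow
            if (eff == "") { print zn[k] ": OPEN (no allow-transfer; default allows any host)" }
            else if (eff ~ /(^| )any( |$)/) { print zn[k] ": OPEN (allow-transfer " eff ")" }
            else if (eff == "none") { print zn[k] ": CLOSED (allow-transfer none)" }
            else { print zn[k] ": RESTRICTED to " eff }
        }
    }'
}

# Constructed named.conf fragment mirroring the examples in the notes.
sample_named_conf() {
    cat <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
};
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.168.4.14; 192.168.5.53; };
};
zone "36.168.192.in-addr.arpa" IN {
    type master;
    file "36.168.192.zone";
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { any; };   // transfers open to the world
};
zone "slave.example" IN {
    type slave;
    masters { 192.168.36.73; };
    file "slaves/slave.example.zone";
};
EOF
}

sample_named_conf | audit_transfers
```

On a real server run it as named-checkconf -p /etc/named.conf | audit_transfers (named-checkconf -p prints the parsed configuration with include files expanded) and treat every OPEN line as something to fix with an explicit allow-transfer list or { none; }. A master zone with no allow-transfer of its own inherits the global default, which in older BIND versions (9.16 and earlier) is any.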

Full zone transfer configuration:
1. Primary server named.conf configuration: add notify yes so that the slave servers are notified.

2. Edit the master server's /etc/named.rfc1912.zones and add the zone definitions:
zone "example.com" IN {
    type master;
    file "example.named.zone";
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.in.addr.zone";
};

3. Add the resolution database files under /var/named/ and configure them.
When modifying the forward and reverse resolution database files of the master server, add the NS record and A record of the slave name server: the database file must declare every DNS server of this zone, otherwise those records cannot be queried.
example.named.zone

1.168.192.in.addr.zone
4. Modify the slave server:
vim /etc/resolv.conf
nameserver MASTER_IP
5. Copy the configuration files of the master server to the local host:
# scp MASTER_IP:/etc/named.rfc1912.zones /etc/
# scp MASTER_IP:/etc/named.conf /etc/
Modify the owner and group permissions of the copied files.
Change the zone type in the configuration file (and set allow-transfer as appropriate):
zone "example.com" IN {
    type slave;
    masters { MASTER_IP; };
    file "slaves/example.named.zone";
};
zone "1.168.192.in-addr.arpa" IN {
    type slave;
    masters { MASTER_IP; };
    file "slaves/1.168.192.in.addr.zone";
};
6. Restart the service.
7. Check whether the successfully transferred zone files are in the /var/named/slaves/ directory of the slave server.

Incremental zone transfer
1. Modify the forward resolution file of the master server, add an A record (for testing), increase the serial number by one, save and exit.

2. Reload the master DNS server and view the log:
# systemctl reload named
# tail /var/log/messages
3. Then check the log of the slave server; you can see that the transfer has succeeded.
4. Check the forward resolution file on the slave server; you can see that the record has been synchronized.

Subdomain authorization

It is equivalent to partitioned management, with authorization delegated from top to bottom, starting from the root ".".

The most important thing in DNS is the NS record. Within each zone that an NS record points to, the person in charge is given by the SOA. Defining an NS record and an A record (glue) on the parent domain completes the subdomain authorization.

Similar to the root domain authorizing the TLDs:
com. IN NS ns1.com.
com. IN NS ns2.com.
ns1.com. IN A 2.2.2.1
ns2.com. IN A 2.2.2.2

For magedu.com., add resource records in the resolution database on the .com name server:
magedu.com. IN NS ns1.magedu.com.
magedu.com. IN NS ns2.magedu.com.
magedu.com. IN NS ns3.magedu.com.
ns1.magedu.com. IN A 3.3.3.1
ns2.magedu.com. IN A 3.3.3.2
ns3.magedu.com. IN A 3.3.3.3

When a slave server is added to the subdomain, the outside world cannot use it until its NS record is added on the delegating (parent) server:
tech.magedu.com. IN NS dns.tech.magedu.com.
dns.tech.magedu.com. IN A 172.16.17.1
tech.magedu.com. IN NS ns2.tech.magedu.com.
ns2.tech.magedu.com. IN A 172.16.17.2

For remote queriers there is no distinction between master and slave; master and slave only matter for zone transfer in local management.
When a user queries, the server returns the records in a round-robin manner, which achieves load balancing.

Parent domain resolution database file configuration

vi /var/named/frank.com.zone
$TTL 1D
frank.com. IN SOA master.frank.com. admin.frank.com. (
        201802002 ; serial number
        3H        ; refresh time
        10M       ; retry interval
        1W        ; expiration time
        1D        ; TTL value of negative answers when a name cannot be resolved
        )
frank.com. IN NS master.frank.com.
mf.frank.com. IN NS sub.mf.frank.com.
master.frank.com. IN A 192.168.138.200
sub.mf.frank.com. IN A 192.168.138.201
frank.com. IN MX 10 mx1.frank.com.
frank.com. IN MX 20 mx2.frank.com.
mx1.frank.com. IN A 192.168.138.200
mx2.frank.com. IN A 192.168.138.200
www IN A 192.168.138.200
web IN CNAME www.frank.com.

Subdomain configuration (on the sub server)

Subdomain zone configuration
vi /etc/named.conf

zone "mf.frank.com" IN {
    type master;
    file "mf.frank.com.zone";
};

If requests for the parent domain should be forwarded to it, add the following (delete this entry if not needed):

zone "frank.com" IN {
    type forward;
    forward only;
    forwarders { 192.168.138.200; };
};

Subdomain zone resolution file

# vi /var/named/mf.frank.com.zone
$TTL 600
@ IN SOA sub.mf.frank.com. admin.sub.mf.frank.com. (
        201802001
        2H
        15M
        1W
        1D )
@ IN NS sub.mf.frank.com.
sub IN A 192.168.138.201
www IN A 192.168.138.201
rndc reload

Smart DNS
Create views with an ACL for each target IP range; if the client IP falls within an ACL's range, the query is answered from the zone file configured for that view.

https://www.centos.bz/2012/02/cnc-chinanet-bind-intelligent-dns-deploy/

rpm -q bind >/dev/null 2>&1 && echo "bind installed" || echo "bind is not installed"
main () {
    echo "-----------------------------"
    # zone configuration
    read -t 30 -p "name of main zone, like xxxx.com: " zone
    read -t 30 -p "ip of main zone: " ip
    echo "You should modify it after executing this"
    # listen on all addresses and answer queries from anyone (adjust afterwards)
    sed -ri.bk 's/(listen-on port 53).*/\1 { any; };/; s@(allow-query ).*@\1 { any; };@' /etc/named.conf
    cat >> /etc/named.conf <<EOF
zone "$zone" IN {
    type master;
    file "$zone.zone";
};
EOF
    # \$ keeps \$TTL and \$ORIGIN literal inside the unquoted heredoc
    cat > /var/named/$zone.zone <<EOF
\$TTL 1D
\$ORIGIN $zone.
@ IN SOA ns1.$zone. admin.$zone. (
        $(date +%Y%m%d)
        1H
        5M
        7D
        1D )
    IN NS ns1
ns1 IN A $ip
73 IN A $ip
www IN CNAME 73
EOF
}

recuser() {
    echo "should modify where it says xxxxxx"
    cat >> /etc/named.conf <<EOF
zone "xxxxx.in-addr.arpa" {
    type master;
    file "xxxxx.zone";
};
EOF

    cat > /var/named/xxxx.zone <<EOF
\$TTL 1D
\$ORIGIN xxxxxx.in-addr.arpa.
@ IN SOA ns1.xxxxxx.com. admin.xxxxxx.com. (
        20190419
        1H
        5M
        7D
        1D
        )
    IN NS ns1.xxxxxx.com.
xx IN PTR xxxxxxx.com.
xx IN PTR xxxxxx.com.
EOF
}
main

About the authorization of domain name resolution

First, two related concepts:
Domain name authorization: specifying who is the authoritative DNS of the domain name, that is, who is responsible for resolving the domain name (done through NS records).
Authoritative DNS: specifically, the DNS that has the authority to publish a given domain name; the original source of the domain name's resolution results (domain name records) on the Internet.
Current status of domain name resolution authorization:
At present, domain name resolution authorization on the Internet generally means that whoever sells the domain name assigns its authoritative DNS, and provides the authoritative DNS that completes the resolution work. For example, by default Xinnet's authoritative DNS (nsx.xinnetdns.com, nsx.xinnet.cn) is responsible for resolving the domain names it sells:

# dig @a.gtld-servers.net xinnet.com ns
;; ANSWER SECTION:
xinnet.com. 172800 IN NS ns.xinnet.cn.
xinnet.com. 172800 IN NS ns.xinnetdns.com.
xinnet.com. 172800 IN NS ns2.xinnet.cn.
xinnet.com. 172800 IN NS ns2.xinnetdns.com.
How domain name resolution authorization is realized:
Domain name resolution authorization is a tree-like, top-down hierarchical system; the simplified diagram is as follows:
[figure: simplified diagram of the domain name authorization hierarchy]

First, the "." (root) DNS delegates suffixes such as COM/NET/CN/ORG/TV to different DNS servers to facilitate separate management. For example, the COM/NET domain names are delegated to the following authoritative DNS.
It is not hard to see that if you want to modify the authoritative DNS of COM/NET, you must do so at the "." DNS.
# dig com. ns
;; ANSWER SECTION:
com. 96045 IN NS d.gtld-servers.net.
com. 96045 IN NS g.gtld-servers.net.
com. 96045 IN NS b.gtld-servers.net.
com. 96045 IN NS k.gtld-servers.net.
com. 96045 IN NS f.gtld-servers.net.
com. 96045 IN NS l.gtld-servers.net.
com. 96045 IN NS j.gtld-servers.net.
com. 96045 IN NS a.gtld-servers.net.
com. 96045 IN NS i.gtld-servers.net.
com. 96045 IN NS m.gtld-servers.net.
com. 96045 IN NS e.gtld-servers.net.
com. 96045 IN NS h.gtld-servers.net.
com. 96045 IN NS c.gtld-servers.net.
For the same reason, to specify or modify the authoritative DNS of ABC.COM, the operation is done on the top-level DNS. Generally speaking, an ordinary domain name owner has no right to log in to the top-level DNS; the records on the top-level DNS can only be operated indirectly through the dedicated interface of the domain name provider (such as Xinwang, Wanwang, etc.), located on the provider's domain name management platform.
Take ABC.COM as an example to briefly explain how to specify your own authoritative DNS. Assuming that ABC.COM was purchased from Xinnet, the default authoritative DNS for this domain name is nsx.xinnetdns.com and nsx.xinnet.cn. To change the default authoritative DNS, first log in to Xinnet's domain name management backend and find the page for modifying the domain name DNS (the detailed process is here: http://www.2cto.com/net/201210/161851.html). After the operation is completed, verify whether the modification succeeded:
# dig @a.gtld-servers.net abc.com ns
;; ANSWER SECTION:
abc.com. 172800 IN NS ns1.ai-dns.com.
abc.com. 172800 IN NS ns2.ai-dns.com.
abc.com. 172800 IN NS ns3.ai-dns.com.
Here we have authorized ABC.COM to nsx.ai-dns.com.
Regarding the re-authorization of the domain name's authoritative DNS:
Taking ABC.COM as an example, re-authorization refers to re-designating the authoritative DNS of the domain name on nsx.ai-dns.com. Re-authorization has several meanings:

  1. Expand the number of existing authoritative DNS. For example, there are three DNS servers, ns1, ns2 and ns3.ai-dns.com. To increase to 4, add the NS record of ns4 in the ZONE file of abc.com on the original 3 DNS servers.
    Original ZONE content:
    $TTL 2d
    $ORIGIN abc.com.
    @ 3600 IN SOA ns1.ai-dns.com. root.ai-dns.com. (
    2288091841 1h 600 1w 900 )
    @ 2d IN NS ns1.ai-dns.com.
    @ 2d IN NS ns2.ai-dns.com.
    @ 2d IN NS ns3.ai-dns.com.
    After adding the NS record of ns4, it is:
    $TTL 2d
    $ORIGIN abc.com.
    @ 3600 IN SOA ns1.ai-dns.com. root.ai-dns.com. (
    2288091841 1h 600 1w 900 )
    @ 2d IN NS ns1.ai-dns.com.
    @ 2d IN NS ns2.ai-dns.com.
    @ 2d IN NS ns3.ai-dns.com.
    @ 2d IN NS ns4.ai-dns.com.
    Of course, adding ns4 can also be done on the top-level DNS, so that won't be repeated.
  2. Re-authorize the authoritative DNS to other DNS, such as re-authorizing from the original authoritative DNS (nsx.ai-dns.com) to others (nsx.ddd.com). The process is the same as above and is not repeated here.
    Potential problems of re-authorization:
    Re-authorization undoubtedly makes domain name resolution and authorization more flexible, but it carries the following potential risks. When the originally authorized authoritative DNS (that is, the authoritative DNS defined in the top-level DNS) fails, the re-authorized DNS will not work either, causing the domain name to become unresolvable (this is determined by the top-down nature of domain name resolution). At the same time, it also increases security risks.
    Additional Part 1: use WHOIS with caution when looking up the authoritative DNS of a domain name.
    The WHOIS database of domain names is controlled by the domain name sellers; that is, each domain name seller has its own WHOIS server, which stores the information of the domain names it sold, such as the domain name owner, contact details, expiration time and so on. The current authoritative DNS information of the domain name displayed in the WHOIS data may not be synchronized in time with the actual authoritative DNS of the domain name, which leads to wrong judgments.
    Additional Part 2: how is the "." root DNS authorized?
    Because the "." root DNS is at the top of the domain name resolution system, it cannot be authorized in the usual way. So far, the method is to store the list of all "." DNS servers in a text file (it authorizes itself), usually named root.hint, whose content is as follows (excerpt):
    . 3600000 IN NS A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
    . 3600000 NS B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201

Others

1. Authoritative DNS:
An authoritative DNS is a server that has been authorized by the upper level to resolve a domain name. It can in turn delegate the resolution authorization to others. For example, the top-level COM server can authorize NS.ABC.COM as the authoritative server of ABC.COM, and NS.ABC.COM can delegate the authorization to NS.DDD.COM, so that NS.DDD.COM becomes the de facto authoritative server of ABC.COM. Usually the results of our domain name resolution come from the authoritative DNS.

2. Recursive DNS:
Responsible for accepting user queries for any domain name and returning the results to users. For the working process of recursive DNS, refer to the second section of this article. Recursive DNS can cache the results to avoid repeated upward queries. This is the kind of DNS we use most; it is open to the public and generally provided by network operators, but anyone can run a recursive DNS themselves. A recursive DNS must have a reliable Internet connection before it can be used.
3. Forwarding DNS:
Responsible for accepting user queries and returning results to users. But the result is not obtained through the standard domain name resolution process; instead the result from a recursive DNS is forwarded to the user. It also has a cache. It is mainly used when there is no direct Internet connection but a recursive DNS can be reached; in that case a forwarding DNS is more appropriate. Its shortcomings: it is directly affected by the recursive DNS, and its service quality is poorer.

On the Internet, domain name resolution authorization generally means that whoever sells the domain name assigns the authoritative DNS of that domain name and provides the authoritative DNS that completes the resolution work.

Domain name resolution authorization is a tree-like, top-down hierarchical system.

Specifying or modifying the authoritative DNS of ABC.COM is done on the top-level DNS. Generally speaking, an ordinary domain name owner has no right to log in to the top-level DNS; the records on the top-level DNS can only be operated indirectly through the dedicated interface of the domain name provider (such as Xinwang, Wanwang, etc.), located on the provider's domain name management platform.

dig @a.gtld-servers.net abc.com ns
Re-authorization of the domain name's authoritative DNS:
Adding further NS records in the zone; this operation is performed on the top-level DNS.
Re-authorizing the authoritative DNS to other DNS, such as the original authoritative DNS (nsx.ai-dns.com) being re-authorized to others (nsx.ddd.com); that is, the SOA record in the zone file of the top-level domain name server is modified. (Modify the authorized DNS at the domain name registrar, provided that the necessary records have already been added at the other service provider.)

Smart DNS

  1. A Netcom user asks its local DNS to resolve WWW.ABC.COM.
  2. The local DNS queries the authoritative DNS of ABC.COM (the authoritative DNS here must be a smart DNS).
  3. The smart DNS matches the IP address of the requester (here, the local DNS) against its own ACLs, and returns the matching result to the local DNS.
  4. The local DNS tells the user the result and caches it.
  5. The user visits the website server on the Netcom line.

Special attention:

  1. The basis on which smart DNS determines the user's source is the local DNS, not the user's own IP address.
  2. Extending from the above, if a telecom user uses Netcom's DNS, smart DNS will match it to Netcom's resolution results.
  3. Under normal circumstances, the local DNS does not itself request resolution directly from the smart DNS; this is determined by the network topology of the local DNS.

Domain name migration

Domain name migration means modifying the authoritative DNS of the domain name, that is, migrating the authoritative DNS of the domain name ABC.COM from A to B. The most common form in practice is transferring the domain name to another DNS service provider for resolution.

The correct process:

  1. First go to B and add your domain name, including its SOA, NS, A, CNAME, MX records and so on. Then use tools such as dig/nslookup to verify that the records you just added are in effect, for example to verify the A record WWW.ABC.COM: dig @B WWW.ABC.COM A
  2. Go to the original domain name registrar and change the authoritative DNS of the domain name to B, that is, change the NS records of the domain name to B. Note that the other records on the original authoritative DNS of the domain name should be kept for a period of time and not deleted immediately. Then verify that the modification has taken effect on the top-level domain DNS, for example by checking the current authoritative DNS of ABC.COM: dig @a.gtld-servers.net ABC.COM NS
  3. The transition period of the domain name transfer:
    While the authoritative DNS of the domain name moves from A to B, the right to resolve the domain name changes. It takes some time for recursive DNS servers around the world to learn of the change, because they have cached the previous state of the domain name, and updating to the latest state takes time.

Determining the length of the transition period:
We do a trace query on the domain name to find out the TTL value of its NS records. For example, querying a CN domain name:

dig xxx.cn ns +trace

xxx.cn. 21600 IN NS ns.xxx.cn.
xxx.cn. 21600 IN NS ns.xxx.com.
;; Received 83 bytes from 203.119.25.1#53(A.DNS.cn) in 46 ms
xxx.cn. 21600 IN NS ns.xxx.cn.
xxx.cn. 21600 IN NS ns.xxx.com.
;; Received 83 bytes from 129.44.79.4#53(ns.xxx.cn) in 78 ms
If, as above, the TTL values of the NS records on the authoritative DNS and on the top-level domain DNS are the same, the transition period is 21600 seconds.

In special cases, the TTL value of the domain name's NS records defined on the original authoritative DNS differs from the one defined in the top-level domain DNS. In that case the TTL on the original authoritative DNS is the effective value. For example, 163.cn:

dig 163.cn ns +trace

163.cn. 21600 IN NS ns1.newfavor.net.
163.cn. 21600 IN NS ns2.newfavor.net.
;; Received 72 bytes from 203.119.28.1#53(D.DNS.cn) in 62 ms
163.cn. 10800 IN NS dns1.amway.com.
163.cn. 10800 IN NS ns2.newfavor.net.
163.cn. 10800 IN NS ns1.newfavor.net.
;; Received 174 bytes from 61.145.126.88#53(ns1.newfavor.net) in 93 ms

You can see that the TTL of the domain name's NS records on the top-level domain is 21600, and it is redefined as 10800 on the authoritative DNS; in this case the TTL on the original authoritative DNS is the effective value.

In actual work, to be safe, we take the larger of the two as the final reference value.
Here are the TTL values of the NS records of several TLDs:
COM. TTL = 172800 (48 hours)
NET. TTL = 172800 (48 hours)
ORG. TTL = 86400 (24 hours)
CN. TTL = 21600 (6 hours)
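The rule above (compare the NS TTL the top-level domain hands out with the one the authoritative servers hand out, and plan with the larger) can be read straight off the +trace output. The bash script below is an added example, not part of the original notes: ns_ttls and transition_period are constructed for this illustration, sample_trace_163 embeds the 163.cn trace quoted above, and sample_trace_other is a constructed trace in which the authoritative TTL is the larger one.

```shell
#!/bin/bash
# Added example: estimate the migration transition period from "dig NAME ns +trace"
# output, taking the larger of the TLD delegation TTL and the authoritative TTL
# as the notes recommend.  Function names are constructed for this illustration.

# The 163.cn trace quoted in the notes (last two answer blocks).
sample_trace_163() {
    cat <<'EOF'
163.cn.   21600   IN   NS   ns1.newfavor.net.
163.cn.   21600   IN   NS   ns2.newfavor.net.
;; Received 72 bytes from 203.119.28.1#53(D.DNS.cn) in 62 ms
163.cn.   10800   IN   NS   dns1.amway.com.
163.cn.   10800   IN   NS   ns2.newfavor.net.
163.cn.   10800   IN   NS   ns1.newfavor.net.
;; Received 174 bytes from 61.145.126.88#53(ns1.newfavor.net) in 93 ms
EOF
}

# Constructed trace where the authoritative servers publish the longer TTL.
sample_trace_other() {
    cat <<'EOF'
example.test.   21600   IN   NS   ns1.example.test.
;; Received 60 bytes from 192.0.2.1#53(a.tld.test) in 40 ms
example.test.   43200   IN   NS   ns1.example.test.
;; Received 60 bytes from 192.0.2.53#53(ns1.example.test) in 41 ms
EOF
}

# Print "tld_ttl auth_ttl larger" from a +trace transcript on stdin.  Every
# answer block ends with a ";; Received ... from SERVER" line; the last two
# blocks are the TLD delegation and the authoritative answer.
ns_ttls() {
    awk '
        $3 == "IN" && $4 == "NS" { ttl = $2 + 0 }        # TTL seen in the current block
        /^;; Received/           { block[++nb] = ttl }   # block complete
        END {
            if (nb < 2) { print "fewer than two NS answer blocks" > "/dev/stderr"; exit 1 }
            tld = block[nb - 1]; auth = block[nb]
            print tld, auth, (tld > auth ? tld : auth)
        }
    '
}

# Human-readable transition period: the larger TTL, in seconds and whole hours.
transition_period() {
    local ttls
    ttls=$(ns_ttls) || return 1
    set -- $ttls
    printf '%s seconds (%d hours)\n' "$3" "$(($3 / 3600))"
}

sample_trace_163 | transition_period
sample_trace_other | transition_period
```

On a live domain, feed it with dig NAME ns +trace | transition_period; the full trace also contains the root and TLD blocks, but only the last two matter for this estimate.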

Zone file, saved on the authoritative DNS:
@ 3600 IN SOA ns1.ddd.com. root.ddd.com.

This is the SOA record of the domain name, where @ stands for the domain name itself. ns1.ddd.com represents the primary authoritative DNS of the domain name. root.ddd.com indicates the main authority DN

Named startup error troubleshooting

named -gc /var/named/etc/named.conf
(-g runs named in the foreground and writes its log to stderr, so startup errors are visible; -c names the configuration file to use.)

Configuration and execution logging

named.conf logging configuration:

logging {
    channel warning {
        file "log/named.log" versions 3 size 2048k;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query {
        file "log/query.log" versions 3 size 2048k;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category queries { query; };
};

This records named's running log and the daily query log in the named.log and query.log files respectively (file paths are relative to the directory option, /var/named). Query logging is off by default even with this channel in place; turn it on with querylog yes; in options or at run time with rndc querylog.
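With the query channel above enabled, the useful next step is to actually read query.log. The bash script below is an added example, not part of the original notes: sample_query_log, query_summary and find_transfer_requests are constructed for this illustration, and the log lines are constructed in the layout BIND writes when print-time, print-category and print-severity are on. It shows the busiest client addresses and singles out AXFR, IXFR and ANY requests, which are what someone sends when trying to pull a whole zone.

```shell
#!/bin/bash
# Added example: summarise a BIND query log produced by the "queries" channel
# above (print-time, print-category and print-severity all on).  Function names
# and the log lines are constructed for this illustration; the line layout
# follows BIND's "client ADDR#PORT (NAME): query: NAME IN TYPE FLAGS" format.

# Constructed sample of /var/named/log/query.log (one entry per line).
sample_query_log() {
    cat <<'EOF'
15-Apr-2019 10:00:01.123 queries: info: client 192.168.36.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (192.168.36.73)
15-Apr-2019 10:00:02.456 queries: info: client @0x7f3a1c0 192.168.36.10#51235 (mx1.example.com): query: mx1.example.com IN MX + (192.168.36.73)
15-Apr-2019 10:00:03.789 queries: info: client 192.168.36.20#40000 (example.com): query: example.com IN AXFR -T (192.168.36.73)
15-Apr-2019 10:00:04.012 queries: info: client 192.168.36.10#51236 (ns1.example.com): query: ns1.example.com IN AAAA + (192.168.36.73)
15-Apr-2019 10:00:05.345 queries: info: client 10.0.0.5#1234 (example.com): query: example.com IN ANY + (192.168.36.73)
EOF
}

# Queries per client address, busiest first (ties broken by address).  The
# client token is found by shape (ADDR#PORT) because newer BIND versions put
# an "@0x..." handle before it, which shifts the field positions.
query_summary() {
    awk '
        /query:/ {
            client = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9.]+#[0-9]+$/) { client = $i; sub(/#.*/, "", client) }
            if (client != "") count[client]++
        }
        END { for (c in count) print c, count[c] }
    ' | sort -k2,2nr -k1,1
}

# Clients asking for whole-zone data: AXFR/IXFR (zone transfers) or ANY.
# With allow-transfer restricted these are refused, but the log still shows
# who tried, which is worth alerting on.
find_transfer_requests() {
    awk '
        /query:/ {
            client = ""; qname = ""; qtype = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^[0-9.]+#[0-9]+$/) { client = $i; sub(/#.*/, "", client) }
                if ($i == "query:") { qname = $(i + 1); qtype = $(i + 3) }
            }
            if (qtype == "AXFR" || qtype == "IXFR" || qtype == "ANY")
                print client, qtype, qname
        }
    '
}

echo "queries per client:"
sample_query_log | query_summary
echo "zone-transfer style requests:"
sample_query_log | find_transfer_requests
```

Against the real file the calls are query_summary < /var/named/log/query.log and find_transfer_requests < /var/named/log/query.log; a client that is not one of the configured slaves showing up in the second list is the signal to check the allow-transfer ACL.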

Server security risks include the operating system, the software it runs, the physical security of the server itself, and so on. The general principle for improving server security is "one more and one less": be a more diligent administrator, pay more attention to software bug announcements and update the software in time; and run as few non-essential programs as possible and open as few network ports to the Internet as possible.
