allow-recursion {}; allow-recursion { 192.168.1.0/24; }; #(用于定义客户端来源的)这样子就只给 这个网段的192.168.1.0/24 电脑递归
allow-query {}; 只允许某些人查询,互联网上的人都查询不了,访问不了了,所以用得不多
allow-transfer {}; 允许谁来传送(传输),对每一个区域生效 可以定义在下面的区域里面
axfr
ixfr
allow-query { 172.16.0.0/16;127.0.0.0/8;10.0.0.0/8; };
acl 访问控制列表 定义一下 172.16.0.0/16;127.0.0.0/8;10.0.0.0/8; 这些ip,放在前面,然后我们随时来使用就可以了
使用花括号(大括号)括起来,当然不用写在同一行当中,只要花括号成组出现的就行,里面把客户端地址都写在这儿,可以一行写一个
# generic form: an acl is a named list of address prefixes; one per line or all on one line,
# the only requirement is that the braces come as a pair
acl ACL_NAME {
172.16.0.0/16;
127.0.0.0/8;
};
# concrete example: define the list once, then reference it by name wherever an address list is accepted
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
allow-query { innet; }; # only innet may query; an acl must be defined before it is referenced
这样子的话 innet 可以被使用多次,修改的时候只需要修改一次
acl 可以定义多个
内置的两个常用的列表
none; 谁都没有
any; 所有的 任何的 任意的
bind97 Manual.pdf:bind97 的手册,是英文的,建议大家去看看。手册不是要一页一页地去看的,而是用到的时候去查询的东西,比如某个知识点想不明白、某个指令不会用,就到这里查查。马哥讲的内容已经覆盖了 bind97 Manual.pdf 这本书 1/3 到 1/2 的内容了
DNS and BIND 5th(2006) 这是学习dns最经典的一本书,也是英文的。简单用法,高级用法,与安全相关的话题几乎都有所涉及。讲的是 bind 9.3.2 的版本,安装bind 而不是bind97可能会遇到更少的问题
acl 必须要先定义,才能使用,因此一般而言对于我们的主配置文件来说,acl是写在最上面的,后面进行调用acl
acl 名称(ACL_NAME )中间有空格的话(这里名称为 innet ,没有空格),要用引号引起来
[root@localhost ~]# vim /etc/named.conf
# "innet": the clients this server treats as its own network; referenced by allow-recursion below
acl innet {
192.168.1.0/24;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse, everyone else gets authoritative answers only
# no global allow-transfer: each zone below sets its own
#allow-transfer
notify yes;
};
# root hints: only the recursing side (innet) needs them
zone "." IN {
type hint;
file "named.ca";
#allow-transfer { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-transfer { none; };
};
zone "mageedu.com" IN {
type master;
file "mageedu.com.zone";
# zone transfer (AXFR/IXFR) only to the secondary at 192.168.1.15
allow-transfer { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN{
type master;
file "192.168.1.zone";
allow-transfer { 192.168.1.15; };
};
# TSIG key for the rndc control channel below.
# NOTE(review): hmac-md5 is the weakest algorithm BIND accepts here; prefer hmac-sha256
# (rndc-confgen -A hmac-sha256) when generating a new key.
# NOTE(review): the secret is a shared credential; once it has been pasted into notes like
# these it should be regenerated, and it must not be reused on a real server.
key "rndc-key" {
algorithm hmac-md5;
secret "Fc3ldG+QkyLiMNT1qH+wOA==";
};
# rndc listens on the LAN address; only 192.168.1.15 presenting the key above may connect.
# Binding to 127.0.0.1 is the safer choice unless remote rndc is really needed.
controls {
inet 192.168.1.45 port 953
allow { 192.168.1.15; } keys { "rndc-key"; };
};
[root@localhost ~]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost ~]#
看一下日志,好像没有发现有什么问题
[root@localhost ~]# tail /var/log/messages
Feb 12 20:36:58 localhost named[5513]: automatic empty zone: A.E.F.IP6.ARPA
Feb 12 20:36:58 localhost named[5513]: automatic empty zone: B.E.F.IP6.ARPA
Feb 12 20:36:58 localhost named[5513]: command channel listening on 192.168.1.45#953
Feb 12 20:36:58 localhost named[5513]: zone 0.0.127.in-addr.arpa/IN: loaded serial 0
Feb 12 20:36:58 localhost named[5513]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2013040105
Feb 12 20:36:58 localhost named[5513]: zone mageedu.com/IN: loaded serial 2013040206
Feb 12 20:36:58 localhost named[5513]: zone localhost/IN: loaded serial 0
Feb 12 20:36:58 localhost named[5513]: running
Feb 12 20:36:58 localhost named[5513]: zone mageedu.com/IN: sending notifies (serial 2013040206)
Feb 12 20:36:58 localhost named[5513]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2013040105)
[root@localhost ~]#
电信和联通各地是独立的网络 ,在某个机房里面,有个总接口,把这两个网络连起来(好像是在北京方中机房里面,把电信和联通连起来了)
总带宽是100G
电信和联通 网内交互快, 网间交互只一个管子,.速度慢
有人做过统计,用户最大耐心是3秒,超过5秒,用户会流失60%
智能DNS:我们的DNS服务器能够根据客户端来源所属的网络进行判断并且返回给一个我们事先定义好的IP地址(服务端地址),这种机制就称为智能DNS
dns在自己的服务器内部可以做视图 (view)
将数据文件切割成两部分,如果客户端来自于联通,就查找左边的文件,如果客户端来自于电信,就查找右边的文件,我们用了两个数据文件分别应对来自于不同网络的用户请求,
这样子就带来了判断客户端来源,如果客户端来自于联通,就查找左边的文件,如果客户端来自于电信,就查找右边的文件,
由此我们就可以把解析的结果一分为二,
split brain
当然不止分成两个,可以分成多个数据文件
比如对于全国来讲,我们可以按照各个地域进行区分,
浙江联通 浙江电信 上海联通 上海电信
可以根据地域和网络划分成70 个不同的网络模型都是可以的
有没有公司在各地70 个机房里都放服务器
像百度 淘宝 腾讯 都是这样子的放70 个服务器
当然它们放的不一定是源服务器 ,而是缓存服务器
web对象缓存
CDN: Content Delivery Network ( 内容分发网络 )
我们能缓存的通常都是静态内容(比如html 图像文件),只有动态内容才从原始服务器进行获取
而且动态内容里面的绝大部分也可以通过策略设定后也能够静态化,并且缓存到用户本地cdn,
一个比较重要的前提是要能够判断客户端来源,而且要根据客户端来源来返回一个离它最近的服务器地址
因此 智能DNS对于现代网络来讲是一个比较重要的功能,虽然它并非是必须的
cdn有自己的路由分发功能,这些高级话题,这里不多说
假设来自于 172.16.0.0/16 127.0.0.0/8这个网段的 都是电信返回
来自于其它的 都是联通返回
把 192.168.1.45 作为dns服务器
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:81:DB:A1
inet addr:192.168.1.45 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe81:dba1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:932 errors:0 dropped:0 overruns:0 frame:0
TX packets:76 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:82373 (80.4 KiB) TX bytes:11643 (11.3 KiB)
Interrupt:67 Base address:0x2000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:48 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11380 (11.1 KiB) TX bytes:11380 (11.1 KiB)
[root@localhost ~]#
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
[root@localhost ~]#
虚拟机 192.168.1.45 (作为dns服务器) 增加一个网卡 eth1
配置一下 另一个ip 172.16.0.1
[root@localhost ~]# ifconfig eth1 172.16.0.1/16
[root@localhost ~]# route del -net 0.0.0.0 删除默认网关
[root@localhost ~]# route add default gw 172.16.0.1 增加默认网关
[root@localhost ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
172.16.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth1
[root@localhost ~]#
防火墙关掉
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]#
把 192.168.1.15 作为客户端
先停掉named
[root@localhost ~]# service named stop
Stopping named: [确定]
[root@localhost ~]#
把 192.168.1.15 作为客户端 (按刚才的假设是 联通网)
[root@localhost ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:0F:3A:5D
inet addr:192.168.1.15 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe0f:3a5d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1006 errors:0 dropped:0 overruns:0 frame:0
TX packets:86 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:92668 (90.4 KiB) TX bytes:11599 (11.3 KiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:40 errors:0 dropped:0 overruns:0 frame:0
TX packets:40 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:6474 (6.3 KiB) TX bytes:6474 (6.3 KiB)
[root@localhost ~]#
把 192.168.1.15 作为另一个客户端
停掉named
[root@localhost ~]# service named stop
Stopping named: [确定]
[root@localhost ~]#
防火墙关掉
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]#
把 另一个客户端 192.168.1.25 改为 172.16.10.2 作为客户端
最后设置后的 #ifconfig 和 # route -n 如下
# ping 192.168.0.55 (能ping通)
# setenforce 0 (关闭selinux)
# getenforce
Permissive
# service named stop (named停掉)
防火墙关掉
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
要想让它具有智能解析的功能,使用视图 view
几乎在 options 当中的所有指令,对于view来讲都可以使用(除了directory 指令以外,其它像 allow-query recursion 等太多的指令都可以使用 )
view VIEW_NAME{
};
一旦定义了 view , 所有的区域都必须定义在 view 视图中,因此所有的zone都必须定义在view里面
虚拟机 192.168.1.45 (作为dns服务器)
zone "." IN 应该定义在 只需要定义在需要递归的 view 当中
只给自己的内网客户端递归,跟内网本身没有关系的,我们通通不允许递归
[root@localhost ~]# man named.conf
match-clients: 判断哪些客户端,主要是用于匹配来自于什么地方的客户端的
把我们的网络定义三个视图
内网
电信
联通
来自于电信和联通的用户我们都不给它做递归,只要不递归,我们都不用给它提供根的解析
我们把服务器放在互联网上,哪怕连本地的客户端都不允许给它进行递归的时候,只让dns工作在互联网上的时候,连根区域我们都不用声明的,它们都可以工作起来,当然一般来讲我们应该提供根区域,那就意味着我们随便在任何一个视图中提供就可以了
每一个视图都要对应一个区域数据文件,只要你的这样一个区域给它在不同的视图中都提供了,我们就要给它不同的区域文件
虚拟机 192.168.1.45 (作为dns服务器)
[root@localhost ~]# cp /etc/named.conf /root/ ( 备份一下named.conf )
You have new mail in /var/spool/mail/root
[root@localhost ~]#
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
# "innet" = the clients the telecom view below is meant for
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
# allow-transfer is unset here and in the zones below, so any client matching a view can AXFR
# its zone (the dig -t axfr later in these notes succeeds from 192.168.1.15 against such a config);
# add allow-transfer { none; }; or list only the secondary's address
#allow-transfer
notify yes;
};
# views are tried top-down and the first one whose match-clients fits the source address answers,
# so the specific view must come before the any-catch-all. Once views are used every zone must
# live inside a view; note that no root hint zone is defined in either view here.
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
};
[root@localhost ~]# named-checkconf
[root@localhost ~]# cd /var/named/
[root@localhost named]# vim telecom.mageedu.com.zone
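$TTL 43200 ; default TTL for records that give none
; SOA: primary NS, admin mailbox (admin@mageedu.com), then serial / refresh / retry / expire / negative-cache TTL
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040201
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail ; 10 is the MX preference (lower is preferred); zone-file comments start with ';', not '#'
ns1 IN A 172.16.0.1
mail IN A 172.16.0.2
www IN A 172.16.0.1 ; the "telecom" answer for www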
[root@localhost named]# chgrp named telecom.mageedu.com.zone
[root@localhost named]# chmod 640 telecom.mageedu.com.zone
[root@localhost named]# cp -p telecom.mageedu.com.zone unicom.mageedu.com.zone (这样就不用改权限和所有者)
[root@localhost named]#
[root@localhost named]# ll
总计 44
-rw-r----- 1 root named 606 02-11 15:36 192.168.1.zone
drwxrwx--- 2 named named 4096 2013-07-29 data
drwxrwx--- 2 named named 4096 2013-07-29 dynamic
-rw-r----- 1 root named 817 02-11 18:51 mageedu.com.zone
-rw-r----- 1 root named 1892 2008-02-18 named.ca
-rw-r----- 1 root named 152 2009-12-15 named.empty
-rw-r----- 1 root named 152 2007-06-21 named.localhost
-rw-r----- 1 root named 168 2009-12-15 named.loopback
drwxrwx--- 2 named named 4096 2013-07-29 slaves
-rw-r----- 1 root named 183 02-14 22:52 telecom.mageedu.com.zone
-rw-r----- 1 root named 183 02-14 22:52 unicom.mageedu.com.zone
[root@localhost named]#
[root@localhost named]# vim unicom.mageedu.com.zone
$TTL 43200 ; default TTL for records that give none
; same SOA/NS as the telecom zone file it was copied from
@ IN SOA ns1.mageedu.com. admin.mageedu.com. (
2013040201
1H
10M
7D
1D )
IN NS ns1
IN MX 10 mail
ns1 IN A 172.16.0.1
mail IN A 192.168.0.45 ; differs from the telecom file
www IN A 192.168.0.15 ; the "unicom" answer for www: same name, different address
[root@localhost named]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost named]#
客户端 192.168.1.15
[root@localhost ~]# ping 192.168.1.45 首先要确保能够连上这台主机
PING 192.168.1.45 (192.168.1.45) 56(84) bytes of data.
64 bytes from 192.168.1.45: icmp_seq=1 ttl=64 time=3.32 ms
64 bytes from 192.168.1.45: icmp_seq=2 ttl=64 time=0.281 ms
.......
[root@localhost ~]# dig -t A www.mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t A www.mageedu.com @192.168.1.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22376
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.15 # www的 ip 是 192.168.0.15
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.0.1 # 这是dns服务器
;; Query time: 4 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Mon Feb 18 16:32:54 2019
;; MSG SIZE rcvd: 83
[root@localhost ~]#
另一个客户端 172.16.0.2 (由 192.168.1.2改变而来)
# dig -t A www.mageedu.com @172.16.0.1 (假如不指定@ip 就是指向了1)自己?还是指向了 2) /etc/resolv.conf 中指定的域名解析服务器?(应该是2 吧) ,不管怎么样,反正这里不能不指定@ip)
# www 的 ip 是 192.168.0.15?应该是 172.16.0.1 才对
# dns 服务器是 172.16.0.1
用 windows 解析下 试试看
(set q=A 其中 q 就是 query 的意思吧)
实现了将一个域名 解析为两种不同的样子(不同的ip),这种机制就叫做 view
一台dns服务器还可以为多个域名(多个域)提供解析的
虚拟机 dns 服务器 192.168.1.45
下面的能够实现 同时解析多个域,但有些域不想使用不同的结果(比如根据电信,联通区分)
[root@localhost named]# vim /etc/named.conf
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
#allow-transfer # transfer = zone data copied between primary and secondary servers
notify yes;
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN { # identical to the a.net zone in the unicom view below: 1) a second domain is served, 2) its answers do not depend on the client address
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN { # identical to the a.net zone in the telecom view above: 1) a second domain is served, 2) its answers do not depend on the client address
type master;
file "a.net.zone";
};
};
[root@localhost named]# vim a.net.zone
$TTL 43200 ; default TTL for records that give none
; shared by both views, so a.net resolves the same for every client
@ IN SOA ns1.a.net. admin.a.net. (
2013040201
1H
10M
3D
1D )
IN NS ns1
ns1 IN A 172.16.0.1
www IN A 172.16.0.1
虚拟机 dns 服务器 192.168.1.45
[root@localhost named]# chgrp named a.net.zone
[root@localhost named]# chmod 640 a.net.zone
[root@localhost named]# service named restart
Stopping named: . [确定]
Starting named: [确定]
[root@localhost named]#
客户端 172.16.0.2 (由 192.168.0.25改变而来)
#结果是 172.16.0.1
客户端 192.168.0.15
[root@localhost ~]# dig -t A www.a.net @172.16.0.1 这个不行,难道应该是@192.168.0.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t A www.a.net @172.16.0.1
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@localhost ~]# dig -t A www.a.net @192.168.0.55 这个行
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t A www.a.net @192.168.0.55
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57184
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.0.1 #结果是 172.16.0.1
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.0.1
;; Query time: 11 msec
;; SERVER: 192.168.0.55#53(192.168.0.55)
;; WHEN: Mon Feb 18 20:20:03 2019
;; MSG SIZE rcvd: 77
[root@localhost ~]#
可以解析 不同的两个域,当然一千个域也是可以的
当dns服务启动起来以后,它会将数据文件直接载入内存,所以它的解析过程,查找过程都是在内存中完成的 比如我们新加了一个域,改改里面的内容,重启下服务器,就意味着将整个数据文件重新分析一遍,重新载入,如果我们的文件比较大,这个过程需要很长时间
后来人们就把 zone 的 (区域的) 定义,及里面的类型什么的 都不再写在配置文件里面,而写在数据库当中,放在表里面,我们的dns启动的时候,它会自动到表里面的内容全部抽取出来,存到内存里面去,而且新加的内容也不用每一次 (记住,哪一个域用到了,它去连续查数据库得到的结果,而不是直接载入内存的,)(好处是,随时改,随时生效,不用重新读取)(坏处是,每次读取都要去查数据库,内存中快,数据库慢很多,)(所以管理起来方便,但是速度要慢很多)(但是对有些公用服务器来讲,这还是比较常见的做法,)
互联网上两个著名的项目
有一个叫 dnspod (中国非常著名的免费的dns提供商)前段时间被腾讯收购了,
也就是说将来注册一个域名后,可以把域名服务器(域名解析)指向dnspod 服务器,然后在dnspod建立记录,它能实现智能解析的 不但能分网,而且能分省?分网(比如可以分成教育网,电信,联通,还能分成国外 这四种方式)(甚至一年付几百块钱的话,它能够负责解析的更多,全省各地的都能解析)(河南联通,河南电信,浙江联通,浙江电信,上海联通,上海电信)
(每一个域名要建70个区域,建立是在数据库中完成的,它是实时查找的)
(由于它的服务器架构得当,所以速度还是比较快的)
(免费的分的网的规模少一点,服务器可能慢一点)
(vip可能给你单独的服务器,速度会很快,不是说每一个域名是单独的,而是说里面域名少得多)
(免费的可能里面有40000个域名,收费的可能里面有5000个域名)
另一个叫 www.dns.la
排名第二的智能dns服务提供商,是马哥做的,这个项目是马哥做的,但是它不属于马哥
有vip和企业级的用户
它不提供域名注册,在其它地方注册域名,然后把dns服务器指过来
可以分为vip1 vip2 企业级用户等等 不同的级别收费不一样,解析速度也不同
大约有十几台服务器,位于全国很多的机房里面
服务器包括数据库等各种配置 还有dns的所有配置都是马哥一手做的
域名magedu.com也是用它来解析的,来实现智能解析的
利用Bind DLZ MySQL构建智能DNS
dlz 是一种能够将dns数据放在mysql数据库里面的一种机制
bind-sdb 也是一种能够将 dns 数据放在mysql数据库里面的一种机制
[root@localhost ~]# yum list all | grep bind (注意 不是bind97)
bind-sdb 也是一种能够将 dns 数据放在mysql数据库里面的一种机制,默认情况下,bind配置信息都是保存在它的配置文件和数据文件当中的,有了这个驱动之后,就能够实现将数据放在数据库当中了
让dns开启日志的功能
(在互联网上应用的时候,并不建议记录日志的.因为dns每秒钟接受到的查询的次数可能非常的多,而每一个都要记录的话,会导致系统速度过慢的,因为要产生大量的磁盘IO去写日志信息的,所以性能会变差的)
[root@localhost ~]# man named.conf
querylog {yes|no}
[root@localhost ~]# vim /etc/named.conf
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
#allow-transfer
notify yes;
querylog yes; # turn on query logging; with no logging block it goes to syslog (/var/log/messages), costly on a busy server
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@localhost ~]# dig -t A www.mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t A www.mageedu.com @192.168.1.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13591
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.15
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.0.1
;; Query time: 0 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Feb 15 02:01:46 2019
;; MSG SIZE rcvd: 83
[root@localhost ~]#
看下日志
[root@localhost ~]# tail /var/log/messages
Feb 15 02:00:23 localhost named[7708]: automatic empty zone: view unicom: B.E.F.IP6.ARPA
Feb 15 02:00:23 localhost named[7708]: command channel listening on 127.0.0.1#953
Feb 15 02:00:23 localhost named[7708]: command channel listening on ::1#953
Feb 15 02:00:23 localhost named[7708]: zone mageedu.com/IN/telecom: loaded serial 2013040201
Feb 15 02:00:23 localhost named[7708]: zone a.net/IN/telecom: loaded serial 2013040201
Feb 15 02:00:23 localhost named[7708]: zone mageedu.com/IN/unicom: loaded serial 2013040201
Feb 15 02:00:23 localhost named[7708]: zone a.net/IN/unicom: loaded serial 2013040201
Feb 15 02:00:23 localhost named[7708]: running
Feb 15 02:01:05 localhost named[7708]: client 192.168.1.45#56231: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
# 这个日志 记录了通过192.168.1.45 dig的 查询
Feb 15 02:01:46 localhost named[7708]: client 192.168.1.45#36325: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
# 这个日志 记录了通过192.168.1.45 dig的 查询
[root@localhost ~]#
dns了提供了非常具有弹性的日志系统,它能够让我们定义只记录哪些东西
flexible 灵活的 有弹性的
日志系统需要定义为两个子系统 channel category
channel 日志保存位置 (定义日志应该记录到哪里)
syslog: 发给syslog,由syslog来记录 一般是 /var/log/messages
file: 自定义保存日志信息的文件 (自己定义放在哪个位置) ,它也应该有日志级别吧
级别 critical error warning notice info debug[level] dynamic
debug (因为有debug 1 debug 2 debug 3 数字越大,记录得越详细)和 dynamic 是 channel独有的
默认是 info级别
category ( 类别的意思 )dns产生日志的子系统在什么地方 (dns日志中有查询的,有区域传送的 有错误发生时的相关功能 服务器启动,服务器停止的相关信息)(有的是查询相关 有的是区域传送相关) 可以理解为bind的子系统 指的是产生日志的日志源
一个category可以用于定义日志将会被发往哪个channel
一个category(日志类别产生的信息)可以被定向到多个 channel, 但是一个channel只能属于一个category(一个位置只能保存来自一个category的信息)(一般来讲是这样子的)
可以自己去定义category源的,可以通过category自定义日志来源
日志记录的channel的target(什么地方) 日记记录的地方有两种,一种叫syslog,一种叫file
severity 级别严重程度
channel 日志记录的方式
channel "channel名" { 日志方式 由谁来记录(哪个文件记录等) ; 级别等}
记录到自定义的file当中,还可以自己定义额外的保存信息的
print-severity 每记录一条日志信息的时候,把当前信息的级别也写下来
log the severity level of messages
print-category 每记录一条日志信息的时候,写下哪个 category 产生的信息
log the category of messages
print-time 每记录一条日志信息的时候,写下哪个 时间 产生的信息 ( 发往syslog的时候,syslog自己会记录时间,所以发往syslog的时候 就不需要print-time 了)
category虽然有所谓的日志源的,但是dns的日志源(bind的日志源)一共只有15个,除了这15个之外,是不能自定义的
我们能定义的category是意味着我们可以定义多个源或者多个日志的来源位置,把它们合并在一块的
default 默认 channel 为所有的category定义默认channel的,当然这里事实上是定义的category
general 普通日志信息
client
config 配置文件当中产生的问题
dispatch
dnssec
lame-servers
network 跟网络操作相关的
notify 跟通知相关的
queries 跟查询相关的内容 产生查询操作所产生的日志
resolver
security 接受或拒绝的查询请求
update
xfer-in ( transfer in ) 作为从服务器来讲,别人传进来的信息
xfer-out ( transfer out ) 作为主服务器来讲,传出去的信息
例子
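logging { # the statement is spelled "logging"
channel my_file { # my_file: user-chosen channel name
file "log.msgs" versions 3 size 10k; # file target "log.msgs"; roll at 10k and keep 3 old versions
severity dynamic; # severity = log level (BIND does not call this "priority"); dynamic follows the server debug level
}; # every channel/category statement ends with ';'
channel my_syslog { # my_syslog: user-chosen channel name
syslog local0; # syslog target, facility local0; syslog.conf decides where local0 is stored
severity info; # info and everything more severe
};
category xfer-in { my_file; }; # inbound transfers (secondary side) -> my_file; a category may list several channels
category update { my_syslog; }; # dynamic-update messages -> my_syslog
};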
[root@localhost ~]# vim /etc/named.conf
# note: this listing uses 192.168.0.0/24 while the other listings in these notes use 172.16.0.0/16
acl innet {
192.168.0.0/24;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
#allow-transfer
notify yes;
querylog yes;
};
logging {
# the channel name "querylog" is user-chosen and unrelated to the querylog option above
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M; # may fail on permissions: create /var/log/named/ and give it to user/group named
severity dynamic; # follows the server-wide debug level
print-category yes; # prefix each line with its category ("queries: ")
print-time yes; # a file channel gets no timestamp from syslog, so add one
print-severity yes; # prefix each line with its severity ("info: ")
};
category queries { querylog; }; # route query messages to that file
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@localhost ~]# mkdir /var/log/named
[root@localhost ~]# chown named:named /var/log/named
[root@localhost ~]#
[root@localhost ~]# chmod 770 /var/log/named
[root@localhost ~]# named-checkconf
[root@localhost ~]# service named restart
Stopping named: . [确定]
Starting named: [确定]
[root@localhost ~]#
查询一下
[root@localhost ~]# dig -t A www.mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t A www.mageedu.com @192.16 8.1.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2764
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.15
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.0.1
;; Query time: 2 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Feb 15 04:31:32 2019
;; MSG SIZE rcvd: 83
[root@localhost ~]#
进入到日志目录看看
[root@localhost ~]# cd /var/log/named/
[root@localhost named]# ls
bind_query.log
[root@localhost named]# tail bind_query.log
15-Feb-2019 04:30:56.982 queries: info: client 192.168.1.45#54459: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:31:32.854 queries: info: client 192.168.1.45#50276: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
[root@localhost named]#
vim 末行模式下 :17 敲回车,就跳到第17行 跳行跳转行跳转到某一行
[root@localhost named]# vim /etc/named.conf
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
#allow-transfer
notify yes;
querylog yes;
};
logging {
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
#print-category yes; # commented out: drop the "queries:" prefix from each line
print-time yes;
#print-severity yes;# commented out: drop the "info:" prefix from each line
};
category queries { querylog; };
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
重启服务
[root@localhost named]# !se
service named restart
Stopping named: . [确定]
Starting named: [确定]
[root@localhost named]#
查询下试试
[root@localhost named]# dig -t A www.mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t A www.mageedu.com @192.168.1.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31106
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.15
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 172.16.0.1
;; Query time: 1 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Feb 15 04:37:49 2019
;; MSG SIZE rcvd: 83
再查询下试试
[root@localhost named]# dig -t A www.a.net @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t A www.a.net @192.168.1.45
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57687
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.a.net. IN A
;; ANSWER SECTION:
www.a.net. 43200 IN A 172.16.0.1
;; AUTHORITY SECTION:
a.net. 43200 IN NS ns1.a.net.
;; ADDITIONAL SECTION:
ns1.a.net. 43200 IN A 172.16.0.1
;; Query time: 0 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Fri Feb 15 04:37:58 2019
;; MSG SIZE rcvd: 77
[root@localhost named]#
看日志 print-category 和 print-severity 都没有了
[root@localhost named]# !ta
tail bind_query.log
15-Feb-2019 04:30:56.982 queries: info: client 192.168.1.45#54459: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:31:32.854 queries: info: client 192.168.1.45#50276: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:37:49.290 client 192.168.1.45#37742: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:37:58.993 client 192.168.1.45#53421: view unicom: query: www.a.net IN A + (192.168.1.45)
[root@localhost named]#
马哥 重启一次就会自动滚动一次,我为什么重启后没有滚动呢 (滚动就是又产生一个日志的意思)
难道是因为 马哥没有指定日志文件的大小,而我指定了 size
加传输日志看看
[root@localhost named]# vim /etc/named.conf
acl innet {
172.16.0.0/16;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# uncommented here: only innet clients may recurse
# allow-transfer is unset here and in every zone below, so any client matching a view can AXFR
# its zone; the dig -t axfr from 192.168.1.15 right after this listing shows that. Set
# allow-transfer { none; }; here (or the secondary's address per zone) on anything but a lab box.
#allow-transfer
notify yes;
querylog yes;
};
logging {
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
#print-category yes;
print-time yes;
#print-severity yes;
};
channel xfer_log {
file "/var/log/named/transfer.log" versions 3 size 10k; # small file, rolls quickly; 3 old copies kept
severity debug 3; # debug N: the higher N, the more detail
print-time yes;
};
category queries { querylog; };
category xfer-out { xfer_log; }; # outbound transfers (primary side) go to the xfer_log channel
};
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@localhost named]# named-checkconf
[root@localhost named]# service named restart
Stopping named: [确定]
Starting named: [确定]
[root@localhost named]#
[root@localhost named]# ls
bind_query.log transfer.log
[root@localhost named]#
服务器上192.168.1.45 关闭防火墙 (这是实验环境的做法:下面几条命令把默认策略改为 ACCEPT 并清空全部规则;生产环境应只放行 53/udp 和 53/tcp,而不是关掉整个防火墙)
[root@localhost named]# iptables -P INPUT ACCEPT
[root@localhost named]#
[root@localhost named]# iptables -P OUTPUT ACCEPT
[root@localhost named]# iptables -F
在客户端(另一台 192.168.1.15)上执行 axfr 看看 (注意:上面这版配置的 zone 里没有写 allow-transfer,BIND 默认允许任何客户端做区域传送,所以这里 AXFR 能成功;生产环境应在 zone 中用 allow-transfer 限定为从服务器的地址)
从客户端上192.168.1.15 关闭防火墙
[root@localhost named]# iptables -P INPUT ACCEPT
[root@localhost named]#
[root@localhost named]# iptables -P OUTPUT ACCEPT
[root@localhost named]# iptables -F
[root@localhost ~]# dig -t axfr mageedu.com @192.168.1.45
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t axfr mageedu.com @192.168.1.45
;; global options: +cmd
mageedu.com. 43200 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040201 3600 600 604800 86400
mageedu.com. 43200 IN NS ns1.mageedu.com.
mageedu.com. 43200 IN MX 10 mail.mageedu.com.
mail.mageedu.com. 43200 IN A 192.168.0.45
ns1.mageedu.com. 43200 IN A 172.16.0.1
www.mageedu.com. 43200 IN A 192.168.0.15
mageedu.com. 43200 IN SOA ns1.mageedu.com. admin.mageedu.com. 2013040201 3600 600 604800 86400
;; Query time: 9 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Wed Feb 20 15:47:08 2019
;; XFR size: 7 records (messages 1, bytes 198)
服务器上192.168.1.45
[root@localhost ~]#
[root@localhost named]# tail transfer.log 可以看到传输的日志信息
15-Feb-2019 05:14:08.101 client 192.168.1.15#59304: view unicom: transfer of 'mageedu.com/IN': AXFR started
15-Feb-2019 05:14:08.101 client 192.168.1.15#59304: view unicom: transfer of 'mageedu.com/IN': AXFR ended
[root@localhost named]#
一般来讲 传输日志应该开启, (跟更新相关的日志应该开启)
查询日志和安全日志最好不要开启,因为它们产生的日志量太大
可以多定义几个channel ,多定义几个category
测试dns服务器的性能
有个软件 dnstop 可以监控,但 dns 服务器的软件包并没有自带它,
dnstop 可以监控我们的dns服务器每秒钟能够接受多少个查询,而且对应哪个域名发起查询请求的,除此之外,我们的bind的源件码软件包中有一个命令叫 queryperf
queryperf: 能够对dns服务器做压力测试的
看看服务器每秒钟能够解析多少次域名请求
放在文件中,域名解析应该是非常快的,每秒钟响应1万个查询,应该是没有任何问题的;放在数据库中,看硬件性能,能解析七,八百个,应该是非常不错的了
[root@localhost named]# rpm -ql bind97 | grep perf 没有这个命令 queryperf
[root@localhost named]#
马哥 得到 bind-9.7.4.tar.gz
我得到 https://ftp.isc.org/isc/bind/9.7.4/
[root@localhost ~]# wget https://ftp.isc.org/isc/bind/9.7.4/bind-9.7.4.tar.gz
[root@localhost ~]# tar xf bind-9.7.4.tar.gz
[root@localhost ~]# cd bind-9.7.4
[root@localhost bind-9.7.4]# pwd
/root/bind-9.7.4
它怎么安装,暂时不说,,,等到讲到智能dns的时候,再说如何源码定制安装它
[root@localhost bind-9.7.4]#
[root@localhost bind-9.7.4]# ls
acconfig.h COPYRIGHT make
aclocal.m4 doc Makefile.in
Atffile docutil mkinstalldirs
bin FAQ README
bind.keys FAQ.xml RELEASE-NOTES-BIND-9.7.4.html
CHANGES HISTORY RELEASE-NOTES-BIND-9.7.4.pdf
config.guess install-sh RELEASE-NOTES-BIND-9.7.4.txt
config.h.in isc-config.sh.1 release-notes.css
config.h.win32 isc-config.sh.docbook unit
config.sub isc-config.sh.html util
config.threads.in isc-config.sh.in version
configure lib win32utils
configure.in libtool.m4
contrib ltmain.sh
contrib 是别人贡献出来的源程序
[root@localhost bind-9.7.4]# cd contrib/
[root@localhost contrib]# pwd
/root/bind-9.7.4/contrib
[root@localhost contrib]# ls
dbus idn named-bootconf nslint-2.1a3 query-loc-0.4.0 sdb
dlz linux nanny pkcs11-keygen queryperf zkt
有个文件目录叫 queryperf, 还有个目录 dlz (所以bind97之后dlz功能已经自带了,只不过我们rpm包编译的时候没有把它编译进去而已) 我们以后使用 ./configure 的时候,使用 with dlz-mysql,它就能够实现基于dlz到mysql中去查询数据了
还有个目录 sdb,要使用sdb编译即可
要使用queryperf的话加上queryperf就可,我们的rpm没有编译,所以我们自己到 queryperf 目录里面去
[root@localhost contrib]# cd queryperf/
[root@localhost queryperf]#
[root@localhost queryperf]# yum install gcc make 安装gcc make (要编译安装就必须要先安装 gcc make )
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Package gcc-4.1.2-54.el5.i386 already installed and latest version
Package 1:make-3.81-3.el5.i386 already installed and latest version
Nothing to do
提示已经装过 gcc make
[root@localhost queryperf]# pwd
/root/bind-9.7.4/contrib/queryperf
[root@localhost queryperf]# ls
config.h.in configure.in Makefile.in queryperf.c utils
configure input missing README
[root@localhost queryperf]#
[root@localhost queryperf]# ./configure
[root@localhost queryperf]# make (这里只需编译 不需安装)
gcc -DHAVE_CONFIG_H -c queryperf.c
gcc -DHAVE_CONFIG_H queryperf.o -lnsl -lresolv -lm -o queryperf
[root@localhost queryperf]# ls
config.h config.status input missing queryperf.o
config.h.in configure Makefile queryperf README
config.log configure.in Makefile.in queryperf.c utils
[root@localhost queryperf]#
不用安装 直接 拷贝 queryperf 一下就可以了
[root@localhost queryperf]# cp queryperf /bin
[root@localhost queryperf]# queryperf -h
[-d datafile] 指定 datafile 关键是要放一个文件,在这个文件里面要说明查询什么内容
[-s server_addr] 指定服务器地址是谁
[-p port] 指定端口,不指的话,省略
[-q num_queries] 指定同时未完成(outstanding)的查询数上限,默认 20;注意它不是总查询次数,总次数由 datafile 的行数决定(见下面的帮助信息)
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
Usage: queryperf [-d datafile] [-s server_addr] [-p port] [-q num_queries]
[-b bufsize] [-t timeout] [-n] [-l limit] [-f family] [-1]
[-i interval] [-r arraysize] [-u unit] [-H histfile]
[-T qps] [-e] [-D] [-c] [-v] [-h]
-d specifies the input data file (default: stdin)
-s sets the server to query (default: 127.0.0.1)
-p sets the port on which to query the server (default: 53)
-q specifies the maximum number of queries outstanding (default: 20)
-t specifies the timeout for query completion in seconds (default: 5)
-n causes configuration changes to be ignored
-l specifies how a limit for how long to run tests in seconds (no default)
-1 run through input only once (default: multiple iff limit given)
-b set input/output buffer size in kilobytes (default: 32 k)
-i specifies interval of intermediate outputs in seconds (default: 0=none)
-f specify address family of DNS transport, inet or inet6 (default: any)
-r set RTT statistics array size (default: 50000)
-u set RTT statistics time unit in usec (default: 100)
-H specifies RTT histogram data file (default: none)
-T specify the target qps (default: 0=unspecified)
-e enable EDNS 0
-D set the DNSSEC OK bit (implies EDNS)
-c print the number of packets with each rcode
-v verbose: report the RCODE of each response on stdout
-h print this usage
[root@localhost queryperf]#
到家目录下 随便创建个文件
[root@localhost queryperf]# cd
[root@localhost ~]# vim test
mageedu.com NS
mageedu.com MX
~
[root@localhost ~]# queryperf -d test -s 192.168.1.45
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.45)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 3 queries #给了3次查询
Queries completed: 3 queries #给了3次查询
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.000339 sec
RTT min: 0.000222 sec
RTT average: 0.000285 sec
RTT std deviation: 0.000047 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Fri Feb 15 06:36:29 2019
Finished at: Fri Feb 15 06:36:29 2019
Ran for: 0.000473 seconds
Queries per second: 6342.494715 qps #每秒钟完成多少查询
[root@localhost ~]#
[root@localhost ~]# cd /var/log/named/
[root@localhost named]# ls
bind_query.log transfer.log
[root@localhost named]# tail bind_query.log
15-Feb-2019 04:31:32.854 queries: info: client 192.168.1.45#50276: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:37:49.290 client 192.168.1.45#37742: view unicom: query: www.mageedu.com IN A + (192.168.1.45)
15-Feb-2019 04:37:58.993 client 192.168.1.45#53421: view unicom: query: www.a.net IN A + (192.168.1.45)
15-Feb-2019 04:41:38.963 client 192.168.1.45#53999: view unicom: query: www.a.net IN A + (192.168.1.45)
15-Feb-2019 05:14:08.100 client 192.168.1.15#59304: view unicom: query: mageedu.com IN AXFR -T (192.168.1.45)
15-Feb-2019 05:44:28.298 client 192.168.1.45#51383: view unicom: query: ftp.isc.org IN AAAA + (192.168.1.45)
15-Feb-2019 05:44:28.473 client 192.168.1.45#58191: view unicom: query: ftp.isc.org IN A + (192.168.1.45)
15-Feb-2019 06:36:29.520 client 192.168.1.45#49993: view unicom: querygeedu.com IN A + (192.168.1.45)
15-Feb-2019 06:36:29.520 client 192.168.1.45#49993: view unicom: query: mageed: www.mau.com IN NS + (192.168.1.45)
15-Feb-2019 06:36:29.520 client 192.168.1.45#49993: view unicom: query: mageedu.com IN MX + (192.168.1.45)
A NS MX 都记录了
[root@localhost named]#
给 /root/test 再添加几个记录吧
[root@localhost named]# vim /root/test
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
:1,$y vim 末行模式 从第一行到最后一行复制一下
vim 也可以 gg 到最开始 然后 yG 也是复制全部
vim 也可以 %y 也是复制全部
[root@localhost named]# vim /root/test
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
....下面n多
复制到最后有5000多行
[root@localhost ~]# queryperf -d test -s 192.168.1.45
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.1.45)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 5488 queries
Queries completed: 5488 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.005450 sec
RTT min: 0.000388 sec
RTT average: 0.000872 sec
RTT std deviation: 0.000221 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Fri Feb 15 06:48:36 2019
Finished at: Fri Feb 15 06:48:36 2019
Ran for: 0.243261 seconds
Queries per second: 22560.130888 qps
现在看到 速度 每秒 22560.130888
[root@localhost ~]#
[root@localhost ~]# wc -l /var/log/named/bind_query.log # 我这边看到5499行
5499 /var/log/named/bind_query.log
[root@localhost ~]#
[root@localhost named]# vim /root/test
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
mageedu.com NS
mageedu.com MX
mail.mageedu.com A
ns1.mageedu.com A
pop.mageedu.com A
imap.mageedu.com A
....下面n多
复制到最后有20多万行
执行 queryperf 进行压力测试
[root@localhost ~]# queryperf -d test -s 192.168.0.55
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.0.55)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 229376 queries
Queries completed: 229376 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.178752 sec
RTT min: 0.000041 sec
RTT average: 0.005222 sec
RTT std deviation: 0.005204 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sat Feb 23 18:33:46 2019
Finished at: Sat Feb 23 18:34:48 2019
Ran for: 61.460626 seconds
Queries per second: 3732.080438 qps
[root@localhost ~]#
另一窗口打开top
# top ( 发现 此时 named进程 cpu 占用太高 有多个cpu,可能会超出100% )
(当然这是本机压力测试:客户端和服务器端都在同一台机器上,没有经过网络,没有考虑网络带宽;换台机器测会慢很多。
假如通过网络带宽,通过交换机来实现的话,那速度会慢很多)
通过局域网内其它机器来看看
服务器端 192.168.0.55
关掉防火墙
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]# scp test 192.168.0.15:/root
root@192.168.0.15's password:
test 100% 3872KB 3.8MB/s 00:01
[root@localhost ~]#
[root@localhost ~]# scp /bin/queryperf 192.168.0.15:/bin
root@192.168.0.15's password:
queryperf 100% 39KB 39.0KB/s 00:00
[root@localhost ~]#
到客户端 192.168.0.15上
关掉防火墙
[root@localhost ~]# iptables -P INPUT ACCEPT
[root@localhost ~]# iptables -P OUTPUT ACCEPT
[root@localhost ~]# iptables -F
[root@localhost ~]# queryperf -d test -s 192.168.0.55
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.0.55)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 229376 queries
Queries completed: 229376 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.374202 sec
RTT min: 0.000031 sec
RTT average: 0.009481 sec
RTT std deviation: 0.009898 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sat Feb 23 18:48:53 2019
Finished at: Sat Feb 23 18:51:57 2019
Ran for: 184.397267 seconds
Queries per second: 1243.922992 qps
[root@localhost ~]#
服务器端 192.168.0.55上
# top
服务器端 192.168.0.55上
[root@localhost ~]# wc -l /var/log/named/bind_query.log
39218 /var/log/named/bind_query.log
[root@localhost ~]#
[root@localhost ~]# ls -lh /var/log/named/bind_query.log
-rw-r--r-- 1 named named 4.2M 02-23 19:09 /var/log/named/bind_query.log
[root@localhost ~]#
看看另一个工具 dnstop
马哥的做法 下载 dnstop
我的做法 下载 dnstop
https://slackbuilds.org/repository/14.0/network/dnstop/
里面有 http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20110502.tar.gz
[root@localhost ~]# wget http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20110502.tar.gz
--2019-02-23 19:21:18-- http://dns.measurement-factory.com/tools/dnstop/src/dnstop-20110502.tar.gz
正在解析主机 dns.measurement-factory.com... 209.169.10.130
Connecting to dns.measurement-factory.com|209.169.10.130|:80... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:73083 (71K) [application/x-tar]
Saving to: `dnstop-20110502.tar.gz'
100%[======================================>] 73,083 38.6K/s in 1.8s
2019-02-23 19:21:22 (38.6 KB/s) - `dnstop-20110502.tar.gz' saved [73083/73083]
[root@localhost ~]#
[root@localhost ~]# tar xf dnstop-20110502.tar.gz
[root@localhost ~]# cd dnstop-20110502
[root@localhost dnstop-20110502]# ls
CHANGES dnstop.8 hashtbl.h inX_addr.h lookup3.c
config.h.in dnstop.c install-sh known_tlds.h Makefile.in
configure hashtbl.c inX_addr.c LICENSE
[root@localhost dnstop-20110502]# pwd
/root/dnstop-20110502
[root@localhost dnstop-20110502]#
配置 编译 安装 源程序
[root@localhost dnstop-20110502]# ./configure
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for initscr in -lncurses... yes
checking for pcap_open_live in -lpcap... no
checking for main in -lsocket... no
checking for main in -lnsl... yes
checking for main in -lresolv... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking endian.h usability... yes
checking endian.h presence... yes
checking for endian.h... yes
checking arpa/nameser_compat.h usability... yes
checking arpa/nameser_compat.h presence... yes
checking for arpa/nameser_compat.h... yes
checking for net/if_arp.h... yes
checking for net/if.h... yes
checking for netinet/if_ether.h... yes
checking for net/if_ppp.h... yes
checking for an ANSI C-conforming const... yes
checking for off_t... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint8_t... yes
checking for struct bpf_timeval... no
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking return type of signal handlers... void
checking whether lstat dereferences a symlink specified with a trailing slash... yes
checking whether stat accepts an empty string... no
checking for memset... yes
checking for select... yes
checking for strchr... yes
checking for strdup... yes
checking for strrchr... yes
checking for strstr... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root@localhost dnstop-20110502]#
[root@localhost dnstop-20110502]# make (编译时有太多的错)
gcc -g -O2 -DUSE_IPV6=1 -c dnstop.c
dnstop.c:21:18: 错误:pcap.h:没有那个文件或目录
dnstop.c:127: 错误:expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token
dnstop.c:908: 警告:‘struct pcap_pkthdr’ 在形参表内部声明
dnstop.c:908: 警告:它的作用域仅限于此定义或声明,这可能并不是您想要的
dnstop.c: In function ‘handle_pcap’:
dnstop.c:910: 错误:提领指向不完全类型的指针
dnstop.c:912: 错误:提领指向不完全类型的指针
dnstop.c:914: 错误:提领指向不完全类型的指针
dnstop.c: 在顶层:
dnstop.c:1711: 错误:expected ‘)’ before ‘*’ token
dnstop.c:1727: 错误:expected ‘)’ before ‘*’ token
dnstop.c: In function ‘main’:
dnstop.c:1744: 错误:‘PCAP_ERRBUF_SIZE’ 未声明 (在此函数内第一次使用)
dnstop.c:1744: 错误:(即使在一个函数内多次出现,每个未声明的标识符在其
dnstop.c:1744: 错误:所在的函数内只报告一次。)
dnstop.c:1750: 错误:‘fp’ 的存储大小未知
dnstop.c:1842: 错误:‘pcap’ 未声明 (在此函数内第一次使用)
dnstop.c:1879: 错误:‘DLT_EN10MB’ 未声明 (在此函数内第一次使用)
dnstop.c:1904: 错误:‘DLT_NULL’ 未声明 (在此函数内第一次使用)
make: *** [dnstop.o] 错误 1
[root@localhost dnstop-20110502]#
以上的错,是因为没有装一个软件包 pcap-devel
[root@localhost dnstop-20110502]# yum install pcap-devel
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
No package pcap-devel available.
Nothing to do
[root@localhost dnstop-20110502]#
(说明刚刚的错不是因为 pcap-devel 没装) 看样子 不叫 pcap-devel
[root@localhost dnstop-20110502]# yum list all | grep cap
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
libcap.i386 1.10-26 installed
libcap-devel.i386 1.10-26 installed
libpcap.i386 14:0.9.4-15.el5 installed
libtermcap.i386 2.0.8-46.1 installed
libtermcap-devel.i386 2.0.8-46.1 installed
mailcap.noarch 2.1.23-1.fc6 installed
termcap.noarch 1:5.5-1.20060701.1 installed
libpcap-devel.i386 14:0.9.4-15.el5 development
openscap.i386 0.9.11-1.el5 development
openscap-devel.i386 0.9.11-1.el5 development
openscap-extra-probes.i386 0.9.11-1.el5 development
openscap-python.i386 0.9.11-1.el5 development
openscap-utils.i386 0.9.11-1.el5 development
[root@localhost dnstop-20110502]#
看样子叫 libcap-devel
[root@localhost dnstop-20110502]# yum -y install libcap-devel
Loaded plugins: product-id, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Package libcap-devel-1.10-26.i386 already installed and latest version
Nothing to do
提示已经安装 (说明刚刚的错不是因为 libcap-devel 没装)
[root@localhost dnstop-20110502]#
还是不对,看样子叫 libpcap-devel ( pcap-->packet capture 这是一个抓包库,dnstop 依赖它来抓包)
[root@localhost dnstop-20110502]# yum -y install libpcap-devel
[root@localhost dnstop-20110502]# make clean (清理一下)
rm -f dnstop dnstop.o hashtbl.o inX_addr.o lookup3.o dnstop.core dnstop.c~
[root@localhost dnstop-20110502]#
[root@localhost dnstop-20110502]# ./configure
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for a BSD-compatible install... /usr/bin/install -c
checking for initscr in -lncurses... yes
checking for pcap_open_live in -lpcap... yes
checking for main in -lsocket... no
checking for main in -lnsl... yes
checking for main in -lresolv... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking netdb.h usability... yes
checking netdb.h presence... yes
checking for netdb.h... yes
checking netinet/in.h usability... yes
checking netinet/in.h presence... yes
checking for netinet/in.h... yes
checking for stdint.h... (cached) yes
checking for stdlib.h... (cached) yes
checking for string.h... (cached) yes
checking sys/param.h usability... yes
checking sys/param.h presence... yes
checking for sys/param.h... yes
checking sys/socket.h usability... yes
checking sys/socket.h presence... yes
checking for sys/socket.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking endian.h usability... yes
checking endian.h presence... yes
checking for endian.h... yes
checking arpa/nameser_compat.h usability... yes
checking arpa/nameser_compat.h presence... yes
checking for arpa/nameser_compat.h... yes
checking for net/if_arp.h... yes
checking for net/if.h... yes
checking for netinet/if_ether.h... yes
checking for net/if_ppp.h... yes
checking for an ANSI C-conforming const... yes
checking for off_t... yes
checking for size_t... yes
checking whether time.h and sys/time.h may both be included... yes
checking for uint16_t... yes
checking for uint32_t... yes
checking for uint8_t... yes
checking for struct bpf_timeval... no
checking for stdlib.h... (cached) yes
checking for GNU libc compatible malloc... yes
checking sys/select.h usability... yes
checking sys/select.h presence... yes
checking for sys/select.h... yes
checking for sys/socket.h... (cached) yes
checking types of arguments for select... int,fd_set *,struct timeval *
checking return type of signal handlers... void
checking whether lstat dereferences a symlink specified with a trailing slash... yes
checking whether stat accepts an empty string... no
checking for memset... yes
checking for select... yes
checking for strchr... yes
checking for strdup... yes
checking for strrchr... yes
checking for strstr... yes
configure: creating ./config.status
config.status: creating Makefile
config.status: creating config.h
[root@localhost dnstop-20110502]#
[root@localhost dnstop-20110502]# make (此时没错了)
gcc -g -O2 -DUSE_IPV6=1 -c dnstop.c
gcc -g -O2 -DUSE_IPV6=1 -c -o hashtbl.o hashtbl.c
gcc -g -O2 -DUSE_IPV6=1 -c -o inX_addr.o inX_addr.c
gcc -g -O2 -DUSE_IPV6=1 -c -o lookup3.o lookup3.c
gcc -g -O2 -DUSE_IPV6=1 -o dnstop dnstop.o hashtbl.o inX_addr.o lookup3.o -lresolv -lnsl -lpcap -lncurses
[root@localhost dnstop-20110502]#
安装
[root@localhost dnstop-20110502]# make install
install -m 755 dnstop /usr/local/bin
install -m 644 dnstop.8 /usr/local/share/man/man8
[root@localhost dnstop-20110502]#
[root@localhost dnstop-20110502]# man dnstop (man 一下它,看它的用法)
-4 表示抓取 ipv4的包
-6 表示抓取 ipv6的包
-i address 表示忽略(不统计)来自指定 ip 地址的报文,不是指定在哪个网卡上抓包(见下面 man 的 "ignore select addresses")
-r 表示屏幕重绘的间隔,单位是秒
device 指定设备
DNSTOP(8) BSD System Manager’s Manual DNSTOP(8)
NAME
dnstop - displays various tables of DNS traffic on your network
SYNOPSIS
dnstop [-46apsQR] [-b expression] [-i address] [-f filter] [-r interval]
[device] [savefile]
DESCRIPTION
dnstop is a small tool to listen on device or to parse the file savefile and
collect and print statistics on the local network’s DNS traffic. You must have
read access to /dev/bpf*.
COMMAND LINE OPTIONS
The options are as follows:
-4 count only messages with IPv4 addresses
-6 count only messages with IPv6 addresses
-Q count only DNS query messages
-R count only DNS reply messages
-a anonymize addresses
-b expression
BPF filter expression
(default: udp port 53)
-i address
ignore select addresses
-p Do not put the interface into promiscuous mode.
-r Redraw interval (seconds).
-l level
keep counts on names up to level domain name levels.
For example, with -l 2 (the default), dnstop will keep two
tables: one with top-level domain names, and another with second-
level domain names. Increasing the level provides more details,
but also requires more memory and CPU.
RUN TIME OPTIONS
While running, the following options are available to alter the display:
交互式模式 s d 1 2 3 4 ...... 只显示 什么什么的
s display the source address table
d display the destination address table
t display the breakdown of query types seen
r display the breakdown of response codes seen
o display the breakdown of opcodes seen
1 show 1st level query names
2 show 2nd level query names
3 show 3rd level query names
4 show 4th level query names
5 show 5th level query names
6 show 6th level query names
7 show 7th level query names
以上是 取的 man dnstop 的部分内容
[root@localhost dnstop-20110502]# dnstop -4 -i eth0
有错误: 按下面的用法说明,-i 后面跟的是要忽略的来源 ip 地址,而且 netdevice(网卡名)是必须给出的位置参数,这里没有给
usage: dnstop [opts] netdevice|savefile
-4 Count IPv4 packets
-6 Count IPv6 packets
-Q Count queries
-R Count responses
-a Anonymize IP Addrs
-b expr BPF program code
-i addr Ignore this source IP address
-n name Count only messages in this domain
-p Don't put interface in promiscuous mode
-P Print "progress" messages in non-interactive mode
-r Redraw interval, in seconds
-l N Enable domain stats up to N components
-f filter-name
Available filters:
unknown-tlds
A-for-A
rfc1918-ptr
refused
[root@localhost dnstop-20110502]#
[root@localhost dnstop-20110502]# dnstop -4 -i 192.168.0.55
还是有错 (-i 的参数换成了 ip 地址,但仍然没有给出 netdevice)
usage: dnstop [opts] netdevice|savefile
-4 Count IPv4 packets
-6 Count IPv6 packets
-Q Count queries
-R Count responses
-a Anonymize IP Addrs
-b expr BPF program code
-i addr Ignore this source IP address
-n name Count only messages in this domain
-p Don't put interface in promiscuous mode
-P Print "progress" messages in non-interactive mode
-r Redraw interval, in seconds
-l N Enable domain stats up to N components
-f filter-name
Available filters:
unknown-tlds
A-for-A
rfc1918-ptr
refused
[root@localhost dnstop-20110502]#
-Q Count queries 指定统计查询数
-R Count responses指定统计响应数
[root@localhost dnstop-20110502]# dnstop -4 -i 192.168.0.55 -R -Q
仍然有错,因为还是没有指定 netdevice 参数(比如 eth0)
usage: dnstop [opts] netdevice|savefile
-4 Count IPv4 packets
-6 Count IPv6 packets
-Q Count queries
-R Count responses
-a Anonymize IP Addrs
-b expr BPF program code
-i addr Ignore this source IP address
-n name Count only messages in this domain
-p Don't put interface in promiscuous mode
-P Print "progress" messages in non-interactive mode
-r Redraw interval, in seconds
-l N Enable domain stats up to N components
-f filter-name
Available filters:
unknown-tlds
A-for-A
rfc1918-ptr
refused
服务器上 192.168.0.55
[root@localhost dnstop-20110502]# dnstop -4 -R -Q eth0
(-4 表示ipv4 -R 记录响应数 -Q 记录查询数 eth0 这一个网卡上 )
(eth0 是服务器上的网卡,它的网卡配置文件中定义了这个网卡对应的 ip
)
终于不报错了
客户端上 192.168.0.15
[root@localhost ~]# dig -t A www.mageedu.com @192.168.0.55
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-21.P2.el5 <<>> -t A www.mageedu.com @192.168.0.55
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15843
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;www.mageedu.com. IN A
;; ANSWER SECTION:
www.mageedu.com. 43200 IN A 192.168.0.55
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 192.168.0.55
;; Query time: 24 msec
;; SERVER: 192.168.0.55#53(192.168.0.55)
;; WHEN: Sat Feb 23 20:03:53 2019
;; MSG SIZE rcvd: 83
[root@localhost ~]#
服务器上 192.168.0.55
看到信息
服务器上 192.168.0.55
查询一次 (dnstop 是在 eth0 上抓包,而服务器本机发给 192.168.0.55 自己的请求应该走的是 lo 回环接口,不经过 eth0,所以下面这条命令的查询 dnstop 好像统计不到)
[root@localhost cdrom]# dig -t A mageedu.com @192.168.0.55
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-17.P2.el5_9.2 <<>> -t A mageedu.com @192.168.0.55
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34450
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;mageedu.com. IN A
;; ANSWER SECTION:
mageedu.com. 43200 IN A 192.168.0.55
;; AUTHORITY SECTION:
mageedu.com. 43200 IN NS ns1.mageedu.com.
;; ADDITIONAL SECTION:
ns1.mageedu.com. 43200 IN A 192.168.0.55
;; Query time: 3 msec
;; SERVER: 192.168.0.55#53(192.168.0.55)
;; WHEN: Sat Feb 23 20:06:10 2019
;; MSG SIZE rcvd: 79
客户端上 192.168.0.15
[root@localhost ~]# queryperf -d test -s 192.168.0.55
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.0.55)
服务器上 192.168.0.55
看到信息
交互式
输 2 的话,它会记录下 以二级域名为分隔段,统计每个域名的查询次数
客户端 192.168.0.15 第二次压力测试 为什么此时竟然一大堆超时,是因为响应速度太慢了吗? 抓包工具本身有开销,可能拖慢服务器对很多请求的响应,所以我们不能随便在生产服务器上抓包,事实上是有影响的
# queryperf -d test -s 192.168.0.55
每秒 1130 次
关闭服务器上的日志功能,看看响应是不是变大呢
192.168.0.55
[root@localhost ~]# vim /etc/named.conf
[root@localhost ~]# vim /etc/named.conf
acl innet {
192.168.0.0/24;
127.0.0.0/8;
};
options {
directory "/var/named";
#recursion no;
allow-recursion { innet; };# 这里注释去掉
#allow-transfer
notify yes;
querylog yes; # 这个要不注掉 或者 改成 no 呢? 才能彻底禁用日志功能?
};
/*
logging {
channel querylog {
file "/var/log/named/bind_query.log" versions 5 size 10M;
severity dynamic;
#print-category yes;
print-time yes;
#print-severity yes;
};
channel xfer_log {
file "/var/log/named/transfer.log" versions 3 size 10k;
severity debug 3;
print-time yes;
};
category queries { querylog; };
category xfer-out { xfer_log; }; # 传出去的通道里面去
};
# 注释掉日志功能,下面/* */表示多行注释
*/
view telecom {
match-clients { innet; };
zone "mageedu.com" IN {
type master;
file "telecom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
view unicom {
match-clients { any; };
zone "mageedu.com" IN {
type master;
file "unicom.mageedu.com.zone";
};
zone "a.net" IN {
type master;
file "a.net.zone";
};
};
[root@localhost ~]# service named restart (重启服务)
Stopping named: . [确定]
Starting named: [确定]
[root@localhost ~]#
[root@localhost ~]# queryperf -d test -s 192.168.0.55
DNS Query Performance Testing Tool
Version: $Id: queryperf.c,v 1.12 2007-09-05 07:36:04 marka Exp $
[Status] Processing input data
[Status] Sending queries (beginning with 192.168.0.55)
[Status] Testing complete
Statistics:
Parse input file: once
Ended due to: reaching end of file
Queries sent: 229376 queries
Queries completed: 229376 queries
Queries lost: 0 queries
Queries delayed(?): 0 queries
RTT max: 0.898411 sec
RTT min: 0.001618 sec
RTT average: 0.071288 sec
RTT std deviation: 0.029212 sec
RTT out of range: 0 queries
Percentage completed: 100.00%
Percentage lost: 0.00%
Started at: Sat Feb 23 20:35:49 2019
Finished at: Sat Feb 23 20:49:32 2019
Ran for: 822.965357 seconds
Queries per second: 278.718901 qps
为什么注释掉 logging 块后,QPS 反而变少了,只有每秒 278? (难道是默认的日志起作用了? 是因为 querylog yes 没有去掉,查询日志于是走默认通道写到 /var/log/messages 了吗? 经检测,确实是这样子的) 此时没有超时;而之前启用自定义日志时,服务器忙不过来,出现过超时。马哥的结果却是去掉日志后每秒变多了
马哥说日志对dns服务器的性能影响非常大,尤其是查询日志,因为查询日志非常多
马哥说他公司dns每秒钟需要查询5万多次,可马哥的压力测试(去掉日志后)只有每秒2万多
[root@localhost ~]#
所以queryperf 可以做压力测试,可以简单的测试dns服务器性能的,我们的测试看上去很快,但是这是本机测试(虚拟机之间事实上只在一台电脑上,并没有通过网络),真实情况下,网络之间测试的话,会发现速度很慢,因为交换机的性能有限,网络带宽有限