Task
Simulate a web service architecture built on DNS (Domain Name System) and Nginx.
The exercise models the complete flow: a user types a domain name, DNS resolves it to the web server, and the web server (Nginx) serves the content.
Host plan
Hostname | IP address | Software | Role |
---|---|---|---|
dns | 192.168.30.11 | bind | DNS resolution |
nginx | 192.168.30.10 | nginx | serves web content to users |
Architecture diagram
Configure DNS
Change the hostname & IP
(optional)
[root@tomcat1 ~]# hostnamectl hostname dns
[root@tomcat1 ~]# exit
Install bind
[root@dns ~]# dnf install bind -y
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered with an entitlement server. You can use subscription-manager to register.
Last metadata expiration check: 1 day, 18:52:48 ago on Sun 14 Sep 2025 06:32:32 PM CST.
Dependencies resolved.
====================================================================================
 Package              Arch     Version                  Repository   Size
====================================================================================
Installing:
 bind                 x86_64   32:9.16.23-14.el9_3      appSteam    506 k
Installing dependencies:
 bind-dnssec-doc      noarch   32:9.16.23-14.el9_3      appSteam     48 k
 bind-libs            x86_64   32:9.16.23-14.el9_3      appSteam    1.2 M
 bind-license         noarch   32:9.16.23-14.el9_3      appSteam     13 k
 fstrm                x86_64   0.6.1-3.el9              appSteam     30 k
 libmaxminddb         x86_64   1.5.2-3.el9              appSteam     36 k
 libuv                x86_64   1:1.42.0-1.el9           appSteam    153 k
 protobuf-c           x86_64   1.3.3-13.el9             baseOS       37 k
 python3-bind         noarch   32:9.16.23-14.el9_3      appSteam     71 k
 python3-ply          noarch   3.11-14.el9              baseOS      111 k
Installing weak dependencies:
 bind-dnssec-utils    x86_64   32:9.16.23-14.el9_3      appSteam    119 k
 bind-utils           x86_64   32:9.16.23-14.el9_3      appSteam    211 k

Transaction Summary
====================================================================================
Install  12 Packages

Total size: 2.5 M
Installed size: 7.2 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Installing       : bind-license-32:9.16.23-14.el9_3.noarch               1/12
  Installing       : protobuf-c-1.3.3-13.el9.x86_64                        2/12
  Installing       : libuv-1:1.42.0-1.el9.x86_64                           3/12
  Installing       : libmaxminddb-1.5.2-3.el9.x86_64                       4/12
  Installing       : fstrm-0.6.1-3.el9.x86_64                              5/12
  Installing       : bind-libs-32:9.16.23-14.el9_3.x86_64                  6/12
  Installing       : bind-utils-32:9.16.23-14.el9_3.x86_64                 7/12
  Installing       : bind-dnssec-doc-32:9.16.23-14.el9_3.noarch            8/12
  Installing       : python3-ply-3.11-14.el9.noarch                        9/12
  Installing       : python3-bind-32:9.16.23-14.el9_3.noarch              10/12
  Installing       : bind-dnssec-utils-32:9.16.23-14.el9_3.x86_64         11/12
  Running scriptlet: bind-32:9.16.23-14.el9_3.x86_64                      12/12
  Installing       : bind-32:9.16.23-14.el9_3.x86_64                      12/12
  Running scriptlet: bind-32:9.16.23-14.el9_3.x86_64                      12/12
  Verifying        : protobuf-c-1.3.3-13.el9.x86_64                        1/12
  Verifying        : python3-ply-3.11-14.el9.noarch                        2/12
  Verifying        : bind-32:9.16.23-14.el9_3.x86_64                       3/12
  Verifying        : bind-dnssec-doc-32:9.16.23-14.el9_3.noarch            4/12
  Verifying        : bind-dnssec-utils-32:9.16.23-14.el9_3.x86_64          5/12
  Verifying        : bind-libs-32:9.16.23-14.el9_3.x86_64                  6/12
  Verifying        : bind-license-32:9.16.23-14.el9_3.noarch               7/12
  Verifying        : bind-utils-32:9.16.23-14.el9_3.x86_64                 8/12
  Verifying        : fstrm-0.6.1-3.el9.x86_64                              9/12
  Verifying        : libmaxminddb-1.5.2-3.el9.x86_64                      10/12
  Verifying        : libuv-1:1.42.0-1.el9.x86_64                          11/12
  Verifying        : python3-bind-32:9.16.23-14.el9_3.noarch              12/12
Installed products updated.

Installed:
  bind-32:9.16.23-14.el9_3.x86_64               bind-dnssec-doc-32:9.16.23-14.el9_3.noarch
  bind-dnssec-utils-32:9.16.23-14.el9_3.x86_64  bind-libs-32:9.16.23-14.el9_3.x86_64
  bind-license-32:9.16.23-14.el9_3.noarch       bind-utils-32:9.16.23-14.el9_3.x86_64
  fstrm-0.6.1-3.el9.x86_64                      libmaxminddb-1.5.2-3.el9.x86_64
  libuv-1:1.42.0-1.el9.x86_64                   protobuf-c-1.3.3-13.el9.x86_64
  python3-bind-32:9.16.23-14.el9_3.noarch       python3-ply-3.11-14.el9.noarch

Complete!
Edit the main configuration file
The options block initially reads:
[root@dns ~]# vim /etc/named.conf
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

zone "." IN {
        type hint;
        file "named.ca";
};
After the change:
[root@dns ~]# vim /etc/named.conf
options {
        listen-on port 53 { 192.168.30.11; };
        directory "/var/named";
};

zone "zlp.com" IN {
        type master;
        file "named.zlp";
};
Check the syntax:
[root@dns named]# named-checkconf
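named-checkconf only proves the file parses; it says nothing about what the trimmed-down options block now leaves at BIND's defaults. The following Python checker is an added example, not part of the original write-up and not BIND's own tooling. It embeds three constructed configurations (the stock options block above, trimmed to the directives the check looks at; the author's edited block; and an authoritative-only variant written here for comparison) and reports what each leaves unset. Two documented BIND facts drive it: when the directive is absent, recursion defaults to yes and allow-query defaults to any. The stock file's own comment says an authoritative server should not enable recursion, so a server that only hosts zlp.com is better off with recursion no, an explicit allow-query and an explicit allow-transfer. The brace-matching parser is deliberately minimal and is mine, not BIND's.

```python
import re

# Constructed excerpts (not the page's files verbatim): the stock options block
# trimmed to the directives this check looks at, the author's edited block, and
# an authoritative-only variant written here for comparison.
DEFAULT_CONF = """
options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { localhost; };
    /* If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. */
    recursion yes;
    dnssec-validation yes;
};
zone "." IN { type hint; file "named.ca"; };
"""

EDITED_CONF = """
options {
    listen-on port 53 { 192.168.30.11; };
    directory "/var/named";
};
zone "zlp.com" IN { type master; file "named.zlp"; };
"""

HARDENED_CONF = """
options {
    listen-on port 53 { 192.168.30.11; };
    directory "/var/named";
    recursion no;              # authoritative only: never resolve on behalf of clients
    allow-query { any; };      # anyone may ask about the zones we host
    allow-transfer { none; };  # no secondaries in this lab, so no zone transfers
};
zone "zlp.com" IN { type master; file "named.zlp"; };
"""


def strip_comments(conf):
    """Drop /* */, // and # comments so directive names inside them are not matched."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)


def block(conf, keyword):
    """Text between the balanced braces that follow `keyword`, or None if absent."""
    m = re.search(r"(?<![\w-])%s(?![\w-])[^{;]*\{" % re.escape(keyword), conf)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[m.end():i]
    return None


def directive(blk, name):
    """Value of `name ...;` (up to the first ';' outside braces), or None if not set."""
    m = re.search(r"(?<![\w-])%s(?![\w-])" % re.escape(name), blk or "")
    if not m:
        return None
    depth = 0
    for i in range(m.end(), len(blk)):
        depth += {"{": 1, "}": -1}.get(blk[i], 0)
        if blk[i] == ";" and depth == 0:
            return blk[m.end():i].strip()
    return None


def addresses(value):
    """Entries of the address-match list in a value such as 'port 53 { a; b; }'."""
    m = re.search(r"\{(.*)\}", value, re.S)
    return {a.strip() for a in m.group(1).split(";") if a.strip()} if m else set()


def audit(conf):
    """Return (code, message) findings for the options block of a named.conf text."""
    opts = block(strip_comments(conf), "options") or ""
    listen = directive(opts, "listen-on")
    recursion = directive(opts, "recursion")
    findings = []
    if recursion is None:
        findings.append(("recursion-default", "recursion not set; BIND's default is yes"))
    if directive(opts, "allow-query") is None:
        findings.append(("allow-query-default", "allow-query not set; BIND's default is any"))
    if directive(opts, "allow-transfer") is None:
        findings.append(("allow-transfer-unset",
                         "allow-transfer not set; state it explicitly (none if there are no secondaries)"))
    # With no listen-on at all, named listens on every IPv4 interface.
    exposed = listen is None or bool(addresses(listen) - {"127.0.0.1", "localhost"})
    if exposed and (recursion or "yes") == "yes":
        findings.append(("recursion-exposed",
                         "recursion is on for a listener beyond loopback; an authoritative-only "
                         "server should set 'recursion no;' (the stock file's comment says the same)"))
    return findings


if __name__ == "__main__":
    for label, conf in (("stock", DEFAULT_CONF), ("edited", EDITED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

The stock block yields only the allow-transfer note; the edited block trips all four checks; the hardened variant passes clean. Keep the two-line edited config for the lab if you like, but add the three explicit directives before that server is reachable from anything other than the lab network.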
Write the zone data file
We can start from a template, since nobody remembers the format by heart.
[root@dns named]# vim named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
Now create our own named.zlp; editing a copy of the template is much easier than writing it from scratch.
[root@dns ~]# cd /var/named
[root@dns named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
[root@dns named]# vim named.zlp
$TTL 1D
@       IN SOA  @ admin.zlp.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns
ns      IN A    192.168.30.11
www     IN A    192.168.30.10
# check the syntax
[root@dns named]# named-checkzone zlp.com /var/named/named.zlp
zone zlp.com/IN: loaded serial 0
OK
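To make the zone-file conventions explicit (what `@` and a bare `www` expand to, why the multi-line SOA in parentheses is one record, and why the `ns` A record must exist), here is a small zone parser and checker in Python. It is an added example, not the page's code and not named-checkzone; it embeds a constructed copy of the named.zlp above, handles only the subset of the format used there (no $ORIGIN switching, no $INCLUDE), and its glue check for in-zone NS targets is my own addition to what the page runs.

```python
import re

ORIGIN = "zlp.com."

# Constructed copy of the zone the write-up puts in /var/named/named.zlp.
ZONE_TEXT = """\
$TTL 1D
@   IN SOA  @ admin.zlp.com. (
                0   ; serial
                1D  ; refresh
                1H  ; retry
                1W  ; expire
                3H ) ; minimum
    IN NS   ns
ns  IN A    192.168.30.11
www IN A    192.168.30.10
"""


def fqdn(name, origin):
    """Expand '@' and relative names ('www') against the zone origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata-tokens) triples; comments, $TTL and '( ... )' are handled."""
    lines = [re.sub(r";.*", "", ln) for ln in text.splitlines()]
    logical, buf, depth = [], [], 0
    for ln in lines:
        if not ln.strip() and depth == 0:
            continue
        buf.append(ln)
        depth += ln.count("(") - ln.count(")")
        if depth == 0:                      # parentheses balanced: one logical line
            logical.append(" ".join(buf))
            buf = []
    records, owner = [], origin
    for ln in logical:
        toks = ln.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):         # $TTL and friends carry no record ($ORIGIN unsupported)
            continue
        if not ln[0].isspace():             # new owner name; a blank owner column reuses the last
            owner, toks = fqdn(toks[0], origin), toks[1:]
        if toks and re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):   # optional per-record TTL
            toks = toks[1:]
        if toks and toks[0] == "IN":
            toks = toks[1:]
        records.append((owner, toks[0], toks[1:]))
    return records


def check_zone(text, origin):
    """Checks in the spirit of named-checkzone, plus glue for in-zone NS targets."""
    records = parse_zone(text, origin)
    problems = []
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    if len(soa) != 1:
        problems.append("zone apex needs exactly one SOA record")
    elif len(soa[0][2]) < 7 or not soa[0][2][2].isdigit():
        problems.append(f"SOA serial {soa[0][2][2:3]!r} is not an integer"
                        if len(soa[0][2]) >= 3 else "SOA record is incomplete")
    ns_targets = [fqdn(r[2][0], origin) for r in records if r[0] == origin and r[1] == "NS"]
    if not ns_targets:
        problems.append("zone apex has no NS record")
    have_addr = {(r[0], r[1]) for r in records if r[1] in ("A", "AAAA")}
    for t in ns_targets:
        in_zone = t == origin or t.endswith("." + origin)
        if in_zone and (t, "A") not in have_addr and (t, "AAAA") not in have_addr:
            problems.append(f"NS target {t} is in-zone but has no A/AAAA record")
    return problems


def lookup(text, origin, name, rtype="A"):
    """What a client asking this zone for name/rtype gets back (the page's dig test)."""
    return [" ".join(r[2]) for r in parse_zone(text, origin)
            if r[0] == fqdn(name, origin) and r[1] == rtype]


if __name__ == "__main__":
    print(check_zone(ZONE_TEXT, ORIGIN))                 # [] means the zone passes
    print(lookup(ZONE_TEXT, ORIGIN, "www.zlp.com."))    # ['192.168.30.10']
```

Note what the glue check catches: delete the `ns IN A 192.168.30.11` line and the zone still declares `ns.zlp.com.` as its name server, but nothing in the zone says where that host is, so the delegation would be dead.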
Start the service
[root@dns ~]# systemctl start named
[root@dns ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
     Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; preset: disab>
     Active: active (running) since Tue 2025-09-16 13:50:24 CST; 10s ago
    Process: 2048 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes>
    Process: 2052 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code>
   Main PID: 2053 (named)
      Tasks: 10 (limit: 12043)
     Memory: 33.2M
        CPU: 93ms
     CGroup: /system.slice/named.service
             └─2053 /usr/sbin/named -u named -c /etc/named.conf

Sep 16 13:50:24 dns named[2053]: network unreachable resolving './NS/IN': 2001:500:>
Sep 16 13:50:24 dns named[2053]: network unreachable resolving './DNSKEY/IN': 2001:>
Sep 16 13:50:24 dns named[2053]: network unreachable resolving './DNSKEY/IN': 2001:>
Sep 16 13:50:25 dns named[2053]: resolver priming query complete
Sep 16 13:50:25 dns named[2053]: checkhints: b.root-servers.net/A (170.247.170.2) m>
Sep 16 13:50:25 dns named[2053]: checkhints: b.root-servers.net/A (199.9.14.201) ex>
Sep 16 13:50:25 dns named[2053]: checkhints: b.root-servers.net/AAAA (2801:1b8:10::>
Sep 16 13:50:25 dns named[2053]: checkhints: b.root-servers.net/AAAA (2001:500:200:>
Sep 16 13:50:25 dns named[2053]: managed-keys-zone: Initializing automatic trust an>
Sep 16 13:50:25 dns named[2053]: managed-keys-zone: Initializing automatic trust an>
Test
Can it return the Nginx host's IP?
[root@dns ~]# dig -t A www.zlp.com @192.168.30.11

; <<>> DiG 9.16.23-RH <<>> -t A www.zlp.com @192.168.30.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40508
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 1a2ba8463985d47e0100000068c8fae89cc93c52d0eac7d5 (good)
;; QUESTION SECTION:
;www.zlp.com.			IN	A

;; ANSWER SECTION:
www.zlp.com.		86400	IN	A	192.168.30.10    # works

;; Query time: 0 msec
;; SERVER: 192.168.30.11#53(192.168.30.11)
;; WHEN: Tue Sep 16 13:51:36 CST 2025
;; MSG SIZE  rcvd: 84
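dig hides the wire exchange that the "flags: qr aa" and "ANSWER SECTION" lines summarise. The Python below is an added example, not code from the page or from BIND: it builds the same A query by hand, parses a reply (including the name-compression pointer that real servers use for the answer name), and checks the two things that matter here: that the reply echoes the query id, and that the answer carries the IP we expect for our web host. It ships with a constructed reply shaped like the one above, so the parsing runs offline; `resolve()` sends a live query to whichever server address you pass it (the lab's 192.168.30.11 is assumed in the commented-out call), without EDNS, so replies over 512 bytes would be truncated.

```python
import os
import socket
import struct


def encode_name(name):
    """Encode 'www.zlp.com' as length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qid=0x1234, qtype=1):
    """Header (RD set, one question) + question for `name`, type `qtype`, class IN."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def decode_name(data, off):
    """Read a (possibly compressed) name at `off`; return (name, offset just past it)."""
    labels, end, jumped = [], off, False
    while True:
        ln = data[off]
        if ln & 0xC0 == 0xC0:                              # 11xxxxxx: pointer to an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(data[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data, expect_id=None):
    """Parse header, question and answer sections; A rdata is rendered as a dotted quad."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expect_id is not None and qid != expect_id:
        raise ValueError("reply id does not match the query id")
    off = 12
    for _ in range(qd):                                    # skip the echoed question
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": qid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400), "answers": answers}


def resolve(name, server, timeout=2.0):
    """Send one A query over UDP straight to `server` (like dig @server) and parse the reply."""
    qid = int.from_bytes(os.urandom(2), "big")             # random id: the reply must echo it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data, expect_id=qid)


def answer_matches(resp, expected_ip):
    """True when some A answer names the IP we expect for our web host."""
    return any(t == 1 and ip == expected_ip for _, t, _, ip in resp["answers"])


# Constructed reply shaped like the one the dig test above received: AA set, one
# answer "www.zlp.com. 86400 IN A 192.168.30.10", with the answer name given as a
# compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)
    + encode_name("www.zlp.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([192, 168, 30, 10])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, expect_id=0x1234))
    # Live check against the lab server (assumes 192.168.30.11 is reachable):
    # print(answer_matches(resolve("www.zlp.com", "192.168.30.11"), "192.168.30.10"))
```

The `answer_matches` check is the one the later ping test needed: a reply that resolves but names a different address is a resolver problem, not a success.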
Configure Nginx
Change the hostname & IP
# omitted
Install nginx
[root@nginx ~]# rpm -qa | grep nginx
nginx-filesystem-1.20.1-14.el9_2.1.noarch
nginx-core-1.20.1-14.el9_2.1.x86_64
nginx-1.20.1-14.el9_2.1.x86_64
# already installed
Configure nginx
[root@nginx ~]# cd /etc/nginx/conf.d/
[root@nginx conf.d]# ls
web.conf
[root@nginx conf.d]# vim web.conf
[root@nginx conf.d]# rm web.conf
rm: remove regular file 'web.conf'? y
# web.conf was created in the earlier nginx-tomcat exercise and can be deleted
[root@nginx conf.d]# vim nginx.conf
# once it is written, check the syntax
[root@nginx conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# no problems
[root@nginx conf.d]# cat nginx.conf
# contents
server {
    listen 80;
    server_name www.zlp.com;
    root /usr/share/nginx/html;  # any directory works as long as it exists; see the nginx chapter for the other ways to set it
}
Change the home page
(If the request goes through, this lets us confirm that it was nginx that answered the client.)
When curl www.zlp.com returns this content, it means the client (here the nginx host itself) got the nginx server's IP from our own DNS server, reached nginx and fetched this home page. In a real deployment the DNS server hands the client the site's IP and the client fetches the page from that IP directly.
[root@nginx conf.d]# echo "welcome nginx,now successful" > /usr/share/nginx/html/index.html
Test the domain name
[root@nginx conf.d]# ping www.zlp.com -c 3
PING overdue.aliyun.com (170.33.12.185) 56(84) bytes of data.
64 bytes from 170.33.12.185 (170.33.12.185): icmp_seq=1 ttl=128 time=89.2 ms
64 bytes from 170.33.12.185 (170.33.12.185): icmp_seq=2 ttl=128 time=154 ms
64 bytes from 170.33.12.185 (170.33.12.185): icmp_seq=3 ttl=128 time=325 ms
# ping gets a reply, but not from the IP we want. Why?
Problem: the name resolves, but to an unknown IP
At this point the host is still using its default DNS server rather than the one we configured, so the IP of our page simply is not known to that default server.
We can verify that:
[root@nginx ~]# nmcli d show ens160 | grep DNS
IP4.DNS[1]: 223.5.5.5
Change the DNS address on the Nginx host
The default is 223.5.5.5, but to find our own page we must use the DNS server we configured ourselves; otherwise we get an external answer (as the test just showed).
[root@nginx ~]# nmcli c modify ens160 ipv4.dns 192.168.30.11
[root@nginx ~]# nmcli c up ens160
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)
[root@nginx ~]# nmcli d show ens160 | grep DNS
IP4.DNS[1]: 192.168.30.11
# changed
Access the service (verification)
Start the service
[root@nginx ~]# systemctl start nginx
Test
[root@nginx ~]# curl www.zlp.com
welcome nginx,now successful
# success