
CentOS7 DNS related experiments

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/02 Report--

Experiment 1: single-node forward resolution, reverse resolution and recursion

The experiment environment is as follows:

Host IP          Description
192.168.5.181    Internal DNS server; its gateway is 172.16.0.1, which is directly connected to the external network and provides DNS
192.168.5.182    Internal client

Experiment steps:

Install bind on the 192.168.5.181 machine:

yum install -y bind

Edit /etc/named.conf as shown below. Change allow-query to any so that every host is allowed to make DNS queries; add forward only and forwarders { 172.16.0.1; } to enable global forwarding, meaning that anything not defined through a zone on 192.168.5.181 is handed to 172.16.0.1 for resolution; set recursion to yes to support recursive queries; and, since this is only an experiment, change both dnssec-enable and dnssec-validation to no:

options {
    // listen-on port 53 { 192.168.5.181; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    forward only;
    forwarders { 172.16.0.1; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
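A check of that options block, added here as an example and not part of the article: it parses only the statements named actually sees (the commented-out listen-on line is ignored, just as named ignores it) and reports the combination the comment in the file itself warns about, recursion yes while recursive queries are allowed from any. With the listen-on line commented out, named also binds port 53 on every IPv4 interface, including the 172.16.x address that shows up in the ss output later. The ACL fallback order used below (allow-recursion, then allow-query-cache, then allow-query, then localnets; localhost) is BIND 9's documented default. The options text is a constructed copy of the article's block with the long comments trimmed; the hardened variant is an assumption about how one would restrict the same lab server, not something the article shows.

```python
import re

# Constructed copy of the article's options block (comments trimmed); the
# listen-on line is commented out with //, exactly as in the article.
ARTICLE_OPTIONS = """
options {
    // listen-on port 53 { 192.168.5.181; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query { any; };
    forward only;
    forwarders { 172.16.0.1; };
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
};
"""

# Assumed hardened variant for the same lab network: recursion only for the
# LAN, named bound to the internal address, validation switched back on.
HARDENED_OPTIONS = """
options {
    listen-on port 53 { 192.168.5.181; };
    directory "/var/named";
    allow-query { any; };
    allow-recursion { 192.168.5.0/24; localhost; };
    forward only;
    forwarders { 172.16.0.1; };
    recursion yes;
    dnssec-validation yes;
};
"""

# One statement: name [port N] followed by either { a; b; } or a scalar value.
STMT = re.compile(r"([\w-]+)(?:\s+port\s+\d+)?\s*(?:\{([^}]*)\}|([^;{}]+))\s*;")


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out statements vanish,
    which is how named itself sees the file."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_options(conf):
    """Map each statement inside options { } to its value: a list for
    brace-enclosed address lists, a string for scalar settings."""
    m = re.search(r"options\s*\{(.*)\};", strip_comments(conf), flags=re.S)
    if not m:
        raise ValueError("no options block found")
    opts = {}
    for name, braced, scalar in STMT.findall(m.group(1)):
        if scalar.strip():
            opts[name] = scalar.strip()
        else:
            opts[name] = [v.strip() for v in braced.split(";") if v.strip()]
    return opts


def effective_recursion_acl(opts):
    """BIND 9's documented fallback for allow-recursion: allow-recursion,
    else allow-query-cache, else allow-query, else localnets; localhost."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return ["localnets", "localhost"]


def open_resolver_findings(conf):
    """Report the settings that make the server an open resolver, plus two
    related weaknesses. An empty list means the options block looks sane."""
    opts = parse_options(conf)
    findings = []
    if opts.get("recursion") == "yes" and "any" in effective_recursion_acl(opts):
        findings.append("open-resolver: recursion yes and recursive queries allowed from any")
    if "listen-on" not in opts:
        findings.append("listen-on unset: named binds port 53 on every IPv4 interface")
    if opts.get("dnssec-validation") == "no":
        findings.append("dnssec-validation no: answers from the forwarder are accepted unvalidated")
    return findings


if __name__ == "__main__":
    for label, conf in (("article", ARTICLE_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(label, open_resolver_findings(conf) or ["no findings"])
```

Run stand-alone it prints three findings for the article's block and none for the hardened one. The parser is deliberately small (no nested views or include handling), which is enough for the options block of a single-file lab configuration like this one.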

Define two zones in /etc/named.rfc1912.zones, one for forward resolution and one for reverse resolution. Note that the name of a reverse zone must follow this format: write the network portion of the address in reverse order and append the .in-addr.arpa suffix. For example, reverse resolution for the 192.168.10 network requires the zone name 10.168.192.in-addr.arpa:

...
zone "tester.com" IN {
    type master;
    file "tester.com.zone";
};
zone "5.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.5.zone";
};

From /etc/named.conf we can see that directory is /var/named, so we create the files tester.com.zone and 192.168.5.zone in /var/named. Note: as a security measure, change the group owner of both files to named and remove all permissions for other users:

cd /var/named
chmod o= tester.com.zone 192.168.5.zone
chown :named tester.com.zone 192.168.5.zone

Edit tester.com.zone as shown below:

TTL is the time a record may be cached by a DNS client or a resolver, in seconds by default. Here it is set to 600 seconds.

SOA is the start-of-authority record. A zone file has exactly one SOA record, and it must be the first record.

Inside the parentheses, 2017052201 is the serial number; it is incremented whenever the primary's zone data changes.

30m is the refresh interval: how often a secondary server contacts the primary to check whether the serial number has changed.

2m is the retry interval: how long a secondary waits before trying again after a failed attempt to synchronise the zone from the primary.

The first 1h is the expire time of one hour: when a secondary cannot reach the primary, this is how long it waits before giving up on synchronising data from the primary.

The second 1h is the negative-caching TTL of one hour: when the upstream DNS returns "no such record", this answer is kept on this DNS server for that long.

The "@" symbol refers to the zone's name, which was defined in /etc/named.rfc1912.zones: tester.com. and 5.168.192.in-addr.arpa. respectively.

NS is the name-server record, giving the FQDN of the DNS server itself. There can be several NS records, one of which is the primary DNS.

A is an address record: here, the A address of 17.tester.com. is 192.168.5.181.

CNAME is an alias record: web.tester.com. is an alias of 17.tester.com.

$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@ IN NS 17.tester.com.
17 IN A 192.168.5.181
web IN CNAME 17

Edit 192.168.5.zone as shown below:

PTR is a pointer record, pointing to another name in the domain name space; here it points to 17.tester.com.

$TTL 1200
@ IN SOA tester.com. mail.tester.com. ( 2017052301 3h 20m 1w 1d )
@ IN NS 17.tester.com.
181 IN PTR 17.tester.com.
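The two zone files above, cross-checked by a script added here as an example (not the article's code). It parses the master-file syntax the article uses ($TTL, a parenthesised SOA, "@" and relative owner names), derives the in-addr.arpa zone name from each A record's network with the reversal rule given earlier for 192.168.10, and reports any A record that has no PTR pointing back at the same FQDN, the mismatch that most often appears when a forward zone is edited and the reverse zone is forgotten. The zone text is a constructed copy of the article's two files; reverse_zone_name also accepts one- or two-octet prefixes for /8 and /16 reverse zones, which goes beyond the /24 case the article shows.

```python
from collections import namedtuple

Record = namedtuple("Record", "name ttl type rdata")

# Constructed copies of the article's two zone files (same records, same timers).
FORWARD_ZONE = """\
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
    2017052201 30m 2m 1h 1h )
@ IN NS 17.tester.com.
17 IN A 192.168.5.181
web IN CNAME 17
"""

REVERSE_ZONE = """\
$TTL 1200
@ IN SOA tester.com. mail.tester.com. ( 2017052301 3h 20m 1w 1d )
@ IN NS 17.tester.com.
181 IN PTR 17.tester.com.
"""


def reverse_zone_name(prefix):
    """Network prefix -> in-addr.arpa zone: 192.168.5 -> 5.168.192.in-addr.arpa.
    One to three octets are accepted (a /8, /16 or /24 reverse zone)."""
    octets = prefix.strip(".").split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError("expected 1-3 dotted octets, got %r" % prefix)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def qualify(name, origin):
    """Expand names the way named does: '@' is the origin, 'web' becomes
    'web.<origin>', and a name ending in '.' is already absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Parse master-file syntax: $TTL, ';' comments, parenthesised multi-line
    rdata, '@' and relative owner names, and an omitted owner (leading blank)."""
    origin = origin.rstrip(".") + "."
    default_ttl, records, last_owner = None, [], origin
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";")[0]            # ';' starts a comment
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                       # still inside ( ... )
            continue
        logical, buf = " ".join(buf), []
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            default_ttl = tokens[1]
            continue
        if logical[0] in " \t":             # owner omitted: reuse the previous one
            owner = last_owner
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        ttl = tokens.pop(0) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("NS", "CNAME", "PTR"):  # target names may be relative too
            rdata = [qualify(rdata[0], origin)]
        records.append(Record(owner, ttl, rtype, rdata))
    return default_ttl, records


def consistency_findings(fwd_text, fwd_origin, rev_text, rev_origin):
    """Cross-check a forward/reverse pair: one SOA first in each zone, the
    reverse zone's origin must match the A records' network, and every A
    record needs a PTR pointing back at the same FQDN."""
    findings = []
    _, fwd = parse_zone(fwd_text, fwd_origin)
    _, rev = parse_zone(rev_text, rev_origin)
    for origin, recs in ((fwd_origin, fwd), (rev_origin, rev)):
        if sum(r.type == "SOA" for r in recs) != 1 or recs[0].type != "SOA":
            findings.append("%s: expected exactly one SOA, placed first" % origin)
    rev_origin = rev_origin.rstrip(".") + "."
    ptr = {r.name: r.rdata[0] for r in rev if r.type == "PTR"}
    for r in (x for x in fwd if x.type == "A"):
        ip = r.rdata[0]
        net, host = ip.rsplit(".", 1)
        expected, owner = reverse_zone_name(net) + ".", None
        if expected != rev_origin:
            findings.append("%s (%s) belongs in zone %s, not %s" % (r.name, ip, expected, rev_origin))
            continue
        owner = host + "." + rev_origin
        if owner not in ptr:
            findings.append("no PTR for %s (%s)" % (ip, r.name))
        elif ptr[owner] != r.name:
            findings.append("PTR for %s points to %s, A record owner is %s" % (ip, ptr[owner], r.name))
    return findings


if __name__ == "__main__":
    print(consistency_findings(FORWARD_ZONE, "tester.com", REVERSE_ZONE,
                               "5.168.192.in-addr.arpa") or "forward and reverse zones agree")
```

For the article's files the check comes back clean. It complements rather than replaces named-checkzone, which validates each file on its own but cannot tell you that the PTR side was never written.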

After saving, restart the service with the command systemctl start named.service, and use ss -tunl to check whether port 53 is in the listening state:

$ systemctl start named.service
$ ss -tunl | grep -E "\b53\b" | awk -F" " '{$NF=" "; print $0}'
udp UNCONN 0 0 172.16.252.238:53
udp UNCONN 0 0 192.168.5.181:53
udp UNCONN 0 0 127.0.0.1:53
udp UNCONN 0 0 ::1:53
tcp LISTEN 0 10 172.16.252.238:53
tcp LISTEN 0 10 192.168.5.181:53
tcp LISTEN 0 10 127.0.0.1:53
tcp LISTEN 0 10 ::1:53

Run query tests with the dig command on 192.168.5.182:

Resolve an A record:

[root@centos7-front2 ~]# dig -t A www.baidu.com @192.168.5.181
; DiG 9.9.4-RedHat-9.9.4-29.el7 -t A www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER
(the remainder of the dig output was not preserved)
