
Bind 9.10 source code installation and new redirect type and $GENERATE instruction usage

2025-01-21 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

System platform: CentOS 6.6x86x64

Bind version: bind-9.10.2

Preparatory work

Download the bind source package (not shown here).

Install the development toolchain (gcc, make, openssl-devel and so on; not shown here).

Installation:

Decompress bind-9.10.2.tar.gz

```
# tar xvf bind-9.10.2.tar.gz
# cd bind-9.10.2/
# ./configure -h
# ./configure --prefix=/usr/local/bind --mandir=/usr/share/ --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
# make -j 2 && make install
# ln -s /usr/local/bind/bin/* /usr/bin/
# ln -s /usr/local/bind/sbin/* /usr/sbin/
# groupadd -r named
# useradd -r -g named -M -s /sbin/nologin named
# mkdir /usr/local/bind/var/run/named
# chown named:named /usr/local/bind/var/run/named
# ll -d /usr/local/bind/var/run/named/
# [ -d /etc/named/ ] || mkdir /etc/named
# chown named:named /etc/named
# [ -d /var/named ] || mkdir /var/named
# chown named:named /var/named
```

Start configuring the base zone file

```
# dig -t NS . @61.139.2.69 > /var/named/named.ca
# cd /var/named/
# vim named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
# vim named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        PTR     localhost.
# chown -R named.named /var/named/*
```

Note that building named.ca from a dig against a recursive resolver you do not control (61.139.2.69 here) means trusting that resolver's idea of the root; the authoritative copy is published by InterNIC at https://www.internic.net/domain/named.root and is the better source for a production hint file.

named.conf, the main configuration file (the bind source tree ships a sample named.conf under bin/tests/named.conf)

```
# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
# cd /etc/named/
# touch named.conf
# vim rndc.conf        (in command mode, :2,11w >> named.conf appends the key stanza that rndc-confgen printed)
# cat named.conf
# vim named.conf
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
    algorithm hmac-md5;
    secret "8VWpbjeJ8mochoPghAN5SQQ=";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
# chown -R named.named /etc/named/*
```

Two things to adjust before this server faces anything but a lab network. First, allow-query { any; } together with recursion yes makes an open recursive resolver, which is exactly what DNS amplification attacks look for; limit recursion to your own clients with allow-recursion (for example { localnets; }) or an explicit ACL. Second, the rndc secret above is the one the page printed, so it is public: generate your own with rndc-confgen (and prefer -A hmac-sha256 over the hmac-md5 default if your rndc-confgen supports it), and keep rndc.conf readable only by root.

Run named

```
# named -u named -g         # first run in the foreground (-g) so startup errors go to stderr
# named -u named            # then run it as a daemon
# netstat -tunpl            # confirm named listens on 53/udp, 53/tcp and 953/tcp (rndc)
# tail /var/log/messages    # check the log for errors
# iptables -t filter -I INPUT -p udp --dport 53 -j ACCEPT
```

Then query a name from a remote machine to confirm it resolves. Truncated answers and zone transfers fall back to TCP, so open 53/tcp as well if remote clients or secondaries need it.

System service script for named (the chkconfig header line must carry both a start and a stop priority, 35 and 75 here, or chkconfig --add will reject it):

```bash
#!/bin/bash
# named         a network name service.
# chkconfig: 345 35 75
# description: a name server

[ -r /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions

PidFile=/usr/local/bind/var/run/named/named.pid
LockFile=/var/lock/subsys/named
named=named

start() {
    [ -x /usr/local/bind/sbin/$named ] || exit 4
    if [ -f $LockFile ]; then
        echo -n "$named is already running..."
        failure
        echo
        exit 5
    fi
    echo -n "Starting $named:"
    daemon --pidfile "$PidFile" /usr/local/bind/sbin/$named -u named -4
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ]; then
        touch $LockFile
        return 0
    else
        rm -f $LockFile $PidFile
        return 1
    fi
}

stop() {
    if [ ! -f $LockFile ]; then
        echo "$named is not started."
        failure
    fi
    echo -n "Stopping $named:"
    killproc $named
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $LockFile
    return 0
}

restart() {
    stop
    sleep 1
    start
}

reload() {
    echo -n "Reloading $named:"
    killproc $named -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

status() {
    if pidof $named > /dev/null && [ -f $PidFile ]; then
        echo "$named is running..."
    else
        echo "$named is stopped..."
    fi
}

case $1 in
start)   start ;;
stop)    stop ;;
restart) restart ;;
reload)  reload ;;
status)  status ;;
*)
    echo "Usage: named {start|stop|status|reload|restart}"
    exit 2
    ;;
esac
```

Redirect zone type

A zone of type redirect is consulted only when normal resolution would return NXDOMAIN: instead of the empty answer, named returns the matching record from the redirect zone, usually a wildcard pointing at a fixed IP.

This can be used to offer extra services, such as a landing or search page for mistyped names. Before enabling it on a resolver other people use, note that it breaks every client that relies on NXDOMAIN (mail servers, search-list probing, sinkhole checks), that named does not substitute the answer when the client set the DO bit and the NXDOMAIN is DNSSEC-signed, so validating clients still see the real NXDOMAIN, and that only one redirect zone is supported per view; allow-query on the zone restricts which clients receive the substituted answers.

```
zone "." IN {
    type redirect;
    file "redirect.file";
};
```

redirect.file:

```
$TTL 3600
@   IN  SOA  ns.EXAMPLE.net. mail.EXAMPLE.net. ( 0 0 0 0 0 )
@   IN  NS   ns.EXAMPLE.net.
*.  IN  A    8.8.8.8
```

Test (the original shows a screenshot): a dig through this server for a name that does not exist returns an A record of 8.8.8.8 instead of NXDOMAIN.

Usage of $GENERATE instruction

The BIND ARM introduces it as follows:

Syntax:

$GENERATE range lhs [ttl] [class] type rhs [comment]

$GENERATE creates a series of resource records that differ from each other only by an iterator. It is an easy way to generate the set of records needed for a sub-/24 reverse delegation (RFC 2317, classless IN-ADDR.ARPA delegation).

```
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
```

Equivalent to:

```
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
```

Actual test

```
$GENERATE 1-6 lh$ 3600 IN CNAME googlehosted.l
```

is equivalent to:

```
lh1 3600 IN CNAME googlehosted.l
lh2 3600 IN CNAME googlehosted.l
lh3 3600 IN CNAME googlehosted.l
lh4 3600 IN CNAME googlehosted.l
lh5 3600 IN CNAME googlehosted.l
lh6 3600 IN CNAME googlehosted.l
```

Query result (the original shows a dig screenshot): each of lh1 through lh6 answers with the CNAME googlehosted.l.
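As an added example (not code from the original page or from BIND itself), the following Python expander implements the $GENERATE substitution rules quoted above, so the records a directive will load can be previewed offline before the zone is reloaded. It goes a little beyond the page's cases: besides the plain $ iterator it handles $$ (a literal dollar sign), the ${offset,width,base} modifier and a range step (start-stop/step), all of which BIND's $GENERATE accepts. The origin example.com. used for the lh$ test is an assumption, since the page does not show which zone that test was run in. On the real server, named-checkzone -D on the zone file dumps the same expanded records.

```python
import re

# $ -> iterator; $$ -> literal "$"; ${offset,width,base} -> iterator+offset,
# zero-padded to width, printed in base d/o/x/X (the modifiers BIND's $GENERATE accepts).
_TOKEN = re.compile(r"\$\$|\$\{(-?\d+)(?:,(\d+))?(?:,([doxX]))?\}|\$")
_TTL = re.compile(r"^\d+[smhdwSMHDW]?$")
# rdata types whose right-hand side is a domain name and is therefore made relative to $ORIGIN
_NAME_RDATA = {"NS", "CNAME", "PTR", "DNAME"}


def substitute(template, i):
    """Expand the iterator tokens of a $GENERATE lhs or rhs for iterator value i."""
    def repl(m):
        if m.group(0) == "$$":
            return "$"
        value = i + int(m.group(1) or 0)
        width = int(m.group(2) or 0)
        base = m.group(3) or "d"
        spec = "0%d%s" % (width, base) if width else base
        return format(value, spec)
    return _TOKEN.sub(repl, template)


def qualify(name, origin):
    """Make a zone-file name absolute: '@' is the origin, a name without a trailing dot gets it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def expand_generate(line, origin, default_class="IN"):
    """Expand one '$GENERATE range lhs [ttl] [class] type rhs' line into the
    (owner, ttl, class, type, rdata) tuples named would load from it."""
    fields = line.split(";", 1)[0].split()          # drop a trailing comment
    if len(fields) < 5 or fields[0].upper() != "$GENERATE":
        raise ValueError("not a $GENERATE directive: %r" % line)
    rng, lhs, rest = fields[1], fields[2], fields[3:]
    bounds, _, step = rng.partition("/")            # range is start-stop[/step]
    start, stop = (int(x) for x in bounds.split("-"))
    step = int(step) if step else 1
    ttl, rclass = None, default_class
    if _TTL.match(rest[0]):                         # optional ttl
        ttl = rest.pop(0)
    if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
        rclass = rest.pop(0).upper()
    if len(rest) < 2:
        raise ValueError("missing type or rhs in %r" % line)
    rtype, rhs = rest[0].upper(), rest[1]
    records = []
    for i in range(start, stop + 1, step):
        owner = qualify(substitute(lhs, i), origin)
        rdata = substitute(rhs, i)
        if rtype in _NAME_RDATA:
            rdata = qualify(rdata, origin)
        records.append((owner, ttl, rclass, rtype, rdata))
    return records


def expand_zone(text, origin):
    """Expand every $GENERATE line of a zone-file fragment, honouring $ORIGIN lines."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line.upper().startswith("$GENERATE"):
            out.extend(expand_generate(line, origin))
    return out


if __name__ == "__main__":
    # The ARM example quoted on this page, as a constructed fragment.
    fragment = """
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 0 NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
"""
    for rec in expand_zone(fragment, "."):
        print(" ".join(str(f) for f in rec if f is not None))
```

Run it and compare the output with the "Equivalent to" listing above; the first two lines are the NS records for 0.0.0.192.IN-ADDR.ARPA. and the next 127 are the CNAMEs.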

One of the parameters of the options block in named.conf:

deny-answer-addresses usage.

Syntax:

```
deny-answer-addresses { address_match_list } [ except-from { namelist } ];
```

Taken literally: deny any answer that contains one of these addresses. In the BIND ARM this option lives under "Response Filtering" and exists to stop DNS rebinding, where an attacker-controlled external name answers with an address inside your network (10.0.0.0/8, 192.168.0.0/16 and so on) so that a browser will talk to an internal host under the attacker's origin.

For example, we dig query a domain name fscdnuni-vip.115.com.

You can see that there are a lot of IP.

What if we add an IP to the deny option?

```
deny-answer-addresses { 58.252.100.82; };
```

We have added one of the IP to the deny-answer-addresses here.

```
# rndc reload
# rndc flushname fscdnuni-vip.115.com
```

Check again:

The query now fails: no A records come back for the name, even though only one of the many addresses was listed.

```
deny-answer-addresses { 58.252.100.82; } except-from { "115.com"; };
```

Add the optional except-from parameter (the exception list), and the answer is returned again: except-from is matched against the query name, and fscdnuni-vip.115.com is a subdomain of 115.com.

That is what deny-answer-addresses does.

The address_match_list can contain single IP addresses as well as CIDR network prefixes.

If even one address in the answer matches an entry in the address_match_list, named will not return the recursed or forwarded answer to the client. The reasoning is that if any address in the answer is untrusted, the whole answer is untrusted. Authoritative data served from the server's own zones is not subject to this filter.

The deny-answer-aliases option is supposed to be similar to the one above, but my test here doesn't seem to work.

Does anyone know how to use it?
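As an added example (not the page's own code and not BIND's implementation), here is a small Python model of the two filters as the BIND ARM describes them: deny-answer-addresses compares the A/AAAA rdata in the answer section against an address list, deny-answer-aliases compares the target names of CNAME/DNAME records against a name list, and each option's except-from exempts queries whose query name is in (or under) the listed names, which is what the 115.com test above shows. The sample answers are constructed, not captured from the real servers, and the model leaves out negated ("!") entries and named ACLs that a real address_match_list may contain.

```python
import ipaddress


def name_in_list(name, namelist):
    """True if name equals, or is a subdomain of, any name in namelist (case-insensitive)."""
    n = name.rstrip(".").lower()
    for entry in namelist:
        e = entry.rstrip(".").lower()
        if n == e or n.endswith("." + e):
            return True
    return False


def addr_in_list(addr, address_match_list):
    """True if addr falls inside any entry (single address or CIDR prefix) of the list.
    Negated entries ('!') and named ACLs of a real address_match_list are not modelled."""
    ip = ipaddress.ip_address(addr)
    for entry in address_match_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def filter_answer(qname, answer, deny_addresses=(), addresses_except_from=(),
                  deny_aliases=(), aliases_except_from=()):
    """Decide whether a recursed/forwarded answer may be handed to the client.

    answer: list of (owner, rtype, rdata) for the answer section.
    Returns (True, "accepted") or (False, reason).
      deny-answer-addresses: reject if any A/AAAA rdata matches the address list,
        unless the query name is covered by its except-from.
      deny-answer-aliases: reject if any CNAME/DNAME target matches the name list,
        unless the query name is covered by its except-from.
    Addresses are never compared against deny-answer-aliases, nor names against
    deny-answer-addresses, so an IP in deny-answer-aliases can never trigger.
    """
    check_addrs = bool(deny_addresses) and not name_in_list(qname, addresses_except_from)
    check_aliases = bool(deny_aliases) and not name_in_list(qname, aliases_except_from)
    for owner, rtype, rdata in answer:
        if check_addrs and rtype in ("A", "AAAA") and addr_in_list(rdata, deny_addresses):
            return False, "%s %s %s matches deny-answer-addresses" % (owner, rtype, rdata)
        if check_aliases and rtype in ("CNAME", "DNAME") and name_in_list(rdata, deny_aliases):
            return False, "%s %s target %s matches deny-answer-aliases" % (owner, rtype, rdata)
    return True, "accepted"


# Constructed sample answers (not captured from the real servers).
CDN_ANSWER = [
    ("fscdnuni-vip.115.com.", "A", "58.252.100.82"),
    ("fscdnuni-vip.115.com.", "A", "58.252.100.83"),
]
# The DNS-rebinding shape the option exists for: an external name answering with a private address.
REBIND_ANSWER = [("www.attacker.example.", "A", "192.168.1.10")]
# The alias variant: an external name CNAMEd onto an internal one.
ALIAS_ANSWER = [
    ("www.attacker.example.", "CNAME", "router.internal.example."),
    ("router.internal.example.", "A", "192.168.1.1"),
]
PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

if __name__ == "__main__":
    print(filter_answer("fscdnuni-vip.115.com.", CDN_ANSWER, deny_addresses=["58.252.100.82"]))
    print(filter_answer("fscdnuni-vip.115.com.", CDN_ANSWER, deny_addresses=["58.252.100.82"],
                        addresses_except_from=["115.com"]))
    print(filter_answer("www.attacker.example.", REBIND_ANSWER, deny_addresses=PRIVATE))
    print(filter_answer("www.attacker.example.", ALIAS_ANSWER, deny_aliases=["internal.example"]))
```

The usual production setting is the PRIVATE list above in deny-answer-addresses, with your own domains in except-from so that split-horizon names that legitimately resolve to internal addresses keep working.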
