玩转DNS服务器——Bind服务
合理的配置DNS的查询方式
实验环境:
虚拟机:VMware? Workstation 15 Pro
均使用NAT连接 网段为192.168.1.0/24
DNS 服务器 ---- Centos 7.4
内核版本 Kernel: Linux 3.10.0-693.el7.x86_64
IP地址:192.168.1.1/24
网关: 192.168.1.254
DNS: 192.168.1.1
客户端 ---- Centos 7.4
内核版本 Kernel: Linux 3.10.0-693.el7.x86_64
IP地址:192.168.1.2/24
网关: 192.168.1.254
DNS: 192.168.1.1
安装DNS服务
[root@localhost ~]#yum install bind -y //安装 Loaded plugins: fastestmirror, langpacks repo | 3.6 kB 00:00:00 Determining fastest mirrors Resolving Dependencies --> Running transaction check ---> Package bind.x86_64 32:9.9.4-50.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved ======================================================================================= Package Arch Version Repository Size ======================================================================================= Installing: bind x86_64 32:9.9.4-50.el7 repo 1.8 M Transaction Summary ======================================================================================= Install 1 Package Total download size: 1.8 M Installed size: 4.3 M Downloading packages: Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : 32:bind-9.9.4-50.el7.x86_64 1/1 Verifying : 32:bind-9.9.4-50.el7.x86_64 1/1 Installed: bind.x86_64 32:9.9.4-50.el7 Complete! [root@localhost ~]#
编辑dns服务器配置文件
1 [root@localhost ~]# vim /etc/named.conf
2 //
3 // named.conf
4 //
5 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS 6 // server as a caching only nameserver (as a localhost DNS resolver only).
7 //
8 // See /usr/share/doc/bind*/sample/ for example named configuration files.
9 //
10 // See the BIND Administrator's Reference Manual (ARM) for details about the
11 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
12
13 options {
14 listen-on port 53 { 127.0.0.1; }; //修改为listen-on port 53 { any; };
15 listen-on-v6 port 53 { ::1; }; //修改为linsten-on-v6 port 53 { any; };
16 directory "/var/named";
17 dump-file "/var/named/data/cache_dump.db";
18 statistics-file "/var/named/data/named_stats.txt";
19 memstatistics-file "/var/named/data/named_mem_stats.txt";
20 allow-query { localhost; }; //修改为allow-query { any; };
21
22 /*
23 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
24 - If you are building a RECURSIVE (caching) DNS server, you need to enable
25 recursion.
26 - If your recursive DNS server has a public IP address, you MUST enable access
27
28 control to limit queries to your legitimate users. Failing to do so will
29 cause your server to become part of large scale DNS amplification
30 attacks. Implementing BCP38 within your network would greatly
31 reduce such attack surface
32 */
33 recursion yes;
34
35 dnssec-enable yes;
36 dnssec-validation yes;
37
38 /* Path to ISC DLV key */
39 bindkeys-file "/etc/named.iscdlv.key";
40
41 managed-keys-directory "/var/named/dynamic";
42
43 pid-file "/run/named/named.pid"; 44 session-keyfile "/run/named/session.key";
45 };
46
47 logging {
48 channel default_debug {
49 file "data/named.run";
50 severity dynamic;
51 };
52 };
53
54 zone "." IN {
55 type hint;
56 file "named.ca";
57 };
58
59 include "/etc/named.rfc1912.zones";
60 include "/etc/named.root.key";
61
编辑DNS正反向区域
1 [root@localhost named]# vim /etc/named.rfc1912.zones 2 // named.rfc1912.zones: 3 // 4 // Provided by Red Hat caching-nameserver package 5 // 6 // ISC BIND named zone configuration for zones recommended by 7 // RFC 1912 section 4.1 : localhost TLDs and address zones 8 // and http://www.ietf.org/internet-drafts/draft-ietf-dnsopdefault-local-zones-02.txt 9 // (c)2007 R W Franks 10 // 11 // See /usr/share/doc/bind*/sample/ for example named configuration files. 12 // 13 zone "localhost.localdomain" IN { 14 type master; 15 file "named.localhost"; 16 allow-update { none; }; 17 }; 18 19 zone "localhost" IN { 20 type master; 21 file "named.localhost"; 22 allow-update { none; }; 23 }; 24 25 26 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { 27 type master; 28 file "named.loopback"; 29 allow-update { none; }; 30 }; 31 32 zone "1.0.0.127.in-addr.arpa" IN { 33 type master; 34 file "named.loopback"; 35 allow-update { none; }; 36 }; 37 38 zone "0.in-addr.arpa" IN { 39 type master; 40 file "named.empty"; 41 allow-update { none; }; 42 }; 43 44 //-------------------------------------------//在最底下添加下面两段 45 //第一段为正向解析 46 zone "netdj.net" IN { 47 type master; 48 file "netdj.net.zone"; 49 allow-update { none; }; 50 }; 51 52 //第二段为反向解析 53 zone "1.168.192.in-addr.arpa" IN { 54 type master; 55 file "1.168.192.zone"; 56 allow-update { none; }; 57 };
创建DNS正反向区域解析文件
[root@localhost ~]# cd /var/named/ [root@localhost named]# ls data dynamic named.ca named.empty named.localhost named.loopback slaves //复制模板创建正反向解析文件 [root@localhost named]# cp -p named.empty netdj.net.zone [root@localhost named]# cp -p named.empty 1.168.192.zone
编辑正向解析文件
1 [root@localhost named]# vim netdj.net.zone 2 $TTL 3H 3 @ IN SOA @ rname.invalid. ( 4 0 ; serial 5 1D ; refresh 6 1H ; retry 7 1W ; expire 8 3H ) ; minimum 9 NS @ 10 A 127.0.0.1 11 dns A 192.168.1.1 //使用A记录将dns.netdj.net指向192.168.1.1 12 client A 192.168.1.2 //使用A记录将client.netdj.net指向192.168.1.2
编辑反向解析文件
1 [root@localhost named]# vim 1.168.192.zone 2 $TTL 3H 3 @ IN SOA @ rname.invalid. ( 4 0 ; serial 5 1D ; refresh 6 1H ; retry 7 1W ; expire 8 3H ) ; minimum 9 NS @ 10 A 127.0.0.1 11 1 PTR dns.netdj.net. //使用PTR记录将192.168.1.1指向dns.netdj.net 12 2 PTR client.netdj.net. //使用PTR记录将192.168.1.2指向client.netdj.net
重启服务
[root@localhost named]# systemctl restart named //重启服务 [root@localhost named]# systemctl enable named //开机自启动 Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
关闭防火墙、selinux
[root@localhost named]# systemctl stop firewalld.service [root@localhost named]# setenforce 0 //临时生效,重启后失效
服务端测试
[root@localhost named]# nslookup > dns.netdj.net Server: 192.168.1.1 Address: 192.168.1.1#53 Name: dns.netdj.net Address: 192.168.1.1 > client.netdj.net Server: 192.168.1.1 Address: 192.168.1.1#53 Name: client.netdj.net Address: 192.168.1.2 > exit [root@localhost named]#
客户端测试
[root@localhost ~]# nslookup > dns.netdj.net Server: 192.168.1.1 Address: 192.168.1.1#53 Name: dns.netdj.net Address: 192.168.1.1 > client.netdj.net Server: 192.168.1.1 Address: 192.168.1.1#53 Name: client.netdj.net Address: 192.168.1.2 > exit [root@localhost ~]#
DNS服务搭建完成!!
限制区域传送,可实现两个IP之间的区域传送。避免黑客的缓存投毒进而利用虚假IP地址替换域名系统表中的地址造成破坏。此外还可以防止注册劫持,DNS欺骗等攻击
1 [root@localhost named]# vim /etc/named.rfc1912.zones 2 // named.rfc1912.zones: 3 // 4 // Provided by Red Hat caching-nameserver package 5 // 6 // ISC BIND named zone configuration for zones recommended by 7 // RFC 1912 section 4.1 : localhost TLDs and address zones 8 // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt 9 // (c)2007 R W Franks 10 // 11 // See /usr/share/doc/bind*/sample/ for example named configuration files. 12 // 13 14 zone "localhost.localdomain" IN { 15 type master; 16 file "named.localhost"; 17 allow-update { none; }; 18 }; 19 20 zone "localhost" IN { 21 type master; 22 file "named.localhost"; 23 allow-update { none; }; 24 }; 25 26 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN { 27 type master; 28 file "named.loopback"; 29 allow-update { none; }; 30 }; 31 32 zone "1.0.0.127.in-addr.arpa" IN { 33 type master; 34 file "named.loopback"; 35 allow-update { none; }; 36 }; 37 38 zone "0.in-addr.arpa" IN { 39 type master; 40 file "named.empty"; 41 allow-update { none; }; 42 }; 43 44 zone "netdj.net" IN { 45 type master; 46 file "netdj.net.zone"; 47 allow-update { none; }; //修改为allow-transfer { 192.168.1.1;192.168.1.2; }; 48 }; 49 50 zone "1.168.192.in-addr.arpa" IN { 51 type master; 52 file "1.168.192.zone"; 53 allow-update { none; }; //修改为allow-transfer { 192.168.1.1;192.168.1.2; }; 54 };
修改DNS配置查询,可实现仅指定网段主机查询DNS信息。以保障DNS服务器不易被黑客发现并攻击。
1 [root@localhost named]# vim /etc/named.conf 2 // 3 // named.conf 4 // 5 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS 6 // server as a caching only nameserver (as a localhost DNS resolver only). 7 // 8 // See /usr/share/doc/bind*/sample/ for example named configuration files. 9 // 10 // See the BIND Administrator's Reference Manual (ARM) for details about the 11 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html 12 13 options { 14 listen-on port 53 { any; }; 15 listen-on-v6 port 53 { any; }; 16 directory "/var/named"; 17 dump-file "/var/named/data/cache_dump.db"; 18 statistics-file "/var/named/data/named_stats.txt"; 19 memstatistics-file "/var/named/data/named_mem_stats.txt"; 20 allow-query { any; }; //修改为allow-query { 192.168.1.0/24; }; 21 22 23 /* 24 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. 25 - If you are building a RECURSIVE (caching) DNS server, you need to enable 26 recursion. 27 - If your recursive DNS server has a public IP address, you MUST enable access 28 29 control to limit queries to your legitimate users. Failing to do so will 30 cause your server to become part of large scale DNS amplification 31 attacks. Implementing BCP38 within your network would greatly 32 reduce such attack surface 33 */ 34 recursion yes; 35 36 dnssec-enable yes; 37 dnssec-validation yes; 38 39 /* Path to ISC DLV key */ 40 bindkeys-file "/etc/named.iscdlv.key"; 41 42 managed-keys-directory "/var/named/dynamic"; 43 44 pid-file "/run/named/named.pid"; 45 session-keyfile "/run/named/session.key"; 46 }; 47 48 logging { 49 channel default_debug { 50 file "data/named.run"; 51 severity dynamic; 52 }; 53 }; 54 55 zone "." IN { 56 type hint; 57 file "named.ca"; 58 }; 59 60 include "/etc/named.rfc1912.zones"; 61 include "/etc/named.root.key"; 62
本文由博主亲测有效,若有错误请评论指出谢谢
----------持续更新中