玩转DNS服务器——Bind服务


合理的配置DNS的查询方式

实验环境:

虚拟机:VMware Workstation 15 Pro

均使用NAT连接   网段为192.168.1.0/24

DNS 服务器 ---- Centos 7.4

内核版本  Kernel: Linux 3.10.0-693.el7.x86_64

IP地址:192.168.1.1/24

网关: 192.168.1.254

DNS: 192.168.1.1

客户端 ---- Centos 7.4

内核版本  Kernel: Linux 3.10.0-693.el7.x86_64

IP地址:192.168.1.2/24

网关: 192.168.1.254

DNS: 192.168.1.1

安装DNS服务

[root@localhost ~]#yum install bind -y                # 安装

Loaded plugins: fastestmirror, langpacks

repo                                                            | 3.6 kB  00:00:00    

Determining fastest mirrors

Resolving Dependencies

--> Running transaction check

---> Package bind.x86_64 32:9.9.4-50.el7 will be installed

--> Finished Dependency Resolution

 

Dependencies Resolved

 

=======================================================================================

 Package         Arch              Version                       Repository       Size

=======================================================================================

Installing:

 bind            x86_64            32:9.9.4-50.el7               repo            1.8 M

 

Transaction Summary

=======================================================================================

Install  1 Package

 

Total download size: 1.8 M

Installed size: 4.3 M

Downloading packages:

Running transaction check

Running transaction test

Transaction test succeeded

Running transaction

  Installing : 32:bind-9.9.4-50.el7.x86_64                                         1/1

  Verifying  : 32:bind-9.9.4-50.el7.x86_64                                         1/1

 

Installed:

  bind.x86_64 32:9.9.4-50.el7                                                         

 

Complete!

[root@localhost ~]#

编辑dns服务器配置文件

1 [root@localhost ~]# vim /etc/named.conf

2 //

3 // named.conf

4 //

5 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

6 // server as a caching only nameserver (as a localhost DNS resolver only).

7 //

8 // See /usr/share/doc/bind*/sample/ for example named configuration files.

9 //

10 // See the BIND Administrator's Reference Manual (ARM) for details about the

11 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

12

13 options {

14 listen-on port 53 { 127.0.0.1; }; //修改为listen-on port 53 { any; };

15 listen-on-v6 port 53 { ::1; }; //修改为listen-on-v6 port 53 { any; };

16 directory "/var/named";

17 dump-file "/var/named/data/cache_dump.db";

18 statistics-file "/var/named/data/named_stats.txt";

19 memstatistics-file "/var/named/data/named_mem_stats.txt";

20 allow-query { localhost; }; //修改为allow-query { any; };(注意:此处配合下面的 recursion yes 会让服务器对任意来源提供递归查询,成为可被滥用的开放解析器;文末会把它收紧为 { 192.168.1.0/24; })

21

22 /*

23 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

24 - If you are building a RECURSIVE (caching) DNS server, you need to enable

25 recursion.

26 - If your recursive DNS server has a public IP address, you MUST enable access

27

28 control to limit queries to your legitimate users. Failing to do so will

29 cause your server to become part of large scale DNS amplification

30 attacks. Implementing BCP38 within your network would greatly

31 reduce such attack surface

32 */

33 recursion yes;

34

35 dnssec-enable yes;

36 dnssec-validation yes;

37

38 /* Path to ISC DLV key */

39 bindkeys-file "/etc/named.iscdlv.key";

40

41 managed-keys-directory "/var/named/dynamic";

42

43 pid-file "/run/named/named.pid";

44 session-keyfile "/run/named/session.key";

45 };

46

47 logging {

48 channel default_debug {

49 file "data/named.run";

50 severity dynamic;

51 };

52 };

53

54 zone "." IN {

55 type hint;

56 file "named.ca";

57 };

58

59 include "/etc/named.rfc1912.zones";

60 include "/etc/named.root.key";

61

编辑DNS正反向区域

 1 [root@localhost named]# vim /etc/named.rfc1912.zones
 2 // named.rfc1912.zones:
 3 //
 4 // Provided by Red Hat caching-nameserver package
 5 //
 6 // ISC BIND named zone configuration for zones recommended by
 7 // RFC 1912 section 4.1 : localhost TLDs and address zones
 8 // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
 9 // (c)2007 R W Franks
10 //
11 // See /usr/share/doc/bind*/sample/ for example named configuration files.
12 //
13 zone "localhost.localdomain" IN {
14         type master;
15         file "named.localhost";
16         allow-update { none; };
17 };
18  
19 zone "localhost" IN {
20         type master;
21         file "named.localhost";
22         allow-update { none; };
23 };
24 
25 
26 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
27         type master;
28         file "named.loopback";
29         allow-update { none; };
30 };
31 
32 zone "1.0.0.127.in-addr.arpa" IN {
33         type master;
34         file "named.loopback";
35         allow-update { none; };
36 };
37 
38 zone "0.in-addr.arpa" IN {
39         type master;
40         file "named.empty";
41         allow-update { none; };
42 };
43 
44 //-------------------------------------------//在最底下添加下面两段
45 //第一段为正向解析 
46 zone "netdj.net" IN {
47         type master;
48         file "netdj.net.zone";
49         allow-update { none; };
50 };
51 
52 //第二段为反向解析
53 zone "1.168.192.in-addr.arpa" IN {
54         type master;
55         file "1.168.192.zone";
56         allow-update { none; };
57 };

创建DNS正反向区域解析文件

[root@localhost ~]# cd /var/named/
[root@localhost named]# ls
data dynamic named.ca named.empty named.localhost named.loopback slaves
# 复制模板创建正反向解析文件
[root@localhost named]# cp -p named.empty netdj.net.zone
[root@localhost named]# cp -p named.empty 1.168.192.zone

编辑正向解析文件

 1 [root@localhost named]# vim netdj.net.zone 
 2 $TTL 3H
 3 @       IN SOA  @ rname.invalid. (
 4                                         0       ; serial
 5                                         1D      ; refresh
 6                                         1H      ; retry
 7                                         1W      ; expire
 8                                         3H )    ; minimum
 9         NS      @
10         A       127.0.0.1
11 dns     A       192.168.1.1         ; 使用A记录将dns.netdj.net指向192.168.1.1(区域文件的注释符是分号,不是 //)
12 client  A       192.168.1.2         ; 使用A记录将client.netdj.net指向192.168.1.2

编辑反向解析文件

 1 [root@localhost named]# vim 1.168.192.zone
 2 $TTL 3H
 3 @       IN SOA  @ rname.invalid. (
 4                                         0       ; serial
 5                                         1D      ; refresh
 6                                         1H      ; retry
 7                                         1W      ; expire
 8                                         3H )    ; minimum
 9         NS      @
10         A       127.0.0.1
11 1       PTR     dns.netdj.net.         ; 使用PTR记录将192.168.1.1指向dns.netdj.net(区域文件的注释符是分号,不是 //)
12 2       PTR     client.netdj.net.      ; 使用PTR记录将192.168.1.2指向client.netdj.net

重启服务

[root@localhost named]# systemctl restart named # 重启服务
[root@localhost named]# systemctl enable named # 开机自启动
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

关闭防火墙、selinux(这是实验环境的简化做法;生产环境应改为只放行 DNS 端口,例如 firewall-cmd --permanent --add-service=dns && firewall-cmd --reload,并保持 SELinux 为 enforcing,而不是整体关闭)

[root@localhost named]# systemctl stop firewalld.service 
[root@localhost named]# setenforce 0 # 临时生效,重启后失效

服务端测试

[root@localhost named]# nslookup 
> dns.netdj.net
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: dns.netdj.net
Address: 192.168.1.1
> client.netdj.net
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: client.netdj.net
Address: 192.168.1.2
> exit

[root@localhost named]# 

客户端测试

[root@localhost ~]# nslookup
> dns.netdj.net
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: dns.netdj.net
Address: 192.168.1.1
> client.netdj.net
Server: 192.168.1.1
Address: 192.168.1.1#53

Name: client.netdj.net
Address: 192.168.1.2
> exit

[root@localhost ~]#

DNS服务搭建完成!!


限制区域传送(allow-transfer),只允许指定的两个 IP 之间进行区域传送,避免任意主机通过区域传送(AXFR)拉取整个区域数据来收集内网主机信息。需要说明的是,allow-transfer 只控制区域传送本身;缓存投毒、DNS 欺骗、注册劫持等攻击并不经由区域传送发生,需要依靠 dnssec-validation、限制 allow-query / allow-recursion 等措施来缓解。另外两点:本文所用的 BIND 9.9 中 allow-transfer 的默认值是 any,因此必须显式限制(也可以写在 options {} 中作为全局默认);若真正配置了从服务器,每次修改区域文件后要递增 SOA 中的 serial(示例中为 0),否则从服务器不会同步变更。

 1 [root@localhost named]# vim /etc/named.rfc1912.zones 
 2 // named.rfc1912.zones:
 3 //
 4 // Provided by Red Hat caching-nameserver package
 5 //
 6 // ISC BIND named zone configuration for zones recommended by
 7 // RFC 1912 section 4.1 : localhost TLDs and address zones
 8 // and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
 9 // (c)2007 R W Franks
10 //
11 // See /usr/share/doc/bind*/sample/ for example named configuration files.
12 //
13 
14 zone "localhost.localdomain" IN {
15     type master;
16     file "named.localhost";
17     allow-update { none; };
18 };
19 
20 zone "localhost" IN {
21     type master;
22     file "named.localhost";
23     allow-update { none; };
24 };
25 
26 zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
27     type master;
28     file "named.loopback";
29     allow-update { none; };
30 };
31 
32 zone "1.0.0.127.in-addr.arpa" IN {
33     type master;
34     file "named.loopback";
35     allow-update { none; };
36 };
37 
38 zone "0.in-addr.arpa" IN {
39     type master;
40     file "named.empty";
41     allow-update { none; };
42 };
43 
44 zone "netdj.net" IN {
45     type master;
46     file "netdj.net.zone";
47     allow-update { none; };     //修改为allow-transfer { 192.168.1.1;192.168.1.2; };
48 };
49 
50 zone "1.168.192.in-addr.arpa" IN {
51     type master;
52     file "1.168.192.zone";
53     allow-update { none; };     //修改为allow-transfer { 192.168.1.1;192.168.1.2; };
54 };

修改 DNS 查询配置(allow-query),可实现仅允许指定网段的主机查询 DNS 信息,减少 DNS 服务器对外暴露、被黑客探测并攻击的面。由于上面开启了 recursion yes,不加限制时服务器会成为任何人都能使用的开放解析器,可被用于 DNS 放大攻击;更严格的做法是同时设置 allow-recursion { 192.168.1.0/24; },让权威应答与递归查询分别受控。

 1 [root@localhost named]# vim /etc/named.conf 
 2 //
 3 // named.conf
 4 //
 5 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 6 // server as a caching only nameserver (as a localhost DNS resolver only).
 7 //
 8 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 9 //
10 // See the BIND Administrator's Reference Manual (ARM) for details about the
11 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
12 
13 options {
14         listen-on port 53 { any; };
15         listen-on-v6 port 53 { any; };
16         directory       "/var/named";
17         dump-file       "/var/named/data/cache_dump.db";
18         statistics-file "/var/named/data/named_stats.txt";
19         memstatistics-file "/var/named/data/named_mem_stats.txt";
20         allow-query     { any; };      //修改为allow-query     { 192.168.1.0/24; };
21 
22 
23         /* 
24          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
25          - If you are building a RECURSIVE (caching) DNS server, you need to enable 
26            recursion. 
27          - If your recursive DNS server has a public IP address, you MUST enable access
28  
29            control to limit queries to your legitimate users. Failing to do so will
30            cause your server to become part of large scale DNS amplification 
31            attacks. Implementing BCP38 within your network would greatly
32            reduce such attack surface 
33         */
34         recursion yes;
35 
36         dnssec-enable yes;
37         dnssec-validation yes;
38 
39         /* Path to ISC DLV key */
40         bindkeys-file "/etc/named.iscdlv.key";
41 
42         managed-keys-directory "/var/named/dynamic";
43 
44         pid-file "/run/named/named.pid";
45         session-keyfile "/run/named/session.key";
46 };
47 
48 logging {
49         channel default_debug {
50                 file "data/named.run";
51                 severity dynamic;
52         };
53 };
54 
55 zone "." IN {
56         type hint;
57         file "named.ca";
58 };
59 
60 include "/etc/named.rfc1912.zones";
61 include "/etc/named.root.key";
62                                 

本文由博主亲测有效,若有错误请评论指出谢谢

----------持续更新中