Lab environment:
Host IP | Description
---|---
192.168.5.181 | Internal DNS server. Its gateway is 172.16.0.1, which is directly connected to the Internet and also provides DNS
192.168.5.182 | Internal client
Lab steps:

Install bind on 192.168.5.181:

```
yum install -y bind
```
Edit /etc/named.conf as shown below. Set allow-query to any so that every host is allowed to query; add forward only and forwarders { 172.16.0.1; } for global forwarding, i.e. every name that is not defined by a zone on 192.168.5.181 is handed to 172.16.0.1 for resolution; set recursion yes so that the server performs recursive lookups on behalf of clients. Because this is a lab, dnssec-enable and dnssec-validation are both changed to no (on a production resolver leave validation on, otherwise forged upstream answers are accepted as they are). Note also that the listen-on line is commented out, so named binds port 53 on every IPv4 address of the host, and with recursion yes plus allow-query { any; } it answers recursive queries from any network that can reach it. That is exactly the open-resolver case the comment shipped in the file warns about: outside a lab, restrict recursion with allow-recursion or an allow-query ACL (the ACL experiment further down shows how).

```
options {
//      listen-on port 53 { 192.168.5.181; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forward only;
        forwarders { 172.16.0.1; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
In /etc/named.rfc1912.zones define two zones, one for forward resolution and one for reverse resolution. The name of a reverse zone must follow a fixed format: write the network octets of the prefix in reverse order and append the suffix .in-addr.arpa. For example, reverse resolution for the 192.168.10 network uses the zone name 10.168.192.in-addr.arpa, and for the 192.168.5 network used here it is 5.168.192.in-addr.arpa:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};

zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
```
In /etc/named.conf the directory option is /var/named, so create the files tester.com.zone and 192.168.5.zone there. As a precaution, give both files the group named and remove all permissions for other users, so named (which runs as that user) can read them while no other local account can:

```
cd /var/named
chmod o= tester.com.zone 192.168.5.zone
chown :named tester.com.zone 192.168.5.zone
```
Edit tester.com.zone as shown below. The fields mean the following:

$TTL is the time, in seconds by default, that a record may be cached by a DNS client or resolver; here it is 600 seconds.
SOA is the start-of-authority record. A zone file has exactly one SOA record and it must be the first record. The first name after SOA (MNAME) is meant to be the zone's primary name server; the second (RNAME) is the contact mailbox with the @ written as a dot, so mail.tester.com. means mail@tester.com. The zone here uses tester.com. as MNAME; BIND accepts that, but tester.com. is not a name server and has no A record, so 17.tester.com. would be the proper value (the subdomain experiment later on does this correctly).
Inside the parentheses, 2017052201 is the serial number. It must be incremented every time the master's data changes, because that is the only way secondaries notice a change.
30m is the refresh interval: how often a secondary checks the master for a new serial.
2m is the retry interval: how long a secondary waits before trying again after a failed refresh.
1h is the expire time: how long a secondary keeps serving the zone when it cannot reach the master at all; after that it stops answering for the zone.
The final 1h is the negative-caching TTL (RFC 2308): how long a resolver may cache a "no such name / no such record" answer for this zone.
@ stands for the zone's origin, the name given in the zone statement in /etc/named.rfc1912.zones: tester.com. for this file and 5.168.192.in-addr.arpa. for the reverse file.
NS is a name server record: the FQDN of a server that is authoritative for the zone. There can be several; each one listed must actually serve the zone, and a name server whose name lies inside the zone needs an A record (glue), as 17 has here.
A is an address record: 17.tester.com. has the address 192.168.5.181.
CNAME is an alias record: web.tester.com. is an alias for 17.tester.com. (both names are written relative to the origin, so BIND appends tester.com.).

```
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201
                 30m
                 2m
                 1h
                 1h )
@            IN NS    17.tester.com.
17           IN A     192.168.5.181
web          IN CNAME 17
```
Edit 192.168.5.zone as shown below:

PTR is a pointer record, mapping an address back to a name; here the owner 181 is relative to the origin 5.168.192.in-addr.arpa., i.e. the address 192.168.5.181, and it points to 17.tester.com.

```
$TTL 1200
@    IN SOA tester.com. mail.tester.com. (
         2017052301
         3h
         20m
         1w
         1d )
@    IN NS  17.tester.com.
181  IN PTR 17.tester.com.
```
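Checks of the kind a practitioner runs over zone files like the two above, as an added example rather than code from the original article. It computes the reverse-zone name from a prefix exactly as the naming rule above describes, parses zone files in the format used here, and reports the classic mistakes: more than one SOA or an SOA that is not first, no NS at the apex, an SOA MNAME that is not an apex name server (which both zones on this page have), an in-zone NS name without an A record (missing glue, the same check that matters for the subdomain delegation later in the page), and a CNAME pointing at an in-zone name the file never defines. The three zone texts are constructed: two copy this page's data, the third is a made-up parent zone with a broken delegation. It needs only the Python standard library.

```python
"""Sanity checks for the BIND zone files on this page (added example, not code
from the original article).  The parser covers what these files use: $TTL, '@',
relative owner names, a blank owner inheriting the previous one, optional
TTL/class fields, and SOA values wrapped in parentheses."""
import ipaddress
import re


def reverse_zone_name(network: str) -> str:
    """192.168.5.0/24 -> 5.168.192.in-addr.arpa (octet-aligned IPv4 prefixes only)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only octet-aligned IPv4 prefixes are handled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner(ip: str) -> str:
    """Owner name of an IPv4 address's PTR record: all four octets reversed."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def qualify(name: str, origin: str) -> str:
    """'@' and relative names become FQDNs under origin; absolute names are kept."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def _logical_lines(text: str):
    """Drop ';' comments and join lines inside ( ... ) into one logical record."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_zone(text: str, origin: str) -> list:
    """Return (owner, type, rdata_tokens) triples with fully qualified owners."""
    records, last_owner = [], origin
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0].startswith("$"):  # $TTL is irrelevant to the checks below
            continue
        if line[0] in " \t":         # blank owner field: reuse the previous owner
            owner = last_owner
        else:
            owner, toks = qualify(toks[0], origin), toks[1:]
        if re.fullmatch(r"\d+[smhdw]?", toks[0], re.I):  # optional TTL
            toks = toks[1:]
        if toks[0].upper() == "IN":                      # optional class
            toks = toks[1:]
        records.append((owner, toks[0].upper(), toks[1:]))
        last_owner = owner
    return records


def check_zone(text: str, origin: str) -> list:
    """Human-readable findings; an empty list means every check passed."""
    recs = parse_zone(text, origin)
    inside = lambda n: n == origin or n.endswith("." + origin)
    owners = {o for o, _, _ in recs}
    addr_owners = {o for o, t, _ in recs if t in ("A", "AAAA")}
    apex_ns = {qualify(rd[0], origin) for o, t, rd in recs if t == "NS" and o == origin}
    soas = [rd for _, t, rd in recs if t == "SOA"]
    findings = []
    if len(soas) != 1 or recs[0][1] != "SOA":
        findings.append(f"zone needs exactly one SOA and it must come first (found {len(soas)})")
    if not apex_ns:
        findings.append(f"no NS record at the zone apex {origin}")
    if soas and qualify(soas[0][0], origin) not in apex_ns:
        findings.append(f"SOA MNAME {soas[0][0]} is not one of the apex NS names {sorted(apex_ns)}")
    for owner, rtype, rd in recs:
        target = qualify(rd[0], origin) if rtype in ("NS", "CNAME") else None
        if rtype == "NS" and inside(target) and target not in addr_owners:
            # an in-zone name server (apex or delegated child) needs an address here: glue
            where = "apex" if owner == origin else f"delegation of {owner}"
            findings.append(f"{where}: NS {target} is in the zone but has no A/AAAA (missing glue)")
        if rtype == "CNAME" and inside(target) and target not in owners:
            findings.append(f"CNAME {owner} points at {target}, which the zone does not define")
    return findings


# Constructed copies of the page's tester.com and 192.168.5 zone files.
FORWARD_ZONE = """\
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201   ; serial
                 30m 2m 1h 1h )
@            IN NS    17.tester.com.
17           IN A     192.168.5.181
web          IN CNAME 17
"""
REVERSE_ZONE = """\
@    IN SOA tester.com. mail.tester.com. ( 2017052301 3h 20m 1w 1d )
@    IN NS  17.tester.com.
181  IN PTR 17.tester.com.
"""
# Made-up parent zone: delegates ops.tester.com. but forgets the glue for dns1.ops.
BROKEN_DELEGATION = """\
@    IN SOA 17.tester.com. mail.tester.com. ( 2017052601 30m 2m 1h 1h )
@    IN NS  17.tester.com.
17   IN A   192.168.5.181
ops  IN NS  dns1.ops.tester.com.
"""
```

Calling check_zone(FORWARD_ZONE, "tester.com.") reports only the MNAME finding, check_zone(BROKEN_DELEGATION, "tester.com.") reports the missing glue, and reverse_zone_name("192.168.5.0/24") returns the zone name used in named.rfc1912.zones above. The parser deliberately stops at what this page's files need; for real zones, named-checkzone remains the authoritative tool, and these checks are a complement to it.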
After saving, start the service with systemctl start named.service and use ss -tunl to check that port 53 is listening:

```
$ systemctl start named.service
$ ss -tunl | grep -E "\b53\b" | awk -F" " '{$NF=" "; print $0}'
udp UNCONN 0 0 172.16.252.238:53
udp UNCONN 0 0 192.168.5.181:53
udp UNCONN 0 0 127.0.0.1:53
udp UNCONN 0 0 ::1:53
tcp LISTEN 0 10 172.16.252.238:53
tcp LISTEN 0 10 192.168.5.181:53
tcp LISTEN 0 10 127.0.0.1:53
tcp LISTEN 0 10 ::1:53
```

Because listen-on was commented out, named is also bound on 172.16.252.238, the interface facing the gateway. Combined with allow-query { any; } and recursion yes, every host on that side can use this machine as an open recursive resolver. Restore the listen-on line, or add an allow-recursion ACL, when that is not intended.
Run dig queries from 192.168.5.182 to test. Watch the aa flag: it is set only on answers for the locally defined zones (17.tester.com and the 181 PTR); the baidu.com answers lack it because they came back through the forwarder. Asking for an NS record of 17.tester.com returns NODATA with the tester.com SOA in the authority section, because 17.tester.com is a host name, not a zone; query NS tester.com to list the name servers. The last query shows an NXDOMAIN from the external reverse zone being relayed unchanged.

Resolving an external A record through the forwarder:

```
[root@centos7-front2 ~]# dig -t A www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          357     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       168     IN      A       61.135.169.125
www.a.shifen.com.       168     IN      A       61.135.169.121

;; AUTHORITY SECTION:
a.shifen.com.           466     IN      NS      ns4.a.shifen.com.
a.shifen.com.           466     IN      NS      ns2.a.shifen.com.
a.shifen.com.           466     IN      NS      ns3.a.shifen.com.
a.shifen.com.           466     IN      NS      ns1.a.shifen.com.
a.shifen.com.           466     IN      NS      ns5.a.shifen.com.

;; ADDITIONAL SECTION:
ns5.a.shifen.com.       466     IN      A       119.75.222.17
ns1.a.shifen.com.       466     IN      A       61.135.165.224
ns2.a.shifen.com.       466     IN      A       180.149.133.241
ns3.a.shifen.com.       466     IN      A       61.135.162.215
ns4.a.shifen.com.       466     IN      A       115.239.210.176

;; Query time: 4 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:43:09 CST 2017
;; MSG SIZE  rcvd: 271
```

Resolving an A record from the local zone (note the aa flag):

```
[root@centos7-front2 ~]# dig -t A 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52596
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      A

;; ANSWER SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; AUTHORITY SECTION:
tester.com.             600     IN      NS      17.tester.com.

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:44:11 CST 2017
;; MSG SIZE  rcvd: 72
```

NS (name server) record queries:

```
[root@centos7-front2 ~]# dig -t NS 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31428
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      NS

;; AUTHORITY SECTION:
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:12 CST 2017
;; MSG SIZE  rcvd: 83

[root@centos7-front2 ~]# dig -t NS www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      NS

;; ANSWER SECTION:
www.baidu.com.          764     IN      CNAME   www.a.shifen.com.

;; AUTHORITY SECTION:
a.shifen.com.           600     IN      SOA     ns1.a.shifen.com. baidu_dns_master.baidu.com. 1705230072 5 5 86400 3600

;; Query time: 15 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:24 CST 2017
;; MSG SIZE  rcvd: 126
```

Reverse resolution:

```
[root@centos7-front2 ~]# dig -x 192.168.5.181 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.5.181 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51386
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;181.5.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
181.5.168.192.in-addr.arpa. 1200 IN     PTR     17.tester.com.

;; AUTHORITY SECTION:
5.168.192.in-addr.arpa. 1200    IN      NS      17.tester.com.

;; ADDITIONAL SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:14 CST 2017
;; MSG SIZE  rcvd: 112

[root@centos7-front2 ~]# dig -x 61.135.169.125 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 61.135.169.125 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;125.169.135.61.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
169.135.61.in-addr.arpa. 7200   IN      SOA     dns.baidu.com. sa.baidu.com. 2012091801 300 600 2592000 7200

;; Query time: 7 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:52 CST 2017
;; MSG SIZE  rcvd: 108
```
Lab environment:

Host IP | Description
---|---
192.168.5.181 | Master DNS server, can reach the Internet
192.168.5.182 | Slave DNS server, can reach the Internet
192.168.5.99 | Test client, internal network only
The master's configuration is essentially the same as in the single-node experiment above (forward resolution, reverse resolution and recursion). The only difference is that a slave has been added, so the zone needs a second NS record plus an A record for the slave's name. named.rfc1912.zones is unchanged:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};

zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
```

tester.com.zone with the extra NS record (the serial can stay as it is only because the slave has never loaded this zone before; any change after the first transfer must bump it, see the note at the end of this experiment):

```
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201
                 30m
                 2m
                 1h
                 1h )
@            IN NS    17.tester.com.
@            IN NS    18.tester.com.
17           IN A     192.168.5.181
18           IN A     192.168.5.182
web          IN CNAME 17
```
On the slave, first install bind with yum install -y bind bind-utils, then edit /etc/named.conf so that the file is identical on master and slave. Then add the following to /etc/named.rfc1912.zones: the type is slave, the master is named in masters, and the zone files are written under the relative path slaves/, i.e. /var/named/slaves, a directory the package ships writable by the named user. On the master nothing else is needed because BIND 9.9, as shipped here, allows zone transfers to anyone by default; that is convenient in a lab and a data leak anywhere else, so in practice set allow-transfer on the master to the slave's address only (the ACL experiment below shows the directive).

```
zone "tester.com" IN {
        type slave;
        file "slaves/tester.com.zone";
        masters { 192.168.5.181; };
};

zone "5.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.5.zone";
        masters { 192.168.5.181; };
};
```
Once configured, start the DNS service on the master first and then on the slave. The slave's log shows both zones being transferred (the "sending notifies" lines are the slave telling the NS set about the serial it now holds, which is normal):

```
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: connected using 192.168.5.182#53834
May 24 05:36:02 centos7-front2 systemd: Started Berkeley Internet Name Domain (DNS).
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: transferred serial 2017052301
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 6 records, 197 bytes, 0.001 secs (197000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: sending notifies (serial 2017052301)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: connected using 192.168.5.182#33001
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: transferred serial 2017052201
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 7 records, 189 bytes, 0.003 secs (63000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: sending notifies (serial 2017052201)
```

Two new files appear in /var/named/slaves on the slave; these are the zone files pulled from the master:

```
$ cd /var/named/slaves/
$ ls
192.168.5.zone  tester.com.zone
```
Queries from the client, against both servers:

```
$ nslookup -type=A 17.tester.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=A 17.tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=NS tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

tester.com      nameserver = 17.tester.com.
tester.com      nameserver = 18.tester.com.

$ nslookup 192.168.5.181 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

181.5.168.192.in-addr.arpa      name = 17.tester.com.

$ nslookup -type=NS baidu.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Non-authoritative answer:
baidu.com       nameserver = ns3.baidu.com.
baidu.com       nameserver = ns2.baidu.com.
baidu.com       nameserver = ns7.baidu.com.
baidu.com       nameserver = ns4.baidu.com.
baidu.com       nameserver = dns.baidu.com.

Authoritative answers can be found from:
ns3.baidu.com   internet address = 220.181.37.10
ns4.baidu.com   internet address = 220.181.38.10
ns2.baidu.com   internet address = 61.135.165.235
ns7.baidu.com   internet address = 119.75.219.82
dns.baidu.com   internet address = 202.108.22.220

$ nslookup -type=A www.baidu.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
```
Note: whenever the zone data on the master changes, increase the serial number by hand before saving, then run rndc reload. The reload makes the master send NOTIFY messages to the slaves, and a slave that sees a higher serial pulls the zone again. By default that is a full transfer (AXFR) of the zone; an incremental transfer (IXFR) only happens if the master keeps a journal for the zone, for example with ixfr-from-differences yes. A slave whose serial is equal to or higher than the master's keeps serving its old copy without logging any error, which is the classic "I changed the zone but nobody sees it" problem.
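The serial rule in the note above is what decides whether a slave refreshes, so here is an added example (not code from the original article) that implements RFC 1982 serial-number comparison, bumps a YYYYMMDDnn serial the way this page numbers its zones, and compares the SOA lines that dig SOA tester.com @master and dig +short SOA tester.com @slave return. The two SOA strings at the bottom are constructed: the master line copies the SOA the page's server returned, the slave line is a made-up older serial.

```python
"""SOA serial bookkeeping for the master/slave setup above (added example, not
code from the original article).  A slave only transfers when the master's
serial is 'greater' under RFC 1982 serial-number arithmetic: modulo 2^32 with a
half-space window.  An edited-but-unchanged serial, or one that went backwards,
leaves the slave silently serving stale data."""
from datetime import date

SERIAL_SPACE = 2 ** 32
HALF_SPACE = 2 ** 31


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a > b': true when a is ahead of b by less than half the space."""
    a, b = a % SERIAL_SPACE, b % SERIAL_SPACE
    return a != b and ((a > b and a - b < HALF_SPACE) or (a < b and b - a > HALF_SPACE))


def next_serial(current: int, today: date) -> int:
    """Bump a YYYYMMDDnn serial like the page's 2017052201: the first change on a
    new day becomes YYYYMMDD01, later changes the same day add one.  If the
    current serial is already past today's prefix (typo, far-future date), keep
    counting from it so the slave still sees an increase."""
    prefix = int(today.strftime("%Y%m%d")) * 100
    candidate = prefix + 1 if current < prefix else current + 1
    if not serial_gt(candidate, current):        # only reachable at the 2^32 wrap
        candidate = (current + 1) % SERIAL_SPACE
    return candidate


def soa_serial(dig_line: str) -> int:
    """Serial from a dig SOA answer, either the full form
    ('name ttl IN SOA mname rname serial ...') or the 'dig +short' form
    ('mname rname serial ...')."""
    toks = dig_line.split()
    idx = toks.index("SOA") + 1 if "SOA" in toks else 0
    return int(toks[idx + 2])


def replication_state(master_line: str, slave_line: str) -> str:
    """Compare the SOA lines fetched from master and slave."""
    m, s = soa_serial(master_line), soa_serial(slave_line)
    if m == s:
        return "in sync"
    if serial_gt(m, s):
        return "slave behind: transfer pending (check notify, refresh and allow-transfer)"
    return "slave AHEAD of master: the master's serial was lowered or re-used"


# Constructed sample: the SOA the page's master returned, and a slave still on an older one.
MASTER_SOA = "tester.com. 600 IN SOA tester.com. mail.tester.com. 2017052201 1800 120 3600 3600"
SLAVE_SOA = "tester.com. mail.tester.com. 2017052101 1800 120 3600 3600"

if __name__ == "__main__":
    print(replication_state(MASTER_SOA, SLAVE_SOA))
    print(next_serial(soa_serial(MASTER_SOA), date(2017, 5, 23)))  # 2017052301
```

The wraparound handling matters in one real situation: a serial accidentally set far too high (for example a Unix timestamp typed into a YYYYMMDDnn zone) cannot simply be lowered, because the slaves would consider the lower value older and stop transferring; serial_gt shows why, and the RFC 1982 fix is to step the serial forward through the upper half of the space in two reloads.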
Lab environment:

Host IP | Description
---|---
192.168.5.181 | Parent-domain DNS for tester.com., can reach the Internet
192.168.5.182 | Subdomain DNS for ops.tester.com., can reach the Internet
192.168.5.99 | Test client, internal network only

Goal: the parent domain tester.com. delegates the subdomain ops.tester.com., and the result is verified from the client.
Steps:

On the parent-domain node edit the options section of /etc/named.conf as below. listen-on is commented out, so named listens on every address of the host; allow-query { any; } lets every client query. forward first with forwarders { 192.168.5.182; 20.20.20.1; } means: for any name this server is not authoritative for, the query is first sent to the forwarders (the subdomain server and the upstream 20.20.20.1), and only if no forwarder produces an answer at all (timeout or SERVFAIL) does named fall back to resolving the name itself from the root hints. A definite negative answer (NXDOMAIN) from a forwarder is final and does not trigger that fallback, and names inside the server's own zones are never forwarded. Listing the subdomain server as a forwarder is not what makes the delegation work: the NS and glue records added to tester.com.zone below do that.

```
......
......
//      listen-on port 53 { 192.168.5.181; };
        allow-query     { any; };
        forward first;
        forwarders { 192.168.5.182; 20.20.20.1; };
......
......
```
Edit /etc/named.rfc1912.zones as follows:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};
......
......
```

Edit /var/named/tester.com.zone as follows. The NS record for ops.tester.com. delegates the subdomain to the name server dns1.ops.tester.com., and because that name lies inside the delegated subdomain, the parent must also carry its address as a glue record (the dns1.ops A record); without the glue a resolver following the delegation could never find the child server:

```
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201
                 30m
                 2m
                 1h
                 1h )
@                IN NS 17.tester.com.
17               IN A  192.168.5.181
ops.tester.com.  IN NS dns1.ops.tester.com.
dns1.ops         IN A  192.168.5.182
```
On the subdomain node, configure /etc/named.conf as follows:

```
......
......
//      listen-on port 53 { 127.0.0.1; };
        allow-query     { any; };
        forward only;
        forwarders { 20.20.20.1; };
......
......
```

The subdomain node's /etc/named.rfc1912.zones is shown below. The first zone is ops.tester.com., delegated by the parent. The second is a forward zone: it makes the subdomain server send queries for tester.com to the parent server instead of trying to resolve the (private) parent domain via the root servers, which would fail:

```
......
......
zone "ops.tester.com" IN {
        type master;
        file "ops.tester.com.zone";
};

zone "tester.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.5.181; };
};
......
......
```

The subdomain node's /var/named/ops.tester.com.zone is shown below. The SOA names dns1.ops.tester.com. as the server for this zone, and one A record, kali, is defined under the domain. The NS line has an empty owner field, so it inherits the owner of the previous record, @, i.e. the zone apex:

```
$TTL 600
@      IN SOA dns1.ops.tester.com. mail.ops.tester.com. (
           2017052201
           30m
           2m
           1h
           1h )
       IN NS dns1
dns1   IN A  192.168.5.182
kali   IN A  192.168.5.99
```
Save, run rndc reload on both nodes to reload the configuration, and test from the client with dig:

Querying the parent DNS for the subdomain's NS record, to verify the delegation (the glue A record comes back in the additional section):

```
$ dig -t NS ops.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t NS ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;ops.tester.com.                IN      NS
ops.tester.com.         600     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    600     IN      A       192.168.5.182
;; Query time: 3 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:29:51 HKT 2017
;; MSG SIZE  rcvd: 78
```

Querying the parent DNS for an A record in the subdomain (the NS TTL of 585 shows the parent obtained the answer from the child and cached it):

```
$ dig -t A kali.ops.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A kali.ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;kali.ops.tester.com.           IN      A
kali.ops.tester.com.    600     IN      A       192.168.5.99
ops.tester.com.         585     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    585     IN      A       192.168.5.182
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:06 HKT 2017
;; MSG SIZE  rcvd: 99
```

Querying the parent DNS for an external A record, to verify the global forwarding:

```
$ dig -t A www.baidu.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A www.baidu.com @192.168.5.181 +nocomments
;; global options: +cmd
;www.baidu.com.                 IN      A
www.baidu.com.          600     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       600     IN      A       119.75.218.70
www.a.shifen.com.       600     IN      A       119.75.217.109
a.shifen.com.           851     IN      NS      ns4.a.shifen.com.
a.shifen.com.           851     IN      NS      ns2.a.shifen.com.
a.shifen.com.           851     IN      NS      ns3.a.shifen.com.
a.shifen.com.           851     IN      NS      ns5.a.shifen.com.
a.shifen.com.           851     IN      NS      ns1.a.shifen.com.
ns2.a.shifen.com.       33      IN      A       180.149.133.241
ns4.a.shifen.com.       33      IN      A       115.239.210.176
ns5.a.shifen.com.       151     IN      A       119.75.222.17
ns3.a.shifen.com.       32      IN      A       61.135.162.215
ns1.a.shifen.com.       299     IN      A       61.135.165.224
;; Query time: 21 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:23 HKT 2017
;; MSG SIZE  rcvd: 271
```

Querying the subdomain DNS for an A record in the parent domain, to verify the forward zone:

```
$ dig -t A 17.tester.com @192.168.5.182 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.182 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       192.168.5.181
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.182#53(192.168.5.182)
;; WHEN: Fri May 26 14:30:43 HKT 2017
;; MSG SIZE  rcvd: 72
```
Lab environment:

Host IP | Description
---|---
192.168.5.181 | Master DNS server, can reach the Internet
192.168.5.182 | Client 1
192.168.5.99 | Client 2

Building on experiment 1 above, add an acl and test again.
Define an acl at the top of /etc/named.conf, before the options block that will reference it (named requires an acl to be defined before it is used), so that client 1 may query but client 2 may not:

```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl client1 { 192.168.5.182/32; };
```
The acl can then be applied either per zone, by adding allow-query { client1; }; inside the tester.com zone in /etc/named.rfc1912.zones, or globally, by changing allow-query { any; }; in the options section of /etc/named.conf to allow-query { client1; };.

After adding it and running rndc reload, test from both clients. Client 1 gets an answer. Client 2 gets back only the question section (42 bytes): the server rejected the query with status REFUSED, which +nocomments hides; run dig without that option to see the status line.

Client 1 can query:

```
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       192.168.5.181
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:02:00 CST 2017
;; MSG SIZE  rcvd: 72
```

Client 2 cannot:

```
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:03:01 HKT 2017
;; MSG SIZE  rcvd: 42
```
Now replace allow-query with allow-transfer, the option that controls zone transfers, and test again. Before this change the zone could be transferred by anyone, because BIND 9.9 as used here allows transfers to any host unless allow-transfer is set. That is why an AXFR against an authoritative server is one of the first things a penetration tester tries: it dumps every record in one request, here including the delegation and the address of the subdomain server. Restrict it to the secondaries, or to none on a server that has no secondaries.

Client 1's zone transfer succeeds:

```
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
tester.com.             600     IN      NS      17.tester.com.
17.tester.com.          600     IN      A       192.168.5.181
ops.tester.com.         600     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    600     IN      A       192.168.5.182
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
;; Query time: 2 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:14:39 CST 2017
;; XFR size: 6 records (messages 1, bytes 177)
```

Client 2's zone transfer fails:

```
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.10.3-P4-Debian <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
; Transfer failed.
```
Other commonly used access-control options are allow-recursion, the ACL of hosts allowed to make recursive queries, and allow-update, the ACL of hosts allowed to update zone data dynamically. allow-recursion is the one that closes the open-resolver problem from experiment 1 while allow-query stays open for the authoritative data. For allow-update an address-based ACL is weak, because a single spoofed UDP packet can carry an update; use TSIG keys instead (allow-update { key "name"; }; or an update-policy).
Lab environment:

Host IP | Description
---|---
192.168.5.181 | Master DNS server, can reach the Internet
192.168.5.182 | Client 1
192.168.5.99 | Client 2

Goal: client 1 resolving 17.tester.com gets 1.1.1.1, client 2 resolving the same name gets 2.2.2.2.
Edit /etc/named.conf on the master DNS server as in experiment 1, then remove the following block from it. Once any view is defined, named refuses to start with a zone outside a view (the error is "when using 'view' statements, all zones must be in views"). Deleting the hint zone is fine here because the server forwards everything external anyway; a server that resolves from the roots itself would instead move this zone into every view that recurses:

```
zone "." IN {
        type hint;
        file "named.ca";
};
```

Edit /etc/named.rfc1912.zones as shown below: wrap the system-defined zones in a view named client1 and create a second view named client2. The client1 view matches 192.168.5.182 and serves tester.com. from client1.zone; the client2 view matches 192.168.5.99 and serves tester.com. from client2.zone. Views are tried in order and the first whose match-clients matches the source address answers, so with overlapping match lists the order matters; a client matching no view gets REFUSED:

```
view client1 {
        match-clients { 192.168.5.182/32; };

        zone "localhost.localdomain" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "localhost" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "1.0.0.127.in-addr.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "0.in-addr.arpa" IN {
                type master;
                file "named.empty";
                allow-update { none; };
        };

        zone "tester.com" IN {
                type master;
                file "client1.zone";
        };
};

view client2 {
        match-clients { 192.168.5.99/32; };

        zone "tester.com" IN {
                type master;
                file "client2.zone";
        };
};
```
Write the two zone files for client1 and client2 as follows:

```
$ cat /var/named/client1.zone
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201
                 30m
                 2m
                 1h
                 1h )
@            IN NS 17.tester.com.
17           IN A  1.1.1.1

$ cat /var/named/client2.zone
$TTL 600
tester.com.  IN SOA tester.com. mail.tester.com. (
                 2017052201
                 30m
                 2m
                 1h
                 1h )
@            IN NS 17.tester.com.
17           IN A  2.2.2.2
```
Reload with rndc reload and test from the two clients:

Client 1 resolves the name to 1.1.1.1:

```
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       1.1.1.1
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:29:48 CST 2017
;; MSG SIZE  rcvd: 72
```

Client 2 resolves it to 2.2.2.2:

```
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       2.2.2.2
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:23:32 HKT 2017
;; MSG SIZE  rcvd: 7
```
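To reason about the ACL and view behaviour shown in the last two experiments without a running named, the following added example (not code from the original article) re-implements BIND's address-match-list rules and applies them to the page's acl client1, to the two views, and to a hardened option set for the same server. The "internal" acl, the HARDENED dictionary and the 172.16.252.10 test address are assumptions for illustration, not settings from the page; treating a negated element inside a nested acl as "no match, keep going" follows the BIND ARM's description of nesting.

```python
"""BIND address-match-list evaluation (added example, not code from the
original article).  The rules named applies to allow-query, allow-transfer,
allow-recursion, allow-update and match-clients: elements are tried in order,
the first one that matches decides, a leading '!' turns that decision into a
deny, 'any' and 'none' are built-ins, a bare word names another acl, and a
client that matches nothing is denied.  A negated element inside a nested acl
makes the nested acl simply not match, and the outer list continues."""
import ipaddress

ACLS = {
    "client1": ["192.168.5.182/32"],  # the acl the page defines
    "internal": ["192.168.5.0/24"],   # assumed office network, not from the page
}


def matches(client: str, acl_list, acls=ACLS) -> bool:
    """Evaluate an address match list for one client address."""
    ip = ipaddress.ip_address(client)
    for elem in acl_list:
        negate = elem.startswith("!")
        body = elem.lstrip("! ")
        if body == "any":
            hit = True
        elif body == "none":
            hit = False
        elif body in acls:
            hit = matches(client, acls[body], acls)  # nested acl: positive match only
        else:
            hit = ip in ipaddress.ip_network(body, strict=False)
        if hit:
            return not negate                        # first matching element decides
    return False                                     # nothing matched: denied


def select_view(client: str, views):
    """views: ordered (name, match-clients) pairs; the first match answers,
    None means named returns REFUSED."""
    for name, match_clients in views:
        if matches(client, match_clients):
            return name
    return None


def permitted(client: str, option: str, config) -> bool:
    """Would named allow this client under the given allow-* option of config?"""
    return matches(client, config[option])


# The page's view experiment and the page's acl experiment (allow-query { client1; }).
PAGE_VIEWS = [("client1", ["192.168.5.182/32"]), ("client2", ["192.168.5.99/32"])]
PAGE_ALLOW_QUERY = ["client1"]

# Assumed hardened option set for the lab server (not from the page): answer only the
# office, never recurse for outsiders, transfer zones only to the slave, no dynamic updates.
HARDENED = {
    "allow-query": ["internal"],
    "allow-recursion": ["internal"],
    "allow-transfer": ["192.168.5.182/32"],
    "allow-update": ["none"],
}

if __name__ == "__main__":
    for client in ("192.168.5.182", "192.168.5.99", "172.16.252.10"):
        print(client,
              "view:", select_view(client, PAGE_VIEWS),
              "page allow-query:", matches(client, PAGE_ALLOW_QUERY),
              "hardened recursion:", permitted(client, "allow-recursion", HARDENED),
              "hardened axfr:", permitted(client, "allow-transfer", HARDENED))
```

The ordering rule is the part that bites in real configurations: allow-query { internal; !192.168.5.99/32; } still admits 192.168.5.99, because the broader element matches first, while allow-query { !192.168.5.99/32; internal; } excludes it. The same evaluation governs match-clients, which is why a view for a narrow client set must precede a catch-all view.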