DNS
Requirements:
A company runs bind on linux1 [172.16.1.1] to provide name resolution for benet.com. For server redundancy, bind on linux2 [172.16.1.53] holds a backup copy of benet.com, that is, a secondary (slave) zone for benet.com; linux2 also provides resolution for the subdomain hk.benet.com. If linux1 receives a resolution request for accp.com, it forwards it to 61.187.191.3. Any other name that linux1 cannot resolve is forwarded to the ISP DNS server 202.103.96.68.
1、 First, set up benet.com resolution on linux1
1. Install bind, bind-chroot and caching-nameserver with yum
yum -y install bind-9.3.6-16.P1.el5.i386.rpm bind-chroot-9.3.6-16.P1.el5.i386.rpm caching-nameserver-9.3.6-16.P1.el5.i386.rpm
bind-9 is the DNS server software.
bind-chroot runs the bind process inside a chroot: chroot confines the directories a service or process can reach to a single directory tree, so that if the service is attacked it cannot reach system directories such as "/".
caching-nameserver generates named.conf and the other configuration files, which makes configuration easier.
2. Create the global configuration file named.conf for the named service
cd /var/named/chroot/etc
cp -p named.caching-nameserver.conf named.conf
The -p option preserves the ownership and permissions of the source file on the copy, so named.conf keeps the permissions that let the named account read it; otherwise the named service will be unable to read its configuration file.
3. Create the main configuration file named.zones for the named service
cp -p named.rfc1912.zones named.zones
4. Edit the global configuration file named.conf
vim named.conf
acl "dnsnet" {172.16.1.0/24;127.0.0.1;}; //define an ACL that the rest of the file can refer to, so the address list is not repeated
options {
listen-on port 53 { 172.16.1.1; }; //the address named listens on: 172.16.1.1
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
allow-query { "dnsnet"; }; //only the networks listed in "dnsnet" may send DNS queries
allow-query-cache { "dnsnet"; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view benet.com_resolver {
match-clients { "dnsnet"; }; //clients matching the "dnsnet" networks are served from the named.zones main configuration file
match-destinations { any; }; //queries to any destination address are accepted
recursion yes;
include "/etc/named.zones"; //the main configuration file used for queries from clients matching this view
};
5. Edit the main configuration file named.zones
vim named.zones
zone "benet.com" IN {
type master;
file "benet.com.zone";
allow-update {none;};
};
zone "1.16.172.in-addr.arpa" IN {
type master;
file "1.16.172.local";
allow-update {none;};
};
6. Create the zone files benet.com.zone and 1.16.172.local
cd /var/named/chroot/var/named
cp -p named.zero benet.com.zone
cp -p named.local 1.16.172.local
7. Edit the zone file benet.com.zone
vim benet.com.zone
$TTL 86400
@ IN SOA linux1.benet.com. root.benet.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS linux1.benet.com.
www IN A 172.16.1.80
mail IN A 172.16.1.25
@ IN MX 1 mail.benet.com.
8. Edit the reverse zone file 1.16.172.local
vim 1.16.172.local
$TTL 86400
@ IN SOA linux1.benet.com. root.benet.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS linux1.benet.com.
1 IN PTR linux1.benet.com.
80 IN PTR www.benet.com.
25 IN PTR mail.benet.com.
9. Set the DNS server address on linux1
vim /etc/resolv.conf
search benet.com
nameserver 172.16.1.1
10. Restart the named service
service named restart
2、 Configure zone transfer on linux1
1. Look at the local rndc.key key file
cd /var/named/chroot/etc
cat rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "63Do9hvXfK9ZTvHTHhu8xdzGKyV902WM1l8jhlHgEIp5qHXDZ8QeGbgGxe8j";
};
Every computer with BIND installed automatically generates a random rndc.key file; the key string in it uniquely identifies that computer.
2. Generate the key file used for DNS transfers
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc.key
-a selects the HMAC-MD5 algorithm
-b 128 produces a 128-bit key string
-n HOST rndc.key means the host specified in the rndc.key file is used to generate a host key pair, consisting of a public key and a private key
3. Confirm that the public and private key files were generated
ll
总计 32
-rw------- 1 root root 52 07-14 14:37 Krndc.key.+157+47727.key
-rw------- 1 root root 81 07-14 14:37 Krndc.key.+157+47727.private
-rw-r--r-- 1 root root 405 06-30 17:16 localtime
-rw-r----- 1 root named 1230 02-23 06:35 named.caching-nameserver.conf
-rw-r----- 1 root named 1255 07-14 13:49 named.conf
-rw-r----- 1 root named 955 02-23 06:35 named.rfc1912.zones
-rw-r----- 1 root named 469 07-14 13:53 named.zones
-rw-r----- 1 root named 113 07-14 12:50 rndc.key
4. View the public key used for DNS zone transfers
cat Krndc.key.+157+47727.key
rndc.key. IN KEY 512 3 157 sTO3iXXUzGLQHwYBFHYfRw==
5. Edit the global configuration file named.conf and append the following at the end of the file
vim named.conf
key dnskey {
algorithm hmac-md5;
secret "sTO3iXXUzGLQHwYBFHYfRw==";
};
6. Edit the main configuration file named.zones
vim named.zones
zone "benet.com" IN {
type master;
file "benet.com.zone";
allow-update {key dnskey;};
};
zone "1.16.172.in-addr.arpa" IN {
type master;
file "1.16.172.local";
allow-update {key dnskey;};
};
7. Restart the named service
service named restart
3、 Configure zone transfer on linux2
1. Install bind, bind-chroot and caching-nameserver with yum
yum -y install bind-9.3.6-16.P1.el5.i386.rpm bind-chroot-9.3.6-16.P1.el5.i386.rpm caching-nameserver-9.3.6-16.P1.el5.i386.rpm
2. Create the global configuration file named.conf for the named service
cd /var/named/chroot/etc
cp -p named.caching-nameserver.conf named.conf
3. Create the main configuration file named.zones for the named service
cp -p named.rfc1912.zones named.zones
4. Edit the global configuration file named.conf
vim named.conf
acl "dnsnet" {127.0.0.1;172.16.1.0/24;};
options {
listen-on port 53 { 172.16.1.53; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
query-source port 53;
query-source-v6 port 53;
allow-query { "dnsnet"; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view hk.benet.com_resolver {
match-clients { "dnsnet"; };
match-destinations { any; };
recursion yes;
include "/etc/named.zones";
};
key dnskey {
algorithm hmac-md5;
secret "sTO3iXXUzGLQHwYBFHYfRw==";
};
5. Edit the main configuration file named.zones
vim named.zones
zone "benet.com" IN {
type slave;
file "slaves/benet.com.zone";
allow-update {none;};
masters {172.16.1.1;};
};
6. Set the DNS server address on linux2
vim /etc/resolv.conf
search hk.benet.com
nameserver 172.16.1.53
7. Restart the named service
service named restart
8. Check whether the benet.com zone file has been transferred
cd /var/named/chroot/var/named/slaves/
ll
总计 4
-rw-r--r-- 1 named named 358 07-14 16:54 benet.com.zone
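A point worth checking before relying on this setup, as an added example that is not from the original document: `allow-update` controls dynamic DNS updates (RFC 2136), not zone transfers. AXFR from a master is governed by `allow-transfer`, which neither named.zones above sets, so BIND's default of allowing transfers to any client applies; and the slave's `masters` statement alone sends an unsigned transfer request, so signing it with the key needs a `server 172.16.1.1 { keys { dnskey; }; };` statement on linux2. Note also that HMAC-MD5 is a shared symmetric secret (both files dnssec-keygen wrote carry the same secret), and that the linux2 named.conf uncomments `query-source port 53`, which the comment kept in the linux1 file warns disables source-port randomization. The Python script below (written here, not part of the page) runs a few regex checks over constructed excerpts of both configs and over hardened fragments; the key name dnskey, the addresses and the zone names are taken from the page.

```python
import re

# Constructed excerpts of the page's two configurations, reduced to the
# statements the checks below look at (key name, addresses and zone names
# are the page's own; everything else is trimmed).
LINUX1_MASTER = """
options {
    listen-on port 53 { 172.16.1.1; };
    // query-source port 53;
    allow-query { "dnsnet"; };
};
key dnskey { algorithm hmac-md5; secret "sTO3iXXUzGLQHwYBFHYfRw=="; };
zone "benet.com" IN {
    type master;
    file "benet.com.zone";
    allow-update { key dnskey; };
};
zone "1.16.172.in-addr.arpa" IN {
    type master;
    file "1.16.172.local";
    allow-update { key dnskey; };
};
"""

LINUX2_SLAVE = """
options {
    listen-on port 53 { 172.16.1.53; };
    query-source port 53;
    query-source-v6 port 53;
    allow-query { "dnsnet"; };
};
key dnskey { algorithm hmac-md5; secret "sTO3iXXUzGLQHwYBFHYfRw=="; };
zone "benet.com" IN {
    type slave;
    file "slaves/benet.com.zone";
    allow-update { none; };
    masters { 172.16.1.1; };
};
"""

# Hardened fragments (assumption: the same key name dnskey on both hosts).
# Master: transfers only to holders of the TSIG key, no dynamic updates.
HARDENED_MASTER = """
zone "benet.com" IN {
    type master;
    file "benet.com.zone";
    allow-update { none; };
    allow-transfer { key dnskey; };
};
"""
# Slave: sign every request sent to the master with the key.
HARDENED_SLAVE = """
server 172.16.1.1 { keys { dnskey; }; };
zone "benet.com" IN {
    type slave;
    file "slaves/benet.com.zone";
    masters { 172.16.1.1; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"[^{]*\{((?:[^{}]|\{[^{}]*\})*)\}')
IPV4_RE = re.compile(r'\d+\.\d+\.\d+\.\d+')


def strip_comments(conf):
    """Drop /* */, // and # comments so commented-out statements are not matched."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#).*', '', conf)


def statement(body, name):
    """Contents of the first `name { ... }` inside body, or None if absent."""
    m = re.search(r'\b' + re.escape(name) + r'\s*\{([^}]*)\}', body)
    return m.group(1).strip() if m else None


def lint_named_conf(conf):
    """Return a list of findings for a named.conf / named.zones text."""
    findings = []
    clean = strip_comments(conf)
    if re.search(r'^\s*query-source(?:-v6)?\s+port\s+\d+', clean, re.M):
        findings.append("options: fixed query-source port disables source-port randomization")
    for name, body in ZONE_RE.findall(clean):
        m = re.search(r'\btype\s+(\w+)', body)
        ztype = m.group(1) if m else ''
        if ztype == 'master':
            xfer = statement(body, 'allow-transfer')
            if xfer is None or 'any' in xfer:
                findings.append(f"{name}: master zone allows AXFR from any client (no restrictive allow-transfer)")
            upd = statement(body, 'allow-update')
            if upd is not None and 'none' not in upd and 'key' not in upd:
                findings.append(f"{name}: dynamic updates allowed without a TSIG key")
        elif ztype == 'slave':
            for ip in IPV4_RE.findall(statement(body, 'masters') or ''):
                if not re.search(r'server\s+' + re.escape(ip) + r'\s*\{[^}]*\bkeys\b', clean):
                    findings.append(f"{name}: transfer requests to master {ip} are unsigned (no server {ip} {{ keys ... }} statement)")
    return findings


if __name__ == "__main__":
    for label, conf in [("linux1", LINUX1_MASTER), ("linux2", LINUX2_SLAVE),
                        ("hardened master", HARDENED_MASTER), ("hardened slave", HARDENED_SLAVE)]:
        print(f"== {label} ==")
        for finding in lint_named_conf(conf) or ["no findings"]:
            print("  " + finding)
```

The checks are deliberately simple regex passes over one level of brace nesting, enough for files of the shape shown on this page; for a real audit, `named-checkconf -p` prints the parsed configuration in a canonical layout that is easier to inspect.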
4、 Configure the subdomain on linux1
1. Edit the benet.com.zone zone file
cd /var/named/chroot/var/named
vim benet.com.zone
$TTL 86400
@ IN SOA linux1.benet.com. root.benet.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS linux1.benet.com.
www IN A 172.16.1.80
mail IN A 172.16.1.25
@ IN MX 1 mail.benet.com.
hk.benet.com. IN NS dns.hk.benet.com.
dns.hk.benet.com. IN A 172.16.1.53
2. Restart the named service
service named restart
5、 Configure hk.benet.com on linux2
1. Edit the main configuration file named.zones
cd /var/named/chroot/etc
vim named.zones
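Editing benet.com.zone without raising the SOA serial is the classic way a change never reaches the secondary: linux2 only pulls a new copy when the master's serial is newer (in RFC 1982 serial arithmetic) than the one it already holds, and the serial above is still 42 after the delegation records were added. As an added example that is not from the page, the Python script below reads the serial from a zone file, compares master and slave copies the way a secondary does, and bumps the serial (plain increment or the YYYYMMDDnn convention). The zone texts are constructed from the page's section 1 and section 4 files; the function names are my own.

```python
import re
from datetime import date

# Constructed copies of the page's benet.com.zone: the section 1 version
# (what linux2 already transferred) and the section 4 version with the
# hk.benet.com delegation added and the serial left at 42.
ZONE_BEFORE = """\
$TTL 86400
@ IN SOA linux1.benet.com. root.benet.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS linux1.benet.com.
www IN A 172.16.1.80
mail IN A 172.16.1.25
@ IN MX 1 mail.benet.com.
"""

ZONE_AFTER = ZONE_BEFORE + """\
hk.benet.com. IN NS dns.hk.benet.com.
dns.hk.benet.com. IN A 172.16.1.53
"""

SERIAL_MOD = 2 ** 32


def soa_fields(zone_text):
    """The five SOA values (serial, refresh, retry, expire, minimum) as written."""
    code = re.sub(r';.*', '', zone_text)   # strip comments first: they may contain ( )
    m = re.search(r'\bSOA\s+\S+\s+\S+\s*\(([^)]*)\)', code, re.S)
    if not m:
        raise ValueError("no SOA record found")
    return m.group(1).split()


def soa_serial(zone_text):
    return int(soa_fields(zone_text)[0])


def serial_gt(a, b):
    """RFC 1982: is serial a newer than b in 32-bit wrapping serial space?"""
    return a != b and ((a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31))


def slave_will_transfer(master_zone, slave_zone):
    """What a secondary decides at refresh time or on NOTIFY: pull only if newer."""
    return serial_gt(soa_serial(master_zone), soa_serial(slave_zone))


def next_serial(old, today=None):
    """YYYYMMDD00 for today if that is newer than old, otherwise old + 1 (32-bit wrap)."""
    if today is not None:
        dated = int(today) * 100
        if serial_gt(dated, old):
            return dated
    return (old + 1) % SERIAL_MOD


def bump_serial(zone_text, new=None):
    """Return the zone text with its SOA serial replaced; comments are preserved."""
    old = soa_serial(zone_text)
    new = next_serial(old) if new is None else new
    if not serial_gt(new, old):
        raise ValueError(f"new serial {new} is not newer than {old}")
    out, in_soa, done = [], False, False
    for line in zone_text.splitlines():
        code, sep, comment = line.partition(';')
        if not done and re.search(r'\bSOA\b', code):
            in_soa = True
        if in_soa and not done:
            code, n = re.subn(r'\b%d\b' % old, str(new), code, count=1)
            if n:
                done = True
                line = code + (sep + comment if sep else '')
        out.append(line)
    return "\n".join(out) + ("\n" if zone_text.endswith("\n") else "")


if __name__ == "__main__":
    print("slave refreshes after the edit:", slave_will_transfer(ZONE_AFTER, ZONE_BEFORE))
    fixed = bump_serial(ZONE_AFTER)
    print("serial", soa_serial(ZONE_AFTER), "->", soa_serial(fixed))
    print("slave refreshes after the bump:", slave_will_transfer(fixed, ZONE_BEFORE))
    print("dated serial for today:", next_serial(42, date.today().strftime("%Y%m%d")))
```

After bumping the serial and restarting (or `rndc reload`ing) named on linux1, the secondary picks the change up at its next refresh, or immediately if NOTIFY reaches it; `named-checkzone benet.com benet.com.zone` is the cheap way to confirm the edited file still parses before reloading.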
zone "benet.com" IN {
type slave;
file "slaves/benet.com.zone";
allow-update {none;};
masters {172.16.1.1;};
};
zone "hk.benet.com" IN {
type master;
file "hk.benet.com.zone";
allow-update {none;};
};
2. Create the zone file hk.benet.com.zone
cd /var/named/chroot/var/named
cp -p named.zero hk.benet.com.zone
vim hk.benet.com.zone
$TTL 86400
@ IN SOA linux2.hk.benet.com. root.hk.benet.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS linux2.hk.benet.com.
www IN A 172.16.1.180
3. Restart the named service
service named restart
6、 Configure forwarding on linux1
1. Edit the global configuration file named.conf
cd /var/named/chroot/etc
vim named.conf
acl "dnsnet" {172.16.1.0/24;127.0.0.1;};
options {
listen-on port 53 { 172.16.1.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
allow-query { "dnsnet"; };
allow-query-cache { "dnsnet"; };
forwarders {202.103.96.68;};
forward first;
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
view benet.com_resolver {
match-clients { "dnsnet"; };
match-destinations { any; };
recursion yes;
include "/etc/named.zones";
};
key dnskey {
algorithm hmac-md5;
secret "sTO3iXXUzGLQHwYBFHYfRw==";
};
2. Edit the main configuration file named.zones
vim named.zones
zone "benet.com" IN {
type master;
file "benet.com.zone";
allow-update {key dnskey;};
};
zone "1.16.172.in-addr.arpa" IN {
type master;
file "1.16.172.local";
allow-update {key dnskey;};
};
zone "accp.com" IN {
type forward;
forwarders {61.187.191.3;};
};
3. Restart the named service
service named restart
7、 Test on linux1
nslookup www.benet.com
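How linux1 decides where a query goes, as an added example that is not part of the original document: BIND selects the most specific configured zone for the query name, so `zone "accp.com" { type forward; }` takes precedence over the global `forwarders`; a name under the delegated hk.benet.com is resolved by following the NS and glue records added in section 4 (which is why the test in section 7 reports a non-authoritative answer for www.hk.benet.com); and only names matching no zone go to 202.103.96.68, with `forward first` falling back to ordinary recursion if the forwarder does not answer. Note that the parent delegates to dns.hk.benet.com. while the child zone's SOA and NS name linux2.hk.benet.com.; the NS sets on both sides should agree. The Python model below encodes both servers' zone tables from the page; the dictionaries LINUX1 and LINUX2, the function names and the tuple shape are my own.

```python
# Zone tables constructed from the page's configuration: named.zones of
# linux1 (section 6) and linux2 (section 5); the hk.benet.com delegation
# comes from the NS and glue records added to benet.com.zone in section 4.
LINUX1 = {
    "zones": {
        "benet.com": {"type": "master"},
        "1.16.172.in-addr.arpa": {"type": "master"},
        "accp.com": {"type": "forward", "forwarders": ["61.187.191.3"]},
    },
    "delegations": {"hk.benet.com": ["172.16.1.53"]},
    "forwarders": ["202.103.96.68"],
    "forward": "first",          # `forward first;` in options
}

LINUX2 = {
    "zones": {
        "benet.com": {"type": "slave"},
        "hk.benet.com": {"type": "master"},
    },
    "delegations": {},
    "forwarders": [],            # no forwarders: recursion starts from the root hints
    "forward": "first",
}


def labels(name):
    return name.rstrip(".").lower().split(".")


def best_match(qname, names):
    """Longest-suffix (most specific) match of qname against a list of zone names."""
    q = labels(qname)
    best = None
    for n in names:
        l = labels(n)
        if len(l) <= len(q) and q[len(q) - len(l):] == l:
            if best is None or len(l) > len(labels(best)):
                best = n
    return best


def route(qname, server):
    """Where a server sends a query: (action, matched zone or None, target addresses)."""
    zone = best_match(qname, list(server["zones"]) + list(server["delegations"]))
    if zone in server["delegations"]:
        # Inside a hosted zone but cut out by NS records: chase the child's servers
        # (requires recursion yes); the answer is cached and marked non-authoritative.
        return ("delegated", zone, server["delegations"][zone])
    if zone is not None:
        cfg = server["zones"][zone]
        if cfg["type"] == "forward":
            return ("forward", zone, cfg["forwarders"])
        return ("authoritative", zone, [])      # master or slave: answered from local data
    if server["forwarders"]:
        return ("forward-" + server["forward"], None, server["forwarders"])
    return ("recurse", None, [])


if __name__ == "__main__":
    for name in ["www.benet.com", "www.hk.benet.com", "www.accp.com",
                 "80.1.16.172.in-addr.arpa", "www.example.org"]:
        print(f"{name:28} linux1 -> {route(name, LINUX1)}")
        print(f"{'':28} linux2 -> {route(name, LINUX2)}")
```

Because `allow-query` on both servers is limited to the "dnsnet" ACL, the forwarded and delegated paths are only reachable by the internal network; keeping it that way is what stops linux1 from becoming an open recursive resolver for the ISP forwarder.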
Server: 172.16.1.1
Address: 172.16.1.1#53
Name: www.benet.com
Address: 172.16.1.80
nslookup www.hk.benet.com
Server: 172.16.1.1
Address: 172.16.1.1#53
Non-authoritative answer:
Name: www.hk.benet.com
Address: 172.16.1.180