CentOS 7 DNS experiments
Experiment 1: single node with forward resolution, reverse resolution and recursion
Test environment:
| Host IP | Description |
|---|---|
| 192.168.5.181 | Internal DNS server; its gateway is 172.16.0.1, which is directly connected to the Internet and also provides DNS |
| 192.168.5.182 | Internal client |
Steps:
Install bind on 192.168.5.181:

```
yum install -y bind
```
Edit /etc/named.conf as shown below. Change allow-query to any so that every host is permitted to query; add forward only and forwarders { 172.16.0.1; } to enable global forwarding, meaning that anything not defined by a zone on 192.168.5.181 is handed to 172.16.0.1 for resolution; set recursion to yes to support recursive queries; and, because this is only an experiment, change dnssec-enable and dnssec-validation to no:
```
options {
        // listen-on port 53 { 192.168.5.181; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forward only;
        forwarders { 172.16.0.1; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Define two zones in /etc/named.rfc1912.zones, one for forward resolution and one for reverse resolution. Note that the name of a reverse zone must follow this format: write the network octets in reverse order and append the .in-addr.arpa suffix. For example, reverse resolution for the 192.168.10 network uses the zone name 10.168.192.in-addr.arpa:
```
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};
zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
......
```
From /etc/named.conf we can see that directory is /var/named, so create tester.com.zone and 192.168.5.zone in /var/named. Note: as a security measure, change the group of these two files to named and remove all permissions for others:
```
cd /var/named
chmod o= tester.com.zone 192.168.5.zone
chown :named tester.com.zone 192.168.5.zone
```
Edit tester.com.zone as shown below:

- TTL is how long a record is cached by a DNS client or resolver, in seconds by default; here it is set to 600 seconds.
- SOA is the start-of-authority record; a zone file has exactly one SOA record, and it must be the first record.
- 2017052201 inside the parentheses is the serial number; it is incremented whenever the primary's zone data changes.
- 30m is the refresh interval: how often the secondary checks the primary for a serial number change.
- 2m is the retry interval: how long the secondary waits before trying again when a synchronization request to the primary fails.
- 1h is the expire time of one hour: how long after losing contact with the primary the secondary gives up synchronizing data from it.
- 1h is the negative-caching time of one hour: how long this DNS server keeps a "no such record" answer returned by an upstream DNS server.
- The "@" symbol refers to the zone's name, which is defined in /etc/named.rfc1912.zones: tester.com. and 5.168.192.in-addr.arpa. respectively.
- NS is the name server record, giving the FQDN of the DNS server itself; there can be several NS records, one of which is the primary DNS.
- A is an address record: the A address of 17.tester.com. is 192.168.5.181.
- CNAME is an alias record: web.tester.com. is an alias of 17.tester.com.

```
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@   IN NS    17.tester.com.
17  IN A     192.168.5.181
web IN CNAME 17
```
Edit 192.168.5.zone as shown below:

PTR is the pointer type, which points to another domain name; here it points to 17.tester.com.

```
$TTL 1200
@   IN SOA tester.com. mail.tester.com. ( 2017052301 3h 20m 1w 1d )
@   IN NS  17.tester.com.
181 IN PTR 17.tester.com.
```
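As an added example (not part of the original post), the following shell script derives the PTR records a reverse zone should contain from the forward zone file, which is exactly how the 181 IN PTR 17.tester.com. line relates to 17 IN A 192.168.5.181; the function names and the embedded sample zone are assumptions constructed from the post's tester.com zone.

```shell
#!/bin/sh
# Added example (not from the original post): keep the reverse zone consistent
# with the forward zone by generating the expected PTR records from it.

# Network prefix -> reverse zone name, e.g. 192.168.5 -> 5.168.192.in-addr.arpa
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ out = ""; for (i = NF; i >= 1; i--) out = out $i "."; print out "in-addr.arpa" }'
}

# Emit the PTR records for every A record in a forward zone file whose address
# lies inside the given network.
#   $1 = forward zone file, $2 = zone origin (tester.com), $3 = network prefix (192.168.5)
# Records are expected as "owner [ttl] [class] A address"; comment lines, $TTL/$ORIGIN
# directives and lines with a blank owner (inherited from the previous record) are skipped.
ptr_from_forward() {
    awk -v origin="$2" -v net="$3" '
        /^[ \t]*;/ || /^[$]/ || /^[ \t]/ { next }
        {
            for (i = 2; i < NF; i++) {
                if ($i != "A") continue
                addr = $(i + 1)
                if (index(addr, net ".") != 1) break       # address not in this network
                host = substr(addr, length(net) + 2)        # remaining octet(s) become the PTR owner
                if ($1 == "@") fqdn = origin "."
                else if ($1 ~ /\.$/) fqdn = $1             # owner already fully qualified
                else fqdn = $1 "." origin "."
                print host " IN PTR " fqdn
                break
            }
        }' "$1"
}

# Constructed sample: the forward zone from the post plus the delegation glue
# record from Experiment 3, so one host lives at a deeper label.
demo_ptr() {
    f=$(mktemp)
    printf '%s\n' \
        '$TTL 600' \
        'tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )' \
        '@        IN NS    17.tester.com.' \
        '17       IN A     192.168.5.181' \
        'web      IN CNAME 17' \
        'dns1.ops IN A     192.168.5.182' > "$f"
    ptr_from_forward "$f" tester.com 192.168.5
    rm -f "$f"
}
```

Running demo_ptr prints the two PTR lines that belong in 192.168.5.zone; feeding the real tester.com.zone to ptr_from_forward and diffing against the reverse zone file catches hosts that were added to one file but not the other.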
After saving, use the systemctl start named.service command to (re)start the service, then use ss -tunl to check whether port 53 is in the listening state:
```
$ systemctl start named.service
$ ss -tunl | grep -E "\b53\b" | awk -F" " '{$NF=" "; print $0}'
udp   UNCONN 0  0   172.16.252.238:53
udp   UNCONN 0  0   192.168.5.181:53
udp   UNCONN 0  0   127.0.0.1:53
udp   UNCONN 0  0   ::1:53
tcp   LISTEN 0  10  172.16.252.238:53
tcp   LISTEN 0  10  192.168.5.181:53
tcp   LISTEN 0  10  127.0.0.1:53
tcp   LISTEN 0  10  ::1:53
```
Run test queries from 192.168.5.182 with the dig command:
```
Resolving an A record:
[root@centos7-front2 ~]# dig -t A www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          357     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       168     IN      A       61.135.169.125
www.a.shifen.com.       168     IN      A       61.135.169.121

;; AUTHORITY SECTION:
a.shifen.com.           466     IN      NS      ns4.a.shifen.com.
a.shifen.com.           466     IN      NS      ns2.a.shifen.com.
a.shifen.com.           466     IN      NS      ns3.a.shifen.com.
a.shifen.com.           466     IN      NS      ns1.a.shifen.com.
a.shifen.com.           466     IN      NS      ns5.a.shifen.com.

;; ADDITIONAL SECTION:
ns5.a.shifen.com.       466     IN      A       119.75.222.17
ns1.a.shifen.com.       466     IN      A       61.135.165.224
ns2.a.shifen.com.       466     IN      A       180.149.133.241
ns3.a.shifen.com.       466     IN      A       61.135.162.215
ns4.a.shifen.com.       466     IN      A       115.239.210.176

;; Query time: 4 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:43:09 CST 2017
;; MSG SIZE  rcvd: 271

----------------------------------------------------------------------
Resolving an A record:
[root@centos7-front2 ~]# dig -t A 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52596
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      A

;; ANSWER SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; AUTHORITY SECTION:
tester.com.             600     IN      NS      17.tester.com.

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:44:11 CST 2017
;; MSG SIZE  rcvd: 72

-------------------------------------------------------------------------
Resolving an NS (name server) record:
[root@centos7-front2 ~]# dig -t NS 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31428
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      NS

;; AUTHORITY SECTION:
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:12 CST 2017
;; MSG SIZE  rcvd: 83

[root@centos7-front2 ~]# dig -t NS www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      NS

;; ANSWER SECTION:
www.baidu.com.          764     IN      CNAME   www.a.shifen.com.

;; AUTHORITY SECTION:
a.shifen.com.           600     IN      SOA     ns1.a.shifen.com. baidu_dns_master.baidu.com. 1705230072 5 5 86400 3600

;; Query time: 15 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:24 CST 2017
;; MSG SIZE  rcvd: 126

---------------------------------------------------------------------------
Reverse resolution:
[root@centos7-front2 ~]# dig -x 192.168.5.181 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.5.181 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51386
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;181.5.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
181.5.168.192.in-addr.arpa. 1200 IN     PTR     17.tester.com.

;; AUTHORITY SECTION:
5.168.192.in-addr.arpa. 1200    IN      NS      17.tester.com.

;; ADDITIONAL SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:14 CST 2017
;; MSG SIZE  rcvd: 112

[root@centos7-front2 ~]# dig -x 61.135.169.125 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 61.135.169.125 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;125.169.135.61.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
169.135.61.in-addr.arpa. 7200   IN      SOA     dns.baidu.com. sa.baidu.com. 2012091801 300 600 2592000 7200

;; Query time: 7 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:52 CST 2017
;; MSG SIZE  rcvd: 108
```
Experiment 2: primary/secondary DNS configuration
Test environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Primary DNS server, Internet access |
| 192.168.5.182 | Secondary DNS server, Internet access |
| 192.168.5.99 | Test client, internal network only |
The primary DNS server is configured basically as in Experiment 1 (single node with forward resolution, reverse resolution and recursion); the only difference is that a secondary DNS server is added here, so a new NS record is required. The contents of named.rfc1912.zones are still:
```
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};
zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
......
```
The tester.com.zone file after adding the NS record looks like this:

```
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@   IN NS    17.tester.com.
@   IN NS    18.tester.com.
17  IN A     192.168.5.181
18  IN A     192.168.5.182
web IN CNAME 17
```
On the secondary, first install bind with the yum install -y bind bind-utils command, then edit /etc/named.conf so that this file is identical on the primary and the secondary. Next, add the following to /etc/named.rfc1912.zones, specifying type slave and placing the zone files under the relative path slaves/:
```
zone "tester.com" IN {
        type slave;
        file "slaves/tester.com.zone";
        masters { 192.168.5.181; };
};
zone "5.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/192.168.5.zone";
        masters { 192.168.5.181; };
};
```
Once the configuration is done, start the DNS service on the primary first and then on the secondary. The secondary's log shows the following, indicating that the transfer has completed:
```
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: connected using 192.168.5.182#53834
May 24 05:36:02 centos7-front2 systemd: Started Berkeley Internet Name Domain (DNS).
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: transferred serial 2017052301
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 6 records, 197 bytes, 0.001 secs (197000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: sending notifies (serial 2017052301)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: connected using 192.168.5.182#33001
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: transferred serial 2017052201
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 7 records, 189 bytes, 0.003 secs (63000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: sending notifies (serial 2017052201)
```
Two new files appear in /var/named/slaves on the secondary; these are the zone files synchronized from the primary:

```
$ cd /var/named/slaves/
$ ls
192.168.5.zone  tester.com.zone
```
Run queries from the client:
```
$ nslookup -type=A 17.tester.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=A 17.tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=NS tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

tester.com      nameserver = 17.tester.com.
tester.com      nameserver = 18.tester.com.

$ nslookup 192.168.5.181 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

181.5.168.192.in-addr.arpa      name = 17.tester.com.

$ nslookup -type=NS baidu.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Non-authoritative answer:
baidu.com       nameserver = ns3.baidu.com.
baidu.com       nameserver = ns2.baidu.com.
baidu.com       nameserver = ns7.baidu.com.
baidu.com       nameserver = ns4.baidu.com.
baidu.com       nameserver = dns.baidu.com.

Authoritative answers can be found from:
ns3.baidu.com   internet address = 220.181.37.10
ns4.baidu.com   internet address = 220.181.38.10
ns2.baidu.com   internet address = 61.135.165.235
ns7.baidu.com   internet address = 119.75.219.82
dns.baidu.com   internet address = 202.108.22.220

$ nslookup -type=A www.baidu.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
```
Note: if the zone configuration on the primary changes, you must manually increment the serial number by 1, save the file, and then reload with the rndc reload command. Only then does the primary send a notify message to the secondary, which then performs an incremental synchronization of the zone file.
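As an added example (not from the original post), this shell script automates the serial bump and reload just described, using the YYYYMMDDnn serial scheme the post's zone files follow; the function names and the embedded sample zone are assumptions, while named-checkzone and rndc are the standard BIND tools.

```shell
#!/bin/sh
# Added example (not from the original post): bump the SOA serial so that the
# primary actually notifies the secondary, then check and reload the zone.

# Print the current serial: the first 10-digit token at or after the SOA record.
# Reads the file given as $1, or stdin when called without an argument.
get_serial() {
    awk '/SOA/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++)
                     if (length($i) == 10 && $i ~ /^[0-9]+$/) { print $i; exit } }' "$@"
}

# Print the zone file ($1) with its serial bumped for the date $2 (YYYYMMDD).
# Same day, or a serial already ahead of today (clock skew): increment by one;
# otherwise start today's sequence at 01. A serial that has used up its daily
# counter (nn = 99) is refused rather than silently growing an extra digit.
# awk rewrites the edited line with single spaces between its fields.
bump_serial() {
    awk -v today="$2" '
        /SOA/ && !done { insoa = 1 }
        insoa && !done {
            for (i = 1; i <= NF; i++) {
                if (length($i) != 10 || $i !~ /^[0-9]+$/) continue
                if (substr($i, 9, 2) == "99") {
                    print "serial " $i " has exhausted its daily counter" > "/dev/stderr"
                    exit 1
                }
                if (substr($i, 1, 8) + 0 >= today + 0) $i = $i + 1
                else $i = today "01"
                done = 1
                break
            }
        }
        { print }' "$1"
}

# Bump in place, syntax-check the result, then reload just that zone.
#   $1 = zone name (tester.com), $2 = zone file (/var/named/tester.com.zone)
publish_zone() {
    tmp=$(mktemp) || return 1
    { bump_serial "$2" "$(date +%Y%m%d)" > "$tmp" && mv "$tmp" "$2"; } || { rm -f "$tmp"; return 1; }
    named-checkzone "$1" "$2" && rndc reload "$1"
}

# Constructed sample: the post's tester.com SOA (serial 2017052201) bumped on day $1;
# prints the resulting serial.
demo_bump() {
    f=$(mktemp)
    printf '%s\n' '$TTL 600' \
        'tester.com. IN SOA tester.com. mail.tester.com. (' \
        '        2017052201 30m 2m 1h 1h )' \
        '@  IN NS 17.tester.com.' \
        '17 IN A  192.168.5.181' > "$f"
    bump_serial "$f" "$1" | get_serial
    rm -f "$f"
}
```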
Experiment 3: DNS subdomain delegation
Test environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Parent-domain DNS, domain tester.com., Internet access |
| 192.168.5.182 | Subdomain DNS, domain ops.tester.com., Internet access |
| 192.168.5.99 | Test client, internal network only |
Goal: the parent domain tester.com. delegates the subdomain ops.tester.com.; verify the result from a client.
Steps:
On the parent-domain node, edit the options block of /etc/named.conf as follows. listen-on is commented out so that the node listens on all of its interfaces (the default when listen-on is omitted); allow-query is any, so every client is allowed to query; forward first together with forwarders means that, since this node can reach the Internet, a query arriving here is first forwarded to the subdomain server, then, if the subdomain cannot find it, forwarded to the Internet, and if the Internet cannot find it either, it is resolved locally.
```
......
// listen-on port 53 { 192.168.5.181; };
allow-query     { any; };
forward first;
forwarders { 192.168.5.182; 20.20.20.1; };
......
```
Edit /etc/named.rfc1912.zones as follows:

```
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};
......
```
Edit /var/named/tester.com.zone as follows, delegating the subdomain ops.tester.com. to the name server dns1.ops.tester.com.:

```
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@               IN NS 17.tester.com.
17              IN A  192.168.5.181
ops.tester.com. IN NS dns1.ops.tester.com.
dns1.ops        IN A  192.168.5.182
```
On the subdomain node, configure /etc/named.conf as shown below:

```
......
// listen-on port 53 { 127.0.0.1; };
allow-query     { any; };
forward only;
forwarders { 20.20.20.1; };
......
```
The subdomain node's /etc/named.rfc1912.zones is shown below. The first zone is ops.tester.com., delegated by the parent; the second zone exists so that the subdomain server forwards queries for the parent zone directly to the parent server for resolution instead of going to the root servers:

```
......
zone "ops.tester.com" IN {
        type master;
        file "ops.tester.com.zone";
};
zone "tester.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.5.181; };
};
......
```
The subdomain node's /var/named/ops.tester.com.zone is shown below. The SOA names dns1.ops.tester.com. as the DNS server for this zone, and an A record named kali is defined under the zone:

```
$TTL 600
@    IN SOA dns1.ops.tester.com. mail.ops.tester.com. ( 2017052201 30m 2m 1h 1h )
     IN NS  dns1
dns1 IN A   192.168.5.182
kali IN A   192.168.5.99
```
Save, reload the configuration on both nodes with rndc reload, and test from the client; the results are shown below:
```
Query the subdomain's NS record from the parent DNS to verify the delegation:
$ dig -t NS ops.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t NS ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;ops.tester.com.                IN      NS
ops.tester.com.         600     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    600     IN      A       192.168.5.182
;; Query time: 3 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:29:51 HKT 2017
;; MSG SIZE  rcvd: 78

Query a subdomain A record from the parent DNS:
$ dig -t A kali.ops.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A kali.ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;kali.ops.tester.com.           IN      A
kali.ops.tester.com.    600     IN      A       192.168.5.99
ops.tester.com.         585     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    585     IN      A       192.168.5.182
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:06 HKT 2017
;; MSG SIZE  rcvd: 99

Query an Internet A record from the parent DNS to verify global forwarding:
$ dig -t A www.baidu.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A www.baidu.com @192.168.5.181 +nocomments
;; global options: +cmd
;www.baidu.com.                 IN      A
www.baidu.com.          600     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       600     IN      A       119.75.218.70
www.a.shifen.com.       600     IN      A       119.75.217.109
a.shifen.com.           851     IN      NS      ns4.a.shifen.com.
a.shifen.com.           851     IN      NS      ns2.a.shifen.com.
a.shifen.com.           851     IN      NS      ns3.a.shifen.com.
a.shifen.com.           851     IN      NS      ns5.a.shifen.com.
a.shifen.com.           851     IN      NS      ns1.a.shifen.com.
ns2.a.shifen.com.       33      IN      A       180.149.133.241
ns4.a.shifen.com.       33      IN      A       115.239.210.176
ns5.a.shifen.com.       151     IN      A       119.75.222.17
ns3.a.shifen.com.       32      IN      A       61.135.162.215
ns1.a.shifen.com.       299     IN      A       61.135.165.224
;; Query time: 21 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:23 HKT 2017
;; MSG SIZE  rcvd: 271

Query a parent-domain A record from the subdomain DNS to verify the zone forward:
$ dig -t A 17.tester.com @192.168.5.182 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.182 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       192.168.5.181
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.182#53(192.168.5.182)
;; WHEN: Fri May 26 14:30:43 HKT 2017
;; MSG SIZE  rcvd: 72
```
Experiment 4: basic DNS ACL control
Test environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Primary DNS server, Internet access |
| 192.168.5.182 | Client 1 |
| 192.168.5.99 | Client 2 |
Building on Experiment 1 above, add an acl and test again.
At the global level, add an acl to /etc/named.conf so that client 1 can query but client 2 cannot:
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl client1 { 192.168.5.182/32; };
```
For an individual zone, you can add allow-query { client1; }; to the tester.com zone in /etc/named.rfc1912.zones; alternatively, in the global options block of /etc/named.conf, change allow-query { any; }; to allow-query { client1; };.
After adding it, run rndc reload and then test from both clients:
```
Testing on client 1, the query succeeds:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       192.168.5.181
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:02:00 CST 2017
;; MSG SIZE  rcvd: 72

Testing on client 2, the query gets no answer:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:03:01 HKT 2017
;; MSG SIZE  rcvd: 42
```
Replace allow-query with allow-transfer, the option that controls who may perform a zone transfer, and test again:
```
Zone transfer from client 1 succeeds:
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
tester.com.             600     IN      NS      17.tester.com.
17.tester.com.          600     IN      A       192.168.5.181
ops.tester.com.         600     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    600     IN      A       192.168.5.182
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
;; Query time: 2 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:14:39 CST 2017
;; XFR size: 6 records (messages 1, bytes 177)

Zone transfer from client 2 fails:
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.10.3-P4-Debian <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
; Transfer failed.
```
Other commonly used access-control directives are allow-recursion and allow-update: respectively, the ACL of hosts allowed to make recursive queries through this DNS server, and the ACL of hosts allowed to dynamically update the zone database file.
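As an added example (not from the original post), this shell script checks a named.conf for the exposures these ACLs address: recursion open to any client (the case the comment in the post's own named.conf warns about), zone transfers not restricted to the secondary, and dnssec-validation left off; the function names and the two embedded sample configurations are assumptions constructed from the post's settings.

```shell
#!/bin/sh
# Added example (not from the original post): audit a named.conf for settings
# that the ACL experiment is meant to tighten. Findings are printed one per line.

# Pattern test against the collapsed configuration held in $conf (set by the audit).
conf_has() { printf '%s' "$conf" | grep -Eq "$1"; }

# $1 = path to named.conf. Comments are stripped and the file is collapsed onto
# one line so that multi-line blocks still match; /* */ comments that contain
# a '*' inside them are not handled by this simple stripper.
audit_named_conf() {
    conf=$(sed 's#//.*$##' "$1" | tr '\n' ' ' | sed 's#/\*[^*]*\*/##g')

    if conf_has 'recursion[[:space:]]+yes[[:space:]]*;' \
       && conf_has 'allow-query[[:space:]]*\{[[:space:]]*any[[:space:]]*;' \
       && ! conf_has 'allow-recursion[[:space:]]*\{'; then
        echo "open resolver: recursion yes with allow-query any and no allow-recursion"
    fi
    if ! conf_has 'allow-transfer[[:space:]]*\{' \
       || conf_has 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "zone transfer unrestricted: allow-transfer missing (BIND 9.9 default is any) or set to any"
    fi
    if conf_has 'dnssec-validation[[:space:]]+no[[:space:]]*;'; then
        echo "dnssec-validation no: answers relayed by the forwarders are accepted unvalidated"
    fi
}

# Constructed samples: "weak" mirrors the options block from Experiment 1,
# "hardened" applies the acl approach from this experiment plus allow-recursion
# and an allow-transfer limited to the secondary. Prints the number of findings.
demo_audit() {
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '%s\n' 'options {' '    allow-query     { any; };' '    forward only;' \
            '    forwarders { 172.16.0.1; };' '    recursion yes;' \
            '    dnssec-enable no;' '    dnssec-validation no;' '};' > "$f"
    else
        printf '%s\n' 'acl client1 { 192.168.5.182/32; };' 'options {' \
            '    allow-query     { client1; };' '    allow-recursion { client1; };' \
            '    allow-transfer  { 192.168.5.182; };   // the secondary only' \
            '    recursion yes;' '    dnssec-validation yes;' '};' > "$f"
    fi
    audit_named_conf "$f" | awk 'END { print NR }'
    rm -f "$f"
}
```

Run audit_named_conf /etc/named.conf on the primary before and after the acl change; the weak sample reports three findings and the hardened one none.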
Experiment 5: DNS views
Test environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Primary DNS server, Internet access |
| 192.168.5.182 | Client 1 |
| 192.168.5.99 | Client 2 |
Goal: client 1 resolving 17.tester.com gets the IP address 1.1.1.1, while client 2 resolving 17.tester.com gets 2.2.2.2.
Edit /etc/named.conf on the primary DNS server exactly as in Experiment 1.
Delete the following from /etc/named.conf, otherwise named reports an error (once views are used, every zone, including the root hint zone, must be declared inside a view):

```
zone "." IN {
        type hint;
        file "named.ca";
};
```
Edit /etc/named.rfc1912.zones as shown below: wrap the system-defined zones in a view named client1 and create a new view named client2. The client1 view matches 192.168.5.182 and sets the zone file for tester.com. to client1.zone; the client2 view matches 192.168.5.99 and sets the zone file for tester.com. to client2.zone:
```
view client1 {
        match-clients { 192.168.5.182/32; };

        zone "localhost.localdomain" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "localhost" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "1.0.0.127.in-addr.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "0.in-addr.arpa" IN {
                type master;
                file "named.empty";
                allow-update { none; };
        };

        zone "tester.com" IN {
                type master;
                file "client1.zone";
        };
};

view client2 {
        match-clients { 192.168.5.99/32; };

        zone "tester.com" IN {
                type master;
                file "client2.zone";
        };
};
```
Edit the zone files for client1 and client2 as shown below:

```
$ cat /var/named/client1.zone
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@  IN NS 17.tester.com.
17 IN A  1.1.1.1

$ cat /var/named/client2.zone
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@  IN NS 17.tester.com.
17 IN A  2.2.2.2
```
After reloading with the rndc reload command, test the result from each client:
```
Client 1 resolves the name to 1.1.1.1:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       1.1.1.1
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:29:48 CST 2017
;; MSG SIZE  rcvd: 72

Client 2 resolves the name to 2.2.2.2:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       2.2.2.2
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:23:32 HKT 2017
;; MSG SIZE  rcvd: 7
```
Article source: http://scyanting.com/article/gcisjd.html