DNS server software: bind, powerdns, dnsmasq, unbound, coredns

BIND-related packages

bind: the server

bind-libs: shared libraries

bind-utils: client tools (dig, host, nslookup)

bind-chroot: hardening package; places the DNS-related files under /var/named/chroot/

Files shipped by the BIND packages

Main program: /usr/sbin/named

Init script and systemd unit: /etc/rc.d/init.d/named, /usr/lib/systemd/system/named.service

Main configuration files: /etc/named.conf, /etc/named.rfc1912.zones, /etc/rndc.key

Management tool: /usr/sbin/rndc (remote name daemon controller). By default it is installed on the same host as bind and can only reach the named process via 127.0.0.1 (control channel on 953/tcp); it provides auxiliary management functions such as reload and status.

Zone database files: /var/named/ZONE_NAME.zone

Main configuration file

Global configuration: options { };

Subsystem configuration: logging { };

Zone definitions: zone "ZONE_NAME" { }; one block for each zone this server answers for.

Notes:

If a service is expected to be reached by other hosts over the network, it must listen on at least one IP address those hosts can reach (the stock named.conf only listens on 127.0.0.1).

Caching server configuration: it only needs to listen on the external address.

DNSSEC: this tutorial sets dnssec-enable and dnssec-validation to no. That is acceptable for an isolated lab; on a resolver that serves real users keep dnssec-validation enabled, otherwise forged upstream answers are accepted without checking. dnssec-enable itself has been deprecated in newer BIND releases and later removed; there only dnssec-validation remains.

Main configuration file syntax check

named-checkconf

Zone file syntax check

named-checkzone 'magedu.org' /var/named/magedu.org.zone    # per the author, CentOS 8 does not ship the full command

Run both checks before reloading so that a typo does not take the zone out of service.

Applying the configuration

# three ways

# rndc reload

# systemctl reload named

# service named reload

Setting up forward DNS master/slave servers

Equipment: servers

CentOS 8 at 10.0.0.88 (master); CentOS 7 at 10.0.0.77 (slave)

Client

CentOS 7 at 10.0.0.7

Domain: magedu.org

Client-side resolution: when the master goes down, the client automatically falls over to the slave.

Master server configuration

1. Edit /etc/named.conf.

[root@centos8-liyj ~]# vim /etc/named.conf

Comment out (//) the listen-on and allow-query lines (marked in blue in the original screenshot) so that named listens on every address and answers any client.

Add allow-transfer { 10.0.0.77; };    # only the slave may pull the zone (AXFR/IXFR)

Change

dnssec-enable yes;        # to no

dnssec-validation yes;    # to no

Caveat: with listen-on and allow-query commented out and recursion yes; left in place, this host is an open recursive resolver to anything that can reach 10.0.0.88; the stock comment block in the file warns about exactly this. For an authoritative-only server set recursion no;, or, if it must also recurse for the LAN, keep recursion yes; and add allow-recursion { 10.0.0.0/24; }; (the address block is assumed from the lab addresses).

The resulting /etc/named.conf:

options {
//    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file   "/var/named/data/named.secroots";
    recursing-file  "/var/named/data/named.recursing";
//    allow-query     { localhost; };
    allow-transfer { 10.0.0.77; };

    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;

    dnssec-enable no;
    dnssec-validation no;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

2. Edit /etc/named.rfc1912.zones

Append the following at the end (the keyword is type, not typer; named-checkconf rejects the misspelling):

zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";    # relative to directory "/var/named"; set in named.conf
};

named.rfc1912.zones (full file after the edit):
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and https://tools.ietf.org/html/rfc6303
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Note: empty-zones-enable yes; option is default.
// If private ranges should be forwarded, add
// disable-empty-zone "."; into options
//
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
zone "magedu.org" IN {
        type master;
        file "magedu.org.zone";
};

3. Edit the DNS zone database file

[root@centos8-liyj /etc/named]#cd /var/named/
[root@centos8-liyj /var/named]#ls
data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves

3.1 Copy named.localhost as a template and edit the copy

[root@centos8-liyj /var/named]#cp -p named.localhost magedu.org.zone    # -p keeps mode and ownership; otherwise fix by hand: chgrp named magedu.org.zone
[root@centos8-liyj /var/named]#ll
total 20
drwxrwx--- 2 named named    6 Aug 25  2021 data
drwxrwx--- 2 named named    6 Aug 25  2021 dynamic
-rw-r----- 1 root  named  152 Aug 25  2021 magedu.org.zone    # mode 640, owner root, group named: named can read it, nobody else needs to
-rw-r----- 1 root  named 2253 Aug 25  2021 named.ca
-rw-r----- 1 root  named  152 Aug 25  2021 named.empty
-rw-r----- 1 root  named  152 Aug 25  2021 named.localhost
-rw-r----- 1 root  named  168 Aug 25  2021 named.loopback
drwxrwx--- 2 named named    6 Aug 25  2021 slaves
[root@centos8-liyj /var/named]#vim magedu.org.zone 

$TTL 1D
@       IN SOA  ns1 admin.magedu.org. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns1                     ; master DNS
        NS      ns2                     ; slave DNS
ns1     A       10.0.0.88               ; addresses of the name servers
ns2     A       10.0.0.77

In zone files the comment character is ';', not '#'. Every later edit to this file must also raise the serial, because the slave only pulls a new copy when the master's serial is greater than its own.

[root@centos8-liyj /var/named]#systemctl start named      # first start
[root@centos8-liyj /var/named]#rndc reload          # on later changes use rndc reload: the configuration is reloaded without interrupting service
server reload successful
[root@centos8-liyj /var/named]#
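The zone file above carries serial 0 and is reloaded with rndc reload. A slave compares serials (RFC 1982 serial arithmetic) and only transfers when the master's is newer, so an edit without a serial bump never reaches 10.0.0.77. The following Python script is an added example, not code from the original post: it reads the serial out of a zone file, decides whether the slave would transfer, and rewrites the serial using a YYYYMMDDnn convention. The two zone texts are copies of the page's master and slave files embedded as constructed input; the date-based serial scheme is an assumption.

```python
"""Added example (not from the original post): check and bump the SOA serial
of a BIND zone file before `rndc reload` on the master.

A slave only transfers the zone when the master's serial is newer under
RFC 1982 serial arithmetic, so editing magedu.org.zone and reloading without
raising the serial leaves the slave serving stale data.
"""
import re
from datetime import date
from typing import Optional, Tuple

# Constructed input: the master's /var/named/magedu.org.zone from the tutorial.
SAMPLE_MASTER_ZONE = """\
$TTL 1D
@   IN SOA  ns1 admin.magedu.org. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
    NS  ns1
    NS  ns2
ns1 A   10.0.0.88
ns2 A   10.0.0.77
"""

# Constructed input: the slave's text-format copy (/var/named/slaves/magedu.org.slave).
SAMPLE_SLAVE_ZONE = """\
$ORIGIN .
$TTL 86400  ; 1 day
magedu.org      IN SOA  ns1.magedu.org. admin.magedu.org. (
                0          ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                10800      ; minimum (3 hours)
                )
            NS  ns1.magedu.org.
            NS  ns2.magedu.org.
$ORIGIN magedu.org.
ns1         A   10.0.0.88
ns2         A   10.0.0.77
"""

# Matches "IN SOA <mname> <rname> ( <serial>" and captures the serial digits.
SOA_RE = re.compile(r"\bIN\s+SOA\s+\S+\s+\S+\s*\(\s*(\d+)")
SERIAL_MAX = 0xFFFFFFFF


def get_serial(zone_text: str) -> int:
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    return int(m.group(1))


def serial_newer(new: int, old: int) -> bool:
    """RFC 1982: `new` is ahead of `old` if the 32-bit difference lies in (0, 2^31)."""
    diff = (new - old) & SERIAL_MAX
    return 0 < diff < 0x80000000


def slave_will_transfer(master_zone: str, slave_zone: str) -> bool:
    """The slave pulls a new copy only if the master's serial is newer than its own."""
    return serial_newer(get_serial(master_zone), get_serial(slave_zone))


def today_yyyymmdd() -> int:
    return int(date.today().strftime("%Y%m%d"))


def next_serial(current: int, yyyymmdd: int) -> int:
    """YYYYMMDDnn scheme (assumed convention): the date with a two-digit revision,
    but never below current+1, so the slave always sees an increase."""
    dated = yyyymmdd * 100
    candidate = dated if dated > current else current + 1
    return candidate & SERIAL_MAX


def bump_serial(zone_text: str, yyyymmdd: Optional[int] = None) -> Tuple[str, int]:
    """Return the zone text with its SOA serial raised, plus the new serial.
    Only the serial digits are replaced; layout and ';' comments stay intact."""
    if yyyymmdd is None:
        yyyymmdd = today_yyyymmdd()
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group(1)), yyyymmdd)
    updated = zone_text[: m.start(1)] + str(new) + zone_text[m.end(1) :]
    return updated, new


if __name__ == "__main__":
    print("master serial:", get_serial(SAMPLE_MASTER_ZONE))
    print("slave transfers as-is:", slave_will_transfer(SAMPLE_MASTER_ZONE, SAMPLE_SLAVE_ZONE))
    text, serial = bump_serial(SAMPLE_MASTER_ZONE)
    print("bumped to", serial, "- slave transfers now:", slave_will_transfer(text, SAMPLE_SLAVE_ZONE))
```

With both files at serial 0 the slave does nothing on the next refresh; after bump_serial the master is ahead and the next rndc reload (which sends NOTIFY to the slave) triggers a transfer.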

Master server dig test

[root@centos8-liyj /var/named]#dig ns1.magedu.org
# This host still had an upstream DNS server configured and internet access, and a real ns1.magedu.org exists on the internet, so the answer came from outside:
ns1.magedu.org. 5 IN A 47.91.170.222       # public address, not our zone

Either query the local server explicitly (dig @127.0.0.1 ns1.magedu.org) or, as done here, remove the DNS entry from the interface configuration and restart networking so /etc/resolv.conf no longer points upstream (with no nameserver configured, dig falls back to 127.0.0.1):

vim /etc/sysconfig/network-scripts/ifcfg-eth0      # delete the host's DNS line
[root@centos8-liyj /var/named]#cat /etc/sysconfig/network-scripts/ifcfg-eth0     # after the edit, no DNS entry; restart the network service
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.88
PREFIX=24
GATEWAY=10.0.0.2
ONBOOT="yes"
[root@centos8-liyj /var/named]#dig ns1.magedu.org
; <<>> DiG 9.11.26-RedHat-9.11.26-6.el8 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23788
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: a6b5b8d8778a6125c5397a2d626f938979def64920dcc8d5 (good)
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A
;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.
;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon May 02 16:17:13 CST 2022
;; MSG SIZE  rcvd: 135
The dig result is correct: the answer is authoritative (flag aa) and comes from the local server (127.0.0.1).


Slave server configuration

[root@centos7-liyj ~]#vim /etc/named.conf 
Comment out with //:

options {
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };

allow-transfer { none; };       # the slave must not hand the zone to anyone else

Change yes to no:

dnssec-enable no;
dnssec-validation no;

}

The resulting /etc/named.conf on the slave (the masterfile-format text; line was added after the raw-format issue described further down):
options {
//    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory     "/var/named";
    dump-file     "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file  "/var/named/data/named.recursing";
    secroots-file   "/var/named/data/named.secroots";
//    allow-query     { localhost; };
    allow-transfer { none; };
    masterfile-format text;
    /* 
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable 
       recursion. 
     - If your recursive DNS server has a public IP address, you MUST enable access 
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification 
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface 
    */
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@centos7-liyj ~]#vim /etc/named.rfc1912.zones     # append the following
zone "magedu.org" {
    type slave;
    masters { 10.0.0.88; };
    file "slaves/magedu.org.slave";    # relative to /var/named; the slaves/ directory is owned and writable by named
};

named.rfc1912.zones on the slave (full file):
zone "localhost.localdomain" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};
zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};
zone "magedu.org" {
    type slave;
    masters { 10.0.0.88;};
    file "slaves/magedu.org.slave";
};
systemctl start named          # first start
rndc reload                    # on later changes
ls /var/named/slaves/magedu.org.slave   # check that the zone file was transferred in
[root@centos7-liyj ]#ll /var/named/slaves/
total 4
-rw-r--r-- 1 named named 264 May  2 17:06 magedu.org.slave
[root@centos7-liyj ]#cat /var/named/slaves/magedu.org.slave    # written automatically by the slave after the transfer
boXQ
    mageduorg6ns1mageduorgadminmageduorgQ    :*0DQ 
                                                     mageduorgns1mageduorgns2mageduorg*Qns1mageduorg 
X*Qns2mageduorg 

The output looks garbled because BIND stores transferred zones in its binary "raw" master file format by default (since BIND 9.9). This is not an access restriction; all the data is there. To read it without changing the configuration: named-compilezone -f raw -F text -o - magedu.org /var/named/slaves/magedu.org.slave

 

To have the slave write a text file instead:

add to the options block
masterfile-format text;
then restart the service: systemctl restart named


Slave zone file magedu.org.slave in text format:
[root@centos7-liyj /var/named/slaves]#cat /var/named/slaves/magedu.org.slave 
$ORIGIN .
$TTL 86400    ; 1 day
magedu.org        IN SOA    ns1.magedu.org. admin.magedu.org. (
                0          ; serial
                86400      ; refresh (1 day)
                3600       ; retry (1 hour)
                604800     ; expire (1 week)
                10800      ; minimum (3 hours)
                )
            NS    ns1.magedu.org.
            NS    ns2.magedu.org.
$ORIGIN magedu.org.
ns1            A    10.0.0.88
ns2            A    10.0.0.77

 

Dig test on the slave

First edit the eth0 configuration: remove the existing DNS entry and add DNS=10.0.0.88

[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.77
PREFIX=24
GATEWAY=10.0.0.2
DNS3=10.0.0.88
ONBOOT="yes"

Note that with DNS pointed at 10.0.0.88 the dig below is answered by the master (SERVER: 10.0.0.88), not by the slave's own copy. To test what the slave itself serves, query it directly: dig @127.0.0.1 ns2.magedu.org on the slave, or dig @10.0.0.77 ns2.magedu.org from any other host.

 

[root@centos7-liyj /var/named/slaves]#dig ns2.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39354
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A
;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.
;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 17:53:49 CST 2022
;; MSG SIZE  rcvd: 107
Name resolution works.
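The master restricts zone transfers to the slave (allow-transfer { 10.0.0.77; }) and the slave refuses them entirely (allow-transfer { none; }). The following Python script is an added example, not code from the original post: it builds a raw AXFR query, sends it over TCP port 53, and classifies the reply, so you can confirm from any host that a transfer is refused and only 10.0.0.77 gets the zone from the master. It uses only the standard library; the server addresses and zone name come from this lab, and the SAMPLE_* replies are constructed here so the parsing logic runs offline.

```python
"""Added example (not part of the original post): verify that `allow-transfer`
really restricts zone transfers by sending a raw AXFR query and classifying
the reply.

Expected results in this lab:
  axfr_probe("10.0.0.88", "magedu.org") from 10.0.0.77  -> "TRANSFERRED"
  axfr_probe("10.0.0.88", "magedu.org") from any other host -> "REFUSED"
  axfr_probe("10.0.0.77", "magedu.org") from anywhere       -> "REFUSED"
"""
import secrets
import socket
import struct

QTYPE_AXFR, QCLASS_IN = 252, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode an uncompressed name at `off`; returns (name, offset after it)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0:  # compression pointer: not expected in a question section
            raise ValueError("compressed name in question section")
        labels.append(msg[off + 1 : off + 1 + n].decode("ascii"))
        off += 1 + n


def build_axfr_query(zone: str, txid: int) -> bytes:
    # Header: ID, flags 0 (RD clear: AXFR is answered from authoritative data),
    # QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0, then the single question.
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def classify_axfr(msg: bytes, txid: int, zone: str) -> str:
    """Map a raw DNS reply to REFUSED / TRANSFERRED / another rcode / INVALID."""
    if len(msg) < 12:
        return "INVALID"
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:  # wrong transaction ID or not a response
        return "INVALID"
    if qd == 1:  # the echoed question must be ours
        try:
            qname, off = decode_name(msg, 12)
            qtype, _qclass = struct.unpack("!HH", msg[off : off + 4])
        except (ValueError, IndexError, struct.error):
            return "INVALID"
        if qname.lower() != zone.rstrip(".").lower() or qtype != QTYPE_AXFR:
            return "INVALID"
    rcode = flags & 0x000F
    if rcode == 0 and an > 0:
        return "TRANSFERRED"  # the server handed out zone records
    return RCODES.get(rcode, "RCODE%d" % rcode)


def axfr_probe(server: str, zone: str, timeout: float = 3.0) -> str:
    """Live check: AXFR runs over TCP/53 with a 2-byte length prefix (RFC 1035 4.2.2).
    Only the first message is read; a refusal or the first batch of RRs is enough."""
    txid = secrets.randbelow(0x10000)
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        prefix = s.recv(2)
        if len(prefix) < 2:
            return "NO-RESPONSE"
        (length,) = struct.unpack("!H", prefix)
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify_axfr(data, txid, zone)


def _sample_reply(txid: int, flags: int, ancount: int, zone: str) -> bytes:
    """Constructed reply: header plus the echoed question (RR bodies omitted)."""
    question = build_axfr_query(zone, txid)[12:]
    return struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + question


# Constructed samples, not captured traffic:
SAMPLE_REFUSED = _sample_reply(0x1234, 0x8005, 0, "magedu.org")  # QR=1, RCODE=5 (REFUSED)
SAMPLE_ALLOWED = _sample_reply(0x1234, 0x8400, 5, "magedu.org")  # QR=1, AA=1, 5 answer RRs

if __name__ == "__main__":
    import sys
    server, zone = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ("10.0.0.88", "magedu.org")
    print(server, zone, "->", axfr_probe(server, zone))
```

Run it from the client (python3 axfr_check.py 10.0.0.88 magedu.org, file name assumed) and from the slave; anything other than REFUSED from a host outside the allow-transfer list means the whole zone, including every internal host name, is readable by anyone who can reach port 53.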

 

Client-side name resolution

Set the client's DNS1 to 10.0.0.88 and DNS2 to 10.0.0.77

[root@centos7-liyj ~]#vim /etc/sysconfig/network-scripts/ifcfg-eth0 
[root@centos7-liyj ~]#cat /etc/sysconfig/network-scripts/ifcfg-eth0 
DEVICE="eth0"
NAME="eth0"
BOOTPROTO="static"
IPADDR=10.0.0.7
PREFIX=24
GATEWAY=10.0.0.2
DNS1=10.0.0.77
DNS2=10.0.0.88
ONBOOT="yes"

(The listing shows the two entries in the reverse order from the text; the dig output below is answered by 10.0.0.88 first, so the order actually in effect is master first, slave second, as the text intends.)

Test with both master and slave online

yum install -y bind-utils      # provides dig on the client

[root@centos7-liyj ~]#dig ns1.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26563
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A
;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.
;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:39 CST 2022
;; MSG SIZE  rcvd: 107
[root@centos7-liyj ~]#dig ns2.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7070
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A
;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns1.magedu.org.
magedu.org.        86400    IN    NS    ns2.magedu.org.
;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; Query time: 0 msec
;; SERVER: 10.0.0.88#53(10.0.0.88)
;; WHEN: Mon May 02 18:04:47 CST 2022
;; MSG SIZE  rcvd: 107
Both names resolve, answered by the master (SERVER: 10.0.0.88).


Master DNS server goes down

[root@centos8-liyj ~]#systemctl stop named
[root@centos8-liyj ~]#systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

Client-side resolution

[root@centos7-liyj ~]#dig ns2.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns2.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57974
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns2.magedu.org.            IN    A
;; ANSWER SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns2.magedu.org.
magedu.org.        86400    IN    NS    ns1.magedu.org.
;; ADDITIONAL SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:26 CST 2022
;; MSG SIZE  rcvd: 107
[root@centos7-liyj ~]#dig ns1.magedu.org
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> ns1.magedu.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3739
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns1.magedu.org.            IN    A
;; ANSWER SECTION:
ns1.magedu.org.        86400    IN    A    10.0.0.88
;; AUTHORITY SECTION:
magedu.org.        86400    IN    NS    ns2.magedu.org.
magedu.org.        86400    IN    NS    ns1.magedu.org.
;; ADDITIONAL SECTION:
ns2.magedu.org.        86400    IN    A    10.0.0.77
;; Query time: 1 msec
;; SERVER: 10.0.0.77#53(10.0.0.77)
;; WHEN: Mon May 02 18:11:37 CST 2022
;; MSG SIZE  rcvd: 107
Both names still resolve; the answers now come from the slave (SERVER: 10.0.0.77), so failover works. Keep in mind that the stub resolver tries the nameservers in /etc/resolv.conf in order and only moves on after the first one times out (5 seconds per attempt by default in glibc, tunable with options timeout:n attempts:n), so every lookup on this client is slower for as long as the master is down; dig falls through the same list in the same way.

 
