The lab environment is as follows:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Internal DNS server; its gateway is 172.16.0.1, which is directly connected to the Internet and also provides DNS |
| 192.168.5.182 | Internal client |
Experiment steps:

Install bind on the 192.168.5.181 machine:

```shell
yum install -y bind
```
Edit /etc/named.conf as shown below. Change allow-query to any so that every host is allowed to send DNS queries; add forward only and forwarders { 172.16.0.1; } to enable global forwarding, so that anything not defined by a zone on 192.168.5.181 is forwarded to 172.16.0.1 for resolution; set recursion yes to support recursive queries; and, since this is only a lab, change dnssec-enable and dnssec-validation to no:

```
options {
//      listen-on port 53 { 192.168.5.181; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forward only;
        forwarders { 172.16.0.1; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Define two zones in /etc/named.rfc1912.zones, one for forward resolution and one for reverse resolution. Note that the name of a reverse zone must follow this format: write the network portion of the address in reverse order and append the .in-addr.arpa suffix. For example, the reverse zone for the 192.168.10 network is written as 10.168.192.in-addr.arpa:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};

zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
```
From /etc/named.conf we can see that directory is /var/named, so create the files tester.com.zone and 192.168.5.zone there. Note: as a security measure, change the group owner of both files to named and remove all permissions for others:

```shell
cd /var/named
chmod o= tester.com.zone 192.168.5.zone
chown :named tester.com.zone 192.168.5.zone
```
Edit tester.com.zone as shown below:

TTL is the time a record is cached by DNS clients or resolvers, in seconds by default; here it is set to 600 seconds.

SOA is the Start of Authority record. A zone file has exactly one SOA record, and it must be the first record.

Inside the parentheses, 2017052201 is the serial number; it is incremented whenever the master zone data changes.

30m is the refresh interval: how often the slave server checks the master for a serial number change.

2m is the retry interval: how long the slave waits before trying again after a synchronization request to the master fails.

1h is the expire time of 1 hour: how long after losing contact with the master the slave gives up synchronizing data from it.

1h is the negative caching TTL of 1 hour: how long this DNS server keeps a "record not found" answer returned by the upstream DNS.

The "@" symbol refers to the zone name, which is defined in /etc/named.rfc1912.zones as tester.com. and 5.168.192.in-addr.arpa. respectively.

NS is the name server record; it gives the FQDN of the DNS server itself. There can be several NS records, one of which is the primary DNS.

A is the address record: here the A address of 17.tester.com. is 192.168.5.181.

CNAME is the alias record: web.tester.com. is an alias of 17.tester.com.

```
$TTL 600
tester.com.  IN SOA  tester.com. mail.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
@     IN NS     17.tester.com.
17    IN A      192.168.5.181
web   IN CNAME  17
```
Edit 192.168.5.zone as shown below:

PTR is the pointer type, which points to another domain name; here it points to 17.tester.com.

```
$TTL 1200
@    IN SOA  tester.com. mail.tester.com. (
                2017052301
                3h
                20m
                1w
                1d )
@    IN NS   17.tester.com.
181  IN PTR  17.tester.com.
```
保存之后,用systemctl start named.service
命令重啟服務,通過ss -tunl
命令查看53端口是否處于監聽狀態:
$ systemctl start named.service $ ss -tunl | grep -E "\b53\b" | awk -F" " '{$NF=" "; print $0}' udp UNCONN 0 0 172.16.252.238:53 udp UNCONN 0 0 192.168.5.181:53 udp UNCONN 0 0 127.0.0.1:53 udp UNCONN 0 0 ::1:53 tcp LISTEN 0 10 172.16.252.238:53 tcp LISTEN 0 10 192.168.5.181:53 tcp LISTEN 0 10 127.0.0.1:53 tcp LISTEN 0 10 ::1:53
Run query tests from 192.168.5.182 with dig:

```text
Resolving an A record:
[root@centos7-front2 ~]# dig -t A www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      A

;; ANSWER SECTION:
www.baidu.com.          357     IN      CNAME   www.a.shifen.com.
www.a.shifen.com.       168     IN      A       61.135.169.125
www.a.shifen.com.       168     IN      A       61.135.169.121

;; AUTHORITY SECTION:
a.shifen.com.           466     IN      NS      ns4.a.shifen.com.
a.shifen.com.           466     IN      NS      ns2.a.shifen.com.
a.shifen.com.           466     IN      NS      ns3.a.shifen.com.
a.shifen.com.           466     IN      NS      ns1.a.shifen.com.
a.shifen.com.           466     IN      NS      ns5.a.shifen.com.

;; ADDITIONAL SECTION:
ns5.a.shifen.com.       466     IN      A       119.75.222.17
ns1.a.shifen.com.       466     IN      A       61.135.165.224
ns2.a.shifen.com.       466     IN      A       180.149.133.241
ns3.a.shifen.com.       466     IN      A       61.135.162.215
ns4.a.shifen.com.       466     IN      A       115.239.210.176

;; Query time: 4 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:43:09 CST 2017
;; MSG SIZE  rcvd: 271

----------------------------------------------------------------------
Resolving an A record:
[root@centos7-front2 ~]# dig -t A 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52596
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      A

;; ANSWER SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; AUTHORITY SECTION:
tester.com.             600     IN      NS      17.tester.com.

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:44:11 CST 2017
;; MSG SIZE  rcvd: 72

-------------------------------------------------------------------------
Resolving NS records:
[root@centos7-front2 ~]# dig -t NS 17.tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31428
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com.                 IN      NS

;; AUTHORITY SECTION:
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600

;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:12 CST 2017
;; MSG SIZE  rcvd: 83

[root@centos7-front2 ~]# dig -t NS www.baidu.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.                 IN      NS

;; ANSWER SECTION:
www.baidu.com.          764     IN      CNAME   www.a.shifen.com.

;; AUTHORITY SECTION:
a.shifen.com.           600     IN      SOA     ns1.a.shifen.com. baidu_dns_master.baidu.com. 1705230072 5 5 86400 3600

;; Query time: 15 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:24 CST 2017
;; MSG SIZE  rcvd: 126

---------------------------------------------------------------------------
Reverse resolution:
[root@centos7-front2 ~]# dig -x 192.168.5.181 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.5.181 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51386
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;181.5.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
181.5.168.192.in-addr.arpa. 1200 IN     PTR     17.tester.com.

;; AUTHORITY SECTION:
5.168.192.in-addr.arpa. 1200    IN      NS      17.tester.com.

;; ADDITIONAL SECTION:
17.tester.com.          600     IN      A       192.168.5.181

;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:14 CST 2017
;; MSG SIZE  rcvd: 112

[root@centos7-front2 ~]# dig -x 61.135.169.125 @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 61.135.169.125 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;125.169.135.61.in-addr.arpa.   IN      PTR

;; AUTHORITY SECTION:
169.135.61.in-addr.arpa. 7200   IN      SOA     dns.baidu.com. sa.baidu.com. 2012091801 300 600 2592000 7200

;; Query time: 7 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:52 CST 2017
;; MSG SIZE  rcvd: 108
```
The lab environment is as follows:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Master DNS server, can reach the Internet |
| 192.168.5.182 | Slave DNS server, can reach the Internet |
| 192.168.5.99 | Test client, internal network only |
The master DNS server configuration is basically the same as in the single-node forward + reverse + recursion experiment above, except that a slave DNS server is added here, so one more NS record is needed. The named.rfc1912.zones file still contains:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};

zone "5.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.5.zone";
};
```
添加NS記錄之后的tester.com.zone文件如下所示:
$TTL 600 tester.com. IN SOA tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h ) @ IN NS 17.tester.com. @ IN NS 18.tester.com. 17 IN A 192.168.5.181 18 IN A 192.168.5.182 web IN CNAME 17
對于從服務器,首先利用yum install -y bind bind-utils
命令安裝bind,然后修改/etc/named.conf文件,使得主從兩臺服務器的該文件一樣。之后在/etc/named.rfc1912.zones文件里面編輯添加如下內容,指明type類型為slave類型,zone配置文件的相對位置為slaves/<FILE NAME>,即實際位置為/var/named/slaves/<FILE NAME> master主服務器節點的IP地址為192.168.5.181:
zone "tester.com" IN { type slave; file "slaves/tester.com.zone"; masters { 192.168.5.181; }; }; zone "5.168.192.in-addr.arpa" IN { type slave; file "slaves/192.168.5.zone"; masters { 192.168.5.181; }; };
配置完成之后,先啟動主服務器的dns服務,之后再啟動從服務器的dns服務。在從服務器的日志文件里面可以看到如下內容,表明transfer已經完成:
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: Transfer started. May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: connected using 192.168.5.182#53834 May 24 05:36:02 centos7-front2 systemd: Started Berkeley Internet Name Domain (DNS). May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: transferred serial 2017052301 May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 6 records, 197 bytes, 0.001 secs (197000 bytes/sec) May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: sending notifies (serial 2017052301) May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: Transfer started. May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: connected using 192.168.5.182#33001 May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: transferred serial 2017052201 May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 7 records, 189 bytes, 0.003 secs (63000 bytes/sec) May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: sending notifies (serial 2017052201)
Two new files appear under /var/named/slaves on the slave node; these are the zone files synchronized from the master:

```text
$ cd /var/named/slaves/
$ ls
192.168.5.zone  tester.com.zone
```
Query from the client:

```text
$ nslookup -type=A 17.tester.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=A 17.tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Name:   17.tester.com
Address: 192.168.5.181

$ nslookup -type=NS tester.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

tester.com      nameserver = 17.tester.com.
tester.com      nameserver = 18.tester.com.

$ nslookup 192.168.5.181 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

181.5.168.192.in-addr.arpa      name = 17.tester.com.

$ nslookup -type=NS baidu.com 192.168.5.181
Server:         192.168.5.181
Address:        192.168.5.181#53

Non-authoritative answer:
baidu.com       nameserver = ns3.baidu.com.
baidu.com       nameserver = ns2.baidu.com.
baidu.com       nameserver = ns7.baidu.com.
baidu.com       nameserver = ns4.baidu.com.
baidu.com       nameserver = dns.baidu.com.

Authoritative answers can be found from:
ns3.baidu.com   internet address = 220.181.37.10
ns4.baidu.com   internet address = 220.181.38.10
ns2.baidu.com   internet address = 61.135.165.235
ns7.baidu.com   internet address = 119.75.219.82
dns.baidu.com   internet address = 202.108.22.220

$ nslookup -type=A www.baidu.com 192.168.5.182
Server:         192.168.5.182
Address:        192.168.5.182#53

Non-authoritative answer:
www.baidu.com   canonical name = www.a.shifen.com.
Name:   www.a.shifen.com
Address: 61.135.169.125
Name:   www.a.shifen.com
Address: 61.135.169.121
```
Note! If the zone configuration on the master changes, you must manually increment the serial number by 1, save the file, and then reload with rndc reload. Only then does the master send a notify message to the slave, after which the slave performs an incremental synchronization of the zone file.
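The SOA fields explained earlier and the serial-increment rule above can be checked mechanically before a reload. The following is an added example, not code from the original post: it parses the SOA of a zone file in the format used here, converts the 30m/2m/1h timers to the seconds that dig displays, and computes the next serial under the post's YYYYMMDDnn convention. The sample zone text is constructed from the post's tester.com.zone.

```python
"""Sanity-check a zone file's SOA before 'rndc reload'. Added example, not
from the original post: it reads the SOA in the zone-file format used on
the page (durations such as 30m/2m/1h), converts them to the seconds that
dig prints (1800 120 3600 3600), and computes the next serial under the
YYYYMMDDnn convention the post follows (2017052201 -> 2017052202)."""
import re

# Constructed sample input: the tester.com.zone file from the post.
ZONE_TEXT = """$TTL 600
tester.com.  IN SOA  tester.com. mail.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
@     IN NS     17.tester.com.
17    IN A      192.168.5.181
web   IN CNAME  17
"""

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def duration_to_seconds(value):
    """Convert a BIND duration such as '30m', '1h30m', '1w' or '600' to seconds."""
    value = value.lower()
    if not re.fullmatch(r"(\d+[smhdw]?)+", value):
        raise ValueError(f"bad duration: {value}")
    return sum(int(n) * UNIT_SECONDS[u or "s"]
               for n, u in re.findall(r"(\d+)([smhdw]?)", value))

def parse_soa(zone_text):
    """Return the SOA fields as a dict; the four timers are converted to seconds."""
    text = re.sub(r";.*", "", zone_text)          # drop zone-file comments
    m = re.search(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)", text)
    if not m:
        raise ValueError("no SOA record found")
    fields = m.group(3).split()
    if len(fields) != 5:
        raise ValueError("SOA needs serial, refresh, retry, expire, minimum")
    soa = {"mname": m.group(1), "rname": m.group(2), "serial": int(fields[0])}
    for key, raw in zip(("refresh", "retry", "expire", "minimum"), fields[1:]):
        soa[key] = duration_to_seconds(raw)
    return soa

def next_serial(current, today):
    """Next serial in YYYYMMDDnn form; 'today' is a 'YYYYMMDD' string."""
    if current // 100 >= int(today):   # already bumped today (or clock skew):
        return current + 1             # just keep it monotonic
    return int(today) * 100 + 1        # first change on a new day

def serial_advanced(old, new):
    """True if a slave holding 'old' will fetch 'new' (RFC 1982 comparison)."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)

if __name__ == "__main__":
    soa = parse_soa(ZONE_TEXT)
    print(soa)                                     # serial 2017052201, refresh 1800, ...
    print(next_serial(soa["serial"], "20170522"))  # 2017052202
```

A slave only transfers when serial_advanced(old, new) holds, which is why editing a record without bumping the serial leaves the slave stale.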
The lab environment is as follows:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Parent-domain DNS, domain tester.com., can reach the Internet |
| 192.168.5.182 | Subdomain DNS, domain ops.tester.com., can reach the Internet |
| 192.168.5.99 | Test client, internal network only |

Goal: the parent domain tester.com. delegates the subdomain ops.tester.com., and the client is used to verify the result.

Steps:
On the parent-domain node, edit the options section of /etc/named.conf as follows. listen-on is commented out so that the node listens on all of its addresses; allow-query is any, so every client may query; forward first together with forwarders means that, because this node can reach the Internet, a query it receives is first forwarded to the subdomain server, then, if the subdomain cannot find it, to the Internet forwarder, and only if that fails does the node resolve it locally:

```
......
......
//      listen-on port 53 { 192.168.5.181; };
        allow-query     { any; };
        forward first;
        forwarders { 192.168.5.182; 20.20.20.1; };
......
......
```
Edit /etc/named.rfc1912.zones as follows:

```
......
......
zone "tester.com" IN {
        type master;
        file "tester.com.zone";
};
......
......
```
Edit /var/named/tester.com.zone as follows; it delegates the subdomain ops.tester.com. to the name server dns1.ops.tester.com.:

```
$TTL 600
tester.com.  IN SOA  tester.com. mail.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
@                IN NS   17.tester.com.
17               IN A    192.168.5.181
ops.tester.com.  IN NS   dns1.ops.tester.com.
dns1.ops         IN A    192.168.5.182
```
On the subdomain node, configure /etc/named.conf as follows:

```
......
......
//      listen-on port 53 { 127.0.0.1; };
        allow-query     { any; };
        forward only;
        forwarders { 20.20.20.1; };
......
......
```
The subdomain node's /etc/named.rfc1912.zones is shown below. The first zone is ops.tester.com., which the parent delegated; the purpose of the second zone is to let the subdomain server forward queries for the parent zone directly to the parent server instead of going to the root servers:

```
......
......
zone "ops.tester.com" IN {
        type master;
        file "ops.tester.com.zone";
};

zone "tester.com" IN {
        type forward;
        forward only;
        forwarders { 192.168.5.181; };
};
......
......
```
The subdomain node's /var/named/ops.tester.com.zone is shown below. The SOA names the DNS server for this zone, dns1.ops.tester.com., and an A record named kali is defined within the zone:

```
$TTL 600
@       IN SOA  dns1.ops.tester.com. mail.ops.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
        IN NS   dns1
dns1    IN A    192.168.5.182
kali    IN A    192.168.5.99
```
保存并在兩個節點上使用rndc reload
重載配置文件,在客戶端上面使用nslookup進行測試結果如下所示:
從父域DNS上面對子域的域名服務記錄進行查詢,用以驗證自語授權: $ dig -t NS ops.tester.com @192.168.5.181 +nocomments ; <<>> DiG 9.10.3-P4-Debian <<>> -t NS ops.tester.com @192.168.5.181 +nocomments ;; global options: +cmd ;ops.tester.com. IN NS ops.tester.com. 600 IN NS dns1.ops.tester.com. dns1.ops.tester.com. 600 IN A 192.168.5.182 ;; Query time: 3 msec ;; SERVER: 192.168.5.181#53(192.168.5.181) ;; WHEN: Fri May 26 14:29:51 HKT 2017 ;; MSG SIZE rcvd: 78 從父域DNS上面對子域的A記錄進行查詢 $ dig -t A kali.ops.tester.com @192.168.5.181 +nocomments ; <<>> DiG 9.10.3-P4-Debian <<>> -t A kali.ops.tester.com @192.168.5.181 +nocomments ;; global options: +cmd ;kali.ops.tester.com. IN A kali.ops.tester.com. 600 IN A 192.168.5.99 ops.tester.com. 585 IN NS dns1.ops.tester.com. dns1.ops.tester.com. 585 IN A 192.168.5.182 ;; Query time: 1 msec ;; SERVER: 192.168.5.181#53(192.168.5.181) ;; WHEN: Fri May 26 14:30:06 HKT 2017 ;; MSG SIZE rcvd: 99 從父域的DNS上面對于外網A記錄的查詢,用以驗證全局forward: $ dig -t A www.baidu.com @192.168.5.181 +nocomments ; <<>> DiG 9.10.3-P4-Debian <<>> -t A www.baidu.com @192.168.5.181 +nocomments ;; global options: +cmd ;www.baidu.com. IN A www.baidu.com. 600 IN CNAME www.a.shifen.com. www.a.shifen.com. 600 IN A 119.75.218.70 www.a.shifen.com. 600 IN A 119.75.217.109 a.shifen.com. 851 IN NS ns4.a.shifen.com. a.shifen.com. 851 IN NS ns2.a.shifen.com. a.shifen.com. 851 IN NS ns3.a.shifen.com. a.shifen.com. 851 IN NS ns5.a.shifen.com. a.shifen.com. 851 IN NS ns1.a.shifen.com. ns2.a.shifen.com. 33 IN A 180.149.133.241 ns4.a.shifen.com. 33 IN A 115.239.210.176 ns5.a.shifen.com. 151 IN A 119.75.222.17 ns3.a.shifen.com. 32 IN A 61.135.162.215 ns1.a.shifen.com. 299 IN A 61.135.165.224 ;; Query time: 21 msec ;; SERVER: 192.168.5.181#53(192.168.5.181) ;; WHEN: Fri May 26 14:30:23 HKT 2017 ;; MSG SIZE rcvd: 271 從子域對父域的A記錄進行查詢,用以驗證zone的forward $ dig -t A 17.tester.com @192.168.5.182 +nocomments ; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.182 +nocomments ;; global options: +cmd ;17.tester.com. 
IN A 17.tester.com. 600 IN A 192.168.5.181 tester.com. 600 IN NS 17.tester.com. ;; Query time: 1 msec ;; SERVER: 192.168.5.182#53(192.168.5.182) ;; WHEN: Fri May 26 14:30:43 HKT 2017 ;; MSG SIZE rcvd: 72
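A delegation like the one above silently breaks when the parent's NS record, its glue A record and the child's apex NS drift apart. The following is an added example, not code from the original post: a minimal zone-file reader plus a consistency check over the two zone files of this experiment (the sample text is constructed from them, with the SOA written on one line so the reader can skip it).

```python
"""Check the parent/child delegation from the post: tester.com delegates
ops.tester.com with an NS record plus a glue A record, and the child zone must
publish the same NS at its apex. Added example, not from the original post;
the mini parser only understands the 'owner [TTL] [IN] TYPE rdata' lines used here."""

# Constructed sample input: the two zone files of the experiment (SOA on one line so the parser can skip it).
PARENT_ORIGIN = "tester.com."
PARENT_ZONE = """$TTL 600
tester.com.      IN SOA  tester.com. mail.tester.com. ( 2017052201 30m 2m 1h 1h )
@                IN NS   17.tester.com.
17               IN A    192.168.5.181
ops.tester.com.  IN NS   dns1.ops.tester.com.
dns1.ops         IN A    192.168.5.182
"""
CHILD_ORIGIN = "ops.tester.com."
CHILD_ZONE = """$TTL 600
@        IN SOA  dns1.ops.tester.com. mail.ops.tester.com. ( 2017052201 30m 2m 1h 1h )
         IN NS   dns1
dns1     IN A    192.168.5.182
kali     IN A    192.168.5.99
"""
NAME_TYPES = {"NS", "CNAME", "PTR"}   # rdata is a name that may be relative

def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return [(owner, type, rdata)] with absolute names; $ lines and SOA skipped."""
    records, owner = [], origin
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()      # strip comments
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():               # column-1 name sets the owner
            owner = absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():      # optional per-record TTL
            fields.pop(0)
        if fields and fields[0] == "IN":
            fields.pop(0)
        rtype, rdata = fields[0], " ".join(fields[1:])
        if rtype == "SOA":
            continue
        records.append((owner, rtype, absolute(rdata, origin) if rtype in NAME_TYPES else rdata))
    return records

def check_delegation(parent_text, parent_origin, child_text, child_origin):
    """Return a list of delegation problems; an empty list means it is consistent."""
    parent = parse_zone(parent_text, parent_origin)
    child = parse_zone(child_text, child_origin)
    parent_ns = {r for o, t, r in parent if o == child_origin and t == "NS"}
    child_ns = {r for o, t, r in child if o == child_origin and t == "NS"}
    glue = {o for o, t, r in parent if t == "A"}
    problems = []
    if not parent_ns:
        problems.append(f"parent does not delegate {child_origin}")
    for ns in sorted(parent_ns - child_ns):
        problems.append(f"{ns} is delegated by the parent but is not an NS at the child apex")
    for ns in sorted(child_ns - parent_ns):
        problems.append(f"{ns} is an NS at the child apex but not delegated by the parent")
    for ns in sorted(parent_ns):
        if ns.endswith("." + child_origin) and ns not in glue:   # in-zone NS needs glue
            problems.append(f"no glue A record for {ns} in the parent zone")
    return problems
```

Run check_delegation on both files after every edit; a non-empty list is exactly the situation in which the parent hands out a referral the child cannot honour.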
Lab environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Master DNS server, connected to the Internet |
| 192.168.5.182 | Client 1 |
| 192.168.5.99 | Client 2 |

Building on experiment one above, add an acl and experiment again.

Globally, add an acl to /etc/named.conf so that client 1 can query but client 2 cannot:
```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl client1 { 192.168.5.182/32; };
```
針對于局部zone的情況下,也可以在/etc/named.rfc1912.zone文件里面的tester.com這個zone里面添加allow query { client1; };
,也可以在/etc/named.conf的全局option段里面將allow query { any };
修改為allow query { client1 };
添加完畢,rndc reload
之后,分別在兩臺客戶端上面測試:
```text
Test on client 1: the query succeeds
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       192.168.5.181
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:02:00 CST 2017
;; MSG SIZE  rcvd: 72

Test on client 2: the query fails
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:03:01 HKT 2017
;; MSG SIZE  rcvd: 42
```
Replace allow-query with allow-transfer, the option that controls who may perform zone transfers, and test again:

```text
Zone transfer from client 1 succeeds
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
tester.com.             600     IN      NS      17.tester.com.
17.tester.com.          600     IN      A       192.168.5.181
ops.tester.com.         600     IN      NS      dns1.ops.tester.com.
dns1.ops.tester.com.    600     IN      A       192.168.5.182
tester.com.             600     IN      SOA     tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
;; Query time: 2 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:14:39 CST 2017
;; XFR size: 6 records (messages 1, bytes 177)

Zone transfer from client 2 fails
$ dig -t axfr tester.com @192.168.5.181

; <<>> DiG 9.10.3-P4-Debian <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
; Transfer failed.
```
Other commonly used access-control directives are allow-recursion and allow-update: respectively, the ACL of hosts allowed to make recursive queries through this DNS server, and the ACL of hosts allowed to dynamically update the zone database files.
Lab environment:

| Host IP | Description |
|---|---|
| 192.168.5.181 | Master DNS server, connected to the Internet |
| 192.168.5.182 | Client 1 |
| 192.168.5.99 | Client 2 |

Goal: client 1 resolving 17.tester.com gets the IP address 1.1.1.1, while client 2 resolving 17.tester.com gets 2.2.2.2.

Edit /etc/named.conf on the master DNS server exactly as in experiment one.

Delete the following from /etc/named.conf, otherwise named reports an error (once views are defined, every zone, including the root hint zone, must be placed inside a view):
```
zone "." IN {
        type hint;
        file "named.ca";
};
```
Edit /etc/named.rfc1912.zones as follows: wrap the system-defined zones in a view named client1 and create a second view named client2. The client1 view matches 192.168.5.182 and sets the zone file for tester.com. to client1.zone; the client2 view matches 192.168.5.99 and sets the zone file for tester.com. to client2.zone:

```
view client1 {
        match-clients { 192.168.5.182/32; };

        zone "localhost.localdomain" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "localhost" IN {
                type master;
                file "named.localhost";
                allow-update { none; };
        };

        zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "1.0.0.127.in-addr.arpa" IN {
                type master;
                file "named.loopback";
                allow-update { none; };
        };

        zone "0.in-addr.arpa" IN {
                type master;
                file "named.empty";
                allow-update { none; };
        };

        zone "tester.com" IN {
                type master;
                file "client1.zone";
        };
};

view client2 {
        match-clients { 192.168.5.99/32; };

        zone "tester.com" IN {
                type master;
                file "client2.zone";
        };
};
```
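Both the acl experiment above (allow-query / allow-transfer) and the match-clients of these two views are evaluated by named as address-match lists: elements are tried in order, the first hit decides, a leading "!" negates, and an acl name expands to its own list. The following is an added example, not code from the original post, that reproduces this evaluation in Python so a configuration can be checked offline; the acl text and the extra "internal" acl are constructed for the demo.

```python
"""Evaluate BIND address-match lists (acl, allow-query, allow-transfer and
the match-clients of a view) the way named does: elements are tried in
order, the first match decides, '!' negates, 'any'/'none' are built in, and
an acl name expands to its own list. Added example, not from the original
post; the tiny parser only understands 'acl NAME { ...; };' statements."""
import ipaddress
import re

# Constructed sample: the acl from the post's ACL experiment plus a second one
# for client 2, so the same lists can also drive the two views.
NAMED_CONF_ACLS = """
acl client1 { 192.168.5.182/32; };
acl client2 { 192.168.5.99/32; };
acl internal { client1; client2; };
"""
ACL_RE = re.compile(r"\bacl\s+(\S+)\s*\{([^}]*)\}")

def parse_acls(conf_text):
    """Collect 'acl name { a; b; };' statements into {name: [elements]}."""
    return {name: [e.strip() for e in body.split(";") if e.strip()]
            for name, body in ACL_RE.findall(conf_text)}

def matches(client_ip, match_list, acls, depth=0):
    """True if the address-match list accepts client_ip; no match means deny."""
    if depth > 16:
        raise ValueError("acl nesting too deep")
    ip = ipaddress.ip_address(client_ip)
    for element in match_list:
        negated = element.startswith("!")
        item = element[1:].strip() if negated else element
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in acls:                       # nested acl name
            hit = matches(client_ip, acls[item], acls, depth + 1)
        else:                                    # address or prefix
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:                                  # first match decides
            return not negated
    return False

def select_view(client_ip, views, acls):
    """Views are tried in definition order; the first match-clients hit wins."""
    for name, match_clients in views:
        if matches(client_ip, match_clients, acls):
            return name
    return None          # named refuses queries that match no view

ACLS = parse_acls(NAMED_CONF_ACLS)
# The post's allow-transfer { client1; } and the match-clients of its two views.
ALLOW_TRANSFER = ["client1"]
VIEWS = [("client1", ["client1"]), ("client2", ["client2"])]

if __name__ == "__main__":
    for ip in ("192.168.5.182", "192.168.5.99", "10.0.0.1"):
        print(ip, "axfr allowed:", matches(ip, ALLOW_TRANSFER, ACLS),
              "view:", select_view(ip, VIEWS, ACLS))
```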
Edit the client1 and client2 zone files as follows:

```text
$ cat /var/named/client1.zone
$TTL 600
tester.com.  IN SOA  tester.com. mail.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
@     IN NS  17.tester.com.
17    IN A   1.1.1.1

$ cat /var/named/client2.zone
$TTL 600
tester.com.  IN SOA  tester.com. mail.tester.com. (
                2017052201
                30m
                2m
                1h
                1h )
@     IN NS  17.tester.com.
17    IN A   2.2.2.2
```
After reloading with rndc reload, test the result on each of the two clients:

```text
Client 1 resolves it to 1.1.1.1
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       1.1.1.1
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:29:48 CST 2017
;; MSG SIZE  rcvd: 72

Client 2 resolves it to 2.2.2.2
$ dig -t A 17.tester.com @192.168.5.181 +nocomments

; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com.                 IN      A
17.tester.com.          600     IN      A       2.2.2.2
tester.com.             600     IN      NS      17.tester.com.
;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:23:32 HKT 2017
;; MSG SIZE  rcvd: 7
```