
DNS Domain Name Resolution

Contents

  • I. Introduction
    • 1. Overview
    • 2. Structure
    • 3. How it works
  • II. Master server
    • 1. Overview
    • 2. Installation
    • 3. Parameters
      • ⑴ Configuration files
      • ⑵ Parameters
        • ❶ Main configuration
        • ❷ Zone configuration
        • ❸ Forward-resolution template file
    • 4. Commands
      • ⑴ Syntax-check command
      • ⑵ nslookup
    • 5. Configuration
      • ⑴ Forward resolution
        • ❶ Install
        • ❷ Edit the main configuration file
        • ❸ Edit the zone configuration file
        • ❹ Edit the zone data file
        • ❺ Configure the DNS client setting
        • ❻ Check resolution records
      • ⑵ Reverse resolution
        • ❶ Edit the zone configuration file
        • ❷ Edit the zone data file
        • ❸ Check resolution records
  • III. Slave server
    • 1. Overview
    • 2. Configuration
      • ⑴ Master server
        • ❶ Main configuration
        • ❷ Firewall
      • ⑵ Slave server
        • ❶ Slave server
        • ❷ Local DNS setting
        • ❸ Check resolution records
  • IV. TSIG encrypted transfer
    • 1. Overview
    • 2. Parameters
    • 3. Configuration
      • ⑴ Master server
        • ❶ Clear the resolution files on the slave
        • ❷ Generate the key on the master
        • ❸ Create the key verification file
        • ❹ Enable key verification
      • ⑵ Slave server
        • ❶ Clear all zone data files in the slave's sync directory
        • ❷ Add key support on the slave
        • ❸ Enable key verification
        • ❹ Verify that the slave obtains the zones
  • V. Cache server
    • 1. Server side
      • ❶ Add cache forwarding parameters to the main configuration file
      • ❷ Allow DNS through the firewall
    • 2. Client side
      • ❶ Point the client's DNS at the cache server's IP address
      • ❷ Check resolution
  • VI. Split resolution

I. Introduction

1. Overview

DNS (Domain Name System), the domain name resolution service

  • A technology for managing and resolving the mapping between domain names and IP addresses
  • Forward resolution: resolves a domain name to an IP address
  • Reverse resolution: resolves an IP address to a domain name
  • A distributed database system that records the mapping between domain names and IP addresses

The DNS service is organised as a hierarchical directory tree.

2. Structure

Three types of DNS server:

  • Master server: unique within a given zone; it maintains the authoritative mapping between domain names and IP addresses for that zone.
  • Slave server: obtains the name-to-address mapping from the master and maintains a copy of it, so that resolution continues if the master goes down.
  • Cache server: obtains name-to-address mappings by querying other name servers and keeps frequently queried records locally, which makes repeated queries faster.

3. How it works

A name lookup initiated by a client can proceed in one of two ways: a recursive query or an iterative query.

  • Recursive query: when the DNS server receives the client's request it must return a definitive answer. If the server has no matching record locally, it queries other servers itself and hands the returned result to the client.
  • Iterative query: when the DNS server receives the request it does not answer directly; instead it refers the client to the address of another DNS server. The client then queries that server, and the process repeats until an answer is returned.

II. Master server

1. Overview

BIND (Berkeley Internet Name Domain) is the most widely used, secure, reliable and efficient name-server program in the world.

The chroot extension package (the so-called "jail" mechanism) confines the bind service so that it can only operate on its own configuration files, which protects the rest of the server.

2. Installation

  • yum install bind-chroot

[[email protected] ~]# yum install bind-chroot
Installed:
  bind-chroot-32:9.11.4-16.P2.el8.x86_64
  bind-32:9.11.4-16.P2.el8.x86_64

Complete!

3. Parameters

⑴ Configuration files

Configuration file        Path                        Description
Main configuration file   /etc/named.conf             Defines how the bind service runs
Zone configuration file   /etc/named.rfc1912.zones    Lists the zones and where each zone's name-to-address data is kept
Zone data directory       /var/named                  Holds the zone data files with the actual name-to-address records

⑵ Parameters

❶ Main configuration

  • Main configuration

    vim /etc/named.conf

  • Every IP address on the server provides DNS resolution

    listen-on port 53 { any; };

  • Anyone may send DNS queries to this server

    allow-query { any; };

[[email protected] ~]# vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        // was 127.0.0.1, changed to any:
        // every IP address on the server provides DNS resolution
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        // was localhost, changed to any:
        // anyone may send DNS queries to this server
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
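
The options block above combines recursion yes with allow-query { any; } and no allow-recursion, which is exactly the open-resolver case the file's own comment warns about. The following script is an added example (not from the original post) that extracts those options from a named.conf and reports whether it is an open resolver, using the fallback chain BIND applies when allow-recursion is unset; the two sample configurations it checks are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: reads the options{} block of a
# named.conf (passed in as a string) and flags the combination the file's own
# comment warns about: recursion on with no recursion ACL tighter than "any".
# Needs only POSIX sh and awk; both sample configs below are constructed.

# Print the value of one option inside options{}, comments stripped ("" if unset).
bind_option() {   # $1 = config text, $2 = option name
    printf '%s\n' "$1" | awk -v opt="$2" '
        /\/\*/ { inc = 1 }                       # entering a /* */ comment
        /\*\// { inc = 0; next }                 # leaving it
        inc { next }
        { sub(/\/\/.*/, "") }                    # drop // comments
        /^[[:space:]]*options[[:space:]]*[{]/ { inopts = 1; next }
        inopts && /^[[:space:]]*[}];/ { exit }   # end of options{}
        inopts && $1 == opt {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]*/, "")   # drop the name
            sub(/;[[:space:]]*$/, "")                           # drop the ;
            print; exit
        }'
}
# BIND falls back along this chain when allow-recursion itself is not set.
effective_recursion_acl() {   # $1 = config text
    for opt in allow-recursion allow-query-cache allow-query; do
        v=$(bind_option "$1" "$opt")
        [ -n "$v" ] && { printf '%s\n' "$v"; return 0; }
    done
    printf '%s\n' "{ localnets; localhost; }"    # BIND built-in default
}
# Exit 0 when any client on the Internet may recurse through this server.
is_open_resolver() {   # $1 = config text
    rec=$(bind_option "$1" recursion)
    [ -z "$rec" ] && rec=yes                     # recursion defaults to yes
    [ "$rec" = "yes" ] || return 1
    case "$(effective_recursion_acl "$1" | tr -d '[:space:]')" in
        '{any;}') return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed samples: the post's settings, then the same file with a recursion ACL.
OPEN_CONF='options {
        listen-on port 53 { any; };
        /* authoritative servers should not enable recursion */
        allow-query     { any; };
        recursion yes;
};'
HARDENED_CONF='options {
        listen-on port 53 { any; };
        allow-query     { any; };
        allow-recursion { 192.168.10.0/24; localhost; };
        recursion yes;
};'
is_open_resolver "$OPEN_CONF"     && echo "sample 1: open resolver"
is_open_resolver "$HARDENED_CONF" || echo "sample 2: recursion restricted"
```

To check a live file, pass its contents with `is_open_resolver "$(cat /etc/named.conf)"`.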
           

❷ Zone configuration

  • Zone configuration

    vim /etc/named.rfc1912.zones

[[email protected] ~]# vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// forward resolution
zone "localhost.localdomain" IN {
        // service type
        type master;
        // where the name-to-address resolution rules for this zone are stored
        file "named.localhost";
        // which clients may dynamically update the zone's records
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
// reverse resolution
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};

❸ Forward-resolution template file

[[email protected] named]# vim named.localhost
$TTL 1D                                 ; time to live: 1 day
@       IN SOA  @ rname.invalid. (      ; start of authority: zone origin, then the administrator's mailbox
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum: how long negative answers are cached
        NS      @                       ; name server record
        A       127.0.0.1               ; address record
        AAAA    ::1

4. Commands

⑴ Syntax-check command

  • named-checkconf -z /etc/named.conf (checks the main configuration file and, with -z, also loads every zone it references)

⑵ nslookup

  • Queries a DNS server for the resolution records of a name or address

5. Configuration

⑴ Forward resolution

  • Forward resolution: resolves a domain name to an IP address

❶ Install

  • Install the service

    yum install bind-chroot

❷ Edit the main configuration file

  • Main configuration

    vim /etc/named.conf

[[email protected] ~]# vim /etc/named.conf
        listen-on port 53 { any; };
        allow-query     { any; };

❸ Edit the zone configuration file

  • Zone configuration

    vim /etc/named.rfc1912.zones

[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
        type master;
        file "test.com.zone";
        allow-update { none; };
};

❹ Edit the zone data file

  • Copy the template

    cp -a named.localhost test.com.zone

  • Zone data

    vim test.com.zone

  • systemctl restart/enable named

[[email protected] ~]# cd /var/named/
[[email protected] named]# ls -al named.localhost
-rw-r-----. 1 root named 152 Jun 21  2007 named.localhost
[[email protected] named]# cp -a named.localhost test.com.zone

[[email protected] named]# vim test.com.zone
$TTL 1D
@       IN SOA  test.com. root.test.com. (   ; names end with a dot so they are absolute
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.test.com.
ns      IN A    192.168.10.10
www     IN A    192.168.10.10

[[email protected] named]# systemctl restart named
[[email protected] named]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.

❺ Configure the DNS client setting

  • vim /etc/sysconfig/network-scripts/ifcfg-ens33

  • nmcli connection reload ens33

  • nmcli connection up ens33

[[email protected] named]# vim /etc/sysconfig/network-scripts/ifcfg-ens33
IPADDR=192.168.10.10
NETMASK=255.255.255.0
GATEWAY=192.168.10.1
DNS1=192.168.10.10

[[email protected] named]# nmcli connection up ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/4)

❻ Check resolution records

  • nslookup

[[email protected] named]# nslookup
> ns.test.com
Server:		192.168.10.10
Address:	192.168.10.10#53

Name:	ns.test.com
Address: 192.168.10.100
> exit

⑵ Reverse resolution

  • Resolves an IP address to a domain name

❶ Edit the zone configuration file

  • vim /etc/named.rfc1912.zones

[[email protected] named]# vim /etc/named.rfc1912.zones
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.arpa";
        allow-update { none; };
};

❷ Edit the zone data file

  • cp -a named.loopback 192.168.10.arpa

  • vim 192.168.10.arpa

  • systemctl restart named

[[email protected] named]# cp -a named.loopback 192.168.10.arpa
[[email protected] named]# vim 192.168.10.arpa
$TTL 1D
@       IN SOA  test.com.        root.test.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.test.com.
ns      A       192.168.10.10
10      PTR     ns.test.com.     ; resolves 192.168.10.10
10      PTR     www.test.com.    ; resolves 192.168.10.10
20      PTR     bbs.test.com.    ; resolves 192.168.10.20

[[email protected] named]# systemctl restart named

❸ Check resolution records

  • nslookup

[[email protected] named]# nslookup
> 192.168.10.10
10.10.168.192.in-addr.arpa	name = ns.test.com.
10.10.168.192.in-addr.arpa	name = www.test.com.
> 192.168.10.20
20.10.168.192.in-addr.arpa	name = bbs.test.com.
> exit

[[email protected] named]# 
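
The forward file test.com.zone and the reverse file 192.168.10.arpa above are written by hand, so the A and PTR records can drift apart and the serial stays at 0. The script below is an added example (not from the original post) that generates both files for test.com from a single host list and derives a YYYYMMDDnn serial that always increases; the host list is constructed for the demo, and ns.test.com. is assumed as the SOA primary name.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the test.com forward
# zone and its 10.168.192.in-addr.arpa reverse zone from one host list, so A
# and PTR records cannot drift apart, and derives a YYYYMMDDnn SOA serial that
# always increases. POSIX sh + awk only; the host list is constructed.
HOSTS='ns  192.168.10.10
www 192.168.10.10
bbs 192.168.10.20'

# 192.168.10.20 -> 20.10.168.192 (the owner name used for PTR lookups)
rev_ip() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'; }

# Reverse zone name for the /24 an address belongs to: 10.168.192.in-addr.arpa
reverse_zone_name() { printf '%s\n' "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }

# Next serial: same day -> counter + 1, new day -> <day>01, never below the old one.
next_serial() {   # $1 = current serial, $2 = today as YYYYMMDD
    case "$1" in
        "$2"??) cand=$(( $1 + 1 )) ;;
        *)      cand="${2}01" ;;
    esac
    [ "$cand" -gt "$1" ] || cand=$(( $1 + 1 ))   # clock went backwards: still bump
    printf '%s\n' "$cand"
}

# SOA header shared by both zones; the trailing dots make the names absolute.
soa_header() {   # $1 = serial
    cat <<EOF
\$TTL 1D
@       IN SOA  ns.test.com. root.test.com. (
                                        $1      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.test.com.
EOF
}

# Forward zone: one A record per host line.
forward_zone() {   # $1 = serial
    soa_header "$1"
    printf '%s\n' "$HOSTS" | awk '{ printf "%-8sIN A    %s\n", $1, $2 }'
}

# Reverse zone: last octet of each address -> PTR to the host's FQDN.
reverse_zone() {   # $1 = serial
    soa_header "$1"
    printf '%s\n' "$HOSTS" | awk -F'[ .]+' '{ printf "%-8sIN PTR  %s.test.com.\n", $5, $1 }'
}

SERIAL=$(next_serial 0 20210331)   # the post's zone files start at serial 0
forward_zone "$SERIAL"             # redirect into /var/named/test.com.zone to install
reverse_zone "$SERIAL"             # redirect into /var/named/192.168.10.arpa
```

Run named-checkzone on each generated file before restarting named; the generator does not validate the result itself.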
           

III. Slave server

1. Overview

Slave server

  • Can obtain the specified zone data files from the master server
  • Provides a backup of the resolution records and load balancing
  • Reduces the load on the master and improves query performance for users

2. Configuration

Server         OS          Address
Master server  centos8.3   192.168.137.100
Slave server   centos8.3   192.168.137.150

⑴ Master server

❶ Main configuration

  • vim /etc/named.rfc1912.zones

  • systemctl restart named

[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
        type master;
        file "test.com.zone";
        // only the slave may pull this zone (allow-update would instead let it push dynamic updates)
        allow-transfer { 192.168.137.150; };
};
zone "137.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.137.arpa";
        allow-transfer { 192.168.137.150; };
};
[[email protected] named]# systemctl restart named

❷ Firewall

  • iptables -F

  • iptables-save

  • firewall-cmd --permanent --zone=public --add-service=dns

  • firewall-cmd --reload

[[email protected] named]# iptables -F
[[email protected] named]# iptables-save

[[email protected] named]# firewall-cmd --permanent --zone=public --add-service=dns
success
[[email protected] named]# firewall-cmd --reload
success

⑵ Slave server

❶ Slave server

  • Install

    yum install bind-chroot

  • Main configuration

    vim /etc/named.conf

  • Zone configuration

    vim /etc/named.rfc1912.zones

  • Restart

    systemctl restart named

[[email protected] ~]# yum install bind-chroot
已安裝:
  bind-chroot-32:9.11.20-5.el8_3.1.x86_64
  bind-32:9.11.20-5.el8_3.1.x86_64

完畢!
[[email protected] ~]# vim /etc/named.conf
        listen-on port 53 { any; };
        allow-query     { any; };

[[email protected] ~]# vim /etc/named.rfc1912.zones
zone "test.com" IN {
        type slave;
        masters { 192.168.137.100; };
        file "slaves/test.com.zone";
};
zone "137.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.137.100; };
        file "slaves/192.168.137.arpa";
};
[[email protected] ~]# systemctl restart named

❷ Local DNS setting

  • nmtui

  • nmcli connection reload ens33

  • nmcli connection up ens33

[[email protected] slaves]# nmtui
[[email protected] slaves]# nmcli connection reload ens33
[[email protected] slaves]# nmcli connection up ens33

❸ Check resolution records

  • nslookup

[[email protected] slaves]# nslookup
> www.test.com
Server:		192.168.137.100
Address:	192.168.137.100#53

Name:	www.test.com
Address: 192.168.137.100
> 192.168.137.100
100.137.168.192.in-addr.arpa	name = www.test.com.
100.137.168.192.in-addr.arpa	name = ns.test.com.
> exit

IV. TSIG encrypted transfer

1. Overview

TSIG (Transaction SIGnature, RFC 2845) protects zone transfers (Zone Transfer) by having both ends sign each DNS message with a keyed hash (HMAC) computed from a secret shared between master and slave; this authenticates the transfer and detects tampering, but does not encrypt the zone contents.

2. Parameters

dnssec-keygen

Purpose: generates a secure DNS service key

Format: dnssec-keygen [parameters]

Parameter  Purpose
-a         Specifies the algorithm, including RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, etc.
-b         Key length (for HMAC-MD5, between 1 and 512 bits)
-n         Key type (HOST means the key is associated with a host)

3. Configuration

⑴ Master server

❶ Clear the resolution files on the slave

  • ls -al /var/named/slaves/

  • rm -rf /var/named/slaves/*

[[email protected] slaves]# ls -al /var/named/slaves/
總用量 8
drwxrwx---. 2 named named  51 3月  31 21:23 .
drwxrwx--T. 6 root  named 141 3月  31 20:15 ..
-rw-r--r--. 1 named named 380 3月  31 21:23 192.168.137.arpa
-rw-r--r--. 1 named named 234 3月  31 21:23 test.com.zone
[[email protected] slaves]# rm -rf /var/named/slaves/*

❷ Generate the key on the master

  • Generate a 128-bit HMAC-MD5 key file for a host named master-slave

    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave

  • ls -l Kmaster-slave.+157+18901.*

  • cat Kmaster-slave.+157+18901.private

[[email protected] ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+18901
[[email protected] ~]# ls -l Kmaster-slave.+157+18901.*
-rw-------. 1 root root  56 Mar 31 21:55 Kmaster-slave.+157+18901.key
-rw-------. 1 root root 165 Mar 31 21:55 Kmaster-slave.+157+18901.private
[[email protected] ~]# cat Kmaster-slave.+157+18901.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: W331hFvs+bPTsVhxfCv1Rg==
Bits: AAA=
Created: 20210331135515
Publish: 20210331135515
Activate: 20210331135515

❸ Create the key verification file

  • cd /var/named/chroot/etc/

  • Create the key verification file on the master

    vim transfer.key

  • Set the owner and group

    chown root:named transfer.key

  • Set the permissions

    chmod 640 transfer.key

  • Create a hard link in /etc

    ln transfer.key /etc/transfer.key

[[email protected] ~]# cd /var/named/chroot/etc/
[[email protected] etc]# vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "W331hFvs+bPTsVhxfCv1Rg==";
};
# permissions
[[email protected] etc]# chown root:named transfer.key
[[email protected] etc]# chmod 640 transfer.key
# hard link
[[email protected] etc]# ln transfer.key /etc/transfer.key

❹ Enable key verification

  • Enable key verification

    vim /etc/named.conf

  • systemctl restart named

[[email protected] etc]# vim /etc/named.conf
include "/etc/transfer.key";    // load the key file
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { any; };
        allow-transfer { key master-slave; };    // only requests signed with this key may transfer zones
        // ... remaining options unchanged
};
[[email protected] etc]# systemctl restart named

⑵ Slave server

❶ Clear all zone data files in the slave's sync directory

  • rm -rf /var/named/slaves/*

  • systemctl restart named

  • ls /var/named/slaves/

[[email protected] slaves]# rm -rf /var/named/slaves/*
[[email protected] slaves]# systemctl restart named
[[email protected] slaves]# ls  /var/named/slaves/

❷ Add key support on the slave

  • Key support on the slave (the same key clause as on the master)

    vim transfer.key

  • Set the owner and group

    chown root:named transfer.key

  • Set the permissions

    chmod 640 transfer.key

  • Create a hard link

    ln transfer.key /etc/transfer.key

[[email protected] etc]# vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "W331hFvs+bPTsVhxfCv1Rg==";
};
[[email protected] etc]# chown root:named transfer.key
[[email protected] etc]# chmod 640 transfer.key
[[email protected] etc]# ln transfer.key /etc/transfer.key
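
The transfer.key file is created by hand on the master (step ❸ above) and again on the slave (step ❷), and the secret is copied between them by eye. The script below is an added example (not from the original post) that covers both steps: it checks that a secret is valid base64 of the requested strength before writing the key clause, applies the 640 permissions, and compares the master and slave copies. It uses hmac-sha256 rather than the post's hmac-md5; the key name and secret are constructed for the demo, and the chown root:named step is left to the reader since it needs root.

```shell
#!/bin/sh
# Added example, not from the original post. Writes the transfer.key clause
# used on both master and slave, refuses a secret that is not base64 or is
# weaker than requested, applies the 640 permissions, and compares the two
# copies so a hand-copied secret cannot silently mismatch (BIND would reject
# the transfer with BADKEY). POSIX sh + awk only; the secret below is constructed.

# Decoded length of a base64 secret in bits; 0 for anything that is not base64.
tsig_secret_bits() {   # $1 = base64 string
    [ -n "$1" ] || { echo 0; return 0; }
    printf '%s\n' "$1" | awk '
        /^[A-Za-z0-9+\/]+=?=?$/ && length($0) % 4 == 0 {
            n = length($0); pad = gsub(/=/, "")  # count and strip padding
            print (n * 3 / 4 - pad) * 8; exit
        }
        { print 0 }'
}

# Write the key clause that named.conf includes; $5 is the minimum strength in bits.
write_tsig_key_file() {   # $1 = path, $2 = key name, $3 = algorithm, $4 = secret, $5 = min bits
    bits=$(tsig_secret_bits "$4")
    if [ "$bits" -lt "$5" ]; then
        echo "refusing $2: secret is $bits bits, need at least $5" >&2
        return 1
    fi
    ( umask 027; printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$2" "$3" "$4" > "$1" )
    chmod 640 "$1"        # the post additionally runs chown root:named
}

# Both copies must carry the same name, algorithm and secret (whitespace aside).
tsig_key_files_match() {   # $1, $2 = key files
    [ "$(tr -d '[:space:]' < "$1")" = "$(tr -d '[:space:]' < "$2")" ]
}

DEMO=${TMPDIR:-/tmp}/tsig-demo.$$
mkdir -p "$DEMO"
# Constructed 256-bit secret (44 base64 chars); generate real ones with tsig-keygen.
SECRET='2rXlZPt7w2iQ9q6hE0eM2Vq9l4Qw7n9+M0hTJmBv2vE='
write_tsig_key_file "$DEMO/master.key" master-slave hmac-sha256 "$SECRET" 128
write_tsig_key_file "$DEMO/slave.key"  master-slave hmac-sha256 "$SECRET" 128
tsig_key_files_match "$DEMO/master.key" "$DEMO/slave.key" && echo "master and slave key files match"
```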
           

❸ Enable key verification

  • Enable verification on the slave

    vim /etc/named.conf

  • systemctl restart named

[[email protected] etc]# vim /etc/named.conf
# load the key
include "/etc/transfer.key";
# sign every request sent to the master with this key
server 192.168.137.100
{
         keys { master-slave; };
};
[[email protected] etc]# systemctl restart named

❹ Verify that the slave obtains the zones

  • Synchronised zone data

    ls /var/named/slaves/

  • Verify resolution

    nslookup

[[email protected] etc]# ls /var/named/slaves/
192.168.137.arpa  test.com.zone
[[email protected] etc]# nslookup
> www.test.com
Server:		192.168.137.100
Address:	192.168.137.100#53

Name:	www.test.com
Address: 192.168.137.100
> 192.168.137.100
100.137.168.192.in-addr.arpa	name = www.test.com.
100.137.168.192.in-addr.arpa	name = ns.test.com.
> exit

V. Cache server

Role                      Address
External site             www.test.com
Server, external address  192.168.10.166
Server, internal address  192.168.10.10
Client, internal address  192.168.10.20

1. Server side

❶ Add cache forwarding parameters to the main configuration file

  • vim /etc/named.conf

  • systemctl restart named

[[email protected] ~]# vim /etc/named.conf
        allow-query     { any; };
        forwarders { 114.114.114.114; };
        allow-transfer { key master-slave; };

[[email protected] ~]# systemctl restart named

❷ Allow DNS through the firewall

  • iptables -F

  • iptables-save

  • firewall-cmd --permanent --zone=public --add-service=dns

  • firewall-cmd --reload

[[email protected] ~]# iptables -F
[[email protected] ~]# iptables-save
[[email protected] ~]# firewall-cmd --permanent --zone=public --add-service=dns
Warning: ALREADY_ENABLED: dns
success
[[email protected] ~]# firewall-cmd --reload
success

2. Client side

❶ Point the client's DNS at the cache server's IP address

[[email protected] ~]# nmtui
[[email protected] ~]# nmcli connection up ens33
連接配接已成功激活(D-Bus 活動路徑:/org/freedesktop/NetworkManager/ActiveConnection/6)

❷ Check resolution

  • nslookup

[[email protected] ~]# nslookup
> www.test.com
Server:		192.168.10.10
Address:	192.168.10.10#53

Name:	www.test.com
Address: 192.168.10.166
> exit

VI. Split resolution

Role            Address
Server (China)  122.71.115.10
Server (US)     56.23.52.10
Client (China)  122.71.115.1
Client (US)     56.23.52.1