
Configuring the host as the primary name server for the domain

1. Install the BIND DNS server.

[root@servera ~]# yum install bind -y      

1.1 Configure BIND as a non-recursive, authoritative DNS server for the domain and its reverse domains. The bind package already ships zones and zone files for the localhost forward and reverse lookups, but by default named listens only on the loopback interface, so its configuration has to change:

  • Make the server listen on the IPv4 and IPv6 interfaces of both localhost and servera.pvt.example.com.
  • Allow queries from localhost and from serverb.pvt.example.com (addresses 192.168.62.11 and fc62:5265:6448:6174::b).
  • Disable recursion.

The resulting /etc/named.conf is shown below. recursion no together with the allow-query ACL is what keeps the server from being used as an open resolver or a reflection amplifier; allow-query is the only access control on this server, so every address added to it should be added deliberately:

options {
        listen-on port 53 { 127.0.0.1; 192.168.62.10; };
        listen-on-v6 port 53 { ::1; fc62:5265:6448:6174::a; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 192.168.62.11; fc62:5265:6448:6174::b; };
        
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";      

1.2 Add the dns service to the firewall policy, then start the named service.

[root@servera ~]# firewall-cmd --permanent --add-service=dns
[root@servera ~]# firewall-cmd --reload
[root@servera ~]# firewall-cmd --list-all | grep service
  services: cockpit dhcpv6-client dns ssh
[root@servera ~]# systemctl enable --now named.service      

1.3 Confirm that serverb gets valid DNS responses from servera for the forward and reverse localhost lookups, giving the IP address of servera.pvt.example.com as the DNS server to query. The capture below was taken on servera itself, which matches the localhost ACL; the same command run from serverb must succeed as well, since serverb is listed in allow-query.

[root@servera ~]# host localhost.localdomain 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases: 

localhost.localdomain has address 127.0.0.1
localhost.localdomain has IPv6 address ::1      

1.4 Complete the partial zone files provided in the cr-network/files/zones directory, then install them in the /var/named directory on servera. The named.localhost and named.loopback files that ship with the package make convenient templates. Increase the SOA serial on every later edit; the 0 used below is only acceptable for the first copy, because the serial is how any secondary server detects that a zone has changed.

The forward lookup zone file /var/named/pvt.example.com.zone should have the following content:

[root@servera ~]# rpm -qc bind
/var/named/named.localhost
/var/named/named.loopback

[root@servera ~]# cp /var/named/named.localhost /var/named/pvt.example.com.zone
[root@servera ~]# vim /var/named/pvt.example.com.zone
$TTL 1D
@ IN SOA  servera.pvt.example.com. dnslab.example.com. (
          0 ; serial
          1D  ; refresh
          1H  ; retry
          1W  ; expire
          3H )  ; minimum
  600 IN  NS  servera
servera IN  A 192.168.62.10
serverb IN  A 192.168.62.11
serverc IN  A 192.168.62.12
serverd IN  A 192.168.62.13

servera IN  AAAA  fc62:5265:6448:6174::a
serverb IN  AAAA  fc62:5265:6448:6174::b
serverc IN  AAAA  fc62:5265:6448:6174::c
serverd IN  AAAA  fc62:5265:6448:6174::d      

The IPv4 reverse lookup zone file /var/named/192.168.62.zone should have the following content (named.loopback is the template this time; each owner name is the last octet of the address, relative to the 62.168.192.in-addr.arpa origin):

[root@servera ~]# cp /var/named/named.loopback /var/named/192.168.62.zone
[root@servera ~]# vim /var/named/192.168.62.zone
$TTL 1D
@ IN SOA  servera.pvt.example.com. dnslab.example.com. (
          0 ; serial
          1D  ; refresh
          1H  ; retry
          1W  ; expire
          3H )  ; minimum
  600 IN  NS  servera.pvt.example.com.
10  IN  PTR servera.pvt.example.com.
11  IN  PTR serverb.pvt.example.com.
12  IN  PTR serverc.pvt.example.com.
13  IN  PTR serverd.pvt.example.com.      

The IPv6 reverse lookup zone file /var/named/fc62.5265.6448.6174.zone should have the following content. Each owner name is the 16 host nibbles of the address written least-significant first; the 16 network nibbles, reversed the same way, form the zone origin 4.7.1.6.8.4.4.6.5.6.2.5.2.6.C.F.ip6.arpa that named.pvt.conf declares:

[root@servera ~]# cp /var/named/192.168.62.zone /var/named/fc62.5265.6448.6174.zone
$TTL 1D
@       IN SOA  servera.pvt.example.com. dnslab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        600     IN      NS      servera.pvt.example.com.
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     servera.pvt.example.com.
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     serverb.pvt.example.com.
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     serverc.pvt.example.com.
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN      PTR     serverd.pvt.example.com.      
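Writing the ip6.arpa owner names by hand is where reverse zones usually go wrong, so here is an added example (not part of the original lab) that derives the zone origins and PTR owner names from the host table on this page with the standard ipaddress module, then renders the three zone files and the matching zone stanzas. Hostnames, addresses and SOA values are the lab's; the serial default and the function names are assumptions.

```python
"""Derive reverse-zone origins and PTR owner names from the lab's host table.

Added example (not part of the original lab, which fills the zone files by
hand): given host -> (IPv4, IPv6) pairs it computes the zone origins that
named.pvt.conf declares and renders the three zone files, so the 16-nibble
ip6.arpa owner names are never typed manually. Hostnames, addresses and SOA
values are the ones on this page; the serial default is an assumption.
"""
import ipaddress

DOMAIN = "pvt.example.com"
PRIMARY_NS = f"servera.{DOMAIN}."
SOA_CONTACT = "dnslab.example.com."        # RNAME, i.e. dnslab@example.com
HOSTS = {                                   # constructed from the lab's address plan
    "servera": ("192.168.62.10", "fc62:5265:6448:6174::a"),
    "serverb": ("192.168.62.11", "fc62:5265:6448:6174::b"),
    "serverc": ("192.168.62.12", "fc62:5265:6448:6174::c"),
    "serverd": ("192.168.62.13", "fc62:5265:6448:6174::d"),
}


def reverse_zone_origin(network):
    """Origin of the reverse zone for an octet-aligned IPv4 or nibble-aligned
    IPv6 prefix, e.g. 192.168.62.0/24 -> 62.168.192.in-addr.arpa."""
    net = ipaddress.ip_network(network, strict=True)
    labels = net.network_address.reverse_pointer.split(".")
    unit = 8 if net.version == 4 else 4             # address bits per reverse label
    if net.prefixlen % unit:
        raise ValueError(f"{network}: prefix must be a multiple of {unit} bits "
                         "(classless in-addr.arpa delegation is not handled)")
    host_labels = (net.max_prefixlen - net.prefixlen) // unit
    return ".".join(labels[host_labels:])


def reverse_owner(address, network):
    """Owner name of the PTR record, relative to the zone origin for `network`."""
    addr = ipaddress.ip_address(address)
    if addr not in ipaddress.ip_network(network):
        raise ValueError(f"{address} is not inside {network}")
    suffix = "." + reverse_zone_origin(network)
    return addr.reverse_pointer[: -len(suffix)]


def soa_header(serial):
    """SOA and NS records shared by all three zones. The serial must increase
    on every edit; the lab's 0 is only acceptable for a first, unpublished copy."""
    return [
        "$TTL 1D",
        f"@ IN SOA {PRIMARY_NS} {SOA_CONTACT} (",
        f"          {serial} ; serial",
        "          1D ; refresh",
        "          1H ; retry",
        "          1W ; expire",
        "          3H ) ; minimum",
        f"  600 IN NS {PRIMARY_NS}",
    ]


def forward_zone(serial=1):
    """A and AAAA records for every host, as in pvt.example.com.zone."""
    lines = soa_header(serial)
    lines += [f"{host} IN A {v4}" for host, (v4, _) in HOSTS.items()]
    lines += [f"{host} IN AAAA {v6}" for host, (_, v6) in HOSTS.items()]
    return "\n".join(lines) + "\n"


def reverse_zone(network, serial=1):
    """PTR records for every lab address that falls inside `network`."""
    net = ipaddress.ip_network(network)
    lines = soa_header(serial)
    for host, addrs in HOSTS.items():
        for addr in addrs:
            if ipaddress.ip_address(addr) in net:
                lines.append(f"{reverse_owner(addr, network)} IN PTR {host}.{DOMAIN}.")
    return "\n".join(lines) + "\n"


def named_zone_stanza(origin, filename):
    """The zone {} block that named.pvt.conf needs for one zone file."""
    return f'zone "{origin}" IN {{\n  type master;\n  file "{filename}";\n}};\n'


if __name__ == "__main__":
    for network, filename in (("192.168.62.0/24", "192.168.62.zone"),
                              ("fc62:5265:6448:6174::/64", "fc62.5265.6448.6174.zone")):
        print(named_zone_stanza(reverse_zone_origin(network), filename))
        print(reverse_zone(network))
    print(named_zone_stanza(DOMAIN, f"{DOMAIN}.zone"))
    print(forward_zone())
```

The generator refuses non-octet-aligned IPv4 prefixes on purpose: a /25 would need RFC 2317 classless delegation with CNAMEs, which is a different zone layout from the one this lab builds.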

1.5 Set the permissions of the zone files so that BIND can read but not modify them (root keeps ownership; the named group gets read access only):

[root@servera ~]# chgrp named /var/named/*.zone
[root@servera ~]# chmod 640 /var/named/*.zone
[root@servera ~]# ls -l /var/named/*.zone
-rw-r-----. 1 root named 327 May 21 16:23 /var/named/192.168.62.zone
-rw-r-----. 1 root named 443 May 21 16:35 /var/named/fc62.5265.6448.6174.zone
-rw-r-----. 1 root named 435 May 21 16:20 /var/named/pvt.example.com.zone      

1.6 Configure the new zone files in BIND. Complete the named.pvt.conf file in the cr-network/files/bind directory, then install it in the /etc/ directory on servera.

[student@workstation]$ vim /home/student/cr-network/files/bind/named.pvt.conf

zone "pvt.example.com" IN {
  type master;
  file "pvt.example.com.zone";
  forwarders {};
};

zone "62.168.192.in-addr.arpa" IN {
  type master;
  file "192.168.62.zone";
  forwarders {};
};

zone "4.7.1.6.8.4.4.6.5.6.2.5.2.6.C.F.ip6.arpa" IN {
  type master;
  file "fc62.5265.6448.6174.zone";
  forwarders {};
};

[student@workstation ~]$ scp /home/student/cr-network/files/bind/named.pvt.conf root@servera:/etc/
Warning: Permanently added 'servera' (ECDSA) to the list of known hosts.
named.pvt.conf  

[root@servera ~]# ls /etc/named.pvt.conf 
/etc/named.pvt.conf      

1.7 Set the file permissions so that BIND can read but not modify the file:

[root@servera ~]# chgrp named /etc/named.pvt.conf 
[root@servera ~]# chmod 640 /etc/named.pvt.conf 
[root@servera ~]# ls -l /etc/named.pvt.conf 
-rw-r-----. 1 root named 307 May 21 16:48 /etc/named.pvt.conf      

1.8 Edit /etc/named.conf so that it includes the zone configuration file for pvt.example.com. The end of the resulting file should look like this:

[root@servera ~]# vim /etc/named.conf
...output omitted...
include "/etc/named.pvt.conf";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";      

1.9 Restart the named service. Before doing so, run named-checkconf (configuration syntax) and named-checkzone pvt.example.com /var/named/pvt.example.com.zone (zone data); a typo that these catch would otherwise leave named down after the restart.

[root@servera ~]# systemctl restart named      

1.10 Confirm that servera answers serverb's forward and reverse queries for pvt.example.com, but not those of other hosts. When testing, explicitly specify the IP address of servera.pvt.example.com as the DNS server to query. A client that is not matched by allow-query receives a REFUSED response instead of an answer, which is the result to look for from the hosts that should be denied.
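To make the allow-query decision visible as the raw RCODE rather than as host's formatted output, here is an added example (not part of the lab) of a stdlib-only DNS client. It builds the query, parses the reply including compressed names, and reports the RCODE and the AA bit; a host listed in allow-query should see NOERROR with AA set, any other host REFUSED with no answers. The sample packets at the bottom are constructed by hand from the lab's addresses so the encoder and decoder can be checked offline; the server address and function names are assumptions.

```python
"""Raw DNS queries against servera, to see the RCODE that allow-query produces.

Added example, not from the lab: a stdlib-only client (no dnspython) that can
run from any host. A client listed in allow-query gets NOERROR with the AA bit
set; a client outside it gets REFUSED and an empty answer section. The sample
packets at the bottom are constructed by hand from the lab's data so the encoder
and decoder run offline; the default server address is servera's.
"""
import socket
import struct

QTYPES = {"A": 1, "PTR": 12, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, recursion_desired=False):
    """One-question query. RD stays clear: an authoritative-only server answers
    its own zones regardless, so a stray recursive answer is easy to spot."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if (length & 0xC0) == 0xC0:                    # compression pointer
            end = offset + 2 if end is None else end   # resume after the first pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (offset if end is None else end)


def parse_response(data):
    """Return (rcode, authoritative, [(owner, rtype, rdata_text), ...])."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    authoritative = bool(flags & 0x0400)               # AA bit
    offset = 12
    for _ in range(qd):                                # skip the question section
        _, offset = decode_name(data, offset)
        offset += 4                                    # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype in (1, 28):
            text = socket.inet_ntop(socket.AF_INET if rtype == 1 else socket.AF_INET6, rdata)
        elif rtype == 12:
            text, _ = decode_name(data, offset)        # PTR target, may be compressed
        else:
            text = rdata.hex()
        answers.append((owner, rtype, text))
        offset += rdlen
    return rcode, authoritative, answers


def query(server, name, qtype, timeout=2.0):
    """Single UDP exchange with `server` (an IPv4 or IPv6 literal) on port 53."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    packet = build_query(name, qtype)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(4096)
    if data[:2] != packet[:2]:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    return parse_response(data)


# Constructed sample replies: what servera returns to serverb, and to a denied host.
_QA = build_query("serverb.pvt.example.com", "A")
SAMPLE_ALLOWED = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QA[12:]   # QR+AA
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4) + bytes([192, 168, 62, 11]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0) + _QA[12:]    # QR, rcode 5
_QP, _TARGET = build_query("11.62.168.192.in-addr.arpa", "PTR"), encode_name("serverb.pvt.example.com")
SAMPLE_PTR = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + _QP[12:]
              + b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 86400, len(_TARGET)) + _TARGET)

if __name__ == "__main__":
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.62.10"
    for name, qtype in (("serverb.pvt.example.com", "A"), ("serverb.pvt.example.com", "AAAA"),
                        ("11.62.168.192.in-addr.arpa", "PTR"),
                        ("b.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa", "PTR")):
        print(name, qtype, *query(server, name, qtype))
```

Run it once from serverb and once from serverc (or workstation): the first run should print NOERROR with authoritative True and the expected addresses, the second REFUSED with an empty answer list for every query. The transaction-id check is there because a UDP client accepts whatever arrives first; a reply with a different id is either a late answer to another query or an attempt at spoofing, and either way it must not be treated as the server's verdict.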

2. Configure serverb as a caching DNS name server. It obtains answers for pvt.example.com from servera, but forwards queries for all other domains to bastion.lab.example.com. The caching name server must listen for DNS queries only on its loopback and LAN interfaces, and only hosts in pvt.example.com and localhost may query it.

2.1 Install the unbound package.

[root@serverb ~]# yum install unbound -y      

2.2 Edit the server clause in /etc/unbound/unbound.conf to configure unbound as follows:

  • Listen on the 192.168.62.11 and fc62:5265:6448:6174::b interfaces.
  • Allow queries from the 192.168.62.0/24 and fc62:5265:6448:6174::/64 subnets.
  • Exclude the example.com zone from DNSSEC validation (the configuration below does the same for the two reverse zones, which are just as unsigned; without domain-insecure a validating unbound answers SERVFAIL for them).
  • Send all forward and reverse pvt.example.com queries to 192.168.62.10.
  • Forward all other lookups to 172.25.250.254.

The resulting file should contain the following directives. Two behaviours of unbound matter here: once any interface: line is present, unbound no longer listens on 127.0.0.1 and ::1 by default, so add them explicitly if localhost must still be able to query; and the reverse zones for private address space are answered locally as empty by default, which is why each of them needs a local-zone ... nodefault line before the stub-zone can take effect:

[root@serverb ~]# vim /etc/unbound/unbound.conf

server:
...output omitted...
    interface: 192.168.62.11
    interface: fc62:5265:6448:6174::b
...output omitted...
    access-control: 192.168.62.0/24 allow
    access-control: fc62:5265:6448:6174::/64 allow
...output omitted...
    domain-insecure: "example.com"
    domain-insecure: "62.168.192.in-addr.arpa."
    domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
...output omitted...
    local-zone: "25.172.in-addr.arpa." nodefault
    local-zone: "62.168.192.in-addr.arpa." nodefault
    local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa." nodefault
...output omitted...
stub-zone:
    name: "pvt.example.com"
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a

stub-zone:
    name: "62.168.192.in-addr.arpa."
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a

stub-zone:
    name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a
...output omitted...
forward-zone:
    name: "."
    forward-addr: 172.25.250.254
...output omitted...      
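The three settings above (stub-zone, domain-insecure, local-zone nodefault) have to agree with each other, and unbound-checkconf only checks syntax, not that agreement. The following added example (not part of the lab, and not an unbound tool) reads the directives shown on this page and reports the combinations that produce SERVFAIL or NXDOMAIN for the internal zones; CONFIG_LAB is constructed from the page's fragments, CONFIG_BROKEN is the same text with two lines removed, and the reader deliberately understands only the directives used here.

```python
"""Lint unbound stub-zone, domain-insecure and local-zone settings for consistency.

Added example, not part of the lab. unbound validates DNSSEC by default and
answers the private-address reverse zones locally, so an unsigned stub zone
needs a matching domain-insecure line and a stub zone for private reverse
space needs local-zone ... nodefault. The reader handles only the directives
used on this page; CONFIG_LAB is constructed from the page's fragments.
"""
import ipaddress


def parse_unbound(text):
    """Return (server_settings, stub_zones, forward_zones): (key, value) pairs
    for the server clause and one {key: [values]} dict per zone clause."""
    server, stubs, forwards, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.endswith(":") and " " not in line:             # clause header
            clause = line[:-1]
            current = server if clause == "server" else {} if clause.endswith("-zone") else None
            if clause == "stub-zone":
                stubs.append(current)
            elif clause == "forward-zone":
                forwards.append(current)
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.replace('"', "").strip()
        if isinstance(current, list):
            current.append((key, value))
        elif isinstance(current, dict):
            current.setdefault(key, []).append(value)
    return server, stubs, forwards


def reverse_name_to_network(name):
    """62.168.192.in-addr.arpa -> 192.168.62.0/24; nibble ip6.arpa names -> IPv6 prefix."""
    name = name.rstrip(".").lower()
    if name.endswith(".in-addr.arpa"):
        octets = name[:-len(".in-addr.arpa")].split(".")[::-1]
        return ipaddress.ip_network(".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}")
    if name.endswith(".ip6.arpa"):
        nibbles = "".join(name[:-len(".ip6.arpa")].split(".")[::-1])
        addr = ":".join(nibbles.ljust(32, "0")[i:i + 4] for i in range(0, 32, 4))
        return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}")
    return None


def covers(zone, name):
    """True when `zone` is `name` itself or one of its ancestors."""
    zone, name = zone.rstrip(".").lower(), name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def lint(text):
    """Return a list of problems; an empty list means the fragments are consistent."""
    server, stubs, forwards = parse_unbound(text)
    insecure = [v for k, v in server if k == "domain-insecure"]
    nodefault = [v.split()[0] for k, v in server if k == "local-zone" and v.endswith(" nodefault")]
    interfaces = [v for k, v in server if k == "interface"]
    problems = []
    for stub in stubs:
        name = stub.get("name", [""])[0]
        if not any(covers(z, name) for z in insecure):
            problems.append(f"stub-zone {name}: no domain-insecure, validation of this unsigned zone fails (SERVFAIL)")
        net = reverse_name_to_network(name)
        if net is not None and net.is_private and not any(covers(z, name) for z in nodefault):
            problems.append(f"stub-zone {name}: private reverse space without local-zone nodefault (answered locally as NXDOMAIN)")
    if not any(f.get("name", [""])[0].rstrip(".") == "" for f in forwards):
        problems.append('no forward-zone for ".", so non-stub lookups go straight to the root servers')
    if interfaces and not any(i.startswith("127.") or i == "::1" for i in interfaces):
        problems.append("interface: lines replace the default loopback listener; add 127.0.0.1 and ::1 for localhost queries")
    return problems


CONFIG_LAB = """\
server:
    interface: 192.168.62.11
    interface: fc62:5265:6448:6174::b
    access-control: 192.168.62.0/24 allow
    domain-insecure: "example.com"
    domain-insecure: "62.168.192.in-addr.arpa."
    domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
    local-zone: "62.168.192.in-addr.arpa." nodefault
    local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa." nodefault
stub-zone:
    name: "pvt.example.com"
    stub-addr: 192.168.62.10
stub-zone:
    name: "62.168.192.in-addr.arpa."
    stub-addr: 192.168.62.10
stub-zone:
    name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
    stub-addr: fc62:5265:6448:6174::a
forward-zone:
    name: "."
    forward-addr: 172.25.250.254
"""
# Same fragments with the example.com domain-insecure line and the catch-all forwarder dropped.
CONFIG_BROKEN = CONFIG_LAB.split("forward-zone:")[0].replace('    domain-insecure: "example.com"\n', "")

if __name__ == "__main__":
    print(lint(CONFIG_LAB), lint(CONFIG_BROKEN), sep="\n")
```

Run against the lab's own directives the linter reports exactly one thing: no loopback interface is listed, which is the gap between the task statement ("listen on loopback and LAN") and the interface: lines shown. The broken variant adds the two classic failures, an unsigned internal zone that still gets validated and a missing catch-all forwarder.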

2.3 Generate the private keys and certificates that unbound-control uses to authenticate to the daemon.

[root@serverb ~]# unbound-control-setup      

2.4 Verify the syntax of the unbound configuration file.

[root@serverb ~]# unbound-checkconf      

2.5 Open the firewall for DNS traffic, then enable and start unbound.

[root@serverb ~]# firewall-cmd --add-service=dns
[root@serverb ~]# firewall-cmd --add-service=dns --permanent      
[root@serverb ~]# systemctl enable --now unbound      

The captures below were taken on servera against 192.168.62.10, so they exercise the authoritative zone from step 1 (the check that step 1.10 asks for) rather than the cache. To exercise unbound itself, run the same host commands from serverb or another pvt.example.com host with 192.168.62.11 as the server, and query a name outside pvt.example.com to confirm it is forwarded to 172.25.250.254.

[root@servera ~]# host serverb.pvt.example.com 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases: 

serverb.pvt.example.com has address 192.168.62.11
serverb.pvt.example.com has IPv6 address fc62:5265:6448:6174::b
[root@servera ~]# host serverc.pvt.example.com 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases: 

serverc.pvt.example.com has address 192.168.62.12
serverc.pvt.example.com has IPv6 address fc62:5265:6448:6174::c      
