|
|
实验一:单节点正向解析+逆向解析+递归功能
实验环境如下:
主机IP描述192.168.5.181内网DNS server,与网关为172.16.0.1,网关直连外网并提供DNS功能192.168.5.182内网客户端实验步骤:
在192.168.5.181这台机器上面安装bind
yum install -y bind编辑/etc/named.conf如下所示,修改allow-query 为 any 从而让所有主机都有进行DNS查询的权限;添加 forward only 和 forwarders { 172.16.0.1 },从而进行全局转发,即凡是没有在192.168.5.181上面通过zone定义的内容,都会转给172.16.0.1进行解析;添加recursive 为 yes,支持递归查询功能,由于是做实验,因此将dnssec-enable和dnssec-validation这两项丢改为no:
options {
// listen-on port 53 { 192.168.5.181; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forward only;
forwarders { 172.16.0.1; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";在/etc/named.rfc1912.zones里面定义两个zone,一个zone用作正向解析另一个zone用作逆向解析,注意,你想解析的zone的名称一定要满足如下格式:将网络位倒过来写,并在其后面添加.in-addr.arpa后缀,例如,针对192.168.10网段的逆向解析,需要写为10.168.192.in-addr.arpa:
......
......
zone "tester.com" IN {
type master;
file "tester.com.zone";
};
zone "5.168.192.in-addr.arpa" IN {
type master;
file "192.168.5.zone";
};由/etc/named.conf文件中,我们可以看到directory的值为/var/named,因此我们在/var/named里面分别创建tester.com.zone文件以及192.168.5.zone文件。注意!为了安全措施,需要将这两个文件的所属组修改为named,并且将这两个文件的其他者的权限改为0:
cd /var/named
chmod o= tester.com.zone 192.168.5.zone
chown :named tester.com.zone 192.168.5.zone编辑tester.com.zone文件如下所示:
TTL代表记录在DNS客户端或者代理(resolver)缓存的时间,默认单位为秒。这里定义为600秒。
SOA为起始授权记录,一个区域解析库有且只能有一个SOA记录,而且必须放在第一条。
括号中的2017052201代表序列号,当主数据库内容发生变化时,其版本号递增
30m代表刷新时间间隔,从服务器每隔多久到主服务器上面检查序列号更新情况
2m代表重试时间间隔,从服务器从主服务器请求同步解析失败时,再次发起尝试请求的时间间隔
1h代表过期时长为1小时,从服务器联系不到主服务器时,多久之后放弃从主服务器同步数据
1h代表否定过期时长为1小时,当上游DNS返回“查询不到该记录”时,这个信息在本DNS上面保存的时间。
”@”符号引用了该区域的名称,名称定义在/etc/named.rfc1912.zones里面了,分别为test.com.和5.168.192.in-addr.arpa.
NS为域名服务记录,标示了DNS的服务器自身的FQDN,可以有多个NS,其中一个为主DNS
A代表A记录,即17.tester.com.的A地址为192.168.5.181
CNAME为别名记录,即web.tester.com.是17.tester.com.的别名
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
2017052201
30m
2m
1h
1h )
@ IN NS 17.tester.com.
17 IN A 192.168.5.181
web IN CNAME 17编辑192.168.5.zone文件如下所示:
PTR表示指针类型,用于指向另一个域名空间,这里指向17.tester.com.
$TTL 1200
@ IN SOA tester.com. mail.tester.com. (
2017052301
3h
20m
1w
1d )
@ IN NS 17.tester.com.
181 IN PTR 17.tester.com.保存之后,用systemctl start named.service命令重启服务,通过ss -tunl命令查看53端口是否处于监听状态:
$ systemctl start named.service
$ ss -tunl | grep -E "\b53\b" | awk -F" " '{$NF=" "; print $0}'
udp UNCONN 0 0 172.16.252.238:53
udp UNCONN 0 0 192.168.5.181:53
udp UNCONN 0 0 127.0.0.1:53
udp UNCONN 0 0 ::1:53
tcp LISTEN 0 10 172.16.252.238:53
tcp LISTEN 0 10 192.168.5.181:53
tcp LISTEN 0 10 127.0.0.1:53
tcp LISTEN 0 10 ::1:53在192.168.5.182上面利用dig命令进行查询测试:
解析A记录:
[root@centos7-front2 ~]# dig -t A www.baidu.com @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64315
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 5, ADDITIONAL: 6
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN A
;; ANSWER SECTION:
www.baidu.com. 357 IN CNAME www.a.shifen.com.
www.a.shifen.com. 168 IN A 61.135.169.125
www.a.shifen.com. 168 IN A 61.135.169.121
;; AUTHORITY SECTION:
a.shifen.com. 466 IN NS ns4.a.shifen.com.
a.shifen.com. 466 IN NS ns2.a.shifen.com.
a.shifen.com. 466 IN NS ns3.a.shifen.com.
a.shifen.com. 466 IN NS ns1.a.shifen.com.
a.shifen.com. 466 IN NS ns5.a.shifen.com.
;; ADDITIONAL SECTION:
ns5.a.shifen.com. 466 IN A 119.75.222.17
ns1.a.shifen.com. 466 IN A 61.135.165.224
ns2.a.shifen.com. 466 IN A 180.149.133.241
ns3.a.shifen.com. 466 IN A 61.135.162.215
ns4.a.shifen.com. 466 IN A 115.239.210.176
;; Query time: 4 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:43:09 CST 2017
;; MSG SIZE rcvd: 271
----------------------------------------------------------------------
解析A记录:
[root@centos7-front2 ~]# dig -t A 17.tester.com @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52596
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com. IN A
;; ANSWER SECTION:
17.tester.com. 600 IN A 192.168.5.181
;; AUTHORITY SECTION:
tester.com. 600 IN NS 17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:44:11 CST 2017
;; MSG SIZE rcvd: 72
-------------------------------------------------------------------------
解析NS域名服务记录:
[root@centos7-front2 ~]# dig -t NS 17.tester.com @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS 17.tester.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31428
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;17.tester.com. IN NS
;; AUTHORITY SECTION:
tester.com. 600 IN SOA tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:12 CST 2017
;; MSG SIZE rcvd: 83
[root@centos7-front2 ~]# dig -t NS www.baidu.com @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t NS www.baidu.com @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56340
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com. IN NS
;; ANSWER SECTION:
www.baidu.com. 764 IN CNAME www.a.shifen.com.
;; AUTHORITY SECTION:
a.shifen.com. 600 IN SOA ns1.a.shifen.com. baidu_dns_master.baidu.com. 1705230072 5 5 86400 3600
;; Query time: 15 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:56:24 CST 2017
;; MSG SIZE rcvd: 126
---------------------------------------------------------------------------
反向解析:
[root@centos7-front2 ~]# dig -x 192.168.5.181 @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 192.168.5.181 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51386
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;181.5.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
181.5.168.192.in-addr.arpa. 1200 IN PTR 17.tester.com.
;; AUTHORITY SECTION:
5.168.192.in-addr.arpa. 1200 IN NS 17.tester.com.
;; ADDITIONAL SECTION:
17.tester.com. 600 IN A 192.168.5.181
;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:14 CST 2017
;; MSG SIZE rcvd: 112
[root@centos7-front2 ~]# dig -x 61.135.169.125 @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -x 61.135.169.125 @192.168.5.181
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55671
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;125.169.135.61.in-addr.arpa. IN PTR
;; AUTHORITY SECTION:
169.135.61.in-addr.arpa. 7200 IN SOA dns.baidu.com. sa.baidu.com. 2012091801 300 600 2592000 7200
;; Query time: 7 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Wed May 24 13:59:52 CST 2017
;; MSG SIZE rcvd: 108实验二:DNS主从配置
实验环境如下:
主机IP描述192.168.5.181主DNS服务器,可连接外网192.168.5.182从DNS服务器,可连接外网192.168.5.99测试用的客户端,内网环境主DNS服务器的配置和上面的实验单节点正向解析+逆向解析+递归功能基本上相同,不过由于这里多添加了一台从DNS服务器,因此NS需要添加一条新的记录。named.rfc1912.zones文件的配置内容依然如下:
......
......
zone "tester.com" IN {
type master;
file "tester.com.zone";
};
zone "5.168.192.in-addr.arpa" IN {
type master;
file "192.168.5.zone";
};添加NS记录之后的tester.com.zone文件如下所示:
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
2017052201
30m
2m
1h
1h )
@ IN NS 17.tester.com.
@ IN NS 18.tester.com.
17 IN A 192.168.5.181
18 IN A 192.168.5.182
web IN CNAME 17对于从服务器,首先利用yum install -y bind bind-utils命令安装bind,然后修改/etc/named.conf文件,使得主从两台服务器的该文件一样。之后在/etc/named.rfc1912.zones文件里面编辑添加如下内容,指明type类型为slave类型,zone配置文件的相对位置为slaves/<FILE NAME>,即实际位置为/var/named/slaves/<FILE NAME> master主服务器节点的IP地址为192.168.5.181:
zone "tester.com" IN {
type slave;
file "slaves/tester.com.zone";
masters { 192.168.5.181; };
};
zone "5.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192.168.5.zone";
masters { 192.168.5.181; };
};配置完成之后,先启动主服务器的dns服务,之后再启动从服务器的dns服务。在从服务器的日志文件里面可以看到如下内容,表明transfer已经完成:
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: connected using 192.168.5.182#53834
May 24 05:36:02 centos7-front2 systemd: Started Berkeley Internet Name Domain (DNS).
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: transferred serial 2017052301
May 24 05:36:02 centos7-front2 named[3150]: transfer of '5.168.192.in-addr.arpa/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 6 records, 197 bytes, 0.001 secs (197000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone 5.168.192.in-addr.arpa/IN: sending notifies (serial 2017052301)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: Transfer started.
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: connected using 192.168.5.182#33001
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: transferred serial 2017052201
May 24 05:36:02 centos7-front2 named[3150]: transfer of 'tester.com/IN' from 192.168.5.181#53: Transfer completed: 1 messages, 7 records, 189 bytes, 0.003 secs (63000 bytes/sec)
May 24 05:36:02 centos7-front2 named[3150]: zone tester.com/IN: sending notifies (serial 2017052201)在从节点的/var/named/slaves目录下面多了两个文件,便是从主服务器上面同步而来的zone配置文件:
$ cd /var/named/slaves/
$ ls
192.168.5.zone tester.com.zone在客户端上面查询进行查询:
$ nslookup -type=A 17.tester.com 192.168.5.181
Server: 192.168.5.181
Address: 192.168.5.181#53
Name: 17.tester.com
Address: 192.168.5.181
$ nslookup -type=A 17.tester.com 192.168.5.182
Server: 192.168.5.182
Address: 192.168.5.182#53
Name: 17.tester.com
Address: 192.168.5.181
$ nslookup -type=NS tester.com 192.168.5.182
Server: 192.168.5.182
Address: 192.168.5.182#53
tester.com nameserver = 17.tester.com.
tester.com nameserver = 18.tester.com.
$ nslookup 192.168.5.181 192.168.5.182
Server: 192.168.5.182
Address: 192.168.5.182#53
181.5.168.192.in-addr.arpa name = 17.tester.com.
$ nslookup -type=NS baidu.com 192.168.5.181
Server: 192.168.5.181
Address: 192.168.5.181#53
Non-authoritative answer:
baidu.com nameserver = ns3.baidu.com.
baidu.com nameserver = ns2.baidu.com.
baidu.com nameserver = ns7.baidu.com.
baidu.com nameserver = ns4.baidu.com.
baidu.com nameserver = dns.baidu.com.
Authoritative answers can be found from:
ns3.baidu.com internet address = 220.181.37.10
ns4.baidu.com internet address = 220.181.38.10
ns2.baidu.com internet address = 61.135.165.235
ns7.baidu.com internet address = 119.75.219.82
dns.baidu.com internet address = 202.108.22.220
$ nslookup -type=A www.baidu.com 192.168.5.182
Server: 192.168.5.182
Address: 192.168.5.182#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 61.135.169.125
Name: www.a.shifen.com
Address: 61.135.169.121注意!!如果主服务器上面的zone配置发生了改变,需要手动将序列号加1,然后保存,再用rndc reload命令重载,这样才能够向从服务器发送消息通知,进而从服务器对zone配置文件进行增量同步!
实验三:DNS的子域授权
实验环境如下:
主机IP描述192.168.5.181父域DNS,域名tester.com.,可连接外网192.168.5.182子域DNS,域名ops.tester.com.可连接外网192.168.5.99测试客户端,内网环境实验目的:父域名tester.com.授权子域名ops.tester.com.,并利用客户端测试效果。
步骤:
在父域名节点上面配置/etc/named.conf,在option段里面编辑如下内容。其中注释listen on,目的是监听该节点的所有端口;allow-query为any,即允许所有客户端进行查询;forward first和forwarders的意义是,由于该节点能够联通外网,因此对于向该节点发出的查询请求,先转发到子域上面,如果子域找不到,再转发到外网,如果外网找不到,则再在本地解析。
......
......
// listen-on port 53 { 192.168.5.181; };
allow-query { any; };
forward first;
forwarders { 192.168.5.182; 20.20.20.1; };
......
......编辑/etc/named.rfc1912.zone文件如下:
......
......
zone "tester.com" IN {
type master;
file "tester.com.zone";
};
......
......编辑/var/named/tester.com.zone文件内容如下。授权一个子域ops.tester.com.域名解析节点为dns1.ops.tester.com.
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
2017052201
30m
2m
1h
1h )
@ IN NS 17.tester.com.
17 IN A 192.168.5.181
ops.tester.com. IN NS dns1.ops.tester.com.
dns1.ops IN A 192.168.5.182在子域节点上面,配置/etc/named.conf文件如下所示:
......
......
// listen-on port 53 { 127.0.0.1; };
allow-query { any; };
forward only;
forwarders { 20.20.20.1; };
......
......子域节点的/etc/named.rfc1912.zone文件如下所示,其中第一个zone为父域所授权的ops.tester.com.第二个zone的目的是为了能够让子域服务器能够将父域的zone抓发到服务解析,而不用转到根服务器:
......
......
zone "ops.tester.com" IN {
type master;
file "ops.tester.com.zone";
};
zone "tester.com" IN {
type forward;
forward only;
forwarders { 192.168.5.181; };
};
......
......子域节点的/var/named/ops.tester.com.zone文件如下所示,SOA后面跟上了解析该域的dns地址为dns1.ops.tester.com.,并且定义了一个该域下的A地址为kali
$TTL 600
@ IN SOA dns1.ops.tester.com. mail.ops.tester.com. (
2017052201
30m
2m
1h
1h )
IN NS dns1
dns1 IN A 192.168.5.182
kali IN A 192.168.5.99保存并在两个节点上使用rndc reload重载配置文件,在客户端上面使用nslookup进行测试结果如下所示:
从父域DNS上面对子域的域名服务记录进行查询,用以验证自语授权:
$ dig -t NS ops.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t NS ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;ops.tester.com. IN NS
ops.tester.com. 600 IN NS dns1.ops.tester.com.
dns1.ops.tester.com. 600 IN A 192.168.5.182
;; Query time: 3 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:29:51 HKT 2017
;; MSG SIZE rcvd: 78
从父域DNS上面对子域的A记录进行查询
$ dig -t A kali.ops.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t A kali.ops.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;kali.ops.tester.com. IN A
kali.ops.tester.com. 600 IN A 192.168.5.99
ops.tester.com. 585 IN NS dns1.ops.tester.com.
dns1.ops.tester.com. 585 IN A 192.168.5.182
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:06 HKT 2017
;; MSG SIZE rcvd: 99
从父域的DNS上面对于外网A记录的查询,用以验证全局forward:
$ dig -t A www.baidu.com @192.168.5.181 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t A www.baidu.com @192.168.5.181 +nocomments
;; global options: +cmd
;www.baidu.com. IN A
www.baidu.com. 600 IN CNAME www.a.shifen.com.
www.a.shifen.com. 600 IN A 119.75.218.70
www.a.shifen.com. 600 IN A 119.75.217.109
a.shifen.com. 851 IN NS ns4.a.shifen.com.
a.shifen.com. 851 IN NS ns2.a.shifen.com.
a.shifen.com. 851 IN NS ns3.a.shifen.com.
a.shifen.com. 851 IN NS ns5.a.shifen.com.
a.shifen.com. 851 IN NS ns1.a.shifen.com.
ns2.a.shifen.com. 33 IN A 180.149.133.241
ns4.a.shifen.com. 33 IN A 115.239.210.176
ns5.a.shifen.com. 151 IN A 119.75.222.17
ns3.a.shifen.com. 32 IN A 61.135.162.215
ns1.a.shifen.com. 299 IN A 61.135.165.224
;; Query time: 21 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 14:30:23 HKT 2017
;; MSG SIZE rcvd: 271
从子域对父域的A记录进行查询,用以验证zone的forward
$ dig -t A 17.tester.com @192.168.5.182 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.182 +nocomments
;; global options: +cmd
;17.tester.com. IN A
17.tester.com. 600 IN A 192.168.5.181
tester.com. 600 IN NS 17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.182#53(192.168.5.182)
;; WHEN: Fri May 26 14:30:43 HKT 2017
;; MSG SIZE rcvd: 72实验四:DNS的基本ACL控制
实验环境:
主机IP描述192.168.5.181主DNS服务器,和外网联通192.168.5.182客户端1192.168.5.99客户端2基于上述实验一的情况下,添加acl再进行实验
全局情况下,在/etc/named.conf添加acl,使得客户端1能够进行查询,但是客户端2不能够进行查询:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl client1 {
192.168.5.182/32;
};针对于局部zone的情况下,也可以在/etc/named.rfc1912.zone文件里面的tester.com这个zone里面添加allow query { client1; };,也可以在/etc/named.conf的全局option段里面将allow query { any };修改为allow query { client1 };
添加完毕,rndc reload之后,分别在两台客户端上面测试:
客户端1上面测试,可以进行查询:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com. IN A
17.tester.com. 600 IN A 192.168.5.181
tester.com. 600 IN NS 17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:02:00 CST 2017
;; MSG SIZE rcvd: 72
客户端2上面测试,发现无法进行查询:
$ dig -t A 17.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com. IN A
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:03:01 HKT 2017
;; MSG SIZE rcvd: 42将allow-query换为allow-transfer,即允许区域传送的选项,再进行测试:
客户端1的区域传送成功
$ dig -t axfr tester.com @192.168.5.181
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
tester.com. 600 IN SOA tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
tester.com. 600 IN NS 17.tester.com.
17.tester.com. 600 IN A 192.168.5.181
ops.tester.com. 600 IN NS dns1.ops.tester.com.
dns1.ops.tester.com. 600 IN A 192.168.5.182
tester.com. 600 IN SOA tester.com. mail.tester.com. 2017052201 1800 120 3600 3600
;; Query time: 2 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 19:14:39 CST 2017
;; XFR size: 6 records (messages 1, bytes 177)
客户端2的区域传送失败
$ dig -t axfr tester.com @192.168.5.181
; <<>> DiG 9.10.3-P4-Debian <<>> -t axfr tester.com @192.168.5.181
;; global options: +cmd
; Transfer failed.常用的访问控制指令还有allow-recursion和allow-update分别是允许DNS主机进行递归查询的ACL以及允许动态更新区域数据库文件的ACL。
实验五:DNS的视图view
实验环境:
主机IP描述192.168.5.181主DNS服务器,和外网联通192.168.5.182客户端1192.168.5.99客户端2实验目的:让客户端1解析17.tester.com得到的ip地址为1.1.1.1,让客户端2解析17.tester.com得到的ip地址为2.2.2.2
编辑主DNS服务器上面的/etc/named.conf文件,和实验一中的相同。
将/etc/named.conf文件中的如下内容删掉,否则会报错:
zone "." IN {
type hint;
file "named.ca";
};编辑/etc/named.rfc1912.zone文件如下所示,将系统定义的zone用view client1包起来,再新建一个view client2。client1视图匹配192.168.5.182并定义tester.com.的区域解析文件为client1.zone;client2视图匹配192.168.5.99并定义tester.com.的区域解析文件为client2.zone:
view client1 {
match-clients { 192.168.5.182/32; };
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
zone "tester.com" IN {
type master;
file "client1.zone";
};
};
view client2 {
match-clients { 192.168.5.99/32; };
zone "tester.com" IN {
type master;
file "client2.zone";
};
};编辑client1和client2的解析文件如下所示:
$ cat /var/named/client1.zone
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
2017052201
30m
2m
1h
1h )
@ IN NS 17.tester.com.
17 IN A 1.1.1.1
$ cat /var/named/client2.zone
$TTL 600
tester.com. IN SOA tester.com. mail.tester.com. (
2017052201
30m
2m
1h
1h )
@ IN NS 17.tester.com.
17 IN A 2.2.2.2用rndc reload命令重载之后,分别在两个客户端上面测试效果:
客户端1上解析为1.1.1.1
$ dig -t A 17.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com. IN A
17.tester.com. 600 IN A 1.1.1.1
tester.com. 600 IN NS 17.tester.com.
;; Query time: 1 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:29:48 CST 2017
;; MSG SIZE rcvd: 72
客户端2上解析为2.2.2.2
$ dig -t A 17.tester.com @192.168.5.181 +nocomments
; <<>> DiG 9.10.3-P4-Debian <<>> -t A 17.tester.com @192.168.5.181 +nocomments
;; global options: +cmd
;17.tester.com. IN A
17.tester.com. 600 IN A 2.2.2.2
tester.com. 600 IN NS 17.tester.com.
;; Query time: 0 msec
;; SERVER: 192.168.5.181#53(192.168.5.181)
;; WHEN: Fri May 26 20:23:32 HKT 2017
;; MSG SIZE rcvd: 7 |
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-4-22 13:20:29
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡