题目要求
服务器IspSrv工作任务
2. DNS
安装BIND9;
配置为DNS根域服务器;
其他未知域名解析,统一解析为该本机IP;
创建正向区域“chinaskills.cn”;
类型为Slave;
主服务器为“AppSrv”;
启用chroot功能,限制bind9在/var/named/chroot/下运行;隐藏bind版本号,版本显示为“unknow”。
项目配置
安装软件包:
root@Ispsrv:~# apt -y install bind9 dnsutils
安装好之后在bind下面会出现这些目录代表含义:
root@Ispsrv:~# cd /etc/bind/
db.127 #反向区域数据库,用于将ip解析为对应的域名
db.local #正向区域数据库,用于将域名解析为对应的IP地址
named.conf.default-zones #默认区域
named.conf.local #用于定义解析域,也可以直接在named.conf中直接划定解析域
named.conf.options #配置文件,全局选项配置
named.conf #Bind的主配置文件,不包含DNS数据
定义解析域以及隐藏版本:
#先去named.conf.default-zones 文件内复制最后一个zone然后粘贴到named.conf.local
root@Ispsrv:~# cd /etc/bind/
root@Ispsrv:/etc/bind# vim named.conf.default-zones 进入复制
#保存退出然后进入
root@Ispsrv:/etc/bind# vim named.conf.local
#原内容root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";#添加后内容为:
root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone ".";
zone "chinaskills.cn";
};
-----------------------------------------------------------------------------
复制db.local文件:
root@Ispsrv:/etc/bind# cp -a db.local root.zone
root@Ispsrv:/etc/bind# vim root.zone
#原内容root@Ispsrv:/etc/bind# cat root.zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1#修改后内容为
root@Ispsrv:/etc/bind# cat root.zone
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
IN A 81.6.63.100
-----------------------------------------------------------------------------
添加version “[unknow]”:
root@Ispsrv:/etc/bind# vim named.conf.options
#原文件内容root@Ispsrv:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";// If there is a firewall between you and nameservers you want // to talk to, you may need to fix the firewall to allow multiple // ports to talk. See http://www.kb.cert.org/vuls/id/800113 // If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation auto; listen-on-v6 { any; };
};
#修改后内容
root@Ispsrv:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";
version "[unknow]";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113// If your ISP provided one or more IP addresses for stable // nameservers, you probably want to use them as forwarders. // Uncomment the following block, and insert the addresses replacing // the all-0's placeholder. // forwarders { // 0.0.0.0; // }; //======================================================================== // If BIND logs error messages about the root key being expired, // you will need to update your keys. See https://www.isc.org/bind-keys //======================================================================== dnssec-validation auto; listen-on-v6 { any; };
};
-----------------------------------------------------------------------------
启用chroot功能:
#修改在/var/named下运行
root@Ispsrv:~# vim /etc/default/bind9
#原文件内容root@Ispsrv:~# cat /etc/default/bind9
run resolvconf?
RESOLVCONF=no
startup options for the server
OPTIONS="-u bind"
#修改后文件
root@Ispsrv:~# cat /etc/default/bind9
run resolvconf?
RESOLVCONF=no
startup options for the server
OPTIONS="-u bind -t /var/named/chroot"
-----------------------------------------------------------------------------
启用chroot
root@Ispsrv:# cd /
root@Ispsrv:# mkdir -p /var/named/chroot/{etc,dev,run/named,/var/cache/bind} #创建运行目录
root@Ispsrv:~# mknod /var/named/chroot/dev/null c 1 3
root@Ispsrv:~# mknod /var/named/chroot/dev/random c 1 8
root@Ispsrv:~# mknod /var/named/chroot/dev/urandom c 1 9
root@Ispsrv:~# chmod 660 /var/named/chroot/dev/{null,random,urandom} #修改权限
root@Ispsrv:~# cp /etc/bind /var/named/chroot/etc -r #将bind移动到chroot目录中
root@Ispsrv:~# ln -s /var/named/chroot/etc/bind /etc/bind #创建软连接
root@Ispsrv:~# chown bind:bind /var/named/chroot/etc/bind/rndc.key
root@Ispsrv:~# chown bind:bind /var/named/chroot/run/named
root@Ispsrv:~# chmod 775 /var/named/chroot/{var/cache/bind,/run/named}
root@Ispsrv:~# chgrp bind /var/named/chroot/{var/cache/bind,/run/named} #更改所有权
启用chroot还需要/usr/share/dns下的文件:
root@Ispsrv:~# mkdir -p /var/named/chroot/usr/share/dns #创建目录
root@Ispsrv:~# cp /usr/share/dns/* /var/named/chroot/usr/share/dns/ #复制文件
最后告诉rsyslog在正确位置监听绑定日志:
root@Ispsrv:~# echo "$AddUnixListenSocket /var/named/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
重启rsyslog和bind9
root@Ispsrv:/# systemctl restart rsyslog
root@Ispsrv:/# systemctl restart bind9
如果需要修改配置文件需要去chroot目录修改并重启。
root@Ispsrv:/# rm /etc/bind -rf
root@Ispsrv:/# vim /var/named/chroot/etc/bind/named.conf.local
root@Ispsrv:/# ln -s /var/named/chroot/etc/bind /etc/bind
root@Ispsrv:/# systemctl restart bind9
设置好dns地址进行测试:
root@Ispsrv:/# vim /etc/resolv.conf
#添加如下内容即可
nameserver 81.6.63.100
测试主备需要把防火墙DNAT配置好(在Routersrv上面配置完成后即可测试)
root@skills-PC:~# nslookup www.chinaskills.cn
Server: 81.6.63.100
Address: 81.6.63.100#53Name: www.chinaskills.cn
Address: 192.168.100.100root@skills-PC:/etc/bind# nslookup any.any.any
Server: 81.6.63.100
Address: 81.6.63.100#53Name: any.any.any
Address: 81.6.63.100root@skills-PC:/var/named/chroot/etc/bind# nslookup -q=txt -class=CHAOS version.bind. localhost
Server: localhost
Address: 127.0.0.1#53version.bind text = "[unknow]"
root@skills-PC:/var/named/chroot/etc/bind#