网络系统管理Linux环境——3.ISPSRV之DNS

题目要求

服务器IspSrv工作任务

2.  DNS

安装BIND9;

配置为DNS根域服务器;

其他未知域名解析,统一解析为该本机IP;

创建正向区域“chinaskills.cn”;

类型为Slave;

主服务器为“AppSrv”;

启用​​chroot​​功能,限制bind9在/var/named/chroot/下运行;隐藏bind版本号,版本显示为“unknow”。

项目配置

安装软件包:

代码语言:javascript
复制
root@Ispsrv:~# apt -y install bind9 dnsutils

安装好之后在bind下面会出现这些目录代表含义:

代码语言:javascript
复制
root@Ispsrv:~# cd /etc/bind/

db.127 #反向区域数据库,用于将ip解析为对应的域名
db.local #正向区域数据库,用于将域名解析为对应的IP地址
named.conf.default-zones #默认区域
named.conf.local #用于定义解析域,也可以直接在named.conf中直接划定解析域
named.conf.options #配置文件,全局选项配置
named.conf #Bind的主配置文件,不包含DNS数据

定义解析域以及隐藏版本:

代码语言:javascript
复制
#先去named.conf.default-zones 文件内复制最后一个zone然后粘贴到named.conf.local

root@Ispsrv:~# cd /etc/bind/
root@Ispsrv:/etc/bind# vim named.conf.default-zones 进入复制
#保存退出然后进入
root@Ispsrv:/etc/bind# vim named.conf.local
#原内容

root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

#添加后内容为:

root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone ".";
zone "chinaskills.cn";
};
-----------------------------------------------------------------------------

复制db.local文件:

代码语言:javascript
复制
root@Ispsrv:/etc/bind# cp -a db.local root.zone
root@Ispsrv:/etc/bind# vim root.zone
#原内容

root@Ispsrv:/etc/bind# cat root.zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1

#修改后内容为

root@Ispsrv:/etc/bind# cat root.zone
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.

  •   IN      A       81.6.63.100
    

-----------------------------------------------------------------------------

添加version “[unknow]”:

代码语言:javascript
复制
root@Ispsrv:/etc/bind# vim named.conf.options
#原文件内容

root@Ispsrv:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };

};

#修改后内容

root@Ispsrv:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";
version "[unknow]";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };

};
-----------------------------------------------------------------------------

启用chroot功能:

代码语言:javascript
复制
#修改在/var/named下运行
root@Ispsrv:~# vim /etc/default/bind9
#原文件内容

root@Ispsrv:~# cat /etc/default/bind9

run resolvconf?

RESOLVCONF=no

startup options for the server

OPTIONS="-u bind"

#修改后文件

root@Ispsrv:~# cat /etc/default/bind9

run resolvconf?

RESOLVCONF=no

startup options for the server

OPTIONS="-u bind -t /var/named/chroot"
-----------------------------------------------------------------------------

启用chroot

代码语言:javascript
复制
root@Ispsrv:# cd /
root@Ispsrv:
# mkdir -p /var/named/chroot/{etc,dev,run/named,/var/cache/bind} #创建运行目录
root@Ispsrv:~# mknod /var/named/chroot/dev/null c 1 3
root@Ispsrv:~# mknod /var/named/chroot/dev/random c 1 8
root@Ispsrv:~# mknod /var/named/chroot/dev/urandom c 1 9
root@Ispsrv:~# chmod 660 /var/named/chroot/dev/{null,random,urandom} #修改权限
root@Ispsrv:~# cp /etc/bind /var/named/chroot/etc -r #将bind移动到chroot目录中
root@Ispsrv:~# ln -s /var/named/chroot/etc/bind /etc/bind #创建软连接
root@Ispsrv:~# chown bind:bind /var/named/chroot/etc/bind/rndc.key
root@Ispsrv:~# chown bind:bind /var/named/chroot/run/named
root@Ispsrv:~# chmod 775 /var/named/chroot/{var/cache/bind,/run/named}
root@Ispsrv:~# chgrp bind /var/named/chroot/{var/cache/bind,/run/named} #更改所有权

启用chroot还需要/usr/share/dns下的文件:

代码语言:javascript
复制
root@Ispsrv:~# mkdir -p /var/named/chroot/usr/share/dns      #创建目录
root@Ispsrv:~# cp /usr/share/dns/* /var/named/chroot/usr/share/dns/ #复制文件

最后告诉rsyslog在正确位置监听绑定日志:

代码语言:javascript
复制
root@Ispsrv:~# echo "$AddUnixListenSocket /var/named/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf

重启rsyslog和bind9

代码语言:javascript
复制
root@Ispsrv:/# systemctl restart rsyslog
root@Ispsrv:/# systemctl restart bind9

如果需要修改配置文件需要去chroot目录修改并重启。

代码语言:javascript
复制
root@Ispsrv:/# rm /etc/bind -rf
root@Ispsrv:/# vim /var/named/chroot/etc/bind/named.conf.local
root@Ispsrv:/# ln -s /var/named/chroot/etc/bind /etc/bind
root@Ispsrv:/# systemctl restart bind9

设置好dns地址进行测试:

代码语言:javascript
复制
root@Ispsrv:/# vim /etc/resolv.conf
#添加如下内容即可
nameserver 81.6.63.100

测试主备需要把防火墙DNAT配置好(在Routersrv上面配置完成后即可测试)

代码语言:javascript
复制
root@skills-PC:~# nslookup www.chinaskills.cn
Server: 81.6.63.100
Address: 81.6.63.100#53

Name: www.chinaskills.cn
Address: 192.168.100.100

root@skills-PC:/etc/bind# nslookup any.any.any
Server: 81.6.63.100
Address: 81.6.63.100#53

Name: any.any.any
Address: 81.6.63.100

root@skills-PC:/var/named/chroot/etc/bind# nslookup -q=txt -class=CHAOS version.bind. localhost
Server: localhost
Address: 127.0.0.1#53

version.bind text = "[unknow]"

root@skills-PC:/var/named/chroot/etc/bind#