网络系统管理Linux环境——3.ISPSRV之DNS

发布于

题目要求

服务器IspSrv工作任务

2.  DNS

安装BIND9;

配置为DNS根域服务器;

其他未知域名解析,统一解析为该本机IP;

创建正向区域“chinaskills.cn”;

类型为Slave;

主服务器为“AppSrv”;

启用​​chroot​​功能,限制bind9在/var/named/chroot/下运行;隐藏bind版本号,版本显示为“unknow”。

项目配置

安装软件包:

代码语言:javascript
复制
root@Ispsrv:~# apt -y install bind9 dnsutils

安装好之后在bind下面会出现这些目录代表含义:

代码语言:javascript
复制
root@Ispsrv:~# cd /etc/bind/

db.127                 #反向区域数据库,用于将ip解析为对应的域名

db.local             #正向区域数据库,用于将域名解析为对应的IP地址

named.conf.default-zones     #默认区域

named.conf.local          #用于定义解析域,也可以直接在named.conf中直接划定解析域

named.conf.options        #配置文件,全局选项配置

named.conf           #Bind的主配置文件,不包含DNS数据

定义解析域以及隐藏版本:

代码语言:javascript
复制
#先去named.conf.default-zones 文件内复制最后一个zone然后粘贴到named.conf.local


root@Ispsrv:~# cd /etc/bind/

root@Ispsrv:/etc/bind# vim named.conf.default-zones  进入复制

#保存退出然后进入

root@Ispsrv:/etc/bind# vim named.conf.local

#原内容


root@Ispsrv:/etc/bind# cat named.conf.local

//

// Do any local configuration here

//


// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";


#添加后内容为:


root@Ispsrv:/etc/bind# cat named.conf.local

//

// Do any local configuration here

//


// Consider adding the 1918 zones here, if they are not used in your

// organization

//include "/etc/bind/zones.rfc1918";


zone ".";

zone "chinaskills.cn";

};

-----------------------------------------------------------------------------

复制db.local文件:

代码语言:javascript
复制
root@Ispsrv:/etc/bind# cp -a db.local root.zone

root@Ispsrv:/etc/bind# vim root.zone

#原内容

root@Ispsrv:/etc/bind# cat root.zone

;

; BIND data file for local loopback interface

;

$TTL    604800

@       IN      SOA     localhost. root.localhost. (

2         ; Serial

604800         ; Refresh

86400         ; Retry

2419200         ; Expire

604800 )       ; Negative Cache TTL

;

@       IN      NS      localhost.

@       IN      A       127.0.0.1

@       IN      AAAA    ::1


#修改后内容为


root@Ispsrv:/etc/bind# cat root.zone

$TTL    604800

@       IN      SOA     localhost. root.localhost. (

2         ; Serial

604800         ; Refresh

86400         ; Retry

2419200         ; Expire

604800 )       ; Negative Cache TTL

;

@       IN      NS      localhost.


    

  • 

      IN      A       81.6.63.100

    

    • 



-----------------------------------------------------------------------------

添加version “[unknow]”:

代码语言:javascript
复制
root@Ispsrv:/etc/bind# vim named.conf.options

#原文件内容

root@Ispsrv:/etc/bind# cat named.conf.options

options {

directory "/var/cache/bind";


    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };



};


#修改后内容


root@Ispsrv:/etc/bind# cat named.conf.options

options {

directory "/var/cache/bind";

version "[unknow]";

// If there is a firewall between you and nameservers you want

// to talk to, you may need to fix the firewall to allow multiple

// ports to talk.  See http://www.kb.cert.org/vuls/id/800113


    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // forwarders {
    //      0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };



};

-----------------------------------------------------------------------------

启用chroot功能:

代码语言:javascript
复制
#修改在/var/named下运行

root@Ispsrv:~# vim /etc/default/bind9

#原文件内容

root@Ispsrv:~# cat /etc/default/bind9




run resolvconf?


RESOLVCONF=no


startup options for the server


OPTIONS="-u bind"


#修改后文件


root@Ispsrv:~# cat /etc/default/bind9




run resolvconf?


RESOLVCONF=no


startup options for the server


OPTIONS="-u bind -t /var/named/chroot"

-----------------------------------------------------------------------------

启用chroot

代码语言:javascript
复制
root@Ispsrv:# cd /

root@Ispsrv:# mkdir -p /var/named/chroot/{etc,dev,run/named,/var/cache/bind}  #创建运行目录

root@Ispsrv:~# mknod /var/named/chroot/dev/null c 1 3

root@Ispsrv:~# mknod /var/named/chroot/dev/random c 1 8

root@Ispsrv:~# mknod /var/named/chroot/dev/urandom c 1 9

root@Ispsrv:~# chmod 660 /var/named/chroot/dev/{null,random,urandom} #修改权限

root@Ispsrv:~# cp /etc/bind /var/named/chroot/etc -r #将bind移动到chroot目录中

root@Ispsrv:~# ln -s /var/named/chroot/etc/bind /etc/bind   #创建软连接

root@Ispsrv:~# chown bind:bind /var/named/chroot/etc/bind/rndc.key

root@Ispsrv:~# chown bind:bind /var/named/chroot/run/named

root@Ispsrv:~# chmod 775 /var/named/chroot/{var/cache/bind,/run/named}

root@Ispsrv:~# chgrp bind /var/named/chroot/{var/cache/bind,/run/named} #更改所有权

启用chroot还需要/usr/share/dns下的文件:

代码语言:javascript
复制
root@Ispsrv:~# mkdir -p /var/named/chroot/usr/share/dns      #创建目录

root@Ispsrv:~# cp /usr/share/dns/* /var/named/chroot/usr/share/dns/  #复制文件

最后告诉rsyslog在正确位置监听绑定日志:

代码语言:javascript
复制
root@Ispsrv:~# echo "$AddUnixListenSocket /var/named/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf

重启rsyslog和bind9

代码语言:javascript
复制
root@Ispsrv:/# systemctl restart rsyslog

root@Ispsrv:/# systemctl restart bind9

如果需要修改配置文件需要去chroot目录修改并重启。

代码语言:javascript
复制
root@Ispsrv:/# rm /etc/bind -rf

root@Ispsrv:/# vim /var/named/chroot/etc/bind/named.conf.local

root@Ispsrv:/# ln -s /var/named/chroot/etc/bind /etc/bind

root@Ispsrv:/# systemctl restart bind9

设置好dns地址进行测试:

代码语言:javascript
复制
root@Ispsrv:/# vim /etc/resolv.conf

#添加如下内容即可

nameserver 81.6.63.100

测试主备需要把防火墙DNAT配置好(在Routersrv上面配置完成后即可测试)

代码语言:javascript
复制
root@skills-PC:~# nslookup www.chinaskills.cn

Server:         81.6.63.100

Address:        81.6.63.100#53


Name:   www.chinaskills.cn

Address: 192.168.100.100


root@skills-PC:/etc/bind# nslookup any.any.any

Server:         81.6.63.100

Address:        81.6.63.100#53


Name:   any.any.any

Address: 81.6.63.100


root@skills-PC:/var/named/chroot/etc/bind# nslookup -q=txt -class=CHAOS version.bind. localhost

Server:         localhost

Address:        127.0.0.1#53


version.bind    text = "[unknow]"


root@skills-PC:/var/named/chroot/etc/bind#

#linux#dns#bind#root#管理