
网络系统管理Linux环境——3.ISPSRV之DNS

时间:2023-03-19 14:31:58浏览次数:48  

题目要求

服务器IspSrv工作任务

2.  DNS

安装BIND9;

配置为DNS根域服务器;

其他未知域名解析,统一解析为该本机IP;

创建正向区域“chinaskills.cn”;

类型为Slave;

主服务器为“AppSrv”;

启用chroot功能,限制bind9在/var/named/chroot/下运行;隐藏bind版本号,版本显示为“unknow”。

项目配置

安装软件包:

root@Ispsrv:~# apt -y install bind9 dnsutils

安装完成后,/etc/bind 目录下会出现以下文件,各自含义如下:

root@Ispsrv:~# cd /etc/bind/

db.127 #反向区域数据库,用于将ip解析为对应的域名
db.local #正向区域数据库,用于将域名解析为对应的IP地址
named.conf.default-zones #默认区域
named.conf.local #用于定义解析域,也可以直接在named.conf中直接划定解析域
named.conf.options #配置文件,全局选项配置
named.conf #Bind的主配置文件,不包含DNS数据

定义解析域以及隐藏版本:

#先去named.conf.default-zones 文件内复制最后一个zone然后粘贴到named.conf.local

root@Ispsrv:~# cd /etc/bind/
root@Ispsrv:/etc/bind# vim named.conf.default-zones 进入复制
#保存退出然后进入
root@Ispsrv:/etc/bind# vim named.conf.local
#原内容
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
-----------------------------------------------------------------------------
#添加后内容为:
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

// Root zone: this server is declared primary for "." and loads its data
// from root.zone.
zone "." {
type master;
file "/etc/bind/root.zone";
};
// Secondary copy of chinaskills.cn, transferred from the primary listed in
// "masters".
zone "chinaskills.cn" {
type slave;
// named writes the transferred zone to this path, so the account it runs as
// must be able to create files there.
// NOTE(review): /etc/bind is normally not writable by that account; a path
// under the "directory" option is the usual place for secondary zones - confirm.
file "/etc/bind/chinaskills.cn.zone";
// The primary is identified by address only; no TSIG key is attached here, so
// zone transfers are not cryptographically authenticated.
masters { 81.6.63.254;};
};
-----------------------------------------------------------------------------

复制db.local文件:

root@Ispsrv:/etc/bind# cp -a db.local root.zone
root@Ispsrv:/etc/bind# vim root.zone
#原内容
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat root.zone
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
-----------------------------------------------------------------------------
#修改后内容为
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat root.zone
; Root zone data, derived from the stock db.local template.
$TTL 604800
; NOTE(review): the SOA primary name and the NS record still point at
; localhost. from the template; confirm whether they should name this host.
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
; Wildcard: any name that has no record of its own in this zone resolves to
; 81.6.63.100 (the "unknown names resolve to this host" requirement).
; NOTE(review): mistyped or nonexistent names get this answer as well, so
; clients using this server are directed to this host for them.
* IN A 81.6.63.100
-----------------------------------------------------------------------------

添加version “[unknow]”(隐藏版本号只能减少信息暴露,不能替代及时更新BIND):

root@Ispsrv:/etc/bind# vim named.conf.options 
#原文件内容
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat named.conf.options
options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

listen-on-v6 { any; };
};
-----------------------------------------------------------------------------
#修改后内容
-----------------------------------------------------------------------------
root@Ispsrv:/etc/bind# cat named.conf.options
// Global named options.
// NOTE(review): no allow-transfer / allow-query / recursion settings appear
// here, so the defaults of the installed BIND version apply - confirm they
// match the intended exposure of this server.
options {
directory "/var/cache/bind";
// Replaces the string returned for CHAOS TXT "version.bind" queries. This only
// conceals the release string; it does not change which release is running.
version "[unknow]";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

// forwarders {
// 0.0.0.0;
// };

//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation auto;

listen-on-v6 { any; };
};
-----------------------------------------------------------------------------

启用chroot功能:

#修改在/var/named下运行
root@Ispsrv:~# vim /etc/default/bind9
#原文件内容
-----------------------------------------------------------------------------
root@Ispsrv:~# cat /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"
-----------------------------------------------------------------------------
#修改后文件
-----------------------------------------------------------------------------
root@Ispsrv:~# cat /etc/default/bind9
#
# run resolvconf?
RESOLVCONF=no

# startup options for the server
# -u bind: named switches to the unprivileged "bind" account once its
#   privileged start-up work is done.
# -t /var/named/chroot: named chroots into this directory, so the paths in its
#   configuration are then resolved relative to it.
OPTIONS="-u bind -t /var/named/chroot"
-----------------------------------------------------------------------------

启用chroot

root@Ispsrv:~# cd /
root@Ispsrv:~# mkdir -p /var/named/chroot/{etc,dev,run/named,/var/cache/bind} #创建运行目录
root@Ispsrv:~# mknod /var/named/chroot/dev/null c 1 3
root@Ispsrv:~# mknod /var/named/chroot/dev/random c 1 8
root@Ispsrv:~# mknod /var/named/chroot/dev/urandom c 1 9
root@Ispsrv:~# chmod 660 /var/named/chroot/dev/{null,random,urandom} #修改权限
root@Ispsrv:~# cp /etc/bind /var/named/chroot/etc -r #将bind配置目录复制到chroot目录中(cp为复制,原/etc/bind目录仍保留)
root@Ispsrv:~# ln -s /var/named/chroot/etc/bind /etc/bind #创建软连接(若原/etc/bind目录尚未移走或删除,链接会落在/etc/bind/bind;下文先删除原目录再重新创建链接)
root@Ispsrv:~# chown bind:bind /var/named/chroot/etc/bind/rndc.key
root@Ispsrv:~# chown bind:bind /var/named/chroot/run/named
root@Ispsrv:~# chmod 775 /var/named/chroot/{var/cache/bind,/run/named}
root@Ispsrv:~# chgrp bind /var/named/chroot/{var/cache/bind,/run/named} #更改所有权

启用chroot还需要/usr/share/dns下的文件:

root@Ispsrv:~# mkdir -p /var/named/chroot/usr/share/dns      #创建目录
root@Ispsrv:~# cp /usr/share/dns/* /var/named/chroot/usr/share/dns/ #复制文件

最后让rsyslog在chroot内的/dev/log套接字上监听bind的日志:

root@Ispsrv:~# echo "\$AddUnixListenSocket /var/named/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf

重启rsyslog和bind9(若系统启用了AppArmor,named的策略文件可能还需要放行chroot路径,否则服务可能无法启动):

root@Ispsrv:/# systemctl restart rsyslog
root@Ispsrv:/# systemctl restart bind9

如果需要修改配置文件,需要到chroot目录下修改,然后重启服务。删除原/etc/bind目录之前,请先确认chroot中的副本完整。

root@Ispsrv:/# rm /etc/bind -rf
root@Ispsrv:/# vim /var/named/chroot/etc/bind/named.conf.local
root@Ispsrv:/# ln -s /var/named/chroot/etc/bind /etc/bind
root@Ispsrv:/# systemctl restart bind9

设置好dns地址进行测试:

root@Ispsrv:/# vim /etc/resolv.conf  
#添加如下内容即可
nameserver 81.6.63.100

测试主备需要把防火墙DNAT配置好(在Routersrv上面配置完成后即可测试)

root@skills-PC:~# nslookup www.chinaskills.cn    
Server: 81.6.63.100
Address: 81.6.63.100#53

Name: www.chinaskills.cn
Address: 192.168.100.100

root@skills-PC:/etc/bind# nslookup any.any.any
Server: 81.6.63.100
Address: 81.6.63.100#53

Name: any.any.any
Address: 81.6.63.100

root@skills-PC:/var/named/chroot/etc/bind# nslookup -q=txt -class=CHAOS version.bind. localhost
Server: localhost
Address: 127.0.0.1#53

version.bind text = "[unknow]"

root@skills-PC:/var/named/chroot/etc/bind#


From: https://blog.51cto.com/lyx888/6131206
