Name | Operator | Location | IP address |
---|---|---|---|
A | INTERNIC.NET | Virginia, USA | 198.41.0.4 |
B | Information Sciences Institute (USA) | California, USA | 128.9.0.107 |
C | PSINet | Virginia, USA | 192.33.4.12 |
D | University of Maryland | Maryland, USA | 128.8.10.90 |
E | NASA | California, USA | 192.203.230.10 |
F | Internet Software Consortium | California, USA | 192.5.5.241 |
G | US DoD Network Information Center | Virginia, USA | 192.112.36.4 |
H | US Army Research Laboratory | Maryland, USA | 128.63.2.53 |
I | Autonomica | Stockholm, Sweden | 192.36.148.17 |
J | VeriSign | Virginia, USA | 192.58.128.30 |
K | RIPE-NCC | London, UK | 193.0.14.129 |
L | IANA | Virginia, USA | 199.7.83.42 |
M | WIDE Project | Tokyo, Japan | 202.12.27.33 |
```
yum install bind-chroot
Loaded plugins: langpacks, product-id, subscription-manager
......(part of the output omitted)......
Installing:
 bind-chroot        x86_64    32:9.9.4-14.el7    rhel     81 k
Installing for dependencies:
 bind               x86_64    32:9.9.4-14.el7    rhel    1.8 M

Transaction Summary
===============================================================================
Install  1 Package (+1 Dependent package)

Total download size: 1.8 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
-------------------------------------------------------------------------------
Total                                       28 MB/s | 1.8 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 32:bind-9.9.4-14.el7.x86_64                          1/2
  Installing : 32:bind-chroot-9.9.4-14.el7.x86_64                   2/2
  Verifying  : 32:bind-9.9.4-14.el7.x86_64                          1/2
  Verifying  : 32:bind-chroot-9.9.4-14.el7.x86_64                   2/2

Installed:
  bind-chroot.x86_64 32:9.9.4-14.el7

Dependency Installed:
  bind.x86_64 32:9.9.4-14.el7

Complete!
```

```
vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```

```
# Forward resolution
vim /etc/named.rfc1912.zones
zone "linuxprobe.com" IN {
        type master;
        file "linuxprobe.com.zone";
        allow-update { none; };
};
cd /var/named/
ls -al named.localhost
-rw-r-----. 1 root named 152 Jun 21  2007 named.localhost
cp -a named.localhost linuxprobe.com.zone
vim linuxprobe.com.zone
systemctl restart named
systemctl restart network
nslookup
> www.linuxprobe.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.linuxprobe.com
Address: 192.168.10.10
> bbs.linuxprobe.com
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   bbs.linuxprobe.com
Address: 192.168.10.20
```

```
# Reverse resolution
vim /etc/named.rfc1912.zones
zone "linuxprobe.com" IN {
        type master;
        file "linuxprobe.com.zone";
        allow-update { none; };
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.arpa";
};
cp -a named.loopback 192.168.10.arpa
vim 192.168.10.arpa
systemctl restart named
nslookup
> 192.168.10.10
Server:         127.0.0.1
Address:        127.0.0.1#53

10.10.168.192.in-addr.arpa      name = ns.linuxprobe.com.
10.10.168.192.in-addr.arpa      name = www.linuxprobe.com.
10.10.168.192.in-addr.arpa      name = mail.linuxprobe.com.
> 192.168.10.20
Server:         127.0.0.1
Address:        127.0.0.1#53

20.10.168.192.in-addr.arpa      name = bbs.linuxprobe.com.
```

```
# Deploying a slave server: zone declarations on the master
vim /etc/named.rfc1912.zones
zone "linuxprobe.com" IN {
        type master;
        file "linuxprobe.com.zone";
        allow-update { 192.168.10.20; };
};
zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.10.arpa";
        allow-update { 192.168.10.20; };
};
systemctl restart named
```

```
# Zone declarations on the slave
vim /etc/named.rfc1912.zones
zone "linuxprobe.com" IN {
        type slave;
        masters { 192.168.10.10; };
        file "slaves/linuxprobe.com.zone";
};
zone "10.168.192.in-addr.arpa" IN {
        type slave;
        masters { 192.168.10.10; };
        file "slaves/192.168.10.arpa";
};
systemctl restart named
cd /var/named/slaves
ls
192.168.10.arpa  linuxprobe.com.zone
nslookup
> www.linuxprobe.com
Server:         192.168.10.20
Address:        192.168.10.20#53

Name:   www.linuxprobe.com
Address: 192.168.10.10
> 192.168.10.10
Server:         192.168.10.20
Address:        192.168.10.20#53

10.10.168.192.in-addr.arpa      name = www.linuxprobe.com.
10.10.168.192.in-addr.arpa      name = ns.linuxprobe.com.
10.10.168.192.in-addr.arpa      name = mail.linuxprobe.com.
```

```
# Key-authenticated zone transfer
ls -al /var/named/slaves/
total 12
drwxrwx---. 2 named named   54 Jun  7 16:02 .
drwxr-x---. 6 root  named 4096 Jun  7 15:58 ..
-rw-r--r--. 1 named named  432 Jun  7 16:02 192.168.10.arpa
-rw-r--r--. 1 named named  439 Jun  7 16:02 linuxprobe.com.zone
```
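The forward zone (`linuxprobe.com.zone`) and reverse zone (`192.168.10.arpa`) above are edited by hand, and the two drift apart easily: an A record gets added without its PTR, or a host is renamed in one file only. The script below is an added example, not part of the original tutorial, that generates both files from a single host list and checks an existing pair for A/PTR agreement. The host list mirrors the tutorial's nslookup results; the serial, TTLs and admin mailbox are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the forward zone
# (linuxprobe.com.zone) and the matching reverse zone (192.168.10.arpa) from a
# single constructed host list, then verify that every A record has a PTR
# pointing back at the same name. Serial, TTLs and the admin mailbox are
# assumptions; the hosts mirror the nslookup results in the tutorial.

ZONE="linuxprobe.com"
SERIAL="2017060701"   # constructed; raise it on every change or slaves will not re-transfer

# Constructed host list, "<ip> <hostname>" per line.
HOSTS="192.168.10.10 ns
192.168.10.10 www
192.168.10.10 mail
192.168.10.20 bbs"

# reverse_name 192.168.10.10 -> 10.10.168.192.in-addr.arpa (the PTR owner name)
reverse_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# reverse_zone_name 192.168.10 -> 10.168.192.in-addr.arpa (the zone name for a /24)
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# SOA and NS records shared by both zones; names end in "." so they are absolute.
zone_header() {
    printf '$TTL 1D\n@\tIN SOA\tns.%s. admin.%s. ( %s 1D 1H 1W 3H )\n\tIN NS\tns.%s.\n' \
        "$ZONE" "$ZONE" "$SERIAL" "$ZONE"
}

# Forward zone: one A record per host, owner relative to the zone origin.
forward_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | awk '{ printf "%s\tIN A\t%s\n", $2, $1 }'
}

# Reverse zone: owner is the last octet (relative to 10.168.192.in-addr.arpa),
# target is the absolute host name.
reverse_zone() {
    zone_header
    printf '%s\n' "$HOSTS" | awk -F'[. ]' -v z="$ZONE" '{ printf "%s\tIN PTR\t%s.%s.\n", $4, $5, z }'
}

# write_zones <dir>: write both files under the tutorial's file names.
write_zones() {
    forward_zone > "$1/$ZONE.zone"
    reverse_zone > "$1/192.168.10.arpa"
}

# check_consistency <forward-file> <reverse-file>: exit 0 when every A record
# has a PTR back to the same name, 1 (with a message) on the first mismatch.
check_consistency() {
    awk '$2 == "IN" && $3 == "A" { print $1, $4 }' "$1" | while read -r name ip; do
        octet=${ip##*.}
        awk -v o="$octet" -v t="$name.$ZONE." \
            '$1 == o && $3 == "PTR" && $4 == t { found = 1 } END { exit !found }' "$2" \
            || { echo "missing PTR for $name ($ip) in $2" >&2; exit 1; }
    done
}

# Stand-alone demo: build both zones in a scratch directory and check them.
tmp=$(mktemp -d)
write_zones "$tmp"
check_consistency "$tmp/$ZONE.zone" "$tmp/192.168.10.arpa" && echo "zones in $tmp are consistent"
rm -rf "$tmp"
```

`check_consistency` takes file paths, so it can be run against the real `/var/named/linuxprobe.com.zone` and `/var/named/192.168.10.arpa` before `systemctl restart named`; BIND's own `named-checkzone` validates syntax but does not cross-check the two zones.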
Parameter | Purpose |
---|---|
-a | Algorithm, e.g. RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA |
-b | Key length in bits (an HMAC-MD5 key is between 1 and 512 bits) |
-n | Key type (HOST means a key associated with a host) |
```
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
Kmaster-slave.+157+46845
ls -al Kmaster-slave.+157+46845.*
-rw-------. 1 root root  56 Jun  7 16:06 Kmaster-slave.+157+46845.key
-rw-------. 1 root root 165 Jun  7 16:06 Kmaster-slave.+157+46845.private
cat Kmaster-slave.+157+46845.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 1XEEL3tG5DNLOw+1WHfE3Q==
Bits: AAA=
Created: 20170607080621
Publish: 20170607080621
Activate: 20170607080621
cd /var/named/chroot/etc/
vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "1XEEL3tG5DNLOw+1WHfE3Q==";
};
chown root:named transfer.key
chmod 640 transfer.key
ln transfer.key /etc/transfer.key
vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        allow-transfer  { key master-slave; };
......(part of the output omitted)......
systemctl restart named
```

```
# On the slave (no key configured yet, so nothing is transferred)
rm -rf /var/named/slaves/*
systemctl restart named
ls /var/named/slaves/
cd /var/named/chroot/etc
vim transfer.key
key "master-slave" {
        algorithm hmac-md5;
        secret "1XEEL3tG5DNLOw+1WHfE3Q==";
};
chown root:named transfer.key
chmod 640 transfer.key
ln transfer.key /etc/transfer.key
vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
server 192.168.10.10
{
        keys { master-slave; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
systemctl restart named
ls /var/named/slaves/
192.168.10.arpa  linuxprobe.com.zone
```

```
# Caching server
vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        forwarders { 210.73.64.1; };
......(part of the output omitted)......
systemctl restart named
nslookup
> www.linuxprobe.com
Server:         192.168.10.10
Address:        192.168.10.10#53

Non-authoritative answer:
Name:   www.linuxprobe.com
Address: 113.207.76.73
Name:   www.linuxprobe.com
Address: 116.211.121.154
> 8.8.8.8
Server:         192.168.10.10
Address:        192.168.10.10#53

Non-authoritative answer:
8.8.8.8.in-addr.arpa    name = google-public-dns-a.google.com.

Authoritative answers can be found from:
in-addr.arpa    nameserver = f.in-addr-servers.arpa.
in-addr.arpa    nameserver = b.in-addr-servers.arpa.
in-addr.arpa    nameserver = a.in-addr-servers.arpa.
in-addr.arpa    nameserver = e.in-addr-servers.arpa.
in-addr.arpa    nameserver = d.in-addr-servers.arpa.
in-addr.arpa    nameserver = c.in-addr-servers.arpa.
a.in-addr-servers.arpa  internet address = 199.212.0.73
a.in-addr-servers.arpa  has AAAA address 2001:500:13::73
b.in-addr-servers.arpa  internet address = 199.253.183.183
b.in-addr-servers.arpa  has AAAA address 2001:500:87::87
c.in-addr-servers.arpa  internet address = 196.216.169.10
c.in-addr-servers.arpa  has AAAA address 2001:43f8:110::10
d.in-addr-servers.arpa  internet address = 200.10.60.53
d.in-addr-servers.arpa  has AAAA address 2001:13c7:7010::53
e.in-addr-servers.arpa  internet address = 203.119.86.101
e.in-addr-servers.arpa  has AAAA address 2001:dd8:6::101
f.in-addr-servers.arpa  internet address = 193.0.9.1
f.in-addr-servers.arpa  has AAAA address 2001:67c:e0::1
```

```
# Split-horizon (view-based) resolution
vim /etc/named.conf
......(part of the output omitted)......
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

......(part of the output omitted)......
vim /etc/named.rfc1912.zones
acl "china" { 122.71.115.0/24; };
acl "american" { 106.185.25.0/24; };
view "china" {
        match-clients { "china"; };
        zone "linuxprobe.com" {
                type master;
                file "linuxprobe.com.china";
        };
};
view "american" {
        match-clients { "american"; };
        zone "linuxprobe.com" {
                type master;
                file "linuxprobe.com.american";
        };
};
cd /var/named
cp -a named.localhost linuxprobe.com.china
cp -a named.localhost linuxprobe.com.american
vim linuxprobe.com.china
vim linuxprobe.com.american
```

```
# On a Windows client (cmd)
nslookup www.linuxprobe.com
```
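The key-authenticated transfer section above copies the `Key:` line of the `dnssec-keygen` `.private` file into `transfer.key` by hand and then fixes its ownership and mode. Note that it is `allow-transfer { key master-slave; }` that decides who may pull the zone; the earlier `allow-update { 192.168.10.20; }` lines only permit dynamic updates from that address. The script below is an added example, not part of the original tutorial: it extracts the secret and algorithm from a `.private` file, renders the `key {}` clause, and refuses to finish if the clause file is readable beyond root and the `named` group. The key material in it is a constructed placeholder, not the tutorial's secret. It also maps algorithm 163 to `hmac-sha256`, which current BIND releases prefer over the deprecated HMAC-MD5.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: read the .private file that
# dnssec-keygen writes, render the key {} clause BIND expects in transfer.key,
# and stop if the clause file ends up readable by anyone outside root and the
# named group. The key below is a constructed placeholder, not a real secret.

# Constructed sample of `cat Kmaster-slave.+157+NNNNN.private`.
SAMPLE_PRIVATE='Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: c2VjcmV0LWZvci1leGFtcGxlLW9ubHk=
Bits: AAA=
Created: 20170607080621
Publish: 20170607080621
Activate: 20170607080621'

# key_secret <private-file>: the base64 secret on the "Key:" line.
key_secret() {
    awk '$1 == "Key:" { print $2; exit }' "$1"
}

# key_algorithm <private-file>: map the private-use algorithm number to the
# name BIND uses in the key clause (157 = HMAC-MD5, 161 = HMAC-SHA1, 163 = HMAC-SHA256).
key_algorithm() {
    num=$(awk '$1 == "Algorithm:" { print $2; exit }' "$1")
    case "$num" in
        157) echo hmac-md5 ;;
        161) echo hmac-sha1 ;;
        163) echo hmac-sha256 ;;
        *)   echo "unsupported TSIG algorithm number '$num'" >&2; return 1 ;;
    esac
}

# render_key_clause <key-name> <private-file>: the clause for transfer.key.
render_key_clause() {
    alg=$(key_algorithm "$2") || return 1
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$alg" "$(key_secret "$2")"
}

# check_key_mode <file>: 0 when the mode is 0640 or stricter (group may at
# most read, "other" has no access at all), 1 otherwise.
check_key_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    mode=$(printf '%04d' "$mode")
    case "$mode" in
        ??[04]0) return 0 ;;
        *) echo "$1: mode $mode is too permissive (want 0640 or stricter)" >&2; return 1 ;;
    esac
}

# install_key_clause <key-name> <private-file> <dest>: write the clause under
# a restrictive umask so it is never world-readable, then apply the tutorial's
# 640. On a real server also run `chown root:named <dest>` (omitted: needs root).
install_key_clause() {
    ( umask 077; render_key_clause "$1" "$2" > "$3" ) || return 1
    chmod 640 "$3"
    check_key_mode "$3"
}

# Stand-alone demo with the constructed key file.
tmp=$(mktemp -d)
printf '%s\n' "$SAMPLE_PRIVATE" > "$tmp/Kmaster-slave.private"
install_key_clause master-slave "$tmp/Kmaster-slave.private" "$tmp/transfer.key" && cat "$tmp/transfer.key"
rm -rf "$tmp"
```

The same secret must be installed on both master and slave; `check_key_mode` is worth running on each host after the `ln transfer.key /etc/transfer.key` step, since a hard link shares the inode and therefore the mode of the original file.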
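In the split-horizon configuration above, `named` walks the `view` blocks in file order and serves a client from the first view whose `match-clients` ACL contains its source address; a client matching no view gets no answer. The script below is an added example, not part of the original tutorial, that models that selection with the tutorial's two ACLs so you can predict which zone file a client would see before restarting `named`. The client addresses in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: a model of how BIND's
# match-clients selects a view, using the tutorial's two ACLs, so you can
# predict which zone file (linuxprobe.com.china or linuxprobe.com.american)
# a client would be answered from. Client addresses in the demo are constructed.

# ACL table, "<view> <prefix>" per line, in the order the views appear in
# named.rfc1912.zones: named tries views top to bottom and the first match wins.
ACLS="china 122.71.115.0/24
american 106.185.25.0/24"

# ip_to_int 192.168.10.10 -> 3232238090
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr <ip> <prefix/len>: exit 0 when ip lies inside the prefix.
in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# match_view <ip>: print the first view whose ACL matches, or "none".
# With no matching view, named has no zone data for the client and refuses the query.
match_view() {
    printf '%s\n' "$ACLS" | {
        while read -r view prefix; do
            if in_cidr "$1" "$prefix"; then
                echo "$view"
                exit 0
            fi
        done
        echo none
    }
}

# zone_file_for <ip>: the zone file the tutorial assigns to the matched view.
zone_file_for() {
    view=$(match_view "$1")
    if [ "$view" = none ]; then
        echo none
        return 1
    fi
    echo "linuxprobe.com.$view"
}

# Stand-alone demo with constructed client addresses.
for client in 122.71.115.7 106.185.25.9 8.8.8.8; do
    echo "$client -> view $(match_view "$client") ($(zone_file_for "$client"))"
done
```

Because only the first matching view is used, an ACL such as `any` or `0.0.0.0/0` belongs in the last view; placing it first would capture every client, including the ones the more specific views were written for.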