Managing Server DNS

Date: 2022-09-20 20:40:38

1. Make serverb the primary name server for backend. and for the reverse zones of 192.168.0/24 and fde2:6494:1e09:2::/64.

Install BIND9 on serverb. Configure BIND according to the following specification:

- Listen for IPv4 and IPv6 queries on any interface.
- Allow localhost, 172.25.250.254, and 192.168.0.0/24 to request resource data.
- Disable recursion.
- Remove the root (.) hints section.
- Add an include statement for /etc/named.backend.conf.
- In /etc/named.backend.conf, configure zone directives that reference your zone files. You can copy this file from ~/dns-review/files/primary-named.backend.conf on workstation.
- Copy the existing zone files from ~/dns-review/files/zones on workstation to /var/named on serverb, and make sure that named can read them.

1.1 Log in to serverb as student, then switch to the root user.

[student@serverb ~]$ ssh serverb
student@serverb's password: student
[student@serverb ~]$ sudo -i
[sudo] password for student: student

1.2 Install the bind package.

[root@serverb ~]# yum -y install bind

1.3 Edit /etc/named.conf to match the following:

...output omitted...
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 172.25.250.254; 192.168.0.0/24; };
        recursion no;
...output omitted...
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";

1.4 Create the /etc/named.backend.conf include file, which identifies the forward and reverse zones for the backend. subdomain.

[root@serverb ~]# vim /etc/named.backend.conf
zone "backend." IN {
        type master;
        file "backend..zone";
        forwarders {};
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        forwarders {};
};
zone "2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa" IN {
        type master;
        file "fde2.6494.1e09.2.zone";
        forwarders {};
};

Make sure that the /etc/named.backend.conf file is readable, but not writable, by the named group.

[root@serverb ~]# chmod 640 /etc/named.backend.conf
[root@serverb ~]# chgrp named /etc/named.backend.conf

1.5 Copy the three zone files from the ~/dns-review/files/zones directory on workstation to /var/named on serverb:

/var/named/.zone
/var/named/192.168.0.zone
/var/named/fde2.6494.1e09.2.zone

[root@serverb ~]# scp student@workstation:~/dns-review/files/zones/* /var/named/
student@workstation's password:
192.168.0.zone                                100%  801   405.2KB/s   00:00
backend..zone                                 100%  984   802.1KB/s   00:00
fde2.6494.1e09.2.zone                         100%  813   731.4KB/s   00:00

The contents of the zone files should match the following:

/var/named/backend..zone

[root@serverb ~]# cat /var/named/backend..zone
$TTL 300
@ IN SOA serverb.backend.. root.serverb.backend.. (
        06      ;serial number
        1H      ;refresh secondary
        5m      ;retry refresh
        1w      ;expire zone
        1m )    ;cache time-to-live for negative answers
; owner         TTL     CL      type    RDATA
                600     IN      NS      serverb
servera                 IN      A       192.168.0.10
serverb                 IN      A       192.168.0.11
serverc                 IN      A       192.168.0.12
serverd                 IN      A       192.168.0.13
servera                 IN      AAAA    fde2:6494:1e09:2::a
serverb                 IN      AAAA    fde2:6494:1e09:2::b
serverc                 IN      AAAA    fde2:6494:1e09:2::c
serverd                 IN      AAAA    fde2:6494:1e09:2::d

/var/named/192.168.0.zone

[root@serverb ~]# cat /var/named/192.168.0.zone
$TTL 300
@ IN SOA serverb.backend.. root.serverb.backend.. (
        05      ;serial number
        1H      ;refresh secondary
        5M      ;retry refresh
        1W      ;expire zone
        1M )    ;cache time-to-live for negative answers
; owner                         TTL     CL      type    RDATA
                                600     IN      NS      serverb.backend..
10.0.168.192.IN-ADDR.ARPA.              IN      PTR     servera.backend..
11                                      IN      PTR     serverb.backend..
12                                      IN      PTR     serverc.backend..
13                                      IN      PTR     serverd.backend..

/var/named/fde2.6494.1e09.2.zone

[root@serverb ~]# cat /var/named/fde2.6494.1e09.2.zone
$TTL 300
@ IN SOA serverb.backend.. root.serverb.backend.. (
        05      ;serial number
        1H      ;refresh secondary
        5M      ;retry refresh
        1W      ;expire zone
        1M )    ;cache time-to-live for negative answers
; owner                         TTL     CL      type    RDATA
                                600     IN      NS      serverb.backend..
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     servera.backend..
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     serverb.backend..
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     serverc.backend..
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         IN      PTR     serverd.backend..
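A forward zone and its two reverse zones drift apart easily, and a PTR that names the wrong host undermines every log or ACL that trusts reverse lookups. The added Python below (example code, not part of the lab) derives each A/AAAA record's in-addr.arpa or ip6.arpa owner name with the standard library and checks that a PTR points back to the same host; it uses constructed records with the placeholder domain backend.example.test. in place of the domain this copy of the page elides, and plants two defects for the check to find.

```python
import ipaddress
# Constructed records, not the page's zone files; backend.example.test. is a
# placeholder for the domain the page elides. Two deliberate defects: serverd has
# no A record (so PTR 13 is an orphan) and the ::c PTR names servera, not serverc.
FORWARD_ORIGIN = "backend.example.test."
V4_ORIGIN = "0.168.192.in-addr.arpa."
V6_ORIGIN = "2.0.0.0.9.0.e.1.4.9.4.6.2.e.d.f.ip6.arpa."
FORWARD_ZONE = """\
servera IN A 192.168.0.10
serverc IN A 192.168.0.12
servera IN AAAA fde2:6494:1e09:2::a
serverc IN AAAA fde2:6494:1e09:2::c
serverd IN AAAA fde2:6494:1e09:2::d
"""
V4_REVERSE_ZONE = """\
10 IN PTR servera.backend.example.test.
12 IN PTR serverc.backend.example.test.
13 IN PTR serverd.backend.example.test.
"""
V6_REVERSE_ZONE = """\
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR servera.backend.example.test.
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR servera.backend.example.test.
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverd.backend.example.test.
"""

def fqdn(name, origin):
    """Qualify a relative name against its zone origin; DNS names compare case-insensitively."""
    return (name if name.endswith(".") else f"{name}.{origin}").lower()

def records(zone, origin, types):
    """Yield (owner_fqdn, rdata) for 'owner IN TYPE rdata' lines of the requested types."""
    for line in zone.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[1] == "IN" and parts[2] in types:
            yield fqdn(parts[0], origin), parts[3]

def check_reverse_consistency():
    """Return sorted mismatches between A/AAAA records and the PTRs that should mirror them."""
    ptr = {}
    for zone, origin in ((V4_REVERSE_ZONE, V4_ORIGIN), (V6_REVERSE_ZONE, V6_ORIGIN)):
        for owner, target in records(zone, origin, {"PTR"}):
            ptr[owner] = fqdn(target, FORWARD_ORIGIN)
    # reverse_pointer gives "13.0.168.192.in-addr.arpa" or the 32-nibble ip6.arpa name (no trailing dot).
    expected = {ipaddress.ip_address(addr).reverse_pointer + ".": owner
                for owner, addr in records(FORWARD_ZONE, FORWARD_ORIGIN, {"A", "AAAA"})}
    problems = [f"{owner} -> {rev} has PTR {ptr.get(rev)}"
                for rev, owner in expected.items() if ptr.get(rev) != owner]
    problems += [f"orphan PTR {rev} -> {target}"
                 for rev, target in ptr.items() if rev not in expected]
    return sorted(problems)
```

Both defects are reported and nothing else is; the nibble-reversed ip6.arpa names the script computes match the owner names used in the fde2.6494.1e09.2.zone file above.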

1.6 Make sure that the zone files are readable, but not writable, by the named group.

[root@serverb ~]# chmod 640 /var/named/*.zone
[root@serverb ~]# chgrp named /var/named/*.zone

1.7 Configure the firewall to allow DNS traffic, then enable and start the named service on serverb.

[root@serverb ~]# firewall-cmd --add-service=dns --permanent
success
[root@serverb ~]# firewall-cmd --reload
success
[root@serverb ~]# systemctl enable --now named
[root@serverb ~]# firewall-cmd --list-all | grep service
  services: cockpit dhcpv6-client dns ssh

2. Configure a caching name server on servera that meets the following requirements:

Install the unbound package on servera.

Configure unbound to allow queries from the 172.25.250.0/24 subnet, to exempt the zone from DNSSEC validation, and to forward all queries to 172.25.250.254.

Start and enable unbound, and configure the firewall to allow DNS traffic to the server.

2.1 On workstation, use SSH to log in to servera as student. Use sudo -i to switch to root.

[student@workstation ~]$ ssh servera
[student@servera ~]$ sudo -i
[sudo] password for student: student

2.2 Install unbound.

[root@servera ~]# yum install unbound -y

2.3 Configure unbound to allow queries from the 172.25.250.8/24 subnet, to exempt the zone from DNSSEC validation, and to forward all queries to 172.25.250.254.

Create the following file as /etc/unbound/conf.d/server.conf, with permissions 0644, owned by user root and group unbound.

[root@servera ~]# vim /etc/unbound/conf.d/server.conf
server:
    interface-automatic: yes
    access-control: 172.25.250.0/24 allow
    domain-insecure: ""
forward-zone:
    name: "."
    forward-addr: 172.25.250.254

2.4 Generate the private keys and server certificates.

[root@servera ~]# unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus (2 primes)
..++++
........++++
e is 65537 (0x010001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus (2 primes)
..................................++++
.................................++++
e is 65537 (0x010001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use

2.5 Check the syntax of the unbound configuration file.

[root@servera ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf

2.6 Start and enable unbound.

[root@servera ~]# systemctl enable --now unbound
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /usr/lib/systemd/system/unbound.service.

2.7 Configure the firewall to allow DNS traffic to servera.

[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]# firewall-cmd --list-all | grep service
  services: cockpit dhcpv6-client dns ssh

3. Test the operation of the name servers.

Submit queries to confirm answers from the caching name server on servera and from the authoritative primary name server on serverb.

3.1 On servera, query localhost.localdomain via 172.25.250.11. The dig command fails because unbound is configured to allow queries only from the 172.25.250.0/24 network, and 127.0.0.1 is not a member of it.

[student@servera ~]# dig localhost.localdomain @172.25.250.11

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @172.25.250.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f4324ebe0d3e7dc59458019a628b9b10ae42aa0018f23c27 (good)
;; QUESTION SECTION:
;localhost.localdomain.         IN      A

;; Query time: 1 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Mon May 23 14:32:48 GMT 
;; MSG SIZE  rcvd: 78

3.2 Query localhost.localdomain via 192.168.0.11. This succeeds because BIND allows all queries from that subnet.

[student@servera ~]# dig localhost.localdomain @192.168.0.11

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44039
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4081c2f5a37c99bb3ebf6e64628b9bd32b4e4b24bf8723b5 (good)
;; QUESTION SECTION:
;localhost.localdomain.         IN      A

;; ANSWER SECTION:
localhost.localdomain.  86400   IN      A       127.0.0.1

;; AUTHORITY SECTION:
localhost.localdomain.  86400   IN      NS      localhost.localdomain.

;; ADDITIONAL SECTION:
localhost.localdomain.  86400   IN      AAAA    ::1

;; Query time: 1 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Mon May 23 14:36:03 GMT 
;; MSG SIZE  rcvd: 136

3.3 As student on serverb, confirm that the caching name server on servera answers forward lookups. The caching name server on servera caches entries from the backend network, but answers only queries from the classroom network range 172.25.250.0/24.

Look up the IP address of serverd.backend. using servera's address on the classroom network, 172.25.250.10.

[student@serverb ~]$ dig serverd.backend. @172.25.250.10

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverd.backend. @172.25.250.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21912
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;serverd.backend..              IN      A

;; ANSWER SECTION:
serverd.backend..       300     IN      A       192.168.0.13

;; Query time: 4 msec
;; SERVER: 172.25.250.10#53(172.25.250.10)
;; WHEN: Mon May 23 14:43:23 GMT 
;; MSG SIZE  rcvd: 76

3.4 Confirm that IPv4 reverse DNS lookups work for hosts in the 192.168.0.0/24 range.

[student@serverb ~]$ dig -x 192.168.0.13 @localhost

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x 192.168.0.13 @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38780
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c0a3f62a0b4543594fb72455628b9e296ca3a7ed3664bd52 (good)
;; QUESTION SECTION:
;13.0.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
13.0.168.192.in-addr.arpa. 300  IN      PTR     serverd.backend..

;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600     IN      NS      serverb.backend..

;; ADDITIONAL SECTION:
serverb.backend..       300     IN      AAAA    fde2:6494:1e09:2::b
serverb.backend..       300     IN      A       192.168.0.11

;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 14:46:01 GMT 
;; MSG SIZE  rcvd: 193

3.5 Confirm that IPv6 reverse DNS lookups work for hosts in the fde2:6494:1e09:2::0/64 range.

[student@serverb ~]$ dig -x fde2:6494:1e09:2::d @localhost

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x fde2:6494:1e09:2::d @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39808
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 16351321647818d15a115212628b9f0094c0042393c4ef4c (good)
;; QUESTION SECTION:
;d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.9.0.e.1.4.9.4.6.2.e.d.f.ip6.arpa. IN PTR

;; ANSWER SECTION:
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa. 300 IN PTR serverd.backend..

;; AUTHORITY SECTION:
2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa. 600 IN NS serverb.backend..

;; ADDITIONAL SECTION:
serverb.backend..       300     IN      AAAA    fde2:6494:1e09:2::b
serverb.backend..       300     IN      A       192.168.0.11

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 14:49:36 GMT 
;; MSG SIZE  rcvd: 304
