  • linux服务九——内网建DNS服务器

    1、系统环境说明（注意：下面的环境里 SELinux 为 permissive、firewalld 已停止，这只是实验机当时的状态，并不是运行 BIND 的前提。targeted 策略自带 named 的规则，SELinux 可以保持 enforcing；防火墙只需放行 DNS 服务，如 `firewall-cmd --permanent --add-service=dns && firewall-cmd --reload`，不要整体关闭。）

    [root@10e0e0e17 ~]# cat /etc/redhat-release 
    CentOS Linux release 7.6.1810 (Core)
    [root@10e0e0e17 ~]# uname -r 
    3.10.0-957.el7.x86_64
    [root@10e0e0e17 ~]#  sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /sys/fs/selinux
    SELinux root directory:         /etc/selinux
    Loaded policy name:             targeted
    Current mode:                   permissive
    Mode from config file:          enforcing
    Policy MLS status:              enabled
    Policy deny_unknown status:     allowed
    Max kernel policy version:      31
    [root@10e0e0e17 ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: inactive (dead) since Fri 2020-10-16 06:06:56 CST; 16min ago
         Docs: man:firewalld(1)
      Process: 6494 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
     Main PID: 6494 (code=exited, status=0/SUCCESS)
    
    Oct 15 22:18:33 10e0e0e17 systemd[1]: Starting firewalld - dynamic firewall daemon...
    Oct 15 22:18:35 10e0e0e17 systemd[1]: Started firewalld - dynamic firewall daemon.
    Oct 16 06:06:55 10e0e0e17 systemd[1]: Stopping firewalld - dynamic firewall daemon...
    Oct 16 06:06:56 10e0e0e17 systemd[1]: Stopped firewalld - dynamic firewall daemon.
    [root@10e0e0e17 ~]# hostname  -I
    10.0.0.17 

     2、安装bind（建议只装需要的包：`yum install bind bind-utils -y`。`bind*` 通配会把 bind-chroot、bind-dyndb-ldap、bind-sdb 等用不到的包一并装上，徒增攻击面；而且未加引号的 `bind*` 在当前目录恰好有同名文件时会被 shell 展开成文件名。）

    [root@10e0e0e17 ~]#  yum install bind*  -y 
    [root@10e0e0e17 ~]# rpm -ql bind 
    # 文件说明
    [root@clsn6 ~]# rpm -ql bind 
    /etc/named.conf  # 主配置文件
    /etc/named.rfc1912.zones  # 区域解析库文件 
    /var/log/named.log #日志文件
    /var/named #服务根目录

    3、修改配置文件

    备份named.conf并修改

    cp -p /etc/named.conf{,.bak} 

    修改配置文件（下面只截取了 options 段的开头，其后 `recursion yes;` 等默认项未列出）。安全提示：CentOS 自带的 named.conf 默认开启 `recursion yes`，这里又把 `allow-query` 改成 `any`（`localhost;` 与 `any;` 并列是多余的），而前面防火墙已经停掉，等于把 10.0.0.17 变成了一个对所有能访问它 53 端口的主机开放的递归解析器（open resolver），会被用来做 DNS 反射放大攻击。内网 DNS 应把查询和递归都限制在内网网段，例如 `allow-query { localhost; 10.0.0.0/24; };` 和 `allow-recursion { localhost; 10.0.0.0/24; };`，并保持 `listen-on` 只绑定内网地址。

    options {
            listen-on port 53 { 10.0.0.17; };#修改10.0.0.17
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            recursing-file  "/var/named/data/named.recursing";
            secroots-file   "/var/named/data/named.secroots";
            allow-query     { localhost; any;};# 本文改成了 any；内网环境应只放行内网网段，如 { localhost; 10.0.0.0/24; }，并同样限制 allow-recursion

    检查配置是否正确（`named-checkconf` 没有任何输出即表示 named.conf 语法正确；加上 `-z` 可以顺便加载并检查所有区域文件。）

    [root@10e0e0e17 ~]# named-checkconf /etc/named.conf

    4、启动服务

    [root@10e0e0e17 ~]# systemctl start named
    [root@10e0e0e17 ~]# systemctl status named
    ● named.service - Berkeley Internet Name Domain (DNS)
       Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
       Active: active (running) since Fri 2020-10-16 06:39:54 CST; 29s ago
      Process: 8064 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
      Process: 8062 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
     Main PID: 8066 (named)
       CGroup: /system.slice/named.service
               └─8066 /usr/sbin/named -u named -c /etc/named.conf
    
    Oct 16 06:40:02 10e0e0e17 named[8066]: validating ./NS: verify failed due to bad signature (keyid=26116): RRSIG validity period has not begun
    Oct 16 06:40:02 10e0e0e17 named[8066]: validating ./NS: no valid signature found
    Oct 16 06:40:02 10e0e0e17 named[8066]: RRSIG validity period has not begun resolving './NS/IN': 198.41.0.4#53
    Oct 16 06:40:02 10e0e0e17 named[8066]: validating ./NS: verify failed due to bad signature (keyid=26116): RRSIG validity period has not begun
    Oct 16 06:40:02 10e0e0e17 named[8066]: validating ./NS: no valid signature found
    Oct 16 06:40:02 10e0e0e17 named[8066]: RRSIG validity period has not begun resolving './NS/IN': 192.36.148.17#53
    Oct 16 06:40:03 10e0e0e17 named[8066]: validating ./NS: verify failed due to bad signature (keyid=26116): RRSIG validity period has not begun
    Oct 16 06:40:03 10e0e0e17 named[8066]: validating ./NS: no valid signature found
    Oct 16 06:40:03 10e0e0e17 named[8066]: RRSIG validity period has not begun resolving './NS/IN': 198.97.190.53#53
    Oct 16 06:40:04 10e0e0e17 named[8066]: resolver priming query complete

    检查端口（53 端口只绑定在内网地址 10.0.0.17 和 ::1 上；127.0.0.1:953 / ::1:953 是 rndc 的控制通道，默认只监听本机回环地址，不要把它改成对外监听。）

    [root@10e0e0e17 ~]# ss -lntup|grep 53
    udp    UNCONN     0      0      10.0.0.17:53                    *:*                   users:(("named",pid=8066,fd=512))
    udp    UNCONN     0      0       ::1:53                   :::*                   users:(("named",pid=8066,fd=513))
    tcp    LISTEN     0      10     10.0.0.17:53                    *:*                   users:(("named",pid=8066,fd=21))
    tcp    LISTEN     0      128    127.0.0.1:953                   *:*                   users:(("named",pid=8066,fd=23))
    tcp    LISTEN     0      10      ::1:53                   :::*                   users:(("named",pid=8066,fd=22))
    tcp    LISTEN     0      128     ::1:953                  :::*                   users:(("named",pid=8066,fd=24))

    测试DNS服务器（此时还没有配置 yhh.com 区域，查询走的是递归解析。下面返回 SERVFAIL 而不是正常答案，结合启动日志里反复出现的 `RRSIG validity period has not begun`，很可能是本机系统时间落后于根区 DNSSEC 签名的生效时间，导致 DNSSEC 校验失败；应先用 chronyd/ntpdate 校准时间再测，而不是去关闭 `dnssec-validation`。）

    [root@10e0e0e17 ~]# dig yhh.com @10.0.0.17
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> yhh.com @10.0.0.17
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 57052
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;yhh.com.            IN    A
    
    ;; Query time: 4117 msec
    ;; SERVER: 10.0.0.17#53(10.0.0.17)
    ;; WHEN: Fri Oct 16 06:50:09 CST 2020
    ;; MSG SIZE  rcvd: 36

    5.搭建自己的域,让当前的DNS解析www.yhh.com域

    [root@10e0e0e17 ~]# vim /etc/named.rfc1912.zones
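    zone "yhh.com" IN {
            type master;                 # this host is the primary (authoritative) server for yhh.com
            file "yhh.com.zone";         # zone data file, relative to options { directory "/var/named"; }
            allow-update   { none; };    # no dynamic updates (explicit; also BIND's default)
            allow-transfer { none; };    # no secondaries are configured, so refuse AXFR/IXFR from everyone;
                                         # without this BIND 9.11 answers zone transfers to any client that
                                         # reaches tcp/53, exposing the whole internal host list
    };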

    以/var/named目录下的named.localhost为模板,创建yhh.com.zone文件,创建区域数据库

    [root@10e0e0e17 ~]# cd /var/named/
    [root@10e0e0e17 named]# ls
    chroot  chroot_sdb  data  dynamic  dyndb-ldap  named.ca  named.empty  named.localhost  named.loopback  slaves
    [root@10e0e0e17 named]# cp -av named.localhost yhh.com.zone
    ‘named.localhost’ -> ‘yhh.com.zone’

    源文件说明（每行后面的 `# …` 是本文加的说明；区域文件里合法的注释符是 `;` 而不是 `#`，拷贝时不要把这些 `#` 注释带进区域文件。）

    [root@10e0e0e17 named]# cat yhh.com.zone   # 解析区域数据库格式,存放名字与IP的对应关系
    $TTL 1D   # 统一定义TTL(过期时间、缓存时间)
    @    IN SOA    @ rname.invalid. (   # SOA记录：前一个 @ 代表当前区域名；IN 是记录类(Internet)，第一条写了后面可省略；SOA 后的 @ 是主 DNS 服务器名，rname.invalid. 是管理员邮箱，第一个 . 代表 @（即 rname@invalid），应改成真实邮箱如 hostmaster.yhh.com.
                        0    ; serial
                        1D    ; refresh
                        1H    ; retry
                        1W    ; expire
                        3H )    ; minimum
        NS    @    # NS记录：本区域的权威 DNS 服务器名，@ 表示区域本身，因此 @ 必须有一条指向 DNS 服务器的 A 记录
        A    127.0.0.1     # A记录 名字 到 IP   对应IPv4地址
        AAAA    ::1   # AAAA记录 名字 到 IPv6 地址（上一行的 A 记录对应 IPv4）

    修改区域文件（/var/named/yhh.com.zone）。原文的写法有两处需要注意：其一，`NS @` 加上 `@ A 10.0.0.15` 表示本区域的权威 DNS 是 10.0.0.15（web 主机），而真正提供解析的是本机 10.0.0.17，应单独加一条 `ns1 A 10.0.0.17` 并把 NS 写成 `NS ns1`；其二，SOA 中 refresh/retry/expire 全部为 1M（1 分钟），expire 必须远大于 refresh，否则从服务器稍有失联整个区域就会过期，可改为 refresh 1H、retry 15M、expire 1W；另外 rname 字段 `yhh.top.` 表示邮箱 yhh@top 而不是域名，建议写成 `hostmaster.yhh.com.`。

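    $TTL 1D
    ; Zone data for yhh.com; $ORIGIN (yhh.com.) comes from the zone stanza in named.rfc1912.zones.
    ; SOA: first field is the primary name server, second is the responsible mailbox
    ; (the first '.' stands for '@', so hostmaster.yhh.com. == hostmaster@yhh.com).
    @       IN SOA  ns1.yhh.com. hostmaster.yhh.com. (
                                            30      ; serial  - must increase on every edit
                                            1H      ; refresh - how often secondaries re-check the SOA
                                            15M     ; retry   - wait after a failed refresh
                                            1W      ; expire  - must be far longer than refresh, or a
                                                    ;           secondary drops the zone after one hiccup
                                            3M )    ; minimum - negative-caching TTL
    ; The authoritative server is the BIND host (10.0.0.17), not the web host at
    ; 10.0.0.15, so NS needs its own A record instead of pointing at the apex.
            NS      ns1
    ns1     A       10.0.0.17
    www     A       10.0.0.15
    yan     A       10.0.0.15
    @       A       10.0.0.15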

    检查配置文件

    [root@10e0e0e17 named]# named-checkconf  # 检查配置文件是否正确
    # 检查区域配置是否正确
    [root@10e0e0e17 named]# named-checkzone yhh.com /var/named/yhh.com.zone 
    zone yhh.com/IN: loaded serial 30
    OK
    [root@10e0e0e17 named]# rndc reload #重新载入不成功可以重启服务!
    server reload successful

    6、验证测试

    方法一（注意：下面查询的是 yhh.top，而本机只配置了 yhh.com 区域，所以得到 SERVFAIL；应查询 yhh.com 或 www.yhh.com。）

    [root@iso-all ~]# nslookup - 10.0.0.17
    > yhh.top
    Server:        10.0.0.17
    Address:    10.0.0.17#53
    
    ** server can't find yhh.top: SERVFAIL

    方法二（注意：`dig yhh.com 10.0.0.17` 漏了 `@`，dig 把 10.0.0.17 当成第二个要查询的名字，所以实际是系统默认 DNS 114.114.114.114 在回答，返回的 178.62.56.142 是公网 yhh.com 的地址，而不是本机配置的 10.0.0.15；最后的 "no servers could be reached" 是查询名字 "10.0.0.17" 失败的结果。正确写法是 `dig yhh.com @10.0.0.17` 或 `dig @10.0.0.17 www.yhh.com`。）

    [root@10e0e0e17 named]# dig yhh.com 10.0.0.17
    
    ; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.6 <<>> yhh.com 10.0.0.17
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15101
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;yhh.com.            IN    A
    
    ;; ANSWER SECTION:
    yhh.com.        38    IN    A    178.62.56.142
    
    ;; Query time: 26 msec
    ;; SERVER: 114.114.114.114#53(114.114.114.114)
    ;; WHEN: Fri Oct 16 08:15:17 CST 2020
    ;; MSG SIZE  rcvd: 52
    
    ;; connection timed out; no servers could be reached

    方法三（在客户端 10.0.0.15 上 ping；前提是该客户端 /etc/resolv.conf 的 nameserver 已指向 10.0.0.17，否则解析到的会是公网 yhh.com 的地址。）

    root@iso-all ~]# ping www.yhh.com 
    PING www.yhh.com (10.0.0.15) 56(84) bytes of data.
    64 bytes from iso-all (10.0.0.15): icmp_seq=1 ttl=64 time=0.031 ms
    64 bytes from iso-all (10.0.0.15): icmp_seq=2 ttl=64 time=0.080 ms
    64 bytes from iso-all (10.0.0.15): icmp_seq=3 ttl=64 time=0.091 ms
    64 bytes from iso-all (10.0.0.15): icmp_seq=4 ttl=64 time=0.063 ms
  • 原文地址:https://www.cnblogs.com/huihuangyan/p/13845470.html