Table of Contents
BIND installation and deployment
Forward resolution
Write the zone configuration file
Write the zone data file
Change the DNS address parameter in the network card to the local IP address (127.0.0.1)
Reverse resolution
Write the zone configuration file
Write the zone data file
Check the results: change the DNS address parameter in the network card to the local address
Master-slave server deployment
Allow the slave server to pull the zones in the master server's zone configuration file
Turn off the firewall on the master server or add rules so that DNS traffic can pass
Install the bind-chroot package on the slave server
Fill in the IP address of the master server and the zones to be pulled on the slave server
Check the resolution results
Encrypted transmission
Generate the key on the master server
Create the key verification file on the master server
Enable and load the key verification function of the bind service
Configure the slave server
Create a key authentication file to support key authentication
Enable and load the key verification function of the slave server
The slave server synchronizes the zone data from the master
Perform resolution verification again
DNS caching server
Add cache forwarding parameters in the main configuration file of the bind service program
Split resolution (views)
Modify the main configuration file of the bind service
Write the zone configuration file
Create the zone data files
Change the DNS server addresses of the different clients to the corresponding addresses
BIND installation and deployment
Install the bind service program
# Install the bind service program together with the chroot ("cage") extension package
yum install bind-chroot
In Linux the BIND service program is called named. Open its main configuration file and change the two addresses that restrict the service, listen-on port 53 { 127.0.0.1; }; (line 11 of the stock file) and allow-query { localhost; }; (line 19), to any, so that named listens on every IP address of the server and any host can send it queries. allow-query { any; }; is what an authoritative server needs; on a server that also recurses (the caching server later on this page) it must be paired with allow-recursion { ...; }; or recursion no;, otherwise the server becomes an open resolver.
vim /etc/named.conf
Forward resolution
Write the zone configuration file
# Clear the original content of the file and keep only the zone for our own domain
vim /etc/named.rfc1912.zones
# Replace the original content with the following
zone "g.com" IN {
    type master;
    file "g.com.zone";
    allow-update { none; };
};
Write the zone data file
# Switch directory
cd /var/named
# Check the template file
ls -al named.localhost
# Copy the forward-zone template (-a keeps the owner and mode that named expects)
cp -a named.localhost g.com.zone
# Edit it
vim g.com.zone
# Change the content to the following (fully qualified names end with a dot)
$TTL 1D
@       IN SOA  g.com. admin.g.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.g.com.
ns      IN A    172.20.10.3
www     IN A    172.20.10.3
# (named-checkzone g.com g.com.zone reports syntax errors before you restart)
# Restart the named service program and enable it at boot
systemctl restart named
systemctl enable named
Change the DNS address parameter in the network card to the local IP address (127.0.0.1)
# Modify the network card parameters (set the DNS server to 127.0.0.1)
nmtui
# Then check whether resolution succeeds
nslookup www.g.com
Reverse resolution
Write the zone configuration file
vim /etc/named.rfc1912.zones
# Add the following content (the octets of the 172.20.10.0/24 network are written in reverse order)
zone "10.20.172.in-addr.arpa" IN {
    type master;
    file "172.20.10.arpa";
    allow-update { none; };
};
Write the zone data file
# Switch directory
cd /var/named/
cp -a named.loopback 172.20.10.arpa
vim 172.20.10.arpa
# Change the content to the following
$TTL 1D
@       IN SOA  g.com. admin.g.com. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.g.com.
ns      A       172.20.10.3
3       PTR     ns.g.com.
3       PTR     www.g.com.
4       PTR     bbs.g.com.
# Restart the service
systemctl restart named
Check the results: change the DNS address parameter in the network card to the local address again, then look up an address (for example nslookup 172.20.10.3) to confirm that the PTR records come back.
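Both zone files above are typed by hand, which is how A and PTR records drift apart. As an added example that is not part of the original page, the following shell script derives the forward zone and the matching in-addr.arpa zone from one host list (the page's lab domain, network and hosts are the input; the function and variable names are the example's own) and gives both zones a date-based serial instead of the page's fixed 0.

```shell
#!/bin/sh
# Added example (not from the page): generate a forward zone and its matching
# reverse zone from a single host list, so A and PTR records stay in step.
# Domain, network and hosts below are the page's lab values; function names
# are this example's own.

# Reverse an IPv4 /24 prefix such as 172.20.10 into its in-addr.arpa zone name.
reverse_name() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1"
}

# YYYYMMDDnn serial. Slaves re-transfer a zone only when the serial is higher
# than the copy they hold, so a serial left at 0 leaves them stale after edits.
zone_serial() {
    printf '%s01\n' "$(date +%Y%m%d)"
}

# Shared SOA/NS header: $1 domain, $2 nameserver host, $3 serial
zone_header() {
    printf '$TTL 1D\n'
    printf '@\tIN SOA\t%s.%s. admin.%s. (\n' "$2" "$1" "$1"
    printf '\t\t%s\t; serial\n\t\t1D\t; refresh\n\t\t1H\t; retry\n\t\t1W\t; expire\n\t\t3H )\t; minimum\n' "$3"
    printf '\tIN NS\t%s.%s.\n' "$2" "$1"
}

# Forward zone: $1 domain, $2 ns host, $3 serial, $4 "name=ip name=ip ..."
forward_zone() {
    zone_header "$1" "$2" "$3"
    for entry in $4; do
        printf '%s\tIN A\t%s\n' "${entry%%=*}" "${entry#*=}"
    done
}

# Reverse zone: $1 domain, $2 ns host, $3 serial, $4 /24 prefix, $5 host list.
# Hosts outside the prefix get a comment instead of a wrong PTR.
reverse_zone() {
    zone_header "$1" "$2" "$3"
    for entry in $5; do
        ip=${entry#*=}
        case $ip in
            "$4".*) printf '%s\tIN PTR\t%s.%s.\n' "${ip##*.}" "${entry%%=*}" "$1" ;;
            *)      printf ';; %s is outside %s.0/24, no PTR emitted\n' "$ip" "$4" ;;
        esac
    done
}

HOSTS="ns=172.20.10.3 www=172.20.10.3 bbs=172.20.10.4"
SERIAL=$(zone_serial)
echo ";; ---- g.com.zone ----"
forward_zone g.com ns "$SERIAL" "$HOSTS"
echo ";; ---- $(reverse_name 172.20.10) ----"
reverse_zone g.com ns "$SERIAL" 172.20.10 "$HOSTS"
```

Redirect the two outputs to /var/named/g.com.zone and /var/named/172.20.10.arpa (the file names the zone statements above reference), run named-checkzone on each, and bump the serial every time you regenerate so the slave in the next section actually pulls the change.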
Master-slave server deployment
Role          | Host              | IP address
Master server | Virtual Machine 1 | 172.20.10.3
Slave server  | Virtual Machine 2 | 172.20.10.4
Allow the slave server to pull the zones in the master server's zone configuration file
vim /etc/named.rfc1912.zones
# In each zone stanza, the directive that governs zone transfers (AXFR/IXFR) is allow-transfer, not allow-update; allow-update only controls dynamic DNS updates and should stay { none; }. Restrict transfers to the slave, for example allow-transfer { 172.20.10.4; };. Without any allow-transfer statement the BIND versions these distributions ship hand the whole zone to any host that asks for it.
# Restart the service program
systemctl restart named
Turn off the firewall on the master server or add rules so that DNS traffic can pass
# Stopping firewalld is acceptable only in a lab. On a real server open just the DNS service (firewall-cmd --permanent --add-service=dns, then firewall-cmd --reload): that admits UDP and TCP port 53, and zone transfers need TCP.
systemctl stop firewalld
Install the bind-chroot software package on the slave server
dnf install bind-chroot
# After installation, modify the main configuration file so that the slave server can also provide DNS service to the outside: change listen-on and allow-query to any, as on the master
vim /etc/named.conf
Fill in the IP address of the master server and the zones to be pulled on the slave server
# Open the configuration file
vim /etc/named.rfc1912.zones
# Replace all of its content with the following (newer BIND releases spell masters as primaries; both are accepted)
zone "g.com" IN {
    type slave;
    masters { 172.20.10.3; };
    file "slaves/g.com.zone";
};
zone "10.20.172.in-addr.arpa" IN {
    type slave;
    masters { 172.20.10.3; };
    file "slaves/172.20.10.arpa";
};
# Restart the service
systemctl restart named
Check the resolution results
# Configure the network parameters of the slave server and change its DNS address to 172.20.10.4
nmtui
# Then check the resolution results (the transferred zone files appear under /var/named/slaves/)
nslookup www.g.com
Encrypted transmission
This experiment still uses the two servers above. Despite the heading, TSIG does not encrypt anything: it signs each transfer request with a shared HMAC key, so the master can refuse transfers to anyone who does not hold the key and the slave can verify that the zone really came from the master and was not altered on the way. The zone data itself still crosses the network in clear text.
Generate the key on the master server
# Generate the shared key. HMAC-MD5 is deprecated; prefer -a HMAC-SHA256 -b 256. On BIND 9.13 or newer dnssec-keygen no longer creates TSIG keys at all: run tsig-keygen -a hmac-sha256 master-slave instead, which prints a complete key statement ready to paste into the file created in the next step.
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave
# View the generated key files (the numbers differ per run: 157 is the algorithm number of HMAC-MD5, the last number is the key tag)
ls -l Kmaster-slave.+157+16153.*
# View the key value and record it: the string after "Key:" in the private file
cat Kmaster-slave.+157+16153.private
Create the key verification file on the master server
# Switch directory
cd /var/named/chroot/etc
# Create the file
vim transfer.key
# Add the following content; /BR2E/za4kqfXAlbg1K8Iw== is the key value and differs for everyone
key "master-slave" {
    algorithm hmac-md5;
    secret "/BR2E/za4kqfXAlbg1K8Iw==";
};
# For security, change the group of the file to named so the service can read it
chown root:named transfer.key
# Tighten the permissions: the secret must not be world-readable
chmod 640 transfer.key
# Create a hard link so the same file is visible at /etc/transfer.key outside the chroot and at etc/transfer.key inside it
ln transfer.key /etc/transfer.key
Enable and load the key verification function of the bind service
# Load the key file in the main configuration file of the master server, then restrict transfers to requests signed with it
vim /etc/named.conf
# Add the following two lines: the include at top level, allow-transfer inside options { }
include "/etc/transfer.key";
allow-transfer { key master-slave; };
# Then restart the service
systemctl restart named
Configure the slave server
# Clear the zone data files previously synchronized into the slave directory
rm -rf /var/named/slaves/*
# Restart the bind service program: now that the master demands a signed request, the slave no longer receives the zones
systemctl restart named
ls /var/named/slaves/
Create a key authentication file to support key authentication
# Switch directory
cd /var/named/chroot/etc/
# Create the configuration file
vim transfer.key
# Enter the following content, identical to the master's
key "master-slave" {
    algorithm hmac-md5;
    secret "/BR2E/za4kqfXAlbg1K8Iw==";
};
# Set the permissions and the hard link
chown root:named transfer.key
chmod 640 transfer.key
ln transfer.key /etc/transfer.key
Enable and load the key verification function of the slave server
vim /etc/named.conf
# Add the following: the include near the top of the file (line 9 in the stock file) and the server statement at the end (around line 51), outside options { }. The server statement makes the slave sign every request it sends to 172.20.10.3 with the key.
include "/etc/transfer.key";
server 172.20.10.3 {
    keys { master-slave; };
};
The slave server synchronizes the zone data from the master
# Restart the bind service program
systemctl restart named
# The zone data files are synchronized again
ls /var/named/slaves/
Perform parsing and verification again
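The key generation, key file and the two named.conf fragments above are spread over five steps and three files. As an added example, not the page's own procedure, the following script produces all of them in one place, substituting hmac-sha256 for the page's HMAC-MD5 and doing what tsig-keygen does by hand (32 random bytes, base64-encoded). It also checks the written key file the way a practitioner should before deploying it: a secret that does not decode to the expected length makes every transfer fail with a TSIG verify error. The key name and master address are the page's lab values; the output directory and function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the page): generate a TSIG key the way tsig-keygen
# does, with hmac-sha256 rather than the deprecated hmac-md5, write the key
# statement with tight permissions, and emit the matching named.conf
# fragments for master and slave. Key name and addresses are the page's lab
# values; the output directory is an assumption for the demo.

# 32 random bytes, base64-encoded: the secret length HMAC-SHA256 expects.
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write key "<name>" { algorithm hmac-sha256; secret "..."; }; to $2, mode 640.
# (On the real server follow with chown root:named, as the page does.)
write_tsig_key() {   # $1 key name, $2 path, $3 secret
    umask 027
    printf 'key "%s" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' "$1" "$3" > "$2"
    chmod 640 "$2"
}

# Sanity check before deploying: the file carries one hmac-sha256 key whose
# secret decodes to 32 bytes (a truncated or hand-edited secret breaks every
# transfer with "tsig verify failure").
check_tsig_key() {   # $1 path
    secret=$(sed -n 's/.*secret "\([^"]*\)".*/\1/p' "$1")
    [ -n "$secret" ] || return 1
    n=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c)
    [ $((n)) -eq 32 ] || return 1
    grep -q 'algorithm hmac-sha256;' "$1"
}

# named.conf fragment for the master: load the key, then allow transfers
# only to requests signed with it (allow-update is the wrong knob for this).
master_fragment() {   # $1 key name, $2 key path
    printf 'include "%s";\nallow-transfer { key %s; };\n' "$2" "$1"
}

# Fragment for the slave: sign every request sent to the master with the key.
slave_fragment() {   # $1 key name, $2 key path, $3 master ip
    printf 'include "%s";\nserver %s {\n\tkeys { %s; };\n};\n' "$2" "$3" "$1"
}

dir=$(mktemp -d)
write_tsig_key master-slave "$dir/transfer.key" "$(tsig_secret)"
check_tsig_key "$dir/transfer.key" && echo "key file OK: $dir/transfer.key"
echo "--- master named.conf additions ---"
master_fragment master-slave /etc/transfer.key
echo "--- slave named.conf additions ---"
slave_fragment master-slave /etc/transfer.key 172.20.10.3
```

Copy the single key file to both servers over an authenticated channel (scp, not the zone transfer itself), keep 640 root:named on both, and note that allow-transfer { key master-slave; }; in the master fragment replaces any address-based allow-transfer: a host that knows the slave's IP but not the key gets REFUSED.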
DNS caching server
Host name    | Host              | IP address
Cache server | Virtual Machine 1 | NIC 1: bridged; NIC 2: host-only, 172.20.10.10
Client       | Virtual Machine 2 | host-only, 172.20.10.20
Add cache forwarding parameters in the main configuration file of the bind service program
vim /etc/named.conf
# Add a line forwarders { upstream DNS server address; }; inside options { }, at about line 20:
forwarders { 210.42.249.131; };
# Add forward only; as well if queries must always go through the upstream and never fall back to resolving from the root servers. A caching server answers recursive queries, so with allow-query { any; } it must also carry allow-recursion { 172.20.10.0/24; }; (or the equivalent for your network); otherwise it is an open resolver that anyone on the internet can use and abuse for reflection attacks.
# Restart the DNS service
systemctl restart named
# Remember the firewall (stop it in the lab, or open the dns service as described above)
systemctl stop firewalld
Set the DNS server address parameters of the client host
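The caching server above answers recursive queries for everyone allow-query admits, the master-slave section earlier works without any allow-transfer statement, and the TSIG section uses HMAC-MD5. As an added example that is not part of the page, the following script audits a named.conf for exactly those three exposures. The two sample configurations are constructed for the demo (one in the state this page's steps leave the file in, one hardened); the function names are the example's own, and the forwarder address is the page's.

```shell
#!/bin/sh
# Added example (not from the page): audit a named.conf for three exposures
# the steps on this page can leave behind: an open recursive resolver,
# unrestricted zone transfers, and a TSIG key on deprecated hmac-md5.
# The two sample configurations are constructed for the demo; function
# names are this example's own.

# Remove //, # and single-line /* */ comments so commented-out settings do
# not count. (A "//" inside a quoted secret is not special-cased.)
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' -e 's:/\*.*\*/::' "$1"
}

# Print only the options { ... } block, counting braces so nested lists
# such as forwarders { ...; }; do not end it early.
options_block() {
    strip_comments "$1" | awk '
        /^[[:space:]]*options[[:space:]]*[{]/ { inblk = 1 }
        inblk {
            print
            depth += gsub(/[{]/, "{"); depth -= gsub(/[}]/, "}")
            if (depth == 0) exit
        }'
}

has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# One line per finding; no output means nothing found.
audit_named_conf() {
    opts=$(options_block "$1")
    all=$(strip_comments "$1")

    # 1. Recursion is on unless "recursion no;" is set. With allow-query
    #    { any; } (or no allow-query at all, whose default is any) and no
    #    allow-recursion, the whole internet may use this cache.
    if ! has "$opts" 'recursion[[:space:]]+no;' && ! has "$opts" 'allow-recursion' \
       && { ! has "$opts" 'allow-query' || has "$opts" 'allow-query[[:space:]]*[{][[:space:]]*any;'; }; then
        echo "open resolver: add allow-recursion { <your networks>; }; or recursion no;"
    fi

    # 2. An authoritative zone with no allow-transfer anywhere can be AXFRed by any host.
    if has "$all" 'type[[:space:]]+(master|primary);' && ! has "$all" 'allow-transfer'; then
        echo "unrestricted zone transfers: add allow-transfer { key <tsig-key>; }; (or an address list)"
    fi

    # 3. hmac-md5 TSIG keys are deprecated; regenerate with hmac-sha256.
    if has "$all" 'algorithm[[:space:]]+hmac-md5'; then
        echo "weak TSIG algorithm hmac-md5: regenerate the key with hmac-sha256"
    fi
}

# Constructed sample: the state this page's steps leave named.conf in.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    recursion yes;
    forwarders { 210.42.249.131; };
};
key "master-slave" {
    algorithm hmac-md5;
    secret "/BR2E/za4kqfXAlbg1K8Iw==";
};
zone "g.com" IN {
    type master;
    file "g.com.zone";
    allow-update { none; };
};
EOF
}

# Constructed sample: the same server with the three exposures closed.
write_hardened_conf() {
    cat > "$1" <<'EOF'
options {
    listen-on port 53 { any; };
    directory "/var/named";
    allow-query { any; };
    allow-recursion { 172.20.10.0/24; localhost; };
    recursion yes;
    forwarders { 210.42.249.131; };
    forward only;
    allow-transfer { key master-slave; };
};
key "master-slave" {
    algorithm hmac-sha256;
    secret "c29tZSBjb25zdHJ1Y3RlZCBzYW1wbGUgc2VjcmV0IQ==";   // constructed
};
zone "g.com" IN {
    type master;
    file "g.com.zone";
    allow-update { none; };
};
EOF
}

dir=$(mktemp -d)
write_weak_conf "$dir/weak.conf"
write_hardened_conf "$dir/hardened.conf"
echo "== weak =="; audit_named_conf "$dir/weak.conf"
echo "== hardened =="; audit_named_conf "$dir/hardened.conf"
```

Run audit_named_conf against /etc/named.conf and every file it includes (named.rfc1912.zones, transfer.key); with views in use the zone statements live inside the views, which the plain grep still catches. named-checkconf verifies syntax only, it says nothing about these policy problems.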
Split resolution (views)
Host name | IP address
Server    | 192.168.10.1 and 122.71.115.1
Client    | 192.168.10.20
Client 2  | 122.71.115.20
Modify the main configuration file of the bind service
vim /etc/named.conf
# Change the allowed hosts in lines 11 and 19 (listen-on and allow-query) to any, and delete the root hint zone "." in lines 52~55: once views are defined every zone must live inside a view, and named refuses to start if a zone is declared outside one.
Write the zone configuration file
vim /etc/named.rfc1912.zones
# Add the following. Views are tested in the order they appear and the first match-clients that matches wins; a client that matches no view gets REFUSED, so either cover every client or add a final catch-all view with match-clients { any; };
acl "china" { 192.168.10.0/24; };
acl "america" { 122.71.115.0/24; };
view "china" {
    match-clients { "china"; };
    zone "g.com" {
        type master;
        file "g.com.china";
    };
};
view "america" {
    match-clients { "america"; };
    zone "g.com" {
        type master;
        file "g.com.america";
    };
};
Create the zone data files
cd /var/named
cp -a named.localhost g.com.china
cp -a named.localhost g.com.america
vim g.com.china
# Enter the following
$TTL 1D
@       IN SOA  g.com. rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.g.com.
ns      IN A    192.168.10.150
www     IN A    192.168.10.222
# Then the other file
vim g.com.america
# Enter the following
$TTL 1D
@       IN SOA  g.com. rname.invalid. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
        NS      ns.g.com.
ns      IN A    122.71.115.188
www     IN A    122.71.115.144
# Restart the service
systemctl restart named
Change the DNS server addresses of different clients to the corresponding addresses
Client with IP 192.168.10.20 (DNS server 192.168.10.1): nslookup www.g.com returns 192.168.10.222, the answer from the "china" view.
Client with IP 122.71.115.20 (DNS server 122.71.115.1): nslookup www.g.com returns 122.71.115.144, the answer from the "america" view.
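Which answer a client receives depends entirely on how named matches its source address against the match-clients lists, in order. As an added example that is not part of the page, the following script reproduces that selection in shell arithmetic for the two views above, including the case the page does not show: a client from a third network matches no view and is answered REFUSED unless a catch-all view is appended. Only address ACLs are modelled (BIND also accepts TSIG keys and "!" negation in match-clients); view names and networks are the page's lab values, the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the page): reproduce how named chooses a view for a
# client. match-clients lists are tested in the order the views appear, the
# first match wins, and a client that matches no view is answered REFUSED.
# Only address ACLs are modelled (BIND also accepts TSIG keys and "!" negation).
# View names and networks are the page's lab values.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Is address $1 inside network $2 (a.b.c.d/n)?
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# $1 is the client address; the remaining arguments are "view=network"
# pairs in named.conf order. Prints the selected view, or REFUSED (status 1).
select_view() {
    client=$1; shift
    for entry in "$@"; do
        if in_cidr "$client" "${entry#*=}"; then
            printf '%s\n' "${entry%%=*}"
            return 0
        fi
    done
    printf 'REFUSED\n'
    return 1
}

# The page's two views, then the same list with a catch-all view appended.
VIEWS="china=192.168.10.0/24 america=122.71.115.0/24"
for ip in 192.168.10.20 122.71.115.20 10.0.0.5; do
    echo "$ip -> $(select_view "$ip" $VIEWS)"
done
echo "10.0.0.5 with catch-all -> $(select_view 10.0.0.5 $VIEWS default=0.0.0.0/0)"
```

Order matters in the real configuration exactly as it does here: a view with match-clients { any; } placed first would swallow every client, so a catch-all must be the last view in the file.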