Typical configuration of DNS server in Linux

Table of Contents

BIND installation and deployment

Forward resolution

Writing the zone configuration file

Writing the zone data file

Change the DNS address parameter in the network card to the local IP address (127.0.0.1)

Reverse resolution

Writing the zone configuration file

Writing the zone data file

Check the results (DNS address parameter in the network card set to the local address)

Master-slave server deployment

Allow update requests from the slave in the master's zone configuration file

Turn off the firewall on the master server or add rules that allow DNS protocol traffic through

Install the bind-chroot package on the slave server

Fill in the master server's IP address and the zones to be transferred on the slave server

Check the resolution results

Encrypted transmission

Generate a key on the master server

Create the key verification file on the master server

Enable and load the key verification function of the bind service

Configure the slave server

Create a key authentication file to support key authentication

Enable and load the key verification function on the slave server

The slave server synchronizes zone data from the master

Perform resolution verification again

DNS caching server

Add cache forwarding parameters to the main configuration file of the bind service program

Split resolution

Modify the main configuration file of the bind service

Writing the zone configuration file

Create the zone data files

Change the DNS server addresses of different clients to the corresponding addresses


BIND installation and deployment

Install the bind service program

#Install the bind service program together with the chroot (the so-called "cage" mechanism) extension package
yum install bind-chroot

In Linux the BIND service program is called named. Open its main configuration file and change the addresses on lines 11 and 19 (the listen-on and allow-query options) to any, so that the server provides DNS resolution on all of its IP addresses and any host can send DNS requests to it.

vim /etc/named.conf

Forward resolution

Writing the zone configuration file
#Clear the file's original content and keep only this server's own zone
vim /etc/named.rfc1912.zones
 
#Replace the original content with the following content
zone "g.com" IN {
        type master;
        file "g.com.zone";
        allow-update { none; };
};
Writing the zone data file
#Switch directory
cd /var/named

#Check the template file
ls -al named.localhost

#Copy the forward resolution template file
cp -a named.localhost g.com.zone

#Edit it
vim g.com.zone

#Modify to the following content
$TTL 1D
@ IN SOA g.com. admin.g.com. (
                                        0;serial
                                        1D; refresh
                                        1H; retry
                                        1W; expire
                                        3H ) ;minimum
        NS ns.g.com.
ns IN A 172.20.10.3
www IN A 172.20.10.3


#Restart the named service program
systemctl restart named

systemctl enable named

Change the DNS address parameter in the network card to the local IP address (127.0.0.1)
#Modify the network card parameters
nmtui
#Then check whether resolution succeeds
nslookup

Reverse resolution

Writing the zone configuration file
vim /etc/named.rfc1912.zones

#Add the following content
zone "10.20.172.in-addr.arpa" IN {
        type master;
        file "172.20.10.arpa";
        allow-update { none; };
};
Writing the zone data file
#Switch directory
cd /var/named/

cp -a named.loopback 172.20.10.arpa

vim 172.20.10.arpa

#Add the following content
$TTL 1D
@ IN SOA g.com. admin.g.com. (
                                        0;serial
                                        1D; refresh
                                        1H; retry
                                        1W; expire
                                        3H ) ;minimum
        NS ns.g.com.
ns A 172.20.10.3
3 PTR ns.g.com.
3 PTR www.g.com.
4 PTR bbs.g.com.

#Restart service
systemctl restart named
Check the results; the DNS address parameter in the network card remains set to the local address.
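
As an added example that is not part of the original article, the following Python script parses the two zone files written above and checks them the way a practitioner would before restarting named: every SOA MNAME/RNAME must be absolute (trailing dot), and every PTR in the reverse zone should have a matching A record in the forward zone and vice versa. The zone text is a constructed copy of the page's files (SOA timers collapsed onto one line; the reverse SOA keeps a relative MNAME so there is something to catch).

```python
# Constructed copies of the two zone files written above.  The reverse zone keeps a
# relative SOA MNAME ("g.com" without the trailing dot), a common slip, on purpose.
FORWARD_ZONE = """$TTL 1D
@ IN SOA g.com. admin.g.com. ( 0 ;serial
        1D 1H 1W 3H ) ;refresh retry expire minimum
        NS ns.g.com.
ns IN A 172.20.10.3
www IN A 172.20.10.3
"""
REVERSE_ZONE = """$TTL 1D
@ IN SOA g.com admin.g.com. ( 0 ;serial
        1D 1H 1W 3H ) ;refresh retry expire minimum
        NS ns.g.com.
3 PTR ns.g.com.
3 PTR www.g.com.
4 PTR bbs.g.com.
"""
TYPES = {"SOA", "NS", "A", "PTR"}

def records(zone_text, origin):
    """Yield (absolute owner, type, rdata); strips ';' comments, joins ( ) continuations, drops IN."""
    owner, cur, depth = "@", [], 0
    for line in (l for l in zone_text.splitlines() if not l.startswith("$")):  # skip $TTL etc.
        for tok in line.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split():
            depth += (tok == "(") - (tok == ")")
            cur += [] if tok in "()" else [tok]
        if depth or not cur:                 # record continues on the next line, or blank line
            continue
        toks, cur = [t for t in cur if t != "IN"], []
        if toks[0] not in TYPES:             # explicit owner; otherwise the previous owner applies
            owner, toks = toks[0], toks[1:]
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        yield name, toks[0], toks[1:]

def audit(fwd_text, rev_text, fwd_origin, rev_origin):
    """Return findings: relative SOA names, and A/PTR pairs that do not match up."""
    fwd, rev, findings = list(records(fwd_text, fwd_origin)), list(records(rev_text, rev_origin)), []
    for name, rtype, rdata in fwd + rev:
        for field in rdata[:2] if rtype == "SOA" else []:      # MNAME and RNAME
            if not field.endswith("."):
                findings.append(f"SOA field '{field}' in {name} is relative (missing trailing dot)")
    a_set = {(rd[0], name) for name, t, rd in fwd if t == "A"}
    ptr_set = set()
    for name, t, rd in rev:
        if t == "PTR":                       # 3.10.20.172.in-addr.arpa. -> 172.20.10.3
            ptr_set.add((".".join(name[:-len(".in-addr.arpa.")].split(".")[::-1]), rd[0]))
    findings += [f"PTR {ip} -> {host} has no matching A record" for ip, host in sorted(ptr_set - a_set)]
    findings += [f"A {host} -> {ip} has no matching PTR record" for ip, host in sorted(a_set - ptr_set)]
    return findings
```

Calling audit(FORWARD_ZONE, REVERSE_ZONE, "g.com.", "10.20.172.in-addr.arpa.") reports the relative MNAME and the bbs PTR that has no forward A record; once both are fixed it returns an empty list.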

Master-slave server deployment

Host name        Host                IP address
Master server    Virtual Machine 1   172.20.10.3
Slave server     Virtual Machine 2   172.20.10.4

Allow update requests from the slave server in the master server’s zone configuration file
vim /etc/named.rfc1912.zones

#Restart the service program
systemctl restart named
Turn off the firewall on the master server, or add rules that allow DNS protocol traffic through
#Turn off the firewall
systemctl stop firewalld
Install the bind-chroot software package on the slave server
dnf install bind-chroot
#After installation, modify the main configuration file so that the slave server can also provide DNS services to the outside
vim /etc/named.conf
#Change the addresses on lines 11 and 19 to any, as on the master

Fill in the master server's IP address and the zones to be transferred on the slave server
#Open the configuration file
vim /etc/named.rfc1912.zones
#Replace the whole file with the following content
zone "g.com" IN {
        type slave;
        masters { 172.20.10.3; };
        file "slaves/g.com.zone";
};

zone "10.20.172.in-addr.arpa" IN {
        type slave;
        masters { 172.20.10.3; };
        file "slaves/172.20.10.arpa";
};

#Restart service
systemctl restart named
Check the resolution results
#Configure the slave server's network parameters and change the DNS address parameter to 172.20.10.4
nmtui
#Query the resolution results
nslookup

Encrypted transmission

This experiment continues to use the two servers above.

Generate a key on the master server
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-slave

#View the generated key files
ls -l Kmaster-slave.+157+16153.*

#View the generated key and note its value, the base64 string after "Key:" (shown in bold in the original figure)
cat Kmaster-slave.+157+16153.private

Create the key verification file on the master server
#Switch directory
cd /var/named/chroot/etc

#Open the file
vim transfer.key

#Add the following content; /BR2E/za4kqfXAlbg1K8Iw== is the key value from the previous step, and it differs on every server
key "master-slave" {
        algorithm hmac-md5;
        secret "/BR2E/za4kqfXAlbg1K8Iw==";
};


#For security, change the file's group to named
chown root:named transfer.key

#Tighten the file permissions
chmod 640 transfer.key

#Create a hard link to the file in /etc
ln transfer.key /etc/transfer.key
Enable and load the key verification function of the bind service
#Load the key verification file in the master server's main configuration file, then restrict zone transfers to that key
vim /etc/named.conf

#Add the following two lines, as shown in the figure (the indented allow-transfer line goes inside the options block)
include "/etc/transfer.key";
        allow-transfer { key master-slave; };


#Then restart the service
systemctl restart named

Configure the slave server
#Clear all zone data files in the synchronization directory
rm -rf /var/named/slaves/*

#Restart the bind service program; the directory stays empty because the master now only allows key-authenticated transfers
systemctl restart named
ls /var/named/slaves/
Create the key authentication file to support key verification
#Switch directory
cd /var/named/chroot/etc/

#Edit the configuration file
vim transfer.key

#Enter the following content, identical to the file on the master server

key "master-slave" {
        algorithm hmac-md5;
        secret "/BR2E/za4kqfXAlbg1K8Iw==";
};


#Set permissions and hard links
chown root:named transfer.key
chmod 640 transfer.key
ln transfer.key /etc/transfer.key
Enable and load the key verification function on the slave server
vim /etc/named.conf

#Enter the following content at the positions shown in the figure (the include at line 9, the server block at line 51)
include "/etc/transfer.key";


server 172.20.10.3 {
        keys { master-slave; };
};

The slave server synchronizes zone data from the master
#Restart the bind service program
systemctl restart named

#The zone data files are now synchronized successfully again
ls /var/named/slaves/
Perform resolution verification again
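
As an added example (not from the original article) of the key-file steps above, this Python script generates a TSIG secret, writes transfer.key with the same root:named ownership and 0640 mode, and audits the result the way a reviewer would before enabling allow-transfer. It uses hmac-sha256 rather than the HMAC-MD5 the article uses, since BIND supports it and it is the stronger choice; the file paths, the "named" group and the 32-byte minimum are assumptions.

```python
import base64, grp, os, secrets, stat, tempfile

# Constructed example: generate a TSIG secret and install it like the steps above
# (root:named, mode 640), but with hmac-sha256 instead of the page's HMAC-MD5.
# The group change needs root and an existing "named" group, so it is attempted
# only when possible; everything else runs as an unprivileged user.
KEY_TEMPLATE = 'key "{name}" {{\n\talgorithm {alg};\n\tsecret "{secret}";\n}};\n'

def make_tsig_secret(nbytes=32):
    """Random key material, base64-encoded as BIND expects in the secret field."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()

def render_key_stanza(name, secret, alg="hmac-sha256"):
    return KEY_TEMPLATE.format(name=name, alg=alg, secret=secret)

def write_key_file(path, stanza):
    """Create the file with mode 0640 from the start (no window where it is world-readable)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(stanza)
    os.chmod(path, 0o640)            # the umask may have narrowed the mode; pin it
    try:
        os.chown(path, 0, grp.getgrnam("named").gr_gid)  # root:named, as in the steps above
    except (KeyError, PermissionError):
        pass                         # not root or no named group; the mode still protects the secret
    return path

def check_key_file(path, alg="hmac-sha256"):
    """Return the problems a practitioner should fix before enabling allow-transfer."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        problems.append(f"mode {oct(mode)} is world-accessible")
    text = open(path).read()
    if f"algorithm {alg};" not in text:
        problems.append("unexpected algorithm")
    secret = text.split('secret "', 1)[1].split('"', 1)[0]
    if len(base64.b64decode(secret)) < 32:
        problems.append("secret shorter than 32 bytes")
    return problems

def demo():
    """Write a proper key file and a deliberately weak one in a temp dir; return both audits."""
    d = tempfile.mkdtemp()
    good = write_key_file(os.path.join(d, "transfer.key"), render_key_stanza("master-slave", make_tsig_secret()))
    weak = os.path.join(d, "weak.key")
    with open(weak, "w") as fh:      # constructed bad example: short HMAC-MD5 key, world-readable
        fh.write(render_key_stanza("master-slave", make_tsig_secret(16), alg="hmac-md5"))
    os.chmod(weak, 0o644)
    return check_key_file(good), check_key_file(weak)
```

The stanza that render_key_stanza produces is what goes into transfer.key on both the master and the slave; the same key name must then appear in the master's allow-transfer and the slave's server block.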

DNS caching server

Host name      Host                IP address
Cache server   Virtual Machine 1   NIC 1: bridged; NIC 2: host-only, 172.20.10.10
Client         Virtual Machine 2   host-only, 172.20.10.20
Add cache forwarding parameters to the main configuration file of the bind service program
vim /etc/named.conf

#Add the parameter line forwarders { <upstream DNS server address>; }; at about line 20 (inside the options block), for example:
        forwarders { 210.42.249.131; };

#Restart the DNS service
systemctl restart named

#Remember to turn off the firewall
systemctl stop firewalld

Set the DNS server address parameters of the client host

Split resolution

Host name   IP address
Server      192.168.10.1, 122.71.115.1
Client      192.168.10.20
Client 2    122.71.115.20
Modify the main configuration file of the bind service
vim /etc/named.conf

#Change the allowed hosts on lines 11 and 19 to any, and delete the root zone information on lines 52~55 (once views are used, every zone statement must be inside a view)

Writing the zone configuration file
vim /etc/named.rfc1912.zones

#Add the following content
acl "china" { 192.168.10.0/24; };
acl "america" { 122.71.115.0/24; };
view "china" {
        match-clients { "china"; };
        zone "g.com" {
                type master;
                file "g.com.china";
        };
};
view "america" {
        match-clients { "america"; };
        zone "g.com" {
                type master;
                file "g.com.america";
        };
};
Create the zone data files
cd /var/named
cp -a named.localhost g.com.china
cp -a named.localhost g.com.america
vim g.com.china

#Enter the following content
$TTL 1D
@ IN SOA g.com. rname.invalid. (
                0;serial
                1D; refresh
                1H; retry
                1W; expire
                3H ) ;minimum
        NS ns.g.com.
ns IN A 192.168.10.150
www IN A 192.168.10.222


#Open the other file
vim g.com.america

#Enter the following content
$TTL 1D
@ IN SOA g.com. rname.invalid. (
                0;serial
                1D; refresh
                1H; retry
                1W; expire
                3H ) ;minimum
        NS ns.g.com.
ns IN A 122.71.115.188
www IN A 122.71.115.144


#Restart service
systemctl restart named
Change the DNS server addresses of different clients to the corresponding addresses

Client with IP 192.168.10.20:

Client with IP 122.71.115.20:
