Configure a Master/Slave BIND DNS Server on CentOS 8/RHEL 8

Date: 2020-02-23 14:30:16  Source: igfitidea

Introduction

This tutorial walks through the steps needed to configure a BIND DNS server on CentOS 8/RHEL 8 Linux.
The Domain Name System is a hierarchical and decentralized naming system for computers, services, or other resources connected to the Internet or to a private network (Wikipedia).
It acts as the phone book of the Internet: it gives the address of every computer together with the FQDN associated with it.

As part of the application layer of the TCP/IP reference model, DNS is essential to the daily operation of computers all over the world.
We will install an authoritative BIND DNS master and slave on CentOS 8 and configure them, adding PTR and A/AAAA records and so on.

Install the BIND DNS server on CentOS 8/RHEL 8

Run the following command to install the BIND DNS server packages on the CentOS 8/RHEL 8 Linux server (package installation needs root privileges, hence sudo):

sudo dnf -y install bind bind-utils vim
CentOS-8 - AppStream                                   1.3 kB/s | 4.3 kB     00:03    
CentOS-8 - Base                                        1.2 kB/s | 3.9 kB     00:03    
CentOS-8 - Extras                                      467  B/s | 1.5 kB     00:03    
Dependencies resolved

In this setup we keep SELinux in enforcing mode.

getenforce
Enforcing

The reason for this is spelled out by Red Hat (source: Red Hat):
SELinux helps mitigate the damage made by configuration mistakes. Domain Name System (DNS) servers often replicate information between each other in what is known as a zone transfer. Attackers can use zone transfers to update DNS servers with false information. When running the Berkeley Internet Name Domain (BIND) as a DNS server in Red Hat Enterprise Linux, even if an administrator forgets to limit which servers can perform a zone transfer, the default SELinux policy prevents zone files from being updated using zone transfers, by the BIND named daemon itself, and by other processes (Source: RedHat).

Configure the authoritative BIND DNS server on CentOS 8/RHEL 8

Let's configure our authoritative BIND DNS server.
Open the configuration file /etc/named.conf.

Our DNS setup uses the following values:
theitroad.com - zone (domain name)
192.168.154.0/24 - hosted subnet
192.168.154.88 - IP of the master server
192.168.154.94 - IP of the slave server

This is the named.conf configuration file.

sudo vim /etc/named.conf
//
//named.conf
//
//Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
//server as a caching only nameserver (as a localhost DNS resolver only).
//
//See /usr/share/doc/bind*/sample/ for example named configuration files.
//
 
options {
         listen-on port 53 { any; }; ## Listen on all addresses: this is a publicly reachable authoritative server.
         listen-on-v6 port 53 { any; }; ## Same for IPv6.
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         secroots-file   "/var/named/data/named.secroots";
         recursing-file  "/var/named/data/named.recursing";
 ## Since this will be an authoritative Nameserver, allow query from any host 
        allow-query     { any; };          
        allow-transfer  {192.168.154.94; };     
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface.
        */
        recursion no; ## Authoritative server: follow the advice above.
       dnssec-enable yes;     
       dnssec-validation yes;     
       managed-keys-directory "/var/named/dynamic";     
       pid-file "/run/named/named.pid";     
       session-keyfile "/run/named/session.key";     
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};
 
logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};
zone "." IN {
         type hint;
         file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
## Zone definitions: one forward and one reverse zone per domain. The file names
## are arbitrary and are relative to "directory" (/var/named).
 
zone "theitroad.com" IN {
        type master;
        file "theitroad.forward";
        allow-update { none; };
};
## The reverse zone name is the network part of the address reversed, under
## in-addr.arpa: for 192.168.154.0/24 it is 154.168.192.in-addr.arpa (a host
## 192.168.10.10 in 192.168.10.0/24 would live in 10.168.192.in-addr.arpa).
 
zone "154.168.192.in-addr.arpa" IN {
        type master;
        file "theitroad.reverse";
        allow-update { none; };
};

The master server is 192.168.154.88.
allow-transfer limits zone transfers to the slave's address (192.168.154.94), but that check is by source IP only; if transfers cross an untrusted network, authenticate them with a TSIG key instead of, or in addition to, the address match.
Note that an Internet-facing authoritative server needs master and slave on publicly reachable IP addresses; the 192.168.154.0/24 addresses used here belong to a private lab network.

Create the zone files

After the files are referenced in named.conf, we have to create the zone files and put all the records we want to publish in them (A/AAAA, MX, PTR and so on).
Create the files in the /var/named/ directory. Note that comments in zone files start with ";" (a "#" is a syntax error that named-checkzone reports).

sudo vim /var/named/theitroad.forward
$TTL 86400
@   IN  SOA     dns1.theitroad.com. root.theitroad.com. (
        ; Any increasing number works as the serial, but YYYYMMDDnn is the recommended convention
        2019112201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Negative-cache TTL (the SOA "minimum" field)
)
        ; Name servers for the zone
        IN  NS      dns1.theitroad.com.
        IN  NS      dns2.theitroad.com.
        ; Address of the zone apex (theitroad.com itself)
        IN  A       192.168.154.88
        ; Mail exchanger (MX) for the zone
        IN  MX 10   mail1.theitroad.com.
; One A record per host. Sample A records.
dns1     IN  A       192.168.154.88
dns2     IN  A       192.168.154.94
mail1    IN  A       192.168.154.97

Create the matching reverse records for the same domain we defined in named.conf.

sudo vim /var/named/theitroad.reverse
$TTL 86400
@   IN  SOA     dns1.theitroad.com. root.theitroad.com. (
        2019112201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Negative-cache TTL
)
        ; Name servers (both servers are authoritative for the reverse zone too)
        IN  NS      dns1.theitroad.com.
        IN  NS      dns2.theitroad.com.
; One PTR record per address: the owner label is the last octet of the IP. Sample PTR records.
88      IN  PTR     dns1.theitroad.com.
94      IN  PTR     dns2.theitroad.com.
97      IN  PTR     mail1.theitroad.com.
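The reverse-zone naming rule (network octets reversed under in-addr.arpa, PTR owner taken from the remaining octets) and the YYYYMMDDnn serial convention are easy to get wrong by hand. The script below is an added example and not part of the original tutorial: it derives the reverse zone name and PTR labels for octet-aligned prefixes (/8, /16 and /24, generalizing the /24 case shown above), bumps a YYYYMMDDnn serial, and generates the reverse zone from the A records of the forward zone. The forward-zone text inside it is a constructed sample that mirrors the theitroad.com zone, with one extra host (ext, 203.0.113.10) outside the prefix to show that it is skipped; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): reverse-zone helpers for
# the theitroad.com lab. POSIX sh; needs only awk.

# reverse_zone_name PREFIX  ->  in-addr.arpa zone name
#   192.168.154.0/24 -> 154.168.192.in-addr.arpa ; 10.0.0.0/8 -> 10.in-addr.arpa
# Only octet-aligned prefixes (/8, /16, /24) map onto one in-addr.arpa zone;
# anything else needs RFC 2317 classless delegation and is rejected here.
reverse_zone_name() (
    ip=${1%/*}; bits=${1#*/}
    IFS=.; set -- $ip
    case $bits in
        8)  echo "$1.in-addr.arpa" ;;
        16) echo "$2.$1.in-addr.arpa" ;;
        24) echo "$3.$2.$1.in-addr.arpa" ;;
        *)  echo "reverse_zone_name: unsupported prefix length /$bits" >&2; return 1 ;;
    esac
)

# ptr_label IP BITS  ->  owner label of the PTR record inside that zone
#   192.168.154.88 24 -> 88 ; 192.168.154.88 16 -> 88.154
ptr_label() (
    bits=$2
    IFS=.; set -- $1
    case $bits in
        8)  echo "$4.$3.$2" ;;
        16) echo "$4.$3" ;;
        24) echo "$4" ;;
        *)  return 1 ;;
    esac
)

# next_serial CURRENT TODAY  ->  YYYYMMDDnn serial: nn+1 if CURRENT already
# carries today's date, else TODAY01. Fails once nn would pass 99, because a
# serial must only ever increase (never "fix" it by going backwards).
next_serial() (
    current=$1 today=$2
    case $current in
        "$today"[0-9][0-9])
            nn=${current#"$today"}; nn=${nn#0}; nn=$((nn + 1))
            [ "$nn" -le 99 ] || { echo "next_serial: 99 changes already today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$nn" ;;
        *)  echo "${today}01" ;;
    esac
)

# make_reverse_zone PREFIX ORIGIN SERIAL < forward-zone
# Prints a complete reverse zone: SOA/NS header, then one PTR per A record
# whose address falls inside PREFIX. The apex A record (no owner name) is
# skipped and each address gets exactly one PTR (first host wins).
make_reverse_zone() (
    prefix=$1 origin=$2 serial=$3
    bits=${prefix#*/} net=${prefix%/*}
    case $bits in
        8)  net=${net%%.*}. ;;
        16) net=${net%.*.*}. ;;
        24) net=${net%.*}. ;;
        *)  echo "make_reverse_zone: unsupported prefix $prefix" >&2; return 1 ;;
    esac
    printf '$TTL 86400\n'
    printf '@   IN  SOA     dns1.%s. root.%s. ( %s 3600 1800 604800 86400 )\n' "$origin" "$origin" "$serial"
    printf '    IN  NS      dns1.%s.\n    IN  NS      dns2.%s.\n' "$origin" "$origin"
    awk -v origin="$origin" -v net="$net" -v bits="$bits" '
        /^[[:space:]]*;/ || NF == 0 { next }           # comments, blank lines
        {
            # "[owner] IN A addr": the owner is absent on the apex line
            if ($1 == "IN" && $2 == "A")      { next }  # apex record, no PTR
            if ($2 != "IN" || $3 != "A")      { next }  # not an A record
            addr = $4
            if (index(addr, net) != 1 || addr in seen) { next }
            seen[addr] = 1
            split(addr, o, "[.]")
            label = o[4]                               # /24: last octet only
            if (bits <= 16) label = label "." o[3]     # /16: host.subnet
            if (bits <= 8)  label = label "." o[2]     # /8:  host.sub.subnet
            printf "%-8s IN  PTR     %s.%s.\n", label, $1, origin
        }'
)

# Constructed sample mirroring the tutorial forward zone, plus one host
# outside the 192.168.154.0/24 prefix (203.0.113.10 is a documentation address).
FORWARD_ZONE='$TTL 86400
@   IN  SOA     dns1.theitroad.com. root.theitroad.com. (
        2019112201 3600 1800 604800 86400 )
    IN  NS      dns1.theitroad.com.
    IN  NS      dns2.theitroad.com.
    IN  A       192.168.154.88
    IN  MX 10   mail1.theitroad.com.
dns1    IN  A   192.168.154.88
dns2    IN  A   192.168.154.94
mail1   IN  A   192.168.154.97
ext     IN  A   203.0.113.10   ; outside the reverse prefix, must be skipped'

# Stand-alone demo: emit the reverse zone for the sample with a fresh serial.
printf '%s\n' "$FORWARD_ZONE" | make_reverse_zone 192.168.154.0/24 theitroad.com "$(next_serial 2019112201 "$(date +%Y%m%d)")"
```

Feed it the real forward zone (`make_reverse_zone 192.168.154.0/24 theitroad.com "$(next_serial OLD "$(date +%Y%m%d)")" < /var/named/theitroad.forward`) and compare the result with the hand-written file; run named-checkzone on both before reloading.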

Change the DNS settings on the master server

Make our new DNS server the default name server of this host.
Open /etc/resolv.conf and add the line below.
Make sure you replace the IP to match your environment.

sudo vim /etc/resolv.conf
nameserver 192.168.154.88

Two caveats here. The master has recursion disabled, so it answers only for its own zones: a host whose sole nameserver is this master cannot resolve names outside theitroad.com, so keep a recursive resolver listed as well if the master host itself needs Internet name resolution. And on CentOS 8 NetworkManager regenerates /etc/resolv.conf, so an edit made directly in the file does not survive; set the DNS server on the connection profile with nmcli (ipv4.dns) instead.

Allow the DNS service on the firewall

Configure firewalld to allow the DNS service (this opens 53/tcp and 53/udp):

sudo firewall-cmd --add-service=dns --permanent
sudo firewall-cmd --reload

Check that the configuration is valid (named-checkconf covers named.conf; run named-checkzone on each zone file as well), then start and enable BIND:

sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named

That completes the master BIND DNS server.
Let's continue with configuring the slave server.

Configure the slave DNS server - 192.168.154.94

On the slave server, install BIND and the BIND utilities:

sudo dnf -y install bind bind-utils vim

Configure the slave server.
Open /etc/named.conf and edit it accordingly.

sudo vim /etc/named.conf
//
//named.conf
//Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
//server as a caching only nameserver (as a localhost DNS resolver only).
//See /usr/share/doc/bind*/sample/ for example named configuration files.
//See the BIND Administrator's Reference Manual (ARM) for details about the
//configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
         listen-on port 53 { any; };
         listen-on-v6 port 53 { any; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         recursing-file  "/var/named/data/named.recursing";
         secroots-file   "/var/named/data/named.secroots";
         allow-query     { any; }; ## Allows hosts to query Slave DNS
         allow-transfer { none; }; ## Disable zone transfer
          
          /* 
          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
          - If you are building a RECURSIVE (caching) DNS server, you need to enable 
            recursion.
          - If your recursive DNS server has a public IP address, you MUST enable access 
            control to limit queries to your legitimate users. Failing to do so will
            cause your server to become part of large scale DNS amplification 
            attacks. Implementing BCP38 within your network would greatly
            reduce such attack surface 
         */
## This slave doubles as the LAN's recursive resolver, so recursion stays on,
## but only for local clients: with allow-query { any; } above, an unrestricted
## "recursion yes" would turn it into an open resolver, exactly what the note
## above warns against.
    recursion yes;
    allow-recursion { localhost; 192.168.154.0/24; };
    dnssec-enable yes;
    dnssec-validation yes;
/* Path to ISC DLV key */
     bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";     
    pid-file "/run/named/named.pid";     
    session-keyfile "/run/named/session.key";
};
logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
};
zone "." IN {
         type hint;
         file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
## Zone definitions for forward and reverse lookups. The slave needs no zone
## files of its own: named writes them into /var/named/slaves after the first
## transfer (that directory is writable by named under the default SELinux policy).
zone "theitroad.com" IN {
         type slave;
         file "slaves/theitroad.forward";
         masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};
zone  "154.168.192.in-addr.arpa" IN {
         type slave;
         file "slaves/theitroad.reverse";
         masters { 192.168.154.88; }; ## Master server it is receiving DNS Records from
};

Change the DNS settings on the slave server

Make our new DNS servers (master and slave) the default name servers.
Open /etc/resolv.conf and add the lines below.
Make sure you replace the IPs to match your environment. Since only the slave recurses, list it first when this host needs to resolve names outside your own zones.

sudo vim /etc/resolv.conf
nameserver 192.168.154.94
nameserver 192.168.154.88

Open the DNS service in firewalld on the slave as well (the same two firewall-cmd commands as on the master), then check that the configuration is valid and start and enable BIND:

sudo named-checkconf
sudo systemctl start named
sudo systemctl enable named

Check the /var/named/slaves directory to confirm that the zone files have been transferred from the master:

ls -l /var/named/slaves/
total 12
-rw-r--r-- 1 named named 480 Nov 23 14:16 theitroad.forward
-rw-r--r-- 1 named named 492 Nov 23 14:45 theitroad.reverse

Verify that our DNS works

Test whether our DNS servers resolve names.
We will use a Windows machine to test the BIND DNS servers.

Change the DNS server entries in the Windows network adapter settings so that they point at the new DNS servers.

Open PowerShell or a command prompt, run nslookup and test the DNS service, for example nslookup dns1.theitroad.com 192.168.154.88 for a forward lookup and nslookup 192.168.154.97 192.168.154.94 for the reverse record.

Our BIND DNS works! On a Linux client, the equivalent change is made to the resolver configuration (/etc/resolv.conf, or the connection's DNS setting in NetworkManager), not to /etc/hosts, which only holds static name-to-address mappings and bypasses DNS altogether.
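Beyond a successful nslookup from a client, a practitioner wants to confirm the properties this setup is supposed to have: the slave holds the same serial as the master for both zones, the master refuses AXFR to anyone but the slave, and the authoritative servers do not advertise recursion to arbitrary clients. The script below is an added example, not part of the original tutorial. It uses dig from bind-utils against the tutorial's addresses (overridable through the MASTER, SLAVE, ZONE and REVERSE environment variables) when invoked with the argument run; the *_SAMPLE strings are constructed dig output, not captured from the lab, and exist only to exercise the parsing helpers offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks for the
# master/slave pair using dig (bind-utils). Run as `sh check-dns.sh run`
# from a host that is NOT the slave; without the argument only the
# helpers are defined. Defaults are the tutorial's lab values.
MASTER=${MASTER:-192.168.154.88}
SLAVE=${SLAVE:-192.168.154.94}
ZONE=${ZONE:-theitroad.com}
REVERSE=${REVERSE:-154.168.192.in-addr.arpa}
DIG="dig +time=3 +tries=1"

# serial_from_soa "mname rname serial refresh retry expire minimum" -> serial
# (the answer format of `dig +short ZONE SOA`)
serial_from_soa() (
    set -- $1
    echo "$3"
)

# recursion_offered DIG_OUTPUT: true when the ";; flags:" line carries "ra"
# (recursion available), i.e. the server is willing to recurse for this client.
recursion_offered() {
    printf '%s\n' "$1" | grep -q '^;; flags:[^;]* ra[ ;]'
}

# transfer_refused DIG_OUTPUT: true when an AXFR attempt was turned down.
transfer_refused() {
    printf '%s\n' "$1" | grep -q '^; Transfer failed'
}

# Constructed dig output fragments (not captured from the lab), used to
# exercise the helpers without network access.
AUTH_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3'
RECURSIVE_SAMPLE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
AXFR_REFUSED_SAMPLE='; <<>> DiG 9.11 <<>> +time=3 +tries=1 @192.168.154.88 theitroad.com AXFR
;; global options: +cmd
; Transfer failed.'
AXFR_OK_SAMPLE='theitroad.com.      86400 IN SOA dns1.theitroad.com. root.theitroad.com. 2019112201 3600 1800 604800 86400
theitroad.com.      86400 IN NS  dns1.theitroad.com.
;; XFR size: 2 records (messages 1, bytes 128)'

# soa_serial SERVER ZONE -> serial as seen by that server (live query)
soa_serial() {
    serial_from_soa "$($DIG +short @"$1" "$2" SOA)"
}

run_checks() (
    rc=0
    # 1. Master and slave must agree on the serial of every zone.
    for z in "$ZONE" "$REVERSE"; do
        m=$(soa_serial "$MASTER" "$z"); s=$(soa_serial "$SLAVE" "$z")
        if [ -n "$m" ] && [ "$m" = "$s" ]; then
            echo "OK   $z: serial $m on both master and slave"
        else
            echo "FAIL $z: master serial '$m', slave serial '$s'" \
                 "(raise the serial and rndc reload on the master; check allow-transfer/notify)"
            rc=1
        fi
    done
    # 2. Zone transfer must be refused from any host but the slave.
    if transfer_refused "$($DIG @"$MASTER" "$ZONE" AXFR)"; then
        echo "OK   $MASTER refuses AXFR of $ZONE to this host"
    else
        echo "FAIL $MASTER hands $ZONE to this host; tighten allow-transfer"; rc=1
    fi
    # 3. Authoritative servers should not advertise recursion to arbitrary clients.
    for srv in "$MASTER" "$SLAVE"; do
        if recursion_offered "$($DIG @"$srv" "$ZONE" SOA)"; then
            echo "WARN $srv sets the ra flag for this client (acceptable only if this client is covered by allow-recursion)"
        else
            echo "OK   $srv does not offer recursion to this client"
        fi
    done
    return $rc
)

if [ "${1-}" = run ]; then run_checks; fi
```

Run it once from inside the LAN and once from an outside host: the AXFR check must pass from both, and the ra flag should appear at most on the slave and only for LAN clients.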