BIND
Berkeley Internet Name Domain
DNS Cache Pollution
https://www.cloudflare.com/learning/dns/dns-cache-poisoning/
Root Servers
The authoritative name servers that serve the DNS root zone, commonly known as the “root servers”, are a network of hundreds of servers in many countries around the world. They are configured in the DNS root zone as 13 named authorities, as follows.
Root Server List
Installing the BIND Service
BIND (Berkeley Internet Name Domain) is the most widely used, most secure and efficient DNS service program in the world. DNS name resolution is a piece of Internet infrastructure, so the responsibility it carries is heavy. In a production environment it is recommended to install BIND together with its chroot extension package (commonly known as the cage mechanism), which restricts the named service to operating on its own configuration files and so protects the security of the whole server.
[root@xlnx-lab05 ~]# yum -y install bind-chroot
Configuration Files
[root@xlnx-lab05 ~]# ls -l /etc/named*
-rw-r-----. 1 root named 1570 Mar 21 16:26 /etc/named.conf
-rw-r--r--. 1 root named 2389 Jan 29 2014 /etc/named.iscdlv.key
-rw-r-----. 1 root named 931 Jun 21 2007 /etc/named.rfc1912.zones
-rw-r--r--. 1 root named 487 Jul 19 2010 /etc/named.root.key
/etc/named:
total 0
DNS Master Configuration
[root@xlnx-lab05 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
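The comment block in the named.conf above warns about recursion that is open to any client, and the options around it combine recursion yes with allow-query { any; } on every interface. The script below is an added example, not part of the original page or the BIND package: it flags that combination, and goes further by also flagging a missing allow-transfer ACL, address-based allow-update and HMAC-MD5 TSIG keys, which appear in configurations later on this page. The finding names, the sample files and the placeholder secret are constructed.

```shell
#!/bin/sh
# Added example (not the page's or the BIND project's code): flag risky settings.
# Print config files with //, # and /* */ comments removed, on one line.
# Limitation: comment markers inside quoted strings are not skipped.
strip_comments() {
    awk '{
        line = $0; out = ""
        while (line != "") {
            if (inblock) {
                i = index(line, "*/")
                if (i == 0) break
                line = substr(line, i + 2); inblock = 0
                continue
            }
            b = index(line, "/*"); s = index(line, "//"); h = index(line, "#")
            c = (s && (!h || s < h)) ? s : h   # earliest line comment, 0 if none
            if (b && (!c || b < c)) {
                out = out substr(line, 1, b - 1); line = substr(line, b + 2); inblock = 1
            } else if (c) { out = out substr(line, 1, c - 1); break }
            else { out = out line; break }
        }
        printf "%s ", out
    }' "$@" | tr '\t' ' '
}

# Print one finding code per line for the given config files.
audit_named_conf() {
    conf=$(strip_comments "$@")
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    # recursion defaults to yes and, with no allow-recursion or
    # allow-query-cache, inherits allow-query: "any" means an open resolver.
    if ! has 'recursion +no *;' && ! has 'allow-recursion *\{' &&
       ! has 'allow-query-cache *\{' && has 'allow-query *\{ *any *; *\}'; then
        echo OPEN_RECURSION
    fi
    # Master zones but no allow-transfer ACL (older BIND then serves AXFR to anyone).
    if has 'type +master *;' && ! has 'allow-transfer *\{'; then
        echo AXFR_UNRESTRICTED
    fi
    # Dynamic updates authorised by source address rather than by key.
    if has 'allow-update *\{ *[0-9]'; then echo UPDATE_BY_IP; fi
    # TSIG key on the legacy HMAC-MD5 algorithm.
    if has 'algorithm +hmac-md5 *;'; then echo WEAK_TSIG_ALG; fi
}

# Constructed sample input modelled on this page's master configuration.
write_sample() {   # $1 = output file, $2 = weak | hardened
    if [ "$2" = hardened ]; then
        rec='allow-recursion { localnets; localhost; };'; alg=hmac-sha256
        zacl='allow-transfer { key master-slave; }; allow-update { none; };'
    else
        rec='# allow-recursion { localnets; };'; alg=hmac-md5
        zacl='allow-update { 192.168.1.15; };'
    fi
    cat > "$1" <<EOF
options {
    listen-on port 53 { any; };
    allow-query { any; };
    /* recursion is needed on a caching server;
       // allow-transfer { none; }; inside this comment must not count */
    recursion yes;
    $rec
};
key "master-slave" { algorithm $alg; secret "PLACEHOLDER-NOT-A-REAL-KEY"; };
zone "cnblogs.com" IN { type master; file "cnblogs.com.zone"; $zacl };
EOF
}

tmp=$(mktemp -d)
for kind in weak hardened; do
    write_sample "$tmp/$kind.conf" "$kind"
    echo "$kind: $(audit_named_conf "$tmp/$kind.conf" | tr '\n' ' ')"
done
rm -rf "$tmp"
```

Pass every file that named.conf includes on the same command line, since the script does not follow include statements.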
DNS configuration file /etc/named.rfc1912.zones explained
The /etc/named.rfc1912.zones file is pulled in by an include statement in the /etc/named.conf file. The /etc/named.rfc1912.zones file contains five zone sections.
Domains are grouped into zones, and zones are configured through zone files. The zone statement defines the characteristics of a zone, the location of its zone file, and zone-specific options, which override the global options statements. The following zones are defined in the /etc/named.rfc1912.zones file:
1. localhost.localdomain: Specifies that localhost.localdomain points to 127.0.0.1, preventing the local server from looking upstream for this information
2. localhost: Sets up the normal server on the local system
3. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa: Sets up IPv6 reverse name resolution
4. 1.0.0.127.in-addr.arpa: Sets up IPv4 reverse name resolution
5. 0.in-addr.arpa: Specifies that IP addresses that start with 0 have their reverse lookup handled by the local server, preventing the local server from looking upstream
[root@xlnx-lab05 ~]# cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "cnblogs.com" IN {
type master;
file "cnblogs.com.zone";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.arpa";
allow-update { none; };
};
[root@xlnx-lab05 ~]# cd /var/named/
[root@xlnx-lab05 named]# ls -l
total 32
drwxr-x---. 7 root named 4096 Mar 21 16:21 chroot
drwxrwx---. 2 named named 4096 Jan 29 2014 data
drwxrwx---. 2 named named 4096 Jan 29 2014 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 29 2014 slaves
[root@xlnx-lab05 named]# cp -a named.localhost cnblogs.com.zone
[root@xlnx-lab05 named]# cp -a named.loopback 192.168.1.arpa
[root@xlnx-lab05 named]# cat cnblogs.com.zone
$TTL 1D
@ IN SOA cnblogs.com. root.cnblogs.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.cnblogs.com.
ns IN A 192.168.1.5
www IN A 192.168.1.5
[root@xlnx-lab05 named]# cat 192.168.1.arpa
$TTL 1D
@ IN SOA cnblogs.com. root.cnblogs.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.cnblogs.com.
ns A 192.168.1.5
5 PTR www.cnblogs.com. ; note the trailing dot
[root@xlnx-lab05 named]# systemctl restart named
[root@xlnx-lab05 named]# systemctl enable named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
[root@xlnx-lab05 ~]# systemctl restart network
[root@xlnx-lab05 ~]# ping -c 2 www.cnblogs.com
PING www.cnblogs.com (192.168.1.5) 56(84) bytes of data.
64 bytes from www.cnblogs.com (192.168.1.5): icmp_seq=1 ttl=64 time=0.014 ms
64 bytes from www.cnblogs.com (192.168.1.5): icmp_seq=2 ttl=64 time=0.061 ms
--- www.cnblogs.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 0.014/0.037/0.061/0.024 ms
[root@xlnx-lab05 ~]# nslookup www.cnblogs.com
Server: 192.168.1.5
Address: 192.168.1.5#53
Name: www.cnblogs.com
Address: 192.168.1.5
[root@xlnx-lab05 ~]# nslookup 192.168.1.5
Server: 192.168.1.5
Address: 192.168.1.5#53
5.1.168.192.in-addr.arpa name = www.cnblogs.com.
DNS Slave Configuration
[root@xlnx-lab15 named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Slave Zone Configuration
[root@xlnx-lab15 ~]# cat /etc/named.rfc1912.zones
zone "cnblogs.com" IN {
type slave;
masters { 192.168.1.5; };
file "slaves/cnblogs.com.zone";
};
zone "1.168.192.in-addr.arpa" IN {
type slave;
masters { 192.168.1.5; };
file "slaves/192.168.1.arpa";
};
Master Zone Configuration
[root@xlnx-lab05 ~]# cat /etc/named.rfc1912.zones
zone "cnblogs.com" IN {
type master;
file "cnblogs.com.zone";
allow-update { 192.168.1.15; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.arpa";
allow-update { 192.168.1.15; };
};
Master
[root@xlnx-lab05 ~]# iptables -F
[root@xlnx-lab05 ~]# systemctl restart named
Slave
[root@xlnx-lab15 ~]# iptables -F
[root@xlnx-lab15 ~]# systemctl restart named
[root@xlnx-lab15 ~]# ls -l /var/named/slaves/
total 8
-rw-r--r--. 1 named named 301 Mar 22 16:45 192.168.1.arpa
-rw-r--r--. 1 named named 246 Mar 22 16:45 cnblogs.com.zone
[root@xlnx-lab15 ~]# nm-connection-editor #DNS
[root@xlnx-lab15 ~]# systemctl restart network
[root@xlnx-lab15 ~]# ping -c 2 www.cnblogs.com
PING www.cnblogs.com (192.168.1.5) 56(84) bytes of data.
64 bytes from www.cnblogs.com (192.168.1.5): icmp_seq=1 ttl=64 time=1.07 ms
64 bytes from www.cnblogs.com (192.168.1.5): icmp_seq=2 ttl=64 time=0.655 ms
--- www.cnblogs.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 0.655/0.862/1.070/0.209 ms
[root@xlnx-lab15 ~]# nslookup www.cnblogs.com
Server: 192.168.1.15
Address: 192.168.1.15#53
Name: www.cnblogs.com
Address: 192.168.1.5
[root@xlnx-lab15 ~]# nslookup 192.168.1.15
Server: 192.168.1.15
Address: 192.168.1.15#53
** server can't find 15.1.168.192.in-addr.arpa.: NXDOMAIN
[root@xlnx-lab15 ~]# nslookup 192.168.1.5
Server: 192.168.1.15
Address: 192.168.1.15#53
5.1.168.192.in-addr.arpa name = www.cnblogs.com.
TSIG Encryption
Master Configuration
[root@xlnx-lab05 ~]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST master-salve
Kmaster-salve.+157+24579
[root@xlnx-lab05 ~]# ls -la Kmaster-salve.+157+24579.*
-rw-------. 1 root root 56 Mar 22 17:00 Kmaster-salve.+157+24579.key
-rw-------. 1 root root 165 Mar 22 17:00 Kmaster-salve.+157+24579.private
[root@xlnx-lab05 ~]# cat Kmaster-salve.+157+24579.key
master-salve. IN KEY 512 3 157 NwsYbRybWu+mBOozgpCAmg==
[root@xlnx-lab05 ~]# cat Kmaster-salve.+157+24579.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: NwsYbRybWu+mBOozgpCAmg==
Bits: AAA=
Created: 20200322090018
Publish: 20200322090018
Activate: 20200322090018
[root@xlnx-lab05 ~]# cd /var/named/chroot/etc/
[root@xlnx-lab05 etc]# ls -l
total 12
-rw-r--r--. 1 root root 405 Mar 22 15:26 localtime
drwxr-x---. 2 root named 4096 Jan 29 2014 named
drwxr-x---. 3 root named 4096 Mar 22 15:26 pki
[root@xlnx-lab05 etc]# vim transfer.key
[root@xlnx-lab05 etc]# cat transfer.key
key "master-slave" {
algorithm hmac-md5;
secret "NwsYbRybWu+mBOozgpCAmg==";
};
[root@xlnx-lab05 etc]# ls -l transfer.key
-rw-r--r--. 1 root root 79 Mar 22 17:16 transfer.key
[root@xlnx-lab05 etc]# chown root:named transfer.key
[root@xlnx-lab05 etc]# chmod 640 transfer.key
[root@xlnx-lab05 etc]# ln transfer.key /etc/
[root@xlnx-lab05 etc]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
allow-transfer {key master-slave; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@xlnx-lab05 etc]# systemctl restart named
Slave Configuration
[root@xlnx-lab15 ~]# cd /var/named/slaves/
[root@xlnx-lab15 slaves]# ls -l
total 8
-rw-r--r--. 1 named named 301 Mar 22 17:14 192.168.1.arpa
-rw-r--r--. 1 named named 246 Mar 22 17:16 cnblogs.com.zone
[root@xlnx-lab15 slaves]# rm -rf *
[root@xlnx-lab15 slaves]# ls -l
total 0
[root@xlnx-lab15 slaves]# systemctl restart named
[root@xlnx-lab15 slaves]# ls -l
total 0
[root@xlnx-lab15 slaves]# scp -rp 192.168.1.5:/var/named/chroot/etc/transfer.key /var/named/chroot/etc/
root@192.168.1.5's password:
transfer.key 100% 79 0.1KB/s 00:00
[root@xlnx-lab15 slaves]# ls -l /var/named/chroot/etc/
total 16
-rw-r--r--. 1 root root 405 Mar 22 16:22 localtime
drwxr-x---. 2 root named 4096 Jan 29 2014 named
drwxr-x---. 3 root named 4096 Mar 22 16:22 pki
-rw-r-----. 1 root root 79 Mar 22 17:16 transfer.key
[root@xlnx-lab15 slaves]# chown root:named /var/named/chroot/etc/transfer.key
[root@xlnx-lab15 slaves]# chmod 640 /var/named/chroot/etc/transfer.key
[root@xlnx-lab15 slaves]# ln /var/named/chroot/etc/transfer.key /etc/
[root@xlnx-lab15 slaves]# ls -l /etc/transfer.key
-rw-r-----. 2 root named 79 Mar 22 17:16 /etc/transfer.key
[root@xlnx-lab15 slaves]# vim /etc/named.conf
[root@xlnx-lab15 slaves]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/transfer.key";
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
server 192.168.1.5
{
keys { master-slave; };
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@xlnx-lab15 slaves]# ls -l
total 0
[root@xlnx-lab15 slaves]# systemctl restart named
[root@xlnx-lab15 slaves]# ls -l
total 8
-rw-r--r--. 1 named named 301 Mar 22 17:37 192.168.1.arpa
-rw-r--r--. 1 named named 246 Mar 22 17:37 cnblogs.com.zone
[root@xlnx-lab15 slaves]# nslookup
> www.cnblogs.com
Server: 192.168.1.15
Address: 192.168.1.15#53
Name: www.cnblogs.com
Address: 192.168.1.5
> 192.168.1.15
Server: 192.168.1.15
Address: 192.168.1.15#53
** server can't find 15.1.168.192.in-addr.arpa.: NXDOMAIN
> 192.168.1.5
Server: 192.168.1.15
Address: 192.168.1.15#53
5.1.168.192.in-addr.arpa name = www.cnblogs.com.
> exit
[root@xlnx-lab15 slaves]#
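A direct way to confirm the result of the TSIG steps above (TSIG authenticates each transfer with an HMAC over the shared secret; it does not encrypt the zone data) is to request the zone from the master with and without the key and classify dig's answer. This is an added example, not part of the original page; the function names and the sample dig output are constructed, and probe_tsig assumes dig -k accepts the named.conf-style key file.

```shell
#!/bin/sh
# Added example (not from the original page): check that zone transfers from
# the master are refused without the TSIG key and succeed with it.

# Classify the output of a "dig ... AXFR" run read from stdin.
classify_axfr() {
    awk '
        /^; Transfer failed/                              { failed = 1 }
        /^;; (connection timed out|communications error)/ { unreach = 1 }
        /^[^;]/ && $4 == "SOA"                            { soa++ }
        END {
            if (failed)        print "REFUSED"
            else if (soa >= 2) print "TRANSFERRED"   # AXFR starts and ends with the SOA
            else if (unreach)  print "UNREACHABLE"
            else               print "UNKNOWN"
        }'
}

# Combine the unsigned ($1) and signed ($2) results into a verdict.
tsig_verdict() {
    case "$1/$2" in
        REFUSED/TRANSFERRED) echo ENFORCED ;;
        TRANSFERRED/*)       echo NOT_ENFORCED ;;   # zone readable without the key
        REFUSED/REFUSED)     echo SIGNED_REFUSED ;; # compare key name, algorithm, secret
        *)                   echo INCONCLUSIVE ;;
    esac
}

# Live probe; needs dig and network access. $1 server, $2 zone, $3 key file.
probe_tsig() {
    unsigned=$(dig @"$1" "$2" AXFR +time=3 +tries=1 2>&1 | classify_axfr)
    signed=$(dig -k "$3" @"$1" "$2" AXFR +time=3 +tries=1 2>&1 | classify_axfr)
    tsig_verdict "$unsigned" "$signed"
}

# Constructed dig output for an unsigned request the master refuses.
sample_refused() {
    cat <<'EOF'
; <<>> DiG <<>> @192.168.1.5 cnblogs.com AXFR
; (1 server found)
;; global options: +cmd
; Transfer failed.
EOF
}

# Constructed dig output for a signed transfer of the page's cnblogs.com zone.
sample_transfer() {
    cat <<'EOF'
cnblogs.com.     86400 IN SOA cnblogs.com. root.cnblogs.com. 0 86400 3600 604800 10800
cnblogs.com.     86400 IN NS  ns.cnblogs.com.
ns.cnblogs.com.  86400 IN A   192.168.1.5
www.cnblogs.com. 86400 IN A   192.168.1.5
cnblogs.com.     86400 IN SOA cnblogs.com. root.cnblogs.com. 0 86400 3600 604800 10800
EOF
}

echo "unsigned: $(sample_refused | classify_axfr)"
echo "signed:   $(sample_transfer | classify_axfr)"
echo "verdict:  $(tsig_verdict "$(sample_refused | classify_axfr)" "$(sample_transfer | classify_axfr)")"
# On the slave from this page: probe_tsig 192.168.1.5 cnblogs.com /etc/transfer.key
```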
Configuring a DNS Caching Server
[root@xlnx-lab05 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
forwarders { 8.8.8.8; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Server IP
Client IP
Split-Horizon DNS (Split Resolution)
[root@xlnx-lab05 ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
#zone "." IN {
# type hint;
# file "named.ca";
#};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
[root@xlnx-lab05 ~]# cat /etc/named.rfc1912.zones
acl "china" { 122.71.115.0/24; };
acl "america" { 106.185.25.0/24; };
view "china" {
match-clients { "china"; };
zone "cnblogs.com" {
type master;
file "cnblogs.com.china";
};
};
view "america" {
match-clients { "america"; };
zone "cnblogs.com" {
type master;
file "cnblogs.com.america";
};
};
[root@xlnx-lab05 ~]# cd /var/named/
[root@xlnx-lab05 named]# cp -a named.localhost named.cnblogs.com.china
[root@xlnx-lab05 named]# cp -a named.localhost named.cnblogs.com.america
[root@xlnx-lab05 ~]# cd /var/named/
[root@xlnx-lab05 named]# cp -a named.localhost cnblogs.com.china
[root@xlnx-lab05 named]# cp -a named.localhost cnblogs.com.america
[root@xlnx-lab05 named]# cat cnblogs.com.china
$TTL 1D
@ IN SOA www.cnblogs.com. root.cnblogs.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.cnblogs.com.
ns IN A 122.71.115.1
www IN A 122.71.115.1
[root@xlnx-lab05 named]# cat cnblogs.com.america
$TTL 1D
@ IN SOA www.cnblogs.com. root.cnblogs.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS ns.cnblogs.com.
ns IN A 106.185.25.1
www IN A 106.185.25.1
[PS. Linux and Windows NAT Network]
[root@xlnx-lab05 ~]# systemctl restart network
[root@xlnx-lab05 ~]# systemctl restart named
[root@xlnx-lab05 ~]# systemctl enable named
[root@xlnx-lab05 ~]# service iptables status
Redirecting to /bin/systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
Active: inactive (dead)
[root@xlnx-lab05 ~]# iptables -F
[root@xlnx-lab05 ~]# ip a s
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether 00:0c:29:ad:b8:84 brd ff:ff:ff:ff:ff:ff
inet 106.185.25.1/24 brd 106.185.25.255 scope global eth0
valid_lft forever preferred_lft forever
inet 122.71.115.1/24 brd 122.71.115.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::20c:29ff:fead:b884/64 scope link
valid_lft forever preferred_lft forever
America Windows Host
C:\Users\Xilong Jin>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : PC01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-1F-43-7C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 106.185.25.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 106.185.25.1
DNS Servers . . . . . . . . . . . : 106.185.25.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Xilong Jin>ping -n 2 www.cnblogs.com
Pinging www.cnblogs.com [106.185.25.1] with 32 bytes of data:
Reply from 106.185.25.1: bytes=32 time<1ms TTL=64
Reply from 106.185.25.1: bytes=32 time<1ms TTL=64
Ping statistics for 106.185.25.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
China Windows Host
C:\Users\Xilong Jin>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : PC01
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-0C-29-1F-43-7C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 122.71.115.8(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 122.71.115.1
DNS Servers . . . . . . . . . . . : 122.71.115.1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\Users\Xilong Jin>ping -n 2 www.cnblogs.com
Pinging www.cnblogs.com [122.71.115.1] with 32 bytes of data:
Reply from 122.71.115.1: bytes=32 time<1ms TTL=64
Reply from 122.71.115.1: bytes=32 time<1ms TTL=64
Ping statistics for 122.71.115.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms