Section 11: Deploy the DNS server

Environmental preparation:

Server (server): Linux CentOS 8.2, IP: 192.168.1.150

Client 1 (client): Linux CentOS 8.2, IP: 192.168.1.151

Tools: VMware Workstation 12.5 (both virtual machines in host-only network mode), Xshell 7

Configuration requirements

According to the domain names and IP addresses in the table below, set up a DNS server that provides forward and reverse resolution for www.mzzz.net and ftp.mzzz.net.

Domain name       IP address
www.mzzz.net      192.168.1.152
ftp.mzzz.net      192.168.1.153

1. Install the bind service package

[root@mzzz ~]# dnf install bind
Last metadata expiration check: 0:55:35 ago on Wed 13 Jan 2021 12:50:26 PM CST.
Dependencies resolved.
=========================================================================================
 Package          Architecture           Version           Repository           Size
=========================================================================================
Installing:
 bind             x86_64           32:9.11.13-3.el8         AppStream           2.1 M

Transaction Summary
=========================================================================================
Install  1 Package

Total size: 2.1 M
Installed size: 4.5 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                  1/1 
  Running scriptlet: bind-32:9.11.13-3.el8.x86_64                                     1/1 
  Installing       : bind-32:9.11.13-3.el8.x86_64                                     1/1 
  Running scriptlet: bind-32:9.11.13-3.el8.x86_64                                     1/1 
  Verifying        : bind-32:9.11.13-3.el8.x86_64                                     1/1 
Installed products updated.

Installed:
  bind-32:9.11.13-3.el8.x86_64                                                                                                       

Complete!

2. Modify the DNS main configuration file named.conf

The configuration of the bind service program is not simple. To provide a complete DNS query service, the relevant domain name database must be stored locally, and if the correspondence between every domain name and IP address were written into a single configuration file it would contain an estimated tens of millions of entries, which would hurt execution efficiency and make later modification and maintenance inconvenient. The bind service program therefore splits its configuration across the following three key files.

The main configuration file (/etc/named.conf): it has only 59 lines, and after removing comments and blank lines only about 25 effective parameters remain. These parameters define how the bind service program runs.

Zone configuration file (/etc/named.rfc1912.zones): records where the correspondence between domain names and IP addresses is stored. Like a book's table of contents, it points to the specific location of each domain's records; when you need to view or modify them, you find the relevant file from this location.

Data configuration file directory (/var/named): holds the data files that contain the actual correspondence between domain names and IP addresses.

In the Linux system, the bind service program is named named. First locate the service's main configuration file in the /etc directory, then change the addresses on lines 11 and 19 to any, meaning that every IP address on the server provides DNS resolution and that everyone is allowed to send DNS query requests to this server. These two places must be modified exactly. Note that together with recursion yes on line 31 this also makes the server a recursive resolver for anyone who can reach it; the comment block inside the file explains why that should be restricted on anything other than an isolated lab network like this one.

[root@mzzz ~]# vim /etc/named.conf
  1 //
  2 // named.conf
  3 //
  4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
  5 // server as a caching only nameserver (as a localhost DNS resolver only).
  6 //
  7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
  8 //
  9 
 10 options {
 11         listen-on port 53 { any; };
 12         listen-on-v6 port 53 { ::1; };
 13         directory       "/var/named";
 14         dump-file       "/var/named/data/cache_dump.db";
 15         statistics-file "/var/named/data/named_stats.txt";
 16         memstatistics-file "/var/named/data/named_mem_stats.txt";
 17         secroots-file   "/var/named/data/named.secroots";
 18         recursing-file  "/var/named/data/named.recursing";
 19         allow-query     { any; };
 20 
 21         /* 
 22          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 23          - If you are building a RECURSIVE (caching) DNS server, you need to enable 
 24            recursion. 
 25          - If your recursive DNS server has a public IP address, you MUST enable access 
 26            control to limit queries to your legitimate users. Failing to do so will
 27            cause your server to become part of large scale DNS amplification 
 28            attacks. Implementing BCP38 within your network would greatly
 29            reduce such attack surface 
 30         */
 31         recursion yes;
 32 
 33         dnssec-enable yes;
 34         dnssec-validation yes;
 35 
 36         managed-keys-directory "/var/named/dynamic";
 37 
 38         pid-file "/run/named/named.pid";
 39         session-keyfile "/run/named/session.key";
 40 
 41         /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
 42         include "/etc/crypto-policies/back-ends/bind.config";
 43 };
 44 
 45 logging {
 46         channel default_debug {
 47                 file "data/named.run";
 48                 severity dynamic;
 49         };
 50 };
 51 
 52 zone "." IN {
 53         type hint;
 54         file "named.ca";
 55 };
 56 
 57 include "/etc/named.rfc1912.zones";
 58 include "/etc/named.root.key";
 59 

As mentioned earlier, the zone configuration file (/etc/named.rfc1912.zones) of the bind service program records where the correspondence between domain names and IP addresses is stored. This file defines the zone type and the location of the file holding the resolution rules for each domain, but contains no actual domain name to IP address mappings. There are three zone types: hint (root zone), master (primary zone) and slave (secondary zone); the commonly used master and slave refer to the primary and secondary servers respectively. The forward resolution parameters (domain name to IP address) and the reverse resolution parameters (IP address to domain name) are shown in 11-1 and 11-2 respectively.

zone "mzzz.net" IN {
type master;            # zone type
file "mzzz.net.zone";   # file holding the domain name to IP address resolution rules
allow-update {none;};   # which clients may dynamically update resolution data
};

11-1: Forward resolution parameters

zone "1.168.192.in-addr.arpa" IN {      # reverse resolution zone for the 192.168.1.0/24 network
type master;
file "192.168.1.arpa";
allow-update {none;};
};

11-2: Reverse resolution parameters

3. Forward resolution experiment

In the DNS domain name resolution service, forward resolution means finding the IP address that corresponds to a domain name (host name). In other words, when a user enters a domain name, the bind service program looks it up automatically and returns the matching IP address to the user. This is also the most commonly used DNS working mode.

Step 1: Edit the zone configuration file. By default this file already contains some unrelated resolution parameters, provided as a reference for users. Add the following parameters at the bottom of the zone configuration file; alternatively, clear the original contents of the file and keep only our own domain name resolution information:

[root@mzzz ~]# vim /etc/named.rfc1912.zones
zone "mzzz.net" IN {
        type master;
        file "mzzz.net.zone";
        allow-update { none; };
};

Step 2: Edit the data configuration file. Copy the forward resolution template file (named.localhost) in the /var/named directory, then fill in the domain name and IP address data and save it. Remember to add the -a option when copying, which preserves the original owner, group, permission bits and other attributes so that the bind service program can read the file:

[root@mzzz ~]# cd /var/named/
[root@mzzz named]# ls -al named.localhost 
-rw-r-----. 1 root named 152 Apr 24  2020 named.localhost
[root@mzzz named]# cp -a named.localhost mzzz.net.zone
[root@mzzz named]# 

Edit the data configuration file. Remember to restart the named service after saving and exiting so that the new resolution data takes effect. Since the forward resolution file has many parameters and they are important, a brief description follows each one.

[root@mzzz named]# vim mzzz.net.zone
$TTL 1D                                         ; default time-to-live for records in this zone
@       IN SOA  @ rname.invalid. (              ; start of authority: primary server (@ = mzzz.net) and admin mailbox
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @                               ; the name server for this zone is this host
        A       192.168.1.150                   ; address of the zone apex, i.e. this DNS server
www     IN A    192.168.1.152                   ; www.mzzz.net
ftp     IN A    192.168.1.153                   ; ftp.mzzz.net
[root@mzzz named]# systemctl restart named

Step 3: Test the resolution results. To check them, first change the DNS address parameter of the Linux system's network interface to the local IP address so that the DNS query service provided by this machine is used. The nslookup command checks whether the DNS server can query the resolution records for domain names and IP addresses, and thereby verifies more precisely whether the DNS server is able to provide service to users.

[root@mzzz named]# nmcli c reload

Step 4: Test from the CentOS 8 client. Before testing, set the client's DNS address to the IP address of the DNS server and restart the network, then run the test:

[root@Client ~]# nmcli c reload
[root@Client ~]# nslookup
> www.mzzz.net
Server:     192.168.1.150
Address:    192.168.1.150#53

Name:   www.mzzz.net
Address: 192.168.1.152
> ftp.mzzz.net
Server:     192.168.1.150
Address:    192.168.1.150#53

Name:   ftp.mzzz.net
Address: 192.168.1.153

4. Reverse resolution experiment

In the DNS domain name resolution service, reverse resolution resolves an IP address submitted by the user into the corresponding domain name information. It is generally used to block, as a whole, spam sent from all the domain names bound to one IP address. A reverse lookup of an IP address can also give a rough idea of how many websites are running on it; when buying a virtual host, you can use this to check whether the hosting provider has a serious overselling problem.

Step 1: Edit the zone configuration file. Besides getting the format right, remember the name of the data configuration file defined here, because a file of the same name must be created in the /var/named directory later. Reverse resolution maps an IP address to a domain name, so when defining the zone the IP address is written in reverse order: 192.168.1.0 becomes 1.168.192, and only the network portion of the address is written. Add the following parameters after the forward resolution parameters.

[root@mzzz ~]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.arpa";
        allow-update { none; };
};

Step 2: Edit the data configuration file. First copy the reverse resolution template file (named.loopback) in the /var/named directory, then fill in the following parameters. Only the host portion of each IP address is written; finally, restart the named service.

[root@mzzz named]# cp -a named.loopback 192.168.1.arpa
[root@mzzz named]# vim 192.168.1.arpa
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       192.168.1.150
152     PTR     www.mzzz.net.           ; host part 152 -> 192.168.1.152
153     PTR     ftp.mzzz.net.           ; host part 153 -> 192.168.1.153
        AAAA    ::1                     ; left over from the named.loopback template; harmless, can be deleted
[root@mzzz named]# systemctl restart named

Step 3: Test the resolution results on the client. The DNS address parameter of the system's network interface was already set to the DNS server's IP address in the forward resolution experiment, so the nslookup command can be used directly: enter an IP address and the corresponding domain name information is returned.

[root@Client ~]# nslookup
> 192.168.1.152
152.1.168.192.in-addr.arpa  name = www.mzzz.net.
> 192.168.1.153
153.1.168.192.in-addr.arpa  name = ftp.mzzz.net.
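The steps above hand-write the reverse zone and rely on a restart to find mistakes. The following bash script is an added example, not part of the original post: it derives the in-addr.arpa zone name and the expected PTR records from the forward zone's A records and compares them with the reverse zone, and it flags the open-resolver pattern (recursion yes with allow-query { any; } and no allow-recursion) from the named.conf section. The zone and config text are constructed inline so it runs offline; the function names are my own.

```bash
#!/bin/bash
# Sanity checks for the mzzz.net forward/reverse zones and named.conf above.
# Added example, not part of the original post. Zone and config text are
# constructed inline so it runs offline; on the server feed it the real files,
# e.g. FWD=$(cat /var/named/mzzz.net.zone).

# 192.168.1.0/24 -> 1.168.192.in-addr.arpa (octets reversed, host part dropped).
reverse_zone_name() {
    printf '%s' "$1" | awk -F'[./]' '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# PTR lines the reverse zone should contain, derived from the forward zone's
# "<host> IN A <ip>" records: "<last octet> PTR <host>.<origin>."
expected_ptrs() {           # $1 = forward zone text, $2 = origin (mzzz.net)
    printf '%s\n' "$1" | awk -v o="$2" \
        '$2 == "IN" && $3 == "A" { split($4, ip, "."); print ip[4] " PTR " $1 "." o "." }' | sort
}

# PTR lines actually present in the reverse zone text.
actual_ptrs() {
    printf '%s\n' "$1" | awk '$2 == "PTR" { print $1 " PTR " $3 }' | sort
}

# Succeeds only when every A record has a matching PTR and no stray PTRs exist.
check_ptr_consistency() {   # $1 = forward text, $2 = reverse text, $3 = origin
    [ "$(expected_ptrs "$1" "$3")" = "$(actual_ptrs "$2")" ]
}

# Open-resolver pattern in named.conf options: recursion on, queries accepted
# from anywhere, and no allow-recursion limiting who may use recursion.
is_open_resolver() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes' &&
    printf '%s\n' "$1" | grep -Eq 'allow-query[[:space:]]*[{][[:space:]]*any;' &&
    ! printf '%s\n' "$1" | grep -q 'allow-recursion'
}

# Constructed inputs mirroring the files on this page.
FWD='@   IN SOA @ rname.invalid. ( 0 1D 1H 1W 3H )
    NS  @
    A   192.168.1.150
www IN A 192.168.1.152
ftp IN A 192.168.1.153'
REV='152 PTR www.mzzz.net.
153 PTR ftp.mzzz.net.'
CONF='options { allow-query { any; };
    recursion yes; };'

check_ptr_consistency "$FWD" "$REV" mzzz.net && echo "forward/reverse zones agree"
is_open_resolver "$CONF" && echo "WARNING: open resolver; add allow-recursion { 192.168.1.0/24; };"
```

On the real server, also run named-checkconf and named-checkzone mzzz.net /var/named/mzzz.net.zone (both ship with the bind package) before systemctl restart named, so a syntax error is caught before the service is taken down.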

Origin blog.51cto.com/4183862/2590024