1. Make serverb the primary name server for backend.lab.example.com and for the reverse zones for 192.168.0/24 and fde2:6494:1e09:2::/64.
Install BIND9 on serverb. Configure BIND according to the following specifications:
- Listen for IPv4 and IPv6 queries on any interface.
- Allow localhost, 172.25.250.254 and 192.168.0.0/24 to request resource data.
- Disable recursion.
- Remove the root (.) hints section.
- Add an include statement for /etc/named.backend.conf.
- Configure the zone directives in /etc/named.backend.conf to reference your zone files. You can copy this file from ~/dns-review/files/primary-named.backend.conf on workstation.
- Copy the existing zone files from ~/dns-review/files/zones on workstation to /var/named on serverb and make sure named can read them.
1.1 Log in to serverb as student, then switch to the root user.
[student@workstation ~]$ ssh serverb
student@serverb's password: student
[student@serverb ~]$ sudo -i
[sudo] password for student: student
1.2 Install the bind package.
[root@serverb ~]# yum -y install bind
1.3 Edit /etc/named.conf to match the following:
...output omitted...
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        allow-query     { localhost; 172.25.250.254; 192.168.0.0/24; };
        recursion no;
...output omitted...
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
include "/etc/named.backend.conf";
1.4 Create the /etc/named.backend.conf include file, which identifies the forward and reverse zones for the backend.lab.example.com subdomain.
[root@serverb ~]# vim /etc/named.backend.conf
zone "backend.lab.example.com" IN {
        type master;
        file "backend.lab.example.com.zone";
        forwarders {
        };
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
        forwarders {
        };
};
zone "2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa" IN {
        type master;
        file "fde2.6494.1e09.2.zone";
        forwarders {
        };
};
Make sure /etc/named.backend.conf is readable, but not writable, by the named group.
[root@serverb ~]# chmod 640 /etc/named.backend.conf
[root@serverb ~]# chgrp named /etc/named.backend.conf
1.5 Copy the three zone files in the ~/dns-review/files/zones directory on workstation to /var/named on serverb:
- /var/named/backend.lab.example.com.zone
- /var/named/192.168.0.zone
- /var/named/fde2.6494.1e09.2.zone
[root@serverb ~]# scp student@workstation:~/dns-review/files/zones/* /var/named/
student@workstation's password:
192.168.0.zone 100% 801 405.2KB/s 00:00
backend.lab.example.com.zone 100% 984 802.1KB/s 00:00
fde2.6494.1e09.2.zone 100% 813 731.4KB/s 00:00
The contents of the zone files should match the following:
/var/named/backend.lab.example.com.zone
[root@serverb ~]# cat /var/named/backend.lab.example.com.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041806 ;serial number
        1H ;refresh secondary
        5m ;retry refresh
        1w ;expire zone
        1m ) ;cache time-to-live for negative answers
; owner TTL CL type RDATA
        600 IN NS serverb ; leading whitespace: owner inherited from the SOA (@)
servera IN A 192.168.0.10
serverb IN A 192.168.0.11
serverc IN A 192.168.0.12
serverd IN A 192.168.0.13
servera IN AAAA fde2:6494:1e09:2::a
serverb IN AAAA fde2:6494:1e09:2::b
serverc IN AAAA fde2:6494:1e09:2::c
serverd IN AAAA fde2:6494:1e09:2::d
/var/named/192.168.0.zone
[root@serverb ~]# cat /var/named/192.168.0.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805 ;serial number
        1H ;refresh secondary
        5M ;retry refresh
        1W ;expire zone
        1M ) ;cache time-to-live for negative answers
; owner TTL CL type RDATA
        600 IN NS serverb.backend.lab.example.com. ; owner inherited from the SOA (@)
10.0.168.192.IN-ADDR.ARPA. IN PTR servera.backend.lab.example.com.
11 IN PTR serverb.backend.lab.example.com.
12 IN PTR serverc.backend.lab.example.com.
13 IN PTR serverd.backend.lab.example.com.
/var/named/fde2.6494.1e09.2.zone
[root@serverb ~]# cat /var/named/fde2.6494.1e09.2.zone
$TTL 300
@ IN SOA serverb.backend.lab.example.com. root.serverb.backend.lab.example.com. (
        2020041805 ;serial number
        1H ;refresh secondary
        5M ;retry refresh
        1W ;expire zone
        1M ) ;cache time-to-live for negative answers
; owner TTL CL type RDATA
        600 IN NS serverb.backend.lab.example.com. ; owner inherited from the SOA (@)
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR servera.backend.lab.example.com.
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverb.backend.lab.example.com.
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverc.backend.lab.example.com.
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverd.backend.lab.example.com.
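Added example (not the lab's own code): the reverse-zone names and PTR owner names above are derived mechanically from the forward addresses, so a short Python check can confirm that every A/AAAA record in the forward zone has a matching PTR in the right reverse zone before named loads the files. The host data is constructed from the zone files shown above; the IPv6 PTR map deliberately omits serverd so the check has something to report.

```python
import ipaddress

ZONE = "backend.lab.example.com."
# Constructed from the A/AAAA records in backend.lab.example.com.zone above.
FORWARD = {
    "servera": ("192.168.0.10", "fde2:6494:1e09:2::a"),
    "serverb": ("192.168.0.11", "fde2:6494:1e09:2::b"),
    "serverc": ("192.168.0.12", "fde2:6494:1e09:2::c"),
    "serverd": ("192.168.0.13", "fde2:6494:1e09:2::d"),
}

def reverse_zone_name(prefix):
    """Zone name for an IPv4 /24 or IPv6 /64 prefix (what the zone statement needs)."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4:
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def ptr_owner(address):
    """Fully qualified PTR owner name for one host address (what dig -x asks for)."""
    return ipaddress.ip_address(address).reverse_pointer + "."

def fqdn_map(zone, records):
    """Expand the relative owner names of a reverse zone file to lowercase FQDNs."""
    return {(o if o.endswith(".") else f"{o}.{zone}").lower(): t
            for o, t in records.items()}

def missing_ptrs(prefix, zone_ptrs):
    """Forward addresses inside prefix whose PTR is absent or names the wrong host."""
    net = ipaddress.ip_network(prefix, strict=False)
    problems = []
    for host, addrs in FORWARD.items():
        for addr in addrs:
            if ipaddress.ip_address(addr) in net:
                if zone_ptrs.get(ptr_owner(addr)) != f"{host}.{ZONE}":
                    problems.append(addr)
    return problems

# Constructed from the PTR records of the two reverse zone files above; the
# IPv6 map deliberately omits serverd so the check reports it.
IPV4_PTRS = fqdn_map("0.168.192.in-addr.arpa.", {
    "10.0.168.192.IN-ADDR.ARPA.": "servera." + ZONE, "11": "serverb." + ZONE,
    "12": "serverc." + ZONE, "13": "serverd." + ZONE})
IPV6_PTRS = fqdn_map(reverse_zone_name("fde2:6494:1e09:2::/64"), {
    "A" + ".0" * 15: "servera." + ZONE,
    "B" + ".0" * 15: "serverb." + ZONE,
    "C" + ".0" * 15: "serverc." + ZONE})
```

Running missing_ptrs("192.168.0.0/24", IPV4_PTRS) returns an empty list, while the IPv6 check returns the one address whose PTR is missing.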
1.6 Make sure the named group can read, but not write, the zone files.
[root@serverb ~]# chmod 640 /var/named/*.zone
[root@serverb ~]# chgrp named /var/named/*.zone
1.7 Configure the firewall to allow DNS traffic, then enable and start the named service on serverb.
[root@serverb ~]# firewall-cmd --add-service=dns --permanent
success
[root@serverb ~]# firewall-cmd --reload
success
[root@serverb ~]# systemctl enable --now named
[root@serverb ~]# firewall-cmd --list-all | grep service
services: cockpit dhcpv6-client dns ssh
2. Configure a caching name server on servera that meets the following requirements:
- Install the unbound package on servera.
- Configure unbound to allow queries from the 172.25.250.0/24 subnet, exempt the example.com zone from DNSSEC validation, and forward all queries to 172.25.250.254.
- Start and enable unbound, and configure the firewall to allow DNS traffic on the server.
2.1 On workstation, use SSH to log in to servera as student. Use sudo -i to switch to root.
[student@workstation ~]$ ssh servera
[student@servera ~]$ sudo -i
[sudo] password for student: student
2.2 Install unbound.
[root@servera ~]# yum install unbound -y
2.3 Configure unbound to allow queries from the 172.25.250.0/24 subnet, exempt the example.com zone from DNSSEC validation, and forward all queries to 172.25.250.254.
Create the following file as /etc/unbound/conf.d/server.conf with permissions 0644, owned by user root and group unbound.
[root@servera ~]# vim /etc/unbound/conf.d/server.conf
server:
    interface-automatic: yes
    access-control: 172.25.250.0/24 allow
    domain-insecure: "example.com"
forward-zone:
    name: "."
    forward-addr: 172.25.250.254
2.4 Generate the private keys and server certificate.
[root@servera ~]# unbound-control-setup
setup in directory /etc/unbound
generating unbound_server.key
Generating RSA private key, 3072 bit long modulus (2 primes)
..++++
........++++
e is 65537 (0x010001)
generating unbound_control.key
Generating RSA private key, 3072 bit long modulus (2 primes)
..................................++++
.................................++++
e is 65537 (0x010001)
create unbound_server.pem (self signed certificate)
create unbound_control.pem (signed client certificate)
Signature ok
subject=CN = unbound-control
Getting CA Private Key
Setup success. Certificates created. Enable in unbound.conf file to use
2.5 Check the syntax of the unbound configuration file.
[root@servera ~]# unbound-checkconf
unbound-checkconf: no errors in /etc/unbound/unbound.conf
2.6 Start and enable unbound.
[root@servera ~]# systemctl enable --now unbound
Created symlink /etc/systemd/system/multi-user.target.wants/unbound.service → /usr/lib/systemd/system/unbound.service.
2.7 Configure the firewall to allow DNS traffic on servera.
[root@servera ~]# firewall-cmd --permanent --add-service=dns
success
[root@servera ~]# firewall-cmd --reload
success
[root@servera ~]# firewall-cmd --list-all | grep service
services: cockpit dhcpv6-client dns ssh
3. Test the operation of the name servers.
Submit queries to confirm answers from the caching name server on servera and from the authoritative primary name server on serverb.
3.1 On servera, query localhost.localdomain at serverb's lab.example.com address (172.25.250.11). The dig command fails, because BIND on serverb is configured to allow queries only from localhost, 172.25.250.254 and the 192.168.0.0/24 network, and servera's classroom address is not among them.
[student@servera ~]# dig localhost.localdomain @172.25.250.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @172.25.250.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: f4324ebe0d3e7dc59458019a628b9b10ae42aa0018f23c27 (good)
;; QUESTION SECTION:
;localhost.localdomain. IN A
;; Query time: 1 msec
;; SERVER: 172.25.250.11#53(172.25.250.11)
;; WHEN: Mon May 23 14:32:48 GMT 2022
;; MSG SIZE rcvd: 78
3.2 Query localhost.localdomain at serverb's backend.lab.example.com address (192.168.0.11). This succeeds, because BIND allows all queries from that subnet.
[student@servera ~]# dig localhost.localdomain @192.168.0.11
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> localhost.localdomain @192.168.0.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44039
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 4081c2f5a37c99bb3ebf6e64628b9bd32b4e4b24bf8723b5 (good)
;; QUESTION SECTION:
;localhost.localdomain. IN A
;; ANSWER SECTION:
localhost.localdomain. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
localhost.localdomain. 86400 IN NS localhost.localdomain.
;; ADDITIONAL SECTION:
localhost.localdomain. 86400 IN AAAA ::1
;; Query time: 1 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Mon May 23 14:36:03 GMT 2022
;; MSG SIZE rcvd: 136
3.3 As student on serverb, confirm that the caching name server on servera answers forward lookups. The caching name server on servera caches entries from the backend network but only answers queries from the classroom network range 172.25.250.0/24.
Look up the IP address of serverd.backend.lab.example.com. Use servera's address on the classroom network, 172.25.250.10.
[student@serverb ~]$ dig serverd.backend.lab.example.com @172.25.250.10
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> serverd.backend.lab.example.com @172.25.250.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21912
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;serverd.backend.lab.example.com. IN A
;; ANSWER SECTION:
serverd.backend.lab.example.com. 300 IN A 192.168.0.13
;; Query time: 4 msec
;; SERVER: 172.25.250.10#53(172.25.250.10)
;; WHEN: Mon May 23 14:43:23 GMT 2022
;; MSG SIZE rcvd: 76
3.4 Confirm that IPv4 reverse DNS lookups work for hosts in the 192.168.0.0/24 range.
[student@serverb ~]$ dig -x 192.168.0.13 @localhost
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x 192.168.0.13 @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38780
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: c0a3f62a0b4543594fb72455628b9e296ca3a7ed3664bd52 (good)
;; QUESTION SECTION:
;13.0.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
13.0.168.192.in-addr.arpa. 300 IN PTR serverd.backend.lab.example.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS serverb.backend.lab.example.com.
;; ADDITIONAL SECTION:
serverb.backend.lab.example.com. 300 IN AAAA fde2:6494:1e09:2::b
serverb.backend.lab.example.com. 300 IN A 192.168.0.11
;; Query time: 1 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 14:46:01 GMT 2022
;; MSG SIZE rcvd: 193
3.5 Confirm that IPv6 reverse DNS lookups work for hosts in the fde2:6494:1e09:2::0/64 range.
[student@serverb ~]$ dig -x fde2:6494:1e09:2::d @localhost
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el8 <<>> -x fde2:6494:1e09:2::d @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39808
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 16351321647818d15a115212628b9f0094c0042393c4ef4c (good)
;; QUESTION SECTION:
;d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.9.0.e.1.4.9.4.6.2.e.d.f.ip6.arpa. IN PTR
;; ANSWER SECTION:
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa. 300 IN PTR serverd.backend.lab.example.com.
;; AUTHORITY SECTION:
2.0.0.0.9.0.E.1.4.9.4.6.2.E.D.F.ip6.arpa. 600 IN NS serverb.backend.lab.example.com.
;; ADDITIONAL SECTION:
serverb.backend.lab.example.com. 300 IN AAAA fde2:6494:1e09:2::b
serverb.backend.lab.example.com. 300 IN A 192.168.0.11
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Mon May 23 14:49:36 GMT 2022
;; MSG SIZE rcvd: 304
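Added example (not part of the lab): the replies above differ in status and header flags, and those fields, not just the presence of an answer, are what show that serverb answered from its own zone with recursion disabled (aa set, ra clear) and that unbound on servera relayed a cached, non-authoritative answer (ra set). The parser below reads dig's text output and checks a reply against the role the lab expects; its inputs are constructed excerpts of the replies from steps 3.1, 3.3 and 3.4.

```python
import re

def parse_dig(output):
    """Extract status, header flags and ANSWER-section records from dig's text output."""
    result = {"status": None, "flags": set(), "answers": []}
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            result["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            result["flags"] = set(line.split(";")[2].replace("flags:", "").split())
        elif line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]
        elif section == "ANSWER" and line and not line.startswith(";"):
            name, _ttl, _cls, rtype, rdata = line.split(None, 4)
            result["answers"].append((name, rtype, rdata))
    return result

def check(output, role, name=None, rtype=None, rdata=None):
    """True when a reply looks the way the lab expects for the server's role:
    'refused'       client outside allow-query/access-control, no answer at all;
    'authoritative' serverb answers from its own zone (aa set) and, with
                    recursion disabled, does not offer recursion (ra clear);
    'caching'       servera's unbound relays a non-authoritative answer (ra set)."""
    r = parse_dig(output)
    if role == "refused":
        return r["status"] == "REFUSED" and not r["answers"]
    if r["status"] != "NOERROR" or (name, rtype, rdata) not in r["answers"]:
        return False
    if role == "authoritative":
        return "aa" in r["flags"] and "ra" not in r["flags"]
    return "ra" in r["flags"] and "aa" not in r["flags"]

# Constructed excerpts of the dig replies shown in steps 3.1, 3.3 and 3.4 above.
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53384
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;localhost.localdomain. IN A"""
CACHED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21912
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
serverd.backend.lab.example.com. 300 IN A 192.168.0.13"""
AUTH = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38780
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; ANSWER SECTION:
13.0.168.192.in-addr.arpa. 300 IN PTR serverd.backend.lab.example.com.
;; AUTHORITY SECTION:
0.168.192.in-addr.arpa. 600 IN NS serverb.backend.lab.example.com."""
```

A reply that carries the right record but the wrong flags (for instance a cached answer where an authoritative one was expected) fails the check, which is the point of looking at the header rather than only the ANSWER section.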