What is DNS?
DNS stands for Domain Name System; it is what looks up the address you want to visit and gets the information delivered to your computer.
Reference: https://baike.baidu.com/item/dns/427444
Project implementation:
Hardware requirements: two or more physical/virtual machines (one as the master, one as the slave)
OS environment: RHEL/CentOS 5.0, 5.5, 5.9, 6.4, 7, 7.5
Software: bind, bind-chroot
Approach: the master is configured completely; the slave only needs its main configuration file, named.conf
Purpose:
1. Access control (different IP ranges get different answers)
2. The slave shares the master's load; slaves deployed in different regions can answer client requests quickly
3. If the master goes down, the slave immediately takes over serving requests
For example, if host X and host Y are on different network segments, X visiting www.carlow.com gets page A,
while Y visiting www.carlow.com gets page B.
Software introduction:
The BIND server package is bind; to harden it, it is best to also install the bind-chroot package. With the chroot mechanism, BIND treats "/var/named/chroot" as its root directory, so even if a BIND vulnerability is exploited, the intruder only gains access to the "/var/named/chroot" tree and cannot reach the rest of the system, which improves the system's security.
Installing the software (needed on both master and slave)
1. First method: yum
# yum -y install bind bind-chroot //installing with yum is convenient and resolves the dependencies for us
2. Second method: rpm //use rpm if you cannot configure yum
# rpm -ivh bind-9.3.6-4.P1.el5_4.2.i386.rpm
# rpm -ivh bind-chroot-9.3.6-4.P1.el5_4.2.i386.rpm
I. Configuring the master
1. Generate the key
# cd /var/named/chroot/etc/ //generate the key in this directory
# dnssec-keygen --help //related help
Usage:
dnssec-keygen -a alg -b bits -n type [options] name
Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
Required options:
-a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5
-b key size, in bits:
RSAMD5: [512..4096]
RSASHA1: [512..4096]
DH: [128..4096]
DSA: [512..1024] and divisible by 64
HMAC-MD5: [1..512]
-n nametype: ZONE | HOST | ENTITY | USER | OTHER
name: owner of the key
Other options:
-c <class> (default: IN)
-e use large exponent (RSAMD5/RSASHA1 only)
-f keyflag: KSK
-g <generator> use specified generator (DH only)
-t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-p <protocol>: default: 3 [dnssec]
-s <strength> strength value this key signs DNS records with (default: 0)
-r <randomdev>: a file containing random data
-v <verbose level>
-k : generate a TYPE=KEY key
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private
# dnssec-keygen -a hmac-md5 -b 128 -n host 7k //generate the key
K7k.+157+29709
# cat K7k.+157+29709.key //view the key
7k. IN KEY 512 3 157 DnNjNXxpHlNg8csb6V4dYA== //note down or copy the key
2. Configure named.conf
# vim /var/named/chroot/etc/named.conf
options {
directory "/var/named";
};
key "7k" { //define a key named "7k"
algorithm hmac-md5; //the key algorithm is hmac-md5
secret "DnNjNXxpHlNg8csb6V4dYA=="; //the secret printed by dnssec-keygen above
};
acl ab_client { //define an access control list named "ab_client"
192.168.1.41; //client addresses that select the view below
192.168.2.0/24; //the whole 192.168.2.0/24 network also selects that view
};
view "ab" { //define a view named "ab"
match-clients { ab_client; }; //select the access control list
recursion yes; //whether recursive queries are allowed for clients of this view: yes allows, no refuses
zone "carlow.com" { //the zone name must be the domain; the file name below is free-form
type master; //type: master
file "carlow.com.zone";
allow-transfer { key "7k"; }; //only a holder of the key may transfer the zone
};
};
view "all" {
match-clients { any; }; //must be "any"
recursion yes;
zone "carlow.com" {
type master;
file "carlow.com.all";
allow-transfer { key "7k"; };
};
};
3. Zone configuration
# pwd
/var/named/chroot/var/named
# cp /usr/share/doc/bind-9.3.6/sample/var/named/localhost.zone carlow.com.zone
# cp carlow.com.zone carlow.com.all
# vim carlow.com.zone
$TTL 86400
@ IN SOA ns.carlow.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.carlow.com.
ns IN A 192.168.1.46 ; the server's IP; ns stands for nameserver
www IN A 192.168.1.48 ; www.carlow.com resolves to 192.168.1.48
study IN A 192.168.1.49 ; study.carlow.com resolves to 192.168.1.49
# vim carlow.com.all
$TTL 86400
@ IN SOA ns.carlow.com. root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS ns.carlow.com.
ns IN A 192.168.1.46
www IN A 192.168.1.100
study IN A 192.168.1.200
Master configuration complete
4. Start the service
# service named start
Starting named: [ OK ]
II. Configuring the slave
# pwd
/var/named/chroot/etc
# vim named.conf
options {
directory "/var/named/slaves";
};
key "7k" {
algorithm hmac-md5;
secret "DnNjNXxpHlNg8csb6V4dYA=="; //the same key as on the master
};
acl ab_client {
192.168.1.41;
192.168.2.0/24;
};
view "ab" {
match-clients { ab_client; };
recursion yes;
zone "carlow.com" {
type slave;
file "carlow.com.zone";
masters { 192.168.1.46 key "7k"; }; //specify the master's IP and the key
};
};
view "all" {
match-clients { any; };
recursion yes;
zone "carlow.com" {
type slave;
file "carlow.com.all";
masters { 192.168.1.46 key "7k"; };
};
};
Slave configuration complete
Start the service
# pwd
/var/named/chroot/var/named/slaves
# /etc/init.d/named start
Starting named: [ OK ]
# ls
carlow.com.all carlow.com.zone //seeing the master's zone files here means the transfer succeeded
Client-side testing
I. Network segment one, IP 192.168.1.41
1. Point the client at the DNS server
# vim /etc/resolv.conf
search domain.org
# the slave's IP may be used instead
nameserver 192.168.1.46
2. Test
# nslookup www.carlow.com //nslookup queries the IP of a domain name
Server: 192.168.1.46
Address: 192.168.1.46#53
Name: www.carlow.com
Address: 192.168.1.48
# nslookup study.carlow.com
Server: 192.168.1.46
Address: 192.168.1.46#53
Name: study.carlow.com
Address: 192.168.1.49
II. Network segment two, IP 192.168.2.49
1. Point the client at the DNS server, as above
2. Test
# nslookup www.carlow.com
Server: 192.168.1.46
Address: 192.168.1.46#53
Name: www.carlow.com
Address: 192.168.1.100
# nslookup study.carlow.com
Server: 192.168.1.46
Address: 192.168.1.46#53
Name: study.carlow.com
Address: 192.168.1.200
Result
Clients on different network segments querying the same name (www.carlow.com) get different answers.
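To see how the master chooses a view, here is an added Python simulation (not part of this post and not BIND's own code) of BIND's view selection: it loads constructed copies of the two zone files, matches a client address against the acl in the order the views appear, and answers an A query the way the selected view would. Besides reproducing the two test results above, it lets you check which view an address such as 192.168.2.49 falls into under the acl as written, before you restart named.

```python
import ipaddress

# Constructed copies of the two zone files from this page (SOA condensed to one line).
ZONE_AB = """$TTL 86400
@ IN SOA ns.carlow.com. root ( 42 3H 15M 1W 1D )
@ IN NS ns.carlow.com.
ns IN A 192.168.1.46
www IN A 192.168.1.48
study IN A 192.168.1.49
"""
ZONE_ALL = ZONE_AB.replace("192.168.1.48", "192.168.1.100").replace("192.168.1.49", "192.168.1.200")

# acl definitions and view order copied from named.conf; BIND tests views top to bottom.
ACLS = {"ab_client": ["192.168.1.41", "192.168.2.0/24"], "any": ["0.0.0.0/0"]}
VIEWS = [("ab", "ab_client", ZONE_AB), ("all", "any", ZONE_ALL)]

def parse_a_records(zone_text):
    """Return {owner: address} for the 'owner IN A address' lines of a zone file."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # ';' starts a zone-file comment
        if len(fields) == 4 and fields[1] == "IN" and fields[2] == "A":
            records[fields[0]] = fields[3]
    return records

def acl_matches(acl_name, client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in ACLS[acl_name])

def select_view(client_ip):
    """The first view whose match-clients acl contains the client answers it, as in BIND."""
    for name, acl, _ in VIEWS:
        if acl_matches(acl, client_ip):
            return name
    return None  # no view matched: named would refuse the query

def resolve_a(client_ip, fqdn, origin="carlow.com"):
    """Answer an A query for fqdn the way the split-horizon server above would for client_ip."""
    view = select_view(client_ip)
    if view is None or not fqdn.endswith("." + origin):
        return None
    zone = next(z for n, _, z in VIEWS if n == view)
    return parse_a_records(zone).get(fqdn[: -len(origin) - 1])

if __name__ == "__main__":
    for client in ("192.168.1.41", "192.168.2.49", "10.0.0.5"):
        print(client, "->", select_view(client), resolve_a(client, "www.carlow.com"))
```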
Applications
* With this technique, at large scale a provider can control what its telecom customers and its Netcom customers see; at small scale a company can run an internal DNS server so that employees and the boss see different pages even when they visit the same address, without worrying about internal company secrets leaking.
Notice:
This article is an original work by carlow_chu, for study and exchange only; reproduction without permission is strictly prohibited.
My original Baidu Wenku address:
https://wenku.baidu.com/view/b0fbab4827d3240c8447efb9