1、简述DNS服务器原理,并搭建主-辅服务器。
DNS原理:
DNS 把域名解析为 IP。权威服务器保存某个区域(zone)的数据;主服务器(master)上的区域文件是唯一可编辑的源,从服务器(slave)通过区域传输(AXFR/IXFR)拉取一份副本——主服务器修改后 SOA 序列号增大并发送 NOTIFY,或从服务器在 refresh 时间到期后主动比较序列号,发现更新才传输。主从都能对外给出权威应答,因此任一台故障时解析仍可用。
实现DNS从服务器,搭建DNS主从服务器架构,实现DNS服务冗余
实验环境:
需要四台主机
DNS主服务器:10.0.0.8
DNS从服务器: 10.0.0.17
web服务器:10.0.0.7
DNS客户端:10.0.0.18
主DNS服务端配置:10.0.0.8
****
yum install bind -y
vim /etc/named.conf
#注释掉下面两行:注释后 named 会监听所有接口并接受任意来源的查询。CentOS 自带的 named.conf 中还有 recursion yes;,两者叠加会让这台机器变成开放递归解析器(可被用于 DNS 放大攻击)。实验环境可以接受,生产环境应改成 allow-query { 10.0.0.0/24; };,或者只做权威解析时加上 recursion no;
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#只允许从服务器进行区域传输(写在 options { } 内)。不加限制时任何主机都能用 dig axfr magedu.org @10.0.0.8 拖走整个区域数据;生产环境可再用 TSIG 密钥对从服务器做认证
allow-transfer { 10.0.0.17; };
vim /etc/named.rfc1912.zones
#加上这段
zone "magedu.org" {
type master;
file "magedu.org.zone";
};
cp -p /var/named/named.localhost /var/named/magedu.org.zone
#如果没有-p,需要改权限。chgrp named magedu.org.zone
vim /var/named/magedu.org.zone
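$TTL 1D
; Zone magedu.org, served by master (10.0.0.8) and slave (10.0.0.17).
; Bump the serial (YYYYMMDDnn) on EVERY edit: the slave only transfers
; the zone when it sees a serial higher than the one it already holds.
@ IN SOA master admin.magedu.org. (
20211215 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
NS slave
master A 10.0.0.8
slave A 10.0.0.17
; Web server record (10.0.0.7 in the environment list). Without it the
; client's "dig www.magedu.org" / "curl www.magedu.org" tests cannot resolve.
www A 10.0.0.7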
#检查配置文件,重要
named-checkconf
named-checkzone magedu.org /var/named/magedu.org.zone
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
从DNS服务器配置
yum install bind -y
vim /etc/named.conf
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
#不允许其它主机进行区域传输
allow-transfer { none;};
vim /etc/named.rfc1912.zones
zone "magedu.org" {
type slave;
masters { 10.0.0.8;};
file "slaves/magedu.org.slave";
};
named-checkconf
systemctl start named #第一次启动服务
rndc reload #不是第一次启动服务
ls /var/named/slaves/magedu.org.slave #查看区域数据库文件是否生成
实现WEB服务:10.0.0.7
#安装http服务
yum install httpd
#配置主页面
echo www.magedu.org > /var/www/html/index.html
#启动服务
systemctl start httpd
客户端测试主从DNS服务架构:10.0.0.18
vim /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=10.0.0.8
DNS2=10.0.0.17
#改完后执行 nmcli connection reload && nmcli connection up eth0(或重启网络),并用 cat /etc/resolv.conf 确认 nameserver 顺序已生效
#验证整个主从架构:先通过默认 DNS(10.0.0.8)查询,再用 @ 指定从服务器,确认从服务器已经拿到区域数据
dig www.magedu.org
dig @10.0.0.17 www.magedu.org
curl www.magedu.org
结果截图:
![主从显示](https://img-blog.csdnimg.cn/f2c302fed4a14e948654244aea394256.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAcXFfMzYyNjk1NzE=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
#在主服务器上停止DNS服务
systemctl stop named
#验证从DNS服务器仍然可以查询(客户端要先等 DNS1 超时才会转向 DNS2,所以第一次查询会慢几秒;也可以用 dig @10.0.0.17 www.magedu.org 直接验证从服务器)
dig www.magedu.org
curl www.magedu.org
![主被停止,从服务器运行](https://img-blog.csdnimg.cn/0f7b6e41bedd4adeae621a4e82019cca.png?x-oss-process=image/watermark,type_d3F5LXplbmhlaQ,shadow_50,text_Q1NETiBAcXFfMzYyNjk1NzE=,size_20,color_FFFFFF,t_70,g_se,x_16#pic_center)
**
2、搭建并实现智能DNS。
**
**简化版,需要三台主机**
DNS主服务器和web服务器1: 10.0.0.8/24,172.16.0.8/16
DNS客户端1: 10.0.0.7/24 #代表来自beijing的客户
DNS客户端2: 172.16.0.7/16 #代表来自shanghai的客户
**DNS主服务器和web服务器:配置两个地址**
ip a a 172.16.0.8/16 dev ens33 label ens33:1
root@localhost named]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.8 netmask 255.255.255.0 broadcast 10.0.0.255
inet6 fe80::20c:29ff:fe2e:beb3 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:2e:be:b3 txqueuelen 1000 (Ethernet)
RX packets 492345 bytes 669146441 (638.1 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 111962 bytes 7252917 (6.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ens33:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.0.8 netmask 255.255.0.0 broadcast 0.0.0.0
ether 00:0c:29:2e:be:b3 txqueuelen 1000 (Ethernet)
主DNS服务端配置文件实现view
yum install bind -y
vim /etc/named.conf
#在文件最前面加下面行
acl beijingnet {
10.0.0.0/24;
};
acl shanghainet {
172.16.0.0/16;
};
#注释掉下面两行
// listen-on port 53 { 127.0.0.1; };
// allow-query { localhost; };
# 创建view:使用 view 后所有 zone 都必须放在某个 view 里;查询来源不匹配任何 match-clients 时 named 返回 REFUSED,所以只有这两个网段能得到应答
view beijingview {
match-clients { beijingnet;};
include "/etc/named.rfc1912.zones.bj";
};
view shanghaiview {
match-clients { shanghainet;};
include "/etc/named.rfc1912.zones.sh";
};
include "/etc/named.root.key";
#注意:named.conf 原有的全局 zone "." 和 include "/etc/named.rfc1912.zones"; 必须注释掉(这里已改由各 view 的配置文件提供),否则 named-checkconf 报错 "when using 'view' statements, all zones must be in views"
实现区域配置文件
vim /etc/named.rfc1912.zones.bj
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.bj";
};
vim /etc/named.rfc1912.zones.sh
zone "." IN {
type hint;
file "named.ca";
};
zone "magedu.org" {
type master;
file "magedu.org.zone.sh";
};
chgrp named /etc/named.rfc1912.zones.bj
chgrp named /etc/named.rfc1912.zones.sh
创建区域数据库文件
vim /var/named/magedu.org.zone.bj
$TTL 1D
@ IN SOA master admin.magedu.org. (
20211215 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
www A 10.0.0.100
vim /var/named/magedu.org.zone.sh
$TTL 1D
@ IN SOA master admin.magedu.org. (
20211215 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS master
master A 10.0.0.8
www A 172.16.0.100
chgrp named /var/named/magedu.org.zone.bj
chgrp named /var/named/magedu.org.zone.sh
#重要,检查语法
[root@localhost named]# named-checkconf #主配置文件通过
[root@localhost named]#
#named-checkzone 的第一个参数是区域名(origin),用来展开 @ 和相对名称;之前写成 magedu.org.zones.bj 会用错误的 origin 去检查,应为 magedu.org
[root@localhost named]# named-checkzone magedu.org /var/named/magedu.org.zone.sh
zone magedu.org/IN: loaded serial 20211215
OK
[root@localhost named]# named-checkzone magedu.org /var/named/magedu.org.zone.bj
zone magedu.org/IN: loaded serial 20211215
OK
[root@localhost named]# rndc relpad
rndc: 'relpad' failed: unknown command
[root@localhost named]# rndc reload
server reload successful
[root@localhost named]#
#主配置文件语法通过,数据库配置成功,重新加载服务成功
实现位于不同区域访问
#上海客户端172.16.0.7/16,访问返回结果是就近的上海服务器 www.magedu.org has address 172.16.0.100
[root@localhost ~]# host www.magedu.org 172.16.0.8
Using domain server:
Name: 172.16.0.8
Address: 172.16.0.8#53
Aliases:
www.magedu.org has address 172.16.0.100
#北京客户端10.0.0.7/24,访问返回的结果是就近的北京服务器 www.magedu.org has address 10.0.0.100
[root@localhost network-scripts]# host www.magedu.org 10.0.0.8
Using domain server:
Name: 10.0.0.8
Address: 10.0.0.8#53
Aliases:
www.magedu.org has address 10.0.0.100
3、使用iptable实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝
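# Allow loopback and the return traffic of connections this host initiated FIRST.
# Without these two rules the final REJECT also kills local services on lo and
# the replies to outbound connections (DNS answers, yum, ...), and a remote
# shell adding the rules over ssh only survives because of the ACCEPT for 22.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Services to expose: 22 (ssh), 21 (ftp control), 23 (telnet), 80 (http).
# ftp and telnet send credentials in clear text; prefer ssh/sftp where possible.
# ftp data channels are separate connections; load the nf_conntrack_ftp helper
# (modprobe nf_conntrack_ftp) so they match RELATED instead of being rejected.
iptables -A INPUT -p tcp -m multiport --dports 22,21,23,80 -j ACCEPT
# Everything else is rejected (icmp-port-unreachable). "-s 0.0.0.0/0" is the
# default and was dropped. The iptables -nvL listing below shows only the
# original two rules.
iptables -A INPUT -j REJECT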
[root@localhost ~]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,22,21,23
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
**
3、NAT原理总结
**
NAT: network address translation,支持PREROUTING,INPUT,OUTPUT,POSTROUTING四个链
NAT的实现分为下面类型:
SNAT:source NAT ,支持POSTROUTING, INPUT,让本地网络中的主机通过某一特定地址访问
外部网络,实现地址伪装,请求报文:修改源IP
DNAT:destination NAT 支持PREROUTING , OUTPUT,把本地网络中的主机上的某服务开放给
外部网络访问(发布服务和端口映射),但隐藏真实IP,请求报文:修改目标IP
PNAT: port nat,端口和IP都进行修改。iptables 中并没有单独的 PNAT 目标,端口改写是通过 SNAT --to-source ip:port、DNAT --to-destination ip:port(下文 DNAT 示例即是)或 REDIRECT --to-ports 完成的
4、iptables实现SNAT和DNAT,并对规则持久保存。
SNAT实现
跟上图配的ip有不同
#环境准备:
#防火墙:配置两块网卡,ens37仅主机模式,ens33为nat模式
[root@localhost ~]# ifconfig
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.8 netmask 255.255.255.0 broadcast 10.0.0.255
ens37: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.128 netmask 255.255.255.0 broadcast 192.168.194.255
#内网:网关指向防火墙
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.17 netmask 255.255.255.0 broadcast 10.0.0.255
#外网:仅主机模式
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.194.6 netmask 255.255.255.0 broadcast 192.168.194.255
#转发功能开启,重要。查看当前值可直接用 sysctl net.ipv4.ip_forward;这里看到的只是运行时的值,重启后会丢失,需要另外写入 /etc/sysctl.d/ 才能持久,否则重启后 SNAT/DNAT 全部失效
[root@firewall-host ~]#sysctl -a |grep net.ipv4.ip_forward
net.ipv4.ip_forward = 1
#查看准备环境的效果:
10.0.0.17内网不能ping外网192.168.194.6
[root@localhost ~]# ping 192.168.194.6
PING 192.168.194.6 (192.168.194.6) 56(84) bytes of data.
#10.0.0.17内网能ping通防火墙192.168.194.128
[root@localhost ~]# ping 192.168.194.128
PING 192.168.194.128 (192.168.194.128) 56(84) bytes of data.
64 bytes from 192.168.194.128: icmp_seq=1 ttl=64 time=0.306 ms
#防火墙能上外网
[root@localhost ~]# curl 192.168.194.6
i am the outside web
192.168.194.6
#外网能ping防火墙
[root@localhost ~]# ping 192.168.194.128
PING 192.168.194.128 (192.168.194.128) 56(84) bytes of data.
64 bytes from 192.168.194.128: icmp_seq=1 ttl=64 time=0.370 ms
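# Source NAT for the LAN. MASQUERADE re-reads the outgoing interface's address
# for every new connection, so it suits dynamic (dial-up / DHCP) public
# addresses. With a fixed public IP (192.168.194.128 on ens37 here) plain SNAT
# is the cheaper equivalent:
#   iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens37 -j SNAT --to-source 192.168.194.128
# "-o ens37" limits translation to packets leaving through the outside
# interface, so LAN <-> firewall traffic keeps its real source address.
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o ens37 -j MASQUERADE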
#内网可以访问外网
[root@localhost ~]# curl 192.168.194.6
i am the outside web
192.168.194.6
#外网不可以访问内网。注意这里的 "Network is unreachable" 是外网主机自己没有到 10.0.0.0/24 的路由,并不是防火墙在拦截;SNAT 规则本身不阻止任何入站流量。要真正限制外网主动访问内网,需在 FORWARD 链先放行已建立的连接再拒绝来自 ens37 的新连接,例如 iptables -A FORWARD -i ens37 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 和 iptables -A FORWARD -i ens37 -j DROP(若后面要做 DNAT 发布服务,还要在 DROP 之前放行 -m conntrack --ctstate DNAT)
[root@localhost ~]# ping 10.0.0.17
connect: Network is unreachable
#在外网服务器上看到的来源地址是防火墙外网口的地址 192.168.194.128,说明内网主机的源地址已被替换
[root@localhost ~]# tail -n1 /var/log/httpd/access_log
192.168.194.128 - - [17/Dec/2021:23:07:23 -0800] "GET / HTTP/1.1" 200 35 "-" "curl/7.29.0"
#查看转换状态信息
[root@localhost ~]# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 76 TIME_WAIT src=10.0.0.17 dst=192.168.194.6 sport=60144 dport=80 src=192.168.194.6 dst=192.168.194.128 sport=80 dport=60144 [ASSURED] mark=0 secctx=system_u:object_r:unlabeled_t:s0 zone=0 use=2
**
DNAT实现
**
#环境沿用SNAT,但是暂时关闭主机10.0.0.17和添加内网主机10.0.0.18
#外网能ping通防火墙
[root@localhost ~]# ping 192.168.194.128
PING 192.168.194.128 (192.168.194.128) 56(84) bytes of data.
#外网访问防火墙的 80 端口被拒绝,因为防火墙本机没有安装 httpd;下面把这个端口通过 DNAT 转发到内网主机
[root@localhost ~]# curl 192.168.194.128
curl: (7) Failed connect to 192.168.194.128:80; Connection refused
# Add the DNAT rule on the firewall: TCP connections arriving for the firewall's
# outside address on port 80 are rewritten to 10.0.0.18:8080 before routing.
# Replies are de-translated automatically by conntrack, so no matching SNAT is needed.
# The translated packet still has to pass the FORWARD chain (not shown here;
# ACCEPT by default unless changed). If FORWARD is locked down, allow it with
# -m conntrack --ctstate DNAT.
[root@localhost ~]# iptables -t nat -A PREROUTING -d 192.168.194.128 -p tcp --dport 80 -j DNAT --to-destination 10.0.0.18:8080
#防火墙访问转发到内网的8080端口
[root@localhost ~]# curl 192.168.194.128
i am the inside web
10.0.0.18
#内网主机能够看到请求是从外网来的ip
[root@localhost conf]# tail -n1 /var/log/httpd/access_log
192.168.194.6 - - [18/Dec/2021:00:12:13 -0800] "GET / HTTP/1.1" 200 30 "-" "curl/7.29.0"
持久化保存规则
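# Persist the filter and nat rules so they survive a reboot.
# iptables-services provides iptables.service, which restores
# /etc/sysconfig/iptables at boot.
yum -y install iptables-services
# Keep a copy of the existing file before overwriting it.
cp /etc/sysconfig/iptables{,.bak}
# Method 1: the init script's save action (writes the same file).
/usr/libexec/iptables/iptables.init save
# Method 2: dump all tables by hand. Either method is enough; both include the
# nat table, so the SNAT/DNAT rules above are kept.
iptables-save > /etc/sysconfig/iptables
# The NAT rules are useless without forwarding, and /proc/sys values are not
# persistent: record net.ipv4.ip_forward in sysctl.d as well.
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-ip_forward.conf
sysctl --system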
#设置 iptables 开机启动,并停用 firewalld.service 和 nftables.service:mask 只阻止它们以后被启动,如果 firewalld 当前还在运行还要先 systemctl stop firewalld,否则两套规则会互相覆盖
[root@localhost sysconfig]# systemctl mask firewalld.service nftables.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null.
Created symlink /etc/systemd/system/nftables.service → /dev/null.
[root@localhost sysconfig]# systemctl enable iptables.service
Created symlink /etc/systemd/system/multi-user.target.wants/iptables.service → /usr/lib/systemd/system/iptables.service.
[root@localhost sysconfig]#