Bind9: BIND 9.16.4-Debian (Stable Release) id:0849b42
System: Linux 5.6.0-kali1-amd64
Installing Bind9
- Install Bind9
apt-get update
apt-get install bind9 -y
- Bind9 configuration files
# ls -l /etc/bind
总用量 56
-rw-r--r-- 1 root root 1991 6月 17 15:27 bind.keys
-rw-r--r-- 1 root root 237 6月 17 15:27 db.0
-rw-r--r-- 1 root root 271 6月 17 15:27 db.127
-rw-r--r-- 1 root root 237 6月 17 15:27 db.255
-rw-r--r-- 1 root root 353 6月 17 15:27 db.empty
-rw-r--r-- 1 root root 270 6月 17 15:27 db.local
-rw-r--r-- 1 root bind 463 6月 17 15:27 named.conf
-rw-r--r-- 1 root bind 654 7月 24 19:38 named.conf.default-zones
-rw-r--r-- 1 root bind 165 6月 17 15:27 named.conf.local
-rw-r--r-- 1 root bind 868 7月 24 19:55 named.conf.options
-rw-r----- 1 bind bind 100 7月 24 06:47 rndc.key
-rw-r--r-- 1 root root 1317 6月 17 15:27 zones.rfc1918
Configuring the authoritative DNS server
Configure named.conf.options
- Add allow-query { any; }; : the list of IP addresses allowed to make ordinary queries; by default all are allowed.
- Set dnssec-validation no; : turns off DNSSEC validation.
options {
directory "/var/cache/bind";
allow-query { any; };
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
listen-on-v6 { any; };
};
Add the forward zone file db.test.com
- You can copy db.local and then edit it accordingly: cp db.local db.test.com ;
- Change the line @ IN SOA localhost. root.localhost. ( to @ IN SOA test.com. root.test.com. (
@ : shorthand for the test.com. domain;
IN : the Internet class;
SOA : Start of Authority; the primary host of the test.com. domain is test.com., which can also be written here as @;
root.test.com. : the administrator contact of the test.com. domain;
Note: domain names end with a dot!!!
- Modify and add the A records; the full contents of db.test.com are as follows:
;
; BIND data file for test.com.
;
$TTL 604800
@ IN SOA test.com. root.test.com. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
; A records
@ IN NS localhost.
@ IN A 183.169.1.12
@ IN AAAA 2183:169:1::12
testing.test.com. IN A 183.169.1.12
testing.test.com. IN AAAA 2183:169:1::12
Add the reverse zone file db.1.169.183
- You can copy db.127 and then edit it accordingly: cp db.127 db.1.169.183 ; the edited result is as follows:
;
; BIND reverse data file for 183.169.1
;
$TTL 604800
@ IN SOA test.com. admin.test.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS test.com.
12 IN PTR test.com.
Configure named.conf.default-zones
- Add the zones "test.com" and "1.169.183.in-addr.arpa";
- Since this is only for internal testing, the zone "." was commented out as well;
// prime the server with knowledge of the root servers
// zone "." {
// type hint;
// file "/usr/share/dns/root.hints";
//};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
zone "test.com" {
type master;
file "/etc/bind/db.test.com";
};
zone "1.169.183.in-addr.arpa" {
type master;
file "/etc/bind/db.1.169.183";
};
Start Bind9
systemctl start named
systemctl status named
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-07-24 19:55:30 CST; 1h 27min ago
Docs: man:named(8)
Main PID: 193655 (named)
Tasks: 8 (limit: 9505)
Memory: 24.4M
CGroup: /system.slice/named.service
└─193655 /usr/sbin/named -f -u bind
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:7fd::1#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:503:c27::2:30#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:2::c#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:7fd::1#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:200::b#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:2::c#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:200::b#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:12::d0d#53
7月 24 19:56:15 kali81 named[193655]: resolver priming query complete
Check the result
dig @localhost test.com A
; <<>> DiG 9.16.4-Debian <<>> @localhost test.com A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53510
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b8c51a52d102fa78010000005f1ae0e9a82378128bc2f998 (good)
;; QUESTION SECTION:
;test.com. IN A
;; ANSWER SECTION:
test.com. 604800 IN A 183.169.1.12
;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: 五 7月 24 21:23:53 CST 2020
;; MSG SIZE rcvd: 81
Configuring the caching DNS server
Install Bind9 as above
Configure named.conf.options
- Add allow-query { any; };
- Add allow-query-cache { any; }; : the list of IP addresses allowed to query the cache;
- Add recursion yes; : enables recursive queries;
- Add allow-recursion { any; }; : the list of IP addresses allowed to make recursive queries;
- Add forward only; : forward queries only (to the forwarders listed next);
- Add forwarders { 183.162.1.101; }; : the forwarder list; 183.162.1.101 is the authoritative server configured earlier;
- Add dnssec-validation no; : turns off DNSSEC;
options {
directory "/var/cache/bind";
allow-query { any; };
allow-query-cache { any; };
recursion yes;
allow-recursion { any; };
recursive-clients 25;
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forward only;
forwarders {
183.162.1.101;
};
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
dnssec-validation no;
listen-on-v6 { any; };
};
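With allow-recursion { any; } and allow-query-cache { any; } the options above turn the server into an open recursive resolver that any client able to reach it may use, so in anything beyond an isolated lab the ACLs should name the internal networks. The Python script below is an added example, not part of the original post: it checks a named.conf.options fragment for exactly that and shows the hardened form beside the weak one; the acl "internal" prefix 172.16.69.0/24 is an assumption derived from the caching server's address.

```python
import re

# Constructed sample: the recursion-related statements of this post's caching server.
WEAK_OPTIONS = """
options {
    allow-query { any; };
    allow-query-cache { any; };   // anyone may read the cache
    recursion yes;
    allow-recursion { any; };     // anyone may trigger recursion
};
"""

# Constructed hardened variant: an ACL (assumed internal prefix) replaces `any`.
HARDENED_OPTIONS = """
acl "internal" { 127.0.0.1; ::1; 172.16.69.0/24; };
options {
    allow-query { any; };
    allow-query-cache { internal; };
    recursion yes;
    allow-recursion { internal; };
};
"""

# One `name value;` statement per line, as in the samples above.
STATEMENT = re.compile(r'^\s*([a-z-]+)\s+(.*?);\s*$')

def parse_statements(conf):
    """Map `name value;` lines to their values, ignoring // and # comments."""
    stmts = {}
    for line in conf.splitlines():
        m = STATEMENT.match(re.sub(r'(//|#).*', '', line))
        if m:
            stmts[m.group(1)] = m.group(2).strip()
    return stmts

def acl_members(value):
    """'{ any; 10.0.0.0/8; }' -> ['any', '10.0.0.0/8']"""
    return [p.strip() for p in value.strip('{}').split(';') if p.strip()]

def open_resolver_findings(conf):
    """Name the statements that hand recursion (or the cache) to every client.
    An absent statement falls back to BIND's default of localnets; localhost."""
    st = parse_statements(conf)
    if st.get('recursion', 'yes') != 'yes':        # BIND defaults to recursion yes
        return []
    findings = []
    for key in ('allow-recursion', 'allow-query-cache'):
        if 'any' in acl_members(st.get(key, '{ localnets; localhost; }')):
            findings.append(f'{key} {st[key]} allows any client while recursion is on')
    return findings
```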
Start Bind9
systemctl start named
systemctl status named
● named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; disabled; vendor preset: disabled)
Active: active (running) since Fri 2020-07-24 19:54:51 CST; 1h 44min ago
Docs: man:named(8)
Main PID: 17517 (named)
Tasks: 8 (limit: 2335)
Memory: 21.8M
CGroup: /system.slice/named.service
└─17517 /usr/sbin/named -f -u bind
7月 24 19:54:51 kali71 named[17517]: command channel listening on ::1#953
7月 24 19:54:51 kali71 named[17517]: dns_rdata_fromtext: managed-keys.bind:10: near eol: unexpected end of input
7月 24 19:54:51 kali71 named[17517]: managed-keys-zone: loading from master file managed-keys.bind failed: unexpected end of input
7月 24 19:54:51 kali71 named[17517]: managed-keys-zone: loaded serial 19
7月 24 19:54:51 kali71 named[17517]: zone 127.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: zone 0.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: zone localhost/IN: loaded serial 2
7月 24 19:54:51 kali71 named[17517]: zone 255.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: all zones loaded
7月 24 19:54:51 kali71 named[17517]: running
Verification
Caching DNS server with an empty cache
- Clear the cache on the caching DNS server: rndc flush ;
- Query with recursion disallowed; 172.16.69.71 is the caching DNS server just configured:
➜ ~ dig @172.16.69.71 testing.test.com A +norecurse
; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22621
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com. IN A
;; AUTHORITY SECTION:
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
;; Query time: 2 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:33:15 CST 2020
;; MSG SIZE rcvd: 268
- While running the previous step, capture packets on the authoritative server: the caching server did not send a recursive query to the authoritative server;
tcpdump -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
- Query with recursion allowed
➜ ~ dig @172.16.69.71 testing.test.com A +recurse
; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +recurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com. IN A
;; ANSWER SECTION:
testing.test.com. 604800 IN A 183.169.1.12
;; Query time: 10 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:36:19 CST 2020
;; MSG SIZE rcvd: 61
- While running the previous step, capture packets on the authoritative server: the caching server did send a recursive query to the authoritative server;
tcpdump -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:50:18.248974 IP 183.169.1.12.40608 > kali81.domain: 14957+% [1au] A? testing.test.com. (57)
21:50:18.249512 IP kali81.domain > 183.169.1.12.40608: 14957* 1/0/1 A 183.169.1.12 (89)
^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel
Caching DNS server with a populated cache
- With recursion disallowed, the caching DNS server returns the cached result to the client:
➜ ~ dig @172.16.69.71 testing.test.com A +norecurse
; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40560
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com. IN A
;; ANSWER SECTION:
testing.test.com. 604797 IN A 183.169.1.12
;; Query time: 17 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:40:49 CST 2020
;; MSG SIZE rcvd: 61
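The four dig runs above differ only in the RD bit of the query and in the aa/rd/ra flags and section counts of the reply. As an added example that is not part of the original post, this Python script builds the same query at the packet level, decodes those header flags, and classifies a reply the way the runs above were read; make_response is a constructed stand-in for offline use, and probe() sends a real query when pointed at a server such as 172.16.69.71.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a minimal A query; rd=False is what `dig +norecurse` sends."""
    flags = 0x0100 if rd else 0x0000              # RD is bit 8 of the flags word
    header = struct.pack('!HHHHHH', txid, flags, 1, 0, 0, 0)
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(lab)]) + lab.encode() for lab in labels) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)   # class IN

def parse_header(msg):
    """Decode the header flags that dig prints (qr aa rd ra) and the counts."""
    txid, flags, qd, an, ns, ar = struct.unpack('!HHHHHH', msg[:12])
    return {'id': txid, 'qr': bool(flags & 0x8000), 'aa': bool(flags & 0x0400),
            'rd': bool(flags & 0x0100), 'ra': bool(flags & 0x0080),
            'rcode': flags & 0x000F, 'ancount': an, 'nscount': ns}

def classify(resp):
    """Interpret a reply the way the dig outputs in this post were read."""
    h = parse_header(resp)
    if h['aa'] and h['ancount']:
        return 'authoritative answer'
    if h['rd'] and h['ra'] and h['ancount']:
        return 'recursive answer'
    if not h['rd'] and h['ancount']:
        return 'answered from cache without recursion'
    if not h['rd'] and h['nscount']:
        return 'nothing cached, referral only'
    return 'other'

def make_response(query, flags, ancount=0, nscount=0):
    """Constructed reply for offline use: the query's id and question with new
    flags and counts (a real reply would also carry the answer records)."""
    txid = struct.unpack('!H', query[:2])[0]
    return struct.pack('!HHHHHH', txid, flags, 1, ancount, nscount, 0) + query[12:]

def probe(server, name, rd, timeout=2.0):
    """Send one UDP query to `server` and classify the reply (needs network access)."""
    q = build_query(name, rd=rd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError('transaction id mismatch')
    return classify(resp)
```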