Bind9: Configuring a DNS Authoritative Server and a DNS Caching Server

Bind9: BIND 9.16.4-Debian (Stable Release) id:0849b42
System: Linux 5.6.0-kali1-amd64

Installing Bind9

  • Install Bind9
apt-get update
apt-get install bind9 -y
  • Bind9 configuration files
# ls -l /etc/bind
总用量 56
-rw-r--r-- 1 root root 1991 6月  17 15:27 bind.keys
-rw-r--r-- 1 root root  237 6月  17 15:27 db.0
-rw-r--r-- 1 root root  271 6月  17 15:27 db.127
-rw-r--r-- 1 root root  237 6月  17 15:27 db.255
-rw-r--r-- 1 root root  353 6月  17 15:27 db.empty
-rw-r--r-- 1 root root  270 6月  17 15:27 db.local
-rw-r--r-- 1 root bind  463 6月  17 15:27 named.conf
-rw-r--r-- 1 root bind  654 7月  24 19:38 named.conf.default-zones
-rw-r--r-- 1 root bind  165 6月  17 15:27 named.conf.local
-rw-r--r-- 1 root bind  868 7月  24 19:55 named.conf.options
-rw-r----- 1 bind bind  100 7月  24 06:47 rndc.key
-rw-r--r-- 1 root root 1317 6月  17 15:27 zones.rfc1918

Configuring the DNS Authoritative Server

Configure named.conf.options

  • Add allow-query { any; };: the list of addresses allowed to make ordinary queries; the default allows all;
  • Set dnssec-validation no;: turns off DNSSEC validation;
options {
	directory "/var/cache/bind";

	allow-query { any; };

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation no;

	listen-on-v6 { any; };
};

Add the forward zone file db.test.com

  • Copy db.local and modify it: cp db.local db.test.com

  • Change the line @ IN SOA localhost. root.localhost. ( to @ IN SOA test.com. root.test.com. (
    @: shorthand for the test.com. zone (the zone origin);
    IN: the Internet class;
    SOA: Start of Authority; the primary name server for the test.com. zone is test.com., which can also be written here as @;
    root.test.com.: the mailbox of the test.com. zone administrator (root@test.com, with the @ written as a dot);
    Note: domain names end with a trailing dot!!!

  • Modify and add the A records; the full contents of db.test.com are as follows:

;
; BIND data file for test.com.
;
$TTL	604800
@	IN	SOA	test.com. root.test.com. (
			      2		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;

; A records
@	IN	NS	localhost.
@	IN	A	183.169.1.12
@	IN	AAAA	2183:169:1::12
testing.test.com.	IN	A	183.169.1.12
testing.test.com.	IN	AAAA	2183:169:1::12

Add the reverse zone file db.1.169.183

  • Copy db.127 and modify it: cp db.127 db.1.169.183; the result is as follows:
;
; BIND reverse data file for 183.169.1
;
$TTL	604800
@	IN	SOA	test.com. admin.test.com. (
			      1		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL
;
@	IN	NS	test.com.
12	IN	PTR	test.com.
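Before reloading, it is worth checking the forward and reverse zone files above for the mistake this walkthrough warns about (a missing trailing dot) and for two it does not mention: an apex NS of localhost., which other resolvers cannot follow, and a PTR whose target has no matching A record. The checker below is an added example, not part of the original post or of BIND; it embeds compacted, constructed copies of db.test.com and db.1.169.183 and takes the zone origins from named.conf.default-zones.

```python
import re

# Constructed, compacted copies of the post's db.test.com and db.1.169.183
FORWARD_ZONE = """$TTL 604800
@ IN SOA test.com. root.test.com. ( 2 604800 86400 2419200 604800 )
@ IN NS localhost.
@ IN A 183.169.1.12
testing.test.com. IN A 183.169.1.12
"""
REVERSE_ZONE = """$TTL 604800
@ IN SOA test.com. admin.test.com. ( 1 604800 86400 2419200 604800 )
@ IN NS test.com.
12 IN PTR test.com.
"""

def parse_zone(text, origin):
    """(owner, type, rdata-tokens) triples with absolute owners; handles ';' comments, $TTL and the ( ) SOA."""
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), body)
    records = []
    for line in body.replace("(", " ").replace(")", " ").splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("$"):
            continue
        owner = origin if tok[0] == "@" else tok[0]
        if not owner.endswith("."):          # relative owner: BIND appends the origin
            owner = f"{owner}.{origin}"
        i = 1
        while tok[i] == "IN" or tok[i].isdigit():   # skip the class and an optional TTL
            i += 1
        records.append((owner, tok[i], tok[i + 1:]))
    return records

def check_zones(forward, fwd_origin, reverse, rev_origin):
    """Trailing dots on name-valued rdata, a reachable apex NS, and forward/reverse agreement."""
    findings = []
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    a_records = {(o, r[0]) for o, t, r in fwd if t == "A"}
    for owner, rtype, rdata in fwd + rev:
        if rtype in ("SOA", "NS", "PTR", "CNAME") and not rdata[0].endswith("."):
            findings.append(f"{owner} {rtype} {rdata[0]}: missing trailing dot, BIND appends the origin")
        if rtype == "NS" and rdata[0] == "localhost.":
            findings.append(f"{owner} NS localhost.: other resolvers following it would query themselves")
        if rtype == "PTR":   # 12.1.169.183.in-addr.arpa. -> 183.169.1.12
            ip = ".".join(reversed(owner.split(".")[:-3]))
            if (rdata[0], ip) not in a_records:
                findings.append(f"PTR {ip} -> {rdata[0]}: no matching A record in the forward zone")
    return findings
```

Run check_zones(FORWARD_ZONE, "test.com.", REVERSE_ZONE, "1.169.183.in-addr.arpa.") on the zones above and the only finding is the apex NS pointing at localhost.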

Configure named.conf.default-zones

  • Add the zones "test.com" and "1.169.183.in-addr.arpa";
  • Because this is only for internal testing, the root hints zone "." was commented out;
// prime the server with knowledge of the root servers
// zone "." {
//	type hint;
//	file "/usr/share/dns/root.hints";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
	type master;
	file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
	type master;
	file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
	type master;
	file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
	type master;
	file "/etc/bind/db.255";
};

zone "test.com" {
	type master;
	file "/etc/bind/db.test.com";
};

zone "1.169.183.in-addr.arpa" {
	type master;
	file "/etc/bind/db.1.169.183";
};

Start Bind9

systemctl start named
systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-07-24 19:55:30 CST; 1h 27min ago
       Docs: man:named(8)
   Main PID: 193655 (named)
      Tasks: 8 (limit: 9505)
     Memory: 24.4M
     CGroup: /system.slice/named.service
             └─193655 /usr/sbin/named -f -u bind

7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:7fd::1#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:503:c27::2:30#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:2::c#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:7fd::1#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:200::b#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:2::c#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving './NS/IN': 2001:500:12::d0d#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:200::b#53
7月 24 19:56:05 kali81 named[193655]: network unreachable resolving 'quit/A/IN': 2001:500:12::d0d#53
7月 24 19:56:15 kali81 named[193655]: resolver priming query complete

Check the result

dig @localhost test.com A

; <<>> DiG 9.16.4-Debian <<>> @localhost test.com A
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53510
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b8c51a52d102fa78010000005f1ae0e9a82378128bc2f998 (good)
;; QUESTION SECTION:
;test.com.			IN	A

;; ANSWER SECTION:
test.com.		604800	IN	A	183.169.1.12

;; Query time: 4 msec
;; SERVER: ::1#53(::1)
;; WHEN: 五 7月 24 21:23:53 CST 2020
;; MSG SIZE  rcvd: 81

Configuring the DNS Caching Server

Install Bind9 as above.

Configure named.conf.options

  • Add allow-query { any; };
  • Add allow-query-cache { any; };: the list of addresses allowed to query the cache;
  • Add recursion yes;: enable recursive queries;
  • Add allow-recursion { any; };: the list of addresses allowed to make recursive queries;
  • Add forward only;: send every query to the forwarders instead of resolving it iteratively;
  • forwarders { 183.162.1.101; };: the forwarder list; 183.162.1.101 is the authoritative server configured above;
  • dnssec-validation no;: turn off DNSSEC validation;
options {
	directory "/var/cache/bind";

	allow-query { any; };
	allow-query-cache { any; };

	recursion yes;
	allow-recursion { any; };
	recursive-clients 25;

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable 
	// nameservers, you probably want to use them as forwarders.  
	// Uncomment the following block, and insert the addresses replacing 
	// the all-0's placeholder.

	forward only;
	forwarders {
		183.162.1.101;
	};

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation no;

	listen-on-v6 { any; };
};
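The options above answer, recurse and serve cache contents for { any; }, which makes this an open resolver if port 53 is reachable from outside the lab. The audit below is an added example, not code from the original post or from BIND: it parses a constructed copy of the options block above, reports the settings that expose the server, and emits replacement ACLs limited to an assumed client prefix (192.0.2.0/24 is a placeholder). dnssec-validation is reported but left untouched, since the post disables it deliberately for this lab.

```python
import re

# Constructed copy of the caching server's options block from the post (comments dropped)
CACHE_OPTIONS = """options {
    allow-query { any; };
    allow-query-cache { any; };
    recursion yes;
    allow-recursion { any; };
    recursive-clients 25;
    forward only;
    forwarders { 183.162.1.101; };
    dnssec-validation no;
};"""

def parse_options(conf):
    """Map each statement inside options { } to a string ('recursion' -> 'yes') or,
    for brace lists such as allow-recursion { any; }, to a list of entries."""
    conf = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    body = re.search(r"options\s*\{(.*)\};\s*$", conf, re.S).group(1)
    opts = {}
    for name, value in re.findall(r"([\w-]+)\s+(\{[^}]*\}|[^;{]+);", body):
        if value.startswith("{"):
            opts[name] = [v.strip() for v in value.strip("{}").split(";") if v.strip()]
        else:
            opts[name] = value.strip().strip('"')
    return opts

def audit_resolver(opts):
    """Return the settings that turn this caching server into an open resolver."""
    findings = []
    if opts.get("recursion", "yes") == "yes" and opts.get("allow-recursion") == ["any"]:
        findings.append("allow-recursion { any; }: anyone who can reach port 53 may recurse "
                        "through this server (reflection/amplification and poisoning exposure)")
    if opts.get("allow-query-cache") == ["any"]:
        findings.append("allow-query-cache { any; }: cache contents are readable by anyone (cache snooping)")
    if opts.get("dnssec-validation", "auto") == "no":
        findings.append("dnssec-validation no: answers from the forwarder are accepted unverified")
    return findings

def hardened_acls(trusted):
    """Replacement statements for the three '{ any; }' lists: loopback, directly
    attached networks and the operator's own client prefixes ('trusted' is an assumption)."""
    acl = "{ " + " ".join(f"{p};" for p in ("localhost", "localnets", *trusted)) + " }"
    return [f"{k} {acl};" for k in ("allow-query", "allow-query-cache", "allow-recursion")]

if __name__ == "__main__":
    for f in audit_resolver(parse_options(CACHE_OPTIONS)):
        print("WARN:", f)
    print(*hardened_acls(["192.0.2.0/24"]), sep="\n")   # 192.0.2.0/24 is a placeholder prefix
```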

Start Bind9

systemctl start named
systemctl status named
● named.service - BIND Domain Name Server
     Loaded: loaded (/lib/systemd/system/named.service; disabled; vendor preset: disabled)
     Active: active (running) since Fri 2020-07-24 19:54:51 CST; 1h 44min ago
       Docs: man:named(8)
   Main PID: 17517 (named)
      Tasks: 8 (limit: 2335)
     Memory: 21.8M
     CGroup: /system.slice/named.service
             └─17517 /usr/sbin/named -f -u bind

7月 24 19:54:51 kali71 named[17517]: command channel listening on ::1#953
7月 24 19:54:51 kali71 named[17517]: dns_rdata_fromtext: managed-keys.bind:10: near eol: unexpected end of input
7月 24 19:54:51 kali71 named[17517]: managed-keys-zone: loading from master file managed-keys.bind failed: unexpected end of input
7月 24 19:54:51 kali71 named[17517]: managed-keys-zone: loaded serial 19
7月 24 19:54:51 kali71 named[17517]: zone 127.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: zone 0.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: zone localhost/IN: loaded serial 2
7月 24 19:54:51 kali71 named[17517]: zone 255.in-addr.arpa/IN: loaded serial 1
7月 24 19:54:51 kali71 named[17517]: all zones loaded
7月 24 19:54:51 kali71 named[17517]: running

Verification

With no cache on the DNS caching server

  • Clear the cache on the DNS caching server: rndc flush;
  • Query with recursion disabled (+norecurse); 172.16.69.71 is the DNS caching server just configured;
➜  ~ dig @172.16.69.71 testing.test.com A +norecurse

; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22621
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com.		IN	A

;; AUTHORITY SECTION:
.			518400	IN	NS	A.ROOT-SERVERS.NET.
.			518400	IN	NS	C.ROOT-SERVERS.NET.
.			518400	IN	NS	F.ROOT-SERVERS.NET.
.			518400	IN	NS	E.ROOT-SERVERS.NET.
.			518400	IN	NS	L.ROOT-SERVERS.NET.
.			518400	IN	NS	K.ROOT-SERVERS.NET.
.			518400	IN	NS	I.ROOT-SERVERS.NET.
.			518400	IN	NS	G.ROOT-SERVERS.NET.
.			518400	IN	NS	J.ROOT-SERVERS.NET.
.			518400	IN	NS	B.ROOT-SERVERS.NET.
.			518400	IN	NS	D.ROOT-SERVERS.NET.
.			518400	IN	NS	M.ROOT-SERVERS.NET.
.			518400	IN	NS	H.ROOT-SERVERS.NET.

;; Query time: 2 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:33:15 CST 2020
;; MSG SIZE  rcvd: 268

  • While running the previous step, capture packets on the authoritative server: the caching server sent no recursive query to the authoritative server;
tcpdump -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
  • Query with recursion enabled
➜  ~ dig @172.16.69.71 testing.test.com A +recurse  

; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +recurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41041
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com.		IN	A

;; ANSWER SECTION:
testing.test.com.	604800	IN	A	183.169.1.12

;; Query time: 10 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:36:19 CST 2020
;; MSG SIZE  rcvd: 61

  • While running the previous step, capture packets on the authoritative server: this time the caching server sent the recursive query on to the authoritative server;
tcpdump -i eth1 port 53
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
21:50:18.248974 IP 183.169.1.12.40608 > kali81.domain: 14957+% [1au] A? testing.test.com. (57)
21:50:18.249512 IP kali81.domain > 183.169.1.12.40608: 14957* 1/0/1 A 183.169.1.12 (89)


^C
2 packets captured
2 packets received by filter
0 packets dropped by kernel

With a cache on the DNS caching server

  • Query with recursion disabled (+norecurse): the DNS caching server now answers the client from its cache (note the TTL has counted down from 604800 to 604797):
➜  ~ dig @172.16.69.71 testing.test.com A +norecurse

; <<>> DiG 9.10.6 <<>> @172.16.69.71 testing.test.com A +norecurse
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40560
;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;testing.test.com.		IN	A

;; ANSWER SECTION:
testing.test.com.	604797	IN	A	183.169.1.12

;; Query time: 17 msec
;; SERVER: 172.16.69.71#53(172.16.69.71)
;; WHEN: Fri Jul 24 13:40:49 CST 2020
;; MSG SIZE  rcvd: 61