Configuring a host as the primary name server for a domain

elvinyang 2022-05-23

1. Install the BIND DNS server.

[root@servera ~]# yum install bind -y

1.1 Configure BIND as a non-recursive, authoritative DNS server for the domain and its reverse domains. By default the bind package configures zones and zone files for these forward and reverse lookups, but named only listens for connections on the loopback interface, so you need to modify its configuration:

  • Have the server listen on all IPv4 and IPv6 interfaces of localhost and servera.pvt.example.com.
  • Allow queries from localhost and from the host serverb.pvt.example.com (IP addresses 192.168.62.11 and fc62:5265:6448:6174::b).
  • Disable recursion.

The resulting /etc/named.conf file looks like this:

options {
        listen-on port 53 { 127.0.0.1; 192.168.62.10; };
        listen-on-v6 port 53 { ::1; fc62:5265:6448:6174::a; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        // only localhost and serverb may query this server
        allow-query     { localhost; 192.168.62.11; fc62:5265:6448:6174::b; };

        // authoritative only: never resolve names outside the local zones
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.2 Add the dns service to the firewall policy, then start the named service.

[root@servera ~]# firewall-cmd --permanent --add-service=dns
[root@servera ~]# firewall-cmd --reload
[root@servera ~]# firewall-cmd --list-all | grep service
services: cockpit dhcpv6-client dns ssh
[root@servera ~]# systemctl enable --now named.service

1.3 Confirm that serverb gets valid DNS responses from servera for forward and reverse localhost lookups, specifying the IP address of servera.pvt.example.com as the DNS server to query during the test.

[root@servera ~]# host localhost.localdomain 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases:

localhost.localdomain has address 127.0.0.1
localhost.localdomain has IPv6 address ::1

1.4 Complete the partial zone files provided in the cr-network/files/zones directory, then install them into the /var/named directory on servera.
The forward lookup zone file /var/named/pvt.example.com.zone should have the following contents:

[root@servera ~]# rpm -qc bind
/var/named/named.localhost
/var/named/named.loopback

[root@servera ~]# cp /var/named/named.localhost /var/named/pvt.example.com.zone
[root@servera ~]# vim /var/named/pvt.example.com.zone
$TTL 1D
@       IN SOA  servera.pvt.example.com. dnslab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
; leading whitespace keeps the owner at the zone apex (@); 600 is this record's TTL
        600     IN NS   servera
servera         IN A    192.168.62.10
serverb         IN A    192.168.62.11
serverc         IN A    192.168.62.12
serverd         IN A    192.168.62.13

servera         IN AAAA fc62:5265:6448:6174::a
serverb         IN AAAA fc62:5265:6448:6174::b
serverc         IN AAAA fc62:5265:6448:6174::c
serverd         IN AAAA fc62:5265:6448:6174::d

The IPv4 reverse lookup zone file /var/named/192.168.62.zone should have the following contents:

[root@servera ~]# rpm -qc bind
/var/named/named.localhost
/var/named/named.loopback

[root@servera ~]# cp /var/named/named.loopback /var/named/192.168.62.zone
[root@servera ~]# vim /var/named/192.168.62.zone
$TTL 1D
@       IN SOA  servera.pvt.example.com. dnslab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
; owner stays @ (62.168.192.in-addr.arpa.); 600 is this record's TTL
        600     IN NS   servera.pvt.example.com.
10              IN PTR  servera.pvt.example.com.
11              IN PTR  serverb.pvt.example.com.
12              IN PTR  serverc.pvt.example.com.
13              IN PTR  serverd.pvt.example.com.

The IPv6 reverse lookup zone file /var/named/fc62.5265.6448.6174.zone should have the following contents:

[root@servera ~]# cp /var/named/192.168.62.zone /var/named/fc62.5265.6448.6174.zone
$TTL 1D
@       IN SOA  servera.pvt.example.com. dnslab.example.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
; owner stays @ (4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa.); 600 is this record's TTL
        600     IN NS   servera.pvt.example.com.
; host part of each address, one nibble per label, in reverse order
A.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR servera.pvt.example.com.
B.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverb.pvt.example.com.
C.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverc.pvt.example.com.
D.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR serverd.pvt.example.com.

1.5 Set the permissions on the zone files so that BIND can read but not modify them:

[root@servera ~]# chgrp named /var/named/*.zone
[root@servera ~]# chmod 640 /var/named/*.zone
[root@servera ~]# ls -l /var/named/*.zone
-rw-r-----. 1 root named 327 May 21 16:23 /var/named/192.168.62.zone
-rw-r-----. 1 root named 443 May 21 16:35 /var/named/fc62.5265.6448.6174.zone
-rw-r-----. 1 root named 435 May 21 16:20 /var/named/pvt.example.com.zone

1.6 Configure the new zone files in BIND. Complete the named.pvt.conf file in the cr-network/files/bind directory, then install it into the /etc/ directory on servera.

[student@workstation]$ vim /home/student/cr-network/files/bind/named.pvt.conf

// servera is the primary (master) for the forward zone and both reverse zones;
// the empty forwarders list turns off any forwarding for these zones
zone "pvt.example.com" IN {
        type master;
        file "pvt.example.com.zone";
        forwarders {};
};

zone "62.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.62.zone";
        forwarders {};
};

zone "4.7.1.6.8.4.4.6.5.6.2.5.2.6.C.F.ip6.arpa" IN {
        type master;
        file "fc62.5265.6448.6174.zone";
        forwarders {};
};

[student@workstation ~]$ scp /home/student/cr-network/files/bind/named.pvt.conf root@servera:/etc/
Warning: Permanently added 'servera' (ECDSA) to the list of known hosts.
named.pvt.conf

[root@servera ~]# ls /etc/named.pvt.conf
/etc/named.pvt.conf
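
The nibble-reversed ip6.arpa owner names in the zone files and the reverse zone names in named.pvt.conf are easy to mistype. The script below is added here and is not part of the original post: it derives the PTR records of step 1.4 and the reverse zone names from the forward A/AAAA addresses, generalising the page's /24 and /64 to any octet- or nibble-aligned prefix length. The domain pvt.example.com and the host list are taken from this page.

```shell
# Added example, not from the original post: generate reverse-zone names and PTR
# records from forward addresses (domain pvt.example.com, hosts as in step 1.4).

# Print an IPv6 address as 32 lowercase hex nibbles (expands "::" and short groups).
ip6_nibbles() {
    printf '%s\n' "$1" | awk '{
        n = split(tolower($0), g, ":"); k = 0
        for (i = 1; i <= n; i++) if (g[i] != "") k++        # explicit groups
        out = ""; filled = 0
        for (i = 1; i <= n; i++)
            if (g[i] == "") { if (!filled) { for (j = k; j < 8; j++) out = out "0000"; filled = 1 } }
            else { p = sprintf("%4s", g[i]); gsub(/ /, "0", p); out = out p }
        print out
    }'
}

# ip6_ptr ADDR PREFIXLEN -> "OWNER ZONE": owner name relative to the /PREFIXLEN reverse zone.
ip6_ptr() {
    ip6_nibbles "$1" | awk -v plen="$2" '{
        for (i = 32; i >= 1; i--) lab[33 - i] = substr($0, i, 1)   # nibbles, reversed
        for (i = 1; i <= 32; i++)
            if (i <= 32 - plen / 4) owner = owner (owner == "" ? "" : ".") lab[i]
            else zone = zone lab[i] "."
        print owner, zone "ip6.arpa"
    }'
}

# ip4_ptr ADDR PREFIXLEN -> "OWNER ZONE", e.g. 192.168.62.11 24 -> "11 62.168.192.in-addr.arpa".
ip4_ptr() {
    printf '%s\n' "$1" | awk -F '[.]' -v plen="$2" '{
        for (i = 4; i >= 1; i--)
            if (i > plen / 8) owner = owner (owner == "" ? "" : ".") $i
            else zone = zone $i "."
        print owner, zone "in-addr.arpa"
    }'
}

# ptr_record HOST ADDR PREFIXLEN -> one PTR line in the format used in step 1.4.
ptr_record() {
    case $2 in *:*) set -- "$1" $(ip6_ptr "$2" "$3") ;; *) set -- "$1" $(ip4_ptr "$2" "$3") ;; esac
    printf '%s IN PTR %s.pvt.example.com.\n' "$2" "$1"
}

# Constructed input: the four lab hosts; one line per host for each reverse zone.
lab_ptr_records() {
    for h in a:10 b:11 c:12 d:13; do
        ptr_record "server${h%:*}" "192.168.62.${h#*:}" 24
        ptr_record "server${h%:*}" "fc62:5265:6448:6174::${h%:*}" 64
    done
}
lab_ptr_records
```

The second word printed by ip6_ptr and ip4_ptr is the zone name to put in the zone statement of named.pvt.conf; the first word is the owner to write in the corresponding zone file.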

1.7 Set the file permissions so that BIND can read but not modify the file:

[root@servera ~]# chgrp named /etc/named.pvt.conf
[root@servera ~]# chmod 640 /etc/named.pvt.conf
[root@servera ~]# ls -l /etc/named.pvt.conf
-rw-r-----. 1 root named 307 May 21 16:48 /etc/named.pvt.conf

1.8 Modify /etc/named.conf so that it includes the configuration file for the pvt.example.com zones. The resulting file should contain the following:

[root@servera ~]# vim /etc/named.conf
...output omitted...
include "/etc/named.pvt.conf";

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

1.9 Restart the named service.

[root@servera ~]# systemctl restart named

1.10 Confirm that servera answers forward and reverse pvt.example.com queries from serverb, but not from other hosts. When testing, explicitly specify the IP address of servera.pvt.example.com as the DNS server to query.

2. Configure serverb as a caching DNS name server. It obtains answers for pvt.example.com from servera but queries bastion.lab.example.com for other domains. The caching name server must listen for DNS queries only on its loopback and lab network interfaces. Only pvt.example.com hosts and localhost are allowed to perform DNS queries.

2.1 Install the unbound package.

[root@serverb ~]# yum install unbound -y

2.2 Edit the server clause in /etc/unbound/unbound.conf to configure unbound as follows:

  • Listen on the 192.168.62.11 and fc62:5265:6448:6174::b interfaces.
  • Allow queries from the 192.168.62.0/24 and fc62:5265:6448:6174::/64 subnets.
  • Remove the example.com zone from DNSSEC validation.
  • Forward all forward and reverse pvt.example.com lookups to 192.168.62.10.
  • Forward all other lookups to 172.25.250.254.

The resulting file should contain the following directives:

[root@serverb ~]# vim /etc/unbound/unbound.conf

server:
    ...output omitted...
    # listen on the lab network addresses
    interface: 192.168.62.11
    interface: fc62:5265:6448:6174::b
    ...output omitted...
    # only hosts on the pvt.example.com subnets may use the cache
    access-control: 192.168.62.0/24 allow
    access-control: fc62:5265:6448:6174::/64 allow
    ...output omitted...
    # the private zones are not signed: exempt them from DNSSEC validation
    domain-insecure: "example.com"
    domain-insecure: "62.168.192.in-addr.arpa."
    domain-insecure: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
    ...output omitted...
    # do not answer these reverse zones locally; the stub-zones below handle them
    local-zone: "25.172.in-addr.arpa." nodefault
    local-zone: "62.168.192.in-addr.arpa." nodefault
    local-zone: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa." nodefault
    ...output omitted...
# forward and reverse pvt.example.com lookups go to servera
stub-zone:
    name: "pvt.example.com"
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a

stub-zone:
    name: "62.168.192.in-addr.arpa."
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a

stub-zone:
    name: "4.7.1.6.8.4.4.6.5.6.2.5.2.6.c.f.ip6.arpa"
    stub-addr: 192.168.62.10
    stub-addr: fc62:5265:6448:6174::a
...output omitted...
# everything else goes to the bastion forwarder
forward-zone:
    name: "."
    forward-addr: 172.25.250.254
...output omitted...

2.3 Generate the private key and server certificate.

[root@serverb ~]# unbound-control-setup

2.4 Verify the syntax of the Unbound configuration file.

[root@serverb ~]# unbound-checkconf

2.5 Configure the firewall to allow DNS traffic.

[root@serverb ~]# firewall-cmd --add-service=dns
[root@serverb ~]# firewall-cmd --add-service=dns --permanent

2.6 Start the service and enable it at boot.

[root@serverb ~]# systemctl enable --now unbound

2.7 Confirm that serverb.pvt.example.com answers forward and reverse DNS queries from serverc.pvt.example.com.

[root@servera ~]# host serverb.pvt.example.com 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases:

serverb.pvt.example.com has address 192.168.62.11
serverb.pvt.example.com has IPv6 address fc62:5265:6448:6174::b
[root@servera ~]# host serverc.pvt.example.com 192.168.62.10
Using domain server:
Name: 192.168.62.10
Address: 192.168.62.10#53
Aliases:

serverc.pvt.example.com has address 192.168.62.12
serverc.pvt.example.com has IPv6 address fc62:5265:6448:6174::c
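
Checks for step 1.10 and step 2.7, added here and not part of the original post: the script queries servera and serverb with dig and judges each response header (RCODE plus the aa and ra flags) against what the configuration above is meant to enforce. It assumes dig is installed on the client host; the file name dns_audit.sh is an assumption, and www.example.org stands for any name outside the zones servera serves.

```shell
# Added example, not from the original post. Checks steps 1.10 and 2.7 by parsing
# dig's response header. Assumes dig is installed; www.example.org is a placeholder
# for any name outside the zones servera serves.
AUTH_NS=192.168.62.10     # servera: authoritative, recursion no, allow-query serverb only
CACHE_NS=192.168.62.11    # serverb: unbound cache for pvt.example.com clients

# Print the RCODE (NOERROR, REFUSED, ...) from dig output on stdin.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- .*status: \([A-Z]*\),.*/\1/p'
}

# Succeed when header flag $1 (aa, ra, rd, ...) is set in dig output on stdin.
dig_has_flag() {
    sed -n 's/^;; flags:\([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx "$1"
}

# verdict RESPONSE WANT_STATUS FLAG set|unset -> prints PASS or FAIL with details.
verdict() {
    status=$(printf '%s\n' "$1" | dig_status)
    if printf '%s\n' "$1" | dig_has_flag "$3"; then have=set; else have=unset; fi
    if [ "$status" = "$2" ] && [ "$have" = "$4" ]; then echo PASS
    else echo "FAIL (status=$status, $3=$have)"; fi
}

# check SERVER NAME TYPE WANT_STATUS FLAG set|unset: query the server and judge the reply.
check() {
    resp=$(dig "@$1" "$2" "$3" +time=2 +tries=1 2>&1)
    printf '%-14s %-30s %s\n' "$1" "$2/$3" "$(verdict "$resp" "$4" "$5" "$6")"
}

# Step 1.10, run from serverb. From any host not in allow-query (serverc, ...)
# every one of these must instead come back REFUSED.
audit_servera() {
    check $AUTH_NS serverb.pvt.example.com A NOERROR aa set       # authoritative answer
    check $AUTH_NS 11.62.168.192.in-addr.arpa PTR NOERROR aa set  # reverse zone served
    check $AUTH_NS serverb.pvt.example.com A NOERROR ra unset     # "recursion no" honoured
    check $AUTH_NS www.example.org A REFUSED ra unset              # foreign name not resolved
}

# Step 2.7, run from serverc: the cache recurses for the private zone (via servera)
# and for everything else (via the bastion forwarder).
audit_serverb() {
    check $CACHE_NS serverc.pvt.example.com A NOERROR ra set
    check $CACHE_NS 12.62.168.192.in-addr.arpa PTR NOERROR ra set
    check $CACHE_NS bastion.lab.example.com A NOERROR ra set
}

for target in "$@"; do "audit_$target"; done    # usage: sh dns_audit.sh servera
```

Run audit_servera from serverb and then again from serverc: the second run should print REFUSED on every line, which is the allow-query restriction doing its job.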