Week 9 Study Assignment
Posted by 三石头
1. Explain how a DNS server works, and set up a master/slave pair.
DNS (Domain Name System) is the distributed system that records the mapping between domain names and IP addresses. It turns the names people type into the IP addresses that the network actually uses, so nobody has to remember large numbers of addresses. Obtaining the IP address that belongs to a name is called name resolution. DNS uses port 53: UDP for ordinary queries, and TCP for zone transfers and for answers too large to fit in a UDP datagram.
DNS query types:
Recursive query: the exchange between a client (stub resolver) and its local DNS server is normally recursive. The client sends one request; if the server cannot answer from its own zones or cache, it queries other servers on the client's behalf and returns the final positive or negative result. The source and target of the query stay the same, and the client only ever issues one query to obtain the result.
Iterative query: the queries a local DNS server sends to other DNS servers are normally iterative (with exceptions, such as forwarding). If the server asked cannot return an authoritative answer, it returns a referral to the next server to ask, and the local server queries that one in turn (using the result of the previous reply), repeating until it gets the final answer. The source stays the same while the target changes from step to step, so obtaining the result usually takes several queries.
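What separates the two query types on the wire is one bit in the DNS header: a client asking for recursion sets RD (recursion desired); a server that is willing to recurse sets RA in its reply; an authoritative answer carries AA. The following is an added example, not code from the original page: it builds a DNS query with RD on or off and decodes the flags word of a header (RFC 1035 section 4.1.1), which is exactly what dig prints as `flags: qr aa rd ra`. The sample response header is constructed to match the id and section counts shown in the dig output later on this page; it was not captured from the wire.

```python
"""Build DNS queries and decode the 16-bit DNS header flags word (RFC 1035)."""
import struct

# Bit masks of the flags word, most significant bit first.
QR = 0x8000   # 0 = query, 1 = response
AA = 0x0400   # authoritative answer
TC = 0x0200   # truncated (answer did not fit in UDP; retry over TCP)
RD = 0x0100   # recursion desired: set by the client of a recursive query
RA = 0x0080   # recursion available: set by a server willing to recurse
OPCODE_SHIFT, OPCODE_MASK = 11, 0xF
RCODE_MASK = 0xF

FLAG_NAMES = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA)]


def decode_flags(word: int) -> dict:
    """Return the names of the flags that are set, plus opcode and rcode."""
    return {
        "flags": [name for name, mask in FLAG_NAMES if word & mask],
        "opcode": (word >> OPCODE_SHIFT) & OPCODE_MASK,
        "rcode": word & RCODE_MASK,
    }


def build_query(qname: str, qtype: int = 1, recursion_desired: bool = True,
                txid: int = 0x1234) -> bytes:
    """Wire-format DNS query for qname, QCLASS IN (qtype 1 = A).

    recursion_desired=True is what a stub resolver sends to its local server
    (recursive query). A server resolving on the client's behalf sends RD=0
    to the servers it walks through (iterative queries).
    """
    flags = RD if recursion_desired else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)   # QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", qtype, 1)
    return header + question


def parse_header(msg: bytes) -> dict:
    """Parse the 12-byte header of a DNS message into flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = decode_flags(flags)
    info.update({"id": txid, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar})
    return info


# Constructed sample (not captured): header of the answer for www.test.com as
# shown later on this page: id 17098, flags qr aa rd ra, 1 question, 1 answer,
# 2 authority records, 3 additional records.
SAMPLE_RESPONSE_HEADER = struct.pack("!HHHHHH", 17098, QR | AA | RD | RA, 1, 1, 2, 3)

if __name__ == "__main__":
    print("recursive query :", parse_header(build_query("www.test.com")))
    print("iterative query :", parse_header(build_query("www.test.com", recursion_desired=False)))
    print("sample response :", parse_header(SAMPLE_RESPONSE_HEADER))
```

Reading the flags this way is also the quickest sanity check on an answer: `aa` missing from a reply that should have come from your own authoritative server means the answer was served from somebody's cache instead.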
Diagram of the resolution process (image not reproduced)
Setting up master and slave DNS
Configuration files of the DNS service on CentOS:
/etc/named.conf: main configuration file
/etc/named.rfc1912.zones: zone definitions
/var/named/: zone database files
named.conf and named.rfc1912.zones define which zones this server manages and give the path and file name of each zone's data file.
Environment:
192.168.197.128 | Client |
192.168.197.129 | Master DNS |
192.168.197.130 | Slave DNS |
dnf install bind -y            # install BIND
dnf -y install bind-utils      # install the BIND utilities (dig, nslookup, host)
Master DNS configuration
## Edit named.conf
[root@dns-m ~]# vim /etc/named.conf
options {
    listen-on port 53 { 192.168.197.129; };   # listen on this server's own address
    allow-query { any; };                     # anyone may query
    allow-transfer { 192.168.197.130; };      # only the slave may pull the whole zone (AXFR/IXFR); everyone else is refused
};
Note: the stock named.conf keeps recursion enabled (the ra flag in the dig output below confirms it). Together with allow-query { any; } this makes the server an open recursive resolver for every network that can reach it. That is acceptable in an isolated lab, but an authoritative server exposed more widely should disable recursion (recursion no;) or limit it to trusted clients with allow-recursion.
## Bind the zone names to their zone files
[root@dns-m ~]# vim /etc/named.rfc1912.zones
## Forward zone
zone "test.com" IN {
    type master;
    file "test.com.zone";
};
## Reverse zone
zone "197.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.197.zone";
};
## Create the forward zone file
cd /var/named/
cp -p named.localhost test.com.zone    # copy the template; -p keeps its owner, group and mode so named can read the file. If you create the file from scratch instead, set the owner and group to match the template.
[root@dns-m ~]# vim /var/named/test.com.zone
$TTL 1D
$ORIGIN test.com.           ; suffix appended to every relative name below
@ IN SOA master.test.com. admin.test.com. (
        2022012105          ; serial: must increase on every edit, or slaves will not pick up the change
        1D                  ; refresh
        1H                  ; retry
        1W                  ; expire
        3H )                ; negative-answer TTL
        NS master           ; master name server
        NS slave            ; slave name server
master  A 192.168.197.129   ; master's IP
slave   A 192.168.197.130   ; slave's IP
www     A 192.168.197.100
mail    A 192.168.197.101
## Reverse zone file /var/named/192.168.197.zone (no $ORIGIN here: relative names are completed with the zone name 197.168.192.in-addr.arpa, so the owner 100 means 100.197.168.192.in-addr.arpa)
$TTL 1D
@ IN SOA master.test.com. admin.test.com. (
        2022012105          ; serial
        1D                  ; refresh
        1H                  ; retry
        1W                  ; expire
        3H )                ; negative-answer TTL
        NS master.test.com.
        NS slave.test.com.
100     PTR www.test.com.
101     PTR mail.test.com.
Check the syntax of the main configuration and of both zone files (named-checkconf prints nothing when named.conf is valid)
[root@dns-m named]# named-checkconf
[root@dns-m named]# named-checkzone test.com /var/named/test.com.zone
zone test.com/IN: loaded serial 2022012105
OK
[root@dns-m named]# named-checkzone 197.168.192.in-addr.arpa /var/named/192.168.197.zone
zone 197.168.192.in-addr.arpa/IN: loaded serial 2022012105
OK
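The forward and reverse zones above are written by hand, so nothing stops an A record and its PTR from drifting apart, and nothing reminds you to raise the serial. The following is an added example, not code from the original page: it generates both zone files from one host table, derives the next YYYYMMDDNN serial, and cross-checks that every A record has a matching PTR. The host table, the /24 network and the `master`/`slave`/`admin` names mirror this page's lab; the generator itself is an assumption of this example and only handles /24 reverse zones. Write its output to /var/named and validate it with named-checkzone as above.

```python
"""Generate matching forward and reverse zone files from one host table."""
import datetime
import ipaddress

# Constructed host table mirroring the page's lab: host name -> IPv4 address.
HOSTS = {
    "master": "192.168.197.129",
    "slave": "192.168.197.130",
    "www": "192.168.197.100",
    "mail": "192.168.197.101",
}
ZONE = "test.com"
NETWORK = "192.168.197.0/24"          # the /24 behind 197.168.192.in-addr.arpa
NAMESERVERS = ["master", "slave"]
SOA_TIMERS = "1D 1H 1W 3H"            # refresh retry expire negative-TTL, as on the page


def next_serial(previous: int, today: int) -> int:
    """Return the next YYYYMMDDNN serial; today is an int such as 20220121.

    NN restarts at 01 on a new day and is incremented for further edits on the
    same day. The serial must grow on every edit, otherwise slaves keep their
    old copy even after `rndc reload` on the master.
    """
    base = today * 100
    if previous < base:
        return base + 1
    if previous - base >= 99:
        raise ValueError("more than 99 edits in one day; use a different scheme")
    return previous + 1


def soa_block(serial: int):
    """$TTL, SOA and NS records shared by the forward and reverse zones."""
    return [
        "$TTL 1D",
        f"@ IN SOA master.{ZONE}. admin.{ZONE}. ( {serial} {SOA_TIMERS} )",
        *[f"  IN NS {ns}.{ZONE}." for ns in NAMESERVERS],
    ]


def forward_zone(serial: int) -> str:
    """test.com.zone: one A record per host, names relative to $ORIGIN."""
    lines = [f"$ORIGIN {ZONE}.", *soa_block(serial)]
    lines += [f"{name} IN A {ip}" for name, ip in HOSTS.items()]
    return "\n".join(lines) + "\n"


def reverse_zone(serial: int) -> str:
    """192.168.197.zone: one PTR per host, owner is the last octet (/24 only)."""
    net = ipaddress.ip_network(NETWORK)
    if net.prefixlen != 24:
        raise ValueError("this generator only handles /24 reverse zones")
    octets = str(net.network_address).split(".")[:3]
    origin = ".".join(reversed(octets)) + ".in-addr.arpa"   # 197.168.192.in-addr.arpa
    lines = [f"$ORIGIN {origin}.", *soa_block(serial)]
    for name, ip in HOSTS.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{name} {ip} is outside {NETWORK}")
        lines.append(f"{ip.split('.')[-1]} IN PTR {name}.{ZONE}.")
    return "\n".join(lines) + "\n"


def ptr_matches_a(forward: str, reverse: str) -> bool:
    """Cross-check that every A record has a PTR pointing back at the same host."""
    a_records = {ln.split()[0]: ln.split()[-1]
                 for ln in forward.splitlines() if " IN A " in ln}
    suffix = f".{ZONE}."
    ptr_records = {ln.split()[-1][:-len(suffix)]: ln.split()[0]
                   for ln in reverse.splitlines() if " IN PTR " in ln}
    return len(ptr_records) == len(a_records) and all(
        ptr_records.get(name) == ip.split(".")[-1] for name, ip in a_records.items())


if __name__ == "__main__":
    today = int(datetime.date.today().strftime("%Y%m%d"))
    serial = next_serial(2022012105, today)      # the page's serial, bumped
    fwd, rev = forward_zone(serial), reverse_zone(serial)
    print(fwd)
    print(rev)
    print("forward/reverse consistent:", ptr_matches_a(fwd, rev))
```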
## Start named and enable it at boot
[root@dns-m named]# systemctl enable --now named.service
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
## Reload the configuration and zone files
[root@dns-m named]# rndc reload
server reload successful
[root@dns-m named]#
## Client test (the client's resolver is 192.168.197.129, as the SERVER line shows; in the flags, aa means the answer is authoritative and ra means the server also offers recursion)
[root@centos79 ~]# dig -t A www.test.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A www.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17098
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 192.168.197.100
;; AUTHORITY SECTION:
test.com. 86400 IN NS master.test.com.
test.com. 86400 IN NS slave.test.com.
;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130
;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:28:15 CST 2022
;; MSG SIZE rcvd: 130
[root@centos79 ~]# dig -t A mail.test.com
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A mail.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39083
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.test.com. IN A
;; ANSWER SECTION:
mail.test.com. 86400 IN A 192.168.197.101
;; AUTHORITY SECTION:
test.com. 86400 IN NS master.test.com.
test.com. 86400 IN NS slave.test.com.
;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130
;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:28:22 CST 2022
;; MSG SIZE rcvd: 131
[root@centos79 ~]# dig -x 192.168.197.100
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -x 192.168.197.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8752
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.197.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.197.168.192.in-addr.arpa. 86400 IN PTR www.test.com.
;; AUTHORITY SECTION:
197.168.192.in-addr.arpa. 86400 IN NS slave.test.com.
197.168.192.in-addr.arpa. 86400 IN NS master.test.com.
;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130
;; Query time: 0 msec
;; SERVER: 192.168.197.129#53(192.168.197.129)
;; WHEN: Sat Jan 22 18:45:55 CST 2022
;; MSG SIZE rcvd: 156
[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53
Name: www.test.com
Address: 192.168.197.100
> mail.test.com
Server: 192.168.197.129
Address: 192.168.197.129#53
Name: mail.test.com
Address: 192.168.197.101
>
> 192.168.197.100
100.197.168.192.in-addr.arpa name = www.test.com.
Slave DNS server configuration
[root@dns-s ~]# vim /etc/named.conf
options {
    listen-on port 53 { 192.168.197.130; };
    allow-query { any; };
    allow-transfer { none; };         # nobody may pull zones from the slave
};
zone "test.com" IN {
    type slave;
    masters { 192.168.197.129; };     # address of the master
    file "slaves/test.com.slave";     # where the slave stores its copy of the forward zone
};
zone "197.168.192.in-addr.arpa" IN {
    type slave;
    masters { 192.168.197.129; };     # address of the master
    file "slaves/192.168.197.slave";  # where the slave stores its copy of the reverse zone
};
## Check the configuration
[root@dns-s ~]# named-checkconf
## Start the service and enable it at boot
[root@dns-s ~]# systemctl enable --now named.service
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
## Reload the configuration
[root@dns-s ~]# rndc reload
server reload successful
## Check that both zones were transferred from the master (named writes them into /var/named/slaves/, which must therefore be writable by the named user)
[root@dns-s ~]# ll /var/named/slaves/
total 8
-rw-r--r--. 1 named named 407 Jan 22 18:36 192.168.197.slave
-rw-r--r--. 1 named named 382 Jan 22 18:36 test.com.slave
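A slave does not copy the master's files blindly: at each refresh interval (and on NOTIFY) it compares the master's SOA serial with its own and transfers only when the master's is newer under 32-bit serial-number arithmetic (RFC 1982). Editing a record on the master without raising the serial therefore leaves every slave stale, with no error anywhere. The following is an added example, not code from the original page: it implements that comparison, extracts the serial from zone-file text, and decides whether a transfer is due. The two zone snippets are constructed for the example (the `ftp` host is not on this page).

```python
"""Decide whether a slave should transfer a zone, using RFC 1982 serial arithmetic."""
SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b (RFC 1982 section 3.2).

    a is newer when a != b and (a - b) mod 2**32 is below 2**31; this keeps
    the comparison correct across wrap-around at 2**32. A pair exactly 2**31
    apart is undefined in the RFC and is treated as "not newer" here.
    """
    diff = (a - b) % MOD
    return 0 < diff < HALF


def slave_should_transfer(slave_serial, master_serial) -> bool:
    """A slave with no copy yet (None) always transfers; otherwise only when
    the master's serial is newer than the one it already holds."""
    if slave_serial is None:
        return True
    return serial_gt(master_serial, slave_serial)


def soa_serial(zone_text: str) -> int:
    """Extract the SOA serial from zone-file text; ';' comments are ignored."""
    code = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    tokens = code.replace("(", " ( ").replace(")", " ) ").split()
    i = tokens.index("SOA") + 3          # skip SOA, MNAME, RNAME
    if tokens[i] == "(":
        i += 1
    return int(tokens[i])


# Constructed zone snippets (not the page's files): the master was edited to
# add ftp and its serial was bumped; the slave still holds the previous copy.
MASTER_ZONE = """\
$TTL 1D
@ IN SOA master.test.com. admin.test.com. (
        2022012106 ; serial, bumped after adding ftp
        1D 1H 1W 3H )
  NS master.test.com.
www A 192.168.197.100
ftp A 192.168.197.102
"""
SLAVE_COPY = """\
$TTL 1D
@ IN SOA master.test.com. admin.test.com. ( 2022012105 1D 1H 1W 3H )
  NS master.test.com.
www A 192.168.197.100
"""

if __name__ == "__main__":
    m, s = soa_serial(MASTER_ZONE), soa_serial(SLAVE_COPY)
    print(f"master serial {m}, slave serial {s}, transfer due: {slave_should_transfer(s, m)}")
    # The common mistake: records edited on the master, serial left unchanged.
    print("same serial on both sides, transfer due:", slave_should_transfer(m, m))
    # Serial arithmetic survives wrap-around at 2**32.
    print("5 newer than 4294967290:", serial_gt(5, 4294967290))
```

In practice the check is `dig SOA test.com @192.168.197.129` against `dig SOA test.com @192.168.197.130`: if the serials differ after the refresh interval has passed, look at the master's allow-transfer and at the slave's log; `rndc retransfer test.com` on the slave forces a fresh copy.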
## Client test, this time querying the slave directly with @192.168.197.130 (its answers also carry the aa flag, since a slave is authoritative for the zones it holds)
[root@centos79 ~]# dig -t A www.test.com @192.168.197.130
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -t A www.test.com @192.168.197.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39186
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.test.com. IN A
;; ANSWER SECTION:
www.test.com. 86400 IN A 192.168.197.100
;; AUTHORITY SECTION:
test.com. 86400 IN NS slave.test.com.
test.com. 86400 IN NS master.test.com.
;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130
;; Query time: 1 msec
;; SERVER: 192.168.197.130#53(192.168.197.130)
;; WHEN: Sat Jan 22 18:49:10 CST 2022
;; MSG SIZE rcvd: 130
[root@centos79 ~]# dig -x 192.168.197.100 @192.168.197.130
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.8 <<>> -x 192.168.197.100 @192.168.197.130
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11350
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;100.197.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
100.197.168.192.in-addr.arpa. 86400 IN PTR www.test.com.
;; AUTHORITY SECTION:
197.168.192.in-addr.arpa. 86400 IN NS master.test.com.
197.168.192.in-addr.arpa. 86400 IN NS slave.test.com.
;; ADDITIONAL SECTION:
master.test.com. 86400 IN A 192.168.197.129
slave.test.com. 86400 IN A 192.168.197.130
;; Query time: 1 msec
;; SERVER: 192.168.197.130#53(192.168.197.130)
;; WHEN: Sat Jan 22 18:49:34 CST 2022
;; MSG SIZE rcvd: 156
[root@centos79 ~]# nslookup
> www.test.com
Server: 192.168.197.130
Address: 192.168.197.130#53
Name: www.test.com
Address: 192.168.197.100
> 192.168.197.101
101.197.168.192.in-addr.arpa name = mail.test.com.
>
2. Set up and implement a smart DNS.
Emulate smart (split-horizon) DNS with acl and view: the answer a client receives depends on which ACL its source address falls into.
Environment:
192.168.197.10   stands for a Beijing client; it should get the answer 10.10.10.10
192.168.197.20   stands for a Tianjin client; it should get the answer 20.20.20.20
## Add the ACLs at the top of /etc/named.conf
acl bj_net {
    192.168.197.10;
};
acl tj-net {
    192.168.197.20;
};
# Note:
# once any view is defined, every zone must be defined inside a view, so the root hint zone in /etc/named.conf
#   zone "." IN {
#       type hint;
#       file "named.ca";
#   };
# has to be moved into /etc/named.rfc1912.zones, which is then included from inside the views.
## Give each view its own zone definitions, so that each can point at a different zone data file
[root@dns-m named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.bj
[root@dns-m named]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.tj
[root@dns-m named]
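The part of view matching that bites in practice is ordering: BIND hands a query to the first view whose match-clients ACL contains the client's source address, so a catch-all view listed first shadows every view after it, and a client that matches no view at all gets REFUSED. The following is an added example, not code from the original page: it simulates that selection for the two ACLs above. The bj_net / tj-net addresses and their answers are the page's; the third catch-all view (`any`) and its 0.0.0.0 answer are assumptions of this example.

```python
"""Simulate BIND view selection: first matching match-clients ACL wins."""
import ipaddress

# ACLs as declared at the top of the page's named.conf (bj_net, tj-net);
# "any" is BIND's built-in catch-all.
ACLS = {
    "bj_net": ["192.168.197.10"],
    "tj-net": ["192.168.197.20"],
    "any": ["0.0.0.0/0"],
}

# Views in declaration order: (match-clients ACL, answer for www.test.com from
# that view's zone file). The bj/tj answers are the page's; the catch-all view
# and its answer are assumed for this example.
VIEWS = [
    ("bj_net", "10.10.10.10"),
    ("tj-net", "20.20.20.20"),
    ("any", "0.0.0.0"),
]


def acl_matches(acl_name: str, client_ip: str) -> bool:
    """True if client_ip lies inside any element of the named ACL."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in ACLS[acl_name])


def select_view(client_ip: str, views=VIEWS):
    """BIND semantics: the first view whose match-clients matches answers."""
    for acl_name, _answer in views:
        if acl_matches(acl_name, client_ip):
            return acl_name
    return None                      # no view matches: BIND answers REFUSED


def resolve_www(client_ip: str, views=VIEWS) -> str:
    """Answer for www.test.com as seen by client_ip, or REFUSED."""
    view = select_view(client_ip, views)
    return "REFUSED" if view is None else dict(views)[view]


def unreachable_views(views=VIEWS):
    """Names of views declared after a catch-all; they can never be selected."""
    for i, (acl_name, _answer) in enumerate(views):
        if acl_name == "any":
            return [name for name, _ in views[i + 1:]]
    return []


if __name__ == "__main__":
    for ip in ("192.168.197.10", "192.168.197.20", "192.168.197.128"):
        print(ip, "->", select_view(ip), resolve_www(ip))
    misordered = [VIEWS[2], VIEWS[0], VIEWS[1]]     # catch-all declared first
    print("unreachable when 'any' is first:", unreachable_views(misordered))
```

Test a real deployment the same way: run dig from each client address (or use `dig +subnet` only if you have enabled EDNS client-subnet handling) and confirm each gets its own answer, then query from an address outside every ACL to see which view, if any, it lands in.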