DNS Resolution
1. Describe how a DNS server works, and set up a primary/secondary (master/slave) pair.
How it works:
1) When a program needs to map a hostname to an IP address, it places the name in a DNS query and sends it to its local (recursive) name server, normally as a UDP datagram to port 53 (TCP is used for zone transfers and for answers too large for UDP).
2) If the local name server holds the name in one of its own zones or in its cache, it returns the matching address in the reply.
3) The server must also know how to reach other name servers (the root hints file, named.ca on this system) so that it can pursue names it cannot answer itself.
4) If it cannot answer, the local server becomes a client in turn: it asks a root server, which refers it to the servers for the top-level domain (.com), which refer it to the authoritative servers for the second-level domain (gw.com), and so on down the tree until an authoritative server answers. The local server does this iteration on the client's behalf, which is why its reply carries the ra (recursion available) flag; the aa (authoritative answer) flag appears only when the answering server is itself authoritative for the zone.
Setting up the primary/secondary pair
Lab environment:
1. Primary server: CentOS 7.9, IP 192.168.31.78
2. Secondary server: Kali 2021, IP 192.168.31.228
3. Test client: Ubuntu 20.04, IP 192.168.31.214
1) Primary server setup
[root@Centos7 ~]# yum install bind -y
[root@Centos7 ~]# systemctl enable named.service --now
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@Centos7 ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2021-09-06 01:07:27 CST; 6s ago
...
[root@Centos7 ~]# vim /etc/named.conf
options {
        // With listen-on commented out, named listens on port 53 on every IPv4
        // interface (the BIND default when listen-on is absent); the IPv6 line
        // below still binds only ::1.
        // listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        // With allow-query commented out, any host may query (the BIND default).
        // Recursion remains limited to localhost and directly attached networks by
        // the allow-recursion default, so this does not create an open resolver.
        // allow-query     { localhost; };
        // ... remaining defaults unchanged
};
1.1) Create the zone database file and write the resource records
[root@Centos7 ~]# vim /var/named/gw.com.zone
$TTL 1D
@       IN SOA  ns1 admin (
                0       ; serial: increase it on every change, or the secondary never transfers
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum (negative-caching TTL)
        NS      ns1
        NS      ns2
ns1     A       192.168.31.78
ns2     A       192.168.31.228
ftp     A       1.1.1.1
db      A       2.2.2.2
www     CNAME   websrv
websrv  A       192.168.31.228   ; two A records for one name: round-robin answers
websrv  A       192.168.31.16
@       MX 10   mailsrv          ; an MX record needs a preference value
mailsrv A       3.3.3.3          ; the MX target must have an address record
1.2) Map the zone to its database file (append to /etc/named.rfc1912.zones, which named.conf includes)
zone "gw.com" IN {
        type master;
        file "gw.com.zone";
};
The zone name must be spelled exactly (gw.com, not gw.con): named serves whatever name is written here, and with a typo a query for www.gw.com finds no authoritative data and falls through to recursion. It is also advisable to restrict zone transfers to the secondary with allow-transfer { 192.168.31.228; }; inside this block, because the BIND 9.11 and 9.16 defaults allow AXFR from any host and so hand the whole zone to anyone who asks.
1.3) Check the configuration and the zone file with named-checkconf and named-checkzone, then reload
[root@Centos7 ~]# named-checkconf
[root@Centos7 ~]# named-checkzone gw.com /var/named/gw.com.zone
zone gw.com/IN: loaded serial 0
OK
[root@Centos7 ~]# rndc reload
server reload successful
named-checkzone takes the real zone name as its first argument; relative names in the file (ns1, websrv, the @ owner) are expanded against it, so checking under a wrong name does not validate what named will actually serve.
2) Secondary server setup
┌──(gw㉿GW)-[~]
└─$ sudo apt-get install bind9
┌──(gw㉿GW)-[~]
└─$ sudo systemctl enable named.service --now
Synchronizing state of named.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable named
Created symlink /etc/systemd/system/bind9.service → /lib/systemd/system/named.service.
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /lib/systemd/system/named.service.
┌──(root💀GW)-[~]
└─# vim /etc/bind/named.conf.options
options {
        // Debian's shipped file only sets listen-on-v6; add this so named also
        // answers on the LAN IPv4 address.
        listen-on { any; };
        // ... the rest of the shipped options block stays as it is
};
┌──(root💀GW)-[~]
└─# vim /etc/bind/named.conf.local
zone "gw.com" {
        type slave;
        masters { 192.168.31.78; };
        file "slaves/gw.com.slave";   // relative to directory, i.e. /var/cache/bind on Debian
};
Put the zone statement in /etc/bind/named.conf.local, which named.conf includes unconditionally; /etc/bind/zones.rfc1918 is only read if its include line in named.conf.local is uncommented, so a zone placed there is silently ignored. The slaves directory must exist under /var/cache/bind and be owned by the bind user, because named writes the transferred copy there (Debian's AppArmor profile allows writes under /var/cache/bind). Run named-checkconf before reloading, then confirm in the system log that the transfer from 192.168.31.78 reports "Transfer completed".
┌──(root💀GW)-[~]
└─# rndc reload
server reload successful
3) Test
gw@gw-computer:~$ dig www.gw.com @192.168.31.228
; <<>> DiG 9.16.1-Ubuntu <<>> www.gw.com @192.168.31.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48340
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: adb62883c40b336701000000613497fee64850a043563504 (good)
;; QUESTION SECTION:
;www.gw.com. IN A
;; ANSWER SECTION:
www.gw.com. 3600 IN A 192.185.17.108
;; Query time: 2476 msec
;; SERVER: 192.168.31.228#53(192.168.31.228)
;; WHEN: Sun Sep 05 18:12:13 CST 2021
;; MSG SIZE rcvd: 83
This reply does not come from the gw.com zone. The flags carry ra but not aa, so 192.168.31.228 answered as a recursive resolver rather than as an authoritative server (the client 192.168.31.214 is on its directly attached network, which Debian's allow-recursion default permits), and 192.185.17.108 is a public address that appears nowhere in the zone file. A working secondary returns an aa answer with www.gw.com as a CNAME to websrv.gw.com plus the two 192.168.31.x addresses. When the flags look like this, check the zone name in the zone statement, the file path, and the log for the transfer.
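As an added example, not code from the page: a POSIX shell script that parses dig output and tells a genuine secondary apart from a recursive lookup (the aa flag), compares SOA serials between master and secondary, and checks whether AXFR is refused from the querying host. The SAMPLE_* replies are constructed for the offline checks (the first one is the reply shown above); verify_secondary runs the same checks live with dig when given a zone name and the two server addresses.

```shell
#!/bin/sh
# Offline checks for a BIND secondary, built around dig output.
# A reply proves the secondary serves the zone only when the aa flag is set;
# ra plus a public address means it recursed to the Internet instead.
# The SAMPLE_* strings are constructed for this example.

# What 192.168.31.228 actually answered above: no aa, public address.
SAMPLE_RECURSIVE=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48340
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.gw.com.             3600    IN      A       192.185.17.108'

# What a working secondary for the gw.com zone file should answer.
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 2, ADDITIONAL: 2
;; ANSWER SECTION:
www.gw.com.             86400   IN      CNAME   websrv.gw.com.
websrv.gw.com.          86400   IN      A       192.168.31.228
websrv.gw.com.          86400   IN      A       192.168.31.16'

# SOA answers; after a successful transfer both servers report the same serial.
SAMPLE_SOA_MASTER='gw.com.  86400 IN SOA ns1.gw.com. admin.gw.com. 2021090601 86400 3600 604800 10800'
SAMPLE_SOA_STALE='gw.com.   86400 IN SOA ns1.gw.com. admin.gw.com. 2021090600 86400 3600 604800 10800'

# dig AXFR output when allow-transfer rejects the client: no SOA record at all.
SAMPLE_AXFR_REFUSED='; Transfer failed.'

# RCODE from the header line (NOERROR, REFUSED, SERVFAIL, ...)
dig_status()   { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1; }
# true if the named flag (aa, ra, ad, ...) appears on the flags line
dig_has_flag() { printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | tr ' ' '\n' | grep -qx "$2"; }
# serial of the first SOA record in the reply
soa_serial()   { printf '%s\n' "$1" | awk '$4 == "SOA" { print $7; exit }'; }

# NOERROR and aa: the answer came from the server's own copy of the zone.
reply_is_authoritative() { [ "$(dig_status "$1")" = NOERROR ] && dig_has_flag "$1" aa; }

# serials_match <soa-reply-a> <soa-reply-b>
serials_match() { [ -n "$(soa_serial "$1")" ] && [ "$(soa_serial "$1")" = "$(soa_serial "$2")" ]; }

# transfer_refused <dig-axfr-output>: true when no SOA record came back.
transfer_refused() {
  if printf '%s\n' "$1" | awk '$4 == "SOA" { f = 1 } END { exit !f }'; then return 1; fi
  return 0
}

# Live check (needs dig): verify_secondary <zone> <master-ip> <secondary-ip>
verify_secondary() {
  zone=$1; master=$2; secondary=$3
  reply=$(dig +noall +comments +answer "www.$zone" A "@$secondary")
  if ! reply_is_authoritative "$reply"; then
    echo "$secondary is NOT authoritative for $zone: check zone name, file path, transfer log" >&2
    return 1
  fi
  m=$(dig +noall +answer "$zone" SOA "@$master")
  s=$(dig +noall +answer "$zone" SOA "@$secondary")
  serials_match "$m" "$s" || {
    echo "serial mismatch: master=$(soa_serial "$m") secondary=$(soa_serial "$s")" >&2; return 1; }
  echo "$secondary is authoritative for $zone, serial $(soa_serial "$s")"
  # From any host other than the permitted secondary this should be refused.
  if transfer_refused "$(dig +noall +answer "$zone" AXFR "@$secondary")"; then
    echo "AXFR from this host: refused"
  else
    echo "AXFR from this host: ALLOWED, tighten allow-transfer" >&2
  fi
}

if [ "$#" -eq 3 ]; then verify_secondary "$@"; fi
```

Run it from the Ubuntu client as `sh check_secondary.sh gw.com 192.168.31.78 192.168.31.228`; the dig flags are the decisive signal, the answer address alone is not, because a recursive lookup can return a perfectly valid looking record for a name that also exists on the public Internet.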
2. Set up split-horizon ("smart") DNS with views.
1) Define the ACLs and the view blocks
[root@Centos7 ~]# vim /etc/named.conf
acl test1net {
        192.168.31.214;
};
acl test2net {
        192.168.31.228;
};
acl test3net {
        any;
};
view test1view {
        match-clients { test1net; };
        include "/etc/named.rfc1912.zones.t1";
};
view test2view {
        match-clients { test2net; };
        include "/etc/named.rfc1912.zones.t2";
};
view test3view {
        match-clients { test3net; };
        include "/etc/named.rfc1912.zones.t3";
};
Two rules apply once views are in use. First, every zone statement must sit inside a view, so the top-level zone "." and the include "/etc/named.rfc1912.zones" line of the stock named.conf have to be removed (they come back per view in the next step); named-checkconf rejects a mix of top-level zones and views. Second, views are tried in the order written and the first matching match-clients wins, so the catch-all test3net (any) must stay last, otherwise every client lands in test3view.
2) Define the zone statements for each view
[root@Centos7 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.t1
[root@Centos7 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.t2
[root@Centos7 ~]# cp -p /etc/named.rfc1912.zones /etc/named.rfc1912.zones.t3
[root@Centos7 ~]# vim /etc/named.rfc1912.zones.t1
// add the root hints: the top-level zone "." is gone once views are used
zone "." IN {
        type hint;
        file "named.ca";
};
[root@Centos7 ~]# vim /etc/named.rfc1912.zones.t2
// add
zone "." IN {
        type hint;
        file "named.ca";
};
[root@Centos7 ~]# vim /etc/named.rfc1912.zones.t3
// add
zone "." IN {
        type hint;
        file "named.ca";
};
Each of the three files also needs its own zone "gw.com" statement of type master pointing at that view's data file (gw.com.zone.t1, .t2 and .t3, created in the next step). Without it a view has no gw.com data of its own and the query falls through to recursion, which returns whatever the public Internet says for the name.
3) Define the zone data for each view (the files differ only in the address of websrv)
[root@Centos7 ~]# vim /var/named/gw.com.zone.t1
$TTL 1D
@       IN SOA ns1 admin (7 1h 10m 1D 1D)
        NS ns1
        NS ns2
t1      IN NS ns3
ns1     IN A 192.168.31.78
ns2     IN A 192.168.31.228
ns3     IN A 192.168.31.214
websrv  IN A 192.168.31.215
www     IN CNAME websrv
[root@Centos7 ~]# vim /var/named/gw.com.zone.t2
$TTL 1D
@       IN SOA ns1 admin (7 1h 10m 1D 1D)
        NS ns1
        NS ns2
t2      IN NS ns3
ns1     IN A 192.168.31.78
ns2     IN A 192.168.31.228
ns3     IN A 192.168.31.214
websrv  IN A 192.168.31.217
www     IN CNAME websrv
[root@Centos7 ~]# vim /var/named/gw.com.zone.t3
$TTL 1D
@       IN SOA ns1 admin (7 1h 10m 1D 1D)
        NS ns1
        NS ns2
t3      IN NS ns3
ns1     IN A 192.168.31.78
ns2     IN A 192.168.31.228
ns3     IN A 192.168.31.214
websrv  IN A 192.168.31.218
www     IN CNAME websrv
[root@Centos7 ~]# named-checkconf
[root@Centos7 ~]# named-checkzone gw.com /var/named/gw.com.zone.t1
[root@Centos7 ~]# named-checkzone gw.com /var/named/gw.com.zone.t2
[root@Centos7 ~]# named-checkzone gw.com /var/named/gw.com.zone.t3
The first argument of named-checkzone is the zone name (gw.com), not a configuration file; the relative names in the data file are expanded against it. Reload named with rndc reload afterwards so it picks up the views.
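As an added example, not part of the page: a shell script that generates the three per-view zone files and the matching view blocks from one template, so that the hand-edited copies cannot drift apart (the three files above differ only in the websrv address). The output directory, the view-to-address mapping and the ACL names are assumptions taken from the lab layout; the script writes under a temporary directory and leaves copying into /var/named and /etc/named.conf to you.

```shell
#!/bin/sh
# Generate per-view zone files and view blocks for gw.com from one template.
# OUT and the websrv addresses per view are assumptions for this example.
OUT=${OUT:-$(mktemp -d)}
SERIAL=${SERIAL:-7}

# gen_zone <suffix> <websrv-ip>: write gw.com.zone.<suffix> under $OUT, print its path
gen_zone() {
  suffix=$1; ip=$2; f="$OUT/gw.com.zone.$suffix"
  cat > "$f" <<EOF
\$TTL 1D
@       IN SOA ns1 admin ( $SERIAL 1h 10m 1D 1D )
        IN NS  ns1
        IN NS  ns2
ns1     IN A   192.168.31.78
ns2     IN A   192.168.31.228
websrv  IN A   $ip
www     IN CNAME websrv
EOF
  printf '%s\n' "$f"
}

# gen_view <suffix> <view-name> <acl-name>: one complete view block, root hints
# plus this view's copy of gw.com (every zone must live inside a view).
gen_view() {
  cat <<EOF
view $2 {
    match-clients { $3; };
    zone "." IN { type hint; file "named.ca"; };
    zone "gw.com" IN { type master; file "gw.com.zone.$1"; };
};
EOF
}

# websrv_addr <zone-file>: the address clients of that view will get for www.gw.com
websrv_addr() { awk '$1 == "websrv" && $3 == "A" { print $4 }' "$1"; }

# check_zone <zone-file>: named-checkzone when installed, else a minimal sanity check
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone -q gw.com "$1"
  else
    grep -q 'IN SOA' "$1" && grep -q '^www' "$1"
  fi
}

# Build all three views. Order matters: the "any" view has to be emitted last,
# because named uses the first view whose match-clients matches the client.
: > "$OUT/views.conf"
for spec in "t1 test1view test1net 192.168.31.215" \
            "t2 test2view test2net 192.168.31.217" \
            "t3 test3view test3net 192.168.31.218"; do
  set -- $spec
  f=$(gen_zone "$1" "$4")
  check_zone "$f" || { echo "bad zone file $f" >&2; exit 1; }
  gen_view "$1" "$2" "$3" >> "$OUT/views.conf"
done
echo "generated under $OUT"
```

Bumping SERIAL is what makes the secondary notice a change, so regenerate with a higher value each time rather than editing the files by hand.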
4) Verify the result
[root@Centos7 ~]# dig www.gw.com @192.168.31.228
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.7 <<>> www.gw.com @192.168.31.228
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42736
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.gw.com. IN A
;; ANSWER SECTION:
www.gw.com. 3600 IN A 192.185.17.108
;; Query time: 248 msec
;; SERVER: 192.168.31.228#53(192.168.31.228)
;; WHEN: Mon Sep 06 03:13:35 CST 2021
;; MSG SIZE rcvd: 55
This query does not exercise the views: it was sent to 192.168.31.228, the secondary from task 1, and again came back with ra, no aa, and the public address, i.e. a recursive lookup. To verify the views, send the query to the view server 192.168.31.78 from each client: from 192.168.31.214 www.gw.com should resolve to 192.168.31.215, from 192.168.31.228 to 192.168.31.217, and from any other address to 192.168.31.218. Run the checks from the clients themselves, since a query from the server (127.0.0.1 or 192.168.31.78) matches neither test1net nor test2net and falls into test3view.
3. Use iptables to allow ssh, telnet, ftp and web (port 80) and reject every other service
gw@gw-computer:~/Desktop$ sudo iptables -A INPUT -i lo -j ACCEPT
gw@gw-computer:~/Desktop$ sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gw@gw-computer:~/Desktop$ sudo iptables -A INPUT -p tcp -m multiport --dports 21,22,23,80 -j ACCEPT
gw@gw-computer:~/Desktop$ sudo iptables -A INPUT -j REJECT
gw@gw-computer:~/Desktop$ sudo iptables -vnL
The port list maps to the task: 21 ftp, 22 ssh, 23 telnet, 80 http; 139 and 445 (SMB) are not part of it and should not be opened. The loopback and ESTABLISHED,RELATED rules must come before the REJECT, otherwise the host's own outbound connections (DNS answers, package downloads) have their replies rejected; appending with -A in this order keeps the chain readable, whereas -I pushes each new rule to the top. Passive FTP data connections are only classified RELATED when the ftp conntrack helper is loaded (nf_conntrack_ftp) and, on kernels from 4.7 onward, explicitly assigned with a CT --helper ftp rule in the raw table.
The listing below is from the run before these corrections, in which the original two commands (multiport 21,23,80,139,445 and the REJECT) had each been entered twice, hence the duplicated rows. The 1740 packets already counted by REJECT include the replies to the host's own outgoing connections, since nothing in that chain accepts them.
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 21,23,80,139,445
1740 741K REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 82 packets, 6742 bytes)
pkts bytes target prot opt in out source destination
4. NAT in brief
NAT rewrites the source or destination IP address (and usually the port) of packets passing through a router, most commonly to map private RFC 1918 addresses onto a routable public address. The translator records every translated connection in its connection-tracking table so that replies can be rewritten back in the other direction. SNAT rewrites the source and is applied in POSTROUTING, letting inside hosts reach the Internet from one public address; DNAT rewrites the destination and is applied in PREROUTING, publishing an inside service on the public address.
5. Implement SNAT and DNAT with iptables, and save the rules persistently
Lab environment: CentOS 7.9
1) Enable IP forwarding in the kernel
[root@Centos7 ~]# yum install iptables-services
[root@Centos7 ~]# vim /etc/sysctl.conf
net.ipv4.ip_forward = 1
Apply the setting with sysctl -p (or reboot); the file alone only takes effect at boot. CentOS 7 ships firewalld, which owns the ruleset; stop and mask it (systemctl disable --now firewalld; systemctl mask firewalld) before enabling iptables.service, or the two fight over the rules.
2) Implement SNAT and DNAT
SNAT: inside hosts on 10.0.2.0/24 leave with the router's address
[root@Centos7 ~]# iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -j SNAT --to-source 192.168.31.78
DNAT: port 80 on the public address is forwarded to the inside web server
[root@Centos7 ~]# iptables -t nat -A PREROUTING -d 192.168.31.78 -p tcp --dport 80 -j DNAT --to-destination 10.0.2.12:80
DNAT only rewrites the destination: the packet still has to pass the FORWARD chain (the lab's FORWARD policy is ACCEPT, so nothing else is needed here), and 10.0.2.12 must route its replies back through 192.168.31.78, otherwise the reverse translation never happens and clients see the connection hang.
3) Save the rules persistently
[root@Centos7 ~]# cp /etc/sysconfig/iptables{,.bak}
[root@Centos7 ~]# /usr/libexec/iptables/iptables.init save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
[root@Centos7 ~]# iptables-save > /etc/sysconfig/iptables
[root@Centos7 ~]# systemctl enable iptables.service
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
The two save commands write the same file (the filter and nat tables both go in), so either one is enough; iptables.service restores it at boot. The ip_forward sysctl is not part of the saved rules, which is why it lives in /etc/sysctl.conf.
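As an added example that is not part of the page, and that serves both the INPUT filter of task 3 and the SNAT/DNAT of task 5: a shell script that renders one complete iptables-restore ruleset, with the loopback and conntrack accepts ahead of the catch-all REJECT, FORWARD rules that let the translated traffic through, and the nat table. The interface name, the inside network and the backend address are assumptions taken from the lab layout; nothing is applied unless APPLY=1 is set.

```shell
#!/bin/sh
# Render a complete iptables-restore ruleset (filter + nat) for the lab NAT box.
# Assumptions for this example: eth0 carries 192.168.31.78, the inside network is
# 10.0.2.0/24 and the web backend is 10.0.2.12. Override via environment variables.
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-10.0.2.0/24}
PUB_IP=${PUB_IP:-192.168.31.78}
WEB_BACKEND=${WEB_BACKEND:-10.0.2.12}
ALLOW_PORTS=${ALLOW_PORTS:-21,22,23,80}   # ftp, ssh, telnet, http

render_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to our own connections must be accepted before the REJECT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $ALLOW_PORTS -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# explicit REJECT gives clients a fast failure; policy DROP is the backstop
-A INPUT -j REJECT --reject-with icmp-port-unreachable
# forwarding: inside hosts out, and only DNATed port-80 traffic in to the backend
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $LAN_NET -o $WAN_IF -j ACCEPT
-A FORWARD -d $WEB_BACKEND -p tcp --dport 80 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN_IF -d $PUB_IP -p tcp --dport 80 -j DNAT --to-destination $WEB_BACKEND:80
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUB_IP
COMMIT
EOF
}

# rule_order_ok: the conntrack accept must precede the catch-all REJECT in INPUT
rule_order_ok() {
  render_ruleset | awk '/^-A INPUT .*ESTABLISHED/ { e = NR } /^-A INPUT -j REJECT/ { r = NR }
                        END { exit !(e && r && e < r) }'
}

# allows_port <port>: whether the multiport rule lists that port
allows_port() {
  render_ruleset | sed -n 's/.*--dports \([0-9,]*\).*/\1/p' | tr ',' '\n' | grep -qx "$1"
}

# apply_ruleset (needs root): parse-check first, then load atomically
apply_ruleset() {
  render_ruleset | iptables-restore --test && render_ruleset | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then apply_ruleset; else render_ruleset; fi
```

On the CentOS box, `sh nat-rules.sh > /etc/sysconfig/iptables` produces the file iptables.service restores at boot; set net.ipv4.ip_forward=1 separately, and for passive FTP load nf_conntrack_ftp so the data connections match the RELATED rule.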
