When an intranet client queries, the name resolves to the server's intranet address.
When a public-network client queries, the name resolves to the public address on which the service is offered.
Note: the hosts must be mutually routable, and NAT must be configured on the router so that the two servers can reach each other's public addresses.
```console
[root@CentOS ~]# yum install bind -y
[root@CentOS ~]#
root@UOS:~# apt install bind9 -y
root@UOS:~#
```
Provide name resolution for the chinaskills.cn domain;
provide resolution for www.chinaskills.cn, download.chinaskills.cn and mail.chinaskills.cn;
enable split-horizon (internal/external) resolution: when an intranet client queries, answer with the address of the internal server; when an external client queries, answer with the public address on which the service is offered;
use UOS as the upstream DNS server, so that every query this server cannot answer itself is handled there.
```conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { any; };
    # changed: listen on any address
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    # changed: allow queries from any host
    forwarders { 192.168.100.254; };
    # forwarder: the UOS server handles every query this server is not authoritative for

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;      # deprecated in BIND 9.16 and removed in 9.18; drop this line on newer versions
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

acl LAN {
    127.0.0.0/8;
    192.168.0.0/16;
};
# ACL matching the intranet client networks

view LANDNS {
    # intranet view
    match-clients { LAN; };
    # clients matching the ACL above get the configuration below
    recursion yes;

    zone "." IN {
        type hint;
        file "named.ca";
    };

    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named.lan.zones";
    # the zones served to intranet clients live in this new file
};
# end of the intranet view

view WANDNS {
    # public view
    match-clients { any; };
    # matches every address not matched above: named evaluates views in file
    # order, so a client reaches this view only when the LAN ACL did not match
    recursion no;
    include "/etc/named.wan.zones";
    # the zones served to external clients live in this new file
};
```
vi /etc/named.lan.zones

```conf
zone "chinaskills.cn" IN {
    type master;
    file "chinaskills.zone";
    allow-update { 192.168.100.254; };
};

zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.100.zone";
    allow-update { none; };
};
```
vi named.wan.zones

```conf
zone "chinaskills.cn" IN {
    type master;
    file "chinaskills.wan.zone";
    allow-update { 192.168.100.254; };
};
```
vi chinaskills.zone

```zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www             A       192.168.100.100
download        A       192.168.100.100
mail            A       192.168.100.100
*               A       81.6.63.100
chinaskills.cn. MX 10   mail.chinaskills.cn.
```
vi 192.168.100.zone

```zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
100     PTR     www.chinaskills.cn.
100     PTR     download.chinaskills.cn.
100     PTR     mail.chinaskills.cn.
```
vi chinaskills.wan.zone

```zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www             A       81.6.63.254
download        A       81.6.63.254
mail            A       81.6.63.254
*               A       81.6.63.100
chinaskills.cn. MX 10   mail.chinaskills.cn.
```
Configure it as a DNS root server;
every other unknown name resolves uniformly to this host's IP;
create the forward zone "chinaskills.cn";
its type is Slave;
the master server is "CentOS";
vi named.conf.options

```conf
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    // forwarders {
    //     0.0.0.0;
    // };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
    listen-on port 53 { any; };
    # changed: listen on any address
    allow-query { any; };
    # changed: allow queries from any host
};
```
vi named.conf

```conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.lan.view";
# defines the intranet view
include "/etc/bind/named.conf.wan.view";
# defines the public view
```
vi named.conf.lan.view

```conf
acl LAN {
    127.0.0.0/8;
    192.168.0.0/16;
};
view LANDNS {
    match-clients { LAN; };
    recursion yes;
    // named.conf.default-zones declares its own zone "." (type hint), and a
    // view may hold only one zone ".". Because named.conf.lan.zones makes this
    // server the master for ".", the default include is left out here;
    // otherwise named refuses to start with a duplicate zone "." error.
    // include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.lan.zones";
};
```
vi named.conf.lan.zones

```conf
zone "chinaskills.cn" {
    type slave;
    // On Debian-based systems the AppArmor profile lets named write only under
    // /var/cache/bind and /var/lib/bind; if the transferred zone cannot be
    // saved, move this file there.
    file "/etc/bind/chinaskills.zone";
    // fixed: the original read `masters "81.6.63.254"`, which is a syntax
    // error; the address list needs braces and semicolons
    masters { 81.6.63.254; };
};
zone "." {
    type master;
    file "/etc/bind/root.zone";
};
```
vi named.conf.wan.view

```conf
view WANDNS {
    match-clients { any; };
    recursion no;
    include "/etc/bind/named.conf.wan.zones";
};
```
vi named.conf.wan.zones

```conf
zone "chinaskills.cn" {
    type slave;
    file "/etc/bind/chinaskills.wan.zone";
    // fixed: the original read `masters "81.6.63.254"`, which is a syntax
    // error; the address list needs braces and semicolons
    masters { 81.6.63.254; };
};
zone "." {
    type master;
    file "/etc/bind/root.zone";
};
```
vi chinaskills.zone

```zone
; for a slave zone this file is replaced by the copy transferred from the master
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www             A       192.168.100.100
download        A       192.168.100.100
mail            A       192.168.100.100
*               A       81.6.63.100
chinaskills.cn. MX 10   mail.chinaskills.cn.
```
vi chinaskills.wan.zone

```zone
; for a slave zone this file is replaced by the copy transferred from the master
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
www             A       81.6.63.254
download        A       81.6.63.254
mail            A       81.6.63.254
*               A       81.6.63.100
chinaskills.cn. MX 10   mail.chinaskills.cn.
```
vi root.zone

```zone
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                        2       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
.       NS      ispsrv
ispsrv  A       81.6.63.100
; added: the requirement above says every otherwise-unknown name must resolve
; to this host; the original listing had no wildcard record for that
*       A       81.6.63.100
```
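As an added illustration (not part of the original post), the following Python script models how the two view-based configurations above choose a view and answer an A query; the ACL, view order, zone records and forwarder address are taken from the listings, while the client addresses are constructed.

```python
# Added example: a model of BIND view selection and zone lookup for the
# split-horizon setup above; the client addresses used are constructed.
import ipaddress

# acl LAN { 127.0.0.0/8; 192.168.0.0/16; };
ACL_LAN = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.0.0/16")]
ORIGIN = "chinaskills.cn"
FORWARDER = "192.168.100.254"          # forwarders { 192.168.100.254; };

# Records of chinaskills.zone (LAN view) and chinaskills.wan.zone (WAN view).
LAN_ZONE = {"@": "127.0.0.1", "www": "192.168.100.100",
            "download": "192.168.100.100", "mail": "192.168.100.100",
            "*": "81.6.63.100"}
WAN_ZONE = {"@": "127.0.0.1", "www": "81.6.63.254",
            "download": "81.6.63.254", "mail": "81.6.63.254",
            "*": "81.6.63.100"}

# Views in named.conf order. named uses the first view whose match-clients
# matches, so the LAN view must precede the catch-all WAN view.
VIEWS = [
    {"name": "LANDNS", "match": ACL_LAN, "recursion": True, "zone": LAN_ZONE},
    {"name": "WANDNS", "match": None, "recursion": False, "zone": WAN_ZONE},
]

def select_view(client_ip):
    ip = ipaddress.ip_address(client_ip)
    for view in VIEWS:
        if view["match"] is None or any(ip in net for net in view["match"]):
            return view
    raise LookupError("no view matched")   # impossible with a { any; } view

def resolve(client_ip, qname):
    """Return (view name, answer) for an A query, as this config would."""
    view = select_view(client_ip)
    zone = view["zone"]
    name = qname.rstrip(".").lower()
    if name != ORIGIN and not name.endswith("." + ORIGIN):
        # Outside our authority: LAN clients are recursed via the forwarder;
        # the WAN view has recursion off, so it refuses (no open resolver).
        answer = f"forwarded to {FORWARDER}" if view["recursion"] else "REFUSED"
        return view["name"], answer
    rel = "@" if name == ORIGIN else name[: -len(ORIGIN) - 1]
    if rel in zone:
        return view["name"], zone[rel]
    labels = rel.split(".")
    # RFC 4592: the apex wildcard applies only when no closer existing name
    # encloses the query, so x.www.chinaskills.cn is NXDOMAIN despite "*".
    if any(".".join(labels[i:]) in zone for i in range(1, len(labels))):
        return view["name"], "NXDOMAIN"
    return view["name"], zone.get("*", "NXDOMAIN")
```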