Interview/Editing:
棒!城市編輯部
Published:
2017-11-06 08:33

Installing and configuring DNS on CentOS

Introduction:
CentOS 7 is the platform; the assumed environment is

DNS1 192.168.0.201 (Master)
DNS2 192.168.0.202 (Slave)
NTP 192.168.0.201
Yum 192.168.0.200

Installation:

 # yum update -y
 # yum install -y bind
Configure named.conf on both machines:

 # vim /etc/named.conf
//
 // named.conf
 //
 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 // server as a caching only nameserver (as a localhost DNS resolver only).
 //
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //
 options {
 #listen-on port 53 { 127.0.0.1; };
 #listen-on-v6 port 53 { ::1; };
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 #allow-query { localhost; };
 allow-query { any; };
 allow-transfer { none; };
 /*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
 recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access
 control to limit queries to your legitimate users. Failing to do so will
 cause your server to become part of large scale DNS amplification
 attacks. Implementing BCP38 within your network would greatly
 reduce such attack surface
 */
 recursion yes;
 forward only;
 # forward to public DNS
 forwarders{
 # google
 8.8.8.8;
 # HiNet
 168.95.1.1;
 };
 dnssec-enable yes;
 dnssec-validation yes;
 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";
 managed-keys-directory "/var/named/dynamic";
 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
 };
 logging {
 channel default_debug {
 file "data/named.run";
 severity dynamic;
 };
 };
 zone "." IN {
 type hint;
 file "named.ca";
 };
 # your domain name
 zone "kenwu0310.local" {
 type master;
 # path to your zone file
 file "/etc/named/kenwu0310.local";
 # IP of the DNS slave
 allow-transfer{ 192.168.0.202;};
 };
 # reverse zone; how many octets to include in the origin is up to you
 zone "192.in-addr.arpa" IN {
 type master;
 # path to your zone file
 file "/etc/named/named.192";
 # IP of the DNS slave
 allow-transfer{ 192.168.0.202;};
 };
 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";
Next, configure the DNS slave; only the differences from the Master are listed here

zone "kenwu0310.local" {
    type slave;
    file "/etc/named/slave/kenwu0310.local";
    masters{ 192.168.0.201; };
};
zone "192.in-addr.arpa" IN {
    type slave;
    file "/etc/named/slave/named.192";
    masters{ 192.168.0.201; };
};
Configure the forward zone file:
The forward and reverse zone files only need to be created on the Master

# vim /etc/named/kenwu0310.local
; zone-file comments start with ";" (a "#" here is a syntax error)
; cache time (TTL) is 36000 seconds
$TTL 36000
@ IN SOA kenwu0310.local. ken.wu594088.gmail.com. (
    ; serial: remember to increase it on every change
    2017022101
    ; refresh interval
    1H
    ; retry interval after a failed refresh
    15M
    ; expire: if the master cannot be reached for this long, the slave stops serving the zone
    1W
    ; negative-cache TTL, used when no record TTL applies
    1D )
@ IN NS dns1.kenwu0310.local.

dns1.kenwu0310.local. IN A 192.168.0.201
dns2.kenwu0310.local. IN A 192.168.0.202
ntp.kenwu0310.local. IN A 192.168.0.201
yum.kenwu0310.local. IN A 192.168.0.200
Configure the reverse zone file:

The forward and reverse zone files only need to be created on the Master

# vim /etc/named/named.192
; zone-file comments start with ";" (a "#" here is a syntax error)
; cache time (TTL) is 36000 seconds
$TTL 36000
@ IN SOA kenwu0310.local. ken.wu594088.gmail.com. (
    ; serial: remember to increase it on every change
    2017022101
    ; refresh interval
    1H
    ; retry interval after a failed refresh
    15M
    ; expire: if the master cannot be reached for this long, the slave stops serving the zone
    1W
    ; negative-cache TTL, used when no record TTL applies
    1D )
@ IN NS dns1.kenwu0310.local.

; owner names are relative to the zone origin 192.in-addr.arpa, so 201.0.168 is 192.168.0.201
201.0.168 IN PTR dns1.kenwu0310.local.
202.0.168 IN PTR dns2.kenwu0310.local.
201.0.168 IN PTR ntp.kenwu0310.local.
200.0.168 IN PTR yum.kenwu0310.local.
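
As an added example (not part of the original post), the following Python script checks that the forward and reverse zone files above agree: every A record should have a PTR pointing back at the same name, and every PTR should point at a name that carries that A record. The sample zones are constructed from the post's records plus one extra host (ldap, 192.168.0.203) that has no PTR, so the mismatch report has something to show.

```python
import re

def fqdn(name, origin):
    """Expand '@' and relative names against the zone origin (origin ends in '.')."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Yield (owner_fqdn, rrtype, rdata); handles ';' comments, $-directives, a parenthesised SOA."""
    body = re.sub(r";[^\n]*", "", text)
    body = re.sub(r"\([^)]*\)", lambda m: m.group(0).replace("\n", " "), body)
    owner = origin
    for line in body.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith("$") or "IN" not in toks:
            continue
        i = toks.index("IN")
        if i > 0 and not line[0].isspace():   # explicit owner (a TTL may precede IN)
            owner = fqdn(toks[0], origin)
        yield owner, toks[i + 1].upper(), " ".join(toks[i + 2:])

def ptr_owner_to_ip(owner):
    """'201.0.168.192.in-addr.arpa.' -> '192.168.0.201'."""
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))

def check_consistency(forward, fwd_origin, reverse, rev_origin):
    """Return (names with an A but no matching PTR, PTRs whose target has no matching A)."""
    a_recs = {(o, r) for o, t, r in parse_zone(forward, fwd_origin) if t == "A"}
    ptr_recs = {(ptr_owner_to_ip(o), fqdn(r, rev_origin))
                for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    missing_ptr = sorted(n for n, ip in a_recs if (ip, n) not in ptr_recs)
    dangling_ptr = sorted(f"{ip} -> {n}" for ip, n in ptr_recs if (n, ip) not in a_recs)
    return missing_ptr, dangling_ptr

# Constructed samples: the post's records plus one host (ldap, .203) that has no PTR.
FORWARD = """$TTL 36000
@ IN SOA kenwu0310.local. ken.wu594088.gmail.com. ( 2017022101 ; serial
                                                   1H 15M 1W 1D )
dns1.kenwu0310.local. IN A 192.168.0.201
dns2.kenwu0310.local. IN A 192.168.0.202
ntp.kenwu0310.local.  IN A 192.168.0.201
yum.kenwu0310.local.  IN A 192.168.0.200
ldap.kenwu0310.local. IN A 192.168.0.203
"""
REVERSE = """201.0.168 IN PTR dns1.kenwu0310.local.
202.0.168 IN PTR dns2.kenwu0310.local.
201.0.168 IN PTR ntp.kenwu0310.local.
200.0.168 IN PTR yum.kenwu0310.local.
"""
```

Call `check_consistency(FORWARD, "kenwu0310.local.", REVERSE, "192.in-addr.arpa.")`; the first list names hosts missing a PTR, the second lists PTRs that point nowhere.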
Start the DNS service:

# systemctl start named
Enable it at boot:

# systemctl enable named
Open the firewall:
Only the 192.168.0.0 subnet may reach 53/udp; a --permanent rule takes effect only after a reload

 # firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="53" protocol="udp" accept' --permanent
 # firewall-cmd --reload
Reflections:
I have always felt that internal DNS is very important, whether it is built on Linux or through AD,
since it affects system security and gives more effective control over the company's network environment.
So in my view, in a basic IT environment, setting up internal DNS, NTP and LDAP are the first priorities.

1. The default install should include bind-chroot; if not, install it first
yum -y install bind bind-chroot

2. Put each configuration file in its proper place. The domain must have a forward zone file; if you run a mail server you must also have a reverse zone file for your public addresses; the others are optional
The bind configuration file named.conf lives in /etc

Forward zone file for the domain
Reverse zone file for the internal network
Reverse zone file for the external (public) network
Local zone file
These four files go in /var/named

After installation the system ships with
named.ca
named.empty
named.localhost
named.loopback
These are also in /var/named and need no changes

3. Adjust named.conf
vi /etc/named.conf

Change listen-on port 53 to any
Change allow-query to any

Comment out or delete zone "localhost"
It is already included, and declaring it twice makes bind fail with an error on startup

Add each zone (forward zone, internal reverse zone, external reverse zone, local zone); for the zone syntax see 鳥哥 (VBird) or other references


4. Open TCP and UDP port 53 inbound on the firewall

5. Start named
systemctl enable named-chroot.service

systemctl restart named.service

systemctl restart named-chroot.service

6. Check for errors and test

nslookup

tail -n 30 /var/log/messages | grep named

7. DNS checking sites:
https://rs.twnic.net.tw/cgi-bin/dns.cgi
https://intodns.com/
http://dns.squish.net/

8. If /var/log/messages shows lines like the following
error (network unreachable) resolving 'XXXXXXXX/A/IN': 2400:cb00:2049:1::a29f:1c39#53
it is because the host's network interface has no IPv6 configured; you can avoid it by telling named to use IPv4 only
vi /etc/sysconfig/named
OPTIONS="-4"

9. Blocking DoS/DDoS attacks:
Disable recursive queries for anyone outside the allowed range

vi /etc/named.conf

// define the allowed-IP range (the acl must be declared before options refers to it)
acl "allowed-IP" {
192.168.0.0/24;
localhost;
localnets;
};

options {
allow-query { any; };
allow-recursion { allowed-IP; };
};


Combine with fail2ban for blocking (fail2ban greatly increases CPU load; if recursion is already restricted or rate-limit is configured, it is better not to use it)
If bind-chroot is installed, the log files are confined inside the chroot, so first create a symlink to them
ln -s /var/named/chroot/var/log /var/log/named

logging
{
channel default-log {
file "/var/log/named/named_default.log" versions 10 size 200m;
severity info;
print-time yes;
};
channel lamer-log {
file "/var/log/named/named_lamer.log" versions 3 size 100m;
severity info;
print-severity yes;
print-time yes;
print-category yes;
};
channel query-log {
file "/var/log/named/named_query.log" versions 10 size 1000m;
severity info;
print-time yes;
};
channel security-log {
file "/var/log/named/named_security.log" versions 3 size 100m;
severity dynamic;
print-time yes;
};
category lame-servers { lamer-log; };
category security{ security-log;};
category queries { query-log;};
category default { default-log;};
};


vi /etc/fail2ban/jail.conf
[named-refused-udp]

enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/named/named_security.log
bantime = 30000000

[named-refused-tcp]

enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/named/named_security.log
bantime = 30000000
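
The security-log channel above is what the two fail2ban jails read. As an added example (not from the original post), the Python below applies the same maxretry/findtime idea to constructed lines in the "query ... denied" format named writes with print-time yes, so you can see which clients the jail would trip on and which query types they asked for (a burst of ANY is the amplification probe the post refers to). The log lines, the RFC 5737 test addresses and the optional "@0x..." client pointer that newer BIND versions print are assumptions of this example, not real traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# "query ... denied" as named logs it to the security category with print-time yes;
# the optional "@0x..." client pointer is what newer BIND versions add.
DENIED_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ \([^)]*\): query(?: \(cache\))? "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)

def parse_denied(lines):
    """Return (timestamp, client_ip, qname, qtype) per denied query; other lines are skipped."""
    out = []
    for line in lines:
        m = DENIED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
            out.append((ts, m["ip"], m["qname"], m["qtype"]))
    return out

def offenders(lines, maxretry=3, findtime=60):
    """Client IPs with >= maxretry denied queries inside any findtime-second window (fail2ban's rule)."""
    hits = defaultdict(list)
    for ts, ip, _, _ in parse_denied(lines):
        hits[ip].append(ts)
    flagged = []
    for ip, stamps in hits.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if (stamps[i + maxretry - 1] - stamps[i]).total_seconds() <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)

def qtype_breakdown(lines):
    """Count denied queries by type; a burst of ANY is the classic amplification probe."""
    return Counter(qtype for _, _, _, qtype in parse_denied(lines))

# Constructed sample log using RFC 5737 test addresses; not real traffic.
SAMPLE_LOG = """\
06-Nov-2017 08:33:01.101 client 203.0.113.7#4321 (isc.org): query (cache) 'isc.org/ANY/IN' denied
06-Nov-2017 08:33:01.350 client 203.0.113.7#4322 (isc.org): query (cache) 'isc.org/ANY/IN' denied
06-Nov-2017 08:33:02.020 client 203.0.113.7#4323 (isc.org): query (cache) 'isc.org/ANY/IN' denied
06-Nov-2017 08:33:05.000 client @0x7f3a1c0f2e10 198.51.100.22#53201 (example.net): query (cache) 'example.net/A/IN' denied
06-Nov-2017 08:45:07.400 client 198.51.100.22#53202 (example.net): query (cache) 'example.net/A/IN' denied
06-Nov-2017 08:59:12.900 client 198.51.100.22#53203 (example.net): query (cache) 'example.net/A/IN' denied
06-Nov-2017 08:59:13.000 client 192.168.0.202#45120 (kenwu0310.local): transfer of 'kenwu0310.local/IN': AXFR started
""".splitlines()
```

With the defaults, only the client that sent three denied queries within one second is flagged; the client spread over 26 minutes is not, which is the difference findtime makes in the jail.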

10. bind 9.1 and later support rate-limit, which helps fend off DNS amplification and reflection attacks
vi /etc/named.conf (add the settings inside the options braces)
options{
.......
rate-limit {
ipv4-prefix-length 32;
window 10;
responses-per-second 20;
errors-per-second 5;
nxdomains-per-second 5;
slip 2;
};
..........
};

11. If you do not want the log filling up from constant DNS DDoS attacks, and you are sure the protections above are in place,
you can turn logging off entirely; nothing will appear even in /var/log/messages
vi /etc/named.conf
// these category statements go inside the logging { } block, in place of the channel assignments above
category lame-servers { null; };
category security{ null;};
category queries { null;};
category default { null;};