Setting up a DNS server
Environment: ubuntu-16.04.7-server-amd64.iso
Select the DNS server option during system installation, or install it afterwards with apt install bind9
0x01 Before configuring
- Configuration files involved
/etc/bind/named.conf, the main configuration file; it loads the other three configuration files via the include keyword
/etc/bind/named.conf.options, forwarder configuration
/etc/bind/named.conf.local, user configuration, normally where the DNS records (zones) are declared
/etc/bind/named.default-zones, default zones
/etc/bind/aaa.com.zone, forward lookup zone file
/etc/bind/aaa.com.arpa, reverse lookup zone file
- Back up first (the files are named.conf.local and named.conf.options, and writing into /etc/bind needs root)
sudo cp /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.bak
0x02 Configure named.conf.options
first: forward to the forwarders list first, and fall back to a local lookup if that returns nothing
only: look locally first, and forward if nothing is found locally
reber@ubuntu:/etc/bind$ cat named.conf.options
acl ktlab {
localhost;
10.11.11.0/24;
192.168.3.0/24;
};
options {
directory "/var/cache/bind";
listen-on { 10.11.11.8; };
listen-on-v6 { none; };
recursion yes; # allow recursive queries
allow-query { ktlab; };
allow-transfer { none; }; # disallow zone transfers
# turn off DNSSEC so that public domain names can still be resolved
dnssec-enable no;
dnssec-validation no;
forward only;
forwarders { # forward lookups that are neither served locally nor already in the local cache
114.114.114.114;
119.29.29.29;
223.5.5.5;
};
auth-nxdomain no; # conform to RFC1035
};
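To see how the settings above interact, here is an added example (not part of the original post and not BIND code) that restates acl ktlab, allow-query, allow-transfer and forward only in plain Python so the decision for a given client and name can be exercised offline. The networks, zones and forwarders are copied from the page; the function names are this example's own, and "localhost" in the ACL is approximated as the loopback ranges (BIND's built-in localhost ACL actually matches every address of the server's own interfaces).

```python
"""Model of how the named.conf.options settings decide what happens to a query.

Added example, not from the original post: the constants are copied from the
page, the function names are this example's own.
"""
import ipaddress

# acl ktlab { localhost; 10.11.11.0/24; 192.168.3.0/24; };
# 'localhost' is approximated here by the loopback ranges (assumption).
KTLAB_ACL = [ipaddress.ip_network(n) for n in
             ("127.0.0.0/8", "::1/128", "10.11.11.0/24", "192.168.3.0/24")]
LOCAL_ZONES = ("aaa.com", "11.11.10.in-addr.arpa")   # zones declared in named.conf.local
FORWARDERS = ("114.114.114.114", "119.29.29.29", "223.5.5.5")


def in_acl(client_ip):
    """True when the client address falls inside one of the acl ktlab networks."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in KTLAB_ACL)


def authoritative_zone(qname):
    """Longest local zone that contains qname, or None when no local zone does."""
    name = qname.rstrip(".").lower()
    matches = [z for z in LOCAL_ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def classify_query(client_ip, qname, qtype="A"):
    """Return 'refused', 'transfer-refused', 'authoritative:<zone>' or 'forwarded'."""
    if not in_acl(client_ip):
        return "refused"                      # allow-query { ktlab; }
    if qtype.upper() in ("AXFR", "IXFR"):
        return "transfer-refused"             # allow-transfer { none; }
    zone = authoritative_zone(qname)
    if zone is not None:
        # names under a zone this server is master for are answered from the
        # zone file (NXDOMAIN when the name is absent); they never reach the forwarders
        return f"authoritative:{zone}"
    # everything else: recursion yes + forward only -> sent to the forwarders list
    return "forwarded"


if __name__ == "__main__":
    for client, name, qtype in (("10.11.11.3", "vpn.aaa.com", "A"),
                                ("10.11.11.3", "www.baidu.com", "A"),
                                ("172.16.0.9", "vpn.aaa.com", "A"),
                                ("192.168.3.7", "aaa.com", "AXFR")):
        print(f"{client:>12} {qtype:<4} {name:<16} -> {classify_query(client, name, qtype)}")
```

The case worth noticing is a name such as nope.aaa.com: it lies inside a zone the server is master for, so the answer is an authoritative NXDOMAIN from aaa.com.zone rather than a forwarded lookup, whichever forward mode is set.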
0x03 Configure named.conf.local
reber@ubuntu:/etc/bind$ cat named.conf.local
zone "aaa.com" {
type master;
file "/etc/bind/aaa.com.zone";
};
zone "11.11.10.in-addr.arpa" {
type master;
file "/etc/bind/aaa.com.arpa";
};
0x04 Configure the forward and reverse zone files
reber@ubuntu:/etc/bind$ sudo cp db.empty aaa.com.zone
reber@ubuntu:/etc/bind$ sudo vim aaa.com.zone
reber@ubuntu:/etc/bind$ cat aaa.com.zone
; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
$TTL 86400
@ IN SOA aaa.com. root.aaa.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
;
@ IN NS aaa.com.
aaa.com. IN A 10.11.11.8
vm.aaa.com. IN A 10.11.11.3
vpn.aaa.com. IN A 10.11.11.4
nessus.aaa.com. IN A 10.11.11.10
oa.aaa.com. IN A 10.11.11.17
git.aaa.com. IN A 10.11.11.24
reber@ubuntu:/etc/bind$ sudo cp db.0 aaa.com.arpa
reber@ubuntu:/etc/bind$ sudo vim aaa.com.arpa
reber@ubuntu:/etc/bind$ cat aaa.com.arpa
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA aaa.com. root.aaa.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS aaa.com.
26 IN PTR aaa.com.
3 IN PTR vm.aaa.com.
4 IN PTR vpn.aaa.com.
10 IN PTR nessus.aaa.com.
17 IN PTR oa.aaa.com.
24 IN PTR git.aaa.com.
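The forward and reverse files are maintained by hand, so it is easy for them to drift apart. The following added example (not from the original post) is a small parser for the master-file syntax the two files above use (";" comments, $TTL/$ORIGIN, a parenthesised SOA, absolute names with a trailing dot, relative owners such as 26 resolved against the zone origin), plus a check that every A record has a matching PTR and vice versa. The zone contents are embedded as constructed strings copied from the page; the function names are this example's own. Run against the page's data it reports that aaa.com has its A record at 10.11.11.8 but its PTR under 26, with nothing at 8.

```python
"""Cross-check aaa.com.zone against aaa.com.arpa (A <-> PTR consistency).

Added example, not from the original post; zone text below is copied from
the page as constructed strings, function names are this example's own.
"""
import ipaddress

FORWARD_ZONE = """\
$TTL 86400
@ IN SOA aaa.com. root.aaa.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
86400 ) ; Negative Cache TTL
@ IN NS aaa.com.
aaa.com. IN A 10.11.11.8
vm.aaa.com. IN A 10.11.11.3
vpn.aaa.com. IN A 10.11.11.4
nessus.aaa.com. IN A 10.11.11.10
oa.aaa.com. IN A 10.11.11.17
git.aaa.com. IN A 10.11.11.24
"""
REVERSE_ZONE = """\
$TTL 604800
@ IN SOA aaa.com. root.aaa.com. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS aaa.com.
26 IN PTR aaa.com.
3 IN PTR vm.aaa.com.
4 IN PTR vpn.aaa.com.
10 IN PTR nessus.aaa.com.
17 IN PTR oa.aaa.com.
24 IN PTR git.aaa.com.
"""


def absolute(name, origin):
    """Resolve '@', relative labels and absolute names to a lower-case FQDN."""
    origin = origin if origin.endswith(".") else origin + "."
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata_tokens) from master-file text."""
    logical, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                          # record complete (SOA spans lines)
            logical.append(" ".join(buf))
            buf = []
    records, last_owner = [], absolute("@", origin)
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # a line starting with whitespace reuses the previous owner name
        owner = last_owner if line[0].isspace() else absolute(tokens.pop(0), origin)
        last_owner = owner
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                       # optional TTL and class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def ptr_name(ip):
    """10.11.11.4 -> '4.11.11.10.in-addr.arpa.', the name a reverse lookup queries."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_consistency(fwd_text, fwd_origin, rev_text, rev_origin):
    """List A records without a matching PTR and PTR records without a matching A."""
    a_recs = {(o, rd[0]) for o, t, rd in parse_zone(fwd_text, fwd_origin) if t == "A"}
    ptr_recs = {(o, absolute(rd[0], rev_origin))
                for o, t, rd in parse_zone(rev_text, rev_origin) if t == "PTR"}
    problems = []
    for host, ip in a_recs:
        if (ptr_name(ip), host) not in ptr_recs:
            problems.append(f"A {host} -> {ip} has no PTR at {ptr_name(ip)}")
    for rev, host in ptr_recs:
        if not any(ptr_name(ip) == rev for h, ip in a_recs if h == host):
            problems.append(f"PTR {rev} -> {host} has no matching A record")
    return sorted(problems)


if __name__ == "__main__":
    for p in check_consistency(FORWARD_ZONE, "aaa.com", REVERSE_ZONE, "11.11.10.in-addr.arpa"):
        print(p)
```

named-checkzone only validates each file on its own, so a check like this is the piece that catches a forward/reverse mismatch before clients start getting inconsistent answers.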
0x05 Check the configuration
reber@ubuntu:/etc/bind$ sudo named-checkconf
reber@ubuntu:/etc/bind$ sudo named-checkzone aaa.com aaa.com.zone
zone aaa.com/IN: loaded serial 1
OK
0x06 Restart the DNS server
sudo systemctl restart bind9.service
0x07 Verify
➜ nslookup
> server 10.11.11.8
Default server: 10.11.11.8
Address: 10.11.11.8#53
>
> server
Default server: 10.11.11.8
Address: 10.11.11.8#53
>
> vpn.aaa.com
Server: 10.11.11.8
Address: 10.11.11.8#53
Name: vpn.aaa.com
Address: 10.11.11.4
> 10.11.11.4
Server: 10.11.11.8
Address: 10.11.11.8#53
4.11.11.10.in-addr.arpa name = vpn.aaa.com.
>
> www.baidu.com
Server: 10.11.11.8
Address: 10.11.11.8#53
Non-authoritative answer:
www.baidu.com canonical name = www.a.shifen.com.
Name: www.a.shifen.com
Address: 182.61.200.7
Name: www.a.shifen.com
Address: 182.61.200.6