Reber's Blog

Just a little programming, just a little pentesting


Setting Up a DNS Server

Environment: ubuntu-16.04.7-server-amd64.iso

Tick the DNS server task when installing the system, or install it afterwards with apt install bind9

0x01 Before configuring

  • Configuration files involved
/etc/bind/named.conf, the main configuration file; it pulls in the three files below through include statements
/etc/bind/named.conf.options, global options, including the forwarders
/etc/bind/named.conf.local, the local configuration, where this server's own zones are declared
/etc/bind/named.conf.default-zones, the default zones (localhost and the loopback/broadcast reverse zones)
/etc/bind/aaa.com.zone, the forward zone file (created below)
/etc/bind/aaa.com.arpa, the reverse zone file (created below)
  • Back up the files before editing them
sudo cp /etc/bind/named.conf.local /etc/bind/named.conf.local.bak
sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.bak

0x02 Configure named.conf.options

forward first: queries for names this server is not authoritative for go to the forwarders first; only if the forwarders fail to answer does named fall back to resolving the name itself, starting from the root servers.

forward only: such queries go to the forwarders and nowhere else; if the forwarders do not answer, the client gets SERVFAIL.

Zones this server hosts (the ones declared in named.conf.local) are answered locally in either mode; forwarding applies only to names it does not hold. Note also that allow-recursion is not set in the file below, so BIND falls back to allow-query-cache and then to allow-query, which means only the ktlab networks can use the server as a recursive resolver. Without that restriction, a listener on 10.11.11.8 with recursion enabled would be an open resolver for anyone able to reach it.

reber@ubuntu:/etc/bind$ cat named.conf.options
acl ktlab {
        localhost;
        10.11.11.0/24;
        192.168.3.0/24;
};

options {
        directory "/var/cache/bind";

        listen-on { 10.11.11.8; };
        listen-on-v6 { none; };

        recursion yes; # act as a recursive resolver for the clients permitted below

        allow-query { ktlab; };
        allow-transfer { none; }; # no zone transfers (AXFR/IXFR) to anyone

        # Disable DNSSEC validation so that public names resolve through the forwarders;
        # answers from the forwarders are then accepted unverified (a workaround, not hardening)
        dnssec-enable no;
        dnssec-validation no;

        forward only;
        forwarders { # names this server is not authoritative for, and has not cached, are sent to these resolvers
                114.114.114.114;
                119.29.29.29;
                223.5.5.5;
        };

        auth-nxdomain no;    # conform to RFC1035
};

0x03 Configure named.conf.local

reber@ubuntu:/etc/bind$ cat named.conf.local
zone "aaa.com" {
        type master;
        file "/etc/bind/aaa.com.zone";
};

zone "11.11.10.in-addr.arpa" {
        type master;
        file "/etc/bind/aaa.com.arpa";
};

0x04 Configure the forward and reverse zone files

reber@ubuntu:/etc/bind$ sudo cp db.empty aaa.com.zone
reber@ubuntu:/etc/bind$ sudo vim aaa.com.zone
reber@ubuntu:/etc/bind$ cat aaa.com.zone
;
; Forward zone file for aaa.com (copied from db.empty, then edited)
;
$TTL    86400
@       IN      SOA     aaa.com. root.aaa.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      aaa.com.

aaa.com. IN      A       10.11.11.8
vm.aaa.com.      IN      A       10.11.11.3
vpn.aaa.com.     IN      A       10.11.11.4
nessus.aaa.com.  IN      A       10.11.11.10
oa.aaa.com.      IN      A       10.11.11.17
git.aaa.com.     IN      A       10.11.11.24
reber@ubuntu:/etc/bind$ sudo cp db.0 aaa.com.arpa
reber@ubuntu:/etc/bind$ sudo vim aaa.com.arpa
reber@ubuntu:/etc/bind$ cat aaa.com.arpa
;
; Reverse zone file for 10.11.11.0/24 (copied from db.0, then edited)
;
$TTL    604800
@       IN      SOA     aaa.com. root.aaa.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      aaa.com.

8       IN      PTR     aaa.com.
3       IN      PTR     vm.aaa.com.
4       IN      PTR     vpn.aaa.com.
10      IN      PTR     nessus.aaa.com.
17      IN      PTR     oa.aaa.com.
24      IN      PTR     git.aaa.com.
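As an added example (not part of the original post), the script below cross-checks the forward zone against the reverse zone, something named-checkzone does not do because it validates each file on its own. The two zone texts are the page's aaa.com.zone and aaa.com.arpa embedded as constructed input; the embedded reverse zone deliberately maps .26 to aaa.com. while the A record says 10.11.11.8, the kind of slip both files pass individually. The function names (parse_zone, check_consistency, check_files, check_embedded) are this example's own.

```python
"""Cross-check the A records of a forward zone against the PTRs of its reverse zone.

Added example, not part of the original post. FORWARD_ZONE / REVERSE_ZONE are the
page's two zone files embedded as constructed input; the reverse zone carries a
deliberate .26 vs .8 mismatch for aaa.com. so the check has something to report.
"""
import ipaddress
import sys

FORWARD_ZONE = """\
$TTL    86400
@       IN      SOA     aaa.com. root.aaa.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                          86400 )       ; Negative Cache TTL
;
@       IN      NS      aaa.com.

aaa.com.         IN      A       10.11.11.8
vm.aaa.com.      IN      A       10.11.11.3
vpn.aaa.com.     IN      A       10.11.11.4
nessus.aaa.com.  IN      A       10.11.11.10
oa.aaa.com.      IN      A       10.11.11.17
git.aaa.com.     IN      A       10.11.11.24
"""

REVERSE_ZONE = """\
$TTL    604800
@       IN      SOA     aaa.com. root.aaa.com. ( 1 604800 86400 2419200 604800 )
@       IN      NS      aaa.com.
26      IN      PTR     aaa.com.
3       IN      PTR     vm.aaa.com.
4       IN      PTR     vpn.aaa.com.
10      IN      PTR     nessus.aaa.com.
17      IN      PTR     oa.aaa.com.
24      IN      PTR     git.aaa.com.
"""


def qualify(name, origin):
    """Turn a zone-file owner or target into a fully qualified name."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rtype, rdata_fields)] for each record in zone-file text.

    Handles $ORIGIN/$TTL, ';' comments, '@', records continued inside
    parentheses (the SOA) and lines that omit the owner to reuse the last one.
    """
    origin = origin.rstrip(".") + "."
    records, buf, depth, last_owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth:                                    # still inside ( ... )
            continue
        line, buf = " ".join(buf), []
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if fields[0].startswith("$"):                # $TTL and friends carry no record
            continue
        owner = last_owner if line[0].isspace() else qualify(fields.pop(0), origin)
        last_owner = owner
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                            # optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def check_consistency(forward, reverse, reverse_origin):
    """Return human-readable A/PTR mismatches; an empty list means the zones agree."""
    suffix = "." + reverse_origin.rstrip(".") + "."
    have = {(owner, rdata[0]) for owner, rtype, rdata in reverse if rtype == "PTR"}
    want = set()
    for owner, rtype, rdata in forward:
        if rtype == "A":
            rev = ipaddress.ip_address(rdata[0]).reverse_pointer + "."
            if rev.endswith(suffix):                 # only addresses this reverse zone covers
                want.add((rev, owner))
    problems = [f"missing PTR: {o} -> {n}" for o, n in sorted(want - have)]
    problems += [f"PTR without matching A: {o} -> {n}" for o, n in sorted(have - want)]
    return problems


def check_files(forward_path, forward_origin, reverse_path, reverse_origin):
    """Same check against real files, e.g. /etc/bind/aaa.com.zone and aaa.com.arpa."""
    with open(forward_path) as fwd, open(reverse_path) as rev:
        return check_consistency(parse_zone(fwd.read(), forward_origin),
                                 parse_zone(rev.read(), reverse_origin), reverse_origin)


def check_embedded():
    """Run the check on the constructed zones above."""
    return check_consistency(parse_zone(FORWARD_ZONE, "aaa.com"),
                             parse_zone(REVERSE_ZONE, "11.11.10.in-addr.arpa"),
                             "11.11.10.in-addr.arpa")


if __name__ == "__main__":
    problems = check_embedded() if len(sys.argv) < 5 else check_files(*sys.argv[1:5])
    print("\n".join(problems) or "forward and reverse zones agree")
    sys.exit(1 if problems else 0)
```

Run without arguments to see the two complaints for the embedded zones (a missing PTR for .8 and a stray PTR at .26); pass the forward file, its origin, the reverse file and its origin to check the real files under /etc/bind after every edit, alongside named-checkzone.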

0x05 Check the configuration

named-checkconf parses named.conf and every file it includes; named-checkzone loads one zone file under the given zone name and reports errors in its records. Run it for the reverse zone as well, passing the zone name 11.11.10.in-addr.arpa and the file aaa.com.arpa.

reber@ubuntu:/etc/bind$ sudo named-checkconf
reber@ubuntu:/etc/bind$ sudo named-checkzone aaa.com aaa.com.zone
zone aaa.com/IN: loaded serial 1
OK

0x06 Restart the DNS server

sudo systemctl restart bind9.service

0x07 Verify

From a client in one of the ktlab networks, point nslookup at the server and resolve a local name, a local address and a public name:

➜ nslookup
> server 10.11.11.8
Default server: 10.11.11.8
Address: 10.11.11.8#53
>
> server
Default server: 10.11.11.8
Address: 10.11.11.8#53
>
> vpn.aaa.com
Server:		10.11.11.8
Address:	10.11.11.8#53

Name:	vpn.aaa.com
Address: 10.11.11.4
> 10.11.11.4
Server:		10.11.11.8
Address:	10.11.11.8#53

4.11.11.10.in-addr.arpa	name = vpn.aaa.com.
>
> www.baidu.com
Server:		10.11.11.8
Address:	10.11.11.8#53

Non-authoritative answer:
www.baidu.com	canonical name = www.a.shifen.com.
Name:	www.a.shifen.com
Address: 182.61.200.7
Name:	www.a.shifen.com
Address: 182.61.200.6
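As an added example that is not part of the original post, the Python client below does by hand what nslookup does, so that the response header can be inspected: the AA bit shows the answer came from the server's own zone, RA shows the server offers recursion to your address, and RCODE REFUSED is what a client outside the ktlab ACL should get back. The server address 10.11.11.8 and the names come from the page; the SAMPLE_AUTHORITATIVE and SAMPLE_REFUSED packets are constructed here for an offline self-test, and query() and the other function names are this example's own.

```python
"""Hand-built DNS queries for inspecting how the new server answers, and to whom.

Added example, not from the original post. Names and the server address come
from the page; SAMPLE_AUTHORITATIVE / SAMPLE_REFUSED are constructed packets.
"""
import ipaddress
import socket
import struct
import sys

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {"A": 1, "CNAME": 5, "PTR": 12}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234, rd=True):
    """Build a one-question DNS query; rd=False asks for cached/authoritative data only."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                # compression pointer into the packet
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(pkt):
    """Return the header bits a hardening check cares about, plus the answer RDATA."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                          # skip the echoed question section
        _, off = decode_name(pkt, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == QTYPES["A"]:
            value = str(ipaddress.IPv4Address(pkt[off:off + rdlen]))
        elif rtype in (QTYPES["CNAME"], QTYPES["PTR"]):
            value, _ = decode_name(pkt, off)
        else:
            value = pkt[off:off + rdlen].hex()
        answers.append((name, rtype, value))
        off += rdlen
    return {"id": txid,
            "aa": bool(flags & 0x0400),          # answer came from the server's own zone
            "ra": bool(flags & 0x0080),          # server offers recursion to this client
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": answers}


def query(server, name, qtype="A", rd=True, timeout=3.0):
    """Send one UDP query to server:53 and parse the reply (helper of this example)."""
    if qtype == "PTR" and name[0].isdigit():     # accept a bare IP for reverse lookups
        name = ipaddress.ip_address(name).reverse_pointer
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, rd=rd), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


# Constructed packets: what 10.11.11.8 should return for vpn.aaa.com/A to a client
# inside the ACL (QR|AA|RD|RA, NOERROR, one A record) and to one outside it (REFUSED).
_QUESTION = encode_name("vpn.aaa.com") + struct.pack("!HH", 1, 1)
SAMPLE_AUTHORITATIVE = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0) + _QUESTION
                        + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 86400, 4)
                        + bytes([10, 11, 11, 4]))
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + _QUESTION

if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "10.11.11.8"
    for name, qtype in (("vpn.aaa.com", "A"), ("10.11.11.4", "PTR"), ("www.baidu.com", "A")):
        r = query(server, name, qtype)
        print(f"{name:16} {qtype:4} {r['rcode']:8} AA={r['aa']} RA={r['ra']} {r['answers']}")
```

Run it from a host inside ktlab and the two aaa.com answers should carry AA while www.baidu.com shows RA without AA; run it from an address outside the ACL and every query should come back REFUSED, which is the check that allow-query is doing its job. Zone transfers run over TCP, so this UDP client cannot exercise allow-transfer; use dig @10.11.11.8 aaa.com AXFR for that and expect "Transfer failed."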