----------
2018-12-25
ref: https://blog.xuite.net/beavisliu/blog/473760743-CentOS+7+DNS%E5%AE%89%E8%A3%9D

1. The default install should already include bind-chroot; if it does not, install it first:
   yum -y install bind bind-chroot

2. Put each configuration file where it belongs. A domain must have a forward zone file; if you run a mail server it must also have an external (public) reverse zone file; the rest are optional.
   The bind configuration file named.conf goes in /etc.
   The four zone files (forward zone, internal reverse zone, external reverse zone, local zone) go in /var/named.
   After installation the system already has named.ca, named.empty, named.localhost and named.loopback in /var/named; these need no changes.

3. Adjust named.conf:
   vi /etc/named.conf
   Change listen-on port 53 to any.
   Change allow-query to any.
   Comment out or delete zone "localhost": it is already included elsewhere, and declaring it twice makes bind fail with an error on startup.
   Write in each zone (forward zone, internal zone, external zone, local zone). For the zone syntax see 鳥哥 (VBird) or other references.

4. Firewall: allow inbound TCP and UDP port 53.

5. Start named:
   systemctl enable named-chroot.service
   systemctl restart named.service
   systemctl restart named-chroot.service

6. Check for errors and test:
   nslookup
   tail -n 30 /var/log/messages | grep named

7. DNS check sites:
   https://rs.twnic.net.tw/cgi-bin/dns.cgi
   https://intodns.com/
   http://dns.squish.net/

8. If /var/log/messages shows something like
   error (network unreachable) resolving 'XXXXXXXX/A/IN': 2400:cb00:2049:1::a29f:1c39#53
   it is because the host's network interface has no IPv6 address configured. Tell named to use IPv4 only:
   vi /etc/sysconfig/named
   OPTIONS="-4"

9. Blocking DoS/DDoS attacks: restrict recursive queries.
   vi /etc/named.conf
   // define the allowed-IP range
   acl "allowed-IP" { 192.168.0.0/24; localhost; localnets; };
   options {
       allow-query { any; };
       allow-recursion { allowed-IP; };
   };
   Combine this with fail2ban blocking. (fail2ban greatly increases CPU load; if recursion is already restricted or rate-limit is already configured, you are better off not using it.)
   If bind-chroot is installed the log files are kept inside the chroot environment, so first create a symlink to them:
   ln -s /var/named/chroot/var/log /var/log/named
   logging {
       channel default-log { file "/var/log/named/named_default.log" versions 10 size 200m; severity info; print-time yes; };
       channel lamer-log { file "/var/log/named/named_lamer.log" versions 3 size 100m; severity info; print-severity yes; print-time yes; print-category yes; };
       channel query-log { file "/var/log/named/named_query.log" versions 10 size 1000m; severity info; print-time yes; };
       channel security-log { file "/var/log/named/named_security.log" versions 3 size 100m; severity dynamic; print-time yes; };
       category lame-servers { lamer-log; };
       category security { security-log; };
       category queries { query-log; };
       category default { default-log; };
   };
   vi /etc/fail2ban/jail.conf
   [named-refused-udp]
   enabled = true
   filter = named-refused
   action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
   logpath = /var/log/named/named_security.log
   bantime = 30000000
   [named-refused-tcp]
   enabled = true
   filter = named-refused
   action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
   logpath = /var/log/named/named_security.log
   bantime = 30000000

10. BIND versions from 9.1 on support the rate-limit feature, which helps withstand DNS amplification and reflection attacks.
   vi /etc/named.conf (add the settings inside the options braces)
   options {
       .......
       rate-limit {
           ipv4-prefix-length 32;
           window 10;
           responses-per-second 20;
           errors-per-second 5;
           nxdomains-per-second 5;
           slip 2;
       };
       ..........
   };

11. If you do not want to watch the logs fill up from constant DNS DDoS attacks, and you are sure the protections above are in place, you can turn logging off completely; nothing will appear even in /var/log/messages:
   vi /etc/named.conf
   category lame-servers { null; };
   category security { null; };
   category queries { null; };
   category default { null; };

----------
2018-05-20
ref: https://kenwu0310.wordpress.com/2017/02/21/centos-7-安裝-dns-domain-name-system/
     https://kenwu0310.wordpress.com/2018/12/04/centos-7-安裝-dns-domain-name-system/

CentOS 7: Installing DNS (Domain Name System)
2017-02-21, Ken Wu

Preface:
The platform is CentOS 7, with the following assumed environment:
   DNS1 192.168.0.201 (Master)
   DNS2 192.168.0.202 (Slave)
   NTP  192.168.0.201
   Yum  192.168.0.200

Install:
   # yum update -y
   # yum install -y bind

Configure named.conf on both machines:
   # vim /etc/named.conf
   //
   // named.conf
   //
   // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
   // server as a caching only nameserver (as a localhost DNS resolver only).
   //
   // See /usr/share/doc/bind*/sample/ for example named configuration files.
   //
   options {
       #listen-on port 53 { 127.0.0.1; };
       #listen-on-v6 port 53 { ::1; };
       directory "/var/named";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       memstatistics-file "/var/named/data/named_mem_stats.txt";
       #allow-query { localhost; };
       allow-query { any; };
       allow-transfer { none; };

       /*
        - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        - If you are building a RECURSIVE (caching) DNS server, you need to enable
          recursion.
        - If your recursive DNS server has a public IP address, you MUST enable access
          control to limit queries to your legitimate users. Failing to do so will
          cause your server to become part of large scale DNS amplification
          attacks. Implementing BCP38 within your network would greatly
          reduce such attack surface
       */
       recursion yes;
       forward only;
       # forward to public DNS
       forwarders {
           # Google
           8.8.8.8;
           # HiNet
           168.95.1.1;
       };

       dnssec-enable yes;
       dnssec-validation yes;

       /* Path to ISC DLV key */
       bindkeys-file "/etc/named.iscdlv.key";

       managed-keys-directory "/var/named/dynamic";

       pid-file "/run/named/named.pid";
       session-keyfile "/run/named/session.key";
   };

   logging {
       channel default_debug {
           file "data/named.run";
           severity dynamic;
       };
   };

   zone "." IN {
       type hint;
       file "named.ca";
   };

   # your domain name
   zone "kenwu0310.local" {
       type master;
       # point to your zone file
       file "/etc/named/kenwu0310.local";
       # IP of the DNS slave
       allow-transfer { 192.168.0.202; };
   };

   # reverse zone; how many octets to include is up to you
   zone "192.in-addr.arpa" IN {
       type master;
       # point to your zone file
       file "/etc/named/named.192";
       # IP of the DNS slave
       allow-transfer { 192.168.0.202; };
   };

   include "/etc/named.rfc1912.zones";
   include "/etc/named.root.key";

Next, configure the DNS slave; only the parts that differ from the master are listed here:
   zone "kenwu0310.local" {
       type slave;
       file "/etc/named/slave/kenwu0310.local";
       masters { 192.168.0.201; };
   };

   zone "192.in-addr.arpa" IN {
       type slave;
       file "/etc/named/slave/named.192";
       masters { 192.168.0.201; };
   };

Forward zone file:
The forward and reverse zone files only need to be created on the master. (Zone files use ';' for comments, not '#'.)
   # vim /etc/named/kenwu0310.local
   ; cache time is 36000 seconds
   $TTL 36000
   @ IN SOA kenwu0310.local. ken.wu594088.gmail.com. (
           2017022101   ; serial: remember to change it on every edit
           1H           ; refresh interval
           15M          ; retry: how long to wait after a failure before trying again
           1W           ; expire: stop serving if the master cannot be reached for this long
           1D )         ; cache time; takes effect only when no TTL applies
   @ IN NS dns1.kenwu0310.local.
   dns1.kenwu0310.local. IN A 192.168.0.201
   dns2.kenwu0310.local. IN A 192.168.0.202
   ntp.kenwu0310.local.  IN A 192.168.0.201
   yum.kenwu0310.local.  IN A 192.168.0.200

Reverse zone file:
The forward and reverse zone files only need to be created on the master.
   # vim /etc/named/named.192
   ; cache time is 36000 seconds
   $TTL 36000
   @ IN SOA kenwu0310.local. ken.wu594088.gmail.com. (
           2017022101   ; serial: remember to change it on every edit
           1H           ; refresh interval
           15M          ; retry: how long to wait after a failure before trying again
           1W           ; expire: stop serving if the master cannot be reached for this long
           1D )         ; cache time; takes effect only when no TTL applies
   @ IN NS dns1.kenwu0310.local.
   201.0.168 IN PTR dns1.kenwu0310.local.
   202.0.168 IN PTR dns2.kenwu0310.local.
   201.0.168 IN PTR ntp.kenwu0310.local.
   200.0.168 IN PTR yum.kenwu0310.local.

Start the DNS service:
   # systemctl start named

Enable it at boot:
   # systemctl enable named

Open the firewall:
Only the 192.168.0.0 subnet may reach 53/udp.
   # firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" port port="53" protocol="udp" accept' --permanent

Thoughts:
I have always felt that an internal DNS is very important, whether it is built on Linux or with AD. After all, it affects system security, and it lets you manage the company network environment effectively. So in my view, in a basic IT environment, setting up internal DNS, NTP and LDAP are the first items to do.
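Added example for item 9 of the 2018-12-25 note (not from either note): detection logic run over constructed named_security.log lines in the "client IP#port (name): query (cache) '...' denied" shape BIND writes when allow-recursion refuses a client. It applies fail2ban's findtime/maxretry idea per client in Python rather than through fail2ban, and separately flags clients inside the allowed-IP acl that were still denied, since that points at a named.conf mistake rather than abuse; the acl contents (localnets left out) and the maxretry/findtime defaults are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of named_security.log lines, in the shape BIND writes with the note's
# print-time / print-category / print-severity settings. Newer BIND adds "@0x..." after "client".
SAMPLE_LOG = """\
25-Dec-2018 10:00:00.101 security: info: client 203.0.113.9#4120 (isc.org): query (cache) 'isc.org/ANY/IN' denied
25-Dec-2018 10:00:00.352 security: info: client 203.0.113.9#4121 (isc.org): query (cache) 'isc.org/ANY/IN' denied
25-Dec-2018 10:00:01.007 security: info: client 203.0.113.9#4122 (isc.org): query (cache) 'isc.org/ANY/IN' denied
25-Dec-2018 10:00:01.450 security: info: client 192.168.0.77#53211 (google.com): query (cache) 'google.com/A/IN' denied
25-Dec-2018 10:00:02.113 security: info: client 203.0.113.9#4123 (isc.org): query (cache) 'isc.org/ANY/IN' denied
25-Dec-2018 10:00:05.600 security: info: client 198.51.100.4#9001 (example.com): query (cache) 'example.com/A/IN' denied
"""
# Same idea as fail2ban's named-refused filter: a client whose cache (recursive) query was denied.
LINE_RE = re.compile(r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ .*?client (?:@0x[0-9a-f]+ )?"
                     r"(?P<ip>[\d.]+)#\d+ \(.*?\): query \(cache\) '(?P<q>[^']+)' denied$")
# Assumed copy of the note's allowed-IP acl (localnets omitted: it depends on the host's interfaces).
ALLOWED = [ipaddress.ip_network("192.168.0.0/24"), ipaddress.ip_network("127.0.0.0/8")]

def parse(log):
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"), m["ip"], m["q"]

def analyse(log, maxretry=3, findtime=10):
    """Return (offenders, misconfigured). offenders: ip -> denials inside one findtime-second
    window where that count exceeds maxretry (fail2ban's findtime/maxretry logic).
    misconfigured: clients inside the acl that were denied anyway, i.e. the acl or
    allow-recursion line in named.conf is not what you think it is."""
    seen = defaultdict(list)
    for ts, ip, _ in parse(log):
        seen[ip].append(ts)
    offenders, misconfigured, window = {}, set(), timedelta(seconds=findtime)
    for ip, stamps in seen.items():
        if any(ipaddress.ip_address(ip) in net for net in ALLOWED):
            misconfigured.add(ip)
            continue
        stamps.sort()
        for i, start in enumerate(stamps):   # sliding window anchored at each denial
            hits = sum(1 for t in stamps[i:] if t - start <= window)
            if hits > maxretry:
                offenders[ip] = hits
                break
    return offenders, misconfigured
```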
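Added example for the zone files of the 2018-05-20 note (my own code, not the note's): a small checker that parses zone files in the layout the note uses (';' comments, parenthesised SOA, '@' and relative owner names) and cross-checks the forward zone against the reverse zone the way the checking sites in item 7 of the first note do. The zone text is a constructed copy of the note's records; the check names and the rule that the SOA MNAME should be one of the NS hosts are mine.

```python
# Constructed copies of the 2018-05-20 note's forward and reverse zone files (same records; ';' comments).
FORWARD = """\
@ IN SOA kenwu0310.local. ken.wu594088.gmail.com. ( 2017022101 ; serial
        1H 15M 1W 1D ) ; refresh retry expire minimum
@ IN NS dns1.kenwu0310.local.
dns1.kenwu0310.local. IN A 192.168.0.201
dns2.kenwu0310.local. IN A 192.168.0.202
ntp.kenwu0310.local. IN A 192.168.0.201
yum.kenwu0310.local. IN A 192.168.0.200
"""
REVERSE = """\
@ IN SOA kenwu0310.local. ken.wu594088.gmail.com. ( 2017022101 1H 15M 1W 1D )
@ IN NS dns1.kenwu0310.local.
201.0.168 IN PTR dns1.kenwu0310.local.
202.0.168 IN PTR dns2.kenwu0310.local.
201.0.168 IN PTR ntp.kenwu0310.local.
200.0.168 IN PTR yum.kenwu0310.local.
"""
def records(text, origin):
    """Yield (owner, type, rdata): strip ';' comments, join '( ... )' lines, expand '@'/relative owners."""
    buf, depth = [], 0
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line or line.startswith("$"):   # skip blanks and $TTL/$ORIGIN directives
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tok, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
            owner = origin if tok[0] == "@" else tok[0] if tok[0].endswith(".") else f"{tok[0]}.{origin}"
            i = tok.index("IN")
            yield owner, tok[i + 1], tok[i + 2:]

def check(forward, reverse, origin="kenwu0310.local.", rev_origin="192.in-addr.arpa."):
    fwd, rev = list(records(forward, origin)), list(records(reverse, rev_origin))
    soa = next(r for _, t, r in fwd if t == "SOA")            # rdata: [mname, rname, serial, ...]
    ns = {r[0] for _, t, r in fwd if t == "NS"}
    a = {o: r[0] for o, t, r in fwd if t == "A"}             # name -> IPv4
    ptr = {}                                                 # IPv4 -> set of names
    for o, t, r in rev:
        if t == "PTR":  # '201.0.168.192.in-addr.arpa.' -> '192.168.0.201'
            ip = ".".join(reversed(o.rstrip(".").replace(".in-addr.arpa", "").split(".")))
            ptr.setdefault(ip, set()).add(r[0])
    findings = []
    if soa[0] not in ns:   # RFC 1035: MNAME names the primary server, so it should be one of the NS hosts
        findings.append(f"SOA MNAME {soa[0]} is not one of the NS names {sorted(ns)}")
    findings += [f"NS {n} has no A record" for n in sorted(ns - set(a))]
    findings += [f"A {n} -> {ip} has no PTR" for n, ip in a.items() if n not in ptr.get(ip, ())]
    findings += [f"PTR {ip} -> {n} has no matching A" for ip, names in ptr.items() for n in sorted(names) if a.get(n) != ip]
    return findings
```

On the note's own records the only finding is the SOA MNAME one: the apex kenwu0310.local. is listed as the primary server name instead of dns1.kenwu0310.local.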