Cainiao also uses DNS to build a secure DNS Server

Source: Internet
Author: User

DNS is a basic service of the Internet, and bind is the most popular open-source DNS software. Because it is so widely deployed, it is also a frequent target of attacks, so we need to build a secure DNS server. The following measures help build a secure DNS service (for basic bind compilation, installation and configuration, refer to: cainiao also uses DNS to configure the DNS Cache Server):

First, run named as a normal user

    # useradd -s /bin/false bind               create a user "bind" that is not allowed to log on to the system
    # chown bind /usr/local/named/dns/         give the bind user ownership of the directory that stores named.pid
    # /usr/local/named/sbin/rndc stop          stop the running named
    # /usr/local/named/sbin/named -4 -u bind   start named as the bind user

Check the system processes:

    # ps -ef | grep named

named is now running as the normal user bind.

Second, run named in chroot (cage) mode

The so-called cage restricts the program to a single directory; it cannot access any other directory, which greatly improves security.

    # useradd -s /bin/false bind    create a user "bind" that is not allowed to log on to the system
    # mkdir -p /chroot/named        create the cage directory

When it starts, named accesses some device files and reads its configuration file and zone files. Their directories are as follows:

    /usr/local/named/etc        stores the named.conf configuration file
    /usr/local/named/dns        stores the named.pid file
    /usr/local/named/dns/zone   stores the zone files
    /dev                        stores the device files named requires

Note: apart from /dev, which is a system default, these are the directories that were specified manually when bind was installed. Now create the corresponding directories under /chroot/named:

    # mkdir -p /chroot/named/dev
    # mkdir -p /chroot/named/usr/local/named/etc
    # mkdir -p /chroot/named/usr/local/named/dns/zone
    # chown bind /chroot/named/usr/local/named/dns/                            give the bind user ownership of the directory that stores named.pid
    # mknod /chroot/named/dev/random c 1 8                                     create the device file that named uses
    # cp /usr/local/named/etc/* /chroot/named/usr/local/named/etc/             copy named.conf and the other basic configuration files into the cage
    # cp /usr/local/named/dns/* /chroot/named/usr/local/named/dns/             copy named.pid into the cage
    # cp /usr/local/named/dns/zone/* /chroot/named/usr/local/named/dns/zone/   copy the zone files into the cage
    # /usr/local/named/sbin/rndc stop                                          stop the running named process
    # /usr/local/named/sbin/named -4 -u bind -t /chroot/named/                 start named as the normal user bind in cage mode

Check the named process:

    # ps -ef | grep named

Check the system log to see whether there was any problem at startup:

    # tail /var/log/messages
    Oct 24 22:41:52 localhost named[6932]: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700
    Oct 24 22:41:52 localhost named[6932]: zone 1.168.192.in-addr.arpa/IN: loaded serial 20031001
    Oct 24 22:41:52 localhost named[6932]: zone xiaocui.com/IN: loaded serial 1053891162
    Oct 24 22:41:52 localhost named[6932]: zone localhost/IN: loaded serial 42
    Oct 24 22:41:52 localhost named[6932]: managed-keys-zone ./IN: loaded serial 0
    Oct 24 22:41:52 localhost named[6932]: running

If you see output similar to the above, startup was successful and all zone files were loaded.

Third, control the source of users through an ACL

Edit the named.conf configuration file:

    # vi /usr/local/named/etc/named.conf

Create an access control list:

    acl my-network {
        192.168.1.0/24;
    };

After the definition, let the options block allow only users in the network defined by this ACL to query recursively:

    options {
        directory "/usr/local/named/dns/zone";
        pid-file "/usr/local/named/dns/named.pid";
        allow-recursion { my-network; };
    };

After the configuration, restart the named process or reload the configuration file. In this way only users in the CIDR block specified in the ACL can use this DNS server for recursive queries; everyone else is refused. (allow-recursion limits recursion only: named still answers queries for the zones it is authoritative for, and which data those answers contain is what the views in the next step control.)

Fourth, control the users' query scope through views

We have a DNS server that should provide full DNS resolution to intranet users but only part of the DNS query functions to external users. In this case we need the view function: a view provides different query scopes to different users. The configuration is as follows. Edit the named.conf configuration file:

    # vi /usr/local/named/etc/named.conf

First define the intranet ACL:

    acl my-network {
        192.168.1.0/24;
    };

Then define view A for internal users:

    view "A" {
        match-clients { my-network; };   // the local intranet
        recursion yes;                   // allow recursive queries
        zone "xiaocui.com" {
            type master;
            file "xiaocui.com.zone.A";
        };
    };

and view B for all users:

    view "B" {
        match-clients { any; };          // everyone
        recursion yes;                   // allow recursive queries
        zone "xiaocui.com" {
            type master;
            file "xiaocui.com.zone.B";
        };
    };

Views are matched in the order they appear, so view A must come before view B; otherwise the "any" clause of view B would also catch intranet clients.

Having configured named.conf, we also need to create the corresponding zone files in the zone file directory.

    # vi /usr/local/named/dns/zone/xiaocui.com.zone.A

Zone file for intranet users:

    $TTL 86400
    @       IN      SOA     xiaocui.com. root.xiaocui.com. (
                            1053891162      ; serial (d. adams)
                            3H              ; refresh
                            15M             ; retry
                            1W              ; expiry
                            1D )            ; minimum
            IN      NS      xiaocui.com.
            IN      A       192.168.1.10
    www     IN      A       192.168.1.100
    mail    IN      A       192.168.1.101
    oa      IN      A       192.168.1.102   ; OA, open to intranet users
    ftp     IN      A       192.168.1.103   ; FTP, open to intranet users

    # vi /usr/local/named/dns/zone/xiaocui.com.zone.B

Zone file for all users:

    $TTL 86400
    @       IN      SOA     xiaocui.com. root.xiaocui.com. (
                            1053891162      ; serial (d. adams)
                            3H              ; refresh
                            15M             ; retry
                            1W              ; expiry
                            1D )            ; minimum
            IN      NS      xiaocui.com.
            IN      A       192.168.1.10
    www     IN      A       192.168.1.100
    mail    IN      A       192.168.1.101

After the configuration, restart the named process or reload the configuration file. Intranet users can now resolve oa.xiaocui.com and ftp.xiaocui.com, while Internet users cannot resolve oa.xiaocui.com. If this is what you get, the configuration is successful.
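The most common failure when combining the cage (step two) with the ACL and view configuration (steps three and four) is a file that was never copied into the chroot: named resolves every path in named.conf inside the cage, so a zone file, pid directory or device node missing under /chroot/named stops startup or silently breaks a view. The script below is an added example, not code from the original post; it checks a cage against the post's layout (named.conf at /usr/local/named/etc/named.conf inside the cage) and can build a constructed sample cage for testing. The function names and the sample named.conf are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): verify a BIND chroot before starting
# named with "-t". Every path in named.conf is resolved inside the cage, so each
# referenced file must exist under the chroot directory.

# Print the values of all `KEYWORD "value"` statements in a named.conf, one per line.
conf_values() {              # $1 = keyword (file, directory, pid-file), $2 = conf path
    awk -v key="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == key) { v = $(i + 1); gsub(/[";]/, "", v); print v }
    }' "$2"
}

# Check the config, the pid directory and every zone file named.conf references.
check_chroot_files() {       # $1 = chroot dir, $2 = conf path inside the cage (optional)
    root="$1"
    conf="$root${2:-/usr/local/named/etc/named.conf}"
    missing=0
    if [ ! -f "$conf" ]; then
        echo "MISSING config: $conf" >&2
        return 1
    fi
    # options { directory "..."; } is where named resolves relative zone file names
    zonedir=$(conf_values directory "$conf" | head -n 1)
    pidfile=$(conf_values pid-file "$conf" | head -n 1)
    if [ -n "$pidfile" ] && [ ! -d "$root$(dirname "$pidfile")" ]; then
        echo "MISSING pid directory: $root$(dirname "$pidfile")" >&2
        missing=$((missing + 1))
    fi
    for f in $(conf_values file "$conf"); do
        case "$f" in
            /*) path="$root$f" ;;
            *)  path="$root$zonedir/$f" ;;
        esac
        if [ ! -f "$path" ]; then
            echo "MISSING zone file: $path" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# named needs /dev/random inside the cage (the post creates it with mknod c 1 8);
# it must be a character device, not an ordinary file.
check_chroot_devices() {     # $1 = chroot dir
    [ -c "$1/dev/random" ] || { echo "MISSING device: $1/dev/random" >&2; return 1; }
}

check_chroot_layout() {      # $1 = chroot dir
    check_chroot_files "$1" && check_chroot_devices "$1"
}

# Build a constructed sample cage mirroring the post's layout (no root needed; no device
# node is created, so check_chroot_devices is expected to fail on this sample).
build_sample_chroot() {      # $1 = target dir
    root="$1"
    mkdir -p "$root/usr/local/named/etc" "$root/usr/local/named/dns/zone" "$root/dev"
    cat > "$root/usr/local/named/etc/named.conf" <<'EOF'
acl my-network { 192.168.1.0/24; };
options {
    directory "/usr/local/named/dns/zone";
    pid-file "/usr/local/named/dns/named.pid";
    allow-recursion { my-network; };
};
view "A" { match-clients { my-network; }; recursion yes;
    zone "xiaocui.com" { type master; file "xiaocui.com.zone.A"; }; };
view "B" { match-clients { any; }; recursion yes;
    zone "xiaocui.com" { type master; file "xiaocui.com.zone.B"; }; };
EOF
    for z in A B; do
        printf '$TTL 86400\n@ IN SOA xiaocui.com. root.xiaocui.com. ( 1 3H 15M 1W 1D )\n  IN NS xiaocui.com.\n  IN A 192.168.1.10\n' \
            > "$root/usr/local/named/dns/zone/xiaocui.com.zone.$z"
    done
}

# Usage: sh check_chroot.sh /chroot/named
if [ $# -gt 0 ]; then check_chroot_layout "$1"; fi
```

Run it as root against the real cage after the cp and mknod steps and before starting named with -t; a non-zero exit lists each missing path on stderr. The checks are deliberately split so that the file checks can run on a sample tree without root, while the device check still insists on a real character device.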

This article is from the blog "the path to growth of Cui"
