DNS subdomain delegation with BIND, and mutual resolution between parent domain and subdomain

Source: Internet
Author: User
Tags dnssec domain server subdomain

Lab notes:

Test machine 1: 192.168.1.11, the parent domain server

Test machine 2: 192.168.1.12, the subdomain server

Steps:

1. On test machine 1, edit the BIND configuration file and set it up as a caching server, then add the zone, create its zone data file, and verify the result with dig.

    # yum install bind -y
    # vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };
    //      listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };
            recursion yes;

            dnssec-enable no;
            dnssec-validation no;
    //      dnssec-lookaside auto;

            /* Path to ISC DLV key */
    //      bindkeys-file "/etc/named.iscdlv.key";

    //      managed-keys-directory "/var/named/dynamic";
    };

    # service named restart
    Stopping named:                                            [  OK  ]
    Starting named:                                            [  OK  ]
    # ss -tnlp | grep :53
    LISTEN     0      3         192.168.1.11:53          *:*      users:(("named",4970,21))
    LISTEN     0      3            127.0.0.1:53          *:*      users:(("named",4970,20))

    # vim /etc/named.rfc1912.zones
    ...... add the zone ......
    zone "tanjie.com" IN {
            type master;
            file "tanjie.com.zone";
    };

    # cd /var/named/
    # vim tanjie.com.zone
    $TTL 1D
    $ORIGIN tanjie.com.
    @       IN      SOA     ns1.tanjie.com. admin.tanjie.com. (
                            2015081601
                            2H
                            5m
                            3D
                            2d )
            IN      NS      ns1
            IN      NS      ns2
    ns1     IN      A       192.168.1.11
    ns2     IN      A       192.168.1.18
    www     IN      A       192.168.1.11
    *       IN      A       192.168.1.11

    # named-checkconf
    # named-checkzone "tanjie.com" /var/named/tanjie.com.zone
    zone tanjie.com/IN: loaded serial 2015081601
    OK
    # rndc reload
    server reload successful
    # chmod 640 tanjie.com.zone
    # chown :named tanjie.com.zone


The parent domain server is now configured; test it with dig against the server itself. Note that with listen-on and allow-query commented out and recursion yes, this named answers recursive queries from any host that can reach it, which is acceptable only inside a closed lab network.

    # dig -t A ns2.tanjie.com @192.168.1.11
    ...
    ;; QUESTION SECTION:
    ;ns2.tanjie.com.                IN      A

    ;; ANSWER SECTION:
    ns2.tanjie.com.         86400   IN      A       192.168.1.18
    ...

The test shows the record resolves correctly.



2. Subdomain delegation. To delegate the subdomain, add the following records (NS records for the subdomain plus glue A records for its name servers) to the parent server's zone file:

    # vim tanjie.com.zone
    ...
    ops     IN      NS      ns1.ops
    ops     IN      NS      ns2.ops
    ns1.ops IN      A       192.168.1.12
    ns2.ops IN      A       192.168.1.19
    # rndc reload
    server reload successful

3. On test machine 2, configure the subdomain server the same way as in step 1, then add the subdomain zone and its zone data file, and test with dig.

    # yum install bind -y
    # vim /etc/named.conf
    options {
    //      listen-on port 53 { 127.0.0.1; };
    //      listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
    //      allow-query     { localhost; };
            recursion yes;

            dnssec-enable no;
            dnssec-validation no;
    //      dnssec-lookaside auto;

            /* Path to ISC DLV key */
    //      bindkeys-file "/etc/named.iscdlv.key";

    //      managed-keys-directory "/var/named/dynamic";
    };
    .....
    # vim /etc/named.rfc1912.zones
    zone "ops.tanjie.com" IN {
            type master;
            file "ops.tanjie.com.zone";
    };

Create the zone data file for the subdomain (note that comments in a zone file start with `;`, not `#`):

    # vim /var/named/ops.tanjie.com.zone
    $TTL 1D
    $ORIGIN ops.tanjie.com.
    @       IN      SOA     ns1.ops.tanjie.com. admin.ops.tanjie.com. (
                            2015081601
                            1H
                            5m
                            3D
                            3D )
            IN      NS      ns1
            IN      NS      ns2
    ns1     IN      A       192.168.1.12    ; must match the subdomain records defined in the parent zone
    ns2     IN      A       192.168.1.19    ; must match the subdomain records defined in the parent zone
    www     IN      A       192.168.1.20
    *       IN      A       192.168.1.20

    # named-checkconf
    # named-checkzone "ops.tanjie.com" /var/named/ops.tanjie.com.zone
    zone ops.tanjie.com/IN: loaded serial 2015081601
    OK
    # chmod 640 /var/named/ops.tanjie.com.zone
    # chown :named /var/named/ops.tanjie.com.zone
    # rndc reload
    server reload successful

Test resolution:

    # dig -t A www.ops.tanjie.com @192.168.1.12
    ...
    ;; QUESTION SECTION:
    ;www.ops.tanjie.com.            IN      A

    ;; ANSWER SECTION:
    www.ops.tanjie.com.     86400   IN      A       192.168.1.20
    ...

The subdomain server resolves names in its own zone.

    # dig -t A www.tanjie.com @192.168.1.12
    ...

The subdomain server cannot resolve the parent domain.

Back on test machine 1, the parent domain server does resolve the subdomain:

    # dig -t A www.ops.tanjie.com @192.168.1.11
    ;; QUESTION SECTION:
    ;www.ops.tanjie.com.            IN      A

    ;; ANSWER SECTION:
    www.ops.tanjie.com.     86141   IN      A       192.168.1.20

    ;; AUTHORITY SECTION:
    ops.tanjie.com.         86141   IN      NS      ns2.ops.tanjie.com.
    ops.tanjie.com.         86141   IN      NS      ns1.ops.tanjie.com.

    ;; ADDITIONAL SECTION:
    ns1.ops.tanjie.com.     86141   IN      A       192.168.1.12
    ns2.ops.tanjie.com.     86141   IN      A       192.168.1.19
    ...
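The zone file comment above says the ns1/ns2 addresses must match what the parent zone defines. The following is an added example (Python, not part of the original post) that parses the NS and A records of the two lab zones, embedded inline without their SOA and $TTL lines, and reports any delegation NS set or glue A record in tanjie.com that disagrees with ops.tanjie.com; `parse_zone`, `check_delegation` and `fqdn` are names chosen here.

```python
# Added example (not from the original post): checks that the delegation in the parent zone agrees with the child zone.
PARENT_ZONE = """$ORIGIN tanjie.com.
@        IN NS ns1
ns1      IN A  192.168.1.11
ops      IN NS ns1.ops
ops      IN NS ns2.ops
ns1.ops  IN A  192.168.1.12
ns2.ops  IN A  192.168.1.19
"""
CHILD_ZONE = """$ORIGIN ops.tanjie.com.
@    IN NS ns1
     IN NS ns2
ns1  IN A  192.168.1.12  ; must match the glue the parent zone publishes
ns2  IN A  192.168.1.19
"""

def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text):
    """Return (origin, {(owner, type): set(rdata)}) for the NS and A records; SOA and $TTL are skipped."""
    origin, owner, rrs = "", "", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # ';' starts a zone-file comment ('#' does not)
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        if line.startswith("$") or not line.strip():
            continue                              # directives and blank lines carry no record
        fields = line.split()
        if not line[0].isspace():                 # owner present; a leading blank inherits the last owner
            owner = fqdn(fields.pop(0), origin)
        if fields[0] == "IN":
            fields.pop(0)
        if fields[0] in ("NS", "A"):
            value = fqdn(fields[1], origin) if fields[0] == "NS" else fields[1]
            rrs.setdefault((owner, fields[0]), set()).add(value)
    return origin, rrs

def check_delegation(parent_text, child_text):
    """Return the mismatches between the parent's delegation and the child zone (empty list = consistent)."""
    (_, parent), (apex, child) = parse_zone(parent_text), parse_zone(child_text)
    delegated, served = parent.get((apex, "NS"), set()), child.get((apex, "NS"), set())
    problems = [] if delegated == served else [f"NS set for {apex} differs: {sorted(delegated)} vs {sorted(served)}"]
    for ns in sorted(n for n in delegated if n.endswith("." + apex)):   # in-bailiwick servers need glue
        glue, real = parent.get((ns, "A"), set()), child.get((ns, "A"), set())
        if not glue:
            problems.append(f"no glue A record for {ns} in the parent zone")
        elif glue != real:
            problems.append(f"glue for {ns} {sorted(glue)} differs from the child zone {sorted(real)}")
    return problems
```

Run `check_delegation` on the real files before `rndc reload`; an empty list means the parent's NS and glue records agree with what the subdomain server will actually serve.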


4. To fix the subdomain server not being able to resolve the parent domain, define a forward zone for tanjie.com in /etc/named.rfc1912.zones on test machine 2. This zone acts only as a forwarder: every query for the tanjie.com zone is passed on to the servers listed in forwarders. (The subdomain server cannot find tanjie.com's name servers by itself, because the lab zone is not delegated from the public root.)

    # vim /etc/named.rfc1912.zones
    zone "tanjie.com" IN {
            type forward;
            forward only;
            forwarders { 192.168.1.11; };
    };
    # rndc reload
    server reload successful

Now the dig test for the parent domain against the subdomain server:

    # dig -t A www.tanjie.com @192.168.1.12
    ...
    ;; QUESTION SECTION:
    ;www.tanjie.com.                IN      A

    ;; ANSWER SECTION:
    www.tanjie.com.         86400   IN      A       192.168.1.11

    ;; AUTHORITY SECTION:
    tanjie.com.             86400   IN      NS      ns2.tanjie.com.
    tanjie.com.             86400   IN      NS      ns1.tanjie.com.

    ;; ADDITIONAL SECTION:
    ns2.tanjie.com.         86400   IN      A       192.168.1.18
    ns1.tanjie.com.         86400   IN      A       192.168.1.11

    ;; Query time: 55 msec
    ;; SERVER: 192.168.1.12#53(192.168.1.12)
    ;; WHEN: Thu Aug 13 12:43:21 2015
    ;; MSG SIZE  rcvd: 116

The subdomain server now resolves the parent domain successfully.



With that, subdomain delegation, subdomain-to-parent resolution and parent-to-subdomain resolution are all complete.
