dns-06-Security Settings

dns-06-Security Settings

Experimental environment

ns1.magedu.com 172.18.71.101/24 centos-6.7-x86_64 Parent domain can connect to Internet ns1.dev.magedu.com 172.18.71.102/24 centos-7.2-x86_64 Child Domain cannot connect to Internet Localhost.localdomain 172.18.71.103/24 centos-7.2-x86_64 test machine

iptables and selinux is turned off.

Installationbind

[email protected] ~]# Yum install-y bind bind-libs bind-utils

/etc/named.conf , commenting out only allow native query requests and dnssec (which may affect experimental results) and add ip address.

Options {listen-on port 53 {127.0.0.1; 172.18.71.101;};    ...//allow-query {localhost;};    ...//dnssec-enable yes;    Dnssec-validation Yes;    Dnssec-lookaside Auto; ...};

Time synchronization

In general, multi-node collaboration is the first step to calibrate the time to synchronize time. In the networked state can be used to ntpdate unify the command to find the timing center calibration, can not be networked with date command manual calibration.

Security settings for recursive queries

First, a parent domain server and a subdomain server are configured with reference to dns-05-forwarding, and global forwarding is set in the subdomain to forward all non-intra-domain resolution requests to the parent domain server.

dig command test, which can be resolved at this time.

[[email protected] ~]# dig -t a www.baidu.com @172.18.71.102; << >> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com  @172.18.71.102;;  global options: +cmd;;  Got answer:;;  ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26725;;  flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0,  additional: 1;;  OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;;  QUESTION SECTION:;www.baidu.com.             IN    A;;  ANSWER SECTION:www.baidu.com.        1197     IN    CNAME    www.a.shifen.com.www.a.shifen.com.      296    in    a    61.135.169.121www.a.shifen.com.     296    IN    A     61.135.169.125;;  Query time: 1 msec;;  server: 172.18.71.102#53 (172.18.71.102);  WHEN:  Six  4 month  09 02:58:41 CST 2016;;  msg size  rcvd: 101

setting in the parent domain Server master configuration file /etc/named.conf does not allow recursive queries to any hosts.

Options {... allow-recursion {none;}; ...    };

Overloaded configuration Files

[Email protected] named]# RNDC reloadserver Reload Successful

Emptying the cache for parent and child domains

[[email protected] named]# RNDC flush

Once again, the discovery has not been resolved.

[[email protected] ~]# dig -t a www.baidu.com @172.18.71.102; << >> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com  @172.18.71.102;;  global options: +cmd;;  Got answer:;;  ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 23120;;  flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0,  additional: 1;;  OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;;  QUESTION SECTION:;www.baidu.com.             IN    A;;  Query time: 2 msec;;  server: 172.18.71.102#53 (172.18.71.102);  WHEN:  Six  4 month  09 03:01:25 CST 2016;;  msg size  rcvd: 42

In the parent domain Server master configuration file/etc/named.confAdds aACLListinternel_network, the subdomain serverIPAddress to join this list, and set only allow recursive queries to the hosts in this list.

Options {... allow-recursion {internal_network;    }; ...    };    ACL internal_network {172.18.71.102; 172.18.71.0/24;};

Overloaded configuration Files

[Email protected] named]# RNDC reloadserver Reload Successful

Test again, and you can parse it.

[[email protected] ~]# dig -t a www.baidu.com @172.18.71.102; << >> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> -t A www.baidu.com  @172.18.71.102;;  global options: +cmd;;  Got answer:;;  ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49036;;  flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0,  additional: 1;;  OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;;  QUESTION SECTION:;www.baidu.com.             IN    A;;  ANSWER SECTION:www.baidu.com.        1200     IN    CNAME    www.a.shifen.com.www.a.shifen.com.      300    in    a    61.135.169.125www.a.shifen.com.     300    IN    A     61.135.169.121;;  Query time: 2560 msec;;  server: 172.18.71.102#53 (172.18.71.102);  WHEN:  Six  4 month  09 03:08:43 CST 2016;;  msg size  rcvd: 101

Conclusion

The above settings allow you to restrict acl the hosts in the Access Control list () to initiate certain operations directives. Access control directives are:

Allow-query {};  A host of allowed queries; a whitelist; allow-transfer {}; Which hosts are allowed to do zone transfers; The default is to all hosts; should be configured to allow only from the server; allow-recursion {}; Which host is allowed to initiate recursive query requests to the current DNS server; should be configured to allow only internal networks and trusted hosts; allow-update {}; DDNS, allows dynamic update of the contents of the zone database file;

andaclIn addition to specifying a host or network, there are 4 built-in:none，any，local，localnet。 As a matter of factaclis not used for access control, it is just one or more host collections,in the view'smatch-clients {};can also be used in the.

This article is from the "knfprex3a29" blog, make sure to keep this source http://knfprex3a29.blog.51cto.com/9761463/1762191

dns-06-Security Settings