May 24, 2021 That's what Linux should learn
BIND (Berkeley Internet Name Domain) is the most widely used, secure and efficient domain name resolution service in the world. DNS is a basic Internet infrastructure service, so the weight of its responsibility is easy to imagine. For that reason it is recommended that, in a production environment, you install the bind service program together with the chroot (commonly called the "cage" mechanism) extension package, which effectively confines the bind service program to operating on its own configuration files and thereby protects the security of the whole server.
Install 1 Package (+1 Dependent package)
Total download size: 1.8 M
Installed size: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total 28 MB/s | 1.8 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-9.9.4-14.el7.x86_64 1/2
Installing : 32:bind-chroot-9.9.4-14.el7.x86_64 2/2
Verifying : 32:bind-9.9.4-14.el7.x86_64 1/2
Verifying : 32:bind-chroot-9.9.4-14.el7.x86_64 2/2
Installed:
bind-chroot.x86_64 32:9.9.4-14.el7
Dependency Installed:
bind.x86_64 32:9.9.4-14.el7
Complete!
Configuring the bind service program is not simple. To provide users with a sound DNS query service it must store the relevant domain name database locally, and if every domain name and IP address were written into a single configuration file it would hold an estimated tens of millions of parameters, which would hurt the program's efficiency and make later modification and maintenance inconvenient. The bind service program therefore splits its configuration across three key files.
Main configuration file (/etc/named.conf): only 58 lines long, and once the comments and blank lines are removed only about 30 lines of parameters actually define how the bind service program runs.
Zone configuration file (/etc/named.rfc1912.zones): records where the mappings between domain names and IP addresses are stored. It works like a book's table of contents: for each domain it points to the file that holds the corresponding IP address data, so that file can be found whenever it needs to be viewed or modified.
Data configuration file directory (/var/named): the directory that holds the data files containing the actual correspondence between domain names and IP addresses.
In Linux systems the bind service program is called named. First locate the service program's main configuration file in the /etc directory, then change the addresses on lines 11 and 17 to any, meaning that every IP address on the server provides DNS domain name resolution and that everyone is allowed to send DNS query requests to the server. These two places must be modified exactly.
[root@linuxprobe ~]# vim /etc/named.conf
 1 //
 2 // named.conf
 3 //
 4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 5 // server as a caching only nameserver (as a localhost DNS resolver only).
 6 //
 7 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 8 //
 9
10 options {
11         listen-on port 53 { any; };
12         listen-on-v6 port 53 { ::1; };
13         directory       "/var/named";
14         dump-file       "/var/named/data/cache_dump.db";
15         statistics-file "/var/named/data/named_stats.txt";
16         memstatistics-file "/var/named/data/named_mem_stats.txt";
17         allow-query     { any; };
18
19         /*
20          - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
21          - If you are building a RECURSIVE (caching) DNS server, you need to enable
22            recursion.
23          - If your recursive DNS server has a public IP address, you MUST enable access
24            control to limit queries to your legitimate users. Failing to do so will
25            cause your server to become part of large scale DNS amplification
26            attacks. Implementing BCP38 within your network would greatly
27            reduce such attack surface
28         */
29         recursion yes;
30
31         dnssec-enable yes;
32         dnssec-validation yes;
33         dnssec-lookaside auto;
34
35         /* Path to ISC DLV key */
36         bindkeys-file "/etc/named.iscdlv.key";
37
38         managed-keys-directory "/var/named/dynamic";
39
40         pid-file "/run/named/named.pid";
41         session-keyfile "/run/named/session.key";
42 };
43
44 logging {
45         channel default_debug {
46                 file "data/named.run";
47                 severity dynamic;
48         };
49 };
50
51 zone "." IN {
52         type hint;
53         file "named.ca";
54 };
55
56 include "/etc/named.rfc1912.zones";
57 include "/etc/named.root.key";
As mentioned earlier, the zone configuration file of the bind service program (/etc/named.rfc1912.zones) is used to record where the files holding the relationship between domain names and IP addresses are located.
This file stores the location of the files that hold the resolution rules between domain names and IP addresses, the service type and similar information; it does not contain the specific domain-name-to-IP-address correspondences themselves. There are three service types: hint (root zone), master (primary zone) and slave (secondary zone), of which the commonly used master and slave refer to the primary and secondary servers respectively. The parameters for forward resolution (domain name to IP address) and reverse resolution (IP address to domain name) are shown in Figures 13-3 and 13-4.
Figure 13-3 Forward resolution parameters
Figure 13-4 Reverse resolution parameters
In the lab that follows, the main, zone and data configuration files of the bind service program are modified in turn. If the bind service program fails to start during the lab and you suspect a mistyped parameter, run the named-checkconf command to check the main configuration file and the named-checkzone command to check the data configuration files for syntax or parameter errors.
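The stock named.conf shown above keeps "recursion yes;" while the lab sets "allow-query { any; };", which is exactly the combination its own comment block warns about for servers with a public address. The following script is an added example, not part of the original article: it strips comments from a named.conf, reports whether the effective recursion ACL is open, and wraps the named-checkconf and named-checkzone checks the article mentions (the /var/named/chroot path is the bind-chroot layout and is assumed here; the sample configuration it writes is constructed).

```shell
#!/bin/sh
# Added example (not from the original article): flag the "recursion yes" plus
# "allow-query { any; }" combination that the stock named.conf comment warns
# about, and run the named-checkconf / named-checkzone checks the article names.

# Remove // and /* ... */ comments so commented-out directives are ignored.
strip_comments() {
    awk '{ s = $0; out = ""
           while (length(s) > 0) {
               if (inblk) { i = index(s, "*/"); if (i == 0) break
                            s = substr(s, i + 2); inblk = 0 }
               else { i = index(s, "/*")
                      if (i == 0) { out = out s; break }
                      out = out substr(s, 1, i - 1); s = substr(s, i + 2); inblk = 1 }
           }
           sub(/\/\/.*$/, "", out); print out }' "$1"
}

# Exit 0 when the file describes an open recursive resolver: recursion is on and
# the effective recursion ACL (allow-recursion, else allow-query) is "any".
is_open_resolver() {
    conf=$(strip_comments "$1")
    printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*recursion[[:space:]]+yes[[:space:]]*;' || return 1
    acl=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*allow-recursion[[:space:]]*\{' | head -n 1)
    [ -n "$acl" ] || acl=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*allow-query[[:space:]]*\{' | head -n 1)
    printf '%s\n' "$acl" | grep -Eq '\{[[:space:]]*any[[:space:]]*;[[:space:]]*\}'
}

# Constructed sample mirroring the article's edit (lines 11 and 17 set to any)
# with the stock "recursion yes;". An optional $2 adds an allow-recursion ACL.
write_sample() {
    {
        printf 'options {\n\tlisten-on port 53 { any; };\n'
        printf '\tdirectory "/var/named";\n\tallow-query { any; };\n'
        printf '\t/* allow-recursion { any; }; is commented out and must be ignored */\n'
        if [ -n "$2" ]; then printf '\tallow-recursion { %s };\n' "$2"; fi
        printf '\trecursion yes;\n};\n'
    } > "$1"
}

# The article's syntax checks; -t is named-checkconf's chroot option, pointed at
# the bind-chroot layout (/var/named/chroot is an assumed path).
check_bind() {  # check_bind <zone name> <zone file name under /var/named>
    named-checkconf -t /var/named/chroot /etc/named.conf &&
        named-checkzone "$1" "/var/named/chroot/var/named/$2"
}
```

Running is_open_resolver against /etc/named.conf after the lab edit reports an open resolver; adding an allow-recursion statement limited to your own networks makes it report restricted recursion while allow-query stays any.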