Guide to installing BIND DNS on CentOS 7 (2024)

DNS stands for Domain Name System, the domain name resolution service: it translates domain names into IP addresses. For example, when you type anninhmang.edu.vn into your browser, the DNS server resolves that name to its corresponding IP address, 104.27.152.90. In practice, DNS spares ordinary users from having to remember unwieldy IP addresses, replacing them with domain names that are far more intuitive and memorable.

This step-by-step guide shows how to install and configure a DNS service on CentOS 7. The same steps also apply to Red Hat Linux and Scientific Linux 7.

Installing the DNS Server:

Three machines are used for this lab: one as the primary DNS server (the DNS Server Master), one as the secondary DNS server (the DNS Server Slave), and the remaining one as the client.

– Machine 1: DNS Server Master:

  • Operating system: CentOS 7
  • Hostname: masterdns.anninhmang.edu.vn
  • IP: 192.168.1.1/255.255.255.0

– Machine 2: DNS Server Slave:

  • Operating system: CentOS 7
  • Hostname: secondarydns.anninhmang.edu.vn
  • IP: 192.168.1.2/255.255.255.0

– Machine 3: DNS Client:

  • Operating system: CentOS 7
  • Hostname: client.anninhmang.edu.vn
  • IP: 192.168.1.3/255.255.255.0

Installing the DNS Server Master:

– First, install the bind package on the machine:

yum install bind bind-utils -y

Configuring the DNS Server:

– Locate and edit the file ‘/etc/named.conf’:

vi /etc/named.conf

– Add the lines marked below with ### comments, together with the two zone blocks for anninhmang.edu.vn and 1.168.192.in-addr.arpa:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.1.1; }; ### Master DNS IP ###
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; }; ### IP Range ###
        allow-transfer  { localhost; 192.168.1.2; };    ### Slave DNS IP ###

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "anninhmang.edu.vn" IN {
        type master;
        file "forward.anninhmang";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "reverse.anninhmang";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
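The three settings in this file that matter most for exposure are allow-transfer (who may copy the whole zone), recursion together with allow-query (who may use the server as a resolver) and listen-on (which interfaces named answers on). As an added example that is not part of the tutorial, the POSIX shell script below audits a named.conf for exactly those settings; the embedded sample files are constructed here, one from the tutorial's values and one deliberately weakened for comparison.

```shell
# Added example (not from the tutorial): audit a named.conf for the settings
# that control zone transfers, recursion and listening interfaces.
# Needs only POSIX sh, sed, grep and awk.

# strip_conf FILE: drop // and # comments and simple /* ... */ blocks (those
# with no '*' inside, which covers the stock file) so that the advice text
# in the comment block cannot trigger false positives.
strip_conf() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n' ' ' | sed -e 's|/\*[^*]*\*/||g'
}

# audit_named_conf FILE: print one finding per line; exit 0 only when clean.
audit_named_conf() {
    conf=$(strip_conf "$1")
    n=0
    # Zone transfers: without allow-transfer (or with "any") every host can
    # AXFR the zone, i.e. download a map of the whole network.
    if ! printf '%s' "$conf" | grep -Eq 'allow-transfer[[:space:]]*\{'; then
        echo "allow-transfer not set: zone transfers allowed to any host"; n=$((n+1))
    elif printf '%s' "$conf" | grep -Eq 'allow-transfer[[:space:]]*\{[^}]*any'; then
        echo "allow-transfer includes any"; n=$((n+1))
    fi
    # Recursion: "recursion yes" is acceptable only with an allow-query or
    # allow-recursion ACL that excludes "any"; otherwise this is an open
    # resolver, the amplification risk the stock comment block warns about.
    if printf '%s' "$conf" | grep -Eq 'recursion[[:space:]]+yes'; then
        if ! printf '%s' "$conf" | grep -Eq 'allow-(query|recursion)[[:space:]]*\{'; then
            echo "recursion yes without allow-query/allow-recursion: open resolver"; n=$((n+1))
        elif printf '%s' "$conf" | grep -Eq 'allow-(query|recursion)[[:space:]]*\{[^}]*any'; then
            echo "recursion yes and query ACL contains any: open resolver"; n=$((n+1))
        fi
    fi
    # listen-on any exposes named on every interface, not only the LAN one.
    if printf '%s' "$conf" | grep -Eq 'listen-on[[:space:]]+port[[:space:]]+53[[:space:]]*\{[^}]*any'; then
        echo "listen-on any: named reachable on all interfaces"; n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# count_findings FILE: number of findings, convenient as a CI or pre-reload gate.
count_findings() {
    audit_named_conf "$1" | awk 'END { print NR }'
}

# make_samples: write the tutorial's options (as above) and a constructed weak
# variant into a temp dir; prints the directory path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/tutorial.conf" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.1; }; ### Master DNS IP ###
#       listen-on-v6 port 53 { ::1; };
        allow-query     { localhost; 192.168.1.0/24; }; ### IP Range ###
        allow-transfer  { localhost; 192.168.1.2; };    ### Slave DNS IP ###
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
        */
        recursion yes;
};
EOF
    cat > "$d/weak.conf" <<'EOF'
options {
        listen-on port 53 { any; };
        allow-query     { any; };
        recursion yes;
};
EOF
    echo "$d"
}
```

Run `audit_named_conf /etc/named.conf` before `systemctl restart named`; the tutorial's configuration produces no findings, while the weak variant produces three.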

– Create the zone files:

As you saw in ‘/etc/named.conf’ above, the lines we added refer to two files, the forward and reverse zone files:

– Create the Forward Zone:

Create the file forward.anninhmang in the directory ‘/var/named’:

vi /var/named/forward.anninhmang

Add these lines:

$TTL 86400
@   IN  SOA     masterdns.anninhmang.edu.vn. root.anninhmang.edu.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.anninhmang.edu.vn.
@       IN  NS          secondarydns.anninhmang.edu.vn.
@       IN  A           192.168.1.1
@       IN  A           192.168.1.2
@       IN  A           192.168.1.3
masterdns       IN  A   192.168.1.1
secondarydns    IN  A   192.168.1.2
client          IN  A   192.168.1.3

– Create the Reverse Zone:

Create the file reverse.anninhmang in the directory ‘/var/named’:

vi /var/named/reverse.anninhmang

Add the following lines:

$TTL 86400
@   IN  SOA     masterdns.anninhmang.edu.vn. root.anninhmang.edu.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.anninhmang.edu.vn.
@       IN  NS          secondarydns.anninhmang.edu.vn.
@       IN  PTR         anninhmang.edu.vn.
masterdns       IN  A   192.168.1.1
secondarydns    IN  A   192.168.1.2
client          IN  A   192.168.1.3
1     IN  PTR         masterdns.anninhmang.edu.vn.
2     IN  PTR         secondarydns.anninhmang.edu.vn.
3     IN  PTR         client.anninhmang.edu.vn.
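The forward and reverse zones are maintained by hand, so they drift apart easily: a host added to forward.anninhmang without its PTR in reverse.anninhmang will still resolve, but reverse lookups in logs and audit trails will be wrong. As an added example that is not the tutorial's own code, the shell/awk check below cross-references the two zone files; the sample zones embedded in it are the tutorial's, plus a constructed extra host to show a mismatch.

```shell
# Added example (not from the tutorial): verify that every host A record in
# the forward zone has a matching PTR in the reverse zone and vice versa.

# zone_mismatches FORWARD REVERSE DOMAIN: print one line per inconsistency.
# Only host records (not the "@" apex) and numeric PTR labels are compared,
# assuming a /24 reverse zone such as 1.168.192.in-addr.arpa.
zone_mismatches() {
    awk -v dom="$3" '
        FNR == 1 { file++ }
        # forward zone: "host IN A a.b.c.d" -> PTR target we expect to see
        file == 1 && $1 != "@" && $2 == "IN" && $3 == "A" {
            n = split($4, o, ".")
            a[o[n]] = $1 "." dom "."
        }
        # reverse zone: "d IN PTR fqdn." keyed by the last octet
        file == 2 && $1 ~ /^[0-9]+$/ && $2 == "IN" && $3 == "PTR" { p[$1] = $4 }
        END {
            for (k in a) {
                if (!(k in p)) print "no PTR for " a[k]
                else if (p[k] != a[k]) print "PTR " k " is " p[k] ", expected " a[k]
            }
            for (k in p) if (!(k in a)) print "PTR " k " -> " p[k] " has no A record"
        }' "$1" "$2"
}

# mismatch_count FORWARD REVERSE DOMAIN: number of inconsistencies (0 = clean).
mismatch_count() {
    zone_mismatches "$1" "$2" "$3" | awk 'END { print NR }'
}

# make_zone_samples: write the tutorial zone files into a temp dir, plus a
# constructed forward zone with one host that has no PTR; prints the directory.
make_zone_samples() {
    d=$(mktemp -d)
    cat > "$d/forward.anninhmang" <<'EOF'
$TTL 86400
@   IN  SOA     masterdns.anninhmang.edu.vn. root.anninhmang.edu.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.anninhmang.edu.vn.
@       IN  NS          secondarydns.anninhmang.edu.vn.
@       IN  A           192.168.1.1
masterdns       IN  A   192.168.1.1
secondarydns    IN  A   192.168.1.2
client          IN  A   192.168.1.3
EOF
    cat > "$d/reverse.anninhmang" <<'EOF'
$TTL 86400
@   IN  SOA     masterdns.anninhmang.edu.vn. root.anninhmang.edu.vn. (
        2011071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
@       IN  NS          masterdns.anninhmang.edu.vn.
@       IN  PTR         anninhmang.edu.vn.
1     IN  PTR         masterdns.anninhmang.edu.vn.
2     IN  PTR         secondarydns.anninhmang.edu.vn.
3     IN  PTR         client.anninhmang.edu.vn.
EOF
    # constructed drift: a host added to the forward zone only
    { cat "$d/forward.anninhmang"; echo 'printer  IN  A   192.168.1.4'; } > "$d/forward-drift"
    echo "$d"
}
```

Run it as `zone_mismatches /var/named/forward.anninhmang /var/named/reverse.anninhmang anninhmang.edu.vn` alongside named-checkzone before reloading; it complements named-checkzone, which validates each file's syntax on its own but never compares the two.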

Starting the DNS Server service:

systemctl enable named
systemctl start named

Configuring the Firewall:

– Open port 53 on the firewall so that DNS traffic can pass:

firewall-cmd --permanent --add-port=53/tcp
firewall-cmd --permanent --add-port=53/udp

– Reload the firewall so the change takes effect:

firewall-cmd --reload

– Configuring SELinux, permissions and ownership:

Run each of the following commands in order:

– Test the DNS Server to make sure there are no errors:

Run the following command to check the DNS Server:

If the command prints nothing, the configuration is correct.

– Check the Forward Zone with the command:

– Output:

– Check the Reverse Zone with the command:

– Output:

– Add the DNS Server to the network interface configuration file:

– Edit the file /etc/resolv.conf:

– Add the Name Server's IP address:

Save and close the file.

– Restart the service:

– Test the DNS Server:

Run the command:

– Output:

– Next, run the command:

– The output is:

The DNS Server is now ready for use. Next, we configure the DNS Server Slave.

– On the Secondary DNS machine, run the following command to install the bind package:

yum install bind bind-utils -y

– Configure the Slave DNS Server:

– Start the DNS service:

systemctl enable named
systemctl start named

The Forward and Reverse zones are now transferred automatically from the DNS Master to the DNS Slave, into the directory ‘/var/named/slaves/’:

– The output will look like this:

– Configure the network interface to add the DNS server:

Add the highlighted lines:

– Open and edit the file /etc/resolv.conf:

– Add the Name Server's IP address:

Save and close the file.

Configuring the Firewall:

As on the DNS Master, open port 53 on the firewall so that the DNS service can pass:

– Reload the firewall with the command:

Configuring SELinux, permissions and ownership:

– Test the DNS Server Master:

Output:

Next, check the DNS Server Slave:

Output:

– Try resolving a domain name:

– Output:

– Configuring the Client machines:

On every client machine, add the IP addresses of the DNS servers to the file ‘/etc/resolv.conf’.