标签:10.0 named NAT IP magedu centos7 DNS 原理 root
-
简述DNS服务器原理,并搭建主-辅服务器。
1. 客户端向DNS代理发起查询请求 2. DNS代理查询本地缓存,如果有结果则直接返回,否则向根域名服务器 . 发起查询请求 3. 根域名收到查询请求后发现自身不负责该域名解析,因此返回子域 .com 的地址 4. NDS代理向 .com 发起查询请求,但 .com 也不负责该域名解析,因此返回子域 magedu.com 的地址 5. DNS代理向 .magedu.com发起查询请求,成功拿到DNS解析结果 6. DNS代理将解析结果缓存在本地,并将解析结果返回给客户端 -
搭建并实现智能DNS。
-
环境准备
一共需要五台主机 DNS主服务器和web服务器1:10.0.0.8/24,172.16.0.8/16 (模拟除北京上海两地之外的缺省调度) web服务器2:10.0.0.7/24 (模拟北京的web服务) web服务器3:172.16.0.7/16 (模拟上海的web服务) DNS客户端1:10.0.0.6/24 (模拟北京的client) DNS客户端2:172.16.0.6/16 (模拟上海的client) 五台机器均关闭SElinux、关闭防火墙、时间同步 -
实现效果:北京上海两地的client发起curl www.magedu.org请求时,分别由各自的本地的web服务器进行响应。
-
DNS主服务器(也是web服务器)安装bind并配置view
[root@centos7 ~]# rpm -q bind || yum install -y bind bind-9.11.4-26.P2.el7_9.9.x86_64 [root@centos7 ~]# cat /etc/named.conf acl beijingnet { 10.0.0.0/24; }; acl shanghainet { 172.16.0.0/16; }; acl othernet { any; }; view beijingview { match-clients { beijingnet;}; include "/etc/named.rfc1912.zones.bj"; }; view shanghaiview { match-clients { shanghainet;}; include "/etc/named.rfc1912.zones.sh"; }; view otherview { match-clients { othernet;}; include "/etc/named.rfc1912.zones.other"; }; options { # listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; recursing-file "/var/named/data/named.recursing"; secroots-file "/var/named/data/named.secroots"; # allow-query { localhost; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.root.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; include "/etc/named.root.key"; -
创建区域配置文件并修改所属组
[root@centos7 ~]# cat /etc/named.rfc1912.zones.bj zone "." IN { type hint; file "named.ca"; }; zone "magedu.org" { type master; file "magedu.org.zone.bj"; }; [root@centos7 ~]# cat /etc/named.rfc1912.zones.sh zone "." IN { type hint; file "named.ca"; }; zone "magedu.org" { type master; file "magedu.org.zone.sh"; }; [root@centos7 ~]# cat /etc/named.rfc1912.zones.other zone "." IN { type hint; file "named.ca"; }; zone "magedu.org" { type master; file "magedu.org.zone.other"; }; [root@centos7 ~]# chgrp named /etc/named.rfc1912.zones.bj [root@centos7 ~]# chgrp named /etc/named.rfc1912.zones.sh [root@centos7 ~]# chgrp named /etc/named.rfc1912.zones.othe -
创建区域数据库文件并修改所属组
[root@centos7 ~]# cat /var/named/magedu.org.zone.bj $TTL 1D @ IN SOA master admin.magedu.org. ( 2019042214 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS master master A 10.0.0.8 websrv A 10.0.0.7 www CNAME websrv [root@centos7 ~]# cat /var/named/magedu.org.zone.sh $TTL 1D @ IN SOA master admin.magedu.org. ( 2019042214 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS master master A 10.0.0.8 websrv A 172.16.0.7 www CNAME websrv [root@centos7 ~]# cat /var/named/magedu.org.zone.other $TTL 1D @ IN SOA master admin.magedu.org. ( 2019042214 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum NS master master A 10.0.0.8 websrv A 127.0.0.1 www CNAME websrv [root@centos7 ~]# chgrp named /var/named/magedu.org.zone.bj [root@centos7 ~]# chgrp named /var/named/magedu.org.zone.sh [root@centos7 ~]# chgrp named /var/named/magedu.org.zone.other [root@centos7 ~]# systemctl start named #首次启动服务 [root@centos7 ~]# rndc reload #不停服务的状态下重载配置文件 -
在三个不同区域的搭建web服务
#分别在三台主机上安装http服务 #在web服务器1:10.0.0.8/24实现 yum install httpd echo www.magedu.org in Other > /var/www/html/index.html systemctl start httpd #在web服务器2:10.0.0.7/16 echo www.magedu.org in Beijing > /var/www/html/index.html systemctl start httpd #在web服务器3:172.16.0.7/16 yum install httpd echo www.magedu.org in Shanghai > /var/www/html/index.html systemctl start httpd -
三台client分别进行访问测试(注意配置域名解析服务器)
-
-
使用iptable实现: 放行ssh,telnet, ftp, web服务80端口,其他端口服务全部拒绝。
- iptables数据包流向
- 添加防火墙策略
#防火墙初始无任何规则 [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination #服务涉及端口:ftp(20,21),ssh(22),telnet(23),web(80) #添加两条规则(注意次序),此处不建议修改防火墙缺省规则为黑名单来实现————不够灵活,使用起来不方便 [root@centos7 ~]# iptables -A INPUT -p tcp -m multiport --dports 20:23,80 -j ACCEPT #放行相应端口 [root@centos7 ~]# iptables -A INPUT -j REJECT #上一条规则未匹配到的端口全部拒绝 [root@centos7 ~]# iptables -vnL Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 146 8636 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 20:23,80 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 38 packets, 2960 bytes) pkts bytes target prot opt in out source destination [root@centos7 ~]# ping localhost PING localhost (127.0.0.1) 56(84) bytes of data. - 验证结果————ssh,httpd服务均正常,ping命令失效
- iptables数据包流向
-
NAT原理总结(转载于:https://www.cnblogs.com/derrick/p/4052401.html?utm_source=tuicool&utm_medium=referral#undefined)
-
NAT: network address translation
-
NAT有三种类型:静态NAT(Static NAT)、动态地址NAT(Pooled NAT)、网络地址端口转换NAPT(Port-Level NAT)
NAT的基本工作原理是,当私有网主机和公共网主机通信的IP包经过NAT网关时,将IP包中的源IP或目的IP在私有IP和NAT的公共IP之间进行转换。
-
如下图所示,NAT网关有2个网络端口,其中公共网络端口的IP地址是统一分配的公共 IP,为202.20.65.5;私有网络端口的IP地址是保留地址为192.168.1.1。私有网中的主机192.168.1.2向公共网中的主机202.20.65.4发送了1个IP包(Dst=202.20.65.4,Src=192.168.1.2)。
-
当IP包经过NAT网关时,NAT Gateway会将IP包的源IP转换为NAT Gateway的公共IP并转发到公共网,此时IP包(Dst=202.20.65.4,Src=202.20.65.5)中已经不含任何私有网IP的信息。由于IP包的源IP已经被转换成NAT Gateway的公共IP,Web Server发出的响应IP包(Dst= 202.20.65.5,Src=202.20.65.4)将被发送到NAT Gateway。
-
这时,NAT Gateway会将IP包的目的IP转换成私有网中主机的IP,然后将IP包(Des=192.168.1.2,Src=202.20.65.4)转发到私有网。对于通信双方而言,这种地址的转换过程是完全透明的。转换示意图如下
-
如果内网主机发出的请求包未经过NAT,那么当Web Server收到请求包,回复的响应包中的目的地址就是私有网络IP地址,在Internet上无法正确送达,导致连接失败
-
-
iptables实现SNAT和DNAT(注意要关闭相应VMnet的DHCP服务,否则使手动配置的IP失效),并对规则持久保存。
- 每台主机需要提前关闭firewalld和selinux
- 网络拓扑(10.0.0.0/24为内网环境,192.168.0.0/24为外网环境)
- 未配置SNAT和DNAT是两边网络不互通
- 主要配置(firewall)
[root@firewall ~]# cat /etc/sysctl.conf net.ipv4.ip_forward=1 [root@firewall ~]# sysctl -p net.ipv4.ip_forward = 1 [root@firewall ~]# hostname -I 192.168.0.8 10.0.0.8 #启动SNAT功能 [root@firewall ~]# iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -j MASQUERADE #启用DNAT功能,将访问10.0.0.8的请求映射到10.0.0.7:80(该机器提前装好httpd并执行echo DNAT is successfull > /var/www/html/index.html) [root@firewall ~]# iptables -vnL -t nat Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.8 tcp dpt:80 to:192.168.100.7 Chain INPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4 336 MASQUERADE all -- * * 10.0.0.0/24 0.0.0.0/0 - 内网(10.0.0.0/24)可以ping通外网(192.168.0.0/24)
- 由于未提前在10.0.0.6安装curl,且10.0.0.7也未安装httpd。因此没有DNAT的结果验证。读者应提前安装相应软件,而后在10.0.0.6执行curl 10.0.0.8验证结果。
标签:10.0,named,NAT,IP,magedu,centos7,DNS,原理,root 来源: https://www.cnblogs.com/peen/p/16210089.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。