1. The default install should already include bind-chroot; if it is missing, install it first.
yum -y install bind bind-chroot
2. Put each configuration file in its proper location. The domain must have a forward zone file; if you run a mail server you must also have a reverse zone file for the public address; the rest are optional.
The BIND configuration file named.conf lives in /etc.
The zone files are:
DNS forward zone file for the domain
DNS reverse zone file for the internal network
DNS reverse zone file for the public network
DNS local zone file
These four files go into /var/named.
After the package is installed, the following are already present:
named.ca
named.empty
named.localhost
named.loopback
They are also in /var/named and need no changes.
3. Adjust named.conf
vi /etc/named.conf
Change listen-on port 53 to any
Change allow-query to any
Comment out or delete zone "localhost"
It is already included elsewhere, and a duplicate declaration makes BIND fail with an error when it starts.
Add each zone (forward zone, internal reverse zone, public reverse zone, local zone); for the zone syntax see 鳥哥 (VBird) or other references.
4. Open TCP and UDP port 53 inbound on the firewall.
5. Start named
systemctl enable named.service
systemctl enable named-chroot.service
systemctl restart named.service
systemctl restart named-chroot.service
6. Check for errors and test
nslookup
tail -n 30 /var/log/messages | grep named
7. DNS check websites:
https://rs.twnic.net.tw/cgi-bin/dns.cgi
https://intodns.com/
http://dns.squish.net/
8. If /var/log/messages shows something like the following
error (network unreachable) resolving 'XXXXXXXX/A/IN': 2400:cb00:2049:1::a29f:1c39#53
it is because the host's network interface has no IPv6 address configured; you can avoid it by telling named to use IPv4 only.
vi /etc/sysconfig/named
OPTIONS="-4"
9. Blocking DoS/DDoS attacks:
Turn off recursive queries for clients outside your own range
// define the allowed-IP range
acl "allowed-IP" {
    192.168.0.0/24;
    localhost;
    localnets;
};
vi /etc/named.conf
options {
    allow-query { any; };
    allow-recursion { allowed-IP; };
};
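The edits from step 3 (listen-on, allow-query, the duplicate zone "localhost") and step 9 (the allowed-IP ACL and allow-recursion) are easy to get half-done by hand, so here is an added example script that applies them in one idempotent pass. It is not part of the original post; the ACL name allowed-IP and the range 192.168.0.0/24 are the values the post uses, the script name and its arguments are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the post): apply the named.conf changes from steps 3
# and 9 in one idempotent pass. The ACL name "allowed-IP" and the internal
# range 192.168.0.0/24 are the values the post uses; everything else here is
# this example's own assumption. A copy of the original is kept as <file>.bak.

harden_named_conf() {
    conf=$1                      # named.conf to rewrite in place
    acl=${2:-allowed-IP}         # ACL that is allowed to recurse
    range=${3:-192.168.0.0/24}   # internal range placed in that ACL
    cp "$conf" "$conf.bak"
    {
        # The acl must be defined before options references it, so it goes
        # first (skipped when the file already defines an acl of that name).
        if ! grep -q "^acl \"$acl\"" "$conf.bak"; then
            printf 'acl "%s" {\n\t%s;\n\tlocalhost;\n\tlocalnets;\n};\n' "$acl" "$range"
        fi
        awk -v acl="$acl" '
            # drop any earlier allow-recursion so re-running never duplicates it
            /^[[:space:]]*allow-recursion[[:space:]]/ { next }
            # step 3: listen on every address (listen-on-v6 is left untouched)
            /^[[:space:]]*listen-on[[:space:]]+port[[:space:]]+53/ { sub(/\{[^}]*\}/, "{ any; }") }
            # step 3 + 9: answer anyone, but recurse only for the ACL
            /^[[:space:]]*allow-query[[:space:]]/ {
                sub(/\{[^}]*\}/, "{ any; }")
                print
                print "\tallow-recursion { " acl "; };"
                next
            }
            # step 3: comment out a duplicate zone "localhost" block, tracking
            # braces so that only this block is touched
            /^[[:space:]]*zone[[:space:]]+"localhost"/ { inzone = 1; depth = 0 }
            inzone {
                depth += gsub(/\{/, "{")
                depth -= gsub(/\}/, "}")
                print "// " $0
                if (depth == 0 && /\}/) inzone = 0
                next
            }
            { print }
        ' "$conf.bak"
    } > "$conf"
}

# Usage: sh harden.sh /etc/named.conf [acl-name] [allowed-range]
# Run named-checkconf on the result before restarting named.
if [ -n "${1:-}" ]; then
    harden_named_conf "$1" "${2:-allowed-IP}" "${3:-192.168.0.0/24}"
fi
```

Running it twice leaves the file unchanged after the first pass, because the ACL is only prepended when absent, the old allow-recursion line is dropped before the new one is written, and an already commented zone block no longer matches the zone pattern.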
Pair it with fail2ban to block offenders (fail2ban greatly increases CPU load; if recursion is already restricted or rate-limit is configured, it is better not to use it).
If bind-chroot is installed, the log files are confined inside the chroot, so first create a symlink to them:
ln -s /var/named/chroot/var/log /var/log/named
logging
{
    channel default-log {
        file "/var/log/named/named_default.log" versions 10 size 200m;
        severity info;
        print-time yes;
    };
    channel lamer-log {
        file "/var/log/named/named_lamer.log" versions 3 size 100m;
        severity info;
        print-severity yes;
        print-time yes;
        print-category yes;
    };
    channel query-log {
        file "/var/log/named/named_query.log" versions 10 size 1000m;
        severity info;
        print-time yes;
    };
    channel security-log {
        file "/var/log/named/named_security.log" versions 3 size 100m;
        severity dynamic;
        print-time yes;
    };
    category lame-servers { lamer-log; };
    category security { security-log; };
    category queries { query-log; };
    category default { default-log; };
};
vi /etc/fail2ban/jail.conf
[named-refused-udp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=udp]
logpath = /var/log/named/named_security.log
bantime = 30000000
[named-refused-tcp]
enabled = true
filter = named-refused
action = iptables-multiport[name=Named, port="domain,953", protocol=tcp]
logpath = /var/log/named/named_security.log
bantime = 30000000
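Before deciding whether fail2ban is worth its CPU cost, it helps to look at what the security channel above actually records. The following added script (not from the post) counts the recursion-denied answers per client in that log, which are the same lines fail2ban's named-refused filter matches on. The sample log lines are constructed for this example in the format BIND writes when print-time, print-severity and print-category are on; the function names and the threshold are this example's own.

```shell
#!/bin/sh
# Added example, not from the post: count recursion-denied queries per client
# in the BIND security channel configured above. SAMPLE_LOG is constructed
# data in the format BIND writes with print-time / print-category on.

SAMPLE_LOG="18-Mar-2019 10:00:01.123 security: info: client 203.0.113.5#53412 (isc.org): query (cache) 'isc.org/ANY/IN' denied
18-Mar-2019 10:00:01.456 security: info: client 203.0.113.5#53413 (isc.org): query (cache) 'isc.org/ANY/IN' denied
18-Mar-2019 10:00:02.001 security: info: client 198.51.100.7#4000 (example.net): query (cache) 'example.net/A/IN' denied
18-Mar-2019 10:00:02.777 general: info: zone example.com/IN: loaded serial 2019031801
18-Mar-2019 10:00:03.012 security: info: client 203.0.113.5#53414 (isc.org): query (cache) 'isc.org/ANY/IN' denied"

# Reads log lines on stdin; prints "<count> <client-ip>" for every client that
# received a 'denied' answer, busiest client first. Only query lines ending in
# "denied" are counted; other categories in the same file are ignored.
denied_per_client() {
    awk '
        /: query .* denied$/ {
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), a, "#"); n[a[1]]++ }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Prints only the clients whose denied count exceeds the threshold in $1,
# i.e. the candidates that a ban or a tighter ACL would have to cover.
over_threshold() {
    denied_per_client | awk -v limit="$1" '$1 > limit { print $2 }'
}

# Stand-alone usage: analyse the real security log when it is readable,
# otherwise show the per-client counts for the constructed sample.
if [ -r /var/log/named/named_security.log ]; then
    over_threshold 100 < /var/log/named/named_security.log
else
    printf '%s\n' "$SAMPLE_LOG" | denied_per_client
fi
```

If the output is a handful of addresses sending thousands of ANY queries each, rate-limit (step 10) handles them without the per-line cost of fail2ban; if it is one address hammering a non-recursive server, the allow-recursion ACL is already doing the work and the log noise is all that remains.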
10. BIND 9.1 and later support the rate-limit feature, which helps fend off DNS amplification and reflection attacks.
vi /etc/named.conf (add the following inside the options braces)
options {
    .......
    rate-limit {
        ipv4-prefix-length 32;
        window 10;
        responses-per-second 20;
        errors-per-second 5;
        nxdomains-per-second 5;
        slip 2;
    };
    ..........
};
11. If you do not want the log to keep filling up with a constant stream of DNS DDoS attacks, and you are sure all the protections above are in place,
you can turn logging off completely; nothing will appear even in /var/log/messages.
vi /etc/named.conf
category lame-servers { null; };
category security { null; };
category queries { null; };
category default { null; };