Time: 2023-02-20 09:24:01 | Source: 建站知識
Rocky Linux-0090-Tutorial-DNS-Private Domain Name Resolution with Bind-06: First, create a file in /etc called "firewall.conf" that will contain the following rules. This is a bare minimum rule set, and you may need to tweak this for your environment:
#!/bin/sh
#
#IPTABLES=/usr/sbin/iptables
# Unless specified, the default for OUTPUT is ACCEPT
# The default for FORWARD and INPUT is DROP
#
echo " clearing any existing rules and setting default policy.."
iptables -F INPUT
iptables -P INPUT DROP
iptables -A INPUT -p tcp -m tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
# dns rules
iptables -A INPUT -p udp -m udp -s 192.168.1.0/24 --dport 53 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
/usr/sbin/service iptables save
Let's evaluate the rules above:
The first "iptables" line flushes the rules currently loaded in the INPUT chain (-F INPUT).
Next, we set a default policy of DROP for the INPUT chain. This means that if traffic is not explicitly allowed here, it is dropped.
Next, we have an SSH rule for our local network, so that we can get into the DNS server remotely.
Then we have our DNS allow rule, only for our local network. Note that DNS uses the UDP protocol (User Datagram Protocol). This rule set opens only UDP port 53; DNS also uses TCP port 53 for zone transfers and for responses too large to fit in a UDP packet, so add a matching TCP rule if you need those.
Next we allow INPUT from the local (loopback) interface.
Then, if a connection has already been established for something else, we allow the related packets in as well.
And finally we reject everything else.
The last line tells iptables to save the rules so that when the machine restarts, the rules will load as well.
Once our firewall.conf file is created, we need to make it executable:
chmod +x /etc/firewall.conf
Then run it:
/etc/firewall.conf
And this is what you should get in return. If you get something else, take a look at your script for errors:
 clearing any existing rules and setting default policy..
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]
With firewalld, we are duplicating the rules highlighted in iptables above. We aren't making any other assumptions about the network or services that might be needed. We are turning on SSH access and DNS access for our LAN network only. For this, we will use the firewalld built-in zone, "trusted". We will also have to make some service changes to the "public" zone in order to limit SSH access to the LAN.
The first step is to add our LAN network to the "trusted" zone:
firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent
Next, we need to add our two services to the "trusted" zone:
firewall-cmd --zone=trusted --add-service=ssh --permanent
firewall-cmd --zone=trusted --add-service=dns --permanent
Finally, we need to remove the SSH service from our "public" zone, which is on by default:
firewall-cmd --zone=public --remove-service=ssh --permanent
Next, reload the firewall and then list out the zone that we've made changes to:
firewall-cmd --reload
firewall-cmd --zone=trusted --list-all
Which should show that you have correctly added the services and the source network:
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Listing out the "public" zone should show that SSH access is no longer allowed:
firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
These rules should get you DNS resolution on your private DNS server from hosts on the 192.168.1.0/24 network. In addition, you should be able to SSH from any of those hosts into your private DNS server.
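As an added check (this script is not part of the Rocky Linux guide), the following POSIX shell functions parse `firewall-cmd --zone=<zone> --list-all` output and confirm the policy above actually took effect: the LAN source plus the dns and ssh services in "trusted", and no ssh left in "public". The zone listings embedded below are constructed samples in the format the guide shows; on a live server you would pass `"$(firewall-cmd --zone=trusted --list-all)"` instead.

```shell
#!/bin/sh
# Added example (not part of the Rocky Linux guide): check that firewalld zone
# listings match the intended private-DNS policy. Each function takes the text
# of `firewall-cmd --zone=<zone> --list-all` as an argument, so the check also
# runs offline against a saved listing.

# zone_has_entry LISTING KEY VALUE -> exit 0 when VALUE appears on the "KEY:" line
zone_has_entry() {
    printf '%s\n' "$1" | awk -v key="$2:" -v val="$3" '
        $1 == key { for (i = 2; i <= NF; i++) if ($i == val) found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_dns_firewall TRUSTED_LISTING PUBLIC_LISTING -> exit 0 when the policy
# from the guide holds: LAN source plus dns and ssh in "trusted", no ssh in "public"
check_dns_firewall() {
    zone_has_entry "$1" sources 192.168.1.0/24 || { echo "trusted: LAN source missing"; return 1; }
    zone_has_entry "$1" services dns || { echo "trusted: dns service missing"; return 1; }
    zone_has_entry "$1" services ssh || { echo "trusted: ssh service missing"; return 1; }
    if zone_has_entry "$2" services ssh; then echo "public: ssh still allowed"; return 1; fi
    return 0
}

# Constructed listings in the format firewall-cmd prints (see the guide's output).
TRUSTED_OK='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:'
PUBLIC_OK='public
  target: default
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:'
# The default public zone, before "--remove-service=ssh": the check must fail here.
PUBLIC_BAD='public
  target: default
  sources:
  services: cockpit dhcpv6-client ssh
  ports:'

check_dns_firewall "$TRUSTED_OK" "$PUBLIC_OK" && echo "policy OK"
check_dns_firewall "$TRUSTED_OK" "$PUBLIC_BAD" || echo "policy NOT OK (expected for the default public zone)"
```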
While using /etc/hosts on an individual workstation will get you access to a machine on your internal network, you can only use it on that one machine. By adding a private DNS server using bind, you can add hosts to the DNS, and as long as the workstations have access to that private DNS server, they will be able to get to these local servers.
If you don't need machines to resolve names on the Internet, but do need local access from several machines to local servers, then consider using a private DNS server instead.
Last update: October 11, 2022
Author: Steven Spencer
Contributors: Ezequiel Bruni
Keywords: private, tutorial
Copyright © 億企邦 1997-2025. All rights reserved.