DNS
Scenario
options {
    listen-on port 53 { 127.0.0.1; 192.168.10.1; };  # master server IP
    # listen-on-v6 port 53 { ::1; };                  # this line is commented out
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.10.0/24; };     # broadcast domain (LAN)
    allow-transfer { localhost; 192.168.10.2; };     # secondary server IP

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "informatica.local" IN {
    type master;
    file "forward.informatica";
    allow-update { none; };
};

zone "10.168.192.in-addr.arpa" IN {
    type master;
    file "reverse.informatica";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
We create the zone configuration files
$TTL 1d
@ IN SOA masterdns.informatica.local. root.informatica.local. (
    2016070101 ;Serial
    1h         ;Refresh
    30m        ;Retry
    1w         ;Expire
    1d         ;Minimum TTL
)
@ IN NS masterdns.informatica.local.
@ IN NS secondarydns.informatica.local.
@ IN A 192.168.10.1
@ IN A 192.168.10.2
@ IN A 192.168.10.3
@ IN A 192.168.10.4
masterdns    IN A 192.168.10.1
secondarydns IN A 192.168.10.2
client1      IN A 192.168.10.3
client2      IN A 192.168.10.4
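The following is an added example, not part of the original lab, that runs the checks a practitioner would want before loading the zone above: that the SOA serial follows the YYYYMMDDnn convention (and how to bump it so the secondary actually pulls the update), that every in-zone NS name has an A record, that all addresses fall inside the allow-query network from named.conf, and it derives the PTR lines for the 10.168.192.in-addr.arpa reverse zone from the forward records. The zone text is a constructed copy of the forward zone shown above; the file name forward.informatica and the 192.168.10.0/24 network are taken from the lab, everything else (function names, the parser's limited syntax support) is this example's own assumption.

```python
"""Added example (not from the original lab): consistency checks over the
forward zone shown above and generation of the matching reverse zone."""

import ipaddress
from datetime import date

# Constructed copy of the forward zone above; assumed to be the content of
# /var/named/forward.informatica on the master.
ZONE = """\
$TTL 1d
@ IN SOA masterdns.informatica.local. root.informatica.local. (
    2016070101 ;Serial
    1h         ;Refresh
    30m        ;Retry
    1w         ;Expire
    1d         ;Minimum TTL
)
@ IN NS masterdns.informatica.local.
@ IN NS secondarydns.informatica.local.
@ IN A 192.168.10.1
@ IN A 192.168.10.2
@ IN A 192.168.10.3
@ IN A 192.168.10.4
masterdns IN A 192.168.10.1
secondarydns IN A 192.168.10.2
client1 IN A 192.168.10.3
client2 IN A 192.168.10.4
"""
ORIGIN = "informatica.local."
LAN = ipaddress.ip_network("192.168.10.0/24")  # allow-query network in named.conf


def parse_zone(text, origin=ORIGIN):
    """Return (soa_serial, records); records are (owner, type, rdata) with
    fully qualified owners. Covers only the syntax used here: $TTL, a
    parenthesised SOA, and one-line NS/A records with an explicit class."""
    serial, records, in_soa = None, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if in_soa:  # inside the SOA parentheses: the first value is the serial
            if serial is None:
                serial = int(line.split()[0])
            in_soa = ")" not in line
            continue
        if line.startswith("$"):  # $TTL and similar directives
            continue
        owner, _cls, rtype, *rdata = line.split()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        if rtype == "SOA":
            in_soa = ")" not in line
            continue
        records.append((owner, rtype, " ".join(rdata)))
    return serial, records


def serial_is_dated(serial):
    """True when the serial follows the YYYYMMDDnn convention with a real date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def bump_serial(serial, today):
    """Next YYYYMMDDnn serial for a zone edit made on `today` ("YYYYMMDD").
    The serial must increase or the secondary will keep its old copy."""
    if str(serial)[:8] == today:
        return serial + 1
    return int(today + "01")


def ns_without_glue(records, origin=ORIGIN):
    """In-zone NS targets with no A record, so the delegation points nowhere."""
    a_owners = {o for o, t, _ in records if t == "A"}
    return sorted(r for _, t, r in records
                  if t == "NS" and r.endswith(origin) and r not in a_owners)


def addresses_outside(records, net=LAN):
    """A records whose address lies outside the LAN the server answers for."""
    return sorted({r for _, t, r in records
                   if t == "A" and ipaddress.ip_address(r) not in net})


def reverse_zone_lines(records, origin=ORIGIN):
    """PTR lines for the /24 in-addr.arpa zone, one per address, taken from the
    host (non-apex) A records; the apex addresses duplicate those."""
    ptr = {}
    for owner, rtype, rdata in records:
        if rtype == "A" and owner != origin:
            ptr.setdefault(ipaddress.ip_address(rdata), owner)
    return [f"{str(ip).rsplit('.', 1)[1]} IN PTR {ptr[ip]}" for ip in sorted(ptr)]


if __name__ == "__main__":
    serial, records = parse_zone(ZONE)
    print("serial", serial, "dated:", serial_is_dated(serial))
    print("NS without glue:", ns_without_glue(records))
    print("addresses outside LAN:", addresses_outside(records))
    print("\n".join(reverse_zone_lines(records)))
```

The PTR lines are what reverse.informatica needs under its own SOA and NS records; named-checkzone on the real server remains the authoritative check, this script only catches the mistakes that survive a syntactically valid file.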
10. We add the firewall rule allowing the service through port 53 TCP/UDP
Success
Success
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s3
UUID=d2e18740-73cd-46e1-8fb4-190e8ad1ba60
DEVICE=enp0s3
ONBOOT=no
IPADDR=192.168.10.1
PREFIX=24
DNS1=192.168.10.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
# Generated by NetworkManager
nameserver 192.168.10.1
Server: 192.168.10.1
Address: 192.168.10.1#53
Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4
Name: informatica.local
Address: 192.168.10.1
options {
    listen-on port 53 { 127.0.0.1; 192.168.10.2; };
    # listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.10.0/24; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "informatica.local" IN {
    type slave;
    file "slaves/informatica.fwd";
    masters { 192.168.10.1; };
};

zone "10.168.192.in-addr.arpa" IN {
    type slave;
    file "slaves/informatica.rev";
    masters { 192.168.10.1; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
informatica.fwd informatica.rev
TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s3
UUID=d2e18740-73cd-46e1-8fb4-190e8ad1ba60
DEVICE=enp0s3
ONBOOT=no
IPADDR=192.168.10.2
PREFIX=24
DNS1=192.168.10.1
DNS2=192.168.10.2
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
# Generated by NetworkManager
nameserver 192.168.10.1
nameserver 192.168.10.2
10. We add the firewall rule allowing the service through port 53 TCP/UDP
Server: 192.168.10.1
Address: 192.168.10.1#53
Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4
Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.1
Client 1
# Generated by NetworkManager
search informatica.local
nameserver 192.168.10.1
nameserver 192.168.10.2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;masterdns.informatica.local. IN A
;; ANSWER SECTION:
masterdns.informatica.local. 86400 IN A 192.168.10.1
;; AUTHORITY SECTION:
informatica.local. 86400 IN NS secondarydns.informatica.local.
informatica.local. 86400 IN NS masterdns.informatica.local.
;; ADDITIONAL SECTION:
secondarydns.informatica.local. 86400 IN A 192.168.10.2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;secondarydns.informatica.local. IN A
;; ANSWER SECTION:
secondarydns.informatica.local. 86400 IN A 192.168.10.2
;; AUTHORITY SECTION:
informatica.local. 86400 IN NS masterdns.informatica.local.
informatica.local. 86400 IN NS secondarydns.informatica.local.
;; ADDITIONAL SECTION:
masterdns.informatica.local. 86400 IN A 192.168.10.1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;client1.informatica.local. IN A
;; ANSWER SECTION:
client1.informatica.local. 86400 IN A 192.168.10.3
;; AUTHORITY SECTION:
informatica.local. 86400 IN NS masterdns.informatica.local.
informatica.local. 86400 IN NS secondarydns.informatica.local.
;; ADDITIONAL SECTION:
masterdns.informatica.local. 86400 IN A 192.168.10.1
secondarydns.informatica.local. 86400 IN A 192.168.10.2
Server: 192.168.10.1
Address: 192.168.10.1#53
Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.1
Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4
Client 2
# Generated by NetworkManager
search informatica.local
nameserver 192.168.10.1
nameserver 192.168.10.2
Scenario
@ IN MX 10 mail.informatica.local.
@ IN A 192.168.10.100
mail IN A 192.168.10.100
@ IN MX 10 mail.informatica.local.
mail IN A 192.168.10.100
4. We add the default ports for SMTP (25), POP (110) and IMAP (143) to the firewall
5. We install Postfix
Using telnet
Trying ::1...
Connected to localhost.
Escape character is '^]'.
220 mail.informatica.local ESMTP Postfix
ehlo localhost # type this line
250-mail.informatica.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
mail from:<user1> # the user sending the mail
250 2.1.0 Ok
rcpt to:<user1> # the user receiving the mail
250 2.1.5 Ok
data # to start writing the message body
354 End data with <CR><LF>.<CR><LF>
Mensaje de prueba # the message body
. # to end the message
250 2.0.0 Ok: queued as E2B522032F93
quit # to exit
221 2.0.0 Bye
Connection closed by foreign host.
1469380254.Vfd00I315cb1M394920.mail.informatica.local
Return-Path: <root@informatica.local>
X-Original-To: user1@informatica.local
Delivered-To: user1@informatica.local
Received: by mail.informatica.local (Postfix, from userid 0)
id 688F72420178; Sun, 24 Jul 2016 18:22:01 -0500 (ECT)
Date: Sun, 24 Jul 2016 18:22:01 -0500
To: user1@informatica.local
Subject: Prueba
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20160724232201.688F72420178@mail.informatica.local>
From: root@informatica.local (root)
Mensaje de prueba
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
+OK Dovecot ready.
user user1 ## enter the user the mail was sent to
+OK
pass SO-xavier. ## the user's password
+OK Logged in.
list ## lists the user's messages
+OK 1 messages:
1 579
retr 1 ## to read the mail
+OK 579 octets
Return-Path: <root@informatica.local>
X-Original-To: test@informatica.local
Delivered-To: test@informatica.local
Received: by mail.informatica.local (Postfix, from userid 0)
id 51B8221E3FF8; Sun, 24 Jul 2016 13:51:43 -0500 (ECT)
Date: Sun, 24 Jul 2016 13:51:43 -0500
To: test@informatica.local
Subject: Prueba
User-Agent: Heirloom mailx 12.5 7/5/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20160724185143.51B8221E3FF8@mail.informatica.local>
From: root@informatica.local (root)
Mensaje de prueba
.
quit ## to exit
+OK Logging out.
Connection closed by foreign host.
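The two telnet sessions above (SMTP EHLO and POP3 login) are exactly what an administrator should read back for weak settings once the servers work. The following is an added example, not part of the original lab, that parses a constructed copy of the EHLO reply and a constructed transcript of the POP3 dialogue (password replaced by a placeholder) and reports two things a reviewer would flag: the server advertises VRFY, which confirms which local accounts exist (Postfix turns it off with the main.cf setting disable_vrfy_command = yes), and no STARTTLS is offered, so the POP3 PASS line and any message body travel in clear text. The function names and the finding codes are this example's own; the server name and extension list come from the page.

```python
"""Added example: audit the SMTP and POP3 dialogues shown above for weak settings."""

# Constructed copy of the EHLO reply shown in the telnet session above.
EHLO_REPLY = """\
250-mail.informatica.local
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

# Constructed transcript of the POP3 session above as (sender, line) pairs,
# "C" for client and "S" for server; the real password is not reproduced.
POP3_SESSION = [
    ("S", "+OK Dovecot ready."),
    ("C", "user user1"),
    ("S", "+OK"),
    ("C", "pass <password-placeholder>"),
    ("S", "+OK Logged in."),
    ("C", "list"),
    ("S", "+OK 1 messages:"),
    ("C", "retr 1"),
    ("S", "+OK 579 octets"),
    ("C", "quit"),
    ("S", "+OK Logging out."),
]


def parse_ehlo(reply):
    """Parse a multi-line 250 reply into (server_name, {EXTENSION: [params]}).
    A '-' after the code means more lines follow; a space marks the last one."""
    server, exts = None, {}
    for line in reply.splitlines():
        code, sep, rest = line[:3], line[3:4], line[4:]
        if code != "250" or sep not in ("-", " "):
            raise ValueError(f"unexpected EHLO reply line: {line!r}")
        if server is None:
            server = rest.split()[0]  # first line: server name (and optional greeting)
        else:
            words = rest.split()
            exts[words[0].upper()] = words[1:]  # e.g. SIZE -> ["10240000"]
        if sep == " ":
            break
    return server, exts


def audit_smtp(exts):
    """Return (code, explanation) findings for the advertised SMTP extensions."""
    findings = []
    if "VRFY" in exts:
        findings.append(("vrfy-enabled",
                         "VRFY lets any client confirm which local accounts exist; "
                         "Postfix disables it with disable_vrfy_command = yes"))
    if "STARTTLS" not in exts:
        findings.append(("no-starttls",
                         "no STARTTLS offered, so message contents and any "
                         "credentials cross the network in clear text"))
    return findings


def audit_pop3(session):
    """Flag a PASS command issued before the connection was upgraded with STLS.
    Simplification: a client STLS is taken as successful without checking the reply."""
    findings, tls_started = [], False
    for who, line in session:
        if who != "C":
            continue
        verb = line.split()[0].upper()
        if verb == "STLS":
            tls_started = True
        elif verb == "PASS" and not tls_started:
            findings.append(("pop3-cleartext-pass",
                             "PASS sent on a plain TCP connection; acceptable only "
                             "while the service is confined to localhost, otherwise "
                             "use POP3S (995) or STLS"))
    return findings


if __name__ == "__main__":
    name, exts = parse_ehlo(EHLO_REPLY)
    print(f"{name} advertises: {', '.join(sorted(exts))}")
    for code, why in audit_smtp(exts) + audit_pop3(POP3_SESSION):
        print(f"[{code}] {why}")
```

In the lab both sessions run against localhost, so the clear-text findings are informational; they become real the moment the client VMs (192.168.10.3 and .4) start talking to the mail server over the LAN.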
20. Finally, we verify that we have connectivity to the DNS server
Client 1
search informatica.local
nameserver 192.168.10.1
Server: 192.168.10.1
Address: 192.168.10.1#53
Scenario
- LDAP server
  - IP = 10.3.0.40/16
  - Hostname = ldap.informatica.local
- Client
  - IP = 10.3.1.1/16
LDAP server:
New password:
Re-enter new password:
{SSHA}eFLAVB+svk7HOjsLNwTs3czRrIvZx3JT
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}eFLAVB+svk7HOjsLNwTs3czRrIvZx3JT
10. We create another file, ldapdomain.ldif, to add our domain's data
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by
  dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
  by dn.base="cn=Manager,dc=informatica,dc=local" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=informatica,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=informatica,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}eFLAVB+svk7HOjsLNwTs3czRrIvZx3JT

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=informatica,dc=local" write by anonymous auth by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=informatica,dc=local" write by * read
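olcAccess rules are the access-control policy of the directory, and a rule that names a manager DN under the wrong suffix silently grants nothing to the real manager while still reading "write" to a reviewer. The following is an added example, not part of the original lab, with a small LDIF parser (blank-line separated entries, leading-space continuation lines) and a check that every DN quoted in an olcAccess rule, plus olcRootDN, lies under the configured olcSuffix. The LDIF is a constructed variant of the modify operations above in which the last rule deliberately keeps a DN from another domain (dc=mydomain,dc=com), the kind of leftover that appears when a tutorial is adapted; SASL DNs ending in cn=auth are exempt because they are never under the suffix. Function names are this example's own.

```python
"""Added example: parse LDIF modify operations and check that every DN they
grant rights to sits under the configured suffix."""

import re

# Constructed LDIF in the style of ldapdomain.ldif above; the {2} rule keeps a
# DN from a different domain on purpose so the check has something to catch.
LDIF = """\
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=informatica,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=informatica,dc=local

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by
  dn="cn=Manager,dc=informatica,dc=local" write by anonymous auth by self write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=mydomain,dc=com" write by * read
"""

# DN quoted in an olcAccess <who> clause: dn="..." or dn.base="..."
DN_RE = re.compile(r'\bdn(?:\.base)?="([^"]*)"')


def parse_ldif(text):
    """Return a list of entries, each a list of (attribute, value) pairs.
    Entries are separated by blank lines; a line starting with a space
    continues the previous value (LDIF folding, leading space removed)."""
    entries, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        else:
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def suffix_of(entries):
    """The olcSuffix value set in the LDIF, or None if it is not touched."""
    for entry in entries:
        for attr, val in entry:
            if attr == "olcSuffix":
                return val
    return None


def referenced_dns(entries):
    """Every DN an olcAccess rule grants rights to, plus the olcRootDN value."""
    dns = []
    for entry in entries:
        for attr, val in entry:
            if attr == "olcRootDN":
                dns.append(val)
            elif attr == "olcAccess":
                dns.extend(DN_RE.findall(val))
    return dns


def normalize(dn):
    """Lower-case and strip spaces around RDN separators for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def foreign_dns(entries):
    """DNs that are non-empty, not SASL identities, and not under the suffix."""
    suffix = normalize(suffix_of(entries))
    bad = []
    for dn in referenced_dns(entries):
        n = normalize(dn)
        if not n or n.endswith(",cn=auth"):  # dn.base="" or a SASL DN
            continue
        if n != suffix and not n.endswith("," + suffix):
            bad.append(dn)
    return bad


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    print("suffix:", suffix_of(entries))
    for dn in foreign_dns(entries):
        print("olcAccess/olcRootDN refers to a DN outside the suffix:", dn)
```

Run it against the real ldapdomain.ldif before ldapmodify: slapd accepts such a rule without complaint, so this kind of mistake only shows up later as an unexpected "insufficient access" or, worse, as a rule that never restricts anyone.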
12. We create another file, ldapdomain.ldif, to create the LDAP base domain
dn: dc=informatica,dc=local
objectClass: top
objectClass: dcObject
objectClass: organization
o: informatica local
dc: informatica

dn: cn=Manager,dc=informatica,dc=local
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=informatica,dc=local
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=informatica,dc=local
objectClass: organizationalUnit
ou: Group

dn: cn=Manager,ou=Group,dc=informatica,dc=local
objectClass: top
objectClass: posixGroup
cn: Manager
gidNumber: 1001

ldapuser1:x:1001:

dn: uid=ldapuser1,ou=People,dc=informatica,dc=local
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ldapuser1
uid: ldapuser1
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/ldapuser1
userPassword: {SSHA}O4aumDM8Bml0cvdhSkk9dS2/dVtywNcn
loginShell: /bin/bash
gecos: ldapuser1
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
18. We add the LDAP service exception to the firewall together with port 389/tcp, and restart it
Client:
Bibliography:
- https://www.unixmen.com/setting-dns-server-centos-7/
- https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7