Network Security Learning -- DNS deployment and security

Keywords: Windows security, Cyber Security

DNS

DNS (Domain Name Service): provides domain name resolution for clients.

Domain name composition

Overview of domain name composition

A fully qualified domain name (FQDN) has the form hostname.domainname. There can be many hosts under one domain name; the domain name must be unique worldwide, and therefore the combination of host name and domain name is unique worldwide as well.
Take the domain sina.com.cn as an example. Administrators usually name hosts after their function: the website is www, the blog is blog and the forum is bbs, giving FQDNs such as www.sina.com.cn, blog.sina.com.cn and mail.sina.com.cn. For all of these FQDNs only one domain name, sina.com.cn, needs to be registered.

Domain name composition

Domain names form a tree structure:

Root domain: [.]
Top-level domain:
  • Country-code top-level domains: cn, jp, hk, us
  • Generic top-level domains
    • edu: educational institutions
    • org: civil society organizations
    • net: non-profit organization
    • gov: government agencies
    • mil: military organization
First-level domain name (below the top-level domain)
Second-level domain name (below the first-level domain)

Listening ports

TCP 53
UDP 53

DNS resolution type

By query method
  • Recursive query: between the client and its local DNS server
  • Iterative query: the resolution process between the local DNS server and other DNS servers, such as the root servers

There are 13 root domain servers worldwide

By query content
  • Forward resolution: resolve a known domain name to its IP address
  • Reverse resolution: resolve a known IP address to its domain name

DNS setup

  1. Install the DNS service. Before installation, netstat -an shows no listener on port 53:
C:\Documents and Settings\Administrator>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.1.1.3:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:4500           *:*
  UDP    10.1.1.3:67            *:*
  UDP    10.1.1.3:68            *:*
  UDP    10.1.1.3:123           *:*
  UDP    10.1.1.3:137           *:*
  UDP    10.1.1.3:138           *:*
  UDP    10.1.1.3:2535          *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
#After the DNS service is installed, TCP 53 and UDP 53 are open
C:\Documents and Settings\Administrator>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.1.1.3:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1029           *:*
  UDP    0.0.0.0:4500           *:*
  UDP    10.1.1.3:53            *:*
  UDP    10.1.1.3:67            *:*
  UDP    10.1.1.3:68            *:*
  UDP    10.1.1.3:123           *:*
  UDP    10.1.1.3:137           *:*
  UDP    10.1.1.3:138           *:*
  UDP    10.1.1.3:2535          *:*
  UDP    127.0.0.1:53           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1025         *:*
  UDP    127.0.0.1:1028         *:*
  2. After installation, open the DNS console via Start -> Administrative Tools -> DNS
  3. Right-click "Forward Lookup Zones" and choose "New Zone"
  4. For the zone type, select "Primary zone"
  5. For the zone name, enter the domain to be resolved; this article uses baidu.com as the example
  6. Create a new zone file
  7. For dynamic updates, select "Do not allow dynamic updates"
  8. Once the zone is created, it appears in the console
  9. Right-click the zone and choose "New Host" to add a host
  10. Enter the host name and its IP address
  11. In the network configuration of another virtual machine, set the DNS server to the address of the server just configured
#Check whether domain name resolution works
C:\Documents and Settings\Administrator>nslookup www.baidu.com
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 10.1.1.3: Timed out
Server:  UnKnown
Address:  10.1.1.3

Name:    www.baidu.com
Address:  1.1.1.1
#Clear the DNS client cache
C:\Documents and Settings\Administrator>ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
#View the DNS client cache contents
C:\Documents and Settings\Administrator>ipconfig /displaydns

Windows IP Configuration

    1.0.0.127.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 1.0.0.127.in-addr.arpa.
    Record Type . . . . . : 12
    Time To Live  . . . . : 604043
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    PTR Record  . . . . . : localhost


    localhost
    ----------------------------------------
    Record Name . . . . . : localhost
    Record Type . . . . . : 1
    Time To Live  . . . . : 604043
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 127.0.0.1
  1. To fix the "Can't find server name for address 10.1.1.3: Timed out" message from nslookup, create a host (A) record on the DNS server with any name, pointing to the DNS server's own IP address (nslookup first does a reverse lookup of the server address, which needs a matching PTR record)
  2. Right-click "Reverse Lookup Zones" on the DNS server, create a new zone, and enter the network ID of the DNS server's subnet
  3. The system creates the zone file automatically
  4. Create a new pointer (PTR) record for reverse resolution
  5. Enter the DNS server's IP address and select the dns1 host name created above
  6. After this, run the resolution test again
#When resolution is performed again, the error message no longer appears
C:\Documents and Settings\Administrator>nslookup www.baidu.com
Server:  dns1.baidu.com
Address:  10.1.1.3

Name:    www.baidu.com
Address:  1.1.1.1

Alias

  1. In the forward lookup zone of the DNS server, right-click and choose "New Alias (CNAME)"
  2. Enter the alias and the FQDN of the target host
  3. Once the alias is set, the record can also be resolved through the alias name:
C:\Documents and Settings\Administrator>nslookup tye.baidu.com
Server:  dns1.baidu.com
Address:  10.1.1.3

Name:    www.baidu.com
Address:  1.1.1.1
Aliases:  tye.baidu.com

Secondary DNS

  1. Install the DNS service on the second server
  2. Open the DNS console via Start -> Administrative Tools -> DNS
  3. Right-click "Forward Lookup Zones" and choose "New Zone"; for the zone type, select "Secondary zone"
  4. For the zone name, enter the zone to be resolved
  5. Enter the IP address of the primary DNS server (the master server)
  6. The zone type is shown as secondary
  7. After configuration, the resolution records are copied from the primary DNS server by zone transfer.
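The whole walkthrough above (primary zone, A records, reverse zone and PTR, CNAME, secondary zone) scripted with the Windows DnsServer PowerShell module (Windows Server 2012 and later). This is an added example, not part of the original post: the secondary server address 10.1.1.4 is an assumed placeholder, and restricting zone transfers to that server is a hardening step added here that the GUI steps do not cover.

```powershell
# Added example: script the GUI walkthrough with the DnsServer module.
# Assumptions: primary server 10.1.1.3 (from the post), secondary 10.1.1.4 (placeholder).
$Zone      = 'baidu.com'
$Primary   = '10.1.1.3'
$Secondary = '10.1.1.4'   # placeholder, not in the original post

# --- On the primary server ---
# Step 1: install the DNS role (opens TCP/UDP 53, as the netstat output shows)
Install-WindowsFeature -Name DNS -IncludeManagementTools

# Steps 3-7: primary forward lookup zone, dynamic updates disabled
Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None

# Steps 9-10: host (A) records; dns1 points at the server itself so that
# nslookup can name the server instead of reporting "Can't find server name"
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www'  -IPv4Address '1.1.1.1'
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'dns1' -IPv4Address $Primary

# Reverse lookup zone for 10.1.1.0/24 and the PTR for 10.1.1.3 -> dns1.baidu.com
Add-DnsServerPrimaryZone -NetworkId '10.1.1.0/24' -ZoneFile '1.1.10.in-addr.arpa.dns' -DynamicUpdate None
Add-DnsServerResourceRecordPtr -ZoneName '1.1.10.in-addr.arpa' -Name '3' -PtrDomainName "dns1.$Zone"

# Alias: tye.baidu.com -> www.baidu.com
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name 'tye' -HostNameAlias "www.$Zone"

# Hardening (added, not in the GUI steps): only the known secondary may pull zone
# transfers, and it is notified when the zone changes. An unrestricted zone
# transfer discloses the entire zone to any host that asks for it.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondary -Notify NotifyServers -NotifyServers $Secondary

# --- On the secondary server (10.1.1.4), equivalent to the "Secondary DNS" steps ---
# Install-WindowsFeature -Name DNS -IncludeManagementTools
# Add-DnsServerSecondaryZone -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $Primary

# --- Verification from a client, equivalent to the nslookup checks above ---
Clear-DnsClientCache                                      # same as ipconfig /flushdns
Resolve-DnsName -Name "www.$Zone" -Server $Primary        # expect A record 1.1.1.1
Resolve-DnsName -Name $Primary    -Server $Primary        # expect PTR dns1.baidu.com
Resolve-DnsName -Name "tye.$Zone" -Server $Primary        # expect CNAME to www.baidu.com, then A
```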

Posted by rosy on Mon, 29 Nov 2021 16:46:29 -0800