DNS

Zone transfer vulnerability

Hierarchical structure of domain names

DNS resolution process

Resource record types

Installing and deploying a DNS server

Building master and slave DNS servers

Forwarding DNS server configuration


DNS (Domain Name Service) is the domain name resolution service: it converts between domain names and IP addresses. It uses port 53 over both TCP and UDP.
DNS system functions:

* Forward resolution: look up the IP address that corresponds to a domain name
* Reverse resolution: look up the domain name that corresponds to an IP address
DNS server classification:

* Primary name server: the DNS server that holds the settings for a zone; it stores the original data of the zone file
* Secondary name server: copies its data from other servers; the data is a replica and cannot be modified
* Master name server: the DNS server that provides the data for replication
* Caching name server: obtains name-to-IP mappings by querying the root or other servers, caches the results locally, and speeds up repeated lookups
Zone transfer vulnerability

Zone transfer: the slave (backup) server copies the zone from the master server and uses the data it obtains to update its own database. Synchronizing the database between the primary and secondary servers requires a "DNS zone transfer".

Zone transfer vulnerability: because the DNS server is configured improperly, anonymous users can use the zone transfer protocol to obtain all DNS records of the zone.

Harm of the zone transfer vulnerability: the network topology is leaked to potential attackers, including some less secure internal hosts such as test servers. This directly accelerates and facilitates an attacker's intrusion.

Testing process:
1) Run the nslookup command to enter its interactive shell;
2) Use the server command to set the DNS server that will be queried;
3) Use the ls command to list all names in the domain;
4) Use the exit command to leave.

Hierarchical structure of domain names

Root domain (.)

Top-level domains: organizational top-level domains and country/regional top-level domains (net, edu, com, gov, mil, org, cn, uk, ...)

   -- Organizational top-level domains (net, edu, com, gov, mil, org, ...)

   -- Country/regional top-level domains (cn, uk, ...)

Second-level domain names (baidu, taobao, ...)

Third-level domain names (www, mail, ...)

Organizational top-level domains

gov    government sector
com    commercial enterprise
edu    education sector
org    civil society organizations
net    network service organizations
mil    military sector

Country/regional top-level domains

cn     China
uk     United Kingdom
hk     Hong Kong, China

DNS resolution process

DNS domain name resolution process:

* The client accesses a domain name and first checks the host's own DNS cache (entries have a time limit). If the host cache holds the name, the corresponding IP is used.
* If the host's DNS cache does not contain it, the host's hosts file is checked; if the name is there, the corresponding IP is used.
* If the hosts file does not contain it, the request is sent to the domain name server configured on the host.
* After the domain name server receives the request, it first queries its local cache; if the entry exists, the domain name server returns the result directly.
* If the record is not in the local cache, the domain name server sends the request to a root name server. The root name server returns to it the address of the primary name server for the queried domain (a subdomain of the root).
* The local server sends the request to the primary name server returned in the previous step. The server that accepts the request queries its own cache; if the record is not there, it returns the address of the relevant subordinate name server.
* The previous step repeats until the IP address of the requested domain name is found. The DNS server then sends the IP address matching the domain name to the host and at the same time saves it locally.
Therefore the lookup priority is: local DNS cache > hosts file > DNS server
Windows hosts file path: C:\Windows\System32\drivers\etc\hosts
Linux hosts file path: /etc/hosts
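To make the lookup order and the cache time limit concrete, here is an added example (not code from the original article) that models a host-side stub resolver in Python: it consults a TTL-bounded local cache, then a parsed hosts file, and only then calls out to the configured DNS server. The hosts file content, the addresses and the query_server callback are constructed for the example.

```python
import time

# Constructed hosts-file content (not from the page); the format is that of
# /etc/hosts and C:\Windows\System32\drivers\etc\hosts.
SAMPLE_HOSTS = """
127.0.0.1   localhost
::1         localhost ip6-localhost
# 192.0.2.9 stale.example    (commented out, must be ignored)
192.0.2.7   intranet.example wiki   # trailing comment
"""

def parse_hosts(text):
    """Map each hostname (lower-cased) to its address; the first entry wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table

class StubResolver:
    """Lookup order from the text: local cache, then hosts file, then DNS server."""
    def __init__(self, hosts_text, query_server, now=time.time):
        self.hosts = parse_hosts(hosts_text)
        self.query_server = query_server   # callable: name -> (ip, ttl_seconds)
        self.now = now                     # clock, injectable for testing
        self.cache = {}                    # name -> (ip, expiry timestamp)
        self.source = None                 # where the last answer came from

    def resolve(self, name):
        name = name.lower().rstrip(".")
        ip, expires = self.cache.get(name, (None, 0.0))
        if ip is not None and expires > self.now():
            self.source = "cache"
            return ip
        if name in self.hosts:
            self.source = "hosts"
            return self.hosts[name]
        ip, ttl = self.query_server(name)  # ask the configured DNS server
        self.cache[name] = (ip, self.now() + ttl)
        self.source = "server"
        return ip
```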

Resource record types

Type    Meaning
A       Host record; records the IP address of a name
PTR     Reverse resolution record; records the domain name for an IP address
CNAME   Alias record
MX      Mail exchange record
NS      Name server record
SOA     Start of authority record
TXT     Descriptive text for a record
SRV     Lists the servers that provide a specific service
AAAA    IPv6 address record
A record
An A (Address) record, also called a host record, specifies the IP address that corresponds to a domain name. Users can point the web service under a domain name to their own web server, and can also set up subdomains of the domain. In general the A record holds the server's IP; binding a domain name to an A record tells DNS that when the domain name is entered, the user should be directed to the server set in that A record. You can use nslookup -qt=a to view A records.

PTR record
As opposed to an A record, a PTR record maps an IP address to a domain name.

CNAME record
A CNAME record, also known as an alias record, lets you map multiple names to the same computer. For example, suppose you created the following records:

When we visit a1 (or a2, a3), the DNS server returns a CNAME record pointing to the canonical name; our local computer then sends another request to resolve that name, and the name server returns its IP address.

When we want to point many domain names at one computer, using CNAME is convenient: as in the example above, if the server's IP changes, we only need to change the one A record.
You can use nslookup -qt=cname to view CNAME records.

MX record
The weight (preference value) of MX records is very important to the mail service. When sending mail, the mail server first resolves the domain name and looks up its MX records. It tries the server with the lowest weight first (for example 10); if it can connect, the mail is sent there. If the server whose MX record has weight 10 cannot be reached, the mail is sent to the mail server with weight 20.
There is an important concept here: the server with weight 20 is configured as a temporary cache for mail. Once the weight-20 server can reach the weight-10 server, the mail is still delivered to the weight-10 mail server. Of course, this mechanism requires configuration on the mail server.
You can use nslookup -qt=mx to view MX records.

TXT record
A TXT record usually holds a description for a record. For example, if you create a TXT record for a domain name with the content "this is a test TXT record." and then query it with nslookup -qt=txt, you will see the words "this is a test TXT record".

In addition, TXT records can be used to verify ownership of a domain name. For example, if your domain name uses a Google service, Google will ask you to create a TXT record, and then verifies through it that you have administrative rights over the domain name.
You can use nslookup -qt=txt to view TXT records.

Having covered TXT records, we now turn to SPF, which is carried in TXT records. SPF is short for Sender Policy Framework, an IP-address-based technique for authenticating the identity of an e-mail sender.
The receiving side first checks the domain name's SPF record to determine whether the sender's IP address is included in it. If it is, the mail is considered legitimate; otherwise it is considered forged and is rejected.
SPF prevents others from sending mail while impersonating you; it is an anti-forgery mail solution. Once you define an SPF record for your domain name, recipients check, according to your SPF record, whether the connecting IP address is listed in it: if so, the mail is legitimate; otherwise it is treated as forged.
Setting a correct SPF record can improve the success rate of mail your mail system sends abroad, and to some extent prevents others from sending mail under a forged copy of your domain name.

The function of an MX record is to tell senders which mail servers exist for a domain name. SPF plays the opposite role to MX: it tells recipients which mail servers are authorized by a domain name to send its mail.

As can be seen from the definition, SPF's main function is anti-spam, mainly against spam sent from forged domain names.
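The receiver-side check described above, as an added Python example that is not part of the original article: it evaluates a sender's connecting IP against a domain's SPF record (the ip4, ip6, include and all mechanisms with the +, -, ~ and ? qualifiers). The SPF records and addresses are constructed, and lookup_txt stands in for the real DNS TXT query.

```python
import ipaddress

# Constructed SPF records (not from the page); addresses come from the
# documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup_txt(domain):
    """Stand-in for the receiver's TXT query; a real checker would use DNS here."""
    return SPF_RECORDS.get(domain)

def check_spf(domain, client_ip, depth=0):
    """Receiver-side check: is client_ip authorized by the domain's SPF record?

    Returns 'pass', 'fail', 'softfail' or 'neutral' from the first matching
    mechanism, or 'none' when the domain publishes no SPF record.
    """
    record = lookup_txt(domain)
    if record is None or record.split()[:1] != ["v=spf1"] or depth > 10:
        return "none"                      # no policy (or include loop guard)
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        result = QUALIFIERS[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result                  # catch-all, usually -all or ~all
        if mech in ("ip4", "ip6") and arg:
            # an IPv4 client never matches an ip6: network and vice versa
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include" and arg:
            # the included domain's policy must itself yield 'pass'
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return result
    return "neutral"                       # no mechanism matched, no 'all'
```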

AAAA record
An AAAA record points to an IPv6 address.
You can use nslookup -qt=aaaa to view AAAA records.
NS record
NS records are name server records, used to specify which server resolves the domain name.
You can use nslookup -qt=ns to view them.

TTL value
TTL (time to live) indicates how long a resolution record is cached on a DNS server. For example, when we ask a DNS server to resolve a name and it finds no such record, it sends a request to the next NS server; after obtaining the record, it keeps the record for the length of the TTL. When we send a request to resolve the same name again, the DNS server returns the previous record directly without asking the NS server. The TTL is a length of time in seconds, usually 3600 seconds.

SOA record

Defines the authoritative name server in the domain

SRV record

Lists the servers that are providing a specific service

Installing and deploying a DNS server

Packages required: bind (the DNS server package), bind-utils (DNS test tools, including dig, host, nslookup and others), bind-chroot (runs BIND confined to a specified directory; a security hardening tool), caching-nameserver (basic configuration files for a caching DNS server; recommended)
Executable: /usr/sbin/named (RHEL 7), /etc/init.d/named (RHEL 6)
Main configuration file: /etc/named.conf
Zone configuration file directory: /var/named/

* Install the DNS software: yum -y install bind*
* Modify the main configuration file: /etc/named.conf
* Add and modify the zone configuration files under /var/named/
* Fix file ownership: chown named:named /var/named/
* Start the service and verify it: systemctl start named ; nslookup
Modify the main configuration file /etc/named.conf (the zone names and file names are not given on this page; the empty strings below are where they go):

    options {
        listen-on port 53 { any; };        // modified line
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };              // modified line
    };
    zone "." IN {
        type hint;                         // system-defined root zone; it must be type hint
        file "";
    };
    zone "" IN {                           // custom: add forward resolution
        type master;                       // master in a master/slave setup
        file "";                           // zone file name, located under /var/named/
    };
    zone "" IN {                           // custom: add reverse resolution
        type master;
        file "";
    };
    zone "" IN {                           // add resolution for another domain name
        type master;
        file "";
    };
In the /var/named/ directory create the two zone files named in the configuration above, with the following contents (record values are not given on this page).

First zone file:

    $TTL 1D
    @       IN SOA  (          ; @ stands for this machine
                    0          ; serial
                    1D         ; refresh
                    1H         ; retry
                    1W         ; expire
                    3H )       ; minimum
            NS
            MX 10              ; mail server
    www     IN A               ; this must be written as the first host entry !!
    web     IN A
    root    IN A
    *       IN A               ; default match, used when nothing else in the file matches
    ftp     IN CNAME www       ; adds an alias
    1       IN PTR             ; reverse resolution record, resolves to the given name
    2       IN PTR

Second zone file:

    $TTL 1D
    @       IN SOA  (
                    0          ; serial
                    1D         ; refresh
                    1H         ; retry
                    1W         ; expire
                    3H )       ; minimum
            NS
            MX 10
    www     IN A
    web     IN A
Building master and slave DNS servers

The master DNS server uses the configuration above. In its main configuration file /etc/named.conf add the following line, which allows the transfer:

    allow-transfer { ; };      // the slave DNS server's IP address goes here

Then on the slave DNS server, write which zones to synchronize. Here we only synchronize this one domain name; synchronized zone files are stored by default under /var/named/slaves

    zone "" IN {
        type slave;
        file "slaves/";        // zone file written under the slaves directory
        masters { ; };         // the master DNS server's IP address
    };
    zone "" IN {
        type slave;
        file "slaves/";
        masters { ; };
    };

After configuring, restart the named service: systemctl restart named, then synchronize the zone files: rndc reload
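For the zone transfer vulnerability described earlier and the allow-transfer setting above, here is an added Python example (not from the original article) that audits a named.conf for master zones that would answer a zone transfer to anyone, either through allow-transfer { any; } or because allow-transfer is not set at all. The configuration fragment, zone names and the 192.0.2.10 address are constructed for the example.

```python
import re

# Constructed named.conf fragment (not from the page); 192.0.2.10 stands for
# the slave server's address and the zone names are placeholders.
SAMPLE_CONF = """
options { directory "/var/named"; allow-query { any; }; };
zone "example.com" IN {
    type master; file "example.com.zone";
    allow-transfer { 192.0.2.10; };   // only the slave may pull the zone
};
zone "internal.example" IN {
    type master; file "internal.zone";
    allow-transfer { any; };          // anyone can dump the whole zone
};
zone "0.2.0.192.in-addr.arpa" IN {
    type master; file "reverse.zone"; # no allow-transfer at all
};
"""

BLOCK = r"\{((?:[^{}]|\{[^{}]*\})*)\}"   # a brace block with one nested level

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def acl_of(body):
    """allow-transfer address list inside a block body, or None if unset."""
    m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
    return None if m is None else [x.strip() for x in m.group(1).split(";") if x.strip()]

def find_open_transfers(conf):
    """(zone, reason) pairs for master zones that may answer AXFR to anyone.
    Assumption: an unset allow-transfer counts as open, which is the default
    of the BIND versions shipped with RHEL 6/7."""
    conf = strip_comments(conf)
    opts = re.search(r"options\s*" + BLOCK, conf)
    default = acl_of(opts.group(1)) if opts else None   # options-level ACL
    findings = []
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*' + BLOCK + r"\s*;", conf):
        name, body = m.group(1), m.group(2)
        ztype = re.search(r"\btype\s+(\w+)\s*;", body)
        if ztype is None or ztype.group(1) not in ("master", "primary"):
            continue                     # slave, hint and forward zones skipped
        acl = default if (zacl := acl_of(body)) is None else zacl
        if acl is None:
            findings.append((name, "allow-transfer not set"))
        elif "any" in acl:
            findings.append((name, "allow-transfer { any; }"))
    return findings
```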

Forwarding DNS server configuration

A forwarding DNS server is one that, when it receives a DNS resolution request, forwards the request on to another DNS server.

The forwarding DNS server also requires the bind package: yum -y install bind*

Then modify the main configuration file /etc/named.conf:

    options {
        listen-on port 53 { any; };   # modified
        allow-query { any; };         # modified
        forwarders { ; };             # the DNS server to which this server forwards its requests
    };

Related articles: using the DNS domain name detection tools whois, dnsmap, DIG, Layer