第六阶段
项目内容:
给公司从万网申请了个域名,Skylinux.com,现在公司在外地建立了子公司,建立一个子域bj.Skylinux.com,单独运维管理。
项目目的:
方便子公司自行维护和管理自己的 DNS 服务器:子域 bj.Skylinux.com 委派(delegation)给子公司的服务器之后,子公司修改子域内的记录不再需要改动总部 master 上的区域文件。
环境:
子域服务器:
IP:192.168.1.101
Master服务器:
IP:192.168.1.100
步骤:
1、 第五阶段的全部环境
参照上面第五阶段的内容
2、 在master服务器端的设置
修改 zone 区域文件:在两个区域的末尾加入子域的 NS 记录和对应的胶水(glue)A 记录,并递增 SOA 中的 serial;slave 只有在发现 master 的 serial 增大时才会重新传输区域,serial 不变则委派记录不会同步到 slave。
[root@Dns_master named]# ls
cnc.Skylinux.com.zone localdomain.zone named.local
data localhost.rev named.rev
Kcnc.+157+07925.key localhost.zone named.zero
Kcnc.+157+07925.private named.broadcast slaves
Ktel.+157+54772.key named.ca tel.Skylinux.com.zone
Ktel.+157+54772.private named.ip6.local
[root@Dns_master named]# pwd
/var/named/chroot/var/named
[root@Dns_master named]# vi tel.Skylinux.com.zone
[root@Dns_master named]# cat tel.Skylinux.com.zone
$TTL 86400
@ IN SOA @ root (
201101010 ; serial (d. adams)
5 ; refresh
5 ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.Skylinux.com.
IN A 192.168.1.103
www IN A 192.168.0.100
www2 IN A 192.168.0.103
www3 IN A 192.168.0.103
www4 IN A 192.168.0.103
bj.Skylinux.com. IN NS dns.bj.Skylinux.com.
dns.bj.Skylinux.com. IN A 192.168.1.101
[root@Dns_master named]#
[root@Dns_master named]# vi cnc.Skylinux.com.zone
[root@Dns_master named]# cat cnc.Skylinux.com.zone
$TTL 86400
@ IN SOA @ root (
201101010 ; serial (d. adams)
5 ; refresh
5 ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.Skylinux.com.
IN A 192.168.1.103
www IN A 192.168.1.100
ftp IN A 192.168.1.102
bj.Skylinux.com. IN NS dns.bj.Skylinux.com.
dns.bj.Skylinux.com. IN A 192.168.1.101
[root@Dns_master named]#
3、 配置子域服务器
1)安装必要软件,bind、bind-chroot、caching-nameserver软件
2)将主配置文件中的几个访问控制选项(如 listen-on、allow-query)配置成 any。这是实验环境的简化做法;生产环境中 allow-transfer 只应允许 slave 的 IP,allow-recursion 只应允许内网客户端(权威服务器最好直接关闭递归),全部写成 any 会把整个区域数据暴露给任何人,并把服务器变成可被滥用于放大攻击的开放递归解析器。
3)声明域
[root@Dns_son etc]# tail -4 named.rfc1912.zones
zone "bj.Skylinux.com"{
type master;
file "bj.zone";
};
[root@Dns_son etc]#
4)建立区域文件
[root@Dns_son etc]# cd ../var/named/
[root@Dns_son named]# pwd
/var/named/chroot/var/named
[root@Dns_son named]# vi bj.zone
[root@Dns_son named]# cat bj.zone
$TTL 86400
@ IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS dns.bj.Skylinux.com.
IN A 192.168.1.101
www IN A 110.110.110.100
[root@Dns_son named]#
4、 重启服务
为了达到同步效果,这里把 Master、slave、cache、son 四台机器都重启了一遍。实际上重启本身并不会让 slave 同步:slave 只在 master 的 SOA serial 增大时才重新传输区域,所以每次修改区域文件后应先递增 serial(若 serial 仍保持 201101010 不变,slave 不会拉取新记录),然后在 master 上 reload 即可,无需重启四台机器。
5、 测试
在cache服务器上模拟客户端测试
1)
[root@Dns_cache ~]# vi /etc/resolv.conf
[root@Dns_cache ~]# cat /etc/resolv.conf
nameserver 192.168.0.102
[root@Dns_cache ~]#
[root@Dns_cache etc]# vi named.caching-nameserver.conf
[root@Dns_cache etc]# cat named.caching-nameserver.conf |grep forward
forward only;
forwarders {192.168.0.100;};
[root@Dns_cache etc]#
[root@Dns_cache etc]# host www.bj.Skylinux.com
www.bj.Skylinux.com has address 110.110.110.100
[root@Dns_cache etc]#
2)
[root@Dns_cache ~]# vi /etc/resolv.conf
[root@Dns_cache ~]# cat /etc/resolv.conf
nameserver 192.168.1.102
[root@Dns_cache ~]#
[root@Dns_cache etc]# vi named.caching-nameserver.conf
[root@Dns_cache etc]# cat named.caching-nameserver.conf |grep forward
forward only;
forwarders {192.168.1.100;};
[root@Dns_cache etc]#
[root@Dns_cache etc]# host www.bj.Skylinux.com
www.bj.Skylinux.com has address 110.110.110.100
[root@Dns_cache etc]#
第七阶段
项目内容:
利用rndc远程控制DNS,使用cache服务器做为rndc的控制端,控制其他几台机器的配置文件加载,关闭以及打开关闭日志等功能
项目目的:
一方面方便管理大量的DNS服务器,使得操作更方便更高效
另一方面,可以减少对目标主机的 SSH 登录:管理员不必在每台机器上拿到 shell,只需在控制端执行几条命令。但要注意 rndc 并不是"更安全"的替代品:控制通道(953 端口)只靠 rndc.key 中的共享 HMAC 密钥做身份认证,传输本身不加密,任何持有该密钥且来自 controls 允许的 IP 的人都可以 reload、stop、dump 这台 named。因此密钥文件的权限、controls 语句里的 allow 列表和 keys 列表才是安全性的关键;named 运行在 chroot 中限制的是 named 进程对文件系统的访问,与 rndc 命令能做什么没有关系。
环境:
控制端:
IP:192.168.1.102
受控端:
IP:192.168.1.103
步骤:
1、受控端本地测试
1) 使用 rndc-confgen 命令生成 rndc.key 和 rndc.conf。下面输出中的 secret 只是示例值,实际部署时必须使用自己机器上新生成的密钥,不要把它贴进文档或代码仓库。rndc-confgen 默认生成 hmac-md5 密钥,较新版本的 BIND 可以用 `rndc-confgen -A hmac-sha256` 生成更强的密钥,应优先使用;本文所用的较老版本(9.3.6)基本只有 hmac-md5 可选。
[root@Dns_slave slaves]# rndc-confgen |grep -v '^#'
key "rndckey" {
algorithm hmac-md5;
secret "qo92At7Wb046CFZwYEr0og==";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
[root@Dns_slave slaves]#
2)删除默认的rndc.key文件
[root@Dns_slave etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key
[root@Dns_slave etc]# rm -rf rndc.key
[root@Dns_slave etc]# pwd
/var/named/chroot/etc
[root@Dns_slave etc]#
[root@Dns_slave etc]# rm -rf /etc/rndc.key
[root@Dns_slave etc]#
3)将前面rndc-confgen命令生成的“key”一节中的内容写到rndc.key文件中
[root@Dns_slave etc]# pwd
/var/named/chroot/etc
[root@Dns_slave etc]# vi rndc.key
[root@Dns_slave etc]# cat rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "qo92At7Wb046CFZwYEr0og==";
};
[root@Dns_slave etc]#
4) 修改文件的属主和权限:rndc.key 中就是共享密钥,chown 之后还应执行 `chmod 640 rndc.key`,否则在默认 umask 下 vi 新建的文件是 644,系统上的任何本地用户都能读到这个密钥。
[root@Dns_slave etc]# chown named.named rndc.key
5)符号链接至/etc目录下
[root@Dns_slave etc]# ln -s /var/named/chroot/etc/rndc.key /etc/
5) 将前面rndc-confgen命令生成的全部内容写到rndc.conf文件中
[root@Dns_slave etc]# vi /etc/rndc.conf
[root@Dns_slave etc]# cat /etc/rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "qo92At7Wb046CFZwYEr0og==";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
[root@Dns_slave etc]#
6) 修改权限:/etc/rndc.conf 是执行 rndc 命令的管理员(通常是 root)读取的,其中同样含有密钥,应 `chmod 600 /etc/rndc.conf` 防止其他本地用户读取;把属主改成 named 并不是必需的。
[root@Dns_slave etc]# chown named.named /etc/rndc.conf
7)修改主配置文件
[root@Dns_slave etc]# vi named.caching-nameserver.conf
。。。。省略
key "rndckey" {
algorithm hmac-md5;
secret "qo92At7Wb046CFZwYEr0og==";
};
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
8)重启服务
[root@Dns_slave etc]# service named restart
停止 named: [确定]
启动 named: [确定]
[root@Dns_slave etc]# netstat -lnp |grep 953
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 8178/named
[root@Dns_slave etc]#
9)本地测试rndc
[root@Dns_slave etc]# rndc reload
server reload successful
1、 配置远程控制
1) 受控端的配置
生成新的rndckey和rndc.conf
[root@Dns_slave etc]# rndc-confgen |grep -v '^#'
key "rndckey" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
};
[root@Dns_slave etc]#
将新生成的文件的“key”节写到/etc/rndc.key文件末尾,并将其改名为rndckey-new
[root@Dns_slave etc]# vi /etc/rndc.key
[root@Dns_slave etc]# cat /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "qo92At7Wb046CFZwYEr0og==";
};
key "rndckey-new" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
[root@Dns_slave etc]#
修改主配置文件
[root@Dns_slave etc]# vi named.caching-nameserver.conf
。。。省略
key "rndckey-new" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
controls {
inet 192.168.1.103 port 953 allow { 192.168.1.102; } keys { "rndckey-new"; };
};
##表示只有从 192.168.1.102 发起、并且用 rndckey-new 正确签名的请求,才能通过 192.168.1.103 这个接口控制 named;allow 列表和 keys 列表两个条件缺一不可,仅靠源 IP 的 ACL 不足以防护,仅靠密钥则任何能连上 953 端口的主机都可尝试。
重启服务
2)控制端的设置
将前面生成的文件的全部内容写到 server 的 /etc/rndc.conf 文件中,需要修改 key 的名称和 default-server 的 IP。注意 key 语句里的名字必须与 default-key 一致:下面列出的文件中 key 仍叫 "rndckey",而 default-key 写的是 "rndckey-new",rndc 会报找不到该 key;正确写法见后面"配置一台控制端控制多台服务器"一节中的 /etc/rndc.conf。
[root@Dns_cache etc]# vi /etc/rndc.conf
[root@Dns_cache etc]# cat /etc/rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
options {
default-key "rndckey-new";
default-server 192.168.1.103;
default-port 953;
};
[root@Dns_cache etc]#
修改权限:同样应执行 `chmod 600 /etc/rndc.conf`,控制端这个文件里保存的是能控制所有受控端的密钥。
[root@Dns_cache etc]# chown named.named /etc/rndc.conf
3)查看 rndc 的帮助(rndc 没有 -h 选项,报 illegal option 之后会打印用法)
[root@Dns_cache etc]# rndc -h
rndc: illegal option -- h
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
*restart Restart the server.
* == not yet implemented
Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2
[root@Dns_cache etc]#
测试
1) 重载client端DNS配置文件
控制端:
rndc reload ##重载client端DNS配置文件
[root@Dns_cache etc]# rndc reload
server reload successful
[root@Dns_cache etc]#
[root@Dns_cache etc]# rndc querylog on
开启解析日志记录功能。根据上面的帮助,querylog 是开关切换(toggle),再执行一次即关闭;开启后默认解析日志写入 client 服务器的 /var/log/messages,日志中包含客户端 IP 和查询名,数据量大且涉及用户隐私,并会降低服务器性能,排查完毕应及时关闭。
[root@Dns_cache etc]# rndc stop
远程关闭 client 上的 DNS 服务(stop 会先把待写入的动态更新保存到区域文件再退出)。注意帮助中 restart 标为尚未实现,停掉之后只能登录目标主机执行 service named start 重新启动;这也说明拿到 rndc 密钥的人可以直接造成解析中断,密钥文件和 controls 的 allow 列表必须严格控制。
此时受控端可以监控日志:
[root@Dns_slave etc]# tail -f /var/log/messages
Sep 7 16:34:45 Dns_slave named[8961]: shutting down: flushing changes
Sep 7 16:34:45 Dns_slave named[8961]: stopping command channel on 192.168.1.103#953
Sep 7 16:34:45 Dns_slave named[8961]: no longer listening on ::1#53
Sep 7 16:34:45 Dns_slave named[8961]: no longer listening on 127.0.0.1#53
Sep 7 16:34:45 Dns_slave named[8961]: no longer listening on 192.168.100.202#53
Sep 7 16:34:45 Dns_slave named[8961]: no longer listening on 192.168.1.103#53
Sep 7 16:34:45 Dns_slave named[8961]: no longer listening on 192.168.0.103#53
Sep 7 16:34:45 Dns_slave named[8961]: exiting
2、 配置一台控制端控制多台服务器
控制端:192.168.1.102(cache机器)
受控端:192.168.1.103(slave机器)、192.168.1.101(son机器)、192.168.1.100(master机器)
我们为了方便查看,只用了一套密钥。生产环境应为每台受控端生成各自的密钥,并在控制端的 server 语句里分别指定(下面 `server 192.168.1.101 { key ...; }` 这种写法本身就支持每台使用不同的 key);否则任何一台受控端或控制端被攻破,攻击者就能用同一把密钥控制全部 DNS 服务器。
key "rndckey" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
options {
default-key "rndckey";
default-server 127.0.0.1;
default-port 953;
受控端:
1.103:刚才已经配置过了,就不再说了
1.101:参照 1.103 的配置如下。注意符号链接要写绝对路径,和前面的 `ln -s /var/named/chroot/etc/rndc.key /etc/` 一样;下面的 `ln -s rndc.key /etc/rndc.key` 创建的是一个指向自身的链接(目标 rndc.key 相对于 /etc 解析),/etc/rndc.key 会变成无效链接。
[root@Dns_son etc]# pwd
/var/named/chroot/etc
[root@Dns_son etc]#
[root@Dns_son etc]# rm -rf rndc.key
[root@Dns_son etc]# rm -rf /etc/rndc.key
[root@Dns_son etc]# vi rndc.key
[root@Dns_son etc]# cat rndc.key
key "rndckey-new" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
[root@Dns_son etc]# chown named:named rndc.key
[root@Dns_son etc]# ln -s rndc.key /etc/rndc.key
[root@Dns_son etc]# vi named.caching-nameserver.conf
key "rndckey-new" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
controls {
inet 192.168.1.101 port 953 allow { 192.168.1.102; } keys { "rndckey-new"; };
};
重启服务
1.100:同上格式配置,就不再说了
控制端的配置只需修改下面的配置文件
[root@Dns_cache etc]# vi /etc/rndc.conf
[root@Dns_cache etc]# cat /etc/rndc.conf
key "rndckey-new" {
algorithm hmac-md5;
secret "azgaa5JNrHA1tR4sm5wp1A==";
};
options {
default-key "rndckey-new";
default-server 192.168.1.103;
default-port 953;
};
server 192.168.1.101 {
key "rndckey-new";
};
server 192.168.1.100 {
key "rndckey-new";
};
测试:
在控制端
[root@Dns_cache etc]# date
2011年 09月 07日 星期三 17:32:57 CST
[root@Dns_cache etc]# rndc -s 192.168.1.103 reload
rndc: connect failed: 192.168.1.103#953: connection refused
[root@Dns_cache etc]# date
2011年 09月 07日 星期三 17:33:38 CST
[root@Dns_cache etc]# rndc -s 192.168.1.103 reload
server reload successful
[root@Dns_cache etc]# rndc -s 192.168.1.101 reload
server reload successful
[root@Dns_cache etc]# rndc -s 192.168.1.100 reload
server reload successful
[root@Dns_cache etc]#
注:为什么我习惯性地敲一下 date 命令看系统时间呢?因为 rndc 对时间要求很严格:每条 rndc 消息都带有签名的时间戳,受控端会拒绝时间偏差过大的消息(BIND 9 允许的偏差约为 5 分钟),时间相差太远时 rndc 执行就会报错。这个时间戳是防止重放已截获命令的机制之一,不应设法绕过,而应让控制端和受控端的时钟保持同步。
怎么解决呢?
临时的改变方法是用下面的办法
date -s 09/07/2011 #月/日/年
date -s 17:10 #时:分
想要彻底保证一致,需要配置 NTP(ntpd/chrony)等时间同步机制,让控制端和所有受控端都与同一时间源同步。