Prerequisites: a Linux machine to act as the host; this article uses Red Hat Enterprise Linux 5.8.
Part 1: DNS configuration
1. Run yum list all bind* to see which bind versions are available.
Remove the installed bind93.i386 packages with rpm -e bind-libs bind-utils, then install the bind97.i386 packages with
yum -y install bind97 bind97-utils bind97-libs
2. Move the original configuration file aside with mv /etc/named.conf /etc/named.conf.origin, then write a new /etc/named.conf of your own:
vim /etc/named.conf
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
};
Save and quit with :wq.
3. Run cd /var/named/ to enter the named directory.
The files I need to create are localhost.zone, 127.0.0.zone, magedu.com.zone and 172.16.100.zone.
Create localhost.zone with vim localhost.zone; its contents are:
$TTL 86400
@       IN SOA  localhost. admin.localhost. (
            2012101801
            1H
            5M
            7D
            1D )
@       IN NS   localhost.
localhost.  IN A    127.0.0.1
Then save and quit.
Create 127.0.0.zone with vim 127.0.0.zone; its contents are:
$TTL 86400
@       IN SOA  localhost. admin.localhost. (
            2012101801
            1H
            5M
            7D
            1D )
@       IN NS   localhost.
1       IN PTR  localhost.
Then save and quit.
Create magedu.com.zone with vim magedu.com.zone; its contents are:
$TTL 86400
$ORIGIN magedu.com.    ; the trailing dot makes the origin absolute
@       IN SOA  ns.magedu.com. admin.magedu.com. (
            2012101801
            1H
            5M
            7D
            1D )
        IN NS   ns
        IN NS   ns2
        IN MX   10 mail
ns      IN A    172.16.100.1
ns2     IN A    172.16.100.2
www     IN A    172.16.100.1
ftp     IN CNAME www
pop3    IN A    172.16.100.2
        IN A    172.16.100.3
ldap    IN A    172.16.100.6
Then save and quit.
Create 172.16.100.zone with vim 172.16.100.zone; its contents are:
$TTL 86400
$ORIGIN 100.16.172.in-addr.arpa.
@       IN SOA  ns.magedu.com. admin.magedu.com. (
            2012101801
            1H
            5M
            7D
            1D )
        IN NS   ns.magedu.com.
        IN NS   ns2.magedu.com.
1       IN PTR  ns.magedu.com.
        IN PTR  www.magedu.com.
2       IN PTR  pop3.magedu.com.
3       IN PTR  POP3.magedu.com.
6       IN PTR  ldap.magedu.com.
Save and quit.
Once the four files are created, fix their permissions and group:
Permissions: chmod 640 /etc/named.conf localhost.zone 127.0.0.zone 172.16.100.zone magedu.com.zone
Group: chown :named /etc/named.conf localhost.zone 127.0.0.zone 172.16.100.zone magedu.com.zone
Then verify the changes with ll:
total 88
-rw-r----- 1 root named 321 Oct 18 17:04 127.0.0.zone
-rw-r----- 1 root named 625 Oct 19 02:49 172.16.100.zone
drwxrwx--- 2 named named 4096 Nov 17 2011 data
drwxrwx--- 2 named named 4096 Nov 17 2011 dynamic
-rw-r----- 1 root named 341 Oct 18 17:00 localhost.zone
-rw-r----- 1 root named 642 Oct 18 20:36 magedu.com.zone
-rw-r----- 1 root named 1892 Feb 18 2008 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 17 2011 slaves
Then check the syntax:
named-checkconf
named-checkzone "magedu.com" magedu.com.zone
named-checkzone "100.16.172.in-addr.arpa" 172.16.100.zone
Then start the service with service named start
and check that it is listening with netstat -tunlp | grep 53
This is a simple DNS server meant only for practice; the IP addresses in it are made up for convenience.
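As an added check that goes beyond the named-checkzone run above (example code written for this post, not from the original), the following Python script parses a retyped subset of the magedu.com and 100.16.172.in-addr.arpa zone files and reports A records without a PTR and PTRs whose target has no A record; on this data it finds that ns2 (172.16.100.2) has no reverse entry, which the reverse zone in the master/slave part later adds.

```python
# Constructed sample input: a retyped subset of the magedu.com and 100.16.172.in-addr.arpa zones above.
FORWARD = """$ORIGIN magedu.com.
@ IN SOA ns.magedu.com. admin.magedu.com. ( 2012101801
        1H 5M 7D 1D )
ns   IN A 172.16.100.1
ns2  IN A 172.16.100.2
pop3 IN A 172.16.100.2
     IN A 172.16.100.3
ldap IN A 172.16.100.6
"""
REVERSE = """$ORIGIN 100.16.172.in-addr.arpa.
@ IN SOA ns.magedu.com. admin.magedu.com. ( 2012101801 1H 5M 7D 1D )
1 IN PTR ns.magedu.com.
2 IN PTR pop3.magedu.com.
3 IN PTR POP3.magedu.com.
6 IN PTR ldap.magedu.com.
"""

def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Minimal master-file parser: $ORIGIN/$TTL, '( )' continuation lines, blank-owner inheritance."""
    origin, owner, buf, out = origin.rstrip(".") + ".", None, "", []
    for line in filter(str.strip, (raw.split(";")[0].rstrip() for raw in text.splitlines())):
        buf = f"{buf} {line.strip()}" if buf else line   # the first line keeps its indentation
        if buf.count("(") > buf.count(")"): continue      # record continues on the next line
        entry, buf = buf, ""
        tokens = entry.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
        elif tokens[0] != "$TTL":
            if not entry[0].isspace():                    # blank owner inherits the previous one
                owner = fqdn(tokens.pop(0), origin)
            while tokens[0].isdigit() or tokens[0].upper() == "IN":
                tokens.pop(0)                             # optional TTL and class
            out.append((owner.lower(), tokens[0].upper(), [t.lower() for t in tokens[1:]]))
    return out

def check_forward_reverse(forward_text, reverse_text):
    # Returns (A records with no matching PTR, PTRs whose target has no matching A).
    a, ptr = {}, {}
    for owner, rtype, rdata in parse_zone(forward_text, "magedu.com"):
        if rtype == "A":
            a.setdefault(rdata[0], set()).add(owner)
    for owner, rtype, rdata in parse_zone(reverse_text, "100.16.172.in-addr.arpa"):
        if rtype == "PTR":              # 1.100.16.172.in-addr.arpa. -> 172.16.100.1
            ptr.setdefault(".".join(reversed(owner.split(".")[:4])), set()).add(rdata[0])
    missing = sorted((ip, n) for ip, ns in a.items() for n in ns if n not in ptr.get(ip, ()))
    dangling = sorted((ip, n) for ip, ns in ptr.items() for n in ns if n not in a.get(ip, ()))
    return missing, dangling
```

Name comparison is case-insensitive, so the POP3 PTR above matches the pop3 A record.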
Part 2: Verification commands
dig -t A www.magedu.com
dig -x 172.16.100.1
dig -t AXFR 100.16.172.in-addr.arpa
dig -t AXFR magedu.com
Part 3: Master/slave configuration and TSIG
The slave server for magedu.com is at 172.16.100.2.
The slave synchronizes its data from the master, so we first have to define who is allowed to transfer the zone;
this is done with the allow-transfer {}; statement.
Edit /etc/named.conf with vim:
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { none; };
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 127.0.0.0/8; 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
    allow-transfer { none; };
};
Check with dig -t AXFR magedu.com: the transfer is refused.
Check with dig -t AXFR magedu.com @127.0.0.1: the transfer is allowed.
This is because the transfer ACL is matched strictly against the source address.
Address-based transfer control like this is not very secure; you can use key-based authentication instead.
Now build a slave for the forward zone magedu.com.
First pick a host and change its hostname: edit /etc/sysconfig/network with vim and set it to ns2.magedu.com, then run hostname ns2.magedu.com.
Check the IP address with ifconfig, then change it with setup:
run setup --> Enter --> Network configuration --> Edit Devices --> eth0 (eth0) - Advanced --> IP: 172.16.100.2; NETMASK: 255.255.0.0; GATEWAY IP: 172.16.0.1
--> <New Device> --> Edit DNS configuration --> Primary DNS 127.0.0.1 --> save and quit
Run service network restart
Edit /etc/named.conf with vim:
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { none; };
};
zone "magedu.com" IN {
    type slave;
    file "slaves/magedu.com.zone";
    masters { 172.16.100.1; };
    allow-transfer { none; };
};
zone "100.16.172.in-addr.arpa" IN {
    type slave;
    file "slaves/172.16.100.zone";
    masters { 172.16.100.1; };
    allow-transfer { none; };
};
The files to create are localhost.zone, 127.0.0.zone, magedu.com.zone and 172.16.100.zone,
and the remaining changes are the same as when setting up the master.
Once that is done, go back to the master and
edit /etc/named.conf with vim:
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { none; };
};
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 127.0.0.0/8; 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
    allow-transfer { 127.0.0.0/8; 172.16.100.2; };
};
Then run rndc reconfig to finish, go back to the slave
and verify with dig -t AXFR magedu.com @127.0.0.1.
That gives a simple master/slave setup.
Implementing TSIG:
The dnssec-keygen command generates the key:
dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns-ns2.magedu.com.
-a algorithm
If no algorithm is specified, RSASHA1 is used by default; in fact, for DNSSEC only RSASHA1 can be used, while for TSIG HMAC-MD5 is the mandatory algorithm.
-b keysize
The supported key lengths depend on the algorithm: RSA: 512-2048, DH: 128-4096, HMAC: 1-512.
-n nametype
The owner of the key, i.e. its usage level: ZONE (DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (host (KEY)), USER (a user (KEY)) or OTHER (DNSKEY); the default is ZONE.
{name}
The name of the key is specified on the command line. For DNSSEC the name must be the name of the zone the key serves; for TSIG it is usually the names of the two communicating parties.
The procedure is as follows:
On the slave, change to the /etc/named directory and generate the key with dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns-ns2.magedu.com.
This creates two files, *.key and *.private, in that directory. Copy the *.key and *.private files to the master with scp -p. Then cat the *.private file, copy the string that follows Key:, open /etc/named.conf on the master with vim and add the following stanzas after the options block:
key "ns-ns2.magedu.com." {
    algorithm hmac-md5;
    secret "<paste the value after Key: here>";
};
server 172.16.100.2 {
    keys { "ns-ns2.magedu.com."; };
};
Then add the same thing at the same place in the other host's /etc/named.conf (the slave), pointing at the master:
key "ns-ns2.magedu.com." {
    algorithm hmac-md5;
    secret "<paste the value after Key: here>";
};
server 172.16.100.1 {
    keys { "ns-ns2.magedu.com."; };
};
Then on the master, open /etc/named.conf with vim and change the following zones to:
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };
};
zone "100.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.100.zone";
    allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };
};
Then edit the file 172.16.100.zone with vim; its contents are:
$TTL 86400
$ORIGIN 100.16.172.in-addr.arpa.
@       IN SOA  ns.magedu.com. admin.magedu.com. (
            2012101802
            1H
            5M
            7D
            1D )
        IN NS   ns.magedu.com.
        IN NS   ns2.magedu.com.
1       IN PTR  ns.magedu.com.
        IN PTR  www.magedu.com.
2       IN PTR  pop3.magedu.com.
2       IN PTR  ns2.magedu.com.
3       IN PTR  POP3.magedu.com.
6       IN PTR  ldap.magedu.com.
Save and quit.
Then run rndc reload.
Then on the slave run: dig -x 172.16.100.2 @127.0.0.1
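To review the allow-transfer ACLs once the key stanzas are in place, here is an added audit script (not from the original post) that walks the zone stanzas of a named.conf written in the style used above and classifies each master zone's transfer policy; the sample configuration is constructed from the master's file, with the secret redacted, plus one unrestricted zone so the audit has something to flag.

```python
import re

# Constructed sample: the master's /etc/named.conf from the TSIG step above (secret redacted),
# plus one deliberately unrestricted zone, so the audit has something to flag.
NAMED_CONF = """
options { directory "/var/named"; };
key "ns-ns2.magedu.com." { algorithm hmac-md5; secret "<redacted>"; };
server 172.16.100.2 { keys { "ns-ns2.magedu.com."; }; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-transfer { none; }; };
zone "magedu.com" IN {
    type master;
    file "magedu.com.zone";
    allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };
};
zone "100.16.172.in-addr.arpa" IN { type master; file "172.16.100.zone"; allow-transfer { any; }; };
zone "example.test" IN { type master; file "example.test.zone"; };
"""

def blocks(text, keyword):
    """Yield (label, body) for each top-level `keyword "label" ... { body };` statement."""
    for m in re.finditer(r'^\s*' + keyword + r'\s+"([^"]+)"[^{]*\{', text, re.M):
        depth, i = 1, m.end()
        while depth:                                   # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def audit_transfers(conf):
    """Classify each master zone's allow-transfer ACL: none, key, address, any or unrestricted."""
    report = {}
    for name, body in blocks(conf, "zone"):
        if not re.search(r"\btype\s+master\s*;", body):
            continue
        m = re.search(r"allow-transfer\s*\{([^}]*)\}", body)
        if m is None:
            report[name] = "unrestricted"              # BIND 9 of this era allows any host by default
            continue
        acl = [e.strip() for e in m.group(1).split(";") if e.strip()]
        if acl == ["none"]:
            report[name] = "none"
        elif "any" in acl:
            report[name] = "any"
        elif any(e.startswith("key ") for e in acl):
            report[name] = "key"                       # TSIG-authenticated transfer
        else:
            report[name] = "address"                   # source-address match only, as the text warns
    return report
```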
Part 4: Subdomain delegation
magedu.com has two subdomains, tech and fin, i.e. tech.magedu.com. and fin.magedu.com.; their addresses are 172.16.101.1 and 172.16.102.1.
To delegate the subdomains in the forward zone, proceed as follows:
Edit the forward zone file on the master with vim magedu.com.zone:
$TTL 86400
$ORIGIN magedu.com.    ; the trailing dot makes the origin absolute
@       IN SOA  ns.magedu.com. admin.magedu.com. (
            2012101802
            1H
            5M
            7D
            1D )
        IN NS   ns
        IN NS   ns2
        IN MX   10 mail
ns      IN A    172.16.100.1
ns2     IN A    172.16.100.2
www     IN A    172.16.100.1
ftp     IN CNAME www
pop3    IN A    172.16.100.2
        IN A    172.16.100.3
ldap    IN A    172.16.100.6
tech.magedu.com.    IN NS   dns.tech.magedu.com.
tech.magedu.com.    IN NS   ns2.tech.magedu.com.
dns.tech.magedu.com.    IN A    172.16.101.1
ns2.tech.magedu.com.    IN A    172.16.101.2
fin.magedu.com.     IN NS   dns.fin.magedu.com.
dns.fin.magedu.com.     IN A    172.16.102.1
Then save and quit.
Then run rndc notify magedu.com to push the change to the slave.
Go back to the slave and check with cat magedu.com.zone.
Then start another virtual machine and change its IP address as follows:
Check the IP address with ifconfig, then change it with setup:
run setup --> Enter --> Network configuration --> Edit Devices --> eth0 (eth0) - Advanced --> IP: 172.16.101.1; NETMASK: 255.255.0.0; GATEWAY IP: 172.16.0.1
--> <New Device> --> Edit DNS configuration --> Hostname dns.tech.magedu.com --> Primary DNS 172.16.101.1 --> save and quit
Run service network restart
Then run hostname dns.tech.magedu.com to change the hostname.
Then install bind again as in Part 1.
Edit this server's configuration file with vim magedu.com.conf; its contents are:
options {
    directory "/var/named";
    forward only;
    forwarders { 172.16.0.1; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { none; };
};
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { none; };
};
zone "tech.magedu.com" IN {
    type master;
    file "tech.magedu.com.zone";
};
zone "101.16.172.in-addr.arpa" IN {
    type master;
    file "172.16.101.zone";
};
zone "magedu.com" IN {
    type forward;
    forward only;
    forwarders { 172.16.100.1; 172.16.100.2; };
};
zone "100.16.172.in-addr.arpa" IN {
    type forward;
    forward only;
    forwarders { 172.16.100.1; 172.16.100.2; };
};
Check the syntax with named-checkconf.
Restart with service named restart.
Then test with:
dig -t A www.tech.magedu.com @127.0.0.1
dig -t A www.magedu.com @127.0.0.1
dig -x 172.16.100.1 @127.0.0.1
This completes the forwarding setup.
Part 5: Compiling and installing BIND
First set up the build environment, installing everything with yum:
yum -y groupinstall "Development Libraries" "Development Tools"
Then download bind-9.9.2.tar.gz and remove the old bind-libs and bind-utils packages with
rpm -e bind-libs bind-utils
Unpack the archive with tar xf bind-9.9.2.tar.gz
Enter the directory with cd bind-9.9.2
Create the group: groupadd -r named
Create the user: useradd -g named -r -s /sbin/nologin named
Then build and install bind:
Step 1: ./configure --prefix=/usr/local/named --disable-openssl-version-check --sysconfdir=/etc/named
Step 2: make
Step 3: make install
Run cd, then cd /usr/local/named and ls to look at the directory.
Then open /etc/profile (the file containing the line export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC) with vim and add the following line above that export line:
PATH=$PATH:/usr/local/named/sbin:/usr/local/named/bin
Save and quit, then restart so the new PATH takes effect.
Then cd /etc/named/
Create named.conf with vim named.conf; its contents are:
options {
    directory "/var/named";
};
zone "." IN {
    type hint;
    file "named.root";
};
Save and quit.
Then run dig -t NS . to display the root server records.
Then create the directory: mkdir /var/named
and save the root server records into it: dig -t NS . > /var/named/named.root
Fix the group and permissions of these files:
chown :named /etc/named/named.conf /var/named/named.root
chmod 640 /etc/named/named.conf /var/named/named.root
Check the syntax with named-checkconf.
Then run rndc-confgen > rndc.key
Set its permissions with chmod 640 rndc.key
Display it with cat rndc.key
and copy its last 11 lines to the end of the main configuration file, vim named.conf.
Verify with rndc status.
Edit the init script with vim /etc/rc.d/init.d/named and enter the following:
#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 66 34
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
[ -r /etc/sysconfig/network ] && . /etc/sysconfig/network

# Don't kill named during clean-up
NAMED_SHUTDOWN_TIMEOUT=${NAMED_SHUTDOWN_TIMEOUT:-100}

RETVAL=0
named='named'
prog=$named
named_conf='/etc/named/named.conf';
# Install prefix of the compiled BIND (not a chroot); named writes its pid below $ROOTDIR/var/run/named
ROOTDIR='/usr/local/named';

start() {
    [ -x /usr/local/named/sbin/$named ] || exit 5
    # Start daemons.
    echo -n $"Starting $named: "
    if [ -n "`/sbin/pidof -o %PPID $named`" ]; then
        echo -n $"$named: already running"
        failure
        echo
        return 1
    fi
    ckcf_options='-z'; # enable named-checkzone for each zone (9.3.1+) !
    conf_ok=0;
    if [ -x /usr/local/named/sbin/named-checkconf ] && [ -x /usr/local/named/sbin/named-checkzone ] && /usr/local/named/sbin/named-checkconf $ckcf_options ${named_conf} >/dev/null 2>&1; then
        conf_ok=1;
    else
        RETVAL=$?;
    fi
    if [ $conf_ok -eq 1 ]; then
        daemon /usr/local/named/sbin/$named -u named
        RETVAL=$?;
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/run/named.pid 2> /dev/null
            ln -s $ROOTDIR/var/run/named/named.pid /var/run/named.pid;
        fi;
        if [ -n "`/sbin/pidof -o %PPID $named`" ]; then
            # Verify that named actually started
            if [ ! -e $ROOTDIR/var/run/named/named.pid ]; then
                # If there is not a file containing the PID of the now running named daemon then create it (JM 2006-10-04)
                echo `/sbin/pidof -o %PPID $named` > $ROOTDIR/var/run/named/named.pid;
            fi;
        fi;
    else
        named_err="`/usr/local/named/sbin/named-checkconf $ckcf_options $named_conf 2>&1`";
        echo
        echo $"Error in named configuration"':';
        echo "$named_err";
        failure
        echo
        if [ -x /usr/bin/logger ]; then
            echo "$named_err" | /usr/bin/logger -pdaemon.error -tnamed
        fi;
        return 7;
    fi;
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
    echo
    return $RETVAL
}

stop() {
    # Stop daemons.
    echo -n $"Stopping $named: "
    /usr/local/named/sbin/rndc stop >/dev/null 2>&1
    RETVAL=$?
    [ "$RETVAL" -eq 0 ] || killproc "$named" -TERM >/dev/null 2>&1
    timeout=0
    while /sbin/pidof -o %PPID "$named" >/dev/null; do
        if [ $timeout -ge $NAMED_SHUTDOWN_TIMEOUT ]; then
            RETVAL=1
            break
        else
            sleep 2 && echo -n "."
            timeout=$((timeout+2))
        fi;
    done
    if [ $RETVAL -eq 0 ]; then
        rm -f /var/lock/subsys/named
        rm -f /var/run/named.pid
    fi;
    # if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
    #     if egrep -q '^/proc[[:space:]]+'${ROOTDIR}'/proc' /proc/mounts; then
    #         umount ${ROOTDIR}/proc >/dev/null 2>&1
    #     fi
    # fi;
    if [ $RETVAL -eq 0 ]; then
        success
    else
        failure
    fi;
    echo
    return $RETVAL
}

rhstatus() {
    /usr/local/named/sbin/rndc status
    status /usr/local/named/sbin/$named
    return $?
}

restart() {
    stop
    # wait a couple of seconds for the named to finish closing down
    sleep 2
    start
}

reload() {
    echo -n $"Reloading $named: "
    p=`/sbin/pidof -o %PPID $named`
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
        /usr/local/named/sbin/rndc reload >/dev/null 2>&1 || /bin/kill -HUP $p;
        RETVAL=$?
    fi
    [ "$RETVAL" -eq 0 ] && success $"$named reload" || failure $"$named reload"
    echo
    return $RETVAL
}

probe() {
    # named knows how to reload intelligently; we don't want linuxconf
    # to offer to restart every time
    /usr/local/named/sbin/rndc reload >/dev/null 2>&1 || echo start
    return $?
}

checkconfig() {
    # ROOTDIR is the install prefix, not a chroot, so named-checkconf is run without -t;
    # its exit status is returned directly so that a broken configuration is reported.
    ckcf_options='-z'; # enable named-checkzone for each zone (9.3.1+) !
    if [ -x /usr/local/named/sbin/named-checkconf ] && [ -x /usr/local/named/sbin/named-checkzone ] && /usr/local/named/sbin/named-checkconf $ckcf_options ${named_conf}; then
        return 0;
    else
        return 1;
    fi
}

# See how we were called.
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    status)
        rhstatus
        ;;
    restart)
        restart
        ;;
    condrestart)
        [ -e /var/lock/subsys/named ] && restart;
        ;;
    reload)
        reload
        ;;
    probe)
        probe
        ;;
    checkconfig|configtest|check|test)
        checkconfig
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|configtest|probe}"
        exit 2
esac
exit $?
Save and quit.
Then run:
chmod +x /etc/rc.d/init.d/named
bash -n /etc/rc.d/init.d/named
chkconfig --add named
chkconfig --list named
chkconfig named on
Then verify with:
service named start
service named restart
Part 6: Logging
Implement the following logging: define a channel that writes to a file, keeping 10 rotated versions of at most 10M each,
with severity dynamic,
and recording the extra information (time, category and severity);
then define a category that sends query log messages to that channel.
Proceed as follows:
On the master, open /etc/named.conf with vim
and add the following after the options block:
logging {
    channel query_log {
        file "/var/log/bind.queries.log" versions 10 size 10M;
        severity dynamic;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { query_log; };
};
Then check the syntax with named-checkconf.
Then run:
cd /var/log
touch bind.queries.log
chown -R named:named bind.queries.log
chmod 640 bind.queries.log
Restart with service named restart.
Then verify with dig -t A www.magedu.com @127.0.0.1
Part 7: queryperf and dnstop
dnstop - displays various tables of DNS traffic on your network
1. Description
dnstop collects and displays the DNS activity seen on the local host; it must be run as root.
2. Installation path: /usr/local/bin/dnstop
3. Syntax
dnstop [-aps] [-b expression] [-i address] [device] [savefile]
4. Options
-a   anonymize addresses
-b expression   BPF filter expression
-i address   ignore the given address
-p   do not put the interface into promiscuous mode
-s   collect second-level domain statistics
savefile   a saved network capture, e.g. from tcpdump
device   network interface name (e.g. ed0 or fxp0)
While dnstop is running, several keys are available:
s   switch to the table of query source addresses
d   switch to the table of query destination addresses
t   switch to the table of query types
1   show the TLD table (the last label of each name)
2   show the SLD table (the last two labels; dnstop must be started with -s)
^R   Ctrl+R resets the counters
^X   Ctrl+X exits the program
queryperf is a load-testing tool.
1. Its working directory is bind-9.2.2/contrib/queryperf
2. To install it, go into bind-9.2.2/contrib/queryperf, run ./configure and then make, and it is ready to use
3. Test with queryperf -d test -s DNS
"-d" is followed by the name of the test file created earlier: test
"-s" is followed by the server to be tested
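To get the tables dnstop builds from live traffic out of the query log configured in Part 6 instead, the following added Python script (not part of the original post) parses lines in the format the query_log channel writes with print-time, print-category and print-severity enabled, builds the same source, query-type and SLD tables, and lists clients that asked for zone transfers or ANY; the log lines are constructed samples.

```python
import re
from collections import Counter

# Constructed sample lines in the format the query_log channel above produces with
# print-time, print-category and print-severity enabled (example data, not a real log).
SAMPLE_LOG = """\
18-Oct-2012 17:04:01.120 queries: info: client 172.16.100.2#53241: query: www.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:04:01.530 queries: info: client 172.16.100.2#53242: query: ftp.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:04:02.004 queries: info: client 172.16.0.77#40001: query: magedu.com IN AXFR - (172.16.100.1)
18-Oct-2012 17:04:02.010 queries: info: client 172.16.0.77#40002: query: magedu.com IN ANY + (172.16.100.1)
18-Oct-2012 17:04:02.011 queries: info: client 172.16.0.77#40003: query: 1.100.16.172.in-addr.arpa IN PTR + (172.16.100.1)
18-Oct-2012 17:04:03.900 queries: info: client 172.16.100.6#5353: query: ldap.magedu.com IN A + (172.16.100.1)
not a query line at all
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+ \S+) queries: (?P<severity>\w+): client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[\d.]+)\)$")

def parse_query_log(text):
    """Return one dict per well-formed query line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def last_labels(name, n):
    """dnstop-style TLD (n=1) or SLD (n=2) key for a query name."""
    return ".".join(name.rstrip(".").lower().split(".")[-n:])

def summarize(entries):
    """The per-source, per-type and SLD tables dnstop shows, built from the file instead of the wire."""
    return {
        "sources": Counter(e["client"] for e in entries),
        "qtypes": Counter(e["qtype"] for e in entries),
        "sld": Counter(last_labels(e["name"], 2) for e in entries),
    }

def suspicious_sources(entries, bulk_types=("AXFR", "IXFR", "ANY")):
    """Clients that asked for zone-transfer or ANY answers, with the count of such queries."""
    return Counter(e["client"] for e in entries if e["qtype"] in bulk_types)
```

Run the script against /var/log/bind.queries.log by passing the file's contents to parse_query_log; the AXFR/ANY table is the one to compare against the allow-transfer ACLs from Part 3.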
This article comes from the "傲剑" blog; please contact the author before reprinting.