Reposted from a forum user's post
Installing DNS on Linux: rndc-confgen gives no response
A few days ago a friend asked me whether I had ever seen rndc-confgen produce no response when setting up DNS on Linux. I really hadn't. He was in a hurry, so I had him send me SSH access and connected to take a look: rndc-confgen simply hung, and the only way out was Ctrl+C. I then looked at rndc-confgen --help and saw the randomfile option; I remembered that this was about the random-number generator, so it had to be related. A Google search confirmed it; on the official site I found this message:
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)
start typing:
rndc-confgen: generate key: out of entropy
Roughly, this means the server has no random-number source, so in this situation we supply a file of our own to stand in for /dev/random. Caveat: rndc-confgen trusts whatever -r points at as entropy, so a key generated from a string typed at the keyboard is only as secret as that string. If /dev/urandom exists, use -r /dev/urandom instead; otherwise fill the file from a real random source (for example, a few hundred bytes copied from another machine's /dev/urandom), and delete the file once the key has been generated.
Enough talk; here is how I solved it for him.
Test domain: www.nginxs.com
shell $> wget http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz
(Verify the tarball against the .asc signature or checksum ISC publishes next to it before building. 9.6.1-P3 is the version from the original post and has been out of support for years; use a current release for any new deployment.)
shell $> tar zxvf bind-9.6.1-P3.tar.gz
shell $> cd bind-9.6.1-P3
shell $> ./configure --prefix=/usr/local/named --enable-epoll --enable-openssl-version-check --enable-threads --disable-ipv6 --enable-largefile
shell $> make
shell $> make install
shell $> cd /usr/local/named/etc
### This is where the problem appeared: no response, time to google ###
shell $> ../sbin/rndc-confgen > rndc.conf
### Create a random file and type a random string into it (remember to make it long!).
### A typed string is weak entropy; if /dev/urandom exists, use -r /dev/urandom instead. The original post used this file:
shell $> vim random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl
### View the rndc-confgen help
shell $> ../sbin/rndc-confgen --help
rndc-confgen: invalid argument --
Usage:
rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] [-s addr] [-t chrootdir] [-u user]
-a: generate just the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)
-b bits: from 1 through 512, default 128; total length of the secret
-c keyfile: specify an alternate key file (requires -a)
-k keyname: the name as it will be used in named.conf and rndc.conf
-p port: the port named will listen on and rndc will connect to
-r randomfile: a file containing random data
-s addr: the address to which rndc should connect
-t chrootdir: write a keyfile in chrootdir as well (requires -a)
-u user: set the keyfile owner to "user" (requires -a)
shell $> ../sbin/rndc-confgen -r random > rndc.key
OK, problem solved. (Note that this file holds the complete rndc-confgen output, i.e. an rndc.conf; rndc reads rndc.conf from its etc directory by default and falls back to rndc.key only when rndc.conf is absent.) Next, let's configure our domain name server.
#### Extract the key that named.conf needs from rndc.key and generate named.conf; alternatively, just copy the commented-out part of rndc.key into named.conf
shell $> tail -10 rndc.key | head -9 | sed 's/# //g' > named.conf
shell $> cat named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
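The key step above, as an added example that is not part of the original post: generate the rndc secret directly from the kernel random device instead of a typed file, then write rndc.conf and the named.conf key/controls clauses from one value so the two secrets cannot disagree (the tail/head/sed extraction is where a mismatch usually slips in). It keeps hmac-md5 and the key name "rndc-key" to match the post; current BIND versions default to hmac-sha256 but accept the same base64 secret format. The file name named.conf.keys and the output directory are assumptions for illustration; the rest uses only coreutils (head, base64, sed, awk).

```shell
# Added example (not the original post's commands): build the rndc secret from
# the kernel random device and write both config files from the same value.

# entropy_source -> path of a usable random device, or failure.
# /dev/urandom exists on every Linux and is the right source for a key;
# a string typed at the keyboard is not.
entropy_source() {
    for dev in /dev/urandom /dev/random; do
        if [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# rndc_secret BITS -> base64 of BITS/8 random bytes, the same shape as the
# "secret" value rndc-confgen -b BITS emits (128 bits -> 16 bytes -> 24 chars).
rndc_secret() {
    bits=${1:-128}
    src=$(entropy_source) || return 1
    head -c "$((bits / 8))" "$src" | base64 | tr -d '\n'
}

# secret_bits SECRET -> how many bits the base64 secret decodes to.
secret_bits() {
    printf '%s' "$1" | base64 -d | wc -c | awk '{print $1 * 8}'
}

# write_rndc_files DIR SECRET -> DIR/rndc.conf (for rndc) and
# DIR/named.conf.keys (to include from named.conf), both carrying SECRET.
write_rndc_files() {
    dir=$1
    secret=$2
    # The secret grants control of named, so create both files 0600.
    (
    umask 077
    cat > "$dir/rndc.conf" <<EOF
key "rndc-key" {
    algorithm hmac-md5;
    secret "$secret";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
EOF
    cat > "$dir/named.conf.keys" <<EOF
key "rndc-key" {
    algorithm hmac-md5;
    secret "$secret";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
    )
}

# extract_secret FILE -> the quoted value of the first "secret" line.
extract_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# secrets_match FILE1 FILE2 -> success only if both carry the same non-empty
# secret; run this after editing either file by hand.
secrets_match() {
    a=$(extract_secret "$1")
    b=$(extract_secret "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}
```

Typical use: `s=$(rndc_secret 128); write_rndc_files /usr/local/named/etc "$s"; secrets_match /usr/local/named/etc/rndc.conf /usr/local/named/etc/named.conf.keys && echo ok`, followed by an `include "/usr/local/named/etc/named.conf.keys";` line in named.conf in place of the pasted key and controls clauses.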
#### Generate named.root with dig; this is the standard root-hints file.
#### With it, anything the local DNS cannot resolve itself is looked up starting from the root.
#### Caveat: a bare dig asks your system resolver for the root NS set, which only yields a usable hints file if that resolver also returns the root servers' addresses. Ask a root server directly with dig @a.root-servers.net . NS, or fetch the published file from https://www.internic.net/domain/named.root.
shell $> dig > named.root
Configure named.conf
shell $> vim named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
options {
    // Relative to the chroot directory, if any
    directory "/usr/local/named/etc";
    pid-file "/usr/local/named/var/run/named/pid";
    dump-file "/usr/local/named/var/dump/named_dump.db";
    statistics-file "/usr/local/named/var/stats/named.stats";
    listen-on { 192.168.6.44; };
    forwarders {
        202.106.0.20;
    };
};
zone "." {
    type hint;
    file "/usr/local/named/etc/named.root";
};
zone "ludy.com" {
    type master;
    file "dynamic/www.nginxs.com";
};
Create the zone file
shell $> mkdir dynamic
shell $> vim dynamic/www.nginxs.com
$TTL 86400
$ORIGIN ludy.com.
@       IN SOA  nginxs.com. root.nginxs.com. (
                2009072901  ; serial
                68400       ; refresh
                86400       ; retry
                3600000     ; expire
                36000 )     ; minimum
@       IN NS   ns.nginxs.com.
@       IN MX   10 mail.nginxs.com.
www     IN A    192.168.6.44
mail    IN A    192.168.6.44
ns      IN A    192.168.6.44
Since I don't need reverse resolution, I didn't set it up. Now start named in foreground debug mode (-g) to see whether there are any errors.
shell $> ../sbin/named -g
27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g
27-Jan-2010 02:48:57.508 built with '--prefix=/usr/local/named' '--enable-epoll' '--enable-openssl-version-check' '--enable-threads' '--disable-ipv6' '--enable-largefile'
27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576
27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread
27-Jan-2010 02:48:57.510 using up to 4096 sockets
27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’
27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]
27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]
27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53
27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA
27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953
27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -g option
27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901
27-Jan-2010 02:48:57.552 running
27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)
OK, it works.
At this point the DNS server is still not very secure, because it is exposed to the public Internet. A server that recurses for anyone can be used as a reflector in DNS amplification attacks and gives attackers a cache to poison. If all you want to serve publicly is your own zones, restrict recursion (and lookups in the cache) to your own networks with an ACL, and leave allow-query open only so that the authoritative answers stay reachable. Also make sure the key clause carries the same secret as rndc.conf: the secret below differs from the rndc.key generated earlier, so rndc would fail to authenticate unless that file is updated to match.
shell $> vim named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "bMXdKGcP5tqUFUnG7CTzmw==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "trusted" {
    192.168.6.0/24;
};
options {
    // Relative to the chroot directory, if any
    directory "/usr/local/named/etc";
    pid-file "/usr/local/named/var/run/named/pid";
    dump-file "/usr/local/named/var/dump/named_dump.db";
    statistics-file "/usr/local/named/var/stats/named.stats";
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    listen-on { 192.168.6.105; };
    forwarders {
        202.106.0.20;
    };
};
zone "." {
    type hint;
    file "/usr/local/named/etc/named.root";
};
zone "ludy.com" {
    type master;
    file "dynamic/www.nginxs.com";
};
My own feeling is that when allow-recursion is not set, allow-query-cache can take over the role of allow-recursion; there is an inheritance relationship between them. If you want to deny users' recursive queries, you must also close the allow-query-cache option, otherwise users may still be able to find data in the cache. Above, I created an ACL rule to specify which users may use your DNS server.
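The inheritance described above, as an added example that is not part of the original post: a small POSIX shell check that reads a named.conf and reports whether the server would recurse for any client, following the order BIND uses when allow-recursion is absent (allow-query-cache, then allow-query, then the built-in default of localnets and localhost). The four sample configurations it writes are constructed for the demonstration; only the option names and the trusted ACL come from the post. It is a text check, not a parser: it assumes a single view, strips comments, and treats only a literal any as open, so use it as a quick audit alongside named-checkconf rather than instead of it.

```shell
# Added example (not the original post's commands): a static audit of the
# recursion policy in a named.conf.  BIND decides who may recurse in this
# order when allow-recursion is absent: allow-query-cache, then allow-query,
# then its default of { localnets; localhost; }.  Text-based, single view.

# strip_comments FILE -> config text with // and # comments removed, joined
# onto one line so a clause can span several lines in the file.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' '
}

# clause_body FILE OPTION -> the text between the braces of "OPTION { ... }",
# or nothing when the option is absent.  "allow-query" does not match
# "allow-query-cache" because the pattern requires "{" right after the name.
clause_body() {
    strip_comments "$1" | sed -n "s/.*$2[[:space:]]*{\([^}]*\)}.*/\1/p"
}

# recursion_policy FILE -> prints open | restricted | disabled.
# Returns non-zero only for "open" (the server would recurse for anyone).
recursion_policy() {
    conf=$1
    if strip_comments "$conf" | grep -Eq '(^|[[:space:]])recursion[[:space:]]+no[[:space:]]*;'; then
        echo disabled
        return 0
    fi
    body=""
    for opt in allow-recursion allow-query-cache allow-query; do
        body=$(clause_body "$conf" "$opt")
        [ -n "$body" ] && break
    done
    if [ -z "$body" ]; then
        echo restricted    # nothing set: BIND falls back to localnets; localhost;
        return 0
    fi
    case " $body " in
        *" any;"*|*" any "*)
            echo open
            return 1 ;;
        *)
            echo restricted
            return 0 ;;
    esac
}

# write_sample_confs DIR -> four constructed configs (not the post's full
# named.conf) that exercise each branch of the policy lookup.
write_sample_confs() {
    dir=$1
    # 1: recursion for anyone: a poisoning target and an amplification reflector
    cat > "$dir/open.conf" <<'EOF'
options {
    directory "/usr/local/named/etc";
    allow-query { any; };
    allow-recursion { any; };   // open resolver
};
EOF
    # 2: the post's hardened shape: answers for all, recursion only for the LAN
    cat > "$dir/restricted.conf" <<'EOF'
acl "trusted" {
    192.168.6.0/24;
};
options {
    directory "/usr/local/named/etc";
    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
EOF
    # 3: allow-recursion absent, so allow-query-cache decides, and it says any
    cat > "$dir/inherit.conf" <<'EOF'
options {
    allow-query { any; };
    allow-query-cache { any; };
};
EOF
    # 4: authoritative-only server: recursion switched off entirely
    cat > "$dir/auth.conf" <<'EOF'
options {
    recursion no;
    allow-query { any; };
};
EOF
}
```

Run it against a live file with `recursion_policy /usr/local/named/etc/named.conf`; an exit status of 1 means the server answers recursive queries from anywhere and needs an allow-recursion (and allow-query-cache) clause limited to your own networks.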
Next, find a machine on the 192.168.6.0/24 network and test, as shown in the screenshot (not reproduced here):
Query www.nginxs.com
# nslookup www.nginxs.com