Prerequisites: a Linux host. This article uses Red Hat Enterprise Linux 5.8.
Part 1: DNS configuration

1. Run yum list all bind* to see which BIND packages are available. Remove the installed BIND 9.3 packages with rpm -e bind-libs bind-utils, then install the 9.7 packages with yum -y install bind97 bind97-utils bind97-libs.

2. Move the stock configuration file aside with mv /etc/named.conf /etc/named.conf.origin and write your own /etc/named.conf (vim /etc/named.conf):

    options {
        directory "/var/named";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
    };
    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
    };
    zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
    };

Save and quit with :wq. Every statement ends with a semicolon; named-checkconf rejects the file otherwise.

3. cd /var/named/. Four zone files are needed: localhost.zone, 127.0.0.zone, magedu.com.zone and 172.16.100.zone.

localhost.zone (vim localhost.zone):

    $TTL 86400
    @           IN SOA  localhost. admin.localhost. (
                        2012101801
                        1H
                        5M
                        7D
                        1D )
    @           IN NS   localhost.
    localhost.  IN A    127.0.0.1

127.0.0.zone (vim 127.0.0.zone):

    $TTL 86400
    @   IN SOA  localhost. admin.localhost. (
                2012101801 1H 5M 7D 1D )
    @   IN NS   localhost.
    1   IN PTR  localhost.

magedu.com.zone (vim magedu.com.zone):

    $TTL 86400
    $ORIGIN magedu.com.
    @       IN SOA  ns.magedu.com. admin.magedu.com. (
                    2012101801 1H 5M 7D 1D )
            IN NS   ns
            IN NS   ns2
            IN MX   10 mail
    ns      IN A    172.16.100.1
    ns2     IN A    172.16.100.2
    www     IN A    172.16.100.1
    ftp     IN CNAME www
    pop3    IN A    172.16.100.2
            IN A    172.16.100.3
    ldap    IN A    172.16.100.6

The trailing dot on $ORIGIN magedu.com. matters: BIND qualifies a relative $ORIGIN against the current origin, so without the dot the records would end up under magedu.com.magedu.com. and named-checkzone would complain that the SOA is not at the top of the zone. Also note that the MX points at mail but no A record for mail is defined, so named-checkzone warns that the MX target has no address record; add one before using this zone for real. A name that starts in column one is an owner name; a line that starts with whitespace reuses the previous owner (the two A records for pop3 are a round-robin pair).

172.16.100.zone (vim 172.16.100.zone):

    $TTL 86400
    $ORIGIN 100.16.172.in-addr.arpa.
    @   IN SOA  ns.magedu.com. admin.magedu.com. (
                2012101801 1H 5M 7D 1D )
        IN NS   ns.magedu.com.
        IN NS   ns2.magedu.com.
    1   IN PTR  ns.magedu.com.
        IN PTR  .
    2   IN PTR  pop3.magedu.com.
    3   IN PTR  pop3.magedu.com.
    6   IN PTR  ldap.magedu.com.

(The target of the second PTR for 1 is missing in the source as published; it should name the other host that shares 172.16.100.1.) Save and quit.

With the four files created, set ownership and permissions so that only root and the named group can read them:

    chmod 640 /etc/named.conf localhost.zone 127.0.0.zone 172.16.100.zone magedu.com.zone
    chown :named /etc/named.conf localhost.zone 127.0.0.zone 172.16.100.zone magedu.com.zone

Verify with ll:

    total 88
    -rw-r----- 1 root  named  321 Oct 18 17:04 127.0.0.zone
    -rw-r----- 1 root  named  625 Oct 19 02:49 172.16.100.zone
    drwxrwx--- 2 named named 4096 Nov 17  2011 data
    drwxrwx--- 2 named named 4096 Nov 17  2011 dynamic
    -rw-r----- 1 root  named  341 Oct 18 17:00 localhost.zone
    -rw-r----- 1 root  named  642 Oct 18 20:36 magedu.com.zone
    -rw-r----- 1 root  named 1892 Feb 18  2008 named.ca
    -rw-r----- 1 root  named  152 Dec 15  2009 named.empty
    -rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
    -rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
    drwxrwx--- 2 named named 4096 Nov 17  2011 slaves

Then check the syntax:

    named-checkconf
    named-checkzone "magedu.com" magedu.com.zone
    named-checkzone "100.16.172.in-addr.arpa" 172.16.100.zone

Start the service with service named start and confirm it is listening with netstat -tunlp | grep 53. This is a toy DNS server for practice only: the addresses in it are made up.
Part 2: Verification commands

    dig -t A <name>
    dig -x 172.16.100.1
    dig -t AXFR 100.16.172.in-addr.arpa
    dig -t AXFR magedu.com

Part 3: Master/slave setup and TSIG

The slave for magedu.com will be 172.16.100.2. A slave obtains its data from the master by zone transfer, so the first thing to decide is who may transfer each zone: that is the allow-transfer {}; clause. Edit /etc/named.conf on the master:

    options {
        directory "/var/named";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-transfer { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
        allow-transfer { none; };
    };
    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 127.0.0.0/8; 172.16.100.2; };
    };
    zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
        allow-transfer { none; };
    };

Check it: dig -t AXFR magedu.com goes to whatever resolver /etc/resolv.conf names, and unless that resolver is 127.0.0.1 or 172.16.100.2 the transfer is refused. dig -t AXFR magedu.com @127.0.0.1 succeeds because 127.0.0.0/8 is in the list. An ACL keyed on source address alone is weak: it only checks where a request says it comes from, so any host that can use, hijack or impersonate the permitted address can pull the whole zone, and zones without an allow-transfer clause are transferable by anyone, since BIND's default is any. Transfers can instead be authenticated with a shared key (TSIG). We first build a slave for the forward zone magedu.com, then add the key.
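To make the allow-transfer point concrete, here is an added example that is not part of the original article: a Python 3 script that splits named.conf into its top-level statements and reports zones whose transfers are unrestricted or gated only by source address, plus TSIG key hygiene (valid base64, at least 128 bits, algorithm). The configuration text is constructed to mirror the master above; the key block, the server block and the two extra zones example.test and open.test are assumptions added so the audit has something to flag, and the secret is a placeholder.

```python
import base64
import binascii
import os
import re

# Constructed named.conf for this example: the master configuration above, with
# a placeholder TSIG secret and two assumed extra zones (example.test, open.test)
# that are deliberately loose so the audit has findings to report.
SAMPLE_NAMED_CONF = """
options { directory "/var/named"; };
key "ns-ns2.magedu.com." { algorithm hmac-md5; secret "dGhpcyBpcyBhIHRlc3Q="; };
server 172.16.100.2 { keys { "ns-ns2.magedu.com."; }; };
zone "." IN { type hint; file "named.ca"; };
zone "localhost" IN { type master; file "localhost.zone"; allow-transfer { none; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "127.0.0.zone"; allow-transfer { none; }; };
zone "magedu.com" IN {
    type master; file "magedu.com.zone";
    allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };  // key-gated
};
zone "100.16.172.in-addr.arpa" IN {
    type master; file "172.16.100.zone";
    allow-transfer { 127.0.0.0/8; 172.16.100.2; };  # address-gated only
};
zone "example.test" IN { type master; file "example.test.zone"; allow-transfer { any; }; };
zone "open.test" IN { type master; file "open.test.zone"; };
"""


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def top_level_statements(text):
    """Split the file into (head_tokens, body) pairs, one per top-level
    brace-delimited statement, e.g. (['zone', '"magedu.com"', 'IN'], ' type ... ')."""
    out, depth, start, head_end = [], 0, 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                head_end = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                out.append((text[start:head_end].split(), text[head_end + 1:i]))
        elif ch == ";" and depth == 0:
            start = i + 1
    return out


def _acl_entries(body, name):
    """Entries of a clause such as allow-transfer { a; b; }, or None if absent."""
    m = re.search(name + r"\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def parse_named_conf(text):
    keys, servers, zones = {}, {}, {}
    for head, body in top_level_statements(strip_comments(text)):
        kind, name = head[0], (head[1].strip('"') if len(head) > 1 else "")
        if kind == "key":
            alg = re.search(r"algorithm\s+([\w-]+)", body)
            sec = re.search(r'secret\s+"([^"]+)"', body)
            keys[name] = (alg.group(1).lower() if alg else "", sec.group(1) if sec else "")
        elif kind == "server":
            servers[name] = [k.strip('"') for k in (_acl_entries(body, "keys") or [])]
        elif kind == "zone":
            ztype = re.search(r"\btype\s+(\w+)", body)
            zones[name] = (ztype.group(1) if ztype else "", _acl_entries(body, "allow-transfer"))
    return keys, servers, zones


def secret_bits(secret):
    """Bit length of a base64 TSIG secret, or -1 if it is not valid base64."""
    try:
        return 8 * len(base64.b64decode(secret, validate=True))
    except (binascii.Error, ValueError):
        return -1


def new_tsig_secret(bits=128):
    """Same shape as the Key: line dnssec-keygen -a HMAC-MD5 -b 128 writes: random bits, base64."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def audit(text):
    """Return (subject, level, message) findings about zone transfers and TSIG keys."""
    keys, servers, zones = parse_named_conf(text)
    findings = []
    for zone, (ztype, acl) in zones.items():
        if ztype not in ("master", "slave"):
            continue
        if acl is None:
            findings.append((zone, "HIGH", "no allow-transfer; BIND's default is { any; }"))
        elif "any" in acl:
            findings.append((zone, "HIGH", "allow-transfer { any; } lets anyone AXFR the zone"))
        else:
            key_refs = [e.split(None, 1)[1].strip('"') for e in acl if e.startswith("key ")]
            addrs = [e for e in acl if e != "none" and not e.startswith("key ")]
            for k in key_refs:
                if k not in keys:
                    findings.append((zone, "HIGH", "allow-transfer names undefined key " + k))
            if addrs and not key_refs:
                findings.append((zone, "MEDIUM", "transfers gated by source address only (%s); "
                                 "add a TSIG key" % ", ".join(addrs)))
    for name, (alg, secret) in keys.items():
        bits = secret_bits(secret)
        if bits < 0:
            findings.append((name, "HIGH", "secret is not valid base64"))
        elif bits < 128:
            findings.append((name, "MEDIUM", "secret is only %d bits" % bits))
        if alg == "hmac-md5":
            findings.append((name, "LOW", "hmac-md5 is the weakest TSIG algorithm; use hmac-sha256 "
                             "where the BIND version supports it"))
    for addr, names in servers.items():
        for k in names:
            if k not in keys:
                findings.append(("server " + addr, "HIGH", "references undefined key " + k))
    return findings


if __name__ == "__main__":
    for subject, level, msg in audit(SAMPLE_NAMED_CONF):
        print("%-7s %-28s %s" % (level, subject, msg))
```

Run against a real file with audit(open("/etc/named.conf").read()). The parser only understands top-level statements and simple clauses, which is enough for files of the shape used in this article; include directives are not followed, so audit each included file separately.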
Pick a second host for the slave. Set its hostname to ns2.magedu.com in /etc/sysconfig/network and apply it with hostname ns2.magedu.com. Check the address with ifconfig and set it with setup:

    setup -> Network configuration -> Edit Devices -> eth0 (eth0) - Advanced -> IP: 172.16.100.2, NETMASK: 255.255.0.0, GATEWAY IP: 172.16.0.1 -> <New Device> -> Edit DNS configuration -> Primary DNS: 127.0.0.1 -> save and exit

Run service network restart, install bind97 as in Part 1, and write /etc/named.conf:

    options {
        directory "/var/named";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-transfer { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
        allow-transfer { none; };
    };
    zone "magedu.com" IN {
        type slave;
        file "slaves/magedu.com.zone";
        masters { 172.16.100.1; };
        allow-transfer { none; };
    };
    zone "100.16.172.in-addr.arpa" IN {
        type slave;
        file "slaves/172.16.100.zone";
        masters { 172.16.100.1; };
        allow-transfer { none; };
    };

On the slave only localhost.zone and 127.0.0.zone are written by hand, exactly as in Part 1 and with the same ownership and permissions. magedu.com.zone and 172.16.100.zone arrive by transfer and are written by named itself into /var/named/slaves/, which is why that directory is owned and writable by the named user (drwxrwx--- named named in the listing in Part 1).

When the slave is ready, go back to the master and permit both zones to transfer to it (/etc/named.conf on the master):

    options {
        directory "/var/named";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-transfer { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
        allow-transfer { none; };
    };
    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 127.0.0.0/8; 172.16.100.2; };
    };
    zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
        allow-transfer { 127.0.0.0/8; 172.16.100.2; };
    };

Run rndc reconfig on the master, then on the slave run dig -t AXFR magedu.com @127.0.0.1 to confirm the zone has arrived. That is a basic master/slave pair.

TSIG

dnssec-keygen generates the shared key:

    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns-ns2.magedu.com.

    -a algorithm   Defaults to RSASHA1 if omitted. DNSSEC zone keys use RSA-based algorithms such as RSASHA1; for TSIG, HMAC-MD5 is the algorithm every implementation must support (RFC 2845), and newer BIND releases also accept hmac-sha1 and hmac-sha256, which are preferable where available.
    -b keysize     The supported lengths depend on the algorithm: RSA 512-2048, DH 128-4096, HMAC 1-512.
    -n nametype    The owner of the key, i.e. its usage level: ZONE (DNSSEC zone key, KEY/DNSKEY), HOST or ENTITY (a host, KEY), USER (a user, KEY) or OTHER (DNSKEY). The default is ZONE.
    name           Given on the command line. For DNSSEC it must be the name of the zone the key serves; for TSIG it is conventionally built from the names of the two parties.

Procedure: on the slave, cd /etc/named and run

    dnssec-keygen -a HMAC-MD5 -b 128 -n HOST ns-ns2.magedu.com.

This writes two files into the current directory, Kns-ns2.magedu.com.+157+<id>.key and the matching .private (157 is the HMAC-MD5 algorithm number). Copy them to the master with scp -p, e.g. scp -p K*.key K*.private 172.16.100.1:/etc/named/ (only the secret string is actually needed on the other side, not the files). cat the .private file and copy the base64 string after "Key:".

On the master, add after the options block in /etc/named.conf:

    key "ns-ns2.magedu.com." {
        algorithm hmac-md5;
        secret "<base64 string from the Key: line>";
    };
    server 172.16.100.2 {
        keys { "ns-ns2.magedu.com."; };
    };

On the slave, add the same key block (identical name and secret) and a server statement that points at the master instead:

    key "ns-ns2.magedu.com." {
        algorithm hmac-md5;
        secret "<the same base64 string>";
    };
    server 172.16.100.1 {
        keys { "ns-ns2.magedu.com."; };
    };

The server statement makes named sign every request it sends to that peer with the named key (the keyword is keys, plural). The secret is the whole security of the scheme, so keep the file that holds it at mode 640 root:named as in Part 1; the key may also be placed in a separate file pulled in with include.

Then on the master change the two zones so that transfers are accepted only from holders of the key (loopback stays for local checks):

    zone "magedu.com" IN {
        type master;
        file "magedu.com.zone";
        allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };
    };
    zone "100.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.100.zone";
        allow-transfer { 127.0.0.0/8; key "ns-ns2.magedu.com."; };
    };

To see the key in action, also update 172.16.100.zone on the master, bumping the serial so the slave picks up the change:

    $TTL 86400
    $ORIGIN 100.16.172.in-addr.arpa.
    @   IN SOA  ns.magedu.com. admin.magedu.com. (
                2012101802 1H 5M 7D 1D )
        IN NS   ns.magedu.com.
        IN NS   ns2.magedu.com.
    1   IN PTR  ns.magedu.com.
        IN PTR  .
    2   IN PTR  pop3.magedu.com.
    2   IN PTR  ns2.magedu.com.
    3   IN PTR  pop3.magedu.com.
    6   IN PTR  ldap.magedu.com.

Save, run rndc reload on the master, then on the slave confirm the new record arrived: dig -x 172.16.100.2 @127.0.0.1.

Part 4: Subdomain delegation
magedu.com has two subdomains, tech and fin (tech.magedu.com. and fin.magedu.com.); their name servers are 172.16.101.1 and 172.16.102.1. Delegation lives in the parent's forward zone, so edit magedu.com.zone on the master (serial bumped):

    $TTL 86400
    $ORIGIN magedu.com.
    @       IN SOA  ns.magedu.com. admin.magedu.com. (
                    2012101802 1H 5M 7D 1D )
            IN NS   ns
            IN NS   ns2
            IN MX   10 mail
    ns      IN A    172.16.100.1
    ns2     IN A    172.16.100.2
    www     IN A    172.16.100.1
    ftp     IN CNAME www
    pop3    IN A    172.16.100.2
            IN A    172.16.100.3
    ldap    IN A    172.16.100.6
    tech.magedu.com.       IN NS   dns.tech.magedu.com.
    tech.magedu.com.       IN NS   ns2.tech.magedu.com.
    dns.tech.magedu.com.   IN A    172.16.101.1
    ns2.tech.magedu.com.   IN A    172.16.101.2
    fin.magedu.com.        IN NS   dns.fin.magedu.com.
    dns.fin.magedu.com.    IN A    172.16.102.1

The A records for dns.tech, ns2.tech and dns.fin are glue: the subdomain's name servers live inside the subdomain being delegated, so the parent must hand out their addresses or a resolver could never reach them. Save, load the new serial with rndc reload magedu.com, push it to the slave with rndc notify magedu.com, and confirm on the slave with cat /var/named/slaves/magedu.com.zone.

Now bring up a third virtual machine as the name server for tech.magedu.com. Check its address with ifconfig and set it with setup:

    setup -> Network configuration -> Edit Devices -> eth0 (eth0) - Advanced -> IP: 172.16.101.1, NETMASK: 255.255.0.0, GATEWAY IP: 172.16.0.1 -> <New Device> -> Edit DNS configuration -> Hostname: dns.tech.magedu.com, Primary DNS: 172.16.101.1 -> save and exit

Run service network restart and hostname dns.tech.magedu.com, then install bind97 as in Part 1. Its /etc/named.conf:

    options {
        directory "/var/named";
        forward only;
        forwarders { 172.16.0.1; };
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-transfer { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
        allow-transfer { none; };
    };
    zone "tech.magedu.com" IN {
        type master;
        file "tech.magedu.com.zone";
    };
    zone "101.16.172.in-addr.arpa" IN {
        type master;
        file "172.16.101.zone";
    };
    zone "magedu.com" IN {
        type forward;
        forward only;
        forwarders { 172.16.100.1; 172.16.100.2; };
    };
    zone "100.16.172.in-addr.arpa" IN {
        type forward;
        forward only;
        forwarders { 172.16.100.1; 172.16.100.2; };
    };

Two things to get right here. First, this server's own reverse zone is 101.16.172.in-addr.arpa (its file is 172.16.101.zone); naming it 100.16.172.in-addr.arpa would collide with the forward zone of that name further down and named-checkconf would reject the file. Second, the two forward zones send anything under magedu.com and 100.16.172.in-addr.arpa straight to the parent's servers, while the global forward only sends everything else to 172.16.0.1, so this host never does recursion on its own. The zone files tech.magedu.com.zone and 172.16.101.zone follow the Part 1 layout (SOA, NS dns, and the A record for dns.tech.magedu.com at 172.16.101.1) and must exist before named will start. Check the syntax with named-checkconf.
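The zone files in Part 1 and the delegation above are the places where a missing trailing dot, a dangling MX target or a delegated NS without glue slip in unnoticed until named-checkzone or, worse, a resolver complains. The following is an added example, not code from the original article: a small Python 3 checker for the subset of master-file syntax used here ($TTL, $ORIGIN, owner/blank-owner records, parenthesised SOA). The zone text is constructed from the delegated magedu.com.zone above; the second NS record for fin.magedu.com. (ns2.fin.magedu.com., with no glue) is an assumption added so the checker has a delegation defect to report.

```python
import re
from datetime import datetime

# Constructed zone file for this example: the delegated magedu.com.zone above,
# plus one assumed NS record (ns2.fin.magedu.com.) that has no glue so the
# checker has a delegation defect to report. The dangling MX target "mail" is
# already in the original zone.
SAMPLE_ZONE = """\
$TTL 86400
$ORIGIN magedu.com.
@       IN SOA  ns.magedu.com. admin.magedu.com. (
                2012101802 1H 5M 7D 1D )
        IN NS   ns
        IN NS   ns2
        IN MX   10 mail
ns      IN A    172.16.100.1
ns2     IN A    172.16.100.2
www     IN A    172.16.100.1
ftp     IN CNAME www
pop3    IN A    172.16.100.2
        IN A    172.16.100.3
ldap    IN A    172.16.100.6
tech.magedu.com.      IN NS  dns.tech.magedu.com.
tech.magedu.com.      IN NS  ns2.tech.magedu.com.
dns.tech.magedu.com.  IN A   172.16.101.1
ns2.tech.magedu.com.  IN A   172.16.101.2
fin.magedu.com.       IN NS  dns.fin.magedu.com.
fin.magedu.com.       IN NS  ns2.fin.magedu.com.   ; assumed, no glue below
dns.fin.magedu.com.   IN A   172.16.102.1
"""


def _fqdn(name, origin):
    """Qualify a master-file name as BIND does: '@' is the origin, a trailing
    dot means absolute, anything else is relative to the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." + origin


def _logical_lines(text):
    """Strip ';' comments, drop blank lines and fold '( ... )' continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf = buf + " " + line.strip() if buf else line
        if buf.count("(") > buf.count(")"):
            continue
        out.append(buf.replace("(", " ").replace(")", " "))
        buf = ""
    return out


def parse_zone(text, zone):
    """Return (findings, records); each record is (owner, type, rdata tokens)
    with the owner and any target name fully qualified."""
    origin = zone
    findings, records, last_owner = [], [], zone
    for line in _logical_lines(text):
        toks = line.split()
        if toks[0] == "$TTL":
            continue
        if toks[0] == "$ORIGIN":
            if not toks[1].endswith("."):
                findings.append("$ORIGIN %s has no trailing dot: BIND qualifies it against the "
                                "current origin, giving %s" % (toks[1], _fqdn(toks[1], origin)))
            origin = _fqdn(toks[1], origin)
            continue
        # A line starting with whitespace reuses the previous owner name.
        owner = last_owner if line[0] in " \t" else _fqdn(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() in ("IN", "CH", "HS")):
            toks.pop(0)  # optional TTL and class
        rtype = toks.pop(0).upper()
        if rtype in ("NS", "MX", "CNAME", "PTR"):
            toks[-1] = _fqdn(toks[-1], origin)
        records.append((owner, rtype, toks))
        last_owner = owner
    return findings, records


def _in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def check_zone(text, zone):
    """Findings a practitioner would want before loading the file with named."""
    zone = zone if zone.endswith(".") else zone + "."
    findings, records = parse_zone(text, zone)
    have_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    types_at = {}
    for o, t, _ in records:
        types_at.setdefault(o, set()).add(t)
    soa = [(o, r) for o, t, r in records if t == "SOA"]
    if len(soa) != 1:
        findings.append("expected exactly one SOA record, found %d" % len(soa))
    else:
        owner, rdata = soa[0]
        if owner != zone:
            findings.append("SOA owner %s is not the zone apex %s" % (owner, zone))
        serial = rdata[2]
        try:
            datetime.strptime(serial[:8], "%Y%m%d")
            dated = len(serial) == 10 and serial.isdigit()
        except ValueError:
            dated = False
        if not dated:
            findings.append("serial %s is not in YYYYMMDDnn form" % serial)
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX"):
            target = rdata[-1]
            # An in-zone NS or MX target needs an address record in this very
            # file: glue for a delegation, a plain A record for mail.
            if _in_zone(target, zone) and target not in have_addr:
                need = "glue A record" if rtype == "NS" else "A record"
                findings.append("%s %s %s: target has no %s in this file" % (owner, rtype, target, need))
        if rtype == "CNAME" and types_at[owner] - {"CNAME"}:
            findings.append("%s has a CNAME alongside other records" % owner)
    return findings


if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, "magedu.com"):
        print(finding)
```

Run it as check_zone(open("/var/named/magedu.com.zone").read(), "magedu.com"). Replacing "$ORIGIN magedu.com." with "$ORIGIN magedu.com" in the sample reproduces the trailing-dot mistake: the checker then reports that the SOA owner is magedu.com.magedu.com. rather than the apex, which is the error named-checkzone would raise.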
Restart with service named restart and check:

    dig -t A <name in tech.magedu.com> @127.0.0.1
    dig -t A <name in magedu.com> @127.0.0.1
    dig -x 172.16.100.1 @127.0.0.1

The queries for parent names are answered through the forward zones, which shows that forwarding works.

Part 5: Building BIND from source

Install the build environment with yum:

    yum -y groupinstall "Development Libraries" "Development Tools"

Download bind-9.9.2.tar.gz and remove the packaged BIND with rpm -e bind-libs bind-utils. Unpack with tar xf bind-9.9.2.tar.gz and cd bind-9.9.2. Create the service account:

    groupadd -r named
    useradd -g named -r -s /sbin/nologin named

Configure, build and install:

    ./configure --prefix=/usr/local/named --disable-openssl-version-check --sysconfdir=/etc/named
    make
    make install

cd /usr/local/named and ls to see the layout. Put the new binaries on the PATH: in the profile file that contains the line export PATH USER LOGNAME MAIL HOSTNAME HISTSIZE INPUTRC (on RHEL 5 that is /etc/profile), insert above that line:

    PATH=$PATH:/usr/local/named/sbin:/usr/local/named/bin

Save, then log in again (or source the file) so the new PATH takes effect. Now cd /etc/named and create named.conf (vim named.conf):

    options {
        directory "/var/named";
    };
    zone "." IN {
        type hint;
        file "named.root";
    };

Save. dig -t NS . prints the root server records; create the data directory and save them as the hint file:

    mkdir /var/named
    dig -t NS . > /var/named/named.root

This relies on the resolver in /etc/resolv.conf answering. Check that the saved file contains the root servers' A records (the ADDITIONAL section) and not only the NS names, otherwise the hint is useless; if it does not, query a root server directly (dig @a.root-servers.net . NS) or fetch ftp://ftp.internic.net/domain/named.root.

Fix ownership and permissions, then check the syntax:

    chown :named /etc/named/named.conf /var/named/named.root
    chmod 640 /etc/named/named.conf /var/named/named.root
    named-checkconf

Generate the rndc key:

    rndc-confgen > rndc.key
    chmod 640 rndc.key

cat rndc.key: its last 11 lines are the key and controls statements meant for named.conf. They are printed commented out, so paste them at the end of named.conf (vim named.conf) and remove the leading # from each. rndc status should then answer.

Finally write an init script, vim /etc/rc.d/init.d/named, with the following content (the Red Hat named script with the paths changed to /usr/local/named):

    #!/bin/bash
    #
    # named           This shell script takes care of starting and stopping
    #                 named (BIND DNS server).
    #
    # chkconfig: - 66 34
    # description: named (BIND) is a Domain Name Server (DNS) \
    # that is used to resolve host names to IP addresses.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    [ -r /etc/sysconfig/network ] && . /etc/sysconfig/network

    # Don't kill named during clean-up
    NAMED_SHUTDOWN_TIMEOUT=${NAMED_SHUTDOWN_TIMEOUT:-100}

    RETVAL=0
    named='named'
    prog=$named
    named_conf='/etc/named/named.conf';
    # Install prefix of the compiled BIND (not a chroot directory).
    ROOTDIR='/usr/local/named';

    start() {
        [ -x /usr/local/named/sbin/$named ] || exit 5

        # Start daemons.
        echo -n $"Starting $named: "
        if [ -n "`/sbin/pidof -o %PPID $named`" ]; then
            echo -n $"$named: already running"
            failure
            echo
            return 1
        fi

        ckcf_options='-z'; # enable named-checkzone for each zone (9.3.1+) !
        conf_ok=0;
        if [ -x /usr/local/named/sbin/named-checkconf ] && [ -x /usr/local/named/sbin/named-checkzone ] && /usr/local/named/sbin/named-checkconf $ckcf_options ${named_conf} >/dev/null 2>&1; then
            conf_ok=1;
        else
            RETVAL=$?;
        fi
        if [ $conf_ok -eq 1 ]; then
            daemon /usr/local/named/sbin/$named -u named
            RETVAL=$?;
            if [ $RETVAL -eq 0 ]; then
                rm -f /var/run/named.pid 2> /dev/null
                ln -s $ROOTDIR/var/run/named/named.pid /var/run/named.pid;
            fi;
            if [ -n "`/sbin/pidof -o %PPID $named`" ]; then
                # Verify that named actually started
                if [ ! -e $ROOTDIR/var/run/named/named.pid ]; then
                    # If there is not a file containing the PID of the now running named daemon then create it (JM 2006-10-04)
                    echo `/sbin/pidof -o %PPID $named` > $ROOTDIR/var/run/named/named.pid;
                fi;
            fi;
        else
            named_err="`/usr/local/named/sbin/named-checkconf $ckcf_options $named_conf 2>&1`";
            echo
            echo $"Error in named configuration"':';
            echo "$named_err";
            failure
            echo
            if [ -x /usr/bin/logger ]; then
                echo "$named_err" | /usr/bin/logger -pdaemon.error -tnamed
            fi;
            return 7;
        fi;
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        echo
        return $RETVAL
    }

    stop() {
        # Stop daemons.
        echo -n $"Stopping $named: "
        /usr/local/named/sbin/rndc stop >/dev/null 2>&1
        RETVAL=$?
        [ "$RETVAL" -eq 0 ] || killproc "$named" -TERM >/dev/null 2>&1
        timeout=0
        while /sbin/pidof -o %PPID "$named" >/dev/null; do
            if [ $timeout -ge $NAMED_SHUTDOWN_TIMEOUT ]; then
                RETVAL=1
                break
            else
                sleep 2 && echo -n "."
                timeout=$((timeout+2))
            fi;
        done
        if [ $RETVAL -eq 0 ]; then
            rm -f /var/lock/subsys/named
            rm -f /var/run/named.pid
        fi;
        # if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
        #     if egrep -q '^/proc[[:space:]]+'${ROOTDIR}'/proc' /proc/mounts; then
        #         umount ${ROOTDIR}/proc >/dev/null 2>&1
        #     fi
        # fi;
        if [ $RETVAL -eq 0 ]; then
            success
        else
            failure
        fi;
        echo
        return $RETVAL
    }

    rhstatus() {
        /usr/local/named/sbin/rndc status
        status /usr/local/named/sbin/$named
        return $?
    }

    restart() {
        stop
        # wait a couple of seconds for the named to finish closing down
        sleep 2
        start
    }

    reload() {
        echo -n $"Reloading $named: "
        p=`/sbin/pidof -o %PPID $named`
        RETVAL=$?
        if [ "$RETVAL" -eq 0 ]; then
            /usr/local/named/sbin/rndc reload >/dev/null 2>&1 || /bin/kill -HUP $p;
            RETVAL=$?
        fi
        [ "$RETVAL" -eq 0 ] && success $"$named reload" || failure $"$named reload"
        echo
        return $RETVAL
    }

    probe() {
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/named/sbin/rndc reload >/dev/null 2>&1 || echo start
        return $?
    }

    checkconfig() {
        ckcf_options='-z'; # enable named-checkzone for each zone (9.3.1+) !
        # ROOTDIR is the install prefix here, not a chroot, so do not pass
        # it to named-checkconf with -t (that would look for the config
        # under /usr/local/named/etc/named/ and always fail).
        if [ -x /usr/local/named/sbin/named-checkconf ] && [ -x /usr/local/named/sbin/named-checkzone ] && /usr/local/named/sbin/named-checkconf $ckcf_options ${named_conf} | cat ; then
            return 0;
        else
            return 1;
        fi
    }

    # See how we were called.
    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        status)
            rhstatus
            ;;
        restart)
            restart
            ;;
        condrestart)
            [ -e /var/lock/subsys/named ] && restart;
            ;;
        reload)
            reload
            ;;
        probe)
            probe
            ;;
        checkconfig|configtest|check|test)
            checkconfig
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|configtest|probe}"
            exit 2
    esac

    exit $?
Save and quit, then make it executable, syntax-check it and register it:

    chmod +x /etc/rc.d/init.d/named
    bash -n /etc/rc.d/init.d/named
    chkconfig --add named
    chkconfig --list named
    chkconfig named on

Test it with service named start and service named restart.

Part 6: Logging

Task: define a channel that logs to a file, keeps 10 rotated versions of at most 10M each, uses severity dynamic and records the extra information (category, severity and time); then define a category that sends query logging to that channel. On the master, add a logging block after options in /etc/named.conf:

    logging {
        channel query_log {
            file "/var/log/bind.queries.log" versions 10 size 10M;
            severity dynamic;
            print-category yes;
            print-severity yes;
            print-time yes;
        };
        category queries { query_log; };
    };

severity dynamic means the channel follows named's current debug level. Check the syntax with named-checkconf, then create the file so that named, which runs as the named user, can write to it:

    cd /var/log
    touch bind.queries.log
    chown named:named bind.queries.log
    chmod 640 bind.queries.log

service named restart, then send a query and watch the file: dig -t A <name> @127.0.0.1. Assigning the queries category to a channel is what switches query logging on; it can also be toggled at runtime with rndc querylog.
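A query log is only useful if something reads it. The following is an added example, not part of the original article: a Python 3 script that parses lines of the form this channel writes (with print-time, print-category and print-severity on, in the client ... query: name class type flags (server) layout BIND 9.7 uses, which is an assumption to verify against your own log) and flags three things a DNS operator wants to know about: zone-transfer requests from anyone other than the known slaves, repeated ANY queries, and per-client bursts. The log lines are constructed; 172.16.100.2 is the legitimate slave from Part 3, and 172.16.100.99 and 10.0.0.7 are assumed unknown clients.

```python
import re
from collections import Counter

# Constructed log lines in the format the channel above writes (print-time,
# print-category and print-severity on, BIND 9.7 query syntax). 172.16.100.2
# is the legitimate slave; 172.16.100.99 and 10.0.0.7 are assumed unknown
# clients. The last line is a deliberately malformed entry that must be skipped.
SAMPLE_LOG = """\
18-Oct-2012 17:04:01.101 queries: info: client 172.16.100.5#53012: query: www.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:04:01.140 queries: info: client 172.16.100.5#53013: query: pop3.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:04:02.007 queries: info: client 172.16.100.2#41230: query: magedu.com IN AXFR +T (172.16.100.1)
18-Oct-2012 17:04:05.553 queries: info: client 172.16.100.99#60001: query: magedu.com IN AXFR +T (172.16.100.1)
18-Oct-2012 17:04:05.602 queries: info: client 172.16.100.99#60002: query: 100.16.172.in-addr.arpa IN AXFR +T (172.16.100.1)
18-Oct-2012 17:04:06.010 queries: info: client 172.16.100.99#60003: query: magedu.com IN ANY +E (172.16.100.1)
18-Oct-2012 17:04:06.020 queries: info: client 172.16.100.99#60004: query: magedu.com IN ANY +E (172.16.100.1)
18-Oct-2012 17:04:06.031 queries: info: client 172.16.100.99#60005: query: magedu.com IN ANY +E (172.16.100.1)
18-Oct-2012 17:04:06.044 queries: info: client 172.16.100.99#60006: query: ldap.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:05:10.000 queries: info: client 172.16.100.5#53020: query: ftp.magedu.com IN A + (172.16.100.1)
18-Oct-2012 17:05:11.000 queries: info: client 10.0.0.7#1024: query: www.magedu.com IN ANY + (172.16.100.1)
18-Oct-2012 17:05:12.000 queries: info: client 10.0.0.7#1025: query: (truncated)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"queries: (?P<severity>\w+): client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"query: (?P<name>\S+) (?P<class>\S+) (?P<type>\S+) (?P<flags>\S+)(?: \((?P<server>[^)]+)\))?$"
)


def parse_query_log(text):
    """Parse query-category lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def zone_transfer_requests(entries, allowed_clients):
    """AXFR/IXFR requests from anyone other than the known slaves. With the
    TSIG ACL from Part 3 these are refused, but the attempt itself is worth
    alerting on: someone is trying to enumerate the zone."""
    return sorted({(e["client"], e["name"]) for e in entries
                   if e["type"] in ("AXFR", "IXFR") and e["client"] not in allowed_clients})


def any_query_clients(entries, min_count=3):
    """Clients sending repeated ANY queries, the classic amplification probe."""
    counts = Counter(e["client"] for e in entries if e["type"] == "ANY")
    return {c: n for c, n in counts.items() if n >= min_count}


def bursty_clients(entries, per_minute=5):
    """(client, minute) buckets whose query count reaches the threshold.
    ts[:17] is 'DD-Mon-YYYY HH:MM', i.e. the minute bucket."""
    counts = Counter((e["client"], e["ts"][:17]) for e in entries)
    return {k: n for k, n in counts.items() if n >= per_minute}


if __name__ == "__main__":
    entries = parse_query_log(SAMPLE_LOG)
    print("parsed", len(entries), "queries")
    print("transfer requests from unknown clients:", zone_transfer_requests(entries, {"172.16.100.2"}))
    print("ANY probers:", any_query_clients(entries))
    print("bursts:", bursty_clients(entries))
```

Against a live server, feed it open("/var/log/bind.queries.log").read() and pass the real slave addresses to zone_transfer_requests. Because the log only records requests, a refused AXFR looks exactly like a successful one here; correlate with the transfer-related messages in the default log to tell them apart.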
Part 7: queryperf and dnstop

dnstop - displays various tables of DNS traffic on your network

1. Description: dnstop collects and displays statistics about the DNS traffic seen on a local interface. It must be run as root.
2. Install path: /usr/local/bin/dnstop
3. Syntax: dnstop [-aps] [-b expression] [-i address] [device] [savefile]
4. Options:

    -a              anonymize addresses
    -b expression   BPF filter expression
    -i address      ignore the given address
    -p              do not put the interface into promiscuous mode
    -s              collect second-level domain statistics
    savefile        a packet capture file, e.g. one written by tcpdump
    device          network interface name (e.g. ed0 or fxp0)

   While dnstop is running, these keys are available:

    s      show the query source address table
    d      show the query destination address table
    t      show the query type table
    1      show the TLD table (last label of each name)
    2      show the SLD table (last two labels; requires starting dnstop with -s)
    ^R     reset the counters
    ^X     quit

queryperf is a load-testing tool.

1. It lives in bind-9.9.2/contrib/queryperf in the source tree unpacked in Part 5.
2. Build it in that directory with ./configure followed by make; the binary is then ready to use.
3. Run it as queryperf -d test -s DNS, where -d names the query file prepared beforehand (test: one query per line, a name followed by a record type, e.g. www.magedu.com A) and -s names the server under test.