
2009-06-14 17:32:55

linux下DNS配置详解之(二)
实验环境 VMware 6.5.2 + RedHat enterprise 5
实验目的 从安全的角度配置dns (增加chroot rpm包)以及用同一个ip解析两个不同的域名
clip_image002
首先禁掉防火墙(这只是为了排除实验干扰;正式环境下应保留防火墙,只放行 DNS 使用的 53 端口)
clip_image004
clip_image006
配 ip
clip_image008
[root@localhost ~]# vi /etc/resolv.conf
; generated by /sbin/dhclient-script
search router
nameserver 192.168.0.5
修改一下DNS
下一步: 安装所需的 DNS 软件包。今天我们装个稍微复杂点的。下面 rpm 输出中的 “Header V3 DSA signature: NOKEY” 警告表示系统尚未导入 Red Hat 的签名公钥,软件包签名因此没有真正得到校验;该公钥就是光盘根目录下的 RPM-GPG-KEY-redhat-release 文件,安装前可先用 rpm --import 导入。
[root@localhost ~]# cd /mnt
[root@localhost mnt]# ls
cdrom hgfs
[root@localhost mnt]# cd
[root@localhost ~]# mount /dev/cdrom /mnt/cdrom
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@localhost ~]# cd /mnt/cdrom
[root@localhost cdrom]# ls
Cluster README-te.html RELEASE-NOTES-U1-en
ClusterStorage README-zh_CN.html RELEASE-NOTES-U1-en.html
EULA README-zh_TW.html RELEASE-NOTES-U1-es.html
eula.en_US RELEASE-NOTES-as.html RELEASE-NOTES-U1-fr.html
GPL RELEASE-NOTES-bn.html RELEASE-NOTES-U1-gu.html
images RELEASE-NOTES-de.html RELEASE-NOTES-U1-hi.html
isolinux RELEASE-NOTES-en RELEASE-NOTES-U1-it.html
README-as.html RELEASE-NOTES-en.html RELEASE-NOTES-U1-ja.html
README-bn.html RELEASE-NOTES-es.html RELEASE-NOTES-U1-kn.html
README-de.html RELEASE-NOTES-fr.html RELEASE-NOTES-U1-ko.html
README-en RELEASE-NOTES-gu.html RELEASE-NOTES-U1-ml.html
README-en.html RELEASE-NOTES-hi.html RELEASE-NOTES-U1-mr.html
README-es.html RELEASE-NOTES-it.html RELEASE-NOTES-U1-or.html
README-fr.html RELEASE-NOTES-ja.html RELEASE-NOTES-U1-pa.html
README-gu.html RELEASE-NOTES-kn.html RELEASE-NOTES-U1-pt_BR.html
README-hi.html RELEASE-NOTES-ko.html RELEASE-NOTES-U1-ru.html
README-it.html RELEASE-NOTES-ml.html RELEASE-NOTES-U1-si.html
README-ja.html RELEASE-NOTES-mr.html RELEASE-NOTES-U1-ta.html
README-kn.html RELEASE-NOTES-or.html RELEASE-NOTES-U1-te.html
README-ko.html RELEASE-NOTES-pa.html RELEASE-NOTES-U1-zh_CN.html
README-ml.html RELEASE-NOTES-pt_BR.html RELEASE-NOTES-U1-zh_TW.html
README-mr.html RELEASE-NOTES-ru.html RELEASE-NOTES-zh_CN.html
README-or.html RELEASE-NOTES-si.html RELEASE-NOTES-zh_TW.html
README-pa.html RELEASE-NOTES-ta.html RPM-GPG-KEY-redhat-beta
README-pt_BR.html RELEASE-NOTES-te.html RPM-GPG-KEY-redhat-release
README-ru.html RELEASE-NOTES-U1-as.html Server
README-si.html RELEASE-NOTES-U1-bn.html TRANS.TBL
README-ta.html RELEASE-NOTES-U1-de.html VT
[root@localhost cdrom]# cd Server
[root@localhost Server]# rpm -ivh bind-
bind-9.3.3-10.el5.i386.rpm
bind-chroot-9.3.3-10.el5.i386.rpm
bind-devel-9.3.3-10.el5.i386.rpm
bind-libbind-devel-9.3.3-10.el5.i386.rpm
bind-libs-9.3.3-10.el5.i386.rpm
bind-sdb-9.3.3-10.el5.i386.rpm
bind-utils-9.3.3-10.el5.i386.rpm
[root@localhost Server]# rpm -ivh bind-9.3.3-10.el5.i386.rpm
warning: bind-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:bind ########################################### [100%]
[root@localhost Server]# rpm -ivh util-linux-2.13-0.45.el5.i386.rpm
warning: util-linux-2.13-0.45.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
package util-linux-2.13-0.45.el5 is already installed
[root@localhost Server]# rpm -ivh cach
cachefilesd-0.8-2.el5.i386.rpm
caching-nameserver-9.3.3-10.el5.i386.rpm
[root@localhost Server]# rpm -ivh cach
cachefilesd-0.8-2.el5.i386.rpm
caching-nameserver-9.3.3-10.el5.i386.rpm
[root@localhost Server]# rpm -ivh caching-nameserver-9.3.3-10.el5.i386.rpm
warning: caching-nameserver-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:caching-nameserver ########################################### [100%]
[root@localhost Server]# rpm -ivh bind-chroot-9.3.3-10.el5.i386.rpm
warning: bind-chroot-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:bind-chroot ########################################### [100%]
[root@localhost Server]#
解释一下,这里装了四个包,而上次只装了三个包。多出的 bind-chroot-9.3.3-10.el5.i386.rpm 这个包的作用就是增加安全性:named 被限制在 /var/named/chroot 这个目录树内运行。这也是2.6内核的新功能。当然你说不装它可不可以,当然可以。装完以后有什么区别呢?
以前我们的配置文件的保存位置是下面的几个地方
/etc/named.conf
/var/named/named.ca 这是根域文件
/var/named/localhost.zone 正向区域文件
/var/named/named.local 反向区域文件
而装完这个包之后,我们的配置文件的存放位置发生了变化
变成更深一级的目录
/var/named/chroot/etc/named.conf
依次类推其他文件的存放位置
~
[root@localhost Server]# cd /var/named/chroot/etc
[root@localhost etc]# ls
localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key
[root@localhost etc]# vi named.conf
修改如下
// generated by named-bootconf.pl
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "sina.com" IN {
type master;
file "sina.zone";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "sina.local";
allow-update { none; };
};
include "/etc/rndc.key";
保存退出
修改正向区域文件
[root@localhost etc]# cd /var/named/chroot/var/named
[root@localhost named]# ls
data localhost.zone named.ca named.local slaves
localdomain.zone named.broadcast named.ip6.local named.zero
[root@localhost named]# cp named.local sina.local
[root@localhost named]# cp named.local sina.zone
[root@localhost named]# vi sina.zone
修改后如下
$TTL 86400
@ IN SOA sina.com. root.sina.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS sina.com.
www IN A 192.168.0.5
~
保存退出 修改反向区域文件
[root@localhost named]# vi sina.local
修改如下
$TTL 86400
@ IN SOA sina.com. root.sina.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS sina.com.
5 IN PTR
保存退出
修改属组
[root@localhost named]# ll
总计 88
drwxrwx--- 2 named named 4096 2004-08-25 data
-rw-r----- 1 root named 198 2007-07-19 localdomain.zone
-rw-r----- 1 root named 195 2007-07-19 localhost.zone
-rw-r----- 1 root named 427 2007-07-19 named.broadcast
-rw-r----- 1 root named 2518 2007-07-19 named.ca
-rw-r----- 1 root named 424 2007-07-19 named.ip6.local
-rw-r----- 1 root named 426 2007-07-19 named.local
-rw-r----- 1 root named 427 2007-07-19 named.zero
-rw-r----- 1 root root 415 04-25 19:48 sina.local
-rw-r----- 1 root root 413 04-25 19:43 sina.zone
drwxrwx--- 2 named named 4096 2004-07-27 slaves
[root@localhost named]# chgrp named sina.local
[root@localhost named]# chgrp named sina.zone
[root@localhost named]#
重启服务
[root@localhost named]# service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@localhost named]# service named restart
Stopping named: [FAILED]
Starting named: [ OK ]
[root@localhost named]#
测试网络
[root@localhost named]# nslookup
Server: 127.0.0.1
Address: 127.0.0.1#53
Name:
Address: 192.168.0.5
正向成功
[root@localhost named]# nslookup 192.168.0.5
Server: 127.0.0.1
Address: 127.0.0.1#53
5.0.168.192.in-addr.arpa name =
[root@localhost named]#
反向成功ok
设想一下,怎样用同一个 ip 解析 sina 和 sohu 呢?(千万别把 windows 中的别名 CNAME 记录用到这里)
[root@localhost named]# vi /var/named/chroot/etc/named.conf
修改此文件,关键部分显示结果如下
zone "sina.com" IN {
type master;
file "sina.zone";
allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "sina.local";
allow-update { none; };
};
zone "sohu.com" IN {
type master;
file "sohu.zone";
allow-update { none; };
};
include "/etc/rndc.key";
保存退出
[root@localhost named]# cd /var/named/chroot/var/named
[root@localhost named]# ls
data named.broadcast named.local sina.zone
localdomain.zone named.ca named.zero slaves
localhost.zone named.ip6.local sina.local
[root@localhost named]# cp sina.zone sohu.zone
[root@localhost named]# vi sohu.zone
修改sohu的正向区域文件如下
$TTL 86400
@ IN SOA sohu.com. root.sohu.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS sohu.com.
www IN A 192.168.0.5
保存退出
[root@localhost named]# vi sina.local
修改 sina 的反向区域文件如下
~ $TTL 86400
@ IN SOA sina.com. root.sina.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS sina.com.
5 IN PTR
5 IN PTR
~
保存退出
[root@localhost named]# ll
总计 96
drwxrwx--- 2 named named 4096 2004-08-25 data
-rw-r----- 1 root named 198 2007-07-19 localdomain.zone
-rw-r----- 1 root named 195 2007-07-19 localhost.zone
-rw-r----- 1 root named 427 2007-07-19 named.broadcast
-rw-r----- 1 root named 2518 2007-07-19 named.ca
-rw-r----- 1 root named 424 2007-07-19 named.ip6.local
-rw-r----- 1 root named 426 2007-07-19 named.local
-rw-r----- 1 root named 427 2007-07-19 named.zero
-rw-r----- 1 root named 438 04-25 20:22 sina.local
-rw-r----- 1 root named 413 04-25 19:43 sina.zone
drwxrwx--- 2 named named 4096 2004-07-27 slaves
-rw-r----- 1 root root 413 04-25 20:20 sohu.zone
[root@localhost named]# chgrp named sohu.zone
[root@localhost named]#
修改sohu的属组
重启服务
[root@localhost named]# service named restart
Stopping named: [ OK ]
Starting named: [ OK ]
[root@localhost named]# nslookup
Server: 127.0.0.1
Address: 127.0.0.1#53
Name:
Address: 192.168.0.5
[root@localhost named]# nslookup 192.168.0.5
Server: 127.0.0.1
Address: 127.0.0.1#53
5.0.168.192.in-addr.arpa name =
5.0.168.192.in-addr.arpa name =
[root@localhost named]#
ok,看来实验很成功。
由于之前的一篇我觉得讲得比较细致了,所以这一篇就是泛泛地过了一遍,增加了点难度。

http://yuzeying.blog.51cto.com/644976/153342
