爱咋咋地
本节中将介绍一下如何构建一个本地的服务器,可以用来解析公网域名以及基本的正,反向区域的基本配置,这个之前也整理过,但总觉得好多地方都不够完善,毕竟这是最基础的网络服务,希望能在此有所补漏拾遗吧…
一:安装DNS服务器,实现基本的公网解析
[root@server1 ~]# yum grouplist |grep 'DNS' //使用包组方式安装DNS软件包
This system is not registered with RHN.
RHN support will be disabled.
DNS Name server
[root@server1 ~]# yum -y groupinstall "DNS Name server"
Running Transaction
Installing : bind
//DNS主程序软件包
Installing : bind-chroot
//chroot软件包,安装上该软件包后DNS服务器的工作目录会自动切换为/var/named/chroot
[root@server1 named]# cat /etc/sysconfig/named |grep chroot |grep -v '^#'
ROOTDIR=/var/named/chroot
[root@server1 ~]# yum -y install caching-nameserver
//缓存DNS服务器软件包,主要包含了一些配置文件
[root@server1 ~]# cd /var/named/chroot/etc/
[root@server1 etc]# cp named.caching-nameserver.conf named.conf
//将其复制为named.conf,该文件即为DNS服务器主配置文件
[root@server1 etc]# ln -s /var/named/chroot/etc/named.conf /etc/
//将其软链接到/etc目录下
[root@server1 etc]# grep -v '^//' named.conf |grep -v '//'
//修改配置文件如下
options {
listen-on port 53 { 192.168.100.254; };
//表示DNS服务器只监听在192.168.100.254这个网络接口上
directory "/var/named";
//DNS服务器工作目录,这里可不能写chroot下的目录哦
dump-file "/var/named/data/cache_dump.db";
//以下三行其实不重要,主要是定义一些缓存和静态文件的位置,可删除
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
//允许任何网段的IP进行查询,any是内置的访问对象,也可以指定具体的网段,可参考man。注意:对外可达的服务器若对任何来源同时开放查询和递归,会成为开放解析器而被滥用,生产环境建议将其限制为内网网段(如 192.168.100.0/24),并配合 allow-recursion 做同样的限制
};
include "/etc/named.rfc1912.zones";
//include包含named.rfc1912.zones文件
[root@server1 etc]# head -20 named.rfc1912.zones |grep -v '^//' //该文件主要定义根域,localhost等的信息
zone "." IN {
type hint;
file "named.ca";
};
zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
[root@server1 etc]# chown named.named named.conf //这步比较重要,DNS服务器默认是以named用户来启动的,若权限不对,启动服务将会出错
[root@server1 etc]# ping -c 2 //测试网络连通性
PING (203.208.37.104) 56(84) bytes of data.
64 bytes from bg-in-f104.1e100.net (203.208.37.104): icmp_seq=1 ttl=237
time=99.9 ms
64 bytes from bg-in-f104.1e100.net (203.208.37.104): icmp_seq=2 ttl=237
time=98.6 ms
[root@server1 etc]# service named start //试启动服务
Starting named: [ OK ]
[root@server1 ~]# tail -f /var/log/messages //监控日志
Mar 14 04:35:11 server1 named[8436]: starting BIND
9.3.6-P1-RedHat-9.3.6-4.P1.el5 -u named -t /var/named/chroot
Mar 14 04:35:11 server1 named[8436]: adjusted limit on open files from
1024 to 1048576
Mar 14 04:35:11 server1 named[8436]: found 2 CPUs, using 2 worker
threads
Mar 14 04:35:11 server1 named[8436]: using up to 4096 sockets
Mar 14 04:35:11 server1 named[8436]: loading configuration from
'/etc/named.conf' //载入配置文件
Mar 14 04:35:12 server1 named[8436]: using default UDP/IPv4 port range:
[1024, 65535]
Mar 14 04:35:12 server1 named[8436]: using default UDP/IPv6 port range:
[1024, 65535]
Mar 14 04:35:12 server1 named[8436]: listening on IPv4 interface eth1,
192.168.100.254#53 //监听IPV4,eth1上的53端口
Mar 14 04:35:12 server1 named[8436]: command channel listening on
127.0.0.1#953 //IPV4的本地回环接口的953端口,953主要用于rndc
Mar 14 04:35:12 server1 named[8436]: command channel listening on
::1#953 //同上,IPV6
Mar 14 04:35:12 server1 named[8436]: zone 0.in-addr.arpa/IN: loaded
serial 42
Mar 14 04:35:12 server1 named[8436]: zone 0.0.127.in-addr.arpa/IN:
loaded serial 1997022700
Mar 14 04:35:12 server1 named[8436]: zone 255.in-addr.arpa/IN: loaded
serial 42
Mar 14 04:35:12 server1 named[8436]: zone
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 1997022700
Mar 14 04:35:12 server1 named[8436]: zone localdomain/IN: loaded serial
42
Mar 14 04:35:12 server1 named[8436]: zone localhost/IN: loaded serial 42
Mar 14 04:35:12 server1 named[8436]:
running //正常运行
[root@server1 etc]# dig @192.168.100.254
//测试,后面的@192.168.100.254表示将DNS查询交给192.168.100.254
; <<>> DiG
9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45157
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
; IN A
;; ANSWER SECTION:
. 300 IN A
203.208.37.99
. 300 IN A
203.208.37.104
;; AUTHORITY SECTION:
g.cn. 21600 IN NS ns4.google.com.
g.cn. 21600 IN NS ns1.google.cn.
g.cn. 21600 IN NS ns1.google.com.
g.cn. 21600 IN NS ns2.google.com.
g.cn. 21600 IN NS ns3.google.com.
;; Query time: 966 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 04:36:20 2010
;; MSG SIZE rcvd: 165
二:配置自己的正向和反向区域
[root@server1 etc]# tail -13 named.conf //在主配置文件中添加正,反向区域
include "/etc/named.rfc1912.zones";
zone "666.com" IN {
type master;
file "666.zone";
allow-update {none;};
};
zone "100.168.192.in-addr.arpa" IN {
type master;
file "192.168.100.zone";
allow-update {none;};
};
[root@server1 etc]# cd ../var/named/
//编辑正,反向区域的区域文件
[root@server1 named]# pwd
/var/named/chroot/var/named
[root@server1 named]# cp localhost.zone 666.zone
[root@server1 named]# cp named.local 192.168.100.zone
[root@server1 named]# chown named.named 666.zone 192.168.100.zone
//权限同样需要改
[root@server1 named]# cat 666.zone
//正向区域配置
$TTL 86400 //DNS查询过期时间(注意:此处的//仅为讲解说明,真正写入区域文件时注释必须以分号;开头)
@ IN SOA 666.com. root.666.com. ( //依次为服务器名、管理员邮件地址
42 ; serial (d. adams) //更新序列号,主要用于主从同步
3H ; refresh
//主从同步刷新时间
15M ; retry
//主从同步失败后的重试时间
1W ; expiry
//从服务器记录过期时间
1D ) ; minimum
//最小TTL值
@ IN NS 666.com. //ns记录
@ IN MX 10 666.com. //mx记录
www IN A 192.168.100.254 //A记录
ftp IN CNAME www //别名记录
[root@server1 named]# cat 192.168.100.zone //反向区域配置
$TTL 86400
@ IN SOA 666.com. root.666.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
@ IN NS 666.com.
254 IN PTR 666.com.
200 IN PTR .
[root@server1 named]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@server1 named]# dig @192.168.100.254 //测试A记录
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61297
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
; IN A
;; ANSWER SECTION:
. 86400 IN A
192.168.100.254
;; AUTHORITY SECTION:
666.com. 86400 IN NS 666.com.
;; Query time: 6 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 04:58:42 2010
[root@server1 named]# dig ftp.666.com @192.168.100.254 //测试别名记录
; <<>> DiG
9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> @192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4178
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ftp.666.com. IN A
;; ANSWER SECTION:
. 86400 IN CNAME .
. 86400 IN A
192.168.100.254
;; AUTHORITY SECTION:
666.com. 86400 IN NS 666.com.
;; Query time: 4 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 04:59:30 2010
;; MSG SIZE rcvd: 77
[root@server1 named]# dig -x 192.168.100.254 @192.168.100.254 //测试反向域
; <<>> DiG
9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -x 192.168.100.254
@192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53186
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;254.100.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
254.100.168.192.in-addr.arpa. 86400 IN PTR 666.com.
;; AUTHORITY SECTION:
100.168.192.in-addr.arpa. 86400 IN NS 666.com.
;; Query time: 2 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 04:57:04 2010
;; MSG SIZE rcvd: 81
[root@server1 named]# dig -t mx 666.com @192.168.100.254 //测试邮件交换记录
; <<>> DiG
9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t mx 666.com
@192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41222
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;666.com. IN MX
;; ANSWER SECTION:
666.com. 86400 IN MX 10 666.com.
;; AUTHORITY SECTION:
666.com. 86400 IN NS 666.com.
;; Query time: 2 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 04:57:51 2010
;; MSG SIZE rcvd: 55
[root@server1 named]# dig -t ns 666.com. @192.168.100.254 //测试NS记录
; <<>> DiG
9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>> -t ns 666.com.
@192.168.100.254
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20572
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;666.com. IN NS
;; ANSWER SECTION:
666.com. 86400 IN NS 666.com.
;; Query time: 2 msec
;; SERVER: 192.168.100.254#53(192.168.100.254)
;; WHEN: Sun Mar 14 05:31:58 2010
;; MSG SIZE rcvd: 39
[root@server1 named]# netstat -ntpl |grep 53
tcp 0 0 192.168.100.254:53
0.0.0.0:* LISTEN 8887/named
tcp 0 0 127.0.0.1:953
0.0.0.0:* LISTEN 8887/named
tcp 0 0 ::1:953
:::* LISTEN 8887/named
[root@server1 named]# iptables -A INPUT -p tcp --dport 53 -j ACCEPT //若服务器部署了防火墙,则需要允许tcp,udp的53端口
[root@server1 named]# iptables -A INPUT -p udp --dport 53 -j ACCEPT
[root@server1 ~]# chkconfig named on