本节将详细介绍DNS服务器的rndc配置,实现使用rndc开启DNS的解析日志和刷
新缓存,重载配置文件和关闭DNS服务器,一旦配置好了rndc,这些操作都可以在本地和远程服务器上进行。DNS服务目前算是比较安全的服务,不但进程
的属主改成named用户,而且还运行在一个chroot环境中,将来关闭DNS服务还可能需要使用rndc来控制,这也可能是将来的服务器设计潮流。
rndc是远程DNS服务器进程控制的英文简写,rndc的工作机制使用了/etc/rndc.key和/etc/rndc.conf两个配置文
件,rndc.key文件为锁头,尽管它的名字为key;
rndc.conf则是打开rndc.key锁头的对应钥匙;这两个文件可以使用rndc-confgen命令来生成,该命令生成的是对称密钥(两个文件中的secret必须一致);下面
来演示下配置,演示中将使用server来控制client端的DNS服务器,rndc的控制端也可以不是dns服务器…
一:配置client端127.0.0.1上的rndc
[root@client ~]# rndc-confgen |grep -v '^#'
//使用rndc-confgen命令生成rndc.key和rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};
options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};
[root@client ~]# rm -rf /etc/rndc.key //删除默认的rndc.key文件
[root@client ~]# cd /var/named/chroot/etc/
[root@client etc]# cat rndc.key
//将前面rndc-confgen命令生成的“key”一节中的内容写到rndc.key文件中
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};
[root@client etc]# chown named.named rndc.key
//修改文件属主和属组为named
[root@client etc]# ln -s /var/named/chroot/etc/rndc.key /etc/
//符号链接至/etc目录下
[root@client etc]# cat /etc/rndc.conf
//将前面rndc-confgen命令生成的全部内容写到/etc/rndc.conf文件中
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};
options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};
[root@client etc]# chown named.named /etc/rndc.conf //修改文件属主和属组为named
[root@client etc]# cat /etc/named.conf
options {
listen-on port 53 { 192.168.100.20; };
directory "/var/named";
allow-query { any; };
allow-transfer {192.168.100.254;};
};
};
include "/etc/named.rfc1912.zones";
include "/etc/rndc.key"; //包含前面定义好的锁头文件
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndckey"; };
//允许本机的环回接口使用/etc/rndc.conf文件中rndckey这把钥匙控制953端口
};
…………………………输出省略…………………………
[root@client etc]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client etc]# netstat -ntpl |grep 953
tcp 0 0 127.0.0.1:953
0.0.0.0:* LISTEN 3243/named
[root@client etc]# service named status
number of zones: 8
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
client is up and running
named (pid 3243) is running...
[root@client etc]# rndc stop //测试
[root@client etc]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named dead but subsys locked
二:配置server端使用rndc控制client
[root@client etc]# rndc-confgen |grep -v '^#'
//和前面一样生成新的rndc.key和rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};
options {
default-key "rndckey";
default-client 127.0.0.1;
default-port 953;
};
[root@client etc]# cat /etc/rndc.key
//将新生成的文件的“key”节追加到/etc/rndc.key文件末尾,并将其中的key名称改为rndckey-254
key "rndckey" {
algorithm hmac-md5;
secret "q2yvOY2JiyUU2aV4qahzAw==";
};
key "rndckey-254" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};
[root@client etc]# grep 'rndckey-254' /etc/named.conf //在主配置文件添加下面内容
inet 192.168.100.20 port 953 allow { 192.168.100.254; } keys {
"rndckey-254"; };
//允许192.168.100.254这台服务器通过192.168.100.20这个接口,使用rndckey-254这把钥匙来控制953端口
[root@client etc]# service named restart //重启服务
Stopping named: [ OK ]
Starting named: [ OK ]
[root@client etc]# netstat -ntpl |grep 953
tcp 0 0 192.168.100.20:953
0.0.0.0:* LISTEN 3869/named
tcp 0 0 127.0.0.1:953
0.0.0.0:* LISTEN 3869/named
[root@server ~]# cat /etc/rndc.conf
//将前面生成的文件的全部内容写到server的/etc/rndc.conf文件中,需要修改key的名称和default-server的IP
key "rndckey-254" {
algorithm hmac-md5;
secret "p3DukvXgufSpbZdavZy1YA==";
};
options {
default-key "rndckey-254";
default-server 192.168.100.20;
default-port 953;
};
[root@server ~]# chown named.named /etc/rndc.conf //修改文件属主和属组为named
[root@server ~]# rndc -h //查看rndc命令帮助
rndc: illegal option -- h
Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command
command is one of the following:
reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing
(named.recursing)
*restart Restart the server.
* == not yet implemented
Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5
测试:
[root@server ~]# rndc reload //重载client端DNS配置文件
server reload successful
[root@server ~]# rndc querylog on
//开启解析日志记录功能,开启后默认解析日志保存在client服务器的/var/log/messages文件中,开启此项功能会降低服务器性能
[root@server ~]# dig @192.168.100.20 //测试解析
; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 <<>>
@192.168.100.20
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59157
[root@server ~]# rndc stop //远程关闭client上的DNS服务
[root@client ~]# tail -f /var/log/messages //客户端上查看日志
Mar 23 23:13:45 client named[3792]: loading configuration from
'/etc/named.conf'
Mar 23 23:13:45 client named[3792]: using default UDP/IPv4 port range:
[1024, 65535]
Mar 23 23:13:45 client named[3792]: using default UDP/IPv6 port range:
[1024, 65535]
Mar 23 23:13:45 client named[3792]: the working directory is not
writable
Mar 23 23:14:07 client named[3792]: query logging is now on
//开启解析日志记录功能
Mar 23 23:14:52 client named[3792]: client 192.168.100.254#45815: query:
IN A + //记录的解析日志
Mar 23 23:15:49 client named[3792]: shutting down: flushing changes
Mar 23 23:15:49 client named[3792]: stopping command channel on
127.0.0.1#953
Mar 23 23:15:49 client named[3792]: stopping command channel on
192.168.100.20#953
Mar 23 23:15:49 client named[3792]: no longer listening on
192.168.100.20#53
Mar 23 23:15:50 client named[3792]: exiting //成功关闭DNS服务
提示:配置rndc时需要注意服务器时间问题,如果两台服务器的系统时间存在很大出入,rndc命令必定执行失败