
Category: LINUX

2009-02-26 16:57:28

Title: Fedora 8 and Red Hat Enterprise Linux Bible

Chapter 25: Making Servers Public with DNS

Author: Christopher Negus

Translated and compiled by 任明哲, September 25, 2008

Making Servers Public with DNS


 


Figure 1-1: The sample yourdomain.com DNS server has a combination of public servers and private client computers.

Figure 1-1 above shows the DNS service for the yourdomain.com domain combining servers and clients; it is a small network environment.

The sections that follow describe how to set up a DNS server for the example in Figure 25-1.

Quick-starting a DNS server

The DNS server software that comes with the current Fedora and RHEL versions is Berkeley Internet Name Domain (BIND) version 9. To configure BIND 9, you work with the following components, and should confirm that each of them is set up correctly:

• Configuration file (/var/named/chroot/etc/named.conf): the main DNS server configuration file.
• Zone directory (/var/named/chroot/var/named): the directory containing files that keep information about the Internet root DNS servers (the named.ca file) and information about the zones that you create for your DNS server.
• Daemon process (/usr/sbin/named): the daemon process that listens for DNS requests and responds with the information that the named.conf file presents.
• Debugging tools (named-checkconf and named-checkzone): what you use to determine whether you created your DNS configuration correctly.

NOTE: Fedora and RHEL come with a GUI tool for configuring Bind called system-config-bind.(Type yum install system-config-bind to install it.) If you decide to use that tool, you need to be careful editing the Bind configuration files by hand. It is recommended that if there are changes you want to make to the named.conf file that are not supported by the system-config-bind window, you should put those changes in the /etc/named.custom file instead.

 

BIND 9 also includes tools for creating DNSSEC secured zones. By using these tools, you can create and generate keys to provide authentication and secure address resolution. The example illustrated in these sections doesn’t include DNSSEC configuration.

The basic steps in creating a DNS server for your example are as follows:

• Identifying your DNS servers
• Creating DNS configuration files (the named.conf file and the named directory)
• Starting the named daemon
• Monitoring named activities

In the example configuration, you set up a primary master DNS server and a slave DNS server. The primary server holds the master copy of the authoritative records for the domain. The secondary server is there to share requests for information about the domain, particularly in case the primary goes down. The secondary typically gets its records from the primary server. The secondary is also considered to be authoritative in regards to the DNS records for the domains it controls.

1. Identifying your DNS servers (determine the basic information about your DNS servers)

If you didn't have your DNS servers set up at the time that you purchased your domain name with a registration authority, you might have just "parked" the domain name there until you configured your DNS servers. Whenever you're ready to set up your DNS servers, return to that registration authority and provide the following information about your DNS servers:

• DNS server IP addresses (the static IP addresses of your DNS servers, probably primary and slave). Make sure these addresses are static and permanently assigned to the DNS servers.
• DNS server hostnames (often ns1.yourdomain.com, where you replace yourdomain.com with your domain name for the primary; the slave hostname is ns2.yourdomain.com). Likewise make sure the hostnames are fixed and not easily changed.

You should register both the primary and slave DNS servers. After you update this record, that information typically takes a day or two to propagate throughout the Internet. When your DNS servers are registered, you also need to tell the registration authority to use those DNS servers as the authority for addresses in your domain. The registration authority probably offers an online form you can fill out to identify your DNS servers.

2. Creating DNS configuration files (named.conf and /var/named)

This example suits a small office environment.

Editing named.conf

The edited version of the /var/named/chroot/etc/named.conf file is as follows:

    options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
    };

    acl "mylan" {
        127/8; 10.0.0.0/24;
    };

    controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    view "inside" {
        match-clients { "mylan"; };
        recursion yes;

        zone "." IN {
            type hint;
            file "named.ca";
        };

        zone "0.0.10.in-addr.arpa" IN {
            type master;
            file "yourlan.db";
        };

        zone "yourdomain.com" {
            type master;
            file "db.yourdomain.com.inside";
            allow-transfer { 10.0.0.2; };
        };
    };

    view "outside" {
        match-clients { any; };
        recursion no;

        zone "." IN {
            type hint;
            file "named.ca";
        };

        zone "yourdomain.com" {
            type master;
            file "db.yourdomain.com.outside";
            allow-transfer { 123.45.67.2; };
        };
    };

    include "/etc/rndc.key";

Notes on views (DNS views):

The DNS server is broken up into two views: inside and outside.

The inside view defines how IP addresses are resolved for requests that come from the private LAN and localhost (as defined in mylan). By having recursion on (recursion yes), the named daemon will allow name server queries to any domain (even domains that the local DNS server doesn't control) from any computer on the LAN.

The outside view defines how queries coming from all other places (presumably, the Internet) are handled. With recursion off (recursion no), only queries from other name servers for domains controlled by the local DNS server are honored. Requests for information about other domains will be rejected with a not found message. (Turning recursion off can help eliminate a common attack, where a cracker causes your server to seek information from a DNS server controlled by the cracker.)

Be very careful editing the named.conf file. Forgetting a semicolon is all too easy, and results in the entire file not loading, so named cannot start with the new configuration. To ensure that the named.conf file doesn't contain any syntax errors, you can run the following command (as root user) after you finish editing:

    # named-checkconf

 

Setting up the zone files (inside)

The /var/named/chroot/var/named directory contains the zone files that the /var/named/chroot/etc/named.conf file points to. For the example, you need to create only three zone files from scratch. You can (and should) leave the named.ca file alone.

Most of the real work of the domain name server occurs in the zone files. In the example, the db.yourdomain.com.inside file contains the basic records for the yourdomain.com domain, including all private names and addresses. The following is an example of that file:

 

    $TTL 86400
    @       IN     SOA   yourdomain.com. hostmaster.yourdomain.com. (
                            2007042701   ; Serial
                            28800        ; Refresh
                            14400        ; Retry
                            3600000      ; Expire
                            86400 )      ; Minimum
    ; Name servers
            IN NS ns1.yourdomain.com.
            IN NS ns2.yourdomain.com.
    ; Mail server for domain
            IN MX 10 mail.yourdomain.com.
    ; Public servers
    ns1     IN A 10.0.0.1
    ns2     IN A 10.0.0.2
    mail    IN A 123.45.67.2
    www     IN A 123.45.67.3
    ftp     IN A 123.45.67.4
    ; Private clients on the LAN
    red     IN A 10.0.0.2
    blue    IN A 10.0.0.3
    green   IN A 10.0.0.4
    yellow  IN A 10.0.0.5
    ; EOF

 

Setting up the zone files (outside)

For the "outside" yourdomain.com zone you made a db.yourdomain.com.outside file using the same information from the "inside" file, with the following exceptions:

• Removed all references to private clients on the LAN. That way, someone poking around from the Internet can't get information about your private computers.
• Changed the addresses of the primary and slave DNS servers (ns1 and ns2) to 123.45.67.1 and 123.45.67.2, respectively. In that way, only public addresses for name servers are seen by the public. (Of course, you need to use your own public IP addresses instead of the examples 123.45.67.1 and 123.45.67.2.)

Setting up the zone files (reverse lookup)

The other new file in the example is the yourlan.db file, which contains the information necessary to perform reverse IP lookups for the computers on your LAN. Here's an example:

 

    $TTL 86400
    ; Server names carry a trailing dot so the zone origin (0.0.10.in-addr.arpa)
    ; is not appended to them.
    @       IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
                            2006042701   ; Serial
                            28800        ; Refresh
                            14400        ; Retry
                            3600000      ; Expire
                            86400 )      ; Minimum
            IN NS ns1.yourdomain.com.
    1       IN PTR yourdomain.com.
    2       IN PTR red.yourdomain.com.
    3       IN PTR blue.yourdomain.com.
    4       IN PTR green.yourdomain.com.
    5       IN PTR yellow.yourdomain.com.
    ; EOF
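As an added example (not from the chapter or from BIND), here is a small Python pre-check for the zone files above, covering the two rules the text relies on: names in SOA, NS, MX and PTR records must end with a trailing dot, and a zone served in the "outside" view must not carry private LAN addresses. The two sample zones are constructed for the demonstration; named-checkzone remains the authoritative syntax check.

```python
import ipaddress

# Constructed samples: a public "outside" zone that accidentally kept one LAN
# client, and a reverse zone whose SOA/NS names lack the trailing dot.
OUTSIDE_ZONE = """\
$TTL 86400
@     IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
            2007042701 ; Serial
            28800 14400 3600000 86400 )
      IN NS ns1.yourdomain.com.
      IN NS ns2.yourdomain.com.
      IN MX 10 mail.yourdomain.com.
ns1   IN A 123.45.67.1
ns2   IN A 123.45.67.2
www   IN A 123.45.67.3
red   IN A 10.0.0.2
"""
REVERSE_ZONE = """\
$TTL 86400
@     IN SOA ns1.yourdomain.com hostmaster.yourdomain.com. ( 1 28800 14400 3600000 86400 )
      IN NS ns1.yourdomain.com
2     IN PTR red.yourdomain.com.
"""

def parse_records(zone_text):
    """Yield (owner, rtype, rdata) per record line; simplified one-line-per-record parser."""
    owner = "@"
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()  # drop ';' comments
        if not fields or fields[0].startswith("$") or "IN" not in fields:
            continue  # blank line, $TTL directive, or SOA continuation line
        if not raw[0].isspace() and fields[0] != "IN":
            owner = fields[0]  # an owner name in column one starts a new record set
        i = fields.index("IN")
        yield owner, fields[i + 1], fields[i + 2:]

def check_zone(zone_text, public=True):
    """Return findings: unqualified SOA/NS/MX/PTR names and, if public, private A records."""
    findings = []
    for owner, rtype, rdata in parse_records(zone_text):
        if rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if public and (addr.is_private or addr.is_loopback):
                findings.append(f"{owner} A {addr}: private address in a public zone")
        elif rtype in ("SOA", "NS", "MX", "PTR"):
            for name in (rdata[:2] if rtype == "SOA" else rdata[-1:]):
                if not name.endswith("."):
                    findings.append(f"{owner} {rtype} {name}: no trailing dot, origin will be appended")
    return findings
```

Run check_zone(OUTSIDE_ZONE) before publishing the outside file; it reports the leaked red/10.0.0.2 record, and check_zone(REVERSE_ZONE, public=False) flags the two unqualified names.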

 

After you finish creating your own zone files, you can use the named-checkzone command to make sure that each zone file is formed correctly. Here is how you'd run the named-checkzone command (as root user) to check the two yourdomain.com zone files (be sure to type each command on one line, even though each is shown here on two):

    # named-checkzone yourdomain.com
    /var/named/chroot/var/named/db.yourdomain.com.inside
    zone yourdomain.com/IN: loaded serial 2007042701
    OK
    # named-checkzone yourdomain.com
    /var/named/chroot/var/named/db.yourdomain.com.outside
    zone yourdomain.com/IN: loaded serial 2007042701
    OK

The result of running the named-checkzone command in this experiment is shown in the figure below:

After the experiment was complete, the host command resolved names successfully on the local machine, as shown in the figure below:

The dig command shows the following result:

In this experiment, two client computers were used, acting as two client machines on the internal network. No external DNS view was configured in this experiment. After names resolved successfully on the server itself, I found that the domain names could not be resolved on the two client machines. After checking the firewall, SELinux and related settings, resolution still did not work; I then checked the main configuration file and found the problem. Configuring it as shown in the figure below makes it work normally.

On October 1, 2008, while configuring DNS views, I found the following issues to watch for:

In the forward zone file west.zone of the internal view, if the file contains an "A" record for a host on the internal network, that host is not subject to the ACL and client matching filter check, and the client can query the DNS server directly for resolution. If the forward zone file has no "A" record for some internal host, and the ACL is restricted or the "match-clients" item has rules about client hosts, then that client host cannot query the DNS server for resolution. If you want any host on the internal network to be able to query the DNS server for resolution, this item must be set to "any".
