2009-02-26 16:57:28
Title: Fedora 8 and Red Hat Enterprise Linux Bible
Chapter 25: Making Servers Public with DNS
Author: Christopher Negus
Translated and compiled by 任明哲, 25 September 2008
Making Servers Public with DNS
Figure 1-1: The sample yourdomain.com DNS server has a combination of public servers and private client computers.
In Figure 1-1 above, the DNS service for the yourdomain.com domain combines servers and clients in a small network environment.
The sections that follow describe how to set up a DNS server for the example in Figure 25-1.
Quick-starting a DNS server
The DNS server software that comes with the current Fedora and RHEL versions is Berkeley Internet Name Domain (BIND) version 9. To configure BIND 9, you work with the following components:
To configure the DNS service, first confirm that the following items are set correctly:
Configuration file (/var/named/chroot/etc/named.conf): the main DNS server configuration file.
Zone directory (/var/named/chroot/var/named): the directory containing files that keep information about the Internet root DNS servers (the named.ca file) and information about the zones that you create for your DNS server.
Daemon process (/usr/sbin/named): the daemon process that listens for DNS requests and responds with the information that the named.conf file presents.
Debugging tools (named-checkconf and named-checkzone): what you use to determine whether you created your DNS configuration correctly.
NOTE: Fedora and RHEL come with a GUI tool for configuring BIND called system-config-bind. (Type yum install system-config-bind to install it.) If you decide to use that tool, you need to be careful when editing the BIND configuration files by hand. If there are changes you want to make to the named.conf file that are not supported by the system-config-bind window, it is recommended that you put those changes in the /etc/named.custom file instead.
BIND 9 also includes tools for creating DNSSEC secured zones. By using these tools, you can create and generate keys to provide authentication and secure address resolution. The example illustrated in these sections doesn't include DNSSEC configuration.
The basic steps in creating a DNS server for your example are as follows:
1. Identifying your DNS servers
2. Creating DNS configuration files (the named.conf file and the named directory)
3. Starting the named daemon
4. Monitoring named activities
In the example configuration, you set up a primary master DNS server and a slave DNS server. The primary server holds the master copy of the authoritative records for the domain. The secondary server is there to share requests for information about the domain, particularly in case the primary goes down. The secondary typically gets its records from the primary server. The secondary is also considered to be authoritative in regards to the DNS records for the domains it controls.
1. Identifying your DNS servers
DNS configuration step: determine the basic information about your DNS servers.
If you didn't have your DNS servers set up at the time that you purchased your domain name with a registration authority, you might have just "parked" the domain name there until you configured your DNS servers. Whenever you're ready to set up your DNS servers, return to that registration authority and provide the following information about your DNS servers:
DNS server IP addresses (the static IP addresses of your DNS servers, probably primary and slave). Determine the IP addresses of the DNS servers and make sure they are static addresses permanently assigned to the DNS servers.
DNS server hostnames (often ns1.yourdomain.com for the primary, where you replace yourdomain.com with your domain name; the slave hostname is ns2.yourdomain.com). Determine the DNS hostnames and likewise make sure they are fixed and not prone to change.
You should register both the primary and slave DNS servers. After you update this record, that information typically takes a day or two to propagate throughout the Internet. When your DNS servers are registered, you also need to tell the registration authority to use those DNS servers as the authority for addresses in your domain. The registration authority probably offers an online form you can fill out to identify your DNS servers.
2. Creating DNS configuration files (named.conf and var/named)
This example suits a small office environment.
Editing named.conf
The edited version of the /var/named/chroot/etc/named.conf file is as follows:
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
};
acl "mylan" {
        127/8; 10.0.0.0/24;
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
view "inside" {
        match-clients { "mylan"; };
        recursion yes;
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "0.0.10.in-addr.arpa" IN {
                type master;
                file "yourlan.db";
        };
        zone "yourdomain.com" {
                type master;
                file "db.yourdomain.com.inside";
                allow-transfer { 10.0.0.2; };
        };
};
view "outside" {
        match-clients { any; };
        recursion no;
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "yourdomain.com" {
                type master;
                file "db.yourdomain.com.outside";
                allow-transfer { 123.45.67.2; };
        };
};
include "/etc/rndc.key";
Notes on views (DNS views):
The DNS server is broken up into two views: inside and outside. The inside view defines how IP addresses are resolved for requests that come from the private LAN and localhost (as defined in mylan). By having recursion on (recursion yes), the named daemon will allow name server queries to any domain (even domains that the local DNS server doesn't control) from any computer on the LAN.
The outside view defines how queries coming from all other places (presumably, the Internet) are handled. With recursion off (recursion no), only queries from other name servers for domains controlled by the local DNS server are honored. Requests for information about other domains will be rejected with a not found message. (Turning recursion off can help eliminate a common attack, where a cracker causes your server to seek information from a DNS server controlled by the cracker.)
Make sure there are no syntax errors anywhere in named.conf when you configure it; otherwise named will not load the configuration file correctly. After finishing the configuration, you can check the syntax of the file with the following command.
Be very careful editing the named.conf file. Forgetting a semicolon is all too easy, and results in the entire file not loading. To ensure that the named.conf file doesn't contain any syntax errors, you can run the following command (as root user):
# named-checkconf
Setting up the zone files (inside)
The /var/named/chroot/var/named directory contains the zone files that the /var/named/chroot/etc/named.conf file points to. For the example, you need to create only three zone files from scratch. You can (and should) leave the named.ca file alone.
Most of the real work of the domain name server occurs in the zone files. In the example, the db.yourdomain.com.inside file contains the basic records for the yourdomain.com domain, including all private names and addresses. The following is an example of that file:
$TTL 86400
@       IN SOA yourdomain.com. hostmaster.yourdomain.com. (
                2007042701 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
; Name servers
        IN NS ns1.yourdomain.com.
        IN NS ns2.yourdomain.com.
; Mail server for domain
        IN MX 10 mail.yourdomain.com.
; Public servers
ns1     IN A 10.0.0.1
ns2     IN A 10.0.0.2
mail    IN A 123.45.67.2
www     IN A 123.45.67.3
ftp     IN A 123.45.67.4
; Private clients on the LAN
red     IN A 10.0.0.2
blue    IN A 10.0.0.3
green   IN A 10.0.0.4
yellow  IN A 10.0.0.5
; EOF
Setting up the zone files (outside)
For the "outside" yourdomain.com zone you made a db.yourdomain.com.outside file using the same information from the "inside" file, with the following exceptions:
Removed all references to private clients on the LAN. That way, someone poking around from the Internet can't get information about your private computers.
Changed the addresses of the primary and slave DNS servers (ns1 and ns2) to 123.45.67.1 and 123.45.67.2, respectively. In that way, only public addresses for name servers are seen by the public. (Of course, you need to use your own public IP addresses instead of the examples 123.45.67.1 and 123.45.67.2.)
Setting up the zone files (reverse lookup)
The other new file in the example is the yourlan.db file, which contains the information necessary to perform reverse IP lookups for the computers on your LAN. Here's an example:
$TTL 86400
@       IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
                2006042701 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
; the trailing dots keep ns1.yourdomain.com. absolute instead of being
; appended to the 0.0.10.in-addr.arpa origin
        IN NS ns1.yourdomain.com.
1       IN PTR yourdomain.com.
2       IN PTR red.yourdomain.com.
3       IN PTR blue.yourdomain.com.
4       IN PTR green.yourdomain.com.
5       IN PTR yellow.yourdomain.com.
; EOF
After you finish creating your own zone files, you can use the named-checkzone command to make sure that each zone file is formed correctly. Here is how you'd run the named-checkzone command (as root user) to check the two yourdomain.com zone files (be sure to type each command on one line, even though each is shown here on two):
# named-checkzone yourdomain.com
/var/named/chroot/var/named/db.yourdomain.com.inside
zone yourdomain.com/IN: loaded serial 2007042701
OK
# named-checkzone yourdomain.com
/var/named/chroot/var/named/db.yourdomain.com.outside
zone yourdomain.com/IN: loaded serial 2007042701
OK
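named-checkzone only verifies that a zone file is well formed; it says nothing about whether the outside file still leaks a private LAN address, or whether every LAN host in the inside file has a matching PTR in yourlan.db. The following script is an added example (not from the book or this blog) that performs those two checks over constructed sample zones modelled on the files above; the zone samples and the function names are my own assumptions.

```python
import ipaddress
import re
# Constructed sample zones modelled on db.yourdomain.com.inside/.outside and yourlan.db above:
# the outside copy still carries private client "blue", the reverse zone lacks a PTR for "yellow".
INSIDE_ZONE = """\
$TTL 86400
@ IN SOA yourdomain.com. hostmaster.yourdomain.com. (
        2007042701 ; Serial
        86400 )    ; Minimum
    IN NS ns1.yourdomain.com.
ns1 IN A 10.0.0.1
blue IN A 10.0.0.3
yellow IN A 10.0.0.5
"""
OUTSIDE_ZONE = """\
ns1 IN A 123.45.67.1
www IN A 123.45.67.3
blue IN A 10.0.0.3
"""
REVERSE_ZONE = """\
1 IN PTR yourdomain.com.
3 IN PTR blue.yourdomain.com.
"""

def parse_records(zone_text):
    """Return (owner, type, rdata) for the record subset the chapter uses; SOA is skipped."""
    text = re.sub(r"\([^)]*\)", "", re.sub(r";[^\n]*", "", zone_text))  # comments, SOA parens
    owner, records = "@", []
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if not line[0].isspace():                 # line names its own owner
            owner, line = line.split(None, 1)
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "IN" and fields[1] != "SOA":
            records.append((owner, fields[1], fields[-1]))
    return records

def private_addresses(zone_text):
    """A records pointing at private or loopback space; the outside zone must return none."""
    return [(o, ip) for o, t, ip in parse_records(zone_text)
            if t == "A" and ipaddress.ip_address(ip).is_private]

def missing_ptrs(forward_text, reverse_text, network="10.0.0.0/24"):
    """LAN hosts with an A record in the forward zone but no PTR in the reverse zone."""
    net = ipaddress.ip_network(network)
    ptr_owners = {o for o, t, _ in parse_records(reverse_text) if t == "PTR"}
    return [(o, ip) for o, t, ip in parse_records(forward_text)
            if t == "A" and ipaddress.ip_address(ip) in net
            and ip.rsplit(".", 1)[1] not in ptr_owners]
```

Run private_addresses over your real db.yourdomain.com.outside before starting named; any hit is a private host the Internet would learn about.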
The result of running the named-checkzone command in this experiment is shown in the figure below:
After the experiment was finished, the host command resolved names successfully on the local machine, as shown in the figure below:
The dig command shows the following result:
In this experiment, two client computers were used, acting as the two client hosts on the internal network. The outside DNS view was not set up in this experiment. After resolution succeeded locally on the server, I found that the domain name could not be resolved on the two clients. After checking the firewall, SELinux and related settings, resolution still did not work. I then checked the main configuration file and found the problem; configuring it as shown in the figure below makes it work normally.
On 1 October 2008, while configuring DNS views, I found the following points to note:
In the inside view's forward zone file west.zone, if an "A" record exists for a given host on the internal network, that host is not subject to the ACL and client match filtering and can query the DNS server directly for resolution; if the forward zone file has no "A" record for some internal host, and the ACL restricts it or the "match-clients" item places conditions on client hosts, then that client host cannot query the DNS server for resolution; if you want any host on the internal network to be able to query the DNS server, this item must be set to "any".