Linux DNS chroot: the process of chrooting DNS (including some simple troubleshooting)

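Note: this procedure follows that HOWTO, but I personally think the original HOWTO is wrong about the /chroot directory permission settings in its later part, so I did not follow the HOWTO there.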

I. Preparation

1. rndc stop

2. vi /etc/passwd: change the home directory of named to /chroot/named

3. vi /etc/group: make sure a named group exists

4. Check the changes:

[root@dns.bob.com =>/]#finger named

Login: named                            Name: Named

Directory: /chroot/named                Shell: /sbin/nologin        Never logged in.

No mail.

No Plan.

[root@dns.bob.com =>/]#id named

uid=25(named) gid=25(named) groups=25(named)

5. Decide on the directories

Principle: keep the changes needed in the new named.conf to a minimum

a) include "/etc/rndc.key"; ==> /chroot/named/etc directory

b) include "log/log_def"; ==> /chroot/named/log directory

c) include "local/zone.def"; ==> /chroot/named/local directory

d) file "bob.com.zone"; ==> /chroot/named/master directory

file "db.192.253.254"; ==> /chroot/named/master directory

e) pid-file "/var/run/named/named.pid"; ==> /chroot/named/var/run directory

f) /dev/random, /dev/null ==> /chroot/named/dev directory

II. Main steps

6. Create the directories

[root@dns.bob.com =>/]#mkdir -p /chroot/named

[root@dns.bob.com =>/]#mkdir -p /chroot/named/var

[root@dns.bob.com =>/]#mkdir -p /chroot/named/var/run

[root@dns.bob.com =>/]#mkdir -p /chroot/named/etc

[root@dns.bob.com =>/]#mkdir -p /chroot/named/log

[root@dns.bob.com =>/]#mkdir -p /chroot/named/local

[root@dns.bob.com =>/]#mkdir -p /chroot/named/{master,slave,stub}

[root@dns.bob.com =>/]#mkdir -p /chroot/named/dev

Or use:

[root@dns.bob.com =>/]#mkdir -p /chroot/named/{var/run,etc,log,local,master,dev,slave,stub}

[root@dns.bob.com =>/]#ll -d /chroot

drwxr-xr-x    3 root     root         4096 12月 11 20:13 /chroot

[root@dns.bob.com =>/]#ll -d /chroot/named

drwxr-xr-x    9 root     root         4096 12月 11 20:14 /chroot/named

[root@dns.bob.com =>named]#ll

总用量 44

drwxr-xr-x    2 root     root         4096 12月 11 20:37 dev

drwxr-xr-x    2 root     root         4096 12月 13 09:32 etc

drwxr-xr-x    2 root     root         4096 12月 11 21:38 local

drwxr-xr-x   17 named    named        4096 12月 11 21:30 log

drwxr-xr-x    2 root     root         4096 12月 13 09:29 master

-rw-r--r--    1 named    named        2499 2003-01-25  named.ca

-rw-r--r--    1 named    named          57 12月 11 21:34 named_dump.db

-rw-r--r--    1 named    named         138 12月 11 21:33 named.stats

drwxr-xr-x    2 named    named        4096 12月 11 20:27 slave

drwxr-xr-x    2 named    named        4096 12月 11 20:27 stub

drwxr-xr-x    4 root     root         4096 12月 11 20:34 var

[root@dns.bob.com =>named]#

[root@dns.bob.com =>named]#ll var

总用量 8

drwxr-xr-x    2 root     root         4096 12月 11 20:34 run

[root@dns.bob.com =>named]#

7. Copy the files

a) Below is the content of the original /var/named directory:

[root@dns.bob.com =>named]#cd /var/named

[root@dns.bob.com =>named]#ll

总用量 28

-rw-r--r--    1 named    named         360 12月  8 16:24 bob.com.zone

-rw-r--r--    1 named    named         328 12月  8 16:14 db.192.253.254

drwxr-xr-x    3 root     root         4096 12月  7 11:05 key

drwxr-xr-x    2 named    named        4096 12月  1 10:01 local

drwxr-xr-x   16 named    named        4096 12月  1 15:53 log

-rw-r--r--    1 named    named        2499 2003-01-25  named.ca

-rw-r--r--    1 named    named          57 12月  4 10:16 named_dump.db

[root@dns.bob.com =>named]#

b) First copy the zone data files

[root@dns.bob.com =>named]#cp -av bob.com.zone db.192.253.254 ~named/master/

‘bob.com.zone’ -> ‘/chroot/named/master/bob.com.zone’

‘db.192.253.254’ -> ‘/chroot/named/master/db.192.253.254’

[root@dns.bob.com =>named]#

c) Then copy the contents of the /var/named/local directory:

[root@dns.bob.com =>named]#cp -av local/* ~named/local/

‘local/localhost.zone’ -> ‘/chroot/named/local/localhost.zone’

‘local/named.local’ -> ‘/chroot/named/local/named.local’

‘local/zone.def’ -> ‘/chroot/named/local/zone.def’

[root@dns.bob.com =>named]#

d) Then copy the contents of the /var/named/log directory:

[root@dns.bob.com =>named]#cp -av log/* ~named/log/

‘log/client’ -> ‘/chroot/named/log/client’

‘log/client/client_log’ -> ‘/chroot/named/log/client/client_log’

‘log/config’ -> ‘/chroot/named/log/config’

‘log/config/config_log’ -> ‘/chroot/named/log/config/config_log’

‘log/database’ -> ‘/chroot/named/log/database’

(middle part omitted)

‘log/xfer-out’ -> ‘/chroot/named/log/xfer-out’

‘log/xfer-out/xfer-out_log’ -> ‘/chroot/named/log/xfer-out/xfer-out_log’

[root@dns.bob.com =>named]#

e) Then copy the hints file

[root@dns.bob.com =>named]#cp -av named.ca ~named/

‘named.ca’ -> ‘/chroot/named/named.ca’

f) Then copy the /etc/named.conf file

[root@dns.bob.com =>named]#cp -av /etc/named.conf ~named/etc/

‘/etc/named.conf’ -> ‘/chroot/named/etc/named.conf’

[root@dns.bob.com =>named]#

[root@dns.bob.com =>named]#

8. Change the owner of the directories (stub, log, slave, var/run)

[root@dns.bob.com =>named]#mkdir stub slave

[root@dns.bob.com =>named]#chown -c named:named log stub slave

‘log’ 的所有者已更改为 named:named

‘stub’ 的所有者已更改为 named:named

‘slave’ 的所有者已更改为 named:named

[root@dns.bob.com =>named]#

[root@dns.bob.com =>named]#cd var

[root@dns.bob.com =>var]#ll

总用量 8

drwxr-xr-x    2 root     root         4096 12月 11 20:13 named

drwxr-xr-x    2 root     root         4096 12月 11 20:34 run

[root@dns.bob.com =>var]#chown -c named:named run

‘run’ 的所有者已更改为 named:named

[root@dns.bob.com =>var]#

9. Copy /dev/null and /dev/random into /chroot/named/dev and change the permissions of these two device files

[root@dns.bob.com =>dev]#cp -a /dev/null /dev/random .

[root@dns.bob.com =>dev]#ll

总用量 0

crw-rw-rw-    1 root     root       1,   3 2003-01-30  null

crw-r--r--    1 root     root       1,   8 2003-01-30  random

[root@dns.bob.com =>dev]#

[root@dns.bob.com =>dev]#chmod -c 666 *

‘random’ 的权限模式已更改为 0666 (rw-rw-rw-)

[root@dns.bob.com =>dev]#

10. Copy /etc/localtime into /chroot/named/etc

[root@dns.bob.com =>etc]#cp -av /etc/localtime .

‘/etc/localtime’ -> ‘./localtime’

[root@dns.bob.com =>etc]#ll

总用量 8

-rw-r--r--    1 root     root          165  7月 13 00:40 localtime

-rw-r--r--    1 root     root         1091 12月  8 16:13 named.conf

[root@dns.bob.com =>etc]#

11. Modify the logging definition file log_def. Only the default category uses syslog, so write the default category's log to a file:

channel ch_default {

file "log/default/default_log" version 2 size 10k;

severity debug;

print-time yes;

print-severity yes;

print-category yes;

};

category default { ch_default; };

12. Security settings

a) Change the permissions of /chroot to (rwx--x--x): apart from root, which has full permissions, other users may only enter the directory

[root@dns.bob.com =>/]#chmod -c go-r /chroot

‘/chroot’ 的权限模式已更改为 0711 (rwx--x--x)

[root@dns.bob.com =>/]#

b) Change the permissions and owner of /chroot/named

[root@dns.bob.com =>chroot]#chown named:named named/

[root@dns.bob.com =>chroot]#chmod -c 700 named

‘named’ 的权限模式已更改为 0700 (rwx------)

[root@dns.bob.com =>chroot]#

13. Follow-up work

a) In /chroot/named/etc/named.conf, change

directory "/var/named"

to:

directory "/"

b) Add pid-file "var/run/named.pid";

c) Copy the rndc.key file into /chroot/named/etc/

[root@dns.bob.com =>named]#cp -av /etc/rndc.key etc/

‘/etc/rndc.key’ -> ‘etc/rndc.key’

[root@dns.bob.com =>named]#ll etc

总用量 12

-rw-r--r--    1 root     root          165  7月 13 00:40 localtime

-rw-r--r--    1 root     root         1114 12月 11 21:14 named.conf

-rw-r-----    1 root     named         132  7月 12 23:53 rndc.key

d) Change the location of the zone data files:

zone "bob.com" IN {

type master;

file "master/bob.com.zone";

};

zone "254.253.192.in-addr.arpa" IN {

type master;

file "master/db.192.253.254";

};

14. Start named

[root@dns.bob.com =>etc]#named -u named -t /chroot/named -c /etc/named.conf -d 10

[root@dns.bob.com =>etc]#

15. Startup fails

[root@dns.bob.com =>etc]#pidof named

[root@dns.bob.com =>etc]#

16. Check the logs

[root@dns.bob.com =>etc]#tail -f /var/log/messages

Dec 11 20:00:53 dns sshd(pam_unix)[20503]: session closed for user root

Dec 11 20:01:45 dns sshd(pam_unix)[20641]: session opened for user root by (uid=0)

Dec 11 20:54:58 dns vsftpd: warning: can't get client address: Bad file descriptor

Dec 11 21:00:02 dns syslogd 1.4.1: restart.

Dec 11 13:20:29 dns named[22007]: starting BIND 9.2.1 -u named -t /chroot/named -c /etc/named.conf -d 10

Dec 11 13:20:29 dns named[22007]: using 1 CPU

Dec 11 13:20:29 dns named[22007]: loading configuration from '/etc/named.conf'

Dec 11 13:20:29 dns named[22007]: none:0: open: /etc/named.conf: permission denied

Dec 11 13:20:29 dns named[22007]: loading configuration: permission denied

Dec 11 13:20:29 dns named[22007]: exiting (due to fatal error)

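Checking shows that /chroot/named is owned by root with mode 700, so the named user cannot enter it to read the configuration file.

So the cause of the failure is that I forgot to change the owner of the /chroot/named directory.

Set the owner of /chroot/named to the named user again.

17. Start again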

[root@dns.bob.com =>named]#named -u named -t /chroot/named -c /etc/named.conf

[root@dns.bob.com =>named]#pidof named

18. Still fails

[root@dns.bob.com =>named]#tail -f /var/log/messages

Dec 11 13:20:29 dns named[22007]: none:0: open: /etc/named.conf: permission denied

Dec 11 13:20:29 dns named[22007]: loading configuration: permission denied

Dec 11 13:20:29 dns named[22007]: exiting (due to fatal error)

Dec 11 21:25:13 dns named[22089]: starting BIND 9.2.1 -u named -t /chroot/named -c /etc/named.conf

Dec 11 21:25:13 dns named[22089]: using 1 CPU

Dec 11 21:25:13 dns named[22089]: loading configuration from '/etc/named.conf'

Dec 11 21:25:13 dns named[22089]: log/log_def:146: missing ';' before '2'

Dec 11 21:25:13 dns named[22089]: log/log_def:146: unknown option '2'

Dec 11 21:25:13 dns named[22089]: loading configuration: failure

Dec 11 21:25:13 dns named[22089]: exiting (due to fatal error)

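The configuration file is now being read, but an error occurs while reading the logging definition file log_def: at line 146, a ';' is missing before '2'.

Checking shows that the following statement is wrong:

channel ch_default {

file "log/default/default_log" version 2 size 10k; // should be versions, not version

severity debug;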

print-time yes;

print-severity yes;

print-category yes;

};

Fixed.

19. Third start

[root@dns.bob.com =>named]#named -u named -t /chroot/named -c /etc/named.conf

[root@dns.bob.com =>named]#pidof named

20. Still fails

[root@dns.bob.com =>named]#tail -f /var/log/messages

Dec 11 21:28:41 dns named[22099]: using 1 CPU

Dec 11 21:28:41 dns named[22099]: loading configuration from '/etc/named.conf'

Dec 11 21:28:41 dns named[22099]: no IPv6 interfaces found

Dec 11 21:28:41 dns named[22099]: listening on IPv4 interface lo, 127.0.0.1#53

Dec 11 21:28:41 dns named[22099]: listening on IPv4 interface eth0, 192.253.254.2#53

Dec 11 21:28:41 dns named[22099]: command channel listening on 127.0.0.1#953

Dec 11 21:28:41 dns named[22099]: logging channel 'ch_lame': not found

Dec 11 21:28:41 dns named[22099]: configuring logging: not found

Dec 11 21:28:41 dns named[22099]: loading configuration: not found

Dec 11 21:28:41 dns named[22099]: exiting (due to fatal error)

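The message says that log_def refers to ch_lame, a channel that is not defined.

Checking shows the channel was defined as channel lame by mistake; it should be channel ch_lame.

Fixed.

21. Fourth start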

[root@dns.bob.com =>named]#named -u named -t /chroot/named -c /etc/named.conf

[root@dns.bob.com =>named]#pidof named

22173

[root@dns.bob.com =>named]#

named has now started, but it still needs to be checked for correct operation.

22. Test whether rndc works

[root@dns.bob.com =>general]#rm -f * // first delete all the old log files in /chroot/named/log/general/

[root@dns.bob.com =>general]#rndc reload // run rndc reload

[root@dns.bob.com =>general]#ll

总用量 4

-rw-r--r--    1 named    named        1485 12月 11 21:32 general_log // a new log file has been generated, so rndc reload works

[root@dns.bob.com =>general]#

[root@dns.bob.com =>general]#rndc stats

-rw-r--r--    1 named    named         138 12月 11 21:33 named.stats // the named.stats file has been generated

[root@dns.bob.com =>chroot]#rndc dumpdb

-rw-r--r--    1 named    named          57 12月 11 21:34 named_dump.db

[root@dns.bob.com =>named]#cat named.stats

+++ Statistics Dump +++ (1134308000)

success 0

referral 0

nxrrset 0

nxdomain 0

recursion 0

failure 0

--- Statistics Dump --- (1134308000)

[root@dns.bob.com =>named]#cat named_dump.db

;

; Cache dump of view '_default'

;

$DATE 20051211133417

[root@dns.bob.com =>named]#

23. Check the logs

[root@dns.bob.com =>log]#cd general/

[root@dns.bob.com =>general]#cat general_log

Dec 11 21:32:05.174 general: debug 1: now using logging configuration from config file

Dec 11 21:32:05.175 general: debug 1: load_configuration: success

Dec 11 21:32:05.175 general: debug 1: zone 0.0.127.in-addr.arpa/IN: starting load

Dec 11 21:32:05.175 general: error: zone 0.0.127.in-addr.arpa/IN: loading master file /var/named/local/named.local: file not found

Dec 11 21:32:05.175 general: debug 1: zone 254.253.192.in-addr.arpa/IN: skipping load: master file older than last load

Dec 11 21:32:05.175 general: debug 1: zone bob.com/IN: skipping load: master file older than last load

Dec 11 21:32:05.175 general: debug 1: zone localhost/IN: starting load

Dec 11 21:32:05.175 general: error: zone localhost/IN: loading master file /var/named/local/localhost.zone: file not found

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone localhost/IN: enter

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone 0.0.127.in-addr.arpa/IN: enter

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone bob.com/IN: enter

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone 254.253.192.in-addr.arpa/IN: enter

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone version.bind/CH: enter

Dec 11 21:32:05.175 general: debug 1: dns_zone_maintenance: zone version.bind/CH: enter

Dec 11 21:32:05.176 general: debug 1: zone_timer: zone version.bind/CH: enter

Dec 11 21:32:05.176 general: debug 1: zone_maintenance: zone version.bind/CH: enter

Dec 11 21:33:20.712 general: debug 1: received control channel command 'stats'

Dec 11 21:34:17.282 general: debug 1: received control channel command 'dumpdb'

[root@dns.bob.com =>general]#

There are "file not found" errors, for:

/var/named/local/named.local

/var/named/local/localhost.zone

Checking shows that /chroot/named/local/zone.def uses absolute paths

file "/var/named/local/localhost.zone";

file "/var/named/local/named.local";

which makes the load fail.

Change them to:

file "local/localhost.zone";

file "local/named.local";

24. Reload again

[root@dns.bob.com =>local]#rndc reload

25. Check the logs again

Dec 11 21:38:04.274 general: debug 1: received control channel command 'reload'

Dec 11 21:38:04.275 general: info: loading configuration from '/etc/named.conf'

Dec 11 21:38:04.278 general: debug 1: now using logging configuration from config file

Dec 11 21:38:04.280 general: debug 1: load_configuration: success

Dec 11 21:38:04.280 general: debug 1: zone 0.0.127.in-addr.arpa/IN: starting load

Dec 11 21:38:04.280 general: debug 1: zone 0.0.127.in-addr.arpa/IN: loaded

Dec 11 21:38:04.280 general: debug 1: zone 0.0.127.in-addr.arpa/IN: journal rollforward completed successfully: no journal

Dec 11 21:38:04.280 general: info: zone 0.0.127.in-addr.arpa/IN: loaded serial 1997022700

Dec 11 21:38:04.281 general: debug 1: zone 254.253.192.in-addr.arpa/IN: skipping load: master file older than last load

Dec 11 21:38:04.281 general: debug 1: zone bob.com/IN: skipping load: master file older than last load

Dec 11 21:38:04.281 general: debug 1: zone localhost/IN: starting load

Dec 11 21:38:04.281 general: debug 1: zone localhost/IN: loaded

Dec 11 21:38:04.281 general: debug 1: zone localhost/IN: journal rollforward completed successfully: no journal

Dec 11 21:38:04.281 general: info: zone localhost/IN: loaded serial 42

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone localhost/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone 0.0.127.in-addr.arpa/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone bob.com/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone 254.253.192.in-addr.arpa/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone version.bind/CH: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone localhost/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone 0.0.127.in-addr.arpa/IN: enter

Dec 11 21:38:04.281 general: debug 1: dns_zone_maintenance: zone version.bind/CH: enter

Dec 11 21:38:04.282 general: debug 1: zone_timer: zone localhost/IN: enter

Dec 11 21:38:04.282 general: debug 1: zone_maintenance: zone localhost/IN: enter

Dec 11 21:38:04.282 general: debug 1: zone_timer: zone 0.0.127.in-addr.arpa/IN: enter

Dec 11 21:38:04.282 general: debug 1: zone_maintenance: zone 0.0.127.in-addr.arpa/IN: enter

Dec 11 21:38:04.282 general: debug 1: zone_timer: zone version.bind/CH: enter

Dec 11 21:38:04.282 general: debug 1: zone_maintenance: zone version.bind/CH: enter

[root@dns.bob.com =>general]#

No errors this time.

26. Check the logs of the config, default, lame, network, notify, security and xfer-out categories

-rw-r--r--    1 named    named           0 12月  7 15:05 config_log

-rw-r--r--    1 named    named           0 12月 11 21:28 default_log

-rw-r--r--    1 named    named           0 12月  7 15:25 lame_log

[root@dns.bob.com =>network]#netstat -an |grep -w 53

tcp        0      0 192.253.254.2:53        0.0.0.0:*               LISTEN

tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN

udp        0      0 192.253.254.2:53        0.0.0.0:*

udp        0      0 127.0.0.1:53            0.0.0.0:*

[root@dns.bob.com =>network]#

-rw-r--r--    1 named    named           0 12月  7 15:32 notify_log

-rw-r--r--    1 named    named           0 12月 11 21:43 security_log

-rw-r--r--    1 named    named           0 12月 11 21:43 xfer-out_log

27. Check forward name resolution

[root@dns.bob.com =>xfer-out]#rndc flush

[root@dns.bob.com =>xfer-out]#

[root@dns.bob.com =>xfer-out]#nslookup dns

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   dns.bob.com

Address: 192.253.254.2

[root@dns.bob.com =>xfer-out]#nslookup gateway1

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   gateway1.bob.com

Address: 192.253.254.1

[root@dns.bob.com =>xfer-out]#nslookup gateway2

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Non-authoritative answer:

Name:   gateway2.movie.bob.com

Address: 192.253.254.65

[root@dns.bob.com =>xfer-out]#nslookup dns.movie.bob.com.

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Non-authoritative answer:

Name:   dns.movie.bob.com

Address: 192.253.254.66

[root@dns.bob.com =>master]#nslookup ssh

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   ssh.bob.com

Address: 192.253.254.2

[root@dns.bob.com =>master]#nslookup ailms

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

ailms.bob.com   canonical name = dns.bob.com.

Name:   dns.bob.com

Address: 192.253.254.2

[root@dns.bob.com =>master]#

Next, resolution for the reverse zone

[root@dns.bob.com =>master]#nslookup 192.253.254.1

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

1.254.253.192.in-addr.arpa      name = gateway1.bob.com.

[root@dns.bob.com =>master]#nslookup 192.253.254.2

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

2.254.253.192.in-addr.arpa      name = ssh.bob.com.

2.254.253.192.in-addr.arpa      name = dns.bob.com.

[root@dns.bob.com =>master]#nslookup 192.253.254.65

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

65.254.253.192.in-addr.arpa     name = gateway2.movie.bob.com.

[root@dns.bob.com =>master]#nslookup 192.253.254.66

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

66.254.253.192.in-addr.arpa     name = dns.movie.bob.com.

[root@dns.bob.com =>master]#

Everything is normal.

28. Check the named process

[root@dns.bob.com =>xfer-out]#ps l -C named

F   UID   PID  PPID PRI  NI   VSZ  RSS WCHAN  STAT TTY        TIME COMMAND

1    25 22173     1  23   0 29748 2792 rt_sig S    ?          0:00 named -u named -t /chroot/named -c /etc/named.conf

[root@dns.bob.com =>xfer-out]#ps e -C named

PID TTY      STAT   TIME COMMAND

22173 ?        S      0:00 named -u named -t /chroot/named -c /etc/named.conf

HOSTNAME=dns.bob.com PVM_RSH=/usr/bin/rsh TERM=linux S

29. Modify the startup script

The /etc/sysconfig directory contains a file called named; options can be added in this file

[root@dns.bob.com =>root]#cat /etc/sysconfig/named

# Currently, you can use the following options:

# ROOTDIR="/some/where"  --  will run named in a chroot environment.

#                            you must set up the chroot environment before

#                            doing this.

ROOTDIR="/chroot/named" // ROOTDIR modified

# OPTIONS="whatever" -- These additional options will be passed to named

#                       at startup. Don't add -t here, use ROOTDIR instead.

OPTIONS=" -c /etc/named.conf -d 10" // OPTIONS modified

[root@dns.bob.com =>root]#

30. Restart named

[root@dns.bob.com =>root]#service named start

[root@dns.bob.com =>root]#                                 [  确定  ]

[root@dns.bob.com =>root]#

[root@dns.bob.com =>root]#pidof named

14262

[root@dns.bob.com =>root]#tail -f /var/log/messages

Dec 13 09:00:01 dns syslogd 1.4.1: restart.

Dec 13 09:13:20 dns sshd(pam_unix)[14137]: session opened for user root by (uid=0)

Dec 13 09:17:28 dns 12月 13 09:17:28 named: named 启动 succeeded

Dec 13 09:17:28 dns named[14262]: starting BIND 9.2.1 -u named -c /etc/named.conf -d 10 -t /chroot/named // the new settings have taken effect

Dec 13 09:17:28 dns named[14262]: using 1 CPU

Dec 13 09:17:28 dns named[14262]: loading configuration from '/etc/named.conf'

Dec 13 09:17:28 dns named[14262]: no IPv6 interfaces found

Dec 13 09:17:28 dns named[14262]: listening on IPv4 interface lo, 127.0.0.1#53

Dec 13 09:17:28 dns named[14262]: listening on IPv4 interface eth0, 192.253.254.2#53

Dec 13 09:17:28 dns named[14262]: command channel listening on 127.0.0.1#953

31. Continue testing

[root@dns.bob.com =>log]#rndc flush

[root@dns.bob.com =>log]#nslookup dns

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   dns.bob.com

Address: 192.253.254.2

[root@dns.bob.com =>log]#nslookup dns.movie.bob.com.

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Non-authoritative answer:

Name:   dns.movie.bob.com

Address: 192.253.254.66

[root@dns.bob.com =>log]#nslookup gateway2.movie.bob.com.

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Non-authoritative answer:

Name:   gateway2.movie.bob.com

Address: 192.253.254.65

[root@dns.bob.com =>log]#nslookup gateway1.bob.com.

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   gateway1.bob.com

Address: 192.253.254.1

[root@dns.bob.com =>log]#nslookup ssh.bob.com.

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

Name:   ssh.bob.com

Address: 192.253.254.2

[root@dns.bob.com =>log]#nslookup 192.253.254.1

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

1.254.253.192.in-addr.arpa      name = gateway1.bob.com.

[root@dns.bob.com =>log]#nslookup 192.253.254.2

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

2.254.253.192.in-addr.arpa      name = dns.bob.com.

2.254.253.192.in-addr.arpa      name = ssh.bob.com.

[root@dns.bob.com =>log]#nslookup 192.253.254.65

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

65.254.253.192.in-addr.arpa     name = gateway2.movie.bob.com.

[root@dns.bob.com =>log]#nslookup 192.253.254.66

Note:  nslookup is deprecated and may be removed from future releases.

Consider using the `dig' or `host' programs instead.  Run nslookup with

the `-sil[ent]' option to prevent this message from appearing.

Server:         127.0.0.1

Address:        127.0.0.1#53

66.254.253.192.in-addr.arpa     name = dns.movie.bob.com.

[root@dns.bob.com =>log]#

Everything is normal.
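
The absolute-path failure from step 23 can be caught before named is started. The script below is an added example, not part of the original post: it walks named.conf and its includes and reports every referenced path that does not resolve inside the jail. The function names conf_paths, check_jail_conf and make_demo_jail are hypothetical, the demo jail is constructed, and it assumes directory "/" as set in step 13.

```shell
#!/bin/sh
# Added example (not from the original post): report paths that a chrooted
# named.conf refers to but that named will not find inside the jail.
# Assumption: options { directory "/"; } as in step 13, so relative and
# absolute paths are both looked up directly under the chroot root.

# Print "keyword path" for each file/include/pid-file statement in file $1.
conf_paths() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" |
        grep -oE '(file|include|pid-file)[[:space:]]+"[^"]+"' |
        sed -E 's/^([a-z-]+)[[:space:]]+"([^"]+)"$/\1 \2/'
}

# check_jail_conf ROOT CONF   (CONF is the path as named sees it in the jail)
# The ( ) body is a subshell, so recursion into includes keeps its own variables.
check_jail_conf() (
    root=${1%/}
    conf=$2
    real="$root/${conf#/}"
    if [ ! -r "$real" ]; then
        echo "MISSING   $conf : config file not readable in the jail"
        exit 0
    fi
    conf_paths "$real" | while read -r kw path; do
        target="$root/${path#/}"
        if [ "$kw" = include ]; then
            check_jail_conf "$root" "$path"
        elif [ -e "$target" ]; then
            :   # present inside the jail
        elif [ "${path#/}" != "$path" ] && [ -e "$path" ]; then
            echo "HOST-ONLY $path : exists on the host but not under $root ($conf)"
        elif [ -d "${target%/*}" ]; then
            echo "NOT-YET   $path : absent; fine if named creates it, fatal for a master zone ($conf)"
        else
            echo "MISSING   $path : its directory does not exist in the jail ($conf)"
        fi
    done
)

# Build a constructed jail that mirrors the layout of steps 5-13, with the
# step-23 mistake (absolute host path) left in zone.def. Prints the temp dir.
make_demo_jail() {
    d=$(mktemp -d)
    mkdir -p "$d/host/local" "$d/jail/etc" "$d/jail/local" "$d/jail/var/run"
    : > "$d/host/local/localhost.zone"      # old location, outside the jail
    : > "$d/jail/local/named.local"
    cat > "$d/jail/etc/named.conf" <<EOF
options { directory "/"; pid-file "var/run/named.pid"; };
include "local/zone.def";
include "log/log_def";   // deliberately not copied into this demo jail
EOF
    cat > "$d/jail/local/zone.def" <<EOF
zone "localhost" IN { type master; file "$d/host/local/localhost.zone"; };
zone "0.0.127.in-addr.arpa" IN { type master; file "local/named.local"; };
zone "bob.com" IN { type master; file "master/bob.com.zone"; };
EOF
    echo "$d"
}

demo=$(make_demo_jail)
check_jail_conf "$demo/jail" /etc/named.conf
rm -rf "$demo"
```

On the server from this walkthrough the call would be check_jail_conf /chroot/named /etc/named.conf. BIND's own named-checkconf -t /chroot/named /etc/named.conf covers syntax errors such as the one in step 18.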
