linux 编译安装dns,linux安装dns

转自一论坛网友的帖子

linux安装dns，rndc-confgen没反应

前几天，一位朋友问我安装linux 的时候有没有遇到执行rndc-confgen没反应的情况，我还真没有遇到过，朋友很急，我就让他把SSH 发过来，我连过去帮他看了一下，执行rndc-confgen就卡住了，不懂了只能ctrl+c 中断操作，后来我看了下rndc-confgen –help 看到randomfile，我印象这个是个生成器，应该跟他有关系，google 后果然没错在官网上看到：

在官方网站上看到这么一条信息

You must use the keyboard to create entropy, since your system is lacking

/dev/random (or equivalent)

start typing:

rndc-confgen: generate key: out of entropy

大概意思就是服务器上没有random产生器，这种情况下我们就手动伪造一个文件代替/dev/random的功能

好了废话不多说了，看我是怎么给他解决的吧

shell $> tar zxvf bind-9.6.1-P3.tar.gz

shell $> cd bind-9.6.1-P3

shell $> ./configure –prefix=/usr/local/named –enable-epoll–enable-openssl-version-check –enable-threads –disable-ipv6 –enable-largefile

shell $> make

shell $> make install

shell $> cd /usr/local/named/etc

###问题就出在这里了，没反映，google##

shell $> ../sbin/rndc-confgen > rndc.conf

在官方网站上看到这么一条信息

You must use the keyboard to create entropy, since your system is lacking

/dev/random (or equivalent)

start typing:

rndc-confgen: generate key: out of entropy

大概意思就是服务器上没有random产生器，这种情况下我们就手动伪造一个文件代替/dev/random的功能

###新建一个 random 文件随即输入一串数字“记得要长~~

shell $> vim random

asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl

###查看 rndc-confgen 帮助

shell $> ../sbin/rndc-confgen –help

rndc-confgen: invalid argument –

Usage:

rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-rrandomfile] [-s addr] [-t chrootdir] [-u user]

-a:           generatejust the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)

-b bits:      from 1 through 512, default 128;total length of the secret

-c keyfile:   specify an alternate key file (requires -a)

-k keyname:   the name as it will be used  in named.confand rndc.conf

-p port:      the port named will listen on andrndc will connect to

-r randomfile: a file containing random data

-s addr:      the address to which rndc shouldconnect

-t chrootdir: write a keyfile in chrootdir as well (requires -a)

-u user:      set the keyfile owner to “user”(requires -a)

shell $> ../sbin/rndc-confgen -r random > rndc.key

ok问题解决了，接下来我们配置 我们的 域名服务器吧

#### 从 rndc.key文件中提取 named.conf用的 key 生成 named.conf 文件，当然你也可以复制rndc.key 没被注释的内容到 named.conf

shell $> tail -10 rndc.key | head -9 | sed ‘s/# //g’ > named.conf

shell $> cat named.conf

key “rndc-key” {

algorithm hmac-md5;

secret “O0SuB34RK+E3r+m5Fbh2eA==”;

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { “rndc-key”; };

};

#### dig命令直接生成 named.root 文件，这个文件是很标准的东东，

#### 有了它，本地 dns 不能解的就上总部去问

shell $> dig > named.root

配置 named.conf

shell $> vim named.conf

key “rndc-key” {

algorithm hmac-md5;

secret “O0SuB34RK+E3r+m5Fbh2eA==”;

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { “rndc-key”; };

};

options {

// Relative to the chroot directory,if any

directory       “/usr/local/named/etc”;

pid-file       “/usr/local/named/var/run/named/pid”;

dump-file      “/usr/local/named/var/dump/named_dump.db”;

statistics-file“/usr/local/named/var/stats/named.stats”;

listen-on       { 192.168.6.44; };

forwarders {

202.106.0.20;

};

};

zone “.” {

type hint;

file “/usr/local/named/etc/named.root”;

};

zone “ludy.com” {

type master;

file “dynamic/www.nginxs.com”;

};

创建 域名解析文件

shell $> mkdir dynamic

shell $> vim dynamic/www.nginxs.com

$TTL    86400

$ORIGIN ludy.com.

@       IN     SOA     nginxs.com. root.nginxs.com. (

2009072901      ;

68400           ;

86400           ;

3600000;        ;

36000   )       ;

IN     NS      ns.nginxs.com.

IN     MX      10 mail.nginxs.com.

www     IN     A       192.168.6.44

mail    IN     A       192.168.6.44

ns      IN     A       192.168.6.44

因为我不需要反向解析“所以我不需要设置了“然后启动 debug模式看看有错误吗。

shell $> ../sbin/named -g

27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g

27-Jan-2010 02:48:57.508 built with ‘–prefix=/usr/local/named’ ‘–enable-epoll’‘–enable-openssl-version-check’ ‘–enable-threads’ ‘–disable-ipv6′‘–enable-largefile’

27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576

27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread

27-Jan-2010 02:48:57.510 using up to 4096 sockets

27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’

27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]

27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]

27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53

27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA

27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA

27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA

27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA

27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA

27-Jan-2010 02:48:57.535 automatic empty zone:0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA

27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA

27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA

27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA

27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA

27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA

27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953

27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -goption

27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901

27-Jan-2010 02:48:57.552 running

27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)

OK了。

现在 DNS 服务器还不是很安全，因为你的DNS是暴露在公网的，如果你只想做域名解析服务的话，就不用户查询关掉

shell $> vim named.conf

key “rndc-key” {

algorithm hmac-md5;

secret “bMXdKGcP5tqUFUnG7CTzmw==”;

};

controls {

inet 127.0.0.1 port 953

allow { 127.0.0.1; } keys { “rndc-key”; };

};

acl “trusted”{

192.168.6.0/24;

}

options {

// Relative to the chroot directory,if any

directory       “/usr/local/named/etc”;

pid-file       “/usr/local/named/var/run/named/pid”;

dump-file      “/usr/local/named/var/dump/named_dump.db”;

statistics-file“/usr/local/named/var/stats/named.stats”;

allow-query { any; };

allow-recursion { trusted; };

allow-query-cache { trusted; };

listen-on       { 192.168.6.105; };

forwarders {

202.106.0.20;

};

};

zone “.” {

type hint;

file “/usr/local/named/etc/named.root”;

};

zone “ludy.com” {

type master;

file “dynamic/www.nginxs.com”;

};

我个人感觉上allow-query-cache在未设置allow-recursion的情况下可以取代allow-recursion的功能， 有继承关系。如果想禁止用户的递归查询请求，还需要将 allow-query-cache 选项关闭，否则用户仍然可能在 cache 中查到数据  上面我建立acl规则来指定用户来使用你的DNS服务器。

下来我们在 192.168.6.0/24 网段找个机器测试下吧如图所视：

查询www.nginxs.com

# nslookup  www.nginxs.com