(一) 正向解析:
1 安装 bind 并查看其配置文件:
[root@iscsi-server ~]# yum install bind-chroot -y
[root@iscsi-server ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
[root@iscsi-server ~]# vim /etc/named.conf
10 options {
11 listen-on port 53 { any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; };
注意:上面的 listen-on 和 allow-query 都设为 any,即对所有来源开放;若 named.conf 里的 recursion 仍保持默认的 yes,这台服务器就会成为开放递归解析器,实验环境之外应收紧 allow-query 或关闭递归。
2 编辑区域配置文件:
[root@iscsi-server ~]# vim /etc/named.rfc1912.zones
45 zone "linuxprobe.com" IN {
46 type master;
47 file "linuxprobe.com.zone";
48 allow-update { none; };
49 };
3 编辑数据配置文件:
1 $TTL 1D
2 @ IN SOA dns.linuxprobe.com. root.linuxprobe.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.linuxprobe.com.
9 dns A 172.25.254.136
10 www A 1.1.1.1
11 mail A 2.2.2.2
4 重启服务:
[root@iscsi-server named]# systemctl restart named
5 查询:
> www.linuxprobe.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.linuxprobe.com
Address: 1.1.1.1
> mail.linuxprobe.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: mail.linuxprobe.com
Address: 2.2.2.2
>
(二) 反向解析
1 配置区域配置文件:
[root@iscsi-server named]# vim /etc/named.rfc1912.zones
51 zone "254.25.172.in-addr.arpa" IN {
52 type master;
53 file "172.25.254.arpa";
54 allow-update { none; };
55 };
2 编辑数据配置文件:
[root@iscsi-server named]# pwd
/var/named
[root@iscsi-server named]# cp -a named.loopback 172.25.254.arpa
[root@iscsi-server named]# vim 172.25.254.arpa
1 $TTL 1D
2 @ IN SOA dns.linuxprobe.com. root.linuxprobe.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.linuxprobe.com.
9 dns A 172.25.254.136
10 20 PTR www.linuxprobe.com
11 22 PTR bbs.linux.com
12
3 重启服务:
[root@iscsi-server named]# systemctl restart named
4 查询(注意下面的结果里名字后面被追加了 254.25.172.in-addr.arpa.:这是因为数据文件中 PTR 记录的 www.linuxprobe.com、bbs.linux.com 末尾缺少点号,被当成相对名字补上了区域名,正确写法应以点结尾):
[root@iscsi-server named]# nslookup
> 172.25.254.20
Server: 127.0.0.1
Address: 127.0.0.1#53
20.254.25.172.in-addr.arpa name = www.linuxprobe.com.254.25.172.in-addr.arpa.
> 172.25.254.22
Server: 127.0.0.1
Address: 127.0.0.1#53
22.254.25.172.in-addr.arpa name = bbs.linux.com.254.25.172.in-addr.arpa.
> exit
(三)部署slave服务器:
1 主服务器:172.25.254.136
从服务器:172.25.254.138
2 配置主服务器区域配置文件:
[root@iscsi-server slaves]# vim /etc/named.rfc1912.zones
45 zone "linuxprobe.com" IN {
46 type master;
47 file "linuxprobe.com.zone";
48 allow-update { 172.25.254.138; };
49 };
50
51 zone "254.25.172.in-addr.arpa" IN {
52 type master;
53 file "172.25.254.arpa";
54 allow-update { 172.25.254.138; };
55 };
重启服务
3 在slave服务器配置bind
78 yum install bind-chroot.x86_64 -y
79 rpm -qa bind
80 rpm -qc bind
81 vim /etc/named.conf
82 systemctl restart named
43 zone "linuxprobe.com" IN {
44 type slave;
45 masters{172.25.254.136;};
46 file "slaves/linuxprobe.com.zone";
47
48 };
49
50 zone "254.25.172.in-addr.arpa" IN {
51 type slave;
52 file "slaves/172.25.254.arpa";
53 masters{172.25.254.136;};
54 };
55
[root@client slaves]# systemctl restart named
[root@client slaves]# nslookup
> www.linuxprobe.com
Server: 172.25.254.138
Address: 172.25.254.138#53
Name: www.linuxprobe.com
Address: 1.1.1.1
> mail.linuxprobe.com
Server: 172.25.254.138
Address: 172.25.254.138#53
Name: mail.linuxprobe.com
Address: 2.2.2.2
>
查询成功!
(四)slave远程更新master:
出现问题:
[root@client ~]# nsupdate
> server 172.25.254.136
> update add bbs.linuxprobe.com 86400 A 4.4.4.4
> send
update failed: SERVFAIL
在 slave dns 上添加一条 bbs.linuxprobe.com 记录,但是返回 SERVFAIL。然后在 master 主机上清空日志,重试后查看日志:
[root@iscsi-server named]# cat /var/log/messages
Apr 20 09:32:10 iscsi-server named[4004]: client 172.25.254.138#48010: updating zone 'linuxprobe.com/IN': adding an RR at 'bbs.linuxprobe.com' A
Apr 20 09:32:10 iscsi-server named[4004]: linuxprobe.com.zone.jnl: create: permission denied
Apr 20 09:32:10 iscsi-server named[4004]: client 172.25.254.138#48010: updating zone 'linuxprobe.com/IN': error: journal open failed: unexpected error
Apr 20 09:32:10 iscsi-server dbus[551]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 20 09:32:10 iscsi-server dbus-daemon: dbus[551]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 20 09:32:10 iscsi-server dbus[551]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 20 09:32:10 iscsi-server dbus-daemon: dbus[551]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 20 09:32:10 iscsi-server setroubleshoot: Plugin Exception restorecon_source
Apr 20 09:32:10 iscsi-server setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named. For complete SELinux messages. run sealert -l 20dac671-0d3d-4896-887c-d3c7f29b0007
Apr 20 09:32:10 iscsi-server python: SELinux is preventing /usr/sbin/named from write access on the directory /var/named.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow named to write master zones#012Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.#012You can read 'None' man page for more details.#012Do#012setsebool -P named_write_master_zones 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that named should be allowed write access on the named directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep named /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Apr 20 09:32:10 iscsi-server dbus-daemon: 'list' object has no attribute 'split'
发现是 SELinux 捣的鬼,并且日志里给出了建议,
我们查看关于named服务的sebool值,只有两个:
[root@iscsi-server named]# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> on
在 master 上设置该布尔值(-P 表示永久生效):
[root@iscsi-server named]# setsebool -P named_write_master_zones 1
此时再在 slave 上更新,即可成功:
> server 172.25.254.136
>
> update add bbs.linuxprobe.com 86400 A 4.4.4.4
> send
在master上查看:
[root@iscsi-server named]# nslookup
> bbs.linuxprobe.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: bbs.linuxprobe.com
Address: 4.4.4.4
(五)基于key的远程更新
1 前面讲过的按 IP 允许更新并不安全(源 IP 可以被伪造,任何能冒充该地址的主机都能改写区域),现在改为用密钥更新。顾名思义,只有持有密钥的一方才能更新该区域:先生成密钥,再把密钥分发给需要更新的主机,然后才能更新。
2 在做此类型更新之前,需要清理主 dns 的 /var/named 目录以及辅 dns 的 /var/named/slaves 目录中残留的 .jnl 文件,保持“纯净”:
在master上,
[root@iscsi-server named]# ls
172.25.254.arpa Kwestos.+157+28966.private named.empty
chroot linux.com.zone named.localhost
data linuxprobe.com.zone named.loopback
dynamic linuxprobe.com.zone.jnl slaves
Kwestos.+157+28966.key named.ca
[root@iscsi-server named]# rm -fr linuxprobe.com.zone.jnl
[root@iscsi-server named]# ls
172.25.254.arpa Kwestos.+157+28966.key named.ca slaves
chroot Kwestos.+157+28966.private named.empty
data linux.com.zone named.localhost
dynamic linuxprobe.com.zone named.loopback
辅 dns 上(下面的 rm -fr * 会删除当前目录下的全部文件,执行前务必确认当前目录是 /var/named/slaves):
[root@client slaves]# ls
172.25.254.arpa linuxprobe.com.zone linuxprobe.com.zone.jnl
[root@client slaves]# rm -fr *
[root@client slaves]# ls
[root@client slaves]#
开始实验:
在主dns上:
cp -p /etc/rndc.key /etc/westos.key
[root@iscsi-server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
生成密钥对(本例使用 HMAC-MD5;该算法已被视为过时,新部署建议改用 HMAC-SHA256 等算法):
[root@iscsi-server named]# ls
172.25.254.arpa Kwestos.+157+28966.key named.empty
chroot Kwestos.+157+28966.private named.localhost
data linuxprobe.com.zone named.loopback
dynamic named.ca slaves
查看密钥内容:
[root@iscsi-server named]# cat Kwestos.+157+28966.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 7LTDvDhZlFkRw1OYMMJYRw==
Bits: AAA=
Created: 20180420031127
Publish: 20180420031127
Activate: 20180420031127
将生成的密钥传给辅 dns,以便更新时使用(.private 文件里的 Key 就是共享密钥,传输和存放时要注意权限,不要让其他用户可读):
[root@iscsi-server named]# scp Kwestos.+157+28966.* root@172.25.254.138:/mnt
在slave里查看:
[root@client mnt]# ls
Kwestos.+157+28966.key Kwestos.+157+28966.private
修改复制出来的密钥文件:把密钥名改为 westos,secret 改为上面生成的 Key 值:
[root@iscsi-server named]# vim /etc/westos.key
1 key "westos" {
2 algorithm hmac-md5;
3 secret "7LTDvDhZlFkRw1OYMMJYRw==";
4 };
master 上修改主配置文件(在 named.conf 中 include "/etc/westos.key",并把区域配置文件里两个区域的 allow-update 由 IP 改为 { key westos; };):
[root@iscsi-server named]# vim /etc/named.conf
[root@iscsi-server named]# vim /etc/named.rfc1912.zones
重启之前需要确保密钥文件的属性正确(属组为 named,其他用户不可读,与 /etc/rndc.key 一致):
[root@iscsi-server named]# ll /etc/rndc.key /etc/westos.key
-rw-r-----. 1 root named 77 4月 19 10:52 /etc/rndc.key
-rw-r-----. 2 root named 75 4月 20 11:16 /etc/westos.key
重启named
在slave dns上:
[root@client ~]# cd /mnt/
You have new mail in /var/spool/mail/root
[root@client mnt]# ls
Kwestos.+157+28966.key Kwestos.+157+28966.private westos.key
[root@client mnt]# nsupdate -k Kwestos.+157+28966.private
> server 172.25.254.136
> update add fff.linuxprobe.com 86400 A 8.8.8.8
> send
> server 172.25.254.136
> update add fff.linuxprobe.com 86400 A 8.8.8.8
> send
send 之后没有再报 SERVFAIL,说明更新已经成功。
更新成功后,可以在主 dns 的 /var/named 目录下以及辅 dns 的 /var/named/slaves 目录下看到以“.jnl”结尾的文件
[root@client slaves]# ls
linuxprobe.com.zone