dns服务搭建练手二

1 正向解析：

[root@iscsi-server ~]# yum install bind-chroot -y

[root@iscsi-server ~]# rpm -qc bind
/etc/logrotate.d/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback

[root@iscsi-server ~]# vim /etc/named.conf 

 10 options {
 11         listen-on port 53 { any; };
 12         listen-on-v6 port 53 { ::1; };
 13         directory       "/var/named";
 14         dump-file       "/var/named/data/cache_dump.db";
 15         statistics-file "/var/named/data/named_stats.txt";
 16         memstatistics-file "/var/named/data/named_mem_stats.    txt";
 17   allow-query     { any; };

2 编辑区域配置文件

[root@iscsi-server ~]# vim /etc/named.rfc1912.zones 

 45 zone "linuxprobe.com" IN {
 46         type master;
 47         file "linuxprobe.com.zone";
 48         allow-update { none; };
 49 };

3 编辑数据配置文件：

 1 $TTL 1D
  2 @       IN SOA  dns.linuxprobe.com   root.linuxprobe.com. (
  3                                         0       ; serial
  4                                         1D      ; refresh
  5                                         1H      ; retry
  6                                         1W      ; expire
  7                                         3H )    ; minimum
  8         NS      dns.linuxprobe.com.
  9 dns     A       172.25.254.136
 10 www     A       1.1.1.1
 11 mail    A       2.2.2.2

4

[root@iscsi-server named]# systemctl restart named

5 查询：

> www.linuxprobe.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   www.linuxprobe.com
Address: 1.1.1.1
> mail.linuxprobe.com     
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   mail.linuxprobe.com
Address: 2.2.2.2
> 

(二) 反向解析
1 配置区域配置文件：

[root@iscsi-server named]# vim /etc/named.rfc1912.zones 

 51 zone "254.25.172.in-addr.arpa" IN {
 52         type master;
 53         file "172.25.254.arpa";
 54         allow-update { none; };
 55 };

2 编辑数据配置文件：

[root@iscsi-server named]# pwd
/var/named

[root@iscsi-server named]# cp -a named.loopback 172.25.254.arpa

[root@iscsi-server named]# vim 172.25.254.arpa

1 $TTL 1D
  2 @       IN SOA  ans.linuxprobe.com. root.linuxprobe.com. (
  3                                         0       ; serial
  4                                         1D      ; refresh
  5                                         1H      ; retry
  6                                         1W      ; expire
  7                                         3H )    ; minimum
  8         NS      dns.linuxprobe.com.
  9 dns     A       172.25.254.136
 10 20      PTR     www.linuxprobe.com
 11 22      PTR     bbs.linux.com
 12 

[root@iscsi-server named]#
 systemctl restart named

4 查询：

[root@iscsi-server named]# nslookup 
> 172.25.254.20
Server:     127.0.0.1
Address:    127.0.0.1#53

20.254.25.172.in-addr.arpa  name = www.linuxprobe.com.254.25.172.in-addr.arpa.
> 172.25.254.22
Server:     127.0.0.1
Address:    127.0.0.1#53

22.254.25.172.in-addr.arpa  name = bbs.linux.com.254.25.172.in-addr.arpa.
> exit   

（三）部署slave服务器：
1 主服务器：172。25。254。136
从服务器：172。25。264。138

2 配置主服务器区域配置文件：

[root@iscsi-server slaves]# vim /etc/named.rfc1912.zones 

45 zone "linuxprobe.com" IN {
 46         type master;
 47         file "linuxprobe.com.zone";
 48         allow-update { 172.25.254.138; };
 49 };
 50 
 51 zone "254.25.172.in-addr.arpa" IN {
 52         type master;
 53         file "172.25.254.arpa";
 54         allow-update { 172.25.254.138; };
 55 };

重启服务
3 在slave服务器配置bind

   78  yum install bind-chroot.x86_64 -y
   79  rpm -qa bind
   80  rpm -qc bind
   81  vim /etc/named.conf 
   82  systemctl restart named

 43 zone "linuxprobe.com" IN {
 44         type slave;
 45         masters{172.25.254.136;};
 46         file "slaves/linuxprobe.com.zone";
 47 
 48 };
 49 
 50 zone "254.25.172.in-addr.arpa" IN {
 51         type slave;
 52         file "slaves/172.25.254.arpa";
 53         masters{172.25.254.136;};
 54 };
 55 

[root@client slaves]# systemctl restart named

[root@client slaves]# nslookup
> www.linuxprobe.com
Server:     172.25.254.138
Address:    172.25.254.138#53

Name:   www.linuxprobe.com
Address: 1.1.1.1
> mail.linuxprobe.com
Server:     172.25.254.138
Address:    172.25.254.138#53

Name:   mail.linuxprobe.com
Address: 2.2.2.2
> 

查询成功！

（四）slave远程更新master：

出现问题：

[root@client ~]# nsupdate 
> server 172.25.254.136 
> update add bbs.linuxprobe.com 86400 A 4.4.4.4
> send
update failed: SERVFAIL

在slave dns上更新一个bbs。linuxprobecom，但是server fail。然后在master主机上清空日志，查看日至：

[root@iscsi-server named]# cat /var/log/messages
Apr 20 09:32:10 iscsi-server named[4004]: client 172.25.254.138#48010: updating zone 'linuxprobe.com/IN': adding an RR at 'bbs.linuxprobe.com' A
Apr 20 09:32:10 iscsi-server named[4004]: linuxprobe.com.zone.jnl: create: permission denied
Apr 20 09:32:10 iscsi-server named[4004]: client 172.25.254.138#48010: updating zone 'linuxprobe.com/IN': error: journal open failed: unexpected error
Apr 20 09:32:10 iscsi-server dbus[551]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 20 09:32:10 iscsi-server dbus-daemon: dbus[551]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 20 09:32:10 iscsi-server dbus[551]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 20 09:32:10 iscsi-server dbus-daemon: dbus[551]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 20 09:32:10 iscsi-server setroubleshoot: Plugin Exception restorecon_source
Apr 20 09:32:10 iscsi-server setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory /var/named. For complete SELinux messages. run sealert -l 20dac671-0d3d-4896-887c-d3c7f29b0007
Apr 20 09:32:10 iscsi-server python: SELinux is preventing /usr/sbin/named from write access on the directory /var/named.#012#012*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************#012#012If you want to allow named to write master zones#012Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.#012You can read 'None' man page for more details.#012Do#012setsebool -P named_write_master_zones 1#012#012*****  Plugin catchall (11.6 confidence) suggests   **************************#012#012If you believe that named should be allowed write access on the named directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# grep named /var/log/audit/audit.log | audit2allow -M mypol#012# semodule -i mypol.pp#012
Apr 20 09:32:10 iscsi-server dbus-daemon: 'list' object has no attribute 'split'

发现时selinux捣的鬼，并且日至给出了建议，

我们查看关于named服务的sebool值，只有两个：

[root@iscsi-server named]# getsebool -a | grep named
named_tcp_bind_http_port --> off
named_write_master_zones --> on

在master上设置sebool值

[root@iscsi-server named]# setsebool -P named_write_master_zones 1

此时在slave上更新，可以：

> server 172.25.254.136
> 
> update add bbs.linuxprobe.com 86400 A 4.4.4.4
> send

在master上查看：

[root@iscsi-server named]# nslookup 
> ccc.linuxprobe.com
Server:     127.0.0.1
Address:    127.0.0.1#53

Name:   bbs.linuxprobe.com
Address: 4.4.4.4

(五)基于key的远程更新
1 前面我们讲过的指定IP更新不安全，我们现在指定用钥匙更新。利用密钥进行更新顾名思义，只有有钥匙才可以对此更新，必须先加密，等进行分配钥匙，更新。

1 在做此类型更新之前需要保持主dns的/var/named目录以及辅dns的/var/named/slaves目录的“纯净“

在master上，

[root@iscsi-server named]# ls
172.25.254.arpa         Kwestos.+157+28966.private  named.empty
chroot                  linux.com.zone              named.localhost
data                    linuxprobe.com.zone         named.loopback
dynamic                 linuxprobe.com.zone.jnl     slaves
Kwestos.+157+28966.key  named.ca
[root@iscsi-server named]# rm -fr linuxprobe.com.zone.jnl 
[root@iscsi-server named]# ls
172.25.254.arpa  Kwestos.+157+28966.key      named.ca         slaves
chroot           Kwestos.+157+28966.private  named.empty
data             linux.com.zone              named.localhost
dynamic          linuxprobe.com.zone         named.loopback

辅dns上：

[root@client slaves]# ls
172.25.254.arpa  linuxprobe.com.zone  linuxprobe.com.zone.jnl
[root@client slaves]# rm -fr *
[root@client slaves]# ls
[root@client slaves]# 

开始实验：
在主dns上：

cp -p /etc/rndc.key /etc/westos.key 
[root@iscsi-server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos

生成密钥对：

[root@iscsi-server named]# ls
172.25.254.arpa  Kwestos.+157+28966.key      named.empty
chroot           Kwestos.+157+28966.private  named.localhost
data             linuxprobe.com.zone         named.loopback
dynamic          named.ca                    slaves

查看密码钥匙：

[root@iscsi-server named]# cat Kwestos.+157+28966.private 
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: 7LTDvDhZlFkRw1OYMMJYRw==
Bits: AAA=
Created: 20180420031127
Publish: 20180420031127
Activate: 20180420031127

将生成的密钥传给辅dns，以便更新时使用

[root@iscsi-server named]# scp Kwestos.+157+28966.* root@172.25.254.138:/mnt

在slave里查看：

[root@client mnt]# ls
Kwestos.+157+28966.key  Kwestos.+157+28966.private  

将密钥文件名和密钥修改！

[root@iscsi-server named]# vim /etc/westos.key 

  1 key "westos" {
  2         algorithm hmac-md5;
  3         secret "7LTDvDhZlFkRw1OYMMJYRw==";
  4 };

master上修改主配置文件：

[root@iscsi-server named]# vim /etc/named.conf 

[root@iscsi-server named]# vim /etc/named.rfc1912.zones 

重启之前需要确保密钥文件的属性正确：

[root@iscsi-server named]# ll /etc/rndc.key /etc/westos.key 
-rw-r-----. 1 root named 77 4月  19 10:52 /etc/rndc.key
-rw-r-----. 2 root named 75 4月  20 11:16 /etc/westos.key

重启named

在slave dns上：

[root@client ~]# cd /mnt/
You have new mail in /var/spool/mail/root
[root@client mnt]# ls
Kwestos.+157+28966.key  Kwestos.+157+28966.private  westos.key
[root@client mnt]# nsupdate -k Kwestos.+157+28966.private 
> server 172.25.254.136
> update add fff.linuxprobe.com 86400 A 8.8.8.8
> send
> server 172.25.254.136
> update add fff.linuxprobe.com 86400 A 8.8.8.8
> send

可以看见已经更新成功。
更新成功后可以在主dns的/var/named目录下以及辅dns的/var/named/slaves目录下产生“。jnl“结尾的文件

[root@client slaves]# ls
linuxprobe.com.zone