DNS

                            ######DNS###

服务端
[root@server ~]#yum install bind -y
[root@server ~]#systemctl restart named 重启named
[root@server ~]#systemctl status firewalld 查看防火墙状态
[root@server ~]#systemctl stop firewalld 关闭防火墙（仅为实验方便；生产环境应只放行 53/udp 和 53/tcp，而不是整个关闭防火墙）
客户端
[root@client ~]#vim /etc/resolv.conf
空白行加
nameserver 172.25.254.195 服务端主机ip

服务端
vim /etc/named.conf
11 listen-on port 53 { any; }; 修改为any
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { any; }; 修改为any（注意：与第29行的 recursion yes 一起，named 会成为对任意来源开放的递归解析器，仅适合实验环境）

29 recursion yes;
30
31 dnssec-enable yes;
32 dnssec-validation no; 修改yes为no（关闭 DNSSEC 校验只是为了实验方便）
33 dnssec-lookaside auto; 配置文件缺少这一行,手动加上

服务端操作
vim /etc/named.rfc1912.zones
在 vim 中用 y6y（等价于 6yy）复制第19行起的6行，再移到第24行按 p 粘贴，作为新 zone 的模板
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { none; };
29 };

[root@server ~]# cd /var/named
[root@server named]# ls -l
total 16
drwxrwx---. 2 named named 22 Apr 15 01:18 data
drwxrwx---. 2 named named 30 Apr 15 01:52 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Sep 2 2015 slaves
[root@server named]# cp -p named.localhost westos.com.zone
[root@server named]# vim westos.com.zone
$TTL 1D
@ IN SOA dns.westos.com. root.westos.com. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS dns.westos.com.
dns A 172.25.254.195
www A 172.25.254.111
bbs A 172.25.254.222
[root@server named]# systemctl restart named

客户端测试

[root@client ~]# dig www.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> www.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42653
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.westos.com. IN A

;; ANSWER SECTION:
www.westos.com. 86400 IN A 172.25.254.111

;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.195

;; Query time: 0 msec
;; SERVER: 172.25.254.195#53(172.25.254.195)
;; WHEN: Mon Apr 17 08:27:20 EDT 2017
;; MSG SIZE rcvd: 93

[root@client ~]# dig bbs.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> bbs.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41162
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;bbs.westos.com. IN A

;; ANSWER SECTION:
bbs.westos.com. 86400 IN A 172.25.254.222

;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.195

;; Query time: 0 msec
;; SERVER: 172.25.254.195#53(172.25.254.195)
;; WHEN: Mon Apr 17 08:27:27 EDT 2017
;; MSG SIZE rcvd: 93

服务端 *(反向)
[root@server named]# vim /etc/named.rfc1912.zones

49 zone "254.25.172.in-addr.arpa" IN {
50 type master;
51 file "westos.com.ptr";
52 allow-update { none; };
53 };

[root@server named]# vim westos.com.ptr
[root@server named]# cp -p westos.com.zone westos.com.ptr

1 $TTL 1D
2 @ IN SOA dns.westos.com. root.westos.com. (
3 0 ; serial
4 1D ; refresh
5 1H ; retry
6 1W ; expire
7 3H ) ; minimum
8 NS dns.westos.com.
9 dns A 172.25.254.195
10 111 PTR www.westos.com.
11 222 PTR bbs.westos.com.

[root@server named]# systemctl restart named

客户端测试

[root@client ~]# dig -x 172.25.254.222

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.222
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32371
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;222.254.25.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:
222.254.25.172.in-addr.arpa. 86400 IN PTR bbs.westos.com.

;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.195

;; Query time: 1 msec
;; SERVER: 172.25.254.195#53(172.25.254.195)
;; WHEN: Mon Apr 17 08:42:24 EDT 2017
;; MSG SIZE rcvd: 118

[root@client ~]# dig -x 172.25.254.111

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> -x 172.25.254.111
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38679
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;111.254.25.172.in-addr.arpa. IN PTR

;; ANSWER SECTION:
111.254.25.172.in-addr.arpa. 86400 IN PTR www.westos.com.

;; AUTHORITY SECTION:
254.25.172.in-addr.arpa. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.195

;; Query time: 0 msec
;; SERVER: 172.25.254.195#53(172.25.254.195)
;; WHEN: Mon Apr 17 08:42:31 EDT 2017
;; MSG SIZE rcvd: 118

服务端
[root@server named]# scp westos.com.zone root@172.25.254.145:/var/named/slaves/
(辅DNS的westos.com.zone和主dns的westos.com.zone相同,直接用主dns的文件)
[root@server named]# cp -r /var/named/westos.com.zone /mnt/

服务端:
[root@server named]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { 172.25.254.145; }; 允许145来更新（只按源 IP 授权更新容易被伪造来源，后面"加密方式允许特定dns更新"一节改为用密钥授权）
29 allow-transfer { 172.25.254.145; }; 允许145进行区域传送
30 also-notify { 172.25.254.145; }; 更新后实时通知145的dns
31 };
32

客户端

[root@client ~]# vim /etc/named.rfc1912.zones
19 zone "localhost" IN {
20 type master;
21 file "named.localhost";
22 allow-update { none; };
23 };
24
25 zone "westos.com" IN {
26 type slave; 类型为辅助DNS
27 masters { 172.25.254.195; }; 主DNS为195
28 file "slaves/westos.com.zone"; 文件位置（相对于 /var/named）
29 allow-update { none; };
30 };
[root@client ~]# systemctl restart named

服务端操作
[root@client ~]# systemctl restart named
[root@server named]# rm -fr westos.com.zone
[root@server named]# ls -l
total 28
drwxrwx---. 2 named named 22 Apr 17 07:57 data
drwxrwx---. 2 named named 30 Apr 17 10:11 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Sep 2 2015 slaves
-rw-r-----. 1 root named 228 Apr 17 08:41 westos.com.ptr
-rw-r-----. 1 root named 222 Apr 17 08:26 westos.com.zone
-rw-r--r--. 1 named named 719 Apr 17 10:25 westos.com.zone.jnl
(区域文件本身的权限OK不用改；需要改的是 /var/named 目录的组写权限，否则 named 无法创建 .jnl 日志文件)
修改做法为:
[root@server named]# ls -ld /var/named/
drwxr-x---. 5 root named 4096 Apr 17 08:45 /var/named/
[root@server named]# chmod g+w /var/named/

客户端:
[root@client named]# nsupdate

server 172.25.254.195
update add westos.westos.com 86400 A 172.25.254.145
send
update failed: SERVFAIL

服务端清空日志:
[root@server named]# >/var/log/messages

客户端:
[root@client named]# nsupdate

server 172.25.254.195
update add westos.westos.com 86400 A 172.25.254.145
send
update failed: SERVFAIL

服务端查看日志:
[root@server named]# cat /var/log/messages

Apr 17 10:23:34 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:34 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:40 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:40 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:43 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:43 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:49 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:49 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:52 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:52 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:58 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:23:58 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
Apr 17 10:23:58 localhost named[3277]: client 172.25.254.145#44993: updating zone 'westos.com/IN': adding an RR at 'westos.westos.com' A
Apr 17 10:23:58 localhost named[3277]: westos.com.zone.jnl: create: permission denied
Apr 17 10:23:58 localhost named[3277]: client 172.25.254.145#44993: updating zone 'westos.com/IN': error: journal open failed: unexpected error
Apr 17 10:23:58 localhost dbus-daemon: dbus[521]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 17 10:23:58 localhost dbus[521]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Apr 17 10:23:59 localhost dbus-daemon: dbus[521]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 17 10:23:59 localhost dbus[521]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Apr 17 10:23:59 localhost setroubleshoot: Plugin Exception restorecon
Apr 17 10:23:59 localhost setroubleshoot: SELinux is preventing /usr/sbin/named from write access on the directory . For complete SELinux messages. run sealert -l 3f2a1ea3-0db9-4439-a0a6-75353dd66253
Apr 17 10:23:59 localhost python: SELinux is preventing /usr/sbin/named from write access on the directory .

Plugin catchall_boolean (89.3 confidence) suggests *********

If you want to allow named to write master zones
Then you must tell SELinux about this by enabling the 'named_write_master_zones' boolean.
You can read 'None' man page for more details.
Do
setsebool -P named_write_master_zones 1

Plugin catchall (11.6 confidence) suggests *****************

If you believe that named should be allowed write access on the directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
grep named /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Apr 17 10:24:01 localhost rc.local: /etc/rc.d/rc.local: connect: No route to host
Apr 17 10:24:01 localhost rc.local: /etc/rc.d/rc.local: line 18: /dev/tcp/content.example.com/80: No route to host
[root@server named]# setsebool -P named_write_master_zones 1 根据日志提示修改bool值（这是专门为此场景准备的布尔值，比日志里另一个方案 audit2allow 生成本地策略更精确）。

客户端:(再次查看)
[root@client named]# nsupdate

server 172.25.254.195
update add westos.westos.com 86400 A 172.25.254.145
send

服务端查看（在主DNS本机查询，SERVER 为 127.0.0.1）
[root@server named]# dig westos.westos.com

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> westos.westos.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13922
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;westos.westos.com. IN A

;; ANSWER SECTION:
westos.westos.com. 86400 IN A 172.25.254.145

;; AUTHORITY SECTION:
westos.com. 86400 IN NS dns.westos.com.

;; ADDITIONAL SECTION:
dns.westos.com. 86400 IN A 172.25.254.195

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Apr 17 10:42:38 EDT 2017
;; MSG SIZE rcvd: 96

加密方式允许特定dns更新:
准备工作:
[root@server named]# rm -fr westos.com.zone westos.com.zone.jnl
[root@server named]# ls
data named.ca named.localhost slaves
dynamic named.empty named.loopback westos.com.ptr
[root@server named]# cp -p /mnt/westos.com.zone .
[root@server named]# ls
data named.ca named.localhost slaves westos.com.zone
dynamic named.empty named.loopback westos.com.ptr
[root@server named]# ls -l
total 24
drwxrwx---. 2 named named 22 Apr 17 07:57 data
drwxrwx---. 2 named named 30 Apr 17 10:49 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Sep 2 2015 slaves
-rw-r-----. 1 root named 228 Apr 17 08:41 westos.com.ptr
-rw-r-----. 1 root root 222 Apr 17 10:10 westos.com.zone
[root@server named]# chgrp named westos.com.zone
[root@server named]# ls -l
total 24
drwxrwx---. 2 named named 22 Apr 17 07:57 data
drwxrwx---. 2 named named 30 Apr 17 10:49 dynamic
-rw-r-----. 1 root named 2076 Jan 28 2013 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Sep 2 2015 slaves
-rw-r-----. 1 root named 228 Apr 17 08:41 westos.com.ptr
-rw-r-----. 1 root named 222 Apr 17 10:10 westos.com.zone
[root@server named]# systemctl restart named

[root@server mnt]# dnssec-keygen --help
dnssec-keygen: invalid argument --
Usage:
dnssec-keygen [options] name

Version: 9.9.4-RedHat-9.9.4-29.el7
name: owner of the key
Options:
-K <directory>: write keys into directory
-a <algorithm>:
RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
RSASHA256 | RSASHA512 | ECCGOST |
ECDSAP256SHA256 | ECDSAP384SHA384 |
DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |
HMAC-SHA384 | HMAC-SHA512
(default: RSASHA1, or NSEC3RSASHA1 if using -3)
-3: use NSEC3-capable algorithm
-b <key size in bits>:
RSAMD5: [512..4096]
RSASHA1: [512..4096]
NSEC3RSASHA1: [512..4096]
RSASHA256: [512..4096]
RSASHA512: [1024..4096]
DH: [128..4096]
DSA: [512..1024] and divisible by 64
NSEC3DSA: [512..1024] and divisible by 64
ECCGOST: ignored
ECDSAP256SHA256: ignored
ECDSAP384SHA384: ignored
HMAC-MD5: [1..512]
HMAC-SHA1: [1..160]
HMAC-SHA224: [1..224]
HMAC-SHA256: [1..256]
HMAC-SHA384: [1..384]
HMAC-SHA512: [1..512]
(if using the default algorithm, key size
defaults to 2048 for KSK, or 1024 for all others)
-n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
(DNSKEY generation defaults to ZONE)
-c <class>: (default: IN)
-d <digest bits> (0 => max, default)
-E <engine>:
name of an OpenSSL engine to use
-f <keyflag>: KSK | REVOKE
-g <generator>: use specified generator (DH only)
-L <ttl>: default key TTL
-p <protocol>: (default: 3 [dnssec])
-r <randomdev>: a file containing random data
-s <strength>: strength value this key signs DNS records with (default: 0)
-T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
-t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
-h: print usage and exit
-m <memory debugging mode>:
usage | trace | record | size | mctx
-v <level>: set verbosity level (0 - 10)
Timing options:
-P date/[+-]offset/none: set key publication date (default: now)
-A date/[+-]offset/none: set key activation date (default: now)
-R date/[+-]offset/none: set key revocation date
-I date/[+-]offset/none: set key inactivation date
-D date/[+-]offset/none: set key deletion date
-G: generate key only; do not set -P or -A
-C: generate a backward-compatible key, omitting all dates
-S <key>: generate a successor to an existing key
-i <interval>: prepublication interval for successor key (default: 30 days)
Output:
K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

[root@server named]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos 生成 TSIG 密钥（本文用 HMAC-MD5 演示；上面 -a 列表中的 HMAC-SHA256 等算法更安全，生产环境建议改用）
Kwestos.+157+17866
[root@server named]# cd /mnt/
[root@server mnt]# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST westos
Kwestos.+157+04998
[root@server mnt]# ls
Kwestos.+157+04998.key Kwestos.+157+04998.private westos.com.zone
[root@server mnt]# cat Kwestos.+157+04998.key
westos. IN KEY 512 3 157 gdidvFD3w0xIEezgM3xxoQ==
[root@server mnt]# cat Kwestos.+157+04998.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: gdidvFD3w0xIEezgM3xxoQ==
Bits: AAA=
Created: 20170417145956
Publish: 20170417145956
Activate: 20170417145956
[root@server mnt]# cp /etc/rndc.key /etc/westos.key -p
[root@server mnt]# vim /etc/westos.key
[root@server mnt]# cat /etc/westos.key
key "westos" { westos为钥匙的名字
algorithm hmac-md5;
secret "gdidvFD3w0xIEezgM3xxoQ=="; ""内为刚刚生成的钥匙字符（这是共享密钥，请使用自己生成的值，不要照抄本文；/etc/westos.key 和 .private 文件都不应让其他用户可读）
};

[root@server mnt]# vim /etc/named.conf
第43行 include "/etc/westos.key"; 主配置文件加载该钥匙，供后面 allow-update 引用

[root@server mnt]# vim /etc/named.rfc1912.zones
25 zone "westos.com" IN {
26 type master;
27 file "westos.com.zone";
28 allow-update { key westos; }; 只允许持有该钥匙的更新
29 allow-transfer { 172.25.254.145; };
30 also-notify { 172.25.254.145; };
31 };

[root@server mnt]# ls
Kwestos.+157+04998.key Kwestos.+157+04998.private westos.com.zone
[root@server mnt]# scp Kwestos.+157+04998* root@172.25.254.145:/mnt/
root@172.25.254.145's password:
Kwestos.+157+04998.key 100% 50 0.1KB/s 00:00
Kwestos.+157+04998.private 100% 165 0.2KB/s 00:00

客户端
[root@client named]# cd /mnt/
[root@client mnt]# ls
Kwestos.+157+04998.key Kwestos.+157+04998.private westos.com.zone
[root@client mnt]# nsupdate -k Kwestos.+157+04998.private

server 172.25.254.195
update add westos.westos.com 86400 A 172.25.254.145
send

客户端DHCP随机获取ip后dns随之给出变化后的结果
[root@server ~]# vim /etc/dhcp/dhcpd.conf

[root@server ~]# cat /etc/dhcp/dhcpd.conf
# dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#
# option definitions common to all supported networks...
option domain-name "westos.com";
option domain-name-servers 172.25.254.195;

default-lease-time 600;
max-lease-time 7200;

# Use this to enble / disable dynamic dns updates globally.
ddns-update-style none;

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

# Use this to send dhcp log messages to a different log file (you also
# have to hack syslog.conf to complete the redirection).
log-facility local7;

# No service will be given on this subnet, but declaring it helps the
# DHCP server to understand the network topology.

# This is a very basic subnet declaration.

subnet 172.25.254.0 netmask 255.255.255.0 {
range 172.25.254.200 172.25.254.220;
option routers 172.25.254.254;
}

key "rndc-key" {
algorithm hmac-md5;
secret "nqPeLPPEEmdxxjDl65MhVQ==";
};
zone westos.com.{
primary 127.0.0.1;
key westos;
}
(注意：上面 key 块的名字是 rndc-key，而 zone 里引用的是 key westos，两者需一致；同时上面的 ddns-update-style 仍为 none，dhcpd 不会发起动态更新。这两处对应改好后，dhcpd 才会用该钥匙去更新 DNS。)
