Prerequisites:
Make sure we have all the required packages
# rpm -q bind
package bind is not installed
# rpm -q bind-chroot
package bind-chroot is not installed
Install the required packages with yum
# yum -y install bind bind-chroot
By default the bind files are not present inside the chroot, so we have to put them there ourselves. (On later RHEL 6 updates the named init script bind-mounts these paths into /var/named/chroot when the chroot copy is absent; once you copy the files as below, the copies are what named reads, so all later edits must be made under /var/named/chroot.)
Copy the required files into the chroot directory.
Note: use the -p option with cp so that the permissions and ownership of every file and directory are preserved; named runs as the unprivileged named user inside the chroot and must still be able to read them.
# cp -rvpf /etc/named.* /var/named/chroot/etc/
`/etc/named.conf' -> `/var/named/chroot/etc/named.conf'
`/etc/named.iscdlv.key' -> `/var/named/chroot/etc/named.iscdlv.key'
`/etc/named.rfc1912.zones' -> `/var/named/chroot/etc/named.rfc1912.zones'
`/etc/named.root.key' -> `/var/named/chroot/etc/named.root.key'
# cp -rvpf /var/named/named.* /var/named/chroot/var/named/
`/var/named/named.ca' -> `/var/named/chroot/var/named/named.ca'
`/var/named/named.empty' -> `/var/named/chroot/var/named/named.empty'
`/var/named/named.localhost' -> `/var/named/chroot/var/named/named.localhost'
`/var/named/named.loopback' -> `/var/named/chroot/var/named/named.loopback'
# cp -prvf /var/named/data/ /var/named/chroot/var/named/
`/var/named/data/' -> `/var/named/chroot/var/named/data'
# cp -prvf /var/named/dynamic/ /var/named/chroot/var/named/
`/var/named/dynamic/' -> `/var/named/chroot/var/named/dynamic'
# cp -prvf /var/named/slaves/ /var/named/chroot/var/named/
`/var/named/slaves/' -> `/var/named/chroot/var/named/slaves'
Now let's start editing our main configuration file
# cd /var/named/chroot/etc/
# vi named.conf
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.11; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.1.0/24; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Every path in this file is interpreted inside the chroot: "/etc/named.iscdlv.key" means /var/named/chroot/etc/named.iscdlv.key, which is why the files were copied above. Two settings deserve a second look. Recursion is enabled and is confined to the LAN only indirectly: allow-recursion is not set, so BIND falls back to allow-query-cache and then to allow-query. Adding an explicit allow-recursion { localhost; 192.168.1.0/24; }; keeps the server from turning into an open resolver if allow-query is ever widened. dnssec-lookaside auto depends on ISC's DLV registry, which has since been retired, so on newer BIND releases drop that line together with bindkeys-file.
Point the local machine's resolver at this server, in resolv.conf and in the ifcfg-eth file
# vi /etc/resolv.conf
search example
nameserver 192.168.1.11
Note: on Red Hat Linux 6 and later the DNS entry must also be made in the ifcfg-eth file, because the network scripts regenerate resolv.conf from it when the interface comes up.
On Red Hat Linux 5 the DNS entry is made only in resolv.conf.
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
DNS1=192.168.1.11
Verify the hostname
# vi /etc/sysconfig/network
HOSTNAME=test2.example
Run this command on the terminal so the change takes effect without a reboot
# hostname test2.example
Restart the network service
# service network restart
Shutting down interface eth0:                              [  OK  ]
Shutting down loopback interface:                          [  OK  ]
Bringing up loopback interface:                            [  OK  ]
Bringing up interface eth0:  Determining if ip address 192.168.1.11 is already in use for device eth0...
                                                           [  OK  ]
# service named restart
Stopping named:                                            [  OK  ]
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
Note: if the system hangs at
Generating /etc/rndc.key:
try the command below, then restart the named service again. The -r option makes rndc-confgen read its randomness from /dev/urandom, which never blocks.
# rndc-confgen -a -r /dev/urandom
wrote key file "/etc/rndc.key"
Why does the system hang while generating rndc.key?
If the system hangs while generating /etc/rndc.key, it is because the random pool lacks the entropy needed for reads from the blocking /dev/random device.
We can check how much entropy the pool holds with "cat /proc/sys/kernel/random/entropy_avail".
A value below 300 indicates a problem (unfortunately common on virtual machines).
One of the best solutions is simply to wait for it to finish (5-15 minutes).
Some suggest pinging the machine from several source machines (possibly even a flood ping with "ping -f address").
Or, if a physical mouse/keyboard is attached, the Linux kernel gathers entropy from typing and mouse movement.
Logging in to the machine a second or third time and generating network traffic, or running something like a disk test or a CPU-heavy workload, can also help produce more entropy faster.
Other options are hardware entropy keys or a daemon such as haveged.
Verify that recursive resolution works (resolv.conf now points at 192.168.1.11, so resolving google.com goes through our server)
# ping google.com
PING google.com (74.125.236.71) 56(84) bytes of data.
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=1 ttl=56 time=223 ms
64 bytes from maa03s05-in-f7.1e100.net (74.125.236.71): icmp_seq=2 ttl=56 time=319 ms
^C
--- google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1349ms
rtt min/avg/max/mdev = 223.861/271.853/319.846/47.995 ms
To be sure which server answered, query it explicitly with dig @192.168.1.11 google.com.
So our DNS server is working; now let's configure the forward and reverse zones.
# vi /var/named/chroot/etc/named.rfc1912.zones   (make new entries as shown below)
# Forward Zone Entry #
zone "example" IN {
        type master;
        file "example.zone";
        allow-update { none; };
};
# Reverse Zone Entry #
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-update { none; };
};
allow-update { none; } blocks dynamic updates, but BIND's default allow-transfer is any, so anyone who can reach port 53 can pull the whole zone with an AXFR query. Add allow-transfer { none; }; to each zone (or once, in options) unless you run secondaries, in which case list their addresses.
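Two of the settings in this configuration decide who can abuse the server: recursion is on and bounded only through allow-query, and the zone statements carry no allow-transfer, so BIND's default of answering AXFR for anyone applies. The following script is an added example, not code from the article or from ISC: it parses a named.conf-style file with sed and awk and reports open recursion and open zone transfers. The sample configurations are constructed from the article's options and zone statements and written to temporary files (the file names are whatever mktemp returns); the fallback chains it applies (allow-recursion, then allow-query-cache, then allow-query, then localnets/localhost; allow-transfer defaulting to any) are BIND's documented defaults. Its comment stripping is deliberately simple (a /* */ comment containing a '*' is not handled) and it does not follow include statements, so point it at a file that holds both the options and the zones.

```sh
#!/bin/sh
# Added example (not part of the original article): a static audit of
# named.conf for the two defaults that most often get a LAN DNS server
# abused, open recursion and open zone transfers. The sample configs
# below are constructed from the article's statements (temp files).

# Flatten a BIND config: strip // # and /* */ comments, then print one
# top-level statement per line as NAME<TAB>BODY, keeping nested braces
# inside BODY. Block comments that contain a '*' are not handled.
top_blocks() {
  sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n\t' '  ' |
  sed -e 's:/\*[^*]*\*/::g' | awk '
  { depth = 0; name = ""; body = ""
    for (i = 1; i <= length($0); i++) {
      c = substr($0, i, 1)
      if (c == "{") { if (depth == 0) body = ""; else body = body c; depth++ }
      else if (c == "}") { depth--
        if (depth == 0) { gsub(/^ +| +$/, "", name); print name "\t" body; name = "" }
        else body = body c }
      else if (depth == 0) { if (c == ";") name = ""; else name = name c }
      else body = body c
    } }'
}

# Body of the first top-level block whose name starts with $1 ("options").
block_body() { top_blocks "$2" | awk -F'\t' -v n="$1" 'index($1, n) == 1 { print $2; exit }'; }

# ACL of "<stmt> { ... };" inside a body, as "a;b;" with no whitespace;
# empty when the statement is absent.
stmt_acl() {
  printf '%s\n' "$2" | awk -v s="$1" '
    match($0, "(^|[ ;])" s " *\\{[^}]*\\}") {
      v = substr($0, RSTART, RLENGTH); sub("^[^{]*\\{", "", v); sub("\\}$", "", v)
      gsub(/ /, "", v); print v }'
}

# Value of a yes/no statement such as "recursion yes;" inside a body.
stmt_bool() {
  printf '%s\n' "$2" | awk -v s="$1" '
    match($0, "(^|[ ;])" s " +(yes|no) *;") {
      v = substr($0, RSTART, RLENGTH); sub(" *;$", "", v); sub(".* ", "", v); print v }'
}

# Finding when recursion is on (BIND's default) and the effective ACL
# includes "any". With allow-recursion unset BIND falls back to
# allow-query-cache, then allow-query, then "localnets; localhost;".
check_recursion() {
  opts=$(block_body options "$1")
  r=$(stmt_bool recursion "$opts"); [ "${r:-yes}" = yes ] || return 0
  acl=$(stmt_acl allow-recursion "$opts")
  [ -n "$acl" ] || acl=$(stmt_acl allow-query-cache "$opts")
  [ -n "$acl" ] || acl=$(stmt_acl allow-query "$opts")
  [ -n "$acl" ] || acl='localnets;localhost;'
  case ";$acl" in *";any;"*) echo "open resolver: recursion allowed from any" ;; esac
}

# One finding per master zone whose allow-transfer (its own, else the
# global one from options, else BIND's default of "any") includes "any".
check_transfers() {
  g=$(stmt_acl allow-transfer "$(block_body options "$1")")
  top_blocks "$1" | awk -F'\t' -v g="$g" '
    $1 ~ /^zone / && $2 ~ /type +master *;/ {
      a = g
      if (match($2, "(^|[ ;])allow-transfer *\\{[^}]*\\}")) {
        a = substr($2, RSTART, RLENGTH); sub("^[^{]*\\{", "", a); sub("\\}$", "", a)
        gsub(/ /, "", a) }
      if (a == "") a = "any;"
      if (index(";" a, ";any;")) print "zone transfer open to any: " $1 }'
}

# Print all findings; exit status 0 only when there are none.
audit_named_conf() {
  f=$( { check_recursion "$1"; check_transfers "$1"; } )
  [ -z "$f" ] || printf '%s\n' "$f"
  [ -z "$f" ]
}

# Constructed input: the article's options and zone statements (trimmed).
PAGE_CONF=$(mktemp); OPEN_CONF=$(mktemp); HARD_CONF=$(mktemp)
cat >"$PAGE_CONF" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.11; };
        allow-query     { localhost; 192.168.1.0/24; };
        recursion yes;
        dnssec-enable yes;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};
zone "example" IN { type master; file "example.zone"; allow-update { none; }; };
zone "1.168.192.in-addr.arpa" IN { type master; file "192.168.1.zone"; allow-update { none; }; };
EOF
# Weakened variant: allow-query any, which silently also opens recursion.
sed 's/allow-query *{ localhost; 192.168.1.0\/24; }/allow-query { any; }/' "$PAGE_CONF" >"$OPEN_CONF"
# Hardened variant: explicit allow-recursion and a global allow-transfer none.
sed 's/recursion yes;/recursion yes; allow-recursion { localhost; 192.168.1.0\/24; }; allow-transfer { none; };/' "$PAGE_CONF" >"$HARD_CONF"

for f in "$PAGE_CONF" "$OPEN_CONF" "$HARD_CONF"; do
  echo "== $f"; audit_named_conf "$f" || echo "(fix before exposing port 53)"
done
```

Run against the article's own statements the audit is clean on recursion but flags both zones for transfers; the weakened copy is additionally reported as an open resolver, and the hardened copy passes. Against a real installation, run it on a file that concatenates named.conf and named.rfc1912.zones from inside the chroot.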
Create the zone files referenced in named.rfc1912.zones above.
If we look at the named.localhost and named.loopback files in /var/named/chroot/var/named, we notice that they are templates for a forward and a reverse lookup file respectively.
So instead of writing new files from scratch, we copy the respective templates (-p keeps their root:named ownership and 640 mode):
# pwd
/var/named/chroot/var/named
# cp -p named.loopback 192.168.1.zone
# cp -p named.localhost example.zone
Forward zone file
# vi example.zone
$TTL 1D
@       IN SOA  example. hostmaster.example. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   example.
        IN A    192.168.1.11
test2   IN CNAME example.
mail.example.   IN A    192.168.1.11
example.        IN MX 10 mail.example.
Reverse zone file
# vi 192.168.1.zone
$TTL 1D
@       IN SOA  example. hostmaster.example. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   example.
11      IN PTR  example.
The serial is left at 0 in both files; increment it on every later edit, otherwise a reload or a secondary will keep serving the old data.
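Both zone files leave the SOA serial at 0. named reloads a zone, and a secondary transfers it, only when the serial is larger than the one it already holds, so every edit has to increment it. The script below is an added example, not part of the article: it reads and bumps the serial of a zone file in place using the common YYYYMMDDnn convention, taking the date as a parameter so the result is reproducible. The zone it operates on is constructed from the article's example.zone and written to a temporary file.

```sh
#!/bin/sh
# Added example (not part of the original article): increment a zone
# file's SOA serial in place. named only reloads a zone, and secondaries
# only transfer it, when the serial grows, so every edit must bump it.
# New serial = max(old + 1, YYYYMMDD00); the date is a parameter so runs
# are reproducible. The zone below is constructed from the article's.

# Print the SOA serial: the third RDATA token after the SOA keyword
# (MNAME, RNAME, serial), ignoring comments and the "( )" wrappers.
zone_serial() {
  awk '
    { line = $0; sub(/;.*/, "", line)
      n = split(line, tok, /[ \t]+/)
      for (i = 1; i <= n; i++) {
        if (tok[i] == "") continue
        if (!insoa) { if (toupper(tok[i]) == "SOA") insoa = 1; continue }
        if (tok[i] == "(" || tok[i] == ")") continue
        if (++k == 3) { print tok[i]; exit } } }' "$1"
}

# Rewrite the serial in $1 (zone file) for date $2 (YYYYMMDD); prints the
# new serial. Only the serial token is touched, so comments and layout
# survive and a diff of the file shows exactly one changed number.
bump_serial() {
  old=$(zone_serial "$1"); base="${2}00"
  case "$old" in ''|*[!0-9]*) echo "no numeric SOA serial in $1" >&2; return 1 ;; esac
  if [ "$old" -ge "$base" ]; then new=$((old + 1)); else new=$base; fi
  tmp="$1.tmp.$$"
  awk -v new="$new" '
    { line = $0; sub(/;.*/, "", line)
      n = split(line, tok, /[ \t]+/)
      for (i = 1; i <= n && !done; i++) {
        if (tok[i] == "") continue
        if (!insoa) { if (toupper(tok[i]) == "SOA") insoa = 1; continue }
        if (tok[i] == "(" || tok[i] == ")") continue
        # the serial is a bare number: replace it only where it stands as
        # its own whitespace-delimited token, never inside a name
        if (++k == 3 && match($0, "(^|[ \t])" tok[i] "([ \t;]|$)")) {
          m = substr($0, RSTART, RLENGTH); sub(tok[i], new, m)
          $0 = substr($0, 1, RSTART - 1) m substr($0, RSTART + RLENGTH)
          done = 1 } }
      print }' "$1" >"$tmp" || { rm -f "$tmp"; return 1; }
  mv "$tmp" "$1" && echo "$new"
}

# Constructed input: the article's example.zone, minus the host records.
ZONE=$(mktemp)
cat >"$ZONE" <<'EOF'
$TTL 1D
@       IN SOA  example. hostmaster.example. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   example.
        IN A    192.168.1.11
EOF
echo "before: $(zone_serial "$ZONE")"   # 0
bump_serial "$ZONE" 20140314            # 2014031400
bump_serial "$ZONE" 20140314            # 2014031401 (same day: old + 1)
grep -n 'serial' "$ZONE"
```

Pair it with the named-checkzone step that follows: bump, check, then reload. A serial that is bumped but whose file then fails named-checkzone can simply be edited again; a file that was reloaded with an unchanged serial is silently ignored by named, which is the failure this guards against.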
Verify permissions
Important: files that named only reads (named.conf, the zone files, named.ca) should be owned by root with group named and mode 640; the directories named writes into (data, dynamic, slaves) should be owned by named:named with mode 770, as in the listing below. named must not be able to write its own configuration or the zone files, so that a compromised named process cannot alter them.
# ls -al
total 36
-rw-r-----. 1 root  named  207 Mar 14 18:36 192.168.1.zone
drwxrwx---. 2 named named 4096 Jan 20 23:10 data
drwxrwx---. 2 named named 4096 Jan 20 23:10 dynamic
-rw-r-----. 1 root  named  242 Mar 14 18:32 example.zone
-rw-r-----. 1 root  named 1892 Nov 18  2008 named.ca
-rw-r-----. 1 root  named  152 Dec 15  2009 named.empty
-rw-r-----. 1 root  named  152 Jun 21  2007 named.localhost
-rw-r-----. 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx---. 2 named named 4096 Jan 20 23:10 slaves
Before restarting the named service, verify our changes with named-checkzone. Its first argument is the zone origin and must match the zone name in named.rfc1912.zones: the relative names in the file are expanded against it, so a wrong origin still prints OK while checking the wrong thing.
# named-checkzone example example.zone
zone example/IN: loaded serial 0
OK
Checking example.zone against test2.example, or 192.168.1.zone against 192.168.1.11, also prints OK for that reason but validates nothing useful; the reverse zone should be checked against its real origin:
# named-checkzone 1.168.192.in-addr.arpa 192.168.1.zone
The configuration itself can be checked the same way, with the chroot taken into account so that the include statements resolve as named sees them:
# named-checkconf -t /var/named/chroot /etc/named.conf
So all our zone fields are reflected correctly.
Restart the named service
# service named restart
Stopping named: .                                          [  OK  ]
Starting named:                                            [  OK  ]
Verify both zones
# nslookup example
Server:         192.168.1.11
Address:        192.168.1.11#53

Name:   example
Address: 192.168.1.11

# dig -x 192.168.1.11

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> -x 192.168.1.11
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60861
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;11.1.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
11.1.168.192.in-addr.arpa. 86400 IN     PTR     example.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.

;; ADDITIONAL SECTION:
example.                86400   IN      A       192.168.1.11

;; Query time: 2 msec
;; SERVER: 192.168.1.11#53(192.168.1.11)
;; WHEN: Fri Mar 14 18:35:24 2014
;; MSG SIZE  rcvd: 98
We get answers for both the forward and the reverse lookup, and the aa flag in the dig output confirms the answer came from our authoritative zone rather than from the cache. Everything works.
A separate article covers the same chroot setup for Red Hat (RHEL/CentOS) 7.