The company has a test environment that runs the offline versions of each of our production websites (the local testing that happens before a site goes live). When we first configured this environment, every site was reached over its own IP address. As a result this one server alone consumed a dozen or so intranet IPs, and together with the addresses used by colleagues in the office we ran out of IPs (splitting off more subnets would have been a hassle). I now want to set up a DNS server so that different domain names resolve to the same IP and save addresses; that is goal one. Goal two: I also want this environment to use the same domain names as production. There is one requirement, though: only when the test team looks up one of these specific domain names should it resolve to the corresponding local IP; for everyone else it should resolve to the public IP. At the same time, I want this DNS server to act as the resolver for intranet users browsing the Internet.
Let's walk through the whole implementation:
1. Installation
Since DNS servers are a frequent target of attack, security matters here. We download the latest stable bind98 from the official BIND site for this (security-wise, I still lean towards FreeBSD).
Download address for bind98:
ftp://ftp.isc.org/isc/bind/9.8.0-P4/bind-9.8.0-P4.tar.gz
Download it to a local directory, then compile and install:
# tar xf bind-9.8.0-P4.tar.gz
# cd bind-9.8.0-P4
# ./configure --prefix=/usr/local/named --enable-epoll --enable-threads --enable-largefile
Explanation of the configure options:
--enable-threads enable multithreading
--enable-largefile 64-bit file support
--enable-epoll use Linux epoll when available [default=auto]
After running configure like this, you will get the following warning:
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING
WARNING Your OpenSSL crypto library may be vulnerable to WARNING
WARNING one or more of the the following known security WARNING
WARNING flaws: WARNING
WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
WARNING CVE-2006-2940. WARNING
WARNING It is recommended that you upgrade to OpenSSL WARNING
WARNING version 0.9.8d/0.9.7l (or greater). WARNING
WARNING You can disable this warning by specifying: WARNING
WARNING --disable-openssl-version-check WARNING
This is because configure enables the following option by default:
--enable-openssl-version-check
Check OpenSSL Version [default=yes]
You can set it to no, or upgrade the local openssl.
While we are at it, let's check the local openssl version:
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Let's upgrade it; the download address of the latest openssl version:
http://www.openssl.org/source/openssl-1.0.0d.tar.gz
Next,
# tar xf openssl-1.0.0d.tar.gz
# cd openssl-1.0.0d
# ./config -fPIC --prefix=/usr enable-shared
# make && make install
Check the openssl version again:
# openssl version
OpenSSL 1.0.0d 8 Feb 2011
Oh yeah, successfully upgraded to openssl 1.0.0d; running configure again in the bind directory no longer produces the warning above.
Once all of the above is done, finish with make && make install and bind98 is installed.
2. Configuring bind98
Prepare a user to run bind98 as:
# groupadd named
# useradd named -g named -s /sbin/nologin -d /dev/null -M -c "DNS server"
Generate the rndc.conf file:
# rndc-confgen >/usr/local/named/etc/rndc.conf
Edit rndc.conf as follows:
key "rndc-key" {
algorithm hmac-md5;
secret "pdz01kiIZhCDgYTDEr2YXA==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
The main configuration file named.conf:
options {
    directory "/usr/local/named/etc";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/var/run/named/named.pid";
    version "Windows 2008 Enterprise Server";
    notify yes;
    /*
    Only meaningful when notify is enabled for the zone. The set of hosts that
    receive DNS NOTIFY messages for a zone is all name servers listed in the
    zone plus any IP addresses given in also-notify.
    */
    also-notify { 192.168.2.201; };
    // If yes, the server collects statistics for all zones
    zone-statistics yes;
    listen-on port 53 { 192.168.2.200; };
    // Put the slave's address here
    //allow-transfer { 192.168.2.201; };
    // Allow both intranet and external clients to query this DNS
    allow-query { intranet; external; };
    // Allow recursive queries from the external network
    allow-recursion { external; };
    // With "first", if forwarding fails or returns no answer, the server resolves the query itself.
    forward first;
    // Upstream DNS
    forwarders { 202.101.172.46; 202.101.172.47; };
    // Maximum amount of data memory the server may use; the default is "default"
    datasize 50M;
    auth-nxdomain no;
    rrset-order { order random; };
};

logging {
    channel warning {
        file "/var/log/dns_warnings.log" versions 5 size 1024K;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_log {
        file "/var/log/dns_security.log" versions 5 size 1024K;
        severity info;
    };
    channel query_log {
        file "/var/log/dns_query.log" versions 10 size 1024K;
    };
    category default { warning; };
    category security { security_log; };
    category queries { query_log; };
};

include "acl.conf";
include "rndc.conf";

view "intranet" {
    match-clients { key intranet-key; intranet; };
    match-destinations { any; };
    // Which hosts may perform zone transfers with this server; here the key
    // used when transferring to the slave
    allow-transfer { key intranet-key; };
    // The slave's address
    server 192.168.2.201 { keys { intranet-key; }; };
    zone "." IN {
        type hint;
        file "named.root";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.rev";
    };
    zone "wholesale-dress.net" IN {
        type master;
        /*
        wholesale-dress.net is registered on the public Internet, so for the
        test team its records must return the IP of the matching test server
        on the intranet. Same for the zones below.
        */
        file "master/wholesale-dress.net.intranet";
    };
    zone "yixiebao.com" IN {
        type master;
        file "master/yixiebao.com.intranet";
    };
    zone "japan-dress.com" IN {
        type master;
        file "master/japan-dress.com.intranet";
    };
    zone "arab-clothes.com" IN {
        type master;
        file "master/arab-clothes.com.intranet";
    };
    zone "stamp-shopping.com" IN {
        type master;
        file "master/stamp-shopping.com.intranet";
    };
    zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "master/2.168.192.rev";
    };
};

view "external" {
    match-clients { key external-key; external; };
    /*
    For (the specified) external users these domains already resolve publicly,
    so there is no need to resolve them again here: queries for them are simply
    handed to the upstream DNS. Same for the zones below.
    */
    zone "goods-of-china.com" IN {
        type forward;
        // Same upstreams as in options. A forward zone with no forwarders list
        // would switch forwarding off for that name instead of inheriting it.
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
    zone "russia-dress.com" IN {
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
};
acl.conf
key "intranet-key" {
    algorithm hmac-md5;
    secret "qSFm5D26mtg1O1wJlyTKYA==";
};
key "external-key" {
    algorithm hmac-md5;
    secret "TorqY5N5hgkRhoXgSssaDQ==";
};
acl "intranet" {
    localhost;
    // add the test team's IP addresses here
};
acl "external" {
    any;
};
Download address for named.root:
wget ftp://ftp.internic.org/domain/named.root
Some more preparation:
# touch /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# chown named.named /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# ll /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
-rw-r--r-- 1 named named 701587 Jul 13 10:53 /var/log/dns_query.log
-rw-r--r-- 1 named named 0 Jul 12 17:56 /var/log/dns_security.log
-rw-r--r-- 1 named named 1158 Jul 13 09:56 /var/log/dns_warnings.log
# chown -R named.named /usr/local/named/
# chown -R named.named /var/run/named/
# chown -R named.named /var/named/data/
Generate the two keys:
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST intranet
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST external
The generated key files are named like this:
-rw------- 1 named named 52 Jul 12 16:04 Kexternal.+157+21581.key
-rw------- 1 named named 165 Jul 12 16:04 Kexternal.+157+21581.private
-rw------- 1 named named 52 Jul 12 16:03 Kintranet.+157+57599.key
-rw------- 1 named named 165 Jul 12 16:03 Kintranet.+157+57599.private
将下面紅色部分的代碼複制到acl.conf中
# cat Kexternal.+157+21581.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: TorqY5N5hgkRhoXgSssaDQ==
Bits: AAA=
Created: 20110712080429
Publish: 20110712080429
Activate: 20110712080429
# cat Kintranet.+157+57599.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: qSFm5D26mtg1O1wJlyTKYA==
Bits: AAA=
Created: 20110712080358
Publish: 20110712080358
Activate: 20110712080358
localhost.zone
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1
localhost.rev
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
Create a master directory under /usr/local/named/etc/:
2.168.192.rev
@ IN SOA wholesale-dress.net. root.wholesale-dress.net. (
100 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D) ; minimum
IN NS ns1.wholesale-dress.net.
200 IN PTR ns1.wholesale-dress.net.
201 IN PTR slave.wholesale-dress.net.
;88 IN PTR www.wholesale-dress.net.
;15 IN PTR js.wholesale-dress.net.
;15 IN PTR css.wholesale-dress.net.
;15 IN PTR img.wholesale-dress.net.
;14 IN PTR mail.wholesale-dress.net.
;18 IN PTR ftp.wholesale-dress.net.
arab-clothes.com.intranet
$TTL 86400
@ IN SOA ns1.arab-clothes.com. root.arab-clothes.com. (
105 ; serial
1H ; refresh
1M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.arab-clothes.com.
; IN MX 10 mail.arab-clothes.com.
;mail IN A 192.168.1.14
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201
www IN A 192.168.1.249
;js IN A 192.168.1.15
;css IN A 192.168.1.15
;img IN A 192.168.1.15
;ftp IN A 192.168.1.18
japan-dress.com.intranet
@ IN SOA ns1.japan-dress.com. root.japan-dress.com. (
        101 ; serial
        1H 1M 1W 1D ) ; refresh retry expiry minimum, as in arab-clothes.com.intranet
    IN NS ns1.japan-dress.com.
; IN MX 10 mail.japan-dress.com.
ns1 IN A 192.168.2.200 ; glue for the NS record, as in arab-clothes.com.intranet
www IN A 192.168.1.241
stamp-shopping.com.intranet
@ IN SOA ns1.stamp-shopping.com. root.stamp-shopping.com. (
        100 ; serial (assumed; the original listing omits it)
        1H 1M 1W 1D ) ; refresh retry expiry minimum, as in arab-clothes.com.intranet
    IN NS ns1.stamp-shopping.com. ; full zone name; the original had ns1.stamp-shopping. without .com
; IN MX 10 mail.stamp-shopping.com.
ns1 IN A 192.168.2.200
www IN A 192.168.1.238
wholesale-dress.net.intranet
@ IN SOA ns1.wholesale-dress.net. root.wholesale-dress.net. (
        100 ; serial (assumed; the original listing omits it)
        1H 1M 1W 1D ) ; refresh retry expiry minimum, as in arab-clothes.com.intranet
    IN NS ns1.wholesale-dress.net.
; IN MX 10 mail.wholesale-dress.net.
ns1 IN A 192.168.2.200
slave IN A 192.168.2.201 ; matches the PTR for 201 in 2.168.192.rev
www IN A 192.168.2.221
yixiebao.com.intranet
@ IN SOA ns1.yixiebao.com. root.yixiebao.com. (
        100 ; serial (assumed; the original listing omits it)
        1H 1M 1W 1D ) ; refresh retry expiry minimum, as in arab-clothes.com.intranet
    IN NS ns1.yixiebao.com.
; IN MX 10 mail.yixiebao.com.
ns1 IN A 192.168.2.200
;www IN A 192.168.1.87
The remaining forward zone files are basically the same.
3. Starting named
With the above done, the configuration is basically complete. Before starting for real, let's check the syntax of named.conf:
# named-checkconf named.conf
No output means no errors.
Start in debug mode and watch for error output:
# named -u named -c named.conf -g -d 4
Finally, create the bind98 init script:
#!/bin/bash
#
# Init file for named
# chkconfig: - 80 12
# description: named daemon
# processname: named
# pidfile: /var/run/named/named.pid
. /etc/init.d/functions
BIN="/usr/local/named/sbin"
PIDFILE="/var/run/named/named.pid"
RETVAL=0
prog="named"
desc="DNS Server"

start() {
    if [ -e $PIDFILE ]; then
        echo "$desc already running...."
        exit 1
    fi
    echo -n $"Starting $desc: "
    daemon $BIN/$prog -u named -c /usr/local/named/etc/named.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}

stop() {
    echo -n $"Stop $desc: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog $PIDFILE
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    condrestart)
        [ -e /var/lock/subsys/$prog ] && restart
        ;;
    status)
        status $prog
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL
The script above was adapted from another init script; I have tried it and it works without problems.
4. Testing (omitted)
1) Point the DNS setting of any Windows machine on the LAN at this server's IP and check whether names resolve correctly.
2) Give any Windows machine on the LAN an IP from the intranet acl, then check that it cannot query external names and that queries for the specified domains return the intended results.
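Since the tests themselves are left out above, here is an added check script (not from the original post) that exercises both views from a single machine with dig: because each view lists its TSIG key in match-clients, signing the query with intranet-key or external-key selects that view regardless of the client's source address, so the split-horizon behaviour can be verified without re-addressing a Windows machine. It assumes the server address, key secrets and the www.wholesale-dress.net record from the configuration above.

```shell
#!/bin/bash
# Added check for the two views (not part of the original post). Assumes named
# listens on 192.168.2.200, the TSIG secrets from acl.conf, and that
# www.wholesale-dress.net is 192.168.2.221 in the intranet view.
SERVER="${SERVER:-192.168.2.200}"
NAME="${NAME:-www.wholesale-dress.net}"
INTRANET_IP="192.168.2.221"   # A record in master/wholesale-dress.net.intranet
INTRANET_KEY="hmac-md5:intranet-key:qSFm5D26mtg1O1wJlyTKYA=="
EXTERNAL_KEY="hmac-md5:external-key:TorqY5N5hgkRhoXgSssaDQ=="

# Keep only the first IPv4 address from 'dig +short' output on stdin; prints
# nothing for timeouts, REFUSED responses or answers that are not A records.
first_a() {
    grep -E -m1 '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || true
}

# Both views list "key ..." in match-clients, so signing the query with a
# view's TSIG key selects that view no matter which address we query from.
query_with_key() {   # $1 = key spec for dig -y
    dig +short +time=3 +tries=1 -y "$1" @"$SERVER" "$NAME" A | first_a
}

# Split horizon works when the intranet view returns the test server's address
# and the external view returns a different, non-empty answer. Both views
# returning the intranet address means the internal record leaks outside.
split_horizon_ok() {   # $1 = answer via intranet-key, $2 = answer via external-key
    [ "$1" = "$INTRANET_IP" ] && [ -n "$2" ] && [ "$2" != "$INTRANET_IP" ]
}

check_views() {
    local intra ext plain
    intra=$(query_with_key "$INTRANET_KEY")
    ext=$(query_with_key "$EXTERNAL_KEY")
    plain=$(dig +short +time=3 +tries=1 @"$SERVER" "$NAME" A | first_a)
    echo "intranet view : ${intra:-<no answer>}"
    echo "external view : ${ext:-<no answer>}"
    echo "this host     : ${plain:-<no answer>} (view picked by source address)"
    if split_horizon_ok "$intra" "$ext"; then
        echo "OK: the two views answer differently for $NAME"
    else
        echo "FAIL: check acl.conf, match-clients and the zone files" >&2
        return 1
    fi
}

# Only run the live check when asked: ./check_views.sh --run
if [ "${1:-}" = "--run" ]; then check_views; fi
```

The third line of output shows which view an unsigned query from the current host lands in, which is what the Windows-machine tests above observe.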
Note: after starting named normally with the above configuration, dns_warnings.log contains an error entry; it does not affect normal DNS operation. It looks roughly like this:
13-Jul-2011 17:18:07.098 general: error: managed-keys-zone ./IN/internal: loading from master file 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed: file not found
13-Jul-2011 17:18:07.100 general: error: managed-keys-zone ./IN/external: loading from master file 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed: file not found
I searched Google for a long time without finding a fuller description of this problem or any usable solution. What to do? It occurred to me: if the file is missing, fine, I'll just create an empty file with that name and see what happens:
# touch 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
# touch 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
Right after that I changed the owner of these two files and started named again; that damned error is gone from the DNS log and everything else works normally. Haha, ^_^
5. At some later date I will post a follow-up version of this document adding the slave server configuration.
This article is reposted from dongfang_09859's 51CTO blog; original link: http://blog.51cto.com/hellosa/609881. Please contact the original author before reprinting.