
Configuring DNS on Red Hat Enterprise Linux 5, part 2

Linux DNS configuration in detail (2)

Lab environment: VMware 6.5.2 + Red Hat Enterprise Linux 5

Lab goals: configure DNS with security in mind (adding the chroot RPM package), and resolve two different domain names to the same IP address


First, disable the firewall. (That is acceptable for a throwaway lab; on a real server keep the firewall and open only UDP and TCP port 53 instead.)


Configure the IP address.


[root@localhost ~]# vi /etc/resolv.conf

; generated by /sbin/dhclient-script
search router
nameserver 192.168.0.5

Point the resolver at the DNS server's address (in this lab, the server we are about to build). Note the header: this file was generated by dhclient, so a DHCP lease renewal or a network restart can overwrite the nameserver line again.

Next step: install the required DNS packages. Today we install a slightly more complex set.

[root@localhost ~]# cd /mnt

[root@localhost mnt]# ls

cdrom hgfs

[root@localhost mnt]# cd

[root@localhost ~]# mount /dev/cdrom /mnt/cdrom

mount: block device /dev/cdrom is write-protected, mounting read-only

[root@localhost ~]# cd /mnt/cdrom

[root@localhost cdrom]# ls

Cluster README-te.html RELEASE-NOTES-U1-en

ClusterStorage README-zh_CN.html RELEASE-NOTES-U1-en.html

EULA README-zh_TW.html RELEASE-NOTES-U1-es.html

eula.en_US RELEASE-NOTES-as.html RELEASE-NOTES-U1-fr.html

GPL RELEASE-NOTES-bn.html RELEASE-NOTES-U1-gu.html

images RELEASE-NOTES-de.html RELEASE-NOTES-U1-hi.html

isolinux RELEASE-NOTES-en RELEASE-NOTES-U1-it.html

README-as.html RELEASE-NOTES-en.html RELEASE-NOTES-U1-ja.html

README-bn.html RELEASE-NOTES-es.html RELEASE-NOTES-U1-kn.html

README-de.html RELEASE-NOTES-fr.html RELEASE-NOTES-U1-ko.html

README-en RELEASE-NOTES-gu.html RELEASE-NOTES-U1-ml.html

README-en.html RELEASE-NOTES-hi.html RELEASE-NOTES-U1-mr.html

README-es.html RELEASE-NOTES-it.html RELEASE-NOTES-U1-or.html

README-fr.html RELEASE-NOTES-ja.html RELEASE-NOTES-U1-pa.html

README-gu.html RELEASE-NOTES-kn.html RELEASE-NOTES-U1-pt_BR.html

README-hi.html RELEASE-NOTES-ko.html RELEASE-NOTES-U1-ru.html

README-it.html RELEASE-NOTES-ml.html RELEASE-NOTES-U1-si.html

README-ja.html RELEASE-NOTES-mr.html RELEASE-NOTES-U1-ta.html

README-kn.html RELEASE-NOTES-or.html RELEASE-NOTES-U1-te.html

README-ko.html RELEASE-NOTES-pa.html RELEASE-NOTES-U1-zh_CN.html

README-ml.html RELEASE-NOTES-pt_BR.html RELEASE-NOTES-U1-zh_TW.html

README-mr.html RELEASE-NOTES-ru.html RELEASE-NOTES-zh_CN.html

README-or.html RELEASE-NOTES-si.html RELEASE-NOTES-zh_TW.html

README-pa.html RELEASE-NOTES-ta.html RPM-GPG-KEY-redhat-beta

README-pt_BR.html RELEASE-NOTES-te.html RPM-GPG-KEY-redhat-release

README-ru.html RELEASE-NOTES-U1-as.html Server

README-si.html RELEASE-NOTES-U1-bn.html TRANS.TBL

README-ta.html RELEASE-NOTES-U1-de.html VT

[root@localhost cdrom]# cd Server

[root@localhost Server]# rpm -ivh bind-

bind-9.3.3-10.el5.i386.rpm

bind-chroot-9.3.3-10.el5.i386.rpm

bind-devel-9.3.3-10.el5.i386.rpm

bind-libbind-devel-9.3.3-10.el5.i386.rpm

bind-libs-9.3.3-10.el5.i386.rpm

bind-sdb-9.3.3-10.el5.i386.rpm

bind-utils-9.3.3-10.el5.i386.rpm

[root@localhost Server]# rpm -ivh bind-9.3.3-10.el5.i386.rpm

warning: bind-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

Preparing... ########################################### [100%]

1:bind ########################################### [100%]

[root@localhost Server]# rpm -ivh util-linux-2.13-0.45.el5.i386.rpm

warning: util-linux-2.13-0.45.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

package util-linux-2.13-0.45.el5 is already installed

[root@localhost Server]# rpm -ivh cach

cachefilesd-0.8-2.el5.i386.rpm

caching-nameserver-9.3.3-10.el5.i386.rpm

[root@localhost Server]# rpm -ivh caching-nameserver-9.3.3-10.el5.i386.rpm

warning: caching-nameserver-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

1:caching-nameserver ########################################### [100%]

[root@localhost Server]# rpm -ivh bind-chroot-9.3.3-10.el5.i386.rpm

warning: bind-chroot-9.3.3-10.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186

1:bind-chroot ########################################### [100%]

[root@localhost Server]#

A word of explanation. This time four packages were involved (util-linux turned out to be installed already), whereas last time we installed only three; the extra one is bind-chroot-9.3.3-10.el5.i386.rpm. Its job is to make named safer: it runs the server inside a chroot(2) jail under /var/named/chroot, so that a compromised named process can only see that directory tree rather than the whole file system. (chroot is a very old Unix system call, not a new feature of the 2.6 kernel, and it is not a substitute for running named as the unprivileged named user, which the RHEL 5 init script already does, or for keeping BIND patched.) Can you skip it? Certainly. So what changes once it is installed?

Note also the "Header V3 DSA signature: NOKEY" warning printed for every package above: rpm could not verify the package signatures because Red Hat's signing key was never imported, so the packages were installed unverified. The key is on the install media (RPM-GPG-KEY-redhat-release in the listing above); import it with rpm --import and check each package with rpm --checksig before installing.
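A check worth running before the rpm -ivh commands, as an example added here rather than taken from the post: import the vendor key that ships on the same CD (RPM-GPG-KEY-redhat-release in the listing above) and reject any package whose signature does not verify instead of installing past a NOKEY warning. The CD mount point is the one used on this page; the rpm --checksig output lines the helper parses are constructed to match the verified and the NOKEY cases.

```shell
#!/bin/sh
# Added example (not from the original post): import Red Hat's package-signing
# key from the install media and refuse to install any RPM whose signature
# does not verify. Assumes the CD is mounted at /mnt/cdrom as in the post.

# Return 0 if one line of `rpm --checksig` output shows a verified GPG
# signature, 1 otherwise. NOKEY / "NOT OK" / MISSING KEYS mean the signature
# was not checked or failed, and must never be treated as success.
sig_line_ok() {
    case "$1" in
        *NOKEY*|*"NOT OK"*|*MISSING*) return 1 ;;
        *"gpg OK"*|*"pgp OK"*)        return 0 ;;
        *)                            return 1 ;;
    esac
}

# Import the vendor key (idempotent) and verify every package given.
# Only packages whose signature verifies are printed on stdout, so the
# caller can pipe them into `rpm -ivh`; rejects go to stderr.
verify_rpms() {
    rpm --import /mnt/cdrom/RPM-GPG-KEY-redhat-release || return 1
    for pkg in "$@"; do
        line=$(rpm --checksig "$pkg" 2>&1) || true
        if sig_line_ok "$line"; then
            echo "$pkg"
        else
            echo "REJECT: $line" >&2
        fi
    done
}

# Usage on the RHEL 5 box, as root:
#   cd /mnt/cdrom/Server
#   ok=$(verify_rpms bind-9.3.3-10.el5.i386.rpm caching-nameserver-9.3.3-10.el5.i386.rpm bind-chroot-9.3.3-10.el5.i386.rpm)
#   [ -n "$ok" ] && rpm -ivh $ok
```

The helper fails closed: an unrecognised line is treated as a rejection, so a changed rpm output format cannot silently turn into "verified".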

Before, the configuration files lived in these places:

/etc/named.conf
/var/named/named.ca (the root hints file)
/var/named/localhost.zone (forward zone file)
/var/named/named.local (reverse zone file)

After installing this package the files move one directory level deeper, under the chroot, e.g.

/var/named/chroot/etc/named.conf

and likewise for the other files (/var/named/chroot/var/named/named.ca and so on). Paths written inside named.conf, such as directory "/var/named" or include "/etc/rndc.key", are interpreted relative to the chroot, so they stay as they were.


[root@localhost Server]# cd /var/named/chroot/etc

[root@localhost etc]# ls

localtime named.caching-nameserver.conf named.rfc1912.zones rndc.key

[root@localhost etc]# vi named.conf

Edited as follows. (The listing shows no named.conf yet: the caching-nameserver package ships its configuration as named.caching-nameserver.conf, which RHEL 5's init script uses only as a fallback when named.conf is absent, so the file created here takes over. Every options, controls and zone block must be closed with "};", and the reverse zone needs type master; as well, or named will refuse to load the file.)

// generated by named-bootconf.pl
options {
        directory "/var/named";   // relative to the chroot: /var/named/chroot/var/named on disk
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below. Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "sina.com" IN {
        type master;
        file "sina.zone";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "sina.local";
        allow-update { none; };
};

include "/etc/rndc.key";        // /var/named/chroot/etc/rndc.key, which defines rndckey

Leave query-source commented out even if a firewall is in the way: pinning the source port to 53 removes the source-port randomization that makes cache poisoning harder. Also note that this file sets no allow-query, allow-recursion or allow-transfer, so with BIND 9.3's defaults anyone who can reach port 53 can use the server as an open recursive resolver and pull full zone transfers; for anything beyond a closed lab, restrict recursion to your own networks and transfers to your secondaries (or none).

Save and exit.
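The configuration above answers, recurses for, and hands zone transfers to anyone who can reach port 53, which is what BIND 9.3 does when no allow-* options are set. Here is a hardened version for the same chroot layout, as an added example that is not the original post's file, written as a shell function so it can be syntax-checked before named is restarted. It assumes (the post does not say) that the LAN is 192.168.0.0/24, that 192.168.0.5 is the server's own address as in resolv.conf above, and that there are no secondary servers; the key name rndckey matches the rndc.key that bind-chroot placed under /var/named/chroot/etc.

```shell
#!/bin/sh
# Added example, not the original post's config: a hardened named.conf for
# the RHEL 5 bind-chroot layout. Assumptions (not stated in the post): the
# LAN is 192.168.0.0/24, the server's address is 192.168.0.5, and there are
# no secondary servers, so zone transfers are refused outright.

# Write the hardened configuration to the path given (default: the file
# bind-chroot's init script loads).
write_hardened_named_conf() {
    out="${1:-/var/named/chroot/etc/named.conf}"
    cat > "$out" <<'EOF'
acl "lan" { 127.0.0.1; 192.168.0.0/24; };

options {
        directory "/var/named";      // relative to the chroot
        listen-on port 53 { 127.0.0.1; 192.168.0.5; };
        allow-query     { lan; };    // nobody outside the LAN may query at all
        allow-recursion { lan; };    // and only the LAN gets recursive service
        allow-transfer  { none; };   // no secondaries, so no AXFR for anyone
        version "not disclosed";     // do not advertise the BIND version
        // query-source is deliberately left unset: pinning the source port
        // to 53 disables source-port randomization and eases cache poisoning
};

controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "sina.com" IN {
        type master;
        file "sina.zone";
        allow-update { none; };
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "sina.local";
        allow-update { none; };
};

include "/etc/rndc.key";
EOF
}

# Syntax-check the file inside the chroot before restarting named.
# Returns named-checkconf's exit status; if the tool is not installed it
# says so and returns 2, so a caller cannot mistake "not checked" for "OK".
check_named_conf() {
    chroot_dir="${1:-/var/named/chroot}"
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not found (it ships in the bind package)" >&2
        return 2
    fi
    named-checkconf -t "$chroot_dir" /etc/named.conf
}

# Usage on the server, as root:
#   write_hardened_named_conf && check_named_conf && service named restart
```

The acl keeps the address list in one place; if the LAN changes, only that line changes. Run the check before every restart: a syntax error found by named-checkconf costs seconds, one found by a failed "Starting named" costs an outage.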

Edit the forward zone file.

[root@localhost etc]# cd /var/named/chroot/var/named

[root@localhost named]# ls

data localhost.zone named.ca named.local slaves

localdomain.zone named.broadcast named.ip6.local named.zero

[root@localhost named]# cp named.local sina.local

[root@localhost named]# cp named.local sina.zone

[root@localhost named]# vi sina.zone

After editing:

$TTL 86400
@       IN SOA  sina.com. root.sina.com. (
                        1997022700 ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN NS   sina.com.
        IN A    192.168.0.5
www     IN A    192.168.0.5

One record is added beyond the plain copy of the template: the A record for the apex, because the NS record names sina.com. itself and BIND warns when an NS target has no address record. The serial is still the template's 1997022700; bump it on every change (a YYYYMMDDnn value is the usual convention) so that any secondary you add later notices updates.

Save and exit, then edit the reverse zone file.

[root@localhost named]# vi sina.local

The file is the copy of named.local made above; only the PTR line is shown here, the SOA and NS lines are left as copied:

5       IN PTR  www.sina.com.

Fix the group ownership. named runs as the unprivileged user named, and the zone files are mode 640, so a file must belong to group named for the server to read it; the two files we copied came out root:root. Leave them owned by root (not named) so the daemon cannot rewrite its own zone data.

[root@localhost named]# ll

total 88

drwxrwx--- 2 named named 4096 2004-08-25 data

-rw-r----- 1 root named 198 2007-07-19 localdomain.zone

-rw-r----- 1 root named 195 2007-07-19 localhost.zone

-rw-r----- 1 root named 427 2007-07-19 named.broadcast

-rw-r----- 1 root named 2518 2007-07-19 named.ca

-rw-r----- 1 root named 424 2007-07-19 named.ip6.local

-rw-r----- 1 root named 426 2007-07-19 named.local

-rw-r----- 1 root named 427 2007-07-19 named.zero

-rw-r----- 1 root root 415 04-25 19:48 sina.local

-rw-r----- 1 root root 413 04-25 19:43 sina.zone

drwxrwx--- 2 named named 4096 2004-07-27 slaves

[root@localhost named]# chgrp named sina.local

[root@localhost named]# chgrp named sina.zone

[root@localhost named]#

Restart the services. (Only named actually needs restarting; the network restart is unnecessary, and because /etc/resolv.conf was generated by dhclient, restarting the network can overwrite the nameserver line set earlier.)

[root@localhost named]# service network restart

Shutting down interface eth0: [ OK ]

Shutting down loopback interface: [ OK ]

Bringing up loopback interface: [ OK ]

Bringing up interface eth0: [ OK ]

[root@localhost named]# service named restart

Stopping named: [FAILED]

Starting named: [ OK ]

The "Stopping named: [FAILED]" line simply means named was not running yet. Now test name resolution:

[root@localhost named]# nslookup www.sina.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: www.sina.com
Address: 192.168.0.5

Forward lookup works.

[root@localhost named]# nslookup 192.168.0.5
5.0.168.192.in-addr.arpa name = www.sina.com.

Reverse lookup works. OK.

Now think about how to resolve both sina and sohu to the same IP. (Don't reach for the CNAME alias record you might use in Windows DNS here; we add a second master zone with its own A record instead.)

[root@localhost named]# vi /var/named/chroot/etc/named.conf

Edit this file and add a zone block for sohu.com, with the same shape as the sina.com one:

zone "sohu.com" IN {
        type master;
        file "sohu.zone";
        allow-update { none; };
};

[root@localhost named]# cd /var/named/chroot/var/named
[root@localhost named]# ls
data named.broadcast named.local sina.zone
localdomain.zone named.ca named.zero slaves
localhost.zone named.ip6.local sina.local

[root@localhost named]# cp sina.zone sohu.zone

[root@localhost named]# vi sohu.zone

Edit sohu's forward zone file; the lines that change are the SOA and NS (the rest stays as copied from sina.zone, including www pointing at 192.168.0.5):

@       IN SOA  sohu.com. root.sohu.com. (
        IN NS   sohu.com.

Edit sina's reverse zone file so the PTR now points at www.sohu.com.:

$TTL 86400
5       IN PTR  www.sohu.com.

(An address conventionally carries a single PTR, so after this change 192.168.0.5 reverse-resolves to www.sohu.com rather than www.sina.com; the forward lookups for both names keep working.)

[root@localhost named]# ll
total 96
-rw-r----- 1 root named 438 04-25 20:22 sina.local
-rw-r----- 1 root named 413 04-25 19:43 sina.zone
-rw-r----- 1 root root 413 04-25 20:20 sohu.zone

Fix sohu.zone's group ownership, as before:

[root@localhost named]# chgrp named sohu.zone

[root@localhost named]# service named restart
Stopping named: [ OK ]

[root@localhost named]# nslookup www.sohu.com
Name: www.sohu.com

[root@localhost named]# nslookup 192.168.0.5
5.0.168.192.in-addr.arpa name = www.sohu.com.

OK, the experiment looks successful.
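The two-domain procedure above (copy a zone, edit its SOA and NS, append a zone block, chgrp, restart, nslookup) generalises to any number of names on one address. Below is that procedure as a script, an added example rather than the post's own commands: the zone template and the date-based serial are my choices, ns1.<domain> replaces the post's NS-at-the-apex so the NS target has its own A record, the validation step uses named-checkzone and named-checkconf from the bind package, and CHROOT defaults to the bind-chroot path used throughout this page.

```shell
#!/bin/sh
# Added example, not from the original post: add another domain that
# resolves to the same address (as sina.com and sohu.com do above) as one
# repeatable procedure. CHROOT is the RHEL 5 bind-chroot path; override it
# when testing outside the chroot.
CHROOT="${CHROOT:-/var/named/chroot}"

# YYYYMMDDnn serial: sortable, and never the fixed 1997022700 the template
# carries, so any secondary you add later notices changes.
zone_serial() {
    printf '%s01\n' "$(date +%Y%m%d)"
}

# Print a minimal master zone for DOMAIN with the apex, ns1 and www all
# pointing at IP. ns1 gets its own A record so BIND does not warn about an
# NS target with no address.
make_zone() {
    domain="$1"; ip="$2"
    cat <<EOF
\$TTL 86400
@       IN SOA  ns1.${domain}. root.${domain}. (
                        $(zone_serial) ; Serial
                        28800      ; Refresh
                        14400      ; Retry
                        3600000    ; Expire
                        86400 )    ; Minimum
        IN NS   ns1.${domain}.
ns1     IN A    ${ip}
@       IN A    ${ip}
www     IN A    ${ip}
EOF
}

# Print the named.conf stanza for DOMAIN; dynamic updates stay disabled.
make_zone_stanza() {
    cat <<EOF

zone "$1" IN {
        type master;
        file "$1.zone";
        allow-update { none; };
};
EOF
}

# Install the zone with the ownership the packaged zones have (root:named,
# mode 640: readable by the named user, not writable by it), append the
# stanza, validate both files inside the chroot, then reload.
add_domain() {
    domain="$1"; ip="$2"
    zonefile="$CHROOT/var/named/${domain}.zone"
    make_zone "$domain" "$ip" > "$zonefile" || return 1
    chown root:named "$zonefile" && chmod 640 "$zonefile" || return 1
    make_zone_stanza "$domain" >> "$CHROOT/etc/named.conf" || return 1
    named-checkzone "$domain" "$zonefile" || return 1
    named-checkconf -t "$CHROOT" /etc/named.conf || return 1
    rndc reload          # a reload is enough; no network restart needed
}

# Usage on the server, as root:
#   add_domain sohu.com 192.168.0.5
#   dig @127.0.0.1 www.sohu.com A +short    # expect 192.168.0.5
```

The reverse zone is deliberately left alone: one address gets one PTR, so pick which name 192.168.0.5 should reverse-resolve to and set that single record by hand, as the post does.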

Since I feel the previous article went through things in fair detail, this one is a quicker pass with a little more difficulty added.

This article was reposted from yuzeying1's 51CTO blog; original link: http://blog.51cto.com/yuzeying/153342
