Our company has a test environment that runs the offline version of each of our production web sites (the local testing done before anything goes live). When we first set that environment up, every site was reached through its own IP address. That alone used more than ten internal IP addresses on this one server, and together with the addresses our office colleagues use day to day we ran out of IPs (re-subnetting would be a hassle). I now want to set up a DNS server that resolves the different domain names to the same IP, which saves addresses; that is the first goal. The second goal is that I want this environment to use exactly the same domain names as production. There is one requirement, though: only when the QA team uses a given domain name should it resolve to the corresponding internal IP; for everyone else it should resolve to the public IP. At the same time, this DNS server should also act as the resolver for internal users' ordinary Internet access.

Here is the whole procedure:
Part 1: Installation

Because DNS servers are a frequent attack target, security matters here. We download the latest stable bind98 from the ISC site for this. (As far as security goes, I personally still lean a little toward FreeBSD.)

Download address for bind98:

```text
ftp://ftp.isc.org/isc/bind/9.8.0-P4/bind-9.8.0-P4.tar.gz
```

Download it to a local directory, then compile and install:

```sh
# tar xf bind-9.8.0-P4.tar.gz
# cd bind-9.8.0-P4
# ./configure --prefix=/usr/local/named --enable-epoll --enable-threads --enable-largefile
```

Explanation of the configure options:

```text
--enable-threads      enable multithreading
--enable-largefile    64-bit file support
--enable-epoll        use Linux epoll when available [default=auto]
```

After configure runs this way, you will see a message like this:
```text
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING                                                                 WARNING
WARNING Your OpenSSL crypto library may be vulnerable to                WARNING
WARNING one or more of the the following known security                 WARNING
WARNING flaws:                                                          WARNING
WARNING                                                                 WARNING
WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and                 WARNING
WARNING CVE-2006-2940.                                                  WARNING
WARNING                                                                 WARNING
WARNING It is recommended that you upgrade to OpenSSL                   WARNING
WARNING version 0.9.8d/0.9.7l (or greater).                             WARNING
WARNING                                                                 WARNING
WARNING You can disable this warning by specifying:                     WARNING
WARNING                                                                 WARNING
WARNING       --disable-openssl-version-check                           WARNING
WARNING                                                                 WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
```
This happens because configure enables the following option by default:

```text
--enable-openssl-version-check
        Check OpenSSL Version [default=yes]
```

You can either set it to no or upgrade the local OpenSSL.

While we are at it, let's check the local OpenSSL version:

```sh
# openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
```

Let's upgrade it. The latest OpenSSL can be downloaded from:

```text
http://www./source/openssl-1.0.0d.tar.gz
```

Next:

```sh
# tar xf openssl-1.0.0d.tar.gz
# cd openssl-1.0.0d
# ./config -fPIC --prefix=/usr enable-shared
# make && make install
```

Check the OpenSSL version again:

```sh
# openssl version
OpenSSL 1.0.0d 8 Feb 2011
```

Oh yeah, successfully upgraded to OpenSSL 1.0.0d. Running configure in the bind directory again no longer shows the warning above. Note that installing with --prefix=/usr replaces the distribution's openssl binary and headers while the distribution's own packages still use the 0.9.8e shared library they were built against; after the BIND build finishes, `ldd` on the named binary shows which libcrypto it actually picked up.

Once all of the above is done, finish with make && make install, and bind98 is installed.
Part 2: Configuring bind98

Create a user to run bind98 as:

```sh
# groupadd named
# useradd named -g named -s /sbin/nologin -d /dev/null -M -c "DNS server"
```

Generate the rndc.conf file:

```sh
# rndc-confgen >/usr/local/named/etc/rndc.conf
```

Edit rndc.conf to read as follows (named.conf includes this file, so it holds only the key and controls statements):

```conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "pdz01kiIZhCDgYTDEr2YXA==";
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

Main configuration file named.conf:
```conf
options {
    directory "/usr/local/named/etc";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    pid-file "/var/run/named/named.pid";
    version "Windows 2008 Enterprise Server";
    notify yes;
    /*
     * Only meaningful when notify is enabled for the zone. The set of hosts
     * that receive a DNS NOTIFY for a zone is every name server listed in the
     * zone plus any addresses given in also-notify.
     */
    also-notify { 192.168.2.201; };
    // If yes, the server collects statistics for every zone
    zone-statistics yes;
    listen-on port 53 { 192.168.2.200; };
    // The slave's address goes here
    //allow-transfer { 192.168.2.201; };
    // Allow both the intranet and the external ACL to query this server
    allow-query { intranet; external; };
    // Allow recursive queries from the external ACL. "external" is "any" in
    // acl.conf, so this is an open resolver for everything that can reach
    // 192.168.2.200; that address must stay unreachable from the Internet.
    allow-recursion { external; };
    // With "first", if the forwarded query fails or returns nothing, the
    // server resolves the query itself.
    forward first;
    // Upstream DNS servers
    forwarders { 202.101.172.46; 202.101.172.47; };
    // Maximum amount of data memory the server may use; the default is "default"
    datasize 50M;
    auth-nxdomain no;
    rrset-order { order random; };
};
logging {
    channel warning {
        file "/var/log/dns_warnings.log" versions 5 size 1024K;
        severity warning;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel security_log {
        file "/var/log/dns_security.log" versions 5 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    channel query_log {
        file "/var/log/dns_query.log" versions 10 size 1024K;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { warning; };
    category security { security_log; };
    category queries { query_log; };
};
include "acl.conf";
include "rndc.conf";
view "intranet" {
    match-clients { key intranet-key; intranet; };
    match-destinations { any; };
    // Which hosts may transfer zones from this server; here a transfer to the
    // slave must be signed with this key
    allow-transfer { key intranet-key; };
    // The slave's address; traffic to it is signed with the key
    server 192.168.2.201 { keys { intranet-key; }; };
    zone "." IN {
        type hint;
        file "named.root";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.rev";
    };
    zone "wholesale-dress.net" IN {
        type master;
        /*
         * wholesale-dress.net is registered on the public Internet, so for the
         * QA team this domain's records must return the IPs of the matching
         * test servers on the intranet. The same applies to the zones below.
         */
        file "master/wholesale-dress.net.intranet";
    };
    zone "yixiebao.com" IN {
        type master;
        file "master/yixiebao.com.intranet";
    };
    zone "japan-dress.com" IN {
        type master;
        file "master/japan-dress.com.intranet";
    };
    zone "arab-clothes.com" IN {
        type master;
        file "master/arab-clothes.com.intranet";
    };
    zone "stamp-shopping.com" IN {
        type master;
        file "master/stamp-shopping.com.intranet";
    };
    zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "master/2.168.192.rev";
    };
};
view "external" {
    match-clients { key external-key; external; };
    match-destinations { any; };
    zone "." IN {
        type hint;
        file "named.root";
    };
    zone "localhost" IN {
        type master;
        file "localhost.zone";
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "localhost.rev";
    };
    zone "wholesale-dress.net" IN {
        /*
         * For external users (the specified ones) this domain already resolves
         * on the public Internet, so there is no need to serve it here: a query
         * for it is handed straight to the upstream DNS. Same for the zones
         * below. A forward zone with no forwarders clause cancels forwarding
         * for that name (named would then iterate from the root hints instead),
         * so the upstream servers are repeated explicitly in each forward zone.
         */
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
    zone "goods-of-china.com" IN {
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
    zone "japan-dress.com" IN {
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
    zone "russia-dress.com" IN {
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
    zone "stamp-shopping.com" IN {
        type forward;
        forwarders { 202.101.172.46; 202.101.172.47; };
    };
};
```
acl.conf:

```conf
key "intranet-key" {
    algorithm hmac-md5;
    secret "qSFm5D26mtg1O1wJlyTKYA==";
};
key "external-key" {
    algorithm hmac-md5;
    secret "TorqY5N5hgkRhoXgSssaDQ==";
};
acl "intranet" {
    localhost;
};
acl "external" {
    any;
};
```

Download address for named.root:

```sh
wget ftp://ftp.internic.org/domain/named.root
```

A bit more preparation:

```sh
# touch /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# chown named.named /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
# ll /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
-rw-r--r-- 1 named named 701587 Jul 13 10:53 /var/log/dns_query.log
-rw-r--r-- 1 named named      0 Jul 12 17:56 /var/log/dns_security.log
-rw-r--r-- 1 named named   1158 Jul 13 09:56 /var/log/dns_warnings.log
# chown -R named.named /usr/local/named/
# chown -R named.named /var/run/named/
# chown -R named.named /var/named/data/
```

Generate the two keys:

```sh
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST intranet
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST external
```

The generated key files look like this:

```text
-rw------- 1 named named  52 Jul 12 16:04 Kexternal.+157+21581.key
-rw------- 1 named named 165 Jul 12 16:04 Kexternal.+157+21581.private
-rw------- 1 named named  52 Jul 12 16:03 Kintranet.+157+57599.key
-rw------- 1 named named 165 Jul 12 16:03 Kintranet.+157+57599.private
```

Copy the value on the `Key:` line of each file into the matching secret in acl.conf:

```sh
# cat Kexternal.+157+21581.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: TorqY5N5hgkRhoXgSssaDQ==
Bits: AAA=
Created: 20110712080429
Publish: 20110712080429
Activate: 20110712080429
# cat Kintranet.+157+57599.private
Private-key-format: v1.3
Algorithm: 157 (HMAC_MD5)
Key: qSFm5D26mtg1O1wJlyTKYA==
Bits: AAA=
Created: 20110712080358
Publish: 20110712080358
Activate: 20110712080358
```
localhost.zone:

```text
$TTL 86400
$ORIGIN localhost.
@       1D IN SOA @ root (
            100     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        1D IN NS @
        1D IN A 127.0.0.1
```

localhost.rev:

```text
$TTL 86400
@       IN SOA localhost. root.localhost. (
            1997022700  ; Serial
            28800       ; Refresh
            14400       ; Retry
            3600000     ; Expire
            86400 )     ; Minimum
        IN NS localhost.
1       IN PTR localhost.
```

Create a master directory under /usr/local/named/etc/ for the zone files that follow.
2.168.192.rev:

```text
$TTL 86400
@       IN SOA wholesale-dress.net. root.wholesale-dress.net. (
            100     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.wholesale-dress.net.
200     IN PTR ns1.wholesale-dress.net.
201     IN PTR slave.wholesale-dress.net.
;88     IN PTR www.wholesale-dress.net.
;15     IN PTR js.wholesale-dress.net.
;15     IN PTR css.wholesale-dress.net.
;15     IN PTR img.wholesale-dress.net.
;14     IN PTR mail.wholesale-dress.net.
;18     IN PTR ftp.wholesale-dress.net.
```
arab-clothes.com.intranet:

```text
$TTL 86400
@       IN SOA ns1.arab-clothes.com. root.arab-clothes.com. (
            105     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.arab-clothes.com.
;       IN MX 10 mail.arab-clothes.com.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
www     IN A 192.168.1.249
;js     IN A 192.168.1.15
;css    IN A 192.168.1.15
;img    IN A 192.168.1.15
;ftp    IN A 192.168.1.18
```

japan-dress.com.intranet:

```text
$TTL 86400
@       IN SOA ns1.japan-dress.com. root.japan-dress.com. (
            101     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.japan-dress.com.
;       IN MX 10 mail.japan-dress.com.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
www     IN A 192.168.1.241
;js     IN A 192.168.1.15
;css    IN A 192.168.1.15
;img    IN A 192.168.1.15
;ftp    IN A 192.168.1.18
```

stamp-shopping.com.intranet (the SOA MNAME and NS must carry the full zone name; a name such as `ns1.stamp-shopping.` would be an out-of-zone server with no A record):

```text
$TTL 86400
@       IN SOA ns1.stamp-shopping.com. root.stamp-shopping.com. (
            101     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.stamp-shopping.com.
;       IN MX 10 mail.stamp-shopping.com.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
www     IN A 192.168.1.238
;js     IN A 192.168.1.15
;css    IN A 192.168.1.15
;img    IN A 192.168.1.15
;ftp    IN A 192.168.1.18
```

wholesale-dress.net.intranet:

```text
$TTL 86400
@       IN SOA ns1.wholesale-dress.net. root.wholesale-dress.net. (
            101     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.wholesale-dress.net.
;       IN MX 10 mail.wholesale-dress.net.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
www     IN A 192.168.2.221
;js     IN A 192.168.1.15
;css    IN A 192.168.1.15
;img    IN A 192.168.1.15
;ftp    IN A 192.168.1.18
```

yixiebao.com.intranet:

```text
$TTL 86400
@       IN SOA ns1.yixiebao.com. root.yixiebao.com. (
            101     ; serial
            1H      ; refresh
            1M      ; retry
            1W      ; expiry
            1D )    ; minimum
        IN NS ns1.yixiebao.com.
;       IN MX 10 mail.yixiebao.com.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
;www    IN A 192.168.1.87
;js     IN A 192.168.1.15
;css    IN A 192.168.1.15
;img    IN A 192.168.1.15
;ftp    IN A 192.168.1.18
```

The remaining forward zone files are essentially the same.
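Five near-identical zone files are easy to get subtly wrong: in the originally published version of this post the stamp-shopping.com file named its SOA MNAME and NS as `ns1.stamp-shopping.`, one label short of the zone, which loads but advertises a name server the zone has no address for. The following Python script is an added example (mine, not the post's; named-checkzone remains the authoritative tool). It parses the master-file subset used on this page and reports an out-of-zone SOA/NS target, an NS with no glue A record, a non-numeric serial, and any A record outside RFC 1918 space, the last because the whole point of the intranet view is to never hand a tester a public address. The sample zone text, `check_intranet_zone` and the finding codes are assumptions of the example.

```python
"""Sanity checks for the *.intranet zone files of a split-horizon BIND setup.

Added example, not from the original post. Parses the master-file subset used
on this page ($TTL, a parenthesised SOA, one-line NS/A/MX/PTR records).
"""
import ipaddress
import re

# Constructed sample in the shape of stamp-shopping.com.intranet, reproducing
# SOA/NS names that lack their ".com" label.
SAMPLE_ZONE = """\
$TTL 86400
@ IN SOA ns1.stamp-shopping. root.stamp-shopping. (
        101 ; serial
        1H  ; refresh
        1M  ; retry
        1W  ; expiry
        1D ) ; minimum
        IN NS ns1.stamp-shopping.
;       IN MX 10 mail.stamp-shopping.
;mail   IN A 192.168.1.14
ns1     IN A 192.168.2.200
slave   IN A 192.168.2.201
www     IN A 192.168.1.238
"""

PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def fqdn(name, zone):
    """'@' is the apex, a name without a trailing dot is relative to the zone,
    an absolute name is returned unchanged."""
    zone = zone.rstrip(".") + "."
    if name == "@":
        return zone
    return name if name.endswith(".") else name + "." + zone


def parse_zone(text, zone):
    """Return [(owner_fqdn, rtype, rdata_tokens)]. Comments are stripped,
    parenthesised records are joined into one, and a record that starts with
    whitespace inherits the previous owner name."""
    records, pending, depth, owner = [], "", 0, "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue                      # $TTL/$ORIGIN not needed here
        pending = pending + " " + line if pending else line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                      # SOA continues on the next line
        tokens = pending.replace("(", " ").replace(")", " ").split()
        if not pending[0].isspace():
            owner = tokens.pop(0)
        if tokens and TTL_RE.fullmatch(tokens[0]):
            tokens.pop(0)                 # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                 # optional class
        records.append((fqdn(owner, zone), tokens[0].upper(), tokens[1:]))
        pending = ""
    return records


def check_intranet_zone(zone, text):
    """Return a list of findings; an empty list means the zone passes."""
    apex = zone.rstrip(".") + "."
    records = parse_zone(text, zone)
    a_owners = {o for o, t, _ in records if t == "A"}

    def in_zone(name):
        return name == apex or name.endswith("." + apex)

    findings = []
    for owner, rtype, rdata in records:
        if rtype == "SOA":
            mname = fqdn(rdata[0], zone)
            if not (in_zone(mname) and mname in a_owners):
                findings.append("SOA-MNAME: %s has no in-zone A record" % mname)
            if not rdata[2].isdigit():
                findings.append("SOA-SERIAL: %r is not numeric" % rdata[2])
        elif rtype == "NS":
            target = fqdn(rdata[0], zone)
            if not in_zone(target):
                findings.append("NS-OUT-OF-ZONE: %s -> %s" % (owner, target))
            elif target not in a_owners:
                findings.append("NS-NO-GLUE: %s has no A record" % target)
        elif rtype == "A":
            addr = ipaddress.ip_address(rdata[0])
            if not any(addr in net for net in PRIVATE_NETS):
                findings.append("PUBLIC-A: %s -> %s" % (owner, addr))
    return findings


if __name__ == "__main__":
    for f in check_intranet_zone("stamp-shopping.com", SAMPLE_ZONE) or ["OK"]:
        print(f)
```

Run it once per file with the zone name from the matching `zone` statement in named.conf; the PUBLIC-A check is the one to keep in a pre-commit hook, since a copy-pasted production address in an intranet file silently defeats the split horizon.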
Part 3: Starting named

With the work above done the configuration is essentially complete. Before starting for real, let's check the syntax of named.conf:

```sh
# named-checkconf named.conf
```

No output means no errors.

Start in debug mode to see whether anything errors out:

```sh
named -u named -c named.conf -g -d 4
```

Finally, create a startup script for bind98:
```sh
#!/bin/bash
#
# Init file for named
#
# chkconfig: - 80 12
# description: named daemon
#
# processname: named
# pidfile: /var/run/named/named.pid

. /etc/init.d/functions

BIN="/usr/local/named/sbin"
PIDFILE="/var/run/named/named.pid"
RETVAL=0
prog="named"
desc="DNS Server"

start() {
    if [ -e $PIDFILE ]; then
        echo "$desc already running...."
        exit 1
    fi
    echo -n $"Starting $desc: "
    daemon $BIN/$prog -u named -c /usr/local/named/etc/named.conf
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
    return $RETVAL
}

stop() {
    echo -n $"Stop $desc: "
    killproc $prog
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog $PIDFILE
    return $RETVAL
}

restart() {
    stop
    start
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    condrestart)
        [ -e /var/lock/subsys/$prog ] && restart
        RETVAL=$?
        ;;
    status)
        status $prog
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL
```

This script was adapted from another one; it has been tried out and works fine.
Part 4: Testing (abridged)

1) Change the DNS setting of any Windows machine on the LAN to this server's IP and check whether names resolve correctly.

2) Give any Windows machine on the LAN an IP address that is in the intranet ACL and check whether it can no longer look up external names, and whether a query for one of the specified domains returns the intended result.
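The test steps above are abridged; a complementary check after the fact is to read dns_query.log, which the logging section writes with print-time, print-category and print-severity, and confirm which view answered each client. The following Python script is an added example, not part of the original post. It parses constructed log lines in the shape of BIND 9.8 query logging (including the `/key NAME` suffix named prints for TSIG-signed queries), counts queries per view, and flags any client answered from the intranet view that neither came from the intranet ACL ranges nor signed with intranet-key, which is exactly the case where a tester's answer would have reached the wrong person. The sample lines, the ACL ranges handed to `audit()` and the function names are assumptions of the example.

```python
"""Audit a BIND query log to confirm the split horizon behaves as intended.

Added example, not from the original post. Reads the dns_query.log format
produced by the query_log channel on this page (print-time, print-category and
print-severity enabled).
"""
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the shape of BIND 9.8 query logging; the last
# line is a general-category error that the parser must ignore.
SAMPLE_LOG = """\
13-Jul-2011 17:18:07.098 queries: info: client 192.168.2.55#49321: view intranet: query: www.wholesale-dress.net IN A + (192.168.2.200)
13-Jul-2011 17:18:08.210 queries: info: client 192.168.1.77#53001/key intranet-key: view intranet: query: www.yixiebao.com IN A + (192.168.2.200)
13-Jul-2011 17:18:09.334 queries: info: client 192.168.1.80#40022: view external: query: www.wholesale-dress.net IN A + (192.168.2.200)
13-Jul-2011 17:18:10.501 queries: info: client 192.168.1.91#51288: view intranet: query: www.japan-dress.com IN A + (192.168.2.200)
13-Jul-2011 17:18:11.010 queries: info: client 192.168.1.80#40023: view external: query: www.google.com IN A + (192.168.2.200)
13-Jul-2011 17:18:12.000 general: error: managed-keys-zone ./IN/external: loading from master file x.mkeys failed: file not found
"""

# One query line: timestamp, category/severity, client ip#port with an
# optional "/key NAME" when the query carried a TSIG, view, and the question.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?:/key (?P<key>[^:\s]+))?: view (?P<view>\S+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """Return one dict per query line; lines from other categories are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def audit(entries, intranet_acl, intranet_key="intranet-key"):
    """Return (queries per view, alerts). An alert is raised for every query
    answered from the intranet view by a client that is neither inside the
    intranet ACL ranges nor authenticated with the intranet TSIG key."""
    acl = [ipaddress.ip_network(n) for n in intranet_acl]
    per_view = Counter()
    alerts = []
    for e in entries:
        per_view[e["view"]] += 1
        if e["view"] != "intranet":
            continue
        addr = ipaddress.ip_address(e["ip"])
        if e["key"] == intranet_key or any(addr in n for n in acl):
            continue
        alerts.append("%s client %s reached view intranet for %s %s "
                      "without ACL match or key" % (e["ts"], e["ip"], e["qname"], e["qtype"]))
    return dict(per_view), alerts


if __name__ == "__main__":
    # Assumed ACL: localhost plus the 192.168.2.0/24 test subnet.
    counts, alerts = audit(parse_query_log(SAMPLE_LOG.splitlines()),
                           ["127.0.0.0/8", "192.168.2.0/24"])
    print(counts)
    for a in alerts:
        print(a)
```

Feed it the real file with `parse_query_log(open("/var/log/dns_query.log"))` and the ranges from the intranet ACL in acl.conf. A non-empty alert list means match-clients is admitting more than the ACL and key you intended; an intranet count of zero while testers are running means their machines are still landing in the external view.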
Note: after named starts normally with the configuration above, dns_warnings.log contains one error entry. The error does not affect DNS operation. It looks roughly like this:

```text
13-Jul-2011 17:18:07.098 general: error: managed-keys-zone ./IN/internal:
loading from master file
3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed:
file not found
13-Jul-2011 17:18:07.100 general: error: managed-keys-zone ./IN/external:
loading from master file
3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed:
file not found
```

I searched Google for ages and found neither a detailed description of this problem nor any usable solution. So what to do? On a whim, since the complaint is that the file does not exist, I simply created an empty file with that name and watched what happened:

```sh
# touch 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
# touch 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
```

Then I changed the owner of these two files, started DNS again, and that damned error entry was gone from the DNS log; everything else works normally. Haha ^_^ (These files are the per-view managed-keys zones that named uses for RFC 5011 trust-anchor maintenance; since this named.conf configures no managed keys, an empty file simply means no trust anchors are being tracked.)

Part 5: At some later date I will post a follow-up version of this document that adds the slave server configuration.