-
公司有一测试环境,上面跑着线上的各个网站的线下版本(即上线之前在本地所做的测试)。起初,我们在配置该环境时,访问每个网站均采用独立IP的形式进行。这样一来,仅仅就这一个服务器上就占用了内网的10几个IP,再加上办公室同事的正常使用IP,IP就不足了(得再划分子网,麻烦)。现在想配置一台DNS服务器,不同的域名解析到同一个IP,达到节约IP资源的目的,此其一。其二,我也想该环境使用同线上一样的域名环境。但是有一个要求,仅仅测试部童鞋在使用特定域名时,解析到本地相应的IP,反之,解析到公网IP。同时,也希望该DNS服务器承担内网用户上网时解析域名的角色。
下面来看看整个实现的过程:
一、安装过程
由于DNS服务器易受攻击,所以安全性很重要。我们从dns的官网上下载最新stable版的bind98来做这个。(相对安全而言,本人还是比较青睐FreeBSD一点)。
bind98的下载地址:
- ftp://ftp.isc.org/isc/bind/9.8.0-P4/bind-9.8.0-P4.tar.gz
将其下载到本地的目录中,编译安装即可
- # tar xf bind-9.8.0-P4.tar.gz
- # cd bind-9.8.0-P4
- # ./configure --prefix=/usr/local/named --enable-epoll --enable-threads --enable-largefile
编译参数的说明:
- --enable-threads enable multithreading
- --enable-largefile 64-bit file support
- --enable-epoll use Linux epoll when available [default=auto]
这样运行configure完之后,会有这样的提示
- WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- WARNING WARNING
- WARNING Your OpenSSL crypto library may be vulnerable to WARNING
- WARNING one or more of the the following known security WARNING
- WARNING flaws: WARNING
- WARNING WARNING
- WARNING CAN-2002-0659, CAN-2006-4339, CVE-2006-2937 and WARNING
- WARNING CVE-2006-2940. WARNING
- WARNING WARNING
- WARNING It is recommended that you upgrade to OpenSSL WARNING
- WARNING version 0.9.8d/0.9.7l (or greater). WARNING
- WARNING WARNING
- WARNING You can disable this warning by specifying: WARNING
- WARNING WARNING
- WARNING --disable-openssl-version-check WARNING
- WARNING WARNING
- WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
- WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
这是因为configure时默认启用了这个参数所致
- --enable-openssl-version-check
- Check OpenSSL Version [default=yes]
你可以将其设置为NO,或者升级本地的openssl
顺便看一下本地的openssl版本吧
- # openssl version
- OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
让我们来升级它吧,最新的openssl版本下载地址
- http://www./source/openssl-1.0.0d.tar.gz
接下来,
- # tar xf openssl-1.0.0d.tar.gz
- # cd openssl-1.0.0d
- # ./config -fPIC --prefix=/usr enable-shared
- # make && make install
再看一下openssl的版本
- # openssl version
- OpenSSL 1.0.0d 8 Feb 2011
oh,yeah,成功升级至openssl 1.0.0d,之后再次在bind目录下configure就没有上面的warning了
以上都做完了之后,最后make && make install,这样bind98就算安装完毕了。
二、配置bind98
准备一个用户来运行bind98
- # groupadd named
- # useradd named -g named -s /sbin/nologin -d /dev/null -M -c "DNS server"
生成rndc.conf文件
- # rndc-confgen >/usr/local/named/etc/rndc.conf
修改rndc.conf如下
- key "rndc-key" {
- algorithm hmac-md5;
- secret "pdz01kiIZhCDgYTDEr2YXA==";
- };
- controls {
- inet 127.0.0.1 port 953
- allow { 127.0.0.1; } keys { "rndc-key"; };
- };
主配置文件named.conf
- options {
- directory "/usr/local/named/etc";
- dump-file "/var/named/data/cache_dump.db";
- statistics-file "/var/named/data/named_stats.txt";
- memstatistics-file "/var/named/data/named_mem_stats.txt";
- pid-file "/var/run/named/named.pid";
- version "Windows 2008 Enterprise Server";
- notify yes;
- /*
- 只当本域notify被激活时才是有意义的。能够收到本域DNS NOTIFY信息的计算机
的集合是由所有域中列明的名称服务器加上任何由also-notify设定的IP地址
*/- also-notify { 192.168.2.201; };
- //如果为yes,服务器将收集所有区域的统计数据
- zone-statistics yes;
- listen-on port 53 { 192.168.2.200; };
- //这里填写slave的地址
- //allow-transfer { 192.168.2.201; };
- //允许内外网查询本DNS
- allow-query { intranet;external; };
- //允许外部网络递归查询
- allow-recursion { external; };
- //在配置为”first”时,则在转发查询失败或没有查到结果时,会在本地发起查询。
- forward first;
- //上游DNS设置
- forwarders { 202.101.172.46;202.101.172.47; };
- //服务器可以使用的最大数据内存量,默认是default
- datasize 50M;
- auth-nxdomain no;
- rrset-order { order random; };
- };
- logging {
- channel warning {
- file "/var/log/dns_warnings.log" versions 5 size 1024K;
- severity warning;
- print-category yes;
- print-severity yes;
- print-time yes;
- };
- channel security_log {
- file "/var/log/dns_security.log" versions 5 size 1024K;
- severity info;
- print-category yes;
- print-severity yes;
- print-time yes;
- };
- channel query_log {
- file "/var/log/dns_query.log" versions 10 size 1024K;
- severity info;
- print-category yes;
- print-severity yes;
- print-time yes;
- };
- category default { warning; };
- category security { security_log; };
- category queries { query_log; };
- };
- include "acl.conf";
- include "rndc.conf";
- view "intranet" {
- match-clients { key intranet-key;intranet; };
- match-destinations { any; };
- //设定哪台主机允许和本地服务器进行域传输,这里指定传输到slave时使用的key
- allow-transfer { key intranet-key; };
- //这里是slave的地址
- server 192.168.2.201 { keys { intranet-key; }; };
- zone "." IN {
- type hint;
- file "named.root";
- };
- zone "localhost" IN {
- type master;
- file "localhost.zone";
- };
- zone "0.0.127.in-addr.arpa" IN {
- type master;
- file "localhost.rev";
- };
- zone "wholesale-dress.net" IN {
- type master;
- /*
- 由于域名wholesale-dress.net已在公网上注册,所以对测试的童鞋来说,
- 该域名的记录应该返回的是内网中测试服务器所对应的IP,下同
- */
- file "master/wholesale-dress.net.intranet";
- };
- zone "yixiebao.com" IN {
- type master;
- file "master/yixiebao.com.intranet";
- };
- zone "japan-dress.com" IN {
- type master;
- file "master/japan-dress.com.intranet";
- };
- zone "arab-clothes.com" IN {
- type master;
- file "master/arab-clothes.com.intranet";
- };
- zone "stamp-shopping.com" IN {
- type master;
- file "master/stamp-shopping.com.intranet";
- };
- zone "2.168.192.in-addr.arpa" IN {
- type master;
- file "master/2.168.192.rev";
- };
- };
- view "external" {
- match-clients { key external-key;external; };
- match-destinations { any; };
- zone "." IN {
- type hint;
- file "named.root";
- };
- zone "localhost" IN {
- type master;
- file "localhost.zone";
- };
- zone "0.0.127.in-addr.arpa" IN {
- type master;
- file "localhost.rev";
- };
- zone "wholesale-dress.net" IN {
- /*
- 对于外网用户来说(指定的),该域名已经作解析。我们就没有必要再解析一次
- ,当用户查询此域名时,直接丢给上游DNS即可。下同
- */
- type forward;
- };
- zone "goods-of-china.com" IN {
- type forward;
- };
- zone "japan-dress.com" IN {
- type forward;
- };
- zone "russia-dress.com" IN {
- type forward;
- };
- zone "stamp-shopping.com" IN {
- type forward;
- };
- };
acl.conf
- key "intranet-key" {
- algorithm hmac-md5;
- secret "qSFm5D26mtg1O1wJlyTKYA==";
- };
- key "external-key" {
- algorithm hmac-md5;
- secret "TorqY5N5hgkRhoXgSssaDQ==";
- };
- acl "intranet" {
- localhost;
- };
- acl "external" {
- any;
- };
name.root下载地址:
- wget ftp://ftp.internic.org/domain/named.root
还有一些准备工作
- # touch /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
- # chown named.named /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
- # ll /var/log/{dns_warnings.log,dns_security.log,dns_query.log}
- -rw-r--r-- 1 named named 701587 Jul 13 10:53 /var/log/dns_query.log
- -rw-r--r-- 1 named named 0 Jul 12 17:56 /var/log/dns_security.log
- -rw-r--r-- 1 named named 1158 Jul 13 09:56 /var/log/dns_warnings.log
- # chown -R named.named /usr/local/named/
- # chown -R named.named /var/run/named/
- # chown -R named.named /var/named/data/
生成两个key
- # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST intranet
- # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST external
生成的key文件名like this
- -rw------- 1 named named 52 Jul 12 16:04 Kexternal.+157+21581.key
- -rw------- 1 named named 165 Jul 12 16:04 Kexternal.+157+21581.private
- -rw------- 1 named named 52 Jul 12 16:03 Kintranet.+157+57599.key
- -rw------- 1 named named 165 Jul 12 16:03 Kintranet.+157+57599.private
将下面红色部分的代码复制到acl.conf中
- # cat Kexternal.+157+21581.private
- Private-key-format: v1.3
- Algorithm: 157 (HMAC_MD5)
- Key: TorqY5N5hgkRhoXgSssaDQ==
- Bits: AAA=
- Created: 20110712080429
- Publish: 20110712080429
- Activate: 20110712080429
- cat Kintranet.+157+57599.private
- Private-key-format: v1.3
- Algorithm: 157 (HMAC_MD5)
- Key: qSFm5D26mtg1O1wJlyTKYA==
- Bits: AAA=
- Created: 20110712080358
- Publish: 20110712080358
- Activate: 20110712080358
localhost.zone
- $TTL 86400
- $ORIGIN localhost.
- @ 1D IN SOA @ root (
- 100 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- 1D IN NS @
- 1D IN A 127.0.0.1
localhost.rev
- $TTL 86400
- @ IN SOA localhost. root.localhost. (
- 1997022700 ; Serial
- 28800 ; Refresh
- 14400 ; Retry
- 3600000 ; Expire
- 86400 ) ; Minimum
- IN NS localhost.
- 1 IN PTR localhost.
/usr/local/named/etc/下新建一master目录
2.168.192.rev
- $TTL 86400
- @ IN SOA wholesale-dress.net. root.wholesale-dress.net. (
- 100 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D) ; minimum
- IN NS ns1.wholesale-dress.net.
- 200 IN PTR ns1.wholesale-dress.net.
- 201 IN PTR slave.wholesale-dress.net.
- ;88 IN PTR www.wholesale-dress.net.
- ;15 IN PTR js.wholesale-dress.net.
- ;15 IN PTR css.wholesale-dress.net.
- ;15 IN PTR img.wholesale-dress.net.
- ;14 IN PTR mail.wholesale-dress.net.
- ;18 IN PTR ftp.wholesale-dress.net.
arab-clothes.com.intranet
- $TTL 86400
- @ IN SOA ns1.arab-clothes.com. root.arab-clothes.com. (
- 105 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- IN NS ns1.arab-clothes.com.
- ; IN MX 10 mail.arab-clothes.com.
- ;mail IN A 192.168.1.14
- ns1 IN A 192.168.2.200
- slave IN A 192.168.2.201
- www IN A 192.168.1.249
- ;js IN A 192.168.1.15
- ;css IN A 192.168.1.15
- ;img IN A 192.168.1.15
- ;ftp IN A 192.168.1.18
japan-dress.com.intranet
- $TTL 86400
- @ IN SOA ns1.japan-dress.com. root.japan-dress.com. (
- 101 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- IN NS ns1.japan-dress.com.
- ; IN MX 10 mail.japan-dress.com.
- ;mail IN A 192.168.1.14
- ns1 IN A 192.168.2.200
- slave IN A 192.168.2.201
- www IN A 192.168.1.241
- ;js IN A 192.168.1.15
- ;css IN A 192.168.1.15
- ;img IN A 192.168.1.15
- ;ftp IN A 192.168.1.18
stamp-shopping.com.intranet
- $TTL 86400
- @ IN SOA ns1.stamp-shopping. root.stamp-shopping. (
- 101 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- IN NS ns1.stamp-shopping.
- ; IN MX 10 mail.stamp-shopping.
- ;mail IN A 192.168.1.14
- ns1 IN A 192.168.2.200
- slave IN A 192.168.2.201
- www IN A 192.168.1.238
- ;js IN A 192.168.1.15
- ;css IN A 192.168.1.15
- ;img IN A 192.168.1.15
- ;ftp IN A 192.168.1.18
wholesale-dress.net.intranet
- $TTL 86400
- @ IN SOA ns1.wholesale-dress.net. root.wholesale-dress.net. (
- 101 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- IN NS ns1.wholesale-dress.net.
- ; IN MX 10 mail.wholesale-dress.net.
- ;mail IN A 192.168.1.14
- ns1 IN A 192.168.2.200
- slave IN A 192.168.2.201
- www IN A 192.168.2.221
- ;js IN A 192.168.1.15
- ;css IN A 192.168.1.15
- ;img IN A 192.168.1.15
- ;ftp IN A 192.168.1.18
yixiebao.com.intranet
- $TTL 86400
- @ IN SOA ns1.yixiebao.com. root.yixiebao.com. (
- 101 ; serial
- 1H ; refresh
- 1M ; retry
- 1W ; expiry
- 1D ) ; minimum
- IN NS ns1.yixiebao.com.
- ; IN MX 10 mail.yixiebao.com.
- ;mail IN A 192.168.1.14
- ns1 IN A 192.168.2.200
- slave IN A 192.168.2.201
- ;www IN A 192.168.1.87
- ;js IN A 192.168.1.15
- ;css IN A 192.168.1.15
- ;img IN A 192.168.1.15
- ;ftp IN A 192.168.1.18
后面几个正向解析文件基本上差不多。
三、启动named
基于以上的工作后,基本上算是配置完毕,在正式启动之前我们来检查一下mamed.conf 的语法
- # named-checkconf named.conf
无错误输出即可。
进行调试模式启动,看是否有错误输出
- named -u named -c named.conf -g -d 4
最后,创建bind98启动脚本
- #!/bin/bash
- #
- # Init file for named
- #
- # chkconfig: - 80 12
- # description: named daemon
- #
- # processname: named
- # pidfile: /usr/local/named/var/run/named.pid
- . /etc/init.d/functions
- BIN="/usr/local/named/sbin"
- PIDFILE="/var/run/named/named.pid"
- RETVAL=0
- prog="named"
- desc="DNS Server"
- start() {
- if [ -e $PIDFILE ];then
- echo "$desc already running...."
- exit 1
- fi
- echo -n $"Starting $desc: "
- daemon $BIN/$prog -u named -c /usr/local/named/etc/named.conf
- RETVAL=$?
- echo
- [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$prog
- return $RETVAL
- }
- stop() {
- echo -n $"Stop $desc: "
- killproc $prog
- RETVAL=$?
- echo
- [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$prog $PIDFILE
- return $RETVAL
- }
- restart() {
- stop
- start
- }
- case "$1" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- restart
- ;;
- condrestart)
- [ -e /var/lock/subsys/$prog ] && restart
- RETVAL=$?
- ;;
- status)
- status $prog
- RETVAL=$?
- ;;
- *)
- echo $"Usage: $0 {start|stop|restart|condrestart|status}"
- RETVAL=1
- esac
- exit $RETVAL
以上脚本是由另一脚本修改而来,经试用,没有问题。
四、测试过程(略)
1)将LAN中任意一台win 机器的DNS设置改成该服务器的IP,看是否能解析OK?
2)将LAN中任意一台win 机器的IP配置成acl中的intranet地址,看是否不能查询外网请求,在查询指定请求的域名是,是否返回所预定的结果。
注:按照以上的配置正常启动DNS后,会在dns_warnings.log里有一条错误的日志输出,此错误并不影响DNS的正常工作。大致是这样的
- 13-Jul-2011 17:18:07.098 general: error: managed-keys-zone ./IN/internal:
- loading from master file
- 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed:
- file not found
- 13-Jul-2011 17:18:07.100 general: error: managed-keys-zone ./IN/external:
- loading from master file
- 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys failed:
- file not found
在google上查了N久,没有该问题的详细描述以及任何可用的solution。肿么办办呢,本人突发奇想,既然是这个文件没有,那么好啦,我就自己创建一个这样的空文件,看如何
- # touch 3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys
- 296
- # touch 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys
紧接着更改这两个文件的属主设置,再次启动DNS,此时DNS日志中就木有这条该死的错误日志了,其他功能一切正常。哈哈, ^_^
五、随后某个时间,将附上该文档的后续版本,增加从服务器配置。
