Overview
Some servers on the company LAN (certain subnets) cannot reach the Internet directly, so a server that does have direct Internet access is configured with iptables MASQUERADE, letting those internal servers reach the Internet through NAT. In addition, I want to deploy a simple internal DNS server that resolves the names of internal hosts; the same server also serves internal clients in forwarding mode.
Advantages:
It resolves the company's internal servers: with an internal domain such as example.com, clients can reach internal servers simply by hostname.
For certain special cases it allows DNS overriding (declaring yourself authoritative for a zone and pointing the answer at a chosen IP address), which is useful in some internal test environments.
Below, the DNS server software BIND is installed and run in chroot mode, which has security advantages over running BIND directly in the usual way. A complete example of configuring zone resolution is not provided here (I plan to work through a full, more complex DNS deployment later), but the steps for installing BIND and getting it running are concise enough to serve as a reference.
References
Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora).
CentOS 4 : chroot DNS with BIND
Preparation
Create the user and the directory structure
echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/
Edit /etc/sysconfig/syslog
Edit the line beginning with SYSLOGD_OPTIONS so that it looks like this
SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log"
Then restart syslog
/etc/init.d/syslog restart
Secure the directories
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var
If BIND was previously installed on the system, remove it
rpm -qa | grep bind
rpm -e --nodeps <copy-paste-all-the-packages-separated-by-space>
Install BIND
Build BIND
wget http://ftp.isc.org/isc/bind9/9.7.1-P2/bind-9.7.1-P2.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install
mv /etc/init.d/named /etc/init.d/named.bak
Add the following startup script as /etc/init.d/named
#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS)
# that is used to resolve host names to IP addresses.
# probe: true
#
# Source function library.
. /etc/rc.d/init.d/functions
#
# Source networking configuration.
. /etc/sysconfig/network
#
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
#
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0
#
# See how we were called.
case "$1" in
start)
# Start daemons: run as the unprivileged named user, chroot'ed to /chroot/named;
# the config path is relative to the chroot.
echo -n "Starting named: "
daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
echo
touch /var/lock/subsys/named
;;
stop)
# Stop daemons.
echo -n "Shutting down named: "
kill `pidof named`
echo
rm -f /var/lock/subsys/named
;;
status)
status named
exit $?
;;
restart)
$0 stop
$0 start
exit $?
;;
reload)
/usr/local/sbin/rndc reload
exit $?
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
exit 0
;;
#
*)
echo "Usage: named {start|stop|status|restart|reload}"
exit 1
esac
#
exit 0
Make the startup script executable
chmod +x /etc/init.d/named
Start named at boot
chkconfig --add named
Configure DNS
Prepare rndc.key
rndc-confgen -a
cp /etc/rndc.key /chroot/named/etc/
Set up the configuration file /chroot/named/etc/named.conf
include "/etc/rndc.key";

options {
directory "/etc/namedb"; // Working directory
pid-file "/var/run/named.pid"; // Put pid file in working dir
statistics-file "/var/run/named.stats";
query-source address * port 53;
version "Bind 10";

allow-recursion {
127.0.0.1;
192.168.0.0/16;
10.1.9.0/24;
};
// Allow recursive queries, so the server provides DNS service to internal hosts
// rather than only answering for the domains it is authoritative for;
// I want this to run as an internal DNS server

forwarders {
202.96.209.133; //ip of dns server to forward requests to
202.96.209.5;
};

listen-on {
127.0.0.1;
192.168.7.189;
10.1.9.189;
};
// Listen only on internal interfaces so the server is not reachable from outside

};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Root server hints
zone "." {
type hint;
file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
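The named.conf above already restricts recursion, listening addresses and the rndc channel, but it also pins outgoing queries to a fixed source port with query-source ... port 53. The following lint, an added example that is not part of the original post, flattens a named.conf and flags that setting together with the other weak choices an internal resolver can make (open recursion, listen-on any, control socket off loopback, master zones without allow-transfer); the function names and messages are my own.

```shell
#!/bin/sh
# Hypothetical lint for the named.conf above (added example, not from the original
# post). Flattens the file, strips // comments and reports settings that weaken an
# internal resolver. Prints FAIL/WARN lines and returns the number of FAILs.

# one-line copy of FILE with // comments removed and whitespace squeezed
flatten() { sed 's#//.*$##' "$1" | tr '\n\t' '  ' | tr -s ' '; }

has() { echo "$conf" | grep -q "$1"; }   # BRE match against the flattened config

lint_named_conf() {
    conf=$(flatten "$1"); fails=0
    # "query-source address * port 53;" sends every outgoing query from one UDP port,
    # which switches off the source-port randomisation that BIND 9.5 and later use
    # to make off-path cache poisoning impractical
    if has 'query-source[^;]*port *[0-9]'; then
        echo "FAIL query-source pins a fixed port; drop 'port 53' so BIND randomises the source port"
        fails=$((fails + 1))
    fi
    # recursion must be limited to internal clients; otherwise this is an open resolver
    if ! has 'allow-recursion *{'; then
        echo "FAIL no allow-recursion: recursive service is offered to any client"
        fails=$((fails + 1))
    elif has 'allow-recursion *{[^}]*any'; then
        echo "FAIL allow-recursion { any; }: open resolver"
        fails=$((fails + 1))
    fi
    # the resolver should bind only the internal addresses, not every interface
    if ! has 'listen-on *{' || has 'listen-on *{[^}]*any'; then
        echo "FAIL listen-on missing or 'any': resolver exposed on every interface"
        fails=$((fails + 1))
    fi
    # the rndc control channel belongs on loopback only
    if has 'controls *{' && ! has 'inet *127\.0\.0\.1'; then
        echo "WARN rndc control socket is not bound to 127.0.0.1"
    fi
    # a master zone transfers to anyone unless allow-transfer restricts it
    if has 'type master' && ! has 'allow-transfer'; then
        echo "WARN master zone without allow-transfer: any host can AXFR the zone"
    fi
    return $fails
}

# run directly: sh lint_named_conf.sh --run /chroot/named/etc/named.conf
if [ "${1:-}" = "--run" ]; then lint_named_conf "${2:-/chroot/named/etc/named.conf}"; fi
```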
Set up the configuration file /chroot/named/etc/namedb/root.hint (this file lists the DNS root servers)
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
Configure iptables to allow access to UDP port 53 on the server (DNS queries only need UDP port 53; the TCP port is used for zone transfers)
Add the following to /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
Restart iptables
/etc/init.d/iptables restart
Start the service
/etc/init.d/named start
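Once everything is in place, the jail can be checked against the preparation steps above with the following script, an added example that is not part of the original post. It assumes the /chroot layout, the named user and the file names used above; the function names are my own.

```shell
#!/bin/sh
# Hypothetical audit of the chroot jail built above (added example, not from the
# original post). Usage: sh audit_named_chroot.sh --run [/chroot]
# Prints one "FAIL ..." line per finding and returns the number of findings.

# need_dir DIR MODE OWNER: DIR must exist, have exactly MODE and be owned by OWNER
need_dir() {
    [ -d "$1" ] || { echo "FAIL missing directory $1"; return 1; }
    rc=0
    if [ -n "$(find "$1" -prune ! -perm "$2" -print 2>/dev/null)" ]; then
        echo "FAIL mode of $1 is not $2"; rc=1
    fi
    if [ -n "$(find "$1" -prune ! -user "$3" -print 2>/dev/null)" ]; then
        echo "FAIL owner of $1 is not $3"; rc=1
    fi
    return $rc
}

audit_named_chroot() {
    root=${1:-/chroot}; jail=$root/named; fails=0
    # outer directory closed and root-owned, so named cannot alter its own jail;
    # the jail itself belongs to the unprivileged named user (chmod 700 above)
    need_dir "$root" 700 root || fails=$((fails + 1))
    need_dir "$jail" 700 named || fails=$((fails + 1))
    # the only device nodes named needs inside the jail (the mknod steps above)
    for d in null random; do
        [ -c "$jail/dev/$d" ] || { echo "FAIL $jail/dev/$d is not a character device"; fails=$((fails + 1)); }
    done
    # socket created by syslogd from SYSLOGD_OPTIONS="-a /chroot/named/dev/log"
    [ -S "$jail/dev/log" ] || { echo "FAIL syslog socket $jail/dev/log missing"; fails=$((fails + 1)); }
    for f in etc/named.conf etc/rndc.key etc/localtime etc/namedb/root.hint; do
        [ -f "$jail/$f" ] || { echo "FAIL $jail/$f missing"; fails=$((fails + 1)); }
    done
    # rndc.key is the control-channel secret: it must not be group- or world-readable
    if [ -f "$jail/etc/rndc.key" ] &&
       [ -n "$(find "$jail/etc/rndc.key" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL $jail/etc/rndc.key is group- or world-readable"; fails=$((fails + 1))
    fi
    # a setuid/setgid file inside the jail would give a compromised named a way out
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || { echo "FAIL $n setuid/setgid files under $jail"; fails=$((fails + 1)); }
    return $fails
}

if [ "${1:-}" = "--run" ]; then audit_named_chroot "${2:-/chroot}"; fi
```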
Configure the authoritative zones this server is responsible for
To be added later
Troubleshooting
At first I had not added the rndc.key configuration, and starting named produced the following errors
Jul 31 06:34:05 kvm1 named[25481]: /etc/named.conf:14: unknown key 'rndc-key'
Jul 31 06:34:05 kvm1 named[25481]: loading configuration: failure
Jul 31 06:34:05 kvm1 named[25481]: exiting (due to fatal error)
So add rndc.key
rndc-confgen -a
cp /etc/rndc.key /chroot/named/etc/
Then add the following as the first line of /chroot/named/etc/named.conf
include "/etc/rndc.key";
After that named starts normally.