Red Hat Enterprise Linux Network Services and Security Administration Unit 4 - Organizing Networked Systems
Learning objectives
Host Name Resolution
Common name-resolution methods:
1.Files (/etc/hosts and /etc/networks)
2.DNS
3.NIS
Resolvers
# dig
# host
# nslookup
The Stub Resolver
The local glibc resolver library: gethostbyname() resolves names through glibc
# vi /etc/nsswitch.conf
hosts: files dns ← look in /etc/hosts first, then DNS; the order can be changed
DNS-Specific Resolvers
The host command does not read /etc/nsswitch.conf; it queries DNS only. The DNS servers are set in /etc/resolv.conf, and several can be listed.
The dig command does not read /etc/nsswitch.conf either; it uses the DNS servers in /etc/resolv.conf by default but ignores the search list, and prints more detail.
Trace a DNS Query with dig
# dig +trace redhat.com ← walks down the hierarchy one level at a time to find the IP; this is an iterative query
This level-by-level hierarchy is the structure behind an FQDN (fully qualified domain name)
Other Observations
domain: the name the record belongs to
ttl: time remaining in the name server's cache
class: today only the IN class is used
type: A for IPv4, AAAA for IPv6, NS for a name server
rdata: the answer data
Forward Lookups (name to address)
# dig redhat.com
# dig -t AAAA redhat.com ← query the IPv6 address
# dig -t CNAME redhat.com ← query an alias
# dig -t NS redhat.com ← query its name servers
redhat.com. 153282 IN NS ns1.redhat.com.
Reverse Lookups (address to name)
# dig -x 209.132.177.50
;; ANSWER SECTION:
50.177.132.209.in-addr.arpa. 600 IN PTR www.redhat.com.
Mail Exchanger Lookups
# dig -t mx redhat.com ← query the mail exchangers for the domain
;; ANSWER SECTION:
redhat.com. 600 IN MX 10 mx1.redhat.com.
redhat.com. 600 IN MX 20 mx2.redhat.com.
redhat.com. 600 IN MX 5 mx3.redhat.com. ← the server with the lowest preference number is tried first
SOA Lookups: which machine is responsible for the domain, and related information
# dig -t SOA redhat.com
;; ANSWER SECTION:
redhat.com. 127 IN SOA ns1.redhat.com. noc.redhat.com. 2008030500 3600 1800 604800 86400
← primary name server: ns1.redhat.com
administrator e-mail: noc@redhat.com
Serial number: higher means newer data; usually written as a date
Refresh delay before checking serial number
Retry interval for slave servers
Expiration for records when the slave cannot contact its master(s)
Minimum TTL for negative answers ("no such host")
Being Authoritative
# whois redhat.com ← find out who registered the domain
Lame server: a server that has been delegated a zone but is not set up to serve it
The Everything Lookup: dump all the data the DNS server holds for a zone
# dig -t axfr example.com @192.168.0.254 ← pull the zone data through the server 192.168.0.254
Exploring DNS with host
# host -rt ns redhat.com ← query the name servers
# host -r redhat.com ← non-recursive (iterative) query
# host 209.132.177.50 ← reverse lookup
# host -t mx redhat.com ← query the mail servers
# host -t soa redhat.com ← query the SOA
# host -t axfr redhat.com 192.168.0.254 ← dump all the data; unlike dig, no @ before the server
Service Profile: DNS
A System V service
Daemons: /usr/sbin/named, /usr/sbin/rndc
Startup script: /etc/init.d/named
Ports: 53 (domain), 953 (rndc); open both TCP and UDP
Configuration files (under /var/named/chroot/ when chrooted): /etc/named.conf, /var/named/*, /etc/rndc.key
Related packages: caching-nameserver, openssl
Getting Started with BIND
Packages to install: bind, bind-chroot, caching-nameserver
# service named configtest ← check that the configuration file is valid
# service named start
# chkconfig named on
# tail -f /var/log/messages ← watch the log for named's startup messages
Essential named Configuration
/etc/named.conf example:
# vi /etc/named.conf
acl "trusted" {192.168.1.21;} ;
acl "classroom" { 192.168.0.0/24; trusted; };
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
allow-query { any; };
allow-recursion { 192.168.1.0/24; };
forwarders { 168.95.1.1; 139.175.10.20; };
forward only;
allow-transfer { 59.126.40.150; };
};
Configure the Stub Resolver
# vi /etc/resolv.conf
nameserver 127.0.0.1 ← point at the local DNS server
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=no ← in a DHCP environment this keeps /etc/resolv.conf from being overwritten at boot
bind-chroot Package
# vi /etc/sysconfig/named ← this file sets the chroot path
ROOTDIR=/var/named/chroot
When configuring a slave server, check that the zone directory is writable
caching-nameserver Package
Provides named.caching-nameserver.conf and named.ca (the root server 'hints')
# mv named.caching-nameserver.conf named.conf ← rename
# chown root:named named.conf ← change the ownership
# vi named.conf ← edit named.conf
Address Match List
IP address: 192.168.0.1 ← a single address
Trailing dot: 192.168.0. ← every address with that prefix
CIDR: 192.168.0/24 ← the whole network
! negates an element
Example (note the semicolons):
{ 192.168.0.1; 192.168.0.; !192.168.1.0/24; }
Access Control List (ACL): acl definitions
acl "trusted" {192.168.1.21;} ;
acl "classroom" { 192.168.0.0/24; trusted; }; ← trusted was defined above, so it can be used directly
acl "cracker" { 192.168.1.0/24; };
acl "mymasters" { 192.168.0.254; };
acl "myaddresses" { 127.0.0.1; 192.168.0.1; };
Built-In ACLs
Predefined keywords:
none: matches no address
any: matches any address
localhost: the local host's own addresses
localnets: the networks directly attached to the local host
Server Interfaces
listen-on port 53 { match-list; }; ← match-list selects the interfaces the service listens on, and which port
ex. listen-on port 53 { 127.0.0.1; 192.168.1.100; };
ex. listen-on-v6 port 53 { ::1; }; ← serve the local IPv6 interface
listen-on-v6 port 53 { ::1; fe80::202:8aff:fe4b:37a; };
# netstat -ltn | grep 53 ← check that the DNS service is listening
Allowing Queries: who may query
allow-query { match-list; };
allow-query { any; }; ← for an Internet-facing server this is normally any
ex. allow-query { classroom; cracker; }; ← serves classroom and also cracker
If allow-query is not set, the default is to allow any
Allowing Recursion: resolving on the client's behalf
allow-recursion { match-list; };
allow-recursion { classroom; !cracker; }; ← serves classroom but not cracker
If allow-recursion is not set, the default is to allow any
Allowing Transfers: usually the zone data sent to slave servers
allow-transfer { match-list; };
allow-transfer { !cracker; classroom; }; ← normally restricted to the slave servers' addresses
If allow-transfer is not set, the default is to allow any
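Added example (not part of the course notes): a small bash evaluator for BIND address match lists, using the notes' own acl definitions (trusted, classroom, cracker, mymasters, myaddresses) plus the built-ins any and none. It applies the first-match rule, so it shows why { classroom; !cracker; } and { !cracker; classroom; } give different answers for 192.168.1.21, a trusted host that also sits inside cracker's 192.168.1.0/24. Assumptions: localhost and localnets are not modelled, and a negated element inside a nested acl is treated as "no match" for the outer element rather than as a deny; the function names are this example's own.

```shell
#!/bin/bash
# Added example: evaluate a BIND address match list with first-match semantics.

# Expand a named acl to its element list (the acls defined in the notes).
# any/none are BIND built-ins; localhost/localnets are not modelled here (assumption).
acl_expand() {
  case $1 in
    trusted)     echo '192.168.1.21;' ;;
    classroom)   echo '192.168.0.0/24; trusted;' ;;
    cracker)     echo '192.168.1.0/24;' ;;
    mymasters)   echo '192.168.0.254;' ;;
    myaddresses) echo '127.0.0.1; 192.168.0.1;' ;;
    any)         echo '0.0.0.0/0;' ;;
    none)        echo '' ;;
    *)           echo "unknown acl: $1" >&2; echo '' ;;
  esac
}

# Dotted IPv4 -> 32-bit integer.
ip2int() { local IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )); }

# Positive match of one address against a single element:
# exact address, trailing-dot prefix (192.168.0.) or CIDR (192.168.0/24).
elem_match() {
  local ip=$1 e=$2 net bits mask dots
  case $e in
    */*)
      net=${e%/*}; bits=${e#*/}
      dots=${net//[^.]/}
      while [ ${#dots} -lt 3 ]; do net="$net.0"; dots=${net//[^.]/}; done   # 192.168.0 -> 192.168.0.0
      mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
      [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
    *.) case "$ip." in "$e"*) return 0 ;; *) return 1 ;; esac ;;
    *)  [ "$ip" = "$e" ] ;;
  esac
}

# One element, which may be a named acl. A nested list counts only when it
# matches positively (assumption about how nested negation is handled).
entry_matches() {
  case $2 in
    [0-9]*) elem_match "$1" "$2" ;;
    *)      list_matches "$1" "$(acl_expand "$2")" ;;
  esac
}

# First matching element decides: plain element -> allow (0), negated -> deny (1).
# No match at all -> deny, which is what BIND does for access-control lists.
list_matches() {
  local ip=$1 list=$2 e neg
  local IFS=';'
  for e in $list; do
    e=${e//[[:space:]]/}
    [ -z "$e" ] && continue
    neg=0
    if [ "${e#!}" != "$e" ]; then neg=1; e=${e#!}; fi
    if entry_matches "$ip" "$e"; then return $neg; fi
  done
  return 1
}

acl_decision() { if list_matches "$1" "$2"; then echo allow; else echo deny; fi; }

# The notes' allow-recursion list, and the same elements in the other order:
# 192.168.1.21 is allowed by the first (classroom matches before !cracker)
# and denied by the second, because the first matching element wins.
RECURSION='classroom; !cracker;'
RECURSION_SWAPPED='!cracker; classroom;'
for ip in 192.168.0.10 192.168.1.21 192.168.1.50 10.0.0.1; do
  printf '%-14s %-5s (swapped order: %s)\n' "$ip" \
    "$(acl_decision "$ip" "$RECURSION")" "$(acl_decision "$ip" "$RECURSION_SWAPPED")"
done
```

The same rule is why a subset should always be listed before the broader element it sits in: putting !cracker first would also lock out the trusted host, while listing it last means every classroom address is accepted before cracker is ever consulted.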
Modifying BIND Behavior: when the local cache has no answer, ask another server to resolve it
forwarders { match-list; };
forwarders { 168.95.1.1; 139.175.10.20; }; ← usually public DNS servers
forward first | only; ← if the forwarders cannot answer: first falls back to resolving it ourselves, only gives up
forwarders { mymasters; };
forward only;
If forward is not set, the default is forward first
Slave Zone Declaration: building a slave server
# vi /etc/named.conf
zone "example.com" {
type slave;
masters { mymasters; }; ← mymasters must have allow-transfer { ...; }; set to permit this host
file "slaves/example.com.zone"; ← where the zone file is stored; the actual path is /var/named/chroot/var/named/slaves/example.com.zone
};
Master Zone Declaration
zone "example.com" {
type master;
file "example.com.zone"; ← actual path /var/named/chroot/var/named/example.com.zone
};
Field order in a zone file:
domain ttl class R-Type rdata
A few samples:
# vi vblog.tw.zone
$ORIGIN vblog.tw. ← the domain appended to names without a trailing dot
$TTL 86400 ← default TTL; written once here, so it need not be repeated on each record
@ IN SOA ns.vblog.tw. root.mail.vblog.tw. ( ← @ = vblog.tw.; primary server ns.vblog.tw; administrator e-mail root@mail.vblog.tw
42 ; serial (d. adams) ← the parentheses let the record span several lines; otherwise it must be written on one line
3H ; refresh ← a semicolon ; starts a comment
15M ; retry
1W ; expiry
1D ) ; minimum
NS ns.vblog.tw. ← the name server
NS ns2.vblog.tw. ← a second name server (optional)
MX 10 mail.vblog.tw. ← the mail server that receives mail for the domain
ns A 192.168.1.2 ← forward record for ns.vblog.tw; no trailing dot after ns, so vblog.tw. is appended automatically
ns2 A 192.168.1.3 ← forward record for ns2.vblog.tw; no trailing dot after ns2, so vblog.tw. is appended automatically
A 192.168.1.1 ← forward record for vblog.tw itself
ftp.vblog.tw. A 192.168.1.79 ← forward record for ftp.vblog.tw; note the trailing dot on ftp.vblog.tw.
mail A 192.168.1.87 ← forward record for mail.vblog.tw; no trailing dot after mail, so vblog.tw. is appended automatically
smallken CNAME mail ← smallken.vblog.tw. is an alias of mail.vblog.tw.
# service named configtest ← test
# named-checkconf -t /var/named/chroot ← check /etc/named.conf
# named-checkzone vblog.tw /var/named/chroot/var/named/vblog.tw.zone ← check the vblog.tw.zone file
# tail -f /var/log/messages ← debug
Remote Name Daemon Control (rndc)
Manages the DNS server locally or remotely; it authenticates with the matching key in /etc/rndc.key
# rndc flush ← flush the cache
Delegating Subdomains: handing a subdomain to another server
Steps:
1.Start with a domain name
2.Use an NS record to delegate the subdomain downstream
support.example.com. IN NS ns.support.example.com. ← delegates support.example.com to the host ns.support.example.com
ns.support.example.com. IN A 192.168.1.100 ← glue record giving the delegated name server's address
DHCP Overview
DHCP: Dynamic Host Configuration Protocol, provided by the dhcpd daemon
Type: System V
Package: dhcp
Startup script: /etc/init.d/dhcpd
Ports: 67(bootps), 68(bootpc)
Configuration: /etc/dhcpd.conf, /var/lib/dhcpd/dhcpd.leases
Related packages: dhclient, dhcpv6_client, dhcpv6
# yum -y install dhcp
# cat /usr/share/doc/dhcp*/dhcpd.conf.sample ← the sample configuration
# cp /usr/share/doc/dhcp*/dhcpd.conf.sample /etc/dhcpd.conf ← copy the sample to /etc/dhcpd.conf
# vi /etc/dhcpd.conf
ddns-update-style interim;
ignore client-updates;
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.1.254; ← default gateway
option subnet-mask 255.255.255.0;
option domain-name "example.com";
option domain-name-servers 192.168.1.100; ← DNS server
# option time-offset -18000; # Eastern Standard Time ← UTC offset not used here, left commented out
range dynamic-bootp 192.168.1.100 192.168.1.250; ← addresses handed out dynamically, 192.168.1.100 to 192.168.1.250
default-lease-time 21600; ← length of a lease, in seconds
max-lease-time 43200; ← upper limit on the lease length a client may ask for, in seconds
host ns { ← fixed address for a particular machine
next-server marvin.redhat.com; ← server for PXE network boot
hardware ethernet 12:34:56:78:AB:CD; ← the client's MAC address
fixed-address 192.168.1.110; ← the fixed IP
}
# service dhcpd configtest
# service dhcpd start
DHCP address assignment: when a client PC is set to obtain its address via DHCP, after it boots
1.Client → Server: broadcasts a DISCOVER; ordinary hosts ignore it, but a DHCP server responds
2.Server → Client: if an address is available, broadcasts an OFFER
3.Client → Server: sends a REQUEST choosing the settings it wants from the offer (gateway, IP, DNS, ...); the server receives it and records the lease
4.Server → Client: returns an ACK confirming the lease, which takes effect from then on
Lab 4 highlights
Caching nameserver exercise
# yum -y install bind bind-utils bind-chroot caching-nameserver
# grep domain /etc/services
# ldd `which named` | grep libwrap ← named is not linked against tcp_wrappers
# strings `which named` | grep hosts
# semanage fcontext -l | grep named ← SELinux file contexts already defined for named
# getsebool -a | grep named
named_disable_trans --> off
named_write_master_zones --> off
# cat /etc/sysconfig/named ← see where the chroot directory is
# cd /var/named/chroot/etc/
# cp named.caching-nameserver.conf named.conf ← copy the sample to named.conf
# service named configtest ← check the syntax
# service named start
# ls -lZ
# chown root:named named.conf ← fix the ownership
# chmod 640 named.conf ← fix the permissions
# restorecon named.conf ← fix the SELinux context
# ls -lZ
# service named configtest
# service named restart
# chkconfig named on
# vi /etc/sysconfig/iptables
-I INPUT -p tcp -s 192.168.0.0/24 --dport 53 -j ACCEPT ← open port 53 in the firewall for both TCP and UDP
-I INPUT -p udp -s 192.168.0.0/24 --dport 53 -j ACCEPT
# restorecon -R /etc/sysconfig
# cd /var/named/chroot/etc
# vi named.conf
listen-on port 53 { localhost; 192.168.1.99; };
allow-query { localhost; 192.168.1.0/24;};
allow-transfer { localhost; 192.168.1.254;};
forwarders { 168.95.1.1; };
forward only;
# service named configtest
# service named restart
# vi /etc/sysconfig/network-scripts/ifcfg-eth0
PEERDNS=no
# vi /etc/resolv.conf
search example.com
nameserver 127.0.0.1
# dig redhat.com | grep SERVER ← confirm the query went to the local server
# host ptt.cc ← DNS lookups work
Forward zone setup
# cd /var/named/chroot/etc/
# vi named.conf
zone "domainX.example.com" IN {
type master;
file "domainX.example.com.zone";
allow-update { none; };
forwarders {};
};
# service named configtest ← the domainX.example.com.zone file does not exist yet
zone domainX.example.com/IN: loading master file domainX.example.com.zone: file not found
# cd /var/named/chroot/var/named/
# cp localdomain.zone domainX.example.com.zone
# ls -lZ domainX.example.com.zone
# chown root:named domainX.example.com.zone
# chmod 640 !$ ← !$ expands to the last argument of the previous command (chmod 640 domainX.example.com.zone)
# ls -lZ domainX.example.com.zone
# vi domainX.example.com.zone
$TTL 86400
@ IN SOA stationX root (
43 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
@ IN NS stationX
@ IN MX 10 stationX
stationX IN A 192.168.1.102
station1 IN A 192.168.1.1
station2 IN A 192.168.1.2
station5 IN A 192.168.1.5
# service named configtest ← OK
# service named restart
# dig stationX.domainX.example.com @localhost ← force the query through the local server; result OK
# vi /etc/resolv.conf
search domainX.example.com
# host stationX ← OK
stationX.domainX.example.com has address 192.168.1.102
# for num in $(seq 1 10); do ← loop to check that the forward records resolve
> host station$num
> done
station1.domainX.example.com has address 192.168.1.1
station2.domainX.example.com has address 192.168.1.2
Host station3 not found: 3(NXDOMAIN)
Host station4 not found: 3(NXDOMAIN)
station5.domainX.example.com has address 192.168.1.5
Host station6 not found: 3(NXDOMAIN)
Host station7 not found: 3(NXDOMAIN)
Host station8 not found: 3(NXDOMAIN)
Host station9 not found: 3(NXDOMAIN)
Host station10 not found: 3(NXDOMAIN)
# dig -t mx domainX.example.com
;; ANSWER SECTION:
domainX.example.com. 86400 IN MX 10 stationX.domainX.example.com.
# dig -t axfr domainX.example.com ← dump the whole zone
; <<>> DiG 9.3.3rc2 <<>> -t axfr domainX.example.com
;; global options: printcmd
domainX.example.com. 86400 IN SOA stationX.domainX.example.com. root.domainX.example.com. 43 10800 900 604800 86400
domainX.example.com. 86400 IN NS stationX.domainX.example.com.
domainX.example.com. 86400 IN MX 10 stationX.domainX.example.com.
station1.domainX.example.com. 86400 IN A 192.168.1.1
station2.domainX.example.com. 86400 IN A 192.168.1.2
station5.domainX.example.com. 86400 IN A 192.168.1.5
stationX.domainX.example.com. 86400 IN A 192.168.1.102
domainX.example.com. 86400 IN SOA stationX.domainX.example.com. root.domainX.example.com. 43 10800 900 604800 86400
;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Mar 6 09:06:34 2008
;; XFR size: 8 records (messages 1)
# host -l domainX.example.com ← dump the whole zone
domainX.example.com name server stationX.domainX.example.com.
station1.domainX.example.com has address 192.168.1.1
station2.domainX.example.com has address 192.168.1.2
station5.domainX.example.com has address 192.168.1.5
stationX.domainX.example.com has address 192.168.1.102
Reverse zone setup
# cd /var/named/chroot/etc
# vi named.conf
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.0.zone";
allow-update {none;};
forwarders {};
};
# service named configtest ← the 192.168.1.0.zone file has not been created yet
# cd /var/named/chroot/var/named/
# cp named.local 192.168.1.0.zone
# ls -lZ 192.168.1.0.zone
# chown root:named 192.168.1.0.zone
# chmod 640 192.168.1.0.zone
# ls -lZ 192.168.1.0.zone
# vi 192.168.1.0.zone
$TTL 86400
@ IN SOA localhost. root.localhost. (
2008030801 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS stationX.domainX.example.com.
1 IN PTR station1.domainX.example.com.
2 IN PTR station2.domainX.example.com.
5 IN PTR station5.domainX.example.com.
# service named configtest ← OK
# service named restart
# dig -x 192.168.1.1
# for ip in $(seq 1 10); do
> host -t ptr 192.168.1.$ip
> done
1.1.168.192.in-addr.arpa domain name pointer station1.domainX.example.com.
2.1.168.192.in-addr.arpa domain name pointer station2.domainX.example.com.
Host 3.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 4.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
5.1.168.192.in-addr.arpa domain name pointer station5.domainX.example.com.
Host 6.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 7.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 8.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 9.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
Host 10.1.168.192.in-addr.arpa not found: 3(NXDOMAIN)
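Added example (not from the notes): a bash/awk check that the reverse zone agrees with the forward zone, which the loops above only verify by eye. The zone text is constructed from the lab's records, with one extra PTR for a station9 that has no A record; run against the lab data it also reports that stationX (192.168.1.102) has an A record but no PTR in 192.168.1.0.zone. ptr_name, gen_ptr_records and check_forward_reverse are names chosen for this example.

```shell
#!/bin/bash
# Added example: compare PTR records in the reverse zone with A records in the forward zone.
export LC_ALL=C           # sort and comm must agree on collation
ORIGIN=domainX.example.com
REV_NET=192.168.1         # the 1.168.192.in-addr.arpa zone covers this /24

# Constructed zone text modelled on the lab files. The reverse zone carries one
# extra PTR (station9) that has no A record, to show the second kind of drift.
FWD_ZONE='$TTL 86400
@ IN SOA stationX root ( 43 3H 15M 1W 1D )
@ IN NS stationX
@ IN MX 10 stationX
stationX IN A 192.168.1.102
station1 IN A 192.168.1.1
station2 IN A 192.168.1.2
station5 IN A 192.168.1.5'
REV_ZONE='$TTL 86400
@ IN SOA localhost. root.localhost. ( 2008030801 28800 14400 3600000 86400 )
 IN NS stationX.domainX.example.com.
1 IN PTR station1.domainX.example.com.
2 IN PTR station2.domainX.example.com.
5 IN PTR station5.domainX.example.com.
9 IN PTR station9.domainX.example.com.'

# ptr_name 192.168.1.5 -> 5.1.168.192.in-addr.arpa.  (the name "dig -x" asks for)
ptr_name() { local IFS=.; set -- $1; echo "$4.$3.$2.$1.in-addr.arpa."; }

# gen_ptr_records: the PTR lines the reverse zone should contain, derived from
# every A record in the forward zone whose address lies inside REV_NET.
gen_ptr_records() {
  echo "$FWD_ZONE" | awk -v origin="$ORIGIN" -v net="$REV_NET" '
    $2 == "IN" && $3 == "A" && index($4, net ".") == 1 {
      owner = $1
      if (owner == "@")        owner = origin "."
      else if (owner !~ /\.$/) owner = owner "." origin "."     # relative name: append $ORIGIN
      print substr($4, length(net) + 2) " IN PTR " owner         # last octet becomes the PTR owner
    }'
}

# check_forward_reverse: one line per mismatch; no output means the zones agree.
check_forward_reverse() {
  local expected actual
  expected=$(gen_ptr_records | sort)
  actual=$(echo "$REV_ZONE" | awk '$2 == "IN" && $3 == "PTR" { print $1 " IN PTR " $4 }' | sort)
  comm -23 <(echo "$expected") <(echo "$actual") | sed 's/^/missing PTR: /'   # A record, no PTR
  comm -13 <(echo "$expected") <(echo "$actual") | sed 's/^/orphan PTR: /'    # PTR, no A record
}

echo "reverse name for 192.168.1.5: $(ptr_name 192.168.1.5)"
check_forward_reverse
```

Both kinds of drift matter operationally: a missing PTR makes mail and ssh reverse checks fail for that host, and an orphan PTR hands a name to whatever next receives that address.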
Slave server setup
# dig -t axfr example.com @192.168.0.254 ← on the slave, test whether the zone data can be pulled from the master 192.168.0.254
# host -l example.com 192.168.0.254 ← the same test with host (the server is given without @)
Once the master is known to allow this slave to transfer the zone:
# vi named.conf
zone "example.com" IN {
type slave; ← this is a slave
masters { 192.168.0.254; }; ← the master server
file "slave/example.com.zone"; ← the zone file
forwarders {};
};
# service named configtest
# service named restart
# tail -f /var/log/messages ← debug
Note: the slave/ directory must be writable by the named user
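Added example (not from the notes) covering both the SOA fields explained under SOA Lookups and the master/slave relationship set up here: bash functions that pull a field out of a dig SOA answer line, check whether a serial follows the YYYYMMDDnn convention, and compare the master's and slave's serials, which is the quickest way to tell whether a slave has actually transferred the zone after the steps above. The two SOA lines are constructed from the lab zone (master at serial 43, slave still at 42); soa_field, serial_is_dated, zone_sync_status and soa_explain are names chosen for this example.

```shell
#!/bin/bash
# Added example: read SOA fields and compare master/slave serials.
# Constructed sample lines in "dig -t SOA" answer format, modelled on the lab zone.
MASTER_SOA='domainX.example.com. 86400 IN SOA stationX.domainX.example.com. root.domainX.example.com. 43 10800 900 604800 86400'
SLAVE_SOA='domainX.example.com. 86400 IN SOA stationX.domainX.example.com. root.domainX.example.com. 42 10800 900 604800 86400'

# soa_field LINE NAME: print one field (mname rname serial refresh retry expire minimum)
# from a full "dig -t SOA" answer line or from "dig +short -t SOA" output.
soa_field() {
  echo "$1" | awk -v want="$2" '
    {
      off = ($4 == "SOA") ? 4 : 0     # full line: name ttl class SOA ...; +short: mname rname ...
      n = split("mname rname serial refresh retry expire minimum", f, " ")
      for (i = 1; i <= n; i++) if (f[i] == want) print $(off + i)
    }'
}

# serial_is_dated SERIAL: true when the serial follows YYYYMMDDnn, the convention the notes recommend.
serial_is_dated() {
  case $1 in
    [12][0-9][0-9][0-9][01][0-9][0-3][0-9][0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# zone_sync_status MASTER_LINE SLAVE_LINE: a slave serves current data only when its
# serial equals the master's; the other two states each point at a specific fault.
zone_sync_status() {
  local m s
  m=$(soa_field "$1" serial)
  s=$(soa_field "$2" serial)
  if   [ "$m" -eq "$s" ]; then echo in-sync
  elif [ "$m" -gt "$s" ]; then echo slave-stale    # transfer not done yet, or allow-transfer/NOTIFY broken
  else                          echo slave-ahead   # master serial went backwards: the slave will never refresh
  fi
}

# soa_explain LINE: print the timers with the meaning given in the notes.
soa_explain() {
  printf '%-8s %s\n' \
    serial  "$(soa_field "$1" serial) (higher = newer)" \
    refresh "$(soa_field "$1" refresh) s before a slave re-checks the serial" \
    retry   "$(soa_field "$1" retry) s between retries when the master cannot be reached" \
    expire  "$(soa_field "$1" expire) s until a slave stops serving the zone" \
    minimum "$(soa_field "$1" minimum) s TTL for negative answers"
}

soa_explain "$MASTER_SOA"
echo "slave status: $(zone_sync_status "$MASTER_SOA" "$SLAVE_SOA")"
```

In practice the two lines come from dig -t SOA domainX.example.com @master and the same query against the slave; the lab's serial 43 is fine for an exercise but fails serial_is_dated, which is the point of the convention: with a dated serial a colleague can see at a glance when the zone last changed.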
By SmallKen