Translated:How to set up a primary DNS server using CentOS.md

This commit is contained in:
GOLinux 2014-05-20 10:16:13 +08:00
parent 474536b40e
commit 5354a6ccdc
2 changed files with 335 additions and 354 deletions

View File

@ -1,354 +0,0 @@
Translating by GOLinux ...
How to set up a primary DNS server using CentOS
================================================================================
Any operational domain has at least two DNS servers, one being called a primary name server (ns1), and the other a secondary name server (ns2). These servers are typically operated for DNS failover: If one server goes down, the other server becomes an active DNS server. More sophisticated failover mechanisms involving load balancers, firewalls and clusters are also possible.
All DNS entries for a particular domain are added in the primary name server. The secondary server will simply sync all the information from the primary name server based on counter type parameter set on the primary server.
This tutorial will describe **how to create a primary DNS server running on CentOS**. Please note that the DNS server presented in this tutorial will be public DNS, meaning that the server will respond to queries from any IP address. Limiting access to the server is discussed in [this tutorial][].
Before we start, I would like to mention that DNS can be set up with or without chroot jail environment. The chroot jail environment confines the DNS server to a certain directory in the system, as opposed to allow the server system-wide access. That way, any vulnerability of the DNS server would not compromise the entire system. Chrooting a DNS server is also useful for a test deployment.
### Objective ###
We will be setting up a DNS server in a test environment for the domain example.tst, which is a hypothetical (non-existing) domain. That way, we will not accidentally interfere with any other live domain.
In this domain, there are the following three servers.
注:表格代码,只需要翻译尖括号中间的文字即可
<table>
<tbody><tr>
<td>Server</td>
<td>IP address</td>
<td>Hosted services</td>
<td>FQDN</td>
</tr>
<tr>
<td>Server A</td>
<td>172.16.1.1</td>
<td>Mail</td>
<td>mail.example.tst</td>
</tr>
<tr>
<td>Server B</td>
<td>172.16.1.2</td>
<td>Web, FTP</td>
<td>www.example.tst<br>ftp.example.tst</td>
</tr>
<tr>
<td>Server C</td>
<td>172.16.1.3</td>
<td>Primary DNS server</td>
<td>ns1.example.tst</td>
</tr>
</tbody></table>
We will be setting up a primary DNS server, and add necessary domain and DNS records as shown in the table.
### Setting up hostnames ###
All the hostnames should be defined as FQDN correctly. This can be done using the following method.
# vim /etc/sysconfig/network
> HOSTNAME=ns1.example.tst
Note: The hostname parameter specified in this file is used while the server is booting up. Therefore, the change does not take effect immediately. The following command can be used to temporarily change the hostname of a server immediately.
# hostname ns1.example.tst
Once set, hostname can be verified using the following command.
# hostname
> ns1.example.tst
Before proceeding to the next step, make sure that the hostname of all three servers are set properly.
### Installing Packages ###
We will be using bind for DNS, which can be easily installed using yum.
To set up DNS without `chroot`:
# yum install bind bind-chroot
### Preparing a Configuration File ###
As mentioned earlier, bind can be set up with or without chroot. The paths vary a little depending on whether chroot has been installed.
注:表格代码,只需要翻译尖括号中间的文字即可
<table>
<tbody><tr>
<td></td>
<td>Path to configuration file</td>
<td>Path to zone files</td>
</tr>
<tr>
<td>
With <tt>chroot</tt>
</td>
<td>
/etc/
</td>
<td>
/var/named/
</td>
</tr>
<tr>
<td>
Without <tt>chroot</tt>
</td>
<td>
/var/named/chroot/etc/
</td>
<td>
/var/named/chroot/var/named/
</td>
</tr>
</tbody></table>
The configuration file named.conf provided by default can be used. However, we will be using another sample configuration file for ease of use.
Without `chroot`:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /etc/named.conf
With `chroot`:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf
Now, the configuration file is backed up and modified.
Without `chroot`:
# vim /etc/named.conf
With `chroot`:
# vim /var/named/chroot/etc/named.conf
The following lines are added/modified.
options {
## path to zone files ##
directory "/var/named";
## forwarding the query to Google public DNS server for non-local domains ##
forwarders { 8.8.8.8; };
};
## declaration of the forward zone for example.tst ##
zone "example.tst" IN {
type master;
file "example-fz"; ## filename for the forward zone stored in /var/named ##
allow-update { none; };
};
## declaration of reverse zone for network 172.16.1.0 ##
zone "1.16.172.in-addr.arpa" IN {
type master;
file "rz-172-16-1"; ## filename for the reverse zone stored in /var/named ##
allow-update { none; };
};
### Preparing Zone Files ###
The default zone files are automatically created under `/var/named or /var/named/chroot/var/named` (for `chroot`). If they are not available there, sample files are provided in `/usr/share/doc/bind` folder, and can be copied from there.
Assuming that the default zone files are not present, we can copy the sample files from `/usr`.
Without `chroot`:
# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/
With `chroot`:
# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/chroot/var/named
Great. Now that the default zone files are ready, we create our own zone file for example.tst and network 172.16.1.0. While we create the zone files, the following should be kept in mind.
- The characted @ means NULL within the zone files.
- Every FQDN is to end with a dot . i.e. mail.example.tst. Without it, youll be in trouble.
#### 1. Forward Zone ####
The forward zone contains mapping from names to IP addresses. For public domains, the DNS of the domain hosting provider stores the forward zone file.
Without `chroot`:
# vim /var/named/example-fz
With `chroot`:
# vim /var/named/chroot/var/named/example-fz
----------
$TTL 1D
@ IN SOA ns1.example.tst. sarmed.example.tst. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.example.tst.
IN A 172.16.1.3
mail IN A 172.16.1.1
IN MX 10 mail.example.tst.
www IN A 172.16.1.2
ns1 IN A 172.16.1.3
ftp IN CNAME www.example.tst.
**Explanation**: Within the zone file, SOA means start of authority. This is the FQDN of the authoritative name server. The FQDN is followed by the contact email address. Since we cannot use @ in sarmed@example.tst, we rewrite the email address as sarmed.example.tst.
- **NS**: Name Server
- **A**: A record or the address record is an IP address
- **MX**: Mail Exchanger record. Here we are using only one MX with priority of 10. In case of multiple MX, we can use multiple numeric priorities. The lowest number wins. For example, MX 0 is better than MX 1.
- **CNAME**: Canonical Name. If multiple services are hosted in a single server, it is very likely that multiple names would be resolved to that single server as well. CNAME indicates the other names a server may have and points to the name that actually has an A record.
#### 2. Reverse Zone ####
The reverse zone contains mapping from IP address to names. Here, we create the reverse zone for the network 172.16.1.0. In production domains, the DNS server of the owner of the public IP block stores the reverse zone file.
Without `chroot`:
# vim /var/named/rz-172-16-1
With `chroot`
# vim /var/named/chroot/var/named/rz-172-16-1
----------
$TTL 1D
@ IN SOA ns1.example.tst. sarmed.example.tst. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.example.tst.
1 IN PTR mail.example.tst.
2 IN PTR www.example.tst.
3 IN PTR ns1.example.tst.
**Explanation**: Most parameters used in the reverse zone file are identical to the forward zone, except the following.
- PTR: PTR or pointer record points to a FQDN`
### Finalizing ###
Now that the zone files are ready, we adjust the permission of the zone files.
Without `chroot`:
# chgrp named /var/named/*
With `chroot`:
# chgrp named /var/named/chroot/var/named/*
Now we set the IP address of the DNS server.
# vim /etc/resolv.conf
----------
nameserver 172.16.1.3
Finally, we can start the DNS service and make sure it is added to startup.
# service named restart
# chkconfig named on
While the DNS is firing up, it is advisable to keep an eye on the log file /var/log/messages as it contains useful information about what is going on behind the scenes. If there is no error, we can start testing the DNS server.
### Testing DNS ###
We can use dig or nslookup for testing DNS. First, we set up necessary package(s).
# yum install bind-utils
#### 1. Testing Forward Zone using dig ####
When you are using dig for testing, you should always look for the status: "NOERROR". Any other value means that there is something wrong.
# dig example.tst
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31184
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 172.16.1.3
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 172.16.1.3
#### 2. Testing PTR using dig ####
When using dig for testing, you should always look for the status: "NOERROR". Any other value means that there is something wrong.
# dig -x 172.16.1.1
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27415
;; QUESTION SECTION:
;1.1.17.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.1.16.172.in-addr.arpa. 86400 IN PTR mail.example.tst.
;; AUTHORITY SECTION:
1.16.172.in-addr.arpa. 86400 IN NS ns1.example.tst.
;; ADDITIONAL SECTION:
ns1.example.tst. 86400 IN A 172.16.1.3
#### 3. Testing MX using dig ####
# dig example.tst mx
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35405
;; QUESTION SECTION:
;example.tst. IN MX
;; ANSWER SECTION:
example.tst. 14366 IN MX 10 mail.example.tst.
### Troubleshooting Tips ###
1. I have SELinux turned off.
1. Make sure that your firewall is not blocking UDP port 53
1. /var/log/messages should contain useful information in case anything goes wrong
1. Make sure that the zone files are owned by user named
1. Make sure that the IP address of the DNS server is the first entry in /etc/resolv.conf
1. If you are using example.tst in a lab environment, make sure to disconnect the server from the Intenet since example.tst is a non-existent domain.
To sum up, this tutorial focuses on hosting a domain example.tst in a lab environment for demonstration purposes. Please note that this tutorial creates a public DNS server, i.e., a DNS server that will respond to queries from any source IP address. If you are configuring a production DNS server, make sure to check what the policies regarding public DNS are. Other tutorials cover [pcreating a secondary DNS][2], [limiting access to a DNS server][3], and implementing DNSSEC.
Hope this helps.
--------------------------------------------------------------------------------
via: http://xmodulo.com/2014/04/primary-dns-server-using-centos.html
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://xmodulo.com/2014/04/close-open-dns-resolver.html
[2]:http://xmodulo.com/2014/04/secondary-dns-server-centos.html
[3]:http://xmodulo.com/2014/04/close-open-dns-resolver.html
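Review bot: the English source being removed here contains several technical errors that the translation must not carry over verbatim, so they are listed here against the original text for the proofreader. The path table under "Preparing a Configuration File" has its rows swapped: "With chroot" is listed against `/etc/` and `/var/named/`, and "Without chroot" against `/var/named/chroot/etc/` and `/var/named/chroot/var/named/`, the opposite of the paths used by every later "Without chroot" / "With chroot" command. The install step is captioned "To set up DNS without `chroot`" but runs `yum install bind bind-chroot`, which installs the chroot package. "The characted @ means NULL within the zone files" is wrong: `@` is the zone origin, the name from the `zone` statement (`example.tst` here), which is why the owner-less `IN NS ns1.example.tst.` and `IN A 172.16.1.3` lines that inherit `@` from the SOA record describe the domain itself. The dig transcripts were taken from a different setup: the forward-zone output answers for `example.com.` and `ns1.example.com.` although the command is `dig example.tst`, and the PTR question section reads `1.1.17.172.in-addr.arpa.` while the answer and authority sections correctly show `1.1.16.172.in-addr.arpa.` and `1.16.172.in-addr.arpa.`. The cross-reference `[this tutorial][]` has no matching link definition (only `[1]`, `[2]` and `[3]` are defined), so the pointer to the access-limiting follow-up renders as literal text; that matters because the `options` block sets `forwarders { 8.8.8.8; }` but no `listen-on`, `allow-query` or `allow-recursion`, leaving those at BIND defaults, which the article acknowledges by calling the result a public DNS server. Typos: "characted", "youll", "Intenet", "pcreating".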

View File

@ -0,0 +1,335 @@
Translated by GOLinux!
CentOS上配置主DNS服务器
================================================================================
任何运作中的域名至少有两台DNS服务器一台称为主域名服务器ns1而另一台称为从域名服务器ns2。这些服务器通常用于故障转移如果一台宕机另外一台就激活成为DNS服务器。包括负载均衡、防火墙和集群在内的更为复杂的故障转移机制也可实现。
用于特定域的所有DNS条目被添加到主域名服务器从服务器只会根据主服务器上的计数器类型参数从主服务器同步所有信息。
此教程将会讲述**如何创建一台在CentOS上运行的主DNS服务器**。请注意本教程中提到的DNS服务器将会是一台公共DNS服务器这也就是说该服务器将会回应来自任何IP地址的查询。对于服务器的访问控制将在[此教程][]中讨论。
在开始之前我想要提一下的是DNS可以在chroot监牢环境中配置也可以在非chroot监牢环境中配置。chroot监牢环境将DNS服务器限制在系统中某个特定目录中以避免让服务器具有系统范围的访问权限。在此环境中任何DNS服务器的漏洞不会造成整个系统的破坏。将DNS服务器置于chroot环境中对于测试部署也很有用。
### 目标 ###
我们将在基于域名example.tst的测试环境中配置一台DNS服务器这个域名是假定的非真实存在的。这样我们就不会意外干扰到其它存活的域名。
在该域中,有以下三台服务器。
<table>
<tbody><tr>
<td>服务器</td>
<td>IP地址</td>
<td>托管的服务</td>
<td>完全合格域名</td>
</tr>
<tr>
<td>Server A</td>
<td>172.16.1.1</td>
<td>Mail</td>
<td>mail.example.tst</td>
</tr>
<tr>
<td>Server B</td>
<td>172.16.1.2</td>
<td>Web, FTP</td>
<td>www.example.tst<br>ftp.example.tst</td>
</tr>
<tr>
<td>Server C</td>
<td>172.16.1.3</td>
<td>Primary DNS server</td>
<td>ns1.example.tst</td>
</tr>
</tbody></table>
我们将会配置一台主域名服务器并添加上表中必要的域和DNS记录。
### 设置主机名 ###
所有的主机名必须以完全合格域名的方式正确定义,可以通过以下方法完成设置。
# vim /etc/sysconfig/network
> HOSTNAME=ns1.example.tst
注:该文件中指定的主机名参数在服务器启动后才会启用,因此,该设置不会马上生效。下面的命令可以立刻临时性地修改主机名。
# hostname ns1.example.tst
一旦设置,主机名可以通过以下命令验证。
# hostname
> ns1.example.tst
在进入下一步之前,请确保三台服务器上的主机名已经设置正确。
### 安装软件包 ###
我们将使用bind来配置DNS服务该软件可以很方便地通过yum来安装。
安装DNS所需软件包
# yum install bind bind-chroot
### 准备配置文件 ###
正如前面提到的bind可以在chroot环境下配置或者在非chroot环境下配置配置文件的路径会因为是否安装chroot包而不同。
<table>
<tbody><tr>
<td></td>
<td>配置文件路径</td>
<td>区域文件路径</td>
</tr>
<tr>
<td>
不带有 <tt>chroot</tt>
</td>
<td>
/etc/
</td>
<td>
/var/named/
</td>
</tr>
<tr>
<td>
带有 <tt>chroot</tt>
</td>
<td>
/var/named/chroot/etc/
</td>
<td>
/var/named/chroot/var/named/
</td>
</tr>
</tbody></table>
可以使用默认提供的named.conf配置文件但是为了更方便使用我们将使用另外一个配置文件模板。
非`chroot`环境:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /etc/named.conf
`chroot`环境:
# cp /usr/share/doc/bind-9.8.2/sample/etc/named.rfc1912.zones /var/named/chroot/etc/named.conf
现在来备份并修改配置文件。
非`chroot`环境:
# vim /etc/named.conf
`chroot`环境:
# vim /var/named/chroot/etc/named.conf
添加/修改以下行:
options {
## path to zone files ##
directory "/var/named";
## forwarding the query to Google public DNS server for non-local domains ##
forwarders { 8.8.8.8; };
};
## declaration of the forward zone for example.tst ##
zone "example.tst" IN {
type master;
file "example-fz"; ## filename for the forward zone stored in /var/named ##
allow-update { none; };
};
## declaration of reverse zone for network 172.16.1.0 ##
zone "1.16.172.in-addr.arpa" IN {
type master;
file "rz-172-16-1"; ## filename for the reverse zone stored in /var/named ##
allow-update { none; };
};
### 准备区域文件 ###
默认的区域文件会自动创建到`/var/named` 或者`/var/named/chroot/var/named` (`chroot`环境)。如果在这些地方找不到这些文件,`/usr/share/doc/bind`目录中提供了模板文件,可以从这里拷贝。
假设默认区域文件没有提供,我们可以从`/usr`拷贝模板文件。
非`chroot`环境:
# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/
`chroot`环境:
# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/chroot/var/named
太棒了由于现在默认的区域文件已经准备好我们可以为example.tst和172.16.1.0网络创建区域文件了,以下要点必须时刻谨记。
- 区域文件中的特殊字符‘@’意味着空。
- 所有的完全合格域名必须以点‘.结束。如example.tst.如果没有这个点,你会发生问题。
#### 1. 转发区域 ####
转发区域包含了名称到IP地址的映射。对于公共域域名托管提供商的DNS存储了转发区域文件。
非`chroot`环境:
# vim /var/named/example-fz
`chroot`环境:
# vim /var/named/chroot/var/named/example-fz
----------
$TTL 1D
@ IN SOA ns1.example.tst. sarmed.example.tst. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.example.tst.
IN A 172.16.1.3
mail IN A 172.16.1.1
IN MX 10 mail.example.tst.
www IN A 172.16.1.2
ns1 IN A 172.16.1.3
ftp IN CNAME www.example.tst.
**说明**在区域文件中SOA是开始授权的意思。此处是授权名称服务器的完全合格域名。完全合格域名后面跟着的是电子邮件地址。由于不能在sarmed@example.tst这样的格式中使用@符号我们将电子邮件地址重写成sarmed.example.tst.这样的格式。
- **NS**:名称服务器
- **A**: 记录或者地址记录记录IP地址
- **MX**: 邮件交换记录。这里我们只使用一个邮件交换记录设置其优先级为10。如果有多个邮件交换记录我们可以使用多个数值优先级数字小的优先级最高。例如MX 0比MX 1优先级更高。
- **CNAME**: 标准名。如果在一台单一服务器上托管了多个服务也很可能将多个名称解析到此台单一服务器。CNAME指定了一台服务器可能有的其它名称并且将它们指向具有实际A记录的名称。
#### 2. 反向区域 ####
反向区域包含了IP地址到名称的映射。这里我们为172.16.1.0网络创建反向区域。在生产域中公共IP区块的拥有者拥有的DNS服务器存储反向区域文件。
非`chroot`环境:
# vim /var/named/rz-172-16-1
`chroot`环境:
# vim /var/named/chroot/var/named/rz-172-16-1
----------
$TTL 1D
@ IN SOA ns1.example.tst. sarmed.example.tst. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.example.tst.
1 IN PTR mail.example.tst.
2 IN PTR www.example.tst.
3 IN PTR ns1.example.tst.
**说明**:除了下面的参数外,反向区域文件中的大多数参数和转发区域文件中的相同。
- PTR: PTR或者指针记录指向完全合格域名
### 结束工作 ###
既然区域文件已经准备好,我们接下来调整它们的权限。
非`chroot`环境:
# chgrp named /var/named/*
`chroot`环境:
# chgrp named /var/named/chroot/var/named/*
现在我们为DNS服务器设置IP地址。
# vim /etc/resolv.conf
----------
nameserver 172.16.1.3
最后我们可以启动DNS服务并确保将它添加到启动服务中。
# service named restart
# chkconfig named on
DNS服务器开动后建议关注一下日志文件/var/log/messages这里头包含了后台运行的一些有用信息。如果没有发现错误我们可以开始测试DNS服务器。
### 测试DNS ###
我们可以使用dig或者nslookup来测试DNS。首先我们需要安装必要的软件包。
# yum install bind-utils
#### 1. 使用dig测试转发区域 ####
使用dig来测试时必须时刻关注状态信息“NOERROR”任何其它值都表明存在问题。
# dig example.tst
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31184
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 86400 IN A 172.16.1.3
;; AUTHORITY SECTION:
example.com. 86400 IN NS ns1.example.com.
;; ADDITIONAL SECTION:
ns1.example.com. 86400 IN A 172.16.1.3
#### 2. 使用dig测试PTR记录 ####
使用dig来测试时必须时刻关注状态信息“NOERROR”任何其它值都表明存在问题。
# dig -x 172.16.1.1
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27415
;; QUESTION SECTION:
;1.1.17.172.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.1.16.172.in-addr.arpa. 86400 IN PTR mail.example.tst.
;; AUTHORITY SECTION:
1.16.172.in-addr.arpa. 86400 IN NS ns1.example.tst.
;; ADDITIONAL SECTION:
ns1.example.tst. 86400 IN A 172.16.1.3
#### 3. 使用dig测试MX记录 ####
# dig example.tst mx
----------
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35405
;; QUESTION SECTION:
;example.tst. IN MX
;; ANSWER SECTION:
example.tst. 14366 IN MX 10 mail.example.tst.
### 排障提示 ###
1. 我已经把SELinux关闭。
1. 保证防火墙没有阻挡UDP 53端口
1. 万一出错,可在/var/log/messages中查看到有用的信息
1. 确保区域文件的拥有者为named
1. 确保DNS服务器的IP地址是/etc/resolv.conf中的第一条目
1. 如果你使用example.tst作为实验环境确保将服务器从互联网断开因为example.tst是一个不存在的域。
最后小结该教程关注的是实验环境中配置example.tst域用作为演示。请注意该教程中创建了一台公共DNS服务器此服务器会回应来自任何源IP地址的查询。如果你是在配置DNS生产服务器请确保检查与公共DNS相关的策略。其它教程涵盖了[创建从DNS服务器][2], [限制对DNS服务器的访问][3]以及部署DNSSEC。
希望此教程对您有所帮助。
--------------------------------------------------------------------------------
via: http://xmodulo.com/2014/04/primary-dns-server-using-centos.html
译者:[GOLinux](https://github.com/GOLinux) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://xmodulo.com/2014/04/close-open-dns-resolver.html
[2]:http://xmodulo.com/2014/04/secondary-dns-server-centos.html
[3]:http://xmodulo.com/2014/04/close-open-dns-resolver.html
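Review bot: the translation reproduces the source's technical errors rather than correcting or annotating them, and they should be fixed before proofreading: the path table still lists "不带有 chroot" against `/etc/` and `/var/named/` and "带有 chroot" against the `/var/named/chroot/...` paths, the reverse of every later "非chroot环境" / "chroot环境" command; "区域文件中的特殊字符'@'意味着空" repeats the "@ means NULL" mistake (`@` is the zone origin, `example.tst` here, which the owner-less `IN NS` and `IN A` lines after the SOA inherit); the output shown for `dig example.tst` still answers for `example.com.` and `ns1.example.com.`, and the PTR question line still reads `1.1.17.172.in-addr.arpa.` against the `1.1.16.172.in-addr.arpa.` answer; `[此教程][]` has no link definition, so `[1]` is defined but never referenced. Retitling the install step "安装DNS所需软件包" instead of the source's "without chroot" caption is a correct fix and should stay. Terminology: "转发区域" for "forward zone" collides with the `forwarders { 8.8.8.8; }` option in the same file, where the comment really does mean forwarding; the usual term for the name-to-address zone is "正向区域", matching "反向区域" for the reverse zone. The A-record bullet "**A**: 记录或者地址记录记录IP地址" lost the word "A" before "记录" and its comma ("A记录或者地址记录,记录IP地址"), and the FQDN example "如example.tst." replaced the source's `mail.example.tst.`. The `校对:[校对者ID]` placeholder is still unfilled, which is expected for a "Translated" commit but must not reach the final file.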