
Installing DNS on Linux: rndc-confgen hangs with no output

January 27, 2010 | eric

A few days ago a friend asked me whether I had ever run into rndc-confgen hanging with no output while setting up DNS on Linux. I really hadn't. He was in a hurry, so I had him send me SSH access and connected to take a look: running rndc-confgen simply hung, and the only way out was ctrl+c. I then ran rndc-confgen --help and noticed the randomfile option. I remembered that this is the source of random data, so it had to be related, and a quick google confirmed it on the official website:

This is the note on the official website:
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

Roughly, it means the server has no random-number source; in that case we make a file by hand to stand in for /dev/random.

OK, enough chatter; here is how I fixed it for him.

Test domain: www.nginxs.com

shell $> wget http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz

shell $> tar zxvf bind-9.6.1-P3.tar.gz
shell $> cd bind-9.6.1-P3
shell $> ./configure --prefix=/usr/local/named --enable-epoll --enable-openssl-version-check --enable-threads --disable-ipv6 --enable-largefile
shell $> make
shell $> make install
shell $> cd /usr/local/named/etc
### This is where the problem shows up: no response at all, so google it ##
shell $> ../sbin/rndc-confgen > rndc.conf
### Create a file named random and type an arbitrary string of characters into it (remember to make it long)
shell $> vim random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl

### Look at the rndc-confgen help
shell $> ../sbin/rndc-confgen --help
rndc-confgen: invalid argument --
Usage:
 rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] [-s addr] [-t chrootdir] [-u user]
  -a:           generate just the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)
  -b bits:      from 1 through 512, default 128; total length of the secret
  -c keyfile:   specify an alternate key file (requires -a)
  -k keyname:   the name as it will be used  in named.conf and rndc.conf
  -p port:      the port named will listen on and rndc will connect to
  -r randomfile: a file containing random data
  -s addr:      the address to which rndc should connect
  -t chrootdir: write a keyfile in chrootdir as well (requires -a)
  -u user:      set the keyfile owner to "user" (requires -a)
shell $> ../sbin/rndc-confgen -r random > rndc.key
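
Added example, not from the original post: a POSIX shell script that builds the random file for rndc-confgen -r from /dev/urandom instead of from typed characters, and rejects a candidate file that is too short or contains too few distinct byte values before it is handed to rndc-confgen (rndc-confgen derives the HMAC secret from that file, so a typed string that repeats a handful of keys yields a far more guessable secret than its 128 bits suggest). The file paths, sizes and thresholds are assumptions.

```shell
# Added example, not from the original post: build the random file for
# rndc-confgen -r from /dev/urandom instead of typing a string, and reject a
# candidate file that is short or has too few distinct byte values (a typed
# string such as "asdkfj..." repeats a handful of keys, so the rndc secret
# derived from it is far more guessable than its 128 bits suggest).
# Paths and thresholds are assumptions, not values from the post.

# Kernel entropy estimate (Linux); prints 0 where the file does not exist.
entropy_avail() { cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0; }

# Write $2 (default 512) bytes from /dev/urandom to $1, readable only by the owner.
make_random_file() {
    file=$1; nbytes=${2:-512}
    : > "$file" && chmod 600 "$file" || return 1
    dd if=/dev/urandom of="$file" bs=1 count="$nbytes" 2>/dev/null
}

# Number of distinct byte values (0..256) in a file.
distinct_bytes() {
    od -An -tu1 -v "$1" | tr -s ' ' '\n' | grep -v '^$' | sort -un | wc -l | tr -d ' '
}

# Accept a random file only if it has at least $2 bytes and $3 distinct values:
# 512 bytes of /dev/urandom show roughly 220 distinct values, typed text about 10.
check_random_file() {
    file=$1; min_bytes=${2:-256}; min_distinct=${3:-100}
    [ -r "$file" ] || { echo "reject: cannot read $file"; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    distinct=$(distinct_bytes "$file")
    if [ "$size" -lt "$min_bytes" ]; then
        echo "reject: only $size bytes"; return 1
    fi
    if [ "$distinct" -lt "$min_distinct" ]; then
        echo "reject: only $distinct distinct byte values, looks typed"; return 1
    fi
    echo "ok: $size bytes, $distinct distinct byte values"
}

# The post's key-generation step, fed a checked random file; the rndc-confgen
# path is the --prefix the post built with.
gen_rndc_key() {
    rnd=${1:-./rndc.random}
    make_random_file "$rnd" 512 && check_random_file "$rnd" || return 1
    /usr/local/named/sbin/rndc-confgen -r "$rnd" > rndc.key
    rm -f "$rnd"
}
```

Run gen_rndc_key in /usr/local/named/etc to produce rndc.key the same way the post does; a low entropy_avail value is the condition under which rndc-confgen blocks without -r.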

OK, problem solved. Next let's configure our name server.
#### Extract the key that named.conf needs from rndc.key and generate named.conf; of course you can also copy the uncommented part of rndc.key into named.conf
shell $> tail -10 rndc.key | head -9 | sed 's/# //g' > named.conf
shell $> cat named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

#### The dig command generates the named.root file directly; this is the standard root hints file.
#### With it, whatever the local DNS cannot resolve itself gets asked of the root servers.

shell $> dig > named.root

Configure named.conf

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        listen-on       { 192.168.6.44; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};
zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

Create the zone file

shell $> mkdir dynamic
shell $> vim dynamic/www.nginxs.com
$TTL    86400
$ORIGIN ludy.com.
@       IN      SOA     nginxs.com. root.nginxs.com. (
                        2009072901      ; serial
                        68400           ; refresh
                        86400           ; retry
                        3600000         ; expire
                        36000   )       ; minimum (negative caching TTL)
        IN      NS      ns.nginxs.com.
        IN      MX      10 mail.nginxs.com.
www     IN      A       192.168.6.44
mail    IN      A       192.168.6.44
ns      IN      A       192.168.6.44

Since I don't need reverse resolution, I don't set it up. Then start named in debug mode and see whether there are any errors.
shell $> ../sbin/named -g
27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g
27-Jan-2010 02:48:57.508 built with '--prefix=/usr/local/named' '--enable-epoll' '--enable-openssl-version-check' '--enable-threads' '--disable-ipv6' '--enable-largefile'
27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576
27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread
27-Jan-2010 02:48:57.510 using up to 4096 sockets
27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’
27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]
27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]
27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53
27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA
27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953
27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -g option
27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901
27-Jan-2010 02:48:57.552 running
27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)

OK, it works.

At this point the DNS server is still not very secure, because it is exposed to the public internet. If you only want to serve your own domain's records, turn off recursive queries from untrusted users.

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "bMXdKGcP5tqUFUnG7CTzmw==";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

acl "trusted" {
        192.168.6.0/24;
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        listen-on       { 192.168.6.105; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};

zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

Personally I feel that when allow-recursion is not set, allow-query-cache can take over the role of allow-recursion; there is an inheritance relationship between them. If you want to block users' recursive queries, you also need to turn off the allow-query-cache option, otherwise users may still get data out of the cache. Above I set up an acl rule to specify which users may use your DNS server.

Next, find a machine on the 192.168.6.0/24 network and test it, as shown in the picture:

[Figure: querying www.nginxs.com from a host on 192.168.6.0/24]

Done.

Please credit reprints: this article is reprinted from Eric's linux and nginx! (http://www.nginxs.com)
Article URL: http://www.nginxs.com/linux/43.html
