
Installing DNS on Linux: rndc-confgen hangs with no response

January 27, 2010, by eric

A few days ago a friend asked me whether I had ever run into rndc-confgen hanging with no response while setting up DNS on Linux. I really had not. He was in a hurry, so I had him send me SSH access and connected to take a look: running rndc-confgen simply hung, and the only way out was to interrupt it with Ctrl+C. I then looked at rndc-confgen --help, noticed the randomfile option, and recalled that it is tied to the random-number source, so the two had to be related. A Google search confirmed it; on the official site I found this message:
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

Roughly, this means the server has no random-number source. In that case we manually fake a file to stand in for /dev/random.

Enough talk; here is how I solved it for him.

Test domain: www.nginxs.com

shell $>wget http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz

shell $> tar zxvf bind-9.6.1-P3.tar.gz
shell $> cd bind-9.6.1-P3
shell $> ./configure --prefix=/usr/local/named --enable-epoll --enable-openssl-version-check --enable-threads --disable-ipv6 --enable-largefile
shell $> make
shell $> make install
shell $> cd /usr/local/named/etc
### This is where the problem appears: no response. Time to Google. ##
shell $> ../sbin/rndc-confgen > rndc.conf
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

### Create a file named random and type an arbitrary string into it; remember to make it long ~~
shell $> vim random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl

### Look at the rndc-confgen help
shell $> ../sbin/rndc-confgen --help
rndc-confgen: invalid argument --
Usage:
 rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] [-s addr] [-t chrootdir] [-u user]
  -a:           generate just the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)
  -b bits:      from 1 through 512, default 128; total length of the secret
  -c keyfile:   specify an alternate key file (requires -a)
  -k keyname:   the name as it will be used  in named.conf and rndc.conf
  -p port:      the port named will listen on and rndc will connect to
  -r randomfile: a file containing random data
  -s addr:      the address to which rndc should connect
  -t chrootdir: write a keyfile in chrootdir as well (requires -a)
  -u user:      set the keyfile owner to "user" (requires -a)
shell $> ../sbin/rndc-confgen -r random > rndc.key
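As an added example (not from the original post), here is how to take the key material from a real kernel CSPRNG instead of a hand-typed file: a string typed at the keyboard is guessable, so an rndc secret derived from it is weak even though rndc-confgen stops hanging. The script assumes a POSIX sh with head and base64 available; it emits the same key and controls clauses that rndc-confgen writes, and where rndc-confgen itself is present the device it finds can equally be passed with the -r option shown above.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND.
# Picks a real entropy device and builds an rndc key clause from it.

# entropy_source: print the first usable kernel entropy device, fail if none.
# A character device is required; a regular file of typed text is not entropy.
entropy_source() {
    for dev in /dev/urandom /dev/random; do
        if [ -c "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    return 1
}

# gen_secret BITS: base64 secret of BITS bits (default 128, as rndc-confgen -b 128).
gen_secret() {
    bits="${1:-128}"
    bytes=$(( bits / 8 ))
    src=$(entropy_source) || return 1
    head -c "$bytes" "$src" | base64 | tr -d '\n'
}

# rndc_key_clause [NAME]: emit key and controls clauses in the layout
# rndc-confgen produces, ready to paste into named.conf / rndc.conf.
# hmac-md5 matches the BIND 9.6 output on this page; newer BIND defaults
# to hmac-sha256, which is the better choice where supported.
rndc_key_clause() {
    name="${1:-rndc-key}"
    secret=$(gen_secret 128) || return 1
    cat <<EOF
key "$name" {
        algorithm hmac-md5;
        secret "$secret";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "$name"; };
};
EOF
}

# Usage: rndc_key_clause rndc-key > rndc.key
```

If rndc-confgen is installed, `rndc-confgen -r "$(entropy_source)" > rndc.key` achieves the same with the stock tool.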

OK, problem solved. Next, let's configure our name server.
#### Extract the key clause that named.conf needs from rndc.key to produce named.conf; you can equally copy the relevant part of rndc.key into named.conf by hand and drop the "# " comment markers.
shell $> tail -10 rndc.key | head -9 | sed 's/# //g' > named.conf
shell $> cat named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

#### Generate the named.root file directly with dig. This is a very standard file:
#### with it, anything the local DNS cannot resolve is asked upstream at the root servers.

shell $> dig > named.root

Configure named.conf

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        listen-on       { 192.168.6.44; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};
zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

Create the zone file

shell $> mkdir dynamic
shell $> vim dynamic/www.nginxs.com
$TTL    86400
$ORIGIN ludy.com.
@       IN      SOA     nginxs.com. root.nginxs.com. (
                        2009072901      ; serial
                        68400           ; refresh
                        86400           ; retry
                        3600000         ; expire
                        36000   )       ; minimum (negative-caching TTL)
        IN      NS      ns.nginxs.com.
        IN      MX      10 mail.nginxs.com.
www     IN      A       192.168.6.44
mail    IN      A       192.168.6.44
ns      IN      A       192.168.6.44

Since I do not need reverse resolution, I did not set it up. Now start named in debug mode to see whether there are any errors.
shell $> ../sbin/named -g
27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g
27-Jan-2010 02:48:57.508 built with '--prefix=/usr/local/named' '--enable-epoll' '--enable-openssl-version-check' '--enable-threads' '--disable-ipv6' '--enable-largefile'
27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576
27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread
27-Jan-2010 02:48:57.510 using up to 4096 sockets
27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’
27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]
27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]
27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53
27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA
27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953
27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -g option
27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901
27-Jan-2010 02:48:57.552 running
27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)

OK, it works.

The DNS server is still not very secure at this point, because it is exposed to the public Internet. If all you want is to serve your own domain, shut off recursive queries from outside users.

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "bMXdKGcP5tqUFUnG7CTzmw==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

// acl statements must be terminated with a semicolon, like every other clause
acl "trusted" {
        192.168.6.0/24;
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        listen-on       { 192.168.6.105; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};

zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

My personal feeling is that, when allow-recursion is not set, allow-query-cache can take over the role of allow-recursion; there is an inheritance relationship between them. If you want to deny users' recursive queries, you also need to close the allow-query-cache option, otherwise users may still be able to read data out of the cache. Above, I set up an acl rule to specify which users may use your DNS server.
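To confirm that the allow-recursion and allow-query-cache restriction actually took effect, the added example below (not part of the original post) classifies a dig response: from an untrusted host the server should now answer its own zone without the RA flag ("authoritative-only") or return REFUSED for other names, while a host on the trusted 192.168.6.0/24 segment still sees RA set. It assumes a POSIX sh with grep; the sample dig header lines are constructed for offline testing, and check_resolver needs a reachable server plus the dig binary.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND.
# Verifies the recursion lockdown by reading dig output.

# classify_response: read dig output on stdin and print one of
#   open-resolver      -- the server set the RA flag (recursion offered)
#   refused            -- status REFUSED (query or recursion denied)
#   authoritative-only -- answered with AA set but without RA
#   unknown            -- none of the above (timeout, truncated output, ...)
classify_response() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -E '^;; flags:.* ra[ ;]'; then
        echo open-resolver
    elif printf '%s\n' "$out" | grep -q -E 'status: REFUSED'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q -E '^;; flags:.* aa[ ;]'; then
        echo authoritative-only
    else
        echo unknown
    fi
}

# check_resolver SERVER NAME: query a live server and classify the result.
# Run it from outside the trusted acl with a name the server is not
# authoritative for; anything but "refused" means recursion is still open.
check_resolver() {
    dig @"$1" "$2" A +tries=1 +time=3 | classify_response
}

# Constructed dig header lines, modelled on real dig output, for offline tests.
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 3
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Usage against the server on this page, from an untrusted host:
#   check_resolver 192.168.6.105 www.nginxs.com   (expect authoritative-only)
#   check_resolver 192.168.6.105 example.com      (expect refused)
```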

Next, let's find a machine on the 192.168.6.0/24 segment and test, as shown in the figure:

[Figure: querying www.nginxs.com from the test machine]

Done.

When reposting, please cite the source: Eric's linux and nginx! (http://www.nginxs.com)
Permalink: http://www.nginxs.com/linux/43.html
