
Installing DNS on Linux: rndc-confgen does not respond

January 27, 2010, by eric

A few days ago a friend asked me whether, when setting up Linux, I had ever run into rndc-confgen giving no response. I really had not. He was in a hurry, so I asked him to send me SSH access and connected to take a look: running rndc-confgen simply hung, and the only way out was Ctrl+C to interrupt it. Then I read through rndc-confgen --help and noticed the randomfile option. I remembered that this is a generator of some kind, so it had to be related, and a Google search confirmed it. On the official site I found this:

On the official website I saw this message:
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

Roughly, it means the server has no random-number generator; in that case we fake a file by hand to stand in for /dev/random.

OK, enough talk, here is how I fixed it for him.

Test domain: www.nginxs.com

shell $> wget http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz

shell $> tar zxvf bind-9.6.1-P3.tar.gz
shell $> cd bind-9.6.1-P3
shell $> ./configure --prefix=/usr/local/named --enable-epoll --enable-openssl-version-check --enable-threads --disable-ipv6 --enable-largefile
shell $> make
shell $> make install
shell $> cd /usr/local/named/etc
### This is where the problem shows up: no response, so off to Google ##
shell $> ../sbin/rndc-confgen > rndc.conf
### Create a random file and type a random string of characters into it (remember to make it long)
shell $> vim random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl

### Look at the rndc-confgen help
shell $> ../sbin/rndc-confgen --help
rndc-confgen: invalid argument -
Usage:
 rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-r randomfile] [-s addr] [-t chrootdir] [-u user]
  -a:           generate just the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)
  -b bits:      from 1 through 512, default 128; total length of the secret
  -c keyfile:   specify an alternate key file (requires -a)
  -k keyname:   the name as it will be used  in named.conf and rndc.conf
  -p port:      the port named will listen on and rndc will connect to
  -r randomfile: a file containing random data
  -s addr:      the address to which rndc should connect
  -t chrootdir: write a keyfile in chrootdir as well (requires -a)
  -u user:      set the keyfile owner to "user" (requires -a)
shell $> ../sbin/rndc-confgen -r random > rndc.key
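One thing to keep in mind about the workaround above: the rndc secret is derived from whatever -r points at, so a hand-typed file of repeated letters gives a key that is only as unpredictable as that typing. The script below is an added example, not part of the original post or of BIND: it fills the random file from /dev/urandom instead, and it includes a sanity check that rejects a file which is too short or has too few distinct byte values (a hand-typed file like the one above fails it). The function names make_randomfile, count_distinct_bytes and randomfile_ok are my own.

```shell
#!/bin/sh
# Added example: produce and sanity-check a randomness file for
# "rndc-confgen -r FILE". Function names are assumptions of this example.

# Write N bytes (default 512) from the kernel CSPRNG into FILE, mode 0600.
make_randomfile() {
    out="$1"; n="${2:-512}"
    [ -c /dev/urandom ] || return 1
    ( umask 077; dd if=/dev/urandom of="$out" bs=1 count="$n" 2>/dev/null )
}

# Print how many distinct byte values (0..256) occur in FILE.
count_distinct_bytes() {
    od -An -v -tu1 "$1" | tr -s ' ' '\n' | grep -v '^$' | sort -n | uniq | wc -l | tr -d ' '
}

# Return 0 only if FILE has at least MIN_BYTES bytes (default 128) and at
# least MIN_DISTINCT distinct byte values (default 64). A file typed at the
# keyboard, such as "asdkfjalsjdfl...", has only a handful and is rejected.
randomfile_ok() {
    f="$1"; min_bytes="${2:-128}"; min_distinct="${3:-64}"
    [ -f "$f" ] || return 1
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -ge "$min_bytes" ] || return 1
    distinct=$(count_distinct_bytes "$f")
    [ "$distinct" -ge "$min_distinct" ] || return 1
    return 0
}
```

Usage on the server from the post would be `make_randomfile random 512 && randomfile_ok random && ../sbin/rndc-confgen -r random > rndc.key`. Since -r accepts a device as well as a file, `rndc-confgen -r /dev/urandom` is the shorter route on any kernel that provides it; the file-based variant is for the case the post describes, where you want to inspect what the key was generated from.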

OK, problem solved. Next, let's configure our name server.
#### Extract the key that named.conf needs from rndc.key and generate named.conf from it; you can also just copy the content of rndc.key, without the comment markers, into named.conf
shell $> tail -10 rndc.key | head -9 | sed 's/# //g' > named.conf
shell $> cat named.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

#### The dig command generates the named.root file directly; it is a very standard file.
#### With it, whatever the local DNS cannot resolve gets asked further up.

shell $> dig > named.root

Configure named.conf

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "O0SuB34RK+E3r+m5Fbh2eA==";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        listen-on       { 192.168.6.44; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};
zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

Create the zone file

shell $> mkdir dynamic
shell $> vim dynamic/www.nginxs.com
$TTL    86400
$ORIGIN ludy.com.
@       IN      SOA     nginxs.com. root.nginxs.com. (
                        2009072901      ; serial
                        68400           ; refresh
                        86400           ; retry
                        3600000         ; expire
                        36000 )         ; minimum (negative-caching TTL)
        IN      NS      ns.nginxs.com.
        IN      MX      10 mail.nginxs.com.
www     IN      A       192.168.6.44
mail    IN      A       192.168.6.44
ns      IN      A       192.168.6.44

Since I don't need reverse resolution, I don't set it up. Then start named in debug mode to see whether there are any errors.
shell $> ../sbin/named -g
27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g
27-Jan-2010 02:48:57.508 built with '--prefix=/usr/local/named' '--enable-epoll' '--enable-openssl-version-check' '--enable-threads' '--disable-ipv6' '--enable-largefile'
27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576
27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread
27-Jan-2010 02:48:57.510 using up to 4096 sockets
27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’
27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]
27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]
27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53
27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA
27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953
27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -g option
27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901
27-Jan-2010 02:48:57.552 running
27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)

OK, it works.

Right now the DNS server is still not very secure, because your DNS is exposed to the public Internet. If all you want is to serve name resolution for your own domains, turn off (recursive) queries from outside users.

shell $> vim named.conf

key "rndc-key" {
        algorithm hmac-md5;
        secret "bMXdKGcP5tqUFUnG7CTzmw==";
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl "trusted" {
        192.168.6.0/24;
};

options {
        // Relative to the chroot directory, if any
        directory       "/usr/local/named/etc";
        pid-file        "/usr/local/named/var/run/named/pid";
        dump-file       "/usr/local/named/var/dump/named_dump.db";
        statistics-file "/usr/local/named/var/stats/named.stats";
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        listen-on       { 192.168.6.105; };
        forwarders {
                202.106.0.20;
        };
};

zone "." {
        type hint;
        file "/usr/local/named/etc/named.root";
};

zone "ludy.com" {
        type master;
        file "dynamic/www.nginxs.com";
};

My personal feeling is that allow-query-cache, when allow-recursion is not set, can take over the role of allow-recursion; there is an inheritance relationship between them. If you want to forbid recursive queries from users, you also need to close the allow-query-cache option, otherwise users may still be able to get data out of the cache. Above, I created an ACL rule to specify which users may use your DNS server.
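A quick way to keep the two options above from silently regressing is to lint named.conf for them before reloading. The script below is an added example, not part of the original post and not a BIND tool: it reads the ACL list of allow-recursion and allow-query-cache from an options block written in the one-line form used above, and fails when either is absent or opened to "any". The function names acl_of, lint_recursion and write_samples, and the two sample configuration files they work on (a reduced "before" and "after" of the post's options block), are constructed for this example.

```shell
#!/bin/sh
# Added example: lint the recursion controls in a named.conf.
# Function names and sample files are constructed for this example.

# Print the ACL list of one option (e.g. "trusted"), or "unset" when the
# option does not occur. Matches the one-line form "allow-recursion { trusted; };".
acl_of() {
    conf="$1"; opt="$2"
    val=$(sed -n "s/^[[:space:]]*$opt[[:space:]]*{\(.*\)};.*/\1/p" "$conf" \
          | head -n 1 | tr -d ' \t;')
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf 'unset\n'; fi
}

# Return 0 when both allow-recursion and allow-query-cache are set explicitly
# and neither is "any"; print one line per option; return 1 otherwise.
lint_recursion() {
    conf="$1"; rc=0
    for opt in allow-recursion allow-query-cache; do
        acl=$(acl_of "$conf" "$opt")
        case "$acl" in
            unset) echo "FAIL: $opt not set explicitly (relies on BIND's default)"; rc=1 ;;
            any)   echo "FAIL: $opt { any; } answers recursive queries for everyone"; rc=1 ;;
            *)     echo "ok:   $opt restricted to { $acl; }" ;;
        esac
    done
    return $rc
}

# Constructed samples: the options block before and after the change in the post,
# reduced to the lines the lint looks at.
write_samples() {
    dir="$1"
    cat > "$dir/open.conf" <<'EOF'
options {
        directory       "/usr/local/named/etc";
        allow-query { any; };
        listen-on       { 192.168.6.105; };
};
EOF
    cat > "$dir/restricted.conf" <<'EOF'
acl "trusted" { 192.168.6.0/24; };
options {
        directory       "/usr/local/named/etc";
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        listen-on       { 192.168.6.105; };
};
EOF
}
```

Run it as `lint_recursion /usr/local/named/etc/named.conf` before `rndc reload`; the first configuration in this post fails both checks, the second passes. It only understands the single-line option form used here, so a multi-line `allow-recursion {` block would show up as "unset" and should be checked by hand (or with named-checkconf, which validates syntax but not policy).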

Now let's find a machine on the 192.168.6.0/24 network and test it, as shown in the figure:

(screenshot: querying www.nginxs.com)

Done.

When reposting, please credit: reposted from Eric's linux and nginx! (http://www.nginxs.com)
Original URL: http://www.nginxs.com/linux/43.html
