转自一论坛网友的帖子


linux安装dns,rndc-confgen没反应


前几天,一位朋友问我安装linux 的时候有没有遇到执行rndc-confgen没反应的情况,我还真没有遇到过,朋友很急,我就让他把SSH 发过来,我连过去帮他看了一下,执行rndc-confgen就卡住了,不懂了只能ctrl+c 中断操作,后来我看了下rndc-confgen –help 看到randomfile,我印象这个是个生成器,应该跟他有关系,google 后果然没错在官网上看到:

在官方网站上看到这么一条信息
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

大概意思就是服务器上没有random产生器,这种情况下我们就手动伪造一个文件代替/dev/random的功能

好了废话不多说了,看我是怎么给他解决的吧

测试域名: www.nginxs.com

shell $>wget http://ftp.isc.org/isc/bind9/9.6.1-P3/bind-9.6.1-P3.tar.gz

shell $> tar zxvf bind-9.6.1-P3.tar.gz
shell $> cd bind-9.6.1-P3
shell $> ./configure –prefix=/usr/local/named –enable-epoll–enable-openssl-version-check –enable-threads –disable-ipv6 –enable-largefile
shell $> make
shell $> make install
shell $> cd /usr/local/named/etc
###
问题就出在这里了,没反映,google##
shell $> ../sbin/rndc-confgen > rndc.conf
在官方网站上看到这么一条信息
You must use the keyboard to create entropy, since your system is lacking
/dev/random (or equivalent)

start typing:
rndc-confgen: generate key: out of entropy

大概意思就是服务器上没有random产生器,这种情况下我们就手动伪造一个文件代替/dev/random的功能
###新建一个 random 文件随即输入一串数字“记得要长~~
shell $> vim random
asdkfjalsjdflajsldfjlasjdflajsldfjalsjdflajslfjalsjflasjfl

###查看 rndc-confgen 帮助
shell $> ../sbin/rndc-confgen –help
rndc-confgen: invalid argument –
Usage:
 rndc-confgen [-a] [-b bits] [-c keyfile] [-k keyname] [-p port] [-rrandomfile] [-s addr] [-t chrootdir] [-u user]
  -a:           generatejust the key clause and write it to keyfile (/usr/local/named/etc/rndc.key)
  -b bits:      from 1 through 512, default 128;total length of the secret
  -c keyfile:   specify an alternate key file (requires -a)
  -k keyname:   the name as it will be used  in named.confand rndc.conf
  -p port:      the port named will listen on andrndc will connect to
  -r randomfile: a file containing random data
  -s addr:      the address to which rndc shouldconnect
  -t chrootdir: write a keyfile in chrootdir as well (requires -a)
  -u user:      set the keyfile owner to “user”(requires -a)
shell $> ../sbin/rndc-confgen -r random > rndc.key

ok 问题解决了,接下来我们配置 我们的 域名服务器吧
#### 从 rndc.key文件中提取 named.conf用的 key 生成 named.conf 文件,当然你也可以复制rndc.key 没被注释的内容到 named.conf
shell $> tail -10 rndc.key | head -9 | sed ‘s/# //g’ > named.conf
shell $> cat named.conf
key “rndc-key” {
algorithm hmac-md5;
secret “O0SuB34RK+E3r+m5Fbh2eA==”;
};
controls {
inet 127.0.0.1 port 953
  allow { 127.0.0.1; } keys { “rndc-key”; };
};

#### dig 命令直接生成 named.root 文件,这个文件是很标准的东东,
#### 有了它,本地 dns 不能解的就上总部去问

shell $> dig > named.root

配置 named.conf

shell $> vim named.conf

key “rndc-key” {
algorithm hmac-md5;
secret “O0SuB34RK+E3r+m5Fbh2eA==”;
};
controls {
inet 127.0.0.1 port 953
  allow { 127.0.0.1; } keys { “rndc-key”; };
};

options {
        // Relative to the chroot directory,if any
       directory       “/usr/local/named/etc”;
       pid-file       “/usr/local/named/var/run/named/pid”;
       dump-file      “/usr/local/named/var/dump/named_dump.db”;
        statistics-file“/usr/local/named/var/stats/named.stats”;
       listen-on       { 192.168.6.44; };
            forwarders {
               202.106.0.20;
        };
};

zone “.” {
type hint;
file “/usr/local/named/etc/named.root”;
};
zone “ludy.com” {
        type master;
        file “dynamic/www.nginxs.com”;
};

创建 域名解析文件

shell $> mkdir dynamic
shell $> vim dynamic/www.nginxs.com
$TTL    86400
$ORIGIN ludy.com.
@       IN     SOA     nginxs.com. root.nginxs.com. (
                       2009072901      ;
                       68400           ;
                       86400           ;
                       3600000;        ;
                       36000   )       ;
        IN     NS      ns.nginxs.com.
        IN     MX      10 mail.nginxs.com.
www     IN     A       192.168.6.44
mail    IN     A       192.168.6.44
ns      IN     A       192.168.6.44

因为我不需要反向解析“所以我不需要设置了“然后启动 debug模式看看有错误吗。
shell $> ../sbin/named -g
27-Jan-2010 02:48:57.508 starting BIND 9.6.1-P3 -g
27-Jan-2010 02:48:57.508 built with ‘–prefix=/usr/local/named’ ‘–enable-epoll’‘–enable-openssl-version-check’ ‘–enable-threads’ ‘–disable-ipv6′‘–enable-largefile’
27-Jan-2010 02:48:57.508 adjusted limit on open files from 1024 to 1048576
27-Jan-2010 02:48:57.508 found 1 CPU, using 1 worker thread
27-Jan-2010 02:48:57.510 using up to 4096 sockets
27-Jan-2010 02:48:57.519 loading configuration from ‘/usr/local/named/etc/named.conf’
27-Jan-2010 02:48:57.521 using default UDP/IPv4 port range: [1024, 65535]
27-Jan-2010 02:48:57.522 using default UDP/IPv6 port range: [1024, 65535]
27-Jan-2010 02:48:57.526 listening on IPv4 interface eth0, 192.168.6.105#53
27-Jan-2010 02:48:57.532 automatic empty zone: 0.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 127.IN-ADDR.ARPA
27-Jan-2010 02:48:57.533 automatic empty zone: 254.169.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 2.0.192.IN-ADDR.ARPA
27-Jan-2010 02:48:57.534 automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone:0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.535 automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: D.F.IP6.ARPA
27-Jan-2010 02:48:57.536 automatic empty zone: 8.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: 9.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: A.E.F.IP6.ARPA
27-Jan-2010 02:48:57.537 automatic empty zone: B.E.F.IP6.ARPA
27-Jan-2010 02:48:57.545 command channel listening on 127.0.0.1#953
27-Jan-2010 02:48:57.546 ignoring config file logging statement due to -goption
27-Jan-2010 02:48:57.550 zone nginxs.com/IN: loaded serial 2009072901
27-Jan-2010 02:48:57.552 running
27-Jan-2010 02:48:57.553 zone ludy.com/IN: sending notifies (serial 2009072901)

OK了。

现在 DNS 服务器还不是很安全,因为你的DNS是暴露在公网的,如果你只想做域名解析服务的话,就不用户查询关掉

shell $> vim named.conf

key “rndc-key” {
       algorithm hmac-md5;
       secret “bMXdKGcP5tqUFUnG7CTzmw==”;
};

 controls {
      inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { “rndc-key”; };
};
acl “trusted”{
192.168.6.0/24;
}

options {
        // Relative to the chroot directory,if any
       directory       “/usr/local/named/etc”;
       pid-file       “/usr/local/named/var/run/named/pid”;
       dump-file      “/usr/local/named/var/dump/named_dump.db”;
        statistics-file“/usr/local/named/var/stats/named.stats”;
        allow-query { any; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
       listen-on       { 192.168.6.105; };
            forwarders {
               202.106.0.20;
        };
};

zone “.” {
type hint;
file “/usr/local/named/etc/named.root”;
};

zone “ludy.com” {
        type master;
        file “dynamic/www.nginxs.com”;
};

我个人感觉上allow-query-cache在未设置allow-recursion的情况下可以取代allow-recursion的功能, 有继承关系。如果想禁止用户的递归查询请求,还需要将 allow-query-cache 选项关闭,否则用户仍然可能在 cache 中查到数据  上面我建立acl规则来指定用户来使用你的DNS服务器。

下来我们在 192.168.6.0/24 网段找个机器测试下吧如图所视:


查询 www.nginxs.com


# nslookup  www.nginxs.com