Step-by-step guide to setting up a BIND DNS server in a chroot environment on Red Hat (RHEL/CentOS) 7

This translation was prepared for students of the "Security in Linux" course. Want to grow in this direction? Watch the recording of Ivan Piskunov's master class "Security in Linux vs Windows and macOS".


In this article I walk through the steps needed to set up a DNS server on RHEL 7 or CentOS 7. For the demonstration I use Red Hat Enterprise Linux 7.4. The goal is to create A records in a forward lookup zone and the matching PTR records in a reverse lookup zone.

First, install the rpm packages the DNS server needs.

NOTE: On RHEL you need an active RHN subscription, or you can set up a local offline repository from which the yum package manager can install the required rpm packages and their dependencies.

# yum install bind bind-chroot caching-nameserver

My setup:

# hostname
golinuxhub-client.example
My IP address is 192.168.1.7
# ip address | egrep 'inet.*enp0s3'
    inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp0s3

Since we will run BIND from the chroot, stop and disable the regular named service: the named-chroot service replaces it, and the two must not both try to bind port 53.

# systemctl stop named
# systemctl disable named

Next, copy the required files into the chroot directory.
NOTE: Use the -p option of cp to preserve permissions and ownership.

[root@golinuxhub-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/etc/*  /var/named/chroot/etc/
ā€˜/usr/share/doc/bind-9.9.4/sample/etc/named.conf’ -> ā€˜/var/named/chroot/etc/named.conf’
ā€˜/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones’ -> ā€˜/var/named/chroot/etc/named.rfc1912.zones’

Then copy the zone-related files to their new location.

[root@golinuxhub-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/data’ -> ā€˜/var/named/chroot/var/named/data’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db’ -> ā€˜/var/named/chroot/var/named/my.external.zone.db’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db’ -> ā€˜/var/named/chroot/var/named/my.internal.zone.db’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/named.ca’ -> ā€˜/var/named/chroot/var/named/named.ca’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/named.empty’ -> ā€˜/var/named/chroot/var/named/named.empty’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost’ -> ā€˜/var/named/chroot/var/named/named.localhost’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback’ -> ā€˜/var/named/chroot/var/named/named.loopback’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/slaves’ -> ā€˜/var/named/chroot/var/named/slaves’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db’ -> ā€˜/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db’
ā€˜/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db’ -> ā€˜/var/named/chroot/var/named/slaves/my.slave.internal.zone.db’
Now let's look at the main configuration file.

# cd /var/named/chroot/etc/

Clear the contents of named.conf and paste the following. Be aware of what this configuration does: with `any` in listen-on, allow-query, allow-query-cache and match-clients, plus `recursion yes`, the server is an open recursive resolver that answers anyone who can reach port 53. That is acceptable on an isolated lab network, but never expose such a configuration to the internet, where it will be abused for DNS amplification and cache-poisoning attempts.

[root@golinuxhub-client etc]# vim named.conf
options {
        listen-on port 53 { 127.0.0.1; any; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view my_resolver {
        match-clients      { localhost; any; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};

Now add the zone definitions to /var/named/chroot/etc/named.rfc1912.zones. Append the entries below. example.zone is the forward lookup zone file and example.rzone is the reverse zone file. `allow-update { none; }` rejects dynamic updates, which is what you want for hand-edited zones.

IMPORTANT NOTE: The reverse zone is named 1.168.192.in-addr.arpa because my address is 192.168.1.7: the first three octets of the 192.168.1.0/24 network are written in reverse order.

zone "example" IN {
        type master;
        file "example.zone";
        allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "example.rzone";
        allow-update { none; };
};
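The named.conf above together with these zone statements is what the tutorial runs. The script below is an added example, not part of the original article: it audits a named.conf for the open-resolver settings used here and places a restricted configuration for the same lab next to it. Both sample files are constructed inside the script; the LAN prefix 192.168.1.0/24, the acl name "lan" and the version string are assumptions.

```bash
#!/bin/bash
# Added example, not from the original article: audit a named.conf for the
# open-resolver settings the tutorial uses, next to a restricted configuration
# for the same lab. Both sample files are constructed here; the LAN prefix
# 192.168.1.0/24 and the acl name "lan" are assumptions.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
WEAK_CONF="$WORK/named.conf.weak"
HARDENED_CONF="$WORK/named.conf.hardened"

# 1. The tutorial's settings: any client may query, read the cache and recurse,
#    and nothing restricts zone transfers.
cat > "$WEAK_CONF" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; any; };
#       listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; any; };
        allow-query-cache { localhost; any; };
};
view my_resolver {
        match-clients      { localhost; any; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
EOF

# 2. Restricted equivalent: listen only on the host's own addresses, serve
#    queries and recursion only to the LAN, refuse AXFR, hide the version.
cat > "$HARDENED_CONF" <<'EOF'
acl "lan" { 127.0.0.1; 192.168.1.0/24; };
options {
        listen-on port 53 { 127.0.0.1; 192.168.1.7; };
        directory       "/var/named";
        allow-query     { lan; };
        allow-query-cache { lan; };
        recursion yes;
        allow-recursion { lan; };
        allow-transfer  { none; };
        version         "not disclosed";
};
view my_resolver {
        match-clients      { lan; };
        include "/etc/named.rfc1912.zones";
};
EOF

# Reports each weak setting on stderr and echoes the number of findings.
audit_named_conf() {
    local conf="$1" body n=0 any_in='[{][^}]*[ ;{]any[ ;}]'   # address list containing "any"
    # Drop // and # comments (so the commented-out listen-on-v6 does not count)
    # and join lines, so every { ... } address list can be matched as one string.
    body=$(sed -e 's://.*$::' -e 's:#.*$::' "$conf" | tr '\n' ' ')
    finding() { echo "WEAK: $1" >&2; n=$((n + 1)); }
    has() { printf '%s' "$body" | grep -Eq "$1"; }

    has "listen-on[^{;]*$any_in"      && finding "listen-on binds every interface"
    has "allow-query *$any_in"        && finding "allow-query: any client may query"
    has "allow-query-cache *$any_in"  && finding "allow-query-cache: any client may read the cache"
    has "match-clients *$any_in"      && finding "match-clients: the view is served to any client"
    if has 'recursion +yes' && ! has 'allow-recursion'; then
        finding "recursion yes without allow-recursion: open resolver, usable for DNS amplification"
    fi
    has 'allow-transfer' || finding "allow-transfer unset: anyone may AXFR every zone"
    echo "$n"
}

echo "tutorial config: $(audit_named_conf "$WEAK_CONF") weak settings"
echo "hardened config: $(audit_named_conf "$HARDENED_CONF") weak settings"
```

Run it as a plain shell script; it needs only sed, grep and tr. The restricted configuration keeps recursion for LAN clients, which is what a small internal resolver that also serves its own zones needs, while `allow-transfer { none; }` stops anyone from pulling a full copy of the zones with AXFR. To validate the hardened file on the real host, copy it into place and run named-checkconf as the tutorial shows further down.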

The zone-related files live here:

# cd /var/named/chroot/var/named/

Next we create the files for the forward and reverse zones. The file names must match those used above in named.rfc1912.zones. Several default templates are already present that we can copy from.

# cp -p named.localhost  example.zone
# cp -p named.loopback example.rzone

As you can see, all files and directories are currently owned by root.

[root@golinuxhub-client named]# ll
total 32
drwxr-xr-x. 2 root root    6 May 22  2017 data
-rw-r--r--. 1 root root  168 May 22  2017 example.rzone
-rw-r--r--. 1 root root  152 May 22  2017 example.zone
-rw-r--r--. 1 root root   56 May 22  2017 my.external.zone.db
-rw-r--r--. 1 root root   56 May 22  2017 my.internal.zone.db
-rw-r--r--. 1 root root 2281 May 22  2017 named.ca
-rw-r--r--. 1 root root  152 May 22  2017 named.empty
-rw-r--r--. 1 root root  152 May 22  2017 named.localhost
-rw-r--r--. 1 root root  168 May 22  2017 named.loopback
drwxr-xr-x. 2 root root   71 Feb 12 21:02 slaves

Change the ownership of all files so that the owner is root and the group is named.

# chown root:named *

The data directory, however, must be owned by named:named, because named writes its cache dump, statistics and named.run log files there. Leave the zone files root-owned: named only needs to read them, and a compromised named process then cannot rewrite your zones. If you later add secondary zones, the slaves directory has to become writable by named as well, since transferred zones are written there.

# chown -R  named:named data
# ls -l
total 32
drwxr-xr-x. 2 named named    6 May 22  2017 data
-rw-r--r--. 1 root  named  168 May 22  2017 example.rzone
-rw-r--r--. 1 root  named  152 May 22  2017 example.zone
-rw-r--r--. 1 root  named   56 May 22  2017 my.external.zone.db
-rw-r--r--. 1 root  named   56 May 22  2017 my.internal.zone.db
-rw-r--r--. 1 root  named 2281 May 22  2017 named.ca
-rw-r--r--. 1 root  named  152 May 22  2017 named.empty
-rw-r--r--. 1 root  named  152 May 22  2017 named.localhost
-rw-r--r--. 1 root  named  168 May 22  2017 named.loopback
drwxr-xr-x. 2 root  named   71 Feb 12 21:02 slaves

Add the following content to your forward zone file. Here we create an A record for the local host (golinuxhub-client) and another for the server (golinuxhub-server).

# vim example.zone
$TTL 1D
@       IN SOA  example. root (
                                        1       ; serial
                                        3H      ; refresh
                                        15M     ; retry
                                        1W      ; expire
                                        1D )    ; minimum

                IN NS           example.

                        IN A 192.168.1.7
golinuxhub-server       IN A 192.168.1.5
golinuxhub-client       IN A 192.168.1.7

Then fill in the reverse zone file. Here we create the PTR records for golinuxhub-client and golinuxhub-server; the owner names 5 and 7 are relative to the zone origin 1.168.192.in-addr.arpa, so they stand for 192.168.1.5 and 192.168.1.7.

# vim example.rzone
$TTL 1D
@       IN SOA  example. root.example. (
                                        1997022700      ; serial
                                        28800           ; refresh
                                        14400           ; retry
                                        3600000         ; expire
                                        86400  )        ; minimum

        IN NS   example.
5       IN PTR  golinuxhub-server.example.
7       IN PTR  golinuxhub-client.example.

Before starting the named-chroot service, let's check the zone files. named-checkzone takes the zone name (origin) as its first argument; pass the same names as in named.rfc1912.zones, otherwise @ and relative owner names are expanded under the wrong origin and the check proves little.

[root@golinuxhub-client named]# named-checkzone example example.zone
zone example/IN: loaded serial 1
OK

[root@golinuxhub-client named]# named-checkzone 1.168.192.in-addr.arpa example.rzone
zone 1.168.192.in-addr.arpa/IN: loaded serial 1997022700
OK

Everything looks good. Now check the main configuration file with the following command. The -t option makes named-checkconf chroot to /var/named/chroot first, so the path /etc/named.conf is resolved inside the chroot; adding -z would additionally test-load every master zone the configuration references.

[root@golinuxhub-client named]# named-checkconf -t /var/named/chroot/ /etc/named.conf

named-checkconf prints nothing on success, so confirm that the exit status is 0.

[root@golinuxhub-client named]# echo $?
0

IMPORTANT NOTE: I have SELinux in permissive mode. On a production host keep it enforcing; after copying files into /var/named/chroot by hand, run `restorecon -Rv /var/named/chroot` so the copies receive the labels the named policy expects (named_conf_t for configuration, named_zone_t for zone files), and consult `ausearch -m AVC -ts recent` if named then fails to start.

# getenforce
Permissive

Everything looks good, so it's time to start our named-chroot service.

[root@golinuxhub-client named]# systemctl restart named-chroot

[root@golinuxhub-client named]# systemctl status named-chroot
ā— named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-02-12 21:53:23 IST; 19s ago
  Process: 5236 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 5327 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5325 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5330 (named)
   CGroup: /system.slice/named-chroot.service
           └─5330 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Feb 12 21:53:23 golinuxhub-client.example named[5330]: managed-keys-zone/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 0.in-addr.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.127.in-addr.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.168.192.in-addr.arpa/IN/my_resolver: loaded serial 1997022700
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone example/IN/my_resolver: loaded serial 1
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost.localdomain/IN/my_resolver: loaded serial 0
Feb 12 21:53:23 golinuxhub-client.example named[5330]: all zones loaded
Feb 12 21:53:23 golinuxhub-client.example named[5330]: running
Make sure /etc/resolv.conf points at this host's own address, so that local lookups go to the new DNS server.

# cat /etc/resolv.conf
search example
nameserver 192.168.1.7

Let's query our DNS server for the reverse zone using dig.

[root@golinuxhub-client named]# dig -x 192.168.1.5

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.5
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40331
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;5.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
5.1.168.192.in-addr.arpa. 86400 IN      PTR     golinuxhub-server.example.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.

;; ADDITIONAL SECTION:
example.                86400   IN      A       192.168.1.7

;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Feb 12 22:13:17 IST 2018
;; MSG SIZE  rcvd: 122

As you can see, we got an answer (ANSWER: 1) to our query, and the aa flag in the header shows the reply is authoritative, i.e. served from our own zone rather than from cache.

[root@golinuxhub-client named]# dig -x 192.168.1.7

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.7
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55804
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;7.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
7.1.168.192.in-addr.arpa. 86400 IN      PTR     golinuxhub-client.example.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      example.

;; ADDITIONAL SECTION:
example.                86400   IN      A       192.168.1.7

;; Query time: 1 msec
;; SERVER: 192.168.1.7#53(192.168.1.7)
;; WHEN: Mon Feb 12 22:12:54 IST 2018
;; MSG SIZE  rcvd: 122

In the same way we can check the forward zone.

[root@golinuxhub-client named]# nslookup golinuxhub-client.example
Server:         192.168.1.7
Address:        192.168.1.7#53

Name:   golinuxhub-client.example
Address: 192.168.1.7

[root@golinuxhub-client named]# nslookup golinuxhub-server.example
Server:         192.168.1.7
Address:        192.168.1.7#53

Name:   golinuxhub-server.example
Address: 192.168.1.5
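The dig and nslookup checks above confirm individual records by hand. As an added example (not from the original article), the script below parses zone files in the tutorial's format and checks that the forward and reverse zones agree with each other, in the spirit of forward-confirmed reverse DNS: every PTR must be backed by an A record with the same name and address, and every address in the forward zone must have a PTR. The zone files are constructed copies of the ones above; one copy carries a deliberate one-digit error (192.169.1.7 instead of 192.168.1.7 for golinuxhub-client) so the check has something to find. The zone parsing is deliberately simplified (no $ORIGIN or $INCLUDE, class IN only) and is an assumption of this example, not how named itself loads zones.

```bash
#!/bin/bash
# Added example, not from the original article: check that a forward zone and
# its reverse zone agree, in the spirit of forward-confirmed reverse DNS.
# The zone files are constructed copies of the tutorial's; one forward copy
# carries a deliberate one-digit error so the check has something to report.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/example.zone" <<'EOF'
$TTL 1D
@       IN SOA  example. root ( 1 3H 15M 1W 1D )
                IN NS           example.
                        IN A 192.168.1.7
golinuxhub-server       IN A 192.168.1.5
golinuxhub-client       IN A 192.168.1.7
EOF
# Same zone with the client's address mistyped as 192.169.1.7.
sed 's/^golinuxhub-client .*/golinuxhub-client       IN A 192.169.1.7/' \
    "$WORK/example.zone" > "$WORK/example.zone.typo"

cat > "$WORK/example.rzone" <<'EOF'
$TTL 1D
@       IN SOA  example. root.example. ( 1997022700 28800 14400 3600000 86400 )
        IN NS   example.
5       IN PTR  golinuxhub-server.example.
7       IN PTR  golinuxhub-client.example.
EOF

# Shared awk program: skip comments, $-directives and blank lines; carry the
# owner name over when a line starts with whitespace; complete relative names
# with the origin. Simplified parsing: no $ORIGIN/$INCLUDE, class IN only.
ZONE_AWK='
    function absolute(o) {
        if (o == "@") return origin "."
        if (o !~ /\.$/) return o "." origin "."
        return o
    }
    function rev_to_ip(name,    m, p, s, j) {   # 7.1.168.192.in-addr.arpa. -> 192.168.1.7
        sub(/\.?in-addr\.arpa\.?$/, "", name)
        m = split(name, p, ".")
        s = p[m]
        for (j = m - 1; j >= 1; j--) s = s "." p[j]
        return s
    }
    /^[ \t]*;/ || /^\$/ || NF == 0 { next }
    $0 !~ /^[ \t]/ { owner = $1 }
    {
        for (i = 1; i + 2 <= NF; i++)
            if ($i == "IN" && $(i + 1) == type) {
                key = absolute(owner)
                if (type == "PTR") key = rev_to_ip(key)
                print key, $(i + 2)
            }
    }'

# "fqdn ip" per A record ($1 = file, $2 = origin) ...
a_records()   { awk -v type=A   -v origin="$2" "$ZONE_AWK" "$1"; }
# ... and "ip fqdn" per PTR record ($1 = file, $2 = reverse origin).
ptr_records() { awk -v type=PTR -v origin="$2" "$ZONE_AWK" "$1"; }

# Echoes the number of inconsistencies (0 = zones agree), describing each one
# on stderr. $1/$2 = forward file/origin, $3/$4 = reverse file/origin.
check_forward_reverse() {
    local fwd rev ip name bad=0
    fwd=$(a_records "$1" "$2")
    rev=$(ptr_records "$3" "$4")
    # Every PTR must be confirmed by an A record with the same name and address.
    while read -r ip name; do
        [ -n "$ip" ] || continue
        printf '%s\n' "$fwd" | grep -qxF "$name $ip" ||
            { echo "PTR $ip -> $name is not confirmed by an A record $name -> $ip" >&2; bad=$((bad + 1)); }
    done <<EOF
$rev
EOF
    # Every address in the forward zone needs a PTR.
    while read -r name ip; do
        [ -n "$name" ] || continue
        printf '%s\n' "$rev" | cut -d' ' -f1 | grep -qxF "$ip" ||
            { echo "A $name -> $ip has no PTR record" >&2; bad=$((bad + 1)); }
    done <<EOF
$fwd
EOF
    echo "$bad"
}

REV_ORIGIN=1.168.192.in-addr.arpa
echo "correct zones:  $(check_forward_reverse "$WORK/example.zone"      example "$WORK/example.rzone" "$REV_ORIGIN") mismatches"
echo "mistyped zones: $(check_forward_reverse "$WORK/example.zone.typo" example "$WORK/example.rzone" "$REV_ORIGIN") mismatches"
```

The check is worth running after every zone edit, before bumping the serial and reloading: a forward/reverse mismatch is exactly the kind of error named-checkzone does not catch, because each zone file is valid on its own. On the real host point the functions at /var/named/chroot/var/named/example.zone and example.rzone with the origins from named.rfc1912.zones.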

This article is somewhat dated: on RHEL/CentOS 7 you no longer need to copy the BIND configuration files into the chroot by hand. When named-chroot starts, the bind-chroot package's setup script (/usr/libexec/setup-named-chroot.sh) bind-mounts /etc/named.conf, /etc/named.rfc1912.zones, /var/named and the other required paths into /var/named/chroot, so you edit the files in their normal locations and run `systemctl enable --now named-chroot`. Step-by-step tutorial: configuring a DNS server with bind chroot (CentOS/RHEL 7).

Avots: www.habr.com
