Interactive (dynamic) updates between DNS and DHCP on RHEL 5.2

Posted 2009-06-29 18:58

I. Objective
Implement interactive (dynamic) updates between DHCP and DNS on the Linux platform.
II. Environment
One Linux server running Red Hat Enterprise Linux Server release 5.2 (Tikanga), kernel 2.6.18-92.el5; two clients: one running Windows XP Professional SP3 and one Linux host with the same release as the server.
III. Setting up the DNS service (bind)
1. Install the bind packages
Insert the installation disc, change to the directory holding the packages, and run the following commands to install them:
rpm -ivh bind-9.3.4-6.P1.el5.i386.rpm
rpm -ivh bind-chroot-9.3.4-6.P1.el5.i386.rpm
rpm -ivh bind-devel-9.3.4-6.P1.el5.i386.rpm
rpm -ivh bind-libbind-devel-9.3.4-6.P1.el5.i386.rpm
rpm -ivh bind-libs-9.3.4-6.P1.el5.i386.rpm
rpm -ivh bind-sdb-9.3.4-6.P1.el5.i386.rpm
rpm -ihv bind-utils-9.3.4-6.P1.el5.i386.rpm
rpm -ivh caching-nameserver-9.3.4-6.P1.el5.i386.rpm
2. Create the key
To support dynamic DNS updates, the first thing to consider is how to perform DDNS securely. The method provided by ISC is to create a key for dynamic updates and to verify each update against that key. To do this, run the following command as root:
[root@server etc]# dnssec-keygen -a HMAC-MD5 -b 128 -n USER administrator
The dnssec-keygen command above generates the update key: -a HMAC-MD5 selects HMAC-MD5 as the key algorithm, -b 128 sets the key length to 128 bits, and -n USER administrator sets the key owner (user) name to administrator.
The command produces the following pair of key files:
-rw------- 1 named named    55 Jun 20 00:54 Kadministrator.+157+49362.key
-rw------- 1 named named    81 Jun 20 00:54 Kadministrator.+157+49362.private
The contents of the newly generated key files can be inspected:
[root@server etc]# cat Kadministrator.+157+49362.key
administrator. IN KEY 0 3 157 txOBJNpI39770VEkbPQQ6w==
[root@server etc]# cat Kadministrator.+157+49362.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: txOBJNpI39770VEkbPQQ6w==
Reading the key files carefully, you will see that both contain the same secret; this secret is the credential DHCP presents when it performs secure dynamic updates to DNS. Later it must be added to both the DNS and the DHCP configuration files.
3. Configure the main configuration file. There are two ways to do this:
1) Remove the following lines from /var/named/chroot/etc/named.caching-nameserver.conf:
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
allow-query     { localhost; };
match-clients      { localhost; };
match-destinations { localhost; };
After the change the file looks like this:
[root@server etc]# cat named.caching-nameserver.conf
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source    port 53;
        query-source-v6 port 53;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        recursion yes;
        include "/etc/named.rfc1912.zones";
};
Add the new zones to /var/named/chroot/etc/named.rfc1912.zones; the result is as follows:
[root@server etc]# cat named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
key administrator {
  algorithm HMAC-MD5.SIG-ALG.REG.INT;
  secret txOBJNpI39770VEkbPQQ6w==;
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

zone "china.test" IN {
  type master;
  file "china.test.zone";
  allow-update { key administrator; };
};
zone "13.168.192.in-addr.arpa" IN {
  type master;
  file "china.test.arpa";
  allow-update { key administrator; };
};
2) Change to /var/named/chroot/etc/, append named.rfc1912.zones to named.caching-nameserver.conf so that the two become one file, make the same deletions and additions as in the first method, and delete the whole view localhost_resolver block.
4. Add the zone files under /var/named/chroot/var/named; their contents are as follows:
[root@server named]# cat china.test.zone
$TTL    86400
@       IN SOA  server.china.test.      root.china.test. (
                2009062000
                28800
                14400
                360000
                86400
                )
@       IN      NS      server.china.test.
server  IN      A       192.168.13.11
client  IN      A       192.168.13.24
[root@server named]# cat china.test.arpa
$TTL    86400
@       IN      SOA     server.china.test. root.server.china.test.  (
                                      2009062000 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      3600000    ; Expire
                                      86400 )    ; Minimum
@       IN      NS      server.china.test.
11      IN      PTR     server.china.test.
5. Run chkconfig --level 3 named on so that the DNS service starts automatically at boot.
6. Start the DNS service: service named start
7. On the client hosts, specify the DNS server in /etc/resolv.conf: nameserver 192.168.13.11
IV. Setting up the DHCP service
1. Install the dhcp packages
rpm -ivh dhcp-3.0.5-13.el5.i386.rpm
rpm -ivh dhcp-devel-3.0.5-13.el5.i386.rpm
2. Edit the configuration file. The edited file is as follows:
[root@server ~]# cat /etc/dhcpd.conf
ddns-update-style interim;
allow client-updates;

key administrator {
  algorithm HMAC-MD5;
  secret txOBJNpI39770VEkbPQQ6w==;
};

zone china.test. {
  primary 192.168.13.11;
  key administrator;
}
zone 13.168.192.in-addr.arpa. {
  primary 192.168.13.11;
  key administrator;
}

subnet 192.168.13.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.13.13;
        option subnet-mask              255.255.255.0;

        option nis-domain               "china.test";
        option domain-name              "china.test";
        option domain-name-servers      192.168.13.11;

#       option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        range dynamic-bootp 192.168.13.1 192.168.13.23;
        default-lease-time 180;
        max-lease-time 300;
}
3. Run chkconfig --level 3 dhcpd on so that the DHCP service starts automatically at boot.
4. Start the DHCP service: service dhcpd start
5. On the client host, create the DHCP client configuration file /etc/dhclient.conf with the following content:
[root@client ~]# cat /etc/dhclient.conf
send fqdn.fqdn "client";
send fqdn.encoded on;
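The secret generated in section III.2 has to be copied into both named's and dhcpd's configuration, and the two daemons spell the algorithm differently (HMAC-MD5.SIG-ALG.REG.INT versus HMAC-MD5). The script below is an added example, not code from the original post: it reads a dnssec-keygen .private file, checks that the secret decodes to the bit length requested with -b, and renders both key blocks so the secret is never retyped by hand. The file contents and the key name administrator come from the page; the algorithm-name table is my own.

```python
import base64
import re

# The .private file as printed on this page (copied here as constructed sample input).
PRIVATE_KEY_TEXT = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: txOBJNpI39770VEkbPQQ6w==
"""

# dnssec-keygen algorithm number -> (name for named.conf, name for dhcpd.conf).
# 157 is the only option on BIND 9.3 / ISC DHCP 3.0 as used on this page; 163
# (HMAC-SHA256) needs BIND 9.5+ and ISC DHCP 4.1+ and should be preferred there.
ALGORITHMS = {
    157: ("HMAC-MD5.SIG-ALG.REG.INT", "HMAC-MD5"),
    163: ("hmac-sha256", "hmac-sha256"),
}

def parse_private_key(text):
    """Return (algorithm number, base64 secret, key length in bits) from a .private file."""
    fields = dict(re.findall(r"^([\w-]+):\s*(.+?)\s*$", text, re.M))
    alg = int(fields["Algorithm"].split()[0])
    secret = fields["Key"]
    raw = base64.b64decode(secret, validate=True)   # rejects a mistyped secret early
    return alg, secret, len(raw) * 8

def key_statements(name, text, expected_bits=128):
    """Render the matching 'key' blocks for named.conf and dhcpd.conf from one .private file."""
    alg, secret, bits = parse_private_key(text)
    if bits != expected_bits:
        raise ValueError("secret is %d bits, expected %d (dnssec-keygen -b)" % (bits, expected_bits))
    if alg not in ALGORITHMS:
        raise ValueError("unsupported algorithm number %d" % alg)
    named_alg, dhcpd_alg = ALGORITHMS[alg]
    block = "key %s {\n  algorithm %s;\n  secret %s;\n};\n"
    return block % (name, named_alg, secret), block % (name, dhcpd_alg, secret)

if __name__ == "__main__":
    named_conf, dhcpd_conf = key_statements("administrator", PRIVATE_KEY_TEXT)
    print(named_conf)
    print(dhcpd_conf)
```

Both output blocks carry the secret in clear text, so the files they are pasted into should keep the same 0600 ownership-restricted permissions that dnssec-keygen gave the key files.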
6. On the server, inspect the DHCP lease file /var/lib/dhcpd/dhcpd.leases:
[root@server ~]# cat /var/lib/dhcpd/dhcpd.leases
# All times in this file are in UTC (GMT), not your local timezone.   This is
# not a bug, so please don't ask about it.   There is no portable way to
# store leases in the local timezone, so please don't request this as a
# feature.   If this is inconvenient or confusing to you, we sincerely
# apologize.   Seriously, though - don't ask.
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-V3.0.5-RedHat

lease 192.168.13.23 {
  starts 6 2009/06/20 08:20:53;
  ends 6 2009/06/20 08:25:53;
  binding state active;
  next binding state free;
  hardware ethernet 00:0c:29:71:c6:09;
  set ddns-rev-name = "23.13.168.192.in-addr.arpa.";
  set ddns-txt = "0003680744ede9faf3e6e8bd78563f6857";
  set ddns-fwd-name = "client.china.test";
}
7. Look in /var/named/chroot/var/named: the following two files have been generated automatically and are used for the DNS updates.
-rw-r--r-- 1 named named 1980 Jun 20 16:20 china.test.arpa.jnl
-rw-r--r-- 1 named named 1825 Jun 20 16:20 china.test.zone.jnl
8. The zone files now contain the following:
[root@server named]# cat china.test.zone
$ORIGIN .
$TTL 86400      ; 1 day
china.test              IN SOA  server.china.test. root.china.test. (
                                2009062021 ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                360000     ; expire (4 days 4 hours)
                                86400      ; minimum (1 day)
                                )
                        NS      server.china.test.
$ORIGIN china.test.
$TTL 150        ; 2 minutes 30 seconds
client                  A       192.168.13.23
                        TXT     "0003680744ede9faf3e6e8bd78563f6857"
$TTL 86400      ; 1 day
server                  A       192.168.13.11
[root@server named]# cat china.test.arpa
$ORIGIN .
$TTL 86400      ; 1 day
13.168.192.in-addr.arpa IN SOA  server.china.test. root.server.china.test. (
                                2009062017 ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
                        NS      server.china.test.
$ORIGIN 13.168.192.in-addr.arpa.
11                      PTR     server.china.test.
$TTL 150        ; 2 minutes 30 seconds
23                      PTR     client.china.test.
V. Conclusions
1. Observed behaviour:
1) Updates are fairly slow; sometimes the DNS service has to be restarted manually before an update succeeds.
2) Old reverse records are not removed, as shown below:
[root@server ~]# cat /var/named/chroot/var/named/china.test.arpa
$ORIGIN .
$TTL 86400      ; 1 day
13.168.192.in-addr.arpa IN SOA  server.china.test. root.server.china.test. (
                                2009062019 ; serial
                                28800      ; refresh (8 hours)
                                14400      ; retry (4 hours)
                                3600000    ; expire (5 weeks 6 days 16 hours)
                                86400      ; minimum (1 day)
                                )
                        NS      server.china.test.
$ORIGIN 13.168.192.in-addr.arpa.
11                      PTR     server.china.test.
$TTL 150        ; 2 minutes 30 seconds
12                      PTR     WWW-2E8A24A84C2.china.test.
20                      PTR     client.china.test.
23                      PTR     client.china.test.
24                      PTR     client.china.test.
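The stale PTR records above (12, 20 and 24 still pointing at names whose leases are gone) are the drift a reverse zone accumulates when updates fail or leases are abandoned. The script below is an added example, not part of the original post: it cross-checks a reverse zone file against dhcpd.leases and lists PTRs that are backed by neither an active lease nor a static entry. The sample lease and zone text are constructed from the listings on this page; static_ips is a parameter I introduced to exempt the server's own record.

```python
import re
# Constructed samples modelled on this page: an active lease (.23), an expired one (.20),
# and PTRs for .12, .20 and .24 left behind in the reverse zone.
LEASES_TEXT = """lease 192.168.13.23 {
  binding state active;
  set ddns-rev-name = "23.13.168.192.in-addr.arpa.";
}
lease 192.168.13.20 {
  binding state free;
}
"""
REVERSE_ZONE_TEXT = """$ORIGIN .
13.168.192.in-addr.arpa IN SOA server.china.test. root.server.china.test. ( 2009062019 28800 14400 3600000 86400 )
$ORIGIN 13.168.192.in-addr.arpa.
11                      PTR     server.china.test.
12                      PTR     WWW-2E8A24A84C2.china.test.
20                      PTR     client.china.test.
23                      PTR     client.china.test.
24                      PTR     client.china.test.
"""
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
STATE_RE = re.compile(r"^\s*binding state\s+(\w+);", re.M)
PTR_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?PTR\s+(\S+)")

def active_leases(text):
    """IPs whose latest lease block is 'active' (dhcpd appends, so the last block wins)."""
    state = {}
    for ip, body in LEASE_RE.findall(text):
        m = STATE_RE.search(body)
        state[ip] = m.group(1) if m else "active"  # no state line: never flag it
    return {ip for ip, s in state.items() if s == "active"}

def ptr_records(text):
    """{ip: target} for every PTR in a reverse zone file, resolving $ORIGIN."""
    origin, records = ".", {}
    for line in text.splitlines():
        line = line.split(";")[0].rstrip()           # strip comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif (m := PTR_RE.match(line)):
            owner, target = m.groups()
            fqdn = owner if owner.endswith(".") else owner + "." + origin
            labels = fqdn.rstrip(".").split(".")
            if labels[-2:] == ["in-addr", "arpa"]:
                records[".".join(reversed(labels[:-2]))] = target
    return records

def stale_ptrs(zone_text, leases_text, static_ips=frozenset()):
    """PTRs backed by neither an active lease nor a static entry: cleanup candidates."""
    active = active_leases(leases_text)
    return {ip: name for ip, name in ptr_records(zone_text).items()
            if ip not in active and ip not in static_ips}
```

Because named keeps recent updates in the .jnl journal, audit china.test.arpa only after an rndc freeze/thaw cycle has written the journal back to the zone file.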

2. Update log:
Jun 20 22:35:25 server named[2719]: starting BIND 9.3.4-P1 -u named -c /etc/named.caching-nameserver.conf -t /var/named/chroot
Jun 20 22:35:25 server named[2719]: found 1 CPU, using 1 worker thread
Jun 20 22:35:25 server named[2719]: loading configuration from '/etc/named.caching-nameserver.conf'
Jun 20 22:35:25 server named[2719]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 20 22:35:25 server named[2719]: listening on IPv4 interface eth0, 192.168.13.11#53
Jun 20 22:35:25 server named[2719]: command channel listening on 127.0.0.1#953
Jun 20 22:35:25 server named[2719]: command channel listening on ::1#953
Jun 20 22:35:25 server named[2719]: zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Jun 20 22:35:25 server named[2719]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 1997022700
Jun 20 22:35:25 server named[2719]: zone 13.168.192.in-addr.arpa/IN/localhost_resolver: loaded serial 2009062027
Jun 20 22:35:25 server named[2719]: zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42
Jun 20 22:35:25 server named[2719]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 1997022700
Jun 20 22:35:25 server named[2719]: zone localdomain/IN/localhost_resolver: loaded serial 42
Jun 20 22:35:25 server named[2719]: zone localhost/IN/localhost_resolver: loaded serial 42
Jun 20 22:35:25 server named[2719]: zone china.test/IN/localhost_resolver: loaded serial 2009062035
Jun 20 22:35:25 server named[2719]: running
Jun 20 22:35:25 server dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat
Jun 20 22:35:25 server dhcpd: Copyright 2004-2006 Internet Systems Consortium.
Jun 20 22:35:25 server dhcpd: All rights reserved.
Jun 20 22:35:25 server dhcpd: For info, please visit http://www.isc.org/sw/dhcp/
Jun 20 22:35:25 server dhcpd: lease 192.168.13.22: no subnet.
Jun 20 22:35:25 server last message repeated 3 times
Jun 20 22:35:25 server dhcpd: Wrote 1 leases to leases file.
Jun 20 22:35:25 server dhcpd: Listening on LPF/eth0/00:0c:29:64:e2:df/192.168.13/24
Jun 20 22:35:25 server dhcpd: Sending on   LPF/eth0/00:0c:29:64:e2:df/192.168.13/24
Jun 20 22:35:25 server dhcpd: Sending on   Socket/fallback/fallback-net
Jun 20 22:35:33 server dhcpd: DHCPREQUEST for 192.168.13.22 from 00:0c:29:71:c6:09 via eth0: unknown lease 192.168.13.22.
Jun 20 22:35:37 server dhcpd: DHCPREQUEST for 192.168.13.22 from 00:0c:29:71:c6:09 via eth0: unknown lease 192.168.13.22.
Jun 20 22:35:49 server dhcpd: DHCPDISCOVER from 00:0c:29:71:c6:09 via eth0
Jun 20 22:35:50 server dhcpd: DHCPOFFER on 192.168.13.24 to 00:0c:29:71:c6:09 via eth0
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': update unsuccessful: client.china.test: 'name not in use' prerequisite not satisfied (YXDOMAIN)
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': deleting rrset at 'client.china.test' A
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': adding an RR at 'client.china.test' A
Jun 20 22:35:50 server dhcpd: Added new forward map from client.china.test to 192.168.13.24
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone '13.168.192.in-addr.arpa/IN': deleting rrset at '24.13.168.192.in-addr.arpa' PTR
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone '13.168.192.in-addr.arpa/IN': adding an RR at '24.13.168.192.in-addr.arpa' PTR
Jun 20 22:35:50 server dhcpd: added reverse map from 24.13.168.192.in-addr.arpa. to client.china.test
3. Resolution from the client:
C:\>nslookup
Default Server:  server.china.test
Address:  192.168.13.11

> client.china.test
Server:  server.china.test
Address:  192.168.13.11

Name:    client.china.test
Address:  192.168.13.24

> 192.168.13.23
Server:  server.china.test
Address:  192.168.13.11

Name:    WWW-2E8A24A84C2.china.test
Address:  192.168.13.23

> 192.168.13.24
Server:  server.china.test
Address:  192.168.13.11

Name:    client.china.test
Address:  192.168.13.24

> WWW-2E8A24A84C2.china.test
Server:  server.china.test
Address:  192.168.13.11

Name:    WWW-2E8A24A84C2.china.test
Address:  192.168.13.23
4. Final conclusion:
Interactive updating between DNS and DHCP works. While running, the zone data in use is kept in the journal files china.test.arpa.jnl and china.test.zone.jnl rather than in the traditional china.test.arpa and china.test.zone files.



This article comes from the ChinaUnix blog; for the original see: http://blog.chinaunix.net/u2/83566/showart_1981040.html