[DNS] Question about configuring master and slave DNS servers on Red Hat AS 4

#1 Posted 2005-07-31 08:12

Master DNS server settings
------------Master DNS server IP: 192.168.10.112
------------Slave DNS server IP: 192.168.10.111
Contents of /etc/resolv.conf:
search gao.com
nameserver 192.168.10.112

Contents of /etc/named.conf:
//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        allow-transfer {192.168.10.111;};
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
       inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
zone "gao.com" IN {
        type master;
        file "gao.com";
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "gao.192.168.10";
};

include "/etc/rndc.key";



Contents of /var/named/chroot/var/named/gao.com:
$TTL 86400
@       IN      SOA     www.gao.com.    root.www.gao.com. (
                                        1999010101
                                        28800
                                        14400
                                        3600000
                                        86400)
@               IN      NS      www.gao.com.
www             IN      A       192.168.10.112
test1           IN      A       192.168.10.150
test2           IN      A       192.168.10.151
test3           IN      A       192.168.10.152
test1bak        IN      CNAME   test1
test2bak        IN      CNAME   test2
test3bak        IN      CNAME   test3

Contents of /var/named/chroot/var/named/gao.192.168.10:
$TTL 86400
@       IN      SOA     www.gao.com.    root.www.gao.com. (
                                        1999010101
                                        28800
                                        14400
                                        3600000
                                        86400)
@               IN      NS      www.gao.com.
112  IN      PTR     www.gao.com.
150  IN      PTR     test1.gao.com.
151  IN      PTR     test2.gao.com.
152  IN      PTR     test3.gao.com.

Log file contents after starting the named service on the master and slave DNS servers:

[root@gao log]# tail -f /var/log/messages

Jul 29 02:51:34 gao named[3318]: client 192.168.10.111#32776: transfer of 'gao.com/IN': AXFR started
Jul 29 02:55:01 gao crond(pam_unix)[3339]: session opened for user root by (uid=0)
Jul 29 02:55:02 gao crond(pam_unix)[3339]: session closed for user root
Jul 29 02:58:00 gao named[3318]: client 192.168.10.111#32773: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 02:58:00 gao named[3318]: client 192.168.10.111#32774: transfer of 'gao.com/IN': AXFR started
Jul 29 02:58:42 gao named[3318]: client 192.168.10.111#32775: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 02:58:53 gao named[3318]: client 192.168.10.111#32776: transfer of 'gao.com/IN': AXFR started
Jul 29 03:00:01 gao crond(pam_unix)[3342]: session opened for user root by (uid=0)
Jul 29 03:00:01 gao crond(pam_unix)[3341]: session opened for user root by (uid=0)
Jul 29 03:00:01 gao crond(pam_unix)[3341]: session closed for user root
Jul 29 03:00:02 gao crond(pam_unix)[3342]: session closed for user root
Jul 29 03:00:08 gao named[3318]: client 192.168.10.111#32777: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:00:27 gao named[3318]: client 192.168.10.111#32778: transfer of 'gao.com/IN': AXFR started
Jul 29 03:01:01 gao crond(pam_unix)[3347]: session opened for user root by (uid=0)
Jul 29 03:01:01 gao crond(pam_unix)[3347]: session closed for user root
Jul 29 03:03:33 gao named[3318]: client 192.168.10.111#32779: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:03:42 gao named[3318]: client 192.168.10.111#32780: transfer of 'gao.com/IN': AXFR started
Jul 29 03:05:01 gao crond(pam_unix)[3359]: session opened for user root by (uid=0)
Jul 29 03:05:02 gao crond(pam_unix)[3359]: session closed for user root
Jul 29 03:10:01 gao crond(pam_unix)[3761]: session opened for user root by (uid=0)
Jul 29 03:10:01 gao crond(pam_unix)[3762]: session opened for user root by (uid=0)
Jul 29 03:10:01 gao crond(pam_unix)[3761]: session closed for user root
Jul 29 03:10:03 gao crond(pam_unix)[3762]: session closed for user root
Jul 29 03:10:11 gao named[3318]: client 192.168.10.111#32781: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:10:31 gao named[3318]: client 192.168.10.111#32782: transfer of 'gao.com/IN': AXFR started
Jul 29 03:15:01 gao crond(pam_unix)[3766]: session opened for user root by (uid=0)
Jul 29 03:15:02 gao crond(pam_unix)[3766]: session closed for user root
Jul 29 03:20:01 gao crond(pam_unix)[3768]: session opened for user root by (uid=0)
Jul 29 03:20:01 gao crond(pam_unix)[3769]: session opened for user root by (uid=0)
Jul 29 03:20:01 gao crond(pam_unix)[3768]: session closed for user root
Jul 29 03:20:02 gao crond(pam_unix)[3769]: session closed for user root
Jul 29 03:24:38 gao named[3318]: client 192.168.10.111#32783: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:24:43 gao named[3318]: client 192.168.10.111#32784: transfer of 'gao.com/IN': AXFR started
Jul 29 03:25:01 gao crond(pam_unix)[3773]: session opened for user root by (uid=0)
Jul 29 03:25:02 gao crond(pam_unix)[3773]: session closed for user root
Jul 29 03:30:01 gao crond(pam_unix)[3776]: session opened for user root by (uid=0)
Jul 29 03:30:01 gao crond(pam_unix)[3775]: session opened for user root by (uid=0)
Jul 29 03:30:01 gao crond(pam_unix)[3775]: session closed for user root
Jul 29 03:30:02 gao crond(pam_unix)[3776]: session closed for user root
Jul 29 03:35:01 gao crond(pam_unix)[3780]: session opened for user root by (uid=0)
Jul 29 03:35:02 gao crond(pam_unix)[3780]: session closed for user root

#2 Posted 2005-07-31 08:12

Firewall configuration on the master DNS server:

[root@gao log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

#3 Posted 2005-07-31 08:13

Slave DNS server settings
------------Master DNS server IP: 192.168.10.112
------------Slave DNS server IP: 192.168.10.111
Contents of /etc/resolv.conf:

search gao.com.
nameserver 192.168.10.112

Contents of /etc/named.conf:

//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

zone "gao.com" IN {
        type slave;
        file "gao.com";
        masters {192.168.10.112;};
};

zone "10.168.192.in-addr.arpa" IN {
        type slave;
        file "gao.192.168.10";
        masters {192.168.10.112;};
};

include "/etc/rndc.key";

Log file contents after starting the named service on the master and slave DNS servers:

Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:09 redhatbak kernel: audit(1122576969.695:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:09 redhatbak named[3218]: dumping master file: tmp-XXXXfjRpOy: open: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:56 redhatbak kernel: audit(1122577016.193:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:56 redhatbak named[3218]: dumping master file: tmp-XXXXC6e08G: open: permission denied
Jul 29 02:56:56 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:56 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:57:08 redhatbak named[3218]: dumping master file: tmp-XXXXuJR105: open: permission denied
Jul 29 02:57:08 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:57:08 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:57:08 redhatbak kernel: audit(1122577028.196:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:30 redhatbak kernel: audit(1122577110.199:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:30 redhatbak named[3218]: dumping master file: tmp-XXXXhdi6mk: open: permission denied
Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:58:50 redhatbak kernel: audit(1122577130.195:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:50 redhatbak named[3218]: dumping master file: tmp-XXXXnoGai2: open: permission denied
Jul 29 02:58:50 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:58:50 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:00:01 redhatbak crond(pam_unix)[3227]: session opened for user root by (uid=0)
Jul 29 03:00:01 redhatbak crond(pam_unix)[3226]: session opened for user root by (uid=0)
Jul 29 03:00:01 redhatbak crond(pam_unix)[3226]: session closed for user root
Jul 29 03:00:02 redhatbak crond(pam_unix)[3227]: session closed for user root
Jul 29 03:01:01 redhatbak crond(pam_unix)[3231]: session opened for user root by (uid=0)
Jul 29 03:01:02 redhatbak crond(pam_unix)[3231]: session closed for user root
Jul 29 03:01:57 redhatbak named[3218]: dumping master file: tmp-XXXXpeRkIe: open: permission denied
Jul 29 03:01:57 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:01:57 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:01:57 redhatbak kernel: audit(1122577317.198:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:02:07 redhatbak kernel: audit(1122577327.194:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:02:07 redhatbak named[3218]: dumping master file: tmp-XXXXSj51MF: open: permission denied
Jul 29 03:02:07 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:02:07 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:05:01 redhatbak crond(pam_unix)[3241]: session opened for user root by (uid=0)
Jul 29 03:05:01 redhatbak crond(pam_unix)[3241]: session closed for user root
Jul 29 03:08:28 redhatbak named[3218]: dumping master file: tmp-XXXXeDKfWo: open: permission denied
Jul 29 03:08:28 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:08:28 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:08:28 redhatbak kernel: audit(1122577708.201:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:08:49 redhatbak named[3218]: dumping master file: tmp-XXXXVnGqPD: open: permission denied
Jul 29 03:08:49 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:08:49 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:08:49 redhatbak kernel: audit(1122577729.194:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:10:01 redhatbak crond(pam_unix)[3243]: session opened for user root by (uid=0)
Jul 29 03:10:01 redhatbak crond(pam_unix)[3245]: session opened for user root by (uid=0)
Jul 29 03:10:02 redhatbak crond(pam_unix)[3243]: session closed for user root
Jul 29 03:10:02 redhatbak crond(pam_unix)[3245]: session closed for user root
Jul 29 03:15:01 redhatbak crond(pam_unix)[3248]: session opened for user root by (uid=0)
Jul 29 03:15:02 redhatbak crond(pam_unix)[3248]: session closed for user root
Jul 29 03:20:02 redhatbak crond(pam_unix)[3250]: session opened for user root by (uid=0)
Jul 29 03:20:02 redhatbak crond(pam_unix)[3251]: session opened for user root by (uid=0)
Jul 29 03:20:02 redhatbak crond(pam_unix)[3250]: session closed for user root
Jul 29 03:20:02 redhatbak crond(pam_unix)[3251]: session closed for user root
Jul 29 03:23:01 redhatbak named[3218]: dumping master file: tmp-XXXXzOx2AB: open: permission denied
Jul 29 03:23:01 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:23:01 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:23:01 redhatbak kernel: audit(1122578581.202:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:23:06 redhatbak named[3218]: dumping master file: tmp-XXXXCyi8UG: open: permission denied
Jul 29 03:23:06 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:23:06 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:23:06 redhatbak kernel: audit(1122578586.204:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:25:01 redhatbak crond(pam_unix)[3255]: session opened for user root by (uid=0)
Jul 29 03:25:02 redhatbak crond(pam_unix)[3255]: session closed for user root
Jul 29 03:28:53 redhatbak htt_server[2210]: status has not been enabled yet. (1, 1)
Jul 29 03:29:02 redhatbak last message repeated 2 times
Jul 29 03:30:01 redhatbak crond(pam_unix)[3332]: session opened for user root by (uid=0)
Jul 29 03:30:01 redhatbak crond(pam_unix)[3333]: session opened for user root by (uid=0)
Jul 29 03:30:02 redhatbak crond(pam_unix)[3332]: session closed for user root
Jul 29 03:30:03 redhatbak crond(pam_unix)[3333]: session closed for user root


Firewall configuration on the slave DNS server:

[root@gao log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

#4 Posted 2005-07-31 08:15

Checking the log on the slave DNS server shows this result:
Jul 29 02:58:30 redhatbak named[3218]: dumping master file: tmp-XXXXhdi6mk: open: permission denied
Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied

#5 Posted 2005-07-31 08:17

How can I solve this? I would appreciate any advice from the experts here. Thank you.

#6 (Honorary moderator) Posted 2005-08-01 00:42

Make sure /var/named is writable by named.

Or try:
chown -R named /var/named

#7 Posted 2005-08-01 10:18

It still doesn't work. So frustrating.

#8 (Honorary moderator) Posted 2005-08-01 11:53

Please also post the output of the following commands run on the slave:
service named restart
grep named /var/log/messages | tail -20
find /var/named -exec ls -l {} \;

#9 Posted 2005-08-02 11:05

Thanks, moderator, it works now.

Freshly installed system; I used this command:

chown -R named /var/named
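
Added example, not part of the original posts: a Python triage of the slave's log lines quoted in the thread. It separates named's own "permission denied" errors from the kernel's SELinux "avc: denied" records, so that both the directory ownership (what chown changes) and the SELinux label get checked. The function names are this example's own; the sample lines are taken from the thread.

```python
import re
from collections import Counter

# Sample lines taken from the slave's /var/log/messages as quoted in the thread.
SAMPLE = [
    "Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from "
    "192.168.10.112#53: failed while receiving responses: permission denied",
    "Jul 29 02:56:09 redhatbak kernel: audit(1122576969.695:0): avc:  denied  "
    "{ write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 "
    "scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir",
    "Jul 29 02:56:09 redhatbak named[3218]: dumping master file: tmp-XXXXfjRpOy: "
    "open: permission denied",
    "Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' "
    "from 192.168.10.112#53: failed while receiving responses: permission denied",
    "Jul 29 03:00:01 redhatbak crond(pam_unix)[3227]: session opened for user root by (uid=0)",
]

XFER_FAIL = re.compile(r"named\[\d+\]: transfer of '([^']+)/IN' from \S+: "
                       r"failed while receiving responses: permission denied")
DUMP_FAIL = re.compile(r"named\[\d+\]: dumping master file: \S+: open: permission denied")
AVC = re.compile(r"avc:\s+denied\s+\{ ([^}]+?) \} for\s.*?exe=(\S+).*?"
                 r"scontext=(\S+) tcontext=(\S+) tclass=(\S+)")


def se_type(context):
    """Return the type field of a user:role:type context (last field if shorter)."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else parts[-1]


def triage(lines):
    """Count failed transfers per zone, temp-file errors, and SELinux denials for named."""
    failed, denials, dump_errors = Counter(), Counter(), 0
    for line in lines:
        m = XFER_FAIL.search(line)
        if m:
            failed[m.group(1)] += 1
        elif DUMP_FAIL.search(line):
            dump_errors += 1
        else:
            m = AVC.search(line)
            if m and m.group(2).endswith("/named"):
                perm, _, scon, tcon, tclass = m.groups()
                denials[(perm, se_type(scon), se_type(tcon), tclass)] += 1
    return failed, dump_errors, denials


def findings(lines):
    """Turn the counts into the checks to run on the slave."""
    failed, dump_errors, denials = triage(lines)
    out = []
    if failed and dump_errors:
        out.append(f"named could not create its temp zone file ({dump_errors}x); "
                   f"zones affected: {sorted(failed)}; check owner/mode with ls -ld")
    for (perm, src, tgt, cls), n in sorted(denials.items()):
        out.append(f"SELinux denied {src} '{perm}' on a {tgt} {cls} ({n}x); "
                   "check getenforce and the label with ls -dZ")
    return out


if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```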