I have been looking into DNS master/slave service recently and read a lot of articles along the way, so I am writing it up here to save others some detours. DNS is one of the harder Linux services to get right, mainly because of the configuration files: one missing character can break everything.
So what is DNS? Simply put, it resolves a domain name to an IP address. A short domain name is far easier for people to remember than the long IP address of every site they visit.
How does DNS resolution actually work?
Step 1: A client accesses a website and requests name resolution. It first looks in the local hosts file; if there is a matching name/IP record, that is returned to the client directly. If not, the request is sent to the local DNS server.
Step 2: If the local DNS server can resolve the client's request, it returns the answer to the client directly.
Step 3: If the local DNS server cannot resolve the request, there are two ways to proceed:
1. Recursive resolution: the local DNS server sends the request to a root name server; the root server resolves the request on the local server's behalf and hands the record back; the local DNS server caches the record and returns it to the client.
2. Iterative resolution: the local DNS server sends the request to a root name server; the root server replies with the address of the next-level name server that can handle the request; the local server then queries the address the root returned, and so on until it obtains the resolution record.
The above is only a brief introduction to DNS. Back to the point: the script below installs BIND and adds name resolution automatically; adapt it to your own needs. (The script targets the CentOS 5.8 x86_64 series.)
```bash
#!/bin/bash
#auto install config bind server
#wugk 2013-08-28
# (bash rather than sh: the script uses read -p, select, echo -e and {a,b} brace expansion)
# define variables
BND_ETC=/var/named/chroot/etc
BND_VAR=/var/named/chroot/var/named
BAK_DIR=/data/backup/dns_`date +%Y%m%d-%H%M`

##Backup named server
if [ ! -d $BAK_DIR ];then
    echo "Please waiting Backup Named Config ............"
    mkdir -p $BAK_DIR
    cp -a /var/named/chroot/{etc,var} $BAK_DIR
    cp -a /etc/named.* $BAK_DIR
fi

##Define Shell Install Function
Install () {
    if [ ! -e /etc/init.d/named ];then
        rpm -e --nodeps bind-utils
        rpm -e --nodeps bind-libs
        rpm -e --nodeps bind
        rpm -e bind-chroot
        rpm -e caching-nameserver
        rpm -ivh --nodeps bind-9.3.6-20.P1.el5_8.6.x86_64.rpm bind-chroot-9.3.6-20.P1.el5_8.6.x86_64.rpm bind-libs-9.3.6-20.P1.el5_8.6.x86_64.rpm bind-utils-9.3.6-20.P1.el5_8.6.x86_64.rpm caching-nameserver-9.3.6-20.P1.el5_8.6.x86_64.rpm
    else
        echo -------------------------------------------------
        echo "The Named Server is exists ,Please exit ........."
        sleep 1
    fi
}

##Define Shell Init Function
Init_Config () {
    cd $BND_ETC ;ls ./*
    cp -p named.caching-nameserver.conf named.conf
    # turns "localhost;" and the 127.0.0.1 listen-on into "any;": named now answers
    # queries from every source, and since the caching-nameserver template has
    # recursion enabled this makes the host an open recursive resolver unless
    # allow-recursion is restricted afterwards
    sed -i -e 's/localhost;/any;/g' -e '/port/s/127.0.0.1/any/g' named.conf
    echo -------------------------------------------------
    sleep 2
    echo "The named.conf config Init success !"
}

##Define Shell Add Name Function
Add_named () {
    ##DNS name
    read -p "Please Insert Into Your Add Name ,Example 51cto.com :" NAME
    echo $NAME |grep -E "com|cn|net|org"
    while [ "$?" -ne 0 ]
    do
        read -p "Please reInsert Into Your Add Name ,Example 51cto.com :" NAME
        echo $NAME |grep -E "com|cn|net|org"
    done
    ## IP address
    read -p "Please Insert Into Your Name Server IP ADDress:" IP
    echo $IP |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
    while [ "$?" -ne "0" ]
    do
        read -p "Please reInsert Into Your Name Server IP ADDress:" IP
        echo $IP |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
    done
    # reversed first three octets name the in-addr.arpa zone, e.g. 111.168.192
    ARPA_IP=`echo $IP|awk -F. '{print $3"."$2"."$1}'`
    ARPA_IP1=`echo $IP|awk -F. '{print $4}'`
    cd $BND_ETC
    grep "$NAME" named.rfc1912.zones
    if [ $? -eq 0 ];then
        echo "The $NAME IS exist named.rfc1912.zones conf ,please exit ..."
        exit
    else
        read -p "Please Insert Into SLAVE Name Server IP ADDress:" SLAVE
        echo $SLAVE |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
        while [ "$?" -ne "0" ]
        do
            read -p "Please Insert Into SLAVE Name Server IP ADDress:" SLAVE
            echo $SLAVE |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
        done
        # zone transfers and NOTIFY are limited to the slave; dynamic updates are off
        grep "rev" named.rfc1912.zones
        if [ $? -ne 0 ];then
            cat >>named.rfc1912.zones <<EOF
#`date +%Y-%m-%d` Add $NAME CONFIG
zone "$NAME" IN {
        type master;
        file "$NAME.zone";
        allow-transfer { $SLAVE; };
        also-notify { $SLAVE; };
        allow-update { none; };
};
zone "$ARPA_IP.in-addr.arpa" IN {
        type master;
        file "$ARPA_IP.rev";
        allow-transfer { $SLAVE; };
        also-notify { $SLAVE; };
        allow-update { none; };
};
EOF
        else
            cat >>named.rfc1912.zones <<EOF
#`date +%Y-%m-%d` Add $NAME CONFIG
zone "$NAME" IN {
        type master;
        file "$NAME.zone";
        allow-transfer { $SLAVE; };
        also-notify { $SLAVE; };
        allow-update { none; };
};
EOF
        fi
    fi
    [ $? -eq 0 ]&& echo "The $NAME config name.rfc1912.zones success !"
    sleep 3 ;echo "Please waiting config $NAME zone File ............."
    cd $BND_VAR
    read -p "Please insert Name DNS A HOST ,EXample www or mail :" HOST
    read -p "Please insert Name DNS A NS IP ADDR ,EXample 192.168.111.130 :" IP_HOST
    echo $IP_HOST |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
    # the loop must test egrep's exit status directly, so the awk assignments come after it
    while [ "$?" -ne "0" ]
    do
        read -p "Please Reinsert Name DNS A IPADDRESS ,EXample 192.168.111.130 :" IP_HOST
        echo $IP_HOST |egrep -o "([0-9]{1,3}\.){3}[0-9]{1,3}"
    done
    ARPA_IP2=`echo $IP_HOST|awk -F. '{print $3"."$2"."$1}'`
    ARPA_IP3=`echo $IP_HOST|awk -F. '{print $4}'`
    cat >$NAME.zone <<EOF
\$TTL 86400
@ IN SOA localhost. root.localhost. (
                        43 ; serial (d. adams)
                        1H ; refresh
                        15M ; retry
                        1W ; expiry
                        1D ) ; minimum
        IN NS $NAME.
EOF
    # reverse zone: create one if none exists, otherwise reuse the existing file
    # (the PTR is written with the host's last octet, so the host is assumed to
    # sit in the same /24 as the name server)
    REV=`ls *.rev`
    ls *.rev >>/dev/null
    if [ $? -ne 0 ];then
        cat >>$ARPA_IP.rev <<EOF
\$TTL 86400
@ IN SOA localhost. root.localhost. (
                        1997022703 ; Serial
                        28800 ; Refresh
                        14400 ; Retry
                        3600000 ; Expire
                        86400 ) ; Minimum
        IN NS $NAME.
EOF
        echo "$HOST IN A $IP_HOST" >>$NAME.zone
        echo "$ARPA_IP3 IN PTR $HOST.$NAME." >>$ARPA_IP.rev
        [ $? -eq 0 ]&& echo -e "The $NAME config success:\n$HOST IN A $IP_HOST\n$ARPA_IP3 IN PTR $HOST.$NAME."
    else
        sed -i "9a IN NS $NAME." $REV
        echo "$HOST IN A $IP_HOST" >>$NAME.zone
        echo "$ARPA_IP3 IN PTR $HOST.$NAME." >>$REV
        [ $? -eq 0 ]&& echo -e "The $NAME config success1:\n$HOST IN A $IP_HOST\n$ARPA_IP3 IN PTR $HOST.$NAME."
    fi
}

##Define Shell List A Function
Add_A_List () {
    cd $BND_VAR
    REV=`ls *.rev`
    read -p "Please Insert Into Your Add Name ,Example 51cto.com :" NAME
    if [ ! -e "$NAME.zone" ];then
        echo "The $NAME.zone File is not exist ,Please ADD $NAME.zone File :"
        Add_named ;
    else
        read -p "Please Enter List Name A NS File ,Example /tmp/name_list.txt: " FILE
        if [ -e $FILE ];then
            # list file: one record per line, "IP hostname.domain" (no trailing dot),
            # e.g. 192.168.111.130 www.51cto.com ; column 2 minus the domain is the host label
            for i in `cat $FILE|awk '{print $2}'|sed "s/$NAME//g"|sed 's/\.$//g'`
            #for i in `cat $FILE|awk '{print $1}'|sed "s/$NAME//g"|sed 's/\.$//g'`
            do
                j=`awk -v I="$i.$NAME" '{if(I==$2)print $1}' $FILE`
                echo -----------------------------------------------------------
                echo "The $NAME.zone File is exist ,Please Enter insert NAME HOST ...."
                sleep 1
                ARPA_IP=`echo $j|awk -F. '{print $3"."$2"."$1}'`
                ARPA_IP2=`echo $j|awk -F. '{print $4}'`
                echo "$i IN A $j" >>$NAME.zone
                echo "$ARPA_IP2 IN PTR $i.$NAME." >>$REV
                [ $? -eq 0 ]&& echo -e "The $NAME config success:\n$i IN A $j\n$ARPA_IP2 IN PTR $i.$NAME."
            done
        else
            echo "The $FILE List File IS Not Exist .......,Please exit ..."
        fi
    fi
}

##Define Shell Select Menu
PS3="Please select Menu Name Config: "
select i in "自动安装Bind服务" "自动初始化Bind配置" "添加解析域名" "批量添加A记录"
do
    case $i in
        "自动安装Bind服务")
            Install
            ;;
        "自动初始化Bind配置")
            Init_Config
            ;;
        "添加解析域名")
            Add_named
            ;;
        "批量添加A记录")
            Add_A_List
            ;;
        * )
            echo -----------------------------------------------------
            sleep 1
            echo "Please exec: sh $0 { Install(1) or Init_Config(2) or Add_named(3) or Add_config_A(4) }"
            ;;
    esac
done
```
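The script's Init_Config opens allow-query and listen-on to any, while Add_named restricts zone transfers to the slave. The following is an added example, not part of the script above, that reads a named.conf-style file and reports the two things worth checking afterwards: a global allow-query { any; } combined with recursion yes, and master zones that transfer to any or carry no allow-transfer at all. The sample config and the slave address 192.168.111.131 are constructed; only awk is assumed.

```shell
# Added example: read-only audit of a named.conf / named.rfc1912.zones file.
# Prints one finding per line, nothing when the config is clean.
named_conf_findings() {   # $1: config file
    awk '
        { sub(/\/\/.*$/, ""); sub(/[#].*$/, ""); gsub(/[ \t]+/, " ") }
        /^ ?zone / { zone = $2; gsub(/"/, "", zone); master = 0; xfer = 0 }
        /recursion yes ?;/ { recursion = 1 }
        /allow-query ?[{] ?any ?; ?[}]/ { if (zone == "") query_any = 1 }
        /type master ?;/ { if (zone != "") master = 1 }
        /allow-transfer/ {
            if (zone != "") xfer = 1
            if ($0 ~ /[{] ?any ?; ?[}]/)
                print "zone " (zone == "" ? "(global)" : zone) ": allow-transfer { any; } lets anyone AXFR the zone"
        }
        /^ ?[}]; ?$/ {
            if (zone != "" && master && !xfer)
                print "zone " zone ": no allow-transfer; BIND 9.3 defaults to any"
            zone = ""
        }
        END {
            if (recursion && query_any)
                print "options: recursion yes + allow-query { any; } = open recursive resolver"
        }' "$1"
}

# Constructed sample: options as Init_Config leaves them, one zone as Add_named
# writes it (slave 192.168.111.131), and one zone added by hand without allow-transfer.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
options {
        listen-on port 53 { any; };
        recursion yes;
        allow-query     { any; };
};
zone "51cto.com" IN {
        type master;
        file "51cto.com.zone";
        allow-transfer { 192.168.111.131; };
};
zone "example.test" IN {
        type master;
        file "example.test.zone";
};
EOF

named_conf_findings "$SAMPLE_CONF"
```

Run against the real /var/named/chroot/etc/named.conf and named.rfc1912.zones after the script has finished; an empty result means neither setting needs attention.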
This article drew on the following articles, for which many thanks; discussion and reposting are welcome!
http://blog.csdn.net/crazw/article/details/8986

I have been reading about SELinux on Linux lately and did not fully understand the relationship between setroubleshoot and audit. I found the following official explanation:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html-single/Security-Enhanced_Linux/index.html#sect-Security-Enhanced_Linux-Working_with_SELinux-Which_Log_File_is_Used
According to it, in Red Hat 6 setroubleshoot is no longer a standalone service but is split into two processes; as long as SELinux is in use and setroubleshoot is installed, two processes are started automatically at boot: seapplet and sedispatch. Their roles are as follows:
sedispatch runs as part of the audit subsystem, and via dbus, sends a message when an AVC denial occurs, which will go straight to setroubleshootd if it is already running, or it will start setroubleshootd if it is not running.
seapplet is a tool which runs in the system's toolbar, waiting for dbus messages in setroubleshootd, and will launch the notification bubble, allowing the user to review the denial.
Based on the above, I ran the following test. First enable SELinux and install setroubleshoot, then check the status:
[root@localhost ~]# getenforce
Enforcing
[root@localhost ~]# service auditd status
auditd (pid 1222) is running...
Both SELinux and auditd are running. Open two terminals and watch messages and audit.log respectively.
The experiment uses an FTP server; here is the procedure. After installing FTP, create a new user and log in as that user from a client. Normally, once the correct username and password are accepted, the FTP session lands in the user's home directory. SELinux, however, has a setting that does not allow FTP users into home directories, so after a successful login the audit subsystem writes to its log, and setroubleshoot picks up that log entry, analyses it, and offers the user a solution. Let's verify this process.
Since I started from a minimal install, the following steps were needed:
[root@localhost ~]# yum -y install vsftpd
[root@localhost ~]# yum -y install setroubleshoot*
[root@localhost ~]# yum -y groupinstall "X Window System"
[root@localhost ~]# yum -y groupinstall "KDE Desktop"
Note: after installing setroubleshoot, ps aux | grep seapplet showed no such process; do not worry about that. seapplet and sedispatch appear once X11 and the KDE desktop manager are installed and the system is restarted. My feeling is that setroubleshoot needs desktop support. OK, let's continue.
[root@localhost ~]# ps aux | grep sedispatch | grep -v grep
root 1236 0.0 0.0 21200 1140 ? S< 11:28 0:00 /usr/sbin/sedispatch
[root@localhost ~]# ps aux | grep seapplet | grep -v grep
root 2494 0.0 0.3 217800 7208 ? S 12:43 0:00 /usr/bin/seapplet
Step 1: install vsftpd. Installation details omitted; start vsftpd right after installing, without changing anything.
Step 2: create a new user. Steps omitted.
Step 3: start monitoring the setroubleshoot log (messages) and the auditd log (audit.log); tailf is recommended.
Step 4: log in over FTP from the client with the newly created username and password (which are correct).
Step 5: check whether the logs have changed. See the screenshots below.
[Screenshot: before the operation]
[Screenshot: after the operation; analyse the log messages for yourself. I used the KDE desktop.]
As you can see, the messages make the cause of the problem clear; normally a star icon also appears on the desktop.
Now let's see whether the two logs differ:
audit.log
type=AVC msg=audit(1377664273.274:36): avc: denied { search } for pid=2117 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1377664273.274:36): arch=c000003e syscall=80 success=no exit=-13 a0=7fe0a273afe0 a1=1f4 a2=0 a3=7fffa8c137e0 items=0 ppid=2112 pid=2117 auid=0 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
Note the type=AVC marker. Now look at setroubleshoot:
Aug 28 12:39:26 localhost setroubleshoot: SELinux is preventing /usr/sbin/vsftpd from search access on the directory /home. For complete SELinux messages. run sealert -l 30972dbc-350e-4f82-9044-a8ffafd9e31c
In that line, the word setroubleshoot right after the hostname localhost shows that setroubleshoot assembled and wrote the entry. Running the command shown in red above (sealert -l ...) gives the following:
SELinux is preventing /usr/sbin/vsftpd from search access on the directory /home.
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to allow ftp servers to login to local users and read/write all files on the system, governed by DAC. Then you must tell SELinux about this by enabling the 'allow_ftpd_full_access'boolean. Do setsebool -P allow_ftpd_full_access 1
***** Plugin catchall_boolean (47.5 confidence) suggests *******************
If you want to allow ftp to read and write files in the user home directories
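The AVC record above is what sedispatch hands to setroubleshoot, which then writes the readable line into messages. As an added example (not part of the post or of the setroubleshoot tooling), the small awk filter below does the first step of that job by hand: it keeps only type=AVC records from audit.log, pulls out the denied permission, the source and target SELinux types and the object class, and prefixes the audit serial that ties the AVC record to its SYSCALL record. The input is the post's own two log records; only awk is assumed.

```shell
# Added example: summarise AVC denials from audit.log on stdin, one line each:
#   SERIAL COMM PERMISSION SOURCE_TYPE TARGET_TYPE TCLASS
avc_summary() {
    awk '
        $1 == "type=AVC" {
            # key=value tokens into f[]; tokens without "=" land harmlessly as empty values
            for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
            # the denied permission is the word between "denied {" and "}"
            match($0, /denied +[{] *[a-z_]+ *[}]/)
            perm = substr($0, RSTART, RLENGTH)
            sub(/denied +[{] */, "", perm); sub(/ *[}]/, "", perm)
            # msg=audit(TIMESTAMP:SERIAL): the serial is shared with the SYSCALL record
            match(f["msg"], /:[0-9]+[)]/)
            serial = substr(f["msg"], RSTART + 1, RLENGTH - 2)
            # user:role:type:level, so the SELinux type is the third field
            split(f["scontext"], sc, ":"); split(f["tcontext"], tc, ":")
            gsub(/"/, "", f["comm"])
            print serial, f["comm"], perm, sc[3], tc[3], f["tclass"]
        }'
}

# Sample input: the AVC record and its SYSCALL record as shown in the post above
SAMPLE_AUDIT='type=AVC msg=audit(1377664273.274:36): avc: denied { search } for pid=2117 comm="vsftpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1377664273.274:36): arch=c000003e syscall=80 success=no exit=-13 a0=7fe0a273afe0 a1=1f4 a2=0 a3=7fffa8c137e0 items=0 ppid=2112 pid=2117 auid=0 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=unconfined_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)'

printf '%s\n' "$SAMPLE_AUDIT" | avc_summary
```

For the record above this prints "36 vsftpd search ftpd_t home_root_t dir", which is the same denial the setroubleshoot line describes in words; on a live system pipe in /var/log/audit/audit.log or the output of ausearch -m avc.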