自拍偷在线精品自拍偷,亚洲欧美中文日韩v在线观看不卡

Dynamic updates between DNS and DHCP on RHEL 5.2


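I. Lab objective

Implement dynamic (interactive) updates between DHCP and DNS on the Linux platform.

II. Lab environment

One Linux server running Red Hat Enterprise Linux Server release 5.2 (Tikanga), kernel version 2.6.18-92.el5; two clients: one running Windows XP Professional SP3, and one Linux host running the same release as the server.

III. Setting up the DNS service (bind)

1. Install the bind packages

Insert the installation disc, change to the directory that contains the packages, and run the following commands to install them: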

rpm -ivh bind-9.3.4-6.P1.el5.i386.rpm

rpm -ivh bind-chroot-9.3.4-6.P1.el5.i386.rpm

rpm -ivh bind-devel-9.3.4-6.P1.el5.i386.rpm

rpm -ivh bind-libbind-devel-9.3.4-6.P1.el5.i386.rpm

rpm -ivh bind-libs-9.3.4-6.P1.el5.i386.rpm

rpm -ivh bind-sdb-9.3.4-6.P1.el5.i386.rpm

rpm -ihv bind-utils-9.3.4-6.P1.el5.i386.rpm

rpm -ivh caching-nameserver-9.3.4-6.P1.el5.i386.rpm

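2. Create the key

To implement dynamic DNS updates, the first thing to consider is how to make DDNS secure. The method given by ISC is to create a key for dynamic updates and to verify each update with that key. To do this, run the following command as root: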

[root@server etc]# dnssec-keygen -a HMAC-MD5 -b 128 -n USER administrator

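The dnssec-keygen command above generates the update key: -a HMAC-MD5 selects HMAC-MD5 as the key algorithm; -b 128 sets the key length to 128 bits; -n USER administrator creates a key of name type USER with the name administrator.

The command generates the following pair of key files: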

-rw------- 1 named named 55 Jun 20 00:54 Kadministrator.+157+49362.key

-rw------- 1 named named 81 Jun 20 00:54 Kadministrator.+157+49362.private

The contents of the newly generated key files can be viewed as follows:

[root@server etc]# cat Kadministrator.+157+49362.key

administrator. IN KEY 0 3 157 txOBJNpI39770VEkbPQQ6w==

[root@server etc]# cat Kadministrator.+157+49362.private

Private-key-format: v1.2

Algorithm: 157 (HMAC_MD5)

Key: txOBJNpI39770VEkbPQQ6w==

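A close reading of the key files shows that both contain the same key. This key is the credential DHCP uses when it performs secure dynamic updates against DNS. It has to be added to both the DNS and the DHCP configuration files later on.

3. Configure the main configuration file. There are two ways to do this:

1) Remove the following lines from /var/named/chroot/etc/named.caching-nameserver.conf: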

listen-on port 53 { 127.0.0.1; };

listen-on-v6 port 53 { ::1; };

allow-query { localhost; };

match-clients { localhost; };

match-destinations { localhost; };

The file after modification:

[root@server etc]# cat named.caching-nameserver.conf

//

// named.caching-nameserver.conf

//

// Provided by Red Hat caching-nameserver package to configure the

// ISC BIND named(8) DNS server as a caching only nameserver

// (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

// DO NOT EDIT THIS FILE - use system-config-bind or an editor

// to create named.conf - edits to this file will be lost on

// caching-nameserver package upgrade.

//

options {

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

query-source port 53;

query-source-v6 port 53;

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

};

view localhost_resolver {

recursion yes;

include "/etc/named.rfc1912.zones";

};

Add the new zones to the file /var/named/chroot/etc/named.rfc1912.zones. The result is:

[root@server etc]# cat named.rfc1912.zones

// named.rfc1912.zones:

//

// Provided by Red Hat caching-nameserver package

//

// ISC BIND named zone configuration for zones recommended by

// RFC 1912 section 4.1 : localhost TLDs and address zones

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

key administrator {

algorithm HMAC-MD5.SIG-ALG.REG.INT;

secret txOBJNpI39770VEkbPQQ6w==;

};

zone "." IN {

type hint;

file "named.ca";

};

zone "localdomain" IN {

type master;

file "localdomain.zone";

allow-update { none; };

};

zone "localhost" IN {

type master;

file "localhost.zone";

allow-update { none; };

};

zone "0.0.127.in-addr.arpa" IN {

type master;

file "named.local";

allow-update { none; };

};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

type master;

file "named.ip6.local";

allow-update { none; };

};

zone "255.in-addr.arpa" IN {

type master;

file "named.broadcast";

allow-update { none; };

};

zone "0.in-addr.arpa" IN {

type master;

file "named.zero";

allow-update { none; };

};

zone "china.test" IN {

type master;

file "china.test.zone";

allow-update { key administrator; };

};

zone "13.168.192.in-addr.arpa" IN {

type master;

file "china.test.arpa";

allow-update { key administrator; };

};

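2) Change to the /var/named/chroot/etc/ directory and append named.rfc1912.zones to named.caching-nameserver.conf so that the two become one file. Delete and add the same content as in the first method, and delete the entire view localhost_resolver block.

4. Add the zone files under the /var/named/chroot/var/named directory. The files are: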

[root@server named]# cat china.test.zone

$TTL 86400

@ IN SOA server.china.test. root.china.test. (

2009062000

28800

14400

360000

86400

)

@ IN NS server.china.test.

server IN A 192.168.13.11

client IN A 192.168.13.24

[root@server named]# cat china.test.arpa

$TTL 86400

@ IN SOA server.china.test. root.server.china.test. (

2009062000 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

@ IN NS server.china.test.

11 IN PTR server.china.test.

5. Run chkconfig --level 3 named on to start the DNS service automatically at boot.

6. Start the DNS service: service named start

7. On the client host, specify the DNS server in /etc/resolv.conf: nameserver 192.168.13.11

IV. Setting up the DHCP service

1. dhcp packages

rpm -ivh dhcp-3.0.5-13.el5.i386.rpm

rpm -ivh dhcp-devel-3.0.5-13.el5.i386.rpm

2. Edit the configuration file. The modified configuration file is:

[root@server ~]# cat /etc/dhcpd.conf

ddns-update-style interim;

allow client-updates;

key administrator {

algorithm HMAC-MD5;

secret txOBJNpI39770VEkbPQQ6w==;

};

zone china.test. {

primary 192.168.13.11;

key administrator;

}

zone 13.168.192.in-addr.arpa. {

primary 192.168.13.11;

key administrator;

}

subnet 192.168.13.0 netmask 255.255.255.0 {

# --- default gateway

option routers 192.168.13.13;

option subnet-mask 255.255.255.0;

option nis-domain "china.test";

option domain-name "china.test";

option domain-name-servers 192.168.13.11;

# option time-offset -18000; # Eastern Standard Time

# option ntp-servers 192.168.1.1;

# option netbios-name-servers 192.168.1.1;

# --- Selects point-to-point node (default is hybrid). Don't change this unless

# -- you understand Netbios very well

# option netbios-node-type 2;

range dynamic-bootp 192.168.13.1 192.168.13.23;

default-lease-time 180;

max-lease-time 300;

}

3. Run chkconfig --level 3 dhcpd on to start the DHCP service automatically at boot.

4. Start the DHCP service: service dhcpd start

5. On the client host, add the DHCP client configuration file /etc/dhclient.conf with the following content:

[root@client ~]# cat /etc/dhclient.conf

send fqdn.fqdn "client";

send fqdn.encoded on;

6. On the server, check the DHCP lease file /var/lib/dhcpd/dhcpd.leases:

[root@server ~]# cat /var/lib/dhcpd/dhcpd.leases

# All times in this file are in UTC (GMT), not your local timezone. This is

# not a bug, so please don't ask about it. There is no portable way to

# store leases in the local timezone, so please don't request this as a

# feature. If this is inconvenient or confusing to you, we sincerely

# apologize. Seriously, though - don't ask.

# The format of this file is documented in the dhcpd.leases(5) manual page.

# This lease file was written by isc-dhcp-V3.0.5-RedHat

lease 192.168.13.23 {

starts 6 2009/06/20 08:20:53;

ends 6 2009/06/20 08:25:53;

binding state active;

next binding state free;

hardware ethernet 00:0c:29:71:c6:09;

set ddns-rev-name = "23.13.168.192.in-addr.arpa.";

set ddns-txt = "0003680744ede9faf3e6e8bd78563f6857";

set ddns-fwd-name = "client.china.test";

}

7. Look in the /var/named/chroot/var/named directory: the following two files have been generated automatically and are used for DNS updates.

-rw-r--r-- 1 named named 1980 Jun 20 16:20 china.test.arpa.jnl

-rw-r--r-- 1 named named 1825 Jun 20 16:20 china.test.zone.jnl

8. The zone files now contain:

[root@server named]# cat china.test.zone

$ORIGIN .

$TTL 86400 ; 1 day

china.test IN SOA server.china.test. root.china.test. (

2009062021 ; serial

28800 ; refresh (8 hours)

14400 ; retry (4 hours)

360000 ; expire (4 days 4 hours)

86400 ; minimum (1 day)

)

NS server.china.test.

$ORIGIN china.test.

$TTL 150 ; 2 minutes 30 seconds

client A 192.168.13.23

TXT "0003680744ede9faf3e6e8bd78563f6857"

$TTL 86400 ; 1 day

server A 192.168.13.11

[root@server named]# cat china.test.arpa

$ORIGIN .

$TTL 86400 ; 1 day

13.168.192.in-addr.arpa IN SOA server.china.test. root.server.china.test. (

2009062017 ; serial

28800 ; refresh (8 hours)

14400 ; retry (4 hours)

3600000 ; expire (5 weeks 6 days 16 hours)

86400 ; minimum (1 day)

)

NS server.china.test.

$ORIGIN 13.168.192.in-addr.arpa.

11 PTR server.china.test.

$TTL 150 ; 2 minutes 30 seconds

23 PTR client.china.test.

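V. Conclusions

1. Observed behaviour:

1) Updates are slow; sometimes the DNS service even has to be restarted manually before an update succeeds.

2) The reverse zone does not clear out old records, as shown below: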

[root@server ~]# cat /var/named/chroot/var/named/china.test.arpa

$ORIGIN .

$TTL 86400 ; 1 day

13.168.192.in-addr.arpa IN SOA server.china.test. root.server.china.test. (

2009062019 ; serial

28800 ; refresh (8 hours)

14400 ; retry (4 hours)

3600000 ; expire (5 weeks 6 days 16 hours)

86400 ; minimum (1 day)

)

NS server.china.test.

$ORIGIN 13.168.192.in-addr.arpa.

11 PTR server.china.test.

$TTL 150 ; 2 minutes 30 seconds

12 PTR WWW-2E8A24A84C2.china.test.

20 PTR client.china.test.

23 PTR client.china.test.

24 PTR client.china.test.

2. Update log:

Jun 20 22:35:25 server named[2719]: starting BIND 9.3.4-P1 -u named -c /etc/named.caching-nameserver.conf -t /var/named/chroot

Jun 20 22:35:25 server named[2719]: found 1 CPU, using 1 worker thread

Jun 20 22:35:25 server named[2719]: loading configuration from '/etc/named.caching-nameserver.conf'

Jun 20 22:35:25 server named[2719]: listening on IPv4 interface lo, 127.0.0.1#53

Jun 20 22:35:25 server named[2719]: listening on IPv4 interface eth0, 192.168.13.11#53

Jun 20 22:35:25 server named[2719]: command channel listening on 127.0.0.1#953

Jun 20 22:35:25 server named[2719]: command channel listening on ::1#953

Jun 20 22:35:25 server named[2719]: zone 0.in-addr.arpa/IN/localhost_resolver: loaded serial 42

Jun 20 22:35:25 server named[2719]: zone 0.0.127.in-addr.arpa/IN/localhost_resolver: loaded serial 1997022700

Jun 20 22:35:25 server named[2719]: zone 13.168.192.in-addr.arpa/IN/localhost_resolver: loaded serial 2009062027

Jun 20 22:35:25 server named[2719]: zone 255.in-addr.arpa/IN/localhost_resolver: loaded serial 42

Jun 20 22:35:25 server named[2719]: zone 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/localhost_resolver: loaded serial 1997022700

Jun 20 22:35:25 server named[2719]: zone localdomain/IN/localhost_resolver: loaded serial 42

Jun 20 22:35:25 server named[2719]: zone localhost/IN/localhost_resolver: loaded serial 42

Jun 20 22:35:25 server named[2719]: zone china.test/IN/localhost_resolver: loaded serial 2009062035

Jun 20 22:35:25 server named[2719]: running

Jun 20 22:35:25 server dhcpd: Internet Systems Consortium DHCP Server V3.0.5-RedHat

Jun 20 22:35:25 server dhcpd: Copyright 2004-2006 Internet Systems Consortium.

Jun 20 22:35:25 server dhcpd: All rights reserved.

Jun 20 22:35:25 server dhcpd: For info, please visit http://www.isc.org/sw/dhcp/

Jun 20 22:35:25 server dhcpd: lease 192.168.13.22: no subnet.

Jun 20 22:35:25 server last message repeated 3 times

Jun 20 22:35:25 server dhcpd: Wrote 1 leases to leases file.

Jun 20 22:35:25 server dhcpd: Listening on LPF/eth0/00:0c:29:64:e2:df/192.168.13/24

Jun 20 22:35:25 server dhcpd: Sending on LPF/eth0/00:0c:29:64:e2:df/192.168.13/24

Jun 20 22:35:25 server dhcpd: Sending on Socket/fallback/fallback-net

Jun 20 22:35:33 server dhcpd: DHCPREQUEST for 192.168.13.22 from 00:0c:29:71:c6:09 via eth0: unknown lease 192.168.13.22.

Jun 20 22:35:37 server dhcpd: DHCPREQUEST for 192.168.13.22 from 00:0c:29:71:c6:09 via eth0: unknown lease 192.168.13.22.

Jun 20 22:35:49 server dhcpd: DHCPDISCOVER from 00:0c:29:71:c6:09 via eth0

Jun 20 22:35:50 server dhcpd: DHCPOFFER on 192.168.13.24 to 00:0c:29:71:c6:09 via eth0

Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': update unsuccessful: client.china.test: 'name not in use' prerequisite not satisfied (YXDOMAIN)

Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': deleting rrset at 'client.china.test' A

Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': adding an RR at 'client.china.test' A

Jun 20 22:35:50 server dhcpd: Added new forward map from client.china.test to 192.168.13.24

Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone '13.168.192.in-addr.arpa/IN': deleting rrset at '24.13.168.192.in-addr.arpa' PTR

Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone '13.168.192.in-addr.arpa/IN': adding an RR at '24.13.168.192.in-addr.arpa' PTR

Jun 20 22:35:50 server dhcpd: added reverse map from 24.13.168.192.in-addr.arpa. to client.china.test

3. Resolution from the client:

C:\>nslookup

Default Server: server.china.test

Address: 192.168.13.11

> client.china.test

Server: server.china.test

Address: 192.168.13.11

Name: client.china.test

Address: 192.168.13.24

> 192.168.13.23

Server: server.china.test

Address: 192.168.13.11

Name: WWW-2E8A24A84C2.china.test

Address: 192.168.13.23

> 192.168.13.24

Server: server.china.test

Address: 192.168.13.11

Name: client.china.test

Address: 192.168.13.24

> WWW-2E8A24A84C2.china.test

Server: server.china.test

Address: 192.168.13.11

Name: WWW-2E8A24A84C2.china.test

Address: 192.168.13.23

4. Final conclusion:

Dynamic updates between DNS and DHCP work. During operation the zone files in use are china.test.arpa.jnl and china.test.zone.jnl, rather than the traditional china.test.arpa and china.test.zone files.
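The stale reverse records noted in conclusion 1, item 2) can be found mechanically by checking every PTR against the forward zone. The following is an added example, not part of the original article: the reverse records are copied from that listing, the forward records are constructed from the nslookup answers in conclusion 3, and the function names are this example's own. It assumes IPv4 in-addr.arpa zones only.

```python
# PTR part of the reverse zone listed under conclusion 1, item 2) of this page.
REVERSE_ZONE = """\
$ORIGIN 13.168.192.in-addr.arpa.
11 PTR server.china.test.
$TTL 150 ; 2 minutes 30 seconds
12 PTR WWW-2E8A24A84C2.china.test.
20 PTR client.china.test.
23 PTR client.china.test.
24 PTR client.china.test.
"""
# Forward records constructed to match the nslookup answers in conclusion 3.
FORWARD_ZONE = """\
$ORIGIN china.test.
server A 192.168.13.11
client A 192.168.13.24
WWW-2E8A24A84C2 A 192.168.13.23
"""

def parse_zone(text, rtype):
    """Yield (owner FQDN, rdata) for one record type in a named zone dump."""
    origin, in_soa = "", False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]               # drop comments
        tok = line.split()
        if in_soa or "(" in line:                 # skip a multi-line SOA body
            in_soa = ")" not in line
        elif tok and tok[0].upper() == "$ORIGIN":
            origin = tok[1].lower().rstrip(".")
        elif rtype in tok[1:-1]:                  # owner [ttl] [class] type rdata
            owner = tok[0].lower()
            if not owner.endswith("."):           # relative name: append origin
                owner = f"{owner}.{origin}"
            yield owner.rstrip("."), tok[-1].lower().rstrip(".")

def stale_ptrs(reverse_text, forward_text):
    """Return [(ip, target)] for PTRs whose target has no A record for ip."""
    addrs = {}
    for name, ip in parse_zone(forward_text, "A"):
        addrs.setdefault(name, set()).add(ip)
    stale = []
    for owner, target in parse_zone(reverse_text, "PTR"):
        octets = owner[: -len(".in-addr.arpa")].split(".")
        ip = ".".join(reversed(octets))
        if ip not in addrs.get(target, set()):
            stale.append((ip, target))
    return stale

if __name__ == "__main__":
    for ip, name in stale_ptrs(REVERSE_ZONE, FORWARD_ZONE):
        print(f"stale PTR: {ip} -> {name}")
```

Anything that relies on reverse lookups of these addresses (log enrichment, host-based access rules) would see the wrong host name for the three addresses it reports.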
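Because allow-update { key administrator; } lets any holder of the key change any name in both zones, the update log in conclusion 2 is worth auditing for changes that do not come from the DHCP server. The following is an added example, not part of the original article: the first three log lines are copied from that log, the fourth is constructed in the same format with a different source address, and the function and finding names are this example's own.

```python
import re

DHCP_SERVER = "192.168.13.11"   # the only host expected to send signed updates

# Lines 1-3 are copied from the update log on this page; line 4 is constructed
# for this example (same format, different source address and host name).
LOG = """\
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': update unsuccessful: client.china.test: 'name not in use' prerequisite not satisfied (YXDOMAIN)
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone 'china.test/IN': adding an RR at 'client.china.test' A
Jun 20 22:35:50 server named[2719]: client 192.168.13.11#32772: view localhost_resolver: updating zone '13.168.192.in-addr.arpa/IN': deleting rrset at '24.13.168.192.in-addr.arpa' PTR
Jun 20 22:36:10 server named[2719]: client 192.168.13.50#1044: view localhost_resolver: updating zone 'china.test/IN': adding an RR at 'laptop.china.test' A
"""

UPDATE = re.compile(
    r"named\[\d+\]: client (?P<src>[\d.]+)#\d+: (?:view \S+: )?"
    r"updating zone '(?P<zone>[^/']+)/IN': (?P<what>.+)$")
CHANGE = re.compile(
    r"(?:adding an RR|deleting rrset) at '(?P<name>[^']+)' (?P<type>\S+)")

def audit(log_text, allowed=(DHCP_SERVER,)):
    """Return findings: accepted changes from unexpected sources, failed prerequisites."""
    findings = []
    for line in log_text.splitlines():
        m = UPDATE.search(line)
        if not m:
            continue                      # not a dynamic-update message
        change = CHANGE.match(m["what"])
        if change and m["src"] not in allowed:
            # The zone was modified by a host other than the DHCP server.
            findings.append(("unexpected-source", m["src"],
                             change["name"], change["type"]))
        elif m["what"].startswith("update unsuccessful"):
            rcode = m["what"].rsplit("(", 1)[-1].rstrip(")")
            findings.append(("prereq-failed", m["src"], m["zone"], rcode))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG):
        print(finding)
```

The YXDOMAIN entry appears in the article's own log immediately before a successful delete and add, so it is reported as information rather than as an error.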

Editor: 趙寧寧 Source: ChinaUnix blog