2025-01-21 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
System platform: CentOS 6.6 x86_64
Bind version: bind-9.10.2
Preparatory work
Download the bind source package (steps omitted).
Install the development toolchain (steps omitted; on CentOS that means at least gcc, make and openssl-devel).
Installation:
Unpack bind-9.10.2.tar.gz and build:
# tar xvf bind-9.10.2.tar.gz
# cd bind-9.10.2/
# ./configure -h
# ./configure --prefix=/usr/local/bind --mandir=/usr/share/ --sysconfdir=/etc/named/ --disable-ipv6 --disable-chroot --enable-threads
# make -j 2 && make install
# ln -s /usr/local/bind/bin/* /usr/bin/
# ln -s /usr/local/bind/sbin/* /usr/sbin/
# groupadd -r named
# useradd -r -g named -M -s /sbin/nologin named
# mkdir /usr/local/bind/var/run/named
# chown named:named /usr/local/bind/var/run/named
# ll -d /usr/local/bind/var/run/named/
# [ -d /etc/named/ ] || mkdir /etc/named
# chown named:named /etc/named
# [ -d /var/named ] || mkdir /var/named
# chown named:named /var/named
Two things to note here. This build is not chrooted, so dropping to the unprivileged named user (the -u named flag used when starting the daemon below) is the only privilege separation it has. And named only needs to read /etc/named, so the configuration directory can stay owned by root and readable by the named group; it does not need to be writable by the daemon.
Start by configuring the base zone files
# dig -t NS . @61.139.2.69 > /var/named/named.ca
# cd /var/named/
# vim named.localhost
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
# vim named.loopback
$TTL 1D
@       IN SOA  @ rname.invalid. (
                                0       ; serial
                                1D      ; refresh
                                1H      ; retry
                                1W      ; expire
                                3H )    ; minimum
        NS      @
        A       127.0.0.1
        PTR     localhost.
# chown -R named.named /var/named/*
The root hints file produced by that dig command is simply whatever the resolver at 61.139.2.69 answered. Compare it against the root hints published by IANA (https://www.internic.net/domain/named.root) before trusting it: a wrong or poisoned hints file redirects every recursive lookup this server makes.
named.conf main configuration file (the bind source tree ships a sample named.conf under bin/tests/named.conf)
# rndc-confgen -r /dev/urandom > /etc/named/rndc.conf
# cd /etc/named/
# touch named.conf
# vim rndc.conf
(in vim command mode, append the commented key/controls lines from rndc.conf to named.conf with :2,11w >> named.conf, then remove the leading # from them)
# cat named.conf
# vim named.conf
options {
        directory "/var/named";
        listen-on port 53 { any; };
        allow-query { any; };
        recursion yes;
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
# Use with the following in named.conf, adjusting the allow list as needed:
key "rndc-key" {
        algorithm hmac-md5;
        secret "8VWpbjeJ8mochoPghAN5SQQ=";
};
controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };
};
# chown -R named.named /etc/named/*
As written, this is an open recursive resolver: it listens on every interface, answers anyone (allow-query { any; }), and because no allow-recursion is set, named falls back to the allow-query list for recursion as well. Open resolvers get used for amplification and cache-poisoning attempts, so restrict recursion to your own clients (allow-recursion { localnets; }; or a named acl) and keep allow-query { any; } only if the box also serves authoritative zones. Two smaller points: rndc-confgen in this version defaults to hmac-md5, and -A hmac-sha256 selects a current algorithm; and rndc.conf holds the control-channel secret, so keep it readable by root (and at most the named group) rather than handing all of /etc/named to the daemon.
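As an added example (not code from this page or from ISC), the following Python script reads a named.conf in the shape built above and flags the open-resolver condition, the hmac-md5 rndc key, and a control channel that accepts rndc from any address. The parser is a minimal one written for this example, not BIND's; both configurations are constructed here, the key secret is a dummy, and the trusted client range in the hardened variant is hypothetical.

```python
import re

# Constructed named.conf in the shape this page builds (dummy secret, not a real key).
WEAK_CONF = """
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;             # no allow-recursion: recursion ACL falls back to allow-query
};
zone "." IN { type hint; file "named.ca"; };
key "rndc-key" { algorithm hmac-md5; secret "ZHVtbXktc2VjcmV0"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
"""

# The same configuration with recursion limited to a hypothetical client range.
HARDENED_CONF = """
acl "trusted" { 127.0.0.1; 192.0.2.0/24; };   // hypothetical client network
options {
    directory "/var/named";
    listen-on port 53 { any; };
    allow-query { any; };          // authoritative zones stay public
    recursion yes;
    allow-recursion { trusted; };  // recursion only for our own clients
    allow-query-cache { trusted; };
};
zone "." IN { type hint; file "named.ca"; };
key "rndc-key" { algorithm hmac-sha256; secret "ZHVtbXktc2VjcmV0"; };
controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };
"""

def tokenize(text):
    """Split named.conf text into tokens, dropping #, // and /* */ comments."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse(tokens, pos=0):
    """Recursive-descent parse: returns (statements, next_pos); a statement is (words, children)."""
    stmts, words = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "{":
            children, pos = parse(tokens, pos + 1)
            stmts.append((words, children))
            words = []
        elif tok == "}":
            return stmts, pos + 1
        elif tok == ";":
            if words:
                stmts.append((words, []))
            words, pos = [], pos + 1
        else:
            words.append(tok.strip('"'))
            pos += 1
    return stmts, pos

def top(stmts, head):
    """Top-level statements whose first word is `head` (options, key, controls, ...)."""
    return [(w, c) for w, c in stmts if w and w[0] == head]

def option(body, name):
    """(args, children) of the first statement called `name` inside a block, or None."""
    for w, c in body:
        if w and w[0] == name:
            return w[1:], c
    return None

def acl_names(children):
    return {w[0] for w, _ in children if w}

def audit(conf_text):
    """Return findings for open recursion, a weak rndc HMAC and an over-broad control channel."""
    stmts, _ = parse(tokenize(conf_text))
    findings = []
    for _, body in top(stmts, "options"):
        rec = option(body, "recursion")
        recursion_on = rec is None or rec[0] == ["yes"]   # named defaults to recursion yes
        # Effective recursion ACL follows the ARM default chain:
        # allow-recursion -> allow-query-cache -> allow-query -> { localnets; localhost; }
        eff = (option(body, "allow-recursion") or option(body, "allow-query-cache")
               or option(body, "allow-query"))
        eff_acl = acl_names(eff[1]) if eff else {"localnets", "localhost"}
        if recursion_on and "any" in eff_acl:
            findings.append("open recursive resolver: recursion yes with effective recursion "
                            "ACL { any; }; add allow-recursion { <trusted clients>; }")
    for words, body in top(stmts, "key"):
        alg = option(body, "algorithm")
        if alg and alg[0] and alg[0][0].lower() == "hmac-md5":
            findings.append(f"key {words[1]} uses hmac-md5; regenerate with rndc-confgen -A hmac-sha256")
    for _, body in top(stmts, "controls"):
        for w, kids in body:
            if w and w[-1] == "allow" and "any" in acl_names(kids):
                findings.append("control channel allows rndc from any address; restrict to 127.0.0.1")
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "no findings")
```

Run it against the real file with `audit(open("/etc/named/named.conf").read())`; it only understands the statement shapes used on this page, so treat it as a pre-commit sanity check, not a replacement for named-checkconf.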
Run named
# named -u named -g          # run in the foreground first, logging to stderr, to catch configuration errors
# named -u named
# netstat -tunpl
# tail /var/log/messages     # check the log for errors
# iptables -t filter -I INPUT -p udp --dport 53 -j ACCEPT
Then query a domain name from a remote machine to confirm it resolves. Two additions worth making: run named-checkconf -z before starting, which parses named.conf and test-loads every zone, and also allow TCP port 53, which is used for answers too large for UDP and for zone transfers.
System service script for named
#!/bin/bash
# named    a network name service.
# chkconfig: 345 35 75
# description: a name server
[ -r /etc/rc.d/init.d/functions ] && . /etc/rc.d/init.d/functions

PidFile=/usr/local/bind/var/run/named/named.pid
LockFile=/var/lock/subsys/named
named=named

start() {
    [ -x /usr/local/bind/sbin/$named ] || exit 4
    if [ -f $LockFile ]; then
        echo -n "$named is already running..."
        failure
        echo
        exit 5
    fi
    echo -n "Starting $named: "
    # -4 matches the --disable-ipv6 build; -u drops root after binding port 53
    daemon --pidfile "$PidFile" /usr/local/bind/sbin/$named -u named -4
    RETVAL=$?
    echo
    if [ $RETVAL -eq 0 ]; then
        touch $LockFile
        return 0
    else
        rm -f $LockFile $PidFile
        return 1
    fi
}

stop() {
    if [ ! -f $LockFile ]; then
        echo -n "$named is not started."
        failure
        echo
        return 1
    fi
    echo -n "Stopping $named: "
    killproc $named
    RETVAL=$?
    echo
    [ $RETVAL -eq 0 ] && rm -f $LockFile
    return 0
}

restart() {
    stop
    sleep 1
    start
}

reload() {
    echo -n "Reloading $named: "
    killproc $named -HUP
    RETVAL=$?
    echo
    return $RETVAL
}

status() {
    if pidof $named > /dev/null && [ -f $PidFile ]; then
        echo "$named is running..."
    else
        echo "$named is stopped..."
    fi
}

case $1 in
    start)   start ;;
    stop)    stop ;;
    restart) restart ;;
    reload)  reload ;;
    status)  status ;;
    *)       echo "Usage: named {start|stop|status|reload|restart}"
             exit 2 ;;
esac
Redirect zone type
A redirect zone answers queries that would otherwise get NXDOMAIN: instead of the empty "no such name" result, named returns the addresses configured in the redirect zone.
So the feature can be used to hang additional services off names that do not exist.
zone "." IN {
        type redirect;
        file "redirect.file";
};
The contents of redirect.file:
$TTL 3600
@       IN SOA  ns.EXAMPLE.net. mail.EXAMPLE.net. ( 0 0 0 0 0 )
@       IN NS   ns.EXAMPLE.net.
*.      IN A    8.8.8.8
Bear in mind that rewriting NXDOMAIN misleads every client of this resolver: anything that relies on a negative answer (mail servers checking that a domain exists, search-list resolution, captive-portal detection) will behave differently, so keep it to a resolver whose clients expect it.
Test
Usage of the $GENERATE directive
The BIND ARM describes it as follows:
Syntax:
$GENERATE range lhs [ttl] [class] type rhs [comment]
The $GENERATE directive is used to create a series of resource records that differ from each other only by an iterator. $GENERATE can be used to easily generate the sets of records required to support sub /24 reverse delegations described in RFC 2317: Classless IN-ADDR.ARPA delegation.
$ORIGIN 0.0.192.IN-ADDR.ARPA.
$GENERATE 1-2 @ NS SERVER$.EXAMPLE.
$GENERATE 1-127 $ CNAME $.0
is equivalent to:
0.0.0.192.IN-ADDR.ARPA. NS SERVER1.EXAMPLE.
0.0.0.192.IN-ADDR.ARPA. NS SERVER2.EXAMPLE.
1.0.0.192.IN-ADDR.ARPA. CNAME 1.0.0.0.192.IN-ADDR.ARPA.
2.0.0.192.IN-ADDR.ARPA. CNAME 2.0.0.0.192.IN-ADDR.ARPA.
...
127.0.0.192.IN-ADDR.ARPA. CNAME 127.0.0.0.192.IN-ADDR.ARPA.
Actual test
$GENERATE 1-6 lh$ 3600 IN CNAME googlehosted.l
is equivalent to:
lh1 3600 IN CNAME googlehosted.l
lh2 3600 IN CNAME googlehosted.l
lh3 3600 IN CNAME googlehosted.l
lh4 3600 IN CNAME googlehosted.l
lh5 3600 IN CNAME googlehosted.l
lh6 3600 IN CNAME googlehosted.l
Query result
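Added example, not part of the page: a small Python expander for $GENERATE that covers both the ARM excerpt and the lh$ test above, including the step form of the range (start-stop/step) and the ${offset,width,base} iterator modifier from the BIND syntax. Owner names are left relative, as they stand in the zone file (no $ORIGIN is applied); the host-${0,3,d} line in the demo is constructed for this example.

```python
import re

# ${offset[,width[,base]]} with base d, o, x or X
_MODIFIER = re.compile(r"\$\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\}")

def expand_field(field, i):
    """Substitute the iterator into one lhs/rhs field:
    '$' -> i, '$$' or '\\$' -> a literal '$', '${offset,width,base}' -> formatted i+offset."""
    out, pos = [], 0
    while pos < len(field):
        if field.startswith("\\$", pos) or field.startswith("$$", pos):
            out.append("$")
            pos += 2
        elif field[pos] == "$":
            m = _MODIFIER.match(field, pos)
            if m:
                offset, width, base = int(m.group(1)), int(m.group(2) or 0), m.group(3) or "d"
                out.append(format(i + offset, f"0{width}{base}" if width else base))
                pos = m.end()
            else:
                out.append(str(i))
                pos += 1
        else:
            out.append(field[pos])
            pos += 1
    return "".join(out)

def expand_generate(directive):
    """Expand one '$GENERATE range lhs [ttl] [class] type rhs [comment]' line
    into the list of record lines it stands for."""
    parts = directive.split(";", 1)[0].split()          # drop a trailing ; comment
    if len(parts) < 5 or parts[0].upper() != "$GENERATE":
        raise ValueError("not a complete $GENERATE directive")
    rng, lhs, rest = parts[1], parts[2], parts[3:]
    m = re.fullmatch(r"(\d+)-(\d+)(?:/(\d+))?", rng)
    if not m:
        raise ValueError(f"bad range {rng!r}, expected start-stop[/step]")
    start, stop, step = int(m.group(1)), int(m.group(2)), int(m.group(3) or 1)
    if step < 1 or stop < start:
        raise ValueError(f"bad range {rng!r}")
    ttl = rest.pop(0) if re.fullmatch(r"\d+", rest[0]) else None
    cls = rest.pop(0) if rest and rest[0].upper() in ("IN", "CH", "HS") else None
    if len(rest) < 2:
        raise ValueError("missing type or rhs")
    rtype, rhs = rest[0].upper(), " ".join(rest[1:])
    records = []
    for i in range(start, stop + 1, step):
        fields = [expand_field(lhs, i)]
        fields += [ttl] if ttl else []
        fields += [cls] if cls else []
        fields += [rtype, expand_field(rhs, i)]
        records.append(" ".join(fields))
    return records

if __name__ == "__main__":
    for line in ("$GENERATE 1-2 @ NS SERVER$.EXAMPLE.",
                 "$GENERATE 1-127 $ CNAME $.0",
                 "$GENERATE 1-6 lh$ 3600 IN CNAME googlehosted.l",
                 "$GENERATE 0-255/64 host-${0,3,d} A 192.0.2.$  ; constructed modifier example"):
        print(line)
        for rec in expand_generate(line)[:3]:
            print("   ", rec)
```

Feeding a zone's $GENERATE lines through this before loading them is a quick way to see exactly which names and targets named will synthesise, which matters when a range accidentally overlaps hand-written records.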
One of the options available in the options block of named.conf: deny-answer-addresses.
Syntax:
deny-answer-addresses {
        address_match_list
} [ except-from { namelist } ];
Read literally, it filters answers by address.
For example, dig the name fscdnuni-vip.115.com.
The answer contains a long list of IP addresses.
What happens if we put one of those addresses in the deny list?
deny-answer-addresses { 58.252.100.82; };
We have added one of the answer's addresses to deny-answer-addresses.
# rndc reload
# rndc flushname fscdnuni-vip.115.com
Query again:
The lookup now fails: named discards the whole answer and returns SERVFAIL to the client.
deny-answer-addresses { 58.252.100.82; } except-from { "115.com"; };
With the optional except-from clause (an exception list of domain names), the name under 115.com is answered again.
That is what deny-answer-addresses does.
The address_match_list can hold single IP addresses or CIDR-notation prefixes (and, like any address_match_list, negated entries and named ACLs).
If even one address in the answer matches the list, named will not hand the result of a recursive or forwarded query back to the client; the reasoning is that if one address is untrusted, the whole answer is untrusted. The option exists to defend against DNS rebinding, where an external name is deliberately resolved to an internal or loopback address so that a browser treats the attacker's site and an internal service as the same origin. The usual configuration lists the RFC 1918 ranges, 127.0.0.0/8 and ::1, and puts the organisation's own internal domain in except-from so that legitimate split-horizon names still resolve.
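To make the behaviour concrete, here is an added Python model of the check (example code, not BIND's): an answer section is rejected as SERVFAIL if any A/AAAA record matches the address_match_list, unless the record's owner name falls under an except-from domain. Matching the exception against the owner name rather than the query name is an assumption of this model; check the ARM for your version if the distinction matters to you. The answer section for fscdnuni-vip.115.com is constructed (only 58.252.100.82 is from the page; the other addresses are documentation ranges), and the rebinding deny list and the example names are hypothetical.

```python
import ipaddress

# Constructed answer section for the page's test name: 58.252.100.82 is the address the page
# denies; the other two are documentation addresses standing in for the rest of the CDN pool.
ANSWER_115 = [
    ("fscdnuni-vip.115.com.", "A", "58.252.100.82"),
    ("fscdnuni-vip.115.com.", "A", "192.0.2.10"),
    ("fscdnuni-vip.115.com.", "A", "192.0.2.11"),
]
PAGE_DENY = ["58.252.100.82"]

# Hypothetical rebinding-defence list for a resolver that recurses on behalf of internal clients.
REBIND_DENY = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128"]

def in_address_match_list(addr, aml):
    """Evaluate a BIND-style address_match_list: first matching element wins, '!' negates it."""
    ip = ipaddress.ip_address(addr)
    for entry in aml:
        negate = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip.version == net.version and ip in net:
            return not negate
    return False

def is_under(name, domains):
    """True if name equals or is a subdomain of any entry in domains (case-insensitive)."""
    name = name.rstrip(".").lower()
    for d in domains:
        d = d.rstrip(".").lower()
        if name == d or name.endswith("." + d):
            return True
    return False

def filter_answer(answer, deny_answer_addresses, except_from=()):
    """Model of deny-answer-addresses on a recursive answer.
    answer: list of (owner, type, rdata). Returns ("NOERROR", answer) or ("SERVFAIL", reason)."""
    for owner, rtype, rdata in answer:
        if rtype not in ("A", "AAAA") or is_under(owner, except_from):
            continue
        if in_address_match_list(rdata, deny_answer_addresses):
            # One bad address poisons the whole answer: nothing from it is returned or cached.
            return "SERVFAIL", f"{owner} {rtype} {rdata} matches deny-answer-addresses"
    return "NOERROR", answer

if __name__ == "__main__":
    print(filter_answer(ANSWER_115, PAGE_DENY))                     # the page's first test
    print(filter_answer(ANSWER_115, PAGE_DENY, ["115.com"]))        # with except-from
    print(filter_answer([("evil.example.", "A", "127.0.0.1")], REBIND_DENY))
    print(filter_answer([("app.corp.example.", "A", "10.1.2.3")], REBIND_DENY, ["corp.example"]))
```

The last two calls are the rebinding case the option was designed for: a public name pointing at loopback is refused, while the internal domain in except-from keeps resolving to its private address.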
The deny-answer-aliases option is supposed to be similar to the one above, but my test here doesn't seem to work.
Does anyone know how to use it?