CentOS 7: DNS + DHCP dynamic updates explained
<p>A Windows domain has a feature where the DHCP server pushes each newly assigned IP address to the DNS server, so that knowing someone's computer name is enough to reach the machine remotely.</p><p>Linux can of course do the same thing well; man 5 dhcpd.conf describes it in detail.</p>
<p>Yesterday at the offline salon organised by 运维帮, Mr. 邵海杨, director of operations at 又拍云, shared the saying "千金难买早知道" (hindsight is priceless). That is exactly it: when implementing dynamic updates, I found plenty of blog posts online, followed them, ran into one problem after another, and in the end still did not know how the feature actually worked. Had I read the man page carefully from the start, the problem would have been solved sooner and I would have understood the underlying mechanism better. In this age of information overload, the Internet often does not make people smarter; the flood of information frequently drowns them instead. Technology still has to be studied calmly and in depth.</p>
<p>Basic configuration material for DHCP and DNS is plentiful, so it is not repeated here. Anyone who cares should read man 5 dhcpd.conf carefully and look at the relevant statements in the configuration below (marked in red in the original post); that should be enough to get it working.</p>
<p>I also want to share the procedure for running DNS in a chroot: install bind first and get named working, then install bind-chroot, run the setup script, and finally disable named and enable named-chroot instead:</p>
<pre><code>/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl disable named ; systemctl stop named
systemctl enable named-chroot ; systemctl start named-chroot
</code></pre>
<p># cat /etc/dhcp/dhcpd.conf</p>
<pre><code>ddns-update-style interim;
ddns-updates on;
do-forward-updates on;
allow client-updates;
allow bootp;
allow booting;
#allow client-updates;

option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
option architecture-type code 93 = unsigned integer 16;

subnet 192.168.1.0 netmask 255.255.255.0 {
    authoritative;
    option routers 192.168.1.1;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option domain-name "it.lab";
    option domain-name-servers 192.168.1.200;
    range dynamic-bootp 192.168.1.100 192.168.1.199;

    # TSIG key shared with named; name, algorithm and secret must match
    # the key block in named.conf (dhcpd takes the secret unquoted)
    key SEC_DDNS {
        algorithm hmac-md5;
        secret 7ObhTIhKeDFMR2SbbS5s8A==;
    };
    ddns-domainname "it.lab";
    # forward and reverse zones dhcpd updates, signed with SEC_DDNS
    zone it.lab. {
        primary 192.168.1.200;
        key SEC_DDNS;
    }
    zone 1.168.192.in-addr.arpa. {
        primary 192.168.1.200;
        key SEC_DDNS;
    }

    default-lease-time 600;
    max-lease-time 7200;

    class "pxeclients" {
        match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
        next-server 192.168.1.200;
        if option architecture-type = 00:07 {
            filename "uefi/syslinux.efi";
        } else {
            filename "bios/pxelinux.0";
        }
        #filename "pxelinux.0";
    }
}
</code></pre>
<p># cat /etc/named.conf</p>
<pre><code>//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { 127.0.0.1; 192.168.1.200; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

// Same name, algorithm and secret as in dhcpd.conf; named.conf requires the
// secret to be a quoted string
key SEC_DDNS {
    algorithm hmac-md5;
    secret "7ObhTIhKeDFMR2SbbS5s8A==";
};

// Dynamic zones: named writes a .jnl journal next to the zone file, so the
// file must live in a directory named can write to (e.g. /var/named/dynamic)
zone "it.lab" IN {
    type master;
    file "it.lab.forward";
    allow-update { key SEC_DDNS; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "1.168.192.reverse";
    allow-update { key SEC_DDNS; };
};
</code></pre>
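<p>As an added example that is not part of the original post, the script below generates a fresh TSIG secret, renders the two key stanzas (quoted for named.conf, unquoted for dhcpd.conf), checks that both carry the same secret, and offers an nsupdate probe to confirm that named accepts signed updates. The key name SEC_DDNS, the server 192.168.1.200 and the zone it.lab are taken from the configuration above; hmac-sha256 instead of the post's hmac-md5 is an assumption (both dhcpd and named support it).</p>

```shell
#!/bin/sh
# Added example, not from the original post. Key name, algorithm, server
# address and zone below are assumptions taken from the configs above.
KEY_NAME="${KEY_NAME:-SEC_DDNS}"
ALGO="${ALGO:-hmac-sha256}"   # the post uses hmac-md5; sha256 is preferred

# 32 random bytes, base64 on one line (44 characters)
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 32
    else
        head -c 32 /dev/urandom | base64 | tr -d '\n'
    fi
}

# named.conf: the secret must be a quoted string
render_named_key() {
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$1" "$ALGO" "$2"
}

# dhcpd.conf: the same secret, unquoted
render_dhcpd_key() {
    printf 'key %s {\n\talgorithm %s;\n\tsecret %s;\n};\n' "$1" "$ALGO" "$2"
}

# Both renderings must carry exactly the same secret, otherwise named rejects
# every dhcpd update as a TSIG verify failure.
check_pair() {
    [ -n "$2" ] || return 1
    case "$(render_named_key "$1" "$2")" in *"secret \"$2\";"*) ;; *) return 1 ;; esac
    case "$(render_dhcpd_key "$1" "$2")" in *"secret $2;"*) ;; *) return 1 ;; esac
}
# Live check (assumes nsupdate is installed and named already loads the key):
# add a TXT record signed with the key, then remove it again.
ddns_probe() {
    command -v nsupdate >/dev/null 2>&1 || return 2
    nsupdate -y "$ALGO:$KEY_NAME:$1" <<EOF
server 192.168.1.200
zone it.lab.
update add ddns-probe.it.lab. 60 TXT "probe"
send
update delete ddns-probe.it.lab. TXT
send
EOF
}
SECRET=$(gen_secret)
check_pair "$KEY_NAME" "$SECRET" || exit 1
render_named_key "$KEY_NAME" "$SECRET"
render_dhcpd_key "$KEY_NAME" "$SECRET"
```

Paste the two stanzas into named.conf and dhcpd.conf respectively, reload both services, then run <code>ddns_probe "$SECRET"</code> from the DHCP host; an update that is rejected shows up in the named log as a TSIG verify failure.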