by Nikolai Hristov (16-11-2012)


Before reading this article, it would be good to first read the article "How DNS works, part 1 - Resolvers and cache servers" - link to my blog or link to linux-bg.org.

Before the installation we have to decide which DNS server to install. Here is a short list of the most widespread DNS servers: BIND, djbdns, PowerDNS, MaraDNS, Windows DNS (survey of DNS software in Bulgaria).
In the examples I will show, side by side, the installation and configuration of the most widespread DNS server, BIND, and of the one I use and recommend myself, djbdns, on Debian.

Installing BIND as a cache server

In Debian stable (6.x, squeeze at the moment) BIND is available as a package. Install it:

# apt-get install bind9

The BIND configuration lives in the /etc/bind/ directory, and the main file is called named.conf. In Debian this file is split into several files, each of which configures a separate set of things. Here it is:

# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";


As you can see, the settings are spread over several separate files. Since we only want to configure a cache server, the file we are interested in is named.conf.options.

# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

        allow-recursion { 172.20.20.0/24; 172.20.30.3; };
};

With this line we allow recursive queries to the DNS cache server from the network 172.20.20.0/255.255.255.0 and from the IP address 172.20.30.3. Change them to the IPs/networks that will be using this machine as their DNS cache server.

# /etc/init.d/bind9 restart

You now have a working BIND DNS cache server.
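After the restart it is worth checking, once from a host inside the allow-recursion range and once from a host outside it, that recursion is really refused to everyone else: a cache that recurses for any source address is an open resolver and will be found and abused. The POSIX shell script below is an added example and not part of the original article. It reads a dig response and reports whether recursion was granted, judging by the status field and the "ra" flag in the response header. The two sample responses embedded in it are constructed, not captured from a real server, and the address 172.20.20.1 in the usage line is assumed to be the cache server's.

```shell
#!/bin/sh
# Added example (not part of the original article): report whether a BIND
# cache server granted recursion, from the response header that dig prints.
#
# Real use (dnsutils installed; 172.20.20.1 assumed to be the cache server):
#   dig @172.20.20.1 +recurse example.org A | recursion_status
# Run it once from a client inside allow-recursion and once from outside:
# the first should print "recursion-allowed", the second "recursion-denied".

# Read one dig response on stdin and print the verdict. A server that sets
# status REFUSED, or answers without the "ra" (recursion available) flag,
# is not recursing for this client.
recursion_status() {
    awk '
        /^;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/       { ra = ($0 ~ / ra[ ;]/) ? "yes" : "no" }
        END {
            if (status == "") { print "no-header"; exit 2 }
            if (status == "REFUSED" || ra != "yes") print "recursion-denied"
            else print "recursion-allowed"
        }'
}

# Constructed sample responses (not captured from a real server), trimmed to
# the header lines the function inspects.
SAMPLE_ALLOWED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'

SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# check_sample TEXT: feed a stored response through recursion_status.
check_sample() {
    printf '%s\n' "$1" | recursion_status
}

check_sample "$SAMPLE_ALLOWED"   # recursion-allowed
check_sample "$SAMPLE_REFUSED"   # recursion-denied
```

Before restarting, `named-checkconf /etc/bind/named.conf` reports syntax errors in named.conf and the files it includes; a typo in the allow-recursion list is easier to catch there than from a client that suddenly gets REFUSED.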

 
Installing a djbdns cache server

In Debian stable (6.x, squeeze at the moment) djbdns is not included, but it is in testing/unstable. If you want, you can build a package yourself (http://geroyblog.blogspot.com/2012/09/how-to-install-djbdns-in-debian-squeeze.html) or install it from http://cr.yp.to/djbdns.html. We will look at the second option. For that you need the following packages installed: daemontools (how to install it) and ucspi-tcp. We follow djb's installation instructions:

# wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
# zcat djbdns-1.05.tar.gz|tar xvf -
# cd djbdns-1.05
# echo gcc -O2 -include /usr/include/errno.h > conf-cc
# make
# make setup check

The djbdns package contains several programs, each of which does a specific job:

tinydns - authoritative DNS server - UDP
axfrdns - authoritative DNS server - TCP
dnscache - DNS cache server
as well as several others which will not be explained here.

Since we are installing a DNS cache server, we will look at dnscache and the configuration program that comes with it, dnscache-conf. The program's syntax is as follows:

dnscache-conf: usage: dnscache-conf acct logacct /dnscache [ myip ]

where:
acct - a user account must be created under which dnscache will be started;
logacct - a user account must be created under which multilog will be started; multilog writes dnscache's log files;
/dnscache - the directory in which dnscache's startup and log files are to be created;
myip - the IP address on which dnscache will "listen".


# useradd dnscache
# useradd dnslog
# dnscache-conf dnscache dnslog /etc/dnscache 172.20.20.1

It remains to specify from which IPs/networks the DNS cache server may be used. This is done in the directory /etc/dnscache/root/ip/, by creating in it empty files named after the networks/IP addresses from which the server may be used.


# touch /etc/dnscache/root/ip/127.0.0.1
# touch /etc/dnscache/root/ip/172.20.20

Accordingly, dnscache can be used from the IP address 127.0.0.1 and from the network 172.20.20.0/24.
All that remains is to start dnscache. This is done by making a symbolic link in the /etc/service directory:

# ln -s /etc/dnscache /etc/service/dnscache
# svstat /etc/service/dnscache /etc/service/dnscache/log
/etc/service/dnscache: up (pid 1273) 3 seconds
/etc/service/dnscache/log: up (pid 1277) 3 seconds
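Because the whole access policy of dnscache is the set of file names under root/ip/, it is easy to admit more than intended: a file named 172.20.20 covers 172.20.20.0/24, but a file named 172 would cover all of 172.0.0.0/8, and nothing smaller than a /24 can be expressed this way. dnscache decides by looking for a file named after the client's full address and then dropping one trailing octet at a time until a file is found or nothing is left. The POSIX shell script below is an added example, not part of the article or of djbdns itself; it reproduces that lookup against a throwaway directory holding the same two files the article creates (the function name dnscache_okclient is my own), so you can see which clients a given directory admits before the server goes live.

```shell
#!/bin/sh
# Added example, not part of the article or of djbdns: reproduce the client
# check dnscache performs against the ip/ directory, so the effect of a set
# of files can be inspected offline.
#
# dnscache looks for a file named after the client's full address, then
# strips one trailing octet at a time: for 172.20.20.77 it tries
# 172.20.20.77, 172.20.20, 172.20 and 172. The first file that exists
# admits the client, so prefixes are only possible on octet boundaries.

# dnscache_okclient IPDIR CLIENT_IP  -> prints "allow" or "deny"
# (hypothetical name; the same walk the server does, written in shell)
dnscache_okclient() {
    ipdir=$1
    name=$2
    while :; do
        if [ -e "$ipdir/$name" ]; then
            printf 'allow\n'
            return 0
        fi
        case $name in
            *.*) name=${name%.*} ;;            # drop the last octet and retry
            *)   printf 'deny\n'; return 1 ;;  # nothing left to strip
        esac
    done
}

# Throwaway directory mirroring the article's two touch commands
# (constructed for the demonstration; the real one is /etc/dnscache/root/ip/).
IPDIR=$(mktemp -d)
touch "$IPDIR/127.0.0.1" "$IPDIR/172.20.20"

dnscache_okclient "$IPDIR" 127.0.0.1      # allow
dnscache_okclient "$IPDIR" 172.20.20.77   # allow (matched by the 172.20.20 file)
dnscache_okclient "$IPDIR" 172.20.30.3    # deny  (no 172.20.30, 172.20 or 172 file)
dnscache_okclient "$IPDIR" 172.200.1.1    # deny  (a name, not a mask: 172.20 != 172.200)

rm -rf "$IPDIR"
```

Note that the BIND ACL earlier in the article also admitted the single host 172.20.30.3; the dnscache equivalent is a file named exactly 172.20.30.3, since no 172.20.30, 172.20 or 172 file exists to catch it, and creating the shorter names instead would admit far more than that one host.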

The configuration directory of djbdns is /etc/dnscache/env, where each variable lives in a separate file.


# ls -l /etc/dnscache/env/
-rw-r--r-- 1 root root 8 Sep 9 2008 CACHESIZE
-rw-r--r-- 1 root root 8 Sep 9 2008 DATALIMIT
-rw-r--r-- 1 root root 15 Sep 9 2008 IP
-rw-r--r-- 1 root root 8 Sep 9 2008 IPSEND
-rw-r--r-- 1 root root 23 Sep 9 2008 ROOT

By default CACHESIZE is 1000000 bytes, which is too small and should be changed to a larger value depending on the free memory you have available.
DATALIMIT is used by the softlimit program, which restricts dnscache to a fixed amount of memory. DATALIMIT must be larger than CACHESIZE.
ROOT specifies the directory containing the DNS root hints.
IP specifies the IP address on which dnscache will answer queries.
IPSEND specifies the address from which recursive queries are sent.


# echo 134217728 > /etc/dnscache/env/CACHESIZE
# echo 154000000 > /etc/dnscache/env/DATALIMIT

These values set 128 MB for the DNS query cache and 154 MB as the total memory allocated to the dnscache program. If for some reason the program tries to take more than this, softlimit will return an "out of memory" error.

It remains to configure your PC to use this DNS server, and that is all. We now have a working DNS cache server.

Caching happens only in memory, i.e. nothing is written to disk, so every restart of the DNS cache server loses the cached data.

If you want your dnscache server to support the DNSCurve protocol (proposed by Dan Bernstein), use this patch and the instructions that come with it: http://shinobi.dempsky.org/~matthew/patches/djbdns-dnscurve-20090602.patch
The article is also published on the author's blog at: http://geroyblog.blogspot.com/2012/11/dns-3-dns-cache.html

