ot Nikolai Hristov(16-11-2012)

reiting (62)   [ dobre ]  [ zle ]

Printer Friendly Variant za otpechatvane

Predi da prochetete tazi statiia, bi bilo dobre purvo da se zapoznaete sus statiiata: "Kak raboti DNS, chast 1 - Resolvers i Cache survuri" - link kum bloga mi ili link kum linux-bg.org.

Predi instalatsiiata, triabva da reshim koi dns survur da instalirame. Eto kratuk spisuk s nai-razprostranenite dns survuri: BIND, djbdns, PowerDNS, MaraDNS, Windows DNS (Izsledvane za DNS softuer v Bulgariia)
V primerite shte izpolzvam paralelno instalatsiia i konfiguratsiia na  nai-razprostraneniiat dns survur - BIND, kakto i tozi, koito izpolzvam i preporuchvam az - djbdns pod Debian.

Instalatsiia na BIND kato cache survur

V Debian stable (6.x, squeeze v momenta) BIND go ima na paket. Instalirame go:

# apt-get install bind9

Konfiguratsiiata na bind se namira v /etc/bind/ - direktoriiata, kato faila se kazva named.conf. V Debian tozi fail e razdelen na niakolko faila, kato vuv vseki ot tiah se konfigurirat otdelni neshta. Eto:

# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

Kakto se vizhda, nastroikite se praviat v niakolko otdelni faila. Tui kato nie iskame da konfigurirame samo cache survur, failut koito ni interesuva e named.conf.options.

# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };

    allow-recursion { 172.20.20.0/24; 172.20.30.3; };
};

S tozi red razreshiavame recursive zapitvaniia kum dns cache survura ot mrezhata 172.20.20.0/255.255.255.0 kakto i ot IP adresa 172.20.30.3. Suotvetno - promeniate gi na ip/mrezhite koito shte go polzvat kato dns cache survur.

# /etc/init.d/bind9 restart

Veche imate rabotesht BIND dns cache survur.

 

 Instalatsiia na djbdns cache survur

 

 V Debian stable (6.x, squeeze v momenta) djbdns ne e vklyuchen, 
 no go ima v testing/unstable. Ako iskate, mozhete da si 
 napravite paket (http://geroyblog.blogspot.com/2012/09/how-to-
 install-djbdns-in-debian-squeeze.html), ili da go 
 instalirate ot http://cr.yp.to/djbdns.html. SHTe razgledame vtoriia variant. Za tselta e nuzhno da imate 
 slednite paketi instalirani - daemontools (kak se instalira), ucspi-tcp. Sledvame 
 instruktsiite za instalatsiia na djb:

 

 # wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
# zcat 
 djbdns-1.05.tar.gz|tar xvf -
# cd djbdns-1.05
# echo 
 gcc -O2 -include /usr/include/errno.h > conf-cc
# 
 make
# make setup check

 

 Djbdns paketa sudurzha niakolko programi, kato vsiaka ot koiato 
 vurshi opredelena rabota:

 

 
 tinydns - authoritative dns survur - udp

 axfrdns - authoritative dns survur - tcp

 dnscache - dns cache survur

 kakto i niakolko drugi koito v sluchaia niama da budat raziasniavani.
 

 

 Tui kato shte instalirame dns cache survur, shte razgledame 
 dnscache i programata za konfigurirane, koiato vurvi kum nego - 
 dnscache-conf. Sintaksisa na programata e sledniia:

 

 

 
 dnscache-conf: usage: dnscache-conf acct logacct /dnscache [ 
 myip ]

 

 kudeto:

 acct - nuzhen e da se suzdade potrebitelski akaunt, s 
 koito shte se startira dnscache;

 logacct - nuzhen e da se suzdade potrebitelski akaunt, s 
 koito shte se startira multilog, koito shte zapisva log - failovete 
 na dnscache;

 /directory - v koia direktoriia da budat suzdadeni 
 startirashtite/log - failove na dnscache

 myip - na koe IP shte "slusha" dnscache.

 

 

 
 # useradd dnscache

 # useradd dnslog

 # dnscache-conf dnscache dnslog /etc/dnscache 172.20.20.1

 

 Ostava da ukazhem ot koi ip/mrezhi e razreshen da se polzva dns 
 cache survurut. Tova se pravi v direktoriiata 
 /etc/dnscache/root/ip/, kato v neia se suzdavat prazni failove s 
 imenata na mrezhi/ip adresi ot koito mozhe da se polzva survura.
 

 

 

 
 # touch /etc/dnscache/root/ip/127.0.0.1

 # touch /etc/dnscache/root/ip/172.20.20

 

 Kakto sledva, dnscache mozhe da se izpolzva ot 127.0.0.1 ip 
 adresa i ot mrezhata 172.20.20.0/24

 Ostava samo da startirame dnscache. Tova stava, kato napravim 
 symbolic link kum /etc/services direktoriiata:

 

 
 # ln -s /etc/dnscache /etc/service/dnscache

 
 # svstat /etc/service/dnscache /etc/service/dnscache/log

 /etc/service/dnscache: up (pid 1273) 3 seconds

 /etc/service/dnscache/log: up (pid 1277) 3 seconds

 
Konfiguratsionnata direktoriia na djbdns se namira v 
 /etc/dnscache/env, kato vsichki promenlivi sa v otdelni failove.
 

 

 

 
 # ls -l /etc/dnscache/env/

 -rw-r--r-- 1 root root    8 Sep  9  2008 CACHESIZE

 -rw-r--r-- 1 root root    8 Sep  9  2008 DATALIMIT

 -rw-r--r-- 1 root root   15 Sep  9  2008 IP

 -rw-r--r-- 1 root root    8 Sep  9  2008 IPSEND

 -rw-r--r-- 1 root root   23 Sep  9  2008 ROOT

 

 Po podrazbirane CACHESIZE e 1000000 baita, koeto e tvurde malko 
 i triabva da bude promeneno na po-goliama stoinost v zavisimost 
 ot svobodnata pamet s koiato razpolagate.

 DATALIMIT se izpolzva ot programata softlimit, koiato ogranichava 
 dnscache da izpolzva opredelen resurs pamet. DATASIZE triabva da 
 e po-goliam ot CACHESIZE.

 ROOT ukazva v koia direktoriia se namirat dns root hints.

 IP ukazva na koi IP adres shte otgovaria dnscache pri zapitvaniia.
 

 IPSEND ukazva ot koi adres da se izprashtat rekursivnite zaiavki.
 

 

 

 
 # echo 134217728 > /etc/dnscache/env/CACHESIZE

 # echo 154000000 > /etc/dnscache/env/DATALIMIT

 

 Tezi stoinosti ukazvat 128mb za cache na dns zapitvaniiata i 
 154mb kato tsialo zadelena pamet za programata dnscache. Ako po 
 niakakvi prichini samata programa se opita da zaeme poveche ot 
 tazi pamet, programata softlimit shte vurne greshka "out of 
 memory".

 

 Ostava da konfigurirate PC-to si da izpolzva tozi DNS, i tova e 
 vsichko. Veche imame rabotesht dns cache survur.

 

 Keshiraneto stava samo v pametta, toest nishto ne se pishe po 
 diska, ot koeto sledva, che pri vsiako restartirane na dns cache 
 survura keshiranite danni se gubiat.

 

 Ako iskate dnscache survura vi da poddurzha DNSCurve protokola 
 (predlozhen ot Dan Bernstein), izpolzvaite eto tozi patch i 
 instruktsiite kum nego: http://shinobi.dempsky.org/~matthew/patches/djbdns-dnscurve-20090602.patch

 
 Statiiata e publikuvana i v bloga na avtora na adres: http://geroyblog.blogspot.com/2012/11/dns-3-dns-
 cache.html

 << Mikrotik + Openvpn + android | Periodichna tablitsa na distributsiite na Linux ... >>