By Nikolai Hristov (16-11-2012)
Before reading this article, it is a good idea to first read
"How DNS works, part 1 - Resolvers and cache servers" - link to my blog or link to linux-bg.org.
Before installing, we have to decide which DNS server to
install. Here is a short list of the most widespread DNS
servers: BIND, djbdns, PowerDNS, MaraDNS, Windows DNS
(Survey of DNS software in Bulgaria)
In the examples I will show, side by side, the installation and configuration
of the most widespread DNS server, BIND, and of the one that
I use and recommend myself, djbdns, on Debian.
Installing BIND as a cache server
In Debian stable (6.x, currently squeeze) BIND is available as a package.
Install it:
# apt-get install bind9
The BIND configuration lives in the /etc/bind/ directory,
and the file is called named.conf. In Debian this file is split
into several files, each of which configures separate
things. Here it is:
# cat named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
As you can see, the settings are spread over several separate files.
Since we only want to configure a cache server, the file
we are interested in is named.conf.options.
# cat /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";
        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        // forwarders {
        //      0.0.0.0;
        // };
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-recursion { 172.20.20.0/24; 172.20.30.3; };
};
The allow-recursion line permits recursive queries to the DNS cache
server from the network 172.20.20.0/255.255.255.0 and from the IP
address 172.20.30.3. Change these to the IPs/networks
that will use it as a DNS cache server.
# /etc/init.d/bind9 restart
You now have a working BIND DNS cache server.
Installing the djbdns cache server
djbdns is not included in Debian stable (6.x, currently squeeze),
but it is available in testing/unstable. If you like, you can
build your own package (http://geroyblog.blogspot.com/2012/09/how-to-install-djbdns-in-debian-squeeze.html),
or install it from http://cr.yp.to/djbdns.html. We will look at the second option. For this you need
the following packages installed: daemontools (how to install it) and ucspi-tcp. We follow
djb's installation instructions:
# wget http://cr.yp.to/djbdns/djbdns-1.05.tar.gz
# zcat djbdns-1.05.tar.gz | tar xvf -
# cd djbdns-1.05
# echo gcc -O2 -include /usr/include/errno.h > conf-cc
# make
# make setup check
The djbdns package contains several programs, each of which
does a specific job:
tinydns - authoritative DNS server - udp
axfrdns - authoritative DNS server - tcp
dnscache - DNS cache server
as well as a few others that will not be explained here.
Since we are installing a DNS cache server, we will look at
dnscache and the configuration program that comes with it,
dnscache-conf. The syntax of the program is as follows:
dnscache-conf: usage: dnscache-conf acct logacct /dnscache [ myip ]
where:
acct - a user account has to be created, under
which dnscache will run;
logacct - a user account has to be created, under
which multilog will run; multilog writes the log files
of dnscache;
/directory (shown as /dnscache in the usage line) - the directory in which
the startup and log files of dnscache are created;
myip - the IP on which dnscache will "listen".
# useradd dnscache
# useradd dnslog
# dnscache-conf dnscache dnslog /etc/dnscache 172.20.20.1
What remains is to specify from which IPs/networks the DNS cache
server may be used. This is done in the directory
/etc/dnscache/root/ip/, by creating empty files in it named after
the networks/IP addresses that are allowed to use the server.
# touch /etc/dnscache/root/ip/127.0.0.1
# touch /etc/dnscache/root/ip/172.20.20
As a result, dnscache can be used from the IP address 127.0.0.1
and from the network 172.20.20.0/24.
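The lookup rule behind these files, as an added example (not part of the original article or of djbdns): dnscache looks for a file named after the client's full address, then drops one trailing octet at a time, so every file name is a whole-octet prefix. The function names and the demo directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: mirror dnscache's client check against root/ip.

# dnscache_allows DIR IP -> exit 0 if a matching file exists, 1 otherwise
dnscache_allows() {
    dir=$1 name=$2
    while :; do
        [ -e "$dir/$name" ] && return 0
        case $name in
            *.*) name=${name%.*} ;;   # strip the last ".octet" and retry
            *)   return 1 ;;          # single octet already tried: refuse
        esac
    done
}

# dnscache_acl_cidrs DIR -> one CIDR per entry, so the list can be compared
# with firewall rules or with a BIND allow-recursion statement
dnscache_acl_cidrs() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        entry=${f##*/}
        case $entry in *[!0-9.]*) continue ;; esac   # skip non-address names
        case $entry in
            *.*.*.*) echo "$entry/32" ;;
            *.*.*)   echo "$entry.0/24" ;;
            *.*)     echo "$entry.0.0/16" ;;
            *)       echo "$entry.0.0.0/8" ;;   # one octet opens a whole /8
        esac
    done
}

# Constructed demo directory holding the same two entries as the article
demo=$(mktemp -d)
touch "$demo/127.0.0.1" "$demo/172.20.20"
dnscache_acl_cidrs "$demo"
for ip in 172.20.20.77 172.20.21.1; do
    if dnscache_allows "$demo" "$ip"; then
        echo "$ip allowed"
    else
        echo "$ip refused"
    fi
done
rm -rf "$demo"
```

On a real installation, point both functions at /etc/dnscache/root/ip and review any entry that comes out as /16 or /8.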
All that is left is to start dnscache. This is done by creating
a symbolic link in the /etc/service directory:
# ln -s /etc/dnscache /etc/service/dnscache
# svstat /etc/service/dnscache /etc/service/dnscache/log
/etc/service/dnscache: up (pid 1273) 3 seconds
/etc/service/dnscache/log: up (pid 1277) 3 seconds
The djbdns configuration directory is
/etc/dnscache/env, with each variable in its own file.
# ls -l /etc/dnscache/env/
-rw-r--r-- 1 root root 8 Sep 9 2008 CACHESIZE
-rw-r--r-- 1 root root 8 Sep 9 2008 DATALIMIT
-rw-r--r-- 1 root root 15 Sep 9 2008 IP
-rw-r--r-- 1 root root 8 Sep 9 2008 IPSEND
-rw-r--r-- 1 root root 23 Sep 9 2008 ROOT
By default CACHESIZE is 1000000 bytes, which is too small
and should be changed to a larger value depending
on the free memory you have available.
DATALIMIT is used by the softlimit program, which restricts
dnscache to a fixed amount of memory. DATALIMIT must be
larger than CACHESIZE.
ROOT specifies the directory in which the DNS root hints are located.
IP specifies the IP address on which dnscache answers queries.
IPSEND specifies the address from which the recursive requests are sent.
# echo 134217728 > /etc/dnscache/env/CACHESIZE
# echo 154000000 > /etc/dnscache/env/DATALIMIT
These values set 128mb for the cache of DNS queries and
154mb as the total memory allocated to the dnscache program. If for
some reason the program tries to take more than
that, the softlimit program will return an "out of
memory" error.
What remains is to configure your PC to use this DNS server, and that is
all. We now have a working DNS cache server.
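A way to confirm the access restrictions of either server from a host outside the allowed networks, as an added example that is not part of the original article: BIND is expected to answer such a client with status REFUSED, while dnscache does not reply at all. The function names and the sample dig output are constructed for illustration; probe_resolver needs dig and network access.

```shell
#!/bin/sh
# Added example: classify how a resolver treated a recursive query,
# based on the text dig prints.

# classify_dig: reads dig output on stdin, prints one word
classify_dig() {
    awk '
        /connection timed out|no servers could be reached/ { r = "no-reply" }
        /->>HEADER<<-/ {
            for (i = 1; i <= NF; i++)
                if ($i == "status:") { s = $(i + 1); sub(/,/, "", s) }
        }
        /^;; flags:/ { if ($0 ~ / ra[ ;]/) ra = 1 }   # ra = recursion available
        END {
            if (r != "")             print r
            else if (s == "REFUSED") print "refused"
            else if (s != "" && ra)  print "recursion-available"
            else if (s != "")        print "answered-" s
            else                     print "unknown"
        }'
}

# probe_resolver SERVER [NAME]: run from a host OUTSIDE the allowed networks.
# "refused" or "no-reply" is the wanted result; "recursion-available"
# means the access list is wider than intended.
probe_resolver() {
    dig +time=2 +tries=1 "@$1" "${2:-example.com}" A 2>&1 | classify_dig
}

# Constructed dig output: a refused query and an answered recursive one
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4242
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
SAMPLE_SILENT=';; connection timed out; no servers could be reached'

printf '%s\n' "$SAMPLE_REFUSED" | classify_dig
printf '%s\n' "$SAMPLE_OPEN"    | classify_dig
printf '%s\n' "$SAMPLE_SILENT"  | classify_dig
```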
Caching happens only in memory, that is, nothing is written to
disk, which means that every time the DNS cache server is
restarted the cached data is lost.
If you want your dnscache server to support the DNSCurve protocol
(proposed by Dan Bernstein), use this patch and
the instructions that come with it: http://shinobi.dempsky.org/~matthew/patches/djbdns-dnscurve-20090602.patch
This article is also published on the author's blog at: http://geroyblog.blogspot.com/2012/11/dns-3-dns-cache.html