我正在运行一个 arch linux bind 服务器,并尝试完成一个名为 ld.pvt 的伪本地开发域,以便我可以从其他机器通过 Web 访问 bind 机器上的 Web 服务器。
我感到困惑的是我应该将我的 LAN 机器映射到哪里?即所有其他机器、开发机器、打印机等等。bind 就是用来干这个的吗,还是它们应该直接进入 /etc/hosts?
/etc/hosts
#<ip-address> <hostname.domain.org> <hostname>
# NOTE(review): this file only affects name lookups on this host; whether it is
# consulted before or after DNS depends on nsswitch.conf — verify the order there
127.0.0.1 falcon.ld.pvt falcon localhost
#ipv6 support
::1 falcon.ld.pvt localhost
#localhost.localdomain
192.168.1.99 redtail.ld.pvt redtail
# NOTE(review): the two entries below use the domain pd.pvt, while every other
# name on this host and in the zone file uses ld.pvt — confirm this is intended
192.168.1.150 osprey.pd.pvt osprey
192.168.1.254 router.pd.pvt router gateway
区域文件
$ cat /var/named/ld.pvt.zone
$TTL 7200
; ld.pvt
; Any name that does not end in a dot is relative to the zone origin (ld.pvt);
; this matters for the MX target and the CNAME targets below.
@ IN SOA falcon.ld.pvt. postmaster.ld.pvt. (
200701171 ; Serial
3H ; Refresh
15M ; Retry
1W ; Expire - 1 week
1D ) ; Minimum
IN NS falcon.ld.pvt.
; NOTE(review): the MX target has no trailing dot, so it expands to
; mail.ld.pvt.ld.pvt. — and "mail" is defined as a CNAME below, which an MX
; target should not be; consider pointing it at falcon.ld.pvt. directly
IN MX 10 mail.ld.pvt
falcon IN A 192.168.1.10
redtail IN A 192.168.1.99
; Service aliases: all of these resolve to falcon's A record.
imap IN CNAME falcon
smtp IN CNAME falcon
mail IN CNAME falcon
www IN CNAME falcon
; A wildcard is a bad idea here: it maps every otherwise-undefined name to falcon
; in bulk, so individual hosts can no longer be given their own records, e.g.
;*.ld.pvt IN CNAME falcon
; * IN CNAME falcon
命名配置文件
$ cat /etc/named.conf
// vim:set ts=4 sw=4 et:
// Address-match lists reused in the options block; "trusted" is the only set
// that is allowed to query this server or recurse through it.
acl "local" {
127.0.0.0/8;
};
acl "wolfnet" {
192.168.1.0/24;
};
acl "trusted" {
"local";
"wolfnet";
};
// NOTE(review): no IPv6 prefixes (not even ::1) appear in these lists, so an
// IPv6 client can never match "trusted" — confirm that is acceptable
// Upstream resolvers; named "forwarders" but see the note on the forwarders
// statement in the options block.
acl "forwarders" {
8.8.4.4;
8.8.8.8;
};
// NOTE(review): there is no controls statement in this file, so the rndc
// control channel keeps BIND's default (loopback only, port 953). Client DNS
// traffic uses port 53 (UDP and TCP); that is the port the firewall must
// accept, not 953.
options {
directory "/var/named";
pid-file "/run/named/named.pid";
dnssec-validation auto;
// Listens on every IPv6 address, but only on IPv4 addresses that fall inside
// "trusted" (loopback and the LAN).
listen-on-v6 { any; };
listen-on { "trusted"; };
interface-interval 101;
// Recursion stays on but is limited to "trusted", so this is not an open
// resolver; allow-query restricts the authoritative side the same way.
allow-recursion { "trusted"; };
recursion yes;
allow-query { trusted; };
// No zone transfers and no dynamic updates from anyone.
allow-transfer { none; };
allow-update { none; };
forward only;
// NOTE(review): the forwarders statement expects IP address literals, not an
// ACL name; named-checkconf will most likely reject "forwarders" here — list
// the two addresses directly instead
forwarders { "forwarders"; };
// NOTE(review): pinning the outbound source port to 53 disables the random
// source ports BIND otherwise uses for its own queries, which weakens
// resistance to cache poisoning; drop the "port 53" part on these four lines
query-source address * port 53;
transfer-source address * port 53;
notify-source address * port 53;
query-source-v6 address * port 53;
// Hide version, hostname and server-id from CHAOS-class queries.
version none;
hostname none;
server-id none;
};
// One channel per category: each is a timestamped file capped at 5 MB with
// three rotated versions kept.
// NOTE(review): configuring the "queries" category enables per-query logging
// (every client query name is written to queries.log); fine on a small LAN
// but it grows quickly — confirm it is wanted
logging {
channel default_file {
file "/var/log/named/default.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel general_file {
file "/var/log/named/general.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel database_file {
file "/var/log/named/database.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel security_file {
file "/var/log/named/security.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel config_file {
file "/var/log/named/config.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel resolver_file {
file "/var/log/named/resolver.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-in_file {
file "/var/log/named/xfer-in.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel xfer-out_file {
file "/var/log/named/xfer-out.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel notify_file {
file "/var/log/named/notify.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel client_file {
file "/var/log/named/client.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel unmatched_file {
file "/var/log/named/unmatched.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel queries_file {
file "/var/log/named/queries.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel network_file {
file "/var/log/named/network.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel update_file {
file "/var/log/named/update.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dispatch_file {
file "/var/log/named/dispatch.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel dnssec_file {
file "/var/log/named/dnssec.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
channel lame-servers_file {
file "/var/log/named/lame-servers.log" versions 3 size 5m;
severity dynamic;
print-time yes;
};
// Category-to-channel mapping; security.log and update.log are the ones to
// watch for rejected queries, transfers and update attempts.
category default { default_file; };
category general { general_file; };
category database { database_file; };
category security { security_file; };
category config { config_file; };
category resolver { resolver_file; };
category xfer-in { xfer-in_file; };
category xfer-out { xfer-out_file; };
category notify { notify_file; };
category client { client_file; };
category unmatched { unmatched_file; };
category queries { queries_file; };
category network { network_file; };
category update { update_file; };
category dispatch { dispatch_file; };
category dnssec { dnssec_file; };
category lame-servers { lame-servers_file; };
};
// NOTE(review): once any view is defined, BIND requires every zone to be
// declared inside a view, so the two top-level zones below combined with the
// "trusted" view are likely rejected at startup; either drop the view or move
// all zones into it — check with named-checkconf
zone "ld.pvt" IN {
type master;
file "ld.pvt.zone";
allow-update { none; };
notify no;
};
view "trusted" {
match-clients { trusted; };
// Same zone file served again, only to clients matching "trusted".
zone "ld.pvt" {
type master;
file "ld.pvt.zone";
};
};
// Reverse zone for 192.168.1.0/24.
// NOTE(review): the file name contains a doubled dot ("1.168.192..zone") —
// confirm it matches the file actually present under /var/named
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192..zone";
allow-update { none; };
};
iptables 规则列表
$ iptables --list
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT icmp -- anywhere anywhere icmp echo-request ctstate NEW
UDP udp -- anywhere anywhere ctstate NEW
TCP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain IN_SSH (1 references)
target prot opt source destination
DROP all -- anywhere anywhere recent: CHECK seconds: 10 hit_count: 3 TTL-Match name: sshbf side: source mask: 255.255.255.255
DROP all -- anywhere anywhere recent: CHECK seconds: 1800 hit_count: 4 TTL-Match name: sshbf side: source mask: 255.255.255.255
ACCEPT all -- anywhere anywhere recent: SET name: sshbf side: source mask: 255.255.255.255
Chain TCP (1 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp dpt:http STRING match "GET /w00tw00t.at.ISC.SANS." ALGO name bm TO 65535
ACCEPT tcp -- anywhere anywhere tcp dpt:22
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpts:hbci:cgms
ACCEPT tcp -- anywhere anywhere tcp dpt:35729
ACCEPT tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT tcp -- anywhere anywhere tcp dpt:27017
ACCEPT tcp -- anywhere anywhere tcp dpt:953
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
IN_SSH tcp -- anywhere anywhere tcp dpt:22
Chain UDP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:27017
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpts:netbios-ns:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:microsoft-ds
从局域网上的开发机器访问时,经由 .254 网关的路由总是显示以下信息,无法访问:
编辑:
另外,请注意,我认为我遇到了一个大问题,我打开了端口 953,而不是 53,我应该切换哪个端口?
答案1
各个机器在区域文件中定义。在我写这个答案的时候,区域文件似乎发布不正确。但是,从我看到的片段来看,名为“falcon”的机器适当地有一个指向 192.168.1.10 的 A 记录
做得很完美。redtail 也已定义。此外,“imap”和“smtp”(以及其他)是指向 falcon 的 CNAME。一切都做对了。只需为 osprey 和 gateway 添加类似的行即可。或者,如果您想执行类似 hosts 文件的操作,您可以设置名称“router”以具有 A 记录,并将名称“gateway”设置为指向“router”的 CNAME。
由于名称(如“falcon”)不以句点结尾,因此这些名称将被视为部分名称。域的其余部分(文件中前面提到的 ld.pvt)将添加到部分名称的末尾。(如果您不想这样,请添加一个句点。名称末尾的句点会产生很大的不同。)