前言:这几天在ubuntu server 10.4下配置主从DNS服务时,总是不成功,今天终于把这个困扰我快一个星期的问题解决了,很是高兴,记录下来,以备后用。
实验环境:
(1)ubserver5配置为主DNS服务器,IP:192.168.3.50
(2)ubserver4配置为从DNS服务器,IP:192.168.3.40
(3)软件包:bind9
操作:
1,在ubserver5,ubserver4上分别安装bind9
#sudo apt-get install bind9
2,主DNS服务器ubserver5配置
#cd /etc/bind
#sudo vim named.conf.default-zones
#sudo vim db.ublab.org
#sudo vim db.3.ublab.org
3,从DNS服务器ubserver4配置
#cd /etc/bind
#sudo vim named.conf.default-zones
在从DNS服务器ubserver4上db.ublab.org及db.3.ublab.org不需要手动建立,它会从主DNS服务ubserver5上复制过来,如果没有复制成功,说明配置主从DNS失败。
重启bind9
#sudo /etc/init.d/bind9 restart
查看/var/log/syslog日志文件,检查主从DNS是否配置成功,
没想到出现了图中画红线的错误,也就是这个错误一直困扰我快一个星期,一有空我就上网搜,看书找,把/etc/bind权限改成777,把它的拥有者改成bind;把/var/cache/bind也改成了777,拥有者改成bind,问题依就,还是同样的错误。
4,问题解决
(1)第一种解决方法:
今天又在网上找,柳暗花明找到了这个贴子
http://www.bergek.com/2008/09/14/file-permission-error-with-bind/内容如下:
把从DNS服务器ubserver4的named.conf.default-zones配置成如下内容:
问题解决了。为什么这样改,请看第二种方法。
查看/var/cache/bind下是否把配置文件复制过来了。
(2)apparmor是什么,他是干吗的?请看
http://en.wikipedia.org/wiki/Apparmor
于是修改/etc/apparmor.d/usr.sbin.named文件
#sudo vim /etc/apparmor.d/usr.sbin.named
添加如下内容
在此就能看到默认情况下,/etc/bind只能读,而/var/cache/bind为可读可写,所以用第一种方法时,就可以成功,这是我的理解。把/etc/bind/slaves改成可读可写,并给bind用户写的权限就可以了。
查看/var/log/syslog日志文件,检查主从DNS是否配置成功
可见,是可以了。
这篇
http://forum.ubuntu.org.cn/viewtopic.php?f=54&t=3089&view=previous贴子写的很好,可以参考,美中不足是没有指出出现错误的原因,可能环境不同,bind9的版本不同。有问题可以参考
http://www.bind9.net/BIND-FAQ
从安全角度考虑应该把DNS配置到chroot环境,引用https://help.ubuntu.com/community/BIND9ServerHowto的一段:
Chrooting BIND9 is a recommended setup from a security perspective if you don't have AppArmor installed. In a chroot enviroment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need. AppArmor is installed by default on recent Ubuntu releases. Unless you've explicitly disabled AppArmor, you might want to read this before you decide to attempt a chrooted bind. If you still want to go forward with it, you'll need this information, which isn't covered in the instructions that follow here.
从安全角度考虑应该把DNS配置到chroot环境,引用https://help.ubuntu.com/community/BIND9ServerHowto的一段:
Chrooting BIND9 is a recommended setup from a security perspective if you don't have AppArmor installed. In a chroot enviroment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need. AppArmor is installed by default on recent Ubuntu releases. Unless you've explicitly disabled AppArmor, you might want to read this before you decide to attempt a chrooted bind. If you still want to go forward with it, you'll need this information, which isn't covered in the instructions that follow here.
本文转自xcjgutong 51CTO博客,原文链接:http://blog.51cto.com/xuchengji/357139
