Basic network setup with OpenVZ is done.
Assign a hostname and IP to each server, then install and run a DNS server.
The DNS server runs bind, set up as a master and a slave.
ns1.ddong.ac.kr - master name server
ns2.ddong.ac.kr - slave name server
1. Installing the master name server
1) Install the latest bind (bind-9.4.1-P1) from gentoo portage
# emerge bind
2) Edit /etc/bind/named.conf
# cat /etc/bind/named.conf
options {
directory "/var/bind";
dump-file "/var/bind/named_dump.db";
statistics-file "/var/bind/named.stats";
pid-file "/var/run/named/named.pid";
// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
listen-on-v6 { none; };
//listen-on { 127.0.0.1; };
// to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// if you have problems and are behind a firewall:
//query-source address * port 53;
};
zone "." IN {
type hint;
file "named.ca"; // linked root.cache
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "ddong.ac.kr" IN {
type master;
file "zone/ddong.ac.kr.zone";
allow-transfer { 1.1.2.200; };
notify yes;
};
zone "1.1.in-addr.arpa" IN {
type master;
file "pri/ddong.ac.kr.rev.zone";
};
3) Edit the /var/bind/zone/ddong.ac.kr.zone file
# cat /var/bind/zone/ddong.ac.kr.zone
$ORIGIN ddong.ac.kr. ; must match the zone name this file is loaded under in named.conf
$TTL 86400
@ IN SOA ns1.ddong.ac.kr. gogisnim.gmail.com. (
2007082620 ; serial
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.ddong.ac.kr.
;
IN MX 10 mail
IN MX 20 mail2
;
; host configuration
localhost IN A 127.0.0.1
ns1 IN A 1.1.1.200
ns2 IN A 1.1.2.200
ddong.ac.kr. IN A 1.1.1.200
www1 IN A 1.1.1.200
www2 IN A 1.1.2.200
www3 IN A 1.1.3.200
mail IN A 1.1.1.201
mail2 IN A 1.1.2.201
pop3 IN A 1.1.1.201
ftp IN A 1.1.1.203
db IN A 1.1.1.204
fw IN A 1.1.1.10
gw IN A 1.1.1.10
www IN CNAME www1
Caution
The $ORIGIN on the first line of a zone file must be the zone name that /etc/bind/named.conf loads the file under; for the reverse zone file that is the reverse zone name, 1.1.in-addr.arpa. (with the trailing dot). If the reverse zone file says ddong.ac.kr. instead, named prints the following messages at startup and ignores those records:
# tail -f /var/log/messages
...
Aug 29 00:42:31 ddong named[29017]: zone/ddong.ac.kr.rev.zone:3: ignoring out-of-zone data (ddong.ac.kr)
Aug 29 00:42:31 ddong named[29017]: zone/ddong.ac.kr.rev.zone:14: ignoring out-of-zone data (200.1.ddong.ac.kr)
Aug 29 00:42:31 ddong named[29017]: zone/ddong.ac.kr.rev.zone:15: ignoring out-of-zone data (200.2.ddong.ac.kr)
Aug 29 00:42:31 ddong named[29017]: zone/ddong.ac.kr.rev.zone:16: ignoring out-of-zone data (200.1.ddong.ac.kr)
...
4) Start named and register it with rc-update so it starts at boot
# /etc/init.d/named start
# rc-update add named default
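A wrong $ORIGIN makes named drop records silently, and the reverse zone has to be kept in step with the forward one by hand, so here is an added check (example code written for this edit, not from the original post). It verifies a zone file's $ORIGIN against the name named.conf loads it under, derives the PTR records the 1.1.in-addr.arpa reverse zone needs from the forward zone's A records, and lists addresses that several names share. The zone file it writes is a constructed copy of the one above with $ORIGIN set to the forward zone name; the "1.1" network prefix and the optional named-checkzone call (run only if the tool is installed) are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a BIND forward zone
# file and derive the PTR records its reverse zone needs.
# Assumptions: the zone below is a constructed copy of the post's ddong.ac.kr
# zone; the reverse zone is 1.1.in-addr.arpa, i.e. the 1.1.0.0/16 network.
set -eu

ZONE_FILE=$(mktemp)
trap 'rm -f "$ZONE_FILE"' EXIT
cat > "$ZONE_FILE" <<'EOF'
$ORIGIN ddong.ac.kr.
$TTL 86400
@ IN SOA ns1.ddong.ac.kr. gogisnim.gmail.com. (
        2007082620 ; serial
        3H ; refresh
        15M ; retry
        1W ; expiry
        1D ) ; minimum
  IN NS ns1.ddong.ac.kr.
  IN MX 10 mail
  IN MX 20 mail2
; host configuration
localhost IN A 127.0.0.1
ns1 IN A 1.1.1.200
ns2 IN A 1.1.2.200
ddong.ac.kr. IN A 1.1.1.200
www1 IN A 1.1.1.200
www2 IN A 1.1.2.200
www3 IN A 1.1.3.200
mail IN A 1.1.1.201
mail2 IN A 1.1.2.201
pop3 IN A 1.1.1.201
ftp IN A 1.1.1.203
db IN A 1.1.1.204
fw IN A 1.1.1.10
gw IN A 1.1.1.10
www IN CNAME www1
EOF

# check_origin FILE ZONENAME: 0 if the file's $ORIGIN (when present) equals
# ZONENAME plus trailing dot, 1 otherwise. A mismatch is what makes named log
# "ignoring out-of-zone data" for every record in the file.
check_origin() {
    origin=$(awk '$1 == "$ORIGIN" { print $2; exit }' "$1")
    [ -z "$origin" ] || [ "$origin" = "$2." ]
}

# gen_ptr FILE ORIGIN NET: print one PTR record per address for every A record
# inside NET (first two octets of the /16, e.g. "1.1"). Relative owner names
# are qualified with the origin; the first name seen for an address wins.
gen_ptr() {
    awk -v origin="$2" -v net="$3" '
        $1 == "$ORIGIN" { origin = $2; next }
        $2 == "IN" && $3 == "A" {
            name = $1
            if (name == "@") name = origin
            else if (name !~ /\.$/) name = name "." origin
            split($4, o, ".")
            if (o[1] "." o[2] != net) next
            rev = o[4] "." o[3]
            if (rev in seen) next
            seen[rev] = 1
            printf "%s IN PTR %s\n", rev, name
        }' "$1"
}

# shared_addrs FILE: addresses that more than one A record points at. Each gets
# a single PTR above, so the other names will not pass a forward-confirmed
# reverse lookup (dig -x); decide which name should own the address.
shared_addrs() {
    awk '$2 == "IN" && $3 == "A" { n[$4]++ } END { for (a in n) if (n[a] > 1) print a }' "$1"
}

# Demonstration run.
if check_origin "$ZONE_FILE" ddong.ac.kr; then echo "origin ok"; else echo "origin mismatch"; fi
echo "== PTR records for 1.1.in-addr.arpa =="
gen_ptr "$ZONE_FILE" ddong.ac.kr. 1.1
echo "== addresses shared by several names =="
shared_addrs "$ZONE_FILE"
if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone ddong.ac.kr "$ZONE_FILE" || echo "named-checkzone reported problems"
fi
```

Paste the printed PTR lines under a `$ORIGIN 1.1.in-addr.arpa.` header with their own SOA and NS records to build the reverse zone file; the shared-address list (ns1/www1 on 1.1.1.200, fw/gw on 1.1.1.10, and so on) is where you pick which name reverse lookups should return.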
2. Installing the slave name server
1) Install the latest bind (bind-9.4.1-P1) from gentoo portage
# emerge bind
2) Edit /etc/bind/named.conf
# cat /etc/bind/named.conf
options {
directory "/var/bind";
dump-file "/var/bind/named_dump.db";
statistics-file "/var/bind/named.stats";
pid-file "/var/run/named/named.pid";
// uncomment the following lines to turn on DNS forwarding,
// and change the forwarding ip address(es) :
//forward first;
//forwarders {
// 123.123.123.123;
// 123.123.123.123;
//};
listen-on-v6 { none; };
//listen-on { 127.0.0.1; };
// to allow only specific hosts to use the DNS server:
//allow-query {
// 127.0.0.1;
//};
// if you have problems and are behind a firewall:
//query-source address * port 53;
};
zone "." IN {
type hint;
file "named.ca"; // linked root.cache
};
zone "localhost" IN {
type master;
file "pri/localhost.zone";
allow-update { none; };
notify no;
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "ddong.ac.kr" IN {
type slave;
file "sl/bak.ddong.ac.kr.zone";
masters { 1.1.1.200; };
};
zone "1.1.in-addr.arpa" IN {
type slave;
file "sl/bak.ddong.ac.kr.rev.zone";
masters { 1.1.1.200; };
};
3) No zone files need to be written on the slave: they are created directly from the zone transfer received from the master.
Note that starting named in this state produces an error (named itself starts, but no zone transfer actually takes place).
The reason is that on gentoo named does not run as root but as the named user.
When the zone transfer happens, the slave's zone directory (/var/bind) is writable only by root, so the write by the unprivileged named user fails with permission denied.
See http://www.isc.org/index.pl?/sw/bind/FAQ.php.
# ls -l /var/bind
-rw-r--r-- 1 root root 2518 Aug 27 20:39 named.ca
drwxr-xr-x 2 root root 4096 Aug 28 01:48 pri
lrwxrwxrwx 1 root root 23 Aug 27 20:39 root.cache -> ../../var/bind/named.ca
drwxr-xr-x 2 root root 4096 Aug 27 20:39 sec
drwxr-xr-x 2 root root 4096 Aug 28 02:48 sl
# tail -f /var/log/messages
Aug 28 01:42:51 ns2 named[22077]: zone ddong.ac.kr/IN: Transfer started.
Aug 28 01:42:51 ns2 named[22077]: transfer of 'ddong.ac.kr/IN' from 1.1.1.200#53: connected using 1.1.2.200#48915
Aug 28 01:42:51 ns2 named[22077]: dumping master file: zone/tmp-boAPWlF76G: open: permission denied
Aug 28 01:42:51 ns2 named[22077]: transfer of 'ddong.ac.kr/IN' from 1.1.1.200#53: failed while receiving responses: permission denied
Aug 28 01:42:51 ns2 named[22077]: transfer of 'ddong.ac.kr/IN' from 1.1.1.200#53: end of transfer
The only place named writes to is under sl/.
Change its owner to the named user.
# chown -R named:named sl/
4) Start named and register it with rc-update so it starts at boot
# /etc/init.d/named start
# rc-update add named default
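The permission-denied failure above is easy to reintroduce whenever a zone is added, and the slave config as shown has no allow-transfer statement on its zones (the master restricts transfers to 1.1.2.200; the slave restricts nothing), so here is an added audit of a slave named.conf (example code written for this edit, not from the original post). It lists every type slave zone with the directory its file will land in, reports whether that directory is owned by the named user, flags zones without allow-transfer, and reports whether options sets version, which is what lets the CHAOS version.bind query in section 3 return the real BIND version. The named.conf it writes is constructed for the demonstration, the named user name is passed in as an argument, and relative file paths are resolved against the directory option.

```shell
#!/bin/sh
# Added example, not from the original post: audit a BIND slave's named.conf.
# Assumptions: the named.conf below is constructed; "named" is the gentoo
# service user; file paths in zone blocks are relative to options.directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CONF="$WORK/named.conf"
mkdir -p "$WORK/pri" "$WORK/sl"
cat > "$CONF" <<EOF
options {
    directory "$WORK";
    pid-file "/var/run/named/named.pid";
    listen-on-v6 { none; };
};
zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update { none; };
};
zone "ddong.ac.kr" IN {
    type slave;
    file "sl/bak.ddong.ac.kr.zone";
    masters { 1.1.1.200; };
};
zone "1.1.in-addr.arpa" IN {
    type slave;
    file "sl/bak.ddong.ac.kr.rev.zone";
    masters { 1.1.1.200; };
    allow-transfer { none; };
};
EOF

# slave_zones CONF: print "zone absolute-file-path open|restricted" per slave
# zone. "open" means no allow-transfer statement, i.e. AXFR to anyone.
slave_zones() {
    awk '
        /^[[:space:]]*directory[[:space:]]/ { d = $2; gsub(/[";]/, "", d); dir = d }
        /^[[:space:]]*zone[[:space:]]/      { name = $2; gsub(/"/, "", name); type = ""; file = ""; xfer = 0 }
        /^[[:space:]]*type[[:space:]]/      { type = $2; sub(/;/, "", type) }
        /^[[:space:]]*file[[:space:]]/      { file = $2; gsub(/[";]/, "", file) }
        /^[[:space:]]*allow-transfer/        { xfer = 1 }
        /^[[:space:]]*};/ {
            if (name != "" && type == "slave") {
                if (file !~ /^\//) file = dir "/" file
                print name, file, (xfer ? "restricted" : "open")
            }
            name = ""; xfer = 0
        }' "$1"
}

# check_slave_dirs CONF USER: one line per slave zone saying whether the
# directory that will receive the transferred zone file is owned by USER.
check_slave_dirs() {
    slave_zones "$1" | while read -r zone path xfer; do
        dir=$(dirname "$path")
        owner=$(ls -ld "$dir" 2>/dev/null | awk '{ print $3 }')
        [ "$owner" = "$2" ] && state=owner-ok || state="owner=${owner:-missing}"
        echo "$zone $dir $state allow-transfer=$xfer"
    done
}

# version_hidden CONF: 0 if options carries a version statement, 1 if the
# server will answer version.bind with its real version string.
version_hidden() {
    awk '/^[[:space:]]*version[[:space:]]/ { found = 1 } END { exit !found }' "$1"
}

# Demonstration run: directories were just created by the current user, so the
# ownership lines show what the post's chown -R named:named sl/ step fixes.
echo "== slave zone directories (expected owner: named) =="
check_slave_dirs "$CONF" named
version_hidden "$CONF" && echo "version: hidden" || echo "version: exposed (add version \"none\"; to options)"
```

The report prints one line per slave zone, so a zone added later with its file pointed outside sl/ shows up as owner=root before the first failed transfer, and the allow-transfer=open column is the reminder to add allow-transfer { none; }; (or the master's address) on the slave as well.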
3. Using nslookup, dig, dnstop
1) Walking down from the root DNS servers to innu.pe.kr
$ nslookup
> server a.root-servers.net
> set q=ns
> kr.
> server b.dns.kr
> pe.kr.
> server c.dns.kr
> innu.pe.kr.
> server ns.80port.com
> set q=a
> innu.pe.kr
Address: xxx.xxx.xxx.xxx#53
2) Finding the bind version
$ dig @ns2.ddong.ac.kr txt chaos version.bind
; <<>> DiG 9.3.2 <<>> @ns2.ddong.ac.kr txt chaos version.bind
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13391
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;version.bind. CH TXT
;; ANSWER SECTION:
version.bind. 0 CH TXT "9.4.1-P1"
;; AUTHORITY SECTION:
version.bind. 0 CH NS version.bind.
;; Query time: 1 msec
;; SERVER: 1.1.2.200#53(1.1.2.200)
;; WHEN: Tue Aug 28 03:43:46 2007
;; MSG SIZE rcvd: 65
The 9.3.2 above is dig's own version; the "9.4.1-P1" below it is the name server's bind version.
3) Testing that reverse DNS works correctly
# dig @ns1.ddong.ac.kr 204.1.1.1.in-addr.arpa ptr
; <<>> DiG 9.4.1-P1 <<>> @ns1.ddong.ac.kr 204.1.1.1.in-addr.arpa ptr
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55312
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;204.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
204.1.1.1.in-addr.arpa. 86400 IN PTR db.ddong.ac.kr.
;; AUTHORITY SECTION:
1.1.in-addr.arpa. 86400 IN NS ns1.ddong.ac.kr.
;; ADDITIONAL SECTION:
ns1.ddong.ac.kr. 86400 IN A 1.1.1.200
;; Query time: 1 msec
;; SERVER: 1.1.1.200#53(1.1.1.200)
;; WHEN: Wed Aug 29 01:37:02 2007
;; MSG SIZE rcvd: 102
or
# dig -x 1.1.1.204
; <<>> DiG 9.4.1-P1 <<>> -x 1.1.1.204
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20304
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;204.1.1.1.in-addr.arpa. IN PTR
;; ANSWER SECTION:
204.1.1.1.in-addr.arpa. 86400 IN PTR db.ddong.ac.kr.
;; AUTHORITY SECTION:
1.1.in-addr.arpa. 86400 IN NS ns1.ddong.ac.kr.
;; ADDITIONAL SECTION:
ns1.ddong.ac.kr. 86400 IN A 1.1.1.200
;; Query time: 0 msec
;; SERVER: 1.1.1.200#53(1.1.1.200)
;; WHEN: Wed Aug 29 01:38:46 2007
;; MSG SIZE rcvd: 102
4) Monitoring DNS queries with dnstop
# dnstop eth0


The dig, nslookup, and host commands are in the bind-tools package.
The dnstop command is in the dnstop package.