SeaRiver Blog

实力才是你一生最好的依靠!

日志

关于我

SeaRiver

强者恒强,弱者恒弱!

文章分类

DNS: bind-chroot功能

2010-07-09 16:51:17| 分类： DNS | 标签： |举报 |字号大中小订阅

下载LOFTER 我的照片书 |

一.bind-chroot介绍

DNS是一种将域名解析为IP地址的服务.如:www.turbolinux.com.cn通过DNS解析,可以
得到210.77.38.126.
bind是linux的DNS服务器程序.bind-chroot是bind的一个功能,使bind可以在一个
chroot的模式下运行.也就是说,bind运行时的/(根)目录,并不是系统真正的/(根)目录,只是
系统中的一个子目录而已.这样做的目的是为了提高安全性.因为在chroot的模式下,bind可以
访问的范围仅限于这个子目录的范围里,无法进一步提升,进入到系统的其他目录中.

二.bind-chroot的安装

1.rpm包

在GTES10,10.5,11中,都已包含有bind-chroot包,可以直接安装相应rpm包.

# rpm -ivh bind-chroot.xxx.rpm

2.源码包安装

源码下载地址:
http://www.isc.org/index.pl
以bind-9.4.1-P1版本为例.
# tar zxvf bind-9.4.1-P1.tar.gz
# cd bind-9.4.1-P1
# ./configure
# make
# make install

三.bind-chroot的使用

1.rpm包方式

在GTES 11上,如果已经安装了bind-chroot的包,则bind的默认启动方式就是chroot方式.

# /etc/init.d/named start
# ps -ef | grep named
named 2090 2613 1   0   07:49  ?   00:00:00  /usr/sbin/named -u named -t /var/named/chroot

2.源码包方式

使用源码包安装完成bind后,使用下面步骤进行配置:
建立named用户

# useradd named

建立chroot后所需的目录和文件

# mkdir -p /var/named/chroot/etc
# mkdir /var/named/chroot/dev
# mkdir -p /var/named/chroot/var/named/data
# mkdir -p /var/named/chroot/var/run
# cp /var/named/* /var/named/chroot/var/named/
# cp /etc/rndc.key /var/named/chroot/etc/

建立chroot后,所需的设备文件

# cd /var/named/chroot/dev
# mknod null c 1 3
# mknod random c 1 8
# mknod zero c 1 5
# chmod 666 null random
# chown -R named.named /var/named /var/run

建立named.conf配置文件
# vi /var/named/chroot/etc/named.conf

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
         // query-source address * port 53;
};

controls {
        inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { 127.0.0.1 ; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};


include "/etc/rndc.key";

启动bind

# /usr/local/sbin/named -u named -t /var/named/chroot
# ps -ef | grep named
named  15739   1  0    08:27  ?     00:00:00   /usr/local/sbin/named -u named -t /var/named/chroot

现在bind已经运行在chroot模式下了.

评论这张

转发至微博

阅读(3311)| 评论(0)

历史上的今天

this.p={  m:2,
              b:2,
              loftPermalink:'',
              id:'fks_081066085085080069093082085095085095089067084084087068',
              blogTitle:'DNS: bind-chroot功能',
              blogAbstract:'<h2\><a id=\"一.bind-chroot介绍\" name=\"一.bind-chroot介绍\" rel=\"nofollow\"  \>一.<span\>bind-chroot</span\>介绍</a\></h2\> <div\> <p\>DNS是一种将域名解析为IP地址的服务.如:<a title=\"http://www.turbolinux.com.cn\" rel=\"nofollow\" href=\"http://www.turbolinux.com.cn/\"  \>www.turbolinux.com.cn</a\>通过DNS解析,可以<br\>得到210.77.38.126.<br\>bind是linux的DNS服务器程序.<span\>bind-chroot</span\>是bind的一个功能,使bind可以在一个<br\>chroot的模式下运行.也就是说,bind运行时的/(根)目录,并不是系统真正的/(根)目录,只是<br\>系统中的一个子目录而已.这样做的目的是为了提高安全性.因为在chroot的模式下,bind可以</p\></div\>',
              blogTag:'',
              blogUrl:'blog/static/1980021720106945117402',
              isPublished:1,
              istop:false,
              type:0,
              modifyTime:1317320866809,
              publishTime:1278665477402,
              permalink:'blog/static/1980021720106945117402',
              commentCount:0,
              mainCommentCount:0,
              recommendCount:0,
              bsrk:-100,
              publisherId:0,
              recomBlogHome:false,
              currentRecomBlog:false,
              attachmentsFileIds:[],
              vote:{},
              groupInfo:{},
              friendstatus:'none',
              followstatus:'unFollow',
              pubSucc:'',
              visitorProvince:'',
              visitorCity:'',
              visitorNewUser:false,
              postAddInfo:{},
              mset:'000',
              mcon:'',
              srk:-100,
              remindgoodnightblog:false,
              isBlackVisitor:false,
              isShowYodaoAd:false,
              hostIntro:'强者恒强,弱者恒弱!',
              hmcon:'1',
              selfRecomBlogCount:'0',
              lofter_single:'<iframe width="140" height="560" style="overflow:hidden;" src="http://www.lofter.com/mailEntry.do?blogad=1&blog" frameBorder="0"></iframe>'
            }

{list a as x}
    {if !!x}
    <div class="iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
      {if x.visitorName==visitor.userName}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.visitorNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.visitorName)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        {if x.moveFrom=='wap'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/wapblog.html?frompersonalbloghome"><span title="来自网易手机博客" class="iblock wapIcon"> </span></a>
        {elseif x.moveFrom=='iphone'}
          <a class="noul pnt" target="_blank"><span title="来自iPhone客户端" class="iblock iphoneIcon"> </span></a>
        {elseif x.moveFrom=='android'}
          <a class="noul pnt" target="_blank"><span title="来自Android客户端" class="iblock androidIcon"> </span></a>
        {elseif x.moveFrom=='mobile'}
          <a class="noul pnt" target="_blank" href="http://blog.163.com/services/emsblog.html?frompersonalbloghome"><span title="来自网易短信写博" class="iblock wapIcon"> </span></a>
        {/if}
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.visitorName}/">
          ${fn(x.visitorNickname,8)|escape}
        </a>
      </div>
    </div>
    {/if}
    {/list}

<#--最新日志，群博日志--> <#--推荐日志-->

<p class="fc06">推荐过这篇日志的人：</p>
    <div>
      {list a as x}
      {if !!x}
      <div class="iblock nbw-fce nbw-f40">
        <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
        <img alt="${x.recommenderNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.recommenderName)}"/>
        </a>
        <div class="cwd thide">
          <a class="fc03 m2a" target="_blank" hidefocus="true" href="http://blog.163.com/${x.recommenderName}/">
            ${fn(x.recommenderNickname,6)|escape}
          </a>
        </div>
      </div>
      {/if}
      {/list}
    </div>
    {if !!b&&b.length>0}
    <p  class="fc06">他们还推荐了：</p>
    <ul>
    {list b as y}
      {if !!y}
        <li class="rrb"><span class="iblock">·</span><a class="fc03 m2a" target="_blank" href="http://blog.163.com/${y.recommendBlogPermalink}/?from=blog/static/1980021720106945117402">${y.recommendBlogTitle|escape}</a></li>
      {/if}
    {/list}
    </ul>
    {/if}

<#--引用记录--> <#--博主推荐--> <#--随机阅读--> <#--首页推荐--> <#--历史上的今天--> <#--被推荐日志--> <#--上一篇，下一篇--> <#-- 热度 -->

{list a as x}
    {if !!x}
    <div class="hotItem iblock nbw-fce nbw-f40">
      <a class="fc03 noul" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
      {if x.publisherUsername==visitor.userName}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}&r=${visitor.imageUpdateTime}"/>
      {else}
      <img alt="${x.publisherNickname|escape}" onerror="this.src=location.f40" class="cwd bdwa bdc0" src="${fn1(x.publisherUsername)}"/>
      {/if}
      </a>
      <div class="cwd vname thide">
        <a class="fc03 m2a"  target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/">
          ${fn(x.publisherNickname,8)|escape}
        </a>
      </div>
      <a class="f-myLikeIcons hottype {if x.type==1} js-liketype{elseif x.type==2} js-reblogtype{elseif x.type==3} js-sharetype{else}{/if}" target="_blank" hidefocus="true" href="http://blog.163.com/${x.publisherUsername}/"> </a>
    </div>
    {/if}
    {/list}

<#-- 网易新闻广告 --> <#--右边模块结构--> <#--评论模块结构--> <#--引用模块结构--> <#--博主发起的投票-->

页脚

我的照片书 - 手机博客 - 下载LOFTER APP - 订阅此博客