Implementing DDNS with BIND and DHCP

Have you already mastered the DNS service? Have you also mastered DHCP? Good. Below we will implement a new service, DDNS, which combines the DNS and DHCP services. Before you start, ask yourself once more: am I ready? Ready! Then, before getting hands-on, let us first look at what DDNS is.

I. What is DDNS

DDNS, Dynamic Domain Name Server, is, as the name says, a dynamic domain name server. The name also tells us that DDNS is a kind of DNS service. A DNS service is normally based on static IP addresses and mainly provides the mapping between IP addresses and domain names. DDNS, by implication, resolves domain names dynamically, that is, it maps dynamic IP addresses to domain names. DNS can resolve a name for a client only if the DNS server holds the corresponding record. DDNS maps a user's dynamic IP address onto a fixed name-resolution service: every time the user connects to the network, a client program sends the host's current dynamic IP address to the server program on the service host, and that server program provides the DNS service and performs the dynamic resolution. In other words, DDNS captures the user's IP address each time it changes and associates it with the domain name, so that other users on the network can reach the host by name.

Now that we know the characteristics and basic principle of DDNS, let us implement the service and give every machine in the network managed by our DNS and DHCP servers a name in the resolved domain.

II. Implementing DDNS

To implement DDNS, first build a DNS server. In this example we use the IP address 54 and our domain name.

1. Edit the named.conf file and comment out the parts that are not needed. The result is as follows:

// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
//   file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
	// Those options should be used carefully because they disable port
	// randomization
	query-source    port 53;
	query-source-v6 port 53;
	listen-on port 53 { any; };

	// Put files that named is allowed to write in the data/ directory:
	directory "/var/named"; // the default
	dump-file 		"data/cache_dump.db";
	statistics-file 	"data/named_stats.txt";
	memstatistics-file 	"data/named_mem_stats.txt";
};
logging
{
/*      If you want to enable debugging, eg. using the 'rndc trace' command,
 *      named will try to write the 'named.run' file in the $directory (/var/named).
 *      By default, SELinux policy does not allow named to modify the /var/named directory,
 *      so put the default debug log file in data/ :
 */
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
 * If all you want is a caching-only nameserver, then you need only define this view:
 */
	match-clients 		{ any; };
	match-destinations	{ any; };
	recursion yes;
	# all views must contain the root hints zone:
	include "/etc/named.root.hints";

	/* these are zones that contain definitions for all the localhost
	 * names and addresses, as recommended in RFC1912 - these names should
	 * ONLY be served to localhost clients:
	 */
	include "/etc/named.rfc1912.zones";
};
#view "internal"
#{
#/* This view will contain zones you want to serve only to "internal" clients
#   that connect via your directly attached LAN interfaces - "localnets" .
# */
#	match-clients		{ localnets; };
#	match-destinations	{ localnets; };
#	recursion yes;
	// all views must contain the root hints zone:
#	include "/etc/named.root.hints";
	// include "named.rfc1912.zones";
	// you should not serve your rfc1912 names to non-localhost clients.

	// These are your "authoritative" internal zones, and would probably
	// also be included in the "localhost_resolver" view above :
#	zone "ernal.zone" {
#		type master;
#		file "ernal.zone.db";
#	};
#	zone "ernal.zone" {
#		type slave;
#		file "slaves/ernal.zone.db";
#		masters { /* put master nameserver IPs here */ ; } ;
		// put slave zones in the slaves/ directory so named can update them
#	};
#	zone "ernal.zone" {
#		type master;
#		allow-update { key ddns_key; };
#		file "slaves/ernal.zone.db";
		// put dynamically updateable zones in the slaves/ directory so named can update them
#	};
#};
key ddns_key
{
	// leave this in place for now; we will generate a DDNS key shortly
	algorithm hmac-md5;
	secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
#view "external"
#{
#/* This view will contain zones you want to serve only to "external" clients
# * that have addresses that are not on your directly attached LAN interface subnets:
# */
#	match-clients		{ any; };
#	match-destinations	{ any; };
#	recursion no;
	// you'd probably want to deny recursion to external clients, so you don't
	// end up providing free DNS service to all takers

	// all views must contain the root hints zone:
#	include "/etc/named.root.hints";

	// These are your "authoritative" external zones, and would probably
	// contain entries for just your web and mail servers:
#	zone "my.external.zone" {
#		type master;
#		file "my.external.zone.db";
#	};
#};

2. Configure the zone definition file named.rfc1912.zones and add the relevant records:

// named.rfc1912.zones:
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
zone  IN {
	type master;
	file ".zone";
	allow-update { none; };
};
zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "0.168.192.zone";
	allow-update { none; };
};

3. Create the zone files.

Create the forward zone file as follows:

$TTL	86400
@	IN SOA	. . (
			2009101901 ; serial (d. adams)
			3H ; refresh
			15M ; retry
			1W ; expiry
			1D ) ; minimum
	IN NS	.
x	IN A	54

Create the reverse zone file as follows:

$TTL	86400
@	IN SOA	. . (
			2009101901 ; serial (d. adams)
			3H ; refresh
			15M ; retry
			1W ; expiry
			1D ) ; minimum
	IN NS	.
254	IN PTR	.

4. Start the named service and test it (omitted).

5. Generate the DDNS key.

Change into the /var/named/chroot directory and generate a DDNS key pair with the following command (-a selects the algorithm, -b the key length, and -n USER example sets the user name):

dnssec-keygen -a HMAC-MD5 -b 128 -n USER example

After the command has run, two key files appear in the current directory:

Kexample.+157+23558.key
Kexample.+157+23558.private

Kexample.+157+23558.key is the public key and Kexample.+157+23558.private is the private key. Next, open the files, look at the generated key and write it down:

[root@x chroot]# cat Kexample.+157+23558.key
example. IN KEY 0 3 157 8fsNLoqo7RnRpNpCSMfszQ=
[root@x chroot]# cat Kexample.+157+23558.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 8fsNLoqo7RnRpNpCSMfszQ=

We see that the two keys are identical. This is not an error: the public and private keys here mainly serve to check that the key matches on both sides. Record either one for later use.

6. Edit named.conf and add the DDNS key.

Find the key section in named.conf and change it to:

key example {
	algorithm hmac-md5;
	secret "8fsNLoqo7RnRpNpCSMfszQ=";
};

7. Edit the named.rfc1912.zones file:

zone  IN {
	type master;
	file ".zone";
	allow-update { key example; };
};
zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "0.168.192.zone";
	allow-update { key example; };
};

8. Configure the dhcpd.conf file:

ddns-update-style interim;
ignore client-updates;
key example {
	algorithm hmac-md5;
	secret "8fsNLoqo7RnRpNpCSMfszQ=";
};
zone . {
	primary 54;
	key example;
}
zone 0.168.192.in-addr.arpa. {
	primary 54;
	key example;
}
subnet  netmask  {
# --- default gateway
	option routers			;
	option subnet-mask		;
#	option ;
	option ;
	option domain-name-servers	54;
	option time-offset		-18000;	# Eastern Standard Time
#	option ntp-servers		;
#	option netbios-name-servers	;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#	option netbios-node-type 2;
	range dynamic-bootp 28 54;
	default-lease-time 21600;
	max-lease-time 43200;
	# we want the nameserver to appear at a fixed address
#	host cent {
#		next-server marvin.redhat.c
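The key material from step 5 and the key stanzas shared between named.conf and dhcpd.conf in steps 6 and 8, as an added Python example that is not part of the original tutorial: it shows why the .key and .private files carry the same secret (TSIG is a symmetric HMAC that the DHCP server and named both compute with one shared key), checks that a secret copied between the two configuration files is complete base64 of the expected length, and signs and verifies a constructed update message. The file layout and the plain-text message are simplifications of what dnssec-keygen writes and of the real TSIG record; `host-a` and the 192.0.2.0/24 address are constructed sample values, and hmac-md5 is used only because the page does (BIND also accepts hmac-sha256).

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

ALG_NUM = 157  # algorithm number for HMAC-MD5 seen in the page's Kexample.+157+23558.* file names

def generate_secret(bits=128):
    """Random shared secret, base64 as on the 'Key:' line of the .private file."""
    return base64.b64encode(os.urandom(bits // 8)).decode()

def key_files(name, secret):
    """Contents of K<name>.+157+<id>.key and .private in dnssec-keygen's layout (simplified).
    Both carry the same secret: TSIG is a symmetric HMAC, so there is no distinct public key."""
    key = f"{name}. IN KEY 0 3 {ALG_NUM} {secret}\n"
    private = f"Private-key-format: v1.2\nAlgorithm: {ALG_NUM} (HMAC_MD5)\nKey: {secret}\n"
    return key, private

def secret_from_private(text):
    """Extract the base64 secret from the 'Key:' line of a .private file."""
    m = re.search(r"^Key:\s*(\S+)\s*$", text, re.MULTILINE)
    return m.group(1) if m else None

def secret_is_valid(secret, bits=128):
    """Check a secret pasted into named.conf or dhcpd.conf: valid base64 of the expected length.
    A dropped '=' padding character or a truncated paste fails here, as it would in named/dhcpd."""
    try:
        return len(base64.b64decode(secret, validate=True)) * 8 == bits
    except (binascii.Error, ValueError):
        return False

def key_stanza(name, secret, algorithm="hmac-md5"):
    """The key clause that must be identical in named.conf and dhcpd.conf."""
    return f'key {name} {{\n\talgorithm {algorithm};\n\tsecret "{secret}";\n}};\n'

def sign(secret, message):
    """What the DHCP server does to an update: HMAC-MD5 over the message with the shared secret."""
    return hmac.new(base64.b64decode(secret), message, hashlib.md5).digest()

def verify(secret, message, mac):
    """What named does before allow-update { key example; } lets the update through."""
    return hmac.compare_digest(sign(secret, message), mac)

if __name__ == "__main__":
    secret = generate_secret()
    _, private = key_files("example", secret)
    msg = b"UPDATE host-a A 192.0.2.10"  # constructed sample, not a real TSIG-signed packet
    mac = sign(secret, msg)
    print(key_stanza("example", secret_from_private(private)))
    print(verify(secret, msg, mac), verify(secret, msg + b"1", mac))  # True False
```
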