After installing CentOS 5.3, remember to update bind first:
# yum install 'bind*'
The wildcard also pulls in bind-chroot, which is what provides the chroot setup.
Whether chroot is on or off is controlled in
/etc/sysconfig/named
through the parameter ROOTDIR (by default /var/named/chroot); to run without chroot, comment it out.
chroot raises the bar considerably: even if an attacker takes control of named, the process can only see the directory tree under ROOTDIR, and the init script additionally runs it as the unprivileged user named instead of root. It is not a complete sandbox (a process that regains root can break out of a chroot), so keep bind patched as well.
named.conf is the main configuration file; the sample at
/usr/share/doc/bind-9.3.4/sample/etc/named.conf
is a good reference. With chroot enabled, the copy named actually reads is the one under ROOTDIR, i.e. /var/named/chroot/etc/named.conf, and the zone files go in /var/named/chroot/var/named/.
Below is my simple configuration. Note that this options block leaves BIND 9.3's defaults in place, which means the server also answers recursive queries for anyone who asks; on a server that only serves its own zones, add recursion no; and restrict allow-transfer to your secondaries.
options {
        directory "/var/named"; // the default
};

zone "." { // root server hints
        type hint;
        file "named.ca";
};

// localhost forward and reverse
zone "localhost" {
        type master;
        file "named_localhost";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "arpa_127.0.0";
};

// herbsite forward and reverse
zone "herbsite.tw" {
        type master;
        file "named_herbsite.tw";
};
zone "75.208.134.in-addr.arpa" {
        type master;
        file "arpa_134.208.75";
};
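As an added example (not the post's own configuration), here is the same named.conf with an options block for an authoritative-only server, written into the chroot by a small POSIX sh script and parsed with named-checkconf -t, which chroots the same way named does and therefore needs root. Assumed: the CentOS 5 bind-chroot layout with ROOTDIR=/var/named/chroot, and 134.208.75.143 as the only secondary allowed to transfer the zones. Without CHROOT set, the script writes to a scratch directory so the result can be inspected before it goes live.

```shell
#!/bin/sh
# Added example, not the post's own configuration. Same zones as above, but
# the options block is set up for an authoritative-only server: BIND 9.3
# answers recursive queries from any client unless told otherwise.
# Assumed: CentOS 5 bind-chroot layout (ROOTDIR=/var/named/chroot) and
# 134.208.75.143 as the only secondary allowed to pull zone transfers.

# write_named_conf CHROOT  -> writes CHROOT/etc/named.conf
write_named_conf() {
    mkdir -p "$1/etc"
    cat > "$1/etc/named.conf" <<'EOF'
options {
    directory "/var/named";              // inside the chroot
    version "not disclosed";             // don't hand 9.3.x to version scanners
    recursion no;                        // authoritative only, never an open resolver
    allow-query { any; };                // our own zones are public data
    allow-transfer { 134.208.75.143; };  // AXFR only to the secondary (assumed address)
    allow-update { none; };              // no dynamic updates
};

zone "." {
    type hint;
    file "named.ca";
};

zone "localhost" {
    type master;
    file "named_localhost";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "arpa_127.0.0";
};

zone "herbsite.tw" {
    type master;
    file "named_herbsite.tw";
};

zone "75.208.134.in-addr.arpa" {
    type master;
    file "arpa_134.208.75";
};
EOF
}

# config_sets CHROOT OPTION  -> succeeds if the written options block sets OPTION
config_sets() {
    grep -q "^[[:space:]]*$2[[:space:]]" "$1/etc/named.conf"
}

# check_named_conf CHROOT  -> parse the file the way named will, if the tool
# is installed; -t chroots like named does, so this part needs root
check_named_conf() {
    if [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$1" /etc/named.conf
    else
        echo "skipping named-checkconf (needs root and bind installed)" >&2
    fi
}

# Usage on the server, as root:  CHROOT=/var/named/chroot sh hardened-named.sh
# Without CHROOT set it writes to a scratch directory you can inspect first.
target=${CHROOT:-$(mktemp -d)}
write_named_conf "$target"
check_named_conf "$target"
echo "wrote $target/etc/named.conf"
```

The three lines that matter are recursion no; (the server never looks anything up on behalf of a client, so it cannot be used for cache poisoning or reflection), allow-transfer (without it anyone can pull the whole zone with dig axfr), and version (scanners fingerprint 9.3.x by its banner).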
herbsite forward zone, file named_herbsite.tw (in zone files ; is the only comment syntax, unlike the // accepted in named.conf, so the SOA fields are labelled with ; comments):
$TTL 1d
@       IN SOA  www.herbsite.tw. root.herbsite.tw. (
                2009090100      ; serial (YYYYMMDDnn, bump it on every change)
                28800           ; refresh
                14400           ; retry
                720000          ; expire
                86400 )         ; minimum, i.e. the negative-caching TTL
@       IN NS   herbsite.tw.
@       IN A    134.208.75.141
@       IN NS   dns.herbsite.tw.
dns     IN A    134.208.75.143
@       IN NS   www.herbsite.tw.
www     IN A    134.208.75.143
@       IN MX 10 mail.herbsite.tw.
mail    IN A    134.208.75.143
herbsite reverse zone, file arpa_134.208.75:
$TTL 1d
@       IN SOA  www.herbsite.tw. root.herbsite.tw. (   ; MNAME is the primary master, not localhost
                2009090100      ; serial
                28800           ; refresh
                14400           ; retry
                720000          ; expire
                86400 )         ; minimum
@       IN NS   herbsite.tw.
@       IN NS   mail.herbsite.tw.
141     IN PTR  herbsite.tw.
143     IN PTR  mail.herbsite.tw.   ; only the mail host gets a PTR, so our outgoing mail is not treated as spam
Then it can be started:
/etc/init.d/named restart
If it errors out or fails to start, check /var/log/messages.
The most common mistakes are semicolons and spaces: a missing ; after a } in named.conf, or a C-style // comment in a zone file, where only ; is a comment. Running named-checkconf and named-checkzone (for example named-checkzone herbsite.tw /var/named/chroot/var/named/named_herbsite.tw) before the restart reports these with the exact line number instead of leaving named dead.
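As an added example (not part of the original post), a small POSIX sh/awk lint that catches the two zone-file mistakes behind most failed restarts: a C-style // comment (only ; is a comment in a zone file) and a dotted name without its trailing dot, which BIND silently expands relative to the origin (herbsite.tw becomes herbsite.tw.herbsite.tw.). The two sample zone files are constructed here: bad.zone contains both mistakes, good.zone is the corrected version.

```shell
#!/bin/sh
# Added example, not part of the original post: a lint for BIND zone files.
# It flags "//" comments (only ";" is a comment in zone files, unlike
# named.conf) and dotted names missing their trailing dot, which BIND
# expands relative to the zone origin instead of rejecting. POSIX sh + awk.

# lint_zone FILE  -> one line per problem on stdout; exit 1 if any, else 0
lint_zone() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    {
        line = $0
        sub(/;.*$/, "", line)          # ";" starts the only legal comment
        if (line ~ /\/\//) {
            report("\"//\" is not a comment in a zone file, use \";\"")
            next
        }
        n = split(line, f, /[ \t]+/)
        # find the record type; field 1 is the owner (or empty), $TTL lines
        # and SOA continuation lines have no type and are skipped
        t = 0
        for (i = 2; i <= n; i++) {
            if (toupper(f[i]) ~ /^(NS|MX|PTR|CNAME|SOA)$/) { t = i; break }
        }
        if (t == 0) next
        type = toupper(f[t])
        tgt = (type == "MX") ? t + 2 : t + 1    # MX carries a preference first
        if (f[tgt] == "") { report(type " record has no target name"); next }
        if (f[tgt] ~ /\./ && f[tgt] !~ /\.$/) {
            report(type " target " f[tgt] " has dots but no trailing dot, BIND will append the origin")
        }
        if (type == "SOA") {
            if (f[tgt+1] ~ /\./ && f[tgt+1] !~ /\.$/) {
                report("SOA contact " f[tgt+1] " has no trailing dot")
            }
        } else if (f[tgt+1] != "") {
            report("unexpected text \"" f[tgt+1] "\" after the " type " record")
        }
    }
    END { exit (bad ? 1 : 0) }
    ' "$1"
}

# write_samples DIR  -> constructed zone files: bad.zone has a "//" comment
# and an NS target without its trailing dot, good.zone is the fixed version
write_samples() {
    cat > "$1/bad.zone" <<'EOF'
$TTL 1d
@ IN SOA dns.herbsite.tw. root.herbsite.tw. (
        2009090100 ; serial
        28800      ; refresh
        14400      ; retry
        720000     ; expire
        86400 )    ; minimum
@   IN NS  dns.herbsite.tw
141 IN PTR herbsite.tw.
143 IN PTR mail.herbsite.tw. //only the mail host gets a PTR
EOF
    sed -e 's|dns.herbsite.tw$|dns.herbsite.tw.|' -e 's|//|;|' "$1/bad.zone" > "$1/good.zone"
}

tmp=$(mktemp -d)
write_samples "$tmp"
if lint_zone "$tmp/bad.zone"; then echo "bad.zone: clean (unexpected)"; else echo "bad.zone: problems found"; fi
if lint_zone "$tmp/good.zone"; then echo "good.zone: clean"; else echo "good.zone: problems found"; fi
rm -rf "$tmp"
```

Run it as lint_zone /var/named/chroot/var/named/named_herbsite.tw before the restart; it is a pre-check, not a replacement for named-checkzone, which parses the file exactly as named does.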