课程第23/24次

阅读模式 · 发表于 2019-8-29 20:07:19

bind：

[root@server3 ~]# rpm -qa |grep bind
bind-utils-9.9.4-72.el7.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-9.9.4-72.el7.x86_64
rpcbind-0.2.0-47.el7.x86_64
bind-chroot-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-libs-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
[root@server3 ~]# rpm -ql bind-9.9.4-72.el7.x86_64
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
/run/named
/usr/lib/python2.7/site-packages/isc
/usr/lib/python2.7/site-packages/isc-2.0-py2.7.egg-info
/usr/lib/python2.7/site-packages/isc/__init__.py
/usr/lib/python2.7/site-packages/isc/__init__.pyc
/usr/lib/python2.7/site-packages/isc/__init__.pyo
/usr/lib/python2.7/site-packages/isc/checkds.py
/usr/lib/python2.7/site-packages/isc/checkds.pyc
/usr/lib/python2.7/site-packages/isc/checkds.pyo
/usr/lib/python2.7/site-packages/isc/coverage.py
/usr/lib/python2.7/site-packages/isc/coverage.pyc
/usr/lib/python2.7/site-packages/isc/coverage.pyo
/usr/lib/python2.7/site-packages/isc/dnskey.py
/usr/lib/python2.7/site-packages/isc/dnskey.pyc
/usr/lib/python2.7/site-packages/isc/dnskey.pyo
/usr/lib/python2.7/site-packages/isc/eventlist.py
/usr/lib/python2.7/site-packages/isc/eventlist.pyc
/usr/lib/python2.7/site-packages/isc/eventlist.pyo
/usr/lib/python2.7/site-packages/isc/keydict.py
/usr/lib/python2.7/site-packages/isc/keydict.pyc
/usr/lib/python2.7/site-packages/isc/keydict.pyo
/usr/lib/python2.7/site-packages/isc/keyevent.py
/usr/lib/python2.7/site-packages/isc/keyevent.pyc
/usr/lib/python2.7/site-packages/isc/keyevent.pyo
/usr/lib/python2.7/site-packages/isc/keymgr.py
/usr/lib/python2.7/site-packages/isc/keymgr.pyc
/usr/lib/python2.7/site-packages/isc/keymgr.pyo
/usr/lib/python2.7/site-packages/isc/keyseries.py
/usr/lib/python2.7/site-packages/isc/keyseries.pyc
/usr/lib/python2.7/site-packages/isc/keyseries.pyo
/usr/lib/python2.7/site-packages/isc/keyzone.py
/usr/lib/python2.7/site-packages/isc/keyzone.pyc
/usr/lib/python2.7/site-packages/isc/keyzone.pyo
/usr/lib/python2.7/site-packages/isc/parsetab.py
/usr/lib/python2.7/site-packages/isc/parsetab.pyc
/usr/lib/python2.7/site-packages/isc/parsetab.pyo
/usr/lib/python2.7/site-packages/isc/policy.py
/usr/lib/python2.7/site-packages/isc/policy.pyc
/usr/lib/python2.7/site-packages/isc/policy.pyo
/usr/lib/python2.7/site-packages/isc/utils.py
/usr/lib/python2.7/site-packages/isc/utils.pyc
/usr/lib/python2.7/site-packages/isc/utils.pyo
/usr/lib/systemd/system/named-setup-rndc.service
/usr/lib/systemd/system/named.service
/usr/lib/tmpfiles.d/named.conf
/usr/lib64/bind
/usr/libexec/generate-rndc-key.sh
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/share/doc/bind-9.9.4
/usr/share/doc/bind-9.9.4/Bv9ARM.ch01.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch02.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch03.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch04.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch05.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch06.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch07.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch08.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch09.html
/usr/share/doc/bind-9.9.4/Bv9ARM.ch10.html
/usr/share/doc/bind-9.9.4/Bv9ARM.html
/usr/share/doc/bind-9.9.4/Bv9ARM.pdf
/usr/share/doc/bind-9.9.4/CHANGES
/usr/share/doc/bind-9.9.4/README
/usr/share/doc/bind-9.9.4/isc-logo.pdf
/usr/share/doc/bind-9.9.4/man.arpaname.html
/usr/share/doc/bind-9.9.4/man.ddns-confgen.html
/usr/share/doc/bind-9.9.4/man.dig.html
/usr/share/doc/bind-9.9.4/man.dnssec-checkds.html
/usr/share/doc/bind-9.9.4/man.dnssec-coverage.html
/usr/share/doc/bind-9.9.4/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.9.4/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.9.4/man.dnssec-keygen.html
/usr/share/doc/bind-9.9.4/man.dnssec-revoke.html
/usr/share/doc/bind-9.9.4/man.dnssec-settime.html
/usr/share/doc/bind-9.9.4/man.dnssec-signzone.html
/usr/share/doc/bind-9.9.4/man.dnssec-verify.html
/usr/share/doc/bind-9.9.4/man.genrandom.html
/usr/share/doc/bind-9.9.4/man.host.html
/usr/share/doc/bind-9.9.4/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.9.4/man.named-checkconf.html
/usr/share/doc/bind-9.9.4/man.named-checkzone.html
/usr/share/doc/bind-9.9.4/man.named-journalprint.html
/usr/share/doc/bind-9.9.4/man.named.html
/usr/share/doc/bind-9.9.4/man.nsec3hash.html
/usr/share/doc/bind-9.9.4/man.nsupdate.html
/usr/share/doc/bind-9.9.4/man.rndc-confgen.html
/usr/share/doc/bind-9.9.4/man.rndc.conf.html
/usr/share/doc/bind-9.9.4/man.rndc.html
/usr/share/doc/bind-9.9.4/named.conf.default
/usr/share/doc/bind-9.9.4/sample
/usr/share/doc/bind-9.9.4/sample/etc
/usr/share/doc/bind-9.9.4/sample/etc/named.conf
/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.9.4/sample/var
/usr/share/doc/bind-9.9.4/sample/var/named
/usr/share/doc/bind-9.9.4/sample/var/named/data
/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.9.4/sample/var/named/named.ca
/usr/share/doc/bind-9.9.4/sample/var/named/named.empty
/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost
/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback
/usr/share/doc/bind-9.9.4/sample/var/named/slaves
/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-checkds.8.gz
/usr/share/man/man8/dnssec-coverage.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-importkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-keymgr.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/dnssec-verify.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@server3 ~]# rpm -qa |grep bind
bind-utils-9.9.4-72.el7.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-9.9.4-72.el7.x86_64
rpcbind-0.2.0-47.el7.x86_64
bind-chroot-9.9.4-72.el7.x86_64
bind-license-9.9.4-72.el7.noarch
bind-libs-9.9.4-72.el7.x86_64
bind-libs-lite-9.9.4-72.el7.x86_64
[root@server3 ~]# rpm -ql bind-chroot-9.9.4-72.el7.x86_64
/usr/lib/systemd/system/named-chroot-setup.service
/usr/lib/systemd/system/named-chroot.service
/usr/libexec/setup-named-chroot.sh
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/run
/var/named/chroot/run/named
/var/named/chroot/usr
/var/named/chroot/usr/lib64
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/tmp
[root@server3 ~]#

复制代码

根据上面的查询情况，rhel7 bind配置文件仍然是在/etc/下面的named.conf, 而数据库在/var/named/chroot/var/named/

/var/named/chroot/var/named下面的example.com.zone最少要写成这样：

; Specify the time-to-live( TTL ) for the zone
$TTL 86400 ; 1 Day ( we could have used 1D )
; Begin Start Of Authority resource record
example.com. IN SOA server3.example.com. root.server3.example.com. (
2010091500 ; serial number
1H ; refresh slave
5M ; retry query
1W ; expire
1M ; negative TTL
)
; Specify our name servers
; !!WARNING: You can not use CNAMEs for RDATA here !!
; owner TTL CL type RDATA
@ IN NS server3.example.com.
; Specify our mail exchangers
; !!WARNING: You can not use CNAMEs for RDATA here !!
; owner TTL CL type RDATA
; This is broken and against RFC but must be done to placate the masses
; owner TTL CL type RDATA
example.com. IN A 192.168.0.103
; List our CNAME records ( aliases ) here
; owner TTL CL type RDATA
; List our A records ( hosts ) here
; owner TTL CL type RDATA
server3.example.com. IN A 192.168.0.103

复制代码

/var/named/chroot/var/named/下面的192.168.0.zone最少要写成：

; Specify the time-to-live( TTL ) for the zone
$TTL 86400 ; 1 Day ( we could have used 1D )
; Begin Start Of Authority resource record
0.168.192.IN-ADDR.ARPA. IN SOA server3.example.com. root.server3.example.com.(
2009062000 ; serial number
1H ; refresh slave
5M ; retry query
1W ; expire
1M ; negative TTL
)
; Specify our name servers
; !!WARNING: You can not use CNAMEs for RDATA here !!
; owner TTL CL type RDATA
@ IN NS server3.example.com.
; List our PTR records ( rev lookup ) here
; owner TTL CL type RDATA
103.0.168.192.IN-ADDR.ARPA. IN PTR server3.example.com.

复制代码

-------------------------
在bind的世界里，全长的主机名结尾都要加上. 没有任何例外。
[root@server3 named]# ls -l
total 0
lrwxrwxrwx. 1 root root 25 Aug 29 20:40 192.168.0.zone -> /var/named/192.168.0.zone
lrwxrwxrwx. 1 root root 27 Aug 29 20:40 example.com.zone -> /var/named/example.com.zone
lrwxrwxrwx. 1 root root 19 Aug 29 20:19 named.ca -> /var/named/named.ca
lrwxrwxrwx. 1 root root 26 Aug 29 20:19 named.localhost -> /var/named/named.localhost
lrwxrwxrwx. 1 root root 25 Aug 29 20:19 named.loopback -> /var/named/named.loopback
------------------------------
最后是权限问题（组要归named所有）：

[root@server3 named]# ls -Z
-rw-r-----. root root unconfined_u

bject_r:named_zone_t:s0 192.168.0.zone
drwxr-x---. root named system_u

bject_r:named_conf_t:s0 chroot
drwxrwx---. named named system_u

bject_r:named_cache_t:s0 data
drwxrwx---. named named system_u

bject_r:named_cache_t:s0 dynamic
-rw-r-----. root root unconfined_u

bject_r:named_zone_t:s0 example.com.zone
-rw-r-----. root named system_u

bject_r:named_conf_t:s0 named.ca
-rw-r-----. root named system_u

bject_r:named_zone_t:s0 named.empty
-rw-r-----. root named system_u

bject_r:named_zone_t:s0 named.localhost
-rw-r-----. root named system_u

bject_r:named_zone_t:s0 named.loopback
drwxrwx---. named named system_u

bject_r:named_cache_t:s0 slaves
[root@server3 named]# chgrp named 192.168.0.zone
[root@server3 named]# chgrp named example.com.zone
[root@server3 named]# systemctl restart named
----------------------------------------------------------------

---------------------------------------
每次重新启动sshd的时候，会检查/etc/ssh有没有key，如果没有就会重新生成：

[root@server3 ssh]# ls
moduli ssh_host_ed25519_key ssh_host_rsa_key.pub
ssh_config ssh_host_ed25519_key.pub
sshd_config ssh_host_rsa_key
[root@server3 ssh]# systemctl restart sshd
[root@server3 ssh]# ls
moduli ssh_host_ecdsa_key ssh_host_ed25519_key.pub
ssh_config ssh_host_ecdsa_key.pub ssh_host_rsa_key
sshd_config ssh_host_ed25519_key ssh_host_rsa_key.pub

复制代码

ssh -L 9999:172.31.118.100:22 192.168.0.103 sleep 30000

复制代码

[root@desktop3 ~]# ssh -p 9999 127.0.0.1
root@127.0.0.1's password:
Last login: Thu Aug 29 10:13:39 2019 from 172.31.118.103
[root@server1 ~]# ls
anaconda-ks.cfg initial-setup-ks.cfg 下载图片桌面视频
Desktop tmp 公共文档模板音乐

复制代码

chronyd本地时间源服务器，配置：

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
local stratum 8
manual
# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift
# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3
# Enable kernel synchronization of the real-time clock (RTC).
rtcsync
# Enable hardware timestamping on all interfaces that support it.
#hwtimestamp *
# Increase the minimum number of selectable sources required to adjust
# the system clock.
#minsources 2
# Allow NTP client access from local network.
allow 192.168.0.0/24
# Serve time even if not synchronized to a time source.
#local stratum 10
# Specify file containing keys for NTP authentication.
#keyfile /etc/chrony.keys
# Specify directory for log files.
logdir /var/log/chrony
# Select which information is logged.
#log measurements statistics tracking

复制代码

firewall-cmd --permanent --add-service ntp
firewall-cmd --reload

复制代码

------------------------------------------------------------------

lspci

复制代码

lsmod | grep e100

复制代码

modprobe e100

复制代码

[root@server3 network-scripts]# ethtool ens33
Settings for ens33:
Supported ports: [ TP ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Supported pause frame use: No
Supports auto-negotiation: Yes
Supported FEC modes: Not reported
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
1000baseT/Full
Advertised pause frame use: No
Advertised auto-negotiation: Yes
Advertised FEC modes: Not reported
Speed: 1000Mb/s
Duplex: Full
Port: Twisted Pair
PHYAD: 0
Transceiver: internal
Auto-negotiation: on
MDI-X: off (auto)
Supports Wake-on: d
Wake-on: d
Current message level: 0x00000007 (7)
drv probe link
Link detected: yes
[root@server3 network-scripts]# ip route
default via 192.168.0.1 dev ens33 proto static metric 100
192.168.0.0/24 dev ens33 proto kernel scope link src 192.168.0.103 metric 100
192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1
[root@server3 network-scripts]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 ens33
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 ens33
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
[root@server3 network-scripts]# ping 202.101.98.55
PING 202.101.98.55 (202.101.98.55) 56(84) bytes of data.
64 bytes from 202.101.98.55: icmp_seq=2 ttl=48 time=272 ms
64 bytes from 202.101.98.55: icmp_seq=3 ttl=48 time=306 ms
64 bytes from 202.101.98.55: icmp_seq=4 ttl=48 time=272 ms
^C
--- 202.101.98.55 ping statistics ---
4 packets transmitted, 3 received, 25% packet loss, time 3001ms
rtt min/avg/max/mdev = 272.149/283.844/306.480/16.014 ms
[root@server3 network-scripts]# route del -net 0.0.0.0
[root@server3 network-scripts]# ping 202.101.98.55
connect: Network is unreachable
[root@server3 network-scripts]# ping 192.168.0.3
PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
64 bytes from 192.168.0.3: icmp_seq=1 ttl=64 time=0.501 ms
^C
--- 192.168.0.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.501/0.501/0.501/0.000 ms
[root@server3 network-scripts]# route add -net 0.0.0.0 gw 192.168.0.1
[root@server3 network-scripts]# ping 202.101.98.55
PING 202.101.98.55 (202.101.98.55) 56(84) bytes of data.
64 bytes from 202.101.98.55: icmp_seq=2 ttl=48 time=276 ms
64 bytes from 202.101.98.55: icmp_seq=3 ttl=48 time=273 ms
^C
--- 202.101.98.55 ping statistics ---
4 packets transmitted, 2 received, 50% packet loss, time 3015ms
rtt min/avg/max/mdev = 273.343/275.079/276.815/1.736 ms
[root@server3 network-scripts]#

复制代码

mtr 202.101.98.55

复制代码

netstat -lntp 列出本机监听的端口，而ss -ta列出对方连接的过程。