

---------------------------------------------------------------
 Original etogo teksta raspolozhen v zhurnale "YUniksoid"
 http://www.fima.net/bind-8.html
---------------------------------------------------------------
Bind 8.x.x.
Vvedenie. Eta stat'ya posvyashchena BIND versii 8.x.x. Eta versiya poyavilas'
otnositel'no nedavno. Ona imeet sovershenno drugoj konfiguracionnyj
fajl (named.conf), nezheli BIND versii 4 (named.boot). Takzhe v novoj versii poyavilas' massa
novyh vozmozhnostej: novye RR zapisi, uluchshennaya 'zone-check' procedura, special'nye serijnye nomera i dr.
P.S. Ogovoryus' srazu, v etoj stat'e opisany daleko ne vse vozmozhnosti BIND 8, a tol'ko osnovnye.

Primer named.conf i opisanie opcij:

Bud'te vnimatel'ny: ne zabyvajte stavit' ";" posle kazhdogo operatora i posle zakryvayushchej skobki "}". Kommentarii v named.conf zapisyvayutsya kak "//", "#" ili "/* ... */"; poyasneniya posle "--" v etom primere -- ne chast' sintaksisa.

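options {                                   // "options" section: server-wide defaults, overridable per zone / per server.
        directory ".";                      // Working directory; every relative file name below is resolved against it.
        named-xfer "/usr/libexec/named-xfer";   // Path to the zone-transfer helper program.
        dump-file "named_dump.db";          // Cache dump file (name, or path relative to the working directory).
        pid-file "/var/run/named.pid";      // PID file.
        memstatistics-file "named.memstats";    // Memory-usage statistics file.
        statistics-file "named.stats";      // Query statistics file.
        check-names master fail;            // Check host names in master zones; "fail" rejects the zone. The log names
                                            // the master zone in which the bad name was found.
        check-names slave warn;             // Same check for slave zones, but only warn.
        check-names response ignore;        // Same check applied to answers received from other servers.
        host-statistics no;                 // Per-host query statistics.
        deallocate-on-exit no;              // Free every object on shutdown; useful when hunting memory misuse,
                                            // the full report ends up in memstatistics-file.
        forward-only;                       // Old-style spelling of "forward only" (the BIND 4 "slave" directive).
                                            // NOTE: "forward first;" further down is the newer form of the same
                                            // option; use one or the other, not both. Forwarding has no effect
                                            // unless "forwarders" lists at least one address.
        datasize default;                   // Data-segment size limit.
        stacksize default;                  // Stack size limit.
        coresize default;                   // Core-file size limit.
        files unlimited;                    // Maximum number of open files.
        recursion yes;                      // Allow recursive queries.
                                            // SECURITY: combined with "allow-query { any; }" below this is an open
                                            // recursive resolver that anyone on the Internet can use. Restrict the
                                            // options-level allow-query to your own networks (an acl) and open only
                                            // the authoritative zones with a per-zone "allow-query { any; }".
        fetch-glue yes;                     // Fetch missing glue records when building answers; commonly set to "no"
                                            // together with "recursion no" on authoritative-only servers.
        fake-iquery no;                     // Answer the obsolete IQUERY (inverse query) type with a fabricated reply.
        notify yes;                         // Send NOTIFY when a zone changes. Can also be set per zone ("zone-by-zone").
        auth-nxdomain yes;                  // Always set the AA bit on NXDOMAIN answers. Do not set this to "no"
                                            // unless you know what you are doing: older servers dislike it. :-)
        multiple-cnames no;                 // "yes" allows more than one CNAME RR per name. Non-standard and not
                                            // recommended; kept because earlier versions allowed it and large
                                            // sites used it for load balancing.
        allow-query { any; };               // Who may query this server (see the SECURITY note at "recursion").
        allow-transfer { any; };            // Who may pull whole zones (AXFR).
                                            // SECURITY: "any" lets every host enumerate all your zones. Restrict
                                            // this to the addresses of your secondaries (or a key, where supported);
                                            // a per-zone allow-transfer overrides this default.
        transfers-in 10;                    // Concurrent inbound zone transfers; should not be set above 20.
        transfers-per-ns 2;                 // Default number of concurrent transfers from any one name server.
        transfers-out 0;                    // Unfortunately not implemented in this version ;-)
        max-transfer-time-in 120;           // Maximum duration of an inbound zone transfer, in minutes.
        transfer-format one-answer;         // Format of outbound zone transfers. Two values:
                                            //  one-answer   - each RR in its own DNS message. Inefficient but simple.
                                            //                 All BIND versions before 8.1 generate this format for
                                            //                 outbound transfers and require it for inbound ones.
                                            //  many-answers - many RRs per DNS message. Most efficient, but only
                                            //                 BIND 8 understands it (a patched named-xfer exists for
                                            //                 BIND 4.9.5). NOT recommended if your peers run old
                                            //                 software. Can also be set per peer in a "server"
                                            //                 statement ("host-by-host").
        forward first;                      // Newer form of the forward option (see "forward-only" above).
        forwarders { };                     // Empty by default. Example:
                                            //   forwarders {
                                            //              1.2.3.4;
                                            //              5.6.7.8;
                                            //              };
        topology { localhost; localnets; }; // Which name servers to prefer, by network. Example:
                                            //   topology {
                                            //            10/8;              // preferred: 10.0.0.0 mask 255.0.0.0
                                            //            !1.2.3/24;         // never use 1.2.3.0 mask 255.255.255.0
                                            //            { 1.2/16; 3/8; };  // 1.2.0.0 mask 255.255.0.0 and
                                            //                               // 3.0.0.0 mask 255.0.0.0: used, but
                                            //                               // less preferred than 10/8
                                            //            };
        listen-on port 53 { any; };         // Accept queries on port 53 on every interface of the machine.
                                            // If the port is omitted, 53/udp is used. Examples:
                                            //   listen-on { 5.6.7.8; };                      // port 53, interface 5.6.7.8 only
                                            //   listen-on port 1234 { !1.2.3.4; 1.2.3/24; };  // port 1234 on every interface in
                                            //                                                // 1.2.3.0 mask 255.255.255.0,
                                            //                                                // except 1.2.3.4
        cleaning-interval 60;               // Minutes between cache cleanings (expired RRs removed).
        interface-interval 60;              // Minutes between rescans for new / removed interfaces.
        statistics-interval 60;             // Minutes between statistics dumps.
};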

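zone "your.ru" {                    // "zone" section: a master (primary) zone.
      type master;                  // master = primary.
      file "master.zone.ru";        // File holding the zone data (path relative to the working directory).
      check-names fail;             // Reject the zone if a name fails the check.
      allow-update { none; };       // No dynamic updates (the safe setting for a master).
      allow-transfer { any; };      // SECURITY: anyone may AXFR this zone; list the secondaries' addresses
                                    // (or a key) here instead of "any".
      allow-query { any; };         // Authoritative data may be queried by anyone.
      also-notify { };              // Extra servers (beyond the zone's NS records) to send NOTIFY to;
                                    // empty means no extra servers.
};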

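zone "not-your.ru" {                // "zone" section: a slave (secondary) zone.
      type slave;                   // slave = secondary.
      file "not-your.ru";           // File in which the transferred zone is stored (path relative to the working directory).
      masters { 1.2.3.4; 5.6.7.8; };    // Name servers from which the zone is transferred.
      transfer-source 10.0.0.53;    // Local address used for transfer requests; solves the multihoming problem
                                    // (the master sees one fixed address it can put in its allow-transfer list).
      allow-update { none; };       // A slave accepts no dynamic updates.
      allow-transfer { any; };      // SECURITY: same as for a master; restrict to hosts that really need AXFR.
      allow-query { any; };
      also-notify { };              // Extra servers (beyond the zone's NS records) to send NOTIFY to; empty = none.
      max-transfer-time-in 120;     // If not set, the value from "options" or the built-in default is used.
};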

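zone "stub.ru" {                    // "zone" section: a stub zone.
      type stub;                    // A stub zone is like a slave, but only the NS records are transferred.
      file "stub.ru";               // File for the transferred data. Must be distinct per zone: the original
                                    // example reused "not-your.ru", the slave zone's file, so both zones would
                                    // overwrite the same file.
      masters { 1.2.3.4; 5.6.7.8; };    // Name servers from which the NS records are fetched.
      check-names warn;             // Only warn about names failing the check.
      allow-update { none; };
      allow-transfer { any; };      // SECURITY: restrict as for any other zone.
      allow-query { any; };
      also-notify { };              // Extra servers (beyond the zone's NS records) to send NOTIFY to; empty = none.
      max-transfer-time-in 120;     // If not set, the value from "options" or the built-in default is used.
};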

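zone "." {                          // "zone" section: the root hints.
      type hint;                    // hint = the list of root name servers (the BIND 4 "cache" directive);
                                    // named uses it to prime its cache, it is not the cache itself.
      file "chahe.db";              // File holding the root hints.
};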

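acl can_query { !1.2.3/24; any; };  // Address match list: elements are tried in order and the FIRST match decides;
                                    // "!" denies. Hosts in 1.2.3.0 mask 255.255.255.0 are refused, everybody else
                                    // may use the server. SECURITY: a trailing "any" makes the list default-allow,
                                    // which is fine for queries but usually wrong for transfers or updates.
acl can_axfr { 1.2.3.4; can_query; };   // Allow one specific host from the denied network, 1.2.3.4, plus everything
                                    // can_query allows. The element must be "1.2.3.4;" WITHOUT "!" and must come
                                    // before can_query: the original example wrote "!1.2.3.4;", which denies that
                                    // host (it is denied by 1.2.3/24 anyway), the opposite of what was intended.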

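zone "non-default-acl.ru" {         // "zone" section: a master zone with its own ACLs instead of the options defaults.
      type master;
      file "foo";
      allow-update { 1.2.3.4; 5.6.7.8; };   // Dynamic updates accepted only from these two addresses.
                                    // SECURITY: updates arrive over UDP, so an address-only list can be satisfied
                                    // with a forged source address; prefer key-based (TSIG) authentication where
                                    // the server supports keys in this list.
      allow-transfer { can_axfr; }; // Zone transfers: only hosts matched by the can_axfr acl.
      allow-query { can_query; };   // Queries: only hosts matched by the can_query acl.
};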

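key key2 {                          // "key" section (any name: key1 .. key5 ...); referenced from "server" statements.
      algorithm hmac-md5;           // Signature algorithm.
      secret "ereh terces rouy";    // The shared secret. Placeholder only: BIND 8 expects a base-64 encoded string
                                    // here, and this one is not. SECURITY: whoever can read this file can forge
                                    // signed requests, so keep named.conf unreadable to other users, or put the
                                    // key statements in a separate file with restrictive permissions and pull it
                                    // in with "include".
};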

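server 1.2.3.4 {                    // "server" section: extra settings for one remote name server.
      bogus no;                     // "yes" marks the server as giving bad data: named will no longer send
                                    // queries TO it (it does not stop queries coming from it).
      transfer-format one-answer;   // Per-peer override of the transfer format (see "options").
      transfers 0;                  // Concurrent transfers from this server; not implemented yet.
      keys { key2; };               // Sign requests to this server with key2, defined in the "key" section above.
};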
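logging {                           // "logging" section: where log messages go.
      channel syslog_errors {       // A channel: one destination plus a severity threshold.
          syslog user;              // Destination: syslog, facility "user".
          severity error;           // Minimum severity: critical, error, warning, notice, info,
                                    // debug [level] or dynamic.
      };
      // A channel can write to a file instead of syslog. "file" belongs INSIDE a channel;
      // the original example put it directly in "logging", where it is a syntax error:
      // channel file_log { file "file.log"; severity info; };
      category default { syslog_errors; };  // A channel receives nothing until a category is bound to it.
};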

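include "filename";                 // Pulls another file into this configuration at this point. Useful for keeping
                                    // secrets ("key" sections) in a separate file with tighter permissions.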

Sergej Minakov.

Last-modified: Fri, 22 Jan 1999 06:19:38 GMT