在 Windows 域环境中,DHCP 自动将分配的 IP 信息同步至 DNS 服务器,只需知晓机器名即可轻松实现远程连接,这一功能非常实用。Linux 系统同样能够实现 DHCP 与 DNS 的动态更新,配置过程也相当简便。通过查阅 man 5 dhcpd.conf 手册,详细研读即可掌握核心要领。
昨天参加了一场运维沙龙线下分享会,又拍云运维总监邵海杨先生的一句话令人深有感触:“千金难买早知道”。回想此前配置动态更新功能的经历,我在网上翻阅了大量博客,按照各种教程尝试却屡屡碰壁,最终对底层原理仍然一知半解。倘若当时静下心来认真阅读 man 文档,问题早已迎刃而解,对技术底层的理解也会更加透彻。在这个信息泛滥的时代,互联网非但未必让人更聪明,反而常因海量碎片信息让人迷失。技术学习终究需要沉下心来深入钻研。
DHCP 与 DNS 的基础配置资料已经非常丰富,此处不再赘述。有意者可自行查看 man 5 dhcpd.conf,重点关注以下配置中的关键部分,即可快速上手。
在此额外分享一个 DNS chroot 的实现步骤:首先安装 bind 并调通 named,然后安装 bind-chroot。执行 /usr/libexec/setup-named-chroot.sh /var/named/chroot on,接着停用 named,启用 named-chroot:
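# Switch from the plain named unit to the chroot unit.
# "disable" is the systemctl verb (the original line said "disabled",
# which systemctl rejects as an unknown command).
systemctl disable named; systemctl stop named
systemctl enable named-chroot; systemctl start named-chroot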
[root@pxe ~]# cat /etc/dhcp/dhcpd.conf
# /etc/dhcp/dhcpd.conf -- DHCP for 192.168.1.0/24 with dynamic DNS (DDNS)
# updates sent to the BIND server at 192.168.1.200, plus PXE boot options.
# The TSIG key below must be identical (name, algorithm, secret) to the
# "key SEC_DDNS" block in /etc/named.conf.
#
# "interim" is the original ISC DDNS scheme; ISC DHCP 4.3+ also offers
# "standard".  Keep whichever the installed dhcpd accepts.
ddns-update-style interim;
ddns-updates on;
do-forward-updates on;
# NOTE(review): with "allow client-updates" a client that asks (via the
# FQDN option) to register its own A record is left to do so itself; such
# a client holds no TSIG key, so under the allow-update policy in
# named.conf that forward record may never appear.  "ignore client-updates;"
# makes dhcpd perform both updates -- confirm against man 5 dhcpd.conf
# before changing.
allow client-updates;
allow bootp;
allow booting;
#allow client-updates;
# Vendor option spaces.  Cisco_LWAPP_AP and pxelinux are declared here but
# are not referenced anywhere else in this file.
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
# Client system architecture (option 93); used by the pxeclients class below.
option architecture-type code 93 = unsigned integer 16;
subnet 192.168.1.0 netmask 255.255.255.0 {
authoritative;
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option domain-name "it.lab";
option domain-name-servers 192.168.1.200;
range dynamic-bootp 192.168.1.100 192.168.1.199;
# TSIG key that signs the DNS update messages.  Whoever can read this
# secret can rewrite both it.lab zones, so treat dhcpd.conf as secret
# material.  hmac-md5 is deprecated; hmac-sha256 is accepted by both dhcpd
# and BIND, and a fresh secret can be generated with tsig-keygen (or
# ddns-confgen).  The value shown here is published in this article and
# must not be reused.
key SEC_DDNS {
algorithm hmac-md5;
secret 7ObhTIhKeDFMR2SbbS5s8A==;
};
ddns-domainname "it.lab";
# Forward and reverse zones to update.  Zone names end with a dot
# (absolute), and "primary" is the address named listens on (see
# named.conf).
zone it.lab.{
primary 192.168.1.200;
key SEC_DDNS;
}
zone 1.168.192.in-addr.arpa.{
primary 192.168.1.200;
key SEC_DDNS;
}
# Lease times in seconds: 10 minutes by default, 2 hours at most.
default-lease-time 600;
max-lease-time 7200;
# PXE clients: choose the bootloader by client architecture.  0x0007 is
# x86-64 EFI; some UEFI x86-64 firmware reports 0x0009 instead, which this
# rule would hand the BIOS loader -- extend the test if such clients show up.
class "pxeclients" {
match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
next-server 192.168.1.200;
if option architecture-type = 00:07 {
filename "uefi/syslinux.efi"; }
else {
filename "bios/pxelinux.0"; }
#filename "pxelinux.0"; }
}
}
[root@pxe ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// This instance is used as the AUTHORITATIVE server for it.lab and its
// reverse zone (recursion is disabled below) and accepts TSIG-signed
// dynamic updates from dhcpd.  The "key SEC_DDNS" block near the end must
// match the one in /etc/dhcp/dhcpd.conf exactly.
options {
// Serve on loopback and on the LAN address that dhcpd.conf points at.
listen-on port 53 { 127.0.0.1;192.168.1.200; };
listen-on-v6 port 53 { ::1; };
// Zone "file" paths below are relative to this directory.
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Anyone may query, but with "recursion no" only the zones held here are
// answered; other names are not resolved on the client's behalf.
allow-query { any;};
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
// NOTE(review): dnssec-enable and dnssec-lookaside are Red Hat template
// defaults from an older BIND.  ISC shut down the DLV registry in 2017, so
// "dnssec-lookaside auto" and the DLV key file below do nothing useful,
// and newer BIND releases deprecate or drop both options -- check
// named.conf(5) for the installed version before upgrading.
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
// session.key is what "nsupdate -l" (update-policy local) uses; the zones
// below are authorised by SEC_DDNS instead, so it is unused here.
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Root hints; only relevant if recursion were turned on.
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// TSIG key shared with dhcpd.  Anyone holding this secret can rewrite both
// zones, so keep named.conf (or a separately included key file)
// unreadable to other users.  hmac-md5 is deprecated; hmac-sha256 is
// accepted here and by dhcpd, and a fresh secret can be generated with
// tsig-keygen.  The value below is published in this article and must not
// be reused.
key SEC_DDNS {
algorithm hmac-md5;
secret 7ObhTIhKeDFMR2SbbS5s8A==;
};
// Dynamically updated zones.  Only updates signed with SEC_DDNS are
// accepted (never use "allow-update { any; }").  named writes a .jnl
// journal next to each zone file, so the directory holding the file must
// be writable by named; on RHEL-family hosts with SELinux enforcing, files
// placed directly in /var/named usually are not, which is why such zones
// are commonly kept under /var/named/dynamic/ or the
// named_write_master_zones boolean is enabled -- confirm on the host.
zone "it.lab" IN {
type master;
file "it.lab.forward";
allow-update { key SEC_DDNS ; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.reverse";
allow-update { key SEC_DDNS ; };
};
配置的核心在于密钥的匹配,以及 dhcpd.conf 中 zone 声明的书写格式。只要密钥与 named.conf 保持一致,并且正确设置 allow-update 权限,动态更新机制即可顺利运行。此后,任何新机器通过 DHCP 获取 IP 地址时,DNS 记录便会自动生成,极大节省运维时间和精力。
