
Korea Oracle User Group


Setting up a DNS server for Oracle RAC SCAN

 

1. Check that the packages are installed

[root@kwanst ~]# dnf list bind bind-utils
Last metadata expiration check: 0:00:18 ago on Mon 16 Nov 2020 08:06:26 PM KST.
Installed Packages
bind.x86_64                                32:9.11.4-26.P2.el7                          @System
bind-utils.x86_64                          32:9.11.4-26.P2.el7                          @System

 

If they are not installed, install them as follows.

 

[root@kwanst etc]# yum install bind bind-utils
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.kakao.com
 * extras: mirror.kakao.com
 * updates: mirror.kakao.com
Package 32:bind-utils-9.11.4-16.P2.el7_8.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.11.4-16.P2.el7_8.6 will be installed
--> Processing Dependency: python-ply for package: 32:bind-9.11.4-16.P2.el7_8.6.x86_64
--> Running transaction check
---> Package python-ply.noarch 0:3.4-11.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================
 Package                     Arch                    Version                                    Repository                Size
===============================================================================================================================
Installing:
 bind                        x86_64                  32:9.11.4-16.P2.el7_8.6                    updates                  2.3 M
Installing for dependencies:
 python-ply                  noarch                  3.4-11.el7                                 base                     123 k

Transaction Summary
===============================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 2.4 M
Installed size: 5.9 M
Is this ok [y/d/N]: y
Downloading packages:
(1/2): python-ply-3.4-11.el7.noarch.rpm                                                                 | 123 kB  00:00:00     
(2/2): bind-9.11.4-16.P2.el7_8.6.x86_64.rpm                                                             | 2.3 MB  00:00:00     
-------------------------------------------------------------------------------------------------------------------------------
Total                                                                                          7.2 MB/s | 2.4 MB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : python-ply-3.4-11.el7.noarch                                                                                1/2 
  Installing : 32:bind-9.11.4-16.P2.el7_8.6.x86_64                                                                         2/2 
  Verifying  : 32:bind-9.11.4-16.P2.el7_8.6.x86_64                                                                         1/2 
  Verifying  : python-ply-3.4-11.el7.noarch                                                                                2/2 

Installed:
  bind.x86_64 32:9.11.4-16.P2.el7_8.6                                                                                          

Dependency Installed:
  python-ply.noarch 0:3.4-11.el7                                                                                               

Complete!

 

2. Server-side configuration

Edit the /etc/named.conf file as follows:

1) Specify the IP address to listen on

2) Edit the allow-query section

3) Add the localdomain zone

 

[root@kwanst ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.45.105; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        //allow-query     { localhost; };
        allow-query     { 192.168.45/24; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable 
           recursion. 
         - If your recursive DNS server has a public IP address, you MUST enable access 
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

// reverse zone for 192.168.45.0/24; without this stanza the
// 45.168.192.in-addr.arpa file created in the next step is never loaded
zone "45.168.192.in-addr.arpa." IN {
        type master;
        file "45.168.192.in-addr.arpa";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

 

Create the /var/named/localdomain.zone file and fill it in as follows:

 

[root@kwanst ~]# vi /var/named/localdomain.zone
$TTL    86400
@               IN SOA localhost root.localhost(
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D)     ; minimum
                IN NS   localhost
localhost       IN A    127.0.0.1
mprac1          IN A    192.168.45.201
mprac2          IN A    192.168.45.202
mprac1-vip      IN A    192.168.45.211
mprac2-vip      IN A    192.168.45.212
mprac-cluster-scan      IN A    192.168.45.221
mprac-cluster-scan      IN A    192.168.45.222
mprac-cluster-scan      IN A    192.168.45.223

 

Create the /var/named/45.168.192.in-addr.arpa file:

 

[root@kwanst ~]# vi /var/named/45.168.192.in-addr.arpa
$ORIGIN 45.168.192.in-addr.arpa.
$TTL 1H
@       IN SOA  kwanst.localdomain. root.kwanst.localdomain. ( 2
                                3H
                                1H
                                1W
                                1H )
45.168.192.in-addr.arpa.        IN NS   kwanst.localdomain.
201     IN PTR mprac1.localdomain.
202     IN PTR mprac2.localdomain.
211     IN PTR mprac1-vip.localdomain.
212     IN PTR mprac2-vip.localdomain.
221     IN PTR mprac-cluster-scan.localdomain.
222     IN PTR mprac-cluster-scan.localdomain.
223     IN PTR mprac-cluster-scan.localdomain.
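Before restarting named it is worth checking that the forward and reverse zones agree with each other, which BIND's own named-checkconf and named-checkzone (syntax checks on one file at a time) do not do. The following Python script is an added example and not part of the original post: it re-parses constructed copies of the record lines from the two zone files above, confirms that the SCAN name carries the three addresses a RAC SCAN needs, that every address falls inside the 192.168.45.0/24 range given to allow-query, that every A record has a matching PTR and vice versa, and that every NS target is itself resolvable from the forward zone. The regular expressions cover only the record shapes used on this page, not the full master-file grammar. Run against the page's own records it reports one finding: the reverse zone names kwanst.localdomain as its name server, but the forward zone has no A record for kwanst.

```python
"""Static consistency check of the RAC forward zone against its reverse zone."""
import ipaddress
import re
from collections import defaultdict

# Constructed copies of the record lines from the two zone files on the page.
FORWARD_ZONE = """\
                IN NS   localhost
localhost       IN A    127.0.0.1
mprac1          IN A    192.168.45.201
mprac2          IN A    192.168.45.202
mprac1-vip      IN A    192.168.45.211
mprac2-vip      IN A    192.168.45.212
mprac-cluster-scan      IN A    192.168.45.221
mprac-cluster-scan      IN A    192.168.45.222
mprac-cluster-scan      IN A    192.168.45.223
"""
REVERSE_ZONE = """\
$ORIGIN 45.168.192.in-addr.arpa.
45.168.192.in-addr.arpa.        IN NS   kwanst.localdomain.
201     IN PTR mprac1.localdomain.
202     IN PTR mprac2.localdomain.
211     IN PTR mprac1-vip.localdomain.
212     IN PTR mprac2-vip.localdomain.
221     IN PTR mprac-cluster-scan.localdomain.
222     IN PTR mprac-cluster-scan.localdomain.
223     IN PTR mprac-cluster-scan.localdomain.
"""

# Only the record shapes used on this page are recognised.
A_RE = re.compile(r"^(\S+)\s+IN\s+A\s+(\d+\.\d+\.\d+\.\d+)\s*$")
PTR_RE = re.compile(r"^(\d+)\s+IN\s+PTR\s+(\S+?)\.?\s*$")
NS_RE = re.compile(r"^\S*\s+IN\s+NS\s+(\S+?)\.?\s*$")
ORIGIN_RE = re.compile(r"^\$ORIGIN\s+(\S+)\.in-addr\.arpa\.\s*$")


def parse_forward(text):
    """Return {hostname: set of IPv4 addresses} from the A records."""
    a = defaultdict(set)
    for line in text.splitlines():
        m = A_RE.match(line.split(";")[0])
        if m:
            a[m.group(1)].add(m.group(2))
    return a


def parse_reverse(text):
    """Return {ip: target name} from the PTR records, rebuilding the
    address from the $ORIGIN octets (written in reverse order)."""
    prefix, ptr = None, {}
    for line in text.splitlines():
        line = line.split(";")[0]
        m = ORIGIN_RE.match(line)
        if m:
            prefix = ".".join(reversed(m.group(1).split(".")))
            continue
        m = PTR_RE.match(line)
        if m and prefix:
            ptr[f"{prefix}.{m.group(1)}"] = m.group(2)
    return ptr


def parse_ns(text):
    """Return the NS target names of a zone file, in file order."""
    return [m.group(1) for m in (NS_RE.match(l.split(";")[0]) for l in text.splitlines()) if m]


def check_zones(fwd, rev, ns_targets, zone="localdomain",
                scan="mprac-cluster-scan", scan_count=3, allowed="192.168.45.0/24"):
    """Return a list of findings; an empty list means the zones agree."""
    out = []
    net = ipaddress.ip_network(allowed)
    # A RAC SCAN name is expected to resolve to three addresses (round-robin).
    if len(fwd.get(scan, ())) != scan_count:
        out.append(f"{scan} has {len(fwd.get(scan, ()))} A records, expected {scan_count}")
    # Every cluster address must lie in the allow-query network and have a PTR back to its host.
    for host, ips in fwd.items():
        if host == "localhost":
            continue
        for ip in sorted(ips):
            if ipaddress.ip_address(ip) not in net:
                out.append(f"{host} {ip} lies outside {allowed}")
            if rev.get(ip) != f"{host}.{zone}":
                out.append(f"{host} {ip}: PTR is {rev.get(ip)}, expected {host}.{zone}")
    # No PTR may point at a name the forward zone does not know.
    for ip, name in rev.items():
        short = name[: -len(f".{zone}")] if name.endswith(f".{zone}") else name
        if ip not in fwd.get(short, ()):
            out.append(f"PTR {ip} -> {name} has no matching A record")
    # Name servers must themselves be resolvable from the forward zone.
    for ns in ns_targets:
        short = ns[: -len(f".{zone}")] if ns.endswith(f".{zone}") else ns
        if short not in fwd:
            out.append(f"NS {ns} has no A record in the forward zone")
    return out


if __name__ == "__main__":
    fwd, rev = parse_forward(FORWARD_ZONE), parse_reverse(REVERSE_ZONE)
    ns = parse_ns(FORWARD_ZONE) + parse_ns(REVERSE_ZONE)
    for line in check_zones(fwd, rev, ns) or ["zones consistent"]:
        print(line)
```

To check real files, read them with open() in place of the two constructed strings; the check functions take only the parsed dictionaries, so a zone pulled from /var/named is handled the same way.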

 

3. Start and enable the service

 

[root@kwanst ~]# systemctl start named.service 
[root@kwanst ~]# systemctl enable named.service 
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@kwanst ~]# systemctl status named.service 
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-11-16 21:44:52 KST; 30s ago
 Main PID: 31621 (named)
   CGroup: /system.slice/named.service
           └─31621 /usr/sbin/named -u named -c /etc/named.conf

Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: managed-keys-zone: Key 20326 for zone . acceptance timer c...sted
Nov 16 21:44:52 kwanst.localdomain named[31621]: resolver priming query complete
Hint: Some lines were ellipsized, use -l to show in full.
[root@kwanst ~]# 

 

4. Disable the firewall

[root@kwanst ~]# systemctl stop firewalld.service 
[root@kwanst ~]# systemctl disable firewalld.service 
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@kwanst ~]# 

 

5. Change the DNS settings on another server and verify

 

# ping result on mprac2 before pointing its DNS server at 192.168.45.105
[root@mprac2 ~]# ping mprac-cluster-scan
ping: mprac-cluster-scan: Name or service not known

# ping result on mprac2 after pointing its DNS server at 192.168.45.105
[root@mprac2 ~]# ping mprac-cluster-scan
PING mprac-cluster-scan.localdomain (192.168.45.221) 56(84) bytes of data.
From mprac2.localdomain (192.168.45.202) icmp_seq=1 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=2 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=3 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=4 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=5 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=6 Destination Host Unreachable
^C
--- mprac-cluster-scan.localdomain ping statistics ---
[root@mprac2 ~]# nslookup mprac-cluster-scan
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.221
Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.222
Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.223

[root@mprac2 ~]# nslookup mprac1
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac1.localdomain
Address: 192.168.45.201

[root@mprac2 ~]# nslookup mprac2
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac2.localdomain
Address: 192.168.45.202

[root@mprac2 ~]# nslookup mprac1-vip
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac1-vip.localdomain
Address: 192.168.45.211

[root@mprac2 ~]# nslookup mprac2-vip
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac2-vip.localdomain
Address: 192.168.45.212
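The nslookup session above checks each name by hand. The script below is an added example, not part of the original post, that performs the same checks programmatically on a client after it has been pointed at 192.168.45.105: every name must resolve to exactly the addresses in the zone file, and every returned address must reverse to the same fully qualified name. The resolver functions are parameters (defaulting to socket.gethostbyname_ex and socket.gethostbyaddr, which use the host's configured DNS), so the stub resolvers at the bottom, constructed here from the page's records, let the logic run offline.

```python
"""Post-deployment resolution check for the RAC names, mirroring step 5's nslookups."""
import socket

# Expected answers, taken from the zone files on the page.
EXPECTED = {
    "mprac1": {"192.168.45.201"},
    "mprac2": {"192.168.45.202"},
    "mprac1-vip": {"192.168.45.211"},
    "mprac2-vip": {"192.168.45.212"},
    "mprac-cluster-scan": {"192.168.45.221", "192.168.45.222", "192.168.45.223"},
}
DOMAIN = "localdomain"


def verify_all(expected=EXPECTED, domain=DOMAIN,
               forward=socket.gethostbyname_ex, reverse=socket.gethostbyaddr):
    """Check every name forward and every returned address backward.

    forward(name) -> (canonical_name, aliases, [ip, ...])  like socket.gethostbyname_ex
    reverse(ip)   -> (canonical_name, aliases, [ip, ...])  like socket.gethostbyaddr
    Both are parameters so the check can run offline against a stub resolver.
    Returns (all_ok, list_of_findings).
    """
    findings = []
    for name, want in expected.items():
        try:
            fqdn, _aliases, ips = forward(name)
        except OSError as exc:          # gaierror/herror are OSError subclasses
            findings.append(f"{name}: forward lookup failed ({exc})")
            continue
        got = set(ips)
        if fqdn != f"{name}.{domain}":
            findings.append(f"{name}: canonical name is {fqdn}, expected {name}.{domain}")
        if got != want:
            findings.append(f"{name}: got {sorted(got)}, expected {sorted(want)}")
        # A forward answer alone hides a missing or wrong PTR; check each address back.
        for ip in sorted(got):
            try:
                rname, _, _ = reverse(ip)
            except OSError as exc:
                findings.append(f"{ip}: reverse lookup failed ({exc})")
                continue
            if rname != f"{name}.{domain}":
                findings.append(f"{ip}: PTR is {rname}, expected {name}.{domain}")
    return not findings, findings


# Constructed stub resolvers answering exactly as the page's zone files would,
# so verify_all() can be exercised without the lab network.
def stub_forward(name, records=EXPECTED, domain=DOMAIN):
    if name not in records:
        raise socket.gaierror(f"{name}: Name or service not known")
    return f"{name}.{domain}", [], sorted(records[name])


def stub_reverse(ip, records=EXPECTED, domain=DOMAIN):
    for name, ips in records.items():
        if ip in ips:
            return f"{name}.{domain}", [], [ip]
    raise socket.herror(f"{ip}: Unknown host")


if __name__ == "__main__":
    ok, findings = verify_all()          # real resolver, as configured on this host
    print("OK" if ok else "MISMATCH")
    for line in findings:
        print(" ", line)
```

Because verify_all only inspects resolver answers it can be run from a RAC node or from the DNS host itself; a missing PTR shows up as a finding rather than being masked by a successful forward lookup, which is what a plain nslookup of the name alone would not reveal.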

 

 
