RAC SCAN 사용을 위한 DNS 서버 설정하기
1. 패키지 설치 확인
[root@kwanst ~]# dnf list bind bind-utils Last metadata expiration check: 0:00:18 ago on Mon 16 Nov 2020 08:06:26 PM KST. Installed Packages bind.x86_64 32:9.11.4-26.P2.el7 @System bind-utils.x86_64 32:9.11.4-26.P2.el7 @System
만약 설치되지 않았다면 아래와 같이 설치하면 된다.
[root@kwanst etc]# yum install bind bind-utils Loaded plugins: fastestmirror, langpacks Loading mirror speeds from cached hostfile * base: mirror.kakao.com * extras: mirror.kakao.com * updates: mirror.kakao.com Package 32:bind-utils-9.11.4-16.P2.el7_8.6.x86_64 already installed and latest version Resolving Dependencies --> Running transaction check ---> Package bind.x86_64 32:9.11.4-16.P2.el7_8.6 will be installed --> Processing Dependency: python-ply for package: 32:bind-9.11.4-16.P2.el7_8.6.x86_64 --> Running transaction check ---> Package python-ply.noarch 0:3.4-11.el7 will be installed --> Finished Dependency Resolution Dependencies Resolved =============================================================================================================================== Package Arch Version Repository Size =============================================================================================================================== Installing: bind x86_64 32:9.11.4-16.P2.el7_8.6 updates 2.3 M Installing for dependencies: python-ply noarch 3.4-11.el7 base 123 k Transaction Summary =============================================================================================================================== Install 1 Package (+1 Dependent package) Total download size: 2.4 M Installed size: 5.9 M Is this ok [y/d/N]: y Downloading packages: (1/2): python-ply-3.4-11.el7.noarch.rpm | 123 kB 00:00:00 (2/2): bind-9.11.4-16.P2.el7_8.6.x86_64.rpm | 2.3 MB 00:00:00 ------------------------------------------------------------------------------------------------------------------------------- Total 7.2 MB/s | 2.4 MB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Installing : python-ply-3.4-11.el7.noarch 1/2 Installing : 32:bind-9.11.4-16.P2.el7_8.6.x86_64 2/2 Verifying : 32:bind-9.11.4-16.P2.el7_8.6.x86_64 1/2 Verifying : python-ply-3.4-11.el7.noarch 2/2 Installed: bind.x86_64 32:9.11.4-16.P2.el7_8.6 Dependency 
Installed: python-ply.noarch 0:3.4-11.el7 Complete!
2. 서버측 설정
/etc/named.conf 파일을 아래와 같이 수정
1) IP 지정
2) allow-query 부분 수정
3) localdomain zone 내용 추가
[root@kwanst ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.45.105; };
        //listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        //allow-query     { localhost; };
        allow-query     { 192.168.45/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain." IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
/var/named/localdomain.zone 파일 생성 후 아래와 같이 설정
[root@kwanst ~]# vi /var/named/localdomain.zone
$TTL 86400
@       IN SOA  localhost root.localhost(
                42      ; serial
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D)     ; minimum
        IN NS   localhost
localhost           IN A 127.0.0.1
mprac1              IN A 192.168.45.201
mprac2              IN A 192.168.45.202
mprac1-vip          IN A 192.168.45.211
mprac2-vip          IN A 192.168.45.212
mprac-cluster-scan  IN A 192.168.45.221
mprac-cluster-scan  IN A 192.168.45.222
mprac-cluster-scan  IN A 192.168.45.223
/var/named/45.168.192.in-addr.arpa 파일 생성 (역방향 조회용). 위의 /etc/named.conf 에는 이 역방향 zone 선언이 없으므로, named 가 이 파일을 실제로 읽게 하려면 localdomain zone 과 같은 형식으로 `zone "45.168.192.in-addr.arpa" IN { type master; file "45.168.192.in-addr.arpa"; allow-update { none; }; };` stanza 를 named.conf 에 함께 추가해야 한다.
[root@kwanst ~]# vi /var/named/45.168.192.in-addr.arpa
$ORIGIN 45.168.192.in-addr.arpa.
$TTL 1H
@       IN SOA  kwanst.localdomain. root.kwanst.localdomain. ( 2 3H 1H 1W 1H )
45.168.192.in-addr.arpa.    IN NS   kwanst.localdomain.
201     IN PTR  mprac1.localdomain.
202     IN PTR  mprac2.localdomain.
211     IN PTR  mprac1-vip.localdomain.
212     IN PTR  mprac2-vip.localdomain.
221     IN PTR  mprac-cluster-scan.localdomain.
222     IN PTR  mprac-cluster-scan.localdomain.
223     IN PTR  mprac-cluster-scan.localdomain.
(참고: 여기서 NS 로 지정한 kwanst.localdomain. 은 앞의 localdomain.zone 에 A 레코드가 없으므로, 정방향 zone 에도 `kwanst IN A 192.168.45.105` 를 추가해 두어야 NS 이름이 해석된다.)
3. 서비스 시작 및 enable
[root@kwanst ~]# systemctl start named.service
[root@kwanst ~]# systemctl enable named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@kwanst ~]# systemctl status named.service
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2020-11-16 21:44:52 KST; 30s ago
 Main PID: 31621 (named)
   CGroup: /system.slice/named.service
           └─31621 /usr/sbin/named -u named -c /etc/named.conf

Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: network unreachable resolving './DNSKEY/IN': 2001:500:200::b#53
Nov 16 21:44:52 kwanst.localdomain named[31621]: managed-keys-zone: Key 20326 for zone . acceptance timer c...sted
Nov 16 21:44:52 kwanst.localdomain named[31621]: resolver priming query complete
Hint: Some lines were ellipsized, use -l to show in full.
[root@kwanst ~]#
(위 "network unreachable" 메시지는 IPv6 루트 서버 주소로의 재귀 질의가 실패한 로그로, 이 서버에서 IPv6 가 사용되지 않기 때문인 것으로 보인다. 내부 zone 응답에는 영향이 없다.)
4. 방화벽 disable
[root@kwanst ~]# systemctl stop firewalld.service
[root@kwanst ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@kwanst ~]#
(테스트 환경 기준의 설정이다. 방화벽을 통째로 끄는 대신 DNS 포트(53/tcp, 53/udp)만 허용해도 동일하게 동작한다: `firewall-cmd --permanent --add-service=dns` 후 `firewall-cmd --reload`.)
5. 다른 서버에서 DNS 정보를 수정한 후 확인하기
# mprac2 서버에서 DNS 정보를 192.168.45.105로 변경하기 전 ping 결과
[root@mprac2 ~]# ping mprac-cluster-scan
ping: mprac-cluster-scan: Name or service not known

# mprac2 서버에서 DNS 정보를 192.168.45.105로 변경한 후 ping 결과
[root@mprac2 ~]# ping mprac-cluster-scan
PING mprac-cluster-scan.localdomain (192.168.45.221) 56(84) bytes of data.
From mprac2.localdomain (192.168.45.202) icmp_seq=1 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=2 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=3 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=4 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=5 Destination Host Unreachable
From mprac2.localdomain (192.168.45.202) icmp_seq=6 Destination Host Unreachable
^C
--- mprac-cluster-scan.localdomain ping statistics ---
(이름이 192.168.45.221 로 해석된 것 자체가 확인 목적이며, "Destination Host Unreachable" 은 아직 그 IP 를 가진 호스트가 올라와 있지 않기 때문으로 보인다.)

[root@mprac2 ~]# nslookup mprac-cluster-scan
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.221
Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.222
Name:   mprac-cluster-scan.localdomain
Address: 192.168.45.223

[root@mprac2 ~]# nslookup mprac1
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac1.localdomain
Address: 192.168.45.201

[root@mprac2 ~]# nslookup mprac2
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac2.localdomain
Address: 192.168.45.202

[root@mprac2 ~]# nslookup mprac1-vip
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac1-vip.localdomain
Address: 192.168.45.211

[root@mprac2 ~]# nslookup mprac2-vip
Server:         192.168.45.105
Address:        192.168.45.105#53

Name:   mprac2-vip.localdomain
Address: 192.168.45.212