博威 --- cloud architecture decides cloud computing

Views: 1870 | Replies: 2

On configuring Red Hat AS 4 DNS master/slave servers (original)

Posted 2007-4-21 11:18:07
I once installed two Red Hat AS 4 Linux machines and two Red Flag AS 4.1 Linux machines in virtual machines. Using the two Red Flag boxes for a DNS master/slave experiment, everything worked. But doing the same experiment the same way on the two Red Hat boxes, the master's resource record files could never be transferred to the slave. Likewise, with a Red Hat box as master and a Red Flag box as slave the experiment succeeded, while with a Red Flag box as master and a Red Hat box as slave it failed again.

After N days of frustration I finally found the cause. Under Red Flag Linux the owner of /var/named is named, and the owner has write permission, whereas under Red Hat AS4 the owner of /var/named is root, so the named user has no write permission on the /var/named directory. The slave DNS server writes the zone files it fetches from the master into /var/named/chroot/var/named (Red Hat AS4) or /var/named (Red Flag) as the named user. That is why the Red Flag master/slave experiment worked while on Red Hat AS4 it was denied: the whole difference is whether there is write permission. N days of frustration, and the reason was that simple. I hope this can serve as a reference for those who come after.
      Below I post my configuration files:
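An added example, not code from the original post, that checks on the slave both things that can stop named from writing a transferred zone into a directory: the ordinary mode bits as seen by the `named` user, and the directory's SELinux label. The pure functions take stat fields so they can be exercised with the values from this thread (a root-owned 0755 /var/named versus a named-owned one); `check_zone_dir` runs them against a real path. The set of SELinux types that named may write to, and the `named_write_master_zones` boolean, are assumptions about the RHEL4/5 targeted policy; confirm them on the host with `getsebool named_write_master_zones` and `ls -Zd`.

```python
"""Check whether the BIND `named` user can write zone-transfer results into a
directory, the way the slave in this thread needs to.  Added example, not
code from the original post.  Two checks mirror the two layers that can
refuse the write: classic Unix (DAC) permissions and the SELinux type label.
"""
import grp
import os
import pwd
import stat

# Assumed (verify with getsebool/ls -Zd): under the RHEL4/5 targeted policy
# named_t may write named_cache_t (the label of /var/named/slaves and
# /var/named/data) unconditionally, and named_zone_t (the label of
# /var/named itself) only while the named_write_master_zones boolean is on.
WRITABLE_TYPES_DEFAULT = {"named_cache_t"}
WRITABLE_TYPES_WITH_BOOLEAN = {"named_cache_t", "named_zone_t"}


def dac_writable(mode, dir_uid, dir_gid, uid, gids):
    """True if a process running as uid/gids may create files in a directory
    whose stat() reports mode/dir_uid/dir_gid.  uid 0 bypasses the mode bits,
    which is why a quick test as root never reproduces the slave's failure."""
    if uid == 0:
        return True
    if uid == dir_uid:
        return bool(mode & stat.S_IWUSR)
    if dir_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def selinux_type(label):
    """Type field of a label such as 'system_u:object_r:named_zone_t' (the
    tcontext in the slave's AVC lines); None when there is no label."""
    if not label:
        return None
    parts = label.rstrip("\x00").split(":")
    return parts[2] if len(parts) >= 3 else None


def selinux_allows_write(label, write_master_zones=False):
    """Does the label's type let named_t create files?  An unlabelled path
    (no SELinux) counts as allowed; the boolean widens the writable set."""
    t = selinux_type(label)
    if t is None:
        return True
    allowed = WRITABLE_TYPES_WITH_BOOLEAN if write_master_zones else WRITABLE_TYPES_DEFAULT
    return t in allowed


def check_zone_dir(path, user="named", write_master_zones=False):
    """Run both checks against a real directory and report each layer
    separately, so the caller can see which one is blocking the transfer."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    gids = {g.gr_gid for g in grp.getgrall() if user in g.gr_mem} | {pw.pw_gid}
    try:
        label = os.getxattr(path, "security.selinux").decode()
    except (OSError, AttributeError):
        label = None  # no SELinux xattr on this path, or not Linux at all
    return {
        "dac": dac_writable(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids),
        "selinux": selinux_allows_write(label, write_master_zones),
        "label": label,
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/var/named/chroot/var/named"
    print(check_zone_dir(target))
```

Run it on the slave as `python3 check_zone_dir.py /var/named/chroot/var/named`; a result with `dac` true and `selinux` false means changing owner or mode will not help and the zone files belong in a directory named may write to.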
OP | Posted 2007-4-21 11:18:37
Master DNS server settings
------------Master DNS server IP: 192.168.10.112
------------Slave DNS server IP: 192.168.10.111
Contents of /etc/resolv.conf:
search gao.com
nameserver 192.168.10.112

Contents of /etc/named.conf:
//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        allow-transfer {192.168.10.111;};
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
       inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};
zone "gao.com" IN {
        type master;
        file "gao.com";
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "gao.192.168.10";
};

include "/etc/rndc.key";



Contents of /var/named/chroot/var/named/gao.com:
$TTL 86400
@       IN      SOA     www.gao.com.    root.www.gao.com. (
                                        1999010101
                                        28800
                                        14400
                                        3600000
                                        86400)
@               IN      NS      www.gao.com.
www             IN      A       192.168.10.112
test1           IN      A       192.168.10.150
test2           IN      A       192.168.10.151
test3           IN      A       192.168.10.152
test1bak        IN      CNAME   test1
test2bak        IN      CNAME   test2
test3bak        IN      CNAME   test3

Contents of /var/named/chroot/var/named/gao.192.168.10:
$TTL 86400
@       IN      SOA     www.gao.com.    root.www.gao.com. (
                                        1999010101
                                        28800
                                        14400
                                        3600000
                                        86400)
@               IN      NS      www.gao.com.
112  IN      PTR     www.gao.com.
150  IN      PTR     test1.gao.com.
151  IN      PTR     test2.gao.com.
152  IN      PTR     test3.gao.com.

Log file contents after starting the named service on the master and the slave:

[root@gao log]# tail -f /var/log/messages

Jul 29 02:51:34 gao named[3318]: client 192.168.10.111#32776: transfer of 'gao.com/IN': AXFR started
Jul 29 02:55:01 gao crond(pam_unix)[3339]: session opened for user root by (uid=0)
Jul 29 02:55:02 gao crond(pam_unix)[3339]: session closed for user root
Jul 29 02:58:00 gao named[3318]: client 192.168.10.111#32773: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 02:58:00 gao named[3318]: client 192.168.10.111#32774: transfer of 'gao.com/IN': AXFR started
Jul 29 02:58:42 gao named[3318]: client 192.168.10.111#32775: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 02:58:53 gao named[3318]: client 192.168.10.111#32776: transfer of 'gao.com/IN': AXFR started
Jul 29 03:00:01 gao crond(pam_unix)[3342]: session opened for user root by (uid=0)
Jul 29 03:00:01 gao crond(pam_unix)[3341]: session opened for user root by (uid=0)
Jul 29 03:00:01 gao crond(pam_unix)[3341]: session closed for user root
Jul 29 03:00:02 gao crond(pam_unix)[3342]: session closed for user root
Jul 29 03:00:08 gao named[3318]: client 192.168.10.111#32777: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:00:27 gao named[3318]: client 192.168.10.111#32778: transfer of 'gao.com/IN': AXFR started
Jul 29 03:01:01 gao crond(pam_unix)[3347]: session opened for user root by (uid=0)
Jul 29 03:01:01 gao crond(pam_unix)[3347]: session closed for user root
Jul 29 03:03:33 gao named[3318]: client 192.168.10.111#32779: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:03:42 gao named[3318]: client 192.168.10.111#32780: transfer of 'gao.com/IN': AXFR started
Jul 29 03:05:01 gao crond(pam_unix)[3359]: session opened for user root by (uid=0)
Jul 29 03:05:02 gao crond(pam_unix)[3359]: session closed for user root
Jul 29 03:10:01 gao crond(pam_unix)[3761]: session opened for user root by (uid=0)
Jul 29 03:10:01 gao crond(pam_unix)[3762]: session opened for user root by (uid=0)
Jul 29 03:10:01 gao crond(pam_unix)[3761]: session closed for user root
Jul 29 03:10:03 gao crond(pam_unix)[3762]: session closed for user root
Jul 29 03:10:11 gao named[3318]: client 192.168.10.111#32781: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:10:31 gao named[3318]: client 192.168.10.111#32782: transfer of 'gao.com/IN': AXFR started
Jul 29 03:15:01 gao crond(pam_unix)[3766]: session opened for user root by (uid=0)
Jul 29 03:15:02 gao crond(pam_unix)[3766]: session closed for user root
Jul 29 03:20:01 gao crond(pam_unix)[3768]: session opened for user root by (uid=0)
Jul 29 03:20:01 gao crond(pam_unix)[3769]: session opened for user root by (uid=0)
Jul 29 03:20:01 gao crond(pam_unix)[3768]: session closed for user root
Jul 29 03:20:02 gao crond(pam_unix)[3769]: session closed for user root
Jul 29 03:24:38 gao named[3318]: client 192.168.10.111#32783: transfer of '10.168.192.in-addr.arpa/IN': AXFR started
Jul 29 03:24:43 gao named[3318]: client 192.168.10.111#32784: transfer of 'gao.com/IN': AXFR started
Jul 29 03:25:01 gao crond(pam_unix)[3773]: session opened for user root by (uid=0)
Jul 29 03:25:02 gao crond(pam_unix)[3773]: session closed for user root
Jul 29 03:30:01 gao crond(pam_unix)[3776]: session opened for user root by (uid=0)
Jul 29 03:30:01 gao crond(pam_unix)[3775]: session opened for user root by (uid=0)
Jul 29 03:30:01 gao crond(pam_unix)[3775]: session closed for user root
Jul 29 03:30:02 gao crond(pam_unix)[3776]: session closed for user root
Jul 29 03:35:01 gao crond(pam_unix)[3780]: session opened for user root by (uid=0)
Jul 29 03:35:02 gao crond(pam_unix)[3780]: session closed for user root

Master DNS server firewall configuration:

[root@gao log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
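An added example, not configuration from the original post, showing the zone-related parts of named.conf for the two servers in this thread (the master above and the slave in the next post) with the settings a practitioner would tighten. The master already restricts AXFR to the slave; the slave in the original has no `allow-transfer` at all, so anyone can pull a full copy of the zone from it, and its slave zone files sit directly in the directory named could not write to. This fragment assumes the RHEL4 bind-chroot layout, in which /var/named/chroot/var/named/slaves exists and is writable by named (SELinux type named_cache_t); check that with `ls -Zd /var/named/chroot/var/named/slaves` before relying on it. The two `options` blocks belong to two different files, one per server.

```conf
// Added example, not from the original post.

// ---- /etc/named.conf on the master, 192.168.10.112 ----
options {
        directory "/var/named";
        allow-transfer { 192.168.10.111; };   // only the slave may AXFR
};

zone "gao.com" IN {
        type master;
        file "gao.com";
        allow-update { none; };               // no dynamic updates
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "gao.192.168.10";
        allow-update { none; };
};

// ---- /etc/named.conf on the slave, 192.168.10.111 ----
options {
        directory "/var/named";
        allow-transfer { none; };             // the slave is not a transfer source
};

zone "gao.com" IN {
        type slave;
        file "slaves/gao.com";                // directory named may write, not /var/named itself
        masters { 192.168.10.112; };
};

zone "10.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/gao.192.168.10";
        masters { 192.168.10.112; };
};
```

After `rndc reload` on both hosts, verify from the slave with `dig @192.168.10.112 gao.com axfr` (the whole zone should come back) and repeat the same command from a third host, which should be refused. Note also that the posted zone files list only www.gao.com as NS; BIND sends NOTIFY to the zone's NS records, so the slave will only refresh on the SOA refresh timer until an NS record for it (or an `also-notify` entry on the master) is added.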
OP | Posted 2007-4-21 11:18:59
Slave DNS server settings

------------Master DNS server IP: 192.168.10.112
------------Slave DNS server IP: 192.168.10.111
Contents of /etc/resolv.conf:

search gao.com.
nameserver 192.168.10.112

Contents of /etc/named.conf:

//
// named.conf for Red Hat caching-nameserver
//

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// a caching only nameserver config
//
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};

zone "gao.com" IN {
        type slave;
        file "gao.com";
        masters {192.168.10.112;};
};

zone "10.168.192.in-addr.arpa" IN {
        type slave;
        file "gao.192.168.10";
        masters {192.168.10.112;};
};

include "/etc/rndc.key";

Log file contents after starting the named service on the master and the slave:

Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:09 redhatbak kernel: audit(1122576969.695:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:09 redhatbak named[3218]: dumping master file: tmp-XXXXfjRpOy: open: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:56 redhatbak kernel: audit(1122577016.193:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:56 redhatbak named[3218]: dumping master file: tmp-XXXXC6e08G: open: permission denied
Jul 29 02:56:56 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:56 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:57:08 redhatbak named[3218]: dumping master file: tmp-XXXXuJR105: open: permission denied
Jul 29 02:57:08 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:57:08 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:57:08 redhatbak kernel: audit(1122577028.196:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:30 redhatbak kernel: audit(1122577110.199:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:30 redhatbak named[3218]: dumping master file: tmp-XXXXhdi6mk: open: permission denied
Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:58:30 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:58:50 redhatbak kernel: audit(1122577130.195:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:58:50 redhatbak named[3218]: dumping master file: tmp-XXXXnoGai2: open: permission denied
Jul 29 02:58:50 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:58:50 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:00:01 redhatbak crond(pam_unix)[3227]: session opened for user root by (uid=0)
Jul 29 03:00:01 redhatbak crond(pam_unix)[3226]: session opened for user root by (uid=0)
Jul 29 03:00:01 redhatbak crond(pam_unix)[3226]: session closed for user root
Jul 29 03:00:02 redhatbak crond(pam_unix)[3227]: session closed for user root
Jul 29 03:01:01 redhatbak crond(pam_unix)[3231]: session opened for user root by (uid=0)
Jul 29 03:01:02 redhatbak crond(pam_unix)[3231]: session closed for user root
Jul 29 03:01:57 redhatbak named[3218]: dumping master file: tmp-XXXXpeRkIe: open: permission denied
Jul 29 03:01:57 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:01:57 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:01:57 redhatbak kernel: audit(1122577317.198:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:02:07 redhatbak kernel: audit(1122577327.194:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:02:07 redhatbak named[3218]: dumping master file: tmp-XXXXSj51MF: open: permission denied
Jul 29 03:02:07 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:02:07 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:05:01 redhatbak crond(pam_unix)[3241]: session opened for user root by (uid=0)
Jul 29 03:05:01 redhatbak crond(pam_unix)[3241]: session closed for user root
Jul 29 03:08:28 redhatbak named[3218]: dumping master file: tmp-XXXXeDKfWo: open: permission denied
Jul 29 03:08:28 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:08:28 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:08:28 redhatbak kernel: audit(1122577708.201:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:08:49 redhatbak named[3218]: dumping master file: tmp-XXXXVnGqPD: open: permission denied
Jul 29 03:08:49 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:08:49 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:08:49 redhatbak kernel: audit(1122577729.194:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:10:01 redhatbak crond(pam_unix)[3243]: session opened for user root by (uid=0)
Jul 29 03:10:01 redhatbak crond(pam_unix)[3245]: session opened for user root by (uid=0)
Jul 29 03:10:02 redhatbak crond(pam_unix)[3243]: session closed for user root
Jul 29 03:10:02 redhatbak crond(pam_unix)[3245]: session closed for user root
Jul 29 03:15:01 redhatbak crond(pam_unix)[3248]: session opened for user root by (uid=0)
Jul 29 03:15:02 redhatbak crond(pam_unix)[3248]: session closed for user root
Jul 29 03:20:02 redhatbak crond(pam_unix)[3250]: session opened for user root by (uid=0)
Jul 29 03:20:02 redhatbak crond(pam_unix)[3251]: session opened for user root by (uid=0)
Jul 29 03:20:02 redhatbak crond(pam_unix)[3250]: session closed for user root
Jul 29 03:20:02 redhatbak crond(pam_unix)[3251]: session closed for user root
Jul 29 03:23:01 redhatbak named[3218]: dumping master file: tmp-XXXXzOx2AB: open: permission denied
Jul 29 03:23:01 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:23:01 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:23:01 redhatbak kernel: audit(1122578581.202:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:23:06 redhatbak named[3218]: dumping master file: tmp-XXXXCyi8UG: open: permission denied
Jul 29 03:23:06 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:23:06 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 03:23:06 redhatbak kernel: audit(1122578586.204:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 03:25:01 redhatbak crond(pam_unix)[3255]: session opened for user root by (uid=0)
Jul 29 03:25:02 redhatbak crond(pam_unix)[3255]: session closed for user root
Jul 29 03:28:53 redhatbak htt_server[2210]: status has not been enabled yet. (1, 1)
Jul 29 03:29:02 redhatbak last message repeated 2 times
Jul 29 03:30:01 redhatbak crond(pam_unix)[3332]: session opened for user root by (uid=0)
Jul 29 03:30:01 redhatbak crond(pam_unix)[3333]: session opened for user root by (uid=0)
Jul 29 03:30:02 redhatbak crond(pam_unix)[3332]: session closed for user root
Jul 29 03:30:03 redhatbak crond(pam_unix)[3333]: session closed for user root


Slave DNS server firewall configuration:

[root@gao log]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
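An added example, not code from the original post, that reads a syslog stream like the slave's /var/log/messages above and pairs each failed zone transfer with the AVC denials that named raised within a couple of seconds of it. The point for a practitioner is the ordering the kernel enforces: the SELinux hook runs only after the ordinary mode-bit check has passed, so an `avc: denied { write }` on a `named_zone_t` directory, as in the log above, means the directory's owner and mode were not what blocked the write. The sample lines are copied from the slave log in this post (with the tcontext restored to `system_u:object_r`) and are embedded here as constructed test input; the two-second window is an arbitrary choice.

```python
"""Correlate BIND zone-transfer failures with SELinux AVC denials in a
syslog stream.  Added example, not code from the original post.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: lines taken from the slave's /var/log/messages in this
# thread, with the mangled tcontext restored to system_u:object_r.
SAMPLE = """\
Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:09 redhatbak kernel: audit(1122576969.695:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:09 redhatbak named[3218]: dumping master file: tmp-XXXXfjRpOy: open: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 02:56:09 redhatbak named[3218]: transfer of 'gao.com/IN' from 192.168.10.112#53: end of transfer
Jul 29 02:56:56 redhatbak kernel: audit(1122577016.193:0): avc:  denied  { write } for  pid=3219 exe=/usr/sbin/named name=named dev=hda1 ino=557967 scontext=root:system_r:named_t tcontext=system_u:object_r:named_zone_t tclass=dir
Jul 29 02:56:56 redhatbak named[3218]: dumping master file: tmp-XXXXC6e08G: open: permission denied
Jul 29 02:56:56 redhatbak named[3218]: transfer of '10.168.192.in-addr.arpa/IN' from 192.168.10.112#53: failed while receiving responses: permission denied
Jul 29 03:00:01 redhatbak crond(pam_unix)[3227]: session opened for user root by (uid=0)
"""

TS = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d)")
XFER_FAIL = re.compile(
    r"named\[\d+\]: transfer of '(?P<zone>[^']+)' from (?P<master>\S+): "
    r"failed while receiving responses: (?P<reason>.+)$")
AVC = re.compile(
    r"kernel: audit\([\d.]+:\d+\): avc:\s+denied\s+\{ (?P<perm>[^}]+)\} for .*?"
    r"exe=(?P<exe>\S+).*?scontext=\S+ tcontext=\S+:(?P<ttype>\w+) tclass=(?P<tclass>\w+)")


def parse_ts(line):
    """Syslog timestamp without a year; 2000 is used so 'Feb 29' still parses."""
    m = TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"2000 {m.group(1)} {int(m.group(2)):02d} {m.group(3)}",
                             "%Y %b %d %H:%M:%S")


def correlate(lines, window_s=2):
    """One record per failed transfer, carrying the AVC denials that
    /usr/sbin/named raised within window_s seconds of it."""
    avcs, fails = [], []
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = AVC.search(line)
        if m and m.group("exe") == "/usr/sbin/named":
            avcs.append((ts, m.group("perm").strip(), m.group("ttype"), m.group("tclass")))
            continue
        m = XFER_FAIL.search(line)
        if m:
            fails.append((ts, m.group("zone"), m.group("master"), m.group("reason")))
    records = []
    for ts, zone, master, reason in fails:
        near = [a[1:] for a in avcs if abs((a[0] - ts).total_seconds()) <= window_s]
        records.append({"time": ts, "zone": zone, "master": master,
                        "reason": reason, "avc": near})
    return records


def summarize(records):
    """Failure count per zone, plus the distinct (perm, type, class) denials seen."""
    per_zone = defaultdict(int)
    denials = set()
    for r in records:
        per_zone[r["zone"]] += 1
        denials.update(r["avc"])
    return dict(per_zone), denials


def verdict(records):
    """Name the blocking layer: an AVC on a named_zone_t directory means the
    SELinux policy refused the write (the mode bits had already passed); a
    'permission denied' with no AVC beside it points at owner/mode alone."""
    _, denials = summarize(records)
    if any(t == "named_zone_t" and c == "dir" for _, t, c in denials):
        return "selinux"
    if any(r["reason"] == "permission denied" for r in records):
        return "dac"
    return "unknown" if records else "ok"


if __name__ == "__main__":
    recs = correlate(SAMPLE.splitlines())
    print(summarize(recs))
    print(verdict(recs))
```

On a live host replace `SAMPLE.splitlines()` with the lines of /var/log/messages; a `selinux` verdict means the fix is a directory labelled named_cache_t (such as the slaves/ subdirectory) or the `named_write_master_zones` boolean, not a chown.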
boway Inc. ( 冀ICP备10011147号 )
Powered by Discuz! X3.4