
Rocky Linux-0088-Tutorial-DNS-Private Name Resolution with Bind-04

Time: 2023-01-31 16:32:01 | Source: Site-building knowledge

0. Background

CentOS 8 is no longer maintained; Rocky Linux is the future~

Starting with this post, I am translating the Rocky Linux name-resolution (DNS) documentation~

(1) Posts in this series

格瑞圖: Rocky Linux-0001~0011-Tutorial-Custom Kernel

格瑞圖: Rocky Linux-0012~0024-Tutorial-Contributing to the Documentation

格瑞圖: Rocky Linux-0025~0034-Tutorial-Automation

格瑞圖: Rocky Linux-0034~0043-Tutorial-File Synchronization

格瑞圖: Rocky Linux-0044~0051-Tutorial-Content Management

格瑞圖: Rocky Linux-0053~0053-Tutorial-Communication Services

格瑞圖: Rocky Linux-0054~0082-Tutorial-Container Technology

格瑞圖: Rocky Linux-0083-0084-Tutorial-Databases

格瑞圖: Rocky Linux-0085-Tutorial-DNS-Private Name Resolution with Bind-01

格瑞圖: Rocky Linux-0086-Tutorial-DNS-Private Name Resolution with Bind-02

格瑞圖: Rocky Linux-0087-Tutorial-DNS-Private Name Resolution with Bind-03

8. Rocky Linux 9.0

Stupid Profile Names

In NetworkManager, the connections are not modified by the name of the device but by the name of the profile. This can be things like "Wired connection 1" or "Wireless connection 1". You can see the profile by running nmcli without any parameters:

nmcli

This will show you output such as this:

enp0s3: connected to Wired Connection 1
        "Intel 82540EM"
        ethernet (e1000), 08:00:27:E4:2D:3D, hw, mtu 1500
        ip4 default
        inet4 192.168.1.140/24
        route4 192.168.1.0/24 metric 100
        route4 default via 192.168.1.1 metric 100
        inet6 fe80::f511:a91b:90b:d9b9/64
        route6 fe80::/64 metric 1024

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: 192.168.1.1
        domains: localdomain
        interface: enp0s3

Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Before we even start modifying the connection, you should name this something sane, like the name of the interface (note the "\" below escapes the spaces in the name):

nmcli connection modify Wired\ connection\ 1 con-name enp0s3

Once you've done this, run nmcli by itself again and you will see something like this:

enp0s3: connected to enp0s3
        "Intel 82540EM"
        ethernet (e1000), 08:00:27:E4:2D:3D, hw, mtu 1500
        ip4 default
        inet4 192.168.1.140/24
        route4 192.168.1.0/24 metric 100
        route4 default via 192.168.1.1 metric 100
...

This will make the remaining configuration for the DNS much easier!

Assuming that your connection profile name is "enp0s3", we will include the already configured DNS but add our local DNS server first:

nmcli con mod enp0s3 ipv4.dns '192.168.1.138,192.168.1.1'

You can have more DNS servers, and for a machine configured with public DNS servers, say Google's open DNS, you can have something like this instead:

nmcli con mod enp0s3 ipv4.dns '192.168.1.138,8.8.8.8,8.8.4.4'

Once you've added the DNS servers that you want to the connection, you should be able to resolve hosts in ourdomain.lan, as well as Internet hosts.
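The ipv4.dns list above is typed by hand. The script below is an added example, not part of the Rocky Linux docs or of this article: it builds that list so the private Bind server is always first, keeps the servers that are already configured, drops duplicates, and validates every entry before printing the nmcli command from the article. The profile name enp0s3 and the private server 192.168.1.138 are taken from the article; the "current servers" string is a constructed stand-in for what `nmcli -g ipv4.dns connection show enp0s3` prints on a real host.

```shell
#!/bin/sh
# Added example, not part of the Rocky Linux docs or this article: compute the
# ipv4.dns value for a NetworkManager profile so that the private Bind server
# is always consulted first, the servers already configured are kept in order,
# and nothing is listed twice. Assumptions: the profile is named after the
# interface (enp0s3) as the article recommends, the private server is
# 192.168.1.138, and the current servers are supplied as the comma-separated
# string that `nmcli -g ipv4.dns connection show enp0s3` prints on a real host
# (constructed values are used below so the script runs offline).

# build_dns_list PRIVATE_DNS CURRENT_LIST
# Prints PRIVATE_DNS followed by the entries of CURRENT_LIST in their original
# order, skipping blanks, surrounding whitespace and repeats.
build_dns_list() {
    result="$1"
    old_ifs="$IFS"
    IFS=','
    for server in $2; do
        server=$(printf '%s' "$server" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        [ -z "$server" ] && continue
        case ",$result," in
            *",$server,"*) ;;                 # already in the list
            *) result="$result,$server" ;;
        esac
    done
    IFS="$old_ifs"
    printf '%s\n' "$result"
}

# dns_list_is_valid LIST
# Succeeds only when every comma-separated entry is a dotted-quad IPv4 address,
# so a typo is caught before it is written into the connection profile.
dns_list_is_valid() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r server; do
        case "$server" in
            ""|*[!0-9.]*) exit 1 ;;          # blank, or not just digits and dots
        esac
        octets=0
        for o in $(printf '%s' "$server" | tr '.' ' '); do
            [ "$o" -le 255 ] || exit 1
            octets=$((octets + 1))
        done
        [ "$octets" -eq 4 ] || exit 1
    done
}

# nmcli_dns_command PROFILE LIST
# Prints the same nmcli invocation the article uses, with the computed list.
nmcli_dns_command() {
    printf "nmcli con mod %s ipv4.dns '%s'\n" "$1" "$2"
}

# Constructed current state: the router and a public resolver are configured,
# and the private server is already present once (it must not be duplicated).
CURRENT='192.168.1.1, 8.8.8.8,192.168.1.138'
LIST=$(build_dns_list 192.168.1.138 "$CURRENT")
if dns_list_is_valid "$LIST"; then
    nmcli_dns_command enp0s3 "$LIST"
    # On a real host, apply it and re-activate the profile so the change takes effect:
    # nmcli con mod enp0s3 ipv4.dns "$LIST" && nmcli con up enp0s3
else
    echo "refusing to apply invalid DNS list: $LIST" >&2
fi
```

Two points the article leaves implicit: `nmcli con mod` only edits the stored profile, so the running connection sees the new servers once it is re-activated; and the order matters beyond convenience, because the stub resolver tries servers in order, so if the private server becomes unreachable, queries for ourdomain.lan fall through to the public resolvers, which do not know that zone and will simply see the internal names.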

(3) 9.0 Firewall Rules - firewalld

firewalld By Default

With Rocky Linux 9.0 and above, using iptables rules is deprecated. You should use firewalld instead.

We aren't making any assumptions about the network or services that might be needed, except that we are turning on SSH access and DNS access for our LAN network only. For this, we will use the firewalld built-in zone, "trusted". We will also have to make some service changes to the "public" zone in order to limit SSH access to the LAN.

The first step is to add our LAN network to the "trusted" zone:

firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent

Next, we need to add our two services to the "trusted" zone:

firewall-cmd --zone=trusted --add-service=ssh --permanent
firewall-cmd --zone=trusted --add-service=dns --permanent

Finally, we need to remove the SSH service from our "public" zone, which is on by default:

firewall-cmd --zone=public --remove-service=ssh --permanent

Next, reload the firewall and then list out the zones that we've made changes to:

firewall-cmd --reload
firewall-cmd --zone=trusted --list-all

Which should show that you have correctly added the services and the source network:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Listing out the "public" zone should show that SSH access is no longer allowed:

firewall-cmd --zone=public --list-all

Which should show you:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

These rules should get you DNS resolution on your private DNS server from hosts on the 192.168.1.0/24 network. In addition, you should be able to SSH from any of those hosts into your private DNS server.
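Reading two `--list-all` dumps by eye is how the article verifies the zones. The script below is an added example, not part of the Rocky Linux docs or of this article: it parses that output and checks the intended policy mechanically (the LAN is a source of "trusted", "trusted" offers dns and ssh with target ACCEPT, and "public" offers neither). The zone dumps are constructed from the output shown above; on a real host you would capture them from `firewall-cmd --zone=trusted --list-all` and `firewall-cmd --zone=public --list-all` instead.

```shell
#!/bin/sh
# Added example, not part of the Rocky Linux docs or this article: audit the
# output of `firewall-cmd --zone=<zone> --list-all` to confirm that the rules
# above actually landed. The zone dumps below are constructed from the output
# shown in the article; on a real host capture them with
# "$(firewall-cmd --zone=trusted --list-all)" and the same for public.

TRUSTED_DUMP='trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# "public" after the change, with ssh removed ...
PUBLIC_AFTER='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# ... and a constructed "public" as it looks before the change, ssh still on.
PUBLIC_BEFORE=$(printf '%s\n' "$PUBLIC_AFTER" | sed 's/^  services: cockpit dhcpv6-client$/& ssh/')

# zone_field DUMP FIELD: print the value after "FIELD:" (empty when unset).
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_has_word DUMP FIELD WORD: succeed when WORD is one of FIELD's values.
zone_has_word() {
    for w in $(zone_field "$1" "$2"); do
        [ "$w" = "$3" ] && return 0
    done
    return 1
}

# audit_zones TRUSTED_DUMP PUBLIC_DUMP LAN_CIDR: print one line per failed
# check and return the number of failures (0 means the policy is as intended).
audit_zones() {
    failures=0
    zone_has_word "$1" sources "$3" || { echo "FAIL: $3 is not a source of trusted"; failures=$((failures + 1)); }
    [ "$(zone_field "$1" target)" = ACCEPT ] || { echo "FAIL: trusted target is not ACCEPT"; failures=$((failures + 1)); }
    for svc in dns ssh; do
        zone_has_word "$1" services "$svc" || { echo "FAIL: $svc is not offered in trusted"; failures=$((failures + 1)); }
    done
    # ssh must be gone from public, which faces everything that is not the LAN
    if zone_has_word "$2" services ssh; then
        echo "FAIL: ssh is still offered in public"; failures=$((failures + 1))
    fi
    # dns must not have leaked into public either (the article never adds it there)
    if zone_has_word "$2" services dns; then
        echo "FAIL: dns is offered in public"; failures=$((failures + 1))
    fi
    return "$failures"
}

echo "== audit with ssh still in public =="
audit_zones "$TRUSTED_DUMP" "$PUBLIC_BEFORE" 192.168.1.0/24 || echo "$? check(s) failed"
echo "== audit after the changes =="
audit_zones "$TRUSTED_DUMP" "$PUBLIC_AFTER" 192.168.1.0/24 && echo "zones match the LAN-only policy"
```

Because the checks read the runtime configuration that `--list-all` reports, running the audit before `firewall-cmd --reload` will still show the old state: the `--permanent` changes in the article are not active until the reload.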

N. Afterword

Oyster

~

關(guān)鍵詞:私有,教程

74
73
25
news

版權(quán)所有? 億企邦 1997-2025 保留一切法律許可權(quán)利。

為了最佳展示效果,本站不支持IE9及以下版本的瀏覽器,建議您使用谷歌Chrome瀏覽器。 點(diǎn)擊下載Chrome瀏覽器
關(guān)閉