ager as the central name server:

    nameserver 191.72.1.1

When resolving the name vale, the resolver would look up vale and, failing that, vale.vbrew.com and vale.com.

7.1.4 Resolver robustness.

If you are running a LAN inside a larger network, you should definitely use central name servers if they are available. The advantage is that they will develop rich caches, since all queries are directed to them. This scheme has a drawback, however: when a backbone cable at our university was destroyed by fire, it was no longer possible to work on our department's LAN, because the resolver could not reach any of the servers. There was no logging in on X terminals, no printing on the printers, and so on. Although it is not becoming for a university campus to go up in flames, everyone should take precautions against cases like this. One option is to set up a local name server that resolves hostnames from your local domain and forwards all queries for other hostnames to the main servers. Of course, this applies only when you are running your own domain. Alternatively, you can keep a backup table of the hosts of your domain or LAN in /etc/hosts. In /etc/host.conf you can then specify "order bind hosts" so that the resolver falls back to the hosts file if the central server is down or unreachable.

7.2 Running named.

The program that provides domain name service on most Unix machines is usually called named. This program was originally developed for BSD to serve clients, and possibly other servers. The version currently used in most Linux installation packages, as far as I can tell, is BIND-4.8.3. A newer version, BIND-4.9.3, is in beta test at the moment and should soon be available for Linux.
This section requires some understanding of how the Domain Name System works. If the following is not entirely clear to you, you should reread chapter 3, which has more detailed information on the basics of DNS.

named is usually started at system boot and runs until the machine is rebooted. It takes its information from a configuration file called /etc/named.boot and from various files that contain the data sets mapping domain names to addresses. The latter will be called zone files from here on. The formats and semantics of these files are explained in the following section. To start named, simply enter at the command line:

    # /usr/sbin/named

named will come up, read the named.boot file and the zone files named there. It writes its process id in ASCII to /var/run/named.pid, downloads any zone files from primary servers if necessary, and starts listening on port 53 for DNS queries. (1)

7.2.1 The named.boot file.

The named.boot file is generally very small and contains little more than pointers to the master files containing the zone information and pointers to other servers. Comments in the boot file start with a semicolon and extend to the end of the line. Before we discuss the format of named.boot in more detail, we will look at the sample file for vlager shown in figure 7.2.1. (2)

The cache and primary commands shown in this example load information into named. This information is taken from the master file given in the second argument. Those files contain textual representations of DNS resource records, which we will look at below.

1. There are various named binaries on Linux FTP sites, each of which differs slightly from the others. Some have their own pid file; some keep it in /tmp or /var/tmp.

2. Note that the domain names in this example are given without the trailing dot.
Earlier versions of named treat trailing dots in named.boot as an error and reject them. BIND-4.9.3, as already mentioned, fixes this.

    ;
    ; /etc/named.boot file for vlager.vbrew.com
    ;
    directory                           /var/named
    ;
    ; domain                            file
    ;---------------------------------------------------
    cache       .                       named.ca
    primary     vbrew.com               named.hosts
    primary     0.0.127.in-addr.arpa    named.local
    primary     72.191.in-addr.arpa     named.rev

Figure 9. The named.boot file for vlager.

In this example, we have configured named as the primary server for three domains, as indicated by the primary statements at the end of the file. The first of these lines, for instance, instructs named to act as the primary server for vbrew.com, taking the zone data from the file named.hosts. The directory keyword tells it that all zone files are located in /var/named.

The cache entry is very special and should be present on virtually every machine running a name server. Its function is twofold: it instructs named to activate its cache, and it loads the root server hints from the cache file (named.ca in our example). We will return to the server hints below.

Here is a list of the most important options you can use in named.boot:

directory - specifies the directory in which the zone files reside. File names may be given relative to this directory. Several directories may be specified by using directory repeatedly. According to the Linux filesystem standard, this directory should be /var/named.

primary - takes a domain name and a file name as arguments, declaring the local server authoritative for the named domain. As the primary server, named loads the zone information from the given master file. There will generally be at least one primary entry in every boot file, namely for the reverse mapping of network 127.0.0.0, which is the local loopback network.

secondary - takes a domain name, an address list, and a file name as arguments. It declares the local server a secondary master server for the specified domain. A secondary server holds authoritative data on the domain too, but it does not gather it from a file; instead, it tries to download it from the primary server. The IP address of at least one primary server must be given to named in the address list. The local server will contact each of them in turn until it successfully transfers the whole zone database, which is then stored in the backup file given as the third argument. If none of the primary servers responds, the zone data is recovered from the backup file instead. named then attempts to refresh the zone data at regular intervals. This is explained below with the SOA record type.

cache - this option takes a domain and a file name as arguments. This file contains the root server hints, which is a list of records pointing to the root name servers. Only NS and A records will be recognized. The domain argument is generally the root domain name ".". This is very important: if the cache statement does not appear in the boot file, named does not develop a local cache at all. This severely degrades performance and increases network load if the server being queried is not on the local net. In addition, named will not be able to reach any root servers, and thus it will not resolve any addresses except those it is authoritative for. The exception to this rule is when forwarding servers are used (the forwarders option given below).

forwarders - this statement takes an address list as an argument. The IP addresses in this list specify the name servers that named may query if it cannot resolve a query from its local cache. They are tried in order until one of them responds to the query.

slave - this statement makes the name server a slave server. That is, it will never perform recursive queries itself, but will only forward them to the servers specified with the forwarders statement.

There are two options we will not describe here, sortlist and domain. Additionally, there are two directives that may be used inside the zone database files. These are $INCLUDE and $ORIGIN. Since they are rarely needed, we will not describe them here either.

7.2.2 The DNS database files.

Master files included by named, like named.hosts, always have a domain associated with them, which is called the origin. This is the domain name specified with the cache and primary commands. Within a master file, you are allowed to specify domain and host names relative to this domain. A name given in the configuration file is considered absolute if it ends in a single dot; otherwise it is taken relative to the origin. The origin itself may be referred to by using "@".

All data contained in a master file is defined in resource records, or RRs for short. They make up the smallest unit of information available through DNS. Each resource record has a type. An A record, for instance, maps a hostname to an IP address, and a CNAME record associates an alias for a host with its official name. As an example, look at figure 7.2.3 on page 116, which shows the named.hosts master file for the Virtual Brewery.

Resource records in master files have the general format:

    [domain] [ttl] [class] type rdata

Fields are separated by spaces or tabs. A record may be continued across several lines if an opening parenthesis appears before the first newline, and the last field ends with a closing parenthesis. Anything between a semicolon and a newline is ignored.

domain - this is the domain name to which the record applies.
If no domain name is given, the RR is assumed to apply to the domain of the previous RR.

ttl - to force resolvers to discard information after a certain period of time, each RR is associated with a "time to live", or ttl for short. The ttl field specifies the time in seconds the information remains valid after it has been retrieved from the server. It is a decimal number with at most eight digits. If no ttl value is given, it defaults to the value of the minimum field of the preceding SOA record.

class - this is the address class, like IN for IP addresses, or HS for objects in the Hesiod class. For TCP/IP networking, you have to make this IN. If no class field is given, the class of the preceding RR is assumed.

type - this describes the type of the RR. The most common types are A, SOA, PTR, and NS. The following sections describe the various types of RRs.

rdata - this holds the data associated with the RR. The format of this field depends on the type of the RR. Below, it is described for each RR separately.

The following is an incomplete list of the RRs to be used in DNS master files. There are a couple more of them which we will not explain. They are experimental, and generally of little use.

SOA - this describes a zone of authority (SOA means "Start of Authority"). It signals that the records following the SOA RR contain authoritative information for the domain. Every master file included by a primary statement must contain an SOA record for this zone. The resource data contains the following fields:

origin - this is the canonical hostname of the primary name server for this domain. It is usually given as an absolute name.

contact - this is the email address of the person responsible for maintaining the domain, with the "@" replaced by a dot. For instance, if the responsible person at the Virtual Brewery is janet, this field would contain janet.vbrew.com.

serial - this is the version number of the zone file, expressed as a single decimal number. Whenever data is changed in the zone file, this number should be incremented. The serial number is used by secondary servers to recognize when the zone information has changed. To stay up to date, secondary servers request the primary server's SOA record at certain intervals and compare the serial number with that of the cached SOA record. If the number has changed, the secondary servers transfer the whole zone database from the primary server.

refresh - this specifies the interval in seconds that the secondary servers should wait between checks of the primary server's SOA record. It is a decimal number with at most eight digits. Generally, the network topology does not change too often, so this number should specify an interval of roughly a day for larger networks, and even more for smaller ones.

retry - this number determines the interval at which a secondary server should retry contacting the primary server if a request or a zone refresh fails. It must not be too small, because otherwise even a temporary failure of the server or a network problem could waste network resources. One hour, or perhaps half an hour, might be a good choice.

expire - this specifies the time in seconds after which the server should finally discard all zone data if it has not been able to contact the primary server. This interval should generally be very large. Craig Hunt ([GETS "hunt-tcpip"]) recommends 42 days.

minimum - this is the default ttl value for resource records that do not explicitly specify one. It requires other name servers to discard the RR after a certain amount of time. It has nothing to do with the time after which a secondary server tries to update the zone information. minimum should be a large value, especially for LANs where the network topology almost never changes. A week or a month is appropriate. In the case that single RRs may change more frequently, you can still assign them different ttls individually.

A - this associates an IP address with a hostname. The resource data field contains the address in dotted quad notation. For each host, there must be only one A record. The hostname used in this A record is considered the official or canonical hostname. All other hostnames are aliases and must be mapped onto the canonical hostname using a CNAME record.

NS - points to a master name server of a subordinate zone. For an explanation of why one has to have NS records, see section 3.6. The resource data field contains the hostname of the server. To resolve that hostname, an additional A record may be given, the so-called glue record, which gives the server's IP address.

CNAME - associates an alias for a host with its canonical hostname. The canonical hostname is the one the master file provides an A record for; aliases are simply linked to that name by a CNAME record, but do not have any other records of their own.

PTR - this type of record is used to associate names in the in-addr.arpa domain with hostnames. It is used for the reverse mapping of IP addresses to hostnames. The hostname given must be the canonical hostname.

MX - this RR announces a mail exchanger for the domain. The reasons for having mail exchangers are discussed in section 14.4.1 of chapter 14. The syntax of an MX record is:

    [domain] [ttl] [class] MX preference host

host names the mail exchanger for the domain. Every mail exchanger has an integer preference value associated with this host.
A mail transport agent that wants to deliver mail to the domain will try all hosts that have MX records for this domain until one succeeds. The host with the lowest number is tried first, followed by the other hosts in order of increasing number (this number is called the preference value).

HINFO - this record provides information on the system's hardware and software. Its syntax is:

    [domain] [ttl] [class] HINFO hardware software

The hardware field identifies the hardware used by this host. There are special conventions for specifying it. A list of valid names is given in the "Assigned Numbers" RFC (RFC 1340). If the field contains any blanks, it has to be enclosed in double quotes. The software field names the operating system used. Again, a valid name from the "Assigned Numbers" RFC should be chosen.

7.2.3 Writing the master files.

Figures 7.2.3, 7.2.3, 7.2.3, and 7.2.3 give sample files for the name server at the brewery, located on vlager. Owing to the nature of the network discussed (a single LAN), the example is pretty straightforward. If your requirements are more complex and you cannot get named running, "DNS and BIND" by Cricket Liu and Paul Albitz ([GETST "liu-dns"]) will help.

The cache file named.ca, shown in figure 7.2.3, shows sample hint records for root name servers. A typical cache file usually describes about a dozen name servers, or so. You can obtain the current list of name servers for the root domain using nslookup, described near the end of this chapter. (3)

    ;
    ; /var/named/named.ca       Cache file for the brewery.
    ;       We're not on the Internet, so we don't need
    ;       any root servers. To activate these
    ;       records, remove the semicolons.
    ;
    ; .                 99999999 IN NS  NS.NIC.DDN.MIL
    ; NS.NIC.DDN.MIL    99999999 IN A   26.3.0.103
    ; .                 99999999 IN NS  NS.NASA.GOV
    ; NS.NASA.GOV       99999999 IN A   128.102.16.10

Figure 10. The named.ca file.

3. Note that you cannot query your name server for the root servers if you do not have any root server hints installed: Catch 22! To escape this dilemma, you can either make nslookup use a different name server, or you can use the sample file in figure 7.2.3 and then obtain the full list of valid servers from there.

    ;
    ; /var/named/named.hosts    Local hosts at the brewery
    ;       Origin is vbrew.com
    ;
    @           IN  SOA     vlager.vbrew.com. (
                            janet.vbrew.com.
                            16          ; serial
                            86400       ; refresh: once per day
                            3600        ; retry: one hour
                            3600000     ; expire: 42 days
                            604800      ; minimum: 1 week
                            )
                IN  NS      vlager.vbrew.com.
    ;
    ; local mail is distributed on vlager
                IN  MX      10 vlager
    ;
    ; loopback address
    localhost.  IN  A       127.0.0.1
    ; brewery Ethernet
    vlager      IN  A       191.72.1.1
    vlager-if1  IN  CNAME   vlager
    ; vlager is also news server
    news        IN  CNAME   vlager
    vstout      IN  A       191.72.1.2
    vale        IN  A       191.72.1.3
    ; winery Ethernet
    vlager-if2  IN  A       191.72.2.1
    vbardolino  IN  A       191.72.2.2
    vchianti    IN  A       191.72.2.3
    vbeaujolais IN  A       191.72.2.4

Figure 11. The named.hosts file.

7.2.4 Verifying the name server setup.

There is a fine tool for checking the operation of your name server setup. It is called nslookup, and may be used both interactively and from the command line. In the latter case, you simply invoke it as

    nslookup hostname

and it will query the name server specified in resolv.conf for hostname. (If this file names more than one server, nslookup will choose one of them.)

    ;
    ; /var/named/named.local    Reverse mapping of 127.0.0
    ;       Origin is 0.0.127.in-addr.arpa.
    ;
    @           IN  SOA     vlager.vbrew.com. (
                            joe.vbrew.com.
                            1           ; serial
                            360000      ; refresh: 100 hrs
                            3600        ; retry: one hour
                            3600000     ; expire: 42 days
                            360000      ; minimum: 100 hrs
                            )
                IN  NS      vlager.vbrew.com.
    1           IN  PTR     localhost.

Figure 12. The named.local file.
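The rules stated in section 7.2.2 (one A record per canonical host, aliases only via CNAME, PTR records naming the canonical hostname) can be checked mechanically, which is what the dnswalk tool mentioned later in this chapter does. The following is an added example, not code from the book or from BIND: it parses the master file format described above and runs those checks over the brewery's named.hosts and named.rev as printed in the figures. Run on that data, it reports the PTR for 1.2 in 72.191.in-addr.arpa, which names vlager-if1 although named.hosts makes vlager-if1 a CNAME alias of vlager.

```python
"""dnswalk-style consistency checks for BIND master files (added example, not
code from the book or from BIND).  parse_master() reads the [domain] [ttl]
[class] type rdata format of section 7.2.2 (';' comments, '@' for the origin,
a blank owner column repeating the previous owner, '(' ... ')' continuation,
relative vs. absolute names); check_zones() applies the rules the text states.
The zone text below is transcribed from the brewery's named.hosts and named.rev."""
NAMED_HOSTS = """\
@           IN SOA   vlager.vbrew.com. ( janet.vbrew.com.
                     16 86400 3600 3600000 604800 )   ; serial refresh retry expire minimum
            IN NS    vlager.vbrew.com.
            IN MX    10 vlager
vlager      IN A     191.72.1.1      ; brewery Ethernet
vlager-if1  IN CNAME vlager
news        IN CNAME vlager
vstout      IN A     191.72.1.2
vale        IN A     191.72.1.3
vlager-if2  IN A     191.72.2.1      ; winery Ethernet
vbardolino  IN A     191.72.2.2
vchianti    IN A     191.72.2.3
vbeaujolais IN A     191.72.2.4
"""
NAMED_REV = """\
@    IN SOA vlager.vbrew.com. joe.vbrew.com. ( 16 86400 3600 3600000 604800 )
     IN NS  vlager.vbrew.com.
1.1  IN PTR vlager.vbrew.com.
2.1  IN PTR vstout.vbrew.com.
3.1  IN PTR vale.vbrew.com.
1.2  IN PTR vlager-if1.vbrew.com.
2.2  IN PTR vbardolino.vbrew.com.
3.2  IN PTR vchianti.vbrew.com.
4.2  IN PTR vbeaujolais.vbrew.com.
"""
REV_ORIGIN = '72.191.in-addr.arpa.'
# rdata positions that hold domain names and therefore need origin expansion
NAME_FIELDS = {'CNAME': [0], 'NS': [0], 'PTR': [0], 'MX': [1], 'SOA': [0, 1]}

def absolute(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    if name == '@':
        return origin
    return name if name.endswith('.') else name + '.' + origin

def parse_master(text, origin):
    """Return (owner, type, rdata) tuples; owner and rdata names are absolute."""
    records, pending, owner, depth = [], '', origin, 0
    for raw in text.splitlines():
        line = raw.split(';', 1)[0]                  # drop the comment
        pending += line + ' '
        depth += line.count('(') - line.count(')')
        if depth > 0:                                 # record continues on the next line
            continue
        logical, pending = pending, ''
        fields = logical.replace('(', ' ').replace(')', ' ').split()
        if not fields:
            continue
        if logical[0] not in ' \t':                  # new owner; a blank column repeats the last
            owner = absolute(fields.pop(0), origin)
        if fields and fields[0].isdigit():            # optional ttl
            fields.pop(0)
        if fields and fields[0].upper() in ('IN', 'HS', 'CH'):  # optional class
            fields.pop(0)
        rtype = fields.pop(0).upper()
        for i in NAME_FIELDS.get(rtype, []):          # names inside rdata are relative too
            fields[i] = absolute(fields[i], origin)
        records.append((owner, rtype, fields))
    return records

def reverse_name(addr):
    """191.72.1.1 -> 1.1.72.191.in-addr.arpa."""
    return '.'.join(reversed(addr.split('.'))) + '.in-addr.arpa.'

def check_zones(forward, reverse, rev_origin):
    """Return the list of problems found; an empty list means consistent."""
    problems, a_recs, cnames = [], {}, {}
    for owner, rtype, rdata in forward:
        if rtype == 'A':
            a_recs.setdefault(owner, []).append(rdata[0])
        elif rtype == 'CNAME':
            cnames[owner] = rdata[0]
    if sum(1 for _, t, _ in forward if t == 'SOA') != 1:
        problems.append('forward zone must contain exactly one SOA record')
    for owner, addrs in a_recs.items():
        if len(addrs) > 1:
            problems.append(f'{owner} has {len(addrs)} A records, expected one')
    for alias, target in cnames.items():
        if target in cnames or alias in a_recs:
            problems.append(f'CNAME {alias} -> {target}: aliases must not chain or carry other records')
        elif target not in a_recs:
            problems.append(f'CNAME {alias} points at {target}, which has no A record')
    ptrs = {owner: rdata[0] for owner, t, rdata in reverse if t == 'PTR'}
    for rname, target in ptrs.items():
        if target in cnames:
            problems.append(f'PTR {rname} names alias {target}, not its canonical host')
        elif target not in a_recs:
            problems.append(f'PTR {rname} names {target}, which has no A record')
        elif rname not in [reverse_name(a) for a in a_recs[target]]:
            problems.append(f'PTR {rname} -> {target} disagrees with its A record')
    return problems

def run_check():
    """Check the brewery's named.hosts against its named.rev."""
    return check_zones(parse_master(NAMED_HOSTS, 'vbrew.com.'),
                       parse_master(NAMED_REV, REV_ORIGIN), REV_ORIGIN)
```

Calling run_check() returns the list of problems; to check your own zones, read the files into the two strings instead of the transcribed figures.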
    ;
    ; /var/named/named.rev      Reverse mapping of our IP addresses
    ;       Origin is 72.191.in-addr.arpa.
    ;
    @           IN  SOA     vlager.vbrew.com. (
                            joe.vbrew.com.
                            16          ; serial
                            86400       ; refresh: once per day
                            3600        ; retry: one hour
                            3600000     ; expire: 42 days
                            604800      ; minimum: 1 week
                            )
                IN  NS      vlager.vbrew.com.
    ; brewery
    1.1         IN  PTR     vlager.vbrew.com.
    2.1         IN  PTR     vstout.vbrew.com.
    3.1         IN  PTR     vale.vbrew.com.
    ; winery
    1.2         IN  PTR     vlager-if1.vbrew.com.
    2.2         IN  PTR     vbardolino.vbrew.com.
    3.2         IN  PTR     vchianti.vbrew.com.
    4.2         IN  PTR     vbeaujolais.vbrew.com.

Figure 13. The named.rev file.

Interactive mode is much more exciting. Besides looking up individual hosts, you may query for any type of DNS record, and transfer the entire zone information for a domain. When invoked without an argument, nslookup displays the name server it uses and enters interactive mode. At the ">" prompt, you may type any domain name you want to look up. By default, it asks for class A records, those containing the IP address associated with the domain name. You can change this type by using "set type=type", where type is one of the resource record names described earlier in section 7.2, or ANY. For example, you might have the following dialogue:

    $ nslookup
    Default Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    > sunsite.unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    Non-authoritative answer:
    Name:    sunsite.unc.edu
    Address:  152.2.22.81

If you try to query for a name that has no IP address associated with it, but other records were found in the DNS database, nslookup reports the error "No type A records found". However, you can make it query for records of other types (not A) by entering the "set type" command.
For instance, to obtain the SOA record of unc.edu, you would enter:

    > unc.edu
    *** No address (A) records available for unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    > set type=SOA
    > unc.edu
    Name Server:  rs10.hrz.th-darmstadt.de
    Address:  130.83.56.60

    Non-authoritative answer:
    unc.edu
            origin = ns.unc.edu
            mail addr = shava.ns.unc.edu
            serial = 930408
            refresh = 28800 (8 hours)
            retry = 3600 (1 hour)
            expire = 1209600 (14 days)
            minimum ttl = 86400 (1 day)
    Authoritative answers can be found from:
    UNC.EDU nameserver = SAMBA.ACS.UNC.EDU
    SAMBA.ACS.UNC.EDU internet address = 128.109.157.30

In a similar fashion you can query for MX records, and so on. Using the type ANY returns all resource records associated with a given name.

    > set type=MX
    > unc.edu
    Non-authoritative answer:
    unc.edu preference = 10, mail exchanger = lambada.oit.unc.edu
    lambada.oit.unc.edu internet address = 152.2.22.80
    Authoritative answers can be found from:
    UNC.EDU nameserver = SAMBA.ACS.UNC.EDU
    SAMBA.ACS.UNC.EDU internet address = 128.109.157.30

A practical application of nslookup, besides debugging, is to obtain the current list of root name servers for the named.ca file. You can do this by querying for all NS records associated with the root domain:

    > set type=NS
    > .
    Name Server:  fb0430.mathematik.th-darmstadt.de
    Address:  130.83.2.30

    Non-authoritative answer:
    (root) nameserver = NS.INTERNIC.NET
    (root) nameserver = AOS.ARL.ARMY.MIL
    (root) nameserver = C.NYSER.NET
    (root) nameserver = TERP.UMD.EDU
    (root) nameserver = NS.NASA.GOV
    (root) nameserver = NIC.NORDU.NET
    (root) nameserver = NS.NIC.DDN.MIL
    Authoritative answers can be found from:
    (root) nameserver = NS.INTERNIC.NET
    (root) nameserver = AOS.ARL.ARMY.MIL
    (root) nameserver = C.NYSER.NET
    (root) nameserver = TERP.UMD.EDU
    (root) nameserver = NS.NASA.GOV
    (root) nameserver = NIC.NORDU.NET
    (root) nameserver = NS.NIC.DDN.MIL
    NS.INTERNIC.NET internet address = 198.41.0.4
    AOS.ARL.ARMY.MIL internet address = 128.63.4.82
    AOS.ARL.ARMY.MIL internet address = 192.5.25.82
    AOS.ARL.ARMY.MIL internet address = 26.3.0.29
    C.NYSER.NET internet address = 192.33.4.12
    TERP.UMD.EDU internet address = 128.8.10.90
    NS.NASA.GOV internet address = 128.102.16.10
    NS.NASA.GOV internet address = 192.52.195.10
    NS.NASA.GOV internet address = 45.13.10.121
    NIC.NORDU.NET internet address = 192.36.148.17
    NS.NIC.DDN.MIL internet address = 192.112.36.4

The complete set of commands available in nslookup can be obtained with the help command from within nslookup.

7.2.5 Other useful tools.

There are a few tools that can help you with your tasks as a BIND administrator. I will briefly describe two of them. Please refer to the documentation that comes with these tools for details on how to use them.

hostcvt is a tool that helps you with your initial BIND configuration by converting your /etc/hosts file into master files for named. It generates both the forward (A) and the reverse (PTR) mappings, and takes care of aliases and the like.
Of course, it will not do all the work for you, since you may still want to tune the timeout values in the SOA record yourself, for instance, or add MX records and the like. But it may save you a few aspirins. hostcvt is part of the BIND source, but can also be found as a standalone package on a few Linux FTP servers.

After setting up your name server, you may want to test your configuration. The ideal tool for this, in my opinion, is dnswalk, a perl-based package that walks your DNS database looking for common mistakes and verifies that the information is consistent. dnswalk was released on comp.sources.misc recently, and should be available on all FTP sites that archive this group.

8. Serial Line IP

The serial line protocols, SLIP and PPP, provide Internet connectivity over poor links. Apart from a modem and a serial board equipped with a FIFO buffer, no hardware is needed. Using it is not much more complicated than using a mailbox, and so an increasing number of private organizations offer dial-up IP at an affordable cost to everyone.

Both SLIP and PPP drivers are available for Linux. SLIP has been there for quite a while, and works fairly reliably. The PPP driver was developed only recently by Michael Callahan and Al Longyear. This driver will be described in the next chapter.

8.1 General requirements.

To use SLIP or PPP, you have to configure some basic networking as described in the previous chapters. At the least, you have to set up the loopback interface and provide for name resolution. When connecting to the Internet, you will of course want to use DNS. The simplest option is to put the address of a name server into your resolv.conf file; this server will be queried as soon as the SLIP link is activated.

However, this solution is not optimal, because all name lookups will still go through your SLIP/PPP link. If you are concerned about the bandwidth this requires, you can also set up a cache-only name server. It does not really serve a domain; it only acts as a relay for all DNS queries produced on your host. The advantage of this scheme is that it builds up a cache, so that most queries have to be sent over the serial line only once. The named.boot file for a cache-only server looks like this:

    ; named.boot file for caching-only server
    directory   /var/named
    primary     0.0.127.in-addr.arpa    db.127.0.0      ; loopback net
    cache       .                       db.cache        ; root servers

In addition to this file, you also have to set up the db.cache file with a valid list of root name servers. This is described near the end of the "Resolver configuration" chapter.

8.2 SLIP operation.

Dial-up IP servers frequently offer SLIP service through special user accounts. After logging into such an account, you are not dropped into a common shell; instead, a program or shell script is run that enables the server's SLIP driver for the serial line and configures the appropriate network interface. Then you have to do the same at your end of the link.

On some operating systems, the SLIP driver is a user-space program; under Linux, it is part of the kernel, which makes it a lot faster. This requires, however, that the serial line be explicitly converted to SLIP mode. This is done by means of a special tty line discipline, SLIPDISC. While the tty is in the normal line discipline (DISC0), it exchanges data only with user processes, using the normal read(2) and write(2) calls, and the SLIP driver cannot write to or read from the tty. In SLIPDISC, all data arriving on the serial port is passed to the SLIP driver instead.
The SLIP driver itself understands a number of variants of the SLIP protocol. Apart from ordinary SLIP, it also understands CSLIP, which performs the so-called Van Jacobson header compression on outgoing IP packets. (1) Additionally, there are six-bit versions of each of these protocols.

A simple way to convert a serial line to SLIP mode is to use slattach. Assume you have your modem on /dev/cua3, and have successfully logged into the SLIP server. You would then execute:

    # slattach /dev/cua3 &

This will switch the line discipline of cua3 to SLIPDISC, and attach it to one of the SLIP network interfaces. If this is your first active SLIP link, the line will be attached to sl0; the second would be attached to sl1, and so on. Current kernels support up to eight simultaneous SLIP links.

1. Van Jacobson header compression is described in RFC 1441.

The default encapsulation chosen by slattach is CSLIP. You may choose any other mode using the -p switch. To use normal SLIP (no compression), you would use

    # slattach -p slip /dev/cua3 &

Other modes are cslip, slip6, cslip6 (for the six-bit version of SLIP), and adaptive for adaptive SLIP. The latter leaves it to the kernel to find out which type of SLIP encapsulation the remote end uses.

Note that you must use the same encapsulation as your peer. For example, if cowslip uses CSLIP, you have to do so too. The symptom of a mismatch is that a ping to the remote host does not get any packets back. If the other host pings you, you may see messages like "Can't build ICMP header" on your console. One way to avoid this trouble is to use adaptive SLIP.

In fact, slattach lets you enable not only SLIP, but also other protocols that use the serial line, like PPP or KISS (another protocol used by ham radio people). For details, please refer to the slattach(8) manual page.

After turning over the line to the SLIP driver, you have to configure the network interface. Again, we use the standard ifconfig and route commands. Assume that from vlager we have dialed up a server named cowslip. You would then execute:

    # ifconfig sl0 vlager pointopoint cowslip
    # route add cowslip
    # route add default gw cowslip

The first command configures the interface as a point-to-point link to cowslip, while the second and third add the route to cowslip and the default route using cowslip as a gateway.

When taking down the SLIP link, you first have to remove all routes through cowslip using route with the del option, take the interface down, and send slattach the hangup signal. Afterwards you have to hang up the modem using your terminal program:

    # route del default
    # route del cowslip
    # ifconfig sl0 down
    # kill -HUP 516

8.3 Using dip.

Now, that was all rather simple. Nevertheless, you might want to automate the above steps so that you only have to invoke a single command that performs all the steps shown above. This is what dip is for. (2) The current release as of this writing is version 3.3.7. It has been patched by a number of people, so that you can no longer speak of dip as a single program. These different strands of development will hopefully be merged in a future release.

dip provides an interpreter for a simple scripting language that handles the modem for you, converts the line to SLIP mode, and configures the interface. It is rather primitive and restrictive, but sufficient for most cases.
A newer version of dip may one day describe a much more versatile language.

To be able to configure the SLIP interface, dip requires root privilege. It would now be tempting to make dip setuid to root, so that all users could dial up some SLIP server without having to be given root access. This is very dangerous, though, because setting up bogus interfaces and default routes with dip could disrupt routing on your network. Even worse, it would give your users the power to connect to any SLIP server and launch dangerous attacks on your network. So if you want to allow your users to fire up a SLIP connection, write small wrapper programs for each prospective SLIP server, and have them invoke dip with the specific script that establishes the connection. These programs can then safely be made setuid root. (3)

2. dip stands for Dialup IP. It was written by Fred van Kempen.

3. diplogin can (or must) be run setuid. See the section at the end of this chapter.

8.3.1 A sample script.

A sample script is shown in figure 8.3.1. It can be used to connect to cowslip by invoking dip with the script name as argument:

    # Sample dip script for dialing up cowslip
    # Set local and remote name and address
    get $local vlager
    get $remote cowslip

    port cua3           # choose a serial port
    speed 38400         # set speed to max
    modem HAYES         # set modem type
    reset               # reset modem and tty
    flush               # flush out modem response

    # Prepare for dialing.
    send ATQ0V1E1X1\r
    wait OK 2
    if $errlvl != 0 goto error
    dial 41988
    if $errlvl != 0 goto error
    wait CONNECT 60
    if $errlvl != 0 goto error

    # Okay, we're connected now
    sleep 3
    send \r\n\r\n
    wait ogin: 10
    if $errlvl != 0 goto error
    send Svlager\n
    wait ssword: 5
    if $errlvl != 0 goto error
    send hey-jude\n
    wait running 30
    if $errlvl != 0 goto error

    # We have logged in, and the remote side is firing up SLIP.
    print Connected to $remote with address $rmtip
    default             # Make this link our default route
    mode SLIP           # We go to SLIP mode, too

    # fall through in case of error
    error:
    print SLIP to $remote failed.

Figure 14. A sample dip script.

    # dip cowslip.dip
    DIP: Dialup IP Protocol Driver version 3.3.7 (12/13/93)
    Written by Fred N. van Kempen, MicroWalt Corporation.

    connected to cowslip.moo.com with addr 193.174.7.129
    #

After connecting to cowslip and enabling SLIP, dip will detach from the terminal and go to the background, leaving SL