Windows 域里有一个功能:DHCP 把新分发的 IP 数据发给 DNS 服务器,这样只要知道一个人的电脑名字就可以很方便地远程。
Linux 当然也能很好地实现类似的功能。man 5 dhcpd.conf 有详细描述。
昨天运维帮组织线下的沙龙,又拍云的运维总监邵海杨先生分享了一句"千金难买早知道"。是啊,就在实现动态更新的功能上,在网上找了不少博客,照着做又遇到各种问题,最后还是不知道到底是什么原理实现的。早知道认真看一下 man,问题早就解决了,对实现的原理也理解得更深些。所以,在这个信息爆炸的时代,很多时候互联网真的没有让人更聪明,反而大量的信息经常把人淹没了。技术,还是需要静下心来去钻研的。
DHCP 和 DNS 的基本配置资料比较完善,此处不再赘述。有心的朋友认真看一下 man 5 dhcpd.conf,瞧一眼下面配置中标红的部分,相信就能搞定了。
另外分享一个 DNS chroot 的流程:先安装 bind,调通 named,然后再安装 bind-chroot
执行 /usr/libexec/setup-named-chroot.sh /var/named/chroot on
停用 named,启用 named-chroot 即可
systemctl disable named; systemctl stop named
systemctl enable named-chroot; systemctl start named-chroot
[root@pxe ~]# cat /etc/dhcp/dhcpd.conf
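# "interim" is the legacy DDNS style; ISC DHCP 4.3+ documents "standard"
# as its replacement. Either works with the key/zone blocks below.
ddns-update-style interim;
ddns-updates on;
do-forward-updates on;
# With "allow", a client that asks to register its own A record is honoured
# and the server then writes only the PTR. named.conf on 192.168.1.200
# accepts updates signed with SEC_DDNS only, which clients do not hold, so
# such clients end up with no forward record. Use "ignore client-updates;"
# if the server must always write both records itself.
allow client-updates;
allow bootp;
allow booting;
option space Cisco_LWAPP_AP;
option Cisco_LWAPP_AP.server-address code 241 = array of ip-address;
option space pxelinux;
option pxelinux.magic code 208 = string;
option pxelinux.configfile code 209 = text;
option pxelinux.pathprefix code 210 = text;
option pxelinux.reboottime code 211 = unsigned integer 32;
option architecture-type code 93 = unsigned integer 16;
subnet 192.168.1.0 netmask 255.255.255.0 {
  authoritative;
  option routers 192.168.1.1;
  option subnet-mask 255.255.255.0;
  option broadcast-address 192.168.1.255;
  option domain-name "it.lab";
  option domain-name-servers 192.168.1.200;
  range dynamic-bootp 192.168.1.100 192.168.1.199;
  # TSIG key shared with named: name, algorithm and secret must match the
  # key block in named.conf exactly. This secret is published with the
  # post, so generate a fresh one (e.g. tsig-keygen) before reuse; hmac-md5
  # is discouraged in current BIND, hmac-sha256 is the usual choice.
  # Keeping the block in a separately included file with restrictive
  # permissions avoids exposing the secret in a world-readable dhcpd.conf.
  key SEC_DDNS {
    algorithm hmac-md5;
    secret 7ObhTIhKeDFMR2SbbS5s8A==;
  };
  ddns-domainname "it.lab";
  # Forward and reverse zones the server updates, signed with SEC_DDNS.
  zone it.lab. {
    primary 192.168.1.200;
    key SEC_DDNS;
  }
  zone 1.168.192.in-addr.arpa. {
    primary 192.168.1.200;
    key SEC_DDNS;
  }
  default-lease-time 600;
  max-lease-time 7200;
  # PXE clients: pick the boot loader by client architecture (option 93),
  # 00:07 is x86-64 UEFI, everything else falls back to BIOS pxelinux.
  class "pxeclients" {
    match if substring (option vendor-class-identifier, 0, 9) = "PXEClient";
    next-server 192.168.1.200;
    if option architecture-type = 00:07 {
      filename "uefi/syslinux.efi";
    } else {
      filename "bios/pxelinux.0";
    }
    # filename "pxelinux.0";
  }
}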
[root@pxe ~]# cat /etc/named.conf
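//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
  listen-on port 53 { 127.0.0.1; 192.168.1.200; };
  listen-on-v6 port 53 { ::1; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-query { any; };
  /*
   - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
   - If you are building a RECURSIVE (caching) DNS server, you need to enable
     recursion.
   - If your recursive DNS server has a public IP address, you MUST enable access
     control to limit queries to your legitimate users. Failing to do so will
     cause your server to become part of large scale DNS amplification
     attacks. Implementing BCP38 within your network would greatly
     reduce such attack surface
  */
  // dhcpd.conf hands this host out as the clients' only resolver
  // (option domain-name-servers 192.168.1.200). With recursion off the
  // clients can resolve it.lab only, and the root hint zone below is unused.
  // If this server is also meant to resolve external names, enable
  // recursion and restrict it to the LAN, e.g.
  //   recursion yes;
  //   allow-recursion { 127.0.0.1; 192.168.1.0/24; };
  recursion no;
  dnssec-enable yes;
  dnssec-validation yes;
  // ISC retired DLV in 2017; dnssec-lookaside and bindkeys-file are
  // obsolete in current BIND releases and should be removed there.
  dnssec-lookaside auto;
  /* Path to ISC DLV key */
  bindkeys-file "/etc/named.iscdlv.key";
  managed-keys-directory "/var/named/dynamic";
  pid-file "/run/named/named.pid";
  session-keyfile "/run/named/session.key";
};
logging {
  channel default_debug {
    file "data/named.run";
    severity dynamic;
  };
};
zone "." IN {
  type hint;
  file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// TSIG key for DDNS: must match the key block in dhcpd.conf exactly (name,
// algorithm, secret). The secret is published with this post, so regenerate
// it before use; hmac-md5 is discouraged, hmac-sha256 is the usual choice.
key SEC_DDNS {
  algorithm hmac-md5;
  secret 7ObhTIhKeDFMR2SbbS5s8A==;
};
// Dynamic zones: named rewrites the zone file and keeps a .jnl journal
// next to it, so the directory holding it must be writable by the named
// user. On Red Hat layouts /var/named itself usually is not; the
// conventional place is /var/named/dynamic/ (file "dynamic/it.lab.forward";).
// Only updates signed with SEC_DDNS are accepted.
zone "it.lab" IN {
  type master;
  file "it.lab.forward";
  allow-update { key SEC_DDNS; };
};
zone "1.168.192.in-addr.arpa" IN {
  type master;
  file "1.168.192.reverse";
  allow-update { key SEC_DDNS; };
};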