ISC BIND (Berkeley Internet Name Domain) &
DNS: Security and Optimizing (1)

Author: Lee Woo-jung (wjlee@debianusers.org)

 

     

    References

    Securing and Optimizing Linux: DNS and BIND
    Author: Gerhard Mourani (gmourani@openna.com)
    Website: http://www.openna.com
    Version: rc1.0

     

    Table of Contents

    I. Introduction

    II. Compiling - Optimizing & Installing ISC BIND & DNS
        1. Information needed for installation
        2. A short tip before installing
        3. Installing

    III. Security
        1. Running ISC BIND & DNS in a chroot jail

    IV. Optimizing ISC BIND & DNS - Using lwresd

    V. Closing

 

I. Introduction

    First, this article leaves out general DNS concepts and configuration. Gerhard Mourani's Securing and Optimizing Linux: DNS and BIND does cover basic DNS configuration as well, but since there are already many articles dealing with DNS concepts and configuration, I ask the reader's understanding for omitting those parts here.

    DNS concepts, and detailed settings for the configuration files (named.conf etc.) and mapping files not covered in this article, can also be found in the original text. The original is the ISC BIND & DNS part of version 1.0 at http://www.openna.com/products/books/securing-optimizing-linux/old.htm, listed in the references.

    The original document covers ISC BIND 9.1.1, but the latest release at http://www.isc.org is 9.1.2. (The latest version of the document is not publicly available; the most recent of the old versions is 1.3, but there is no big difference.)
    This document was written with Redhat Linux as the reference system.

    The main topics of this document are summarized as follows.

       1. Installation with security and optimization in mind
       2. Security (chroot jail - running as a non-root user)
       3. Optimizing (lwresd)
       4. Security using TSIG (Transaction SIGnature) and the utilities provided with BIND9

    This issue covers items 1 through 3. The next issue will cover item 4: zone file transfer between the primary and secondary DNS using TSIG (Transaction SIGnature), as introduced in ISC BIND & DNS, and security using the other utilities provided with BIND9.

 

II. Compiling - Optimizing & Installing ISC BIND & DNS

    1. Information needed for installation

    The source information needed for installation is summarized below.

    ISC BIND & DNS Homepage : http://www.isc.org
    ISC BIND & DNS FTP site: 204.152.184.27
    Package name : bind-9.1.2.tar.gz

    * Prerequisites
    Before installing, the OpenSSL library must be installed in order to improve the performance of ISC BIND & DNS. If OpenSSL is not installed, make fails with an error. On Debian GNU/Linux (sid), installing the openssl and libssl-dev packages is enough.

    2. A short tip before installing

    When installing from a tarball rather than from a package such as rpm or deb, here is a simple tip for getting a list of where the installed files ended up.

    1) Before installing, save the current directory and file information with the simple command below.
        (It is recommended to run this as root from the /root directory.)

    [root@wjlee /root]# find /* > DNS1

    2) After installing, the installed files can be listed as follows.

    [root@wjlee /root]# find /* > DNS2
    [root@wjlee /root]# diff DNS1 DNS2 > ISC-BIND-DNS-Installed
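The same before/after comparison as a small script, added here as an example and not taken from the article or from Mourani's book. It sorts both listings and compares them with comm(1), so the result does not depend on the order in which find happens to walk the tree (a plain diff of two unsorted find listings can report every line as changed). The function names and the temporary demo tree are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article: snapshot a directory tree
# before and after an install and report what was added or removed. The
# article uses "find /* > DNS1", "find /* > DNS2" and "diff DNS1 DNS2";
# this version sorts both listings and compares them with comm(1), so the
# result does not depend on the order in which find walks the tree.
# Function names and the temporary demo tree are this example's own.

# snapshot_tree ROOT OUTFILE: write a sorted list of every path under ROOT.
snapshot_tree() {
    find "$1" -print 2>/dev/null | LC_ALL=C sort > "$2"
}

# list_added BEFORE AFTER: paths present in AFTER but not in BEFORE.
list_added() {
    LC_ALL=C comm -13 "$1" "$2"
}

# list_removed BEFORE AFTER: paths present in BEFORE but not in AFTER
# (useful for spotting an installer that deleted or replaced something).
list_removed() {
    LC_ALL=C comm -23 "$1" "$2"
}

# demo_install_diff: self-contained run on a constructed temporary tree,
# simulating an install that drops two binaries and a data directory.
# A real run would snapshot / before and after "make install"; as here,
# keep the snapshot files outside the tree being measured so they do not
# show up as "installed" themselves.
demo_install_diff() {
    work=$(mktemp -d) || return 1
    tree=$work/tree
    mkdir -p "$tree/usr/sbin" "$tree/etc"
    : > "$tree/etc/passwd"                   # pre-existing file
    snapshot_tree "$tree" "$work/snap1"      # the article's DNS1
    : > "$tree/usr/sbin/named"               # "make install" happens here
    : > "$tree/usr/sbin/lwresd"
    mkdir -p "$tree/var/named"
    snapshot_tree "$tree" "$work/snap2"      # the article's DNS2
    # print the added paths with the temporary prefix stripped
    list_added "$work/snap1" "$work/snap2" | sed "s|^$tree||"
    rm -rf "$work"
}
```

For the real installation, snapshot_tree / /root/DNS1 before make install and snapshot_tree / /root/DNS2 afterwards, then list_added /root/DNS1 /root/DNS2 gives the list the article stores in ISC-BIND-DNS-Installed.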

    3. Installing

    · Step1)
    Move the downloaded package to the /var/tmp directory and unpack it with the commands below.

    [root@wjlee /root]# cp bind-version.tar.gz /var/tmp/
    [root@wjlee /root]# cd /var/tmp
    [root@wjlee tmp]# tar xzpf bind-version.tar.gz

    · Step2)
    Obtain the PGP public key and check that the package to be installed is the original (this is to avoid installing a package that has been maliciously modified).
    The PGP public key can be obtained from http://www.isc.org.

    · Step3)
    Create the user that will run ISC BIND & DNS. For security reasons, running it as root is not desirable.

    # useradd -c "Named" -u 25 -s /bin/false -d /var/named named 2>/dev/null || :

    The command above creates a user called named that has only a uid and gid, with no password and no shell environment.

    · Step4)
    Change to the directory where the source package was unpacked with the command below.

    # cd bind-9.1.1rc3/

      Step4.1)
      Modify the dighost.c file: fix the missing initialization in the reverse-lookup function.

        #vi +224 bin/dig/dighost.c

        (before)
        if (n == 0) {
                return (DNS_R_BADDOTTEDQUAD);
        }
        for (i = n - 1; i >= 0; i--) {
                snprintf(working, MXNAME/8, "%d.", adrs[i]);

        (after)
        if (n == 0) {
                return (DNS_R_BADDOTTEDQUAD);
        }
        reverse[0] = 0;   /* start from an empty string before the loop appends to it */
        for (i = n - 1; i >= 0; i--) {
                snprintf(working, MXNAME/8, "%d.", adrs[i]);

      Step4.2)
      Modify the globals.h file: change the location of the named.pid and lwresd.pid files.

        #vi +101 bin/named/include/named/globals.h
        (before)
        "/run/named.pid");
        (after)
        "/run/named/named.pid");

        (before)
        "/run/lwresd.pid");
        (after)
        "/run/named/lwresd.pid");

    · Step5)
    Run the configure script and set up the rest of the environment so that the build is optimized.
    Change to the unpacked directory /var/tmp/bind-9.1.2 and issue the following command in the shell.

       [root@wjlee bind-9.1.2]# CFLAGS="-O3 -funroll-loops -fomit-frame-pointer" \
       ./configure \
       --prefix=/usr \
       --sysconfdir=/etc \
       --localstatedir=/var \
       --mandir=/usr/share/man \
       --with-openssl=/usr/include/openssl \
       --with-libtool \
       --disable-ipv6

    · Step6)
    Once the steps above have been carried out, preparation for the install is complete.

    Proceed with the install using the command below.

    · Step7)
    - Creating the configuration files -
    By default, make install creates no configuration files. named.conf and the mapping (zone) files that go into /var/named must be created by copying the example sources and configuring them appropriately.
    The example sources are in the /var/tmp/bind-9.1.2/bin/tests/system directory, and the files listed below need to be set up. As stated earlier, configuration itself is not covered here; I again ask the reader's understanding.

      1) The configuration files to set up are as follows.
      /etc/named.conf
      : refer to the examples in the /var/tmp/bind-9.1.2/bin/tests/system
      directory, the original text, or other reference books.

      zone files in /var/named
      /etc/logrotate.d/named
      /etc/sysconfig/named
      /etc/rc.d/init.d/named

      For /etc/named.conf and the zone files in /var/named, refer to the examples in the /var/tmp/bind-9.1.2/bin/tests/system directory, the original text, or other reference books.
      However, /etc/logrotate.d/named, /etc/sysconfig/named, and /etc/rc.d/init.d/named above will be covered briefly here.

      2) /etc/logrotate.d/named
      First create the file with touch /etc/logrotate.d/named. Then open it in an editor and write the following.

      /var/log/named.log {
         missingok
         postrotate
            /bin/kill -HUP `cat /var/named.pid 2> /dev/null` 2> /dev/null || true
         endscript
      }

      3) /etc/sysconfig/named
      Create this file in the same way as above, then open it and edit it as shown below. It will be used later when setting up the chroot jail, so after creating it, record the comments (#) and the few settings shown below.

      # Currently, you can use the following options:
      #ROOTDIR=""
      #OPTIONS=""

      4) /etc/rc.d/init.d/named
      This file will be created in the chroot jail section.

 

III. Security

    1. Running ISC BIND & DNS in a chroot jail

    1) The concept of the chroot jail
    In practice, ISC BIND & DNS is a very large and complex program, so one must keep in mind that it may contain bugs that can be attacked by an exploit. It is therefore desirable to run it as a dedicated user (we created the named user earlier) rather than as root, and running it in a chroot jail is also recommended. The idea of a chroot jail is to present a different directory to the process as the top-level directory / (the root directory).
    A simplified view of the directory layout is shown below.

    / -+- /bin
       |- /boot
       |- /dev
       |- /etc
       |- /home
       |- /chroot - /named -+- /dev
       |                    |- /etc
       |                    |- /lib
       |                    |- /usr
       |                    +- /var
         .
         .
         .

    Using the directory tree above as an example, the /chroot directory acts as /, so that anything accessing the system with the named user's privileges cannot escape the /chroot directory.

    2) Setting up the chroot jail

    · Step1)
    Prepare the environment for the chroot jail.

    [root@wjlee /]# mkdir -p /chroot/named
    [root@wjlee /]# mkdir -p /chroot/named/etc
    [root@wjlee /]# mkdir -p /chroot/named/var/run/named
    [root@wjlee /]# mkdir -p /chroot/named/var/named
    [root@wjlee /]# chown -R named.named /chroot/named/var/run/named/
    [root@wjlee /]# chown -R named.named /chroot/named/var/named/

    · Step2)
    Move the configuration files into the directories just created.

    [root@wjlee /]# mv /etc/named.conf /chroot/named/etc/
    [root@wjlee /]# cd /var/named; mv * /chroot/named/var/named/
    [root@wjlee /]# chown named.named /chroot/named/etc/named.conf
    [root@wjlee /]# chown -R named.named /chroot/named/var/named/*

    · Step3)
    Copy the /etc/localtime file into the chroot jail (local time information is needed to write the log files).

    [root@wjlee /]# cp /etc/localtime /chroot/named/etc/

    · Step4)
    Make the configuration file (named.conf) unmodifiable.
    [root@wjlee /]# cd /chroot/named/etc/
    [root@wjlee etc]# chattr +i named.conf

    - Note: the +i option makes named.conf impossible to delete or modify. Until chattr -i named.conf is run, it cannot be deleted even by the root user.

    · Step5)
    Remove the directories that held the mapping files before the chroot jail was used.

    [root@wjlee /]# rm -rf /var/named/
    [root@wjlee /]# rm -rf /var/run/named/

    · Step6)
    Modify the /etc/sysconfig/named file.

      (before)
      # Currently, you can use the following options:
      #ROOTDIR=""
      #OPTIONS=""

      (after)
      ROOTDIR="/chroot/named/"

    · Step7)
    Test the chroot environment.

    - Start ISC BIND & DNS with the command below.

    [root@wjlee /]# /etc/rc.d/init.d/named start

    - If it started without errors, type ps aux | grep named in the shell and check the result.

    4278 ?  S  0:00 named -u named -t /chroot/named/
    4279 ?  S  0:00 named -u named -t /chroot/named/
    4280 ?  S  0:00 named -u named -t /chroot/named/
    4281 ?  S  0:00 named -u named -t /chroot/named/
    4282 ?  S  0:00 named -u named -t /chroot/named/

    - Using one of the process IDs shown above, you can confirm the jail more definitely by listing
       the /proc/PROCESS_ID/root/ directory.

    [root@wjlee /]# ls -al /proc/4278/root/
    total 4
    drwxrwxr-x  4  root  root  1024  May 18 23:44 .
    drwxrwxr-x  4  root  root  1024  May 18 23:44 ..
    drwxrwxr-x  4  root  root  1024  May 18 23:44 etc
    drwxrwxr-x  4  root  root  1024  May 18 23:44 var
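The jail layout from Steps 1 to 3 and the /proc/PID/root check from Step 7, written as shell functions so the jail can be rebuilt and audited repeatably. This is an added example, not code from the article or from Mourani's book. The function names, the audit rules (no executable or setuid file inside a data-only jail) and the temporary directory used when running it unprivileged are this example's own assumptions; the directory layout itself is the article's (/chroot/named with etc, var/run/named and var/named).

```shell
#!/bin/sh
# Added example, not part of the original article: build the chroot jail
# skeleton from section III, audit what it contains, and resolve a running
# process's effective root through /proc/PID/root the way the article's
# manual "ls -al /proc/4278/root/" check does. Function names, audit rules
# and the demo's temporary directory are this example's own.

# make_jail JAILDIR: create the directories named needs inside the jail.
# chown to named:named only makes sense as root with the user present, so
# it is skipped otherwise (which lets the demo run unprivileged).
make_jail() {
    jail=$1
    mkdir -p "$jail/etc" "$jail/var/run/named" "$jail/var/named" || return 1
    # local time data, so log timestamps written inside the jail are correct
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$jail/etc/" && chmod 644 "$jail/etc/localtime"
    fi
    if [ "$(id -u)" -eq 0 ] && id named >/dev/null 2>&1; then
        chown -R named:named "$jail/var/run/named" "$jail/var/named"
    fi
    return 0
}

# audit_jail JAILDIR: 0 if the skeleton is present and the jail holds no
# executable or setuid file, 1 otherwise. A data-only jail should contain
# nothing a compromised named could run.
audit_jail() {
    jail=$1
    for d in etc var/run/named var/named; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing $jail/$d"
            return 1
        fi
    done
    if find "$jail" -type f \( -perm -100 -o -perm -4000 \) | grep -q .; then
        echo "executable or setuid file inside $jail"
        return 1
    fi
    return 0
}

# proc_root_of PID: print the directory the process sees as "/" (empty when
# /proc is unavailable or the link is not readable by this user).
proc_root_of() {
    readlink "/proc/$1/root" 2>/dev/null
}

# process_jailed_in PID JAILDIR: 0 if the process's root is JAILDIR.
# For the article's setup: process_jailed_in 4278 /chroot/named
process_jailed_in() {
    r=$(proc_root_of "$1")
    [ -n "$r" ] && [ "${r%/}" = "${2%/}" ]
}
```

Usage on the real system is make_jail /chroot/named, then audit_jail /chroot/named after the configuration files have been moved in, and process_jailed_in PID /chroot/named for each named process listed by ps aux | grep named. The audit is deliberately strict: the article's jail contains only configuration, zone data and the pid file, so any executable inside it is a sign that something was copied in by mistake.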

 

IV. Optimizing ISC BIND & DNS - Using lwresd

    1. Using lwresd

    One of the features of Bind9, the new version of Bind, is that it can be run as a daemon called lwresd. The lwresd daemon (essentially a caching-only name server) uses the lightweight resolver library, a protocol that places less load on the system than the DNS protocol.
    Here we look at how to run lwresd in the chroot environment.

    · Step1)
    If you use a firewall, note that lwresd uses UDP on port 921, so a rule for it must be added to the firewall. The details differ from firewall to firewall, but a rule like the one below will do (ACCEPT access to port 921 over UDP in the input chain). If you use kernel 2.4 with iptables, add the rule with iptables in the same way.

    Here we use the Redhat-style firewall configuration file as the example.

    Open the /etc/rc.d/init.d/firewall file and add the following.

    # LWRESD server (921)
    # -------------------

    # A lightweight resolver library for Caching-Only Name Server

    iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
             --source-port $UNPRIVPORTS \
             -d $IPADDR --destination-port 921 \
             -j ACCEPT

    iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
             -s $IPADDR --source-port 921 \
             --destination-port $UNPRIVPORTS \
             -j ACCEPT

    · Step2)
    By default the lwresd daemon listens for requests on the local loopback (127.0.0.1), so it must be made to serve requests arriving on the system's external interface. Add the following line to resolv.conf.

    lwserver 207.37.78.2

    · Step3)
    Copy the configured resolv.conf file to /chroot/named/etc so that it is visible inside the chroot jail.

    [root@wjlee /]# cp /etc/resolv.conf /chroot/named/etc/

    · Step4)
    Write and save the script that starts lwresd on the system (/etc/rc.d/init.d/lwresd on Redhat).

    #!/bin/bash
    #
    # lwresd        This shell script takes care of starting and stopping lwresd
    #               (the lightweight resolver daemon).
    #
    # chkconfig: - 55 45
    # description: lwresd is essentially a Caching-Only Name Server that answers \
    #              requests using the lightweight resolver protocol rather than \
    #              the DNS protocol.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0
    # ROOTDIR (the chroot jail) and OPTIONS come from /etc/sysconfig/named.
    [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named
    [ -f /usr/sbin/lwresd ] || exit 0
    [ -f "${ROOTDIR}"/etc/resolv.conf ] || exit 0

    RETVAL=0

    start() {
            # Start daemons.
            echo -n "Starting lwresd: "
            # Run inside the jail unless ROOTDIR is unset or is "/".
            if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                    OPTIONS="${OPTIONS} -t ${ROOTDIR}"
            fi
            daemon lwresd -u named ${OPTIONS}
            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/lwresd
            echo
            return $RETVAL
    }
    stop() {
            # Stop daemons.
            echo -n "Shutting down lwresd: "
            killproc lwresd
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/lwresd
            echo
            return $RETVAL
    }
    restart() {
            stop
            start
    }

    # See how we were called.
    case "$1" in
            start)
                    start
                    ;;
            stop)
                    stop
                    ;;
            restart)
                    restart
                    ;;
            *)
                    echo "Usage: lwresd {start|stop|restart}"
                    exit 1
                    ;;
    esac
    exit $?

    · Step5)
    Set the permissions on the /etc/rc.d/init.d/lwresd script you wrote and make it start automatically at system boot.

    [root@wjlee /]# chmod 700 /etc/rc.d/init.d/lwresd
    [root@wjlee /]# chown 0.0 /etc/rc.d/init.d/lwresd

    The following creates the symbolic links in the rc.d directories and then makes the service start at boot in runlevels 2, 3, 4, and 5.

    [root@wjlee /]# chkconfig --add lwresd
    [root@wjlee /]# chkconfig --level 2345 lwresd on

    · Step6)
    Finally, the existing named must be prevented from starting at boot.

    [root@wjlee /]# chkconfig --del named
    [root@wjlee /]# chkconfig --level 2345 named off
    [root@wjlee /]# rm -f /etc/rc.d/init.d/named

    · Step7)
    Start the lwresd daemon.

    [root@wjlee /]# /etc/rc.d/init.d/lwresd start

 

V. Closing

    This concludes our look at the initial installation of ISC BIND & DNS and at simple security and optimization methods for it.
    The next issue will cover zone file transfer using TSIG and the other features provided by ISC BIND, and security using the utilities it provides.



