Reference
Securing and Optimizing Linux: DNS and BIND
Author's: Gerhard Mourani (gmourani@openna.com)
Website: http://www.openna.com
Version: rc1.0
Table of Contents
Ⅰ. Introduction
Ⅱ. Compiling - Optimizing & Installing ISC BIND & DNS
1. Information needed for installation
2. A short tip before installing
3. Installing
Ⅲ. Security
1. Running ISC BIND & DNS in a chroot jail
Ⅳ. Optimizing ISC BIND & DNS - Using lwresd
Ⅴ. Conclusion
Ⅰ. Introduction
First, this article deliberately leaves out general DNS concepts and configuration. Gerhard Mourani's Securing and Optimizing Linux: DNS and BIND does cover basic DNS configuration as well, but since many articles already cover DNS concepts and configuration methods, I ask the reader's understanding for omitting those parts here.
DNS concepts, and detailed settings for the configuration files not covered here (named.conf and so on) and for the mapping files, can also be found in the original text. The original is the ISC BIND & DNS section of version 1.0 at http://www.openna.com/products/books/securing-optimizing-linux/old.htm, listed in the reference above.
This document covers ISC BIND 9.1.1, but the latest release at http://www.isc.org is 9.1.2. (The newest version of the book is not publicly available; the newest of the old versions is 1.3, but there is no big difference.)
This document was written with Redhat Linux as the baseline.
The main topics covered in this document are summarized as follows.
1. Installation with security and optimization in mind
2. Security (chroot jail - running as a non-root user)
3. Optimizing (lwresd)
4. Security using TSIG (Transaction SIGnature) and the utilities provided with BIND9
This issue covers items 1 through 3. The next issue will cover item 4: zone file transfer between the Primary DNS and the Secondary DNS using TSIG (Transaction SIGnature), as introduced in ISC BIND & DNS, and the other security features provided by the BIND9 utilities.
Ⅱ. Compiling - Optimizing & Installing ISC BIND & DNS
1. Information needed for installation
The source information needed for installation is summarized below.
ISC BIND & DNS Homepage : http://www.isc.org
ISC BIND & DNS FTP site: 204.152.184.27
Package name : bind-9.1.2.tar.gz
* Prerequisites
Before installing, the OpenSSL library must be installed, which improves the performance of ISC BIND & DNS. If OpenSSL is not installed, the make step fails with an error. On Debian GNU/Linux (sid), installing the openssl and libssl-dev packages is sufficient.
2. A short tip before installing
When not installing from a package such as rpm or deb (that is, when installing from a tarball), here is a short tip for getting a list of where the installed files ended up.
1) Before installing, save the current directory and file information with the simple command below. (It is recommended to run this as the root user from the /root directory.)
[root@wjlee /root]# find /* > DNS1
2) After installing, the installed files can be listed as follows.
[root@wjlee /root]# find /* > DNS2
[root@wjlee /root]# diff DNS1 DNS2 > ISC-BIND-DNS-Installed
3. Installing
· Step 1)
Move the downloaded package to the /var/tmp directory and unpack it with the following commands.
[root@wjlee /root]# cp bind-version.tar.gz /var/tmp/
[root@wjlee /root]# cd /var/tmp
[root@wjlee tmp]# tar xzpf bind-version.tar.gz
· Step 2)
Obtain the PGP public key and verify that the package to be installed is the genuine one (this is to avoid installing a package that has been modified with malicious intent). The PGP public key is available from http://www.isc.org.
· Step 3)
Create the user that will run ISC BIND & DNS. For security reasons, running it as root is not advisable.
# useradd -c "Named" -u 25 -s /bin/false -d /var/named named 2>/dev/null || :
This command creates a user called named that has only a uid and gid, with no password and no shell environment.
· Step 4)
Change into the directory where the source package was unpacked with the following command.
# cd bind-9.1.1rc3/
Step 4.1)
Modify dighost.c: fix the missing initialization in the reverse-lookup function.
#vi +224 bin/dig/dighost.c
(before)
if (n == 0) {
        return (DNS_R_BADDOTTEDQUAD);
}
for (i = n-1; i >= 0; i--) {
        snprintf(working, MXNAME/8, "%d.", adrs[i]);
(after)
if (n == 0) {
        return (DNS_R_BADDOTTEDQUAD);
}
reverse[0] = 0;    /* start from an empty string: the loop below appends each octet to reverse */
for (i = n-1; i >= 0; i--) {
        snprintf(working, MXNAME/8, "%d.", adrs[i]);
Step 4.2)
Modify globals.h: change the location of the named.pid and lwresd.pid files.
#vi +101 bin/named/include/named/globals.h
(before)
"/run/named.pid");
(after)
"/run/named/named.pid");
(before)
"/run/lwresd.pid");
(after)
"/run/named/lwresd.pid");
· Step 5)
Run the configure script and set up the rest of the environment so that the build is optimized. Change to the unpacked directory /var/tmp/bind-9.1.2 and enter the following at the shell.
[root@wjlee bind-9.1.2]# CFLAGS="-O3 -funroll-loops -fomit-frame-pointer" \
./configure \
--prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var \
--mandir=/usr/share/man \
--with-openssl=/usr/include/openssl \
--with-libtool \
--disable-ipv6
· Step 6)
If the steps above have been completed, the preparation for the install is done. Proceed with the install using the following commands.
· Step 7)
- Creating the configuration files -
By default, make install creates no configuration files. named.conf and the mapping (zone) files that go into /var/named must be set up by copying the example sources and adapting them appropriately. The example sources are in the /var/tmp/bind-9.1.2/bin/tests/system directory, and the files below need to be prepared. As stated earlier, I again ask the reader's understanding that configuration details are not covered here.
1) The configuration files to set up are as follows.
/etc/named.conf
zone files in /var/named
/etc/logrotate.d/named
/etc/sysconfig/named
/etc/rc.d/init.d/named
For /etc/named.conf and the zone files in /var/named, refer to the examples in the /var/tmp/bind-9.1.2/bin/tests/system directory, the original text, or other references.
However, /etc/logrotate.d/named, /etc/sysconfig/named and /etc/rc.d/init.d/named are covered briefly here.
2) /etc/logrotate.d/named
First create the file with touch /etc/logrotate.d/named, then open it in an editor and write the following.
/var/log/named.log {
        missingok
        postrotate
                # Tell named to reopen its log. The pid file path must match the one set in globals.h in Step 4.2
                # (seen from the host, it lives under /chroot/named/var/run/named/ once the chroot jail of section III is in use).
                /bin/kill -HUP `cat /var/run/named/named.pid 2> /dev/null` 2> /dev/null || true
        endscript
}
3) /etc/sysconfig/named
Create this file in the same way and open it for editing as shown below. It will be used later when the chroot jail is set up, so after creating it, put in the comment (#) lines and the few settings shown below.
# Currently, you can use the following options:
# ROOTDIR=""
# OPTIONS=""
4) /etc/rc.d/init.d/named
This file will be created in the chroot jail section.
Ⅲ. Security
1. Running ISC BIND & DNS in a chroot jail
1) The concept of a chroot jail
ISC BIND & DNS is in fact a very large and complex program, so bugs that could be attacked by an exploit have to be kept in mind. Hence it is desirable to run it as a dedicated user rather than as root (the named user was created earlier for this), and running it in a chroot jail is also recommended. The idea of a chroot jail is to fool the process about the top-level directory / (the root directory).
A simplified view of the directory layout is as follows.
/ -+- /bin
   |- /boot
   |- /dev
   |- /etc
   |- /home
   |- /chroot - /named -+- /dev
   |                    |- /etc
   |                    |- /lib
   |                    |- /usr
   |                    +- /var
   .
   .
   .
Taking the directory tree above as an example, the /chroot directory behaves as /, so that a process running with the named user's privileges cannot escape the /chroot directory.
2) Building the chroot jail
· Step 1)
Create the directory environment for the chroot jail.
[root@wjlee /]# mkdir -p /chroot/named
[root@wjlee /]# mkdir -p /chroot/named/etc
[root@wjlee /]# mkdir -p /chroot/named/var/run/named
[root@wjlee /]# mkdir -p /chroot/named/var/named
[root@wjlee /]# chown -R named.named /chroot/named/var/run/named/
[root@wjlee /]# chown -R named.named /chroot/named/var/named/
· Step 2)
Move the configuration files into the directories just created.
[root@wjlee /]# mv /etc/named.conf /chroot/named/etc/
[root@wjlee /]# cd /var/named; mv * /chroot/named/var/named/
[root@wjlee /]# chown named.named /chroot/named/etc/named.conf
[root@wjlee /]# chown -R named.named /chroot/named/var/named/*
· Step 3)
Copy the /etc/localtime file into the chroot jail (local time information is needed to write the log files with correct timestamps).
[root@wjlee /]# cp /etc/localtime /chroot/named/etc/
· Step 4)
Make the configuration file (named.conf) immutable.
[root@wjlee /]# cd /chroot/named/etc/
[root@wjlee etc]# chattr +i named.conf
- Note: the +i option makes named.conf impossible to delete or modify. Until chattr -i named.conf is run, even the root user cannot delete it.
· Step 5)
Delete the directories where the mapping files lived before the chroot jail was introduced.
[root@wjlee /]# rm -rf /var/named/
[root@wjlee /]# rm -rf /var/run/named/
· Step 6)
Modify the /etc/sysconfig/named file.
(before)
#Currently, you can use the following options:
#ROOTDIR=""
#OPTIONS=""
(after)
ROOTDIR="/chroot/named/"
· Step 7)
Testing the chroot environment
- Start ISC BIND & DNS with the following command.
[root@wjlee /]# /etc/rc.d/init.d/named start
- If it started without errors, enter ps aux | grep named at the shell and check the result.
4278 ? S 0:00 named -u named -t /chroot/named/
4279 ? S 0:00 named -u named -t /chroot/named/
4280 ? S 0:00 named -u named -t /chroot/named/
4281 ? S 0:00 named -u named -t /chroot/named/
4282 ? S 0:00 named -u named -t /chroot/named/
- Using one of the process IDs shown above, you can confirm this further by listing the /proc/PROCESS_ID/root/ directory.
[root@wjlee /]# ls -al /proc/4278/root/
total 4
drwxrwxr-x 4 root root 1024 May 18 23:44 .
drwxrwxr-x 4 root root 1024 May 18 23:44 ..
drwxrwxr-x 4 root root 1024 May 18 23:44 etc
drwxrwxr-x 4 root root 1024 May 18 23:44 var
Ⅳ. Optimizing ISC BIND & DNS - Using lwresd
1. Using lwresd
One of the features of Bind9, the new version of Bind, is that it can run as a daemon called lwresd. The lwresd daemon (essentially a Caching-Only Name Server) uses the lightweight resolver library and a protocol that imposes less load than the DNS protocol. Here we look at how to run lwresd in the chroot environment.
· Step 1)
If a firewall is in use, rules for lwresd need to be added to it, since lwresd uses the UDP protocol on port 921. The details differ from firewall to firewall, but rules like the following can be added (ACCEPT access to port 921 over udp in the input chain). If kernel 2.4 with iptables is used, the same rules are added using iptables.
Here is the example for the Redhat-style firewall configuration file.
Open the /etc/rc.d/init.d/firewall file and add the following.
# LWRESD server (921)
# -------------------
# A lightweight resolver library for Caching-Only Name Server
iptables -A INPUT -i $EXTERNAL_INTERFACE -p udp \
         --source-port $UNPRIVPORTS \
         -d $IPADDR --destination-port 921 \
         -j ACCEPT

iptables -A OUTPUT -o $EXTERNAL_INTERFACE -p udp \
         -s $IPADDR --source-port 921 \
         --destination-port $UNPRIVPORTS \
         -j ACCEPT
· Step 2)
By default the lwresd daemon waits for requests on the local loopback (127.0.0.1), so it must be made to listen for requests arriving on the system's external interface. This is done with the lwserver line in resolv.conf, giving the address of the external interface (the example uses 207.37.78.2).
lwserver 207.37.78.2
· Step 3)
Copy the configured resolv.conf file into the chroot jail's /etc directory so that it matches the chroot environment.
[root@wjlee /]# cp /etc/resolv.conf /chroot/named/etc/
· Step 4)
Write and save the script that starts lwresd on the system (on Redhat, /etc/rc.d/init.d/lwresd).
#!/bin/bash
#
# lwresd        This shell script takes care of starting and stopping
#               lwresd (the lightweight resolver daemon).
#
# chkconfig: - 55 45
# description: lwresd is essentially a Caching-Only Name Server that answers \
#              requests using the lightweight resolver protocol rather than \
#              the DNS protocol.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# ROOTDIR (the chroot jail) and OPTIONS come from /etc/sysconfig/named.
[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

[ -f /usr/sbin/lwresd ] || exit 0
[ -f "${ROOTDIR}"/etc/resolv.conf ] || exit 0

RETVAL=0

start() {
        # Start daemons.
        echo -n "Starting lwresd: "
        # Run inside the chroot jail whenever ROOTDIR is set to something other than /.
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
                OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        fi
        daemon lwresd -u named ${OPTIONS}
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/lwresd
        echo
        return $RETVAL
}

stop() {
        # Stop daemons.
        echo -n "Shutting down lwresd: "
        killproc lwresd
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/lwresd
        echo
        return $RETVAL
}

restart() {
        stop
        start
}

# See how we were called.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        restart
        ;;
  *)
        echo "Usage: lwresd {start|stop|restart}"
        exit 1
esac

exit $?
· Step 5)
Set the permissions on the /etc/rc.d/init.d/lwresd script you wrote, and make it start automatically at system boot.
[root@wjlee /]# chmod 700 /etc/rc.d/init.d/lwresd
[root@wjlee /]# chown 0.0 /etc/rc.d/init.d/lwresd
The following creates the symbolic links in the rc.d directories so that the script runs at boot in runlevels 2, 3, 4 and 5.
[root@wjlee /]# chkconfig --add lwresd
[root@wjlee /]# chkconfig --level 2345 lwresd on
· Step 6)
Finally, the existing named must be prevented from starting at boot.
[root@wjlee /]# chkconfig --del named
[root@wjlee /]# chkconfig --level 2345 named off
[root@wjlee /]# rm -f /etc/rc.d/init.d/named
· Step 7)
Start the lwresd daemon.
[root@wjlee /]# /etc/rc.d/init.d/lwresd start
Ⅴ. Conclusion
This concludes our look at the initial installation of ISC BIND & DNS and at simple security and optimization methods. The next issue will cover zone file transfer using TSIG and related features provided by ISC BIND, and security using the provided utilities.