
Rocky Linux-0088-Tutorial-DNS-Private DNS Resolution with Bind-04

Date: 2023-01-31 16:32:01 | Source: Website Building Knowledge


0. Background

CentOS 8 is no longer maintained; Rocky Linux is the future~

Starting with this post, I am translating the Rocky Linux DNS resolution docs~

(1) Posts in this series

格瑞图: Rocky Linux-0001~0011-Tutorial-Custom Kernel

格瑞图: Rocky Linux-0012~0024-Tutorial-Building the Documentation Together

格瑞图: Rocky Linux-0025~0034-Tutorial-Automation

格瑞图: Rocky Linux-0034~0043-Tutorial-File Synchronization

格瑞图: Rocky Linux-0044~0051-Tutorial-Content Management

格瑞图: Rocky Linux-0053~0053-Tutorial-Communication Services

格瑞图: Rocky Linux-0054~0082-Tutorial-Container Technology

格瑞图: Rocky Linux-0083-0084-Tutorial-Databases

格瑞图: Rocky Linux-0085-Tutorial-DNS-Private DNS Resolution with Bind-01

格瑞图: Rocky Linux-0086-Tutorial-DNS-Private DNS Resolution with Bind-02

格瑞图: Rocky Linux-0087-Tutorial-DNS-Private DNS Resolution with Bind-03

8. Rocky Linux 9.0

Stupid Profile Names

In NetworkManager, connections are not modified by the name of the device but by the name of the profile. This can be something like "Wired connection 1" or "Wireless connection 1". You can see the profile by running nmcli without any parameters:

nmcli
This will show you output such as this:

enp0s3: connected to Wired Connection 1
        "Intel 82540EM"
        ethernet (e1000), 08:00:27:E4:2D:3D, hw, mtu 1500
        ip4 default
        inet4 192.168.1.140/24
        route4 192.168.1.0/24 metric 100
        route4 default via 192.168.1.1 metric 100
        inet6 fe80::f511:a91b:90b:d9b9/64
        route6 fe80::/64 metric 1024

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: 192.168.1.1
        domains: localdomain
        interface: enp0s3

Use "nmcli device show" to get complete information about known devices and
"nmcli connection show" to get an overview on active connection profiles.

Before we even start modifying the connection, you should rename the profile to something sane, such as the name of the interface (note that the "\" below escapes the spaces in the profile name, since the shell would otherwise split it into three arguments):

nmcli connection modify Wired\ connection\ 1 con-name enp0s3
Once you've done this, run nmcli by itself again and you will see something like this:

enp0s3: connected to enp0s3
        "Intel 82540EM"
        ethernet (e1000), 08:00:27:E4:2D:3D, hw, mtu 1500
        ip4 default
        inet4 192.168.1.140/24
        route4 192.168.1.0/24 metric 100
        route4 default via 192.168.1.1 metric 100
...

This will make the remaining configuration for the DNS much easier!

Assuming that your connection profile name is "enp0s3", we keep the already configured DNS server but add our local DNS server in front of it:

nmcli con mod enp0s3 ipv4.dns '192.168.1.138,192.168.1.1'
You can have more DNS servers, and for a machine configured with public DNS servers, say Google's open DNS, you can have something like this instead:

nmcli con mod enp0s3 ipv4.dns '192.168.1.138,8.8.8.8,8.8.4.4'
Once you've added the DNS servers that you want to the connection, you should be able to resolve hosts in ourdomain.lan as well as Internet hosts.

(3) 9.0 Firewall Rules - firewalld

firewalld By Default

With Rocky Linux 9.0 and above, using iptables rules is deprecated. You should use firewalld instead.

We aren't making any assumptions about the network or services that might be needed, except that we are turning on SSH access and DNS access for our LAN network only. For this, we will use the firewalld built-in zone "trusted". We will also have to make some service changes to the "public" zone in order to limit SSH access to the LAN.

The first step is to add our LAN network to the "trusted" zone:

firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent

Next, we need to add our two services to the "trusted" zone:

firewall-cmd --zone=trusted --add-service=ssh --permanent
firewall-cmd --zone=trusted --add-service=dns --permanent

Finally, we need to remove the SSH service from our "public" zone, where it is on by default:

firewall-cmd --zone=public --remove-service=ssh --permanent
Next, reload the firewall (the --permanent changes above only take effect after a reload) and then list out the zones that we've made changes to:

firewall-cmd --reload
firewall-cmd --zone=trusted --list-all

This should show that you have correctly added the services and the source network:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Listing out the "public" zone should show that SSH access is no longer allowed:

firewall-cmd --zone=public --list-all
This should show you:

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

These rules should get you DNS resolution on your private DNS server from hosts on the 192.168.1.0/24 network. In addition, you should be able to SSH from any of those hosts into your private DNS server.
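As an added check (example code written for this post, not from the Rocky Linux docs), the following POSIX shell script audits firewall-cmd --list-all style zone listings for the end state the rules above are meant to produce: the LAN is a trusted source, dns and ssh are trusted services, and ssh is no longer in "public". The listings are constructed samples modelled on the output shown above; on a live host you would feed in the real firewall-cmd output instead.

```shell
# Added example, not from the Rocky Linux docs or this post. The listings are
# constructed samples in "firewall-cmd --zone=<zone> --list-all" format; on a
# real host capture that command's output and pass it to check_zones.
TRUSTED_LISTING='trusted (active)
  target: ACCEPT
  sources: 192.168.1.0/24
  services: dns ssh
  ports:
  forward-ports:
  rich rules:'
# "public" as the tutorial leaves it (ssh removed)...
PUBLIC_AFTER='public
  target: default
  services: cockpit dhcpv6-client
  ports:'
# ...and as it ships by default, with ssh still open to any source
PUBLIC_BEFORE='public
  target: default
  services: cockpit dhcpv6-client ssh
  ports:'
# zone_field LISTING FIELD: print the value of the "  FIELD: value" line
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}
# has_word LIST WORD: succeed if WORD is one of the whitespace-separated items
has_word() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}
# check_zones TRUSTED PUBLIC LAN: print each deviation; return 0 only if LAN is a
# trusted source, dns and ssh are trusted services, and public no longer has ssh
check_zones() {
    rc=0
    has_word "$(zone_field "$1" sources)" "$3" \
        || { echo "trusted: source $3 missing"; rc=1; }
    for s in dns ssh; do
        has_word "$(zone_field "$1" services)" "$s" \
            || { echo "trusted: service $s missing"; rc=1; }
    done
    has_word "$(zone_field "$2" services)" ssh \
        && { echo "public: ssh still open to any source"; rc=1; }
    return $rc
}
check_zones "$TRUSTED_LISTING" "$PUBLIC_BEFORE" 192.168.1.0/24 || echo "before: not compliant"
check_zones "$TRUSTED_LISTING" "$PUBLIC_AFTER" 192.168.1.0/24 && echo "after: compliant"
```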

N. Afterword

Oyster

~

Keywords: private, tutorial

