How to make DNS master/slave replication coexist with SELinux on RHEL 6.3


DNS (BIND): building a master/slave DNS server pair for load balancing and redundancy

------ Coexistence of SELinux and DNS

Another blog address: www.rsyslog.org

Theoretical Analysis:

1. Zone types: the master/slave architecture;

A zone of type master holds, in its zone file, the host names of all hosts and the related records. Normally we add and modify that file by hand and, once the changes are complete, restart the service so that it reads the data from the master's database. This is the type we normally configure when setting up DNS; at the same time we have to make sure the data is made available to the slave server, which is set in the configuration file.

A zone of type slave must have a master node from which to obtain its data. Typically there is one master and one slave. If both were masters, we would have to add and modify two master instances at the same time, and a mistaken edit would be awkward; with a master/slave pair we modify only the master. The point that matters here is that, whether on the master or on the slave, the data content must be kept completely consistent.

2. Master/slave data synchronization process;

First, the slave reads its data from the master. But how is the slave told that the master's data has been updated? There are two ways to inform the slave database. One: the master notifies proactively; after the master's data is modified and the database serial number increased, the master notifies the slave when the service is restarted. Two: the slave takes the initiative and asks the master; when it finds that the master's data differs from its own, the slave updates its copy.
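Both mechanisms above end in the same decision: is the master's SOA serial newer than the copy the slave holds? BIND answers that with RFC 1982 serial arithmetic (32-bit, wrapping), so "newer" is not a plain integer comparison. The following Python is an added example, not code from the article or from BIND; it parses the SOA timers out of a zone file, implements the serial comparison, and runs one refresh round of the slave. The zone file text and its numbers are constructed for this example (the 300-second negative-cache value is the article's 5 minutes).

```python
"""Master/slave zone synchronisation (added example, not the article's code).

The slave polls every `refresh` seconds (or immediately on NOTIFY) and
transfers the zone when the master's serial is newer per RFC 1982.
"""
import re
from typing import Dict, Optional, Tuple

SERIAL_MOD = 1 << 32
SERIAL_HALF = 1 << 31

# Constructed sample zone file: SOA values are made up for this example.
SAMPLE_ZONE = """\
$TTL 300
@   IN  SOA  ns1.example.test. admin.example.test. (
            2013122801 ; serial
            3600       ; refresh: how often the slave polls the master
            900        ; retry: poll interval after a failed refresh
            604800     ; expire: stop serving the zone after this long without contact
            300 )      ; negative-cache TTL (the article's 5 minutes)
    IN  NS   ns1.example.test.
ns1 IN  A    192.168.100.102
"""


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 'a is newer than b' for 32-bit serials that wrap around."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def bump_serial(serial: int, step: int = 1) -> int:
    """Increase the serial (the article adds 1); wraps at 2^32 as RFC 1982 allows."""
    if not 0 < step < SERIAL_HALF:
        raise ValueError("step must be between 1 and 2^31-1")
    return (serial + step) % SERIAL_MOD


def parse_soa(zone_text: str) -> Dict[str, int]:
    """Pull serial/refresh/retry/expire/minimum out of a zone file's SOA record."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    # Join the parenthesised multi-line SOA onto one line.
    flat = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", no_comments)
    for line in flat.splitlines():
        tokens = line.split()
        if "SOA" in tokens:
            i = tokens.index("SOA")
            numbers = [int(t) for t in tokens[i + 3:i + 8]]  # skip MNAME and RNAME
            if len(numbers) != 5:
                raise ValueError("SOA record is missing timer fields")
            return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), numbers))
    raise ValueError("no SOA record found")


def slave_should_transfer(master_serial: int, slave_serial: Optional[int]) -> bool:
    """A slave with no copy yet, or with an older copy, must do a zone transfer."""
    return slave_serial is None or serial_gt(master_serial, slave_serial)


def refresh_cycle(master_serial: int, slave_serial: Optional[int], soa: Dict[str, int],
                  master_reachable: bool = True) -> Tuple[Optional[int], int]:
    """One round of the slave checking the master (a NOTIFY just triggers this early).

    Returns (serial the slave holds afterwards, seconds until the next check).
    """
    if not master_reachable:
        return slave_serial, soa["retry"]       # could not ask: try again sooner
    if slave_should_transfer(master_serial, slave_serial):
        return master_serial, soa["refresh"]    # zone transfer happens here
    return slave_serial, soa["refresh"]         # serials equal: nothing to do


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa)
    print(refresh_cycle(bump_serial(soa["serial"]), soa["serial"], soa))
```

The wrap-around case matters in practice: a serial that has crossed 2^32 compares as newer than a huge old one, which is why a slave must not compare serials as plain integers.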

1. Test environment;


Master Server: 192.168.100.102

Slave Server: 192.168.100.103

For the basic DNS setup process, refer to http://www.rsyslog.org/p239.html

I. Build the primary domain name server

Edit the global configuration file named.conf on the primary domain name server and insert allow-transfer { 192.168.100.103; }; into the options block. This means that host 192.168.100.103 is allowed to download (transfer) the zone's address database.

Edit the zone file (the auxiliary configuration file), which is normally adjusted to the job's requirements and is left unchanged here for ease of testing. You can set the default cache time of a valid address resolution record to 5 minutes; for an invalid address resolution record, one that does not exist in the database, the default cache time is likewise 5 minutes.

After the modification, restart the service and check that the primary domain name server works properly. For details see the document referred to above.

II. Build the slave domain name server

The slave domain name server is a redundant backup of the primary. It can provide domain-name and IP-address resolution alongside the primary, and its address database has to be updated regularly from the master domain name server.

Create the secondary zone configuration on the slave domain name server:

Set type to slave;

The names of the forward and reverse zones must be the same as on the primary DNS, but the file path must be placed under /var/named/slaves;

Add the master DNS IP address: masters { 192.168.100.102; };
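The three slave-zone settings above, together with the allow-transfer on the master, are what the screenshots show. As an added check (not the article's code), the following Python reads both named.conf files and reports a master zone that any host may transfer, a slave zone whose masters list does not include the master, and a slave zone file stored outside /var/named/slaves, the directory that matters again when SELinux is turned on later. The two configuration fragments are constructed from the article's IP addresses; the zone names are made up.

```python
"""Consistency check of the master's and slave's named.conf (added example).

Not the article's code: a small brace-aware reader for named.conf zone
statements with the three checks described in the lead-in.
"""
import os
import re
from typing import List, Optional, Tuple

# Constructed master named.conf (192.168.100.102).
MASTER_CONF = """
options {
    directory "/var/named";
    allow-transfer { 192.168.100.103; };   // only the slave may pull zones
};
zone "example.test" IN {
    type master;
    file "example.test.zone";
};
zone "100.168.192.in-addr.arpa" IN {
    type master;
    file "100.168.192.zone";
};
"""

# Constructed slave named.conf (192.168.100.103); the reverse zone uses the
# article's replacement directory dnsslaves instead of slaves.
SLAVE_CONF = """
options {
    directory "/var/named";
};
zone "example.test" IN {
    type slave;
    file "slaves/example.test.zone";
    masters { 192.168.100.102; };
};
zone "100.168.192.in-addr.arpa" IN {
    type slave;
    file "dnsslaves/100.168.192.zone";
    masters { 192.168.100.102; };
};
"""

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def strip_comments(text: str) -> str:
    """Remove the three comment styles named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def top_level_blocks(text: str) -> List[Tuple[str, str]]:
    """Split 'header { body };' statements at brace depth 0; nested braces stay in body."""
    blocks, depth, header_start, body_start, header = [], 0, 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header = text[header_start:i].strip().lstrip(";").strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
            if depth == 0:
                blocks.append((header, text[body_start:i]))
                header_start = i + 1
    if depth != 0:
        raise ValueError("unbalanced braces")
    return blocks


def _quoted(stmt: str, body: str) -> Optional[str]:
    m = re.search(r'\b%s\s+"([^"]*)"\s*;' % stmt, body)
    return m.group(1) if m else None


def _word(stmt: str, body: str) -> Optional[str]:
    m = re.search(r"\b%s\s+(\w+)\s*;" % stmt, body)
    return m.group(1) if m else None


def _address_list(stmt: str, body: str) -> Optional[List[str]]:
    m = re.search(r"\b%s\s*\{([^}]*)\}" % stmt, body)
    return IP_RE.findall(m.group(1)) if m else None


def audit_named_conf(conf: str, role: str, peer_ip: str,
                     writable_dirs: Tuple[str, ...] = ("/var/named/slaves",)) -> List[str]:
    """Findings for one server's named.conf; role is 'master' or 'slave', peer_ip the other server."""
    blocks = top_level_blocks(strip_comments(conf))
    options = next((body for hdr, body in blocks if hdr == "options"), "")
    base_dir = _quoted("directory", options) or "/var/named"
    global_xfer = _address_list("allow-transfer", options)
    findings: List[str] = []
    for hdr, body in blocks:
        m = re.match(r'zone\s+"([^"]+)"', hdr)
        if not m:
            continue
        name, ztype, zfile = m.group(1), _word("type", body), _quoted("file", body)
        if role == "master" and ztype == "master":
            xfer = _address_list("allow-transfer", body)
            xfer = global_xfer if xfer is None else xfer   # zone setting overrides options
            if xfer is None:
                findings.append(f'zone "{name}": no allow-transfer, any host may pull the zone')
            elif peer_ip not in xfer:
                findings.append(f'zone "{name}": slave {peer_ip} missing from allow-transfer {xfer}')
        elif role == "slave" and ztype == "slave":
            masters = _address_list("masters", body) or []
            if peer_ip not in masters:
                findings.append(f'zone "{name}": masters {masters} does not list {peer_ip}')
            if zfile is None:
                findings.append(f'zone "{name}": slave zone without a file statement')
            else:
                path = os.path.normpath(os.path.join(base_dir, zfile))
                if not any(path.startswith(d.rstrip("/") + "/") for d in writable_dirs):
                    findings.append(f'zone "{name}": {path} is outside {list(writable_dirs)}; '
                                    'with SELinux enforcing, named cannot write it there')
    return findings


if __name__ == "__main__":
    print(audit_named_conf(MASTER_CONF, "master", "192.168.100.103"))
    print(audit_named_conf(SLAVE_CONF, "slave", "192.168.100.102"))
```

Run against the two fragments, the master passes and the slave gets exactly one finding, for the reverse zone stored under dnsslaves; removing the allow-transfer line from the master produces one finding per master zone.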


By default the DNS slaves directory is empty. Restart the named service and the zone database from the primary DNS appears there.


We can also look at the slave domain name server's log and see many lines about zone databases fetched from the primary domain name server; the fetch is driven by the primary's serial number. With that, the slave domain name server is built.


III. Test whether the slave domain name server can provide DNS resolution

Change the PC's DNS server to the IP address of the slave domain name server.

IV. Next, check whether DNS still works properly with SELinux in enforcing mode.

In the experiment, with SELinux enabled the slave DNS works. But there is a problem: if you create a new directory to replace slaves, it no longer works properly, as follows:

Create a dnsslaves directory to replace the slaves directory and give it the same permissions as the slaves directory.

Edit the slave's zone configuration and point the forward and reverse zone database files at the dnsslaves directory.

Increase the serial number in the zone file on the primary DNS; normally adding 1 is enough.

Start the DNS service and find that the dnsslaves directory is still empty. Why?

Check the log: it reports a file permission error. We know the permissions of dnsslaves are identical to those of slaves, so the problem must be SELinux.
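Reading the log is the decisive step, so here is an added triage script, not the article's code, that filters /var/log/audit/audit.log for AVC denials raised against named and explains what the target label means. It assumes the RHEL 6 labels that named_selinux(8) documents: named runs as named_t, zone files carry named_zone_t (read-only for named), and /var/named/slaves carries named_cache_t, which named may write. The article later enables a boolean it found through man named_selinux without naming it; the script assumes that boolean is named_write_master_zones, the one that man page documents for writing zone files. The audit lines, pids, inodes and timestamps below are constructed for this example.

```python
"""Triage of SELinux AVC denials for named (added example, not the article's).

Unix permissions on dnsslaves match slaves, so the 'permission denied' in the
log is a label problem: named_t may read named_zone_t but only write under
named_cache_t directories such as /var/named/slaves (named_selinux(8), RHEL 6).
"""
import re
from typing import Any, Dict, List, Optional

# Constructed audit.log excerpt; the fourth line is an unrelated httpd denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1388214001.101:311): avc:  denied  { write } for  pid=2417 comm="named" name="dnsslaves" dev=dm-0 ino=131095 scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=dir
type=SYSCALL msg=audit(1388214001.101:311): arch=c000003e syscall=2 success=no exit=-13 comm="named" exe="/usr/sbin/named" subj=unconfined_u:system_r:named_t:s0 key=(null)
type=AVC msg=audit(1388214001.102:312): avc:  denied  { create } for  pid=2417 comm="named" name="tmp-XXXXXXXXXX" scontext=unconfined_u:system_r:named_t:s0 tcontext=unconfined_u:object_r:named_zone_t:s0 tclass=file
type=AVC msg=audit(1388214050.500:340): avc:  denied  { read } for  pid=3012 comm="httpd" name="index.html" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "rename", "unlink", "setattr"}


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Return the denied permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {"perms": set(m.group("perms").split())}
    for key, raw, quoted in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def selinux_type(context: str) -> str:
    """user:role:type:level -> type."""
    return context.split(":")[2]


def explain_named_denial(rec: Dict[str, Any]) -> Optional[str]:
    """Advice for a denial raised against named; None if the record is not named's."""
    if rec.get("comm") != "named":
        return None
    ttype = selinux_type(rec["tcontext"])
    target = rec.get("name", "?")
    if ttype == "named_zone_t" and rec["perms"] & WRITE_PERMS:
        return (
            f"named_t may only read '{target}' ({ttype}); slave zone files must live under a "
            "named_cache_t directory such as /var/named/slaves. Fix: relabel the new directory "
            "(semanage fcontext -a -t named_cache_t '/var/named/dnsslaves(/.*)?' ; "
            "restorecon -Rv /var/named/dnsslaves) or, more broadly, "
            "setsebool -P named_write_master_zones on."
        )
    return (f"named_t denied {sorted(rec['perms'])} on '{target}' "
            f"({ttype}, {rec.get('tclass')}); check the label with ls -Z.")


def triage(lines: List[str]) -> List[Dict[str, Any]]:
    """Keep only named's AVC denials, each with its explanation attached."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        advice = explain_named_denial(rec)
        if advice is not None:
            rec["advice"] = advice
            results.append(rec)
    return results


if __name__ == "__main__":
    for rec in triage(SAMPLE_AUDIT_LOG.splitlines()):
        print(rec["tclass"], rec.get("name"), "->", rec["advice"])
```

Of the two fixes the advice names, the relabel is the narrower one: it gives only the new directory the write-enabled type, whereas the boolean lets named write every zone file on the host.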


Switch SELinux to permissive mode and restart the DNS service: now the dnsslaves directory contains the zone database files from the primary DNS, so SELinux is indeed the cause. How do we set SELinux so that DNS works while it stays in enforcing mode?


To test this, first delete the zone database files that were generated, then use man named_selinux to see how SELinux treats named's files. The man page lists a storage directory for the secondary (slave) zone files.


Run getsebool -a to check whether this boolean is enabled; it is off. Enable it as the man page suggests, set SELinux back to enforcing mode, and restart the slave DNS service. Now dnsslaves contains the zone files from the master.


For more information about SELinux, visit http://www.rsyslog.org/p239.html.

This article is from "the Linux open source technology blog"; please keep this source: http://dreamfire.blog.51cto.com/418026/1094790
