DNS Client LinuxRHEL

From DocUnix.


Linux RHEL 5

Cache configuration

Cache configuration in the /etc/nscd.conf file:

#
# /etc/nscd.conf
#
# An example Name Service Cache config file.  This file is needed by nscd.
#
# Legal entries are:
#
#       logfile                 <file>
#       debug-level             <level>
#       threads                 <initial #threads to use>
#       max-threads             <maximum #threads to use>
#       server-user             <user to run server as instead of root>
#               server-user is ignored if nscd is started with -S parameters
#       stat-user               <user who is allowed to request statistics>
#       reload-count            unlimited|<number>
#       paranoia                <yes|no>
#       restart-interval        <time in seconds>
#
#       enable-cache            <service> <yes|no>
#       positive-time-to-live   <service> <time in seconds>
#       negative-time-to-live   <service> <time in seconds>
#       suggested-size          <service> <prime number>
#       check-files             <service> <yes|no>
#       persistent              <service> <yes|no>
#       shared                  <service> <yes|no>
#       max-db-size             <service> <number bytes>
#       auto-propagate          <service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts
#


#       logfile                 /var/log/nscd.log
#       threads                 6
#       max-threads             128
        server-user             nscd
#       stat-user               nocpulse
        debug-level             0
#       reload-count            5
        paranoia                no
#       restart-interval        3600

        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        suggested-size          passwd          211
        check-files             passwd          yes
        persistent              passwd          yes
        shared                  passwd          yes
        max-db-size             passwd          33554432
        auto-propagate          passwd          yes

        enable-cache            group           yes
        positive-time-to-live   group           3600
        negative-time-to-live   group           60
        suggested-size          group           211
        check-files             group           yes
        persistent              group           yes
        shared                  group           yes
        max-db-size             group           33554432
        auto-propagate          group           yes

        enable-cache            hosts           yes
        positive-time-to-live   hosts           60
        negative-time-to-live   hosts           20
        suggested-size          hosts           211
        check-files             hosts           yes
        persistent              hosts           yes
        shared                  hosts           yes
        max-db-size             hosts           33554432

The time-to-live is set to 60 s to limit the impact of DNS spoofing while still benefiting from the caches.
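An added shell example (not part of the DocUnix page) that reads an nscd.conf-style file and checks the hosts cache against the 60 s limit stated above; the sample file is constructed here, not taken from a real host.

```shell
# Constructed sample in the same format as the /etc/nscd.conf shown above.
nscd_sample=$(mktemp)
cat > "$nscd_sample" <<'EOF'
#       logfile                 /var/log/nscd.log
        server-user             nscd
        debug-level             0
        enable-cache            passwd          yes
        positive-time-to-live   passwd          600
        negative-time-to-live   passwd          20
        enable-cache            hosts           yes
        positive-time-to-live   hosts           60
        negative-time-to-live   hosts           20
        check-files             hosts           yes
EOF

# nscd_get FILE SERVICE KEY: print the value of a per-service entry, ignoring
# comment lines; prints nothing (exit 0) when the entry is absent.
nscd_get() {
    awk -v svc="$2" -v key="$3" '
        /^[[:space:]]*#/ { next }
        $1 == key && $2 == svc { print $3 }' "$1"
}

# nscd_hosts_ttl_ok FILE MAX: exit 0 when the hosts cache is enabled and its
# positive TTL is present and no greater than MAX seconds (60 on this page).
nscd_hosts_ttl_ok() {
    enabled=$(nscd_get "$1" hosts enable-cache)
    ttl=$(nscd_get "$1" hosts positive-time-to-live)
    [ "$enabled" = yes ] || return 1
    [ -n "$ttl" ] || return 1
    [ "$ttl" -le "$2" ]
}

# nscd_summary FILE: one line per cache with its enable flag and both TTLs.
nscd_summary() {
    for svc in passwd group hosts; do
        printf '%s enable=%s positive=%s negative=%s\n' "$svc" \
            "$(nscd_get "$1" "$svc" enable-cache)" \
            "$(nscd_get "$1" "$svc" positive-time-to-live)" \
            "$(nscd_get "$1" "$svc" negative-time-to-live)"
    done
}

nscd_summary "$nscd_sample"
```

Run it against /etc/nscd.conf on a real host by replacing "$nscd_sample" with that path.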

The resolv.conf file

This file configures the search domains, the domain the server belongs to, the IP addresses of the DNS servers and the resolution options.

The example below has been anonymised:

search <mydomaine1.com> <mydomaine2.com>
nameserver <IP1>
nameserver <IP2>
nameserver <IP3>
options ndots:10

The ndots:10 parameter limits the search to 10 dots and prevents resolution from failing.
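An added shell example (not from the DocUnix page) that parses a resolv.conf like the one above and lists, in order, the queries the glibc stub resolver sends for a name given the search list and ndots; the resolv.conf content and the 192.0.2.x addresses are constructed for the example, and the candidate order reproduces glibc's res_search behaviour as assumed here.

```shell
# Constructed resolv.conf in the same shape as the anonymised one above.
resolv_sample=$(mktemp)
cat > "$resolv_sample" <<'EOF'
search mydomaine1.com mydomaine2.com
nameserver 192.0.2.1
nameserver 192.0.2.2
options ndots:10
EOF

# resolv_search FILE: print the search list (the last "search" line wins).
resolv_search() {
    awk '$1 == "search" { $1 = ""; sub(/^ /, ""); list = $0 } END { print list }' "$1"
}

# resolv_ndots FILE: print the ndots value from "options"; glibc's default is 1.
resolv_ndots() {
    awk 'BEGIN { n = 1 }
         $1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^ndots:/) { sub(/^ndots:/, "", $i); n = $i } }
         END { print n }' "$1"
}

# resolver_candidates NAME NDOTS "DOMAIN ...": print, one per line, the names the
# stub resolver tries, stopping at the first one that answers (assumed glibc order):
#   - a name ending in "." is queried as-is only;
#   - a name with at least NDOTS dots is tried as-is first, then with each search domain;
#   - otherwise the search domains are tried first and the bare name last.
resolver_candidates() {
    name=$1; ndots=$2; domains=$3
    case $name in *.) printf '%s\n' "$name"; return 0 ;; esac
    dots=$(printf '%s' "$name" | awk -F. '{ print NF - 1 }')
    [ "$dots" -ge "$ndots" ] && printf '%s\n' "$name"
    for d in $domains; do printf '%s.%s\n' "$name" "$d"; done
    [ "$dots" -lt "$ndots" ] && printf '%s\n' "$name"
    return 0
}

# With ndots:10 almost every unqualified name goes through the search list first.
resolver_candidates www "$(resolv_ndots "$resolv_sample")" "$(resolv_search "$resolv_sample")"
```

glibc caps ndots at 15 (RES_MAXNDOTS), so a value of 10 is within range.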

The /etc/nsswitch.conf file

This file sets how names are resolved, either statically on the server via the files option or through DNS via the dns option, as well as the order in which those sources are consulted:

#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
#       nis or yp               Use NIS (NIS version 2), also called YP
#       dns                     Use DNS (Domain Name Service)
#       files                   Use the local files
#       db                      Use the local database (.db) files
#       compat                  Use NIS on compat mode
#       hesiod                  Use Hesiod for user lookups
#       ldap                    Use LDAP (only if nss_ldap is installed)
#       nisplus or nis+         Use NIS+ (NIS version 3), unsupported
#       [NOTFOUND=return]       Stop searching if not found so far
#

# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files ldap nis
#shadow:    db files ldap nis
#group:     db files ldap nis

passwd:     files
shadow:     files
group:      files

#hosts:     db files ldap nis dns
hosts:  files dns

# Example - obey only what ldap tells us...
#services:  ldap [NOTFOUND=return] files
#networks:  ldap [NOTFOUND=return] files
#protocols: ldap [NOTFOUND=return] files
#rpc:       ldap [NOTFOUND=return] files
#ethers:    ldap [NOTFOUND=return] files

bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  files
automount:  files
aliases:    files

In this example, host names are resolved first from the /etc/hosts file and then by DNS.
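An added shell example (not from the DocUnix page) that extracts the source order of a database from an nsswitch.conf-style file, skipping comments and [action] tokens, and checks that hosts consults files before dns as in the configuration above; the sample excerpt is constructed here.

```shell
# Constructed nsswitch.conf excerpt in the same format as the file above.
nss_sample=$(mktemp)
cat > "$nss_sample" <<'EOF'
# comment line
passwd:     files
#hosts:     db files ldap nis dns
hosts:  files dns
services:   ldap [NOTFOUND=return] files
EOF

# nss_sources FILE DATABASE: print the lookup sources of DATABASE in order,
# ignoring comment lines and action tokens such as [NOTFOUND=return].
nss_sources() {
    awk -v db="$2:" '
        /^[[:space:]]*#/ { next }
        $1 == db {
            sep = ""
            for (i = 2; i <= NF; i++) if ($i !~ /^\[/) { printf "%s%s", sep, $i; sep = " " }
            print ""
        }' "$1"
}

# nss_files_before_dns FILE: exit 0 when the hosts database lists both files and
# dns, with files first (so /etc/hosts wins over a DNS answer).
nss_files_before_dns() {
    order=$(nss_sources "$1" hosts)
    fpos=0; dpos=0; i=0
    for s in $order; do
        i=$((i + 1))
        [ "$s" = files ] && fpos=$i
        [ "$s" = dns ] && dpos=$i
    done
    [ "$fpos" -gt 0 ] && [ "$dpos" -gt 0 ] && [ "$fpos" -lt "$dpos" ]
}

printf 'hosts order: %s\n' "$(nss_sources "$nss_sample" hosts)"
```

On a live system, getent hosts NAME exercises this order; nslookup queries the DNS servers directly and never consults /etc/hosts.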

Checking the configuration

The command is also valid for Solaris 9 and 10.

nslookup <NOM> [<@IP DNS server>]

e.g.: nslookup nowhere.com
or forcing the IP address of the DNS server:
e.g.: nslookup nowhere.com 312.257.513.600