DNS (Domain Name System) サーバーの設定

[root@ns ~]# yum -y install bind bind-utils

インストール:
bind.x86_64 32:9.9.4-38.el7_3

完了しました!
[root@ns ~]#

1

2

3

4

5

6

7

[root@ns ~]# yum -y install bind bind-utils

インストール:

bind.x86_64 32:9.9.4-38.el7_3

完了しました!

[root@ns ~]#

[root@ns ~]#
[root@ns ~]# rpm -ql bind | grep ^/etc
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named

[root@ns ~]# rpm -ql bind | grep ^/var
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@ns ~]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

[root@ns ~]#

[root@ns ~]# rpm -ql bind | grep ^/etc

/etc/logrotate.d/named

/etc/named

/etc/named.conf

/etc/named.iscdlv.key

/etc/named.rfc1912.zones

/etc/named.root.key

/etc/rndc.conf

/etc/rndc.key

/etc/rwtab.d/named

/etc/sysconfig/named

[root@ns ~]# rpm -ql bind | grep ^/var

/var/log/named.log

/var/named

/var/named/data

/var/named/dynamic

/var/named/named.ca

/var/named/named.empty

/var/named/named.localhost

/var/named/named.loopback

/var/named/slaves

[root@ns ~]#

[root@ns ~]#
[root@ns ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@ns ~]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

[root@ns ~]#

[root@ns ~]# cat /etc/named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

// See the BIND Administrator's Reference Manual (ARM) for details about the

// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {

listen-on port 53 { 127.0.0.1; };

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query { localhost; };

/*

- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

- If you are building a RECURSIVE (caching) DNS server, you need to enable

recursion.

- If your recursive DNS server has a public IP address, you MUST enable access

control to limit queries to your legitimate users. Failing to do so will

cause your server to become part of large scale DNS amplification

attacks. Implementing BCP38 within your network would greatly

reduce such attack surface

*/

recursion yes;

dnssec-enable yes;

dnssec-validation yes;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/named.pid";

session-keyfile "/run/named/session.key";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

[root@ns ~]#

[root@ns ~]#
[root@ns ~]# cat -n /etc/named.conf
     1  //
     2  // named.conf
     3  //
     4  // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
     5  // server as a caching only nameserver (as a localhost DNS resolver only).
     6  //
     7  // See /usr/share/doc/bind*/sample/ for example named configuration files.
     8  //
     9  // See the BIND Administrator's Reference Manual (ARM) for details about the
    10  // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    11
    12  options {
    13          listen-on port 53 { 127.0.0.1;
    14                              192.168.12.190; };
    15          listen-on-v6 port 53 { none; };
    16          directory       "/var/named";
    17          dump-file       "/var/named/data/cache_dump.db";
    18          statistics-file "/var/named/data/named_stats.txt";
    19          memstatistics-file "/var/named/data/named_mem_stats.txt";
    20          allow-query     { localhost;
    21                            localnets; };
    22
    23          /*
    24           - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    25           - If you are building a RECURSIVE (caching) DNS server, you need to enable
    26             recursion.
    27           - If your recursive DNS server has a public IP address, you MUST enable access
    28             control to limit queries to your legitimate users. Failing to do so will
    29             cause your server to become part of large scale DNS amplification
    30             attacks. Implementing BCP38 within your network would greatly
    31             reduce such attack surface
    32          */
    33          recursion yes;
    34
    35          dnssec-enable no;
    36          dnssec-validation no;
    37
    38          /* Path to ISC DLV key */
    39          bindkeys-file "/etc/named.iscdlv.key";
    40
    41          managed-keys-directory "/var/named/dynamic";
    42
    43          pid-file "/run/named/named.pid";
    44          session-keyfile "/run/named/session.key";
    45
    46          forwarders {
    47                  192.168.12.254;
    48          };
    49  };
    50
    51  logging {
    52          channel default_debug {
    53                  file "data/named.run";
    54                  severity dynamic;
    55          };
    56  };
    57
    58  zone "." IN {
    59          type hint;
    60          file "named.ca";
    61  };
    62
    63  zone "sjk00.local" IN {
    64          type master ;
    65          file "sjk.local.lan";
    66  };
    67
    68  zone "12.168.192.in-addr.arpa" IN {
    69          type master ;
    70          file "sjk.local.rev";
    71  };
    72
    73  include "/etc/named.rfc1912.zones";
    74  include "/etc/named.root.key";
    75
[root@ns ~]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

[root@ns ~]#

[root@ns ~]# cat -n /etc/named.conf

1 //

2 // named.conf

3 //

4 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

5 // server as a caching only nameserver (as a localhost DNS resolver only).

6 //

7 // See /usr/share/doc/bind*/sample/ for example named configuration files.

8 //

9 // See the BIND Administrator's Reference Manual (ARM) for details about the

10 // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

11

12 options {

13 listen-on port 53 { 127.0.0.1;

14 192.168.12.190; };

15 listen-on-v6 port 53 { none; };

16 directory "/var/named";

17 dump-file "/var/named/data/cache_dump.db";

18 statistics-file "/var/named/data/named_stats.txt";

19 memstatistics-file "/var/named/data/named_mem_stats.txt";

20 allow-query { localhost;

21 localnets; };

22

23 /*

24 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

25 - If you are building a RECURSIVE (caching) DNS server, you need to enable

26 recursion.

27 - If your recursive DNS server has a public IP address, you MUST enable access

28 control to limit queries to your legitimate users. Failing to do so will

29 cause your server to become part of large scale DNS amplification

30 attacks. Implementing BCP38 within your network would greatly

31 reduce such attack surface

32 */

33 recursion yes;

34

35 dnssec-enable no;

36 dnssec-validation no;

37

38 /* Path to ISC DLV key */

39 bindkeys-file "/etc/named.iscdlv.key";

40

41 managed-keys-directory "/var/named/dynamic";

42

43 pid-file "/run/named/named.pid";

44 session-keyfile "/run/named/session.key";

45

46 forwarders {

47 192.168.12.254;

48 };

49 };

50

51 logging {

52 channel default_debug {

53 file "data/named.run";

54 severity dynamic;

55 };

56 };

57

58 zone "." IN {

59 type hint;

60 file "named.ca";

61 };

62

63 zone "sjk00.local" IN {

64 type master ;

65 file "sjk.local.lan";

66 };

67

68 zone "12.168.192.in-addr.arpa" IN {

69 type master ;

70 file "sjk.local.rev";

71 };

72

73 include "/etc/named.rfc1912.zones";

74 include "/etc/named.root.key";

75

[root@ns ~]#

[root@ns ~]# cd /var/named
[root@ns named]# cp -p named.localhost snj.local.lan

1 2	[root@ns ~]# cd /var/named [root@ns named]# cp -p named.localhost snj.local.lan

[root@ns named]# vi sjk.local.lan
     1  $TTL 1D
     2  @       IN      SOA     ns.sjk00.local. root.sjk00.local. (
     3                          2017011001      ; serial
     4                                  1D      ; refresh
     5                                  1H      ; retry
     6                                  1W      ; expire
     7                                  3H )    ; minimum
     8
     9          IN      NS      ns.sjk00.local.
    10          IN      A       192.168.12.190
    11
    12          IN      MX 10   ns.sjk00.local.
    13
    14  ns      IN      A       192.168.12.190
    15
    16  mail    IN      A       192.168.12.190
    17  www     IN      A       192.168.12.190
    18
[root@ns named]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

[root@ns named]# vi sjk.local.lan

1 $TTL 1D

2 @ IN SOA ns.sjk00.local. root.sjk00.local. (

3 2017011001 ; serial

4 1D ; refresh

5 1H ; retry

6 1W ; expire

7 3H ) ; minimum

8

9 IN NS ns.sjk00.local.

10 IN A 192.168.12.190

11

12 IN MX 10 ns.sjk00.local.

13

14 ns IN A 192.168.12.190

15

16 mail IN A 192.168.12.190

17 www IN A 192.168.12.190

18

[root@ns named]#

[root@ns named]#
[root@ns named]# cp -p sjk.local.lan sjk.local.rev

1 2	[root@ns named]# [root@ns named]# cp -p sjk.local.lan sjk.local.rev

[root@ns named]# vi sjk.local.rev

     1  $TTL 1D
     2  @       IN      SOA     ns.sjk00.local. root.sjk00.local. (
     3                          2017011001      ; serial
     4                                  1D      ; refresh
     5                                  1H      ; retry
     6                                  1W      ; expire
     7                                  3H )    ; minimum
     8
     9          IN      NS      ns.sjk00.local.
    10          IN      PTR     ns.sjk00.local.
    11
    12  190     IN      PTR     ns.sjk00.local.
    13
[root@ns named]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

[root@ns named]# vi sjk.local.rev

1 $TTL 1D

2 @ IN SOA ns.sjk00.local. root.sjk00.local. (

3 2017011001 ; serial

4 1D ; refresh

5 1H ; retry

6 1W ; expire

7 3H ) ; minimum

8

9 IN NS ns.sjk00.local.

10 IN PTR ns.sjk00.local.

11

12 190 IN PTR ns.sjk00.local.

13

[root@ns named]#

[root@ns named]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
[root@ns named]#
[root@ns named]# cat -n /etc/sysconfig/network-scripts/ifcfg-ens33
     1  TYPE="Ethernet"
     2  BOOTPROTO="none"
     3  DEFROUTE="yes"
     4  IPV4_FAILURE_FATAL="no"
     5  IPV6INIT="no"
     6  IPV6_AUTOCONF="yes"
     7  IPV6_DEFROUTE="yes"
     8  IPV6_PEERDNS="yes"
     9  IPV6_PEERROUTES="yes"
    10  IPV6_FAILURE_FATAL="no"
    11  IPV6_ADDR_GEN_MODE="stable-privacy"
    12  NAME="ens33"
    13  UUID="31df3316-7326-4408-805d-ca46e316659c"
    14  DEVICE="ens33"
    15  ONBOOT="yes"
    16  IPADDR="192.168.12.190"
    17  PREFIX="24"
    18  GATEWAY="192.168.12.254"
    19  DNS1="192.168.12.190"
[root@ns named]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

[root@ns named]# vi /etc/sysconfig/network-scripts/ifcfg-ens33

[root@ns named]#

[root@ns named]# cat -n /etc/sysconfig/network-scripts/ifcfg-ens33

1 TYPE="Ethernet"

2 BOOTPROTO="none"

3 DEFROUTE="yes"

4 IPV4_FAILURE_FATAL="no"

5 IPV6INIT="no"

6 IPV6_AUTOCONF="yes"

7 IPV6_DEFROUTE="yes"

8 IPV6_PEERDNS="yes"

9 IPV6_PEERROUTES="yes"

10 IPV6_FAILURE_FATAL="no"

11 IPV6_ADDR_GEN_MODE="stable-privacy"

12 NAME="ens33"

13 UUID="31df3316-7326-4408-805d-ca46e316659c"

14 DEVICE="ens33"

15 ONBOOT="yes"

16 IPADDR="192.168.12.190"

17 PREFIX="24"

18 GATEWAY="192.168.12.254"

19 DNS1="192.168.12.190"

[root@ns named]#

[root@ns named]#
[root@ns named]# systemctl start named
[root@ns named]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns named]#

1

2

3

4

5

[root@ns named]#

[root@ns named]# systemctl start named

[root@ns named]# systemctl enable named

Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

[root@ns named]#

[root@ns named]# dig ns.sjk00.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> ns.sjk00.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9372
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ns.sjk00.local.                        IN      A

;; ANSWER SECTION:
ns.sjk00.local.         86400   IN      A       192.168.12.190

;; AUTHORITY SECTION:
sjk00.local.            86400   IN      NS      ns.sjk00.local.

;; Query time: 9 msec
;; SERVER: 192.168.12.190#53(192.168.12.190)
;; WHEN: 火  1月 10 13:09:29 JST 2017
;; MSG SIZE  rcvd: 73

[root@ns named]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

[root@ns named]# dig ns.sjk00.local

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> ns.sjk00.local

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9372

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;ns.sjk00.local. IN A

;; ANSWER SECTION:

ns.sjk00.local. 86400 IN A 192.168.12.190

;; AUTHORITY SECTION:

sjk00.local. 86400 IN NS ns.sjk00.local.

;; Query time: 9 msec

;; SERVER: 192.168.12.190#53(192.168.12.190)

;; WHEN: 火 1月 10 13:09:29 JST 2017

;; MSG SIZE rcvd: 73

[root@ns named]#

[root@ns named]# dig -x 192.168.12.190

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> -x 192.168.12.190
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23385
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;190.12.168.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
190.12.168.192.in-addr.arpa. 86400 IN   PTR     ns.sjk00.local.

;; AUTHORITY SECTION:
12.168.192.in-addr.arpa. 86400  IN      NS      ns.sjk00.local.

;; ADDITIONAL SECTION:
ns.sjk00.local.         86400   IN      A       192.168.12.190

;; Query time: 0 msec
;; SERVER: 192.168.12.190#53(192.168.12.190)
;; WHEN: 火  1月 10 13:10:00 JST 2017
;; MSG SIZE  rcvd: 114

[root@ns named]#

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

[root@ns named]# dig -x 192.168.12.190

; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> -x 192.168.12.190

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23385

;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 4096

;; QUESTION SECTION:

;190.12.168.192.in-addr.arpa. IN PTR

;; ANSWER SECTION:

190.12.168.192.in-addr.arpa. 86400 IN PTR ns.sjk00.local.

;; AUTHORITY SECTION:

12.168.192.in-addr.arpa. 86400 IN NS ns.sjk00.local.

;; ADDITIONAL SECTION:

ns.sjk00.local. 86400 IN A 192.168.12.190

;; Query time: 0 msec

;; SERVER: 192.168.12.190#53(192.168.12.190)

;; WHEN: 火 1月 10 13:10:00 JST 2017

;; MSG SIZE rcvd: 114

[root@ns named]#

DNS (Domain Name System) サーバーの設定

BIND インストール/設定

BIND インストール

BIND インストールされたファイルの確認（/etc と /var）

BIND 基本設定

named.confの修正後

BIND 正引き情報の設定

BIND 逆引き情報の設定

BIND 起動/動作確認

BIND 起動

BIND 動作確認

正引きの動作確認

逆引きの操作確認