BIND インストール/設定
名前解決を行ってくれる DNS (Domain Name System) サーバーを構築します。
BIND インストール
[root@ns ~]# yum -y install bind bind-utils インストール: bind.x86_64 32:9.9.4-38.el7_3 完了しました! [root@ns ~]# |
BIND でインストールされたファイルの確認 (/etc と /var)
[root@ns ~]#
[root@ns ~]# rpm -ql bind | grep ^/etc
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/etc/rwtab.d/named
/etc/sysconfig/named
[root@ns ~]# rpm -ql bind | grep ^/var
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
[root@ns ~]#
BIND 基本設定
[root@ns ~]# [root@ns ~]# cat /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // // See the BIND Administrator's Reference Manual (ARM) for details about the // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html options { listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; }; /* - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion. - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion. - If your recursive DNS server has a public IP address, you MUST enable access control to limit queries to your legitimate users. Failing to do so will cause your server to become part of large scale DNS amplification attacks. Implementing BCP38 within your network would greatly reduce such attack surface */ recursion yes; dnssec-enable yes; dnssec-validation yes; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key"; [root@ns ~]# |
named.conf の修正後（listen-on に 192.168.12.190 を追加、listen-on-v6 を none に変更、allow-query に localnets を追加、dnssec-enable / dnssec-validation を no に変更、forwarders と正引き・逆引きのゾーン定義を追加）。dnssec-validation no は、上流から受け取った応答の DNSSEC 検証を行わない設定です。
[root@ns ~]#
[root@ns ~]# cat -n /etc/named.conf
     1  //
     2  // named.conf
     3  //
     4  // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
     5  // server as a caching only nameserver (as a localhost DNS resolver only).
     6  //
     7  // See /usr/share/doc/bind*/sample/ for example named configuration files.
     8  //
     9  // See the BIND Administrator's Reference Manual (ARM) for details about the
    10  // configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
    11
    12  options {
    13          listen-on port 53 { 127.0.0.1;
    14                              192.168.12.190; };
    15          listen-on-v6 port 53 { none; };
    16          directory "/var/named";
    17          dump-file "/var/named/data/cache_dump.db";
    18          statistics-file "/var/named/data/named_stats.txt";
    19          memstatistics-file "/var/named/data/named_mem_stats.txt";
    20          allow-query { localhost;
    21                        localnets; };
    22
    23          /*
    24           - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
    25           - If you are building a RECURSIVE (caching) DNS server, you need to enable
    26             recursion.
    27           - If your recursive DNS server has a public IP address, you MUST enable access
    28             control to limit queries to your legitimate users. Failing to do so will
    29             cause your server to become part of large scale DNS amplification
    30             attacks. Implementing BCP38 within your network would greatly
    31             reduce such attack surface
    32          */
    33          recursion yes;
    34
    35          dnssec-enable no;
    36          dnssec-validation no;
    37
    38          /* Path to ISC DLV key */
    39          bindkeys-file "/etc/named.iscdlv.key";
    40
    41          managed-keys-directory "/var/named/dynamic";
    42
    43          pid-file "/run/named/named.pid";
    44          session-keyfile "/run/named/session.key";
    45
    46          forwarders {
    47                  192.168.12.254;
    48          };
    49  };
    50
    51  logging {
    52          channel default_debug {
    53                  file "data/named.run";
    54                  severity dynamic;
    55          };
    56  };
    57
    58  zone "." IN {
    59          type hint;
    60          file "named.ca";
    61  };
    62
    63  zone "sjk00.local" IN {
    64          type master ;
    65          file "sjk.local.lan";
    66  };
    67
    68  zone "12.168.192.in-addr.arpa" IN {
    69          type master ;
    70          file "sjk.local.rev";
    71  };
    72
    73  include "/etc/named.rfc1912.zones";
    74  include "/etc/named.root.key";
    75
[root@ns ~]#
BIND 正引き情報の設定
named.localhostをベースに内容を書き換えます。
[root@ns ~]# cd /var/named
[root@ns named]# cp -p named.localhost sjk.local.lan
[root@ns named]# vi sjk.local.lan
     1  $TTL 1D
     2  @       IN SOA  ns.sjk00.local. root.sjk00.local. (
     3                                  2017011001      ; serial
     4                                  1D              ; refresh
     5                                  1H              ; retry
     6                                  1W              ; expire
     7                                  3H )            ; minimum
     8
     9          IN NS   ns.sjk00.local.
    10          IN A    192.168.12.190
    11
    12          IN MX   10 ns.sjk00.local.
    13
    14  ns      IN A    192.168.12.190
    15
    16  mail    IN A    192.168.12.190
    17  www     IN A    192.168.12.190
    18
[root@ns named]#
BIND 逆引き情報の設定
[root@ns named]#
[root@ns named]# cp -p sjk.local.lan sjk.local.rev
[root@ns named]# vi sjk.local.rev
     1  $TTL 1D
     2  @       IN SOA  ns.sjk00.local. root.sjk00.local. (
     3                                  2017011001      ; serial
     4                                  1D              ; refresh
     5                                  1H              ; retry
     6                                  1W              ; expire
     7                                  3H )            ; minimum
     8
     9          IN NS   ns.sjk00.local.
    10          IN PTR  ns.sjk00.local.
    11
    12  190     IN PTR  ns.sjk00.local.
    13
[root@ns named]#
BIND 起動/動作確認
※ インストール時にはDNSは外部を参照していましたが、DNSの設定が完了したら自身をDNSに設定するようにネットワークの設定を変更します。
[root@ns named]# vi /etc/sysconfig/network-scripts/ifcfg-ens33
[root@ns named]#
[root@ns named]# cat -n /etc/sysconfig/network-scripts/ifcfg-ens33
     1  TYPE="Ethernet"
     2  BOOTPROTO="none"
     3  DEFROUTE="yes"
     4  IPV4_FAILURE_FATAL="no"
     5  IPV6INIT="no"
     6  IPV6_AUTOCONF="yes"
     7  IPV6_DEFROUTE="yes"
     8  IPV6_PEERDNS="yes"
     9  IPV6_PEERROUTES="yes"
    10  IPV6_FAILURE_FATAL="no"
    11  IPV6_ADDR_GEN_MODE="stable-privacy"
    12  NAME="ens33"
    13  UUID="31df3316-7326-4408-805d-ca46e316659c"
    14  DEVICE="ens33"
    15  ONBOOT="yes"
    16  IPADDR="192.168.12.190"
    17  PREFIX="24"
    18  GATEWAY="192.168.12.254"
    19  DNS1="192.168.12.190"
[root@ns named]#
BIND 起動
[root@ns named]#
[root@ns named]# systemctl start named
[root@ns named]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns named]#
BIND 動作確認
正引きの動作確認
[root@ns named]# dig ns.sjk00.local ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> ns.sjk00.local ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9372 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;ns.sjk00.local. IN A ;; ANSWER SECTION: ns.sjk00.local. 86400 IN A 192.168.12.190 ;; AUTHORITY SECTION: sjk00.local. 86400 IN NS ns.sjk00.local. ;; Query time: 9 msec ;; SERVER: 192.168.12.190#53(192.168.12.190) ;; WHEN: 火 1月 10 13:09:29 JST 2017 ;; MSG SIZE rcvd: 73 [root@ns named]# |
逆引きの動作確認
[root@ns named]# dig -x 192.168.12.190 ; <<>> DiG 9.9.4-RedHat-9.9.4-38.el7_3 <<>> -x 192.168.12.190 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23385 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;190.12.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 190.12.168.192.in-addr.arpa. 86400 IN PTR ns.sjk00.local. ;; AUTHORITY SECTION: 12.168.192.in-addr.arpa. 86400 IN NS ns.sjk00.local. ;; ADDITIONAL SECTION: ns.sjk00.local. 86400 IN A 192.168.12.190 ;; Query time: 0 msec ;; SERVER: 192.168.12.190#53(192.168.12.190) ;; WHEN: 火 1月 10 13:10:00 JST 2017 ;; MSG SIZE rcvd: 114 [root@ns named]# |