BINDでのDNSサーバの設定
UP2021.11.21
・セカンダリDNSが機能していなかったので、無料のセカンダリDNS マイハマネットに変更
UP2022.01.23
・DNSSEC検証の影響(?)で名前解決が頻繁に失敗するドメインがあったので、dnssec-validation を無効化。ただし無効化すると全ドメインについて応答の偽造・キャッシュ汚染を検知できなくなるため、本来は validate-except に問題のドメインだけを列挙するか、DNSSEC(EDNS0/DO)に対応した forwarders を使うのが望ましい
・forwardersの設定修正
インストール
# bind = the named server, bind-chroot = runs named inside /var/named/chroot
# (the named-chroot service used below), bind-utils = dig/host/nslookup for
# testing the server once it is up.
# dnf install bind bind-chroot bind-utils
設定ファイル作成
# Keep a pristine copy of the packaged config before editing, so the changes
# below can be diffed against the Red Hat default later.
# cp /etc/named.conf /etc/named.conf.org
# vi /etc/named.conf
----------------------------------------------------------------
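//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Split-horizon setup: the "local" view is a recursive resolver for the LAN
// and serves an internal copy of chinaz.org; the "world" view is
// authoritative-only for the public zones and never recurses.

// The server's own addresses and the local network. Only these clients get
// the "local" view and recursion. NOTE: no IPv6 prefix is listed, so IPv6 LAN
// clients match the "world" view instead and are refused recursion.
acl private-zone {
    localhost;
    192.168.xxx.xxx/24;
};

// Secondary name servers allowed to pull zone transfers (AXFR/IXFR).
acl secondary-ns {
    xxx.xxx.xxx.xxx;
    xxx.xxx.xxx.xxx;
};

options {
    listen-on port 53 { any; };     // IPv4, all interfaces
    listen-on-v6 port 53 { any; };  // IPv6, all interfaces
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    secroots-file "/var/named/data/named.secroots";
    recursing-file "/var/named/data/named.recursing";

    // Defaults inherited by every view; the "world" view overrides allow-query.
    allow-query { private-zone; };   // queries from the LAN only
    allow-transfer { none; };        // no zone transfers unless a zone says otherwise

    // Upstream resolvers used by the "local" view. forwarders takes an address
    // list, not an ACL name. Without "forward only;" this is "forward first":
    // named falls back to iterative resolution from the root hints when the
    // forwarders do not answer.
    forwarders { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; };
    recursion no;                    // off by default; enabled per view below

    // DNSSEC validation is turned off because some domains failed to resolve
    // through the forwarders. This removes the resolver's protection against
    // forged/poisoned answers for EVERY domain. The narrower fix is to keep
    // "dnssec-validation auto;" and list only the failing domains in
    // "validate-except { ... };", or to use forwarders that pass DNSSEC data
    // (EDNS0/DO) through correctly.
    dnssec-validation no;
    // "dnssec-enable no;" was dropped here: the option is deprecated and is
    // rejected by current BIND 9 releases (9.18+), which would stop named
    // from starting. Validation is controlled by dnssec-validation alone.

    // Kept at the packaged default so the managed-keys journal for the root
    // trust anchor included in the "local" view is written to a writable
    // directory instead of the working directory.
    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    category lame-servers { null; };
};

// LAN-facing view: recursive resolver plus the internal view of chinaz.org.
view "local" {
    match-clients { private-zone; };
    recursion yes;
    // Stated explicitly instead of relying on the implicit default derived
    // from allow-query: only LAN clients may use the recursive cache.
    allow-recursion { private-zone; };
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "0.0.127.in-addr.arpa";
    };
    // Internal copy of chinaz.org with RFC 1918 addresses.
    zone "chinaz.org" {
        type master;
        file "rc.chinaz.org";
    };
    zone "xxx.168.192.in-addr.arpa" {
        type master;
        file "xxx.168.192.in-addr.arpa";
    };
    include "/etc/named.rfc1912.zones";
    // Root trust anchor; not used while dnssec-validation is "no".
    include "/etc/named.root.key";
};

// Internet-facing view: authoritative only. Views are matched in order, so
// every client not in private-zone lands here.
view "world" {
    match-clients { any; };
    allow-query { any; };
    recursion no;   // never recurse for the Internet (open-resolver / amplification risk)
    zone "chinaz.org" {
        type master;
        file "chinaz.org";
        // Transfers are limited to the secondaries by source address only,
        // which is the weakest form of control. A TSIG key shared with the
        // secondary provider is the stronger option if they support it.
        allow-transfer { secondary-ns; };
    };
    // Reverse zone for the single public address 210.136.17.172. It only
    // answers if the ISP delegated this exact name (e.g. RFC 2317 classless
    // delegation); otherwise the ISP's PTR is what the world sees.
    zone "172.17.136.210.in-addr.arpa" {
        type master;
        file "172.17.136.210.in-addr.arpa";
    };
};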
----------------------------------------------------------------
# vi /var/named/0.0.127.in-addr.arpa
----------------------------------------------------------------
$TTL 1D
; Reverse zone for the loopback network, served to the "local" view only.
; Lines whose owner field is empty must start with whitespace, otherwise the
; first token ("IN") is parsed as the owner name.
@       IN SOA ns.chinaz.org. root.ns.chinaz.org. (
                2020123101      ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                1D )            ; negative-cache TTL
        IN NS ns.chinaz.org.
; "xxx" is a placeholder for the last octet; for 127.0.0.1 the owner is "1".
xxx     IN PTR localhost.
----------------------------------------------------------------
# vi /var/named/rc.chinaz.org
----------------------------------------------------------------
$TTL 1D
; Internal copy of chinaz.org (RFC 1918 addresses), served to the "local"
; view only. The public zone in /var/named/chinaz.org must be kept in step.
; Lines with an empty owner field must start with whitespace.
@       IN SOA ns.chinaz.org. root.ns.chinaz.org. (
                2020123101      ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                1D )            ; negative-cache TTL
        IN NS ns.chinaz.org.
        IN MX 5 ns.chinaz.org.   ; MX target is an A record below, as required (not a CNAME)
ct02    IN A 192.168.xxx.2
ns      IN A 192.168.xxx.xxx
; Service names are aliases for the single host "ns".
dns     IN CNAME ns
www     IN CNAME ns
mail    IN CNAME ns
smtp    IN CNAME ns
pop     IN CNAME ns
imap    IN CNAME ns
ftp     IN CNAME ns
----------------------------------------------------------------
# vi /var/named/xxx.168.192.in-addr.arpa
----------------------------------------------------------------
$TTL 1D
; Reverse zone for the LAN (192.168.xxx.0/24), served to the "local" view only.
; Lines with an empty owner field must start with whitespace.
@       IN SOA ns.chinaz.org. root.ns.chinaz.org. (
                2020123101      ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                1D )            ; negative-cache TTL
        IN NS ns.chinaz.org.
; The next two apex records have no function in a reverse zone: nothing looks
; up a PTR or A record at the network name (the A value looks like the
; netmask). They are harmless but can be removed.
        IN PTR chinaz.org.
        IN A 255.255.255.0
2       IN PTR ct02.chinaz.org.
xxx     IN PTR ns.chinaz.org.
----------------------------------------------------------------
# vi /var/named/chinaz.org
----------------------------------------------------------------
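$TTL 1D
; Public (Internet-facing) zone for chinaz.org, served by the "world" view.
; Zone-file comments start with ";" -- "//" is NOT a comment here: on the NS
; lines below it caused "extra input" parse errors, and on the TXT line the
; stray tokens became additional strings appended to the SPF record, which
; would make the published SPF policy invalid.
; Lines with an empty owner field must start with whitespace.
@       IN SOA ns.chinaz.org. root.ns.chinaz.org. (
                2021112103      ; serial -- bump on every change or the secondaries keep the old zone
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                1D )            ; negative-cache TTL
        IN NS ns.chinaz.org.
        IN NS xxx.maihama-net.com.   ; secondary DNS (placeholder; use the provider's real host names)
        IN NS xxx.maihama-net.com.   ; secondary DNS (placeholder; the two entries must differ)
        IN MX 5 ns.chinaz.org.       ; MX targets must be A/AAAA names, not CNAMEs
        IN MX 10 chinaz.org.
        IN TXT "v=spf1 mx ~all"      ; SPF: only the MX hosts may send mail for this domain
        IN A 210.136.17.172
ns      IN A 210.136.17.172
; Publishing localhost.<domain> -> 127.0.0.1 in a public zone is rarely needed
; and can let cookies scoped to chinaz.org reach services on a visitor's own
; machine; consider removing it.
localhost IN A 127.0.0.1
www     IN CNAME ns
mail    IN CNAME ns
smtp    IN CNAME ns
pop     IN CNAME ns
imap    IN CNAME ns
ftp     IN CNAME ns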
----------------------------------------------------------------
# vi /var/named/172.17.136.210.in-addr.arpa
----------------------------------------------------------------
$TTL 1D
; Reverse zone for the single public address 210.136.17.172, served by the
; "world" view. It is only consulted if the ISP delegated this exact name to
; ns.chinaz.org; otherwise resolvers see the ISP's own PTR.
; Lines with an empty owner field must start with whitespace.
@       IN SOA ns.chinaz.org. root.ns.chinaz.org. (
                2020123101      ; serial
                3H              ; refresh
                1H              ; retry
                1W              ; expire
                1D )            ; negative-cache TTL
        IN NS ns.chinaz.org.
; "example.com." is a placeholder, but it is also a real third-party name:
; publishing it as-is is a lame delegation (and no transfer to it is allowed
; in named.conf). Replace it with the real secondary's host name or delete it.
        IN NS example.com.
; The apex of this zone IS the PTR name for 210.136.17.172, so this record is
; the actual reverse mapping.
        IN PTR chinaz.org.
; An A record at the apex of a reverse zone has no function (it looks like a
; netmask was recorded here); harmless, but it can be removed.
        IN A 255.255.255.254
----------------------------------------------------------------
構文チェック
# Validate every zone file before loading it: first argument is the zone
# name exactly as written in named.conf, second is the file. named-checkzone
# rejects records it cannot parse (e.g. a zone file that uses "//" instead of
# ";" for comments), which is far cheaper to find here than after a reload.
# named-checkzone 0.0.127.in-addr.arpa /var/named/0.0.127.in-addr.arpa
# named-checkzone chinaz.org /var/named/rc.chinaz.org
# named-checkzone xxx.168.192.in-addr.arpa /var/named/xxx.168.192.in-addr.arpa
# named-checkzone chinaz.org /var/named/chinaz.org
# named-checkzone 172.17.136.210.in-addr.arpa /var/named/172.17.136.210.in-addr.arpa
# Syntax-check named.conf itself ("named-checkconf -z" additionally loads
# every zone referenced from it in one step).
# named-checkconf /etc/named.conf
起動設定
サービスを起動
# Use the chroot unit (not plain "named"): it bind-mounts /etc/named.conf and
# /var/named into the chroot at start, so files are still edited in place.
# systemctl start named-chroot
# systemctl enable named-chroot
# After editing zone files: bump the SOA serial, re-run named-checkzone, then
# reload. Without a serial increase the secondaries never pull the new zone.
# systemctl reload named-chroot
ポートのオープン
# The "dns" service opens 53/udp and 53/tcp. Both are required: TCP carries
# zone transfers to the secondaries and any response too large for UDP.
# Exposing the external zone is deliberate -- Internet clients only ever reach
# the non-recursive "world" view; the ACLs in named.conf do the rest.
# firewall-cmd --zone=external --add-service=dns --permanent
# firewall-cmd --zone=internal --add-service=dns --permanent
# firewall-cmd --reload
# Confirm the rules landed in the intended zones.
# firewall-cmd --list-all-zones
参照DNSの変更
DNSが稼働したら、外部のDNSを参照していた設定を自身を参照するように変更
# Point the host at its own LAN address. That address is inside private-zone,
# so the host's own lookups get the recursive "local" view. From here on the
# host loses name resolution whenever named is stopped.
# nmcli con mod eth0 ipv4.dns 192.168.xxx.xxx
# nmcli con mod eth1 ipv4.dns 192.168.xxx.xxx
# systemctl restart NetworkManager