bind


BINDでのDNSサーバの設定

インストール

# dnf install bind bind-chroot bind-utils   # bind-chroot supplies the named-chroot unit used below; bind-utils supplies dig/host for testing

設定ファイル作成

・セカンダリDNSが機能していなかったので、無料のセカンダリDNS マイハマネットに変更 UP2021.11.21

# cp /etc/named.conf /etc/named.conf.org
# vi /etc/named.conf
----------------------------------------------------------------
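//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Layout: two views. Clients matching "private-zone" get a recursive
// resolver plus the internal copy of chinaz.org (rc.chinaz.org, LAN
// addresses); everyone else gets a non-recursive authoritative server for
// the public copy of chinaz.org. The ※ marks flag the lines changed from
// the stock Red Hat file; they are kept inside comments so the listing
// still parses with named-checkconf. "xxx" values are placeholders.
//

// Clients treated as internal: loopback and the LAN /24. Referenced by
// match-clients of view "local" and by the allow-query / allow-transfer
// defaults in options.
acl private-zone {
        localhost;
        192.168.xxx.xxx/24;
};

// Addresses of the secondary name servers (the page uses maihama-net);
// the only hosts allowed to transfer the public chinaz.org zone.
acl secondary-ns {
        xxx.xxx.xxx.xxx;
        xxx.xxx.xxx.xxx;
};

options {
        listen-on port 53 { any; };     // ※ answer on every interface (stock file: loopback only)
        listen-on-v6 port 53 { any; };  // ※ same for IPv6
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file   "/var/named/data/named.secroots";
        recursing-file  "/var/named/data/named.recursing";
        // ※ Defaults for every view/zone that does not set its own value:
        // view "world" widens allow-query to { any; }; allow-transfer stays
        // LAN-only except for the public chinaz.org zone (secondary-ns).
        allow-query     { private-zone; };
        allow-transfer { private-zone; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // Global default is non-recursive; only view "local" turns recursion
        // on, so outside clients never get an open resolver.
        recursion no;

        // NOTE(review): dnssec-enable is deprecated in newer BIND releases
        // (9.16 warns; later releases may reject it) - drop the line if
        // named-checkconf complains. dnssec-validation takes effect in the
        // recursive view, which includes the trust anchors (named.root.key).
        dnssec-enable yes;
        dnssec-validation yes;

//        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";

        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
};

logging {
        channel default_debug {
                file "data/named.run";   // relative to "directory" (/var/named)
                severity dynamic;        // log level follows the server's current debug level
        };
        category lame-servers { null; };  // discard lame-delegation noise
};

// Views are matched in order: private-zone clients land in "local", all
// others in "world". Once views are used every zone - including the stock
// includes - must live inside a view rather than at top level.
view "local" {
        match-clients { private-zone; };
        recursion yes;          // recursive resolver for internal clients only
        zone "." {
                type hint;
                file "named.ca";        // root hints, required for recursion
        };

        zone "0.0.127.in-addr.arpa" {
                type master;
                file "0.0.127.in-addr.arpa";
        };

        // Internal (split-horizon) copy of chinaz.org with LAN addresses.
        zone "chinaz.org" {
                type master;
                file "rc.chinaz.org";
        };

        // Reverse zone for the LAN /24.
        zone "xxx.168.192.in-addr.arpa" {
                type master;
                file "xxx.168.192.in-addr.arpa";
        };

// Stock localhost zones and the root trust anchors used by dnssec-validation.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

};

view "world" {
        match-clients { any; };
        allow-query { any; };   // public authoritative data only
        recursion no;
        // Public copy of chinaz.org; zone transfers limited to the listed
        // secondaries. NOTE(review): this is a source-address check only;
        // a TSIG key shared with the secondaries is the stronger control.
        zone "chinaz.org" {
                type master;
                file "chinaz.org";
                allow-transfer  { secondary-ns; };
        };
        // Reverse zone for the public address; inherits
        // allow-transfer { private-zone; } from options.
        zone "172.17.136.210.in-addr.arpa" {
                type master;
                file "172.17.136.210.in-addr.arpa";
        };
};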
----------------------------------------------------------------
# vi /var/named/0.0.127.in-addr.arpa
----------------------------------------------------------------
; Reverse zone for the loopback network, served only through view "local".
$TTL    1D

@    IN    SOA    ns.chinaz.org.    root.ns.chinaz.org. (
     2020123101      ; serial (YYYYMMDDnn) - raise it on every edit
     3H              ; refresh
     1H              ; retry
     1W              ; expire
     1D )            ; negative-cache TTL

; Blank owner field: the record belongs to the last owner seen, "@".
          IN    NS    ns.chinaz.org.
; NOTE(review): "xxx" is the page's placeholder; the PTR for 127.0.0.1
; belongs at label "1".
xxx       IN    PTR   localhost.
----------------------------------------------------------------
# vi /var/named/rc.chinaz.org
----------------------------------------------------------------
; Internal (view "local") copy of chinaz.org: names resolve to LAN addresses.
; The public copy served to everyone else is /var/named/chinaz.org.
$TTL    1D

@    IN    SOA    ns.chinaz.org.    root.ns.chinaz.org. (
    2020123101      ; serial (YYYYMMDDnn) - raise it on every edit
    3H              ; refresh
    1H              ; retry
    1W              ; expire
    1D )            ; negative-cache TTL
; Apex records (owner inherited from "@" above). The MX target "ns" is an
; A record below, as required (an MX must not point at a CNAME).
          IN    NS    ns.chinaz.org.
          IN    MX 5  ns.chinaz.org.

ct02      IN    A     192.168.xxx.2      ; mirrored by PTR "2" in xxx.168.192.in-addr.arpa
ns        IN    A     192.168.xxx.xxx    ; this DNS server; mirrored by PTR "xxx"

; Every service alias points at the single host "ns".
dns       IN    CNAME ns
www       IN    CNAME ns
mail      IN    CNAME ns
smtp      IN    CNAME ns
pop       IN    CNAME ns
imap      IN    CNAME ns
ftp       IN    CNAME ns
----------------------------------------------------------------
# vi /var/named/xxx.168.192.in-addr.arpa
----------------------------------------------------------------
; Reverse zone for the LAN 192.168.xxx.0/24, served only through view "local".
$TTL    1D

@    IN    SOA    ns.chinaz.org.    root.ns.chinaz.org. (
    2020123101      ; serial (YYYYMMDDnn) - raise it on every edit
    3H              ; refresh
    1H              ; retry
    1W              ; expire
    1D )            ; negative-cache TTL

; Blank owner field: the record belongs to the last owner seen, "@".
          IN    NS    ns.chinaz.org.

; Apex records. The A record looks like the old netmask-in-reverse-zone
; convention; it is not needed for PTR lookups - TODO confirm it is wanted.
          IN    PTR   chinaz.org.
          IN    A     255.255.255.0

; Host octets, matching the A records in rc.chinaz.org.
2         IN    PTR   ct02.chinaz.org.
xxx       IN    PTR   ns.chinaz.org.
----------------------------------------------------------------
# vi /var/named/chinaz.org
----------------------------------------------------------------
; Public copy of chinaz.org, served to all clients through view "world".
; Internal clients get /var/named/rc.chinaz.org instead (split horizon).
$TTL    1D

@    IN    SOA   ns.chinaz.org.    root.ns.chinaz.org. (
    2021112103      ; serial - bumped for the 2021-11-21 secondary change; raise on every edit so the secondaries refresh
    3H              ; refresh
    1H              ; retry
    1W              ; expire
    1D )            ; negative-cache TTL
; Authoritative servers: this host plus the maihama-net secondaries, which
; must be allowed to transfer the zone (acl secondary-ns in named.conf).
          IN    NS    ns.chinaz.org.
          IN    NS    ns1.maihama-net.com.
          IN    NS    ns3.maihama-net.com.
; Mail: both MX targets are A records below (an MX must not point at a CNAME).
          IN    MX 5  ns.chinaz.org.
          IN    MX 10 chinaz.org.
; SPF: only the MX hosts may send mail for this domain; other senders soft-fail.
          IN    TXT   "v=spf1 mx ~all"

          IN    A     210.136.17.172    ; apex address, also the target of MX 10
ns        IN    A     210.136.17.172
; NOTE(review): a loopback A record in a public zone is usually unnecessary;
; confirm it is wanted.
localhost IN    A     127.0.0.1

; Every service alias points at the single public host "ns".
www       IN    CNAME ns
mail      IN    CNAME ns
smtp      IN    CNAME ns
pop       IN    CNAME ns
imap      IN    CNAME ns
ftp       IN    CNAME ns
----------------------------------------------------------------
# vi /var/named/172.17.136.210.in-addr.arpa
----------------------------------------------------------------
; Reverse zone for the single public address 210.136.17.172 (the zone name
; is that address reversed), served through view "world".
$TTL    1D

@    IN    SOA    ns.chinaz.org.    root.ns.chinaz.org. (
    2020123101      ; serial (YYYYMMDDnn) - raise it on every edit
    3H              ; refresh
    1H              ; retry
    1W              ; expire
    1D )            ; negative-cache TTL

; NOTE(review): "example.com." is not one of the secondaries listed in
; chinaz.org (ns1/ns3.maihama-net.com.). If it is a placeholder, replace it
; with the real secondary: this NS set is published to the public view, and
; a server that is not authoritative for the zone yields a lame delegation.
          IN    NS    ns.chinaz.org.
          IN    NS    example.com.

; Apex PTR is the answer for 210.136.17.172. The A record looks like the
; netmask-in-reverse-zone convention; not needed for PTR lookups - TODO confirm.
          IN    PTR   chinaz.org.
          IN    A     255.255.255.254
----------------------------------------------------------------

構文チェック

# named-checkzone 0.0.127.in-addr.arpa /var/named/0.0.127.in-addr.arpa   # arguments: zone name, then the zone file
# named-checkzone chinaz.org /var/named/rc.chinaz.org   # internal copy (view "local")
# named-checkzone xxx.168.192.in-addr.arpa /var/named/xxx.168.192.in-addr.arpa
# named-checkzone chinaz.org /var/named/chinaz.org   # public copy (view "world"), same zone name
# named-checkzone 172.17.136.210.in-addr.arpa /var/named/172.17.136.210.in-addr.arpa
# named-checkconf /etc/named.conf   # syntax only; add -z to also load every zone from the config

起動設定

# systemctl start named-chroot    # unit provided by bind-chroot (not the plain "named" unit)
# systemctl enable named-chroot   # start at boot

ポートのオープン

# firewall-cmd --zone=external --add-service=dns --permanent   # port 53 from outside: only the non-recursive "world" view answers there
# firewall-cmd --zone=internal --add-service=dns --permanent   # port 53 from the LAN: the recursive "local" view
# firewall-cmd --reload             # apply the permanent rules
# firewall-cmd --list-all-zones     # confirm dns appears in both zones

参照DNSの変更

DNSが稼働したら、外部のDNSを参照していた設定を自身を参照するように変更

# nmcli con mod eth0 ipv4.dns 192.168.xxx.xxx   # point the host at its own server; the LAN address is inside private-zone, so it lands in the recursive "local" view
# nmcli con mod eth1 ipv4.dns 192.168.xxx.xxx
# systemctl restart NetworkManager            # rewrite /etc/resolv.conf with the new server
