DNSサーバー構築

BINDインストール

[root@falcon21 ~]# dnf -y install bind 

BIND設定ファイル編集
[root@falcon21 ~]# vi /etc/named.conf
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-validation yes;

    managed-keys-directory "/var/named/dynamic";
    geoip-directory "/usr/share/GeoIP";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";

    /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
    include "/etc/crypto-policies/back-ends/bind.config";

};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "." IN {
type hint;
file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

************************************************************************************************************


falcon21.spaceの内部向けゾーン定義ファイル作成
[root@falcon21 ~]# vi /etc/named/named.falcon21.space.zone
zone "falcon21.space" {
type master;
file "falcon21.space.db";
};
zone "10.168.192.in-addr.arpa" {
type master;
file "10.168.192.in-addr.arpa.db";
};


外部向けゾーン定義ファイル作成   
[root@falcon21 ~]# vi /etc/named/named.falcon21.space.zone.wan
// 正引き設定
zone "falcon21.space" {
type master;
file "falcon21.space.db.wan";
allow-query { any; };
};

// 逆引き設定
zone "94.3.181.203.in-addr.arpa" {
type master;
file "94.3.181.203.in-addr.arpa.db.wan";
};


IPv4のみ有効にする(error (network unreachable) resolvingというエラーログの出力抑止)
[root@falcon21 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named


ルートゾーン(named.ca)最新化
[root@falcon21 ~]# dig . ns @198.41.0.4 +bufsize=1024 > /var/named/named.ca 

ルートゾーン自動更新設定
1ヶ月に一度、ルートゾーンが最新かチェックし、更新されていればルートゾーンの最新化及び、BINDの
再起動を自動的に行うようにする。
※ルートゾーンが更新されていた場合のみ、新旧ルートゾーン情報及び、新旧ルートゾーンの
差分情報をroot宛にメールする

ルートゾーン月次自動最新化スクリプト作成
[root@falcon21 ~]# vi /etc/cron.monthly/named.root_update

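#!/bin/bash
#
# Monthly root-hints refresh for BIND (installed as /etc/cron.monthly/named.root_update).
#
# Fetches the current root NS set from a.root-servers.net (198.41.0.4),
# compares it with the installed /var/named/named.ca (ignoring the
# ";"-prefixed comment lines dig emits, which change on every run) and,
# only when the record set actually changed: mails old/new/diff to root,
# installs the new file and restarts the named service.
# When the lookup fails or returns an unusable answer, dig's output is
# mailed to root and named.ca is left untouched.
#
# Globals:  none read; writes /var/named/named.ca on update
# Outputs:  diagnostics go to root via mail(1); nothing on stdout
# Returns:  0 when nothing to do or the update succeeded, 1 on lookup error
set -u

readonly root_server=198.41.0.4
readonly hints_file=/var/named/named.ca
# Unit to restart after installing new hints. The rest of this setup enables
# "named"; the original script restarted "named-chroot", which only exists when
# bind-chroot is installed - switch this value if that is the case.
readonly named_service=named

# Five scratch files; unpredictable names via mktemp, all removed on any exit.
new=$(mktemp) || exit 1
errors=$(mktemp) || exit 1
sort_new=$(mktemp) || exit 1
sort_old=$(mktemp) || exit 1
diff_out=$(mktemp) || exit 1
trap 'rm -f -- "$new" "$errors" "$sort_new" "$sort_old" "$diff_out"' EXIT

if ! dig . ns "@${root_server}" +bufsize=1024 > "$new" 2> "$errors"; then
  mail -s 'named.root update check error' root < "$errors"
  exit 1
fi

# dig exits 0 even when the server answers with a non-NOERROR status or an
# empty answer, so never let such output overwrite the working hints file.
if ! grep -q 'status: NOERROR' "$new" || ! grep -q 'root-servers\.net' "$new"; then
  {
    printf 'unexpected dig output, %s left unchanged:\n' "$hints_file"
    cat "$new"
  } | mail -s 'named.root update check error' root
  exit 1
fi

# Sort both copies so record order does not produce spurious differences.
sort "$new" > "$sort_new"
sort "$hints_file" > "$sort_old"

# diff status: 0 = identical, 1 = differs, 2 = error. Only a real difference
# may trigger an install; a diff error (e.g. unreadable file) is reported.
diff --ignore-matching-lines='^;' "$sort_new" "$sort_old" > "$diff_out" 2> "$errors"
case $? in
  0) exit 0 ;;
  1) ;;
  *)
    mail -s 'named.root update check error' root < "$errors"
    exit 1
    ;;
esac

{
  echo '-------------------- old named.root --------------------'
  cat "$hints_file"
  echo
  echo '-------------------- new named.root --------------------'
  cat "$new"
  echo '---------------------- difference ----------------------'
  cat "$diff_out"
} | mail -s 'named.root updated' root

cp -f -- "$new" "$hints_file"
chown named:named "$hints_file"
chmod 644 "$hints_file"

# Restart only where systemd is present; the original ran `which systemctl`
# but never used its result.
if command -v systemctl > /dev/null 2>&1; then
  systemctl restart "$named_service" > /dev/null
fi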


ルートゾーン月次自動最新化スクリプトへ実行権限付加
[root@falcon21 ~]# chmod 700 /etc/cron.monthly/named.root_update

内部向け正引きゾーンデータベース(ドメイン名⇒IPアドレス)作成   

正引きゾーンデータベース作成
[root@falcon21 ~]# vi /var/named/falcon21.space.db
$TTL 86400
@ IN SOA ns1.falcon21.space. root.falcon21.space. (
2025111012 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns1.falcon21.space.
IN MX 10 falcon21.space.
@ IN A 192.168.10.3

* IN A 192.168.10.3

内部向け逆引きゾーンデータベース(IPアドレス⇒ドメイン名)作成  
逆引きゾーンデータベース作成
[root@falcon21 ~]# vi /var/named/10.168.192.in-addr.arpa.db
$TTL 86400
@ IN SOA falcon21.space. root.falcon21.space. (
2025103101 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS falcon21.space.
3 IN PTR falcon21.space.

外部向け正引きゾーンデータベース(ドメイン名⇒IPアドレス)作成          
外部向け正引きゾーンデータベース作成
[root@falcon21 ~]# vi /var/named/falcon21.space.db.wan
$TTL 86400
@ IN SOA ns1.falcon21.space. root.falcon21.space. (
2025103101 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
86400 ) ; Minimum

IN NS ns1.falcon21.space.
IN MX 10 falcon21.space.

ns1 IN A 203.181.3.94
@ IN A 203.181.3.94
www IN A 203.181.3.94
mail IN A 203.181.3.94
falcon21.space. IN TXT "v=spf1 ip4:203.181.3.94 ~all"


外部向け逆引きゾーンデータベース作成
[root@falcon21 ~]# vi /var/named/94.3.181.203.in-addr.arpa.db.wan  
$TTL 86400
@ IN SOA ns1.falcon21.space. root.falcon21.space. (
2025103101 ; Serial
7200 ; Refresh
7200 ; Retry
2419200 ; Expire
86400 ) ; Minimum
IN NS ns1.falcon21.space.
94 IN PTR falcon21.space.


BIND起動

root@falcon21:~# systemctl enable named
Created symlink ‘/etc/systemd/system/multi-user.target.wants/named.service’ → ‘/usr/lib/systemd/system/named.service’.

root@falcon21:~# systemctl restart named
Created symlink ‘/etc/systemd/system/multi-user.target.wants/named.service’ → ‘/usr/lib/systemd/system/named.service’.
Job for named.service failed because the control process exited with error code.
See “systemctl status named.service” and “journalctl -xeu named.service” for details.


BIND起動エラー 対処

named.confチェック
[root@falcon21 ~]# named-checkconf -z /etc/named.conf

ゾーン定義ファイルのチェック
[root@falcon21 ~]# named-checkzone falcon21.space

ゾーンファイルチェック
[root@falcon21 ~]# named-checkzone falcon21.space /var/named/10.168.192.in-addr.arpa.db

[root@falcon21 ~]# named-checkzone falcon21.space /var/named/falcon21.space.db

[root@falcon21 ~]# named-checkzone falcon21.space /var/named/falcon21.space.db.wan

[root@falcon21 ~]# named-checkzone falcon21.space /var/named/94.3.181.203.in-addr.arpa.db.wan


BIND自動起動設定

[root@falcon21 ~]# systemctl start named

[root@falcon21 ~]# systemctl enable named

起動確認
[root@falcon21 ~]# systemctl restart named


ファイアウォール設定 TCP53番、UDP53番ポート開放

[root@falcon21 ~]# firewall-cmd --add-service=dns
success

[root@falcon21 ~]# firewall-cmd --runtime-to-permanent
success