BIND installation
[root@falcon21 ~]# yum install bind bind-chroot bind-utils
インストール:
bind.x86_64 32:9.9.4-73.el7_6 bind-chroot.x86_64 32:9.9.4-73.el7_6
完了しました!
Verify the installation
[root@falcon21 ~]# rpm -qa | grep bind
bind-9.9.4-73.el7_6.x86_64
bind-license-9.9.4-73.el7_6.noarch
bind-libs-lite-9.9.4-73.el7_6.x86_64
bind-chroot-9.9.4-73.el7_6.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-73.el7_6.x86_64
bind-utils-9.9.4-73.el7_6.x86_64
rpcbind-0.2.0-47.el7.x86_64
*** bind-chroot changes the root directory to /var/named/chroot.
Nothing above this directory can be accessed, which hardens the server.
All configuration files are placed under /var/named/chroot.
While bind is not running, /var/named/chroot is not mounted; it is mounted only once bind is started. ***
bind-chroot would not start, so all related files were removed and it was installed again:
[root@falcon21 ~]# yum remove bind bind-chroot bind-utils
削除しました:
bind.x86_64 32:9.9.4-73.el7_6 bind-chroot.x86_64 32:9.9.4-73.el7_6 bind-utils.x86_64 32:9.9.4-73.el7_6
依存性の削除をしました:
ipa-client.x86_64 0:4.6.4-10.el7.centos.2 sssd.x86_64 0:1.16.2-13.el7_6.5 sssd-ad.x86_64 0:1.16.2-13.el7_6.5
sssd-ipa.x86_64 0:1.16.2-13.el7_6.5
[root@falcon21 ~]# reboot
[root@falcon21 ~]# rpm -qa | grep bind
bind-license-9.9.4-73.el7_6.noarch
bind-libs-lite-9.9.4-73.el7_6.x86_64
keybinder3-0.3.0-1.el7.x86_64
bind-libs-9.9.4-73.el7_6.x86_64
rpcbind-0.2.0-47.el7.x86_64
*** Reinstall these ***
[root@falcon21 ~]# yum install bind bind-chroot bind-utils
Check the files and directories
/etc/named directory
/etc: named.conf named.iscdlv.key named.rfc1912.zones named.root.key
[root@falcon21 ~]# ll /var/named
合計 16
drwxr-x--- 7 root named 61 2月 16 16:03 chroot
drwxrwx--- 2 named named 6 1月 30 02:23 data
drwxrwx--- 2 named named 6 1月 30 02:23 dynamic
-rw-r----- 1 root named 2281 5月 22 2017 named.ca
-rw-r----- 1 root named 152 12月 15 2009 named.empty
-rw-r----- 1 root named 152 6月 21 2007 named.localhost
-rw-r----- 1 root named 168 12月 15 2009 named.loopback
drwxrwx--- 2 named named 6 1月 30 02:23 slaves
Save a renamed copy of the default named.conf
[root@falcon21 ~]# cp -f /etc/named.conf /etc/named.conf_def
BIND configuration
[root@falcon21 ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        #listen-on port 53 { 127.0.0.1; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; localnets; };
        allow-transfer  { none; };
        allow-query-cache { localhost; localnets; };
        forwarders { 8.8.8.8; 8.8.4.4; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
(Only the options block is shown here; the view and zone statements that the status output later refers to as "internal" and "external" are not reproduced.)
---------------------------------------------------------
Create the external zone definition file
[root@falcon21 ~]# vi /var/named/chroot/etc/named/named.falcon21.space.zone.wan
zone "falcon21.space" {
        type master;
        file "falcon21.space.db.wan";
        allow-query { any; };
};
---------------------------------------------------------------
Enable IPv4 only (suppresses the "error (network unreachable) resolving" log messages)
[root@falcon21 ~]# echo OPTIONS="-4" >> /etc/sysconfig/named
Refresh the root hints
[root@falcon21 ~]# dig . ns @198.41.0.4 +bufsize=1024 > /var/named/chroot/var/named/named.ca
Create the root hints update script
[root@falcon21 ~]# vi named.root_update
#!/bin/bash
# Fetch the current root hints from a.root-servers.net and compare them with the
# copy inside the chroot; on a change, mail the diff to root, install the new file
# and restart named.
new=`mktemp`
errors=`mktemp`
dig . ns @198.41.0.4 +bufsize=1024 > $new 2> $errors
if [ $? -eq 0 ]; then
    sort_new=`mktemp`
    sort_old=`mktemp`
    diff_out=`mktemp`
    sort $new > $sort_new
    sort /var/named/chroot/var/named/named.ca > $sort_old
    # ignore ';' comment lines (dig's query time/date differ on every run)
    diff --ignore-matching-lines=^\; $sort_new $sort_old > $diff_out
    if [ $? -ne 0 ]; then
        (
            echo '-------------------- old named.root --------------------'
            cat /var/named/chroot/var/named/named.ca
            echo
            echo '-------------------- new named.root --------------------'
            cat $new
            echo '---------------------- difference ----------------------'
            cat $diff_out
        ) | mail -s 'named.root updated' root
        cp -f $new /var/named/chroot/var/named/named.ca
        chown named. /var/named/chroot/var/named/named.ca
        chmod 644 /var/named/chroot/var/named/named.ca
        # systemd host (CentOS 7) or SysV init host
        which systemctl > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            systemctl restart named-chroot > /dev/null
        else
            /etc/rc.d/init.d/named restart > /dev/null
        fi
    fi
    rm -f $sort_new $sort_old $diff_out
else
    cat $errors | mail -s 'named.root update check error' root
fi
rm -f $new $errors
-------------------------------------------------------------------------
Make the root hints update script executable
[root@falcon21 ~]# chmod 700 named.root_update
Move the root hints update script into the directory that is run automatically every month
[root@falcon21 ~]# mv named.root_update /etc/cron.monthly/
---------------------------------------------------------------
Create the internal forward zone database
[root@falcon21 ~]# vi /var/named/chroot/var/named/falcon21.space.db
$TTL 86400
@       IN SOA  ns1.falcon21.space. root.falcon21.space. (
                2019021515      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   ns1.falcon21.space.
        IN MX   10 falcon21.space.
@       IN A    192.168.2.101
*       IN A    192.168.2.101
---------------------------------------------------------------
Create the internal reverse zone database
[root@falcon21 ~]# vi /var/named/chroot/var/named/2.168.192.in-addr.arpa.db
$TTL 86400
@       IN SOA  ns1.falcon21.space. root.falcon21.space. (
                2019021515      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   ns1.falcon21.space.
        IN PTR  falcon21.space.
101     IN PTR  ns1.falcon21.space.
---------------------------------------------------------
Create the external forward zone database
[root@falcon21 ~]# vi /var/named/chroot/var/named/falcon21.space.db.wan
$TTL 86400
@       IN SOA  ns1.falcon21.space. root.falcon21.space. (
                2019021515      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   ns1.falcon21.space.
        IN MX   10 falcon21.space.
ns1     IN A    203.181.3.94
@       IN A    203.181.3.94
www     IN A    203.181.3.94
mail    IN A    203.181.3.94
falcon21.space. IN TXT "v=spf1 ip4:203.181.3.94 ~all"
---------------------------------------------------------------
Start BIND
[root@falcon21 ~]# systemctl start named-chroot
Job for named-chroot.service failed because the control process exited with error code. See "systemctl status named-chroot.service" and "journalctl -xe" for details.
[root@falcon21 ~]# systemctl status named-chroot.service -l
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 金 2019-02-15 16:56:39 JST; 9min ago
  Process: 4075 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=1/FAILURE)

2月 15 16:56:37 falcon21.space systemd[1]: Starting Berkeley Internet Name Domain (DNS)...
2月 15 16:56:39 falcon21.space bash[4075]: /etc/named.conf:79: open: /etc/named/named.named.falcon21.space.zone.wan: file not found
2月 15 16:56:39 falcon21.space systemd[1]: named-chroot.service: control process exited, code=exited status=1
2月 15 16:56:39 falcon21.space systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
2月 15 16:56:39 falcon21.space systemd[1]: Unit named-chroot.service entered failed state.
2月 15 16:56:39 falcon21.space systemd[1]: named-chroot.service failed.

On CentOS 7, bind also has to use bind-chroot; it does not switch to the chroot automatically.
Create the bind-chroot-admin script
[root@falcon21 ~]# vi bind-chroot-admin
#!/bin/sh
# bind-chroot install check
rpm -q bind-chroot > /dev/null 2>&1
[ $? -ne 0 ] && echo bind-chroot not installed && exit 1
# enable bind-chroot via ROOTDIR in /etc/sysconfig/named
sed -i '/^ROOTDIR=/d' /etc/sysconfig/named
echo ROOTDIR=/var/named/chroot >> /etc/sysconfig/named
# copy every file and directory owned by the bind package under /etc and /var
# into the chroot (an existing copy inside the chroot is overwritten)
filelist=`mktemp`
rpm -ql bind | grep ^/etc >> ${filelist}
rpm -ql bind | grep ^/var >> ${filelist}
for file in `cat ${filelist}`
do
    # make the directory
    if [ -d ${file} ]; then
        DIRNAME=/var/named/chroot${file}
        [ ! -d ${DIRNAME} ] && mkdir -p ${DIRNAME}
    fi
    # copy the file
    if [ -f ${file} ]; then
        DIRNAME=/var/named/chroot`dirname ${file}`
        [ ! -d ${DIRNAME} ] && mkdir -p ${DIRNAME}
        /bin/cp -a ${file} ${DIRNAME}
    fi
done
rm -f ${filelist}
# named must be able to write its data and managed-keys directories
chown named:named /var/named/chroot/var/named/data
chmod 770 /var/named/chroot/var/named/data
chown named:named /var/named/chroot/var/named/dynamic
exit
----------------------------
[root@falcon21 ~]# sh bind-chroot-admin
Start BIND
[root@falcon21 ~]# systemctl start named-chroot
Enable BIND at boot
[root@falcon21 ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
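The start failure above came from a path that named, running with -t /var/named/chroot, could not open inside the chroot (the log names /etc/named/named.named.falcon21.space.zone.wan, while the file created earlier is /etc/named/named.falcon21.space.zone.wan). The following pre-start check is an added example, not part of the original page: it resolves every include and zone "file" path under the chroot the same way and lists the missing ones; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original page. named -t CHROOT opens every
# include and zone "file" path underneath the chroot; this script resolves
# those paths the same way and lists the missing ones before named is started.
# Function names are hypothetical; path defaults follow the page's layout.

# conf_values KEYWORD FILE: print the quoted value of each 'KEYWORD "value";' line.
conf_values() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2"
}

# chroot_check_paths CHROOT CONF: CONF is the config path as named sees it
# (e.g. /etc/named.conf); everything is resolved under CHROOT. Prints each
# missing path and returns 1 if anything is missing, 0 otherwise.
chroot_check_paths() {
    root="$1"; conf="$2"; missing=0
    [ -e "$root$conf" ] || { echo "missing config: $conf"; return 1; }
    # zone "file" names are relative to the options "directory" (BIND default /var/named)
    dir=$(conf_values directory "$root$conf" | head -n 1)
    [ -n "$dir" ] || dir=/var/named
    files="$conf"
    # one level of include, which is how the page pulls in its external zone definition
    for inc in $(conf_values include "$root$conf"); do
        if [ -e "$root$inc" ]; then
            files="$files $inc"
        else
            echo "missing include: $inc"; missing=1
        fi
    done
    for f in $files; do
        for z in $(conf_values file "$root$f"); do
            case "$z" in /*) p="$z" ;; *) p="$dir/$z" ;; esac
            [ -e "$root$p" ] || { echo "missing zone file: $p (from $f)"; missing=1; }
        done
    done
    return $missing
}

# chroot_check CHROOT CONF: the path check above, then the real parser when BIND
# is installed (named-checkconf -t CHROOT -z is what named-chroot.service runs
# in ExecStartPre, as the failed status output on the page shows).
chroot_check() {
    chroot_check_paths "$1" "$2" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$1" -z "$2"
    fi
}

# On the page's host: chroot_check /var/named/chroot /etc/named.conf
```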
Confirm it is running
[root@falcon21 ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2019-02-17 00:39:26 JST; 12min ago
 Main PID: 8997 (named)
   CGroup: /system.slice/named-chroot.service
           └─8997 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot -4

2月 17 00:39:26 falcon21.space named[8997]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/internal: loaded serial 0
2月 17 00:39:26 falcon21.space named[8997]: zone 1.0.0.127.in-addr.arpa/IN/internal: loaded serial 0
2月 17 00:39:26 falcon21.space named[8997]: zone localhost/IN/internal: loaded serial 0
2月 17 00:39:26 falcon21.space named[8997]: zone 2.168.192.in-addr.arpa/IN/internal: loaded serial 2019021515
2月 17 00:39:26 falcon21.space named[8997]: zone localhost.localdomain/IN/internal: loaded serial 0
2月 17 00:39:26 falcon21.space named[8997]: zone falcon21.space/IN/internal: loaded serial 2019021515
2月 17 00:39:26 falcon21.space named[8997]: zone falcon21.space/IN/external: loaded serial 2019021515
2月 17 00:39:26 falcon21.space named[8997]: all zones loaded
2月 17 00:39:26 falcon21.space systemd[1]: Started Berkeley Internet Name Domain (DNS).
2月 17 00:39:26 falcon21.space named[8997]: running
------------------------------
[root@falcon21 ~]# dig falcon21.space

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> falcon21.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30612
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;falcon21.space.                        IN      A

;; ANSWER SECTION:
falcon21.space.         930     IN      A       203.181.3.94

;; Query time: 15 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: 日 2月 17 01:08:10 JST 2019
;; MSG SIZE  rcvd: 59
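The dig above was answered by 192.168.2.1 (its ";; SERVER:" line), the LAN resolver, so it does not exercise the new named at all. The following is an added example, not part of the original page: helpers that parse dig output and check what the server described on the page should return when queried directly, both for its zone data and for the recursion limits set by allow-query-cache { localhost; localnets; }. Names and addresses are the page's own; that the internal view serves LAN clients and the external view the public side is an assumption.

```shell
#!/bin/sh
# Added example, not part of the original page. Parses dig output so the new
# named can be checked directly instead of through the LAN resolver. Names and
# addresses are the page's; which view answers which client is assumed.

# Field extractors for dig output passed as a single string.
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }
dig_server() { printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p'; }
dig_a_rdata() {   # dig_a_rdata OUTPUT NAME: A record data for NAME from the ANSWER section
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $3 == "IN" && $4 == "A" { print $5 }'
}

# check_answer OUTPUT SERVER NAME IP: NOERROR, answered by SERVER, and NAME -> IP.
check_answer() {
    [ "$(dig_status "$1")" = "NOERROR" ] &&
    [ "$(dig_server "$1")" = "$2" ] &&
    [ "$(dig_a_rdata "$1" "$3")" = "$4" ]
}

# check_refused OUTPUT: the server refused the query. With allow-query-cache
# { localhost; localnets; } this is what a recursive query from outside must get.
check_refused() { [ "$(dig_status "$1")" = "REFUSED" ]; }

# Constructed from the page's own dig output (abridged); note the SERVER line.
PAGE_DIG_OUTPUT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30612
;; QUESTION SECTION:
;falcon21.space.                        IN      A
;; ANSWER SECTION:
falcon21.space.         930     IN      A       203.181.3.94
;; SERVER: 192.168.2.1#53(192.168.2.1)'

# Run on a LAN host: the internal view must answer with the private address.
verify_from_lan() {
    check_answer "$(dig @192.168.2.101 falcon21.space A)" 192.168.2.101 falcon21.space. 192.168.2.101
}

# Run from a host outside localnets: the external view must answer with the
# public address, and a recursive query for a foreign name must be refused.
verify_from_outside() {
    check_answer "$(dig @203.181.3.94 falcon21.space A)" 203.181.3.94 falcon21.space. 203.181.3.94 &&
    check_refused "$(dig @203.181.3.94 example.com A)"
}
```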