Building a name server
Install BIND

[root@falcon21 ~]# dnf -y install bind bind-utils
メタデータの期限切れの最終確認: 0:56:16 時間前の 2020年11月18日 15時19分15秒 に実施しました。
パッケージ bind-utils-32:9.11.13-6.el8_2.1.x86_64 はすでにインストールされています。
依存関係が解決しました。
====================================================================================
 パッケージ      アーキテクチャー   バージョン                リポジトリー   サイズ
====================================================================================
インストール中:
 bind           x86_64             32:9.11.13-6.el8_2.1      AppStream      2.1 M

トランザクションの概要
====================================================================================
インストール  1 パッケージ

ダウンロードサイズの合計: 2.1 M
インストール済みのサイズ: 4.5 M
パッケージのダウンロード:
bind-9.11.13-6.el8_2.1.x86_64.rpm                        5.7 MB/s | 2.1 MB     00:00
------------------------------------------------------------------------------------
合計                                                     3.0 MB/s | 2.1 MB     00:00
トランザクションの確認を実行中
トランザクションの確認に成功しました。
トランザクションのテストを実行中
トランザクションのテストに成功しました。
トランザクションを実行中
  準備              :                                                          1/1
  scriptlet の実行中: bind-32:9.11.13-6.el8_2.1.x86_64                          1/1
  インストール中    : bind-32:9.11.13-6.el8_2.1.x86_64                          1/1
  scriptlet の実行中: bind-32:9.11.13-6.el8_2.1.x86_64                          1/1
  検証              : bind-32:9.11.13-6.el8_2.1.x86_64                          1/1
Installed products updated.

インストール済み:
  bind-32:9.11.13-6.el8_2.1.x86_64

完了しました!
---------------------
Install bind-chroot

[root@falcon21 ~]# dnf install bind-chroot
メタデータの期限切れの最終確認: 1:36:37 時間前の 2020年11月18日 15時19分15秒 に実施しました。
依存関係が解決しました。
====================================================================================
 パッケージ      アーキテクチャー   バージョン                リポジトリー   サイズ
====================================================================================
インストール中:
 bind-chroot    x86_64             32:9.11.13-6.el8_2.1      AppStream      102 k

トランザクションの概要
====================================================================================
インストール  1 パッケージ

ダウンロードサイズの合計: 102 k
インストール済みのサイズ: 4.6 k
これでよろしいですか? [y/N]: y
パッケージのダウンロード:
bind-chroot-9.11.13-6.el8_2.1.x86_64.rpm                 571 kB/s | 102 kB     00:00
------------------------------------------------------------------------------------
合計                                                     207 kB/s | 102 kB     00:00
トランザクションの確認を実行中
トランザクションの確認に成功しました。
トランザクションのテストを実行中
トランザクションのテストに成功しました。
トランザクションを実行中
  準備              :                                                          1/1
  インストール中    : bind-chroot-32:9.11.13-6.el8_2.1.x86_64                   1/1
  scriptlet の実行中: bind-chroot-32:9.11.13-6.el8_2.1.x86_64                   1/1
  検証              : bind-chroot-32:9.11.13-6.el8_2.1.x86_64                   1/1
Installed products updated.

インストール済み:
  bind-chroot-32:9.11.13-6.el8_2.1.x86_64

完了しました!
---------------------
Edit the main configuration

[root@falcon21 ~]# vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        #listen-on port 53 { 127.0.0.1; };
        #listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query       { localhost; localnets; };
        allow-recursion   { localhost; localnets; };
        allow-query-cache { localhost; localnets; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        allow-transfer { none; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
         */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        #dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
        category lame-servers { null; };
};

view "internal" {
        match-clients { localnets; };
        match-destinations { localnets; };

        zone "." IN {
                type hint;
                file "named.ca";
        };
        include "/etc/named.rfc1912.zones";
        include "/etc/named.root.key";

        include "/etc/named/named.falcon21.space.zone";
};

view "external" {
        match-clients { any; };
        match-destinations { any; };
        include "/etc/named/named.falcon21.space.zone.wan";
};

This is a split-horizon setup: clients on the local networks hit the "internal" view, which resolves recursively (via the 8.8.8.8/8.8.4.4 forwarders) and serves the private addresses; everyone else hits the "external" view, which only carries the public zone. Recursion is switched on globally, but allow-recursion and allow-query-cache are limited to localhost and localnets, so outside clients get authoritative answers for falcon21.space only and the server is not an open resolver; allow-transfer { none; } blocks zone transfers from either view.
-------------------------
Create the zone definition files (/etc/named/)

[root@falcon21 ~]# vi /etc/named/named.falcon21.space.zone
zone "falcon21.space" {
        type master;
        file "falcon21.space.db";
};
zone "10.168.192.in-addr.arpa" {
        type master;
        file "10.168.192.in-addr.arpa.db";
};
--------
[root@falcon21 ~]# vi /etc/named/named.falcon21.space.zone.wan
zone "falcon21.space" {
        type master;
        file "falcon21.space.db.wan";
        allow-query { any; };
};

The zone-level allow-query { any; } overrides the global allow-query { localhost; localnets; } for this one zone, which is what lets Internet clients query falcon21.space through the external view.
---------------------
Run named with IPv4 only

[root@falcon21 ~]# echo OPTIONS="-4" >> /etc/sysconfig/named

Refresh the root hints file

[root@falcon21 ~]# dig . ns @198.41.0.4 +bufsize=1024 > /var/named/chroot/var/named/named.ca

Create a root hints update script

[root@falcon21 ~]# vi named.root_update
#!/bin/bash
# Fetch the current root hints from a.root-servers.net (198.41.0.4) and compare
# them with the installed named.ca; on a change, notify root, install the new
# file and restart named.
new=`mktemp`
errors=`mktemp`
dig . ns @198.41.0.4 +bufsize=1024 > $new 2> $errors
if [ $? -eq 0 ]; then
    sort_new=`mktemp`
    sort_old=`mktemp`
    diff_out=`mktemp`
    sort $new > $sort_new
    sort /var/named/chroot/var/named/named.ca > $sort_old
    # ';' comment lines (query time, date) differ on every run, so ignore them
    diff --ignore-matching-lines=^\; $sort_new $sort_old > $diff_out
    if [ $? -ne 0 ]; then
        (
        echo '-------------------- old named.root --------------------'
        cat /var/named/chroot/var/named/named.ca
        echo
        echo '-------------------- new named.root --------------------'
        cat $new
        echo '---------------------- difference ----------------------'
        cat $diff_out
        ) | mail -s 'named.root updated' root
        cp -f $new /var/named/chroot/var/named/named.ca
        chown named. /var/named/chroot/var/named/named.ca
        chmod 644 /var/named/chroot/var/named/named.ca
        which systemctl > /dev/null 2>&1
        if [ $? -eq 0 ]; then
            systemctl restart named-chroot > /dev/null
        else
            /etc/rc.d/init.d/named restart > /dev/null
        fi
    fi
    rm -f $sort_new $sort_old $diff_out
else
    # dig failed: forward its error output to root instead
    cat $errors | mail -s 'named.root update check error' root
fi
rm -f $new $errors
---------------------
Make the root hints update script executable

[root@falcon21 ~]# chmod 700 named.root_update

Move the script into the directory whose contents run automatically every month

[root@falcon21 ~]# mv named.root_update /etc/cron.monthly/
---------------------
Create the forward zone database (/var/named/)

[root@falcon21 ~]# vi /var/named/falcon21.space.db
$TTL 86400
@       IN SOA  falcon21.space. root.falcon21.space. (
                2020041702      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   falcon21.space.
        IN MX   10 falcon21.space.
@       IN A    192.168.10.3
*       IN A    192.168.10.3
---------------------
Create the reverse zone database

[root@falcon21 ~]# vi /var/named/10.168.192.in-addr.arpa.db
$TTL 86400
@       IN SOA  ns1.falcon21.space. root.falcon21.space. (
                2020042123      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   ns1.falcon21.space.
        IN PTR  falcon21.space.
3       IN PTR  ns1.falcon21.space.
------------------------
Create the external-facing forward zone database

[root@falcon21 ~]# vi /var/named/falcon21.space.db.wan
$TTL 86400
@       IN SOA  ns1.falcon21.space. root.falcon21.space. (
                2002041702      ; Serial
                28800           ; Refresh
                14400           ; Retry
                3600000         ; Expire
                86400 )         ; Minimum
        IN NS   ns1.falcon21.space.
        IN MX   10 falcon21.space.
ns1     IN A    203.181.3.94
@       IN A    203.181.3.94
www     IN A    203.181.3.94
mail    IN A    203.181.3.94
falcon21.space. IN TXT "v=spf1 ip4:203.181.3.94 ~all"
-------------------------------
Start BIND

[root@falcon21 ~]# systemctl start named
[root@falcon21 ~]# systemctl enable named
Created symlink /etc/systemd/system/multi-user.target.wants/named.service → /usr/lib/systemd/system/named.service.
[root@falcon21 ~]# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-11-18 18:32:36 JST; 59s ago
 Main PID: 32002 (named)
    Tasks: 5 (limit: 48971)
   Memory: 82.4M
   CGroup: /system.slice/named.service
           └─32002 /usr/sbin/named -u named -c /etc/named.conf -4

11月 18 18:32:35 falcon21.space named[32002]: zone falcon21.space/IN/internal: loaded serial 2020041702
11月 18 18:32:35 falcon21.space named[32002]: zone localhost/IN/internal: loaded serial 0
11月 18 18:32:36 falcon21.space named[32002]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN>
11月 18 18:32:36 falcon21.space named[32002]: zone localhost.localdomain/IN/internal: loaded serial 0
11月 18 18:32:36 falcon21.space named[32002]: zone falcon21.space/IN/external: loaded serial 2002041702
11月 18 18:32:36 falcon21.space named[32002]: all zones loaded
11月 18 18:32:36 falcon21.space named[32002]: running
11月 18 18:32:36 falcon21.space systemd[1]: Started Berkeley Internet Name Domain (DNS).
11月 18 18:32:36 falcon21.space named[32002]: managed-keys-zone/internal: Key 20326 for zone . acceptance timer complete: key >
11月 18 18:32:36 falcon21.space named[32002]: resolver priming query complete

Both views report their falcon21.space zone loaded with the serial from the corresponding zone file (2020041702 internal, 2002041702 external), which is the quickest way to confirm that each view picked up the intended file.
---------------------
Point the server's own resolver at itself

[root@falcon21 ~]# sed -i 's/DNS1=.*/DNS1=127.0.0.1/g' /etc/sysconfig/network-scripts/ifcfg-enp0s25

Restart networking

[root@falcon21 ~]# systemctl restart NetworkManager
[root@falcon21 ~]# systemctl status NetworkManager
● NetworkManager.service - Network Manager
   Loaded: loaded (/usr/lib/systemd/system/NetworkManager.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2020-11-18 18:58:31 JST; 40s ago
     Docs: man:NetworkManager(8)
 Main PID: 32425 (NetworkManager)
    Tasks: 3 (limit: 48971)
   Memory: 6.7M
   CGroup: /system.slice/NetworkManager.service
           └─32425 /usr/sbin/NetworkManager --no-daemon

11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2321] device (virbr0): state change: secondaries ->>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2325] manager: NetworkManager state is now CONNECTE>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2335] policy: set 'enp0s25' (enp0s25) as default fo>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2338] policy: set 'enp0s25' (enp0s25) as default fo>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2957] device (virbr0): Activation: successful, devi>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2964] device (enp0s25): state change: secondaries ->
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2968] manager: NetworkManager state is now CONNECTE>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2977] device (enp0s25): Activation: successful, dev>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2983] manager: NetworkManager state is now CONNECTE>
11月 18 18:58:32 falcon21.space NetworkManager[32425]: <info>  [1605693512.2991] manager: startup complete
---------------------
dig command

[root@falcon21 ~]# dig falcon21.space

; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> falcon21.space
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13762
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;falcon21.space.                        IN      A

;; ANSWER SECTION:
falcon21.space.         1199    IN      A       203.181.3.94

;; Query time: 2116 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: 水 11月 18 18:51:37 JST 2020
;; MSG SIZE  rcvd: 59

[root@falcon21 ~]# dig -x 203.181.3.94

; <<>> DiG 9.11.13-RedHat-9.11.13-6.el8_2.1 <<>> -x 203.181.3.94
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30723
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;94.3.181.203.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
94.3.181.203.in-addr.arpa. 21599 IN     PTR     q003094.ppp.asahi-net.or.jp.

;; Query time: 32 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: 水 11月 18 18:52:10 JST 2020
;; MSG SIZE  rcvd: 95

Note that both answers came from 8.8.8.8 (the SERVER lines) and were captured at 18:51 and 18:52, before the resolver was switched to 127.0.0.1 at 18:58, so they show the forwarder's view rather than the local zones. After the NetworkManager restart, repeat the queries and check that SERVER reads 127.0.0.1#53 and that an address inside localnets receives the internal answer (192.168.10.3) while an outside address receives the external one (203.181.3.94).