BIND - yusukew62/docs GitHub Wiki
whoisインストール
# yum install jwhois

ドメイン名の登録を確認
# whois nifty.com| head -n20
[Querying whois.verisign-grs.com]
[whois.verisign-grs.com]
Domain Name: NIFTY.COM
Registry Domain ID: 5586877_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois2016.jprs.jp
Registrar URL: http://jprs.jp/registrar/
Updated Date: 2016-10-05T17:00:43Z
Creation Date: 1998-10-08T04:00:00Z
Registry Expiry Date: 2017-10-07T04:00:00Z
Registrar: Japan Registry Services Co., Ltd.
Registrar IANA ID: 1485
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +81.352158457
Domain Status: ok https://icann.org/epp#ok
Name Server: ONS0.NIFTY.AD.JP
Name Server: ONS1.NIFTY.AD.JP
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2017-09-23T15:10:37Z <<<

iptablesで53/tcp(ゾーン転送。UDPに収まらない応答のTCPフォールバックにも使われる), 53/udp(名前解決)を許可する
namedをリモートで制御する場合は953/tcp(rndc)を許可する
# diff -wu /etc/sysconfig/iptables.org /etc/sysconfig/iptables
--- /etc/sysconfig/iptables.org 2017-09-23 23:17:44.906999887 +0900
+++ /etc/sysconfig/iptables 2017-09-24 10:49:30.902543076 +0900
@@ -8,6 +8,9 @@
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
+-A INPUT -m state --state NEW -m udp -p udp --dport 953 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT提供されているパッケージは古いことが多いのでおすすめしない
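Review bot: The rule added for port 953 uses `-p udp`, but rndc talks to named over TCP, as the sentence above this diff itself says (953/tcp), so that rule never matches and a remote rndc stays blocked; it should read `-A INPUT -m state --state NEW -m tcp -p tcp --dport 953 -j ACCEPT`. The named.conf shown later on this page only has `controls { inet 127.0.0.1 allow { 127.0.0.1; } ... }`, so unless a remote control channel is actually planned, not opening 953 at all is the simpler and safer option. The two port-53 rules accept from any source, while the named.conf at the end of the page limits allow-query/allow-recursion to 192.168.1.0/24; adding `-s 192.168.1.0/24` to those rules keeps the firewall consistent with that policy. The rule file continues outside the hunk.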
$ yum install bind bind-chroot

コンパイルに必要なパッケージ類をインストール
# yum remove bind-libs
# yum groupinstall Development tools
# yum install gcc make perl-Net-DNS openssl-devel ntpdate

ソースをダウンロード、展開する（ftpは暗号化されていないため、展開前にISCが公開しているPGP署名(.asc)でアーカイブを検証する）
# curl -sO ftp://ftp.isc.org/isc/bind9/9.11.0-P2/bind-9.11.0-P2.tar.gz
# mv bind-9.11.0-P2.tar.gz /usr/local/src/
# cd /usr/local/src/
# tar zxf bind-9.11.0-P2.tar.gz
# cd /usr/local/src/bind-9.11.0-P2

configureを実行
# ./configure --prefix=/var/named
# make
# make install

インストール後確認
# /var/named/sbin/named -v
BIND 9.11.2 <id:0a2b929>

rndcを使用する場合は共有秘密鍵を作成
# /var/named/sbin/rndc status
rndc: neither /var/named/etc/rndc.conf nor /var/named/etc/rndc.key was found
# /var/named/sbin/rndc-confgen -a -b 512 -k rndc
wrote key file "/var/named/etc/rndc.key"

時間がかかる場合は乱数生成器の/dev/randomのエントロピー・プールが枯渇しているため、しばらく時間をおいてからリトライする
# cat /proc/sys/kernel/random/entropy_avail
4

鍵が作成されたことを確認
# ls -l /var/named/etc/rndc.key
-rw-------. 1 root root 137 9月 24 11:39 2017 /var/named/etc/rndc.key

named.confで鍵の読み込み、接続元IPアドレス等を設定すればrndcで接続可能
# /var/named/sbin/rndc status
version: BIND 9.11.2 <id:0a2b929>
running on ns01: Linux x86_64 2.6.32-696.10.2.el6.x86_64 #1 SMP Tue Sep 12 14:33:29 UTC 2017
boot time: Sun, 24 Sep 2017 02:47:16 GMT
last configured: Sun, 24 Sep 2017 02:47:24 GMT
configuration file: /var/named/etc/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 101 (98 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 0/150
server is up and running

named.confファイル
# cat named.conf
options {
directory "/var/named";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc"; };
};
include "etc/rndc.key";
zone "yusukew62.net" {
type master;
file "db.yusukew62.net";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "db.1.168.192.in-addr.arpa";
};

このnamed.confにはallow-transferの指定がないため、BIND 9.11のデフォルトでは任意のホストにゾーン転送を許可してしまう。`allow-transfer { 192.168.1.112; };` のようにセカンダリ(ns02)だけに限定する。

正引きゾーンファイル
# cat /var/named/db.yusukew62.net
$TTL 86400
yusukew62.net. IN SOA ns01.yusukew62.net. (
hostmaster.yusukew62.net. ;RNAME
2017092400 ;Serial
1h ;Refresh
15m ;Retry
30d ;Expire
1h ;Minimum
)
yusukew62.net. IN NS ns01.yusukew62.net.
yusukew62.net. IN NS ns02.yusukew62.net.
ns01.yusukew62.net. IN A 192.168.1.111
ns02.yusukew62.net. IN A 192.168.1.112
proxy01.yusukew62.net. IN A 192.168.1.62

@は現在のorigin(yusukew62.net)を示すので以下のように書き換え可能
# cat /var/named/db.yusukew62.net
$TTL 86400
@ IN SOA ns01 (
hostmaster ;RNAME
2017092400 ;Serial
1h ;Refresh
15m ;Retry
30d ;Expire
1h ;Minimum
)
IN NS ns01.yusukew62.net.
IN NS ns02.yusukew62.net.
ns01 IN A 192.168.1.111
ns02 IN A 192.168.1.112
proxy01 IN A 192.168.1.62

逆引きゾーンファイル
# cat /var/named/db.1.168.192.in-addr.arpa
$TTL 86400
@ IN SOA ns01 (
hostmaster
2017092400
1h
15m
30d
1h
)
IN NS ns01.yusukew62.net.
IN NS ns02.yusukew62.net.
111 IN PTR ns01.yusukew62.net.
112 IN PTR ns02.yusukew62.net.
62 IN PTR proxy01.yusukew62.net.

ゾーンファイルにエラーがあると読み込めないので注意
# cat /var/log/messages
Sep 24 03:59:54 ns01 named[2042]: zone yusukew62.net/IN: NS 'ns01.yusukew62.net' has no address records (A or AAAA)
Sep 24 03:59:54 ns01 named[2042]: zone yusukew62.net/IN: not loaded due to errors.

named.conf(セカンダリ側)
# cat /var/named/etc/named.conf
options {
directory "/var/named";
masterfile-format text;
};
zone "yusukew62.net" {
type slave;
masters { 192.168.1.111; };
file "bak.yusukew62.net";
};
zone "1.168.192.in-addr.arpa" {
type slave;
masters { 192.168.1.111; };
file "bak.1.168.192.in-addr.arpa";
};

ゾーン転送されたファイル
# cat /var/named/bak.yusukew62.net
$ORIGIN .
$TTL 86400 ; 1 day
yusukew62.net IN SOA ns01.yusukew62.net. hostmaster.yusukew62.net. (
2017092400 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
2592000 ; expire (4 weeks 2 days)
3600 ; minimum (1 hour)
)
NS ns01.yusukew62.net.
NS ns02.yusukew62.net.
$ORIGIN yusukew62.net.
ns01 A 192.168.1.111
ns02 A 192.168.1.112
proxy01 A 192.168.1.62

# cat bak.1.168.192.in-addr.arpa
$ORIGIN .
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA ns01.1.168.192.in-addr.arpa. hostmaster.1.168.192.in-addr.arpa. (
2017092400 ; serial
3600 ; refresh (1 hour)
900 ; retry (15 minutes)
2592000 ; expire (4 weeks 2 days)
3600 ; minimum (1 hour)
)
NS ns01.yusukew62.net.
NS ns02.yusukew62.net.
$ORIGIN 1.168.192.in-addr.arpa.
111 PTR ns01.yusukew62.net.
112 PTR ns02.yusukew62.net.
62 PTR proxy01.yusukew62.net.

hintファイルの取得
# wget https://www.internic.net/domain/named.root
# mv named.root /var/named/etc/
named.confの設定
# cat /etc/named.conf
options {
directory "/var/named";
allow-query {
127.0.0.1;
192.168.1.0/24;
};
allow-recursion {
127.0.0.1;
192.168.1.0/24;
};
allow-transfer {
127.0.0.1;
192.168.1.0/24;
};
forwarders {
192.168.1.1;
202.219.2.43;
202.248.130.123;
};
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
};
logging {
category lame-servers { null; };
};
include "/etc/rndc.key";
zone "yusukew62.net" IN {
type master;
file "yusukew62.net.db";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.in-addr.arpa.db";
allow-update { none; };
};

rndc.keyの設定
hmac-md5は非推奨のため、新しく鍵を作る場合はhmac-sha256を使う(rndc-confgen -A hmac-sha256)。secretは環境ごとに生成し、ここに載せた値をそのまま流用しない。
# cat /etc/rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "tJ7A5Vs+tr63J+fjtn1Eog==";
};

内部向けDNSサーバを設定する
# cat /etc/resolv.conf
# nameserver 8.8.8.8
# nameserver 8.8.4.4
nameserver 192.168.1.17

正引きゾーンファイル
# cat /var/named/chroot/var/named/yusukew62.net.db
$TTL 86400
@ IN SOA yusukew62.net. root.yusukew62.net.(
2017120201 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS yusukew62.net.
IN MX 10 mail.yusukew62.net.
@ IN A 192.168.1.17
www IN A 192.168.1.17
ftp IN A 192.168.1.17
mail IN A 192.168.1.17
openstack IN A 192.168.1.16
ns1 IN A 192.168.1.17
ns2 IN A 192.168.1.18
ns3 IN A 192.168.1.19
docker2 IN A 192.168.1.23
zabbix IN A 192.168.1.29
redmine IN A 192.168.1.31
docker IN A 192.168.1.34
jenkins IN A 192.168.1.48
zabbix3 IN A 192.168.1.51
postfix IN A 192.168.1.52
build IN A 192.168.1.61
proxy IN A 192.168.1.62
kibana IN A 192.168.1.63
test2 IN A 192.168.1.64
phpipam IN A 192.168.1.65
zabbix2 IN A 192.168.1.66

逆引きゾーンファイル
# cat /var/named/chroot/var/named/1.168.192.in-addr.arpa.db
$TTL 86400
@ IN SOA yusukew62.net. root.yusukew62.net.(
2017031901 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
;
IN NS yusukew62.net.
;
2 IN PTR yusukew62.net.
;
16 IN PTR openstack.yusukew62.net.
17 IN PTR ns1.yusukew62.net.
18 IN PTR ns2.yusukew62.net.
19 IN PTR ns3.yusukew62.net.
23 IN PTR docker2.yusukew62.net.
29 IN PTR zabbix.yusukew62.net.
31 IN PTR redmine.yusukew62.net.
34 IN PTR docker.yusukew62.net.
48 IN PTR jenkins.yusukew62.net.
51 IN PTR zabbix3.yusukew62.net.
52 IN PTR postfix.yusukew62.net.
61 IN PTR build.yusukew62.net.
62 IN PTR proxy.yusukew62.net.
63 IN PTR kibana.yusukew62.net.
64 IN PTR test2.yusukew62.net.
65 IN PTR phpipam.yusukew62.net.
66 IN PTR zabbix2.yusukew62.net.

動作確認
# nslookup 192.168.1.17
Server: 192.168.1.17
Address: 192.168.1.17#53
17.1.168.192.in-addr.arpa name = ns1.yusukew62.net.
# nslookup 192.168.1.62
Server: 192.168.1.17
Address: 192.168.1.17#53
62.1.168.192.in-addr.arpa name = proxy.yusukew62.net.