

AWS上にBINDでDNSサーバ構築(キャッシュサーバ、権威サーバ)

Posted at 2017-08-07

Amazon Linux上にBINDでキャッシュサーバと権威サーバのそれぞれのシンプルな動作手順をメモします。キャッシュサーバ、権威サーバのそれぞれのサーバについて、最初に入力するコマンドの流れを書いて、後に各設定ファイルの内容を書いていきます。セキュリティについては各自の責任で注意をお願いします。特に本記事のキャッシュサーバ設定は allow-query / allow-query-cache を any にしたまま recursion yes にしているため、公開IPを持つEC2にそのまま適用するとインターネット上の誰でも再帰問い合わせに使えるオープンリゾルバになります(DNS増幅攻撃の反射元やキャッシュポイズニングの標的になります)。再帰を許可する範囲はVPC内などに限定し、セキュリティグループでも53番ポートの公開範囲を絞ってください。

キャッシュサーバ 構築

$ sudo su
# yum install -y bind
# vim /etc/named.conf
# named-checkconf /etc/named.conf
# vim /etc/sysconfig/network-scripts/ifcfg-eth0
# vim /etc/resolv.conf
# service named start

named.conf

listen-on port 53 { 127.0.0.1; }; から listen-on port 53 { 127.0.0.1; any; }; へ変更(any は 127.0.0.1 を含むので { any; } だけで同じ意味)
allow-query { localhost; }; から allow-query { localhost; any; }; へ変更
allow-query-cache { localhost; any; }; を追加
注意: recursion yes のまま allow-query-cache を any にすると、このサーバはインターネット上の任意のホストから再帰問い合わせを受け付けるオープンリゾルバになる。VPC内のクライアントだけに応答させたい場合は、代わりに allow-recursion { localhost; localnets; }; と allow-query-cache { localhost; localnets; }; のように問い合わせ元を限定し、セキュリティグループでも 53/udp,tcp を 0.0.0.0/0 に開けないこと。

named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

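options {
        // "any" already includes 127.0.0.1, so listing both is redundant.
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // Who this resolver serves.  The original { localhost; any; } on all
        // three of these, combined with "recursion yes" on a public EC2
        // address, made an open resolver: usable by anyone on the Internet as
        // a DNS-amplification reflector and as a cache-poisoning target.
        // Restrict service to the host itself and the subnet(s) it has an
        // interface on (localnets); add further VPC prefixes (for example
        // 172.31.0.0/16) or an acl for other clients.  Queries from anywhere
        // else get REFUSED instead of being resolved, so the article's dig
        // against the public IP from outside the VPC no longer returns an
        // answer unless that client address is listed here.  Also keep
        // 53/udp+tcp closed to 0.0.0.0/0 in the security group.
        allow-query        { localhost; localnets; };
        allow-recursion    { localhost; localnets; };
        allow-query-cache  { localhost; localnets; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        // NOTE(review): ISC DLV was decommissioned in 2017; the key file is
        // harmless but no longer contributes anything to validation.
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};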

logging {
        // Shipped default: one debug channel written under "directory"
        // (/var/named/data/named.run); "severity dynamic" follows the
        // server's current debug level (rndc trace / -d), so it is quiet
        // in normal operation.  Query logging is not enabled — add a
        // channel for the "queries" category if an audit trail of who
        // asked what is wanted.
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

# service named restart
# chkconfig named on
# chkconfig --list named
(サービス名は bind ではなく named。設定変更後は restart で反映し、再起動後も自動起動するよう chkconfig named on を実行しておく)

ifcfg-eth0

DNS1=172.31.47.1 を追加(このインスタンスのプライベートIP)。ifcfg-eth0 で initscripts が認識するキーは DNS1(2台目は DNS2)であり、DNS= と書いても読み込まれない。

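# /etc/sysconfig/network-scripts/ifcfg-eth0 — DHCP-managed primary interface
# of the Amazon Linux instance that runs the caching named.
DEVICE=eth0
BOOTPROTO=dhcp
ONBOOT=yes
TYPE=Ethernet
USERCTL=yes
# PEERDNS=yes: dhclient-script rewrites /etc/resolv.conf on every lease
# renewal and at boot, so hand edits to resolv.conf do not survive; the
# resolver must be declared here instead.
PEERDNS=yes
DHCPV6C=yes
DHCPV6C_OPTIONS=-nw
PERSISTENT_DHCLIENT=yes
RES_OPTIONS="timeout:2 attempts:5"
DHCP_ARP_CHECK=no
# The key initscripts recognises is DNS1 (then DNS2, DNS3), not DNS — the
# original "DNS=" line was silently ignored.  172.31.47.1 is this instance's
# own private IP, i.e. the local named.  With a single nameserver the host
# loses all name resolution whenever named is down; consider listing the VPC
# resolver (typically the VPC base address + 2, e.g. 172.31.0.2) as DNS2.
# NOTE(review): confirm on this initscripts version whether DNS1/DNS2
# replace or are prepended to the DHCP-supplied servers.
DNS1=172.31.47.1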

resolv.conf

nameserver 172.31.47.1 のように、ネームサーバのIPを Amazon Linux 起動時に割り振られたプライベートIPに変更する。ただし ifcfg-eth0 が PEERDNS=yes のため、このファイルは dhclient-script がリース更新や再起動のたびに再生成し、手で書いた内容は消える。恒久的に設定するには ifcfg-eth0 の DNS1= で指定する(または PEERDNS=no にする)。また nameserver が自ホストの named だけになるため、named が停止すると自ホストの名前解決ができなくなる点に注意。

resolv.conf
; generated by /sbin/dhclient-script
; NOTE(review): ifcfg-eth0 has PEERDNS=yes, so dhclient-script rewrites this
; file on each lease renewal and at boot; set the nameserver via DNS1= in
; ifcfg-eth0 rather than editing here.  Only the local named is listed —
; if it stops, this host has no working DNS at all.
search us-west-2.compute.internal
options timeout:2 attempts:5
nameserver 172.31.47.1

ローカル(ここでは手元の macOS クライアント)のDNSキャッシュを削除してから、EC2 の公開IP宛てに再帰問い合わせを投げて検証する。応答のフラグに ra が立ち ANSWER が返れば動作確認は完了だが、それは同時に「インターネット上の任意のホストから再帰問い合わせを受け付けるオープンリゾルバになっている」ことの証明でもある。意図したクライアント(VPC内など)以外からの問い合わせには応答しないよう、named.conf の allow-recursion / allow-query-cache で問い合わせ元を限定し、セキュリティグループでも 53/udp,tcp の公開範囲を絞っておくこと。その場合、VPC 外からのこの dig は REFUSED になるのが正しい挙動である。

$ dscacheutil -flushcache
$ dig @35.165.154.140 google.com

; <<>> DiG 9.8.3-P1 <<>> @35.165.154.140 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51142
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     274 IN  A   216.58.193.78

;; AUTHORITY SECTION:
google.com.     172774  IN  NS  ns1.google.com.
google.com.     172774  IN  NS  ns3.google.com.
google.com.     172774  IN  NS  ns2.google.com.
google.com.     172774  IN  NS  ns4.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.     172774  IN  A   216.239.34.10
ns1.google.com.     172774  IN  A   216.239.32.10
ns3.google.com.     172774  IN  A   216.239.36.10
ns4.google.com.     172774  IN  A   216.239.38.10

;; Query time: 151 msec
;; SERVER: 35.165.154.140#53(35.165.154.140)
;; WHEN: Sun Aug  6 19:55:38 2017
;; MSG SIZE  rcvd: 180

権威サーバ 構築

ドメイン名はRoute53で登録したものを使用しています。

$ sudo su
# yum install -y bind
# vim /etc/named.conf
# rndc-confgen -a
# named-checkconf /etc/named.conf
# vim /etc/dns.hayashier.com.zone
# named-checkzone dns.hayashier.com /etc/dns.hayashier.com.zone
# vim /etc/sysconfig/named
# service named start

named.conf

pid-file "/var/run/named/named.pid";
allow-transfer { none; };
を追加。
recursion yes; から recursion no;へ変更

named.conf
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        // Loopback only: no outside resolver can reach this server in this
        // state, so it is only testable with "dig @localhost" as the article
        // does.  To actually serve the zone, change listen-on and allow-query
        // to { any; } (and open 53/udp+tcp in the security group) while
        // keeping "recursion no" and "allow-transfer { none; }" below.
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        // Authoritative-only: never resolve on behalf of clients.  This is
        // what keeps a public authoritative server from being an open
        // resolver.
        recursion no;

        // Validation happens during recursion; with recursion off these two
        // are effectively unused but harmless.
        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/var/run/named/named.pid";
        // No secondaries are configured, so refuse AXFR/IXFR from everyone;
        // an open transfer would hand the whole zone to anyone who asks.
        allow-transfer { none; };
};

logging {
        // Shipped default debug channel under "directory"
        // (/var/named/data/named.run).  "severity dynamic" tracks the
        // server's current debug level, so nothing is written unless
        // debugging is turned on.  No query logging is configured.
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "dns.hayashier.com" {
        type master;
        file "/etc/dns.hayashier.com.zone";
};

include "/etc/rndc.key";

// rndc control channel: bound to loopback only, and every command must be
// signed with rndc-key (read from /etc/rndc.key, which rndc-confgen -a
// generated).  Keep that key file readable only by root and the named user —
// anyone who can read it can reload, flush or stop the server.
controls {
      inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndc-key"; };
};


include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

/etc/dns.hayashier.com.zone

dns.hayashier.com.zone
$ORIGIN dns.hayashier.com.
$TTL 900
; NOTE(review): the SOA MNAME ns.dns.hayashier.com. names a host that has no
; NS or A record in this zone, and the only NS below appears to be a Route 53
; name server rather than this BIND host — confirm which server is really
; meant to be primary before publishing.
; NOTE(review): this listing carries serial 2017080701, but the verification
; dig later in the article returned 2017080702, so the listing is probably
; one edit behind.  Bump the serial on every change or caches and any
; secondaries will keep the old data.
; RNAME sample.dns.hayashier.com. is the zone contact (sample@dns.hayashier.com).
@      IN          SOA   ns.dns.hayashier.com. sample.dns.hayashier.com. (
                        2017080701         ; Serial
                        3600               ; Refresh
                        900                ; Retry
                        1814400            ; Expire
                        900 )              ; Minimum
       IN          NS   ns-1092.awsdns-08.org.
       IN          A    52.43.178.10

/etc/sysconfig/named

OPTIONS="-4"を追加

# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot"  --  will run named in a chroot environment.
#                            you must set up the chroot environment
#                            (install the bind-chroot package) before
#                            doing this.
#       NOTE:
#         Those directories are automatically mounted to chroot if they are
#         empty in the ROOTDIR directory. It will simplify maintenance of your
#         chroot environment.
#          - /var/named
#          - /etc/pki/dnssec-keys
#          - /etc/named
#          - /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#         Those files are mounted as well if target file doesn't exist in
#         chroot.
#          - /etc/named.conf
#          - /etc/rndc.conf
#          - /etc/rndc.key
#          - /etc/named.rfc1912.zones
#          - /etc/named.dnssec.keys
#          - /etc/named.iscdlv.key
#
#       Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log"
#       line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#       broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"     --  These additional options will be passed to named
#                            at startup. Don't add -t here, use ROOTDIR instead.
#
# KEYTAB_FILE="/dir/file"    --  Specify named service keytab file (for GSS-TSIG)
#
# DISABLE_ZONE_CHECKING  -- By default, initscript calls named-checkzone
#                           utility for every zone to ensure all zones are
#                           valid before named starts. If you set this option
#                           to 'yes' then initscript doesn't perform those
#                           checks.

OPTIONS="-4"

検証

$ dig @localhost dns.hayashier.com. ANY

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.56.amzn1 <<>> @localhost dns.hayashier.com. ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37038
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dns.hayashier.com.     IN  ANY

;; ANSWER SECTION:
dns.hayashier.com.  900 IN  SOA ns.dns.hayashier.com. sample.dns.hayashier.com. 2017080702 3600 900 1814400 900
dns.hayashier.com.  900 IN  NS  ns-1092.awsdns-08.org.
dns.hayashier.com.  900 IN  A   52.43.178.10

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Aug  6 15:12:53 2017
;; MSG SIZE  rcvd: 132

参考資料

https://www.tecmint.com/install-configure-cache-only-dns-server-in-rhel-centos-7/
http://www.atmarkit.co.jp/ait/articles/1502/10/news010.html
