環境
- CentOS7
インストール
yum -y install bind bind-chroot
chroot化
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
最後の「on」で有効化できる。
※/usr/libexec/setup-named-chroot.sh /var/named/chroot off
とすれば無効化
systemd
systemctl enable named-chroot
systemctl disable named
systemctl mask named
chroot化した後は「named-chroot」を使用するので、「named」は使用できないようにする。※誤って「named」を起動してしまわないように、maskする。
設定 /etc/named.conf
- コンテンツサーバ・キャッシュサーバ兼用(以下の設定は内部向けDNSサーバ向け)
- 外部から参照されるDNSサーバ設定は「view external { }」部分
- ログは動作ごとに出力できる。参考まで
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
//
// Layout of this file: one ACL (my-network), global options, per-category
// logging, and a single active view ("internal"). A second view ("external")
// is present at the end but commented out.
// Trusted clients: the LAN and the loopback address. Referenced by
// allow-recursion, allow-query-cache and the "internal" view below, so this
// list is the one place that decides who may use this host as a resolver.
acl my-network {
10.0.0.0/24;
127.0.0.1;
};
options {
// Accept queries on every IPv4 address; IPv6 listening is disabled.
listen-on port 53 { any; };
listen-on-v6 port 53 { none; };
// Do not reveal the BIND release through version.bind (CH TXT).
version "unknown";
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
// Queries are allowed from anywhere at the options level, but recursion and
// cache access are limited to my-network. The only active view (below)
// matches localhost and my-network, and a client that matches no view is
// refused by named, so outside clients get no answer at all until the
// "external" view is enabled.
allow-query { any; };
allow-recursion { my-network; };
allow-query-cache { my-network; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursive resolver; allow-recursion above is the access control the
// comment above asks for.
recursion yes;
// NOTE(review): DNSSEC validation is off, so answers from upstream servers
// are accepted unverified, and the trust anchor pulled in via named.root.key
// in the view below is not used to validate anything while this stays "no".
// Consider "dnssec-enable yes; dnssec-validation auto;" once outbound
// resolution to the root servers is confirmed to work from this host.
dnssec-enable no;
dnssec-validation no;
/* Path to ISC DLV key */
// NOTE(review): the ISC DLV registry has been discontinued; this line is
// only carried over from the stock Red Hat configuration.
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
// The stock default_debug channel is left disabled; all output goes to the
// per-category files under /var/log/named instead.
//channel default_debug {
// file "data/named.run";
// severity dynamic;
//};
// Every channel below: one file, rotated at 10M with 5 generations kept,
// severity info and above, category/severity/timestamp prefixed on each line.
// NOTE(review): under named-chroot these paths resolve inside the chroot —
// confirm /var/log/named exists there and is writable by the named user.
channel query-log {
file "/var/log/named/query.log" versions 5 size 10M;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel resolver-log {
file "/var/log/named/resolver.log" versions 5 size 10M;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel xfer-log {
file "/var/log/named/xfer.log" versions 5 size 10M;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel default-log {
file "/var/log/named/default.log" versions 5 size 10M;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
// Per-query logging plus request approval/denial (security) and client
// events share one file; this is where refused or unexpected queries show up.
category queries { query-log; };
category security { query-log; };
category client { query-log; };
// Outbound lookups made on behalf of clients.
category resolver { resolver-log; };
// Zone transfer and NOTIFY traffic, inbound and outbound.
category notify { xfer-log; };
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
// Everything else, including categories not listed here.
category database { default-log; };
category config { default-log; };
category general { default-log; };
category default { default-log; };
// Lame-server noise is discarded.
category lame-servers { null; };
};
// The only active view: serves LAN and loopback clients both as a recursive
// resolver (root hints) and as master for the example.local forward zone
// and the 10.0.0.0/24 reverse zone.
view "internal" {
match-clients { localhost; my-network; };
match-destinations { localhost; my-network; };
// Root hints used for recursion.
zone "." IN {
type hint;
file "named.ca";
};
// Zone file names are relative to the "directory" option (/var/named).
zone "example.local" IN {
type master;
file "example.local.internal";
};
zone "0.0.10.in-addr.arpa" {
type master;
file "0.0.10.in-addr.arpa.rev.internal";
};
// Stock localhost/loopback zones and the root trust anchor.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
// Disabled: a non-recursive view for clients outside my-network. It holds no
// zones yet, so it would only make sense once public zones are added to it.
/*
view "external" {
match-clients { any; };
match-destinations { any; };
recursion no;
};
*/
zoneファイル
- /var/named/ 以下に配置
正引き 例
$TTL 300
$ORIGIN example.local.
; SOA: primary nameserver ns01.example.local., contact root@example.local
; (the first "." in the mailbox field stands for "@"). The serial appears to
; follow YYYYMMDDnn; bump it on every edit so secondaries pick up the change.
; The last field (86400) is the negative-caching TTL, while $TTL 300 is the
; default TTL for the records below.
@ IN SOA ns01.example.local. root.example.local. (
2018021801 ; serial
3600 ; refresh 1hr
900 ; retry 15min
604800 ; expire 1w
86400 ; min 24hr
)
; Blank owner name, inherited from the "@" of the SOA above. In the real file
; this line must begin with whitespace — the listing appears to have lost its
; leading indentation, and a line starting with "IN" would be parsed as a
; record whose owner name is "IN".
IN NS ns01
ns01 IN A 10.0.0.1
www IN A 10.0.0.2
逆引き 例
$TTL 300
; No $ORIGIN here: "@" and the relative owner names below take the zone name
; from named.conf (0.0.10.in-addr.arpa), so "1" is 1.0.0.10.in-addr.arpa,
; i.e. the reverse name of 10.0.0.1.
@ IN SOA ns01.example.local. root.example.local. (
2018021801 ; serial
3600 ; refresh 1hr
900 ; retry 15min
604800 ; expire 1w
86400 ; min 24hr
)
; Blank owner (inherits "@"); as in the forward zone, this line must start
; with whitespace in the real file.
IN NS ns01.example.local.
; PTR targets are absolute (trailing dot) so the reverse-zone origin is not
; appended to them.
1 IN PTR ns01.example.local.
2 IN PTR www.example.local.