
Building an internal DNS server on EC2

More than 5 years have passed since last update.
  • Set up a BIND server on EC2 to resolve internal domain names
    • On Linux you can simply edit /etc/hosts, but an iPhone cannot do that
    • dnsmasq is said to be easier, but reportedly cannot serve CNAME records

Environment tested

  • Non-VPC
  • Amazon Linux 64-bit
  • No domain registered with a registrar

Steps

  • Launch an EC2 instance

    • In the Security Group, open TCP 53, UDP 53 and TCP 953 (for DNS)
    • In the Security Group, open TCP 80 (for Apache)
  • Configure httpd

$ sudo yum update -y
$ sudo yum install httpd -y
$ echo "hogeee" | sudo tee /var/www/html/index.html
$ sudo /etc/init.d/httpd start
$ sudo chkconfig httpd on
$ curl http://[EC2 instance PublicIP]
hogeee
  • Install bind
$ sudo yum install bind -y
  • Configure bind's named.conf
$ sudo cp /etc/named.conf{,.org}
$ sudo vi /etc/named.conf
$ sudo cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; [EC2 instance PrivateIP]; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    //allow-query     { localhost; };
    allow-query     { any; };
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    forwarders {  8.8.8.8; 8.8.4.4; };
    forward only;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "example.com" IN {
  type master;
  file "master.example.com";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
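The options block above combines `allow-query { any; }` with `recursion yes` and no `allow-recursion`, and port 53 is open in the Security Group (the iPhone test at the end depends on reaching the server over its public IP). In BIND that combination makes the instance an open recursive resolver: it will recurse through the configured forwarders for any client on the internet, which is exactly what DNS amplification abuse looks for. (The TCP 953 rule is also unnecessary: with no `controls` statement, named only listens for rndc on the loopback address.) The following Python script is an added example and is not part of the original article. It parses a flat `options` block, decides whether the configuration is an open resolver using BIND's documented ACL precedence (`allow-recursion`, else `allow-query-cache`, else `allow-query`, else the built-in localhost/localnets default), and inserts an `allow-recursion` ACL limited to loopback plus the internal networks you pass in. The sample configuration and the 10.0.0.5 / 10.0.0.0/8 addresses are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the article's options block; 10.0.0.5 is a
# placeholder for the instance's private IP, not a real host.
SAMPLE_NAMED_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; 10.0.0.5; };
    listen-on-v6 port 53 { ::1; };
    directory   "/var/named";
    //allow-query     { localhost; };
    allow-query     { any; };
    recursion yes;

    forwarders {  8.8.8.8; 8.8.4.4; };
    forward only;
};
"""

_COMMENT = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
# keyword, then either a bare value or a { ...; ...; } list, then ';'
_STATEMENT = re.compile(r"([\w-]+)\s*([^;{]*(?:\{[^}]*\})?)\s*;")


def parse_options(conf: str) -> Dict[str, str]:
    """Return the statements of the top-level options block as keyword -> raw value."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if not m:
        raise ValueError("no options block found")
    body = _COMMENT.sub("", m.group(1))
    return {key: value.strip() for key, value in _STATEMENT.findall(body)}


def _is_any(acl: str) -> bool:
    return re.fullmatch(r"\{\s*any;\s*\}", acl) is not None


def is_open_resolver(opts: Dict[str, str]) -> bool:
    """True when the server will recurse for any client that can reach it.

    Follows BIND's precedence: allow-recursion, else allow-query-cache, else
    allow-query, else the built-in default of localhost and localnets.
    'recursion' itself defaults to yes when omitted.
    """
    if opts.get("recursion", "yes") != "yes":
        return False
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return _is_any(opts[key])
    return False  # built-in default is not world-open


def harden(conf: str, internal_networks: List[str]) -> str:
    """Insert an allow-recursion ACL (loopback + given networks) after 'recursion yes;'."""
    acl = " ".join(f"{n};" for n in ["localhost", *internal_networks])
    return re.sub(r"(recursion\s+yes;)",
                  rf"\1\n    allow-recursion {{ {acl} }};", conf, count=1)


if __name__ == "__main__":
    before = parse_options(SAMPLE_NAMED_CONF)
    print("open resolver:", is_open_resolver(before))  # True
    fixed = harden(SAMPLE_NAMED_CONF, ["10.0.0.0/8"])
    print(fixed)
    print("open resolver after hardening:",
          is_open_resolver(parse_options(fixed)))  # False
```

Keeping `allow-query { any; }` is fine for the authoritative example.com data; the added ACL only restricts who may use the server as a recursive resolver. After editing the real file, run `named-checkconf` and then `rndc reload` to apply it.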
  • Create the forward-lookup zone file
$ sudo vi /var/named/master.example.com
$ sudo cat /var/named/master.example.com
$TTL 43200
example.com.     IN      SOA    help.example.com. ns01.example.com. (
                            1 ; serial
                            21600      ; refresh (6 hours)
                            7200       ; retry (2 hours)
                            1209600    ; expire (2 weeks)
                            43200)      ; minimum (12 hours)

example.com.            NS      ns01.example.com.
ns01                    A       [EC2 instance PrivateIP]
www                     A       [EC2 instance PublicIP]
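The zone file is short enough to read by eye, but a small checker catches the mistakes that make a zone fail to load or resolve badly. The following Python script is an added example and is not part of the original article. It strips `;` comments, folds the parenthesised SOA continuation lines, applies `$TTL` and the origin to relative names, and then checks that the apex has exactly one SOA and at least one NS, that the serial is non-zero, that every in-zone name server has an A/AAAA record (glue), that A rdata are valid IPv4 addresses, and that the SOA MNAME names one of the zone's name servers. The embedded zone is a constructed copy of the article's file with 10.0.0.5 and 203.0.113.10 standing in for the private and public IP placeholders. Note the last check against the article's SOA: the first field after `SOA` is MNAME (the primary name server, conventionally `ns01.example.com.`) and the second is RNAME (the responsible mailbox, for example `hostmaster.example.com.`), so the checker reports a warning for `help.example.com.`; BIND still loads the zone as written.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterator, List

# Constructed copy of the article's zone; 10.0.0.5 and 203.0.113.10 are placeholders.
SAMPLE_ZONE = """\
$TTL 43200
example.com.     IN      SOA    help.example.com. ns01.example.com. (
                            1 ; serial
                            21600      ; refresh (6 hours)
                            7200       ; retry (2 hours)
                            1209600    ; expire (2 weeks)
                            43200)      ; minimum (12 hours)

example.com.            NS      ns01.example.com.
ns01                    A       10.0.0.5
www                     A       203.0.113.10
"""

CLASSES = {"IN", "CH", "HS"}


@dataclass
class Record:
    owner: str       # fully qualified, trailing dot
    ttl: int
    rtype: str
    rdata: List[str]


def _logical_lines(text: str) -> Iterator[str]:
    """Drop ';' comments and fold '( ... )' continuations into single lines."""
    buf, depth = [], 0
    for raw in text.splitlines():
        code = raw.split(";", 1)[0]
        depth += code.count("(") - code.count(")")
        buf.append(code.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined, buf = " ".join(buf).strip(), []
            if joined:
                yield joined


def parse_zone(text: str, origin: str) -> List[Record]:
    """Minimal master-file parser: $TTL, owner [ttl] [class] type rdata..."""
    default_ttl, records = 0, []
    for line in _logical_lines(text):
        tok = line.split()
        if tok[0] == "$TTL":
            default_ttl = int(tok[1])
            continue
        if tok[0].startswith("$"):
            continue  # other directives are not needed for this zone
        owner = tok[0] if tok[0].endswith(".") else f"{tok[0]}.{origin}"
        i, ttl = 1, default_ttl
        if tok[i].isdigit():
            ttl, i = int(tok[i]), i + 1
        if tok[i].upper() in CLASSES:
            i += 1
        records.append(Record(owner, ttl, tok[i].upper(), tok[i + 1:]))
    return records


def lint_zone(records: List[Record], origin: str) -> List[str]:
    """Return human-readable problems; an empty list means the zone looks sane."""
    problems = []
    soa = [r for r in records if r.rtype == "SOA" and r.owner == origin]
    if len(soa) != 1:
        problems.append(f"expected exactly one SOA at {origin}, found {len(soa)}")
    elif int(soa[0].rdata[2]) == 0:
        problems.append("SOA serial is 0; secondaries will never see an update")
    ns_targets = {r.rdata[0] for r in records if r.rtype == "NS" and r.owner == origin}
    if not ns_targets:
        problems.append(f"no NS record at {origin}")
    addressed = {r.owner for r in records if r.rtype in ("A", "AAAA")}
    for ns in sorted(ns_targets):
        in_zone = ns == origin or ns.endswith("." + origin)
        if in_zone and ns not in addressed:
            problems.append(f"in-zone name server {ns} has no A/AAAA record (missing glue)")
    if soa and soa[0].rdata[0] not in ns_targets:
        problems.append(f"SOA MNAME {soa[0].rdata[0]} is not one of the zone's NS names")
    for r in records:
        if r.rtype == "A":
            try:
                ipaddress.IPv4Address(r.rdata[0])
            except ValueError:
                problems.append(f"{r.owner} A has invalid address {r.rdata[0]!r}")
    return problems


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.com.")
    for p in lint_zone(recs, "example.com."):
        print("WARN:", p)
```

BIND ships its own checker for the real file: `named-checkzone example.com /var/named/master.example.com` reports syntax errors and missing glue before you start named, and it is worth running after every edit, together with bumping the SOA serial.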
  • Start bind
$ sudo /etc/init.d/named start
$ sudo chkconfig named on
  • Configure resolv.conf
    • ※ If the instance is rebooted as is, this change is lost
    • ※ From this EC2 instance, access to EC2 Public DNS names will go over the public IP (normally it goes over the private IP)
$ sudo cp /etc/resolv.conf{,.org}
$ sudo vi /etc/resolv.conf
$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ap-northeast-1.compute.internal
nameserver 127.0.0.1
  • Prevent resolv.conf from being overwritten at boot
$ sudo vi /etc/sysconfig/network-scripts/ifcfg-eth0
# => set PEERDNS=no
  • Verify on the EC2 instance running bind
$ host ns01.example.com
ns01.example.com has address [EC2 instance PrivateIP]
  • Verify from another EC2 instance
$ sudo cp /etc/resolv.conf{,.org}
$ sudo vi /etc/resolv.conf
$ cat /etc/resolv.conf
; generated by /sbin/dhclient-script
search ap-northeast-1.compute.internal
nameserver [DNS server PrivateIP]

$ host www.example.com
www.example.com has address [the configured IP]

$ curl www.example.com
hogeee
  • Verify from an iPhone
    • In the Wi-Fi settings, set DNS to [DNS server PublicIP] and connect to Wi-Fi => open www.example.com in Safari
    • => "hogeee" is displayed
