◻️ Personal notes on building a bind server
Current status: confirmed working up to nslookup without problems.
◻️ Installation
yum -y install bind bind-chroot bind-utils
◻️ firewall
Be sure to open port 53 for both inbound and outbound traffic!!
◻️ Config files
/etc/named.conf
/etc/named/named.digihide.local.lan.zone
/etc/named/named.digihide.local.wan.zone
/var/named/1.168.192.in-addr.arpa.db
/var/named/192.168.1.224.in-addr.arpa.wan.db
/var/named/digihide.local.wan.db
/var/named/digihide.local.lan.db
The red text (the local IP address) can be replaced with a global IP address.
● Add an acl so that recursive queries from outside are refused.
Local IP: 192.168.1.224
Domain name: digihide.local
===================/etc/named.conf================================
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

// Networks that may use this server as a recursive resolver. Defined by name
// so it can be referenced from the address lists below; on a single
// 192.168.1.0/24 interface it covers the same range as "localnets".
acl my-network {
    192.168.1.0/24;
    localhost;
};

options {
    // listen-on port 53 { any; };
    // listen-on-v6 port 53 { ::1; };
    version "unknown";                                  // hide the BIND version string
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-transfer { none; };                           // no zone transfers unless a zone overrides this
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };          // recursion only for internal clients
    allow-query-cache { localhost; localnets; };        // cache answers only for internal clients
    forwarders { 202.238.95.24; };
    recursion yes;
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

// Internal view: LAN clients get the LAN zone data plus recursion via the root hints.
view "internal" {
    match-clients { localnets; };
    match-destinations { localnets; };
    zone "." IN {
        type hint;
        file "named.ca";
    };
    //include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
    include "/etc/named/named.digihide.local.lan.zone";
};

// External view: everyone else gets only the authoritative WAN zone data
// (recursion is still limited by the global allow-recursion list above).
view "external" {
    match-clients { any; };
    match-destinations { any; };
    include "/etc/named/named.digihide.local.wan.zone";
};
=====================================================================================
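As an added example (not part of the memo), a small Python checker for the risk the acl above is meant to prevent: a view that matches any client while recursion is also allowed for any client, i.e. an open resolver, plus an unrestricted allow-transfer. The named.conf text inside it is constructed to mirror the layout above, with the external view deliberately weakened in one copy.

```python
import re

# Constructed named.conf excerpt mirroring the memo's layout: global address
# lists in options, an internal view and an external view. This copy
# deliberately opens recursion in the external view so the check has
# something to flag.
WEAK_CONF = """
options {
    allow-transfer { none; };
    allow-query { localhost; localnets; };
    allow-recursion { localhost; localnets; };
    recursion yes;
};
view "internal" { match-clients { localnets; }; };
view "external" { match-clients { any; }; allow-recursion { any; }; };
"""
# Same file without the per-view override: the external view then inherits
# the global allow-recursion list, as in the memo's configuration.
FIXED_CONF = WEAK_CONF.replace(" allow-recursion { any; };", "")

def _block(text, header, start=0):
    """Find `header {` and return (match, body between matching braces, end index)."""
    m = re.compile(header).search(text, start)
    if not m:
        return None
    depth = 0
    for j in range(m.end() - 1, len(text)):          # m.end()-1 is the opening brace
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return m, text[m.end():j], j + 1
    raise ValueError("unbalanced braces in named.conf")

def _members(body, stmt):
    """Address-list members of `stmt { a; b; };`, or None if the statement is absent."""
    m = re.search(r"\b" + re.escape(stmt) + r"\s*\{([^}]*)\}", body)
    return None if not m else [t.strip() for t in m.group(1).split(";") if t.strip()]

def audit(conf):
    """Return open-resolver / open-transfer findings; an empty list means clean."""
    opts = _block(conf, r"\boptions\s*\{")
    gbody = opts[1] if opts else ""
    findings = []
    if re.search(r"\brecursion\s+yes\s*;", gbody):   # recursion is on: check every view
        pos = 0
        while (v := _block(conf, r'\bview\s+"([^"]+)"\s*\{', pos)):
            m, body, pos = v
            clients = _members(body, "match-clients") or ["any"]        # BIND default
            rec = (_members(body, "allow-recursion")                      # view override
                   or _members(gbody, "allow-recursion") or ["localhost", "localnets"])
            if "any" in clients and "any" in rec:
                findings.append(f'view "{m.group(1)}": recursion open to any client')
    if "any" in (_members(gbody, "allow-transfer") or ["any"]):          # BIND default
        findings.append("options: allow-transfer is open (zone contents enumerable)")
    return findings
```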
vi /etc/named/named.digihide.local.lan.zone
=================================================================
zone "digihide.local" {
    type master;
    file "digihide.local.lan.db";
};
// reverse zone for 192.168.1.0/24: network octets in reverse order
zone "1.168.192.in-addr.arpa" {
    type master;
    file "1.168.192.in-addr.arpa.db";
};
================================================================
vi /etc/named/named.digihide.local.wan.zone
================================================================
zone "digihide.local" {
    type master;
    file "digihide.local.wan.db";
    allow-query { any; };
};
// reverse zone name is the network octets reversed (1.168.192 for 192.168.1.0/24);
// a zone named after the full host address would never match a PTR query
zone "1.168.192.in-addr.arpa" {
    type master;
    file "192.168.1.224.in-addr.arpa.wan.db";
    allow-query { any; };
    allow-transfer {
        XXX.XXX.XXX.XX;   // add the IP address of the secondary name server this zone is transferred to
    };
    notify yes;           // push changes to the secondary above immediately whenever this zone changes
};
=================================================================
The red text (the local IP address) can be replaced with a global IP address.
<zone db files>
vi /var/named/digihide.local.lan.db
=================================================================
$TTL 86400
@   IN SOA digihide.local. root.digihide.local. (
        2011062001 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@   IN NS  ns1.digihide.local.
@   IN MX  10 mail.digihide.local.
@   IN A   192.168.1.224
ns1 IN A   192.168.1.224   ; explicit address for the name server (the wildcard would also match, but keep it explicit)
*   IN A   192.168.1.224
=================================================================
Note: mail.digihide.local. must match the hostname written in postfix's /etc/postfix/main.cf!
Example: myhostname = mail.digihide.local
vi /var/named/1.168.192.in-addr.arpa.db
================================================================
$TTL 86400
@   IN SOA digihide.local. root.digihide.local. (
        2011062001 ; Serial
        28800      ; Refresh
        14400      ; Retry
        3600000    ; Expire
        86400 )    ; Minimum
@   IN NS  ns1.digihide.local.
224 IN PTR digihide.local.
================================================================
vi /var/named/digihide.local.wan.db
================================================================
$TTL 86400
@    IN SOA digihide.local. root.digihide.local. (
        2011062001 ; Serial
        7200       ; Refresh
        7200       ; Retry
        2419200    ; Expire
        86400 )    ; Minimum
@    IN NS  ns1.digihide.local.
@    IN MX  10 mail.digihide.local.
ns1  IN A   192.168.1.224
@    IN A   192.168.1.224
www  IN A   192.168.1.224
ftp  IN A   192.168.1.224
mail IN A   192.168.1.224
digihide.local. IN TXT "v=spf1 ip4:192.168.1.224 ~all"   ; SPF record: anti-spoofing measure for the postfix side
===============================================================
The red text (the local IP address) can be replaced with a global IP address.
Note: mail.digihide.local. must match the hostname written in postfix's /etc/postfix/main.cf!
Example: myhostname = mail.digihide.local
vi /var/named/192.168.1.224.in-addr.arpa.wan.db
===============================================================
$TTL 86400
@   IN SOA digihide.local. root.digihide.local. (
        2017012901 ; Serial
        7200       ; Refresh
        7200       ; Retry
        2419200    ; Expire
        86400 )    ; Minimum
@   IN NS  ns1.digihide.local.
224 IN PTR digihide.local.
================================================================
The red text (the local IP address) can be replaced with a global IP address.
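The reverse zones above only answer if the zone name is the network part of the address with its octets reversed and the PTR owner is the remaining host part. As an added example (not from the memo), this Python helper derives both from an address and checks whether a given owner/zone pair is what a reverse lookup actually queries; it generalises to /8 and /16 zones as well.

```python
import ipaddress

def reverse_zone(network: str) -> str:
    """in-addr.arpa zone name for an IPv4 network on an octet boundary
    (192.168.1.0/24 -> 1.168.192.in-addr.arpa)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("need an IPv4 network with a /8, /16 or /24 prefix")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"

def ptr_owner(ip: str, zone: str) -> str:
    """Relative owner name of the PTR record for `ip` inside `zone`
    ('224' for 192.168.1.224 in 1.168.192.in-addr.arpa)."""
    fqdn = ipaddress.ip_address(ip).reverse_pointer   # 224.1.168.192.in-addr.arpa
    suffix = "." + zone
    if not fqdn.endswith(suffix):
        raise ValueError(f"{ip} does not fall inside zone {zone}")
    return fqdn[: -len(suffix)]

def ptr_answers(owner: str, zone: str, ip: str) -> bool:
    """True if `owner IN PTR ...` in `zone` is the name a reverse lookup of `ip` asks for."""
    return f"{owner}.{zone}" == ipaddress.ip_address(ip).reverse_pointer
```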
◻️ resolv.conf settings
Edit the file as follows.
vi /etc/resolv.conf
===================
search digihide.local
nameserver 192.168.1.224
===================
Unless the nameserver entry points at the local IP, internal name resolution did not work,
so for now set it as above!!
◻️ Summary
The setup above runs a caching resolver and an authoritative (content) server as one hybrid,
which is questionable security-wise; in hindsight it would be better to run them separately.