ArchLinux – 建立 DNS Server Chroot 環境

ArchLinux 似乎不像 CentOS Linux 那樣,為 Bind DNS Server 直接提供 DNS Server Chroot (bind-chroot) 的套件來方便設定,所以要用手動的方式來設定。
在 CentOS
# yum list | grep bind-chroot | awk '{print $1}'
bind-chroot.x86_64

底下文章參考:
How to install and set-up Slave Named (BIND) DNS server in ArchLinux | Stavrovski.Net

設定 DNS Chroot 的目錄
# CHROOT=/var/named/chroot
# 建立 chroot 目錄
# mkdir -p "${CHROOT}"/{dev,etc} "${CHROOT}"/var/{run,log,named,tmp}
# mkdir -p "${CHROOT}"/usr/lib/bind "${CHROOT}"/usr/lib/engines

建立 character devices
# mknod "${CHROOT}"/dev/null c 1 3
# mknod "${CHROOT}"/dev/random c 1 8

複製 /usr/lib/engines/libgost.so 到 /var/named/chroot/usr/lib/engines/
# cp /usr/lib/engines/libgost.so "${CHROOT}"/usr/lib/engines/

更改目錄權限
# chown root:named "${CHROOT}"
# chmod 750 "${CHROOT}"
# chown -R named: "${CHROOT}"/var/named/
# chown named: "${CHROOT}"/var/{run,log}
# chmod 666 "${CHROOT}"/dev/{null,random}

搬移原有的設定檔到 chroot 目錄
# mv /etc/named.conf "${CHROOT}"/etc/
# mv /etc/rndc.key "${CHROOT}"/etc/
# mv /var/named/{root.hint,127.0.0.zone,localhost.zone,db.1.168.192,db.tces.ilc.edu.tw} "${CHROOT}"/var/named/

建立 /var/named/chroot/etc/named.conf 的連結到 /etc 目錄之下 (rndc.key 也已經搬進 chroot,而 rndc 是在 chroot 之外執行,建議也用同樣方式建立 /etc/rndc.key 的連結,否則 rndc reload/stop 可能找不到金鑰)
# ln -s "${CHROOT}"/etc/named.conf /etc/

設定目錄的權限
# chown -R named: "${CHROOT}"/var/named/

在 /etc/systemd/system 目錄下建立 named.service 啟動檔
# vim /etc/systemd/system/named.service

# /etc/systemd/system/named.service — runs BIND chrooted under /var/named/chroot.
[Unit]
Description=Internet domain name server
After=network.target

[Service]
# -f keeps named in the foreground so systemd can supervise it directly (the
# unit relies on the default Type=simple); -u drops privileges to the named
# user and -t chroots into the directory prepared above.
ExecStart=/usr/bin/named -f -u named -t /var/named/chroot
# rndc runs outside the chroot and looks for its key under /etc, but
# /etc/rndc.key was moved into the chroot earlier and only named.conf was
# linked back — NOTE(review): confirm rndc can still reach its key, otherwise
# reload/stop will fail.
ExecReload=/usr/bin/rndc reload
ExecStop=/usr/bin/rndc stop

[Install]
WantedBy=multi-user.target

關閉原有的 DNS Server,並啟動 chroot DNS Server
# systemctl stop named
# systemctl disable named
Removed symlink /etc/systemd/system/multi-user.target.wants/named.service.
# systemctl start named.service
# systemctl enable named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /etc/systemd/system/named.service.

檢查 DNS Server 是否有正常啟動
# netstat -ant | grep :.*53
tcp        0      0 192.168.1.106:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN

測試
# host free.test.ilc.edu.tw
free.test.ilc.edu.tw has address 192.168.1.6

# host 192.168.1.6
6.1.168.192.in-addr.arpa domain name pointer free.test.ilc.edu.tw.

ArchLinux – 架設 DNS Server

參考網站:
Linux Pi的奇幻旅程(28)-DNS – iT邦幫忙::IT知識分享社群
BIND – ArchWiki
How to setup a DNS server master / slave with BIND
How to install and set-up Slave Named (BIND) DNS server in ArchLinux | Stavrovski.Net

安裝 bind 及 dnsutils 套件
# pacman -S bind dnsutils

備份設定檔
# cp /etc/named.conf /etc/named.conf.$(date +%F)
修改設定檔 /etc/named.conf
# vim /etc/named.conf
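//
// /etc/named.conf
//
// NOTE: string values must be enclosed in straight ASCII double quotes ("...");
// typographic quotes (“ ”) are a syntax error for named / named-checkconf.

options {
        directory "/var/named";
        pid-file "/run/named/named.pid";
        auth-nxdomain yes;
        datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
//      listen-on-v6 { any; };
// Add this for no IPv4:
//      listen-on { none; };

        // Default security settings: recursive lookups only for the local
        // host, and no zone transfers or dynamic updates unless a zone
        // statement below overrides these.
        allow-recursion { 127.0.0.1; };
        allow-transfer { none; };
        allow-update { none; };
        // Do not disclose the software version or host identity to
        // version.bind / hostname.bind / id.server queries.
        version none;
        hostname none;
        server-id none;
};

// The two localhost zones override the global allow-transfer { none; }.
// They carry no sensitive data, but "none" would match the other zones.
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-transfer { any; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "127.0.0.zone";
        allow-transfer { any; };
};

// Root hints, used when recursing on behalf of the allowed clients.
zone "." IN {
        type hint;
        file "root.hint";
};

// Forward zone; the global allow-transfer { none; } applies here.
zone "test.ilc.edu.tw" IN {
        type master;
        file "test.ilc.edu.tw.zone";
        allow-update { none; };
};

// Reverse zone for 192.168.1.0/24.
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.zone";
        allow-update { none; };
};

//zone "example.org" IN {
//      type slave;
//      file "example.zone";
//      masters {
//              192.168.1.100;
//      };
//      allow-query { any; };
//      allow-transfer { any; };
//};

logging {
        // Absolute path, so it is not relative to "directory"; the file must
        // exist and be writable by the named user (see the touch/chown steps
        // below).
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};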

# 設定權限
# chown -R root:named /var/named

建立 log 檔
# touch /var/log/named.log

更改檔案擁有者及群組
# chown named:named /var/log/named.log

啟動 DNS Server
# systemctl start named

設定開機時啟動 DNS Server
# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.

DNS Server 192.168.1.106
# cat /etc/resolv.conf
nameserver 192.168.1.106

測試
# host free.test.ilc.edu.tw
free.test.ilc.edu.tw has address 192.168.1.6

# host 192.168.1.6
6.1.168.192.in-addr.arpa domain name pointer free.test.ilc.edu.tw.

防火牆上的設定 (此處只開放 UDP 53;zone transfer 以及較大的回應會改用 TCP 53,需要時再另外開放)
# iptables -A INPUT -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT

在 CentOS 6.x 上架設 DNS Server

因為最近打算把原本的 DNS Server 移到別台機器上,順便把系統和軟體做一下升級。所以先在 VM 中做一下測試及練習。
底下是安裝及設定步驟:

1. 安裝 DNS Server 軟體 bind
# yum install bind* -y

2. 修改設定檔
# vim /etc/named.conf

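//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// NOTE: string values must use straight ASCII double quotes ("..."); the
// typographic quotes that word processors insert are rejected by named-checkconf.
//
options {
        listen-on port 53 { 127.0.0.1; 192.168.154.167; };                     ## Master DNS IP ##
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Only localhost and the local subnet may query at all. Because
        // recursion is enabled below, this list is also what keeps the server
        // from acting as an open recursive resolver; an explicit
        // allow-recursion with the same list would state that intent directly.
        allow-query     { localhost; 192.168.154.0/24; };                      ## IP Range ##
        // Zone transfers only to the slave, never to arbitrary clients.
        allow-transfer  { localhost; 192.168.154.201; };                        ## Slave DNS IP ##
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): dnssec-lookaside (DLV) and the ISC DLV key are
        // deprecated in current BIND releases; confirm the installed version
        // still accepts this option before keeping it.
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
logging {
        channel default_debug {
                // Relative to "directory", i.e. /var/named/data/named.run.
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
// Forward zone for test.com (zone file db.test.com below).
zone "test.com" IN {
        type master;
        file "db.test.com";
        allow-update { none; };
};
// Reverse zone for 192.168.154.0/24 (zone file db.154.168.192 below).
zone "154.168.192.in-addr.arpa" IN {
        type master;
        file "db.154.168.192";
        allow-update { none; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";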

3. 建立正解和反解的設定檔
# vim /var/named/db.test.com

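; /var/named/db.test.com — forward zone for test.com
$TTL 86400
@       IN      SOA     m2k.test.com.   admin.m2k.test.com. (
                        2013111409      ; serial — increase it whenever the zone changes
                        86400           ; refresh
                        1800            ; retry
                        1728000         ; expire
                        1200            ; Negative Caching
                        )
; Authoritative name server for the zone (same owner as the SOA above).
@       IN      NS      m2k.test.com.
m2k             IN      A       192.168.154.167
;@              IN      MX      0       mail.test.com.
test.com.       IN      A       192.168.154.167
;
;
;test.com.      IN      MX      10      m2k.test.com.
; Names without a trailing dot are relative to the zone origin,
; e.g. "localhost" here means localhost.test.com.
localhost               IN      A       127.0.0.1
loopback                IN      CNAME   localhost
;mail           IN      MX      1       m2k.test.com.
www            IN      A       192.168.154.1
ftp             IN      CNAME   ms1
proxy           IN      A       192.168.154.250
ms1             IN      A       192.168.154.2
bbs             IN      CNAME   ms1
; (a second, identical "m2k IN A 192.168.154.167" record was removed; it is
;  already defined above)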

# vim /var/named/db.154.168.192

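; /var/named/db.154.168.192 — reverse zone for 192.168.154.0/24
$TTL 86400
@       IN      SOA     m2k.test.com.   root.m2k.test.com. (
                        2013111409      ; serial — increase it whenever the zone changes
                        28800           ; refresh
                        14400           ; retry
                        720000          ; expire
                        86400           ; Negative Caching
                        )
; The NS record must name the server that is authoritative for this zone
; (the same one used by the forward zone), not localhost.localdomain.
@     IN        NS      m2k.test.com.
;
167     IN      PTR     m2k.test.com.
1     IN        PTR     www.test.com.
2     IN        PTR     ms1.test.com.
250   IN        PTR     proxy.test.com.
4     IN        PTR     disk.test.com.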

4. 改變檔案擁有者
# chown named:named /var/named/db.*

5. 檢查設定檔
# named-checkconf /etc/named.conf
# named-checkzone test.com /var/named/db.test.com
zone test.com/IN: loaded serial 2013111409
OK
# named-checkzone 154.168.192.in-addr.arpa /var/named/db.154.168.192
zone 154.168.192.in-addr.arpa/IN: loaded serial 2013111409
OK

6. 啟動 DNS Server
# service named start

7. 設定開機時啟動 DNS Server
# chkconfig --level 3 named on

測試 DNS Server
# dig m2k.test.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> m2k.test.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26409
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;m2k.test.com.                  IN      A

;; ANSWER SECTION:
m2k.test.com.           86400   IN      A       192.168.154.167

;; AUTHORITY SECTION:
test.com.               86400   IN      NS      m2k.test.com.

;; ADDITIONAL SECTION:
m2k.test.com.           86400   IN      AAAA    2001:288:a229:1::167

;; Query time: 0 msec
;; SERVER: 192.168.154.167#53(192.168.154.167)
;; WHEN: Fri Nov 15 10:03:02 2013
;; MSG SIZE  rcvd: 88

# dig 192.168.154.167

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> 192.168.154.167
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52234
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;192.168.154.167.               IN      A

;; AUTHORITY SECTION:
.                       10800   IN      SOA     a.root-servers.net. nstld.verisign-grs.com. 2013111401 1800 900 604800 86400

;; Query time: 174 msec
;; SERVER: 192.168.154.167#53(192.168.154.167)
;; WHEN: Fri Nov 15 10:03:26 2013
;; MSG SIZE  rcvd: 108

# host free.test.com
free.test.com has address 192.168.154.100
free.test.com has IPv6 address 2001:288:a229:1::100

# host 192.168.154.100
100.154.168.192.in-addr.arpa domain name pointer free.test.com.