samba3からsamba4へ移行 bind編
chroot化について
bindはchroot環境で運用するのが一般的だが、samba4がdynamic updateを行うので、ここではchroot化しない。
インストール
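# bind-utils provides dig(1), which the verification steps below rely on;
# the bind package alone does not install it.
$ sudo yum -y install bind bind-utils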
/etc/named.confを設定
$ sudo vi /etc/named.conf
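//
// named.conf
//
// Based on the caching-only named.conf shipped by the Red Hat bind package,
// extended with an "internal" view that serves the AD zone to the LAN.
// Edits relative to the stock file: listen-on / listen-on-v6, allow-query,
// allow-recursion, allow-transfer, and the root hint plus the two includes
// moved into the view (with views in use they must live inside a view).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
	// Bind only to loopback and the AD host address (192.168.11.101) rather
	// than every IPv4 interface; IPv6 is not used here.
	listen-on port 53 { 127.0.0.1; 192.168.11.101; };
	listen-on-v6 port 53 { none; };
	directory "/var/named";
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	// Only loopback and the LAN may query or recurse through this server.
	allow-query     { localhost; 192.168.0.0/16; };
	allow-recursion { localhost; 192.168.0.0/16; };
	// No secondary server exists in this setup, so zone transfers (AXFR) are
	// refused. Allowing 192.168.0.0/16 here would let any LAN host dump the
	// whole AD zone; list only the addresses of real secondaries.
	allow-transfer  { none; };
	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	// NOTE(review): ISC's DLV registry was shut down in 2017 and
	// dnssec-lookaside is no longer accepted by current BIND (9.16+); drop
	// this line and bindkeys-file there. dnssec-enable is deprecated there too.
	dnssec-lookaside auto;
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
view "internal" {
	match-clients {
		localhost;
		192.168.0.0/16;
	};
	zone "." IN {
		type hint;
		file "named.ca";
	};
	zone "local.example.co.jp" {
		type master;
		file "local.example.co.jp.hosts";
		// NOTE(review): without allow-update or update-policy BIND refuses
		// dynamic updates for this zone (the default is allow-update { none; }).
		// If Samba is meant to update it, a GSS-TSIG update-policy or Samba's
		// own named.conf include is required -- confirm against the Samba setup.
	};
	zone "11.168.192.in-addr.arpa" IN {
		type master;
		file "11.168.192.rev";
		allow-update { none; };
	};
	include "/etc/named.rfc1912.zones";
	include "/etc/named.root.key";
};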
元記事では赤字下線が編集箇所。テキストでは失われるので補足すると、編集したのは listen-on / listen-on-v6、allow-query、allow-transfer の各行と、zone "." および 2 つの include を view "internal" の中へ移し、そこに local.example.co.jp と 11.168.192.in-addr.arpa のゾーンを追加した部分である。
正引きと逆引きのゾーンファイルを作成
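# Path must match the zone's "file" in named.conf (local.example.co.jp.hosts);
# /var/named is root-owned, so edit with sudo as for /etc/named.conf.
$ sudo vi /var/named/local.example.co.jp.hosts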
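$TTL 38400
; Forward zone for local.example.co.jp.
; Owner names without a trailing dot are relative to the zone origin.
; The original "ad." / "www." (with a dot) named the top-level domains
; "ad." and "www.", which named drops as out-of-zone data.
; The SOA RNAME also needs a trailing dot, otherwise the origin is appended.
local.example.co.jp.	IN	SOA	ad.local.example.co.jp. root.local.example.co.jp. (
			1414940143	; Serial
			10800		; Refresh
			3600		; Retry
			604800		; Expire
			38400 )		; Negative cache TTL
local.example.co.jp.	IN	NS	ad.local.example.co.jp.
ad			IN	A	192.168.11.101
www			IN	A	192.168.11.102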
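# /var/named is root-owned: edit with sudo as for /etc/named.conf.
$ sudo vi /var/named/11.168.192.rev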
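$TTL 86400
; Reverse zone for 192.168.11.0/24 (11.168.192.in-addr.arpa).
@	IN	SOA	ad.local.example.co.jp. root.local.example.co.jp. (
		2014080201	; Serial
		3600		; Refresh
		1800		; Retry
		604800		; Expire
		86400 )		; Minimum TTL
	IN	NS	ad.local.example.co.jp.
; The apex PTR and the "A 255.255.255.0" netmask record of the original were
; template leftovers with no DNS meaning and have been dropped.
; One PTR per host, one record per line.
101	IN	PTR	ad.local.example.co.jp.
102	IN	PTR	www.local.example.co.jp.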
firewalldのポートを開ける
事前確認
$ sudo firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client dns ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
services に dns がない場合には、追加する
firewalldにサービスを追加
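# Persist the rule, then reload: --reload applies the permanent configuration
# to the running firewall without stopping the daemon (a restart drops the
# rule set while firewalld is down).
$ sudo firewall-cmd --add-service=dns --zone=public --permanent
$ sudo firewall-cmd --reload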
firewalldの対象サービスにdnsを追加したら、firewall-cmd --reload（またはfirewalldの再起動）で反映し、反映後に firewall-cmd --list-all の services に dns が含まれていることを確認する。
起動と確認
起動
# Enable named at boot and start it now in a single step.
$ sudo systemctl enable --now named.service
確認
リスニングしていることを確認する
[root@ad named]# ss -an |grep ':53'
tcp LISTEN 0 10 192.168.11.101:53 *:*
tcp LISTEN 0 10 127.0.0.1:53 *:*
正引きを確認する
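# Query the name the zone actually defines (the original had a typo,
# "ad.loal.example.com", which would never resolve here).
$ dig @localhost ad.local.example.co.jp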
逆引きを確認する
# Reverse lookup of the AD host through the local resolver.
$ dig -x 192.168.11.101 @localhost