chroot化について

bindはchroot環境で運用を行うのが一般的ですが、samba4がdynamic update を行うおでchrootにはしない。

インストール

$ sudo yum -y install bind

/etc/named.confを設定

$ sudo vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        # listen-on port 53 { 127.0.0.1; };
        # listen-on-v6 port 53 { ::1; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
        #allow-query     { localhost; };
        allow-query     { localhost; 192.168.0.0/16; };

        allow-transfer { localhost; 192.168.0.0/16; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

#zone "." IN {
#       type hint;
#       file "named.ca";
#};
#
#include "/etc/named.rfc1912.zones";
#include "/etc/named.root.key";
view "internal" {
        match-clients {
                localhost;
                192.168.0.0/16;
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "local.example.co.jp" {
                type master;
                file "local.example.co.jp.hosts";
        };
        zone "11.168.192.in-addr.arpa" IN {
                type master;
                file "11.168.192.rev";
                allow-update { none; };
        };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};

赤字下線が編集箇所です。

正引きと逆引きのゾーンファイルを作成

$ vi /var/named/local.example.co.jp

$ttl 38400
local.example.co.jp.   IN      SOA     ad.local.example.co.jp. root.local.example.co.jp (
                        1414940143
                        10800
                        3600
                        604800
                        38400 )
local.example.co.jp.   IN      NS      ad.local.example.co.jp.
ad.     IN      A       192.168.11.101
www.   IN      A       192.168.11.102

$ vi /var/named/11.168.192.rev

$TTL 86400
@   IN  SOA     ad.local.example.co.jp. root.local.example.co.jp. (
        2014080201  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

        IN  NS      ad.local.example.co.jp.


        IN  PTR     local.example.co.jp.
        IN  A       255.255.255.0

101      IN  PTR     ad.local.example.co.jp.

102      IN  PTR     www.local.example.co.jp.

firewalldのポートを開ける

事前確認

$ sudo firewall-cmd --list-all

public (default, active)
  interfaces: eth0
  sources:
  services: dhcpv6-client dns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

services に dns がない場合には、追加する

firewalldにサービスを追加

$ sudo firewall-cmd --add-service=dns --zone=public --permanent

$ sudo systemctl restart firewalld

firewalldの対象サービスにdnsを追加後にfirewalldを再起動する。再起動後にサービスにdns が追加されていることを確認する。

起動と確認

起動

$ sudo systemctl enable named.service

$ sudo systemctl start named.service

確認

リスニングしているこをと確認する

 

[root@ad named]# ss -an |grep ':53'
tcp    LISTEN     0      10         192.168.11.101:53                    *:*
tcp    LISTEN     0      10             127.0.0.1:53                    *:*

 正引きを確認する

$ dig @localhost ad.loal.example.com

逆引きを確認する

$ dig @localhost -x 192.168.11.101

参考にしたサイト

Server World - ネットワークサーバー構築

DNSサーバー構築(BIND) - CentOSで自宅サーバー構築