Table of Contents
DNS master e slave
Instalação no master
root@ns1:~# yum install bind-utils bind-chroot
Informações sobre os pacotes instalados
bind-chroot
root@ns1:~# rpm -qil bind-chroot Name : bind-chroot Epoch : 32 Version : 9.9.4 Release : 29.el7_2.1 Architecture: x86_64 Install Date: Seg 04 Abr 2016 11:49:28 BRT Group : System Environment/Daemons Size : 3308 License : ISC Signature : RSA/SHA256, Qua 16 Dez 2015 16:42:26 BRT, Key ID 24c6a8a7f4a80eb5 Source RPM : bind-9.9.4-29.el7_2.1.src.rpm Build Date : Qua 16 Dez 2015 15:40:35 BRT Build Host : worker1.bsys.centos.org Relocations : /var/named/chroot Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.isc.org/products/BIND/ Summary : A chroot runtime environment for the ISC BIND DNS server, named(8) Description : This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz> /usr/lib/systemd/system/named-chroot-setup.service /usr/lib/systemd/system/named-chroot.service /usr/libexec/setup-named-chroot.sh /var/named/chroot /var/named/chroot/dev /var/named/chroot/dev/null /var/named/chroot/dev/random /var/named/chroot/dev/zero /var/named/chroot/etc /var/named/chroot/etc/named /var/named/chroot/etc/named.conf /var/named/chroot/etc/pki /var/named/chroot/etc/pki/dnssec-keys /var/named/chroot/run /var/named/chroot/run/named /var/named/chroot/usr /var/named/chroot/usr/lib64 /var/named/chroot/usr/lib64/bind /var/named/chroot/var /var/named/chroot/var/log /var/named/chroot/var/named /var/named/chroot/var/run /var/named/chroot/var/tmp
bind
root@ns1:~# rpm -qil bind Name : bind Epoch : 32 Version : 9.9.4 Release : 29.el7_2.1 Architecture: x86_64 Install Date: Seg 04 Abr 2016 11:49:28 BRT Group : System Environment/Daemons Size : 4543208 License : ISC Signature : RSA/SHA256, Qua 16 Dez 2015 16:42:21 BRT, Key ID 24c6a8a7f4a80eb5 Source RPM : bind-9.9.4-29.el7_2.1.src.rpm Build Date : Qua 16 Dez 2015 15:40:35 BRT Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.isc.org/products/BIND/ Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. /etc/NetworkManager/dispatcher.d/13-named /etc/logrotate.d/named /etc/named /etc/named.conf /etc/named.iscdlv.key /etc/named.rfc1912.zones /etc/named.root.key /etc/rndc.conf /etc/rndc.key /etc/rwtab.d/named /etc/sysconfig/named /run/named /usr/lib/systemd/system/named-setup-rndc.service /usr/lib/systemd/system/named.service /usr/lib/tmpfiles.d/named.conf /usr/lib64/bind /usr/libexec/generate-rndc-key.sh /usr/sbin/arpaname /usr/sbin/ddns-confgen /usr/sbin/dnssec-checkds /usr/sbin/dnssec-coverage /usr/sbin/dnssec-dsfromkey /usr/sbin/dnssec-importkey /usr/sbin/dnssec-keyfromlabel /usr/sbin/dnssec-keygen /usr/sbin/dnssec-revoke /usr/sbin/dnssec-settime /usr/sbin/dnssec-signzone /usr/sbin/dnssec-verify /usr/sbin/genrandom /usr/sbin/isc-hmac-fixup /usr/sbin/lwresd /usr/sbin/named /usr/sbin/named-checkconf /usr/sbin/named-checkzone /usr/sbin/named-compilezone /usr/sbin/named-journalprint /usr/sbin/nsec3hash /usr/sbin/rndc /usr/sbin/rndc-confgen /usr/share/doc/bind-9.9.4 /usr/share/doc/bind-9.9.4/Bv9ARM.ch01.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch02.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch03.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch04.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch05.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch06.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch07.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch08.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch09.html /usr/share/doc/bind-9.9.4/Bv9ARM.ch10.html /usr/share/doc/bind-9.9.4/Bv9ARM.html /usr/share/doc/bind-9.9.4/Bv9ARM.pdf /usr/share/doc/bind-9.9.4/CHANGES /usr/share/doc/bind-9.9.4/README /usr/share/doc/bind-9.9.4/isc-logo.pdf /usr/share/doc/bind-9.9.4/man.arpaname.html /usr/share/doc/bind-9.9.4/man.ddns-confgen.html /usr/share/doc/bind-9.9.4/man.dig.html /usr/share/doc/bind-9.9.4/man.dnssec-checkds.html /usr/share/doc/bind-9.9.4/man.dnssec-coverage.html /usr/share/doc/bind-9.9.4/man.dnssec-dsfromkey.html /usr/share/doc/bind-9.9.4/man.dnssec-keyfromlabel.html /usr/share/doc/bind-9.9.4/man.dnssec-keygen.html /usr/share/doc/bind-9.9.4/man.dnssec-revoke.html /usr/share/doc/bind-9.9.4/man.dnssec-settime.html /usr/share/doc/bind-9.9.4/man.dnssec-signzone.html /usr/share/doc/bind-9.9.4/man.dnssec-verify.html /usr/share/doc/bind-9.9.4/man.genrandom.html /usr/share/doc/bind-9.9.4/man.host.html /usr/share/doc/bind-9.9.4/man.isc-hmac-fixup.html /usr/share/doc/bind-9.9.4/man.named-checkconf.html /usr/share/doc/bind-9.9.4/man.named-checkzone.html /usr/share/doc/bind-9.9.4/man.named-journalprint.html /usr/share/doc/bind-9.9.4/man.named.html /usr/share/doc/bind-9.9.4/man.nsec3hash.html /usr/share/doc/bind-9.9.4/man.nsupdate.html /usr/share/doc/bind-9.9.4/man.rndc-confgen.html /usr/share/doc/bind-9.9.4/man.rndc.conf.html /usr/share/doc/bind-9.9.4/man.rndc.html /usr/share/doc/bind-9.9.4/named.conf.default /usr/share/doc/bind-9.9.4/sample /usr/share/doc/bind-9.9.4/sample/etc /usr/share/doc/bind-9.9.4/sample/etc/named.conf /usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones /usr/share/doc/bind-9.9.4/sample/var /usr/share/doc/bind-9.9.4/sample/var/named /usr/share/doc/bind-9.9.4/sample/var/named/data /usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db /usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db /usr/share/doc/bind-9.9.4/sample/var/named/named.ca /usr/share/doc/bind-9.9.4/sample/var/named/named.empty /usr/share/doc/bind-9.9.4/sample/var/named/named.localhost /usr/share/doc/bind-9.9.4/sample/var/named/named.loopback /usr/share/doc/bind-9.9.4/sample/var/named/slaves /usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db /usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db /usr/share/man/man1/arpaname.1.gz /usr/share/man/man5/named.conf.5.gz /usr/share/man/man5/rndc.conf.5.gz /usr/share/man/man8/ddns-confgen.8.gz /usr/share/man/man8/dnssec-checkds.8.gz /usr/share/man/man8/dnssec-coverage.8.gz /usr/share/man/man8/dnssec-dsfromkey.8.gz /usr/share/man/man8/dnssec-keyfromlabel.8.gz /usr/share/man/man8/dnssec-keygen.8.gz /usr/share/man/man8/dnssec-revoke.8.gz /usr/share/man/man8/dnssec-settime.8.gz /usr/share/man/man8/dnssec-signzone.8.gz /usr/share/man/man8/dnssec-verify.8.gz /usr/share/man/man8/genrandom.8.gz /usr/share/man/man8/isc-hmac-fixup.8.gz /usr/share/man/man8/lwresd.8.gz /usr/share/man/man8/named-checkconf.8.gz /usr/share/man/man8/named-checkzone.8.gz /usr/share/man/man8/named-compilezone.8.gz /usr/share/man/man8/named-journalprint.8.gz /usr/share/man/man8/named.8.gz /usr/share/man/man8/nsec3hash.8.gz /usr/share/man/man8/rndc-confgen.8.gz /usr/share/man/man8/rndc.8.gz /var/log/named.log /var/named /var/named/data /var/named/dynamic /var/named/named.ca /var/named/named.empty /var/named/named.localhost /var/named/named.loopback /var/named/slaves
bind-utils
root@ns1:~# rpm -qil bind-utils Name : bind-utils Epoch : 32 Version : 9.9.4 Release : 29.el7_2.1 Architecture: x86_64 Install Date: Seg 04 Abr 2016 11:49:29 BRT Group : Applications/System Size : 444682 License : ISC Signature : RSA/SHA256, Qua 16 Dez 2015 16:43:23 BRT, Key ID 24c6a8a7f4a80eb5 Source RPM : bind-9.9.4-29.el7_2.1.src.rpm Build Date : Qua 16 Dez 2015 15:40:35 BRT Build Host : worker1.bsys.centos.org Relocations : (not relocatable) Packager : CentOS BuildSystem <http://bugs.centos.org> Vendor : CentOS URL : http://www.isc.org/products/BIND/ Summary : Utilities for querying DNS name servers Description : Bind-utils contains a collection of utilities for querying DNS (Domain Name System) name servers to find out information about Internet hosts. These tools will provide you with the IP addresses for given host names, as well as other information about registered domains and network addresses. You should install bind-utils if you need to get information from DNS name servers. /etc/trusted-key.key /usr/bin/dig /usr/bin/host /usr/bin/nslookup /usr/bin/nsupdate /usr/share/man/man1/dig.1.gz /usr/share/man/man1/host.1.gz /usr/share/man/man1/nslookup.1.gz /usr/share/man/man1/nsupdate.1.gz
Alterando o resolv.conf
Apontando as consultar para o próprio servidor
root@ns1:~# cat /etc/resolv.conf nameserver 127.0.0.1
Deixando o arquivo imutável para não sofrer alteração durante a inicialização
root@ns1:~# chattr +i /etc/resolv.conf
Configurando o chroot
Preparando o diretório
root@ns1:~# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
root@ns1:~# ls -la /var/named/chroot/* /var/named/chroot/dev: total 0 drwxr-x---. 2 root named 41 Abr 4 11:49 . drwxr-x---. 7 root named 56 Abr 4 11:49 .. crw-r--r--. 1 root root 1, 3 Abr 4 11:49 null crw-r--r--. 1 root root 1, 8 Abr 4 11:49 random crw-r--r--. 1 root root 1, 5 Abr 4 11:49 zero /var/named/chroot/etc: total 24 drwxr-x---. 4 root named 4096 Abr 4 12:06 . drwxr-x---. 7 root named 56 Abr 4 11:49 .. -rw-r--r--. 1 root root 574 Out 7 19:43 localtime drwxr-x---. 2 root named 6 Dez 16 15:40 named -rw-r-----. 1 root named 1558 Jun 1 2015 named.conf -rw-r--r--. 1 root named 2389 Dez 16 15:40 named.iscdlv.key -rw-r-----. 1 root named 931 Jun 21 2007 named.rfc1912.zones -rw-r--r--. 1 root named 487 Jul 19 2010 named.root.key drwxr-x---. 3 root named 24 Abr 4 11:49 pki /var/named/chroot/run: total 0 drwxr-x---. 3 root named 18 Abr 4 11:49 . drwxr-x---. 7 root named 56 Abr 4 11:49 .. drwxr-xr-x. 2 named named 40 Dez 16 15:40 named /var/named/chroot/usr: total 0 drwxrwx---. 3 named named 18 Abr 4 11:49 . drwxr-x---. 7 root named 56 Abr 4 11:49 .. drwxrwx---. 3 named named 17 Abr 4 11:49 lib64 /var/named/chroot/var: total 4 drwxr-x---. 5 root named 48 Abr 4 11:49 . drwxr-x---. 7 root named 56 Abr 4 11:49 .. drwxrwx---. 2 named named 6 Dez 16 15:40 log drwxr-x---. 6 root named 4096 Abr 4 11:49 named lrwxrwxrwx. 1 named named 6 Abr 4 11:49 run -> ../run drwxrwx---. 2 named named 6 Dez 16 15:40 tmp
root@ns1:~# mount | tail -n9 /dev/mapper/centos-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota) tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755) /dev/mapper/centos-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Iniciando e habilitando o bind
root@ns1:~# systemctl start named-chroot.service root@ns1:~# systemctl enable named-chroot.service Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
Status dos serviços
root@ns1:~# systemctl status named-chroot.service -l ● named-chroot.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled) Active: active (running) since Seg 2016-04-04 12:11:43 BRT; 1min 2s ago Main PID: 2380 (named) CGroup: /system.slice/named-chroot.service └─2380 /usr/sbin/named -u named -t /var/named/chroot Abr 04 12:11:43 ns1 named[2380]: command channel listening on ::1#953 Abr 04 12:11:43 ns1 named[2380]: managed-keys-zone: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: zone 0.in-addr.arpa/IN: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: zone localhost.localdomain/IN: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: zone localhost/IN: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Abr 04 12:11:43 ns1 named[2380]: all zones loaded Abr 04 12:11:43 ns1 named[2380]: running Abr 04 12:11:43 ns1 systemd[1]: Started Berkeley Internet Name Domain (DNS).
root@ns1:~# ps -ef | grep named named 2380 1 0 12:11 ? 00:00:00 /usr/sbin/named -u named -t /var/named/chroot
Configuração
Criando backup do arquivo original
root@ns1:~# cp -ap /var/named/chroot/etc/named.conf{,.dist}
Configuração do named.conf
root@ns1:~# cat /var/named/chroot/etc/named.conf #### CONFIGURAÇÃO DE ACLs #### acl interface_v4 {127.0.0.1; 192.0.2.250; }; acl interface_v6 { ::1; 2001:db8::250; }; acl rede_privada { 192.0.2.0/24; 198.51.100.0/24; }; acl bloco_v6 { 2001:db8::/34; }; options { listen-on port 53 { interface_v4; }; listen-on-v6 port 53 { interface_v6; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { any; }; recursion no; recursive-clients 3000; tcp-clients 2000; max-cache-size 256M; version none; server-id none; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; // Rede externa view "externa" { match-clients { !interface_v4; !interface_v6; !rede_privada; any; }; recursion no; include "/etc/named/named.externa.zones"; }; // Rede interna view "interna" { match-clients { interface_v4; interface_v6; rede_privada; }; recursion yes; include "/etc/named/named.interna.zones"; include "/etc/named/named.common.zones"; };
Configuração dos arquivos de zona
root@ns1:~# cat /var/named/chroot/etc/named/named.common.zones zone "." IN { type hint; file "named.ca"; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";
root@ns1:~# cat /var/named/chroot/etc/named/named.externa.zones #### CONFIGURAÇÃO DA ZONA DIRETA #### zone "exemplo.org" IN { type master; file "externo/exemplo.org.db"; }; #### CONFIGURAÇÃO DA ZONA REVERSA #### zone "113.0.203.in-addr.arpa" IN { type master; file "externo/113-0-203.db"; }; # Exemplo para clientes ISPs 128.66.0.0/20 zona reversa zone "0.66.128.in-addr.arpa" IN { type master; file "externo/0-66-128.db"; }; zone "1.66.128.in-addr.arpa" IN { type master; file "externo/1-66-128.db"; }; zone "2.66.128.in-addr.arpa" IN { type master; file "externo/2-66-128.db"; }; zone "3.66.128.in-addr.arpa" IN { type master; file "externo/3-66-128.db"; }; zone "4.66.128.in-addr.arpa" IN { type master; file "externo/4-66-128.db"; }; zone "5.66.128.in-addr.arpa" IN { type master; file "externo/5-66-128.db"; }; zone "6.66.128.in-addr.arpa" IN { type master; file "externo/6-66-128.db"; }; zone "7.66.128.in-addr.arpa" IN { type master; file "externo/7-66-128.db"; }; zone "8.66.128.in-addr.arpa" IN { type master; file "externo/8-66-128.db"; }; zone "9.66.128.in-addr.arpa" IN { type master; file "externo/9-66-128.db"; }; zone "10.66.128.in-addr.arpa" IN { type master; file "externo/10-66-128.db"; }; zone "11.66.128.in-addr.arpa" IN { type master; file "externo/11-66-128.db"; }; zone "12.66.128.in-addr.arpa" IN { type master; file "externo/12-66-128.db"; }; zone "13.66.128.in-addr.arpa" IN { type master; file "externo/13-66-128.db"; }; zone "14.66.128.in-addr.arpa" IN { type master; file "externo/14-66-128.db"; }; zone "15.66.128.in-addr.arpa" IN { type master; file "externo/15-66-128.db"; }; zone "0.0.0.4.0.8.b.d.0.1.0.0.2.ip6.arpa" IN { type master; file "externo/2001-db8-4000.db"; };
root@ns1:~# cat /var/named/chroot/etc/named/named.interna.zones #### CONFIGURAÇÃO DA ZONA DIRETA #### zone "exemplo.org" IN { type master; file "interno/exemplo.org.db"; }; #### CONFIGURAÇÃO DA ZONA REVERSA #### zone "2.0.192.in-addr.arpa" IN { type master; file "interno/2-0-192.db"; }; #zone "100.51.198.in-addr.arpa" IN { type master; file "interno/100-51-198.db"; }; zone "8.b.d.0.1.0.0.2.ip6.arpa" IN { type master; file "interno/2001-db8.db"; };
Alterando as permissões
root@ns1:~# chown -R root:named /var/named/chroot/etc/named/*
root@ns1:~# mkdir /var/named/chroot/var/named/externo root@ns1:~# mkdir /var/named/chroot/var/named/interno
zonas externas
root@ns1:~# cat /var/named/chroot/var/named/externo/exemplo.org.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016040401 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum ; @ IN NS exemplo.org. exemplo.org. IN TXT "v=spf1 a mx ip4:203.0.113.240 ip6:2001:db8:4000::240 -all" exemplo.org. IN SPF "v=spf1 a mx ip4:203.0.113.240 ip6:2001:db8:4000::240 -all" ; IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. IN MX 10 mx1.exemplo.org. ; ns1 IN A 203.0.113.250 IN AAAA 2001:db8:4000::250 ns2 IN A 203.0.113.251 IN AAAA 2001:db8:4000::251 mx1 IN A 203.0.113.240 IN AAAA 2001:db8:4000::240 imap IN CNAME mx1 pop IN CNAME mx1 smtp IN CNAME mx1 webmail IN CNAME mx1 @ IN A 203.0.113.80 IN AAAA 2001:db8:4000::80 ; IPs gerados automaticamente $GENERATE 0-255 128-66-0-$.exemplo.org IN A 128.66.0.$ $GENERATE 0-255 128-66-1-$.exemplo.org IN A 128.66.1.$ $GENERATE 0-255 128-66-2-$.exemplo.org IN A 128.66.2.$ $GENERATE 0-255 128-66-3-$.exemplo.org IN A 128.66.3.$ $GENERATE 0-255 128-66-4-$.exemplo.org IN A 128.66.4.$ $GENERATE 0-255 128-66-5-$.exemplo.org IN A 128.66.5.$ $GENERATE 0-255 128-66-6-$.exemplo.org IN A 128.66.6.$ $GENERATE 0-255 128-66-7-$.exemplo.org IN A 128.66.7.$ $GENERATE 0-255 128-66-8-$.exemplo.org IN A 128.66.8.$ $GENERATE 0-255 128-66-9-$.exemplo.org IN A 128.66.9.$ $GENERATE 0-255 128-66-10-$.exemplo.org IN A 128.66.10.$ $GENERATE 0-255 128-66-11-$.exemplo.org IN A 128.66.11.$ $GENERATE 0-255 128-66-12-$.exemplo.org IN A 128.66.12.$ $GENERATE 0-255 128-66-13-$.exemplo.org IN A 128.66.13.$ $GENERATE 0-255 128-66-14-$.exemplo.org IN A 128.66.14.$ $GENERATE 0-255 128-66-15-$.exemplo.org IN A 128.66.15.$
root@ns1:~# cat /var/named/chroot/var/named/externo/113-0-203.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum ; IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; 250 IN PTR ns1.exemplo.org. 251 IN PTR ns2.exemplo.org. 240 IN PTR mx1.exemplo.org. 80 IN PTR www.exemplo.org.
root@ns1:~# cat /var/named/chroot/var/named/externo/2001-db8-4000.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; $ORIGIN 0.0.0.4.8.b.d.0.1.0.0.2.ip6.arpa. 0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.exemplo.org 1.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns2.exemplo.org 0.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR mx1.exemplo.org
root@ns1:~# cat /var/named/chroot/var/named/externo/0-66-128.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; $GENERATE 0-199 $ IN PTR 128-66-0-$.exemplo.org.
root@ns1:~# cat /var/named/chroot/var/named/externo/1-66-128.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; $GENERATE 0-255 $ IN PTR 128-66-1-$.exemplo.org.
root@ns1:~# cat /var/named/chroot/var/named/externo/2-66-128.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; $GENERATE 0-255 $ IN PTR 128-66-2-$.exemplo.org.
root@ns1:~# cat /var/named/chroot/var/named/externo/3-66-128.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; $GENERATE 0-255 $ IN PTR 128-66-3-$.exemplo.org.
Foram omitidas as subnetes da 4 à 15.
Zonas interna
root@ns1:~# cat /var/named/chroot/var/named/interno/exemplo.org.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum @ IN NS exemplo.org. exemplo.org. IN TXT "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8::240 -all" exemplo.org. IN SPF "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8::240 -all" ; NS ns1.exemplo.org. NS ns2.exemplo.org. MX 10 mx1.exemplo.org. ; ns1 IN A 192.0.2.250 IN AAAA 2001:db8::250 ns2 IN A 192.0.2.251 IN AAAA 2001:db8::251 mx1 IN A 192.0.2.240 IN AAAA 2001:db8::240 imap IN CNAME mx1 pop IN CNAME mx1 smtp IN CNAME mx1 webmail IN CNAME mx1 @ IN A 192.0.2.80 IN AAAA 2001:db8::80
root@ns1:~# cat /var/named/chroot/var/named/interno/2-0-192.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. 250 IN PTR ns1.exemplo.org. 251 IN PTR ns2.exemplo.org. 240 IN PTR mx1.exemplo.org.
root@ns1:~# cat /var/named/chroot/var/named/interno/2001-db8.db $TTL 1D @ IN SOA ns1.exemplo.org. hostmaster.exemplo.org. ( 2016011301 ; serial 1D ; refresh 1H ; retry 1W ; expire 3H ) ; minimum IN NS ns1.exemplo.org. IN NS ns2.exemplo.org. ; ;2001:db8::/48 $ORIGIN 8.b.d.0.1.0.0.2.ip6.arpa 0.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns1.exemplo.org. 1.5.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR ns2.exemplo.org. 0.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR mx1.exemplo.org.
Alterando as permissões
root@ns1:~# chown named:named -R /var/named/chroot/var/named/externo root@ns1:~# chown named:named -R /var/named/chroot/var/named/interno
root@ns1:~# chcon -t named_cache_t /var/named/chroot/var/named/interno root@ns1:~# chcon -t named_cache_t /var/named/chroot/var/named/externo
root@ns1:~# semanage fcontext -a -t named_zone_t "/var/named/chroot/var/named/externo(/.*)?" root@ns1:~# semanage fcontext -a -t named_zone_t "/var/named/chroot/var/named/interno(/.*)?"
Checando as configurações
root@ns1:~# named-checkzone exemplo.org /var/named/chroot/var/named/externo/exemplo.org.db zone exemplo.org/IN: loaded serial 2016040401 OK
root@ns1:~# named-checkzone 113.0.203.in-addr.arpa /var/named/chroot/var/named/externo/113-0-203.db zone 113.0.203.in-addr.arpa/IN: loaded serial 2016011301 OK
root@ns1:~# named-checkzone 0.0.0.4.8.b.d.0.1.0.0.2.ip6.arpa /var/named/chroot/var/named/externo/2001-db8-4000.db zone 0.0.0.4.8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 2016011301 OK
root@ns1:~# named-checkzone exemplo.org /var/named/chroot/var/named/interno/exemplo.org.db zone exemplo.org/IN: loaded serial 2016011301 OK
Reiniciando e testando as consultas
root@ns1:~# systemctl restart named-chroot
root@ns1:~# host -a exemplo.org Trying "exemplo.org" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54063 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 6 ;; QUESTION SECTION: ;exemplo.org. IN ANY ;; ANSWER SECTION: exemplo.org. 86400 IN A 192.0.2.80 exemplo.org. 86400 IN AAAA 2001:db8::80 exemplo.org. 86400 IN SOA ns1.exemplo.org. hostmaster.exemplo.org. 2016011301 86400 3600 604800 10800 exemplo.org. 86400 IN NS exemplo.org. exemplo.org. 86400 IN NS ns1.exemplo.org. exemplo.org. 86400 IN NS ns2.exemplo.org. exemplo.org. 86400 IN TXT "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8::240 -all" exemplo.org. 86400 IN SPF "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8::240 -all" exemplo.org. 86400 IN MX 10 mx1.exemplo.org. ;; ADDITIONAL SECTION: ns1.exemplo.org. 86400 IN A 192.0.2.250 ns1.exemplo.org. 86400 IN AAAA 2001:db8::250 ns2.exemplo.org. 86400 IN A 192.0.2.251 ns2.exemplo.org. 86400 IN AAAA 2001:db8::251 mx1.exemplo.org. 86400 IN A 192.0.2.240 mx1.exemplo.org. 86400 IN AAAA 2001:db8::240 Received 448 bytes from 127.0.0.1#53 in 0 ms
Condulta direta
root@ns1:~# dig +short mx1.exemplo.org 192.0.2.240
Cosulta reversa
root@ns1:~# dig +short -x 192.0.2.240 mx1.exemplo.org.
Consultas de um cliente externo
ip do cliente: 203.0.113.2
root@cliente:~# host -a exemplo.org Trying "exemplo.org" ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37138 ;; flags: qr aa rd; QUERY: 1, ANSWER: 9, AUTHORITY: 0, ADDITIONAL: 6 ;; QUESTION SECTION: ;exemplo.org. IN ANY ;; ANSWER SECTION: exemplo.org. 86400 IN A 203.0.113.80 exemplo.org. 86400 IN AAAA 2001:db8:4000::80 exemplo.org. 86400 IN SOA ns1.exemplo.org. hostmaster.exemplo.org. 2016040401 86400 3600 604800 10800 exemplo.org. 86400 IN NS exemplo.org. exemplo.org. 86400 IN NS ns2.exemplo.org. exemplo.org. 86400 IN NS ns1.exemplo.org. exemplo.org. 86400 IN TXT "v=spf1 a mx ip4:203.0.113.240 ip6:2001:db8:4000::240 -all" exemplo.org. 86400 IN SPF "v=spf1 a mx ip4:203.0.113.240 ip6:2001:db8:4000::240 -all" exemplo.org. 86400 IN MX 10 mx1.exemplo.org. ;; ADDITIONAL SECTION: ns1.exemplo.org. 86400 IN A 203.0.113.250 ns1.exemplo.org. 86400 IN AAAA 2001:db8:4000::250 ns2.exemplo.org. 86400 IN A 203.0.113.251 ns2.exemplo.org. 86400 IN AAAA 2001:db8:4000::251 mx1.exemplo.org. 86400 IN A 203.0.113.240 mx1.exemplo.org. 86400 IN AAAA 2001:db8:4000::240 Received 462 bytes from 203.0.113.1#53 in 4 ms
root@cliente:~# dig -x 128.66.0.2 ; <<>> DiG 9.9.5-9+deb8u6-Debian <<>> -x 128.66.0.2 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54683 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 5 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;2.0.66.128.in-addr.arpa. IN PTR ;; ANSWER SECTION: 2.0.66.128.in-addr.arpa. 86400 IN PTR 128-66-0-2.exemplo.org. ;; AUTHORITY SECTION: 0.66.128.in-addr.arpa. 86400 IN NS ns1.exemplo.org. 0.66.128.in-addr.arpa. 86400 IN NS ns2.exemplo.org. ;; ADDITIONAL SECTION: ns1.exemplo.org. 86400 IN A 203.0.113.250 ns1.exemplo.org. 86400 IN AAAA 2001:db8:4000::250 ns2.exemplo.org. 86400 IN A 203.0.113.251 ns2.exemplo.org. 86400 IN AAAA 2001:db8:4000::251 ;; Query time: 4 msec ;; SERVER: 203.0.113.1#53(203.0.113.1) ;; WHEN: Mon Apr 04 17:39:12 BRT 2016 ;; MSG SIZE rcvd: 212