



Instalação do BIND no CentOS 7

Ajustes iniciais

Hostname

# cat /etc/hostname 
ns1.laboratorio.com.br

Configuração de rede

# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:a0:82:1b brd ff:ff:ff:ff:ff:ff
    inet 192.0.2.100/24 brd 192.0.2.255 scope global enp0s3
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea0:821b/64 scope link tentative dadfailed 
       valid_lft forever preferred_lft forever
3: enp0s8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:b4:dd:d7 brd ff:ff:ff:ff:ff:ff
    inet6 2001:db8:cafe::100/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:feb4:ddd7/64 scope link 
       valid_lft forever preferred_lft forever

Instalação do bind

# yum install bind bind-utils bind-chroot

Alterando o resolv.conf

# cat /etc/resolv.conf 
nameserver 127.0.0.1

Tornando o resolv.conf imutável para que não sofra alterações

# chattr +i /etc/resolv.conf

Preparando o diretório chroot

# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# mount | egrep chroot
/dev/sda2 on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda6 on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/sda2 on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/sda3 on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
# ls /var/named/chroot/etc/
localtime  named  named.conf  named.iscdlv.key  named.rfc1912.zones  named.root.key  pki

Contextos SElinux

# ls -lZ /var/named/chroot/etc/
-rw-r--r--. root root  unconfined_u:object_r:locale_t:s0 localtime
drwxr-x---. root named system_u:object_r:etc_t:s0       named
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.conf
-rw-r--r--. root named system_u:object_r:etc_t:s0       named.iscdlv.key
-rw-r-----. root named system_u:object_r:named_conf_t:s0 named.rfc1912.zones
-rw-r--r--. root named system_u:object_r:etc_t:s0       named.root.key
drwxr-x---. root named system_u:object_r:cert_t:s0      pki

Iniciando e ativando os serviços

# systemctl start named-chroot.service
# systemctl enable named-chroot.service
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

Verificando os serviços

# systemctl status named-chroot.service
named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled)
   Active: active (running) since Sex 2015-06-12 13:09:36 BRT; 3min 56s ago
 Main PID: 12982 (named)
   CGroup: /system.slice/named-chroot.service
           └─12982 /usr/sbin/named -u named -t /var/named/chroot
[...]
# ss -nat | egrep 53
LISTEN     0      10                127.0.0.1:53                       *:*     
LISTEN     0      128               127.0.0.1:953                      *:*     
LISTEN     0      10                      ::1:53                      :::*     
LISTEN     0      128                     ::1:953                     :::*     
# ps -ef | egrep named
named    12982     1  0 13:09 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
root     16719  2204  0 13:14 pts/0    00:00:00 grep -E --color=auto named

Configuração

# cat /etc/named.conf 
// Access control lists used below. "ipv4"/"ipv6" are this host's own
// addresses (the ones named binds to); "lan" is the set of clients that may
// use the cache and, through the "lan" view in named_zones.conf, recursion.
acl "ipv4" { 127.0.0.1; 192.0.2.100; };
acl "ipv6" { ::1; 2001:db8:cafe::100; };
// NOTE(review): 198.50.100.0/24 is not the RFC 5737 documentation block
// (that is 198.51.100.0/24). If this is a typo it grants cache and recursion
// access to unrelated public address space -- confirm the intended prefix.
acl "lan" { 192.0.2.0/24; 198.50.100.0/24; 2001:db8:cafe::/64; };
 
options {
	// Bind only to the addresses listed in the ipv4/ipv6 ACLs.
	listen-on port 53 	{ ipv4; };
	listen-on-v6 port 53 	{ ipv6; };
	// Relative "file" paths in the zone statements resolve under this directory.
	directory 		"/var/named";
	dump-file 		"/var/named/data/cache_dump.db";
	statistics-file 	"/var/named/data/named_stats.txt";
	memstatistics-file 	"/var/named/data/named_mem_stats.txt";
	// Anyone may query (the "publico" view must answer authoritatively for
	// the outside world), but cached answers are limited to local and LAN
	// clients. Together with "recursion no" in the "publico" view of
	// /etc/named/named_zones.conf this keeps the server from being an open
	// resolver.
        allow-query             { any; };
        allow-query-cache       { ipv4; ipv6; lan; };
        recursive-clients 3000;
        tcp-clients 2000;
        max-cache-size 256M;
	// Do not answer CHAOS-class version.bind / id.server queries, which
	// would otherwise reveal the BIND version to anyone.
        version none;
        server-id none;
 
 
	dnssec-enable yes;
	dnssec-validation yes;
	// DNSSEC Lookaside Validation. ISC decommissioned the DLV registry in
	// 2017 and recent BIND releases reject this option; remove it together
	// with bindkeys-file when upgrading past the 9.9 series used here.
	dnssec-lookaside auto;
 
	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
 
	managed-keys-directory "/var/named/dynamic";
 
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};
/*
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
*/
 
// Logging. default_syslog goes to facility local2, which the rsyslog rule on
// this page ("local2.*  /var/log/named.log") writes to its own file.
// audit_log is data/named.run under "directory" (/var/named); it receives the
// security category plus every query (category queries), so it records client
// addresses and grows quickly -- plan rotation and retention for it.
logging {
    channel default_syslog {
        syslog local2;
        severity debug;
    };
    channel audit_log {
	file "data/named.run";
        severity debug;
        print-time yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
 
// Views and zones live in a separate file (see below).
include "/etc/named/named_zones.conf";

Observe como colocamos um “include” (include “/etc/named/named_zones.conf”;) no fim do arquivo; isso porque queremos as zonas separadas do arquivo principal (named.conf).

# cat /etc/named/named_zones.conf 
// Two views. BIND tests views in order and the first match-clients hit wins,
// so "publico" explicitly excludes the internal ACLs; everything else falls
// through to "lan". Zone "file" paths are relative to the options
// "directory" in named.conf (/var/named).
//
// NOTE(review): as written, neither view matches the loopback addresses:
// 127.0.0.1/::1 are in acl ipv4/ipv6 (excluded from "publico") and are not
// in acl "lan". Queries from the host itself -- /etc/resolv.conf points at
// 127.0.0.1 -- would then be refused, although the "dig @localhost" test on
// this page does get an answer; confirm which configuration was active and
// consider `match-clients { lan; ipv4; ipv6; };` in the "lan" view.
view "publico" {
        // Every client that is not local or on the LAN. Authoritative only:
        // "recursion no" keeps this server from acting as an open resolver,
        // and only the public (203.0.113.0/24) zone data is served here.
        match-clients           { !lan; !ipv4; !ipv6; any; };
        recursion no;
 
zone "laboratorio.com.br" IN {
        type master;
        file "publico/laboratorio.db";
        };
 
zone "113.0.203.in-addr.arpa" IN {
        type master;
        file "publico/113-0-203.db";
        };
};
 
view "lan" {
        // LAN clients (acl "lan" in named.conf): recursive resolver with
        // root hints plus the internal copies of the zones.
        match-clients           { lan; };
        recursion yes;
 
// Root hints are only needed in this view, where recursion is enabled.
zone "." IN {
        type hint;
        file "named.ca";
};
 
zone "laboratorio.com.br" IN {
        type master;
        file "lan/laboratorio.db";
};
 
zone "2.0.192.in-addr.arpa" IN {
        type master;
        file "lan/2-0-192.db";
};
 
zone "e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa" IN {
        type master;
        file "lan/2001-db8-cafe.db";
        };
 
// Standard localhost/loopback zones and the root zone trust anchor used for
// DNSSEC validation, both limited to this view.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};
# chcon -u system_u -t named_conf_t named_zones.conf
# chown root:named named_zones.conf 

Rsyslog

# vim /etc/rsyslog.conf
[...]
local2.*                                                /var/log/named.log
# cd /var/named/
# mkdir lan
# mkdir publico
# chown named:named -R lan
# chown named:named -R publico
# chcon -u system_u -t named_cache_t lan
# chcon -u system_u -t named_cache_t publico

Zona direta lan

# cat /var/named/lan/laboratorio.db 
$TTL 172800
; Internal (lan view) copy of laboratorio.com.br. SOA: primary ns1, contact
; hostmaster@laboratorio.com.br (the first dot stands for "@").
; NOTE(review): expire (3600) is no larger than refresh/retry, so a secondary
; would discard the zone after a single failed refresh; RFC 1912 recommends
; expire values of weeks, not one hour.
@	IN	SOA	ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
		2015071001 ; serial -- increment on every later edit
		3600       ; refresh
		3600       ; retry
		3600       ; expire
		900 )      ; minimum (negative-caching TTL)
;; Name servers authoritative for this zone
; NOTE(review): the first NS is the apex itself, whose A record below is
; 192.0.2.50, but named on this page listens only on 192.0.2.100 (ns1).
; Unless 192.0.2.50 also runs a name server, remove this NS record.
@       IN      NS      laboratorio.com.br.
@	IN	NS	ns1.laboratorio.com.br.
@	IN	MX	10 mail.laboratorio.com.br.
;
; SPF. A blank owner column inherits the previous owner (@). The SPF RR type
; (99) is deprecated by RFC 7208; the TXT record is the one receivers use.
	IN      TXT     "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
        IN      SPF     "v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
;
; Hosts, internal addresses (192.0.2.0/24 and 2001:db8:cafe::/64).
ns1.laboratorio.com.br.		IN	A	192.0.2.100
			       	IN      AAAA    2001:db8:cafe::100
;
mail.laboratorio.com.br.	IN	A	192.0.2.240
				IN      AAAA    2001:db8:cafe::240
; Relative targets ("mail", "@") are expanded with the zone origin.
imap.laboratorio.com.br.	IN	CNAME	mail
smtp.laboratorio.com.br.	IN	CNAME	mail
pop.laboratorio.com.br.		IN	CNAME	mail
;
@                               IN      A       192.0.2.50
                                IN      AAAA    2001:db8:cafe::50
www.laboratorio.com.br.		IN	CNAME	@
# chcon -u system_u -t named_zone_t /var/named/lan/laboratorio.db 
# chown root:named /var/named/lan/laboratorio.db 
# named-checkzone laboratorio.com.br /var/named/lan/laboratorio.db 
zone laboratorio.com.br/IN: loaded serial 2015071001
OK

Zona reversa lan ipv4

# cat /var/named/lan/2-0-192.db 
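$TTL 172800
; Internal (lan view) reverse zone for 192.0.2.0/24. SOA: primary ns1,
; contact hostmaster@laboratorio.com.br (the first dot stands for "@").
; NOTE(review): expire (3600) is no larger than refresh/retry, so a secondary
; would discard the zone after a single failed refresh; RFC 1912 recommends
; expire values of weeks, not one hour.
@	IN	SOA	ns1.laboratorio.com.br.  hostmaster.laboratorio.com.br. (
		2015100501 ; serial -- increment on every later edit
		3600       ; refresh
		3600       ; retry
		3600       ; expire
		900 )      ; minimum (negative-caching TTL)
;; Name servers authoritative for this reverse zone
@		IN	NS	ns1.laboratorio.com.br.
;
; PTR owners are the last octet of the address. ns1 is 192.0.2.100 (its A
; record in lan/laboratorio.db and the enp0s3 address on this host), so its
; owner is 100; the original "200" pointed at an address no host uses.
100		IN	PTR	ns1.laboratorio.com.br.
240		IN	PTR	mail.laboratorio.com.br.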
# chcon -u system_u -t named_zone_t /var/named/lan/2-0-192.db
# chown root:named /var/named/lan/2-0-192.db
# named-checkzone 2.0.192.in-addr.arpa /var/named/lan/2-0-192.db 
zone 2.0.192.in-addr.arpa/IN: loaded serial 2015100501
OK

Zona reversa lan ipv6

# cat /var/named/lan/2001-db8-cafe.db
$TTL 172800
; Internal (lan view) reverse zone for 2001:db8:cafe::/48
; (origin e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa). SOA: primary ns1, contact
; hostmaster@laboratorio.com.br (the first dot stands for "@").
; NOTE(review): expire (3600) is no larger than refresh/retry; RFC 1912
; recommends expire values of weeks, not one hour.
@	IN	SOA	ns1.laboratorio.com.br.  hostmaster.laboratorio.com.br. (
		2015100501 ; serial -- increment on every later edit
		3600       ; refresh
		3600       ; retry
		3600       ; expire
		900 )      ; minimum (negative-caching TTL)
;; Name servers authoritative for this reverse zone
@		IN	NS	ns1.laboratorio.com.br.
;
; Owners are the 20 host nibbles of the address in reverse order (the /48
; prefix is the origin): ::100 -> "0.0.1.0" + sixteen zeros, ::240 -> "0.4.2.0"
; + sixteen zeros.
0.0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN    PTR    ns1.laboratorio.com.br.
0.4.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0    IN    PTR    mail.laboratorio.com.br.
# chcon -u system_u -t named_zone_t /var/named/lan/2001-db8-cafe.db 
# chown root:named /var/named/lan/2001-db8-cafe.db
# named-checkzone e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa /var/named/lan/2001-db8-cafe.db 
zone e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa/IN: loaded serial 2015100501
OK

Zona publica

# cat /var/named/publico/laboratorio.db 
$TTL 172800
; Public (publico view) copy of laboratorio.com.br, served to clients outside
; the LAN. SOA: primary ns1, contact hostmaster@laboratorio.com.br.
; NOTE(review): expire (3600) is no larger than refresh/retry, so a secondary
; would discard the zone after a single failed refresh; RFC 1912 recommends
; expire values of weeks, not one hour.
@	IN	SOA	ns1.laboratorio.com.br. hostmaster.laboratorio.com.br. (
		2015100501 ; serial -- increment on every later edit
		3600       ; refresh
		3600       ; retry
		3600       ; expire
		900 )      ; minimum (negative-caching TTL)
;; Name servers authoritative for this zone
; NOTE(review): the first NS is the apex itself, whose A record below is
; 203.0.113.50, while ns1 is 203.0.113.100. Unless 203.0.113.50 also runs a
; name server, remove this NS record -- external resolvers will try it.
@	IN	NS	laboratorio.com.br.
@	IN	NS	ns1.laboratorio.com.br.
@	IN	MX	10 mail.laboratorio.com.br.
;
; SPF. A blank owner column inherits the previous owner (@). The SPF RR type
; (99) is deprecated by RFC 7208; the TXT record is the one receivers use.
; No ip6 mechanism here, consistent with this view having no AAAA records.
	IN      TXT     "v=spf1 a mx ip4:203.0.113.240 -all"
        IN      SPF     "v=spf1 a mx ip4:203.0.113.240 -all"
;
; Hosts, public addresses (203.0.113.0/24).
ns1.laboratorio.com.br.		IN	A	203.0.113.100
mail.laboratorio.com.br.	IN	A	203.0.113.240
;
@                               IN      A       203.0.113.50
; "@" as a CNAME target expands to the zone origin.
www.laboratorio.com.br.		IN	CNAME	@
# chcon -u system_u -t named_zone_t /var/named/publico/laboratorio.db 
# chown root:named /var/named/publico/laboratorio.db
# named-checkzone laboratorio.com.br /var/named/publico/laboratorio.db 
zone laboratorio.com.br/IN: loaded serial 2015100501
OK

Zona reversa publica

# cat /var/named/publico/113-0-203.db 
$TTL 172800
; Public reverse zone for 203.0.113.0/24 (publico view). SOA: primary ns1,
; contact hostmaster@laboratorio.com.br (the first dot stands for "@").
; NOTE(review): a reverse zone for public address space only takes effect if
; the address holder delegates 113.0.203.in-addr.arpa to ns1 -- confirm the
; delegation exists; otherwise only clients querying ns1 directly see it.
; NOTE(review): expire (3600) is no larger than refresh/retry; RFC 1912
; recommends expire values of weeks, not one hour.
@	IN	SOA	ns1.laboratorio.com.br.  hostmaster.laboratorio.com.br. (
		2015100501 ; serial -- increment on every later edit
		3600       ; refresh
		3600       ; retry
		3600       ; expire
		900 )      ; minimum (negative-caching TTL)
;; Name servers authoritative for this reverse zone
@		IN	NS	ns1.laboratorio.com.br.
;
; PTR owners are the last octet of the address (ns1 = 203.0.113.100,
; mail = 203.0.113.240, matching the public forward zone).
100		IN	PTR	ns1.laboratorio.com.br.
240		IN	PTR	mail.laboratorio.com.br.
# chcon -u system_u -t named_zone_t /var/named/publico/113-0-203.db 
# chown root:named /var/named/publico/113-0-203.db 
# named-checkzone 113.0.203.in-addr.arpa /var/named/publico/113-0-203.db 
zone 113.0.203.in-addr.arpa/IN: loaded serial 2015100501
OK
# systemctl restart rsyslog.service
# systemctl reload named-chroot.service
# firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success

Testes

# dig -t A +short laboratorio.com.br
192.0.2.50
# dig -t AAAA +short laboratorio.com.br
2001:db8:cafe::50
# dig -t MX +short laboratorio.com.br
10 mail.laboratorio.com.br.
# dig +short mail.laboratorio.com.br
192.0.2.240
# dig +short -x 192.0.2.240
mail.laboratorio.com.br.
# dig -t TXT +short laboratorio.com.br
"v=spf1 a mx ip4:192.0.2.240 ip6:2001:db8:cafe::240 -all"
# dig @localhost laboratorio.com.br
 
; <<>> DiG 9.9.4-RedHat-9.9.4-18.el7_1.5 <<>> @localhost laboratorio.com.br
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7445
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
 
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;laboratorio.com.br.		IN	A
 
;; ANSWER SECTION:
laboratorio.com.br.	172800	IN	A	192.0.2.50
 
;; AUTHORITY SECTION:
laboratorio.com.br.	172800	IN	NS	ns1.laboratorio.com.br.
laboratorio.com.br.	172800	IN	NS	laboratorio.com.br.
 
;; ADDITIONAL SECTION:
laboratorio.com.br.	172800	IN	AAAA	2001:db8:cafe::50
ns1.laboratorio.com.br.	172800	IN	A	192.0.2.100
ns1.laboratorio.com.br.	172800	IN	AAAA	2001:db8:cafe::100
 
;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Seg Out 05 22:17:29 BRT 2015
;; MSG SIZE  rcvd: 167