Các bước triển khai một máy chủ DNS cơ bản sử dụng phần mềm Bind
I. Cài đặt phần mềm Bind.
- Download gói cài:
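# Fetch the tarball together with ISC's detached PGP signature and verify it
# before building: the tarball alone carries no integrity check. gpg needs
# ISC's release-signing key in the keyring for --verify to succeed.
# NOTE(review): the 9.11 branch is end-of-life; prefer a currently supported
# BIND branch for anything beyond a throwaway lab.
wget https://downloads.isc.org/isc/bind9/9.11.22/bind-9.11.22.tar.gz
wget https://downloads.isc.org/isc/bind9/9.11.22/bind-9.11.22.tar.gz.asc
gpg --verify bind-9.11.22.tar.gz.asc bind-9.11.22.tar.gz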
- Giải nén
# Unpack and run the autoconf configure script. With no --prefix the build
# installs under /usr/local (named and named-checkconf are invoked from
# /usr/local/sbin later on this page).
#tar -zxvf bind-9.11.22.tar.gz
#cd bind-9.11.22/
#./configure
Trường hợp báo thiếu gói gì thì cài thêm gói đó
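# configure needs the OpenSSL development headers; install that package by
# name instead of an unquoted "openssl*" glob, which the shell would first
# try to expand against files in the current directory and which otherwise
# pulls in every package whose name starts with openssl.
yum install -y openssl-devel
./configure
make
make install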
[root@dns-root named]# named -v
BIND 9.11.22 (Extended Support Version) <id:6a05a96>
[root@dns-root named]#
Soạn nội dung file /etc/named.conf
Trong trường hợp giả lập máy chủ root . thì khai như sau
[root@dns-root named]# more /etc/named.conf
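options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	directory "/var/named";
	// named keeps managed-keys.bind and its journal in "directory" unless
	// told otherwise (see the ls -l listing of /var/named on this page).
	// Pointing them at the named-owned dynamic/ lets the daemon run as
	// -u named without write access to the zone directory itself.
	managed-keys-directory "/var/named/dynamic";
	// Authoritative-only mock root: anyone may query, nobody may recurse,
	// so this is not an open resolver.
	allow-query { any; };
	recursion no;
	// BIND's default allow-transfer is "any": without this line every client
	// can AXFR the whole root zone. List explicit secondaries here if needed.
	allow-transfer { none; };
	dnssec-enable yes;
	// NOTE(review): validation only happens on recursive lookups, which are
	// disabled above, so this setting is harmless but does nothing here.
	dnssec-validation yes;
	pid-file "/run/named/named.pid";
};
logging {
	channel log_query {
		file "data/log_query" versions 3 size 100m;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel log_query_syslog {
		syslog daemon;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
	category "queries" { "log_query"; "log_query_syslog"; };
	category "default" { "default_debug"; };
	category "security" { "default_debug"; };
	category "config" { "default_debug"; };
	category "notify" { "default_debug"; };
	category "lame-servers" { "default_debug"; };
};
// Lab-only: this host pretends to be the root zone (see db.root below).
zone "." IN {
	type master;
	file "db.root";
};
include "/etc/named.rfc1912.zones";
// Trust anchors for the (real) root; only meaningful on a recursive server.
include "/etc/named.root.key";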
[root@dns-root named]#
Soạn file db.root, trong đó giả lập 13 máy chủ root đều trỏ về 1 IP: 192.168.206.136
[root@dns-root named]# more db.root
; Lab-only root zone: all 13 root-server names resolve to the single host
; 192.168.206.136 so a test resolver can be pointed at this box instead of
; the Internet root. The zone carries no DNSKEY/RRSIG, so a validating
; resolver that trusts the real root anchors will not validate answers
; from it.
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. (
2020082101 ;serial
1800 ;refresh
900 ;retry
604800 ;expire
86400 ;minimum
);
. 518400 IN NS a.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS g.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS m.root-servers.net.
; Glue: every root-server name points at the lab host. The real IPv6
; addresses are kept but commented out (presumably no IPv6 in the lab;
; verify before enabling them, otherwise clients would leave the lab).
a.root-servers.net. 518400 IN A 192.168.206.136
;a.root-servers.net. 518400 IN AAAA 2001:503:ba3e:0:0:0:2:30
b.root-servers.net. 518400 IN A 192.168.206.136
;b.root-servers.net. 518400 IN AAAA 2001:500:200:0:0:0:0:b
c.root-servers.net. 518400 IN A 192.168.206.136
;c.root-servers.net. 518400 IN AAAA 2001:500:2:0:0:0:0:c
d.root-servers.net. 518400 IN A 192.168.206.136
;d.root-servers.net. 518400 IN AAAA 2001:500:2d:0:0:0:0:d
e.root-servers.net. 518400 IN A 192.168.206.136
;e.root-servers.net. 518400 IN AAAA 2001:500:a8:0:0:0:0:e
f.root-servers.net. 518400 IN A 192.168.206.136
;f.root-servers.net. 518400 IN AAAA 2001:500:2f:0:0:0:0:f
g.root-servers.net. 518400 IN A 192.168.206.136
;g.root-servers.net. 518400 IN AAAA 2001:500:12:0:0:0:0:d0d
h.root-servers.net. 518400 IN A 192.168.206.136
;h.root-servers.net. 518400 IN AAAA 2001:500:1:0:0:0:0:53
i.root-servers.net. 518400 IN A 192.168.206.136
;i.root-servers.net. 518400 IN AAAA 2001:7fe:0:0:0:0:0:53
j.root-servers.net. 518400 IN A 192.168.206.136
;j.root-servers.net. 518400 IN AAAA 2001:503:c27:0:0:0:2:30
k.root-servers.net. 518400 IN A 192.168.206.136
;k.root-servers.net. 518400 IN AAAA 2001:7fd:0:0:0:0:0:1
l.root-servers.net. 518400 IN A 192.168.206.136
;l.root-servers.net. 518400 IN AAAA 2001:500:9f:0:0:0:0:42
m.root-servers.net. 518400 IN A 192.168.206.136
;m.root-servers.net. 518400 IN AAAA 2001:dc3:0:0:0:0:0:35
[root@dns-root named]#
[root@dns-root named]# ls -l
total 28
drwxrwxrwx. 7 root named 61 Aug 19 10:21 chroot
drwxrwxrwx. 2 named named 40 Aug 21 22:13 data
-rwxrwxrwx. 1 root root 2032 Aug 21 22:09 db.root
drwxrwxrwx. 2 named named 6 Apr 1 08:35 dynamic
-rw-r--r--. 1 root root 1349 Aug 21 22:14 managed-keys.bind
-rw-r--r--. 1 root root 512 Aug 21 22:14 managed-keys.bind.jnl
-rwxrwxrwx. 1 root named 2253 Apr 5 2018 named.ca
-rwxrwxrwx. 1 root named 152 Dec 15 2009 named.empty
-rwxrwxrwx. 1 root named 152 Jun 21 2007 named.localhost
-rwxrwxrwx. 1 root named 168 Dec 15 2009 named.loopback
drwxrwxrwx. 2 named named 6 Apr 1 08:35 slaves
Đối với bind chuẩn, sẽ có thêm 2 file cho các zone
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
trong đó có 5 zone tiêu chuẩn (localhost, localhost.localdomain, hai zone loopback 127.0.0.1/::1 và 0.in-addr.arpa). Không khai 5 zone này hệ thống vẫn hoạt động, nhưng nên giữ lại: chúng trả lời tại chỗ các truy vấn về localhost/loopback thay vì chuyển ra ngoài, như nêu trong RFC 1912 mục 4.1.
[root@dns-root named]# more /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
[root@dns-root named]#
Trường hợp máy chủ caching (đệ quy) thì phải khai thêm trust anchor (khoá DNSSEC) của root zone. Lưu ý file dưới đây có từ đợt đổi KSK năm 2017 (chính chú thích trong file nói khoá 19036 đang bị loại bỏ): cần lấy anchor hiện hành từ địa chỉ IANA ghi trong file, hoặc dùng `dnssec-validation auto;` để named dùng anchor tích hợp sẵn và tự cập nhật. Với máy chủ root giả lập ở trên thì anchor này không có tác dụng: db.root không được ký nên resolver kiểm tra DNSSEC bằng anchor thật sẽ không xác thực được câu trả lời từ nó.
[root@dns-root named]# more /etc/named.root.key
managed-keys {
# NOTE(review): this anchor file dates from the 2017 KSK rollover (its own
# comments below say key 19036 is being phased out). Refresh it from the
# IANA URL below, or use "dnssec-validation auto" so named starts from its
# built-in anchor and keeps it current automatically, as described below.
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key should roll to the
# new # one seamlessly. Servers being set up for the first time
# can use either of the keys in this file to verify the root keys
# for the first time; thereafter the keys in the zone will be
# trusted and maintained automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
[root@dns-root named]#
Kiểm tra file cấu hình, nếu có lỗi gì sẽ thông báo lỗi, không lỗi thì không báo gì
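# -z also loads every zone the config references, so a broken zone file is
# caught here too (in addition to the named-checkzone run below). Exits
# non-zero and prints the error on failure, prints nothing when clean.
/usr/local/sbin/named-checkconf -z /etc/named.conf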
Kiểm tra zone, có lỗi gì thì sẽ báo nơi và lỗi, còn không sẽ báo OK
# Check the mock root zone: first argument is the zone origin ("."), second
# the file; reports the offending line on error, "OK" otherwise.
#/usr/local/sbin/named-checkzone . /var/named/db.root
Start named
# NOTE(review): started this way named keeps running as root (the ps output
# further down shows "root ... /usr/local/sbin/named"). Use the -u named
# form below instead.
#/usr/local/sbin/named -c /etc/named.conf
Nên luôn chạy named dưới user không đặc quyền `named` bằng cách thêm `-u named` (lệnh ở trên và kết quả `ps` bên dưới cho thấy named đang chạy bằng root). Trước đó phải sửa quyền thư mục /var/named: kết quả `ls -l` ở trên cho thấy thư mục và file db.root đang ở chế độ 777, tức mọi user cục bộ trên máy đều sửa được zone root mà máy chủ này phục vụ.
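# Tighten /var/named before starting: the ls -l listing on this page shows
# 0777 on the zone directory and on db.root, so any local user could rewrite
# the root zone this server hands out. named only needs read access to the
# zone files and write access in data/ (query log), dynamic/ and slaves/,
# plus the directory itself because managed-keys.bind and its journal are
# created there (unless managed-keys-directory points elsewhere).
chown -R root:named /var/named
chmod 770 /var/named
chmod 640 /var/named/db.root /var/named/named.ca /var/named/named.empty \
  /var/named/named.localhost /var/named/named.loopback
chmod 770 /var/named/data /var/named/dynamic /var/named/slaves
# chroot/ is also 0777 in the listing but is not used here (no -t); fix it
# separately once you know what it contains.
# The pid file configured in named.conf lives under /run/named; make sure
# that directory exists and is writable by the named user, otherwise named
# may fail to start once it has dropped privileges (verify on your host).
install -d -o named -g named -m 755 /run/named
# -u named: named binds port 53 as root, then switches to this user.
/usr/local/sbin/named -c /etc/named.conf -u named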
[root@dns-root named]# ps -ef | grep named
root 76797 1 0 22:13 ? 00:00:00 /usr/local/sbin/named -c /etc/named.conf
Kiểm tra. Ngoài truy vấn A bên dưới, nên thử `dig @192.168.206.136 . AXFR`: nếu options đã có `allow-transfer { none; };` thì yêu cầu này phải bị REFUSED; mặc định của BIND là cho phép mọi client kéo toàn bộ zone.
[root@dns-root named]# dig @192.168.206.136 a.root-servers.net
; <<>> DiG 9.11.22 <<>> @192.168.206.136 a.root-servers.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4825
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 13
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: af65ffdae3b1ff9fccc38e7c5f3fecaad993d8a062b57721 (good)
;; QUESTION SECTION:
;a.root-servers.net. IN A
;; ANSWER SECTION:
a.root-servers.net. 518400 IN A 192.168.206.136
;; AUTHORITY SECTION:
. 518400 IN NS g.root-servers.net.
. 518400 IN NS d.root-servers.net.
. 518400 IN NS a.root-servers.net.
. 518400 IN NS h.root-servers.net.
. 518400 IN NS k.root-servers.net.
. 518400 IN NS f.root-servers.net.
. 518400 IN NS i.root-servers.net.
. 518400 IN NS c.root-servers.net.
. 518400 IN NS l.root-servers.net.
. 518400 IN NS j.root-servers.net.
. 518400 IN NS e.root-servers.net.
. 518400 IN NS b.root-servers.net.
. 518400 IN NS m.root-servers.net.
;; ADDITIONAL SECTION:
b.root-servers.net. 518400 IN A 192.168.206.136
c.root-servers.net. 518400 IN A 192.168.206.136
d.root-servers.net. 518400 IN A 192.168.206.136
e.root-servers.net. 518400 IN A 192.168.206.136
f.root-servers.net. 518400 IN A 192.168.206.136
g.root-servers.net. 518400 IN A 192.168.206.136
h.root-servers.net. 518400 IN A 192.168.206.136
i.root-servers.net. 518400 IN A 192.168.206.136
j.root-servers.net. 518400 IN A 192.168.206.136
k.root-servers.net. 518400 IN A 192.168.206.136
l.root-servers.net. 518400 IN A 192.168.206.136
m.root-servers.net. 518400 IN A 192.168.206.136
;; Query time: 4 msec
;; SERVER: 192.168.206.136#53(192.168.206.136)
;; WHEN: Fri Aug 21 22:47:54 +07 2020
;; MSG SIZE rcvd: 476
[root@dns-root named]#