Differences
The differences between two versions of the page are shown here.
centos:bind_c6 [06.10.2011 15:36] – spelling corrections, django | centos:bind_c6 [24.05.2014 18:45] – [Links], django
Zeile 1: | Zeile 1: | ||
+ | ====== BIND Nameserver unter CentOS 6 ====== | ||
+ | Mit BIND((Berkeley Internet Name Domain)) des [[http:// | ||
+ | |||
+ | DNS wurde in den beiden RFC 1034 und RFC 1035 definiert und bekam von der Internet Assigned Numbers Authority die beiden Ports 53/UDP und 53/TCP. | ||
+ | ===== Installation ===== | ||
+ | Zu erst installieren wir uns die beiden Pakete **bind** und **bind-chroot**. Letzters hilft uns, unseren DNS in einem chroot((change root))-Umgebung laufen zu lassen. | ||
+ | # yum install bind bind-chroot -y | ||
+ | ===== Grund-Konfiguration ===== | ||
+ | ==== RPM-Pakete ==== | ||
+ | Als erstes sehen uns wir mal an, was die beiden Pakete alles an Dateien mitbringen und vor allem wohin diese gespeichert worden sind. | ||
+ | === bind === | ||
+ | # rpm -qil bind | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Install Date: Mon 22 Aug 2011 01:33:07 PM CEST Build Host: c6b6.bsys.dev.centos.org | ||
+ | Group : System Environment/ | ||
+ | Size : 6695969 | ||
+ | Signature | ||
+ | Packager | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | BIND (Berkeley Internet Name Domain) is an implementation of the DNS | ||
+ | (Domain Name System) protocols. BIND includes a DNS server (named), | ||
+ | which resolves host names to IP addresses; a resolver library | ||
+ | (routines for applications to use when interfacing with DNS); and | ||
+ | tools for verifying that the DNS server is operating properly. | ||
+ | / | ||
+ | / | ||
+ | /etc/named | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | /var/named | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | === bind-chroot === | ||
+ | # rpm -qil bind-chroot | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Install Date: Mon 22 Aug 2011 01:33:10 PM CEST Build Host: c6b6.bsys.dev.centos.org | ||
+ | Group : System Environment/ | ||
+ | Size : 0 License: ISC | ||
+ | Signature | ||
+ | Packager | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | This package contains a tree of files which can be used as a | ||
+ | chroot(2) jail for the named(8) program from the BIND package. | ||
+ | Based on the code from Jan " | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | </ | ||
+ | ==== change root - Umgebung | ||
+ | Bei der Installation unserer **chroot**-Umgebung wurde automatisch die Konfigurationsdatei // | ||
+ | |||
+ | In der Konfigurationsdatei // | ||
+ | |||
+ | <file | / | ||
+ | # ~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
+ | # Currently, you can use the following options: | ||
+ | # | ||
+ | # ROOTDIR="/ | ||
+ | # you must set up the chroot environment | ||
+ | # (install the bind-chroot package) before | ||
+ | # doing this. | ||
+ | # NOTE: | ||
+ | # Those directories are automatically mounted to chroot if they are | ||
+ | # empty in the ROOTDIR directory. It will simplify maintenance of your | ||
+ | # | ||
+ | # - /var/named | ||
+ | # - / | ||
+ | # - /etc/named | ||
+ | # - / | ||
+ | # | ||
+ | # Those files are mounted as well if target file doesn' | ||
+ | # chroot. | ||
+ | # - / | ||
+ | # - / | ||
+ | # - / | ||
+ | # - / | ||
+ | # - / | ||
+ | # - / | ||
+ | # | ||
+ | # | ||
+ | # line to your / | ||
+ | # broken when rsyslogd daemon is restarted (due update, for example). | ||
+ | # | ||
+ | # OPTIONS=" | ||
+ | # at startup. Don't add -t here, use ROOTDIR instead. | ||
+ | # | ||
+ | # KEYTAB_FILE="/ | ||
+ | ROOTDIR=/ | ||
+ | </ | ||
+ | Beim Starten des named Daemon werden die betreffenden Konfigurationsdateien gemountet. Bei laufendem Daemon können wir uns ganz einfach überzeugen, | ||
+ | # df -ah | grep named | ||
+ | < | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | 7.2G 941M 6.0G 14% / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | 7.2G 941M 6.0G 14% / | ||
+ | </ | ||
+ | Beenden wir den Daemon erfolgt automatisch das Unmounten der betreffenden Konfigurationsverzeichnisse. | ||
+ | # service named stop && df -ah | grep named | ||
+ | |||
+ | | ||
+ | Wir können also bei der weiteren Konfiguration unser Augenmerk auf die Konfigurationsdatei **named.conf** im Verzeichnis **/etc** richten. | ||
+ | ==== rsyslogd | ||
+ | Darüber hinaus erfolgt hier auch ein Hinweis zum Anpassen des rsyslogd Daemon. | ||
+ | Wie in den Bemerkungen in der // | ||
+ | Hierzu öffnen wir mit dem Editor unserer Wahl die Konfigurationsdatei // | ||
+ | # vim / | ||
+ | <file | / | ||
+ | #rsyslog v3 config file | ||
+ | |||
+ | # if you experience problems, check | ||
+ | # http:// | ||
+ | |||
+ | #### MODULES #### | ||
+ | |||
+ | $ModLoad imuxsock.so # | ||
+ | $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) | ||
+ | #$ModLoad immark.so # provides --MARK-- message capability | ||
+ | |||
+ | # Provides UDP syslog reception | ||
+ | #$ModLoad imudp.so | ||
+ | # | ||
+ | |||
+ | # Provides TCP syslog reception | ||
+ | #$ModLoad imtcp.so | ||
+ | # | ||
+ | |||
+ | |||
+ | #### GLOBAL DIRECTIVES #### | ||
+ | |||
+ | # Use default timestamp format | ||
+ | $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat | ||
+ | |||
+ | # File syncing capability is disabled by default. This feature is usually not required, | ||
+ | # not useful and an extreme performance hit | ||
+ | # | ||
+ | |||
+ | # Django: 2011-08-22 | ||
+ | # Erweiterung für die chroot-Umgebung des bind Nameservers eingetragen | ||
+ | $AddUnixListenSocket / | ||
+ | |||
+ | |||
+ | #### RULES #### | ||
+ | |||
+ | # Log all kernel messages to the console. | ||
+ | # Logging much else clutters up the screen. | ||
+ | # | ||
+ | |||
+ | # Log anything (except mail) of level info or higher. | ||
+ | # Don't log private authentication messages! | ||
+ | *.info; | ||
+ | |||
+ | # The authpriv file has restricted access. | ||
+ | authpriv.* | ||
+ | |||
+ | # Log all the mail messages in one place. | ||
+ | mail.* | ||
+ | |||
+ | |||
+ | # Log cron stuff | ||
+ | cron.* | ||
+ | |||
+ | # Everybody gets emergency messages | ||
+ | *.emerg | ||
+ | |||
+ | # Save news errors of level crit and higher in a special file. | ||
+ | uucp, | ||
+ | |||
+ | # Save boot messages also to boot.log | ||
+ | local7.* | ||
+ | |||
+ | |||
+ | |||
+ | # ### begin forwarding rule ### | ||
+ | # The statement between the begin ... end define a SINGLE forwarding | ||
+ | # rule. They belong together, do NOT split them. If you create multiple | ||
+ | # forwarding rules, duplicate the whole block! | ||
+ | # Remote Logging (we use TCP for reliable delivery) | ||
+ | # | ||
+ | # An on-disk queue is created for this action. If the remote host is | ||
+ | # down, messages are spooled to disk and sent when it is up again. | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # remote host is: name/ | ||
+ | #*.* @@remote-host: | ||
+ | # ### end of the forwarding rule ### | ||
+ | </ | ||
+ | |||
+ | Zur Aktivierung unserer Änderung bedarf es nur noch eines Restarts des rsyslogd Daemon. | ||
+ | # service rsyslog restart | ||
+ | |||
+ | | ||
+ | | ||
+ | ==== SELinux ==== | ||
+ | In aller Regel werden wir auf die Dienste von **SELinux** in unserer vHOST-Installation verzichten können. Wir deaktivieren also, wenn noch nicht bereits bei der Erstinstallation erfolgt, SELinux komplett, indem wir in der Konfigurationsdatei unter // | ||
+ | |||
+ | # vim / | ||
+ | <file | / | ||
+ | # SELINUX= can take one of these three values: | ||
+ | # | ||
+ | # | ||
+ | # | ||
+ | # Django : 2011-08-22 SELinux deaktiviert | ||
+ | # default : SELINUX=enforcing | ||
+ | SELINUX=disabled | ||
+ | # SELINUXTYPE= can take one of these two values: | ||
+ | # | ||
+ | # mls - Multi Level Security protection. | ||
+ | SELINUXTYPE=targeted | ||
+ | </ | ||
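Review bot: switching SELinux off system-wide with `SELINUX=disabled` is a far wider change than this BIND setup needs; the file's own comment records that the default is `enforcing`, and the targeted policy (`SELINUXTYPE=targeted`, which is kept here) already ships a confinement domain for named, chroot included. Suggest leaving `SELINUX=enforcing` and, if something does not start, switching to `permissive` only temporarily so the denials get logged instead of the protection being removed for every service on the host.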
+ | ==== IPv6 ==== | ||
+ | Bei unserer Musterinstallation begnügen wir uns mit einer IPv4-Inststallation. In der Grundkonfiguration unseres bind Daemon sehen wir im Syslog, dass versucht wird auch jedesmal via IPv6 eine Anfrage zu starten. | ||
+ | Aug 22 14:45:30 vml000020 named[3376]: | ||
+ | Da wir aber (noch) keine IPv6-Anbindung haben, werden wir die IPv6 lookups einfach abstellen. | ||
+ | In unserer bind-Konfigurationsdatei // | ||
+ | # vim / | ||
+ | |||
+ | // | ||
+ | In der Datei // | ||
+ | # vim / | ||
+ | |||
+ | # Django : 2011-08-22 nur die IPv4-Unterstützung aktivieren | ||
+ | | ||
+ | |||
+ | Anschließend starten wir den Nameserver einmal durch, damit die Konfigurationsänderunegn auch greifen. | ||
+ | # service named restart | ||
+ | ==== iptables Paketfilter ==== | ||
+ | Nach dem Starten unseres named Daemon können wir mit Hilfe von**netstat** überprüfen, | ||
+ | # netstat -tulpen | grep named | ||
+ | < | ||
+ | tcp 0 0 10.0.10.1: | ||
+ | tcp 0 0 127.0.0.1: | ||
+ | tcp 0 0 127.0.0.1: | ||
+ | udp 0 0 10.0.0.20: | ||
+ | udp 0 0 10.0.10.1: | ||
+ | udp 0 0 127.0.0.1: | ||
+ | </ | ||
+ | Damit der Zugriff auf den Port 53 (TCP/UDP) auch erfolgen kann, müssen wir noch unseren Paketfilter i.d.R. erweitern. | ||
+ | Wir tragen hierzu in der Konfigurationsdatei // | ||
+ | |||
+ | < | ||
+ | -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT | ||
+ | -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT | ||
+ | # Django : 2011-08-22 bei Bedarf Logging aktivieren | ||
+ | #-A INPUT -j LOG | ||
+ | # Django : end | ||
+ | </ | ||
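Review bot: the two ACCEPT rules open 53/udp and 53/tcp to any source address, while the named.conf later on this page limits recursion to the `dmz` and `intra` ACLs (10.0.0.0/24 and 10.0.10.0/24); if the server is meant to answer only those networks, match them in the filter as well (`-s 10.0.0.0/24` and `-s 10.0.10.0/24` on each rule) so the packet filter and the BIND ACLs say the same thing. The commented `-A INPUT -j LOG` line sits after the ACCEPTs, so when enabled it logs every remaining INPUT packet; add a rate limit such as `-m limit --limit 5/min` to it before turning it on, otherwise the log fills quickly.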
+ | |||
+ | Anschließend aktivieren wir die Änderungen an unserem Paketfilter, | ||
+ | # service iptables restart | ||
+ | < | ||
+ | iptables: Setting chains to policy ACCEPT: filter nat [ OK ] | ||
+ | iptables: Unloading modules: | ||
+ | iptables: Applying firewall rules: | ||
+ | </ | ||
+ | ===== erweiterte Konfigurationen ===== | ||
+ | ==== caching-only Nameserver ==== | ||
+ | Im ersten Schritt wollen wir erst einmal einen caching-only Nameserver aufsetzen. Die mitgelieferte Konfigurationsdate // | ||
+ | # vim / | ||
+ | <file | / | ||
+ | // named.conf | ||
+ | // | ||
+ | // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS | ||
+ | // server as a caching only nameserver (as a localhost DNS resolver only). | ||
+ | // | ||
+ | // See / | ||
+ | // | ||
+ | |||
+ | options { | ||
+ | listen-on port 53 { 127.0.0.1; 10.0.0.0; 10.0.10.0 }; // Django : 2011-08-22 unsere Netzwerk- | ||
+ | | ||
+ | listen-on-v6 port 53 { ::1; }; | ||
+ | directory "/ | ||
+ | dump-file "/ | ||
+ | statistics-file "/ | ||
+ | memstatistics-file "/ | ||
+ | allow-query | ||
+ | | ||
+ | recursion yes; | ||
+ | |||
+ | // Django : 2011-08-22 dnssec erst einmal deaktiviert für den caching-only Betrieb | ||
+ | // dnssec-enable yes; | ||
+ | // dnssec-validation yes; | ||
+ | // dnssec-lookaside auto; | ||
+ | |||
+ | /* Path to ISC DLV key */ | ||
+ | // Django : 2011-08-22 bindkeys-file erst einmal deaktiviert für den caching-only Betrieb | ||
+ | // bindkeys-file "/ | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | channel default_debug { | ||
+ | file " | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type hint; | ||
+ | file " | ||
+ | }; | ||
+ | |||
+ | include "/ | ||
+ | |||
+ | </ | ||
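Review bot: `listen-on port 53 { 127.0.0.1; 10.0.0.0; 10.0.10.0 };` lists the network addresses of the two subnets, not addresses of this host; the netstat output on this page shows named bound to 10.0.0.20 and 10.0.10.1, and the intranet/DMZ named.conf further down uses exactly those, so this block should use them too (a listen-on entry for an address the host does not own is silently never bound). Commenting out `dnssec-enable` and `dnssec-validation` switches validation off for the caching-only stage; since the later configuration re-enables both, consider leaving them on from the start so the resolver does not hand out unvalidated answers in the meantime.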
+ | |||
+ | Nach der Bearbeitung startetn wir nun unseren Nameserver das erste mal. | ||
+ | # service named start | ||
+ | |||
+ | | ||
+ | Sollte wider Erwarten beim Starten etwas schief gelaufen sein, so ist der Syslog die Anlaufstelle für weitere Fehlermeldungen. Im Regelfall wird der erfolgreiche Start entsprechend quittiert. | ||
+ | < | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | get=x86_64-redhat-linux-gnu' | ||
+ | n' ' | ||
+ | --sharedstatedir=/ | ||
+ | nable-threads' | ||
+ | h-dlz-postgres=yes' | ||
+ | s=x86_64-unknown-linux-gnu' | ||
+ | e -Wall -Wp, | ||
+ | G_SIGCHASE' | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | Oct 6 11:16:08 vml000020 named[4010]: | ||
+ | < | ||
+ | |||
+ | In der named-eigenen Logdatei // | ||
+ | |||
+ | # less / | ||
+ | < | ||
+ | zone 1.0.0.127.in-addr.arpa/ | ||
+ | zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/ | ||
+ | zone localhost.localdomain/ | ||
+ | zone localhost/ | ||
+ | zone managed-keys.bind/ | ||
+ | running | ||
+ | </ | ||
+ | |||
+ | Nach dem Starten unseres named Daemon können wir mit Hilfe von**netstat** überprüfen, | ||
+ | # netstat -tulpen | grep named | ||
+ | tcp 0 0 10.0.0.20: | ||
+ | tcp 0 0 10.0.10.1: | ||
+ | tcp 0 0 127.0.0.1: | ||
+ | tcp 0 0 127.0.0.1: | ||
+ | udp 0 0 10.0.0.20: | ||
+ | udp 0 0 10.0.10.1: | ||
+ | udp 0 0 127.0.0.1: | ||
+ | </ | ||
+ | |||
+ | Dass der Daemon in einer chroot-Umgebung gestartet wurde sehen wir anhand folgender Ausgabe: | ||
+ | # ps aux | grep named | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | |||
+ | |||
+ | Nachdem unser nameserver nun läuft werden wir auch gleich mal unsere erste Abfrage tätigen | ||
+ | # | ||
+ | < | ||
+ | ; (2 servers found) | ||
+ | ;; global options: +cmd | ||
+ | ;; Got answer: | ||
+ | ;; ->> | ||
+ | ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0 | ||
+ | |||
+ | ;; QUESTION SECTION: | ||
+ | ; | ||
+ | |||
+ | ;; ANSWER SECTION: | ||
+ | heise.de. 3600 IN A 193.99.144.80 | ||
+ | |||
+ | ;; AUTHORITY SECTION: | ||
+ | heise.de. 86400 IN NS ns.s.plusline.de. | ||
+ | heise.de. 86400 IN NS ns.pop-hannover.de. | ||
+ | heise.de. 86400 IN NS ns2.pop-hannover.net. | ||
+ | heise.de. 86400 IN NS ns.plusline.de. | ||
+ | heise.de. 86400 IN NS ns.heise.de. | ||
+ | |||
+ | ;; Query time: 86 msec | ||
+ | ;; SERVER: 127.0.0.1# | ||
+ | ;; WHEN: Mon Aug 22 14:52:07 2011 | ||
+ | ;; MSG SIZE rcvd: 168 | ||
+ | </ | ||
+ | Die gleiche Abfrage mit Hilfe von **nslookup** sieht wie folgt aus: | ||
+ | # nslookup heise | ||
+ | < | ||
+ | Address: | ||
+ | |||
+ | Non-authoritative answer: | ||
+ | Name: | ||
+ | Address: 88.217.187.21</ | ||
+ | ==== Nameserver für Intranet und Demilitarized Zone ==== | ||
+ | Im folgenden Beispiel erweitern wir unsere [[centos: | ||
+ | * DMZ : dmz.nausch.org mit Netz: 10.0.0.0/24 | ||
+ | * Intranet : intra.nausch.org mit Netz: 10.0.10.0/ | ||
+ | === bind Konfiguration === | ||
+ | == named.conf == | ||
+ | Basierend auf den [[centos: | ||
+ | # vim / | ||
+ | <file | named.conf> | ||
+ | // | ||
+ | // named.conf | ||
+ | // | ||
+ | // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS | ||
+ | // server as a caching only nameserver (as a localhost DNS resolver only). | ||
+ | // | ||
+ | // See / | ||
+ | // | ||
+ | |||
+ | acl dmz { 10.0.0.0/ | ||
+ | acl intra { 10.0.10.0/ | ||
+ | |||
+ | options { | ||
+ | listen-on port 53 { 127.0.0.1; 10.0.0.20; 10.0.10.1; }; // Django : 2011-08-22 unsere Netzwerk- | ||
+ | | ||
+ | // listen-on-v6 port 53 { ::1; }; // IPv6 deaktiviert | ||
+ | directory "/ | ||
+ | dump-file "/ | ||
+ | statistics-file "/ | ||
+ | memstatistics-file "/ | ||
+ | allow-query | ||
+ | allow-recursion { localhost; dmz; intra; }; // die unseren Nameserver befragen dürfen | ||
+ | recursion yes; | ||
+ | |||
+ | query-source address * port *; // Django : 2011-10-05 | ||
+ | // unpriviligierten Port nutzen, wenn Anfragen | ||
+ | // nach extern gestellt werden | ||
+ | |||
+ | check-names master warn; | ||
+ | // Der Nameserver soll nur warnen und nicht | ||
+ | // abbrechen, wenn er eine Anfrage nicht | ||
+ | // beantworten kann. (Bsp. DKIM-keys) | ||
+ | |||
+ | auth-nxdomain no; // Django : 2011-10-05 | ||
+ | // RFC1035 Konforme Arbeit (keine alten | ||
+ | // Anfragen und Konfigurationen nutzen) | ||
+ | |||
+ | dnssec-enable yes; | ||
+ | dnssec-validation yes; | ||
+ | dnssec-lookaside auto; | ||
+ | |||
+ | /* Path to ISC DLV key */ | ||
+ | bindkeys-file "/ | ||
+ | }; | ||
+ | |||
+ | logging { | ||
+ | channel default_debug { | ||
+ | file " | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type hint; | ||
+ | file " | ||
+ | }; | ||
+ | |||
+ | include "/ | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { none; }; | ||
+ | }; | ||
+ | |||
+ | </ | ||
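Review bot: no `allow-transfer` statement appears in the options block or in any of the master zones, so every client that can reach port 53, the DMZ hosts included, can pull the complete intranet and DMZ zone data with a zone transfer; add `allow-transfer { none; };` to options (or list the secondaries that are entitled to it). The comment next to `check-names master warn;` misdescribes the directive: it has nothing to do with whether a query can be answered; it controls how named treats owner names in master zone data that violate hostname syntax, which is exactly why it matters for DKIM selector records under `_domainkey`, and `warn` loads such a zone with a log message instead of refusing it. `dnssec-lookaside auto;` points at the ISC DLV registry, which was shut down in 2017, so on any current BIND this line should be dropped.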
+ | Die einzelnen Zonen-Dateien legen wir im Verzeichnis // | ||
+ | * dmz-forward | ||
+ | * dmz-reverse | ||
+ | * intra-forward | ||
+ | * intra-reverse | ||
+ | * domain-forward | ||
+ | * domain-reverse | ||
+ | == dmz-forward == | ||
+ | Für die forward-Auflösung des Subnetzes **DMZ** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN dmz.nausch.org. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA vml000020.dmz.nausch.org. root.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 15M ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | IN | ||
+ | ; | ||
+ | fwe IN CNAME vml000010 | ||
+ | fwi IN CNAME vml000020 | ||
+ | time IN CNAME vml000020 | ||
+ | dns IN CNAME vml000020 | ||
+ | dhcp IN CNAME vml000020 | ||
+ | ; | ||
+ | localhost IN A 127.0.0.1 | ||
+ | ; | ||
+ | vml000010 IN A 10.0.0.10 | ||
+ | vml000020 IN A 10.0.0.20 | ||
+ | vml000030 IN A 10.0.0.30 | ||
+ | </ | ||
+ | == dmz-reverse == | ||
+ | Für die reverse-Auflösung des Subnetzes **DMZ** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN 0.0.10.in-addr.arpa. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA vml000020.dmz.nausch.org. root.nss.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 1H ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | @ IN NS vml000020.dmz.nausch.org. | ||
+ | ; | ||
+ | 10 IN PTR vml000010.dmz.nausch.org. | ||
+ | 20 IN PTR vml000020.dmz.nausch.org. | ||
+ | 30 IN PTR vml000030.dmz.nausch.org. | ||
+ | </ | ||
+ | == intra-forward == | ||
+ | Für die forward-Auflösung des Subnetzes **intra** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN intra.nausch.org. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA vml000020.dmz.nausch.org. root.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 15M ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | IN NS vml000020.dmz.nausch.org. | ||
+ | ; | ||
+ | proton IN CNAME pml010051 | ||
+ | ; | ||
+ | pml010001 IN A 10.0.10.1 | ||
+ | pml010051 IN A 10.0.10.51 | ||
+ | </ | ||
+ | == intra-reverse == | ||
+ | Für die reverse-Auflösung des Subnetzes **intra** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN 10.0.10.in-addr.arpa. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA vml000020.dmz.nausch.org. root.nss.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 1H ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | @ IN NS pml010001.intra.nausch.org. | ||
+ | ; | ||
+ | 1 IN PTR pml010001.intra.nausch.org. | ||
+ | 51 IN PTR pml010051.intra.nausch.org. | ||
+ | </ | ||
+ | == domain-forward == | ||
+ | Für die forward-Auflösung unserer eigenen Domäne **nausch.org** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN nausch.org. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA ns1.dmz.nausch.org. root.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 15M ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | IN NS ns1.dmz.nausch.org. | ||
+ | ; | ||
+ | ns1.dmz.nausch.org IN A 88.217.187.21 | ||
+ | ; | ||
+ | nausch.org. IN | ||
+ | *.nausch.org. IN | ||
+ | </ | ||
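Review bot: the glue record `ns1.dmz.nausch.org IN A 88.217.187.21` has no trailing dot, so under `$ORIGIN nausch.org.` its owner name expands to `ns1.dmz.nausch.org.nausch.org.`, and the NS record two lines above (absolute `ns1.dmz.nausch.org.`) gets no matching address from this zone; write the owner as `ns1.dmz.nausch.org.` or as the relative name `ns1.dmz`.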
+ | == domain-reverse == | ||
+ | Für die reverse-Auflösung unserer eigenen Domäne **nausch.org** legen wir uns eine Konfigurationsdatei nach folgendem Muster an. | ||
+ | <file | / | ||
+ | $ORIGIN 187.217.88.in-addr.arpa. | ||
+ | $TTL 86400 | ||
+ | @ IN SOA vml000020.dmz.nausch.org. root.nss.nausch.org. ( | ||
+ | 2011100501 ; | ||
+ | 3H ; refresh | ||
+ | 1H ; retry | ||
+ | 1W ; expiry | ||
+ | 1D ) ; minimum | ||
+ | ; | ||
+ | @ IN NS ns1.dmz.nausch.org. | ||
+ | ; | ||
+ | 21 IN PTR mx1.nausch.org. | ||
+ | </ | ||
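Review bot: `21 IN PTR mx1.nausch.org.` maps 88.217.187.21 back to mx1, while the domain-forward zone above assigns the same address to ns1.dmz.nausch.org; forward and reverse should agree, so either point the PTR at the name whose A record carries the address or make sure mx1.nausch.org has an A record for 88.217.187.21 in the forward zone, otherwise forward-confirmed reverse lookups by mail peers will not match. Note also that outside resolvers only ever reach this 187.217.88.in-addr.arpa zone if the owner of the address block delegates it to ns1; until then the PTR is visible to local clients only.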
+ | ===== Utilities rund um den Nameserver bind ===== | ||
+ | ==== Konfiguration überprüfen ==== | ||
+ | Möchte man die Konfiguration(sdatei) seinen bind-Nameservers überprüfen so nutzt man den Befehl **named-checkconf** | ||
+ | # named-checkconf | ||
+ | Benutzt man hierbei die Option //-p// wird, sofern keine Fehler existieren, die Konfigurationsdatei **named.conf** ohne Kommentare auf der Konsole ausgegeben. | ||
+ | # named-checkconf -p | ||
+ | < | ||
+ | bindkeys-file "/ | ||
+ | directory "/ | ||
+ | dump-file "/ | ||
+ | listen-on port 53 { | ||
+ | 127.0.0.1/ | ||
+ | 10.0.0.20/ | ||
+ | 10.0.10.1/ | ||
+ | }; | ||
+ | memstatistics-file "/ | ||
+ | statistics-file "/ | ||
+ | allow-recursion { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }; | ||
+ | auth-nxdomain no; | ||
+ | check-names master warn; | ||
+ | dnssec-enable yes; | ||
+ | dnssec-lookaside " | ||
+ | dnssec-validation yes; | ||
+ | query-source address 0.0.0.0 port 0; | ||
+ | recursion yes; | ||
+ | allow-query { | ||
+ | " | ||
+ | " | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | acl " | ||
+ | 10.0.0.0/ | ||
+ | }; | ||
+ | acl " | ||
+ | 10.0.10.0/ | ||
+ | }; | ||
+ | logging { | ||
+ | channel " | ||
+ | file " | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type hint; | ||
+ | file " | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | zone " | ||
+ | type master; | ||
+ | file " | ||
+ | allow-update { | ||
+ | " | ||
+ | }; | ||
+ | }; | ||
+ | </ | ||
+ | ==== Versionsabfrage ==== | ||
+ | Will man die Version eines Namservers abfragen, so kann man dies mit Hilfe folgenden Befehls erreichen. | ||
+ | # dig txt chaos version.bind | ||
+ | < | ||
+ | ;; global options: +cmd | ||
+ | ;; Got answer: | ||
+ | ;; ->> | ||
+ | ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 | ||
+ | ;; WARNING: recursion requested but not available | ||
+ | |||
+ | ;; QUESTION SECTION: | ||
+ | ; | ||
+ | |||
+ | ;; ANSWER SECTION: | ||
+ | version.bind. 0 CH TXT " | ||
+ | |||
+ | ;; AUTHORITY SECTION: | ||
+ | version.bind. 0 CH NS version.bind. | ||
+ | |||
+ | ;; Query time: 1 msec | ||
+ | ;; SERVER: 10.0.0.20# | ||
+ | ;; WHEN: Thu Oct 6 14:50:47 2011 | ||
+ | ;; MSG SIZE rcvd: 91 | ||
+ | </ | ||
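Review bot: the CHAOS `version.bind` query hands named's exact version string to anyone who can reach the server; a defender normally hides it with `version "not disclosed";` in the options block of named.conf (the query then returns that text instead), keeping the real number available only locally via `rpm -q bind`. The `;; WARNING: recursion requested but not available` line is expected here and not a fault: the CHAOS class answer is authoritative (`aa` set, `ra` absent in the flags line), never recursive.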
+ | ==== Zonenfiles überprüfen ==== | ||
+ | Will man (s)ein Zonenfile überprüfen und/oder die verwendete Seriennummer ausgeben, so nutz man den Befehl **named-checkzone** | ||
+ | # named-checkzone dmz.nausch.org / | ||
+ | |||
+ | zone dmz.nausch.org/ | ||
+ | OK | ||
+ | ==== Zonenfiles neu laden ==== | ||
+ | Das Neuladen der Zonenkonfigurationsdateien eines DNS-Server, ohne den DNS-Server neu starten zu müssen, erreicht man mit: | ||
+ | # rndc reload | ||
+ | ==== dnssec-tools ==== | ||
+ | # yum install dnssec-tools | ||
+ | |||
+ | FIXME | ||
+ | |||
+ | ====== Links ====== | ||
+ | * **[[wiki: | ||
+ | * **[[http:// | ||
+ | |||
+ | ~~DISCUSSION~~ | ||