

[draft] CentOS 7에서 BIND DNS 서버를 설치하고 설정하는 방법


CentOS 7에서 BIND DNS 서버를 설치하고 설정하는 방법(Install BIND DNS Server On CentOS 7)

테스트 환경

$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

1. BIND 설치

BIND 패키지 설치

  • bind : BIND 서버 패키지
  • bind-utils : DNS 클라이언트 명령어(nslookup, dig 등) 포함
sudo yum install -y bind bind-utils

BIND(named) 버전 확인

named -v
$ named -v
BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version) <id:7107deb>

BIND 서비스 활성화 및 시작

sudo systemctl --now enable named

BIND 서비스 상태 확인

sudo systemctl status named

---

$ sudo systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2023-10-23 14:45:19 KST; 9s ago
  Process: 1401 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1398 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1403 (named)
   CGroup: /system.slice/named.service
           └─1403 /usr/sbin/named -u named -c /etc/named.conf

Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Oct 23 14:45:19 localhost.localdomain named[1403]: resolver priming query complete

---


---

bind 패키지가 설치된 파일 목록 확인

rpm -ql bind

bind 파일 및 bind 명령어

rpm -ql bind | egrep -v 'share|lib|rwtab|sysconfig'
$ rpm -ql bind | egrep -v 'share|lib|rwtab|sysconfig'
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves

---

방화벽 설정(선택 사항)

  • DNS 서버가 외부에서 접근할 수 있도록 방화벽에서 포트 53(TCP/UDP)을 허용해야 합니다. 인터넷에 노출되는 서버라면 53번 포트를 열기 전에 named.conf에서 재귀 질의(allow-recursion, allow-query-cache)를 신뢰하는 네트워크로 제한해야 합니다. 그렇지 않으면 누구나 사용할 수 있는 오픈 리졸버(open resolver)가 되어 DNS 증폭 공격에 악용될 수 있습니다.
sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --permanent --add-port=53/udp
sudo firewall-cmd --reload

2. BIND 설정

설정 파일 백업

sudo cp /etc/named.conf /etc/named.conf.bak

named 설정 파일

vim /etc/named.conf

---

cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { 127.0.0.1; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { localhost; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

---

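// Hosts allowed to use this server as a recursive (caching) resolver.
// 192.168.10.0/24 is presumably the LAN of ns1 (192.168.10.201 in the
// scbyun.com zone file) — adjust to your own client networks.
acl "trusted" {
	localhost;
	192.168.10.0/24;
};

options {
	listen-on port 53 { any; };
	directory	"/var/named";
	dump-file	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";

	// Authoritative data (the scbyun.com zone) may be answered to anyone.
	allow-query       { any; };

	// Recursion and cache access are restricted to trusted networks.
	// Listening on "any" with "allow-query-cache { any; }" and
	// "recursion yes;" would make this an open resolver that can be
	// abused for DNS amplification attacks — exactly the warning in the
	// stock named.conf comment that was removed from this configuration.
	allow-recursion   { trusted; };
	allow-query-cache { trusted; };

	// BIND 9.11 allows zone transfers (AXFR) to anyone unless restricted;
	// an unrestricted transfer lets an outsider enumerate the whole zone.
	// Add the addresses of secondary servers here if you have any.
	allow-transfer    { none; };

	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Root zone trust anchors (managed-keys), provided by the bind package;
	   this is not an ISC DLV key — DLV was decommissioned in 2017. */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";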

named zone 설정 파일

vim /etc/named.rfc1912.zones

---

cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "localhost.localdomain" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

zone "0.in-addr.arpa" IN {
	type master;
	file "named.empty";
	allow-update { none; };
};

---

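zone "localhost" IN {
	type master;
	file "named.localhost";
	allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
	type master;
	file "named.loopback";
	allow-update { none; };
};

// Authoritative zone for scbyun.com, served from /var/named/scbyun.com.zone.
zone "scbyun.com" IN {
        type master;
        file "scbyun.com.zone";
        // Reject dynamic (RFC 2136) updates; the zone is edited by hand.
        allow-update { none; };
        // BIND 9.11 permits AXFR to any client by default, which exposes the
        // full zone contents. List secondary servers here if you add any.
        allow-transfer { none; };
};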

named.root.key 설정 파일

vim /etc/named.root.key
$ cat /etc/named.root.key
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # These keys are activated by setting "dnssec-validation auto;"
        # in named.conf.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new # one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                R1AkUTV74bU=";
};

localhost 도메인

vim /var/named/named.localhost
$ cat /var/named/named.localhost
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1

127.0.0.1 도메인

vim /var/named/named.loopback
$ cat /var/named/named.loopback
$TTL 1D
@	IN SOA	@ rname.invalid. (
					0	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	NS	@
	A	127.0.0.1
	AAAA	::1
	PTR	localhost.

scbyun.com 도메인

vim /var/named/scbyun.com.zone
$ cat /var/named/scbyun.com.zone
$TTL 60
@	IN SOA	@ root.scbyun.com. (
					2024010101	; serial
					3600		; refresh
					1800		; retry
					1209600		; expire
					86400 )		; minimum
;
;
@       		IN  NS      ns1.scbyun.com.
@       		IN  A       192.168.10.201
ns1     		IN  A       192.168.10.201
www     		IN  A       192.168.10.201

설정 파일 저장 및 검사

  • 설정 파일의 유효성을 확인할 수 있습니다.
sudo named-checkconf

또는

sudo named-checkconf -z
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone scbyun.com/IN: loaded serial 2024010101

DNS 서비스 재시작

  • 설정을 적용하려면 BIND DNS 서비스를 다시 시작합니다.
sudo systemctl restart named

rndc 명령어

rndc status
$ rndc status
version: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version) <id:7107deb>
running on ns1: Linux x86_64 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024
boot time: Sat, 05 Oct 2024 07:39:25 GMT
last configured: Sat, 05 Oct 2024 07:39:25 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 103 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 2/150
server is up and running

3. DNS 서비스 테스트(질의 테스트)

bind-utils(dig 명령) 패키지 설치 — 1. BIND 설치 단계에서 bind-utils를 함께 설치했다면 이 단계는 건너뛰어도 됩니다.

sudo yum install -y bind-utils

정방향 질의

dig @127.0.0.1 localhost
$ dig @127.0.0.1 localhost

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;localhost.			IN	A

;; ANSWER SECTION:
localhost.		86400	IN	A	127.0.0.1

;; AUTHORITY SECTION:
localhost.		86400	IN	NS	localhost.

;; ADDITIONAL SECTION:
localhost.		86400	IN	AAAA	::1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:18:41 KST 2023
;; MSG SIZE  rcvd: 96

역방향 질의

dig @127.0.0.1 -x 127.0.0.1
$ dig @127.0.0.1 -x 127.0.0.1

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 -x 127.0.0.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.		IN	PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	PTR	localhost.

;; AUTHORITY SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	NS	1.0.0.127.in-addr.arpa.

;; ADDITIONAL SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	A	127.0.0.1
1.0.0.127.in-addr.arpa.	86400	IN	AAAA	::1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:19:12 KST 2023
;; MSG SIZE  rcvd: 132
dig @127.0.0.1 1.0.0.127.in-addr.arpa
$ dig @127.0.0.1 1.0.0.127.in-addr.arpa

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 1.0.0.127.in-addr.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60002
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.		IN	A

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	A	127.0.0.1

;; AUTHORITY SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	NS	1.0.0.127.in-addr.arpa.

;; ADDITIONAL SECTION:
1.0.0.127.in-addr.arpa.	86400	IN	AAAA	::1

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:19:48 KST 2023
;; MSG SIZE  rcvd: 109

 

BIND DNS 서버가 CentOS 7에 성공적으로 설치되었으며 DNS 존 및 포워딩 구성을 추가하여 원하는 도메인에 대한 DNS 서비스를 제공할 수 있습니다.

 

옵션 { 수신 대기 포트 53 { 모두; }; 디렉토리 "/var/named"; 덤프 파일 "/var/named/data/cache_dump.db"; 통계 파일 "/var/named/data/named_stats.txt"; memstatistics-파일 "/var/named/data/named_mem_stats.txt"; 반복 파일 "/var/named/data/named.recursing"; secroots-파일 "/var/named/data/named.secroots"; 쿼리 허용 { localhost; 어느; }; 허용 쿼리 캐시 { localhost; 어느; }; 재귀 예; dnssec-활성화 예; dnssec-검증 예; /* ISC DLV 키 경로 */bindkeys-file "/etc/named.root.key"; 관리되는 키 디렉토리 "/var/named/dynamic"; pid 파일 "/run/named/named.pid"; 세션 키 파일 "/run/named/session.key"; }; 로깅 { 채널 default_debug { 파일 "data/named.run"; 심각도 동적; }; }; 구역 "." IN { 힌트 입력; 파일 "named.ca"; }; "/etc/named.rfc1912.zones"를 포함합니다. "/etc/named.root.key"를 포함합니다.
 