728x90
CentOS 7에서 BIND DNS 서버를 설치하고 설정하는 방법(Install BIND DNS Server On CentOS 7)
테스트 환경
$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
1. BIND 설치
BIND 패키지 설치
- bind : BIND 서버 패키지
- bind-utils : DNS 클라이언트 명령어(nslookup, dig 등) 포함
sudo yum install -y bind bind-utils
BIND(named) 버전 확인
named -v
$ named -v
BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version) <id:7107deb>
BIND 서비스 활성화 및 시작
sudo systemctl --now enable named
BIND 서비스 상태 확인
sudo systemctl status named
더보기
---
$ sudo systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2023-10-23 14:45:19 KST; 9s ago
Process: 1401 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)
Process: 1398 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 1403 (named)
CGroup: /system.slice/named.service
└─1403 /usr/sbin/named -u named -c /etc/named.conf
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:7fe::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:7fe::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './DNSKEY/IN': 2001:500:1::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: network unreachable resolving './NS/IN': 2001:500:1::53#53
Oct 23 14:45:19 localhost.localdomain named[1403]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Oct 23 14:45:19 localhost.localdomain named[1403]: resolver priming query complete
---
더보기
---
bind 패키지가 설치된 파일 목록 확인
rpm -ql bind
bind 파일 및 bind 명령어
rpm -ql bind | egrep -v 'share|lib|rwtab|sysconfig'
$ rpm -ql bind | egrep -v 'share|lib|rwtab|sysconfig'
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/named.root.key
/etc/rndc.conf
/etc/rndc.key
/run/named
/usr/bin/arpaname
/usr/bin/named-rrchecker
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-checkds
/usr/sbin/dnssec-coverage
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-importkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-keymgr
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/dnssec-verify
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/sbin/tsig-keygen
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
---
방화벽 설정(선택 사항)
- DNS 서버가 외부에서 접근할 수 있도록 방화벽에서 포트 53을 허용해야 합니다.
sudo firewall-cmd --permanent --add-port=53/tcp
sudo firewall-cmd --permanent --add-port=53/udp
sudo firewall-cmd --reload
2. BIND 설정
설정 파일 백업
sudo cp /etc/named.conf /etc/named.conf.bak
named 설정 파일
vim /etc/named.conf
더보기
---
cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
---
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; any; };
allow-query-cache { localhost; any; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
named zone 설정 파일
vim /etc/named.rfc1912.zones
더보기
---
cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
---
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "scbyun.com" IN {
type master;
file "scbyun.com.zone";
allow-update { none; };
};
named.root.key 설정 파일
vim /etc/named.root.key
$ cat /etc/named.root.key
managed-keys {
# ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
# for current trust anchor information.
#
# These keys are activated by setting "dnssec-validation auto;"
# in named.conf.
#
# This key (19036) is to be phased out starting in 2017. It will
# remain in the root zone for some time after its successor key
# has been added. It will remain this file until it is removed from
# the root zone.
. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
QxA+Uk1ihz0=";
# This key (20326) is to be published in the root zone in 2017.
# Servers which were already using the old key should roll to the
# new # one seamlessly. Servers being set up for the first time
# can use either of the keys in this file to verify the root keys
# for the first time; thereafter the keys in the zone will be
# trusted and maintained automatically.
. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
R1AkUTV74bU=";
};
728x90
locahost 도메인
vim /var/named/named.localhost
$ cat /var/named/named.localhost
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
127.0.0.1 도메인
vim /var/named/named.loopback
$ cat /var/named/named.loopback
$TTL 1D
@ IN SOA @ rname.invalid. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
NS @
A 127.0.0.1
AAAA ::1
PTR localhost.
scyun.com 도메인
vim /var/named/scbyun.com.zone
$ cat /var/named/scbyun.com.zone
$TTL 60
@ IN SOA @ root.scbyun.com. (
2024010101 ; serial
3600 ; refresh
1800 ; retry
1209600 ; expire
86400 ) ; minimum
;
;
@ IN NS ns1.scbyun.com.
@ IN A 192.168.10.201
ns1 IN A 192.168.10.201
www IN A 192.168.10.201
설정 파일 저장 및 검사
- 설정 파일의 유효성을 확인할 수 있습니다.
sudo named-checkconf
또는
sudo named-checkconf -z
zone localhost/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone scbyun.com/IN: loaded serial 2024010101
DNS 서비스 재시작
- 설정을 적용하려면 BIND DNS 서비스를 다시 시작합니다.
sudo systemctl restart named
rndc 명령어
rndc status
$ rndc status
version: BIND 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.16 (Extended Support Version) <id:7107deb>
running on ns1: Linux x86_64 3.10.0-1160.119.1.el7.x86_64 #1 SMP Tue Jun 4 14:43:51 UTC 2024
boot time: Sat, 05 Oct 2024 07:39:25 GMT
last configured: Sat, 05 Oct 2024 07:39:25 GMT
configuration file: /etc/named.conf
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 103 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 2/150
server is up and running
3. DNS 서비스 테스트(질의 테스트)
bind-utils(dig 명령) 패키지 설치
sudo yum install -y bind-utils
정방향 질의
dig @127.0.0.1 localhost
$ dig @127.0.0.1 localhost
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 localhost
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57712
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;localhost. IN A
;; ANSWER SECTION:
localhost. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
localhost. 86400 IN NS localhost.
;; ADDITIONAL SECTION:
localhost. 86400 IN AAAA ::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:18:41 KST 2023
;; MSG SIZE rcvd: 96
역방향 질의
dig @127.0.0.1 -x 127.0.0.1
$ dig @127.0.0.1 -x 127.0.0.1
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 -x 127.0.0.1
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 594
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa. IN PTR
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400 IN PTR localhost.
;; AUTHORITY SECTION:
1.0.0.127.in-addr.arpa. 86400 IN NS 1.0.0.127.in-addr.arpa.
;; ADDITIONAL SECTION:
1.0.0.127.in-addr.arpa. 86400 IN A 127.0.0.1
1.0.0.127.in-addr.arpa. 86400 IN AAAA ::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:19:12 KST 2023
;; MSG SIZE rcvd: 132
dig @127.0.0.1 127.in-addr.arpa
$ dig @127.0.0.1 1.0.0.127.in-addr.arpa
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @127.0.0.1 1.0.0.127.in-addr.arpa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60002
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa. IN A
;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 86400 IN A 127.0.0.1
;; AUTHORITY SECTION:
1.0.0.127.in-addr.arpa. 86400 IN NS 1.0.0.127.in-addr.arpa.
;; ADDITIONAL SECTION:
1.0.0.127.in-addr.arpa. 86400 IN AAAA ::1
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan 14 00:19:48 KST 2023
;; MSG SIZE rcvd: 109
BIND DNS 서버가 CentOS 7에 성공적으로 설치되었으며 DNS 존 및 포워딩 구성을 추가하여 원하는 도메인에 대한 DNS 서비스를 제공할 수 있습니다.
옵션 { 수신 대기 포트 53 { 모두; }; 디렉토리 "/var/named"; 덤프 파일 "/var/named/data/cache_dump.db"; 통계 파일 "/var/named/data/named_stats.txt"; memstatistics-파일 "/var/named/data/named_mem_stats.txt"; 반복 파일 "/var/named/data/named.recursing"; secroots-파일 "/var/named/data/named.secroots"; 쿼리 허용 { localhost; 어느; }; 허용 쿼리 캐시 { localhost; 어느; }; 재귀 예; dnssec-활성화 예; dnssec-검증 예; /* ISC DLV 키 경로 */bindkeys-file "/etc/named.root.key"; 관리되는 키 디렉토리 "/var/named/dynamic"; pid 파일 "/run/named/named.pid"; 세션 키 파일 "/run/named/session.key"; }; 로깅 { 채널 default_debug { 파일 "data/named.run"; 심각도 동적; }; }; 구역 "." IN { 힌트 입력; 파일 "named.ca"; }; "/etc/named.rfc1912.zones"를 포함합니다. "/etc/named.root.key"를 포함합니다.
728x90
'리눅스' 카테고리의 다른 글
MySQL 클라이언트 실행 시 libtinfo.so.5 라이브러리 오류 (0) | 2023.01.16 |
---|---|
CentOS 7에서 BIND(named)의 로깅을 설정하는 방법 (0) | 2023.01.16 |
우분투에서 BIND를 설치하고 설정하는 방법 (0) | 2023.01.14 |
keepalived, haproxy 설치 및 설정하기 (0) | 2023.01.13 |
리눅스 sed 명령어 (0) | 2023.01.12 |