BIND DNS 서버에서 뷰(View)와 존 전송(Zone Transfer) 테스트하는 방법
1. 마스터 서버
named 설정 파일(/etc/named.conf)에 서버 설정, 뷰와 존 설정을 합니다.
vim /etc/named.conf
// named.conf
// Primary (master) server for the BIND view / zone-transfer test.
// Lines beginning "NOTE(review):" are reviewer observations added to the
// original configuration; the directives themselves are unchanged.
options {
listen-on port 53 { any; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
// Hide the real server version from version.bind queries.
version "UNKNOWN";
// NOTE(review): queries and cache lookups are open to any address. Recursion
// for arbitrary clients is only prevented because "external-view" below sets
// "recursion no" - keep that restriction if the views are ever reworked.
allow-query { any; };
allow-query-cache { any; };
// Global transfer ACL; the zone statements below narrow it to the slave.
// Transfers are authorised by source address only - a TSIG key would tie
// them to a shared secret instead of an IP.
allow-transfer {
127.0.0.1;
192.168.0.62;
192.168.0.63;
};
// Send NOTIFY on zone change; the slave 192.168.0.63 is notified explicitly.
notify yes;
also-notify { 192.168.0.63; };
recursion yes;
recursive-clients 10000;
// Name-syntax checking disabled for master data, slave data and responses.
check-names master ignore;
check-names slave ignore;
check-names response ignore;
zone-statistics yes;
// NOTE(review): "dnssec-enable" is accepted by the 9.11 release shown in the
// dig output on this page but is deprecated in newer BIND releases - confirm
// before reusing this file on another version.
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
// HTTP statistics channel on the LAN address. Access is limited by source
// address only (the whole /24); there is no authentication on this channel.
statistics-channels {
inet 192.168.0.62 port 7777 allow { 192.168.0.0/24; };
};
include "/etc/named.root.key";
include "/etc/named.logging.conf";
//internal zone(default)
// Views are evaluated in order; a client lands in the first view whose
// match-clients accepts it.
view "internal-view" {
include "/etc/named.rfc1912.zones";
//match-clients { 127.0.0.1; 192.168.0.0/24; !192.168.0.63; };
// NOTE(review): only loopback and this host match the internal view, so the
// slave (192.168.0.63) is classified as "external-view" for every request it
// sends, zone transfers included. Its internal-view copies of these zones are
// therefore presumably filled from the ext-* files below - the identical
// file sizes in the slave's directory listing on this page point that way.
// Keying the views (match-clients { key ...; } here, with the same key on
// the slave's masters statement) is the usual way to make transfers
// view-specific; see the ISC views article linked at the end of the page.
match-clients { 127.0.0.1; 192.168.0.62; };
zone "." IN {
type hint;
file "named.ca";
};
zone "mocha.sangchul.kr" IN {
type master;
file "mocha.sangchul.kr.zone";
// Zone-level ACL overrides the global allow-transfer: slave only.
allow-transfer { 192.168.0.63; };
// NOTE(review): dynamic updates are accepted purely on the slave's source
// address. Address-only update ACLs are weak against source spoofing;
// prefer update-policy with a TSIG key, or drop allow-update entirely if
// nothing issues updates (nothing on this page does).
allow-update { 192.168.0.63; };
zone-statistics yes;
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192_168_0.zone";
allow-transfer { 192.168.0.63; };
// Same address-only update ACL as above.
allow-update { 192.168.0.63; };
};
};
//external zone
// Everyone not matched above: serves the ext-* zone files and refuses
// recursion (hence the "recursion requested but not available" warning in
// the slave's dig output further down the page).
view "external-view" {
match-clients { any; };
recursion no;
zone "." IN {
type hint;
file "named.ca";
};
zone "mocha.sangchul.kr" IN {
type master;
file "ext-mocha.sangchul.kr.zone";
allow-transfer { 192.168.0.63; };
// NOTE(review): address-only update ACL, as in the internal view.
allow-update { 192.168.0.63; };
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "ext-192_168_0.zone";
allow-transfer { 192.168.0.63; };
allow-update { 192.168.0.63; };
};
};
zone file 목록 확인
ls -l /var/named/ | grep zone
$ ls -l /var/named/ | grep zone
-rw-r----- 1 named named 774 Jan 16 12:14 192_168_0.zone
-rw-r----- 1 named named 774 Jan 16 13:38 ext-192_168_0.zone
-rw-r----- 1 named named 359 Jan 16 13:44 ext-mocha.sangchul.kr.zone
-rw-r----- 1 named named 360 Jan 16 12:14 mocha.sangchul.kr.zone
2. 슬레이브 서버
named 설정 파일(/etc/bind/named.conf)에 서버 설정, 뷰와 존 설정을 합니다.
vim /etc/bind/named.conf
// named.conf
// Secondary (slave) server for the BIND view / zone-transfer test
// (Debian/Ubuntu layout under /etc/bind and /var/cache/bind).
// Lines beginning "NOTE(review):" are reviewer observations added to the
// original configuration; the directives themselves are unchanged.
options {
listen-on port 53 { any; };
directory "/var/cache/bind";
dump-file "/var/cache/bind/data/cache_dump.db";
statistics-file "/var/cache/bind/data/named_stats.txt";
memstatistics-file "/var/cache/bind/data/named_mem_stats.txt";
recursing-file "/var/cache/bind/data/named.recursing";
secroots-file "/var/cache/bind/data/named.secroots";
// Hide the real server version from version.bind queries.
version "UNKNOWN";
// NOTE(review): open query ACLs, as on the master; recursion for outside
// clients is refused only by "recursion no" in "external-view" below.
allow-query { any; };
allow-query-cache { any; };
// Outbound transfers from this secondary: loopback and itself only.
allow-transfer {
127.0.0.1;
192.168.0.63;
};
// Accept NOTIFY only from the master's address.
allow-notify { 192.168.0.62; };
recursion yes;
recursive-clients 10000;
// Write transferred zones as text so the files under slaves/ are readable.
masterfile-format text;
// forwarders {
// 0.0.0.0;
// };
dnssec-validation auto;
};
// Statistics channel on the LAN address, address-restricted to the /24 with
// no authentication (same exposure as on the master).
statistics-channels {
inet 192.168.0.63 port 7777 allow { 192.168.0.0/24; };
};
//include "/etc/bind/named.conf.options";
//include "/etc/bind/named.conf.local";
//include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.logging.conf";
//internal zone(default)
// Views are evaluated in order; loopback and the master's address get this
// view, everything else falls through to "external-view".
view "internal-view" {
// The distribution default zones (root hints, localhost, etc.) are only
// pulled into this view; "external-view" below carries none of them.
include "/etc/bind/named.conf.default-zones";
//match-clients { 127.0.0.1; 192.168.0.0/24; !192.168.0.63; };
match-clients { 127.0.0.1; 192.168.0.62; };
zone "mocha.sangchul.kr" IN {
type slave;
file "slaves/mocha.sangchul.kr.zone";
// NOTE(review): no key on this masters statement, so the master selects a
// view for the transfer purely by this host's source address. Under the
// master configuration on this page that is its external view - confirm
// which data actually lands in slaves/mocha.sangchul.kr.zone. Adding
// "key <name>" here (and matching on that key in the master's view) makes
// the internal transfer unambiguous.
masters { 192.168.0.62; };
zone-statistics yes;
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "slaves/192_168_0.zone";
// Same address-only transfer source as above.
masters { 192.168.0.62; };
};
};
//external zone
// Everyone else: serves the ext-* copies and refuses recursion.
view "external-view" {
match-clients { any; };
recursion no;
zone "mocha.sangchul.kr" IN {
type slave;
file "slaves/ext-mocha.sangchul.kr.zone";
masters { 192.168.0.62; };
};
zone "0.168.192.in-addr.arpa" IN {
type slave;
file "slaves/ext-192_168_0.zone";
masters { 192.168.0.62; };
};
};
zone file 목록 확인
ls -l /var/cache/bind/slaves
$ ls -l /var/cache/bind/slaves
total 16
-rw-r--r-- 1 bind bind 523 Jan 16 14:22 192_168_0.zone
-rw-r--r-- 1 bind bind 523 Jan 16 14:22 ext-192_168_0.zone
-rw-r--r-- 1 bind bind 435 Jan 16 14:22 ext-mocha.sangchul.kr.zone
-rw-r--r-- 1 bind bind 435 Jan 16 14:22 mocha.sangchul.kr.zone
3. 질의 테스트(query test)
- 내부 dns client(match-clients) : 127.0.0.1, 192.168.0.62
- 외부 dns client(match-clients) : any
dig @192.168.0.62 mocha.sangchul.kr
192.168.0.62 클라이언트가 mocha.sangchul.kr 도메인을 질의할 때 내부 IP(192.168.0.61) 주소를 반환합니다.
root@192.168.0.62:~$ dig @192.168.0.62 mocha.sangchul.kr
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.10 <<>> @192.168.0.62 mocha.sangchul.kr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55545
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;mocha.sangchul.kr. IN A
;; ANSWER SECTION:
mocha.sangchul.kr. 60 IN A 192.168.0.61
;; AUTHORITY SECTION:
mocha.sangchul.kr. 60 IN NS ns2.mocha.sangchul.kr.
mocha.sangchul.kr. 60 IN NS ns.mocha.sangchul.kr.
;; ADDITIONAL SECTION:
ns.mocha.sangchul.kr. 60 IN A 192.168.0.62
ns2.mocha.sangchul.kr. 60 IN A 192.168.0.63
;; Query time: 0 msec
;; SERVER: 192.168.0.62#53(192.168.0.62)
;; WHEN: Mon Jan 16 14:31:29 KST 2023
;; MSG SIZE rcvd: 129
192.168.0.63 클라이언트가 mocha.sangchul.kr 도메인을 질의할 때 외부 IP(10.10.10.61) 주소를 반환합니다.
root@192.168.0.63:~$ dig @192.168.0.62 mocha.sangchul.kr
; <<>> DiG 9.18.1-1ubuntu1.2-Ubuntu <<>> @192.168.0.62 mocha.sangchul.kr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59508
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 8e19d8eed1f9367ccfb93c9b63c4e18f6dab5ba58f3930db (good)
;; QUESTION SECTION:
;mocha.sangchul.kr. IN A
;; ANSWER SECTION:
mocha.sangchul.kr. 60 IN A 10.10.10.61
;; AUTHORITY SECTION:
mocha.sangchul.kr. 60 IN NS ns.mocha.sangchul.kr.
mocha.sangchul.kr. 60 IN NS ns2.mocha.sangchul.kr.
;; ADDITIONAL SECTION:
ns.mocha.sangchul.kr. 60 IN A 192.168.0.62
ns2.mocha.sangchul.kr. 60 IN A 192.168.0.63
;; Query time: 4 msec
;; SERVER: 192.168.0.62#53(192.168.0.62) (UDP)
;; WHEN: Mon Jan 16 14:33:04 KST 2023
;; MSG SIZE rcvd: 157
참고URL
- bind view 설정 시 rndc 명령어 : https://scbyun.com/87
- Understanding views in BIND 9, with examples : https://kb.isc.org/docs/aa-00851
- 스플릿 브레인 DNS 배포에 DNS 정책 사용 : https://learn.microsoft.com/ko-kr/windows-server/networking/dns/deploy/split-brain-dns-deployment