Nesse artigo irei mostrar como configurar o servidor de dns bind em chroot utilizado o pacote bind-chroot nativo do centos .
Primeiro vamos instalar o bind-chroot.
yum install bind-chroot
[root@srv01 ~]# yum install bind-chroot Plugins carregados: fastestmirror Loading mirror speeds from cached hostfile * base: mirror.globo.com * extras: mirror.globo.com * updates: mirror.globo.com base | 3.6 kB 00:00:00 extras | 2.9 kB 00:00:00 updates | 2.9 kB 00:00:00 Resolvendo dependências --> Executando verificação da transação ---> O pacote bind-chroot.x86_64 32:9.11.4-9.P2.el7 será instalado --> Resolução de dependências finalizada Dependências resolvidas ========================================================================================================================================================================================================== Package Arq. Versão Repo Tam. ========================================================================================================================================================================================================== Instalando: bind-chroot x86_64 32:9.11.4-9.P2.el7 base 90 k Resumo da transação ========================================================================================================================================================================================================== Instalar 1 Package Tamanho total do download: 90 k Tamanho depois de instalado: 4.7 k Is this ok [y/d/N]: y Downloading packages: bind-chroot-9.11.4-9.P2.el7.x86_64.rpm | 90 kB 00:00:00 Running transaction check Running transaction test Transaction test succeeded Running transaction Instalando : 32:bind-chroot-9.11.4-9.P2.el7.x86_64 1/1 Verifying : 32:bind-chroot-9.11.4-9.P2.el7.x86_64 1/1 Instalados: bind-chroot.x86_64 32:9.11.4-9.P2.el7 Concluído!
Iniciando o serviço .
systemctl start named-chroot
Verificando o status .
systemctl status named-chroot
[root@srv01 ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
Active: active (running) since Qua 2019-11-13 14:06:08 -03; 47s ago
Process: 10613 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 10610 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
Main PID: 10615 (named)
CGroup: /system.slice/named-chroot.service
└─10615 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
Nov 13 14:06:08 ser01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Nov 13 14:06:08 srv01 named[10615]: resolver priming query complete
Ativando a inicialização.
systemctl enable named-chroot
[root@srv01 ~]# systemctl enable named-chroot Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
Liberando acesso no firewall;
firewall-cmd --zone=public --add-port=53/tcp --permanent firewall-cmd --zone=public --add-port=53/udp --permanent firewall-cmd --reload
[root@srv01 ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent Warning: ALREADY_ENABLED: 53:tcp success [root@srv01 ~]# firewall-cmd --zone=public --add-port=53/udp --permanent Warning: ALREADY_ENABLED: 53:udp success [root@srv01 ~]# firewall-cmd --reload success
Verificando os pontos de montagem em chroot.
mount |grep chroot
[root@UNISESRV064 ~]# mount |grep chroot /dev/mapper/centos_srv01-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/services type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota) /dev/mapper/centos_srv01-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota) tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755) /dev/mapper/centos_srv01-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Local onde a zona deve ficar :
/var/named/ ou /var/named/chroot/var/named/
Arquivo de configuração do named :
/var/named/chroot/etc/named.conf ou /etc/named.conf
Vamos editar o arquivo de configuração .
vi /etc/named.conf
Colocar os campos dessa forma :
listen-on-v6 port 53 { none; };
recursion no;
listen-on port 53 { any; };
Vamos criar uma zona .
Vamos criar a configuração no named.conf
[root@srv01 ~]# vi /var/named/chroot/etc/named.conf
Na penúltima linha colocar :
zone "it-howto.org" {
type master;
file "it-howto.org.zone";
allow-query { any; };
allow-transfer { 200.222.222.222;
200.222.222.223; };
allow-update { 200.222.222.222;
200.222.222.223; };
};
Vamos verificar o arquivo de configuração.
[root@srv01 ~]# named-checkconf
Caso não apresente nenhum erro como vimos a cima a configuração está ok .
Vamos criar o arquivo de configuração da zona.
[root@srv01 ~]# vi /var/named/chroot/var/named/it-howto.org.zone
Com o conteúdo nesse caso didático.
; it-howto.org
$TTL 86400
it-howto.org. IN SOA ns1.it-howto.org. contato.it-howto.org. (
2019111301 ; Serial number
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400) ; Minimum TTL
; Nameserver definition
IN NS ns1.it-howto.org.
IN NS ns2.it-howto.org.
; Mail exchanger definition
IN MX 10 mail.it-howto.org.
IN MX 50 mail2.it-howto.org.
; A records definition
it-howto.org. IN A 200.222.222.221
www.it-howto.org. IN A 200.222.222.221
ns1.it-howto.org. IN A 200.222.222.222
ns2.it-howto.org. IN A 200.222.222.223
mail.it-howto.org. IN A 200.222.222.224
mail2.it-howto.org. IN A 200.222.222.225
Vamos verificar a zona :
named-checkzone it-howto.org /var/named/chroot/var/named/it-howto.org.zone
[root@srv01 ~]# named-checkzone it-howto.org /var/named/chroot/var/named/it-howto.org.zone zone it-howto.org/IN: loaded serial 2019111301 OK
Vamos modificar as permissões da pasta da zona para funcionamento correto.
chown named:named -R /var/named/
chmod 0770 -R /var/named
Vamos reiniciar o serviço.
systemctl restart named-chroot
[root@srv01 ~]# systemctl restart named-chroot
Verificamos que a zona foi carregada com sucesso.
journalctl -f
[root@UNISESRV064 ~]# journalctl -f
Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key' Nov 13 15:25:43 srv01 named[11555]: command channel listening on 127.0.0.1#953 Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key' Nov 13 15:25:43 srv01 named[11555]: command channel listening on ::1#953 Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: journal file is out of date: removing journal file Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: loaded serial 8 Nov 13 15:25:43 srv01 named[11555]: zone 0.in-addr.arpa/IN: loaded serial 0 Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0 Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: loaded serial 2019111301 Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0 Nov 13 15:25:43 srv01 named[11555]: zone localhost.localdomain/IN: loaded serial 0 Nov 13 15:25:43 srv01 named[11555]: zone localhost/IN: loaded serial 0 Nov 13 15:25:43 srv01 named[11555]: all zones loaded Nov 13 15:25:43 srv01 named[11555]: running Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: sending notifies (serial 2019111301) Nov 13 15:25:43 srv01 named[11555]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53 Nov 13 15:25:43 srv01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
O arquivo de configuração named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; };
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.root.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "it-howto.org" {
type master;
file "it-howto.org.zone";
allow-query { any; };
allow-transfer { 200.222.222.222;
200.222.222.223; };
allow-update { 200.222.222.222;
200.222.222.223; };
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Deixa seu comentário a baixo .