Configuring a BIND DNS server in a chroot on CentOS 7

In this article I will show how to configure the BIND DNS server in a chroot using the bind-chroot package that ships with CentOS.
First, let's install bind-chroot.

yum install bind-chroot
[root@srv01 ~]# yum install bind-chroot 
Plugins carregados: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.globo.com
 * extras: mirror.globo.com
 * updates: mirror.globo.com
base                                                                                                                                                                               | 3.6 kB  00:00:00     
extras                                                                                                                                                                             | 2.9 kB  00:00:00     
updates                                                                                                                                                                            | 2.9 kB  00:00:00     
Resolvendo dependências
--> Executando verificação da transação
---> O pacote bind-chroot.x86_64 32:9.11.4-9.P2.el7 será instalado
--> Resolução de dependências finalizada

Dependências resolvidas

==========================================================================================================================================================================================================
 Package                                           Arq.                                         Versão                                                   Repo                                        Tam.
==========================================================================================================================================================================================================
Instalando:
 bind-chroot                                       x86_64                                       32:9.11.4-9.P2.el7                                       base                                        90 k

Resumo da transação
==========================================================================================================================================================================================================
Instalar  1 Package

Tamanho total do download: 90 k
Tamanho depois de instalado: 4.7 k
Is this ok [y/d/N]: y
Downloading packages:
bind-chroot-9.11.4-9.P2.el7.x86_64.rpm                                                                                                                                             |  90 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando   : 32:bind-chroot-9.11.4-9.P2.el7.x86_64                                                                                                                                                1/1 
  Verifying    : 32:bind-chroot-9.11.4-9.P2.el7.x86_64                                                                                                                                                1/1 

Instalados:
  bind-chroot.x86_64 32:9.11.4-9.P2.el7                                                                                                                                                                   

Concluído!

Starting the service.

systemctl start named-chroot

Checking the status.

systemctl status  named-chroot
[root@srv01 ~]# systemctl status  named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Qua 2019-11-13 14:06:08 -03; 47s ago
  Process: 10613 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 10610 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 10615 (named)
   CGroup: /system.slice/named-chroot.service
           └─10615 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Nov 13 14:06:08 ser01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Nov 13 14:06:08 srv01 named[10615]: resolver priming query complete

Enabling the service at boot.

systemctl enable  named-chroot
[root@srv01 ~]# systemctl enable  named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.

Opening access in the firewall:

firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp  --permanent
firewall-cmd --reload
[root@srv01 ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
Warning: ALREADY_ENABLED: 53:tcp
success
[root@srv01 ~]# firewall-cmd --zone=public --add-port=53/udp  --permanent
Warning: ALREADY_ENABLED: 53:udp
success
[root@srv01 ~]# firewall-cmd --reload 
success

Checking the chroot mount points.

mount |grep chroot
[root@UNISESRV064 ~]# mount |grep chroot
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/services type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/centos_srv01-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

Where the zone file must be placed (both paths reach the same files, since the bind mounts listed above map them into the chroot):

/var/named/
or
/var/named/chroot/var/named/

The named configuration file:

/var/named/chroot/etc/named.conf
or
/etc/named.conf

Let's edit the configuration file.

vi /etc/named.conf

Set the fields as follows:

listen-on-v6 port 53 { none; };
recursion no;
listen-on port 53 { any; };

Let's create a zone.

Let's add the zone configuration to named.conf.

[root@srv01 ~]# vi /var/named/chroot/etc/named.conf

On the second-to-last line, add:

zone "it-howto.org" {
    type master;
    file "it-howto.org.zone";
    allow-query { any; };
    allow-transfer { 200.222.222.222;
                    200.222.222.223; };
    allow-update   { 200.222.222.222;
                     200.222.222.223; };
};

Let's check the configuration file.

[root@srv01 ~]# named-checkconf

If no errors are reported, as seen above, the configuration is OK.

Let's create the zone file.

[root@srv01 ~]# vi /var/named/chroot/var/named/it-howto.org.zone

With the following content, for this teaching example:

; it-howto.org
$TTL 86400
it-howto.org.		IN	SOA	ns1.it-howto.org. contato.it-howto.org. (
        2019111301		; Serial number
        10800			; Refresh
        3600			; Retry
        604800			; Expire
        86400)			; Minimum TTL

      ; Nameserver definition
      IN	NS	ns1.it-howto.org.
      IN	NS	ns2.it-howto.org.

      ; Mail exchanger definition
      IN	MX	10	mail.it-howto.org.
      IN	MX	50	mail2.it-howto.org.

; A records definition
it-howto.org.		IN	A	200.222.222.221
www.it-howto.org.	IN	A	200.222.222.221
ns1.it-howto.org.	IN	A	200.222.222.222
ns2.it-howto.org.	IN	A	200.222.222.223
mail.it-howto.org.	IN	A	200.222.222.224
mail2.it-howto.org.	IN	A	200.222.222.225

Let's check the zone:

named-checkzone it-howto.org /var/named/chroot/var/named/it-howto.org.zone
[root@srv01 ~]# named-checkzone it-howto.org  /var/named/chroot/var/named/it-howto.org.zone
zone it-howto.org/IN: loaded serial 2019111301
OK
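Added example, not from the original article: the SOA serial above follows the YYYYMMDDnn convention, and the secondaries listed in allow-transfer only pull a new copy when the serial increases, so every edit to the zone must bump it. The shell functions below (assumed names, not a BIND tool) read and bump the serial of a zone file in that scheme, including the roll-over at ..99, and are exercised on a constructed copy of the SOA header above.

```shell
# Added example (not from the original article): keep the YYYYMMDDnn serial
# scheme used in the it-howto.org SOA above. Secondaries only transfer a new
# copy when the serial increases, so every edit to the zone must bump it.
zone_serial() {
    # Print the serial of zone file $1: the first field of the line whose
    # comment mentions "Serial", as in the listing above.
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

next_serial() {
    # $1 = current serial, $2 = today's date as YYYYMMDD (e.g. from date +%Y%m%d).
    old=$1 today=$2
    case "$old" in
        ""|*[!0-9]*) echo "invalid serial '$old'" >&2; return 1 ;;
    esac
    d=${old%??}                             # drop the 2-digit change counter
    if [ "${d:-0}" -lt "$today" ]; then     # older date (or no date at all)
        echo "${today}01"                   # first change on a new day
    else
        # Same day: +1 bumps the counter; at ..99 it rolls into ..00 of the next
        # date, which is still strictly increasing. A serial already ahead of
        # today (clock skew, non-date scheme) is simply incremented as well.
        echo $((old + 1))
    fi
}

bump_zone_serial() {
    # Rewrite the serial line of zone file $1 in place; $2 = today's YYYYMMDD.
    cur=$(zone_serial "$1") && new=$(next_serial "$cur" "$2") || return 1
    awk -v old="$cur" -v new="$new" \
        '/;[[:space:]]*Serial/ && !done { sub(old, new); done = 1 } { print }' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1" && echo "$new"
}

# Constructed sample: the SOA header from the article, written to a temp file.
ZONE=$(mktemp)
cat > "$ZONE" <<'EOF'
$TTL 86400
it-howto.org.   IN  SOA ns1.it-howto.org. contato.it-howto.org. (
        2019111301      ; Serial number
        10800           ; Refresh
        3600            ; Retry
        604800          ; Expire
        86400)          ; Minimum TTL
EOF
```

On the server this would be `bump_zone_serial /var/named/it-howto.org.zone "$(date +%Y%m%d)"`, run before named-checkzone and the restart.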

Let's adjust the permissions of the zone directory so the service runs correctly.

chown named:named -R /var/named/
chmod 0770 -R /var/named

Let's restart the service.

systemctl restart named-chroot
[root@srv01 ~]# systemctl restart named-chroot

We verify that the zone was loaded successfully.

journalctl -f
[root@UNISESRV064 ~]# journalctl -f
Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key'
Nov 13 15:25:43 srv01 named[11555]: command channel listening on 127.0.0.1#953
Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key'
Nov 13 15:25:43 srv01 named[11555]: command channel listening on ::1#953
Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: journal file is out of date: removing journal file
Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: loaded serial 8
Nov 13 15:25:43 srv01 named[11555]: zone 0.in-addr.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: loaded serial 2019111301
Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone localhost.localdomain/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone localhost/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: all zones loaded
Nov 13 15:25:43 srv01 named[11555]: running
Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: sending notifies (serial 2019111301)
Nov 13 15:25:43 srv01 named[11555]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Nov 13 15:25:43 srv01 systemd[1]: Started Berkeley Internet Name Domain (DNS).

The named.conf configuration file:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};


zone "it-howto.org" {
    type master;
    file "it-howto.org.zone";
    allow-query { any; };
    allow-transfer { 200.222.222.222;
                    200.222.222.223; };
    allow-update   { 200.222.222.222;
                     200.222.222.223; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
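Added example, not from the original article: the comment block in this named.conf warns about open recursion, and the zone above restricts allow-transfer to the two secondaries, so a quick check of both before deploying is worthwhile. `audit_named_conf` (an assumed name, not a BIND tool) is a pure-awk pass over a named.conf; it assumes each zone starts on its own `zone "name" {` line and that there are no `view` blocks, as in the file above, and is run here on a constructed weak sample.

```shell
# Added example (not from the original article): a pure-awk audit of a
# named.conf for the two exposures the file's own comment warns about, an
# open recursive resolver and zones anyone can transfer (AXFR). Assumes each
# zone starts on its own 'zone "name" {' line, as in the config above.
audit_named_conf() {
    awk '
    index($0, "/*") { inc = 1 }                 # skip /* ... */ comment blocks
    inc             { if (index($0, "*/")) inc = 0; next }
    {
        line = $0; sub(/\/\/.*/, "", line)      # strip // comments
        if (line ~ /^[[:space:]]*zone[[:space:]]+"/) {
            match(line, /"[^"]+"/)
            zone = substr(line, RSTART + 1, RLENGTH - 2)
            zdepth = depth + 0; master = 0; xfer = 0
        }
        if (zone != "") {
            if (line ~ /type[[:space:]]+(master|primary)/) master = 1
            if (line ~ /allow-transfer/) {
                xfer = 1
                if (line ~ /allow-transfer[[:space:]]*[{][[:space:]]*any[[:space:]]*;/)
                    print "zone " zone ": allow-transfer { any; } lets anyone dump the zone"
            }
        } else {                                # options {} and other top-level blocks
            if (line ~ /recursion[[:space:]]+yes/) recursion = 1
            if (line ~ /allow-query[[:space:]]*[{][[:space:]]*any[[:space:]]*;/) openq = 1
        }
        depth += gsub(/[{]/, "{", line); depth -= gsub(/[}]/, "}", line)
        if (zone != "" && depth == zdepth) {    # closing brace of the zone block
            if (master && !xfer)
                print "zone " zone ": no allow-transfer, so the BIND 9.11 default (any) applies"
            zone = ""
        }
    }
    END { if (recursion && openq)
        print "options: recursion yes with allow-query { any; } makes this an open resolver" }
    ' "$1"
}

# Constructed sample with the weak settings, written to a temp file for a dry run.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
options { recursion yes; allow-query { any; }; };   // open resolver
zone "weak.test" { type master; file "weak.zone"; allow-transfer { any; }; };
zone "noxfer.test" { type master; file "noxfer.zone"; };
zone "." IN { type hint; file "named.ca"; };
EOF
```

Running it against the hardened file above (recursion no, allow-transfer limited to the two secondaries) prints nothing.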

Leave your comment below.
