In this article I will show how to configure the BIND DNS server in a chroot using the bind-chroot package that ships with CentOS.
First, let's install bind-chroot.
yum install bind-chroot
[root@srv01 ~]# yum install bind-chroot
Plugins carregados: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.globo.com
 * extras: mirror.globo.com
 * updates: mirror.globo.com
base                                                     | 3.6 kB  00:00:00
extras                                                   | 2.9 kB  00:00:00
updates                                                  | 2.9 kB  00:00:00
Resolvendo dependências
--> Executando verificação da transação
---> O pacote bind-chroot.x86_64 32:9.11.4-9.P2.el7 será instalado
--> Resolução de dependências finalizada

Dependências resolvidas

================================================================================
 Package            Arq.        Versão                    Repo         Tam.
================================================================================
Instalando:
 bind-chroot        x86_64      32:9.11.4-9.P2.el7        base         90 k

Resumo da transação
================================================================================
Instalar  1 Package

Tamanho total do download: 90 k
Tamanho depois de instalado: 4.7 k
Is this ok [y/d/N]: y
Downloading packages:
bind-chroot-9.11.4-9.P2.el7.x86_64.rpm                   |  90 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Instalando : 32:bind-chroot-9.11.4-9.P2.el7.x86_64                     1/1
  Verifying  : 32:bind-chroot-9.11.4-9.P2.el7.x86_64                     1/1

Instalados:
  bind-chroot.x86_64 32:9.11.4-9.P2.el7

Concluído!
Start the service.
systemctl start named-chroot
Check its status.
systemctl status named-chroot
[root@srv01 ~]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled)
   Active: active (running) since Qua 2019-11-13 14:06:08 -03; 47s ago
  Process: 10613 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 10610 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 10615 (named)
   CGroup: /system.slice/named-chroot.service
           └─10615 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Nov 13 14:06:08 ser01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:500:2::c#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:503:c27::2:30#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:7fd::1#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './DNSKEY/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: network unreachable resolving './NS/IN': 2001:dc3::35#53
Nov 13 14:06:08 srv01 named[10615]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Nov 13 14:06:08 srv01 named[10615]: resolver priming query complete
Enable the service at boot.
systemctl enable named-chroot
[root@srv01 ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
Open port 53 (TCP and UDP) in the firewall:
firewall-cmd --zone=public --add-port=53/tcp --permanent
firewall-cmd --zone=public --add-port=53/udp --permanent
firewall-cmd --reload
[root@srv01 ~]# firewall-cmd --zone=public --add-port=53/tcp --permanent
Warning: ALREADY_ENABLED: 53:tcp
success
[root@srv01 ~]# firewall-cmd --zone=public --add-port=53/udp --permanent
Warning: ALREADY_ENABLED: 53:udp
success
[root@srv01 ~]# firewall-cmd --reload
success
Check the chroot mount points.
mount | grep chroot
[root@UNISESRV064 ~]# mount | grep chroot
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/localtime type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.root.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.conf type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.rfc1912.zones type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/rndc.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named.iscdlv.key type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/protocols type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/services type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/etc/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
/dev/mapper/centos_srv01-root on /var/named/chroot/usr/lib64/bind type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
tmpfs on /var/named/chroot/run/named type tmpfs (rw,nosuid,nodev,seclabel,mode=755)
/dev/mapper/centos_srv01-root on /var/named/chroot/var/named type xfs (rw,relatime,seclabel,attr2,inode64,noquota)
Where the zone file must be placed:
/var/named/ or /var/named/chroot/var/named/
The named configuration file:
/var/named/chroot/etc/named.conf or /etc/named.conf
Each pair is the same file: as the mount output above shows, the host paths are bind-mounted into the chroot, so editing either path is equivalent.
Let's edit the configuration file.
vi /etc/named.conf
Set these fields as follows:
listen-on-v6 port 53 { none; };
recursion no;
listen-on port 53 { any; };
Let's create a zone. First, add its configuration to named.conf.
[root@srv01 ~]# vi /var/named/chroot/etc/named.conf
Toward the end of the file, before the include lines, add:
zone "it-howto.org" {
    type master;
    file "it-howto.org.zone";
    allow-query { any; };
    allow-transfer { 200.222.222.222; 200.222.222.223; };
    allow-update { 200.222.222.222; 200.222.222.223; };
};
Let's check the configuration file.
[root@srv01 ~]# named-checkconf
If it prints no errors, as seen above, the configuration is OK (named-checkconf is silent on success).
Now let's create the zone file.
[root@srv01 ~]# vi /var/named/chroot/var/named/it-howto.org.zone
With the following content, for this teaching example:
; it-howto.org
$TTL 86400
it-howto.org.   IN  SOA  ns1.it-howto.org. contato.it-howto.org. (
                    2019111301  ; Serial number
                    10800       ; Refresh
                    3600        ; Retry
                    604800      ; Expire
                    86400 )     ; Minimum TTL

; Nameserver definition
                IN  NS   ns1.it-howto.org.
                IN  NS   ns2.it-howto.org.

; Mail exchanger definition
                IN  MX   10 mail.it-howto.org.
                IN  MX   50 mail2.it-howto.org.

; A records definition
it-howto.org.        IN  A  200.222.222.221
www.it-howto.org.    IN  A  200.222.222.221
ns1.it-howto.org.    IN  A  200.222.222.222
ns2.it-howto.org.    IN  A  200.222.222.223
mail.it-howto.org.   IN  A  200.222.222.224
mail2.it-howto.org.  IN  A  200.222.222.225
Let's check the zone:
named-checkzone it-howto.org /var/named/chroot/var/named/it-howto.org.zone
[root@srv01 ~]# named-checkzone it-howto.org /var/named/chroot/var/named/it-howto.org.zone
zone it-howto.org/IN: loaded serial 2019111301
OK
Let's change the permissions of the zone directory so that named can read it correctly.
chown named:named -R /var/named/
chmod 0770 -R /var/named
Let's restart the service.
systemctl restart named-chroot
[root@srv01 ~]# systemctl restart named-chroot
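A check-then-reload script for the zone created above, added here as an example and not part of the article's own commands: it validates the zone file, bumps the SOA serial with the article's YYYYMMDDnn convention so that ns2 will transfer the change, re-runs named-checkconf inside the chroot the same way the named-chroot unit does, and reloads only that zone with rndc instead of restarting the service. The chroot path, the zone file path and the embedded sample zone are assumptions.

```shell
# Added example, not the article's code. Assumes the bind-chroot layout, that
# named-checkzone, named-checkconf and rndc are installed, and the YYYYMMDDnn
# serial convention used in the article's zone file.
CHROOT=/var/named/chroot

# SOA serial of a zone file: strip comments, join lines, take the field after
# "SOA <mname> <rname>", skipping an opening parenthesis.
zone_serial() {
    sed 's/;.*//' "$1" | tr '\n' ' ' | awk '{
        for (i = 1; i <= NF; i++) if ($i == "SOA") {
            k = i + 3; if ($k == "(") k++
            s = $k; sub(/^\(/, "", s); print s; exit
        }
    }'
}

# Next serial: today01 when larger than the current one, otherwise current+1,
# so it always grows (ns2 only transfers the zone when the serial increases).
next_serial() {
    today=$(date +%Y%m%d)01
    if [ "$1" -lt "$today" ]; then echo "$today"; else echo $(($1 + 1)); fi
}

# Replace the first field exactly equal to the old serial (that line is re-spaced).
set_serial() {
    awk -v old="$2" -v new="$3" \
        '!done { for (i = 1; i <= NF; i++) if ($i == old) { $i = new; done = 1; break } } 1' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Minimal zone in the article's format (constructed sample data), written to $1.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
it-howto.org. IN SOA ns1.it-howto.org. contato.it-howto.org. ( 2019111301 ; Serial number
        10800 3600 604800 86400 ) ; Refresh Retry Expire Minimum TTL
        IN NS ns1.it-howto.org.
ns1.it-howto.org. IN A 200.222.222.222
EOF
}

# Validate, bump the serial, re-check the full config inside the chroot, reload one zone.
deploy_zone() {   # $1 = zone name, $2 = zone file path on the host
    named-checkzone "$1" "$2" > /dev/null || { echo "zone check failed" >&2; return 1; }
    old=$(zone_serial "$2"); [ -n "$old" ] || return 1; new=$(next_serial "$old")
    set_serial "$2" "$old" "$new"
    named-checkconf -t "$CHROOT" -z /etc/named.conf > /dev/null || { echo "config check failed" >&2; return 1; }
    rndc reload "$1" && echo "$1: serial $old -> $new"
}
# Usage: deploy_zone it-howto.org /var/named/chroot/var/named/it-howto.org.zone
if [ $# -eq 2 ]; then deploy_zone "$1" "$2"; fi
```

Because the checks run before the reload, a syntax error in the zone or in named.conf leaves the running server untouched, unlike the restart used above, which would stop named with a broken config.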
We confirm that the zone was loaded successfully.
journalctl -f
[root@UNISESRV064 ~]# journalctl -f
Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key'
Nov 13 15:25:43 srv01 named[11555]: command channel listening on 127.0.0.1#953
Nov 13 15:25:43 srv01 named[11555]: configuring command channel from '/etc/rndc.key'
Nov 13 15:25:43 srv01 named[11555]: command channel listening on ::1#953
Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: journal file is out of date: removing journal file
Nov 13 15:25:43 srv01 named[11555]: managed-keys-zone: loaded serial 8
Nov 13 15:25:43 srv01 named[11555]: zone 0.in-addr.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: loaded serial 2019111301
Nov 13 15:25:43 srv01 named[11555]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone localhost.localdomain/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: zone localhost/IN: loaded serial 0
Nov 13 15:25:43 srv01 named[11555]: all zones loaded
Nov 13 15:25:43 srv01 named[11555]: running
Nov 13 15:25:43 srv01 named[11555]: zone it-howto.org/IN: sending notifies (serial 2019111301)
Nov 13 15:25:43 srv01 named[11555]: network unreachable resolving './DNSKEY/IN': 2001:500:12::d0d#53
Nov 13 15:25:43 srv01 systemd[1]: Started Berkeley Internet Name Domain (DNS).
The complete named.conf configuration file:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.root.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "it-howto.org" {
        type master;
        file "it-howto.org.zone";
        allow-query { any; };
        allow-transfer { 200.222.222.222; 200.222.222.223; };
        allow-update { 200.222.222.222; 200.222.222.223; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";