参考URL
man page of named.conf
http://www.linux.or.jp/JM/html/bind/man5/named.conf.5.html
たまにroot dnsが変更されていないか確認する。
ftp://ftp.rs.internic.net/domain/named.root
RedHat EL, FedoraCore, CentOSなどでは /var/named/chroot 以下に実ファイルが収められている場合があるので、環境に合わせてファイルの位置を調整してください。
[基本設定] ------------------------------------------------------
# 設定ファイル本体 --------------------------
>>> /etc/named.conf or /var/named/chroot/etc/named.conf
// Clients allowed to use this server as a recursive resolver. view "local"
// matches on it and options restricts allow-query / allow-query-cache to it.
acl "mylocals" {
// rewrite your local networks.
127.0.0.1;
192.168.1.0/24;
};
// if use ipv6
// If enabled, the v6 ACL must also be added to match-clients and to the
// allow-query / allow-query-cache lists in options, otherwise it has no effect.
//acl "mylocals-v6" {
// ::1;
//};
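options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	cleaning-interval 10;
	lame-ttl 1800;
	// Server-wide defaults: only acl "mylocals" may query or read the cache.
	// view "global" inherits these, so every zone published there has to set
	// its own allow-query { any; }.
	allow-query { mylocals; };
	allow-query-cache { mylocals; };
	// No zone transfers unless a zone statement allows them explicitly.
	allow-transfer { none; };
	forwarders{
	// rewrite near fast dns cache server(ex provider, data center shared).
	// No "forward only" here, so this is forward-first: named recurses on
	// its own when the forwarders do not answer.
	211.9.33.76;
	211.9.32.235;
	};
	// if use dnssec
	// dnssec-enable defaults to yes and is deprecated in newer BIND releases;
	// remove it if named-checkconf warns about it.
	dnssec-enable yes;
	// "auto" validates against the root trust anchor (built in, or the one in
	// bindkeys-file); plain "yes" only uses trust anchors configured by hand.
	dnssec-validation auto;
	// DNSSEC lookaside validation (DLV) was retired by ISC and the option is
	// obsolete in current BIND; leave it disabled.
	//dnssec-lookaside auto;
	// must carry the root zone trust anchor for "auto" above to be effective
	bindkeys-file "/etc/named.iscdlv.key";
	// if no version info
	// hides the version string returned for version.bind
	//version "bind";
	// if fw require statical port
	// a fixed source port disables source-port randomization, which the
	// resolver relies on against cache poisoning; prefer opening a port
	// range on the firewall instead
	//query-source address * port 53;
	// if must separating ipaddr
	//listen-on port 53 { 127.0.0.1; };
	//listen-on-v6 port 53 { ::1; };
};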
// if use rndc
// Control channel for rndc: loopback only, and only with the TSIG key named
// below. The key name must match the key clause written to /etc/rndc.key by
// rndc-confgen -k rndckey (see the [rndc] section).
controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// rndc.key holds the shared secret; keep it root:named 640 (permissions section).
include "/etc/rndc.key";
logging {
// discard "lame server" messages entirely
category lame-servers { null; };
// default debug channel; the path is relative to "directory"
// (/var/named/data/named.run)
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
// Resolver view for local clients: recursion on, plus the RFC 1912/1918 and
// published zones. Once views are used every zone must live inside a view;
// the root hint zone comes in through the rfc1912 include.
// NOTE: the 作業例 section below creates named.local-zone.conf and
// named.global-zone.conf (singular) -- the include paths here have to name
// the files actually created.
view "local" {
match-clients {
mylocals;
};
recursion yes;
include "/etc/named.rfc1912-zones.conf";
include "/etc/named.global-zones.conf";
};
// Authoritative-only view for everyone else. Views are matched in order, so
// local clients never reach this one. No recursion, no cache access
// (allow-query-cache in options is mylocals), and allow-query is inherited as
// { mylocals; } -- each zone published here needs its own allow-query { any; }.
view "global" {
match-clients {
any;
};
recursion no;
include "/etc/named.global-zones.conf";
};
<<<
# root owns, group named reads; the mode (640) is set in the permissions section below
chown root:named named.conf
# RFC1912関係 -------------------------------
>>> named.rfc1912-zones.conf
//
// sync redhat settings and add reverse query.
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// root hints (view "local" only). Root server addresses change over time:
// refresh named.ca from the named.root source given at the top of the page.
zone "." IN {
type hint;
file "named.ca";
};
// forward zones for localdomain / localhost; allow-update { none; } keeps them static
zone "localdomain" IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
// reverse zones for 127.0.0.0/8 and for ::1
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.ip6.local";
allow-update { none; };
};
// 0/8 and 255/8 reverse names are answered locally from named.invalid
// (SOA+NS only, so NXDOMAIN) instead of being sent upstream
zone "255.in-addr.arpa" IN {
type master;
file "named.invalid";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.invalid";
allow-update { none; };
};
//
// additional ipv4 local reverses for rfc1912.
// if conflict your network, comment out.
//
// RFC 1918 space (10/8, 172.16/12, 192.168/16) answered locally from
// named.invalid, so reverse lookups for private addresses never leave this
// server. Loaded in view "local" only.
// The 192.168.1.0/24 network in acl "mylocals" falls under 168.192.in-addr.arpa:
// to get real PTRs for it, define a 1.168.192.in-addr.arpa zone (the more
// specific zone wins) or comment that line out.
zone "10.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "16.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "17.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "18.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "19.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "20.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "21.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "22.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "23.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "24.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "25.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "26.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "27.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "28.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "29.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "30.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "31.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "168.192.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
<<<
# グローバルアナウンス用 --------------------
# 必要に応じて作成
>>> named.global-zones.conf
// Templates: uncomment and fill in. allow-query { any; } is needed in every
// zone because options sets allow-query { mylocals; }. Master zones limit
// allow-transfer to the secondaries' addresses; slave zones inherit
// allow-transfer { none; } from options.
// masters ====================================================
//zone "example.com" IN {
// type master;
// file "primary/db.example.com";
// allow-query { any; };
// allow-transfer { secondary.dns.ip.addrs; };
//};
// slaves =====================================================
//zone "example.jp" IN {
// type slave;
// file "slave/db.example.jp";
// masters { primary.dns.ip.addrs; };
// allow-query { any; };
//};
// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
// type master;
// file "primary/rev.nnn.nnn.nnn.nnn_nn";
// allow-query { any; };
//};
<<<
[zoneファイル] --------------------------------------------------
# /var/namedへ設置(chrootが有る場合はchroot内部にて)
# root DNS探索 ------------------------------
>>> named.ca
# OS提供、またはパッケージ提供及び自動更新に従う。以下一例
; Root hints snapshot (dig output; see the WHEN line at the bottom for its
; date). Root server addresses change: refresh this file from the named.root
; source listed at the top of the page, or use the distribution package's copy.
; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 518400 IN NS D.ROOT-SERVERS.NET.
. 518400 IN NS E.ROOT-SERVERS.NET.
. 518400 IN NS F.ROOT-SERVERS.NET.
. 518400 IN NS G.ROOT-SERVERS.NET.
. 518400 IN NS H.ROOT-SERVERS.NET.
. 518400 IN NS I.ROOT-SERVERS.NET.
. 518400 IN NS J.ROOT-SERVERS.NET.
. 518400 IN NS K.ROOT-SERVERS.NET.
. 518400 IN NS L.ROOT-SERVERS.NET.
. 518400 IN NS M.ROOT-SERVERS.NET.
. 518400 IN NS A.ROOT-SERVERS.NET.
. 518400 IN NS B.ROOT-SERVERS.NET.
. 518400 IN NS C.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET. 3600000 IN A 198.41.0.4
A.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:ba3e::2:30
B.ROOT-SERVERS.NET. 3600000 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 3600000 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 3600000 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 3600000 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 3600000 IN A 192.5.5.241
F.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:2f::f
G.ROOT-SERVERS.NET. 3600000 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 3600000 IN A 128.63.2.53
H.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:500:1::803f:235
I.ROOT-SERVERS.NET. 3600000 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 3600000 IN A 192.58.128.30
J.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:503:c27::2:30
K.ROOT-SERVERS.NET. 3600000 IN A 193.0.14.129
K.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:7fd::1
L.ROOT-SERVERS.NET. 3600000 IN A 199.7.83.42
M.ROOT-SERVERS.NET. 3600000 IN A 202.12.27.33
M.ROOT-SERVERS.NET. 3600000 IN AAAA 2001:dc3::35
;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE rcvd: 615
<<<
# localdomain解決用 -------------------------
>>> localdomain.zone
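; localdomain.zone - forward zone for "localdomain" (view "local" only).
; MNAME "localhost", RNAME "root" and the NS target have no trailing dot, so
; they are relative to the origin: localhost.localdomain., root.localdomain.
$TTL 86400
@		IN SOA	localhost root (
			2012051100	; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D		; minimum
			)
; ownerless records must start with whitespace so they inherit the "@" owner
		IN NS	localhost
localhost	IN A	127.0.0.1
localhost	IN AAAA	::1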
<<<
# localhost解決用 ---------------------------
>>> localhost.zone
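; localhost.zone - forward zone for "localhost" (view "local" only).
; "@" is the apex; the MNAME "@" and the ownerless records below all refer to
; localhost. itself.
$TTL 86400
@		IN SOA	@ root (
			2012051100	; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D		; minimum
			)
; ownerless records must start with whitespace so they inherit the "@" owner
		IN NS	@
		IN A	127.0.0.1
		IN AAAA	::1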
<<<
# loopbackアドレス逆引き解決用 --------------
>>> named.local
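; named.local - reverse zone for 127.0.0.0/8 (0.0.127.in-addr.arpa).
$TTL 86400
@		IN SOA	localhost. root.localhost. (
			2012051100	; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D		; minimum
			)
; ownerless record: leading whitespace makes it inherit the "@" owner
		IN NS	localhost.
; "1" is relative to the origin: 1.0.0.127.in-addr.arpa, i.e. 127.0.0.1
1		IN PTR	localhost.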
<<<
# 同一内容のファイルだが分けて作成しておく
>>> named.ip6.local
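; named.ip6.local - reverse zone for ::1. The origin is the ip6.arpa zone
; declared in named.rfc1912-zones.conf; "1" below that origin is the reverse
; name of ::1. Kept as a separate file from named.local on purpose.
$TTL 86400
@		IN SOA	localhost. root.localhost. (
			2012051100	; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D		; minimum
			)
; ownerless record: leading whitespace makes it inherit the "@" owner
		IN NS	localhost.
1		IN PTR	localhost.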
<<<
# 無効なエントリ外部問い合わせ防止用 --------
>>> named.invalid
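; named.invalid - placeholder zone for address blocks that must not be looked
; up upstream (0/8, 255/8 and the RFC 1918 reverse zones). Only SOA and NS
; exist, so every name below the apex is answered NXDOMAIN by this server.
$TTL 86400
; RNAME is root.localhost., the same contact as in named.local / named.ip6.local
@		IN SOA	localhost. root.localhost. (
			2012051100	; serial
			3H		; refresh
			15M		; retry
			1W		; expiry
			1D		; minimum
			)
; ownerless record: leading whitespace makes it inherit the "@" owner
		IN NS	localhost.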
<<<
[rndc] ----------------------------------------------------------
# rndc key fileの作成
# -a makes rndc-confgen write the key clause to /etc/rndc.key itself (not via
# stdout), so the redirect adds nothing. The key name (-k rndckey) must match
# "keys { rndckey; }" in the controls statement of named.conf.
rndc-confgen -a -r /dev/urandom -b 512 -k rndckey > /etc/rndc.key
[パーミッションの設定] ------------------------------------------
# root owns, group named reads (640): named can read but not modify its own
# configuration. rndc.key is the only secret here and gets the same treatment.
for NAME in /etc/{rndc.key,named.conf,named.global-zones.conf,named.rfc1912-zones.conf} \
/var/named/{localdomain.zone,localhost.zone,named.invalid,named.ip6.local,named.local}; do
chown root:named $NAME
chmod 640 $NAME
done
[ファイル例] ----------------------------------------------------
>>> zoneファイルの例
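; Forward zone template. yyyymmddnn and aaa.aaa.aaa.aaa etc. are placeholders;
; the file does not load until they are replaced. Records that omit the class
; inherit IN from the SOA line.
$ORIGIN example.com.
$TTL 86400 ; 1 day
@	IN SOA	ns1.example.com. root.ns1.example.com. (
		yyyymmddnn	; serial
		28800		; refresh (8 hour)
		86400		; retry (1 day)
		3600000		; expire (5 weeks 6 days 16 hours)
		3600		; minimum (1 hour)
		)
; ownerless records must start with whitespace so they inherit the "@" owner
	NS	ns1
	NS	ns2
	MX	10 po
;
ns1	A	aaa.aaa.aaa.aaa
ns2	A	bbb.bbb.bbb.bbb
www	A	ccc.ccc.ccc.ccc
po	A	ddd.ddd.ddd.ddd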
<<<
>>> 逆引zoneファイルの例
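; Reverse zone template. No $ORIGIN here, so the owner names 249-251 are
; relative to the zone name given in the zone statement; yyyymmddnn is a
; placeholder serial.
$TTL 86400
@		IN SOA	ns1.example.com. root.ns1.example.com. (
			yyyymmddnn	; Serial
			8H		; Refresh
			2H		; Retry
			1W		; Expire
			1D		; Minimum TTL
			)
; name servers (ownerless: leading whitespace inherits the "@" owner)
		IN NS	ns1.example.com.
		IN NS	ns2.example.com.
; server group
249		IN PTR	gw.example.com.
250		IN PTR	ns1.example.com.
251		IN PTR	ns2.example.com.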
<<<
[作業例] --------------------------------------------------------
# work as root inside the chroot's etc (see the chroot note at the top);
# the packaged named.conf is kept as a backup and is not included anywhere
su -
cd /var/named/chroot/etc
mv named.conf named.conf.orig
>>> vi named.conf
# /etc/named.confの例どおり（ただし、各 view 内の include は次に作成する named.local-zone.conf（view "local"）と named.global-zone.conf（view "global"）を指すように書き換える。上の例の include は named.global-zones.conf になっている）
<<<
>>> vi named.local-zone.conf
// Zones for view "local". match-clients there is mylocals, so
// allow-query { any; } below still only reaches local clients.
// NOTE(review): the zone name must equal the apex of the zone file;
// db.systemix.local as written sets $ORIGIN systemix.ne.jp., which named
// will not load under the name "systemix.local" (SOA not at top of zone).
// Reconcile the zone name and the $ORIGIN -- confirm which is intended.
// masters ====================================================
zone "systemix.local" IN {
type master;
file "db.systemix.local";
allow-query { any; };
//allow-transfer { secondary.dns.ip.addrs; };
};
// slaves =====================================================
//zone "example.jp" IN {
// type slave;
// file "slave/db.example.jp";
// masters { primary.dns.ip.addrs; };
// allow-query { any; };
//};
// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
// type master;
// file "primary/rev.nnn.nnn.nnn.nnn_nn";
// allow-query { any; };
//};
<<<
>>> vi named.global-zone.conf
// Zones for view "global" (match-clients any, recursion off).
// allow-query { any; } is required because options sets allow-query { mylocals; }.
// allow-transfer is left commented, so the zone inherits allow-transfer { none; }
// from options: the ns2 listed in db.systemix.ne.jp cannot pull this zone by
// AXFR unless that line is enabled with the secondary's address.
// masters ====================================================
zone "systemix.ne.jp" IN {
type master;
file "db.systemix.ne.jp";
allow-query { any; };
//allow-transfer { secondary.dns.ip.addrs; };
};
// slaves =====================================================
//zone "example.jp" IN {
// type slave;
// file "slave/db.example.jp";
// masters { primary.dns.ip.addrs; };
// allow-query { any; };
//};
// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
// type master;
// file "primary/rev.nnn.nnn.nnn.nnn_nn";
// allow-query { any; };
//};
<<<
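# Same policy as the permissions section above: root owns, group named reads
# (640). 644 would make the configuration world-readable for no benefit.
chown root:named named.conf named.local-zone.conf named.global-zone.conf
chmod 640 named.conf named.local-zone.conf named.global-zone.conf
# expose the chroot copies at the conventional /etc paths
ln -s /var/named/chroot/etc/named.local-zone.conf /etc
ln -s /var/named/chroot/etc/named.global-zone.conf /etc
cd /var/named/chroot/var/named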
>>> vi db.systemix.local
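; Internal-address copy of the zone (192.168.1.3 for everything), loaded from
; named.local-zone.conf for view "local".
; NOTE(review): $ORIGIN and the SOA name this zone systemix.ne.jp., but
; named.local-zone.conf loads this file as zone "systemix.local" and
; named-checkzone is run with systemix.ne.jp. Either the zone statement should
; say systemix.ne.jp (split-horizon: same name, internal addresses) or $ORIGIN
; should be systemix.local. -- confirm which is intended before going live.
$ORIGIN systemix.ne.jp.
$TTL 86400 ; 1 day
@	IN SOA	ns1.systemix.ne.jp. root.systemix.ne.jp. (
		2007021000	; serial
		28800		; refresh (8 hour)
		86400		; retry (1 day)
		3600000		; expire (5 weeks 6 days 16 hours)
		3600		; minimum (1 hour)
		)
; ownerless records must start with whitespace so they inherit the "@" owner
	IN NS	ns1
	IN NS	ns2
	IN MX	10 po
;
	IN A	192.168.1.3
ns1	IN A	192.168.1.3
ns2	IN A	192.168.1.3
po	IN A	192.168.1.3
www	IN A	192.168.1.3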
<<<
>>> vi db.systemix.ne.jp
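; Public-address copy of the zone, loaded from named.global-zone.conf for
; view "global". ns1 and ns2 both resolve to 219.105.44.7, so the second NS
; record adds no redundancy.
$ORIGIN systemix.ne.jp.
$TTL 86400 ; 1 day
@	IN SOA	ns1.systemix.ne.jp. root.systemix.ne.jp. (
		2007021000	; serial
		28800		; refresh (8 hour)
		86400		; retry (1 day)
		3600000		; expire (5 weeks 6 days 16 hours)
		3600		; minimum (1 hour)
		)
; ownerless records must start with whitespace so they inherit the "@" owner
	IN NS	ns1
	IN NS	ns2
	IN MX	10 po
;
	IN A	203.141.146.155
ns1	IN A	219.105.44.7
ns2	IN A	219.105.44.7
po	IN A	203.141.146.155
www	IN A	203.141.146.155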
<<<
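# Master zones without allow-update: root owns and named only reads, the same
# 640 root:named policy as the permissions section above.
for NAME in db.systemix.local db.systemix.ne.jp; do
	chown root:named $NAME;
	chmod 640 $NAME;
	ln -s /var/named/chroot/var/named/$NAME /var/named;
done
named-checkconf
# The zone name given to named-checkzone must be the one in the zone statement.
# named.local-zone.conf declares "systemix.local" for db.systemix.local while the
# file sets $ORIGIN systemix.ne.jp.; the first check below passes only because it
# uses the latter, so reconcile the two before relying on it.
named-checkzone systemix.ne.jp /var/named/db.systemix.local
named-checkzone systemix.ne.jp /var/named/db.systemix.ne.jp
chkconfig named on
/etc/init.d/named restart
cd /etc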
>>> vi /etc/resolv.conf
# 以下を先頭に追加
# 127.0.0.1 is in acl "mylocals", so this host is served by view "local" (recursive)
nameserver 127.0.0.1