DNS for bind9

日付 2012.05.23
タイトル DNS for bind9
本文
参考URL
  man page of named.conf
  http://www.linux.or.jp/JM/html/bind/man5/named.conf.5.html

  たまにroot dnsが変更されていないか確認する。
  ftp://ftp.rs.internic.net/domain/named.root


RedHat EL, FedoraCore, CentOSなどでは /var/named/chroot 以下に実ファイルが収
められている場合があるので、環境に合わせてファイルの位置を調整してください。


[基本設定] ------------------------------------------------------
# 設定ファイル本体 --------------------------
>>> /etc/named.conf or /var/named/chroot/etc/named.conf
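acl "mylocals" {
	// rewrite your local networks.
	// This list gates both querying and cache use (allow-query /
	// allow-query-cache in options), so keep it to your own prefixes; a
	// too-wide entry turns this host into an open resolver.
	127.0.0.1;
	192.168.1.0/24;
};
// if use ipv6
// (the closing line was missing its ";" -- named-checkconf rejects the
// acl once uncommented.  Note the list is not referenced anywhere yet:
// add it to match-clients / allow-query alongside "mylocals".)
//acl "mylocals-v6" {
//	::1;
//};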

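options {
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	cleaning-interval 10;
	lame-ttl 1800;

	// Only hosts in "mylocals" may query or use the cache.  Zones that
	// must be visible to the Internet override this with their own
	// allow-query { any; } (see named.global-zones.conf).
	allow-query { mylocals; };
	allow-query-cache { mylocals; };
	// Zone transfers are denied everywhere unless a zone grants them.
	allow-transfer { none; };

	forwarders{
		// rewrite near fast dns cache server(ex provider, data center shared).
		211.9.33.76;
		211.9.32.235;
	};
	// "forward first" is the default: if the forwarders do not answer,
	// named recurses from the root hints (named.ca) itself.

	// if use dnssec
	dnssec-enable yes;
	// "auto" validates with the built-in root trust anchor (overridable
	// via bindkeys-file).  The original "yes" requires an explicit
	// trusted-keys / managed-keys statement, and none is configured in
	// this file, so nothing was actually being validated.
	dnssec-validation auto;
	// DLV (dlv.isc.org) has been retired and the option is no longer
	// accepted by newer BIND releases; leave it off.
	//dnssec-lookaside auto;
	bindkeys-file "/etc/named.iscdlv.key";

	// if no version info
	//version "bind";

	// if fw require statical port
	// A fixed source port weakens cache-poisoning resistance; prefer a
	// firewall rule that permits the random port range instead.
	//query-source address * port 53;

	// if must separating ipaddr
	//listen-on port 53 { 127.0.0.1; };
	//listen-on-v6 port 53 { ::1; };
};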

// if use rndc
// The control channel is bound to loopback only, and the key name must
// match the one generated with "rndc-confgen -k rndckey" (rndc section).
controls {
	inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/rndc.key";

logging {
	// lame-server reports are discarded
	category lame-servers { null; };
	// file path is relative to options.directory (/var/named)
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

// Clients in "mylocals" get a recursive resolver plus the RFC 1912
// zones.  Views are matched in order, so this one must stay first.
// NOTE: with views in use every zone has to live inside a view; the
// work example at the end of this page creates named.local-zone.conf,
// which no view here includes -- it needs an include statement in this
// view or its zone never loads.
view "local" {
	match-clients {
		mylocals;
	};
	recursion yes;

	include "/etc/named.rfc1912-zones.conf";
	include "/etc/named.global-zones.conf";
};

// Everyone else: authoritative answers only, no recursion.  allow-query
// from options (mylocals) is inherited, so each zone in
// named.global-zones.conf must set allow-query { any; } to be reachable.
view "global" {
	match-clients {
		any;
	};
	recursion no;

	include "/etc/named.global-zones.conf";
};
<<<
# mode 640 is applied in the permission section further down
chown root:named named.conf


# RFC1912関係 -------------------------------
>>> named.rfc1912-zones.conf
//
// sync redhat settings and add reverse query.
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Included only from view "local" in named.conf: the hint zone is what
// lets that view recurse, and the localhost / loopback zones keep those
// queries from leaving the host.  File names are relative to
// options.directory (/var/named).  allow-update { none; } is the default
// but is spelled out so refusal of dynamic updates is visible.
//
zone "." IN {
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};

zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};

zone "255.in-addr.arpa" IN {
        type master;
        file "named.invalid";
        allow-update { none; };
};

zone "0.in-addr.arpa" IN {
        type master;
        file "named.invalid";
        allow-update { none; };
};

//
// additional ipv4 local reverses for rfc1912.
// if conflict your network, comment out.
//
// These RFC 1918 reverse zones answer NXDOMAIN locally, so PTR queries
// for private addresses never reach the forwarders.  A more specific
// zone defined in the same view (e.g. one for 1.168.192.in-addr.arpa)
// takes precedence over these, so a line only needs commenting out when
// no such zone exists and the query is meant to leave this host.  With
// the sample acl (192.168.1.0/24) the 168.192 entry is the one that
// matters.
//
zone "10.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "16.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "17.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "18.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "19.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "20.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "21.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "22.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "23.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "24.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "25.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "26.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "27.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "28.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "29.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "30.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "31.172.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
zone "168.192.in-addr.arpa" IN { type master; file "named.invalid"; allow-update { none; }; };
<<<


# グローバルアナウンス用 --------------------
# 必要に応じて作成
>>> named.global-zones.conf
// masters ====================================================
// allow-query { any; } is required in every zone here because options
// restricts queries to "mylocals".  allow-transfer must list only your
// secondaries; a zone without it (the reverse template below) inherits
// allow-transfer { none; } from options.
//zone "example.com" IN {
//	type master;
//	file "primary/db.example.com";
//	allow-query { any; };
//	allow-transfer { secondary.dns.ip.addrs; };
//};

// slaves =====================================================
// "masters" names the primaries this host pulls the zone from.
//zone "example.jp" IN {
//	type slave;
//	file "slave/db.example.jp";
//	masters { primary.dns.ip.addrs; };
//	allow-query { any; };
//};

// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
//	type master;
//	file "primary/rev.nnn.nnn.nnn.nnn_nn";
//	allow-query { any; };
//};
<<<


[zoneファイル] --------------------------------------------------
# /var/namedへ設置(chrootが有る場合はchroot内部にて)
# root DNS探索 ------------------------------
>>> named.ca
# OS提供、またはパッケージ提供及び自動更新に従う。以下一例
; Root hints captured 2008-02-26 (see the WHEN line at the end).  Root
; server addresses do change over time, so replace this with the
; package-provided named.ca or a fresh named.root and recheck it
; periodically, as the header of this note says.
; <<>> DiG 9.5.0b2 <<>> +bufsize=1200 +norec NS . @a.root-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7033
;; flags: qr aa; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 20

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.                              IN      NS

;; ANSWER SECTION:
.                       518400  IN      NS      D.ROOT-SERVERS.NET.
.                       518400  IN      NS      E.ROOT-SERVERS.NET.
.                       518400  IN      NS      F.ROOT-SERVERS.NET.
.                       518400  IN      NS      G.ROOT-SERVERS.NET.
.                       518400  IN      NS      H.ROOT-SERVERS.NET.
.                       518400  IN      NS      I.ROOT-SERVERS.NET.
.                       518400  IN      NS      J.ROOT-SERVERS.NET.
.                       518400  IN      NS      K.ROOT-SERVERS.NET.
.                       518400  IN      NS      L.ROOT-SERVERS.NET.
.                       518400  IN      NS      M.ROOT-SERVERS.NET.
.                       518400  IN      NS      A.ROOT-SERVERS.NET.
.                       518400  IN      NS      B.ROOT-SERVERS.NET.
.                       518400  IN      NS      C.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     3600000 IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
H.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:500:1::803f:235
I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     3600000 IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     3600000 IN      A       199.7.83.42
M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     3600000 IN      AAAA    2001:dc3::35

;; Query time: 110 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Tue Feb 26 15:05:57 2008
;; MSG SIZE  rcvd: 615
<<<

# localdomain解決用 -------------------------
>>> localdomain.zone
$TTL 86400
; Names without a trailing dot are relative to the zone origin
; (localdomain), so "localhost" below is localhost.localdomain.
@			IN SOA localhost root (
					2012051100; serial
					3H; refresh
					15M; retry
					1W; expiry
					1D; minimum
			)
			IN	NS		localhost
localhost	IN	A		127.0.0.1
localhost	IN	AAAA	::1
<<<

# localhost解決用 ---------------------------
>>> localhost.zone
$TTL 86400
; @ is the zone origin (localhost); SOA, NS, A and AAAA all sit at the apex.
@			IN SOA @ root (
					2012051100; serial
					3H; refresh
					15M; retry
					1W; expiry
					1D; minimum
			)
			IN	NS		@
			IN	A		127.0.0.1
			IN	AAAA	::1
<<<

# loopbackアドレス逆引き解決用 --------------
>>> named.local
$TTL    86400
; reverse zone 0.0.127.in-addr.arpa; the owner "1" is 127.0.0.1
@			IN SOA localhost. root.localhost. (
					2012051100; serial
					3H; refresh
					15M; retry
					1W; expiry
					1D; minimum
			)
			IN	NS		localhost.
1			IN	PTR		localhost.
<<<
# 同一内容のファイルだが分けて作成しておく
>>> named.ip6.local
$TTL    86400
; reverse zone for ::1 (the ip6.arpa zone in named.rfc1912-zones.conf);
; "1" is the final nibble.  Deliberately a separate file even though the
; content matches named.local.
@			IN SOA localhost. root.localhost. (
					2012051100; serial
					3H; refresh
					15M; retry
					1W; expiry
					1D; minimum
			)
			IN	NS		localhost.
1			IN	PTR		localhost.
<<<

# 無効なエントリ外部問い合わせ防止用 --------
>>> named.invalid
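$TTL 86400
; Shared by the 0/8, 255/8 and RFC 1918 reverse zones: SOA and NS only,
; so every name below the apex gets a local NXDOMAIN instead of a query
; to the forwarders.  RNAME corrected from "root.localhosts." to match
; the other loopback zone files.
@			IN SOA localhost. root.localhost. (
					2012051100; serial
					3H; refresh
					15M; retry
					1W; expiry
					1D; minimum
			)
			IN	NS		localhost.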
<<<


[rndc] ----------------------------------------------------------
# rndc key fileの作成
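# -a writes the key file itself (default /etc/rndc.key, made explicit with
# -c), so no shell redirect is needed; the original "> /etc/rndc.key" would
# truncate the file even when rndc-confgen fails.  The key name must match
# the controls statement in named.conf (rndckey).  On releases that accept
# -A, prefer "-A hmac-sha256" over the historical hmac-md5 default.
rndc-confgen -a -c /etc/rndc.key -r /dev/urandom -b 512 -k rndckey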


[パーミッションの設定] ------------------------------------------
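# Config lives in /etc, zone data in /var/named (adjust both prefixes when
# the chroot layout from the header note is in use).  root:named 0640 lets
# named read the files while keeping rndc.key away from other users.
# named.ca is not listed: it follows the OS/package copy (see its note).
for NAME in /etc/{rndc.key,named.conf,named.global-zones.conf,named.rfc1912-zones.conf} \
    /var/named/{localdomain.zone,localhost.zone,named.invalid,named.ip6.local,named.local}; do
  chown root:named "$NAME"
  chmod 640 "$NAME"
done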


[ファイル例] ----------------------------------------------------
>>> zoneファイルの例
$ORIGIN example.com.
$TTL 86400 ; 1 day
; serial must increase on every edit (yyyymmddnn convention) or
; secondaries never pick up the change
@			IN	SOA	ns1.example.com. root.ns1.example.com. (
				yyyymmddnn	; serial
				28800		; refresh (8 hour)
				86400		; retry (1 day)
				3600000		; expire (5 weeks 6 days 16 hours)
				3600		; minimum (1 hour)
			)
; relative names below are completed with $ORIGIN
			NS	ns1
			NS	ns2
			MX	10 po
;
ns1			A	aaa.aaa.aaa.aaa
ns2			A	bbb.bbb.bbb.bbb
www			A	ccc.ccc.ccc.ccc
po			A	ddd.ddd.ddd.ddd
<<<

>>> 逆引zoneファイルの例
$TTL 86400
; origin is the in-addr.arpa zone name from named.conf, so the bare
; numbers below are the last octet of each host
@			IN SOA ns1.example.com. root.ns1.example.com. (
				yyyymmddnn	; Serial
				8H		; Refresh
				2H		; Retry
				1W		; Expire
				1D		; Minimum TTL
			)
; name servers
			IN      NS	ns1.example.com.
			IN      NS	ns2.example.com.
; server group
249	     IN      PTR     gw.example.com.
250	     IN      PTR     ns1.example.com.
251	     IN      PTR     ns2.example.com.
<<<


[作業例] --------------------------------------------------------
# become root; this section assumes the RHEL chroot layout
# (/var/named/chroot) described in the header note
su -
cd /var/named/chroot/etc
# keep the distribution file for reference before replacing it
mv named.conf named.conf.orig
>>> vi named.conf
# /etc/named.confの例どおり
<<<


>>> vi named.local-zone.conf
// masters ====================================================
// NOTE: the named.conf example above includes only
// /etc/named.rfc1912-zones.conf and /etc/named.global-zones.conf; this
// file is not included by view "local", so the zone below will not load
// until an include for it is added there.
zone "systemix.local" IN {
	type master;
	file "db.systemix.local";
	// overrides the "mylocals" restriction from options; view "local"
	// already limits clients through match-clients
	allow-query { any; };
	//allow-transfer { secondary.dns.ip.addrs; };
};

// slaves =====================================================
//zone "example.jp" IN {
//	type slave;
//	file "slave/db.example.jp";
//	masters { primary.dns.ip.addrs; };
//	allow-query { any; };
//};

// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
//	type master;
//	file "primary/rev.nnn.nnn.nnn.nnn_nn";
//	allow-query { any; };
//};
<<<


>>> vi named.global-zone.conf
// masters ====================================================
// NOTE: named.conf includes /etc/named.global-zones.conf (plural) while
// this file is named.global-zone.conf; the names must agree or the zone
// below is never loaded.
zone "systemix.ne.jp" IN {
	type master;
	file "db.systemix.ne.jp";
	// required: options restricts queries to "mylocals", and view
	// "global" serves the Internet
	allow-query { any; };
	// transfers stay denied (options allow-transfer { none; }) until
	// secondary addresses are filled in here
	//allow-transfer { secondary.dns.ip.addrs; };
};

// slaves =====================================================
//zone "example.jp" IN {
//	type slave;
//	file "slave/db.example.jp";
//	masters { primary.dns.ip.addrs; };
//	allow-query { any; };
//};

// reverses ===================================================
//zone "nnn.nnn.nnn.nnn.in-addr.arpa" IN {
//	type master;
//	file "primary/rev.nnn.nnn.nnn.nnn_nn";
//	allow-query { any; };
//};
<<<
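# root:named 0640 matches the permission section above (this step used
# 644); named reads the files through its group.  The symlinks presumably
# make the /etc/... include paths from named.conf resolve outside the
# chroot as well -- confirm against the init script in use.
chown root:named named.conf named.local-zone.conf named.global-zone.conf
chmod 640 named.conf named.local-zone.conf named.global-zone.conf
ln -s /var/named/chroot/etc/named.local-zone.conf /etc
ln -s /var/named/chroot/etc/named.global-zone.conf /etc

cd /var/named/chroot/var/named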

>>> vi db.systemix.local
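; zone "systemix.local" (named.local-zone.conf).  $ORIGIN and the SOA
; names are set to systemix.local.; the original carried
; $ORIGIN systemix.ne.jp., which would place every record outside this
; zone and make named-checkzone reject the file.
$ORIGIN systemix.local.
$TTL 86400 ; 1 day
@			IN	SOA	ns1.systemix.local. root.systemix.local. (
				2007021000	; serial
				28800		; refresh (8 hour)
				86400		; retry (1 day)
				3600000		; expire (5 weeks 6 days 16 hours)
				3600		; minimum (1 hour)
			)
			IN	NS	ns1
			IN	NS	ns2
			IN	MX 10	po
;
			IN	A	192.168.1.3
ns1			IN	A	192.168.1.3
ns2			IN	A	192.168.1.3
po			IN	A	192.168.1.3
www			IN	A	192.168.1.3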
<<<

>>> vi db.systemix.ne.jp
; zone "systemix.ne.jp" (named.global-zone.conf), served to the Internet
; through view "global".  ns1 and ns2 point at the same address, so the
; second NS adds no redundancy.  Bump the serial on every edit.
$ORIGIN systemix.ne.jp.
$TTL 86400 ; 1 day
@			IN	SOA	ns1.systemix.ne.jp. root.systemix.ne.jp. (
				2007021000	; serial
				28800		; refresh (8 hour)
				86400		; retry (1 day)
				3600000		; expire (5 weeks 6 days 16 hours)
				3600		; minimum (1 hour)
			)
			IN	NS	ns1
			IN	NS	ns2
			IN	MX 10	po
;
			IN	A	203.141.146.155
ns1			IN	A	219.105.44.7
ns2			IN	A	219.105.44.7
po			IN	A	203.141.146.155
www			IN	A	203.141.146.155
<<<


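# Ownership differs from the root:named 0640 used in the permission
# section above; for static master zones root:named 0640 is enough, so
# align the two unless named must write these files.  The symlinks expose
# the chroot copies under /var/named.
for NAME in db.systemix.local db.systemix.ne.jp; do
  chown named:named "$NAME";
  chmod 644 "$NAME";
  ln -s /var/named/chroot/var/named/"$NAME" /var/named;
done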

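# named-checkconf validates named.conf (use -t /var/named/chroot when the
# includes are only reachable inside the chroot).  named-checkzone takes
# the zone name from the zone statement: db.systemix.local belongs to
# systemix.local, not systemix.ne.jp as originally written.
named-checkconf
named-checkzone systemix.local /var/named/db.systemix.local
named-checkzone systemix.ne.jp /var/named/db.systemix.ne.jp

chkconfig named on
/etc/init.d/named restart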

cd /etc
>>> vi /etc/resolv.conf
# 以下を先頭に追加
# first entry, so the local named is tried before any other resolver listed
nameserver 127.0.0.1