総ダウンロード容量: 1.8 M
インストール容量: 4.3 M
Is this ok [y/d/N]: y
Downloading packages:
bind-9.9.4-38.el7_3.2.x86_64.rpm                                   | 1.8 MB  00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  インストール中          : 32:bind-9.9.4-38.el7_3.2.x86_64                          1/1
  検証中                  : 32:bind-9.9.4-38.el7_3.2.x86_64                          1/1

総ダウンロード容量: 85 k
インストール容量: 3.3 k
Is this ok [y/d/N]: y
Downloading packages:
bind-chroot-9.9.4-38.el7_3.2.x86_64.rpm                            |  85 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  インストール中          : 32:bind-chroot-9.9.4-38.el7_3.2.x86_64                   1/1
  検証中                  : 32:bind-chroot-9.9.4-38.el7_3.2.x86_64                   1/1

インストール:
  bind-chroot.x86_64 32:9.9.4-38.el7_3.2

完了しました!
[root@centos7 ~]#
[root@centos7 ~]# cd /var/named/          ← check whether the chroot directory was created
[root@centos7 named]# ls                  ← check whether the chroot directory was created
chroot  data  dynamic  named.ca  named.empty  named.localhost  named.loopback  slaves
                                          ← confirmed: the chroot directory exists
[root@centos7 named]#

[root@centos7 etc]# cd /var/named/chroot/etc/named/   ← check the files after installing bind and bind-chroot
[root@centos7 named]# ls
[root@centos7 named]#                     ← no files yet, because the service has not been started

[root@centos7 named]# systemctl enable named.service   ← make named start automatically at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@centos7 named]# systemctl start named.service    ← start named
[root@centos7 named]# systemctl status named.service   ← check that named started correctly
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2017-04-16 07:01:02 JST; 6s ago
  Process: 5566 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5563 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5568 (named)
   CGroup: /system.slice/named.service
           └─5568 /usr/sbin/named -u named

4月 16 07:01:02 centos7.journey.dix.asia named[5568]: command channel listening on ::1#953
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: managed-keys-zone: loaded serial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: zone 0.in-addr.arpa/IN: loaded serial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: zone localhost.localdomain/IN: loaded serial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: zone localhost/IN: loaded serial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip…ial 0
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: all zones loaded
4月 16 07:01:02 centos7.journey.dix.asia named[5568]: running
4月 16 07:01:02 centos7.journey.dix.asia systemd[1]: Started Berkeley Internet Name Domain (DNS).
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 named]# systemctl enable named-chroot   ← make named-chroot start automatically at boot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
[root@centos7 named]# systemctl start named-chroot    ← start named-chroot
[root@centos7 named]# systemctl status named-chroot   ← check the status of named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2017-04-16 07:04:06 JST; 5s ago
  Process: 5830 ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 5826 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 5831 (named)
   CGroup: /system.slice/named-chroot.service
           └─5831 /usr/sbin/named -u named -t /var/named/chroot

4月 16 07:04:06 centos7.journey.dix.asia named[5831]: couldn't add command channel ::1#953: address in use
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: managed-keys-zone: journal file is out of date: removing journal file
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: managed-keys-zone: loaded serial 2
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: zone 0.in-addr.arpa/IN: loaded serial 0
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: zone localhost/IN: loaded serial 0
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: zone localhost.localdomain/IN: loaded serial 0
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip…ial 0
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: all zones loaded
4月 16 07:04:06 centos7.journey.dix.asia named[5831]: running
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 named]# pwd
/var/named/chroot/etc/named
[root@centos7 named]# ls   ← check whether configuration files were created under /var/named/chroot/etc/named/. They were not.

[root@centos7 named]# cd /var/named/chroot/etc/
[root@centos7 etc]# ls
localtime  named  named.conf  named.iscdlv.key  named.rfc1912.zones  named.root.key  pki  rndc.key

[root@centos7 etc]# cd /var/named/chroot/etc/named/
[root@centos7 named]# ls   ← still no files in the /var/named/chroot/etc/named directory either
[root@centos7 etc]# pwd
/var/named/chroot/etc
[root@centos7 etc]# ls -l
合計 24
-rw-r--r-- 2 root root   292  3月  9 06:25 localtime
drwxr-x--- 2 root named    6  2月 15 22:16 named
-rw-r----- 1 root named 1705  3月 22  2016 named.conf
-rw-r--r-- 1 root named 2389  2月 15 22:16 named.iscdlv.key
-rw-r----- 1 root named  931  6月 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487  7月 19  2010 named.root.key
drwxr-x--- 3 root named   25  4月 15 23:00 pki
-rw-r----- 1 root named   77  4月 16 07:01 rndc.key
[root@centos7 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
[root@centos7 named]# vi tama-chan.local.zone   ← edit tama-chan.local.zone so that it looks like the following

[root@centos7 named]# cat tama-chan.local.zone
$TTL 1D
@       IN SOA  ns.tama-chan.local. root.tama-chan.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.tama-chan.local.
@       IN A    192.168.1.10
ns      IN A    192.168.1.10
PC      IN A    192.168.1.3
[root@centos7 named]#

[root@centos7 named]# named-checkzone tama-chan.local /var/named/chroot/var/named/tama-chan.local.zone
zone tama-chan.local/IN: loaded serial 0
OK
[root@centos7 named]#
[root@centos7 etc]# cd /var/named/chroot/etc
[root@centos7 etc]# vi named.conf   ← edit named.conf so that it looks like the following

[root@centos7 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
[root@centos7 etc]# cat /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

zone "tama-chan.local" IN {
        type master;
        file "tama-chan.local.zone";
        allow-query { localhost; };   ← this was the reason queries from the Windows PC were being refused
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@centos7 etc]#
I fixed it as follows.

[root@centos7 etc]# vi named.conf   ← edit named.conf as follows

[root@centos7 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
[root@centos7 named]# cat tama-chan.local.zone
$TTL 1D
@       IN SOA  ns.tama-chan.local. root.tama-chan.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.tama-chan.local.
@       IN A    192.168.1.10
ns      IN A    192.168.1.10
PC      IN A    192.168.1.3
[root@centos7 named]#

[root@centos7 named]# cp -ip tama-chan.local.zone 1.168.192.in-addr.arpa.zone
[root@centos7 named]# pwd
/var/named/chroot/var/named
[root@centos7 named]# cat 1.168.192.in-addr.arpa.zone
$TTL 1D
@       IN SOA  ns.tama-chan.local. root.tama-chan.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN NS   ns.tama-chan.local.
10      IN PTR  tama-chan.local.
10      IN PTR  ns.tama-chan.local.
3       IN PTR  PC.tama-chan.local.
[root@centos7 named]#
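The reverse zone above was produced by copying the forward zone file and hand-editing each A record into a PTR record, where the owner name is the last octet relative to the 1.168.192.in-addr.arpa origin and the data is the fully qualified host name. The script below does the same derivation mechanically for any /24, and also computes the in-addr.arpa zone name that has to go into the zone statement in named.conf. It is an added example written for this page, not code from the post or from the BIND project; the forward zone it reads is constructed from the tama-chan.local records shown above, and the function names are my own.

```shell
#!/bin/sh
# Build a reverse (in-addr.arpa) zone from the A records of a forward zone.
# Added example; the zone data is constructed from the records in the post.

# Constructed sample input: the forward zone as shown in the post.
SAMPLE_FORWARD_ZONE='$TTL 1D
@       IN SOA  ns.tama-chan.local. root.tama-chan.local. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      ns.tama-chan.local.
@       IN A    192.168.1.10
ns      IN A    192.168.1.10
PC      IN A    192.168.1.3'

# Zone name for a /24: the three network octets reversed, plus in-addr.arpa.
#   reverse_zone_name 192.168.1  ->  1.168.192.in-addr.arpa
reverse_zone_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# Read a forward zone on stdin; print one PTR record for every A record whose
# address lies inside the /24 prefix $2.  $1 is the forward origin (no trailing dot).
# The owner of each PTR is the host octet, relative to the in-addr.arpa origin.
gen_ptr_records() {
    awk -v origin="$1" -v prefix="$2" '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }       # comments, blank lines
        {
            # find "IN A <addr>" anywhere on the line (a TTL field may precede it)
            for (i = 2; i < NF; i++) {
                if ($i == "IN" && $(i + 1) == "A") {
                    addr = $(i + 2)
                    if (index(addr, prefix ".") != 1) break   # not in our /24
                    split(addr, o, ".")
                    fqdn = ($1 == "@") ? origin "." : $1 "." origin "."
                    printf "%s IN PTR %s\n", o[4], fqdn
                    break
                }
            }
        }'
}

# Print a complete reverse zone: SOA/NS from the arguments, PTRs derived from
# the forward zone on stdin.  $1 origin, $2 /24 prefix, $3 primary NS (with
# trailing dot), $4 hostmaster mailbox in zone-file form (with trailing dot).
gen_reverse_zone() {
    printf '$TTL 1D\n'
    printf '@       IN SOA  %s %s (\n' "$3" "$4"
    printf '                                        0       ; serial\n'
    printf '                                        1D      ; refresh\n'
    printf '                                        1H      ; retry\n'
    printf '                                        1W      ; expire\n'
    printf '                                        3H )    ; minimum\n'
    printf '        IN NS   %s\n' "$3"
    gen_ptr_records "$1" "$2"
}

# Demo: regenerate the zone the post builds by hand.
echo "; zone name for named.conf: $(reverse_zone_name 192.168.1)"
printf '%s\n' "$SAMPLE_FORWARD_ZONE" |
    gen_reverse_zone tama-chan.local 192.168.1 ns.tama-chan.local. root.tama-chan.local.
```

Because both `@` and `ns` point at 192.168.1.10, the generated zone carries two PTR records for host 10, exactly as the hand-edited file does. That is legal, but many resolvers and tools use only the first PTR they receive, so keeping a single PTR (the host name, `ns`) per address is the usual practice.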
Editing the named.conf file

I added the reverse-lookup zone section as follows.

[root@centos7 etc]# cat named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
[root@centos7 etc]# named-checkconf /var/named/chroot/etc/named.conf
[root@centos7 etc]# named-checkconf -t /var/named/chroot /etc/named.conf
[root@centos7 etc]# systemctl restart named-chroot
[root@centos7 etc]# systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since 日 2017-04-16 16:32:13 JST; 7s ago
  Process: 3140 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)
  Process: 3226 ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 3223 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 3228 (named)
   CGroup: /system.slice/named-chroot.service
           └─3228 /usr/sbin/named -u named -t /var/named/chroot

4月 16 16:32:13 centos7 named[3228]: managed-keys-zone: loaded serial 2
4月 16 16:32:13 centos7 named[3228]: zone 0.in-addr.arpa/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: zone localhost/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0…al 0
4月 16 16:32:13 centos7 named[3228]: zone 1.168.192.in-addr.arpa.zone/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: zone tama-chan.local/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: zone localhost.localdomain/IN: loaded serial 0
4月 16 16:32:13 centos7 named[3228]: all zones loaded
4月 16 16:32:13 centos7 named[3228]: running
Hint: Some lines were ellipsized, use -l to show in full.
[root@centos7 etc]#
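named-checkconf passed twice above, yet this session shows two zone-level problems that it cannot catch because both are syntactically valid. The first is the `allow-query { localhost; };` on the tama-chan.local zone, identified earlier as the reason the Windows PC's queries were refused. The second is visible in the final status output: named logs a zone by its DNS name, not its file name, and it reports `zone 1.168.192.in-addr.arpa.zone/IN: loaded serial 0`, so the reverse zone appears to have been declared with the `.zone` file suffix as part of its name; a PTR lookup for 192.168.1.3 asks for 3.1.168.192.in-addr.arpa and would never be answered by a zone named 1.168.192.in-addr.arpa.zone. The sh/awk linter below flags both patterns before a restart. It is an added example for this page, not code from the post or from ISC BIND, and the two named.conf fragments it checks are constructed to mirror what the session suggests (the corrected version simply adds the LAN prefix to allow-query and drops the suffix from the zone name).

```shell
#!/bin/sh
# Lint zone statements in a named.conf for two mistakes named-checkconf accepts:
#   1. a "type master" zone whose allow-query is exactly { localhost; }
#      (every client other than the server itself gets REFUSED);
#   2. a zone name ending in ".zone" (a file name pasted into the zone statement;
#      named will load it, but no real query name ever matches it).
# Added example; the configuration fragments below are constructed.

# Constructed: the zone statements as this session suggests they looked.
BAD_CONF='zone "tama-chan.local" IN {
        type master;
        file "tama-chan.local.zone";
        allow-query { localhost; };
};
zone "1.168.192.in-addr.arpa.zone" IN {
        type master;
        file "1.168.192.in-addr.arpa.zone";
        allow-query { localhost; 192.168.1.0/24; };
};
include "/etc/named.rfc1912.zones";'

# Constructed: the same two zones with both problems corrected.
GOOD_CONF='zone "tama-chan.local" IN {
        type master;
        file "tama-chan.local.zone";
        allow-query { localhost; 192.168.1.0/24; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "1.168.192.in-addr.arpa.zone";
        allow-query { localhost; 192.168.1.0/24; };
};'

# Read named.conf on stdin and print one "WARN ..." line per finding.
# Assumes the Red Hat layout (zone name is the second token of the "zone" line);
# block nesting is tracked by counting braces, so multi-line blocks are fine.
lint_named_conf() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            name = $2; gsub(/"/, "", name)
            zone = name; depth = 0; opened = 0; master = 0; localonly = 0
            if (name ~ /\.zone$/)
                printf "WARN zone \"%s\": name ends in .zone (file name used as zone name?)\n", name
        }
        zone != "" {
            if ($0 ~ /type[[:space:]]+master[[:space:]]*;/) master = 1
            # matches only when localhost is the sole entry in the ACL
            if ($0 ~ /allow-query[[:space:]]*[{][[:space:]]*localhost[[:space:]]*;[[:space:]]*[}]/) localonly = 1
            depth += gsub(/[{]/, "{")
            depth -= gsub(/[}]/, "}")
            if (depth > 0) opened = 1
            if (opened && depth <= 0) {          # closing "};" of the zone block
                if (master && localonly)
                    printf "WARN zone \"%s\": master zone answers only localhost (allow-query { localhost; })\n", zone
                zone = ""
            }
        }'
}

# Number of findings for the configuration on stdin (0 means clean).
count_warnings() {
    lint_named_conf | wc -l | tr -d ' '
}

# Demo: the constructed "before" configuration yields two warnings.
printf '%s\n' "$BAD_CONF" | lint_named_conf
```

To run it against a live server, feed it the file named-chroot actually reads: `lint_named_conf < /var/named/chroot/etc/named.conf`. The linter does not cover the other warning in this session, `couldn't add command channel ::1#953: address in use` in the first named-chroot log, which appears because named.service (started at 07:01 and already listening on ::1#953) and named-chroot.service (started at 07:04) both run /usr/sbin/named; with bind-chroot installed only one of the two units should be enabled.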