**CentOS 8 is no longer a supported target, since its support ends on December 31, 2020, but this article was almost finished, so I am publishing it anyway.**
| package name | Use | Remarks |
|---|---|---|
| bind | BIND itself (the named daemon plus named-checkconf / named-checkzone) | |
| bind-chroot | chroot environment for BIND (the named-chroot service) | For security, install it and run named inside the chroot unless there is a specific reason not to. |
| bind-utils | Client and debugging tools (dig, host, nslookup) | |
Check whether the required packages are installed, and install any that are missing.
[user01@cent8 ~]$ rpm -q bind bind-chroot bind-utils
Package bind is not installed.
Package bind-chroot is not installed.
bind-utils-9.11.4-26.P2.el8.x86_64
[user01@cent8 ~]$ sudo dnf install -y bind bind-chroot
The files involved are listed below. Only the rows marked ○ need to be edited for this setup.

| Edit? | Item | File | Remarks |
|---|---|---|---|
| ○ | Main configuration | /etc/named.conf | |
| ○ | Forward zone file | /var/named/example.co.jp_zone (created) | Match the domain part to your environment |
| ○ | Reverse zone file | /var/named/192.168.1.0_rev (created) | Match the IP part to your environment |
| | rndc configuration file | /etc/rndc.conf | Not needed in the default setup; rndc uses /etc/rndc.key |
| | rndc key file | /etc/rndc.key | Automatically generated (rndc-confgen -a) |
| | DNSSEC lookaside (DLV) key | /etc/named.iscdlv.key | No setting required; the DLV registry has been retired |
| | Recommended localhost zones | /etc/named.rfc1912.zones | No setting required |
| | Root zone trust anchor (DNSKEY) | /etc/named.root.key | No setting required |
| | Root hints | /var/named/named.ca | If missing or stale, regenerate with `dig @a.root-servers.net . ns > /var/named/named.ca` (full command at the end of this article). It rarely needs updating, but remember how to do it |
| | Secondary zone data | /var/named/slaves | Where zone data transferred from the master is stored when this server runs as a slave (secondary) |
| | Statistics and debug output | /var/named/data | Directory for statistics dumps and named.run |
| | chroot directory | /var/named/chroot | The files and directories named needs are bind-mounted under this directory at startup; you do not need to think about the chroot when editing |

When running with chroot, pay attention to where the configuration files live. The path of the real file and the path named reads after bind-chroot starts are different, but the difference is resolved because the named-chroot service bind-mounts the files under the chroot directory at startup. So edit the configuration files and place the zone files at the real (SOURCE-side) locations such as /etc/named.conf and /var/named; do not copy anything into /var/named/chroot yourself.
The mounts look like this:
[user01@cent8 ~]$ findmnt /dev/mapper/cl-root
TARGET SOURCE FSTYPE OPTIONS
/ /dev/mapper/cl-root xfs rw,relatime,seclab
/var/named/chroot/etc/localtime /dev/mapper/cl-root[/usr/share/zoneinfo/Asia/Tokyo] xfs rw,relatime,seclab
/var/named/chroot/etc/named.root.key /dev/mapper/cl-root[/etc/named.root.key] xfs rw,relatime,seclab
/var/named/chroot/etc/named.conf /dev/mapper/cl-root[/etc/named.conf] xfs rw,relatime,seclab
/var/named/chroot/etc/named.rfc1912.zones /dev/mapper/cl-root[/etc/named.rfc1912.zones] xfs rw,relatime,seclab
/var/named/chroot/etc/rndc.key /dev/mapper/cl-root[/etc/rndc.key] xfs rw,relatime,seclab
/var/named/chroot/etc/crypto-policies/back-ends/bind.config /dev/mapper/cl-root[/usr/share/crypto-policies/DEFAULT/bind.txt] xfs rw,relatime,seclab
/var/named/chroot/etc/protocols /dev/mapper/cl-root[/etc/protocols] xfs rw,relatime,seclab
/var/named/chroot/etc/services /dev/mapper/cl-root[/etc/services] xfs rw,relatime,seclab
/var/named/chroot/etc/named /dev/mapper/cl-root[/etc/named] xfs rw,relatime,seclab
/var/named/chroot/usr/lib64/bind /dev/mapper/cl-root[/usr/lib64/bind] xfs rw,relatime,seclab
/var/named/chroot/usr/share/GeoIP /dev/mapper/cl-root[/usr/share/GeoIP] xfs rw,relatime,seclab
/var/named/chroot/var/named /dev/mapper/cl-root[/var/named] xfs rw,relatime,seclab
[user01@cent8 ~]$
Configure the basic settings for BIND in /etc/named.conf. Compared with the package default, this adds an ACL for the internal networks, stops restricting listen-on to loopback, limits general queries and cache access to that ACL while leaving the authoritative zones queryable by anyone, disables zone transfers except to the secondary, and hides the version and hostname. Because allow-recursion is not set, BIND derives it from allow-query-cache, so outside clients can query the authoritative zones but cannot use this server as a recursive resolver (the amplification risk the comment in the file warns about).
[user01@cent8 ~]$ sudo vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
acl internals { // ACL added: the clients allowed to use this server as a resolver
127.0.0.1;
192.168.1.0/24;
};
options {
//listen-on port 53 { 127.0.0.1; }; // commented out so named is not limited to loopback (see the lsof output later)
//listen-on-v6 port 53 { ::1; }; // commented out
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
secroots-file "/var/named/data/named.secroots";
recursing-file "/var/named/data/named.recursing";
allow-query { internals; }; // changed from localhost to internals
allow-query-cache { internals; }; // added: only internal clients may read the cache (allow-recursion follows this, so outsiders cannot recurse)
allow-transfer { none; }; // added: no zone transfers by default (overridden per zone below)
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
recursion yes;
version ""; // hide the BIND version from version.bind CHAOS queries
hostname ""; // likewise hide the hostname (hostname.bind)
dnssec-enable yes;
dnssec-validation yes;
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
/* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
include "/etc/crypto-policies/back-ends/bind.config";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
// Authoritative zone settings
zone "example.co.jp" IN {
type master;
allow-query { any; };
allow-transfer { 192.168.1.11; }; // secondary (slave) server, if any
file "example.co.jp_zone"; // zone file name, relative to the directory option
notify yes; // send NOTIFY to the secondaries when the zone changes
also-notify { 192.168.1.11; }; // explicitly notify this secondary (useful when it is not reachable via the NS records, e.g. a private IP)
};
zone "1.168.192.in-addr.arpa" IN {
type master;
allow-query { any; };
allow-transfer { 192.168.1.11; }; // secondary (slave) server, if any
file "192.168.1.0_rev"; // zone file name, relative to the directory option
notify yes; // send NOTIFY to the secondaries when the zone changes
also-notify { 192.168.1.11; }; // explicitly notify this secondary (useful when it is not reachable via the NS records, e.g. a private IP)
};
include "/etc/rndc.key";
// The controls block below is optional: when no controls statement is present and
// /etc/rndc.key exists, named behaves as if exactly this were configured
// (loopback only, port 953, key "rndc-key"). It is shown as a reference for when
// you need to change it.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Run named-checkconf and make sure it reports nothing; it prints only errors, so silence means the file parsed. Adding -z also test-loads every zone referenced from named.conf (the named-chroot unit runs the same check with -t /var/named/chroot before starting named).
[user01@cent8 ~]$ sudo named-checkconf /etc/named.conf
[sudo] password for user01:
[user01@cent8 ~]$
[user01@cent8 ~]$ sudo vi /var/named/example.co.jp_zone
; example.co.jp (forward zone)
$TTL 86400
@ IN SOA ns1.example.co.jp. postmaster.ns1.example.co.jp. (
2020061901 ;Serial - YYYYMMDDnn, increment it every time the zone changes
7200 ;Refresh
1800 ;Retry
1209600 ;Expire
900 ;Negative cache TTL
)
@ IN NS ns1.example.co.jp.
@ IN NS ns2.example.co.jp.
; @ IN TXT "v=spf1 +ip4:xxx.xxx.xxx.xxx ~all"
ns1 IN A 192.168.1.10
ns2 IN A 192.168.1.11
localhost IN A 127.0.0.1
[user01@cent8 ~]$ sudo vi /var/named/192.168.1.0_rev
; 1.168.192.in-addr.arpa (reverse zone)
$TTL 86400
@ IN SOA ns1.example.co.jp. postmaster.ns1.example.co.jp. (
2020061901 ;Serial - YYYYMMDDnn, increment it every time the zone changes
7200 ;Refresh
1800 ;Retry
1209600 ;Expire
900 ;Negative cache TTL
)
@ IN NS ns1.example.co.jp.
@ IN NS ns2.example.co.jp.
10 IN PTR ns1.example.co.jp.
11 IN PTR ns2.example.co.jp.
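The serial in both zone files above must be increased on every change, otherwise the secondary keeps serving the old data. The following shell functions are an added example, not part of the original article: they bump a YYYYMMDDnn serial without ever letting it go backwards, rewrite the zone file in place, and validate it with named-checkzone when that tool (from the bind package) is installed. They assume the serial sits on its own line tagged with a `;Serial` comment as in the files above; the function names and the counter limit of 99 per day are my own choices.

```bash
# Added example (not from the original article): bump a zone file's SOA serial
# and validate the result before reloading. Assumes the YYYYMMDDnn serial
# convention used above and a serial line tagged with a ";Serial" comment.

# next_serial CURRENT [TODAY]
# Print the serial to use next. TODAY defaults to the current date (YYYYMMDD).
# If CURRENT already belongs to today, increment the two-digit counter;
# otherwise start today's counter at 01. Refuses to go backwards (a serial
# that decreases is ignored by secondaries, RFC 1982) or past 99 in one day.
next_serial() {
  cur=$1
  today=${2:-$(date +%Y%m%d)}
  case "$cur" in
    ''|*[!0-9]*) echo "serial '$cur' is not numeric" >&2; return 1 ;;
  esac
  case "$cur" in
    "$today"[0-9][0-9])
      n=${cur#"$today"}   # two-digit counter
      n=${n#0}            # drop a leading zero so 08/09 are not read as octal
      n=$((n + 1))
      if [ "$n" -gt 99 ]; then
        echo "counter exhausted for $today" >&2; return 1
      fi
      printf '%s%02d\n' "$today" "$n"
      ;;
    *)
      if [ "$cur" -ge "${today}01" ]; then
        echo "current serial $cur is ahead of ${today}01; check the clock" >&2; return 1
      fi
      printf '%s01\n' "$today"
      ;;
  esac
}

# bump_zone_serial FILE [TODAY]
# Rewrite the ";Serial" line of FILE in place and print the new serial.
bump_zone_serial() {
  file=$1
  cur=$(awk '/;[[:space:]]*Serial/ { print $1; exit }' "$file")
  [ -n "$cur" ] || { echo "no ;Serial line found in $file" >&2; return 1; }
  new=$(next_serial "$cur" "$2") || return 1
  sed -i "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$file"
  echo "$new"
}

# check_zone ZONE FILE
# Validate with named-checkzone (bind package) when it is installed; only warn otherwise.
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2"
  else
    echo "named-checkzone not installed; skipping check of $2" >&2
  fi
}

# Typical use on the server (as root), reloading only the changed zone:
#   bump_zone_serial /var/named/example.co.jp_zone \
#     && check_zone example.co.jp /var/named/example.co.jp_zone \
#     && rndc reload example.co.jp
```

Because the zone files are read from the real path (/var/named is bind-mounted into the chroot), the script edits the same file named loads; `rndc reload example.co.jp` then picks up the new serial and triggers the NOTIFY to the secondary.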
If you use the chroot-enabled BIND, the service to start is named-chroot; be careful not to start named by mistake. Both units run the same /usr/sbin/named and would compete for port 53, so disable named first.
[user01@cent8 ~]$ sudo systemctl disable named --now
[user01@cent8 ~]$ sudo systemctl enable named-chroot --now
Created symlink /etc/systemd/system/multi-user.target.wants/named-chroot.service → /usr/lib/systemd/system/named-chroot.service.
[user01@cent8 ~]$
[user01@cent8 ~]$ sudo systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
Active: active (running) since Sun 2020-11-29 17:02:47 JST; 8s ago
Process: 16297 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS)
Process: 16288 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMED>
Main PID: 16300 (named)
Tasks: 7 (limit: 37880)
Memory: 56.1M
CGroup: /system.slice/named-chroot.service
└─16300 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot
November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2020061901
November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0
November 29 17:02:47 cent8.example.co.jp named[16300]: zone example.co.jp/IN: loaded serial 2020061901
November 29 17:02:47 cent8.example.co.jp named[16300]: all zones loaded
November 29 17:02:47 cent8.example.co.jp named[16300]: running
November 29 17:02:47 cent8.example.co.jp named[16300]: zone 1.168.192.in-addr.arpa/IN: sending notifies (serial 2020061901)
November 29 17:02:47 cent8.example.co.jp named[16300]: zone example.co.jp/IN: sending notifies (serial 2020061901)
November 29 17:02:47 cent8.example.co.jp systemd[1]: Started Berkeley Internet Name Domain (DNS).
November 29 17:02:47 cent8.example.co.jp named[16300]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
November 29 17:02:47 cent8.example.co.jp named[16300]: resolver priming query complete
[user01@cent8 ~]$
[user01@cent8 ~]$ sudo lsof -P -i:53
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd-r 1353 systemd-resolve 16u IPv4 31263 0t0 UDP 127.0.0.53:53
named 16300 named 21u IPv4 85726 0t0 TCP localhost:53 (LISTEN)
named 16300 named 22u IPv4 85728 0t0 TCP cent8.example.co.jp:53 (LISTEN)
named 16300 named 512u IPv4 85722 0t0 UDP localhost:53
named 16300 named 513u IPv4 85722 0t0 UDP localhost:53
named 16300 named 514u IPv4 85722 0t0 UDP localhost:53
named 16300 named 515u IPv4 85727 0t0 UDP cent8.example.co.jp:53
named 16300 named 516u IPv4 85727 0t0 UDP cent8.example.co.jp:53
named 16300 named 517u IPv4 85727 0t0 UDP cent8.example.co.jp:53
[user01@cent8 ~]$
The lsof output above shows named listening on TCP and UDP 53 on both localhost and the host address (because listen-on was commented out), alongside systemd-resolved's stub listener on 127.0.0.53, which does not conflict. To allow queries from other hosts, open port 53 in the firewall. 53/udp alone is sometimes enough, but large responses (DNSSEC, many records) are truncated over UDP and retried over TCP, and zone transfers to the secondary always use TCP, so allow both tcp and udp; firewalld's dns service does exactly that.
[user01@cent8 ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[user01@cent8 ~]$
[user01@cent8 ~]$ sudo firewall-cmd --permanent --add-service=dns --zone=public
success
[user01@cent8 ~]$ sudo firewall-cmd --reload
success
[user01@cent8 ~]$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client dns https ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[user01@cent8 ~]$
Reference: the dns service used above is defined in /usr/lib/firewalld/services/dns.xml (53/tcp and 53/udp).
Day-to-day operation: start (and enable at boot) or stop (and disable) the service with systemctl, reload the configuration and zone files without restarting named with rndc reload, and check the server state with rndc status.
[user01@cent8 ~]$ sudo systemctl enable named-chroot --now
[user01@cent8 ~]$ sudo systemctl disable named-chroot --now
[user01@cent8 ~]$ sudo rndc reload
[user01@cent8 ~]$ sudo rndc status
version: BIND 9.11.13-RedHat-9.11.13-6.el8_2.1 (Extended Support Version) <id:ad4df16> ()
running on cent8.example.co.jp: Linux x86_64 4.18.0-193.28.1.el8_2.x86_64 #1 SMP Thu Oct 22 00:20:22 UTC 2020
boot time: Sun, 29 Nov 2020 08:02:47 GMT
last configured: Sun, 29 Nov 2020 08:02:47 GMT
configuration file: /etc/named.conf (/var/named/chroot/etc/named.conf)
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 105 (97 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/900/1000
tcp clients: 2/150
TCP high-water: 2
server is up and running
[user01@cent8 ~]$
Enable query logging when you need to see the actual queries for troubleshooting. It generates a large volume of log lines, so be sure to turn it off again after the investigation. rndc status shows the current state, and rndc querylog toggles it, as shown below.
The query log goes to the default_debug channel configured in named.conf, i.e. /var/named/data/named.run (the real path; inside the chroot named sees it as data/named.run).
Turning query logging on:
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is OFF
[user01@cent8 ~]$ sudo rndc querylog
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is ON
[user01@cent8 ~]$
Turning query logging off:
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is ON
[user01@cent8 ~]$ sudo rndc querylog
[user01@cent8 ~]$ sudo rndc status |grep query
query logging is OFF
[user01@cent8 ~]$
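Once query logging is on, named.run grows quickly and you rarely want to read it by hand. The awk-based shell functions below are an added example, not part of the original article: they summarise a BIND query log by client and flag clients that send ANY queries or exceed a query count, which is the pattern to look for when checking whether a resolver is being abused for amplification. The sample log lines are constructed to match the BIND 9.11 `client ... query:` line format and are not real output from this server; the function names and the default threshold are my own.

```bash
# Added example (not from the original article): summarise a BIND query log.
# SAMPLE_LOG is a constructed sample in the BIND 9.11 query-log line format;
# 203.0.113.7 is a documentation address standing in for an outside client.
SAMPLE_LOG='29-Nov-2020 17:10:01.123 client @0x7f3c4c0a1230 192.168.1.20#51234 (www.example.co.jp): query: www.example.co.jp IN A +E(0)K (192.168.1.10)
29-Nov-2020 17:10:01.456 client @0x7f3c4c0a1230 192.168.1.20#51235 (example.co.jp): query: example.co.jp IN MX -E(0) (192.168.1.10)
29-Nov-2020 17:10:02.001 client @0x7f3c4c0b9000 203.0.113.7#4444 (example.co.jp): query: example.co.jp IN ANY +E(0) (192.168.1.10)
29-Nov-2020 17:10:02.002 client @0x7f3c4c0b9000 203.0.113.7#4444 (example.co.jp): query: example.co.jp IN ANY +E(0) (192.168.1.10)
29-Nov-2020 17:10:03.500 client @0x7f3c4c0c1000 192.168.1.30#40000 (ns1.example.co.jp): query: ns1.example.co.jp IN AAAA +E(0)K (192.168.1.10)'

# querylog_summary: read query-log lines on stdin and print "client total any_count",
# most active client first. The client is located by its ip#port token, so the
# function does not depend on the "@0x..." pointer that some versions print.
querylog_summary() {
  awk '
    / query: / {
      client = ""; qtype = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { split($i, a, "#"); client = a[1] }
        if ($i == "query:") { qtype = $(i + 3) }   # query: NAME CLASS TYPE ...
      }
      if (client == "") next
      total[client]++
      if (qtype == "ANY") anyq[client]++
    }
    END { for (c in total) printf "%s %d %d\n", c, total[c], anyq[c] + 0 }
  ' | sort -k2,2nr -k1,1
}

# flag_abusers [THRESHOLD]: print clients that sent an ANY query or more than
# THRESHOLD queries (default 100) in the examined log. On a server whose
# resolver is meant for "internals" only, an outside address in this list means
# the ACLs or the firewall are not doing their job.
flag_abusers() {
  thr=${1:-100}
  querylog_summary | awk -v t="$thr" '$2 > t || $3 > 0 { print $1 }'
}

# On the real log (as root; the chroot bind-mounts /var/named, so the host path works):
#   flag_abusers 1000 < /var/named/data/named.run
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_LOG" | querylog_summary
```

Note that a high count alone is not proof of abuse (a busy mail server will legitimately ask for MX records all day); the combination of an unknown source address, ANY queries and a large response zone is what makes an amplification attempt stand out.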
To refresh the root hints file (named.ca), back up the current file, ask a root server for the current NS set of the root zone, and reload named. The same list is also published at https://www.internic.net/domain/named.root if you prefer to download it instead.
[user01@cent8 ~]$ sudo cp /var/named/named.ca /var/named/named.ca.`date +%Y%m%d`
[user01@cent8 ~]$ sudo sh -c "dig +noall +answer +add +bufsize=4096 @a.root-servers.net . ns > /var/named/named.ca"
[user01@cent8 ~]$ sudo rndc reload