This time, the procedure is to build a DNS server in the verification environment and perform forward and reverse lookups using A records and PTR records.
First, configure the virtual hardware settings for the virtual machine.

- Log in to the deployment destination ESXi.
- Store the ISO file in any location from Storage > Datastore > Datastore Browser.
- From "Create / Register VM", set the following and complete the wizard.
  - Select creation type: Create a new virtual machine
  - Select a name and guest OS: the name is CentOS7 (any name is fine); compatibility is ESXi 6.x virtual machine; guest OS family is Linux, guest OS version is CentOS 7 (64-bit)
  - Select storage: any datastore
  - Customize settings: CPU / memory / hard disk / network adapter are optional; for CD/DVD drive 1, select the ISO file stored in the datastore and check "Connect at power on"
Next, start the virtual machine and install the OS. The installation settings are optional, but for software selection choose Minimal Install. Reboot after the installation.
Install bind from a local repository. See the following for how to create a local repository: https://qiita.com/fooot4/items/6e7ec0df51ac18abfb2b
```
# yum --disablerepo=* --enablerepo=local install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-29.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-29.el7 for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-29.el7.x86_64
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-29.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package         Arch         Version                  Repository        Size
================================================================================
Installing:
 bind            x86_64       32:9.9.4-29.el7          local            1.8 M
Installing for dependencies:
 bind-libs       x86_64       32:9.9.4-29.el7          local            1.0 M

Transaction Summary
================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 2.8 M
Installed size: 6.9 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total                                              115 MB/s | 2.8 MB  00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 32:bind-libs-9.9.4-29.el7.x86_64                             1/2
  Installing : 32:bind-9.9.4-29.el7.x86_64                                  2/2
  Verifying  : 32:bind-9.9.4-29.el7.x86_64                                  1/2
  Verifying  : 32:bind-libs-9.9.4-29.el7.x86_64                             2/2

Installed:
  bind.x86_64 32:9.9.4-29.el7

Dependency Installed:
  bind-libs.x86_64 32:9.9.4-29.el7

Complete!
```
Next, configure the DNS server in named.conf.
```
# vi /etc/named.conf
```

```
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; x.x.x.i; };
        listen-on-v6 port 53 { none; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; x.x.x.z/nn; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion no;

        dnssec-enable no;
        dnssec-validation no;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel named_log {
                file "/var/log/named_messages";
                severity dynamic;
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category queries { "named_log"; };
        category security { "named_log"; };
        category default { "named_log"; };
};

zone "local" IN {
        type master;
        file "local.zone";
};

zone "x.x.x.in-addr.arpa" IN {
        type master;
        file "local.revzone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
```
Set the following parameters.

| Parameter | Explanation |
|---|---|
| listen-on port 53 { 127.0.0.1; x.x.x.i; }; | Specify the IPv4 address of the interface to listen on (x.x.x.i) |
| listen-on-v6 port 53 { none; }; | Specify the IPv6 address of the interface to listen on (none, because it is not needed this time) |
| allow-query { localhost; x.x.x.z/nn; }; | Specify the network that is allowed to send queries (for a single host, give its IP address only) |
| recursion no; | Do not perform recursive queries |
| dnssec-enable no; | Disable DNSSEC |
| dnssec-validation no; | Disable DNSSEC validation |
| channel named_log { | Define a log channel (the channel name is arbitrary; named_log this time) |
| file "/var/log/named_messages"; | Specify the log output file (named_messages this time) |
| severity dynamic; | Specify the log level (severity) to record; dynamic follows the server's current debug level, so everything is recorded this time |
| print-time yes; | Record the timestamp in each log line |
| print-severity yes; | Record the log level (severity) in each log line |
| print-category yes; | Record the category in each log line |
| category queries { "named_log"; }; | Send this category (records of received queries) to the channel |
| category security { "named_log"; }; | Send this category (records of approved / denied requests) to the channel |
| category default { "named_log"; }; | Send every category not explicitly configured to the channel |
| zone "local" IN { | Define the forward zone |
| type master; | This server is the master for the zone |
| file "local.zone"; | Specify the zone file to load |
| zone "x.x.x.in-addr.arpa" IN { | Define the reverse zone |
| type master; | This server is the master for the zone |
| file "local.revzone"; | Specify the zone file to load |
The log categories that can be specified are as follows.

| Category | Explanation |
|---|---|
| database | Database-related records such as zone data and cache data |
| security | Record of approved / denied requests |
| config | Parsing and processing of configuration files |
| resolver | Record of DNS resolution such as recursive lookups, i.e. the behavior of a cache server resolving on behalf of clients |
| xfer-in | Record of zone transfers received by the server |
| xfer-out | Record of zone transfers sent by the server |
| notify | Record of the NOTIFY protocol |
| client | Record of client request processing |
| network | Record of network operations |
| update | Record of dynamic DNS (DDNS) updates |
| queries | Record of received queries |
| dispatch | Record of dispatching (allocating) incoming packets to the server modules that process them |
| dnssec | Record of DNSSEC and TSIG processing |
| lame-servers | Record of misconfigurations (lame delegations) found on other servers during resolution |
| general | Messages that do not belong to any other category are classified as general |
| default | Applies to every category not explicitly configured with a category statement |
Create the log file. Change its owner to named so that the named service can write to it.

```
# touch /var/log/named_messages
# chown named:named /var/log/named_messages
# ll /var/log/named_messages
-rw-r--r--. 1 named named 0 Nov 15 11:59 /var/log/named_messages
```
This time, we will create a forward zone file and a reverse zone file.

Create the forward zone file. Replace the placeholders with the actual domain name / host names / IP addresses.
/var/named/local.zone:

```
$TTL 86400
@       IN SOA ns.local. root.local. (
                2014010101  ; Serial
                3600        ; Refresh: zone transfer interval (seconds)
                300         ; Retry: interval before retrying a failed transfer (seconds)
                360000      ; Expire: how long the zone is retained without a successful refresh (seconds)
                86400 )     ; Minimum: time negative answers are cached on other servers (seconds)
; Zone NS records
        IN NS  ns.local.
; Zone records
host01  IN A   x.x.x.x
ns      IN A   x.x.x.i
```
Create the reverse zone file. Replace the placeholders with the actual domain name / FQDNs / IP addresses / subnet.
/var/named/local.revzone:

```
$TTL 86400
@       IN SOA ns.local. root.local. (
                2014010101  ; Serial
                3600        ; Refresh: zone transfer interval (seconds)
                300         ; Retry: interval before retrying a failed transfer (seconds)
                360000      ; Expire: how long the zone is retained without a successful refresh (seconds)
                86400 )     ; Minimum: time negative answers are cached on other servers (seconds)
; Zone NS records (the name server is ns.local., matching the forward zone)
        IN NS  ns.local.
; Zone records
        IN PTR local.
        IN A   y.y.y.y
x       IN PTR host01.local.
i       IN PTR ns.local.
```
Check named.conf (no output means no errors were found).

```
# named-checkconf
```

Check the forward zone file.

```
# named-checkzone local. /var/named/local.zone
zone local/IN: loaded serial 2014010101
OK
```

Check the reverse zone file. Replace the placeholder with the actual reverse zone name.

```
# named-checkzone x.x.x.in-addr.arpa. /var/named/local.revzone
zone x.x.x.in-addr.arpa/IN: loaded serial 2014010101
OK
```
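named-checkzone only checks that each zone file parses; it does not check that the A records in the forward zone and the PTR records in the reverse zone agree. The following script is an added example (not part of the original article) that cross-checks the two zone layouts used above; the embedded zone text is constructed sample input, with the article's x.x.x.* placeholders replaced by documentation addresses, and the origin names are passed in as parameters.

```python
import re

# Constructed samples standing in for /var/named/local.zone and local.revzone;
# the page's x.x.x.* placeholders are replaced with documentation addresses (192.0.2.0/24).
FORWARD_ZONE = """\
@ IN SOA ns.local. root.local. ( 2014010101 3600 300 360000 86400 )
  IN NS ns.local.
host01 IN A 192.0.2.10
ns     IN A 192.0.2.1
"""
REVERSE_ZONE = """\
@ IN SOA ns.local. root.local. ( 2014010101 3600 300 360000 86400 )
  IN NS ns.local.
10 IN PTR host01.local.
1  IN PTR ns.local.
"""
# owner, class IN, type A or PTR, rdata; trailing ';' comments are ignored
RR = re.compile(r"^(\S*)\s+IN\s+(A|PTR)\s+(\S+)\s*(?:;.*)?$")

def parse_records(zone_text, rtype):
    """Return {owner: rdata} for every record of the given type in a zone file."""
    return {m.group(1): m.group(3) for m in map(RR.match, zone_text.splitlines()) if m and m.group(2) == rtype}

def reverse_owner(ip):
    """'192.0.2.10' -> ('10', '2.0.192.in-addr.arpa'): PTR owner label and reverse zone."""
    o = ip.split(".")
    return o[3], ".".join(reversed(o[:3])) + ".in-addr.arpa"

def check_zones(forward_text, reverse_text, origin, rev_origin):
    """Return a list of A/PTR mismatches; an empty list means the two zones agree."""
    a_records = parse_records(forward_text, "A")
    ptr_records = parse_records(reverse_text, "PTR")
    problems = []
    # every A record in the forward zone needs a PTR with the same FQDN in the reverse zone
    for host, ip in a_records.items():
        owner, zone = reverse_owner(ip)
        fqdn = f"{host}.{origin}."
        if zone != rev_origin:
            problems.append(f"{fqdn} -> {ip} lies outside {rev_origin}")
        elif ptr_records.get(owner) != fqdn:
            problems.append(f"{ip}: expected PTR {fqdn}, found {ptr_records.get(owner)}")
    # every PTR must point back at a host whose A record is exactly that address
    suffix = f".{origin}."
    for owner, fqdn in ptr_records.items():
        ip = ".".join(reversed(rev_origin.split(".")[:3])) + "." + owner
        host = fqdn[:-len(suffix)] if fqdn.endswith(suffix) else None
        if host is None or a_records.get(host) != ip:
            problems.append(f"PTR {ip} -> {fqdn} has no matching A record")
    return problems
```

Run check_zones on the real files (read from /var/named) after editing either zone; a non-empty result lists the records to fix before reloading named.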
Open the DNS service port in the firewall.

```
# firewall-cmd --permanent --add-service=dns
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
public (default, active)
  interfaces: eno16780032
  sources:
  services: dhcpv6-client dns ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
```
Start named and check its status.

```
# systemctl start named
# systemctl status named
● named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-11-15 12:23:38 JST; 36s ago
  Process: 1471 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
  Process: 1468 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z /etc/named.conf; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
 Main PID: 1473 (named)
   CGroup: /system.slice/named.service
           └─1473 /usr/sbin/named -u named

Nov 15 12:23:38 dns.local named[1473]: using default UDP/IPv4 port range: [1024, 65535]
Nov 15 12:23:38 dns.local named[1473]: using default UDP/IPv6 port range: [1024, 65535]
Nov 15 12:23:38 dns.local named[1473]: listening on IPv4 interface lo, 127.0.0.1#53
Nov 15 12:23:38 dns.local named[1473]: listening on IPv4 interface eno16780032, x.x.x.i#53
Nov 15 12:23:38 dns.local named[1473]: generating session key for dynamic DNS
Nov 15 12:23:38 dns.local named[1473]: sizing zone task pool based on 7 zones
Nov 15 12:23:38 dns.local named[1473]: set up managed keys zone for view _default, file '/var/named/dynamic/managed-keys.bind'
Nov 15 12:23:38 dns.local named[1473]: command channel listening on 127.0.0.1#953
Nov 15 12:23:38 dns.local named[1473]: command channel listening on ::1#953
Nov 15 12:23:38 dns.local systemd[1]: Started Berkeley Internet Name Domain (DNS).
```
Finally, check that names can be resolved from a DNS client (forward lookup of the A record and reverse lookup of the PTR record). Also check that the log is being written with cat /var/log/named_messages.
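With print-time, print-category and print-severity enabled, each line of named_messages has the form "date time category: severity: message", so the log can be summarized programmatically. The following script is an added example (not part of the original article) that counts answered queries per client and type, and flags clients whose queries are being denied by allow-query; the embedded log lines are constructed samples in that format, with the article's x.x.x.* placeholders replaced by documentation addresses.

```python
import re
from collections import Counter

# Constructed sample of /var/log/named_messages in the format produced by the logging block
# above (print-time, print-category and print-severity all "yes"); addresses are from the
# documentation ranges and stand in for the page's x.x.x.* placeholders.
SAMPLE_LOG = """\
15-Nov-2020 12:25:01.101 queries: info: client 192.0.2.10#53123 (host01.local): query: host01.local IN A + (192.0.2.1)
15-Nov-2020 12:25:01.230 queries: info: client 192.0.2.10#53124 (10.2.0.192.in-addr.arpa): query: 10.2.0.192.in-addr.arpa IN PTR + (192.0.2.1)
15-Nov-2020 12:25:09.004 security: info: client 198.51.100.7#4444 (example.com): query (cache) 'example.com/A/IN' denied
15-Nov-2020 12:25:09.310 security: info: client 198.51.100.7#4445 (example.com): query (cache) 'example.com/A/IN' denied
15-Nov-2020 12:25:15.777 general: info: zone local/IN: loaded serial 2014010101
"""

# <date> <time> <category>: <severity>: <message>
LINE = re.compile(r"^(?P<time>\S+ \S+) (?P<category>[\w-]+): (?P<severity>\w+): (?P<msg>.*)$")
QUERY = re.compile(r"client (?P<client>[\d.]+)#\d+ \(\S+\): query: (?P<name>\S+) IN (?P<type>\S+)")
DENIED = re.compile(r"client (?P<client>[\d.]+)#\d+ \(\S+\): query \(cache\) '[^']+' denied")

def summarize(log_text):
    """Count answered queries per client and per record type, and denied queries per client."""
    summary = {"queries": Counter(), "types": Counter(), "denied": Counter(), "other": 0}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a named line, or the print-* options differ from the config above
        category, msg = m.group("category"), m.group("msg")
        if category == "queries" and (q := QUERY.search(msg)):
            summary["queries"][q.group("client")] += 1
            summary["types"][q.group("type")] += 1
        elif category == "security" and (d := DENIED.search(msg)):
            summary["denied"][d.group("client")] += 1
        else:
            summary["other"] += 1
    return summary

def noisy_clients(summary, threshold):
    """Clients whose denied-query count reaches threshold: review allow-query or block them at the firewall."""
    return sorted(c for c, n in summary["denied"].items() if n >= threshold)
```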