Fedora36: DNS server settings

[root@www ~]# nmcli device
DEVICE TYPE STATE CONNECTION
enp2s0 ethernet 接続済み enp2s0

Installing BIND.

Install BIND.

[root@www ~]# dnf -y install bind bind-utils

Configure BIND.

[root@www ~]# vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { any; }; # change
        listen-on-v6 port 53 { none; }; #change
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursing-file  "/var/named/data/named.recursing";
        secroots-file   "/var/named/data/named.secroots";
        allow-query     { localhost; 192.168.1.1/24; }; # Postscript
        allow-transfer      { localhost; 192.168.1.1/24; }; # Postscript

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

#Change everything below 
view "internal" {
        match-clients {
                localhost;
                192.168.1.1/24;
        };
        zone "." IN {
                type hint;
                file "named.ca";
        };
        zone "fedoraserver.jp" IN {
                type master;
                file "fedoraserver.jp.lan";
                allow-update { none; };
        };
        zone "1.168.192.in-addr.arpa" IN {
                type master;
                file "1.168.192.db";
                allow-update { none; };
        };
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
};

Setting zone information.

Create an internal forward lookup information file.

[root@www ~]# vi /var/named/fedoraserver.jp.lan

$TTL 86400
@   IN  SOA     fedoraserver.jp. root.fedoraserver.jp. (
        2014071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS      fedoraserver.jp.
        IN  MX 10   fedoraserver.jp.
@       IN  A       192.168.1.3
*       IN  A       192.168.1.3

Create an internal reverse lookup information file.

[root@www ~]# vi /var/named/1.168.192.db

$TTL 86400
@   IN  SOA     fedoraserver.jp. root.fedoraserver.jp. (
        2014071001  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)
        IN  NS      fedoraserver.jp.
        IN  A       255.255.255.0
3       IN  PTR     fedoraserver.jp.

Open TCP/UDP port 53.

ルーターの設定で、TCP/UDP53番ポートを開放します。(設定方法はご自身の環境に合わせて調べてください。)

ポート開放テスト.

Open TCP/UDP port 53 in your router settings. (Check the setting method according to your own environment.)


Open confirmation

Start BIND and check its operation.

Change network settings.

[root@www ~]# nmcli connection modify enp2s0 ipv4.dns 192.168.1.3
[root@www ~]# nmcli connection down enp2s0; nmcli connection up enp2s0

Boot and set autostart.

[root@www ~]# systemctl enable --now named

Check for errors.

[root@www ~]# systemctl status named

If there are any errors, validate the syntax and fix the errors.

If there is an error in "192.168.1.1/24" in "/etc/named.conf", change it to "localhost;".
[root@www ~]# sudo named-checkconf

Check operation.

[root@www ~]# dig fedoraserver.jp

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> fedoraserver.jp
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15234
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fedoraserver.jp.                                IN      A

;; ANSWER SECTION:
fedoraserver.jp.                 86400   IN      A       192.168.1.3

;; AUTHORITY SECTION:
fedoraserver.jp.                 86400   IN      NS      fedoraserver.jp.

;; Query time: 18 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: 水  7月 03 15:23:54 JST 2019
;; MSG SIZE  rcvd: 65


[root@www ~]# dig -x 192.168.1.3

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> -x 192.168.1.3
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54270
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;3.1.168.192.in-addr.arpa.      IN      PTR

;; ANSWER SECTION:
3.1.168.192.in-addr.arpa. 86400 IN      PTR     fedoraserver.jp.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      fedoraserver.jp.

;; ADDITIONAL SECTION:
fedoraserver.jp.                 86400   IN      A       192.168.1.3

;; Query time: 87 msec
;; SERVER: 192.168.1.3#53(192.168.1.3)
;; WHEN: 水  7月 03 16:13:36 JST 2019
;; MSG SIZE  rcvd: 103

Move to chroot environment.

Go to the chroot environment.

[root@www ~]# dnf -y install bind-chroot
[root@www ~]# mkdir /var/named/chroot/usr/lib64/named
[root@www ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on 
[root@www ~]# systemctl disable --now named
[root@www ~]# systemctl enable --now named-chroot
Created symlink /etc/systemd/system/multi-user.target.wants/named-chroot.service → /usr/lib/systemd/system/named-chroot.service.
[root@www ~]# ll /var/named/chroot/etc 
合計 688
-rw-r--r--  2 root root     292  4月  1 21:27 localtime
drwxr-x---  2 root named      6  1月 30 02:23 named
-rw-r-----  1 root named   2340  6月  1 08:23 named.conf
-rw-r--r--  1 root named   3923  1月 30 02:23 named.iscdlv.key
-rw-r-----  1 root named    931  6月 21  2007 named.rfc1912.zones
-rw-r--r--  1 root named   1587  5月 22  2017 named.root.key
drwxr-x---  3 root named     25  6月  1 08:33 pki
-rw-r--r--. 1 root root    6545 10月 31  2018 protocols
-rw-r-----  1 root named    100  6月  1 08:27 rndc.key
-rw-r--r--. 1 root root  670293  6月  7  2013 services
[root@www ~]# ll /var/named/chroot/var/named 
合計 24
-rw-r--r-- 1 root  root   288  6月  1 08:27 1.168.192.db
drwxr-x--- 7 root  named   61  6月  1 08:33 chroot
drwxrwx--- 2 named named  127  6月 30 05:51 data
drwxrwx--- 2 named named  166  7月  3 22:32 dynamic
-rw-r----- 1 root  named 2277  6月  1 08:38 named.ca
-rw-r----- 1 root  named  152 12月 15  2009 named.empty
-rw-r----- 1 root  named  152  6月 21  2007 named.localhost
-rw-r----- 1 root  named  168 12月 15  2009 named.loopback
-rw-r--r-- 1 root  root   317  6月  1 08:24 rcg.jp.lan
drwxrwx--- 2 named named    6  1月 30 02:23 slaves

Change the DNS setting of the PC in the home network.

Right-click the Windows Start menu and click Network Connections.

ネットワーク接続

Click “Network and Sharing Center”.

ネットワークと共有センター

Click “Local Area Connection”.

ローカルエリア接続

Click Properties.

プロパティ

Select “Internet Protocol Version 4 (TCP/IPv4)” and click “Properties”.

インターネットプロトコルバージョン4

Select “Use the following DNS server addresses” and set “Preferred DNS server” to ” 192.168.1.3, “Alternate DNS Server” to ” 192.168.1.1, and click OK.


Second DNS verification.

Allow the server to connect to the internet.

Open a file.

[root@www ~]# vi /etc/resolv.conf

Append to the last line.

nameserver 192.168.1.1

Create a new interface configuration file.

[root@www ~]# vi /etc/sysconfig/network-scripts/ifcfg-enp2s0
TYPE=Ethernet
PROXY_METHOD=none
BROWSER_ONLY=no
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
IPV6_ADDR_GEN_MODE=stable-privacy
NAME=enp2s0
DEVICE=enp2s0
ONBOOT=yes
IPADDR=192.168.1.3
PREFIX=24
GATEWAY=192.168.1.1
DNS1=192.168.1.3
IPV6_PRIVACY=no
DNS2=192.168.1.1
CONNECTION_METERED=yes

Restart.

[root@www ~]# reboot

コメント

タイトルとURLをコピーしました