Our DNS server recently ran into a problem and had to be reinstalled. That was also a good chance to get to know bind better, so of course I took notes.
The main steps are:
1. Install Master Bind
2. Configure named.conf
3. Create the forward zone database
4. Start the service
5. Install Slave Bind
6. Configure named.conf
7. Start the service & Zone transfer
1. Install Master Bind
Before installing a DNS server I always turn off every other service that is not needed; I suggest using setup to disable the unnecessary services.
The bind package is already available on CentOS 6.3, so install it directly with yum
# yum install bind*
Confirm the version (currently this should install bind 9.8; installing bind-chroot is recommended)
# rpm -qa bind*
2. Configure named.conf
If bind is chrooted, all configuration files live under /var/named/chroot; you can confirm this with
# grep ROOTDIR /etc/sysconfig/named
CentOS 6.3 already ships a sample /etc/named.conf to refer to, but I still changed a few things
# vi /etc/named.conf
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    version "DNS";
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    allow-transfer { none; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "abc.com" IN {
    type master;
    file "db.abc.com";
    allow-transfer { 192.168.20.7; };
};
zone "xxxxxxx.com.tw" IN {
    type master;
    file "db.xxxxxxx.com.tw";
    allow-transfer { 192.168.20.7; };
};
zone "def.com" IN {
    type master;
    file "db.def.com";
    allow-transfer { 192.168.20.7; };
};
Note: a few points to watch
a. Syntax mistakes are common: every statement must end with a ";", and don't forget the "{ }" either
b. allow-query decides whether others may query at all; the default is localhost
c. Changing version is recommended, so that others cannot query the DNS server's version
d. allow-recursion lists the networks allowed to make recursive queries. Normally our DNS is not an open DNS (like 168.95.1.1 & 8.8.8.8 etc.), so there is no need to resolve names for others
e. allow-transfer decides whether AXFR zone transfers are allowed; I strongly recommend allowing zone transfers only to the slave DNS
Here is an example of getting this wrong
#dig @dns2.cellopoinX.com axfr cellopoinX.com
Bang, out comes the whole zone transfer... and they still dare to call themselves an XX security vendor. Good grief.
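To turn notes (b) to (e) into a repeatable check, here is an added example (my own code, not from the original post and not part of BIND) that audits a named.conf of the flat options/zone shape shown above. It is a brace-counting scan, not a full named.conf grammar. SAMPLE_NAMED_CONF is constructed for the example, with two deliberately weak zones; the slave address 192.168.20.7 is the one used in this post.

```python
"""Audit a BIND named.conf for hidden version, open recursion and
zone-transfer ACLs. Added example, not from the original post.

The effective allow-transfer for a master zone is the zone-level ACL if
present, otherwise the options-level one, otherwise BIND's default (any).
"""
import re

# Constructed sample in the shape of the master named.conf above. def.com
# allows AXFR to anyone; ghi.com sets nothing and inherits the options ACL.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    version "DNS";
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    allow-transfer { none; };
};
zone "." IN { type hint; file "named.ca"; };
zone "abc.com" IN { type master; file "db.abc.com"; allow-transfer { 192.168.20.7; }; };
zone "def.com" IN { type master; file "db.def.com"; allow-transfer { any; }; };
zone "ghi.com" IN { type master; file "db.ghi.com"; };
"""

HEADER_RE = re.compile(r'\b(?:options|zone\s+"([^"]+)"(?:\s+IN)?)\s*(?=\{)')
# 'name value;'  or  'name { a; b; };'
DIRECTIVE_RE = re.compile(r'([\w-]+)\s*(?:\{([^}]*)\}|([^;{}]+))\s*;')


def split_blocks(text):
    """Return [(name, body)] for each top-level options/zone block, honouring nesting."""
    blocks, pos = [], 0
    while True:
        m = HEADER_RE.search(text, pos)
        if not m:
            return blocks
        name = m.group(1) or "options"
        depth, start = 0, m.end()        # m.end() is the index of the opening '{'
        for j in range(start, len(text)):
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    blocks.append((name, text[start + 1:j]))
                    pos = j + 1
                    break
        else:                            # unbalanced braces: stop scanning
            return blocks


def directives(body):
    """Map 'name value;' to a string and 'name { a; b; };' to a list of strings."""
    out = {}
    for m in DIRECTIVE_RE.finditer(body):
        name, acl, simple = m.group(1), m.group(2), m.group(3)
        if acl is not None:
            out[name] = [x.strip() for x in acl.split(";") if x.strip()]
        else:
            out[name] = simple.strip().strip('"')
    return out


def effective_transfer_acls(text):
    """Map each master zone to the allow-transfer ACL that actually applies (None = any)."""
    blocks = split_blocks(text)
    global_acl = directives(dict(blocks).get("options", "")).get("allow-transfer")
    acls = {}
    for name, body in blocks:
        d = directives(body)
        if name != "options" and d.get("type") == "master":
            acls[name] = d.get("allow-transfer", global_acl)
    return acls


def audit_named_conf(text, slave_ips=()):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    opts = directives(dict(split_blocks(text)).get("options", ""))
    if not opts.get("version"):
        findings.append("options: version not set, the real BIND version answers version.bind queries")
    if "any" in opts.get("allow-recursion", []):
        findings.append("options: allow-recursion { any; } makes this an open resolver")
    for zone, acl in effective_transfer_acls(text).items():
        if acl is None or "any" in acl:
            findings.append(f"zone {zone}: AXFR allowed to anyone, the whole zone can be dumped with one query")
        elif slave_ips:
            strangers = [ip for ip in acl if ip != "none" and ip not in slave_ips]
            if strangers:
                findings.append(f"zone {zone}: allow-transfer lists non-slave hosts {strangers}")
    return findings


if __name__ == "__main__":
    for line in audit_named_conf(SAMPLE_NAMED_CONF, slave_ips=("192.168.20.7",)):
        print(line)
```

Run audit_named_conf on the real named.conf (the chroot copy, if chrooted) with the slave's address in slave_ips. This is a policy check, which is different from a syntax check: an allow-transfer { any; } is perfectly valid syntax, so the named start-up log will not complain about it.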
3. Create the forward zone database
#vi /var/named/chroot/var/named/db.abc.com
$TTL 3600
@ IN SOA dns1.abc.com. tech.abc.com. (
2013060801 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
@ IN NS dns1.abc.com.
@ IN NS dns2.abc.com.
@ IN MX 10 spam.abc.com.
@ IN MX 20 mail.abc.com.
@ IN MX 30 crm.abc.com.
dns1 IN A 120.13.28.10
dns2 IN A 120.13.28.11
spam IN A 120.13.28.4
mail IN A 120.13.28.5
crm IN A 120.13.28.11
www IN CNAME web.abc.com.
web 45 IN A 120.13.28.11
@ IN TXT "v=spf1 mx:abc.com -all"
Note: a few points to watch
a. Don't forget "$TTL"; it is the global DNS cache time, and any RR without its own TTL uses the global TTL
b. "@" means the zone itself, here abc.com (it corresponds to the zone in named.conf)
c. The trailing "." is also easy to forget; it marks the name as an FQDN
4. Start the service
#chkconfig named on
#/etc/init.d/named start
In my experience it rarely works the first time, usually because of a syntax error; in that case look at the log, which normally points out the line with the mistake
#/etc/init.d/named start
#grep named /var/log/messages
(this is the log after a normal start)
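The three notes above can be checked before named is started. The following is an added example (my own code, not from the original post): a small zone-file linter that flags a missing $TTL, an unusual SOA serial, and SOA/NS/MX/CNAME/PTR targets that look like full names but lack the trailing dot. ZONE_OK is the db.abc.com file from this post, slightly shortened; ZONE_BAD is a constructed copy with those mistakes put in.

```python
"""Lint a BIND zone file for a missing $TTL, an odd SOA serial and missing
trailing dots. Added example, not from the original post.

A target such as "dns1.abc.com" without the trailing "." is relative, so
BIND appends the zone name and the record silently becomes
dns1.abc.com.abc.com.
"""
import re

# Constructed sample: the db.abc.com file from this post, shortened.
ZONE_OK = """\
$TTL 3600
@ IN SOA dns1.abc.com. tech.abc.com. (
2013060801 ; serial
10800 ; refresh (3 hours)
900 ; retry (15 minutes)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
@ IN NS dns1.abc.com.
@ IN NS dns2.abc.com.
@ IN MX 10 spam.abc.com.
dns1 IN A 120.13.28.10
dns2 IN A 120.13.28.11
spam IN A 120.13.28.4
www IN CNAME web.abc.com.
web 45 IN A 120.13.28.11
@ IN TXT "v=spf1 mx:abc.com -all"
"""

# Constructed sample with the usual slips: no $TTL, and the NS and MX
# targets are missing their trailing dots.
ZONE_BAD = """\
@ IN SOA dns1.abc.com. tech.abc.com. (
2013060801 ; serial
10800 ; refresh
900 ; retry
604800 ; expire
86400 ; minimum
)
@ IN NS dns1.abc.com
@ IN MX 10 spam.abc.com
dns1 IN A 120.13.28.10
spam IN A 120.13.28.4
"""

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.I)
CLASSES = {"IN", "CH", "HS"}
NAME_TARGET_INDEX = {"NS": 0, "CNAME": 0, "PTR": 0, "MX": 1}   # index of the name in rdata


def strip_comment(line):
    """Drop a ';' comment, but leave ';' inside quoted TXT data alone."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            return line[:i]
    return line


def logical_records(text):
    """Yield (lineno, text) per record, joining '( ... )' continuation lines."""
    buf, depth, start = [], 0, 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw)
        if depth == 0:
            if not line.strip():
                continue
            start = n
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield start, " ".join(buf)
            buf = []


def lint_zone_file(text):
    """Return a list of findings; an empty list means the file passed."""
    findings, owner, seen_ttl = [], "@", False
    for lineno, line in logical_records(text):
        if line.lstrip().startswith("$"):
            seen_ttl = seen_ttl or line.lstrip().startswith("$TTL")
            continue
        tokens = line.split()
        if line[0].isspace():
            tokens.insert(0, owner)          # blank owner field inherits the previous owner
        owner, rest = tokens[0], tokens[1:]
        # optional TTL and class may appear in either order before the type
        while rest and (TTL_RE.match(rest[0]) or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if not rest:
            findings.append(f"line {lineno}: no record type")
            continue
        rtype, rdata = rest[0].upper(), rest[1:]
        targets = []
        if rtype == "SOA":
            targets = rdata[:2]                               # MNAME and RNAME
            serial = rdata[2] if len(rdata) > 2 else ""
            if not serial.isdigit() or int(serial) >= 2 ** 32:
                findings.append(f"line {lineno}: SOA serial {serial!r} is not a valid 32-bit number")
            elif not re.fullmatch(r"20\d{8}", serial):
                findings.append(f"line {lineno}: SOA serial {serial} does not follow YYYYMMDDnn")
        elif rtype in NAME_TARGET_INDEX and len(rdata) > NAME_TARGET_INDEX[rtype]:
            targets = [rdata[NAME_TARGET_INDEX[rtype]]]
        for t in targets:
            if "." in t and not t.endswith("."):
                findings.append(f"line {lineno}: {rtype} target {t} lacks a trailing '.', BIND will read it as {t}.<zone>")
    if not seen_ttl:
        findings.append("no $TTL directive: records without their own TTL have no default")
    return findings


if __name__ == "__main__":
    for name, zone in (("ZONE_OK", ZONE_OK), ("ZONE_BAD", ZONE_BAD)):
        print(name, lint_zone_file(zone) or "clean")
```

The trailing-dot rule is deliberately limited to targets that already contain a dot: a bare relative label like web in a CNAME is legitimate, the classic mistake is writing a full hostname and forgetting the final dot.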
Jun 8 01:57:52 dns1 named-sdb[5460]: starting BIND 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 -u named -t /var/named/chroot
Jun 8 01:57:52 dns1 named-sdb[5460]: built with '--build=i386-redhat-linux-gnu' '--host=i386-redhat-linux-gnu' '--target=i686-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '--libdir=/usr/lib' '--libexecdir=/usr/libexec' '--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--enable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disable-openssl-version-check' '--with-dlz-ldap=yes' '--with-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '--with-gssapi=yes' '--disable-isc-spnego' '--with-docbook-xsl=/usr/share/sgml/docbook/xsl-stylesheets' '--enable-fixed-rrset' 'build_alias=i386-redhat-linux-gnu' 'host_alias=i386-redhat-linux-gnu' 'target_alias=i686-redhat-linux-gnu' 'CFLAGS= -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables' 'CPPFLAGS= -DDIG_SIGCHASE'
Jun 8 01:57:52 dns1 named-sdb[5460]: ----------------------------------------------------
Jun 8 01:57:52 dns1 named-sdb[5460]: BIND 9 is maintained by Internet Systems Consortium,
Jun 8 01:57:52 dns1 named-sdb[5460]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Jun 8 01:57:52 dns1 named-sdb[5460]: corporation. Support and training for BIND 9 are
Jun 8 01:57:52 dns1 named-sdb[5460]: available at https://www.isc.org/support
Jun 8 01:57:52 dns1 named-sdb[5460]: ----------------------------------------------------
Jun 8 01:57:52 dns1 named-sdb[5460]: adjusted limit on open files from 4096 to 1048576
Jun 8 01:57:52 dns1 named-sdb[5460]: found 1 CPU, using 1 worker thread
Jun 8 01:57:52 dns1 named-sdb[5460]: using up to 4096 sockets
Jun 8 01:57:52 dns1 named-sdb[5460]: SDB ldap zone database module loaded.
Jun 8 01:57:52 dns1 named-sdb[5460]: SDB postgreSQL DB zone database module loaded.
Jun 8 01:57:52 dns1 named-sdb[5460]: SDB sqlite3 DB zone database module loaded.
Jun 8 01:57:52 dns1 named-sdb[5460]: SDB directory DB zone database module loaded.
Jun 8 01:57:52 dns1 named-sdb[5460]: loading configuration from '/etc/named.conf'
Jun 8 01:57:52 dns1 named-sdb[5460]: using default UDP/IPv4 port range: [1024, 65535]
Jun 8 01:57:52 dns1 named-sdb[5460]: using default UDP/IPv6 port range: [1024, 65535]
Jun 8 01:57:52 dns1 named-sdb[5460]: listening on IPv4 interface lo, 127.0.0.1#53
Jun 8 01:57:52 dns1 named-sdb[5460]: listening on IPv4 interface eth0, 192.168.20.6#53
Jun 8 01:57:52 dns1 named-sdb[5460]: generating session key for dynamic DNS
Jun 8 01:57:52 dns1 named-sdb[5460]: sizing zone task pool based on 4 zones
Jun 8 01:57:52 dns1 named-sdb[5460]: set up managed keys zone for view _default, file 'dynamic/managed-keys.bind'
Jun 8 01:57:52 dns1 named-sdb[5460]: Warning: 'empty-zones-enable/disable-empty-zone' not set: disabling RFC 1918 empty zones
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 0.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 127.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 254.169.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 100.51.198.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 113.0.203.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: D.F.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 8.E.F.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 9.E.F.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: A.E.F.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: B.E.F.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Jun 8 01:57:52 dns1 named-sdb[5460]: command channel listening on 127.0.0.1#953
Jun 8 01:57:52 dns1 named-sdb[5460]: command channel listening on ::1#953
Jun 8 01:57:52 dns1 named-sdb[5460]: zone abc.com/IN: loaded serial 2013060601
Jun 8 01:57:52 dns1 named-sdb[5460]: zone xxxxxxx.com.tw/IN: loaded serial 2013060401
Jun 8 01:57:52 dns1 named-sdb[5460]: zone db.def.com/IN: loaded serial 2013060401
Jun 8 01:57:52 dns1 named-sdb[5460]: managed-keys-zone ./IN: loaded serial 0
Jun 8 01:57:52 dns1 named-sdb[5460]: running
Confirm that it really is chrooted; man named says the following
-t directory
Chroot to directory after processing the command line arguments, but before reading the configuration file. Warning: This option should be used in conjunction with the -u option, as chrooting a process running as root doesn’t enhance security on most systems; the way chroot(2) is defined allows a process with root privileges to escape a chroot jail.
#ps -ef |grep named
named 1964 1 0 03:02 ? 00:00:00 /usr/sbin/named-sdb -u named -t /var/named/chroot
root 2225 1606 0 03:25 pts/0 00:00:00 grep named
5. Install Slave Bind
Same as installing the Master DNS
#yum install bind*
Confirm the version
#rpm -qa bind*
6. Configure named.conf
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    version "DNS";
    allow-recursion { 127.0.0.1; 192.168.0.0/16; };
    allow-transfer { none; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "abc.com" IN {
    type slave;
    file "slaves/db.abc.com";
    masters { 192.168.20.6; };
};
zone "xxxxxxx.com.tw" IN {
    type slave;
    file "slaves/xxxxxxx.com.tw";
    masters { 192.168.20.6; };
};
zone "def.com" IN {
    type slave;
    file "slaves/def.com";
    masters { 192.168.20.6; };
};
Note: a few points to watch
a. type changes to slave
b. I also put the zone database files under /var/named/chroot/var/named/slaves/
c. Specify the master DNS IP, so the zone is only ever transferred from that master and not from just anyone
(PS: the keyword is masters, which is easy to mistype; watch out for it)
7. Start the service & Zone transfer
# chkconfig named on
# /etc/init.d/named start
# tail -f /var/log/messages
Jun 9 12:27:30 dns2 named-sdb[4323]: running
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: Transfer started.
Jun 9 12:27:30 dns2 named-sdb[4323]: transfer of 'abc.com/IN' from 192.168.20.6#53: connected using 192.168.20.7#52986
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: transferred serial 2013060902
Jun 9 12:27:30 dns2 named-sdb[4323]: transfer of 'abc.com/IN' from 192.168.20.6#53: Transfer completed: 1 messages, 15 records, 359 bytes, 0.001 secs (359000 bytes/sec)
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: sending notifies (serial 2013060902)
Jun 9 12:27:31 dns2 named-sdb[4323]: zone def.com/IN: Transfer started.
Jun 9 12:27:31 dns2 named-sdb[4323]: zone xxxxxxx.com.tw/IN: Transfer started.
Jun 9 12:27:31 dns2 named-sdb[4323]: transfer of 'def.com/IN' from 192.168.20.6#53: connected using 192.168.20.7#56492
Jun 9 12:27:31 dns2 named-sdb[4323]: transfer of 'xxxxxxx.com.tw/IN' from 192.168.20.6#53: connected using 192.168.20.7#43076
Jun 9 12:27:31 dns2 named-sdb[4323]: zone xxxxxxx.com.tw/IN: transferred serial 2013060902
Jun 9 12:27:31 dns2 named-sdb[4323]: transfer of 'xxxxxxx.com.tw/IN' from 192.168.20.6#53: Transfer completed: 1 messages, 14 records, 383 bytes, 0.001 secs (383000 bytes/sec)
Jun 9 12:27:31 dns2 named-sdb[4323]: transfer of 'def.com/IN' from 192.168.20.6#53: Transfer completed: 1 messages, 14 records, 410 bytes, 0.001 secs (410000 bytes/sec)
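After starting the slave, the thing worth verifying is that every configured zone completed its transfer from the configured master, and from nowhere else. The following is an added example (my own code, not from the original post) that parses log lines in the format above. SAMPLE_LOG is constructed in that format, with one zone that only gets as far as connecting and one that never appears, so the report has something to show.

```python
"""Summarise a slave's zone-transfer log lines. Added example, not from
the original post.

parse_transfer_log() collects, per zone, the master it pulled from, the
serial received, the record count and whether the transfer completed;
transfer_report() compares that against the list of zones the slave is
supposed to hold and the master it is supposed to use.
"""
import re

# Constructed sample in the format of the dns2 log above: abc.com completes,
# def.com only connects, ghi.com never shows up at all.
SAMPLE_LOG = """\
Jun 9 12:27:30 dns2 named-sdb[4323]: running
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: Transfer started.
Jun 9 12:27:30 dns2 named-sdb[4323]: transfer of 'abc.com/IN' from 192.168.20.6#53: connected using 192.168.20.7#52986
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: transferred serial 2013060902
Jun 9 12:27:30 dns2 named-sdb[4323]: transfer of 'abc.com/IN' from 192.168.20.6#53: Transfer completed: 1 messages, 15 records, 359 bytes, 0.001 secs (359000 bytes/sec)
Jun 9 12:27:30 dns2 named-sdb[4323]: zone abc.com/IN: sending notifies (serial 2013060902)
Jun 9 12:27:31 dns2 named-sdb[4323]: zone def.com/IN: Transfer started.
Jun 9 12:27:31 dns2 named-sdb[4323]: transfer of 'def.com/IN' from 192.168.20.6#53: connected using 192.168.20.7#56492
"""

STARTED_RE = re.compile(r"zone (\S+)/IN: Transfer started\.")
CONNECTED_RE = re.compile(r"transfer of '(\S+)/IN' from (\S+): connected using")
SERIAL_RE = re.compile(r"zone (\S+)/IN: transferred serial (\d+)")
COMPLETED_RE = re.compile(
    r"transfer of '(\S+)/IN' from (\S+): Transfer completed: (\d+) messages, (\d+) records, (\d+) bytes"
)


def _entry(zones, zone):
    """Fetch or create the per-zone record."""
    return zones.setdefault(zone, {"master": None, "serial": None, "records": None, "completed": False})


def parse_transfer_log(text):
    """Return {zone: {"master", "serial", "records", "completed"}} from syslog lines."""
    zones = {}
    for line in text.splitlines():
        m = STARTED_RE.search(line)
        if m:
            _entry(zones, m.group(1))
            continue
        m = CONNECTED_RE.search(line)
        if m:
            _entry(zones, m.group(1))["master"] = m.group(2)
            continue
        m = SERIAL_RE.search(line)
        if m:
            _entry(zones, m.group(1))["serial"] = int(m.group(2))
            continue
        m = COMPLETED_RE.search(line)
        if m:
            z = _entry(zones, m.group(1))
            z["master"], z["records"], z["completed"] = m.group(2), int(m.group(4)), True
    return zones


def transfer_report(text, expected_zones, master):
    """Classify expected zones as ok / incomplete / missing and flag any foreign master."""
    zones = parse_transfer_log(text)
    report = {"ok": [], "incomplete": [], "missing": [], "foreign_master": []}
    for zone in expected_zones:
        z = zones.get(zone)
        if z is None:
            report["missing"].append(zone)
        elif z["completed"]:
            report["ok"].append(zone)
        else:
            report["incomplete"].append(zone)
        if z and z["master"] and z["master"] != master:
            report["foreign_master"].append((zone, z["master"]))
    return report


if __name__ == "__main__":
    print(transfer_report(SAMPLE_LOG, ["abc.com", "def.com", "ghi.com"], "192.168.20.6#53"))
```

On a real host, feed it the output of grep named /var/log/messages with the zone list taken from the slave's named.conf and the master address from its masters statement; a zone left in "incomplete" or "missing" after start-up usually means the master's allow-transfer does not include this slave.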
As a supplement, a few DNS test commands I use often
1. dig www.google.com (query the A record)
2. dig mx google.com (query the MX record)
3. dig ns google.com (query the NS record)
4. dig soa google.com (query the SOA record)
5. dig txt google.com (query the TXT record)
6. dig -x 8.8.8.8 (query the PTR record)
7. dig +trace www.google.com (trace the query)
8. dig @168.95.1.1 version.bind chaos txt (query the DNS version)
9. dig @ns1.imprezagt1031.idv.tw axfr imprezagt1031.idv.tw (test whether the Zone Transfer setting is correct)
Reference:
http://linux.vbird.org/linux_server/0350dns.php