BIND DNS server on Debian 9

Bind9 is the package that provides a DNS server: it resolves domain names to IP addresses (and IP addresses back to names) on a local or global network. Bind9 can also run as a caching DNS server. BIND listens on port 53, TCP and UDP. This article describes its installation and configuration.

1. Installing BIND 9

root@srv01:~# apt -y install bind9 bind9utils dnsutils

2. Configuring BIND 9

This example uses the global IP range [172.16.0.80/29], the private IP range [10.0.0.0/24] and the domain name [srv.local]. When configuring your own server, substitute your own IP addresses and domain name.

root@srv01:~# vi /etc/bind/named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";
root@srv01:~# vi /etc/bind/named.conf.internal-zones

view "internal" {
        match-clients {
                localhost;
                10.0.0.0/24;
        };
        zone "srv.local" {
                type master;
                file "/etc/bind/srv.local.lan";
                allow-update { none; };
        };
        zone "0.0.10.in-addr.arpa" {
                type master;
                file "/etc/bind/0.0.10.db";
                allow-update { none; };
        };
        include "/etc/bind/named.conf.default-zones";
};
root@srv01:~# vi /etc/bind/named.conf.external-zones

view "external" {
        match-clients { any; };
        allow-query { any; };
        recursion no;
        zone "srv.local" {
                type master;
                file "/etc/bind/srv.local.wan";
                allow-update { none; };
        };
        zone "80.0.16.172.in-addr.arpa" {
                type master;
                file "/etc/bind/80.0.16.172.db";
                allow-update { none; };
        };
};

For reverse-resolution zones, the zone name is derived from the network address as shown below:

10.0.0.0/24
Network address: 10.0.0.0
Network range: 10.0.0.0 to 10.0.0.255
Written as: 0.0.10.in-addr.arpa

172.16.0.80/29
Network address: 172.16.0.80
Network range: 172.16.0.80 to 172.16.0.87
Written as: 80.0.16.172.in-addr.arpa
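An added check (my own code, not from the article) that a reverse zone named by the rule above actually covers the PTR names resolvers send: a zone can answer `dig -x` only when its name is a suffix of the queried name. It confirms the /24 case and shows that for 172.16.0.80/29 the query name 82.0.16.172.in-addr.arpa is not below 80.0.16.172.in-addr.arpa, so a classless /29 needs an RFC 2317 style delegation from the holder of 0.16.172.in-addr.arpa. Function names are mine; the networks and hosts are the article's.

```python
# Added example (not the article's code): does a reverse zone named by the
# article's rule actually cover the PTR names that resolvers query?
import ipaddress
import math
from typing import Dict, List, Optional


def article_zone_name(cidr: str) -> str:
    """Zone name as the article builds it: octets of the network address reversed,
    keeping as many octets as the prefix length covers (/24 -> 3, /29 -> 4)."""
    net = ipaddress.ip_network(cidr, strict=True)
    octets = str(net.network_address).split(".")
    kept = math.ceil(net.prefixlen / 8)
    return ".".join(reversed(octets[:kept])) + ".in-addr.arpa"


def query_name(ip: str) -> str:
    """The owner name a resolver asks for on `dig -x ip` (all four octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def ptr_owner_in_zone(ip: str, zone: str) -> Optional[str]:
    """Relative owner label for ip's PTR record inside zone, or None when the
    zone name is not a suffix of the queried name, i.e. the zone cannot answer."""
    name = query_name(ip)
    suffix = "." + zone
    return name[:-len(suffix)] if name.endswith(suffix) else None


def check_reverse_zone(cidr: str, hosts: List[str]) -> Dict[str, Optional[str]]:
    """Map each host address to its PTR label in the article-style zone for cidr."""
    net = ipaddress.ip_network(cidr, strict=True)
    zone = article_zone_name(cidr)
    result = {}
    for ip in hosts:
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}")
        result[ip] = ptr_owner_in_zone(ip, zone)
    return result


if __name__ == "__main__":
    # Networks and hosts taken from the article (constructed input).
    for cidr, hosts in [("10.0.0.0/24", ["10.0.0.30"]), ("172.16.0.80/29", ["172.16.0.82"])]:
        print(cidr, article_zone_name(cidr), check_reverse_zone(cidr, hosts))
```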

3. Restrict the allowed ranges as needed.

root@srv01:~# vi /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };
        # query range you allow
        allow-query { localhost; 10.0.0.0/24; };
        # the range to transfer zone files
        allow-transfer { localhost; 10.0.0.0/24; };
        # recursion range you allow
        allow-recursion { localhost; 10.0.0.0/24; };
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        # change if not use IPV6
        listen-on-v6 { none; };
};
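An added audit (my own code, not the article's) of the three access lists set above, checking for the two exposures they exist to prevent: a zone transferable by anyone (`allow-transfer { any; }`) and an open resolver (recursion offered to `any`). The first input is built from the article's options block and external view; the second is a constructed weakened variant to show what gets reported. Function names are mine.

```python
# Added example (not the article's code): audit BIND ACLs for open zone transfer and open recursion.
import re

# Constructed from the article's options block and external view.
ARTICLE_CONF = """
options {
        allow-query { localhost; 10.0.0.0/24; };        # query range you allow
        allow-transfer { localhost; 10.0.0.0/24; };
        allow-recursion { localhost; 10.0.0.0/24; };
};
view "external" { match-clients { any; }; allow-query { any; }; recursion no;
        zone "srv.local" { type master; file "/etc/bind/srv.local.wan"; }; };
"""
# Constructed weakened variant, only to show what the audit reports.
WEAK_CONF = 'options { allow-transfer { any; }; };\nview "ext" { allow-recursion { any; }; };'

def _block_body(text: str, brace: int) -> str:
    depth = 0
    for i in range(brace, len(text)):          # walk from the '{' at brace to its matching '}'
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return text[brace + 1:i]
    raise ValueError("unbalanced braces in named.conf")

def parse_blocks(conf: str) -> dict:
    """ACL lists and `recursion` per options/view block.  A block with no `recursion`
    statement is treated as yes (BIND's default; options-to-view inheritance not modelled)."""
    text = re.sub(r"(//|#)[^\n]*", "", conf)          # named.conf allows // and # comments
    blocks = {}
    for m in re.finditer(r'\b(options|view\s+"([^"]+)")\s*\{', text):
        name = "options" if m.group(1) == "options" else "view:" + m.group(2)
        body = _block_body(text, m.end() - 1)
        entry = {}
        for key in ("allow-query", "allow-transfer", "allow-recursion"):
            acl = re.search(r"\b" + key + r"\s*\{([^}]*)\}", body)
            if acl:
                entry[key] = [e.strip() for e in acl.group(1).split(";") if e.strip()]
        rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
        entry["recursion"] = rec.group(1) if rec else "yes"
        blocks[name] = entry
    return blocks

def audit(conf: str) -> list:
    """One finding per exposed block; an empty list means both checks pass."""
    findings = []
    for name, e in parse_blocks(conf).items():
        if "any" in e.get("allow-transfer", []):
            findings.append(f"{name}: allow-transfer to any (zone contents enumerable)")
        if e["recursion"] == "yes" and "any" in e.get("allow-recursion", []):
            findings.append(f"{name}: recursion for any client (open resolver)")
    return findings
```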

4. Creating zone files for resolving domain names to IP addresses

4.1. For the internal zone

root@srv01:~# vi /etc/bind/srv.local.lan

$TTL 86400
@   IN  SOA     srv01.srv.local. root.srv.local. (
        2017062101  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

; define name server (zone files use ';' for comments, not '#')
        IN  NS      srv01.srv.local.
; define name server's IP address
        IN  A       10.0.0.30
; define mail exchanger
        IN  MX 10   srv01.srv.local.
; define IP address of a hostname
srv01   IN  A       10.0.0.30

4.2. For the external zone

root@srv01:~# vi /etc/bind/srv.local.wan

$TTL 86400
@   IN  SOA     srv01.srv.local. root.srv.local. (
        2017062101  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

; define name server
        IN  NS      srv01.srv.local.
; define name server's IP address
        IN  A       172.16.0.82
; define mail exchanger
        IN  MX 10   srv01.srv.local.
; define IP address of a hostname
srv01   IN  A       172.16.0.82

5. Creating zone files for resolving IP addresses to domain names

5.1. For the internal zone

root@srv01:~# vi /etc/bind/0.0.10.db

$TTL 86400
@   IN  SOA     srv01.srv.local. root.srv.local. (
        2017062101  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

; define name server
        IN  NS      srv01.srv.local.
; define the range of this domain included
        IN  PTR     srv.local.
        IN  A       255.255.255.0
; define hostname of an IP address
30      IN  PTR     srv01.srv.local.

5.2. For the external zone

root@srv01:~# vi /etc/bind/80.0.16.172.db

$TTL 86400
@   IN  SOA     srv01.srv.local. root.srv.local. (
        2017062101  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

; define name server
        IN  NS      srv01.srv.local.
; define the range of this domain included
        IN  PTR     srv.local.
        IN  A       255.255.255.248
; define hostname of an IP address
82      IN  PTR     srv01.srv.local.

Restart BIND so the changes take effect, and make sure it starts without errors.

Add your own DNS server to resolv.conf for name resolution.

[ens3] is the interface name and differs between systems; replace it with your own. The dns-nameservers line goes into that interface's iface stanza in /etc/network/interfaces; resolvconf then writes it into /etc/resolv.conf.

root@srv01:~# apt -y install resolvconf
root@srv01:~# vi /etc/network/interfaces

dns-nameservers 10.0.0.30

root@srv01:~# systemctl restart ifup@ens3 resolvconf bind9

Verification:

root@srv01:~# dig srv01.srv.local.


; <<>> DiG 9.10.3-P4-Debian <<>> srv01.srv.local.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52538
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;srv01.srv.local.                 IN      A

;; ANSWER SECTION:
srv01.srv.local.          86400   IN      A       10.0.0.30

;; AUTHORITY SECTION:
srv.local.                86400   IN      NS      srv01.srv.local.

;; Query time: 0 msec
;; SERVER: 10.0.0.30#53(10.0.0.30)
;; WHEN: Thu Jun 22 14:40:36 JST 2018
;; MSG SIZE  rcvd: 72

root@srv01:~# dig -x 10.0.0.30


; <<>> DiG 9.10.3-P4-Debian <<>> -x 10.0.0.30
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19468
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;30.0.0.10.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
30.0.0.10.in-addr.arpa. 86400   IN      PTR     srv01.srv.local.

;; AUTHORITY SECTION:
0.0.10.in-addr.arpa.    86400   IN      NS      srv01.srv.local.

;; ADDITIONAL SECTION:
srv01.srv.local.        86400   IN      A       10.0.0.30

;; Query time: 0 msec
;; SERVER: 10.0.0.30#53(10.0.0.30)
;; WHEN: Thu Jun 22 14:41:46 JST 2018
;; MSG SIZE  rcvd: 108

6. Setting up a CNAME

If you want an additional name for your host, add a CNAME record to the zone file.

root@srv01:~# vi /etc/bind/srv.local.lan

$TTL 86400
@   IN  SOA     srv01.srv.local. root.srv.local. (

; update serial (zone files use ';' for comments, not '#')
        2017062102  ;Serial
        3600        ;Refresh
        1800        ;Retry
        604800      ;Expire
        86400       ;Minimum TTL
)

        IN  NS      srv01.srv.local.
        IN  A       10.0.0.30
        IN  MX 10   srv01.srv.local.
srv01   IN  A       10.0.0.30
; alias IN CNAME server's name
ftp     IN  CNAME   srv01.srv.local.

root@srv01:~# rndc reload

server reload successful

root@srv01:~# dig ftp.srv.local.

; <<>> DiG 9.10.3-P4-Debian <<>> ftp.srv.local.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27731
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.srv.local.                 IN      A

;; ANSWER SECTION:
ftp.srv.local.          86400   IN      CNAME   srv01.srv.local.
srv01.srv.local.        86400   IN      A       10.0.0.30

;; AUTHORITY SECTION:
srv.local.              86400   IN      NS      srv01.srv.local.

;; Query time: 0 msec
;; SERVER: 10.0.0.30#53(10.0.0.30)
;; WHEN: Thu Jun 22 14:52:35 JST 2018
;; MSG SIZE  rcvd: 90

7. Configuring a slave (secondary) DNS server

The following example assumes an environment with the master DNS at [172.16.0.82] and the slave DNS at [slave.example.host].

7.1. Configuring the master DNS

root@srv01:~# vi /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };
        allow-query { localhost; 10.0.0.0/24; };
        # add a range you allow to transfer zones
        allow-transfer { localhost; 10.0.0.0/24; 172.16.0.80/29; };
        allow-recursion { localhost; 10.0.0.0/24; };
        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

root@srv01:~# rndc reload

server reload successful

7.2. Configuring the slave DNS

root@slave:~# vi /etc/bind/named.conf.external-zones

        zone "srv.local" {
                type slave;
                masters { 172.16.0.82; };
                file "/etc/bind/slaves/srv.local.wan";
        };

root@slave:~# mkdir /etc/bind/slaves

root@slave:~# chown bind. /etc/bind/slaves

root@slave:~# rndc reload

server reload successful
root@slave:~# ls /etc/bind/slaves

srv.local.wan     # the zone file from the master DNS has just been transferred

That's all!