Linux DNS Setup Guide


1. Setup manual for Linux

    <Setting up CentOS 4.x as a name server>

         During OS installation

          1)  Be sure to install the DNS package.

          2)  Install with the firewall disabled (check "No firewall").

 

          During the work

          1. Open two SSH sessions to the server.

    2. In one of the SSH windows, monitor the log.

    # tail  -f  /var/log/messages

    3. In the other window, carry out the work.

    Check that the DNS daemon is running.

    # ps -ef |grep named
    named     3950     1  5 00:08 ?        00:00:00 /usr/sbin/named -u named

    root      3955  3880  0 00:08 pts/2    00:00:00 grep named

     

      Check that DNS resolution works

    #  dig www.serverchk.com

    ; <<>> DiG 9.3.2 <<>> www.serverchk.com

    ;; global options:  printcmd

    ;; Got answer:

    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47129

    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; QUESTION SECTION:

    ;www.serverchk.com.             IN      A

    ;; ANSWER SECTION:

    www.serverchk.com.      10      IN      A       210.116.123.25

    ;; AUTHORITY SECTION:

    serverchk.com.          10      IN      NS      ns2.serverchk.com.

    serverchk.com.          10      IN      NS      ns1.serverchk.com.

    ;; ADDITIONAL SECTION:

    ns1.serverchk.com.      10      IN      A       210.116.123.25

    ;; Query time: 9 msec

    ;; SERVER: 168.126.63.1#53(168.126.63.1)

    ;; WHEN: Mon Jan 25 23:02:15 2010

    ;; MSG SIZE  rcvd: 103

     

     

    4. Adding a domain


     4.1 Checking the name server information registered with the domain registrar

     

    # dig  @A.GTLD-SERVERS.NET.   yahooms.com

    ; <<>> DiG 9.2.4 <<>> @A.GTLD-SERVERS.NET. yahooms.com
    ; (2 servers found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13832
    ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;yahooms.com.                   IN      A

    ;; AUTHORITY SECTION:
    yahooms.com.            172800  IN      NS      ns1.yahooms.com.
    yahooms.com.            172800  IN      NS      ns2.yahooms.com.

    ;; ADDITIONAL SECTION:
    ns1.yahooms.com.        172800  IN      A       124.60.31.5
    ns2.yahooms.com.        172800  IN      A       124.60.31.5

    ;; Query time: 117 msec
    ;; SERVER: 192.5.6.30#53(192.5.6.30)
    ;; WHEN: Mon Apr 23 00:13:18 2007
    ;; MSG SIZE  rcvd: 97


    //  Name server changes for .com, .kr and other TLDs take effect in real time.


    4.2   When setting the recursion no; option to close the open-resolver (open DNS) weakness, be sure to point the server's own resolver at an external DNS (the ISP's DNS).

       Make sure client PCs do not use this server as their DNS resolver. (This DNS server is configured not to act as a caching DNS.)

       
    # vi /etc/resolv.conf
    search kornet.net
    nameserver 168.126.63.1
    nameserver 168.126.63.2

     

    4.3  Back up before making changes

    etc]# cp   named.conf   named.conf-20100420

     

    4.4  Configuring named.conf

    etc]# vi  named.conf
    //
    // named.conf for Red Hat caching-nameserver
    //

    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            version " No !!";
            recursion no;
            allow-transfer { 127.0.0.1;  200.1.7.2; };
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
             // query-source address * port 53;
    };

    //
    // a caching only nameserver config
    //
    controls {
            inet 127.0.0.1 allow { localhost; } keys { rndckey; };
    };

    zone "." IN {
            type hint;
            file "named.ca";
    };

    zone "localdomain" IN {
            type master;
            file "localdomain.zone";
            allow-update { none; };
    };

    zone "serverchk.com" IN {
            type master;
            file "serverchk.com.zone";
            allow-update { none; };
    };

     

    4.5  Checking that named.conf is valid

    etc# named-checkconf named.conf

    If the command returns with no output and no error, there are no configuration (syntax) errors.


    4.6  Restarting the named daemon
    named]# service   named   restart

     

    Checking the daemon

    # ps -ef |grep named

    # /usr/sbin/named -u named -t /var/named/chroot

     

    4.7  Checking the SPF record so that mail works

    # dig  serverchk.com  txt

    If a TXT record comes back in the answer, the SPF record is set up correctly.

     

    4.8  Creating the zone file

    # cd /var/named/chroot/var/named/

    # cp localdomain.zone serverchk.com.zone

     

    # vi   serverchk.com.zone


    $TTL    10M
    @                       IN SOA  ns1.serverchk.com.  root (
                                            2010042002      ; serial (d. adams)
                                            3H              ; refresh
                                            15M             ; retry
                                            1W              ; expiry
                                            1D )            ; minimum
                            IN NS   ns1.serverchk.com.
                            IN NS   ns2.serverchk.com.
                            IN MX   10      mail.serverchk.com.
                            IN A    200.6.177.122
                            IN A    200.6.2.2
    ns1.serverchk.com.      IN A    200.6.177.1
    ns2.serverchk.com.      IN A    200.6.2.2
    www                     IN A    200.6.177.122
    mail                    IN A    200.6.177.122
    ftp                     IN A    200.6.177.122
    serverchk.com.          IN TXT  "v=spf1  ip4:200.6.177.122  ip4:200.6.177.0/24 ~all"

     

    Note: in  @               IN SOA  ns1.serverchk.com.    root

    =>  ns1.serverchk.com. must be the name of the master NS.

    When DNS sends NOTIFY, the ns1.serverchk.com. written here is treated as the master, and NOTIFY messages are sent to the remaining NS records (the slave servers).
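The checks in this note can be automated. The following is an added example, not part of the original post: a small Python checker for the simplified zone-file syntax used above. It confirms that the SOA MNAME is one of the zone's NS names, that every in-zone NS and MX target has an A record, that the apex has exactly one v=spf1 TXT record, and that the serial follows the YYYYMMDDnn convention used above. The sample zone is the serverchk.com zone from this page; the function and message names are the example's own.

```python
"""Sanity checks for a BIND master zone file (added example, not from the post).

Checks the points the section above makes: the SOA MNAME must be one of
the zone's NS names, every in-zone NS and MX target needs an A record,
the apex carries exactly one v=spf1 TXT record, and the serial follows
the YYYYMMDDnn convention used in the zone above.
"""
import re

ORIGIN = "serverchk.com."

# Constructed sample: the serverchk.com zone from the post, re-aligned.
SAMPLE_ZONE = """\
$TTL    10M
@               IN SOA  ns1.serverchk.com.  root (
                                        2010042002      ; serial
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum
                IN NS           ns1.serverchk.com.
                IN NS           ns2.serverchk.com.
                IN MX   10      mail.serverchk.com.
                IN A            200.6.177.122
                IN A            200.6.2.2
ns1.serverchk.com.      IN A    200.6.177.1
ns2.serverchk.com.      IN A    200.6.2.2
www                     IN A    200.6.177.122
mail                    IN A    200.6.177.122
ftp                     IN A    200.6.177.122
serverchk.com.          IN TXT  "v=spf1 ip4:200.6.177.122 ip4:200.6.177.0/24 ~all"
"""


def fqdn(name, origin):
    """Expand '@' and relative names to fully qualified, dot-terminated names."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples from the simplified zone syntax above.

    Handles $TTL, ';' comments, the parenthesised multi-line SOA and the
    implicit owner of indented lines. Per-record TTLs, classes other than
    IN and ';' inside quoted TXT data are not modelled.
    """
    body = re.sub(r";.*", "", text)                        # drop comments
    body = re.sub(r"\(([^)]*)\)",                          # join ( ... ) spans
                  lambda m: " ".join(m.group(1).split()), body)
    records, owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        if not line[0].isspace():                          # owner in column 1
            parts = line.split(None, 1)
            owner, line = parts[0], parts[1] if len(parts) > 1 else ""
        fields = line.split()
        if fields and fields[0] == "IN":
            fields = fields[1:]
        if not fields:
            continue
        records.append((fqdn(owner, origin), fields[0], " ".join(fields[1:])))
    return records


def check_zone(text, origin=ORIGIN):
    """Return a list of problems; an empty list means the zone passes."""
    recs = parse_zone(text, origin)

    def of_type(rtype):
        return [(o, rd) for o, t, rd in recs if t == rtype]

    def in_zone(name):
        return name.endswith("." + origin)

    problems = []
    a_names = {o for o, _ in of_type("A")}
    ns_names = {fqdn(rd, origin) for _, rd in of_type("NS")}

    soa = of_type("SOA")
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA record")
    else:
        mname, _rname, serial = soa[0][1].split()[:3]
        if fqdn(mname, origin) not in ns_names:
            problems.append(f"SOA MNAME {mname} is not one of the NS names; "
                            "NOTIFY treats MNAME as the master")
        if not re.fullmatch(r"\d{10}", serial):
            problems.append(f"serial {serial} is not in YYYYMMDDnn form")
    for ns in sorted(ns_names):
        if in_zone(ns) and ns not in a_names:
            problems.append(f"in-zone NS {ns} has no A record")
    for _, rd in of_type("MX"):
        target = fqdn(rd.split()[1], origin)
        if in_zone(target) and target not in a_names:
            problems.append(f"MX target {target} has no A record")
    spf = [rd for o, rd in of_type("TXT")
           if o == origin and rd.strip('"').startswith("v=spf1")]
    if len(spf) != 1:
        problems.append(f"expected one v=spf1 TXT at the apex, found {len(spf)}")
    return problems


if __name__ == "__main__":
    for p in check_zone(SAMPLE_ZONE) or ["zone passes all checks"]:
        print(p)
```

Run it on the zone file before named-checkconf and the restart; it complements named-checkzone, which validates syntax but not the MNAME/NS relationship the note above describes.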

     

     

    4.9   Verifying that the version-hiding setting works


    # dig @127.0.1 txt chaos version.bind.

    ; <<>> DiG 9.2.4 <<>> @127.0.1 txt chaos version.bind.
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32021
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;version.bind.                  CH      TXT

    ;; ANSWER SECTION:
    version.bind.           0       CH      TXT     " No !!"
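The dig checks in 4.2, 4.7 and 4.9 can be scripted so they run after every change instead of being read by eye. The following is an added example, not part of the original post: it parses the header and ANSWER section of dig's default output and checks that recursion is not offered (no ra flag and no answer records for an out-of-zone name), that the apex TXT is a single v=spf1 record, and that version.bind returns no dotted version number. The dig outputs embedded below are constructed samples modelled on the ones shown on this page; the function names are the example's own.

```python
"""Checks on dig output for the hardening steps above (added example, not from the post).

Parses the header and ANSWER section of dig's default output, the format
shown throughout this page, and checks three things the post verifies by
eye: recursion is not offered to outside clients (4.2), the apex TXT
record is an SPF record (4.7), and version.bind does not leak a real
version string (4.9).
"""
import re

# Constructed samples modelled on the dig output shown on this page.
RECURSIVE_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47129
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; QUESTION SECTION:
;www.serverchk.com.             IN      A

;; ANSWER SECTION:
www.serverchk.com.      10      IN      A       210.116.123.25
"""

REFUSED_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5012
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.net.               IN      A
"""

SPF_ANSWER = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7733
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; ANSWER SECTION:
serverchk.com.          600     IN      TXT     "v=spf1 ip4:200.6.177.122 ip4:200.6.177.0/24 ~all"
"""

VERSION_HIDDEN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32021
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; ANSWER SECTION:
version.bind.           0       CH      TXT     " No !!"
"""

VERSION_LEAKED = VERSION_HIDDEN.replace('" No !!"', '"9.3.2"')


def parse_dig(text):
    """Return status, flags, section counts and ANSWER records (owner, type, rdata)."""
    result = {"status": None, "flags": set(), "counts": {}, "answers": []}
    m = re.search(r"status: (\w+)", text)
    if m:
        result["status"] = m.group(1)
    m = re.search(r";; flags: ([^;]*);(.*)", text)
    if m:
        result["flags"] = set(m.group(1).split())
        result["counts"] = {k: int(v) for k, v in re.findall(r"(\w+): (\d+)", m.group(2))}
    in_answer = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
        elif in_answer and line:
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            result["answers"].append((owner, rtype, rdata))
    return result


def recursion_closed(dig_text):
    """True when a query for a name outside the server's zones came back
    without the 'ra' flag and without answer records."""
    d = parse_dig(dig_text)
    return "ra" not in d["flags"] and d["counts"].get("ANSWER", 0) == 0


def spf_present(dig_text):
    """True when the ANSWER section holds exactly one TXT record starting with v=spf1."""
    spf = [rd for _, t, rd in parse_dig(dig_text)["answers"]
           if t == "TXT" and rd.strip().strip('"').startswith("v=spf1")]
    return len(spf) == 1


def version_hidden(dig_text):
    """True when no TXT answer to version.bind contains a dotted version number."""
    return not any(re.search(r"\d+\.\d+", rd)
                   for _, t, rd in parse_dig(dig_text)["answers"] if t == "TXT")


if __name__ == "__main__":
    print("recursion closed:", recursion_closed(REFUSED_ANSWER))
    print("spf present:", spf_present(SPF_ANSWER))
    print("version hidden:", version_hidden(VERSION_HIDDEN))
```

For the recursion check, query the server itself for a name outside its zones (for example dig @127.0.0.1 www.example.net) and pass the output to recursion_closed(); the first sample above, taken against the ISP resolver in section 3, correctly fails that check because an ISP resolver is expected to offer recursion.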

     

    4.10  Checking the DNS setup as a whole

    www.serverchk.com 

     

     

    5. Getting rndc to work

    # cd /usr/sbin/

    # ./rndc-confgen

    # Start of rndc.conf
    key "rndc-key" {
            algorithm hmac-md5;
            secret "hLKd6Ywiqsskxg==";
    };

    options {
            default-key "rndc-key";
            default-server 127.0.0.1;
            default-port 953;
    };
    # End of rndc.conf


    # Use with the following in named.conf, adjusting the allow list as needed:
     key "rndc-key" {
           algorithm hmac-md5;
           secret "hL6Ywiqsskxg==";
     };
     
     controls {
           inet 127.0.0.1 port 953
                   allow { 127.0.0.1; } keys { "rndc-key"; };
     };
    # End of named.conf

     

    Back up the named.conf configuration
    etc]# cp  named.conf  named.conf-20070420
    etc]# mv  rndc.conf  rndc.conf-20070420

     

    etc# vi rndc.conf

    # Start of rndc.conf
    key "rndc-key" {
            algorithm hmac-md5;
            secret "hLAPKd6Ywiqsskxg==";
    };

    options {
            default-key "rndc-key";
            default-server 127.0.0.1;
            default-port 953;
    };
    # End of rndc.conf

     

    etc# vi named.conf

    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            version " No !!";
            recursion no;
            allow-transfer { 127.0.0.1;  200.1.7.122; };
            /*
             * If there is a firewall between you and nameservers you want
             * to talk to, you might need to uncomment the query-source
             * directive below.  Previous versions of BIND always asked
             * questions using port 53, but BIND 8.1 uses an unprivileged
             * port by default.
             */
             // query-source address * port 53;
    };

    //
    // a caching only nameserver config
    //
    # Use with the following in named.conf, adjusting the allow list as needed:
     key "rndc-key" {
           algorithm hmac-md5;
           secret "hLAPug4sNwKd6Ywiqsskxg==";
     };

     controls {
           inet 127.0.0.1 port 953
                   allow { 127.0.0.1; } keys { "rndc-key"; };
     };
    # End of named.conf


    zone "." IN {
            type hint;
            file "named.ca";
    };

     

    Using rndc


    etc# rndc reload

    #rndc   reload   serverchk.com
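The secret in rndc.conf and the one pasted into named.conf must be identical, and the control channel should stay on 127.0.0.1 as above; copying between the two files is where mismatches creep in. The following is an added example, not part of the original post: it parses the key and controls stanzas from both files, reports mismatches, weak secrets or a non-loopback control channel, and can render a fresh matching pair from a new 128-bit secret. The config texts are constructed samples, the final key string from this page is reused as the sample secret, and the function names are the example's own.

```python
"""Consistency check for the rndc control key (added example, not from the post).

rndc only works when the key stanza that rndc-confgen printed ends up in
named.conf exactly as it appears in rndc.conf. This parses the key and
controls stanzas from both files and reports mismatches, and includes a
helper that produces a fresh 128-bit secret in the base64 form
rndc-confgen uses. Both config texts below are constructed samples.
"""
import base64
import re
import secrets

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;')
CONTROLS_RE = re.compile(r'controls\s*\{\s*inet\s+(\S+)(?:\s+port\s+\d+)?\s*'
                         r'allow\s*\{([^}]*)\}\s*keys\s*\{([^}]*)\}')


def new_secret(nbytes=16):
    """Random key material, base64-encoded like rndc-confgen's output."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode()


def render_pair(secret, name="rndc-key", algorithm="hmac-md5"):
    """Return (rndc.conf text, named.conf fragment) sharing one key, loopback only."""
    key = (f'key "{name}" {{\n'
           f'        algorithm {algorithm};\n'
           f'        secret "{secret}";\n'
           '};\n')
    rndc_conf = key + ('options {\n'
                       f'        default-key "{name}";\n'
                       '        default-server 127.0.0.1;\n'
                       '        default-port 953;\n'
                       '};\n')
    named_conf = key + ('controls {\n'
                        '        inet 127.0.0.1 port 953\n'
                        f'                allow {{ 127.0.0.1; }} keys {{ "{name}"; }};\n'
                        '};\n')
    return rndc_conf, named_conf


def parse_key(text):
    """(name, algorithm, secret) of the first key stanza, or None."""
    m = KEY_RE.search(text)
    return m.groups() if m else None


def parse_controls(text):
    """(listen address, allowed clients, key names) of the controls stanza, or None."""
    m = CONTROLS_RE.search(text)
    if not m:
        return None
    allowed = m.group(2).replace(";", " ").split()
    keys = [k.strip('"') for k in m.group(3).replace(";", " ").split()]
    return m.group(1), allowed, keys


def check_rndc_pair(rndc_conf, named_conf):
    """List of problems; empty when rndc.conf and named.conf agree."""
    rk, nk = parse_key(rndc_conf), parse_key(named_conf)
    if rk is None or nk is None:
        return ["key stanza missing from rndc.conf or named.conf"]
    problems = []
    if rk != nk:
        problems.append("key name, algorithm or secret differ between rndc.conf and named.conf")
    try:
        if len(base64.b64decode(nk[2], validate=True)) < 16:
            problems.append("secret is shorter than 128 bits")
    except ValueError:                      # binascii.Error is a ValueError
        problems.append("secret is not valid base64")
    ctl = parse_controls(named_conf)
    if ctl is None:
        problems.append("named.conf has no controls stanza")
    else:
        addr, allowed, keys = ctl
        if nk[0] not in keys:
            problems.append(f'controls does not reference key "{nk[0]}"')
        if addr != "127.0.0.1" or set(allowed) - {"127.0.0.1", "localhost"}:
            problems.append("control channel is not restricted to the loopback interface")
    return problems


# Constructed sample pair using the final key string shown on this page.
RNDC_CONF, NAMED_CONF = render_pair("hLAPug4sNwKd6Ywiqsskxg==")
# A named.conf whose secret was copied differently (another string from this page).
NAMED_CONF_STALE = NAMED_CONF.replace("hLAPug4sNwKd6Ywiqsskxg==", "hLKd6Ywiqsskxg==")

if __name__ == "__main__":
    print(check_rndc_pair(RNDC_CONF, NAMED_CONF) or "rndc.conf and named.conf agree")
    print(check_rndc_pair(RNDC_CONF, NAMED_CONF_STALE))
```

Run check_rndc_pair() on the real files after editing them and before the service named restart; a rndc reload that fails with a connection or authentication error is almost always one of the problems it reports.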

     

     


    6. Starting the daemon correctly at boot

    etc]# vi /etc/rc.local

    /usr/sbin/named -u named -t /var/named/chroot

     

     

      2. CentOS 5 / Fedora Core 7 manual

       

       Recent OS releases changed some of the DNS-related configuration, so here is a short summary.

       

      Changes in CentOS 5.x noticed while setting it up (the same applies to Fedora 7.x)

      1. Even though the DNS server was selected during OS installation, named.conf and the zone files are nowhere to be seen.

      2. The default configuration now uses views.

      3. Recent versions run chrooted by default; the zone files are in /var/named/chroot/var/named.

      4. named.conf uses include, and the default zone definitions live in the file named.rfc1912.zones.

       

      Below is a brief summary of how to set up DNS on CentOS 5.0 and Fedora 7.

      ------------------------------------------------------------------------------------

      1. Version and library information
      # more /etc/redhat-release
      CentOS release 5 (Final)

      # rpm -qa |grep glibc
      glibc-2.5-12

       

      2. If the OS was installed with the firewall enabled, first stop iptables.

      # service iptables stop

      When installed in firewall mode, DNS port 53 is blocked: resolution works on the server itself, but the port is closed to the outside, so the service is unreachable from other hosts.

      If you need to keep iptables, it is enough to open only TCP and UDP port 53.


      3. Copying named.conf and the zone files

      # locate named.conf

      /usr/share/doc/bind-9.3.3/sample/etc/named.conf


      # cp -rf   /usr/share/doc/bind-9.3.3/sample/etc/*     /var/named/chroot/etc/
      # cp -rf   /usr/share/doc/bind-9.3.3/sample/var/named/*    /var/named/chroot/var/named/


      4. Comment out ddns_key for now
      # vi /etc/named.conf
      //key ddns_key
      //{
      //      algorithm hmac-md5;
      //      secret "use /usr/sbin/dns-keygen to generate TSIG keys";
      //};

       

      5. Setting acl and match-clients

       # vi named.conf

      acl "localarea" {
              127.0.0.1;
              200.6.177.1;
      };

      view "local" {
             match-clients           {  localarea; };
              recursion yes;

      zone "." IN {
              type hint;
              file "named.ca";
      };

      // ... the other zones served to local clients go here ...
      };

      (continued)

       

      view    "external"
      {
      /* This view will contain zones you want to serve only to "external" clients
       * that have addresses that are not on your directly attached LAN interface subnets:
       */
              match-clients           { any; };

              recursion no;
      //      match-destinations      { !localnets; !localhost; };

      // ... the zones served to external clients go here ...
      };

       
       

      6. Starting the name daemon
      # service named restart

      etc# ps -ef |grep named
      named     3610     1  0 06:22 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
      root      3620  2794  0 06:23 pts/1    00:00:00 grep named


      7. Adding a service domain

      etc]# vi named.rfc1912.zones        (add the new zone statement here)

       

      Creating the zone file

      named# cp   localdomain.zone    yahooms.com.zone

      named# vi   yahooms.com.zone
      $TTL    10
      @               IN SOA  localhost root (
                                              42              ; serial (d. adams)
                                              3H              ; refresh
                                              15M             ; retry
                                              1W              ; expiry
                                              1D )            ; minimum
                      IN NS           ns1.yahooms.com.
                      IN NS           ns2.yahooms.com.
      localhost       IN A            200.6.1.2
      ns1             IN A            200.7.1.2
      ns2             IN A            200.6.1.2
      www             IN A            200.6.1.2

       

      8. Apply
      # rndc reload

     

     

    When changing name server information

    1) Confirm the registration at the gTLD servers

    # dig @a.gtld-servers.net serverchk.com ns +short
    ns1.serverchk.com.
    ns2.serverchk.com.

     

    2) To add ns3, add the host at the domain registrar and change the name server list

    Check

    C:\>dig @a.gtld-servers.net serverchk.com ns +short
    ns1.serverchk.com.
    ns2.serverchk.com.
    ns3.serverchk.com.

     

    Thank you.