BIND Nameserver unter CentOS 6

Transkript

1 :58. 1/36 BIND Nameserver unter CentOS 6 BIND Nameserver unter CentOS 6 Mit BIND 1) des Internet Systems Consortium richten wir uns für unser SOHO 2) -LAN ein Domain-Name- System-Server oder kurz DNS 3) ein. DNS wurde in den beiden RFC 1034 und RFC 1035 definiert und bekam von der Internet Assigned Numbers Authority die beiden Ports 53/UDP und 53/TCP. Installation Zu erst installieren wir uns die beiden Pakete bind und bind-chroot. Letzters hilft uns, unseren DNS in einem chroot 4) -Umgebung laufen zu lassen. # yum install bind bind-chroot -y Grund-Konfiguration RPM-Pakete Als erstes sehen uns wir mal an, was die beiden Pakete alles an Dateien mitbringen und vor allem wohin diese gespeichert worden sind. bind # rpm -qil bind Name : bind Relocations: (not relocatable) Version : Vendor: CentOS Release : 5.P2.el6_0.1 Build Date: Sat 25 Jun :48:43 AM CEST Install Date: Mon 22 Aug :33:07 PM CEST Build Host: c6b6.bsys.dev.centos.org Group : System Environment/Daemons Source RPM: bind p2.el6_0.1.src.rpm Size : License: ISC Signature : RSA/8, Wed 06 Jul :37:08 AM CEST, Key ID 0946fca2c105b9de Packager : CentOS BuildSystem < URL : Summary : The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server Description : BIND (Berkeley Internet Name Domain) is an implementation of the DNS Linux - Wissensdatenbank -

2 Last update: :01. centos:bind_c6 (Domain Name System) protocols. BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. /etc/networkmanager/dispatcher.d/13-named /etc/logrotate.d/named /etc/named /etc/named.conf /etc/named.iscdlv.key /etc/named.rfc1912.zones /etc/rc.d/init.d/named /etc/rndc.conf /etc/rndc.key /etc/sysconfig/named /usr/lib64/bind /usr/sbin/arpaname /usr/sbin/ddns-confgen /usr/sbin/dnssec-dsfromkey /usr/sbin/dnssec-keyfromlabel /usr/sbin/dnssec-keygen /usr/sbin/dnssec-revoke /usr/sbin/dnssec-settime /usr/sbin/dnssec-signzone /usr/sbin/genrandom /usr/sbin/isc-hmac-fixup /usr/sbin/lwresd /usr/sbin/named /usr/sbin/named-checkconf /usr/sbin/named-checkzone /usr/sbin/named-compilezone /usr/sbin/named-journalprint /usr/sbin/nsec3hash /usr/sbin/rndc /usr/sbin/rndc-confgen /usr/share/doc/bind /usr/share/doc/bind-9.7.0/changes /usr/share/doc/bind-9.7.0/copyright /usr/share/doc/bind-9.7.0/copyright /usr/share/doc/bind-9.7.0/readme /usr/share/doc/bind-9.7.0/arm /usr/share/doc/bind-9.7.0/arm/bv9arm-book.xml /usr/share/doc/bind-9.7.0/arm/bv9arm.ch01.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch02.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch03.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch04.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch05.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch06.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch07.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch08.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch09.html /usr/share/doc/bind-9.7.0/arm/bv9arm.ch10.html Printed on :58.

3 :58. 3/36 BIND Nameserver unter CentOS 6 /usr/share/doc/bind-9.7.0/arm/bv9arm.html /usr/share/doc/bind-9.7.0/arm/bv9arm.pdf /usr/share/doc/bind-9.7.0/arm/makefile /usr/share/doc/bind-9.7.0/arm/makefile.in /usr/share/doc/bind-9.7.0/arm/readme-sgml /usr/share/doc/bind-9.7.0/arm/dnssec.xml /usr/share/doc/bind-9.7.0/arm/isc-logo.eps /usr/share/doc/bind-9.7.0/arm/isc-logo.pdf /usr/share/doc/bind-9.7.0/arm/latex-fixup.pl /usr/share/doc/bind-9.7.0/arm/libdns.xml /usr/share/doc/bind-9.7.0/arm/man.arpaname.html /usr/share/doc/bind-9.7.0/arm/man.ddns-confgen.html /usr/share/doc/bind-9.7.0/arm/man.dig.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-dsfromkey.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-keyfromlabel.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-keygen.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-revoke.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-settime.html /usr/share/doc/bind-9.7.0/arm/man.dnssec-signzone.html /usr/share/doc/bind-9.7.0/arm/man.genrandom.html /usr/share/doc/bind-9.7.0/arm/man.host.html /usr/share/doc/bind-9.7.0/arm/man.isc-hmac-fixup.html /usr/share/doc/bind-9.7.0/arm/man.named-checkconf.html /usr/share/doc/bind-9.7.0/arm/man.named-checkzone.html /usr/share/doc/bind-9.7.0/arm/man.named-journalprint.html /usr/share/doc/bind-9.7.0/arm/man.named.html /usr/share/doc/bind-9.7.0/arm/man.nsec3hash.html /usr/share/doc/bind-9.7.0/arm/man.nsupdate.html /usr/share/doc/bind-9.7.0/arm/man.rndc-confgen.html /usr/share/doc/bind-9.7.0/arm/man.rndc.conf.html /usr/share/doc/bind-9.7.0/arm/man.rndc.html /usr/share/doc/bind-9.7.0/arm/managed-keys.xml /usr/share/doc/bind-9.7.0/arm/pkcs11.xml /usr/share/doc/bind-9.7.0/draft /usr/share/doc/bind-9.7.0/draft/draft-ietf-6man-text-addrrepresentation-01.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-behave-dns64-01.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-axfr-clarify-13.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dns-tcprequirements-02.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dnssec-gost-06.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-ecc-key-07.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-interop txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc2671bis-edns0-02.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc2672bis-dname-18.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc3597-bis-00.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-tsig-md5-deprecated-03.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-bad-dns-res-05.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-default-local-zones-09.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-inaddr-required-07.txt Linux - Wissensdatenbank -

4 Last update: :01. centos:bind_c6 /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-name-server-managementreqs-02.txt /usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-respsize-06.txt /usr/share/doc/bind-9.7.0/draft/draft-kato-dnsop-local-zones-00.txt /usr/share/doc/bind-9.7.0/draft/update /usr/share/doc/bind-9.7.0/misc /usr/share/doc/bind-9.7.0/misc/makefile /usr/share/doc/bind-9.7.0/misc/makefile.in /usr/share/doc/bind-9.7.0/misc/dnssec /usr/share/doc/bind-9.7.0/misc/format-options.pl /usr/share/doc/bind-9.7.0/misc/ipv6 /usr/share/doc/bind-9.7.0/misc/migration /usr/share/doc/bind-9.7.0/misc/migration-4to9 /usr/share/doc/bind-9.7.0/misc/options /usr/share/doc/bind-9.7.0/misc/rfc-compliance /usr/share/doc/bind-9.7.0/misc/roadmap /usr/share/doc/bind-9.7.0/misc/sdb /usr/share/doc/bind-9.7.0/misc/sort-options.pl /usr/share/doc/bind-9.7.0/named.conf.default /usr/share/doc/bind-9.7.0/rfc /usr/share/doc/bind-9.7.0/rfc/index.gz /usr/share/doc/bind-9.7.0/rfc/rfc1032.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1033.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1034.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1035.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1101.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1122.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1123.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1183.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1348.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1535.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1536.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1537.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1591.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1611.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1612.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1706.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1712.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1750.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1876.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1886.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1912.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1982.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1995.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc1996.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2052.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2104.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2119.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2133.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2136.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2137.txt.gz Printed on :58.

5 :58. 5/36 BIND Nameserver unter CentOS 6 /usr/share/doc/bind-9.7.0/rfc/rfc2163.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2168.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2181.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2230.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2308.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2317.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2373.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2374.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2375.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2418.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2535.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2536.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2537.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2538.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2539.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2540.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2541.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2553.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2671.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2672.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2673.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2782.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2825.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2826.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2845.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2874.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2915.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2929.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2930.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc2931.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3007.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3008.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3071.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3090.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3110.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3123.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3152.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3197.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3225.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3226.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3258.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3363.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3364.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3425.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3445.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3467.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3490.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3491.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3492.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3493.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3513.txt.gz Linux - Wissensdatenbank -

6 Last update: :01. centos:bind_c6 /usr/share/doc/bind-9.7.0/rfc/rfc3596.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3597.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3645.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3655.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3658.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3755.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3757.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3833.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3845.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc3901.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4025.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4033.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4034.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4035.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4074.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4159.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4193.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4255.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4294.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4339.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4343.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4367.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4398.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4408.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4431.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4470.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4471.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4472.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4509.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4634.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4635.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4641.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4648.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4697.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4701.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4892.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4955.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc4956.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5001.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5011.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5155.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5205.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5452.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5507.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5625.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc5702.txt.gz /usr/share/doc/bind-9.7.0/rfc/rfc952.txt.gz /usr/share/doc/bind-9.7.0/rfc1912.txt /usr/share/doc/bind-9.7.0/sample /usr/share/doc/bind-9.7.0/sample/etc /usr/share/doc/bind-9.7.0/sample/etc/named.conf Printed on :58.

7 :58. 7/36 BIND Nameserver unter CentOS 6 /usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones /usr/share/doc/bind-9.7.0/sample/var /usr/share/doc/bind-9.7.0/sample/var/named /usr/share/doc/bind-9.7.0/sample/var/named/data /usr/share/doc/bind-9.7.0/sample/var/named/my.external.zone.db /usr/share/doc/bind-9.7.0/sample/var/named/my.internal.zone.db /usr/share/doc/bind-9.7.0/sample/var/named/named.ca /usr/share/doc/bind-9.7.0/sample/var/named/named.empty /usr/share/doc/bind-9.7.0/sample/var/named/named.localhost /usr/share/doc/bind-9.7.0/sample/var/named/named.loopback /usr/share/doc/bind-9.7.0/sample/var/named/slaves /usr/share/doc/bind-9.7.0/sample/var/named/slaves/my.ddns.internal.zone.db /usr/share/doc/bind-9.7.0/sample/var/named/slaves/my.slave.internal.zone.db /usr/share/man/man1/arpaname.1.gz /usr/share/man/man5/named.conf.5.gz /usr/share/man/man5/rndc.conf.5.gz /usr/share/man/man8/ddns-confgen.8.gz /usr/share/man/man8/dnssec-dsfromkey.8.gz /usr/share/man/man8/dnssec-keyfromlabel.8.gz /usr/share/man/man8/dnssec-keygen.8.gz /usr/share/man/man8/dnssec-revoke.8.gz /usr/share/man/man8/dnssec-settime.8.gz /usr/share/man/man8/dnssec-signzone.8.gz /usr/share/man/man8/genrandom.8.gz /usr/share/man/man8/isc-hmac-fixup.8.gz /usr/share/man/man8/lwresd.8.gz /usr/share/man/man8/named-checkconf.8.gz /usr/share/man/man8/named-checkzone.8.gz /usr/share/man/man8/named-compilezone.8.gz /usr/share/man/man8/named-journalprint.8.gz /usr/share/man/man8/named.8.gz /usr/share/man/man8/nsec3hash.8.gz /usr/share/man/man8/rndc-confgen.8.gz /usr/share/man/man8/rndc.8.gz /var/log/named.log /var/named /var/named/data /var/named/dynamic /var/named/named.ca /var/named/named.empty /var/named/named.localhost /var/named/named.loopback /var/named/slaves /var/run/named bind-chroot # rpm -qil bind-chroot Linux - Wissensdatenbank -

8 Last update: :01. centos:bind_c6 Name : bind-chroot Relocations: /var/named/chroot Version : Vendor: CentOS Release : 5.P2.el6_0.1 Build Date: Sat 25 Jun :48:43 AM CEST Install Date: Mon 22 Aug :33:10 PM CEST Build Host: c6b6.bsys.dev.centos.org Group : System Environment/Daemons Source RPM: bind p2.el6_0.1.src.rpm Size : 0 License: ISC Signature : RSA/8, Wed 06 Jul :37:09 AM CEST, Key ID 0946fca2c105b9de Packager : CentOS BuildSystem < URL : Summary : A chroot runtime environment for the ISC BIND DNS server, named(8) Description : This package contains a tree of files which can be used as a chroot(2) jail for the named(8) program from the BIND package. Based on the code from Jan "Yenya" Kasprzak <kas@fi.muni.cz> /var/named/chroot /var/named/chroot/dev /var/named/chroot/dev/null /var/named/chroot/dev/random /var/named/chroot/dev/zero /var/named/chroot/etc /var/named/chroot/etc/localtime /var/named/chroot/etc/named /var/named/chroot/etc/named.conf /var/named/chroot/etc/pki/dnssec-keys /var/named/chroot/usr/lib64/bind /var/named/chroot/var /var/named/chroot/var/log /var/named/chroot/var/named /var/named/chroot/var/run /var/named/chroot/var/run/named /var/named/chroot/var/tmp change root - Umgebung Bei der Installation unserer chroot-umgebung wurde automatisch die Konfigurationsdatei /etc/sysconfig/named entsprechend angepasst, in dem die Konfigurationsoption ROOTDIR=/var/named/chroot aktiviert wird. In der Konfigurationsdatei /etc/sysconfig/named finden wir darüber hinaus noch weitere Angaben, wie die chroot-umgebung für bind unter CentOS 6 realisiert wird, und welche Konfigurationsdateien beim Starten des Daemon in die chroot-umgebung gemountet werden. Printed on :58.

9 :58. 9/36 BIND Nameserver unter CentOS 6 /etc/sysconfig/named # BIND named process options # ~~~~~~~~~~~~~~~~~~~~~~~~~~ # Currently, you can use the following options: # # ROOTDIR="/var/named/chroot" -- will run named in a chroot environment. # you must set up the chroot environment # (install the bind-chroot package) before # doing this. # NOTE: # Those directories are automatically mounted to chroot if they are # empty in the ROOTDIR directory. It will simplify maintenance of your # chroot environment. # - /var/named # - /etc/pki/dnssec-keys # - /etc/named # - /usr/lib64/bind or /usr/lib/bind (architecture dependent) # # Those files are mounted as well if target file doesn't exist in # chroot. # - /etc/named.conf # - /etc/rndc.conf # - /etc/rndc.key # - /etc/named.rfc1912.zones # - /etc/named.dnssec.keys # - /etc/named.iscdlv.key # # Don't forget to add "$AddUnixListenSocket /var/named/chroot/dev/log" # line to your /etc/rsyslog.conf file. Otherwise your logging becomes # broken when rsyslogd daemon is restarted (due update, for example). # # OPTIONS="whatever" -- These additional options will be passed to named # at startup. Don't add -t here, use ROOTDIR instead. # # KEYTAB_FILE="/dir/file" -- Specify named service keytab file (for GSS-TSIG) ROOTDIR=/var/named/chroot Beim Starten des named Daemon werden die betreffenden Konfigurationsdateien gemountet. Bei laufendem Daemon können wir uns ganz einfach überzeugen, wohin diese gemountet wurden. # df -ah grep named Linux - Wissensdatenbank -

10 Last update: :01. centos:bind_c6 /etc/named 7.2G 941M 6.0G 14% /var/named/chroot/etc/named /var/named 7.2G 941M 6.0G 14% /var/named/chroot/var/named /etc/named.conf 7.2G 941M 6.0G 14% /var/named/chroot/etc/named.conf /etc/named.rfc1912.zones 7.2G 941M 6.0G 14% /var/named/chroot/etc/named.rfc1912.zones /etc/rndc.key 7.2G 941M 6.0G 14% /var/named/chroot/etc/rndc.key /usr/lib64/bind 7.2G 941M 6.0G 14% /var/named/chroot/usr/lib64/bind /etc/named.iscdlv.key 7.2G 941M 6.0G 14% /var/named/chroot/etc/named.iscdlv.key Beenden wir den Daemon erfolgt automatisch das Unmounten der betreffenden Konfigurationsverzeichnisse. # service named stop && df -ah grep named Stopping named: [ OK ] Wir können also bei der weiteren Konfiguration unser Augenmerk auf die Konfigurationsdatei named.conf im Verzeichnis /etc richten. rsyslogd Darüber hinaus erfolgt hier auch ein Hinweis zum Anpassen des rsyslogd Daemon. Wie in den Bemerkungen in der /etc/sysconfig/named angegeben, werden wir nun noch die rsyslogd Daemon anpassen. Hierzu öffnen wir mit dem Editor unserer Wahl die Konfigurationsdatei /etc/rsyslog.conf. # vim /etc/rsyslog.conf /etc/rsyslog.conf #rsyslog v3 config file # if you experience problems, check # for assistance #### MODULES #### $ModLoad imuxsock.so # provides support for local system logging (e.g. via logger command) $ModLoad imklog.so # provides kernel logging support (previously done by rklogd) #$ModLoad immark.so # provides --MARK-- message capability # Provides UDP syslog reception #$ModLoad imudp.so #$UDPServerRun Printed on :58.

11 :58. 11/36 BIND Nameserver unter CentOS 6 # Provides TCP syslog reception #$ModLoad imtcp.so #$InputTCPServerRun 514 #### GLOBAL DIRECTIVES #### # Use default timestamp format $ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat # File syncing capability is disabled by default. This feature is usually not required, # not useful and an extreme performance hit #$ActionFileEnableSync on # Django: # Erweiterung für die chroot-umgebung des bind Nameservers eingetragen $AddUnixListenSocket /var/named/chroot/dev/log #### RULES #### # Log all kernel messages to the console. # Logging much else clutters up the screen. #kern.* /dev/console # Log anything (except mail) of level info or higher. # Don't log private authentication messages! *.info;mail.none;authpriv.none;cron.none /var/log/messages # The authpriv file has restricted access. authpriv.* /var/log/secure # Log all the mail messages in one place. mail.* - /var/log/maillog # Log cron stuff cron.* /var/log/cron # Everybody gets emergency messages *.emerg * # Save news errors of level crit and higher in a special file. uucp,news.crit /var/log/spooler # Save boot messages also to boot.log local7.* Linux - Wissensdatenbank -

12 Last update: :01. centos:bind_c6 /var/log/boot.log # ### begin forwarding rule ### # The statement between the begin... end define a SINGLE forwarding # rule. They belong together, do NOT split them. If you create multiple # forwarding rules, duplicate the whole block! # Remote Logging (we use TCP for reliable delivery) # # An on-disk queue is created for this action. If the remote host is # down, messages are spooled to disk and sent when it is up again. #$WorkDirectory /var/spppl/rsyslog # where to place spool files #$ActionQueueFileName fwdrule1 # unique name prefix for spool files #$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible) #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown #$ActionQueueType LinkedList # run asynchronously #$ActionResumeRetryCount -1 # infinite retries if host is down # remote host is: name/ip:port, e.g :514, port optional # ### end of the forwarding rule ### Zur Aktivierung unserer Änderung bedarf es nur noch eines Restarts des rsyslogd Daemon. # service rsyslog restart Shutting down system logger: [ OK ] Starting system logger: [ OK ] SELinux In aller Regel werden wir auf die Dienste von SELinux in unserer vhost-installation verzichten können. Wir deaktivieren also, wenn noch nicht bereits bei der Erstinstallation erfolgt, SELinux komplett, indem wir in der Konfigurationsdatei unter /etc/sysconfig das Thema SELinux deaktivieren. # vim /etc/sysconfig/selinux /etc/sysconfig/selinux # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. # Django : SELinux deaktiviert # default : SELINUX=enforcing SELINUX=disabled Printed on :58.

13 :58. 13/36 BIND Nameserver unter CentOS 6 # SELINUXTYPE= can take one of these two values: # targeted - Targeted processes are protected, # mls - Multi Level Security protection. SELINUXTYPE=targeted IPv6 Bei unserer Musterinstallation begnügen wir uns mit einer IPv4-Inststallation. In der Grundkonfiguration unseres bind Daemon sehen wir im Syslog, dass versucht wird auch jedesmal via IPv6 eine Anfrage zu starten. Aug 22 14:45:30 vml named[3376]: error (network unreachable) resolving 'heise.de.dlv.isc.org/dlv/in': 2001:500:71::29#53 Da wir aber (noch) keine IPv6-Anbindung haben, werden wir die IPv6 lookups einfach abstellen. In unserer bind-konfigurationsdatei /etc/named.conf deaktivieren wir einfach die betreffende Zeile durch Voranstellen von zwei Schrägstriche /. # vim /var/named/chroot/etc/named/named.conf //listen-on-v6 port 53 { ::1; // Django: IPv6 deaktiviert In der Datei /etc/sysconfig/named vermerken wir ferner, dass wir lediglich die IPv4-Unterstützung nutzen wollen. # vim /etc/sysconfig/named # Django : nur die IPv4-Unterstützung aktivieren OPTIONS="-4" Anschließend starten wir den Nameserver einmal durch, damit die Konfigurationsänderunegn auch greifen. # service named restart iptables Paketfilter Nach dem Starten unseres named Daemon können wir mit Hilfe vonnetstat überprüfen, ob der Daemon auf den gewünschten Ports lauscht. # netstat -tulpen grep named tcp : :* LISTEN /named tcp : :* LISTEN /named tcp : :* Linux - Wissensdatenbank -

14 Last update: :01. centos:bind_c6 LISTEN /named tcp : :* LISTEN /named udp : :* /named udp : :* /named udp : :* /named Damit der Zugriff auf den Port 53 (TCP/UDP) auch erfolgen kann, müssen wir noch unseren Paketfilter i.d.r. erweitern. Wir tragen hierzu in der Konfigurationsdatei /etc/sysconfig/iptables hierzu die folgenden Zeilen am Ende der INPUT-Regeln nach. # Django : DNS freigeschaltet -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT # Django : bei Bedarf Logging aktivieren #-A INPUT -j LOG # Django : end Anschließend aktivieren wir die Änderungen an unserem Paketfilter, indem wir den Daemon durchstarten. # service iptables restart iptables: Flushing firewall rules: [ OK ] iptables: Setting chains to policy ACCEPT: filter nat [ OK ] iptables: Unloading modules: [ OK ] iptables: Applying firewall rules: [ OK ] erweiterte Konfigurationen caching-only Nameserver Im ersten Schritt wollen wir erst einmal einen caching-only Nameserver aufsetzen. Die mitgelieferte Konfigurationsdate /etc/named.conf des RPM-Pakets bind passen wir unseren Gegebenheiten an. # vim /etc/named.conf /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver Printed on :58.

15 :58. 15/36 BIND Nameserver unter CentOS 6 only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { ; ; // Django : unsere Netzwerk- // interfaces definiert listen-on-v6 port 53 { ::1; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; /24; /26 // Django : unsere Netzwerke // die unseren Nameserver befragen dürfen recursion yes; // Django : dnssec erst einmal deaktiviert für den caching-only Betrieb // dnssec-enable yes; // dnssec-validation yes; // dnssec-lookaside auto; /* Path to ISC DLV key */ // Django : bindkeys-file erst einmal deaktiviert für den caching-only Betrieb // bindkeys-file "/etc/named.iscdlv.key"; logging { channel default_debug { file "data/named.run"; severity dynamic; zone "." IN { type hint; file "named.ca"; include "/etc/named.rfc1912.zones"; Nach der Bearbeitung startetn wir nun unseren Nameserver das erste mal. # service named start Linux - Wissensdatenbank -

16 Last update: :01. centos:bind_c6 Starting named: [ OK ] Sollte wider Erwarten beim Starten etwas schief gelaufen sein, so ist der Syslog die Anlaufstelle für weitere Fehlermeldungen. Im Regelfall wird der erfolgreiche Start entsprechend quittiert. Oct 6 11:16:08 vml named[4010]: starting BIND P2- RedHat P2.el6_0.1 -u named -4 -t /var/named/chroot Oct 6 11:16:08 vml named[4010]: built with '--build=x86_64-unknownlinux-gnu' '--host=x86_64-unknown-linux-gnu' '--tar get=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--execprefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbi n' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '- -libdir=/usr/lib64' '--libexecdir=/usr/libexec' ' --sharedstatedir=/var/lib' '--mandir=/usr/share/man' '-- infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--e nable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disableopenssl-version-check' '--with-dlz-ldap=yes' '--wit h-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '-- with-gssapi=yes' '--disable-isc-spnego' 'build_alia s=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu' 'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pip e -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=sspbuffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDI G_SIGCHASE' Oct 6 11:16:08 vml named[4010]: adjusted limit on open files from 1024 to Oct 6 11:16:08 vml named[4010]: found 1 CPU, using 1 worker thread Oct 6 11:16:08 vml named[4010]: using up to 4096 sockets Oct 6 11:16:08 vml named[4010]: loading configuration from '/etc/named.conf' Oct 6 11:16:08 vml named[4010]: reading built-in trusted keys from file '/etc/named.iscdlv.key' Oct 6 11:16:08 vml named[4010]: using default UDP/IPv4 port range: [1024, 65535] Oct 6 11:16:08 vml named[4010]: using default UDP/IPv6 port range: [1024, 65535] Oct 6 11:16:08 vml named[4010]: no IPv6 interfaces found Oct 6 11:16:08 vml named[4010]: listening on IPv4 interface lo, #53 Oct 6 11:16:08 vml named[4010]: listening on IPv4 interface eth0, #53 Oct 6 11:16:08 vml named[4010]: listening on IPv4 interface eth1, #53 Oct 6 11:16:08 vml named[4010]: generating session key for dynamic DNS Oct 6 11:16:08 vml named[4010]: using built-in trusted-keys for view _default Oct 6 11:16:08 vml named[4010]: automatic empty zone: 127.IN- ADDR.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: IN- ADDR.ARPA Printed on :58.

17 :58. 17/36 BIND Nameserver unter CentOS 6 Oct 6 11:16:08 vml named[4010]: automatic empty zone: IN- ADDR.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: IN-ADDR.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: IP6.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: D.F.IP6.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: 8.E.F.IP6.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: 9.E.F.IP6.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: A.E.F.IP6.ARPA Oct 6 11:16:08 vml named[4010]: automatic empty zone: B.E.F.IP6.ARPA Oct 6 11:16:08 vml named[4010]: using built-in trusted-keys for view _meta Oct 6 11:16:08 vml named[4010]: set up managed-keys.bind meta-zone Oct 6 11:16:08 vml named[4010]: command channel listening on #953 Oct 6 11:16:08 vml named[4010]: the working directory is not writable Oct 6 11:16:08 vml named[4010]: zone 0.in-addr.arpa/IN: loaded serial 0 Oct 6 11:16:08 vml named[4010]: zone in-addr.arpa/IN: loaded serial 0 Oct 6 11:16:08 vml named[4010]: zone ip6.arpa/IN: loaded serial 0 Oct 6 11:16:08 vml named[4010]: zone localhost.localdomain/in: loaded serial 0 Oct 6 11:16:08 vml named[4010]: zone localhost/in: loaded serial 0 Oct 6 11:16:08 vml named[4010]: zone managed-keys.bind/in/_meta: loaded serial 12 Oct 6 11:16:08 vml named[4010]: running <code> In der named-eigenen Logdatei //**/var/named/data/named.run**// wird außerdem der Start mit Angabe der geladenen Zonen dokumentiert. # less /var/named/data/named.run <code>zone 0.in-addr.arpa/IN: loaded serial 0 zone in-addr.arpa/IN: loaded serial 0 zone ip6.arpa/IN: loaded serial 0 zone localhost.localdomain/in: loaded serial 0 zone localhost/in: loaded serial 0 zone managed-keys.bind/in/_meta: loaded serial 12 running Nach dem Starten unseres named Daemon können wir mit Hilfe vonnetstat überprüfen, ob der Daemon auf den gewünschten Ports lauscht. # netstat -tulpen grep named Linux - Wissensdatenbank -

18 Last update: :01. centos:bind_c6 tcp : :* LISTEN /named tcp : :* LISTEN /named tcp : :* LISTEN /named tcp : :* LISTEN /named udp : :* /named udp : :* /named udp : :* /named </code> Dass der Daemon in einer chroot-umgebung gestartet wurde sehen wir anhand folgender Ausgabe: # ps aux grep named named ? Ssl 11:16 0:00 /usr/sbin/named -u named -4 -t /var/named/chroot root pts/0 S+ 11:36 0:00 grep named Nachdem unser nameserver nun läuft werden wir auch gleich mal unsere erste Abfrage tätigen # heise.de ; <<>> DiG P2-RedHat P2.el6_0.1 heise.de ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0 ;; QUESTION SECTION: ;heise.de. IN A ;; ANSWER SECTION: heise.de IN A ;; AUTHORITY SECTION: heise.de IN NS ns.s.plusline.de. heise.de IN NS ns.pop-hannover.de. heise.de IN NS ns2.pop-hannover.net. heise.de IN NS ns.plusline.de. heise.de IN NS ns.heise.de. ;; Query time: 86 msec ;; SERVER: #53( ) ;; WHEN: Mon Aug 22 14:52: ;; MSG SIZE rcvd: 168 Die gleiche Abfrage mit Hilfe von nslookup sieht wie folgt aus: # nslookup heise Server: Address: #53 Non-authoritative answer: Printed on :58.

19 :58. 19/36 BIND Nameserver unter CentOS 6 Name: heise.dmz.nausch.org Address: Nameserver für Intranet und Demilitarized Zone Im folgenden Beispiel erweitern wir unsere ersten Konfigurationsschritt ein wenig, denn schließlich möchten wir ja nicht nur Anfragen nach öffentlichen IP-Adressen beantworten, sondern auch für unser privates Netzwerk im SOHO mit den folgenden zwei Zonen: DMZ : dmz.nausch.org mit Netz: /24 Intranet : intra.nausch.org mit Netz: /26 bind Konfiguration named.conf Basierend auf den Rahmenbedingungen erweitern wir als erstes die Hauptkonfigurationsdatei unseres Nameservers bind. Hierzu bemühen wir wieder den Editor unserer Wahl vim. Die entsprechenden Optionen sind im nachfolgenden Beispiel entsprechend beschrieben. # vim /etc/named.conf named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // acl dmz { /24; // Django : Variablendefinition acl intra { /26; // Django : Variablendefinition options { listen-on port 53 { ; ; ; // Django : unsere Netzwerk- // interfaces definiert // listen-on-v6 port 53 { ::1; // IPv6 deaktiviert directory "/var/named"; Linux - Wissensdatenbank -

20 Last update: :01. centos:bind_c6 dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; dmz; intra; // Django : unsere Netzwerke allow-recursion { localhost; dmz; intra; // die unseren Nameserver befragen dürfen recursion yes; query-source address * port *; // Django : // unpriviligierten Port nutzen, wenn Anfragen // nach extern gestellt werden check-names master warn; // Django : // Der Nameserver soll nur warnen und nicht // abbrechen, wenn er eine Anfrage nicht // beantworten kann. (Bsp. DKIMkeys) auth-nxdomain no; // Django : // RFC1035 Konforme Arbeit (keine alten // Anfragen und Konfigurationen nutzen) dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; logging { channel default_debug { file "data/named.run"; severity dynamic; zone "." IN { type hint; file "named.ca"; include "/etc/named.rfc1912.zones"; Printed on :58.

21 :58. 21/36 BIND Nameserver unter CentOS 6 zone "dmz.nausch.org" IN { type master; file "dynamic/dmz-forward"; allow-update { none; zone " in-addr.arpa" IN { type master; file "dynamic/dmz-reverse"; allow-update { none; zone "intra.nausch.org" IN { type master; file "dynamic/intra-forward"; allow-update { none; zone " in-addr.arpa" IN { type master; file "dynamic/intra-reverse"; allow-update { none; zone "nausch.org" IN { type master; file "dynamic/domain-forward"; allow-update { none; zone " in-addr.arpa" IN { type master; file "dynamic/domain-reverse"; allow-update { none; Die einzelnen Zonen-Dateien legen wir im Verzeichnis /var/named/dynamic/ ab. dmz-forward dmz-reverse intra-forward intra-reverse domain-forward domain-reverse dmz-forward Für die forward-auflösung des Subnetzes DMZ legen wir uns eine Konfigurationsdatei nach folgendem Muster an. Linux - Wissensdatenbank -

22 Last update: :01. centos:bind_c6 /var/named/dynamic/dmz-forward $ORIGIN dmz.nausch.org. $TTL IN SOA vml dmz.nausch.org. root.nausch.org. ( ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum ; IN NS vml dmz.nausch.org. ; fwe IN CNAME vml fwi IN CNAME vml time IN CNAME vml dns IN CNAME vml dhcp IN CNAME vml ; localhost IN A ; vml IN A vml IN A vml IN A dmz-reverse Für die reverse-auflösung des Subnetzes DMZ legen wir uns eine Konfigurationsdatei nach folgendem Muster an. /var/named/dynamic/dmz-reverse $ORIGIN in-addr.arpa. $TTL IN SOA vml dmz.nausch.org. root.nss.nausch.org. ( ; serial 3H ; refresh 1H ; retry 1W ; expiry 1D ) ; minimum IN NS vml dmz.nausch.org. ; 10 IN PTR vml dmz.nausch.org. 20 IN PTR vml dmz.nausch.org. 30 IN PTR vml dmz.nausch.org. Printed on :58.

23 :58. 23/36 BIND Nameserver unter CentOS 6 intra-forward Für die forward-auflösung des Subnetzes intra legen wir uns eine Konfigurationsdatei nach folgendem Muster an. /var/named/dynamic/intra-forward $ORIGIN intra.nausch.org. $TTL IN SOA vml dmz.nausch.org. root.nausch.org. ( ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum ; IN NS vml dmz.nausch.org. ; proton IN CNAME pml ; pml IN A pml IN A intra-reverse Für die reverse-auflösung des Subnetzes intra legen wir uns eine Konfigurationsdatei nach folgendem Muster an. /var/named/dynamic/intra-reverse $ORIGIN in-addr.arpa. $TTL IN SOA vml dmz.nausch.org. root.nss.nausch.org. ( ; serial 3H ; refresh 1H ; retry 1W ; expiry 1D ) ; minimum IN NS pml intra.nausch.org. ; 1 IN PTR pml intra.nausch.org. 51 IN PTR pml intra.nausch.org. Linux - Wissensdatenbank -

24 Last update: :01. centos:bind_c6 domain-forward Für die forward-auflösung unserer eigenen Domäne nausch.org legen wir uns eine Konfigurationsdatei nach folgendem Muster an. /var/named/dynamic/domain-forward $ORIGIN nausch.org. $TTL IN SOA ns1.dmz.nausch.org. root.nausch.org. ( ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum ; IN NS ns1.dmz.nausch.org. ; ns1.dmz.nausch.org IN A ; nausch.org. IN A *.nausch.org. IN A domain-reverse Für die reverse-auflösung unserer eigenen Domäne nausch.org legen wir uns eine Konfigurationsdatei nach folgendem Muster an. /var/named/dynamic/domain-reverse $ORIGIN in-addr.arpa. $TTL IN SOA vml dmz.nausch.org. root.nss.nausch.org. ( ; serial 3H ; refresh 1H ; retry 1W ; expiry 1D ) ; minimum IN NS ns1.dmz.nausch.org. ; 21 IN PTR mx1.nausch.org. Printed on :58.

25 :58. 25/36 BIND Nameserver unter CentOS 6 Utilities rund um den Nameserver bind Konfiguration überprüfen Möchte man die Konfiguration(sdatei) seinen bind-nameservers überprüfen so nutzt man den Befehl named-checkconf # named-checkconf Benutzt man hierbei die Option -p wird, sofern keine Fehler existieren, die Konfigurationsdatei named.conf ohne Kommentare auf der Konsole ausgegeben. # named-checkconf -p options { bindkeys-file "/etc/named.iscdlv.key"; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; listen-on port 53 { /32; /32; /32; memstatistics-file "/var/named/data/named_mem_stats.txt"; statistics-file "/var/named/data/named_stats.txt"; allow-recursion { "localhost"; "dmz"; "intra"; auth-nxdomain no; check-names master warn; dnssec-enable yes; dnssec-lookaside "auto" ; dnssec-validation yes; query-source address port 0; recursion yes; allow-query { "localhost"; "dmz"; "intra"; acl "dmz" { /24; acl "intra" { /26; Linux - Wissensdatenbank -

26 Last update: :01. centos:bind_c6 logging { channel "default_debug" { file "data/named.run"; severity dynamic; zone "." IN { type hint; file "named.ca"; zone "localhost.localdomain" IN { type master; file "named.localhost"; allow-update { "none"; zone "localhost" IN { type master; file "named.localhost"; allow-update { "none"; zone " ip6.arpa" IN { type master; file "named.loopback"; allow-update { "none"; zone " in-addr.arpa" IN { type master; file "named.loopback"; allow-update { "none"; zone "0.in-addr.arpa" IN { type master; file "named.empty"; allow-update { "none"; zone "dmz.nausch.org" IN { type master; file "dynamic/dmz-forward"; allow-update { Printed on :58.

27 :58. 27/36 BIND Nameserver unter CentOS 6 "none"; zone " in-addr.arpa" IN { type master; file "dynamic/dmz-reverse"; allow-update { "none"; zone "intra.nausch.org" IN { type master; file "dynamic/intra-forward"; allow-update { "none"; zone " in-addr.arpa" IN { type master; file "dynamic/intra-reverse"; allow-update { "none"; zone "nausch.org" IN { type master; file "dynamic/domain-forward"; allow-update { "none"; zone " in-addr.arpa" IN { type master; file "dynamic/domain-reverse"; allow-update { "none"; Versionsabfrage Will man die Version eines Namservers abfragen, so kann man dies mit Hilfe folgenden Befehls erreichen. # dig txt chaos version.bind ; <<>> DiG P2-RedHat P2.el6_0.1 <<>> txt chaos version.bind ;; global options: +cmd ;; Got answer: Linux - Wissensdatenbank -

28 Last update: :01. centos:bind_c6 ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; WARNING: recursion requested but not available ;; QUESTION SECTION: ;version.bind. CH TXT ;; ANSWER SECTION: version.bind. 0 CH TXT "9.7.0-P2-RedHat P2.el6_0.1" ;; AUTHORITY SECTION: version.bind. 0 CH NS version.bind. ;; Query time: 1 msec ;; SERVER: #53( ) ;; WHEN: Thu Oct 6 14:50: ;; MSG SIZE rcvd: 91 Zonenfiles überprüfen Will man (s)ein Zonenfile überprüfen und/oder die verwendete Seriennummer ausgeben, so nutz man den Befehl named-checkzone # named-checkzone dmz.nausch.org /var/named/dynamic/dmz-forward zone dmz.nausch.org/in: loaded serial OK Zonenfiles neu laden Das Neuladen der Zonenkonfigurationsdateien eines DNS-Server, ohne den DNS-Server neu starten zu müssen, erreicht man mit: # rndc reload dnssec-tools # yum install dnssec-tools # rpm -qil dnssec-tools Name : dnssec-tools Relocations: (not relocatable) Version : 1.13 Vendor: Fedora Project Release : 12.el6 Build Date: Fri 24 May :05:40 AM CEST Install Date: Sat 24 May :44:32 PM CEST Build Host: buildvm-24.phx2.fedoraproject.org Printed on :58.

29 :58. 29/36 BIND Nameserver unter CentOS 6 Group : System Environment/Base Source RPM: dnssectools el6.src.rpm Size : License: BSD Signature : RSA/8, Fri 24 May :56:53 PM CEST, Key ID 3b49df2a0608b895 Packager : Fedora Project URL : Summary : A suite of tools for managing dnssec aware DNS usage Description : The goal of the DNSSEC-Tools project is to create a set of tools, patches, applications, wrappers, extensions, and plugins that will help ease the deployment of DNSSEC-related technologies. /etc/dnssec-tools /etc/dnssec-tools/dnssec-tools.conf /usr/bin/blinkenlights /usr/bin/bubbles /usr/bin/buildrealms /usr/bin/check-zone-expiration /usr/bin/cleanarch /usr/bin/cleankrf /usr/bin/convertar /usr/bin/dnspktflow /usr/bin/donuts /usr/bin/donutsd /usr/bin/drawvalmap /usr/bin/dt-getaddr /usr/bin/dt-gethost /usr/bin/dt-getname /usr/bin/dt-getquery /usr/bin/dt-getrrset /usr/bin/dt-validate /usr/bin/dtck /usr/bin/dtconf /usr/bin/dtconfchk /usr/bin/dtdefs /usr/bin/dtinitconf /usr/bin/dtrealms /usr/bin/expchk /usr/bin/fixkrf /usr/bin/genkrf /usr/bin/getdnskeys /usr/bin/getds /usr/bin/grandvizier /usr/bin/keyarch /usr/bin/keymod /usr/bin/krfcheck /usr/bin/libval_check_conf /usr/bin/lights /usr/bin/lsdnssec /usr/bin/lskrf Linux - Wissensdatenbank -

30 Last update: :01. centos:bind_c6 /usr/bin/lsrealm /usr/bin/lsroll /usr/bin/maketestzone /usr/bin/mapper /usr/bin/realmchk /usr/bin/realmctl /usr/bin/realminit /usr/bin/realmset /usr/bin/rollchk /usr/bin/rollctl /usr/bin/rollerd /usr/bin/rollinit /usr/bin/rolllog /usr/bin/rollrec-editor /usr/bin/rollset /usr/bin/signset-editor /usr/bin/tachk /usr/bin/timetrans /usr/bin/trustman /usr/bin/zonesigner /usr/share/dnssec-tools /usr/share/dnssec-tools/donuts /usr/share/dnssec-tools/donuts/rules /usr/share/dnssec-tools/donuts/rules/check_nameservers.txt /usr/share/dnssec-tools/donuts/rules/dns.errors.txt /usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt /usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt /usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt /usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt /usr/share/dnssec-tools/validator-testcases /usr/share/doc/dnssec-tools-1.13 /usr/share/doc/dnssec-tools-1.13/copying /usr/share/doc/dnssec-tools-1.13/install /usr/share/doc/dnssec-tools-1.13/readme /usr/share/man/man1/blinkenlights.1.gz /usr/share/man/man1/bubbles.1.gz /usr/share/man/man1/buildrealms.1.gz /usr/share/man/man1/check-zone-expiration.1.gz /usr/share/man/man1/cleanarch.1.gz /usr/share/man/man1/cleankrf.1.gz /usr/share/man/man1/convertar.1.gz /usr/share/man/man1/dnspktflow.1.gz /usr/share/man/man1/dnssec-tools.1.gz /usr/share/man/man1/donuts.1.gz /usr/share/man/man1/donutsd.1.gz /usr/share/man/man1/drawvalmap.1.gz /usr/share/man/man1/dt-getaddr.1.gz /usr/share/man/man1/dt-gethost.1.gz /usr/share/man/man1/dt-getname.1.gz /usr/share/man/man1/dt-getquery.1.gz /usr/share/man/man1/dt-getrrset.1.gz Printed on :58.

31 :58. 31/36 BIND Nameserver unter CentOS 6 /usr/share/man/man1/dt-libval_check_conf.1.gz /usr/share/man/man1/dt-validate.1.gz /usr/share/man/man1/dtck.1.gz /usr/share/man/man1/dtconf.1.gz /usr/share/man/man1/dtconfchk.1.gz /usr/share/man/man1/dtdefs.1.gz /usr/share/man/man1/dtinitconf.1.gz /usr/share/man/man1/dtrealms.1.gz /usr/share/man/man1/expchk.1.gz /usr/share/man/man1/fixkrf.1.gz /usr/share/man/man1/genkrf.1.gz /usr/share/man/man1/getdnskeys.1.gz /usr/share/man/man1/getds.1.gz /usr/share/man/man1/grandvizier.1.gz /usr/share/man/man1/keyarch.1.gz /usr/share/man/man1/keymod.1.gz /usr/share/man/man1/krfcheck.1.gz /usr/share/man/man1/lights.1.gz /usr/share/man/man1/lsdnssec.1.gz /usr/share/man/man1/lskrf.1.gz /usr/share/man/man1/lsrealm.1.gz /usr/share/man/man1/lsroll.1.gz /usr/share/man/man1/maketestzone.1.gz /usr/share/man/man1/mapper.1.gz /usr/share/man/man1/realmchk.1.gz /usr/share/man/man1/realmctl.1.gz /usr/share/man/man1/realminit.1.gz /usr/share/man/man1/realmset.1.gz /usr/share/man/man1/rollchk.1.gz /usr/share/man/man1/rollctl.1.gz /usr/share/man/man1/rollerd.1.gz /usr/share/man/man1/rollinit.1.gz /usr/share/man/man1/rolllog.1.gz /usr/share/man/man1/rollrec-editor.1.gz /usr/share/man/man1/rollset.1.gz /usr/share/man/man1/signset-editor.1.gz /usr/share/man/man1/tachk.1.gz /usr/share/man/man1/timetrans.1.gz /usr/share/man/man1/trustman.1.gz /usr/share/man/man1/zonesigner.1.gz /usr/share/man/man3/net::dns::sec::tools::realm.3pm.gz /usr/share/man/man3/net::dns::sec::tools::realmmgr.3pm.gz /usr/share/man/man3/p_ac_status.3.gz /usr/share/man/man3/p_val_status.3.gz zone-check # yum install zone-check -y Linux - Wissensdatenbank -

32 Last update: :01. centos:bind_c6 # rpm -qil zonecheck Name : zonecheck Relocations: (not relocatable) Version : Vendor: Dag Apt Repository, Release : 1.2.el6.rf Build Date: Fri 12 Nov :58:44 AM CET Install Date: Sat 24 May :00:03 PM CEST Build Host: lisse.hasselt.wieers.com Group : Applications/Internet Source RPM: zonecheck el6.rf.src.rpm Size : License: GPL Signature : DSA/SHA1, Sat 13 Nov :05:24 AM CET, Key ID a20e52146b8d79e6 Packager : Dag Wieers <dag@wieers.com> URL : Summary : Perform consistency checks on DNS zones Description : ZoneCheck is intended to help solve DNS misconfigurations or inconsistencies that are usually revealed by an increase in the latency of the application. The DNS is a critical resource for every network application, so it is quite important to ensure that a zone or domain name is correctly configured in the DNS. /etc/zonecheck /etc/zonecheck/afnic.profile /etc/zonecheck/de.profile /etc/zonecheck/default.profile /etc/zonecheck/reverse.profile /etc/zonecheck/rootservers /etc/zonecheck/zc.conf /usr/bin/zonecheck /usr/lib/zonecheck /usr/lib/zonecheck/cgi-bin /usr/lib/zonecheck/cgi-bin/zc.cgi /usr/lib/zonecheck/lib /usr/lib/zonecheck/lib/address /usr/lib/zonecheck/lib/address.rb /usr/lib/zonecheck/lib/address/common.rb /usr/lib/zonecheck/lib/address/ipv4.rb /usr/lib/zonecheck/lib/address/ipv6.rb /usr/lib/zonecheck/lib/nresolv /usr/lib/zonecheck/lib/nresolv.rb /usr/lib/zonecheck/lib/nresolv/compatibility.rb /usr/lib/zonecheck/lib/nresolv/config.rb /usr/lib/zonecheck/lib/nresolv/constants.rb /usr/lib/zonecheck/lib/nresolv/dbg.rb /usr/lib/zonecheck/lib/nresolv/dig_output.rb /usr/lib/zonecheck/lib/nresolv/dns.rb /usr/lib/zonecheck/lib/nresolv/dns_message.rb /usr/lib/zonecheck/lib/nresolv/dns_name.rb Printed on :58.

33 :58. 33/36 BIND Nameserver unter CentOS 6 /usr/lib/zonecheck/lib/nresolv/dns_resource.rb /usr/lib/zonecheck/lib/nresolv/host.rb /usr/lib/zonecheck/lib/nresolv/resolver.rb /usr/lib/zonecheck/lib/nresolv/transport.rb /usr/lib/zonecheck/lib/nresolv/wire.rb /usr/lib/zonecheck/lib/textfmt.rb /usr/lib/zonecheck/lib/whois.rb /usr/lib/zonecheck/locale /usr/lib/zonecheck/locale/cgi.en /usr/lib/zonecheck/locale/cgi.fr /usr/lib/zonecheck/locale/cli.en /usr/lib/zonecheck/locale/cli.fr /usr/lib/zonecheck/locale/gtk.en /usr/lib/zonecheck/locale/gtk.fr /usr/lib/zonecheck/locale/inetd.en /usr/lib/zonecheck/locale/inetd.fr /usr/lib/zonecheck/locale/test /usr/lib/zonecheck/locale/test/axfr.en /usr/lib/zonecheck/locale/test/axfr.fr /usr/lib/zonecheck/locale/test/connectivity.en /usr/lib/zonecheck/locale/test/connectivity.fr /usr/lib/zonecheck/locale/test/generic.en /usr/lib/zonecheck/locale/test/generic.fr /usr/lib/zonecheck/locale/test/interop.en /usr/lib/zonecheck/locale/test/interop.fr /usr/lib/zonecheck/locale/test/loopback.en /usr/lib/zonecheck/locale/test/loopback.fr /usr/lib/zonecheck/locale/test/mail.en /usr/lib/zonecheck/locale/test/mail.fr /usr/lib/zonecheck/locale/test/misc.en /usr/lib/zonecheck/locale/test/misc.fr /usr/lib/zonecheck/locale/test/mx.en /usr/lib/zonecheck/locale/test/mx.fr /usr/lib/zonecheck/locale/test/nameserver.en /usr/lib/zonecheck/locale/test/nameserver.fr /usr/lib/zonecheck/locale/test/ns.en /usr/lib/zonecheck/locale/test/ns.fr /usr/lib/zonecheck/locale/test/rootserver.en /usr/lib/zonecheck/locale/test/rootserver.fr /usr/lib/zonecheck/locale/test/soa.en /usr/lib/zonecheck/locale/test/soa.fr /usr/lib/zonecheck/locale/zc.en /usr/lib/zonecheck/locale/zc.fr /usr/lib/zonecheck/test /usr/lib/zonecheck/test/axfr.rb /usr/lib/zonecheck/test/connectivity.rb /usr/lib/zonecheck/test/generic.rb /usr/lib/zonecheck/test/interop.rb /usr/lib/zonecheck/test/loopback.rb /usr/lib/zonecheck/test/mail.rb /usr/lib/zonecheck/test/misc.rb Linux - Wissensdatenbank -

34 Last update: :01. centos:bind_c6 /usr/lib/zonecheck/test/mx.rb /usr/lib/zonecheck/test/nameserver.rb /usr/lib/zonecheck/test/ns.rb /usr/lib/zonecheck/test/rootserver.rb /usr/lib/zonecheck/test/soa.rb /usr/lib/zonecheck/www /usr/lib/zonecheck/www/html /usr/lib/zonecheck/www/html/batch.html.en /usr/lib/zonecheck/www/html/batch.html.fr /usr/lib/zonecheck/www/html/form.html.en /usr/lib/zonecheck/www/html/form.html.fr /usr/lib/zonecheck/www/img /usr/lib/zonecheck/www/img/details.png /usr/lib/zonecheck/www/img/element.png /usr/lib/zonecheck/www/img/fatal.png /usr/lib/zonecheck/www/img/gear.png /usr/lib/zonecheck/www/img/info.png /usr/lib/zonecheck/www/img/light.png /usr/lib/zonecheck/www/img/logo.png /usr/lib/zonecheck/www/img/loupe.png /usr/lib/zonecheck/www/img/notepad.png /usr/lib/zonecheck/www/img/ok.png /usr/lib/zonecheck/www/img/primary.png /usr/lib/zonecheck/www/img/ref.png /usr/lib/zonecheck/www/img/secondary.png /usr/lib/zonecheck/www/img/warning.png /usr/lib/zonecheck/www/img/zc-fav.png /usr/lib/zonecheck/www/img/zone.png /usr/lib/zonecheck/www/js /usr/lib/zonecheck/www/js/formvalidation.js /usr/lib/zonecheck/www/js/popupmenu.js /usr/lib/zonecheck/www/js/progress.js /usr/lib/zonecheck/www/style /usr/lib/zonecheck/www/style/zc.css /usr/lib/zonecheck/www/zonecheck.conf.in /usr/lib/zonecheck/zc /usr/lib/zonecheck/zc/cache.rb /usr/lib/zonecheck/zc/cachemanager.rb /usr/lib/zonecheck/zc/config.rb /usr/lib/zonecheck/zc/console.rb /usr/lib/zonecheck/zc/data /usr/lib/zonecheck/zc/data/catalog.xml /usr/lib/zonecheck/zc/data/config.dtd /usr/lib/zonecheck/zc/data/logo.rb /usr/lib/zonecheck/zc/data/msgcat.dtd /usr/lib/zonecheck/zc/data/xpm.rb /usr/lib/zonecheck/zc/data/zonecheck.dtd /usr/lib/zonecheck/zc/dbg.rb /usr/lib/zonecheck/zc/ext /usr/lib/zonecheck/zc/ext/array.rb /usr/lib/zonecheck/zc/ext/file.rb Printed on :58.

35 :58. 35/36 BIND Nameserver unter CentOS 6 /usr/lib/zonecheck/zc/ext/gtk.rb /usr/lib/zonecheck/zc/ext/myxml.rb /usr/lib/zonecheck/zc/framework.rb /usr/lib/zonecheck/zc/input /usr/lib/zonecheck/zc/input/cgi.rb /usr/lib/zonecheck/zc/input/cli.rb /usr/lib/zonecheck/zc/input/gtk.rb /usr/lib/zonecheck/zc/input/inetd.rb /usr/lib/zonecheck/zc/instructions.rb /usr/lib/zonecheck/zc/locale.rb /usr/lib/zonecheck/zc/mail.rb /usr/lib/zonecheck/zc/msgcat.rb /usr/lib/zonecheck/zc/param.rb /usr/lib/zonecheck/zc/publisher /usr/lib/zonecheck/zc/publisher.rb /usr/lib/zonecheck/zc/publisher/gtk.rb /usr/lib/zonecheck/zc/publisher/html.rb /usr/lib/zonecheck/zc/publisher/text.rb /usr/lib/zonecheck/zc/publisher/xml.rb /usr/lib/zonecheck/zc/report /usr/lib/zonecheck/zc/report.rb /usr/lib/zonecheck/zc/report/byhost.rb /usr/lib/zonecheck/zc/report/byseverity.rb /usr/lib/zonecheck/zc/testmanager.rb /usr/lib/zonecheck/zc/zc.rb /usr/lib/zonecheck/zc/zonecheck.rb /usr/share/doc/zonecheck /usr/share/doc/zonecheck-2.0.4/bugs /usr/share/doc/zonecheck-2.0.4/copying /usr/share/doc/zonecheck-2.0.4/credits /usr/share/doc/zonecheck-2.0.4/changelog /usr/share/doc/zonecheck-2.0.4/gpl /usr/share/doc/zonecheck-2.0.4/history /usr/share/doc/zonecheck-2.0.4/readme /usr/share/doc/zonecheck-2.0.4/todo /usr/share/doc/zonecheck-2.0.4/html /usr/share/doc/zonecheck-2.0.4/html/faq.html /usr/share/doc/zonecheck-2.0.4/html/apa.html /usr/share/doc/zonecheck-2.0.4/html/ch01.html /usr/share/doc/zonecheck-2.0.4/html/ch01s02.html /usr/share/doc/zonecheck-2.0.4/html/ch01s03.html /usr/share/doc/zonecheck-2.0.4/html/ch01s04.html /usr/share/doc/zonecheck-2.0.4/html/ch02.html /usr/share/doc/zonecheck-2.0.4/html/ch02s02.html /usr/share/doc/zonecheck-2.0.4/html/ch02s03.html /usr/share/doc/zonecheck-2.0.4/html/ch03.html /usr/share/doc/zonecheck-2.0.4/html/ch04.html /usr/share/doc/zonecheck-2.0.4/html/ch05.html /usr/share/doc/zonecheck-2.0.4/html/ch05s02.html /usr/share/doc/zonecheck-2.0.4/html/ch06.html /usr/share/doc/zonecheck-2.0.4/html/ch07.html Linux - Wissensdatenbank -

36 Last update: :01. centos:bind_c6 /usr/share/doc/zonecheck-2.0.4/html/ch07s02.html /usr/share/doc/zonecheck-2.0.4/html/ch07s03.html /usr/share/doc/zonecheck-2.0.4/html/ch08.html /usr/share/doc/zonecheck-2.0.4/html/ch08s02.html /usr/share/doc/zonecheck-2.0.4/html/index-toc.html /usr/share/doc/zonecheck-2.0.4/html/index.html /usr/share/man/man1/zonecheck.1.gz Links Zurück zu Projekte und Themenkapitel Zurück zur Startseite 1) Berkeley Internet Name Domain 2) SmallOfficeHomeOffice 3) Domain Name System 4) change root From: - Linux - Wissensdatenbank Permanent link: Last update: :01. Printed on :58.