Install the binariesyum install bind bind-utilsCreate the directories for the zone files which will be created later [root@ns01 ~]# chmod 755 /etc/named[root@ns01 ~]# ls -ld /etc/nameddrwxr-xr-x. 3 root named 43 Jan 5 01:12 /etc/named[root@ns01 ~]# mkdir /etc/named/zones[root@ns01 ~]# touch /etc/named/queries.confnamed.confThe file /etc/named.conf file is where you store the configs for who can do zone transfers, and where the zone files are stored. Edit the named.conf file vim /etc/named.confMake sure you enter in the IP addresses that bind will listen on. (just add the servers IP) listen-on port 53 { 127.0.0.1; 198.18.3.10; };Define what networks can talk to the server allow-query { localhost; 198.18.0.0/15; }; allow-query-cache { localhost; 198.18.0.0/15; }; forwarders { 8.8.8.8; 8.8.4.4; };Add the following includes (at the bottom of the config file) to tell the bind server where to look for resolving names: include "/etc/named/named.conf.local";named.conf.localThis used to be just a part of the named.conf file, but we're breaking it out to a separate file to help keep everything cleaner. Create the new file vim /etc/named/named.conf.localand add the following # Forward Zone Files:zone "cmed.us" { type master; file "/etc/named/zones/db.cmed.us"; # primary zone file};# Reverse Zone Files:zone "0.18.198.in-addr.arpa" { type master; file "/etc/named/zones/db.198.18.0"; # outside network};zone "1.18.198.in-addr.arpa" { type master; file "/etc/named/zones/db.198.18.1"; # dmz network};Forward Zone FileYou can have a single zone file for all of your hosts that are in the same namespace. Create the file noted above in the .local file: vim /etc/named/zones/db.cmed.usand add the following header to the file. Note that " ns1.cmed.us." is the fqdn of this server, and "admin.cmed.us." is the email admin email address associated to the domain. Note that a semi-colon ";" is the beginning of a comment. Every time you modify this file, you will need to update the "Serial" number. To keep track of this, we use the date format for the serial number of the change. $ORIGIN .$TTL 38400 ; 10 hours 40 minutescmed.us IN SOA ns01.cmed.us. abuse.cmed.us. ( 2018010401 ; Serial YYYYMMDD## 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day; the following is within the X.cmed.us zone.$ORIGIN cmed.us.; name servers - NS records IN NS ns01.cmed.us.and then enter in each entry vzn IN A 198.18.0.1 dvr IN A 198.18.0.100 all entries are in the following format:
Reverse Zone FilesThese files are separated by networks, not by domains. You will need to create one for each subnet. vim /etc/named/zones/db.198.18.0$ORIGIN .$TTL 86400 ; 1 day0.18.198.in-addr.arpa IN SOA ns1.cmed.us. admin.cmed.us. ( 2018010401 ; Serial YYYYMMDD## 43200 ; Refresh (12 hours) 900 ; Retry (15 min) 1814400 ; Expire (3 weeks) 10800 ; Min (3 hours)); name servers - NS records IN NS ns1.cmed.us$ORIGIN 0.18.198.in-addr.arpa.and then enter in each entry 1 IN PTR vzn.cmed.us.100 IN PTR dvr.cmed.us.254 IN PTR out-fw01.cmed.us.Start/Restart ServiceCheck filesFirst confirm that all the named.conf* files are correct. [root@ns01 ~]# named-checkconf[root@ns01 ~]#Then confirm that the forward zone files are correct, where "cmed.us" is the domain, and "/etc/named/zones/db.cmed.us" is the forward zone file. [root@ns01 ~]# named-checkzone cmed.us /etc/named/zones/db.cmed.us/etc/named/zones/db.cmed.us:13: record with inherited owner (cmed.us) immediately after $ORIGIN (cmed.us)zone cmed.us/IN: loaded serial 2018010401OK[root@ns01 ~]#[root@ns01 ~]# named-checkzone 0.18.198.in-addr.arpa /etc/named/zones/db.198.18.0zone 0.18.198.in-addr.arpa/IN: loaded serial 2018010401OK[root@ns01 ~]#Start Bind[root@ns01 ~]# systemctl start named[root@ns01 ~]# systemctl enable namedCreated symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.[root@ns01 ~]#[root@ns01 ~]# systemctl status named● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2018-01-05 16:55:45 GMT; 26s ago Main PID: 23453 (named) CGroup: /system.slice/named.service └─23453 /usr/sbin/named -u named -c /etc/named.confJan 05 16:55:45 ns01 named[23453]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone localhost/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone 3.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: zone 0.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.i...ial 0Jan 05 16:55:45 ns01 named[23453]: zone localhost.localdomain/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone 1.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: zone 2.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: all zones loadedJan 05 16:55:45 ns01 named[23453]: runningHint: Some lines were ellipsized, use -l to show in full.[root@ns01 ~]#Firewall ConfigurationsYou need to enable queries into the server, so you will need to modify the local firewall rules by entering the following [root@ns01 ~]# firewall-cmd --add-service=dns --permanentsuccess[root@ns01 ~]# firewall-cmd --reloadsuccess[root@ns01 ~]# firewall-cmd --list-allpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: ssh dhcpv6-client dns ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:[root@ns01 ~]#Change local resolve.confconfirm what your local IP is [root@ns01 ~]# ip -4 addr1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000 inet 198.18.3.10/24 brd 198.18.3.255 scope global eth0 valid_lft forever preferred_lft foreverAnd review what your current lookup is set to. Note that the following is no good. You want the host to point to itself. [root@ns01 ~]# cat /etc/resolv.conf# Generated by NetworkManagersearch cmed.usnameserver 8.8.8.8nameserver 8.8.4.4[root@ns01 ~]# Then confim what your connection name is, and for that connection, overwrite the dns lookup setting [root@ns01 ~]# nmcli dev statusDEVICE TYPE STATE CONNECTIONeth0 ethernet connected System eth0lo loopback unmanaged --[root@ns01 ~]# nmcli con mod System\ eth0 ipv4.dns 198.18.3.10[root@ns01 ~]# nmcli con up System\ eth0Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)[root@ns01 ~]#Then confirm that the changes were successful [root@ns01 ~]# cat /etc/resolv.conf# Generated by NetworkManagersearch cmed.usnameserver 198.18.3.10[root@ns01 ~]#Debugginglog messagesdefault logging for bind is in /var/log/messages [root@ns01 ~]# cat /var/log/messages | grep namedJan 4 16:09:36 localhost NetworkManager[664]: <info> [1515082176.3349] settings: hostname: using hostnamedJan 4 17:45:30 localhost systemd-hostnamed: Changed static host name to 'ns01.cmed.us'Jan 4 17:45:30 localhost systemd-hostnamed: Changed host name to 'ns01.cmed.us'Jan 4 18:42:35 localhost systemd-hostnamed: Changed pretty host name to 'ns01'Jan 4 19:44:12 localhost systemd-hostnamed: Changed host name to 'ns01'Jan 5 16:55:45 localhost bash: /etc/named/zones/db.cmed.us:14: record with inherited owner (cmed.us) immediately after $ORIGIN (cmed.us)Jan 5 16:55:45 localhost named[23453]: starting BIND 9.9.4-RedHat-9.9.4-51.el7_4.1 -u named -c /etc/named.conf[...]Jan 5 16:55:45 localhost named[23453]: all zones loadedJan 5 16:55:45 localhost named[23453]: running[root@ns01 ~]#Query loggingto enable logging for every query, enter [root@ns01 ~]# rndc querylog[root@ns01 ~]#enter in the same command to turn off this feature. running the following dig statement on the bind host [root@ns01 ~]# dig fw01.cmed.us @localhost; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7_4.1 <<>> fw01.cmed.us @localhost;; global options: +cmd;; Got answer:;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 835;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2;; OPT PSEUDOSECTION:; EDNS: version: 0, flags:; udp: 4096;; QUESTION SECTION:;fw01.cmed.us. IN A;; ANSWER SECTION:fw01.cmed.us. 38400 IN A 198.18.2.1;; AUTHORITY SECTION:cmed.us. 38400 IN NS ns01.cmed.us.;; ADDITIONAL SECTION:ns01.cmed.us. 38400 IN A 198.18.3.10;; Query time: 1 msec;; SERVER: ::1#53(::1);; WHEN: Fri Jan 05 18:20:29 GMT 2018;; MSG SIZE rcvd: 92[root@ns01 ~]#produces the following in /var/log/messages Jan 5 18:20:29 localhost named[23453]: client ::1#56627 (fw01.cmed.us): query: fw01.cmed.us IN A +E (::1)Confirming portsfrom a remote host, confirm that the ports are up. (in this case, they are not!) Balsa ~ $ nmap 198.18.3.10Starting Nmap 7.60 ( https://nmap.org ) at 2018-01-05 12:18 ESTNmap scan report for 198.18.3.10Host is up (0.0032s latency).Not shown: 998 closed portsPORT STATE SERVICE22/tcp open ssh5060/tcp filtered sipNmap done: 1 IP address (1 host up) scanned in 1034.67 secondsBalsa ~ $References
|