Services/DNS/Install
Mise en place du nom d'hôte
# The hostname must match the name published for this server in the
# didier.com zone further down (NS/A record "ns", SOA MNAME ns.didier.com.).
hostnamectl set-hostname ns.didier.com
Configuration du réseau
# ifcfg file for eth0 (DEVICE=eth0), one assignment per line.
TYPE=Ethernet
NAME="eth0"
# Static addressing: no DHCP, address/prefix/gateway given below.
BOOTPROTO=none
DEVICE=eth0
# UUID and HWADDR identify this particular VM's NIC; take them from the file
# NetworkManager generated on the target machine rather than reusing these.
UUID=6eb9e4ce-f3f4-44ad-8c7d-b288422d5a8b
HWADDR=52:54:00:46:50:EB
ONBOOT=yes
DEFROUTE=yes
# PEERDNS=yes lets NetworkManager write resolv.conf from DNS1/DOMAIN below.
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes
IPV6_FAILURE_FATAL=no
IPADDR0="192.168.122.237"
PREFIX0="24"
GATEWAY0="192.168.122.1"
# DNS1 is this host's own IPADDR0: the machine resolves through the local
# named instance configured later on this page.
DNS1="192.168.122.237"
DOMAIN="didier.com"
ce qui produira automatiquement le fichier suivant :
# Generated by NetworkManager
# (derived from DNS1/DOMAIN of the eth0 ifcfg file; edits made by hand here
#  are likely to be overwritten the next time NetworkManager rewrites it)
search didier.com
nameserver 192.168.122.237
Installation des dépôts RPM
# NOTE(review): three release packages are fetched over plain http and
# installed in a single step; rpm only prints a warning when the signing key
# is not already imported. A safer sequence is: download the files, import
# each vendor's key with "rpm --import", verify with "rpm -K", then install.
# Nothing later on this page pulls from the b2pweb or rpmforge repositories
# (bind, bind-utils and chrony ship with CentOS 7 itself).
rpm -Uvh http://dl.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-5.noarch.rpm \
  http://koji.b2pweb.com/packages/b2pweb-release/1.4.0/1.el7.centos/noarch/b2pweb-release-1.4.0-1.el7.centos.noarch.rpm \
  http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
Installation de chrony
Installation, démarrage/activation de chrony pour le maintien à l'heure
# Time sync before DNS: DNSSEC validation (enabled in named.conf below) and
# the Kerberos services advertised in the didier.com zone both reject data
# whose timestamps fall outside their validity window.
yum install chrony
systemctl start chronyd
# Enabled so the service comes back after a reboot.
systemctl enable chronyd
Installation du serveur et des outils DNS
# bind provides named and the named-check* tools; bind-utils provides dig,
# used by the tests at the end of this page.
yum install bind bind-utils
Édition des fichiers DNS
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// Edited here so that the server is authoritative for didier.com and for
// the 192.168.122.0/24 reverse zone, while still recursing for LAN clients
// through the forwarders below.
options {
        // Listen on loopback and on any interface address inside the LAN.
        listen-on port 53 { 127.0.0.1; 192.168.122.0/24; };
        // IPv6 listener left disabled: although eth0 has IPV6INIT=yes, no
        // queries are answered over IPv6 by this instance.
        #listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // Only loopback and the LAN may query. This list is what keeps the
        // recursive service enabled below from being an open resolver.
        allow-query { localhost; 192.168.122.0/24; };
        // NOTE(review): zone transfers are allowed to every LAN host although
        // no secondary server is declared anywhere in this file;
        // "allow-transfer { none; };" (or the secondary's address only) would
        // stop any LAN client from dumping both zones with an AXFR.
        allow-transfer { localhost; 192.168.122.0/24; };
        // Upstream resolvers used for every name outside the local zones.
        forwarders { 192.168.0.4; 192.168.0.5; };
        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        // This server is both authoritative (didier.com) and recursive; with
        // no allow-recursion statement BIND falls back to the allow-query
        // list above. An explicit
        //   allow-recursion { localhost; 192.168.122.0/24; };
        // makes that intent visible and survives later edits to allow-query.
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        // NOTE(review): ISC retired the DLV registry in 2017 and later BIND
        // releases deprecate, then reject, dnssec-lookaside. Keep this and the
        // bindkeys-file line only for the BIND version shipped with CentOS 7;
        // drop both when upgrading.
        dnssec-lookaside auto;
        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
// Only the stock debug channel is configured; no query-logging channel is
// defined, so there is no per-query audit trail from this configuration.
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// Root hints, used when a name is not covered by a forwarder answer.
zone "." IN {
        type hint;
        file "named.ca";
};
// Forward zone; file is relative to "directory" above (/var/named).
// Dynamic updates are refused, so the zone can only change by editing the
// file and reloading.
zone "didier.com" IN {
        type master;
        file "didier.com.zone";
        allow-update { none; };
};
// Reverse zone for 192.168.122.0/24, same update policy as above.
zone "122.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.122.zone";
        allow-update { none; };
};
// Stock localhost / loopback zones and the root trust anchor shipped with
// the package.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
$TTL 86400 ; 1 day
; Reverse zone 122.168.192.in-addr.arpa (file "192.168.122.zone" in
; named.conf). The serial is date-based (YYYYMMDDnn): increase it on every
; edit, since secondaries only re-transfer a zone whose serial has grown.
; RNAME root.ns.didier.com. is the mailbox root@ns.didier.com.
@ IN SOA ns.didier.com. root.ns.didier.com. (
        2015031801 ; serial
        3600 ; refresh (1 hour)
        900 ; retry (15 minutes)
        604800 ; expire (1 week)
        86400 ; minimum (1 day)
)
@ IN NS ns.didier.com.
; Owner names are relative to the zone origin, so "132" is 192.168.122.132.
; These must stay in step with the A records of the forward zone.
132 IN PTR kls.didier.com.
237 IN PTR ns.didier.com.
$TTL 86400 ; 1 day
; Forward zone didier.com (file "didier.com.zone" in named.conf). Same
; date-based serial scheme as the reverse zone: bump it on every edit.
@ IN SOA ns.didier.com. root.ns.didier.com. (
        2015031801 ; serial
        3600 ; refresh (1 hour)
        900 ; retry (15 minutes)
        604800 ; expire (1 week)
        86400 ; minimum (1 day)
)
@ IN NS ns.didier.com.
; Hosts; keep in step with the PTR records of the reverse zone.
kls IN A 192.168.122.132
ns IN A 192.168.122.237
; Kerberos realm discovery; realm names are case-sensitive, hence upper case.
_kerberos IN TXT "DIDIER.COM"
; KDC and LDAP both live on kls. The SRV targets below point at the host
; name that owns the A record, not at these aliases (an SRV target must not
; be a CNAME).
kerberos IN CNAME kls
ldap IN CNAME kls
; Relative owner names, expanded with the zone origin (didier.com).
_kerberos._udp IN SRV 0 0 88 kls
_kerberos-master._udp IN SRV 0 0 88 kls
_kerberos-adm._tcp IN SRV 0 0 749 kls
_kpasswd._udp IN SRV 0 0 464 kls
; NOTE(review): the four absolute owners below appear to expand to the same
; names as the four relative ones above (DNS name matching is
; case-insensitive), so they look like duplicates; keeping a single set
; avoids the two copies drifting apart on a later edit.
_kerberos._udp.DIDIER.COM. IN SRV 0 0 88 kls
_kerberos-master._udp.DIDIER.COM. IN SRV 0 0 88 kls
_kerberos-adm._tcp.DIDIER.COM. IN SRV 0 0 749 kls
_kpasswd._udp.DIDIER.COM. IN SRV 0 0 464 kls
Firewall
Ouverture du firewall pour le service DNS
# The firewalld "dns" service opens 53/tcp and 53/udp in the default zone.
# --permanent only edits the saved configuration, hence the reload.
# If eth0's zone also faces networks other than 192.168.122.0/24, bind the
# rule to a LAN-only zone; named's allow-query then is not the only barrier.
firewall-cmd --permanent --add-service=dns
firewall-cmd --reload
Droits des fichiers
Mise en place du bon propriétaire/groupe sur les fichiers de configuration et des bons droits sur ceux-ci (Unix et SELinux)
# Ownership only: zone files become readable by group named, named.conf is
# root-owned with group named. File modes are not touched by these commands
# (the package installs named.conf as 0640), so hand-copied zone files keep
# whatever mode they were created with.
chgrp named -R /var/named
chown root:named /etc/named.conf
# Reset SELinux labels so the confined named process may read files that
# were copied in with the wrong context.
restorecon -rv /var/named
restorecon /etc/named.conf
Test de la configuration
named-checkconf /etc/named.conf
named-checkzone didier.com /var/named/didier.com.zone
zone didier.com/IN: loaded serial 2015031801
OK
named-checkzone 122.168.192.in-addr.arpa /var/named/192.168.122.zone
zone 122.168.192.in-addr.arpa/IN: loaded serial 2015031801
OK
Démarrage du service DNS
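# Start now and enable at boot: without the enable step named stays down
# after a reboot while the host's resolv.conf still points at itself.
systemctl start named
systemctl enable named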
Tests
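# Queries go to the nameserver in resolv.conf, i.e. this host's own named.
dig didier.com
dig A ns.didier.com
dig A kls.didier.com
dig TXT _kerberos.didier.com
# Also exercise the reverse zone and the Kerberos SRV records, which the
# checks above never touch.
dig -x 192.168.122.237
dig -x 192.168.122.132
dig SRV _kerberos._udp.didier.com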