Bind9.9 на Centos 7
Устанавливаем:
$ sudo yum install bind bind-utils
$ cat /etc/named.conf
// Access list used by allow-query / allow-recursion below: the local LAN plus loopback.
acl "bsd" { 192.168.113.0/24; 127.0.0.1; };
options {
// Listen only on loopback and the LAN-facing address; IPv6 is switched off.
listen-on port 53 { 127.0.0.1; 192.168.113.1; };
listen-on-v6 port 53 { none; };
// Upstream resolvers. NOTE(review): 127.0.0.1 is this server itself (see listen-on),
// so the first forwarder points back at named — looks like a mistake, confirm.
// "_DNS_провайдера" is a placeholder: replace it with the ISP resolver's address.
// No "forward only" is given, so presumably named falls back to the root hints
// (zone "." below) when the forwarders do not answer — verify for this BIND version.
forwarders {
127.0.0.1;
_DNS_провайдера;
8.8.8.8;
};
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
/*
- If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
- If you are building a RECURSIVE (caching) DNS server, you need to enable
recursion.
- If your recursive DNS server has a public IP address, you MUST enable access
control to limit queries to your legitimate users. Failing to do so will
cause your server to become part of large scale DNS amplification
attacks. Implementing BCP38 within your network would greatly
reduce such attack surface
*/
// Recursive resolver restricted to the "bsd" ACL: clients outside it are refused
// both plain queries and recursion, which is the access control the comment
// above asks for.
allow-query { bsd; };
recursion yes;
allow-recursion { bsd; };
// Addresses named will neither answer nor send queries to. 192.168.0.0/16 must
// stay commented out because the LAN (192.168.113.0/24) lies inside it; likewise
// a forwarder or client in 10.0.0.0/8 or 172.16.0.0/12 would be dropped by this list.
blackhole {
0.0.0.0/8;
10.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.2.0/24;
//192.168.0.0/16;
224.0.0.0/4;
240.0.0.0/4;
};
// DNSSEC validation is on; the trust anchor comes from /etc/named.root.key,
// included at the bottom. bindkeys-file is only consulted for DLV lookaside,
// which this config does not enable (no dnssec-lookaside statement); ISC retired
// its DLV registry in 2017, so the file is effectively unused.
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
// Logging. Presumably /var/log/named/ must exist and be writable by the named
// user before start — confirm. NOTE(review): bind_log and security_info both
// write to /var/log/named/named.log with different "versions" settings; two
// channels rotating one file conflict — give security_info its own file.
logging {
channel queries {
// Assigning a channel to the "queries" category turns query logging on: one
// line per client query, rotated at 10M with two old copies kept.
file "/var/log/named/queries.log" versions 2 size 10M;
print-time yes;
print-category yes;
print-severity yes;
};
channel bind_log {
file "/var/log/named/named.log" size 10M;
print-category yes;
print-severity yes;
print-time yes;
};
channel update_debug {
// debug 10 is the most verbose debug level: useful while troubleshooting
// dynamic updates, very noisy otherwise.
file "/var/log/named/named-update.log" versions 6 size 10M;
severity debug 10;
print-category yes;
print-severity yes;
print-time yes;
};
channel security_info {
// Same file as bind_log above — see the note on the logging block.
file "/var/log/named/named.log" versions 6 size 10M;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel edns-disabled {
file "/var/log/named/edns-disabled.log" versions 1 size 500K;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
category default { bind_log; };
category xfer-in { bind_log; };
category xfer-out { bind_log; };
category update { update_debug; };
category security { security_info; };
category queries { queries; };
category edns-disabled { edns-disabled; };
// Lame-delegation messages are discarded.
category lame-servers { null; };
};
// Root hints, used when resolution does not go through the forwarders.
zone "." IN {
type hint;
file "named.ca";
};
// "#" is a valid comment in named.conf, so the controls block is disabled. With no
// controls statement named presumably falls back to its default rndc channel on
// 127.0.0.1 port 953 using the key from /etc/rndc.key below — verify; keep the
// control channel loopback-only either way.
#controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
include "/etc/rndc.key";
// Stock localhost / reverse-loopback zones and the root DNSSEC trust anchor.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
$ sudo systemctl start named
$ sudo systemctl enable named
Правим:
cat /etc/resolv.conf
# Generated by NetworkManager
search imp.kiev.ua
nameserver 194.44.219.161
nameserver 8.8.8.8
nameserver 8.8.4.4
Проверяем (обратите внимание: в resolv.conf выше первым указан 194.44.219.161, поэтому ответ ниже приходит от DNS провайдера, который отвечает REFUSED, а не от локального named; чтобы проверить именно свой сервер, укажите его явно — dig @127.0.0.1 ya.ru — или поставьте nameserver 127.0.0.1 первой строкой в resolv.conf):
[root@ring etc]# dig ya.ru
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7 <<>> ya.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 5166
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ya.ru. IN A
;; Query time: 0 msec
;; SERVER: 194.44.219.161#53(194.44.219.161)
;; WHEN: Срд Июл 25 16:26:48 EEST 2018
;; MSG SIZE rcvd: 34
Делаем chroot