{"id":2853,"date":"2018-07-26T07:57:31","date_gmt":"2018-07-26T07:57:31","guid":{"rendered":"https:\/\/tst-amo.net.ua\/blog\/?p=2853"},"modified":"2019-04-15T19:38:09","modified_gmt":"2019-04-15T19:38:09","slug":"bind9-%d0%b2-chroot","status":"publish","type":"post","link":"https:\/\/tst-amo.net.ua\/blog\/?p=2853","title":{"rendered":"Bind9 \u0432 chroot"},"content":{"rendered":"
# yum -y install bind bind-utils bind-chroot<\/span>\r\n# systemctl start named-chroot \r\n# systemctl enable named-chroot<\/pre>\n
\u041f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u0438\u043c chroot-\u043a\u0430\u0442\u0430\u043b\u043e\u0433, \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442:<\/p>\n
# \/usr\/libexec\/setup-named-chroot.sh \/var\/named\/chroot on<\/pre>\n
\u0423\u043a\u0430\u0436\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f chroot<\/p>\n
# mcedit \/etc\/sysconfig\/named<\/pre>\n
OPTIONS=\"-4\"<\/pre>\n
\u0420\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u0443\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0433:<\/p>\n
# nano\u00a0\/var\/named\/chroot\/etc\/named.conf<\/pre>\n
acl \"bsd<\/span>\" { 192.168.113.0\/24; 127.0.0.1; };\r\n\r\noptions {\r\n    listen-on port 53 { 127.0.0.1; 192.168.113.1; _IP_WAN_<\/span>; };\r\n    \/\/listen-on-v6 port 53 { ::1; };\r\n    directory \"\/var\/named\";\r\n    dump-file \"\/var\/named\/data\/cache_dump.db\";\r\n    statistics-file \"\/var\/named\/data\/named_stats.txt\";\r\n    memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\r\n    allow-query { bsd<\/span>; };\r\n\r\n\/*\r\n - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.\r\n - If you are building a RECURSIVE (caching) DNS server, you need to enable\r\n recursion.\r\n - If your recursive DNS server has a public IP address, you MUST enable access\r\n control to limit queries to your legitimate users. Failing to do so will\r\n cause your server to become part of large scale DNS amplification\r\n attacks. Implementing BCP38 within your network would greatly\r\n reduce such attack surface\r\n *\/\r\n     recursion yes;\r\n     allow-recursion { bsd<\/span>; };\r\n\r\nforwarders {\r\n     127.0.0.1;\r\n     _IP_DNS_\u043f\u0440\u043e\u0432\u0430\u0439\u0434\u0435\u0440\u0430<\/span>;\r\n     8.8.8.8;\r\n };\r\n\r\nversion \"DNS Server\";\r\n\r\nblackhole {\r\n    0.0.0.0\/8;\r\n    10.0.0.0\/8;\r\n    169.254.0.0\/16;\r\n    172.16.0.0\/12;\r\n    192.0.2.0\/24;\r\n    \/\/192.168.0.0\/16;\r\n    224.0.0.0\/4;\r\n    240.0.0.0\/4;\r\n };\r\n\r\ndnssec-enable yes;\r\ndnssec-validation yes;\r\n\r\n\/* Path to ISC DLV key *\/\r\nbindkeys-file \"\/etc\/named.iscdlv.key\";\r\n\r\nmanaged-keys-directory \"\/var\/named\/dynamic\";\r\n\r\npid-file \"\/run\/named\/named.pid\";\r\nsession-keyfile \"\/run\/named\/session.key\";\r\n };\r\n\r\nlogging {\r\n channel queries {\r\n     file \"\/var\/log\/named\/<\/span>queries.log\" versions 2 size 10M;\r\n     print-time yes;\r\n     print-category yes;\r\n     print-severity yes;\r\n };\r\n channel bind_log {\r\n     file \"\/var\/log\/named\/named.log\" size 10M;\r\n     print-category yes;\r\n     print-severity yes;\r\n     print-time yes;\r\n };\r\n channel update_debug {\r\n     file \"\/var\/log\/named\/named-update.log\" versions 6 size 10M;\r\n     severity debug 10;\r\n     print-category yes;\r\n     print-severity yes;\r\n     print-time yes;\r\n };\r\n channel security_info {\r\n     file \"\/var\/log\/named\/named.log\" versions 6 size 10M;\r\n     severity info;\r\n     print-category yes;\r\n     print-severity yes;\r\n     print-time yes;\r\n };\r\n channel edns-disabled {\r\n     file \"\/var\/log\/named\/edns-disabled.log\" versions 1 size 500K;\r\n     severity info;\r\n     print-category yes;\r\n     print-severity yes;\r\n     print-time yes;\r\n };\r\ncategory default { bind_log; };\r\ncategory xfer-in { bind_log; };\r\ncategory xfer-out { bind_log; };\r\ncategory update { update_debug; };\r\ncategory security { security_info; };\r\ncategory queries { queries; };\r\ncategory edns-disabled { edns-disabled; };\r\ncategory lame-servers { null; };\r\n};\r\n\r\nzone \".\" IN {\r\n    type hint;\r\n    file \"named.ca\";\r\n };\r\n\r\ninclude \"\/etc\/named.rfc1912.zones\";\r\ninclude \"\/etc\/named.root.key\";<\/pre>\n
\u041d\u0435 \u0437\u0430\u0431\u044b\u0442\u044c \u0441\u043e\u0437\u0434\u0430\u0442\u044c \u0434\u0438\u0440\u0435\u043a\u0442\u043e\u0440\u0438\u044e \u0434\u043b\u044f \u043b\u043e\u0433\u043e\u0432:<\/p>\n
# mkdir -p \/var\/named\/chroot\/var\/log\/named\r\n# cd \/var\/named\/chroot\/var\/log\r\n# chown named:named named<\/pre>\n
\u041f\u0435\u0440\u0435\u0447\u0438\u0442\u0430\u0442\u044c \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e:<\/p>\n
# rndc reconfig<\/span><\/pre>\n
\u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0433\u0443\u0440\u0430\u0446\u0438\u044e \u0438 \u0437\u043e\u043d\u044b \u043d\u0430 \u043e\u0448\u0438\u0431\u043a\u0438:<\/p>\n
# named-checkconf\r\n# named-checkzone example.com<\/span> \/var\/named\/external\/example.com.zone\r\n# named-checkzone example.com<\/span> \/var\/named\/internal\/example.com.zone<\/pre>\n
DNS-\u0441\u0435\u0440\u0432\u0435\u0440 \u0440\u0430\u0431\u043e\u0442\u0430\u0435\u0442 \u043d\u0430 53 \u043f\u043e\u0440\u0442\u0443 UDP, \u0430 \u0434\u043b\u044f \u043f\u0435\u0440\u0435\u0434\u0430\u0447\u0438 \u0437\u043e\u043d \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442 53 \u043f\u043e\u0440\u0442 TCP. \u041e\u0442\u0432\u0435\u0447\u0430\u0442\u044c \u043d\u0430 \u0437\u0430\u043f\u0440\u043e\u0441\u044b \u0431\u0443\u0434\u0435\u0442 \u0432\u0441\u0435\u043c, \u043d\u043e \u043f\u0435\u0440\u0435\u0434\u0430\u0432\u0430\u0442\u044c \u0437\u043e\u043d\u0443 \u0442\u043e\u043b\u044c\u043a\u043e slave-\u0441\u0435\u0440\u0432\u0435\u0440\u0443, \u043f\u043e \u043b\u043e\u043a\u0430\u043b\u044c\u043d\u043e\u0439 \u0441\u0435\u0442\u0438.<\/p>\n
# iptables -A INPUT -p udp --dport 53 -j ACCEPT -m comment --comment \"dns-query\"\r\n# iptables -A INPUT -s 172.16.0.2<\/span> -p tcp --dport 53 -j ACCEPT -m comment --comment \"dns-transfer\"<\/pre>\n
\u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c.<\/p>\n
\u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a<\/a>
\nhttp:\/\/itzx.ru\/linux\/install-named-bind-chroot-on-centos<\/a>
\nhttps:\/\/webhostinggeeks.com\/howto\/bind-dns-server-in-chroot-jail-on-centos-7\/<\/a><\/p>\n
 <\/p>\n
\"image_pdf\"<\/a>\"image_print\"<\/a><\/div>","protected":false},"excerpt":{"rendered":"
# yum -y install bind bind-utils bind-chroot # systemctl start named-chroot # systemctl enable named-chroot \u041f\u043e\u0434\u0433\u043e\u0442\u043e\u0432\u0438\u043c chroot-\u043a\u0430\u0442\u0430\u043b\u043e\u0433, \u0437\u0430\u043f\u0443\u0441\u0442\u0438\u0432 \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u044b\u0439 \u0441\u043a\u0440\u0438\u043f\u0442: # \/usr\/libexec\/setup-named-chroot.sh \/var\/named\/chroot on \u0423\u043a\u0430\u0436\u0435\u043c \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440 \u0434\u043b\u044f \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u044f chroot # mcedit \/etc\/sysconfig\/named OPTIONS=”-4″ \u0420\u0435\u0434\u0430\u043a\u0442\u0438\u0440\u0443\u0435\u043c \u043a\u043e\u043d\u0444\u0438\u0433: # nano\u00a0\/var\/named\/chroot\/etc\/named.conf acl “bsd” { 192.168.113.0\/24; 127.0.0.1; }; options { listen-on port 53 { 127.0.0.1; 192.168.113.1; _IP_WAN_; }; \/\/listen-on-v6 port …<\/p>\n
Continue reading ‘Bind9 \u0432 chroot’ »<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,48,131,47],"tags":[],"class_list":["post-2853","post","type-post","status-publish","format-standard","hentry","category-bind","category-centos","category-chroot","category-linux"],"_links":{"self":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2853"}],"collection":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2853"}],"version-history":[{"count":11,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2853\/revisions"}],"predecessor-version":[{"id":3941,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=\/wp\/v2\/posts\/2853\/revisions\/3941"}],"wp:attachment":[{"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2853"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tst-amo.net.ua\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}