  • Assumes the initial setup has already been applied by the common role in Ansible
  • CentOS 7 64bit

 

Installing BIND

/usr/libexec/setup-named-chroot.sh /var/named/chroot/ on

Initializing the BIND chroot environment

Enabling BIND to start automatically

systemctl enable named-chroot.service

Editing /etc/named.conf

vi /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html


acl naver-networks-local {
    10.0.0.0/8;
    192.168.0.0/16;
};


options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    directory   "/var/named";
    dump-file   "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query     { localhost; naver-networks-local; };
    allow-transfer  { localhost; naver-networks-local; };
    forwarders { 10.70.0.2; };
    /* forwarders { 118.238.201.33; 118.238.201.49; }; */
    /* forwarders { 8.8.8.8; 8.8.4.4; }; */
    forward only;


    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;


    // DNSSEC is disabled: answers from the forwarder are accepted without validation
    dnssec-enable no;
    dnssec-validation no;


    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";


    managed-keys-directory "/var/named/dynamic";


    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};


logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};


view "internal"
{
    match-clients       { localhost; naver-networks-local; };
    match-destinations  { localhost; naver-networks-local; };
    recursion yes;


    zone "." IN {
        type hint;
        file "named.ca";
    };


    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
};



Stopping, starting, and reloading BIND

systemctl stop named-chroot.service
systemctl start named-chroot.service
systemctl reload named-chroot.service
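
A pre-flight check for the named.conf edited above, as an added example that is not part of the original post: it lists ACL names that appear in match lists but are never defined by an acl statement (named refuses to load such a file) and reports whether recursion is offered to any. The sample config and the name typo-networks-local are constructed, and the check pools clauses across the whole file instead of evaluating each view separately.

```python
import ipaddress
import re

BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}
# Address-match-list clauses; the first three decide who may recurse.
MATCH_CLAUSES = ["allow-recursion", "allow-query-cache", "allow-query",
                 "allow-transfer", "match-clients", "match-destinations"]

# Constructed sample, not the page's file: the view uses an undefined ACL name.
SAMPLE = """
acl naver-networks-local { 10.0.0.0/8; 192.168.0.0/16; };
options {
    allow-query    { localhost; naver-networks-local; };
    recursion yes;   // limited by allow-query above
};
view "internal" {
    match-clients { localhost; typo-networks-local; };  /* never defined */
};
"""

def strip_comments(text):
    """Drop /* */, // and # comments (comment markers inside quotes are not handled)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def is_address(elem):
    try:
        ipaddress.ip_network(elem, strict=False)  # IP address or CIDR prefix
        return True
    except ValueError:
        return False

def audit(conf_text):
    """Return (undefined ACL names, recursion open to 'any'); clauses pooled file-wide."""
    text = strip_comments(conf_text)
    defined = set(re.findall(r'\bacl\s+"?([\w.-]+)"?\s*\{', text))
    used = {}  # clause name -> names (not addresses or keys) found in its list
    pattern = r"(?<![\w-])(%s)\s*\{([^{}]*)\}" % "|".join(MATCH_CLAUSES)
    for clause, body in re.findall(pattern, text):
        elems = (e.strip().lstrip("! ").strip('"') for e in body.split(";"))
        used.setdefault(clause, set()).update(
            e for e in elems if e and not e.startswith("key ") and not is_address(e))
    undefined = sorted(set().union(*used.values()) - defined - BUILTIN_ACLS)
    recursion_on = re.search(r"\brecursion\s+yes\s*;", text) is not None
    effective = next((used[c] for c in MATCH_CLAUSES[:3] if c in used), set())
    return undefined, recursion_on and "any" in effective

if __name__ == "__main__":
    print(audit(SAMPLE))
```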