[Linux] Installation d’un serveur DNS sur Centos

 

Installation d’un serveur DNS sur une Centos 6.8

 

 

Version de l’OS: Centos 6.8 (minimal version)
Version de Bind: 9.8.2

 

 

Pré requis:

Voir l’article Préparation d’une machine Centos 6.x

 

 

Installer le paquet

$ sudo yum install bind

 

Éditer et configurer le fichier named.conf
/!\ Toujours faire une sauvegarde avant modification

$ sudo vim /etc/named.conf

 //
 // named.conf
 //
 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 // server as a caching only nameserver (as a localhost DNS resolver only).
 //
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //

options {
         listen-on port 53 { 127.0.0.1; 192.168.3.150; }; <--- Ajouter l'IP du serveur
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost; 192.168.3.0/24; }; <--- Ajouter la plage d'IP local
         recursion yes;

        forwarders {
                 212.27.40.240;  <--- Ajouter le dns primaire
                 212.27.40.241;  <--- Ajouter le dns secondaire
         };

        dnssec-enable yes;
         dnssec-validation yes;
         dnssec-lookaside auto;

        /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
 };

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
 };

zone "." IN {
         type hint;
         file "named.ca";
 };

include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";

 

Éditer ensuite le fichier named.rfc1912.zones et modifier les zones

$ sudo vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "domaine.tld" IN {   <--- la zone de recherche direct
 type master;
 file "domaine.tld";   <--- le nom du fichier de zone direct que l'on va crée après
 allow-update { none; };
};

zone "localhost" IN {
 type master;
 file "named.localhost";
 allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
 type master;
 file "named.loopback";
 allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
 type master;
 file "named.loopback";
 allow-update { none; };
};

zone "0.in-addr.arpa" IN {
 type master;
 file "named.empty";
 allow-update { none; };
};

zone "3.168.192.in-addr.arpa" IN { <--- la zone de recherche inversée
 type master;
 file "db.192.168.3"; <--- le nom du fichier de la zone inversé
 allow-update { none; };
};

 

Puis créer le fichier de zone direct, en changer le groupe, puis l’éditer et le compléter.

$ sudo cp /var/named/named.empty /var/named/domaine.tld
$ sudo chgrp named /var/named/domaine.tld
$ sudo vim /var/named/domaine.tld

$TTL 3H
@       IN      SOA     dns.domaine.tld. root.dns.domaine.tld. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       IN      NS      dns.domaine.tld.
@       IN      A       192.168.3.150
dns     IN      A       192.168.3.150
test1   IN      A       192.168.3.151
test2   IN      A       192.168.3.152
test3   IN      A       192.168.3.153
www     IN      CNAME   siteweb.domaine.tld.

 

 

Ensuite créer le fichier de zone indirecte, en changer le groupe, puis l’éditer et le compléter.

$ sudo cp /var/named/named.empty /var/named/db.192.168.3
$ sudo chgrp named /var/named/db.192.168.3
$ sudo vim /var/named/db.192.168.3

$TTL 3H
@       IN      SOA    dns.domaine.tld. root.dns.domaine.tld. (
                 0                      ; serial
                 1D                     ; refresh
                 1H                     ; retry
                 1W                     ; expire
                 3H )                   ; minimum
@       IN      NS      dns.domaine.tld.
@       IN      PTR     domaine.tld.
150     IN      PTR     dns.domaine.tld.
151     IN      PTR     test1.domaine.tld.
152     IN      PTR     test2.domaine.tld.
153     IN      PTR     test3.domaine.tld.

 

/!\ Mettre a jour les 2 fichiers de zones ci dessus.

 

Enfin vérifier que les fichiers de conf du système soit bien a jour

$ sudo vim /etc/hosts

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.150   dns.domaine.tld dns

 

$ sudo vim /etc/resolv.conf

search domaine.tld
nameserver 192.168.3.150

 

$ sudo vim /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
TYPE=Ethernet
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ONBOOT=yes
NM_CONTROLLED=yes   <--- Network Manager doit être définie sur no
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
IPADDR=192.168.3.150
PREFIX=24
GATEWAY=192.168.3.2
DNS1=212.27.40.240   <--- Supprimer le dns, il est maintenant dans les redirecteurs
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"

 

$ cat /etc/sysconfig/network

NETWORKING=yes
HOSTNAME=dns.domaine.tld
GATEWAY=192.168.3.2

 

 

Redémarrer les services réseaux

$ sudo service network restart

 

Démarrer le service DNS

$ sudo service named start

 

Ajouter le service au démarrage du système

$ sudo chkconfig named on

 

Tester le serveur avec la commande nslookup ou dig

$ nslookup domain.local

Server: 192.168.3.150
Address: 192.168.3.150#53
Name: domaine.tld
Address: 192.168.3.150

 

# nslookup dns.domain.local

Server: 192.168.3.150
Address: 192.168.3.150#53
Name: dns.domaine.tld
Address: 192.168.3.150

Pour finir redémarrer le serveur

$ sudo reboot

 

/!\ Penser a ouvrir le port 53 UDP

 

 

---

Troubleshooting

 

 

Problème de résolution avec certains site comme Yahoo

$ sudo tail -f /var/log/messages

Apr 10 03:04:30 dns named[1820]: error (broken trust chain) resolving 'fr.yahoo.com/A/IN': 212.27.40.240#53
Apr 10 03:04:35 dns named[1090]: validating @0x7efca8519c90: com SOA: verify failed due to bad signature (keyid=28259): RRSIG validity period has not begun

 

Dans le log il affiche 3 :04 alors qu’il est 12h04 :/
vérification de la zone géographique

$ sudo vim /etc/sysconfig/clock

ZONE="Europe/Paris"
UTC=true
ARC=false

 

Puis mettre la l’heure a jour avec la commande

# date -s 12:05

 

Tout est OK je resoud bien Yahoo et plus d’erreurs dans les logs.

 

---

Erreur démarrage du service

 

$ sudo service named start
Starting named:              [FAILED]
Error inervice named start
/etc/named.rfc1912.zones:19: missing ';' before 'localhost'
/etc/named.rfc1912.zones:19: unknown option 'localhost'
/etc/named.rfc1912.zones:54: unexpected end of input

Comment perdre 30min a cause d’une guillemet qui manquait dans le fichier named.rfc1912.zones

( ligne 15 file "domaine.tld"; )

 

---

Des erreurs en continu dans le journal /var/log/messages

 

Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc04c4ed0: isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.222.222#53
Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc054e100: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: com SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c1eb0: com SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.222.222#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c4ed0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:26 zero named[2343]: error (no valid RRSIG) resolving 'g.bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure

 

Passer les valeurs de yes a no de dnssec

$ sudo vim /etc/named.conf

dnssec-enable no;  <-- passer la valeur de yes a no
dnssec-validation no; <-- passer la valeur de yes a no
dnssec-lookaside auto;

 

---