[Linux] Installation d'un serveur DNS sur Centos - iZero

Installation d’un serveur DNS sur une Centos 6.8

Version de l’OS: Centos 6.8 (minimal version)
Version de Bind: 9.8.2

Pré requis:

Voir l’article Préparation d’une machine Centos 6.x

Installer le paquet

$ sudo yum install bind

1	$ sudo yum install bind

Éditer et configurer le fichier named.conf
/!\ Toujours faire une sauvegarde avant modification

$ sudo vim /etc/named.conf

1	$ sudo vim /etc/named.conf

 //
 // named.conf
 //
 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 // server as a caching only nameserver (as a localhost DNS resolver only).
 //
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //

options {
         listen-on port 53 { 127.0.0.1; <strong>192.168.3.150</strong>; }; <span style="color: #000080;"><span style="color: #ff0000;"><--- Ajouter l'IP du serveur</span></span>
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost; <strong>192.168.3.0/24</strong>; };<span style="color: #000080;"><span style="color: #ff0000;"> <--- Ajouter la plage d'IP local</span></span>
         recursion yes;

        <strong>forwarders {</strong>
                 <strong>212.27.40.240</strong>;<span style="color: #000080;"> <span style="color: #ff0000;"> <--- Ajouter le dns primaire</span></span>
                 <strong>212.27.40.241</strong>; <span style="color: #000080;"><span style="color: #ff0000;"> <--- Ajouter le dns secondaire</span></span>
         <strong>};</strong>

        dnssec-enable yes;
         dnssec-validation yes;
         dnssec-lookaside auto;

        /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
 };

logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
 };

zone "." IN {
         type hint;
         file "named.ca";
 };

include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";

// named.conf

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

// See /usr/share/doc/bind*/sample/ for example named configuration files.

options {

listen-on port 53 { 127.0.0.1; 192.168.3.150; }; <--- Ajouter l'IP du serveur

listen-on-v6 port 53 { ::1; };

directory "/var/named";

dump-file "/var/named/data/cache_dump.db";

statistics-file "/var/named/data/named_stats.txt";

memstatistics-file "/var/named/data/named_mem_stats.txt";

allow-query { localhost; 192.168.3.0/24; }; <--- Ajouter la plage d'IP local

recursion yes;

forwarders {

212.27.40.240; <--- Ajouter le dns primaire

212.27.40.241; <--- Ajouter le dns secondaire

};

dnssec-enable yes;

dnssec-validation yes;

dnssec-lookaside auto;

/* Path to ISC DLV key */

bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

};

logging {

channel default_debug {

file "data/named.run";

severity dynamic;

};

zone "." IN {

type hint;

file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";

Éditer ensuite le fichier named.rfc1912.zones et modifier les zones

$ sudo vim /etc/named.rfc1912.zones

1	$ sudo vim /etc/named.rfc1912.zones

// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "<strong>domaine.tld</strong>" IN { <span style="color: #000080;">  <span style="color: #ff0000;"><--- la zone de recherche direct</span></span>
 type master;
 file "<strong>domaine.tld</strong>";  <span style="color: #000080;"> <span style="color: #ff0000;"><--- le nom du fichier de zone direct que l'on va crée après</span></span>
<span style="color: #000000;"> allow-update { none; };
};

zone "localhost" IN {
 type master;
 file "named.localhost";
 allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
 type master;
 file "named.loopback";
 allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
 type master;
 file "named.loopback";
 allow-update { none; };
};

zone "0.in-addr.arpa" IN {
 type master;
 file "named.empty";
 allow-update { none; };
};

</span><span style="color: #000080;"><span style="color: #000000;">zone "<strong>3.168.192.in-addr.arpa</strong>" IN {</span> <span style="color: #ff0000;"><--- la zone de recherche inversée</span></span>
 type master;
 file "<strong>db.192.168.3</strong>";<span style="color: #000080;"> <span style="color: #ff0000;"><--- le nom du fichier de la zone inversé</span></span>
<span style="color: #000000;"> allow-update { none; };
};</span>

// named.rfc1912.zones:

// Provided by Red Hat caching-nameserver package

// ISC BIND named zone configuration for zones recommended by

// RFC 1912 section 4.1 : localhost TLDs and address zones

// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt

// See /usr/share/doc/bind*/sample/ for example named configuration files.

zone "domaine.tld" IN { <--- la zone de recherche direct

type master;

file "domaine.tld"; <--- le nom du fichier de zone direct que l'on va crée après

allow-update { none; };

};

zone "localhost" IN {

type master;

file "named.localhost";

allow-update { none; };

};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

type master;

file "named.loopback";

allow-update { none; };

};

zone "1.0.0.127.in-addr.arpa" IN {

type master;

file "named.loopback";

allow-update { none; };

};

zone "0.in-addr.arpa" IN {

type master;

file "named.empty";

allow-update { none; };

};

zone "3.168.192.in-addr.arpa" IN { <--- la zone de recherche inversée

type master;

file "db.192.168.3"; <--- le nom du fichier de la zone inversé

allow-update { none; };

};

Puis créer le fichier de zone direct, en changer le groupe, puis l’éditer et le compléter.

$ sudo cp /var/named/named.empty /var/named/domaine.tld
$ sudo chgrp named /var/named/domaine.tld
$ sudo vim /var/named/domaine.tld

$ sudo cp /var/named/named.empty /var/named/domaine.tld

$ sudo chgrp named /var/named/domaine.tld

$ sudo vim /var/named/domaine.tld

<span style="color: #000000;">
$TTL 3H
@       IN      SOA     dns.domaine.tld. root.dns.domaine.tld. (
                        0       ; serial
                        1D      ; refresh
                        1H      ; retry
                        1W      ; expire
                        3H )    ; minimum
@       IN      NS      dns.domaine.tld.
@       IN      A       192.168.3.150
dns     IN      A       192.168.3.150
test1   IN      A       192.168.3.151
test2   IN      A       192.168.3.152
test3   IN      A       192.168.3.153
www     IN      CNAME   siteweb.domaine.tld.</span>

$TTL 3H

@ IN SOA dns.domaine.tld. root.dns.domaine.tld. (

0 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

@ IN NS dns.domaine.tld.

@ IN A 192.168.3.150

dns IN A 192.168.3.150

test1 IN A 192.168.3.151

test2 IN A 192.168.3.152

test3 IN A 192.168.3.153

www IN CNAME siteweb.domaine.tld.

Ensuite créer le fichier de zone indirecte, en changer le groupe, puis l’éditer et le compléter.

$ sudo cp /var/named/named.empty /var/named/db.192.168.3
$ sudo chgrp named /var/named/db.192.168.3
$ sudo vim /var/named/db.192.168.3

$ sudo cp /var/named/named.empty /var/named/db.192.168.3

$ sudo chgrp named /var/named/db.192.168.3

$ sudo vim /var/named/db.192.168.3

<span style="color: #000080;"><span style="color: #000000;">$TTL 3H
@       IN      SOA    dns.domaine.tld. root.dns.domaine.tld. (
                 0                      ; serial
                 1D                     ; refresh
                 1H                     ; retry
                 1W                     ; expire
                 3H )                   ; minimum
@       IN      NS      dns.domaine.tld.
@       IN      PTR     domaine.tld.
150     IN      PTR     dns.domaine.tld.
151     IN      PTR     test1.domaine.tld.
152     IN      PTR     test2.domaine.tld.
153     IN      PTR     test3.domaine.tld.
</span>
</span>

$TTL 3H

@ IN SOA dns.domaine.tld. root.dns.domaine.tld. (

0 ; serial

1D ; refresh

1H ; retry

1W ; expire

3H ) ; minimum

@ IN NS dns.domaine.tld.

@ IN PTR domaine.tld.

150 IN PTR dns.domaine.tld.

151 IN PTR test1.domaine.tld.

152 IN PTR test2.domaine.tld.

153 IN PTR test3.domaine.tld.

/!\ Mettre a jour les 2 fichiers de zones ci dessus.

Enfin vérifier que les fichiers de conf du système soit bien a jour

$ sudo vim /etc/hosts

1	$ sudo vim /etc/hosts

<span style="color: #000000;">127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.150   dns.domaine.tld dns</span>

127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4

::1 localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.3.150 dns.domaine.tld dns

$ sudo vim /etc/resolv.conf

1	$ sudo vim /etc/resolv.conf

<span style="color: #000000;">search domaine.tld
nameserver 192.168.3.150</span>

1 2	<span style="color: #000000;">search domaine.tld nameserver 192.168.3.150</span>

$ sudo vim /etc/sysconfig/network-scripts/ifcfg-eth0

1	$ sudo vim /etc/sysconfig/network-scripts/ifcfg-eth0

<span style="color: #000080;"><span style="color: #000000;">DEVICE=eth0
TYPE=Ethernet
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ONBOOT=yes
NM_CONTROLLED=yes</span><span style="color: #ff0000;">   <--- Network Manager doit être définie sur no</span>
<span style="color: #000000;">BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
IPADDR=192.168.3.150
PREFIX=24
GATEWAY=192.168.3.2
DNS1=212.27.40.240</span><span style="color: #ff0000;">   <--- Supprimer le dns, il est maintenant dans les redirecteurs</span>
<span style="color: #000000;">DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"</span></span>

DEVICE=eth0

TYPE=Ethernet

UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

ONBOOT=yes

NM_CONTROLLED=yes <--- Network Manager doit être définie sur no

BOOTPROTO=none

HWADDR=xx:xx:xx:xx:xx:xx

IPADDR=192.168.3.150

PREFIX=24

GATEWAY=192.168.3.2

DNS1=212.27.40.240 <--- Supprimer le dns, il est maintenant dans les redirecteurs

DEFROUTE=yes

IPV4_FAILURE_FATAL=yes

IPV6INIT=no

NAME="System eth0"

$ cat /etc/sysconfig/network

1	$ cat /etc/sysconfig/network

<span style="color: #000000;">NETWORKING=yes
HOSTNAME=dns.domaine.tld
GATEWAY=192.168.3.2</span>

NETWORKING=yes

HOSTNAME=dns.domaine.tld

GATEWAY=192.168.3.2

Redémarrer les services réseaux

$ sudo service network restart

1	$ sudo service network restart

Démarrer le service DNS

$ sudo service named start

1	$ sudo service named start

Ajouter le service au démarrage du système

$ sudo chkconfig named on

1	$ sudo chkconfig named on

Tester le serveur avec la commande nslookup ou dig

$ nslookup domain.local

1	$ nslookup domain.local

Server: 192.168.3.150
Address: 192.168.3.150#53
Name: domaine.tld
Address: 192.168.3.150

Server: 192.168.3.150

Address: 192.168.3.150#53

Name: domaine.tld

Address: 192.168.3.150

# nslookup dns.domain.local

1	# nslookup dns.domain.local

Server: 192.168.3.150
Address: 192.168.3.150#53
Name: dns.domaine.tld
Address: 192.168.3.150

Server: 192.168.3.150

Address: 192.168.3.150#53

Name: dns.domaine.tld

Address: 192.168.3.150

Pour finir redémarrer le serveur

$ sudo reboot

1	$ sudo reboot

/!\ Penser a ouvrir le port 53 UDP

Troubleshooting

Problème de résolution avec certains site comme Yahoo

$ sudo tail -f /var/log/messages

1	$ sudo tail -f /var/log/messages

Apr 10 03:04:30 dns named[1820]: error (broken trust chain) resolving 'fr.yahoo.com/A/IN': 212.27.40.240#53
Apr 10 03:04:35 dns named[1090]: validating @0x7efca8519c90: com SOA: verify failed due to bad signature (keyid=28259): RRSIG validity period has not begun

1 2	Apr 10 03:04:30 dns named[1820]: error (broken trust chain) resolving 'fr.yahoo.com/A/IN': 212.27.40.240#53 Apr 10 03:04:35 dns named[1090]: validating @0x7efca8519c90: com SOA: verify failed due to bad signature (keyid=28259): RRSIG validity period has not begun

Dans le log il affiche 3 :04 alors qu’il est 12h04 :/
vérification de la zone géographique

$ sudo vim /etc/sysconfig/clock

1	$ sudo vim /etc/sysconfig/clock

ZONE="Europe/Paris"
UTC=true
ARC=false

ZONE="Europe/Paris"

UTC=true

ARC=false

Puis mettre la l’heure a jour avec la commande

# date -s 12:05

1	# date -s 12:05

Tout est OK je resoud bien Yahoo et plus d’erreurs dans les logs.

Erreur démarrage du service

$ sudo service named start
Starting named:              [<span style="color: #ff0000;">FAILED</span>]
Error inervice named start
/etc/named.rfc1912.zones:19: missing ';' before 'localhost'
/etc/named.rfc1912.zones:19: unknown option 'localhost'
/etc/named.rfc1912.zones:54: unexpected end of input

$ sudo service named start

Starting named: [FAILED]

Error inervice named start

/etc/named.rfc1912.zones:19: missing ';' before 'localhost'

/etc/named.rfc1912.zones:19: unknown option 'localhost'

/etc/named.rfc1912.zones:54: unexpected end of input

Comment perdre 30min a cause d’une guillemet qui manquait dans le fichier named.rfc1912.zones

( ligne 15 file "domaine.tld<strong><span style="color: #ff0000;">"</span></strong>; )

1	( ligne 15 file "domaine.tld<strong><span style="color: #ff0000;">"</span></strong>; )

Des erreurs en continu dans le journal /var/log/messages

<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.220.220#53</span>
<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc04c4ed0: isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.222.222#53</span>
<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.222.222#53</span>
<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc054e100: dlv.isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.220.220#53</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: com SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.220.220#53</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c1eb0: com SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.222.222#53</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c4ed0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.222.222#53</span>
<span style="color: #808080;">Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure</span>
<span style="color: #808080;">Apr 18 22:01:26 zero named[2343]: error (no valid RRSIG) resolving 'g.bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53</span>
<span style="color: #808080;">Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure</span>

Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.220.220#53

Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc04c4ed0: isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.222.222#53

Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.222.222#53

Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc054e100: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.220.220#53

Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: com SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.220.220#53

Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c1eb0: com SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.222.222#53

Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c4ed0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53

Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.222.222#53

Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure

Apr 18 22:01:26 zero named[2343]: error (no valid RRSIG) resolving 'g.bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53

Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure

Passer les valeurs de yes a no de dnssec

$ sudo vim /etc/named.conf

1	$ sudo vim /etc/named.conf

<span style="color: #000000;">dnssec-enable no;  <-- passer la valeur de yes a no
dnssec-validation no; <-- passer la valeur de yes a no
dnssec-lookaside auto;</span>

dnssec-enable no; <-- passer la valeur de yes a no

dnssec-validation no; <-- passer la valeur de yes a no

dnssec-lookaside auto;

Articles lus : 2 718

No votes yet.

Please wait...

[Linux] Installation d’un serveur DNS sur Centos

Laisser un commentaire Annuler la réponse