Installing a DNS server on CentOS 6.8
OS version: CentOS 6.8 (minimal install)
Bind version: 9.8.2
Prerequisites:
See the article "Préparation d’une machine Centos 6.x" (Preparing a CentOS 6.x machine)
Install the package
$ sudo yum install bind
Edit and configure the named.conf file
/!\ Always make a backup before editing
$ sudo vim /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 192.168.3.150; };    <--- add the server's IP
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.3.0/24; };    <--- add the local IP range
    recursion yes;

    forwarders {
        212.27.40.240;    <--- add the primary DNS
        212.27.40.241;    <--- add the secondary DNS
    };

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
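The two settings that matter most in the block above are `recursion yes` and the `allow-query` list: with recursion enabled and no client restriction, the server answers recursive queries for anyone who can reach port 53, which is what makes a resolver usable as a reflection source. The script below is an added example, not part of the original article or of BIND: it reads the options block shown above (embedded as a constructed sample, with the `<---` margin notes removed, since they are not valid named.conf syntax) using plain regular expressions, so it assumes the one-statement-per-line layout of the stock Red Hat file and a top-level `};` at column 0. It also reports the DNSSEC settings, because the Troubleshooting section at the end turns them off. Before restarting named, `named-checkconf` is the tool that catches syntax errors such as the missing quote described further down.

```python
"""Audit the options{} block of named.conf for an open resolver and for
DNSSEC settings. Added example, not part of the original article: it reads
the options block shown above (embedded below as a constructed sample) with
plain regular expressions, so it assumes the one-statement-per-line layout
of the stock Red Hat file and a top-level '};' at column 0."""
import re

# Constructed sample: the options{} block from the named.conf above, minus the
# '<---' margin notes, which are not valid named.conf syntax.
SAMPLE_NAMED_CONF = """\
options {
    listen-on port 53 { 127.0.0.1; 192.168.3.150; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    allow-query     { localhost; 192.168.3.0/24; };
    recursion yes;
    forwarders {
        212.27.40.240;
        212.27.40.241;
    };
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
};

zone "." IN {
    type hint;
    file "named.ca";
};
"""


def options_block(conf):
    """Text between 'options {' and the next '};' that starts a line."""
    m = re.search(r"^options\s*\{(.*?)^\};", conf, re.S | re.M)
    if not m:
        raise ValueError("no options block found")
    return m.group(1)


def simple_value(opts, name):
    """Value of a one-token statement: 'recursion yes;' -> 'yes', or None."""
    m = re.search(r"^\s*%s\s+(\S+?)\s*;" % re.escape(name), opts, re.M)
    return m.group(1) if m else None


def address_list(opts, name):
    """Entries of an address-list statement: 'allow-query { a; b; };' -> ['a', 'b']."""
    m = re.search(r"^\s*%s\s*\{([^}]*)\}" % re.escape(name), opts, re.M)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def recursion_clients(opts):
    """Who may recurse: allow-recursion, else allow-query-cache, else allow-query
    (the order in which BIND 9 falls back when a statement is absent)."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        entries = address_list(opts, name)
        if entries is not None:
            return name, entries
    return None, None


def audit(conf):
    """Return (severity, message) findings; 'high' means an open resolver."""
    opts = options_block(conf)
    findings = []
    if simple_value(opts, "recursion") == "yes":
        name, clients = recursion_clients(opts)
        if clients is None:
            findings.append(("warn", "recursion yes without allow-query/allow-recursion: "
                                     "BIND defaults decide who may recurse"))
        elif "any" in clients:
            findings.append(("high", "open resolver: recursion yes and %s { any; }" % name))
        else:
            findings.append(("info", "recursion limited by %s to %s" % (name, ", ".join(clients))))
    if simple_value(opts, "dnssec-validation") != "yes":
        findings.append(("warn", "dnssec-validation is not 'yes': forged answers from upstream are accepted"))
    if simple_value(opts, "dnssec-lookaside") == "auto":
        findings.append(("info", "dnssec-lookaside auto: validation also depends on the ISC DLV registry"))
    return findings


def is_open_resolver(conf):
    """True when recursion is on and the effective client list contains 'any'."""
    return any(sev == "high" for sev, _ in audit(conf))


if __name__ == "__main__":
    for sev, msg in audit(SAMPLE_NAMED_CONF):
        print("[%s] %s" % (sev, msg))
```

On the article's configuration the only finding is the informational one about `dnssec-lookaside auto`; changing the `allow-query` list to `{ any; }` turns the same file into an open resolver and the audit reports it as high.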
Then edit the named.rfc1912.zones file and modify the zones
$ sudo vim /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

zone "domaine.tld" IN {    <--- the forward lookup zone
    type master;
    file "domaine.tld";    <--- the name of the forward zone file, created further down
    allow-update { none; };
};

zone "localhost" IN {
    type master;
    file "named.localhost";
    allow-update { none; };
};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "1.0.0.127.in-addr.arpa" IN {
    type master;
    file "named.loopback";
    allow-update { none; };
};

zone "0.in-addr.arpa" IN {
    type master;
    file "named.empty";
    allow-update { none; };
};

zone "3.168.192.in-addr.arpa" IN {    <--- the reverse lookup zone
    type master;
    file "db.192.168.3";    <--- the name of the reverse zone file
    allow-update { none; };
};
Then create the forward zone file, change its group, then edit and fill it in.
$ sudo cp /var/named/named.empty /var/named/domaine.tld
$ sudo chgrp named /var/named/domaine.tld
$ sudo vim /var/named/domaine.tld
$TTL 3H
@ IN SOA dns.domaine.tld. root.dns.domaine.tld. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.domaine.tld.
@ IN A 192.168.3.150
dns IN A 192.168.3.150
test1 IN A 192.168.3.151
test2 IN A 192.168.3.152
test3 IN A 192.168.3.153
www IN CNAME siteweb.domaine.tld.
Next create the reverse zone file, change its group, then edit and fill it in.
$ sudo cp /var/named/named.empty /var/named/db.192.168.3
$ sudo chgrp named /var/named/db.192.168.3
$ sudo vim /var/named/db.192.168.3
$TTL 3H
@ IN SOA dns.domaine.tld. root.dns.domaine.tld. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
@ IN NS dns.domaine.tld.
@ IN PTR domaine.tld.
150 IN PTR dns.domaine.tld.
151 IN PTR test1.domaine.tld.
152 IN PTR test2.domaine.tld.
153 IN PTR test3.domaine.tld.
/!\ Update both zone files above.
Finally, check that the system configuration files are up to date
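Keeping the forward and reverse files in step by hand is exactly where zone files drift: an A record gets added, the PTR does not, and reverse lookups start naming the wrong host. The script below is an added example, not part of the original article or of BIND: it parses both zone files as shown above (embedded as constructed samples with the same records) with a minimal parser that understands `$TTL`, `;` comments, the parenthesised SOA and relative owner names, which is all these two files use, then checks that every A record has a PTR pointing back at a name that carries that address, that every PTR target has a matching A record, and that no in-zone CNAME points at a name the zone never defines. Run on the article's own files it reports one thing: `www` is a CNAME to `siteweb.domaine.tld`, and no record defines `siteweb`.

```python
"""Cross-check a forward zone against its reverse zone. Added example, not
part of the original article; the parser only covers the constructs these
two files use ($TTL, ';' comments, a parenthesised SOA, relative owners)."""
import ipaddress
import re

FORWARD_ORIGIN = "domaine.tld."
REVERSE_ORIGIN = "3.168.192.in-addr.arpa."

# Constructed sample: the forward zone file shown above.
FORWARD_ZONE = """\
$TTL 3H
@       IN SOA  dns.domaine.tld. root.dns.domaine.tld. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   dns.domaine.tld.
@       IN A    192.168.3.150
dns     IN A    192.168.3.150
test1   IN A    192.168.3.151
test2   IN A    192.168.3.152
test3   IN A    192.168.3.153
www     IN CNAME siteweb.domaine.tld.
"""

# Constructed sample: the reverse zone file shown above.
REVERSE_ZONE = """\
$TTL 3H
@       IN SOA  dns.domaine.tld. root.dns.domaine.tld. (
                0       ; serial
                1D      ; refresh
                1H      ; retry
                1W      ; expire
                3H )    ; minimum
@       IN NS   dns.domaine.tld.
@       IN PTR  domaine.tld.
150     IN PTR  dns.domaine.tld.
151     IN PTR  test1.domaine.tld.
152     IN PTR  test2.domaine.tld.
153     IN PTR  test3.domaine.tld.
"""


def parse_zone(text, origin):
    """Return (soa_serial, [(owner_fqdn, type, rdata_fields), ...])."""
    lines = [l.split(";", 1)[0].rstrip() for l in text.splitlines()]
    joined = "\n".join(l for l in lines if l.strip())
    # fold a parenthesised record (the SOA) onto one logical line
    joined = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), joined)
    serial, records = None, []
    for line in joined.splitlines():
        if line.startswith("$"):          # $TTL and other directives
            continue
        fields = line.split()
        owner = fields[0]
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = "%s.%s" % (owner, origin)
        if fields[1].upper() == "IN":     # the class is optional
            del fields[1]
        rtype, rdata = fields[1].upper(), fields[2:]
        if rtype == "SOA":
            serial = int(rdata[2])
        records.append((owner.rstrip("."), rtype, rdata))
    return serial, records


def ip_from_ptr_owner(owner):
    """'150.3.168.192.in-addr.arpa' -> '192.168.3.150'; None for non-address owners."""
    suffix = ".in-addr.arpa"
    if not owner.endswith(suffix):
        return None
    octets = owner[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return None
    return ".".join(reversed(octets))


def check_zones(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return both serials and a list of forward/reverse mismatches and dangling CNAMEs."""
    fwd_serial, fwd = parse_zone(fwd_text, fwd_origin)
    rev_serial, rev = parse_zone(rev_text, rev_origin)
    problems = []
    owners = {owner for owner, _, _ in fwd}
    a_by_owner = {}                                   # fqdn -> set of IPv4 addresses
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_owner.setdefault(owner, set()).add(rdata[0])
    ptr_by_owner = {owner: rdata[0].rstrip(".") for owner, rtype, rdata in rev if rtype == "PTR"}

    # forward -> reverse: each address needs a PTR whose target carries that address
    for owner, ips in a_by_owner.items():
        for ip in ips:
            target = ptr_by_owner.get(ipaddress.ip_address(ip).reverse_pointer)
            if target is None:
                problems.append("A %s -> %s has no PTR in %s" % (owner, ip, rev_origin))
            elif ip not in a_by_owner.get(target, ()):
                problems.append("PTR for %s names %s, which has no A record for it" % (ip, target))
    # reverse -> forward: each PTR target needs an A record with that address
    for owner, target in ptr_by_owner.items():
        ip = ip_from_ptr_owner(owner)
        if ip is not None and ip not in a_by_owner.get(target, ()):
            problems.append("PTR %s -> %s has no matching A record" % (ip, target))
    # dangling in-zone CNAME: the target must be defined somewhere in the forward zone
    zone = fwd_origin.rstrip(".")
    for owner, rtype, rdata in fwd:
        target = rdata[0].rstrip(".")
        in_zone = target == zone or target.endswith("." + zone)
        if rtype == "CNAME" and in_zone and target not in owners:
            problems.append("CNAME %s -> %s: no record defines the target" % (owner, target))
    return {"forward_serial": fwd_serial, "reverse_serial": rev_serial, "problems": problems}


if __name__ == "__main__":
    report = check_zones(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
    print("serials: forward=%s reverse=%s" % (report["forward_serial"], report["reverse_serial"]))
    for line in report["problems"]:
        print(line)
```

The report also returns both SOA serials (0 in the files above) so the check can be wired into whatever bumps them; named only notices a changed zone file on reload when the serial has gone up.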
$ sudo vim /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.3.150 dns.domaine.tld dns
$ sudo vim /etc/resolv.conf
search domaine.tld
nameserver 192.168.3.150
$ sudo vim /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
TYPE=Ethernet
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
ONBOOT=yes
NM_CONTROLLED=yes <--- Network Manager must be set to no
BOOTPROTO=none
HWADDR=xx:xx:xx:xx:xx:xx
IPADDR=192.168.3.150
PREFIX=24
GATEWAY=192.168.3.2
DNS1=212.27.40.240 <--- remove this DNS entry; it is now in the forwarders
DEFROUTE=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System eth0"
$ cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=dns.domaine.tld
GATEWAY=192.168.3.2
Restart the network services
$ sudo service network restart
Start the DNS service
$ sudo service named start
Add the service to system startup
$ sudo chkconfig named on
Test the server with the nslookup or dig command
$ nslookup domaine.tld
Server:         192.168.3.150
Address:        192.168.3.150#53

Name:   domaine.tld
Address: 192.168.3.150
$ nslookup dns.domaine.tld
Server:         192.168.3.150
Address:        192.168.3.150#53

Name:   dns.domaine.tld
Address: 192.168.3.150
Finally, reboot the server
$ sudo reboot
/!\ Remember to open port 53 UDP
Troubleshooting
Resolution problems with some sites such as Yahoo
$ sudo tail -f /var/log/messages
Apr 10 03:04:30 dns named[1820]: error (broken trust chain) resolving 'fr.yahoo.com/A/IN': 212.27.40.240#53
Apr 10 03:04:35 dns named[1090]: validating @0x7efca8519c90: com SOA: verify failed due to bad signature (keyid=28259): RRSIG validity period has not begun
The log shows 3:04 when it is actually 12:04 :/
Checking the time zone
$ sudo vim /etc/sysconfig/clock
ZONE="Europe/Paris"
UTC=true
ARC=false
Then set the time with the command
# date -s 12:05
Everything is OK, Yahoo now resolves correctly and there are no more errors in the logs.
Service startup error
$ sudo service named start
Starting named: [FAILED]
Error in service named start
/etc/named.rfc1912.zones:19: missing ';' before 'localhost'
/etc/named.rfc1912.zones:19: unknown option 'localhost'
/etc/named.rfc1912.zones:54: unexpected end of input
How to lose 30 minutes because of a missing quotation mark in the named.rfc1912.zones file
(line 15: file "domaine.tld";)
Continuous errors in the /var/log/messages journal
Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc04c4ed0: isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.222.222#53
Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc054e100: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: com SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c1eb0: com SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.222.222#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc04c4ed0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:25 zero named[2343]: validating @0x7f5cc053bee0: dlv.isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com.dlv.isc.org/DS/IN': 208.67.222.222#53
Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:26 zero named[2343]: error (no valid RRSIG) resolving 'g.bing.com.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:26 zero named[2343]: validating @0x7f5cc04c1eb0: isc.org SOA: got insecure response; parent indicates it should be secure
Change the dnssec values from yes to no
$ sudo vim /etc/named.conf
dnssec-enable no; <-- change the value from yes to no
dnssec-validation no; <-- change the value from yes to no
dnssec-lookaside auto;
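The two troubleshooting cases above are different failures that look alike in the log. The Yahoo case is clock skew: `RRSIG validity period has not begun` means the validator's clock was three hours behind, and fixing the time fixed the lookups. The second case is entirely about `dlv.isc.org`, which is what `dnssec-lookaside auto` consults; the ISC DLV registry is no longer operated, so the `dnssec-lookaside` line is the one to drop, which leaves `dnssec-validation yes` in place and keeps forged answers from the forwarders detectable. The script below is an added example, not part of the original article or of BIND: it parses the named lines from both log excerpts (embedded as a constructed sample, plus one labelled filler line) and groups them by probable cause, with a per-upstream-server count so a single bad forwarder stands out.

```python
"""Classify the DNSSEC validation errors named writes to /var/log/messages.
Added example, not part of the original article: the message families and the
advice attached to them are this script's own mapping."""
import re
from collections import Counter

# Constructed sample: lines copied from the excerpts above, plus one filler line.
SAMPLE_LOG = """\
Apr 10 03:04:30 dns named[1820]: error (broken trust chain) resolving 'fr.yahoo.com/A/IN': 212.27.40.240#53
Apr 10 03:04:35 dns named[1090]: validating @0x7efca8519c90: com SOA: verify failed due to bad signature (keyid=28259): RRSIG validity period has not begun
Apr 18 22:01:18 zero named[2343]: error (no valid RRSIG) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DS/IN': 208.67.220.220#53
Apr 18 22:01:18 zero named[2343]: validating @0x7f5cc04c4ed0: isc.org SOA: got insecure response; parent indicates it should be secure
Apr 18 22:01:18 zero named[2343]: error (insecurity proof failed) resolving 'ctldl.windowsupdate.nsatc.net.dlv.isc.org/DLV/IN': 208.67.222.222#53
Apr 18 22:01:25 zero named[2343]: error (no valid RRSIG) resolving 'bing.com/DS/IN': 208.67.220.220#53
Apr 18 22:01:30 zero named[2343]: constructed filler line to show an unclassified message
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) named\[(?P<pid>\d+)\]: (?P<msg>.*)$")
QNAME_RE = re.compile(r"resolving '(?P<qname>[^']+)'")
SERVER_RE = re.compile(r"(?P<server>\d+\.\d+\.\d+\.\d+)#53")

# Probable cause for each message family, and what to check first.
ADVICE = {
    "clock_skew": "validator clock is outside the RRSIG validity window: check the system "
                  "time and time zone (/etc/sysconfig/clock, date)",
    "dlv_lookaside": "failure inside dlv.isc.org: comes from 'dnssec-lookaside auto'; the "
                     "ISC DLV registry is no longer operated, remove that statement",
    "broken_trust_chain": "a signature check failed somewhere in the chain: usually a "
                          "consequence of clock skew or of a forwarder that strips DNSSEC data",
    "insecure_response": "upstream returned an unsigned answer for a zone the parent marks "
                         "as signed: test the forwarders with 'dig +dnssec'",
    "missing_rrsig": "answer arrived without RRSIG records: same check on the forwarders",
}


def classify(msg):
    """Map one named message to a cause family; 'other' if it is not a validation error."""
    if "RRSIG validity period" in msg:
        return "clock_skew"
    if "dlv.isc.org" in msg or "/DLV/IN" in msg:
        return "dlv_lookaside"
    if "broken trust chain" in msg:
        return "broken_trust_chain"
    if "got insecure response" in msg:
        return "insecure_response"
    if "no valid RRSIG" in msg:
        return "missing_rrsig"
    return "other"


def parse_line(line):
    """Return a dict for a named syslog line, or None for lines from other daemons."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["category"] = classify(rec["msg"])
    q = QNAME_RE.search(rec["msg"])
    s = SERVER_RE.search(rec["msg"])
    rec["qname"] = q.group("qname") if q else None
    rec["server"] = s.group("server") if s else None
    return rec


def summarize(log_text):
    """Count messages per cause and per upstream server, and collect the matching advice."""
    categories, servers = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        categories[rec["category"]] += 1
        if rec["server"]:
            servers[rec["server"]] += 1
    advice = [ADVICE[c] for c in ADVICE if categories[c]]
    return {"categories": categories, "servers": servers, "advice": advice}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for cat, n in report["categories"].most_common():
        print("%-20s %d" % (cat, n))
    for server, n in report["servers"].most_common():
        print("upstream %-16s %d" % (server, n))
    for hint in report["advice"]:
        print("-", hint)
```

Feeding it the live file (`tail -n 500 /var/log/messages`) instead of the sample is a matter of reading the file into `summarize`; the clock check is cheap to do first, since a skewed clock makes every signed zone look broken at once.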