
RHCE : DNS – Configure a caching-only name server.

DNS dig command rhce-new redhat-new named bind /etc/named.conf named-checkconf command firewall-cmd command nslookup command
https://4am.kr/rhce-dns-configure-a-caching-only-name-server/

RHCE: DNS – Configuring a caching-only name server

This is an RHCE topic. I translated the site referenced above and added some content of my own.

Before you begin

A caching-only name server caches every answer it has obtained for previous queries (resolved recursively, starting from the root DNS servers) and serves repeated queries from that cache.

Configuration

1. Install the bind package.
[root@server2 ~]# yum install -y bind
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package       Arch            Version                  Repository         Size
================================================================================
Installing:
 bind          x86_64          32:9.9.4-14.el7          RHELREPO          1.8 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 1.8 M
Installed size: 4.3 M
Downloading packages:
bind-9.9.4-14.el7.x86_64.rpm                               | 1.8 MB   00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 32:bind-9.9.4-14.el7.x86_64                                  1/1 
  Verifying  : 32:bind-9.9.4-14.el7.x86_64                                  1/1 

Installed:
  bind.x86_64 32:9.9.4-14.el7                                                   

Complete!
[root@server2 ~]# 
2. Open the /etc/named.conf file and change the listen-on option from 127.0.0.1 to any, and the allow-query option from localhost to any.
[root@server2 ~]# vim /etc/named.conf 
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        //listen-on port 53 { 127.0.0.1; };
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        //allow-query     { localhost; };
        allow-query     { any; };

        /* 
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
[root@server2 ~]# 
3. In the same file, change the dnssec-validation option from yes to no, as shown below.
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification 
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface 
        */
        recursion yes;

        dnssec-enable yes;
        //dnssec-validation yes;
        dnssec-validation no;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

4. Check the configuration file.
[root@server2 ~]# named-checkconf 
[root@server2 ~]# 
5. Add the new service to the firewall configuration and reload the firewall.
[root@server2 ~]# firewall-cmd --permanent --add-service=dns
success
[root@server2 ~]# firewall-cmd --reload 
success
[root@server2 ~]# 
6. Enable the DNS service at boot and start it.
[root@server2 ~]# systemctl enable named && systemctl start named
ln -s '/usr/lib/systemd/system/named.service' '/etc/systemd/system/multi-user.target.wants/named.service'
[root@server2 ~]# 
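Steps 2 to 4 as one scripted pass, added here as an example and not code from the original post. It applies the same three edits with sed to whatever file it is given and then adds the check a practitioner would want: the stock file's own comment (quoted in step 3) warns that a recursive server answering any client becomes part of DNS amplification attacks, and after step 2 this server answers any client. The `audit_open_resolver` function detects that condition, and `restrict_recursion` inserts a BIND `allow-recursion` list (a real BIND option, though the post does not use it) so that only the named client networks get recursion. The sed also reproduces step 3's `dnssec-validation no`; outside the exercise, leave validation on, since the resolver otherwise caches and hands out answers it never validated. The sample configuration written by `write_sample_conf`, the `--demo` switch and the function names are this example's own constructions.

```shell
#!/bin/sh
# Added example, not from the original post: script steps 2-4 of the post
# and audit the result for the open-resolver condition the stock file's
# comment warns about. The target file is passed as an argument; the sample
# written by write_sample_conf is constructed for a dry run.

# Constructed options block mirroring the stock RHEL 7 /etc/named.conf.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        allow-query     { localhost; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
EOF
}

# Steps 2 and 3: listen on every address, answer any client, and (as the
# post does) switch DNSSEC validation off. The patterns anchor on the first
# non-blank characters, so commented-out "//" lines are left untouched.
# Rewrites via a temp file so it works with both GNU and BSD sed.
apply_caching_resolver_settings() {
    file=$1
    sed -e 's/^\([[:space:]]*listen-on port 53\)[[:space:]]*{ 127\.0\.0\.1; };/\1 { any; };/' \
        -e 's/^\([[:space:]]*allow-query\)[[:space:]]*{ localhost; };/\1 { any; };/' \
        -e 's/^\([[:space:]]*dnssec-validation\)[[:space:]]*yes;/\1 no;/' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Defender's check: "recursion yes" plus "allow-query { any; }" with no
# allow-recursion restriction describes an open resolver. Returns 0 (true)
# when the file is in that state and prints a warning on stderr.
audit_open_resolver() {
    file=$1
    grep -Eq '^[[:space:]]*recursion[[:space:]]+yes;' "$file" || return 1
    grep -Eq '^[[:space:]]*allow-query[[:space:]]*[{][[:space:]]*any;' "$file" || return 1
    if grep -Eq '^[[:space:]]*allow-recursion[[:space:]]*[{]' "$file"; then
        return 1
    fi
    echo "WARNING: $file: recursion is open to any client (no allow-recursion)" >&2
    return 0
}

# Mitigation: insert an allow-recursion list right after "recursion yes;".
# NETS is a ;-separated BIND address-match list, e.g. "localhost; localnets".
restrict_recursion() {
    file=$1; nets=$2
    awk -v nets="$nets" '
        { print }
        /^[[:space:]]*recursion[[:space:]]+yes;/ {
            match($0, /^[[:space:]]*/)
            printf "%sallow-recursion { %s; };\n", substr($0, 1, RLENGTH), nets
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Step 4: syntax check, when BIND's checker is installed on this host.
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed; skipping syntax check" >&2
    fi
}

# Dry run on a constructed copy. On a real host point the functions at
# /etc/named.conf and follow with firewall-cmd and systemctl as in steps 5-6.
demo() {
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    apply_caching_resolver_settings "$tmp"
    audit_open_resolver "$tmp" && restrict_recursion "$tmp" "localhost; localnets"
    check_conf "$tmp"
    cat "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh script.sh --demo` to see the rewritten block on a throwaway copy; the audit fires right after the step 2 edits and goes quiet once the `allow-recursion` line is in place.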

Testing

Test it as follows.
[root@server2 ~]# nslookup 4am.kr 127.0.0.1
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	4am.kr
Address: 104.27.131.171
Name:	4am.kr
Address: 104.27.130.171

[root@server2 ~]# dig @127.0.0.1 4am.kr

; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @127.0.0.1 4am.kr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23565
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;4am.kr.				IN	A

;; ANSWER SECTION:
4am.kr.			279	IN	A	104.27.131.171
4am.kr.			279	IN	A	104.27.130.171

;; AUTHORITY SECTION:
4am.kr.			86379	IN	NS	tina.ns.cloudflare.com.
4am.kr.			86379	IN	NS	jay.ns.cloudflare.com.

;; ADDITIONAL SECTION:
jay.ns.cloudflare.com.	86379	IN	A	173.245.59.123
jay.ns.cloudflare.com.	86379	IN	AAAA	2400:cb00:2049:1::adf5:3b7b
tina.ns.cloudflare.com.	86379	IN	A	173.245.58.230
tina.ns.cloudflare.com.	86379	IN	AAAA	2400:cb00:2049:1::adf5:3ae6

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: 수  5월 04 16:01:36 KST 2016
;; MSG SIZE  rcvd: 209

[root@server2 ~]# 
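To make the test step repeatable rather than read by eye, here is an added example (not from the original post) that parses saved `dig` output and checks what the post's run shows: `status: NOERROR`, the `ra` flag (the server performs recursion for this client), a populated ANSWER section with a TTL, and, as a consequence of step 3, no `ad` flag, meaning the cached answer was not DNSSEC-validated. Running the query twice and comparing TTLs confirms the caching itself: a cached answer comes back with a TTL that has counted down from the first response. The sample written by `write_sample_dig` is constructed from the post's own dig run, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: read the output of
# `dig @127.0.0.1 NAME` from a file and report whether the caching server
# recursed, answered, and validated. The sample below is constructed from
# the post's dig run; for real use: dig @127.0.0.1 example.com > out.txt

write_sample_dig() {
    cat > "$1" <<'EOF'
; <<>> DiG 9.9.4-RedHat-9.9.4-14.el7 <<>> @127.0.0.1 4am.kr
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23565
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5

;; QUESTION SECTION:
;4am.kr.                IN      A

;; ANSWER SECTION:
4am.kr.                 279     IN      A       104.27.131.171
4am.kr.                 279     IN      A       104.27.130.171

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
EOF
}

# RCODE from the header line, e.g. NOERROR, SERVFAIL, REFUSED.
dig_status() {
    sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' "$1"
}

# Header flags as a space-separated list, e.g. "qr rd ra".
dig_flags() {
    sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' "$1"
}

# True when FLAG ($2) appears in the flag list of dig output file $1.
dig_has_flag() {
    case " $(dig_flags "$1") " in
        *" $2 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# TTL of the first record in the ANSWER section (empty when there is none).
dig_answer_ttl() {
    awk '/^;; ANSWER SECTION:/ { in_ans = 1; next }
         in_ans && /^;;/     { exit }
         in_ans && NF >= 5   { print $2; exit }' "$1"
}

# Returns 0 when the server resolved the name: NOERROR, the "ra" flag
# (recursion available, i.e. the server acts as a recursive resolver for
# this client) and at least one answer record. A missing "ad" flag is what
# step 3 (dnssec-validation no) produces: the data being cached was not
# validated, so it is reported as a note.
assess_dig() {
    f=$1
    status=$(dig_status "$f")
    if [ "$status" != "NOERROR" ]; then
        echo "FAIL: status $status" >&2; return 1
    fi
    if ! dig_has_flag "$f" ra; then
        echo "FAIL: no 'ra' flag, server does not recurse for this client" >&2; return 1
    fi
    ttl=$(dig_answer_ttl "$f")
    if [ -z "$ttl" ]; then
        echo "FAIL: NOERROR but empty answer section" >&2; return 1
    fi
    if ! dig_has_flag "$f" ad; then
        echo "NOTE: answer not DNSSEC-validated (no 'ad' flag)" >&2
    fi
    echo "OK: recursive answer, TTL $ttl"
    return 0
}

# Cache check over two saved runs of the same query: a cached answer has a
# strictly lower TTL than the earlier response (wait a second between runs
# so the TTL has ticked), while a fresh upstream fetch returns the full TTL.
ttl_shows_cache_hit() {
    first=$(dig_answer_ttl "$1"); second=$(dig_answer_ttl "$2")
    [ -n "$first" ] && [ -n "$second" ] && [ "$second" -lt "$first" ]
}
```

Typical use on the server from the post: `dig @127.0.0.1 4am.kr > run1.txt; sleep 2; dig @127.0.0.1 4am.kr > run2.txt; assess_dig run1.txt && ttl_shows_cache_hit run1.txt run2.txt && echo cached`.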

Additional resources