Instalación de servidores dns BIND9 (2ª Parte)
Instalación de un servidor esclavo no autoritativo.
Para realizar esto solo debemos de situarnos en otra distro ubuntu 12.04 server que hayamos instalado para ello. Una vez actualizado el sistema e instalado BIND9, modificamos "dnssec-validation" a no de momento.
cd /etc/bind/
vim named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { any; };
dnssec-validation no;
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
//========================================================================
// If BIND logs error messages about the root key being expired,
// you will need to update your keys. See https://www.isc.org/bind-keys
//========================================================================
auth-nxdomain no; # conform to RFC1035
//listen-on-v6 { any; };
dnssec-validation no;
};
Creamos las zonas, en este caso las dos que creamos con anterioridad en el master de la siguiente manera:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "miempresa.com" {
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "miempresa.com" {
type slave; -> Debe ser de tipo slave
file "db.miempresa.com"; -> Por defecto se guarda en /var/cache/bind
masters { 192.168.1.6; }; -> Indica cuál o cuáles son los masters
};
zone "1.168.192.in-addr.arpa" {
type slave;
file "db.192";
masters { 192.168.1.6; };
};
Reiniciamos BIND9 y listo.
Syslog debe devolver datos relativos a la primera transferencia de zonas. Si realizamos dig a nuestro dominio hemos de recibir lo siguiente:
root@server1:/etc/bind# dig miempresa.com
; <<>> DiG 9.8.1-P1 <<>> miempresa.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29364
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;miempresa.com. IN A
;; ANSWER SECTION:
miempresa.com. 604800 IN A 192.168.1.6
;; AUTHORITY SECTION:
miempresa.com. 604800 IN NS server.miempresa.com.
;; ADDITIONAL SECTION:
server.miempresa.com. 604800 IN A 192.168.1.6
;; Query time: 4 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Fri Nov 2 16:50:02 2012
;; MSG SIZE rcvd: 84
root@server1:/etc/bind#
; <<>> DiG 9.8.1-P1 <<>> miempresa.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29364
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;miempresa.com. IN A
;; ANSWER SECTION:
miempresa.com. 604800 IN A 192.168.1.6
;; AUTHORITY SECTION:
miempresa.com. 604800 IN NS server.miempresa.com.
;; ADDITIONAL SECTION:
server.miempresa.com. 604800 IN A 192.168.1.6
;; Query time: 4 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Fri Nov 2 16:50:02 2012
;; MSG SIZE rcvd: 84
root@server1:/etc/bind#
Donde el texto resaltado en naranja indica que la respuesta es AUTORIZADA por nuestro server master (192.168.1.6) y el texto resaltado en rojo muestra desde que servidor se ha realizado la petición dns; el servidor esclavo.
root@server1:/etc/bind# dig -x 192.168.1.6
; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 604800 IN PTR server.miempresa.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 604800 IN NS server.
;; Query time: 4 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Fri Nov 2 16:57:44 2012
;; MSG SIZE rcvd: 96
root@server1:/etc/bind#
; <<>> DiG 9.8.1-P1 <<>> -x 192.168.1.6
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38540
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;6.1.168.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
6.1.168.192.in-addr.arpa. 604800 IN PTR server.miempresa.com.
;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 604800 IN NS server.
;; Query time: 4 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Fri Nov 2 16:57:44 2012
;; MSG SIZE rcvd: 96
root@server1:/etc/bind#
Lo mismo para la zona inversa.
No hay comentarios:
Publicar un comentario