IN QUESTA GUIDA VEDREMO COME CREARE 2 DNS SERVER 1 MASTER ED 1 SLAVE CENTOS 6 BIND9 CON UNA ZONA DIRETTA

-SELINUX OVVIAMENTE IN ENFORCING
-I DNS SERVER FARANNO DA FORWARD SU DNS ESTERNI E GESTIRANO UNA ZONA DIRETTA DOMAIN.LOCAL
-HO UTILIZZATO IL PACCHETTO CHROOT PER MIGLIORARE LA SICUREZZA QUINDI LA DIRECTORY DI LAVORO E' /var/named/chroot
-IL PACCHETTO "caching-nameserver" E' GIA INCLUSO NELLE ULTIME RELEASE DI BIND9
-QUESTI DNS SERVER SONO CACHING-NAMESERVER CON FORWARD SU DNS ESTERNI NEL MIO CASO HO ULTIZZATO I DNS GOOGLE

IN QUESTA GUIDA USEREMO COME ESEMPIO DNS1.DOMAIN.LOCAL IP 192.168.100.1 E DNS2.DOMAIN.LOCAL IP 192.168.100.2

____________________________________________________________________________________________________________________________________

Pacchetti necessari

#yum install bind bind*
____________________________________________________________________________________________________________________________________

Importante controllare link

la directory di lavoro è /var/named/chroot

ma controllate che in /etc esisteno 2 link

named.conf /var/named/chroot/etc/named.conf

rndc.key /var/named/chroot/etc/rndc.key

se non vi sono create 2 link simoblici ln -s
____________________________________________________________________________________________________________________________________
Diamo un occhio anche hai file

#vi /etc/resolv.conf

search domain.local
nameserver 127.0.0.1

#vi /etc/sysconfig/network-scripts/ifcfg-eth0

DNS1="127.0.0.1"
____________________________________________________________________________________________________________________________________

Configuriamo il firewall

#vi /etc/sysconfig/iptables

#DNS
-A INPUT -i eth0 -s 192.168.100.0/24 -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -s 192.168.100.0/24 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

#service iptables restart
____________________________________________________________________________________________________________________________________

Generiamo chiave rndc.key sul server DNS1

#rndc-confgen -a -b 256 -k rndc-key -t /var/named/chroot

Diamo permessi al file

#chmod 0644 /var/named/chroot/etc/rndc.key

diamo un occhiata a /etc/rndc.key

key "rndc-key" {
        algorithm hmac-md5;
        secret "rK8cVSuJZjIU5c8WeCoAjA/mWczQD/iuZUgw+xhK+8k=";
};
#options {
#       default-key "rndc-key";
#       default-server 127.0.0.1;
#       default-port 953;
#};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "xwfNFdjpDIPCZjmofjXFUQ==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };

questo file va copiato in maniera identica su DNS2
____________________________________________________________________________________________________________________________________

Ora configuriamo il file named.conf

#vi /etc/named.conf

file named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key";  //includiamo il file rndc.key
acl lan {                      //creiamo un acl dove inseriamo la nostra lan
        192.168.100.0/24;
        127.0.0.1;
};
controls {
        inet 127.0.0.1 port 953
        allow { lan; } keys { "rndc-key"; };
};
options {
        listen-on port 53 { lan; };
        listen-on-v6 port 53 { none; };
        max-cache-size    512M;
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { lan; };
        allow-query-cache { lan; };
        allow-transfer  { lan; }; //abilitamo il trasferimento agli ip della lan in alternativa si poteva inserire l'ip del dns2
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; }; //io ho usato dns google
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "domain.local" {
        type master;
        file "data/lan.zone"; //il percorso di questo file sara /var/named/chroot/var/named/data/lan.zone
        notify yes;
        allow-update {none;};
};

include "/etc/named.rfc1912.zones";
____________________________________________________________________________________________________________________________________

a questo punto creiamo la nostra zona

file lan.zone

#vi /var/named/chroot/var/named/data/lan.zone

$ORIGIN domain.local.
$TTL 1D
@       IN      SOA     dns1.domain.local. root.dns1.domain.local. (
        1    ; Serial
        1M   ; Refresh
        2H   ; Retry
        4W   ; Expire
        1D ) ; Default TTL
;
@               IN  MX  10      dns1.domain.local.
@               IN  NS          dns1.domain.local.
@               IN  A           192.168.100.1

pdc             IN  A           192.168.100.xxx
mail            IN  A           192.168.100.xxx
proxy           IN  A           192.168.100.xxx
firewall        IN  A           192.168.100.xxx
localhost       IN  A           127.0.0.1

dns1        IN  CNAME   xxx
dns2        IN  CNAME   xxx
gateway     IN  CNAME   firewall

ovviamente personalizzate il file in base alla vostra lan
____________________________________________________________________________________________________________________________________

Avviamo bind

#service named start

#chkconfig named on

____________________________________________________________________________________________________________________________________

Andiamo su DNS2

Ovviamente come su DNS1

Installiamo bind
controlliamo i link
controlliamo i file ifcfg-eth0 e resolv.conf
apriamo iptables
copiamo rndc.key uguale al DNS1
____________________________________________________________________________________________________________________________________

Configuraimo il file named.conf

file named.conf server dns2

#vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
include "/etc/rndc.key";
acl lan {
        192.168.100.0/24;
        127.0.0.1;
};
controls {
        inet 127.0.0.1 port 953
        allow { lan; } keys { "rndc-key"; };
};
options {
        listen-on port 53 { lan; };
        listen-on-v6 port 53 { none; };
        max-cache-size    512M;
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { lan; };
        recursion yes;
        forwarders { 8.8.8.8; 8.8.4.4; };
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "domain.local" {
        type slave;
        file "slaves/lan.zone"; // il file si trova /var/named/chroot/var/named/slaves/lan.zone
        masters {192.168.100.1;}; //indichiamo che il master è DNS1
        allow-notify { 192.168.100.1; };
};

include "/etc/named.rfc1912.zones";

____________________________________________________________________________________________________________________________________

Avviamo bind anche su DNS2
 
#service named start

#chkconfig named on

Ora noterete che in /var/named/chroot/var/named/slaves/ si è creato il file lan.zone identico a quello del DNS1

____________________________________________________________________________________________________________________________________