호스트네임 변경
# Rename this VM to "dns" (the RAC nodes query it as their name server later
# on this page). Print the status before and after so the change is visible
# in the transcript.
hostnamectl status
hostnamectl set-hostname dns
hostnamectl status
[root@rac1 ~]# hostnamectl status
Static hostname: rac1
Icon name: computer-vm
Chassis: vm
Machine ID: 5554cd8ab5124283be4afd144783a884
Boot ID: 8075d1f529eb46f88fe2fc7927b8cdb9
Virtualization: kvm
Operating System: Oracle Linux Server 7.6
CPE OS Name: cpe:/o:oracle:linux:7:6:server
Kernel: Linux 4.14.35-1818.3.3.el7uek.x86_64
Architecture: x86-64
[root@rac1 ~]# hostnamectl set-hostname dns
[root@rac1 ~]# hostnamectl status
Static hostname: dns
Icon name: computer-vm
Chassis: vm
Machine ID: 5554cd8ab5124283be4afd144783a884
Boot ID: 8075d1f529eb46f88fe2fc7927b8cdb9
Virtualization: kvm
Operating System: Oracle Linux Server 7.6
CPE OS Name: cpe:/o:oracle:linux:7:6:server
Kernel: Linux 4.14.35-1818.3.3.el7uek.x86_64
Architecture: x86-64
방화벽 중지 (권장하지 않음 — 아래와 같이 DNS 포트만 여는 것이 안전함)
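# The original lab step here was:
#   systemctl stop firewalld; systemctl disable firewalld
# Do not switch the host firewall off to make a name server reachable.
# Open only DNS (the firewalld "dns" service = 53/tcp + 53/udp) and only to
# the subnet that named is allowed to answer (allow-query in named.conf is
# localhost and 10.0.1.0/24), then reload so the permanent rule takes effect.
firewall-cmd --permanent \
  --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" service name="dns" accept'
firewall-cmd --reload

# Confirm the rule is active before moving on.
firewall-cmd --list-rich-rules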
[root@dns ~]# systemctl stop firewalld [root@dns ~]# systemctl disable firewalld
DNS 서비스 패키지 설치
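# Install BIND from the OL 7.6 install media.
# The "NOKEY" warnings in the transcript below mean rpm could NOT verify the
# package signatures (signing key ec551f03 was not imported). Import the
# vendor key first and let rpm -K check every package before installing.
cd "<linux install disc mount path>/Packages"
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-oracle

# NOTE: the original used the glob bind-*.el7.x86_64.rpm, which also matches
# bind-chroot, bind-libs, bind-utils, ... ; bind-9* matches only the bind
# package itself (bind-9.9.4-72.el7.x86_64.rpm in the transcript).
# The install chain only proceeds when the signature check reports OK.
rpm -K python-ply-*.noarch.rpm bind-9*.el7.x86_64.rpm bind-chroot-*.x86_64.rpm \
  && rpm -ivh python-ply-*.noarch.rpm \
  && rpm -ivh bind-9*.el7.x86_64.rpm \
  && rpm -ivh bind-chroot-*.x86_64.rpm
# Only needed if bind-license / bind-utils / bind-libs are not already present:
# rpm -ivh bind-license-*.el7.noarch.rpm
# rpm -Uvh bind-utils-*.x86_64.rpm bind-libs-*.x86_64.rpm

cd
eject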
[root@dns ~]# cd /run/media/root/OL-7.6\ Server.x86_64/Packages [root@dns Packages]# rpm -ivh python-ply-3.4-11.el7.noarch.rpm 경고: python-ply-3.4-11.el7.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY 준비 중... ################################# [100%] Updating / installing... 1:python-ply-3.4-11.el7 ################################# [100%] [root@dns Packages]# rpm -ivh bind-9.9.4-72.el7.x86_64.rpm 경고: bind-9.9.4-72.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY 준비 중... ################################# [100%] Updating / installing... 1:bind-32:9.9.4-72.el7 ################################# [100%] [root@dns Packages]# rpm -ivh bind-chroot-9.9.4-72.el7.x86_64.rpm 경고: bind-chroot-9.9.4-72.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID ec551f03: NOKEY 준비 중... ################################# [100%] Updating / installing... 1:bind-chroot-32:9.9.4-72.el7 ################################# [100%] [root@dns Packages]# cd [root@dns ~]# eject
DNS 서비스 재설정 (named-chroot로 기동)
# Run BIND from the chroot unit shipped by bind-chroot instead of the plain
# "named" unit. The helper script prepares the /var/named/chroot tree.
/usr/libexec/setup-named-chroot.sh /var/named/chroot on

# The two units must not run side by side: retire the plain one first.
systemctl disable named
systemctl stop named

# Make the chroot unit the one that starts at boot, then start it now.
systemctl enable named-chroot
systemctl start named-chroot
[root@dns ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on [root@dns ~]# systemctl stop named [root@dns ~]# systemctl disable named [root@dns ~]# systemctl start named-chroot [root@dns ~]# systemctl enable named-chroot Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
vi /var/named/chroot/etc/named.conf
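// listen-on port 53 { 127.0.0.1; };
listen-on port 53 { 127.0.0.1; 10.0.1.150; };
// allow-query { localhost; };
allow-query { localhost; 10.0.1.0/24; };
// Added: make recursion access explicit instead of relying on BIND's
// implicit "localnets; localhost;" default.
allow-recursion { localhost; 10.0.1.0/24; };
// Added: BIND allows zone transfers (AXFR/IXFR) from any host unless told
// otherwise. There is no secondary server here, so refuse them.
allow-transfer { none; };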
[root@dns ~]# cat /var/named/chroot/etc/named.conf
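//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html
options {
	// Bind only to loopback and the RAC-facing address, never to every interface.
	listen-on port 53 { 127.0.0.1; 10.0.1.150; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file "/var/named/data/named.recursing";
	secroots-file "/var/named/data/named.secroots";
	// Only the lab subnet (and the host itself) may query this server.
	allow-query { localhost; 10.0.1.0/24; };
	// Explicit rather than relying on BIND's implicit "localnets; localhost;"
	// default: the same set of hosts may use this server as a recursive resolver.
	allow-recursion { localhost; 10.0.1.0/24; };
	// BIND permits zone transfers from any host unless told otherwise.
	// No secondary server exists, so refuse AXFR/IXFR entirely.
	allow-transfer { none; };
	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	// This server is both authoritative for "localdomain." and a resolver for
	// the lab nodes; recursion is acceptable only because listen-on,
	// allow-query and allow-recursion above confine it to 10.0.1.0/24.
	recursion yes;
	dnssec-enable yes;
	dnssec-validation yes;
	/* Path to ISC DLV key */
	// NOTE(review): ISC retired the DLV registry; this line is harmless here
	// (no dnssec-lookaside is configured) but provides nothing useful.
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";
	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
// Root hints, used for recursion on behalf of the lab nodes.
zone "." IN {
	type hint;
	file "named.ca";
};
// The lab's forward and reverse zones are added to this file (see below).
include "/etc/named.rfc1912.zones";
// Root trust anchor used by dnssec-validation.
include "/etc/named.root.key";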
vi /var/named/chroot/etc/named.rfc1912.zones
// Forward zone for the private lab domain; rac-scan is defined here.
zone "localdomain." IN {
type master;
file "localdomain.zone";
// Static zone: refuse dynamic (DDNS) updates from everyone.
allow-update { none; };
};
// Reverse zone for 10.0.1.0/24 so the SCAN addresses resolve back to a name.
zone "1.0.10.in-addr.arpa." IN {
type master;
file "1.0.10.in-addr.arpa";
allow-update { none; };
};
[root@dns ~]# cat /var/named/chroot/etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat caching-nameserver package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
// and http://www.ietf.org/internet-drafts/draft-ietf-dnsop-default-local-zones-02.txt
// (c)2007 R W Franks
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// --- Added for the RAC lab: forward zone holding rac-scan. ---
// Static zone; allow-update "none" refuses dynamic (DDNS) updates.
zone "localdomain." IN {
type master;
file "localdomain.zone";
allow-update { none; };
};
// --- Added for the RAC lab: reverse zone for 10.0.1.0/24. ---
zone "1.0.10.in-addr.arpa." IN {
type master;
file "1.0.10.in-addr.arpa";
allow-update { none; };
};
// --- Packaged defaults below are unchanged. ---
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update { none; };
};
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update { none; };
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update { none; };
};
vi /var/named/chroot/var/named/localdomain.zone
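$TTL 86400
; Forward zone for the private "localdomain." used by the RAC lab.
;
; Fix: the original named "localhost" (127.0.0.1) as SOA MNAME and NS, while
; the reverse zone names dns.localdomain. as its NS — a name that had no A
; record anywhere. Both zones now agree on dns.localdomain., and "dns" gets
; the address named listens on (10.0.1.150, from listen-on in named.conf).
; Increment the serial on every edit.
@         IN SOA   dns.localdomain. root.dns.localdomain. (
                   43   ; serial
                   3H   ; refresh
                   15M  ; retry
                   1W   ; expiry
                   1D ) ; minimum (negative-caching TTL)
          IN NS    dns.localdomain.
; The name server itself.
dns       IN A     10.0.1.150
localhost IN A     127.0.0.1
; SCAN name: three A records, returned in rotating order (see the nslookup
; checks at the end of the page).
rac-scan  IN A     10.0.1.191
rac-scan  IN A     10.0.1.192
rac-scan  IN A     10.0.1.193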
vi /var/named/chroot/var/named/1.0.10.in-addr.arpa
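$ORIGIN 1.0.10.in-addr.arpa.
$TTL 1H
; Reverse zone for 10.0.1.0/24.
; Fix: added the PTR for the name server itself (10.0.1.150 is the address
; named listens on and the NS this zone advertises). Serial bumped; increment
; it on every edit.
@    IN SOA dns.localdomain. root.dns.localdomain. ( 3   ; serial
                                                     3H  ; refresh
                                                     1H  ; retry
                                                     1W  ; expiry
                                                     1H ) ; minimum
1.0.10.in-addr.arpa. IN NS dns.localdomain.
; Name server.
150  IN PTR dns.localdomain.
; SCAN addresses all map back to the SCAN name.
191  IN PTR rac-scan.localdomain.
192  IN PTR rac-scan.localdomain.
193  IN PTR rac-scan.localdomain.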
zone 파일 권한 설정 및 서비스 재기동
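# Zone files must be readable by the named user but never writable by it
# (both zones have allow-update "none", so named has no reason to write).
# Match the ownership of the packaged zone files and keep them from being
# world-readable (check ls -l /var/named to compare with the packaged mode).
chown root:named /var/named/chroot/var/named/localdomain.zone
chown root:named /var/named/chroot/var/named/1.0.10.in-addr.arpa
chmod 640 /var/named/chroot/var/named/localdomain.zone \
          /var/named/chroot/var/named/1.0.10.in-addr.arpa

# Validate the config and both zones BEFORE restarting, so a typo does not
# take the resolver down for the RAC nodes. The restart only runs when every
# check passes.
named-checkconf -t /var/named/chroot /etc/named.conf \
  && named-checkzone localdomain /var/named/chroot/var/named/localdomain.zone \
  && named-checkzone 1.0.10.in-addr.arpa /var/named/chroot/var/named/1.0.10.in-addr.arpa \
  && systemctl restart named-chroot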
[root@dns ~]# chown root:named /var/named/chroot/var/named/localdomain.zone [root@dns ~]# chown root:named /var/named/chroot/var/named/1.0.10.in-addr.arpa [root@dns ~]# systemctl restart named-chroot
정상 작동 여부 확인
# Check forward (SCAN name -> three A records) and reverse (each address ->
# SCAN name) resolution. Run the forward lookup more than once: the order of
# the three addresses rotates between answers, as the transcript shows.
# NOTE(review): when run from a RAC node this assumes /etc/resolv.conf already
# points at 10.0.1.150 — that step is not shown on this page.
nslookup rac-scan.localdomain
for addr in 10.0.1.191 10.0.1.192 10.0.1.193; do
  nslookup "$addr"
done
[root@dns ~]# nslookup rac-scan.localdomain Server: 127.0.0.1 Address: 127.0.0.1#53 Name: rac-scan.localdomain Address: 10.0.1.191 Name: rac-scan.localdomain Address: 10.0.1.192 Name: rac-scan.localdomain Address: 10.0.1.193 [root@dns ~]# nslookup rac-scan.localdomain Server: 127.0.0.1 Address: 127.0.0.1#53 Name: rac-scan.localdomain Address: 10.0.1.192 Name: rac-scan.localdomain Address: 10.0.1.191 Name: rac-scan.localdomain Address: 10.0.1.193 [root@dns ~]# nslookup rac-scan.localdomain Server: 127.0.0.1 Address: 127.0.0.1#53 Name: rac-scan.localdomain Address: 10.0.1.193 Name: rac-scan.localdomain Address: 10.0.1.192 Name: rac-scan.localdomain Address: 10.0.1.191 [root@dns ~]# nslookup 10.0.1.191 Server: 127.0.0.1 Address: 127.0.0.1#53 191.1.0.10.in-addr.arpa name = rac-scan.localdomain. [root@dns ~]# nslookup 10.0.1.192 Server: 127.0.0.1 Address: 127.0.0.1#53 192.1.0.10.in-addr.arpa name = rac-scan.localdomain. [root@dns ~]# nslookup 10.0.1.193 Server: 127.0.0.1 Address: 127.0.0.1#53 193.1.0.10.in-addr.arpa name = rac-scan.localdomain.
[root@rac1 ~]# nslookup rac-scan.localdomain Server: 10.0.1.150 Address: 10.0.1.150#53 Name: rac-scan.localdomain Address: 10.0.1.191 Name: rac-scan.localdomain Address: 10.0.1.193 Name: rac-scan.localdomain Address: 10.0.1.192 [root@rac1 ~]# nslookup rac-scan.localdomain Server: 10.0.1.150 Address: 10.0.1.150#53 Name: rac-scan.localdomain Address: 10.0.1.193 Name: rac-scan.localdomain Address: 10.0.1.191 Name: rac-scan.localdomain Address: 10.0.1.192 [root@rac1 ~]# nslookup rac-scan.localdomain Server: 10.0.1.150 Address: 10.0.1.150#53 Name: rac-scan.localdomain Address: 10.0.1.192 Name: rac-scan.localdomain Address: 10.0.1.193 Name: rac-scan.localdomain Address: 10.0.1.191 [root@rac1 ~]# nslookup 10.0.1.191 Server: 10.0.1.150 Address: 10.0.1.150#53 191.1.0.10.in-addr.arpa name = rac-scan.localdomain. [root@rac1 ~]# nslookup 10.0.1.192 Server: 10.0.1.150 Address: 10.0.1.150#53 192.1.0.10.in-addr.arpa name = rac-scan.localdomain. [root@rac1 ~]# nslookup 10.0.1.193 Server: 10.0.1.150 Address: 10.0.1.150#53 193.1.0.10.in-addr.arpa name = rac-scan.localdomain.