
DNS service provided by a Debian 8 “Jessie” server

General

This page follows these wikis: wiki.debian.org and, in addition, debian-facile.org.

The wiki.debian.org page contains the following “bugs”:

  • the folder /var/cache/bind, which contains the Resource Records (RR) for local resolution, is not accessible to the user “bind” after the chroot.
    Therefore the “db.*” files must be moved into /var/bind9/chroot/var/cache/bind/. The default permissions of the “db.*” files are fine (bind only needs to read them).
  • the folder /var/log/ given in the file /etc/bind/named.conf.log and the log files do not exist in the chroot environment of bind ⇒ they must be created and given the permissions bind needs
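    # cd /var/bind9/chroot/var
    # mkdir log
    ## The three log files named in /etc/bind/named.conf.log must exist inside
    ## the chroot; create them empty (touch replaces the interactive nano edits).
    # touch log/update_debug.log log/security_info.log log/bind.log
    ## named runs as "bind" and must be able to write them; the directory itself
    ## stays root-owned. If named.conf.log uses "versions" rotation, named also
    ## has to rename files inside log/ — confirm against named.conf.log.
    # chown bind:bind log/update_debug.log log/security_info.log log/bind.log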
Optionally, a symbolic link can be created so that this folder is reachable from the original location /var/log

Files

/etc/bind/named.conf

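// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local


// Access-control lists.
// "internals" is the only set of clients allowed to query this server and to
// use recursion (allow-query / allow-recursion in named.conf.options), so keep
// it to the loopback range plus the internal subnets: widening it to any
// address would turn the server into an open resolver.
// XXX.YYY.zzz.0/24 and XXX.YYY.ZZZ.0/24 are placeholders for the real subnets.
acl internals { 127.0.0.0/8; XXX.YYY.zzz.0/24; XXX.YYY.ZZZ.0/24; };

// TSIG key used for dynamic updates. Left disabled here, as are the matching
// allow-update statements in named.conf.local; both must be enabled together.
// If enabled, keep the key file readable by the bind user only: whoever can
// read it can update the zones that trust it.
//include "/etc/bind/ns-example-com_rndc-key";

// Control channel used to administer BIND9 with rndc.
// Without a "keys" clause, named loads the key from rndc.key; that key is
// used by both rndc and named on localhost. The channel is bound to 127.0.0.1
// and accepts connections from 127.0.0.1 only.
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};

// prime the server with knowledge of the root servers
// (the copy of this hint zone in named.conf.default-zones is commented out so
// that it is declared exactly once)
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// Load the global options (listeners, forwarders, ACL usage, DNSSEC).
include "/etc/bind/named.conf.options";

include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.local";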

/etc/bind/named.conf.default-zones

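// prime the server with knowledge of the root servers
// (disabled here: the "." hint zone is declared in named.conf instead)
//zone "." {
//      type hint;
//      file "/etc/bind/db.root";
//};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// Answering these locally means queries for localhost, 127.x, 0.x and 255.x
// are never sent to the forwarders configured in named.conf.options.

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};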

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Logging channels are defined in a separate file. Inside the chroot the
// /var/log directory it refers to does not exist and has to be created by
// hand (see the note at the top of the page).
include "/etc/bind/named.conf.log";

// Zone sub.domain.tld (forward and reverse)
// -----------------------------------------
//  - This server is master for the zone.
//  - No forwarder for this zone: the server owns it, so queries are answered
//    locally. Every other domain goes to the forwarders set in
//    *named.conf.options*.
//  - Dynamic updates with the TSIG key ns-example-com_rndc-key are prepared
//    but disabled: the allow-update lines below and the key include in
//    named.conf are both commented out. They reference each other, so they
//    have to be uncommented together.
//  - The zone files live in /var/cache/bind, which once chrooted is
//    /var/bind9/chroot/var/cache/bind/ on the host (see the note at the top
//    of the page).


zone "sub.domain.tld" {
        type master;
        file "/var/cache/bind/db.sub.domain.tld";
        // empty list: forwarding explicitly disabled for this zone
        forwarders {};
//        allow-update { key ns-example-com_rndc-key; };
};


// Reverse zone for the internal subnet (zzz.YYY.XXX is a placeholder).
zone "zzz.YYY.XXX.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.sub.domain.tld.inv";
        // empty list: forwarding explicitly disabled for this zone
        forwarders {};
//        allow-update { key ns-example-com_rndc-key; };
};


// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918";

/etc/bind/named.conf.options

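options {
        // Working directory of named. With the chroot described at the top of
        // the page this is /var/bind9/chroot/var/cache/bind on the host.
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.
        // (The forwarders actually used by this server are set further down.)

        // forwarders {
        //      0.0.0.0;
        // };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
        // Validate DNSSEC signatures on answers, including those obtained from
        // the forwarders below, using the built-in root trust anchor.
        dnssec-validation auto;

        // Source address/port used when this server queries other DNS servers.
        // "port *" lets named pick a random source port for each query; do not
        // pin it to a fixed port, that removes the source-port randomisation
        // protecting the cache against poisoning (see the CERT note above).
        query-source address * port *;

        // Forward every query this server is not authoritative for to the
        // resolvers below. "forward only" means there is no fallback to
        // iterative resolution if they do not answer. The ISP's resolvers or
        // the router (xxxbox) address could be used here instead.
        forward only;
        forwarders {
                80.67.169.12; # FDN resolver
                80.67.169.40; # FDN resolver
        };

        auth-nxdomain no;    # conform to RFC1035

        // Listen on the local interfaces only (IPv4); no IPv6 listener.
        // IP.of.this.server is a placeholder for the server's internal address.
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; IP.of.this.server; };

        // Do not hand zone contents (AXFR/IXFR) to anyone; there are no
        // secondary servers. A zone-level allow-transfer would override this.
        allow-transfer { none; };

        // Answer queries from the internal network only (acl in named.conf).
        allow-query { internals; };

        // Allow recursion for internal hosts only; together with allow-query
        // this keeps the server from being usable as an open resolver.
        allow-recursion { internals; };

        // Do not reveal the BIND version (CHAOS "version.bind" queries).
        version none;
};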

/etc/resolv.conf

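# Resolver configuration for this host: use the local BIND instance.
# "nameserver" takes an IP address, not a hostname (resolv.conf(5)); a name
# such as "localhost" is not parsed as an address by the libc resolver, which
# then falls back to its built-in default rather than to this line.
# 127.0.0.1 is one of the addresses named listens on (listen-on in
# named.conf.options); ::1 cannot be used because listen-on-v6 is none.
search sub.domain.tld
nameserver 127.0.0.1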