BIND Nameserver unter CentOS 6 - Linux

Transcription

24.12.2016 11:37.
1/36
BIND Nameserver unter CentOS 6
Mit BIND1) des Internet Systems Consortium richten wir uns für unser SOHO2)-LAN ein Domain-NameSystem-Server oder kurz DNS3)ein.
DNS wurde in den beiden RFC 1034 und RFC 1035 definiert und bekam von der Internet Assigned
Numbers Authority die beiden Ports 53/UDP und 53/TCP.
Installation
Zu erst installieren wir uns die beiden Pakete bind und bind-chroot. Letzters hilft uns, unseren DNS
in einem chroot4)-Umgebung laufen zu lassen.
# yum install bind bind-chroot -y
Grund-Konfiguration
RPM-Pakete
Als erstes sehen uns wir mal an, was die beiden Pakete alles an Dateien mitbringen und vor allem
wohin diese gespeichert worden sind.
bind
# rpm -qil bind
Name
: bind
Relocations: (not relocatable)
Version
: 9.7.0
Vendor: CentOS
Release
: 5.P2.el6_0.1
Build Date: Sat 25 Jun 2011
05:48:43 AM CEST
Install Date: Mon 22 Aug 2011 01:33:07 PM CEST
Build Host:
c6b6.bsys.dev.centos.org
Group
: System Environment/Daemons
Source RPM:
bind-9.7.0-5.P2.el6_0.1.src.rpm
Size
: 6695969
License: ISC
Signature
: RSA/8, Wed 06 Jul 2011 03:37:08 AM CEST, Key ID
0946fca2c105b9de
Packager
: CentOS BuildSystem <http://bugs.centos.org>
URL
: http://www.isc.org/products/BIND/
Summary
: The Berkeley Internet Name Domain (BIND) DNS (Domain Name
System) server
Description :
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
Linux - Wissensdatenbank - https://dokuwiki.nausch.org/
Last update: 24.05.2014 23:01.
centos:bind_c6 https://dokuwiki.nausch.org/doku.php/centos:bind_c6
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.
/etc/NetworkManager/dispatcher.d/13-named
/etc/logrotate.d/named
/etc/named
/etc/named.conf
/etc/named.iscdlv.key
/etc/named.rfc1912.zones
/etc/rc.d/init.d/named
/etc/rndc.conf
/etc/rndc.key
/etc/sysconfig/named
/usr/lib64/bind
/usr/sbin/arpaname
/usr/sbin/ddns-confgen
/usr/sbin/dnssec-dsfromkey
/usr/sbin/dnssec-keyfromlabel
/usr/sbin/dnssec-keygen
/usr/sbin/dnssec-revoke
/usr/sbin/dnssec-settime
/usr/sbin/dnssec-signzone
/usr/sbin/genrandom
/usr/sbin/isc-hmac-fixup
/usr/sbin/lwresd
/usr/sbin/named
/usr/sbin/named-checkconf
/usr/sbin/named-checkzone
/usr/sbin/named-compilezone
/usr/sbin/named-journalprint
/usr/sbin/nsec3hash
/usr/sbin/rndc
/usr/sbin/rndc-confgen
/usr/share/doc/bind-9.7.0
/usr/share/doc/bind-9.7.0/CHANGES
/usr/share/doc/bind-9.7.0/COPYRIGHT
/usr/share/doc/bind-9.7.0/Copyright
/usr/share/doc/bind-9.7.0/README
/usr/share/doc/bind-9.7.0/arm
/usr/share/doc/bind-9.7.0/arm/Bv9ARM-book.xml
/usr/share/doc/bind-9.7.0/arm/Bv9ARM.ch01.html
https://dokuwiki.nausch.org/
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
3/36
/usr/share/doc/bind-9.7.0/arm/Bv9ARM.html
/usr/share/doc/bind-9.7.0/arm/Bv9ARM.pdf
/usr/share/doc/bind-9.7.0/arm/Makefile
/usr/share/doc/bind-9.7.0/arm/Makefile.in
/usr/share/doc/bind-9.7.0/arm/README-SGML
/usr/share/doc/bind-9.7.0/arm/dnssec.xml
/usr/share/doc/bind-9.7.0/arm/isc-logo.eps
/usr/share/doc/bind-9.7.0/arm/isc-logo.pdf
/usr/share/doc/bind-9.7.0/arm/latex-fixup.pl
/usr/share/doc/bind-9.7.0/arm/libdns.xml
/usr/share/doc/bind-9.7.0/arm/man.arpaname.html
/usr/share/doc/bind-9.7.0/arm/man.ddns-confgen.html
/usr/share/doc/bind-9.7.0/arm/man.dig.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-dsfromkey.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-keyfromlabel.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-keygen.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-revoke.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-settime.html
/usr/share/doc/bind-9.7.0/arm/man.dnssec-signzone.html
/usr/share/doc/bind-9.7.0/arm/man.genrandom.html
/usr/share/doc/bind-9.7.0/arm/man.host.html
/usr/share/doc/bind-9.7.0/arm/man.isc-hmac-fixup.html
/usr/share/doc/bind-9.7.0/arm/man.named-checkconf.html
/usr/share/doc/bind-9.7.0/arm/man.named-checkzone.html
/usr/share/doc/bind-9.7.0/arm/man.named-journalprint.html
/usr/share/doc/bind-9.7.0/arm/man.named.html
/usr/share/doc/bind-9.7.0/arm/man.nsec3hash.html
/usr/share/doc/bind-9.7.0/arm/man.nsupdate.html
/usr/share/doc/bind-9.7.0/arm/man.rndc-confgen.html
/usr/share/doc/bind-9.7.0/arm/man.rndc.conf.html
/usr/share/doc/bind-9.7.0/arm/man.rndc.html
/usr/share/doc/bind-9.7.0/arm/managed-keys.xml
/usr/share/doc/bind-9.7.0/arm/pkcs11.xml
/usr/share/doc/bind-9.7.0/draft
/usr/share/doc/bind-9.7.0/draft/draft-ietf-6man-text-addrrepresentation-01.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-behave-dns64-01.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-axfr-clarify-13.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dns-tcprequirements-02.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dnssec-bis-updates-09.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-dnssec-gost-06.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-ecc-key-07.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-interop3597-02.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc2671bis-edns0-02.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc2672bis-dname-18.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-rfc3597-bis-00.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsext-tsig-md5-deprecated-03.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-bad-dns-res-05.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-default-local-zones-09.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-inaddr-required-07.txt
Last update: 24.05.2014 23:01.
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-name-server-managementreqs-02.txt
/usr/share/doc/bind-9.7.0/draft/draft-ietf-dnsop-respsize-06.txt
/usr/share/doc/bind-9.7.0/draft/draft-kato-dnsop-local-zones-00.txt
/usr/share/doc/bind-9.7.0/draft/update
/usr/share/doc/bind-9.7.0/misc
/usr/share/doc/bind-9.7.0/misc/Makefile
/usr/share/doc/bind-9.7.0/misc/Makefile.in
/usr/share/doc/bind-9.7.0/misc/dnssec
/usr/share/doc/bind-9.7.0/misc/format-options.pl
/usr/share/doc/bind-9.7.0/misc/ipv6
/usr/share/doc/bind-9.7.0/misc/migration
/usr/share/doc/bind-9.7.0/misc/migration-4to9
/usr/share/doc/bind-9.7.0/misc/options
/usr/share/doc/bind-9.7.0/misc/rfc-compliance
/usr/share/doc/bind-9.7.0/misc/roadmap
/usr/share/doc/bind-9.7.0/misc/sdb
/usr/share/doc/bind-9.7.0/misc/sort-options.pl
/usr/share/doc/bind-9.7.0/named.conf.default
/usr/share/doc/bind-9.7.0/rfc
/usr/share/doc/bind-9.7.0/rfc/index.gz
/usr/share/doc/bind-9.7.0/rfc/rfc1032.txt.gz
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
5/36
Last update: 24.05.2014 23:01.
/usr/share/doc/bind-9.7.0/rfc1912.txt
/usr/share/doc/bind-9.7.0/sample
/usr/share/doc/bind-9.7.0/sample/etc
/usr/share/doc/bind-9.7.0/sample/etc/named.conf
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
7/36
/usr/share/doc/bind-9.7.0/sample/etc/named.rfc1912.zones
/usr/share/doc/bind-9.7.0/sample/var
/usr/share/doc/bind-9.7.0/sample/var/named
/usr/share/doc/bind-9.7.0/sample/var/named/data
/usr/share/doc/bind-9.7.0/sample/var/named/my.external.zone.db
/usr/share/doc/bind-9.7.0/sample/var/named/my.internal.zone.db
/usr/share/doc/bind-9.7.0/sample/var/named/named.ca
/usr/share/doc/bind-9.7.0/sample/var/named/named.empty
/usr/share/doc/bind-9.7.0/sample/var/named/named.localhost
/usr/share/doc/bind-9.7.0/sample/var/named/named.loopback
/usr/share/doc/bind-9.7.0/sample/var/named/slaves
/usr/share/doc/bind-9.7.0/sample/var/named/slaves/my.ddns.internal.zone.db
/usr/share/doc/bind-9.7.0/sample/var/named/slaves/my.slave.internal.zone.db
/usr/share/man/man1/arpaname.1.gz
/usr/share/man/man5/named.conf.5.gz
/usr/share/man/man5/rndc.conf.5.gz
/usr/share/man/man8/ddns-confgen.8.gz
/usr/share/man/man8/dnssec-dsfromkey.8.gz
/usr/share/man/man8/dnssec-keyfromlabel.8.gz
/usr/share/man/man8/dnssec-keygen.8.gz
/usr/share/man/man8/dnssec-revoke.8.gz
/usr/share/man/man8/dnssec-settime.8.gz
/usr/share/man/man8/dnssec-signzone.8.gz
/usr/share/man/man8/genrandom.8.gz
/usr/share/man/man8/isc-hmac-fixup.8.gz
/usr/share/man/man8/lwresd.8.gz
/usr/share/man/man8/named-checkconf.8.gz
/usr/share/man/man8/named-checkzone.8.gz
/usr/share/man/man8/named-compilezone.8.gz
/usr/share/man/man8/named-journalprint.8.gz
/usr/share/man/man8/named.8.gz
/usr/share/man/man8/nsec3hash.8.gz
/usr/share/man/man8/rndc-confgen.8.gz
/usr/share/man/man8/rndc.8.gz
/var/log/named.log
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
/var/run/named
bind-chroot
# rpm -qil bind-chroot
Last update: 24.05.2014 23:01.
Name
: bind-chroot
Relocations: /var/named/chroot
Version
: 9.7.0
Vendor: CentOS
Release
: 5.P2.el6_0.1
Build Date: Sat 25 Jun 2011
05:48:43 AM CEST
Install Date: Mon 22 Aug 2011 01:33:10 PM CEST
Build Host:
c6b6.bsys.dev.centos.org
Group
: System Environment/Daemons
Source RPM:
bind-9.7.0-5.P2.el6_0.1.src.rpm
Size
: 0
License: ISC
Signature
: RSA/8, Wed 06 Jul 2011 03:37:09 AM CEST, Key ID
0946fca2c105b9de
Packager
: CentOS BuildSystem <http://bugs.centos.org>
URL
: http://www.isc.org/products/BIND/
Summary
: A chroot runtime environment for the ISC BIND DNS server,
named(8)
Description :
This package contains a tree of files which can be used as a
chroot(2) jail for the named(8) program from the BIND package.
Based on the code from Jan "Yenya" Kasprzak <[email protected]>
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/run/named
/var/named/chroot/var/tmp
change root - Umgebung
Bei der Installation unserer chroot-Umgebung wurde automatisch die Konfigurationsdatei
/etc/sysconfig/named entsprechend angepasst, in dem die Konfigurationsoption
ROOTDIR=/var/named/chroot
aktiviert wird.
In der Konfigurationsdatei /etc/sysconfig/named finden wir darüber hinaus noch weitere Angaben,
wie die chroot-Umgebung für bind unter CentOS 6 realisiert wird, und welche Konfigurationsdateien
beim Starten des Daemon in die chroot-Umgebung gemountet werden.
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
9/36
/etc/sysconfig/named
# BIND named process options
# ~~~~~~~~~~~~~~~~~~~~~~~~~~
# Currently, you can use the following options:
#
# ROOTDIR="/var/named/chroot" -- will run named in a chroot
environment.
#
you must set up the chroot environment
#
(install the bind-chroot package) before
#
doing this.
#
NOTE:
#
Those directories are automatically mounted to chroot if they
are
#
empty in the ROOTDIR directory. It will simplify maintenance
of your
#
chroot environment.
#
- /var/named
#
- /etc/pki/dnssec-keys
#
- /etc/named
#
- /usr/lib64/bind or /usr/lib/bind (architecture dependent)
#
#
Those files are mounted as well if target file doesn't exist in
#
chroot.
#
- /etc/named.conf
#
- /etc/rndc.conf
#
- /etc/rndc.key
#
- /etc/named.rfc1912.zones
#
- /etc/named.dnssec.keys
#
- /etc/named.iscdlv.key
#
#
Don't forget to add "$AddUnixListenSocket
/var/named/chroot/dev/log"
#
line to your /etc/rsyslog.conf file. Otherwise your logging becomes
#
broken when rsyslogd daemon is restarted (due update, for example).
#
# OPTIONS="whatever"
-- These additional options will be passed to
named
#
at startup. Don't add -t here, use ROOTDIR
instead.
#
# KEYTAB_FILE="/dir/file"
-- Specify named service keytab file (for
GSS-TSIG)
ROOTDIR=/var/named/chroot
Beim Starten des named Daemon werden die betreffenden Konfigurationsdateien gemountet. Bei
laufendem Daemon können wir uns ganz einfach überzeugen, wohin diese gemountet wurden.
# df -ah | grep named
Last update: 24.05.2014 23:01.
/etc/named
7.2G 941M 6.0G 14%
/var/named
7.2G 941M 6.0G 14%
/etc/named.conf
7.2G 941M 6.0G 14%
/etc/named.rfc1912.zones
7.2G 941M 6.0G 14%
/var/named/chroot/etc/named.rfc1912.zones
/etc/rndc.key
7.2G 941M 6.0G 14%
/usr/lib64/bind
7.2G 941M 6.0G 14%
/etc/named.iscdlv.key
7.2G 941M 6.0G 14%
/var/named/chroot/etc/named.iscdlv.key
/var/named/chroot/etc/named
/var/named/chroot/var/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/rndc.key
/var/named/chroot/usr/lib64/bind
Beenden wir den Daemon erfolgt automatisch das Unmounten der betreffenden
Konfigurationsverzeichnisse.
# service named stop && df -ah | grep named
Stopping named:
[
OK
]
Wir können also bei der weiteren Konfiguration unser Augenmerk auf die Konfigurationsdatei
named.conf im Verzeichnis /etc richten.
rsyslogd
Darüber hinaus erfolgt hier auch ein Hinweis zum Anpassen des rsyslogd Daemon. Wie in den
Bemerkungen in der /etc/sysconfig/named angegeben, werden wir nun noch die rsyslogd Daemon
anpassen. Hierzu öffnen wir mit dem Editor unserer Wahl die Konfigurationsdatei /etc/rsyslog.conf.
# vim /etc/rsyslog.conf
/etc/rsyslog.conf
#rsyslog v3 config file
# if you experience problems, check
# http://www.rsyslog.com/troubleshoot for assistance
#### MODULES ####
$ModLoad imuxsock.so
# provides support for local system logging
(e.g. via logger command)
$ModLoad imklog.so # provides kernel logging support (previously done
by rklogd)
#$ModLoad immark.so # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp.so
#$UDPServerRun 514
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
11/36
# Provides TCP syslog reception
#$ModLoad imtcp.so
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is
usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Django: 2011-08-22
# Erweiterung für die chroot-Umgebung des bind Nameservers eingetragen
$AddUnixListenSocket /var/named/chroot/dev/log
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*
/dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none
/var/log/messages
# The authpriv file has restricted access.
authpriv.*
# Log all the mail messages in one place.
mail.*
/var/log/maillog
/var/log/secure
-
# Log cron stuff
cron.*
/var/log/cron
# Everybody gets emergency messages
*.emerg
*
# Save news errors of level crit and higher in a special file.
uucp,news.crit
/var/log/spooler
# Save boot messages also to boot.log
local7.*
Last update: 24.05.2014 23:01.
/var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spppl/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g
# 1gb space limit (use as much as
possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList
# run asynchronously
#$ActionResumeRetryCount -1
# infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
Zur Aktivierung unserer Änderung bedarf es nur noch eines Restarts des rsyslogd Daemon.
# service rsyslog restart
Shutting down system logger:
Starting system logger:
[
[
OK
OK
]
]
SELinux
In aller Regel werden wir auf die Dienste von SELinux in unserer vHOST-Installation verzichten
können. Wir deaktivieren also, wenn noch nicht bereits bei der Erstinstallation erfolgt, SELinux
komplett, indem wir in der Konfigurationsdatei unter /etc/sysconfig das Thema SELinux deaktivieren.
# vim /etc/sysconfig/selinux
/etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#
enforcing - SELinux security policy is enforced.
#
permissive - SELinux prints warnings instead of enforcing.
#
disabled - No SELinux policy is loaded.
# Django : 2011-08-22 SELinux deaktiviert
# default : SELINUX=enforcing
SELINUX=disabled
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
13/36
# SELINUXTYPE= can take one of these two values:
#
targeted - Targeted processes are protected,
#
mls - Multi Level Security protection.
SELINUXTYPE=targeted
IPv6
Bei unserer Musterinstallation begnügen wir uns mit einer IPv4-Inststallation. In der
Grundkonfiguration unseres bind Daemon sehen wir im Syslog, dass versucht wird auch jedesmal via
IPv6 eine Anfrage zu starten.
Aug 22 14:45:30 vml000020 named[3376]: error (network unreachable)
resolving 'heise.de.dlv.isc.org/DLV/IN': 2001:500:71::29#53
Da wir aber (noch) keine IPv6-Anbindung haben, werden wir die IPv6 lookups einfach abstellen. In
unserer bind-Konfigurationsdatei /etc/named.conf deaktivieren wir einfach die betreffende Zeile
durch Voranstellen von zwei Schrägstriche „/„.
# vim /var/named/chroot/etc/named/named.conf
//listen-on-v6 port 53 { ::1; };
Django: 2011-08-22 IPv6 deaktiviert
//
In der Datei /etc/sysconfig/named vermerken wir ferner, dass wir lediglich die IPv4-Unterstützung
nutzen wollen.
# vim /etc/sysconfig/named
# Django : 2011-08-22 nur die IPv4-Unterstützung aktivieren
OPTIONS="-4"
Anschließend starten wir den Nameserver einmal durch, damit die Konfigurationsänderunegn auch
greifen. # service named restart
iptables Paketfilter
Nach dem Starten unseres named Daemon können wir mit Hilfe vonnetstat überprüfen, ob der
Daemon auf den gewünschten Ports lauscht.
# netstat -tulpen | grep named
tcp
LISTEN
tcp
LISTEN
tcp
0
25
0
25
0
0 10.0.0.20:53
12850
0 10.0.10.1:53
12848
0 127.0.0.1:53
0.0.0.0:*
4010/named
0.0.0.0:*
4010/named
0.0.0.0:*
Last update: 24.05.2014 23:01.
LISTEN
tcp
LISTEN
udp
25
udp
25
udp
25
25
0
25
0
12849
0
12847
0
12845
12846
4010/named
0 127.0.0.1:953
12853
4010/named
0 10.0.0.20:53
4010/named
0 10.0.10.1:53
4010/named
0 127.0.0.1:53
4010/named
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
0.0.0.0:*
Damit der Zugriff auf den Port 53 (TCP/UDP) auch erfolgen kann, müssen wir noch unseren Paketfilter
i.d.R. erweitern. Wir tragen hierzu in der Konfigurationsdatei /etc/sysconfig/iptables hierzu die
folgenden Zeilen am Ende der INPUT-Regeln nach.
# Django : 2011-08-22 DNS
-A INPUT -m state --state
-A INPUT -m state --state
# Django : 2011-08-22 bei
#-A INPUT -j LOG
# Django : end
freigeschaltet
NEW -m udp -p udp --dport 53 -j ACCEPT
NEW -m tcp -p tcp --dport 53 -j ACCEPT
Bedarf Logging aktivieren
Anschließend aktivieren wir die Änderungen an unserem Paketfilter, indem wir den Daemon
durchstarten.
# service iptables restart
iptables:
iptables:
iptables:
iptables:
Flushing firewall rules:
Setting chains to policy ACCEPT: filter nat
Unloading modules:
Applying firewall rules:
[
[
[
[
OK
OK
OK
OK
]
]
]
]
erweiterte Konfigurationen
caching-only Nameserver
Im ersten Schritt wollen wir erst einmal einen caching-only Nameserver aufsetzen. Die mitgelieferte
Konfigurationsdate /etc/named.conf des RPM-Pakets bind passen wir unseren Gegebenheiten an.
# vim /etc/named.conf
/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8)
DNS
// server as a caching only nameserver (as a localhost DNS resolver
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
15/36
only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration
files.
//
options {
listen-on port 53 { 127.0.0.1; 10.0.0.0; 10.0.10.0 };
// Django
: 2011-08-22 unsere Netzwerk// interfaces definiert
listen-on-v6 port 53 { ::1; };
directory
"/var/named";
dump-file
"/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query
{ localhost; 10.0.0.0/24; 10.0.10.0/26 }; // Django
: 2011-08-22 unsere Netzwerke
// die unseren Nameserver befragen
dürfen
recursion yes;
// Django : 2011-08-22 dnssec erst einmal deaktiviert für den
caching-only Betrieb
// dnssec-enable yes;
// dnssec-validation yes;
// dnssec-lookaside auto;
/* Path to ISC DLV key */
// Django : 2011-08-22 bindkeys-file erst einmal deaktiviert für
den caching-only Betrieb
// bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
Nach der Bearbeitung startetn wir nun unseren Nameserver das erste mal.
# service named start
Last update: 24.05.2014 23:01.
Starting named:
[
OK
]
Sollte wider Erwarten beim Starten etwas schief gelaufen sein, so ist der Syslog die Anlaufstelle für
weitere Fehlermeldungen. Im Regelfall wird der erfolgreiche Start entsprechend quittiert.
Oct 6 11:16:08 vml000020 named[4010]: starting BIND 9.7.0-P2RedHat-9.7.0-5.P2.el6_0.1 -u named -4 -t /var/named/chroot
Oct 6 11:16:08 vml000020 named[4010]: built with '--build=x86_64-unknownlinux-gnu' '--host=x86_64-unknown-linux-gnu' '--tar
get=x86_64-redhat-linux-gnu' '--program-prefix=' '--prefix=/usr' '--execprefix=/usr' '--bindir=/usr/bin' '--sbindir=/usr/sbi
n' '--sysconfdir=/etc' '--datadir=/usr/share' '--includedir=/usr/include' '-libdir=/usr/lib64' '--libexecdir=/usr/libexec' '
--sharedstatedir=/var/lib' '--mandir=/usr/share/man' '-infodir=/usr/share/info' '--with-libtool' '--localstatedir=/var' '--e
nable-threads' '--enable-ipv6' '--with-pic' '--disable-static' '--disableopenssl-version-check' '--with-dlz-ldap=yes' '--wit
h-dlz-postgres=yes' '--with-dlz-mysql=yes' '--with-dlz-filesystem=yes' '-with-gssapi=yes' '--disable-isc-spnego' 'build_alia
s=x86_64-unknown-linux-gnu' 'host_alias=x86_64-unknown-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS= -O2 -g -pip
e -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=sspbuffer-size=4 -m64 -mtune=generic' 'CPPFLAGS= -DDI
G_SIGCHASE'
Oct 6 11:16:08 vml000020 named[4010]: adjusted limit on open files from
1024 to 1048576
Oct 6 11:16:08 vml000020 named[4010]: found 1 CPU, using 1 worker thread
Oct 6 11:16:08 vml000020 named[4010]: using up to 4096 sockets
Oct 6 11:16:08 vml000020 named[4010]: loading configuration from
'/etc/named.conf'
Oct 6 11:16:08 vml000020 named[4010]: reading built-in trusted keys from
file '/etc/named.iscdlv.key'
Oct 6 11:16:08 vml000020 named[4010]: using default UDP/IPv4 port range:
[1024, 65535]
Oct 6 11:16:08 vml000020 named[4010]: using default UDP/IPv6 port range:
[1024, 65535]
Oct 6 11:16:08 vml000020 named[4010]: no IPv6 interfaces found
Oct 6 11:16:08 vml000020 named[4010]: listening on IPv4 interface lo,
127.0.0.1#53
Oct 6 11:16:08 vml000020 named[4010]: listening on IPv4 interface eth0,
10.0.10.1#53
Oct 6 11:16:08 vml000020 named[4010]: listening on IPv4 interface eth1,
10.0.0.20#53
Oct 6 11:16:08 vml000020 named[4010]: generating session key for dynamic
DNS
Oct 6 11:16:08 vml000020 named[4010]: using built-in trusted-keys for view
_default
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: 127.INADDR.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: 254.169.INADDR.ARPA
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
17/36
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: 2.0.192.INADDR.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone:
255.255.255.255.IN-ADDR.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone:
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: D.F.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: 8.E.F.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: 9.E.F.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: A.E.F.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: automatic empty zone: B.E.F.IP6.ARPA
Oct 6 11:16:08 vml000020 named[4010]: using built-in trusted-keys for view
_meta
Oct 6 11:16:08 vml000020 named[4010]: set up managed-keys.bind meta-zone
Oct 6 11:16:08 vml000020 named[4010]: command channel listening on
127.0.0.1#953
Oct 6 11:16:08 vml000020 named[4010]: the working directory is not writable
Oct 6 11:16:08 vml000020 named[4010]: zone 0.in-addr.arpa/IN: loaded serial
0
Oct 6 11:16:08 vml000020 named[4010]: zone 1.0.0.127.in-addr.arpa/IN:
loaded serial 0
Oct 6 11:16:08 vml000020 named[4010]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
Oct 6 11:16:08 vml000020 named[4010]: zone localhost.localdomain/IN: loaded
serial 0
Oct 6 11:16:08 vml000020 named[4010]: zone localhost/IN: loaded serial 0
Oct 6 11:16:08 vml000020 named[4010]: zone managed-keys.bind/IN/_meta:
loaded serial 12
Oct 6 11:16:08 vml000020 named[4010]: running
<code>
In der named-eigenen Logdatei //**/var/named/data/named.run**// wird
außerdem der Start mit Angabe der geladenen Zonen dokumentiert.
# less /var/named/data/named.run
<code>zone 0.in-addr.arpa/IN: loaded serial 0
zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN:
loaded serial 0
zone localhost.localdomain/IN: loaded serial 0
zone localhost/IN: loaded serial 0
zone managed-keys.bind/IN/_meta: loaded serial 12
running
Nach dem Starten unseres named Daemon können wir mit Hilfe vonnetstat überprüfen, ob der
Daemon auf den gewünschten Ports lauscht.
# netstat -tulpen | grep named
Last update: 24.05.2014 23:01.
tcp 0 0 10.0.0.20:53 0.0.0.0:* LISTEN 25 12850 4010/named tcp 0 0 10.0.10.1:53 0.0.0.0:* LISTEN 25
12848 4010/named tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 25 12846 4010/named tcp 0 0
127.0.0.1:953 0.0.0.0:* LISTEN 25 12853 4010/named udp 0 0 10.0.0.20:53 0.0.0.0:* 25 12849
4010/named udp 0 0 10.0.10.1:53 0.0.0.0:* 25 12847 4010/named udp 0 0 127.0.0.1:53 0.0.0.0:* 25
12845 4010/named </code>
Dass der Daemon in einer chroot-Umgebung gestartet wurde sehen wir anhand folgender Ausgabe:
# ps aux | grep named
named
4010 0.0 1.4 161628 15300 ?
Ssl
/usr/sbin/named -u named -4 -t /var/named/chroot
root
4042 0.0 0.0 103148
828 pts/0
S+
11:16
0:00
11:36
0:00 grep named
Nachdem unser nameserver nun läuft werden wir auch gleich mal unsere erste Abfrage tätigen
#
dig @localhost heise.de
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @localhost heise.de
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50804
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 0
;; QUESTION SECTION:
;heise.de.
IN
;; ANSWER SECTION:
heise.de.
3600
A
IN
;; AUTHORITY SECTION:
heise.de.
86400
heise.de.
86400
heise.de.
86400
heise.de.
86400
heise.de.
86400
;;
;;
;;
;;
IN
IN
IN
IN
IN
A
193.99.144.80
NS
NS
NS
NS
NS
ns.s.plusline.de.
ns.pop-hannover.de.
ns2.pop-hannover.net.
ns.plusline.de.
ns.heise.de.
Query time: 86 msec
SERVER: 127.0.0.1#53(127.0.0.1)
WHEN: Mon Aug 22 14:52:07 2011
MSG SIZE rcvd: 168
Die gleiche Abfrage mit Hilfe von nslookup sieht wie folgt aus:
# nslookup heise
Server:
Address:
10.0.0.20
10.0.0.20#53
Non-authoritative answer:
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
19/36
Name:
heise.dmz.nausch.org
Address: 88.217.187.21
Nameserver für Intranet und Demilitarized Zone
Im folgenden Beispiel erweitern wir unsere ersten Konfigurationsschritt ein wenig, denn schließlich
möchten wir ja nicht nur Anfragen nach öffentlichen IP-Adressen beantworten, sondern auch für unser
privates Netzwerk im SOHO mit den folgenden zwei Zonen:
DMZ : dmz.nausch.org mit Netz: 10.0.0.0/24
Intranet : intra.nausch.org mit Netz: 10.0.10.0/26
bind Konfiguration
named.conf
Basierend auf den Rahmenbedingungen erweitern wir als erstes die Hauptkonfigurationsdatei unseres
Nameservers bind. Hierzu bemühen wir wieder den Editor unserer Wahl vim. Die entsprechenden
Optionen sind im nachfolgenden Beispiel entsprechend beschrieben.
# vim /etc/named.conf
named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8)
DNS
// server as a caching only nameserver (as a localhost DNS resolver
only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration
files.
//
acl dmz
{ 10.0.0.0/24; };
Variablendefinition
acl intra { 10.0.10.0/26; };
2011-10-05 Variablendefinition
// Django : 2011-10-05
// Django :
options {
listen-on port 53 { 127.0.0.1; 10.0.0.20; 10.0.10.1; };
Django : 2011-08-22 unsere Netzwerk// interfaces definiert
// listen-on-v6 port 53 { ::1; };
IPv6 deaktiviert
directory
"/var/named";
//
//
Last update: 24.05.2014 23:01.
dump-file
"/var/named/data/cache_dump.db";
allow-query
{ localhost; dmz; intra; };
// Django :
2011-08-22 unsere Netzwerke
allow-recursion { localhost; dmz; intra; };
// die
unseren Nameserver befragen dürfen
recursion yes;
query-source address * port *;
2011-10-05
// Django :
// unpriviligierten Port nutzen,
wenn Anfragen
// nach extern gestellt werden
check-names master warn;
// Django : 2011-10-05
// Der Nameserver soll nur warnen
und nicht
// abbrechen, wenn er eine Anfrage
nicht
// beantworten kann. (Bsp. DKIMkeys)
auth-nxdomain no;
// Django : 2011-10-05
// RFC1035 Konforme Arbeit (keine
alten
// Anfragen und Konfigurationen
nutzen)
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
};
logging {
channel default_debug {
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
21/36
zone "dmz.nausch.org" IN {
type master;
file "dynamic/dmz-forward";
allow-update { none; };
};
zone "0.0.10.in-addr.arpa" IN {
type master;
file "dynamic/dmz-reverse";
};
zone "intra.nausch.org" IN {
type master;
file "dynamic/intra-forward";
};
type master;
file "dynamic/intra-reverse";
};
zone "nausch.org" IN {
type master;
file "dynamic/domain-forward";
};
type master;
file "dynamic/domain-reverse";
};
Die einzelnen Zonen-Dateien legen wir im Verzeichnis /var/named/dynamic/ ab.
dmz-forward
dmz-reverse
intra-forward
intra-reverse
domain-forward
domain-reverse
dmz-forward
Für die forward-Auflösung des Subnetzes DMZ legen wir uns eine Konfigurationsdatei nach folgendem
Muster an.
Last update: 24.05.2014 23:01.
/var/named/dynamic/dmz-forward
$ORIGIN dmz.nausch.org.
$TTL
86400
@
IN
SOA
vml000020.dmz.nausch.org. root.nausch.org. (
2011100501
; serial
3H
; refresh
15M
; retry
1W
; expiry
1D )
; minimum
;
IN
NS
vml000020.dmz.nausch.org.
;
fwe
IN
CNAME
vml000010
fwi
IN
CNAME
vml000020
time
IN
CNAME
vml000020
dns
IN
CNAME
vml000020
dhcp
IN
CNAME
vml000020
;
localhost
IN
A
127.0.0.1
;
vml000010
IN
A
10.0.0.10
vml000020
IN
A
10.0.0.20
vml000030
IN
A
10.0.0.30
dmz-reverse
Für die reverse-Auflösung des Subnetzes DMZ legen wir uns eine Konfigurationsdatei nach folgendem
Muster an.
/var/named/dynamic/dmz-reverse
$ORIGIN 0.0.10.in-addr.arpa.
$TTL 86400
@
IN SOA
vml000020.dmz.nausch.org. root.nss.nausch.org. (
2011100501
; serial
3H
; refresh
1H
; retry
1W
; expiry
1D )
; minimum
;
@
IN NS
;
10 IN PTR
20 IN PTR
30 IN PTR
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
23/36
intra-forward
Für die forward-Auflösung des Subnetzes intra legen wir uns eine Konfigurationsdatei nach
folgendem Muster an.
/var/named/dynamic/intra-forward
$ORIGIN intra.nausch.org.
$TTL
86400
@
IN
SOA
vml000020.dmz.nausch.org. root.nausch.org. (
2011100501
; serial
3H
; refresh
15M
; retry
1W
; expiry
1D )
; minimum
;
IN
NS
;
proton
IN
CNAME
pml010051
;
pml010001
IN
A
10.0.10.1
pml010051
IN
A
10.0.10.51
intra-reverse
Für die reverse-Auflösung des Subnetzes intra legen wir uns eine Konfigurationsdatei nach folgendem
Muster an.
/var/named/dynamic/intra-reverse
$TTL 86400
@
IN SOA
2011100501
; serial
3H
; refresh
1H
; retry
1W
; expiry
1D )
; minimum
;
@
IN NS
pml010001.intra.nausch.org.
;
1
IN PTR
51 IN PTR
Last update: 24.05.2014 23:01.
domain-forward
Für die forward-Auflösung unserer eigenen Domäne nausch.org legen wir uns eine
Konfigurationsdatei nach folgendem Muster an.
/var/named/dynamic/domain-forward
$ORIGIN nausch.org.
$TTL
86400
@
IN
SOA
ns1.dmz.nausch.org. root.nausch.org. (
2011100501
; serial
3H
; refresh
15M
; retry
1W
; expiry
1D )
; minimum
;
IN
NS
ns1.dmz.nausch.org.
;
ns1.dmz.nausch.org IN
A
88.217.187.21
;
nausch.org.
IN
A
88.217.187.21
*.nausch.org.
IN
A
88.217.187.21
domain-reverse
Für die reverse-Auflösung unserer eigenen Domäne nausch.org legen wir uns eine
Konfigurationsdatei nach folgendem Muster an.
/var/named/dynamic/domain-reverse
$TTL 86400
@
IN SOA
2011100501
; serial
3H
; refresh
1H
; retry
1W
; expiry
1D )
; minimum
;
@
IN NS
ns1.dmz.nausch.org.
;
21 IN PTR
mx1.nausch.org.
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
25/36
Utilities rund um den Nameserver bind
Konfiguration überprüfen
Möchte man die Konfiguration(sdatei) seinen bind-Nameservers überprüfen so nutzt man den Befehl
named-checkconf
# named-checkconf
Benutzt man hierbei die Option -p wird, sofern keine Fehler existieren, die Konfigurationsdatei
named.conf ohne Kommentare auf der Konsole ausgegeben.
# named-checkconf -p
options {
bindkeys-file "/etc/named.iscdlv.key";
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
listen-on port 53 {
127.0.0.1/32;
10.0.0.20/32;
10.0.10.1/32;
};
allow-recursion {
"localhost";
"dmz";
"intra";
};
auth-nxdomain no;
check-names master warn;
dnssec-enable yes;
dnssec-lookaside "auto" ;
dnssec-validation yes;
query-source address 0.0.0.0 port 0;
recursion yes;
allow-query {
"localhost";
"dmz";
"intra";
};
};
acl "dmz" {
10.0.0.0/24;
};
acl "intra" {
10.0.10.0/26;
};
Last update: 24.05.2014 23:01.
logging {
channel "default_debug" {
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost.localdomain" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone "localhost" IN {
type master;
file "named.localhost";
allow-update {
"none";
};
};
zone
"1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa"
IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "1.0.0.127.in-addr.arpa" IN {
type master;
file "named.loopback";
allow-update {
"none";
};
};
zone "0.in-addr.arpa" IN {
type master;
file "named.empty";
allow-update {
"none";
};
};
zone "dmz.nausch.org" IN {
type master;
file "dynamic/dmz-forward";
allow-update {
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
27/36
"none";
};
};
type master;
file "dynamic/dmz-reverse";
allow-update {
"none";
};
};
zone "intra.nausch.org" IN {
type master;
file "dynamic/intra-forward";
allow-update {
"none";
};
};
type master;
file "dynamic/intra-reverse";
allow-update {
"none";
};
};
zone "nausch.org" IN {
type master;
file "dynamic/domain-forward";
allow-update {
"none";
};
};
type master;
file "dynamic/domain-reverse";
allow-update {
"none";
};
};
Versionsabfrage
Will man die Version eines Namservers abfragen, so kann man dies mit Hilfe folgenden Befehls
erreichen.
# dig txt chaos version.bind
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> txt chaos version.bind
;; global options: +cmd
;; Got answer:
Last update: 24.05.2014 23:01.
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18905
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;version.bind.
;; ANSWER SECTION:
version.bind.
CH
TXT
0
CH
TXT
;; AUTHORITY SECTION:
version.bind.
0
CH
NS
;;
;;
;;
;;
"9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1"
version.bind.
Query time: 1 msec
SERVER: 10.0.0.20#53(10.0.0.20)
WHEN: Thu Oct 6 14:50:47 2011
MSG SIZE rcvd: 91
Zonenfiles überprüfen
Will man (s)ein Zonenfile überprüfen und/oder die verwendete Seriennummer ausgeben, so nutz man
den Befehl named-checkzone
# named-checkzone dmz.nausch.org /var/named/dynamic/dmz-forward
zone dmz.nausch.org/IN: loaded serial 2011100601
OK
Zonenfiles neu laden
Das Neuladen der Zonenkonfigurationsdateien eines DNS-Server, ohne den DNS-Server neu starten zu
müssen, erreicht man mit:
# rndc reload
dnssec-tools
# yum install dnssec-tools
# rpm -qil dnssec-tools
Name
: dnssec-tools
Version
: 1.13
Vendor: Fedora Project
Release
: 12.el6
Build Date: Fri 24 May 2013
01:05:40 AM CEST
Install Date: Sat 24 May 2014 08:44:32 PM CEST
Build Host:
buildvm-24.phx2.fedoraproject.org
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
29/36
Group
: System Environment/Base
Source RPM: dnssectools-1.13-12.el6.src.rpm
Size
: 2004766
License: BSD
Signature
: RSA/8, Fri 24 May 2013 06:56:53 PM CEST, Key ID
3b49df2a0608b895
Packager
: Fedora Project
URL
: http://www.dnssec-tools.org/
Summary
: A suite of tools for managing dnssec aware DNS usage
Description :
The goal of the DNSSEC-Tools project is to create a set of tools,
patches, applications, wrappers, extensions, and plugins that will
help ease the deployment of DNSSEC-related technologies.
/etc/dnssec-tools
/etc/dnssec-tools/dnssec-tools.conf
/usr/bin/blinkenlights
/usr/bin/bubbles
/usr/bin/buildrealms
/usr/bin/check-zone-expiration
/usr/bin/cleanarch
/usr/bin/cleankrf
/usr/bin/convertar
/usr/bin/dnspktflow
/usr/bin/donuts
/usr/bin/donutsd
/usr/bin/drawvalmap
/usr/bin/dt-getaddr
/usr/bin/dt-gethost
/usr/bin/dt-getname
/usr/bin/dt-getquery
/usr/bin/dt-getrrset
/usr/bin/dt-validate
/usr/bin/dtck
/usr/bin/dtconf
/usr/bin/dtconfchk
/usr/bin/dtdefs
/usr/bin/dtinitconf
/usr/bin/dtrealms
/usr/bin/expchk
/usr/bin/fixkrf
/usr/bin/genkrf
/usr/bin/getdnskeys
/usr/bin/getds
/usr/bin/grandvizier
/usr/bin/keyarch
/usr/bin/keymod
/usr/bin/krfcheck
/usr/bin/libval_check_conf
/usr/bin/lights
/usr/bin/lsdnssec
/usr/bin/lskrf
Last update: 24.05.2014 23:01.
/usr/bin/lsrealm
/usr/bin/lsroll
/usr/bin/maketestzone
/usr/bin/mapper
/usr/bin/realmchk
/usr/bin/realmctl
/usr/bin/realminit
/usr/bin/realmset
/usr/bin/rollchk
/usr/bin/rollctl
/usr/bin/rollerd
/usr/bin/rollinit
/usr/bin/rolllog
/usr/bin/rollrec-editor
/usr/bin/rollset
/usr/bin/signset-editor
/usr/bin/tachk
/usr/bin/timetrans
/usr/bin/trustman
/usr/bin/zonesigner
/usr/share/dnssec-tools
/usr/share/dnssec-tools/donuts
/usr/share/dnssec-tools/donuts/rules
/usr/share/dnssec-tools/donuts/rules/check_nameservers.txt
/usr/share/dnssec-tools/donuts/rules/dns.errors.txt
/usr/share/dnssec-tools/donuts/rules/dnssec.rules.txt
/usr/share/dnssec-tools/donuts/rules/nsec_check.rules.txt
/usr/share/dnssec-tools/donuts/rules/parent_child.rules.txt
/usr/share/dnssec-tools/donuts/rules/recommendations.rules.txt
/usr/share/dnssec-tools/validator-testcases
/usr/share/doc/dnssec-tools-1.13
/usr/share/doc/dnssec-tools-1.13/COPYING
/usr/share/doc/dnssec-tools-1.13/INSTALL
/usr/share/doc/dnssec-tools-1.13/README
/usr/share/man/man1/blinkenlights.1.gz
/usr/share/man/man1/bubbles.1.gz
/usr/share/man/man1/buildrealms.1.gz
/usr/share/man/man1/check-zone-expiration.1.gz
/usr/share/man/man1/cleanarch.1.gz
/usr/share/man/man1/cleankrf.1.gz
/usr/share/man/man1/convertar.1.gz
/usr/share/man/man1/dnspktflow.1.gz
/usr/share/man/man1/dnssec-tools.1.gz
/usr/share/man/man1/donuts.1.gz
/usr/share/man/man1/donutsd.1.gz
/usr/share/man/man1/drawvalmap.1.gz
/usr/share/man/man1/dt-getaddr.1.gz
/usr/share/man/man1/dt-gethost.1.gz
/usr/share/man/man1/dt-getname.1.gz
/usr/share/man/man1/dt-getquery.1.gz
/usr/share/man/man1/dt-getrrset.1.gz
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
31/36
/usr/share/man/man1/dt-libval_check_conf.1.gz
/usr/share/man/man1/dt-validate.1.gz
/usr/share/man/man1/dtck.1.gz
/usr/share/man/man1/dtconf.1.gz
/usr/share/man/man1/dtconfchk.1.gz
/usr/share/man/man1/dtdefs.1.gz
/usr/share/man/man1/dtinitconf.1.gz
/usr/share/man/man1/dtrealms.1.gz
/usr/share/man/man1/expchk.1.gz
/usr/share/man/man1/fixkrf.1.gz
/usr/share/man/man1/genkrf.1.gz
/usr/share/man/man1/getdnskeys.1.gz
/usr/share/man/man1/getds.1.gz
/usr/share/man/man1/grandvizier.1.gz
/usr/share/man/man1/keyarch.1.gz
/usr/share/man/man1/keymod.1.gz
/usr/share/man/man1/krfcheck.1.gz
/usr/share/man/man1/lights.1.gz
/usr/share/man/man1/lsdnssec.1.gz
/usr/share/man/man1/lskrf.1.gz
/usr/share/man/man1/lsrealm.1.gz
/usr/share/man/man1/lsroll.1.gz
/usr/share/man/man1/maketestzone.1.gz
/usr/share/man/man1/mapper.1.gz
/usr/share/man/man1/realmchk.1.gz
/usr/share/man/man1/realmctl.1.gz
/usr/share/man/man1/realminit.1.gz
/usr/share/man/man1/realmset.1.gz
/usr/share/man/man1/rollchk.1.gz
/usr/share/man/man1/rollctl.1.gz
/usr/share/man/man1/rollerd.1.gz
/usr/share/man/man1/rollinit.1.gz
/usr/share/man/man1/rolllog.1.gz
/usr/share/man/man1/rollrec-editor.1.gz
/usr/share/man/man1/rollset.1.gz
/usr/share/man/man1/signset-editor.1.gz
/usr/share/man/man1/tachk.1.gz
/usr/share/man/man1/timetrans.1.gz
/usr/share/man/man1/trustman.1.gz
/usr/share/man/man1/zonesigner.1.gz
/usr/share/man/man3/Net::DNS::SEC::Tools::realm.3pm.gz
/usr/share/man/man3/Net::DNS::SEC::Tools::realmmgr.3pm.gz
/usr/share/man/man3/p_ac_status.3.gz
/usr/share/man/man3/p_val_status.3.gz
zone-check
# yum install zone-check -y
Last update: 24.05.2014 23:01.
# rpm -qil zonecheck
Name
: zonecheck
Version
: 2.0.4
Vendor: Dag Apt Repository,
http://dag.wieers.com/apt/
Release
: 1.2.el6.rf
Build Date: Fri 12 Nov 2010
10:58:44 AM CET
Install Date: Sat 24 May 2014 11:00:03 PM CEST
Build Host:
lisse.hasselt.wieers.com
Group
: Applications/Internet
Source RPM:
zonecheck-2.0.4-1.2.el6.rf.src.rpm
Size
: 792719
License: GPL
Signature
: DSA/SHA1, Sat 13 Nov 2010 12:05:24 AM CET, Key ID
a20e52146b8d79e6
Packager
: Dag Wieers <[email protected]>
URL
: http://www.zonecheck.fr/
Summary
: Perform consistency checks on DNS zones
Description :
ZoneCheck is intended to help solve DNS misconfigurations or
inconsistencies that are usually revealed by an increase in
the latency of the application. The DNS is a critical resource
for every network application, so it is quite important to
ensure that a zone or domain name is correctly configured in
the DNS.
/etc/zonecheck
/etc/zonecheck/afnic.profile
/etc/zonecheck/de.profile
/etc/zonecheck/default.profile
/etc/zonecheck/reverse.profile
/etc/zonecheck/rootservers
/etc/zonecheck/zc.conf
/usr/bin/zonecheck
/usr/lib/zonecheck
/usr/lib/zonecheck/cgi-bin
/usr/lib/zonecheck/cgi-bin/zc.cgi
/usr/lib/zonecheck/lib
/usr/lib/zonecheck/lib/address
/usr/lib/zonecheck/lib/address.rb
/usr/lib/zonecheck/lib/address/common.rb
/usr/lib/zonecheck/lib/address/ipv4.rb
/usr/lib/zonecheck/lib/address/ipv6.rb
/usr/lib/zonecheck/lib/nresolv
/usr/lib/zonecheck/lib/nresolv.rb
/usr/lib/zonecheck/lib/nresolv/compatibility.rb
/usr/lib/zonecheck/lib/nresolv/config.rb
/usr/lib/zonecheck/lib/nresolv/constants.rb
/usr/lib/zonecheck/lib/nresolv/dbg.rb
/usr/lib/zonecheck/lib/nresolv/dig_output.rb
/usr/lib/zonecheck/lib/nresolv/dns.rb
/usr/lib/zonecheck/lib/nresolv/dns_message.rb
/usr/lib/zonecheck/lib/nresolv/dns_name.rb
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
33/36
/usr/lib/zonecheck/lib/nresolv/dns_resource.rb
/usr/lib/zonecheck/lib/nresolv/host.rb
/usr/lib/zonecheck/lib/nresolv/resolver.rb
/usr/lib/zonecheck/lib/nresolv/transport.rb
/usr/lib/zonecheck/lib/nresolv/wire.rb
/usr/lib/zonecheck/lib/textfmt.rb
/usr/lib/zonecheck/lib/whois.rb
/usr/lib/zonecheck/locale
/usr/lib/zonecheck/locale/cgi.en
/usr/lib/zonecheck/locale/cgi.fr
/usr/lib/zonecheck/locale/cli.en
/usr/lib/zonecheck/locale/cli.fr
/usr/lib/zonecheck/locale/gtk.en
/usr/lib/zonecheck/locale/gtk.fr
/usr/lib/zonecheck/locale/inetd.en
/usr/lib/zonecheck/locale/inetd.fr
/usr/lib/zonecheck/locale/test
/usr/lib/zonecheck/locale/test/axfr.en
/usr/lib/zonecheck/locale/test/axfr.fr
/usr/lib/zonecheck/locale/test/connectivity.en
/usr/lib/zonecheck/locale/test/connectivity.fr
/usr/lib/zonecheck/locale/test/generic.en
/usr/lib/zonecheck/locale/test/generic.fr
/usr/lib/zonecheck/locale/test/interop.en
/usr/lib/zonecheck/locale/test/interop.fr
/usr/lib/zonecheck/locale/test/loopback.en
/usr/lib/zonecheck/locale/test/loopback.fr
/usr/lib/zonecheck/locale/test/mail.en
/usr/lib/zonecheck/locale/test/mail.fr
/usr/lib/zonecheck/locale/test/misc.en
/usr/lib/zonecheck/locale/test/misc.fr
/usr/lib/zonecheck/locale/test/mx.en
/usr/lib/zonecheck/locale/test/mx.fr
/usr/lib/zonecheck/locale/test/nameserver.en
/usr/lib/zonecheck/locale/test/nameserver.fr
/usr/lib/zonecheck/locale/test/ns.en
/usr/lib/zonecheck/locale/test/ns.fr
/usr/lib/zonecheck/locale/test/rootserver.en
/usr/lib/zonecheck/locale/test/rootserver.fr
/usr/lib/zonecheck/locale/test/soa.en
/usr/lib/zonecheck/locale/test/soa.fr
/usr/lib/zonecheck/locale/zc.en
/usr/lib/zonecheck/locale/zc.fr
/usr/lib/zonecheck/test
/usr/lib/zonecheck/test/axfr.rb
/usr/lib/zonecheck/test/connectivity.rb
/usr/lib/zonecheck/test/generic.rb
/usr/lib/zonecheck/test/interop.rb
/usr/lib/zonecheck/test/loopback.rb
/usr/lib/zonecheck/test/mail.rb
/usr/lib/zonecheck/test/misc.rb
Last update: 24.05.2014 23:01.
/usr/lib/zonecheck/test/mx.rb
/usr/lib/zonecheck/test/nameserver.rb
/usr/lib/zonecheck/test/ns.rb
/usr/lib/zonecheck/test/rootserver.rb
/usr/lib/zonecheck/test/soa.rb
/usr/lib/zonecheck/www
/usr/lib/zonecheck/www/html
/usr/lib/zonecheck/www/html/batch.html.en
/usr/lib/zonecheck/www/html/batch.html.fr
/usr/lib/zonecheck/www/html/form.html.en
/usr/lib/zonecheck/www/html/form.html.fr
/usr/lib/zonecheck/www/img
/usr/lib/zonecheck/www/img/details.png
/usr/lib/zonecheck/www/img/element.png
/usr/lib/zonecheck/www/img/fatal.png
/usr/lib/zonecheck/www/img/gear.png
/usr/lib/zonecheck/www/img/info.png
/usr/lib/zonecheck/www/img/light.png
/usr/lib/zonecheck/www/img/logo.png
/usr/lib/zonecheck/www/img/loupe.png
/usr/lib/zonecheck/www/img/notepad.png
/usr/lib/zonecheck/www/img/ok.png
/usr/lib/zonecheck/www/img/primary.png
/usr/lib/zonecheck/www/img/ref.png
/usr/lib/zonecheck/www/img/secondary.png
/usr/lib/zonecheck/www/img/warning.png
/usr/lib/zonecheck/www/img/zc-fav.png
/usr/lib/zonecheck/www/img/zone.png
/usr/lib/zonecheck/www/js
/usr/lib/zonecheck/www/js/formvalidation.js
/usr/lib/zonecheck/www/js/popupmenu.js
/usr/lib/zonecheck/www/js/progress.js
/usr/lib/zonecheck/www/style
/usr/lib/zonecheck/www/style/zc.css
/usr/lib/zonecheck/www/zonecheck.conf.in
/usr/lib/zonecheck/zc
/usr/lib/zonecheck/zc/cache.rb
/usr/lib/zonecheck/zc/cachemanager.rb
/usr/lib/zonecheck/zc/config.rb
/usr/lib/zonecheck/zc/console.rb
/usr/lib/zonecheck/zc/data
/usr/lib/zonecheck/zc/data/catalog.xml
/usr/lib/zonecheck/zc/data/config.dtd
/usr/lib/zonecheck/zc/data/logo.rb
/usr/lib/zonecheck/zc/data/msgcat.dtd
/usr/lib/zonecheck/zc/data/xpm.rb
/usr/lib/zonecheck/zc/data/zonecheck.dtd
/usr/lib/zonecheck/zc/dbg.rb
/usr/lib/zonecheck/zc/ext
/usr/lib/zonecheck/zc/ext/array.rb
/usr/lib/zonecheck/zc/ext/file.rb
Printed on 24.12.2016 11:37.
24.12.2016 11:37.
35/36
/usr/lib/zonecheck/zc/ext/gtk.rb
/usr/lib/zonecheck/zc/ext/myxml.rb
/usr/lib/zonecheck/zc/framework.rb
/usr/lib/zonecheck/zc/input
/usr/lib/zonecheck/zc/input/cgi.rb
/usr/lib/zonecheck/zc/input/cli.rb
/usr/lib/zonecheck/zc/input/gtk.rb
/usr/lib/zonecheck/zc/input/inetd.rb
/usr/lib/zonecheck/zc/instructions.rb
/usr/lib/zonecheck/zc/locale.rb
/usr/lib/zonecheck/zc/mail.rb
/usr/lib/zonecheck/zc/msgcat.rb
/usr/lib/zonecheck/zc/param.rb
/usr/lib/zonecheck/zc/publisher
/usr/lib/zonecheck/zc/publisher.rb
/usr/lib/zonecheck/zc/publisher/gtk.rb
/usr/lib/zonecheck/zc/publisher/html.rb
/usr/lib/zonecheck/zc/publisher/text.rb
/usr/lib/zonecheck/zc/publisher/xml.rb
/usr/lib/zonecheck/zc/report
/usr/lib/zonecheck/zc/report.rb
/usr/lib/zonecheck/zc/report/byhost.rb
/usr/lib/zonecheck/zc/report/byseverity.rb
/usr/lib/zonecheck/zc/testmanager.rb
/usr/lib/zonecheck/zc/zc.rb
/usr/lib/zonecheck/zc/zonecheck.rb
/usr/share/doc/zonecheck-2.0.4
/usr/share/doc/zonecheck-2.0.4/BUGS
/usr/share/doc/zonecheck-2.0.4/COPYING
/usr/share/doc/zonecheck-2.0.4/CREDITS
/usr/share/doc/zonecheck-2.0.4/ChangeLog
/usr/share/doc/zonecheck-2.0.4/GPL
/usr/share/doc/zonecheck-2.0.4/HISTORY
/usr/share/doc/zonecheck-2.0.4/README
/usr/share/doc/zonecheck-2.0.4/TODO
/usr/share/doc/zonecheck-2.0.4/html
/usr/share/doc/zonecheck-2.0.4/html/FAQ.html
/usr/share/doc/zonecheck-2.0.4/html/apa.html
/usr/share/doc/zonecheck-2.0.4/html/ch01.html
/usr/share/doc/zonecheck-2.0.4/html/ch01s02.html
Last update: 24.05.2014 23:01.
/usr/share/doc/zonecheck-2.0.4/html/index-toc.html
/usr/share/doc/zonecheck-2.0.4/html/index.html
/usr/share/man/man1/zonecheck.1.gz
Links
Zurück zu Projekte und Themenkapitel
Zurück zur Startseite
1)
Berkeley Internet Name Domain
SmallOfficeHomeOffice
3)
Domain Name System
4)
change root
2)
From:
https://dokuwiki.nausch.org/ - Linux - Wissensdatenbank
Permanent link:
https://dokuwiki.nausch.org/doku.php/centos:bind_c6
Last update: 24.05.2014 23:01.
Printed on 24.12.2016 11:37.

BIND Nameserver unter CentOS 6 - Linux

Transcription

Documents pareils

Abwehr von SYN-Flood mit Hilfe von SynBlock

ultraschallreiniger

Qt mit Eclipse - Institut für Mathematik

BITTE 64 BIT!

Das 1. Pflegestärkungsgesetz verständlich gemacht

Konfiguration Server System Intel XEON CHF inkl

Franz Dobler THe boY naMeD SUe

Rafael van der Vaart als Pate des Förderprojektes Anstoß! e.V.

Buchen- und Eichen-Sägeholzsortierung im Walde

1 Erste Schritte