■bind9 configuration on Vyatta
Continuing from the previous post:
Security on Vyatta 6.4 (mail virus protection)
http://d.hatena.ne.jp/labunix/20120729
■The procedure is the same as in the following posts.
bind log output and cache control with rndc
http://d.hatena.ne.jp/labunix/20120502
Adding DNSSEC support with squeeze+bind
http://d.hatena.ne.jp/labunix/20120503/
■Logging was already configured last time.
$ sudo grep -A 11 logging /etc/bind/named.conf.options
logging {
channel "default-log" {
file "/var/log/bind/bind.log" versions 10 size 100k;
severity info;
print-time yes;
print-severity yes;
print-category yes;
};
category default { "default-log"; };
category lame-servers { null; };
};
■rndc configuration
$ sudo head -4 /etc/bind/named.conf.options
Controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
include "/etc/bind/rndc.key";
■Forward and reverse zone configuration
Basically the same as the following post.
nsupdate can wait until later. After running nsupdate and confirming that the change is reflected in the cache, delete the "jnl" file.
MX is also left for later.
Installing DNS on two squeeze virtual machines
http://d.hatena.ne.jp/labunix/20120404/
$ sudo grep -v "//" /etc/bind/named.conf.local
zone "labunix.in" {
type master;
file "labunix.in.zone";
allow-update {127.0.0.1;};
allow-query {127.0.0.1;192.168.72.0/24;};
};
zone "72.168.192.in-addr.arpa" {
type master;
file "labunix.in.rev";
allow-update {127.0.0.1;};
allow-query {127.0.0.1;192.168.72.0/24;};
};
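The two zone blocks above restrict `allow-update` by source address. BIND evaluates such an ACL against the packet's source address only, so a `key` (TSIG) entry is the safer form of `allow-update`. The following is an added example, not code from the post or from the BIND project: a small audit script that parses `zone "..." { ... };` blocks in this shape and flags address-only `allow-update` ACLs and master zones without an `allow-query` restriction. The sample configuration is constructed from the post's layout; the key name `ddns-key` and the zone `example.test` are hypothetical.

```python
"""Audit zone blocks in a named.conf fragment for update/query ACLs.

Added example, not from the post. It parses 'zone "..." { ... };' blocks
like the ones in the post's named.conf.local and flags allow-update ACLs
that rely only on source addresses: BIND matches such entries on the
packet's source address alone, so a 'key' (TSIG) entry is the safer form.
It also flags master zones that carry no allow-query restriction.
"""
import re

# Constructed sample in the shape of the post's named.conf.local; the
# second zone uses a hypothetical TSIG key name "ddns-key" and the third
# zone is a hypothetical one with no ACLs at all.
SAMPLE_CONF = """\
zone "labunix.in" {
type master;
file "labunix.in.zone";
allow-update {127.0.0.1;};
allow-query {127.0.0.1;192.168.72.0/24;};
};
zone "72.168.192.in-addr.arpa" {
type master;
file "labunix.in.rev";
allow-update { key "ddns-key"; };
allow-query {127.0.0.1;192.168.72.0/24;};
};
zone "example.test" {
type master;
file "example.test.zone";
};
"""

# A zone block ends with "};" on a line of its own; inner statements keep
# their closing brace on the same line as the statement.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ACL_RE = re.compile(r"(allow-\w+)\s*\{([^}]*)\}")


def parse_zones(conf_text):
    """Map zone name -> {'type': str, 'acls': {statement: [entries]}}."""
    zones = {}
    for name, body in ZONE_RE.findall(conf_text):
        t = re.search(r"\btype\s+(\w+)\s*;", body)
        acls = {}
        for stmt, inner in ACL_RE.findall(body):
            # Entries are ';'-separated, e.g. '127.0.0.1' or 'key "ddns-key"'.
            acls[stmt] = [e.strip() for e in inner.split(";") if e.strip()]
        zones[name] = {"type": t.group(1) if t else None, "acls": acls}
    return zones


def audit_zones(zones):
    """Return (zone, finding) pairs, in configuration order."""
    findings = []
    for name, z in zones.items():
        upd = z["acls"].get("allow-update")
        if upd is not None:
            if "any" in upd:
                findings.append((name, "allow-update is open to any client"))
            elif not all(e.startswith("key ") for e in upd):
                findings.append((name, "allow-update relies on source addresses only; use a TSIG key"))
        if z["type"] == "master" and "allow-query" not in z["acls"]:
            findings.append((name, "no allow-query restriction (answers any client)"))
    return findings


if __name__ == "__main__":
    for zone, finding in audit_zones(parse_zones(SAMPLE_CONF)):
        print("%s: %s" % (zone, finding))
```

Run against the sample, it reports only the first and third zones; the reverse zone, which uses a `key` entry, passes. Feed it the output of `sudo grep -v "//" /etc/bind/named.conf.local` to check a live configuration.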
$ sudo named-checkconf
$ sudo cat /var/cache/bind/labunix.in.zone
$TTL 3600
@ IN SOA labunix.in. root.labunix.in. (
2012073007 ; Serial
1800 ; Refresh
900 ; Retry
604800 ; Expire
1200 ) ; Negative Cache TTL
;
@ IN NS labunix.in.
IN A 192.168.72.213
vyatta64.labunix.in. IN CNAME labunix.in.
$ sudo named-checkzone labunix.in /var/cache/bind/labunix.in.zone
zone labunix.in/IN: loaded serial 2012073001
OK
$ sudo cat /var/cache/bind/labunix.in.rev
$TTL 3600
@ IN SOA labunix.in. root.labunix.in. (
2012073001 ; Serial
1800 ; Refresh
900 ; Retry
604800 ; Expire
1200 ) ; Negative Cache TTL
;
@ IN NS labunix.in.
213 IN PTR labunix.in.
$ sudo named-checkzone 72.168.192.in-addr.arpa /var/cache/bind/labunix.in.rev
zone 72.168.192.in-addr.arpa/IN: loaded serial 2012073001
OK
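`named-checkzone` only confirms that the zone parses and loads; it does not warn about a relative MNAME/RNAME in the SOA (a name without a trailing dot gets the zone origin appended), about the YYYYMMDDnn serial convention used above, or about whether a new serial will actually count as newer. The following is an added example, not from the post or from BIND: a checker for exactly those SOA points, plus the RFC 1982 serial comparison a secondary applies before transferring. The sample zone is constructed from the post's reverse zone with the trailing dot deliberately left off `root.labunix.in` to show what the checker catches.

```python
"""SOA sanity checks for BIND zone files.

Added example, not from the post. A zone can load cleanly through
named-checkzone and still have a relative MNAME/RNAME (missing trailing
dot), a serial outside the YYYYMMDDnn convention, or timer values in the
wrong order. serial_is_newer() implements the RFC 1982 comparison that
decides whether a secondary treats a serial as an increase.
"""
import re
from datetime import datetime

# Constructed sample modelled on the post's reverse zone; the RNAME
# "root.labunix.in" is written without a trailing dot on purpose.
SAMPLE_ZONE = """\
$TTL 3600
@ IN SOA labunix.in. root.labunix.in (
2012073001 ; Serial
1800 ; Refresh
900 ; Retry
604800 ; Expire
1200 ) ; Negative Cache TTL
;
@ IN NS labunix.in.
213 IN PTR labunix.in.
"""
# The same zone with the dot added.
FIXED_ZONE = SAMPLE_ZONE.replace("root.labunix.in (", "root.labunix.in. (")

# MNAME, RNAME, then the five numeric fields inside the parentheses.
SOA_RE = re.compile(r"\bSOA\s+(\S+)\s+(\S+)\s*\(([^)]*)\)")


def strip_comments(text):
    """Drop everything after ';' on each line (zone-file comment syntax)."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(zone_text):
    """Return (mname, rname, serial, refresh, retry, expire, minimum)."""
    m = SOA_RE.search(strip_comments(zone_text))
    if m is None:
        raise ValueError("no SOA record found")
    fields = m.group(3).split()
    if len(fields) != 5:
        raise ValueError("SOA needs 5 numeric fields, got %d" % len(fields))
    return (m.group(1), m.group(2)) + tuple(int(f) for f in fields)


def check_soa(zone_text):
    """Return a list of human-readable problems; an empty list means OK."""
    mname, rname, serial, refresh, retry, expire, minimum = parse_soa(zone_text)
    problems = []
    for label, name in (("MNAME", mname), ("RNAME", rname)):
        if not name.endswith("."):
            problems.append("%s %r is relative; the zone origin will be appended" % (label, name))
    s = str(serial)
    try:
        datetime.strptime(s[:8], "%Y%m%d")
        serial_ok = len(s) == 10
    except ValueError:
        serial_ok = False
    if not serial_ok:
        problems.append("serial %d is not in YYYYMMDDnn form" % serial)
    if retry >= refresh:
        problems.append("retry (%d) should be shorter than refresh (%d)" % (retry, refresh))
    if expire < refresh + retry:
        problems.append("expire (%d) is shorter than refresh+retry" % expire)
    return problems


def serial_is_newer(old, new):
    """RFC 1982: True when 'new' is ahead of 'old' modulo 2^32."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)


if __name__ == "__main__":
    for label, zone in (("sample", SAMPLE_ZONE), ("fixed", FIXED_ZONE)):
        print(label, check_soa(zone) or "OK")
    print("2012073001 -> 2012073007 newer:", serial_is_newer(2012073001, 2012073007))
```

Run on the constructed sample it reports the relative RNAME and nothing else; on the fixed copy it reports nothing. Run it over `/var/cache/bind/labunix.in.zone` and `labunix.in.rev` before each `named-checkzone` to catch the dot and serial mistakes that the loader accepts silently.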
■Try a lookup
$ dig vyatta64.labunix.in. @127.0.0.1 | grep -A 1 HEAD | awk -F\: '{print $2,$3,$4,$5,$6}'
QUERY, status NOERROR, id 63525
qr aa rd ra; QUERY 1, ANSWER 2, AUTHORITY 1, ADDITIONAL 0
$ dig labunix.in. @127.0.0.1 | grep -A 1 HEAD | awk -F\: '{print $2,$3,$4,$5,$6}'
QUERY, status NOERROR, id 5122
qr aa rd ra; QUERY 1, ANSWER 1, AUTHORITY 1, ADDITIONAL 0
$ dig 72.168.192.in-addr.arpa @127.0.0.1 | grep -A 1 HEAD | awk -F\: '{print $2,$3,$4,$5,$6}'
QUERY, status NOERROR, id 26196
qr aa rd ra; QUERY 1, ANSWER 0, AUTHORITY 1, ADDITIONAL 0
$ dig vyatta.labunix.in. @127.0.0.1 | grep "IN"
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36816
;vyatta.labunix.in. IN A
labunix.in. 1200 IN SOA labunix.in. root.labunix.in. 2012073009 1800 900 604800 1200
■While at it, enable DNSSEC.
Basically the same as the following post; substitute the zone names as appropriate.
The linked post is a little more thorough.
Adding DNSSEC support with squeeze+bind
http://d.hatena.ne.jp/labunix/20120503/
$ sudo apt-get install -y dnssec-tools libmailtools-perl libcrypt-openssl-random-perl
$ cd /var/cache/bind
$ sudo zonesigner -genkeys -usensec3 -zone labunix.in. /var/cache/bind/labunix.in.zone
0 errors found in /var/cache/bind/labunix.in.zone.signed
$ sudo grep -A 4 dnssec-enable /etc/bind/named.conf.options
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
auth-nxdomain no;
//listen-on-v6 { any; };
$ grep -v "#" /etc/bind/bind.keys | grep "[a-z]\. " | awk '{print $1}'
dlv.isc.org.
$ sudo grep include /etc/bind/named.conf.options
include "/etc/bind/rndc.key";
include "/etc/bind/bind.keys";
$ sudo named-checkconf && sudo /etc/init.d/bind restart
■Try a lookup
$ dig +dnssec www.isc.org @127.0.0.1 2>&1| grep -A 1 HEADER | awk -F\: '{print $2,$3,$4,$5,$6}'
QUERY, status NOERROR, id 5066
qr rd ra ad; QUERY 1, ANSWER 2, AUTHORITY 5, ADDITIONAL 13
$ dig +dnssec www.verisignlabs.com @127.0.0.1 2>&1| grep -A 1 HEADER | awk -F\: '{print $2,$3,$4,$5,$6}'
QUERY, status NOERROR, id 49197
qr rd ra ad; QUERY 1, ANSWER 4, AUTHORITY 12, ADDITIONAL 1
$ dig +dnssec labunix.in @127.0.0.1 2>&1| grep "IN\|HEADER\|ANSWER" | sed s/"<\|>\|-"//g
;; HEADER opcode: QUERY, status: NOERROR, id: 60265
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;labunix.in. IN A
;; ANSWER SECTION:
labunix.in. 3600 IN A 192.168.72.213
labunix.in. 3600 IN NS labunix.in.
$ dig +dnssec vyatta64.labunix.in @127.0.0.1 2>&1| grep "IN\|HEADER\|ANSWER" | sed s/"<\|>\|-"//g
;; HEADER opcode: QUERY, status: NOERROR, id: 56872
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
;vyatta64.labunix.in. IN A
;; ANSWER SECTION:
vyatta64.labunix.in. 3600 IN CNAME labunix.in.
labunix.in. 3600 IN A 192.168.72.213
labunix.in. 3600 IN NS labunix.in.
$ dig +dnssec 72.168.192.in-addr.arpa @127.0.0.1 2>&1| grep "IN\|HEADER\|ANSWER" | sed s/"<\|>\|-"//g
;; HEADER opcode: QUERY, status: NOERROR, id: 63478
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;72.168.192.inaddr.arpa. IN A
72.168.192.inaddr.arpa. 1200 IN SOA labunix.in. root.labunix.in. 2012073001 1800 900 604800 1200
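In the headers above the external names come back with `ad` set (the resolver validated the chain against its trust anchors), while the server's own zones come back with `aa` but no `ad`: authoritative answers are not validated data, so a monitor that wants to know whether validation is working has to key on `ad`, not `aa`. The following is an added example, not from the post or from BIND: a parser for dig's header and flags lines that also accepts the forms the post's awk and sed pipelines produce, and a classifier that separates validated, authoritative-only and negative answers. The sample lines are taken from the post's output except the flags line for `vyatta.labunix.in`, which is constructed.

```python
"""Parse dig's header/flags lines and classify the answer.

Added example, not from the post. It accepts the raw dig header
(";; ->>HEADER<<- opcode: ..., status: ..., id: ...") as well as the
colon-stripped forms the post's awk and sed pipelines leave behind, then
reports whether an answer was DNSSEC-validated ('ad'), merely
authoritative ('aa'), unvalidated, or negative.
"""
import re

# Sample (header line, flags line) pairs in the shape of the post's output.
# The flags line for vyatta.labunix.in is constructed; the post shows only
# its header line.
SAMPLE_HEADERS = {
    "www.isc.org": (
        ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5066",
        ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 5, ADDITIONAL: 13",
    ),
    "www.verisignlabs.com": (  # as left by the post's awk -F: pipeline
        "QUERY, status NOERROR, id 49197",
        "qr rd ra ad; QUERY 1, ANSWER 4, AUTHORITY 12, ADDITIONAL 1",
    ),
    "labunix.in": (  # as left by the post's sed pipeline
        ";; HEADER opcode: QUERY, status: NOERROR, id: 60265",
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1",
    ),
    "vyatta.labunix.in": (
        ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36816",
        ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0",
    ),
}

# The ':' after each keyword is optional so the awk-stripped form parses too.
HEADER_RE = re.compile(r"status:?\s*(\w+),\s*id:?\s*(\d+)")
FLAGS_RE = re.compile(r"^(?:;;\s*flags:\s*)?([a-z ]*);\s*(.*)$")
COUNT_RE = re.compile(r"([A-Z]+):?\s*(\d+)")


def parse_dig_header(header_line, flags_line):
    """Return {'status', 'id', 'flags' (set), 'counts' (dict)} for one query."""
    h = HEADER_RE.search(header_line)
    f = FLAGS_RE.match(flags_line.strip())
    if h is None or f is None:
        raise ValueError("unrecognised dig header")
    return {
        "status": h.group(1),
        "id": int(h.group(2)),
        "flags": set(f.group(1).split()),
        "counts": {name: int(n) for name, n in COUNT_RE.findall(f.group(2))},
    }


def classify(parsed):
    """Short verdict: validated, authoritative-unvalidated, unvalidated, nxdomain or error:<rcode>."""
    flags = parsed["flags"]
    if parsed["status"] == "NXDOMAIN":
        return "nxdomain"
    if parsed["status"] != "NOERROR":
        return "error:" + parsed["status"]
    if "ad" in flags:
        return "validated"
    if "aa" in flags:
        return "authoritative-unvalidated"
    return "unvalidated"


def summarize(samples):
    """Map each query name to its verdict."""
    return {name: classify(parse_dig_header(*lines)) for name, lines in samples.items()}


if __name__ == "__main__":
    for name, verdict in summarize(SAMPLE_HEADERS).items():
        print("%-22s %s" % (name, verdict))
```

With `dig +dnssec <name> @127.0.0.1 | grep -A 1 HEADER` as input, the two lines can be handed straight to `parse_dig_header`. A validating resolver that starts answering "unvalidated" for a name that used to be "validated" is the signal to look at the trust anchors and the logging channel configured above.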