Versões utilizadas: Debian 11 + Bind
Realize a instalação do BIND
# apt install bind9 bind9-utils
Avaliar se está funcionando (o serviço deve aparecer como "active (running)" e sem erros de carga de zona no journal):
# systemctl status bind9.service
/etc/default/named <- Configuração do serviço
/etc/bind <- Repositório configurações de zona
/var/cache/bind/
Caso deseje usar somente IPv4, ajuste o parâmetro OPTIONS adicionando a opção "-4"; para somente IPv6 use "-6". Sem nenhuma das duas o named atende em ambas as famílias. No Debian 11 o arquivo é /etc/default/named (não /etc/default/bind9).
# vi /etc/default/named
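# run resolvconf?
RESOLVCONF=no
# startup options for the server
# "-4" restricts named to IPv4 sockets ("-6" for IPv6 only; omit both to serve
# both families). "-u bind" drops privileges to the bind user after binding
# port 53 -- never remove it, named must not keep running as root.
OPTIONS="-4 -u bind"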
# cat /etc/hosts
127.0.0.1 localhost
# NOTE(review): the host name is mapped twice (127.0.1.1 and 192.168.10.10).
# Lookups through /etc/hosts may return the loopback entry first, so services
# that bind or advertise themselves by host name can end up on 127.0.1.1.
# With a static address, keep only the 192.168.10.10 line for samba.local.domain.
127.0.1.1 samba.local.domain samba
192.168.10.10 samba.local.domain samba
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
Acesse o diretório /etc/bind e ajuste os parâmetros (ACL das redes permitidas, forwarders e política de transferência de zona) em named.conf.options:
# vi /etc/bind/named.conf.options
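// ALLOWED LANS ##########################################
// Every network that may query and recurse through this resolver. Keep the
// list tight: anything not listed gets REFUSED by the ACLs below.
//acl externals {};
acl knownips { 192.168.10.0/24; 192.168.20.0/24; 127.0.0.1; localhost; };
options {
directory "/var/cache/bind";
auth-nxdomain no; // conform to RFC 1035
// "auto" enables validation with the built-in root trust anchor. With "yes"
// BIND expects trust anchors to be configured by hand, and none are here.
dnssec-validation auto;
transfer-format many-answers;
listen-on { knownips; }; // only interfaces inside the LAN ranges (plus loopback)
//listen-on-v6 { any; };
allow-query { knownips; }; // knownips or any
allow-recursion { knownips; }; // never "any": an open resolver is an amplification target
// No secondary is configured for this resolver, so zone transfers are off
// globally instead of being offered to the whole LAN. Enable them per zone,
// with a TSIG key, when a secondary is added.
allow-transfer { none; };
allow-update { none; };
// Hide software and host identity from version.bind / hostname.bind CHAOS queries.
version none;
hostname none;
server-id none;
forwarders { 1.1.1.3; 9.9.9.11; };
};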
// LOG ###################################################
// One rotating file (5 x 5 MB). Query logging goes into the same file, so it
// turns over quickly on a busy LAN; raise "size"/"versions" or ship the
// channel to syslog if the history must survive for incident review.
logging {
channel bind_log {
file "/var/log/bind/bind.log" versions 5 size 5M;
severity info; // critical debug info error notice warning dynamic
print-time yes;
print-category yes;
print-severity yes;
};
category default { bind_log; };
category queries { bind_log; };
category query-errors { bind_log; };
category update { bind_log; };
category update-security { bind_log; };
category lame-servers { null; }; // noise caused by broken remote delegations
category dnssec { bind_log; };
category notify { bind_log; };
category xfer-in { bind_log; };
category xfer-out { bind_log; };
category client { bind_log; };
category security { bind_log; }; // refused queries/transfers land here
};
// RNDC KEY #################################################
// rndc control channel: loopback only, authenticated with the shared key.
// Keep /etc/bind/rndc.key mode 640 root:bind -- anyone able to read it can
// reload, flush or stop the server.
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
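//// TRANSFER KEY ##############################################
// For secondaries, when added: the keyword is "server" (lower case), and the
// transfer key should be a dedicated TSIG key (tsig-keygen transfer-key), not
// the rndc control key -- a secret that has to be copied to every secondary
// should not also be the one that controls this server.
//server <IP_SLAVE1> {
// transfer-format many-answers;
// keys { "transfer-key"; };
//};
//server <IP_SLAVE2> {
// transfer-format many-answers;
// keys { "transfer-key"; };
//};
// ZONES ###################################################
zone "local.domain" {
type master;
file "db.local.domain";
// No secondaries exist, so refuse AXFR/IXFR here regardless of the global
// setting. When they do, require the key: a list mixing addresses and a key
// is an OR-list, so "{ IP1; IP2; key ...; }" lets the addresses transfer unsigned.
//allow-transfer { key "transfer-key"; };
allow-transfer { none; };
};
// REVERSE #################################################
zone "10.168.192.in-addr.arpa" {
type master;
file "rev.10.168.192";
//allow-update { <IP>; }; // not allowed on a secondary
//allow-transfer { key "transfer-key"; };
allow-transfer { none; };
};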
Validar a configuração (sem argumento o named-checkconf lê /etc/bind/named.conf e todos os includes; com -z também carrega e valida os arquivos de zona):
# named-checkconf -z
Criando a área de log (o diretório deve pertencer ao usuário bind e não precisa ser legível por outros usuários):
# mkdir -p /var/log/bind
# chown bind:bind /var/log/bind
# chmod 750 /var/log/bind
Ajuste a permissão no AppArmor. Prefira o arquivo de overrides locais, que não é sobrescrito em atualizações do pacote:
# vi /etc/apparmor.d/local/usr.sbin.named
/var/log/bind/ rw,
/var/log/bind/** rw,
Recarregue o perfil do named (basta o perfil, não é necessário reiniciar o serviço inteiro):
# apparmor_parser -r /etc/apparmor.d/usr.sbin.named
A chave RNDC é armazenada no caminho e formato abaixo. Mantenha o arquivo com permissão 640 e dono root:bind — quem consegue ler a chave controla o servidor via rndc:
# vi /etc/bind/rndc.key
key "rndc-key" {
// hmac-md5 is the legacy algorithm; regenerate with hmac-sha256
// (rndc-confgen -a -A hmac-sha256). Every holder of the key must use the
// same algorithm and secret.
algorithm hmac-md5;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
É possível regerar a rndc-key com o comando abaixo (reinicie o named em seguida; se a mesma chave também for usada na transferência de zonas, atualize os secundários):
# rndc-confgen -a -A hmac-sha256
Conteúdo de /etc/bind/db.local.domain (zona direta):
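; Forward zone local.domain. Increment the serial on EVERY edit, otherwise
; secondaries and caches keep the old copy.
$TTL 3600
@ IN SOA samba.local.domain. root.local.domain. (
2022111702 ; Serial (YYYYMMDDnn)
600 ; Refresh
120 ; Retry
604800 ; Expire - must be much larger than Refresh; the old 600 s would make
; a secondary discard the zone ten minutes after losing the primary
60 ; Negative Cache TTL
)
local.domain. IN NS samba.local.domain.
; "localhost." was listed as a second NS: it is not a nameserver for this zone
; and any resolver that follows it gets a broken referral. Removed.
samba IN A 192.168.10.10
;ftp IN A <IP FTP>
;www IN A <IP WWW>
;algo IN AAAA ::1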
Conteúdo de /etc/bind/rev.10.168.192 (zona reversa de 192.168.10.0/24):
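; Reverse zone for 192.168.10.0/24. Keep the SOA timers in step with the
; forward zone and bump the serial on every edit.
$TTL 3600
@ IN SOA samba.local.domain. root.local.domain. (
2022111702 ; Serial
600 ; Refresh
120 ; Retry
604800 ; Expire (was 600, shorter than Refresh - see the forward zone)
60 ; Negative Cache TTL
)
@ IN NS samba.local.domain.
; $ORIGIN below equals the zone origin; it only documents where the PTRs live.
$ORIGIN 10.168.192.in-addr.arpa.
10 IN PTR samba.local.domain.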
Liberar portas no firewall. A porta 953 (rndc) NÃO precisa ser liberada: o bloco controls escuta somente em 127.0.0.1; abra-a apenas se o rndc for usado remotamente. Como o servidor é recursivo, as consultas que ele envia saem de portas de origem altas aleatórias e as respostas voltam nelas — libere o retorno como ESTABLISHED/RELATED em vez de abrir portas fixas.
INPUT TCP 53
INPUT UDP 53
OUTPUT TCP 53
OUTPUT UDP 53
No Master habilite os parâmetros de estatística para capturar os fluxos do Bind.
Ajustar os parâmetros de configuração
# vi /etc/bind/named.conf.options
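options {
....
// Per-zone counters; "rndc stats" appends a dump to this file, which must be
// writable by the bind user (the log directory created above is).
zone-statistics yes;
statistics-file "/var/log/bind/dns_stat.log";
....
};
// STATISTICS ##############################################
// statistics-channels is a top-level statement, not an options sub-statement,
// so the options block above must be closed first. Loopback only: the HTTP
// endpoint exposes the zone list, counters and cache state.
statistics-channels {
inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};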
Execute o comando para gerar o arquivo de estatística (o canal também responde em http://127.0.0.1:8653/ com XML/JSON):
# rndc stats
Realize a instalação do BIND
# apt install bind9 bind9-utils
Criar diretório de armazenamento das configurações e log. Observação: o perfil AppArmor padrão do named não libera /home/bind — adicione regras rw para /home/bind/ e /home/bind/** em /etc/apparmor.d/local/usr.sbin.named (ver nota 1 ao final) ou use o padrão /var/cache/bind.
# mkdir -p /home/bind/log
# chown -R bind:bind /home/bind
# chmod -R o-rwx /home/bind
Forçar a execução em IPv4 (-4). Para IPv6 use -6; para ambas as famílias deixe o padrão. No Debian 11 o arquivo é /etc/default/named:
# vi /etc/default/named
# run resolvconf?
RESOLVCONF=no
# startup options for the server
De:
OPTIONS="-u bind"
Para:
OPTIONS="-4 -u bind"
# vi /etc/bind/named.conf.options
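// ALLOWED LANS ##########################################
// Networks allowed to recurse through this server. Write entries as network
// prefixes (the base address of the /29 and /25, not a host inside them):
// a prefix with host bits set is rejected as an address/prefix length mismatch.
acl ips { 200.200.200.200/29; 180.180.180.180/25; 127.0.0.1; };
options {
directory "/home/bind";
auth-nxdomain no; # conform to RFC 1035
// dnssec-enable and dnssec-lookaside were dropped: DNSSEC is always enabled
// in BIND 9.16 (Debian 11) and the DLV registry the lookaside relied on no
// longer exists; recent named treats both options as obsolete.
dnssec-validation auto; # built-in root trust anchor; "yes" needs trust-anchors configured by hand
version "Not Available";
transfer-format many-answers;
listen-on { ips; };
allow-query { any; }; # authoritative data is public; recursion is not
allow-recursion { ips; };
cleaning-interval 60;
allow-transfer { none; }; # opened per zone, with a key, in the zone statements
allow-update { none; };
hostname none;
server-id none;
zone-statistics yes;
// Was /home/dns/log/..., a directory this guide never creates; the stats dump
// must land in the bind-owned log directory.
statistics-file "/home/bind/log/dns_stat.log";
//listen-on-v6 { any; };
// forwarders {
// 0.0.0.0;
// };
};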
// LOG ###################################################
// One rotating file under the directory created for the bind user above.
// Query logging stays commented out: on a public authoritative server it can
// fill 5 x 5 MB very quickly; enable it only while investigating.
logging {
channel dns_log {
file "/home/bind/log/dns.log" versions 5 size 5M;
severity info; // critical debug info error notice warning dynamic
print-time yes;
print-category yes;
print-severity yes;
};
category default {
dns_log;
};
// category queries {
// dns_log;
// };
};
// RNDC KEY #################################################
// rndc control channel: loopback only, authenticated with the shared key.
// Keep /etc/bind/rndc.key mode 640 root:bind -- anyone able to read it can
// reload, flush or stop the server.
include "/etc/bind/rndc.key";
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
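// TRANSFER KEY ##############################################
// TSIG for zone transfers and NOTIFYs to the secondaries. The keyword is
// "server" (lower case). rndc-key is reused here as in the original guide;
// prefer a dedicated key (tsig-keygen transfer-key > /etc/bind/transfer.key,
// hmac-sha256) so the secret copied to every secondary is not the one that
// controls rndc on this host.
server <IP_SLAVE1> {
transfer-format many-answers;
keys { "rndc-key"; };
//keys { TRANSFER; };
};
server <IP_SLAVE2> {
transfer-format many-answers;
keys { "rndc-key"; };
//keys { TRANSFER; };
};
// ZONES ###################################################
zone "dominio.com.br" {
type master;
// File name does not match the zone name; harmless, but rename when convenient.
file "colaborativo.net.br";
// Require the signed request. A list mixing addresses and a key is an OR:
// "{ IP1; IP2; key ...; }" let the listed addresses transfer unsigned, so any
// process on those hosts could pull the zone.
allow-transfer { key "rndc-key"; };
};
// REVERSE #################################################
zone "1.11.111.in-addr.arpa" {
type master;
file "111.11.1";
//allow-update { <IP>; }; // not allowed on a secondary
allow-transfer { key "rndc-key"; };
};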
# vi /etc/bind/rndc.key
key "rndc-key" {
// hmac-md5 is the legacy algorithm; regenerate with hmac-sha256
// (rndc-confgen -a -A hmac-sha256). This key is also the transfer key for
// the secondaries, so algorithm and secret must match on every host.
algorithm hmac-md5;
secret "xxxxxxxxxxxxxxxxxxxxxxxx";
};
É possível regerar a rndc-key com o comando abaixo (reinicie o named em seguida e copie a chave nova para todos os secundários, pois ela também assina as transferências de zona):
# rndc-confgen -a -A hmac-sha256
Arquivo de zona direta (/home/bind/colaborativo.net.br):
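; Forward zone dominio.com.br. Bump the serial on every edit - secondaries
; only re-transfer when it grows.
$TTL 3600
@ IN SOA dns1.dominio.com.br. hostmaster.dominio.com.br. (
2016062402 ; serial (YYYYMMDDnn)
900 ; refresh
120 ; retry
604800 ; expire - 1800 s meant secondaries dropped the zone 30 min after
; losing the primary; RFC 1912 suggests 2-4 weeks
60 ; negative-cache TTL (not the default TTL - that is $TTL above)
)
; The SOA MNAME must name an existing nameserver of the zone: "dns" had no
; record at all, so it was replaced by dns1.
dominio.com.br. IN NS dns1.dominio.com.br.
dominio.com.br. IN NS dns2.dominio.com.br.
dns1 IN A <IP DNS1>
dns2 IN A <IP DNS2>
dominio.com.br. IN A <IP PAGINA>
ftp IN A <IP FTP>
www CNAME dominio.com.br.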
Arquivo de zona reversa (/home/bind/111.11.1, zona 1.11.111.in-addr.arpa):
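; Reverse zone 1.11.111.in-addr.arpa (111.11.1.0/24). Serial bumped with this edit.
$TTL 3600
@ IN SOA dns1.dominio.com.br. hostmaster.dominio.com.br. (
2016020102 ; serial (YYYYMMDDnn)
900 ;refresh
900 ;retry
604800 ;expire (was 1800 - far too short for a secondary to ride out an outage)
60 ;minimum-ttl (negative caching)
)
; NS records must be owned by the zone apex (@). Owned by "dominio.com.br."
; they are out-of-zone data, which named ignores, leaving the zone with no
; NS records at all - it then fails to load.
@ IN NS dns1.dominio.com.br.
@ IN NS dns2.dominio.com.br.
; The former "<IP FORA RANGE> IN PTR dns3..." line was removed: a PTR for an
; address outside 111.11.1.0/24 cannot live in this zone; it belongs in the
; reverse zone that covers that address.
$ORIGIN 1.11.111.in-addr.arpa.
1 IN PTR www.dominio.com.br.
2 IN PTR www.dominio.com.br.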
Liberar portas no firewall. A porta 953 (rndc) NÃO precisa ser liberada: o bloco controls escuta somente em 127.0.0.1; abra-a apenas se o rndc for usado remotamente. As transferências de zona para os secundários chegam em TCP 53 (INPUT) e já estão restritas pela chave TSIG; libere o tráfego de retorno como ESTABLISHED/RELATED.
INPUT TCP 53
INPUT UDP 53
OUTPUT TCP 53
OUTPUT UDP 53
# vi /etc/bind/named.conf.options
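// Networks allowed to recurse through this server. Use network base addresses:
// a prefix with host bits set is rejected as an address/prefix length mismatch.
acl ips { 200.200.200.200/29; 180.180.180.180/25; 127.0.0.1; };
options {
directory "/home/bind";
auth-nxdomain no; # conform to RFC 1035
// dnssec-enable and dnssec-lookaside were dropped: DNSSEC is always enabled
// in BIND 9.16 (Debian 11) and the DLV registry the lookaside relied on no
// longer exists; recent named treats both options as obsolete.
dnssec-validation auto; # built-in root trust anchor; "yes" needs trust-anchors configured by hand
version "Not Available";
transfer-format many-answers;
listen-on { ips; };
allow-query { any; }; # authoritative data is public; recursion is not
allow-recursion { ips; };
cleaning-interval 60;
allow-transfer { none; }; # a secondary does not re-serve transfers
allow-update { none; };
hostname none;
server-id none;
notify master-only; # send NOTIFY only for zones this host is primary for
zone-statistics yes;
statistics-file "/home/bind/log/dns_stat.log";
//listen-on-v6 { any; };
// forwarders {
// 0.0.0.0;
// };
};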
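logging {
channel simple_log {
// Under /home/bind/log, the directory this guide creates and chowns to bind.
// The original pointed at /var/cache/bind/log/, which is never created here,
// so named could not open its log file.
file "/home/bind/log/bind.log" versions 5 size 5m;
severity info; # critical debug info info notice warning dynamic
print-time yes;
print-severity yes;
print-category yes;
};
category default {
simple_log;
};
// Query logging, if ever enabled, must reference this channel (simple_log);
// the channel name "dns_log" does not exist in this file.
// category queries {
// simple_log;
// };
};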
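include "/etc/bind/rndc.key";
// rndc control channel: loopback only. Keep rndc.key mode 640 root:bind.
controls {
inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};
// Sign transfer requests to the primary with the shared TSIG key
// (keyword is "server", lower case).
server <IP MASTER> {
transfer-format many-answers;
keys { "rndc-key"; };
//keys { TRANSFER; };
};
// ZONES ###################################################
zone "dominio.com.br" {
type slave;
file "dominio.com.br";
masters { <IP MASTER>; };
allow-notify { <IP MASTER>; };
};
// REVERSE #################################################
// The zone name must match the primary exactly: it serves
// 1.11.111.in-addr.arpa (111.11.1.0/24). "111.11.111.in-addr.arpa" is not
// a zone on the primary, so every transfer attempt would fail.
zone "1.11.111.in-addr.arpa" {
type slave;
file "1.11.111";
masters { <IP MASTER>; };
allow-notify { <IP MASTER>; };
};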
# vi /etc/bind/rndc.key
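key "rndc-key" {
// Must be identical to the primary's key -- algorithm AND secret -- so copy
// the whole statement, not just the secret. Mode 640 root:bind. hmac-md5 is
// legacy: regenerate on the primary with rndc-confgen -a -A hmac-sha256 and
// redistribute.
algorithm hmac-md5;
secret "xxxxxxxxxxxxxxxxxxxxxxxx"; // copy from the primary
};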
* Liberar portas no firewall. A porta 953 (rndc) NÃO precisa ser liberada: o bloco controls escuta somente em 127.0.0.1. O secundário recebe NOTIFY do master em UDP/TCP 53 (INPUT) e faz AXFR/IXFR de saída em TCP 53 (OUTPUT); libere o tráfego de retorno como ESTABLISHED/RELATED.
INPUT TCP 53
INPUT UDP 53
OUTPUT TCP 53
OUTPUT UDP 53
No Master habilite os parâmetros de estatística para capturar os fluxos do Bind.
Ajustar os parâmetros de configuração
# vi /etc/bind/named.conf.options
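options {
....
// Per-zone counters; "rndc stats" appends a dump to this file, which must be
// writable by the bind user.
zone-statistics yes;
statistics-file "/home/bind/log/stats.log";
....
};
// statistics-channels is a top-level statement: the options block must be
// closed with "};" before it. Loopback only - the HTTP endpoint exposes the
// zone list, counters and cache state.
statistics-channels {
inet 127.0.0.1 port 8653 allow { 127.0.0.1; };
};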
Execute o comando para gerar o arquivo de estatística
# rndc stats
1 - Quando testei no Ubuntu Server tive que usar o diretório padrão /var/cache/bind. A causa provável é o perfil AppArmor do named (/etc/apparmor.d/usr.sbin.named), que libera /var/cache/bind mas não /home/bind; confirme no journal ("apparmor=DENIED") e, se for o caso, adicione regras para /home/bind em /etc/apparmor.d/local/usr.sbin.named.
2 - Caso use o serviço da AWS EC2, lembre que o IP público é NAT e não está configurado na interface da instância: para listen-on só o IP privado é relevante. Inclua o IP público na acl ips apenas se ele aparecer como endereço de origem de clientes que devem recursar (normalmente não é o caso); não o use para abrir recursão ao mundo.