
45장.  CentOS 4.4를 네임서버로 동작하게 하는 무조건 따라하기

 

OS 설치 시: DNS 패키지 설치, Firewall 사용 안 함 체크. 참고: 보안상 캐시 서버(재귀 질의)로는 동작하지 않게 합니다.


1. ssh 2개 접속

 

2. ssh 1개 세션에서는  로그 모니터링

# tail  -f  /var/log/messages


 

3. 나머지 한대에서 작업

//데몬 확인

[root@localhost ~]# ps -ef |grep named

[root@localhost ~]# /usr/sbin/named  -u  named

 

[root@localhost ~]# ps -ef |grep named
named     3950     1  5 00:08 ?        00:00:00 /usr/sbin/named -u named

root      3955  3880  0 00:08 pts/2    00:00:00 grep named

 

[root@localhost ~]# dig @127.0.0.1 www.aaar.com

 

 

4. 도메인 추가하기


 4.1  우선 도메인 등록기관에 등록된 도메인의 네임서버를 확인해 보기

 

# dig  @A.GTLD-SERVERS.NET.   yahooms.com

; <<>> DiG 9.2.4 <<>> @A.GTLD-SERVERS.NET. yahooms.com
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13832
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yahooms.com.                   IN      A

;; AUTHORITY SECTION:
yahooms.com.            172800  IN      NS      ns1.yahooms.com.
yahooms.com.            172800  IN      NS      ns2.yahooms.com.

;; ADDITIONAL SECTION:
ns1.yahooms.com.        172800  IN      A       124.60.31.5
ns2.yahooms.com.        172800  IN      A       124.60.31.5

;; Query time: 117 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Apr 23 00:13:18 2007
;; MSG SIZE  rcvd: 97

[root@localhost ~]#

 


// .com 도메인은 네임서버 변경이 거의 실시간으로 반영되지만, 등록기관에 따라 변경 적용 시점이 다름.

 

[root@localhost ~]# dig    @A.GTLD-SERVERS.NET.    serverchk.com

; <<>> DiG 9.2.4 <<>> @A.GTLD-SERVERS.NET. serverchk.com
; (2 servers found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32629
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;serverchk.com.                 IN      A

;; AUTHORITY SECTION:
serverchk.com.          172800  IN      NS      ns1.serverchk.com.

;; ADDITIONAL SECTION:
ns1.serverchk.com.      172800  IN      A       220.95.236.130

 

 


---------------------------------------------------

4.2  recursion no; 설정 (오픈 DNS 리졸버 취약점 해결) — 이 서버 자신의 DNS를 외부 DNS로 설정하는 경우

   해당 DNS 서버를 캐시 DNS로 사용하지 않을 경우에 설정한다 (PC나 다른 서버가 이 서버를 DNS로 지정하지 않는 경우)

 

주의: recursion no 사용 시 해당 네임서버 자신은 재귀 질의를 하지 못하므로, 이 서버의 /etc/resolv.conf 에는 반드시 외부 ISP DNS를 설정해 주세요


# vi /etc/resolv.conf

nameserver 168.126.63.1
nameserver 168.126.63.2

 

 

4.3  작업전 백업

[root@localhost etc]# cp   named.conf   named.conf-20070420

 

 

4.4  named.conf설정하기

[root@localhost etc]# vi  named.conf
//
// named.conf for Red Hat caching-nameserver
//
// Used here as an authoritative-only server: recursion is switched off in
// options, so named answers only for the zones it is master for.

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        // String returned for CHAOS version.bind queries instead of the real BIND version (checked in 4.9).
        version " No !!";
        // Set only on a host used purely as a nameserver: with recursion off this
        // server cannot resolve for PCs/servers that point at it, and its own
        // /etc/resolv.conf must list the ISP DNS (see 4.2).
        recursion no;
        // Only these addresses may request a zone transfer (AXFR): localhost and the
        // secondary (slave) DNS. Anyone else is refused, so the zone cannot be
        // enumerated by transfer.
        // NOTE(review): the zone file in 4.8 gives ns2.serverchk.com as 200.1.2.2,
        // while 200.1.177.122 is the www/mail/ftp host -- confirm which address the
        // secondary actually transfers from.
        allow-transfer { 127.0.0.1;  200.1.177.122; };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// control channel and zone definitions (comment header kept from the
// Red Hat caching-nameserver template)
//
controls {
        // rndc control channel: only localhost may connect, authenticated with key "rndckey".
        // NOTE(review): "rndckey" is not defined anywhere in this listing; named loads
        // only if the key is defined elsewhere in the configuration (e.g. an included
        // key file). Section 5 defines "rndc-key" inline instead.
        inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

zone "." IN {
        // root hints (named.ca) as shipped by the package
        type hint;
        file "named.ca";
};

zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };     // dynamic updates refused
};

zone "serverchk.com" IN {
        type master;
        // Relative to 'directory'; with the chroot of 4.6/4.8 the file lives under
        // /var/named/chroot/var/named/.
        file "serverchk.com.zone";
        allow-update { none; };     // dynamic updates refused
};

 

 

4.5  named.conf가 제대로 설정되었는지 확인하기 (출력에 에러가 없으면 정상)

[root@localhost etc]# named-checkconf named.conf
[root@localhost etc]#

 

 

4.6  named 데몬 재시작
[root@localhost named]# service   named   restart

 

[root@localhost ~]# ps -ef |grep named

# /usr/sbin/named -u named -t /var/named/chroot

 

 

4.7  메일 발송이 잘 되게 하기 위한 SPF(TXT) 레코드가 설정되었는지 확인
[root@localhost named]# dig  serverchk.com  txt

 

 

4.8  zone file만들기


# cd /var/named/chroot/var/named/

# cp localdomain.zone serverchk.com.zone

 

 

[root@localhost named]# vi   serverchk.com.zone


$TTL    10M                     ; default TTL applied to every record below (10 minutes)
; SOA: MNAME (ns1.serverchk.com.) must be the master nameserver -- NOTIFY messages
; are sent from it to the other NS records. RNAME "root" is relative to the
; origin, i.e. the root@serverchk.com mailbox.
@               IN SOA  ns1.serverchk.com. root (
                                        2007042002      ; serial (YYYYMMDDnn); must increase on every edit or secondaries keep the old zone
                                        3H              ; refresh
                                        15M             ; retry
                                        1W              ; expiry
                                        1D )            ; minimum (negative-caching TTL)
                IN NS           ns1.serverchk.com.     ; owner still @ (apex)
                IN NS           ns2.serverchk.com.
                IN MX   10       mail.serverchk.com.

                        IN A            200.1.177.1    ; apex A record: owner name omitted, so still @ (serverchk.com)

                        IN A            200.1.2.2      ; second apex A record

ns1.serverchk.com.      IN A            200.1.177.1    ; addresses of the NS names; must match what the registrar/TLD publishes (see 4.1)
ns2.serverchk.com.      IN A            200.1.2.2

www                     IN A            200.1.177.122
mail                       IN A           200.1.177.122
ftp                         IN A           200.1.177.122
; SPF: mail claiming to be from serverchk.com passes from 200.1.177.122 / 200.1.177.0/24,
; softfails (~all) from any other address.
serverchk.com.          IN      TXT     "v=spf1  ip4:200.1.177.122  ip4:200.1.177.0/24 ~all"

 

참고:  @               IN SOA  ns1.serverchk.com.    root   (     에서..

=>  ns1.serverchk.com. 자리에는 반드시 Master NS의 이름을 적어 준다

DNS notify 시 이 이름(SOA MNAME)을 Master로 인식하고, 나머지 NS 레코드에 등록된 서버(슬레이브 서버)에 notify 메시지를 보낸다.

 

 

4.9   버전 숨김(version) 보안 설정 동작 확인


[root@localhost named]# dig @127.0.1 txt chaos version.bind.

; <<>> DiG 9.2.4 <<>> @127.0.1 txt chaos version.bind.
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32021
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
version.bind.           0       CH      TXT     " No !!"

 

 

4.10  전체적으로 점검하기

www.serverchk.com 

www.dnsreport.com

 

 

 

5. rndc 동작하게 하기

 

[root@localhost named]# cd /usr/sbin/


[root@localhost sbin]# ./rndc-confgen

# Start of rndc.conf
# Output of rndc-confgen: the first half is the rndc client config, the second
# half the matching key/controls statements for named.conf.
# The secret is a credential: anyone who can read it and reach 127.0.0.1:953
# can reload/stop named, so keep rndc.conf readable by root only.
key "rndc-key" {
        algorithm hmac-md5;
        # NOTE(review): this secret differs from the one in the key block below,
        # although rndc-confgen prints the same value in both places -- it was
        # probably altered when posting. The two MUST be identical or rndc fails.
        secret "hLAPug4sNwKd6iqsskxg==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
       algorithm hmac-md5;
       secret "hLAPug4sNwKkxg==";
 };
 
 # Control channel: only connections from 127.0.0.1 that prove knowledge of
 # "rndc-key" are accepted.
 controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
 };
# End of named.conf

 

 

//백업
etc]# cp  named.conf  named.conf-20070420
etc]# mv  rndc.conf  rndc.conf-20070420

 

 

~
[root@localhost etc]# vi rndc.conf

# Start of rndc.conf
# rndc client configuration. The secret below must be byte-identical to the
# one in named.conf's key "rndc-key" (section 5, second named.conf listing).
key "rndc-key" {
        algorithm hmac-md5;
        secret "hLAPug4sNwKd6Ywiqsskxg==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;     # talk to the local named only
        default-port 953;
};
# End of rndc.conf

 

 

 

 

 

[root@localhost etc]# vi named.conf

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        version " No !!";           // hides the real BIND version (see 4.9)
        recursion no;               // authoritative-only; see 4.2 for the resolv.conf consequence
        // NOTE(review): the secondary address here (59.6.177.122) differs from the
        // 200.1.177.122 used in 4.4 -- confirm which one is the real slave DNS.
        allow-transfer { 127.0.0.1; 59.6.177.122; };
        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
         // query-source address * port 53;
};

//
// rndc key and control channel, pasted from the rndc-confgen output in
// section 5 ('#' is a valid comment marker in named.conf)
//
# Use with the following in named.conf, adjusting the allow list as needed:
 key "rndc-key" {
       algorithm hmac-md5;
       // Must match the secret in /etc/rndc.conf exactly; treat it as a credential.
       secret "hLAPug4sNwKd6Ywiqsskxg==";
 };

 controls {
       inet 127.0.0.1 port 953
               allow { 127.0.0.1; } keys { "rndc-key"; };
 };
# End of named.conf


zone "." IN {
        type hint;
        file "named.ca";
// NOTE(review): the listing in the post stops here; the closing brace and the
// "localdomain" / "serverchk.com" zone statements from 4.4 are still required.

 

 

 

 


[root@localhost etc]# rndc reload

[root@localhost etc]# rndc   reload   serverchk.com

 


6. 부팅 시 데몬이 제대로 올라오게 하기

[root@localhost etc]# vi /etc/rc.local

#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

# Marks rc.local as "started" for the Sys V subsys bookkeeping.
touch /var/lock/subsys/local
# Locally built sshd (under /usr/local), started here rather than from an init script.
/usr/local/sbin/sshd
# Start BIND as the unprivileged 'named' user inside the /var/named/chroot jail
# (the same invocation that 4.6 shows running after 'service named restart').
# NOTE(review): if the named init script is also enabled at boot, this second
# start would collide with it -- use one mechanism or the other.
/usr/sbin/named -u named -t /var/named/chroot

 

 

7. iptables로 포트 허용하기

최근 Linux OS는 기본 설치 시 iptables가 켜져 있으므로 53번 포트를 허용해야 한다 (질의는 UDP 53, allow-transfer로 허용한 존 전송은 TCP 53).

 

 

 

 [교육] DNS 장애처리 및 보안설정 신청 :  http://www.bpan.com/edu_new/edu_lec/49