
Posts - MarianJack

#1
Server / BIND - Authoritative DNS
01. 07. 2014, 18:07:27
I'm trying to configure BIND as an authoritative DNS server (without DNSSEC for now).
Unfortunately it still does not answer queries from the internet.

I'm using a basic Debian installation: debian-7.5.0-amd64-netinst.iso
I install BIND (version BIND 9.8.4-rpz2+rl005.12-P1) like this: aptitude install bind9

Servers:
ns.example.cz - 192.168.50.6 - master
ns2.example.cz - 192.168.50.7 - slave

My zone:
example.com

Public IPs:
33.22.11.06
33.22.11.07

On the Cisco 886VA router I have these rules (the first two rules are probably enough; they fully cover the other four, which are here only for testing):
ip nat inside source static 192.168.50.6 33.22.11.06
ip nat inside source static 192.168.50.7 33.22.11.07
ip nat inside source static udp 192.168.50.6 33.22.11.06 53 extendable
ip nat inside source static tcp 192.168.50.6 33.22.11.06 53 extendable
ip nat inside source static udp 192.168.50.7 33.22.11.07 53 extendable
ip nat inside source static tcp 192.168.50.7 33.22.11.07 53 extendable

ns.example.cz - master:
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

acl trusted-servers {
   127.0.0.1;
   192.168.50.7;  //ns2
   33.22.11.06;   // every ACL element must end with a semicolon, otherwise named refuses to load the config
   33.22.11.07;
};

zone "example.com" {
       type master;
   //allow-query { any; };
   allow-transfer { trusted-servers; };
   also-notify {33.22.11.07;};
       file "/etc/bind/pri.example.com";
   //notify yes;
};

zone "example.cz" {
       type master;
   //allow-query { any; };
   allow-transfer { trusted-servers; };
   also-notify {33.22.11.07;};
       file "/etc/bind/pri.example.cz";
   //notify yes;
};

zone "11.22.33.in-addr.arpa" {
       type master;
   //allow-query { any; };
   allow-transfer { trusted-servers; };
   also-notify {33.22.11.07;};
       file "/etc/bind/pri.33.22.11";
   //notify yes;
};

-------------------
named.conf.options
options {
   directory "/var/cache/bind";

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable
   // nameservers, you probably want to use them as forwarders. 
   // Uncomment the following block, and insert the addresses replacing
   // the all-0's placeholder.

   // forwarders {
   //    0.0.0.0;
   // };

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================
   dnssec-validation auto;

   //recursion no;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };
};
--------------------------------------

ns2.example.cz - slave:

named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

masters ns { 192.168.50.6; };

zone "example.com" {
       type slave;
   masters { ns; };
   allow-notify {192.168.50.6;};
   allow-transfer {none;};
   file "/var/cache/bind/sec.example.com";
};

zone "example.cz" {   // zone name matches the master's zone and the sec.example.cz file below
       type slave;
   masters { ns; };
   allow-notify {192.168.50.6;};
   allow-transfer {none;};
   file "/var/cache/bind/sec.example.cz";
};

zone "11.22.33.in-addr.arpa" {
       type slave;
   masters { ns; };
   allow-notify {192.168.50.6;};
   allow-transfer {none;};
       file "/var/cache/bind/sec.33.22.11";
};
----------------------------------------------
named.conf.options
options {
   directory "/var/cache/bind";

   // If there is a firewall between you and nameservers you want
   // to talk to, you may need to fix the firewall to allow multiple
   // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

   // If your ISP provided one or more IP addresses for stable
   // nameservers, you probably want to use them as forwarders. 
   // Uncomment the following block, and insert the addresses replacing
   // the all-0's placeholder.

   // forwarders {
   //    0.0.0.0;
   // };

   //========================================================================
   // If BIND logs error messages about the root key being expired,
   // you will need to update your keys.  See https://www.isc.org/bind-keys
   //========================================================================
   dnssec-validation auto;

   recursion no;

   auth-nxdomain no;    # conform to RFC1035
   listen-on-v6 { any; };
};
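The check I would run before digging into NAT rules is to query each public address from outside and look at the header bits of the reply: whether the AA flag is set (the server considers itself authoritative), the RCODE (REFUSED points at allow-query, SERVFAIL at a zone that failed to load), and whether RA is set (on the master above `recursion no;` is still commented out, so it would also advertise recursion to the whole internet). The following is an added example written for this thread, not code from the post or from BIND; it uses only the Python standard library, the server address and zone name are command-line arguments, and the two sample responses at the bottom are constructed byte strings so the logic can be exercised offline.

```python
# Added example (not from the forum post): a minimal DNS probe that sends a
# SOA query over UDP and inspects the response header bits that matter when
# checking an authoritative setup: AA (authoritative answer), RA (recursion
# available) and RCODE. Standard library only.
import socket
import struct
import sys

QTYPE_SOA = 6
QCLASS_IN = 1
PROBE_ID = 0x1234


def encode_name(name: str) -> bytes:
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = QTYPE_SOA, txid: int = PROBE_ID, rd: bool = False) -> bytes:
    """Build a single-question DNS query. RD is off by default so we see what
    the server answers on its own authority, not via recursion."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header into named flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "tc": bool(flags & 0x0200),
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def assess(hdr: dict) -> list:
    """Turn header bits into findings for an authoritative-only nameserver.
    An empty list means: authoritative answer and no recursion offered."""
    findings = []
    if not hdr["qr"]:
        return ["not a response (QR bit clear)"]
    if hdr["rcode"] == 5:
        findings.append("REFUSED: the server's allow-query policy rejects this client")
    elif hdr["rcode"] == 3:
        findings.append("NXDOMAIN: the name does not exist in the zone the server holds")
    elif hdr["rcode"] == 2:
        findings.append("SERVFAIL: the zone probably failed to load (check named-checkzone and syslog)")
    if hdr["rcode"] == 0 and not hdr["aa"]:
        findings.append("AA clear: the server does not consider itself authoritative for this name")
    if hdr["ra"]:
        findings.append("RA set: recursion is offered to this client; an authoritative-only "
                        "server should have 'recursion no;' in options")
    return findings


def probe(server: str, name: str, port: int = 53, timeout: float = 3.0) -> dict:
    """Send the query over UDP and return the parsed response header."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != PROBE_ID:
        raise ValueError("response ID does not match the query")
    return hdr


# Constructed sample responses (headers only, no sections) for offline use:
# a clean authoritative answer (QR|AA, rcode 0) and a reply from a server
# that also offers recursion (QR|RD|RA, AA clear).
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", PROBE_ID, 0x8400, 1, 1, 0, 0)
SAMPLE_OPEN_RESOLVER = struct.pack("!HHHHHH", PROBE_ID, 0x8180, 1, 1, 0, 0)

if __name__ == "__main__":
    # usage: python dns_probe.py <public-ip-of-nameserver> <zone>
    server, zone = sys.argv[1], sys.argv[2]
    for line in assess(probe(server, zone)) or ["OK: authoritative answer, no recursion offered"]:
        print(line)
```

Run it from a host outside the NAT against each public address in turn; a timeout means the packet never reached named (NAT or firewall), while any reply at all narrows the problem to the BIND configuration, and the findings tell you which part.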