Building a DNS (Domain Name System) server
Installing BIND
If you use web hosting, you have no choice but to use that provider's name servers. With server hosting you can still use the name servers of the company providing the service, but if you have a server of your own you can build your own name server.
To build our own DNS server (name server), let's install bind.
[root@webpress /]# yum install bind bind-chroot bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.cat.net
* elrepo: ftp.ne.jp
* extras: mirrors.cat.net
* updates: mirrors.cat.net
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.11.4-26.P2.el7_9.4 will be installed
--> Processing Dependency: bind-libs-lite(x86-64) = 32:9.11.4-26.P2.el7_9.4 for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: bind-libs(x86-64) = 32:9.11.4-26.P2.el7_9.4 for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: python-ply for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: liblwres.so.160()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libisccfg.so.160()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libisccc.so.160()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libisc.so.169()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libdns.so.1102()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libbind9.so.160()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
--> Processing Dependency: libGeoIP.so.1()(64bit) for package: 32:bind-9.11.4-26.P2.el7_9.4.x86_64
---> Package bind-chroot.x86_64 32:9.11.4-26.P2.el7_9.4 will be installed
---> Package bind-utils.x86_64 32:9.11.4-26.P2.el7_9.4 will be installed
--> Running transaction check
---> Package GeoIP.x86_64 0:1.5.0-14.el7 will be installed
--> Processing Dependency: geoipupdate for package: GeoIP-1.5.0-14.el7.x86_64
---> Package bind-libs.x86_64 32:9.11.4-26.P2.el7_9.4 will be installed
--> Processing Dependency: bind-license = 32:9.11.4-26.P2.el7_9.4 for package: 32:bind-libs-9.11.4-26.P2.el7_9.4.x86_64
---> Package bind-libs-lite.x86_64 32:9.11.4-26.P2.el7_9.4 will be installed
---> Package python-ply.noarch 0:3.4-11.el7 will be installed
--> Running transaction check
---> Package bind-license.noarch 32:9.11.4-26.P2.el7_9.4 will be installed
---> Package geoipupdate.x86_64 0:2.5.0-1.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
=====================================================================================================
Package Arch Version Repository Size
=====================================================================================================
Installing:
bind x86_64 32:9.11.4-26.P2.el7_9.4 updates 2.3 M
bind-chroot x86_64 32:9.11.4-26.P2.el7_9.4 updates 92 k
bind-utils x86_64 32:9.11.4-26.P2.el7_9.4 updates 260 k
Installing for dependencies:
GeoIP x86_64 1.5.0-14.el7 base 1.5 M
bind-libs x86_64 32:9.11.4-26.P2.el7_9.4 updates 157 k
bind-libs-lite x86_64 32:9.11.4-26.P2.el7_9.4 updates 1.1 M
bind-license noarch 32:9.11.4-26.P2.el7_9.4 updates 91 k
geoipupdate x86_64 2.5.0-1.el7 base 35 k
python-ply noarch 3.4-11.el7 base 123 k
Transaction Summary
=====================================================================================================
Install 3 Packages (+6 Dependent packages)
Total download size: 5.6 M
Installed size: 13 M
Is this ok [y/d/N]: y
Downloading packages:
(1/9): bind-chroot-9.11.4-26.P2.el7_9.4.x86_64.rpm | 92 kB 00:00:00
(2/9): bind-libs-9.11.4-26.P2.el7_9.4.x86_64.rpm | 157 kB 00:00:00
(3/9): GeoIP-1.5.0-14.el7.x86_64.rpm | 1.5 MB 00:00:00
(4/9): bind-9.11.4-26.P2.el7_9.4.x86_64.rpm | 2.3 MB 00:00:00
(5/9): bind-license-9.11.4-26.P2.el7_9.4.noarch.rpm | 91 kB 00:00:00
(6/9): bind-utils-9.11.4-26.P2.el7_9.4.x86_64.rpm | 260 kB 00:00:00
(7/9): bind-libs-lite-9.11.4-26.P2.el7_9.4.x86_64.rpm | 1.1 MB 00:00:00
(8/9): geoipupdate-2.5.0-1.el7.x86_64.rpm | 35 kB 00:00:00
(9/9): python-ply-3.4-11.el7.noarch.rpm | 123 kB 00:00:00
-----------------------------------------------------------------------------------------------------
Total 5.3 MB/s | 5.6 MB 00:00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-license-9.11.4-26.P2.el7_9.4.noarch 1/9
Installing : geoipupdate-2.5.0-1.el7.x86_64 2/9
Installing : GeoIP-1.5.0-14.el7.x86_64 3/9
Installing : 32:bind-libs-lite-9.11.4-26.P2.el7_9.4.x86_64 4/9
Installing : 32:bind-libs-9.11.4-26.P2.el7_9.4.x86_64 5/9
Installing : python-ply-3.4-11.el7.noarch 6/9
Installing : 32:bind-9.11.4-26.P2.el7_9.4.x86_64 7/9
Installing : 32:bind-chroot-9.11.4-26.P2.el7_9.4.x86_64 8/9
Installing : 32:bind-utils-9.11.4-26.P2.el7_9.4.x86_64 9/9
Verifying : 32:bind-libs-lite-9.11.4-26.P2.el7_9.4.x86_64 1/9
Verifying : 32:bind-chroot-9.11.4-26.P2.el7_9.4.x86_64 2/9
Verifying : 32:bind-utils-9.11.4-26.P2.el7_9.4.x86_64 3/9
Verifying : python-ply-3.4-11.el7.noarch 4/9
Verifying : 32:bind-license-9.11.4-26.P2.el7_9.4.noarch 5/9
Verifying : geoipupdate-2.5.0-1.el7.x86_64 6/9
Verifying : 32:bind-9.11.4-26.P2.el7_9.4.x86_64 7/9
Verifying : GeoIP-1.5.0-14.el7.x86_64 8/9
Verifying : 32:bind-libs-9.11.4-26.P2.el7_9.4.x86_64 9/9
Installed:
bind.x86_64 32:9.11.4-26.P2.el7_9.4 bind-chroot.x86_64 32:9.11.4-26.P2.el7_9.4
bind-utils.x86_64 32:9.11.4-26.P2.el7_9.4
Dependency Installed:
GeoIP.x86_64 0:1.5.0-14.el7 bind-libs.x86_64 32:9.11.4-26.P2.el7_9.4
bind-libs-lite.x86_64 32:9.11.4-26.P2.el7_9.4 bind-license.noarch 32:9.11.4-26.P2.el7_9.4
geoipupdate.x86_64 0:2.5.0-1.el7 python-ply.noarch 0:3.4-11.el7
Complete!
[root@webpress /]#
* bind-utils must be installed in order to use nslookup, dig and host.
Once the installation is finished, /etc/named.conf must be edited so that the name server works properly. During or after the installation, the BIND version can be checked with the command below.
# named -v
The contents of /etc/named.conf will look roughly like the following. (BIND 9.11.4)
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { localhost; };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

A minimal configuration for bind looks like this.
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    recursing-file "/var/named/data/named.recursing";
    secroots-file "/var/named/data/named.secroots";
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion no;
    allow-transfer { none; };
    allow-query-cache { any; };
    version "version";
    dnssec-enable yes;
    dnssec-validation yes;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.root.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- If the version statement is not set explicitly, the version of bind installed on the server is easily exposed.
- The port the name server uses (53) must be allowed through the firewall.
# firewall-cmd --permanent --zone=public --add-port=53/tcp
# firewall-cmd --permanent --zone=public --add-port=53/udp
# firewall-cmd --reload
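A small audit script, added here and not part of the original post, that checks a named.conf for the three points the minimal configuration above changes for an authoritative-only server: recursion off, zone transfers denied, and the version string overridden. It assumes each option appears once inside the options { ... } block as "name value;" and strips //, # and /* */ comments before looking; the sample file it audits is constructed inline.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Assumes every option appears
# once inside options { ... } as "name value;"; nested multi-line blocks are not handled.
# Strip //, # and /* */ comments, then keep only the lines of the options { ... } block.
named_options_block() {
    sed -e 's|/\*.*\*/||' -e '/\/\*/,/\*\//d' -e 's|//.*$||' -e 's|#.*$||' "$1" |
      awk '/^[[:space:]]*options[[:space:]]*[{]/ { inopt = 1 }
           inopt && /^[[:space:]]*[}];/         { inopt = 0 }
           inopt'
}
# named_opt FILE NAME: print the value of option NAME (empty if it is unset).
named_opt() {
    named_options_block "$1" |
      sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);.*$/\1/p" | head -n 1
}
# audit_named_conf FILE: report weak settings; returns 1 if any were found.
audit_named_conf() {
    audit_rc=0
    case "$(named_opt "$1" recursion)" in
        no) ;;
        *)  echo "recursion is not 'no': on a public IP this is an open resolver"; audit_rc=1 ;;
    esac
    case "$(named_opt "$1" allow-transfer)" in
        *none*) ;;
        *)      echo "allow-transfer is not { none; }: zone data can be transferred by anyone"; audit_rc=1 ;;
    esac
    if [ -z "$(named_opt "$1" version)" ]; then
        echo "version is not overridden: the real BIND version is exposed"; audit_rc=1
    fi
    return "$audit_rc"
}
# Demonstration on a constructed copy of the post's minimal options block.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
options {
    listen-on port 53 { any; };
    allow-query { any; };
    /* a comment spanning
       several lines */
    recursion no;
    allow-transfer { none; };
    version "version";
};
EOF
audit_named_conf "$sample_conf" && echo "ok: hardened settings present"
rm -f "$sample_conf"
```

Run it against /etc/named.conf after editing; the stock caching-only file fails all three checks, which is the expected result before the changes above are applied.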
Run the following command as well so that the service is enabled when the system (re)boots.
[root@webpress etc]# systemctl enable named.service
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@webpress etc]#
# Typing only systemctl enable named is enough. The name server is started with the command systemctl start named.
The configuration so far is that of a caching name server: for queries about domains other than your own it only returns referrals to other name servers. An easy way to test the difference between how recursive and iterative DNS queries work is to set the IP address of the server configured above as the name server address of the PC you are using. Compare the behaviour when recursion is set to no and when it is set to yes.
This is half of the name server configuration. The rest is the configuration of the domain itself. After the web server is set up, the remaining name server and web server configuration still has to be done.
If you have edited the configuration file, restart the name server with the command systemctl restart named.
It is not very detailed, but refer to the short summary I wrote earlier.
2020.02.12 - [Linux/DNS server] - Basic security settings for a name server - bind