BIND DNS on Gentoo
Installing the BIND package
Setting the USE flags
The USE flags I used for the bind install are the following; add this line to /etc/portage/package.use (for example with vi):
    net-dns/bind -ipv6 -ldap -mysql
This drops the database back ends (LDAP and MySQL) and IPv6 support.
Emerge
emerge -av bind
Configuration
/etc/bind/named.conf
In the first part of the file a few fields have been changed compared with the file that ships by default:
options {
    directory "/var/bind";
    statistics-file "/var/bind/named.stats";
    dump-file "/var/bind/named.dump";
    zone-statistics yes;

    allow-recursion { 127.0.0.1; 192.168.13.0/24; 192.168.14.0/24; 192.168.12.0/24; };
    allow-transfer { 192.168.13.0/24; };
    notify yes;

    // uncomment the following lines to turn on DNS forwarding,
    // and change the forwarding ip address(es) :
    //forward first;
    //forwarders {
    //    123.123.123.123;
    //    123.123.123.123;
    //};

    listen-on-v6 { none; };
    // Listen on 192.168.13.3
    listen-on { 127.0.0.1; 192.168.13.3; };

    // to allow only specific hosts to use the DNS server:
    //allow-query {
    //    127.0.0.1;
    //};

    // if you have problems and are behind a firewall:
    //query-source address * port 53;
    pid-file "/var/run/named/named.pid";
};

// Briefly, a zone which has been declared delegation-only will be effectively
// limited to containing NS RRs for subdomains, but no actual data beyond its
// own apex (for example, its SOA RR and apex NS RRset). This can be used to
// filter out "wildcard" or "synthesized" data from NAT boxes or from
// authoritative name servers whose undelegated (in-zone) data is of no
// interest.
// See http://www.isc.org/products/BIND/delegation-only.html for more info
// Uncommented by Dany
zone "COM" { type delegation-only; };
zone "NET" { type delegation-only; };

zone "." IN {
    type hint;
    file "named.ca";
};

zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    allow-update { none; };
    notify no;
};

zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    allow-update { none; };
    notify no;
};

// Add the logging configuration file
include "/var/bind/conf/logging.conf";
// Add the ACL configuration file
include "/var/bind/conf/acls.conf";
// Add the per-domain configuration files
include "/var/bind/conf/luniel.conf";
include "/var/bind/conf/pomboeng.conf";
include "/var/bind/conf/reverse.conf";
We have also split parts of the configuration into separate files so that it is easier to follow.

A few points in this file deserve a second look. allow-transfer { 192.168.13.0/24; } lets any host on that LAN pull a full copy of every zone with AXFR; narrow it to the addresses of the secondary servers (or to a TSIG key), and use allow-transfer { none; } if there are no secondaries at all. allow-recursion is limited to the local networks and listen-on to 127.0.0.1 and 192.168.13.3, so the server is not an open resolver; keep both restrictions if the host ever gets an Internet-facing address. Leave query-source address * port 53 commented out: a fixed source port makes cache-poisoning attacks against a recursive server much easier. The delegation-only zones for COM and NET filter out wildcard records synthesised at the TLD level, as the ISC page linked in the comment explains; newer BIND releases deprecate this zone type, so check the ARM for the version you run. Finally, acls.conf must be included before the files that reference red-local, as it is here, because BIND does not allow forward references to an acl.

Before restarting the service, validate the syntax with named-checkconf /etc/bind/named.conf; then run /etc/init.d/named restart.
/var/bind/conf/logging.conf
logging {
    channel default_file      { file "/var/log/named/default.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel general_file      { file "/var/log/named/general.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel database_file     { file "/var/log/named/database.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel security_file     { file "/var/log/named/security.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel config_file       { file "/var/log/named/config.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel resolver_file     { file "/var/log/named/resolver.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-in_file      { file "/var/log/named/xfer-in.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel xfer-out_file     { file "/var/log/named/xfer-out.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel notify_file       { file "/var/log/named/notify.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel client_file       { file "/var/log/named/client.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel unmatched_file    { file "/var/log/named/unmatched.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel queries_file      { file "/var/log/named/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel network_file      { file "/var/log/named/network.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel update_file       { file "/var/log/named/update.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dispatch_file     { file "/var/log/named/dispatch.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel dnssec_file       { file "/var/log/named/dnssec.log" versions 3 size 5m; severity dynamic; print-time yes; };
    channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5m; severity dynamic; print-time yes; };

    category default      { default_file; };
    category general      { general_file; };
    category database     { database_file; };
    category security     { security_file; };
    category config       { config_file; };
    category resolver     { resolver_file; };
    category xfer-in      { xfer-in_file; };
    category xfer-out     { xfer-out_file; };
    category notify       { notify_file; };
    category client       { client_file; };
    category unmatched    { unmatched_file; };
    category queries      { queries_file; };
    category network      { network_file; };
    category update       { update_file; };
    category dispatch     { dispatch_file; };
    category dnssec       { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
This configuration file gives us a log of what happens on our DNS server, one file per category (very useful). The directory /var/log/named must exist and be writable by the user named runs as (named on Gentoo), or the channels cannot be opened. severity dynamic makes each channel follow the debug level set with rndc trace, and versions 3 size 5m rotates each file at 5 MB and keeps three old copies. The queries channel records every query received, which grows quickly and records who looked up what, so enable it only while troubleshooting. The security channel is the one to watch day to day: it records denied dynamic updates, zone transfers and recursive queries.
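The following script, added here as an example and not part of the original page, shows the kind of triage the security channel makes possible: it parses log lines in the form BIND uses for denied updates, zone transfers and queries, counts them per client and flags clients that repeat them. The sample log lines are constructed for the example, and the function names and the threshold are assumptions; the exact message wording differs between BIND versions, so adjust LINE_RE to what your security.log actually contains.

```python
import re
from collections import Counter

# Constructed sample in the shape of BIND's "security" category with
# print-time yes. Not real data from this server; the wording varies across
# BIND versions, so adapt LINE_RE to your own security.log.
SAMPLE_SECURITY_LOG = """\
10-May-2006 14:02:11.402 client 192.168.13.1#3421: update 'luniel.com/IN' denied
10-May-2006 14:02:12.118 client 192.168.13.1#3422: update 'luniel.com/IN' denied
10-May-2006 14:03:40.007 client 10.20.30.40#51234: zone transfer 'luniel.com/AXFR/IN' denied
10-May-2006 14:03:41.550 client 10.20.30.40#51235: zone transfer 'luniel.es/AXFR/IN' denied
10-May-2006 14:05:02.300 client 192.168.27.9#4000: query (cache) 'example.org/A/IN' denied
10-May-2006 14:05:03.300 client 192.168.13.5#4001: update 'luniel.com/IN' denied
10-May-2006 14:05:04.100 zone luniel.com/IN: loaded serial 2006051002
"""

# One regex for the three denial messages; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): "
    r"(?P<what>update|zone transfer|query \(cache\)) '(?P<target>[^']+)' denied$"
)


def parse_security_log(text):
    """Return one dict per denied update/transfer/query; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, threshold=2):
    """Count denials per (client, kind) and flag clients with at least
    `threshold` denials of one kind, e.g. a host probing for AXFR on every
    zone or pushing unauthorised dynamic updates."""
    counts = Counter((e["ip"], e["what"]) for e in events)
    flagged = sorted({ip for (ip, _), n in counts.items() if n >= threshold})
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(parse_security_log(SAMPLE_SECURITY_LOG))
    for (ip, what), n in sorted(counts.items()):
        print(f"{ip:16} {what:14} {n}")
    print("flagged:", ", ".join(flagged))
```

Feed it the real file with parse_security_log(open("/var/log/named/security.log").read()); a client that keeps asking for AXFR of zone after zone, as 10.20.30.40 does in the sample, is reconnaissance and worth a firewall rule.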
/var/bind/conf/acls.conf
This file defines the address list used for access control. An acl must be defined before anything references it, which is why named.conf includes acls.conf ahead of the zone configuration files.
acl "red-local" {
    192.168.13.0/24;
    192.168.12.0/24;
    192.168.27.0/24;
    127.0.0.1;
};
/var/bind/conf/luniel.conf
This file configures the domains of our client luniel (myself in this case). Address match lists are evaluated in order and the first match wins, so an exclusion such as !192.168.13.1 only takes effect when it is placed before the prefix that contains it. Allowing dynamic updates by source address alone is also weak, since the source address of a UDP packet is trivial to spoof; a TSIG key (allow-update { key "name"; }; or an update-policy statement) is the robust option.
//
// Add local zone definitions here.
zone "luniel.com" IN {
    type master;
    file "/var/bind/db/luniel.com";
    // The exclusion must come first: the first matching element wins,
    // so placing it after 192.168.13.0/24 would leave it without effect.
    allow-update { !192.168.13.1; 192.168.13.0/24; 192.168.27.0/24; };
    allow-query { red-local; };
};

zone "luniel.es" IN {
    type master;
    file "/var/bind/db/luniel.es";
    allow-update { none; };
    allow-query { red-local; };
};

zone "luniel.net" IN {
    type master;
    file "/var/bind/db/luniel.net";
    allow-update { none; };
    allow-query { red-local; };
};
/var/bind/conf/reverse.conf
This file configures the reverse zones we own. The allow-update lists follow the same first-match rule as the forward zones, so the excluded address goes before its prefix.
//
// Add local zone definitions here.
zone "12.168.192.in-addr.arpa" IN {
    type master;
    file "/var/bind/db/12.168.192";
    allow-update { none; };
    allow-query { red-local; };
};

zone "13.168.192.in-addr.arpa" IN {
    type master;
    file "/var/bind/db/13.168.192";
    // Exclusion first: first match wins.
    allow-update { !192.168.13.1; 192.168.13.0/24; };
    allow-query { red-local; };
};

zone "27.168.192.in-addr.arpa" IN {
    type master;
    file "/var/bind/db/27.168.192";
    allow-update { 192.168.27.0/24; };
    allow-query { red-local; };
};
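The allow-update lists in luniel.conf and reverse.conf combine a prefix with a !192.168.13.1 exclusion, and whether that exclusion does anything depends entirely on its position. The following Python script, an added example rather than anything from the page or from BIND itself, reproduces BIND's address_match_list evaluation (elements tried in order, first match decides, ! turns the match into a deny, no match means deny, and a negative match inside a nested acl counts as no match at the outer level) together with a small lint that reports exclusions which can never fire. The acl name and addresses come from the page; the function names and the built-in any/none entries are assumptions of this example.

```python
import ipaddress

# Named ACLs as in the page's acls.conf, plus BIND's built-in "any" and "none".
# The evaluator is an added illustration of BIND's matching rules, not BIND code.
ACLS = {
    "red-local": ["192.168.13.0/24", "192.168.12.0/24", "192.168.27.0/24", "127.0.0.1"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}


def _split(element):
    """Return (negated, target) for an element such as '!192.168.13.1'."""
    element = element.strip()
    if element.startswith("!"):
        return True, element[1:].strip()
    return False, element


def match_list(elements, addr, acls=ACLS):
    """Evaluate an address_match_list the way BIND does: elements are tried in
    order, the first one that matches decides, '!' turns that decision into a
    deny, and an address that matches nothing is denied. A negative match
    inside a nested ACL is treated as no match by the outer list."""
    addr = ipaddress.ip_address(str(addr))
    for element in elements:
        negated, target = _split(element)
        if target in acls:
            hit = match_list(acls[target], addr, acls)
        else:
            hit = addr in ipaddress.ip_network(target, strict=False)
        if hit:
            return not negated
    return False


def shadowed_negations(elements, acls=ACLS):
    """Lint: a negated prefix that an earlier, broader positive prefix already
    covers can never fire, because the earlier element matches first."""
    earlier, shadowed = [], []
    for element in elements:
        negated, target = _split(element)
        if target in acls:
            continue  # nested acl names are not expanded by this lint
        net = ipaddress.ip_network(target, strict=False)
        if negated:
            if any(net.version == e.version and net.subnet_of(e) for e in earlier):
                shadowed.append(element)
        else:
            earlier.append(net)
    return shadowed


# The luniel.com allow-update list with the exclusion last, then first.
WRONG_ORDER = ["192.168.13.0/24", "192.168.27.0/24", "!192.168.13.1"]
RIGHT_ORDER = ["!192.168.13.1", "192.168.13.0/24", "192.168.27.0/24"]

if __name__ == "__main__":
    for name, acl in (("exclusion last", WRONG_ORDER), ("exclusion first", RIGHT_ORDER)):
        print(f"{name}: 192.168.13.1 may update = {match_list(acl, '192.168.13.1')}, "
              f"shadowed = {shadowed_negations(acl)}")
```

With the exclusion last, 192.168.13.1 is matched by 192.168.13.0/24 before the negation is ever reached and the update is accepted; with the exclusion first it is denied while the rest of the /24 still passes. Run shadowed_negations over every allow-* list before a restart, since named-checkconf accepts both orderings without complaint.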
Data files
Here are a couple of examples: the definition of a domain and of its reverse zone.
/var/bind/db/luniel.com
$ORIGIN .
$TTL 600        ; 10 minutes
luniel.com              IN SOA  carpanta.luniel.com. hostmaster.luniel.com. (
                                2006051002 ; serial
                                43200      ; refresh (12 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      carpanta.luniel.com.
                        A       192.168.13.3
                        MX      10 carpanta.luniel.com.
$ORIGIN luniel.com.
carpanta                A       192.168.13.3
firewall                A       192.168.12.2
localhost               A       127.0.0.1
router                  A       192.168.12.1
$TTL 600        ; 10 minutes
webmail                 CNAME   carpanta
wiki                    CNAME   carpanta
www                     CNAME   carpanta
/var/bind/db/13.168.192
$ORIGIN .
$TTL 600        ; 10 minutes
13.168.192.in-addr.arpa IN SOA  carpanta.luniel.com. hostmaster.luniel.com. (
                                2006051005 ; serial
                                43200      ; refresh (12 hours)
                                3600       ; retry (1 hour)
                                1209600    ; expire (2 weeks)
                                3600       ; minimum (1 hour)
                                )
                        NS      carpanta.luniel.com.
$ORIGIN 13.168.192.in-addr.arpa.
3                       PTR     carpanta.luniel.com.
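Forward and reverse data drift apart easily when both are maintained by hand, and a PTR that no A record confirms breaks forward-confirmed reverse DNS checks done by mail servers and SSH. The following Python script, added as an example and not part of the page, parses the two zone files above ($ORIGIN, $TTL, comments, a parenthesised SOA, owners inherited from the previous record) and checks that every address inside a reverse zone we serve has a PTR and that every PTR target has an A record for that address. The embedded zone text is the page's data; the function names are assumptions of this example, and only IPv4 reverse zones are handled, matching the server's -ipv6 build.

```python
import ipaddress
from collections import defaultdict

# Zone data taken from the page (luniel.com and the 192.168.13.0/24 reverse
# zone); the parser and the checks below are an added illustration.
FORWARD_ZONE = """\
$ORIGIN .
$TTL 600 ; 10 minutes
luniel.com IN SOA carpanta.luniel.com. hostmaster.luniel.com. (
        2006051002 ; serial
        43200 3600 1209600 3600 ; refresh retry expire minimum
        )
    NS carpanta.luniel.com.
    A 192.168.13.3
    MX 10 carpanta.luniel.com.
$ORIGIN luniel.com.
carpanta A 192.168.13.3
firewall A 192.168.12.2
localhost A 127.0.0.1
router A 192.168.12.1
webmail CNAME carpanta
wiki CNAME carpanta
www CNAME carpanta
"""
REVERSE_ZONE = """\
$ORIGIN .
$TTL 600
13.168.192.in-addr.arpa IN SOA carpanta.luniel.com. hostmaster.luniel.com. (
        2006051005 43200 3600 1209600 3600 )
    NS carpanta.luniel.com.
$ORIGIN 13.168.192.in-addr.arpa.
3 PTR carpanta.luniel.com.
"""

CLASSES = {"IN", "CH", "HS"}
NAME_RDATA = {"PTR": [0], "CNAME": [0], "NS": [0], "MX": [1], "SOA": [0, 1]}


def _logical_lines(text):
    """Yield (owner_is_blank, tokens): comments stripped, parenthesised records
    joined into one line, blank lines skipped."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            yield buf[0][:1].isspace(), tokens
            buf = []


def _absolute(name, origin):
    """Qualify a name against $ORIGIN; a trailing dot means it is already absolute."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner, type, rdata)] with owners and name-valued rdata fields
    made absolute; TTL and class fields are skipped."""
    origin, owner, records = ".", None, []
    for owner_blank, tokens in _logical_lines(text):
        if tokens[0] == "$ORIGIN":
            origin = _absolute(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        if not owner_blank:  # a leading blank means "same owner as before"
            owner, tokens = _absolute(tokens[0], origin), tokens[1:]
        if tokens[0].isdigit():            # optional TTL
            tokens = tokens[1:]
        if tokens[0].upper() in CLASSES:   # optional class
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_RDATA.get(rtype, []):
            rdata[i] = _absolute(rdata[i], origin)
        records.append((owner, rtype, rdata))
    return records


def _ptr_to_ipv4(name):
    """'3.13.168.192.in-addr.arpa.' -> '192.168.13.3'."""
    return ".".join(reversed(name[: -len(".in-addr.arpa.")].split(".")))


def check_forward_reverse(forward, reverse):
    """Return (missing_ptr, unconfirmed_ptr): addresses with an A record that
    fall inside a reverse zone we serve (the reverse SOA owners) but have no
    PTR, and PTRs whose target has no A record for that address, e.g. a PTR
    that points at a CNAME."""
    zones = [o for o, t, _ in reverse if t == "SOA"]
    ptrs = {o: r[0] for o, t, r in reverse if t == "PTR"}
    a_by_name = defaultdict(set)
    for o, t, r in forward:
        if t == "A":
            a_by_name[o].add(r[0])
    missing = set()
    for addrs in a_by_name.values():
        for ip in addrs:
            rev = ipaddress.ip_address(ip).reverse_pointer + "."
            if any(rev.endswith("." + z) for z in zones) and rev not in ptrs:
                missing.add(ip)
    unconfirmed = [(rev, tgt) for rev, tgt in ptrs.items()
                   if _ptr_to_ipv4(rev) not in a_by_name.get(tgt, set())]
    return sorted(missing), sorted(unconfirmed)
```

On the page's data both lists come back empty. Adding a host to the forward zone without its PTR shows up in the first list; a PTR for 192.168.13.4 pointing at wiki.luniel.com., which is a CNAME rather than an A record, shows up in the second. Run it over the real files (parse_zone(open("/var/bind/db/luniel.com").read()) and the matching reverse file) before bumping the serial.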
--Daniel Simao 14:44, 10 May 2006 (CEST)