Using Gentoo and Calculate Linux

Installing and configuring a DNS server on Gentoo / Calculate Linux

This article has been updated; you are reading an archived version of it.





Overview





BIND (Berkeley Internet Name Domain) is the most widely used DNS server on the Internet, especially on Unix-like systems.





Installation





In this tutorial, I will use the domain name linuxtricks.lan.



To install the DNS service on our server, install the net-dns/bind package.



Install it with the following command:



Code BASH:
emerge -avq bind




The output looks like this:



Code BASH:
[ebuild  N    ] net-dns/bind-9.10.1_p1  USE="berkdb caps dlz ipv6 ssl threads -doc -filter-aaaa -fixed-rrset -geoip -gost -gssapi -idn -json -ldap -mysql -nslint -odbc -postgres -python -rpz -seccomp (-selinux) -static-libs -urandom -xml" PYTHON_TARGETS="python2_7 -python3_3 -python3_4"

Would you like to merge these packages? [Yes/No]




Since I do not want LDAP support:



Code BASH:
echo "net-dns/bind -ldap" >> /etc/portage/package.use/custom



We can also install the DNS testing utilities (nslookup, dig, etc.):



Code BASH:
emerge -avq bind-tools






DNS configuration







General configuration





The installation created the file /etc/bind/named.conf, whose content is as follows:



Code TEXT:
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */

acl "xfer" {
        /* Deny transfers by default except for the listed hosts.
         * If we have other name servers, place them here.
         */
        none;
};

/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
        127.0.0.0/8;
        ::1/128;
};

options {
        directory "/var/bind";
        pid-file "/var/run/named/named.pid";

        /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
        //bindkeys-file "/etc/bind/bind.keys";

        listen-on-v6 { ::1; };
        listen-on { 127.0.0.1; };

        allow-query {
                /*
                 * Accept queries from our "trusted" ACL. We will
                 * allow anyone to query our master zones below.
                 * This prevents us from becoming a free DNS server
                 * to the masses.
                 */
                trusted;
        };

        allow-query-cache {
                /* Use the cache for the "trusted" ACL. */
                trusted;
        };

        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };

        allow-transfer {
                /* Zone transfers are denied by default. */
                none;
        };

        allow-update {
                /* Don't allow updates, e.g. via nsupdate. */
                none;
        };

        /*
         * If you've got a DNS server around at your upstream provider, enter its
         * IP address here, and enable the line below. This will make you benefit
         * from its cache, thus reduce overall DNS traffic in the Internet.
         *
         * Uncomment the following lines to turn on DNS forwarding, and change
         * and/or update the forwarding ip address(es):
         */
/*
        forward first;
        forwarders {
        //      123.123.123.123;        // Your ISP NS
        //      124.124.124.124;        // Your ISP NS
        //      4.2.2.1;                // Level3 Public DNS
        //      4.2.2.2;                // Level3 Public DNS
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };

*/

        //dnssec-enable yes;
        //dnssec-validation yes;

        /*
         * As of bind 9.8.0:
         * "If the root key provided has expired,
         * named will log the expiration and validation will not work."
         */
        //dnssec-validation auto;

        /* if you have problems and are behind a firewall: */
        //query-source address * port 53;
};

/*
logging {
        channel default_log {
                file "/var/log/named/named.log" versions 5 size 50M;
                print-time yes;
                print-severity yes;
                print-category yes;
        };

        category default { default_log; };
        category general { default_log; };
};
*/

include "/etc/bind/rndc.key";
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
        type hint;
        file "/var/bind/root.cache";
};

zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        notify no;
};

zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        notify no;
};

/*
 * Briefly, a zone which has been declared delegation-only will be effectively
 * limited to containing NS RRs for subdomains, but no actual data beyond its
 * own apex (for example, its SOA RR and apex NS RRset). This can be used to
 * filter out "wildcard" or "synthesized" data from NAT boxes or from
 * authoritative name servers whose undelegated (in-zone) data is of no
 * interest.
 * See http://www.isc.org/software/bind/delegation-only for more info
 */

//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {
//      type master;
//      file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
//      allow-query { any; };
//      allow-transfer { xfer; };
//};

//zone "YOUR-SLAVE.TLD" {
//      type slave;
//      file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
//      masters { <MASTER>; };

        /* Anybody is allowed to query but transfer should be controlled by the master. */
//      allow-query { any; };
//      allow-transfer { none; };

        /* The master should be the only one who notifies the slaves, shouldn't it? */
//      allow-notify { <MASTER>; };
//      notify no;
//};





Check the listen-on variables so that the other computers on the network can reach the DNS server (set them to any;):



Code TEXT:
        listen-on-v6 { any; };
        listen-on { any; };




The "trusted" ACL lists the computers that will be allowed to query our DNS server. Put one or more subnets there, or simply any for everyone.





Code TEXT:
acl "trusted" {
        127.0.0.0/8;
        10.21.27.0/24;
        192.168.216.0/24;
};




Code TEXT:
acl "trusted" {
        any;
};




We want our DNS server to forward the queries it cannot resolve itself to Google's servers (uncomment the forwarders block in the options section):



Code TEXT:
        forward first;
        forwarders {
                8.8.8.8;                // Google Open DNS
                8.8.4.4;                // Google Open DNS
        };
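Added example (not part of the original article): the following POSIX shell script checks a named.conf for the combination the default file's own comments warn against, recursion granted to any (directly or through the "trusted" ACL) while named listens on more than the loopback address, which is exactly what the acl "trusted" { any; } variant above produces once listen-on is set to any. It strips single-line comments only, and the two sample configurations it works on are constructed inline rather than taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original article): flag the "open resolver"
# combination the default named.conf warns about: recursion granted to "any",
# directly or via the "trusted" ACL, while named listens beyond loopback.
# Print the members of a braced block, one per line (single-line comments
# are stripped first). $1 = config file, $2 = keyword: 'listen-on', 'acl "x"'
block_members() {
  sed -e 's|/\*.*\*/||g' -e 's|//.*$||' "$1" | awk -v kw="$2" '
    BEGIN { re = "^[ \t]*" kw "[ \t]*[{]" }
    !inblk && $0 ~ re { inblk = 1; sub(re, "") }
    inblk {
      if (index($0, "}")) { inblk = 0; sub(/}.*/, "") }
      n = split($0, tok, ";")
      for (i = 1; i <= n; i++) {
        gsub(/[ \t]/, "", tok[i]); if (tok[i] != "") print tok[i]
      }
    }'
}
# Return 0 when recursion stays restricted, 1 when named would be an open resolver.
audit_named_conf() {
  conf=$1; who=""; loopback_only=1
  for m in $(block_members "$conf" "allow-recursion"); do
    acl=$(block_members "$conf" "acl \"$m\"")    # expand one level of ACL indirection
    who="$who ${acl:-$m}"
  done
  listen=$(block_members "$conf" "listen-on")
  [ -n "$listen" ] || loopback_only=0             # no listen-on: BIND listens everywhere
  for a in $listen; do case $a in 127.*) ;; *) loopback_only=0 ;; esac; done
  case " $(echo $who) " in
    *" any "*) [ $loopback_only -eq 1 ] || {
      echo "$conf: OPEN RESOLVER (recursion for any, listen-on: ${listen:-all})"; return 1; } ;;
  esac
  echo "$conf: recursion restricted to: $(echo $who)"
}
# Constructed samples mirroring the article's two "trusted" ACL variants.
WORK=$(mktemp -d)
cat >"$WORK/lan.conf" <<'EOF'
acl "trusted" { 127.0.0.0/8; 10.21.27.0/24; 192.168.216.0/24; };
options {
        listen-on { any; };
        allow-recursion {
                /* Only trusted addresses are allowed to use recursion. */
                trusted;
        };
};
EOF
sed 's|^acl "trusted".*|acl "trusted" { any; };|' "$WORK/lan.conf" >"$WORK/open.conf"
audit_named_conf "$WORK/lan.conf"; audit_named_conf "$WORK/open.conf" || :
```

Run it against /etc/bind/named.conf after editing the ACL and listen-on lines; a non-zero exit means the server would answer recursive queries for anyone who can reach it.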
 






Forward zone configuration





Next, we complete the bind configuration (still in /etc/bind/named.conf) by replacing the lines starting at //zone "YOUR-DOMAIN.TLD" { with the configuration of our own domain (example below):



Code TEXT:
zone "linuxtricks.lan" {
        type master;
        file "/var/bind/pri/linuxtricks.lan.zone";
        allow-query { any; };
        allow-transfer { xfer; };
};




We create the file /var/bind/pri/linuxtricks.lan.zone (in my example), or more generally the one declared in /etc/bind/named.conf (example below):



Code TEXT:
$TTL 1W
@       IN      SOA     linuxtricks.lan. root.linuxtricks.lan.  (
                                      2008122601 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      604800     ; Expire - 1 week
                                      86400 )    ; Minimum
@               IN      NS      localhost.
@               IN      A       127.0.0.1
@               IN      A       192.168.1.11
oxygen          IN      A       192.168.1.11
www             IN      A       192.168.1.15
routeur         IN      A       192.168.1.254

@               IN      AAAA    ::1
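Added example (not part of the original article): a POSIX shell helper that bumps the SOA serial of a zone file such as the one above, following the YYYYMMDDnn convention of the serial 2008122601. The date is passed as a parameter so the logic can be tested, the zone copy it edits is constructed inline, and it assumes the serial is the first all-digit field after the SOA's opening parenthesis, as in the file above.

```shell
#!/bin/sh
# Added example (not from the original article): bump the SOA serial of a
# zone file like /var/bind/pri/linuxtricks.lan.zone using the YYYYMMDDnn
# convention of the serial above (2008122601); slaves only pull a zone
# whose serial has grown, so every edit must be followed by a bump.
# $1 = current serial, $2 = today as YYYYMMDD (a parameter, for testing)
next_serial() {
  case $1 in *[!0-9]*|'') echo "next_serial: '$1' is not numeric" >&2; return 1 ;; esac
  case $1 in
    "$2"[0-9][0-9])                    # already bumped today: increment nn
      nn=${1#"$2"}; nn=$((${nn#0} + 1))
      [ "$nn" -le 99 ] || { echo "next_serial: 99 edits today already" >&2; return 1; }
      printf '%s%02d\n' "$2" "$nn" ;;
    *)
      if [ "$1" -ge "${2}01" ]; then   # serial already ahead of today: add one
        echo $(($1 + 1))
      else
        echo "${2}01"                  # first edit of the day
      fi ;;
  esac
}
# Rewrite $1 in place with its serial bumped and print the new serial.
# Assumes the serial is the first all-digit field after the SOA's "(".
bump_zone_serial() {
  old=$(awk '/[ \t]SOA[ \t]/ { insoa = 1 }
    insoa { for (i = 1; i <= NF; i++) {
      if ($i == "(") paren = 1; else if (paren && $i ~ /^[0-9]+$/) { print $i; exit } } }' "$1")
  new=$(next_serial "$old" "$2") || return 1
  awk -v old="$old" -v new="$new" '
    /[ \t]SOA[ \t]/ { insoa = 1 }
    insoa && !done && index($0, old) { sub(old, new); done = 1 }
    { print }' "$1" >"$1.tmp" && mv "$1.tmp" "$1"
  echo "$new"
}
# Constructed copy of the zone above (only the SOA matters here).
make_sample_zone() {
  cat >"$1" <<'EOF'
$TTL 1W
@       IN      SOA     linuxtricks.lan. root.linuxtricks.lan.  (
                                      2008122601 ; Serial
                                      28800      ; Refresh
                                      14400      ; Retry
                                      604800     ; Expire - 1 week
                                      86400 )    ; Minimum
@               IN      NS      localhost.
@               IN      A       192.168.1.11
EOF
}
ZONE=$(mktemp); make_sample_zone "$ZONE"
bump_zone_serial "$ZONE" "$(date +%Y%m%d)"; grep Serial "$ZONE"; rm -f "$ZONE"
```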
 




We edit the server's /etc/resolv.conf so that it uses the DNS server we have just installed.



Code TEXT:
# Generated by net-scripts for interface eth0
search linuxtricks.lan
nameserver 127.0.0.1




On Calculate Linux, the "cl-setup-network" tool can be used directly:

Code BASH:
cl-setup-network --dns 127.0.0.1






Starting the service





Now that our DNS server is installed and configured, we start the service:



Code BASH:
/etc/init.d/named start
 * Caching service dependencies ...
Service 'donutsd' needs non existent service 'mta'                                                           [ ok ]
 * Starting named ...
 * Checking named configuration ...                                                                          [ ok ]




All that remains is to add the named service to the server's startup:



Code BASH:
rc-update add named default
 * service named added to runlevel default






Bugs encountered





named failed to start





When starting the service after an update, I got this error:



Code BASH:
/etc/init.d/named start -v
named              | * Starting named ...
named              | * Checking named configuration ...                                                                                                 [ ok ]
named              | * start-stop-daemon: fopen '/run/named/named.pid': No such file or directory
named              | * Detaching to start '/usr/sbin/named' ...
named              | *   start-stop-daemon: failed to start '/usr/sbin/named'                                                                           [ !! ]
named              | * ERROR: named failed to start




It is actually a permissions problem on the named.conf file, which the named user cannot read:

Code BASH:
-rw-r----- 1 root root  3992 15 janv. 23:25 named.conf




Just restore the correct permissions:

Code BASH:
cd /etc/bind
chown named:root named.conf
chmod 0600 named.conf




Then everything starts correctly:

Code BASH:
/etc/init.d/named start -v
named              | * Starting named ...
named              | * Checking named configuration ...                                                                                                 [ ok ]
named              | * start-stop-daemon: fopen '/run/named/named.pid': No such file or directory
named              | * Detaching to start '/usr/sbin/named' ...




Code BASH:
/etc/init.d/named status
 * status: started