Installing and configuring a DNS server on Gentoo / Calculate Linux
Overview
Installation
In this tutorial I'll use the domain name oxygen.sytes.net.
To install the DNS service on our server, install the net-dns/bind package.
First check what the installation would pull in with a dry run:
Code BASH:
emerge -p bind
When I tried this on my server, I got this error:
oxygen adrien # emerge -p bind
These are the packages that would be merged, in order:
Calculating dependencies |
!!! Problem resolving dependencies for net-dns/bind
... done!
!!! The ebuild selected to satisfy "bind" has unmet requirements.
- net-dns/bind-9.9.2_p1::gentoo USE="berkdb ipv6 ssl -caps -dlz -doc -filter-aaaa -geoip -gost -gssapi -idn -ldap -mysql -odbc -postgres -python -rpz -rrl -sdb-ldap (-selinux) -static-libs -threads -urandom -xml" CDISTRO="CSS"
The following REQUIRED_USE flag constraints are unsatisfied:
berkdb? ( dlz )
The above constraints are a subset of the following complete expression:
postgres? ( dlz ) berkdb? ( dlz ) mysql? ( dlz !threads ) odbc? ( dlz ) ldap? ( dlz ) sdb-ldap? ( dlz ) gost? ( ssl ) threads? ( caps )
So I added the required USE flag:
Code BASH:
echo "net-dns/bind dlz" >> /etc/portage/package.use/custom
Once the emerge dry run passes and any remaining issues are sorted out, we're ready to install bind:
Code BASH:
[ebuild N ] net-dns/bind-9.9.2_p1 USE="berkdb dlz ipv6 ssl -caps -doc -filter-aaaa -geoip -gost -gssapi -idn -ldap -mysql -odbc -postgres -python -rpz -rrl -sdb-ldap (-selinux) -static-libs -threads -urandom -xml"
Start the installation with
Code BASH:
emerge bind
Also install the DNS testing utilities (nslookup, dig, etc.):
Code BASH:
emerge bind-tools
DNS configuration
General configuration
The installation created the file /etc/bind/named.conf with the following content:
/*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
 * Online versions of the documentation can be found here:
 * http://www.isc.org/software/bind/documentation
 *
 * If you are going to set up an authoritative server, make sure you
 * understand the hairy details of how DNS works. Even with simple mistakes,
 * you can break connectivity for affected parties, or cause huge amounts of
 * useless Internet traffic.
 */

acl "xfer" {
    /* Deny transfers by default except for the listed hosts.
     * If we have other name servers, place them here.
     */
    none;
};

/*
 * You might put in here some ips which are allowed to use the cache or
 * recursive queries
 */
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
};

options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";

    /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
    //bindkeys-file "/etc/bind/bind.keys";

    listen-on-v6 { ::1; };
    listen-on { 127.0.0.1; };

    allow-query {
        /*
         * Accept queries from our "trusted" ACL. We will
         * allow anyone to query our master zones below.
         * This prevents us from becoming a free DNS server
         * to the masses.
         */
        trusted;
    };

    allow-query-cache {
        /* Use the cache for the "trusted" ACL. */
        trusted;
    };

    allow-recursion {
        /* Only trusted addresses are allowed to use recursion. */
        trusted;
    };

    allow-transfer {
        /* Zone tranfers are denied by default. */
        none;
    };

    allow-update {
        /* Don't allow updates, e.g. via nsupdate. */
        none;
    };

    /*
     * If you've got a DNS server around at your upstream provider, enter its
     * IP address here, and enable the line below. This will make you benefit
     * from its cache, thus reduce overall DNS traffic in the Internet.
     *
     * Uncomment the following lines to turn on DNS forwarding, and change
     * and/or update the forwarding ip address(es):
     */
/*
    forward first;
    forwarders {
    //    123.123.123.123;    // Your ISP NS
    //    124.124.124.124;    // Your ISP NS
    //    4.2.2.1;            // Level3 Public DNS
    //    4.2.2.2;            // Level3 Public DNS
        8.8.8.8;            // Google Open DNS
        8.8.4.4;            // Google Open DNS
    };
*/

    //dnssec-enable yes;
    //dnssec-validation yes;

    /*
     * As of bind 9.8.0:
     * "If the root key provided has expired,
     * named will log the expiration and validation will not work."
     */
    //dnssec-validation auto;

    /* if you have problems and are behind a firewall: */
    //query-source address * port 53;
};

/*
logging {
    channel default_log {
        file "/var/log/named/named.log" versions 5 size 50M;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    category default { default_log; };
    category general { default_log; };
};
*/

include "/etc/bind/rndc.key";
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
};

zone "." in {
    type hint;
    file "/var/bind/root.cache";
};

zone "localhost" IN {
    type master;
    file "pri/localhost.zone";
    notify no;
};

zone "127.in-addr.arpa" IN {
    type master;
    file "pri/127.zone";
    notify no;
};

/*
 * Briefly, a zone which has been declared delegation-only will be effectively
 * limited to containing NS RRs for subdomains, but no actual data beyond its
 * own apex (for example, its SOA RR and apex NS RRset). This can be used to
 * filter out "wildcard" or "synthesized" data from NAT boxes or from
 * authoritative name servers whose undelegated (in-zone) data is of no
 * interest.
 * See http://www.isc.org/software/bind/delegation-only for more info
 */
//zone "COM" { type delegation-only; };
//zone "NET" { type delegation-only; };

//zone "YOUR-DOMAIN.TLD" {
//    type master;
//    file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
//    allow-query { any; };
//    allow-transfer { xfer; };
//};

//zone "YOUR-SLAVE.TLD" {
//    type slave;
//    file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
//    masters { <MASTER>; };
      /* Anybody is allowed to query but transfer should be controlled by the master. */
//    allow-query { any; };
//    allow-transfer { none; };
      /* The master should be the only one who notifies the slaves, shouldn't it? */
//    allow-notify { <MASTER>; };
//    notify no;
//};
Change the listen-on variables so that the other machines on the network can reach the DNS server (set them to any;):
Code TEXT:
listen-on-v6 { any; };
listen-on { any; };
Do the same for the "trusted" ACL, which the allow-query, allow-query-cache and allow-recursion blocks above all refer to:
Code TEXT:
acl "trusted" { any; };
We want our DNS server to forward anything it can't resolve itself to Google's servers, so uncomment the forwarding block:
Code TEXT:
forward first;
forwarders {
    8.8.8.8; // Google Open DNS
    8.8.4.4; // Google Open DNS
};
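With any; in both the listeners and the "trusted" ACL, every host that can reach port 53 may use this server as a recursive resolver, which is fine on a private LAN but makes the machine an open resolver if it is reachable from the Internet. The Python script below is an added example, not part of the tutorial or of BIND: it parses the simple option syntax used above with a small regex-based parser (named-checkconf remains the real syntax check) and reports an allow-recursion or allow-query-cache that expands to any while listen-on is not restricted to loopback. The two embedded configs are constructed: one mirrors the tutorial's edits, the other limits the "trusted" ACL to loopback plus the 192.168.1.0/24 prefix used by the tutorial's zone records.

```python
import re

# Constructed sample: the tutorial's named.conf once listen-on and the
# "trusted" ACL have been widened to any; and forwarding has been enabled.
OPEN_CONF = """
acl "xfer" { none; };
acl "trusted" { any; };
options {
    directory "/var/bind";
    listen-on-v6 { any; };
    listen-on { any; };
    allow-query { trusted; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };
    allow-transfer { xfer; };
    /* forwarders uncommented as in the tutorial */
    forward first;
    forwarders { 8.8.8.8; 8.8.4.4; };
};
"""

# Constructed hardened variant: same listeners, but recursion is limited to
# loopback plus the LAN prefix that appears in the tutorial's zone file.
LAN_CONF = OPEN_CONF.replace(
    'acl "trusted" { any; };',
    'acl "trusted" { 127.0.0.0/8; ::1/128; 192.168.1.0/24; };',
)


def strip_comments(text):
    """Remove /* */, // and # comments (named.conf accepts all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_acls(text):
    """Map each top-level acl name to its list of address-match elements."""
    acls = {}
    for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{([^}]*)\}\s*;', text):
        acls[m.group(1)] = [x.strip() for x in m.group(2).split(";") if x.strip()]
    return acls


def option_list(text, name):
    """Elements of `name { a; b; };`, or None when the statement is absent.
    Only the plain form used in the tutorial is recognised (no port/key
    qualifiers); listen-on does not match listen-on-v6 because a '{' must follow."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", text)
    if m is None:
        return None
    return [x.strip() for x in m.group(1).split(";") if x.strip()]


def expand(elements, acls, seen=frozenset()):
    """Replace ACL references by their members, recursively and cycle-safe."""
    out = []
    for el in elements:
        if el in acls and el not in seen:
            out.extend(expand(acls[el], acls, seen | {el}))
        else:
            out.append(el)
    return out


def listens_beyond_loopback(text):
    """True when any listen-on / listen-on-v6 element is not a loopback address."""
    listeners = (option_list(text, "listen-on") or []) + (option_list(text, "listen-on-v6") or [])
    return any(el == "any" or not el.startswith(("127.", "::1")) for el in listeners)


def audit(conf):
    """Return a list of findings; an empty list means these checks found no
    open-resolver or open-transfer exposure."""
    text = strip_comments(conf)
    acls = parse_acls(text)
    findings = []
    exposed = listens_beyond_loopback(text)
    for opt in ("allow-recursion", "allow-query-cache"):
        elements = option_list(text, opt)
        if elements is not None and exposed and "any" in expand(elements, acls):
            findings.append(f"{opt} expands to any on a non-loopback listener: open recursive resolver")
    xfer = option_list(text, "allow-transfer")
    if xfer is not None and "any" in expand(xfer, acls):
        findings.append("allow-transfer expands to any: anyone can pull the full zone contents")
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", OPEN_CONF), ("LAN-restricted", LAN_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against your own /etc/bind/named.conf by reading the file into `audit()`; the tutorial's configuration yields two findings, the LAN-restricted variant none, while the server still answers every host on 192.168.1.0/24.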
Forward zone configuration
Next, complete the bind configuration (still in /etc/bind/named.conf) by replacing the lines from //zone "YOUR-DOMAIN.TLD" { onward with the configuration of our own domain (example below):
Code TEXT:
zone "oxygen.sytes.net" {
    type master;
    file "/var/bind/pri/oxygen.sytes.net.zone";
    allow-query { any; };
    allow-transfer { xfer; };
};
Create the file /var/bind/pri/oxygen.sytes.net.zone (in my example), or more generally the one declared in /etc/bind/named.conf (example below):
Code TEXT:
$TTL 1W
@   IN  SOA oxygen.sytes.net. root.oxygen.sytes.net. (
        2008122601  ; Serial
        28800       ; Refresh
        14400       ; Retry
        604800      ; Expire - 1 week
        86400 )     ; Minimum
@             IN  NS    localhost.
@             IN  A     127.0.0.1
@             IN  A     192.168.1.11
oxygen        IN  A     192.168.1.11
supermachine  IN  A     192.168.1.15
@             IN  AAAA  ::1
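Every later edit of this file must also raise the SOA serial, otherwise secondaries and caches keep the old data; the author follows the YYYYMMDDnn convention (2008122601 = 2008-12-26, edit 01). The Python below is an added example, not from the tutorial or from BIND: it parses the zone file above (including the multi-line SOA in parentheses), runs a few sanity checks on the SOA timers, and computes and writes the next date-based serial. It only understands single-line records with an explicit owner name, as used here, so named-checkzone oxygen.sytes.net /var/bind/pri/oxygen.sytes.net.zone from bind-tools remains the real validation step.

```python
import re
from datetime import date

# Constructed sample: the zone file exactly as given in the tutorial.
SAMPLE_ZONE = """$TTL 1W
@   IN  SOA oxygen.sytes.net. root.oxygen.sytes.net. (
        2008122601  ; Serial
        28800       ; Refresh
        14400       ; Retry
        604800      ; Expire - 1 week
        86400 )     ; Minimum
@             IN  NS    localhost.
@             IN  A     127.0.0.1
@             IN  A     192.168.1.11
oxygen        IN  A     192.168.1.11
supermachine  IN  A     192.168.1.15
@             IN  AAAA  ::1
"""


def logical_lines(text):
    """Yield token lists: ';' comments dropped, '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # strip comment before counting parens
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf = []
            if tokens:
                yield tokens
    if depth != 0:
        raise ValueError("unbalanced parentheses in zone file")


def parse_zone(text):
    """Return (default_ttl, soa, records); soa is a dict with integer timers,
    records a list of (owner, type, rdata). Each record line needs its owner."""
    ttl, soa, records = None, None, []
    for tokens in logical_lines(text):
        if tokens[0] == "$TTL":
            ttl = tokens[1]
            continue
        owner, rest = tokens[0], tokens[1:]
        if rest and rest[0] == "IN":         # class is optional in zone files
            rest = rest[1:]
        rtype, rdata = rest[0], rest[1:]
        if rtype == "SOA":
            keys = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            soa = dict(zip(keys, rdata))
            for k in keys[2:]:
                soa[k] = int(soa[k])
        else:
            records.append((owner, rtype, " ".join(rdata)))
    return ttl, soa, records


def is_date_serial(serial):
    """True when the serial is YYYYMMDDnn with a real calendar date."""
    s = str(serial)
    if len(s) != 10:
        return False
    try:
        date(int(s[:4]), int(s[4:6]), int(s[6:8]))
    except ValueError:
        return False
    return True


def next_serial(current, today):
    """Today's date with counter 01, or current+1 when that would not be larger
    (several edits on one day, or a serial already ahead of the clock)."""
    candidate = int(today.strftime("%Y%m%d")) * 100 + 1
    return candidate if candidate > current else current + 1


def check_zone(text):
    """Sanity checks worth running before reloading the zone."""
    _, soa, records = parse_zone(text)
    if soa is None:
        return ["no SOA record"]
    problems = []
    if not is_date_serial(soa["serial"]):
        problems.append("serial does not follow YYYYMMDDnn")
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"]:
        problems.append("expire should be longer than refresh")
    if not any(rtype == "NS" for _, rtype, _ in records):
        problems.append("zone has no NS record")
    return problems


def bump_serial(text, today):
    """Return (new_text, new_serial) with the SOA serial replaced in place."""
    _, soa, _ = parse_zone(text)
    new = next_serial(soa["serial"], today)
    return re.sub(r"\b%d\b" % soa["serial"], str(new), text, count=1), new


if __name__ == "__main__":
    print(check_zone(SAMPLE_ZONE) or ["zone looks sane"])
    print(bump_serial(SAMPLE_ZONE, date.today())[1])
```

A typical workflow is: edit the records, call `bump_serial()` on the file contents, write the result back, run named-checkzone, then `rndc reload`.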
Edit the server's /etc/resolv.conf so that it uses the DNS server we just installed:
Code TEXT:
# Generated by net-scripts for interface eth0
search oxygen.sytes.net
nameserver 127.0.0.1
Starting the service
Now that our DNS server is installed and configured, start the service:
Code BASH:
/etc/init.d/named start
 * Caching service dependencies ...
Service `donutsd' needs non existent service `mta'                  [ ok ]
 * Starting named ...
 * Checking named configuration ...                                 [ ok ]
All that's left is to add the named service to the server's startup:
Code BASH:
rc-update add named default
* service named added to runlevel default