Bind
Отключение ipv6
Для запуска только с поддержкой ipv4 named должен запускаться с дополнительной опцией «-4»:
В /lib/systemd/system/bind9.service должна быть строчка вида:
# named stays in the foreground (-f) for systemd, drops to the unprivileged
# "bind" user (-u) and, with -4, only listens on / speaks IPv4
ExecStart=/usr/sbin/named -f -u bind -4
Изменяем и перегружаем systemctl:
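# Do not edit the packaged unit under /lib/systemd/system: it belongs to the
# bind9 package and can be overwritten on the next upgrade, silently dropping
# "-4". Put the change into a drop-in override that systemd merges on top of
# the vendor unit instead.
sudo mkdir -p /etc/systemd/system/bind9.service.d
sudo tee /etc/systemd/system/bind9.service.d/ipv4-only.conf >/dev/null <<'EOF'
[Service]
# an empty ExecStart= clears the vendor command line before it is redefined
ExecStart=
ExecStart=/usr/sbin/named -f -u bind -4
EOF
sudo systemctl daemon-reload
# sed (as in the old one-liner) exits 0 even when nothing matched; verify
# the merged unit really carries -4 before restarting the service
systemctl show -p ExecStart bind9 | grep -q -- ' -4' \
  || echo 'ExecStart override not applied, check systemctl cat bind9' >&2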
В /etc/default/bind9 должна быть строчка вида (в более новых выпусках Debian/Ubuntu этот файл называется /etc/default/named — смотрите, какой EnvironmentFile указан в юните):
# extra arguments passed to named by the init script / unit; -4 = IPv4 only
OPTIONS="-u bind -4"
Команда:
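# Append -4 to the OPTIONS line. The substitution is a no-op once -4 is
# present, but sed also exits 0 when the expected text is missing, so check
# the result instead of trusting the exit status.
sudo sed -i 's/-u bind"/-u bind -4"/g' /etc/default/bind9
grep -q '^OPTIONS=.*-4' /etc/default/bind9 \
  || echo 'OPTIONS line not updated, edit /etc/default/bind9 by hand' >&2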
Зоны
Форвард зоны
Чтобы все запросы для определённого домена (и его поддоменов) перенаправлять на другой сервер, добавляем:
// Hand every query for example.loc and its subdomains to 192.168.10.250.
zone "example.loc" {
    type forward;
    // "only": never fall back to resolving from this server when the
    // forwarder does not answer - queries for the domain simply fail
    // until it is back ("first" would try the forwarder, then recurse).
    forward only;
    forwarders {
        192.168.10.250;
    };
};
Рекурсия
Определяем, кому разрешено пользоваться рекурсией (то есть резолвить через этот сервер чужие зоны). Список должен содержать только локальные сети: 0.0.0.0/0 превратит сервер в открытый резолвер, который будут использовать для DNS-amplification и попыток отравления кэша. Учтите, что BIND не допускает ссылок на ещё не объявленный acl, а в Debian/Ubuntu named.conf подключает named.conf.options раньше named.conf.local, поэтому acl надёжнее объявить в начале /etc/bind/named.conf.options (выше блока options), например:
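// Hosts allowed to use this server as a recursive resolver.
// Never put 0.0.0.0/0 here: it matches every IPv4 address on the Internet
// and turns the server into an open resolver (usable for DNS
// amplification/reflection and cache-poisoning attempts). List only the
// local networks this server is meant to serve.
acl "trusted" {
    127.0.0.0/8;
    192.168.10.0/24;   // replace with your internal subnet(s)
};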
и в /etc/bind/named.conf.options в блоке options { … }; добавляем:
// only members of the "trusted" ACL may ask this server to resolve names it
// is not authoritative for; everyone else is refused recursion
allow-recursion { trusted; };
Логирование
Создаем директорию для логов:
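# Create the log directory owned by the user named runs as (-u bind).
# Query logs record client IPs and the names they looked up, so keep the
# directory unreadable to other local users (0750) instead of the 0755 a
# plain mkdir gives under the usual umask. install -d is idempotent.
sudo install -d -o bind -g bind -m 0750 /var/log/named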
Создаём /etc/bind/named.conf.log:
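// One file per category under /var/log/named (the directory must be
// writable by the user named runs as). Every channel keeps 3 rotated files
// of 5 MB. "severity dynamic" follows the server's current debug level
// (-d / rndc trace); at the default level 0 that is info and above.
// print-severity and print-category are added so each line can be triaged
// on its own, e.g. after the files are shipped to a central log system.
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    // approval/denial of requests (refused recursion, rejected updates,
    // rejected zone transfers) - the first file to read during an incident
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    // Giving the "queries" category a channel switches query logging on at
    // startup (unless querylog is set explicitly in options). Every query
    // is written - client address, name and type - which is personal data
    // and costs disk and CPU on a busy resolver; 3 x 5 MB rotates away
    // within minutes under load, so size this channel deliberately.
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };

    // "default" receives every category that is not listed explicitly below
    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};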
и подключаем его, добавляем в /etc/bind/named.conf:
// pulls the logging {} statement in; a config may contain only ONE logging
// statement, so this include must appear exactly once in named.conf
include "/etc/bind/named.conf.log";
командой:
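# Append the include only if it is not there yet: BIND accepts a single
# logging {} statement, so running the old "echo | tee -a" twice produced a
# duplicate include and named rejected the config. Validate the result
# before the running service picks it up.
grep -qF 'include "/etc/bind/named.conf.log";' /etc/bind/named.conf \
  || printf '%s\n' 'include "/etc/bind/named.conf.log";' | sudo tee -a /etc/bind/named.conf >/dev/null
sudo named-checkconf && sudo systemctl reload bind9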
Ошибки
validating @0x7…: SOA: got insecure response; parent indicates it should be secure
Ответ пришёл без подписей DNSSEC, хотя родительская зона (через запись DS) объявляет зону подписанной: либо DNSSEC на запрашиваемом сервере сломан или не настроен, либо подписи отбрасывает промежуточный форвардер/резолвер, через который ходят запросы. Быстрый, но небезопасный обход — отключить проверку в named.conf.options в секции options:
// WARNING: this turns DNSSEC validation off for EVERY domain, not just the
// broken one, so forged or poisoned answers are no longer rejected
dnssec-validation no;
Правильное решение — починить DNSSEC на запрашиваемом сервере (или убрать запись DS у родителя, если зона больше не подписывается). Если сломана одна конкретная зона, вместо глобального отключения проверки используйте временный negative trust anchor (rndc nta <домен>): он отключает валидацию только для этого домена и на ограниченное время, не ослабляя защиту остальных запросов.
couldn’t add command channel ::1#953: address not available
На хосте нет IPv6-адреса ::1, а по умолчанию named пытается открыть управляющий канал rndc и на 127.0.0.1, и на ::1. Варианты: запускать named только с поддержкой IPv4 (ключ «-4», см. выше) либо явно ограничить канал в named.conf, например: controls { inet 127.0.0.1 port 953 allow { localhost; }; };
Ссылки