Bind

Отключение ipv6

Для запуска только с поддержкой ipv4 named должен запускаться с дополнительной опцией «-4»:

В /lib/systemd/system/bind9.service должна быть строчка вида:

ExecStart=/usr/sbin/named -f -u bind -4

Изменяем и перегружаем systemctl:

sudo sed -i 's/-u bind$/-u bind -4/g' /lib/systemd/system/bind9.service
sudo systemctl daemon-reload

До 16.04

В /etc/default/bind9 должна быть строчка вида:

OPTIONS="-u bind -4"

Команда:

sudo sed -i 's/-u bind"/-u bind -4"/g' /etc/default/bind9

Зоны

Форвард зоны

Для того чтобы отправлять все запросы на другой сервер по определенному домену, добавляем:

zone "example.loc" {
      type forward;
      forward only;
      forwarders {
                192.168.10.250;
      };
};

Рекурсия

В файле /etc/bind/named.conf.local определяем кому можно использовать рекурсию, например:

acl "trusted" {
    127.0.0.0/8;
    0.0.0.0/0;
};

и в /etc/bind/named.conf.options в блоке options { … }; добавляем:

allow-recursion { trusted; };

Логирование

Создаем директорию для логов:

sudo mkdir /var/log/named
sudo chown bind:bind /var/log/named

Создаём /etc/bind/named.conf.log:

named.conf.log

logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

и подключаем его, добавляем в /etc/bind/named.conf:

include "/etc/bind/named.conf.log";

командой:

echo include \"/etc/bind/named.conf.log\"\; | sudo tee -a /etc/bind/named.conf

Ошибки

validating @0x7…: SOA: got insecure response; parent indicates it should be secure

На днс сервере остутствует dnssec. Необходимо в named.conf.options в секции options изменить:

dnssec-validation no;

Либо на запрашиваемом сервере включить dnssec.

couldn’t add command channel ::1#953: address not available

Отсутствует интерфейс ipv6, необходимо bind запускать только с поддержкой ipv4.

Ссылки

http://adminubuntu.net/2011/03/03/logi-bind9-v-otdelnyie-faylyi.html

http://wiki.dieg.info/bind

http://ru.wikipedia.org/wiki/Типы_ресурсных_записей_DNS