Environment: KVM
Host OS: Debian GNU/Linux 10.7
Guest OS: FreeBSD 12.2-RELEASE r366954 GENERIC amd64
▼Package update
# pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz: 100% 916 B 0.9kB/s 00:01
Fetching packagesite.txz: 100% 6 MiB 6.7MB/s 00:01
Processing entries: 100%
FreeBSD repository update completed. 31973 packages processed.
All repositories are up to date.
▼Check installed packages
# pkg info
adwaita-icon-theme-3.38.0 GNOME Symbolic Icons
apache24-2.4.46 Version 2.4.x of Apache web server
apr-1.7.0.1.6.1_1 Apache Portability Library
argyllcms-1.9.2_5 ICC compatible color management system
at-spi2-atk-2.34.2 Assisted Technology Provider module for GTK+
at-spi2-core-2.36.0 Assistive Technology Service Provider Interface
atk-2.36.0 GNOME accessibility toolkit (ATK)
avahi-app-0.7_3 Service discovery on a local network
---omitted---
▼Search the binary package repository for the BIND application
# pkg search bind9
bind9-devel-9.17.4.a0.2020.09.14 BIND DNS suite with updated DNSSEC and DNS64
bind911-9.11.25 BIND DNS suite with updated DNSSEC and DNS64
bind916-9.16.9 BIND DNS suite with updated DNSSEC and DNS64
▼Install bind
# pkg install bind916
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 9 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
bind-tools: 9.16.9
bind916: 9.16.9
fstrm: 0.6.0
json-c: 0.15
libuv: 1.40.0
lmdb: 0.9.24_3,1
protobuf-c: 1.3.2_6
py37-ply: 3.11
py37-setuptools: 44.0.0
Number of packages to be installed: 9
The process will require 64 MiB more space.
8 MiB to be downloaded.
Proceed with this action? [y/N]: y
[1/9] Fetching bind916-9.16.9.txz: 100% 3 MiB 3.3MB/s 00:01
[2/9] Fetching bind-tools-9.16.9.txz: 100% 4 MiB 4.1MB/s 00:01
[3/9] Fetching py37-ply-3.11.txz: 100% 128 KiB 131.4kB/s 00:01
[4/9] Fetching py37-setuptools-44.0.0.txz: 100% 512 KiB 524.4kB/s 00:01
[5/9] Fetching libuv-1.40.0.txz: 100% 119 KiB 121.7kB/s 00:01
[6/9] Fetching json-c-0.15.txz: 100% 62 KiB 63.4kB/s 00:01
[7/9] Fetching protobuf-c-1.3.2_6.txz: 100% 169 KiB 173.2kB/s 00:01
[8/9] Fetching fstrm-0.6.0.txz: 100% 64 KiB 65.6kB/s 00:01
[9/9] Fetching lmdb-0.9.24_3,1.txz: 100% 101 KiB 103.2kB/s 00:01
Checking integrity... done (0 conflicting)
[1/9] Installing py37-setuptools-44.0.0...
[1/9] Extracting py37-setuptools-44.0.0: 100%
[2/9] Installing py37-ply-3.11...
[2/9] Extracting py37-ply-3.11: 100%
[3/9] Installing libuv-1.40.0...
[3/9] Extracting libuv-1.40.0: 100%
[4/9] Installing json-c-0.15...
[4/9] Extracting json-c-0.15: 100%
[5/9] Installing bind-tools-9.16.9...
[5/9] Extracting bind-tools-9.16.9: 100%
[6/9] Installing protobuf-c-1.3.2_6...
[6/9] Extracting protobuf-c-1.3.2_6: 100%
[7/9] Installing fstrm-0.6.0...
[7/9] Extracting fstrm-0.6.0: 100%
[8/9] Installing lmdb-0.9.24_3,1...
[8/9] Extracting lmdb-0.9.24_3,1: 100%
[9/9] Installing bind916-9.16.9...
[9/9] Extracting bind916-9.16.9: 100%
=====
Message from bind916-9.16.9:
--
BIND requires configuration of rndc, including a "secret"
key. The easiest, and most secure way to configure rndc is
to run 'rndc-confgen -a' to generate the proper conf file,
with a new random key, and appropriate file permissions.
The /usr/local/etc/rc.d/named script will do that for you.
If using syslog to log the BIND9 activity, and using a
chroot'ed installation, you will need to tell syslog to install
a log socket in the BIND9 chroot by running:
# sysrc altlog_proglist+=named
And then restarting syslogd with: service syslogd restart
▼List of configuration files
named.root
named.local
in-named.rev
out-server-bff.net.zone
www11.158.141.203.in-addr.arpa.zone
▼named.conf settings
I wrote the file split into a # Local Network Zone Setting (inside the LAN) section and a # Global Network Setting section.
In the options section I specified allow-transfer { none; }; and allowed zone transfers to the secondary DNS server only for the Global Network.
# named.conf files
#Use with the following in named.conf, adjusting the allow list as needed:
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc.key"; };
};
#End of named.conf
acl hogenet {
192.168.0.0/24;
127.0.0.1;
};
logging {
category lame-servers { null; };
category edns-disabled { null; };
};
options {
// All file and path names are relative to the chroot directory,
// if any, and should be fully qualified.
directory "/usr/local/etc/namedb/working";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";
auth-nxdomain yes;
allow-query { none; };
allow-transfer { none; };
recursion no;
empty-zones-enable no;
blackhole { XXX.XXX.XXX.XXX; XXX.XXX.XXX.XXX; }; // IP addresses to block
recursive-clients 400;
lame-ttl 1800;
version "";
dnssec-validation no;
};
# Local Network Zone Setting
view "localnet" {
match-clients { hogenet; };
recursion yes;
allow-transfer { hogenet; };
allow-recursion { hogenet; };
allow-query { hogenet; };
zone "." {
type hint;
file "/usr/local/etc/namedb/named.root";
};
zone "server-bff.net"{
type master;
file "in-server-bff.net.zone";
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
};
zone "0.168.192.in-addr.arpa"{
type master;
file "in-named.rev";
};
};
# Global Network Setting
view "globalnet" {
match-clients { any; };
allow-query { any; };
recursion no;
zone "server-bff.net"{
type master;
file "out-server-bff.net.zone";
allow-transfer {
XXX.XXX.XXX.XXX; // IP address of the secondary DNS
};
also-notify {
XXX.XXX.XXX.XXX; // IP address of the secondary DNS
};
};
zone "SUB11.158.141.203.in-addr.arpa"{
type master;
file "www11.158.141.203.in-addr.arpa.zone";
allow-transfer {
XXX.XXX.XXX.XXX; // IP address of the secondary DNS
};
also-notify {
XXX.XXX.XXX.XXX; // IP address of the secondary DNS
};
};
};
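Added example, not part of the original post and not ISC tooling: a small Python auditor that tokenises a named.conf written in the style above and reports a view that answers any client with recursion enabled, or a zone whose effective allow-transfer (zone, then view, then options, then BIND's own defaults) is any. The sample config, the view named "weak" and the secondary address 203.0.113.10 are constructed for the example.

```python
# Constructed auditor (not ISC tooling): flags open-resolver views and zones transferable by 'any'.
import re
# Comments (//, #, /* */) are dropped, quoted strings stay whole, { } ; are single tokens.
_TOKEN = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/|"[^"]*"|[{};]|[^\s{};"]+', re.S)

def parse(tokens, pos=0):
    """Parse up to the matching '}' into (words, children) statements: zone "x" {...}; -> (['zone','x'], [...])."""
    stmts, words = [], []
    while pos < len(tokens) and tokens[pos] != '}':
        tok, pos = tokens[pos], pos + 1
        if tok not in ('{', ';'):
            words.append(tok)
            continue
        children, pos = parse(tokens, pos) if tok == '{' else ([], pos)
        stmts.append((words, children))
        words = []
    return stmts, pos + 1

def setting(body, name, default):
    """Values given for `name` directly in a block: inline words plus brace-list items."""
    for words, kids in body:
        if words and words[0] == name:
            return set(words[1:]) | {k[0][0] for k in kids if k[0]}
    return default

def audit(text):
    """Findings; inheritance is zone > view > options > BIND defaults (match-clients any, recursion yes, allow-transfer any)."""
    tokens = [t.strip('"') for t in _TOKEN.findall(text) if not t.startswith(('//', '#', '/*'))]
    top, _ = parse(tokens)
    options, findings = next((b for w, b in top if w == ['options']), []), []
    for words, body in top:
        if words[:1] != ['view']:
            continue
        recursion = setting(body, 'recursion', setting(options, 'recursion', {'yes'}))
        if 'any' in setting(body, 'match-clients', {'any'}) and 'yes' in recursion:
            findings.append(f'view {words[1]}: open resolver (recursion yes for any client)')
        xfer = setting(body, 'allow-transfer', setting(options, 'allow-transfer', {'any'}))
        for zw, zb in body:
            if zw[:1] == ['zone'] and 'any' in setting(zb, 'allow-transfer', xfer):
                findings.append(f'view {words[1]} zone {zw[1]}: allow-transfer any')
    return findings

SAMPLE = '''  # constructed: the page's public view plus a weak one; 203.0.113.10 is a placeholder
options { allow-transfer { none; }; recursion no; };
view "globalnet" { match-clients { any; }; allow-query { any; }; recursion no;
  zone "server-bff.net" { type master; file "out-server-bff.net.zone"; allow-transfer { 203.0.113.10; }; }; };
view "weak" { match-clients { any; }; recursion yes;
  zone "example.test" { type master; file "x.zone"; allow-transfer { any; }; }; };
'''
FINDINGS = audit(SAMPLE)   # two findings, both against view "weak"
```

Run it against the real /usr/local/etc/namedb/named.conf with `audit(open(path).read())`; it complements `named-checkconf`, which validates syntax but not policy.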
▼rndc (remote name daemon control) settings
# rndc-confgen -b 512 -k rndc.key
# Start of rndc.conf
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
options {
default-key "rndc.key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc.key" {
# algorithm hmac-sha256;
# secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc.key"; };
# };
# End of named.conf
Save the output above, from # Start of rndc.conf through # End of rndc.conf, as a file named rndc.conf. Also, uncomment (remove the leading #) the part from # Use with the following in named.conf, adjusting the allow list as needed: through # End of named.conf, and append it to named.conf.
▼rndc.conf
# Start of rndc.conf
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
options {
default-key "rndc.key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
▼Append the following to named.conf.
#Use with the following in named.conf, adjusting the allow list as needed:
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc.key"; };
};
#End of named.conf
▼Key creation
# rndc-confgen -a -b 512 -k rndc.key
wrote key file "/usr/local/etc/namedb/rndc.key"
Replace the XXXXXXXX in the secret field of rndc.conf with the secret field of the generated rndc.key file, then save.
# vi rndc.key
key "rndc.key" {
algorithm hmac-sha256;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX";
};
▼Startup settings
# vi /etc/rc.conf
named_enable="YES"
▼Start!
# /usr/local/etc/rc.d/named start
Starting named.
▼Check /var/log/messages
Sep 9 12:42:53 www named[63954]: starting BIND 9.16.10 (Stable Release) <id:fac8def>
Sep 9 12:42:53 www named[63954]: running on FreeBSD amd64 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC
Sep 9 12:42:53 www named[63954]: built with '--disable-linux-caps' '--localstatedir=/var' '--sysconfdir=/usr/local/etc/namedb' '--with-dlopen=yes' '--with-libxml2' '--with-openssl=/usr' '--with-readline=-L/usr/local/lib -ledit' '--with-dlz-filesystem=yes' '--enable-dnstap' '--disable-fixed-rrset' '--disable-geoip' '--without-maxminddb' '--without-gssapi' '--with-libidn2=/usr/local' '--with-json-c' '--disable-largefile' '--with-lmdb=/usr/local' '--disable-native-pkcs11' '--without-python' '--disable-querytrace' '--enable-tcp-fastopen' '--disable-symtable' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/share/info/' '--build=amd64-portbld-freebsd12.1' 'build_alias=amd64-portbld-freebsd12.1' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector-strong -isystem /usr/local/include -fno-strict-aliasing ' 'LDFLAGS= -L/usr/local/lib -ljson-c -fstack-protector-strong ' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_PLUG -isystem /usr/local/include' 'CPP=cpp' 'PKG_CONFIG=pkgconf'
Sep 9 12:42:53 www named[63954]: running as: named -u bind -c /usr/local/etc/namedb/named.conf
Sep 9 12:42:53 www named[63954]: compiled by CLANG 4.2.1 Compatible FreeBSD Clang 8.0.1 (tags/RELEASE_801/final 366581)
Sep 9 12:42:53 www named[63954]: compiled with OpenSSL version: OpenSSL 1.1.1d-freebsd 10 Sep 2019
Sep 9 12:42:53 www named[63954]: linked to OpenSSL version: OpenSSL 1.1.1h-freebsd 22 Sep 2020
Sep 9 12:42:53 www named[63954]: compiled with libxml2 version: 2.9.10
Sep 9 12:42:53 www named[63954]: linked to libxml2 version: 20910
Sep 9 12:42:53 www named[63954]: compiled with json-c version: 0.15
Sep 9 12:42:53 www named[63954]: linked to json-c version: 0.15
Sep 9 12:42:53 www named[63954]: compiled with zlib version: 1.2.11
Sep 9 12:42:53 www named[63954]: linked to zlib version: 1.2.11
Sep 9 12:42:53 www named[63954]: ----------------------------------------------------
Sep 9 12:42:53 www named[63954]: BIND 9 is maintained by Internet Systems Consortium,
Sep 9 12:42:53 www named[63954]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
Sep 9 12:42:53 www named[63954]: corporation. Support and training for BIND 9 are
Sep 9 12:42:53 www named[63954]: available at https://www.isc.org/support
Sep 9 12:42:53 www named[63954]: ----------------------------------------------------
Sep 9 12:42:53 www named[63954]: command channel listening on 127.0.0.1#953
Sep 9 12:42:53 www named[63954]: all zones loaded
Sep 9 12:42:53 www named[63954]: running
▼Check the server status
# rndc status
version: BIND 9.16.10 (Stable Release) <id:fac8def> ()
running on www: FreeBSD amd64 12.2-RELEASE FreeBSD 12.2-RELEASE r366954 GENERIC
boot time: Thu, 09 Sep 2021 03:42:53 GMT
last configured: Thu, 09 Sep 2021 03:42:53 GMT
configuration file: /usr/local/etc/namedb/named.conf
CPUs found: 1
worker threads: 1
UDP listeners per interface: 1
number of zones: 7 (0 automatic)
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/360/400
tcp clients: 0/150
TCP high-water: 0
server is up and running
End.