
DNS – DOMAIN NAME SYSTEM

First we must install the service:

# yum install -y bind bind-chroot bind-devel bind-libs bind-utils

For this example we will use the DNS server of Server Apolo, which has these parameters:

Domain: apolo.net
Server IP: 172.16.5.1
Network: 173.16.5.0/24
Slave server: 172.16.5.2

We open the configuration file: vi /etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
    listen-on port 53 { 127.0.0.1; 172.16.5.1; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 172.16.5.0/24; };
    allow-update { localhost; 172.16.5.0/24; };
    allow-transfer { localhost; 172.16.5.2; };
    forwarders {
        //190.157.8.33; 181.48.0.228; //DNS CLARO
        //200.13.149.101; 200.13.224.254; //DNS UNE
        8.8.8.8; 8.8.4.4; //DNS GOOGLE
    };

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;

    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

zone "apolo.net" IN {
    type master;
    file "forward.apolo";
    allow-update { none; };
};

zone "5.16.172.in-addr.arpa" IN {
    type master;
    file "reverse.apolo";
    allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
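The allow-query, allow-transfer, allow-update and recursion statements in the options block are what decide whether a recursive server like this one can be abused from outside (the comment block in the file describes the amplification risk). The script below is an added example, not part of the original tutorial and not a BIND tool: it pulls those statements out of an options block with regular expressions and reports the combinations a reviewer would flag. Both configurations it reads are constructed; the first mirrors the tutorial's values, the second is a deliberately open variant. The function names (strip_comments, parse_acls, recursion_enabled, audit) are mine.

```python
import re

# Constructed sample: the tutorial's ACLs, trimmed to the statements we audit.
SAMPLE_CONF = """
options {
    listen-on port 53 { 127.0.0.1; 172.16.5.1; };
    allow-query { localhost; 172.16.5.0/24; };
    allow-update { localhost; 172.16.5.0/24; };
    allow-transfer { localhost; 172.16.5.2; };
    forwarders {
        //190.157.8.33; 181.48.0.228; //DNS CLARO
        8.8.8.8; 8.8.4.4; //DNS GOOGLE
    };
    /* do NOT enable recursion on an authoritative-only server */
    recursion yes;
};
"""

# Constructed sample of the weak configuration the comment block warns about.
OPEN_CONF = """
options {
    allow-query { any; };
    allow-transfer { any; };
    recursion yes;
};
"""

# `allow-query { localhost; 172.16.5.0/24; };` -> ("allow-query", " localhost; 172.16.5.0/24; ")
ACL_RE = re.compile(
    r"\b(allow-query|allow-recursion|allow-transfer|allow-update)\s*\{([^}]*)\}", re.S)
RECURSION_RE = re.compile(r"\brecursion\s+(yes|no)\s*;")


def strip_comments(text):
    """Drop /* */, // and # comments so commented-out entries are not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def parse_acls(text):
    """Return {statement: [entries]} for every allow-* ACL found in the text."""
    acls = {}
    for name, body in ACL_RE.findall(strip_comments(text)):
        acls[name] = [entry.strip() for entry in body.split(";") if entry.strip()]
    return acls


def recursion_enabled(text):
    """True when `recursion yes;` is present or the statement is absent (BIND's default is yes)."""
    match = RECURSION_RE.search(strip_comments(text))
    return match is None or match.group(1) == "yes"


def audit(text):
    """Return a list of findings; an empty list means the ACLs look sane."""
    acls = parse_acls(text)
    findings = []
    # allow-query defaults to `any` when it is not set at all.
    query = acls.get("allow-query", ["any"])
    if recursion_enabled(text) and "any" in query and "allow-recursion" not in acls:
        findings.append("open resolver: recursion is on and any client may query, "
                        "with no allow-recursion to narrow it")
    if "allow-transfer" not in acls:
        findings.append("allow-transfer not set; restrict it to the slave explicitly")
    elif "any" in acls["allow-transfer"]:
        findings.append("zone transfers (AXFR) allowed to any host")
    if "any" in acls.get("allow-update", []):
        findings.append("dynamic updates accepted from any host")
    return findings


if __name__ == "__main__":
    for label, conf in (("tutorial", SAMPLE_CONF), ("open", OPEN_CONF)):
        print(label, audit(conf) or ["no findings"])
```

The tutorial's block produces no findings because queries are limited to the 172.16.5.0/24 network and transfers to the slave only; the open variant is reported twice, once as an open resolver and once for unrestricted zone transfers.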

Now we create the zone files forward.apolo and reverse.apolo:

vi /var/named/forward.apolo

$TTL 86400
@           IN SOA   apolo.net. root.apolo.net. (
                     20171      ; Serial
                     3600       ; Refresh
                     1800       ; Retry
                     604800     ; Expire
                     86400      ; Minimum TTL
)

@           IN NS    apolo.net.
apolo.net.  IN A     172.16.5.1
server      IN A     172.16.5.1
www         IN CNAME apolo.net.

vi /var/named/reverse.apolo

$TTL 86400
@           IN SOA   apolo.net. root.apolo.net. (
                     20171      ; Serial
                     3600       ; Refresh
                     1800       ; Retry
                     604800     ; Expire
                     86400      ; Minimum TTL
)

@           IN NS    apolo.net.
1           IN PTR   apolo.net.
1           IN PTR   www.apolo.net.
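A common slip in master files like these is a name written without its trailing dot: in a zone file every name that does not end in a dot is relative to the origin, so `apolo.net IN A 172.16.5.1` in the forward file silently defines apolo.net.apolo.net., and `www.apolo.net` as PTR data in the reverse file becomes www.apolo.net.5.16.172.in-addr.arpa. The script below is an added example, not part of the original tutorial and not a BIND tool: it parses constructed copies of both zone files (with those two slips deliberately present), expands every name to its absolute form, and reports names that look relative by mistake, in-zone NS targets with no A record, and A records whose address has no PTR pointing back at them. The helpers parse_zone, suspicious_names, ns_without_address and ptr_mismatches are mine.

```python
FORWARD_ORIGIN = "apolo.net."
REVERSE_ORIGIN = "5.16.172.in-addr.arpa."
NAME_RDATA = {"NS", "CNAME", "PTR"}  # types whose rdata is a single domain name

# Constructed forward zone; `apolo.net` (no trailing dot) is a deliberate slip.
FORWARD_ZONE = """\
$TTL 86400
@           IN SOA  apolo.net. root.apolo.net. (
                    20171    ; Serial
                    3600     ; Refresh
                    1800     ; Retry
                    604800   ; Expire
                    86400 )  ; Minimum TTL
@           IN NS    apolo.net.
apolo.net   IN A     172.16.5.1
server      IN A     172.16.5.1
www         IN CNAME apolo.net.
"""

# Constructed reverse zone; `www.apolo.net` (no trailing dot) is the second slip.
REVERSE_ZONE = """\
$TTL 86400
@   IN SOA apolo.net. root.apolo.net. (
           20171 ; Serial
           3600 ; Refresh
           1800 ; Retry
           604800 ; Expire
           86400 ) ; Minimum TTL
@   IN NS  apolo.net.
1   IN PTR apolo.net.
1   IN PTR www.apolo.net
"""


def absolute(name, origin):
    """Expand a master-file name: '@' is the origin, no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return [(owner, TYPE, rdata)] with owner and name-typed rdata made absolute.

    Handles $-directives, ';' comments, the parenthesised multi-line SOA and
    owner inheritance (a line starting with whitespace reuses the last owner).
    Optional TTL and class fields are skipped.
    """
    records, last_owner, depth = [], origin, 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth:                      # still inside ( ... ): only track the close
            depth += line.count("(") - line.count(")")
            continue
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not raw[0].isspace():
            last_owner = absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in NAME_RDATA:
            rdata = [absolute(rdata[0], origin)]
        depth += line.count("(") - line.count(")")
        records.append((last_owner, rtype, rdata))
    return records


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def suspicious_names(records, origin):
    """In-zone names whose label part still contains a dot: usually a missing trailing dot."""
    found = set()
    for owner, rtype, rdata in records:
        for name in [owner] + (rdata if rtype in NAME_RDATA else []):
            if in_zone(name, origin) and name != origin and "." in name[: -len(origin) - 1]:
                found.add(name)
    return sorted(found)


def ns_without_address(records, origin):
    """In-zone NS targets that have no A record (named-checkzone warns about these)."""
    a_owners = {owner for owner, rtype, _ in records if rtype == "A"}
    return sorted({rdata[0] for _, rtype, rdata in records
                   if rtype == "NS" and in_zone(rdata[0], origin) and rdata[0] not in a_owners})


def reverse_owner_to_ip(owner):
    """'1.5.16.172.in-addr.arpa.' -> '172.16.5.1' (None for anything else)."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def ptr_mismatches(forward, reverse):
    """A records whose address has no PTR pointing back at the same name."""
    ptrs = {}
    for owner, rtype, rdata in reverse:
        ip = reverse_owner_to_ip(owner) if rtype == "PTR" else None
        if ip:
            ptrs.setdefault(ip, set()).add(rdata[0])
    return [(owner, rdata[0]) for owner, rtype, rdata in forward
            if rtype == "A" and owner not in ptrs.get(rdata[0], set())]


if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, FORWARD_ORIGIN)
    rev = parse_zone(REVERSE_ZONE, REVERSE_ORIGIN)
    print("suspicious forward names:", suspicious_names(fwd, FORWARD_ORIGIN))
    print("suspicious reverse names:", suspicious_names(rev, REVERSE_ORIGIN))
    print("NS without A:", ns_without_address(fwd, FORWARD_ORIGIN))
    print("A without matching PTR:", ptr_mismatches(fwd, rev))
```

Run against these samples it flags apolo.net.apolo.net. and www.apolo.net.5.16.172.in-addr.arpa. as probable missing dots, reports that the NS target apolo.net. has no A record (because the A record landed on the wrong name), and lists both A records as lacking a matching PTR. Adding the trailing dots makes the first two findings disappear; the server host still needs its own PTR if reverse lookups for it are expected to work.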

Now we start the service and configure the firewall so that it can run:

# systemctl enable named
# systemctl restart named
# iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

We set the permissions, ownership and SELinux contexts:

# chgrp named -R /var/named
# chown -v root:named /etc/named.conf
# restorecon -rv /var/named
# restorecon /etc/named.conf

Let's check the DNS server:

# named-checkconf /etc/named.conf
If the command returns nothing, everything is configured correctly.

# named-checkzone apolo.net /var/named/forward.apolo
zone apolo.net/IN loaded serial 20171
OK

# named-checkzone 5.16.172.in-addr.arpa /var/named/reverse.apolo
zone 5.16.172.in-addr.arpa/IN loaded serial 20171
OK

And to finish, we restart the server:

# systemctl restart named
