BIND 9.3.0 소스설치 on RedHat 7.3
1. bind 9.3.0 최신버전 source 다운로드
# cd /usr/src
# wget ftp://ftp.isc.org/isc/bind9/9.3.0/bind-9.3.0.tar.gz
2. 압축풀기
# tar xvzf bind-9.3.0.tar.gz
3. 기존의 nameserver 정지
# ntsysv (named 를 uncheck)
# service named stop
4. openssl 업데이트해줘야함 ( --with-openssl 옵션 넣을시)
* apt-get 설치 (openssl 설치전에 해줌)
http://ftp.freshrpms.net/pub/freshrpms/redhat/7.3/apt/apt-0.5.5cnc5-fr0.rh73.2.i386.rpm
[root@ns local]# rpm -e gated
gated 하고 zebra 하고 충돌나기 때문에 어느 한 패키지는 삭제해줘야 한다. (메시지가 나왔을시만 해당됨)
[root@ns local]# apt-get install openssl
- 주의사항 -
1. 설치전에 OpenSSL을 업그레이드 시켜 준다. 필자는 레드햇 7.3에서 설치하다 OpenSSL에러가 나서 up2date로 업그레이드 시켜 줬다. 아래와 같은 에러가 나면서 0.9.6e이상 버전을 요구하는데 그냥 up2date로 업그레이드 시켜 줬더니 openssl-0.9.6b-32.7버전으로 교체 되면서 이상없이 설치가 되었다.
configure: error: you need OpenSSL 0.9.6e/0.9.7-beta2 (or newer): CERT CA-2002-23
ftp://rpmfind.net/linux/redhat/updates/7.3/en/os/i386/openssl-0.9.6b-35.7.i386.rpm
5. bind 9.3.0 compile
# ./configure --prefix=/usr/local/bind-9.3.0 --enable-threads
# make
# make install
6. 심볼릭 링크 걸어주기
# cd /usr/local
# ln -s bind-9.3.0/ bind
7. etc, var/run, var/named, var/tmp 디렉토리 생성
# cd /usr/local/bind
# mkdir etc
# mkdir var
# cd var
# mkdir run
# mkdir named
# mkdir tmp
8. 키 생성
# cd /usr/local/bind/sbin
# ./rndc-confgen > /usr/local/bind/etc/rndc.conf
9. bin 파일 심볼릭 링크
# cd /usr/sbin
# mv rndc rndc.bak
# mv rndc-confgen rndc-confgen.bak
# ln -s ../local/bind/sbin/rndc rndc
# ln -s ../local/bind/sbin/rndc-confgen rndc-confgen
# cd /usr/bin
# mv dig dig.bak
# mv nslookup nslookup.bak
# ln -s ../local/bind/bin/dig dig
# ln -s ../local/bind/bin/nslookup nslookup
10. named.conf, kkanari.info.zone 생성
# cd /usr/local/bind/etc
# cat named.conf
options {
// Relative zone file names are resolved against this directory.
// NOTE(review): step 10 writes kkanari.info.zone under /usr/local/bind/var/named,
// not /var/named — confirm the two locations agree before starting named.
directory "/var/named";
dump-file "/usr/local/bind/var/tmp/named_dump.db";
statistics-file "/usr/local/bind/var/tmp/named.stats";
// Replaces the string named reports as its version.
version "no version";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
// Shared secret for the rndc control channel. The same base64 value must be
// present in rndc.conf (step 11); use the one rndc-confgen wrote there in
// step 8, not the value copied in this write-up.
key "rndc-key" {
algorithm hmac-md5;
secret "xx4m2r4GlTiKIaAVrW5fbg==";
};
// Control channel: listens only on loopback and accepts only rndc-key.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." IN {
type hint;
file "named.ca";
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "named.local";
allow-update { none; };
};
zone "kkanari.info" IN {
type master;
file "kkanari.info.zone";
// Unlike the other master zones, this one accepts dynamic updates signed with
// rndc-key — the same secret that controls named itself.
allow-update { key rndc-key; };
};
//include "/etc/rndc.key";
# cd /usr/local/bind/var/named
# cat kkanari.info.zone
$TTL 3600
; Apex SOA: primary name server and hostmaster contact (root@kkanari.info).
@ IN SOA ns.kkanari.info. root.kkanari.info. (
2004121003 ; serial (looks date-based, YYYYMMDDnn; must increase on every change)
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; minimum
)
; Owner omitted on the next three records: they inherit the apex (@).
IN NS ns.kkanari.info.
IN A 210.111.16.144
IN MX 10 mail
ns IN A 210.111.16.144
; ns2 has an address record but no matching NS record above.
ns2 IN A 210.111.16.144
mail IN A 210.111.16.144
ftp IN A 210.111.16.144
www IN A 210.111.16.144
home IN A 210.111.16.144
; Wildcard: any name under kkanari.info not defined above also answers with this address.
* IN A 210.111.16.144
11. rndc.conf 생성
# cd /usr/local/bind/etc
# cat rndc.conf
# Start of rndc.conf
# Control-channel key as emitted by rndc-confgen (step 8). The identical secret
# is configured in named.conf; the two files must stay in sync.
# NOTE(review): this file holds the control secret in clear — confirm it is
# readable only by the account that runs rndc.
key "rndc-key" {
algorithm hmac-md5;
secret "xx4m2r4GlTiKIaAVrW5fbg==";
};
# Defaults applied when rndc is run without overriding options: the loopback
# server on port 953, authenticated with rndc-key.
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "xx4m2r4GlTiKIaAVrW5fbg==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
12. 실행
# /usr/local/bind/sbin/named -c /usr/local/bind/etc/named.conf&
13. 캐쉬서버 동작확인
[root@ns bind]# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> naver.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: naver.com
Address: 211.218.150.200
> kr.yahoo.com
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
kr.yahoo.com canonical name = home.vip.krn.yahoo.com.
Name: home.vip.krn.yahoo.com
Address: 202.43.214.190
* 위와같이 쿼리가 온다면 이상없음
14. 도메인 쿼리 동작확인
[root@ns bind]# nslookup
> server 127.0.0.1
Default server: 127.0.0.1
Address: 127.0.0.1#53
> kkanari.info
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: kkanari.info
Address: 210.111.16.144
> www.kkanari.info
Server: 127.0.0.1
Address: 127.0.0.1#53
Name: www.kkanari.info
Address: 210.111.16.144
>
* 위와같이 쿼리가 온다면 이상없음