Scribd Logo
Upload

Welcome to Scribd!

  • 2K views

    DNS Server Installation in CentOS 6

    Uploaded by

    Adil Boukhira
    This document provides instructions for setting up primary and secondary DNS servers on CentOS 6.4. It describes installing and configuring Bind on two servers - a primary DNS server with IP 172.16.10.1 and a secondary server with IP 172.16.10.13. The primary DNS server is configured to act as the master for the ensak.ma domain, serving DNS for it directly. The secondary DNS server is configured as a slave to sync zone data from the primary server. Key steps include generating DNSSEC keys, configuring zone files, starting the named service, and testing DNS resolution.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd

    DNS Server Installation in CentOS 6

    Uploaded by

    Adil Boukhira
    2K views8 pages
    This document provides instructions for setting up primary and secondary DNS servers on CentOS 6.4. It describes installing and configuring Bind on two servers - a primary DNS server with IP 172.16.10.1 and a secondary server with IP 172.16.10.13. The primary DNS server is configured to act as the master for the ensak.ma domain, serving DNS for it directly. The secondary DNS server is configured as a slave to sync zone data from the primary server. Key steps include generating DNSSEC keys, configuring zone files, starting the named service, and testing DNS resolution.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document provides instructions for setting up primary and secondary DNS servers on CentOS 6.4. It describes installing and configuring Bind on two servers - a primary DNS server with IP 172.16.10.1 and a secondary server with IP 172.16.10.13. The primary DNS server is configured to act as the master for the ensak.ma domain, serving DNS for it directly. The secondary DNS server is configured as a slave to sync zone data from the primary server. Key steps include generating DNSSEC keys, configuring zone files, starting the named service, and testing DNS resolution.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    2K views8 pages

    DNS Server Installation in CentOS 6

    Uploaded by

    Adil Boukhira
    This document provides instructions for setting up primary and secondary DNS servers on CentOS 6.4. It describes installing and configuring Bind on two servers - a primary DNS server with IP 172.16.10.1 and a secondary server with IP 172.16.10.13. The primary DNS server is configured to act as the master for the ensak.ma domain, serving DNS for it directly. The secondary DNS server is configured as a slave to sync zone data from the primary server. Key steps include generating DNSSEC keys, configuring zone files, starting the named service, and testing DNS resolution.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as DOCX, PDF, TXT or read online from Scribd
    Download as docx, pdf, or txt
    You are on page 1of 8

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    Installation dun serveur DNS


    Ce tutorial indique les tapes dinstallation et configurer des serveurs DNS primaire et secondaire. Les tapes on tait testes sur Centos 6.4 32x64x.

    Scenarios:
    Ci- dessous les scnarios de linstallation :

    [A] DNS Primaire(Master) :


    Operating System Hostname IP Address : CentOS 6.4 : masterdns.ensak.ma : 172.16.10.1/24

    [B] Serveur Secondaire (Slave):


    Operating System Hostname IP Address : CentOS 6.4 : slavedns.ensak.ma : 172.16.10.13/24

    Setup du DNS primaire (Master).


    [root@masterdns ~]# yum install bind* -y

    1. Configurer le serveur DNS.


    La configuration principal du DNS sera comme suit (Editer et ajouter les champs en gras) :
    [root@masterdns ~]# vi /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 172.16.10.1;}; ## Master DNS IP ## listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 172.16.10.0/24; }; ## IP Range ## allow-transfer { localhost; 172.16.10.13; }; ## Slave DNS IP ## recursion yes; dnssec-enable yes; dnssec-validation yes;

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "ensak.ma" IN { type master; file "fwd.ensak.ma"; allow-update { none; }; }; zone "1.168.192.in-addr.arpa" IN { type master; file "rev.ensak.ma"; allow-update { none; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";

    2. Crer le fichier de Zone


    On doit crer le fichier de zones direct et indirect que nous avons mentionn dans le fichier /etc/named.conf. [A] Crer la zone direct. Crer le fichier fwd.ensak.ma dans /var/named et ajouter les champs suivant :
    [root@masterdns ~]# vi /var/named/fwd.ensak.ma $TTL 86400 @ IN SOA masterdns.ensak.ma. root.ensak.ma. ( 2013120401 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) @ IN NS masterdns.ensak.ma. @ IN NS slavedns.ensak.ma. masterdns IN A 172.16.10.1 slavedns IN A 172.16.10.13

    [B] crer le fichier de zone indirect : Crer le fichier rev.ensak.ma dans /var/named et ajouter les champs suivant :

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    [root@masterdns ~]# vi /var/named/rev.ensak.ma $TTL 86400 @ IN SOA masterdns.ensak.ma. root.ensak.ma. ( 2013120401 ;Serial 3600 ;Refresh 1800 ;Retry 604800 ;Expire 86400 ;Minimum TTL ) @ IN NS masterdns.ensak.ma. @ IN NS slavedns.ensak.ma. masterdns IN A 172.16.10.1 slavedns IN A 172.16.10.13 1 IN PTR masterdns.ensak.ma. 13 IN PTR slavedns.ensak.ma. 2 IN PTR client-xp.ensak.ma

    3. dmarrer bind service


    [root@masterdns ~]# service named start Generating /etc/rndc.key: Starting named: [root@masterdns ~]# chkconfig named on [ [ OK OK ] ]

    4. permet laccs au DNS Serveur dans iptables


    Ajouter les lignes en gras dans le fichier /etc/sysconfig/iptables. Cela permettra au diffrent client daccder au serveur.
    [root@masterdns ~]# vi /etc/sysconfig/iptables # Firewall configuration written by system-config-firewall # Manual customization of this file is not recommended. *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -p udp -m state --state NEW --dport 53 -j ACCEPT -A INPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT

    5. Redmarrer iptables
    [root@masterdns ~]# service iptables restart iptables: Flushing firewall rules: iptables: Setting chains to policy ACCEPT: filter iptables: Unloading modules: iptables: Applying firewall rules: [ [ [ [ OK OK OK OK ] ] ] ]

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    6. Tester les erreurs de syntaxe dans les fichiers configuration et Zone


    [A] Check DNS Config file
    [root@masterdns ~]# named-checkconf /etc/named.conf [root@masterdns ~]# named-checkconf /etc/named.rfc1912.zones

    7. Test DNS Server


    [root@masterdns ~]# nslookup masterdns.ensak.ma Server: 172.16.10.1 Address: 172.16.19.1#53 Name: masterdns.ensak.ma Address: 172.16.10.1

    Et voil le serveur primaire est prt.

    Setup du Serveur DNS Secondaire (Slave)


    [root@slavedns ~]# yum install bind* -y

    1. Configurer le serveur DNS secondaire.


    Ouvrir le fichier de configuration /etc/named.conf et ajouter les champs en gras.
    [root@slavedns ~]# vi /etc/named.conf // // named.conf // // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS // server as a caching only nameserver (as a localhost DNS resolver only). // // See /usr/share/doc/bind*/sample/ for example named configuration files. // options { listen-on port 53 { 127.0.0.1; 172.16.10.13; }; ## Slve DNS IP ## listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; 172.16.10.0/24; }; ## IP Range ## recursion yes; dnssec-enable yes; dnssec-validation yes; dnssec-lookaside auto; /* Path to ISC DLV key */ bindkeys-file "/etc/named.iscdlv.key"; managed-keys-directory "/var/named/dynamic"; }; logging { channel default_debug { file "data/named.run";

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    severity dynamic; }; }; zone "." IN { type hint; file "named.ca"; }; zone "ensak.ma" IN { type slave; file "slaves/ensak.ma.fwd"; masters { 172.16.10.1; }; }; zone "10.16.172.in-addr.arpa" IN { type slave; file "slaves/ensak.ma.rev"; masters { 172.16.10.1; }; }; include "/etc/named.rfc1912.zones"; include "/etc/named.root.key";

    2. Start the DNS Service


    [root@slavedns ~]# service named start Generating /etc/rndc.key: Starting named: [root@slavedns ~]# chkconfig named on [ [ OK OK ] ]

    Maintenant les fichiers de zone direct et reverse sont copier directement du serveur Primaire vers le secondaire. Pour verifier, il suffit de verifier dans le dossier (i.e /var/named/chroot/var/named/slaves) et taper ls.
    [root@slavedns ~]# cd /var/named/slaves/ [root@slavedns slaves]# ls ensak.fwd ensak.rev

    [A] vrifier les zones:


    [root@slavedns slaves]# cat ensak.ma $ORIGIN . $TTL 86400 ; 1 day ensak.ma IN SOA masterdns.ensak.ma. root.ensak.ma. ( 2013120401 ; serial 3600 ; refresh (1 hour) 1800 ; retry (30 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS masterdns.ensak.ma. NS slavedns.ensak.ma. $ORIGIN ensak.ma. masterdns A 172.16.10.1 slavedns A 172.16.10.13 Client-xp A 172.16.10.2

    [B] vrifier la zone reverse :


    [root@slavedns slaves]# cat ensak.rev $ORIGIN . $TTL 86400 ; 1 day

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    10.16.172.in-addr.arpa IN SOA masterdns.ensak.ma. root.ensak.ma. ( 2013120401 ; serial 3600 ; refresh (1 hour) 1800 ; retry (30 minutes) 604800 ; expire (1 week) 86400 ; minimum (1 day) ) NS masterdns.ensak.ma. NS slavedns.ensak.ma. $ORIGIN 10.16.172.in-addr.arpa. 1 PTR masterdns.ensak.ma. 13 PTR slavedns.ensak.ma. 2 PTR client-xp.ensak.ma.

    3. ajouter les dtails du serveur au diffrent client.


    [root@slavedns ~]# vi /etc/resolv.conf # Generated by NetworkManager search ensak.ma nameserver 172.16.10.1 nameserver 172.16.10.13 nameserver 8.8.8.8

    4. Teste du serveur DNS


    [root@slavedns ~]# nslookup masterdns.ensak.ma. Server: 172.16.10.1 Address: 172.16.10.13#53 Name: slavedns.ensak.ma Address: 172.16.10.13

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    Comment configurer une zone dnssec sur serveur ddi ?


    [A] Dfinitions ZSK : composes d'une clef publique et d'une clef prive, elles sont utilises pour signer les champs de la zone. Ces clefs sont inconnues du registre. KSK : composes d'une clef publique et d'une clef prive, elles ne sont utilises que pour signer les clefs ZSK. Ces clefs sont sign par un champ DS dans la zone mre (auprs du registre) DNSKEY : champs contenant une clef publique DS : C'est un condenst d'une DNSKEY, elle est transmise la zone mre [B] Gnerer ses clefs Nous utilisons l'outil dnssec-keygen. Cet outil utilise l'entropie, qui est gnre lors de l'utilisation de la machine. Une machine peu sollicite peut tre longue gnrer. Dans ce cas, vous pouvez utiliser l'argument "-r /dev/urandom" pour gagner du temps, mais OVH ne le prconise pas.

    1. Gnrer sa clef KSK


    Nous gnrons la clef avec la commande "dnssec-keygen -f KSK -a RSASHA256 -b 2048 -n ZONE mondomaine.ma" :
    [root@masterdns ~]# dnssec-keygen -f KSK -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE ensak.ma

    Nous remarquons que ma clef KSK se nomme Kensak.ma.+008+04789, nous allons la renommer pour qu'elle soit plus intelligible :
    [root@masterdns ~]# mv Kensak.ma.+008+10954.key KensaK.ma.ksk.key [root@masterdns ~]# mv Kensak.ma.+008+10954.private KensaK.ma.ksk.private

    2. Gnrer sa clef ZSK


    Nous gnrons la clef avec la commande "dnssec-keygen -a RSASHA256 -b 2048 -n ZONE ensak.ma" :
    [root@masterdns ~]# dnssec-keygen -r /dev/urandom -a RSASHA256 -b 2048 -n ZONE ensak.ma

    Nous remarquons que ma clef ZSk se nomme Kensak.ma+008+43119, une fois encore nous la renommons :
    [root@masterdns ~]# mv Kensak.ma.+008+43119.key KensaK.ma.zsk.key [root@masterdns ~]# mv Kensak.ma.+008+43119.private KensaK.ma.zsk.private

    Les fichiers *.Key contiennent maintenant nos clefs publiques, il nous faut les insrer dans notre zone DNS. Vous pouvez soit en ajouter le contenu, soit ajouter des champs d'inclusion dans votre zone. Je choisis d'ajouter des inclusions : $include /etc/named/Kensak.ma.zsk.key ; ZSK $include /etc/named/Kebsak.ma.ksk.key ; KSK

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    UH1 / ENSA Khouribga

    TP : services daccs

    Pr. Y.I.Khamlichi

    [C] Crer et appliquer sa zone DNSSEC

    1. signer la zone.
    Nous signons la zone avec la commande "dnssec-signzone -eYYYYMMDDHHMMSS -p -t g -k Kmondomaine.ma.ksk.key -o mondomaine.ma le-fichier-de-ma-zonednsKmondomaine.ma.zsk.key". La valeur YYYYMMDDHHMMSS reprsente la date d'expiration. Si je souhaite que ma zone expire le 17 dcembre 2014 4h20, j'cris : 20141217042000
    [root@masterdns ~]# dnssec-signzone -e20141217042000 -p -t -g -k Kensak.ma.ksk.key -o ensak.ma fwd.ensak.ma Kensak.ma.zsk.key

    Nous obtenons un fichier nomm : fwd.ensak.ma.signed

    2. Configurer named
    Nous vrifions que named est configur pour prendre en charge le DNSSEC. Vous devriez trouver dans le fichier de configuration de named, la variable dnssec-enable gale yes.
    [root@masterdns ~]# cat /etc/bind/named.conf|grep dnssec-enable

    dnssec-enable yes; Maintenant nous devons indiquer de ne plus utiliser notre fichier de zone originel, mais son quivalent sign. Dans mon fichier /etc/bind/named.conf, nous avons remplac :
    zone "ensak.ma" IN { type master; file "fwd.ensak.ma"; allow-update { none; };

    };

    par :
    zone "ensak.ma" IN { type master; file "fwd.ensak.ma.signed"; allow-update { none; };

    }; [root@masterdns ~]# service named restart

    Ralis par : A.Boukhira L.Ghamrane A.Hadji M.Louah

    You might also like