Configuração do BIND – servir a LAN interna e resolver consultas externas


Estou configurando um servidor privado interno para alguns testes em nossa LAN corporativa. Quero que ele seja autoritativo para um domínio interno e seus hosts, mas que também seja capaz de resolver nomes na internet (google, yahoo, etc.).

Consigo fazer a parte interna funcionar bem, mas quando tento resolver algo público, a consulta falha. Provavelmente está faltando uma opção simples no meu /etc/named.conf (a propósito, RHEL 7.3 é o meu sistema operacional).

Eu posso colar o conteúdo da minha configuração, mas pensei em começar aqui.

Comecei de forma bem simples, apenas para que funcionasse, e planejo adicionar mais conforme for progredindo. No momento só preciso corrigir o problema de resolução externa.

Obrigado!

IllusionMan

EDIT: Esqueçam. Acho que descobri. Tive que configurar 'forwarders' na seção options e ativar a recursão. Agora está funcionando do jeito que eu quero.

    
por theillusionman 24.06.2017 / 19:46

1 resposta


Aqui está o conteúdo do meu /etc/bind no Debian, com uma configuração funcionando da maneira que você descreve: autoritativo para um domínio/TLD fictício (chamado fake.tld) na LAN local usando endereços não roteáveis (10.99.99.0/24 no meu caso), com DNS reverso para os endereços da LAN, e as demais consultas para o DNS "real" enviadas para o mundo (neste caso, encaminhadas para o Google, 8.8.8.8). Os únicos arquivos não reproduzidos aqui são /etc/bind/rndc.key e /etc/bind/bind.keys. Os nomes dos arquivos estão em negrito; o indicador de fim de arquivo foi colocado como comentário no estilo apropriado para cada arquivo (por exemplo, com ';' em um arquivo de zona).

named.conf:

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

// Debian's split layout: global options, then the locally added zones
// (fake.tld and its reverse zone), then the stock localhost/broadcast/root
// zones.  Each included file is a complete named.conf fragment on its own.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

//end named.conf

named.conf.default-zones:

// prime the server with knowledge of the root servers
//
// The hint zone is what named uses to resolve on its own.  With the
// forwarders block in named.conf.options and no "forward only", named
// runs in the default "forward first" mode: it asks the forwarder, and
// only falls back to iterating from these root hints if the forwarder
// does not answer.  Keep db.root reasonably current for that fallback.
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//
// Serving these locally stops leaking queries for localhost, 127.x,
// 0.x and 255.x to the forwarder/root servers.

zone "localhost" {
    type master;
    file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};


//end named.conf.default-zones

named.conf.local:

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// NOTE: enabling zones.rfc1918 is still safe alongside the 10.99.99.x
// reverse zone below: named serves a name from the most specific zone
// that encloses it, so 99.99.10.in-addr.arpa wins over 10.in-addr.arpa
// and only the *unused* RFC 1918 ranges get the empty answer.

// Forward zone for the internal domain.  This server is the sole master;
// "notify no" suppresses NOTIFY messages to the NS records in the zone
// (there are no secondaries to tell).
zone "fake.tld" {
  type master;
  notify no;
  file "/etc/bind/db.fake.tld";
};

// Reverse (PTR) zone for 10.99.99.0/24.  The zone name is the first
// three octets of the network in reverse order.
zone "99.99.10.in-addr.arpa" {
  type master;
  notify no;
  file "/etc/bind/db.10.99.99";
};

//end named.conf.local

named.conf.options:

options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable 
    // nameservers, you probably want to use them as forwarders.  
    // Uncomment the following block, and insert the addresses replacing 
    // the all-0's placeholder.

    // Queries outside the locally served zones go to this resolver.
    // No "forward only;" is set, so this is "forward first": if 8.8.8.8
    // fails to answer, named iterates from the root hints itself.  Add
    // "forward only;" if policy requires all outbound DNS to go through
    // the forwarder (e.g. a firewall that only permits DNS to 8.8.8.8).
     forwarders {
        8.8.8.8;
     };

    // Recursion: nothing is set here, so BIND's defaults apply:
    // "recursion yes" with allow-recursion and allow-query-cache limited
    // to { localnets; localhost; }.  Hosts on a subnet directly attached
    // to this server (10.99.99.0/24) get recursive answers; anything else
    // is REFUSED, which is what keeps this from being an open resolver.
    // If LAN clients sit on a routed subnet, list it explicitly, e.g.
    //     allow-recursion { localhost; 10.99.99.0/24; };
    // rather than widening it to "any" on a host the Internet can reach.

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    // Validation is performed locally even though answers come from the
    // forwarder; this only works if the forwarder passes DNSSEC records
    // through, which a standard public resolver does.
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    // Only IPv6 is named explicitly; with no "listen-on", named also
    // binds every IPv4 address.  To keep the service off an outward-facing
    // interface, pin it: listen-on { 127.0.0.1; 10.99.99.2; };
    listen-on-v6 { any; };
};

//end named.conf.options

db.0:

;
; BIND reverse data file for broadcast zone
;
; Stock Debian file, unchanged: answers for 0.in-addr.arpa are served
; locally so they never leave the host.
$TTL    604800
@   IN  SOA localhost. root.localhost. (
                  1     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
;end db.0

db.10.99.99:

$TTL 3D       ; default ttl for records without a specified lifetime
; Reverse zone for 10.99.99.0/24; $ORIGIN must match the zone name in
; named.conf.local so that the bare numeric owners below expand correctly.
$ORIGIN 99.99.10.in-addr.arpa.
@                      IN   SOA ns.fake.tld. root.fake.tld. (
                                2017012811   ;  serial number
                                1638        ;  ns refresh
                                204         ;  ns retry
                                10485      ;  authority expiry
                                256        );  min (RFC2308 §4)
; NOTE(review): the SOA timers are in seconds, so expiry is under three
; hours.  Harmless while there are no secondaries (notify no), but revisit
; before adding one.
; we dont use a hostname when we tell about our nameserver(s)
; (a record with no owner reuses the previous owner, i.e. "@")
    IN  NS  ns.fake.tld.
; hostname in this case is the last quad of the IP address
1       IN  PTR gw.fake.tld.
2       IN  PTR ns.fake.tld.
3   IN  PTR dhcp.fake.tld.
10  IN  PTR fileserver.fake.tld.
; NOTE(review): db.fake.tld also defines gitlab at 10.99.99.7, which has
; no PTR here; reverse lookups for it return NXDOMAIN.


;end db.10.99.99

db.127:

;
; BIND reverse data file for local loopback interface
;
; Stock Debian file, unchanged: maps 127.0.0.1 back to "localhost."
$TTL    604800
@   IN  SOA localhost. root.localhost. (
                  1     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
1.0.0   IN  PTR localhost.
;end db.127

db.255:

;
; BIND reverse data file for broadcast zone
;
; Stock Debian file, unchanged: answers for 255.in-addr.arpa are served
; locally so they never leave the host.
$TTL    604800
@   IN  SOA localhost. root.localhost. (
                  1     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
;end db.255

db.empty:

; BIND reverse data file for empty rfc1918 zone
;
; DO NOT EDIT THIS FILE - it is used for multiple zones.
; Instead, copy it, edit named.conf, and use that copy.
;
; Shared by every zone in zones.rfc1918: an SOA and NS only, so any
; PTR lookup in those ranges gets a local NXDOMAIN instead of going out.
$TTL    86400
@   IN  SOA localhost. root.localhost. (
                  1     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
              86400 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
;end db.empty

db.fake.tld:

$TTL    604800
; Forward zone for fake.tld.  No $ORIGIN is given, so the origin is the
; zone name from named.conf.local and every relative owner below
; (gw, ns, ...) expands to <name>.fake.tld.
@       IN      SOA     ns.fake.tld. root.fake.tld. (
                 2017062019         ; Serial
             ;   YYYYMMDDVV   
                     604800         ; Refresh
                      86400         ; Retry
                    2419200         ; Expire
                     604800 )       ; Negative Cache TTL
;
; Bump the serial on every edit, or a future secondary will never pull
; the change.
@           IN      NS      ns.fake.tld.
; The apex A record lets "fake.tld" itself resolve to the name server.
@       IN  A   10.99.99.2
gw      IN  A   10.99.99.1
ns          IN      A       10.99.99.2
dhcp        IN  A   10.99.99.3
fileserver  IN      A       10.99.99.10
; NOTE(review): gitlab has no matching PTR in db.10.99.99.
gitlab      IN  A   10.99.99.7
;end db.fake.tld

db.local:

;
; BIND data file for local loopback interface
;
; Stock Debian file, unchanged: "localhost." resolves to the IPv4 and
; IPv6 loopback addresses.
$TTL    604800
@   IN  SOA localhost. root.localhost. (
                  2     ; Serial
             604800     ; Refresh
              86400     ; Retry
            2419200     ; Expire
             604800 )   ; Negative Cache TTL
;
@   IN  NS  localhost.
@   IN  A   127.0.0.1
@   IN  AAAA    ::1
;end db.local

db.root:

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 3, 2013
;       related version of root zone:   2013010300
;
; NOTE(review): this copy is dated 2013.  Root server addresses do change
; over time; since named only consults these hints when the forwarder is
; unavailable, a stale entry shows up as intermittent resolution failures
; rather than an outright error.  Refresh it from the InterNIC source
; above when updating the server.
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     199.7.91.13
D.ROOT-SERVERS.NET.  3600000      AAAA  2001:500:2D::D
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
I.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FE::53
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
;end db.root

zones.rfc1918:

// Empty reverse zones for the RFC 1918 private ranges, all backed by the
// same db.empty.  Only active once the include line in named.conf.local
// is uncommented.  The more specific 99.99.10.in-addr.arpa zone defined
// there still takes precedence over "10.in-addr.arpa" below, so the LAN's
// own PTR records are unaffected; every other private address gets a
// local NXDOMAIN instead of leaking to the forwarder.
zone "10.in-addr.arpa"      { type master; file "/etc/bind/db.empty"; };
zone "16.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "17.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "18.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "19.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "20.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "21.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "22.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "23.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "24.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "25.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "26.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "27.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "28.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "29.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "30.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "31.172.in-addr.arpa"  { type master; file "/etc/bind/db.empty"; };
zone "168.192.in-addr.arpa" { type master; file "/etc/bind/db.empty"; };
// end zones.rfc1918
    
por 24.06.2017 / 20:26
