
DNS

Escenario
-
Todos los equipos están en la misma LAN 192.168.10.0/24; las ACL de named.conf (allow-query, allow-transfer, allow-recursion) se construyen a partir de estas direcciones, así que cualquier cambio de IP debe reflejarse también allí.

Servidor Principal (Master)
  o IP       = 192.168.10.1/24
  o Hostname = masterdns.informatica.local
Servidor Secundario (Slave)
  o IP       = 192.168.10.2/24
  o Hostname = secondarydns.informatica.local
Cliente 1 (Client)
  o IP       = 192.168.10.3/24
  o Hostname = client1.informatica.local
Cliente 2 (Client)
  o IP       = 192.168.10.4/24
  o Hostname = client2.informatica.local

Nota: el sufijo .local está reservado para mDNS (RFC 6762) y puede chocar con Avahi/Bonjour en los clientes; se mantiene aquí por ser un laboratorio, pero en un entorno real conviene usar un subdominio de un dominio propio.

Servidor Principal (Master):


1. Instalamos los paquetes de bind en el servidor:
[root@localhost bxav]# yum install bind.x86_64 bind-utils.x86_64 -y

2. Editar el archivo de configuración named.conf


[root@localhost bxav]# nano /etc/named.conf

3. Se agregan o modifican las partes indicadas (en el documento original aparecen en azul; en este listado están señaladas con comentarios)


//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

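options {
	// Bind only to loopback and the master's own LAN address (192.168.10.1);
	// no other interface/address answers on port 53.
	listen-on port 53 { 127.0.0.1; 192.168.10.1; };
	// The tutorial comments this line out: no IPv6 listener in this lab.
	# listen-on-v6 port 53 { ::1; };

	directory          "/var/named";
	dump-file          "/var/named/data/cache_dump.db";
	statistics-file    "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	// Only hosts on the 192.168.10.0/24 LAN (plus localhost) may query at all.
	allow-query { localhost; 192.168.10.0/24; };

	// Only the secondary (192.168.10.2) may pull the zones (AXFR/IXFR).
	// This is an address-based check only: on a shared LAN a host that can
	// take over that address can still dump the whole zone. Signing transfers
	// with a TSIG key (a key {} statement referenced from allow-transfer)
	// is the stronger option once the basic setup works.
	allow-transfer { localhost; 192.168.10.2; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	// This host is authoritative for informatica.local AND is the resolver the
	// clients point at (DNS1=192.168.10.1, root hints in zone "."), so recursion
	// has to stay on. It is restricted explicitly to the LAN so the server can
	// never act as an open resolver / amplification reflector, independently of
	// whatever allow-query is later changed to.
	recursion yes;
	allow-recursion { localhost; 192.168.10.0/24; };

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};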
// Debug channel; the path is relative to the "directory" option above
// (/var/named/data/named.run).
logging {
	channel default_debug { file "data/named.run"; severity dynamic; };
};

// Root hints, used for the recursive lookups this server performs for the LAN.
zone "." IN { type hint; file "named.ca"; };

// Forward zone for the lab domain; this host holds the primary (master) copy.
// Dynamic updates are refused: the zone file is edited by hand and reloaded.
zone "informatica.local" IN {
	type master;
	file "forward.informatica";
	allow-update { none; };
};

// Reverse zone for 192.168.10.0/24, same policy as the forward zone.
zone "10.168.192.in-addr.arpa" IN {
	type master;
	file "reverse.informatica";
	allow-update { none; };
};

// Stock localhost/loopback zones and the root trust-anchor key file.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Creamos los archivos de configuración de las zonas


4. Creamos el archivo para la Forward zone
[root@localhost bxav]# nano /var/named/forward.informatica

5. Agregamos las siguientes líneas


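$TTL 1d
; informatica.local -- forward zone; the primary copy lives on masterdns.
; Bump the serial (YYYYMMDDnn) on EVERY edit: the secondary only refreshes
; its copy when it sees a serial greater than the one it already holds.
@       IN  SOA  masterdns.informatica.local. root.informatica.local. (
                2016070101  ; Serial
                1h          ; Refresh
                30m         ; Retry
                1w          ; Expire
                1d          ; Minimum TTL (negative-answer caching)
                )

; Both servers are published as NS; with BIND's default notify behaviour the
; master announces changes to the hosts listed here.
@       IN  NS   masterdns.informatica.local.
@       IN  NS   secondarydns.informatica.local.

; Apex A records: the bare name "informatica.local" resolves to all four
; hosts (this is why nslookup informatica.local returns four addresses).
@       IN  A    192.168.10.1
@       IN  A    192.168.10.2
@       IN  A    192.168.10.3
@       IN  A    192.168.10.4

; Host records (names are relative to the zone origin).
masterdns       IN  A    192.168.10.1
secondarydns    IN  A    192.168.10.2
client1         IN  A    192.168.10.3
client2         IN  A    192.168.10.4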

6. Creamos el archivo para la Reverse zone


[root@localhost bxav]# nano /var/named/reverse.informatica

7. Agregamos las siguientes líneas


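$TTL 1d
; 10.168.192.in-addr.arpa -- reverse zone for 192.168.10.0/24.
; Same serial discipline as the forward zone: bump it on every edit.
@       IN  SOA  masterdns.informatica.local. root.informatica.local. (
                2016070101  ; Serial
                1h          ; Refresh
                30m         ; Retry
                1w          ; Expire
                1d          ; Minimum TTL
                )

@       IN  NS   masterdns.informatica.local.
@       IN  NS   secondarydns.informatica.local.

; Apex PTR kept from the original tutorial; harmless, but nothing requires it.
@       IN  PTR  informatica.local.

; Only the last octet is written: "1" expands to 1.10.168.192.in-addr.arpa.
; The A records the original listing put in this file were dropped: under
; this origin they would define names such as
; masterdns.10.168.192.in-addr.arpa, which nothing ever queries. Address
; records belong in forward.informatica only.
1       IN  PTR  masterdns.informatica.local.
2       IN  PTR  secondarydns.informatica.local.
3       IN  PTR  client1.informatica.local.
4       IN  PTR  client2.informatica.local.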

8. Verificamos si está bien la configuración


[root@localhost bxav]# named-checkconf /etc/named.conf
[root@localhost bxav]# named-checkzone informatica.local /var/named/forward.informatica
zone informatica.local/IN: loaded serial 2016070101
OK
[root@localhost bxav]# named-checkzone 10.168.192.in-addr.arpa /var/named/reverse.informatica
zone 10.168.192.in-addr.arpa/IN: loaded serial 2016070101
OK

Nota: el primer argumento de named-checkzone es el origen de la zona. Para la zona inversa debe ser 10.168.192.in-addr.arpa (el mismo nombre que en named.conf), no informatica.local; con el origen equivocado la comprobación "pasa" pero valida los PTR bajo un nombre que no es el que servirá named. `named-checkconf -z /etc/named.conf` comprueba todas las zonas declaradas con su origen correcto en un solo paso.

9. Iniciamos el servicio DNS


[root@localhost bxav]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service
to /usr/lib/systemd/system/named.service.
[root@localhost bxav]# systemctl start named

10. Añadimos la regla en el firewall permitiendo el servicio a través del puerto 53 TCP/UDP (UDP para las consultas normales; TCP para transferencias de zona y respuestas grandes). Equivalente: `firewall-cmd --permanent --add-service=dns`.
[root@localhost bxav]# firewall-cmd --permanent --add-port=53/tcp
Success
[root@localhost bxav]# firewall-cmd --permanent --add-port=53/udp
Success
11. Recargamos el firewall para aplicar las reglas permanentes
[root@localhost bxav]# firewall-cmd --reload
Success
12. Revisamos el estado de las zonas (cada zona con su propio origen)
[root@localhost bxav]# named-checkzone informatica.local /var/named/forward.informatica
zone informatica.local/IN: loaded serial 2016070101
OK
[root@localhost bxav]# named-checkzone 10.168.192.in-addr.arpa /var/named/reverse.informatica
zone 10.168.192.in-addr.arpa/IN: loaded serial 2016070101
OK

13. Agregamos el servidor DNS de la red al archivo de configuración de la NIC.
</gr_replreplace>

                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       

<gr_replace lines="329-329" cat="clarify" orig="15.Verificamos">
15. Verificamos que el servidor esté declarado en el archivo resolv.conf
[root@localhost bxav]# nano /etc/sysconfig/network-scripts/ifcfg-enp0s3
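TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s3
UUID=d2e18740-73cd-46e1-8fb4-190e8ad1ba60
DEVICE=enp0s3
# Bring the interface up at boot. The original listing had ONBOOT=no, which
# leaves the master's address (and therefore the DNS service) unreachable
# after a reboot until someone runs ifup by hand.
ONBOOT=yes
IPADDR=192.168.10.1
PREFIX=24
# The master resolves through itself.
DNS1=192.168.10.1
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes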

14.Reiniciamos los servicios de red y conectamos de nuevo el adaptador.


[root@localhost bxav]# systemctl restart network
[root@localhost bxav]# ifup enp0s3
Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/5)

15.Verificamos que el servidor est declarado en el archivo resolv.conf


[root@localhost bxav]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.1

16. Configuración de permisos, propiedad y SELinux

[root@localhost bxav]# chgrp named -R /var/named
[root@localhost bxav]# chown -v root:named /etc/named.conf
[root@localhost bxav]# restorecon -rv /var/named
[root@localhost bxav]# restorecon /etc/named.conf

Nota: named.conf debe poder leerlo el grupo named pero no el resto de usuarios (`chmod 640 /etc/named.conf`), sobre todo si más adelante se añaden claves TSIG al archivo. restorecon vuelve a aplicar el contexto SELinux correcto a las zonas y a la configuración para que named pueda leerlos tras haberlos creado con nano como root.

17. Probar el servidor DNS

[root@localhost bxav]# nslookup informatica.local
Server:     192.168.10.1
Address:    192.168.10.1#53

Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4
Name: informatica.local
Address: 192.168.10.1

Las cuatro direcciones provienen de los cuatro registros `@ IN A` de la zona directa; el orden en que aparecen puede variar entre consultas.

Servidor Secundario (Slave)


1. Instalamos los paquetes de bind en el servidor:
[root@localhost bxav]# yum install bind.x86_64 bind-utils.x86_64 -y

2. Editar el archivo de configuración named.conf


[root@localhost bxav]# nano /etc/named.conf

3. Se agregan o modifican las partes indicadas (en el documento original aparecen en azul; en este listado están señaladas con comentarios)


//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Trust list (optional): the four lab hosts. Referenced by allow-query below.
acl "trusted" {
	192.168.10.1;   // master DNS server
	192.168.10.2;   // secondary DNS server (this host)
	192.168.10.3;   // client1
	192.168.10.4;   // client2
};
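options {
	// Bind only to loopback and this host's LAN address (192.168.10.2).
	listen-on port 53 { 127.0.0.1; 192.168.10.2; };
	// No IPv6 listener in this lab, as on the master.
	# listen-on-v6 port 53 { ::1; };

	directory          "/var/named";
	dump-file          "/var/named/data/cache_dump.db";
	statistics-file    "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";

	// Only the hosts in the "trusted" ACL (plus localhost) may query.
	allow-query { localhost; trusted; };

	// This host only RECEIVES the zones (masters { 192.168.10.1; } in the zone
	// statements); nobody needs to transfer them out of it. The original listing
	// set no allow-transfer here, and in the BIND 9.9 shipped with CentOS 7 the
	// default is to allow transfers to any host that reaches port 53, i.e. a
	// full zone dump for anyone on the network.
	allow-transfer { none; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable
	   recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface
	*/
	// Recursion stays on because the clients list this host as their second
	// resolver, but it is limited to the trusted hosts so the server can never
	// be used as an open resolver.
	recursion yes;
	allow-recursion { localhost; trusted; };

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";
	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};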
// Debug channel, relative to the "directory" option (/var/named/data/named.run).
logging {
	channel default_debug { file "data/named.run"; severity dynamic; };
};

// Root hints for the recursive lookups done on behalf of the trusted hosts.
zone "." IN { type hint; file "named.ca"; };

// Secondary (slave) copies, pulled from the master at 192.168.10.1. The copies
// are written under /var/named/slaves/, which therefore has to be writable by
// the named user (the chgrp/restorecon steps later in this guide take care of
// ownership and SELinux labels).
zone "informatica.local" IN {
	type slave;
	file "slaves/informatica.fwd";
	masters { 192.168.10.1; };
};

zone "10.168.192.in-addr.arpa" IN {
	type slave;
	file "slaves/informatica.rev";
	masters { 192.168.10.1; };
};

// Stock localhost/loopback zones and the root trust-anchor key file.
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

4. Verificamos si está bien la configuración


[root@localhost bxav]# named-checkconf /etc/named.conf

5. Iniciamos el servicio DNS


[root@localhost bxav]# systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service
to /usr/lib/systemd/system/named.service.
[root@localhost bxav]# systemctl start named

6. Verificamos que los archivos de zona se estén replicando desde el servidor DNS Master (aparecen tras la primera transferencia; si no aparecen, revisar `journalctl -u named` en ambos servidores y el allow-transfer del master).

[root@localhost bxav]# ls /var/named/slaves/
informatica.fwd  informatica.rev

7. Agregamos el servidor DNS de la red al archivo de configuración de la NIC

[root@localhost bxav]# nano /etc/sysconfig/network-scripts/ifcfg-enp0s3


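TYPE=Ethernet
BOOTPROTO=none
DEFROUTE=yes
IPV4_FAILURE_FATAL=no
IPV6INIT=yes
IPV6_AUTOCONF=yes
IPV6_DEFROUTE=yes
IPV6_FAILURE_FATAL=no
NAME=enp0s3
UUID=d2e18740-73cd-46e1-8fb4-190e8ad1ba60
DEVICE=enp0s3
# Bring the interface up at boot. The original listing had ONBOOT=no, which
# leaves the secondary unreachable after a reboot until ifup is run by hand.
ONBOOT=yes
IPADDR=192.168.10.2
PREFIX=24
# Master first, this host as fallback (same order the clients use).
DNS1=192.168.10.1
DNS2=192.168.10.2
IPV6_PEERDNS=yes
IPV6_PEERROUTES=yes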

8. Reiniciamos los servicios de red y conectamos de nuevo el adaptador.


[root@localhost bxav]# systemctl restart network
[root@localhost bxav]# ifup enp0s3
Connection successfully activated (D-Bus active path:
/org/freedesktop/NetworkManager/ActiveConnection/5)

9. Verificamos que los servidores estén declarados en el archivo resolv.conf


[root@localhost bxav]# cat /etc/resolv.conf
# Generated by NetworkManager
nameserver 192.168.10.1
nameserver 192.168.10.2

10. Añadimos la regla en el firewall permitiendo el servicio a través del puerto 53 TCP/UDP. Atención: en el listado original del secundario sólo se abría 53/tcp; sin 53/udp los clientes no pueden consultar a este servidor (las consultas normales viajan por UDP) y el secundario sólo serviría de respaldo en apariencia.
[root@localhost bxav]# firewall-cmd --permanent --add-port=53/tcp
Success
[root@localhost bxav]# firewall-cmd --permanent --add-port=53/udp
Success

11. Recargamos el firewall para aplicar las reglas permanentes
[root@localhost bxav]# firewall-cmd --reload
Success

12. Configuración de permisos, propiedad y SELinux

[root@localhost bxav]# chgrp named -R /var/named
[root@localhost bxav]# chown -v root:named /etc/named.conf
[root@localhost bxav]# restorecon -rv /var/named
[root@localhost bxav]# restorecon /etc/named.conf

Nota: igual que en el master, conviene dejar named.conf en modo 640 (`chmod 640 /etc/named.conf`). En el secundario es especialmente importante que /var/named/slaves/ quede con grupo named y contexto SELinux correcto, porque named tiene que escribir ahí las copias de las zonas.

13. Probar el servidor DNS

[root@localhost bxav]# nslookup informatica.local
Server:     192.168.10.1
Address:    192.168.10.1#53

Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4
Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.1

Nota: esta consulta fue respondida por el master (192.168.10.1), que es el primer nameserver de resolv.conf, así que no prueba realmente al secundario. Para comprobar que el secundario sirve la zona por sí mismo hay que dirigirle la consulta: `nslookup informatica.local 192.168.10.2` (o `dig @192.168.10.2 informatica.local`).

Cliente 1 (Client)
1. Agregamos los detalles de los servidores DNS en resolv.conf
[root@localhost bxav]# nano /etc/resolv.conf
# Generated by NetworkManager
search informatica.local
nameserver 192.168.10.1
nameserver 192.168.10.2

Nota: el dominio de búsqueda debe coincidir exactamente con el nombre de la zona (informatica.local). Como indica la cabecera del archivo, NetworkManager regenera resolv.conf; para que el cambio sobreviva a un reinicio de red hay que fijar DNS1/DNS2 (y DOMAIN) en el ifcfg de la interfaz en lugar de editar resolv.conf a mano.

2. Probamos los servidores DNS. En las respuestas, el flag `aa` indica que la respuesta es autoritativa (viene de la zona, no de la caché) y `ra` que el servidor ofrece recursión a este cliente, que es justamente lo que controlan recursion/allow-recursion en named.conf.

[root@localhost bxav]# dig masterdns.informatica.local
; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> masterdns.informatica.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61033
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;masterdns.informatica.local.   IN  A

;; ANSWER SECTION:
masterdns.informatica.local.    86400 IN  A   192.168.10.1

;; AUTHORITY SECTION:
informatica.local.              86400 IN  NS  secondarydns.informatica.local.
informatica.local.              86400 IN  NS  masterdns.informatica.local.

;; ADDITIONAL SECTION:
secondarydns.informatica.local. 86400 IN  A   192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: sáb jul 02 00:47:39 ECT 2016
;; MSG SIZE  rcvd: 129

[root@localhost bxav]# dig secondarydns.informatica.local

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> secondarydns.informatica.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5330
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;secondarydns.informatica.local.  IN  A

;; ANSWER SECTION:
secondarydns.informatica.local. 86400 IN  A   192.168.10.2

;; AUTHORITY SECTION:
informatica.local.              86400 IN  NS  masterdns.informatica.local.
informatica.local.              86400 IN  NS  secondarydns.informatica.local.

;; ADDITIONAL SECTION:
masterdns.informatica.local.    86400 IN  A   192.168.10.1

;; Query time: 0 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: sáb jul 02 00:49:33 ECT 2016
;; MSG SIZE  rcvd: 129

[root@localhost bxav]# dig client1.informatica.local

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7 <<>> client1.informatica.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26506
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;client1.informatica.local.     IN  A

;; ANSWER SECTION:
client1.informatica.local.      86400 IN  A   192.168.10.3

;; AUTHORITY SECTION:
informatica.local.              86400 IN  NS  masterdns.informatica.local.
informatica.local.              86400 IN  NS  secondarydns.informatica.local.

;; ADDITIONAL SECTION:
masterdns.informatica.local.    86400 IN  A   192.168.10.1
secondarydns.informatica.local. 86400 IN  A   192.168.10.2

;; Query time: 1 msec
;; SERVER: 192.168.10.1#53(192.168.10.1)
;; WHEN: sáb jul 02 00:50:53 ECT 2016
;; MSG SIZE  rcvd: 153

[root@localhost bxav]# nslookup informatica.local
Server:     192.168.10.1
Address:    192.168.10.1#53

Name: informatica.local
Address: 192.168.10.3
Name: informatica.local
Address: 192.168.10.1
Name: informatica.local
Address: 192.168.10.2
Name: informatica.local
Address: 192.168.10.4

Cliente 2 (Client)

Servidores DNS que utilizará: 192.168.10.1 (master) y 192.168.10.2 (secundario).

1. Agregamos los detalles de los servidores DNS en resolv.conf (misma observación que en el cliente 1: el dominio de búsqueda debe ser exactamente informatica.local y NetworkManager puede sobrescribir este archivo)

[root@localhost bxav]# nano /etc/resolv.conf
# Generated by NetworkManager
search informatica.local
nameserver 192.168.10.1
nameserver 192.168.10.2

Bibliografía:
-
https://www.unixmen.com/setting-dns-server-centos-7/
https://www.digitalocean.com/community/tutorials/how-to-configure-bind-as-a-private-network-dns-server-on-centos-7
