by Master Seo, Dec 03, 2024

5. On-premises DNS configuration examples

<1> A typical on-premises DNS configuration

<2> Building a resilient nameserver: an on-premises DNS configuration managed through a hidden master

<3> Building the DNS: configuring one hidden master and two slaves




<1> A typical on-premises DNS configuration


1

Configure two servers: ns1 and ns2.

or

Configure three servers: ns1, ns2 and ns3.

Every one of them must have a public IP address that is reachable from outside.



2

With two servers:

ns1 is the Master.

ns2 is the Slave.


3

With three servers:

ns1 is the Master.

ns2 and ns3 are Slaves.




<2> Building a resilient nameserver: an on-premises DNS configuration managed through a hidden master


When you run a large-scale service, security gets more attention.

Give the master a private IP only and keep it hidden, managing the zone from there.


1

Configuration:

One hidden Master = hmaster-ns


(public IPs assigned)

slave-ns1

slave-ns2




2

Records are edited on the hidden master, and the DNS records are synchronized from there to each Slave.



3

Let's build it: one hidden master, plus the DNS servers that answer as the nameservers and are configured as Slaves.



4

Create one private subnet.

dns-pri1

10.0.0.0/23


dns-kr1-nat1

A NAT gateway subnet is also needed.

10.0.4.0/24


A NAT gateway must also be created under VPC > NATGW.

Add a route to the NAT gateway in the routing table.



5

Create three servers

One hidden master: private IP only

Two slaves: created with public IPs assigned



rocky-8.10-base

High-CPU, 2 vCPUs, 4 GB memory

hmaster-ns

slave-ns1  

slave-ns2




hmaster-ns

10.0.0.6



slave-ns1  

10.0.2.6

211.188.60.191 



slave-ns2

10.0.10.6

211.188.58.219 





<3> Building the DNS: configuring one hidden master and two slaves



1

The hidden master


# Install bind, the DNS software


yum -y install bind bind-chroot




3

[root@serverup-kr-ns1 ~]# cd /etc

[root@serverup-kr-ns1 etc]# vi named.conf


options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        secroots-file   "/var/named/data/named.secroots";

        recursing-file  "/var/named/data/named.recursing";

        allow-query     { any; };

        /*

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

         - If you are building a RECURSIVE (caching) DNS server, you need to enable

           recursion.

         - If your recursive DNS server has a public IP address, you MUST enable access

           control to limit queries to your legitimate users. Failing to do so will

           cause your server to become part of large scale DNS amplification

           attacks. Implementing BCP38 within your network would greatly

           reduce such attack surface

        */

        recursion no;

        dnssec-enable yes;




4

# Add the domain you use to named.rfc1912.zones under /etc


[root@cache-ga-dns1 etc]# ls named.*

named.conf  named.rfc1912.zones  named.root.key



5

[root@hmaster-ns named]# more named.conf

more: stat of named.conf failed: No such file or directory

[root@hmaster-ns named]# cd /etc

[root@hmaster-ns etc]# more named.conf

//

// named.conf

//

// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS

// server as a caching only nameserver (as a localhost DNS resolver only).

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//


options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        masterfile-format text;

        allow-transfer  { 10.0.2.6; 10.0.10.6; };

        also-notify     { 10.0.2.6; 10.0.10.6; };

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        secroots-file   "/var/named/data/named.secroots";

        recursing-file  "/var/named/data/named.recursing";

        allow-query     { any; };


        /* 

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

         - If you are building a RECURSIVE (caching) DNS server, you need to enable 

           recursion. 

         - If your recursive DNS server has a public IP address, you MUST enable access 

           control to limit queries to your legitimate users. Failing to do so will

           cause your server to become part of large scale DNS amplification 

           attacks. Implementing BCP38 within your network would greatly

           reduce such attack surface 

        */

        recursion no;


        dnssec-enable yes;

        dnssec-validation yes;


        managed-keys-directory "/var/named/dynamic";


        pid-file "/run/named/named.pid";

        session-keyfile "/run/named/session.key";


        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */

        include "/etc/crypto-policies/back-ends/bind.config";

};


logging {

        channel default_debug {

                file "data/named.run";

                severity dynamic;

        };

};


zone "." IN {

        type hint;

        file "named.ca";

};


include "/etc/named.rfc1912.zones";

include "/etc/named.root.key";




6


[root@hmaster-ns etc]# more named.rfc1912.zones 

zone "serverup11.kr" IN {

        type master;

        file "serverup11.kr.zone";

        allow-update { none; };

};


zone "localhost.localdomain" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};


zone "localhost" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};


zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


zone "1.0.0.127.in-addr.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


zone "0.in-addr.arpa" IN {

        type master;

        file "named.empty";

        allow-update { none; };

};

[root@hmaster-ns etc]# 





7

# Create the zone file for the domain you use


[root@dns-ga-ns1 named]# pwd

/var/named


[root@serverup-kr-ns1 named]# cp named.localhost serverup11.kr.zone




[root@dns-ga-ns1 named]# more serverup11.kr.zone

$TTL 10

@       IN SOA  @ ns1.serverup11.kr. (

                                        2024120204      ; serial

                                        1D      ; refresh

                                        1H      ; retry

                                        1W      ; expire

                                        3H )    ; minimum

        NS      ns1

        A       127.0.0.1

        AAAA    ::1

ns1     A       211.188.48.244

www     A       1.1.1.1
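To verify that a zone written for this hidden-master layout does not give the master away, here is an added Python check (not from the original post). It parses a constructed, trimmed copy of the serverup11.kr zone above with a deliberately minimal parser and reports apex NS hosts without a public in-zone address, any record carrying the hidden master's address 10.0.0.6 (the page's hmaster-ns), and an SOA MNAME that is not one of the published nameservers.

```python
import re
import ipaddress

HIDDEN_MASTER_IP = "10.0.0.6"   # the page's hmaster-ns private address
# Constructed, trimmed copy of the page's serverup11.kr.zone (SOA RNAME spelling fixed).
SAMPLE_ZONE = """$TTL 10
@   IN SOA @ ns1.serverup11.kr. (
        2024120204 1D 1H 1W 3H ) ; serial refresh retry expire minimum
    NS  ns1
ns1 A   211.188.48.244
www A   1.1.1.1
"""

def parse_zone(text, origin):
    """Minimal zone parser (not full RFC 1035): $-directives, '@', ';' comments,
    a parenthesised SOA, owner inheritance. Returns (soa dict, [(owner, type, rdata)])."""
    fq = lambda n: origin if n == "@" else (n if n.endswith(".") else n + "." + origin)
    text = re.sub(r";[^\n]*", "", text)                                   # drop comments
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), text)
    soa, records, owner = None, [], origin
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        toks = line.split()
        if not line[0].isspace():                       # explicit owner name on this line
            owner, toks = fq(toks[0]), toks[1:]
        toks = toks[1:] if toks[0] == "IN" else toks    # optional class
        if toks[0] == "SOA":
            soa = dict(zip(("mname", "rname", "serial", "refresh", "retry", "expire", "minimum"), toks[1:]))
            soa["mname"] = fq(soa["mname"])
        else:
            records.append((owner, toks[0], fq(toks[1]) if toks[0] == "NS" else toks[1]))
    return soa, records

def audit_hidden_master(soa, records, origin, hidden_ip=HIDDEN_MASTER_IP):
    """Hidden-master checks: no record may publish the master's address, every apex NS
    needs a public in-zone A record, and SOA MNAME should be one of the published NS hosts."""
    findings = []
    a = {o: r for o, t, r in records if t == "A"}
    ns = [r for o, t, r in records if t == "NS" and o == origin]
    for host in ns:
        ip = a.get(host)
        if ip is None or not ipaddress.ip_address(ip).is_global:
            findings.append(f"NS {host} has no public in-zone A record (got {ip})")
    for o, ip in a.items():
        if ip == hidden_ip:
            findings.append(f"{o} A {ip} exposes the hidden master")
    if soa["mname"] not in ns:
        findings.append(f"SOA MNAME {soa['mname']} is not a published NS host")
    return findings
```

Run on the sample zone it reports only the MNAME notice, since the SOA above names the zone apex rather than a public nameserver; a zone that lists a 10.0.0.6 host is flagged on both the NS and the A check.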




8

# Restart the DNS daemon


chown named.named serverup11.kr.zone 


systemctl restart named


dig @127.0.0.1 www.serverup11.kr



9

# Check the DNS daemon

[root@dns-il-ns2 etc]# ps -ef |grep named

named      37175       1  0 22:18 ?        00:00:00 /usr/sbin/named -u named -c /etc/named.conf

root       37183    2286  0 22:18 pts/0    00:00:00 grep --color=auto named




10

Watch the log while working

tail -f /var/named/data/named.run  &


Stop watching the log

fg






# Configure the two slaves


1

yum -y install bind bind-chroot



2


options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        masterfile-format text;

        allow-transfer  { 10.0.2.6; 10.0.10.6; };

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        secroots-file   "/var/named/data/named.secroots";

        recursing-file  "/var/named/data/named.recursing";

        allow-query     { any; };





3

# slave configuration


[root@slave-ns1 etc]# more named.rfc1912.zones 

zone "serverup11.kr" IN {

        type slave;

        masters {10.0.0.6;};

        file "serverup11.kr.zone";

};

zone "localhost" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};

zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


zone "1.0.0.127.in-addr.arpa" IN {

        type master;

        file "named.loopback";

        allow-update { none; };

};


zone "0.in-addr.arpa" IN {

        type master;

        file "named.empty";

        allow-update { none; };

};

[root@slave-ns1 etc]# 




4

systemctl restart named
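As an added example (not part of the original post), a Python check of the replication topology described by the master and slave named.conf fragments above: the hidden master should transfer to and notify exactly the two slaves, each slave should pull the zone only from 10.0.0.6, and the slaves, which on this page inherited the master's allow-transfer line, should refuse AXFR with allow-transfer { none; }. The fragments are constructed from the page's configs; the slave names are hypothetical, and the BIND 9.11 default of allowing transfers to any host when the statement is absent is assumed for the Rocky 8.10 package.

```python
import re
# Constructed fragments modelled on the page's hidden-master and slave named.conf files.
HIDDEN_MASTER, SLAVES = "10.0.0.6", {"10.0.2.6", "10.0.10.6"}
MASTER_CONF = """options {
        allow-transfer  { 10.0.2.6; 10.0.10.6; };
        also-notify     { 10.0.2.6; 10.0.10.6; };
};
zone "serverup11.kr" IN { type master; file "serverup11.kr.zone"; allow-update { none; }; };
"""
SLAVE_CONF = """options {
        allow-transfer  { 10.0.2.6; 10.0.10.6; };
};
zone "serverup11.kr" IN { type slave; masters {10.0.0.6;}; file "serverup11.kr.zone"; };
"""

def block(conf, header):
    """Text inside the braces that follow `header` (a regex), nesting balanced; None if absent."""
    m = re.search(header + r"\s*\{", conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    raise ValueError("unbalanced braces in named.conf fragment")

def addrs(text, stmt):
    """Address set of `stmt { a; b; };` in text, or None when the statement is absent."""
    m = re.search(r"\b" + stmt + r"\s*\{([^}]*)\}", text or "")
    return None if m is None else {a.strip() for a in m.group(1).split(";") if a.strip()}

def audit_transfers(master_conf, slave_confs, zone, hidden_ip=HIDDEN_MASTER, slaves=SLAVES):
    """Replication topology checks: the master transfers to and notifies only its slaves,
    each slave pulls the zone only from the hidden master, and no slave re-serves AXFR."""
    findings, zone_hdr = [], r'zone\s+"' + re.escape(zone) + r'"[^{]*'
    mo = block(master_conf, r"\boptions")
    for stmt in ("allow-transfer", "also-notify"):
        if addrs(mo, stmt) != slaves:
            findings.append(f"master: {stmt} must list exactly the slaves {sorted(slaves)}")
    for name, conf in slave_confs.items():           # name: hypothetical slave label
        at = addrs(block(conf, r"\boptions"), "allow-transfer")
        if at != {"none"}:
            got = sorted(at) if at else "absent (BIND 9.11 default: any)"
            findings.append(f"{name}: allow-transfer should be {{ none; }} (got {got})")
        z = block(conf, zone_hdr)
        if z is None or "type slave" not in z:
            findings.append(f"{name}: zone {zone} is not type slave")
        elif addrs(z, "masters") != {hidden_ip}:
            findings.append(f"{name}: masters must be the hidden master {hidden_ip} only")
    return findings
```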




Next article

https://brunch.co.kr/@topasvga/4179


Thank you.
