
by Master Seo Dec 02. 2024

3. 네임서버 만들기

<1> 네임서버 2대 생성하기

<2> 도메인 구매와 네임서버 설정

<3> 네임서버 보안 설정



<1> 네임서버 2대 생성하기


1

# 가산에 ns1

dns-ga-ns1

kr1

새로운 공인IP



# 일산에 ns2

dns-il-ns2

kr2

새로운 공인IP




# ns1은 master , ns2는 slave로 구축하자.


211.188.59.87

211.188.57.7



# 서버 로그인 후 비밀번호 변경

passwd

g1!!



2

# 도메인은 ?

예)

serverup11.co.kr



3

# DNS 소프트웨어인 bind 설치하기


# Install BIND (named) together with the bind-chroot helper package; -y answers the install prompt.
yum install -y bind bind-chroot



[root@cache-ga-dns1 etc]# vi named.conf



options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        secroots-file   "/var/named/data/named.secroots";

        recursing-file  "/var/named/data/named.recursing";

        allow-query     { any; };

        /*

         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.

         - If you are building a RECURSIVE (caching) DNS server, you need to enable

           recursion.

         - If your recursive DNS server has a public IP address, you MUST enable access

           control to limit queries to your legitimate users. Failing to do so will

           cause your server to become part of large scale DNS amplification

           attacks. Implementing BCP38 within your network would greatly

           reduce such attack surface

        */

        recursion no;

        dnssec-enable yes;




4

# /etc 아래 named.rfc1912.zones에 사용할 도메인 추가하기


[root@cache-ga-dns1 etc]# ls named.*

named.conf  named.rfc1912.zones  named.root.key




[root@cache-ga-dns1 etc]# vi named.rfc1912.zones

// named.rfc1912.zones:

//

// Provided by Red Hat caching-nameserver package

//

// ISC BIND named zone configuration for zones recommended by

// RFC 1912 section 4.1 : localhost TLDs and address zones

// and https://tools.ietf.org/html/rfc6303

// (c)2007 R W Franks

//

// See /usr/share/doc/bind*/sample/ for example named configuration files.

//

// Note: empty-zones-enable yes; option is default.

// If private ranges should be forwarded, add

// disable-empty-zone "."; into options

//

zone "serverup11.co.kr" IN {

        type master;

        file "serverup11.co.kr.zone";

        allow-update { none; };

};

zone "localhost.localdomain" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};





5

# 사용 도메인에 대한 Zone 파일 생성


[root@dns-ga-ns1 named]# pwd

/var/named


[root@dns-ga-ns1 named]# more serverup11.co.kr.zone

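; Zone data for serverup11.co.kr, served from /var/named on the master (ns1).
$TTL 10          ; default TTL in seconds for every record below (very short: answers expire after 10 s)
;
; SOA: MNAME is "@" (the zone apex itself); RNAME is the contact mailbox,
; ns1.serverup11.co.kr. == ns1@serverup11.co.kr (the original spelled it "severup11").
@       IN SOA  @ ns1.serverup11.co.kr. (
                                        2024120204      ; serial (YYYYMMDDnn) - bump it on every edit
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum (negative-caching TTL)
; Delegation: both servers are authoritative for the zone.
        NS      ns1
        NS      ns2
; Apex A/AAAA point at loopback in this walkthrough.
        A       127.0.0.1
        AAAA    ::1
; Glue: public addresses of the two nameservers.
ns1     A       211.188.59.87
ns2     A       211.188.57.7
; NOTE(review): 1.1.1.1 looks like a test value used for the dig checks - replace with the real web host address.
www     A       1.1.1.1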

[root@dns-ga-ns1 named]#




6

# DNS 데몬 재시작


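# Give the zone file to the named user/group so the daemon (started with -u named) can read it.
# ':' is the standard chown separator; the old '.' form is only kept for compatibility and is
# ambiguous when a user name contains a dot. '--' stops option parsing before the file name.
chown named:named -- serverup11.co.kr.zone

# Restart the daemon so named.conf and the new zone are loaded.
systemctl restart named

# Ask the local server directly (not the cloud resolver) to confirm the zone answers.
dig @127.0.0.1 www.serverup11.co.kr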





7

# DNS 데몬 확인

[root@dns-il-ns2 etc]# ps -ef |grep named

named      37175       1  0 22:18 ?        00:00:00 /usr/sbin/named -u named -c /etc/named.conf

root       37183    2286  0 22:18 pts/0    00:00:00 grep --color=auto named








<2> 도메인 구매와 네임서버 설정


1

가비아, 아이네임즈 등에서 도메인을 구매하고 네임서버를 지정하기


2

예제 도메인

serverup11.co.kr



3

ns1 

211.188.59.87


ns2

211.188.57.7



4

[root@dns-ga-ns1 etc]# ls nam*

named-chroot.files  named.conf  named.rfc1912.zones  named.root.key



[root@dns-ga-ns1 etc]# vi named.rfc1912.zones

zone "serverup11.co.kr" IN {

        type master;

        file "serverup11.co.kr.zone";

        allow-update { none; };

};

zone "localhost.localdomain" IN {

        type master;

        file "named.localhost";

        allow-update { none; };

};






5

# 동작하지 않는 경우 로그 확인하기


[root@dns-ga-ns1 etc]# cd /var/named/data/


[root@dns-ga-ns1 data]# ls

named.run



# 에러 로그 확인하기

[root@dns-ga-ns1 data]# more named.run

managed-keys-zone: loaded serial 0

zone 0.in-addr.arpa/IN: loaded serial 0

zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0

zone localhost.localdomain/IN: loaded serial 0

zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN: loaded serial 0

zone localhost/IN: loaded serial 0

all zones loaded

:

couldn't add command channel ::1#953: address not available

reloading configuration succeeded

reloading zones succeeded

zone serverup11.co.kr/IN: loading from master file serverup11.co.kr.zone failed: permission denied

zone serverup11.co.kr/IN: not loaded due to errors.

all zones loaded

running



6

# Zone 파일 권한 확인 하기


[root@dns-ga-ns1 data]# cd /var/named/


[root@dns-ga-ns1 named]# ls -al

total 24

drwxrwx--T   6 root  named  170 Dec  2 23:23 .

drwxr-xr-x. 22 root  root  4096 Dec  2 22:22 ..

drwxr-x---   8 root  named   73 Dec  2 22:22 chroot

drwxrwx---   2 named named   23 Dec  2 22:23 data

drwxrwx---   2 named named   60 Dec  2 23:23 dynamic

-rw-r-----   1 root  named 2112 Aug 19 17:37 named.ca

-rw-r-----   1 root  named  152 Aug 19 17:37 named.empty

-rw-r-----   1 root  named  152 Aug 19 17:37 named.localhost

-rw-r-----   1 root  named  168 Aug 19 17:37 named.loopback

-rw-r-----   1 root  root   230 Dec  2 23:22 serverup11.co.kr.zone

drwxrwx---   2 named named    6 Aug 19 17:37 slaves



7

# zone 파일 소유권 변경하기: 데몬이 named 사용자로 실행되므로 zone 파일의 소유자도 named로 변경한다.


[root@dns-ga-ns1 named]# chown named.named serverup11.co.kr.zone


[root@dns-ga-ns1 named]# rndc reload

server reload successful



8

# dig로 질의하여 확인 — 아래 응답의 SERVER가 169.254.169.53이므로 이 결과는 로컬 named가 아니라 클라우드 리졸버를 거쳐 확인한 것이다. 로컬 서버를 직접 확인하려면 @127.0.0.1을 붙인다.


[root@dns-ga-ns1 named]# dig www.serverup11.co.kr

; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> www.serverup11.co.kr

;; global options: +cmd

;; Got answer:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46151

;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:

; EDNS: version: 0, flags:; udp: 1232

;; QUESTION SECTION:

;www.serverup11.co.kr.          IN      A

;; ANSWER SECTION:

www.serverup11.co.kr.   10      IN      A       1.1.1.1

;; Query time: 2 msec

;; SERVER: 169.254.169.53#53(169.254.169.53)

;; WHEN: Mon Dec 02 23:27:02 KST 2024

;; MSG SIZE  rcvd: 65

[root@dns-ga-ns1 named]#



[root@dns-ga-ns1 etc]# dig www.serverup11.co.kr +short

1.1.1.1





<3> 네임서버 보안 설정


1

보안 설정을 해야 한다.

외부에서 서버 정보를 가져가지 못하도록 zone 전송(AXFR)을 허용할 IP를 제한해야 한다.


# Zone-transfer (AXFR) check against the local server: while allow-transfer is unrestricted
# this returns every record in the zone (see the output below).
dig @127.0.0.1 serverup11.kr axfr


서버 호스트명과 IP 정보를 외부에서 가져갈 수 있다.

막아보자.


[root@hmaster-ns etc]# dig @127.0.0.1 serverup11.kr axfr

client @0x7f6748009980 127.0.0.1#35511 (serverup11.kr): transfer of 'serverup11.kr/IN': AXFR started (serial 2024120401)

client @0x7f6748009980 127.0.0.1#35511 (serverup11.kr): transfer of 'serverup11.kr/IN': AXFR ended

client @0x7f6748009980 127.0.0.1#35511 (serverup11.kr): transfer of 'serverup11.kr/IN': AXFR started (serial 2024120401)

client @0x7f6748009980 127.0.0.1#35511 (serverup11.kr): transfer of 'serverup11.kr/IN': AXFR ended


; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> @127.0.0.1 serverup11.kr axfr

; (1 server found)

;; global options: +cmd

serverup11.kr.          10      IN      SOA     ns1.serverup11.kr. ns1.serverup11.kr. 2024120401 86400 3600 604800 10800

serverup11.kr.          10      IN      NS      ns1.serverup11.kr.

serverup11.kr.          10      IN      NS      ns2.serverup11.kr.

ns1.serverup11.kr.      10      IN      A       211.188.60.191

ns2.serverup11.kr.      10      IN      A       211.188.58.219

www.serverup11.kr.      10      IN      A       6.6.6.6

serverup11.kr.          10      IN      SOA     ns1.serverup11.kr. ns1.serverup11.kr. 2024120401 86400 3600 604800 10800

;; Query time: 0 msec

;; SERVER: 127.0.0.1#53(127.0.0.1)

;; WHEN: Wed Dec 04 11:05:52 KST 2024

;; XFR size: 7 records (messages 1, bytes 230)


[root@hmaster-ns etc]# 




# 막기 위한 설정: allow-transfer로 zone 전송을 허용할 IP를 제한한다.


options {

        listen-on port 53 { any; };

        listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        allow-transfer  { 10.0.2.6; 10.0.10.6; };



# Apply the named.conf change to the running daemon without a restart
# (reloads configuration and zones; the earlier run reported "server reload successful").
rndc reload



[root@hmaster-ns etc]# dig @127.0.0.1 serverup11.kr axfr

client @0x7f6748009980 127.0.0.1#43775 (serverup11.kr): zone transfer 'serverup11.kr/AXFR/IN' denied

client @0x7f6748009980 127.0.0.1#43775 (serverup11.kr): zone transfer 'serverup11.kr/AXFR/IN' denied


; <<>> DiG 9.11.36-RedHat-9.11.36-16.el8_10.2 <<>> @127.0.0.1 serverup11.kr axfr

; (1 server found)

;; global options: +cmd

; Transfer failed.

[root@hmaster-ns etc]# 



2. 네임서버는 2대 중 1대만 동작해도 서비스는 된다.

하지만 DNS 응답률이 떨어질 수 있다.



3

Master 1대 이외에는 Slave DNS로 구성한다.



4

추가 설정과 보안 설정 등 번거로운 관리를 피하려면 클라우드 DNS를 사용하는 방법도 있다.

네이버 클라우드 Global DNS를 사용해보자.



다음자료

https://brunch.co.kr/@topasvga/4177


감사합니다.


                    
