[CentOS-es] DNS server question.

Wilmer Arambula tecnologiaterabyte at gmail.com
Sat May 23 15:33:48 UTC 2015


Well, after more trying and reading (and thanks to Angel Jauregui's
recommendations) and testing with the tool http://www.dnsstuff.com/tools to
check the domain's DNS, I managed to configure it correctly, or at least I
think so. I'll leave this configuration here hoping it helps someone else,
and if there are suggestions to improve it and make it more secure, all the
better:

*1.- VPS IPs:*

    - 1.1.1.1 (server.vps.com), 1.1.1.2 (ns1.midominio.com.ve),
      1.1.1.3 (ns2.midominio.com.ve).

*2.- Hostname:*

    - server.vps.com

*3.- /etc/hosts:*

# Auto-generated hostname. Please do not remove this comment.
127.0.0.1   localhost.localdomain localhost localhost4.localdomain4 localhost4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
1.1.1.1     server.vps.com

*4.- /etc/resolv.conf:*

search midominio.com.ve
nameserver 127.0.0.1   # localhost (the local named)
nameserver 4.2.2.2     # DNS of the VPS provider
nameserver 8.8.8.8     # Google DNS

*5.- /etc/named.conf:*

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

acl "trusted" {
    /*
     * You might put in here some ips which are allowed to use the cache or
     * recursive queries
     */
    127.0.0.0/8;
    ::1/128;
};

acl "xfer" {
    /*
     * Deny transfers by default except for the listed hosts.
     * If we have other name servers, place them here.
     */
    // Authorized IPs: your own name servers.
    1.1.1.2;
    1.1.1.3;
};

options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";

    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */

    allow-query {
        /*
         * Accept queries from our "trusted" ACL.  We will
         * allow anyone to query our master zones below.
         * This prevents us from becoming a free DNS server
         * to the masses.
         */
        trusted;
    };

    allow-query-cache {
        /* Use the cache for the "trusted" ACL. */
        trusted;
    };

    allow-recursion {
        /* Only trusted addresses are allowed to use recursion. */
        trusted;
    };

    allow-transfer {
        /* Zone transfers are denied by default. */
        xfer;
    };

    allow-update {
        /* Don't allow updates, e.g. via nsupdate. */
        none;
    };

    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;

    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";

    managed-keys-directory "/var/named/dynamic";

    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

zone "." IN {
    type hint;
    file "named.ca";
};

include "/etc/named.zones";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

*6.- /etc/named.zones:*

zone "midominio.com.ve" {
    type master;
    file "/var/named/midominio.com.ve.hosts";
    /* Anybody is allowed to query but transfer should be controlled by the master. */
    allow-query { any; };
    allow-transfer { xfer; };
};

zone "1.1.1.in-addr.arpa" {
    type master;
    file "/var/named/1.1.1.in-addr.arpa";
    /* Anybody is allowed to query but transfer should be controlled by the master. */
    allow-query { any; };
    allow-transfer { xfer; };
};

*7.- /var/named/midominio.com.ve.hosts:*

$TTL 38400
midominio.com.ve.   IN  SOA     ns1.midominio.com.ve. administrator.midominio.com.ve. (
                            2015113003  ; Serial, YYYYMMDDnn format as recommended by RFC 1912
                            10800       ; Refresh
                            3600        ; Retry
                            1209600     ; Expire
                            38400 )     ; Negative cache TTL
                    IN  NS      ns1.midominio.com.ve.
                    IN  NS      ns2.midominio.com.ve.
@                   IN  A       1.1.1.1
ns1                 IN  A       1.1.1.2
ns2                 IN  A       1.1.1.3
www                 IN  CNAME   midominio.com.ve.

*8.- /var/named/1.1.1.in-addr.arpa:*

$TTL 38400
@                   IN  SOA     ns1.midominio.com.ve. administrator.midominio.com.ve. (
                            2015113001  ; Serial, YYYYMMDDnn format as recommended by RFC 1912
                            10800       ; Refresh
                            3600        ; Retry
                            1209600     ; Expire
                            38400 )     ; Negative cache TTL
                    IN  NS      ns1.midominio.com.ve.
                    IN  NS      ns2.midominio.com.ve.
1                   IN  PTR     midominio.com.ve.      ; 1.1.1.1
2                   IN  PTR     ns1.midominio.com.ve.  ; 1.1.1.2
3                   IN  PTR     ns2.midominio.com.ve.  ; 1.1.1.3

This is how far I've got so far; I'm going to look into how to create a slave
zone for the DNS server, and also how to fix this info that DNSSTUFF reports:

1.- No stealth nameservers to test. This is simply a note to indicate that
you do not have any stealth nameservers to test, which is what is normally
expected of domains.

2.- Domain has a WWW hostname provided through one or more CNAME lookups,
which will slow down clients attempting to resolve this host.
    www.midominio.com.ve. | midominio.com.ve. | 38400
    midominio.com.ve. | 1.1.1.1 | 38400

3.- No DNSSEC records created for this zone. Many major institutions and
government agencies are planning to move to DNSSEC. You may want to
consider an implementation plan for the zone specified. If you implemented
DNSSEC for your zone we would be able to run further tests.

4.- This domain does not have an SPF record, nor an SPF formatted TXT
record. SPF stands for Sender Policy Framework and is intended as an
anti-forgery email solution (See RFC4408
<http://www.dnsstuff.com/tools#rfcLookup|type=rfc&&value=4408>). Many
spammers have adopted this mechanism and SPF records alone may not be
sufficient to stop spam.

As I fix things and get it perfect I'll keep updating this, in case anyone
else wants to collaborate on turning this post into a guide so that people
without much knowledge can understand, in a simpler way, how to configure a
BIND DNS server.

Regards,

Wilmer.
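An added example that is not part of Wilmer's post: a small offline linter for BIND master files that catches the kind of mistakes the zone files above started out with (a `//` comment, which a master file parses as record data since only `;` starts a comment; a PTR placed in the forward zone; the same NS listed twice; and a reverse zone named after the host 1.1.1.1 instead of the 1.1.1.0/24 block, so that owners like "90" never reverse to an IPv4 address). It is my own code, not the post's and not ISC's; it assumes the post's placeholder addresses 1.1.1.1 to 1.1.1.3 and the midominio.com.ve names, and the sample zone texts inside it are constructed for the demonstration.

```python
"""Offline linter for BIND master files such as those in the post above. Added
example, not code from the post or from ISC BIND. It assumes the post's placeholder
addresses 1.1.1.1-1.1.1.3 and midominio.com.ve names; the sample zones are constructed."""
import re
from collections import Counter

SERIAL_RE = re.compile(r"^\d{4}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}$")  # YYYYMMDDnn

def parse_zone(text, zone_name):
    """Return ([(owner, TYPE, rdata_tokens)], [problems]) for a minimal master file: ';'
    comments, '( ... )' continuation, '@', relative names, blank owner = previous owner."""
    origin = zone_name.rstrip(".") + "."
    records, problems, buf, depth, owner = [], [], [], 0, origin
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.split(";", 1)[0]  # ';' starts a comment in a master file...
        if re.search(r"(?<!:)//", code):  # ...'//' does not, and would be parsed as data
            problems.append(f"line {lineno}: '//' is not a comment delimiter, use ';'")
        if depth == 0 and not code.strip():
            continue
        depth += code.count("(") - code.count(")")
        buf.append(code)
        if depth > 0:
            continue  # still inside '( ... )'
        blank_owner = buf[0][:1].isspace()
        tokens, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if tokens[0].startswith("$"):  # $TTL and other directives are skipped, not records
            continue
        if not blank_owner:
            name, tokens = tokens[0], tokens[1:]
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if tokens and tokens[0].upper() == "IN":  # optional class field
            tokens = tokens[1:]
        if tokens:
            records.append((owner, tokens[0].upper(), tokens[1:]))
    return records, problems

def ptr_owner_to_ip(owner):
    """'2.1.1.1.in-addr.arpa.' -> '1.1.1.2'; None unless exactly four octets precede in-addr.arpa."""
    labels = owner.rstrip(".").split(".")
    octets = labels[:-2][::-1]
    valid = (labels[-2:] == ["in-addr", "arpa"] and len(octets) == 4
             and all(o.isdigit() and int(o) < 256 for o in octets))
    return ".".join(octets) if valid else None

def check_zone(text, zone_name):
    """Lint one zone file; returns a list of problems, empty when the file is clean."""
    records, problems = parse_zone(text, zone_name)
    origin = zone_name.rstrip(".") + "."
    reverse = origin.endswith(".in-addr.arpa.")
    soa = [r[2] for r in records if r[1] == "SOA"]
    serial = soa[0][2] if len(soa) == 1 and len(soa[0]) > 2 else ""
    if not SERIAL_RE.match(serial):
        problems.append(f"SOA serial {serial!r} is not in YYYYMMDDnn form (RFC 1912)")
    apex_ns = Counter(r[2][0] for r in records if r[1] == "NS" and r[0] == origin)
    problems += [f"duplicate NS record {ns}" for ns, n in apex_ns.items() if n > 1]
    if len(apex_ns) < 2:
        problems.append("fewer than two distinct NS records at the apex")
    for owner, rtype, _ in records:
        if rtype == "PTR" and not reverse or rtype == "A" and reverse:
            problems.append(f"{rtype} record {owner} is in the wrong kind of zone")
        elif rtype == "PTR" and ptr_owner_to_ip(owner) is None:
            problems.append(f"PTR owner {owner} does not reverse to an IPv4 address")
    return problems

# Constructed samples: *_POSTED mirror the post's original files, *_FIXED the corrected ones.
FWD_POSTED = """\
$TTL 38400
midominio.com.ve. IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
    2015113003 // serial YYYYMMDDnn
    10800 3600 1209600 38400 )
        IN NS ns1.midominio.com.ve.
        IN NS ns2.midominio.com.ve.
@       IN A 1.1.1.1
ns1     IN A 1.1.1.2
ns2     IN A 1.1.1.3
1.1.1.1.midominio.com.ve. IN PTR midominio.com.ve.
"""
FWD_FIXED = FWD_POSTED.replace("//", ";").replace("1.1.1.1.midominio.com.ve. IN PTR midominio.com.ve.\n", "")
REV_POSTED = """\
@       IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
    2015113001 10800 3600 1209600 38400 )
        IN NS ns1.midominio.com.ve.
        IN NS ns1.midominio.com.ve.
@       IN A 1.1.1.1
90      IN PTR ns1.midominio.com.ve.
91      IN PTR ns2.midominio.com.ve.
"""
REV_FIXED = """\
@       IN SOA ns1.midominio.com.ve. administrator.midominio.com.ve. (
    2015113001 10800 3600 1209600 38400 )
        IN NS ns1.midominio.com.ve.
        IN NS ns2.midominio.com.ve.
1       IN PTR midominio.com.ve.
2       IN PTR ns1.midominio.com.ve.
3       IN PTR ns2.midominio.com.ve.
"""

if __name__ == "__main__":
    print(check_zone(FWD_POSTED, "midominio.com.ve"), check_zone(REV_POSTED, "1.1.1.1.in-addr.arpa"))
    print(check_zone(FWD_FIXED, "midominio.com.ve"), check_zone(REV_FIXED, "1.1.1.in-addr.arpa"))
```

Checking REV_POSTED under the name "1.1.1.1.in-addr.arpa" reports the duplicate NS, the A record that does not belong in a reverse zone, and that "90.1.1.1.1.in-addr.arpa." is not the reverse of any IPv4 address; the same records under "1.1.1.in-addr.arpa" with owners 1, 2 and 3 come back clean. On the server itself the authoritative checks are `named-checkconf /etc/named.conf` and `named-checkzone midominio.com.ve /var/named/midominio.com.ve.hosts`, which ship with the BIND package. Two caveats: a `//` comment reaches the resolver only as garbage, so this linter flags it rather than guessing, and the in-addr.arpa zone for a provider's address block is delegated to the provider, so PTRs for VPS addresses are normally set in the provider's panel and a reverse zone hosted on your own server is only ever queried if that delegation points at it.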


More information about the CentOS-es mailing list