Building a BIND server as a front end for Amazon Provided DNS
Purpose
After building the VPC and configuring Direct Connect to the on-premises environment, we want to resolve names of the AWS-side environment from on-premises.
Because Amazon Provided DNS (the .2 address of the VPC CIDR) cannot be queried directly from on-premises, we build BIND inside the VPC with a forward-only configuration and point the on-premises hosts at the BIND server built in the VPC as their DNS server.
Conditions
Setup
Installing BIND
$ sudo yum install bind
$ /usr/sbin/named -v
BIND 9.9.4-RedHat-9.9.4-51.amzn2 (Extended Support Version)
Enabling automatic start
$ sudo systemctl enable named
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
$ systemctl list-unit-files | grep named
named-setup-rndc.service static
named.service enabled
systemd-hostnamed.service static
Updating the BIND configuration file (named.conf)
$ sudo cp /etc/named.conf /etc/named.conf.bk
$ sudo vi /etc/named.conf
/etc/named.conf
//// Define the on-premises CIDR in an ACL named internalnet
//// Added
acl "internalnet" {
    172.16.0.0/12;
    127.0.0.1;
};

options {
    /* Restrict the addresses to listen on */
    /* Commented out */
    // listen-on port 53 { 127.0.0.1; };
    // listen-on-v6 port 53 { ::1; };
    /* BIND's built-in "localhost" ACL matches every address of the server's own interfaces,
       so the VPC address of this host (10.0.0.4) is covered without being listed explicitly */
    listen-on port 53 { internalnet; localhost; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    /* Allow forwarding only, and change the forwarding target to the Amazon Provided DNS server */
    /* Commented out */
    // allow-query { localhost; };
    /* Added */
    allow-transfer { none; };
    allow-query { internalnet; localhost; };
    allow-query-cache { internalnet; localhost; };
    forward only;
    forwarders { 10.0.0.2; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface
    */
    recursion yes;
    /* Changed to no because Provided DNS does not support DNSSEC */
    /* Commented out */
    // dnssec-enable yes;
    // dnssec-validation yes;
    // Added
    dnssec-enable no;
    dnssec-validation no;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

/* Changed so that logs are rotated */
/* Commented out */
//logging {
//    channel default_debug {
//        file "data/named.run";
//        severity dynamic;
//    };
//};
/* Added */
logging {
    channel "default-log" {
        file "data/named.run" versions 5 size 10M;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category default { "default-log"; };
    category general { "default-log"; };
    category security { "default-log"; };
    category client { "default-log"; };
    category queries { "default-log"; };
    category unmatched { "null"; };
};

/* No zones are built */
/* Commented out */
// zone "." IN {
//     type hint;
//     file "named.ca";
//};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
Restart the service and check that name resolution works
$ sudo systemctl restart named.service
$ dig @localhost qiita.com
...
;; ANSWER SECTION:
qiita.com. 60 IN A 54.178.162.126
qiita.com. 60 IN A 54.92.52.111
qiita.com. 60 IN A 54.95.21.121
;; Query time: 72 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 00 00:00:00 JST 2000
;; MSG SIZE rcvd: 86
$ dig @10.0.0.4 qiita.com
...
;; ANSWER SECTION:
qiita.com. 32 IN A 54.178.162.126
qiita.com. 32 IN A 54.95.21.121
qiita.com. 32 IN A 54.92.52.111
;; Query time: 0 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Wed Jan 00 00:00:00 JST 2000
;; MSG SIZE rcvd: 86
For reference, the named log looks like this.
$ sudo tail /var/named/data/named.run
00-Jan-2000 00:00:00.000 general: notice: running
00-Jan-2000 00:00:00.000 queries: info: client 10.0.0.4#22557 (qiita.com): query: qiita.com IN A + (10.0.0.4)
00-Jan-2000 00:00:00.000 queries: info: client 172.16.0.123#38738 (qiita.com): query: qiita.com IN A + (10.0.0.4)
Verification from the on-premises side
DNS server and domain name settings (Linux client)
onpre$ vi /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
options timeout:2 attempts:5
nameserver 10.0.0.4
Confirm that names can also be resolved through the nameserver configured above.
onpre$ dig qiita.com
...
;; ANSWER SECTION:
qiita.com. 32 IN A 54.178.162.126
qiita.com. 32 IN A 54.95.21.121
qiita.com. 32 IN A 54.92.52.111
;; Query time: 0 msec
;; SERVER: 10.0.0.4#53(10.0.0.4)
;; WHEN: Wed Jan 00 00:00:00 JST 2000
;; MSG SIZE rcvd: 86
Bonus: sending the named log to CloudWatch Logs with the CloudWatch Logs Agent is also handy.
/etc/awslogs/awslogs.conf
[/var/named/data/named.run]
datetime_format = %d-%b-%Y %H:%M:%S
file = /var/named/data/named.run
buffer_duration = 5000
log_stream_name = {instance_id}
initial_position = start_of_file
log_group_name = /var/named/data/named.run
Miscellaneous
With BIND 9.9.2, name resolution worked without any problem when the client was Linux, but when the client was Windows a mysterious situation occurred where the BIND service terminated abnormally; after downgrading to BIND 9.8.2 it was fine. Cause unknown.
named.run
08-Mar-2018 19:28:22.038 queries: info: client 172.62.11.7#52061: query: twitter.com IN A + (172.74.11.134)
08-Mar-2018 19:28:22.040 general: critical: mem.c:1323: REQUIRE(ptr != ((void *)0)) failed, back trace
08-Mar-2018 19:28:22.040 general: critical: #0 0x8f233b086f in ??
08-Mar-2018 19:28:22.040 general: critical: #1 0x8f23380b1a in ??
08-Mar-2018 19:28:22.040 general: critical: #2 0x8f23392794 in ??
08-Mar-2018 19:28:22.040 general: critical: #3 0x8f23392eab in ??
08-Mar-2018 19:28:22.040 general: critical: #4 0x8f233b2925 in ??
08-Mar-2018 19:28:22.040 general: critical: #5 0x8f233d5275 in ??
08-Mar-2018 19:28:22.040 general: critical: #6 0x8f233d6878 in ??
08-Mar-2018 19:28:22.040 general: critical: #7 0x8f2339f439 in ??
08-Mar-2018 19:28:22.040 general: critical: #8 0x8f233848ca in ??
08-Mar-2018 19:28:22.040 general: critical: #9 0x8f2338c9a92d in ??
08-Mar-2018 19:28:22.040 general: critical: exiting (due to assertion failure)
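As an added example (not code from the original article), the following Python script parses named.run lines in the layout produced by the logging channel above (print-time, print-category, print-severity), flags queries whose client address is outside the internalnet ACL or the server's own addresses (127.0.0.1 and 10.0.0.4, taken from this page), and picks out the critical messages that precede the assertion-failure exit shown in the Miscellaneous section. The sample lines are constructed; the query from 192.0.2.10 is an address deliberately outside the ACL.

```python
import ipaddress
import re

# Address match list from the named.conf on this page: the "internalnet" ACL plus "localhost".
# BIND's built-in "localhost" ACL matches every address on the server's own interfaces, so
# the BIND host's VPC address 10.0.0.4 (taken from the page) is listed next to 127.0.0.1.
INTERNALNET = [ipaddress.ip_network("172.16.0.0/12")]
LOCALHOST_ADDRS = {"127.0.0.1", "10.0.0.4"}

# Line layout produced by print-time, print-category and print-severity in the channel above.
QUERY_RE = re.compile(
    r"^\S+ \S+ queries: info: client (?P<ip>[\d.]+)#\d+(?: \([^)]*\))?: "
    r"query: (?P<name>\S+) IN (?P<rtype>\S+) \S+ \((?P<dst>[\d.]+)\)$"
)
CRITICAL_RE = re.compile(r"^\S+ \S+ general: critical: (?P<msg>.*)$")

def client_permitted(ip):
    """Mirror the allow-query list: internalnet or any of the server's own addresses."""
    addr = ipaddress.ip_address(ip)
    return ip in LOCALHOST_ADDRS or any(addr in net for net in INTERNALNET)

def analyze(lines):
    """Return (permitted queries, queries from outside the ACL, critical messages)."""
    permitted, outside, critical = [], [], []
    for line in lines:
        q = QUERY_RE.match(line)
        if q:
            rec = q.groupdict()
            (permitted if client_permitted(rec["ip"]) else outside).append(rec)
            continue
        c = CRITICAL_RE.match(line)
        if c:
            critical.append(c.group("msg"))
    return permitted, outside, critical

# Constructed sample: the query lines shown on the page, one query from 192.0.2.10 (outside
# internalnet, RFC 5737 documentation range) and two lines from the crash log.
SAMPLE = """\
00-Jan-2000 00:00:00.000 general: notice: running
00-Jan-2000 00:00:00.000 queries: info: client 10.0.0.4#22557 (qiita.com): query: qiita.com IN A + (10.0.0.4)
00-Jan-2000 00:00:00.000 queries: info: client 172.16.0.123#38738 (qiita.com): query: qiita.com IN A + (10.0.0.4)
00-Jan-2000 00:00:01.000 queries: info: client 192.0.2.10#40001 (example.com): query: example.com IN A + (10.0.0.4)
08-Mar-2018 19:28:22.040 general: critical: mem.c:1323: REQUIRE(ptr != ((void *)0)) failed, back trace
08-Mar-2018 19:28:22.040 general: critical: exiting (due to assertion failure)
""".splitlines()

if __name__ == "__main__":
    ok, bad, crit = analyze(SAMPLE)
    print(len(ok), "permitted;", [r["ip"] for r in bad], "outside ACL;", crit)
```

A query logged from an address outside the ACL means the listener is reachable from somewhere the allow-query list was not written for, which is worth an alert on its own; a critical line is the signal to restart named and investigate.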
Reference
Original article (Qiita):
https://qiita.com/saitotak/items/703b161ec09ddc7bc022