User Tools
сервис_dns
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
сервис_dns [2020/08/26 06:53] val [Настройка сервера зоны обратного преобразования X.168.192.IN-ADDR.ARPA] |
сервис_dns [2025/11/27 09:25] (current) val [Автоматическое обновление сертификатов LetsEncrypt для внутренних сайтов] |
||
|---|---|---|---|
| Line 3: | Line 3: | ||
| * [[http://ru.wikipedia.org/wiki/DNS|Domain Name System — система доменных имён]] | * [[http://ru.wikipedia.org/wiki/DNS|Domain Name System — система доменных имён]] | ||
| * [[http://xgu.ru/wiki/Настройка_DNS-сервера_BIND|Настройка DNS-сервера BIND]] | * [[http://xgu.ru/wiki/Настройка_DNS-сервера_BIND|Настройка DNS-сервера BIND]] | ||
| + | |||
| * [[Финальная настройка DNS сервера]] | * [[Финальная настройка DNS сервера]] | ||
| + | * [[https://nip.io/|Dead simple wildcard DNS for any IP Address]] | ||
| ===== Утилиты тестирования DNS ===== | ===== Утилиты тестирования DNS ===== | ||
| Line 11: | Line 13: | ||
| ==== nslookup ==== | ==== nslookup ==== | ||
| <code> | <code> | ||
| + | $ nslookup | ||
| + | >ya.ru | ||
| + | |||
| $ nslookup mx.bmstu.ru | $ nslookup mx.bmstu.ru | ||
| Line 16: | Line 21: | ||
| $ nslookup -q=NS bmstu.ru | $ nslookup -q=NS bmstu.ru | ||
| + | |||
| + | val@noc:~$ nslookup -q=AXFR bmstu.ru 195.19.32.2 | ||
| $ nslookup -q=MX bmstu.ru 195.19.32.2 | $ nslookup -q=MX bmstu.ru 195.19.32.2 | ||
| - | $ nslookup -q=AXFR bmstu.ru 195.19.32.2 | + | $ nslookup -q=SRV _xmpp-client._tcp.bmstu.ru |
| + | |||
| + | $ nslookup -q=SRV _kerberos._udp.bmstu.ru | ||
| - | # nslookup -q=SRV _xmpp-client._tcp.valtest.bmstu.ru | + | $ nslookup -q=SRV _sip._udp.bmstu.ru |
| </code> | </code> | ||
| Line 122: | Line 131: | ||
| ==== Настройка сервера перенаправляющего запросы на DNS cервер провайдера ==== | ==== Настройка сервера перенаправляющего запросы на DNS cервер провайдера ==== | ||
| - | === FreeBSD === | + | === Debian/Ubuntu === |
| <code> | <code> | ||
| - | server# cat named.conf | + | root@server:~# cat /etc/bind/named.conf.options |
| </code><code> | </code><code> | ||
| options { | options { | ||
| Line 132: | Line 141: | ||
| }; | }; | ||
| ... | ... | ||
| - | }; | + | // dnssec-validation auto; |
| ... | ... | ||
| + | }; | ||
| </code><code> | </code><code> | ||
| - | [server:~] # named-checkconf | + | root@server:~# named-checkconf |
| - | [server:~] # service named restart | + | root@server:~# service bind9 restart |
| </code> | </code> | ||
| - | === Debian/Ubuntu === | + | === FreeBSD === |
| <code> | <code> | ||
| - | root@server:~# cat /etc/bind/named.conf.options | + | server# cat named.conf |
| </code><code> | </code><code> | ||
| + | options { | ||
| ... | ... | ||
| forwarders { | forwarders { | ||
| Line 149: | Line 160: | ||
| }; | }; | ||
| ... | ... | ||
| - | // dnssec-validation auto; | + | }; |
| ... | ... | ||
| - | }; | ||
| </code><code> | </code><code> | ||
| - | root@server:~# named-checkconf | + | [server:~] # named-checkconf |
| - | root@server:~# service bind9 restart | + | [server:~] # service named restart |
| </code> | </code> | ||
| - | |||
| ==== Настройка мастер сервера зоны corpX.un ==== | ==== Настройка мастер сервера зоны corpX.un ==== | ||
| - | |||
| - | === FreeBSD === | ||
| - | <code> | ||
| - | [server:~] # cd /usr/local/etc/namedb/master/ | ||
| - | </code> | ||
| === Debian/Ubuntu === | === Debian/Ubuntu === | ||
| <code> | <code> | ||
| - | root@server:~# cd /etc/bind/ | + | server# cat /etc/bind/corpX.un |
| - | </code> | + | |
| - | + | ||
| - | === FreeBSD/Debian/Ubuntu === | + | |
| - | <code> | + | |
| - | server# cat corpX.un | + | |
| </code><code> | </code><code> | ||
| $TTL 3h | $TTL 3h | ||
| Line 191: | Line 190: | ||
| ;www CNAME server | ;www CNAME server | ||
| ;user1 CNAME server | ;user1 CNAME server | ||
| - | ;smtp CNAME server | + | ;mail CNAME server |
| - | ;imap CNAME server | + | |
| - | ;pop3 CNAME server | + | |
| - | ;ntp CNAME gate | + | ;ntp CNAME gate |
| + | |||
| + | ;proxy A 172.16.1.X | ||
| + | |||
| + | ;$GENERATE 1-100 node$ A 192.168.X.$ | ||
| + | ;$GENERATE 1-9 node$ A 192.168.X.20$ | ||
| + | ;$GENERATE 10-54 node$ A 192.168.X.2$ | ||
| + | ;$GENERATE 1-9 kube$ A 192.168.X.22$ | ||
| ;_sip._udp SRV 0 0 5060 server | ;_sip._udp SRV 0 0 5060 server | ||
| + | |||
| ;_xmpp-client._tcp SRV 0 0 5222 server | ;_xmpp-client._tcp SRV 0 0 5222 server | ||
| ;_kerberos._udp SRV 01 00 88 server | ;_kerberos._udp SRV 01 00 88 server | ||
| ;_kerberos._tcp SRV 01 00 88 server | ;_kerberos._tcp SRV 01 00 88 server | ||
| - | ;_kpasswd._udp SRV 01 00 464 server | ||
| - | ;_kerberos-adm._tcp SRV 01 00 749 server | ||
| ;_kerberos TXT CORPX.UN | ;_kerberos TXT CORPX.UN | ||
| </code><code> | </code><code> | ||
| - | server# named-checkzone corpX.un corpX.un | + | server# named-checkzone corpX.un /etc/bind/corpX.un |
| - | </code> | + | |
| - | + | ||
| - | === FreeBSD === | + | |
| - | <code> | + | |
| - | server# cat /usr/local/etc/namedb/named.conf | + | |
| - | </code><code> | + | |
| - | ... | + | |
| - | zone "corpX.un" { | + | |
| - | type master; | + | |
| - | file "/usr/local/etc/namedb/master/corpX.un"; | + | |
| - | }; | + | |
| - | </code><code> | + | |
| - | [server:~] # named-checkconf -z | + | |
| - | + | ||
| - | [server:~] # service named restart | + | |
| </code> | </code> | ||
| Line 236: | Line 224: | ||
| root@server:~# named-checkconf -z | root@server:~# named-checkconf -z | ||
| - | root@server:~# service bind9 restart | + | root@server:~# rndc reload |
| </code> | </code> | ||
| - | === Проверки FreeBSD/Debian/Ubuntu === | + | === Проверки Debian/Ubuntu === |
| <code> | <code> | ||
| server# nslookup -q=A server.corpX.un | server# nslookup -q=A server.corpX.un | ||
| Line 248: | Line 236: | ||
| === Настройка списка авторитетных серверов на мастер сервере === | === Настройка списка авторитетных серверов на мастер сервере === | ||
| - | == FreeBSD == | ||
| <code> | <code> | ||
| - | [server:~] # cd /usr/local/etc/namedb/master/ | + | server# cat /etc/bind/corpX.un |
| - | </code> | + | |
| - | + | ||
| - | == Debian/Ubuntu == | + | |
| - | <code> | + | |
| - | root@server:~# cd /etc/bind/ | + | |
| - | </code> | + | |
| - | + | ||
| - | == FreeBSD/Debian/Ubuntu == | + | |
| - | <code> | + | |
| - | server# cat corpX.un | + | |
| </code><code> | </code><code> | ||
| $TTL 3h | $TTL 3h | ||
| Line 270: | Line 247: | ||
| ... | ... | ||
| </code><code> | </code><code> | ||
| - | server# named-checkzone corpX.un corpX.un | + | server# named-checkzone corpX.un /etc/bind/corpX.un |
| server# rndc reload | server# rndc reload | ||
| Line 277: | Line 254: | ||
| === Настройка вторичного сервера === | === Настройка вторичного сервера === | ||
| - | == FreeBSD/Debian/Ubuntu == | ||
| <code> | <code> | ||
| server# nslookup -q=AXFR compX.un ns.isp.un | server# nslookup -q=AXFR compX.un ns.isp.un | ||
| </code> | </code> | ||
| - | == FreeBSD == | ||
| - | <code> | ||
| - | server# cat /usr/local/etc/namedb/named.conf | ||
| - | </code><code> | ||
| - | ... | ||
| - | zone "compX.un" { | ||
| - | type slave; | ||
| - | file "/usr/local/etc/namedb/slave/compX.un"; | ||
| - | masters { | ||
| - | 172.16.1.254; | ||
| - | }; | ||
| - | }; | ||
| - | </code><code> | ||
| - | [server:~] # named-checkconf | ||
| - | |||
| - | [server:~] # service named reload | ||
| - | |||
| - | [server:~] # ls /usr/local/etc/namedb/slave/ | ||
| - | </code> | ||
| - | |||
| - | == Debian/Ubuntu == | ||
| <code> | <code> | ||
| root@server:~# cat /etc/bind/named.conf.local | root@server:~# cat /etc/bind/named.conf.local | ||
| Line 315: | Line 270: | ||
| }; | }; | ||
| </code><code> | </code><code> | ||
| - | root@server:~# named-checkconf | + | root@server:~# named-checkconf -z |
| root@server:~# rndc reload | root@server:~# rndc reload | ||
| Line 407: | Line 362: | ||
| Создание файла зоны corpX.un для внутренних и внешних пользователей | Создание файла зоны corpX.un для внутренних и внешних пользователей | ||
| - | === FreeBSD === | + | === Debian/Ubuntu === |
| - | <code> | + | |
| - | [server:~] # cd /usr/local/etc/namedb/master/ | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu === | + | |
| - | <code> | + | |
| - | root@server:~# cd /etc/bind/ | + | |
| - | </code> | + | |
| - | + | ||
| - | === FreeBSD/Ubuntu === | + | |
| <code> | <code> | ||
| - | server# cat corpX.un | + | server# cat /etc/bind/corpX.un |
| </code><code> | </code><code> | ||
| $TTL 3h | $TTL 3h | ||
| Line 427: | Line 372: | ||
| MX 1 server | MX 1 server | ||
| + | | ||
| + | A 192.168.X.10 | ||
| ns A 192.168.X.10 | ns A 192.168.X.10 | ||
| server A 192.168.X.10 | server A 192.168.X.10 | ||
| gate A 192.168.X.1 | gate A 192.168.X.1 | ||
| + | |||
| ... | ... | ||
| </code><code> | </code><code> | ||
| - | server# cat corpX.un.out | + | server# cat /etc/bind/corpX.un.out |
| </code><code> | </code><code> | ||
| $TTL 3h | $TTL 3h | ||
| Line 442: | Line 390: | ||
| MX 1 server | MX 1 server | ||
| - | + | ||
| + | A 172.16.1.X | ||
| + | | ||
| ns A 172.16.1.X | ns A 172.16.1.X | ||
| server A 172.16.1.X | server A 172.16.1.X | ||
| gate A 172.16.1.X | gate A 172.16.1.X | ||
| - | ... | + | |
| + | mail CNAME server | ||
| + | ;... | ||
| </code> | </code> | ||
| Настройка сервера | Настройка сервера | ||
| - | === FreeBSD === | ||
| - | <code> | ||
| - | server# named.conf | ||
| - | </code><code> | ||
| - | options { | ||
| - | ... | ||
| - | }; | ||
| - | view "inside" { | ||
| - | match-clients { | ||
| - | 192.168.X/24; | ||
| - | 127/8; | ||
| - | }; | ||
| - | zone "corpX.un" { | ||
| - | type master; | ||
| - | file "/usr/local/etc/namedb/master/corpX.un"; | ||
| - | }; | ||
| - | zone "X.168.192.IN-ADDR.ARPA" { | + | === Debian/Ubuntu === |
| - | type master; | + | |
| - | file "/usr/local/etc/namedb/master/corpX.rev"; | + | |
| - | }; | + | |
| - | }; | + | |
| - | view "outside" { | + | |
| - | zone "corpX.un" { | + | |
| - | type master; | + | |
| - | file "/usr/local/etc/namedb/master/corpX.un.out"; | + | |
| - | }; | + | |
| - | }; | + | |
| - | </code><code> | + | |
| - | [server:~] # service named reload | + | |
| - | </code> | + | |
| - | + | ||
| - | === Ubuntu === | + | |
| <code> | <code> | ||
| - | root@server:~# cat /etc/bind/named.conf.local | + | root@server:~# less /etc/bind/named.conf.local |
| </code><code> | </code><code> | ||
| zone "corpX.un" { | zone "corpX.un" { | ||
| Line 569: | Line 490: | ||
| </code> | </code> | ||
| - | ==== Ограничение доступа к DNS серверу ==== | + | ==== Автоматическое обновление сертификатов LetsEncrypt для внутренних сайтов ==== |
| - | === Ubuntu === | + | * [[Let's Encrypt для внутренних сайтов]] |
| + | |||
| + | === Черновик 1 === | ||
| <code> | <code> | ||
| - | # cat /etc/bind/named.conf.options | + | ns.domain1.mgtu.ru:~# vim /etc/bind/domain1.mgtu.ru |
| + | ... | ||
| + | site4 A 195.19.40.59 | ||
| + | *.site4 A 195.19.40.59 | ||
| + | _acme-challenge.site4 NS ns | ||
| + | ... | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# rndc-confgen -a -A hmac-sha512 -k "certbot.site4" -c /etc/bind/certbot.site4.key | ||
| + | ns.domain1.mgtu.ru:~# chmod 640 /etc/bind/certbot.site4.key | ||
| + | |||
| + | ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf | ||
| + | ... | ||
| + | include "/etc/bind/certbot.site4.key"; | ||
| + | ... | ||
| + | |||
| + | ns.domain1.mgtu.ru:~# cat /etc/bind/named.conf.local | ||
| + | ... | ||
| + | zone "_acme-challenge.site4.domain1.mgtu.ru" { | ||
| + | type master; | ||
| + | file "/var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru"; | ||
| + | update-policy { | ||
| + | grant certbot.site4 name _acme-challenge.site4.domain1.mgtu.ru. txt; | ||
| + | }; | ||
| + | }; | ||
| + | ... | ||
| - | # cat /etc/bind/named.conf.local | + | ns.domain1.mgtu.ru:~# sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru |
| - | </code> | + | |
| - | === FreeBSD === | + | $TTL 30 ; 30 seconds |
| + | _acme-challenge.site4.domain1.mgtu.ru. IN SOA ns.domain1.mgtu.ru. noc.bmstu.ru. ( | ||
| + | 9 ; serial | ||
| + | 86400 ; refresh (1 day) | ||
| + | 43200 ; retry (12 hours) | ||
| + | 604800 ; expire (1 week) | ||
| + | 30 ; minimum (30 seconds) | ||
| + | ) | ||
| + | NS ns.domain1.mgtu.ru. | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# nsupdate -k /etc/bind/certbot.key | ||
| + | site4.domain1.mgtu.ru:~# apt install bind9-dnsutils | ||
| + | site4.domain1.mgtu.ru:~# nsupdate -k certbot.key | ||
| + | > server 127.0.0.1 | ||
| + | > server 195.19.40.42 | ||
| + | > zone _acme-challenge.site4.domain1.mgtu.ru | ||
| + | > update add _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2" | ||
| + | > update del _acme-challenge.site4.domain1.mgtu.ru. 30 IN TXT "your_txt_record_data 2" | ||
| + | > send | ||
| + | |||
| + | site4.domain1.mgtu.ru:~# dig TXT _acme-challenge.site4.domain1.mgtu.ru | ||
| + | |||
| + | |||
| + | ns.domain1.mgtu.ru:~# ###rndc freeze _acme-challenge.site4.domain1.mgtu.ru. | ||
| + | ns.domain1.mgtu.ru:~# ###sudo -u bind vim /var/lib/bind/_acme-challenge.site4.domain1.mgtu.ru | ||
| + | ns.domain1.mgtu.ru:~# ###rndc thaw _acme-challenge.site4.domain1.mgtu.ru. | ||
| + | |||
| + | |||
| + | site4.domain1.mgtu.ru:~# apt install python3-certbot-dns-rfc2136 | ||
| + | |||
| + | site4.domain1.mgtu.ru:~# cat /etc/certbot-credentials.ini | ||
| + | dns_rfc2136_server = 195.19.40.42 | ||
| + | dns_rfc2136_port = 53 | ||
| + | dns_rfc2136_name = certbot.site4 | ||
| + | dns_rfc2136_secret = QV8VQ+B8wv+nj/fE7DoqUmFLZWeNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNzFE8TjiwfnxO5MNg== | ||
| + | dns_rfc2136_algorithm = HMAC-SHA512 | ||
| + | |||
| + | |||
| + | site4.domain1.mgtu.ru:~# chmod 640 /etc/certbot-credentials.ini | ||
| + | |||
| + | certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/certbot-credentials.ini -d 'site4.domain1.mgtu.ru' -d '*.site4.domain1.mgtu.ru' | ||
| + | </code> | ||
| + | === Черновик 2 === | ||
| <code> | <code> | ||
| - | # cat named.conf | + | rndc-confgen -a -A hmac-sha512 -k "certbot." -c /etc/bind/certbot.key |
| + | |||
| + | valtest:~# chmod 640 /etc/bind/certbot.key | ||
| + | |||
| + | more /etc/bind/certbot.key | ||
| + | |||
| + | valtest:~# cat /etc/bind/named.conf | ||
| + | ... | ||
| + | include "/etc/bind/certbot.key"; | ||
| + | |||
| + | sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | valtest:~# cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | $TTL 300 ; 5 minutes | ||
| + | _acme-challenge.valtest.bmstu.ru. IN SOA valtest.bmstu.ru. val.bmstu.ru. ( | ||
| + | 2020050828 ; serial | ||
| + | 10800 ; refresh (3 hours) | ||
| + | 3600 ; retry (1 hour) | ||
| + | 86400 ; expire (1 week) | ||
| + | 86400 ; minimum (1 day) | ||
| + | ) | ||
| + | NS valtest.bmstu.ru. | ||
| + | NS ns.bmstu.ru. | ||
| + | $TTL 60 ; 1 minute | ||
| + | TXT "127.0.0.8" | ||
| + | |||
| + | |||
| + | valtest:~# cat /etc/bind/named.conf.local | ||
| + | ... | ||
| + | zone "_acme-challenge.valtest.bmstu.ru" { | ||
| + | type master; | ||
| + | file "/var/lib/bind/_acme-challenge.valtest.bmstu.ru"; | ||
| + | allow-transfer {195.19.32.2;}; | ||
| + | update-policy { | ||
| + | grant certbot. name _acme-challenge.valtest.bmstu.ru. txt; | ||
| + | }; | ||
| + | }; | ||
| + | |||
| + | valtest:~# nsupdate -k /etc/bind/certbot.key | ||
| + | > server 127.0.0.1 | ||
| + | > zone _acme-challenge.valtest.bmstu.ru | ||
| + | > update add _acme-challenge.valtest.bmstu.ru. 300 IN TXT "your_txt_record_data 1" | ||
| + | > send | ||
| + | |||
| + | valtest:~# dig TXT _acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | root@ns:~# named-compilezone -f raw -F text -o - _acme-challenge.valtest.bmstu.ru /var/cache/bind/ru/_acme-challenge.valtest.bmstu | ||
| + | |||
| + | valtest:~# rndc sync _acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | |||
| + | valtest:~# rndc freeze _acme-challenge.valtest.bmstu.ru. | ||
| + | valtest:~# sudo -u bind vim /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | valtest:~# rndc thaw _acme-challenge.valtest.bmstu.ru. | ||
| + | |||
| + | |||
| + | valtest:~# ###cat /var/lib/bind/_acme-challenge.valtest.bmstu.ru | ||
| + | |||
| + | |||
| + | |||
| + | Nov 19 14:51:06 ns named[213146]: zone _acme-challenge.valtest.bmstu.ru/IN/common: refresh: unexpected rcode (SERVFAIL) from primary 195.19.40.42#53 (source 0.0.0.0#0) | ||
| + | |||
| + | |||
| + | |||
| + | apt-get install python3-certbot-dns-rfc2136 | ||
| + | |||
| + | valtest:~# cat /etc/bind/certbot-credentials.ini | ||
| + | # Target DNS server | ||
| + | dns_rfc2136_server = 127.0.0.1 | ||
| + | # Target DNS port | ||
| + | dns_rfc2136_port = 53 | ||
| + | # TSIG key name | ||
| + | dns_rfc2136_name = certbot. | ||
| + | # TSIG key secret | ||
| + | dns_rfc2136_secret = Pba+bPbB8/fxhEl70BTgIz3ljrEPlq/msjkiaI7+X8gkQI7WwM6B4GQVifvkUIjd6TQFqc+x0rddefn1s8VgIA== | ||
| + | # TSIG key algorithm | ||
| + | dns_rfc2136_algorithm = HMAC-SHA512 | ||
| + | |||
| + | |||
| + | chmod 640 /etc/bind/certbot-credentials.ini | ||
| + | |||
| + | certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/certbot-credentials.ini -d 'valtest.bmstu.ru' -d '*.valtest.bmstu.ru' --dry-run | ||
| </code> | </code> | ||
| + | ==== Ограничение доступа к DNS серверу ==== | ||
| - | === Ubuntu/FreeBSD === | + | === Debian/Ubuntu === |
| <code> | <code> | ||
| + | # cat /etc/bind/named.conf.options | ||
| + | </code><code> | ||
| options { | options { | ||
| ... | ... | ||
| Line 590: | Line 664: | ||
| ... | ... | ||
| }; | }; | ||
| - | ... | + | </code><code> |
| + | # cat /etc/bind/named.conf.local | ||
| + | </code><code> | ||
| zone "corpX.un" { | zone "corpX.un" { | ||
| ... | ... | ||
| Line 596: | Line 672: | ||
| ... | ... | ||
| }; | }; | ||
| - | ... | + | </code><code> |
| + | gate.isp.un$ nslookup -q=AXFR corpX.un 192.168.X.10 | ||
| </code> | </code> | ||
| + | |||
| ==== Мониторинг DNS сервера ==== | ==== Мониторинг DNS сервера ==== | ||
сервис_dns.1598414006.txt.gz · Last modified: 2020/08/26 06:53 by val
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
