|
|
# installation: BIND
|
|
|
|
|
|
[[_TOC_]]
|
|
|
|
|
|
|
|
|
## commun
|
|
|
|
|
|
# apt-get install bind9
|
|
|
|
|
|
[BUG:
|
|
|
il faut?]
|
|
|
|
|
|
# nano /etc/bind/named.conf.local
|
|
|
[uncomment]
|
|
|
include "/etc/bind/zones.rfc1918";
|
|
|
# service bind9 restart
|
|
|
# etckeeper commit 'bind/named.conf.local: include zones.rfc1918'
|
|
|
|
|
|
*[si dnsmasq interne]*
|
|
|
|
|
|
# nano /etc/dnsmasq.conf
|
|
|
[add]
|
|
|
except-interface=$IF_WAN
|
|
|
[uncomment]
|
|
|
bind-interfaces
|
|
|
# nano /etc/bind/named.conf.options
|
|
|
[add -- NOTE: this exposes named on the WAN address. BIND's built-in default for allow-recursion is localnets/localhost, but for an authoritative-only server set `recursion no;` explicitly in the same options block so it can never become an open resolver usable for amplification]
|
|
|
listen-on { ${IP_WAN}; };
|
|
|
[comment]
|
|
|
//listen-on-v6 { any; };
|
|
|
# service bind9 restart
|
|
|
# netstat -uanp | grep named
|
|
|
udp 0 0 $IP_WAN:53 0.0.0.0:* $PID/named
|
|
|
# netstat -tanp | grep named
|
|
|
[953 est le port de contrôle pour (r)ndc]
|
|
|
tcp 0 0 $IP_WAN:53 0.0.0.0:* LISTEN $PID/named
|
|
|
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN $PID/named
|
|
|
tcp6 0 0 ::1:953 :::* LISTEN $PID/named
|
|
|
# etckeeper commit 'bind/named.conf.options: listen-on IP_WAN && no IPv6'
|
|
|
|
|
|
*[si iodine externe]*
|
|
|
|
|
|
# nano /etc/default/iodine
|
|
|
[add "-b 5353" to IODINED_ARGS]
|
|
|
# service iodined restart
|
|
|
# nano /etc/bind/named.conf.options
|
|
|
[replace]
|
|
|
//// because of iodine, otherwise $IP_WAN:53
|
|
|
listen-on port 5353 { 127.0.0.1; };
|
|
|
# service bind9 restart
|
|
|
# netstat -uanp | grep named
|
|
|
udp 0 0 127.0.0.1:5353 0.0.0.0:* $PID/named
|
|
|
# netstat -tanp | grep named
|
|
|
[953 est le port de contrôle pour (r)ndc]
|
|
|
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN $PID/named
|
|
|
tcp 0 0 127.0.0.1:5353 0.0.0.0:* LISTEN $PID/named
|
|
|
tcp6 0 0 ::1:953 :::* LISTEN $PID/named
|
|
|
# etckeeper commit 'bind/named.conf.options: listen-on 127.0.0.1:5353'
|
|
|
|
|
|
*[de toute façon]*
|
|
|
|
|
|
# mkdir /etc/bind/db /etc/bind/zones
|
|
|
|
|
|
|
|
|
## master
|
|
|
|
|
|
# export NEW_DOMAIN_NAME=$DOMAIN
|
|
|
# export NEW_DOMAIN_IP=$IP
|
|
|
# export IP_SLAVE=$IP_SLAVE
|
|
|
# cat <<EOF >/etc/bind/zones/zones.${NEW_DOMAIN_NAME}
|
|
|
zone "${NEW_DOMAIN_NAME}" {
|
|
|
type master;
|
|
|
file "/etc/bind/db/db.${NEW_DOMAIN_NAME}";
|
|
|
allow-transfer {
|
|
|
$IP_SLAVE;
|
|
|
};
|
|
|
};
|
|
|
EOF
|
|
|
|
|
|
*[- situation de base]*
|
|
|
|
|
|
# cat <<EOF >/etc/bind/db/db.${NEW_DOMAIN_NAME}
|
|
|
\$ORIGIN .
|
|
|
\$TTL 600 ; 10 minutes (for faster updates)
|
|
|
${NEW_DOMAIN_NAME} IN SOA ${NEW_DOMAIN_NAME}. it.${NEW_DOMAIN_NAME}. (
|
|
|
$(date +%Y%m%d)NN ; serial -- replace NN with a 2-digit revision (e.g. 01) before loading; a non-numeric serial is rejected by named-checkzone / named
|
|
|
3600 ; refresh (1 hour)
|
|
|
600 ; retry (10 minutes)
|
|
|
86400 ; expire (1 day) -- NOTE: short; slaves stop answering for the zone after 1 day without reaching the master. RFC 1912 suggests 2-4 weeks (1209600-2419200)
|
|
|
600 ; minimum (10 minutes)
|
|
|
)
|
|
|
; every NS listed here must actually serve the zone (be a slave with allow-transfer granted), otherwise the delegation is lame
; ns1 and ns2 resolve to the same address below, so they add no redundancy
NS ns1.${NEW_DOMAIN_NAME}.
|
|
|
NS ns2.${NEW_DOMAIN_NAME}.
|
|
|
NS ns1.inubo.ch.
|
|
|
NS ns1.pca.it.
|
|
|
NS ns1.itopie.ch.
|
|
|
MX 10 mail.${NEW_DOMAIN_NAME}.
|
|
|
TXT "v=spf1 ip4:${NEW_DOMAIN_IP} a ~all"
|
|
|
; the SPF RR type (99) was deprecated by RFC 7208 section 3.1: publish SPF in the TXT record only and drop this line
SPF "v=spf1 ip4:${NEW_DOMAIN_IP} a ~all"
|
|
|
|
|
|
\$ORIGIN _tcp.${NEW_DOMAIN_NAME}.
|
|
|
_xmpp-client SRV 0 5 5222 xmpp.${NEW_DOMAIN_NAME}.
|
|
|
_xmpp-server SRV 0 5 5269 xmpp.${NEW_DOMAIN_NAME}.
|
|
|
|
|
|
\$ORIGIN ${NEW_DOMAIN_NAME}.
|
|
|
$(hostname) A ${NEW_DOMAIN_IP}
|
|
|
inubo A ${NEW_DOMAIN_IP}
|
|
|
mail A ${NEW_DOMAIN_IP}
|
|
|
ns1 A ${NEW_DOMAIN_IP}
|
|
|
ns2 A ${NEW_DOMAIN_IP}
|
|
|
ntp A ${NEW_DOMAIN_IP}
|
|
|
vpn1 A ${NEW_DOMAIN_IP}
|
|
|
webmail A ${NEW_DOMAIN_IP}
|
|
|
www A ${NEW_DOMAIN_IP}
|
|
|
xmpp A ${NEW_DOMAIN_IP}
|
|
|
|
|
|
; iodine
|
|
|
t1ns A ${NEW_DOMAIN_IP}
|
|
|
t1 NS t1ns
|
|
|
|
|
|
sip A ${NEW_DOMAIN_IP}
|
|
|
_sip._tcp SRV 10 10 5060 sip
|
|
|
_sip._udp SRV 10 10 5060 sip
|
|
|
EOF
|
|
|
|
|
|
*[- si ${NEW_DOMAIN_NAME} doit être rediriger vers www.${NEW_DOMAIN_NAME}]*
|
|
|
|
|
|
# nano /etc/bind/db/db.${NEW_DOMAIN_NAME}
|
|
|
[add in the SOA section]
|
|
|
A ${NEW_DOMAIN_IP}
|
|
|
|
|
|
*[- si tout ${$NEW_DOMAIN_NAME} doit être rediriger vers ${NEW_DOMAIN_OTHER}]*
|
|
|
|
|
|
# nano /etc/bind/db/db.${NEW_DOMAIN_NAME}
|
|
|
[leave only the following line in the apex (SOA) section -- NOTE: DNAME redirects only names *below* the apex (RFC 6672); the apex itself is not redirected, so SOA and NS (and any A/MX wanted for the bare domain) must stay]
|
|
|
DNAME ${NEW_DOMAIN_OTHER}.
|
|
|
|
|
|
*[de toute façon]*
|
|
|
|
|
|
# cat <<EOF >>/etc/bind/named.conf.local
|
|
|
include "/etc/bind/zones/zones.${NEW_DOMAIN_NAME}";
|
|
|
EOF
|
|
|
|
|
|
*[si gateway Internet]*
|
|
|
|
|
|
# nano /etc/rc.local
|
|
|
[add]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
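# Accept external DNS queries (UDP)
### module:ip_conntrack is needed for --state
### NOTE: --sport 1024:65535 drops the few resolvers that still query from port 53; widen to 1:65535 if that matters
/sbin/iptables -A INPUT -p udp -i $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Accept external DNS queries over TCP: clients retry over TCP when the UDP answer is truncated
# (large TXT/SPF, DNSSEC), and DNS servers must support TCP (RFC 7766)
/sbin/iptables -A INPUT -p tcp -i $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Accept zone transfers (AXFR/IXFR) from the slave
## ns1.$DOMAIN_SLAVE
### the slave is the *source* of the transfer connection: match it with -s, not -d
### (on this host's INPUT chain -d $IP_SLAVE never matches, so the old rule silently blocked transfers)
### already covered by the TCP rule above; kept so the slave is documented here -- the real restriction is allow-transfer in the zone
/sbin/iptables -A INPUT -p tcp -i $IF_WAN -s $IP_SLAVE --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Allow outgoing DNS requests (named resolving / forwarding other zones), UDP and the TCP retry
/sbin/iptables -A OUTPUT -p udp -o $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT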
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# /etc/rc.local
|
|
|
|
|
|
*[de toute façon]*
|
|
|
|
|
|
# service bind9 restart
|
|
|
# host ${NEW_DOMAIN_NAME} 127.0.0.1
|
|
|
# etckeeper commit "bind/*: add ${NEW_DOMAIN_NAME}"
|
|
|
# unset IP_SLAVE
|
|
|
# unset NEW_DOMAIN_IP
|
|
|
# unset NEW_DOMAIN_NAME
|
|
|
|
|
|
|
|
|
## slave
|
|
|
|
|
|
# export NEW_DOMAIN_NAME=$DOMAIN
|
|
|
# export IP_MASTER=$IP_MASTER
|
|
|
# /home/rescue/bin/dns-add-slave.sh ${NEW_DOMAIN_NAME} ${IP_MASTER}
|
|
|
|
|
|
|
|
|
*[si gateway Internet]*
|
|
|
|
|
|
# nano /etc/rc.local
|
|
|
[add]
|
|
|
--8<---------------cut here---------------start------------->8---
|
|
|
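# Accept external DNS queries (UDP)
### module:ip_conntrack is needed for --state
### NOTE: --sport 1024:65535 drops the few resolvers that still query from port 53; widen to 1:65535 if that matters
### NOTIFY from the master also arrives here (UDP 53) and is covered as long as the master sends from an ephemeral port (presumably the BIND default -- verify)
/sbin/iptables -A INPUT -p udp -i $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Accept external DNS queries over TCP: clients retry over TCP when the UDP answer is truncated
# (large TXT/SPF, DNSSEC), and DNS servers must support TCP (RFC 7766)
/sbin/iptables -A INPUT -p tcp -i $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Allow outgoing DNS requests, UDP and the TCP retry
/sbin/iptables -A OUTPUT -p udp -o $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o $IF_WAN --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT
# Allow zone transfers (AXFR/IXFR) towards the master: this host opens the TCP connection,
# so the master is the destination (-d) on the OUTPUT chain
## ns1.$DOMAIN_MASTER
/sbin/iptables -A OUTPUT -p tcp -o $IF_WAN -d $IP_MASTER --sport 1024:65535 --dport 53 -m state --state NEW -j ACCEPT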
|
|
|
--8<---------------cut here---------------end--------------->8---
|
|
|
# /etc/rc.local
|
|
|
|
|
|
*[de toute façon]*
|
|
|
|
|
|
# service bind9 restart
|
|
|
# cat /var/cache/bind/db.${NEW_DOMAIN_NAME}
|
|
|
# etckeeper commit "bind/*: add slave ${NEW_DOMAIN_NAME}"
|
|
|
# unset IP_MASTER
|
|
|
# unset NEW_DOMAIN_NAME
|
|
|
|
|
|
|
|
|
## dynamic DNS
|
|
|
|
|
|
|
|
|
### client
|
|
|
|
|
|
|
|
|
## DNSSEC ([RFC#4033](https://tools.ietf.org/html/rfc4033), [RFC#4034](https://tools.ietf.org/html/rfc4034), [RFC#4035](https://tools.ietf.org/html/rfc4035); RFC 2535 is obsolete)
|
|
|
|