内部向け DNS サーバーの構築

$ uname -a
Linux amazonlinux2_dns 4.14.219-164.354.amzn2.x86_64 #1 SMP Mon Feb 22 21:18:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/os-release 
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

$ sudo yum install bind bind-chroot -y

$ sudo systemctl start named-chroot
$ sudo systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named-chroot.service to /usr/lib/systemd/system/named-chroot.service.
$ sudo systemctl status named-chroot
● named-chroot.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2021-03-07 17:33:05 UTC; 9s ago
 Main PID: 3444 (named)
   CGroup: /system.slice/named-chroot.service
           └─3444 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot

Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './DNSKEY/IN': 2001:503:ba3e::2:30#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './NS/IN': 2001:503:ba3e::2:30#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './DNSKEY/IN': 2001:500:9f::42#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './NS/IN': 2001:500:9f::42#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './DNSKEY/IN': 2001:500:a8::e#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './NS/IN': 2001:500:a8::e#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './DNSKEY/IN': 2001:500:2f::f#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: network unreachable resolving './NS/IN': 2001:500:2f::f#53
Mar 07 17:33:05 amazonlinux2_dns named[3444]: managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
Mar 07 17:33:05 amazonlinux2_dns named[3444]: resolver priming query complete

 $ sudo netstat -antp | grep 53
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      3444/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      3444/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      3444/named
tcp6       0      0 ::1:53                  :::*                    LISTEN      3444/named

$ sudo su
$ cd /var/named/chroot/var/named/
$ cp -ip named.localhost queenanne.local.zone
$ cat /var/named/chroot/var/named/queenanne.local.zone
$TTL 1D
@	IN SOA	queenanne.local. root.queenanne.local (
					2	; serial
					1D	; refresh
					1H	; retry
					1W	; expire
					3H )	; minimum
	IN	NS	dns
dns	IN	A	192.168.100.53
dev	IN	A	192.168.100.22
web	IN	A	192.168.100.15
scan	IN	A	192.168.100.13
kvm	IN	A	192.168.100.4
mysql	IN	A	192.168.100.19

$ named-checkzone queenanne.local /var/named/chroot/var/named/queenanne.local.zone 
zone queenanne.local/IN: loaded serial 2
OK

$ emacs /var/named/chroot/etc/named.conf 
$ cat /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	recursing-file  "/var/named/data/named.recursing";
	secroots-file   "/var/named/data/named.secroots";
	allow-query     { any; };

	/* 
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable 
	   recursion. 
	 - If your recursive DNS server has a public IP address, you MUST enable access 
	   control to limit queries to your legitimate users. Failing to do so will
	   cause your server to become part of large scale DNS amplification 
	   attacks. Implementing BCP38 within your network would greatly
	   reduce such attack surface 
	*/
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.root.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
	forwarders {
		   8.8.8.8;
		   1.1.1.1;
	};

};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "queenanne.local" IN {
	type master;
	file "queenanne.local.zone";
	allow-query { any; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

$ systemctl restart named-chroot

$ cat /etc/resolv.conf
; generated by /usr/sbin/dhclient-script
#nameserver 192.168.100.1
#nameserver 10.0.0.1
nameserver 127.0.0.1

$ dig dns.queenanne.local +short
192.168.100.53
$ dig dev.queenanne.local +short
192.168.100.22
$ dig web.queenanne.local +short
192.168.100.15
$ dig scan.queenanne.local +short
192.168.100.13
$ dig kvm.queenanne.local +short
192.168.100.4
$ dig mysql.queenanne.local +short
192.168.100.19

$ dig apple.com +short
17.253.144.10
$ dig amazon.com +short
176.32.103.205
54.239.28.85
205.251.242.103
$ dig google.com +short
172.217.14.238
$ dig blog.longest-road.com +short
52.35.187.76
52.42.6.194

dhcp scope 1 192.168.100.2-192.168.100.191/24
dhcp scope option 1 dns=192.168.100.53,10.0.0.1
dns server 192.168.100.53 10.0.0.1
dns server select 1 192.168.100.53 a queenanne.local
dns server select 2 10.0.0.1 any .
dns private address spoof on