The deployment of the domain name service is described in the lab handout Introduction au service DNS. The configuration files used with the test infrastructure are given below. In these files, each host name is mapped to IP addresses of both versions (A and AAAA records, with matching PTR records in the two reverse zones).
- Global service options. Note that dnssec-lookaside refers to the DLV registry, which ISC retired in 2017; the option was removed in BIND 9.16 and must be dropped on current releases, while dnssec-validation auto is still the right setting:
/etc/bind/named.conf.options
acl "xfer" { localhost; ::1; };                                        // Allow no other transfers.
acl "internal" { 192.0.2.0/27; 2001:db8:feb2::/48; localhost; ::1; };  // Local networks

include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { any; } keys { "rndc-key"; };
};

options {
    directory "/var/cache/bind";
    statistics-file "/var/log/named/named.stats";
    dump-file "/var/log/named/named.dump";
    zone-statistics yes;

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113

    // Generate more efficient zone transfers. This will place
    // multiple DNS records in a DNS message, instead of one per
    // DNS message.
    transfer-format many-answers;

    // Set the maximum zone transfer time to something more
    // reasonable. In this case, we state that any zone transfer
    // that takes longer than 60 minutes is unlikely to ever
    // complete. WARNING: If you have very large zone files,
    // adjust this to fit your requirements.
    max-transfer-time-in 60;

    // We have no dynamic interfaces, so BIND shouldn't need to
    // poll for interface state {UP|DOWN}.
    interface-interval 0;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };

    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { xfer; };

    dnssec-validation auto;
    dnssec-lookaside auto;
};

logging {
    channel "default_syslog" {
        // Send most of the named messages to syslog.
        syslog local2;
        severity error;
    };

    channel audit_log {
        // Send the security related messages to a separate file.
        file "/var/log/named/named.log";
        severity debug;
        print-time yes;
    };

    channel query_logging {
        file "/var/log/named/query.log";
        print-category yes;
        print-severity yes;
        print-time yes;
    };

    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { query_logging; };
    category lame-servers { audit_log; };
};
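The access-control lists are the security-relevant part of this file: allow-query and allow-recursion are restricted to the internal list, so the server cannot be used as an open resolver from the Internet, and allow-transfer is restricted to xfer, i.e. the loopback addresses, so the zones cannot be pulled with AXFR from the network. The Python script below is an added example, not part of the original handout and not BIND code: it models named's address-match-list evaluation (elements scanned in order, first match decides, a leading ! turns a match into a denial, an ACL name refers to a nested list) over the ACLs copied from this file. It assumes the localhost builtin expands to the loopback prefixes only; the no_guests ACL and the sample client addresses are hypothetical.

```python
"""Evaluate BIND address match lists the way named does: elements are scanned
in order, the first match decides, a leading '!' turns a match into a denial,
and an ACL name refers to a nested list (a nested negative match counts as
no match, so it can never leak through as a surprise allow or deny)."""
import ipaddress

# ACLs copied from named.conf.options.  'localhost' is a BIND builtin that
# covers every interface address of the server; for this offline example it
# is ASSUMED to be the loopback prefixes only.
ACLS = {
    "localhost": ["127.0.0.0/8", "::1/128"],
    "xfer": ["localhost", "::1"],
    "internal": ["192.0.2.0/27", "2001:db8:feb2::/48", "localhost", "::1"],
    # HYPOTHETICAL extra ACL (not on the page) showing why order matters:
    # the negated /28 comes first, so it wins over the enclosing /27.
    "no_guests": ["!192.0.2.16/28", "192.0.2.0/27"],
}

# Which list gates which operation, as set in the options {} block.
POLICY = {"query": "internal", "recursion": "internal", "transfer": "xfer"}


def match_element(ip, element):
    """None when the element does not match at all; True on a positive
    match, False on a negated ('!') match."""
    negated = element.startswith("!")
    elem = element.lstrip("!").strip()
    if elem == "any":
        hit = True
    elif elem == "none":
        hit = False
    elif elem in ACLS:
        hit = acl_allows(str(ip), elem)   # nested list: only a positive result counts
    else:
        net = ipaddress.ip_network(elem, strict=False)
        hit = ip.version == net.version and ip in net
    if not hit:
        return None
    return not negated


def acl_allows(addr, acl_name):
    """True only on a positive match; a negated match or no match both deny."""
    ip = ipaddress.ip_address(addr)
    for element in ACLS[acl_name]:
        verdict = match_element(ip, element)
        if verdict is not None:
            return verdict
    return False


def permitted(addr, operation):
    """Would named accept `operation` ('query', 'recursion', 'transfer')
    from a client at `addr` under the POLICY above?"""
    return acl_allows(addr, POLICY[operation])


def policy_report(addr):
    """One row per client: which operations it is granted."""
    return {op: permitted(addr, op) for op in POLICY}


if __name__ == "__main__":
    # Constructed sample clients: a lab VM, a lab IPv6 host, the server's
    # own loopback address and an outside address that must get nothing.
    for client in ("192.0.2.11", "2001:db8:feb2:10::12", "127.0.0.1", "198.51.100.7"):
        print(client, policy_report(client))
```

Against the running server the same expectations are checked with dig: an AXFR of fake.domain sent to the server from a lab VM must come back REFUSED (dig prints "Transfer failed."), and a recursive query for an outside name sent from an address not covered by internal must be REFUSED as well. Only a query from the loopback address should be able to transfer the zone.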
- Declaration of the zones the service is authoritative for. Because a view is used, every zone, including the default zones, must be declared inside the view; the match-clients list reuses the internal ACL from the options file:
/etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

view standard in {
    // Our internal (trusted) view. We permit the internal networks
    // to freely access this view. We perform recursion for our
    // internal hosts, and retrieve data from the cache for them.
    match-clients { internal; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    zone-statistics yes;

    include "/etc/bind/named.conf.default-zones";

    // add entries for other zones below here
    //////////////////////////////////////////////////////
    zone "fake.domain" {
        type master;
        file "fake.domain";
    };

    // 192.0.2.0/27
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192";
    };

    // 2001:db8:feb2:10::/64
    // ipv6calc --in ipv6addr --out revnibbles.arpa 2001:db8:feb2:10::/64
    zone "0.1.0.0.2.b.e.f.8.b.d.0.1.0.0.2.ip6.arpa" {
        type master;
        file "10-feb2-db8-2001";
    };
    //////////////////////////////////////////////////////
};
- Records of the forward zone fake.domain: /var/cache/bind/fake.domain
$TTL 1D
@       IN SOA  cooper.fake.domain. root.cooper.fake.domain. (
                        2013021001      ; Serial
                        8H              ; Refresh 8 hours
                        2H              ; Retry 2 hours
                        1W              ; Expire 1 week
                        1D )            ; Minimum 1 day
        NS      cooper.fake.domain.
        MX      0 cooper.fake.domain.
cooper  A       192.0.2.1
ns      CNAME   cooper.fake.domain.
cooper  AAAA    2001:db8:feb2:10::1
rtr     AAAA    2001:db8:feb2:10::1
;
vm1     A       192.0.2.11
clnt4   CNAME   vm1.fake.domain.
vm1     AAAA    2001:db8:feb2:10::11
clnt6   AAAA    2001:db8:feb2:10::11
;
vm2     A       192.0.2.12
srvr4   CNAME   vm2.fake.domain.
vm2     AAAA    2001:db8:feb2:10::12
srvr6   AAAA    2001:db8:feb2:10::12
;
vm3     A       192.0.2.13
- Records of the reverse zone for the 192.0.2.0/27 network: /var/cache/bind/2.0.192 (a /27 cannot be cut out of in-addr.arpa without RFC 2317 delegation, so the zone declared is the enclosing 2.0.192.in-addr.arpa, i.e. the whole /24)
$TTL 1D
@       IN SOA  cooper.fake.domain. root.cooper.fake.domain. (
                        2013021001      ; Serial
                        8H              ; Refresh 8 hours
                        2H              ; Retry 2 hours
                        1W              ; Expire 1 week
                        1D )            ; Minimum 1 day
        NS      cooper.fake.domain.
1       PTR     cooper.fake.domain.
;
11      PTR     vm1.fake.domain.
12      PTR     vm2.fake.domain.
13      PTR     vm3.fake.domain.
- Records of the reverse zone for the 2001:db8:feb2:10::/64 network: /var/cache/bind/10-feb2-db8-2001
$TTL 1D
@       IN SOA  cooper.fake.domain. root.cooper.fake.domain. (
                        2013020504      ; Serial
                        8H              ; Refresh 8 hours
                        2H              ; Retry 2 hours
                        1W              ; Expire 1 week
                        1D )            ; Minimum 1 day
        NS      cooper.fake.domain.
;
; ipv6calc --in ipv6addr --out revnibbles.arpa 2001:db8:feb2:10::/64
$ORIGIN 0.1.0.0.2.b.e.f.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR cooper.fake.domain.
1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR vm1.fake.domain.
2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR vm2.fake.domain.
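The forward zone and the two reverse zones have to stay in step: every A or AAAA record should have a PTR under the correct reverse name, and every PTR should name a host that actually owns that address, otherwise reverse lookups (and anything that relies on them, such as mail and log correlation) silently drift. The Python script below is an added example, not part of the handout: it parses the three zone files (embedded here as constructed copies of the listings above), derives the reverse zone apexes from the prefixes the way the ipv6calc command quoted in named.conf.local does, and reports addresses without a PTR, PTRs that disagree with the forward zone, and PTRs no forward record uses. The reader is deliberately minimal (no $INCLUDE, $GENERATE or quoted strings); named-checkzone remains the authority on syntax.

```python
import ipaddress
import re

# Constructed copies of the three zone files listed on this page.
FAKE_DOMAIN = """\
$TTL 1D
@ IN SOA cooper.fake.domain. root.cooper.fake.domain. (
        2013021001 8H 2H 1W 1D )   ; serial refresh retry expire minimum
    NS cooper.fake.domain.
    MX 0 cooper.fake.domain.
cooper  A     192.0.2.1
ns      CNAME cooper.fake.domain.
cooper  AAAA  2001:db8:feb2:10::1
rtr     AAAA  2001:db8:feb2:10::1
vm1     A     192.0.2.11
clnt4   CNAME vm1.fake.domain.
vm1     AAAA  2001:db8:feb2:10::11
clnt6   AAAA  2001:db8:feb2:10::11
vm2     A     192.0.2.12
srvr4   CNAME vm2.fake.domain.
vm2     AAAA  2001:db8:feb2:10::12
srvr6   AAAA  2001:db8:feb2:10::12
vm3     A     192.0.2.13
"""
REV_V4 = """\
$TTL 1D
@ IN SOA cooper.fake.domain. root.cooper.fake.domain. ( 2013021001 8H 2H 1W 1D )
    NS  cooper.fake.domain.
1   PTR cooper.fake.domain.
11  PTR vm1.fake.domain.
12  PTR vm2.fake.domain.
13  PTR vm3.fake.domain.
"""
REV_V6 = """\
$TTL 1D
@ IN SOA cooper.fake.domain. root.cooper.fake.domain. ( 2013020504 8H 2H 1W 1D )
    NS  cooper.fake.domain.
$ORIGIN 0.1.0.0.2.b.e.f.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR cooper.fake.domain.
1.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR vm1.fake.domain.
2.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR vm2.fake.domain.
"""


def fqdn(name, origin):
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Minimal master-file reader: ';' comments, '(' ... ')' continuations,
    $ORIGIN/$TTL, blank-owner inheritance, optional TTL and class fields.
    Returns (owner_fqdn, rrtype, rdata_fields) tuples."""
    records, buf, depth, owner = [], "", 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf += (" " if buf else "") + line.replace("(", " ").replace(")", " ")
        if depth > 0:
            continue                               # RR continues on the next line
        fields = buf.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
        elif not fields[0].startswith("$"):        # $TTL etc. do not matter here
            if not buf[:1].isspace():              # explicit owner, else inherit
                owner = fields.pop(0)
            while len(fields) > 1 and re.fullmatch(r"\d+[smhdwSMHDW]?|IN|CH|HS", fields[0]):
                fields.pop(0)                      # optional TTL / class
            records.append((fqdn(owner, origin), fields[0].upper(), fields[1:]))
        buf = ""
    return records


def reverse_name(addr):
    """PTR owner for one address, i.e. what ipv6calc --out revnibbles.arpa prints."""
    return ipaddress.ip_address(addr).reverse_pointer + "."


def reverse_zone(cidr):
    """Apex of the reverse zone holding a prefix.  A prefix that does not end
    on a label boundary (the /27 here) maps to the enclosing zone, since a
    finer cut would need RFC 2317 delegation."""
    net = ipaddress.ip_network(cidr)
    labels = net.network_address.reverse_pointer.split(".")
    bits = 4 if net.version == 6 else 8
    drop = -(-(net.max_prefixlen - net.prefixlen) // bits)   # ceiling division
    return ".".join(labels[drop:]) + "."


def check_consistency(forward, reverse):
    """Return (missing, wrong, dangling): addresses with no PTR, PTRs naming a
    host that does not own the address, and PTRs no forward record uses."""
    owners, targets = {}, {}
    for owner, rtype, rdata in forward:
        if rtype in ("A", "AAAA"):
            owners.setdefault(reverse_name(rdata[0]), set()).add(owner)
    for owner, rtype, rdata in reverse:
        if rtype == "PTR":
            targets.setdefault(owner, set()).add(rdata[0])
    missing = sorted(n for n in owners if n not in targets)
    wrong = sorted(n for n in owners if n in targets and not owners[n] & targets[n])
    dangling = sorted(n for n in targets if n not in owners)
    return missing, wrong, dangling


if __name__ == "__main__":
    fwd = parse_zone(FAKE_DOMAIN, "fake.domain.")
    rev = parse_zone(REV_V4, reverse_zone("192.0.2.0/27"))
    rev += parse_zone(REV_V6, reverse_zone("2001:db8:feb2:10::/64"))
    print(reverse_zone("2001:db8:feb2:10::/64"), check_consistency(fwd, rev))
```

On the data above the three lists come back empty; adding a host to the forward zone without its PTR (the usual way these zones drift) shows up immediately as a missing entry. Run it after every edit, before bumping the SOA serial and reloading with rndc.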